So Eddy, would you like to give me some examples, or just tell me off again?
Obviously you know the basics. It also seems as if you take a strong interest in the Malware industry… Correct?
Start with the easy stuff. How Batch Files work, CMD etc, then slowly move your way up. Do research, practice, more research etc. (Any practicing you do should be done inside of a Virtual Machine!!)
Michael is right, do some reading here: https://forum.avast.com/index.php?topic=166044.0
and https://forum.avast.com/index.php?topic=129271.0
Read about protocols, read about CMS and server software updates, outdated themes, plug-ins.
Learn about DNS, SSL, Poodle, Beast etc. Scan with http://toolbar.netcraft.com/site_report/
and analyze website’s code here: http://toolbar.netcraft.com/site_report/
Do your analysis and reading inside a browser with NoScript and RequestPolicy extensions active and the browser should be running in a Virtual Machine/sandbox. Clean your sandbox every other day or after fear of encountering some threat and also cleanse your computer with CCleaner disconnected.
To detect malcode on your own machine, yes, that is thoroughly possible: download Process Explorer and Autoruns, and know that you can start VT scans from inside there.
For site evaluation download the Malzilla browser. But be aware what you do, no one can help you when you have encountered a file-infector like Virut, it is bye-bye system then.
Never click any link, just cut and paste and do third party cold reconnaissance scans. So never, I repeat never visit the site to be analyzed itself (this even may be illegal to do as give results to it in public).
Checking on code do a jsunpack scan - or use this uri debugger scan: http://linkeddata.informatik.hu-berlin.de/uridbg/
Always remember to proceed patiently and learn this step by step, Krakau was not built in one day as was Cologne. Good luck to you,
polonus (volunteer website security analyst and website error-hunter)
My own research methods are a tad different to normal research methods.
My approach is normally on finding new types of adware/malware/trojans.
On a daily basis I often stumble across malware while searching across perfectly normal sites, social media pages and server logs. Once you discover a potential threat on sites, use checkers such as VirusTotal, Malwr.com and urlquery to try and see if the threat has been actively scanned upon. If it has and vendors are proactively blocking the files in question you can move on to the next case; however, if they aren't, then it's time to talk to the community and provide your evidence to them, including the MD5 hashes (so these files can be looked up for verification; an MD5 hash is a digital fingerprint of a file).
Some advice I can offer (I'm still pretty new at searching for APTs):
Start to get to know research toolkits. WinHex can do wonders for in-depth forensic analysis of files at the binary level, as can open forensics toolkits such as the TSK Autopsy Kit.
Start to learn Linux/Unix systems. Ubuntu is a good/safe operating system to do checks behind with Cuckoo Sandbox. I would recommend running rkhunter on the system after you have done any tests inside a virtual computer. Normally a good VM for malware analysis is Oracle VirtualBox (free to download).
Start to read information security news sources (Darkreading is an excellent place to get information about emerging threats.)
Look into active malware hunting communities, Project Honeypot is a great example of communities across the world working together to discover malware.
Start to read books on coding. A good first language to learn is Python, then move up to C#/.NET (which is becoming open source shortly, so the demand for C# researchers will come in handy).
Finally, remember: with great power comes great responsibility!
Not sure if this helped, if it did awesome!
Thank you all for your input!
Now I have a simple question that I hope someone can answer for me.
It seems from these 2 articles (linked to above):
http://windows.microsoft.com/en-us/windows/certificate-faq#1TC=windows-vista
http://ask-leo.com/what_are_root_certificates_and_why_do_i_need_to_update_them.html
that one shouldn't delete "untrusted" certificates, but they don't address fraudulent certificates.
So, should I delete any of the Fraudulent certificates in the above-attached list, or not?
If anyone can just tell me if yes or no, I would very much appreciate it.
Thank you!
Hi ehmen,
In Windows, in the command prompt, check certificate revocation and give in:
certutil -f -urlfetch -verify [FilenameOfCertificate]
example:
certutil -f -urlfetch -verify mycertificatefile.cer
Check the list here: http://www.entrust.net/ssl-technical/revoked.cfm
polonus
Thank you polonus for addressing my question!
So how do I plug a certificate called "global trustee" or "VeriSign Commercial Software Publishers CA" into the above command? (certutil -f -urlfetch -verify mycertificatefile.cer)
You should know where that certificate is and the exact position of file and file name, and then give it in in the command prompt in the required format. It is a pity you were not brought up with DOS command text books and worked commands like ipconfig /all and C:/Users/computername/netstat & cd & cd/… to go back to C:/Users/computername/ and again cd/… to go back to C:/Users/
In such cases as this it is still nice to have the skills. The folks that learned computing around the turn of the century still can do these command prompt shortcuts.
polonus
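An added example, not polonus's own command, showing one way to go from a certificate's display name in certmgr.msc to the file that certutil needs. It lists the stores under the PowerShell Cert: drive (the "Untrusted Certificates" folder in certmgr.msc is the Disallowed store), writes each match to a .cer file, and runs the certutil revocation check from above on it. The name pattern and output folder are placeholders.

```powershell
# Added example (not from the forum posts): find a certificate by name in the
# Windows certificate stores, export it to a .cer file, and verify it with certutil.
# Assumes PowerShell 2.0 or later (the Cert: drive); $NamePattern and $OutDir are placeholders.
param(
    [string]$NamePattern = 'global trustee',      # substring of Subject or FriendlyName to look for
    [string]$OutDir      = "$env:TEMP\certcheck"  # where the exported .cer files are written
)

# certmgr.msc folder names map to Cert: store names.
# "Untrusted Certificates" is "Disallowed": entries there are Windows' block list,
# i.e. a certificate listed there is already distrusted by the OS.
$stores = @(
    'Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed',
    'Cert:\CurrentUser\Root',       'Cert:\LocalMachine\Root'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($store in $stores) {
    # Each item in a Cert: store is an X509Certificate2 object; match on either name field.
    $found = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$NamePattern*" -or $_.FriendlyName -like "*$NamePattern*" }

    foreach ($cert in $found) {
        # The thumbprint is unique per certificate, so it makes a safe file name.
        $file  = Join-Path $OutDir ("$($cert.Thumbprint).cer")
        $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [IO.File]::WriteAllBytes($file, $bytes)

        Write-Host "`n== $store : $($cert.Subject)"
        Write-Host "   Thumbprint: $($cert.Thumbprint)   NotAfter: $($cert.NotAfter)"
        Write-Host "   Exported to: $file"

        # Same certutil command as in the post above, now with a real file as the argument.
        # Only the revocation/verification lines of certutil's long output are shown.
        certutil -f -urlfetch -verify $file |
            Select-String -Pattern 'Revocation|revoked|ERROR|CertUtil:'
    }
}
```

Nothing in the stores is modified; the script only reads certificates and writes copies to $OutDir.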
You should know where that certificate is and the exact position of file and file name and then give it in in the command prompt in the required format.
I just know whatever it says in the Certificate Manager list.
Is there a way I could find the position of file and filename, etc.?
Thank you.
See: http://www.delphifaq.com/faq/windows_user/f1571.shtml
and http://www.mazecomputer.com/sxs/help/certmanage.htm
Also read: http://superuser.com/questions/334824/windows-7-certificate-manager-snap-in-without-access-to-mmc
pol
The articles speak of importing and installing certificates, but not how to find the location of existing certificates that I had nothing to do with, at least not knowingly (that is to say, I never did anything to get them, as is the case with most people who don’t deal with certificates).
Well they are stored in the registry mainly: https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136(v=vs.85).aspx
polonus
Be cautious when going to the registry. You can ruin your machine if you do unadvised things. Always make a copy of the registry first. Write down what you wanna do for references, work from that later.
polonus
Thanks.
How do I find the untrusted and fraudulent certificate location in the registry?
(By the way, I don’t have XP, I have Vista.)
Click on button start - type certmgr.msc in search then push enter.
Certificates are in folder Certificates.
You should have admin rights for HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
polonus
Unless you know what you're doing, this can totally mess up your computer and make you vulnerable.
Your computer your choice. Certainly not something I’d advise messing around with.
Hi bob3160,
Not a thing I would advise either, but ehmen keeps asking and asking.
If you do not know your way under the hood, it may well be your car engine won’t run anymore.
Likewise with computer registers. If you do not know how to hoover, do not dust.
As you say, it is the choice of that particular user, be bold and screw things up.
But forewarned is forearmed.
polonus
1.) I know my way around the registry and have successfully done things there in the past (I could tell you if you're interested).
2.) I'm not sure what all the warnings are. I never asked how to change anything in the registry; all I asked is if I should delete the fraudulent certificates or not, and I still don't know the answer to that simple question, nor do I know how to ascertain the individual fraudulent certificates.
3.) polonus, I'm not sure why you told me how to open certmgr.msc and how to find certificates there; my very first post above is a screenshot of certificates I found there.
4.) I went to HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots as you said, polonus, and there's only one item there; I attached it below.
I’d like to thank you for your help, I’m just a little confused about the reasons for the instructions and warnings you are giving me.
Just click it to open the various categories and then go over them, do not change anything.
Then go back and read resources over what you have found.
Then decide what to do further.
Read: http://www.wikihow.com/Clean-the-Windows-Registry-by-Hand
I think when things should be adapted and cleansed Microsoft will choose to do so via updates.
I think they should tackle bad SDK certification that way also.
It is their OS, so it is their task.
Just like Firefox has already taken Superfish out of the browser registry
for those that decided to take to uninstall it first.
polonus
Thanks for that.
Now, do you know if there’s a way for me to figure out if I should delete the fraudulent certificates?