Malware Artifacts
Agenda Quick Introduction Quick overview of artifacts Walk-through lab
Introduction Edgar Sevilla Ken Warren CIO, Kyrus Technology 15 years software development, reverse engineering, computer forensics, & information security Ken Warren Director of training, AccessData 15 years of experience in law enforcement and computer forensic examinations
Today’s Goal Gain a high-level understanding of the of artifacts than can be found in memory, dead disk, and live systems when malware executes Walkthrough of a memory image, disk image, and live systems to find artifacts This lab will NOT go into the reverse engineering, no matter how much I want to!
Where can we find artifacts? Memory Processes enumeration Driver enumeration Module enumeration Open Registry keys Open File Handles Synchronization events Communications Content
Where can we find artifacts? Disk Files Prefetch files Registry Files File Attributes File Times Restore points pagefile
Where can we find artifacts? Live Systems Hidden Files Hidden Processes Repetitive actions Registry activity Communications Processes Hidden Registry Entries
Processes/Drivers Process enumeration Driver enumeration
Files Prefetch file File times File Attributes Hidden files Open Handles Loaded Modules
Registry Autoruns entries Windows Firewall modifications Check autoruns entries in registry Windows Firewall modifications
Synchronization Methods Mutants/Mutex Semaphores Events
Communications Sockets Named Pipes Listening sockets Connected sockets Named Pipes Inter-process communication Communication content, urls, headers
Getting Started Finding the first artifact is sometimes the toughest Process listing Anomalous files System autoruns Prefetch artifacts Good news there are a lot of artifacts, the bad news there are a lot of artifacts
List of tools that can be used Disk FTK Encase Memory Volatility Memoryze Live System FTK Enterprise Microsoft Sysinternals Tools GEMR
Questions prior to the lab ?
Lab Red = Possible starting points Blue = Artifacts Process Listing Prefetch File Anomalous File Read only Attrib File Properties Owner: Administrator Unusual Create Time File Properties Autoruns Entry Bot.exe File Properties sdra64.exe Registry File Autoruns tool Open Handle Prefetch file Restore point A0013970.exe Rootkit Revealer Restore point Userint entry Active Connections Lowsec directory Lowsec\local.ds Open Handle Open Handle Active sockets Open Handle Winlogon.exe Pid: 652 Svchost.exe Pid: 876 Domain: m4ht.com Socket lists Socket Listing Memory Scan IP Address Open Handle Open Handle Get HTTP Request Avira_2109 Open Handle Memory Scan Memory Scan Open Handle Memory Scan Lowsec\local.ds Lowsec\user.ds.ll Avira_2109 URLs Post HTTP Request
Summary Initial Thread Found Installer file, and dropped file Found bad process in Process Listing Anomalous file listing Autoruns entries Prefetch file Found Installer file, and dropped file Identified data files Linked data files to winlogon & svchost Svchost had active sockets IP address linked: to domain m4ht.com Get HTTP request to download configuration file Post HTTP request to upload data
Remediation Remove artifacts that have been found Delete sdra64.exe Can we delete a file that we can’t access Remove entry from userinit registry entry While Zeus is running this entry is checked every few seconds Delete data files from lowsec directory Can we delete files that are hidden and in use Re-enable Windows Firewall