Justin Brady Malware Forensics

Intro Malware Forensics I chose this because I always have loved finding out how Malware works MotherBoard We do a lot of elemination of Malware but no reasearch on the types This job is always very rewarding but eaves me with a lot of different questions still! So what does this different malware do? Where is it hiding at exactly?

Setup for the Release The malware was set up and released on a VM. I used VirtualBox to run the VM on a non personal computer. This was to ensure that none of my personal data would be at risk or that any info would be stolen I made sure that it was non networked. Also there was no file sharing between the VM and host system. The VM was a windows 10 image. This is what people everywhere will be and are using. Note taking and screenshots like for court

First look I decided to start with the filesystem and see what was to be found. There were a couple of things already on the desktop Bombermania, things that look harmless Downloads There was a lot in downloads This is where Malware would usually start its journey. Most of the files were .exe’s or zipped files One I notices was called win32.peals Later found this to be a common name for some trojans

Windows Defender Next I decided to use the built in system tool to do some more analysis. I tried some different scans and it looked like they didn’t find anything I tried a couple of different scans and techniques Opened some of the files Upon further inspection we can see it did find a good amount of things.

The history Tab There is a record kept of all detected items and a description panel Six different items They had been quarantined I made sure I allowed them all so that I could keep on doing analysis.

PWS:Win32/Zbot!GO I looked into them all and decided to focus on this one particularly. PWS:Win32/Zbot!Go Is a password stealer. it comes from a family program called Win32/Zbot Zeus Wsnpoem or Citadel Win32- The name makes it seem safe. Win is a common denotation for windows liscenced system files that is on all windows operating systems Also 32 or the system 32 folder is a name for one of the folders that is on windows as a core program.

PWS:Win32/Zbot!GO I found out that Win32/Zbot is actually a trojan this specific trojan focuses on is stealing financial information from the user Passwords Logins It can start by lowering your firewall and internet browser security then this malware can give a malicious hacker access to your computer directly. It does it all!

-The filesystem where the password stealer is located. Note that it is located in AppData/Roaming. This file location is actually hidden to the normal user .

PWS:Win32/Zbot!GO How it works tecnically Sits and monitors when a user goes to an online banking address It finds an API and latches onto it Once attached the virus then injects code into the webpages Information is then stolen Passwords, User ID’s ect

Test Files I was very curious as to what these were. It turns out these are indeed not malware at all. It is a file that would be downloaded to check if your security is up to par. X5O!P%@AP[4\PZX54(P^)7CC)7}$ EICAR-STANDARD-ANTIVIRUS- TEST-FILE!$H+H*

Prevention have a high quality security program running at all times have your firewall always up never opened any unknown email attachment do not download or run anything suspicious from websites that you do not frequent In other words, there are no special ways to defend against a password stealer versus a PUP. You can get both just as easily You need all of these comprehensive security measures in place if you want to have a secure and safe computing experience.