Brief Intro To Malware We have met the Devil of Information Overload and his impish underlings, the computer virus, the busy signal, the dead link, and.


1 Brief Intro To Malware We have met the Devil of Information Overload and his impish underlings, the computer virus, the busy signal, the dead link, and the PowerPoint presentation. - James Gleick

2 In This Lecture
- Brief Intro to Malware Characteristics
- Indicators of Compromise Discussion
- Analysis for Detecting Malware
- Small Case Study

3 Note Today is not an exhaustive discussion of malware and the forensic analysis thereof. We will have a full week dedicated to understanding more of malware after we discuss memory forensics. But you will have to perform malware forensics on your group project. Today is a discussion of how to combine the artifacts and tools already discussed.

4 Malware Analysis
Effective, timely malware detection requires context.
- Need some idea of what to look for. “Find all the bad stuff” is nigh impossible.
- “Bad” is context sensitive. In one case the forensic analyst found a suite of hacking tools. The analyst thought they had found a compromised machine used as a staging area. Turned out the workstation belonged to a pentester.

5 Malware? What is malware? What properties does it have?

6 Malware
Malware is defined by intent, not any specific code. Most malware tends to perform certain similar functions. Those functions give rise to a framework for considering malware:
- Initial Infection Vector - how the malware got on the system
- Propagation Mechanism - how the malware moves between systems
- Persistence Mechanism - how the malware remains on the system
- Artifacts - traces the malware leaves behind which can be found by forensic examination

7 Malware
Your client will have their own concerns. What individuals or organizations want to know about infections:
- How did we get infected?
- What data, if any, was exposed?
- If data was taken, where did it go?
- What data, if any, was placed on the system? Everyone caught with contraband insists a virus put it there. Sometimes they’re not wrong.

8 Malware
Your client will have their own concerns.
- Was the organization specifically targeted?
- Who sent the malware?
- How will this impact our partnerships? Were partners or clients infected, or did they have data exposed?
- How does this affect our legal and compliance obligations?
- How do we remediate?

9 Malware
Window of Compromise: the time from infection to successful remediation. Establishing this time window is an important step in any malware investigation. It will inform and shape the remainder of the investigation, and it is needed to answer client concerns.

10 Malware Analysis What would be some indicators of infection?

11 Indicators of Infection - Sample
- Internet History: URLs visited
- Temporary Files
- USB devices
- Vulnerable Programs: unpatched or outdated OS or software
- Insecure Configurations

12 Indicators of Infection - Sample
Actual Malware Files:
- Temporary Files folder
- Tasks folder
- Recycle Bin
- Email attachments
- Other weird locations

13 Indicators Malware Actually Ran
Ideas?

14 Malware Execution
Registry:
- MUICache key
- Run & RunOnce Registry keys
- Enum\Root keys
Windows Internals:
- Prefetch Files

15 Malware Persistence? Suggestions?

16 Malware Persistence
- Scheduled Tasks
- Run & RunOnce Registry Keys
- System Event Log - services being started

17 Sample Analysis Workflow
- Prepare
- Run Log2Timeline
- Scheduled Tasks
- Prefetch
- Internet History
- Registry
- Network State
- Log Analysis
- And so on...

18 Sample Workflow
Assemble known information.
- Make educated guesses about the window of compromise and activity based on the information given.
- Determine the most likely places to search.
- Decide on an investigation order. Shouldn’t poke around ad hoc. Have a plan in place before closely investigating. A good plan lets you pipeline your utilities to minimize investigator downtime.

19 Sample Workflow
System Logs
- Their sheer size makes them a good source of information, even though they take time to sift through.
- Determine a reasonably wide window of compromise to reduce the amount to be parsed. But you don’t want to guess wrong and have to redo the timeline.
- Start log2timeline early in your investigation. While waiting potentially hours or days for it to complete, work on other tasks.
- Hopefully, when it completes you will have specific timestamps, process names, network connections, etc. to inform your timeline analysis.

20 Sample Workflow
Run an antivirus scan of the image.
- May get lucky and have the signature identified.
- Use an external AV, not one running inside the image.

21 Sample Workflow
Prefetch
- Knowing the recently run programs gives us context for the system. Does anything not belong? Is there an unusual ordering?
Internet History
- Websites accessed around the time of infection? Visited known watering holes? Malicious file name specified in a URL?

22 Sample Workflow
Registry - First Pass
- Autorun keys
- Scheduled Tasks
- Is anything persistent that shouldn’t be there?
Network Analysis

23 Sample Workflow
- Look at the internet addresses connected to around the likely infection time. Unusual addresses? Unusual protocols?
- Pay attention to directed user activity as well as background processes.
- Try to carve suspicious files.

24 Malware Analysis Example
Scenario: Windows 7 Enterprise 64-bit workstation. Infection with the ZeusVM malware, a banking trojan designed to steal credentials for financial institutions. Thoughts on how to approach?

25 Example - Prefetch
- Find that “latest_report.pdf.exe” ran on the system. The file name is a huge red flag!
- Located in C:\Users\<<UserName>>\Downloads\latest_report.pdf.exe. Another huge red flag!
- When searching this location, the file cannot be found. More red flags!
- “epqe.exe” is one of the files listed in the exe’s prefetch file. Found at C:\users\<<userName>>\appdata\roaming\imyrug\epqe.exe. This is an unusual name and a suspicious location.

26 Example - Prefetch
The suspect exe is followed immediately by “epqe.exe” and then “explorer.exe”. Looks like a dropper and payload.

27 Example - Internet History
- Our suspect exe file was found in the Downloads folder.
- System has Internet Explorer and Mozilla Firefox installed. Search Mozilla history first.
- Visited
- Visit occurred immediately after the user visited mail.yahoo.com. Suggests the link was sent by email.

28 Example - Email
Open the victim’s mailbox file.
- Check emails received shortly before infection.
- Checking the link target, it’s actually “

29 Example - Registry Autorun
- Search the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.
- Matches a suspicious file we found in prefetch. Likely the persistence mechanism.

30 Example - Network Traffic
- Next, match internet history and download time with the packet capture from the network monitor.
- Find a TCP port 80 connection to maldomain.com’s IP address at the correct time.
- In this case we get lucky and can extract the malicious executable from the TCP stream. Send this to the reverse engineers.

31 Example - Timeline
Log2Timeline should be done by now.
- Filter the Excel sheet to corroborate our existing findings.
- Look for additional artifacts in close temporal proximity.
Here is corroboration of our prefetch findings:
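As an added example (not from the slides, and not code from log2timeline/plaso), the following Python script does the timeline filtering described on this slide and marks the red flags from the prefetch and registry slides: it keeps rows within a window around an anchor event and flags double extensions, executables under AppData\Roaming, and Run-key autorun entries. The l2tcsv-style column layout, the dates, and the user name "victim" are constructed assumptions.

```python
# Timeline triage example written for this lecture (not from the slides or plaso);
# the CSV layout and rows are constructed to resemble an l2tcsv export.
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample rows (dates and the user name "victim" are made up)
SAMPLE_CSV = r"""date,time,source,sourcetype,message
03/14/2014,09:58:02,WEBHIST,Firefox History,https://mail.yahoo.com/ visited
03/14/2014,09:59:40,WEBHIST,Firefox History,http://maldomain.com/latest_report.pdf.exe
03/14/2014,10:00:15,PREFETCH,WinPrefetch,latest_report.pdf.exe run from C:\Users\victim\Downloads\latest_report.pdf.exe
03/14/2014,10:00:17,PREFETCH,WinPrefetch,epqe.exe run from C:\Users\victim\AppData\Roaming\imyrug\epqe.exe
03/14/2014,10:00:18,REG,Registry Key,HKCU\Software\Microsoft\Windows\CurrentVersion\Run epqe = C:\Users\victim\AppData\Roaming\imyrug\epqe.exe
03/14/2014,13:30:00,PREFETCH,WinPrefetch,notepad.exe run from C:\Windows\System32\notepad.exe
03/15/2014,08:00:00,LOG,System Event Log,Service Control Manager started service wuauserv
"""

# Red flags from the case study: double extensions, executables under
# AppData\Roaming, and Run/RunOnce autorun entries (persistence).
RED_FLAGS = {
    "double_extension": re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|txt)\.(?:exe|scr|com|bat)\b", re.I),
    "exe_in_roaming": re.compile(r"\\AppData\\Roaming\\.*\.exe\b", re.I),
    "run_key_persistence": re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I),
}

def parse_timeline(text):
    """Parse l2tcsv-style rows and attach a datetime built from date + time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(f'{row["date"]} {row["time"]}', "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows

def flags_for(message):
    """Names of the red-flag rules that match one timeline message."""
    return sorted(name for name, rx in RED_FLAGS.items() if rx.search(message))

def suspicious_in_window(text, anchor, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Rows within [anchor-before, anchor+after], in time order, that trip a red flag."""
    rows = sorted((r for r in parse_timeline(text) if anchor - before <= r["ts"] <= anchor + after),
                  key=lambda r: r["ts"])
    hits = [(r["ts"], flags_for(r["message"]), r["message"]) for r in rows]
    return [h for h in hits if h[1]]

ANCHOR = datetime(2014, 3, 14, 10, 0, 15)  # prefetch run of the suspect dropper; widen as findings grow

def demo():
    return suspicious_in_window(SAMPLE_CSV, ANCHOR)
```

Widening `before`/`after` as the window of compromise firms up is the same iteration the slides describe; the unflagged mail.yahoo.com visit still lands in the window and is what points toward email as the infection vector.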

32 Example - Next Steps
Continue corroborating artifacts.
- Ask yourself what other artifacts should exist given the observed behavior.
- Ask yourself what other artifacts shouldn’t exist given the observed behavior.

33 Questions?

