Home page logo
/

basics logo Security Basics mailing list archives

Malware Analysis
From: "kmj1268 () comcast net" <kmj1268 () comcast net>
Date: Mon, 9 Nov 2009 14:09:36 -0500

In relation to the copied thread below, this is some great discussion.

I have been fascinated with the science of malware analysis myself, and
there is so much to learn.  While I am not an expert, what I generally see
happen with a machine is processes (either hidden by rootkits or not
hidden) taking over network connections and phoning home to control and
command centers to grow the botnet army.  You always have to take the
assumption that you could have a rootkit and start from there.  The problem
with rootkits is they make everyday programs on the suspect's running OS
that should be innocuous operate differently and hide behavior.  What I
have always seen as a recommendation is to take a suspect machine's drive
out and have it scrubbed and analyzed with a live forensic distro. Better
yet, use a Live CD distro such as clonezilla to create a bit for bit clone
of the hard drive.  A popular one is Trinity Rescue.  The key is working
with something that is not native to the suspect machine.  You cant trust
the programs or what kind of response you might get if you run programs on
a possibly rootkitted machine or one that is compromised.  What you can
trust is the programs on a live CD/DVD and the traffic you see on your
network.  Now when the machine is running and I want to do analysis, I
usually will carry a hub with me (they are certainly hard to find now
adays) and will run wireshark on the traffic for the suspect machine.  Have
it running with all explorer sessions shut down and the machine started
from a reboot - but the machine doesnt need to be connected to the network.
If there are rogue processes they will show up in wireshark.    Then after
you identify rogue network processes you can use a program like TCPView
which will tie back a connection to a program and then you can investigate
that program to see if it is malicious.

Anyways, I just wanted to chime in and say thanks and offer my two cents
for whatever it is worth. There is certainly more than one way to approach
the analysis.  I would be interested in learning more about the processes
folks on this thread run through in this type of event.

 There is some excellent feedback and advice in this thread and I am glad
to be able to take away some good advice myself.  

Thanks so much....

JMK
J. Mark Kellerman, CISSP, CCSA-NGX
Snr Security Engineer.






Sent from my iPhone 

Begin forwarded message: 

From: Murda Mcloud
<murdamcloud () bigpond com<mailto:murdamcloud () bigpond com>> 
Date: November 4, 2009 11:46:13 PM EST 
To: 'exzactly' <exzactly () hotmail com<mailto:exzactly () hotmail com>>,
"security-basics () securityfocus com<mailto:security-basics () securityfocus com>
"
<security-basics () securityfocus com<mailto:security-basics () securityfocus com>

Subject: RE: Security Toolkit for dummies 

Fport might come in handy. 
I'm guessing you want 'clean' versions of everything because who knows what 
is running on the box itself or what has been modified. 
How will you be able to trust that the cmd window that you run some of
these 
from is legit? Or that it will run at all? 
Maybe a cmd alternative will help, too. 
Fciv so you could check hashes? 
Regalyzer? 


Will you image the machines before allowing the support guys to do their 
stuff? 




-----Original Message----- 
From: listbounce () securityfocus com<mailto:listbounce () securityfocus com>
[mailto:listbounce () securityfocus com] 
On Behalf Of exzactly 
Sent: Thursday, November 05, 2009 4:27 AM 
To: <mailto:security-basics () securityfocus com>
security-basics () securityfocus com<mailto:security-basics () securityfocus com> 
Subject: Security Toolkit for dummies 

I am currently working on a (free)toolkit to pass down to Tier 3 and Tier 
2 
to be used in the event of a breach/infection or suspected 
breach/infection. 
In a nutshell I want to give them some tools to use to gain further 
information about the system and processes and/or malicious tools running 
on 
it. This toolkit is designed for a Windows desktop and Server 
environment. I 
am looking at building out tools that are fairly easy to use and do not 
require much training. Currently I have the following tools on it: 

(SysInternal tools) 
Autoruns 
PortMon 
Process Explorer 
Process Monitor 
Ps Tools 
Logon Sessions 

Other tools: 
Adaware 


Is there anything else folks out there are using to provide their lower 
level support guys with some tools for informational gathering 
purposes....the tools have to run offline as systems are removed in the 
event of a breach or infection...I am not looking for a full blown 
forensics 
kit, just something I can train folks unfamiliar with tool fairly 
quickly... 


------------------------------------------------------------------------ 
Securing Apache Web Server with thawte Digital Certificate 
In this guide we examine the importance of Apache-SSL and who needs an 
SSL certificate. We look at how SSL works, how it benefits your company 
and how your customers can tell if a site is secure. You will find out 
how to test, purchase, install and use a thawte Digital Certificate on 
your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your 
encryption keys and digital certificates. 

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f 
727d1 
------------------------------------------------------------------------ 


------------------------------------------------------------------------ 
Securing Apache Web Server with thawte Digital Certificate 
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates. 

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1 
------------------------------------------------------------------------ 

 


--------------------------------------------------------------------
mail2web.com – Enhanced email for the mobile individual based on Microsoft®
Exchange - http://link.mail2web.com/Personal/EnhancedEmail



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]