Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Malware Analysis
From: Chip Panarchy <forumanarchy () gmail com>
Date: Sun, 22 Nov 2009 17:12:02 +1100

Hi,

Not sure what happened to my last post, so I'll just reiterate it!

Of many anti-malware software I've tried, MalwareBytes (free) seems to
be the best.

However, I haven't tested the latest ones, so I'd recommend (if you
have the time) to test out as many of the different free/trial malware
detection/removal software as you can, then decide for yourself.

Best of luck,

Panarchy

On Wed, Nov 11, 2009 at 9:35 AM, Murda Mcloud <murdamcloud () bigpond com> wrote:
Hi JMK,
I welcome the expansion of the thread to include process as well as tools.
I guess it just got me thinking about other tools. You're right on the money
when you say that it is essential to have a framework for the tools to work
within.

As for the IR threads, check out
http://www.securityfocus.com/archive

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of kmj1268 () comcast net
Sent: Wednesday, November 11, 2009 3:55 AM
To: murdamcloud () bigpond com; kmj1268 () comcast net; security-
basics () lists securityfocus com
Subject: RE: Malware Analysis

Yes.
I did notice the thread was around tools.  However, I just wanted to talk
about the process as well so that was my 2 cents worth. I also mentioned
the TCPView tool which is great at allowing you to tie process visually
to
network connections.  Like they say, the devil is in the details. Even if
you have the best tools, it's how you use them that makes the biggest
difference.

I wonder if there is a thread or security focus list around Incidence
Response in the event of a breach, virus attack, etc. That would be
another
good topic to discuss as far as processes.

As far as the question, what's in your RAM?

You should check out this episode at hak5.org.
I am not affiliated with this podcasting group, but they always have
great
episodes around this kind of thing.

http://www.hak5.org/?s=Cold+boot+attack

Thanks..
JMK

Original Message:
-----------------
From: Murda Mcloud murdamcloud () bigpond com
Date: Tue, 10 Nov 2009 10:13:50 +1000
To: kmj1268 () comcast net, security-basics () lists securityfocus com
Subject: RE: Malware Analysis


Good points. I know that the OP was asking for straightforward tools for
some basic tasks but I began to wonder whether having the ability to
capture
the physical memory as well might come in useful, especially as the
systems
may be allowed to stay 'live'. Windd is good for that.

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of kmj1268 () comcast net
Sent: Tuesday, November 10, 2009 5:10 AM
To: security-basics () lists securityfocus com
Subject: Malware Analysis

In relation to the copied thread below, this is some great discussion.

I have been fascinated with the science of malware analysis myself,
and
there is so much to learn.  While I am not an expert, what I generally
see
happen with a machine is processes (either hidden by rootkits or not
hidden) taking over network connections and phoning home to control
and
command centers to grow the botnet army.  You always have to take the
assumption that you could have a rootkit and start from there.  The
problem
with rootkits is they make everyday programs on the suspect's running
OS
that should be innocuous operate differently and hide behavior.  What
I
have always seen as a recommendation is to take a suspect machine's
drive
out and have it scrubbed and analyzed with a live forensic distro.
Better
yet, use a Live CD distro such as clonezilla to create a bit for bit
clone
of the hard drive.  A popular one is Trinity Rescue.  The key is
working
with something that is not native to the suspect machine.  You cant
trust
the programs or what kind of response you might get if you run
programs
on
a possibly rootkitted machine or one that is compromised.  What you
can
trust is the programs on a live CD/DVD and the traffic you see on your
network.  Now when the machine is running and I want to do analysis, I
usually will carry a hub with me (they are certainly hard to find now
adays) and will run wireshark on the traffic for the suspect machine.
Have
it running with all explorer sessions shut down and the machine
started
from a reboot - but the machine doesnt need to be connected to the
network.
If there are rogue processes they will show up in wireshark.    Then
after
you identify rogue network processes you can use a program like
TCPView
which will tie back a connection to a program and then you can
investigate
that program to see if it is malicious.

Anyways, I just wanted to chime in and say thanks and offer my two
cents
for whatever it is worth. There is certainly more than one way to
approach
the analysis.  I would be interested in learning more about the
processes
folks on this thread run through in this type of event.

There is some excellent feedback and advice in this thread and I am
glad
to be able to take away some good advice myself.

Thanks so much....

JMK
J. Mark Kellerman, CISSP, CCSA-NGX
Snr Security Engineer.






Sent from my iPhone

Begin forwarded message:

From: Murda Mcloud
<murdamcloud () bigpond com<mailto:murdamcloud () bigpond com>>
Date: November 4, 2009 11:46:13 PM EST
To: 'exzactly' <exzactly () hotmail com<mailto:exzactly () hotmail com>>,
"security-basics () securityfocus com<mailto:security-
basics () securityfocus com>
"
<security-basics () securityfocus com<mailto:security-
basics () securityfocus com>

Subject: RE: Security Toolkit for dummies

Fport might come in handy.
I'm guessing you want 'clean' versions of everything because who knows
what
is running on the box itself or what has been modified.
How will you be able to trust that the cmd window that you run some of
these
from is legit? Or that it will run at all?
Maybe a cmd alternative will help, too.
Fciv so you could check hashes?
Regalyzer?


Will you image the machines before allowing the support guys to do
their
stuff?




-----Original Message-----
From:
listbounce () securityfocus com<mailto:listbounce () securityfocus com>
[mailto:listbounce () securityfocus com]
On Behalf Of exzactly
Sent: Thursday, November 05, 2009 4:27 AM
To: <mailto:security-basics () securityfocus com>
security-basics () securityfocus com<mailto:security-
basics () securityfocus com>
Subject: Security Toolkit for dummies

I am currently working on a (free)toolkit to pass down to Tier 3 and
Tier
2
to be used in the event of a breach/infection or suspected
breach/infection.
In a nutshell I want to give them some tools to use to gain further
information about the system and processes and/or malicious tools
running
on
it. This toolkit is designed for a Windows desktop and Server
environment. I
am looking at building out tools that are fairly easy to use and do
not
require much training. Currently I have the following tools on it:

(SysInternal tools)
Autoruns
PortMon
Process Explorer
Process Monitor
Ps Tools
Logon Sessions

Other tools:
Adaware


Is there anything else folks out there are using to provide their
lower
level support guys with some tools for informational gathering
purposes....the tools have to run offline as systems are removed in
the
event of a breach or infection...I am not looking for a full blown
forensics
kit, just something I can train folks unfamiliar with tool fairly
quickly...


----------------------------------------------------------------------
--
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate. We look at how SSL works, how it benefits your
company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f
727d1
----------------------------------------------------------------------
--


----------------------------------------------------------------------
--
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL
certificate. We look at how SSL works, how it benefits your company
and
how
your customers can tell if a site is secure. You will find out how to
test,
purchase, install and use a thawte Digital Certificate on your Apache
web
server. Throughout, best practices for set-up are highlighted to help
you
ensure efficient ongoing management of your encryption keys and
digital
certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f
727
d1
----------------------------------------------------------------------
--




--------------------------------------------------------------------
mail2web.com - Enhanced email for the mobile individual based on
MicrosoftR
Exchange - http://link.mail2web.com/Personal/EnhancedEmail



----------------------------------------------------------------------
--
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your
company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f
727d1
----------------------------------------------------------------------
--


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL
certificate.  We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how to
test, purchase, install and use a thawte Digital Certificate on your
Apache
web server. Throughout, best practices for set-up are highlighted to help
you ensure efficient ongoing management of your encryption keys and
digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f
727
d1
------------------------------------------------------------------------


--------------------------------------------------------------------
mail2web LIVE - Free email based on MicrosoftR Exchange technology -
http://link.mail2web.com/LIVE



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f
727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: Malware Analysis Chip Panarchy (Nov 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]