
Malware Artifacts



  1. Malware Artifacts

  2. Agenda • Quick Introduction • Quick overview of artifacts • Walk-through lab

  3. Introduction • Edgar Sevilla • CIO, Kyrus Technology • 15 years software development, reverse engineering, computer forensics, & information security • Ken Warren • Director of training, AccessData • 15 years of experience in law enforcement and computer forensic examinations

  4. Today’s Goal • Gain a high-level understanding of the artifacts that can be found in memory, on a dead disk, and on live systems when malware executes • Walk through a memory image, a disk image, and a live system to find those artifacts • This lab will NOT go into the reverse engineering, no matter how much I want to!

  5. Where can we find artifacts? • Memory • Processes enumeration • Driver enumeration • Module enumeration • Open Registry keys • Open File Handles • Synchronization events • Communications • Content

  6. Where can we find artifacts? • Disk • Files • Prefetch files • Registry Files • File Attributes • File Times • Restore points • pagefile

  7. Where can we find artifacts? • Live Systems • Hidden Files • Hidden Processes • Repetitive actions • Registry activity • Communications • Processes • Hidden Registry Entries

  8. Processes/Drivers • Process enumeration • Driver enumeration

  9. Files • Prefetch file • File times • File Attributes • Hidden files • Open Handles • Loaded Modules
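The prefetch file on slides 6 and 9 is worth a concrete look, because it ties an executable name to a run count and a last-run time without needing the binary itself. The parser below is an added example for this page, not code from the presentation or its authors. It reads the published Prefetch header layout for format versions 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8); Windows 10 files (version 30) are MAM-compressed and are rejected rather than decompressed. The sample file it builds (name BOT.EXE, hash 1A2B3C4D, timestamp) is constructed for the example.

```python
"""Extract executable name, run count and last-run time from a Windows
Prefetch (.pf) header.  Added example for this page; not the presenters' code.

Layout (per the documented Prefetch format):
  0x00 version (17/23/26), 0x04 b"SCCA", 0x0C file size,
  0x10 executable name, UTF-16LE, 60 bytes, 0x4C prefetch hash.
  Version-specific: last-run FILETIME and run count, see _LAYOUT.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME, offset of run count).
# Version 26 stores up to eight last-run times; the first is the most recent.
_LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic only: float seconds * 1e7 exceeds 2**53 and loses ticks.
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_prefetch(data: bytes) -> dict:
    if data[:3] == b"MAM":
        raise ValueError("compressed (Windows 10+) prefetch; decompress first")
    version, sig, _unknown, declared_size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    last_off, count_off = _LAYOUT[version]
    if len(data) < count_off + 4:
        raise ValueError("truncated prefetch header")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    (last_ft,) = struct.unpack_from("<Q", data, last_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {
        "version": version,
        "executable": name,
        "hash": f"{pf_hash:08X}",
        # On disk the file is named <EXE>-<HASH>.pf; a mismatch is itself an artifact.
        "expected_filename": f"{name}-{pf_hash:08X}.pf",
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_ft),
        "declared_size": declared_size,
    }


def build_sample(name: str, pf_hash: int, run_count: int, last_run: datetime,
                 version: int = 17) -> bytes:
    """Constructed test vector: only the fields parse_prefetch() reads are
    populated; the section offsets that follow the header are left zero."""
    last_off, count_off = _LAYOUT[version]
    buf = bytearray(max(count_off + 4, 0xF0))
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, len(buf))
    buf[0x10:0x10 + 60] = (name + "\x00").encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    struct.pack_into("<Q", buf, last_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


# Constructed sample mirroring the lab's installer name; hash and time are made up.
SAMPLE_PF = build_sample("BOT.EXE", 0x1A2B3C4D, 3,
                         datetime(2010, 3, 15, 10, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_prefetch(SAMPLE_PF).items():
        print(f"{key:>18}: {value}")
```

Run it against a real `C:\Windows\Prefetch\*.pf` by replacing `SAMPLE_PF` with the file's bytes; the run count and last-run time are the values to compare against the file-system create and modify times of the executable the slide calls "unusual".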

  10. Registry • Autoruns entries • Check autoruns entries in registry • Windows Firewall modifications

  11. Synchronization Methods • Mutants/Mutex • Semaphores • Events

  12. Communications • Sockets • Listening sockets • Connected sockets • Named Pipes • Inter-process communication • Communication content, urls, headers

  13. Getting Started • Finding the first artifact is sometimes the toughest • Process listing • Anomalous files • System autoruns • Prefetch artifacts • The good news: there are a lot of artifacts. The bad news: there are a lot of artifacts

  14. List of tools that can be used • Disk • FTK • Encase • Memory • FTK • Volatility • Memoryze • Live System • FTK Enterprise • Microsoft Sysinternals Tools • GEMR

  15. Questions prior to the lab ?

  16. Lab (the slide is a diagram; its boxes, flattened by the transcript, are regrouped here) • Legend: Red = possible starting points, Blue = artifacts • Starting points: Process Listing, Anomalous File, Autoruns Entry, Prefetch File • File artifacts: Bot.exe and sdra64.exe (File Properties: Read-only attrib, Owner: Administrator, Unusual Create Time); A0013970.exe (Restore point); Lowsec directory with Lowsec\local.ds and Lowsec\user.ds.ll (Open Handle, Memory Scan) • Registry artifacts: Registry File, Userinit entry • Process artifacts: Winlogon.exe Pid: 652, Svchost.exe Pid: 876 (Open Handle, Memory Scan) • Named object: Avira_2109 (Open Handle, Memory Scan) • Communication artifacts: Active Connections, Active sockets, Socket lists / Socket Listing, IP Address, Domain: m4ht.com, URLs, Get HTTP Request, Post HTTP Request • Tools named on the diagram: Autoruns tool, Rootkit Revealer

  17. Summary • Initial thread • Found bad process in process listing • Anomalous file listing • Autoruns entries • Prefetch file • Found installer file (Bot.exe) and dropped file (sdra64.exe) • Identified data files (lowsec\local.ds, lowsec\user.ds.ll) • Linked data files to winlogon & svchost • Svchost had active sockets • IP address linked to domain m4ht.com • GET HTTP request to download configuration file • POST HTTP request to upload data
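The chain on slides 16 and 17 is a correlation exercise: the Userinit autorun on slide 10 names the dropped file, handles to its data files name the host processes, the sockets on slide 12 name the remote host, and the memory content names the URLs. The script below is an added example for this page, not the presenters' code or a Volatility plugin; it runs that correlation over constructed records (pids, paths, domain and mutant name copied from the lab slide; the IP address, URL paths and memory bytes are invented for the example) so that each step is visible as a function that can be swapped for real tool output.

```python
"""Correlate registry, handle, socket and memory artifacts into one chain.
Added example for this page; all input records are constructed, not captures.
"""
import re

# --- constructed inputs (shaped like tool output, values from the lab slide) ---
USERINIT_DEFAULT = r"C:\WINDOWS\system32\userinit.exe"
USERINIT_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"

PROCESSES = {652: "winlogon.exe", 876: "svchost.exe", 1204: "explorer.exe"}

# (pid, handle type, object name) as a handle listing reports them
HANDLES = [
    (652, "File", r"\WINDOWS\system32\lowsec\local.ds"),
    (652, "File", r"\WINDOWS\system32\lowsec\user.ds.ll"),
    (876, "File", r"\WINDOWS\system32\lowsec\user.ds.ll"),
    (876, "Mutant", "Avira_2109"),
    (1204, "File", r"\Documents and Settings\user\Desktop\notes.txt"),
]

# (pid, proto, remote ip, remote port, state); 192.0.2.0/24 is a documentation range
SOCKETS = [
    (876, "TCP", "192.0.2.10", 80, "ESTABLISHED"),
    (1204, "TCP", "192.0.2.44", 443, "ESTABLISHED"),
]
DNS_CACHE = {"192.0.2.10": "m4ht.com"}

# Invented fragment of process memory: two complete requests, one truncated one, noise.
MEMORY = (
    b"\x00\x00GET /cfg/config.bin HTTP/1.1\r\nHost: m4ht.com\r\n\r\n\x90\x90"
    b"POST /gate.php HTTP/1.1\r\nHost: m4ht.com\r\nContent-Length: 512\r\n\r\n"
    b"POST /broken HTTP/1.1\r\nHos"  # cut off before the Host line: must be ignored
)

HTTP_RE = re.compile(rb"(GET|POST) (\S+) HTTP/1\.[01]\r\nHost: ([^\r\n]+)")


def userinit_extras(value: str, default: str = USERINIT_DEFAULT) -> list:
    """Anything besides the stock userinit.exe in Winlogon\\Userinit is an
    autorun.  The trailing comma Windows writes is normal and is not flagged."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != default.lower()]


def processes_with_handle(fragment: str, handles=HANDLES) -> list:
    """PIDs holding a handle whose object name contains fragment (case-insensitive)."""
    frag = fragment.lower()
    return sorted({pid for pid, _t, name in handles if frag in name.lower()})


def mutants_of(pid: int, handles=HANDLES) -> list:
    return [name for p, t, name in handles if p == pid and t == "Mutant"]


def remote_hosts(pid: int, sockets=SOCKETS, dns=DNS_CACHE) -> list:
    """Established remote endpoints of pid, resolved through the cached DNS answers."""
    return [(ip, port, dns.get(ip, ip)) for p, _proto, ip, port, state in sockets
            if p == pid and state == "ESTABLISHED"]


def http_requests(mem: bytes, host_filter: str = None) -> list:
    """(method, url) for every complete request line + Host header in mem."""
    reqs = []
    for m in HTTP_RE.finditer(mem):
        method, path, host = (g.decode("latin-1") for g in m.groups())
        if host_filter and host.lower() != host_filter.lower():
            continue
        reqs.append((method, f"http://{host}{path}"))
    return reqs


def triage() -> dict:
    """Walk the lab chain: autorun -> data files -> processes -> sockets -> URLs."""
    report = {"userinit_extras": userinit_extras(USERINIT_VALUE)}
    pids = processes_with_handle("\\lowsec\\")
    report["lowsec_pids"] = {pid: PROCESSES[pid] for pid in pids}
    report["mutants"] = {pid: mutants_of(pid) for pid in pids if mutants_of(pid)}
    report["remote_hosts"] = {pid: remote_hosts(pid) for pid in pids if remote_hosts(pid)}
    domains = sorted({dom for conns in report["remote_hosts"].values() for _ip, _p, dom in conns})
    report["http"] = [r for dom in domains for r in http_requests(MEMORY, dom)]
    return report


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:>15}: {value}")
```

The only hard-coded knowledge is the stock `userinit.exe` path; every other link is derived from the records, which is why winlogon shows up (it holds the data-file handles) even though it opened no socket, and why explorer's unrelated connection is never reported.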

  18. Remediation • Remove artifacts that have been found • Delete sdra64.exe • Can we delete a file that we can’t access? • Remove entry from the Userinit registry value • While Zeus is running this entry is checked every few seconds • Delete data files from lowsec directory • Can we delete files that are hidden and in use? • Re-enable Windows Firewall
