Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Artifacts.

Published byKeon Tamplin Modified over 10 years ago

Similar presentations

Presentation on theme: "Malware Artifacts."— Presentation transcript:

1 Malware Artifacts

2 Agenda Quick Introduction Quick overview of artifacts Walk-through lab

3 Introduction Edgar Sevilla Ken Warren CIO, Kyrus Technology
15 years software development, reverse engineering, computer forensics, & information security Ken Warren Director of training, AccessData 15 years of experience in law enforcement and computer forensic examinations

4 Today’s Goal Gain a high-level understanding of the of artifacts than can be found in memory, dead disk, and live systems when malware executes Walkthrough of a memory image, disk image, and live systems to find artifacts This lab will NOT go into the reverse engineering, no matter how much I want to!

5 Where can we find artifacts?
Memory Processes enumeration Driver enumeration Module enumeration Open Registry keys Open File Handles Synchronization events Communications Content

6 Where can we find artifacts?
Disk Files Prefetch files Registry Files File Attributes File Times Restore points pagefile

7 Where can we find artifacts?
Live Systems Hidden Files Hidden Processes Repetitive actions Registry activity Communications Processes Hidden Registry Entries

8 Processes/Drivers Process enumeration Driver enumeration

9 Files Prefetch file File times File Attributes Hidden files
Open Handles Loaded Modules

10 Registry Autoruns entries Windows Firewall modifications
Check autoruns entries in registry Windows Firewall modifications

11 Synchronization Methods
Mutants/Mutex Semaphores Events

12 Communications Sockets Named Pipes
Listening sockets Connected sockets Named Pipes Inter-process communication Communication content, urls, headers

13 Getting Started Finding the first artifact is sometimes the toughest
Process listing Anomalous files System autoruns Prefetch artifacts Good news there are a lot of artifacts, the bad news there are a lot of artifacts

14 List of tools that can be used
Disk FTK Encase Memory Volatility Memoryze Live System FTK Enterprise Microsoft Sysinternals Tools GEMR

15 Questions prior to the lab
?

16 Lab Red = Possible starting points Blue = Artifacts Process Listing
Prefetch File Anomalous File Read only Attrib File Properties Owner: Administrator Unusual Create Time File Properties Autoruns Entry Bot.exe File Properties sdra64.exe Registry File Autoruns tool Open Handle Prefetch file Restore point A exe Rootkit Revealer Restore point Userint entry Active Connections Lowsec directory Lowsec\local.ds Open Handle Open Handle Active sockets Open Handle Winlogon.exe Pid: 652 Svchost.exe Pid: 876 Domain: m4ht.com Socket lists Socket Listing Memory Scan IP Address Open Handle Open Handle Get HTTP Request Avira_2109 Open Handle Memory Scan Memory Scan Open Handle Memory Scan Lowsec\local.ds Lowsec\user.ds.ll Avira_2109 URLs Post HTTP Request

17 Summary Initial Thread Found Installer file, and dropped file
Found bad process in Process Listing Anomalous file listing Autoruns entries Prefetch file Found Installer file, and dropped file Identified data files Linked data files to winlogon & svchost Svchost had active sockets IP address linked: to domain m4ht.com Get HTTP request to download configuration file Post HTTP request to upload data

18 Remediation Remove artifacts that have been found Delete sdra64.exe
Can we delete a file that we can’t access Remove entry from userinit registry entry While Zeus is running this entry is checked every few seconds Delete data files from lowsec directory Can we delete files that are hidden and in use Re-enable Windows Firewall

19

Download ppt "Malware Artifacts."

Similar presentations

Windows Vista Security Tidbits

Windows Vista Security Tidbits
Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
MODULE 3: OS & APP LAYERS. Agenda Preparing and importing a gold image Creating and understanding Install Machines Creating basic Application layers Understanding.

MODULE 3: OS & APP LAYERS. Agenda Preparing and importing a gold image Creating and understanding Install Machines Creating basic Application layers Understanding.
Using VHDs in Remediation Workshops. Overview Advantages Simple and robust setup Use prepared VHDs Easy to reset (copy VHD file) Easy to switch between.

Using VHDs in Remediation Workshops. Overview Advantages Simple and robust setup Use prepared VHDs Easy to reset (copy VHD file) Easy to switch between.
ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.

ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.
1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Module 1: Installing Windows XP Professional

Module 1: Installing Windows XP Professional
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.

Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.

Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

Similar presentations

Ads by Google