Malware Artifacts. Agenda Quick Introduction Quick overview of artifacts Walk-through lab.

1 Malware Artifacts

2 Agenda Quick Introduction Quick overview of artifacts Walk-through lab

3 Introduction Edgar Sevilla – CIO, Kyrus Technology – 15 years of software development, reverse engineering, computer forensics, and information security Ken Warren – Director of Training, AccessData – 15 years of experience in law enforcement and computer forensic examinations

4 Today's Goal Gain a high-level understanding of the artifacts that can be found in memory, on dead disk, and on live systems when malware executes Walk through a memory image, a disk image, and a live system to find artifacts This lab will NOT go into the reverse engineering, no matter how much I want to!

5 Where can we find artifacts? Memory – Processes enumeration – Driver enumeration – Module enumeration – Open Registry keys – Open File Handles – Synchronization events – Communications – Content

6 Where can we find artifacts? Disk – Files – Prefetch files – Registry Files – File Attributes – File Times – Restore points – pagefile

7 Where can we find artifacts? Live Systems – Hidden Files – Hidden Processes – Repetitive actions Registry activity Communications Processes – Hidden Registry Entries

8 Processes/Drivers Process enumeration Driver enumeration

9 Files Prefetch file File times File Attributes Hidden files Open Handles Loaded Modules

10 Registry Autoruns entries – Check autoruns entries in registry Windows Firewall modifications

11 Synchronization Methods Mutants/Mutex Semaphores Events

12 Communications Sockets – Listening sockets – Connected sockets Named Pipes – Inter-process communication Communication content, URLs, headers

13 Getting Started Finding the first artifact is sometimes the toughest – Process listing – Anomalous files – System autoruns – Prefetch artifacts The good news: there are a lot of artifacts. The bad news: there are a lot of artifacts.

14 List of tools that can be used Disk – FTK – Encase Memory – FTK – Volatility – Memoryze Live System – FTK Enterprise – Microsoft Sysinternals Tools – GEMR

15 Questions prior to the lab?

16 Lab (slide diagram; legend: Red = possible starting points, Blue = artifacts) Starting points: Process Listing, Prefetch File, Anomalous File, Autoruns Entry. Artifact labels on the diagram: Bot.exe, Read-only attribute, Userinit entry, Lowsec directory, Winlogon.exe Pid: 652, Svchost.exe Pid: 876, Active sockets, Active Connections, Lowsec\local.ds, Lowsec\user.ds.ll, Avira_2109, IP Address, Domain, GET HTTP Request, POST HTTP Request, URLs, sdra64.exe, Owner: Administrator, Unusual Create Time. Sources and tools linking them: Restore point, Open Handle, Prefetch file, File Properties, Registry File, Autoruns tool, Rootkit Revealer, Socket lists, Socket Listing, Memory Scan.

17 Summary Initial thread – Found bad process in Process Listing – Anomalous file listing – Autoruns entries – Prefetch file Found installer file and dropped file Identified data files Linked data files to winlogon and svchost Svchost had active sockets IP address linked: – to domain – GET HTTP request to download configuration file – POST HTTP request to upload data

18 Remediation Remove the artifacts that have been found – Delete sdra64.exe Can we delete a file that we can't access? – Remove the entry from the Userinit registry value While Zeus is running this entry is checked every few seconds – Delete the data files from the lowsec directory Can we delete files that are hidden and in use? – Re-enable Windows Firewall
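Two of the checks the lab leans on, the extra Userinit entry and the lowsec data files, written out as an added Python triage example for this page (not the presenters' code). The registry key path in the comments and the sample Userinit value and paths are assumptions constructed to resemble the lab host.

```python
# Added example, not from the presentation: triage checks for two lab artifacts,
# the extra Userinit entry and the lowsec data files. Inputs are passed in so it
# runs offline on constructed data; on a live host the Userinit string would be
# read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (assumed, via winreg).
from __future__ import annotations
import ntpath

EXPECTED_USERINIT = {"userinit.exe"}          # the only entry Windows itself sets
SUSPECT_FILES = {"sdra64.exe", "local.ds", "user.ds", "user.ds.ll"}  # names from the lab
SUSPECT_DIR = "lowsec"

def parse_userinit(value: str) -> list[str]:
    """Split a Userinit value into entries (comma-separated, trailing comma allowed)."""
    return [p.strip() for p in value.split(",") if p.strip()]

def extra_userinit_entries(value: str) -> list[str]:
    """Return Userinit entries other than userinit.exe, e.g. the sdra64.exe the lab found."""
    return [p for p in parse_userinit(value)
            if ntpath.basename(p).lower() not in EXPECTED_USERINIT]

def suspect_paths(paths: list[str]) -> list[str]:
    """Flag files inside a 'lowsec' directory or named like the lab's dropper/data files."""
    hits = []
    for p in paths:
        parts = [s.lower() for s in p.replace("/", "\\").split("\\") if s]
        if not parts:
            continue
        if SUSPECT_DIR in parts[:-1] or parts[-1] in SUSPECT_FILES:
            hits.append(p)
    return hits

def triage(userinit_value: str, paths: list[str]) -> dict[str, list[str]]:
    """Combine both checks into one report keyed by check name."""
    return {"userinit_extra": extra_userinit_entries(userinit_value),
            "suspect_paths": suspect_paths(paths)}

# Constructed sample data modelled on the lab host; not captured from a real system.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_PATHS = [r"C:\WINDOWS\system32\sdra64.exe",
                r"C:\WINDOWS\system32\lowsec\local.ds",
                r"C:\WINDOWS\system32\lowsec\user.ds",
                r"C:\WINDOWS\system32\userinit.exe",
                r"C:\WINDOWS\system32\svchost.exe"]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_USERINIT, SAMPLE_PATHS).items():
        print(name, hits)
```

A clean host yields two empty lists; anything reported under userinit_extra is worth pulling as the next thread, since the slide notes Zeus re-checks that value every few seconds.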
