Malware Artifacts.


Malware Artifacts

Agenda
- Quick introduction
- Quick overview of artifacts
- Walk-through lab

Introduction
- Edgar Sevilla, CIO, Kyrus Technology: 15 years of software development, reverse engineering, computer forensics, and information security
- Ken Warren, Director of Training, AccessData: 15 years of experience in law enforcement and computer forensic examinations

Today's Goal
- Gain a high-level understanding of the artifacts that can be found in memory, on a dead disk, and on live systems when malware executes
- Walk through a memory image, a disk image, and a live system to find those artifacts
- This lab will NOT go into the reverse engineering, no matter how much I want to!

Where can we find artifacts? Memory
- Process enumeration
- Driver enumeration
- Module enumeration
- Open registry keys
- Open file handles
- Synchronization events
- Communications
- Content

Where can we find artifacts? Disk
- Files
- Prefetch files
- Registry files
- File attributes
- File times
- Restore points
- Pagefile

Where can we find artifacts? Live Systems
- Hidden files
- Hidden processes
- Repetitive actions
- Registry activity
- Communications
- Processes
- Hidden registry entries

Processes/Drivers
- Process enumeration
- Driver enumeration

Files
- Prefetch file
- File times
- File attributes
- Hidden files
- Open handles
- Loaded modules
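Prefetch files are one of the first disk artifacts the slides point at, because Windows writes one for every executable it launches and names it after the executable plus a hash of its path. The script below is an added example (not part of the presentation and not AccessData or Kyrus code) that reads the fixed header of an uncompressed XP/Vista/7-era .pf file and flags a file whose on-disk name does not match the executable name and hash stored inside it, which is a simple tamper check an examiner can run over a Prefetch directory. The header offsets (version at 0, "SCCA" signature at 4, file size at 0x0C, 60-byte UTF-16LE executable name at 0x10, 32-bit path hash at 0x4C) are assumed from the documented format; the sample bytes are constructed in the script itself so it runs offline.

```python
"""Parse a Windows Prefetch (.pf) header and check its name against the file name.

Added example, not code from the original presentation. Header offsets are
assumptions from the documented uncompressed Prefetch format (XP/Vista/7).
"""
import struct

# Version field -> Windows family (assumed mapping from the documented format)
PREFETCH_VERSIONS = {0x11: "Windows XP/2003", 0x17: "Windows Vista/7",
                     0x1A: "Windows 8", 0x1E: "Windows 10"}
# Windows 10 stores .pf files LZXPRESS-compressed with this leading magic;
# they must be decompressed before the header below can be read.
MAM_MAGIC = b"MAM\x04"
HEADER_LEN = 0x54


def parse_prefetch_header(data: bytes) -> dict:
    """Return version, executable name and path hash from a .pf header."""
    if data[:4] == MAM_MAGIC:
        raise ValueError("compressed (MAM) prefetch file; decompress before parsing")
    if len(data) < HEADER_LEN or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version, = struct.unpack_from("<I", data, 0x00)
    file_size, = struct.unpack_from("<I", data, 0x0C)
    # Executable name: 60 bytes of UTF-16LE, NUL-terminated
    raw_name = data[0x10:0x10 + 60]
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 0x4C)
    return {
        "version": version,
        "windows": PREFETCH_VERSIONS.get(version, "unknown"),
        "file_size": file_size,
        "exe_name": exe_name,
        "path_hash": path_hash,
    }


def expected_pf_filename(header: dict) -> str:
    """Windows names the file <EXE>-<HASH>.pf, with the hash in upper-case hex."""
    return f"{header['exe_name']}-{header['path_hash']:08X}.pf"


def prefetch_name_mismatch(pf_filename: str, header: dict) -> bool:
    """True when the on-disk name disagrees with what the header says ran.

    A renamed or hand-edited .pf file is worth a closer look; a genuine one
    always matches, so this is a cheap triage filter, not proof of anything.
    """
    return pf_filename.upper() != expected_pf_filename(header).upper()


def build_sample_prefetch(exe_name: str, version: int = 0x17,
                          path_hash: int = 0x1A2B3C4D) -> bytes:
    """Construct a minimal synthetic header so the example runs offline."""
    name = exe_name.encode("utf-16-le")[:60].ljust(60, b"\x00")
    return (struct.pack("<I4sII", version, b"SCCA", 0, HEADER_LEN)
            + name + struct.pack("<I", path_hash) + b"\x00" * 4)


if __name__ == "__main__":
    # Constructed sample: the Vista/7-style header for the lab's BOT.EXE
    sample = build_sample_prefetch("BOT.EXE")
    hdr = parse_prefetch_header(sample)
    print(hdr)
    for name in ("BOT.EXE-1A2B3C4D.pf", "NOTEPAD.EXE-1A2B3C4D.pf"):
        print(name, "mismatch" if prefetch_name_mismatch(name, hdr) else "ok")
```

Run against a real Prefetch directory, the loop at the bottom would iterate over the .pf files and pass each file's bytes to `parse_prefetch_header`; the full file layout (section offsets, run counts, last-run timestamps) differs between versions and is deliberately not parsed here.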

Registry
- Autoruns entries: check autoruns entries in the registry
- Windows Firewall modifications

Synchronization Methods
- Mutants/mutexes
- Semaphores
- Events

Communications
- Sockets: listening sockets, connected sockets
- Named pipes: inter-process communication
- Communication content: URLs, headers

Getting Started
- Finding the first artifact is sometimes the toughest part
- Process listing
- Anomalous files
- System autoruns
- Prefetch artifacts
- The good news: there are a lot of artifacts. The bad news: there are a lot of artifacts.

List of tools that can be used
- Disk: FTK, EnCase
- Memory: Volatility, Memoryze
- Live system: FTK Enterprise, Microsoft Sysinternals tools, GEMR

Questions prior to the lab?

Lab (flattened diagram; the original slide colours nodes Red = possible starting points, Blue = artifacts, and only the node labels survive here, not the links between them)
- Starting points: Process Listing, Prefetch File, Anomalous File, Autoruns Entry
- File artifacts: Read-only attribute, File Properties, Owner: Administrator, Unusual create time, Bot.exe, sdra64.exe, Registry File, Autoruns tool, Open Handle, Restore point, A0013970.exe, Rootkit Revealer, Userinit entry, Lowsec directory, Lowsec\local.ds, Lowsec\user.ds.ll
- Process artifacts: Winlogon.exe Pid: 652, Svchost.exe Pid: 876, Memory Scan, Avira_2109
- Network artifacts: Active Connections, Active sockets, Socket lists, Socket Listing, IP Address, Domain: m4ht.com, GET HTTP request, POST HTTP request, URLs

Summary
- Initial thread: found bad process in process listing, anomalous file listing, autoruns entries, prefetch file
- Found installer file and dropped file
- Identified data files
- Linked data files to winlogon and svchost
- Svchost had active sockets
- IP address linked to domain m4ht.com
- GET HTTP request to download configuration file
- POST HTTP request to upload data

Remediation
- Remove the artifacts that have been found
- Delete sdra64.exe: can we delete a file that we can't access?
- Remove the entry from the Userinit registry value: while Zeus is running this entry is checked every few seconds
- Delete the data files from the lowsec directory: can we delete files that are hidden and in use?
- Re-enable Windows Firewall
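The Registry slide and the remediation list both come back to two registry artifacts: an extra executable appended to the Winlogon Userinit value, and a Windows Firewall profile switched off. The script below is an added example (not part of the presentation and not code from the presenters or their employers) that reads a .reg export of those keys, splits the comma-separated Userinit value, reports anything other than the stock userinit.exe, and reports a standard-profile EnableFirewall of 0. It is read-only triage: it points at what to remove and leaves the removal to the examiner. The sample export is constructed inline, with the sdra64.exe path taken from the lab; the default Userinit value and the FirewallPolicy key path are assumed from standard Windows installations.

```python
"""Flag Userinit tampering and a disabled Windows Firewall in a .reg export.

Added example, not code from the original presentation. The sample export
below is constructed; the registry paths and default values are assumptions
based on stock Windows installations.
"""
import re

WINLOGON_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon")
FIREWALL_STD_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                    r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile")
# The only program a clean Userinit value should name (trailing comma is normal)
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Constructed sample export: the Userinit value carries the appended sdra64.exe
# seen in the lab, and the standard firewall profile has been switched off.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse a regedit export into {key_path: {value_name: value_string}}.

    String values are unescaped (\\\\ -> \\, \\" -> "); dword/hex values are kept
    as written so the caller can compare them literally.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        raw = m.group("raw")
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = raw
        keys[current][m.group("name")] = value
    return keys


def parse_userinit(value: str) -> list:
    """Split the comma-separated Userinit list, dropping empty trailing items."""
    return [p.strip() for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value: str, expected=EXPECTED_USERINIT) -> list:
    """Return every Userinit program that is not the stock userinit.exe."""
    return [p for p in parse_userinit(value) if p.lower() not in expected]


def registry_findings(keys: dict) -> list:
    """Summarise the two registry artifacts the lab remediates."""
    findings = []
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    for extra in unexpected_userinit_entries(userinit):
        findings.append(f"Userinit has unexpected entry: {extra}")
    fw = keys.get(FIREWALL_STD_KEY, {}).get("EnableFirewall")
    if fw is not None and fw.lower() == "dword:00000000":
        findings.append("Windows Firewall disabled for the standard profile (EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for finding in registry_findings(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

On a live system the same checks map onto `reg query` of the two keys; running them from an examiner's shell rather than a script on the suspect host avoids the "entry is checked every few seconds" race the remediation slide warns about, because the check only reads, and the actual removal still has to happen with the bot stopped first.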