Security Basics mailing list archives
RE: Malware Analysis
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 11 Nov 2009 08:35:38 +1000
Hi JMK, I welcome the expansion of the thread to include process as well as tools. I guess it just got me thinking about other tools. You're right on the money when you say that it is essential to have a framework for the tools to work within. As for the IR threads, check out http://www.securityfocus.com/archive
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of kmj1268 () comcast net
Sent: Wednesday, November 11, 2009 3:55 AM
To: murdamcloud () bigpond com; kmj1268 () comcast net; security-basics () lists securityfocus com
Subject: RE: Malware Analysis

Yes. I did notice the thread was around tools. However, I just wanted to talk about the process as well, so that was my 2 cents' worth. I also mentioned the TCPView tool, which is great at allowing you to tie processes visually to network connections. Like they say, the devil is in the details. Even if you have the best tools, it's how you use them that makes the biggest difference.

I wonder if there is a thread or SecurityFocus list around Incident Response in the event of a breach, virus attack, etc. That would be another good topic to discuss as far as processes.

As far as the question "what's in your RAM?", you should check out this episode at hak5.org. I am not affiliated with this podcasting group, but they always have great episodes around this kind of thing. http://www.hak5.org/?s=Cold+boot+attack

Thanks..
JMK

Original Message:
-----------------
From: Murda Mcloud murdamcloud () bigpond com
Date: Tue, 10 Nov 2009 10:13:50 +1000
To: kmj1268 () comcast net, security-basics () lists securityfocus com
Subject: RE: Malware Analysis

Good points. I know that the OP was asking for straightforward tools for some basic tasks, but I began to wonder whether having the ability to capture the physical memory as well might come in useful, especially as the systems may be allowed to stay 'live'. Windd is good for that.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of kmj1268 () comcast net
Sent: Tuesday, November 10, 2009 5:10 AM
To: security-basics () lists securityfocus com
Subject: Malware Analysis

In relation to the copied thread below, this is some great discussion.

I have been fascinated with the science of malware analysis myself, and there is so much to learn. While I am not an expert, what I generally see happen with a machine is processes (either hidden by rootkits or not hidden) taking over network connections and phoning home to control and command centers to grow the botnet army. You always have to take the assumption that you could have a rootkit and start from there. The problem with rootkits is they make everyday programs on the suspect's running OS that should be innocuous operate differently and hide behavior. What I have always seen as a recommendation is to take a suspect machine's drive out and have it scrubbed and analyzed with a live forensic distro. Better yet, use a Live CD distro such as Clonezilla to create a bit-for-bit clone of the hard drive. A popular one is Trinity Rescue. The key is working with something that is not native to the suspect machine. You can't trust the programs or what kind of response you might get if you run programs on a possibly rootkitted machine or one that is compromised. What you can trust is the programs on a live CD/DVD and the traffic you see on your network.

Now when the machine is running and I want to do analysis, I usually will carry a hub with me (they are certainly hard to find nowadays) and will run Wireshark on the traffic for the suspect machine. Have it running with all Explorer sessions shut down and the machine started from a reboot - but the machine doesn't need to be connected to the network. If there are rogue processes they will show up in Wireshark. Then after you identify rogue network processes you can use a program like TCPView, which will tie back a connection to a program, and then you can investigate that program to see if it is malicious.

Anyways, I just wanted to chime in and say thanks and offer my two cents for whatever it is worth. There is certainly more than one way to approach the analysis. I would be interested in learning more about the processes folks on this thread run through in this type of event. There is some excellent feedback and advice in this thread and I am glad to be able to take away some good advice myself.

Thanks so much....
JMK

J. Mark Kellerman, CISSP, CCSA-NGX
Snr Security Engineer.

Sent from my iPhone

Begin forwarded message:

From: Murda Mcloud <murdamcloud () bigpond com>
Date: November 4, 2009 11:46:13 PM EST
To: 'exzactly' <exzactly () hotmail com>, "security-basics () securityfocus com" <security-basics () securityfocus com>
Subject: RE: Security Toolkit for dummies

Fport might come in handy. I'm guessing you want 'clean' versions of everything because who knows what is running on the box itself or what has been modified. How will you be able to trust that the cmd window that you run some of these from is legit? Or that it will run at all? Maybe a cmd alternative will help, too. Fciv so you could check hashes? Regalyzer? Will you image the machines before allowing the support guys to do their stuff?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of exzactly
Sent: Thursday, November 05, 2009 4:27 AM
To: security-basics () securityfocus com
Subject: Security Toolkit for dummies

I am currently working on a (free) toolkit to pass down to Tier 3 and Tier 2 to be used in the event of a breach/infection or suspected breach/infection. In a nutshell I want to give them some tools to use to gain further information about the system and processes and/or malicious tools running on it. This toolkit is designed for a Windows desktop and Server environment.

I am looking at building out tools that are fairly easy to use and do not require much training. Currently I have the following tools on it:

(SysInternal tools)
Autoruns
PortMon
Process Explorer
Process Monitor
Ps Tools
Logon Sessions

Other tools:
Adaware

Is there anything else folks out there are using to provide their lower-level support guys with some tools for informational gathering purposes.... the tools have to run offline as systems are removed in the event of a breach or infection... I am not looking for a full blown forensics kit, just something I can train folks unfamiliar with the tool fairly quickly...
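The step JMK describes, tying each network connection back to the program that owns it (what TCPView shows interactively), can also be done offline from two text captures taken on the suspect host: `netstat -ano` and `tasklist /fo csv`. The script below is an added example for this thread, not code from any poster or tool named above. The two captures embedded in it are constructed samples in the real column layout of those commands, not output from a real machine; the PIDs, addresses and the look-alike image name in them are invented to show what the correlated report surfaces for a reviewer.

```python
"""
Correlate a captured `netstat -ano` listing with a captured
`tasklist /fo csv` listing so every connection is shown beside the
process image that owns it. Added example; sample captures below are
constructed, not taken from a real host.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (PIDs and addresses invented).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    10.0.0.5:49210         198.51.100.23:6667     ESTABLISHED     2044
  TCP    10.0.0.5:49211         203.0.113.7:443        ESTABLISHED     1576
  TCP    10.0.0.5:49300         198.51.100.23:6667     ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    1204
"""

# Constructed sample of `tasklist /fo csv` output. The image name on the
# last row is deliberately one letter off from svchost.exe so the report
# shows how a correlated view makes such a name stand out.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","812","Services","0","8,120 K"
"svchost.exe","1204","Services","0","6,004 K"
"firefox.exe","1576","Console","1","210,344 K"
"svchst.exe","2044","Console","1","3,912 K"
'''

# One netstat row: proto, local, remote, optional state (UDP has none), pid.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return a list of connection dicts parsed from `netstat -ano` text."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["state"] = d["state"] or ""
            conns.append(d)
    return conns


def parse_tasklist(text):
    """Return {pid: image name} parsed from `tasklist /fo csv` text."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def correlate(netstat_text, tasklist_text):
    """Join each connection to its owning image; a PID with no process
    row (process exited, or hidden from the listing) is flagged."""
    procs = parse_tasklist(tasklist_text)
    return [{**c, "image": procs.get(c["pid"], "<unknown pid>")}
            for c in parse_netstat(netstat_text)]


def remote_endpoints_by_process(rows):
    """Group outbound remote endpoints per image name, dropping listeners
    and unbound UDP sockets, so the reviewer sees which program talks to
    which external host."""
    out = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING" or r["remote"] in ("*:*", "0.0.0.0:0"):
            continue
        out[r["image"]].add(r["remote"])
    return {image: sorted(eps) for image, eps in out.items()}


if __name__ == "__main__":
    rows = correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    print(f"{'PID':>6}  {'Image':<14} {'Proto':<5} {'Local':<22} "
          f"{'Remote':<22} State")
    for r in rows:
        print(f"{r['pid']:>6}  {r['image']:<14} {r['proto']:<5} "
              f"{r['local']:<22} {r['remote']:<22} {r['state']}")
    print("\nRemote endpoints per process:")
    for image, eps in remote_endpoints_by_process(rows).items():
        print(f"  {image}: {', '.join(eps)}")
```

Run the two commands on the suspect host (from the toolkit's own copies, for the reasons given earlier in the thread), save the output to files, and feed those files to `correlate()` instead of the embedded samples. Any row reported as `<unknown pid>` deserves a second look, since it means a socket is owned by a PID that the process listing did not show.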
Current thread:
- Malware Analysis kmj1268 () comcast net (Nov 09)
- RE: Malware Analysis Murda Mcloud (Nov 10)
- <Possible follow-ups>
- RE: Malware Analysis kmj1268 () comcast net (Nov 10)
- RE: Malware Analysis Murda Mcloud (Nov 12)