Malware Artifacts

Post on 28-Mar-2015


Agenda

• Quick Introduction
• Quick overview of artifacts
• Walk-through lab

Introduction

• Edgar Sevilla
– CIO, Kyrus Technology
– 15 years software development, reverse engineering, computer forensics, & information security

• Ken Warren
– Director of training, AccessData
– 15 years of experience in law enforcement and computer forensic examinations

Today’s Goal

• Gain a high-level understanding of the artifacts that can be found in memory, dead disk, and live systems when malware executes

• Walkthrough of a memory image, disk image, and live systems to find artifacts

• This lab will NOT go into the reverse engineering, no matter how much I want to!

Where can we find artifacts?

• Memory
– Process enumeration
– Driver enumeration
– Module enumeration
– Open Registry keys
– Open File Handles
– Synchronization events
– Communications
– Content

Where can we find artifacts?

• Disk
– Files
– Prefetch files
– Registry Files
– File Attributes
– File Times
– Restore points
– pagefile

Where can we find artifacts?

• Live Systems
– Hidden Files
– Hidden Processes
– Repetitive actions
  • Registry activity
  • Communications
  • Processes
– Hidden Registry Entries

Processes/Drivers

• Process enumeration
• Driver enumeration

Files

• Prefetch file
• File times
• File Attributes
• Hidden files
• Open Handles
• Loaded Modules

Registry

• Autoruns entries
– Check autoruns entries in registry

• Windows Firewall modifications

Synchronization Methods

• Mutants/Mutex
• Semaphores
• Events

Communications

• Sockets
– Listening sockets
– Connected sockets

• Named Pipes
– Inter-process communication

• Communication content, urls, headers

Getting Started

• Finding the first artifact is sometimes the toughest
– Process listing
– Anomalous files
– System autoruns
– Prefetch artifacts

• Good news: there are a lot of artifacts. Bad news: there are a lot of artifacts.

List of tools that can be used

• Disk
– FTK
– Encase

• Memory
– FTK
– Volatility
– Memoryze

• Live System
– FTK Enterprise
– Microsoft Sysinternals Tools
– GEMR

Questions prior to the lab

?

Lab

[Lab diagram: Red = Possible starting points, Blue = Artifacts. Node labels recovered from the slide: Process Listing, Prefetch File, Anomalous File, Autoruns Entry, Bot.exe, Read only Attrib, Userinit entry, Lowsec directory, Winlogon.exe (Pid: 652), Svchost.exe (Pid: 876), Active sockets, Active Connections, Lowsec\local.ds, Lowsec\user.ds.ll, Avira_2109, IP Address, Domain: m4ht.com, Get HTTP Request, Post HTTP Request, URLs, A0013970.exe, sdra64.exe, Owner: Administrator, Unusual Create Time, Restore point, Open Handle, Prefetch file, File Properties, Registry File, Autoruns tool, Rootkit Revealer, Socket Listing, Memory Scan.]

Summary

• Initial Thread
– Found bad process in Process Listing
– Anomalous file listing
– Autoruns entries
– Prefetch file

• Found Installer file, and dropped file
• Identified data files
• Linked data files to winlogon & svchost
• Svchost had active sockets
• IP address linked:
– to domain m4ht.com
– Get HTTP request to download configuration file
– Post HTTP request to upload data

Remediation

• Remove artifacts that have been found
– Delete sdra64.exe
  • Can we delete a file that we can’t access?
– Remove entry from userinit registry entry
  • While Zeus is running this entry is checked every few seconds
– Delete data files from lowsec directory
  • Can we delete files that are hidden and in use?
– Re-enable Windows Firewall
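As an added example (not part of the deck), a small Python check for the Winlogon Userinit persistence that the Registry and Remediation slides refer to: it splits the value into the programs Winlogon launches at logon and flags anything beyond the stock userinit.exe. The registry path and default value are standard Windows; that %SystemRoot% is C:\Windows and the sample values (including the sdra64.exe entry modelled on the lab) are assumptions constructed for this example.

```python
import ntpath
import re

# Standard Windows location and stock value (trailing comma included).
USERINIT_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"
# Assumption for this example: %SystemRoot% resolves to C:\Windows.
SYSTEM_ROOT = r"C:\Windows"


def normalize_entry(entry: str) -> str:
    """Canonical form of one entry: unquoted, %SystemRoot% expanded, lower-cased."""
    entry = entry.strip().strip('"')
    entry = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, entry, flags=re.IGNORECASE)
    return ntpath.normpath(entry).lower()


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated REG_SZ value into the programs Winlogon will launch."""
    return [normalize_entry(p) for p in value.split(",") if p.strip()]


def extra_userinit_entries(value: str) -> list[str]:
    """Every program in the value other than the stock userinit.exe.
    Zeus-style persistence appends its dropped file (the lab's sdra64.exe) after
    userinit.exe, so a clean value yields an empty list."""
    default = normalize_entry(DEFAULT_USERINIT.rstrip(","))
    return [e for e in parse_userinit(value) if e != default]


def userinit_is_clean(value: str) -> bool:
    """True only when exactly the stock userinit.exe is launched and nothing else."""
    return parse_userinit(value) == [normalize_entry(DEFAULT_USERINIT.rstrip(","))]


# Constructed sample values for this example (not read from a real system).
SAMPLES = {
    "clean": DEFAULT_USERINIT,
    "clean_envvar": r'"%SystemRoot%\system32\userinit.exe",',
    "zeus_appended": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,",
    "replaced": r"C:\Windows\system32\sdra64.exe,",
}

if __name__ == "__main__":
    print(f"Checking {USERINIT_VALUE}")
    for name, value in SAMPLES.items():
        print(f"{name:14} clean={userinit_is_clean(value)!s:5} extra={extra_userinit_entries(value)}")
```

Because the deck notes that Zeus re-checks this entry every few seconds while it runs, repeat the check after the process is stopped and again after a reboot, not only once.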