malware / backdoor

Post Posted: Mon Dec 23, 2013 3:20 pm

Hi, if I found malware or a backdoor virus on a computer, how do I tell which information it is gathering from the computer? Also, how can I trace where it is broadcasting it to (IP or mail)?

thanks for all the replies.

gavriel  

gavrielhan
Member
 
 
  

Re: malware / backdoor

Post Posted: Mon Dec 23, 2013 10:15 pm

If you catch it in the act of collecting and sending data then a Wireshark trace would be a good place to start (assuming the data isn't encrypted and the malware doesn't kill the debug tools).

Passmark
Senior Member
 
 
  

Re: malware / backdoor

Post Posted: Tue Dec 24, 2013 5:15 am

- gavrielhan
Hi, if I found malware or a backdoor virus on a computer, how do I tell which information it is gathering from the computer?


Only way is to analyze it. You could rely on analysis of others, but chances are pretty good that antivirus company X will identify it as a Generic-Java-Trojan, and add the note that it collects passwords, and nothing more.

Executables can be run in special, 'bare' environments, along with something like SysInternals Process Monitor that records everything that happens. Or in a sandbox, where every attempt to reach or modify the environment is intercepted and redirected to safe copies. (Sandboxie is useful for simpler sandboxing experiments.)

Also, how can I trace where it is broadcasting it to (IP or mail)?


That comes out of your analysis as above. In a good sandbox, attempts to send network traffic would be intercepted and logged; in a monitored environment, the system calls that send data to a network connection are monitored and can be examined. You can even set up a throw-away system, let it get infected, and monitor all network traffic in and out of that system. (That takes a bit of planning, as you don't really want to hand the system over to an intruder ...)

Of course, you may not be able to -- you may have found a generic downloader that gets the actual malware from an internet site, the address of which is carefully *not* stored anywhere, but passed as run-time information at the time of infection. That is, you're looking at the first stage of a multi-stage malware 'rocket'. In those cases, you may not be able to do more than identify it as one.

There are a number of books on the topic -- I like Malware Forensics by Malin, Casey & Aquilina -- but I see there are several later titles that also seem useful, including Malware Forensics Field Guide for Windows Systems by the same authors.  

athulin
Senior Member
 
 
  
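
Passmark's Wireshark suggestion and athulin's throw-away-system capture both end in a pcap file. The following is an added example, not code from anyone in this thread, that reads a classic libpcap capture offline and summarises the remote endpoints and DNS names the monitored host contacted, roughly what Wireshark's Endpoints and Conversations statistics give you. The capture it parses is constructed inline (one DNS query for a placeholder name and one TCP SYN to a documentation-range address), so it runs without any real traffic.

```python
import struct
from collections import Counter

def parse_dns_qname(payload):
    labels, pos = [], 12        # skip the 12-byte DNS header; queries do not use name compression
    while pos < len(payload) and payload[pos] != 0:
        ln = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    return ".".join(labels)

def summarise_pcap(data):
    """Return ({'tcp': Counter, 'udp': Counter} keyed by 'dst_ip:dst_port', set of DNS names)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    endpoints, dns_names, pos = {"tcp": Counter(), "udp": Counter()}, set(), 24
    while pos + 16 <= len(data):                  # 16-byte per-packet record header
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pkt, pos = data[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # Ethernet II carrying IPv4 only
            continue
        ip = pkt[14:]
        ihl, proto, dst = (ip[0] & 0x0F) * 4, ip[9], ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if proto == 6 and len(l4) >= 20:              # TCP: record the destination port
            endpoints["tcp"][f"{dst}:{struct.unpack('>H', l4[2:4])[0]}"] += 1
        elif proto == 17 and len(l4) >= 8:            # UDP: record port, decode DNS queries
            dport = struct.unpack(">H", l4[2:4])[0]
            endpoints["udp"][f"{dst}:{dport}"] += 1
            if dport == 53:
                dns_names.add(parse_dns_qname(l4[8:]))
    return endpoints, dns_names

def _frame(proto, dst, payload):
    """Ethernet II + IPv4 frame from 10.0.0.5 (checksums left zero; the parser ignores them)."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes(dst)) + payload
    return b"\x00" * 12 + b"\x08\x00" + ip

def _record(frame):
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
# Constructed capture, not real malware traffic: a DNS query for a placeholder name,
# then a TCP SYN to a documentation-range address (203.0.113.7) on port 443.
_DNS = (struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
        + b"\x02c2\x07example\x07invalid\x00" + struct.pack(">HH", 1, 1))
_UDP = struct.pack(">HHHH", 50000, 53, 8 + len(_DNS), 0) + _DNS
_TCP = struct.pack(">HHIIBBHHH", 50001, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(_frame(17, [10, 0, 0, 1], _UDP))
               + _record(_frame(6, [203, 0, 113, 7], _TCP)))
```

Replace SAMPLE_PCAP with the bytes of a real capture from the monitored system; as athulin notes, a contacted address on its own only tells you that a connection was attempted, not what was sent.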

Re: malware / backdoor

Post Posted: Tue Dec 24, 2013 2:25 pm

Hi, first thanks for all the replies.

Would it be best to use Wireshark, or is a sandbox better? I do know Wireshark; a sandbox is a rather new concept to me. I have seen some sites that allow you to load a file for examining, but it takes a rather long time or they get stuck.

Is there a way of loading multiple files to a sandbox for analysis?

thanks in advance for all the answers.

Gavriel  

gavrielhan
Member
 
 
  

Re: malware / backdoor

Post Posted: Wed Dec 25, 2013 7:17 am

- gavrielhan
Would it be best to use Wireshark, or is a sandbox better?


They're different. Not necessarily better.

You could set up a system, install the suspected malware, and use Wireshark, but if the malware doesn't try to communicate while you're monitoring, it doesn't do any good. And if it does communicate ... but there's nothing at the other end ... you're not much further ahead -- did it try to send password hashes? or download malware? or open a backdoor? You don't know, you only know that there was an attempt at communication. Perhaps it was looking for a software update.

With a sandbox, you might find out that the program created a registry entry to ensure that it would be executed on the next reboot or login. You might find that it tried to read files. Etc. But unless you can put that into context, it's not of any use either.

But unless you understand malware analysis, and *why* you choose to use Wireshark or a sandbox or a disassembler or a debugger ... it's of no use to you.

Try 'Malware Analysis - An Introduction' from the SANS Institute reading room.  

athulin
Senior Member
 
 
  

Re: malware / backdoor

Post Posted: Fri Dec 27, 2013 9:08 am

- gavrielhan
Hi, if I found malware or a backdoor virus on a computer, how do I tell which information it is gathering from the computer?


Assuming that you still have that system live and running, and you have access to it, you can start by examining the system itself.

One of the biggest issues with this sort of activity is that most folks doing it are malware RE folks, and as such, the focus is purely on malware-specific aspects and most of the work being done focuses on what _could be done_ by the malware, rather than what was actually done.

A good way to start is to find out what the malware actually is...I highly recommend that you hash the malware (SHA-1) and do a search on VirusTotal. Or, depending upon how you found the malware (say, via an AV alert), look up the malware based on your detection mechanism. From there, look for data repository files (such as RAR archives, etc.). If you can get a memory capture while the malware is running (on Windows systems, I've had considerable luck with hibernation files when memory captures were not available), you can get much more granular information (handles, run strings on process memory, etc.).

Reading AV vendor write-ups will only get you so far, as will performing static/dynamic analysis of the sample extracted from the system image.

- gavrielhan
Also, how can I trace where it is broadcasting it to (IP or mail)?


As others have said, you can monitor the system while it is active in order to determine this...however, there are alternatives. IF the malware is reporting off of the system using the WinInet API, and IF it is running with System-level privileges (as with a Windows service), you may be able to find indications of off-system comms via the appropriate index.dat file (for XP, the profile is "Default User", for Vista+, it will usually be "Network Service"...).

Again, if the system has a hibernation file, and if the system hibernated while the malware was active in memory, you may be able to extract information about the malware process memory. I've also found some valuable information in the pagefile, but that will depend upon a number of factors (malware type and family, etc.).  

keydet89
Senior Member
 
 
  
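
Two of keydet89's steps above, hashing the sample (SHA-1) for a VirusTotal search and looking for data repository files such as RAR archives, can be done in one pass over a directory of files pulled from the image. This is an added example, not keydet89's or anyone else's code; the signature list, the expected extensions and the constructed sample files are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Magic bytes for the container and executable types worth flagging (an assumed, short list).
_SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
]
_EXPECTED_EXT = {"rar4": ".rar", "rar5": ".rar", "zip": ".zip", "pe": ".exe"}

def classify_bytes(data, name=""):
    """Hashes plus a magic-byte type; ext_mismatch flags an extension that hides the real type."""
    kind = next((k for sig, k in _SIGNATURES if data.startswith(sig)), "unknown")
    ext = os.path.splitext(name)[1].lower()
    return {
        "name": name,
        "type": kind,
        "sha1": hashlib.sha1(data).hexdigest(),       # the hash suggested for a VirusTotal search
        "sha256": hashlib.sha256(data).hexdigest(),
        "ext_mismatch": kind != "unknown" and ext != _EXPECTED_EXT[kind],
    }

def scan_directory(root):
    """Classify every regular file under root; returns records sorted by relative path."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                results.append(classify_bytes(fh.read(), os.path.relpath(path, root)))
    return sorted(results, key=lambda r: r["name"])

def scan_constructed_samples():
    """Writes a throw-away tree of constructed files, scans it and cleans up (demo input only)."""
    samples = {
        "report.dat": b"Rar!\x1a\x07\x00" + b"\x00" * 32,   # RAR v4 archive renamed to .dat
        "notes.txt": b"just text",
        "svc.exe": b"MZ" + b"\x00" * 62,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_directory(root)
```

Point scan_directory at the extracted files; a file whose magic bytes say RAR but whose extension says otherwise is a candidate staging archive worth opening before the VirusTotal results come back.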

Re: malware / backdoor

Post Posted: Sun Dec 29, 2013 3:39 am

I believe this needs to be broken into two parts as mentioned by keydet89. Understanding the malware or its capabilities can be the first part. This will give you an insight into what the malware is, things it can do, files it will create/delete, servers/domains it will contact, registry keys that will be modified/created etc. If you have a copy of the malware, you can use something like Cuckoo Sandbox to analyze it. Have a look at malwr.com for this.

Doing a live memory capture and having a look at it using Volatility framework or similar tools will also provide you with very good information about malware behavior. I strongly recommend it.

Armed with the above knowledge, you can look into the suspect system and move on to the second part, where you will try and map your knowledge of the malware's behavior to the artifacts you find on the system. You might need to make use of malware analysis as well as timeline analysis to gather information about:

1. How the malware found its way into the system? i.e. malicious PDF/Office file/TIFF file or a Java applet etc.
2. What changes were made on this system by malware?
3. What information was accessed during the infection time? (this could be difficult)

Cheers,
Kartik  

kartik
Newbie
 
 