Scanning Images

keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

All,

First off, I'd like to hear how folks are scanning imaged systems for malware. I know that you can mount the image in EnCase's virtual file system, or you can use LiveView to open up a dd image as a running system in VMWare.

Given, say, just a dd image, what are some other methods for scanning for malware?

This brings me to the issue of artifacts. Do you think it would be feasible to develop classes of artifacts such that exploits or other issues (malware, etc) could be easily culled from an image?

Harlan

 
Posted : 28/11/2006 11:49 pm
deckard
(@deckard)
Posts: 77
Trusted Member
 

That could be one of the Holy Grails of CF. It seems I have to do a lot of research every time I run across a new possible artifact or malware that I don't know artifacts of. I don't experience it enough to build a viable personal repository, I need the impact of many other folks' discoveries.

As for dd images, I almost totally rely on finding artifacts or other traces of malware files. I have been playing with the Liveview/VMW combo, but my results are really mixed.

Bill

 
Posted : 29/11/2006 6:21 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

> That could be one of the Holy Grails of CF

Perhaps. This is something I've been wrestling with lately…a viable means of cutting through the "noise" in an image or on a live system. My thinking is that if something like this can be developed, something that can be used, then it *will* be used…and maybe we can move away from the mentality of reformatting the hard drive and reinstalling the OS.

 
Posted : 29/11/2006 7:11 am
az_gcfa
(@az_gcfa)
Posts: 116
Estimable Member
 

At one time I simply scanned disk images via network devices' SMB shares for the presence of viruses and malware. Initially, just to detect if anything was present.
I prefer to mount the image copy read-only in loopback mode on Linux, allowing individual file granularity for the scanning. I have found it beneficial to use two different virus/malware products. This process is slower than direct attached devices. On the plus side I can access the data from different systems. I have one system set up for scanning and another one with forensic tools.

 
Posted : 29/11/2006 10:47 am
(@member)
Posts: 22
Eminent Member
 

yes, if you wanna do it for free… mount the dd image(partitions) as LOOP DEVICE in linux. open up SMB share. scan it using windows.

SIMPLE! (o

 
Posted : 29/11/2006 7:35 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Harlan,

Scanning for malware on a system could be done any number of ways.
Some things I've done…

Tried Gargoyle (pretty useless when it comes to malware..not sure how it is with the other files it claims to be able to search for) on images mounted with Mount Image Pro.

Compared hashes against the nepenthes and offensivecomputing.net hashes.
I've yet to really delve into ssdeep for this purpose but I imagine it would help an awful lot.

In my experience anyways I've noticed that the windows based antivirus tools kind of suck. Bitdefender seems to come up with a lot of things that Symantec and others seem to miss regularly so I mount an image in linux and scan with BDC.

Artifact libraries while a great idea are almost impossible to develop. I guess libraries already exist for things like spyware or trojans in so far as we have common search locations in the registry and the file system but other than that, with point and click malware dev tools and the abundance of programmers out there it would be extremely difficult to create an accurate library.

That said..
Someone *could* write a crawler that rips through the AV vendors' sites to pull out the relevant technical sections of the malware descriptions, organize them by class and generate a generic library that way, but it would still be behind the curve.

 
Posted : 29/11/2006 7:55 pm
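A minimal version of the hash comparison hogfly describes, written as an added shell example for this thread (it is not hogfly's or any poster's tooling). It walks a mounted, read-only evidence tree, MD5-hashes every regular file and prints the ones whose hash appears in a known-bad list, the way a hash set exported from a honeypot or sandbox collection would be used. The hash list and the files in the demo are constructed for the demonstration and are not real malware hashes; the ssdeep wrapper assumes ssdeep is installed and that a file of known fuzzy hashes is at hand.

```shell
#!/bin/sh
# Added example: sweep a (read-only mounted) tree for files whose MD5 is in a
# known-bad hash set. All sample data below is constructed for the demo.

# Constructed known-bad set: one lower-case MD5 per line. This single entry is
# the MD5 of the string "hello\n", standing in for a malware sample's hash.
KNOWN_BAD_MD5='b1946ac92492d2347c6235b4d2611184'

# hash_sweep TREE HASHFILE
# Hash every regular file below TREE and print the path of each one whose
# MD5 appears in HASHFILE (case-insensitive, whole-line match).
hash_sweep() {
    tree="$1"
    hashfile="$2"
    find "$tree" -type f -exec md5sum {} + 2>/dev/null |
    while read -r sum path; do
        if grep -qix "$sum" "$hashfile"; then
            printf '%s\n' "$path"
        fi
    done
}

# fuzzy_sweep TREE SSDEEP_LIST
# Same idea with ssdeep's context-triggered piecewise hashes, so variants that
# differ by a few bytes (repacked, patched strings) still score a match.
# -r recurses into TREE, -m compares each file against the hashes in SSDEEP_LIST.
fuzzy_sweep() {
    ssdeep -r -m "$2" "$1"
}

# Demonstration on constructed files in a temporary directory (not evidence):
# prints the path of the one file that hashes to the known-bad entry.
demo_sweep() {
    d=$(mktemp -d)
    printf 'hello\n'  > "$d/evil.exe"      # MD5 matches KNOWN_BAD_MD5
    printf 'benign\n' > "$d/readme.txt"    # MD5 does not
    printf '%s\n' "$KNOWN_BAD_MD5" > "$d/known_bad.md5"
    hash_sweep "$d" "$d/known_bad.md5"
    rm -rf "$d"
}
```

Exact-hash matching only catches samples already in the set, which is the same limitation JakeC raises below for signature scanners; the ssdeep pass is the cheap way to widen that net to near-duplicates without a new signature per variant.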
(@jakec)
Posts: 7
Active Member
 

I had success mounting the dd image as a RO loopback under Linux and scanning it with ClamAV.

I don't think we should move away from the mentality of reformat/reinstall because as with all malware scanners, you can only detect malware that is known to the scanner. There is no guarantee that your system is clean simply because your AV software says it's clean.

 
Posted : 29/11/2006 8:35 pm
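The procedure the last three posts describe (read-only loopback mount of a dd image on Linux, then a scan with ClamAV), as an added shell example that is not from any of the posters. It assumes a raw image of a whole disk whose partition start sector has already been read from the partition table (for instance with Sleuth Kit's mmls), 512-byte sectors unless told otherwise, and that clamscan is installed; the image name, mount point and start sector are placeholders set through environment variables.

```shell
#!/bin/sh
# Added example: read-only loopback mount of a raw (dd) image and ClamAV sweep.
# IMAGE, MOUNTPOINT and PART_START are placeholders; PART_START is the
# partition's first sector as printed by e.g. `mmls image.dd`.
IMAGE="${IMAGE:-evidence.dd}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/evidence}"
PART_START="${PART_START:-63}"

# part_offset START_SECTOR [SECTOR_SIZE]
# Byte offset of a partition inside the image: start sector * sector size
# (512 assumed when no size is given).
part_offset() {
    echo $(( $1 * ${2:-512} ))
}

# mount_opts START_SECTOR [SECTOR_SIZE]
# Mount options for an evidence volume: read-only, through a loop device at
# the partition offset, and with nothing on it executable, setuid or usable
# as a device node, so a scanner walking the tree cannot run what it finds.
mount_opts() {
    echo "ro,loop,noexec,nosuid,nodev,offset=$(part_offset "$1" "$2")"
}

# scan_partition START_SECTOR
# Mount the partition, run a recursive ClamAV scan that logs only hits, then
# unmount. Needs root. Returns clamscan's exit status (0 = clean,
# 1 = infected files found, 2 = error) or 2 if the mount itself failed.
scan_partition() {
    start="$1"
    mkdir -p "$MOUNTPOINT"
    mount -o "$(mount_opts "$start")" "$IMAGE" "$MOUNTPOINT" || return 2
    clamscan -r --infected --log="$MOUNTPOINT.clamav.log" "$MOUNTPOINT"
    rc=$?
    umount "$MOUNTPOINT"
    return $rc
}

# The mount and scan only run when explicitly requested (RUN_SCAN=1), so the
# helpers above can be sourced or checked without touching the system.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    scan_partition "$PART_START"
fi
```

Usage: `RUN_SCAN=1 IMAGE=/cases/001.dd PART_START=63 sh mount_scan.sh` as root. To get the "scan from Windows" variant the earlier posts mention, the same mount point can be exported read-only over Samba and pointed at from a second scanner; az_gcfa's point about using two different products applies either way, since each engine misses things the other catches.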
az_gcfa
(@az_gcfa)
Posts: 116
Estimable Member
 

Another point often overlooked with the reformat and reinstall methodology - this does not truly purge an infected disk. The viruses or malware can still reside in file slack and unallocated disk space. Yes, the possibility of a recurrence is somewhat less. I always insist that any system that has been infected by virus, malware or intrusion must be wiped before any reinstallation.
Previously, when I ran an IT Security department, I insisted on the two-architecture approach for servers. If some incident would cause a production server to be taken off-line, I would insist that the off-line system be scanned by another chip architecture based server. For example, if the system was Intel based, an HP or Sun server would be required to validate the system prior to reactivation.

 
Posted : 29/11/2006 10:14 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

JakeC,

> I don't think we should move away from the mentality of reformat/reinstall…

Well, what that mentality doesn't take into account is a root cause analysis. An infected or compromised system can be taken offline, the hard drive wiped and reformatted, and everything installed from clean media…but if you don't know how the system got p0wned in the first place, how do you prevent it from happening again?

Harlan

 
Posted : 30/11/2006 1:37 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Hogfly,

> Artifact libraries while a great idea are almost impossible to develop.

Funny…Will Smith's new movie has a scene where the main character says, "People will tell you something is impossible because they can't do it."

I don't think that an artifact library is difficult to develop…as you've pointed out, there are already several out there. With MetaSploit, you could easily document artifacts based on exploits available in the framework.

Would it be tough to maintain? Perhaps. But maybe what's needed is a slightly different approach…an artifact "library" sounds too much like a signature-based approach, and signatures can be hard to maintain. How about a framework for understanding how artifacts are created, and where they might be located based on different scenarios (remote compromise, etc)?

After all, even though there are malware toolkits out there, the number of places within the Registry where you can autostart something is finite. Also locating executables isn't all that hard, if you think about it.

> Someone *could* write a crawler

Funny. Rather than putting that off on someone else to do, would it be possible to come up with a consensus, or at least have a discussion about classifying artifacts?

 
Posted : 30/11/2006 1:50 am
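As an added illustration of the point above that autostart locations are a finite, enumerable set (an example written for this thread, not Harlan's or anyone's tool): a constructed, pipe-separated dump of a few autostart values as an offline hive parser might report them from the image's SOFTWARE hive, and an awk rule that lists for review every entry whose target lies outside the Windows directory or that differs from the Windows XP defaults for the Winlogon Shell and Userinit values. The dump format and the "updater" entry are invented for the demonstration.

```shell
#!/bin/sh
# Added example: triage of a finite set of registry autostart locations from an
# offline hive dump. Format (constructed, pipe-separated): KEY|VALUE NAME|DATA.
# A real dump would come from an offline hive parser run against the image's
# SOFTWARE hive; every entry below is invented for the demonstration.
SAMPLE_AUTOSTART='/Microsoft/Windows/CurrentVersion/Run|ctfmon|C:\WINDOWS\system32\ctfmon.exe
/Microsoft/Windows/CurrentVersion/Run|updater|C:\Documents and Settings\bob\Local Settings\Temp\upd.exe
/Microsoft/Windows NT/CurrentVersion/Winlogon|Shell|Explorer.exe
/Microsoft/Windows NT/CurrentVersion/Winlogon|Userinit|C:\WINDOWS\system32\userinit.exe,'

# flag_autostarts DUMP
# Print the full "KEY|NAME|DATA" line for entries an analyst should look at:
#  - Winlogon Shell/Userinit values that differ from the XP defaults
#    ("Explorer.exe" and "C:\WINDOWS\system32\userinit.exe,")
#  - any other autostart whose target is not under C:\WINDOWS
# The rule is deliberately coarse: it produces candidates, not verdicts, and a
# Program Files target will be listed too so that it gets a look.
flag_autostarts() {
    printf '%s\n' "$1" | awk -F'|' '
    NF >= 3 {
        key = $1; name = $2; data = $3; lower = tolower(data)
        if (key ~ /Winlogon$/) {
            if (name == "Shell" && lower != "explorer.exe") print $0
            else if (name == "Userinit" && lower != "c:\\windows\\system32\\userinit.exe,") print $0
        } else if (lower !~ /^c:\\windows\\/) {
            print $0
        }
    }'
}
```

Run as `sh autostart_triage.sh` after adding `flag_autostarts "$SAMPLE_AUTOSTART"` at the bottom, or feed it a real dump converted to the same three-field layout. The useful property is the one the post points at: the list of keys to read is fixed and can be checked against known-good defaults, which is a framework question (where can something start, what should be there) rather than a per-sample signature.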