Scanning for rootkits and malware

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
DataR
Member
 

Scanning for rootkits and malware

Posted: Aug 23, 16 21:07

I have a case in which the client claims that his laptop was infected with a rootkit or malware of some kind, which allowed the creator of the rootkit to take control of his laptop and to post defamatory posts using my client's name.

Now usually I scan for hash set matches, and use some sort of malware detector like the one by Emsisoft to scan the drive's image.

Is there anything else I'm missing, any additional step I need to take in this one?
 
  

Rampage
Senior Member
 

Re: Scanning for rootkits and malware

Posted: Aug 23, 16 22:32

Generally when it comes to malware, and especially rootkits, analyzing the system with automated tools isn't enough.

Especially if we are specifically talking about rootkits, it sounds like a fairly sophisticated attack, and you should really take precautions to make sure you are not missing anything.

There are many ways a rootkit can hide itself on a Windows system, and you should really be confident with them when analyzing a machine that is potentially infected with a sophisticated tool.
If it's a high-profile attack, don't expect to find the malware by simply running automated tools that scan the disk image for known hashes.

Obviously it depends on the profile of the case / attack you are dealing with, but if you smell that there is the hand of a skilled attacker who is using self-crafted tools, the analysis can become really tedious.

Things you should do, somewhat in a logical order of precedence (don't take this as a golden rule):

- Scan with tools and see if you find results. If the finding is compatible with what you are expecting, then forensically verify the way the malware was installed on the system, and see if the results are compatible with the case you are dealing with.

- If no findings: check all the persistence locations that can be used by malware on the target OS. Malware can hide, but it must run, and to survive reboots it needs persistence.

- Try to filter by signed and unsigned executables that run at boot; the same applies for drivers. It's not so common to find malware code digitally signed with valid and trusted certificates, so this can help you restrict the dataset for further analysis.

- If you can, compare the installed OS with a baseline installation of the same exact version as the target: this can help you whitelist by known goods.

- If available, analyze the memory dump of the system when it was turned on and check for processes, services, DLLs loaded by processes and so on; verify the consistency of the process tree (iexplorer.exe running under svchost is definitely not good).

- A timeline of events is always your friend. Try to correlate everything and understand the meaning of the events you are analyzing.

If you find anything suspicious in terms of executables, DLLs, drivers, services, whatever, then your next step is to find out how deep the white rabbit hole goes by diving into the field of malware analysis and reverse engineering...
If you have little or no experience in this, I really suggest you get in touch with an expert who can aid you in the investigation.


But don't let all the things I said scare you... don't overdo it if there is no reason to. Start with the simple things and raise the bar little by little. A profile of the potential attacker can help you a lot in understanding how complex the analysis can be, what tools he has access to, and so on: for commercial RATs, pretty much every antivirus can detect them, and you can easily spot them by looking at the autorun entries, or at the installed services for the more complex ones.

Good luck!
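The first four steps above (hash-set match, persistence locations, signed versus unsigned boot-time code, whitelisting against a clean baseline) can be folded into one triage pass over an export of the image's autostart entries. The script below is an added example, not part of Rampage's post or of any tool mentioned here; the CSV rows, hash values, signer strings and trusted-signer list are all constructed for illustration.

```python
import csv
import io

# Constructed sample shaped like an export of autostart entries from the
# disk image (one row per persistence entry); not real case data.
SAMPLE_AUTORUNS = r"""entry_location,entry,image_path,signer,sha256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,(Verified) Microsoft Windows,aaa1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe,(Verified) Microsoft Corporation,bbb2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,WinUpdate,C:\Users\bob\AppData\Roaming\winupdate.exe,(Not verified),ccc3
HKLM\SYSTEM\CurrentControlSet\Services,netfilt,C:\Windows\System32\drivers\netfilt.sys,(Not verified) Contoso,ddd4
HKLM\SYSTEM\CurrentControlSet\Services,AcmeSvc,C:\Program Files\Acme\acme.exe,(Verified) Acme Ltd,eee5
"""

# SHA-256 values from a clean baseline install of the same OS build (constructed).
BASELINE_KNOWN_GOOD = {"aaa1"}
# SHA-256 values from a malware hash set (constructed).
KNOWN_BAD = {"ccc3"}
# Signers the examiner accepts as trusted for this case (constructed list).
TRUSTED_SIGNERS = {"(Verified) Microsoft Windows", "(Verified) Microsoft Corporation"}
# Locations an unprivileged user can write to; legitimate boot-time code rarely lives here.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def triage(csv_text, known_good, known_bad, trusted):
    """Return (entry, image_path, reasons) for every autostart entry worth a look,
    most suspicious first. Baseline matches are whitelisted and dropped."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["sha256"] in known_good:
            continue  # identical to the clean baseline: known good
        reasons = []
        if row["sha256"] in known_bad:
            reasons.append("hash-set match")
        if not row["signer"].startswith("(Verified)"):
            reasons.append("unsigned or signature not verified")
        elif row["signer"] not in trusted:
            reasons.append("signed, but by a signer not on the trusted list")
        if row["image_path"].lower().startswith(WRITABLE_PREFIXES):
            reasons.append("runs from a user-writable path")
        if reasons:
            findings.append((row["entry"], row["image_path"], reasons))
    # Entries with the most independent reasons float to the top.
    findings.sort(key=lambda f: (-len(f[2]), f[0]))
    return findings


if __name__ == "__main__":
    for entry, path, reasons in triage(SAMPLE_AUTORUNS, BASELINE_KNOWN_GOOD, KNOWN_BAD, TRUSTED_SIGNERS):
        print(f"{entry:<16} {path}\n    {'; '.join(reasons)}")
```

A trusted-signer entry that only trips the writable-path rule (OneDrive in the sample) is expected noise and sits at the bottom; it is the entries that stack several reasons that deserve the reverse-engineering effort Rampage describes.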
 
  

tracedf
Senior Member
 

Re: Scanning for rootkits and malware

Posted: Aug 23, 16 23:35

Rampage's reply was great. Start with that.

You should also check the Event Logs for things like service installation/start that might indicate the presence or introduction of malware.

You may want to boot a working copy of the image as a VM so that you can check open file handles, loaded DLLs, etc.

Check the scheduled tasks for possible malware as well.

If you do find malware, your job isn't done. You still need to figure out what it is and what its capabilities are. Finding a banking Trojan won't prove your client's case; you need to be able to show that the malware is (at least conceivably) connected to the activity that he is accused of.

Good luck.  
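The Event Log and scheduled-task checks above can be scripted against the parsed logs from the image. The example below is added here and is not tracedf's code; it assumes the event records have already been exported from the evtx files into dictionaries with the EventData field names (the records, paths and names are constructed). It picks out service installations (System log, event 7045) and scheduled-task creations (Security log, event 4698), flags those whose binary lives in a user-writable path, and orders them into the kind of timeline Rampage recommends.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed records shaped like parsed Windows event-log entries (the field
# names follow the event's EventData); not real case data.
SAMPLE_EVENTS = [
    {"time": "2016-08-20T09:12:03", "channel": "System", "event_id": 7045,
     "data": {"ServiceName": "Intel Update Service", "ServiceType": "user mode service",
              "ImagePath": "C:\\Program Files\\Intel\\iusvc.exe"}},
    {"time": "2016-08-20T23:41:17", "channel": "System", "event_id": 7045,
     "data": {"ServiceName": "WinHelper", "ServiceType": "user mode service",
              "ImagePath": "C:\\ProgramData\\helper\\whlp.exe"}},
    {"time": "2016-08-20T23:41:20", "channel": "Security", "event_id": 4698,
     "data": {"TaskName": "\\SysCheck", "SubjectUserName": "bob",
              "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\bob\\AppData\\Roaming\\upd.exe"
                             "</Command></Exec></Actions></Task>"}},
    {"time": "2016-08-21T08:00:00", "channel": "System", "event_id": 7036,
     "data": {"param1": "Print Spooler", "param2": "running"}},
]
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def _suspicious_path(path):
    p = path.strip().strip('"').lower()
    return p.startswith(WRITABLE_PREFIXES)

def _task_command(task_xml):
    # Real 4698 TaskContent XML carries a namespace, so match on the local tag name.
    for el in ET.fromstring(task_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Command" and el.text:
            return el.text.strip()
    return ""

def persistence_timeline(events):
    """Pick out service installs (System 7045) and scheduled-task creations
    (Security 4698), flag those launching from user-writable paths, and
    return them in time order as (time, flag, kind, name, path)."""
    hits = []
    for ev in events:
        d = ev["data"]
        if ev["channel"] == "System" and ev["event_id"] == 7045:
            kind, name, path = "service installed", d["ServiceName"], d["ImagePath"]
        elif ev["channel"] == "Security" and ev["event_id"] == 4698:
            kind, name, path = "scheduled task created", d["TaskName"], _task_command(d["TaskContent"])
        else:
            continue  # other events are not persistence-related here
        flag = "REVIEW" if _suspicious_path(path) else "info"
        hits.append((datetime.fromisoformat(ev["time"]), flag, kind, name, path))
    return sorted(hits)
```

Two REVIEW entries three seconds apart, as in the sample, is exactly the sort of correlation a timeline makes visible that a per-artifact scan would not.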
 
  

athulin
Senior Member
 

Re: Scanning for rootkits and malware

Posted: Aug 24, 16 16:38

- DataR
I have a case in which the client claims that his laptop was infected with a rootkit or malware of some kind, which allowed the creator of the rootkit to take control of his laptop and to post defamatory posts using my client's name.


Have you verified that that laptop was used in that way? Is there some kind of client involved?

There just might be a simpler solution.  
 
  

DataR
Member
 

Re: Scanning for rootkits and malware

Posted: Aug 24, 16 20:24

First of all, thank you Rampage and tracedf for your replies, I learned a lot from them!

Regarding the question asked by athulin: yes, I have established a solid base in showing that the laptop was involved in the defamatory act my client is being accused of.
 
  

passcodeunlock
Senior Member
 

Re: Scanning for rootkits and malware

Posted: Sep 04, 16 10:29

If some malware is still there, it will try to communicate, sending or listening for data over the network. Create a VM from the device, start it and use some reliable local process explorer. Log the traffic, and try figuring out the communication; it could lead to the hidden unknown running programs. Even if you see nothing unusual at the beginning, give it time, since the "bad" process might be running scheduled or as a fork of a legitimate, but infected, application.
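The "give it time" advice above has a concrete counterpart: a scheduled or forked process that calls home does so at near-constant intervals, so a connection log collected over a long VM session can be grouped per process and destination and scored on how regular the gaps are. The script below is an added example, not part of passcodeunlock's post; the log format (epoch seconds, process name, destination IP, port) and every line in it are constructed, and the addresses are documentation ranges.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log captured from a VM booted from the image
# (not real capture data). Columns: epoch_seconds process dst_ip dst_port
SAMPLE_CONN_LOG = """
1471900000 OneDrive.exe 198.51.100.20 443
1471900300 upd.exe 203.0.113.7 8080
1471900610 upd.exe 203.0.113.7 8080
1471900912 upd.exe 203.0.113.7 8080
1471901200 OneDrive.exe 198.51.100.20 443
1471901215 upd.exe 203.0.113.7 8080
1471901520 upd.exe 203.0.113.7 8080
1471901830 OneDrive.exe 198.51.100.20 443
1471902300 chrome.exe 192.0.2.10 443
"""


def find_beacons(log_text, min_conns=4, max_jitter=0.1):
    """Group connections by (process, dst_ip, dst_port) and report the groups
    whose inter-connection gaps are nearly constant: the periodic call-home
    pattern that only becomes visible once the VM has run for a while.
    Returns (key, mean_gap_seconds, jitter) for each flagged group."""
    times = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, proc, dst, port = line.split()
        times[(proc, dst, int(port))].append(int(ts))
    beacons = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue  # too few samples to call it periodic
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        # Relative spread of the gaps: 0 means perfectly regular. Duplicate
        # timestamps (avg == 0) are not a beacon, so they get infinite jitter.
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons.append((key, round(avg), round(jitter, 3)))
    return beacons
```

The flagged (process, destination, port) triple is the lead to chase back into the process explorer and the persistence entries, not proof of infection by itself; a legitimate updater is periodic too.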