
Malware Analysis

(@jegham)
Posts: 40
Eminent Member
Topic starter
 

Greetings everybody

I would like some help/guidance about malware analysis: how to find out all the possible information from any given file (the one I am working on is a PDF file that has malware in it).

* What kind of virus is it?
* What damage does it do?
* How do I find out how to delete it?

Thanks

 
Posted : 11/07/2008 1:41 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

One quick way to go about this is to dump the file up on Virustotal.com, and then follow the links to the various vendor identifications (if any).

Another method is to install several AV tools, and then use each to scan the file. Based on what (if anything) the AV tool reports, go to the vendor web site and look up their write up for the malware.

These are simply suggestions for you…I don't know you, your background, technical abilities, etc. I do hope that they help, though.

 
Posted : 11/07/2008 5:05 am
(@jeffcaplan)
Posts: 97
Trusted Member
 

One question to start…how did you become aware that this particular .PDF file was infected with any malware to begin with? Was it due to an AV scan? If so, follow Harlan's advice and head to the AV's site and look up the details on that particular virus/trojan.

If you'd like to investigate the symptoms of the malware for yourself as opposed to reading someone else's analysis, you could also setup a sandbox to play in…

Without writing a book on the subject, I'll give you the quick and dirty:

1) Install some virtualization software on your computer (VMWare or Virtual PC, etc.)
2) Setup a virtual machine and [OPTIONAL] create an image of the virtual machine - a reference point.
3) Grab some of Microsoft's Sysinternals products - they're easier to use than some other malware analysis tools and they'll give you a good start on where to focus your investigation into what happens when this malware is activated - in particular, start with Process Monitor - it'll allow you to monitor changes to files on disk in addition to registry keys.
4) Safely transfer the suspected malware over to your virtual machine without having some anti-virus software accidentally clean it en route.
5) Start up Process Monitor or any other tools you'll be using for the analysis and then activate the malware and record what happens.
6) If you created a disk image of your virtual machine, now would be when you create a second image and analyze any new files or files with a different hash value to see what was created or modified.

One caveat to keep in mind - make sure you isolate your virtual machine's network connection. If the malware attempts to make outside contact, this is not something you want to allow. With a more sophisticated setup, you could allow network access, but you'd need to make sure that your host machine or some other device on your network is filtering outbound connections.

Like I said, not especially thorough, but that'll get you on the right track to begin your investigation at the entry level. If you have any other questions, feel free to ask.

Jeff

 
Posted : 11/07/2008 1:32 pm
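Step 6 of the procedure above (snapshot the guest before detonation, snapshot again after, and compare hashes to find what was created or modified), as an added example that is not part of Jeff's post or the original thread. It walks a directory tree, hashes every regular file with SHA-256, and diffs two snapshots. The directory layout and file names in demo() are constructed for illustration and are not indicators from any real sample; for real use, point snapshot() at the mounted VM disk or run it inside the guest before and after opening the PDF.

```python
"""Baseline/compare a directory tree by file hash.

Added example, not from the original thread.  The demo directory and
its file names are constructed here; nothing in them comes from a real
sample.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256.

    Symlinks are skipped so a hostile link cannot pull paths from outside
    the tree into the walk; unreadable files are recorded as
    'ERROR:<reason>' instead of aborting, because a half-finished
    baseline is worse than a gap you can see in the report.
    """
    result: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                result[rel] = sha256_file(full)
            except OSError as exc:
                result[rel] = f"ERROR:{exc.__class__.__name__}"
    return result


def diff_snapshots(before: Dict[str, str],
                   after: Dict[str, str]) -> Dict[str, List[str]]:
    """Return created / deleted / modified relative paths, each sorted."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed run: build a fake guest tree, 'detonate', and diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "drivers.txt"), "w") as f:
            f.write("baseline driver list\n")
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = snapshot(root)

        # Simulated activity after opening the sample (constructed, not real):
        with open(os.path.join(root, "hosts"), "a") as f:
            f.write("127.0.0.1 update.example\n")          # modified
        with open(os.path.join(root, "Windows", "dropped.bin"), "wb") as f:
            f.write(b"\x4d\x5a" + b"\x00" * 14)           # created
        os.remove(os.path.join(sys32, "drivers.txt"))      # deleted
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind)
        for p in paths:
            print("   ", p)
```

Take the "before" snapshot from a clean VM snapshot you can revert to, and save it outside the guest; once the sample has run, nothing inside the guest should be trusted, including the Python interpreter used to take the "after" snapshot, which is why hashing the VM's disk image from the host is the safer variant.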
(@mindsmith)
Posts: 174
Estimable Member
 

Take a look at this

http://www.syngress.com/book_catalog/sample_1597491640.pdf

Also, there are some good pointers and examples in KeyDet's (Harlan Carvey's) book "Windows Forensics".

Regards,

 
Posted : 11/07/2008 4:37 pm