Malware Analysis and Reverse Engineering
noahb2868
(@noahb2868)
Member

All,
I am starting to learn and I am putting together a service offering for my company showing that I/We (My Group) can do malware forensics. I was wondering if anyone out there has any ideas on books, training or information for someone just starting to look at this. I have been searching the internet, but find too many articles from early 2000. I am sure stuff has changed a little. Anything would be greatly appreciated.

Thanks,
Noah

Posted : 06/08/2008 3:45 am
KPryor
(@kpryor)
Member

Malware Forensics: Investigating and Analyzing Malicious Code came out recently. I don't have it yet, but I hear it's good. You can find it at http://tinyurl.com/6rsny5

Posted : 06/08/2008 9:07 am
BitHead
(@bithead)
Community Legend

There is the ever popular Windows Forensic Analysis Including DVD Toolkit, ISBN-10 159749156X, Chapters 6 & 7.

Are you going at this from the programming side or the detection side or what? What is your definition of "malware forensics"?

Posted : 06/08/2008 8:09 pm
noahb2868
(@noahb2868)
Member

I am going at this from a detection and analysis side. I can understand what the code is trying to do at a beginner level. My definition of Malware forensics would be finding the "malicious software or code" on a machine and analyzing how it got there and by whom. I am sure there is more, but again I am at the beginning stages of learning about this.

Posted : 06/08/2008 10:32 pm
keydet89
(@keydet89)
Community Legend

Noah,

Once you find the malware on a system, determining the infection vector can be relatively straightforward. In most cases, spyware and malware gets on a system via a limited number of vectors, and if you scan an image with AV, all you need to do is check the AV vendor's description of the malware propagation method, and then verify it.

Posted : 07/08/2008 4:12 am
kleanchap
(@kleanchap)
New Member

I have been stung by rootkits at least about 3 times in the past 5 months. The only recourse was to reinstall Windows. Having said that, my main question is:

What benefits are there from analyzing malware?

I am trying to understand the business benefit for the customer who is hiring someone to perform malware forensics. If all the data is lost, then it is purely forensics to prosecute the offending party.

By no means am I discouraging the original poster with his business venture. I am trying to understand the business benefit from such an analysis.

Wish you all the best on the business venture.

Thanks to anyone who can enlighten an ignorant person like me. :-)

Posted : 07/08/2008 11:37 pm
keydet89
(@keydet89)
Community Legend

> What benefits are there from analyzing malware?

It depends on what the customer wants. I've been asked in the past to examine malware to determine if it had networking capabilities, and in another instance to attempt to determine if the malware was specifically targeting files or data on the customer's network/systems.

Due to state notification laws for PII, as well as compliance enforcement regarding PCI (Visa PCI) and PHI (HIPAA), many organizations now want to know if, when they were infected, was any data taken from systems. So, questions generally tend to trend to things along those lines.

Posted : 08/08/2008 1:39 am
Spawn
(@spawn)
Junior Member

Getting back to the original question, I would recommend the following books.

The Art of Computer Virus Research and Defense (Symantec Press) (Paperback) - ISBN-13 978-0321304544

Hacker Disassembling Uncovered Powerful Techniques To Safeguard Your Programming (Paperback) - ISBN-13 978-1931769228

and not forgetting

Microsoft Windows Internals (4th Edition) Microsoft Windows Server 2003, Windows XP, and Windows 2000 (Hardcover) - ISBN-13 978-0735619173

If only these had been around when I started… even so I still own copies now.

I'm sure someone will be able to chip in with *nix variants.

Posted : 06/10/2008 6:15 am
echo6
(@echo6)
Member
farmerdude
(@farmerdude)
Active Member

I would have to disagree with Jon and _not_ recommend UNIX Forensic Analysis. I don't think too many folks after reading it would be able to do malware analysis or identify rootkits on *nix systems.

George Carlin is infamous for saying … "Opinions are like _ _ _ _ _ _ _ _, we all have them and they all stink".

😉

Cheers!

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com

Posted : 27/10/2008 4:08 pm
bperk
(@bperk)
New Member

> What benefits are there from analyzing malware?
>
> It depends on what the customer wants. I've been asked in the past to examine malware to determine if it had networking capabilities, and in another instance to attempt to determine if the malware was specifically targeting files or data on the customer's network/systems.
>
> Due to state notification laws for PII, as well as compliance enforcement regarding PCI (Visa PCI) and PHI (HIPAA), many organizations now want to know if, when they were infected, was any data taken from systems. So, questions generally tend to trend to things along those lines.

Harlan, recently I have identified the files on multiple machines that were identified by our Threat Analysis group as having sent suspicious traffic (HTTP PUTs) to IP addresses outside of the network. In all cases it was requested to identify what was sent. In every instance the data that was sent was encoded, thus making it unknown what was sent.

My question in this scenario is what tactics/approach would you adopt to try and figure out, if even possible, what data was captured and sent. Keep in mind these are ZERO Day exploits. I do get a copy of the PCAP data showing the HTTP PUTs, often showing the name of the file that is being sent, but I do not find any traces of the file locally on the machine after the fact.

Regards, Brian.

Posted : 22/06/2009 11:38 pm
athulin
(@athulin)
Community Legend

> What benefits are there from analyzing malware?

Hogfly's blog is pretty useful to read from time to time.

From my own point of view, virus vendors may not be trustworthy when it comes to getting the technical description of a virus or other alarm-worthy code right; if you want to ensure that you know what is going on, you need to dig deeper.

Not a very good example, but still: I recently had to investigate a Trend Micro AV alarm that kept repeating on a small set of laptops, involving a number of offending registry entries. It was a 'safe' alarm, as all offending entries had been removed, but it was weird in that there was no offending binary file, only registry entries, and the registry entries of the actual alarm did not correspond to the entries listed in the technical description, and it was equally weird in that in some cases those systems were absolutely fresh from installation. So, was this just another false positive, or was something bad that just happened to trigger a particular virus alarm, but where the actual malware was still undetected?

It turned out to be a (safe) software package that was installed (and reinstalled) on this subset of laptops. It used some user interface components that were used in the original malware, and had been misclassified by the malware signature. Thus … a false positive with very limited scope.

In that kind of case, where the symptoms keep coming back despite all your best efforts, you have to stop trusting that the antivirus vendor is 100% right, and start to look deeper yourself. At least, if IT security is not just nominal.

Posted : 23/06/2009 2:53 pm