Malware Analysis and Reverse Engineering

(@bperk)
Eminent Member
Joined: 16 years ago
Posts: 24
 

> What benefits are there from analyzing malware?

It depends on what the customer wants. I've been asked in the past to examine malware to determine if it had networking capabilities, and in another instance to attempt to determine if the malware was specifically targeting files or data on the customer's network/systems.

Due to state notification laws for PII, as well as compliance enforcement regarding PCI (Visa PCI) and PHI (HIPAA), many organizations now want to know whether, when they were infected, any data was taken from their systems. So, questions generally tend to trend toward things along those lines.

Harlan, recently I have identified the files on multiple machines that were identified by our Threat Analysis group as having sent suspicious traffic (HTTP PUTs) to IP addresses outside of the network. In all cases it was requested to identify what was sent. In every instance the data that was sent was encoded, thus making it unknown what was sent.

My question in this scenario is what tactics/approach you would adopt to try and figure out, if it is even possible, what data was captured and sent. Keep in mind these are zero-day exploits. I do get a copy of the PCAP data showing the HTTP PUTs, often showing the name of the file that is being sent, but I do not find any traces of the file locally on the machine after the fact.

Regards, Brian.

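One starting point for the PUT bodies Brian describes, as an added example that is not part of the thread: given a request carved from the PCAP, recover the filename and destination from the request line and headers, test whether the body is plain base64 (the cheapest encoding to rule out), and measure its byte entropy, which separates simple encoding from compression or encryption. The sample request, host and file contents are all constructed.

```python
import base64
import math
import re

# Constructed sample: one HTTP PUT as it might be carved from the PCAP stream.
# Body is base64 of a made-up text file; neither the host nor the data is real.
SAMPLE_PUT = (
    b"PUT /upload/customer_list.csv HTTP/1.1\r\n"
    b"Host: 203.0.113.45\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 60\r\n\r\n"
    + base64.b64encode(b"name,card_last4\nJane Doe,1234\nJohn Roe,5678\n")
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-6 for text or base64, near 8 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def parse_put(raw: bytes) -> dict:
    """Split a raw HTTP request into request line, headers and body (honouring Content-Length)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", len(body)))
    return {"method": method.decode(), "path": path.decode(), "host": headers.get("host"),
            "filename": path.rsplit(b"/", 1)[-1].decode(), "body": body[:length]}

def try_base64(body: bytes):
    """Return the decoded bytes if the body is well-formed base64, else None."""
    if not re.fullmatch(rb"[A-Za-z0-9+/=\s]+", body):
        return None
    try:
        return base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError:  # binascii.Error (bad padding/alphabet) is a ValueError subclass
        return None

def triage_put(raw: bytes) -> dict:
    req = parse_put(raw)
    decoded = try_base64(req["body"])
    req["body_entropy"] = round(shannon_entropy(req["body"]), 2)
    req["decoded"] = decoded
    req["decoded_entropy"] = round(shannon_entropy(decoded), 2) if decoded else None
    return req
```

A body that fails the base64 test and sits near 8 bits per byte is compressed or encrypted, and the PCAP alone will not recover it; at that point the encoding routine has to come from the binary that sent it.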
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> What benefits are there from analyzing malware?

Hogfly's blog is pretty useful to read from time to time.

From my own point of view, virus vendors may not be trustworthy when it comes to getting the technical description of a virus or other alarm-worthy code right. If you want to ensure that you know what is going on, you need to dig deeper.

Not a very good example, but still: I recently had to investigate a Trend Micro AV alarm that kept repeating on a small set of laptops, involving a number of offending registry entries. It was a 'safe' alarm, as all offending entries had been removed, but it was weird in that there was no offending binary file, only registry entries, and the registry entries of the actual alarm did not correspond to the entries listed in the technical description. It was equally weird in that, in some cases, those systems were absolutely fresh from installation. So, was this just another false positive, or was it something bad that just happened to trigger a particular virus alarm, but where the actual malware was still undetected?

It turned out to be a (safe) software package that was installed (and reinstalled) on this subset of laptops. It used some user interface components that were used in the original malware, and had been misclassified as a malware signature. Thus … a false positive with very limited scope.

In that kind of case, where the symptoms keep coming back despite all your best efforts, you have to stop trusting that the antivirus vendor is 100% right, and start to look deeper yourself. At least, if IT security is not just nominal.
