Malware Incident Response Erdal Ozkaya Raymond Comvalius

20 Slides4.35 MB

Malware Incident Response Erdal Ozkaya Raymond Comvalius CISO Infrastructure Architect Emt Holding NEXTXPERT

Module Agenda First response at a malware attack Recognizing malware Identifying Malware processes Locating malware files Removing persistence Tracing malware More on tooling

Don’t rely on antivirus This was once effective Still recognizes the usual suspects Easy to bypass? “Symantec's senior vice president for information security estimates antivirus now catches just 45% of cyberattacks.” The Wall Street Journal, May 4, 2014

Incident response: Malware Disconnect from network Identify malicious processes and drivers Terminate identified processes Identify and delete malware autostarts Delete malware files Reboot and repeat

What to look for Processes that: Have no icon Have no description or company name Unsigned Microsoft images Live in Windows directory or user profile Include strange URLs in their strings Have open TCP/IP endpoints

Process Explorer Process View Highlights VirusTotal Integration DLL View Strings

Identifying malicious processes All (most) Microsoft software is digitally signed Verify all signatures Verification will connect to the Internet to check Certificate Revocation Lists (CRLs) Submit to VirusTotal

Scan for malicious executables Tool: sigcheck sigcheck –e – vs –vr –u –s c:\ -e scan for executables -v for VirusTotal -u for unsigned images Popular locations are %appdata% and %windir%

Terminating Processes Don’t just kill the process - Watchdogs often restarts the process Instead suspend the process May cause system hang for Svchost processes Record the full path to each exe and DLL Then kill the processes - Watch for new appearances

Remove Persistance MSConfig is not the best tool Task Manager is also not your best option Use AutoRuns from SysInternals

Using AutoRuns Filter the list Do not show entries from Microsoft Verify signatures Check VirusTotal Be careful to submit to VirusTotal Do not delete the malicious entry but disable

Tracing Malware Tool: Process Monitor Event Classes File System Registry Process Network Profiling

System Monitor (Sysmon) Background system monitoring Records to the Windows event log Enables tracing of historic activity Installs as a service/driver


Other SysInternal Forensic Tools Disk2vhd TcpView

Other Forensic Tools SysInternals PowerShell NirSoft MyLastSearch WebBrowserPassView IECookieViewer

Summary Be prepared for a malware attack Make sure you know the tools and strategy Implement Sysmon Learn PowerShell!

TechNet Virtual Labs Deep technical content and free product evaluations Hands-on deep technical labs Free, online, technical courses At the TechNet Evaluation Center you can download free, trial versions of Microsoft software, with no feature limits. Dozens of trials are available – all at no cost. Microsoft Hands On Labs offer virtual environments that will take you through guided, technically deep product learning experience. Microsoft Virtual Academy provides free online training on the IT scenarios that are important to your company and your career. Try Windows Server 2012 R2 for up to 180 days. Download the Windows 8.1 Enterprise 90-day evaluation. Or try Microsoft Azure at no-cost for up to 90 days. Learn at your own pace in labs that you can complete in 90 minutes or less. There is no complex setup or installation is required to use TechNet Virtual Labs. Download Microsoft software trials today. Find Hand On Labs. Learn at your own pace and boost your IT skills with over 100 courses across more than 15 Microsoft technologies including Windows Server, Windows 8, Microsoft Azure, Office 365, virtualization, Windows Phone, and more. evalcenter virtuallabs Take a free online course.

2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Back to top button