Tom from the c-APT-ure blog recently pointed me to the Malware Analysis Quant Research Project spearheaded by Securosis. The goal of the project is to develop a malware analysis model, complete with specific processes and metrics. The published white paper is 53 pages. Every organization has a malware problem, and rapid identification and scoping is a big step towards allocating precious security resources to important events, like attacks from determined adversaries, rather than to commodity worms and malware. The open nature of the model allows existing infrastructure within your organization to be readily integrated, shifting the focus towards identification and measurement of any process gaps. Those of you routinely hammered by ROI questions will applaud the focus on actionable metrics aimed at cost quantification.
Despite being written in 2006, Chris Ries’ paper Inside Windows Rootkits is still surprisingly relevant. About the only thing missing is a discussion of new(er) x64 mitigation techniques like Kernel Mode Code Signing and Kernel Patch Protection (aka PatchGuard). Few resources have explained rootkit internals so simply. As an example, Figure 2 from the paper neatly ties together the rootkit hooking universe:
The original PDF is a little hard to find these days, but here are a couple of links:
Amanda Stewart at the FireEye blog dissected the PlugX malware remote access tool (RAT). Of particular interest is this beautiful graphic showing the attack progression. With decoys, DLL sideloading, encrypted payloads, process injection, and new payload retrieval, this attack pretty much has it all!
Packers are most commonly used for compression, code obfuscation, and malware anti-reversing. While not always malicious, packers are often a clue to look a little deeper into a particular binary. Ange Albertini did a marvelous job of representing the (known) universe of executable packers in this infographic.
The full PDF file can be found here.
One of the fun things I have been working on is the huge revision of the SANS Forensics 508: Advanced Forensics and Incident Response material. Rob Lee has spent the last ten years building and updating what has become one of the most well-known and respected digital forensics training courses. The golden age of hacking is in full swing and a whole host of new threats have emerged, including state-sponsored espionage (aka APT), hacktivism, client-side attacks, and crimeware. Digital forensic investigations have never been more in demand. However, computer intrusion and malware investigations require a very different skill set than the cases seen by the average forensic examiner. Rob saw a great opportunity to update the FOR508 course to train this next generation of forensic professionals. I estimate that at least 60-70% of the course and nearly every exercise is new within the last year. My specific part in the course is writing the new memory forensics day. My forensic experience dates to the late 1990s, and I can’t remember any other advance in the field that has so fundamentally shifted the balance from the bad guys to the good guys. Memory forensics is now a mature discipline and we have a wonderful array of tools available, allowing us to analyze everything from raw memory files to hibernation files to crash dumps to live memory audits. Memory analysis is a game-changing skill and we spend a significant part of the new 508 course learning and incorporating the results of that analysis into the broader forensic process.
A year after release, the Malware Analyst’s Cookbook continues to elicit uniformly high praise from the security community. It is one of those rare books that only come around once every few years. The breadth of information covered is staggering, and it makes an excellent reference to return to as your skills develop. If I could make one recommendation, I would encourage readers to not wait to read the last four chapters of the book.
The last quarter of the book covers memory forensic analysis, and it is the definitive resource currently available on the subject (either online or in print).