Many times during an examination you may want to do a little data reduction by scanning your image for the presence of malware. A scan with no hits is not a guarantee that there is no malware on the system, but a hit can give you a lead and narrow your search a bit. Again, this is just one tool among several that you, as a forensic analyst, can use.
Start by mounting the image as a read-only drive letter using Mount Image Pro or VDKWin, then scan that drive letter with your AV scanner of choice. Two things to keep in mind: set the scanner to report only (no cleaning, quarantining or deleting), and remember that a scan of the mounted file system only sees allocated files the file system presents, not deleted files in unallocated space. Some free AV scanner options include:
GriSoft AVG Free Edition
avast! Home Edition (free for home/non-commercial use)
ClamWin
Avira AntiVir PersonalEdition
Comodo AV
Windows Defender (spyware)
Some ranking reports (covering both free and for-pay products):
PCWorld
Top10 Reviews
GCN Lab
Top Windows AV
Note that some of the available AV products include a command-line interface (F-Prot, for example), which means you can run the scanner after hours using a Scheduled Task.
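As an added example (not from the post, and not any vendor's tooling), here is a Linux analogue of the procedure above: attach a raw image through a read-only loop device, scan the mounted file system with a command-line scanner, hash every hit for later reference or submission, and detach. It assumes a raw (dd) image rather than E01, a partition byte offset supplied by the caller (for instance from Sleuth Kit's mmls), ClamAV's clamscan and sudo on the PATH, and an empty mount point; those are choices for this example, not anything the post prescribes.

```shell
#!/bin/sh
# Added example: read-only attach, report-only scan, hash the hits, detach.
# Assumptions: raw image, caller-supplied partition offset, clamscan + sudo on PATH.
set -eu

# summarize_hits LOGFILE: print "signature<TAB>path" for every clamscan FOUND line,
# sorted by signature so repeated detections cluster together.
summarize_hits() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")                 # drop the trailing verdict
        n = match($0, /: [^:]*$/)          # last ": " separates path from signature
        printf "%s\t%s\n", substr($0, n + 2), substr($0, 1, n - 1)
    }' "$1" | sort
}

# count_hits LOGFILE: number of detections in the log
count_hits() {
    summarize_hits "$1" | wc -l | tr -d ' '
}

# scan_image IMAGE OFFSET [MOUNTPOINT]: attach, scan, hash every hit, detach.
# Report-only: clamscan is never asked to remove or move anything, and both the
# loop device and the mount are read-only, so the evidence cannot be altered.
scan_image() {
    image=$1; offset=$2; mnt=${3:-/mnt/evidence}
    log=$(mktemp)
    loopdev=$(sudo losetup -r -f --show -o "$offset" "$image")
    sudo mount -o ro,noexec,nodev,noatime "$loopdev" "$mnt"
    trap 'sudo umount "$mnt"; sudo losetup -d "$loopdev"' EXIT

    # clamscan exits 1 when something was found; that is the result we want to keep
    clamscan -r -i --no-summary "$mnt" > "$log" || [ $? -eq 1 ]

    echo "detections: $(count_hits "$log")"
    summarize_hits "$log" | while IFS="$(printf '\t')" read -r sig path; do
        # hash the flagged file so it can be referenced (or submitted) later
        printf '%s\t%s\t%s\n' "$sig" "$path" "$(sha256sum "$path" | cut -d' ' -f1)"
    done
}

# Runs only when invoked with arguments, e.g. after hours from cron (the Linux
# counterpart of a Scheduled Task):
#   0 22 * * 5 /usr/local/bin/scan_image.sh /cases/1234/disk.dd 32256
if [ $# -ge 2 ]; then
    scan_image "$1" "$2" "${3:-}"
fi
```

The summary functions are separated from the mount/scan logic so the scanner's log can be re-parsed (or compared against a second scanner's log) without touching the image again.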
So, what's in your wallet? What is your AV scanner of choice (free or otherwise)?
19 comments:
I tend to use BitDefender in addition to Symantec. Any unknown binaries get sent off to Jotti, VirusTotal, Norman, and Anubis.
I use F-Secure, I am really happy with that product. Also our customers are satisfied with it. The guys there in Finland do a great job ;o)
The unknown binaries are sent to virustotal
Great comments, both. I know folks who really like to use Kaspersky, and I've had customers who've really been interested in NOD32.
Another tool that is great for data reduction is Gargoyle.
My question to you two is this...are you doing anything at all to document the malware prior to submitting it to other sites to analyze? On Windows the malware is most likely a PE file, correct? Are you doing anything to document obfuscation techniques, entry point analysis, hashing, dumping the import table, etc? Anything at all? Or are you simply submitting it?
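As an added example of the kind of documentation asked about above (hashing, entry point analysis, dumping the import table, looking for signs of obfuscation), here is a small static triage script for a Windows PE file. It is not code from the post or from any of the commenters, and it is not a vendor's tool: it is a standard-library-only parser written for this example, with field offsets taken from the PE/COFF specification. The sample PE it builds is constructed for the demo (one `.text` section importing `kernel32!ExitProcess`) and does nothing useful; the entropy threshold and the "fewer than five imports" heuristic are assumptions chosen for illustration. Python 3.8 or later.

```python
"""Static triage of a Windows PE: hashes, entry point, section entropy, import
table and a few packer hints. Added example, not code from the post or its
commenters; build_sample_pe() constructs a throwaway PE32 for the demo."""
import hashlib
import math
import struct

# Section characteristic bits from the PE/COFF specification
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return rva - s["va"] + s["raw"]
    return None

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def triage_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                      # optional header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus
                  else struct.unpack_from("<I", data, opt + 28)[0])
    ddir = opt + (112 if pe32plus else 96)                             # data directories
    import_rva = struct.unpack_from("<I", data, ddir + 8)[0]           # entry 1: imports

    sections, hints = [], []
    for i in range(nsec):
        name, vsize, va, rsize, raw, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        s = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
             "vsize": vsize, "raw": raw, "rsize": rsize, "flags": flags,
             "entropy": round(entropy(data[raw:raw + rsize]), 2)}
        sections.append(s)
        if s["entropy"] > 7.0:                       # assumed threshold for "packed"
            hints.append("high entropy in %s (%.2f)" % (s["name"], s["entropy"]))
        if flags & SCN_MEM_EXECUTE and flags & SCN_MEM_WRITE:
            hints.append("%s is writable and executable" % s["name"])

    ep_section = next((s["name"] for s in sections
                       if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"])), None)
    if ep_section is None:
        hints.append("entry point 0x%x lies outside every section" % entry)
    elif ep_section not in (".text", "CODE"):
        hints.append("entry point in %s rather than a normal code section" % ep_section)

    imports = {}
    desc = rva_to_offset(import_rva, sections) if import_rva else None
    width, fmt, ord_flag = (8, "<Q", 1 << 63) if pe32plus else (4, "<I", 1 << 31)
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):
            break                                    # all-zero descriptor terminates
        name_off, thunk = rva_to_offset(name_rva, sections), rva_to_offset(oft or ft, sections)
        if name_off is None or thunk is None:
            hints.append("import descriptor points outside the sections")
            break
        funcs = []
        while (t := struct.unpack_from(fmt, data, thunk)[0]):
            if t & ord_flag:
                funcs.append("ordinal %d" % (t & 0xFFFF))
            else:
                funcs.append(read_cstr(data, rva_to_offset(t, sections) + 2))  # skip hint
            thunk += width
        imports[read_cstr(data, name_off).lower()] = funcs
        desc += 20
    total = sum(len(v) for v in imports.values())
    if total < 5:                                    # assumed heuristic, not a rule
        hints.append("only %d imports; packers usually resolve the rest at run time" % total)

    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "machine": hex(machine),
            "timestamp": stamp, "pe32plus": pe32plus, "image_base": image_base,
            "entry_point": entry, "entry_section": ep_section, "sections": sections,
            "imports": imports, "packer_hints": hints}

def build_sample_pe():
    """Constructed 1 KiB PE32: one .text section that imports kernel32!ExitProcess."""
    sec = bytearray(0x200)
    sec[0x00:0x08] = bytes.fromhex("6a00ff1550104000")             # push 0; call [0x401050]
    struct.pack_into("<IIIII", sec, 0x10, 0x1040, 0, 0, 0x1060, 0x1050)  # descriptor, then zeros
    struct.pack_into("<II", sec, 0x40, 0x1070, 0)                   # OriginalFirstThunk
    struct.pack_into("<II", sec, 0x50, 0x1070, 0)                   # FirstThunk (IAT)
    sec[0x60:0x6d] = b"kernel32.dll\0"
    sec[0x70:0x7e] = b"\0\0ExitProcess\0"                           # hint + name
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x1000, 0x400000)
    opt += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x2000, 0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    ddirs = struct.pack("<IIII", 0, 0, 0x1010, 40) + bytes(8 * 14)
    sechdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes((dos + coff + opt + ddirs + sechdr).ljust(0x200, b"\0") + sec)

if __name__ == "__main__":
    import json, sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(triage_pe(blob), indent=2))
```

Run it with a path to record a JSON block per sample before anything is submitted anywhere; the hashes let you match the sample against what the online services report back, and the hints (entry point outside the code section, a high-entropy or writable-and-executable section, an almost empty import table) are the usual first signs that the binary is packed and that the unpacked image will have to come from memory.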
I just had an unrecognized malware and used Anubis and CWsandbox (http://www.cwsandbox.org/?info=EXLINK) to do a quick triage and get stuff I normally grab manually... it was quick.
RWUIUC,
How about you? Besides Anubis, did you do any documentation of the malware yourself?
Harlan,
In response to your questions, generally I don't do anything other than submit. I have a few reasons for this:
1) If it matches a signature from Symantec or bd that's not a generic match (bloodhound), then the binary is already documented. I simply attach the output from the online tools and document the specifics of the case.
2) The sites do a large portion of the documentation for the user. Duplicating the information is redundant.
My actions are based on the results I get back from the online tools and in addition to my local scans.
I do an in depth binary analysis if there is no signature, a signature that doesn't meet my standards (a generic signature like W32.SDbot or downloader). At that point I do a dynamic analysis of the binary in a virtual sandbox in a manner similar to what you outlined in your book. If it won't run there I have an old dell system I use. I haven't had much occasion to use ida or ollydbg in a while - mainly because I'm just seeing regurgitated malware.
As an aside... I don't hold Gargoyle in high esteem. There's a bunch of accuracy issues with the tool IMO. However it is a tool that can cut down some noise.
Hogfly,
Thanks for the response...very informative.
One of the things I've seen is customers ask if the malware is specifically targeting them, or looking for specific files on the systems that it infects. Many times, this is missed in malware analysis provided by some researchers, as well as AV vendors. Some modicum of both static and dynamic analysis is very beneficial.
For obfuscated malware analysis, is anyone dumping RAM and extracting the unobfuscated executable image?
For malware I dump RAM like Harlan mentioned. I run the virus on a Windows 2000 VM and suspend the machine. I take the VMEM file and use Harlan's lsproc.pl or Schuster's PTFinder to find the physical offset of the suspect process. I use Harlan's tool LSPM.EXE to make an image of the file (now, nicely unencrypted). I then use my favorite BIN-to-Hex program (by Analog X) to look for important information. Two added steps: sometimes the suspect process exits too fast and by the time I suspend the machine the process I am looking for has exited and/or paged out. I open up OllyDbg in my sandbox and start debugging. Also, if I'm afraid the malware is looking to thwart sandbox environments I have a couple of old 4 GB hard drives. I restore my test image (still Win 2000) to the hard drive using EnCase, basically like "Ghost". The Win2000 system is set up to do a controlled Blue Screen of Death full dump (Ctrl-Scroll Lock) and I analyze the .dmp file. The whole process usually takes less than 15 minutes.
Richard F. McQuown
ForensicZone
Richard,
Very impressive.
Regarding Antivirus solutions, I use NOD32 (not free) because it is light on the resources and very reliable. Bitdefender free version is usually also installed and as you all know, it doesn't have real-time protection, so on-demand scanning is the only option and that is what I need :-)
AV is only used as one of the several steps to do a preliminary analysis and indicate what I am up against.
Someone mentioned Kaspersky here; I believe it is one of the best AVs currently on the market but takes up a bit of juice (RAM and CPU) to operate. Interestingly enough, Kaspersky and some other reputable AV or Internet Security Suites are easily deactivated by malware that attacks the license validation process of these products.
Regards
"Fun of Harlan"
A.Ro..
Australia
"Fun of Harlan"...???
OK, just joking. Should have said, "Harlan's fan" :-) :-)
A.Ro..
Oh, everyone says that! No, wait, hold on...that came out wrong...
I am glad to see that some folks are using AV (and anti-spyware) tools to perform data reduction, and that in some cases extra steps are taken to document or even analyze unusual files. I've seen many instances where the EXE used by the bad guy is easily found (via logs, location, etc.) and when passed to a site like VirusTotal, gets NO hits from 32+ AV scanners!
Yeah,
I remember one Russian website a couple of years back offered a free virus download, claiming that it would not be detected by any antivirus at the time of publishing (I tested a few AVs at the time and it went undetected for anywhere from a few hours to a couple of days). My guess is that it is probably a "Buy Now" service now.
A.Ro..
I can't type anymore, it's 10:54pm here in Sydney, g'night everyone :-)
A.Ro..
I used to get free virus scans from Nod32 and Kaspersky by going to their websites. The only downside was that they don't really remove the viruses very well since they want you to purchase their product. However, in this case that wouldn't matter.
Lively thread! I often mount a target image and run a virus scan. This issue arises most often in child porn (cp) cases, where the defense may assert that a "backdoor" placed the images on the machine. Naturally, I also want to see whether the suspect may have been victimized by such a phenomenon. I do appreciate the fact that the search for exculpatory evidence is part of my task.
The biggest issue I face is documenting what an identified trojan or exploit is capable of doing. I rely on the publishers of the scanners for this information. We use McAfee and NOD32. NOD32 provides miserable documentation of what it claims are threats. NOD may identify 25 threats, and, on average, has documentation on none of them. NOD's support staff acknowledges that their virus encyclopedia is deficient, yet nothing changes. Maybe they make up threats to increase their stats. McAfee, while not perfect, is miles ahead.
I've had good results with V-Grep, a free service available at https://www.virusbtn.com/login. The Lightspeed archive at http://www.lightspeedsystems.com/Search/ also is impressive. Of course, NOD does not participate in V-Grep.
All of this aside, AFAIK, no one has documented a case in which one of the myriad backdoors or trojans was responsible for placing cp on a system. I'm not talking about pop-ups and the like that may put images in cache. I'm talking about creating something like \My_Illegal_Stash\Child_Porn.jpg. I'm not saying that it can't be done, and therein lies the issue. If, however, it has happened, I want to see a cite to the case.
Aside from offering my comments, I truly would appreciate suggestions on tools that provide reliable documentation on all (most) of the threats they identify. As far as free tools go, Clam seems to be the best, in my limited tests. For the time being, I'll likely spend too much time tracking down indications of infections and trying to prove negatives. We can't use every scanner on every image, so we can't say that we've covered every potential threat. I do recognize that alerts may arise from code analysis with a view to warning of a potential problem, as with heuristics.
Still, I need to know what an identified piece of malcode can do, and the signs of whether it has infected a machine, e.g., registry keys edited. All too often, folks presume that an alert from their scanner means that a system was, in fact, compromised. I've seen opponents carry on about flagged exploits, when the subject system was patched long before the questionable activities took place. (I hope my piece was on point to the topic!)
...I need to know what an identified piece of malcode can do...
Jimmy, this is an on-going issue. The forensic analysis "community" hasn't come into its own yet. We all know that we need this... know already, or will find out very soon. However, the fact is that for the most part, we haven't come together as a community to request this from anyone. One or two going to MS or an AV vendor every now and then isn't going to make a change. What happens for the most part (IMHO) is that most of us simply take what we can get and stop there... be it an AV vendor's technical write-up, or the brief description we see in an AV scanner application.
In all honesty, I don't think that the forensic analysis community is all that "new" or "young", as some may think. I think that enough subsets of it are established enough to have some kind of influence, though they choose not to use that to bring the rest of the community together, or to lobby for things that are needed...like better descriptions/understanding of what the detected malware is capable of.
This is why I asked what kind of analysis analysts are doing on their own...like you, many of us can't get the answers we need, so in some cases, we come up with ways to find them...
I use AVG constantly, I've never bought any adaware or anti virus software and have been fine. I just use AVG and Adaware.