Monday, July 04, 2011


Independence Day
Before anything else, Happy 4th!  I hope that everyone takes a moment to remember those who have fought and sacrificed for our freedoms...that includes not only those who have given the ultimate sacrifice, but those who have lost loved ones in the fight for freedom.  Also remember our public servants (cops, firefighters, EMTs), as well as our service members who are fighting to give others freedom.  May God bless them all.

There's been an update over at the e-Evidence web site, with the addition of some good reading...take a look.

I posted recently regarding an article Jason Andress had written for ISSA, regarding APT.  Shortly thereafter, my friend Russ contacted me to let me know that he'd co-authored a similar paper, and that I might want to take a look at it.  The blog post is here, and the paper can be found here.  The paper was written as a requirement for the SANS Technology Institute MSISE program, and while it touches on some of the same themes as Jason's paper, this one takes a bit more of a tactical approach...and that's one of the things I really like about this paper.  The approach taken in the paper is simply, "here are some of the things that are seen on the network, and here's a cheap or free way to go about detecting it."

The paper also points out some interesting aspects of tactics used by the threat actors, particularly getting into the infrastructure via some method (spear phishing), gaining a foothold with PI-RAT, and then moving laterally within the infrastructure.

Another aspect of this paper is that it provides additional insight into the threat itself; anyone unfamiliar with the threat should read this paper, Jason's article, and others in order to develop a better understanding of the threat.  Much of what I've read out there covers the general flow of these threats, and this paper provides some insight into a specific implementation, and should be considered as such.  Not every incident of this type is going to include the same persistence mechanism, use of the same RAT, or the same network traffic.  However, the paper does a very good job of pointing out some of what can be done in response to this threat, both in initial detection and then response.

So, again...some great information in the paper, and it is easy to follow; if you're trying to get a better understanding of the threat overall, be sure to include this in your reading, along with additional credible, authoritative sources.

In the past, I've talked about the four malware characteristics I'd developed to help DFIR folks understand and explain malware, and over time, those characteristics have served me pretty well.  One of those characteristics is the initial infection vector, or how the malware gets on the system.  Well, I ran across this InformationWeek article this morning that talks about Facebook being the "new" malware vector.  Okay, the meaning of "new" aside, I think that this is interesting, in part because it makes complete sense.  Look at the statistics in the article regarding users and the clients they use to access Facebook...pretty telling, if you ask me.

As an analyst, I'd like to hear from other analysts...have you seen incidents where Facebook was the delivery mechanism for malware?  If so, what are the artifacts on a PC or laptop, as opposed to a smartphone?

Also, Cory started a drinking game at OSDFC, because apparently I pronounce malware "mall-ware"...so for every time I wrote "malware" in this post, you need to drink!

WFA 2/e Review
Mike Ahrendt posted a review of WFA 2/e recently; it's great to see that this book is still active and making its rounds, and that people who are reading it are finding something useful.  I tend to reference it myself now and again for my own needs, and sometimes will make notes of new, additional information that I've found with respect to a particular topic.  I think it's great that folks are still picking it up for the first time and finding it useful.

There was a post over on the SANS ISC site recently regarding the resurgence of bootkits, in which MS's Win32/Popureb.E (which is still short of any information useful to analysts) was specifically mentioned.  The post goes on to take a look at AV products that detect and/or clean MBR infectors, and indicates which are more successful than others.  I still think that one of the biggest issues surrounding this sort of thing is that most analysts I've spoken with appear not to look for this sort of thing when it comes to determining if there is malware (drink!) in an image acquired from an infected system.  I'm not sure if this is an awareness issue, or a training/understanding issue; I have a checklist that I use (and try to keep up to date) for engagements such as this, so when I receive an image and the statement that, "we think it was infected with malware", I run through this process, which includes checking for indications of MBR infectors.
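To make the "check for indications of MBR infectors" step of such a checklist concrete, here is an added example (my illustration, not code from the post, the ISC diary or any of the tools mentioned).  It parses sector 0 of a raw image, validates the 0x55AA signature and partition table, compares a hash of the bootstrap code against a set of known-good hashes, and flags non-zero sectors in the unallocated gap between the MBR and the first partition, a common place for bootkits to stash code.  The disk image, the "clean" bootstrap bytes and the known-good hash set are all constructed inline for the demo; on a real engagement the baseline hashes would come from the MBR of a known-clean install of the same OS version.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
VALID_STATUS = {0x00, 0x80}  # legal values for the partition status byte


def parse_mbr(sector0: bytes) -> dict:
    """Split a classic 512-byte MBR into bootstrap code, disk signature,
    the four 16-byte partition entries and the trailing boot signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    boot_code = sector0[:440]
    disk_sig = struct.unpack_from("<I", sector0, 440)[0]
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
        "signature": sector0[510:512],
    }


def check_mbr(image: bytes, known_good_boot_hashes: set) -> list:
    """Return human-readable findings for a raw image; an empty list means nothing stood out."""
    findings = []
    mbr = parse_mbr(image[:SECTOR])
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] not in known_good_boot_hashes:
        findings.append("bootstrap code does not match any known-good hash")
    parts = mbr["partitions"]
    if not parts:
        findings.append("partition table is empty")
    for p in parts:
        if p["status"] not in VALID_STATUS:
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    # Partitions must not overlap one another
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    # Sectors between the MBR and the first partition are unallocated and should be all zero;
    # non-zero data there is where several bootkits keep their driver or original MBR copy.
    if parts:
        first_lba = min(p["lba_start"] for p in parts)
        gap = image[SECTOR:first_lba * SECTOR]           # LBA 1 .. first_lba-1
        hot = [n for n in range(1, len(gap) // SECTOR + 1)
               if any(gap[(n - 1) * SECTOR:n * SECTOR])]
        if hot:
            findings.append(f"{len(hot)} non-zero sector(s) in the gap before the first partition "
                            f"(e.g. LBA {hot[0]})")
    return findings


def build_sample_image(tampered: bool) -> bytes:
    """Constructed sample, not from a real disk: MBR, a 62-sector gap, one NTFS partition at LBA 63."""
    # Constructed stand-in for real bootstrap code (first bytes of a typical stub, then zero padding)
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x00" * (440 - 7)
    if tampered:
        boot_code = b"\xEB\xFE" + b"\x90" * (440 - 2)  # constructed replacement: jmp $ followed by nops
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2048)
    table = entry + b"\x00" * 48  # three empty slots
    mbr = boot_code + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR
    gap = bytearray(SECTOR * 62)  # LBA 1 .. 62, normally zero
    if tampered:
        gap[SECTOR * 10:SECTOR * 10 + 16] = b"\x90" * 16  # constructed hidden data at LBA 11
    return mbr + bytes(gap) + b"\x00" * SECTOR  # plus the first sector of the partition


# Baseline: in practice, the hash of the MBR bootstrap code from a known-clean install.
KNOWN_GOOD_BOOT_HASHES = {parse_mbr(build_sample_image(False)[:SECTOR])["boot_code_sha256"]}

if __name__ == "__main__":
    for label, img in (("clean", build_sample_image(False)), ("tampered", build_sample_image(True))):
        print(label, check_mbr(img, KNOWN_GOOD_BOOT_HASHES) or ["no findings"])
```

Run against a real image by reading the first few MiB of the raw file into `image`; the hash comparison only tells you the bootstrap code differs from your baseline, so a mismatch is a prompt to disassemble sector 0 and compare it with the gap contents, not a verdict on its own.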

My thoughts on this subject aren't so much that I think that MBR infectors are more pervasive than most analysts think; not at all.  I think that it's more of a knowledge or "engaging with your peers" issue than anything else.  I don't think that available courses (whether for training, or ultimately ending in a certification) are necessarily going to cover the topic of malware detection within an acquired image, but I do think that the issue is one that needs to be understood (i.e., the "Trojan defense").  As such, where do analysts go to get this sort of information or education?

What are your thoughts?


Jamie Butler said...

jamierbutler New game at #OSDFC - drink when @keydet89 says mall ware.

Keydet89 said...

Why just #OSDFC? ;-)