Comments on Windows Incident Response: Malware for Incident Responders - Examples

---

SB (Anonymous), 2009-03-12 23:25

I think this is a really good general dissection of malware, and a good way to break the subject down and make it understandable to an audience to whom it may not be very familiar. I'm currently in the process of writing Incident Response procedure for the office here and this has given me a new way of looking at the subject which I can translate to the document to help make it understandable to others.

A few comments:

While the vast majority of malware will have persistence mechanisms there are a few examples that don't (SQL Slammer is one). So only looking for signs of a persistent threat (by checking the finite list of Windows startup locations for example) could result in you missing a piece of malware on a system.

In some cases the Initial Infection Vector and the Propagation mechanism could be describing the same bit of malware functionality. For example, in the case of worms, they initially infect a system by a network service being exploited by an already infected host, and they propagate by .... scanning other hosts and exploiting a network service. Of course there are many examples (as you've noted) where these vectors are different.

Good post.

SB

---

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2009-03-13 06:42

SB...

Good point about the persistence mechanism for SQL Slammer (http://www.sans.org/resources/malwarefaq/ms-sql-exploit.php), but it's not about having to have something to fill in that blank. The persistence mechanism will be a subset of the overall artifacts.

"In some cases the Initial Infection Vector and the Propagation mechanism could be describing the same bit of malware functionality."

Exactly! This isn't about having different information to fill in all the blanks...some will overlap. It's about having a way to think about malware in the context of the systems and an environment it infects, leading into the business environment that it disrupts.

Thanks for the comment!
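The persistence point raised in the thread above, as an added example that is not code from the blog post or from either commenter: the script below walks the "finite list" of Windows startup locations SB mentions (Run/RunOnce keys, services, scheduled tasks, Startup folders), then takes the complementary view a responder needs for non-persistent malware by listing every process that currently owns a TCP or UDP endpoint and marking whether any autostart entry accounts for its image. A memory-only piece of code running as its own process shows up in the second table with no autostart backing; a Slammer-style payload living inside an already-autostarted host such as sqlservr.exe will still show "yes", so the port list has to be read against what that host should be doing, and memory acquisition remains the real answer. It assumes a live Windows 8 / Server 2012 or later host run as Administrator (the ScheduledTasks and NetTCPIP modules are required); the helper names Add-Entry and Get-ExeName are this example's own.

```powershell
# Added example (not from the original post or comments). Run as Administrator.
# Part 1: the "finite list" of autostart locations a persistence check covers.
$autostartEntries = [System.Collections.Generic.List[object]]::new()
function Add-Entry([string]$Kind, [string]$Where, [string]$Command) {
    # Skip empty commands (e.g. task actions that are not exec actions)
    if ($Command) {
        $autostartEntries.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Command = $Command })
    }
}

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -notcontains $p.Name) { Add-Entry 'RunKey' "$key\$($p.Name)" ([string]$p.Value) }
    }
}
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    Add-Entry 'Service' "$($svc.Name) [$($svc.StartMode)]" $svc.PathName
}
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) { Add-Entry 'Task' "$($task.TaskPath)$($task.TaskName)" $a.Execute }
}
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File | ForEach-Object { Add-Entry 'StartupFolder' $dir $_.FullName }
    }
}

# Reduce a command line to its bare image name so that
#   "C:\Program Files\x\y.exe" -k foo   and   %SystemRoot%\y.exe /x
# both compare as y.exe against the process list.
function Get-ExeName([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $image = if ($c.StartsWith('"')) { $c.Split('"')[1] } else { ($c -split '\s+')[0] }
    return (($image -split '[\\/]')[-1]).ToLowerInvariant()
}
$autostartExe = $autostartEntries | ForEach-Object { Get-ExeName $_.Command } | Sort-Object -Unique

# Part 2: what a startup-location check cannot see. Every process that owns a
# socket right now, whether or not anything on disk will bring it back after a reboot.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$endpoints = @{}   # owning PID -> list of "proto:localport"
foreach ($c in Get-NetTCPConnection -State Listen, Established) {
    $endpoints[[int]$c.OwningProcess] += @("tcp:$($c.LocalPort)")
}
foreach ($u in Get-NetUDPEndpoint) {
    $endpoints[[int]$u.OwningProcess] += @("udp:$($u.LocalPort)")
}

$report = foreach ($ownerPid in $endpoints.Keys) {
    $proc = $procs[$ownerPid]
    if (-not $proc) { continue }                       # exited between the two snapshots
    # PID 4 (System) and protected processes expose no Path; fall back to the name.
    $exe = if ($proc.Path) { Get-ExeName $proc.Path } else { $proc.ProcessName.ToLowerInvariant() }
    [pscustomobject]@{
        PID       = $ownerPid
        Image     = $exe
        Autostart = $(if ($autostartExe -contains $exe) { 'yes' } else { 'NO' })
        Ports     = ($endpoints[$ownerPid] | Sort-Object -Unique) -join ' '
        Path      = $proc.Path
    }
}

Write-Output '=== Autostart entries (the finite list) ==='
$autostartEntries | Sort-Object Kind, Where | Format-Table -AutoSize
Write-Output '=== Processes holding sockets; "NO" = nothing on disk restarts this image ==='
$report | Sort-Object Autostart, Image | Format-Table -AutoSize
```

The first table is what a persistence-only review produces; the second is the live-state view that catches a standalone memory-resident process. Interactive user sessions and the kernel (PID 4) will legitimately appear as "NO", so treat that column as a triage filter rather than a verdict, and capture memory before rebooting a host where the two tables disagree.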