This document discusses managed IT solutions and malware. It begins with an introduction of Kyle Bisdorf, a 24-year-old lead security analyst with 7 years of experience. It then defines malware and gives examples such as rootkits, worms, and trojans, and asks whether anyone has seen an infected computer and what they did to fix it. The document outlines steps to contain, eradicate, and recover from a malware infection and names tools to use, such as Sysinternals, MalwareBytes, and the F-Secure Rescue CD. It concludes with advice to be careful online and to use browser extensions and sandboxing for protection.
5. Managed IT Solutions
Malware, eh?
• Malware is any code or application that can be used with malicious intent
– Rootkits
– Worms
– Trojans
– Spyware/Adware
– Fork Bomb (DoS)
• This presentation will focus on Windows-based malware
– Yes, Mac OS X, Android and iPhone can be infected too
7. Managed IT Solutions
Trust & Responsibility
– Use at your own risk
• I have used all of the tools we will be discussing, but I do not guarantee their security. They are constantly developed, often by anonymous contributors. I don’t have time to do a code review of all the tools I use.
– Respect the privacy of others
– Get permission, it is not implied
10. Managed IT Solutions
How did this happen?
• The web is littered with bad code
– Compromised web sites
• Cross-site Scripting (XSS)
• Modified source code of a site
– Piggybacking on other applications
• PDFs, torrent downloads, email attachments
14. Managed IT Solutions
Tricky!
• Some malware is “self-aware”
– If it sees well-known analysis processes running, it may behave differently
• Programmers are lazy; the check may only look at file names
– Try renaming your analysis executable before running it!
• Malware traverses the network too
15. Managed IT Solutions
What to do…
• Isolation is your friend
– Disconnect USB devices and the network (wireless and wired)
• Pray you have backups!
– There are clever ways to get data back
• Linux LiveCD, or pull the drive and mount it in an external hard drive case
• Fight back!
17. Managed IT Solutions
Sysinternals (and cmd)
• Toolset made by Mark Russinovich (and many other co-authors)
– TCPView
– Process Monitor (ProcMon)
– Autoruns
– netstat -naob (built-in cmd tool, not part of Sysinternals)
18. Managed IT Solutions
Sysinternals (and cmd)
• ProcMon operations worth filtering on
– RegSetValue, RegCreateKey, RegDeleteKey (registry changes)
– CreateFile, WriteFile (file system changes)
– Process Create, Process Start (new processes)
25. Managed IT Solutions
Be careful
• The internet is a dangerous place
– Browser extensions (ad and script blockers; see the Toolbox)
• Hover technique: hover over a link to see its real destination before clicking
• Virtual sandbox: open untrusted files and sites inside a virtual machine
26. Managed IT Solutions
Toolbox
Keyword | Description | Reference
VirusTotal | Google’s hash checker | https://www.virustotal.com/
MalwareBytes | Post-infection malware removal | https://www.malwarebytes.org/
Sysinternals | Peel back behind the GUI to find what Windows is doing | http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
Team Cymru Hash Lookup | TC hash checker | https://hash.cymru.com/
VirtualBox | Hypervisor for running virtual machines | https://www.virtualbox.org/
MalwareViz | Upload hashes or links to malwr.com to visualize malware | https://www.malwareviz.com/
F-Secure Rescue CD | LiveCD to automatically scan your computer | https://www.f-secure.com/en/web/labs_global/rescue-cd
27. Managed IT Solutions
Toolbox, cont’d
Keyword | Description | Reference
Process Hacker | Process viewer and manager | http://processhacker.sourceforge.net/
Wireshark | Network sniffing; you can see where the malware is going! | https://www.wireshark.org/download.html
Microsoft FCIV | Useful for creating file hashes or verifying known files | http://www.microsoft.com/en-us/download/details.aspx?id=11533
7z | Zip up malware with password protection | http://www.7-zip.org/
Extension: Ad Block Plus
Extension: Ghostery
Extension: NoScript
Extension: PrivacyBadger
The eradication phase is about removing the files you have identified as malicious.
These tools can help you identify which files are doing bad things.
You may need to boot into a Linux LiveCD to remove them.
Sysinternals is REALLY REALLY useful for learning the ins and outs of Windows.
ProcMon is a GUI application that shows, in real time, the processes on your machine and their associated file, registry and network activity.
Helpful for post-infection analysis.
If you find a suspect file, you can hash it with FCIV and submit the hash for lookup.
Windows has many, many, many load points.
A load point is a directory or registry location on your operating system that is called upon regularly (at boot, logon, or program start).
Load points help malware maintain persistence.
If you find a file you think is malware, obtain its MD5 hash and look it up.
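As an added illustration of the ProcMon operations listed on the Sysinternals slide (RegSetValue/RegCreateKey, CreateFile/WriteFile, Process Create) and of the load-point notes above, here is a small Python script that is not part of the presentation: it reads a constructed ProcMon CSV export and flags the rows that write a well-known load point or launch a process from a user-writable path. The CSV column layout, the sample rows and the short list of load points are assumptions made for the example, not taken from the slides.

```python
import csv
import io

# Constructed Process Monitor CSV export (sample data, not a real capture); the
# column layout is assumed to match ProcMon's default "Save as CSV" output.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,svchost.exe,812,RegQueryValue,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs,SUCCESS,Type: REG_SZ
10:01:03.4,updater.exe,4120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysupd,SUCCESS,"Type: REG_SZ, Data: C:\Users\user\AppData\Roaming\sysupd.exe"
10:01:03.9,updater.exe,4120,WriteFile,C:\Users\user\AppData\Roaming\sysupd.exe,SUCCESS,"Offset: 0, Length: 65,536"
10:01:04.2,updater.exe,4120,CreateFile,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysupd.lnk,SUCCESS,Desired Access: Generic Write
10:01:05.0,updater.exe,4120,Process Create,C:\Users\user\AppData\Roaming\sysupd.exe,SUCCESS,"PID: 4388, Command line: sysupd.exe -q"
10:01:06.3,notepad.exe,2200,RegSetValue,HKCU\Software\Microsoft\Notepad\iWindowPosX,SUCCESS,"Type: REG_DWORD, Data: 120"
"""

# A few well-known Windows load points (assumed list), compared case-insensitively.
REG_LOAD_POINTS = (
    "\\microsoft\\windows\\currentversion\\run",  # also catches RunOnce
    "\\windows nt\\currentversion\\winlogon",
    "\\windows nt\\currentversion\\windows\\appinit_dlls",
)
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def find_persistence(csv_text):
    """Return ProcMon rows that write a load point or launch from a user-writable path."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path = row["Operation"], row["Path"].lower()
        reason = None
        if op in ("RegSetValue", "RegCreateKey") and any(k in path for k in REG_LOAD_POINTS):
            reason = "registry load point"  # reads such as RegQueryValue are ignored
        elif op in ("CreateFile", "WriteFile") and STARTUP_FOLDER in path:
            reason = "startup folder write"
        elif op == "Process Create" and any(d in path for d in USER_WRITABLE):
            reason = "process launched from user-writable path"
        if reason:
            findings.append({"process": row["Process Name"], "pid": row["PID"],
                             "operation": op, "path": row["Path"], "reason": reason})
    return findings

def summarize(findings):
    """Count findings per process so the noisiest PID stands out for Autoruns review."""
    counts = {}
    for f in findings:
        key = f"{f['process']} ({f['pid']})"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; anything it flags is a candidate to confirm in Autoruns and to hash with FCIV before submitting the hash for lookup.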