Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Managed IT Solutions Clean Malware
Similar to Managed IT Solutions Clean Malware (20)
Recently uploaded
Recently uploaded (20)
Managed IT Solutions Clean Malware
- 1. Managed IT Solutions Keep IT Clean Kyle Bisdorf
- 3. Managed IT Solutions W.W.W.W.W. – Kyle Bisdorf – TTL/ Lead Security Analyst – 24 y.o. – Indy for ~7 years Computer Security (Forensics/Incident Response), Breaking stuff, Building servers & testing apps
- 5. Managed IT Solutions Malware, eh? • Malware is any code/application that can be used with malicious intent – Rootkits – Worms – Trojans – Spyware/Adware – Fork Bomb(DoS) • This presentation will focus on Windows based malware – Yes, Mac OS X, Android, iPhone, can be infected
- 6. Managed IT Solutions Malware, eh? • Who has seen an infected computer? • What did you do to fix it?
- 7. Managed IT Solutions Trust & Responsibility – Use at your own risk • I have used all of the tools we will be discussing, but I do not guarantee their security. They are constantly developed, often by anonymous contributors. I don’t have time to do a code review of all the tools I use. – Respect the privacy of others – Get permission, it is not implied
- 9. Managed IT Solutions How did this happen?!
- 10. Managed IT Solutions How did this happen? • The web is littered with bad code – Compromised web site • Cross-site Scripting (XSS) • Modified source code of a site – Piggybacking on other applications • PDFs, torrent downloads, email attachment
- 11. Managed IT Solutions What can you do?
- 12. Managed IT Solutions What can you do? • Containment • Eradication • Recovery • Lessons
- 13. Managed IT Solutions Cease and Desist! [containment]
- 14. Managed IT Solutions Tricky! • Some malware is “self-aware” – If it sees well-known processes running, it may behave differently • Programmers are lazy, they may only look for file names – Try renaming your executable before running it! • Traverses the network too
- 15. Managed IT Solutions What to do… • Isolation is your friend – USB, Network (wireless / wired) • Pray you have backups! – * There are clever ways to get data back • Linux LiveCD or Hard Drive Case • Fight back!
- 17. Managed IT Solutions Sysinternals (and cmd) • Toolset made by Mark Russinovich (and many other co- authors) – TCPView – ProcessMonitor – Autoruns – Netstat -naob
- 18. Managed IT Solutions Sysinternals (and cmd) • ProcMon – RegSetValue, RegCreateKey, RegDeleteKey – CreateFile, WriteFile – Process Create, Process Start
- 19. Managed IT Solutions Sysinternals • AutoRuns
- 20. Managed IT Solutions Useful commands • doskey /history • wmic process list brief • wmic startup list full • ipconfig /displaydns | find /i "record name“ • tasklist /svc | sort • echo startup | WMIC
- 21. Managed IT Solutions FCIV • File Checksum Integrity Verifier
- 22. Managed IT Solutions Automated Cleanup • MalwareBytes • F-Secure Rescue CD • *many others
- 23. Managed IT Solutions Worst Case… • Restore from backup • Reinstall from original media
- 24. Managed IT Solutions Going Forward
- 25. Managed IT Solutions Be careful • The internet is a dangerous place – Browser extensions • Hover technique • Virtual Sandbox
- 26. Managed IT Solutions Toolbox Keyword Description Reference Virus Total Google’s Hash Checker https://www.virustotal.com/ MalwareBytes Post-infection, malware removal https://www.malwarebytes.org/ Sysinternals Peel back behind the GUI to find what Windows is doing http://technet.microsoft.com/en- us/sysinternals/bb842062.aspx Team Cymru Hash Lookup TC Hash Checker https://hash.cymru.com/ VirtualBox Hypervisor, for running virtual machines https://www.virtualbox.org/ MalwareViz Upload hashes or links to malwr.com to visualize malware https://www.malwareviz.com/ F-Secure Rescue CD LiveCD to automatically scan your computer https://www.f- secure.com/en/web/labs_global/rescu e-cd
- 27. Managed IT Solutions Toolbox, cont’d Keyword Description Reference Process Hacker http://processhacker.sourceforge.net/ Wireshark Network sniffing. You can see where the malware is going! https://www.wireshark.org/download.h tml Microsoft FCIV Useful for creating file hashes, or verifying known files http://www.microsoft.com/en- us/download/details.aspx?id=11533 7z Zip up malware with password protection http://www.7-zip.org/ Extension: Ad Block Plus Extension: Ghostery Extension: NoScript Extension: PrivacyBadger
Editor's Notes
- Eradication phase about removing files you have identified as being malicious.
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove Sysinternals is REALLY REALLY useful for learning the ins/outs of Windows
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove ProcMon is a GUI application that actively shows processes on your machine, and associated files/network activity Helpful for post-infection If you find a suspect file, you can FCIV it and submit your hash
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove Windows has manymanymany load points A load point is a directory/location on your operating system that is called upon regularly Helps malware maintain persistence
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove Windows has manymanymany load points A load point is a directory/location on your operating system that is called upon regularly Helps malware maintain persistence
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove If you find a file you think is malware, obtain an MD5 hash