Recommended
More Related Content
What's hot
What's hot (20)
Similar to Apparatus finding bad(malware)
Similar to Apparatus finding bad(malware) (20)
Recently uploaded
Recently uploaded (19)
Apparatus finding bad(malware)
- 1. Managed IT Solutions Keep IT Clean Kyle Bisdorf
- 3. Managed IT Solutions W.W.W.W.W. – Kyle Bisdorf – TTL/ Lead Security Analyst – 24 y.o. – Indy for ~7 years Computer Security (Forensics/Incident Response), Breaking stuff, Building servers & testing apps
- 5. Managed IT Solutions Malware, eh? • Malware is any code/application that can be used with malicious intent – Rootkits – Worms – Trojans – Spyware/Adware – Fork Bomb(DoS) • This presentation will focus on Windows based malware – Yes, Mac OS X, Android, iPhone, can be infected
- 6. Managed IT Solutions Malware, eh? • Who has seen an infected computer? • What did you do to fix it?
- 7. Managed IT Solutions Trust & Responsibility – Use at your own risk • I have used all of the tools we will be discussing, but I do not guarantee their security. They are constantly developed, often by anonymous contributors. I don’t have time to do a code review of all the tools I use. – Respect the privacy of others – Get permission, it is not implied
- 9. Managed IT Solutions How did this happen?!
- 10. Managed IT Solutions How did this happen? • The web is littered with bad code – Compromised web site • Cross-site Scripting (XSS) • Modified source code of a site – Piggybacking on other applications • PDFs, torrent downloads, email attachment
- 11. Managed IT Solutions What can you do?
- 12. Managed IT Solutions What can you do? • Containment • Eradication • Recovery • Lessons
- 13. Managed IT Solutions Cease and Desist! [containment]
- 14. Managed IT Solutions Tricky! • Some malware is “self-aware” – If it sees well-known processes running, it may behave differently • Programmers are lazy, they may only look for file names – Try renaming your executable before running it! • Traverses the network too
- 15. Managed IT Solutions What to do… • Isolation is your friend – USB, Network (wireless / wired) • Pray you have backups! – * There are clever ways to get data back • Linux LiveCD or Hard Drive Case • Fight back!
- 17. Managed IT Solutions Sysinternals (and cmd) • Toolset made by Mark Russinovich (and many other co- authors) – TCPView – ProcessMonitor – Autoruns – Netstat -naob
- 18. Managed IT Solutions Sysinternals (and cmd) • ProcMon – RegSetValue, RegCreateKey, RegDeleteKey – CreateFile, WriteFile – Process Create, Process Start
- 19. Managed IT Solutions Sysinternals • AutoRuns
- 20. Managed IT Solutions Useful commands • doskey /history • wmic process list brief • wmic startup list full • ipconfig /displaydns | find /i "record name“ • tasklist /svc | sort • echo startup | WMIC
- 21. Managed IT Solutions FCIV • File Checksum Integrity Verifier
- 22. Managed IT Solutions Automated Cleanup • MalwareBytes • F-Secure Rescue CD • *many others
- 23. Managed IT Solutions Worst Case… • Restore from backup • Reinstall from original media
- 24. Managed IT Solutions Going Forward
- 25. Managed IT Solutions Be careful • The internet is a dangerous place – Browser extensions • Hover technique • Virtual Sandbox
- 26. Managed IT Solutions Toolbox Keyword Description Reference Virus Total Google’s Hash Checker https://www.virustotal.com/ MalwareBytes Post-infection, malware removal https://www.malwarebytes.org/ Sysinternals Peel back behind the GUI to find what Windows is doing http://technet.microsoft.com/en- us/sysinternals/bb842062.aspx Team Cymru Hash Lookup TC Hash Checker https://hash.cymru.com/ VirtualBox Hypervisor, for running virtual machines https://www.virtualbox.org/ MalwareViz Upload hashes or links to malwr.com to visualize malware https://www.malwareviz.com/ F-Secure Rescue CD LiveCD to automatically scan your computer https://www.f- secure.com/en/web/labs_global/rescu e-cd
- 27. Managed IT Solutions Toolbox, cont’d Keyword Description Reference Process Hacker http://processhacker.sourceforge.net/ Wireshark Network sniffing. You can see where the malware is going! https://www.wireshark.org/download.h tml Microsoft FCIV Useful for creating file hashes, or verifying known files http://www.microsoft.com/en- us/download/details.aspx?id=11533 7z Zip up malware with password protection http://www.7-zip.org/ Extension: Ad Block Plus Extension: Ghostery Extension: NoScript Extension: PrivacyBadger
Editor's Notes
- Eradication phase about removing files you have identified as being malicious.
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove Sysinternals is REALLY REALLY useful for learning the ins/outs of Windows
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove ProcMon is a GUI application that actively shows processes on your machine, and associated files/network activity Helpful for post-infection If you find a suspect file, you can FCIV it and submit your hash
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove Windows has manymanymany load points A load point is a directory/location on your operating system that is called upon regularly Helps malware maintain persistence
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove Windows has manymanymany load points A load point is a directory/location on your operating system that is called upon regularly Helps malware maintain persistence
- These tools can help you identify what files are doing bad things May need to boot into a linux liveCD to remove If you find a file you think is malware, obtain an MD5 hash