Malware Behaving Badly: Preview
Written by Peter Silberman
Hope everyone on the northern east coast is staying warm during snowpaclypse. Since I can’t go anywhere I figured now is the right time to write about an upcoming webinar I am giving with Michael Graven.
The webinar entitled Malware Behaving Badly is on Thursday, February 18, at 2:00 p.m. EST. The webinar title is a cute play on my DOD Cyber Crime (DC3) talk where I first introduced Malware Rating Index (MRI) into Audit Viewer (which is available for download).
If you saw my DC3 talk or viewed the slides and are wondering, “hey is this the same talk?” the answer is…well a little bit. The webinar will build off of a lot of the behaviors and theories I discussed at DC3. We will be addressing new behaviors as well as looking at APT vs Mass Malware behaviors. I’ve added two new configurable behaviors to MRI and did enough research to scrap a third. I’ll share those as well as give more real world examples of how malware exposes itself in memory.
For example the below listing shows the keylogger, the process and the file handle that process has. The file handle is actual the log file the key logger is writing too.
| Keylogger Name | Process | Log File |
| Klog | System | \Klog.txt |
| Advanced Keylogger | Explorer | \WINDOWS\Help\dsclientsock.hlp |
| Spector Pro | Explorer | \WINDOWS\system32\avoxnot\BEC7CA9645B2AF87DEEACD53B38B223FEE1C605C.zup |
If you didn’t catch my DC3 talk and didn’t understand the slides this is a good time to get an updated version of the talk. I’m going to focus on malware behavior, what it does when it’s installed that makes it stand out in memory. We will cover APT and Mass Malware, and specifically where we see their behaviors intersect. Some of these behaviors are horribly simple, i.e. flag svchost launched from directories other than \windows\system32. Some are as simple but may not be as obvious, for example flag svchost, or iexplore if they have a process handle to cmd.exe. These are rules that should never be true.
When discussing rules, I use that term loosely. Basically in Audit Viewer you now have the option to configure all this information. If you go to Operations -> Configure Malware Rating Index you can configure all these things and a few more not mentioned in this post but mentioned in the webinar. We will wrap up the webinar like always with a live demo. Live demos are the most fun really, it’s like NASCAR except it’s just reputation not lives on the line.
I hope you can join us, it should be fun.
If you would like to learn more in-depth about how physical memory analysis works, use Memoryze and Audit Viewer, understand MRI, or write your own malware rules, join Jamie and I at the CanSecWest training. CanSecWest specializes in technical, hands-on classes with an extremely low student-teacher ratio.
Tags: APT, Audit Viewer, CanSecWest, Fresh Prints Malware Behaving Badly, Malware Behaving Badly, Malware Rating Index, Memoryze, MRI, webinar
. 12 Feb 10 | Conferences, General
Leave a Reply
You must be logged in to post a comment.
Recent Posts
- Stuxnet Memory Analysis and IOC creation
- Malware Persistence without the Windows Registry
- State of the Hack: M-Trends: State of Remediation
- Memory acquisition and the pagefile(s)
- Web Historian: Reloaded
Follow us on Twitter
- Mandiant: Security on ATMs needs to be revisited http://bit.ly/aPfu48 @jamierbutler #blackhatevents -hb
- Mandiant: RT @kanyewest It is even better than I could have imagined. -mjg
- Mandiant: Thanks for hitting the M party last night, y'all. See you next year and next webinar. http://bit.ly/aGfY6q mjg #blackhatevents