Malware Artifacts

Agenda

• Quick Introduction• Quick overview of artifacts• Walk-through lab

Introduction

• Edgar Sevilla– CIO, Kyrus Technology– 15 years software development, reverse

engineering, computer forensics, & information security

• Ken Warren– Director of training, AccessData– 15 years of experience in law enforcement and

computer forensic examinations

Today’s Goal

• Gain a high-level understanding of the of artifacts than can be found in memory, dead disk, and live systems when malware executes

• Walkthrough of a memory image, disk image, and live systems to find artifacts

• This lab will NOT go into the reverse engineering, no matter how much I want to!

Where can we find artifacts?

• Memory– Processes enumeration– Driver enumeration– Module enumeration– Open Registry keys– Open File Handles– Synchronization events– Communications– Content

Where can we find artifacts?

• Disk– Files– Prefetch files– Registry Files– File Attributes– File Times– Restore points– pagefile

Where can we find artifacts?

• Live Systems– Hidden Files– Hidden Processes– Repetitive actions• Registry activity• Communications• Processes

– Hidden Registry Entries

Processes/Drivers

• Process enumeration• Driver enumeration

Files

• Prefetch file• File times• File Attributes• Hidden files• Open Handles• Loaded Modules

Registry

• Autoruns entries– Check autoruns entries in registry

• Windows Firewall modifications

Synchronization Methods

• Mutants/Mutex• Semaphores• Events

Communications

• Sockets– Listening sockets– Connected sockets

• Named Pipes– Inter-process

communication• Communication content,

urls, headers

Getting Started

• Finding the first artifact is sometimes the toughest– Process listing– Anomalous files– System autoruns– Prefetch artifacts

• Good news there are a lot of artifacts, the bad news there are a lot of artifacts

List of tools that can be used

• Disk– FTK– Encase

• Memory– FTK– Volatility– Memoryze

• Live System– FTK Enterprise– Microsoft Sysinternals Tools– GEMR

Questions prior to the lab

?

Process Listing Prefetch File Anomalous File

Autoruns EntryBot.exe

Read only Attrib

Userint entry

Lowsec directory

Winlogon.exePid: 652 Svchost.exe

Pid: 876

Active sockets

Lowsec\local.ds

Avira_2109

IP Address

Domain: m4ht.com

Get HTTP Request

Avira_2109Lowsec\local.ds Lowsec\user.ds.ll

A0013970.exe

sdra64.exe

Owner: Administrator

Unusual Create Time

Post HTTP Request

URLs

LabRed = Possible starting pointsBlue = Artifacts

Active Connections

Restore pointOpen HandlePrefetch file

File Properties

File Properties

File Properties

Registry FileAutoruns tool

Rootkit RevealerRestore point

Open HandleOpen Handle

Open Handle

Open HandleOpen Handle

Open Handle

Open Handle

Socket lists Socket Listing

Memory Scan

Memory Scan

Memory Scan

Memory Scan

Summary• Initial Thread

– Found bad process in Process Listing– Anomalous file listing– Autoruns entries– Prefetch file

• Found Installer file, and dropped file• Identified data files• Linked data files to winlogon & svchost• Svchost had active sockets• IP address linked:

– to domain m4ht.com– Get HTTP request to download configuration file– Post HTTP request to upload data

Remediation

• Remove artifacts that have been found– Delete sdra64.exe• Can we delete a file that we can’t access

– Remove entry from userinit registry entry• While Zeus is running this entry is checked every few

seconds

– Delete data files from lowsec directory• Can we delete files that are hidden and in use

– Re-enable Windows Firewall