Sunday, 21 May 2017

Finding Unknown Malware – Step-By-Step

STEP 1: Prep Evidence/Data Reduction

• Carve and Reduce Evidence
- Gather Hash List from similar system (NSRL, md5deep)
- Carve/Extract all .exe and .dll files from unallocated space

• foremost • sorter (exe directory) • bulk_extractor

• Prep Evidence
- Mount evidence image in Read-Only Mode
- Locate memory image you collected
- Optional: Convert hiberfil.sys (if it exists to raw memory image) using volatility

STEP 2: Anti-Virus Checks

Run the mounted drive through an anti-virus scanner with the latest updates. Anti-virus scanners employ hundreds of thousands of signatures that can quickly identify
well-known malware on a system. First, download the latest anti-virus signatures
and mount your evidence for analysis. Use a “deep” scan when available and
consider scanning your mounted drive with multiple anti-virus engines to take
advantage of their scanning and signature differences.

Get in the habit of scanning files exported from your images such as deleted files, data carving results, Sorter output, and email attachments. While anti-virus will not be effective on 0-day or unknown malware, it will easily find the low hanging fruit.

STEP 3: Indicators of Compromise Search

Using indicators of compromise (IOCs) is a very powerful technique to identify malware components on a compromised host. IOCs are implemented as a combination of boolean expressions that identify specific characteristics of malware. If these characteristics are found, then you may have a hit. An IOC should be general enough to find modified versions of the same malware, but specific enough to limit false positives.

There are two types of indicators: host-based (shown above), and network-based (similar to snort
signatures plus additional data).

The best IOCs are usually created by reversing malware and application behavioral analysis.
     File Md5
     File Fuzzy Hash
     File Path Contains \windows\system32\
     File Size is > 100kb and < 150kb
     Service Name = svchost
     " "    = srvavc
     Malware is Packed
     Compile time is between 2-Dec and 10 Dec
     RegKey = Softwaare\Microsoft\Windows\CurrentVersion\Run
     RegKey = Softwaare\Microsoft\Windows\CurrentVersion\RunOnce

       Registry Value = winzf32

 What Works?
            OpenIOC Framework -
            IOC Editor
            IOC Finder
            YARA Project

STEP 4: Automated Memory Analysis

    • Behavior Ruleset
- Code Injection Detection
- Process Image Path Verification

    • svchost outside system32 = Bad
- Process User Verification (SIDs)

    • dllhost running as admin = Bad
             - Process Handle Inspection

    • iexplore.exe opening cmd.exe = Bad
    • )!voqa.i4 = known Poison Ivy mutant
    • Verify Digital Signatures
- Only available during live analysis
- Executable, DLL, and driver sig checks
- Not signed?
    • Is it found in >75% of all processes?

What Works?
Volatility Malfind

STEP 5: Evidence of Persistence Malware
        Scheduled Tasks
Service Replacement
Service Creation
Auto-Start Registry keys
DLL Search Order Hijacking
Trojaned legitimate System Libraries
More Advanced - Local group policy, MS office Add-In, or BIOS Flashing

 Malware wants to hide, but it also wants to survive a reboot. Malware persistence is extremely common and is an excellent way to find hidden malware.
Persistence comes in many forms. The simplest mechanism is via scheduled tasks and the “at” command. Other popular persistence mechanisms include Windows Services and auto-start locations. Adversaries can run their malware as a new service or even replace an existing service.
There are numerous Windows Registry mechanisms to auto-start an executable at boot or login.Using a tool called autorunsc.exe will easily parse the autostart locations across scheduled tasks, services, and registry keys. While these are the most common, keep in mind there are more advanced techniques.

For example, the Mebromi malware even flashes the BIOS to persist.
Attacks of this nature are rare because even the simplest of techniques are effective,
allowing attackers to maintain persistence for long periods of time without being discovered.

 What Works?
  Autorunsc.exe from Microsoft sysinternals
STEP 6: Packing/Entropy Check 

 • Scan the file system or common locations for possible malware
- Indication of packing
- Entropy test
- Compiler and packing signatures identification
- Digital signature or signed driver checks

What Works?
MANDIANT Red-Curtain
Sigcheck -

STEP 7: Review Event Logs 

     Scheduled Tasks Log
Logon Events
Account Logon Events
Rogue Local Accounts
Suspicious Services
Clearing Event Logs

    What Works?
logparser -
Event Log Explorer -
Log Parser Lizard -

STEP 8: Super Timeline Examination

Once you are down to about 10-20 candidates, it is a good time to identify where
those files show up in your timeline. The additional context of seeing other files in
close temporal proximity to your candidates allows you to identify false positives and
focus on those files most likely to be malicious.  In the above example, we see the
creation of the file winsvchost.exe in the C:\Windows\System32\ directory.
If this were one of your candidate files, you would clearly see artifacts that indicate a
spear phishing attack surrounding that file’s creation time.

Notably, an .XLS file was opened via email, winsvchost.exe was executed,an
auto-start persistence mechanism was created, and finally, a network socket was opened.

All within one second! Contextual clues in temporal proximity to the files
you are examining are quite useful in your overall case.

What Works? log2timeline found in SIFT Workstation

STEP 9: By-Hand Memory Analysis

     * Identify rogue processes
               - name,path,parent,command line,start time,SIDs

     * Analyze process DLLs and handles

     * Review network artifacts
               - Suspicious ports, connections and processes

     * Look for evidence of code injection
            - Injected memory sections and process hollowing

     * Check for signs of a rootkit
            - SSDT, IDT,IRP and inline hooks

     * Dump suspicious process and drivers
           - Review strings, anti-virus scan, reverse-engineer

  Memory analysis is one of the most powerful tools for finding malware. Malware
has to run to be effective, creating a footprint that can often be easily discovered
via memory forensics. A standard analysis can be broken down into six major steps.
Some of these steps might be conducted during incident response, but using a
memory image gives deeper insight and overcomes any rootkit techniques that
malware uses to protect itself. Memory analysis tools are operating-system specific.
Since each tool gathers and displays information differently, use multiple tools to check your results.

    What Works?
                  Mandiant Redline

STEP 10: By-Hand 3rd Party Hash Lookups

      Hash lookups to eliminate known good files and identify known bad files is a useful technique when narrowing down potential malware. Bit9 FileAdvisor is a free search engine for querying Bit9’s application whitelisting database.

  It is available via online lookup, as well as via a downloadable utility (

 The National Software Reference Library also provides a robust set of known good hashes for use.

VirusTotal will scan a file through over 40 different A/V scanners to determine if any of the current signatures detect the malware. VirusTotal also allows its database to be searched via MD5 hashes, returning prior analyses for candidate files with the same MD5.

      What Works?
            VirusTotal and bit9
                 NSRL Query

STEP 11: MFT Anomalies

A typical file system has hundreds of thousands of files. Each file has its own MFT
Record Number. Because of the way operating systems are installed, it’s normal to
see files under entire directory structures written to disk with largely sequential MFT Record Number values.

For example, above is a partial directory listing from a Windows NTFS partition’s %system32% directory, sorted by date.

Note that the MFT Record Number values are largely sequential and, with some exceptions, tend to align with the file creation times. As file systems are used over the years and new patches are applied causing files to be backed up and replaced, the ordering of these files by MFT Record Number values can break down. Surprisingly, this ordering remains intact enough on many systems, even after years of use, that we can use it to spot files of interest. This will not happen every time as
MFT entries are recycled fairly quickly, but in many cases an outlier can be identified.

STEP 12: File-Time Anomalies

        * Timestamp Anomalies
- $SI Time is before $FN Time
- Nanoseconds values are all zeroes

One of the ways to tell if file time backdating occurred on a windows machine is to examine the NTFS $Filename times compared to the times stored in $Standard Information. Tools such as timestomp allow hackers to backdate a file to an arbitrary time of their choosing.

Generally, hackers do this only to programs they are trying to hide in the system32 or similar system directories. Those directories and files would be a great place to start. Look to see if the $Filename (FN) creation time occurs after the $Standard Info creation time, as this often indicates an anomaly.

What Works?
 found on SIFT Workstation and
               log2timeline found on SIFT Workstation

STEP 13: You Have Malware! Now What?

      • Hand it to Malware Analyst
         - FOR610 – RE Malware
         - Hand over sample, relevant configuration files, memory snapshot

      • Typical Output from Malware Analyst
         - Host-based indicators
         - Network-based indicators
         - Report on malware capabilities and purpose

 • You can now find additional systems compromised by the malware you found

No comments:

Post a Comment