4. The Purpose
Malware writers use obfuscation and
sophisticated behavior to cover up
their digital tracks and move quickly
from host to host.
Techniques named on the slide:
• XOR-encrypted shellcode
• "Fast-flux" DNS
• Polymorphism
• Payload verification
• Migration
5. Static Analysis is Difficult
"Finally, there is post-mortem analysis, the study
of program behavior by looking at the after effects
of execution. ... [It] is often the only tool available
after an incident."
-Dr. Wietse Zweitze Venema
6. Meet Frank the Hermit Crab
“Forensic Response Analytic Network Kit”
“Shout out to Tom Sennett”
9. Open Source Security Information
Management (OSSIM)
OSSIM provides a strong correlation engine, detailed low-, medium- and high-level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.
10. OSSIM Components
Arpwatch
• used for MAC anomaly detection.
P0f
• used for passive OS detection and OS change analysis.
Nessus
• used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
Snort
• the IDS, also used for cross correlation with Nessus.
Spade
• the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signatures.
Ntop
• builds an extensive network information database from which we can identify aberrant behavior (anomaly detection).
Nagios
• fed from the host asset database, it monitors host and service availability information.
OSSEC
• integrity, rootkit, registry detection, and more.
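The "IDS vs Security Scanner" cross correlation mentioned for Nessus and Snort is easy to show in miniature: an IDS alert against a host the scanner has confirmed vulnerable is promoted, one against a host the scanner found clean is demoted, and both are weighted by the asset value from the asset database. The block below is an added example, not OSSIM's own correlation engine. The Snort lines follow the real `-A fast` layout but are constructed; the scanner plugin IDs, the SID-to-plugin mapping, the asset values and the scoring rule are assumptions of the example.

```python
"""Toy cross-correlation of Snort alerts with vulnerability-scan findings per asset.

Added example (not OSSIM code). All sample data is constructed; plugin IDs,
the SID-to-plugin map and the risk formula are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Snort "-A fast" alert layout: timestamp, [gid:sid:rev], message,
# optional classification, priority, {proto}, src[:port] -> dst[:port].
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (values made up; format is Snort's fast format).
SNORT_FAST_ALERTS = """\
03/14-10:02:11.123456  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.77:4412 -> 192.168.1.10:80
03/14-10:02:15.654321  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.77:4413 -> 192.168.1.20:80
03/14-10:03:01.000000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.77:1900 -> 192.168.1.10:1900
"""

# Constructed scanner results: host -> set of plugin IDs that fired.
# The plugin names are placeholders, not real Nessus plugin IDs.
SCAN_FINDINGS: Dict[str, Set[str]] = {
    "192.168.1.10": {"PLUGIN-IIS-CMDEXEC"},   # web server scanned and still vulnerable
    "192.168.1.20": set(),                    # web server scanned, nothing found
}
# Constructed cross-reference: which scanner finding confirms which Snort SID.
SID_TO_PLUGIN: Dict[int, str] = {2003: "PLUGIN-IIS-CMDEXEC"}
# Asset values (0-5) as they would come from the asset database (constructed).
ASSET_VALUE: Dict[str, int] = {"192.168.1.10": 5, "192.168.1.20": 2}


@dataclass
class Alert:
    sid: int
    msg: str
    snort_priority: int   # Snort convention: 1 = highest, 3 = lowest
    src: str
    dst: str
    dport: Optional[int]


@dataclass
class Correlated:
    alert: Alert
    verdict: str          # "confirmed", "not_vulnerable" or "unconfirmed"
    reliability: int      # 1..10, this example's own scale
    risk: int             # asset value * priority weight * reliability


def parse_fast_alerts(text: str) -> List[Alert]:
    """Parse Snort fast-format lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["src"], m["dst"],
                            int(m["dport"]) if m["dport"] else None))
    return alerts


def correlate(alerts: List[Alert], findings: Dict[str, Set[str]],
              sid_to_plugin: Dict[int, str], asset_value: Dict[str, int]) -> List[Correlated]:
    """Score each alert by scanner confirmation and asset value, highest risk first."""
    out = []
    for a in alerts:
        plugin = sid_to_plugin.get(a.sid)
        host_findings = findings.get(a.dst)
        if plugin is None or host_findings is None:
            verdict, reliability = "unconfirmed", 3     # no mapping or host never scanned
        elif plugin in host_findings:
            verdict, reliability = "confirmed", 10      # scanner saw the same hole
        else:
            verdict, reliability = "not_vulnerable", 1  # scanned, finding absent
        weight = 4 - a.snort_priority                   # priority 1->3, 2->2, 3->1
        risk = asset_value.get(a.dst, 1) * weight * reliability
        out.append(Correlated(a, verdict, reliability, risk))
    return sorted(out, key=lambda c: c.risk, reverse=True)


def rank_sample() -> List[Correlated]:
    """Run the correlation over the constructed sample data."""
    return correlate(parse_fast_alerts(SNORT_FAST_ALERTS), SCAN_FINDINGS,
                     SID_TO_PLUGIN, ASSET_VALUE)


if __name__ == "__main__":
    for c in rank_sample():
        print(f"risk={c.risk:4d} {c.verdict:14s} sid={c.alert.sid} "
              f"{c.alert.src} -> {c.alert.dst} {c.alert.msg}")
```

Run as-is, the two identical `cmd.exe access` alerts end up at opposite ends of the ranking: the one hitting the still-vulnerable, high-value host outranks even the scan alert, while the one hitting the patched host drops below it. That is the practical payoff of keeping the scanner and the IDS in one asset model rather than reading Snort output on its own.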
27. References
1. Brand, Murray. "Forensic Analysis Avoidance Techniques of Malware." Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic%20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf
2. Chaganti, Prabhakar. Xen Virtualization. Packt Publishing, 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book
3. Distler, Dennis. "Malware Analysis: An Introduction." SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103?show=2103.php&cat=malicious
4. "InMAS: Internet Malware Analysis System." CWSandbox. University of Mannheim. http://www.cwsandbox.org/
5. Lyon, Gordon. "Chapter 12. Zenmap GUI Users' Guide: Surfing the Network Topology." Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html
6. Masgood, S.G. "Malware Analysis for Administrators." SecurityFocus. http://www.securityfocus.com/infocus/1780
7. Munroe, Randall. "Network." XKCD. http://xkcd.com/350/
8. "OSSIM Architecture." OSSIM Documentation Wiki. AlienVault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture
9. Provos, Niels. "Developments of the Honeyd Virtual Honeypot." http://www.honeyd.org/index.php
10. Roesch, Martin, and others. "About Snort." Sourcefire. http://www.snort.org/snort
11. "SiLK - System for Internet-Level Knowledge." CERT NetSA, Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/
12. Venema, Wietse. "Chapter 6: Malware Analysis Basics." Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html
13. "Xen Hypervisor - Leading Open Source Hypervisor for Servers." Xen.org. Citrix Systems, Inc. http://www.xen.org/products/xenhyp.html
14. Chen, Peter, and Brian Noble. "Virtual-machine based security services." http://www.eecs.umich.edu/virtual/
Editor's Notes
Project Vision: A forensic tool for investigators and researchers to forensically examine the behavior of malware across networks, in order to reconstruct and study viral techniques to propagate across a compromised network of systems.
These techniques take time and resources to analyze, and static analysis is too human-resource intensive to be practical.
Viruses, worms, and botnets are often challenging for forensic investigators to identify and uncloak. Most payloads require write permissions, so the use of write-protecting forensic tools makes it difficult to see what the malware is actually doing. In most cases, once malicious code has been identified, it is executed in a sandboxed virtual machine. While this gives an investigator an idea of what the payload does, it doesn't always give a full picture, especially in networked environments. The virus aquarium attempts to augment static (and potentially live) forensic investigations of malware-infected networks with captured network traffic and logs from the operating system and application level.