Monday, March 19, 2012

Guest Posting on Open Security Research

I have my latest blog posting over at Open Security Research-- Integrating Cuckoo with NTR. For those who need some perspective, Cuckoo is a free sandbox application for performing automated malware analysis. NTR (Network Threat Response) is a McAfee tool for analyzing network traffic.

The post follows the lead of the awesome AMP guys (creators of NTR), who wrote a blog entry on their site about how to do this, and covers the issues I ran into trying to get everything to play nicely. I even have a fun video!

Best thing: the NTR VM is free right now and Cuckoo is also free-- so free automated malware analysis in the comfort of your own home. What are you waiting for??

Original HowTo Posting by AMP
My Guest Blog Post 

Tuesday, March 06, 2012

When You Only Have 10 Minutes...


Now don't get me wrong, doing your own analysis is a great thing. Sometimes you have a piece of malware you think is something new and, rather than tip others off about your knowledge of it, you would rather keep it to yourself until there is a good eradication procedure (be it AV, FW rules, etc.) for it.

For all those other times, there are many good online scanners out there! Simply submit your file or hash, and kerpow! Results! Now obviously results vary, but submitting to these sites can be a good first step in seeing exactly what you and your organization are up against.

I am going to highlight a few, but please don't think that I have not used more than this!
  • Virustotal: Upload a file, submit a URL for analysis or search via MD5. This tells you what 44 AV companies have to say about it.
  • ThreatExpert: An oldie but a goodie. Kind of a one-stop shop (except for URL analysis). Let's say you have an IP/MD5/domain/filename and want to see what it has been associated with (and its subsequent actions); this is a good place to start. You can also submit a file for analysis.
  • Anubis: Analyzes suspicious executable files as well as URLs.
  • Jsunpack: Sometimes you don't feel like trying to deobfuscate JavaScript with Malzilla, or it's just a bit complicated and all you really want is to see where the redirect is taking you and what it's grabbing. Cue Jsunpack! Now I am not sure what's going on, the site seems down, but there is jsunpack-n, which is the same thing but runs on your own system. Having this on a lab system is probably a good idea :)
  • malwr.com: This is a web front end to Cuckoo, which is a network emulation tool/sandbox used for malware analysis, except now instead of setting up your own, you can search for an MD5 or submit a file and see the report.
  • Wepawet: I almost forgot about this, which would have been sad. Worried about redirects or hidden iFrames in a URL? Have a PDF you want analyzed?
More lists (and repeats) can be found here:
  • http://www.malwarehelp.org/online_anti_malware_scanners_single_file.html
  • http://www.coresec.org/2011/07/26/online-malware-analysis-scanners/
So now, keep in mind-- your submitted file is now out on the internet, sitting in somebody's database. Some of these may be owned by AV companies which look for new juicy malware to add to their signatures. So, if you are really worried about that:
 (A) read the documentation on their website to see what happens with collected data
 (B) do your own analysis
 (C) ask your customer/boss what their position is on submitting files to these sites -- make sure you know the answer to choice 'A' for this one too

Remember collaboration is one of the biggest deciding factors in incident response, but use common sense and discretion.


Thursday, March 01, 2012

Wrapping Up Looking for Meterpreter

Yes guys-- sorry it took a while. I've been busy with work and vacation (my desktop in the video is a photo from Iceland!)

I feel like I ramble a bit in this one, so here is a quick rundown for those with better things to do:

  • I am using Mandiant's Highlighter tool to parse through the log file. This tool seems very flexible and there are many additional features I did not highlight (see what I did there??) in the video. Check out the tool yourself at Mandiant's website.
  • The Prefetch Parser is the tool I used to parse the prefetch files from the victim machine. This is from RedWolf Computer Forensics.
  • Baselining is a very important aspect of IR. If you know how your network normally operates and how the software you run interacts with the OS, it becomes much easier to pick out the abnormal instances.
  • The TEMP and Prefetch directories have been storehouses for malware for as long as I can remember. Even meterpreter, which sits in memory, needs to leave a footprint -somewhere-. When doing an investigation always look at these two locations (SHAMELESS PLUG: my PowerShell script does this for both Vista/7).
So if you fear a meterpreter session in your workplace, take heart that all is not lost; there are still places to find traces of it! Of course, if the attacker tries to maintain persistence then you know there will be traces on the filesystem/registry. Timeline analysis could be very useful here as well, and again I cannot stress memory dumps enough.
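As an added example (not the author's PowerShell script and not RedWolf's Prefetch Parser): a minimal Python parser for the header of an XP (version 17) or Vista/7 (version 23) prefetch file, pulling out the executable name, prefetch hash, run count and last run time that a timeline needs. The sample record it parses is constructed in code; the EVIL.EXE name and the hash value are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Header offsets of uncompressed Windows prefetch (.pf) files, from the publicly
# documented format: version 17 = XP/2003, version 23 = Vista/7.
_LAYOUT = {17: {"last_run": 0x78, "run_count": 0x90},
           23: {"last_run": 0x80, "run_count": 0x98}}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data: bytes) -> dict:
    """Extract executable name, prefetch hash, run count and last run time."""
    if len(data) < 8 or data[4:8] != b"SCCA":
        raise ValueError("not an uncompressed prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    lay = _LAYOUT[version]
    if len(data) < lay["run_count"] + 4:
        raise ValueError("truncated prefetch header")
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL terminated.
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    ticks = struct.unpack_from("<Q", data, lay["last_run"])[0]
    return {"version": version, "exe_name": exe_name,
            "hash": "%08X" % struct.unpack_from("<I", data, 0x4C)[0],
            "last_run": filetime_to_datetime(ticks),
            "run_count": struct.unpack_from("<I", data, lay["run_count"])[0]}

def build_sample(version: int, exe_name: str, run_count: int, last_run: datetime) -> bytes:
    """Constructed input for testing: a header-only .pf image, not a real file."""
    lay = _LAYOUT[version]
    buf = bytearray(0xA0)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x4C] = exe_name.encode("utf-16-le")[:60].ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x1234ABCD)  # made-up prefetch hash
    ticks = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, lay["last_run"], ticks)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    return bytes(buf)

def sample_record(version: int = 23) -> dict:
    """Parse a constructed record for a hypothetical EVIL.EXE last run 2012-03-01."""
    when = datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)
    return parse_prefetch(build_sample(version, "EVIL.EXE", 7, when))
```

To use it on a real system, read each file under C:\Windows\Prefetch and pass the bytes to parse_prefetch; a run count of 1 with a recent last run time on a name you do not recognize is exactly the kind of outlier baselining makes visible.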