Sunday, August 7, 2011

Procedures for Behavioral Analysis Process

1. Gather the hash value of the malware.
2. Activate the monitoring tools (in an order tailored to capture the maximum information).
3. Run the malware in the host-only virtual machine, under the observation of some dynamic tools (such as Process Explorer and TCPView).
4. Don't kill the process unless it terminates by itself.
5. Wait for a few minutes. If the process terminates by itself, wait at least another 1-2 minutes.
6. Pause the monitoring tools (in the reverse order of their start-up).
7. Observe the logs and suspicious entries. (Write down all identified information and revisit the logs if new traces are found.)
8. Exercise your judgement to interpret your findings. (This is an art.)
9. Based on the above findings, call up additional tools (such as Process Explorer, WinObj or VMMap) to inspect the possible artifacts in the process or memory, and keep screen captures of the new findings.
10. Terminate the process if it is still running.
11. Call up the tools again to re-examine the possible artifacts in the registry, process or memory.
12. Write down the MAC times and hash values of all added, deleted and modified files, and copy these files to a "file" folder.
13. Back up all logs and screen captures to a "data" folder for further reference.
14. Zip these folders with a password and copy them to the host machine before rolling back your virtual machine.
15. Further analyze your logs with the help of the search capability of an editor, or import them into Excel if they are in CSV format for further searching.
16. Never inspect the "file" folder on your host machine.
17. Finally, document all your findings and prepare a formal report.

Of course, I did not cover how to model the network to respond to the malware's requests, and I am assuming these procedures will be carried out after studying the pcap file contained in the CaptureBAT log.
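As an added example (not part of the original post) of steps 12 and 15, a small Python script that snapshots the file system before and after the run, classifies files as added, deleted or modified by comparing their hashes, and writes the MAC times and hash values of every changed file to a CSV that can be searched or imported into Excel. The directory layout, file names and contents in demo() are constructed for the illustration, not real malware artifacts.

```python
import csv
import hashlib
import tempfile
from pathlib import Path

FIELDS = ("sha256", "size", "mtime", "atime", "ctime")

def snapshot(root):
    """Record SHA-256, size and MAC times of every file under root, keyed by relative path."""
    root, snap = Path(root), {}
    for p in (q for q in root.rglob("*") if q.is_file()):
        st = p.stat()  # ctime is creation time on Windows, metadata change time on Unix
        snap[p.relative_to(root).as_posix()] = dict(zip(FIELDS, (
            hashlib.sha256(p.read_bytes()).hexdigest(), st.st_size, st.st_mtime, st.st_atime, st.st_ctime)))
    return snap

def diff_snapshots(before, after):
    """Classify paths as added, deleted or modified (content hash differs) between two snapshots."""
    return {
        "added": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k]["sha256"] != after[k]["sha256"]),
    }

def write_report(before, after, changes, out_csv):
    """One CSV row per changed file, searchable in an editor or importable into Excel (step 15)."""
    with open(out_csv, "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(("change", "path") + FIELDS)
        for kind in ("added", "deleted", "modified"):
            src = before if kind == "deleted" else after  # deleted files only exist in the baseline
            for path in changes[kind]:
                w.writerow([kind, path] + [src[path][f] for f in FIELDS])

def demo():
    """Constructed scenario: take a baseline, make dropper-like changes, then diff and report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "readme.txt").write_text("clean baseline\n")
        before = snapshot(root)
        (root / "system32" / "dropped.dll").write_bytes(b"MZ constructed sample")             # added
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")  # modified
        (root / "readme.txt").unlink()                                                          # deleted
        after = snapshot(root)
        changes = diff_snapshots(before, after)
        write_report(before, after, changes, root / "files.csv")
        return changes
```

In a real run the baseline snapshot is taken of the guest's system volume before step 3 and the second one after step 10, and the CSV goes into the "data" folder from step 13.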

Saturday, May 5, 2007

SPYLOCKS

From Wiki: http://en.wikipedia.org/wiki/SpyLocked

Try this:

You need to remove all these files:

spylocked.exe
xkrdk.dll
onwtj.dll
fyxkaah.dll
higehsg.dll
geplxss.dll
tvomnc.dll

You can find more information here:
http://www.xp-vista.com/spyware-removal/spylocked-removal-instructions

OR:

Check this: http://www.bleepingcomputer.com/forums/topic85376.html


MSRundll.exe

From Symantec, this virus is called W32.Vibmaru.
Try to fix it by following the golden rules for virus removal:
1. Disable System Restore, if you are using XP.
2. Update virus definitions.
3. Run a full scan.
4. Delete the registry entries below.

To delete the values from the registry:
  1. Delete these entries:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System" = "system.exe (74295303)"

  2. Restore the following registry entries to their original values, if required:

    HKEY_CLASSES_ROOT\scrfile\"(default)" = ""
    HKEY_CLASSES_ROOT\inifile\shell\open\command\"(default)" = "system32.exe %1"
    HKEY_CLASSES_ROOT\txtfile\shell\open\command\"(default)" = "msrundll.exe %1"
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\"ActiveTimeBias" = "420"
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\"ActiveTimeBias" = "480"

Virus for China

Just fixed a browser hijack called My123.com for one of my friends in China....

At first, I thought it was a simple job: remove some files by booting up a UBCD4Win CD and delete some registry entries. However, the virus came back, and I found it was a rootkit hidden inside drivers which are loaded during boot-up.

It drove me to take an interest in studying and finding solutions for the unique viruses in China. I am preparing to put some solutions on this blog and hope others could provide me with virus samples so that I can do some more research....