Sunday, December 04, 2011

Quick Malware Notes, Incident Response, and 00-outs

A while back after dealing with some heavily malware-infected systems, I wrote a followup post Anti-Malware Tools of Note.

Since that time, a few other bits and bytes have come across my desk so I thought I would supplement it slightly.

TinyApps bloggist brings our attention to and a recommendation for a “new” Free standalone and bootable antimalware that has ranked very high on Virus Bulletin’s VB100 comparative tests.

That tool is eScanAV Anti-Virus Toolkit (MWAV) which is also available in a standalone eScan Rescue Disk format as well.  Registration is requested to access the download link, however the tools are free.

It is similar in many ways to Microsoft Safety Scanner which I previously wrote about:

Being a “standalone” tool of sorts, it can be run in the WinPE environment or on the “live” system.  The trick in WinPE is to make sure your WinPE build has a large scratch-space value.  Check out this 4sysops post Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 for more details.

I do understand that for some folks, the thought of making a custom-spun WinPE boot tool could be quite intimidating.  With that in mind, you will want to keep a copy of the Microsoft Standalone System Sweeper Beta handy.  Of course you will need an uninfected “host” system to create the tool. Download the “builder” utility in either x32 or x64 flavor depending on your hardware and choose a blank CD, DVD, or USB drive with at least 250 MB of space. Execute the tool and build-away.

Of course, you may want to do more with this plain-Jane WinPE build that it lets you.  And you can if you know the tricks our dear TinyApps bloggist posts in his Extending Microsoft Standalone System Sweeper tips.

Michael Pietroforte has some more related details of his on in his 4Sysops post FREE: Microsoft Standalone System Sweeper – Standalone antivirus software

Back in my “younger” days of malware response, tool sets were pretty limited and there seemed to be just a few strong "antimalware” package tools available. One of those I depended on was Spybot-Search & Destroy.  As my skills got sharper and my toolsets became more focused due to the advances in malware, I gradually drifted away from using it regularly.  I was pleased recently to find that they are still kicking strong and have recently made available Spybot Search & Destroy 2.0 Beta 4 for public download and testing.  This version offers “Live Protection” by default, performance improvements, and Explorer shell integration.  Check it out!

The ISC Diary handler Chris Mohan posted Safer Windows Incident Response with a reminder of the dangers of incident-response handler’s cross contamination when working on a potentially compromised system.

Windows Incident Response bloggist Keydet89 has some good tips, and touches on incident response items in his New Stuff post from a just a few days ago.

Specifically he calls out to Corey Harrell’s Journey Into Incident Response blog post Linkz 4 Exploits to Malware. In it, Cory gives some perspectives on Harlan’s Malware Detection Checklist.  Checklists like this are a great starting point for incident response.  Granted, every situation is different, and the hardware, software, and network topology that you operate in may require much fine-tuning to dial-it-in for the best signal to noise ratio. But that’s the point, take the time to develop a structured incident response plan/checklist and the investment will pay off when the stress in on…helping guide you and ensuring no stone gets left unturned.

Cory goes on to address alternatives at finding malware, mentioning Mark Morgan over at My Stupid Forensic Blog discussing How to Identify Malware Behavior.  He then leads over to touch on malware analysis via The Hexacorn blogs post Automation vs. In-depth Malware Analysis.

Both Cory’s post and the referenced links reminded me of Mark Russinovich’s most excellent material recently posted at the Sysinternals Site Discussion pages:

Zero Day Malware Cleaning with the Sysinternals Tools (link to PDF): Mark has posted the slides from the highly-attended and well received Blackhat 2011 Workshop he delivered last week, Zero Day Malware Cleaning with the Sysinternals Tools, which demonstrates how to use the Sysinternals tools to hunt down and eliminate malware.

The team at Mandiant really lead the way in the IR community as well. Not only is their business based on incident response, they continue to offer great MANDIANT: Free Software to the IR community. Those tools aid in detection, analysis, and reporting of all kinds of bad-things. 

TZWorks also offers a great selection of specialized (and free) Prototype Downloads for Forensic tools covering areas such as Artifact Analysis, Registry/Event Analysis, NTFS Analysis, Network Utilities, and PE Utilities. And they come in both 32 and 64-bit flavors!

To borrow a concept from the PDCA process, incident response needs to be seen as a continual process; plan for incident detection, do the incident response, check & study your response and findings, and act on that knowledge to improve your future responses.  All of the items mentioned in the links above can contribute to that process.

For a good read, take a look at F-Secure’s post How we found the file that was used to Hack RSA. This is a fantastic example of not being satisfied with the initial response and mitigation, but going the extra mile to hunt down the actual file used in the RSA attack.  In doing so, they discover that while the attack plan may have been quite specialized, the actual attack vector wasn’t so much.

TinyApps bloggist pulls some most excellent fresh finds in considering the question Is it possible to recover data from a drive overwritten with zeros once?  The conclusion of all the linkage sources provided still seems to be pretty much “Nope!”. From the post:

Daniel Feenberg's Can Intelligence Agencies Read Overwritten Data? and Craig Wright's Overwriting Hard Drive Data are. For those who are still confused (or are just fond of pictures), see Disk Wiping - One Pass is Enough - Part 2 (this time with screenshots).

(Note: that last post link as well as an unreferenced Part I post: Disk Wiping – One Pass is Enough both are from the Anti-Forensics blog.)

I’ve also touched on the subject of secure-disk wiping here at GSD in series of posts:

It was in that last post that I mentioned the following:

I read with curiosity the following posts:

With the exception of the Data Sanitization Tutorial (PDF-link) written by the University of California at San Diego Center for Magnetic Recording Research, I haven’t seen very many other official-grade research papers that detail just how effective a single-pass bit-wipe of a drive is in comparison to a 3-pass or even a 35-pass wipe.  Now there’s a new research paper on the block Overwriting Hard Drive Data: The Great Wiping Controversy that seeks to dispel the mythos surrounding multi-pass wipes.

From the heise Security link:

    • Craig Wright, a forensics expert, claims to have put this legend finally to rest. He and his colleagues ran a scientific study to take a close look at hard disks of various makes and different ages, overwriting their data under controlled conditions and then examining the magnetic surfaces with a magnetic-force microscope. They presented their paper at ICISS 2008 and it has been published by Springer AG in its Lecture Notes in Computer Science series (Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: Overwriting Hard Drive Data: The Great Wiping Controversy).
    • They concluded that, after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.

The actual paper itself must be accessed for $ or bought via a book, however the author kindly repackaged the research paper in a recent post at SANS Computer Forensics blog.  The details there should be sufficient for most mortals.

Overwriting Hard Drive Data – Dr. Craig Wright, SANS Computer Forensics, Investigation, and Response blog

Cheers!

--Claus V.

No comments: