SANS Digital Forensics and Incident Response Blog

Digital Forensic Case Leads: Malware hunting

Incident responders and digital forensics investigators are on the front-lines in the battle against malware. We need good intelligence for tracking its origins and command and control structures. This intelligence can help us limit malware's access to our networks and help us find it. When we do find it, we need good tools for eradicating it. For this week's Case Leads, I've been looking into some resources and tools that can aid in these efforts.
Tools:

  • First up, a new, to me, malware removal tool called Malwarebytes. As I said, it's new to me, and I've only done a little playing around in the lab, but I've been told by others that it works great. I'm blocking out some time to delve into the tool more extensively and will have more to say about it then.
  • Two sites that provide lists of sites known to be distributing malware, http://www.malwaredomains.com/ and http://www.malwaredomainlist.com/. Use these lists how you see fit. Be careful out there.
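One way to put such a list to work on the defensive side is to match it against your own resolver logs. The following is an added example, not code from the original post or from either site: it assumes a plain one-domain-per-line list (with `#` comments) and BIND-style query log lines, both constructed here as sample data, and it treats a query as a hit when the name equals a listed domain or is a subdomain of one.

```python
"""Match DNS query log lines against a malware-domain blocklist (added example)."""
from __future__ import annotations

import re

# Constructed sample blocklist: one domain per line, '#' starts a comment.
# This is NOT the real feed from malwaredomains.com or malwaredomainlist.com;
# check each feed's documented format before parsing it.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real feed
bad-example.test
Evil-Downloads.example.
dropzone.invalid   # trailing comment, mixed case and dots are normalized
"""

# Constructed sample resolver log lines; a BIND-style
# "client IP#port: query: NAME IN TYPE" layout is assumed.
SAMPLE_LOG = """\
29-Apr-2010 14:51:02.113 client 10.0.0.5#53121: query: www.bad-example.test IN A +
29-Apr-2010 14:51:03.201 client 10.0.0.7#40012: query: update.example.com IN A +
29-Apr-2010 14:51:04.555 client 10.0.0.9#53001: query: EVIL-DOWNLOADS.EXAMPLE IN AAAA +
29-Apr-2010 14:51:05.000 client 10.0.0.5#53122: query: notbad-example.test IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_blocklist(text: str) -> set[str]:
    """Read a one-domain-per-line list, ignoring blank lines and comments."""
    domains: set[str] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            domains.add(normalize(entry))
    return domains


def matches(qname: str, blocklist: set[str]) -> str | None:
    """Return the listed domain that qname equals or sits under, else None.

    Suffix matching is done label by label, so 'notbad-example.test'
    does not match 'bad-example.test' (a naive endswith() would).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(log_text: str, blocklist: set[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_list_entry) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        hit = matches(m["qname"], blocklist)
        if hit:
            hits.append((m["client"], normalize(m["qname"]), hit))
    return hits


if __name__ == "__main__":
    for client, qname, entry in scan_log(SAMPLE_LOG, parse_blocklist(SAMPLE_BLOCKLIST)):
        print(f"{client} queried {qname} (listed as {entry})")
```

The per-label suffix check matters in both directions: it catches hosts under a listed domain, but it also means a list entry for a widely shared parent domain will flag everything beneath it, so treat hits from public lists as leads for triage rather than as grounds for automatic blocking.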

Good Reads:

Coming Events:

Those interested in signing up for vLive 408: Computer Forensic Essentials starting in June 2010, please use the following code to receive a 25% discount when you sign up!

The code is IN408A.

http://www.sans.org/vlive/details.php?nid=20703

If you have suggestions for the Digital Forensics Case Leads posts, please email them to caseleads@sans.org.

Digital Forensics Case Leads for 200100429 was compiled by Dave Hull, SANS Community Instructor, recovering web app sec guy, now focusing on IR and forensics in the Fortune 500.

3 Comments

Posted April 29, 2010 at 2:51 PM

gregorypendergast

Speaking of intelligence, it can often be helpful to know what others see originating from our networks. Sometimes this comes haphazardly through emails to our "abuse@" addresses. But another useful tool I recently discovered is the ASN/Netblock Reporting Service offered by Shadowserver.org. ( http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork )
If your organization "directly owns or controls network space," you can register to receive reports from Shadowserver.org regarding malicious activity they see pertaining to your organization's network space. The link above explains what they monitor and report on. This is a useful supplement to an organization's internal monitoring, especially if said monitoring is budget-crippled or otherwise immature.

Posted April 29, 2010 at 6:46 PM

Dinos

There is another malware database, with website listing from pareto logic at http://mdl.paretologic.com/ . Not too many sites are listed but there are files for analysis.

Posted July 28, 2010 at 1:25 PM

Kasey Clark

Another good utility I use for Malware analysis is Kaspersky Rescue Disk. It's a pre-boot environment that is built with a TON of NIC drivers so it can phone home and update the database before it runs. I have had one instance where it didn't delete a temp folder on the root of the C:\ Drive, but other than that it has been a solid solution. I usually use a combination of Kaspersky Rescue Disk + Malware Bytes if I can't clean it manually.