Malware Infection

Challenges and Countermeasures

Aditya G Sood , Richard Enbody , in Targeted Cyber Attacks, 2014

8.1.2 Myths About Malware Infections and Protection

There are a number of misconceptions and myths in the industry about malware infections and the protection technologies that underpin the security countermeasures used to fight them. A number of these myths are detailed as follows:

Anti-virus (AV) engines provide robust protection. AV engines are software programs installed on the operating system to prevent the execution of malware and protect legitimately installed applications against infection. AV engines use techniques such as signature matching, heuristics, and emulation. Some believe that AV engines protect the end-user system from all types of attacks and malware. For example, some users feel that if an AV solution is installed, they can surf anywhere on the Internet without getting infected. Unfortunately, such users get infected precisely because of this false sense of security. AV engines fall short of providing robust protection against zero-day attacks, in which attackers use exploits for undisclosed vulnerabilities. Sophisticated malware such as rootkits with administrative access can easily tamper with the functioning of AV engines, rendering them ineffective. In addition, AV engines are not considered a strong security solution against malware classes using polymorphic or metamorphic code, which mutates on every execution.

Deployment of an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) prevents malicious code from entering my network. The majority of IPS and IDS products are signature based, so detecting an infection or malicious traffic requires a signature. But attackers can easily bypass IPS and IDS using techniques such as Unicode encoding, canonicalization tricks, null byte injection, overlapping TCP segments, fragmentation, slicing, and padding [1,2].
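To make the encoding part of that list concrete, here is an added example (not from the chapter) of why a signature applied to raw request bytes misses encoded variants, and why canonicalizing the request the way the target server will interpret it matters. The request paths are constructed, and `naive_match` is a simplified stand-in for a signature engine, not any real IDS product:

```python
"""Encoding-based IDS evasion and canonicalization before matching.

Added example; it is not from the chapter. The request paths are constructed,
and `naive_match` is a deliberately simplified stand-in for a signature engine
that compares raw bytes. The point is that a detector must normalize a request
the same way the target server will interpret it before applying a signature.
"""
import urllib.parse

# The byte pattern a simple signature engine looks for.
TRAVERSAL_SIGNATURE = "../"

# Constructed requests: one plain attack, five encoded variants of it, one benign.
SAMPLE_REQUESTS = [
    "/cgi-bin/../../etc/passwd",          # plain traversal
    "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",  # URL-encoded dots
    "/cgi-bin/%252e%252e/etc/passwd",     # double URL-encoding
    "/cgi-bin/..%2f..%2fetc/passwd",      # only the slash encoded
    "/cgi-bin/..\\..\\etc/passwd",        # backslash separators (IIS-style)
    "/cgi-bin/%c0%ae%c0%ae/etc/passwd",   # overlong UTF-8 encoding of '.'
    "/images/logo.png",                   # benign
]


def naive_match(path: str) -> bool:
    """Signature engine with no normalization: raw substring test."""
    return TRAVERSAL_SIGNATURE in path


def fold_overlong_utf8(raw: bytes) -> bytes:
    """Collapse 2-byte overlong UTF-8 sequences (C0/C1 lead byte) to the
    7-bit character they encode, e.g. C0 AE -> '.' (0x2E)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def canonicalize(path: str) -> str:
    """Normalize a request path the way a permissive server would interpret it:
    bounded repeated percent-decoding (defeats double encoding), overlong UTF-8
    folding, and backslash-to-slash separator normalization."""
    raw = path.encode("utf-8")
    for _ in range(3):  # bounded number of passes, never "decode until stable"
        decoded = urllib.parse.unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    raw = fold_overlong_utf8(raw)
    return raw.decode("utf-8", errors="replace").replace("\\", "/")


def normalized_match(path: str) -> bool:
    """The same signature, applied after canonicalization."""
    return TRAVERSAL_SIGNATURE in canonicalize(path)


def find_evasions(paths):
    """Paths that slip past the naive engine but are caught once normalized."""
    return [p for p in paths if not naive_match(p) and normalized_match(p)]


if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print(f"{p:40} naive={naive_match(p)!s:5} normalized={normalized_match(p)}")
    print("evaded naive engine:", len(find_evasions(SAMPLE_REQUESTS)))
```

The transport-level items in the list (overlapping TCP segments, fragmentation, slicing) attack stream reassembly rather than decoding, but the lesson is the same: the sensor has to reconstruct the data the way the destination host will, or the signature never sees what the host executes.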

Malware is distributed primarily through shady and rogue web sites such as torrent and warez sites. While rogue sites do distribute malware, many far more trustworthy sites also deliver malware. For example, in targeted attacks based on waterholing (refer to Chapter 3), legitimate and highly ranked web sites are infected with malicious code that downloads malware onto user machines through drive-by download attacks. It is hard to flag sites as secure to assure users that they are interacting with legitimate web sites free of malware.

Email filtering mechanisms only allow secure and verified attachments to be delivered with emails. Email filtering is the process of filtering out emails containing malicious attachments and illegitimate links that instantiate infections in the organization's network. As described before (refer to Chapter 3), socially engineered emails are used extensively in targeted attacks. In the corporate world, employees believe that their inboxes receive only secure emails with attachments from verified identities. This is not true, because attackers can employ several tactics, such as combining social engineering with zero-day attacks, to slide malware through enterprise email solutions and successfully deliver malicious emails. The idea is to embed a zero-day exploit inside an attached file that passes through the filter and is delivered to the target. This technique has been seen in a number of recent targeted attacks.

Malware infections are specific to certain operating systems. For example, Mac OS is much more secure than Windows and is less prone to exploitation. This is false. Mac OS also gets infected with malware and has been targeted by attackers, the recent Flashback [3] malware being one of many. In addition, malware families such as DNSChanger [4,5] are platform independent and infect almost all operating systems.

Mobile devices are completely secure. A number of users believe that mobile platforms are secure. That is not true. There has been significant growth in Android-based mobile platforms, and attackers are targeting these devices to steal data. Mobile devices hold a plethora of information that can help to carry out targeted attacks; for example, contact information is stolen from infected mobile devices.

Virtualization technologies are untouched by malware. Virtualization is based on the concept of building security through isolation. Virtualization is implemented using hypervisors, which are virtual machine monitors that run Virtual Machines (VMs). Hypervisors can be bare-metal (installed directly on the hardware) or hosted (installed in the operating system running on the underlying hardware). In virtualized environments, guest VMs are not allowed to access the resources and hardware used by other guest VMs. Virtualization also helps in building secure networks, as access controls can be restricted to target networks. Infected virtualized systems can be reverted to previous snapshots (system state) in a short period of time, as opposed to physical servers. Patching is far easier on virtualized servers, and migration of virtualized servers across infrastructure is easy, which shows how virtualization provides portability. A number of users believe that hypervisors are immune from malware infections. Unfortunately, hypervisor-level malware does exist in the real world. Malware such as Blue Pill [6] is a VM-based rootkit that exploits the hypervisor layer so that it can circumvent the virtualization model. Basically, when Blue Pill-type malware is installed in the operating system, the malware creates a new hypervisor on the fly, and this hypervisor is used to control the infected system, which is now treated as a virtualized system. As a result, it is very hard to detect the malware, as it resides in the hypervisor and has the capability to tamper with the kernel. These are sophisticated attacks that are difficult but not impossible to implement. A large set of users use VMs for critical operations such as banking, which they think provides a secure way of surfing the Internet.
VMs (guest OS) in a network are vulnerable to the same set of attacks as the host OS. In addition, compromising VMs could result in gaining access to other hosts in the network. Several current families of malware are VM-aware, which means they contain techniques that can easily detect whether the malware is running inside a virtual machine or not. Based on this information, the malware can alter its execution flow. Full hardware-based virtualization (host OS kernel is different from the guest OS kernel) prevents malware from gaining access to the underlying host, but the malware can still control the complete guest OS. Partial virtualization (sharing the same OS kernel as the host), in which privilege restrictions are heavily used to manage virtual file systems, can be easily circumvented by malware if the kernel is exploited.

URL:

https://www.sciencedirect.com/science/article/pii/B9780128006047000085

Security component fundamentals for assessment

Leighton Johnson , in Security Controls Evaluation, Testing, and Assessment Handbook (Second Edition), 2020

Containment, eradication, and recovery

"Containment is important before an incident overwhelms resources or increases harm. Most incidents crave containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is conclusion-making (east.yard., shut downward a system, disconnect it from a network, or disable certain functions). Such decisions are much easier to make if at that place are predetermined strategies and procedures for containing the incident. Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly.

Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS assail. Organizations should create dissever containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making." fifteen

"Subsequently an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, likewise equally identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that they can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.

In recovery, administrators restore systems to normal operation, confirm that the systems are functioning ordinarily, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security (e.thousand., firewall rulesets, purlieus router access command lists). Higher levels of system logging or network monitoring are often part of the recovery procedure. Once a resource is successfully attacked, it is frequently attacked once more, or other resource within the organisation are attacked in a like fashion.

Eradication and recovery should be done in a phased approach so that remediation steps are prioritized. For large-scale incidents, recovery may have months; the intent of the early phases should be to increase the overall security with relatively quick (days to weeks) loftier value changes to forestall futurity incidents. The later phases should focus on longer-term changes (e.g., infrastructure changes) and ongoing work to keep the enterprise as secure as possible." 16

URL:

https://www.sciencedirect.com/science/article/pii/B9780128184271000112

Domain 8: Business Continuity and Disaster Recovery Planning

Eric Conrad , ... Joshua Feldman , in Eleventh Hour CISSP (Second Edition), 2014

Disaster Recovery Planning

The Disaster Recovery Plan (DRP) provides a short-term plan for dealing with specific IT-oriented disruptions. Mitigating a malware infection that shows a risk of spreading to other systems is an example of a specific IT-oriented disruption that a DRP would address. The DRP focuses on efficiently mitigating the impact of a disaster and on the immediate response and recovery of critical IT systems in the face of a significant disruptive event. Disaster Recovery Planning is considered tactical rather than strategic and provides a means for immediate response to disasters.

URL:

https://www.sciencedirect.com/science/article/pii/B978012417142800008X

Malware Detection

Harlan Carvey , in Windows Forensic Analysis Toolkit (Third Edition), 2012

Antivirus Scans

Once you've determined and documented which, if any, AV applications had been installed and/or run on the system prior to acquisition, another step you may decide to take is to mount the image as a volume on your analysis workstation and scan it with other AV products. Not all AV applications are created equal; in some instances, I've run multiple big-name AV applications across a mounted image and not found anything. Then after running a freely available AV application, I got a hit for one of the files associated with the malware, and was able to use that as a starting point for further investigation. So, it doesn't hurt to use multiple AV applications in your detection process.

Mounting an acquired image is relatively straightforward, using a number of freely available tools. For example, the ImDisk virtual disk driver ( http://www.ltr-data.se/opencode.html/#ImDisk ) installs as a Control Panel applet and allows you to mount Windows images (NTFS or FAT) read-only on your Windows system. AccessData's FTK Imager version 3.0 ( http://accessdata.com/support/adownloads#FTKImager ) includes the capability to mount images as well. As mentioned in Chapter 3, the "vhdtool.exe" program (available from Microsoft) will allow you to convert a copy of your image to a virtual hard disk (VHD) file and mount it read-only on your Windows 7 system. Regardless of the tool used, the purpose is to make the file system within the image accessible as a drive letter or volume (albeit in read-only mode) on your analysis system.

Once you've mounted the image as a volume, you can scan it with AV scanners in the same manner as you would a "normal" file system. Many AV products permit scans to be configured to run only against specific volumes or drive letters (some even allow you to scan specific directories), making it relatively simple and straightforward to scan only the mounted volume(s). If you do not have access to commercial AV products, there are a number of free AV products available for download and use (be sure to read the license agreement thoroughly!), several of which are simply limited versions of the full commercial AV products (in the sense that they provide scanning but no other capabilities, such as real-time monitoring). For instance, there is a free version of the AVG scanner available at http://free.avg.com , and you have the option to upgrade to a full version of the application that provides additional protection while downloading files or chatting online. Other AV vendors such as Eset (producer of the NOD32 AV product, available at http://www.eset.com ) provide a limited-time trial version of their software; again, be sure that you read and understand the license agreement before using any of these options.

There are a number of other AV products available for use, and many (such as Microsoft's Defender product, mentioned earlier in this chapter) are freely available, while other vendors provide limited-time trial versions of their full, professional products. This part of the chapter is not intended to provide a breakdown or "shootout" among the various available products, but instead to demonstrate that there are options available. The point is that it's always better to run a scan using an AV product that had not been installed on or run on the system, and it's not usually a bad idea to run multiple AV scans using disparate products.

One free, open-source AV product that is very useful and includes a portable (run from a thumb drive) version is ClamWin (see Figure 6.3), found at http://www.clamwin.com .

Figure 6.3. Partial ClamWin v.0.97 portable GUI.

ClamWin can be installed on, updated, and run from a thumb drive, making it a useful option for use across multiple systems without having to install the full application on your analysis system.

Another option available, particularly when specific malware variants are suspected, is micro-scanners. These are not general-purpose AV scanning products, but are instead targeted scanners that look for specific malware variants. One such product is McAfee's Avert Stinger product, available at http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx . Downloading the file and running it on your analysis system opens the user interface (UI) illustrated in Figure 6.4.

Figure 6.4. McAfee's Stinger UI.

If you click on the purple "List Viruses" button in the Stinger UI (see Figure 6.4), a dialog listing all of the malware that the microscanner is designed to detect will be displayed. Again, while not as comprehensive as a more general AV product, microscanners offer a useful capability. At the same time, don't forget other scanner products, such as those specifically designed to detect spyware and adware, as these can also provide some useful coverage. Finally, be sure to document the applications that you do use, as well as their versions and results. Both pieces of information will help demonstrate the thoroughness of your detection process.

AV Write-ups

There's something that I think is worth discussing with respect to malware write-ups from AV vendor companies. These write-ups provide descriptions and a wealth of information about the malware that these companies have found, been given access to, and analyzed. However, there's very often a gap between what incident responders and forensic analysts need to know about malware and what's provided by the AV companies. This gap is due in large part to the fact that AV companies are not in the business of supporting incident responders; rather, they're in the business of supporting their business.

Now, don't take this as an indictment of AV companies, because that's not what I'm doing. What I am saying here is that malware write-ups from AV companies are a good resource, but should be considered within that context, as sometimes they are not complete and do not provide a comprehensive or completely accurate picture of the malware. For example, there is malware that infects files that are "protected" by Windows File Protection (WFP), but often there is no reference to WFP, or to the fact that it was subverted, in the malware write-up. While WFP is not intended as a security or AV mechanism and is easily subverted (code for this is available on the Internet), this fact is important to know, as it may help us detect the malware where the AV product fails, since AV products are most often based on signatures within the malware files themselves and not on specific artifacts left on the system.

Another aspect of malware write-ups that can be confusing is that there's often no differentiation between artifacts produced by the malware infection and those produced by the ecosystem (e.g., operating system, installed applications, etc.) that the malware infects. One example of this is the MUICache key within the Registry; several years ago I found a number of malware write-ups that stated that the malware added a value to this key when it infected a system, when, in fact, the value was added by the operating system based on how the malware was executed in the test environment. Another example is the ESENT key within the Registry on Windows XP systems. When someone asked what this key was used for, Google searches indicated that there were malware samples that modified this key when executed. It turned out that Windows XP systems were mistakenly shipped with a checked (or debug) version of the "esent.dll" file, and the key itself (and all of its subkeys and values) were a result of that debug version of the DLL being deployed on production systems. As such, it wasn't the malware infecting the system that caused the Registry modifications as much as it was the result of the debug version of the DLL. This could be confusing when an analyst was examining a Windows Vista or Windows 7 system and found the malware in question, but did not find a corresponding ESENT key within the Registry.

Warning

Googling

Analysts should beware of conclusively identifying any malware sample as a particular virus based on the name or location of the malicious file, a Registry key used for persistence, etc. There are literally hundreds of thousands of malware samples and variants floating around, and a relatively limited number of autostart/persistence locations, innocuous-looking filenames, etc. that tend to get used and reused by malware authors. Analysts should not base their analysis on "I Googled the filename and this is what I found," as doing so can easily lead to a misidentification of the malware, and an incorrect report of the malware's capabilities provided to a customer.

Remember, the customer is very likely going to have to make some tough business decisions regarding risk and compliance based on your findings, and providing incorrect data about the nature of the malware found on their systems will lead to the wrong decisions being made. In some cases, all it would take is for the intruder to design his malware to use the same filenames and locations as some very well-known malware (perhaps something known to be fairly innocuous) that has completely different functionality and poses a completely different set of risks to infected systems. This would have a significant impact on the information provided to the customer, if the analyst relied on Googling to identify the malware.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597497275000064

Analysis Process

Jack Freund , Jack Jones , in Measuring and Managing Information Risk, 2015

LEF level

If your organization has a reasonable amount of data from past loss events, then you should typically make your LEF (loss event frequency) estimates directly. Examples include malware infections, weather-related events, and hardware failures. For weather-related events especially, we have found it to be a waste of time to attempt to draw the line regarding what represents a threat event. Odds are good that if your organization has been in business for any length of time, it will have weather damage experience to draw from, and if it doesn't, other businesses in the neighborhood will. There is no shortage of these data.

URL:

https://www.sciencedirect.com/science/article/pii/B9780124202313000063

Mobile Device Security

Paul Cerrato , in Protecting Patient Information, 2016

It is estimated that at least 16 million mobile devices were infected with malware in 2014. Alcatel-Lucent found that about half of these malware infections occurred on Android phones and tablets because the digital certificates used to authenticate Android apps are less rigorously controlled. "Since Android apps are usually self-signed and can't be traced to the developer, it's easy to hijack Android apps, inject code into them and then re-sign them," according to one International Business Times report [17]. (Self-signed means the app developer has not purchased a certificate from a Certificate Authority. Some compare self-signing to having a fake driver's license.)

URL:

https://www.sciencedirect.com/science/article/pii/B978012804392900006X

Working Unseen on the Net

Todd G. Shipley , Art Bowker , in Investigating Internet Crimes, 2014

Anonymizing your surfing

For the investigator, there are several web-based methods to anonymize your browsing. The first option to consider is the use of a proxy via a website. A proxy is an agent authorized to act for another. These web anonymizers simply act as a go-between for the investigator's browser and the website that is being investigated. (We will discuss the use of a proxy server, aka proxy firewall or application level gateway, later in the chapter.) There are numerous free and pay websites that can act as a proxy. These sites should be tested out so that you are aware of their functionality before using them during an investigation. Some of the websites allow you to browse successive webpages and some do not. Others will not allow you to conduct certain investigations, such as peer-to-peer (P2P) cases or complete downloads. Some web anonymizers could retain information about the investigator's browser and IP address. Sometimes, web anonymizers, such as Anonymouse.org (http://anonymouse.org/anonwww.html), do not allow you to choose your originating IP address. You get whatever IP address is available, which may or may not be an issue for your investigation. Others, such as Hidemyass.com (http://www.hidemyass.com/proxy/) and Newipnow.com (http://www.newipnow.com/), will allow you to pick from a range of diverse IP addresses. However, even this range may limit your choices to those originating from a particular country, such as the United States. Additionally, some web anonymizers will include ads with their service. Finally, be aware that some web anonymizers will not provide the same look or functionality as a website not being accessed via a proxy (Figure 9.3).

Figure 9.3. How proxying websites work.

Web anonymizers, though, are not without their benefits. Besides hiding the investigator's IP address from the target website, these sites can also reduce the risk of malware infection. The proxy server acting as the web anonymizer is the server that fetches the target page, so if the target webpage carries malicious code, the proxy can prevent it from reaching or running on the investigator's machine. Whether a given service actually strips active content such as scripts, rather than merely rewriting links, varies, so test this before relying on it in an investigation. Additionally, by redirecting your Internet traffic through the anonymizing service's secure servers, your online identity is protected. These servers often use encryption technology similar to that used by the banking industry.

Investigative Tip

Commonly Available Web Anonymizers

Free

Anonymouse.org, http://anonymouse.org/anonwww.html

Hidemyass.com, http://www.hidemyass.com/proxy/

Kproxy, http://www.kproxy.com/

Newipnow.com, http://www.newipnow.com/

Ninja Proxy http://www.ninjacloak.com/

Webwarper.net http://webwarper.net/

Some free proxy websites will provide additional features with a subscription.

Pay for Services

Anonymizer.com, https://www.anonymizer.com/

Proxify, https://proxify.com/

Another method for hiding your activities while on the Internet is through the use of Virtual Private Networks (VPNs). VPNs also act as a go-between for your browser and the website you want to access. However, they have the added benefit of encrypting all the communication between your computer and the VPN provider's servers; from the provider's exit point onward, the traffic is only as protected as the destination site makes it. Some of the same limitations that apply to web anonymizers also apply to VPNs. Many of the web anonymizers also provide VPN service for a fee.

The pay version of Anonymizer found at www.anonymizer.com is an example of a VPN. This program hides your computer's IP address from the Internet and provides an encrypted tunnel (Secure Sockets Layer (SSL)) between your computer and Anonymizer's servers. SSL is the same encryption you see when you do banking or other secure business over the Internet. It also reduces spam and tracking. You can easily toggle the program on and off. Some sites don't like it (e.g., Google), because many users share the same exit addresses and the volume of requests from one address looks to them like an automated or denial of service attack. A simple search for VPN services online will provide a number of available services that can suit the investigator's needs.

Investigative Tip

Commonly Available VPN Services

Anonymizer.com, https://www.anonymizer.com/

BT Guard, http://btguard.com/

Private Internet Access, https://www.privateinternetaccess.com/

Proxy.sh, https://proxy.sh/

TorGuard, http://torguard.net/

TorrentPrivacy, https://torrentprivacy.com

The Good and the Bad of Anonymization

The Good: Freedom of speech, anticensorship, and anonymous tips.

The Bad: Bypassing Internet use policy, abusing organizational resources, and preventing filters from monitoring activities.

The Ugly: Spam, piracy, information and identity theft, cyber-stalking, and hiding terrorist activities (Figure 9.4).

Figure 9.4. Criminal use of multiple layers of anonymity.

URL:

https://www.sciencedirect.com/science/article/pii/B9780124078178000096

Reputation-Based Detection

Chris Sanders , Jason Smith , in Applied Network Security Monitoring, 2014

Malware Domain List

Regardless of the global concerns related to targeted attacks by sophisticated adversaries, the bulk of an analyst's day will be spent investigating incidents related to malware infections on their systems. Because of this, it is pertinent to be able to detect malware at both the host and network level. One of the easiest ways to detect malware at the network level is to employ public reputation lists that contain IP addresses and domain names known to be associated with malware-related communication.

Malware Domain List (MDL) is a non-commercial community project that maintains lists of malicious domains and IP addresses. The project is supported by an open community of volunteers, and relies upon those volunteers to both populate the list and vet it to ensure that items are added to and removed from the list as necessary.

MDL allows you to query its list on an individual basis, or download the list in a variety of formats. This includes CSV format, an RSS feed, and a hosts.txt formatted list. They also provide lists that include only new daily entries, and lists of sites that were once on the list but have since been cleaned or taken offline. MDL is one of the largest and most used reputation lists available.

I've seen many organizations that have had a great deal of success detecting malware infections and botnet command and control (C2) by using MDL as an input for reputation-based detection. The size of MDL can sometimes result in false positives, so an alert generated by a friendly host visiting an entry found on MDL isn't enough by itself to automatically declare an incident. When one of these alerts is generated, you should investigate other data sources and a wider range of communication from the friendly host to try to determine if there are other signs of an infection or compromise.

You can learn more about MDL at http://www.malwaredomainlist.com.
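As an added example of the detection the paragraphs above describe (not code from the chapter or from the MDL project), the following matches a hosts.txt-format reputation list against resolver query logs, flags both queries for listed domains (including their subdomains) and answers pointing at listed IPs, and groups hits per internal host so the analyst has a starting point for the corroboration the text calls for. The list contents and the log lines are constructed samples using documentation and TEST-NET placeholders, not real MDL entries:

```python
"""Reputation-based detection against a hosts-format blocklist such as the
one MDL publishes.

Added example, not code from the chapter or from the MDL project. The list
contents and the resolver log are constructed samples; the domains and
addresses are documentation/TEST-NET placeholders, not real MDL entries."""
import re
from collections import Counter

# Constructed stand-in for MDL's hosts.txt download: "127.0.0.1 <domain>" per
# line, '#' comments. The 'localhost' line is part of the format, not an IOC.
LIST_HOSTS_TXT = """\
# constructed sample in the shape of a hosts.txt reputation list
127.0.0.1  localhost
127.0.0.1  evil-updates.example
127.0.0.1  cdn.badstuff.example
"""

# Constructed IP entries (MDL also lists IP addresses; TEST-NET ranges here).
LIST_IPS = {"192.0.2.44", "198.51.100.7"}

# Constructed resolver log: time, client, query name, answer.
DNS_LOG = """\
2014-03-01T09:12:01 10.1.4.22 q=www.intranet.example a=10.1.0.5
2014-03-01T09:12:07 10.1.4.22 q=update.evil-updates.example a=192.0.2.44
2014-03-01T09:12:09 10.1.4.31 q=cdn.badstuff.example a=203.0.113.9
2014-03-01T09:13:40 10.1.4.22 q=evil-updates.example a=192.0.2.44
2014-03-01T09:14:02 10.1.4.50 q=news.example a=198.51.100.7
"""

LOG_LINE_RE = re.compile(r"^(\S+) (\S+) q=(\S+) a=(\S+)$")


def parse_hosts_list(text: str) -> set:
    """Extract listed domains from hosts-file format; skip comments and the
    hosts-file boilerplate entries that are not indicators."""
    listed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        domain = parts[1].lower().rstrip(".")
        if domain in {"localhost", "localhost.localdomain", "broadcasthost"}:
            continue
        listed.add(domain)
    return listed


def match_domain(name: str, listed: set):
    """Return the listed domain that `name` equals or is a subdomain of, else None.
    Label-wise matching avoids false matches such as 'notevil-updates.example'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None


def scan_dns_log(log: str, listed_domains: set, listed_ips: set) -> list:
    """One alert per log line that names a listed domain or resolves to a
    listed IP. Each alert records why it fired so an analyst can corroborate."""
    alerts = []
    for line in log.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        when, client, qname, answer = m.groups()
        reasons = []
        hit = match_domain(qname, listed_domains)
        if hit:
            reasons.append(f"query for listed domain {hit}")
        if answer in listed_ips:
            reasons.append(f"resolved to listed IP {answer}")
        if reasons:
            alerts.append({"time": when, "client": client, "query": qname,
                           "answer": answer, "reasons": reasons})
    return alerts


def hits_per_client(alerts: list) -> Counter:
    """Group alerts by internal host. Repeated hits from one host are a better
    place to start than a single alert, which by itself is not proof of compromise."""
    return Counter(a["client"] for a in alerts)


if __name__ == "__main__":
    domains = parse_hosts_list(LIST_HOSTS_TXT)
    found = scan_dns_log(DNS_LOG, domains, LIST_IPS)
    for a in found:
        print(a["time"], a["client"], a["query"], "; ".join(a["reasons"]))
    print("hits per client:", dict(hits_per_client(found)))
```

Matching on the whole label chain rather than a substring is what keeps a list this large from flagging look-alike domains, and carrying the reason along with each alert is what lets the analyst decide whether the hit deserves the wider review of the host's traffic that the text recommends.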

URL:

https://www.sciencedirect.com/science/article/pii/B9780124172081000088

Analytics Defined

Mark Ryan M. Talabis , ... D. Kaye , in Information Security Analytics, 2015

Try Before You Buy

The best way to explore the possibilities of simulations in security is through examples. For instance, if a security analyst wanted to see the effect of a virus or malware infection in an organization, how would the security analyst go about doing this? Obviously, the simplest and most accurate solution is to infect the network with live malware! But, of course, we cannot do that. This is where simulations come in. By doing some creative computer modeling, you can potentially create a close approximation of how malware would spread through your organization's information systems.

The same concept can be applied to other scenarios. You can model hacker attacks and couple them with vulnerability results to show their potential effect on your network. This is somewhat akin to creating a virtual, simulated penetration test.
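The following is an added example of the kind of modeling the two paragraphs above describe; it is not from the chapter. It simulates a worm spreading over a small constructed network and compares the outbreak size when every host is vulnerable with the size when a single chokepoint (the app server) is patched. The reachability map, the patch states and the infection rule (each infected host attempts every reachable neighbor once per step and succeeds with probability p against an unpatched host) are all assumptions chosen for illustration:

```python
"""Simulating malware spread over a small network model instead of releasing
live malware.

Added example, not from the chapter. The network, its reachability rules and the
patch states are constructed; the infection model (each infected host attempts
every reachable neighbour once per step, succeeding with probability p against
an unpatched host) is a deliberately simple assumption, not a vendor model."""
import random

# Constructed reachability map: host -> hosts it can reach on the exploited
# service. Workstations are flat on one VLAN; only the app server reaches the DB.
NETWORK = {
    "ws1": ["ws2", "ws3", "ws4", "fileserver"],
    "ws2": ["ws1", "ws3", "ws4", "fileserver"],
    "ws3": ["ws1", "ws2", "ws4", "fileserver"],
    "ws4": ["ws1", "ws2", "ws3", "fileserver"],
    "fileserver": ["ws1", "ws2", "ws3", "ws4", "appserver"],
    "appserver": ["fileserver", "dbserver"],
    "dbserver": ["appserver"],
}

ALL_UNPATCHED = set(NETWORK)                       # scenario A: nothing patched
CHOKEPOINT_PATCHED = set(NETWORK) - {"appserver"}  # scenario B: one host patched


def simulate(network, vulnerable, seed_host, p_infect, rng, max_steps=50):
    """Run one outbreak. `rng` is a callable returning a float in [0, 1);
    passing a constant lets the model be checked deterministically.
    Returns the set of infected hosts and the per-step infected counts."""
    infected = {seed_host}
    timeline = [1]
    for _ in range(max_steps):
        newly = set()
        for host in infected:
            for target in network[host]:
                if target in infected or target not in vulnerable:
                    continue  # already infected, or patched: cannot be compromised
                if rng() < p_infect:
                    newly.add(target)
        if not newly:
            break
        infected |= newly
        timeline.append(len(infected))
    return infected, timeline


def expected_infections(network, vulnerable, seed_host, p_infect, trials=500, seed=1):
    """Monte Carlo estimate of the mean final outbreak size (seeded for repeatability)."""
    rng = random.Random(seed).random
    total = 0
    for _ in range(trials):
        infected, _ = simulate(network, vulnerable, seed_host, p_infect, rng)
        total += len(infected)
    return total / trials


if __name__ == "__main__":
    for label, vuln in (("all unpatched", ALL_UNPATCHED),
                        ("app server patched", CHOKEPOINT_PATCHED)):
        est = expected_infections(NETWORK, vuln, "ws1", p_infect=0.3)
        print(f"{label:20} mean hosts infected from ws1: {est:.2f} of {len(NETWORK)}")
```

The value of even a toy model like this is in what it isolates: with the app server patched, the database can never be reached from the workstation VLAN no matter how aggressive the malware is, which is the same question a tabletop exercise or a penetration test would ask, answered without touching production.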

URL:

https://www.sciencedirect.com/science/article/pii/B9780128002070000010

Malware Detection

Harlan Carvey , in Windows Forensic Analysis Toolkit (Fourth Edition), 2014

Additional detection mechanisms

In addition to the various detection techniques we've discussed so far, there are a number of other locations within an image that you can look at for indications of a malware infection, for instance, looking for unusual Scheduled Tasks, either the actual .job files in the Tasks directory or those listed in the Scheduled Tasks log file (SchedLgU.txt) for Windows XP and 2003, and the Microsoft-Windows-TaskScheduler/Operational Event Log on Windows Vista systems and beyond (discussed in Chapter 4).

Tip

AT Jobs

Scheduled tasks created using the native at.exe utility are often used by intruders to install malware on, or execute other processes on, a system. While Administrator privileges are required to create these scheduled tasks, the tasks themselves run with elevated privileges. Within most infrastructures, at.exe is not commonly used for routine system administration, and as such, the existence of scheduled tasks named "at1.job," "at2.job," etc. would merit a closer look.

We've discussed malware that uses a Windows service as a persistence mechanism and other artifacts associated with services. Another place you might want to look is the System Event Log (discussed in detail in Chapter 4), for indications of services being started (event ID 7035) with a user security identifier (SID) rather than a system SID. Services are normally started by LocalSystem (SID: S-1-5-18), LocalService (SID: S-1-5-19), NetworkService (SID: S-1-5-20), or similar accounts (depending upon their configuration), so services (especially the PSEXESVC service) started by a user account are definitely worth a closer look. Also, services normally start when the system is booted; services that are started hours or days after a system start may also indicate something suspicious.

Another location within the file system where you may find indications of malware is the Temp directories, either the Windows Temp directory (C:\Windows\Temp) or the Temp directory within the user profile. Further, the Tasks folder (C:\Windows\Tasks) is often used to store malware or as a location from which to conduct operations, as this is one of the "special" Windows folders whose true contents are not visible when viewed via Windows Explorer. The same is true for the Fonts (C:\Windows\Fonts) folder, as well as the Recycle Bin. With these folders, the true contents can be seen from the command line, using the "dir" command.
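The checks above lend themselves to automation against exported data. The following is an added example, not the author's code, that runs the three of them (at.exe jobs, 7035 start controls sent by a user SID or long after boot, and executables in Temp, Tasks, Fonts and the Recycle Bin) over a constructed CSV export of System Event Log records and a constructed listing of a mounted image. The one-hour "late start" threshold and the set of executable extensions are assumptions to tune per case:

```python
"""Triage of a System Event Log export and a file listing for the indicators
named above: at.exe jobs, services sent a start control (event ID 7035) by a
user SID or long after boot, and executables in Tasks, Fonts, Temp and the
Recycle Bin.

Added example, not the author's code. SYSTEM_EVENTS_CSV and FILE_LISTING are
constructed samples in the shape of an event log export and a walk of a mounted
image; the one-hour 'late start' threshold is an assumption to tune per case."""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed export. 6005 = "The Event log service was started" (boot marker);
# 7035 = Service Control Manager sent a start control to a service.
SYSTEM_EVENTS_CSV = """\
time,event_id,source,user_sid,message
2012-02-10T08:00:03,6005,EventLog,S-1-5-18,The Event log service was started.
2012-02-10T08:00:09,7035,Service Control Manager,S-1-5-18,The Windows Update service was successfully sent a start control.
2012-02-10T08:00:10,7035,Service Control Manager,S-1-5-19,The Windows Time service was successfully sent a start control.
2012-02-12T23:41:17,7035,Service Control Manager,S-1-5-21-1004336348-1177238915-682003330-1004,The PSEXESVC service was successfully sent a start control.
2012-02-12T23:42:05,7035,Service Control Manager,S-1-5-18,The svchlp service was successfully sent a start control.
"""

# Constructed file listing from a mounted image.
FILE_LISTING = [
    r"C:\Windows\Tasks\At1.job",
    r"C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job",
    r"C:\Windows\Fonts\arial.ttf",
    r"C:\Windows\Fonts\svchost.exe",
    r"C:\Windows\Temp\~tmp3f.tmp",
    r"C:\Windows\Temp\msupd.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\wuauclt.dll",
    r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1004\svc.exe",
    r"C:\Program Files\Example\app.exe",
]

SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # LocalSystem, LocalService, NetworkService
SERVICE_NAME_RE = re.compile(r"^The (.+?) service was successfully sent a start control")
LATE_START = timedelta(hours=1)  # assumption: legitimate services start within minutes of boot

AT_JOB_RE = re.compile(r"^at\d+\.job$", re.I)
TASKS_DIR_RE = re.compile(r"^[a-z]:\\windows\\tasks\\", re.I)
HIDING_DIR_RE = re.compile(
    r"^[a-z]:\\(?:windows\\(?:tasks|fonts|temp)\\"
    r"|\$recycle\.bin\\|recycler\\"
    r"|users\\[^\\]+\\appdata\\local\\temp\\"
    r"|documents and settings\\[^\\]+\\local settings\\temp\\)",
    re.I,
)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".sys")


def review_service_starts(csv_text):
    """Return (service_name, reasons) for each 7035 record that merits a closer look."""
    findings = []
    last_boot = None
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["time"])
        event_id = int(row["event_id"])
        if event_id == 6005:
            last_boot = when  # treat the event log service start as the boot time
            continue
        if event_id != 7035:
            continue
        m = SERVICE_NAME_RE.match(row["message"])
        service = m.group(1) if m else row["message"]
        reasons = []
        if row["user_sid"] not in SYSTEM_SIDS:
            reasons.append(f"start control sent by user SID {row['user_sid']}")
        if service.upper() == "PSEXESVC":
            reasons.append("PsExec service: remote execution on this host")
        if last_boot is not None and when - last_boot > LATE_START:
            reasons.append(f"started {when - last_boot} after boot")
        if reasons:
            findings.append((service, reasons))
    return findings


def review_file_listing(paths):
    """Return (path, reason) for at.exe jobs and for executables in folders whose
    contents Explorer hides or that malware commonly uses as a drop location."""
    findings = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if TASKS_DIR_RE.match(path) and AT_JOB_RE.match(name):
            findings.append((path, "scheduled task created with at.exe"))
        elif HIDING_DIR_RE.match(path) and name.lower().endswith(EXEC_EXT):
            findings.append((path, "executable in Temp/Tasks/Fonts/Recycle Bin"))
    return findings


if __name__ == "__main__":
    for service, reasons in review_service_starts(SYSTEM_EVENTS_CSV):
        print(f"[service] {service}: {'; '.join(reasons)}")
    for path, reason in review_file_listing(FILE_LISTING):
        print(f"[file] {path}: {reason}")
```

Each finding carries its reason so that the output can go straight into the case notes; a start control sent by a domain user SID two days after boot for a service named PSEXESVC is three independent reasons to look, and documenting all three is what demonstrates the thoroughness of the process.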

As with many of the techniques that we've described so far in this chapter, none of them provides us with 100% guaranteed detection of malware. However, we can correlate the output from multiple techniques and use them to perform data reduction and address the potential for malware being on the system you're analyzing. Remember that there are no silver bullets in information security and digital forensics, but by automating the use of multiple techniques to look for different artifacts of malware, from different perspectives, the goal is to provide enough coverage to minimize the chance of the malware avoiding detection. We should never expect to completely eliminate the possibility of a system being infected, but what we can do is continually improve our process and checklist, and perform as complete and thorough an assessment as we can.

URL:

https://www.sciencedirect.com/science/article/pii/B9780124171572000060