Finding Malware Like Iron Man Slide Decks

Friday, July 12, 2013 Posted by Corey Harrell
This year I decided to step out of my comfort zone by presenting at conferences. I’m not a public speaker but I wanted to reach an audience beyond jIIr to provide information that may be helpful to combat malware. Specifically, a triage technique I have been using to find malware extremely fast (in less than 15 minutes). Below are my CFPs and links to the slide decks for the talk I gave at the SANs Digital Forensic and Incident Response Summit and New York State Cyber Security Conference.
FYI, both presentations are pretty much the same except for the lead in to the triage technique. I tailored that to the audience.

Finding Malware Like Iron Man – SANs DFIR Summit Version

When confronted with a system impacted by unknown malware time is of the essence. Triage needs to be done, information technology units need guidance, and the business needs to get back up and running. Questions have to be answered quickly: is the system infected, what malware is involved, and how did the infection occur in the first place. The available triage options all take time: scanning with antivirus, dumping and analyzing memory, performing live analysis, or performing a full post mortem examination. Mass malware makes triage even more challenging with new variants being released at a pace faster than signatures and IOCs are generated.
This presentation discusses how to perform triage on a system infected with malware in three examination steps. Within minutes not only can the majority of malware be detected but the initial infection vector can be identified as well. Topics will include: malware indicators, program execution artifacts, auto-start extensibility points (ASEPs) artifacts, and NTFS artifacts and then there will be a mock case study tying everything together.
Finding Malware Like Iron Man – SANs DFIR Summit Version slide deck can be downloaded from: PDF format or viewable online

Finding Malware Like Iron Man – NYS Cyber Security Conference Version

There are several common misconceptions about malware. One being that malware is just a nuisance, and is usually the product of bored teenagers sitting in their bedrooms. As a result, the typical response to a malware incident is to reimage, rebuild, and redeploy. The primary focus of this response is getting the system back into production as quickly as possible. Analysis of the malware and further research on the system is not a priority or goal.
Malware is not a nuisance or a minor disruption; it can pose significant risks to an organization. Malware is a tool that is leveraged by numerous threat groups to accomplish specific goals. When malware impacts a system the system does not become sick, it becomes compromised, and our incident response processes need to reflect this accordingly.
Root case analysis needs to be performed on systems impacted by malware to improve decision making. Questions need to be answered including: how did this happen, when did it happen, what (if anything) was taken, were we targeted, or what can be done to mitigate this from re-occurring. By re-imaging and re-deploying malware infected systems we no longer answer these questions, and we lose critical intelligence to better protect our organizations. The first step in root cause analysis is locating the malware.
In this technical presentation Corey will discuss three steps to locate malware on a computer running the Windows operating system. The topics will include the following: what is malware, why perform root cause analysis, program execution artifacts, persistence mechanism artifacts, NTFS artifacts, and freely available tools.
At the conclusion of the presentation, attendees will know how to perform three specific examination steps that help to identify common artifacts that point to where malware is located on the infected system.
Finding Malware Like Iron Man – NYS Cyber Security Conference Version slide deck can be downloaded from: PDF format or viewable online
  1. Anonymous

    Nice slides. I really like the approach as these are indeed the real thing. Im hoping that you will do one(1) case in your post that will run through all the things in the slide with actual malware investigation, just to get a bigger picture in an actual malware case.

  2. That was absolutely excellent. I will be referring back to this a lot!

  3. Anonymous

    Great slides. IR newbie here - such practical examples are very helpful.

    Sometimes committing DFIR blasphemy and hunting down malware on a live system is needed. A pre-built mobile toolkit (e.g. on a CDROM or a folder that contains all dependencies and can run on the target system) would be very useful in such cases. Is there any documentation on building such a mobile toolkit with the tools you used?

  4. @anon

    I'm not aware about any framework that integrates the tools in this presentation. Personally, I have all the tools on a thumb drive and run them against the data I collect with these scripts

  5. Anonymous

    Corey, This is great stuff and I will be using this info going forward.
    In on of earlier posts you mentioned that in order to practice you first need to install malware on the system; I wanted to ask if you know of a resource where you can obtain infected images but more importantly it has IR solutions that you can look at to compare your results?

  6. @anon,

    I'm not aware about any publicly available images of systems infected with malware. However, it's pretty easy to create your own to improve your skills. One of my next posts I'm going to outline how I progressed with creating test images of infected systems. My plan is to make it easy for others to replicate so even if you can't find any public images at least you can create your own

  7. Anonymous

    Hi Mr Harell,
    I'm newbie in IR and my problem that all versions of your tools that I downloaded (auto_rip-7-21-2014 & autorip_08-26-13) behave as such 64bit and this desappointed me. Does your tool works only in 64bit systems???
    I need help. Thanks for your attention on my post!!!

  8. @anon,

    The executable is only available in 64-bit versions. However, you can install Perl and run the Perl version on both 64 and 32-bit systems.

Post a Comment