Comments on Journey Into Incident Response: Malware Root Cause Analysis

Sabin Ranjit (2015-05-23 11:28 -04:00):

Hi Corey,

Great post. It seems like a server of mine got infected, as the md5sum of the /bin/ps file doesn't match up with the original one and that file has been marked as malicious by Avast AV on my Windows PC. Are there any tools I can use to analyse my Linux server to find the entry point of that malware?
Pointing me to articles regarding my question will also be very helpful. Thanks.

Corey Harrell (2012-08-04 22:05 -04:00):

@anon,

Thanks for the comment; it took a bit to respond since I was reading a few things about what you mentioned.

First, I really enjoy reading the Microsoft security reports because they provide a wealth of information. I missed the report you mentioned but read it once I saw your link. It was good, by the way. We are both talking about the same issue but doing it from different perspectives. I think this is the main difference between your report and what I'm talking about. The report, like most Microsoft or other security reports, comes from the malware analysis perspective: looking at understanding malware once it is already on a computer. Don't get me wrong, the malware analysis perspective is needed and I enjoy reading about it. However, my perspective is coming from the malware forensics side of the house: looking at a system to find the malware and determine how it got there. Your report even mentions on page 12 "the actual method of infection is very difficult to determine without performing forensic work on each computer". The comment was made in reference to the MSRT detections, but that's the point of the Compromise Root Cause Analysis Model: to help those performing forensic work to determine the actual method of infection.

I never tried to compare my model against others such as VERIS. Thinking about it, I don't think it's comparable to any model. The other models may be helpful by providing a language to describe security incidents. To me they aren't much help in telling me whether malware on the system came from a drive-by targeting Java, a malicious email attachment, or a network share. This is where the Root Cause Analysis Model comes into play; it helps to answer the "how" of a security incident: how it occurred.

Anonymous (2012-08-04 12:13 -04:00):

Hi Corey,

Very interesting stuff. How would you compare this to VERIS or the work on malware root cause analysis that I did in http://download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA-2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_Zeroing_in_on_Malware_Propagation_Methods_English.pdf ?

Corey Harrell (2012-07-30 16:54 -04:00):

Harlan,

I wanted to know the same thing when I went back over the case for this post. I did my analysis in January 2012 and I first learned about the shim cache in April 2012 when Mandiant's post came out about it. The shim cache would have been useful since the prefetch files didn't show the malware executing or provide additional timestamps. Unfortunately, the only thing I held onto from the case was the exploit, my timeline, and my notes.

H. Carvey (2012-07-30 12:17 -04:00):

Corey,

I'd be interested in knowing if anything appeared in the shimcache data...

H. Carvey (2012-07-30 08:31 -04:00):

Corey,

Great stuff! This really goes a long way toward helping to codify and document the root cause of an incident. Thanks so much for sharing this insightful, well written, and well thought out post.