Monday, 15 April 2013

Is it infected?

How do you know if a system is infected with malware?

This question is important to journalists, testers and other reviewers of anti-malware software.

The security product may claim to have defeated the threat but you need to dig down into the system using forensic tools to be sure that it has succeeded.

The following links and notes are intended for the journalists who attended Kaspersky Lab's reviewers workshop this week:

Wireshark
http://www.wireshark.org/download.html
http://wiresharkdownloads.riverbed.com/wireshark/win32/Wireshark-win32-1.8.6.exe
http://wiresharkdownloads.riverbed.com/wireshark/win64/Wireshark-win64-1.8.6.exe

CaptureBAT
https://www.honeynet.org/node/315
https://www.honeynet.org/files/CaptureBAT-Setup-2.0.0-5574.exe

>> CaptureBAT.exe -l demo.txt -n -c

Autoruns

http://technet.microsoft.com/en-US/sysinternals


WinPrefetchView
http://www.nirsoft.net/utils/win_prefetch_view.html
http://www.nirsoft.net/utils/winprefetchview.zip

Volatility
https://code.google.com/p/volatility/
https://volatility.googlecode.com/files/volatility-2.2.standalone.exe

>> volatility-2.2.standalone.exe -f stuxnet.raw pslist

>> volatility-2.2.standalone.exe -f stuxnet.raw psscan

>> volatility-2.2.standalone.exe -f stuxnet.raw psxview

Malware Analyst's Handbook
http://www.malwarecookbook.com
http://goo.gl/7gONZ (specific page on Amazon.com)

Stuxnet analysis
http://mnin.blogspot.co.uk/2011/06/examining-stuxnets-footprint-in-memory.html