Hello, Cybrarians, and welcome back to Incident Response and Advanced Forensics. My name is Max Alexander, and I'll be your subject matter expert for today's lesson, malware incidents. We're going to talk about some of the common ways to examine malware and then to remediate malware. This is probably going to be something that you're going to face a lot of the time, most of the time, when you're doing incident response. And, of course, forensics is going to tie into the malware analysis for remediation as well.
So, again, as we talked about, malware is going to be a very common incident, probably something that you're going to have to deal with almost every other day. Malware could be just annoying, or it could be very serious: key logging, ransomware, or remote access. Varying types of malware, various types of results.
The best-case scenario for your malware is that your antivirus is going to notify the user or admin that it quarantined some type of program. So hopefully all you're going to have to do is ensure that the antivirus did its job, and then go back in and see how the malware got onto your system and what actions the antivirus took, to ensure that nothing nefarious happened to your system.
Worst case, more than likely an end user might notify you that he's going to have to pay $500 in Bitcoin to someone in Russia to unlock his files. Or you're going to have a serious malware incident that spreads throughout your network, such as has recently happened among hospitals in the U.S. and Canada, where they've had to pay upwards of $17,000 to Russian hackers. So, best case, worst case: best case, nothing really happens. Worst case, you're having to call in your attorneys, you're having to call in a remediation specialist, because something went very, very wrong that day.
Analyzing malware. So when we get malware on our systems, one of the first things that we want to do is figure out what it is, what it does, how did it happen, and go headfirst into this battle against the person who's trying to attack our systems. The biggest takeaway from this is: do not analyze malware on your own system without taking precautions to ensure that it will not spread to your system, or to other places in your network where it has not already been. Since you're generally going to be higher-level admins working in the network environment, if the malware were to get loose on your system, it has essentially a foothold into something a lot greater than it would have on a regular user system. But bottom line: don't make the incident worse. Take precautions to ensure that you're protecting your network at all times.
Ideally, what you want to do is set up some type of virtual machine, or use a standalone offline system, to analyze any type of malware that you have. Now, both of those have their advantages and disadvantages. A virtual machine is great: you can easily go back and reconfigure that machine to an earlier state. An offline system allows you to look at the malware more or less in its native environment. Oftentimes, some malware will know that it is executing in a virtual machine, and it will not behave as it would if it were on a normal system. So there are some pros and cons there.
Now, this is not going to be an all-inclusive guide to analyzing malware; it will provide some of the broad brush strokes, and then we can talk later on, in other courses, about doing that deep dive into malware analysis. But this will provide a good overview of some of the steps that you, the incident responder, can take to figure out what type of malware you have and what it's doing to your networks.
So when we're looking at malware, there are essentially going to be four stages of malware analysis, and as you can see from our nice infographic here, down at the very bottom of that pyramid is your automated analysis. That's going to be your lowest level and your easiest way to do your malware analysis. Then, moving up in difficulty to the top of the pyramid, we go from static analysis to dynamic analysis, all the way up to reverse engineering.
Now, all of these processes have their strengths and weaknesses. Automated analysis, which we're going to talk about next, is very fast; it's automated. The biggest drawback to automated analysis is that, one, you're generally uploading files to the Internet, and by uploading those files, a potential attacker could be tipped off that you are uploading those files and that you have detected whatever it is he is trying to do on your system. So that is one of the disadvantages of automated analysis. And then, obviously, as we work our way up the pyramid in that level of difficulty, the harder it is: you have to be essentially trained on how to do some of these tactics, techniques and procedures for looking at that malware at a deeper level.
The first thing we're going to talk about is the difference between static and dynamic analysis. We know what automated analysis is: we're going to upload a file, and a program is going to come back and produce some type of result. However, for static and dynamic analysis, the first step is essentially going to be running an antivirus on that suspected malware file.
Before we do anything, we essentially want to know if someone else already knows something about this file. This just prevents us from having to do extra work. If someone has already done the work for us, there's no need to go back in and reinvent the wheel, and it can shorten the time that we need for analysis. If we're not able to determine anything about the file from that analysis, the next step is essentially to hash that file: get an MD5 or SHA-1 checksum, and then we can upload that to other programs.
One of the more common ones that you can upload to is VirusTotal. VirusTotal offers a great API, a virus scanner, and a Windows-based uploader that you can upload these files to. It will analyze the information from numerous antivirus services to provide you some type of result, and then VirusTotal can also scan your URLs, domains and IPs. So it's a pretty powerful tool. It scans, I think, fifty-something antivirus providers. Again, though, the problem with VirusTotal is that you're uploading a file to the Internet, and that could tip off the attacker that you are on to whatever it is that he was doing. So you're going to end up having to weigh the pros and cons of uploading these things, because depending on the environment that you're in, you may not want to provide those tip-offs to your potential adversary.
So going back to that very bottom level of the pyramid, the automated analysis: your automated tools are great. They're fast for on-the-fly analysis, they can save a lot of time, and they can provide an overview of the virus that you have and its capabilities, so that you can decide essentially where to focus more of your attention and efforts. And then I've listed a couple of the automated analysis tools here. There are at least six or seven out there; there are probably more. The good thing about using more than one is that they all do different things. So there are certain file analysis programs, such as File Analyzer, that look specifically at files, and then there are other types of systems, such as malwr (M-A-L-W-R), that can take different types of submissions. There's a document analyzer that looks specifically at documents. So each of these has its own strengths and weaknesses, and it's good to at least hit one or two of these to help confirm some of the answers that you might be getting from another automated analysis provider.
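The hashing step described in the lesson, as an added worked example; this is my code, not the instructor's or Cybrary's. It computes MD5, SHA-1 and SHA-256 for a sample, chunked from disk so a large file never has to be fully loaded, and checks the digests against a local list of already-attributed hashes before the file itself is sent anywhere. The sample bytes, the `KNOWN_HASHES` table and its verdict string are constructed placeholders, not real malware or real indicators.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Constructed stand-in for a quarantined sample; it is just placeholder bytes,
# not malware. Point hash_file() at the real quarantined file when triaging.
SAMPLE_BYTES = b"MZ\x90\x00 constructed placeholder bytes for a suspicious file\n"


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return MD5, SHA-1 and SHA-256 hex digests of an in-memory sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file on disk in chunks, so a large sample is never fully loaded into memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


# Constructed local hash list: digests that your AV vendor, a previous incident,
# or a hash-only lookup have already attributed. Keyed by lowercase hex digest.
KNOWN_HASHES: Dict[str, str] = {
    hash_bytes(SAMPLE_BYTES)["sha256"]: "quarantined by AV on 2 hosts (constructed verdict)",
}


def triage(digests: Dict[str, str], known: Dict[str, str]) -> Dict[str, str]:
    """Check every digest against what is already known before the file leaves the network.

    A match means someone has already done the work, so no upload is needed. No match
    means the next cheap step is a hash-only lookup; uploading the file itself is the
    last resort, since that is what can tip off the attacker.
    """
    for algo, digest in digests.items():
        verdict = known.get(digest.lower())
        if verdict is not None:
            return {"status": "known", "matched_on": algo, "verdict": verdict}
    return {"status": "unknown", "next_step": "hash-only lookup before any file upload"}


def demo() -> Dict[str, str]:
    """Write the constructed sample to a temp file, hash it from disk and triage it."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        digests = hash_file(path)
        # Chunked file hashing must agree with the in-memory digests.
        assert digests == hash_bytes(SAMPLE_BYTES)
        return triage(digests, KNOWN_HASHES)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Run it as a script and it prints the triage result for the constructed sample. The ordering matters for the tipping-off problem the lesson raises: a local hash match costs nothing, a hash-only lookup against a service such as VirusTotal reveals only a digest, and the file upload that can expose your investigation is left for samples nobody has seen.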