
Virus Auditing?


8 replies to this topic

#1 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,956 posts
  • Location:QLD

Posted 20 July 2016 - 11:05 AM

Hey guys, just curious what tools companies use to actually assess what a virus does.

 

for example, this recently did the rounds:

https://www.reverse....tId=100&lang=id

 

I'd never have caught all the OLE objects and what not without that sort of assessment.

 

Surely they're using a tool\toolbox of some kind, they can't be doing this manually?


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#2 Rybags

Rybags

    Immortal

  • Super Hero
  • 34,805 posts

Posted 20 July 2016 - 11:57 AM

It'd be much the same as reverse engineering a piece of code you've lost the source for or want to analyse (competitors) how it works.  Also similar to cracking games and software - often you're trapping system calls and looking for the unusual or stuff that just doesn't look like it belongs there.

 

Of course for stuff like VBScripts and Office Macros it's just sitting there in front of you ready to analyse.

 

Supposedly in older times they had quarantined machines where they'd run suspicious software on but I imagine these days the paranoia isn't really required as you could use virtualisation and sandboxing to ensure you don't pollute your infrastructure.

 

I think a big part of clamping down on viruses is that so many of them are just produced by amateurs and just evolutions or modifications of stuff that's already out there.  Which means in some cases heuristics flag them before you even bother to start deeper analysis.



#3 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,956 posts
  • Location:QLD

Posted 20 July 2016 - 03:02 PM

So there's no more 'advanced' version of... say...... the oldschool "Norton Cleansweep" which will monitor keys, files and hooks and report back?

 

I can understand if there's not, I just really expected a toolbox.


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#4 Rybags

Rybags

    Immortal

  • Super Hero
  • 34,805 posts

Posted 20 July 2016 - 03:36 PM

I suppose you could assess what a virus does by extensive before/after analysis where you have a snapshot of system + registry files but it would be a pretty drawn out process and vague in its findings.

 

Given that the actual virus and even for stuff like malware/keyloggers the "payload" as in the actual tacked on part doing the nasty stuff is usually not a huge program, it's entirely feasible to just isolate it and dissect it down to the machine instruction level.  Such a thing would be necessary given that some nasties are time/date dependent for their activation, or rely on random event or certain number of executions before they do their thing.
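The before/after snapshot approach described above, as an added example that is not part of the original post: it hashes every file under a directory, takes a snapshot before and after a run, and reports which paths were added, removed or modified. The diff function works on any key/value mapping, so the same comparison applies to an exported registry hive parsed into a dict (an assumption about how you would feed registry data in); the small tree it snapshots and mutates is constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff_snapshots(before, after):
    """Classify differences between two {key: value} snapshots
    (file hashes here; a parsed registry export works the same way)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys()
                           if before[k] != after[k]),
    }


def demo():
    """Constructed sample: a tiny tree is snapshotted, changed, snapshotted again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ constructed stand-in")
        (root / "config.ini").write_text("timeout=30\n")
        before = snapshot(root)
        # Changes standing in for what a run under observation might leave behind
        (root / "config.ini").write_text("timeout=30\nautorun=1\n")        # edited
        (root / "bin" / "helper.dll").write_bytes(b"MZ constructed drop")  # dropped
        (root / "bin" / "app.exe").unlink()                                # deleted
        after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real analysis box you would snapshot the directories and hives you care about before the sample runs and again afterwards, and read the three lists as the starting point for a closer look.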



#5 SquallStrife

SquallStrife

    Really knows where his towel is

  • Atomican
  • 17,936 posts

Posted 20 July 2016 - 07:52 PM

Yeah, there is plenty of business-oriented intelligence software for this sort of thing.

Splunk is the popular one right now, and it has a free tier.

http://www.splunk.com/
Waiting for half past four!

#6 ArchangelOfTheLamb

ArchangelOfTheLamb

    Learner

  • Quark
  • 32 posts

Posted 07 September 2016 - 11:30 AM

My understanding is that Splunk is one of the tools that's most widely-used in a commercial context.

 

IMO virtualisation/sandboxing is the way to go. Essentially, you set up a honeypot VM - a VM with all the vulnerabilities that worms/viruses/trojans love to exploit. Many of the more advanced forms of malware are actually selective about their targets and are designed to go for the lowest-hanging fruit - i.e. the machine that is going to be most likely to let the virus do its thing. So you set up a VM that has all these vulnerabilities built into it. You also set up very comprehensive, debugging-level logging and monitoring on that VM, so that you can see exactly what the virus is doing. The better honeypot VMs that are available are also designed to emulate a real machine - this is because lots of malware starts by detecting whether it's running inside a VM - if the answer is yes, then the malware simply self-destructs, for obvious reasons. It's important not to interconnect the VM to any trusted/secure network to avoid the risk of the malware infecting the said network - in my view, the only 100% secure way of doing this is to use an air-gapped network in addition to the VM - i.e. have a testing network that's physically separated from the machines that you actually use for important things.

 

After the malware has done its thing, you look at the logs and the output of the monitoring tools to reverse engineer the cunt. With the more advanced forms of malware, this can sometimes be like finding a needle in a haystack, but I still reckon it's good fun. I used to hate viruses but now I actually enjoy letting them run wild and free on my testing platform so that I can find out how they work.

 

If you'd like some linkage to some of the honeypot software that's available, let me know which platform you're using and I'll send you through some links to downloads and tutorials on how to set them up. Obviously there are different ones available for Windows and Linux.


"Be not forgetful to entertain strangers: for thereby some have entertained angels unawares." Hebrews 13:2

"These sayings are faithful and true: and the Lord God of the holy prophets sent his angel to shew unto his servants the things which must shortly be done." Revelation 22:6

"And, behold, I come quickly; and my reward is with me, to give every man according as his work shall be. I am Alpha and Omega, the beginning and the end, the first and the last. Blessed are they that do his commandments, that they may have right to the tree of life, and may enter in through the gates into the city." Revelation 22:12-14

"I Jesus have sent mine angel to testify unto you these things in the churches. I am the root and the offspring of David, and the bright and morning star." Revelation 22:16


#7 Rybags

Rybags

    Immortal

  • Super Hero
  • 34,805 posts

Posted 07 September 2016 - 12:18 PM

Why would malware ignore VMs?  Sure, it's likely the case that a VM is 2-3 times more likely than a native box to be just running a test or unimportant environment but absolute shiteloads of production stuff runs on VM - half the reason for using VM is to make multi client enterprise computing more flexible.



#8 ArchangelOfTheLamb

ArchangelOfTheLamb

    Learner

  • Quark
  • 32 posts

Posted 08 September 2016 - 09:23 AM

Why would malware ignore VMs?  Sure, it's likely the case that a VM is 2-3 times more likely than a native box to be just running a test or unimportant environment but absolute shiteloads of production stuff runs on VM - half the reason for using VM is to make multi client enterprise computing more flexible.

 

Depends on the malware in question, but exactly because VMs are often run in a test environment. Though I'm sure that the newer malware doesn't ignore VMs because so much production stuff is run in a virtualised environment these days - really I was referring to the viruses I've experimented with, which are older and have been around for a while, well before VMs became so widely-used for production builds.


"Be not forgetful to entertain strangers: for thereby some have entertained angels unawares." Hebrews 13:2

"These sayings are faithful and true: and the Lord God of the holy prophets sent his angel to shew unto his servants the things which must shortly be done." Revelation 22:6

"And, behold, I come quickly; and my reward is with me, to give every man according as his work shall be. I am Alpha and Omega, the beginning and the end, the first and the last. Blessed are they that do his commandments, that they may have right to the tree of life, and may enter in through the gates into the city." Revelation 22:12-14

"I Jesus have sent mine angel to testify unto you these things in the churches. I am the root and the offspring of David, and the bright and morning star." Revelation 22:16


#9 joemeow

joemeow

    Initiate

  • Quark
  • 21 posts

Posted 27 September 2016 - 11:40 PM

Yeah, there is plenty of business-oriented intelligence software for this sort of thing.

Splunk is the popular one right now, and it has a free tier.

http://www.splunk.com/

good share mate thanks for posting this