Tuesday, July 22, 2008

Malware Analysis and Response: A Quick Howto

A recent wave of spam has managed to bypass some central email AV systems. The virus, which Sophos calls Troj/Agent-HFZ, wasn't recognized by many of the larger players in the antivirus space until earlier today. VirusTotal's list shows that many vendors still don't recognize this specific variant. As I watched some of our staff work to deal with the infections that resulted from users running the infected executables, I realized that a few basic steps could really save them some time. Here they are:

1. Get a copy of the malware and submit it to:

You'll see something like this - note that only 19 of 34 vendors recognized this malware when VirusTotal checked it.


2. Review the responses - often at least one or two vendors will have identified the malware, and some may have already written directions for removal. In this case, Sophos provided directions on removal that matched what was seen on infected systems.

3. Run strings on the malware. If it isn't packed or otherwise encoded, you may get enough information to either block remote contact sites, or you may learn more about it.

4. If you don't have a vendor-provided removal process, and if you're technically proficient enough, you can test the malware out yourself. I like to use a locked-down VM with network access only to a host that runs Wireshark. Here's an example of an outbound connection attempt from a recently infected host:


Note the attempts to connect to a .ru site - not something I would expect to see in a normal boot process.

I'll also use a utility that monitors the host for changes - Wise's Installation Studio is a commercial example, and various freeware packages are also available. You may also find tools like Windows SteadyState useful, as they provide virtual sandbox environments for testing.

5. Once you've figured out what the malware does, and what it changed, you're ready to figure out a course of action. In most cases, this will be one of three things:
  • Rely on third-party AV products to do the removal
  • Create a scripted or manual removal process
  • Reinstall or restore system state
You may also discover outbound IP addresses or domains that you wish to block to stop the malware's outbound communications, or specific strings you want to filter for on your inbound mail server. By now, you should know what you're looking for, and you'll be far more ready to handle further occurrences of the malware.
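As an added example (not from the original post, and not tied to the real Troj/Agent-HFZ sample), here is a small Python script covering steps 3 and 5: it pulls printable strings out of an unpacked binary the way `strings` does (ASCII and, since Windows executables often carry them, UTF-16LE), then picks out the URLs, domains, IP addresses and Run-key references you would want for a block list or a removal script. The binary image, the `.ru` host and the IP addresses are constructed test data, and the TLD shortlist is an assumption for the example.

```python
import re
from ipaddress import ip_address

# Constructed stand-in for an unpacked sample (not real malware): a few
# embedded strings of the kinds step 3 hopes to find, plus some noise.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 12
    + b"WSOCK32.dll\x00connect\x00"
    + b"http://update.example.ru/gate.php\x00"
    + b"\x01\x02ab\x03"                          # too short to be a string
    + b"203.0.113.45\x00"
    + b"999.1.1.1\x00"                           # looks like an IP, is not
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "cmd.exe".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE, common in PE files
)

MIN_LEN = 4  # same default as the `strings` tool

def strings(data: bytes, min_len: int = MIN_LEN):
    """Like `strings` plus `strings -el`: printable runs, ASCII and UTF-16LE."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    out = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    out += [m.group().decode("utf-16-le") for m in re.finditer(wide_re, data)]
    return out

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Short TLD list chosen for this example; widen it for real use.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:ru|com|net|org|info|biz)\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run", re.I)

def triage(data: bytes):
    """Pull candidate contact sites and persistence hints out of the strings."""
    found = {"urls": set(), "domains": set(), "ips": set(), "persistence": set()}
    for s in strings(data):
        for url in URL_RE.findall(s):
            found["urls"].add(url)
            found["domains"].add(url.split("//", 1)[1].split("/", 1)[0].lower())
        for dom in DOMAIN_RE.findall(s):
            found["domains"].add(dom.lower())
        for ip in IPV4_RE.findall(s):
            try:
                ip_address(ip)          # rejects octets > 255 such as 999.1.1.1
            except ValueError:
                continue
            found["ips"].add(ip)
        if RUN_KEY_RE.search(s):
            found["persistence"].add(s)
    return {k: sorted(v) for k, v in found.items()}

if __name__ == "__main__":
    for kind, values in triage(SAMPLE).items():
        print(kind, values)
```

Anything the script reports is a lead to confirm against the Wireshark capture from step 4, not a block list on its own: packed samples yield little, and library names such as WSOCK32.dll are noise.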

As for the malware of the day? The SMTP scanner servers are filtering it, the helpdesk has repair information, and our AV vendors are releasing updates to remove it. The users? Well, they're still occasionally clicking on their fake UPS invoices.
