Thursday, September 27, 2012

Quick malware analysis during incidents

During security incidents due to malware infections, it is required to act fast and identify the malware behavior and take actions. However analyzing malware may takes time ,especially if considering that antiviruses cannot detect new well-crafted malwares.

To quickly analyses a suspicious file to identify if it a malware or not and understand its behavior, the following quick actions can be taken

1-upload the file to virustotal
Virustotal.com will check if the file detected by any of the antiviruses rather the one installed. In this case the antivirus vendor may contacted to produce a signature for the malware

2-upload the file to anubis and malwr
Both sites will analyze the file behavior and will indicate if it is a malware or not. Comparing results
Also the analysis will help taking necessary action such as removing the virus, blocking access to its C&C, produce IDS/IPS signature etc.

These 2 actions are very simple but when there is no time or tools in place remeber that these actions will be the last resort.

Sunday, September 16, 2012

C&C traffic , TOR network the new media

A new research by GData Software researchers, Identified a C&C server for a botnet hidden in TOR network.

Their blog is excellent where they described the 2 C&C traffic medias are being used by Botnets and the new media using TOR. I highly recommend reading it and establish an approach to detect and stop such traffic.

Enjoy reading:
Botnet command server hidden in Tor

Digital Forensics Procedure- Quick thought

Always follow a propoer Digital Forensics Procedure, many can be found on the internet but for guidance one of the following can be used:
 
SANS Digital Forensics and Incident Response Poster
Forensic Process Lifecycle

Always remober because you are responsible for an evidence, it means you have to show "chain of custody" by following proper procedure and protect the integrity of an evidence all the way to its dispostion.  

Thursday, August 30, 2012

Who is next in the shamoon queue?

like a nightmare, i have this thought:
  1. Company "X" in Qatar got infected
  2. remote offices of company "X" in another GCC state "H" got infected
  3. Service provider "A" managing the remote office became infected
  4. Same Service provider "A" managing few of the GCC state  "H" government entities became infected then infect other gov entities.
Of course it will be a chain of infections and network shutdowns.

Seems crazy, but think about it as if you are another state has serious issues with GCC and you already has the technology, the skills and the code. if you can do it 2 times then hardly you will be stopped.

Have a nice weekend.

Who was next to ARAMCO?

Answer: It is RASGas in Qatar whom has experienced virus outbreak, the computers network has been taken off for 3 days ,so far, by unknown virus. but let me guess, it can be shamoon or one of his cousins.
ARAMCO at KSA, RASGas at Qatar, will UAE be the next ? specially with remote offices around the GCC ?

However stopping or reducing the impact can be done by applying basics of the IT security as listed in the following blogs:
Stop Shamoon before it is too late
Making Life Difficult for Malware

References:
http://www.pipelinecommunity.com/Oil-News/breaking-rasgas-it-network-black-out.html
http://dohanews.co/

Wednesday, August 29, 2012

Making Life Difficult for Malware

Making Life Difficult for Malware is presentation by Jarno Niemelä from F-Secure, it is very practical and i highly recommend it.

Jarno listed recommendations based on a research of the behavior data of ~750000 known malware. Most of the recommendations cost zero dollar and can be implemented easily by any type of organizations using minimal resources.

Enjoy the reading:
Making Life Difficult for Malware