Friday, April 27, 2012

Registry analysis in Volatility

Volatility is an excellent tool that can extract registry data out of memory dumps.
 
Using Volatility helps confirm a malware infection and identify how the malware keeps its persistence (its registry launch points).
 
The “Top 10 malware registry launch points” study by F-Secure can be used as a starting point.

For example, Volatility can be used as follows. Note that printkey -K walks every hive found in memory and the key path is relative to the hive root, so the paths below hit the SOFTWARE hive; the same Run key in a user's NTUSER.DAT is at "Software\Microsoft\Windows\CurrentVersion\Run" and needs a second run:
  • vol.py -f zeus.vmem printkey -K "Microsoft\Windows\CurrentVersion\Run"
  • vol.py -f zeus.vmem printkey -K "Microsoft\Windows\CurrentVersion\RunOnce"
  • vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
 
In addition, the following keys can be checked for malware:
  • vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Windows" --> check the AppInit_DLLs value
  • vol.py -f zeus.vmem printkey -K "Classes\.exe\shell\open\command"
  • vol.py -f zeus.vmem printkey -K "Classes\exefile\shell\open\command" --> anything other than the default "%1" %* means every .exe launch is being hijacked
  • vol.py -f zeus.vmem printkey -K "Software\Microsoft\Command Processor" --> check the AutoRun value (AutoRun is a value of this key, not a subkey, so it cannot be given to -K)
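To work through the output of the commands above systematically rather than by eye, here is an added Python example (written for this page; it is not part of Volatility and not the original post's code). It generates the vol.py command lines for the launch points listed in both their SOFTWARE-relative and NTUSER.DAT-relative spellings, parses the text that Volatility 2 printkey prints, and flags Run values whose target lives somewhere a non-admin user can write. The printkey text is a constructed sample in the layout printkey uses (an assumption, not a capture from a real image); the "Yaxagi" value and its path are invented to imitate ZeuS-style persistence under Application Data, and the profile name in the usage call is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample of Volatility 2 printkey output (assumed layout, not a real
# capture). The "Yaxagi" value in the user hive imitates ZeuS-style persistence:
# a random-looking .exe under Application Data.
SAMPLE_PRINTKEY_OUTPUT = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Run (S)
Last updated: 2010-08-11 21:44:24

Subkeys:
  (S) OptionalComponents

Values:
REG_SZ        VMware Tools    : (S) "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Run (S)
Last updated: 2010-08-15 19:17:56

Subkeys:

Values:
REG_SZ        ctfmon.exe      : (S) C:\WINDOWS\system32\ctfmon.exe
REG_SZ        Yaxagi          : (S) "C:\Documents and Settings\Administrator\Application Data\Nuicu\qoqe.exe"
"""

# Launch points from the post, spelled relative to each hive root: printkey -K
# walks every hive, so the SOFTWARE and NTUSER.DAT spellings differ.
AUTOSTART_KEYS = [
    r"Microsoft\Windows\CurrentVersion\Run",
    r"Microsoft\Windows\CurrentVersion\RunOnce",
    r"Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"Microsoft\Windows NT\CurrentVersion\Windows",        # AppInit_DLLs value
    r"Classes\exefile\shell\open\command",
    r"Software\Microsoft\Windows\CurrentVersion\Run",      # per-user (NTUSER.DAT)
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Command Processor",               # AutoRun value
]

VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s+:\s+\((S|V)\)\s+(.*)$")
USER_WRITABLE = ("application data", "appdata", "local settings", "\\temp\\",
                 "recycler", "programdata", "users\\")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files", "%systemroot%", "%programfiles%")


def printkey_commands(image: str, profile: str) -> List[str]:
    """Command lines to run against an image; profile is whatever imageinfo suggests."""
    return [f'vol.py -f {image} --profile={profile} printkey -K "{key}"' for key in AUTOSTART_KEYS]


def parse_printkey(text: str) -> List[Dict[str, str]]:
    """One dict per string value, tagged with the hive file and key it came from."""
    entries, hive, key, in_values = [], "", "", False
    for line in text.splitlines():
        if line.startswith("Registry: "):
            hive, in_values = line[len("Registry: "):].strip(), False
        elif line.startswith("Key name: "):
            key = line[len("Key name: "):].strip()
        elif line.startswith("Values:"):
            in_values = True
        elif line.startswith(("Subkeys:", "---")):
            in_values = False
        elif in_values:
            m = VALUE_RE.match(line)
            if m:  # REG_BINARY is printed as a multi-line hexdump and never matches; skipped
                entries.append({"hive": hive, "key": key, "type": m.group(1),
                                "name": m.group(2).strip(),
                                "data": m.group(4).strip().strip('"')})
    return entries


def suspicion_reasons(entry: Dict[str, str]) -> List[str]:
    """Heuristics: where does the autostart target live, and which hive holds it?"""
    data = entry["data"].lower()
    reasons = []
    if any(marker in data for marker in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if not data.startswith(SYSTEM_PREFIXES):
        reasons.append("target is outside Windows and Program Files")
    if reasons and entry["hive"].lower().endswith("ntuser.dat"):
        reasons.append("per-user launch point (needs no admin rights to set)")
    return reasons


def hunt_autostarts(printkey_text: str) -> List[Dict]:
    """Return only the string values that trip at least one heuristic."""
    findings = []
    for entry in parse_printkey(printkey_text):
        if entry["type"] not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for cmd in printkey_commands("zeus.vmem", "WinXPSP2x86"):
        print(cmd)
    for f in hunt_autostarts(SAMPLE_PRINTKEY_OUTPUT):
        print(f"{f['hive']} :: {f['key']} :: {f['name']} = {f['data']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run the printed commands against the image, concatenate their output into one file and feed it to hunt_autostarts. The heuristics are deliberately crude: a legitimate updater installed per-user will also be flagged, so treat a hit as a lead to confirm with pslist, dlllist and the file's hash, not as a verdict.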

Thursday, April 26, 2012

Assess your internet connection security


Have you ever thought about doing an external penetration test but had no budget available?

I suggest the following free online tools to get a first look at your organization's external security. These tools give you only a basic assessment; you still need an in-depth penetration test to make sure no security weakness can let attackers into your network.

Port Scanner
Web Tool Hub Online port scanner

Web applications and vulnerability scanners
Qualys FreeScan
Automated Security Analyser for ASP.NET Websites

Tuesday, April 17, 2012

Memory Forensics

As an incident responder, you have to know how to conduct memory forensics.

All over the internet you can find excellent articles on the subject; here I list the ones that help new incident responders understand and build memory forensics skills using the Volatility tool.

First, a reference you should keep with you at all times:
Memory Forensics Cheat Sheet

List of tutorials

IETab_IE65 Malware Memory Analysis
Volatility Memory Forensics | Basic Usage for Malware Analysis
Zeus Analysis in Volatility 2.0
Zeus v2 Malware Analysis - Part II
Stuxnet's Footprint in Memory with Volatility 2.0
Memory Forensics: Analyzing a Stuxnet Memory Dump (And you can too!)

I will keep the list updated with the best references and tutorials.

One Hour A Day Keeps Intrusions Away

In the IT field everyone is busy and forgets to check the security of the IT infrastructure. By spending about one hour a day, IT or security administrators can prevent intrusions, or at least detect them before it is too late.

All you need are the reports generated by the security tools already in place, for example antivirus, proxy, content filter, intrusion prevention systems, etc. As for firewalls, if no log management and reporting tool is in place, Splunk (free edition) or OSSIM (open source) can be used to generate the required reports.

In addition to reports, you have to subscribe to one or more security alert feeds and newsletters.

So how should that daily hour be spent? Simply go through the following:
  1. Based on antivirus reports
    1. Review the top 5 infected computers
    2. Review the top 5 virus infections
  2. Based on IPS/IDS reports
    1. Review the IPS/IDS report for the top 5 sources of attacks
    2. Review the IPS/IDS report for the top 5 targets of attacks
  3. Based on proxy or content filtering reports
    1. Review the top 5 visited web sites
    2. Review web links visited during non-working hours or at weekends
    3. Review suspicious web links
  4. Based on firewall reports
    1. Review the top 5 blocked ports
    2. Review the top 5 blocked internal IP addresses
    3. Review the external ports (UDP/TCP) that were actually accessed
  5. Search pastebin.com for posted information about your entity
  6. Search zone-h.org for any unknown web defacement of your web server
  7. Review security newsletters and alerts
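When no reporting tool is in place, the firewall and proxy items of the routine above are a few lines of scripting over the raw logs. The following is an added Python example written for this page (not the post's own material and not tied to Splunk, OSSIM or any vendor format): it parses constructed firewall and proxy log lines in a made-up layout, produces the top-5 blocked ports and blocked internal addresses, lists the external ports that were actually allowed out, and pulls out proxy visits made outside working hours or at weekends. The log lines, the line layout, the 08:00-18:00 Monday-to-Friday working hours and all addresses are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample logs (not from any real firewall or proxy). The line layouts
# are assumptions for this example, not a vendor format; adapt the two regexes.
FIREWALL_LOG = """\
2012-04-23 09:02:11 DENY TCP 10.0.0.23:51234 -> 203.0.113.9:445
2012-04-23 09:02:12 DENY TCP 10.0.0.23:51235 -> 203.0.113.10:445
2012-04-23 09:05:40 DENY TCP 10.0.0.23:51240 -> 203.0.113.11:445
2012-04-23 10:15:03 DENY TCP 10.0.0.41:40000 -> 198.51.100.7:6667
2012-04-23 10:15:33 DENY TCP 10.0.0.41:40001 -> 198.51.100.7:6667
2012-04-23 11:00:00 DENY UDP 10.0.0.77:53001 -> 198.51.100.20:69
2012-04-23 11:30:00 ALLOW TCP 10.0.0.41:40010 -> 198.51.100.7:80
2012-04-23 11:31:00 ALLOW TCP 10.0.0.23:51300 -> 203.0.113.50:443
2012-04-23 12:00:00 DENY TCP 10.0.0.41:40020 -> 198.51.100.8:25
"""

PROXY_LOG = """\
2012-04-23 09:10:00 10.0.0.23 http://www.example.com/ 200
2012-04-23 19:45:00 10.0.0.23 http://update.example.net/cfg.bin 200
2012-04-21 23:41:10 10.0.0.41 http://irc.example.org/ 200
2012-04-24 12:30:00 10.0.0.77 http://www.example.com/news 200
2012-04-24 03:02:00 10.0.0.23 http://update.example.net/cfg.bin 200
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FW_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) (TCP|UDP) " + IP + r":(\d+) -> " + IP + r":(\d+)$")
PROXY_RE = re.compile(r"^(\S+ \S+) " + IP + r" (\S+) (\d{3})$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than miscounted
        ts, action, proto, src, _sport, dst, dport = m.groups()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "action": action,
                       "proto": proto, "src": src, "dst": dst, "dport": int(dport)})
    return events


def top_blocked_ports(events, n=5):
    return Counter(e["dport"] for e in events if e["action"] == "DENY").most_common(n)


def top_blocked_sources(events, n=5):
    return Counter(e["src"] for e in events if e["action"] == "DENY").most_common(n)


def accessed_external_ports(events):
    # Outbound connections the firewall actually let through: the real exposure.
    return sorted({(e["proto"], e["dport"]) for e in events if e["action"] == "ALLOW"})


def parse_proxy(text):
    visits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, client, url, status = m.groups()
        host = url.split("//", 1)[-1].split("/", 1)[0]
        visits.append({"ts": datetime.strptime(ts, TS_FMT), "client": client,
                       "url": url, "host": host, "status": int(status)})
    return visits


def top_visited_sites(visits, n=5):
    return Counter(v["host"] for v in visits).most_common(n)


def off_hours_visits(visits, start=time(8, 0), end=time(18, 0)):
    # Working hours assumed Monday-Friday, start..end; weekday() >= 5 is Sat/Sun.
    return [v for v in visits
            if v["ts"].weekday() >= 5 or not (start <= v["ts"].time() < end)]


def daily_review(fw_text, proxy_text, n=5):
    fw, px = parse_firewall(fw_text), parse_proxy(proxy_text)
    return {
        "top_blocked_ports": top_blocked_ports(fw, n),
        "top_blocked_sources": top_blocked_sources(fw, n),
        "accessed_external_ports": accessed_external_ports(fw),
        "top_visited_sites": top_visited_sites(px, n),
        "off_hours_visits": [(v["ts"].strftime(TS_FMT), v["client"], v["url"])
                             for v in off_hours_visits(px)],
    }


if __name__ == "__main__":
    for section, rows in daily_review(FIREWALL_LOG, PROXY_LOG).items():
        print(f"== {section}")
        for row in rows:
            print("  ", row)
```

In the constructed data the same internal host (10.0.0.23) shows up both as the top source of blocked SMB attempts and as a client fetching the same file at 19:45 and 03:02, which is exactly the kind of correlation the hour is meant to surface; the script only sorts and counts, the judgement is still yours.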
Soon I will add more details about what to look for and how to identify possible or potential intrusions or weaknesses.