Yes.
I did notice the thread was around tools. However, I just wanted to talk
about the process as well so that was my 2 cents worth. I also mentioned
the TCPView tool which is great at allowing you to tie process visually to
network connections. Like they say, the devil is in the details. Even if
you have the best tools, it's how you use them that makes the biggest
difference.
I wonder if there is a thread or security focus list around Incidence
Response in the event of a breach, virus attack, etc. That would be another
good topic to discuss as far as processes.
As far as the question, what's in your RAM?
You should check out this episode at hak5.org.
I am not affiliated with this podcasting group, but they always have great
episodes around this kind of thing.
http://www.hak5.org/?s=Cold+boot+attack
Thanks..
JMK
Original Message:
-----------------
From: Murda Mcloud murdamcloud (at) bigpond (dot) com [email concealed]
Date: Tue, 10 Nov 2009 10:13:50 +1000
To: kmj1268 (at) comcast (dot) net [email concealed], security-basics (at) lists.securityfocus (dot) com [email concealed]
Subject: RE: Malware Analysis
Good points. I know that the OP was asking for straightforward tools for
some basic tasks but I began to wonder whether having the ability to capture
the physical memory as well might come in useful, especially as the systems
may be allowed to stay 'live'. Windd is good for that.
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> >On Behalf Of kmj1268 (at) comcast (dot) net [email concealed]
> >Sent: Tuesday, November 10, 2009 5:10 AM
> >To: security-basics (at) lists.securityfocus (dot) com [email concealed]
> >Subject: Malware Analysis
> >
> >In relation to the copied thread below, this is some great discussion.
> >
> >I have been fascinated with the science of malware analysis myself, and
> >there is so much to learn. While I am not an expert, what I generally
> >see
> >happen with a machine is processes (either hidden by rootkits or not
> >hidden) taking over network connections and phoning home to control and
> >command centers to grow the botnet army. You always have to take the
> >assumption that you could have a rootkit and start from there. The
> >problem
> >with rootkits is they make everyday programs on the suspect's running OS
> >that should be innocuous operate differently and hide behavior. What I
> >have always seen as a recommendation is to take a suspect machine's drive
> >out and have it scrubbed and analyzed with a live forensic distro. Better
> >yet, use a Live CD distro such as clonezilla to create a bit for bit
> >clone
> >of the hard drive. A popular one is Trinity Rescue. The key is working
> >with something that is not native to the suspect machine. You cant trust
> >the programs or what kind of response you might get if you run programs
> >on
> >a possibly rootkitted machine or one that is compromised. What you can
> >trust is the programs on a live CD/DVD and the traffic you see on your
> >network. Now when the machine is running and I want to do analysis, I
> >usually will carry a hub with me (they are certainly hard to find now
> >adays) and will run wireshark on the traffic for the suspect machine.
> >Have
> >it running with all explorer sessions shut down and the machine started
> >from a reboot - but the machine doesnt need to be connected to the
> >network.
> >If there are rogue processes they will show up in wireshark. Then
> >after
> >you identify rogue network processes you can use a program like TCPView
> >which will tie back a connection to a program and then you can
> >investigate
> >that program to see if it is malicious.
> >
> >Anyways, I just wanted to chime in and say thanks and offer my two cents
> >for whatever it is worth. There is certainly more than one way to
> >approach
> >the analysis. I would be interested in learning more about the processes
> >folks on this thread run through in this type of event.
> >
> > There is some excellent feedback and advice in this thread and I am glad
> >to be able to take away some good advice myself.
> >
> >Thanks so much....
> >
> >JMK
> >J. Mark Kellerman, CISSP, CCSA-NGX
> >Snr Security Engineer.
> >
> >
> >
> >
> >
> >
> >Sent from my iPhone
> >
> >Begin forwarded message:
> >
> >From: Murda Mcloud
> ><murdamcloud (at) bigpond (dot) com [email concealed]<mailto:murdamcloud (at) bigpond (dot) com [email concealed]>>
> >Date: November 4, 2009 11:46:13 PM EST
> >To: 'exzactly' <exzactly (at) hotmail (dot) com [email concealed]<mailto:exzactly (at) hotmail (dot) com [email concealed]>>,
> >"security-basics (at) securityfocus (dot) com [email concealed]<mailto:security-
> >basics (at) securityfocus (dot) com [email concealed]>
> >"
> ><security-basics (at) securityfocus (dot) com [email concealed]<mailto:security-
> >basics (at) securityfocus (dot) com [email concealed]>
> >>
> >Subject: RE: Security Toolkit for dummies
> >
> >Fport might come in handy.
> >I'm guessing you want 'clean' versions of everything because who knows
> >what
> >is running on the box itself or what has been modified.
> >How will you be able to trust that the cmd window that you run some of
> >these
> >from is legit? Or that it will run at all?
> >Maybe a cmd alternative will help, too.
> >Fciv so you could check hashes?
> >Regalyzer?
> >
> >
> >Will you image the machines before allowing the support guys to do their
> >stuff?
> >
> >
> >
> >
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [email concealed]<mailto:listbounce (at) securityfocus (dot) com [email concealed]>
> >[mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> >On Behalf Of exzactly
> >Sent: Thursday, November 05, 2009 4:27 AM
> >To: <mailto:security-basics (at) securityfocus (dot) com [email concealed]>
> >security-basics (at) securityfocus (dot) com [email concealed]<mailto:security-
> >basics (at) securityfocus (dot) com [email concealed]>
> >Subject: Security Toolkit for dummies
> >
> >I am currently working on a (free)toolkit to pass down to Tier 3 and Tier
> >2
> >to be used in the event of a breach/infection or suspected
> >breach/infection.
> >In a nutshell I want to give them some tools to use to gain further
> >information about the system and processes and/or malicious tools running
> >on
> >it. This toolkit is designed for a Windows desktop and Server
> >environment. I
> >am looking at building out tools that are fairly easy to use and do not
> >require much training. Currently I have the following tools on it:
> >
> >(SysInternal tools)
> >Autoruns
> >PortMon
> >Process Explorer
> >Process Monitor
> >Ps Tools
> >Logon Sessions
> >
> >Other tools:
> >Adaware
> >
> >
> >Is there anything else folks out there are using to provide their lower
> >level support guys with some tools for informational gathering
> >purposes....the tools have to run offline as systems are removed in the
> >event of a breach or infection...I am not looking for a full blown
> >forensics
> >kit, just something I can train folks unfamiliar with tool fairly
> >quickly...
> >
> >
> >-----------------------------------------------------------------------
-
> >Securing Apache Web Server with thawte Digital Certificate
> >In this guide we examine the importance of Apache-SSL and who needs an
> >SSL certificate. We look at how SSL works, how it benefits your company
> >and how your customers can tell if a site is secure. You will find out
> >how to test, purchase, install and use a thawte Digital Certificate on
> >your Apache web server. Throughout, best practices for set-up are
> >highlighted to help you ensure efficient ongoing management of your
> >encryption keys and digital certificates.
> >
> >http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f
> >727d1
> >-----------------------------------------------------------------------
-
> >
> >
> >-----------------------------------------------------------------------
-
> >Securing Apache Web Server with thawte Digital Certificate
> >In this guide we examine the importance of Apache-SSL and who needs an
> >SSL
> >certificate. We look at how SSL works, how it benefits your company and
> >how
> >your customers can tell if a site is secure. You will find out how to
> >test,
> >purchase, install and use a thawte Digital Certificate on your Apache web
> >server. Throughout, best practices for set-up are highlighted to help you
> >ensure efficient ongoing management of your encryption keys and digital
> >certificates.
> >
> >http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f
> >727
> >d1
> >-----------------------------------------------------------------------
-
> >
> >
> >
> >
> >--------------------------------------------------------------------
> >mail2web.com - Enhanced email for the mobile individual based on
> >MicrosoftR
> >Exchange - http://link.mail2web.com/Personal/EnhancedEmail
> >
> >
> >
> >-----------------------------------------------------------------------
-
> >Securing Apache Web Server with thawte Digital Certificate
> >In this guide we examine the importance of Apache-SSL and who needs an
> >SSL certificate. We look at how SSL works, how it benefits your company
> >and how your customers can tell if a site is secure. You will find out
> >how to test, purchase, install and use a thawte Digital Certificate on
> >your Apache web server. Throughout, best practices for set-up are
> >highlighted to help you ensure efficient ongoing management of your
> >encryption keys and digital certificates.
> >
> >http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f
> >727d1
> >-----------------------------------------------------------------------
-
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how to
test, purchase, install and use a thawte Digital Certificate on your Apache
web server. Throughout, best practices for set-up are highlighted to help
you ensure efficient ongoing management of your encryption keys and digital
certificates.
--------------------------------------------------------------------
mail2web LIVE ? Free email based on Microsoft® Exchange technology -
http://link.mail2web.com/LIVE
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
I did notice the thread was around tools. However, I just wanted to talk
about the process as well so that was my 2 cents worth. I also mentioned
the TCPView tool which is great at allowing you to tie process visually to
network connections. Like they say, the devil is in the details. Even if
you have the best tools, it's how you use them that makes the biggest
difference.
I wonder if there is a thread or security focus list around Incidence
Response in the event of a breach, virus attack, etc. That would be another
good topic to discuss as far as processes.
As far as the question, what's in your RAM?
You should check out this episode at hak5.org.
I am not affiliated with this podcasting group, but they always have great
episodes around this kind of thing.
http://www.hak5.org/?s=Cold+boot+attack
Thanks..
JMK
Original Message:
-----------------
From: Murda Mcloud murdamcloud (at) bigpond (dot) com [email concealed]
Date: Tue, 10 Nov 2009 10:13:50 +1000
To: kmj1268 (at) comcast (dot) net [email concealed], security-basics (at) lists.securityfocus (dot) com [email concealed]
Subject: RE: Malware Analysis
Good points. I know that the OP was asking for straightforward tools for
some basic tasks but I began to wonder whether having the ability to capture
the physical memory as well might come in useful, especially as the systems
may be allowed to stay 'live'. Windd is good for that.
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> >On Behalf Of kmj1268 (at) comcast (dot) net [email concealed]
> >Sent: Tuesday, November 10, 2009 5:10 AM
> >To: security-basics (at) lists.securityfocus (dot) com [email concealed]
> >Subject: Malware Analysis
> >
> >In relation to the copied thread below, this is some great discussion.
> >
> >I have been fascinated with the science of malware analysis myself, and
> >there is so much to learn. While I am not an expert, what I generally
> >see
> >happen with a machine is processes (either hidden by rootkits or not
> >hidden) taking over network connections and phoning home to control and
> >command centers to grow the botnet army. You always have to take the
> >assumption that you could have a rootkit and start from there. The
> >problem
> >with rootkits is they make everyday programs on the suspect's running OS
> >that should be innocuous operate differently and hide behavior. What I
> >have always seen as a recommendation is to take a suspect machine's drive
> >out and have it scrubbed and analyzed with a live forensic distro. Better
> >yet, use a Live CD distro such as clonezilla to create a bit for bit
> >clone
> >of the hard drive. A popular one is Trinity Rescue. The key is working
> >with something that is not native to the suspect machine. You cant trust
> >the programs or what kind of response you might get if you run programs
> >on
> >a possibly rootkitted machine or one that is compromised. What you can
> >trust is the programs on a live CD/DVD and the traffic you see on your
> >network. Now when the machine is running and I want to do analysis, I
> >usually will carry a hub with me (they are certainly hard to find now
> >adays) and will run wireshark on the traffic for the suspect machine.
> >Have
> >it running with all explorer sessions shut down and the machine started
> >from a reboot - but the machine doesnt need to be connected to the
> >network.
> >If there are rogue processes they will show up in wireshark. Then
> >after
> >you identify rogue network processes you can use a program like TCPView
> >which will tie back a connection to a program and then you can
> >investigate
> >that program to see if it is malicious.
> >
> >Anyways, I just wanted to chime in and say thanks and offer my two cents
> >for whatever it is worth. There is certainly more than one way to
> >approach
> >the analysis. I would be interested in learning more about the processes
> >folks on this thread run through in this type of event.
> >
> > There is some excellent feedback and advice in this thread and I am glad
> >to be able to take away some good advice myself.
> >
> >Thanks so much....
> >
> >JMK
> >J. Mark Kellerman, CISSP, CCSA-NGX
> >Snr Security Engineer.
> >
> >
> >
> >
> >
> >
> >Sent from my iPhone
> >
> >Begin forwarded message:
> >
> >From: Murda Mcloud
> ><murdamcloud (at) bigpond (dot) com [email concealed]<mailto:murdamcloud (at) bigpond (dot) com [email concealed]>>
> >Date: November 4, 2009 11:46:13 PM EST
> >To: 'exzactly' <exzactly (at) hotmail (dot) com [email concealed]<mailto:exzactly (at) hotmail (dot) com [email concealed]>>,
> >"security-basics (at) securityfocus (dot) com [email concealed]<mailto:security-
> >basics (at) securityfocus (dot) com [email concealed]>
> >"
> ><security-basics (at) securityfocus (dot) com [email concealed]<mailto:security-
> >basics (at) securityfocus (dot) com [email concealed]>
> >>
> >Subject: RE: Security Toolkit for dummies
> >
> >Fport might come in handy.
> >I'm guessing you want 'clean' versions of everything because who knows
> >what
> >is running on the box itself or what has been modified.
> >How will you be able to trust that the cmd window that you run some of
> >these
> >from is legit? Or that it will run at all?
> >Maybe a cmd alternative will help, too.
> >Fciv so you could check hashes?
> >Regalyzer?
> >
> >
> >Will you image the machines before allowing the support guys to do their
> >stuff?
> >
> >
> >
> >
> >-----Original Message-----
> >From: listbounce (at) securityfocus (dot) com [email concealed]<mailto:listbounce (at) securityfocus (dot) com [email concealed]>
> >[mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> >On Behalf Of exzactly
> >Sent: Thursday, November 05, 2009 4:27 AM
> >To: <mailto:security-basics (at) securityfocus (dot) com [email concealed]>
> >security-basics (at) securityfocus (dot) com [email concealed]<mailto:security-
> >basics (at) securityfocus (dot) com [email concealed]>
> >Subject: Security Toolkit for dummies
> >
> >I am currently working on a (free)toolkit to pass down to Tier 3 and Tier
> >2
> >to be used in the event of a breach/infection or suspected
> >breach/infection.
> >In a nutshell I want to give them some tools to use to gain further
> >information about the system and processes and/or malicious tools running
> >on
> >it. This toolkit is designed for a Windows desktop and Server
> >environment. I
> >am looking at building out tools that are fairly easy to use and do not
> >require much training. Currently I have the following tools on it:
> >
> >(SysInternal tools)
> >Autoruns
> >PortMon
> >Process Explorer
> >Process Monitor
> >Ps Tools
> >Logon Sessions
> >
> >Other tools:
> >Adaware
> >
> >
> >Is there anything else folks out there are using to provide their lower
> >level support guys with some tools for informational gathering
> >purposes....the tools have to run offline as systems are removed in the
> >event of a breach or infection...I am not looking for a full blown
> >forensics
> >kit, just something I can train folks unfamiliar with tool fairly
> >quickly...
> >
> >
> >-----------------------------------------------------------------------
-
> >Securing Apache Web Server with thawte Digital Certificate
> >In this guide we examine the importance of Apache-SSL and who needs an
> >SSL certificate. We look at how SSL works, how it benefits your company
> >and how your customers can tell if a site is secure. You will find out
> >how to test, purchase, install and use a thawte Digital Certificate on
> >your Apache web server. Throughout, best practices for set-up are
> >highlighted to help you ensure efficient ongoing management of your
> >encryption keys and digital certificates.
> >
> >http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f
> >727d1
> >-----------------------------------------------------------------------
-
> >
> >
> >-----------------------------------------------------------------------
-
> >Securing Apache Web Server with thawte Digital Certificate
> >In this guide we examine the importance of Apache-SSL and who needs an
> >SSL
> >certificate. We look at how SSL works, how it benefits your company and
> >how
> >your customers can tell if a site is secure. You will find out how to
> >test,
> >purchase, install and use a thawte Digital Certificate on your Apache web
> >server. Throughout, best practices for set-up are highlighted to help you
> >ensure efficient ongoing management of your encryption keys and digital
> >certificates.
> >
> >http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f
> >727
> >d1
> >-----------------------------------------------------------------------
-
> >
> >
> >
> >
> >--------------------------------------------------------------------
> >mail2web.com - Enhanced email for the mobile individual based on
> >MicrosoftR
> >Exchange - http://link.mail2web.com/Personal/EnhancedEmail
> >
> >
> >
> >-----------------------------------------------------------------------
-
> >Securing Apache Web Server with thawte Digital Certificate
> >In this guide we examine the importance of Apache-SSL and who needs an
> >SSL certificate. We look at how SSL works, how it benefits your company
> >and how your customers can tell if a site is secure. You will find out
> >how to test, purchase, install and use a thawte Digital Certificate on
> >your Apache web server. Throughout, best practices for set-up are
> >highlighted to help you ensure efficient ongoing management of your
> >encryption keys and digital certificates.
> >
> >http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f
> >727d1
> >-----------------------------------------------------------------------
-
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how to
test, purchase, install and use a thawte Digital Certificate on your Apache
web server. Throughout, best practices for set-up are highlighted to help
you ensure efficient ongoing management of your encryption keys and digital
certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727
d1
------------------------------------------------------------------------
--------------------------------------------------------------------
mail2web LIVE ? Free email based on Microsoft® Exchange technology -
http://link.mail2web.com/LIVE
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]