Binary Intelligence

...thoughts and news on digital forensics, pentesting, electronic investigations, and the computer underground.

1/06/2009
Posted by Jim

Reversing

It is not uncommon in the course of a forensic investigation for us to have to load up some software we find on a piece of evidence and start to reverse it. That process has been very helpful to us in the past.

It does not always bear fruit. I can think of one instance a few months ago where I spent a fair amount of time reversing an "odd" executable that Matt discovered on a system, which we thought might be malware. It had all the common signs: it was packed, ran on start up, was installed in an odd location, modified networking information on boot, would automatically shut down if no network was present, etc. After a couple of hours on it, it turned out to be simply a sysadmin's way of enforcing that users made use of the VPN correctly, had proper route tables, and had the Windows firewall policy set correctly. (They just went about it in a very odd way!)

But on the other hand, at times you can get a real gem.

I have read some reports stating that "suspect malware was discovered which likely altered the ..." etc. etc. From my point of view, that is bull. There should be no such thing as "suspect" malware. It is, or it is not. And it is your job to find out which it is.

Reverse the application, determine what it is doing, and document it.

It is not always that easy to do, however, especially when you have not done it before. On that note, I came across a blog post tonight which I thought would make a great starting point for you if this is something that interests you:

Back in September a friend had pointed me to a little contest being held online called 'The 2008 Malware Challenge'. The Malware Challenge was created to establish a fun way for folks to get their hands dirty with reverse engineering by analyzing real world malware. The organizers of the contest realize the need for these skills in this day and age, especially for IT administrators and such to be able to keep networks safe.
