
Analysis for Virus attack

Posted on 2014-08-29
Last Modified: 2014-09-04
If a virus attacks a system, what are the best tools/formula/calculation to understand what effect the virus has on our environment or infrastructure, and what data should we collect from our infrastructure (network traffic, OS, .....) that will help us evaluate this attack or its impact? From where can I get these samples?
Question by:abdallah1973
3 Comments
Expert Comment by: David Johnson, CD, MVP
ID: 40294347
What you are asking for, a proper response would be either a college course or a week-long seminar just to cover the basics. Every virus works differently and has different objectives. A security consultant that specializes in this might be available in your area. All that you can do is not leave any low-hanging fruit: no user should routinely run as an administrator; standard accounts are your friend. Prevention here is the key; the cure can be expensive.
Expert Comment by: Rich Rumble
ID: 40294348
You should set up the Cuckoo Sandbox (http://www.cuckoosandbox.org/).
You can run your samples in it, and it will tell you everything you need to know: what registry changes it makes, traffic captures, and files it may access or download. There are virus databases out there like VirusSign, MalwareMustDie, ThreatGRID, OffensiveComputing, and contagiodump. These professional groups, however, are better suited to decompile and understand the samples. If you're trying to get your start in malware research, the above should get you started.
-rich
Accepted Solution by: btan (earned 2000 total points)
ID: 40294399
You can have the sample sent to online scanning to check its modus operandi, which will start to create its trail of doings (carrier, dropper, rootkit, callbacks, etc.) on its "residence" (file system, registry, processes, application), commonly known as Indicators of Compromise (IOC). There is a nice OpenIOC (http://www.openioc.org/) to represent what a sample does; it helps in clustering samples and is mainly for threat intelligence sharing (analogous to "signature" sharing).
Such an exploitation scheme will need to surface the sample (or dropper) injection and override (breach and vulnerability) performed. Thus static (code reading/reverse engineering) and dynamic (including sandboxing) analysis of the sample is useful to surface this metadata and trail as a whole. You can check out this whitepaper describing the crimeware downloader/dropper scheme: https://www.damballa.com/downloads/r_pubs/WP_Advanced_Malware_Install_LifeCycle.pdf
Primarily, this is to help the analyst understand its TTP (tactics, techniques and procedures) throughout the sample's targeted infestation (lateral and depth of penetration) and the accompanying cyber kill chain (recon > intrusion > exploitation > persistence) lifecycle. Its sophistication is revealed as the analysis reveals more of its "anti" capabilities, such as anti-forensics, anti-debugging, anti-packing, anti-VM, etc. Likely it sums up to a cyber sabotage, cyber espionage or simply cyber theft scheme behind this one (out of many) samples...

You can check out the below for the approach, tools and analysis services (plus courses) to aid understanding and analysis. Main summary: http://zeltser.com/combating-malicious-software/index.html

Some useful takeaways from the summary:
Analyzing Malicious Documents Cheat Sheet
http://zeltser.com/reverse-malware/analyzing-malicious-documents.html

Malware Sample Sources for Researchers
http://zeltser.com/combating-malicious-software/malware-sample-sources.html

Free Automated Malware Analysis Services
http://zeltser.com/reverse-malware/automated-malware-analysis.html

Free Online Tools for Looking Up Potentially Malicious Websites
http://zeltser.com/combating-malicious-software/lookup-malicious-websites.html
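Both Rich Rumble's sandbox suggestion and btan's OpenIOC point come down to the same workflow: run the sample, pull the registry keys, dropped-file hashes, mutexes and callback domains out of the behaviour report, write them up as indicators, and sweep the rest of the fleet for them. The script below, added here as an illustration and not code from either answer or from the Cuckoo or OpenIOC projects, does that end to end. The report dictionary mirrors only a few fields of a Cuckoo `report.json` and everything in it (hashes, paths, the `.invalid` domain, the two host inventories) is constructed; the OpenIOC 1.0 search-term names (`FileItem/Sha256sum`, `RegistryItem/Path`, `Network/DNS`, ...) are the ones the Mandiant IOC Editor tooling uses and are an assumption you should check against whatever consumes your IOCs.

```python
import uuid
import xml.etree.ElementTree as ET

OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"

# Constructed, Cuckoo-style behaviour report.  Only a handful of fields from
# the real report.json layout are reproduced, and the hashes, paths and
# domain below are placeholders, not indicators from any real sample.
SANDBOX_REPORT = {
    "target": {"file": {"sha256": "0123456789abcdef" * 4}},
    "behavior": {"summary": {
        "files": [r"C:\Users\victim\AppData\Roaming\svch0st.exe"],
        "keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
        "mutexes": [r"Global\x9f2d-constructed"],
    }},
    "dropped": [{"name": "svch0st.exe", "sha256": "fedcba9876543210" * 4}],
    "network": {
        "dns": [{"request": "update.example-cdn.invalid"}],
        "http": [{"host": "update.example-cdn.invalid", "uri": "/gate.php"}],
    },
}

# Constructed host inventories (what an EDR or a collection script would hand
# you): OpenIOC search term -> set of values observed on that host.
HOST_INVENTORY = {
    "ws-01": {
        "FileItem/Sha256sum": {"fedcba9876543210" * 4},
        "Network/DNS": {"update.example-cdn.invalid"},
    },
    "ws-02": {
        "FileItem/Sha256sum": {"00" * 32},
        "Network/DNS": {"www.example.com"},
    },
}


def extract_iocs(report):
    """Pull host and network indicators out of the report as (search_term, value)
    pairs.  Term names follow OpenIOC 1.0 as used by the IOC Editor / Redline
    tooling (an assumption; verify against your own IOC consumer)."""
    summary = report["behavior"]["summary"]
    hashes = [report["target"]["file"]["sha256"]] + [d["sha256"] for d in report.get("dropped", [])]
    iocs = [("FileItem/Sha256sum", h) for h in hashes]
    iocs += [("FileItem/FullPath", p) for p in summary.get("files", [])]
    iocs += [("RegistryItem/Path", k) for k in summary.get("keys", [])]
    iocs += [("ProcessItem/HandleList/Handle/Name", m) for m in summary.get("mutexes", [])]
    iocs += [("Network/DNS", d["request"]) for d in report["network"].get("dns", [])]
    iocs += [("Network/URI", h["uri"]) for h in report["network"].get("http", [])]
    return iocs


def q(tag):
    """Namespace-qualify an OpenIOC element name for ElementTree."""
    return f"{{{OPENIOC_NS}}}{tag}"


def to_openioc(iocs, description):
    """Serialise the indicators as a minimal OpenIOC 1.0 document: one top-level
    OR indicator with one IndicatorItem (condition 'is') per (term, value)."""
    ET.register_namespace("", OPENIOC_NS)
    root = ET.Element(q("ioc"), id=str(uuid.uuid4()))
    ET.SubElement(root, q("short_description")).text = description
    top = ET.SubElement(ET.SubElement(root, q("definition")), q("Indicator"),
                        operator="OR", id=str(uuid.uuid4()))
    for term, value in iocs:
        item = ET.SubElement(top, q("IndicatorItem"), id=str(uuid.uuid4()), condition="is")
        ET.SubElement(item, q("Context"), document=term.split("/")[0], search=term, type="mir")
        ET.SubElement(item, q("Content"), type="string").text = value
    return ET.tostring(root, encoding="unicode")


def parse_openioc(xml_text):
    """Read (term, value) pairs back out of an OpenIOC document, e.g. one
    received from a sharing partner rather than produced locally."""
    ns = {"ioc": OPENIOC_NS}
    root = ET.fromstring(xml_text)
    return [(item.find("ioc:Context", ns).get("search"), item.find("ioc:Content", ns).text)
            for item in root.iter(q("IndicatorItem"))]


# Windows paths, registry keys, hex hashes and DNS names are case-insensitive;
# URIs and mutex names are compared exactly.
CASE_INSENSITIVE = ("FileItem/", "RegistryItem/", "Network/DNS")


def sweep(host_inventory, iocs):
    """Return {host: [(term, value), ...]} for every host whose inventory
    contains at least one of the indicators."""
    hits = {}
    for host, observed in host_inventory.items():
        matched = []
        for term, value in iocs:
            seen = observed.get(term, set())
            if term.startswith(CASE_INSENSITIVE):
                seen = {s.lower() for s in seen}
                value = value.lower()
            if value in seen:
                matched.append((term, value))
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(SANDBOX_REPORT)
    doc = to_openioc(iocs, "constructed dropper, sandbox run 2014-08")
    print(doc)
    print(sweep(HOST_INVENTORY, parse_openioc(doc)))
```

In the constructed data only `ws-01` matches (the dropped file's hash and the callback domain), which is the shape of answer the question was after: the sandbox tells you what the sample touches, the IOC document makes that portable, and the sweep tells you where in your own infrastructure it has already landed. The weakest indicators are the path and mutex names, which a repacked build changes freely; hashes of dropped files and the callback domains are what usually survive into a second wave.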
