Indicators of Trojan Incidents
1. The computer screen blinks, flips upside down, or is inverted so that everything is displayed backward
2. The default background or wallpaper settings change automatically
3. Sound volume suddenly fluctuates all the way up or down
4. Antivirus programs are automatically disabled, and data are corrupted, altered, or deleted from the system
5. The mouse right-click takes the function of the left-click and vice versa
6. Spam or phishing emails sent to everyone on the contact list
7. Strange warnings or question boxes appear; often, these are personal messages directed to the user
8. The taskbar disappears automatically
Importance of Safely Handling Malware
Malware handling and analysis are crucial steps in the incident response process: they reveal what the malware does and help identify the threat actors involved
Before analysis begins, malicious files must be handled cautiously, especially while storing them or transferring them off live production systems and networks
Any oversight in handling a malware incident can result in service disruption, data/memory corruption, and data loss
Steps to Handle Malware Safely
Use an isolated virtual machine or sandbox environment
Use secure channels for transferring malware files
Use dedicated, hardware-encrypted USB drives
Compress and password-protect the malware files (a shared, documented password such as "infected" is a common convention) so they cannot be opened or executed by accident
Modify the file extensions of identified malware (e.g., rename sample.exe to sample.exe.bin) so it cannot be launched with a double-click
Store the malware files in an isolated storage facility
Exclude only that isolated storage from antivirus scans, so the renamed samples are not quarantined or deleted before they can be analyzed
Preparing Malware Incident Response Team
Handling and responding to malware incidents is different from other IR tasks since it requires adequate knowledge, skills, and abilities
While creating a team to handle malware incidents, the organization must ensure that the team members possess the following:
o An understanding of each major category of malware, propagation methods, and infection chain
o Awareness of all the implemented malware detection tools and configurations
o Ability to identify and differentiate the characteristics and indicators of malware
o Knowledge and experience of various malware analysis tools and environments
o Experience in performing in-depth malware analysis using manual and automated techniques
o An awareness of current malware trends
The organization must regularly train the team to handle different malware through drills and implement different methods of building and maintaining skills
Common Techniques Attackers Use to Distribute Malware on the Web
Black hat Search Engine Optimization (SEO): Ranking malware pages highly in search results
Socially Engineered Click-jacking: Tricking users into clicking on innocent-looking webpages
Spear Phishing Sites: Mimicking legitimate institutions in an attempt to steal login credentials
Malvertising: Embedding malware in ad-networks that display across hundreds of legitimate, high-traffic sites
Compromised Legitimate Websites: Hosting embedded malware that spreads to unsuspecting visitors
Module 04- ECIH …. By Leena Rane. Page 1
Drive-by Downloads: Exploiting flaws in browser software to install malware just by visiting a web page
Spam Emails: Attaching the malware to emails and tricking victims into opening the attachment
RTF Injection: Embedding malicious content in an RTF document (RTF has no macro support, so attackers rely on embedded OLE objects or remote template references) and tricking users into opening it
Malware Propagation Techniques
1. Instant messenger applications
2. Portable hardware media/removable devices
3. Browser and email software bugs
4. Insecure patch management
5. Rogue/decoy applications
6. Untrusted sites and freeware web applications/software
7. Downloading files from the Internet
8. Email attachments
9. Network propagation
10. File sharing services (NetBIOS, FTP, SMB)
11. Installation by other malware
12. Bluetooth and wireless networks
Introduction to Malware Incident Handling
Malware is among the most common threats to organizations; its complex design and ability to propagate across connected devices and systems allow it to cause extensive damage
Organizations must possess a robust and structured malware incident response plan to detect the presence of malware and quickly react to contain the threat
The malware incident response plan should be effective in recovering the affected systems after containing the ongoing incident
The response plan will also help identify paths and vectors of malware attacks and prevent similar attacks in the future
Malware Analysis Techniques
After obtaining initial reports of suspicious activity from victims, the incident responders should employ various malware analysis techniques to thoroughly examine the network and its systems for suspicious files and malicious activity.
Live System/Dynamic Analysis
Involves analyzing live systems in operation for the presence of malware.
Memory Dump/Static Analysis
Involves analyzing memory dumps or binary code for traces of malware.
Intrusion Analysis
Involves analyzing the logs and alerts from intrusion detection systems, SIEMs, and firewalls for the detection and analysis of malware.
Malware Analysis Tools
Hardware Tools Required for Malware Analysis
A ready-to-use jump kit with different types of connectors to acquire data from a compromised system and create a backup of the system.
Storage media to store the acquired data and backup.
A hardware write blocker to protect the evidence from being modified during acquisition and backup.
A system running a hypervisor to host the sandbox environment.
Software Tools Required for Malware Analysis
Virtualization software such as VirtualBox, VMware vSphere Hypervisor, and Microsoft Hyper-V Server.
Forensic image extraction tools for data acquisition such as FTK Imager.
PE analysis tools such as PEview, PeStudio, PEiD, and FileAlyzer.
Tools for taking snapshots of the hosts such as Regshot and Total Commander.
Memory acquisition tools such as Belkasoft Live RAM Capturer, and memory analysis frameworks such as Volatility.
Network sniffing tools such as Wireshark and tcpdump.
Network simulation software such as iNetSim.
Process exploring and monitoring tools such as Process Monitor and Process Explorer.
Hex viewing tools such as Hex Editor Neo, 010 Editor, and Hexinator.
Debuggers and disassemblers such as OllyDbg, Ghidra, and IDA Pro.
Tools for searching malicious strings such as BinText, FLOSS, and Hex Workshop.
Tools such as Dependency Walker for finding program dependencies.
Preparing Malware Testbed
Step 1: Allocate a dedicated physical system for the analysis lab.
Step 2: Install a hypervisor (VMware, Hyper-V, etc.) on the system.
Step 3: Install a guest OS on each virtual machine.
Step 4: Isolate the guests from the production network by setting each virtual NIC to "host-only" mode.
Step 5: Simulate Internet services (DNS, HTTP, SMTP, etc.) inside the lab using tools such as iNetSim, so the sample can "call home" without reaching a real server.
Step 6: Disable shared folders, drag-and-drop, and clipboard sharing between host and guest (the "guest isolation" settings in VMware).
Step 7: Install malware analysis tools.
Step 8: Generate and record hash values of each OS image and tool so that later tampering by the sample can be detected.
Step 9: Take a clean snapshot of the guest, then copy the malware to the guest OS.
Containment of Malware Incidents
1. Separate the compromised host from the operational network.
2. If the malware has compromised multiple systems, cut off network services on the compromised systems and prioritize them by the importance of the affected hosts to business continuity.
3. Move infected hosts to a separate quarantine VLAN to observe how the malware attempts to rejoin the network when connected.
4. Allow connections for non-compromised devices through a network access control (NAC) layer or VPN.
5. Start analysis of the compromised host to find malware signatures, patterns, or behaviors that you can use to contain the incident.
6. Disable the targeted services, applications, and systems until the exploited vulnerabilities are patched.
7. Remove malicious registry entries added by the malware.
8. Review the network traffic and block access to the malware command and control server.
Indicators of Fileless Malware Incidents
1. Unexpected modifications in RAM contents.
2. Presence of malicious code hiding in device firmware such as BIOS.
3. Unexpected changes in Windows registry files and computers communicating with an unknown remote server.
4. High volumes of data transfer from the network.
5. Multiple attempts of privileged login from the same user during unofficial hours.
6. Unusual queries to access Active Directory.
7. Access denied to Windows tools such as Windows Management Instrumentation (WMI) and PowerShell.
Indicators of Virus Incidents
1. Processes take more resources and time, resulting in reduced performance.
2. The computer beeps with no display.
3. Drive labels change and the OS cannot be loaded.
4. Files and folders are missing.
5. Unwanted advertisements and popup windows.
6. Unexpected logout from the system before session time-out.
7. Files with more than one extension (e.g., photo.jpg.exe or report.gif.vbs) that disguise an executable as an image or document.
8. Existence of duplicate or corrupted files.
Malware Analysis Techniques: Live-System/ Dynamic Analysis
Live system/dynamic analysis is also called behavioral analysis because it detects the presence of malware based on the malicious behavior or functioning of the malware
This type of analysis requires a safe environment such as virtual machines and sandboxes to deter the spread of malware
Dynamic analysis consists of two stages: system baselining and host integrity monitoring
System Baselining
Refers to taking a snapshot of the system at the time when the malware analysis begins
The main purpose of system baselining is to identify significant changes from the baseline state
The system baseline includes details of the file system, registry, open ports, network activity, etc.
Host Integrity Monitoring
Involves taking a snapshot of the system state using the same tools before and after analysis, to
detect changes made to the entities residing on the system
Host integrity monitoring includes the following:
o Port monitoring
o Process monitoring
o Registry monitoring
o Windows services monitoring
o Startup programs monitoring
o Event logs monitoring
o Installation monitoring
o Files and folders monitoring
o Device drivers monitoring
o Network traffic monitoring/analysis
o DNS monitoring/resolution
o API and system calls monitoring
o Scheduled tasks monitoring
o Browser activity monitoring
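The baseline-and-compare idea behind system baselining and host integrity monitoring, as an added example that is not part of the original module: snapshot a file tree before the sample runs, then diff it against a second snapshot afterwards. The same diff routine works on any name-to-state map (a services listing, autoruns, a registry export) once it has been parsed into a dictionary. The directory layout and the "malware" actions in demo() are constructed for illustration and stand in for a real detonation.

```python
"""Baseline-and-compare host integrity check: snapshot a tree before detonation, diff after."""
import hashlib
import json
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root) -> dict:
    """Map every regular file under root (relative path) to its hash, size and mtime."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Generic before/after comparison; works for any name->state map (files, services, autoruns)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_snapshot(snap: dict, path) -> None:
    # Persist the baseline outside the guest's reach, e.g. on the analysis host.
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_snapshot(path) -> dict:
    return json.loads(Path(path).read_text())


def demo(workdir) -> dict:
    """Constructed run: baseline a fake system tree, simulate a detonation, re-snapshot and diff."""
    root = Path(workdir) / "victim"
    (root / "Windows" / "System32").mkdir(parents=True, exist_ok=True)
    (root / "Windows" / "System32" / "svchost.exe").write_bytes(b"legit placeholder")
    (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")

    baseline_file = Path(workdir) / "baseline.json"
    save_snapshot(snapshot_tree(root), baseline_file)

    # Simulated malware behaviour (constructed): drop a payload, tamper with hosts, delete a file.
    (root / "Windows" / "Temp").mkdir(parents=True, exist_ok=True)
    (root / "Windows" / "Temp" / "update.exe").write_bytes(b"MZ dropped payload")
    (root / "hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 av-vendor.example\n")
    (root / "Windows" / "System32" / "svchost.exe").unlink()

    return diff_snapshots(load_snapshot(baseline_file), snapshot_tree(root))


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(demo(tmp), indent=2))
```

On a real system the snapshot would be taken over the directories the malware is likely to touch (user profile, Temp, System32, startup folders) from the analysis host or from a clean boot, never with tools that live inside the possibly infected guest.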
Malware Analysis Techniques: Memory Dump/Static Analysis
Memory dump/static analysis is the process of analyzing a suspicious file or an application to find its functionality, design, metadata, and other details.
It is also known as code analysis because it involves going through the executable binary code without actually executing it.
It employs different tools and techniques to quickly determine whether a file is malicious.
Analyzing the binary code provides information about the malware functionality, its network signatures, exploit packaging technique, dependencies involved, and so on.
Some of the static malware analysis techniques:
o File fingerprinting
o Local and online malware scanning
o Performing strings search
o Identifying packing/obfuscation methods
o Finding the portable executable (PE) information
o Identifying file dependencies
o Malware disassembly
o Analyzing ELF executable files
o Analyzing Mach-O executable files
o Analyzing malicious MS Office documents
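An added example, not part of the original module, of the first four techniques above carried out with the Python standard library only: file fingerprinting (MD5/SHA-1/SHA-256), a strings search with URL extraction, a packing check based on well-known packer section names and per-section entropy, and PE section-table parsing. The PE image it analyzes is constructed inside the script (it is not a real binary), and the packer section names and the 7.0 bits/byte entropy threshold are common triage heuristics, not values taken from the page.

```python
"""Static triage of a suspicious executable: fingerprint, strings, packing check, PE sections."""
import hashlib
import math
import re
import struct

# Section names that well-known packers leave behind (UPX is the textbook case).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida", ".vmp0", ".vmp1"}
ENTROPY_PACKED_THRESHOLD = 7.0  # compressed/encrypted code sits close to 8.0 bits per byte
URL_RE = re.compile(r"https?://[\w.\-/:]+")


def fingerprint(data: bytes) -> dict:
    """Hashes used to look the sample up in local and online scanners."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, the same thing the `strings` utility prints."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(body), 2),
        })
    return sections


def triage(data: bytes) -> dict:
    sections = parse_pe_sections(data)
    packed = any(s["name"] in PACKER_SECTION_NAMES or s["entropy"] > ENTROPY_PACKED_THRESHOLD
                 for s in sections)
    strings = extract_strings(data)
    return {
        "hashes": fingerprint(data),
        "size": len(data),
        "sections": sections,
        "likely_packed": packed,
        "urls": sorted({u for s in strings for u in URL_RE.findall(s)}),
        "string_count": len(strings),
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE (not a real binary): a plain .text and a pseudo-random UPX1."""
    text = b"kernel32.dll\0WinExec\0http://c2.example.invalid/gate.php\0".ljust(0x200, b"\0")
    # Deterministic high-entropy bytes standing in for a packed section (2048 bytes).
    packed_body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))
    opt_size, e_lfanew = 0xE0, 0x40  # PE32 optional header size; its contents are zeroed here
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * 2
    text_off = (headers_len + 0x1FF) // 0x200 * 0x200
    packed_off = text_off + len(text)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)

    def sec(name, vaddr, body, off, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(body), vaddr, len(body), off, 0, 0, 0, 0, chars)

    table = sec(b".text", 0x1000, text, text_off, 0x60000020) + \
        sec(b"UPX1", 0x2000, packed_body, packed_off, 0xE0000040)
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(text_off, b"\0")
    return image + text + packed_body


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

To triage a real sample, read the renamed file with `Path("sample.exe.bin").read_bytes()` and pass the bytes to `triage()`; the hashes go into local and online scanner lookups, and a `likely_packed` result means the strings and dependency output are of the packer stub, not the payload, so unpacking comes before disassembly.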
Malware Analysis Techniques: Intrusion Analysis
Attackers use different types of malware that are specifically designed to intrude into an organization’s
network, spread infections and maintain long-term persistence.
The IH&R team of an organization is responsible for analyzing and investigating malware incidents to
determine the intent and capabilities of the malware.
Intrusion analysis not only involves analyzing IDSs and other perimeter security systems for detecting
malware but also involves analyzing abnormal behavior patterns after malware intrusion.
Detecting malware by intrusion analysis based on its behavior includes:
o Detecting malware via its covert storage/hiding techniques
o Detecting malware via its covert communication techniques
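Detecting covert communication from behavior rather than signatures, as an added example that is not part of the original module: the first check groups flow records per source/destination/port and flags pairs whose inter-arrival times are nearly constant (beaconing), the second flags DNS queries whose leftmost label is long and high-entropy, as DGA domains and DNS tunnels tend to be. The flow lines and hostnames are constructed for the example, and the thresholds (coefficient of variation 0.2, 3.5 bits of entropy, 10 characters) are starting points to tune, not values from the page.

```python
"""Behavioral detection of C2 traffic: periodic beaconing and high-entropy DNS labels."""
import math
import statistics
from collections import defaultdict

# Constructed flow records (not captured traffic): "epoch src dst dport bytes".
FLOWS = """\
1700000000 10.0.0.5 203.0.113.10 443 612
1700000060 10.0.0.5 203.0.113.10 443 598
1700000121 10.0.0.5 203.0.113.10 443 605
1700000180 10.0.0.5 203.0.113.10 443 610
1700000240 10.0.0.5 203.0.113.10 443 601
1700000300 10.0.0.5 203.0.113.10 443 607
1700000012 10.0.0.7 198.51.100.20 443 15234
1700000090 10.0.0.7 198.51.100.20 443 820
1700000450 10.0.0.7 198.51.100.20 443 99012
1700000900 10.0.0.7 198.51.100.20 443 3100
1700001300 10.0.0.7 198.51.100.20 443 44
"""

# Constructed DNS queries: two ordinary names and two DGA/tunnel-style ones.
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "xk3j9q2ab7vwz.cdn-updates.example",
    "a4f9c2e1b8d7.a4f9c2e1b8d7e3f6.t.example",
]


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def beacon_candidates(flows, min_events: int = 5, max_cv: float = 0.2) -> list:
    """Flag (src, dst, dport) pairs whose inter-arrival gaps have a low coefficient of variation."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue  # too few events to call it periodic
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": round(mean), "cv": round(cv, 3)})
    return hits


def label_entropy(label: str) -> float:
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def suspicious_dns(queries, min_entropy: float = 3.5, min_len: int = 10) -> list:
    """Flag hostnames whose leftmost label is long and high-entropy (DGA or DNS-tunnel style)."""
    out = []
    for q in queries:
        first = q.split(".")[0]
        e = label_entropy(first)
        if len(first) >= min_len and e >= min_entropy:
            out.append({"query": q, "label": first, "entropy": round(e, 2)})
    return out


def block_list(beacons, dns_hits) -> dict:
    """Indicators to feed the containment step: destinations and domains to block."""
    return {
        "ips": sorted({b["dst"] for b in beacons}),
        "domains": sorted({d["query"] for d in dns_hits}),
    }


if __name__ == "__main__":
    beacons = beacon_candidates(parse_flows(FLOWS))
    dns_hits = suspicious_dns(DNS_QUERIES)
    print(beacons, dns_hits, block_list(beacons, dns_hits), sep="\n")
```

Modern implants add jitter to their sleep interval, so raise `max_cv` cautiously and corroborate with the byte counts (beacons are small and uniform, the second host's bursty sizes look like ordinary browsing) before putting a destination on the block list.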
Module Summary
In this module, we have discussed the following:
o The importance of malware incident handling, propagation techniques, and common
techniques attackers use to distribute malware on the web
o Preparation steps involved while handling malware incidents
o Various indicators of malware incidents and detection techniques such as live
system/dynamic analysis, memory dump/static analysis, and intrusion analysis
o Steps and guidelines that IH&R personnel must follow to contain and eradicate malware
incidents
o Various steps that IH&R personnel must follow to recover after malware incidents to
maintain business continuity
In the next module, we will discuss handling and response to various email security incidents.