Channel: Forensic Focus Forums - Recent Topics

General Discussion: malware / backdoor

gavrielhan wrote: hi, if I found malware or backdoor virus on a computer, how do I tell which information it is gathering from the computer???

Assuming that you still have that system live and running, and you have access to it, you can start by examining the system itself. One of the biggest issues with this sort of activity is that most folks doing it are malware RE folks, and as such, the focus is purely on malware-specific aspects and most of the work being done focuses on what _could be done_ by the malware, rather than what was actually done.

A good way to start is to find out what the malware actually is... I highly recommend that you hash the malware (SHA-1) and do a search on VirusTotal. Or, depending upon how you found the malware (say, via an AV alert), look up the malware based on your detection mechanism. From there, look for data repository files (such as RAR archives, etc.). If you can get a memory capture while the malware is running (on Windows systems, I've had considerable luck with hibernation files when memory captures were not available), you can get much more granular information (handles, run strings on process memory, etc.). Reading AV vendor write-ups will only get you so far, as will performing static/dynamic analysis of the sample extracted from the system image.

gavrielhan wrote: also how can I trace where it is broadcasting it to (ip or mail)???

As others have said, you can monitor the system while it is active in order to determine this... however, there are alternatives. IF the malware is reporting off of the system using the WinInet API, and IF it is running with System-level privileges (as with a Windows service), you may be able to find indications of off-system comms via the appropriate index.dat file (for XP, the profile is "Default User"; for Vista+, it will usually be "Network Service"...).

Again, if the system has a hibernation file, and if the system hibernated while the malware was active in memory, you may be able to extract information about the malware process memory. I've also found some valuable information in the pagefile, but that will depend upon a number of factors (malware type and family, etc.).
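The two steps the reply above recommends, hashing the sample for a VirusTotal or AV lookup and running strings over process memory, a hibernation file or the pagefile to find where the malware reports to, as an added example that is not part of the thread. The memory blob, the hostnames and the addresses in it are constructed for illustration; point `hash_sample` and `extract_strings` at the real sample and capture.

```python
import hashlib
import re

# Hash a suspect file so the value can be searched on VirusTotal or matched
# against the AV alert, as the reply suggests (SHA-1 plus SHA-256).
def hash_bytes(data, algorithms=("sha1", "sha256")):
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}

def hash_sample(path, algorithms=("sha1", "sha256")):
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large files
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}

# Minimal "strings" over a memory capture, hibernation file or pagefile:
# printable ASCII runs and UTF-16LE runs of at least min_len characters.
def extract_strings(data, min_len=6):
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in utf16_re.finditer(data)]
    return found

# Candidate off-system comms indicators (URLs, IPv4 addresses, mail addresses)
# pulled from the extracted strings; every hit still needs analyst validation.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w.\-/%?=&]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.\-]+@[\w.\-]+\.[A-Za-z]{2,}"),
}

def find_network_indicators(strings):
    hits = {kind: set() for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pattern in IOC_PATTERNS.items():
            hits[kind].update(pattern.findall(s))
    return {kind: sorted(values) for kind, values in hits.items()}

# Constructed stand-in for a slice of process memory; not a real capture.
SAMPLE_MEMORY = (
    b"\x00\x01MZ\x90garbage" + b"\x00" * 8
    + b"http://c2.example.invalid:8080/upload.php" + b"\x00" * 4
    + "exfil@example.invalid".encode("utf-16le") + b"\xff" * 3
    + b"POST /beacon 10.0.0.25" + b"\x00" * 5
)

def analyse_memory(data=SAMPLE_MEMORY):
    return find_network_indicators(extract_strings(data))
```

Indicators found this way point at what the malware actually held in memory on this system, which is the distinction the reply draws against what a write-up says it could do.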
