Bangeter 04-malware_identification_v50.pdf
File details

Flashcards 18
Language English
Category Technology
Level University
Created / Updated 19.06.2019 / 01.07.2021
License Not specified
Web link
https://card2brain.ch/box/20190619_bangeter_04malwareidentificationv50_pdf

Why is malware identification important?

  • Malware identification is important for incident response in a company or in a law enforcement context.
  • In a cybercrime case: reinstall the machine and you're done.
  • An espionage type of attack possibly affects substantial parts of a network and requires different / more complex reactions.

How can malware identification help us in our analysis of the malware?

  • Mostly the same attack has been used before.
  • Most malware families have been analyzed before -> additional information
  • Through identifying malware we immediately get access to all work done previously.
  • Analysis of new malware can take days to months.

What is an IOC (Indicator of Compromise)?

An indicator of compromise (IOC) is an a priori known characteristic artefact of attacks or of malware samples / families.

IOCs can be used for detection and identification purposes.

Name some host based IOCs (Indicator of Compromise)

Host based IOCs

  • Hashes of malware executables, modules, dropped files etc...
  • Filenames of dropped files or email attachments (infection vector)
  • Registry entries (e.g. used for persistence)
  • Mutexes (a program object that is created so that multiple program threads can take turns sharing the same resource, such as access to a file.)
  • Process names
  • Anti-virus or Yara signatures
  • Strings

Name some network based IOCs.

Network based IOCs

  • IP addresses or domain names of the CC (command and control) server
  • CC protocol characteristics
  • WHOIS information

What is Yara?

Yara is a rule language for checking for IOCs

  • open language: anyone can write rules
  • allows sharing of rules

How difficult is it for an attacker to change the IOCs of the following components:

  • TTPs (Tactics, Techniques and Procedures)
  • Tools
  • Network / Host Artifacts
  • Domain Names
  • IP Addresses
  • Hash Values

What is an advantage of Yara rules and for what purposes can they be used?

In contrast to AV engine rules, Yara rules can be written and shared by anybody, which allows security teams to act independently of vendors.

Yara rules can be used in different places of an organization's detection / security technologies:

  • Memory forensic investigation
  • Sandboxes
  • Endpoint / AV
  • Gateway detection