With the rise of a forensic response to malware intrusion you would think that malware would be smart enough to actually attempt to clean up its tracks by implementing secure deletion methods.  These would include Secure deletion off the disk so as to foil file recovery via forensic means by using tried and true secure deletion tools such as are used to wipe a drive of classified materials.  Microsoft SysInternals sdelete.exe and a zillion other tools are freely available for for whatever reason have not been incorporated into attack methods.  I have been wondering this absence for awhile now in malware.  It will only be a matter of time.  While Metasploit has pioneered a number of anti-forensics methods not one has delved into the secure erasure of malware footprints so as to render forensic response by products such as Guidance Software Encase moot. 

Additionally advanced methods to obfuscate in memory and secure deletion or overwriting of critical data in memory would be needed to foil the growing rise of live memory forensics which many organizations still cant seem to wrap their heads around to use operationally.  HBGary is an awesome tool for live memory forensics as well as Mandiant and the Volitility Framework.

So a researcher I admire for his willingness to reveal his to the general masses, especially through his top 10 lists of the largest.  He has also done excellent research on more sinister malware such as Coreflood which has evolved over the years.

motorcycle-160

Apparently he is presenting some similiar concepts at RSA soon that I have been espousing here such as my cyber Special OPs forces targing cybercrime networks.

Here is a quote from his

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the . Titled….    (Joe I am behind you  on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

These concepts I have discussed in great depth in some of my earlier posts such as our Spotlight Shine Bright series, and my I call Shenanigans, and BBC Wussy Robin Hood articles.

A technology company employing some of the best and the brightest in the field just released an update to their product that actually implements an idea that I have been working on since late last year.  Clearly many in the security industry have realized that we need a couple of good game changing concepts to take us to the next level.  My focus was on how to change how we COMMUNICATE about malware.  If we are all working on the same sheet of paper, then we can focus our efforts on other high payoff challenges.

The company is called lead by the guys that literally wrote the book on Rootkits.

etbadge

HBGary seems to have done a good implementation job building Digital DNA features into their flagship product Responder Pro which is an excellent live memory analysis tool.   More and more live memory analysis is critical to obtaining a full picture of what the malware does.

dna2

I have been researching similar concepts based on the extraction through observational analysis and generation of malware code DNA traits.  The goal being to identify and classify malware characteristics (what it is) from its functions (what it does).

For example the fact that a piece of code packs itself to hide from Antivirus or hinder reversing is a characteristic.  In and of itself it poses no threat.  A piece of code that can read/write files to your system and execute programs is a dangerous functionality all around.  That is a Function.

Possible implementation would involve creation of an Adobe Flex or HTML 5 based digital cyber dashboard which takes analyzed samples via backend systems, extracts automatically or manually the DNA, and created a signature for the malware that combined a representative string a bits that represented the DNA in combination with a hash and fuzzy hash signatures such as MD5, SHA-1, SHA-256, SHA-512, and SSDeep.

The dashboard generated a characteristic score and a functional score that resulted in an overall threat score.

The operational vision is to utilize this dashboard to describe the malware DNA in laymans terms so that cyber-operators and CIO types can RAPIDLY understand the threat and deal with it.  Not try to understand a bunch of gobblygook.

The third component is an intelligence component that combines raw multi-disciplined private and open source intelligence on the bad guys that are behind the campaigns into digital dossiers.

Follow

Get every new post delivered to your Inbox.