Saturday, October 31, 2009

Unknow Binary Files?

What to do if unknown executable file is running on your system?

1. Upload to virustotal - http://www.virustotal.com/ then read the report carefully if it is identified as malicious software (check the links on extra info about the executable e.g. ThreatExpert)

2. Upload to sandbox to get a report on the system level behavior of the malicious software
- I strongly recommend below listed free sanboxes
* Anubis - http://anubis.iseclab.org/
* Sunbelt CWSandbox - www.sunbeltsecurity.com
* Norman Sandbox - www.norman.com/technology/norman_sandbox/

3. Use sysinternals tools (now aquired by Microsoft) like tcp view, process monitor and process explorer

4. If you have a sacrificial PC or virtual PC then try to run the binary on it and monitor change using file integrity tools. Also use wireshark to monitor & capture network level activity

PCAP Analysis Tools

I found these tools extremely easy to operate and useful in network level forensic investigation - Wireshark captured file (*.pcap)

1. Network Miner- http://networkminer.sourceforge.net/
2. Netwitness Investigator - http://download.netwitness.com
3. Xplico - http://www.xplico.org/

Yes there are free ;)

Additional details on Xplico fo Ubuntu 9.x
- run apt-get install apache2
- run apt-get install xplico
- edit /etc/php5/apache2/php.ini to increase the size of files to upload:
* post_max_size = 100M
* upload_max_filesize = 100M
- restart Apache2
- sudo sh /opt/xplico/script/sqlite_demo.sh
- http://localhost:9876
- create new case in Xplico
- create new session then upload you pcap file