Security Basics mailing list archives

Malware Analysis vs. Analysing a 'dirty' OS


From: Syn Ack <synackackack () gmail com>
Date: Sat, 31 Aug 2013 02:22:49 +0000

Hi All,

So some time back (year or 2 ago at least) I bought a copy of Win
Server 2008 R2 from a computer mall/market type thing in Beijing,
China. Can't remember exactly how much it cost, but it was
ridiculously cheap. Came on a blank CD type deal.

Some questions:

1) Surely will have nasties (malware, backdoors, etc) loaded by default, right?

... I have looked a little bit into building a malware analysis
environment and I assume the process of analysing an OS would be
similar, but given this is an entire OS not a little .exe we are
launching from a fresh/rollbacked environment, where we start the
analysis...

2) How would you go about analysing a potentially dirty OS as opposed
to a smaller executable? Is it exactly the same?

I would imagine you want to-
- monitor memory, disk R/W
- monitor network activity
- check listening ports
- differentiate between bad/good traffic (appreciate that this is
probably the main skill of a malware analyst, but there will be a lot
going on and I assume it's easier when you know what executable you are
about to launch and can scope your searching/monitoring a lot easier).
Without that ability, I guess that you're quite likely to need to
baseline traffic against a known good host, to assist identifying good
vs. bad traffic.

Cheers
