- Malware Identification Decision Tree
Compilation By Efrain Ortiz- 1. Commence Manual Analysis
- 1.1. Manual Analysis and Remediation Steps
- 1.1.0. Run Full System AntiVirus Scan on suspect system
- 1.1.0.1. Did it find a possible threat?
- 1.1.0.1.1. YES
- 1.1.0.1.1.2. If identified binary is a false positive submit to Symantec in order to be whitelisted.
-
- 1.1.0.1.3.1.1. LINK https://submit.symantec.com/false_positive/
-
- 1.1.0.1.1.1. Was the the threat eliminated?
- 1.1.0.1.1.1.1. YES
- 1.1.0.1.1.1.1.1. Ensure all other computers are up to date and perform a full system scan.
- 1.1.0.1.1.1.2. NO
- 1.1.0.1.1.1.2.1. Commence malware sample acquisition procedures in order to submit for Analysis and to AV vendor.
- 1.1.0.1.2. NO
- 1.1.0.1.2.1. Then GOTO 1.1.1
-
- 1.1.1.2. Did it find a possible threat?
- 1.1.1.2.1. If No Then GOTO 1.1.2
- 1.1.1.2.2. YES
- 1.1.1.2.2.1. If suspect file found, is the file and file path a known good application?
- 1.1.1.2.2.2. If suspect file found, is the file path an unknown application?
- 1.1.1.2.2.2.1. YES
- 1.1.1.2.2.2.1.1. Upload file for online analysis at step 1.1.3 to ensure it is not a false positive.
- 1.1.1.2.4. Did SEP_Support_Tool Load Point Analysis identify any negative reputation files?
- 1.1.1.2.4.1. If negative reputation files (-50 or lower) are identified, upload for further analysis.GOTO 1.1.3.
-
- 1.1.2.2. Ensure latest virus definitions are used.
-
- 1.1.2.3. Did it find and Eliminate Threat?
- 1.1.2.3.1. NO
- 1.1.2.3.1.1. Consider Step 1.1.6 for memory analysis of possible zero day threat. GOTO 1.1.6
- 1.1.2.3.2. YES
- 1.1.2.3.2.1. Apply online analysis info to create a response policy.
- 1.1.2.3.2. Copy file to a secure removable media to upload for online analysis at GOTO 1.1.3.
- 1.1.3. Web Analysis?
-
- 1.1.3.1.2. If binary was uploaded for analysis, what were the results?
- 1.1.3.3.1. Does threatexpert.com identify the binary as a virus by any other AV vendor?
- 1.1.3.3.2. Does threatexpert.com NSRL listing identify the binary as known good?
- 1.1.3.3.3. Does threatexpert.com Symantec/Norton Insight identify the threat as "suspicious"?
-
- 1.1.3.2.2. Does pcap file indicate it is leveraging email as a transport mechanism?
- 1.1.3.2.2.1. YES
- 1.1.3.2.2.1.1. Are there any unique identifiers that can be leveraged?
- 1.1.3.2.2.1.1.1. Is it spreading via a unique file name?
- 1.1.3.2.2.1.1.1.1. Can the unique file name be used to block the message entirely?
- 1.1.3.2.2.1.1.2. Is it spreading with a specific file extension that can be blocked?
- 1.1.3.2.2.1.1.2.1. Can the file extension be blocked at the internal email server?
- 1.1.3.2.2.1.1.3. Is it spreading via direct port 25 to internet, bypassing internal mail servers?
- 1.1.3.2.2.1.1.3.1. Apply a port 25 block at gateway firewall and local endpoint firewall.
- 1.1.3.2.3. Does pcap file indicate it is leveraging http as a transport to suspicious external IP addresses?
- 1.1.3.2.3.1. How to tell if site is suspcious?
- 1.1.3.2.3.1.1. Does the pcap file show repeated GET requests that return executable code embedded that would normally only run on a computer and not a web site?
- 1.1.3.2.3.1.1.1. This may indicate a malicious piece of code is being downloaded.
- 1.1.3.2.3.1.2. Does the pcap file show attempts to communicate on port 80/443 but reveals HTTP activity?
- 1.1.3.2.3.1.2.1. This may be a false positive or it may indicate Command and Control communications(Bot communications).
- 1.1.3.2.3.1.3. Does the pcap file show attempts to communicate over IRC or SSH to external sites?
- 1.1.3.2.3.1.3.1. This may be a user violating policy or it may indicate Command and Control communications(Bot communications).
- 1.1.3.3. Use www.virustotal.com to compare sample against many AV vendors.
- 1.1.3.3.1. Does virustotal.com identify the binary as a virus by any other AV vendor?
- 1.1.3.3.1.1. Submit to AV vendor.
- 1.1.3.3.2. Does virustotal.com NSRL listing identify the binary as known good?
- 1.1.3.3.2.1 Exclude from further analysis.
- 1.1.3.3.3. Does virustotal.com Symantec Reputation identify the threat as "suspicious"?
- 1.1.3.3.3.1. Continue Web Analysis.
- 1.1.3.4. Is the source of the infection a web site?
- 1.1.3.4.1. YES
-
- 1.1.3.4.2. NO
-
http://www.wireshark.com
- 1.1.4.1. If Anubis.iseclab.org provides a pcap file for analysis, is any content able to be leveraged in order to create a SEP IPS Custom Signature
- 1.1.4.2. Create SEP IPS Custom Signature
- 1.1.4.3. SEP Firewall Rule with specific port activity and associated application with Packet capture enabled.
https://www.e-fense.com/store/index.php?_a=viewProd&productId=11
-
- 1.1.5.0.1. LINK https://www.e-fense.com/store/index.php?_a=viewProd&productId=11
- 1.1.5.1. Manually Acquire File from Disk and Extract to secure media
- 1.1.5.1.1. Load Helix or Backtrack from CD-ROM
- 1.1.5.1.2. Mount /dev/sdb1 partition into Sleuthkit case
- 1.1.5.1.3. Locate required file and click it for meta analysis.
- 1.1.5.1.4. Copy contents in RAW. This is the actual suspect file.
- 1.1.5.1.5. Upload to Symantec Support for analysis.
- 1.1.5.1.5.1. Basic GOTO 1.1.7.1.
- 1.1.5.1.5.2. Platinum GOTO 1.1.7.2.
- 1.1.5.6. Upload to ThreatExpert.com for automated analysis.
- 1.1.5.6.1. ThreatExpert.com LINK http://www.threatexpert.com
- 1.1.5.7. Upload to Virustotal.com for AntiVirus vendor comparison.
- 1.1.5.7.1. VirusTotal.com LINK http://www.virustotal.com
- 1.1.5.2. Leverage known Good Files to Exclude (Advanced Feature requiring work prior to incident)
- 1.1.5.2.2. Known Good File Collection Points?
- 1.1.5.2.2.1. Microsoft Management Server or System Center Configuration Manager Inventory
- 1.1.5.2.2.2. Software Repository Product
- 1.1.5.2.2.3. Sample Systems with SEP application learn enabled
- 1.1.5.2.2.4. Run checksum.exe on sample set of machines and extract the generated .txt file with MD5
-
- 1.1.6. Memory Analysis?
-
- 1.1.6.1.2. Win32dd.exe and Win64dd.exe can both be used to capture the contents of RAM. Both utilities do not require a reboot.
-
- 1.1.6.2.2. Mandiant Memoryze can be used to generate an output that shows the names of files and any open network connections.
- 1.1.6.2.3. Mandiant Memoryze can be used to extract binaries captured from memory using Mandiant Memoryze or with win32dd.exe or win64dd.exe.
-
-
- 1.1.7. Submit to Commercial Vendor for Analysis and Fix?
- 1.1.7.1. Submit to Symantec
https://submit.symantec.com/websubmit/basic.cgi Web Site Expected information_ First Name: Last Name: Company Name: Email Address: contact ID: File to Upload: (Please submit no more than 9 files in any zip file regardless of size. Total Size should not be greater than 10MB.) Symptoms: What symptoms are you seeing? - Increased email activity - Ports opened/used, and protocols used - Anti-virus software is being disabled - Files being deleted - Network traffic - Users being locked out of their accounts - Error messages - Blue screens - Registry keys being created
- 1.1.7.1.2. Platinum
https://submit.symantec.com/websubmit/platinum.cgi Web Site Expected information_ First Name: Last Name: Company Name: Email Address: contact ID: File to Upload: (Please submit no more than 9 files in any zip file regardless of size. Total Size should not be greater than 10MB.) Symptoms: What symptoms are you seeing? - Increased email activity - Ports opened/used, and protocols used - Anti-virus software is being disabled - Files being deleted - Network traffic - Users being locked out of their accounts - Error messages - Blue screens - Registry keys being created
-
- 1.1.8. Sucessfully Remediated?
- 1.1.8.1. NO
- 1.1.8.1.1. Does the asset contain high value or private information?
- 1.1.8.1.1.1. YES
- 1.1.8.1.1.1.1. Have a forensics expert image the machine for thorough analysis with Forensics tools such as Guidance Encase or Mandiant Technologies.
- 1.1.8.1.1.2. NO
- 1.1.8.1.1.2.1. Proceed to wipe machine. GOTO 1.2.
- 1.1.8.2. YES
- 1.1.8.2.1. STOP and GOTO 3.6. Post-Incident Activity
- 1.2. Wipe/Restore Machine
- 1.2.1. Bare Metal Restore? (Restoring a computer starting with the Operating System and continuing with all other applications)
- 1.2.2. Snapshot Restore? (Restoring from a backup copy that contains a main backup smaller daily or weekly backups)
- 1.2.2.1. If a snapshot was taken before the issue arose, restore to last known good state.
- 1.2.3. PXE Based Restore? (Restoring from a local network imaging server. Typically a corporate only option.)
- 1.2.3.1. If PXE is used and a local PXE server is available, commence reboot and PXE boot procedures.
- 1.2.4. Attached USB Backup Restore? (Backups available on an external USB drive).
- 1.2.4.1. If an external backup drive contains a backup image, restore from this backup.
- 1.2.5. If data was backed up to a cloud service?
- 1.2.5.1. Restore operating system and proceed to restore data from cloud after system reimage.
- 1.3. Is the suspected threat widespread?
- 1.3.1. NO
- 1.3.1.1. Proceed to 1.4 GOTO 1.4.
- 1.3.2. YES
- 1.3.2.1. Activate Incident Response Team
- 1.3.2.1.1. Network Operations
- 1.3.2.1.1.1. Gateway Firewall Specialist
- 1.3.2.1.1.1.1. Is Gateway Firewall administrator observing abnormal activity?
- 1.3.2.1.1.1.2. Is the Gateway Firewall recording abnormal activity from system currently being analyzed?
- 1.3.2.1.1.1.2.1. If NO, proceed to 1.3.1.2. GOTO 1.3.1.2.
- 1.3.2.1.1.1.2.2. If YES, obtain packet captures for analysis by Network Forensics specialist.
- 1.3.2.1.1.2. Network Operations Center Analyst
- 1.3.2.1.1.2.1. Is Network Operations Center detecting increase in traffic on core switches?
- 1.3.2.1.1.2.1.1. Is activity indicative of a one-to-many propagation or an A-to-B-to-C propogation method?
- 1.3.2.1.1.2.1.1.1. If NO, proceed to next steps.
- 1.3.2.1.1.2.1.1.2. If YES, engage NOC in Incident Response.
- 1.3.2.1.2. Desktop Operations
- 1.3.2.1.2.1. Desktop Software Management Technician
- 1.3.2.1.2.1.1. Are new applications detected in software inventory report?
- 1.3.2.1.2.1.1.1. Upload for Analysis on Step 1.1.3. GOTO 1.1.3.
- 1.3.2.1.2.2. Desktop Software Deployment Technician
- 1.3.2.1.2.2.1 Has Desktop Software Deployment recently deployed a new application, patch or upgrade?
- 1.3.2.1.2.2.1.1. Does the suspect activity coincide with the new software deployment?
- 1.3.2.1.2.2.1.1.1. Is the problem exhibited only on systems with the new software deployed?
- 1.3.2.1.2.2.1.1.1.1. NO
- 1.3.2.1.2.2.1.1.1.1.1. If NO, then new software deployment is not the culprit.
- 1.3.2.1.2.2.1.1.1.2. YES
- 1.3.2.1.2.2.1.1.1.2.1. If YES, then new software deployment may be the suspect file and this is a false positive.
- 1.3.2.1.3. Server Operations
- 1.3.2.1.3.1. Server Software Management Technician
- 1.3.2.1.3.1.1. Is the problem only exhibited on servers?
- 1.3.2.1.3.1.1.1. If NO, proceed to next step.
- 1.3.2.1.3.1.1.2. If YES, go to step 1.3.2.3.2.1. GOTO 1.3.2.3.2.1.
- 1.3.2.1.3.2. Server Software Deployment Technician
- 1.3.2.1.3.2.1. Has Server Software Deployment team recently deployed a new application, patch or upgrade?
- 1.3.2.1.3.2.1.1. If NO, proceed to next step.
- 1.3.2.1.3.2.1.2. Does the suspect activity coincide with the new software deployment?
- 1.3.2.1.3.2.1.2.1. If NO, proceed to next step.
- 1.3.2.1.3.2.1.2.2. If YES, is the problem exhibited only on systems with the new software deployed?
- 1.3.2.1.3.2.1.2.2.1. If NO, then new software deployment is not the culprit.
- 1.3.2.1.3.2.1.2.2.2. If YES, then new software deployment may be the suspect file and this is a false positive.
- 1.3.2.1.4. Messaging Operations
- 1.3.2.1.4.1. Mail Messaging Administrator
- 1.3.2.1.4.1.1. Can administrator provide insight from messaging logs?
- 1.3.2.1.4.1.1.1. If NO, proceed to next step.
- 1.3.2.1.4.1.1.2. If YES, is there an abnormal number of same messages spreading?
- 1.3.2.1.4.1.1.2.1. If YES, possible mass mailer in use. Attempt to identify origin of mail. Attempt to identify keyword to use to block continued spread.
- 1.3.2.1.4.1.1.2.2. If NO, proceed to next step.
- 1.3.2.1.5. Compliance
- 1.3.2.1.5.1. Data Loss Prevention Technician
- 1.3.2.1.5.1. Is DLP system generating events on tracked data?
- 1.3.2.1.5.1.1. If NO, proceed to next step.
- 1.3.2.1.5.1.2. If YES, create a list of systems generating largest count of DLP violations and start analyzing them.
- 1.3.2.1.5.2. Is DLP system generating events from suspect system?
- 1.3.2.1.5.2.1. If NO, proceed to next step.
- 1.3.2.1.5.2.2. If YES, run a report on the DLP system for event violations on the suspect IP.
- 1.3.2.1.5.2.3. If YES, run a report across all computers with similar data violations to determine if threat is widespread.
- 1.3.2.1.6. Legal
- 1.3.2.1.6.1.1. Does legal need to be involved?
- 1.3.2.1.6.1.1. Consult with an attorney to determine when they should be contacted.
- 1.3.2.1.7. Public Relations
- 1.3.2.1.7.1. Does Public Relations need to be notified?
- 1.3.2.1.7.1.1. Notify Public Relations of situation.
- 1.4. Post-op Prevent Recurrence Policy
- 1.4.1. Custom IPS Signature Possible?
- 1.4.1.2. Did analysis of network traffic reveal unique packet information?
- 1.4.1.2.1. Create an endpoint Custom IPS signature with unique packet information and set to log only.
- 1.4.1.2.1.1. After testing in log only, confirm no false positives then activate block.
- 1.4.2. Is it possible to leverage Application and Device Control policy for recurrence prevention?
- 1.4.2.2. Is threat spreading through Autorun.inf files?
- 1.4.2.3. Using Application and Device Control in Symantec Endpoint Protection (SEP) to block activity in common loading points for threats
- 1.4.2.4. Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security
- 1.4.3. Firewall Block policy possible?
- 1.4.3.1. Block Specific Ports Inbound or Outbound
-
- 1.4.3.2. Did analysis of network traffic reveal specific domain or port used by threat?
- 1.4.3.2.1. If possible, add found domain and port number to an endpoint firewall policy.
- 1.4.4. If False Positive found, add to Centralized Exceptions Policy in SEPM.
- 2. Incident Response Phases
- 2.1. Preparation
- 2.1.1. Make users aware of malicious code issues.
Users should be familiar with the methods that malicious code uses to propagate and the symptoms of infections. Holding regular user education sessions helps to ensure that users are aware of the risks that malicious code poses. Teaching users how to safely handle email attachments should reduce the number of infections that occur.
- 2.1.2. Read antivirus bulletins.
Bulletins regarding new malicious code threats provide timely information to incident handlers.
-
-
- 2.1.2.1.1.1. LINK http://www.symantec.com/business/security_response/threatexplorer/search.jsp
-
- 2.1.2.1.2.1. LINK http://us.norton.com/security_response/threatexplorer/index.jsp
-
- 2.1.2.1.3.1. LINK http://www.symantec.com/business/security_response/threatexplorer/index.jsp
-
- 2.1.2.2. McAfeeThreat Bulletins
-
- 2.1.2.2.2. LINK http://www.mcafee.com/us/threat_center/default.asp
-
- 2.1.2.2.1.1. LINK http://vil.nai.com/vil/default.aspx
-
-
- 2.1.3. Deploy host-based intrusion detection and prevention systems, including file integrity checkers, to critical hosts.
Host-based IDPS software, particularly file integrity checkers, can detect signs of malicious code incidents, such as configuration changes and modifications to executables.
- 2.1.4. Use antivirus software, and keep it updated with the latest virus signatures.
Antivirus software should be deployed to all hosts and all applications that may be used to transfer malicious code. The software should be configured to detect and disinfect or quarantine malicious code infections. All antivirus software should be kept current with the latest virus signatures so the newest threats can be detected.
- 2.1.5. Configure software to block suspicious files.
Files that are very likely to be malicious should be blocked from the environment, such as those with file extensions that are usually associated with malicious code and files with suspicious combinations of file extensions.
- 2.1.6. Eliminate open Windows shares.
Many worms spread through unsecured shares on hosts running Windows. A single infection may rapidly spread to hundreds or thousands of hosts through unsecured shares.
- 2.1.7. Configure intrusion detection software to alert on attempts to gain unauthorized access.
Network and host-based intrusion detection software (including file integrity checking software) is valuable for detecting attempts to gain unauthorized access. Each type of software may detect incidents that the other types of software cannot, so the use of multiple types of computer security software is highly recommended.
- 2.1.8. Configure all hosts to use centralized logging.
Incidents are easier to detect if data from all hosts across the organization is stored in a centralized, secured location.
- 2.1.9. Establish procedures for having all users change their passwords.
A password compromise may force the organization to require all users of an application, system, or trust domain—or perhaps the entire organization—to change their passwords.
- 2.1.10. Configure the network perimeter to deny all incoming traffic that is not expressly permitted.
By limiting the types of incoming traffic, attackers should be able to reach fewer targets and should be able to reach the targets using designated protocols only. This should reduce the number of unauthorized access incidents.
- 2.1.11. Secure all remote access methods, including modems and virtual private networks (VPN).
Unsecured modems provide easily attainable unauthorized access to internal systems and networks. Remote access clients are often outside the organization’s control, so granting them access to resources increases risk.
- 2.1.12. Put all publicly accessible services on secured demilitarized zone (DMZ) network segments.
This action permits the organization to allow external hosts to initiate connections to hosts on the DMZ segments only, not to hosts on internal network segments. This should reduce the number of unauthorized access incidents.
- 2.1.13. Disable all unneeded services on hosts and separate critical services.
Every service that is running presents another potential opportunity for compromise. Separating critical services is important because if an attacker compromises a host that is running a critical service, immediate access should be gained only to that one service.
- 2.1.14. Use host-based/personal firewall software to limit individual hosts’ exposure to attacks.
Deploying host-based or personal firewall software to individual hosts and configuring it to deny all activity that is not expressly permitted should further reduce the likelihood of unauthorized access incidents.
- 2.1.15. Create and implement a password policy.
The password policy should require the use of complex, difficult-to-guess passwords and should ensure that authentication methods are sufficiently strong for accessing critical resources. Weak and default passwords are likely to be guessed or cracked, leading to unauthorized access.
- 2.2. Detection and Analysis
- 2.2.1. Prioritize handling the incident based on the business impact
- 2.2.1.1. Identify which resources have been affected and forecast which resources will be affected
- 2.2.1.2. Estimate the current and potential technical effect of the incident
- 2.2.1.3. Find the appropriate cell(s) in the prioritization matrix based on the technical effect and affected resources
- 2.2.2. Indication or signs of a possible incident.
- 2.2.2.1. The network intrusion detection sensor alerts when a buffer overflow attempt occurs against an FTP server.
- 2.2.2.2. The antivirus software alerts when it detects that a host is infected with a worm.
- 2.2.2.3. The Web server crashes.
- 2.2.2.4. Users complain of slow access to hosts on the Internet.
- 2.2.2.5. The system administrator sees a filename with unusual characters.
- 2.2.2.6. The user calls the help desk to report a threatening email message.
- 2.2.2.7. The host records an auditing configuration change in its log.
- 2.2.2.8. The application logs multiple failed login attempts from an unfamiliar remote system.
- 2.2.2.9. The email administrator sees a large number of bounced emails with suspicious content.
- 2.2.2.10. The network administrator notices an unusual deviation from typical network traffic flows.
- 2.2.3. Report the incident to the appropriate internal personnel and external organizations
- 2.3. Containment
- 2.3.1. Contain the incident—halt the DoS if it has not already stopped
- 2.3.1.1. Identify and mitigate all vulnerabilities that were used, if possible.
- 2.3.1.2. If not yet contained, implement filtering based on the characteristics of the attack, if feasible
- 2.3.1.3. If not yet contained, contact the ISP for assistance in filtering the attack
- 2.3.1.4. If not yet contained, relocate the target
- 2.3.2. Performing port scans to detect hosts listening on a known Trojan horse or backdoor port.
- 2.3.3. Using antivirus scanning and cleanup tools released to combat a specific instance of malicious code.
- 2.3.4. Reviewing logs from email servers, firewalls, and other systems that the malicious code may have passed through, as well as individual host logs.
- 2.3.5. Configuring network and host intrusion detection software to identify activity associated with infections.
- 2.3.6. Auditing the processes running on systems to confirm that they are all legitimate.
- 2.4. Eradication
- 2.4.1. Eradicate the incident. Identify and mitigate all vulnerabilities that were used
- 2.5. Recovery
- 2.5.1. Recover from the incident
- 2.5.1.1. Return affected systems to an operationally ready state
- 2.5.1.2. Confirm that the affected systems are functioning normally
- 2.5.1.3. If necessary and feasible, implement additional monitoring to look for future related activity
- 2.6. Post-Incident Activity
- 2.6.1. Create a Post Incident (Lessons Learned) report
- 2.6.2. Hold a lessons learned meeting
- 2.6.2.1. Exactly what happened, and at what times?
- 2.6.2.2. How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
- 2.6.2.3. What information was needed sooner?
- 2.6.2.3.1. What could facilitate improved data sharing?
- 2.6.2.4. Were any steps or actions taken that might have inhibited the recovery?
- 2.6.2.4.1. Were there any bottlenecks that slowed down the recovery process?
- 2.6.2.5. What would the staff and management do differently the next time a similar incident occurs?
- 2.6.2.6. What corrective actions can prevent similar incidents in the future?
- 2.6.2.7. What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
- 3. Symantec Specific Analysis Steps
- 3.1. Identify the Threat and Attack Vectors
- 3.1.0. Acquire Binary
- 3.1.0.1. Simply copy the file.
- 3.1.0.1.1. Successful?
- 3.1.0.1.1.1. YES
- 3.1.0.1.1.1.1. GOTO 3.2
- 3.1.0.1.1.2. NO
- 3.1.0.1.1.2.1. Boot system with WinPE disk and copy file to USB stick.
AutoRuns Tool http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
- 3.1.1. Submit the file to Symantec Response
- 3.1.1.1. Submit via the web portal
https://submit.symantec.com/websubmit/basic.cgi Web Site Expected information_ First Name: Last Name: Company Name: Email Address: contact ID: File to Upload: (Please submit no more than 9 files in any zip file regardless of size. Total Size should not be greater than 10MB.) Symptoms: What symptoms are you seeing? - Increased email activity - Ports opened/used, and protocols used - Anti-virus software is being disabled - Files being deleted - Network traffic - Users being locked out of their accounts - Error messages - Blue screens - Registry keys being created
- 3.1.1.1.1.1. LINK https://submit.symantec.com/websubmit/basic.cgi
https://submit.symantec.com/websubmit/platinum.cgi Web Site Expected information_ First Name: Last Name: Company Name: Email Address: contact ID: File to Upload: (Please submit no more than 9 files in any zip file regardless of size. Total Size should not be greater than 10MB.) Symptoms: What symptoms are you seeing? - Increased email activity - Ports opened/used, and protocols used - Anti-virus software is being disabled - Files being deleted - Network traffic - Users being locked out of their accounts - Error messages - Blue screens - Registry keys being created
- 3.1.1.1.2.1. LINK https://submit.symantec.com/websubmit/platinum.cgi
-
- 3.1.1.2. Call into Support and specify urgency of request.
- 3.1.2. Upload to VirusTotal.org
- 3.1.2.1. Recognized by 3rd Party AV Vendors?
- 3.1.2.1.1. YES
- 3.1.2.1.1.1. Proceed to upload to Symantec and Analyze with Steps 3.1.5, 3.1.7)
- 3.1.2.1.2. NO
- 3.1.2.1.2.1. Does Virustotal identify it as a known good file by the NSRL?
- 3.1.2.1.2.1.1. YES
- 3.1.2.1.2.1.1.1. File is known Good, exclude from further research.
- 3.1.2.1.2.1.2. NO
- 3.1.2.1.2.1.1.2. GOTO 3.1.3
- 3.1.3. Upload to www.threatexpert.com to get High Level overview
- 3.1.3.1. Does the executable modify critical files?
- 3.1.3.1.1. YES
- 3.1.3.1.1.1. Record File names and Paths.
- 3.1.3.1.2. NO
- 3.1.3.2. Does the executable modify common load points in the registry?
- 3.1.3.2.1. YES
- 3.1.3.2.1.1. Record the Registry key and value type
- 3.1.3.2.2. NO
- 3.1.3.2.2.1. Continue with next steps
- 3.1.3.3. Does the executable open communications to the internet? and if so, what destination and port.
- 3.1.3.3.1. YES
- 3.1.3.3.1.1. Record Destination IP and Destination Port
- 3.1.3.3.1.2. Proceed to Step 6.4 in order to obtain pcap file from Anubis.
- 3.1.3.3.2. NO
- 3.1.3.4. Does packet capture reveal specific file names or unique patterns that may be leveraged to create a containment policy?
- 3.1.4. Configure SEP to higher security state
- 3.1.4.1. Configure Auto-Protect to allow network scanning.
- 3.1.4.2. Configure All IPS Signatures in Log-only
Using Application and Device Control in Symantec Endpoint Protection (SEP) to log activity to common loading points for threats http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009101207390448?Open&docid=2010011510455048&nsf=ent-security.nsf&view=854fa02b4f5013678825731a007d06af
- 3.1.4.4. Increase the Bloodhound level to High
How to increase the sensitivity of Proactive Threat Protection in Symantec Endpoint Protection 11.x http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009120214031748?Open&docid=2010011510455048&nsf=ent-security.nsf&view=854fa02b4f5013678825731a007d06af
- 3.1.5. Upload to Anubis.iseclab.org
- 3.1.5.1. Does the executable modify critical files?
- 3.1.5.1.1. YES
- 3.1.5.1.1.1. Record File names and Paths.
- 3.1.5.1.2. NO
- 3.1.5.2. Does the executable modify common load points in the registry?
- 3.1.5.2.1. YES
- 3.1.5.2.1.1. Record the Registry key and value type
- 3.1.5.2.2. NO
- 3.1.5.3. Does the executable open communications to the internet? and if so, what destination and port.
- 3.1.5.3.1. YES
- 3.1.5.3.1.1. Record Destination IP and Destination Port
- 3.1.5.3.1.2. Download pcap file from Anubis.iseclab.org and analyze the type of traffic generated using pcap reader.
- 3.1.5.3.1.2.1. LINK http://www.wireshark.com
- 3.1.6. Observed Activity
- 3.1.6.1. Observed Host Activity
- 3.1.6.1.1. System Cannot Boot
- 3.1.6.1.1.1. Possible Multipartite Virus
- 3.1.6.1.1.2. Possible Rootkit
- 3.1.6.1.2. Error message displayed during system boot
- 3.1.6.1.2.1. Possible Multipartite Virus
- 3.1.6.1.2.2. Possible Rootkit
- 3.1.6.1.3. System instability and crashes occur
- 3.1.6.1.3.1. Possible Macro virus
- 3.1.6.1.3.2. Possible Network Service Worm
- 3.1.6.1.3.3. Possible Trojan Horse
- 3.1.6.1.3.4. Possible Backdoor
- 3.1.6.1.3.5. Possible Rootkit
- 3.1.6.1.4. Programs start slowly, run slowly, or do not run at all
- 3.1.6.1.4.1. Possible Multipartite Virus
- 3.1.6.1.4.2. Possible Macro Virus
- 3.1.6.1.4.3. Possible Network Service Worm
- 3.1.6.1.4.4. Possible Trojan Horse
- 3.1.6.1.4.5. Possible Rootkit
- 3.1.6.1.4.6. Possible Malicious Browser Plugin
- 3.1.6.1.5. Unknown processes are run at system startup
- 3.1.6.1.5.1. Possible Trojan Horse
- 3.1.6.1.5.2. Possible Backdoor
- 3.1.6.1.5.3. Possible Keystroke Logger
- 3.1.6.1.5.4. Possible E-mail Generators
- 3.1.6.1.6. Unusual and unexpected ports open
- 3.1.6.1.6.1. Possible Backdoor
- 3.1.6.1.7. Sudden increase occurs in the number of e-mails being sent and received
- 3.1.6.1.7.1. Possible Macro Virus
- 3.1.6.1.7.2. Possible Mass Mailing Worm
- 3.1.6.1.7.3. Possible Rootkit
- 3.1.6.1.8. Changes are made in templates for word processing documents, spreadsheets, etc.
- 3.1.6.1.8.1. Possible Macro Virus
- 3.1.6.1.9. Web browser configuration is changed, such as different home page and new toolbars
- 3.1.6.1.9.1. Possible Malicious Mobile Code
- 3.1.6.1.9.2. Possible Malicious Browser Plug-Ins
- 3.1.6.1.10. Files are deleted, corrupted, or inaccessible
- 3.1.6.1.10.1. Possible Multipartite Virus
- 3.1.6.1.10.2. Possible Macro Virus
- 3.1.6.1.10.3. Possible Trojan Horse
- 3.1.6.1.10.4.Possible Rootkit
- 3.1.6.1.11. Unusual items appear on the screen, such as odd messages, graphics, and overlapping or overlaid message boxes
- 3.1.6.1.11.1. Possible Macro Virus
- 3.1.6.1.11.2. Possible Malicious Mobile Code
- 3.1.6.1.11.3. Possible Rootkit
- 3.1.6.1.11.4. Possible E-mail Generators
- 3.1.6.1.12. Unexpected dialog boxes appear, requesting permission to do something
- 3.1.6.1.12.1. Possible Malicious Mobile Code
- 3.1.6.1.12.2. Possible Malicious Browser Plug-Ins
- 3.1.6.2. Observed Network Activity
- 3.1.6.2.1. Significantly increased network usage
- 3.1.6.2.1.1. Possible Network Service Worm
- 3.1.6.2.1.2. Possible Mass Mailing Worm
- 3.1.6.2.1.3. Possible Backdoor
- 3.1.6.2.1.4. Possible E-mail Generators
- 3.1.6.2.1.5. Possible Bot/Downloader
- 3.1.6.2.2. Port scans and failed connection attempts targeted at the vulnerable service (e.g., open Windows shares, HTTP)
- 3.1.6.2.2.1. Possible Network Service Worm
- 3.1.6.2.2.2. Possible Backdoor
- 3.1.6.2.3. Network connections between the host and unknown remote systems
- 3.1.6.2.3.1. Possible Network Service Worm
- 3.1.6.2.3.2. Possible Trojan Horse
- 3.1.6.2.3.3. Possible Malicious Mobile Code
- 3.1.6.2.3.4. Possible Backdoor
- 3.1.6.2.3.5. Possible Keystroke Logger
- 3.1.6.2.3.6. Possible Rootkit
- 3.1.6.2.3.7. Possible Malicious Browser Plug-Ins
- 3.1.6.2.3.8. Possible E-mail Generators
- 3.1.7. Run SEP Support tool
-
- 3.1.7.1.2. Did it find and Eliminate Threat?
- 3.1.7.1.2.1. If Yes Then STOP
-
- 3.2. Identify the Infected Computers
- 3.2.1. Ensure Latest Virus Definitions are Deployed to entire network
- 3.2.2. Perform Admin Scan on all machines.
- 3.2.3. If Virus Definitions do not contain protection for current threat, leverage Threatexpert.com and Anubis Knowledge to identify symptoms to block.
- 3.2.4. Create SEP Application Control rules to setup traps to be tripped by infected machines
- 3.3. Quarantine the Infected Computers
- 3.3.1 Proceed to Containment Phase
- 3.3.1.1. VLAN Containment to monitored route.
- 3.3.1.2. Gateway Firewall Rules and ACL restrictions
- 3.3.1.3. Endpoint Protection Policy Modification
- 3.3.1.3.1. AntiVirus Policy
- 3.3.1.3.1.1. Access and modify Scanning
- 3.3.1.3.1.2. Bloodhound Level 3 (High)
- 3.3.1.3.2. Intrusion Prevention Policy
- 3.3.1.3.2.1. Activate Blocking Signatures
- 3.3.1.3.2.2. Create Custom IPS Signature to Block discovered Threat
- 3.3.1.3.3. Firewall Policy
-
- 3.3.1.3.3.2. Disable Local C$ and Admin$ sharing from general network. Restrict inbound C$ and Admin$ to admins and helpdesk systems only.
-
- 3.3.1.3.4. Application Control Policy
- 3.3.1.3.4.1. Add Registry Block related to threat.
- 3.3.1.3.4.2. Add File Block related to threat.
- 3.3.1.3.4.2.1. Add Autorun.inf write Block
- 3.3.1.3.4.3. Add Process Terminate related to threat.
-
-
- 3.3.1.3.4.5.1. LINK http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009101410542148?Open&docid=2010011510455048&nsf=ent-security.nsf&view=854fa02b4f5013678825731a007d06af
- 3.3.1.3.5. Device Control Policy
- 3.3.1.3.6. Host Integrity Policy
- 3.3.1.4. Close any open shares
- 3.3.1.5. Disable Windows AutoPlay Feature.
- 3.3.1.5.1. Via GPO
- 3.3.1.5.2. Via Registry
- 3.3.1.5.3. Via SEP Application Control Policy
- 3.3.1.6. Restrict the use of writable USB drives
- 3.3.1.6.1. No EXE write to USB drives.
- 3.3.1.7. Restrict the writing of .lnk files to USB and network drives
- 3.3.1.8. Restrict the writing of autorun.inf files to USB and network drives
- 3.3.1.9. Create custom firewall rules to prevent the threat from spreading.
- 3.3.1.10. Move the infected clients to a "quarantine" client group.
- 3.4. Clean the Computers Infected
- 3.4.1. Assess whether it would be more cost-effective to "start from scratch" — to freshly rebuild or reinstall a compromised computer.
- 3.4.2. Assess whether any threats found can be easily removed from a computer by running an antivirus scan, or if additional tasks will need to be performed before or afterwards.
- 3.4.3. Assess whether any system changes were made on infected computers and how to revert those changes.
- 3.4.4. Assess when it is safe to add the computers back to the network.
- 3.5. Post-op Prevent Recurrence
- 3.5.1. Patch Exploited Vulnerabilities
- 3.5.2. Disable AutoPlay
- 3.5.3. If possible deploy a policy that mitigates or contains the threat.
- 4. Information References
-
- 4.2. Web Site Based Malware Analysis
-
-
- 4.4. IPS Signatures List
- 4.5. Security Company Twitter Feeds
-
-
- 4.7. Useful Binaries for Analysis
- 4.7.1. Manual LiveSystem Analysis Tools
-
- 4.8. Malware Sample Submission Pages
- 4.8.1. Symantec Submission Site
https://submit.symantec.com/websubmit/basic.cgi Web Site Expected information_ First Name: Last Name: Company Name: Email Address: contact ID: File to Upload: (Please submit no more than 9 files in any zip file regardless of size. Total Size should not be greater than 10MB.) Symptoms: What symptoms are you seeing? - Increased email activity - Ports opened/used, and protocols used - Anti-virus software is being disabled - Files being deleted - Network traffic - Users being locked out of their accounts - Error messages - Blue screens - Registry keys being created
https://submit.symantec.com/websubmit/platinum.cgi Web Site Expected information_ First Name: Last Name: Company Name: Email Address: contact ID: File to Upload: (Please submit no more than 9 files in any zip file regardless of size. Total Size should not be greater than 10MB.) Symptoms: What symptoms are you seeing? - Increased email activity - Ports opened/used, and protocols used - Anti-virus software is being disabled - Files being deleted - Network traffic - Users being locked out of their accounts - Error messages - Blue screens - Registry keys being created
-
-
- 4.8.1.4.1. LINK https://submit.symantec.com/false_positive/insight/
-
-
- 4.9. Symantec Endpoint Protection Product Downloads
-
- 4.9.2. SEP Database Schema
-
- 4.9.2.2.1.1. LINK http://www.symantec.com/business/support/index?page=content&id=DOC2410&key=54619&actp=LIST
-
- 4.9.2.2.1. LINK http://www.symantec.com/business/support/index?page=content&id=DOC2411&key=54619&actp=LIST
-
-
-
- 4.11. Reporting an Incident
-
-