begood Posted September 18, 2010 Report Share Posted September 18, 2010 In my travels, it has come to my attention that some folks have not taken or had the time to document a checklist or bullet list of actions to perform during an infection or an outbreak. In response I’ve created a decision tree to help as a guide for following a step by step process for malware analysis. The site is response.ortizonline.com . The site basically contains a mindmap created using freeplane that steps the users through the process of analyzing a machine for malware. It provides links to both Symantec , 3rd party, fee and open source tools. The majority of the information has been mostly compiled from NIST SP800-83 , and public symantec KB articles. I hope this is something that community members find useful and can provide feedback to improve. Please provide any feedback and I'll be happy to update the decision tree. Below is a sample of the decision tree. Cheers, Netrunner 1. Suspect Worm 1.1. Manual Analysis and Remediation Steps 1.1.0. Run Full System AntiVirus Scan 1.1.0.1. Did it find and Eliminate Threat? 1.1.0.1.1. IF Yes, ensure all other computers are up to date and get a scan performed. 1.1.0.1.2. IF No Then GOTO 1.1.1[*] 1.1.1. Symantec SEP Support Tool Power Eraser Option? http://www.symantec.com/techsupp/home_homeoffice/products/sep/Sep_SupportTool.exe 1.1.1.1. LINK http://www.symantec.com/techsupp/home_homeoffice/products/sep/Sep_SupportTool.exe 1.1.1.2. Did it find a possible Threat? 1.1.1.2.1. IF Yes, consider acquiring binary for online analysis at step 1.1.3 to ensure it is not a false positive. 1.1.1.2.1.1. IF 1.1.3 does not identify as a known file and you can validate its an unknown internal application, then proceed to FIX.[*] 1.1.1.2.2. IF No Then GOTO 1.1.2[*] 1.1.1.2.3. Did SEP_Support_Tool identify any negative reputation files? 1.1.1.2.3.1. If negative reputation files are identified, acquire for further analysis.GOTO step 1.1.3.[*] 1.1.2. Symantec Endpoint Recovery Tool CD-ROM Boot Disk 1.1.2.1. LINK http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041515464348 1.1.2.2. Did it find and Eliminate Threat? 1.1.2.2.1. IF Yes, consider acquiring binary for online analysis at step 1.1.3. 1.1.2.2.2. IF No Then consider 1.1.6 for memory analysis of possible zero day threat.[*] 1.1.3. Web Analysis? 1.1.3.1. Use www.threatexpert.com to get High Level overview of the threat. Analysis 1.1.3.1.1. LINK http://www.threatexpert.com 1.1.3.1.2. If binary was uploaded for analysis, what were the results? 1.1.3.3.1. Does threatexpert.com identify the binary as a virus by any other AV vendor? 1.1.3.3.2. Does threatexpert.com NSRL listing identify the binary as known good? 1.1.3.3.3. Does threatexpert.com Symantec Reputation identify the threat as "suspicious"?[*] 1.1.3.2. Use Anubis.iseclab.org to obtain highly detailed program analysis and pcap file for analysis. 1.1.3.2.1. LINK http://anubis.iseclab.org [*] 1.1.3.3. Use VirusTotal - Free Online Virus, Malware and URL Scanner 1.1.3.3.1. Does virustotal.com identify the binary as a virus by any other AV vendor? 1.1.3.3.2. Does virustotal.com NSRL listing identify the binary as known good? 1.1.3.3.3. Does virustotal.com Symantec Reputation identify the threat as "suspicious"?[*] 1.1.4. Network Traffic Analysis WireShark | Analyzing Wireless Solutions that work 1.1.4.1. If Anubis provides a pcap file for analysis, is any content able to be leveraged in order to create a SEP IPS Custom Signature 1.1.4.2. SEP Firewall Rule with specific port activity and associated application with Packet capture enabled.[*] 1.1.5. Clean Boot Disk Analysis and Extraction with Helix https://www.e-fense.com/store/index.php?_a=viewProd&productId=11 Malware Analysis and Response Step by Step Decision Tree | Symantec Connect 1 Quote Link to comment Share on other sites More sharing options...
nedo Posted September 18, 2010 Report Share Posted September 18, 2010 mersi pentru ghidul asta, o sa imi fie foarte folositor, acum trec prin el Quote Link to comment Share on other sites More sharing options...
