
1. 2014.01.16 Zero-day samples: which parts should we look at to analyze them?

In 2013 there were many major incidents, such as the 3.20 cyber terror attack and the 6.25 cyber war. Many people involved no doubt had a hard time because of them, and at the same time these events raised interest in new areas such as APT.

For those interested in security, and especially in hacking or malware analysis, here is one article you should definitely read.

It is an overseas resource on the question "Something seems to be on this PC! What should I look at closely?"

What Malware Indicators to Look For

As the name implies, program execution artifacts show what programs executed on a system and at times what programs were present on the system. The significance of knowing what programs ran can be seen in my corollary to the Rootkit Paradox:

      1. They need to run
      2. They want to remain hidden

Malware wants to remain hidden on a system so it can accomplish what it was designed to do. However, in order for malware to hide on a system a program has to run. This program executes to either hide itself or another piece of malware; in the process it will leave artifacts on the system. These artifacts - program execution artifacts - can be used to find where the malware is hidden. Below are the malware indicators to look for as the program execution artifacts are reviewed (my post Triaging Malware Incidents shows how to use these indicators for triaging).

      - Programs executing from temporary or cache folders
      - Programs executing from user profiles (AppData, Roaming, Local, etc)
      - Programs executing from C:\ProgramData or All Users profile
      - Programs executing from C:\RECYCLER
      - Programs stored as Alternate Data Streams (i.e. C:\Windows\System32:svchost.exe)
      - Programs with random and unusual file names
      - Windows programs located in wrong folders (i.e. C:\Windows\svchost.exe)
      - Other activity on the system around suspicious files
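One way to apply the indicators above to a list of executed paths recovered from prefetch, shimcache or similar sources. This is an added example, not code from the quoted post; the system-binary allow-list, the folder patterns and the name-entropy threshold are this example's assumptions, and the sample paths are constructed.

```python
import math
import re

# Assumed allow-list: Windows binaries and the only folders they should run from.
EXPECTED_DIR = {
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "lsass.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
}
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\cache\\", "\\temporary internet files\\")
ADS_RE = re.compile(r"^[a-z]:\\[^:]*:[^\\]+$")  # second colon = alternate data stream

def entropy(text):
    """Shannon entropy in bits per character; high values suggest a random name."""
    probs = [text.count(ch) / len(text) for ch in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def triage(path):
    """Return the indicators from the list above that one executed path trips."""
    p = path.lower().replace("/", "\\")
    folder, _, name = p.rpartition("\\")
    exe = name.rsplit(":", 1)[-1]  # stream name when the path is an ADS
    stem = exe.rsplit(".", 1)[0]  # file name without its extension
    hits = []
    if any(t in folder + "\\" for t in TEMP_DIRS):
        hits.append("temp_or_cache_folder")
    if p.startswith(("c:\\users\\", "c:\\documents and settings\\")) and (
            "\\appdata\\" in p or "\\local settings\\" in p):
        hits.append("user_profile_appdata")
    if p.startswith(("c:\\programdata\\", "c:\\documents and settings\\all users\\")):
        hits.append("programdata_or_all_users")
    if p.startswith(("c:\\recycler\\", "c:\\$recycle.bin\\")):
        hits.append("recycle_bin")
    if ADS_RE.match(p):
        hits.append("alternate_data_stream")
    if len(stem) >= 8 and entropy(stem) >= 3.0:  # assumed threshold
        hits.append("random_looking_name")
    if exe in EXPECTED_DIR and folder not in EXPECTED_DIR[exe]:
        hits.append("system_binary_in_wrong_folder")
    # "Other activity around suspicious files" needs timeline context, not a path test.
    return hits

def triage_report(paths):
    """Map each flagged path to its indicators; clean paths are left out."""
    return {path: hits for path in paths if (hits := triage(path))}

# Constructed sample, as a prefetch or shimcache listing might provide.
SAMPLE = [r"C:\Windows\System32\svchost.exe", r"C:\Windows\svchost.exe",
          r"C:\Windows\System32:svchost.exe", r"C:\RECYCLER\S-1-5-21-1234\svchost.exe",
          r"C:\Users\bob\AppData\Local\Temp\a1b2c3d4e5.exe"]
```

Paths that trip several indicators at once (for example a system binary name under the recycle bin) are the ones to pull into a timeline first.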

Posted by 문스랩닷컴