Defeating anti-forensics in contemporary complex threats

Eugene Rodionov (ESET)
Aleksandr Matrosov (ESET)

Forensic analysis plays a crucial role in the investigation of cybercrime groups, as it allows investigators to obtain information such as bot configuration data, C&C URLs, payloads, stolen data and so on. Some modern malware falling into the class of complex threats employs various tricks to resist forensics and conceal its presence on the infected system. This paper presents an in-depth technical analysis of the most widely used anti-forensic technique, the implementation of hidden encrypted storage, as used by complex threats currently in the wild:

  • Win64/Olmarik (TDL4)
  • Win64/Olmasco (MaxSS)
  • Win64/Rovnix/Carberp
  • Win64/Sirefef (ZeroAccess)
  • Win32/Hodprot

These complex threats use hidden encrypted storage areas to conceal their data and avoid relying on the file system maintained by the operating system. In the presentation the authors focus on the details of the hidden storage implementation as well as the ways in which it is maintained within the system by the various kinds of malware. The analysis begins with the initialization procedure and the mechanisms behind it. It is shown which system mechanisms are used to store and retrieve data from the hidden container and the degree to which the malware depends on them. Close attention is paid to the self-defence mechanisms employed by the malware to conceal the content kept in its hidden storage areas and to protect that content against modification by the system or by security software. A detailed description of the hidden file system is also presented for each threat considered, together with a comparison of its features against the other threats analysed here.

To conclude, an approach to retrieving data from hidden storage is presented. We discuss the steps that should be taken to defeat the self-defence mechanisms, locate the hidden storage on the hard drive and read the plain data.
