The idea and practice of encrypting or obfuscating malware has been around since the early to mid 1980s. Malware authors quickly realized that, to be successful at introducing and spreading their creations, they would need to take steps not only to conceal the malware’s behavior but also to inhibit the progress of those who would reverse engineer the capabilities of these new cyber soldiers. The longer a malware sample can remain undetected and thwart reverse engineering, the longer it has to spread and complete its mission.
In order to identify and respond to advanced malware, the analyst must have the training and expertise to conduct surveillance on the malicious code. Surveillance on malicious code - Observational Malware Analysis (OMA) - provides a better understanding of malware capabilities, the mission of the attacker, and the effects on the company being targeted. An analyst armed with this methodology and skillset is a valuable resource to defend against today’s most advanced threats.
This paper serves as a high-level summary of a fully integrated forensic approach to identifying today’s advanced malware threats with higher confidence, better understanding, and in a more time-efficient manner. Much of the information in the article should be fairly well known to readers who oversee incident response or forensics teams, and to those who perform such tasks as part of their work.
About the author: Kristopher Bleich has 15 years of military and civilian law enforcement, computer information security and computer forensic experience. He has extensive experience in criminal investigations and criminal computer forensic investigations. Kristopher is certified to instruct law enforcement personnel in the seizing of electronic evidence through the National White Collar Crime Center (NW3C), along with being a Certified Ethical Hacker (C|EH) and certified as an EnCase Certified Examiner (EnCE).
SpearTip is a cyber counterintelligence firm located in St Louis, MO with offices in Dallas, TX and Washington D.C. SpearTip’s mission statement is, “Blending cutting-edge technologies, unique skill sets, and military-proven cyber-counterintelligence strategies, SpearTip partners with our clients to protect shareholder value, shield corporate reputations, and enhance long-term profits.” http://www.speartip.com