ISW Security Papers Contest
Malware Response and Analysis by Thomas Hyslip on 13/11/07

With the ever-expanding use of the internet, and the availability of always-on, high-speed internet in the home, the threat of malware has never been greater. In the past, viruses were passed from user to user through storage media or as attachments to email. Today, malicious software, or malware, is potentially on any website, or embedded in many files that appear harmless. In most instances, antivirus or spyware removal software will detect the malware and protect the computer from infection, but not always. This paper examines the response needed when your computer is infected with malware, the effect of malware programs, and how to determine the changes made to an operating system. My research shows the different programs available to analyze malware and determine its effects. This includes the methodology that should be used when analyzing malware, and takes the reader step by step through the process of responding to a malware infection, establishing a controlled environment, infecting a PC with the malware, and analyzing the results. This includes how to establish a baseline of the victim machine you intend to infect, and how to monitor pre-infection network traffic so that it can be separated from the traffic the malware generates. I discuss the process of examining the malware during your response to an infection, isolating the malware for later analysis in a lab, infecting a lab PC with the malware, and monitoring the changes to the file system, registry, executables, open ports, and network traffic. This information is then compared with the baseline to determine the effects of the malware on the operating system. The network traffic is also analyzed to identify any suspicious traffic and the remote sites the malware is attempting to communicate with. All the software used for this paper is free, and all sources of the software are identified.
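The baseline-then-compare step the abstract describes, reduced to its file-system part, as an added example that is not from the paper itself: a snapshot records the size and SHA-256 of every file under a root, and a second snapshot taken after the lab infection is diffed against it to list added, removed and modified files. The tree and the "post-infection" changes below are constructed in a temporary directory, not captured from real malware.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (size, sha256) for every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return state


def diff_snapshots(before, after):
    """Compare a pre-infection baseline with a post-infection snapshot of the same tree."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    # Same path present in both, but size or hash changed.
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: build a tiny 'system' tree, baseline it, apply simulated changes, diff."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = Path(root) / "system32"
        sys_dir.mkdir()
        (sys_dir / "hosts").write_text("127.0.0.1 localhost\n")
        (sys_dir / "kernel.dll").write_bytes(b"MZ original")
        baseline = snapshot(root)
        # Simulated post-infection state (constructed): one file edited, one new file dropped.
        (sys_dir / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 updates.example\n")
        (sys_dir / "dropped.exe").write_bytes(b"MZ dropped")
        infected = snapshot(root)
        return diff_snapshots(baseline, infected)


if __name__ == "__main__":
    print(demo())
```

The same snapshot/diff pattern applies to the registry and open-port listings the paper compares; only the collector changes.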

This document is in PDF format. To view it click here.

