Sunday, May 17, 2009

Anti-forensic techniques in malware

It is not a surprise that anti-forensic techniques are being used by malware writers to increase the time an examiner needs. A few weeks ago I was analyzing malware for a customer (the malware was identified by VirusTotal as Zbot-Trojan). I noticed quite interesting behavior in the malicious code.

The malware modifies its own file attributes: the MAC times of the file containing the malicious code are modified during installation and execution (system startup). This is an example of an anti-forensic method that makes the creation of a timeline of activity less valuable.

The Trojan uses the GetFileTime() and SetFileTime() APIs, which are exported by kernel32.dll. The MAC times of the malware executable are set to the MAC times of an operating system library, the ntdll.dll file.

We can still use time-related information from the MFT, but the above activity can lead to misinterpretation of the reconstructed timeline of activity.
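As an added illustration (not code from the post), here is the defender's side of the point made above: SetFileTime() writes only the $STANDARD_INFORMATION timestamps, so comparing them with the $FILE_NAME timestamps and with the times of the system library the malware cloned from exposes the manipulation. It assumes MFT records have already been parsed into the MftEntry structure by a tool of the analyst's choice; the sample entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class MftEntry:
    """Timestamps of one MFT record, already parsed by an MFT tool (assumed input)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: what SetFileTime() writes
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: written by the kernel, not by SetFileTime()
    fn_modified: datetime

def find_timestomped(entries, reference_paths=(r"\Windows\System32\ntdll.dll",)):
    """Return [(path, [reasons])] for entries whose SI times look manipulated."""
    wanted = {p.lower() for p in reference_paths}
    refs = [e for e in entries if e.path.lower() in wanted]
    findings = []
    for e in entries:
        reasons = []
        # $FILE_NAME created is set when the record is created; an SI created
        # time earlier than it is a classic timestomping indicator (a file moved
        # in from another volume can trigger it too, so review hits by hand).
        if e.si_created < e.fn_created:
            reasons.append("SI created predates FN created")
        # The behaviour described in the post: SI times cloned from a system
        # library. Sub-second precision survives the copy, so the common
        # "zeroed sub-second part" check would miss this case.
        for r in refs:
            if r is not e and (e.si_created, e.si_modified) == (r.si_created, r.si_modified):
                reasons.append(f"SI times identical to {r.path}")
        if reasons:
            findings.append((e.path, reasons))
    return findings

T = datetime.fromisoformat  # shorthand for the constructed sample below
# Constructed sample (all values invented): a system DLL, a legitimate document
# and a dropped executable whose SI times were cloned from ntdll.dll.
SAMPLE = [
    MftEntry(r"\Windows\System32\ntdll.dll",
             T("2008-04-14T12:00:00.123456"), T("2008-04-14T12:00:00.123456"),
             T("2008-04-14T12:00:00.123456"), T("2008-04-14T12:00:00.123456")),
    MftEntry(r"\Users\user\report.docx",
             T("2009-05-10T09:15:32.500000"), T("2009-05-11T16:40:01.250000"),
             T("2009-05-10T09:15:32.500000"), T("2009-05-10T09:15:32.500000")),
    MftEntry(r"\Windows\System32\dropped_sample.exe",
             T("2008-04-14T12:00:00.123456"), T("2008-04-14T12:00:00.123456"),
             T("2009-05-12T10:02:44.730000"), T("2009-05-12T10:02:44.730000")),
]
```

Running `find_timestomped(SAMPLE)` flags only the dropped executable, with both reasons attached.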

4 comments:

johnmccash said...

SetFileTime doesn't affect the MAC times in the filename attributes, does it? I didn't think so, but can't seem to dig up a concrete reference at the moment.

mariusz said...

Hi,

The SetFileTime function can only set the Modified, Accessed and Created times. Common timeline analysis techniques focus on that information. But we have two additional metadata attributes in the MFT: $STANDARD_INFORMATION MFT Modified and $FILE_NAME MFT Modified. This is the "time related information from MFT" which I mentioned above.
Of course it is possible to change all metadata attributes; take a look at the timestomp tool, which is part of the meterpreter package.

Best regards,
M

rtfgvb7816 said...

IS VERY GOOD..............................

aefea21 said...

Today the Internet plays a big part in our lives. With the development of modern technologies we spend more and more time on the web every day. As we browse for information around the web, many people don't realize that their personal information can be exposed to danger. This is why CyberTraining 365 is here to teach you about analyzing malware and how to protect your data from unauthorized access.