Report from Malware Analyst
File Name: build.exe
File type: Windows executable
MD5: ed67d056bdb2ac50e57228a03b7dfd9c
SHA-1: 294540a60ca6d2cc4ca2fc6c93e18c887d8ee1d6
Systems Affected
- Windows 2000
- Windows 95
- Windows 98
- Windows Me
- Windows NT
- Windows Server 2003
- Windows Vista
- Windows XP
Network Traffic
The domain name radiolovers.ru resolves to IP address 213.183.58.186.
Behavior
- Creates file: C:\Documents and Settings\Administrator\Application Data\<random folder name>\soaw.exe.
- Starts process soaw.exe.
- Process soaw.exe writes to the virtual memory of process Explorer.exe.
- Explorer.exe starts a command shell.
Reference
Anubis analysis report on the stage 2 executable (build.exe) that the initial malware downloads by connecting to radiolovers.ru:
Summary
The download of build.exe from http://radiolovers.ru/sexy/files is an indicator of WORM_ZBOT.
- Configuration information from the compromised machine is sent to: radiolovers.ru/sexy/files/file.php.
- This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
- This worm drops the following copies of itself into the affected system and executes them:
%Application Data%\{Random Folder 1}\{Random Filename}.exe
- This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {Random} = "%Application Data%\{Random Folder 1}\{Random Filename}.exe"
- This worm creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"
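The shift analyst's next step after receiving a report like this is to turn its indicators (hashes, domain, IP, download path, persistence registry entries, firewall exception) into a search against the SIEM. The script below is an added example written for this lesson, not part of the course material or of the Anubis/Trend Micro reports it cites. It builds the indicator set from the report above and runs it over constructed sample log lines; the `host=key=value` log format, the hostnames WS-0142 and WS-0077, and the random folder and value names (kqzt, soaw.exe, ujhe) are assumptions made up for the demonstration.

```python
"""Added example: match the malware analyst's indicators against sample logs.

Not course code. The log format ('host=<name> src=<source> ...'), hostnames and
random folder/value names in SAMPLE_LOGS are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Atomic indicators copied from the report. Hashes and domains are matched
# case-insensitively because log sources disagree on casing.
IOC_HASHES = {
    "ed67d056bdb2ac50e57228a03b7dfd9c",            # MD5 of build.exe
    "294540a60ca6d2cc4ca2fc6c93e18c887d8ee1d6",    # SHA-1 of build.exe
}
IOC_DOMAINS = {"radiolovers.ru"}
IOC_IPS = {"213.183.58.186"}
IOC_URL_PATHS = {"/sexy/files"}   # build.exe download and file.php beacon share this path

# Behavioural indicators from the report:
#  - a Run value whose data points into %Application Data%\<random>\<random>.exe
#  - a Windows Firewall "AuthorizedApplications" exception for explorer.exe
#    (the process soaw.exe injects into)
RUN_KEY_RE = re.compile(
    r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA_EXE_RE = re.compile(
    r"Application Data\\[^\\]+\\[^\\]+\.exe", re.IGNORECASE)
FW_KEY_RE = re.compile(
    r"\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\.*explorer\.exe",
    re.IGNORECASE)


@dataclass
class Match:
    host: str
    kind: str
    evidence: str


def scan_line(line: str) -> list[Match]:
    """Return every indicator hit in one log line (assumed key=value format)."""
    m = re.search(r"host=(\S+)", line)
    host = m.group(1) if m else "unknown"
    low = line.lower()
    hits: list[Match] = []
    hits += [Match(host, "hash", h) for h in IOC_HASHES if h in low]
    hits += [Match(host, "domain", d) for d in IOC_DOMAINS if d in low]
    hits += [Match(host, "ip", ip) for ip in IOC_IPS if ip in line]
    hits += [Match(host, "url_path", p) for p in IOC_URL_PATHS if p in low]
    # Both conditions are required: a Run value alone is normal, a Run value
    # pointing into a random Application Data folder is the ZBOT pattern.
    if RUN_KEY_RE.search(line) and APPDATA_EXE_RE.search(line):
        hits.append(Match(host, "persistence_run_key", line.strip()))
    if FW_KEY_RE.search(line):
        hits.append(Match(host, "firewall_exception", line.strip()))
    return hits


def scan_logs(lines) -> dict[str, list[Match]]:
    """Group hits per host so the analyst can see which machines to escalate."""
    by_host: dict[str, list[Match]] = {}
    for line in lines:
        for hit in scan_line(line):
            by_host.setdefault(hit.host, []).append(hit)
    return by_host


# Constructed sample log lines (proxy, DNS and endpoint events); not real telemetry.
SAMPLE_LOGS = [
    "09:12:03 host=WS-0142 src=proxy url=http://radiolovers.ru/sexy/files/build.exe action=allow",
    "09:12:05 host=WS-0142 src=dns query=radiolovers.ru answer=213.183.58.186",
    "09:12:09 host=WS-0142 src=edr event=file_create path=C:\\Documents and Settings\\Administrator\\Application Data\\kqzt\\soaw.exe md5=ED67D056BDB2AC50E57228A03B7DFD9C",
    "09:12:10 host=WS-0142 src=edr event=reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ujhe data=C:\\Documents and Settings\\Administrator\\Application Data\\kqzt\\soaw.exe",
    "09:12:11 host=WS-0142 src=edr event=reg_set key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\C:\\WINDOWS\\explorer.exe data=C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer",
    "09:15:44 host=WS-0077 src=proxy url=http://www.example.com/index.html action=allow",
    "09:16:02 host=WS-0077 src=edr event=reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive data=C:\\Program Files\\OneDrive\\OneDrive.exe",
]

if __name__ == "__main__":
    for host, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"{host}: {len(hits)} indicator hit(s)")
        for hit in hits:
            print(f"  [{hit.kind}] {hit.evidence}")
```

Run as-is it reports seven hits on WS-0142 (download URL, DNS answer, file hash, Run-key persistence and the firewall exception) and nothing on WS-0077, whose legitimate Run value is ignored because it does not point into an Application Data folder. The atomic indicators will go stale when the attacker rotates domains; the two behavioural checks are what carry over to later variants.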