Case Study: IT Manager in Trouble

Volodymyr Obrizan, Alexander Adamov
3rd of February, 2010

This case study shows how the "Creating a description for a malware sample" service is applied, using a fictitious enterprise and a fictitious incident.

Introduction

John Doe is the administrator of the local area network at Some Corporation. His responsibilities are setting up internal and external services for employees and maintaining their personal computers. Every day John responds to employees' issues and solves the problems they cannot solve on their own. John also looks through the logs of several services, including the anti-virus software.

An Incident

One day, while looking through the anti-virus software log, John noticed a malware detection report. The malware had been detected as Backdoor.Win32.Bancodor.bk and removed from the system. John remembered what his Information Security instructor had said: "Anti-virus software doesn't provide a 100 % protection guarantee. Nowadays it is important not only to detect and remove malware, but also to know which security hole or which employee action led to the infection, what the malware does, which connections to remote computers it establishes, and what kind of data it gathers and sends away."

John wanted answers to these questions and decided to find out all the details. This information is needed to handle the security incident and to minimize the security risks.

John saved the malware sample from quarantine and sent it to Design and Test Lab for urgent analysis.

Analysis at the Lab

Virus analysts at Design and Test Lab reversed the malware sample and studied its behavior within a single day. The analysts identified the type of the sample: a trojan that allows remote control of the infected system.

Right after it starts, the backdoor copies itself to the Program Files folder under the name "ashAvast_.exe".

The trojan adds a registry value so that it is started automatically during system boot:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Alwil Software SA"="%Program Files%\ashAvast_.exe"

Once loaded, the backdoor downloads a file from the location:

http://recallbr.com/img/call.cfg

This file contains commands that control the backdoor. It is downloaded to the current user's temporary folder:

%Temp%\call.cfg

The backdoor reads commands from this file and writes redirect rules into the hosts file located at:

%System%\drivers\etc\hosts

As a result, while browsing the web the user may be redirected to a criminal's site instead of the site he actually requested.
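A defender who wants to verify whether a hosts file has been tampered with in this way can parse it and list every hostname that resolves somewhere other than the local machine. The script below is an added example and is not part of the case study or of Design and Test Lab's report; the hosts file contents, the hostnames and the address 203.0.113.45 are constructed for the example. It goes slightly beyond the case study: besides redirects to remote addresses it also reports well-known names pinned to the loopback address, a related trick used to block access to update servers.

```python
import ipaddress
import os
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample hosts file (not taken from the case study). The last
# three data lines imitate the kind of rules a backdoor might inject.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed suspicious entries follow
203.0.113.45    www.example-bank.test
203.0.113.45    online.example-bank.test  # injected redirect
127.0.0.1       update.example-av.test
"""

# Location of the hosts file on Windows (%SystemRoot%\System32\drivers\etc\hosts).
WINDOWS_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts"
)


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: List[str]
    raw: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts file text into entries, ignoring comments, blank and malformed lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is malformed; skip it
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address; skip it
        entries.append(HostsEntry(line_no, parts[0], parts[1:], raw))
    return entries


def audit_hosts(text: str, expected_local: Tuple[str, ...] = ("localhost",)) -> List[Tuple[str, int, str, str]]:
    """Return findings as (kind, line_no, hostname, address).

    kind == "redirect": a hostname is mapped to a non-loopback address, i.e. the
    browser would be sent to that address instead of the real site.
    kind == "sinkhole": a hostname other than the expected local names is mapped
    to loopback, which silently blocks access to that host.
    """
    findings = []
    for entry in parse_hosts(text):
        addr = ipaddress.ip_address(entry.address)
        for host in entry.hostnames:
            if addr.is_loopback:
                if host not in expected_local:
                    findings.append(("sinkhole", entry.line_no, host, entry.address))
            else:
                findings.append(("redirect", entry.line_no, host, entry.address))
    return findings


if __name__ == "__main__":
    # Audit the real hosts file when running on Windows, otherwise the sample.
    if os.path.exists(WINDOWS_HOSTS_PATH):
        with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for kind, line_no, host, address in audit_hosts(text):
        print(f"line {line_no}: {kind:8s} {host} -> {address}")
```

Every finding should be compared against the legitimate entries the organization maintains itself (an intranet name mapped to an internal address is a redirect by this definition but is not malicious); the point of the audit is to make any entry the administrator did not put there visible.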

The backdoor may also read additional links from its configuration file and download further malware samples. These samples are stored in the temporary folder under unique file names.

When the analysis was finished, the virus analysts compiled all the information into a report and sent it to John Doe.

The Administrator's Actions

John learned from the report that the malware grants the criminal full access to the file system.

John followed the advice provided by Design and Test Lab. First, all passwords must be changed, because the backdoor might use phishing sites to gather passwords. Second, the anti-virus databases must be updated and the system scanned.

Conclusions

Anti-virus software does not provide a 100 % guarantee. Malware samples detected on a system need additional analysis. Depending on the results of that analysis, an IT manager can take the actions necessary to prevent leaks of sensitive information and future intrusions.

Such an analysis can be obtained through the "Creating a description for a malware sample" service.

© 2010 "Design and Test Lab", LLC. All rights reserved.