Hey guys,
If you haven’t read the previous articles here they are:-
So, moving onto module 4 ‘Handling and Responding to Malware Incidents’.
- Understand the concept of malware incident response (IR)
- Define different types of malware and their propagation
- Discuss preparation required to handle malware incidents
- Detect malware from live systems, memory dumps, and intrusions
- Illustrate containment of malware incidents
- Explain eradication methodology
- Explain steps required to recover after malware incidents
- Define guidelines to prevent malware incidents

We start off in this section speaking about the different types of malware from Trojan Horse to Worms and Ransomware to Crypter with everything in between.
It goes over components of malware, methods of malware propagation, common techniques used to distribute malware and the NEED for malware incident response.

It’s a really interesting section, you know already a lot about malware but its nice seeing it broken down like this.
In the labs section we have NINE labs to get our teeth into which I am proper excited about.
Lab 1
Monitoring TCP/IP Connections Using CurrPorts
CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.
In addition, CurrPorts allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports information to HTML file , XML file, or to tab-delimited text file.
CurrPorts also automatically mark with pink colour suspicious TCP/UDP ports owned by unidentified applications (Applications without version information and icons).


Lab 2
Performing Registry Entry Monitoring
Regshot takes a snapshot of the registry allowing you to compare any changes made, is a small, free and open-source registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one – done after doing system changes or installing a new software product. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between the two snapshots. In addition, you can also specify folders (with subfolders) to be scanned for changes as well.


Lab 3
Performing Startup Program Monitoring
WinPatrol is a computer monitoring utility used to protect files and folders from any unwanted changes, it is a free security utility that allows you to get a closer look under the hood of Windows so that you can detect programs that should not be running.
When using WinPatrol, you will be shown various tabs that show information about configuration sections in Windows.
These tabs allow you to get a good overview of what programs are starting and files that may have been left behind by malware.
Some of the information that WinPatrol displays include:
- Active Tasks
- Services
- Startup Programs
- Cookies
- File Types
- Hidden Files
To make it easier to interpret the information being displayed, WinPatrol will automatically whitelist services and startup items that belong to Microsoft. This allows you to quickly spot ones that do not belong.
For those who wish to have extra features such as ActiveX Controls and Registry monitoring, you can upgrade to WinPatrol Plus.

Lab 4
Performing Device Driver Monitoring
Driver Booster 5 is a powerful and easy-to-use driver updater from IObit it is an easy-to-use yet powerful driver updater program, which can help users to keep the outdated/faulty/missing drivers and game components always updated correctly.

Lab 5
Detecting Trojans
A trojan is a program that contains malicious or harmful code hidden inside apparently harmless programming or data in such a way that it can take control of the system and cause damage (e.g., by ruining the file allocation table on a hard drive).
Autoruns has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players.
These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys.
Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
I have used it before doing malware analysis.

jv16 PowerTools is a Windows utility suite with 13 powerful, yet easy to use tools to make your Windows PC work faster and smoother.
Automatically fix common Windows errors, make your computer start faster and clean old, unneeded junk from your system with ease.

Lab 6
Virus Analysis Using VirusTotal
VirusTotal calculates the hash values of a suspect file and compares them to online and offline malware databases to find the existence of the recognized malicious code.
VirusTotal was founded in 2004 as a free service that analyses files and URLs for viruses, worms, trojans and other kinds of malicious content.
The goal is to make the internet a safer place through collaboration between members of the antivirus industry, researchers, and end users of all kinds.


Lab 7
Virus Analysis Using IDA Pro
IDA Pro is a multi-platform disassembler and debugger that explores binary programs for which source code is not always available to map their execution.
The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It also can be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in for programs compiled with a C/C++ compiler is available at extra cost.
First time I have used this, I have previously used OllyDbg.


Lab 8
Virus Analysis Using OllyDbg
OllyDbg is a debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers; recognizes procedures, API calls, switches, tables, constants, and strings; and locates routines from object files and libraries.
OllyDbg (named after its author, Oleh Yuschuk) is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. It has a user-friendly interface, and its functionality can be extended by third-party plugins.
I have previously used on a malware analysis course I done.

Lab 9
Removing Malware Using ClamWin
ClamWin is a highly effective and widely used malware removal program that can detect and remove the latest variants of multiple malwares
ClamWin Free Antivirus.

So yeah, pretty good module overall and was good getting into some of the tools, I haven’t come across a few of them previously so that was nice and when you use one tool for a job you can usually get your head around other similar ones.
Regards
Alex