A couple interesting papers posted up on SANS reading room.
First, “Malware Analysis: An Introduction.” I don’t particularly care so much for the introduction part, but I do like the walk-through later in the paper. I like to save paper, so I only printed out what I found interesting: pages 40-63. I should save even more paper and invest in a Kindle or e-book reader… One thing I notice the author didn’t use but I would recommend is a snapshot tool run before and after execution of the malware to capture changes in processes, files, and registry entries (Inctrl5 is still a great choice). I know he watches Process Explorer and TCPView, but it can be difficult to read everything in realtime if the malware does a lot. I was surprised there was no mention of Filemon or Regmon either.
Second, “Espionage – Utilizing Web 2.0, SSH Tunneling and a Trusted Insider.” I didn’t think this would be something I’d print out and read, but in quickly scrolling through it, it seems to pack a lot of very technical stuff into a web-borne client-side exploit. I appreciate that! Later in the paper, Ahmed discusses the incident reponse actions of the victim.
I swear I picked these up from McGrew’s blog, but can’t find them now. I could be wrong and got them elsewhere…