The Malware Management Framework

BENEFITS OF USING THE MALWARE MANAGEMENT FRAMEWORK

Utilizing the Malware Management Framework process provides the following benefits:

  • Reduce virus/malware investigation time
  • Reduce user downtime
  • Reduce time required by staff to investigate
  • Reduce investigation costs
  • Speed up traditional forensics
  • Faster resolution and decision about a suspect system
  • Faster return to normal business
  • Discover even the most advanced malware
  • Significant reduction of costs for incident response
  • Minimal costs, if any, to set up

Much like vulnerabilities are managed, malware too must be managed. Malware can no longer be ignored, and it is crucial that the time between compromise and discovery be reduced from the average 200+ days to hours or days. You won't find what you are not looking for, and today's malware is an ever-increasing challenge and threat. Anti-virus/malware prevention is failing to keep up with today's malware challenge, but the Malware Management Framework can significantly improve this condition and significantly reduce your costs.

DEFINITION

The Malware Management Framework is the cyclical practice of identifying, classifying, remediating, and mitigating malware.  This practice generally refers to malicious or suspect software in computing systems and is made up of the following components:

1.  Regular (daily/weekly/monthly) review of virus descriptions, malware analysis and Advanced Persistent Threat (APT) reports for malware bits that you can look for or monitor for in your environment
2.  A Master File Repository (MFR): an offline system that contains an operating system with as many as possible, if not all, of the applications from your environment installed on it. This system is kept offline/disconnected from the network
3.  A scanning script and/or tool(s) to compare files from the MFR against a suspect or compromised system containing malware
4.  Analysis of the results of the scan
5.  Creation of any analysis scripts and/or tools to monitor systems on your network for the locations and files identified in #1 (review of virus descriptions, malware analysis and APT reports)
6.  Reporting any malware findings using the Malware Reporting Standard for public consumption

MASTER FILE REPOSITORY (MFR)

A Master File Repository is a 'master' system that contains an operating system and as many as possible of the applications that are normally installed and used on systems in your environment. One or more systems are built for each operating system version, containing the appropriate applications for a particular environment (HR, IT, Accounting, Marketing, etc.). The Master File Repository must be maintained offline (unplugged from the network) in order to protect the integrity of the system from infection or compromise by malware over a network. Only connect it to the network long enough to allow 'auto-update' to run and complete software updates. The local firewall should also be used to restrict which Internet systems are allowed to be contacted, such as Windows Update, Adobe update, Google update, Java update, etc. It is critical that a Master File Repository never be left on the network or connected to an account repository such as Active Directory or LDAP. Use local unique accounts to limit access in the event of an account compromise.

1.  Obtain a desktop (or bare metal server hardware) with plenty of hard disk space and at least 16GB of RAM. Use an SSD if you can; it really speeds up the virtual machines
2.  Pick a VM tool like VirtualBox, VMware Workstation or VMware ESXi

  • https://www.virtualbox.org
  • http://www.vmware.com/products/workstation
  • http://www.vmware.com/products/vsphere/esxi-and-esx/overview.html

3.  Create a new VM for each Windows version (works for Linux/Unix too) you plan for your Master File Repository
4.  Install the version(s) of Windows you want to manage malware detection on
5.  Install every possible OS option you can during the install (more options for servers)
6.  Configure the Windows firewall to only allow Update.Microsoft.com, or any other update services you trust and use
7.  Run Windows update and fully patch the system; yes, many reboots will be needed
8.  UNPLUG the network cable!!! You don’t want or need your Master File Repository(s) on the network

GETTING STARTED


1.  Build your Master File Repository (MFR)
2.  Run a hashing utility like MD5Deep, SHA1Deep or SHA256Deep on each of your Master systems

    md5deep64 -r C:\   (does the entire drive and all subdirectories)
    md5deep64 -r "C:\Program Files"   (does only Program Files and all subdirectories)

You may want to do the whole drive or by directories from the root to speed up spot checking. We recommend by directory as the files will be smaller and faster for spot checking. If you scan Users, ProgramData and Windows directories and they come up clean, then do the whole disk as time permits off hours or as a scheduled job.

There are many options for the hash utilities, use the ‘-h’ (MD5Deep) switch to understand all the available options or visit the website and read the Man Page.

  • http://md5deep.sourceforge.net/md5deep.html

Jedi Tip: You may copy/install these utilities to your Master File Repositories via a freshly formatted USB drive or CD/DVD. Do NOT use your Master File Repository to download files from the Internet - EVER! The goal is to keep your Master File Repository off the network and free of any potential contamination. You must feel 100% confident that your Master File Repository is clean!

3.  Compare your Master File Repository to a suspect system or to validate a system is clean

The MD5Deep tools allow you to compare a saved list of hashes to the system you are scanning. See the -m, -M, -x and -X flags for the matching options and how to use them. All you need to do is copy the saved hash file(s) you created on your Master File Repository to a thumb drive (preferably one with a read-only switch) or burn them to a CD/DVD. You don’t want any malware to infect your master files!

Use your read-only copy of your Master File Repository hashes and run the hash utilities against your target system(s) with the master file hashes as your input.

At this point you might be wondering what about systems with valid unique files such as drivers, applications and utilities the user might have installed? Or maybe the hardware vendor is different for the system or a component.

As you run your hashing utility against a target system and find something NEW, you will want to add the new application(s) to your Master File Repository in order to eliminate these files for future scans on your systems. The more you add to your Master File Repository, the less output you will have on your target scans.
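An added example (not part of the original framework or of the md5deep project) of the comparison step described above: it parses hash listings in the default "<hash>  <path>" layout printed by the md5deep family and reports target files whose hash is absent from the master listing, the same hash-based negative matching that -x performs. The listings, paths and digests are constructed for illustration, and the NEW/MODIFIED labels are names chosen for this example.

```python
import re
from collections import namedtuple

# Default md5deep/sha1deep/sha256deep output line: "<hex digest>  <path>"
LINE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\s+(.+?)\s*$", re.I)
Finding = namedtuple("Finding", "kind path digest")

def parse_listing(text):
    """Map lower-cased path -> (path, digest); lines that are not hashes are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries[m.group(2).lower()] = (m.group(2), m.group(1).lower())
    return entries

def compare(master_text, target_text):
    """Report target files whose content hash is absent from the master listing."""
    master = parse_listing(master_text)
    known = {digest for _, digest in master.values()}
    findings = []
    for key, (path, digest) in sorted(parse_listing(target_text).items()):
        if digest in known:
            continue  # identical content exists on the MFR, whatever its name
        # MODIFIED: the path exists on the MFR but the content differs (this
        # may only be a patch-level gap); NEW: the path is not on the MFR.
        kind = "MODIFIED" if key in master else "NEW"
        findings.append(Finding(kind, path, digest))
    return findings

# Constructed sample listings; digests and paths are made up for illustration.
MASTER = r"""
0123456789abcdef0123456789abcdef  C:\Windows\System32\notepad.exe
fedcba9876543210fedcba9876543210  C:\Windows\System32\svchost.exe
"""
TARGET = r"""
0123456789abcdef0123456789abcdef  C:\Windows\System32\notepad.exe
0123456789abcdef0123456789abcdef  C:\Tools\np.exe
00112233445566778899aabbccddeeff  C:\Windows\System32\svchost.exe
ffeeddccbbaa99887766554433221100  C:\Users\alice\AppData\Roaming\updater.exe
md5deep: C:\pagefile.sys: Permission denied
"""

if __name__ == "__main__":
    for f in compare(MASTER, TARGET):
        print(f"{f.kind:8} {f.digest}  {f.path}")
```

A MODIFIED result is a lead for review rather than a verdict: patch the Master File Repository to the same level as the target and rescan before treating the file as suspect.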

REMOTE SYSTEMS

You can map a drive letter to a remote system, say Z:, and run your scan against the target this way. It will be slow, but it works. If you have a software management solution like Microsoft SCCM, BigFix, etc. then you can create a package and job to run these scans off hours and push the output to a central server.

IT'S A PROCESS


The Malware Management Framework is a continual process of updating your Master File Repository with trusted applications and files: files that you find on target systems and are certain are clean, from a trusted vendor source, directly downloaded from a vendor website. You feed the Master File Repository and use the output against target or suspect system(s) to evaluate their potential for malware or to validate that they are clean. The more you feed your Master File Repository, the cleaner your output from the targets will be!

The Malware Management Framework is only as good as the valid files you feed your Master File Repository. For hardware-specific files such as video, network and system drivers, you may extract the installer onto your Master File Repository using the built-in flag of the installer, or use a tool like WinZip or 7Zip to extract the files onto your Master File Repository.


As you update and patch your user systems and servers, power up your Master File Repository, plug it into the network and run Windows update. Once complete, unplug from the network! You might also consider using Secunia PSI and CSI to keep your applications up to date or notify you of updates on your Master File Repository. Be sure to use manual downloads directly from the vendor websites to avoid any malicious updater downloading files from untrusted sources.  Avoid freeware and shareware in your Master File Repositories unless you are certain they are clean.

Conclusion


If you are diligent and follow these basic steps of the Malware Management Framework, you can quickly evaluate systems for suspicious files like malware, or assure a system is malware free.

Resources

Below are some items to help you start using the Malware Management Framework.

  • Malware Reporting Standard
  • Malware analysis worksheet sample
  • Malware Analysis Reports: