Last-minute presentation: A 'sting operation' to fool suspected threats

Sergei Shevchenko (PC Tools)

Threats can reach a computer from numerous sources: by email, through chat programs such as Messenger or IRC clients, or by browsing websites that host malware.

When new suspect files are identified, system administrators can send them to an Internet security company, such as an anti-virus or anti-malware vendor, for analysis. The company investigates the threat and, some time later (anywhere from a few hours up to 48 hours, depending on the threat's complexity), provides updated definitions to remove it. If the threat warrants additional research, a detailed description of it is sometimes published on the Internet afterwards.

Nevertheless, the delay between identifying the suspect files and receiving a definition update that removes the infection can result in severe financial losses for an organization.

This is where Threat Expert steps in. Threat Expert takes a suspect file, places it in a self-contained environment, deliberately executes it there and monitors its behaviour. Snapshots of the file system, the Windows Registry, network traffic and memory are recorded, and a set of specific 'hooks' intercepts the communication routes that infections typically use.

These hooks 'deceive' the threat into communicating across a simulated network, while its communication is in fact being recorded in detail by Threat Expert. From this recorded data a detailed report is generated, covering system changes, memory and traffic dump analyses, and the other significant system activity caused by the threat.
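One of the 'fake' servers the paragraph above alludes to, written out as an added example (this is not PC Tools or Threat Expert code). It answers an IRC bot just enough for the bot to believe it has reached its command channel, while every line the bot sends (nick pattern, channel name, channel key, status messages) is recorded for the report. The protocol logic is a line-oriented state machine, so it can be driven without a network; `serve_client()` puts the same machine behind a real TCP connection and assumes the sandbox's DNS answers already point the bot at the analysis host. `SERVER_NAME`, the seeded channel topic and the bot transcript are all constructed for the example.

```python
"""A 'fake' IRC server that lets a bot believe it has reached its command
channel while every line it sends is recorded. Added example, not code from
PC Tools or Threat Expert. The protocol handling is a line-oriented state
machine so it can be driven without a network; serve_client() puts the same
machine behind a real TCP connection, assuming the sandbox's DNS answers
point the bot at the analysis host. The bot transcript is constructed."""
import socket

SERVER_NAME = "irc.sandbox.invalid"   # hypothetical name shown to the bot


class FakeIRC:
    def __init__(self, topics=None):
        self.nick = None
        self.user = None
        self.registered = False
        self.channels = set()
        self.topics = topics or {}   # channel -> topic to plant (bots often read commands from it)
        self.log = []      # ("C", line) / ("S", line): raw transcript for the report
        self.events = []   # decoded bot actions worth reporting

    def handle_line(self, line: str) -> list:
        """Consume one line from the bot and return the lines to send back."""
        self.log.append(("C", line))
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        out = []
        if cmd == "NICK":
            self.nick = arg.strip()
            self.events.append(("NICK", self.nick))
        elif cmd == "USER":
            self.user = arg.split(" ", 1)[0]
            self.events.append(("USER", arg))
        elif cmd == "PING":
            out.append("PONG " + arg)
        elif cmd == "JOIN":
            chans, _, key = arg.partition(" ")
            for chan in chans.split(","):
                self.channels.add(chan)
                self.events.append(("JOIN", chan, key))   # the channel key is evidence too
                out.append(f":{self.nick}!{self.user}@sandbox JOIN :{chan}")
                if chan in self.topics:
                    out.append(f":{SERVER_NAME} 332 {self.nick} {chan} :{self.topics[chan]}")
                else:
                    out.append(f":{SERVER_NAME} 331 {self.nick} {chan} :No topic is set")
                out += [f":{SERVER_NAME} 353 {self.nick} = {chan} :{self.nick}",
                        f":{SERVER_NAME} 366 {self.nick} {chan} :End of /NAMES list"]
        elif cmd in ("PRIVMSG", "NOTICE"):
            target, _, text = arg.partition(" :")
            self.events.append((cmd, target, text))
        elif cmd == "QUIT":
            self.events.append(("QUIT", arg.lstrip(":")))
            out.append("ERROR :Closing link")
        else:
            self.events.append(("OTHER", line))
        if not self.registered and self.nick and self.user:
            # Minimal welcome burst; most bots proceed to JOIN after 001/376.
            self.registered = True
            out += [f":{SERVER_NAME} 001 {self.nick} :Welcome to the sandbox",
                    f":{SERVER_NAME} 376 {self.nick} :End of /MOTD command"]
        self.log.extend(("S", o) for o in out)
        return out


def serve_client(conn: socket.socket, state: FakeIRC) -> None:
    """Run the state machine over one accepted TCP connection (IRC lines end in CRLF)."""
    with conn, conn.makefile("rb") as rx:
        for raw in rx:
            line = raw.decode("latin-1").rstrip("\r\n")
            if not line:
                continue
            for reply in state.handle_line(line):
                conn.sendall((reply + "\r\n").encode("latin-1"))
            if line.upper().startswith("QUIT"):
                break


def run_transcript(lines) -> FakeIRC:
    """Drive the state machine with a recorded or constructed bot session."""
    state = FakeIRC(topics={"#b0tz": "!status"})   # constructed planted topic
    for line in lines:
        state.handle_line(line)
    return state


BOT_SESSION = [   # constructed; the shape of a typical IRC bot's first seconds
    "NICK [USA|XP]-873201",
    "USER xp 0 * :xp",
    "JOIN #b0tz s3cretkey",
    "PRIVMSG #b0tz :[STATUS]: up 0m, 1 thread",
    "PING :" + SERVER_NAME,
    "QUIT :bye",
]

if __name__ == "__main__":
    session = run_transcript(BOT_SESSION)
    for direction, line in session.log:
        print(direction, line)
    print(session.events)
```

To use it against a live sample, bind a listener on the port the sample resolves its C&C host to and call `serve_client(conn, FakeIRC(...))` per accepted connection; the `events` list is what goes into the report, and the raw `log` is kept as the traffic evidence behind it.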

This presentation is a practical guide to the advantages of using an advanced automated threat analysis system, in the current climate of zero-hour threats, to cut the time between first detection and a solution or signature.

The presentation covers the following topics:

  • Snapshotting the system: file system, Windows Registry, running processes/services, loaded modules, allocated memory pages, open ports
  • Proactive memory scanner: how to catch a threat process in memory once it is fully unpacked
  • 'Talk to me, baby' - implementation of the 'fake' servers such as DCOM RPC, IRC, HTTP, DNS/SMTP
  • 100% bullet-proof rootkit detection: catching Mailbot/Rustock and Storm/Zhelatin rootkits
  • API monitor/interceptor: reporting various threat behaviour
  • Kernel mode driver: detecting SSDT/IRP-hooks
  • 'Goat on a leash': a practical implementation of the automated threat analysis system on physical hardware - no virtual machines, no sandboxes. 'Goat on a leash' defeats Themida protection and successfully analyses threats that employ VM-detection methods and/or attack vectors against VMs.
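The bookkeeping behind the first topic, 'snapshotting the system', as an added example (not PC Tools or Threat Expert code): a snapshot maps each artifact identifier (file path, Registry value, process image, listening port) to what was observed, and the difference between the snapshot taken before the sample runs and the one taken after is the sample's footprint, which is what the report's 'system changes' section is built from. The autostart prefixes are an illustrative list, and every path, Registry value, hash and port in the two snapshots is constructed sample data for a hypothetical dropper.

```python
"""Pre/post-execution snapshot diff (file system, Registry, processes, ports).
Added example, not code from PC Tools or Threat Expert: a snapshot maps each
artifact identifier to what was observed, and the difference between the
snapshot taken before the sample runs and the one taken after is the sample's
footprint. All snapshot contents here are constructed sample data."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Content hash used as the observation for a file path."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Snapshot:
    files: dict       # path -> SHA-256 of file content
    registry: dict    # r"HIVE\Key\ValueName" -> data
    processes: set    # image names of running processes
    ports: set        # listening TCP ports


@dataclass
class Diff:
    files_added: dict = field(default_factory=dict)
    files_removed: set = field(default_factory=set)
    files_modified: dict = field(default_factory=dict)     # path -> (old, new)
    registry_added: dict = field(default_factory=dict)
    registry_removed: set = field(default_factory=set)
    registry_modified: dict = field(default_factory=dict)  # value -> (old, new)
    processes_started: set = field(default_factory=set)
    ports_opened: set = field(default_factory=set)


def diff_mappings(before: dict, after: dict):
    """Split two observation maps into (added, removed, modified)."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k for k in before if k not in after}
    modified = {k: (before[k], after[k])
                for k in before if k in after and before[k] != after[k]}
    return added, removed, modified


def diff_snapshots(before: Snapshot, after: Snapshot) -> Diff:
    d = Diff()
    d.files_added, d.files_removed, d.files_modified = diff_mappings(
        before.files, after.files)
    d.registry_added, d.registry_removed, d.registry_modified = diff_mappings(
        before.registry, after.registry)
    d.processes_started = after.processes - before.processes
    d.ports_opened = after.ports - before.ports
    return d


# Autostart locations a dropper commonly writes to (illustrative prefixes, not exhaustive).
AUTOSTART_PREFIXES = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\System\CurrentControlSet\Services",
)


def persistence_hits(d: Diff) -> list:
    """Registry values created or changed under an autostart location, each
    paired with whether the file they point at was dropped during the run."""
    changed = dict(d.registry_added)
    changed.update({k: new for k, (_old, new) in d.registry_modified.items()})
    prefixes = tuple(p.upper() for p in AUTOSTART_PREFIXES)
    return [(value, data, str(data).strip('"') in d.files_added)
            for value, data in changed.items()
            if value.upper().startswith(prefixes)]


RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
DROPPED = r"C:\Windows\System32\svchosts.exe"   # hypothetical dropped file

# Constructed sample: state before and after running a hypothetical dropper.
BEFORE = Snapshot(
    files={r"C:\Windows\explorer.exe": sha256_hex(b"explorer-v1"),
           HOSTS: sha256_hex(b"127.0.0.1 localhost\r\n")},
    registry={RUN + r"\ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"},
    processes={"explorer.exe", "svchost.exe"},
    ports={135, 445},
)
AFTER = Snapshot(
    files={r"C:\Windows\explorer.exe": sha256_hex(b"explorer-v1"),
           HOSTS: sha256_hex(b"127.0.0.1 localhost\r\n127.0.0.1 update.example\r\n"),
           DROPPED: sha256_hex(b"dropped-payload")},
    registry={RUN + r"\ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
              RUN + r"\Windows Update": DROPPED},
    processes={"explorer.exe", "svchost.exe", "svchosts.exe"},
    ports={135, 445, 31337},
)

if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    print("files added:", sorted(d.files_added), "modified:", sorted(d.files_modified))
    print("processes started:", sorted(d.processes_started), "ports opened:", sorted(d.ports_opened))
    for value, data, dropped in persistence_hits(d):
        print("autostart:", value, "->", data, "(dropped this run)" if dropped else "")
```

Hashing content rather than comparing timestamps is deliberate: a sample that patches a system file in place and restores its timestamps still shows up in `files_modified`. Pairing an autostart value with the file it points at is what turns two separate observations (a new file, a new Registry value) into the single 'installs itself for persistence' finding a report wants.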

