MALWARE EVOLUTION #2 Secure deletion methods

March 12, 2010


With the rise of a forensic response to malware intrusion, you would think that malware would be smart enough to actually attempt to clean up its tracks by implementing secure deletion methods. These would include secure deletion off the disk, so as to foil file recovery via forensic means, using tried and true secure deletion tools such as those used to wipe a drive of classified materials. Microsoft SysInternals sdelete.exe and a zillion other tools are freely available but, for whatever reason, have not been incorporated into attack methods. I have been wondering about this absence in malware for a while now. It will only be a matter of time. While Metasploit has pioneered a number of anti-forensics methods, not one has delved into the secure erasure of malware footprints so as to render forensic response by products such as Guidance Software EnCase moot.
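The flip side of the point above is that if malware ever does start shelling out to a wiper such as sdelete.exe, the execution of that wiper is itself a strong signal for a responder, because a normal user process rarely spawns one. The following is an added example (not code from the post or from SysInternals) of detection logic run over constructed Windows process-creation log lines. The simplified `key=value` line layout, the list of "interactive" parent shells, and the user-writable-path heuristic are assumptions; the sdelete switches `-p` (overwrite passes) and `-z` (zero free space) are real, and sdelete.exe itself is the tool named in the post.

```python
"""
Flag executions of secure-deletion / disk-wiping utilities in
process-creation logs, so a responder sees the attempt to destroy
evidence even when the wiped file itself is unrecoverable.

Added example, not code from the original post. Log lines are
constructed; the key=value layout is an assumed simplification of a
process-creation event, not any vendor's real format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: four process-creation events on two hosts.
SAMPLE_LOG = """\
2010-03-12T10:01:02Z host=WS01 event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe cmd="notepad.exe C:\\Users\\bob\\notes.txt"
2010-03-12T10:03:45Z host=WS01 event=ProcessCreate image=C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe parent=winlogon.exe cmd="svc.exe"
2010-03-12T10:03:46Z host=WS01 event=ProcessCreate image=C:\\Users\\bob\\AppData\\Local\\Temp\\sdelete.exe parent=svc.exe cmd="sdelete.exe -p 3 -accepteula C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"
2010-03-12T10:30:00Z host=WS02 event=ProcessCreate image=C:\\Tools\\sdelete.exe parent=cmd.exe cmd="sdelete.exe -z C:"
"""

# Assumed line layout of the constructed log above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) '
    r'image=(?P<image>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>[^"]*)"$'
)

WIPE_TOOLS = {"sdelete.exe"}  # from the post; extend with other wipers as needed
# Assumption: parents that indicate a human operator rather than a program.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
# Assumption: paths a non-admin user can write to.
USER_WRITABLE_HINT = re.compile(r"\\(temp|tmp|appdata)\\", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    host: str
    severity: str   # "high" or "medium"
    reason: str
    cmd: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def wipe_passes(cmd: str) -> Optional[int]:
    """Number of overwrite passes requested via sdelete's -p switch, if any."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmd)
    return int(m.group(1)) if m else None


def assess(ev: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when the event is a wiper execution, else None."""
    if ev["event"] != "ProcessCreate" or basename(ev["image"]) not in WIPE_TOOLS:
        return None
    reasons: List[str] = []
    severity = "medium"  # any wiper run is worth review; escalate on context
    parent = basename(ev["parent"])
    if parent not in INTERACTIVE_PARENTS:
        severity = "high"
        reasons.append(f"spawned by non-interactive parent {parent}")
    if USER_WRITABLE_HINT.search(ev["image"]):
        severity = "high"
        reasons.append("wiper binary runs from a user-writable directory")
    # Wiper aimed at its own parent's binary: a process erasing its footprint.
    if parent in ev["cmd"].lower():
        severity = "high"
        reasons.append("target is the parent process's own executable")
    passes = wipe_passes(ev["cmd"])
    if passes is not None:
        reasons.append(f"{passes} overwrite passes requested")
    if not reasons:
        reasons.append("secure-deletion tool executed")
    return Finding(ev["ts"], ev["host"], severity, "; ".join(reasons), ev["cmd"])


def scan(log_text: str) -> List[Finding]:
    """Parse every line and collect findings; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            f = assess(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.ts} {f.host}: {f.reason} :: {f.cmd}")
```

Running it against the constructed sample yields two findings: the sdelete.exe launched from a Temp directory by another Temp-resident program to wipe that program's own binary is rated high, while the administrator's free-space wipe from a command prompt is rated medium. The value for a responder is that a process-creation record survives on the host or in a central log even after the wiped file is gone, so the log line becomes the evidence the wiper was meant to remove.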

Additionally, advanced methods to obfuscate in memory and to securely delete or overwrite critical data in memory would be needed to foil the growing rise of live memory forensics, which many organizations still can't seem to wrap their heads around to use operationally. HBGary is an awesome tool for live memory forensics, as are Mandiant and the Volatility Framework.
