December is a time for giving and with the holidays around the corner, we wanted to recognize the favorites on M-Unition from our readers. One of our most popular categories is The Lab. This is the place that readers go for the latest on Mandiant incident response tools, tips and in-depth research. In case you've missed any of these posts in 2012, here is a recap of our five most popular.
Authored by Ryan Kazanciyan and Christopher Glyer, this post overviews an interesting sample of malware that was uncovered by Mandiant analysts and discusses some of its distinctive characteristics, particularly the clever mechanisms it uses to load on a compromised system.
Christopher Glyer and Ryan Kazanciyan continue their analysis of this piece of malware. In this second part they look at some of the counter-forensic techniques it uses to stay hidden in a compromised environment, provide an Indicator of Compromise (IOC) for finding host-based evidence of the malware, and discuss how attackers took advantage of its functionality.
M-Unition blogger Carrie Jung takes a deeper look at Duqu, which received a lot of media attention at the beginning of the year. Duqu is a computer worm that the CrySyS Lab (http://www.crysys.hu/) discovered in September 2011. In this post, Carrie examines the OpenIOC language and demonstrates how to use this powerful, flexible tool to spot the entire Duqu family.
William Ballenthin and Jeff Hamm kicked off this series after holding a webinar on how to use INDX buffers to assist in an incident response investigation. The series covers extracting an INDX attribute, the internal structure of the file name attribute, a step-by-step guide to parsing INDX records, and the internal structure of an INDX record. The entire series was published in three parts.
During MIRcon™ in October, Mandiant's Nick Bennett and Jake Valletta discussed data stacking. If you were unable to attend the talk, this blog post discusses the data analysis technique in-depth.