Cameron H. Malin - Malware Forensics: Investigating and Analyzing Malicious Code

In Memory of Our FathersJames A. Aquilina1940 2003James Malin19262002Acknowledgements James warmly thanks and honors trusted confidants, friends, and co-authors Cameron and Eoghanwhat a ride. For Obi Jol es and my loving family, who always support and cherish me, thank you, I love you, you al mean the world to me. I am ever humbled by the tremendous talent of my LA staff and appreciate the input of Stroz Friedberg col eagues Steve Kim, Jenny Martin, Beryl Howel , and Paul Luehr on this project. I am grateful for the enduring loyalty and friendship of Ali Mayorkas, Alicia Vil arreal, Jeff Isaacs, Alka Sagar, and my other friends and col eagues at the U.S. Attorneys Office in Los Angeles, from whom I have learned so much.

For FBI Cyber Squad Supervisor Ramyar Tabatabian, U.S. Marshal Adam Torres, and al of the talented federal law enforcement agents I have come to know and work with, keep fighting the good fight. To Curtis Rose, our dedicated and tireless technical editor, we could not have pul ed this off without you. And for my father, my rock, I miss you terribly. Eoghan would primarily like to thank Cameron Malin for coming up with the idea for this book and bringing it to fruition, and James Aquilina for his continued friendship. I am indebted to Cory Altheide, Harlan Carvey and Aaron Walters for sharing their knowledge, responding to my questions with such promptness and patience, and providing technical feedback on material in this book.

I am grateful to Curtis Rose for his thorough and insightful technical editing. Many thanks to Andy Johnston and Thorsten Holz for sharing malware samples used to develop ideas and scenarios for this book. Thanks also to Seth Leone, Terrance Maguire, Marissa McGann, Steve Mead, Anthony Pangilinan, Ryan Pittman, Ryan Sommers, Gerasimos Stellatos, and my other friends from Stroz Friedberg for their support of this project. Finally, my love to Gen and Roisin for enriching my existence, and enabling the many late nights and weekend work that made this book possible. Cameron would like to thank the following people for their support on this project: Eoghan and JamesI am grateful for having the opportunity and privilege of working with you both. Thank you for your dedication and hard work on this project.

My deepest gratitude to Curtis Rose for tackling this Herculean task and making it look easy; your insightful and methodical technical editing is greatly appreciated. Many thanks to the talented Special Agents of the FBI Cyber program in Los Angeles and across the FBI for the honor of working and sharing ideas with you. Also, special thanks to the folks in the FBI who made this project possible. To my mother, father and sister for inspiring me to always pursue my goals and dreams and to never give up in the face of adversity. Although Dad is no longer with us, his legacy and lessons are very much alive and well. To my grandmother, who always stressed the important of education and faith.

Finally, to my beautiful soul mate Adrienne; your patience, support and sacrifice made this book possible. I love you. iv AuthorsJames M. Aquilina is an Executive Managing Director and Deputy General Counsel of Stroz Friedberg, a technical services and consulting firm specializing in digital computer forensics; electronic data preservation, analysis, and production; computer fraud and abuse response; and computer security. Mr. Aquilina contributes to the management of the firm and the handling of its legal affairs, in addition to having overal responsibility for the Los Angeles office.

He supervises numerous digital forensic and electronic discovery assignments for government agencies, major law firms, and corporate management and information systems departments in criminal, civil, regulatory and internal corporate matters, including matters involving e-forgery, wiping, mass deletion and other forms of spoliation, leaks of confidential information, computer-enabled theft of trade secrets, and il egal electronic surveil ance. He has served as a neutral expert and has supervised the court-appointed forensic examination of digital evidence. Mr. Aquilina also has led the development of the firms online fraud and abuse practice, regularly consulting on the technical and strategic aspects of initiatives to protect computer networks from spyware and other invasive software, malware and malicious code, online fraud, and other forms of il icit Internet activity. His deep knowledge of botnets, distributed denial of service attacks, and other automated cyber-intrusions enables him to provide companies with advice and solutions to tackle incidents of computer fraud and abuse and bolster their infrastructure protection. Prior to joining Stroz Friedberg, Mr.

Aquilina was an Assistant U.S. Attorney in the Criminal Division of the U.S. Attorneys Office for the Central District of California, where he most recently served as a Computer and Telecommunications Coordinator in the Cyber and Intellectual Property Crimes Section. He also served as a member of the Los Angeles Electronic Crimes Task Force and as chair of the Computer Intrusion Working Group, an inter-agency cyber-crime response organization. As an Assistant, Mr. Aquilina conducted and supervised investigations and prosecutions of computer intrusions, extortionate denial of service attacks, computer and Internet fraud, criminal copyright infringement, theft of trade secrets, and other abuses involving the theft and use of personal identity.

Among his notable cyber cases, Mr. Aquilina brought the first U.S. prosecution of malicious botnet activity for profit against a prolific member of the botmaster underground who sold his armies of infected computers for the purpose of launching attacks and spamming, and used his botnets to generate income from the surreptitious installation of adware; tried to jury conviction the first criminal copyright infringement case involving the use of digital camcording equipment; supervised the governments continuing prosecution of Operation Cyberslam, an international intrusion investigation involving the use of hired hackers to launch computer attacks against online business competitors; and oversaw the collection and analysis of electronic evidence relating to the prosecution of a local terrorist cell operating in Los Angeles. During his tenure at the U.S. Attorneys Office, Mr. Aquilina also served in the Major Frauds and Terrorism/Organized Crime Sections where he investigated and tried numerous complex cases, including a major corruption trial against an IRS Revenue Officer and public accountants; a fraud prosecution against the French bank Credit Lyonnais in connection with the rehabilitation and liquidation of the now defunct insurer Executive Life; and an extortion and kidnapping trial against an Armenian organized crime ring.

In the wake of the September 11, 2001 attacks, Mr. Aquilina helped establish and run the Legal Section of the FBIs Emergency Operations Center. Before public service, Mr. Aquilina was an associate at the law firm Richards, Spears, Kibbe Orbe in New York, where he focused on white collar work in federal and state criminal and regulatory matters. Mr. Aquilina served as a law clerk to the Honorable Irma E.

Gonzalez, U.S. District Judge, Southern District of California. He received his B.A. magna cum laude from Georgetown University, and his J.D. from the University of California, Berkeley, School of Law, where he was a Richard Erskine Academic Fellow and served as an Articles Editor and Executive Committee Member of the California Law Review. He currently serves as an Honorary Council Member on cyber law issues for the International Council of E-Commerce Consultants (EC-Council), the organization that provides the CEH (Certified Ethical Hacker) and CHFI (Certified Hacking Forensic Investigator) certifications to leading security industry professionals worldwide. i