My colleague Vadim Kotov and I recently wrote an article for Digital Forensics Magazine focused on malware analysis for the Security Operations Center (SOC). In the article we reverse engineer several samples of bootkits discovered in the wild and discuss how our LAVA analysis platform can be leveraged for analyzing similar instances of malware. We used a few samples of Gapz for the analysis, which is regarded as one of the more sophisticated bootkits.
Summary of the article:
– Analysis leveraging contextual visual insights of the malware execution flow can be useful, particularly for identifying the key functions of the malware quickly.
– A relational view of the malware execution in conjunction with core Operating System elements (file system, registry, network, CPU registers, etc.) can help to identify the category of malware and prioritize research efforts.
– The ability to change the entropy of the infected environment (micro-VM) can uncover new code paths of the malware with minimal effort for the researcher.
The article is titled “VM Introspection: Creating New Frontiers For Live Forensics” and is available here. Check it out!