,
10 tweets,
6 min read
Read on Twitter
There are several #infosec data "event horizons" that significantly impact the ability to perform serious malware archeology, depending on the capabilities available to an analyst. I thought it was worth mentioning a few horizons as I've hit a few recently (1/7)
⚫️🔚 YARA retro hunts (~3m/1y/custom if doing it yourself)
Helps in identifying existing samples, but commercial services limit searches. If you can't index yourself you are probably out of luck here (2/7)
Helps in identifying existing samples, but commercial services limit searches. If you can't index yourself you are probably out of luck here (2/7)
⚫️🔚 Public reporting (~2012, maybe 2008)
Some blogs contained interesting factual snippets, but only really started being comprehensive around 2012. Previously it was just elements of interest or forum archives. Recording hashes for research wasn't typical. (3/7)
Some blogs contained interesting factual snippets, but only really started being comprehensive around 2012. Previously it was just elements of interest or forum archives. Recording hashes for research wasn't typical. (3/7)
⚫️🔚 Passive DNS (~2009)
Even commercial PDNS sources rarely go back later than around 2010 when most came online and started collecting data. I'd say 2009 is pretty much the event horizon unless you are really lucky (4/7)
Even commercial PDNS sources rarely go back later than around 2010 when most came online and started collecting data. I'd say 2009 is pretty much the event horizon unless you are really lucky (4/7)
⚫️🔚 Samples (~2006)
@virustotal came online around 2006 and is pretty much the largest commercial repository available to researchers, but without a hash you are unlikely to retrieve. No doubt there are older private archives but processing that far back is a challenge (5/7)
@virustotal came online around 2006 and is pretty much the largest commercial repository available to researchers, but without a hash you are unlikely to retrieve. No doubt there are older private archives but processing that far back is a challenge (5/7)
@virustotal Ultimately, comprehensive malware archeology tends to break down if you are looking back prior to 2009 unless you luck on some data source like the @ridt/@juanandres_gs MOONLIGHT MAZE work (6/7)
@virustotal @RidT @juanandres_gs Say what you will about public reports, but well documented publications are now a critical part of vital history for infosec research moving forward. Always consider hashes/domains in text form, and noting PDNS with time ranges where possible & preserve/redirect old pages (7/7)
@virustotal @RidT @juanandres_gs Here are some more..
⚫️🔚 WHOIS (~2000)
Historic WHOIS records can be a spotty the further back you go (h/t @NateBeachW), and it's also worth considering the artificial GDPR event horizon which cloaks data going forward from here. Yes, I'm still salty. (8/7)
⚫️🔚 WHOIS (~2000)
Historic WHOIS records can be a spotty the further back you go (h/t @NateBeachW), and it's also worth considering the artificial GDPR event horizon which cloaks data going forward from here. Yes, I'm still salty. (8/7)
@virustotal @RidT @juanandres_gs @NateBeachW ⚫️🔚 IP WHOIS (~?)
Records of IP address assignments can be challenging depending on the registry, and there's no real requirement to publish allocations. RIPE (apps.db.ripe.net/db-web-ui/#/qu…) and APNIC (apnic.net/static/whowas-…) have some ok tools though (9/7)
Records of IP address assignments can be challenging depending on the registry, and there's no real requirement to publish allocations. RIPE (apps.db.ripe.net/db-web-ui/#/qu…) and APNIC (apnic.net/static/whowas-…) have some ok tools though (9/7)
And another - web pages in general! Saving (and donating) to @internetarchive is a must for general pages, and although not it’s express purpose, using @urlscanio to store malicious pages is also advised
