A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #18434  by pipedev
 Tue Mar 05, 2013 11:45 pm
I am doing a college project - it has to do with malware in industrial control systems
(just to say my day job is coding DCS/PLC/SCADAs). As part of the project I am looking at how to improve knowledge and help engineers on the ground. I have come up with a list of things I think IT/Control Engineers involved with critical infrastructure need to know in order to have at least a chance of knowing what to look for if a system is suspected to be compromised.
I am hoping that members of this forum in which there is a massive amount of knowledge can contribute some ideas and validate/argue against what I am saying.

My areas are the following (and remember we are not dealing with OS internals experts!)

-- Executable, Dynamic Link Library and Driver files
-- Windows Registry
-- Service Control Manager
-- Auto-started applications
-- Rootkits
-- DLL Injection
-- Ring 0 and Ring 3 applications
-- Kernel tampering methods – DKOM, Hooking

I would appreciate feedback on this list, and any other areas or ideas would be welcome.
 #18436  by EP_X0FF
 Wed Mar 06, 2013 2:31 am
Most of your list is common information (like the PE32/PE32+ executable file formats) and/or is documented in MSDN and/or can be learned from the WinDDK. List of autostart locations here http://gladiator-antivirus.com/forum/in ... opic=24610. What kind of feedback do you want?
 #18448  by pipedev
 Wed Mar 06, 2013 2:06 pm
Thanks for replying:

The question I would ask is: what areas, in your opinion, should a person responsible for critical control systems know about in order to at least be able to examine a system that is suspected to be compromised? For example, if they don't know what the Windows registry is used for then they are in trouble.
 #18449  by EP_X0FF
 Wed Mar 06, 2013 2:28 pm
pipedev wrote:Thanks for replying:

The question I would ask is: what areas, in your opinion, should a person responsible for critical control systems know about in order to at least be able to examine a system that is suspected to be compromised? For example, if they don't know what the Windows registry is used for then they are in trouble.
Without a doubt this ->
-- Executable, Dynamic Link Library and Driver files
-- Windows Registry
-- Service Control Manager
-- Auto-started applications
As you can understand, software called "antirootkits" should not be used on critical control systems running a Windows OS, due to the high risk of DoS: all antirootkits are bugged by design, as they are all built on undocumented routines, structures and dirty hacks. In general - avoid any kind of software based on system hacks. See this as an alternative http://www.kernelmode.info/forum/viewto ... =13&t=2130. Additionally, it is a big plus if this engineer has a good knowledge of OS internals, for example MCTS Windows Internals or similar. This will make things much easier.
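As an added illustration of the four areas singled out above (executables/DLLs/drivers, the registry, the Service Control Manager and autostart entries), the following read-only PowerShell triage script is not from this thread or any of its posters. It walks the common Run/RunOnce keys and the services and kernel drivers registered with the SCM, resolves each entry to its image file, and records whether the file exists, its Authenticode status and its SHA-256, using only documented cmdlets and WMI classes rather than undocumented kernel structures. The set of registry keys, the output file name and the path-parsing heuristics are my assumptions; a tool such as Sysinternals Autoruns covers many more autostart locations.

```powershell
# Added example, not code from the thread. Read-only triage of autostart entries,
# services and drivers on a Windows host. Run from an elevated PowerShell prompt.
# ASSUMPTION: only the most common Run/RunOnce keys are listed here.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$cmd) {
  # Extract the executable path from a command line (quoted or unquoted form).
  # Hosted code (svchost.exe ServiceDll values, rundll32.exe targets) is not
  # followed here and needs a manual look.
  if (-not $cmd) { return $null }
  $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
  if ($cmd.StartsWith('"')) {
    $end = $cmd.IndexOf('"', 1)
    if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    return $cmd.Trim('"')
  }
  $m = [regex]::Match($cmd, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
  if ($m.Success) { return $m.Groups[1].Value }
  return ($cmd -split '\s+')[0]
}

function Get-FileFacts([string]$path) {
  # Existence, Authenticode status/signer and SHA-256 of one image file.
  $exists = [bool]$path -and (Test-Path -LiteralPath $path)
  $sig = $null
  if ($exists) { $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue }
  [pscustomobject]@{
    Path      = $path
    Exists    = $exists
    Signature = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    SHA256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
  }
}

$findings = @()

# 1. Autostart entries in the registry Run/RunOnce keys.
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
    $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
  }
}

# 2. Services and kernel drivers as registered with the Service Control Manager.
Get-CimInstance Win32_Service | ForEach-Object {
  $findings += [pscustomobject]@{ Source = 'SCM:service'; Name = $_.Name; Command = $_.PathName }
}
Get-CimInstance Win32_SystemDriver | ForEach-Object {
  $findings += [pscustomobject]@{ Source = 'SCM:driver'; Name = $_.Name; Command = $_.PathName }
}

# 3. Resolve every entry to its image file and collect the facts about it.
$report = foreach ($f in $findings) {
  $facts = Get-FileFacts (Get-ImagePath $f.Command)
  [pscustomobject]@{
    Source = $f.Source; Name = $f.Name; Image = $facts.Path; Exists = $facts.Exists
    Signature = $facts.Signature; Signer = $facts.Signer; SHA256 = $facts.SHA256
  }
}

# Entries worth a second look: image not found, or not carrying a valid signature.
$report | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
  Sort-Object Source, Name | Format-Table -AutoSize

# Keep the full list as a baseline so a later run on the same host can be diffed against it.
$report | Export-Csv -Path "$env:TEMP\autostart-baseline.csv" -NoTypeInformation
```

Unsigned or missing images are not proof of anything on their own: many legitimate in-house control applications ship unsigned, and a driver path that does not resolve may simply use a relative form the parser does not expand. The useful practice is to take the CSV on a known-good system and compare later snapshots against it, so that a new service, a changed hash or a changed signer stands out without anyone having to recognise a file name.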
 #18450  by rinn
 Wed Mar 06, 2013 2:50 pm
Hi, pipedev.

Additionally, check this video from Mark Russinovich at TechEd 2012
http://blogs.msdn.com/b/deva/archive/20 ... tools.aspx
The session provides an overview of several Sysinternals tools, including Process Monitor, Process Explorer, and Autoruns, focusing on the features useful for malware analysis and removal. These utilities enable deep inspection and control of processes, file system and registry activity, and autostart execution points. Mark Russinovich demonstrates their malware-hunting capabilities by presenting several real-world cases that used the tools to identify and clean malware, and concludes by performing a live analysis of a Stuxnet infection's system impact.
Best Regards,
-rin