Memory Forensics: Timelines, Badness, and C0ff33 Breaks
Melissa Augustine, McAfee Foundstone
Who I am… • Alphabet Soup: GCIH, GCIA, CCE • Senior Consultant at McAfee Foundstone • Fly-Away Team for IR and Forensics • Malware Analysis • Memory Analysis • Taught at Black Hat Las Vegas • Teach MFIRE classes globally • Malware Forensics and Incident Response • Previous Life: US Department of Defense
Agenda • Modified slightly based on research! • A little bit of both • What can be found with a memory dump? • Unencrypted Data! • Timeline of Infection! • Wouldn’t it be GREAT if we could script this? • Right now geared towards finding badness... • BETA of Tool
Why Memory Forensics? • Well… because the bad guys are getting smarter! • Malware is becoming harder to detect • AV is struggling to keep up (chart from VirusTotal)
Why Memory Forensics? • Static analysis (and tools run on the live box) does not always see everything • Hooked processes • SSDT wipes • If you depend on user-level tools and the malware sits at a lower level, how can you be sure of the results? Memory forensics grabs the data at the lowest level; (most) malware cannot hide there!
R.E.F.R.E.S.H. • IAT hooking • DKOM • SSDT hooking • Injecting into valid processes • Hollowing out a valid process and burrowing in there • Driver creation • DLL hijacking • Packed files
No Matter What… • Malware has to put itself somewhere on the drive to maintain persistence! • Else my job would be much easier (a reboot would wipe anything that only ever lived in memory)… “Hello, IT. Have you tried turning it off and on again?”
Example! • Suspicious executable • Strange metadata • Strings does not show a lot
Parsing memory… • A simple pslist shows us some interesting bits of data:

Process    PID   PPID  Thrd  Hndl  Start Time           End Time
smss.exe   564   4     3     19    2013-03-01 13:44:40
csrss.exe  612   564   12    452   2013-03-01 13:44:41
…
netsh.exe  2636  2684  0     --    2013-03-01 14:27:55  2013-03-01 14:27:59
net.exe    2252  2684  0     --    2013-03-01 14:27:55  2013-03-01 14:27:58
net.exe    2776  2684  0     --    2013-03-01 14:27:55  2013-03-01 14:27:56
sc.exe     2792  2684  0     --    2013-03-01 14:27:56  2013-03-01 14:27:56
sc.exe     2808  2684  0     --    2013-03-01 14:27:56  2013-03-01 14:27:56
csrss.exe  2684  2672  12    248   2013-03-01 14:27:55

• Five short-lived netsh.exe, net.exe and sc.exe processes (zero threads, End Time set) all have PPID 2684: a second csrss.exe, started at 14:27:55, whose own parent (2672) is not smss.exe
Csrss… Is it really you? • There are two csrss processes; let's compare the DLLs loaded by each using the dlllist plugin • PID 612 loads 12 modules • PID 2684 loads 59 • Different command line invocations… ಠ_ಠ
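The parent/child sanity checks the two slides above walk through by hand, as an added example (this is not the presentation's own tool). It parses the pslist rows shown on the slide (constructed input, in the slide's column order) and flags duplicate system process names, system processes with the wrong parent, and children of processes that should never spawn anything. The expected-parent table is for Windows XP.

```python
import re
from collections import defaultdict

# Constructed input: the pslist rows shown on the slide, in the slide's own
# column order (Process, PID, PPID, Thrd, Hndl, Start Time, End Time).
PSLIST = """\
smss.exe   564   4     3   19   2013-03-01 13:44:40
csrss.exe  612   564   12  452  2013-03-01 13:44:41
netsh.exe  2636  2684  0   --   2013-03-01 14:27:55  2013-03-01 14:27:59
net.exe    2252  2684  0   --   2013-03-01 14:27:55  2013-03-01 14:27:58
net.exe    2776  2684  0   --   2013-03-01 14:27:55  2013-03-01 14:27:56
sc.exe     2792  2684  0   --   2013-03-01 14:27:56  2013-03-01 14:27:56
sc.exe     2808  2684  0   --   2013-03-01 14:27:56  2013-03-01 14:27:56
csrss.exe  2684  2672  12  248  2013-03-01 14:27:55
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
ROW = re.compile(
    rf"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+"
    rf"(?P<hnds>\d+|--)\s+(?P<start>{TS})(?:\s+(?P<exit>{TS}))?\s*$"
)

# Expected parent for the core Windows XP system processes.  A mismatch means
# a look-alike or a parent that has already exited; both deserve a look.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}
# System processes that have no business spawning command-line tools.
NO_CHILDREN_EXPECTED = {"csrss.exe", "lsass.exe"}


def parse_pslist(text):
    """Turn pslist text rows into dicts; lines that do not match the row
    shape (headers, the '...' elision) are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for key in ("pid", "ppid", "thds"):
            row[key] = int(row[key])
        procs.append(row)
    return procs


def check_pslist(procs):
    """Return (kind, ...) findings: duplicate system process names, system
    processes with the wrong parent, and odd children of csrss/lsass."""
    by_pid = {p["pid"]: p for p in procs}
    by_pid.setdefault(4, {"name": "System", "pid": 4, "ppid": 0})  # PID 4 is System
    by_name = defaultdict(list)
    for p in procs:
        by_name[p["name"]].append(p["pid"])

    findings = []
    for name, pids in by_name.items():
        if name in EXPECTED_PARENT and len(pids) > 1:
            findings.append(("duplicate", name, sorted(pids)))
    for p in procs:
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"] if parent else "<exited>"
        expected = EXPECTED_PARENT.get(p["name"])
        if expected and parent_name != expected:
            findings.append(("wrong-parent", p["name"], p["pid"], parent_name))
        if parent_name in NO_CHILDREN_EXPECTED:
            findings.append(("odd-child", p["name"], p["pid"], parent_name, p["ppid"]))
    return findings


if __name__ == "__main__":
    for finding in check_pslist(parse_pslist(PSLIST)):
        print(finding)
```

On the slide's rows this reports the duplicate csrss.exe, the second csrss.exe (2684) with a parent that is not smss.exe, and the five netsh/net/sc children of PID 2684.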
Connections • We can again see open and recently closed connections using two different plugins: connections (the active TCP connection list) and connscan (carves connection objects out of memory, so terminated connections show up too) • Look for abnormal ports/IPs • Verify against proxy logs (if you are logging!)
Handles: More Than Files • We can see what objects the suspicious process had open (this includes registry keys, files, mutexes…) • Looks like internet history and maybe some registry? • This can be a good way of finding malware or narrowing down places to look
Threads… • pslist indicated csrss (PID 2684) has 12 active threads • When you have two processes with the same name, you can check their priorities against a baseline to pick out the real one! • You can also see where each thread will execute next by looking at its EIP (is it within the program image or one of its imported DLLs?)
Check Your Priorities! The valid csrss has a VERY high priority (15) whereas our suspicious one is only 8. System processes that Windows requires in order to run always have a high priority (else Windows may not work!)
If you have hands on the box • You can see threads with Process Explorer… this is a valid csrss executable
Linking Threads with DLLs • The start address of every thread in a process should fall inside a loaded DLL or the executable image itself… if not, you have some injected code!
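The two thread-level checks from the priority and thread slides above, as an added example (not from the presentation): compare a process's base priority against a baseline recorded from a known-clean box, and map each thread's start address onto the module list dlllist gives you. The module bases and sizes, thread IDs, the 0x00e40000 region and the baseline values are constructed; only wininet.dll's range and the 15-versus-8 priorities come from the slides.

```python
# Constructed data for the suspicious csrss.exe (PID 2684): loaded modules as
# (name, base, size) the way dlllist reports them, and threads as
# (tid, start address).  Bases, sizes, TIDs and the 0x00e40000 region are
# assumptions; wininet.dll's range is the one on the vadinfo slide.
MODULES = [
    ("csrss.exe",    0x4A680000, 0x5000),
    ("ntdll.dll",    0x7C900000, 0xB2000),
    ("kernel32.dll", 0x7C800000, 0xF6000),
    ("wininet.dll",  0x3D930000, 0xE6000),
]
THREADS = [
    (2688, 0x4A681230),   # inside the csrss.exe image
    (2692, 0x7C90E4F0),   # inside ntdll.dll
    (2700, 0x00E40000),   # inside no loaded module at all
]
# Baseline recorded on a known-clean box of the same build.  The clean csrss
# on the slide showed 15; the other two values are assumptions.
BASELINE_PRIORITY = {"csrss.exe": 15, "smss.exe": 11, "winlogon.exe": 13}


def module_for(addr, modules):
    """Name of the module whose [base, base+size) range contains addr, else None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def check_process(name, base_priority, threads, modules, baseline=BASELINE_PRIORITY):
    """Flag a priority that differs from the baseline, and any thread whose
    start address is not backed by a loaded module (a sign of injected code)."""
    findings = []
    expected = baseline.get(name)
    if expected is not None and base_priority != expected:
        findings.append(("priority", name, base_priority, expected))
    for tid, start in threads:
        if module_for(start, modules) is None:
            findings.append(("unbacked-thread", tid, hex(start)))
    return findings


if __name__ == "__main__":
    for finding in check_process("csrss.exe", 8, THREADS, MODULES):
        print(finding)
```

The range check is deliberately done against the process's own module list rather than a system-wide one: a DLL loaded only into the injected-into process is still "loaded", but a start address that belongs to no module the process admits to having is the thing to chase.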
Procexedump and strings… • We can dump the suspicious process (procexedump) and run strings over the result • Much better information… but can we find more?
Virtual Address Descriptors • This is how Windows tracks which ranges of virtual address space a process has reserved, and what the process is allowed to do with each range (the protection) • We can dump all of these VADs (and the memory they map) and investigate
Example (vadinfo output):

VAD node @ 0x8626af10 Start 0x3d930000 End 0x3da15fff Tag Vad
Flags: CommitCharge: 8, ImageMap: 1, Protection: 7
Protection: PAGE_EXECUTE_WRITECOPY
ControlArea @863a1d98 Segment e1887860
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 144
NumberOfMappedViews: 9 NumberOfUserReferences: 10
WaitingForDeletion Event: 00000000
Control Flags: Accessed: 1, File: 1, HadUserReference: 1, Image: 1
FileObject @865a8e50, Name: \WINDOWS\system32\wininet.dll
First prototype PTE: e18878a0 Last contiguous PTE: fffffffc
Flags2: Inherit: 1
TrID can confirm this… This could be a DLL used by the program (which we know from the file object in the VAD listing), or even an embedded executable!
However… It’s Still A Lot! Is there another way of narrowing the VADs down? We could try running antivirus over them… but you cannot always trust the results!
Yara to the rescue • Malware identification and classification tool • Even the default rules can be very useful, and new rules are easy to write! • 3 immediate places to look… • The first one we saw is related to wininet.dll • Yara says bankers and IRC for the other two • Let's check our vadinfo output for those two VADs and see if that helps us out a bit
What does this tell us? • Different numbers of pages are allocated to these regions (10 and 616) • Both are in private memory (only associated with this process) • No file is associated with these pages (memory resident ONLY)
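The triage the last few slides do by eye, as an added example (not the presentation's code): parse vadinfo's text output into one record per VAD node and keep only regions that are executable, private and not backed by a file, which is the same class of region malfind reports. The input is the wininet.dll record from the vadinfo slide followed by two constructed private regions of 10 and 616 pages standing in for the two Yara hits; their node addresses and ranges are assumptions.

```python
import re

# Constructed input: the vadinfo record for wininet.dll shown on the earlier
# slide, followed by two private regions (10 and 616 pages) made up to look
# like the ones the Yara hits pointed at.  Their addresses are assumptions.
VADINFO = r"""
VAD node @ 0x8626af10 Start 0x3d930000 End 0x3da15fff Tag Vad
Flags: CommitCharge: 8, ImageMap: 1, Protection: 7
Protection: PAGE_EXECUTE_WRITECOPY
ControlArea @863a1d98 Segment e1887860
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 144
NumberOfMappedViews: 9 NumberOfUserReferences: 10
WaitingForDeletion Event: 00000000
Control Flags: Accessed: 1, File: 1, HadUserReference: 1, Image: 1
FileObject @865a8e50, Name: \WINDOWS\system32\wininet.dll
First prototype PTE: e18878a0 Last contiguous PTE: fffffffc
Flags2: Inherit: 1
VAD node @ 0x86111e28 Start 0x00e40000 End 0x00e49fff Tag VadS
Flags: CommitCharge: 10, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
VAD node @ 0x86123a40 Start 0x01000000 End 0x01267fff Tag VadS
Flags: CommitCharge: 616, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
"""

HEADER = re.compile(r"VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\S+)")
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
PAGE = 0x1000


def parse_vadinfo(text):
    """Split vadinfo output into one dict per VAD node: range, tag, the
    numeric flags, the symbolic protection and the backing file (if any)."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"node": m.group(1), "start": int(m.group(2), 16),
                   "end": int(m.group(3), 16), "tag": m.group(4),
                   "flags": {}, "protection": None, "file": None}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Flags:"):
            cur["flags"] = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", line)}
        elif line.startswith("Protection:"):
            cur["protection"] = line.split(":", 1)[1].strip()
        elif line.startswith("FileObject"):
            m = re.search(r"Name: (.+)$", line)
            cur["file"] = m.group(1).strip() if m else None
    return records


def pages(rec):
    return (rec["end"] - rec["start"] + 1) // PAGE


def suspicious_vads(records):
    """Executable + private + no backing file: where injected code and
    unpacked payloads live.  Image-mapped DLLs are executable but file-backed."""
    hits = []
    for rec in records:
        private = rec["flags"].get("PrivateMemory") == 1
        if rec["protection"] in EXECUTABLE and private and rec["file"] is None:
            hits.append((hex(rec["start"]), pages(rec), rec["protection"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_vads(parse_vadinfo(VADINFO)):
        print(hit)
```

The wininet.dll region is executable too (PAGE_EXECUTE_WRITECOPY), but it is image-mapped and names a file object, so it drops out; the two private RWX regions are the ones worth dumping and running strings over.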
Strings FTW: in total 148 domains were found, plus what looks like IRC commands and a registry key… THIS IS MEMORY RESIDENT ONLY
Third file • We saw some of these strings in the process dump • The process dump only covers the executable image; data the process keeps in other regions (like these private VADs) lives elsewhere in memory, so just dumping the process may not be enough!
Registry • We can use printkey to look at the registry keys we have seen (Winlogon & Run are common persistence keys) • Below we see the culprit! • The registry can hide a lot of goodies…
Other Ways to Find Badness… • Apihooks • Services • UserAssist • Shellbags • ShimCache • Event Logs • Registry (again) • Timeline
Example of a Malicious API hook: API (Application Programming Interface) calls are the functions within a DLL that a program can call. Malware can hook these calls so that its own code runs first. Example: Sality hooking a function of wininet.dll
Good ‘ol Services

Offset: 0x385d28
Order: 112
Process ID: -
Service Name: MRxNET
Display Name:
Service Type: SERVICE_FILE_SYSTEM_DRIVER
Service State: SERVICE_RUNNING
Binary Path: \FileSystem\MrxNet

• The svcscan plugin will dump all the services for you from the OS • Services are classic persistence mechanisms!
UserAssist aka “Frequently Used Things”

REG_BINARY UEME_RUNPATH:C:\Documents and Settings\Ch1n00k\Desktop\facebook-pic0008422013\facebook-pic0008422013.exe : ID: 35 Count: 1 Last updated: 2013-03-01 14:27:54

• If you have a timeframe, the registry is beyond useful: an amazing wealth of information • UserAssist also records the last-updated time and the number of times the entry was run
Shellbags • These are used by explorer.exe to know how to display folder information (icons, size, position) • So… why not try them for forensic analysis? • Think: deleted/hidden files and folders (malware loves to do this!)
ShimCache aka the Registry's Prefetch

Last Modified: 2012-10-09 14:29:00, Last update: 2013-02-06 14:20:11, Path: \??\C:\OfficeMalScanner\OfficeMalScanner.exe

• Another great registry tidbit (are you getting the hint?) • Gives you the last modified time, last update time and the full path
RegList • A port of the RegRipper plugins for Volatility • Can even check specific keys by plugin: -C = compname, -C = user_run, -C = soft_run • http://code.google.com/p/lgvtotal/wiki/ReglistPlugin • Doesn’t seem to be in the latest Volatility
Event Logs (evtlogs plugin) • Another classic dead-disk analysis artifact, now pulled from memory • Right now only works on XP/2003
Correlating Event Logs

Processes (pslist):
netsh.exe  2636  2684  0   --   0  2013-03-01 14:27:55  2013-03-01 14:27:59
net.exe    2252  2684  0   --   0  2013-03-01 14:27:55  2013-03-01 14:27:58
csrss.exe  2684  2672  12  248  0  2013-03-01 14:27:55

Security event 592 (a new process has been created; message fields are new PID; image path; creator PID):
2013-03-01 14:27:54|(User: Ch1n00k)|Security|592| Success|2316;C:\...\facebook-pic0008422013.exe;1560
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|420;C:\...\facebook-pic0008422013.exe;2316
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|2672;C:\WINDOWS\csrss.exe;420
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|2684;C:\WINDOWS\csrss.exe;2672
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|2636;C:\WINDOWS\system32\netsh.exe;2684
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|2252;C:\WINDOWS\system32\net.exe;2684

• Read together: facebook-pic0008422013.exe (2316, then 420) starts C:\WINDOWS\csrss.exe (2672, then 2684), which launches netsh.exe and net.exe. Note the path: the genuine csrss.exe lives in C:\WINDOWS\system32.
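The correlation on the slide above, as an added example (not the presentation's script): parse the event 592 records in the trimmed form the slide shows, rebuild the process creation chain for any PID, and flag system binary names started from somewhere other than their real home directory. The input is the slide's six lines; the list of genuine paths is the XP layout and is an assumption of this example.

```python
# Constructed input: the Security event 592 ("A new process has been created")
# lines from the slide, in the trimmed form the slide shows
# (time | user | log | event id | type | new PID;image;creator PID).
EVTLOG = r"""
2013-03-01 14:27:54|(User: Ch1n00k)|Security|592| Success|2316;C:\...\facebook-pic0008422013.exe;1560
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|420;C:\...\facebook-pic0008422013.exe;2316
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|2672;C:\WINDOWS\csrss.exe;420
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|2684;C:\WINDOWS\csrss.exe;2672
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|2636;C:\WINDOWS\system32\netsh.exe;2684
2013-03-01 14:27:55|(User: Ch1n00k)|Security|592| Success|2252;C:\WINDOWS\system32\net.exe;2684
"""

# Where the genuine copies of these system binaries live on a default XP
# install (assumption of this example; adjust for the box under analysis).
SYSTEM_BINARIES = {
    "csrss.exe":   r"c:\windows\system32\csrss.exe",
    "smss.exe":    r"c:\windows\system32\smss.exe",
    "lsass.exe":   r"c:\windows\system32\lsass.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
}


def parse_process_events(text):
    """pid -> (image, creator pid, time) from event 592 records; other
    event IDs and blank lines are ignored."""
    created = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 6 or parts[3] != "592":
            continue
        new_pid, image, creator = parts[5].split(";")
        created[int(new_pid)] = (image, int(creator), parts[0])
    return created


def ancestry(created, pid):
    """Creation chain ending at pid, oldest first, as (pid, image) pairs.
    Stops at the first creator with no 592 record of its own."""
    chain = []
    while pid in created:
        image, creator, _ = created[pid]
        chain.append((pid, image))
        pid = creator
    chain.reverse()
    return chain


def masquerading(created):
    """System-binary names started from the wrong directory, by PID."""
    bad = []
    for pid, (image, _, _) in sorted(created.items()):
        name = image.lower().rsplit("\\", 1)[-1]
        genuine = SYSTEM_BINARIES.get(name)
        if genuine and image.lower() != genuine:
            bad.append((pid, image))
    return bad


if __name__ == "__main__":
    events = parse_process_events(EVTLOG)
    for pid, image in ancestry(events, 2636):
        print(pid, image)
    print(masquerading(events))
```

The chain stops at PID 1560 because no 592 record for it is on the slide; in a full log that would be the shell or Explorer the user double-clicked from.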
Master File Table • The new Volatility (2.3) has an mftparser plugin • So you can see when files on the drive were created/modified/accessed, from MFT entries carved out of memory • So, from memory we can now pull the following: • MFT • Event logs • Registry (at least last-written times) • Almost sounds like the makings of a timeline…
ZeroAccess • Ran my tool (shown a bit later) • Checked malfind (which works from the VADs) • Used ‘file’ and saw there are 3 potential executables • Checked pslist to determine which process these were found in • 0x861b5720 -> svchost.exe (PID 1140) • 0x865e8258 -> services.exe (PID 676)
Strings • From svchost.exe • www.zsearch.org (potential spyware) • Additional hints of internet activity • %s\00000001.@ definite ZeroAccess • Z00clicker3 <- unusual string, what does Google say?
Registry Dump • OK, OK, this isn’t automated yet • Dumped the registry via hive dump • Checked last-written times against the timeline in question • There is only ONE last-written time inside the window of interest for the Software hive
Garbage In… • Wonder what else is in the trash… • Volatility has a filescan plugin; simply grep its output for RECYCLER • There are rumours of the new Volatility having a file dump plugin…
Timeliner • Created by Gleeda for Volatility 2.0 • (sometimes) works… you can pull EVT LOG, SOCKET and PROCESS data • You can add shellbags and mftparser output • Sounds pretty comprehensive! • Hard to show in PowerPoint
“No, there is too much. Let me sum up”-Inigo Montoya • We see 3 processes started • The ZeroAccess “movie” • cmd.exe • svchost.exe • We see attempts to open up ports in the firewall • 8 UDP sockets • The process attempting it? The ZeroAccess “movie” • Application Layer Gateway service stopped • Windows Firewall stopped • Security Center stopped
All nerds are lazy… • I got sick of running the same things over and over again… • Wrote a Python script to automate common commands and tried to implement ‘smart’ analysis of some of the output • Began to add DB backend support to add to its smartness