PV204 Security technologies
In-Memory Malware Analysis
Václav Lorenc
Incident Response Analyst, CIRT, Honeywell

Agenda
• Basic intro
  – No assembly required
  – No malware (de)obfuscation magic
• How does the OS look “inside”?
  – Processes and other data structures
  – How the memory is organized
• Common tools used for analysis
• Searching for system “oddities”
  – What are the important system indicators?
• Real samples discussed and analyzed! (Labs)
2 | PV204 In-Memory Malware Analysis

Why memory analysis?
• It’s fun!
• Acquiring evidence for legal investigations
  – It used to be different in the past
• Incident response activities
  – Easy way to learn more about the attackers
  – Malicious binary may only be present in memory
• Technical simplification of reverse engineering
  – No binary obfuscation present – the code has to run

Challenges in Reverse Engineering (RE)
• Assembly language (for multiple platforms)
  – Plus undocumented instructions (or behavior)
• Anti-debugging tricks
  – Exceptions, interrupts, PE manipulations, time checking, ...
• Anti-VM tricks
  – Uncommon behavior of known instructions
  – Registry detections, HW detections
• Code obfuscation/packing
  – The most challenging to overcome, mostly

PE File Format (figure)

PDF File Format (figure)
’cause reverse engineering ninjas are busy

MEMORY ANALYSIS…

x86/x64 Memory organization
• Physical memory
  – RAM; what we really have installed
• Virtual memory
  – Separation of logical process memory from the physical
  – Logical address space > physical (e.g. swap)
  – Address space shared by several processes, yet separated
• Paging vs. Segmentation
  – Possible memory organization approaches

Segmentation / Paging / Physical Address (figure)

Win32 Address Space (figure)

Linux Address Space (figure)

Operating System Data Structures
• How does the OS know about processes, files, …?
  – A lot of ‘metadata’ for important data
  – Based on C/C++ data structures (see MSDN documentation)
• (Doubly-)linked list
  – Another common data structure (not only in the OS)
  – Method for implementing lists in computer memory
• Direct Kernel Object Manipulation (DKOM)
  – Used for manipulating the structures to hide malicious stuff

Doubly Linked Lists (figure)

Windows Process Structures (figure)

Interesting OS Structures
• Suspicious Memory Pages
• Processes
• Threads
• Sockets (Connections)
• Handles (Files)
• Modules/Libraries
• Mutexes
• LSA (Local Security Authority)
• Registry
• …

Memory Pages
• Various ‘flags’
  – Read/write/executable pages
  – Helping the OS to organize memory efficiently
• Executable + Writable pages
  – Why is it bad?
• Process Injection technique
  – Allocating memory that can be modified (unpacked, decoded, decrypted) and executed
  – Used by legitimate processes too (Windows OLE)

DLL/Process Injection (figure)
So that Internet Explorer behaves like a malicious process…

And now something completely… PRACTICAL

Memory (re)sources
• Live RAM
  – The most common source for analysis
  – Easier to obtain from virtualized hosts
• Paging file/Swap
  – Used by operating systems to allocate more memory than the available RAM
• Hibernation file
• Memory crash dumps
  – Very limited analysis options

Memory Acquisition (decision tree, figure)
• VM? (Yes) → Memory Dump / Snapshot / Clone
• Running? (No) → Hibernation File / Page File (Swap) / Crash Dumps
• Got root? (Yes) → Dumping locally
• Remote access? (Yes) → Cost / Benefits, Tool Footprint
• (No) → FireWire, PCI Probes

Memory Acquisition
• Virtual Machines
  – VMWare, VirtualBox, …
  – VirtualBox --dbg --startvm "MalwareVM" (and the .pgmphystofile command)
• Directly from the system! (if we have system rights to do that)
  – windd, fastdump, memoryze
  – Or we can hibernate the system (hiberfil.sys)
• Remotely
  – Encase Enterprise, Mandiant Intelligent Response, Access Data FTK
• Common issues
  – Unsupported OS (Linux, MacOS; 32bit/64bit)
  – Swap (portions of memory on the drive)
  – Malware not running inside a virtual machine

Memory Acquisition (2)
• Local memory acquisition notes
  – Unless you have plenty of money, try to get root/admin access to the host
  – Better to acquire to external storage (USB, network)
  – The lower the tool’s memory footprint, the better
  – If you run malware in a VM, better have less RAM
    • Faster analysis
    • … and configure no swap for the system too

Memory Acquisition (3)
• Remote memory acquisition
  – Very useful for fast Incident Response
  – Requires enterprise licenses for the commercial tools
  – Acquisition is done over the network
  – Agents already in memory, no extra memory demands
• Open source alternative?
  – GRR (Google Rapid Response)
  – Still in development, primarily an Incident Response tool
  – Allows remote memory acquisition

Memory Analysis Tools
• Mandiant Redline
  – Free, available for Windows
• HBGary Responder (CE/Pro)
  – Community Edition available upon registration
• Volatility Framework
  – Open source, no GUI
• Rekall
  – Open source, ‘Volatility done right’, GUI
  – Google supported (part of the GRR agent)

Mandiant/FireEye Redline
• Free tool for Incident Response
  – Not open-source, though
  – .NET executable (runs only under Windows)
• Nice and simple user interface
  – Very nice analysis workflow
  – Perfect for searching for string information
  – Rates the level of suspiciousness of processes
• Sad things
  – Memory analysis not reliable, process rating as well

Redline: Start (figure)
Redline: Timeline (figure)
Redline: Time Wrinkles (figure)

HBGary Responder (Pro/CE)
• Professional Tool
  – Very expensive
  – Yet not very well maintained in the last few years
• Windows only
  – Written in .NET, supports only Windows images
• ‘Killer’ features
  – Digital DNA
    • automatic rating of suspicious processes
  – Visual ‘Canvas’ debugger
    • Supports the analysis of (unpacked) binaries

HBGary Responder Pro -- DDNA
• Examples of the ‘reasoning’ behind DDNA
  – Does the process communicate over TCP/IP?
  – Does it manipulate the registry?
  – Did the analysis reveal any known bad stuff (strings, IPs, mutexes)?
  – Does the process access any other process in the system?
  – Does it access some system-critical process?
  – Did the analysis find any evidence of obfuscation?
  – …

Responder Pro: DDNA (figure)
Responder Pro: DDNA (figure)
Responder Pro: Canvas (figure)

Volatility Framework
• Open source tool
  – GPL licensed
• Written in Python
  – Available for a variety of platforms (Linux, Windows, Mac OS)
  – Can be automated; many contributed plugins
• Supports analysis of memory dumps from various OSs
  – Windows, Linux, MacOS, Android
  – Both 32-bit and 64-bit versions
• Command-line driven
• Two (experimental) web GUIs

Google Rekall
• Another open source tool
• Supported by Google
  – Included as a part of the GRR (Google Rapid Response) agent
• Originally based on the code of Volatility
  – Shared commands
  – Different architectural concepts
• Proof-of-concept GUI
  – Better workflows

Additional Important Tools
• Strings
  – Both *nix and Windows
  – Extracts string information from the file
  – Can be used in cooperation with Volatility/Rekall
  – Beware of text encoding! (ascii, utf-8, …)
• Foremost
  – Forensic tool
  – Can extract various data files from an image (or process)
    • Images, executables, documents, …

Forensic analysis of RAM?
• Are there any benefits?
• Collecting forensic evidence
  – Executable images
  – PDF/Doc documents
• Possible origin of the infection?
  – Images
  – URLs
• Getting an approximate timeline
  – Works better on servers (always online, higher uptime, way more RAM)

What to search for in the Operating System?
• Command&Control (C2) communication
• Hidden processes
• Process/DLL injection evidence
• Non-standard/infamous binaries/mutexes
• Open sockets and files
• Registry records
• Command-line history
• Encryption keys!
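The DKOM slide earlier describes unlinking a process object from the kernel's doubly linked list so that a list walk no longer reports it, and "Hidden processes" above is what the psxview/psscan plugins on the lab cheat sheet look for: compare a list walk with a scan for objects that are still physically present. The following is an added example (not from the slides, and not Volatility's code) that models this in a toy 32-byte process record with an assumed layout (pool tag, pid, flink/blink, name; a real _EPROCESS is much larger and its field offsets differ per Windows build), simulates the unlink on a constructed image, and shows how the cross view exposes the hidden entry:

```python
"""Cross-view detection of a DKOM-hidden process in a toy model of kernel memory.
Added example: the record layout, offsets and sample processes are constructed."""
import struct

# Assumed toy _EPROCESS layout (NOT the real Windows layout):
#   0x00  4s  pool tag b"Proc"
#   0x04  I   pid
#   0x08  I   ActiveProcessLinks.Flink  (address of the NEXT entry's links field)
#   0x0C  I   ActiveProcessLinks.Blink  (address of the PREVIOUS entry's links field)
#   0x10  16s ImageFileName, NUL padded
PROC_FMT = "<4sIII16s"
PROC_SIZE = struct.calcsize(PROC_FMT)   # 32 bytes
LINKS_OFF = 0x08                        # offset of the LIST_ENTRY inside the record
POOL_TAG = b"Proc"
HEAD_OFF = 0x40                         # where PsActiveProcessHead lives in the toy image
MEM_SIZE = 0x1000


def write_process(mem, off, pid, name):
    struct.pack_into(PROC_FMT, mem, off, POOL_TAG, pid, 0, 0, name.encode().ljust(16, b"\0"))


def link_entries(mem, head, entry_offs):
    """Build the circular list head -> e1 -> e2 -> ... -> head (both directions)."""
    nodes = [head] + [off + LINKS_OFF for off in entry_offs]
    for i, node in enumerate(nodes):
        nxt = nodes[(i + 1) % len(nodes)]
        prv = nodes[(i - 1) % len(nodes)]
        struct.pack_into("<II", mem, node, nxt, prv)


def build_image():
    """Constructed sample image with four processes; the one at 0x300 is then
    unlinked the way the DKOM slide describes: its neighbours skip it, but the
    object itself (and its own pointers) stay in memory."""
    mem = bytearray(MEM_SIZE)
    procs = [(0x100, 4, "System"), (0x200, 620, "lsass.exe"),
             (0x300, 1337, "svchost.exe"), (0x400, 2044, "explorer.exe")]
    for off, pid, name in procs:
        write_process(mem, off, pid, name)
    link_entries(mem, HEAD_OFF, [p[0] for p in procs])
    victim = 0x300 + LINKS_OFF
    flink, blink = struct.unpack_from("<II", mem, victim)
    struct.pack_into("<I", mem, blink, flink)       # prev.Flink = victim.Flink
    struct.pack_into("<I", mem, flink + 4, blink)   # next.Blink = victim.Blink
    return mem


def read_process(mem, off):
    _tag, pid, _flink, _blink, name = struct.unpack_from(PROC_FMT, mem, off)
    return {"offset": off, "pid": pid, "name": name.rstrip(b"\0").decode()}


def pslist(mem, head=HEAD_OFF):
    """Walk ActiveProcessLinks the way the OS (and a list-based tool) does."""
    seen, cur = [], struct.unpack_from("<I", mem, head)[0]
    while cur != head and len(seen) <= MEM_SIZE // PROC_SIZE:   # bound guards a corrupt loop
        seen.append(read_process(mem, cur - LINKS_OFF))
        cur = struct.unpack_from("<I", mem, cur)[0]
    return seen


def psscan(mem):
    """Scan every 8-byte-aligned slot for the pool tag, ignoring the list entirely."""
    return [read_process(mem, off)
            for off in range(0, len(mem) - PROC_SIZE + 1, 8)
            if mem[off:off + 4] == POOL_TAG]


def psxview(mem):
    """Cross view: one row per object, with a flag per enumeration method."""
    rows = {}
    for method, procs in (("pslist", pslist(mem)), ("psscan", psscan(mem))):
        for p in procs:
            rows.setdefault(p["offset"], dict(p, pslist=False, psscan=False))[method] = True
    return sorted(rows.values(), key=lambda r: r["offset"])


def hidden_processes(mem):
    """Objects found by scanning but absent from the list walk: the DKOM signature."""
    return [r for r in psxview(mem) if r["psscan"] and not r["pslist"]]


if __name__ == "__main__":
    image = build_image()
    for r in psxview(image):
        print(f"{r['offset']:#06x} {r['pid']:5d} {r['name']:<14} "
              f"pslist={str(r['pslist']):<5} psscan={r['psscan']}")
    print("hidden:", [r["name"] for r in hidden_processes(image)])
```

The list walk is bounded because a malformed or deliberately looped list would otherwise never terminate; a scanner has no such problem but can report stale, already-terminated objects, which is why a real cross view (psxview) combines several enumeration sources rather than trusting either one alone.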
Known Bad Mutexes
• Conficker: .*-7 and .*-99
• Sality.AA: Op1mutx9
• Flystud.??: Hacker.com.cn_MUTEX
• NetSky: 'D'r'o'p'p'e'd'S'k'y'N'e't'
• Sality.W: u_joker_v3.06
• Poison Ivy: )!VoqA.I4 (and 10 thousand others)
• Koobface: 35fsdfsdfgfd5339

Operational Security (OpSec)
• Basics of OpSec
  – “Think before you act” mentality
  – Limited information sharing
• Specifics of memory analysis
  – You can often upload dumped executables to VirusTotal
    • md5 of the process is different from the executable
    • This doesn’t apply to documents/HTML pages!
  – However, incomplete binaries can still infect your system!
    • Running in a VM or another OS is recommended

Recommended Analysis Process
• Use the Internet! (Google, VirusTotal, …)
• Make notes!
  – What OS is being analyzed? (imageinfo)
  – Network connections? (+ whois records, …)
  – Processes (hidden, odd, non-standard; timestamps, …)
  – Mutexes (+ files open)
  – Dump processes when needed (OpSec!)
  – Strings (URIs, C-like strings %s %d, domains, …)
• Summarize your findings in a final report

More information
• Web pages of this course
  – https://dior.ics.muni.cz/~valor/pv204_2016/
• Additional resources
  – Public memory images for analysis
  – Reverse Engineering for Beginners (amazing PDF doc)
  – REMnux: All you need to start with RE
  – ContagioDump blog (for additional malware samples)

Answers & Questions
Thank you for your attention.

LAB

Lab Requirements
• Oracle VirtualBox
  – And enough space on your hard drive (12 GB at least)
• Volatility Framework
• Mandiant Redline
• Unix tools
  – strings, foremost
• Your favorite text editor for notes
• Javascript/PDF analysis tools

Recommended Analysis Process
• Use the Internet! (Google, VirusTotal, …)
• Make notes!
  – What OS is being analyzed?
  – Network connections? (+ whois records, …)
  – Processes (hidden, odd, non-standard; timestamps, …)
  – Mutexes (+ files open)
  – Strings (URIs, C-like strings %s %d, domains, …)
  – …
• Summarize your findings in a final report

Volatility Framework – cheat sheet
• psxview (search for hidden processes)
• apihooks
• driverscan
• ssdt / driverirp / idt
• connections / connscan (WinXP, active network connections)
• netscan (Win7, opened network sockets and connections)
• pslist / psscan (process listing from WinAPI vs. EPROCESS blocks)
• malfind / ldrmodules (code injection + dump / DLL detection)
• hivelist (registry lookup and parsing) / hashdump
• handles / dlllist / filescan (file list / DLL files / FILE_OBJECT handles)
• cmdscan / consoles (cmd.exe history / console buffer)
• shimcache (application compatibility info)
• memdump / procmemdump / procexedump

Analysis: xp-infected.vmem
• Recommended tools
  – Volatility, Rekall (or Redline)
• Objectives:
  – Get familiar with the memory of your first infected system

Analysis: win7_x64.vmem
• Recommended tools
  – Volatility, Rekall (or Redline)
• Objectives:
  – Get familiar with the memory of a Win7 x64 system
  – Can you see any differences from the previous sample?

Analysis: zeus.vmem
• Recommended tools
  – Volatility, Rekall
• Objectives:
  – Find suspicious network connections
  – Find the process responsible for the network activity
  – Can you figure out what infections this

Analysis: zeus2x4.vmem
• Recommended tools
  – Volatility, Rekall
• Objectives:
  – Find suspicious network connections
  – Find the process responsible for the network activity
  – Can you figure out what infections this
  – Can you dump the virus configuration?
Analysis: bob.vmem
• Recommended tools
  – Volatility, Rekall, Foremost, Strings
• Objectives:
  – Find suspicious network connections
  – Find the process responsible for the network activity
  – Can you figure out what caused the infection?
  – Can you dump the initial source vector?
  – What known vulnerability (CVE) has been exploited?
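The bob.vmem lab asks for the initial source vector, and the Additional Important Tools slide names the two helpers for that: strings (with the warning to watch the text encoding, since Windows keeps paths and URLs as UTF-16LE, which an ASCII-only run misses) and Foremost (header/footer carving of documents out of a memory image). The following is an added example (not from the slides, nor the code of strings or Foremost) that runs both ideas over a constructed blob of "memory": it extracts ASCII and UTF-16LE strings with offsets, pulls URLs out of them, carves an embedded PDF between its %PDF- header and %%EOF footer, and flags the PDF keys that the Javascript/PDF analysis tools from the lab requirements would look at first; the URL, path and document are all made up and harmless:

```python
"""Encoding-aware strings plus PDF carving over a constructed memory blob.
Added example; not the strings(1) or Foremost implementations."""
import re

PDF_HEADER, PDF_FOOTER = b"%PDF-", b"%%EOF"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# PDF dictionary keys that are worth a look in a suspected malicious document
PDF_MARKERS = [b"/JavaScript", b"/OpenAction", b"/Launch"]


def extract_strings(data, min_len=4):
    """(offset, encoding, text) for printable runs in ASCII and in UTF-16LE."""
    out = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        out.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(out)


def find_urls(strings):
    """Unique URLs found in either encoding: possible origin of an infection."""
    return sorted({u for _, _, text in strings for u in URL_RE.findall(text)})


def carve_pdfs(data, max_size=10 * 1024 * 1024):
    """Foremost-style carve: every %PDF- ... %%EOF span, as (offset, bytes).
    A header whose footer is not within max_size is skipped (paged out or truncated)."""
    found, pos = [], 0
    while (start := data.find(PDF_HEADER, pos)) >= 0:
        end = data.find(PDF_FOOTER, start, start + max_size)
        if end < 0:
            pos = start + len(PDF_HEADER)
            continue
        end += len(PDF_FOOTER)
        found.append((start, data[start:end]))
        pos = end
    return found


def suspicious_pdf_markers(pdf):
    return [m.decode() for m in PDF_MARKERS if m in pdf]


# Constructed sample image: binary filler, an ASCII URL, a UTF-16LE path as Windows
# stores it, and a tiny PDF with an auto-run JavaScript action (it only calls app.alert).
SAMPLE_IMAGE = (
    b"\x00\x7f\x13\x00" * 8
    + b"http://update.example.invalid/cfg.bin\x00\x00\x00"
    + "C:\\Users\\bob\\Downloads\\invoice.pdf".encode("utf-16le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
      b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\ntrailer\n%%EOF\n"
    + b"\x00" * 16
)


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_IMAGE)
    for off, enc, text in strings:
        print(f"{off:#08x} {enc:<8} {text}")
    print("urls:", find_urls(strings))
    for off, pdf in carve_pdfs(SAMPLE_IMAGE):
        print(f"pdf at {off:#x}, {len(pdf)} bytes, markers: {suspicious_pdf_markers(pdf)}")
```

Running the UTF-16LE pass is what recovers the download path here; the ASCII pass sees only every other byte of it. When a carved document is to be opened for further analysis, the OpSec slide applies: do it inside the VM, not on the analysis host.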