P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg PV204 Security technologies In-Memory Malware Analysis • •Václav Lorenc •Security Operations Center Manager, Oracle + NetSuite P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 2 | PV204 In-Memory Malware Analysis https://xkcd.com/1328/ P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Agenda •Basic intro –No x86 assembly required –No malware (de)obfuscation magic •How does the OS look “inside”? –Processes and other data structures –How the memory is organized •Common tools used for analysis •Searching for system “oddities” –What are the important system indicators? •Real samples discussed and analyzed! (Labs) 3 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Why memory analysis? •It’s fun! •Acquiring evidence for legal investigations –It used to be different in the past •Technical simplification of reverse engineering –No binary obfuscation present – the code has to run •Incident response activities –Easy way how to learn more about the attackers –Malicious binary may only be present in memory –Fast: RAM is (usually) smaller than full hard-drive images 4 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 5 | PV204 In-Memory Malware Analysis https://xkcd.com/1353/ P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 6 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Challenges in Reverse Engineering (RE) •Assembly language (for multiple platforms) –Plus undocumented instructions (or behavior) •Anti-debugging tricks –Exceptions, interrupts, PE manipulations, time checking, ... •Anti-VM tricks –Uncommon behavior of known instructions –Registry detections, HW detections •Code obfuscation/packing –The most challenging to overcome, mostly 7 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 8 | PV204 In-Memory Malware Analysis C:\Users\E525127\Documents\School\Prednasky\English PE Walkthrough.png PE File Format P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 9 | PV204 In-Memory Malware Analysis C:\Users\E525127\Documents\School\Prednasky\PDF101 an Adobe document walkthrough.png PDF File Format P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg ‘cause reverse engineering ninjas are busy 10 | PV204 In-Memory Malware Analysis MEMORY ANALYSIS… P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg x86/x64 Memory organization •Physical memory –RAM; what we really have installed •Virtual memory –Separation of logical process memory from the physical –Logical address space > physical (e.g. swap) –Address space shared by several processes, yet separated •Paging vs. Segmentation –Possible memory organization approaches 11 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 12 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 13 | PV204 In-Memory Malware Analysis Windows 32 bit address spaces Win32 Address Space P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 14 | PV204 In-Memory Malware Analysis Linux 32 bit address spaces Linux Address Space P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 15 | PV204 In-Memory Malware Analysis https://minnie.tuhs.org/CompArch/Lectures/week06.html P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 16 | PV204 In-Memory Malware Analysis https://xkcd.com/138/ P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Operating System Data Structures •How the OS knows about processes, files, …? –A lot of ‘metadata’ for important data –Based on C/C++ data structures (see MSDN documentation) •(Double-)linked list –Another common data structure (not only in OS) –Method for implementing lists in computer memory •Direct Kernel Object Manipulation (DKOM) –Used for manipulating the structures to hide malicious stuff – 17 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Double Linked Lists 18 | PV204 In-Memory Malware Analysis http://www.catch22.net/img/editor1712.gif P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg DKOM – Direct Kernel Object Manipulation •Dozens of various (double-)linked lists in Windows –Maintained by kernel –Processes, threads, opened files, memory allocations, … •DKOM is used by rootkits –Hiding from the sight of the user •Rootkit paradox –Rootkits need to run on the system –… and need to remain hidden at the same time •Memory analysis can help to discover DKOM –Anti-analysis techniques are known as well 19 | PV204 In-Memory Malware Analysis http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg http://cfile3.uf.tistory.com/image/1216E3284C2755D7038CB7 Windows Process Structures 20 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Interesting OS Structures •Suspicious Memory Pages •Processes •Threads •Sockets (Connections) •Handles (Files) •Modules/Libraries •Mutexes •LSA (Local Security Authority) •Registry •… 21 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Memory Pages •Various ‘flags’ –Read/write/executable pages –Helping OS to organize memory efficiently •Executable + Writable pages –Why is it bad? •Process Injection technique –Allocating a memory that can be modified (unpacked, decoded, decrypted) and executed. –Used by legitimate processes too (Windows OLE) 22 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg DLL/Process Injection 23 | PV204 In-Memory Malware Analysis http://1.bp.blogspot.com/-NQx0mo7wOnw/UOr00ZmbtXI/AAAAAAAABag/oGjHH1YlttM/s1600/DLL%2BInjection-Fun ctions.png So that Internet Explorer behaves like a malicious process… P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 24 | PV204 In-Memory Malware Analysis https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-commo n-and-trending-process P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg And now something completely… •PRACTICAL 25 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 26 | PV204 In-Memory Malware Analysis https://xkcd.com/1197/ P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Memory (re)sources •Live RAM –The most common source for analysis –Easier to obtain from virtualized hosts •Paging file/Swap –Used by operating systems to allocate more memory then available RAM •Hibernation file •Memory crash dumps –Limited analysis options • 27 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg 28 | PV204 In-Memory Malware Analysis VM? Memory Dump Snapshot Clone Running? Hibernation File Page File (Swap) Crash Dumps Got root? Dumping locally Remote access? Cost / Benefits Tool Footprint FireWire PCI Probes Yes Yes Yes No No No P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Memory Acquisition •Virtual Machines –VMWare, VirtualBox, … –VirtualBox –dbg –startvm “MalwareVM” (and .pgmphystofile command or vboxmanage debugvm) •Directly from the system! (if we have permissions to do that) –windd, fastdump, dumpit, memorize, winpmem –Or we can hibernate the system (hiberfil.sys) •Remotely –Encase Enterprise, Mandiant Intelligent Response, Access Data FTK •Common issues –Unsupported OS (Linux, MacOS; 32bit/64bit) –Swap (portions of memory on drive) –Malware not running inside a virtual machine 29 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Memory Acquisition (2) •Local memory acquisition notes –Unless you have plenty of money, try to get root/admin access to the host –Better to acquire to external storage (USB, network) –The lower tool’s memory footprint, the better –If you run malware in VM, better have less RAM •Faster analysis •.. And configure no swap for the system too •However: malware can check for the available memory – 30 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Memory Acquisition (3) •Remote memory acquisition –Very useful for fast Incident Response –Requires enterprise licenses for the commercial tools –Acquisition is done over network –Agents already in memory, no extra memory demands •Open source alternative? –GRR (Google Rapid Response) •Still in development, primarily Incident Response tool •Allows remote memory acquisition –Rekall (still a beta) 31 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Memory Analysis Tools •Mandiant Redline –Free, available for Windows •HBGary/CounterTack Responder (CE/Pro) –Community Edition available against registration •Volatility Framework –Open source, no GUI •Google Rekall –Open source, ‘Volatility done right’, GUI –Google supported (part of GRR agent) 32 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Mandiant/FireEye Redline •Free tool for Incident Response –Not open-source, though –.NET executable (runs only under Windows) •Nice and simple user interface –Very nice analysis workflow –Perfect for searching for string information –Rates the level of suspiciousness over processes •Sad things –Memory analysis not reliable, process rating as well 33 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Redline: Start P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Redline: Timeline P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Redline: Time Wrinkles P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg HBGary Responder (Pro/CE) •Professional Tool –Very expensive –Yet not very well maintained in the last few years •Windows only –.NET written, supports only Windows images •‘Killer’ features –Digital DNA •automatic rating of suspicious processes –Visual ‘Canvas’ debugger •Supports the analysis of (unpacked) binaries •Replaced with CounterTack Responder Pro • 37 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg HBGary Responder Pro -- DDNA •Examples of the ‘reasoning’ behind DDNA –Does the process communicate over TCP/IP? –Does it manipulate with registry? –Did the analysis reveal any known bad stuff (strings, IPs, mutexes?) –Does the process access any other process in the system? –Does it access some system-critical process? –Did the analysis find any evidence of obfuscation? • 38 | PV204 In-Memory Malware Analysis Obsolete and unavailable at for a long time, but it had interesting features – and there’s a professional alternative already: https://www.gosecure.net/responder-pro https://cdn2.hubspot.net/hubfs/150964/CounterTack_DDNA_SCMagazine_030117-1.pdf?t=1495723489966&__hs tc=&__hssc=&hsCtaTracking=18aabc2a-88fc-46f2-9de8-4de89e22de86%7Cb02adedf-d309-4687-870d-eee1b16754 55 P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg C:\Users\E525127\Documents\SOC\Trainings\responder-ddna.png Responder Pro: DDNA P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg C:\Users\E525127\Documents\SOC\Trainings\responder-ddna.png Responder Pro: DDNA P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg C:\Users\E525127\Documents\SOC\Trainings\responder-canvas.png Responder Pro: Canvas P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Volatility Framework •Open source tool –GPL licensed •Written in Python –Available for variety of platforms (Linux, Windows, Mac OS) –Can be automated; many contributed plugins •Supports analysis of memory dumps from various OSs –Windows, Linux, MacOS, Android –Both 32-bit and 64-bit versions •Command-line driven •Two (experimental) web GUIs • P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Google Rekall •Another open source tool •Supported by Google –Included as a part of GRR (Google Rapid Response) agent •Originally based on the code of Volatility –Shared commands –Different architectural concepts •Proof-of-concept GUI –Better workflows 43 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Additional Important Tools •Strings –Both *nix and Windows –Extracts strings information from the file –Can be used in cooperation with Volatility/Rekall –Beware of text encoding! (ascii, utf-8, …) •Foremost –Forensic tool –Can extract various data files from an image (or process) •Images, executables, documents, … 44 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Forensic analysis of RAM? •Are there any benefits? •Collecting forensic evidence –Executable images –PDF/Doc documents •Possible origin of the infection? –Images –URLs •Getting approximate timeline –Works better on servers (always online, higher uptime, way more RAM) 45 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg What to search for in Operating System? •Command & Control (C2) communication •Hidden processes •Process/DLL injection evidence •Non-standard/infamous binaries/mutexes •Open sockets and files •Registry records •Command-line history •Encryption keys! 46 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Known Bad Mutexes •Conficker: .*-7 and .*-99 •Sality.AA: Op1mutx9 •Flystud.??: Hacker.com.cn_MUTEX •NetSky: 'D'r'o'p'p'e'd'S'k'y'N'e't' •Sality.W: u_joker_v3.06 •Poison Ivy: )!VoqA.I4 (and 10 thousand others) •Koobface: 35fsdfsdfgfd5339 • 47 | PV204 In-Memory Malware Analysis http://hexacorn.com/examples/2014-12-24_santas_bag_of_mutants.txt P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Known Good Processes/Locations Process Name Expected Path lsass.exe \windows\system32 services.exe \windows\system32 csrss.exe \windows\system32 explorer.exe \windows spoolsv.exe \windows\system32 smss.exe \windows\system32 svchost.exe \windows\system32 iexplore.exe \program files \program files (x86) winlogon.exe \windows\system32 48 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Operational Security (OpSec) •Basics of OpSec –“Think before you act” mentality –Limited information sharing •Specifics of memory analysis –You can often upload acquired executables to VirusTotal •MD5/SHA1 of the dump is different from the executable •This doesn’t apply for documents/HTML pages! –However, incomplete binaries still can infect your system! •Running in VM or other OS is recommended 49 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Recommended Analysis Process •Use Internet! (Google, VirusTotal, …) •Make notes! –What OS is being analyzed? (imageinfo) –Network connections? (+ whois records, …) –Processes (hidden, odd, non-standard; timestamps, …) –Mutexes (+ files open) –Dump processes when needed (OpSec!) –Strings (URIs, C-like strings %s %d, domains, …) •Summarize your findings in final report 50 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg More information •Web pages of this course –https://dior.ics.muni.cz/~valor/pv204 •Additional resources –Public memory images for analysis –Reverse Engineering for Beginners (amazing PDF doc) –REMnux: All you need to start with RE –ContagioDump blog (for additional malware samples) –Malware Traffic Analysis (both traffic & samples) 51 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Answers & Questions •Thank you for your attention. 52 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg LAB 53 | PV204 In-Memory Malware Analysis D:\Documents\Obrázky\services_icon_full_bw5.jpg P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Lab Requirements •Oracle VirtualBox –And enough space on your hard drive (12 GB at least) •Volatility Framework •Mandiant Redline •Unix tools –strings, foremost •Your favorite text editor for notes •Javascript/PDF analysis tools 54 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Recommended Analysis Process •Use Internet! (Google, VirusTotal, …) •Make notes! –What OS is being analyzed? –Network connections? (+ whois records, …) –Processes (hidden, odd, non-standard; timestamps, …) –Mutexes (+ files open) –Strings (URIs, C-like strings %s %d, domains, …) –… •Summarize your findings in final report 55 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Volatility Framework – cheat sheet •psxview (search for hidden processes) •apihooks •driverscan •ssdt / driverirp / idt •connections / connscan (WinXP, active network connections) •netscan (Win7, opened network sockets and connections) •pslist / psscan (process listing from WinAPI vs. EPROCESS blocks) •malfind / ldrmodules (code injection + dump / DLL detection) •hivelist (registry lookup and parsing) / hashdump •handles / dlllist / filescan (filelist / DLL files / FILE_OBJECT handles) •cmdscan / consoles (cmd.exe history / console buffer) •shimcache (application compatibility info) •memdump / procmemdump / procexedump 56 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Analysis: xp-infected.vmem •Recommended tools –Volatility, Rekall (or Redline) •Objectives: –Get familiar with memory of your first infected system 57 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Analysis: win7_x64.vmem •Recommended tools –Volatility, Rekall (or Redline) •Objectives: –Get familiar with memory of Win7 x64 system –Can you see any differences from the previous sample? 58 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Analysis: zeus.vmem •Recommended tools –Volatility, Rekall •Objectives: –Find suspicious network connections –Find process responsible for the network activity –Can you figure out what infections this 59 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Analysis: zeus2x4.vmem •Recommended tools –Volatility, Rekall •Objectives: –Find suspicious network connections –Find process responsible for the network activity –Can you figure out what infections this –Can you dump the virus configuration? 60 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Analysis: bob.vmem •Recommended tools –Volatility, Rekall, Foremost, Strings •Objectives: –Find suspicious network connections –Find process responsible for the network activity –Can you figure out what caused the infection? –Can you dump the initial source vector? –What known vulnerability (CVE) has been exploited? 61 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg More information •Web pages of this course –https://dior.ics.muni.cz/~valor/pv204 •Additional resources –Public memory images for analysis –Reverse Engineering for Beginners (amazing PDF doc) –REMnux: All you need to start with RE –ContagioDump blog (for additional malware samples) –Malware Traffic Analysis (both traffic & samples) 62 | PV204 In-Memory Malware Analysis P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg Answers & Questions •Thank you for your attention. 63 | PV204 In-Memory Malware Analysis