
M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

Web Historian: Reloaded

Written by Aaron LeMasters

We’ve been busy here on team agent at MANDIANT.  In the spirit of our long-standing support of free software in the Incident Response community, we are happy to announce the release of Web Historian 2.0.  This release is a complete rewrite and revamp of our very popular web history extraction tool.  This version of Web Historian comes packed with features and supports Firefox 2/3+, Chrome 3+, and Internet Explorer versions 5 through 8.  Here is a quick run-down of some of the new features:

  • Collects web history, cookie history, file download history, and form history into data sets
  • Simple/powerful UI based on tabbed organization of datasets
  • Perform a live artifact scan of the local system
  • Perform an artifact scan of one or more arbitrary history files from all supported browsers
  • Import results from existing XML scan documents
  • Data displayed in gridview style with full search, sort, and filter capabilities
  • Custom filters can be created and applied to one or more data sets
  • Export data sets to XML, HTML or CSV
  • Extract and export history files used in live artifact scan
  • Quick copy/paste selected gridview rows to clipboard
  • Customizable scan settings can tweak the scan to target specific browsers and data sets
  • Right-click context menu for narrowing gridview data instantly
  • Select which columns to display in each dataset
  • View page thumbnails and indexed content
  • Export sanitized version of history results to distribute to others
  • Website Analyzer provides visualization of datasets using bar graphs, pie charts and timelines
  • Website Profiler shows a quick “report card” of artifacts for various websites

The custom filters mentioned above are extremely useful for narrowing the scope of your web history investigation. Web Historian ships with several pre-defined filters that allow you to quickly cull through large web history data sets. For example, you can instantly filter the web history data by visit type to only show hidden page views caused by ads, or filter the file download history data to only show downloaded media (movies, images, etc.), PDFs, or plain text files. You can easily create your own filters using the filter editor and configure Web Historian to automatically save any of your searches as filters. Finally, more filters are accessible with a simple right-click on any web history item.

Also new in Web Historian 2.0 are the Website Analyzer and Website Profiler features.  The Website Analyzer allows you to visualize web history data (rather than scrolling through pages of records) and generate useful bar graphs, pie charts and timeline plots that can be used in an external report.  The Website Profiler generates a quick “report card” summary of any domain in your web history data, showing all artifacts created on your system when it was visited (page titles, cookies, cached files, form data, etc).  This feature allows you to get a quick impression of how a site behaves.  The screenshot below shows the profile of CNN.com:

We hope you enjoy the new features in this release of Web Historian.  As usual, if you have any questions, comments or feedback, please head on over to the user forum.

Stay tuned for even more exciting features coming soon! If you would like a demo or want to talk with me about features, I will be at Blackhat USA in Las Vegas this summer and hope to be accepted to demo Web Historian 2.0 at Blackhat Arsenal. And finally, don’t miss out on our memory forensics training at Blackhat: Advanced Memory Forensics in Incident Response.

Download Web Historian 2.0


It’s a MANDIANT FIRST; grab your stick

Written by Michael J. Graven

We’re taking our State of the Hack webinar series on the road — to the 22nd Annual FIRST conference in Miami, FL!

Kris Harms and I will present the next State of the Hack webinar in front of a live audience at the MANDIANT booth (#5), on Wednesday, June 16, from 12:30-1:30PM EDT. And for this webinar only, we’ll be taking live questions from the floor. Of course, you can also ask questions on the webinar chat channel if you’re not in Miami with us.

As usual, we’ll also cover a few case studies. We’re going to focus on cases that started out as one thing, but turned out to be something completely different. In the words of VP Steve, “It’s like we went to see a fight, and a hockey game broke out.”

There will be more time than usual for Q&A, by webinar chat and live from the exhibitor hall. If you plan to attend the conference, stop by our booth before and during the broadcast. We’ll try to take your questions live on the air – about the case studies, or about other interesting topics. Can’t make the conference? Don’t worry, you can still register and ask questions beforehand using the registration form.

Learn more and register here.

08 Jun 10 | Conferences, General

New Memoryze, Audit Viewer, and Training

Written by Jamie Butler

For those who are not on our mailing list for Memoryze or Audit Viewer, we released a new version a little over a week ago. The new version of the software includes all of the memory analysis features that are available in the newly released MANDIANT Intelligent Response (MIR) 1.4.

So what is included in Memoryze and Audit Viewer 1.4? Here is the short version.
 

Memoryze:

  • Support for Windows 2003 x64 SP2
  • Improved support of Vista SP1 and SP2 including port enumeration and a better installer
  • Enumeration of digital signatures for all loaded modules in a process’s address space, hooked and hooking drivers, and all drivers found by driver signature scans
  • Enumeration of MD5/SHA1/SHA256 hashes on disk for all loaded modules in a process’s address space and all drivers found by driver signature scans
  • Updated documentation
  • Single installer for 64-bit and 32-bit versions

Audit Viewer:

  • Improvements to the Malware Rating Index (MRI)
      • Report visualization of MRI results
      • MRI rule editors that allow users to graphically edit the MRI rule file
      • Handle Trust view to help identify suspicious handles
  • Ability to search results within a specific process
  • Multi-select with copy
  • Multi-select and export to a CSV file

Those who attended the CanSecWest Training in March have already been enjoying many of these features in beta form for months, and we are committed to ensuring that those who attend the Advanced Memory Forensics in Incident Response class at Black Hat will get early access to the next version of Memoryze, which will support Windows 7 64-bit.

As for the Black Hat training, there is a lot of new and updated content for 2010:

  • Coverage of 64-bit operating systems
  • New section on malware covering different malware techniques and how they stand out in memory
  • Four new case studies ranging from real Advanced Persistent Threat (APT) incidents to spear phishing attacks, and everything in between
  • Students receive early access to Memoryze and Audit Viewer for Windows 7 64-bit
  • Students receive the only free tool to analyze Windows Vista
  • Students receive the only free tool to analyze Windows 2003 64-bit
  • Better data collection to help identify processes and drivers as malicious or not
  • Added the Malware Rating Index (MRI), which helps automatically identify many malware behaviors discussed in the class. Through a simple user interface, students learn how to write rules to identify malware in their own work environments. MRI then uses those rules to score processes as suspicious or not.

I would like to thank James Long, who pointed out an issue with the batch scripts*, and Peter Villadsen, who worked so hard to improve the build process and installation for Memoryze. Peter and I would also like to thank all our loyal users. We appreciate all your feedback, and we hope to see you in Las Vegas.

* When specifying an output directory from the command line with the batch scripts in Memoryze, the directory must already exist.


SANS EU Malware in Memory

Written by Peter Silberman

Next Monday, April 18th, I’ll be presenting at the SANS EU Forensic Summit. I’m really impressed with the lineup of this SANS EU conference. It has a very eclectic mix of people talking. Ero Carrera will be discussing malware analysis. While Ero isn’t a forensicator, his insight into malware is pretty expansive, and his exposure to advanced malware is also pretty impressive. It will be a great talk.

Matthieu Suiche of MoonSols is also presenting. His presentations are always fun and very informative. There are a lot of other talks going on that run the gamut from traditional forensics to legal discussions. It should be a great conference.

I’ll be doing a 2 1/2 hour presentation/training at 7pm. This hybrid presentation/training is taken directly from the Advanced Memory Forensics in Incident Response class that Jamie Butler and I teach at Blackhat. We will go over malware in memory, why checking for malware in memory is important, what you can look for, generic malware behaviors, etc. All attendees will be given a boot camp in how to use and get the most out of Audit Viewer and Memoryze, and how to write Malware Rating Index (MRI) rules. They’ll also be given new copies of Audit Viewer and Memoryze (x64 support, anyone? Heck, if I stop traveling so much, we might even have support for Windows 7 32-bit or 64-bit, but I am not going to promise Jamie’s time).

We will then spend the rest of the class, hopefully an hour or more, examining case studies. The case studies are designed to mimic real world incidents, from mass malware infection to insider threats and targeted attacks. Our case studies involve answering specific questions about an incident. Sometimes, especially when MRI is enabled, we’ll set time limits just to keep it sporting. It should be a lot of fun, and hopefully everyone will learn something new. I’m certainly looking forward to teaching it.

I’ll also be on a panel on Tuesday answering the question: “Discuss new ways to find malware on a machine? Which technique is the best?”


15 Apr 10 | Conferences, General

Blackhat Europe, State Of Malware: Family Ties

Written by Peter Silberman

Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called State of Malware: Family Ties. This talk focuses on malware families. We thought about interesting research we could do in the same vein as our last talk, State of Malware: Explosion of the Axis of Evil, and we decided to look at malware families.

There’s a lot to gather from malware families from a mass malware perspective, looking at Conficker, Bagle, Waledac, Storm Worm, Rustock, etc. Equally important is examining APT families. MANDIANT tracks over 20 different families. Each family means something different to us. When we see one family at a client site, we might immediately pull Indicators of Compromise (IOCs) for other APT families that are closely related. If we find another group, we might quickly start figuring out what was exfiltrated, because we know that group and its actors are solely there to move information out. A lot can be extracted from the families we track, and that is why clustering malware into families from a targeted perspective is so important.

Ero and I wonder about a few things:

  • Do mass malware families share enough common attributes across families? For example, does Conficker share code with Waledac? If so, is it enough that we could consider them members of a sub-family, and perhaps even prove they were written by the same author(s) or group of authors?
  • Do mass malware families share code with APT samples? For example, this could mean that we find samples of SubSeven that match some of our APT backdoors (again, just an example).

These two questions alone are very interesting, because the results could indicate that some author of a mass malware sample is also authoring malware for targeted attacks.

But we didn’t stop there. We also wondered:

  • Do rootkits from rootkit.com have very high similarities to rootkits found by MANDIANT and out in the wild?
  • Do APT samples of family A share enough in common to be also classified as part of family B? We can draw a lot of interesting conclusions if this is the case.

These are all interesting questions, but we had a lot of disappointments when doing the research, and some aha moments where we thought about theories and realized why some wouldn’t be true. We also had some finds that surprised us, specifically regarding APT. We’ll be sharing the results on April 14th at 4:45. It should be fun. Our talk has a lot of diagrams, a lot of IDA screenshots, and a great video that Ero made.

If you can’t make it to Barcelona, we will be posting our slides and a follow-up blog post. Stay tuned! I also have recently updated the slides for Advanced Memory Forensics in Incident Response for Black Hat USA to include an APT case study and a ton of additional information on observing the behavior of malware in memory.


12 Apr 10 | Conferences, General

Memory Analysis on Windows 2003 64-bit and What’s Next

Written by Jamie Butler

Peter and I have been busy planning for CanSecWest in a week. The course, Advanced Memory Forensics in Incident Response, is constantly evolving. It has been about a year and a half since Memoryze was released, and just over a year for Audit Viewer. Honestly, it seems a lot longer, but that is not a bad thing. This week my team will be handing Windows 2003 64-bit support over to QA. While that is in testing, Peter will be making improvements to Audit Viewer that you, the user, have recommended, and he will be verifying that everything works correctly with the 64-bit output. The Malware Rating Index (MRI), which is in Audit Viewer, really changes the case studies in the training. For some exercises, we have to turn MRI off because the malware becomes obvious if you know how to use the tool. I expect MRI will evolve a lot over the next six months as we think of new ways to visualize, sort, and search the data, as well as identify new pieces of data to collect. If you are curious how visualization and sorting can help, check out how Harlan Carvey and Chris Pogue use it.

We have gotten a lot of great feedback from the user community, but what Windows operating system support or feature would you like to see next? Yes, MANDIANT Intelligent Response has a roadmap, but Memoryze allows us to play a little bit. It is really a labor of love. So let us know what you think. You can reach us at peter.silberman or james.butler plus company name.com. We currently support:

  • Windows 2000 SP4
  • Windows XP SP2 and SP3
  • Windows Vista SP1 and SP2 (better installer coming in next release)
  • Windows 2003 SP1 and SP2
  • Windows 2003 SP2 64-bit (** next release **)

So if you cannot make the training at CanSecWest in a week, Black Hat USA has just opened its training schedule, and we will be there for the weekend and weekday offerings of Advanced Memory Forensics in Incident Response. I hope to see you soon. Keep your eyes open for official update releases of Memoryze/Audit Viewer and webinars/presentations.


15 Mar 10 | Conferences, General