Memory Analysis on Windows 2003 64-bit and What’s Next
Written by Jamie Butler
Peter and I have been busy planning for CanSecWest in a week. The course, Advanced Memory Forensics in Incident Response, is constantly evolving. It has been about a year and a half since Memoryze was released, and just over a year for Audit Viewer. Honestly, it seems a lot longer, but that is not a bad thing. This week my team will be handing over to QA Windows 2003 64-bit support. While that is in testing, Peter will be making improvements to Audit Viewer that you the user have recommended, and he will be verifying everything works correctly with the 64-bit output. The Malware Rating Index (MRI), which is in Audit Viewer, really changes the case studies in the training. For some exercises, we have to turn MRI off because the malware becomes obvious if you know how to use the tool. I expect MRI will evolve a lot over the next six months as we think of news ways to visualize, sort, and search the data as well as identify new pieces of data to collect. If you are curious how visualization and sorting can help, check out how Harlan Carvey and Chris Pogue use it.
We have gotten a lot of great feedback from the user community, but what Windows operating system support or feature would you like see next? Yes, MANDIANT Intelligent Response has a roadmap, but Memoryze allows us to play a little bit. It is really a labor of love. So let us know what you think. You can reach us at peter.silberman or james.butler plus company name.com. We currently support:
-
- Windows 2000 SP4
- Windows XP SP2 and SP3
- Windows Vista SP1 and SP2 (better installer coming in next release)
- Windows 2003 SP1 and SP2
- Windows 2003 SP2 64-bit (** next release **)
So if you cannot make the training at CanSecWest in a week, Black Hat USA has just opened their training schedule, and we will be there for the weekend and weekday offerings of Advanced Memory Forensics in Incident Response. I hope to see you soon. Keep your eyes open for official update releases of Memoryze/Audit Viewer and Webinars/presentations.
Tags: Audit Viewer, Black Hat USA, CanSecWest, Malware Rating Index, Memory analysis, memory forensics, Memoryze, MRI
State of the Hack Webinar – Thursday March 11th
Written by Christopher Glyer
Michael J. Graven and I will be presenting MANDIANT’s State of the Hack webinar titled “Silent But Deadly” this Thursday, March 11th at 2PM EST.
I’ve had the opportunity to lead a number of MANDIANT’s APT investigations recently, and am looking forward to sharing some of my experiences with our audience. One common thread in many of the investigations I have worked is that the APT will use simpler malware, methods, and techniques – until it no longer works and they are forced to break out something a little more advanced from their arsenal.
The attackers will use more sophisticated methods as needed, and can get incredibly advanced and inventive and just “disappear” from the radar of responders if they really have to. There has been a lot of chatter on the Internet lately about recent attacks and how the malware and the Command and Control channels aren’t very sophisticated. But why use sophisticated techniques if you don’t have to?
Think about it – if you are a car thief and the car you are going to steal is not locked and has the key in the ignition – why pick the lock and hotwire the car? It doesn’t mean that the thief can’t pick the lock; it just means they don’t need to. That same thief may be capable of breaking in to a car that has a locked door, a car alarm, the club, and low-jack – and still get away with it if they are advanced enough and really want the car bad enough (think “Gone in 60 seconds“) . We have seen everything from the very simple – placing malware in a user’s start-up folder (yes, I actually saw this on one of my engagements) – to the pretty advanced – malware that dropped an NDIS driver capable of monitoring and modifying network traffic at the kernel level, implementing its own TCP/IP stack in the kernel, and providing remote access to a machine that would bypass host-based firewalls, IPS…etc.
During the webinar we will talk about the techniques the attackers use and will go into more depth on a few of the case studies in our recently released M-Trends report.
Oh, and you may be asking yourself what the link is between the name of the webinar “Silent But Deadly”, and what we will be discussing. We have seen evidence of the APT active and undetected in many victim networks for very long periods of time – up to years in some cases. Hence, the “silent”. And, while the result of these prolonged intrusions may not be deadly, they can often be costly, which is very bad for business.
We hope to see you on Thursday!
Tags: Advanced Persistent Threat, Case Study, M-Trends, State of the Hack, webinar
. 09 Mar 10 | General | Comments (0)
Malware Behaving Badly: Preview
Written by Peter Silberman
Hope everyone on the northern east coast is staying warm during snowpaclypse. Since I can’t go anywhere I figured now is the right time to write about an upcoming webinar I am giving with Michael Graven.
The webinar entitled Malware Behaving Badly is on Thursday, February 18, at 2:00 p.m. EST. The webinar title is a cute play on my DOD Cyber Crime (DC3) talk where I first introduced Malware Rating Index (MRI) into Audit Viewer (which is available for download).
If you saw my DC3 talk or viewed the slides and are wondering, “hey is this the same talk?” the answer is…well a little bit. The webinar will build off of a lot of the behaviors and theories I discussed at DC3. We will be addressing new behaviors as well as looking at APT vs Mass Malware behaviors. I’ve added two new configurable behaviors to MRI and did enough research to scrap a third. I’ll share those as well as give more real world examples of how malware exposes itself in memory.
For example the below listing shows the keylogger, the process and the file handle that process has. The file handle is actual the log file the key logger is writing too.
| Keylogger Name | Process | Log File |
| Klog | System | \Klog.txt |
| Advanced Keylogger | Explorer | \WINDOWS\Help\dsclientsock.hlp |
| Spector Pro | Explorer | \WINDOWS\system32\avoxnot\BEC7CA9645B2AF87DEEACD53B38B223FEE1C605C.zup |
If you didn’t catch my DC3 talk and didn’t understand the slides this is a good time to get an updated version of the talk. I’m going to focus on malware behavior, what it does when it’s installed that makes it stand out in memory. We will cover APT and Mass Malware, and specifically where we see their behaviors intersect. Some of these behaviors are horribly simple, i.e. flag svchost launched from directories other than \windows\system32. Some are as simple but may not be as obvious, for example flag svchost, or iexplore if they have a process handle to cmd.exe. These are rules that should never be true.
When discussing rules, I use that term loosely. Basically in Audit Viewer you now have the option to configure all this information. If you go to Operations -> Configure Malware Rating Index you can configure all these things and a few more not mentioned in this post but mentioned in the webinar. We will wrap up the webinar like always with a live demo. Live demos are the most fun really, it’s like NASCAR except it’s just reputation not lives on the line.
I hope you can join us, it should be fun.
If you would like to learn more in-depth about how physical memory analysis works, use Memoryze and Audit Viewer, understand MRI, or write your own malware rules, join Jamie and I at the CanSecWest training. CanSecWest specializes in technical, hands-on classes with an extremely low student-teacher ratio.
Tags: APT, Audit Viewer, CanSecWest, Fresh Prints Malware Behaving Badly, Malware Behaving Badly, Malware Rating Index, Memoryze, MRI, webinar
Combat the APT by Sharing Indicators of Compromise
Written by Matt Frazier
At MANDIANT, we value human intelligence – ground-truth, intelligent decision-making and adapting to your enemy’s tactics. Since expert humans can’t be everywhere, we’ve built a means to exchange enough ground-truth and decision-making so security experts can spend more energy applying expertise, less time parsing and pruning stale datasets and leverage their expertise across organizations and between compromises.
Historically, compromise data has been exchanged in CSV or PDFs laden with tables of “known bad” malware information – name, size, MD5 hash values and paragraphs of imprecise descriptions supplemented by ad-hoc exchanges between targets.
MANDIANT, inspired by field pressures, operation after operation, imagined a way to exchange not only indicators of specific compromises but structures which formalize the human-intelligence of decision-making, rules, exceptions, and ongoing adaptability. Our Indicators of Compromise (IOCs) were shaped operationally detecting real-world threats. We help our clients detect the APT right now, and they’re exchanging information about it using IOCs.
Conventional compromise datasets consist of table after table of immediately-stale data capturing few, if any, relationships. An Indicator of Compromise (IOC), however, is a Boolean decision tree that discriminates an indicator from a false-positive, theory from ground truth. What’s more, when you discover an exception or extension to a well-known-IOC you can describe it concisely and proactively, authenticate its source and re-evaluate your existing data to detect new instances of old compromises. This way, as a threat group adapts to your detections, you retain an IOC’s identity and maintain the value of intelligence shared with other targets over time.
Importantly, IOC is industry-standard XML so you already have tools and a community of experts who can comprehend, transform, and leverage new data immediately. Unlike many XML standards however, it’s simple – developed operationally with an eye toward staying adaptable, transformable, and scalable. IOC describes relationships which indicate compromise – this makes the format resilient to new data formats, data sources and decision engines.
At DoD CyberCrime 2010 MANDIANT will formally release this format and tools to leverage it in your investigations today. We’ll have full coverage of the release on M-unition – stay tuned.
Tags: APT, humint, MIR, sizzle, xml
M-Trends: Advanced Persistent Threat Malware
Written by Wendi Rafferty
There are a lot of reports in the news about the types of malware being utilized by the Advanced Persistent Threat (APT) attackers. Our upcoming release of M-Trends will go into great detail about the types of malware, its capabilities, and how the attackers leverage a variety of malware throughout a breadth of victim organizations to accomplish very specific goals. Over the next week, the MANDIANT blog will feature excerpts from our upcoming M-Trends report that illustrate just how difficult it is to identify APT techniques.
The most significant commonality of APT malware is that it hides in plain sight. It avoids detection by using common network ports, process injection and Windows service persistence. Every piece of APT malware cataloged by MANDIANT initiated only outbound network connections. No sample listened for inbound connections. So, unless an enterprise network is specifically monitoring outbound network traffic for APT-related anomalies, it will not identify the APT malware outbound beaconing attempts.
A few of the most poignant stats about APT malware are listed below:
APT Malware:
- Average File Size: 121.85 KB
Most Common APT Filenames:
- svchost.exe (most common)
- iexplore.exe
- iprinp.dll
- wiinzf32.dll
APT Malware avoids anomaly detection through:
- Outbound HTTP connections
- Process injection
- Service persistence
APT Malware Communication:
- 100% of APT backdoors made only outbound connections
- 83% used TCP port 80 or 443
- 17% used another port
Because APT malware is so difficult to detect, simple malware signatures such as MD5 hashes, filenames, and traditional anti-virus methods usually yield a low rate of true positives. M-Trends will provide detailed information about how exactly organizations can posture themselves for success when fighting attackers with such specialized and sophisticated capabilities.
If you’d like to register for a copy of “M-Trends,” drop us a note at info(at)mandiant(dot)com otherwise, keep your eyes peeled to our blog and http://www.mandiant.com for the official release of “M-Trends.”
Special Thanks to Peter Silberman, the MANDIANT malware analysis team, and product engineers for their work in developing this information.
Tags: Advanced Persistent Threat, APT, M-Trends, malware analysis
. 15 Jan 10 | General | Comments (0)
M-Trends: The Advance of the Persistent Threat
Written by Wendi Rafferty
The Advanced Persistent Threat (APT) is an advanced persistent reality! It’s all over the news. Everyone seems to be either talking about it or affected by it. MANDIANT defines the APT as a group of sophisticated, persistent, and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China.
MANDIANT has over seven years experience conducting Advanced Persistent Threat (APT) intrusion investigations for the U.S. government, the defense industrial base and commercial organizations. During that time, we’ve learned many things, and we want to share our lessons learned with the security community. A team of our APT experts has been working diligently on a report that we call “M-Trends.” M-Trends focuses on what the APT attackers do and how they do it.
Some highlights from “M-Trends” include:
- The APT isn’t just a government problem; it isn’t just a defense contractor problem; and it isn’t just a military problem. The APT is everyone’s problem.
- No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone.
- Classic “prevent and detect” techniques do not effectively counter the APT. The attackers can easily defeat normal defenses. They successfully evade anti-virus software, network intrusion detection and under-equipped incident responders. They use sophisticated techniques to conceal their presence: hiding malware on their target’s own hosts and exfiltrating data in its own network traffic. A staggering 100% of APT malware identified by MANDIANT made ONLY outbound connections from victim networks, 83% of which used TCP port 80 or 443.
- The APT’s goals are twofold:
- to steal information to achieve economic, political and strategic advantage.
- to establish and maintain an occupying force in their target’s environment, a force they can call on at any time. When the APT wants additional data from a target, they don’t need to re-establish a presence. They simply call on their existing assets, locate, steal and exfiltrate the data they need.
We will introduce “M-Trends” at a launch party during the 2010 DoD Cyber Crime conference in St. Louis, MO. The report authors will be there to answer your questions and share their knowledge. If you’ll be in St. Louis stop by and see us on Wednesday, January 27 from 6- 9 in the Crystal Ballroom at the Renaissance Grand.
Register for a copy of “M-Trends” and keep your eyes peeled to our blog and http://www.mandiant.com for the official release of “M-Trends.”
Tags: Advanced Persistent Threat, APT, M-Trends
. 14 Jan 10 | General | Comments (0)
Recent Posts
- Memory Analysis on Windows 2003 64-bit and What’s Next
- State of the Hack Webinar – Thursday March 11th
- Malware Behaving Badly: Preview
- Audit Viewer: Malware Rating Index Undocumented Features and Caveats
- Combat the APT by Sharing Indicators of Compromise
Follow us on Twitter
- Mandiant: The adversary does this, do you? mjg RT @RevRunWisdom You live and learn or you live miserably
- Mandiant: RT @jamierbutler Working on #CanSecWest slides, but what do you want to see - http://tinyurl.com/yjbdx2t ? Let me know.
- Mandiant: Not all online surveys are created equal - FBI says online attackers more devious than year's past http://bit.ly/aVfhs8