SANS EU Malware in Memory

Written by Peter Silberman

Next Monday, April 18th, I’ll be presenting at SANS EU Forensic Summit. I’m really impressed with the line up of this SANS EU conference. It has a very eclectic mix of people talking. Ero Carrera will be dicussing malware analysis. While Ero isn’t a forenscitar, his insight into malware is pretty expansive, and his exposure to advanced malware is also pretty impressive. It will be a great talk.
 
Matthieu Suiche of MoonSols is also presenting. His presentation is always fun and very informative. There are a lot of other talks going on that run the gamut from traditional forensics to legal discussions. It should be a great conference.
 
I’ll be doing a 2 1/2hr presentation/training at 7pm. This hybrid presentation/training is actually taken directly from the Advanced Memory Forensics in Incident Response class that Jamie Butler and I teach at Blackhat. We will go over malware in memory, why checking for malware in memory is important, what you can look for, generic malware behaviors, etc. All attendees will be given a boot camp in how to use and get the most out of Audit Viewer, Memoryze and how to write Malware Rating Index (MRI) rules. They’ll also be given new copies of Audit Viewer and Memoryze (x64 support anyone?. Heck, if I stop traveling so much, we might even have support for Windows 7 32-bit or 64-bit, but I am not going to promise Jamie’s time.)
 
We will then spend the rest of the class, hopefully an hour or more, examining case studies. The case studies are designed to mimic real world incidents from mass malware infection, to insider threats and targeted attacks. Our case studies involve answering specific questions about an incident. Sometimes, especially when MRI is enabled, we’ll set time limits just to keep it sporting. It should be a lot of fun, and hopefully everyone will learn something new. I’m certainly looking forward to teaching it. 
 
I’ll also be on a panel on Tuesday answering the question:  “Discuss new ways to find malware on a machine?  Which technique is the best?”

 

Tags: incident response summit, memory forensics training, SANS

Fresh Prints of Mal-Ware: Choose Your Own Adventure!

Written by Christopher Glyer

Kyle Dempsey and I have been busy putting together content for the upcoming Fresh Prints webinar, “Choose Your Own Adventure,” being held this Thursday, April 15th at 2PM EDT. If you thought of the Choose Your Own Adventure® book series when you saw the title, you understand where we’re going with this.
 
This webinar’s content was developed based on feedback we received from registrants, specifically:

• How does MANDIANT “Find Evil”
• Malware internals

 
After gathering responses, what we found was that people know the basics about the APT – and what they are most interested in knowing is how our consultants go out in the field and actually find the attackers.
 
I have seen some presentations pop-up that speak at a high level on this threat, but they always stop short of showing you how the attackers compromise an organization’s network or how an investigation was conducted. Kyle and I wanted to create a webinar that showed how we actually conduct an investigation (tools used, screenshots of results…etc.) using real client data (used with their permission).
 
The webinar details what we would do with traditional drive based forensics to find malware and contrasts it with real examples of using an approach that scales to an enterprise environment with tens of thousands of hosts (without using an army of investigators and imaging every system under the sun).
 
I hope you can join us Thursday for the webinar. As always, there will be plenty of time at the end of the presentation for Q&A.

Tags: Advanced Persistent Threat, Fresh Prints of Mal-Ware, malware analysis, webinar

Blackhat Europe, State Of Malware: Family Ties

Written by Peter Silberman

Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called State of
Malware: Family Ties. This talk focuses on malware families.  We thought about interesting research we could do in the same vein as our last talk, State of Malware: Explosion of the Axis of Evil. We decided to look at malware families.
 
There’s a lot to gather from malware families, from a mass malware perspective looking at conficker, bagel, waldeac, storm worm, rustock, etc. Equally important is examining APT families. MANDIANT tracks over 20 different families. Each family means something different to us. When we see one family at a client site, we might immediately pull Indicators of Compromise (IOC) for other APT families that are closely related. If we find another group, we might quickly start figuring out what was exfiltrated because we know that group and its actors are solely there to move information out. A lot can be extracted from the families we track and that is why clustering malware into families from a targeted perspective is so important.
 
Ero and I wonder about a few things:

• Do mass malware families share enough common attributes across families? Example, does conficker share code with waledac? If so, is it enough so that we could consider them members of a sub family. Also maybe proving they were written by the same author(s) or group of authors.
• Do mass malware families share code amongst APT samples? Example, this could mean that we find samples of subseven that match some of our APT backdoors (again just an example).

 
These two questions alone are very interesting because the results could indicate some author of a mass malware sample is also authoring malware for targeted attacks.
 
But we didn’t stop there. We also wondered:

• Do rootkits from rootkit.com have very high similarities to rootkits found by MANDIANT and out in the wild?
• Do APT samples of family A share enough in common to be also classified as part of family B? We can draw a lot of interesting conclusions if this is the case.

 
These are all interesting questions, but we had a lot of disappointments when doing the research and some ah ha moments where we thought about theories and realized why some wouldn’t be true. We also had some finds that we were surprised with, specifically regarding APT. We’ll be sharing the results on April 14th at 4:45. It should be fun. Our talk has a lot of diagrams, a lot of IDA screen shots, and a great video that Ero made.
 
If you can’t make it to Barcelona, we will be posting our slides and a follow up blog post. Stay tuned! I also have recently updated the slides for Advanced Memory Forensics in Incident Response for Black Hat USA to include an APT case study and a ton of additional information on observing the behavior of malware in memory.

Tags: Advanced Persistent Threat, APT, blackhat, MANDIANT

Honeynet Project: Challenge 3 of the Forensic Challenge 2010

Written by Helena Brito

The Honeynet Project has posted a forensic challenge centered around analyzing a memory image. The image represents the physical memory acquired from a host at a fictitious bank, which was the victim of an intruder. The Honeynet Project has come up with a series of questions that you must answer in order to solve the case. While the challenge organizers will be doing all the judging, we would like to promote the cause by giving additional prizes to those who place in the top three and solve the challenge using Memoryze and Audit Viewer.

The prizes MANDIANT will be offering to those that place in the top three are:

First Place: $100 gift card to Best Buy
Second Place: Backpack
Third Place: MANDIANT swag

In the event of a tie, we will divide the prize(s) equally.

The submission deadline is April 18th so act fast.
Banking Troubles

Please do not send your submissions to MANDIANT. If you are a winner of the challenge, contact info at MANDIANT after the winners are announced. Peter Silberman and other MANDIANT employees may submit a solution; however, employees are not eligible for prizes. If a MANDIANT employee places in the top three of submissions, all prizes will be allocated to the remaining, non-employees to place in the top three.

Tags: Audit Viewer, Forensic Challenge, Honeynet Project, Memory analysis, Memoryze, prizes

Memory Analysis on Windows 2003 64-bit and What’s Next

Written by Jamie Butler

Peter and I have been busy planning for CanSecWest in a week. The course, Advanced Memory Forensics in Incident Response, is constantly evolving. It has been about a year and a half since Memoryze was released, and just over a year for Audit Viewer. Honestly, it seems a lot longer, but that is not a bad thing. This week my team will be handing over to QA Windows 2003 64-bit support. While that is in testing, Peter will be making improvements to Audit Viewer that you the user have recommended, and he will be verifying everything works correctly with the 64-bit output. The Malware Rating Index (MRI), which is in Audit Viewer, really changes the case studies in the training. For some exercises, we have to turn MRI off because the malware becomes obvious if you know how to use the tool. I expect MRI will evolve a lot over the next six months as we think of news ways to visualize, sort, and search the data as well as identify new pieces of data to collect. If you are curious how visualization and sorting can help, check out how Harlan Carvey and Chris Pogue use it.

We have gotten a lot of great feedback from the user community, but what Windows operating system support or feature would you like see next? Yes, MANDIANT Intelligent Response has a roadmap, but Memoryze allows us to play a little bit. It is really a labor of love. So let us know what you think. You can reach us at peter.silberman or james.butler plus company name.com. We currently support:

- Windows 2000 SP4
- Windows XP SP2 and SP3
- Windows Vista SP1 and SP2 (better installer coming in next release)
- Windows 2003 SP1 and SP2
- Windows 2003 SP2 64-bit (** next release **)

So if you cannot make the training at CanSecWest in a week, Black Hat USA has just opened their training schedule, and we will be there for the weekend and weekday offerings of Advanced Memory Forensics in Incident Response. I hope to see you soon. Keep your eyes open for official update releases of Memoryze/Audit Viewer and Webinars/presentations.

Tags: Audit Viewer, Black Hat USA, CanSecWest, Malware Rating Index, Memory analysis, memory forensics, Memoryze, MRI

State of the Hack Webinar – Thursday March 11th

Written by Christopher Glyer

Michael J. Graven and I will be presenting MANDIANT’s State of the Hack webinar titled “Silent But Deadly” this Thursday, March 11th at 2PM EST.

I’ve had the opportunity to lead a number of MANDIANT’s APT investigations recently, and am looking forward to sharing some of my experiences with our audience. One common thread in many of the investigations I have worked is that the APT will use simpler malware, methods, and techniques – until it no longer works and they are forced to break out something a little more advanced from their arsenal.

The attackers will use more sophisticated methods as needed, and can get incredibly advanced and inventive and just “disappear” from the radar of responders if they really have to.  There has been a lot of chatter on the Internet lately about recent attacks and how the malware and the Command and Control channels aren’t very sophisticated.  But why use sophisticated techniques if you don’t have to?

Think about it – if you are a car thief and the car you are going to steal is not locked and has the key in the ignition – why pick the lock and hotwire the car? It doesn’t mean that the thief can’t pick the lock; it just means they don’t need to.  That same thief may be capable of breaking in to a car that has a locked door, a car alarm, the club, and low-jack – and still get away with it if they are advanced enough and really want the car bad enough (think “Gone in 60 seconds“) .  We have seen everything from the very simple – placing malware in a user’s start-up folder (yes, I actually saw this on one of my engagements) – to the pretty advanced – malware that dropped an NDIS driver capable of monitoring and modifying network traffic at the kernel level, implementing its own TCP/IP stack in the kernel, and providing remote access to a machine that would bypass host-based firewalls, IPS…etc.

During the webinar we will talk about the techniques the attackers use and will go into more depth on a few of the case studies in our recently released M-Trends report.

Oh, and you may be asking yourself what the link is between the name of the webinar “Silent But Deadly”, and what we will be discussing.  We have seen evidence of the APT active and undetected in many victim networks for very long periods of time – up to years in some cases.  Hence, the “silent”.  And, while the result of these prolonged intrusions may not be deadly, they can often be costly, which is very bad for business.

We hope to see you on Thursday!

Tags: Advanced Persistent Threat, Case Study, M-Trends, State of the Hack, webinar

Recent Posts

• DLL Search Order Hijacking Revisited
• Find Evil and Solve Crime, Part 1: Focus
• Reversing Malware Command and Control: From Sockets to COM
• The Challenges to Remediating from the APT
• Stuxnet Memory Analysis and IOC creation

Follow us on Twitter

• Mandiant: M's @nickharbour revisits DLL Search Order Hijacking to propose his solution to the problem http://bit.ly/ctmxM7
• Mandiant: The slides and recording are now posted for the Fresh Prints of Mal-ware: 0x1, 0x2, 0x3s of IOC webinar http://bit.ly/dutt9E #m_fp
• Mandiant: Registration now up for M's State of the Hack webinar ft. Josh Corman/@the451group 9/23 @ 2PM EDT http://bit.ly/c08atu #M_SOH

MANDIANT News

• Advanced Persistent Threat – Intelligence Brief
• The State of the Hack - The Advanced Persistent Threat
• The State of the Hack - The Advanced Persistent Threat
• MANDIANT Incident Response Conference (MIRcon)