Home Contact

M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

Malware Behaving Badly: Preview

Written by Peter Silberman

Hope everyone on the northern east coast is staying warm during snowpaclypse. Since I can’t go anywhere I figured now is the right time to write about an upcoming webinar I am giving with Michael Graven.

The webinar entitled Malware Behaving Badly is on Thursday, February 18, at 2:00 p.m. EST. The webinar title is a cute play on my DOD Cyber Crime (DC3) talk where I first introduced Malware Rating Index (MRI) into Audit Viewer (which is available for download).

If you saw my DC3 talk or viewed the slides and are wondering, “hey is this the same talk?” the answer is…well a little bit. The webinar will build off of a lot of the behaviors and theories I discussed at DC3. We will be addressing new behaviors as well as looking at APT vs Mass Malware behaviors.  I’ve added two new configurable behaviors to MRI and did enough research to scrap a third. I’ll share those as well as give more real world examples of how malware exposes itself in memory.

For example the below listing shows the keylogger, the process and the file handle that process has. The file handle is actual the log file the key logger is writing too.

Keylogger Name Process Log File
Klog System \Klog.txt
Advanced Keylogger Explorer \WINDOWS\Help\dsclientsock.hlp
Spector Pro Explorer \WINDOWS\system32\avoxnot\BEC7CA9645B2AF87DEEACD53B38B223FEE1C605C.zup

If you didn’t catch my DC3 talk and didn’t understand the slides this is a good time to get an updated version of the talk. I’m going to focus on malware behavior, what it does when it’s installed that makes it stand out in memory. We will cover APT and Mass Malware, and specifically where we see their behaviors intersect. Some of these behaviors are horribly simple, i.e. flag svchost launched from directories other than \windows\system32. Some are as simple but may not be as obvious, for example flag svchost, or iexplore if they have a process handle to cmd.exe. These are rules that should never be true.

When discussing rules, I use that term loosely. Basically in Audit Viewer you now have the option to configure all this information. If you go to Operations -> Configure Malware Rating Index you can configure all these things and a few more not mentioned in this post but mentioned in the webinar. We will wrap up the webinar like always with a live demo. Live demos are the most fun really, it’s like NASCAR except it’s just reputation not lives on the line.

I hope you can join us, it should be fun.

If you would like to learn more in-depth about how physical memory analysis works, use Memoryze and Audit Viewer, understand MRI, or write your own malware rules, join Jamie and I at the CanSecWest training. CanSecWest specializes in technical, hands-on classes with an extremely low student-teacher ratio.

Tags: , , , , , , , ,

. 12 Feb 10 | Conferences, General | Comments (0)

Audit Viewer: Malware Rating Index Undocumented Features and Caveats

Written by Peter Silberman

Hopefully everyone has had a few weeks to recover from the M-Trends kickoff party in St. Louis and everyone has also had a chance to read the M-Trends report! I hope everyone enjoyed the talk I gave at DOD Cyber Crime Conference. I certainly had fun giving it, sorry to those that got hit with the squishy balls. I wanted to take a second to address some caveats and undocumented features of MRI that couldn’t be discussed in the talk.

A caveat within MRI I that I want to talk about is Process Path Verification. This rule set is very powerful but there are two ways to define to paths. Neither is documented because currently there is no documentation on MRI.. The first method of specifying a process path is to specify an absolute path such as this:
calc.exe:\windows\system32

MRI interprets this as the only valid path for calc.exe is \windows\system32\calc.exe. However, if I wrote the rule like:
calc.exe:\windows\system32\

MRI would interpret this as calc.exe can be run from any sub directory as long it’s a sub directory within \windows\system32\*

The reason this is important is it gives you flexibility in writing definitions. If I don’t want to specify the exact location of iexplore.exe I can say it needs to be launched from \program files\. This may prove to be too loose, and I may change this behavior going forward. For now you have the flexibility to specify absolute paths or sub paths.

The next “undocumented” tidbit that I want to discuss is within two behaviors. These behaviors actually have the ability to use regex when trying to match up their values. I did not build the regex option into the UI so it has to be manually added to the AuditViewerConfig.xml. The two XML lists that can take regex expressions are IgnoreFilesList, and ProcessSuspiciousHandleList. The regex elements are, IgnoreFileRegex, and HandleRegex. An example IgnoreFileRegex looks like:
<IgnoreFileRegex>mshist.*\\index.dat</IgnoreFileRegex>

This rule specifies that any file matching this regular expression should be ignored when doing process scoring. You can get creative just be careful.

An example HandleRegex looks like:
<HandleRegex>*:.*-7$:mutant:known conficker mutant</HandleRegex>

It breaks down like this:
Process: Regular Expressions : handle type: description

It breaks down like this:
Process: Regular Expressions : handle type: description

This allows you to get more out of your suspicious handles definitions.

Finally, I’d like to take a second to reiterate something I stated at DC3. The “Verify Digital Signatures” option in Memoryze and Audit Viewer wizard can ONLY be run when doing live memory. It is not possible to enable it when doing dead memory analysis. Which means the address scoring is not possible on dead memory, behavioral analysis still works on dead memory. If you are going to acquire memory, please run live analysis jobs as well as acquisition. This way you get the most information possible off the machine. The second thing I wanted to reiterate is that verify digital signatures is great, it really helps potentially speed up an analyst’s job. However, we are only verifying the digital signatures exist and are valid on disk. We are not verifying the module in memory hasn’t been modified. If a userland rootkit exists (again shame on the authors) then we won’t report that. It’s important to remember this. Verifying modules in memory short of doing rootkit detection is not a trivial task. The windows loader is a beast, a behemoth it does a lot to make verification in memory to disk is very hard (not impossible). Thanks again for all the interest in M-Trends, Audit Viewer and Memoryze. As always feedback is always appreciated.

Tags: , , , , , , ,

. 09 Feb 10 | Conferences, Products | Comments (0)

DOD Cyber Crime: New Audit Viewer/Memoryze

Written by Peter Silberman

MANDIANT is going to be at DOD Cyber Crime this year. Jamie and I have both been heads down for many weeks now working on some pretty cool stuff. We are starting to come up for air and what that means for you is updates to Memoryze and Audit Viewer. We will be releasing new versions of each that coincide with DC3.  I, along with many of my co-workers, will be presenting and attending. My talk abstract is very ambiguous so I thought I’d take a brief second to discuss both the talk and the changes to Audit Viewer and Memoryze.

The talk is going to be interactive. And dammit I don’t care if you don’t want to interact with me. I’m both very convincing, persistent and well…charming! You will feel compelled to join in on this talk. I promise. I know this because I’m bringing bribes… And yes, I’m bringing what you are thinking.

This talk will contain a brief intro to memory analysis, a FAQ etc. We are not going to waste much time on the nitty gritty since most people are not interested in how we chop off the last 12 bits to get a physical offset from a virtual address. I know, you just fell asleep a little.  During this talk I will make a case for why memory analysis is important. I will pull from pervious APT investigations where disk analysis failed and had to be used in conjunction with memory analysis. Finally, we will discuss MANDIANT’s Malware Rating Index (MRI). We will finish with real APT incident demos where I’ll walk through the investigation of an infected system with APT.

Now, a little more about MRI. MRI is a huge update to Audit Viewer.  Instead of going after a fish (malware) with a hook (signatures), I’m going after fish (malware) with a drag net (MRI). The goal of this feature is twofold. First it is going to  help pinpoint specific processes that should be investigated further while attempting to eliminate some of the non-suspicious processes and get them out of the analyst’s way. It’s also designed to try and make APT detection easier. A lot of work went into looking at our samples and how they behave etc, and coming up with definable behaviors that trap those little creatures. MRI is made up of two components. The first component is a definable behavior rule set that is completely customizable. It is made up of three different types of rules:

  • Process Path Verification – allows users to define what processes should be launched from what directories. This triggers on malware that copies and names itself after svchost or other system processes to subdirectories within system folders. For example a default rule is that svchost can only be executed from \windows\system32. Any time we see it running from somewhere else we flag the process.
  • Process User Verification – allows users to define what processes should be running under what users.  This triggers on malware spawning svchost for purposes of unmapping image bases or hiding dlls within spawned svchost. So, for example, if malware copies itself to system32\dllcache and then names itself svchost.exe, you can define a rule saying svchost.exe should be running as local service, network service, or system. When Audit Viewer see svchost running as administrator it gets flagged.
  • Process Handle Inspection – this allows you to define specific rules pertaining to malware or generic behavior. For example a default rule is to flag svchost or iexplore anytime it has a process handle to cmd.exe. There is just no good reason for this to _EVER_ happen. You can also define rules based on specific malware, for example if a3c mutant is present then flag the process as being infected with sality.

All of these features are configurable from the UI by going to operations -> Configure MANDIANT MRI.

The second component of MRI is a process address space scoring mechanism. We will be releasing an update to Memoryze at DC3. The new release will contain bug fixes as well as a new feature called “Verify Digital Signatures.” When this parameter is turned on memoryze will perform a “digital signature check” on all loaded modules. This can only be enabled on live memory analysis. The digital signature check verifies the module on disk is digitally signed. We do a bunch of math and use our Least Frequency of Occurrence to trust modules that aren’t signed but occur in more than X% of processes. Where X is defined by the user. We won’t flag or catch modified binaries in memory. So if a rootkit is doing userland hooking (it should be ashamed) we won’t know about it because we are checking disk to determine if it is digitally signed. There are a lot of reasons why we can’t verify in memory digital signatures.  It might make an interesting blog to detail all the reasons. With that said, this new feature gives us a good working idea of how much of the loaded modules in the process address space are signed and therefore trusted. It’s had fantastic results thus far. I’ve been using it on old incidents to see if we could have sped up results using these new methods. The answer seems to be yes in a lot of cases.

After DC3 I’ll have more blogs detailing how you can use and write better rules for MRI. But for now there will be a default distribution that you can use and modify. Again, like always, Audit Viewer is open source and free. Which means you can see the logic and rules behind MRI. Memoryze is and will stay free.

If you are going to be at DC3 and want to grab a beer I will be there from Sun (night)-Weds. Unfortunately I’m going to be missing all the great talks on Thurs so I can leave to compete in the Tough Guy Challenge. You are more than welcome to join at this race in Northern England. As I understand it there are still some open slots! See everyone at DC3!

Tags: , , , , , , , ,

. 21 Jan 10 | Conferences | Comments (0)

Flex your Memory Forensic skills at CEIC!!!

Written by Peter Silberman

MANDIANT will be at this year’s Computer Enterprise Investigation Conference (CEIC). I will be there as well running a contest for incident responders. The contest is designed to test your ability to identify malware in memory. We have all heard of the Advanced Persistent Threat, we know the acronym APT.  If you’re not familiar with APT or want to become more familiar check out https://cc.readytalk.com/cc/schedule/display.do?udc=1s8rbdxuuzuf7.

But how many of us have seen these cute cuddly creatures on live systems or in dead memory? This is your opportunity to come see if you can find the malware of an actual APT incident as well as some other incident of my own creation.

The contest will run two days and kick off Monday, May 18 at 9:45 a.m.  The contest will work as follows:  you will be given access to a virtual machine (VM). This VM will be pre-loaded with Audit Viewer and Memoryze. Audit Viewer will already have the audits needed to solve the incident loaded, which will cut down on the time needed at the station. You will have 10 minutes to go through the results of the audit and answer a set of four to five questions. At minutes 4, 6, and 8 you can ask for hints. If you answer three more of the questions on the first day you are eligible to compete on the second day. The second day will work the same. One of these two days will contain actual APT malware taken from an incident we responded too. The contest is designed to simulate what we see on a daily basis and to help attendees learn more about finding malware in memory. The prize will be an iLive IP908B 9″ Portable DVD Player With iPod® Dock And Swivel Screen.

If you are wondering how to prepare for the contest, we recommend you read the Audit Viewer user guide included in Audit Viewer. You should understand the data displayed by Audit Viewer and how to navigate/search Audit Viewer results. You will not have to run Memoryze as all the data you need to solve the case will be preloaded into Audit Viewer. We will have an Audit Viewer training slide deck running at the contest so you can if you’d like cram prior to the competition but as one of my college professors might have said “cramming is not recommended.”

You may say, “well I don’t have much memory analysis experience.” That does not matter! Stop by the booth, I will be there to walk through how to do memory forensics on 15 or so unique memory images. Each memory image is a different type of malware or scenario. All our demonstrations will utilize MemScript, which is a FREE EnCase script written by Kelcey Tietjen that integrates memory analysis into EnCase. This is a great chance to come and learn something new. And, as always, if you have questions about previous talks we’ve given or upcoming research you’ve read about, I’ll be more than happy to chat about those as well. So stop by, watch others compete, come and see the big red box, talk memory, APT, fluffy bunnies and more.

Hope to see you there!

Tags: , , ,

. 11 May 09 | General | Comments (0)

MindSniffer, Updated Audit Viewer released

Written by Peter Silberman

I’m currently writing this blog post from my hotel room at Blackhat Federal. Jamie and I wrapped up our “Advanced Memory Forensics in Incident Response” class on Tuesday. It went very well and we are both looking forward to teaching it again in Las Vegas. I just finished giving my talk “Snort my Memory.” I detailed the talk in a previous blog post. This post now includes links to available software. MindSniffer is available here. If you have any questions comments suggestions please feel free to contact me peter.silberman@mandiant.com.
Following the release of MindSniffer I am thrilled to announce a NEW version of Audit Viewer. This version includes the following features:

  • Process are marked in red if they have injected dlls
  • View imports/exports of PE files in memory. This can be done by right clicking on memory sections
  • Signature Manager built into Audit Viewer to support py files generated by MindSniffer
  • Added sections and semaphore handle types
  • Memoryze Launcher – this a GUI wrapping Memoryze and allowing you to configure Memoryze all from a user interface. No more batch scripts or xml files. To utilize Memoryze Launcher, click “Launch Memoryze.” You can configure multiple jobs to run at once once they will all run, then the results are auto loaded into Audit Viewer for easier integration. This is a huge feature and I’m very excited to get feed back on it.
  • Numerous bug fixes
  • Updated documentation

Grab the new audit viewer at its new location Audit Viewer
Please feel free to e-mail comments suggestions ideas and anything else you think I should know regarding Audit Viewer.
Enjoy,
Peter

Tags: , , , , ,

. 19 Feb 09 | General | Comment (1)

Snort My Memory – Blackhat DC 09

Written by Peter Silberman

For those of you who have not checked the speaker lineup for Blackhat DC, I will be there giving a presentation entitled “Snort My Memory.” This talk will address some research that has been going on internally here at MANDIANT for the past couple of months. The research is focused on how to identify common malware samples in memory using Memoryze and the Audit Viewer. The specific idea behind this presentation is to take existing Snort signatures and apply them to strings in memory. The theory being that Snort uses strings to identify malware going over the network. These malware samples create network traffic using “strings” these “strings” must be in memory prior to going out over the wire. So why not just use Snort on the network? Well, when searching an entire enterprise for malware, you need to know every host that is infected and not just the ones that are communicating. Also, the attacker’s communications may be encrypted using SSL or other techniques, which makes network detection harder. With a little luck, the protocol strings such as commands for the botnet are hanging around statically unencrypted in memory, and we can detect them.

 

This research led me to write two new components. The first component is MindSniffer. This tool takes a Snort rule file and generates either Xpath filters for Memoryze to use or plugins for the Audit Viewer.

 

python mindsniffer.py
 Written by Peter Silberman (peter.silberman@mandiant.com)
 USAGE: mindsnort.py

    <-r|–rules RULE FILE>  snort rule file to parse

   <-x|–xpath>            generate xpath signatures

    <-p|–py>                 generate py files for use in AuditViewer

    [-o|--output]           specify output directory

 

 The second component written is a plugin framework/manager for the Audit Viewer. This new component allows users to apply Snort “signatures” to Audit Viewer results (strings must be turned on during the process audit).

 

The presentation will cover the above research, what was learned, and how Memoryze accesses/parses physical memory and associates strings to processes. As always there will be live demonstrations of Snort signatures working in memory. You can see the official abstract https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Silberman

 

I hope to see you guys there in February. Feel free to e-mail me if you have questions or want to see the demo from Hack In The Box Malaysia ‘08 (http://conference.hitb.org/hitbsecconf2008kl/).

 

As final note and shameless plug, stay tuned for some major updates to the Audit Viewer in the coming month or so. 

Tags: , , , , ,

. 09 Jan 09 | Conferences, General, Products | Comments (0)
« Previous Posts