Web Historian: Reloaded
Written by Aaron LeMasters
We’ve been busy here on team agent at MANDIANT. In the spirit of our long-standing support of free software in the Incident Response community, we are happy to announce the release of Web Historian 2.0. This release is a complete rewrite and revamp of our very popular web history extraction tool. This version of Web Historian comes packed with features and supports Firefox 2/3+, Chrome 3+, and Internet Explorer versions 5 through 8. Here is a quick run-down of some of the new features:
- Collects web history, cookie history, file download history, and form history into data sets
- Simple/powerful UI based on tabbed organization of datasets
- Perform a live artifact scan of the local system
- Perform an artifact scan of one or more arbitrary history files from all supported browsers
- Import results from existing XML scan documents
- Data displayed in gridview style with full search, sort, and filter capabilities
- Custom filters can be created and applied to one or more data sets
- Export data sets to XML, HTML or CSV
- Extract and export history files used in live artifact scan
- Quick copy/paste selected gridview rows to clipboard
- Customizable scan settings can tweak the scan to target specific browsers and data sets
- Right-click context menu for narrowing gridview data instantly
- Select which columns to display in each dataset
- View page thumbnails and indexed content
- Export sanitized version of history results to distribute to others
- Website Analyzer provides visualization of datasets using bar graphs, pie charts and timelines
- Website Profiler shows a quick “report card” of artifacts for various websites
The custom filters mentioned above are extremely useful for narrowing the scope of a web history investigation. Web Historian ships with several pre-defined filters that let you quickly cull large web history data sets. For example, you can instantly filter the web history data by visit type to show only hidden page views caused by ads, or filter the file download history to show only downloaded media (movies, images, etc.), PDFs, or plain text files. You can easily create your own filters with the filter editor, and you can configure Web Historian to save any of your searches as filters automatically. Finally, more filters are accessible with a simple right-click on any web history item.
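One way to implement filters of this kind, as an added example that is not Web Historian's code: a few visit-type and download-type predicates run over a constructed, in-memory database shaped like Firefox's places.sqlite (the moz_places and moz_historyvisits tables of the Firefox 3+ schema, where visit_date is PRTime, i.e. microseconds since the Unix epoch). The tables are reduced to the columns needed here, the rows are invented, and the filter names and the media extension list are assumptions for the illustration.

```python
# Added example, not Web Historian code. Builds a constructed places.sqlite-style
# history in memory and applies visit-type / download-type filters to it.
import os
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

# moz_historyvisits.visit_type values in Firefox's places.sqlite. EMBED (4) is a
# load the user did not initiate (ad iframes, tracking pixels), which is what a
# "hidden page views" filter targets.
VISIT_TYPES = {1: "LINK", 2: "TYPED", 3: "BOOKMARK", 4: "EMBED",
               5: "PERMANENT_REDIRECT", 6: "TEMPORARY_REDIRECT",
               7: "DOWNLOAD", 8: "FRAMED_LINK"}

# Assumed list of "media" extensions for the downloaded_media filter.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".avi", ".mpg", ".mpeg",
                    ".mp4", ".mov", ".wmv", ".mp3"}


def prtime_to_datetime(microseconds):
    """places.sqlite stores PRTime: microseconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def build_sample_db():
    """Construct an in-memory database shaped like places.sqlite (sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
    """)
    base = 1_270_000_000 * 1_000_000  # 2010-03-31 01:46:40 UTC, as PRTime
    db.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "http://news.example/front", "Front page"),
        (2, "http://ads.example/banner.html", None),
        (3, "http://files.example/report.pdf", "report.pdf"),
        (4, "http://files.example/clip.avi", "clip.avi"),
    ])
    db.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", [
        (1, 1, base, 2),                # user typed the news URL
        (2, 2, base + 1_500_000, 4),    # ad banner loaded in a hidden frame
        (3, 3, base + 60_000_000, 7),   # PDF download
        (4, 4, base + 90_000_000, 7),   # video download
        (5, 1, base + 120_000_000, 1),  # followed a link back to the front page
    ])
    db.commit()
    return db


def load_visits(db):
    """Join visits to places and return one dict per visit, oldest first."""
    rows = db.execute("""
        SELECT p.url, p.title, v.visit_date, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [{"url": url, "title": title, "visited": prtime_to_datetime(ts),
             "visit_type": VISIT_TYPES.get(vt, "UNKNOWN_%d" % vt)}
            for url, title, ts, vt in rows]


def url_extension(url):
    """Lower-cased file extension of the URL path ('' if none)."""
    return os.path.splitext(urlsplit(url).path)[1].lower()


# Filters are plain predicates over a visit dict, so they compose with `and`.
FILTERS = {
    "hidden_page_views": lambda v: v["visit_type"] == "EMBED",
    "downloaded_media": lambda v: v["visit_type"] == "DOWNLOAD"
                                  and url_extension(v["url"]) in MEDIA_EXTENSIONS,
    "downloaded_pdf": lambda v: v["visit_type"] == "DOWNLOAD"
                                and url_extension(v["url"]) == ".pdf",
}


def apply_filters(visits, *names):
    """Keep only the visits that satisfy every named filter."""
    preds = [FILTERS[name] for name in names]
    return [v for v in visits if all(p(v) for p in preds)]


if __name__ == "__main__":
    history = load_visits(build_sample_db())
    for name in FILTERS:
        print(name, [v["url"] for v in apply_filters(history, name)])
```

On a real profile, replace `build_sample_db()` with `sqlite3.connect("places.sqlite")` opened on a copy of the file (the live database is locked while the browser runs, and working on a copy keeps the original's timestamps intact); the filters themselves do not change.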
Also new in Web Historian 2.0 are the Website Analyzer and Website Profiler features. The Website Analyzer allows you to visualize web history data (rather than scrolling through pages of records) and generate useful bar graphs, pie charts and timeline plots that can be used in an external report. The Website Profiler generates a quick “report card” summary of any domain in your web history data, showing all artifacts created on your system when it was visited (page titles, cookies, cached files, form data, etc.). This feature gives you a quick impression of how a site behaves. The screenshot below shows the profile of CNN.com:
We hope you enjoy the new features in this release of Web Historian. As usual, if you have any questions, comments or feedback, please head on over to the user forum.
Stay tuned for even more exciting features coming soon! If you would like a demo or want to talk to me about features, I will be at Blackhat USA in Las Vegas this summer, and I hope to be accepted to demo Web Historian 2.0 at Blackhat Arsenal. And finally, don’t miss our memory forensics training at Blackhat: Advanced Memory Forensics in Incident Response.
Tags: blackhat, browser forensics, free tools, MIR 1.4, Web Historian
Blackhat Europe, State Of Malware: Family Ties
Written by Peter Silberman
Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called State of Malware: Family Ties, and it focuses on malware families. We thought about interesting research we could do in the same vein as our last talk, State of Malware: Explosion of the Axis of Evil, and decided to look at malware families.
There’s a lot to gather from malware families, both from a mass malware perspective (Conficker, Bagle, Waledac, Storm Worm, Rustock, etc.) and, equally important, from examining APT families. MANDIANT tracks over 20 different families, and each family means something different to us. When we see one family at a client site, we might immediately pull Indicators of Compromise (IOCs) for other APT families that are closely related. If we find another group, we might quickly start figuring out what was exfiltrated, because we know that group and its actors are there solely to move information out. A lot can be extracted from the families we track, and that is why clustering malware into families from a targeted-attack perspective is so important.
Ero and I wonder about a few things:
- Do mass malware families share enough common attributes across families? For example, does Conficker share code with Waledac? If so, is it enough that we could consider them members of a sub-family, or even proof that they were written by the same author(s) or group of authors?
- Do mass malware families share code with APT samples? For example, this could mean that we find samples of SubSeven that match some of our APT backdoors (again, just an example).
These two questions alone are very interesting because the results could indicate some author of a mass malware sample is also authoring malware for targeted attacks.
But we didn’t stop there. We also wondered:
- Do rootkits from rootkit.com have very high similarity to rootkits found by MANDIANT and out in the wild?
- Do APT samples of family A share enough in common with family B to also be classified as part of family B? We can draw a lot of interesting conclusions if this is the case.
These are all interesting questions, but we had a lot of disappointments while doing the research, and some aha moments where we thought through theories and realized why some of them could not be true. We also had some finds that surprised us, specifically regarding APT. We’ll be sharing the results on April 14th at 4:45. It should be fun. Our talk has a lot of diagrams, a lot of IDA screenshots, and a great video that Ero made.
If you can’t make it to Barcelona, we will be posting our slides and a follow up blog post. Stay tuned! I also have recently updated the slides for Advanced Memory Forensics in Incident Response for Black Hat USA to include an APT case study and a ton of additional information on observing the behavior of malware in memory.
Tags: Advanced Persistent Threat, APT, blackhat, MANDIANT
The changing battlefield in Memory
Written by Peter Silberman
Steve Davis and I gave a talk at Blackhat and at Defcon called Metasploit Autopsy: Reconstructing the Scene of the Crime. Giving the talk was a blast; both Steve and I were thrilled to be given an opportunity to give a defensive security talk on the Metasploit track. During our talk and in several interviews, we stated that some aspects of computer security are a cat and mouse game. When you make a technique, tool, or other knowledge public, people have a chance to analyze what you have done. This analysis can lead to better code, improvements to ideas, or in some cases the breaking of said tools. In the case of the Metasploit Forensic Framework (MSFF), the newest release of Metasploit flat out broke MSFF. First, some background. When we started writing the tool, we quickly realized that breaking MSFF would take a single-line change to Meterpreter, and the fix is simple. In our talk, we discussed that when Meterpreter called free() on a received or sent packet, the packet data was not scrubbed and lay around in memory for hours. MSFF capitalized on this by using Memoryze to acquire the process’s address space, which includes the process’s freed memory. HD and crew were nice enough to wait to patch Meterpreter until after our talk. Meterpreter was patched Saturday with memset calls that zero out the packet data before the memory is freed.
With this fix, our current technique to reconstruct what Meterpreter sent or received no longer works. The Metasploit project has successfully broken that ability (something we expected). Our detection will evolve, and HD discussed some ideas he had to make detecting the Meterpreter binary harder. Currently, MSFF can still be used to identify the injected binaries in a process’s address space: the Meterpreter binary contains too much code and has too many features to hide effectively in memory. If and when HD patches the reflective loader to scrub Meterpreter’s binary data, we’ll update MSFF with a fix, more as a proof of concept than anything else, to continue to identify the injected DLLs. Hope everyone has recovered from Vegas!
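The memory residue MSFF relied on, as an added example that is not MSFF or Metasploit code: a toy bump allocator stands in for the process heap (reading a block after a real free() is undefined behaviour, whereas a memory acquisition simply sees the heap as it is), so the pre-patch free and the memset-then-free fix can be compared deterministically by sweeping the whole arena for the payload. The payload, the arena size and the function names are assumptions for the illustration.

```c
/* Added example, not MSFF or Meterpreter code. A toy bump allocator stands in
 * for the process heap: blocks are never reused and the arena stays readable,
 * which is exactly what a memory acquisition of the process sees. */
#include <stddef.h>
#include <string.h>

#define ARENA_SIZE 4096

static unsigned char g_arena[ARENA_SIZE];   /* stand-in for the process heap */
static size_t g_arena_top;                   /* bump pointer; blocks are never reused */

/* Start a fresh experiment with a zeroed heap. */
void arena_reset(void)
{
    memset(g_arena, 0, sizeof g_arena);
    g_arena_top = 0;
}

/* Hand out n bytes from the arena, or NULL when it is exhausted. */
void *arena_alloc(size_t n)
{
    if (n > ARENA_SIZE - g_arena_top)
        return NULL;
    void *p = g_arena + g_arena_top;
    g_arena_top += n;
    return p;
}

/* Zero a buffer in a way the optimizer cannot drop. A plain memset() right
 * before free() is a dead store from the compiler's point of view and may be
 * eliminated; the volatile writes here survive optimization, as do
 * memset_s(), explicit_bzero() and SecureZeroMemory(). */
void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Release as the pre-patch code did: give the block back, contents untouched. */
void arena_free_unscrubbed(void *p, size_t n)
{
    (void)p;
    (void)n;
}

/* Release as the patched code did: zero the payload, then give the block back. */
void arena_free_scrubbed(void *p, size_t n)
{
    scrub(p, n);
}

/* Sweep the whole arena for a byte pattern, the way a memory forensics tool
 * sweeps an acquired address space, freed memory included. Returns 1 if found. */
int arena_contains(const void *needle, size_t n)
{
    if (n == 0 || n > ARENA_SIZE)
        return 0;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(g_arena + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Push a constructed packet through the toy heap, free it one way or the
 * other, and report whether its payload can still be carved out afterwards.
 * Returns 1 if recoverable, 0 if not, -1 if the allocation failed. */
int packet_recoverable_after_free(int scrubbed)
{
    /* Sample payload; Meterpreter's packets are TLV-encoded, but the residue
     * problem does not depend on the encoding. */
    static const char payload[] = "CONSTRUCTED-PACKET-PAYLOAD";
    arena_reset();
    char *pkt = arena_alloc(sizeof payload);
    if (pkt == NULL)
        return -1;
    memcpy(pkt, payload, sizeof payload);
    if (scrubbed)
        arena_free_scrubbed(pkt, sizeof payload);
    else
        arena_free_unscrubbed(pkt, sizeof payload);
    return arena_contains(payload, sizeof payload - 1);
}
```

packet_recoverable_after_free(0) reproduces what MSFF exploited (the payload is still there after the free), and packet_recoverable_after_free(1) reproduces the patched behaviour. The same sweep is why the injected DLL itself remains findable: its code is never freed, let alone scrubbed, while the process is running.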
Huge thanks go to Ping, Nikita, Jeff Moss, Val Smith and HD for putting the Metasploit track together. It was not easy, but it went great. Huge thanks also to the Defcon speakers, who were very flexible.
Tags: blackhat, MANDIANT, Memoryze, metasploit, metasploit forensic framework, meterpreter, msff
MindSniffer, Updated Audit Viewer released
Written by Peter Silberman
I’m currently writing this blog post from my hotel room at Blackhat Federal. Jamie and I wrapped up our “Advanced Memory Forensics in Incident Response” class on Tuesday. It went very well, and we are both looking forward to teaching it again in Las Vegas. I just finished giving my talk “Snort my Memory.” I detailed the talk in a previous blog post. This post now includes links to available software. MindSniffer is available here. If you have any questions, comments or suggestions, please feel free to contact me at peter.silberman@mandiant.com.
Following the release of MindSniffer I am thrilled to announce a NEW version of Audit Viewer. This version includes the following features:
- Processes are marked in red if they have injected DLLs
- View imports/exports of PE files in memory. This can be done by right clicking on memory sections
- Signature Manager built into Audit Viewer to support py files generated by MindSniffer
- Added section and semaphore handle types
- Memoryze Launcher – a GUI that wraps Memoryze and lets you configure it entirely from a user interface, with no more batch scripts or XML files. To use Memoryze Launcher, click “Launch Memoryze.” You can configure multiple jobs at once; once they have all run, the results are automatically loaded into Audit Viewer for easier integration. This is a huge feature and I’m very excited to get feedback on it.
- Numerous bug fixes
- Updated documentation
Grab the new Audit Viewer at its new location: Audit Viewer
Please feel free to e-mail comments, suggestions, ideas and anything else you think I should know regarding Audit Viewer.
Enjoy,
Peter
Tags: Audit Viewer, blackhat, Memoryze, mindsniffer, peter silberman, Snort My Memory
Snort My Memory – Blackhat DC 09
Written by Peter Silberman
For those of you who have not checked the speaker lineup for Blackhat DC, I will be there giving a presentation entitled “Snort My Memory.” This talk will address some research that has been going on internally here at MANDIANT for the past couple of months. The research is focused on how to identify common malware samples in memory using Memoryze and the Audit Viewer. The specific idea behind this presentation is to take existing Snort signatures and apply them to strings in memory. The theory is that Snort uses strings to identify malware traffic on the network; since the malware builds that traffic from “strings,” those “strings” must be in memory before they go out over the wire. So why not just use Snort on the network? When searching an entire enterprise for malware, you need to know every host that is infected, not just the ones that happen to be communicating. Also, the attacker’s communications may be encrypted using SSL or other techniques, which makes network detection harder. With a little luck, the protocol strings, such as the commands for the botnet, are sitting statically and unencrypted in memory, and we can detect them there.
This research led me to write two new components. The first component is MindSniffer. This tool takes a Snort rule file and generates either Xpath filters for Memoryze to use or plugins for the Audit Viewer.
python mindsniffer.py
Written by Peter Silberman (peter.silberman@mandiant.com)
USAGE: mindsnort.py
<-r|--rules RULE FILE> snort rule file to parse
<-x|--xpath> generate xpath signatures
<-p|--py> generate py files for use in AuditViewer
[-o|--output] specify output directory
The second component written is a plugin framework/manager for the Audit Viewer. This new component allows users to apply Snort “signatures” to Audit Viewer results (strings must be turned on during the process audit).
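The two steps described above, as an added example that is not MindSniffer or Audit Viewer code: the `content:` matches of Snort rules are parsed into byte patterns (hex runs inside `|...|`, backslash escapes, and the `nocase` modifier), and those patterns are then looked for in a list of strings extracted from process memory, or in a raw memory region. The rules, the extracted strings and the region are constructed sample data, the sids mean nothing, and the function names are assumptions.

```python
# Added example, not MindSniffer or Audit Viewer code: content matches from Snort
# rules applied to strings (or raw bytes) taken from process memory. The rules,
# strings and region below are constructed sample data; the sids mean nothing.
import re

SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED bot command"; '
    'content:"BOTCMD |3a| "; nocase; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED binary beacon"; '
    'content:"|de ad be ef| PING"; depth:9; sid:1000002; rev:1;)',
]
# What a strings pass over a process might report, and a raw region of the same
# process; the binary beacon can only be found in the raw bytes.
SAMPLE_MEMORY_STRINGS = [b"kernel32.dll", b"GET /index.html HTTP/1.1",
                         b"botcmd : download http://example.invalid/x.exe",
                         b"C:\\Windows\\system32\\cmd.exe"]
SAMPLE_REGION = b"\x00" * 16 + b"\xde\xad\xbe\xef PING" + b"\x00" * 8 + b"botcmd : download\x00"


def split_options(opts):
    """Split a rule's option body on ';', honouring quotes and backslash escapes."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    return parts + [tail] if tail else parts


def decode_content(text):
    """Content value without its quotes -> bytes: |..| is hex, a backslash escapes one char."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "|":
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end])
            i = end + 1
        elif text[i] == "\\" and i + 1 < len(text):
            out += text[i + 1].encode("latin-1")
            i += 2
        else:
            out += text[i].encode("latin-1")
            i += 1
    return bytes(out)


def parse_rule(rule):
    """Return (sid, [(pattern_bytes, nocase), ...]) or None. Negated contents are
    dropped and positional modifiers (offset/depth/distance/within) ignored:
    strings carved from memory have no packet offsets to check them against."""
    body = re.search(r"\((.*)\)\s*$", rule)
    if body is None:
        return None
    sid, patterns = "", []
    for opt in split_options(body.group(1)):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "content" and not value.startswith("!"):
            patterns.append([decode_content(value.strip('"')), False])
        elif name == "nocase" and patterns:
            patterns[-1][1] = True
        elif name == "sid":
            sid = value
    return sid, [tuple(p) for p in patterns]


def needles(pattern, nocase):
    """Byte forms to look for. Printable patterns also get a UTF-16LE form, because
    Windows processes hold many protocol strings as wide strings."""
    base = pattern.lower() if nocase else pattern
    forms = [base]
    if all(0x20 <= b < 0x7F for b in base):
        forms.append(base.decode("ascii").encode("utf-16-le"))
    return forms


def matches(patterns, blobs):
    """True when every pattern occurs in at least one blob (a list of extracted
    strings, or a single raw memory region wrapped in a list)."""
    for pattern, nocase in patterns:
        hay = [b.lower() if nocase else b for b in blobs]
        if not any(n in h for n in needles(pattern, nocase) for h in hay):
            return False
    return True


def scan(rules, blobs):
    """Sids of the rules whose content patterns are all present in the blobs."""
    hits = []
    for rule in rules:
        parsed = parse_rule(rule)
        if parsed and parsed[1] and matches(parsed[1], blobs):
            hits.append(parsed[0])
    return hits


if __name__ == "__main__":
    print("strings:", scan(SAMPLE_RULES, SAMPLE_MEMORY_STRINGS))
    print("region: ", scan(SAMPLE_RULES, [SAMPLE_REGION]))
```

Two caveats fall straight out of the sample data: a content made of non-printable bytes never shows up in a strings listing, so such rules are only useful against raw memory, and a rule whose only contents are short or common strings will fire on almost any process, so the rules worth converting are the ones whose contents are distinctive protocol commands.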
The presentation will cover the above research, what was learned, and how Memoryze accesses and parses physical memory and associates strings with processes. As always, there will be live demonstrations of Snort signatures working in memory. You can see the official abstract at https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Silberman
I hope to see you guys there in February. Feel free to e-mail me if you have questions or want to see the demo from Hack In The Box Malaysia ‘08 (http://conference.hitb.org/hitbsecconf2008kl/).
As a final note and shameless plug, stay tuned for some major updates to the Audit Viewer in the coming month or so.
Tags: Audit Viewer, blackhat, blackhat dc, memory, mindsniffer, snort


