
M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

The changing battlefield in Memory

Written by Peter Silberman

Steve Davis and I gave a talk at Blackhat and at Defcon called Metasploit Autopsy: Reconstructing the Scene of the Crime. Giving the talk was a blast; both Steve and I were thrilled to be given an opportunity to give a defensive security talk on the Metasploit track. During our talk and in several interviews, we stated that some aspects of computer security are a cat and mouse game. When you make a technique, tool, or other knowledge public, people have a chance to analyze what you have done. This analysis can lead to better code, improvements to ideas, or in some cases the breaking of said tools. In the case of the Metasploit Forensic Framework (MSFF), the newest release of Metasploit flat out broke MSFF. First, let me give you some background. When we first started writing the tool, we quickly realized that breaking MSFF would take a single-line change to Meterpreter. The fix is simple. In our talk, we discussed that when Meterpreter called free, the received/sent packets were not scrubbed and lay around in memory for hours. MSFF capitalized on this by using Memoryze to acquire the process's address space, which included the process's freed memory. HD and crew were nice enough to wait to patch Meterpreter until after our talk. Meterpreter was patched Saturday with memsets, which zero out the packet data before the memory is freed.

With this fix, our current technique to reconstruct what Meterpreter sent or received no longer works. The Metasploit project has successfully broken that ability (something we expected). Our detection will evolve, and HD discussed some ideas he had to make detecting the Meterpreter binary harder. Currently, MSFF can still be used to identify the injected binaries in a process's address space. The Meterpreter binary contains too much code and has too many features to hide effectively in memory. If and when HD patches the reflective loader to scrub Meterpreter's binary data, we'll update MSFF with some fix, more as a proof of concept than anything else, to continue to identify the injected DLLs. Hope everyone's recovered from Vegas!
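As an added illustration (not code from the post, MSFF or Meterpreter), this toy C program shows why the memset matters: a packet buffer is released from a simulated heap with and without zeroing, and a scan over the whole arena, the kind of check MSFF ran against a Memoryze acquisition, reports whether the payload is still recoverable. The arena, the payload string and the function names are all constructed for the example.

```c
#include <string.h>
#include <stdbool.h>

/* Toy bump allocator standing in for the heap of the process whose
 * address space Memoryze would acquire. Nothing is reused, so anything
 * left behind by free() stays visible to a later scan. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_top;

static void *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = &arena[arena_top];
    arena_top += n;
    return p;
}

/* Pre-patch behaviour: free() hands the block back with its contents intact. */
static void free_no_scrub(void *p, size_t n) { (void)p; (void)n; }

/* Patched behaviour: memset-style zeroing before the block is released.
 * The volatile store keeps an optimiser from deleting the writes as dead;
 * on a real heap use SecureZeroMemory()/explicit_bzero() for that reason. */
static void free_scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* The MSFF-style check: is the needle still present anywhere in the image? */
static bool image_contains(const unsigned char *img, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(img + i, needle, nlen) == 0) return true;
    return false;
}

/* Handle one packet, release it, then scan the whole arena for its payload.
 * Returns true when the payload is still recoverable after the free. */
static bool payload_survives_free(bool scrub) {
    static const char payload[] = "constructed-sample-command";  /* constructed value */
    memset(arena, 0, sizeof arena); arena_top = 0;
    char *pkt = arena_alloc(sizeof payload);
    memcpy(pkt, payload, sizeof payload);
    if (scrub) free_scrub(pkt, sizeof payload); else free_no_scrub(pkt, sizeof payload);
    return image_contains(arena, sizeof arena, payload);
}
```

Calling payload_survives_free(false) reports the payload as recoverable, payload_survives_free(true) does not.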

A huge thanks goes to Ping, Nikita, Jeff Moss, Val Smith and HD for putting the Metasploit track together. It was not easy, but it went great. A huge thanks also to the Defcon speakers, who were very flexible.

13 Aug 09 | General

MindSniffer, Updated Audit Viewer released

Written by Peter Silberman

I'm currently writing this blog post from my hotel room at Blackhat Federal. Jamie and I wrapped up our "Advanced Memory Forensics in Incident Response" class on Tuesday. It went very well and we are both looking forward to teaching it again in Las Vegas. I just finished giving my talk "Snort my Memory." I detailed the talk in a previous blog post. This post now includes links to the available software. MindSniffer is available here. If you have any questions, comments or suggestions, please feel free to contact me at peter.silberman@mandiant.com.
Following the release of MindSniffer, I am thrilled to announce a NEW version of Audit Viewer. This version includes the following features:

  • Processes are marked in red if they have injected DLLs
  • View imports/exports of PE files in memory. This can be done by right-clicking on memory sections
  • Signature Manager built into Audit Viewer to support .py files generated by MindSniffer
  • Added section and semaphore handle types
  • Memoryze Launcher – a GUI wrapping Memoryze that lets you configure Memoryze entirely from a user interface. No more batch scripts or XML files. To use Memoryze Launcher, click "Launch Memoryze." You can configure multiple jobs at once; they will all run, and then the results are auto-loaded into Audit Viewer for easier integration. This is a huge feature and I'm very excited to get feedback on it.
  • Numerous bug fixes
  • Updated documentation

Grab the new Audit Viewer at its new location: Audit Viewer
Please feel free to e-mail comments, suggestions, ideas and anything else you think I should know regarding Audit Viewer.
Enjoy,
Peter

19 Feb 09 | General

Snort My Memory – Blackhat DC 09

Written by Peter Silberman

For those of you who have not checked the speaker lineup for Blackhat DC, I will be there giving a presentation entitled "Snort My Memory." This talk will address some research that has been going on internally here at MANDIANT for the past couple of months. The research is focused on how to identify common malware samples in memory using Memoryze and Audit Viewer. The specific idea behind this presentation is to take existing Snort signatures and apply them to strings in memory. The theory is that Snort uses strings to identify malware going over the network; these malware samples create network traffic using "strings," and these "strings" must be in memory prior to going out over the wire. So why not just use Snort on the network? Well, when searching an entire enterprise for malware, you need to know every host that is infected, not just the ones that are communicating. Also, the attacker's communications may be encrypted using SSL or other techniques, which makes network detection harder. With a little luck, the protocol strings, such as commands for the botnet, are hanging around statically unencrypted in memory, and we can detect them.

This research led me to write two new components. The first component is MindSniffer. This tool takes a Snort rule file and generates either XPath filters for Memoryze to use or plugins for Audit Viewer.

python mindsniffer.py
 Written by Peter Silberman (peter.silberman@mandiant.com)
 USAGE: mindsnort.py
    <-r|--rules RULE FILE>  snort rule file to parse
    <-x|--xpath>            generate xpath signatures
    <-p|--py>               generate py files for use in AuditViewer
    [-o|--output]           specify output directory

The second component is a plugin framework/manager for Audit Viewer. This new component allows users to apply Snort "signatures" to Audit Viewer results (strings must be turned on during the process audit).
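An added example, not MindSniffer's or Audit Viewer's own code, showing the core of the idea behind both components and the "Snort My Memory" research: a Snort content value (including |hex| bytes and the nocase modifier) is decoded and then searched for in a region of acquired process memory rather than in a packet. The function names and the sample memory region are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Decode one Snort content value, e.g.  /gate.php|20|HTTP/1.1|0D 0A|  , into raw
 * bytes: literal text outside |...| (with \| \" \\ escapes), hex pairs inside. */
static int snort_content_decode(const char *s, unsigned char *out, size_t cap) {
    size_t n = 0; bool hex = false;
    for (; *s; s++) {
        if (n >= cap) return -1;
        if (*s == '|') { hex = !hex; continue; }
        if (!hex) {
            if (*s == '\\' && s[1]) s++;            /* escaped | " or \ */
            out[n++] = (unsigned char)*s;
            continue;
        }
        if (isspace((unsigned char)*s)) continue;
        if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1])) return -1;
        char pair[3] = { s[0], s[1], 0 };
        out[n++] = (unsigned char)strtoul(pair, NULL, 16);
        s++;                                         /* consumed two hex digits */
    }
    return hex ? -1 : (int)n;                        /* -1 on unterminated |...| */
}

/* Byte search over a memory region, honouring Snort's nocase modifier. */
static bool memory_has_content(const unsigned char *mem, size_t len,
                               const unsigned char *pat, size_t plen, bool nocase) {
    if (plen == 0 || plen > len) return false;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j;
        for (j = 0; j < plen; j++) {
            unsigned char a = mem[i + j], b = pat[j];
            if (nocase) { a = (unsigned char)tolower(a); b = (unsigned char)tolower(b); }
            if (a != b) break;
        }
        if (j == plen) return true;
    }
    return false;
}

/* Apply one rule's content option to acquired memory, as a generated signature would. */
static bool rule_hits_memory(const char *content, bool nocase,
                             const unsigned char *mem, size_t len) {
    unsigned char pat[256];
    int plen = snort_content_decode(content, pat, sizeof pat);
    return plen > 0 && memory_has_content(mem, len, pat, (size_t)plen, nocase);
}
```

With a constructed region containing "POST /GATE.PHP HTTP/1.1\r\n", the content "/gate.php|20|HTTP/1.1|0d 0a|" matches only when nocase is set, which is exactly the modifier a generated signature has to carry across from the rule.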

The presentation will cover the above research, what was learned, and how Memoryze accesses/parses physical memory and associates strings with processes. As always, there will be live demonstrations of Snort signatures working in memory. You can see the official abstract at https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Silberman

I hope to see you guys there in February. Feel free to e-mail me if you have questions or want to see the demo from Hack In The Box Malaysia ‘08 (http://conference.hitb.org/hitbsecconf2008kl/).

As a final note and shameless plug, stay tuned for some major updates to Audit Viewer in the coming month or so.