Memory Analysis on Windows 2003 64-bit and What’s Next
Written by Jamie Butler
Peter and I have been busy planning for CanSecWest in a week. The course, Advanced Memory Forensics in Incident Response, is constantly evolving. It has been about a year and a half since Memoryze was released, and just over a year for Audit Viewer. Honestly, it seems a lot longer, but that is not a bad thing. This week my team will be handing over to QA Windows 2003 64-bit support. While that is in testing, Peter will be making improvements to Audit Viewer that you the user have recommended, and he will be verifying everything works correctly with the 64-bit output. The Malware Rating Index (MRI), which is in Audit Viewer, really changes the case studies in the training. For some exercises, we have to turn MRI off because the malware becomes obvious if you know how to use the tool. I expect MRI will evolve a lot over the next six months as we think of news ways to visualize, sort, and search the data as well as identify new pieces of data to collect. If you are curious how visualization and sorting can help, check out how Harlan Carvey and Chris Pogue use it.
We have gotten a lot of great feedback from the user community, but what Windows operating system support or feature would you like see next? Yes, MANDIANT Intelligent Response has a roadmap, but Memoryze allows us to play a little bit. It is really a labor of love. So let us know what you think. You can reach us at peter.silberman or james.butler plus company name.com. We currently support:
-
- Windows 2000 SP4
- Windows XP SP2 and SP3
- Windows Vista SP1 and SP2 (better installer coming in next release)
- Windows 2003 SP1 and SP2
- Windows 2003 SP2 64-bit (** next release **)
So if you cannot make the training at CanSecWest in a week, Black Hat USA has just opened their training schedule, and we will be there for the weekend and weekday offerings of Advanced Memory Forensics in Incident Response. I hope to see you soon. Keep your eyes open for official update releases of Memoryze/Audit Viewer and Webinars/presentations.
Tags: Audit Viewer, Black Hat USA, CanSecWest, Malware Rating Index, Memory analysis, memory forensics, Memoryze, MRI
Malware Behaving Badly: Preview
Written by Peter Silberman
Hope everyone on the northern east coast is staying warm during snowpaclypse. Since I can’t go anywhere I figured now is the right time to write about an upcoming webinar I am giving with Michael Graven.
The webinar entitled Malware Behaving Badly is on Thursday, February 18, at 2:00 p.m. EST. The webinar title is a cute play on my DOD Cyber Crime (DC3) talk where I first introduced Malware Rating Index (MRI) into Audit Viewer (which is available for download).
If you saw my DC3 talk or viewed the slides and are wondering, “hey is this the same talk?” the answer is…well a little bit. The webinar will build off of a lot of the behaviors and theories I discussed at DC3. We will be addressing new behaviors as well as looking at APT vs Mass Malware behaviors. I’ve added two new configurable behaviors to MRI and did enough research to scrap a third. I’ll share those as well as give more real world examples of how malware exposes itself in memory.
For example the below listing shows the keylogger, the process and the file handle that process has. The file handle is actual the log file the key logger is writing too.
| Keylogger Name | Process | Log File |
| Klog | System | \Klog.txt |
| Advanced Keylogger | Explorer | \WINDOWS\Help\dsclientsock.hlp |
| Spector Pro | Explorer | \WINDOWS\system32\avoxnot\BEC7CA9645B2AF87DEEACD53B38B223FEE1C605C.zup |
If you didn’t catch my DC3 talk and didn’t understand the slides this is a good time to get an updated version of the talk. I’m going to focus on malware behavior, what it does when it’s installed that makes it stand out in memory. We will cover APT and Mass Malware, and specifically where we see their behaviors intersect. Some of these behaviors are horribly simple, i.e. flag svchost launched from directories other than \windows\system32. Some are as simple but may not be as obvious, for example flag svchost, or iexplore if they have a process handle to cmd.exe. These are rules that should never be true.
When discussing rules, I use that term loosely. Basically in Audit Viewer you now have the option to configure all this information. If you go to Operations -> Configure Malware Rating Index you can configure all these things and a few more not mentioned in this post but mentioned in the webinar. We will wrap up the webinar like always with a live demo. Live demos are the most fun really, it’s like NASCAR except it’s just reputation not lives on the line.
I hope you can join us, it should be fun.
If you would like to learn more in-depth about how physical memory analysis works, use Memoryze and Audit Viewer, understand MRI, or write your own malware rules, join Jamie and I at the CanSecWest training. CanSecWest specializes in technical, hands-on classes with an extremely low student-teacher ratio.
Tags: APT, Audit Viewer, CanSecWest, Fresh Prints Malware Behaving Badly, Malware Behaving Badly, Malware Rating Index, Memoryze, MRI, webinar
Recent Posts
- Stuxnet Memory Analysis and IOC creation
- Malware Persistence without the Windows Registry
- State of the Hack: M-Trends: State of Remediation
- Memory acquisition and the pagefile(s)
- Web Historian: Reloaded
Follow us on Twitter
- Mandiant: Security on ATMs needs to be revisited http://bit.ly/aPfu48 @jamierbutler #blackhatevents -hb
- Mandiant: RT @kanyewest It is even better than I could have imagined. -mjg
- Mandiant: Thanks for hitting the M party last night, y'all. See you next year and next webinar. http://bit.ly/aGfY6q mjg #blackhatevents