M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

MindSniffer, Updated Audit Viewer released

Written by Peter Silberman

I’m currently writing this blog post from my hotel room at Blackhat Federal. Jamie and I wrapped up our “Advanced Memory Forensics in Incident Response” class on Tuesday. It went very well and we are both looking forward to teaching it again in Las Vegas. I just finished giving my talk “Snort my Memory.” I detailed the talk in a previous blog post. This post now includes links to the available software. MindSniffer is available here. If you have any questions, comments or suggestions, please feel free to contact me at peter.silberman@mandiant.com.
Following the release of MindSniffer I am thrilled to announce a NEW version of Audit Viewer. This version includes the following features:

  • Processes are marked in red if they have injected DLLs
  • View imports/exports of PE files in memory. This can be done by right-clicking on memory sections
  • Signature Manager built into Audit Viewer to support py files generated by MindSniffer
  • Added section and semaphore handle types
  • Memoryze Launcher – a GUI that wraps Memoryze and lets you configure it entirely from the user interface. No more batch scripts or XML files. To use Memoryze Launcher, click “Launch Memoryze.” You can configure multiple jobs at once; they all run, and the results are then loaded automatically into Audit Viewer. This is a huge feature and I’m very excited to get feedback on it.
  • Numerous bug fixes
  • Updated documentation

Grab the new Audit Viewer at its new location: Audit Viewer
Please feel free to e-mail comments, suggestions, ideas and anything else you think I should know regarding Audit Viewer.
Enjoy,
Peter


19 Feb 09 | General | Comment (1)

Snort My Memory – Blackhat DC 09

Written by Peter Silberman

For those of you who have not checked the speaker lineup for Blackhat DC, I will be there giving a presentation entitled “Snort My Memory.” This talk will address some research that has been going on internally here at MANDIANT for the past couple of months. The research is focused on how to identify common malware samples in memory using Memoryze and the Audit Viewer. The specific idea behind this presentation is to take existing Snort signatures and apply them to strings in memory. The reasoning: Snort identifies malware by matching byte patterns in network traffic, and the malware has to build those protocol and command strings in memory before they go out over the wire, so the same patterns should be findable in process memory. So why not just use Snort on the network? When searching an entire enterprise for malware, you need to know every host that is infected, not just the ones that happen to be communicating while you are watching. Also, the attacker’s communications may be encrypted using SSL or other techniques, which makes network detection harder. With a little luck, the protocol strings such as botnet commands are still sitting unencrypted in memory, and we can detect them there.


This research led me to write two new components. The first component is MindSniffer. This tool takes a Snort rule file and generates either XPath filters for Memoryze to use or plugins for the Audit Viewer.


python mindsniffer.py
 Written by Peter Silberman (peter.silberman@mandiant.com)
 USAGE: mindsnort.py
    <-r|--rules RULE FILE>  snort rule file to parse
    <-x|--xpath>            generate xpath signatures
    <-p|--py>               generate py files for use in AuditViewer
    [-o|--output]           specify output directory


The second component is a plugin framework/manager for the Audit Viewer. This new component allows users to apply Snort “signatures” to Audit Viewer results (string collection must be enabled in the process audit, since the signatures are matched against the strings Memoryze extracts for each process).
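To make the idea concrete, here is an added example of applying Snort content patterns to per-process strings. It is my own illustration, not MindSniffer or the Audit Viewer plugin code, and it does not produce Memoryze XPath. It parses the content:/nocase options of a few constructed rules (the SIDs and messages are made up), splits each pattern at non-printable bytes because a strings audit only retains printable runs, and reports which processes in a constructed string dump carry every pattern of a rule.

```python
import re
from dataclasses import dataclass, field

# Constructed rules for illustration only; these are not real Snort/ET signatures.
SAMPLE_RULES = r'''
# comment lines and blank lines are ignored
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC bot checkin"; content:"NICK "; nocase; content:"JOIN #"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE HTTP beacon"; content:"GET /gate.php?id="; content:"User-Agent|3a| Mozilla/4.0"; sid:9000002; rev:1;)
'''

# Constructed stand-in for a per-process strings audit: pid -> printable strings.
SAMPLE_PROCESSES = {
    1234: ["kernel32.dll", "GetProcAddress", "nick %s", "JOIN #botnet42", "PRIVMSG"],
    2048: ["GET /gate.php?id=", "User-Agent: Mozilla/4.0 (compatible)", "Content-Length"],
    3000: ["explorer.exe", "Shell_TrayWnd"],
}


@dataclass
class Rule:
    sid: str
    msg: str
    # each entry: [list of printable segments, nocase flag]
    contents: list = field(default_factory=list)


# One rule option: name, optional ':value' (quoted with backslash escapes, or bare), then ';'
_OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def decode_content(raw: str) -> str:
    """Expand |hex bytes| and backslash escapes of a Snort content value."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == '|':
            j = raw.index('|', i + 1)
            out.append(bytes.fromhex(raw[i + 1:j]).decode('latin-1'))
            i = j + 1
        elif c == '\\' and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def content_segments(raw: str) -> list:
    """Split a decoded pattern at non-printable bytes; a strings dump never
    contains those bytes, so only the printable runs can be matched."""
    return [s for s in re.split(r'[^\x20-\x7e]+', decode_content(raw)) if s]


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        body = line[line.index('(') + 1:line.rindex(')')]
        rule = Rule(sid='', msg='')
        for m in _OPT_RE.finditer(body):
            name, val = m.group(1), m.group(2)
            if val is not None and val.startswith('"'):
                val = val[1:-1]
            if name == 'msg':
                rule.msg = val
            elif name == 'sid':
                rule.sid = val.strip()
            elif name == 'content':
                rule.contents.append([content_segments(val), False])
            elif name == 'nocase' and rule.contents:
                rule.contents[-1][1] = True  # nocase modifies the preceding content
        rules.append(rule)
    return rules


def process_matches(rule: Rule, strings: list) -> bool:
    """True if every segment of every content appears in some string of the process.
    Looser than Snort (which needs all contents in one payload), on purpose."""
    for segments, nocase in rule.contents:
        hay = [s.lower() for s in strings] if nocase else strings
        for seg in segments:
            needle = seg.lower() if nocase else seg
            if not any(needle in s for s in hay):
                return False
    return True


def scan(rules: list, processes: dict) -> dict:
    """Map pid -> list of SIDs whose content patterns are all present in that process."""
    hits = {}
    for pid, strings in processes.items():
        for rule in rules:
            if rule.contents and process_matches(rule, strings):
                hits.setdefault(pid, []).append(rule.sid)
    return hits


if __name__ == '__main__':
    for pid, sids in scan(parse_rules(SAMPLE_RULES), SAMPLE_PROCESSES).items():
        print(f"pid {pid}: {', '.join(sids)}")
```

Two caveats a practitioner will hit immediately: content patterns that are mostly non-printable bytes collapse into very short printable segments (a lone "/" or ":" will match everything), so filter or weight segments by length; and because all of a rule's contents only have to appear somewhere in the process rather than in one buffer, run the converted rules against a known-clean baseline of the same OS build first to learn which SIDs are noisy before trusting hits across an enterprise.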


The presentation will cover the above research, what was learned, and how Memoryze accesses and parses physical memory and associates strings with processes. As always there will be live demonstrations of Snort signatures working in memory. You can see the official abstract at https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Silberman


I hope to see you guys there in February. Feel free to e-mail me if you have questions or want to see the demo from Hack In The Box Malaysia ‘08 (http://conference.hitb.org/hitbsecconf2008kl/).


As a final note and shameless plug, stay tuned for some major updates to the Audit Viewer in the coming month or so.
