SANS EU Malware in Memory
Written by Peter Silberman
Next Monday, April 18th, I’ll be presenting at SANS EU Forensic Summit. I’m really impressed with the lineup of this SANS EU conference. It has a very eclectic mix of people talking. Ero Carrera will be discussing malware analysis. While Ero isn’t a forensicator, his insight into malware is pretty expansive, and his exposure to advanced malware is also pretty impressive. It will be a great talk.
Matthieu Suiche of MoonSols is also presenting. His presentation is always fun and very informative. There are a lot of other talks going on that run the gamut from traditional forensics to legal discussions. It should be a great conference.
I’ll be doing a 2 1/2 hour presentation/training at 7pm. This hybrid presentation/training is taken directly from the Advanced Memory Forensics in Incident Response class that Jamie Butler and I teach at Blackhat. We will go over malware in memory, why checking for malware in memory is important, what you can look for, generic malware behaviors, etc. All attendees will be given a boot camp in how to use and get the most out of Audit Viewer and Memoryze and how to write Malware Rating Index (MRI) rules. They’ll also be given new copies of Audit Viewer and Memoryze (x64 support, anyone? Heck, if I stop traveling so much, we might even have support for Windows 7 32-bit or 64-bit, but I am not going to promise Jamie’s time.)
We will then spend the rest of the class, hopefully an hour or more, examining case studies. The case studies are designed to mimic real world incidents from mass malware infection, to insider threats and targeted attacks. Our case studies involve answering specific questions about an incident. Sometimes, especially when MRI is enabled, we’ll set time limits just to keep it sporting. It should be a lot of fun, and hopefully everyone will learn something new. I’m certainly looking forward to teaching it.
I’ll also be on a panel on Tuesday answering the question: “Discuss new ways to find malware on a machine? Which technique is the best?”
Tags: incident response summit, memory forensics training, SANS
SANS WhatWorks Summit in Forensics and Incident Response
Written by Jamie Butler
The SANS WhatWorks Summit is quickly approaching, and I am excited to attend for the first time this year. Peter Silberman and I will be presenting on memory forensics. There has been some recent public debate about the usefulness of memory forensics. You can read some of my thoughts on particular issues at DailyDave. While we will not have time in 40 minutes to dive into the finer points of this argument, I believe we have some pretty compelling use cases. You can be the judge. Of course, if you want to stick around after the talk, Peter and I will be happy to engage in the discourse.
I look forward to seeing everyone at the conference. Rob Lee has put together what I believe everyone will find is an informative show. Do not forget to catch Kris Harms’ talk and see if you can find evil or not.
Speakers: Jamie Butler and Peter Silberman
Date: Tuesday, July 7, 3:10pm – 3:50pm
Title: Memory Forensics and Analysis
The memory in today’s business desktops is now larger than the hard drives that were in systems just a few years ago. Traditionally, forensic analysis has meant taking an image of the hard drive and sifting through files. This is only half of the story and can no longer be considered sufficient. Attackers are writing less to disk and hiding more in the ample memory users now enjoy. Memory analysis – once a niche function performed by only the most advanced forensic investigators – is now mainstream and common in professional investigations. Tools have been written to make memory analysis as easy for the investigator as hard drive analysis, if not easier, and in a fraction of the time. In this talk, we will show you how to quickly identify suspicious things in memory without having to be a reverse engineer. This talk will feature research, use cases, and real world examples.
Speaker: Kris Harms
Date: Tuesday, July 7, 9:30am – 10:30am
Title: Evil or Not? Rapid Confirmation of Compromised Hosts Via Live Incident Response
During this presentation, attendees will learn practical, tried, and true methods to review live incident response information. You will obtain the skillful eye required to quickly confirm or dispel whether a system is compromised. Recent case data from PCI credit card breaches as well as the Advanced Persistent Threat (APT) will be used as samples. Armed with this knowledge, you will excel as an initial responder to any incident.
Tags: DailyDave, Find Evil, forensics, incident response, memory, SANS
The 2009 CWE/SANS Top 25 (and security in unmanaged code)
Written by Chuck Willis
Over the past couple months, I had the good fortune of providing some input to the process of creating the “2009 CWE/SANS Top 25 Most Dangerous Programming Errors”. The goal of the project was to create a “list of the most significant programming errors that can lead to serious software vulnerabilities”.
I think that the team came up with a really good list of weaknesses that cut across programming languages and platforms. I am also a big fan of the way that the list was written. The discussion of each item on the list is informal, not preachy, and very easy to read and understand.
The Top 25 is general in nature in that it tried not to be specific to any application type, language, or platform (though it did end up including a couple of web application specific issues). While this general nature makes the list useful in some situations (such as in a university course), it does limit the usefulness of the Top 25 in other circumstances. For example, if you want to educate web developers or incorporate security into procurement of a web application, the OWASP Top Ten is certainly more applicable than the CWE Top 25.
Unfortunately, the limitation of the list to 25 items meant that some pretty important security issues got left off, particularly weaknesses that primarily affect unmanaged code (such as C or C++). For example, format string vulnerabilities are not mentioned in the Top 25 at all (though they could be seen as a child of CWE-20: Improper Input Validation and/or CWE-116: Improper Encoding or Escaping of Output). Weaknesses related to the parsing of data files or streams (the source of so many web browser and desktop application vulnerabilities) are also absent (unless those issues are considered part of CWE-682: Incorrect Calculation).
Overall, I think that the Top 25 does a good job working within the parameters that it was given, but it suffers from trying to be too many things to too many people. What the process highlighted for me, however, is that there is not a concise, generally accepted, security reference available for development in unmanaged languages. So much of software security is focused on the web and managed languages, but there is still a lot of unmanaged code in use and being written today. There are excellent books available on writing secure software, and SANS provides some materials that could be used as a reference on the GIAC Secure Software Programmer (GSSP) Certification web site, but I think that the community would be well served by a short, easily digestible list similar to the OWASP Top Ten or the CWE/SANS Top 25 focused on security issues in unmanaged code.
Anyone interested in creating that list?
Chuck
Tags: CWE/SANS, managed code, OWASP, Programming errors, SANS, Software vulnerabilities