M-unition » Training

Jamie Butler named to the Black Hat Review Board

Travis Reese — Thu, 19 May 2011 15:50:08 +0000

MANDIANT would like to congratulate Jamie Butler on his appointment to the Black Hat Review Board. Black Hat is one of the premier technical security conferences, and Jamie’s appointment to its board is a testament to his contributions in advancing the field of computer security. Jamie has been a long-time trainer at this conference and will still be teaching Advanced Memory Forensics in Incident Response there with Peter Silberman. MANDIANT will also be teaching Malware Analysis, Advanced Malware Analysis, and Incident Response: Black Hat Edition at the 2011 show.

We look forward to the cutting-edge presentations and discussions at Blackhat USA 2011 and hope to see you there!

zynamics VxClass and memory analysis

Jamie Butler — Thu, 03 Feb 2011 05:25:39 +0000

First, let me start by saying thanks to our users for the more than 10,000 unique downloads of Memoryze and Audit Viewer in 2010. Peter and I have been working with a lot of different people over the past couple of months to bring you this new release. You can download version 1.4.4200 of Memoryze and Audit Viewer now. I will just touch on a few things of most interest. You can read the User Guides for the rest.

zynamics VxClass Integration

If you have not checked out VxClass from zynamics, now is a good time. For those at MIRcon, you got to see Thomas Dullien’s presentation. VxClass automatically classifies malware into families. This allows the incident responder to leverage intelligence from prior investigations and focus on the most important threats. Since it is fast and automated, VxClass is a great addition to your arsenal whether you have a malware team or not. VxClass can also generate private byte signatures (in ClamAV format) for a whole family of malware samples. Imagine finding 160 pieces of malware that VxClass automatically classifies as a single family and generates one byte pattern that you can use to find every variant. It is now possible, and you can take that byte signature and scan all the physical memory in your enterprise with MANDIANT Intelligent Response or a host at a time with Memoryze and Audit Viewer.

Thomas has a great write-up of how this process works here. I will not attempt to explain the article, but below is a glimpse.

Two pieces of malware and how they overlap

Report Generation

Our users have really liked the wealth of information and the detailed analysis and scoring Memoryze and Audit Viewer provides, but sometimes you need all that data in a format you can rearrange. Audit Viewer has attempted to address this in different ways over time including the ability to cut-n-paste and comment almost every row of data. If you have not tried the comment feature, I encourage you to today. But how do you get all that information out of Audit Viewer as you work the incident? Well, Audit Viewer now includes the ability to automatically generate a report in text or Microsoft Word format with MRI results, case comments, handles, sections, ports, etc. Simply click on Operations->Generate Report.

Here is a brief example of the lsass.exe process that was infected. Note: if you are using this feature across every process with all the options turned on, it can generate large documents that Word and most editors may take a long time to process.

Searching Process Address Space

If you do not have access to zynamics VxClass, I encourage you pursue that; however, you can still search every process’ address space. Memoryze will only return the processes that match your search criteria. Memoryze can also search for more than one pattern. It will look for the patterns and return the process if any pattern was a match. There are many applications of this technology. You could search for email addresses, partial domain names, URLs, Social Security numbers, credit card numbers, arbitrary byte patterns, etc.

Currently, Audit Viewer is customized for VxClass so if you want to use this feature you must edit ProcessAuditMemory.Batch.xml and run Memoryze from the command-line.



Memoryze.exe -o -script ProcessAuditMemory.Batch.xml -encoding none

You can also use the batch files included with Memoryze.



Process.bat -handles true -sections true -ports true -injected true -digsig true -content conficker

Training at CanSecWest

If you would like to sharpen your memory forensics skills, Peter and I will be teaching at CanSecWest We would like to hear your use cases, or drop us a line on the MANDIANT Forums.

Memory acquisition and the pagefile(s)

Jamie Butler — Thu, 08 Jul 2010 01:04:53 +0000

In the past, I have discussed how in reality there may be as many as 16 pagefiles on a single host. The next question is, “How much data could be contained in all these pagefiles”? Why does this matter? Well, the more data in the pagefiles, the longer they will take to acquire.

The size of the pagefiles usually depends on the amount of RAM in the host. If you allow Windows to automatically configure the pagefile(s), it will typically recommend that the total size of the pagefiles should be 1.5 times the size of RAM. Here is an example of the recommended settings on a host with 3.5 GB of memory.

The recommended total pagefile size is 5,371 MB or approximately 1.5 times 3.5 GB. However, you can configure the pagefiles manually. Some Web sites suggest making the size of the pagefile(s) as much as 3 times the size of RAM. This is what Microsoft has suggested as the maximum size for better performance on Windows XP.

As pagefiles get bigger, they will take longer to acquire. Let’s look at how large they could be in x64 / EM64T, which is generically referred to as 64bit. On 64bit Windows hosts, 32bits or 2^32 are used to represent the offset in the pagefile where the page was stored. Each page in the pagefile is 4096 bytes or 2^12. We know there can be as many as 16 pagefiles or 2^4. Putting it all together:

(Pagefile Offset) * (Page Size) * (Number of Pagefiles) = Total Size of Paging Data

(2^32) * (2^12) * (2^4) = Total Size of Paging Data

2^48 = Total Size of Paging Data

281,474,976,710,656 = Total Size of Paging Data

256 TB = Total Size of Paging Data

Now, I know 256 TB is not going to be typical, but acquiring even 4 GB to 12 GB of paging files can take a long time. The pagefiles are in use and locked by the operating system. To gain access, tools typically parse the filesystem for access to the sectors that represent the pagefiles. This prolongs the time required to acquire the files.

Next time in this series, we will discuss more about time and its implication on the paging files. If this series is boring you, the memory forensics class at Black Hat contains more hands-on applications and use cases. This year, Aaron LeMasters, author of Web Historian 2.0, will be helping with the class. I hope to see you there.

New Memoryze, Audit Viewer, and Training

Jamie Butler — Sun, 06 Jun 2010 21:17:14 +0000

For those who are not on our mailing list for Memoryze or Audit Viewer, we released a new version a little over a week ago. The new version of the software includes all of the memory analysis features that are available in the newly released MANDIANT Intelligent Response (MIR) 1.4.

So what is included in Memoryze and Audit Viewer 1.4? Well, here is the short of it.

Memoryze:

Support for Windows 2003 x64 SP2
Improved support of Vista SP1 and SP2 including port enumeration and a better installer
Enumeration of digital signatures for all loaded modules in a processes’ address space, hooked and hooking drivers, and all drivers found by driver signature scans
Enumeration of MD5/SHA1/SHA256 hash on disk for all loaded modules in a process’ address space and all drivers found by driver signature scans
Updated documentation
Single installer for 64-bit and 32-bit versions

Audit Viewer:

Improvements to the Malware Rating Index (MRI)
Report visualization of MRI results
MRI rule editors that will allow users to graphically edit the MRI rule file
Handle Trust view to help identify suspicious handles
Ability to search results within a specific process
Multi-select with copy
Multi-select and export to a CSV file

Those who attended the CanSecWest Training in March have already been enjoying many of these features in beta form for months, and we are committed to ensuring that those who attend the Advanced Memory Forensics in Incident Response class at Black Hat will get early access to the next version of Memorzye, which will support Windows 7 64-bit.

As for the Black Hat training, there is a lot of new and updated content for 2010.

Coverage of 64-bit operating systems
New section on malware covering different malware techniques and how they stand out in memory
Four new case studies ranging from real Advanced Persistent Threat (APT) incidents, to spear phishing attacks, and everything in between
Student receive early access Memoryze and Audit Viewer for Windows 7 64-bit
Students receive the only free tool to analyze Windows Vista
Students receive the only free tool to analyze Windows 2003 64-bit
Better data collection to help identify processes and drivers as malicious or not
Added the Malware Rating Index (MRI), which helps automatically identify many malware behaviors discussed in the class. Through a simple user interface, students learn how to write rules to identify malware in their own work environments. MRI then uses those rules to score processes as suspicious or not.

I would like to thank James Long who pointed out an issue with the batch scripts* and Peter Villadsen who worked so hard to improve the build process and installation for Memoryze. Peter and I would also like to thank all our loyal users. We appreciate all your feedback, and we hope to see you in Las Vegas.

* When specifying an output directory from the command line with the batch scripts in Memoryze, the directory must already exist.