
Page 1

EMPOWERING INVESTIGATORS
VOLATILE SYSTEMS

Upping the ‘Anti’: Using Memory Analysis to Fight Malware

SANS Incident Response and Forensics Summit
October 13, 2008

AAron Walters

Page 2

About Volatile Systems

• We provide the solutions and knowledge to address volatile memory analysis needs:
  – Software customizations, integrity assessments, incident response, malware analysis, training

• Proven technology
  – 5 yrs of published university research
  – Technology licensed (commercial, government, etc.)
  – Volatility (contributors: experts/organizations)
  – LEO/investigators worldwide

• Field experienced analysts
  – Focused on volatile memory analysis (5 yrs)
  – Universities, government, military, LE, commercial
  – Thousands of memory images/malware

Page 3

State of Malware

• Volume of new malware increasing (2007)
  – Symantec: 2/3 of malware (711,912)
  – F-Secure: 1/2 of malware (20 yrs)

• A/V detection ineffective (Bailey, 2007)
  – 6 weeks worth of malware / 5 A/V vendors
  – 1 month later → 56% detected
  – ~6 months later → 66% detected

[Chart: Malware Detected by Year (Source: Security Fix); x-axis: years 1985 to 2007, y-axis: 0 to 6,000,000]

Page 4

Malware Trends

• Targeted Attacks
  – Financially/politically motivated
  – Zero-day vulnerabilities (documents)

• Proliferation of stealth technology (memory)
  – Kernel rootkits (Storm)
  – Code injection (DLLs, etc.)

• Commercialization of malware
  – Quality assurance
  – Performance guarantees

• Evolving malware
  – Refining methods → successes/failures
  – Tactics escalation

• Upping the “Anti”
  – Anti-detection, Anti-debugging, Anti-forensics

Page 5

Incidents: Defense Industry

• Attacks
  – Government contractors
  – Upper management
  – Sophisticated spear phishing

• Agent
  – Undetected (AV/anti-rootkit)
  – Quickly evolving variants (weeks)
  – Small system footprint

• Command and Control
  – Messages: steganography/encoded
  – Channel: protocols/ports/servers

• Lay dormant…

Page 6

Incidents: Financial Industry

• Attacks
  – Targeting online money
    • Bank accounts, online payment, CCNs
  – Multi-platform (Windows, Linux)

• Clients
  – Undetected (AV/anti-rootkits)
  – Stealth technology (i.e. rootkits, packers)
  – Exfiltrating data
    • Usernames, passwords, etc. (browser)
    • Process memory (i.e. Canvas)

• Servers
  – Hijacking servers
  – User-mode rootkits (i.e. code injection)
  – Hiding artifacts in memory

Page 7

Now what?

• Detection is just the beginning!

• Actionable data
  – Identify other systems involved (triage)
  – Determine how they gained entry
  – Elucidate intent
  – Evaluate capabilities
  – Assess damage
  – Quantify current state/measure improvement

• Across the enterprise!

Page 8

Opaque Enterprise

• Opaque components of information infrastructure
  – What is running? (patches, malware, etc.)

Page 9

Digital Crime Scene

Page 10

Consistent Picture

Page 11

Runtime State

• Order of Volatility (RFC 3227)
  – Data life expectancy

• Volatile state/active objects
  – Ceases to exist when power is removed
  – Valuable data (context)
  – Volatile media “trusted” (pswds, keys, malware)

• Goals (Carrier, 2003):
  – Minimize obtrusiveness
  – Minimize trust
  – Understand effects

Page 12

Volatile Memory Analysis

• Entire contents of physical memory (RAM)
  – Direct analysis of raw bit “image”
  – Artifact persistence/unallocated memory (Chow, 2005)

• Advantages:
  – Analysis does not depend on OS (trust)
  – Reduce and simplify obtrusiveness (acquisition)
  – Removes the active adversary (freeze state)
  – Verifiable (3rd party: data and tools)
  – Unconstrained analysis (raw data)

• Challenges
  – Acquisition/temporal proximity

Page 13

In the beginning…..

• Old school memory analysis
  – dd, crash dumps, kcores, swap
  – Printable character sequences
  – strings, less, grep, hexedit, text editor

• Investigative leads
  – Passwords, email addresses, IP addresses, commands, domain names, file names, URLs

• Large quantity of data
  – 2GB memory → 818MB of strings

• Context free data
  – Spatial proximity (paging, unallocated, etc.)
  – strings alone gives only a physical offset:   259621376:Netcat network data redirector.
  – The same string mapped to its owner [pid:vaddr]:   259621376 [2936:412200 ] Netcat network data redirector.
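The two output lines above show the difference between a bare `strings` hit and one that has been mapped back to the process and virtual address that own the physical page. The following added example (not code from the slides or from Volatility) reproduces that mapping on a constructed five-page "image": it extracts printable runs the way `strings` does, then resolves each physical offset through hypothetical per-process page mappings. The page size, the planted strings and the `PAGE_MAPS` table are all assumptions made for the demonstration; a real analysis derives the mappings by walking each process's page tables.

```python
import re

PAGE = 4096  # assumed page size for this constructed image


def build_sample_image():
    """Constructed 5-page 'physical memory image' with a few ASCII strings planted.
    Not a real dump: offsets and contents are chosen for the demonstration."""
    img = bytearray(5 * PAGE)

    def plant(off, s):
        img[off:off + len(s)] = s

    plant(1 * PAGE + 0x200, b"Netcat network data redirector.")  # string from the slide
    plant(2 * PAGE + 0x010, b"stale-page-artifact")              # page mapped by no process
    plant(3 * PAGE + 0x040, b"update.example.test")              # a domain-name lead
    plant(4 * PAGE + 0x800, b"user@example.test")                # an e-mail address lead
    return bytes(img)


# Constructed per-process mappings: pid -> {physical page number: virtual page base}.
# In a real image these come from walking each process's page tables; here they are
# hypothetical values, and physical page 1 is deliberately shared by two processes.
PAGE_MAPS = {
    2936: {1: 0x00410000, 3: 0x00420000},
    1204: {1: 0x00620000, 4: 0x7FFD0000},
}


def find_strings(img, min_len=4):
    """What `strings` does: yield (physical offset, text) for printable ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, img):
        yield m.start(), m.group().decode("ascii")


def map_offset(phys_off, page_maps=PAGE_MAPS):
    """Every (pid, virtual address) that maps this physical offset; [] if no process does."""
    page_no, in_page = divmod(phys_off, PAGE)
    return [(pid, pages[page_no] + in_page)
            for pid, pages in sorted(page_maps.items()) if page_no in pages]


def annotated_strings(img, page_maps=PAGE_MAPS):
    """Produce the 'offset [pid:vaddr] text' form from the slide for every string found."""
    lines = []
    for off, text in find_strings(img):
        owners = map_offset(off, page_maps)
        tag = " ".join("[%d:%x]" % (pid, va) for pid, va in owners) or "[free/unallocated]"
        lines.append("%d %s %s" % (off, tag, text))
    return lines


if __name__ == "__main__":
    for line in annotated_strings(build_sample_image()):
        print(line)
```

A physical page that no process maps is reported as free/unallocated rather than dropped: those strings are exactly the artifact-persistence leads the later slides talk about, they just cannot be attributed to a running process. A page shared by two processes yields two owners, which is normal for mapped DLLs and shared sections.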

Page 14

Memory Analysis Types

[Diagram: Memory Analysis Types. Labels on the diagram: Physical Memory Analysis, Virtual Memory Analysis, Application Analysis; Physical Address Space, Kernel Address Space, Application Address Space, User Address Space, Swap, Context]

Page 15

VOLATILITY

Page 16

Volatility

• Volatile memory forensics framework
  – Completely open source (Python)
  – Cross platform analysis: Windows, Linux
    • No MS DLLs! (Windows, Linux, OS X, etc.)
    • 32-bit XP SP2/SP3* (PAE/NOPAE)
  – Extendable to other hardware/operating systems

• Command-line tools

• Places you can find Volatility
  – PyFlag, DFlabs PTK, VolShell, PlainSight, SIFT, Helix

• Powerful modular architecture!
  – Practitioners, trainers, researchers

Page 17

Community: Order of Volatility

• Code Contributors:
  – Michael Cohen
  – David Collett
  – Brendan Dolan-Gavitt
  – Blake Matheny
  – Andreas Schuster

• Research Collaborators:
  – Jide Abu
  – Jose Nazario
  – Doug White
  – Matthieu Suiche

• Testing/Bugs:
  – Joseph Ayo Akinyele
  – Tommaso Assandri
  – Harlan Carvey
  – Eoghan Casey
  – Jim Clausing
  – Jon Evans
  – Robert Guess
  – Jesse Kornblum
  – Jamie Levy
  – Eugene Libster
  – Erik Ligda
  – Tony Martin
  – Golden G. Richard III
  – Sam F. Stover

Credits

Page 18

Volatility

• Types of information (live response)
  – Running processes
  – Strings to process mappings
  – Open network connections
  – Process to files (DLLs)
  – Process to port mappings
  – System time

• Techniques
  – Data structure traversal (list walking, table crawling, tree climbing)
  – Fixed offsets (symbols)
  – Linear scanning
  – Object oriented scanning framework (Schuster, Cohen)
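List walking and linear scanning answer the same question from two directions, and the gap between their answers is what exposes a process unlinked by a kernel rootkit. The added example below (my own illustration, not Volatility's implementation) uses a constructed 2 KiB "image" holding four tagged, fixed-layout process objects; the object format, the `Proc` tag, the list head offset and the process names are assumptions for the demonstration. One object has been unlinked from the doubly linked list, so walking from the head misses it while a scan for the tag still finds it.

```python
import struct

# Constructed object layout: 4-byte tag, pid, flink, blink, 16-byte name (32 bytes).
FMT = "<4sIII16s"
SIZE = struct.calcsize(FMT)
LIST_HEAD = 0x100  # plays the role of a known list-head symbol


def build_sample_image():
    """Constructed image with four process objects; the one at 0x300 is unlinked."""
    img = bytearray(2048)
    objs = {  # offset: (pid, flink, blink, name)
        0x100: (4,    0x200, 0x400, b"System"),
        0x200: (612,  0x400, 0x100, b"explorer.exe"),   # flink skips 0x300
        0x300: (1340, 0x300, 0x300, b"svchost.exe"),    # links rewired to itself: hidden
        0x400: (2936, 0x100, 0x200, b"nc.exe"),         # blink skips 0x300
    }
    for off, (pid, fl, bl, name) in objs.items():
        img[off:off + SIZE] = struct.pack(FMT, b"Proc", pid, fl, bl, name)
    return bytes(img)


def read_obj(img, off):
    tag, pid, fl, bl, name = struct.unpack_from(FMT, img, off)
    return {"offset": off, "pid": pid, "flink": fl, "blink": bl,
            "name": name.rstrip(b"\0").decode()}


def walk_list(img, head=LIST_HEAD, limit=1000):
    """List walking: follow flink from the head until the list wraps around."""
    seen, off = [], head
    while len(seen) < limit and off + SIZE <= len(img):
        obj = read_obj(img, off)
        seen.append(obj)
        off = obj["flink"]
        if off == head:
            break
    return seen


def scan_objects(img):
    """Linear scanning: find every object carrying the tag, whether linked or not."""
    found, pos = [], img.find(b"Proc")
    while pos != -1 and pos + SIZE <= len(img):
        found.append(read_obj(img, pos))
        pos = img.find(b"Proc", pos + 1)
    return found


def hidden_processes(img, head=LIST_HEAD):
    """Objects the scanner sees but the list walk does not: candidates for DKOM hiding."""
    linked = {o["offset"] for o in walk_list(img, head)}
    return [o for o in scan_objects(img) if o["offset"] not in linked]


if __name__ == "__main__":
    img = build_sample_image()
    print("walked :", [o["name"] for o in walk_list(img)])
    print("scanned:", [o["name"] for o in scan_objects(img)])
    print("hidden :", [(o["pid"], o["name"]) for o in hidden_processes(img)])
```

A real scanner validates several fields of a candidate (pool tag, sizes, sane pointer ranges) before accepting it, because a four-byte tag alone matches stale copies in unallocated memory as readily as live objects; the cross-view idea is unchanged.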

Page 19

Volatility 1.3: Highlights

• Data view modules (> 13 new modules!)
  – raw2dmp
  – regobjkeys
  – procdump

• Dynamic plugin support
  – VolShell (Dolan-Gavitt)
  – ssdt (Dolan-Gavitt), getsids (Dolan-Gavitt)
  – 11 Linux modules

• Address Spaces
  – PrivacyPreservingAddressSpace (experimental)
    • Only stores necessary data
  – WindowsCrashDumpSpace32 (Schuster)
    • Microsoft’s crash dump format (full dumps)
  – HiberfilSpace32 (Suiche, Dolan-Gavitt)

Page 20

Volatility 1.3: Hibernation File

• Microsoft’s hibernation file format (hiberfil.sys)
  – SandMan project (Matthieu Suiche)
    • http://sandman.msuiche.net
  – Microsoft Interoperability Initiative
    • [MS-DRSR] DecompressWin2k3()

• Compressed chunks of physical memory (Xpress)
  – xpress.py (Dolan-Gavitt)
  – Maps physical address to decompressed offset

• Limitations

[Diagram: layered address spaces, top to bottom: PrivacyAddrSpaceStore, HiberfilSpace32, IA32PagedMemoryPae, FileAddressSpace]

Page 21

Integrating Memory

• DFRWS 2008 Forensics Challenge
  – Evidence fusion: memory, hard disk, network
  – PyFlag/Volatility (Cohen, Collett, Walters)

• Role of memory forensics
  – Carving memory image
    • Exfiltration script
    • Encryption keys
  – SSL decryption
  – Volatile targeting
    • Network traffic/open files
  – Attribution
    • User activity (strings)
  – Temporal information
    • Time zone/timestamps

Page 22

Temporal Reconstruction

• It’s about time… (timeline)
  – "the most potentially valuable forensic tool in your digital detective toolkit" (Farmer, 2000)

• Temporal relationships between artifacts
  – Volatile time: absolute vs. relative
  – Temporally link disparate events

• Visualization
  – Presentation
  – Instantaneous events, duration events
  – Knowledge discovery

Page 23

Temporal Reconstruction

Page 24

Component Age Diagrams

• Visualize anomalies in component timestamps (Vostokov, 2008)

[Chart: Component Age Diagram; x-axis: Date, from 12/6/1999 to 2/22/2008; y-axis: Modules]
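A component age diagram plots each loaded module against its PE link timestamp, so that a module compiled far from the bulk of the operating system's components stands out. The added example below (mine, not Vostokov's or Volatility's code) does the same in text: it takes a constructed module list with hypothetical names and timestamps, measures each module's distance from the median timestamp, and flags anything outside a window. The module names, dates and the 60-day window are assumptions chosen for the demonstration.

```python
from datetime import datetime
from statistics import median

# Constructed module list: (name, PE link timestamp as YYYY-MM-DD). Hypothetical values;
# most entries cluster on one date, as OS components built for the same release do.
MODULES = [
    ("ntoskrnl.exe", "2008-04-13"),
    ("hal.dll",      "2008-04-13"),
    ("ntdll.dll",    "2008-04-13"),
    ("kernel32.dll", "2008-04-13"),
    ("user32.dll",   "2008-04-13"),
    ("vendor.sys",   "2008-03-01"),   # a third-party driver built a few weeks earlier
    ("drv7f3a.sys",  "2008-09-30"),   # hypothetical: compiled months after everything else
    ("oldnet.sys",   "2001-04-19"),   # hypothetical: far older than the platform
]


def to_days(date_text):
    """Days since 1970-01-01 for a YYYY-MM-DD string (integer, so differences are exact)."""
    return (datetime.strptime(date_text, "%Y-%m-%d") - datetime(1970, 1, 1)).days


def age_anomalies(modules, window_days=60):
    """Modules whose timestamp lies more than window_days from the median module timestamp.
    Returns (name, timestamp, signed distance in days) for each one."""
    ages = [to_days(ts) for _, ts in modules]
    centre = median(ages)
    return [(name, ts, age - centre)
            for (name, ts), age in zip(modules, ages)
            if abs(age - centre) > window_days]


def render_age_diagram(modules, window_days=60):
    """Text version of the diagram: one row per module, oldest first, anomalies marked '!'."""
    flagged = {name for name, _, _ in age_anomalies(modules, window_days)}
    rows = sorted(modules, key=lambda m: to_days(m[1]))
    return ["%s %-14s %s" % ("!" if name in flagged else " ", name, ts) for name, ts in rows]


if __name__ == "__main__":
    print("\n".join(render_age_diagram(MODULES)))
```

The median is used rather than the mean so that one wildly old or new module cannot drag the reference point toward itself. A flagged module is a lead, not a verdict: a legitimately updated driver lands in the same place as an implant, and the timestamp itself can be forged, which is why the slide pairs this view with the integrity checks that follow.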

Page 25

Integrity Matters

• Evaluate the runtime state of machine (audit)
  – Trusted, suspicious, compromised

• Deriving trust (Petroni, 2008)
  – Immutability (roots of trust)
    • Kernel/user text (executable instructions)
  – Control flow integrity
    • Static function tables (IDT, SSDT, IAT, etc.)
    • Dynamic data structures (heap, stack, etc.)
  – Semantic integrity
    • Semantic relationships in dynamic data
    • Policy enforcement (ports, registry, exe versions, etc.)

• Statistics/clustering
  – Measured integrity
  – Cluster machines

Page 26

Deriving Trust: Stack

[Diagram: a thread stack (sp = 0x22c000, top at 0x230000) with frames at 0x22c6e4, 0x22c83c, 0x22c844 and 0x22ca1c; the return addresses 0xb0618a and 0xb00000 and the base 0x10000000 are annotated against the modules metsrv.dll and ext783937.dll (frame numbers 22 and 24)]
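The stack slide and the "static function tables" bullet on the previous slide rely on one check: every code pointer found in a control-flow structure (a return address on the stack, an SSDT or IAT entry) should land inside the text of a module that is legitimately loaded, and for a kernel table it should land inside the expected kernel image. The added example below (my illustration, not Volatility's code) applies that check to a constructed module map. The module bases and sizes, the pointer values, and the `rkdrv.sys` driver name are assumptions; `metsrv.dll` and the address `0xb0618a` are taken from the slide only as sample inputs.

```python
# Constructed module map: (name, base, size). Hypothetical values for one XP-era process
# plus the kernel; a real map comes from the loaded-module lists in the memory image.
MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x001F8000),
    ("kernel32.dll", 0x7C800000, 0x000F6000),
    ("ntdll.dll",    0x7C900000, 0x000B2000),
    ("ws2_32.dll",   0x71AB0000, 0x00017000),
    ("metsrv.dll",   0x10000000, 0x00020000),   # module name from the slide's stack trace
    ("rkdrv.sys",    0xF8A20000, 0x00004000),   # hypothetical third-party driver
]


def resolve(addr, modules=MODULES):
    """Name of the module whose mapped range contains addr, or None if nothing backs it."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def audit_pointers(pointers, modules=MODULES, expected=None):
    """Classify (label, address) pairs. expected, if given, is the set of module names a
    pointer may legitimately point into (e.g. only the kernel for SSDT entries)."""
    report = []
    for label, addr in pointers:
        mod = resolve(addr, modules)
        if mod is None:
            verdict = "suspicious: not backed by any loaded module"
        elif expected and mod not in expected:
            verdict = "suspicious: expected %s, found %s" % ("/".join(sorted(expected)), mod)
        else:
            verdict = "ok"
        report.append((label, addr, mod, verdict))
    return report


# Constructed inputs: return addresses as a stack walk would collect them, and two
# SSDT entries. Values are illustrative only.
STACK_RETURNS = [
    ("frame 22 ret", 0x7C80B713),   # inside kernel32.dll
    ("frame 23 ret", 0x1000A3F2),   # inside metsrv.dll
    ("frame 24 ret", 0x00B0618A),   # address from the slide: no module maps it
]
SSDT_ENTRIES = [
    ("SSDT[0x7a]", 0x8057A8C0),     # inside ntoskrnl.exe
    ("SSDT[0xad]", 0xF8A21000),     # redirected into a driver: a hook
]


def audit_all():
    return (audit_pointers(STACK_RETURNS),
            audit_pointers(SSDT_ENTRIES, expected={"ntoskrnl.exe"}))


if __name__ == "__main__":
    for report in audit_all():
        for label, addr, mod, verdict in report:
            print("%-14s 0x%08x %-13s %s" % (label, addr, mod or "-", verdict))
```

A return address with no backing module is the signature of code running from a heap or anonymous allocation, which is what injected payloads look like on the stack; an SSDT entry that resolves to a driver rather than the kernel is the classic table hook. Both findings are derived from the image alone, without trusting the running OS.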

Page 27

Delta Detective™

• Automated malware analysis (real systems)
  – State changes in memory (semantic model)
    • Objects (committed/free)
    • Data structures (i.e., VAD tree, loaded DLLs)
    • Control flow changes (hooking, text changes)

• Semantic Diff™
  – Persistent changes to volatile storage
  – Automatically generate a malware profile

• Malware library (global collection)
  – Volatile Intelligence Network
  – Crawling, spam traps, honeypots (updated daily)
  – Threat reports/profiles

Page 28

Automated Malware Analysis

[Diagram: automated analysis pipeline. Boxes: Malware Database → Malware Installed → Acquire RAM + Swap (shown twice, before and after installation) → Delta Detective → Report Database and Malware Cluster]

Page 29

Objects: Set Difference

After \ Before = { x : x ∈ After and x ∉ Before }
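The set difference above is applied per object category of the semantic model described on the Delta Detective slide: processes, loaded DLLs, connections and function tables are each compared between the "before" and "after" acquisitions, and the additions, removals and changed attributes together form the malware profile. The added example below (my own, not Delta Detective or Volatility code) runs that diff over two constructed snapshots; the object identities, attribute values and the connection endpoint are assumptions for the demonstration, with `metsrv.dll` and `ext783937.dll` borrowed from the slides only as sample names.

```python
# Constructed snapshots of the semantic model. Each category maps an object identity
# (a hashable key) to its attributes. Values are hypothetical, not from real images.
BEFORE = {
    "processes":   {(4, "System"): {}, (612, "explorer.exe"): {}},
    "dlls":        {(612, "kernel32.dll"): {"base": 0x7C800000}},
    "connections": {},
    "ssdt":        {0x7A: 0x8057A8C0, 0xAD: 0x805B1A10},
}
AFTER = {
    "processes":   {(4, "System"): {}, (612, "explorer.exe"): {},
                    (2936, "nc.exe"): {}},                              # new process
    "dlls":        {(612, "kernel32.dll"): {"base": 0x7C800000},
                    (612, "metsrv.dll"): {"base": 0x10000000},          # injected DLLs
                    (612, "ext783937.dll"): {"base": 0x00B00000}},
    "connections": {(2936, "tcp", "203.0.113.7:443"): {}},              # new connection
    "ssdt":        {0x7A: 0x8057A8C0, 0xAD: 0xF8A21000},                # entry rewritten
}


def set_difference(after, before):
    """After \\ Before exactly as on the slide: keys present after but not before."""
    return sorted(k for k in after if k not in before)


def semantic_diff(before, after):
    """Per-category profile: objects added (After \\ Before), removed (Before \\ After),
    and objects present in both whose attributes changed."""
    profile = {}
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, {}), after.get(cat, {})
        profile[cat] = {
            "added":   set_difference(a, b),
            "removed": set_difference(b, a),
            "changed": sorted(k for k in a if k in b and a[k] != b[k]),
        }
    return profile


def summarize(profile):
    """One line per non-empty finding, in the form a report database would store."""
    lines = []
    for cat, findings in profile.items():
        for kind in ("added", "removed", "changed"):
            for key in findings[kind]:
                lines.append("%s %s %r" % (cat, kind, key))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(semantic_diff(BEFORE, AFTER))))
```

Keying objects on identity rather than on their raw bytes is what makes the "changed" category possible: the SSDT slot 0xAD exists in both snapshots, so a pure set difference would miss it, but its attribute (the target pointer) changed, and that is the hook.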

Page 30

Data Structures (VAD)

Page 31

Control Flow Changes

Page 32

Extracting Malware

[Diagram: a PE image shown three ways, Disk, Memory and Extract, with the sections Header, text, idata, edata and reloc; arrows mark how the sections are realigned when the image is extracted from memory]
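The extraction diagram turns on one detail of the PE format: on disk each section sits at `PointerToRawData`, but once mapped it sits at `VirtualAddress`, so a module copied straight out of memory has headers that no longer describe where its bytes are. The added example below (mine, not Volatility's procdump) rebuilds a file from a constructed in-memory image by rewriting each section header so that the raw pointer and raw size equal the virtual address and virtual size, then laying the sections out at those offsets. The image is built by the example itself with assumed section names, sizes and fill bytes; real headers carry more fields than the few this code touches.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics (40 bytes).
SECT_FMT = "<8sIIIIIIHHI"
SECT_SIZE = struct.calcsize(SECT_FMT)
COFF_SIZE = 20          # IMAGE_FILE_HEADER
OPT_SIZE = 0xE0         # size claimed for a 32-bit optional header in the constructed image


def build_sample_memory_image():
    """Constructed PE as it would appear in memory: headers at offset 0, sections at their
    RVAs. The on-disk raw pointers/sizes in the headers deliberately no longer apply."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData (disk), PointerToRawData (disk)
        (b".text", 0x200, 0x1000, 0x200, 0x400),
        (b".data", 0x100, 0x2000, 0x200, 0x600),
    ]
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    struct.pack_into("<4sHHIIIHH", img, 0x80, b"PE\0\0", 0x14C,   # signature, Machine
                     len(sections), 0, 0, 0, OPT_SIZE, 0x102)     # NumberOfSections ... Characteristics
    sh_off = 0x80 + 4 + COFF_SIZE + OPT_SIZE
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(sections):
        struct.pack_into(SECT_FMT, img, sh_off + SECT_SIZE * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        img[va:va + vsize] = (b"T" if name == b".text" else b"D") * vsize  # constructed contents
    return bytes(img)


def section_headers_offset(buf):
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[:2] != b"MZ" or buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", buf, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe_off + 20)[0]
    return pe_off + 4 + COFF_SIZE + opt_size, nsect


def read_section_header(buf, index):
    """Parsed section header #index as a list of its fields (see SECT_FMT order)."""
    sh_off, _ = section_headers_offset(buf)
    return list(struct.unpack_from(SECT_FMT, buf, sh_off + SECT_SIZE * index))


def extract_pe(mem):
    """Rebuild a PE file from its in-memory layout. Returns (file bytes, [(name, rva, size)])."""
    sh_off, nsect = section_headers_offset(mem)
    out = bytearray(mem[:sh_off + SECT_SIZE * nsect])     # headers, to be patched
    layout = []
    for i in range(nsect):
        fields = read_section_header(mem, i)
        name, vsize, va = fields[0], fields[1], fields[2]
        fields[3] = vsize                                    # SizeOfRawData   := VirtualSize
        fields[4] = va                                       # PointerToRawData := VirtualAddress
        struct.pack_into(SECT_FMT, out, sh_off + SECT_SIZE * i, *fields)
        layout.append((name.rstrip(b"\0").decode(), va, vsize))
    end = max(va + vsize for _, va, vsize in layout)
    out.extend(b"\0" * max(0, end - len(out)))
    for _, va, vsize in layout:
        out[va:va + vsize] = mem[va:va + vsize]              # sections stay at their RVAs
    return bytes(out), layout


if __name__ == "__main__":
    data, layout = extract_pe(build_sample_memory_image())
    print("extracted %d bytes; sections: %s" % (len(data), layout))
```

The result loads in a disassembler with addresses that match what ran, which is the point of extracting from memory; it will not hash-match the binary on disk, because the in-memory copy carries resolved imports, applied relocations, and any pages the malware rewrote after loading. Pages that were paged out at acquisition time come back as zeros here, which is one of the limitations the deck lists under temporal proximity.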

Page 33

Volatile Systems Voltage

• Real-time access to runtime state
  – Physical memory
  – pagefile.sys

• Combine detection with response
  – Temporal proximity
  – Acquisition capabilities

• Continuous independent monitoring
  – Visibility into the enterprise
  – Verify the state of systems

Page 34

F-Response 2.0

• Remote forensics & eDiscovery
  – Windows 2000, XP, Vista, 2008
  – Linux, OSX (Beta)

• Authenticated read only access
  – Hard disk (swap)
  – Physical memory (Beta)

• Minimal system impact (obtrusiveness)
  – Memory, processor, network

• Real-time access to the data you need!

http://www.f-response.com/

Page 35

Voltage Demo

Page 36

Conclusions

• Volatile state is a critical component of the digital crime scene

• Memory analysis “Ups the Anti”

• Columbia Pictures et al. v. Justin Bunnell
  – RAM is Electronically Stored Information according to the Federal Rules of Evidence

Download Volatility 1.3: http://www.volatilesystems.com/

Join the community!

Page 37

Questions?

Feedback, questions, comments... awalters [at] volatilesystems.com

Page 38

Resources

• Acquisition
  – Open source:
    • mdd: https://sourceforge.net/projects/mdd/
    • win32dd: http://win32dd.msuiche.net/
  – Commercial:
    • F-Response 2.0: http://www.f-response.com/
    • Kntdd: http://gmgsystemsinc.com/knttools/

• Conferences
  – Open Memory Forensics Workshop (OMFW)
  – Digital Forensics Research Workshop (DFRWS)

• Mailing Lists
  – www.volatilesystems.com/mailman/listinfo

• Research References
  – www.4tphi.net/fatkit

Page 39

Resources (Cont.)

• Blogs
  – http://volatility.tumblr.com/
  – http://volatilesystems.blogspot.com/
  – http://moyix.blogspot.com
  – http://computer.forensikblog.de/en/
  – http://windowsir.blogspot.com/
  – http://jessekornblum.livejournal.com/

• Books
  – Malware Forensics (Aquilina, Casey, and Malin)
  – Windows Forensic Analysis (Harlan Carvey)
  – Forensic Discovery (Farmer and Venema)