
Malware Can Run, But Can't Hide... in memory

Norval West
October 19, 2017


This talks is intended to show how memory forensics can be used during incident response to detect the presence of running zero-day malware.



Transcript

  1. About Me
     ◦ 20 years in Information Technology
     ◦ 5 years focused on Information Security Management
     ◦ Vice President of ISACA Kingston Jamaica (formed 2015)
     ◦ Proud husband and father
     ◦ Twitter: @norvalwest
     ◦ Credentials: MBA, CISSP, GCIH, GCFA, GPEN
  2. Life of a Cyber Defender
     Asked to do the seemingly impossible:
     ◦ Is malware on my computer?
     ◦ Has the antivirus removed all malware?
     ◦ Do we know if other computers are infected?
  3. Example of Malware Evasion: 2016 Furtim Malware
     Consists of three components:
     ◦ Driver
     ◦ Downloader
     ◦ Three Payloads
     REFERENCE: https://blog.ensilo.com/furtim-the-ultra-cautious-malware
  4. Furtim Malware (Attacker View)
     Analysts observed the following malware activity:
     ◦ Checks for security products, virtualization, and sandboxing
     ◦ Replaces DNS filtering services
     ◦ Replaces the Windows hosts file
     ◦ Forces a reboot
     ◦ Installs at kernel level
     ◦ Blocks user access to the command line and Task Manager
     ◦ Disables Windows notification and popup mechanisms
     ◦ Sends unique computer info to the C&C server
  5. Furtim Malware (Attacker View)
     The three payloads did the following:
     ◦ Disable Sleep and Hibernation
     ◦ Runs a Commercial-grade Credential
     ◦ Sends a list of processes to Russian
     ◦ Implement persistence mechanisms
  6. Malware on Compromised Systems
     Three possible scenarios, related to a compromised computer:
     ◦ Active Malware
     ◦ Inactive Malware
     ◦ No Malware
  7. Active Malware Detection
     Start using memory analysis. It helps to answer the question, “is malware running on my computer?”
     WHY?
     ◦ Everything in the OS traverses RAM
     ◦ Combined with other areas of digital forensics, it also shows how and when the computer was compromised
  8. The Process of Analysis
     1) Disconnect from the network (maybe)
     2) Acquire a memory image
     3) Copy the image to the analyst’s machine
     4) Determine if the machine is compromised, using memory analysis
     5) Consider possible next steps
     6) Repeat on other machines
  9. Common Memory Analysis Tools
     Memory Image Acquisition:
     ◦ F-Response
     ◦ EnCase by OpenText (formerly Guidance Software)
     ◦ WinPmem by Rekall Framework
     ◦ FTK Imager by AccessData
     Memory Analysis Tools:
     ◦ Redline
     ◦ Volatility
     ◦ Rekall
  10. What are you looking for?
     Six-step process of memory analysis:
     1. Identify rogue processes
     2. Analyze process DLLs and handles
     3. Review network artifacts
     4. Look for evidence of code injection
     5. Check for signs of a rootkit
     6. Dump suspicious processes and drivers
  11. Furtim Malware (Forensicator View)
     Memory Analysis Step                        EnSilo Analytical Findings
     1 Identify rogue processes                  -
     2 Analyze process DLLs and handles          -
     3 Review network artifacts                  Network connections
     4 Look for evidence of code injection       Process injection (commonly used with rootkits)
     5 Check for signs of a rootkit              API hooking
     6 Dump suspicious processes and drivers     System driver installation
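Added example (not from the deck, and not Volatility's own code): steps 1 and 5 of the six-step process, identifying rogue processes and checking for a rootkit, applied in Python to two process listings shaped like Volatility's pslist (which walks the active-process list) and psscan (which carves _EPROCESS structures from physical memory, so it also finds unlinked processes). All process records, including the PIDs and the name hidden.exe, are constructed for illustration; the expected-parent table reflects Windows 7 and later.

```python
# Added example: constructed listings shaped like Volatility pslist/psscan output.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Expected parent of core Windows processes (Windows 7 and later).
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

# Constructed sample data (not from a real image). PID 1120 is an svchost.exe
# whose parent is explorer.exe, which is not how the OS launches it.
PSLIST = [
    Proc(4, 0, "System"),
    Proc(368, 4, "smss.exe"),
    Proc(448, 368, "wininit.exe"),
    Proc(496, 448, "services.exe"),
    Proc(504, 448, "lsass.exe"),
    Proc(624, 496, "svchost.exe"),
    Proc(1836, 1800, "explorer.exe"),
    Proc(1120, 1836, "svchost.exe"),
]
# psscan carves _EPROCESS structures from physical memory, so a process that a
# rootkit unlinked from the active-process list still shows up here.
PSSCAN = PSLIST + [Proc(2244, 624, "hidden.exe")]


def hidden_processes(pslist, psscan):
    """Step 5: processes psscan finds that the linked-list walk (pslist) misses."""
    listed = {(p.pid, p.name) for p in pslist}
    return sorted((p for p in psscan if (p.pid, p.name) not in listed),
                  key=lambda p: p.pid)


def suspicious_parents(procs):
    """Step 1: core processes whose parent is not the one Windows would use."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        parent = by_pid.get(p.ppid)
        actual = parent.name.lower() if parent else "<not in listing>"
        if expected and actual != expected:
            findings.append((p.pid, p.name, actual))
    return findings
```

A hit from either check is a lead to follow with the remaining steps (DLLs and handles, network artifacts, code injection, dumping the process), not a verdict on its own.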
  12. Online Courses and References
     Online Training Courses
     ◦ SANS Institute
       ▪ FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
       ▪ FOR526: Memory Forensics In-Depth
     Online References
     ◦ SANS Posters / Cheat Sheets: https://digital-forensics.sans.org/community/cheat-sheets
     ◦ Volatility:
     ◦ Rekall:
     ◦ Mandiant Redline:
     ◦ http://resources.infosecinstitute.com/finding-and-enumerating-processes-within-memory-part-1/#gref
     ◦ https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#apihooks
     ◦ https://www.wired.com/2011/04/coreflood/
     ◦ https://en.wikipedia.org/wiki/Coreflood
     ◦ Reference: https://www.scmagazine.com/furtim-malware-can-run-and-it-can-hide/article/527732/
  13. Conclusion
     Malware analysis provides a great opportunity for identifying running, active malware.
     Pros
     ▪ Identifies rootkits
     ▪ Identifies anomalies associated with malware
     ▪ Supports incident response activities
     Cons
     ▪ It is a manual process
     ▪ Does not efficiently scale to finding malware on a large computer network