Improve Enterprise Security with Memory Forensics, Malware Analysis & Digital DNA

Air Force Research Labs Dept Homeland Security (HSARPA) HBGary Background Founded in 2003 Government R&D Solutions: Enterprise Host Intrusion Detection Live Windows Memory Forensics & Incident Response Malicious Code Detection Automated Reverse Engineering R&D Funding Air Force Research Labs Next Generation Software Reverse Engineering Tools Kernel Virtual Machine Host Analyzer Virtual Machine Debugger Dept Homeland Security (HSARPA) Botnet Detection and Mitigation H/W Assisted System Security Monitor Subcontractor to AFCO Systems Development

The Problem - Cybercrime Hacking Embezzlement Intellectual property theft Espionage Child Exploitation Etc…

# of New Malware Every Day!

Top 3 AV companies don’t detect 80% of new malware Anti-virus Shortcomings Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware 5

Cybercrime Evolution Cybercrime Authors have evolved over the last 30 years Continued improvement and innovation Capitalistic Shadow Economy - Competition Malware Authors Professional Software Development Lifecycle model Professional Quality Assurance Product doesn’t ship until code is undetected by latest Antivirus products

Bad Guys use Memory Tricks Memory injection attacks never touch the disk Public and commercial hacker tools have used these techniques for over 4+ years Metasploit Framework (meterpreter) www.metasploit.com Canvas www.immunitysec.com Core Impact www.coresecurity.com No good detection mechanism without memory preservation and offline analysis Remember: you cannot trust the operating system!

Drive-by Download – Legitimate website

White-listing on disk doesn’t prevent malware from being in memory Internet Browsers PDF, Active X, Flash Office Document, Video, etc… DISK FILE IN MEMORY IMAGE Public Attack-kits have used memory-only injection for over 5 years OS Loader White-listing on disk doesn’t prevent malware from being in memory MD5 Checksum is white listed Process is trusted??

HBGary Solution Live Memory (RAM) Forensics

Why Live Memory Forensics? Today it’s Easy! Mission-critical systems 99.999999% availability Anti-forensic techniques used by bad guys Hax0rs Cyber spies Cybercriminals Valuable info in RAM cannot be found on disk Passwords, encryption keys Network packets, screen shots Private chat sessions, unencrypted data, unsaved documents, etc.

Why Live Memory Forensics? Detect Malware that Anti-Virus cannot Detect Malware that Host Based IDS/IPS cannot Verify the “Run-Time” state of the system

Useful Information in RAM Processes and Drivers Loaded Modules Network Socket Info Passwords Encryption Keys Decrypted files Order of execution Runtime State Information Rootkits Configuration Information Logged in Users NDIS buffers Open Files Unsaved Documents Live Registry Video Buffers – screen shots BIOS Memory VOIP Phone calls Advanced Malware Instant Messenger chat

Why Memory Analysis is Unique Better Detection Traditional Forensics & Security Software

Demo 1 Preserve Memory & Memory Forensic Analysis

Collect & Preserve Memory HBGary Fastdump Pro Collect and Preserve ALL memory Collect and Preserve Pagefile too… Runs on All Windows Operating Systems Win 2000 – Win 2008 Server 32 and 64 Bit Larger than 4 GB of RAM We’ve imaged up to 64 GB of RAM

A suspicious file… Anti-Virus doesn’t Detect it! Now what?

Perform Malware Analysis This looks suspicious! Understand Malware: Create Signatures Bolster defenses Attribution Computer Network Defense (CND) Identify a binary’s capabilities Recover Command and Control functions Recover passwords and encryption keys View decrypted packets and files Computer Forensics

Why Perform Malware Analysis? I have Anti-Virus…. Goes beyond anti-virus applications… Detection and remediation based on signatures for malware is out dated Answer the following questions: What happened? What is being stolen? How did it happen? How do we clean it up? When did the infection occur? Possibly Who is behind it?

Demo 2 Rapid Malware Analysis “Suspicious DLL”

HBGary Core Technology

Physical Memory Forensics Core Technology Digital DNA (Behavioral Analysis) Engineering Reverse Code Physical Memory Forensics

Offline Physical Memory Analysis The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations This is The Advantage! Rebuilds underlying undocumented data structures Rebuilds running state of machine “exposes all objects ” Malware cannot hide itself actively

The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Direct Kernel Object Manipulation Detection Hook Detection IDT/SSDT/Driver Chains These tricks expose themselves by interacting with OS Crossview Based Analysis

The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Code is Disassembled Integration with Flypaper & RECon Code is extracted from RAM Code Visualization

The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations ALL Memory is Scanned A Threat Score is provided for all code Code Behavior Identification White & Black List Code /Behaviors

The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Reports can be sent to Enterprise Console Behavioral Analysis Scan and others Custom Reports in XML, RTF, PDF, other Alert on Suspicious Behaviors and coding tricks

Advantages of our approach Forensic Quality Approach Analysis is 100% offline Like Crash Dump Analysis – No Code Running! Automated Reverse Engineering Engine Digital DNA™ detects zero-day threats 5+ years of reverse engineering technology AUTOMATED! No Reverse Engineering expertise required

Memory Forensics and Incident Response Products

Stand Alone Products 1 Analyst : 1 Machine Responder Professional Comprehensive physical memory and malware investigation platform Host Intrusion Detection & Incident Response Live Windows Forensics Automated Malware Analysis Computer incident responders, malware analysts, security assessments Digital DNA Responder Field Edition Comprehensive Memory Investigation platform. Geared towards Law Enforcement and computer forensic investigators Basic Malware Analysis

HBGary Enterprise Malware Detection

Enterprise Products 1 Analyst : N machines Enterprise Digital DNA – McAfee EPO Solution Enterprise Malware/Rootkit Detection & Reporting Distributed Physical Memory Analysis with Digital DNA Rapid Response Policy Lockdown Enterprise Responder – Guidance Software Encase Enterprise Solution Suspicious & Malicious Code Detection

Integration with McAfee ePO Available Now! ePO Agents (Endpoints) Digital DNA Module Server SQL HBGary Server Module ePO Console Responder Workstation Schedule Events HBGary Portal WPMA = Windows Physical Memory Analysis

Digital DNA™ for Enterprise Malware Detection, Diagnosis and Response

Design Goals of Digital DNA Rapidly predict and identify: Malicious behaviors inside of running applications in memory and the pagefile Identify DNA (traits) of the malware There are 2500 traits currently Grouped into six behavioral categories

Ranking Software Modules by Threat Severity Software Behavioral Traits Digital DNA Ranking Software Modules by Threat Severity 0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21 8A C2 0F 51 0F 64 Software Behavioral Traits

B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg} What’s in a Trait? 04 0F 51 B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg} The rule is a specified like a regular expression, it matches against automatically reverse engineered details and contains Boolean logic. These rules are considered intellectual property and not shown to the user. Unique hash code Weight / Control flags The trait, description, and underlying rule are held in a database

How Digital DNA goes beyond MD5 Checksums In memory, once executing, a file is represented in a new way that cannot be easily be back referenced to a file checksum Digital DNA™ does not change, even if the underlying file does Digital DNA is calculated from what the software DOES (it’s behavior), not how it was compiled or packaged

In memory, traditional checksums don’t work DISK FILE IN MEMORY IMAGE 100% dynamic Copied in full Copied in part OS Loader In memory, traditional checksums don’t work MD5 Checksum is not consistent Digital DNA remains consistent MD5 Checksum reliable

Same malware compiled in three different ways DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader MD5 Checksums all different Digital DNA remains consistent

Digital DNA defeats packers IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Digital DNA defeats packers Starting Malware Packed Malware Digital DNA remains consistent

Digital DNA detects toolkits IN MEMORY IMAGE OS Loader Digital DNA detects toolkits Malware Tookit Different Malware Authors Using Same Toolkit Toolkit DNA Detected Packed

Digital DNA Screenshot

Fuzzy Search

5,000 Malware is sequenced every 24 hours

Over 2,500 Traits are categorized into Factor, Group, and Subgroup. This is our “Genome” We expect to have 10,000 Traits by end of year

Demo 3 Memory Forensic Analysis “Conficker.C in Memory”

Client Testimonials

Client Testimonial 1 of the Largest Pharmaceutical Co’s Under attack every day Uses Enterprise Anti Virus Sends malware to vendor Waits for signature 1-8 hours - Uses Responder Pro – Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data

Client Testimonial 2 1 of the largest Entertainment Co’s Under attack every day & Uses Enterprise Anti Virus When a machine is compromised, they perform various levels of remediation with their antivirus vendor signatures. Once the machine is determined clean by the AntiVirus software, they use our technology to verify the machine is no longer infected… Findings: about 50% of machines are still infected…

Conclusion Improve Enterprise Security Posture With Memory Forensics & Malware Analysis Memory Forensics can detect malicious code that nothing else can… Memory Forensics is not only for Incident Response Memory Forensics can be used during Security Assessments too Malware Analysis should be brought in house Malware Analysis can help you… minimize costs and impact. identify the “Scope of Breach” mitigate the threat before you have a anti-virus signature

Questions? Thank you very much sales@hbgary.com