Presentation is loading. Please wait.

Presentation is loading. Please wait.

Physical Memory Forensics of Computer Intrusion

Published byPhillip Weaver Modified over 6 years ago

Similar presentations

Presentation on theme: "Physical Memory Forensics of Computer Intrusion"— Presentation transcript:

1 Physical Memory Forensics of Computer Intrusion
Greg Hoglund HBGary, Inc

2 complete investigation
Why Memory Forensics? A more complete investigation

3 To execute, it must exist in RAM
Traditional Forensics & Security Software

4 Memory Virtual Memory(s) Physical Memory Memory (RAM) Operating System

5 Total Logical Memory Sum of all Virtual Memory Physical Memory OS
2 GB Memory (RAM) 4GB Physical Memory Virtual Memory 6 x 4GB = 24 GB of Logical Memory OS

6 Memory Block Individual Pages for this Block Block Length Unreferenced Pages

7 User Virtual Memory Process specific Windows system structures
0 GB 2 GB Process specific Windows system structures Windows System DLLs Windows and Application DLLs or Allocated Memory DLLs or Allocated Memory Application Binary Stack Heap or Allocated Memory

8 Responder provides a complete picture of contents in memory
Stack Might be Heap Application DLLs System DLLs Responder provides a complete picture of contents in memory

9 Why Live Memory Forensics?
Today it’s easy! Mission-critical systems % availability Anti-forensic techniques used by bad guys Hax0rs Cyber spies Cybercriminals Valuable information in RAM cannot be found on disk Passwords, encryption keys Network packets, screen shots Private chat sessions, unencrypted data, unsaved documents, etc.

10 Useful Information in RAM
Processes and Drivers Loaded Modules Network Socket Info Passwords Encryption Keys Decrypted files Order of execution Runtime State Information Rootkits Configuration Information Logged in Users NDIS buffers Open Files Unsaved Documents Live Registry Video Buffers – screen shots BIOS Memory VOIP Phone calls Advanced Malware Instant Messenger chat

11 The Bad Guys are Winning
Cybercrime & espionage is the dominant criminal problem globally, surpassing the drug trade Russians made more money last year in banking fraud than the Columbians made selling cocaine Chinese are crawling all over commercial & government networks The largest computing cloud in the world is controlled by Conficker 6.4 million computer systems* 230 countries 230 top level domains globally 18 million+ CPUs 28 terabits per second of bandwidth *

12 Payment system developer
$500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $ per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10%

13 Installs Marketplace

14 Intelligence Spectrum
Blacklists Net Recon C2 Developer Fingerprints TTP Social Cyberspace DIGINT Physical Surveillance HUMINT  Nearly Useless Nearly Impossible  SSN & Missile Coordinates of the Attacker MD5 Checksum of a single malware sample Sweet Spot IDS signatures with long-term viability Predict the attacker’s next moves

15 Developer Fingerprints
Archaeology layer Net Recon C2 Developer Fingerprints TTP Actions / Intent (attacker’s behavior, as opposed to code) Installation + Deployment method Command + Control (primary outer loops) CNA (spreader) CNE (search and exfil tools) COMS (code level view, as opposed to network sniff) Defensive / Antiforensics (usually a packer, easily changed) Exploit weaponization / delivery vehicle Shellcode DNS, C2 Protocol, Encryption Method (high rate of change)

16 Intel Value Window Lifetime  Minutes Hours Days Weeks Months Years
Blacklists ATTRIBUTION-Derived Developer Toolmarks Signatures Algorithms NIDS sans address Hooks Protocol Install DNS name IP Address Checksums

17 Rule #1 The human is lazy The use kits and systems to change checksums, hide from A/V, and get around IDS They DON’T rewrite their code every morning

18 Rule #2 Most attackers are focused on rapid reaction to network-level filtering and black-holes Multiple DynDNS C2 servers, multiple C2 protocols, obfuscation of network traffic They are not-so-focused on host level stealth Most malware is simple in nature, and works great Enterprises rely on A/V for host, and A/V doesn’t work, and the attackers know this

19 Rule #3 Physical memory is King
Once executing in memory, code has to be revealed, data has to be decrypted

20 OS Loader In memory, traditional checksums don’t work
DISK FILE IN MEMORY IMAGE 100% dynamic Copied in full Copied in part OS Loader In memory, traditional checksums don’t work MD5 Checksum is not consistent Software Traits remain consistent MD5 Checksum reliable

21 OS Loader Physical memory tends to get around the ‘packing’ problem
IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Physical memory tends to get around the ‘packing’ problem Starting Malware As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same. Packed Malware Software Traits remain consistent

22 Toolkits can be detected Toolkit traits are apparent
IN MEMORY IMAGE OS Loader Toolkits can be detected Malware Tookit Different Malware Authors Using Same Toolkit Toolkit traits are apparent Packed

23 Same malware compiled in three different ways OS Loader
DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors. MD5 Checksums all different Software Traits remain consistent

24 Memory Analysis is Not Hard
If you can read a packet sniffer, you can analyze malware Yes, this means more people in your organization can do this Focus on strings and human-readable data within a malware program In most cases, code-level reverse engineering is not required

25 Architecture Diagram Kernel mode User mode Executive Base Kernel HAL
Device Drivers USER and GUI support User Applications Services Windows API Environment Subsystems System Support Processes

26 The Flow of Forensic Toolmarks
Machine Developer Core ‘Backbone’ Sourcecode Sample Tweaks & Mods Compiler Malware Time 3rd party Sourcecode Paths Packing MAC address 3rd party libraries Runtime Libraries

27 Developer Fingerprints
Communications Functions Developer Installation & Deployment Method Sample Malware Command & Control Functions Compiler Environment Packing Stealth & Antiforensic Techniques

28 Example: Gh0stNet

29 GhostNet

30 NOTE: Packing is not fully effective here
GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Packer Signature MZx90 This progRy. y cannot be run in DOS mode Embedded executable NOTE: Packing is not fully effective here

31 GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ Resource Culture Code 0x0804 MZx90 The embedded executable is tagged with Chinese PRC Culture code This progRy. y cannot be run in DOS mode

32 GhostNet: Dropper UPX! ¶üÿÿU‹ìƒìSVW3ÿÿ The embedded executable is extracted to disk. The extracted module is not packed. PDB path reveals malware name, E: drive. 0x0804 MZx90 MZx90 This program cannot be run in DOS mode This progRy. y cannot be run in DOS mode E:\gh0st\Server\Release\install.pdb Embedded PDB Path

33 Link Analysis “gh0st\” The web reveals Chinese hacker sites that reference the “gh0st\” artifact

34 GhostNet: Backdoor The dropped EXE is loaded as svchost.exe on the victim. It then drops another executable, a device driver. UPX! MZx90 MZx90 This program cannot be run in DOS mode E:\gh0st\Server\Release\install.pdb MZx90 MZx90 e:\gh0st\server\sys\i386\RESSDT.pdb Another embedded EXE Another PDB path

35 What do we know… i386 directory is common to device drivers. Other clues: sys directory ‘SSDT’ in the name SSDT means System Service Descriptor Table – this is a common place for rootkits and HIPS products to place hooks. Also, embedded strings in the binary are known driver calls: IoXXXX family KeServiceDescriptorTable ProbeForXXXX KeServiceDescriptorTable is used when SSDT hooks are placed. We know this is a hooker.

36 What do we know… IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, and friends are used when the driver communicates to usermode. This means there is a usermode module (a process EXE or DLL) that is used in conjunction with the device driver. When communication takes place between usermode & kernelmode, there will be a device path.

37 Link Analysis “RESSDT” A readme file on Kasperky’s site references a Ressdt rootkit.

38 What are Device Drivers?
Dynamic, loadable modules that run in kernel mode and can provide hardware I/O support, and/or user I/O translation. Again, as with all kernel components, device drivers have unrestricted access to the system (dangerous)!

39

40 Doc/View is usually MFC
TMC Rootkit e:\gh0st\server\sys\i386\RESSDT.pdb e:\job\gh0st\Release\Loader.pdb Cgh0stView Cgh0stDoc e:\job\gh0st\Release\gh0st.pdb C:\gh0st3.6_src\HACKER\i386\HACKE.pdb \gh0st3.6_src\Server\sys\i386\CHENQI.pdb Dropper GUI (MFC) Doc/View is usually MFC Rootkits Already at version 3.6

41 gh0st _RAT, source code, team, and forum

42 Format Strings These are written by humans, so they provide good uniqueness

43 Logging Strings Searching for: “Unable to determine” & “Unknown type!”
Reveals that the attacker is using the source-code of BO2k for cut-and-paste material.

44

45 Mutex Names Mutex names remain consistent at least for one infection-push, as they are designed to prevent multiple-infections for the same malware.

46 Link Analysis

47 Communication Malware is often designed to communicate over networks for various reasons: Signal initial infection Receive commands Send sensitive data Scan internal networks Infect other machines DDoS other machines

48 Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER

49 C&C Hello Message this queries the uptime of the machine..
checks whether it's a laptop or desktop machine... enumerates all the drives attached to the system, including USB and network... gets the windows username and computername... gets the CPU info... and finally, the version and build number of windows.

50 Command and Control Server
The C&C system may vary Custom protocol (Aurora-like) Plain Old URL’s IRC (not so common anymore) Stealth / embedded in legitimate traffic Machine identification Stored infections in a back end SQL database

51 Aurora C&C parser Command is stored as a number, not text. It is checked here. Each individual command handler is clearly visible below the numerical check After the command handler processes the command, the result is sent back to the C&C server

52 Open Network Sockets Examine

53 Internet History Examine

54 Detecting Internet Downloads
The WININET.DLL API InternetOpenFile InternetReadFile InternetOpenURL InternetConnect winsock API socket WSASocket connect WSAConnect Addresses, URL, and web requests www .com HTTP/1.0 Content-Type

55 What is a Dropper? Malware is delivered in steps
Dropper is initial downloaded package Can be a Trojan or embedded exploit The dropper carries the malware in a payload Once dropped, the dropper decompresses and executes a secondary payload

56 Steps in Malware Deployment
Dropper Embedded Resource Embedded Resource Decompressed to Disk Embedded Resource is Launched as an EXE

57 Things to look for… CreateProcess Rundll32.exe cmd.exe cmd /c
command.com /c %s ShellExec ShellExecute ShellExecuteA WinExec Shell32.DLL exec execve system

58 Cleanup using BAT files
@echo off :%s del %%1 if exist %%1 goto %s rem %s"

59 Detecting embedded resources
Starting points for Resource Extraction Possible embedded kernel drivers FindResource SizeOfResource PsCreateSystemThread \\DosDevices .sys drivers IoCreateSymbolicLink IoDeleteSymbolicLink IoCreateDevice IoDeleteDevice KeInitialize SpinLock ObReferenceObjectByHandle

60 What are Processes? Processes are containers for executing a program
Private virtual memory space Unique identifier called a Process ID (PID) At least one thread of execution Security context

61

62 Services User mode programs that provide functionality independent of the current user For example: Task scheduler Print spooler Windows Update

63 Services Services.exe Svchost.exe Others (see VMWareService.exe)

64 Registry A system database that contains important system information
For example: Startup settings Hardware configurations Application configurations Current user data

65 Malware Boot Registry Keys
Registry API RegCreateKey RegOpenKey Try searching… CurrentControlSet CurrentVersion SOFTWARE (all caps) Common registry keys to survive reboot HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx HKLM\SYSTEM\CurrentControlSet\Services\{Service Name}

66 The Run Keys HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

67 Services Registry Key HKLM\SYSTEM\CurrentControlSet\Services\{Service Name} For any given service, there may be a value called ImagePath that indicates the path to the file that implements the service. If the file in question ends in .sys, there is a good chance that it’s a kernel mode driver. To be sure, check the type value: 1 : Kernel mode driver 2 : File system driver 4 : Adapter Arguments 8: File system service 16: Win32 program that runs as it's own process 32: Win32 program that shares a process w/ other services (think services.exe)

68 Directory and File Creation
Starts with these strings and symbols: CreateDirectory ExpandEnvironmentStrings %ProgramFiles% %SystemRoot% File extensions .exe .dll .sys

69 What to look for… CreateDirectory GetSystemDirectory CreateFile
DeleteFile CopyFile OpenFile ExpandEnvironmentStrings %PROGRAM FILES% %SYSTEMROOT% C:\ .EXE *.* \\ (double backslash) MoveFile \\TEMP WINDOWS SYSTEM32 cmd /c del del %s GetTempPath .DLL .SYS .INI .INF .BAT

70 Advanced Fingerprinting

71 GhostNet: Screen Capture Algorithm
Loops, scanning every 50th line (cY) of the display. Reads screenshot data, creates a special DIFF buffer LOOP: Compare new screenshot to previous, 4 bytes at a time If they differ, enter secondary loop here, writing a ‘data run’ for as long as there is no match. Offset in screenshot Len in bytes Data….

72 GhostNet: Searching for sourcecode
Large grouping of constants Search source code of the ‘Net

73 GhostNet: Refining Search
Has something to do with audio… Further refine the search by including ‘WAVE_FORMAT_GSM610’ in the search requirements…

74 GhostNet: Source Discovery
We discover a nearly perfect ‘c’ representation of the disassembled function. Clearly cut-and-paste. We can assume most of the audio functions are this implementation of ‘CAudio’ class – no need for any further low-level RE work.

75 On link analysis…

76 Example: Link Analysis with Palantir™
Implant Forensic Toolmark specific to Implant Searching the ‘Net reveals source code that leads to Actor Actor is supplying a backdoor Group of people asking for technical support on their copies of the backdoor

77 Keylogger (link analysis)

78 Working back the timeline
Who sells it, when did that capability first emerge? Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces Requires budget for acquisition of emerging malware products

79 Penetrating Cyberspaces
Maintaining and building digital cover Non-attrib pop on ‘net Multiple identities Contribution for bonafides

80 carders.cc Final

81 Defining Threat Groups
Smallest atomic unit: the individual Largest cloud unit: the scam Fraud, IP-theft, access reseller A.B.C  narrowing cloudspace to individual Developers Less than number of malware (with malware defined before MD5 created aka pre-packing) Users Larger than number of developers

82 Fingerprint.exe

83 Fingerprint Utility Developer Fingerprint Utility, Copyright 2010 HBGary, INC File: 1228ad2e39befa e98d8ed2890.livebin Original project name: RESSDT Developer's project directory: e:\gh0st\server\sys\i386 Compiler: Microsoft Visual C release User interface: Windows GDI/Common Controls Media: Windows multimedia API Media: Microsoft VfW (Video for Windows) Compression: Inflate Library version: 1.1.4 Networking: Windows sockets (TCP/IP) Networking: Windows Internet API Source directory: e:\gh0st\server\sys\i386

84 The set of Mark Russinovich’s free system tools
The set of Mark Russinovich’s free system tools. You can see which ones are just variants of the same source base, or were compiled on the same platform in or around the same time.

85 Clustering a malware collection
Large number of samples Need to group self-similar items into “clusters” Like a “strange attractor” From the cluster, perform link analysis into social cyberspaces to find “participants” Some participants may “resolve” into a developer, user, or other archetype

86 system32 directory – Windows 7 64 bit Professional
Old-school DOS command EXE’s These were very small binaries with almost no fingerprint data More old school, but these have extra cmd-parsing features Hypigon Rebel Base Virut Autorun infecting sysinternals Language support binaries (NLS) tskill, tsdiscon, logoff, changelogon, etc Vobfus 1/41 on virtualtotal Azero YahLover Rungbu

87 HBGary, Inc.

88 HBGary, Inc.

89 HBGary, Inc.

90

91 Conclusion

92 Takeaways Actionable intelligence can be obtained from malware infections for immediate defense: File, Registry, and IP/URL information Existing security doesn’t stop ‘bad guys’ Go ‘beyond the checkbox’ Adversaries have intent and funding Need to focus on the criminal, not malware Attribution is possible thru forensic toolmarking combined with open and closed source intelligence

93 Fingerprint Download Get fingerprint from www.hbgary.com -- or --
Stop by the HBGary booth to get a CD

94 Thank You HBGary, Inc. (

Download ppt "Physical Memory Forensics of Computer Intrusion"

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.

Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.
14 Step-by-Step Instructions for an Upgrade Installation n Prepare for the installation Verify that all devices and applications are Windows 2000 compatible.

14 Step-by-Step Instructions for an Upgrade Installation n Prepare for the installation Verify that all devices and applications are Windows 2000 compatible.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Topic 5: Basic Security.

Topic 5: Basic Security.
Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.
CSC190 Introduction to Computing Operating Systems and Utility Programs.

CSC190 Introduction to Computing Operating Systems and Utility Programs.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,

Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Similar presentations

Ads by Google