I think it would be a good idea to compile a list of the malware that can defeat *any* memory forensics acquisition tool as of January 2013.
Of course the tool should be identified, the technique used to defeat it, and the curent malware that has the capability. Not all tools would be vulnerable to each technique.
Does anyone think this is not a good idea?
Best,
Mike
Hi George, and everyone else on the list.
I don't know if you watched/skimmed through the presentation or the talk,
but I want to emphasize that I really like Volatility and that my work is
not a research against Volatility (or any other tool in particular) in any
way.
Volatility is my primary choice when doing memory analysis both because of
speed, abundance of features and plugins and openness of the tool.
I do however mention Volatility in couple of places, for example, I suggest
creating a plugin for scanning handle table allocations (Obtb) as an
alternative to currently used method.
> It is nice to see someone looking critically at the subject matter, even
> if in an over-simplistic manner. The gist of the article is that you
> can easily scrub evidence from a memory dump as it is being written (in
> plain text) to disk or to the net. Duh!
Thanks for your support.
Although I agree some things were over-simplified, I don't agree that my
research in whole is over-simplistic.
The idea is simple and well known enough, still, it is not that commonly
being taken into consideration when performing forensic analysis, at least
from my experience.
> A few comments on the author's conclusions:
Too bad you pulled out the conclusions since this slide is by far the
weakest in the whole presentation;)
> 1. Acquisition tools should utilize drivers correctly!
> Duh!
I didn't quite understand if you meant that ironically or not. However,
almost all tested acquisition tools utilize drivers incorrectly, meaning
that they transfer the pages back to UM and then write them to dump (usually
with completely inadequate permissions).
> 2. Use hardware acquisition tools, e.g. firewire.
> However, hardware-based acquisition also can be defeated. At a minimum
> you can program an upper limit on the memory address that the firewire
> is allowed to access and then place your rootkit above that address.
> Most new computer systems have more than 4 GiB of memory nowadays.
I didn't say that hardware acquisition methods are infallible. You're
absolutely right regarding the 4 GB limit. But from an attacker's
perspective, this method cannot be used for hiding arbitrary object, and it
might be difficult to "relocate" the driver, allocations and all resources
above the specified limit.
I'm evaluating some additional weaknesses of the firewire acquisition and
methods of hiding arbitrary objects, but so far, my research showed no
progress...
And yes, I am definitely aware of other alternatives (cold boot etc.), but I
think they are highly impractical so I didn't mention them in my
presentation.
> 3. Use crash dumps (native!) instead of raw dumps.
> Should maybe introduce the author to all those rootkits (e.g. Sinowal)
> that remove themselves from crashdump as it is being written.
I thought that I have a very good knowledge of rootkits and low level
malware, but I don't recall Torpig/Sinowal doing anything about removing
itself from the crash-dump.
In fact, I cannot remember any rootkit or malware removing its artifacts
from the crash-dump, so please introduce me to all such rootkits:)
There are some KeBugCheckEx() tampering "malware" variants, but they are
mostly related to PatchGuard bypass.
Crash dump mechanism is fairly complex, involves couple of checksums and
does not use the underlying file system - it writes the dump to raw disk
sectors.
The weakest link in this process from my perspective is the process of
booting the machine and calling of SmpCheckForCrashDump() function - this is
the point when malware can finally see the resulting crash dump and remove
the artifacts from it.
This is far from being trivial, however.
> 4. Perform anti-rootkit scanning before acquisition?
> Easier said than done. Just ask A/V industry.
This is a stupid conclusion on my side. No, really, I said that during the
talk:)
> 5. Live forensic is inherently insecure!
> Duh! Real question is not whether or not you can cheat memory
> acquisition software. It is whether you can cheat memory acquisition
> software and have no one know about it. Knowing that a system is
> infected is 90% of the battle even if you don't know how. Once I know
> that a system is infected I will find the rootkit.
My talk was all about cheating the memory acquisition software and have no
one know about it:)
It's not that my tool is invisible - the truth is actually totally opposite
ON PURPOSE.
I didn't want to add advanced self-hiding features, because I'm not trying
to create a tool that bad guys can use in the wild. I just wanted to raise
awareness and present my research.
And again, it depends on what you are trying to find:) If you're trying to
find _traces_ of malware (mostly orphaned or invalid resources, such as
locks, mutants etc.), you will most certainly succeed in this, because by
theory it is impossible to hide everything (the malware executes, therefore
it is present and visible).
If your goal is to find some more valuable artifacts (processes, memory
allocations, files, etc.), you might fail even if you are certain in rootkit
existance, simply because the rootkit (or my tool in this case) has deleted
such artifacts from the dump.
In the end, I really don't want to be perceived as a guy wearing a wrong
hat. My research is not aimed against any particular product, or the memory
forensics field in general. My research is not a revolutionary new
anti-forensic method. It's an implementation of well known anti-forensic
techniques and proof of concept for removing arbitrary artifacts from the
memory dump with the intention of raising the awareness and creating better
memory forensics software.
Best regards,
Luka
--
Luka Milković
Information security consultant
e-mail: luka.milkovic(a)infigo.hr
INFIGO IS d.o.o.
Horvatovac 20, 10000 Zagreb
www: http://www.infigo.hr
Hello,
We were writing to announce that the next public offering of Windows
malware and memory forensics training by Volatility developers has
been set for March 18-22rd in Chicago.
Full details can be found here:
http://volatility-labs.blogspot.com/2013/01/windows-malware-and-memory-fore…
If you have any questions or comments then please contact me directly
or use the information listed on the blog post.
Thanks,
Andrew (@attrc)
Please forgive my noobness.
I am new to Volatility and just viewed a discussion on memory
acquisition problems and the malware removing itself from the memory
before it was written to file for later analysis.
Does malware such as Rustock.C leave any traces behind such as portions
of the program used to "remove" itself from memory but cannot completely
remove itself?
Of if not, how do the researchers know it was present? Did they do a
controlled infection and watch it remove itself by other means?
Thanx
Julian
I have found that in Volatility 2.1 and 2.2 connscan is not supported for profile Win7SP1x86. Volatility 2.0 does not produce any results. (??)
I see that sockets and sockscan are also not supported in Volatility 2.2. See below.
pslist does work, so some commands are supported.
Is this a known issue?
----------------cut-here-------------------
C:\Python27\volatility-2.2>vol.py imageinfo -f g:\victim1.w32
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x86, Win7SP1x86
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (G:\victim1.w32)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82761be8L
Number of Processors : 2
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x82762c00L
KPCR for CPU 1 : 0x807c0000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2013-01-04 20:41:23 UTC+0000
Image local date and time : 2013-01-04 14:41:23 -0600
C:\Python27\volatility-2.0>vol.py connscan -f h:\victim1.img --profile=Win7SP1x86
Volatile Systems Volatility Framework 2.0
Offset Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
C:\Python27\volatility-2.1>vol.py connscan -f h:\victim1.img --profile=Win7SP1x86
Volatile Systems Volatility Framework 2.1
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
ERROR : volatility.plugins.connscan: This command does not support the selected profile.
C:\Python27\volatility-2.2>vol.py connscan -f g:\victim1.w32 --profile=Win7SP1x86
Volatile Systems Volatility Framework 2.2
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
ERROR : volatility.plugins.connscan: This command does not support the selected profile.
C:\Python27\volatility-2.2>vol.py sockets -f g:\victim1.w32 --profile=Win7SP1x86
Volatile Systems Volatility Framework 2.2
ERROR : volatility.plugins.sockets: This command does not support the selected profile.
C:\Python27\volatility-2.2>vol.py sockscan -f g:\victim1.w32 --profile=Win7SP1x86
Volatile Systems Volatility Framework 2.2
Offset(P) PID Port Proto Protocol Address Create Time
---------- ------ ------ ------ --------------- --------------- -----------
ERROR : volatility.plugins.sockscan: This command does not support the selected profile.
Has anyone done any research about parsing prefetch files out of memory images? I was working with the latest version of volatility 2.3 and found the mftparser plugin very helpful. I was looking specifically at prefetch files and looking to possibly parse the prefetch files if they exist in memory to see what files may have been accessed by specific executables.
Just wondering if anyone has looked at this or thought about developing a plugin around this?
Dave
I noticed that the text output and dumped files for the malfind plugin changed from Vol 2.0 to 2.1.
Vol 2.2 looks the same as Vol 2.1.
Is this to be expected? (especially the naming convention of the dump files)
Thanks,
Mike
Hi all,
I was wondering if support for Windows 8 is on the Volatility roadmap?
And if there's anything I can do to help?
I'm certain I'll be of no programming help, but I could certainly provide
Windows 8 memory dumps and testing.
Thanks all,
Bridgey the Geek
Hello,
Sorry for the late notice, but tonight I will be giving a webinar on
analyzing malware in memory with Volatility. This presentation will
showcase many of Volatility's advanced capabilities related to
detecting and analyzing Windows malware. Its free to attend, but you
must pre-register:
http://www.thehackeracademy.com/tha-deep-dive-analyzing-malware-in-memory/
If you have any questions feel free to contact me directly.
Thanks,
Andrew
Hey all.
So..I have a couple questions (clearly) about procexedump and another
one about hidden processes. First, procexedump. Here's the info of the
memdump:
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x8925a808 exp3.tmp.exe 3336 1628 0 -------- 0
0 2012-12-13 15:22:46 2012-12-13 15:25:22
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
-------------------- --------------------
0x0925a808 exp3.tmp.exe 3336 1628 0x0a440480 2012-12-13
15:22:46 2012-12-13 15:25:22
I'm attempting to dump this to an exe file, but here's what I'm
getting:
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x8925a808 ---------- exp3.tmp.exe Error: PEB at 0x7ffdf000 is
paged
I won't lie in saying I don't really have a handle on the entire memory
structure of Windows XPSP3. What exactly can I do, if anything, to get
this as a sample? Next up, hidden processes:
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066 x.x.x.106:443 1448
0x0912f878 192.168.0.2:1071 x.x.x.8:443 1448
0x091bfa70 192.168.0.2:1069 x.x.x.106:443 1448
0x09231478 192.168.0.2:1065 x.x.x.106:443 1448
pslist, psscan, and psxview do not show this PID. How do I figure out
what and where this PID is? Thanks for any help you can provide.
James
