SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)

Transcript

  • 1. SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
    Malware Memory Forensics
    Nguyễn Chấn Việt | vietwow@gmail.com
  • 2. Who am I
    Senior Security Researcher, 4+ years in Information Security, focusing on Malware Analysis and Exploit Development.
    Twitter: https://twitter.com/vietwow
  • 3. Agenda
    • Why Memory Forensics?
    • What is Memory Forensics?
    • Our approach: Rootkit Detection
      • Windows Platform
      • Linux Platform
    • Real-world Malware
  • 4. Why Memory Forensics?
    In the past, Forensic Analysis = File System Forensics.
    Why memory forensics?
    • Malware Analysis
    • Incident Response (IR)
    • Hot topic for researchers
  • 5. Why Memory Forensics?
    Everything in the OS traverses RAM:
    • Processes and threads
    • Malware (including rootkit technologies)
    • Network sockets, URLs, IP addresses
    • Open files
    • User generated content: passwords, caches, clipboards
    • Encryption keys
    • Hardware and software configuration
    • Windows registry keys and event logs
  • 6. Memory Forensics Questions…
    • What processes were running on the suspect system at the time the memory image was taken?
    • What (hidden or closed) processes existed?
    • Are there any (hidden or closed) network connections?
    • Are there any (hidden or closed) sockets?
    • What is the purpose and intent of the suspected file?
    • Are there any suspicious DLL modules?
    • Are there any suspicious URLs or IP addresses associated with a process?
  • 7. Memory Forensics Questions…
    • Are there any suspicious open files associated with a process?
    • Are there any closed or hidden files associated with any process?
    • Are there any suspicious strings associated with a particular process?
    • Are there any suspicious files present? Can you extract them?
    • Can you extract malicious processes from the memory and analyze them?
  • 8. Memory Forensics Questions…
    • Can you identify the attackers and their IP addresses?
    • Did the attacker create a user account on the system?
    • Did the malware modify or add any registry entry?
    • Does the malware use any type of hooks to hide itself?
    • Did the malware inject itself into any running processes?
    • What is the relationship between different processes?
    • What is the intent and purpose of this malware?
  • 9. What is Memory Forensics?
    The technique/process of analysing evidence based on the memory (RAM) of a system.
    It covers physical memory (RAM) as well as the page file / swap.
  • 10. Memory Acquisition
    • Winen (Guidance Software)
    • FastDump Pro (HBGary) - limited free version available
    • FTK Imager - free
    • DD - free but limited; may not work on later versions of Windows
    • WinHex - has some limitations
    • Nigilant32 - free but for 32-bit systems only
    • Memoryze (Mandiant) - free
  • 11. Virtual Machine Memory Acquisition
  • 12. Memory Forensic Tools
    • Volatility - https://www.volatilesystems.com/default/volatility - free & open source
    • Mandiant Redline - http://www.mandiant.com/resources/download/redline/ - free
    • HBGary Responder - http://www.hbgary.com/responder-pro-2 - $$$ (Pro); Community Edition available
  • 13. Volatility
    • An advanced memory forensics framework
    • Open source
    • Written in Python
    • Primarily Windows-focused
    • Linux (Android) & Mac support now available
    • Modular, portable
    • Main reason why I'm here :D
  • 14. Volatility
    Volatility supports the following extraction capabilities for memory images:
    • Image date and time
    • Running processes
    • Open network sockets
    • Open network connections
    • DLLs loaded for each process
    • Open files for each process
    • Open registry keys for each process
    • Memory maps for each process
    • Extract executable samples
    • Scanning examples: processes, threads, sockets, connections, modules
  • 15. General checking
  • 16. Windows Platform
  • 17. Volatility pslist
    List the processes of a system. This walks the doubly-linked list pointed to by PsActiveProcessHead. It does not detect hidden or unlinked processes.
  • 18. Volatility connections
    View the active connections.
  • 19. Volatility dlllist
    Print all loaded DLLs.
  • 20. Volatility svcscan
    List Windows services.
  • 21. Linux Platform
  • 22. Volatility linux_lsmod
    Print all loaded modules.
  • 23. Rootkit Detection
  • 24. [1] Windows Platform
  • 25. [1.1] DLL Injection
  • 26. Normal DLL Interaction
  • 27. Injected DLL Interaction
  • 28. DLL Injection
    DLL injection is a very common technique used by malware:
    • VirtualAllocEx() and CreateRemoteThread()
    • SetWindowsHookEx()
  • 29. DLL Injection Detection
    ldrmodules is the plugin for detecting DLL injection. In each process, DLLs are tracked in three linked lists. Stealthy malware unlinks its DLL from these lists. This plugin queries those lists and displays the information so that we can compare them.
  • 30. [1.2] Usermode & Kernelmode Hooking
  • 31. Levels of Access in Windows
    • Ring 3 – User Land: User, Administrator, System
    • Ring 0 – Kernel Land: Drivers
  • 32. OS Internals
    • ReadFile() called on File1.txt
    • Transition to Ring 0
    • NtReadFile() processed
    • I/O Subsystem called
    • IRP generated
    • Data at File1.txt requested from ntfs.sys
    • Data on D: requested from dmio.sys
    • Data on disk 2 requested from disk.sys
  • 33. OS Internals
    • Binary replacement, e.g. modified EXE or DLL
    • Binary modification in memory, e.g. He4Hook
    • User land hooking, e.g. Hacker Defender
    • IAT hooking
  • 34. OS Internals
    • Kernel hooking, e.g. NtRootkit
    • Driver replacement, e.g. replacing ntfs.sys with ntfss.sys
    • Direct Kernel Object Manipulation (DKOM), e.g. Fu, FuTo
  • 35. OS Internals
    • I/O Request Packet (IRP) hooking
    • IRP dispatch table, e.g. He4Hook (some versions)
  • 36. OS Internals
    • Filter drivers: the official Microsoft method
    • Types: file system filter, volume filter, disk filter, bus filter
    • E.g. Clandestine File System Driver (CFSD)
  • 37. Current Rootkit Capabilities
    • Hide processes
    • Hide files
    • Hide registry entries
    • Hide services
    • Completely bypass personal firewalls
    • Undetectable by anti-virus
    • Remotely undetectable
    • Covert channels - undetectable on the network
    • Defeat cryptographic hash checking
    • Install silently
    • All capabilities ever used by viruses or worms
  • 38. [1.2.1] Usermode Hooking
  • 39. Windows GUI Subsystem Hooking
    Malware can use SetWindowsHookEx to intercept window messages.
  • 40. Windows GUI Hooking Detection
    messagehooks is the plugin for detecting Windows GUI hooking.
  • 41. IAT Hooking
    Hook into the process's IAT (Import Address Table).
  • 42. IAT Hooking
    IAT Hook
  • 43. IAT Hooking

```cpp
#include <windows.h>

// Assumed (not shown on the slide): the hook descriptor the function updates.
struct HookedFunction {
    PVOID RealFunction;   // original IAT target, saved the first time we hook
    PVOID HookFunction;   // replacement written into the IAT slot
};

void hookFunction(PVOID *thunk, HookedFunction &hookedFunction)
{
    MEMORY_BASIC_INFORMATION mbi;
    // The IAT is marked as read-only memory so we mark it as read-write for the update.
    ZeroMemory(&mbi, sizeof(MEMORY_BASIC_INFORMATION));
    SIZE_T s = VirtualQuery(thunk, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    BOOL b = VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
    if (hookedFunction.RealFunction == 0) {
        hookedFunction.RealFunction = *thunk;   // remember where the slot used to point
    }
    *thunk = hookedFunction.HookFunction;
    DWORD oldProtect;
    // Put the original page protection back.
    VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &oldProtect);
}
```
  • 44. Inline Hooking
    Change the first bytes (usually 5) of the program.
  • 45. Usermode Hooking Detection
    apihooks is the plugin for detecting IAT hooks and inline hooks.
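Added example (not from the slides and not Volatility's apihooks source): the two checks apihooks performs, run over constructed data. The module map, every address and the name evil.dll are made up; the IAT check asks whether each import resolves inside the module that should export it, and the inline check decodes the JMP / PUSH-RET patch a 5-byte hook leaves at the start of a function and asks where it lands.

```python
import struct

# Constructed module map for one process: name -> (base, size). All addresses are made up.
MODULES = {
    "target.exe":   (0x00400000, 0x00010000),
    "kernel32.dll": (0x7C800000, 0x000F0000),
    "ntdll.dll":    (0x7C900000, 0x000B0000),
    "evil.dll":     (0x10000000, 0x00008000),   # the injected module
}

def owner(addr):
    """Name of the module whose address range contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def check_iat(entries):
    """entries: (importer, expected exporter, function, resolved address).
    Report IAT slots resolving outside the module that should export them.
    (apihooks also follows export forwarders; this toy check does not.)"""
    return [(imp, f"{exp}!{fn}", owner(addr), addr)
            for imp, exp, fn, addr in entries if owner(addr) != exp]

def inline_target(func_addr, code):
    """Decode the x86 prologue patches inline hooks typically write and return
    the control-transfer target: E9 rel32 (JMP) or 68 imm32 C3 (PUSH/RET).
    A normal prologue returns None."""
    if len(code) >= 5 and code[0] == 0xE9:
        return func_addr + 5 + struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None

def check_inline(functions):
    """functions: (module, name, address, first bytes). Report functions whose
    first instruction jumps out of their own module."""
    findings = []
    for module, fn, addr, code in functions:
        target = inline_target(addr, code)
        if target is not None and owner(target) != module:
            findings.append((f"{module}!{fn}", owner(target), target))
    return findings

# Constructed sample: one redirected IAT slot and one patched ntdll export.
IAT = [
    ("target.exe", "kernel32.dll", "CreateFileW", 0x7C810C32),
    ("target.exe", "kernel32.dll", "ReadFile", 0x10001200),      # points into evil.dll
    ("target.exe", "ntdll.dll", "NtQuerySystemInformation", 0x7C90D8E0),
]
NTQSI = 0x7C90D8E0
FUNCS = [
    # JMP rel32 to 0x10002000 inside evil.dll, followed by two NOPs
    ("ntdll.dll", "NtQuerySystemInformation", NTQSI,
     b"\xE9" + struct.pack("<i", 0x10002000 - (NTQSI + 5)) + b"\x90\x90"),
    # untouched prologue: mov edi, edi / push ebp / mov ebp, esp
    ("kernel32.dll", "CreateFileW", 0x7C810C32, b"\x8B\xFF\x55\x8B\xEC"),
]
```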
  • 46. [1.2.2] Kernelmode Hooking
  • 47. SSDT Hooking
    Hook into the SSDT (System Service Descriptor Table).
  • 48. SSDT Hooking
  • 49. SSDT Hooking
  • 50. SSDT Hooking
    • Hook the call when the device is created

```c
#include <ntddk.h>

// Assumed to be defined elsewhere in the driver (not on the slide):
// CanWriteToSSDT(), EnableWritingToSSDT(), g_MappedSystemCallTable,
// OldZwQuerySystemInformation, NewQuerySytemInformation and the
// ZWQUERYSYSTEMINFORMATION function-pointer type.

// Hook the call when the device is created
NTSTATUS Create(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    if (!CanWriteToSSDT())
    {
        // Change the read-only SSDT memory block to read/write
        EnableWritingToSSDT();
        // Swap entry 0xAD (ZwQuerySystemInformation) for the replacement
        // handler and keep the original pointer so it can still be called.
        OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)InterlockedExchange(
            (PLONG)&g_MappedSystemCallTable[0xAD],
            (LONG)NewQuerySytemInformation);
    }
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
```
  • 51. Kernelmode Hooking Detection
    ssdt_ex is the plugin for detecting SSDT hooks and inline hooks.
  • 52. Others
    • IDT (Interrupt Descriptor Table) hooking - use the "idt" plugin to detect it
    • SYSENTER / SDT hooking
    • Hooking the SST (KiServiceTable)
    • Hooking KiSystemService
    • IRP hooking - use the "driverirp" plugin to detect it
    => not enough time to cover all
  • 53. [1.3] Process Hiding
  • 54. DKOM
    Modify the EPROCESS structure to unlink the process that is to be hidden.
    Besides hiding processes, DKOM can also be used to:
    • Add privileges to tokens
    • Add groups to tokens
    • Manipulate the token to fool the Windows Event Viewer
    • Hide ports
    • Hide drivers
    => FU is a rootkit that uses this technique
  • 55. EPROCESS Linked List
  • 56. EPROCESS Linked List
  • 57. Rootkit Detection
    psxview (FU rootkit)
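Added example (not from the slides and not Volatility's own code): the cross-view comparison behind psxview on this slide and ldrmodules on slide 29, run over constructed views of one image. The PIDs, file names and set contents are made up; the check reports objects that a tamperable linked list omits but an independent source still sees, and keeps those apart from stale objects that only a pool scan finds.

```python
# Constructed views of one memory image: each source -> set of (pid, name).
# pslist walks the EPROCESS linked list that DKOM tampers with; psscan scans
# pool memory for EPROCESS objects (so it also sees terminated processes);
# thrdproc collects the owners of scanned threads; csrss is csrss.exe's
# handle table (which legitimately omits System, smss.exe and csrss itself).
PROCESS_VIEWS = {
    "pslist":   {(4, "System"), (368, "csrss.exe"), (1024, "explorer.exe")},
    "psscan":   {(4, "System"), (368, "csrss.exe"), (1024, "explorer.exe"),
                 (1560, "fu.exe"), (2040, "notepad.exe")},
    "thrdproc": {(4, "System"), (368, "csrss.exe"), (1024, "explorer.exe"),
                 (1560, "fu.exe")},
    "csrss":    {(1024, "explorer.exe"), (1560, "fu.exe")},
}
# The same idea for one process's DLLs (ldrmodules): the three PEB lists
# versus the files actually mapped into the address space (VAD tree).
DLL_VIEWS = {
    "InLoad":      {"kernel32.dll", "ntdll.dll", "user32.dll"},
    "InInit":      {"kernel32.dll", "ntdll.dll", "user32.dll"},
    "InMem":       {"kernel32.dll", "ntdll.dll", "user32.dll"},
    "MappedFiles": {"kernel32.dll", "ntdll.dll", "user32.dll", "evil.dll"},
}

def cross_view(views, primary, stale_source=None):
    """Compare object sets reported by independent sources.
    primary      : the easily unlinked list view (pslist, InLoad)
    stale_source : a view that also finds freed objects (psscan), or None
    Returns (rows, hidden, stale): rows is a sorted presence table; hidden
    holds objects the primary view lacks but a live source still reports;
    stale holds objects only the stale_source saw (probably terminated)."""
    rows, hidden, stale = [], [], []
    for key in sorted(set().union(*views.values())):
        seen = {src: key in members for src, members in views.items()}
        rows.append((key, seen))
        if seen[primary]:
            continue
        live = [s for s, ok in seen.items() if ok and s not in (primary, stale_source)]
        if live:
            hidden.append(key)
        elif stale_source and seen[stale_source]:
            stale.append(key)
    return rows, hidden, stale

def report(rows, views):
    """Render the presence table the way psxview prints it."""
    cols = list(views)
    lines = ["%-24s %s" % ("object", " ".join("%-11s" % c for c in cols))]
    for key, seen in rows:
        lines.append("%-24s %s" % (key, " ".join("%-11s" % seen[c] for c in cols)))
    return "\n".join(lines)

if __name__ == "__main__":
    rows, hidden, stale = cross_view(PROCESS_VIEWS, "pslist", "psscan")
    print(report(rows, PROCESS_VIEWS))
    print("hidden:", hidden, "stale:", stale)
```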
  • 58. [1.4] Driver Hiding
  • 59. Driver Hiding
    The rootkit uses the DKOM technique to unlink itself from the kernel's list of loaded modules.
  • 60. Hiding the Kernel Module Detection
    modscan is the plugin for detecting hidden kernel modules.
  • 61. [2] Linux Platform
  • 62. [2.1] Hiding the Kernel Module
  • 63. Hiding the Kernel Module
    Rootkits usually try to "hide" themselves by unlinking from the linked list of loaded kernel modules.
    This list is exported through /proc/modules (lsmod simply reads this list and displays it).
  • 64. Hiding the Kernel Module Detection
    linux_check_modules is the plugin for detecting hidden kernel modules.
    It relies on sysfs to find modules that have been removed from the module list but are still active.
    sysfs is a kernel-to-userland interface, like /proc, that exports kernel information & statistics.
  • 65. [2.2] Hooking System Call Table
  • 66. Hooking System Call Table
    System calls are the mechanism by which userland code triggers event handling in the kernel, similar to APIs on Windows.
    They are managed by the system call table.
    The system call table is an array of function pointers. Each function pointer corresponds to a syscall handler (e.g. sys_read handles the read system call).
    Rootkits usually focus on overwriting this table.
  • 67. Hooking System Call Table Detection
    linux_check_syscall is the plugin for detecting system call table hooking.
    It works by enumerating and verifying every entry in the system call table.
  • 68. [2.3] Hiding Network Connections
  • 69. Hiding Network Connections
    Hook into the "tcp4_seq_afinfo" structure and change its "show" member.
  • 70. Hiding Network Connections Detection
    linux_check_afinfo is the plugin for detecting hidden network connections.
    It works by walking the "file_operations" and "sequence_operations" structures of all UDP and TCP protocol structures.
  • 71. [2.4] Hiding Processes
  • 72. Hiding Processes
    Method 1:
    • The Linux kernel contains an array of task_struct structures.
    • The task_struct structure is similar to EPROCESS on Windows.
    • task_struct includes two pointers, prev_run and next_run, pointing to the previous and next process respectively.
    • To hide a process, we only need to unlink the process from this prev_task / next_task list.
  • 73. Hiding Processes
    [Diagram: task_array of task_struct entries (PID, State, *next_task, *prev_task, *next_run, *prev_run, *p_pptr, *p_cptr, *p_ysptr, *p_osptr, ...) from Process 0 through PID 1901, all linked together.]
  • 74. Hiding Processes
    [Diagram: the same task_array after process 1901 has been unlinked from the list.]
  • 75. Hiding Processes
    Method 2: Hooking /proc:
    • Each process has a corresponding directory in /proc.
    • To hide a process, the rootkit hijacks the "readdir" function and filters out the name of the process it wants to hide.
  • 76. Hiding Processes

```c
#include <linux/fs.h>
#include <linux/string.h>

// Assumed to be defined elsewhere in the module (not on the slide):
// HIDDEN_PID and KEY (directory names to suppress), original_filldir and
// original_proc_readdir (the saved genuine callbacks).

static inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen,
                                      loff_t offset, u64 ino, unsigned d_type)
{
    // our hidden PID :)
    if (!strcmp(name, HIDDEN_PID) || !strcmp(name, KEY)) {
        return 0;   // drop this directory entry
    }
    return original_filldir(__buf, name, namelen, offset, ino, d_type);
}

static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir)
{
    // save this, we will need to return it later
    original_filldir = filldir;
    return original_proc_readdir(filp, dirent, fuckit_proc_filldir);
}
```
  • 77. Hiding Processes Detection
    linux_check_fop is the plugin for detecting hidden processes.
    It works by enumerating the /proc filesystem and all opened files, and verifying that every member of each file ops structure is valid.
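Added example (not from the slides and not Volatility's own code): the entry-by-entry pointer verification that linux_check_syscall (slide 67), linux_check_afinfo (slide 70) and linux_check_fop (this slide) perform, and that ssdt_ex does for the Windows SSDT (slide 51), over constructed data. The symbol addresses, the module list and the hooked pointers are all made up; a pointer passes only if it resolves into kernel text or into a module the kernel still lists.

```python
import bisect

# Constructed System.map-style symbol table (address, name), kept sorted by address.
SYMBOLS = sorted([
    (0xFFFFFFFF81000000, "_stext"),
    (0xFFFFFFFF81120000, "sys_read"),
    (0xFFFFFFFF81120200, "sys_write"),
    (0xFFFFFFFF81120400, "sys_open"),
    (0xFFFFFFFF81240000, "tcp4_seq_show"),
    (0xFFFFFFFF81250000, "proc_root_readdir"),
    (0xFFFFFFFF81800000, "_etext"),
])
SYM_ADDR = {name: addr for addr, name in SYMBOLS}
# Constructed modules still linked into the kernel's module list: name -> (base, size).
LISTED_MODULES = {"e1000": (0xFFFFFFFFA0000000, 0x20000)}

def resolve(addr):
    """Map a kernel pointer to (symbol, offset) inside kernel text, (module, offset)
    inside a listed module, or ("<unknown>", addr) when the image cannot account
    for it. A rootkit that unlinked itself from the module list (slide 63) lands
    in the <unknown> bucket, which is exactly what should be surfaced."""
    if SYM_ADDR["_stext"] <= addr < SYM_ADDR["_etext"]:
        i = bisect.bisect_right([a for a, _ in SYMBOLS], addr) - 1
        return (SYMBOLS[i][1], addr - SYMBOLS[i][0])
    for name, (base, size) in LISTED_MODULES.items():
        if base <= addr < base + size:
            return (name, addr - base)
    return ("<unknown>", addr)

def check_table(table, expected):
    """table: pointers read from sys_call_table (or the SSDT); expected: the symbol
    each slot must hold. Returns (slot, expected symbol, resolved target) for every
    slot that no longer points at its handler."""
    return [(i, name, resolve(ptr))
            for i, (ptr, name) in enumerate(zip(table, expected))
            if ptr != SYM_ADDR[name]]

def check_ops(struct_name, ops):
    """ops: {member: pointer} taken from a file_operations / seq_operations struct.
    Pointers into a listed module are legitimate (filesystems and protocols live
    in modules), so only pointers the image cannot account for are reported."""
    return [(struct_name, member, resolve(ptr))
            for member, ptr in ops.items() if resolve(ptr)[0] == "<unknown>"]

# Constructed data: slot 0 (sys_read) and tcp4_seq_afinfo's seq_ops.show have
# been redirected into memory that belongs to no listed module.
SYS_CALL_TABLE = [0xFFFFFFFFA0200000, SYM_ADDR["sys_write"], SYM_ADDR["sys_open"]]
EXPECTED = ["sys_read", "sys_write", "sys_open"]
TCP4_SEQ_OPS = {"show": 0xFFFFFFFFA0200040}
PROC_ROOT_FOPS = {"readdir": SYM_ADDR["proc_root_readdir"]}
```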
  • 78. Anything else?
  • 79. Scan for Registry Artifacts
    volatility hivescan -f dumped.vmem
    volatility hivelist -f dumped.vmem -o 0x212cb60
  • 80. Data Carving Using Foremost
    foremost -c foremost.conf -t exe -i <PID>.dmp -o output3
  • 81. [3] Real-world Malware
    Mixing many of the concepts above:
    • VirTool:WinNT/Exforel.A
    • TDSS Rootkit
    • Zeus
    • Stuxnet / Duqu
    • Flame
  • 82. VirTool:WinNT/Exforel.A
    Malware that re-implements the entire TCP/IP stack.
  • 83. TDSS Rootkit
    Four variants: TDL-1, TDL-2, TDL-3, TDL-4
  • 84. Zeus
    A trojan specialised in stealing information from financial companies/corporations.
    It has some rootkit-like features.
  • 85. Stuxnet / Duqu
    A worm with two versions:
    • Stuxnet: focused on destroying Iran's nuclear reactor infrastructure (PLCs)
    • Duqu: focused on stealing information
  • 86. Flame
    Also known as sKyWIper. The most famous recent malware, far more complex than Duqu. It is a backdoor and a trojan, and also has worm-like features.
  • 87. Comparison
  • 88. Other cases
  • 89. Password Keeper
    Password Keeper is a small utility useful for storing our frequently used passwords. Password information can be stored, edited and printed with this easy to use program.
    No mention of protection against memory analysis.
  • 90. Password Keeper
    With Volatility we dump the Password Keeper process and run strings on it to find our password.
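Added example (not from the slides): what the strings step on this slide does to a process dump, including the UTF-16LE case that plain `strings` skips unless run with -el, which matters because Windows GUI programs keep most text in that encoding. The dump bytes, the window title and the passwords are constructed.

```python
import re

def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) for every run of at least min_len
    printable characters, both ASCII and UTF-16LE (what `strings` and
    `strings -el` report)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)

def grep_strings(data, pattern, min_len=4):
    """The `strings ... | grep -i` step: strings matching a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [hit for hit in extract_strings(data, min_len) if rx.search(hit[2])]

# Constructed stand-in for a dumped process image: header bytes, a UTF-16LE window
# title, an ASCII record, a UTF-16LE password and an ASCII one, separated by junk.
DUMP = (b"\x00" * 8
        + b"MZ\x90\x00\x03\x00\x00\x00"
        + "Password Keeper".encode("utf-16le") + b"\x00\x00"
        + b"\xff\xfe\x01\x02"
        + b"Site: mail.example.com" + b"\x00\x00"
        + "hunter2".encode("utf-16le") + b"\x00\x00"
        + b"\x7f\x80"
        + b"Passw0rd!" + b"\x00")
```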
  • 91. Conclusion
    Volatility is a great tool for memory forensics.
    Want to learn more?
    • SANS FOR526: Windows Memory Forensics In-Depth
    • Windows Memory Forensics Training for Analysts by Volatility Developers
  • 92. Any Questions?
  • 93. Thank you very much!