The memory remains

Fileless malware makes cyber attacks even more difficult to detect nowadays. Simple signatures are too easy for an intruder to circumvent. Cyber criminals can also program fileless malware to gain persistence after it has been written directly to RAM. Fileless malware is not a revolutionary approach; however, 2016 certainly saw a dramatic rise in this type of attack as criminals worked to perfect it. This talk is about triaging a system potentially impacted by fileless malware through memory analysis.

Published in: Technology

  1. How do I know I’m secure?
  2. Are my devices infected?
  3. What if!
  4. Incident Response
  5. What if!?!
  6. Or…
  7. We need to analyze malware
  8. Malware becomes smarter
     • Encrypted network communications (C&C)
     • Persistence (auto start)
     • Privilege escalation (run as admin)
     • Data exfiltration
     • Evades modern antivirus
  9. Fileless Malware
  10. Case Study
  11. We need a sample
     • Contagio Malware Dump: Free; password required
     • Das Malwerk: Free
     • FreeTrojanBotnet: Free; registration required
     • KernelMode.info: Free; registration required
     • MalShare: Free; registration required
     • Malware.lu’s AVCaesar: Free; registration required
     • MalwareBlacklist: Free; registration required
     • Malware DB: Free
     • Malwr: Free; registration required
     • Open Malware: Free
     • theZoo aka Malware DB: Free
     • Virusign: Free
     • VirusShare: Free
  12. Let's get infected
  13. Win7x86/64
  14. Before infection
     • 1. Regshot
     • 2. Memory dump
  15. After infection: compare Regshot
  16. But....
  17. The memory remains.
  18. Memory dump
     • VMware (Fusion/Workstation/Server/Player): .vmem = raw memory (.vmss and .vmsn contain the memory image; each snapshot will have its own .vmem file)
     • Microsoft Hyper-V: .bin = raw memory image
     • Parallels: .mem = raw memory image
     • VirtualBox: .sav = partial memory image (the memory file only holds memory actively in use, not the entire amount of memory assigned to the virtual machine)
  19. Volatility
  20. Shellcode loading….
  21. But....
  22. The memory remains.
  23. Volatility commands
       vol.py -f afterinfected.raw --profile=Win7SP1x86 printkey --key="Software\Microsoft\Windows\CurrentVersion\Run"
       vol.py -f afterinfected.raw --profile=Win7SP1x86 pslist
       vol.py -f afterinfected.raw --profile=Win7SP1x86 malfind -p 3312
       vol.py -f infected.raw --profile=Win7SP1x86 envars -p 3276
       vol.py -f infected.raw --profile=Win7SP1x86 hivedump -o 0x8ced15c0
       vol.py -f infected.raw --profile=Win7SP1x86 hivelist
  24. Yara
  25. Dump the memory.
  26. Writing code for fun and food. Security enthusiast. @nahidupa, Nahidul Kibria, Co-Founder, Beetles
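
A triage helper for the `malfind` step on slide 23, added here as an example (it is not code from the talk or from Volatility): it parses malfind's text output and sorts the reported regions by their first bytes, so the ones worth dumping for YARA come first. The sample output is constructed, and the names `parse_malfind`, `classify` and `triage` are hypothetical.

```python
import re

SAMPLE = """\
Process: explorer.exe Pid: 3312 Address: 0x3a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x003a0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
Process: explorer.exe Pid: 3312 Address: 0x2b10000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02b10000  55 8b ec 81 ec 00 01 00 00 53 56 57 90 90 90 90   U........SVW....
Process: svchost.exe Pid: 880 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x001f0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""  # Constructed, abridged sample in the layout Volatility 2's malfind prints.

HEADER = re.compile(r"^Process: (.+?) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
PROT = re.compile(r"Protection: (PAGE_\w+)")  # skips the numeric "Protection: 6" flag
HEXLINE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){15}[0-9a-fA-F]{2})")

def parse_malfind(text):
    """Return one dict per region that malfind reported."""
    regions = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            regions.append(dict(pid=int(m[2]), proc=m[1], addr=int(m[3], 16), prot=None, data=b""))
        elif regions and (m := HEXLINE.match(line)):
            regions[-1]["data"] += bytes.fromhex(m[1])
        elif regions and regions[-1]["prot"] is None and (m := PROT.search(line)):
            regions[-1]["prot"] = m[1]
    return regions

def classify(region):
    """Label a region by its first bytes: PE image, all zeros, or headerless code."""
    if region["data"][:2] == b"MZ":
        return "pe-header"
    return "zeroed" if not any(region["data"]) else "no-header-code"

def triage(text):
    """Per PID, list regions to dump next; zeroed ones are deprioritised, not cleared."""
    by_pid = {}
    for r in parse_malfind(text):
        if (kind := classify(r)) != "zeroed":
            by_pid.setdefault(r["pid"], []).append((hex(r["addr"]), r["prot"], kind))
    return by_pid

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A zeroed first page only lowers a region's priority; later pages of the same allocation can still hold code, so those regions are worth a second look once the flagged ones are dumped.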
