More Related Content
Similar to Hunting malware via memory forensics
Hunting malware via memory forensics
- 1. 0Document Title Hunting Malwarevia Memory Forensics Sriram Krishnan 02-May-2015
- 2. 1Document Title About theSession The session is aimed at introducing the concept of memory forensics This presentation will provide insight into malware behavior and variety of stealth technique used by malware authors We will focus on concepts and technique relating to Windows
- 3. 2Document Title Agenda Settingthe Context Malware Potential Need for Memory Forensics Memory Forensics Demo
- 4. 3Document Title Setting theContext
- 5. 4Document Title Malware AttacksMaking Headings
- 6.
- 7. 6Document Title Types ofMalware MalwareVirus Worms Trojan Rootkit Backdoor Spyware Scareware
- 8. 7Document Title Malware Behaviour Backdoor Botnet RAT Reverse-Shell Credentials Stealers HashDumping Key Logging GINA Interception Persistence Mechanism Windows Registry DLL Load-Order Hijacking Trojanized System Binaries
- 9. 8Document Title Impact Impactof malware attack is a worst-case-scenario for organizations Command & Control Data Theft Consume network/system resource Further exploitation of network
- 10. 9Document Title Need forMemory Forensics
- 11. 10Document Title Limitation inTraditional Computer Forensics Traditional views of digital investigation focused on obtaining evidence without changing its state. Victim machine is powered off, the storage media is duplicated then analysed in controlled environment. Evidence acquisition process focused on minimizing the distortion of the file system. Less or little focus provided to other critical sources such as RAM, device memory. Selective preservation of data may impact the reliability of derived evidences. Thus traditional digital forensics allows malware authors to exploit the limitation in the investigation procedure.
- 12. 11Document Title Covert Operation As computing has become sophisticated, malware, has also evolved Malware authors have developed various techniques to blend malware into the normal system functions to avoid detection Malware analysts need to understand code constructs and coding patterns to detect malware that are covertly launched Malware covert loading techniques can be broadly classified as: Launchers Process Injections Hook Injections
- 13. 12Document Title Covert Operation Launcher Often contain malware that are designed to load in the victim machine Goal of launcher is to set-up things so that malicious behaviour is concealed from the user Common technique is loading malware stored in resource section (Windows PE file format). For example icons, images, menus etc. Launcher uses resource manipulation API such as FindResource, LoadResource, SizeofResource DOS Header PE Signature COFF Header Optional Header Section Table Mappable Section IMAGE_DIRECTORY_ENTRY_RESOURCE : Location of the resource directory
- 14. 13Document Title Covert Operation ProcessInjection Injecting malicious code into a running process in the victim’s machine Technique to conceal the malware behaviour from the user and malware protection software Process Injection can be classified into: DLL Injection Direct Injection Process Replacement
- 15. 14Document Title Example -DLL Injection Hardware RAM Launcher Malware Malicious DLL Iexplore.exe Launcher Malware Injection Iexplore.exe Malicious DLL Launcher obtains a handle to victim’s process CreateToolhelp32Snapshot(), Process32First(), and Process32Next() Retrieves the PID of target process OpenProcess() Creates memory space for malicious library string name and writes the string into the allocated memory space VirtualAllocEx(), WriteProcessMemory() Executes new thread for remote process CreateRemoteThread() Malicious DLL will be loaded LoadLibrary()
- 16. 15Document Title Covert Operation HookInjection Achieve process injection via Windows Hook mechanism Allows to run the malicious code whenever particular message is intercepted by an application Technique used in malicious keylogger application to record keystrokes of the victim SetWindowsHookEx() Win32 API is used to load the malicious code as hook procedure into the hook chain When appropriate event is received, the malicious code will be executed by the target process USER USER Windows OS Windows OS Threads Application/ Process Application/ Process Event Event Message Malicious DLL Message Threads
- 17. 16Document Title Hence….Memory Forensics Provides unprecedented visibility into the runtime state of the system Enables the full reconstruction of the events and ability to understand the behaviour of the malware Critical data only exist in the memory – hence enables the investigators to collect evidences that cannot be found elsewhere in the system. Memory Forensics is certainly the most productive and challenging realm of digital forensics.
- 18.
- 19. 18Document Title Overview Analysisof the data captured from the volatile memory of a victim machine Physical memory data (RAM) as well as Page File data are captured for the study Memory Acquisition • Capture contents of RAM • Extract data from Hibernation File / Page File Establish Context • Set-up the environment • Dump suspicious processes and drivers • Identify memory offsets to be analyzed Analysis • Analyze the data (heuristic or another technique) • Indicator of Compromise analysis
- 20.
- 21. 20Document Title Stuxnet Malware Stuxnet is computer worm that targeted industrial control systems such as gas pipeline, power plants etc. Stuxnet exploited zero-day vulnerabilities in Microsoft Windows operating systems – basically targeted systems using Windows operating system According to various report the worm affected nuclear power plants of certain countries
- 22. 21Document Title Wrapping Up Any final questions? Thanks for listening Sriram Krishnan Sriramk.21@gmail.com +91-98409-57647