Adi Hayon Tomer Teller

Similar documents
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Detecting the One Percent: Advanced Targeted Malware Detection

Fine-grained covert debugging using hypervisors and analysis via visualization

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis

Storm Worm & Botnet Analysis

File Disinfection Framework (FDF) Striking back at polymorphic viruses

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Security Intelligence Services. Cybersecurity training.

Full System Emulation:

The Value of Physical Memory for Incident Response

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

PE Explorer. Heaventools. Malware Code Analysis Made Easy

for Malware Analysis Daniel Quist Lorie Liebrock New Mexico Tech Los Alamos National Laboratory

Understand Performance Monitoring

Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology

Operating Systems. Lecture 03. February 11, 2013


Run-Time Deep Virtual Machine Introspection & Its Applications

WildFire. Preparing for Modern Network Attacks

Windows Operating Systems. Basic Security

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

Host-based Intrusion Prevention System (HIPS)

Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

Botnets Die Hard Owned and Operated

Analyzing HTTP/HTTPS Traffic Logs

CAS : A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY

CopyKittens Attack Group

Securing Secure Browsers

Evading Android Emulator

Check Point: Sandblast Zero-Day protection

An Introduction to Incident Detection and Response Memory Forensic Analysis

Effective Java Programming. measurement as the basis

Detecting the Presence of Virtual Machines Using the Local Data Table

Getting Ahead of Malware

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

Peeking into Pandora s Bochs. Instrumenting a Full System Emulator to Analyse Malicious Software

Privacy Scrubber: Means to Obfuscate Personal Data from Benign Application Leakage

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

Windows 7, Enterprise Desktop Support Technician

Visualizing Compiled Executables for Malware Analysis

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

THE SCRIPTING THREAT GAINING POPULARITY

Hands-On How-To Computer Forensics Training

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Practical Attacks against Mobile Device Management Solutions

Course Content: Session 1. Ethics & Hacking

An Oracle White Paper September Advanced Java Diagnostics and Monitoring Without Performance Overhead

Gigabit Ethernet Packet Capture. User s Guide

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

FORBIDDEN - Ethical Hacking Workshop Duration

Loophole+ with Ethical Hacking and Penetration Testing

CHAD TILBURY.

Abstract. 1. Introduction. 2. Threat Model

Analyzing a New Variant of BlackEnergy 3 Likely Insider-Based Execution

Hands-On Microsoft Windows Server 2008

Memory Forensics & Security Analytics: Detecting Unknown Malware

Big Data for Big Intel

Search and Destroy the Unknown FROM MALWARE ANALYSIS TO INDICATIONS OF COMPROMISE

Recon Montreal

Incident Response. Six Best Practices for Managing Cyber Breaches.

Software Reversing Engineering (a.k.a. Reversing) Spiros Mancoridis. What is Reverse Engineering? Software Reverse Engineering: Reversing

Networks and Security Lab. Network Forensics

Radware s Attack Mitigation Solution On-line Business Protection

Chapter 2 System Structures

This is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware

6231B: Maintaining a Microsoft SQL Server 2008 R2 Database

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Combating the Next Generation of Advanced Malware

Monitoring HP OO 10. Overview. Available Tools. HP OO Community Guides

White Paper. No Signature Required: The Power of Emulation in Preventing Malware

Forensic Acquisition and Analysis of VMware Virtual Hard Disks

Security Evaluation CLX.Sentinel

Intrusion Detection System

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Live Disk Forensics on Bare Metal

Breach Found. Did It Hurt?

SecurIMAG Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+

Module 3: Resolve Software Failure This module explains how to fix problems with applications that have problems after being installed.

You ll learn about our roadmap across the Symantec and gateway security offerings.

2015 ej-technologies GmbH. All rights reserved. JProfiler Manual

Using SNMP to Obtain Port Counter Statistics During Live Migration of a Virtual Machine. Ronny L. Bull Project Writeup For: CS644 Clarkson University

Operating Systems and Networks

Proactive Rootkit Protection Comparison Test

LoadRunner and Performance Center v11.52 Technical Awareness Webinar Training

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Microsoft s Advantages and Goals for Hyper-V for Server 2016

Transcription:

Adi Hayon Tomer Teller

Why are we here? (one of many reasons) A malicious program: Allocates memory in a remote process (and write to it) Executes the code in that memory region Frees the code Memory dump taken at the end of execution No malicious artifacts found in post-mortem analysis

Why are we here? (one of many reasons) Snake/Uroburos rootkit (MD5: 626576e5f0f85d77c460a322a92bb267) Inline interrupt hooks Zeroed image header This evades file carving

Setting the Context Automated system analyzes a new sample Static Analysis - no significant results Dynamic Analysis - no significant results Memory Analysis limited results Evasion tricks are out of scope Focus is on memory analysis enhancement

Static Analysis Challenges Time consuming 35%~ of malicious samples are packed* 90%~ of packed files are protected Obfuscation, Cryptors, Encrypted Resources * https://media.blackhat.com/bh-us-12/briefings/branco/bh_us_12_branco_scientific_academic_slides.pdf

Dynamic Analysis Challenges What you see is what you get Subverting API functions is easy. APIs Lie. Calling undocumented/native functions Custom WinAPI function implementations Reminder: evading dynamic analysis is out of scope

Memory Analysis Advantages Discovers system inconsistencies that might indicate a rootkit Collects hidden artifacts that cannot be retrieved using OS-provided API Advanced malware operates solely in memory Identifies system activity and overall machine state

Memory Analysis Disadvantages Current solutions require manual inspection (not scalable) Interpreting analysis tools output requires in-depth knowledge of OS internals Anti-Forensics tools exist* to: Prevent grabbing of memory dumps Plant fake artifacts in memory as decoys Artifacts from a single memory dump lack context, since there is no baseline to compare it with Taking memory dumps requires accurate timing as memory is volatile * http://scudette.blogspot.co.il/2014/02/anti-forensics-and-memory-analysis.html

Current Automated Approach Execute a sample in a sandbox Terminate execution after X minutes Grab a memory dump of the machine Analyze the memory dump offline Detect malicious/suspicious artifacts in-memory Revert, Rinse, Repeat

Memory Dump Timing Challenge Post-mortem memory dumps (after the program terminates) risks missing in on the action Malicious artifacts may appear and disappear intermittently Example: Memory region is allocated with RWE permissions Code is written to that region and executed Malware unload itself Detecting the additionally code at the end will fail

Possible Solution Interval-Based memory dump Grab a memory dump every X seconds Analyze each dump - search for malicious artifacts Does it solve the problem? No Malware can slip between the intervals Many dumps to analyze make it inefficient (Time/Space) Dump 2 00:00:20 Dump 4 00:00:40... Dump 1 00:00:10 Dump 3 00:00:30 Dump 5 00:00:50

Better Solution Trigger-Based memory dump Dump memory when something interesting happens Interesting points in time: Known malicious API-sequence (behaviors) in user/kernel mode (e.g. Code injection, hollow process) Evidence cleaning attempts (e.g. Process Termination, Un-mapping memory, etc.) Heavy mathematical computation (e.g. unpacking in progress) Sampling CPU performance counters for abnormal process activity Dump 2 Triggered by CPU activity Dump 4 Triggered by API Y Dump 1 Triggered by API X Dump 3 Triggered by a XOR loop Dump 5 Triggered by

Differential Analysis Analyze each dump for malicious artifacts Diff all dump analysis results from last to clean Clean: Taken before Malware execution Last: Taken when time exceeded Produce a list of New/Modified/Deleted artifacts Visualize! Dump 0 Clean Dump Dump 2 Triggered by CPU activity Dump 4 Triggered by API Y Dump n Last Dump Dump 1 Triggered by API X Dump 3 Triggered by a XOR loop Dump 5 Triggered by

Our Approach Execute a sample in a controlled environment (CE) Trace and monitor execution When a trigger is detected Suspend CE -> Dump Memory -> Resume CE Before the sample terminates Suspend CE -> Dump Memory -> Terminate CE Differential Analysis Clean Dump vs. Dump #1 vs. Dump #2,.. vs. Final Dump Generate Report

DEMO #1 - Showcase Malware Trigger-Based vs. Interval-Based Differential analysis Visualization

Differential Analysis Plugins Process Heap Entropy checker Check for entropy changes over time Anti Virus Strings Check for new unpacked strings Hybrid Data Extractor Comparing code in-memory (dynamic) against the code on disk (static) to detect unpacked code/data Modified PE Header Monitor PE header modification and reconstruct it onthe-fly

Taking a (memory) Dump Live Memory Introspection (libvmi/pyvmi) Suspend CE Query memory directly Resume CE Offline Memory Dump (libvirt) Suspend CE Dump memory to disk Resume CE https://code.google.com/p/vmitools/

DEMO #2 - Advanced Features Trigger-based analysis with VMI Hybrid Analysis (Dynamic + Memory) Artifact dumper

DEMO #3 SNAKE/Uroburos Rootkit Kernel Triggers PE header reconstruction Artifact dumper

Implementation Modified Cuckoo Sandbox v1.1 Modified Cuckoo/CuckooMon components New hooks in User/Kernel Mode New static analysis scripts IDA integration (e.g. calculate MD5/ssdeep per function/section) PinTool integration for DBI New Volatility plugins for differential analysis The techniques are generic and can be applied to any sandbox - Read the WP https://github.com/djteller/memoryanalysis

Future Work Brainstorming & Implementing new triggers Automatic verdict (malicious/benign) Plug-in framework Optimization (e.g. grabbing mini-dumps) Extend (non-intrusive) VMI capabilities Define new operations for misbehavior analysis Port solution to other automated malware systems

Thank You Slides White Paper Code https://github.com/djteller/memoryanalysis @djteller @adihayon1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information