Thursday, January 19, 2012

Ramnit, Zeus and the BAT! Part 3


After parts 1 and 2 we can safely say the machine is infected. This next part will go through building the Mandiant IOC using IOC Editor, in order to hopefully identify other infected hosts.

One issue I am keeping an eye on is trying to identify indicators that would hopefully be present in numerous samples. Malware writers are incorporating new ways to subvert AV identification techniques (and have been known to brag online that the malware is not detected).

Driver Inspection

I’m going to start with the driver (imjvxcsr.sys) associated with the misspelled service: Micorsoft Windows Service.
Looking at the driver’s name it looks randomly generated, but after infecting the same host a few times the driver name is consistent on that host.

The directory where the driver is located always seems to be C:\Documents and Settings\User\Local Settings\Temp, as seen in the SSDT hooks tab in Audit Viewer and Redline.


Using Redline to review Drivers and Devices we can see that there is also a device associated with the driver.

By selecting the driver and opening its driver information we can review any strings associated with it.

Upon reviewing the strings we can see a number of possible IOCs:
  • \systemsroot\temp\%x
  • \Device\631D2408D44C4f47AC647AB96987D4D5
  • \DosDevices\631D2408D44C4f47AC647AB96987D4D5
  • c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Chae Jong Bin @2gg also tweeted that the demetra project path was located in a sample.
Using the OpenIOC Framework we can start with the following:
  • Driver StringList is c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
  • Driver StringList is \Device\631D2408D44C4f47AC647AB96987D4D5
  • Driver StringList is \DosDevices\631D2408D44C4f47AC647AB96987D4D5

Hook Inspection

If we then review the Hooks section using Redline or Audit Viewer we can use it to further enhance our indicator.

From the evidence above we can use the Hooking Module, Hooked Module and Hook Description fields.
Using the OpenIOC Framework these give us the following items to enhance our IOC:
  • Hook HookDescription is SystemCall
  • Hook Hooking Module contains \Local~1\Temp\
  • Hook Hooked Module is ntoskrnl.exe

Process Inspection

Using the default indicator from Redline and Audit Viewer we can build an IOC for svchost.exe processes with unexpected arguments (this can be expanded on if your environment has additional valid svchost arguments):
  • Process name is svchost.exe
  • Process arguments is not C:\WINDOWS\System32\svchost.exe -k netsvcs
  • Process arguments is not C:\WINDOWS\system32\svchost -k rpcss
  • Process arguments is not C:\WINDOWS\System32\svchost.exe -k LocalService
  • Process arguments is not C:\WINDOWS\System32\svchost.exe -k NetworkService
  • Process arguments is not C:\WINDOWS\system32\svchost -k DcomLaunch
  • Process arguments is not C:\WINDOWS\system32\svchost.exe -k imgsvc
In turn, pick one of the suspicious svchost.exe processes and review its Process Handles, Mutexes and Strings using Redline and Audit Viewer. From the analysis we can use the following IOCs as possible indicators (please note Ramnit is quite verbose and as such offers a lot of string values to review; the items below can easily be expanded on or removed due to false positives).

There are other string values that look to be passwords, email addresses and DNS hostnames.

By reviewing the string list below we can also assume that Ramnit has integrated some of the components seen in Zeus; these references can be found in the leaked source code, which is available online.
  • Process Handle contains \Start Menu\Programs\Startup\
  • Process Handle contains CTF.Compart.MutexDefaultS-1-5-21
  • Process Handle contains CTF.Layouts.MutexDefaultS-1-5-21
  • Process Handle contains CTF.TMD.MutexDefaultS-1-5-21
  • Process Handle contains CTF.TimListCache.FMPDefaultS-1-5-21
  • Process Handle contains CTF.Asm.MutexDefaultS-1-5-21
  • Process Handle contains CTF.LBES.MutexDefaultS-1-5-21
  • Process String contains LOCALS~1\Temp\~TM4.tmp
  • Process String is Hide Browser v1.1
  • Process String is 220 220 RMNetwork FTP
  • Process String is Ftp Grabber v1.0
  • Process String is Virus Module v1.0 (exe, dll only)
  • Process String is VNC Module v1.0 (Zeus Model)
  • Process String is Byob Ernie Gild Lotto 2002-2006
  • Process String is Reich.exe
  • Process String is \Start Menu\Programs\Startup\
When we review a number of the other processes we can also find the following Process Strings and Handle, which seem to be present in multiple processes:
  • Process String is <%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT POST
  • Process Handle Name is !IETld!Mutex
  • Process StringList is \\.\631D2408D44C4f47AC647AB96987D4D5
Next is the additional executable that was dropped during one of the infections; this already gives us an insight into the functionality available to Ramnit, i.e. the ability to drop and execute additional files.

By reviewing the NETWORK ACTIVITY section for Install.exe (PID 3424) we can assume this is our spamming engine. By reviewing the Process Strings we can confirm this functionality.


Further review shows references to Delphi and in particular what looks to be a backup location for the source code. A number of strings also mention a few email clients/providers (Outlook, The Bat, POPPeeper).
Using OpenIOC, one possible IOC could be the following:
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas
  • Process StringList is TModule_POPPeeper
  • Process StringList is TModule_Eudora
  • Process StringList is TModule_Gmail
  • Process StringList is TModule_IncrediMail
  • Process StringList is TModule_GroupMailFree
  • Process StringList is TModule_VypressAuvis
  • Process StringList is TModule_The_Bat
  • Process StringList is TModule_Outlook0
  • Process StringList is TOutlookIdentItem

Published IOC

All we need to do now is put it together and introduce the logic to get the hits. A complete IOC that has been tested is below; it has been run against multiple audit files and did not produce any false positives.
OR:
  • DriverItem/StringList/string is ' c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb'
  • DriverItem/StringList/string is ' \Device\631D2408D44C4f47AC647AB96987D4D5'
  • DriverItem/StringList/string is ' 631D2408D44C4f47AC647AB96987D4D5'
  • ProcessItem/HandleList/Handle/Name is ' !IETld!Mutex'
  • ProcessItem/StringList/string is ' \\.\631D2408D44C4f47AC647AB96987D4D5'
  • ProcessItem/StringList/string contains ' <%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT POST'
  • AND:
    • HookItem/HookDescription is ' SystemCall'
    • HookItem/HookedModule is ' ntoskrnl.exe'
    • HookItem/HookingModule contains ' \LOCALS~1\Temp\'
  • AND:
    • ProcessItem/StringList/string contains ' Micorsoft Windows Service'
    • ProcessItem/StringList/string contains ' TANGrabber'
    • ProcessItem/name is ' services.exe'
  • AND:
    • ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k netsvcs'
    • ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost -k rpcss'
    • ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k LocalService'
    • ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k NetworkService'
    • ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost -k DcomLaunch'
    • ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost.exe -k imgsvc'
    • ProcessItem/name is ' svchost.exe'
  • AND:
    • ProcessItem/name is ' svchost.exe'
    • OR:
      • ProcessItem/HandleList/Handle/Name contains ' CTF.Compart.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.Layouts.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.TMD.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.TimListCache.FMPDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.Asm.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.LBES.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' \Start Menu\Programs\Startup\'
      • ProcessItem/StringList/string contains ' LOCALS~1\Temp\~TM4.tmp'
      • ProcessItem/StringList/string is ' Hide Browser v1.1'
      • ProcessItem/StringList/string is ' 220 220 RMNetwork FTP'
      • ProcessItem/StringList/string is ' Ftp Grabber v1.0'
      • ProcessItem/StringList/string is ' Virus Module v1.0 (exe, dll only)'
      • ProcessItem/StringList/string is ' VNC Module v1.0 (Zeus Model)'
      • ProcessItem/StringList/string is ' Byob Ernie Gild Lotto 2002-2006'
      • ProcessItem/StringList/string is ' Reich.exe'
  • AND:
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas'
    • ProcessItem/StringList/string is ' TModule_POPPeeper'
    • ProcessItem/StringList/string is ' TModule_Eudora'
    • ProcessItem/StringList/string is ' TModule_Gmail'
    • ProcessItem/StringList/string is ' TModule_IncrediMail'
    • ProcessItem/StringList/string is ' TModule_GroupMailFree'
    • ProcessItem/StringList/string is ' TModule_VypressAuvis'
    • ProcessItem/StringList/string is ' TModule_The_Bat'
    • ProcessItem/StringList/string is ' TModule_Outlook0'
    • ProcessItem/StringList/string is ' TOutlookIdentItem'
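To show how the OR/AND logic above actually composes, here is an added Python evaluator (not the post's or Mandiant's code) for a subset of the published indicator, run against constructed host audits reduced to the OpenIOC context paths the indicator references. It also shows the caveat noted under Process Inspection: a clean host running a svchost group missing from the argument allow-list still fires the svchost branch. The host audits, the `placeholder_av.sys` driver name and the `-k HTTPFilter` argument are constructed for the example.

```python
# Constructed host audits, reduced to the OpenIOC "context" paths the indicator
# references (a real Redline/Memoryze audit carries many more fields per item).
INFECTED_HOST = [
    {"DriverItem/StringList/string": [
        r"\Device\631D2408D44C4f47AC647AB96987D4D5",
        r"c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb"]},
    {"ProcessItem/name": "svchost.exe",
     "ProcessItem/arguments": r"C:\WINDOWS\System32\svchost.exe -k netsvcs"},
    {"ProcessItem/name": "svchost.exe", "ProcessItem/arguments": ""},  # no arguments at all
    {"HookItem/HookDescription": "SystemCall",
     "HookItem/HookedModule": "ntoskrnl.exe",
     "HookItem/HookingModule": r"C:\DOCUME~1\User\LOCALS~1\Temp\imjvxcsr.sys"},
]
CLEAN_HOST = [
    {"ProcessItem/name": "svchost.exe",
     "ProcessItem/arguments": r"C:\WINDOWS\System32\svchost.exe -k netsvcs"},
    {"HookItem/HookDescription": "SystemCall",
     "HookItem/HookedModule": "ntoskrnl.exe",
     "HookItem/HookingModule": r"C:\WINDOWS\system32\drivers\placeholder_av.sys"},  # placeholder
]
# A clean host running a svchost group the argument allow-list does not know about.
EXTRA_GROUP_HOST = [
    {"ProcessItem/name": "svchost.exe",
     "ProcessItem/arguments": r"C:\WINDOWS\System32\svchost.exe -k HTTPFilter"},
]


def term(context, condition, content):
    """One IndicatorItem: (context path, condition, content)."""
    return ("item", context, condition, content)


EXPECTED_SVCHOST_ARGS = [
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\svchost -k rpcss",
    r"C:\WINDOWS\System32\svchost.exe -k LocalService",
    r"C:\WINDOWS\System32\svchost.exe -k NetworkService",
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\WINDOWS\system32\svchost.exe -k imgsvc",
]

# Subset of the published indicator: a top-level OR over independent branches.
IOC = ("OR", [
    term("DriverItem/StringList/string", "is",
         r"c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb"),
    term("DriverItem/StringList/string", "is", r"\Device\631D2408D44C4f47AC647AB96987D4D5"),
    ("AND", [
        term("HookItem/HookDescription", "is", "SystemCall"),
        term("HookItem/HookedModule", "is", "ntoskrnl.exe"),
        term("HookItem/HookingModule", "contains", "\\LOCALS~1\\Temp\\"),
    ]),
    ("AND", [term("ProcessItem/name", "is", "svchost.exe")] +
            [term("ProcessItem/arguments", "isnot", a) for a in EXPECTED_SVCHOST_ARGS]),
])


def item_matches(record, context, condition, content):
    """Apply one IndicatorItem to one audit record (comparison is case-insensitive)."""
    values = record.get(context)
    if values is None:
        return False
    if not isinstance(values, list):
        values = [values]
    vals = [v.lower() for v in values]
    needle = content.lower()
    if condition == "is":
        return needle in vals
    if condition == "isnot":
        return needle not in vals
    if condition == "contains":
        return any(needle in v for v in vals)
    raise ValueError("unsupported condition: " + condition)


def evaluate(node, audit):
    """True if the audit satisfies the tree.  Leaf terms directly under an AND must
    all hold for one and the same record; that is what makes 'name is svchost.exe'
    combine with the 'arguments isnot ...' terms as a per-process allow-list."""
    kind = node[0]
    if kind == "item":
        return any(item_matches(r, *node[1:]) for r in audit)
    children = node[1]
    if kind == "OR":
        return any(evaluate(c, audit) for c in children)
    if kind == "AND":
        leaves = [c for c in children if c[0] == "item"]
        subtrees = [c for c in children if c[0] != "item"]
        same_record = not leaves or any(
            all(item_matches(r, *leaf[1:]) for leaf in leaves) for r in audit)
        return same_record and all(evaluate(s, audit) for s in subtrees)
    raise ValueError("unknown node type: " + kind)


def hits(audit, ioc=IOC):
    """Indices of the top-level OR branches that fire, to see why a host matched."""
    return [i for i, branch in enumerate(ioc[1]) if evaluate(branch, audit)]


if __name__ == "__main__":
    for name, audit in [("infected", INFECTED_HOST), ("clean", CLEAN_HOST),
                        ("extra svchost group", EXTRA_GROUP_HOST)]:
        print("%-20s match=%-5s branches=%s" % (name, evaluate(IOC, audit), hits(audit)))
```

The third host shows why the svchost branch needs tuning per environment: any argument string absent from the allow-list satisfies every "isnot" term and produces a hit.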
A published IOC can be located on the Mandiant Forums as well as on the http://ioc.forensicartifacts.com/ website.
Happy hunting! Please leave feedback if the IOC produces false positives and needs amending or improving.

Ramnit, Zeus and the BAT! Part 2

Memory Analysis

Please note the memory sample reviewed in this next section does not correlate with the logs reviewed above (i.e. PIDs are different, and one other artifact occurred during the memory dump; all will be revealed).

After the VM was snapshotted and paused, analysis could be conducted on the vmem file.

A number of tools were used to conduct the analysis including the following:

  • Mandiant’s Redline (and also AuditViewer with Memoryze)
  • Volatility

The reason a number of tools were used is that each tool has its own advantages and disadvantages.

Process List and Process Tree

The output below was generated from Volatility using the pslist command. As can be seen below, Sample1.exe is the parent PID of two svchost.exe processes (the snapshot was taken before Sample1.exe terminated; see Ramnit, Zeus and the BAT! Part 1).

During one of the infections an additional process, install.exe (PID 3424), was started by one of the svchost.exe processes (PID 2000). We will analyse the file later.

Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c8830 System                    4      0     67    510 1970-01-01 00:00:00      
0x82193da0 smss.exe                556      4      3     19 2012-01-11 22:13:40      
0x81fff978 csrss.exe               624    556     12    732 2012-01-11 22:13:43      
0x81f67978 winlogon.exe            648    556     21    519 2012-01-11 22:13:43      
0x81ef7880 services.exe            692    648     20    298 2012-01-11 22:13:43      
0x81f91418 lsass.exe               704    648     27    424 2012-01-11 22:13:43      
0x82209198 vmacthlp.exe            860    692      5     40 2012-01-11 22:13:44      
0x81e654f0 svchost.exe             872    692     25    223 2012-01-11 22:13:44      
0x81ea7360 svchost.exe             956    692     15    284 2012-01-11 22:13:45      
0x81f42c10 svchost.exe            1068    692     93   1600 2012-01-11 22:13:45      
0x81e9c528 svchost.exe            1200    692     10     93 2012-01-11 22:13:46      
0x822adbf0 svchost.exe            1300    692     18    177 2012-01-11 22:13:46      
0x822bc840 spoolsv.exe            1428    692     18    133 2012-01-11 22:13:46      
0x81e1e6a0 svchost.exe            1532    692      9    116 2012-01-11 22:13:55      
0x81e28da0 EngineServer.ex        1604    692      8     53 2012-01-11 22:13:55      
0x81e755e8 FrameworkServic        1628    692     14    238 2012-01-11 22:13:55      
0x820353e8 VsTskMgr.exe           1692    692     28    273 2012-01-11 22:13:58      
0x82194a58 mfevtps.exe            1716    692     10    157 2012-01-11 22:13:59      
0x822537a8 naPrdMgr.exe           1724    872      9     98 2012-01-11 22:13:59      
0x81ee8760 VMwareService.e        1928    692      7    157 2012-01-11 22:13:59      
0x81e4dda0 Mcshield.exe           2012    692     17    131 2012-01-11 22:14:00      
0x81de7968 mfeann.exe              204   2012     13    127 2012-01-11 22:14:05      
0x81eff6a0 explorer.exe            708    492     23    616 2012-01-11 22:14:08      
0x81fb0a20 alg.exe                 524    692     10    117 2012-01-11 22:14:32      
0x8223bda0 VMwareTray.exe         1048    708      5     50 2012-01-11 22:14:33      
0x81ecb588 wscntfy.exe             416   1068      5     51 2012-01-11 22:14:33      
0x821ec918 VMwareUser.exe         1464    708     10    212 2012-01-11 22:14:34      
0x8225f6a8 UdaterUI.exe           1612    708     10    121 2012-01-11 22:14:35      
0x81f22a20 shstat.exe              900    708      0 ------ 2012-01-11 22:14:35      
0x81e81550 AdobeARM.exe           2092    708     12    197 2012-01-11 22:14:38      
0x81d1fda0 ctfmon.exe             2216    708      5     89 2012-01-11 22:14:39      
0x81f047c8 McTray.exe             2296   1612      5     46 2012-01-11 22:14:39      
0x81f8d7b0 mcconsol.exe           3796    900      9    176 2012-01-11 22:15:12      
0x81cf3a20 cmd.exe                2108    708      5     53 2012-01-11 22:15:47      
0x81f1c5c8 CaptureBAT.exe         2992   2108      0 ------ 2012-01-11 22:16:13      
0x81fc8ab0 CaptureBAT.exe         3788   2108     10     56 2012-01-11 22:16:57      
0x8213f458 Sample1.exe            4000    708      0 ------ 2012-01-11 22:17:04      
0x821e1bf0 svchost.exe            2640   4000     13    125 2012-01-11 22:17:05      
0x82070200 svchost.exe            2000   4000     10    119 2012-01-11 22:17:05      
0x820b9ad0 install.exe            3424   2000     12    159 2012-01-11 22:17:42      
0x82049b60 iexplore.exe           2200    708      0 ------ 2012-01-13 19:36:33      
0x81a629b8 iexplore.exe            516    708     26    367 2012-01-13 19:37:49      
0x81a535a0 iexplore.exe           2480    516     27    550 2012-01-13 19:37:51

Upon analysing the memory dump using Redline the following processes are flagged straight away and highlighted red:

svchost.exe PID 2000

svchost.exe PID 2640


Redline reports that the processes were flagged because both have unexpected arguments; in fact the processes have no arguments at all:

 “C:\WINDOWS\system32\svchost.exe”

We get a different visual representation of the memory dump using Mandiant’s Memoryze and Audit Viewer.

The reason for all the additional flags is that Audit Viewer has identified the injected memory sections.


Redline also displays the Injected Memory Sections, and upon initial analysis it can be seen that they nearly all start at the same region address: 0x20010000


Network Activity

Offset(V)  Local Address             Remote Address            Pid  
---------- ------------------------- ------------------------- ------
0x820c0008 192.168.0.18:1806         173.194.41.95:80            2480
0x81e307a8 192.168.0.18:1810         173.194.67.104:80           2480
0x81ab0008 192.168.0.18:1807         209.85.147.94:80            2480
0x82066a58 192.168.0.18:1802         204.212.40.2:25             3424
0x81f65a50 192.168.0.18:1052         209.85.147.105:80           2000
0x81a994f0 192.168.0.18:1809         209.85.147.94:80            2480
0x81a994f0 192.168.0.18:1805         209.85.147.94:80            2480
0x81f29720 192.168.0.18:1033         209.85.147.105:80           2000
0x82055008 192.168.0.18:1500         209.85.229.99:80            2000
0x8206c370 192.168.0.18:1803         74.125.43.27:25             3424
0x81a9db28 192.168.0.18:1799         202.136.110.213:25          3424
0x81a9db28 192.168.0.18:1715         202.136.110.213:25          3424

Straight away the interesting connections that stand out are those to port 25 (SMTP); this will be expanded on later. The IP addresses are located in Australia and the United States.
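As an added example (not part of the original post), the following Python script parses the pslist and connections output above and applies two of the checks made by hand here: a svchost.exe whose parent is not services.exe (PIDs 2000 and 2640 under Sample1.exe), and outbound port-25 connections owned by a process that is not a known mail client (install.exe, PID 3424). The embedded sample lines are a subset copied from the listings above; the `EXPECTED_PARENT` allow-list and the `mail_clients` parameter are hypothetical and would be extended per environment.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the pslist output shown above.
PSLIST = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x81ef7880 services.exe            692    648     20    298 2012-01-11 22:13:43
0x81e654f0 svchost.exe             872    692     25    223 2012-01-11 22:13:44
0x81eff6a0 explorer.exe            708    492     23    616 2012-01-11 22:14:08
0x8213f458 Sample1.exe            4000    708      0 ------ 2012-01-11 22:17:04
0x821e1bf0 svchost.exe            2640   4000     13    125 2012-01-11 22:17:05
0x82070200 svchost.exe            2000   4000     10    119 2012-01-11 22:17:05
0x820b9ad0 install.exe            3424   2000     12    159 2012-01-11 22:17:42
0x81a535a0 iexplore.exe           2480    516     27    550 2012-01-13 19:37:51
"""

# Constructed sample: a subset of the connections output shown above.
CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x820c0008 192.168.0.18:1806         173.194.41.95:80            2480
0x82066a58 192.168.0.18:1802         204.212.40.2:25             3424
0x81f65a50 192.168.0.18:1052         209.85.147.105:80           2000
0x8206c370 192.168.0.18:1803         74.125.43.27:25             3424
"""

Process = namedtuple("Process", "offset name pid ppid")
Connection = namedtuple("Connection", "local remote pid")

# Only the leading columns are needed; Thds/Hnds may read '------' for exited processes.
PSLIST_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+")
CONN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_pslist(text):
    """Map PID -> Process for every data row of a pslist listing."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            p = Process(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            procs[p.pid] = p
    return procs


def parse_connections(text):
    """List every data row of a connections listing."""
    return [Connection(m.group(2), m.group(3), int(m.group(4)))
            for m in map(CONN_RE.match, text.splitlines()) if m]


# Hypothetical allow-list: on Windows XP every legitimate svchost.exe is started
# by services.exe.  Extend with other child/parent pairs for your environment.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


def unexpected_parents(procs):
    """(pid, name, ppid, parent_name) for processes whose parent is not allowed."""
    findings = []
    for p in procs.values():
        allowed = EXPECTED_PARENT.get(p.name.lower())
        if allowed is None:
            continue
        parent = procs.get(p.ppid)
        parent_name = parent.name if parent else "<not in list>"
        if parent_name.lower() not in allowed:
            findings.append((p.pid, p.name, p.ppid, parent_name))
    return findings


def smtp_connections(procs, conns, mail_clients=frozenset()):
    """(pid, name, remote_host) for port-25 connections owned by a non-mail process."""
    findings = []
    for c in conns:
        host, _, port = c.remote.rpartition(":")
        if port != "25":
            continue
        owner = procs.get(c.pid)
        name = owner.name if owner else "<unknown>"
        if name.lower() not in mail_clients:
            findings.append((c.pid, name, host))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    for pid, name, ppid, parent in unexpected_parents(procs):
        print("suspicious parent: %s (PID %d) started by %s (PID %d)" % (name, pid, parent, ppid))
    for pid, name, host in smtp_connections(procs, parse_connections(CONNECTIONS)):
        print("SMTP from non-mail process: %s (PID %d) -> %s:25" % (name, pid, host))
```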

Services

Using Volatility (svcscan) we can review the services that were running at the time the snapshot was taken. Upon first analysis nothing really seems to be amiss apart from the misspelled Micorsoft Windows Service:

Offset(P)  #Ptr #Hnd Start        Size Service key          Name
0x01f26f38    3    0 0xb2746000 333952 'Srv'                'Srv'        '\\FileSystem\\Srv'
0x01fe0190    3    0 0xf8b72000  15488 'mssmbios'           'mssmbios'   '\\Driver\\mssmbios'
0x01fe0838    3    0 0xf80f5000 384768 'Update'             'Update'     '\\Driver\\Update'
0x01fe3950    2    0 0xb2102000  68512 'mfeapfk'            'mfeapfk'    '\\Driver\\mfeapfk'
0x01fffa08    5    0 0xf8ab6000  11008 'vmscsi'             'vmscsi'     '\\Driver\\vmscsi'
0x02042a18    5    0 0xb1e81000 264832 'HTTP'               'HTTP'       '\\Driver\\HTTP'
0x0204bf38    5    0 0xf88ba000  56576 'mfetdik'            'mfetdik'    '\\Driver\\mfetdik'
0x0204cb10    4    0 0xb2cc0000 113152 'vmhgfs'             'vmhgfs'     '\\FileSystem\\vmhgfs'
0x0204f300    3    0 0xf883a000  41472 'RasPppoe'           'RasPppoe'   '\\Driver\\RasPppoe'
0x02060df0   19    0 0xf8376000 333376 'mfehidk'            'mfehidk'    '\\Driver\\mfehidk'
0x02061860    5    0 0xf83c8000 105344 'Mup'                'Mup'        '\\FileSystem\\Mup'
0x02061ce8   17    0 0xf83e2000 182656 'NDIS'               'NDIS'       '\\Driver\\NDIS'
0x02064bb8    3    0 0xf882a000  51328 'Rasl2tp'            'Rasl2tp'    '\\Driver\\Rasl2tp'
0x02071168    6    0 0xf853b000 125056 'Ftdisk'             'Ftdisk'     '\\Driver\\Ftdisk'
0x0207b240    3    0 0xf8a82000  21760 'TDTCP'              'TDTCP'      '\\Driver\\TDTCP'
0x0207d178    2    0 0xb21db000  11648 'CaptureFileMonitor' 'CaptureFileMonitor' '\\FileSystem\\CaptureFileMonitor'
0x02091790    3    0 0xf88ca000  34688 'NetBIOS'            'NetBIOS'    '\\FileSystem\\NetBIOS'
0x02092f38    5    0 0xb2cfe000 162816 'NetBT'              'NetBT'      '\\Driver\\NetBT'
0x02095838    5    0 0xf8153000 196224 'rdpdr'              'rdpdr'      '\\Driver\\rdpdr'
0x02096030    4    0 0xf8263000  12160 'mouhid'             'mouhid'     '\\Driver\\mouhid'
0x02098030    7    0 0xf8bb0000   7936 'Fs_Rec'             'Fs_Rec'     '\\FileSystem\\Fs_Rec'
0x0209cf38    6    0 0xf8972000  23040 'Mouclass'           'Mouclass'   '\\Driver\\Mouclass'
0x020ab1b0    6    0 0xf84fd000  96512 'atapi'              'atapi'      '\\Driver\\atapi'
0x020ab2a8    5    0 0xf86ba000  52352 'VolSnap'            'VolSnap'    '\\Driver\\VolSnap'
0x020ab3a0    4    0 0xf8922000  19712 'PartMgr'            'PartMgr'    '\\Driver\\PartMgr'
0x020b2030    4    0 0xf87fa000  40704 'es1371'             'es1371'     '\\Driver\\es1371'
0x020bcf38    3    0 0xf89c2000  19072 'Msfs'               'Msfs'       '\\FileSystem\\Msfs'
0x020bd030    3    0 0xf8b52000  13952 'CmBatt'             'CmBatt'     '\\Driver\\CmBatt'
0x020bd560    3    0 0xf89ca000  30848 'Npfs'               'Npfs'       '\\FileSystem\\Npfs'
0x020c2548    3    0 0xf86ea000  42368 'agp440'             'agp440'     '\\Driver\\agp440'
0x020e8be0    3    0 0xf8c26000   7296 'CaptureRegistryMonitor' 'CaptureRegistryMonitor' '\\Driver\\CaptureRegistryMonitor'
0x020fd788    4    0 0xb2c25000 455296 'MRxSmb'             'MRxSmb'     '\\FileSystem\\MRxSmb'
0x02101790    3    0 0xb2cdc000 138496 'AFD'                'AFD'        '\\Driver\\AFD'
0x02101be0    7    0 0xb2d74000 361600 'Tcpip'              'Tcpip'      '\\Driver\\Tcpip'
0x02103678    6    0 0xf88aa000  59520 'usbhub'             'usbhub'     '\\Driver\\usbhub'
0x02106bd8    3    0 0xf8bb6000   4224 'RDPCDD'             'RDPCDD'     '\\Driver\\RDPCDD'
0x02126928    3    0 0xb27e8000 180608 'MRxDAV'             'MRxDAV'     '\\FileSystem\\MRxDAV'
0x02128970    4    0 0xb1c2d000 143744 'Fastfat'            'Fastfat'    '\\FileSystem\\Fastfat'
0x02130730    3    0 0xf89a2000  16512 'Raspti'             'Raspti'     '\\Driver\\Raspti'
0x02134360    2    0 0xb20ed000  84352 'mfeavfk'            'mfeavfk'    '\\Driver\\mfeavfk'
0x02134880    3    0 0xb25a6000  60800 'sysaudio'           'sysaudio'   '\\Driver\\sysaudio'
0x02161160    4    0 0xf8b9e000   5504 'IntelIde'           'IntelIde'   '\\Driver\\IntelIde'
0x02164cc0    3    0 0xf8d3a000   2944 'Null'               'Null'       '\\Driver\\Null'
0x0216f030    7    0 0xf8cd2000   3072 'audstub'            'audstub'    '\\Driver\\audstub'
0x02170110    5    0 0xf89d2000  32128 'usbccgp'            'usbccgp'    '\\Driver\\usbccgp'
0x0218f6e0    3    0 0xf885a000  35072 'Gpc'                'Gpc'        '\\Driver\\Gpc'
0x0218fbb8    5    0 0xf8183000  69120 'PSched'             'PSched'     '\\Driver\\PSched'
0x021905f0   13    0 0x00000000      0 '\\Driver\\Win32k'   'Win32k'     '\\Driver\\Win32k'
0x021a1030    4    0 0xf896a000  24576 'Kbdclass'           'Kbdclass'   '\\Driver\\Kbdclass'
0x021ada30    6    0 0xf8515000 153344 'dmio'               'dmio'       '\\Driver\\dmio'
0x021adc48    3    0 0xf8ba0000   5888 'dmload'             'dmload'     '\\Driver\\dmload'
0x021f09f8    5    0 0xf887a000  40704 'TermDD'             'TermDD'     '\\Driver\\TermDD'
0x021fdec8    3    0 0xf8325000  12032 'WS2IFSL'            'WS2IFSL'    '\\Driver\\WS2IFSL'
0x02209030    3    0 0xf881a000  36352 'intelppm'           'intelppm'   '\\Driver\\intelppm'
0x0220bda0    3    0 0xf87da000  48256 'vmci'               'vmci'       '\\Driver\\vmci'
0x02222460    3    0 0xf8bb4000   4224 'mnmdd'              'mnmdd'      '\\Driver\\mnmdd'
0x02230270    5    0 0xb2411000  83072 'wdmaud'             'wdmaud'     '\\Driver\\wdmaud'
0x02232f38    3    0 0xb2c95000 175744 'Rdbss'              'Rdbss'      '\\FileSystem\\Rdbss'
0x02236408    3    0 0xf8335000   8832 'RasAcd'             'RasAcd'     '\\Driver\\RasAcd'
0x02236ca8    3    0 0xf89ba000  20992 'VgaSave'            'VgaSave'    '\\Driver\\VgaSave'
0x0223bcc0    3    0 0xf8bb2000   4224 'Beep'               'Beep'       '\\Driver\\Beep'
0x022f11e8    3    0 0xf8952000  32768 'Micorsoft Windows Service' 'Micorsoft Windows Service' '\\Driver\\Micorsoft Windows Service'
0x02349500    3    0 0xb17f2000 172416 'kmixer'             'kmixer'     '\\Driver\\kmixer'
0x02389bb8    9    0 0xf8bac000   4352 'swenum'             'swenum'     '\\Driver\\swenum'
0x0238ef38    6    0 0xf826b000  10368 'hidusb'             'hidusb'     '\\Driver\\hidusb'
0x0239b7f0    6    0 0xf899a000  17792 'Ptilink'            'Ptilink'    '\\Driver\\Ptilink'
0x0239c5d8    3    0 0xf88ea000  36864 'vmdebug'            'vmdebug'    '\\Driver\\vmdebug'
0x023a04b8    4    0 0xf87ca000  57600 'redbook'            'redbook'    '\\Driver\\redbook'
0x023a6418    3    0 0xf8b96000  10624 'gameenum'           'gameenum'   '\\Driver\\gameenum'
0x023e9030    3    0 0xf873a000  63744 'Cdfs'               'Cdfs'       '\\FileSystem\\Cdfs'
0x023ea5d0    3    0 0xf8c1e000   6272 'CaptureProcessMonitor' 'CaptureProcessMonitor' '\\Driver\\CaptureProcessMonitor'
0x023fcf38    2    0 0xb21bb000  36288 'mfebopk'            'mfebopk'    '\\Driver\\mfebopk'
0x02405740    3    0 0xb2dcd000  75264 'IPSec'              'IPSec'      '\\Driver\\IPSec'
0x024178d0    5    0 0xf878a000  52480 'i8042prt'           'i8042prt'   '\\Driver\\i8042prt'
0x02437da0    3    0 0xb1eea000 139520 'RDPWD'              'RDPWD'      '\\Driver\\RDPWD'
0x02439030    3    0 0xf8be2000   6784 'ParVdm'             'ParVdm'     '\\Driver\\ParVdm'
0x02439430    3    0 0xb2a59000  14592 'Ndisuio'            'Ndisuio'    '\\Driver\\Ndisuio'
0x02439da0    3    0 0xf8be4000   7680 'VMMEMCTL'           'VMMEMCTL'   '\\Driver\\VMMEMCTL'
0x02450f38    3    0 0xf88fa000  44544 'Fips'               'Fips'       '\\Driver\\Fips'
0x02458a50    3    0 0xb2d4e000 152832 'IpNat'              'IpNat'      '\\Driver\\IpNat'
0x0245d030    3    0 0xf87aa000  42112 'Imapi'              'Imapi'      '\\Driver\\Imapi'
0x0245d610    3    0 0xf87ba000  62976 'Cdrom'              'Cdrom'      '\\Driver\\Cdrom'
0x024682a0    4    0 0xf8234000  91520 'NdisWan'            'NdisWan'    '\\Driver\\NdisWan'
0x02468d78    6    0 0xf8b56000  10112 'NdisTapi'           'NdisTapi'   '\\Driver\\NdisTapi'
0x02472640    4    0 0xf8309000  80128 'Parport'            'Parport'    '\\Driver\\Parport'
0x024ad8a8    3    0 0xf898a000  29696 'vmxnet'             'vmxnet'     '\\Driver\\vmxnet'
0x024b3b70   16    0 0xf84c5000 129792 'FltMgr'             'FltMgr'     '\\FileSystem\\FltMgr'
0x024c00b0    7    0 0xf86aa000  42368 'MountMgr'           'MountMgr'   '\\Driver\\MountMgr'
0x024edca8    3    0 0xf890a000  34560 'Wanarp'             'Wanarp'     '\\Driver\\Wanarp'
0x024ef838    3    0 0xf884a000  48384 'PptpMiniport'       'PptpMiniport' '\\Driver\\PptpMiniport'
0x024efb30    3    0 0xf89aa000  20480 'Flpydisk'           'Flpydisk'   '\\Driver\\Flpydisk'
0x024f9150    3    0 0xf8ba8000   4736 'vmmouse'            'vmmouse'    '\\Driver\\vmmouse'
0x0250d290    4    0 0xf897a000  27392 'Fdc'                'Fdc'        '\\Driver\\Fdc'
0x0250e278    4    0 0xf8982000  20608 'usbuhci'            'usbuhci'    '\\Driver\\usbuhci'
0x0250f200    4    0 0xf8b4a000  15744 'serenum'            'serenum'    '\\Driver\\serenum'
0x0250f378    3    0 0xf87ea000  57216 'vmx_svga'           'vmx_svga'   '\\Driver\\vmx_svga'
0x0250f9f8    4    0 0xf879a000  64512 'Serial'             'Serial'     '\\Driver\\Serial'
0x02517c78    3    0 0xf888a000  40576 'NDProxy'            'NDProxy'    '\\Driver\\NDProxy'
0x02519778    4    0 0xf840f000 574976 'Ntfs'               'Ntfs'       '\\FileSystem\\Ntfs'
0x02519988    3    0 0xf849c000  92288 'KSecDD'             'KSecDD'     '\\Driver\\KSecDD'
0x02519b98    7    0 0xf84b3000  73472 'sr'                 'sr'         '\\FileSystem\\sr'
0x0251ccc8    4    0 0xf86ca000  36352 'Disk'               'Disk'       '\\Driver\\Disk'
0x0253e218    4    0 0xf8aae000  10240 'Compbatt'           'Compbatt'   '\\Driver\\Compbatt'
0x025ab560    5    0 0x00000000      0                      'RAW'        '\\FileSystem\\RAW'
0x025acf38   81    0 0xf855a000  68224 'PCI'                'PCI'        '\\Driver\\PCI'
0x025af2d8    4    0 0x00000000      0 '\\Driver\\ACPI_HAL' 'ACPI_HAL'   '\\Driver\\ACPI_HAL'
0x025c5308    4    0 0xf869a000  37248 'isapnp'             'isapnp'     '\\Driver\\isapnp'
0x025e2980   64    0 0xf856b000 187776 'ACPI'               'ACPI'       '\\Driver\\ACPI'
0x025e6ce8    4    0 0x00000000      0 '\\Driver\\WMIxWDM'  'WMIxWDM'    '\\Driver\\WMIxWDM'
0x025eb290   65    0 0x00000000      0 '\\Driver\\PnpManager' 'PnpManager' '\\Driver\\PnpManager'

Using the driverirp Volatility command we can output a driver’s IRP (Major Function) table. Here we can see that we have a driver (imjvxcsr.sys) associated with the misspelled Micorsoft Windows Service:

0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE                        0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE_NAMED_PIPE             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CLOSE                         0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_READ                          0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_WRITE                         0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_INFORMATION             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_INFORMATION               0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_EA                      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_EA                        0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_FLUSH_BUFFERS                 0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_VOLUME_INFORMATION      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_VOLUME_INFORMATION        0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DIRECTORY_CONTROL             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_FILE_SYSTEM_CONTROL           0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CONTROL                0xf89541d8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_INTERNAL_DEVICE_CONTROL       0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SHUTDOWN                      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_LOCK_CONTROL                  0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CLEANUP                       0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE_MAILSLOT               0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_SECURITY                0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_SECURITY                  0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_POWER                         0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SYSTEM_CONTROL                0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CHANGE                 0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_QUOTA                   0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_QUOTA                     0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_PNP                           0x804f355a   ntoskrnl.exe     -            -

Hooks

If we review the Hooks tab in Audit Viewer or the Hooks section in Redline, and in particular the System Service Descriptor Table hooks, we see our driver (imjvxcsr.sys) identified in the previous section.

This can also be verified using the ssdt or the threads -F HookedSSDT Volatility commands.

ssdt command
Entry 0x0029: 0xf89546ac (NtCreateKey) owned by imjvxcsr.sys
Entry 0x0077: 0xf8954562 (NtOpenKey) owned by imjvxcsr.sys

threads -F HookedSSDT command

ETHREAD: 0x81f1cbc8 Pid: 692 Tid: 3980
Tags: HookedSSDT
Created: 2012-01-11 22:18:34
Exited: -
Owning Process: 0x81ef7880 'services.exe'
Attached Process: 0x81ef7880 'services.exe'
State: Waiting:WrQueue
BasePriority: 0x9
Priority: 0x9
TEB: 0x7ffd9000
StartAddress: 0x7c8106f9
ServiceTable: 0x80553020
  [0] 0x80501b9c
      [0x29] NtCreateKey 0xf89546ac imjvxcsr.sys
      [0x77] NtOpenKey 0xf8954562 imjvxcsr.sys
  [1] -
  [2] -
  [3] -
Win32Thread: 0x00000000
CrossThreadFlags:
Eip: 0x7c90e514
  eax=0x77e76c7d ebx=0xffffffff ecx=0x00090640 edx=0x0072fb78 esi=0x000ac2e8 edi=0x00000000
  eip=0x7c90e514 esp=0x006efeac ebp=0x006efed8 err=0x00000000
  cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 efl=0x00000246
  dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000
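As an added example (not part of the original post), a small Python triage of the two Volatility outputs shown above: it parses the ssdt lines for entries owned by anything other than the kernel modules and the driver IRP table for the major functions the driver dispatches itself rather than leaving to ntoskrnl's default handler. The expected-owner set and the clean NtCreateFile line are assumptions constructed for contrast.

```python
# Added example: triage Volatility 2.x 'ssdt' and driver IRP table output.
# Sample lines are copied from the post's output, except the NtCreateFile
# entry, which is a constructed clean entry for contrast.
import re

# Modules that legitimately own SSDT entries on an otherwise clean XP-era host
# (assumption for this lab host; extend for known filter/AV drivers).
EXPECTED_OWNERS = {"ntoskrnl.exe", "win32k.sys"}

SSDT_RE = re.compile(
    r"Entry\s+0x([0-9a-f]+):\s+0x([0-9a-f]+)\s+\((\w+)\)\s+owned by\s+(\S+)", re.I)
IRP_RE = re.compile(
    r"^0x[0-9a-f]+\s+'([^']+)'\s+(IRP_MJ_\w+)\s+0x([0-9a-f]+)\s+(\S+)", re.I)

SAMPLE_SSDT = """Entry 0x0025: 0x8056e8c0 (NtCreateFile) owned by ntoskrnl.exe
Entry 0x0029: 0xf89546ac (NtCreateKey) owned by imjvxcsr.sys
Entry 0x0077: 0xf8954562 (NtOpenKey) owned by imjvxcsr.sys""".splitlines()

SAMPLE_IRP = """0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CONTROL                0xf89541d8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SHUTDOWN                      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_POWER                         0xf89541b8   imjvxcsr.sys     -            -""".splitlines()

def hooked_ssdt_entries(lines, expected=EXPECTED_OWNERS):
    """(index, syscall, address, owner) for entries not owned by an expected module."""
    hooked = []
    for line in lines:
        m = SSDT_RE.search(line)
        if m and m.group(4).lower() not in expected:
            hooked.append((int(m.group(1), 16), m.group(3), "0x" + m.group(2).lower(), m.group(4)))
    return hooked

def self_handled_irps(lines):
    """Map driver name -> IRP major functions it dispatches in its own image.
    The remaining entries point at ntoskrnl's default handler, as in the table above."""
    table = {}
    for line in lines:
        m = IRP_RE.match(line.strip())
        if m and m.group(4).lower() != "ntoskrnl.exe":
            table.setdefault(m.group(1), []).append(m.group(2))
    return table

if __name__ == "__main__":
    for idx, name, addr, owner in hooked_ssdt_entries(SAMPLE_SSDT):
        print(f"SSDT[{idx:#x}] {name} -> {addr} owned by {owner}")
    for drv, majors in self_handled_irps(SAMPLE_IRP).items():
        print(f"{drv!r} handles {', '.join(majors)} itself")
```

A driver that handles IRP_MJ_DEVICE_CONTROL accepts IOCTLs, so the user-mode process that issued them (here the svchost.exe instances from Part 1) is the next pivot.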

Part 3 Building an IOC to follow.

Wednesday, January 18, 2012

Ramnit, Zeus and the BAT! Part 1

Please note the samples analysed were provided by Andre M. DiMino @sempersecurus (http://sempersecurus.org).

Sample No   MD5                                 Executable name
Sample1     2f5d28f9792c7d114bed7fdcec00f550    Sample1.exe
Sample2     76991eefea6cb01e1d7435ae973858e6    Sample2.exe

Initial File Analysis

Initial analysis of the files shows that both files are packed using UPX and import three libraries:

Kernel32.dll: 6 functions (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess)

Comctl32.dll: 1 function (InitCommonControls)

SHLWAPI.dll: 1 function (StrChrA)

Dynamic Analysis

Both samples were analysed dynamically using monitoring tools (CaptureBat.exe and Preservation; see Malware Analyst's Cookbook, Chapter 9).

The process below was used to set up the environment:

  • Start monitoring tools (see Preservation and CaptureBat section below)
  • Execute samples
  • Snapshot virtual machine

After the final stage was completed the VM was rolled back to a previous state and the same process used for the next sample.

Monitoring Tools

The analysis was conducted by first executing preservation.exe with the ln argument (preservation.exe ln); this logs everything to the c:\preservation\ directory.

CaptureBat was executed next and configured to capture file, process and registry access as well as network activity using the following arguments:

capturebat.exe -cn -l c:\preservation\Capture.txt

Initial Log Review

Preservation Output

Please note: various sections of the log below have been removed.

Upon initial execution of Sample1.exe we can see it starts an instance of the svchost.exe process (PID 4048).

[PROCESS START] explorer.exe (PID:2140) started Sample1.exe (PID 2496)
[THREAD START] explorer.exe (PID:2140) started thread (TID 2520)
[IMAGE LOAD] Sample1.exe (PID:2496) loaded \Device\HarddiskVolume1\Documents and Settings\nosuchuser\Desktop\ramnit\Sample1.exe


First SVCHOST Instance

[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 4048)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 1244)
[IMAGE LOAD] svchost.exe (PID:4048) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Second SVCHOST Instance

The malware sample then starts another instance of svchost.exe (PID 2384).

[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 2384)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 3020)
[IMAGE LOAD] svchost.exe (PID:2384) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Sample1 Third Process Initiated

Sample 1 then goes on to create another pseudo-randomly named executable in the \Temp directory. The pseudo-random nature was observed by restoring the VM to a previous state and re-infecting the machine with the same sample: each time, the file name is identical apart from the last two characters. My assumption at this point is that the file name is created using some information from the host machine.

On the infected host the following remained static during a number of infections: sggjahylqiethd<XX>.exe

After the randomly named executable is initiated the original executable Sample1.exe is terminated.

By reviewing the log below it can also be ascertained that services.exe starts a new service; during each infection the service name was identical, the misspelled:

Micorsoft Windows Service

After the service starts we then see System (PID:4) load a suspicious driver, imjvxcsr.sys, from the Temp directory.


[PROCESS START] Sample1.exe (PID:2496) started sggjahylqiethdj (PID 3900)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 2972)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \Device\HarddiskVolume1\DOCUME~1\nosuchuser\LOCALS~1\Temp\sggjahylqiethdjp.exe
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \SystemRoot\System32\ntdll.dll
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\kernel32.dll
[PROCESS TERMINATE] Sample1.exe (PID:2496) terminating Sample1.exe (PID 2496)
[THREAD START] System (PID:4) started thread (TID 1416)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\comctl32.dll
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\advapi32.dll
[THREAD START] System (PID:4) started thread (TID 2900)
[THREAD START] services.exe (PID:760) started thread (TID 3968)
[DRIVER LOAD] services.exe (PID:760) loading driver \Registry\Machine\System\CurrentControlSet\Services\Micorsoft Windows Service
----Removed Multiple Thread Starts and Image Loads ----

[IMAGE LOAD] System (PID:4) loaded \??\C:\DOCUME~1\nosuchuser\LOCALS~1\Temp\imjvxcsr.sys
[FILE DELETE] System (PID:4) deleting file \systemroot\temp\3ab95fd5
[THREAD START] System (PID:4) started thread (TID 4020)
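As an added example (not the original post's code), the following Python rebuilds the process tree, the Temp-directory image loads and the service name from Preservation log lines in the format shown above; SAMPLE_LOG is copied from the trimmed log in this post.

```python
# Added example: rebuild the process tree and Temp-directory image loads from
# Preservation log lines in the format shown in the post. SAMPLE_LOG is copied
# from the trimmed log above.
import re

START_RE = re.compile(r"^\[PROCESS START\] (\S+) \(PID:(\d+)\) started (\S+) \(PID (\d+)\)")
LOAD_RE = re.compile(r"^\[IMAGE LOAD\] (\S+) \(PID:(\d+)\) loaded (.+)$")
DRIVER_RE = re.compile(r"^\[DRIVER LOAD\] (\S+) \(PID:(\d+)\) loading driver (.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)

SAMPLE_LOG = r"""[PROCESS START] explorer.exe (PID:2140) started Sample1.exe (PID 2496)
[IMAGE LOAD] Sample1.exe (PID:2496) loaded \Device\HarddiskVolume1\Documents and Settings\nosuchuser\Desktop\ramnit\Sample1.exe
[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 4048)
[IMAGE LOAD] svchost.exe (PID:4048) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 2384)
[PROCESS START] Sample1.exe (PID:2496) started sggjahylqiethdj (PID 3900)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \Device\HarddiskVolume1\DOCUME~1\nosuchuser\LOCALS~1\Temp\sggjahylqiethdjp.exe
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \SystemRoot\System32\ntdll.dll
[PROCESS TERMINATE] Sample1.exe (PID:2496) terminating Sample1.exe (PID 2496)
[DRIVER LOAD] services.exe (PID:760) loading driver \Registry\Machine\System\CurrentControlSet\Services\Micorsoft Windows Service
[IMAGE LOAD] System (PID:4) loaded \??\C:\DOCUME~1\nosuchuser\LOCALS~1\Temp\imjvxcsr.sys""".splitlines()

def parse_preservation(lines):
    """Return (children, images, services): parent PID -> [(name, child PID)],
    PID -> [image paths], and the service names passed to DRIVER LOAD."""
    children, images, services = {}, {}, []
    for line in lines:
        if m := START_RE.match(line):
            children.setdefault(int(m.group(2)), []).append((m.group(3), int(m.group(4))))
        elif m := LOAD_RE.match(line):
            images.setdefault(int(m.group(2)), []).append(m.group(3))
        elif m := DRIVER_RE.match(line):
            services.append(m.group(3).rsplit("\\", 1)[-1])
    return children, images, services

def descendants(children, root_pid):
    """All processes spawned directly or indirectly by root_pid, in log order."""
    found, stack = [], [root_pid]
    while stack:
        for name, pid in children.get(stack.pop(), []):
            found.append((name, pid))
            stack.append(pid)
    return found

def temp_image_loads(images):
    """(PID, path) for every image mapped from a Temp directory; PID 4 (System)
    mapping a .sys from Temp is the driver load the text describes."""
    return [(pid, p) for pid, paths in images.items() for p in paths if TEMP_RE.search(p)]
```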

CaptureBat Output

The CaptureBat log has all the associated artifacts identified above with the addition of registry entries, file creation and network activity.

A number of other observations can be made from the log below:

  • An additional executable (bbioufwf.exe) is created on the file system
  • The file is added to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key
  • The file is also added to the user's Startup folder for persistence (note that when reviewing the file system this file does not appear, due to the rootkit)
  • A number of logs are written to by svchost on the local system (log names again appear to be pseudo-randomly generated)
  • A number of temporary files (~TM<N>.tmp) are created in the Temp folder. These contain some references to IE cookies but also seem to contain encrypted data
  • svchost also infects a number of files located in the Program Files directory

"16/1/2012 13:16:30.23","file","Write","System","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\bbioufwf.exe"
"16/1/2012 13:16:30.616","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BbiOufwf"
"16/1/2012 13:16:27.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Start Menu\Programs\Startup\bbioufwf.exe"
"16/1/2012 13:16:27.429","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\cclgvecb.log"
"16/1/2012 13:16:27.491","file","Delete","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\px3.tmp"
"16/1/2012 13:16:34.601","file","Write","C:\Documents and Settings\nosuchuser\Local Settings\Temp\sggjahylqiethdjp.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\imjvxcsr.sys"
"16/1/2012 13:17:30.929","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\hlgbbwvv.log"
"16/1/2012 13:17:31.804","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\dsstrbjb.log"
"16/1/2012 13:17:37.7","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\~TM4.tmp"
"16/1/2012 13:20:34.335","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe"

Part 2 Memory Analysis to follow.
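Before Part 2, an added example (not from the original post): a rule-based triage of the CaptureBat lines quoted above that turns the observations listed (Run key, Startup folder, driver dropped in Temp, svchost writing under Program Files) into a sorted timeline of findings. SAMPLE_CAPTUREBAT is copied from the log above; the rule names are my own.

```python
# Added example: rule-based triage of CaptureBat CSV lines in the format shown
# in the post (timestamp, type, operation, process, target). SAMPLE_CAPTUREBAT is
# copied from the log above; the rules encode the observations listed there.
import csv
from datetime import datetime

SAMPLE_CAPTUREBAT = r'''"16/1/2012 13:16:30.23","file","Write","System","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\bbioufwf.exe"
"16/1/2012 13:16:30.616","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BbiOufwf"
"16/1/2012 13:16:27.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Start Menu\Programs\Startup\bbioufwf.exe"
"16/1/2012 13:16:27.429","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\cclgvecb.log"
"16/1/2012 13:16:34.601","file","Write","C:\Documents and Settings\nosuchuser\Local Settings\Temp\sggjahylqiethdjp.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\imjvxcsr.sys"
"16/1/2012 13:20:34.335","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe"'''.splitlines()

def _write(kind, op):
    return kind == "file" and op == "Write"

# (rule name, predicate over kind, operation, acting process, target). Process and
# target are lower-cased before matching; backslashes are doubled for Python.
RULES = [
    ("run-key persistence", lambda k, o, p, t:
        k == "registry" and o == "SetValueKey" and "\\currentversion\\run\\" in t),
    ("startup-folder persistence", lambda k, o, p, t:
        _write(k, o) and "\\start menu\\programs\\startup\\" in t),
    ("driver dropped in Temp", lambda k, o, p, t:
        _write(k, o) and "\\temp\\" in t and t.endswith(".sys")),
    ("executable dropped in Application Data", lambda k, o, p, t:
        _write(k, o) and "\\application data\\" in t and t.endswith(".exe")),
    ("svchost writing under Program Files", lambda k, o, p, t:
        _write(k, o) and p.endswith("\\svchost.exe") and t.startswith("c:\\program files\\")),
]

def triage(lines):
    """Return (timestamp, rule, process, target) findings sorted into a timeline;
    CaptureBat does not emit its lines in strict time order."""
    findings = []
    for ts, kind, op, proc, target in csv.reader(lines):
        when = datetime.strptime(ts, "%d/%m/%Y %H:%M:%S.%f")
        for name, match in RULES:
            if match(kind, op, proc.lower(), target.lower()):
                findings.append((when, name, proc, target))
    return sorted(findings)
```

Sorting by timestamp shows the Startup-folder copy of bbioufwf.exe landing before the Application Data copy and the Run key, which the raw log order hides.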

Thursday, December 15, 2011

Attack the Kill Chain MindMap

If we look at the past 12 months it hardly seems a day goes by without a news article being posted about an attack or compromise.

These range from small family businesses trying to gain an online advantage (especially in today's climate) to large-scale businesses which provide services that impact our everyday life.

In 2009 Mike Cloppert posted Security Intelligence: Attacking the Kill Chain; the article was an excellent example of foresight (and from someone deep in the trenches).
The article was part of a series on Security Intelligence which I feel has even more importance as we come to the end of 2011.

I’m not really big on predictions, but I will make this one.

I guarantee that more articles will be written in 2012 which describe online attacks (fairly certain this will be a safe bet).

As an industry we need to stop using the old ostrich approach and “bury our heads in the sand”. The attacks are going to come; let’s try and find a way to deal with them by being open and sharing the experience of how the compromise occurred.

“Defence in Depth” is not just about multiple layers of technology, it’s also about knowledge sharing: if I know what to look for it’s also my duty to pass that on so others can prevent the same mistake\compromise from happening.

I have produced a mindmap of what I feel are the key points of the article. The mindmap is based on my interpretation of the original article.

Please read the original article and, if you work in the Information Security space, try to incorporate its points into your everyday life.

[Mindmap image: Attacking_the_Kill_Ch]

A higher resolution image can be found here

Tuesday, May 31, 2011

Volatility Script for Windows

Well I've decided to make more of an effort to use my blog.

The first article will be a new Windows-based Volatility script I've developed, based on the one from lg's blog (http://lorgor.blogspot.com/2010/11/volatility-mem-forensics-ivputting-it.html).

There are a few prerequisites; just follow the instructions on the Volatility wiki site.

The report also makes use of the malware.py script from http://code.google.com/p/malwarecookbook/
Just download the plugin and drop the file in the plugins directory.

Set-up
Make sure all your environment variables have been set up for Python and Perl (instructions can be found on numerous sites).

Drop the batch file into the Volatility directory and make sure you update the following:

Your case directory and dumps directory; these can be wherever you like on your machine.
  • mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%
  • mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%\dumps
You should also check and set up the following:

set VOLDIR="C:\Forensics\vol\vol1.4\%VOLDIR%\vol.py-1.4_rc1"
set PYTHON="C:\Python27\python.exe"
set PERL="C:\Perl\bin\perl.exe"

Running the script
I generally run the script in the following way:
1. Open a command prompt and change directory to the Volatility directory.
2. To run the script type the following (remember, if the path contains spaces, put quotes around the parameter):

volscript.bat <path-to-memory-dump> <name-of-report>


The script can take a while to complete, but once it has finished you will have one report which you can analyse.

That was the easy part; the hard part comes with analysing the report and identifying whether the machine is compromised in some way.

Over the coming weeks I will provide more posts on analysing the output from the images hosted at Michael Hale Ligh's site: http://code.google.com/p/malwarecookbook/

In my opinion the Malware Analyst's Cookbook has to be considered the de facto standard when it comes to analysing malware and memory analysis; simply put, you have to buy this book.

I'll periodically post updates to the script.

The script can be found here; just rename the file to .bat. There is also a sample report taken from the Zeus sample from the Malware Analyst's Cookbook site.

---Update 13/03/2012---
Added naft by Didier Stevens (http://blog.didierstevens.com/2012/03/12/naft-release/) to automate dumping network traffic as part of the automated script.

Just download all the files and put naft-gfe.py in the same directory as vol.py and volscript; remember to add naft_pfef and naft_uf to C:\Python27\Lib.

Once the pcap file has been created you can use NetWitness, Netminer or Wireshark to analyse the file.

Monday, April 02, 2007

Security Podcasts

The following is a list of security podcasts I love to listen to:
Cyberspeak
PaulDotCom Security Weekly
Martin McKeay's Network Security Podcast
SploitCast
Hak5

Thursday, August 17, 2006

Must Reading

Posts you just have to read if you are interested in Computer/Network Security or Digital Forensics.

http://www.realdigitalforensics.com/
http://taosecurity.blogspot.com/
http://windowsir.blogspot.com/