I am looking for feedback on the examination steps to identify malware running in memory. I have been trying to learn how to investigate a system infected with malware. One of the areas I have been trying to understand is trying to locate malware in a memory image.
I have been using the following steps but I am interested in what areas I am overlooking
* Review the open ports and network connections
* Review the running processes
* Review the system hooks
* Review the loaded dynamic-link libraries (DLLs)
* Review the open files
* Review the loaded drivers
* Review the strings associated with a process or driver of interest
Does anyone have suggestions on what other examination steps could be done to locate malware running in memory?
Thanks
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
>Does anyone have suggestions on what other examination steps could be done to locate malware running in memory?
Two sources that would be of use, listed by ISBN:
1597494224
159749268X
What tools have you evaluated so far for memory dumps?
What/how are you looking at running processes live?
Server, workstations or both?
XP, Vista or 7?
32bit or 64bit?
>Two sources that would be of use, listed by ISBN
Thanks for the suggestion and I have been using both of those as well as 0783254041295.
>What tools have you evaluated so far for memory dumps?
For acquiring the memory image I have tested the following win32dd, FTK imager lite, Mandiant memoryze, HBgary's fastdump (the free version which doesn't acquire the page file), and Encase Enterprise. I was looking at the different features of all of those tools. The majority of the testing has involved acquiring the memory image then storing it to a thumb drive but I have also done tests of acquiring the memory remotely.
For analyzing the memory image I have only tested the volatility framework with various plugins, Mandiant's Memoryze with Auditviewer, and Encase Enterprise with the memscript. The majority of the testing has been using Mandiant's tools against a memory image.
>What/how are you looking at running processes live?
>Server, workstations or both?
>XP, Vista or 7?
>32bit or 64bit?
So far I have mostly been looking at XP SP2 and SP3 32bit systems. I opted for this because this platform has the most support for tools.
I image the memory then I review everything including the processes in the memory dump. So far I have noticed a few things that are not as straightforward to examine such as distinguishing between remotely or locally logged on users, routing cache, and DNS cache.
I have only been using memory image examination in a testing environment so I am interested in what other examination steps and information people have found useful in identifying malware in volatile data.
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
It's one thing to acquire the memory, and the tools suggested sound useful
>For acquiring the memory image I have tested the following win32dd, FTK imager lite, Mandiant memoryze, HBgary's fastdump (the free version which doesn't acquire the page file), and Encase Enterprise. I was looking at the different features of all of those tools. The majority of the testing has involved acquiring the memory image then storing it to a thumb drive but I have also done tests of acquiring the memory remotely.
Looking at what you are trying to achieve
* Review the open ports and network connections
* Review the running processes
* Review the system hooks
* Review the loaded dynamic-link libraries (DLLs)
* Review the open files
* Review the loaded drivers
* Review the strings associated with a process or driver of interest
…would perhaps require you to set up a VM session and replicate what's going on with these processes, system hooks, open files, etc. One tool that comes to mind to review open ports and network connections is nmap with the -A flag to obtain version information of all running applications and underlying OS. Capturing app data and OS kernel version will allow you to look for exploits in a penetration test for malware. Next step would be to find out what tools allow you to run a VM of captured memory? Sun VirtualBox? VMWare Workstation?
Yes on the VM. VMs are my petri dishes.
You can move back and forward with them in snapshots to compare just about every environmental change in an operating system.
Look at not only the RAM artifacts but the system files, registry files and files created when the threads are invoked. It is rare from what I have seen to have something solely exist in memory.
* Free Diff
* Reg Shot
* FTK Lite - Export the dir and file listings
* MFT Ripper
* RegRipper
Also use the process explorer in the Sysinternals suite to really watch the malware "grow" in the VMs.
These are good suggestions and tools so you have given me some more things to think about and test. Thank you everyone for your feedback.
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
Hi Corey,
regshot and procmon are two that I use to monitor the Windows Registry when analyzing malicious files. Set up good filters in procmon for the Registry auditing so you don't get overwhelmed with entries! 😉
Cheers!
farmerdude
Consider taking a look at Volatility, then google for moyix's plugins called malfind. Ideally use Linux with volatility to configure the required dependencies as Windows has some limitations here.
Eventually I'm confident farmerdude will include volatility framework in his excellent forensicbootcd. If it isn't already there! 😉
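The malfind plugin mentioned above works from a simple heuristic: walk each process's memory regions and pick out the ones that are private (not backed by a file on disk), mapped executable and writable at the same time, and actually contain data. Code injected into a process tends to land in exactly such a region, while legitimately loaded modules are file-backed. The script below is an added, simplified reimplementation of that idea written for this thread, not the plugin's own code; the Region record, the protection constants used and every address and byte string in the sample are the script's own assumptions and constructed data.

```python
"""Simplified malfind-style heuristic over a list of memory regions.
Region records are shaped like the VAD information a memory framework
reports per process; the sample regions are constructed, not from an image."""
from dataclasses import dataclass

# Windows page protection constants (values as used by VirtualProtect).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80


@dataclass
class Region:
    pid: int
    start: int
    end: int
    protection: int
    file_backed: bool    # True when the region maps a file (image or data section)
    head: bytes          # first bytes of the region as read from the memory image


def classify(region):
    """Return a reason string when the region matches the heuristic, else None."""
    if region.protection != PAGE_EXECUTE_READWRITE:
        return None      # needs to be executable AND writable to be interesting
    if region.file_backed:
        return None      # a mapped module with RWX pages is a different question
    if not region.head.strip(b"\x00"):
        return None      # committed but never written: common for runtimes, low value
    if region.head.startswith(b"MZ"):
        return "private RWX region starting with a PE header (injected module?)"
    return "private RWX region with non-zero content (disassemble and inspect)"


def malfind(regions):
    """Return (pid, start, reason) for every region that matches the heuristic."""
    hits = []
    for r in regions:
        reason = classify(r)
        if reason:
            hits.append((r.pid, r.start, reason))
    return hits


def hexdump(data, width=16):
    """One-line hex/ASCII rendering of the region head, for the report."""
    hexpart = " ".join(f"{b:02x}" for b in data[:width])
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in data[:width])
    return f"{hexpart:<{width * 3}} {asciipart}"


# Constructed sample: two normal regions, one empty RWX heap, two injections.
SAMPLE_REGIONS = [
    # A mapped system DLL: PE header but file-backed and copy-on-write, so skipped.
    Region(1204, 0x7C800000, 0x7C8F6000, PAGE_EXECUTE_WRITECOPY, True,
           b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    # Ordinary heap: writable but not executable.
    Region(1204, 0x00130000, 0x00140000, PAGE_READWRITE, False, b"\x00" * 16),
    # RWX but never written: a JIT/runtime reservation, noise rather than signal.
    Region(1204, 0x01A00000, 0x01A20000, PAGE_EXECUTE_READWRITE, False, b"\x00" * 16),
    # Private RWX region holding a full PE image: classic reflective injection.
    Region(1204, 0x02B00000, 0x02B0C000, PAGE_EXECUTE_READWRITE, False,
           b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    # Private RWX region holding raw code (constructed x86 function prologue bytes).
    Region(1760, 0x00400000, 0x00401000, PAGE_EXECUTE_READWRITE, False,
           b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xdb\x8b\xf3"),
]

if __name__ == "__main__":
    for pid, start, reason in malfind(SAMPLE_REGIONS):
        region = next(r for r in SAMPLE_REGIONS if r.pid == pid and r.start == start)
        print(f"pid {pid} @ {start:#010x}: {reason}")
        print("    " + hexdump(region.head))
```

Two of the five regions are reported: the one whose first bytes are a PE header is the easy case, while the second only says "something executable was written here" and still needs the disassembly the plugin prints. The empty RWX region is deliberately excluded because some runtimes reserve such pages routinely, which is the main source of noise when running the real plugin against a busy system.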
Hey funny man Jon - volatility has been in the FBCD for a couple years now. Good to see _you're_ (finally) catching on! 😉
Cheers!
farmerdude