When it comes to malware forensics, live response is often the best option. Imagine that you have an infection involving one family of malware on multiple workstations that are miles away. The only way you can reach those hosts is over remote connections, via several different agent-less technologies. It would be great to have some servlet or agent already installed, or a prepared team on-site, but that rarely happens. Furthermore, when contacting the user whose workstation is infected, you should have a policy with you, clearly explain what is going on, and state what you need. This is not always an easy task. Stepping away from such discussion, it seems that the only information really needed is a memory dump. It is always the better option to get this first, before the 'old-school' approach, which tends to be more aggressive and destructive to evidence. Of course, when you have EnCase, or the combination of X-Ways and F-Response, the task is much, much easier. But here I do not want to be 'vendor-driven'; I simply want to discuss the problem of memory-dump analysis.
After memory is preserved in a forensically sound manner, employ a strategy and associated methods to extract the maximum amount of information relating to the malware incident.
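A small illustration of the 'forensically sound' part: record a cryptographic hash the moment acquisition finishes, so every later working copy can be verified against it. This is only a sketch; the file below is a tiny stand-in (real dumps are gigabytes) and memdump.raw is a placeholder name.

```shell
#!/bin/sh
set -e
# Stand-in for the acquired image; a real dump would come from the host.
printf 'demo dump contents' > memdump.raw
# Record the digest immediately after acquisition:
sha256sum memdump.raw > memdump.raw.sha256
cat memdump.raw.sha256
# Any later working copy can be verified against the recorded digest:
sha256sum -c memdump.raw.sha256        # -> memdump.raw: OK
```

Keeping the digest alongside the chain-of-custody notes lets you show that analysis was done on an unaltered copy.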
There are, literally, tons of specialized memory-forensic tools for multi-layer interpretation and multi-vector analysis. What is more, those tools are very often specialized in memory carving, debugging, or disassembly. On the other hand, there is a lot of information in the dump that can be extracted easily with some old-school approaches. The first one is 'strings'. This command can reveal a variety of evidence, such as URLs, fragments of files and web pages, commands run in the CLI, IPs, payloads, prefetch entries, etc.
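A minimal sketch of that first 'strings' pass is below. A few bytes are fabricated so the commands have something to match, memdump.raw is a placeholder name, and the second pass with -e l (GNU binutils strings) catches Windows' little-endian UTF-16 strings:

```shell
#!/bin/sh
set -e
# Fabricated mini-dump: NUL-separated fragments, like a real image holds.
printf 'junk\000http://evil.example/payload.exe\000more\00010.0.0.5\000' > memdump.raw
# Extract printable ASCII and Windows wide (UTF-16LE) strings:
strings -a memdump.raw      > dump-ascii.txt
strings -a -e l memdump.raw > dump-utf16.txt
# Quick triage greps over the results:
grep -E 'https?://[^ ]+' dump-ascii.txt               # -> http://evil.example/payload.exe
grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}' dump-ascii.txt  # -> 10.0.0.5
```

On a real dump, the same greps give fast triage hits (C2 URLs, IPs, command lines) before any heavier tool is opened.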
This is, I suppose, always the first thing that should be done. It confirms or rejects the multiple hypotheses formed at the beginning of the analysis. (I am assuming here that we have NBE stored, with accompanying data from a SIEM.) As I remember, the first step in EnCase is to extract as much hidden information as possible from the raw dump. The same can be done successfully with 'foremost' or 'scalpel'. These file-carving tools can give us executables, PDFs, and other types of files for further analysis.
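foremost and scalpel work by scanning the raw image for known header/footer signatures and cutting the matching byte ranges out. The sketch below hand-rolls that idea for a single PDF signature on a fabricated toy dump, just to show what the carvers automate (GNU grep's -b option reports byte offsets):

```shell
#!/bin/sh
set -e
# Toy "dump" with a PDF header buried at an unknown offset:
printf 'XXXXXXXX%%PDF-1.4 fake body %%%%EOF' > memdump.raw
# Locate the byte offset of the %PDF magic, like a carver's header scan:
off=$(grep -aob '%PDF' memdump.raw | head -n1 | cut -d: -f1)
echo "header found at offset $off"              # -> header found at offset 8
# Carve from the header to end of file (real carvers also honor footers):
dd if=memdump.raw of=carved.pdf bs=1 skip="$off" 2>/dev/null
head -c 4 carved.pdf; echo                      # -> %PDF
```

In practice you would just run foremost or scalpel with a signature configuration and review their output directories, but the principle is exactly this.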
At this stage we have a file with readable text extracted from the dump, and files reconstructed from the same RAM image. In my opinion, reviewing only this kind of information is a waste of time. Of course, it gives great context for the situation, but that is it. With a really hard memory sample, with well-hidden malware, I am sure it would be very difficult to check hypotheses manually and succeed. I would like to point out a great methodology that can be applied here, before moving on to analysis with specialized forensic tools.
After the file-carving procedure, we face the problem of analysis. Here is my question: is it better to analyze the dump with forensic tools, looking for hypotheses and clues, and then extract suspicious-looking objects for further examination, or to first use an automated system to examine all extracted processes and objects? The first approach ends in static analysis of the extracted suspicious object. I think Farmer and Venema introduced a nice categorization:
There are many ways to study a program's behavior. With static analysis, we study a program without actually executing it. Tools of the trade are disassemblers, decompilers, source code analyzers, and even such basic utilities as strings and grep.
With dynamic analysis, we study a program as it executes. Here, tools of the trade are debuggers, function call tracers, machine emulators, logic analyzers, and network sniffers. The advantage of dynamic analysis is that it can be fast and accurate. However, dynamic analysis has the disadvantage that "what you see is all you get".
A special case is "black box" dynamic analysis, where a system is studied without knowledge about its internals. The only observables are the external inputs, outputs, and their timing relationships.
Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution.
Taken from: http://www.porcupine.org/forensics/forensic-discovery/chapter6.html, a really
good book by the way.
While static analysis is well understood, I would like to discuss the problem of dynamic examination. It should be mentioned that there are two basic methods for analyzing an unknown binary: program confinement with hard virtual machines, and program confinement with soft virtual machines. The first example of a soft environment is ReVirt:
ReVirt system allows an investigator to replay an "incident", and to rewind, pause or fast-forward the virtual machine at any point in time. This is possible because the ReVirt virtual monitor records all interrupts and external inputs including keystrokes and network packet contents. This information, combined with a complete record of the initial file system state, allows an investigator to replay every machine instruction and to view data before, while and after it is modified.
Taken from http://static.usenix.org/event/osdi02/tech/full_papers/dunlap/dunlap.pdf; for more about ReVirt, see http://www.docstoc.com/docs/91511349/ReVirt.
Another example of a system designed for dynamic analysis is Cuckoo. Cuckoo is a sandbox, and can be described in the words of its documentation (http://www.cuckoosandbox.org/):
As defined by Wikipedia, “in computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites.”. This concept applies to malware analysis’ sandboxing too: our goal is to run an unknown and untrusted application or file inside an isolated environment and get information and what it does. Malware sandboxing is a practical application of the dynamical analysis approach: instead of statically analyze the binary file, it gets executed and monitored in real-time.
Installation can be tricky when attempting it for the first time; for help, follow http://arisri.tistory.com/entry/Cuckoo-Installing-Cuckoo-Sandbox-on-Ubuntu-1204-LTS-for-Malware-Analysis-Leave-a-comment and http://www.edwiget.name/2012/07/installing-cuckoo-sandbox-in-backtrack-for-malware-analysis/. A great Cuckoo work-flow graph can be found in the project's documentation.
Another awesome solution, introduced by Lenny Zeltser, is REMnux (http://zeltser.com/remnux/):
REMnux incorporates a number of tools for analyzing malicious software that runs on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. The toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.
Let's step back. We have used some tools for memory carving and extracted multiple binaries. Now is the moment for the automated job. Cuckoo will be awesome only when used with a plan. Multiple virtual machines should be prepared (with different versions of software), everything up to date and ready for malware-object submission. All extracted files can then be executed in the prepared environment; during analysis the 'agent' captures information and reports what was going on inside the test machine: traffic, registry changes, files, new jobs and processes, any activity spotted during execution of the unknown object. With such results in hand, we can move on with static or dynamic analysis, or use a forensic tool to confirm our hypotheses and look for other clues. Alternatively, verification can be done only on the suspicious files extracted during the 'standard approach' (without checking everything in a virtual machine). For this purpose, you do not have to prepare an environment and go through a hard installation process; instead, go to http://malwr.com/, submit your file, and wait for the analysis! This web page uses the Cuckoo engine (check also https://www.virustotal.com/).
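The 'automated job' can itself be scripted: gather everything the carver produced and queue it for the sandbox. The sketch below only prints what it would submit; the commented line shows Cuckoo's bundled utils/submit.py, and the output/ layout mirrors foremost's default output directory (both the path and the layout are assumptions about your setup):

```shell
#!/bin/sh
set -e
# Stand-ins for files that foremost/scalpel carved out of the dump:
mkdir -p output/exe output/pdf
: > output/exe/sample1.exe
: > output/pdf/sample2.pdf
# Queue every carved executable/document for sandbox analysis:
find output -type f \( -name '*.exe' -o -name '*.pdf' -o -name '*.dll' \) |
while IFS= read -r f; do
    echo "would submit: $f"
    # python ~/cuckoo/utils/submit.py "$f"   # real Cuckoo submission (path assumed)
done
```

Driving submission from a script like this is what turns carving plus sandboxing into a repeatable pipeline instead of a one-off manual check.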
What is the limit of malware forensics, and how far are investigators pushed to reveal the truth hidden in an extracted object? Any digital information found during an investigation can be evidence, and only with the context collected during the previous steps (acquisition, the 'old-school' approach, NBE, and clues found in memory with forensic tools) can it be clearly and fully understood. Simply put, there are no limits. Stay focused.