Welcome!

Microservices Expo Authors: Elizabeth White, Todd Matters, Harry Trott, Pat Romanski, Yeshim Deniz

Related Topics: Cloud Security, Java IoT, Microservices Expo, Linux Containers

Cloud Security: Article

Malware Analysis | Part 1

How to use a number of tools to analyze a memory image file from an infected windows machine

Having your network environment protected with the latest virus protection, control what software is installed and allowed to run, restrict ingress and egress network access, protect web browsing, limit user account access, update security patches, change management practices, etc. All these efforts are critical to follow in the corporate environment but all will fall short if you don't have the proper monitoring in place to detect badness on your network and to respond quickly and effectively when it happens. When your network has the proper monitoring in place and knowledgeable engineers to monitor for outbreaks you will begin to have better visibility of how network traffic flows in your environment. When you understand how traffic flows on your network you can respond better when badness happens.

I will demonstrate how to use a number of tools to analyze a memory image file from an infected windows machine. I will demonstrate how to acquire a memory image from a windows machine that is currently running will malware infection and the process of memory analysis using various tools.

To gather an image file from an infected machine can be performed a number of ways. If you have an enterprise version of EnCase you can acquire evidence very fast and from various devices such as laptop, desktop, and mobile devices like smartphones and tablets. For most of us our IT budget is limited and this option is not viable. Using something like F-Response TACTICAL is a solution and requires only two usb sticks. One is labeled TACTICAL Subject and the other is TACTICAL Examiner, you put the Examiner one in the box you are researching malware. Next you put the Subject on the box that is infected with Malware. Below I demonstrate how this is performed with the subject on a windows box (infected with malware) and the examiner installed on a Linux platform (SANS SIFT workstation) to acquire the image.

Once the usb stick is loaded on the windows box install the program so it can listen on its external interface (see Figure #1).

Figure #1

Running the subject program on the infected windows box, remember to enable physical memory

On your SIFT workstation insert the usb stick examiner, make sure it shows up as loaded on your workstation (See Figure #2). Next execute the program f-response-tacex-lin.exe using the following syntax (see Figure #3). Notice that it connects to the following:

  • · iqn.2008-02.com.f-response.cr0wn-d00e37654:disk-0
  • · iqn.2008-02.com.f-response.cr0wn-d00e37654:disk-1
  • · iqn.2008-02.com.f-response.cr0wn-d00e37654:vol-c
  • · iqn.2008-02.com.f-response.cr0wn-d00e37654:vol-e
  • · iqn.2008-02.com.f-response.cr0wn-d00e37654:pmem

Figure #2

Make sure the examiner usb is loaded on the SIFT workstation

Figure #3

Perform the connection between the SIFT workstation and the infected windows box

Next we are going to login to iqn.2008-02.com.f-response.cr0wn-d00e37654:disk-0 with the following command (see Figure #4):

# iscsiadm -m node -targetname=iqn.2008-02.com.f-response.cr0wn-d00e37654:disk-0 --login

Figure #4

Successfully connected to windows box at 192.168.1.129

The iscsiadm command is an open-iscsi administration utility that allows discovery and login to iSCSI targets, as well as access and management of the open-iscsi database. The -m specify the mode which is node it can also be defined as: discoverydb, fw, host iface or session. With the mode selected as node we use the -targetname= and specify the location of the target drive.

After successfully connecting to the remote machine run fdisk -l and see our new device located at /dev/sdd1 (see Figure #5)

Figure #5

Results after running fdisk -l

Next we will mount the partition /dev/sdd1 which is located in the screenshot above (Figure #5) using the following mount command.

# mount -o ro,show_sys_files,streams_interface=windows /dev/sdd1 /mnt/windows_mount

Using the mount command with the -o option: ro - mount the file system read-only, show_sys_files - show all system files as normal files, streams_interface=windows - this option controls how named data streams in WIMfiles are made available with "windows" the named data stream. This will mount the memory from our windows box to /mnt/windows_mount. After changing into that directory and list files you will see the following (see Figure #6)

Figure #6

List of files after mounting the memory from our target windows box following by login to the pmem location

Now we need to login to the process memory of the target which is the pmem location (see Figure #3 ‘F-Response Target = iqn.2008-02.com.f-response.cr0wn-d00e37654:pmem'). We will use the iscsiadm open-iscsi administration utility to perform this task with the following command:

# iscsiadm -m node -targetname=iqn.2008-02.com.f-response.cr0wn-d00e37654:pmem -login

Again we are using the isciadm utility specifying the node with targetname of where the pmem file is located. Now we will run fdisk -l and see the partition tables (see Figure #7).

Figure #7

Results after running fdisk -l notice the HPFS/NTFS system at /dev/sdd1. This is the result after login to the pmem location.

Now we can image the remote systems memory using dc3dd which was developed by Jesse Komblum at the DoD Cyber Crime Center. Dc3dd is similar to dd but allows us to use for forensic work, allowing you to take hashes and split an image all from one command. Open up a terminal and type the following:

# dc3dd if=/dev/sde of=/cases/remote-system-memory8.img progress=on hash=md5 hashlog=/cases/remote-system-memory8.md5

Here is a breakdown of the command:

  • · if=DEVICE or FILE - Read input from a device or a file, in this case /dev/sde (see Figure #7 ‘Disk /dev/sde: 2466 MB, 2466250752 bytes
  • · of=FILE or DEVICE - Write output to a file or device, in this case /cases/remote-system-memory8.img
  • · progress=on - Will show progress on screen
  • · hash=ALGORITHM - Compute an ALGORITHM hash of the input and also of any outputs specified using hof=, hofs=, phod=, or fhod=, where ALGORITHM is one of md5, sha1, sha256, or sha512
  • · hashlog=FILE - Log total hashes and piecewise hashes to FILE.

This will do a forensic copy of the windows memory file to your computer; you can see a screenshot of the progress (see Figure #8).

Figure #8

Performing a forensic copy of the windows memory file using dc3dd

Now that we have an image file of the windows memory we can analysis for existence of malware. There are a couple of tools that you can use one is for the windows platform called Redline by Mandiant which I will be going over in greater detail later. The second tool which is open source is Volatility implemented in Python for the extraction of digital artifacts from volatile memory (RAM) samples. I will be discussing both in very limited bases in this month's article.

If the memory image was acquired from an unknown system and although this was a closed lab environment and I know what system it came from you will need to identify the operation system using Volatility (see Figure #9).

Figure #9

Using Volatility to identify what operation system the dump came from

We use the imageinfo plug-in for Volatility to find out the operation system the memory dump belongs to. Here we see in the suggested profile portion of the output it is a WinXP SP2x86 system, you will need this information to perform more work using Volatility on this memory image file.

To look at the running processes we use the following command:

$ vol.py -profile=WinXPSP2x86 pslist -f remote-system-memory8.img

You can also use the psscan plugin to scan the memory image for EPROCESS blocks with the following command:

$ vol.py -profile=WinXPSP2x86 psscan -f remote-system-memory8.img

Use the psscan to enumerate processes using pool tag scanning that can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit (see Figure #10).

Figure #10

Volatility with the psscan invoked

Now for a quick view of Mandiant Redline application we copy the windows memory images off our SANS Investigate Forensic Toolkit (SIFT) and on to a separate Windows workstation where you have Mandiant Redline installed. Next you will analysis your memory image with Redline (see Figure #11).

Figure #11

Loading memory image to be analyzed by Mandiant Redline followed by choosing ‘I am Reviewing a Full Live Response or Memory Image'.

Mandiant Redline is a free tool that provides host investigative capabilities to users and finds signs of malicious activity through memory and file analysis to develop a threat assessment profile. After I infected the test windows box with a known malware variant and allowed the system to react the machine wanted to restart at that moment I acquired a memory image and loaded it into Redline. I then allowed the machine to reboot and took another memory image. The total processes that are running on the system are in Figures #12 (left before reboot & right after reboot).

Figure #12

Total numbers of processes running after installing of malware then list of processes running after reboot

After comparing the two different lists we see that after reboot we have new processes running (jh MRI Score 61 PID - 38533 and svchost.exe MRI Score 61 PID - 1560). MRI Score is the Redline analyzes of each process and memory section to calculate a Malware Risk Index (MRI) score for each process.

Next month I will dive deeper into further information you can learn from analysis of memory images using both Mandiant Redline and Volatility.

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

@MicroservicesExpo Stories
@DevOpsSummit at Cloud Expo taking place Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center, Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is ...
For most organizations, the move to hybrid cloud is now a question of when, not if. Fully 82% of enterprises plan to have a hybrid cloud strategy this year, according to Infoholic Research. The worldwide hybrid cloud computing market is expected to grow about 34% annually over the next five years, reaching $241.13 billion by 2022. Companies are embracing hybrid cloud because of the many advantages it offers compared to relying on a single provider for all of their cloud needs. Hybrid offers bala...
The margins of cloud products like virtual machines are still in the 50% range. In essence, price drops are going to be a regular feature for the foreseeable future. This begets the question - are hosted solutions becoming irrelevant today? Boston-based market research firm, 451 Research, has been publishing their ‘Cloud Price Index' for a few years now. The quarterly study looks into the pricing of various offerings in the cloud market to understand the shifting dynamics in the public, privat...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
What's the role of an IT self-service portal when you get to continuous delivery and Infrastructure as Code? This general session showed how to create the continuous delivery culture and eight accelerators for leading the change. Don Demcsak is a DevOps and Cloud Native Modernization Principal for Dell EMC based out of New Jersey. He is a former, long time, Microsoft Most Valuable Professional, specializing in building and architecting Application Delivery Pipelines for hybrid legacy, and cloud ...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
"Tintri focuses on the Ops side of the DevOps, which basically is pushing more and more of the accessibility of the infrastructure to the developers and trying to get behind the scenes," explained Dhiraj Sehgal of Tintri in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We do one of the best file systems in the world. We learned how to deal with Big Data many years ago and we implemented this knowledge into our software," explained Jakub Ratajczak, Business Development Manager at MooseFS, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo Silicon Valley which will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. "DevOps is at the intersection of technology and business-optimizing tools, organizations and processes to bring measurable improvements in productivity and profitability," said Aruna Ravichandran, vice president, DevOps product and solutions marketing...
Managing mission-critical SAP systems and landscapes has never been easy. Add public cloud with its myriad of powerful cloud native services and this may not change any time soon. Public cloud offers exciting new possibilities for enterprise workloads. But to make use of these possibilities and capabilities, IT teams need to re-think everything they have done before. Otherwise, they will just end up using public cloud as a hosting platform for their workloads, aka known as “lift and shift.”
There's a lot to gain from cloud computing, but success requires a thoughtful and enterprise focused approach. Cloud computing decouples data and information from the infrastructure on which it lies. A process that is a LOT more involved than dragging some folders from your desktop to a shared drive. Cloud computing as a mission transformation activity, not a technological one. As an organization moves from local information hosting to the cloud, one of the most important challenges is addressi...
The reality of data ubiquity is here—data is buried in operational statistics, machine logs, stacks of overflowing tickets and customer details, among other things. How can any user get valuable information amid this rapid influx of data? Imagine a situation where your firm’s revenue takes a hit owing to an unexpected failure in some business process. It would be a nightmare for IT admins to sift through the interminable piles of data to deduce exactly why and where the problem occurred. To sav...
Hybrid IT is today’s reality, and while its implementation may seem daunting at times, more and more organizations are migrating to the cloud. In fact, according to SolarWinds 2017 IT Trends Index: Portrait of a Hybrid IT Organization 95 percent of organizations have migrated crucial applications to the cloud in the past year. As such, it’s in every IT professional’s best interest to know what to expect.
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
In the decade following his article, cloud computing further cemented Carr’s perspective. Compute, storage, and network resources have become simple utilities, available at the proverbial turn of the faucet. The value they provide is immense, but the cloud playing field is amazingly level. Carr’s quote above presaged the cloud to a T. Today, however, we’re in the digital era. Mark Andreesen’s ‘software is eating the world’ prognostication is coming to pass, as enterprises realize they must be...
A common misconception about the cloud is that one size fits all. Companies expecting to run all of their operations using one cloud solution or service must realize that doing so is akin to forcing the totality of their business functionality into a straightjacket. Unlocking the full potential of the cloud means embracing the multi-cloud future where businesses use their own cloud, and/or clouds from different vendors, to support separate functions or product groups. There is no single cloud so...
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, Doug Vanderweide, an instructor at Linux Academy, discussed why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers wit...