December 12, 2011

Decoding malware SSL using Burp proxy

When performing dynamic analysis of malware, you will occasionally encounter SSL being utilized for network communication, thus preventing you from analyzing the content.  Typically Wireshark is utilized to examine network traffic at the packet level. Wireshark has an SSL dissector that allows for the decryption of SSL traffic if you provide the decryption keys. This technique is described in detail on the Wireshark wiki.   However, I prefer to use an intercepting proxy to attempt the SSL analysis. The proxy will use its own SSL server certificate to negotiate and establish an encrypted session with the remote host. Essentially you are using the proxy to "Man-in-the-Middle" the malware's connection to the remote server.

My proxy of choice is BurpSuite, however you can utilize other proxies such as Paros, Webscarab, or Fiddler.  Burp has a very cool feature called "Invisible proxying" that handles non-proxy style requests.  This can be of good use when the malware you are analyzing generates its own HTTP or HTTPS requests outside of a browser framework.

I'll first provide an example where a particular malware specimen was utilizing SSL to communicate with Craigslist.  In this case, the malware appeared to be retrieving a variety of fake postings associated with various email addresses.  The posting title and description contained what is likely encrypted data.  The following image shows Wireshark displaying SSL traffic between the malware infected host and Craigslist.  The SSL negotiation and data are evident in the stream, however being SSL, you can't read it !


However when using Burp as an intercepting proxy, you can easily see the SSL traffic and get a pretty good idea of what the malware is doing.  Here, you can see the client GET to https://post.craigslist.org


The following images show the Raw, html, and rendered page views of the server response.


Burp also allows you to export the proxied traffic to an XML file. There is also an option to Base64 encode all requests and responses. The image below shows an example of the exported data.



Now that we've seen an example of SSL decoding using Burp, I'll describe the basic setup and configuration of my environment.  You certainly don't have to use this exact setup, as I'm just describing what I do and what works for me.  Make adjustments accordingly to suit what you are using.

  • I use VMWare workstation Version 7 on an Ubuntu Linux 10.04 Server host. My guest virtual machine is Windows XP SP3. The virtual machine is setup in bridged networking mode.  I have the Burp proxy and Wireshark installed on my linux host.

  • You will need to allow the linux host to forward network traffic from the virtual machine. In order to do this, you need to enable IP forwarding via the following:
    • user@linux1:~$ sudo su
    • root@linux1:/home/user# echo 1 > /proc/sys/net/ipv4/ip_forward

    • Next, you'll need to setup an iptables rule to redirect http and https traffic to the Burp proxy which is listening by default on port 8080. This is done via:
      • user@linux1:~$ sudo iptables -P FORWARD ACCEPT
      • user@linux1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
      • user@linux1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080

      • Boot your guest virtual machine and manually configure your network settings as follows:
        • Manually set the IP address of the guest to an unused IP address on the same subnet as your linux host
        • Set the Gateway to the IP address of the your linux host.
        • Set the DNS server IP address to that of a host on your subnet that will forward DNS requests. This isn't strictly required, as you can also set it to any public DNS server. For consistency, I set mine to my local router.

      • Turn OFF the XP Firewall.

      • Configure Burp to do invisible proxying and to listen on all interfaces.  If you don't want Burp to intercept each request, you can disable that at this time.


      • Shutdown your guest virtual machine and take a snapshot.  Restart the guest and test the proxy by browsing to any web site. You should see the traffic in Burp.  If you browse to a site using https, you will also see a browser warning error about the SSL certificate. This is because the certificate presented by Burp is not signed by a trusted authority, so the browser gives a warning.  Keep this in mind as we begin to see malware utilizing SSL certificates.  Now, you can shutdown the guest VM, revert to the recent snapshot, and be ready to go.  I also like to run wireshark on the host to match up the packet level traffic with the Burp data.   I'd recommend using a capture filter on Wireshark that only captures traffic to/from the guest VM.

      This post showed how the use of an intercepting proxy can allow you to decode an SSL traffic stream and better support your dynamic malware analysis efforts.  Decoding SSL traffic is just one small part of what can be done with this tool.  It's well worth the investment to utilize an intercepting proxy with its many other features as a routine part of your analysis process.  




      October 19, 2011

      Welcome to DeepEnd Research

      I wanted to provide a link to another effort I am pleased to be involved in:  DeepEnd Research.

      From the website: "We are pleased to introduce DeepEnd Research, an independent information security research group that will focus on threat and intelligence analysis. Our emphasis will be on malware, exploit analysis, botnet tracking, the underground economy and overall cyberthreats. We will blog about various collection and analysis techniques, observations, and other areas of interest."

      Another primary goal of DeepEnd Research is to foster collaborative research and analysis efforts with other security groups and organizations. We welcome any opportunities or inquiries as to projects involving common areas of interest."

      I just posted DeepEnd's first blog entry, "Dirt Jumper DDoS Bot - New versions, New targets" a combined research and analysis effort with Mila Parkour of Contagio.

      June 19, 2011

      I2P...The *other* Anonymous Network


      One of the more interesting aspects to the Internet, is the area of anonymity and hidden services. While many people are familiar with the Tor network, there is another "network" that is gaining rapidly in popularity. The I2P Anonymous Network is a peer-to-peer network in which all traffic is encrypted end-to-end.  I became interested in I2P after seeing a tweet by @OpBritain where I2P was mentioned.
      While looking into I2P further, I saw several pastebins where it was again mentioned and discussed.

      From the I2P website, "I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. I2P is designed to allow peers using I2P to communicate with each other anonymously — both sender and recipient are unidentifiable to each other as well as to third parties."

      Unlike Tor where a "directory" of the network is maintained, I2P maintains its network database via peer profiling and router info. The I2P network selects its peers by a profiling process that continually ranks performance and updates the "I2P netDb", which is contains constantly updated information on router contact information called "RouterInfos" and the destination contact information, called "LeaseSets". This netDB is distributed via a technique called "floodfill", where a smaller subset of I2P routers, known as the "floodfill routers", will maintain this distributed database. 

      I2P uses virtual, unidirectional tunnels that pass through a series of routers, and are typically 2 to 3 hops. Each round trip message and reply will require four tunnels. One each for the sender and recipient's inbound and outbound traffic. Tunnels are created using what is known as "Garlic Routing" (a shot at Tor's Onion routiing??) A Tunnel build message is sent via Garlic routing to an I2P router requesting that it participate in the tunnel.

      One of the primary uses of I2P is via an I2PTunnel application which allows for familiar TCP/IP applications to be run through the I2P network.

      I2P has been around since 2003 and has a Java client, where it will run on Windows, Linux, and MacOS. After installation, you are presented with a very comprehensive control and informational page.


      Peer profiles and UDP connections

      I2P Services

      There are many anonymous and encrypted services that can be utilized via the I2P tunnels including:
      • EEPSITES
        • Browsing to websites within the I2P network (called eepsites) as well as anonymous browsing to public sites. A custom build of Firefox called I2PFox that is hardened and built specifically for I2P is also available.
        • Hosting of your own eepsite. You can make your eepsite exclusive to I2P, or also available to a public browser.
        • Search. You can search for I2P content and sites via http://eepsites.com. You can also use Google to find http://xxxx.i2P.to websites accessible without I2P proxy.
      • EMAIL
        • Susimail/2IpMail. Anonymous email to/from public Internet. More on this below.
        • I2P-Bote accessible via http://i2pbote.i2p 
      • FILE SHARING
      • IRC AND INSTANT MESSENGER
        • IRC. Anonymous chat via a local IRC tunnel that directs to one of two I2P IRC servers. There is also an I2P Instant Messenger and the ability to run your own anonymous chat servers.  More on this below.
        • I2P-Messenger  encrypted, serverless instant messenger.
        •  Jabber via i2pjabber.i2p
      • DATA STORAGE  
        • Tahoe-LAFS. You can use it from within the I2P network.
      • FORUMS AND BLOGGING
        • Syndie. System for distributed anonymous forums.

      Addressing and Naming Services

      I2P utilizes a 516 byte crypto identifier key to refer to routers and any end point services. All destinations in I2P are referenced by this key. Three local host files are used to map destination names to their crypto key, similar to traditional DNS. I2P users can discover new destinations by subscribing to other published "addressbooks" via a configured "web of trust". I2P uses an "addressbook" application to merge these external host lists with the local host files. A "SusiDNS" application is also provided to facilitate the user's management of their host lists and addressbook configuration. The Subscriptions page allows to add additional public subscription sites in addition to the default http://www.i2p2.i2p/hosts.txt, such as
      • http://i2host.i2p/cgi-bin/i2hostetag
      • http://stats.i2p/cgi-bin/newhosts.txt
      • http://tino.i2p/hosts.txt
      • http://inr.i2p/export/alive-hosts.txt

      Basic Naming Services Architecture

      Default Addressbook
      External Destination List






      EEPSITES
      An "eepsite" is simply a website that is hosted anoymously within the I2P network and accessed via HTTP tunneled back via I2P. This is similar to Tor "hidden services".

      An I2P user would access these sites by setting their web browser's HTTP proxy to localhost:4444, and localhost:4445 for HTTPS.  An I2P eepsite will have a URL with .i2p as its top level domain, such as http://sempersecurus.i2p. By use of an "outproxy", an I2P user will also have access to external HTTP, HTTPS, and email services. The I2P "httpclient" application allows for this outproxying. If the requested hostname does not end in .i2p, a random outproxy will be selected from a user provided list, and the request will be sent there.  These outproxies are basically I2P servers that are voluntarily run specifically as an outproxy. No I2P router instance is an outproxy by default.

      Some eepsite operators will make their sites publicly available outside the I2P network. Those sites can be accessed by appending a ".to" to the I2P domain, such as http://sempersecurus.i2p.to

      There are a wide variety of eepsites running in the I2P network. Just reading through the addressbook listings is interesting and reflects the scope of material you can find in I2P.

      Homepages of various eepsites.

      The internal I2P web landscape reminds one of the public Internet from the mid 90's. Searching is rudimentary, some sites work great while others are barely usable and are functional only for a few hours a day. However, availability is not the objective with eepsites, anonymity is.

      It's very easy to setup your own eepsite within the I2P network. Comprehensive instructions are found within the local help files, as well as from the resources listed below. In a nutshell, a site is created as follows:

      • A site name is selected that won't collide with the name of another eepsite currently listed in the I2P addressbook. Add your new site name to the eepsite I2P tunnel configuration page.
      • Content is placed in a 'docroot' folder which  is created at installation.
      • Start the eepsite from your router control panel.
      • Highlight the full destination crypto key that was created for your site.
      • Enter the eepsite name and the crypto key into your master address book. Additionally, you should now register your .i2p domain in one of the I2P address books. The I2P routers periodically pull address book updates from these sites, so eventually your site will be listed across the I2P network. 

      The images below show a test eepsite I setup within minutes. There is also a pcap of the browsing session, but note that the traffic is via an encrypted tunnel




      EMAIL- SusiMail basics
      A java email client called Susimail can be accessed directly from the I2P router console window at http://localhost:7657/susimail/susimail. SusiMail allows you to send and retrieve I2P mail and was designed specifically for strong I2P privacy and anonymity. Creating an email account is takes minutes via a Postman HQ site, and chances are good that you can get your coveted address, the one you could never get on Gmail :) Oddly, I2P email only accepts letters and numbers for the password. The interface is spartan, but it works quite well most of the time.
      Webmail login page

      "Your password is too complicated"

      How I2P email works
      The following illustrations indicate the mail flow between the I2P network and the public Internet. They are based on the text explanations kindly provided by the Postman at http://hq.postman.i2p
      I2P mail to the Internet

      Internet mail back to I2P


      I2P Message headers
      According to HQ Postman, the I2P MTA (Mail Transfer Agent) provides the following sanitizing of message headers: 
      "All User-Agent: and X-Mailer: header lines are automatically removed and replaced by the line X-Mailer: smtp.postman.i2p Official I2P Mailer.
      - All X- header lines are completely removed
      - All message IDs are replaced by server-side generated message-IDs
      - All Date: tags are removed and replaced by server-side generated Dates in UTC
      - All Received: tags are removed (apart from the very last one)"
      The following chart shows comparative email headers after testing sending emails between I2P and Gmail.


      Measures to prevent abuse
      There are several good resources online pertaining to the basics of I2P mail, I just want to address a concern often expressed about anonymous mail services - abuse and its potential usage for spam and malware distribution.

      Spam
      To prevent abuse, I2P mail sets a quota for outgoing mail to 20 recipients per day. Every day at 0:00 UTC the quota is reset . You can “buy” up to 80 recipients a day by paying in hashcash tokens / CPU cycles. You cannot “hoard” your recipient quota, the number is reset to 20 every day. Additionally, there are limits on how much mail you can store and for how long. Old mail gets deleted after 180 days, but you can easily download it via POP3.

      Relay and spoofing
      You can use only your own address as the return path and the auth login name has to match the sender. The sender is able to forge the "From" address but the return path is added by the MTA and will match the actual sender.

      Settings available for I2P email accounts 

      Hello snail mail
      Well, not exactly snail speed but by default, messages are delayed 20-50 min to provide further anonymity by skewing the time you appear to be online.  In several testing runs, the delay was seen to be as much as 3 hours. This delay setting can be changed in the Account Management section and set it to deliver ‘immediately’. Testing I2P email to and from Gmail arrived almost instantly.


      All these measures and features make the use of I2P mail for spamming and phishing rather impractical. An attacker would find it easier to use a compromised or misconfigured relay server or free webmail as opposed to I2P mail. Again, the primary goal of I2P email is anonymity.


      IRC

      I2P maintains anonymous IRC servers that can easily be accessed via an IRC client such as mIRC or xchat. After establishing with I2P, pointing the IRC client to 127.0.0.1, port 6668 will get you connected. There are many channels available on the I2P server, and users can create their own.

      Various channels on the I2P IRC server

      An I2P user can also establish their own IRC server and allow other I2P users to access it. The server is established similar to how an eepsite is built where a hostname and crypto key are generated for the particular destination. In order to connect to another I2P user's private IRC server, it was required to modify your subscription list to add the crypto keys of the destination. Next, you would create a tunnel to the destination and add that to your router address book while selecting a connection port (ie. 6669). At that point, pointing your IRC client to localhost, port 6669 would get you connected.

      Since June, 2010, I2P now supports a SOCKS IRC tunnel for clients supporting SOCKS5. By configuring your IRC client to uses SOCKS5 at localhost, port 9052, you can connect to any i2p IRC server through your client, without setting up separate tunnels for each.


      I2P Stats, Additional Information, and Resources


      Stats NETDB - http://stats.i2p.to
      I2P  is a much smaller network, compared to some better known networks like Tor but it has seen continuous growth over the past year. The best source of the current infomation about the total number of routers, the network health, and other data collected over the years about I2P is located at http://stats.i2p.toAs you can see below, at the time of the screenshot, there were 4665 routers available online, roughly twice as many as it were available a year ago.  The number is constantly changing, please see the site for the most current information.


      Official I2Psite - http://www.i2p2.de
      The Official site is the best place to start as it has the most comprehensive information about available services, installation, and resources.

      Papers, Presentations, and Videos about I2P - Site maintained on the primary I2P Website. Updated regularly.

      ZZZ -http://zzz.i2p (Accessible via I2P proxy only)
      Once you are on I2P, this is the best source of information for the patches, updates, tips and help.

      Forum - http://forum.i2p2.de
      A very active I2P user forum. Ask questions, read answers. Full of news, announcements, and discussions.

      Irongeek - http://irongeek.com
      Adrian Crenshaw's Irongeek.com site is an excellent resource for how-to videos, presentations, and security research related I2P. Check out his Black Hat presentation Identifying the true IP/network identity of I2P service hosts

      Privacy-Implications of Performance-Based Peer Selection by Onion-Routers: A Real-World Case Study using I2P - Master's thesis by Michael Herrmann -Technische Universität München

      -------------------------------------------------------------------------------------------------------------------------------
      I want to particularly thank Mila Parkour of Contagio for her excellent assistance, research, and illustrations.



      June 12, 2011

      Malware Sandbox Services and Software

      Whether you are performing digital forensics, or just have an interest in malware, a sandbox environment is an essential part of your analysis program. Sandboxing services can save time and provide a quick and easy glimpse into a suspicious files behavior.  I received an email this morning from Jose' Nazario of Arbor Networks where he provided a link to a list made by Buster (author of Buster Sandbox Analyzer) of various sandboxing tools and services."  I decided to take that list, check out and update each of the links and provide a brief description of the various services. I also added a few other services that I'm aware of.

      For this blog post, I'm not providing any opinions or reviews. I'm just listing the service, URL, and a basic description as quoted by the provider.

      These are the malware analysis services and software that I am currently aware of from the Buster Sandbox link, or via other sources. If you know of any other good malware analysis services, please feel free to drop me an email and I will add it to the list.

      Web Services
      "We can accept any type of file including executables, documents, spreadsheets, presentations, compiled help files, database packages, PDF, images, emails, or archives. You can also submit a file from a remote web address."
      "View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits"
      "Joe Sandbox is a fully automated analysis system for trojans, viruses and rootkits (malware). It requests malicious executables such as PE, PDF (Acrobat Reader) or DOC (Microsoft Word) files as input and returns highly detailed reports describing the behavior of executables being executed"

      Note:  Joe Sandbox has an online service with three account types. It is described more fully here: http://www.joesecurity.org/service.php

      "Anubis is a service for analyzing malware. Submit your Windows executable and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL"

      "Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files."

      "Submit a Suspicious File for a FREE Malware Analysis"

      "Due to heavy load, the public site does not support: URL or BHO analysis, zipped files or analysis of infected documents."

      "ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode."



      Accepts:
      - Windows executable (exe,dll)
      – Adobe PDF (Beta Testing)
      – Zip file (with password “panda”)
      – RAR compressed file (without password)
      – 7zip Compressed file (without password)
      – Autovin File Extractor compressed file



        "Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical  bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic. "

        "xandora.net is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of xandora.net results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary.
        The generated report includes detailed data about modifications made to the Windows registry or the file system or other processes and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching."

        "Submit your Windows executable(*.exe) and receive an analysis report telling you what it does,
        or submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL."

        A Generic JavaScript Unpacker. Enter a single URL (or paste JavaScript to decode). Upload a PDF, pcap, HTML, or JavaScript file.

        Standalone Malware Sandboxing Software

        "An Open Source dynamic malware analysis system which allows you to get informations on suspicious files in a completely automated fashion.
        Such results include:
            * Relevant Windows API calls tracing of all recursively spawned processes.
            * Network traffic dump generated during malware execution.
            * Files being downloaded and deleted during execution.
            * Screenshots taken during malware the whole analysis process."

        "Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper Mass Malware Analysis: A Do-It-Yourself Kit."

        "Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program. "

        "Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to system and then evaluate if they are malware suspicious.
        The changes made to system can be of several types: file system changes, registry changes and port changes."https://vicheck.ca/

        "This is a free tool for the analysis of malicious PDF documents. Has specialized tools for dealing with obsfuscated javascript, low level pdf headers and objects, and shellcode."

        jsunpack-n emulates browser functionality when visiting a URL. It's purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:
        PDF files - samples/sample-pdf.file
        Packet Captures - samples/sample-http-exploit.pcap
        HTML files
        JavaScript files
        SWF files
        This project contains the source code which runs at the website http://jsunpack.jeek.org/.


        April 21, 2011

        Coreflood botnet - Detection and remediation

        On April 13, 2011, The FBI and the Dept. of Justice announced that they had received a temporary restraining order allowing them to disable the Coreflood botnet. Coreflood is believed to have had over 2 million infected "drones" under its control, and was responsible for a wide variety of nefarious activities including DDoS and bank fraud.

        Now that the Command and Control servers have been disabled, the primary task at hand is in remediation, as well as the notification of victims.

        There often are questions on the best way to identify botnet infections on a local network, and Coreflood is no exception. I've listed below some information that will help identify Coreflood traffic, as well as provide some basic remediation suggestions.

        Indicators:

        • Outbound traffic on port 80 to IP address 149.20.51.124 and/or 207.210.74.74 corresponding to the following dates: 
          • 149.20.51.124   - 4/12/2011 to date
          • 207.210.74.74   - 4/12/2011 to 4/20/2011
        • DNS queries for the following hostnames:
          • taxadvice.ehostville[dot]com
          • taxfree[dot]nethostplus[dot]net
          • onlinebooking[dot]nethostplus[dot]net
          • accounts[dot]nethostplus[dot]net
          • logon[dot]nethostplus[dot]net
          • imap[dot]nethostplus[dot]net
          • pop3[dot]nethostplus[dot]net
          • schedules[dot]nethostplus[dot]net
          • mediastream[dot]nethostplus[dot]net
          • ticket.hostnetline[dot]com
          • flu.medicalcarenews[dot]org
          • vaccine.medinnovation[dot]org
          • ipadnews[dot]netwebplus[dot]net
          • acdsee.licensevalidate[dot]net
          • savupdate.licensevalidate[dot]net
          • wellness.hostfields[dot]net
          • wiki.hostfields[dot]net
          • a-gps.vip-studions[dot]net
          • old.antrexhost[dot]com
          • marker.antrexhost[dot]com
          • spamblocker.antrexhost[dot]com
          • ads.antrexhost[dot]com
          • cafe.antrexhost[dot]com
          • coffeeshop.antrexhost[dot]com
          • dru.realgoday[dot]net
          • brew.fishbonetree[dot]biz
          • jane.unreadmsg[dot]net
          • exchange.stafilocox[dot]net
          • ns1.diplodoger[dot]com


        Remediation




        References:




        April 13, 2011

        Using "volatility" to study the CVE-2011-0611 Adobe Flash 0-day

        I recently had the opportunity to collaborate with Mila Parkour from Contagio in her research of the recent Adobe Flash 0-day (CVE-2011-0611) During this research, I utilized some basic memory forensics in an effort to learn more about the exploit in a running state on a compromised machine. This was also a good opportunity for me to try the latest version of "volatility - An advanced memory forensics framework". I had been a user of version 1.3 and its associated plug-ins, but with the 1.4 beta version recently released, I thought I'd give it a try.

        The setup instructions and documentation for volatility is very good, and the project has wide community support. The best place to start is via the project page at http://code.google.com/p/volatility/  There are versions for both Windows and Linux, with a full set of instructions at http://code.google.com/p/volatility/wiki/FullInstallation

        For the CVE-2011-0611 analysis, I started with a fully patched XP Professional VirtualBox guest. I ensured that I had the latest Flash and Reader versions from the Adobe site.  I also ensured that my Office 2007 installation was fully patched.  I started an instance of wireshark on my host computer and tested that it was only seeing packet traffic from the guest.  One major difference between VMWare and VirtualBox is in its saving of live memory.  If you suspend a virtual guest in VMWare, it will create a suspend file with a .vmem extension that is essentially a memory dump at the time of the suspend. Most memory analysis tools such as volatility will work seamlessly with a .vmem file. VirtualBox handles the suspend, or 'save machine state' a bit differently, in that it will only dump the memory that was actively used at the time of the suspend.  In this case, you will need to use another method to dump out the full RAM contents.  In my case, I utilized win32dd.exe by MoonSols .  Note that using a program such as win32dd.exe will leave artifacts of the program in memory.  Once everything was ready, I launched the infected document and waited until I saw network activity to liciayee.dyndns-free.com at 123.123.123.123.  At this point, I executed win32dd.exe and saved the memory file to my server as "mem.dmp"

        volatility 1.4 includes many default plug-ins and commands  that will allow for some very good preliminary analysis of your memory dump.  The first thing that you should run is the "imageinfo" command which will provide basic info about acquired dump.  This will also tell you the suggested profile to use for subsequent analysis. The image below shows this command being run against 'mem.dmp'. Note that one of the suggested profiles is 'WinXPSP3x86'.  Since I know that my guest VM is SP3, I will use this profile in all my volatility runs against this dump.



        volatility has a number of commands that will detail the running processes. Two such commands are 'pslist' and 'psscan2' .  From the volatility wiki, "To list the processes of a system, use the pslist command. This walks the doubly-linked list pointed to by PsActiveProcessHead. It does not detect hidden or unlinked processes."  The psscan2 command will utilize pool tag scanning to enumerate running processes.  This may help identify terminated processes or those hidden by a rootkit.  For consistency, I ran the pslist command with the "-P" switch, which displays the physical memory offset.

        pslist command


        psscan2 command


        Next, I wanted to view the active connections and the process ID associated with the TCP connection to 123.123.123.123. The command, 'connections' will list active connections, the PID, and the remote IP address. In this case, you can see that process ID 1336 is associated with the TCP connection to 123.123.123.123.



        Since I now know that PID 1336 is associated with the connection to the remote server, I want to now look for any http commands or other strings of interest. The 'malfind' command is a very flexible command that will allow for advanced searching using regex, unicode, or ANSI strings. 'malfind' will also find hidden or injected code in user memory. Since volatility uses the yara malware identification and classification tool, you can create and specify a yara-rules file for your search patterns, or simply specify the search criteria on the command line.  In the figure below, I ran the malfind command against PID 1336 in order to search for the string "http://"  Note in the first block, the interesting strings "SharkConnect", and "http://%s%d/upfile.asp.SetProxy".



        There is a great deal you can do with volatility and a RAM dump of this kind. For example, you could discover loaded DLLs, list a process' open files and registry keys, extract a process to a .exe, extract a DLL to a .exe, get detailed information on Windows services, etc. For this example of CVE-2011-0611, I took a memory snapshot almost immediately after the infected Word doc was opened.  As I look into this further, I'm going to take a series of RAM snapshots over time and compare the memory artifacts and behavior.

        I've placed a link to a password protected copy of the CVE-2011-0611 memory dump (53MB) at the bottom of this post.  Please contact me if you want the password for research purposes. I'll remove the password after Adobe releases a patch for CVE-2011-0611.

        I hope this simple example of using volatility to examine memory behavior of the recent Adobe 0-day encourages you to utilize this awesome tool in your forensics arsenal.

        UPDATE:  On 4/15/2011 Adobe has released a security update for Adobe Flash Player  - CVE-2011-0611. The memory dump file as described above is now available without password protection.

        Welcome to the 'SemperSecurus' blog

        Welcome to my new blog! In this space, I'll be posting various items pertaining to information security, digital forensics, malware / botnet analysis, and e-crime studies. I'll also post on anything of interest that I feel like sharing.   

        As this blog evolves, I welcome any comments and suggestions, as well as any questions.
        Thanks for reading!


        Andre'