Responder Pro DDNA How to Flip Bookx 817.54 KiB
Download
Report
Transcript Responder Pro DDNA How to Flip Bookx 817.54 KiB
How to use Digital DNA
with Responder Pro
Detect
Malware
Diagnose
It
Respond
with
Actionable
Intelligence
Quick Start Flip Book v1.0
Getting Started with Digital DNA
HBGary Digital DNA is a revolutionary capability for malicious code
detection that goes beyond current solutions to identify and report
advanced malicious code in Random Access Memory. The system is
extremely powerful, flexible and effective out of the box but should be
fine tuned in order to maximize the efficiency and success of your DDNA
usage during incident response investigations or during a malware
outbreak. Digital DNA is a learning system that will continually get smarter
over time as HBGary continues to populate new malware traits and build
out the Global Threat Genome. This guide is written to help you become
an effective analyst of Digital DNA to defend your enterprise against
malicious code.
In order to detect malicious code in the enterprise as rapidly as possible
HBGary recommends you adopt the following best practices.
DDNA CONFIGURATION BEST PRACTICES
Create White Lists to Identify “Known” Code in RAM
Knowing the DDNA of each authorized process, driver, and module on your
systems will enhance zero day malware detection. Work with your
HBGary Team to create White Lists specific to your environment and
baseline machine builds.
•
•
•
•
A White list should be created for all “gold builds” your organization supports.
This includes servers and workstations.
The White List includes DDNA scores for all system executables and applications
installed inside the image. This includes all processes, drivers, DLL’s, etc.
The White List defines what traits should be present on a particular system
based on the installed applications and operating system binaries.
A Digital DNA score will be generated for all trusted applications, modules, and
drivers.
Getting Started with Digital DNA
What If I Don’t Have DDNA Whitelists?
No Whitelist? No problem, DDNA still provides tremendous value. If you
don’t have a current DDNA white list for your environment you can best
prepare your organization to respond to an to identify malware rapidly by
following these simple rules.
1.
Have available a list of ALL supported and installed applications and
programs authorized by your organization.
•
This list is used to cross reference with process, modules, and
driver names with DDNA data to deduce known, unknown
•
The Digital DNA database includes an HBGary provided
whitelist for common Microsoft Operating system programs
and system files. Keep in mind this list is not all inclusive*.
Fine Tuning DDNA Is A Process
Digital DNA is about mapping code behaviors to executable code running
on machine. You should always strive to “know” all processes, modules
and drivers running on the workstations and servers you investigate in
your environment.
1.
All “unknown” processes, drivers and modules should be investigated
and proven to be 1 of 3 options.
1. Trusted and “Known Good”
2. Known Bad - malware
3. Unknown – “guilty until proven innocent”
Detecting Malware continues on next
page…
Detect
Detecting Malware in RAM
How to Interpret Digital DNA Results?
Step 1: Review Highest Scoring Items First
Digital DNA sequences are weighted. The higher the weight, the more
likely the program is malware or has malware-like capabilities. The
score of a process is the sum of all traits found in the process or
module.
A score of 40
or higher
indicates
malware like
activity.
In practice, look for scores above 40.0, which should be marked in RED. Scores
marked in ORANGE are most often not suspicious and BLUE are not considered
suspicious.
1. Start by analyzing all processes, modules, and drivers that have a score of 40 and
higher (RED)
Keep in mind:
• Some malware can score lower than 40!
• Some legitimate programs can score higher than 40!
2. Then filter through the processes, modules, and drivers that have a score of 30 and
higher and then 20 and higher.
3. Continue through this process until you can verify the integrity of every process, driver
and module on all machines by name and DDNA score.
To analyze for malware,
you need to compare the
traits of highly scored
processes against your
standard installation base.
Next Step: Identify Behaviors with Traits
Goal: Is it Malware or not?
Detect
Identify Suspicious Behaviors
of software with DDNA Traits
Step 2: What To Look For?
• The Highest Scoring Processes and Modules combined with:
• Process names you recognize or not recognize
• Processes by name that are not authorized by policy
• Process that have known malicious traits
• Be aware that malware can score below 40
•Example – A process not using all of its capabilities at once might score low
or a piece of malware performing a staged execution or installation
Some Traits are 99% Malicious
Digital DNA contains behavioral traits that when found either
alone or combined are very strong indicators of malware. These
traits should be considered “evil and malicious” unless part of
your gold build.
Known Bad Malware Traits
Packing like UPX, aspack, &
Themida
IRC Protocol
Changing Memory Permissions
Changing security permissions
Searching for security software
Screen Shot Capture
Audio Capture
SSDT Hooks
IDT Hooks
Detour Patching
Attaching to TCP Stack
Next Step:
Traits common to types
of malware
Goal:
Classify the Threat
Detect
The Nature of the Threat?
The DDNA traits listed below are common to specific types of
malware. Usually a single trait by itself does not indicate malware
(see exceptions on previous slide). It is usually a combination of traits
acting together that indicate malicious capability.
Example - If the program ‘Solitaire.exe’ has the traits of capturing
keystrokes, injecting dll, and connecting to the internet, it is
behaving in an non-standard manner, and should be considered
malware and analyzed in more depth.
Example - A Program like Skype contains many traits common to
malware like packing and IRC functionality.
Keyloggers
Rootkits
Intercepting keystrokes
Hooking Windows Messaging
Chain
Walking list of open windows
Reading memory from other
processes
Writing to temp file on disk
Rootkit or Hidden Driver
Network driver is accessing files
System call table hooks
Installs as a service
Attaches to internal IP stack
Injecting into other processes
Botnets
Bank Info Stealers
Communicate to IRC server
Supports IRC protocols
Support a proxy server
Backdoor may be supported
Appears to use encryption
Packer Characteristics
Currency checking
Intercepting keystrokes
Install itself as explorer extension
Searches for Security Software
Bank URL references
Detect
The Nature of the Threat?
Listed below are traits that describe actions typical of malware. Someone trying
to steal intellectual property might create a malware to search, identify, encrypt,
and send files to a hotmail email address. Another piece of malware looking for
personal information might install itself as a Browser Helper Object inside of
Internet Explorer to monitor and intercept , then use encryption to send the data
out to a password protected message board.
Identity Theft
Backdoor may be supported
Appears to use encryption
Acts a backup program to read files
Attempts to act as administrator
Monitoring keystrokes
Intellectual
Property Theft
Is Searching for / Is deleting files
Backdoor may be supported
Appears to use encryption
Acts a backup program to read files
Attempts to act as administrator
Other Key Malware
Traits
Walking list of open windows
Reading memory from other processes
Manipulates other processes
May load a dll into svchost.exe
Can kill other processes
Modifying access control list
Uses registry to survive reboot
Creates a service
walking list of open windows
Uses shell startup directory
Monitor video screen
Contains and unloads a dll
What Next?
Diagnose Suspected Malware
See Triage Checklist
“Freeze the Crime Scene”…
Detect
Incident Response Checklist
for Computer Memory
It is important to have a logical method for triaging a
computer with Responder to identify signs of malicious
code infection. The following is a guide to help you
understand what to look for in each section.
Triage Goals And Checklist
The goal is to answer the question:
“Is the machine compromised or not? Yes or No.”
Approach:
•
•
•
Separate the known from the unknown:
What programs should be installed Vs what is new and unknown?
Understand network activity – What is known ? What is new?
Questions you must answer:
•What is part of gold build and what is not?
•What new processes, drivers, modules or code has been added?
•Are there Rootkit Signs?
•What processes were running?
•What files were opened, written to
•What files were deleted?
•What network connections are currently open?
•Any current network connections?
Triage Tools
The Project Tab – Exposes all system objects
The Strings Window – List all strings in process memory
The Symbols Window – List all function calls in memory
The Data View or Binary View - Hex View of memory
What Next?
Go To: Triage Checklist
Continued
Detect
Incident Response Checklist
for Computer Memory
The Project Tree is designed to assist you in quickly
identifying all the artifacts found in the memory image.
The Project Tab & Tree
The Project Tree organizes related data and categorizes it for you. This allows
you to manually triage a computer system quickly via the folder structure under
the Project Tab:
1.
2.
3.
4.
5.
6.
Network connections
Processes, Drivers, Modules and Paths
Internet history
Registry Keys
Open Files
SSDT
Right Click
on any
suspicious
item to
Send To
Report
Step 1 - Examine Open Network Connections
Questions to answer:
•What processes are listening on a port for an incoming connection?
•Are these processes approved by policy? If no, then go to step 2 “Examine Process”
•Is a process actively connecting out to an unauthorized remote IP address?
•Notice port numbers –Which ports are not part of the corporate policy?
•Notice which processes are connecting - Are there unexpected or unknown process
names?
Step 2 - Examine Processes
Questions to answer:
•Are there hidden processes?
•Are there orphaned processes i.e. a process without a PPID
•What command line parameters are being used?
•Note the start times: Are there odd startup times or sequences?
•Examine the paths and working directories:
•Are there any non-standard paths used? Such as c:\win\tmp
•Are any dll’s loaded from non-standard directories
What Next?
Go To: IR Checklist for RAM continued
Detect
Incident Response Checklist
for Computer Memory
Searching for Signs of a Rootkit
Step 3 - Search the System Call Table (SSDT)
It is common for root kits to hook the System Service Descriptor Table (SSDT). These
locations must be checked for trusted code. Rootkits in these locations can intercept
system messages and return false information
If you find programs listed here that are not security related and not part of the core
operating system, then those programs need to be investigated.
It is also important to note the path reported for any target listed. Paths other than
‘\Windows\System32\ntoskrnlpa.exe’ need to be investigated.
1.
2.
Is ntoskrnl.exe the only Target Module listed? No? Investigate.
Is \Windows\System32\ntoskrnlpa.exe the only path reported? No? Investigate
Rootkit Example – SSDT Hook beep.sys
Normal Behavior
Malicious Behavior – Note: Unknown Functions, Different Target, Different Path
What Next?
Go To: Interrupt Descriptor Table (IDT)
Detect
Incident Response Checklist
for Computer Memory
Check for signs of a Kernel Rootkit in the IDT.
Step 4 - Examine Interrupt Descriptor Table (IDT)
The IDT represents the lowest level software gateway between the kernel and the
actual CPU. The only code that usually runs here are HAL.dll and NTOSKRNL.exe
or a variation of the kernel. The only other programs that run here are kernel
debuggers, security software, and Rootkits.
•Sort the Hooked Column – Do you see a value of TRUE? This indicates presence
of an IDT hook. Check for kernel debuggers or rootkits
Debugger Example – IDT Hook
Normal Behavior
Malicious Behavior – Note: Unknown Functions, Different Target, Different Path
What Next?
Go To: Triage Checklist
Continued
Detect
Incident Response Checklist
for Computer Memory
Internet History and Open Registry Keys can provide a
wealth of actionable intelligence towards detection,
containment, and mitigation.
Step 5- Search the Internet History
Internet History is a list of all the URL visited by all the processes on the machine. Very
important connection details can be found by examining this list and noting what kind of
websites were visited and what web pages were accessed.
•Search & Manually browse through harvested Internet History
•Search for domain names of foreign countries - .cn, .kr, .ru, .ua
•Look for URL’s that upload and download files – load.php, update.asp
•Look for URL’s that have uploaded executable content - pdfupdate.exe, srv, swf, exe
Right click on any suspicious URL’s and SEND TO REPORT for reference.
Step 6 - Search Open Registry Keys
The Registry is often used by malware for installation and to survive reboot. This
information is often critical for finding malware variants across the network and
possibly malware remediation.
Common Start up locations
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, the "run" and Load"
keys.
What Next?
Go To: Search Keys and Passwords
Detect
Incident Response Checklist
for Computer Memory
Usernames, Passwords, Keys, Symbols….
Step 6 - Search the Keys and Passwords Table
User accounts, keys, and passwords might be found here.
This table displays the results of a generic search for usernames and
passwords. If a username or password is not visible in this table it doesn’t
necessarily mean that there isn’t one inside of memory.
•Take note of all usernames for clues to other accounts– Gmail, hotmail, yahoo
•Look for recovered passwords
HBGary encourages you to perform additional searches for usernames and
passwords inside of memory utilizing the background knowledge you have about
the specific case and suspect.
We Found Something Suspicious! Now What?
What Next?
How To Analyze Processes and Drivers
For Malicious Properties
Diagnose
How To Analyze Processes, Modules,
and Drivers For Malicious Properties
You found something suspicious, Now What?
You need to analyze the process in all of it’s low level parts. The following details are
provided after Responder disassembles them .
• Strings View– Shows all of the recovered strings from process memory
• Binary View- Displays the physical memory of the process
• Symbols View– Lists all of the recovered functions found in process
This data is viewable after right clicking on a process in the DDNA list and selecting
View Strings, Binary or Symbols.
Understanding The Strings View
The Strings View lists all of the ASCII strings found within a given process. These strings
can often provide a clear indication of what the process is doing.
•Functions called – Connecting to the internet, Changing Security…
•IP Address and URL pages accessed – Foreign addresses…
•Commands being sent and received – Read Files, Delete Files…
Understanding The Binary View or Data View
The Binary View is similar to a hex view of the physical and virtual memory layout. This
allows you to manually browse and search through the physical file. This allows you to
see contextual information and identify relationships rapidly:
- Runtime Information
- Is it really a DLL?
Understanding The Symbols View
The Symbols Table displays the names of the functions a process imports from the
operating system to execute properly. This describes the codes capabilities.
Below is a list of types of API function calls to look for in the symbols table.
See Malware Reference for functions
names to search for.
What Next?
See Strings, Binary, Symbols
Diagnose
Analyzing Processes - Strings
The Strings View
The Strings View lists all of the strings found within a given process. These strings
usually give a very clear indication of what the process is doing along with
artifacts particular to the author(s) of the application/malware.
•Functions called – Connecting to the internet, Changing Security…
•IP Address and URL pages accessed – Foreign addresses…
•Commands being sent and received – Read Files, Delete Files…
Look for strings that belong to Various Malware Analysis Factors.
Examples of strings to search for:
• URLDownloadToFile
• IP addresses to foreign sites
• html, PHP and ASP URL references
Right Click
on any item to
perform Google
Search!
Getting familiar with Programming API calls, Malware Related API calls will
dramatically improve the speed and efficiency of which you can analyze malware.
Things to become familiar with are:
•Functions/API’s related to –
• Communications
• Defensive techniques
• Information Security Factors
• installation And Deployment Factors
• Development Factors
• Command and Control Factors
•IP Address and URL pages accessed – Foreign addresses…
•Commands being sent and received – Read Files, Delete Files…
Diagnose
Analyzing Processes - Strings
Step 1: Search the Strings of Process
A good first step to begin your searching:
1.
2.
Select the Binoculars from the toolbar.
Perform 4 separate searches for:
•Software
CreateRemoteThread
•Exe
API call,.exe, Run,
•Reg
CMDShellExecute
•Run
Haxor, l337
These initial 4 searches will help you find many functions and registry keys that
are used by malware for installation and execution. Finding these doesn’t
absolutely mean malware. It reveals program capabilities.
First search…..
Second Search…..
Diagnose
Analyzing Processes Using
the Strings View
Step 2: Understanding The Search Results
Examine the list of returned strings and determine what possible impact that string
might have .
For example,
1.
RunDllAsExe string might be returned, and indicate the process is running dll’s as
executables.
2.
ShellExecute might be returned and indicate that the program is launching hidden
command line shell processes.
3.
Software\Microsoft\Windows\CurrentVersion\Run might indicate the process is auto
run.
1st Search Results Example: Registry Keys Group
The graphic below highlights the ‘Software’ registry keys found in the process
rpcsetup.exe . This information tells the investigator how the malware is installing
itself and surviving a reboot..
2nd Search Results Example: Executable Function Group
The graphic to the right
shows a sequence of
functions found inside the
process that are capable of
executing commands.
Right Click
on any item to
perform Google
Search!
What Next?
See Graphing Behavior
See Searching Memory
Diagnose
Analyzing Processes Using The
Binary View
Understanding The Binary View
The Binary View is a powerful way to examine a process space of an executable.
It allows us to see and search all data inside the physical and virtual address
space. Binary View is often used to get contextual information in and around a
search hit.
Step 3: Search The Binary View
To look for evidence of specific activity, such as a socket connection,
1. Click the Search button from the toolbar
2. Enter the term ‘Socket’
3. Examine the result window, which is a pop-up
4. Double click on a result that is of interest
5. The result will be displayed beginning at the address point
6. Examine program flow to see what calls this function, and what follows
Step 4: Understanding the Search Results
Results show the exact address where string is found within the memory of that
process block. This allows one to see what calls that function, what the
parameters are for that function, and what calls are made afterwards. This is very
useful for tracing activity around a particular behavior, such as making internet
connections.
Questions that might be answered by examining binary data in this window are:
What IP address was connected to?
What was the port number?
What Next?
See Graphing Behavior
See Searching Memory
Diagnose
How To Analyze Processes
Using The Symbols View
Understanding The Symbols View
Symbols are the names of functions shared by the operating system and the Symbols
View is a powerful tool for examining which functions called by the process. It allows us to
see all the functions that a process uses, and thereby gain understanding of what kinds
of activity the process can perform.
A good process for using this window is to perform multiple searches looking for groups of
functions and send these finding to the report.
Step 5: Searching Symbols View
To begin finding groups of related functions, Perform several separate searches.
Search For:
•
Reg – for Registry related functions such as OpenRegKey
•
Exe – for execution related functions such as rundll.exe
•
Sock – for internet related functions
See Factor Layer Reference for Complete list of function names to search for by category
Search Example for Process Execution
To look for evidence of specific activity, such as hidden process execution,
1.
Click the Search button from the toolbar
2.
Enter the term ‘Exe’
3.
Examine the result list
4.
Locate all related strings – ShellExecute, cmd.exe, WinExec, RunDll.exe
5.
Right click on a result that is of interest to Google search for more data
6.
Right click send to report
Step 6: Understanding the Search Results
The power of the search window is in being able to show all the similarly named
functions, such as RegOpenKey, RegCreateKey, and RegCloseKey.
We can then send these to the report and drop these items onto the Working Canvas
Window to begin tracing their functionality.
Right Click
on any suspicious
item to
Send To Report
What Next?
See Graphing Behavior
See Searching Memory
Diagnose
How To Analyze Processes
By Searching Global Memory
Searching memory is a very powerful way to locate artifacts and identify behavior.
Step 7: Searching Global Memory Window
This is the primary tool for searching
memory.
To search Global Memory:
1st Double click the name of the memory
image in the Project Tree. This will be
located directly under the Physical
Memory Snapshot node on the tree.
2nd Click the Binoculars in the toolbar of
the Data View window to bring up the
Search Dialog box.
3rd Enter the search terms
It allows you to search for regular text
such as contents of a document, or the
names of functions and commands.
It allows you to search for specific Hex
and binary sequences such as the
assembly code to change the security of
the CRO register.
Tip: Always make sure to select Unicode
Step 8: Tying an Artifact to a Specific Process
When you find a specific artifact in memory, the result also shows which process space this item was
found in. It is very important to note this and to then being examining that process space for further
evidence.
Drag this item to the Report Tree, and put it in a proper behavior layer.
•Put IP addresses in the IP Addresses under Communications sub-folder for the process it
was found in
•Put network connection information such as Connect, Listen, and Socket in the Network
Protocols folder.
•Put autorun registry keys in the Installation folder
Diagnose
How To Analyze Processes
By Searching Global Memory
Here is a specific example of searching for all IP addresses listed in memory.
Search Example IP Address Collection
First: Create a Regular Expression
Here is an example of a regular expression or regex, that will work to find all sequences in
memory that map to the format of a an IP address.
\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
To apply this expression in a search:
1.
From the main Responder Menu,
click View
2.
Select Panels menu item
3.
Strings View
4.
From the Strings View Toolbar,
Select the Binoculars
5.
Select the Regular Expression
option
6.
Enter the expression
7.
Click OK
Examine the resulting list and
associate findings with process
names
In our results list we find one IP
address in particular,
213.155.4.82, tied to the
unnamed memory module in
svchost.exe, which is highly
suspicious,
Diagnose
How To Analyze Processes
By Searching Global Memory
Here is a specific example of searching for and finding evidence of malicious
network activity.
Search Example for Hidden Network Connection Activity
First: Search for the term controller, which we saw in the strings list.
Searching for ‘controller’ results in 126 hits.
Second: Sorting by Process, and examine the results.
We find a URL string: /new/controller.php Note also that it was found in an unidentified
module, which indicates hidden.
Third: Double clicking the result and examining the binary data for contextual information,
We see that an IP address, 213.155.4.82 is found right beside it.
Here is a piece of evidence we can use to look up in our router or FireWall logs.
Right Click
on any suspicious
item to
Send To Report
What Next?
See Graphing Behavior
See Building Reports
Respond
Building Your Report:
Malware Analysis Report with
Actionable Intelligence.
Building The Malware Analysis Report
Building a report based on the
evidence discovered from the
searches and tracing consists of
grouping behaviors into the
following categories:
•Information Security
•Development
•Installation
•Command and Control
•Communications
•Defense
•These folders are automatically
built for you by Responder.
Responder assists you by
automatically adding suspicious it
finds items during it’s analysis to
these folders.
Responder automatically adds items like:
•IP addresses
•Harmful function calls like CreateRemoteThread
•Security function calls it finds
•Network protocol functions
Step 1: Organizing The Report
You build the behavior groups
by adding artifacts you find to
the corresponding folders
There are 2 ways to do this:
1. Dragging items from other
windows
2. Adding/Editing Bookmarks
Categorize behaviors by placing appropriate strings, functions, & data into the proper
malware analysis factor directory.
Diagnose
Building Your Report:
Malware Analysis Report with
Actionable Intelligence.
Example Report Notes
Example 1: Dragging an Item from String View window
1.
2.
3.
4.
5.
6.
Open the Report Tab
Expand the Report Tree to the Folder you want the item to appear in
Open the String View Window
Find the string item you want copied to the report
Drag the item to the report by left clicking and holding down the left mouse
key until item is over the folder you wish it to appear in. A drag icon wlll
appear to assist you, and will disappear once the item it dropped onto the
desired folder.
Release the left mouse button to drop the item
Example 2: Editing a Bookmark
To Edit or annotate a bookmark
about a particular piece of
evidence:
1.
2.
3.
4.
Right click on the item in the
report tree
Select Edit
Enter relevant notes
Select OK to save
What Next?
See Generating the Report
Building Your Report:
Malware Analysis Report with
Actionable Intelligence.
Diagnose
Step 3: Generating The Report
To Generate a report:
1.
2.
3.
Select the ‘ToolBox’ tab
located on the left side of the
main application window
Select ‘Malware Assessment
’ dropdown option
Select RTF report
This will automatically start MS Word with an RTF document containing the data from
the Report Tree. It will be organized with an executive summary containing the project
case information, followed by a technical summary containing the information
organized and bookmarked in the Report Tree.
Any graph layers created will also be added to the report to highlight the behaviors
found in the investigation
What Next?
See Creating Actionable
Intelligence
How To Identify Actionable
Respond
Intelligence
The following data can be used to update Enterprise
Security Policy based on malware analysis factors
Network Ports, DNS Names, IP Addresses
1.
2.
3.
Check firewall logs to correlate discovered IP address to other internal
hosts
Scan the network for other internal hosts listening on discovered ports
Block traffic based on discovered connections
Network Protocols
1.
2.
Block protocol traffic at firewall
Generate report from Firewall for host using that protocol
File & Registry Paths
1.
2.
Search hosts for discovered files
Perform remote registry searches for discovered keys
What Next?
Implement Policy Changes to Minimize Risk and
Exposure to Threat
Respond
Take Action….
It is important to collect & share incident
response information that can be used to
defend your network and mitigate the threat.
Actionable Intelligence- What to Look For
IP Addresses or DNS Names – Use these for blacklisting or monitoring
File Paths or Filenames – What is the program looking for and where?
Web URL filenames – What is the location of collection or control point?
Unpacked strings and functions – What is now exposed?
Non-Professional Word Strings – How might the language reveal clues?
Send to Anti-Virus Vendor
You can send suspect Livebin binaries to your anti-virus vendor for inclusion
into their signature database. This facilitates updating endpoint protection for
the enterprise as quickly as possible.
Contact the virus submission team for procedure for uploading suspected
viruses.
Send to HB Gary Portal
You can send binaries to HB Gary for further analysis by going to
https://portal.hbgary.com/
1.
2.
3.
4.
5.
6.
Create an Account
Log In
Go ‘My Analysis Jobs
Zip the binary to be submitted
Click ‘Add Job’ and upload zipped binary
Multiple jobs can be uploaded at a time, up to 50, by including them all in
a single zip file
What Next?
Search Tips Reference
The following is a reference of
tips to aid in searching memory
for evidence.
Faster Searching with Dual Monitor
Having multiple search windows open at a time is one of the best ways to increase searching
speed and save time. Because there is so much data to search, the more screen space that can
be given to search windows, the faster that data can be searched.
Tip 1: Use a second monitor for viewing search results
1.
2.
3.
4.
5.
Connect a second monitor to your analysis workstation
Drag a search results window to second monitor
Double click on a search result hit
Result will appear in window of the first monitor
Now you are able to see both windows at the same time for faster searching
Refining Searches
It is easy to create a search that returns to hits making it hard to find useful evidence. Effective
searching is process refined over time by knowing terms that have a high likelihood of not
being used often.
TIPS:
Be as specific as possible : Example ‘TerminateProcess’ or an exact file name
Avoid generic search terms: Example ‘HTML’ or Internet
When too many hits are returned, it is time to use a more specific term
TIP
Make sure to check both ASCII and Unicode boxes in the search options.
Search Result Tips
1.
2.
3.
Examine and note what process name is listed with the result. This means
that the result was found in that processes memory space.
Double click on search result to go to Binary View.
In Binary View, review the contextual information in memory surrounding the
result. This can help to solidify your decision making process intelligence
gathering.
Often times memory non-referenced, meaning no connection to a process can be made. This means that
the program which used that memory is no longer running, or has released that memory. But we can know
at least some process used that memory.
Note that binary searches may give results found in other processes. This points to other processes that
may need to be examined.
For evidence pertaining to the process we are investigating, we need to make sure we only report artifacts
listed in that process space.
Malware Reference:
Installation Factors
The following is a reference of
strings and API calls that can be
used by malware to perform the
actions necessary to create and
install files, and set the system
to autorun executables.
File and Directory Creation
CreateDirectory
GetSystemDirectory
CreateFile
DeleteFile
CopyFile
OpenFile
ExpandEnvironmentStrings
%PROGRAM FILES%
%SYSTEMROOT%
C:\ .EXE DLL
\\ (double backslash)
MoveFile
\\TEMP
WINDOWS
SYSTEM32
cmd /c del
del %s
GetTempPath
.SYS
.INI .INF .BAT *.*
Registry Manipulation
Search symbols for “reg”
RegOpenKey
RegCreateKey
“CurrentControlSet”
“CurrentVersion”
“SOFTWARE” (all caps)
ServiceMain
ServiceDll
StartService
RegCreateKey
RegOpenKey
.REG
regedit
RegCloseKey
CreateService
DeleteService
OpenSCManager
AutoRun Registry Keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, the "run" and Load" keys.
Malware Reference:
Command and Control
Factors
The following is a reference of
strings and API calls that can be
used by malware to perform the
actions necessary to create
process and execute code.
Process Creation
The following function calls and commands can be used by malware to execute
hidden code, such as a hidden command shell that is running a port listener. The
API ShellExecute could do this if called from with in a process such as a Browser
Helper Object.
CreateProcess
Rundll32.exe
cmd.exe
cmd /c
execve
System
ShellExec
ShellExecute
ShellExecuteA
WinExec
Shell32.DLL
exec
RootKit Insertion
The following function calls are how malware can install rootkits into the system.
Some program, typically called a dropper, calls these API’s to install and run the
rootkit. An executable containing only these functions would be highly suspect ed
of being a rootkit dropper.
PsCreateSystemThread
\\DosDevices
.sys
drivers
IoCreateSymbolicLink
IoDeleteSymbolicLink
IoCreateDevice
IoDeleteDevice
KeInitialize
SpinLock
ObReferenceObjectByHandle
FindResource
SizeOfREsource
Malware Reference:
Communications
Factors
The following is a reference of
strings and API calls that can be
used by malware to perform
network communications.
Malware usually needs to
connect to some remote system
Via a protocol to receive
commands, and send data.
Network Protocols
Listen
Bind
Connect
UDP
TCP
URLDownloadToFile
OpenURL
ReadEntireFile
Pasv
Put
FetchURL
GET
POST
Server
Username
Password
Port
HTTP/HTTPS
Openrequest
SendRequest
IRC/Chat Protocols
ADMIN
AWAY
CONNECT
DIE
ERROR
INFO
INVITE
ISON
JOIN
KICK
KILL
LINKS
LIST
LUSERS
MODE
MOTD
NAMES
NICK
NOTICE
OPER
PART
PASS
PING
PONG
PRIVMSG
QUIT
REHASH
RESTART
SERVICE
SERVLIST
SERVER
SQUERY
SQUIT
STATS
SUMMON
TIME
TOPIC
TRACE
USER
USERHOST
USERS
VERSION
WALLOPS
WHO
WHOIS
WHOWAS
Malware Reference:
Defensive Factors
The following is a reference of
strings and API calls that can be
used by malware to perform
harmful actions…..
Check Rootkit Installation
API Calls used for installation of RootKits
PsCreateSystemThread
\\DosDevices
.sys
drivers
IoCreateSymbolicLink
IoDeleteSymbolicLink
IoCreateDevice
IoDeleteDevice
KeInitialize
SpinLock
ObReferenceObjectByHandle
Check for Debugging
IsDebuggerPresent
WMIService,
ExecQuery
Manufacturer
VMWare KeysHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\
{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\
{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
The following is a reference of
strings and API calls that can be
used by malware to perform
harmful actions…..
Malware Reference:
Information Security
Factors
KeyLogging
GetKeyState
SetWindowsHook
UnHookWindowsHook
AttachThreadInput
GetMessage
TranslateMessage
DispatchMessage
Scancode
Scan code
Key scan code
GetAsyncKeyState
Directx – uses API’s from DINPUT.DLL
File Searching
FindFirstFile
FindNextFile
FindFirstFileName
*.doc
*.pdf
*.lxs
SearchPath
GetFullPathName
GetFileType
GetFileAttributes
ReadFile
OpenFile
FileIOCompletionRoutine
CopyProgressRoutine
LockFile/UnLockFile
SetFilePointer
CreateFile
CopyFile