malware detection in memory forensics current issues and
play

Malware Detection in Memory Forensics: Current Issues and Challenges - PowerPoint PPT Presentation

Oct 15, 2023 •129 likes •540 views

Malware Detection in Memory Forensics: Current Issues and Challenges Ricardo J. Rodrguez All wrongs reversed under CC-BY-NC-SA license rjrodriguez@unizar.es @RicardoJRdez www.ricardojrodriguez.es Dept. of Computer Science and

  1. Malware Detection in Memory Forensics: Current Issues and Challenges Ricardo J. Rodríguez � All wrongs reversed – under CC-BY-NC-SA license rjrodriguez@unizar.es ※ @RicardoJRdez ※ www.ricardojrodriguez.es Dept. of Computer Science and Systems Engineering University of Zaragoza, Spain November 16, 2019 NoConName 2019 Barcelona, Spain

  2. $whoami Assistant Professor at University of Zaragoza Research lines : Performance/dependability/security system analysis Program binary analysis / forensics RFID/NFC security Speaker and trainer in several security-related conferences (NcN, HackLU, RootedCON, STIC CCN-CERT, HIP , MalCON, HITB. . . ) Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 2 / 30

  3. $whoami Assistant Professor at University of Zaragoza Research lines : Performance/dependability/security system analysis Program binary analysis / forensics RFID/NFC security Speaker and trainer in several security-related conferences (NcN, HackLU, RootedCON, STIC CCN-CERT, HIP , MalCON, HITB. . . ) Research team – we make really good stuff! Memory forensics Program binary analysis Exploiting/reversing Privacy issues (Tor) Miguel Martín-Pérez Daniel Uroz Open PhD positions, ping me after the talk! PhD. student PhD. student Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 2 / 30

  4. Agenda Introduction 1 Current Issues and Challenges 2 Conclusions 3 Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 3 / 30

  5. Introduction A little bit of recap... Preparation Post-incident Detect and activity Analysis Containment, Eradication, and Recovery Incident response as defined by NIST Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 4 / 30

  6. Introduction Incident response Figure out what the heck happened , while preserving data related to the incident Ask the well-known 6 W’s (what, who, why, how, when, and where) Common incident: presence of malicious software (malware) Different types of analysis to get hints : Computer forensics: disks + memory Network forensics Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 5 / 30

  7. Introduction Disk forensics : analysis of device drives Memory forensics : analysis of the data contained in the memory of the system under study Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 6 / 30

  8. Introduction Disk forensics : analysis of device drives Memory forensics : analysis of the data contained in the memory of the system under study Disk vs. memory Sometimes, access to physical device drives are difficult to achieve Think about current limits of storage capacity versus memory capacity Terabytes versus gigabytes Facilitates the initial triage Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 6 / 30

  9. Introduction How is memory forensics carried out? Dump the system’s memory into a data file 1 It stores the current state of the system The output file is known as memory dump Take the file offsite 2 Analyze with appropriate tools 3 For instance, Volatility or Rekall Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 7 / 30

  10. Introduction What does the memory dump contain? Full of data to analyze Every element susceptible to analyze is termed as a memory artifact Retrieved through appropriate internal OS structures or using a pattern-like search Snapshot of the running processes, logged users, open files, or open network connections – everything running at the time of acquisition It may contain also recent system resources freed Normally, memory is not zeroed out when freed Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 8 / 30

  11. Introduction How is the memory dump analyzed? Common tools : Volatility and Rekall Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 9 / 30

  12. Introduction How is the memory dump analyzed? Common tools : Volatility and Rekall Volatility De facto standard for analyzing memory dumps in computer forensics Released in 2007 at BH USA, Volatools . Open source under GNU GPLv2 Currently maintained by The Volatility Foundation. Implemented in Python Supports the analysis of memory dumps from Windows, Linux, and Mac OS, in both 32-bit and 64-bit Provides a rich, scriptable API to implement your own analysis plugins Stay tuned for Volatility version 3! Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 9 / 30

  13. Introduction A little more of recap... Malicious software (malware) analysis Determine what the heck the malware does as harmful activities Static analysis (or cold analysis ) Executable files are analyzed without being executed Every possible execution path is considered. Undecidable problem Dynamic analysis Executable files are analyzed when they are executed Only an execution path is considered – depends on inputs, current environment, etc. Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 10 / 30

  14. Introduction Talk guided by a demo Windows 7 x86 machine Alina malware (slightly modified for local connection) + system files Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 11 / 30

  15. Agenda Introduction 1 Current Issues and Challenges 2 Conclusions 3 Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 12 / 30

  16. Current Issues and Challenges Issue #1 A process file DOES NOT match its executable file counterpart! A process is a memory representation of an executable file Let me recap you some terminology here: executable file means the binary file as resides in disk Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 13 / 30

  17. Current Issues and Challenges Issue #1 A process file DOES NOT match its executable file counterpart! A process is a memory representation of an executable file Let me recap you some terminology here: executable file means the binary file as resides in disk Why is it possible? Windows PE loader pays his debts . IAT resolved, PE sections removed when mapped into memory (e.g., .reloc or Auhtenticode signatures) Pagination issues (pages are 4K-byte length, by default) Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 13 / 30

  18. Current Issues and Challenges Issue #1 Executable file Process Headers Headers .text .text .rdata .rdata .data .data DLL DLL file Heap DLL reallocation done by Windows PE loader Stack Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 14 / 30

  19. Current Issues and Challenges Issue #1 Executable file Process Headers Headers .text .text .rdata .rdata .data .data DLL DLL file Heap DLL reallocation done by Windows PE loader Stack Our solutions so far Plugin ProcessFuzzyHash : rely on approximation matching algorithms (instead of cryptographic hashes) [RMA18] Plugin pefile (Python) adapted for undoing the work done by Windows PE loader ( will be released soon! ) Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 14 / 30

  20. Current Issues and Challenges Issue #1 Introducing Approximation Matching Algorithms Identify similarities between different digital artifacts Level of granularity: Bytewise : Rely on byte stream Syntactic : Rely on internal structure Semantic : Use contextual attributes to interpret the artifact Type of similarity: Containment : Identify an object inside an artifact Resemblance : Similarity of similar size objects Similarity measure: m ∈ [ 0 , 1 ] ( m ∈ R ) Versus m ∈ { 0 , 1 } ( m ∈ Z ) , from cryptographic hashes Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 15 / 30

  21. Current Issues and Challenges Issue #1 Plugin ProcessFuzzyHash Integrates 4 different algorithms for approximate matching hash computation Bytewise granularity and resemblance dcfldd , ssdeep , SDhash , and TLSH Allows (easy) extension to support other algorithms Included in the official Volatility Framework (under GNU GPLv3 license) Approximation matching algorithms Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 16 / 30

  22. Current Issues and Challenges Issue #1 Plugin ProcessFuzzyHash hashing example $ python vol.py --plugins=ProcessFuzzyHash/ -f Win7.elf \ > --profile=Win7SP1x86 processfuzzyhash -A ssdeep,SDHash \ > -S pe,.text -N winlogon ,services Volatility Foundation Volatility Framework 2.6 Name PID Create Time Sec Algori Hash winlogon.exe 500 131483892000 pe ssdeep 6144:pzP/qv... winlogon.exe 500 131483892000 .text ssdeep 768:U+ucmmy... winlogon.exe 500 131483892000 pe SDHash sdbf:03:0::... winlogon.exe 500 131483892000 .text SDHash sdbf:03:0::... services.exe 544 131483892003 pe ssdeep 6144:Q/6kXE... services.exe 544 131483892003 .text ssdeep 1536:9RbbyD... services.exe 544 131483892003 pe SDHash sdbf:03:0::... services.exe 544 131483892003 .text SDHash sdbf:03:0::... Malware Detection in Memory Forensics: Issues and Challenges (R. J. Rodríguez) NoConName 2019 17 / 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

A RIZONA S TATE U NIVERSITY Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE U NIVERSITY Common Types of Attacks Phishing Malware SQLi XSS MITM DoS Brute-force &

858 views • 55 slides
FuncTracker Discovering Shared Code (to aid malware forensics) Presenter: Charles LeDoux

FuncTracker Discovering Shared Code (to aid malware forensics) Presenter: Charles LeDoux

FuncTracker Discovering Shared Code (to aid malware forensics) Presenter: Charles LeDoux University of Louisiana at Lafayette Shifting Focus of Malware Research New focus is on forensics tasks Old question: What? New questions:

523 views • 19 slides
Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info Malware Forensics and Incident Response Anti-Forensics Executables Stealth Techniques Live System Anti-Forensics Process

907 views • 76 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

347 views • 19 slides
Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate School What is Anti-Forensics? Computer Forensics: Scientific Knowledge for collecting, analyzing, and presenting evidence to the courts

322 views • 15 slides
D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command & Control Automotive Consumer Energy & Chemicals Paul Rascagneres - @r00tbsd Eric Leblond - @Regiteric D&D of malware with exotic C&C

781 views • 34 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software Architect 1 Agenda Problem Description Fileless Attacks Overview Common Injection Techniques Current Challenges with memory

870 views • 22 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of

1.04k views • 52 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales Shouhuai Xu Ravi Sandhu SEI @ CMU CS @ UTSA ICS @ UTSA Roadmap Motivation Experimental Methodology Experimental Results Summary

560 views • 16 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Connecting people: WebRTC and the Pexip collaboration platform TF-WebRTC : May 19, 2015 Who are

Connecting people: WebRTC and the Pexip collaboration platform TF-WebRTC : May 19, 2015 Who are

Connecting people: WebRTC and the Pexip collaboration platform TF-WebRTC : May 19, 2015 Who are Pexip? Founded in April 2012 Strong video heritage Manufacture Infjnity a pure-software, virtualized, distributed, scalable

553 views • 38 slides
WebAudio Deep Note DeveloperWeek Nov 7, 2018 Austin, TX

WebAudio Deep Note DeveloperWeek Nov 7, 2018 Austin, TX

Stoyan Stefanov @stoyanstefanov WebAudio Deep Note DeveloperWeek Nov 7, 2018 Austin, TX youtube.com/results?search_query=simpsons+thx Story time THX James Andy Moorer (interview) ASP Chaos to order inspiration: J.S.Bach:

886 views • 51 slides
Exploring HTML 5 Thierry Sans Geolocation Get GPS coordinates

Exploring HTML 5 Thierry Sans Geolocation Get GPS coordinates

Exploring HTML 5 Thierry Sans Geolocation Get GPS coordinates navigator.geolocation.getCurrentPosition (success); function success(position) { let lat = position.coords.latitude ; let long = position.coords.longitude ; } and use Google

949 views • 31 slides
Using Video and Adding Graphical Elements with a Canvas Gill Cleeren @gillcleeren Hear and see

Using Video and Adding Graphical Elements with a Canvas Gill Cleeren @gillcleeren Hear and see

Using Video and Adding Graphical Elements with a Canvas Gill Cleeren @gillcleeren Hear and see with the new audio and Outline video elements Drawing with JavaScript on a Canvas Target of This Module Well have added a video to our coffee

572 views • 41 slides
Distributed Training on HPC Presented By: Aaron D. Saxton, PhD Statistics Review Simple y =

Distributed Training on HPC Presented By: Aaron D. Saxton, PhD Statistics Review Simple y =

7/11/19 Distributed Training on HPC Presented By: Aaron D. Saxton, PhD Statistics Review Simple y = $ + regression Least Squares to find m,b With data set { ) , ) } )-.,..,0 Very special, often hard to

433 views • 16 slides
Non-Standard Behavior of Density Estimators for Functions of Independent Observations Wolfgang

Non-Standard Behavior of Density Estimators for Functions of Independent Observations Wolfgang

Non-Standard Behavior of Density Estimators for Functions of Independent Observations Wolfgang Wefelmeyer (University of Cologne) based on joint work with Anton Schick (Binghamton University) mailto:wefelm@math.uni-koeln.de

235 views • 9 slides
Stanford CS193p Developing Applications for iOS Fall 2017-18 CS193p Fall 2017-18 Today Emoji

Stanford CS193p Developing Applications for iOS Fall 2017-18 CS193p Fall 2017-18 Today Emoji

Stanford CS193p Developing Applications for iOS Fall 2017-18 CS193p Fall 2017-18 Today Emoji Art Demo continued UITextField to add more Emoji Persistence UserDefaults Property List Archiving and Codable Filesystem Core Data Cloud Kit

788 views • 59 slides
Concurrent Revisions A novel determinis2c concurrency model Daan

Concurrent Revisions A novel determinis2c concurrency model Daan

Concurrent Revisions A novel determinis2c concurrency model Daan Leijen Microso9 Research Side effects and TPL TPL is great for introducing parallelism

532 views • 37 slides

More recommend