Friday, October 23, 2009

Although I quite like this blogging lark, you will notice from the total lack of activity in recent months that I’m not very good at it. Fact of the matter is that I’ve been extremely busy, which I guess in the current climate I should be thankful for. Computer Forensics is a good career choice in a recession as, simply put, there are always bad people. In fact there is some evidence that white collar crime (and today that almost always involves computers) is on the rise as people worry about jobs, mortgages etc., and when an opportunity to pilfer away a quick buck is found, many will succumb.

I’m writing this on a train to the Midlands where I’m helping a Bank improve its analysis of Malware written specifically to target its customers. This too is on the rise, with phishing attacks commonplace. The problem with Malware written specifically for a task is that the AV products often don’t have a signature for it and hence it renders itself fairly invisible even from the ‘Heuristic’ scanners. To counter this it seems that the AV companies are lowering the bar; almost every time I write a script or compile a new piece of code, Kaspersky or AVG or McAfee scream that it’s Root Ware, or a Trojan or something equally nasty.

Download virtually any of the fabulously useful tools from Nirsoft (www.nirsoft.com) such as their password recovery, USB key parser or Wifi tool and, wham, ‘It’s a virus!!’. No, it’s not. The Cain & Abel password recovery tool recently started triggering an alert, Nessus fires an alert… what is going on? It feels at the moment that any software tool not in their database is automatically a Trojan come to steal your car, wallet and way of life.

Anyhow, rant aside, there has to be a better way of analysing Malware and I think RAM is the answer. Nothing can hide in RAM; processes hidden from the OS can be uncovered in RAM. Many tools use a process called list walking to discover processes running in live RAM or a RAM dump; however, direct kernel object manipulation (DKOM) can take a process out of the ‘flow’, making it essentially invisible to the OS and to list-walking programs. Psscan2 in the Volatility suite overcomes this by scanning the dump file for process objects whether or not they are connected to others. Outputting this view in dot format and opening it in something like Graphviz provides a fantastic, clean view of the running processes and their threads. Simply invoke it with:

python volatility psscan2 -d -f <path-to-RAM-dump> > output.dot

Analysing the process start times, threads and parents, exe path and other variables provides a very ‘quick win’ when searching for malware of any type.

This is a manual process and would be tricky to automate but very worthwhile to do if malware analysis is your business.
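The difference between list walking and scanning described above, as an added toy example (not code from this post or from Volatility). The record layout, tag, offsets and process names are all constructed for illustration and are not the real Windows structures.

```python
import struct

# Constructed toy layout, NOT the real Windows EPROCESS structure:
# tag, pid, parent pid, forward link, back link (links are dump offsets), name.
REC = struct.Struct("<4sIIII16s")
TAG = b"Proc"

def build_sample_dump():
    """Constructed 'RAM dump': four records; pid 666 is bypassed by its neighbours."""
    procs = {0x40: (4, 0, b"System"), 0x100: (500, 4, b"services.exe"),
             0x1C0: (666, 500, b"svch0st.exe"), 0x280: (900, 500, b"explorer.exe")}
    chain = [0x40, 0x100, 0x280]  # 0x1C0 left out, as after a DKOM unlink
    dump = bytearray(0x300)
    for off, (pid, ppid, name) in procs.items():
        k = chain.index(off) if off in chain else None
        flink = off if k is None else chain[(k + 1) % len(chain)]
        blink = off if k is None else chain[k - 1]
        REC.pack_into(dump, off, TAG, pid, ppid, flink, blink, name)
    return bytes(dump), chain[0]

def unpack(dump, off):
    _, pid, ppid, flink, _, name = REC.unpack_from(dump, off)
    return pid, ppid, flink, name.rstrip(b"\0").decode()

def list_walk(dump, head):
    """Follow forward links from the head, as a list-walking tool does."""
    seen, off = {}, head
    while off not in seen:
        pid, ppid, flink, name = unpack(dump, off)
        seen[off] = (pid, ppid, name)
        off = flink
    return set(seen.values())

def scan(dump):
    """Search the whole dump for the record tag, linked or not (the psscan2 idea)."""
    found, pos = set(), dump.find(TAG)
    while pos != -1 and pos + REC.size <= len(dump):
        pid, ppid, _, name = unpack(dump, pos)
        found.add((pid, ppid, name))
        pos = dump.find(TAG, pos + 1)
    return found

def hidden_processes(dump, head):
    """Cross-view diff: records the scan finds that the list walk never reaches."""
    return sorted(scan(dump) - list_walk(dump, head))

if __name__ == "__main__":
    dump, head = build_sample_dump()
    for pid, ppid, name in hidden_processes(dump, head):
        print(f"not in process list: pid={pid} ppid={ppid} name={name}")
```

On a real image, records found only by the scan also include processes that have already exited, so each hit still needs the manual look at start times and parents.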

Few minutes til the train is due in so will speak later, hopefully sooner!