Malware Memory And Network Forensics
IJSART - Volume 1 Issue 3 – March 2015, ISSN [ONLINE]: 2395-1052
Rushita Dave1, Darsh Patel2, Anisetti Anjaneyulu3
1 Digital Forensics Analyst, esF Labs Ltd.
Abstract- This paper presents malware behaviour in different states of computers infected by malicious code. Malicious programs spy on users' behaviour and compromise their privacy. Malicious access to, and processing of, user information is the fundamental trait of many malware categories that breach users' privacy (including key loggers, password stealers, network sniffers, stealth backdoors, spyware and rootkits), and it originates in malicious binary code. This paper introduces the behaviour of malware in the network traffic and in the memory of a suspect system. The forensic analysis is carried out over the memory-resident processes and the network activity of that system; together they help memory analysis identify the malicious code and explain how the specimen was used on the suspect system.
Index Terms- MSF Encode, Trojan Binary Signature, Exe File Carving, Process Dump Analysis, Credential Analysis In Memory Dump
I. INTRODUCTION
A program designed to carry out malicious operations is known as malware, a term short for "malicious software". If the author of a program is malicious, they can abuse whatever privileges are available to that program to carry out malicious actions.
Depending on the access control system in place, which restricts what each user is authorised to do, the program will typically be able to misuse the authority of the user who runs it. If the code is run by an end user, it typically has access to all of that user's personal files; if it manages to get itself run by a superuser (root/Administrator), it can typically change any aspect of the system, including replacing other programs and deleting critical files.
An attacker therefore only needs to find a way to get the malware onto a victim's computer.
II. USING MSF TO CREATE A TROJAN EXECUTABLE
The Metasploit Framework (MSF) is one of the most powerful tools in an ethical hacker's software collection. MSF contains an immense library of exploits and a framework for developing exploits, as well as numerous other security features, such as tools for information gathering.
A payload is the code that the attacker wants to run on a victim's system. Metasploit comes with a huge collection of different kinds of payloads that it can generate.
Fig.1 - MSF Payload for encode
Here the payload is Metasploit's windows/adduser payload, which builds a Trojan horse that simply adds a new user to a victim's Windows system. Listing the payload shows a number of configuration options along with their default values, among them the user name and password to create. The password must satisfy the target's complexity requirements or the net user command the payload runs will fail, so confirm the settings before generating the payload.
Once executed, the payload does the attacker's work: a new user is added to the system. To generate a C code version of the payload, simply append "C" to the command; the resulting byte array is the Trojan's binary signature.
Fig.2 - Binary Signature of Trojan
The next step in creating the Trojan horse is to produce an executable program that will actually run this code. To do this we specify "X" as the output type and send the result to a new file. This generates a Windows executable in the current directory.
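The C-form output above is only useful to an examiner once it is turned back into bytes that can be hashed and searched for. The following is an added example, not code from the paper: it assumes the array came from the "C" output type described in this section, decodes it, derives a signature (hashes plus the embedded command line), and locates the raw payload inside a larger binary such as the "X"-format executable. The C array, the stand-in executable, the user name ESF and the password are constructed for the example; the real adduser payload bytes are not reproduced.

```python
"""Turn the C-form payload (the "binary signature" of Fig.2) into something a
forensic examiner can search for.

Added example; not code from the paper.  The C array below is CONSTRUCTED to
have the shape of the framework's C output (a few filler bytes followed by
the command line the adduser payload runs); it is not the real payload, and
the user name and password are made up.
"""
import hashlib
import re

SAMPLE_C_OUTPUT = r'''
/* constructed sample in the shape of the framework's C output */
unsigned char buf[] =
"\x90\x90\xde\xad\xbe\xef\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x45\x53\x46\x20"
"\x50\x40\x73\x73\x77\x30\x72\x64\x20\x2f\x41\x44\x44\x00";
'''


def c_array_to_bytes(text):
    """Decode every "\\x.." string literal of a C byte array back to bytes."""
    literals = re.findall(r'"((?:\\x[0-9a-fA-F]{2})+)"', text)
    return bytes.fromhex("".join(literals).replace("\\x", ""))


def printable_strings(data, min_len=6):
    """strings(1)-style extraction of ASCII runs; on an unencoded payload this
    surfaces the embedded command line (user name and password included)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def signature(payload):
    """Hashes plus embedded strings: enough to recognise the Trojan later in a
    carved download, an executable or a process dump."""
    return {
        "size": len(payload),
        "md5": hashlib.md5(payload).hexdigest(),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "strings": printable_strings(payload),
    }


def find_payload(container, payload):
    """Offset of the raw payload inside a larger blob, or -1 if absent."""
    return container.find(payload)


PAYLOAD = c_array_to_bytes(SAMPLE_C_OUTPUT)

# Constructed stand-in for the X-format executable: a DOS header, filler, and
# the unencoded payload embedded verbatim, so the signature finds it.
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"\x90" * 100 + PAYLOAD + b"\x00" * 16

if __name__ == "__main__":
    sig = signature(PAYLOAD)
    print(sig["size"], sig["sha256"], sig["strings"])
    print("payload at offset", find_payload(SAMPLE_EXE, PAYLOAD))
```

One caveat worth keeping in mind: the raw byte signature only matches an unencoded payload. Once the payload is passed through an encoder (the "MSF Encode" of the index terms) the bytes on disk and on the wire change, and the examiner has to take hashes from the encoded file itself, or search for the decoded payload and its strings in memory after it has run.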
Fig.3 - Payload of exe file
Next, start a web server to share the Trojan. Begin by creating a directory to hold the shared files, copy the new Trojan into it (cp Game.exe /var/www/share/), and start the Apache web server.
Fig.4 - Shared .exe File
Run the Trojan horse just downloaded in the Windows VM. Open a command prompt and view the list of users on the system: the Trojan has done its work and a new Administrator user, named ESF, exists on the Windows system.
Fig.5 - New User (ESF) created by .exe
Targeted attacks, or what have come to be known as "advanced persistent threats (APTs)", are extremely successful. However, instead of focusing on the attack methods and their effects in order to improve network defences, many seem more concerned with debating whether they are "advanced" or not from a technical perspective.
The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Regrettably, digital examiners frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains precious information about the runtime state of the system, provides the ability to link evidence from traditional forensic analysis (network, file system, registry), and gives the examiner the means to establish investigative leads that have been unknown to most cyber forensics analysts. Malicious adversaries have been exploiting this knowledge gap to undermine many aspects of the digital investigation process with such things as anti-forensic techniques, memory-resident malware, kernel rootkits, encryption (of file systems, network packet traffic, etc.) and the "Trojan defence". The only way to turn the tables and defeat a creative human adversary is through talented analysts.
LIVE ANALYSIS
Full content packet captures can provide valuable insight into an analysis or investigation. Depending on where the capture mechanism is installed, an analyst is sometimes able to recreate an exact timeline of events between two or more hosts. A key component of this method is being able to reproduce the content transferred between hosts based solely on the packet capture. With a full content packet capture it is possible to extract a bit-for-bit copy of files transferred between hosts across many application-layer protocols, both TCP- and UDP-based.
In the live detection of the malware, Wireshark captured the executable file (Game.exe) in packet no. 7 and also captured the source and destination IP addresses. In the frame section the destination IP address is 192.168.0.45, which is the attacker's IP address on the Kali Linux platform (the victim's download request is addressed to it, and the executable comes back from it).
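Extracting that bit-for-bit copy by hand means reassembling the TCP stream in sequence order and cutting the file out of the HTTP response body. The block below is an added example, not code from the paper or from Wireshark: it builds a small capture in memory that mirrors the scenario on this page (the victim downloads Game.exe over HTTP from the attacker's share at 192.168.0.45), reassembles the stream and carves the PE image, using the standard library only. The victim address 192.168.0.50, the port numbers, the frames and the tiny stand-in "PE" payload are constructed for the example.

```python
"""Carve the transferred executable (Game.exe) out of a full-content capture.

Added example; not code from the paper.  The frames, the victim address,
the ports and the stand-in PE payload are CONSTRUCTED; the attacker address
is the one the paper reports.  Standard library only.
"""
import hashlib
import re
import struct
from collections import defaultdict

ATTACKER = "192.168.0.45"   # attacker's Kali host, as captured in the paper
VICTIM = "192.168.0.50"     # constructed; the paper does not give it

# Constructed stand-in for Game.exe: a DOS header whose e_lfanew (offset
# 0x3C) points at a PE signature, followed by filler.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 32


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def make_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame.  Checksums are left zero: reassembly does not
    need them, and a real capture would carry valid ones."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def make_pcap(frames):
    """Classic libpcap file: 24-byte global header, 16-byte record headers."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def tcp_streams(pcap):
    """Group TCP payload by (src, sport, dst, dport) and reassemble it in
    sequence-number order, so out-of-order segments land where they belong."""
    segs = defaultdict(dict)
    off = 24
    while off < len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                      # not TCP
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        data = tcp[(tcp[12] >> 4) * 4:]
        if data:
            segs[(src, sport, dst, dport)][seq] = data
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segs.items()}


def carve_pe(blob):
    """First PE image in blob: an 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    return None


def carve_download(pcap):
    """Pair the HTTP GET with its response and carve the file from the body,
    honouring Content-Length so trailing stream data is not glued on."""
    result = {}
    for (src, sport, dst, dport), data in tcp_streams(pcap).items():
        m = re.match(rb"GET (\S+) HTTP/1\.[01]", data)
        if m:
            result.update(uri=m.group(1).decode(), victim=src, server=dst)
        elif data.startswith(b"HTTP/1."):
            head, _, body = data.partition(b"\r\n\r\n")
            cl = re.search(rb"Content-Length:\s*(\d+)", head, re.IGNORECASE)
            if cl:
                body = body[:int(cl.group(1))]
            pe = carve_pe(body)
            if pe:
                result.update(exe=pe, sha256=hashlib.sha256(pe).hexdigest())
    return result


def build_sample_pcap():
    """Constructed capture: one GET, and a response whose body is split in
    two segments that were recorded out of order."""
    request = b"GET /share/Game.exe HTTP/1.1\r\nHost: 192.168.0.45\r\n\r\n"
    header = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
              b"Content-Length: %d\r\n\r\n" % len(FAKE_PE))
    seq = 1000
    return make_pcap([
        make_frame(VICTIM, ATTACKER, 49152, 80, 5000, request),
        make_frame(ATTACKER, VICTIM, 80, 49152, seq + len(header) + 40, FAKE_PE[40:]),
        make_frame(ATTACKER, VICTIM, 80, 49152, seq, header),
        make_frame(ATTACKER, VICTIM, 80, 49152, seq + len(header), FAKE_PE[:40]),
    ])


if __name__ == "__main__":
    r = carve_download(build_sample_pcap())
    print(r["victim"], "->", r["server"], r["uri"], len(r["exe"]), "bytes", r["sha256"])
```

The two things an automated export (Wireshark's own Follow TCP Stream or Export Objects) does for you, and which a manual carve has to reproduce, are exactly the ones handled above: segments must be ordered by sequence number rather than by capture order, and the file must end where the HTTP body ends, not where the stream ends. Chunked transfer encoding and retransmitted overlapping segments are the next cases a real tool has to cover.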
Fig.6 - .Exe Packet of Source IP
Another Wireshark technique for malware analysis is the Expert Info function. It lists packet-level details, and from those details the particular packet carrying the executable file shared from the attacker's platform can be picked out.
Fig.7 - Expert Info Detail Packet
This demonstrates a simple method of extracting an executable transferred across a session identified in a packet capture (here, the HTTP download of Game.exe from the Apache share). The only tool needed is Wireshark, which is freely available for Mac, Linux and Windows. There are tools that automate this operation in many scenarios, but forensic analysts should understand the underlying concepts so that, when an automated tool falls short, files can be extracted manually.
Fig.8 - Destination Host IP Packet
Another technique for live malware detection uses NetworkMiner. First capture the packets; in the analysis section NetworkMiner detects the direct link to the executable file and shows where that executable was stored on the victim system, which it reports as the reconstructed file path.
Fig.9 - Attacker's Platform Information
DEAD ANALYSIS
Dead analysis works from two kinds of manually generated memory dump: an application memory dump (user-mode dump) of a single process, and a kernel-mode dump (complete memory dump) of the whole system. First take a process dump of the victim's browser. Analysing it in the WinHex editor reveals the destination path with the IP address (192.168.0.45) and the executable name (game.exe).
The dump also reveals the MAC address of the attacker's machine, its platform, its IP address and the port of the TCP connection.
Fig.10 - Shared .Exe File In Memory Dump
With a hex editor, a user can see or edit the raw and exact contents of a file, as opposed to the interpretation of the same content that other, higher-level application software associates with the file format. For example, this could be raw image data, in contrast to the way image-editing software would interpret and display the same file.
On the other side, the user name and password of the account that the attacker set up for direct access to the victim's system are also found in the dump.
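The artefacts located above in a hex editor (the attacker's address, the executable name and path, the account credentials) can be pulled out of a dump automatically. The following is an added example, not code from the paper: it scans a raw process or memory dump for IPv4 addresses, URLs, executable paths and net user command lines, and it does so both in the raw bytes and inside UTF-16LE strings, because Windows stores command lines, paths and URLs as wide strings that an ASCII-only search, or the ASCII pane of a hex editor, does not show as readable text. The dump, the user name ESF and the password are constructed for the example.

```python
"""Scan a raw process or memory dump for network and credential artefacts.

Added example; not code from the paper.  The dump, the account name and the
password below are CONSTRUCTED; the attacker address is the one the paper
reports.  Standard library only.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "offset encoding kind value")

WIDE = rb"(?:[\x20-\x7e]\x00){6,}"            # UTF-16LE run of printable ASCII
PATTERNS = [
    ("ip", rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    ("url", rb"https?://[\x21-\x7e]+"),
    ("exe", rb"(?:[A-Za-z]:\\[\w\-. \\]*)?[\w\-.]+\.exe"),
    ("cred", rb"net\s+user\s+(\S+)\s+(\S+)\s+/add"),
]


def _valid_ip(s):
    return all(0 <= int(o) <= 255 for o in s.split("."))


def _views(dump):
    """Yield (encoding, byte offset of the view, bytes to search).  The first
    view is the raw dump; the rest are wide strings folded down to ASCII."""
    yield "ascii", 0, dump
    for m in re.finditer(WIDE, dump):
        yield "utf-16le", m.start(), m.group().decode("utf-16le").encode()


def scan_dump(dump):
    """Return {'ip': [...], 'url': [...], 'exe': [...], 'cred': [...],
    'hits': [Hit, ...]}; offsets are file offsets usable in a hex editor."""
    hits = []
    for enc, base, text in _views(dump):
        for kind, pat in PATTERNS:
            for m in re.finditer(pat, text, re.IGNORECASE):
                if kind == "cred":
                    value = m.group(1).decode() + ":" + m.group(2).decode()
                else:
                    value = m.group().decode()
                    if kind == "ip" and not _valid_ip(value):
                        continue          # e.g. 999.1.1.1 is version-like junk
                width = 2 if enc == "utf-16le" else 1
                hits.append(Hit(base + m.start() * width, enc, kind, value))
    summary = {k: sorted({h.value for h in hits if h.kind == k}) for k, _ in PATTERNS}
    summary["hits"] = sorted(hits)
    return summary


# Constructed dump: an ASCII HTTP request, binary filler, a wide download
# path and a wide command line of the kind the adduser payload leaves behind,
# then an IP-looking byte run that should be rejected.
DUMP = (
    b"\x00" * 24
    + b"GET http://192.168.0.45/share/Game.exe HTTP/1.1\r\n"
    + b"\xde\xad\xbe\xef" * 8
    + "C:\\Users\\victim\\Downloads\\Game.exe".encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 16
    + ("cmd.exe /c net user ESF P@ssw0rd /ADD && "
       "net localgroup Administrators ESF /ADD").encode("utf-16le") + b"\x00\x00"
    + b"\xff" * 8 + b"999.1.1.1" + b"\x00" * 8
)

if __name__ == "__main__":
    for h in scan_dump(DUMP)["hits"]:
        print(f"{h.offset:#08x} {h.encoding:9} {h.kind:5} {h.value}")
```

Each hit carries the file offset of the match, so a finding can be taken straight back to the hex editor for context. The credentials come out of the command line rather than out of any password store: the adduser Trojan has to pass the password to net user in clear text, and that string stays in the process memory of whatever ran it.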
Fig.11 - Credential Of Account User
Have you ever wondered exactly how Windows assigns physical memory, how much file content is cached in RAM, or how much RAM is used by the kernel and device drivers? RAMMap is an advanced physical memory usage analysis utility for Windows Vista and higher.
In RAMMap the game.exe process is found with process ID 2072 in session 1.
Fig.12 - Process ID Of .Exe File
A computer program is a passive collection of instructions; a process is the actual execution of those instructions. Several processes may be associated with the same program.
Process Monitor provides comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.
Analysing the game.exe process with it yields the process name, the PID, the file-creation operation and the file location path. The detail pane shows the file attributes, creation time, last access time, last write time and change time.
Reverse engineers within anti-virus, vulnerability research and forensics companies face the challenge of analysing a large number of malicious programs appearing at an incredible rate. Software developers look for an effective way to safely inspect and dissect potentially harmful Windows executable files. Meeting this need, Heaventools offers PE Explorer, an integrated collection of tools that provide a framework for working with EXE, DLL, ActiveX controls and other executable file formats that run on 32-bit Microsoft Windows platforms.
Fig.13 - DLL Processes In Dump File
Though anti-virus software is continually getting better, a very significant percentage of malware escapes the automated screening process. PE Explorer offers an in-depth look at the inner workings of downloaded executable files, and helps software companies determine whether a binary is harmful by examining it manually, without relying on automated scanning engines.
Fig.14 - User Credential In Processes
PE Explorer can help you learn the minimum set of DLL files required for the EXE file to load and run, and the complete path to the modules loaded by the EXE file. It is helpful in discovering missing or invalid modules, import/export mismatches, circular dependencies and other module-related problems, and in troubleshooting system errors caused by the loading or executing of modules.
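The DLL dependencies PE Explorer displays come from the executable's import directory, and reading it directly is a good way to understand what the viewer is showing. The block below is an added example, not code from the paper and not PE Explorer: it builds a minimal, constructed PE32 file with an import table, then parses the COFF header, the section table and the import directory the way a dependency viewer does, and flags imports that deserve a closer look. The DLL and function names are a constructed watch-list of account-manipulation and process-creation APIs; the page does not list what the real Game.exe imports.

```python
"""List the DLLs and functions an executable imports, from its PE import
directory.

Added example; not code from the paper and not PE Explorer.  The PE file,
its timestamp and its imports are CONSTRUCTED.  Standard library only.
"""
import struct

SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateProcessA", "WinExec"],
    "NETAPI32.dll": ["NetUserAdd", "NetLocalGroupAddMembers"],
}
WATCHLIST = {"NetUserAdd", "NetLocalGroupAddMembers", "WinExec", "CreateProcessA",
             "CreateProcessW", "CreateRemoteThread", "WriteProcessMemory",
             "URLDownloadToFileA", "ShellExecuteA"}


def build_sample_pe(imports, timestamp=1425168000):
    """Constructed PE32: DOS header, COFF header, optional header and one
    .rdata section holding the import directory, names and thunks.
    The timestamp default is 2015-03-01 UTC, chosen for the example."""
    sec_rva, sec_raw = 0x1000, 0x200
    idt_size = 20 * (len(imports) + 1)          # one 20-byte entry per DLL + null
    tail = bytearray()                           # data placed after the IDT

    def add(blob):
        rva = sec_rva + idt_size + len(tail)
        tail.extend(blob)
        return rva

    idt = b""
    for dll, funcs in imports.items():
        name_rva = add(dll.encode() + b"\x00")
        hn = [add(struct.pack("<H", 0) + f.encode() + b"\x00") for f in funcs]
        thunks = b"".join(struct.pack("<I", r) for r in hn) + b"\x00" * 4
        int_rva, iat_rva = add(thunks), add(thunks)
        idt += struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva)
    section = idt + b"\x00" * 20 + bytes(tail)

    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8, sec_rva, idt_size)   # DataDirectory[1] = imports
    opt = struct.pack("<H", 0x10B) + b"\x00" * 90 + struct.pack("<I", 16) + bytes(dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), sec_rva,
                       len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + coff + opt + sect
    return headers.ljust(sec_raw, b"\x00") + section


def parse_pe(pe):
    """Machine, timestamp, section names and {dll: [function, ...]} imports."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B        # PE32+ moves the directories
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if is64 else 96) + 8)[0]

    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, raw = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\x00").decode(), vaddr, max(vsize, rsize), raw))

    def rva2off(rva):
        for _, vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return raw + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstr(off):
        return pe[off:pe.index(b"\x00", off)].decode()

    imports = {}
    off = rva2off(imp_rva) if imp_rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if name_rva == 0:
            break                                 # null entry ends the table
        fmt, flag = ("<Q", 1 << 63) if is64 else ("<I", 1 << 31)
        thunk, funcs = rva2off(oft or ft), []
        while True:
            entry = struct.unpack_from(fmt, pe, thunk)[0]
            thunk += struct.calcsize(fmt)
            if entry == 0:
                break
            funcs.append(f"#{entry & 0xFFFF}" if entry & flag else cstr(rva2off(entry) + 2))
        imports[cstr(rva2off(name_rva))] = funcs
        off += 20
    return {"machine": machine, "timestamp": ts,
            "sections": [s[0] for s in sections], "imports": imports}


def flag_imports(imports):
    """(dll, function) pairs on the watch-list."""
    return [(d, f) for d, fs in imports.items() for f in fs if f in WATCHLIST]


if __name__ == "__main__":
    info = parse_pe(build_sample_pe(SAMPLE_IMPORTS))
    print(info["imports"])
    print(flag_imports(info["imports"]))
```

Two limits are worth knowing when reading a real sample this way: a packed or encoded binary typically imports almost nothing (often only LoadLibrary and GetProcAddress) and resolves the rest at run time, so an empty import table is itself a finding, and a module loaded with LoadLibrary never appears here at all, which is why the in-memory module list (Fig.13) and the static import table should be compared rather than trusted alone.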
III. CONCLUSION
This paper provided a memory-level introduction to the topic of malware analysis, and some practical techniques and tools that can be used to conduct a limited forensic analysis of Windows programs of unknown functionality. Two platforms were used, one for the attack and one for the analysis. The memory forensics part analysed the signature-based DLL and process listing, the credentials of the user, and the memory dump tools that expose the malware's behaviour; network tools were used for file carving and for following the live activity of the executable through packet analysis.