IJSART - volume 1 Issue 3 –MARCH 2015 ISSN [ONLINE]: 2395-1052 Malware Memory And Network Forensics Rushita Dave1, Darsh Patel2, Anisetti Anjaneyulu3 1 Digital Forensics Analyst esF Labs Ltd. Abstract- This paper presents a malware behaviourin different states of computers that are infected by malicious codes or signatures. Malicious programs spy on users' behavior and compromise their privacy. Malicious information access and processing behavior is the fundamental trait of numerous malware categories breaching users' privacy (including key loggers, password thieves, network sniffers, stealth backdoors, spyware and rootkits), which comes from malicious binary codes. In this paper introduce malware behavior in network and memory of suspect system. This malware forensic analysis done using all memory processes & network activities. These all processes can help for Memory analysis identify malicious code and explain how the specimen was used on the suspect system. Index Terms- MSF Encode, Trojan Binary Signature, Exe File Carving, Process Dump Analysis, Credential Analysis In Memory Dump I. INTRODUCTION A program that is designed to carry out malicious operation is known as malware, which is a term short for “malicious software”. If the initiator of a program is malicious, then they can abuse the supremacy available to the program to carry out malicious exertion. Depending on the access control systems in place, which restrict what each user is authorize to do, the program will typically be able to misuse the authority of the user that runs the program. If the code is run by a end user, then it typically has explosion to all of the user’s personal files, and if it manipulate to be run by a superuser (root/Administrator), then it can typically make changes to any aspect of the system, including replacing other programs and deleting achieve files. A striker just needs to find achieve way to get the malware onto a victim’s computer. II. USING MSF TO CREATE TROJAN OPERABLE The Metasploit framework (MSF) is one of the most powerful tools in an ethicalhacker’s software collection. MSF contains an immense library of exploits and a framework for developing exploits, as well as numerous other security features, such as tools for information gathering. Page | 38 A payload refers to the malicious code that we want to run on a victim’ssystem. Metasploit comes with a huge collection of different kinds of payloads that it can generate. Fig.1 - MSF Payload for encode For creating a Trojan horse that simply adds a new user to a victim’s Windows system.that there are a number of structure options, along with their absence values.The above command will check the password for complexity requirements, and confirm the settings will be applied correctly. Executed will result in attacker’s payload: a new user will be added to the system.To generate a C code version, simply append “C”. Fig.2 - Binary Signature of Trojan For creating a Trojan horse, the next step is to create an executable program that will actually run this code. To do this we specify “X” as attacker’s output type, and sendthe result to a new file.This has generated a windows executable incurrentdirectory. www.ijsart.com IJSART - volume 1 Issue 3 –MARCH 2015 Fig.3 - Payload of exe file Start a Web server to share Trojan.Start by creating a directory to place user files: Copy new Trojan to this location.cpGame.exe /var/www/share/ Start the Apache Web server: ISSN [ONLINE]: 2395-1052 system, registry, and provides the mastery to ascertain investigative leads that have been unbeknownst to most cyber forensics analysts. Malicious nemesis have been controlling this knowledge disparity to undermine many aspects of the digital investigation process with such things as anti-forensics expertise, memory resident malware, kernel rootkits, encryption (file systems, network packet traffic, etc), and Trojan denial. The only way to turn-the-tables and defeat a creative digital human adversary is through talented analysts. LIVE ANALYSIS Fig.4 - Shared .exe File Run the Trojan horse and just downloaded in the Windows VM.Open a command prompt and view a list of the users on the system.the Trojan has done its activity and a new Administrator user exists on the Windows system.it known as user ESF. Full content packet captures can provide valuable insight into an analysis or investigation. Depending on the installation of the capture mechanism an analyst is sometimes able to recreate an exact timeline of events between two or additional hosts. A key component of this method is being able to replicate content transferred between hosts based solely on the packet traffic capture. With a full content packet data capture it is possible to extract a bit-for-bit copy of files transferred between hosts across many application-layer protocols,TCP and UDP based. In the live detection of malware wireshark capture exe file(Game.exe) in packet no:7& also capture Source ip address & destination ip address..in the frame section there is destination ip address(192.168.0.45) which known as attacker’s ip of kali Linux platform. Fig.5 - New User (ESF) created by .exe Targeted attacks or what have come to be known as “advanced persistent threats (APTs)” are extremely successful. However, instead of focusing on the attack methods and effects to improve network defenses, many seem more concerned with debating whether they are “advanced” or not from a technical perspective. The ability to perform digital investigations and incident response is becoming a critical skill for many occupations. Regrettably,digital examiner frequently lack the training or experience to take advantage of the volatile artifacts found in physical memory. Volatile memory contains precious information about the runtime state of the system, provides the ability to link sediments from traditional forensic analysis like network, file Page | 39 Fig.6 - .Exe Packet of Source IP In the other technique for malware analysis there is one function in wireshark which known as expert info..In this function www.ijsart.com IJSART - volume 1 Issue 3 –MARCH 2015 ISSN [ONLINE]: 2395-1052 there are packet details.in details capture particular packet of exe file which is share from attacker’s platform. Fig.7 - Expert Info Detail Packet This will demonstrate a simple method of extracting an executable transferred across an FTP session identified in a packet traffic capture. The only tool needilable is Wireshark which is freely available for Mac, Linux, and Windows platforms. There are tools available which automate this operation in many scenarios, but forensic analysts should perceive the centraling concepts so, in the case that an automated tool falls short, files can be separate manually. Other technique for live malware detection in network miner first capture packets .In the analysis section detect direct link of exe file & found where particular exe stored in victim system which known as reconstruction file path. Fig.9 - Attacker’s Platform Information DEAD ANALYSIS This paper walks through the analysis of an application hang caused by a chain of RPC calls. The first part of the paper discusses the manually generated application memory dump (user mode dump) and the second part focuses on the manually generated kernel mode dump (complete memory dump).first take process dump of victim browser.In analysis time found the destination path with ipaddress (192.168.0.45) & exename (game.exe) in winhex editor. There are also detect MAC address of attacker’s machine,platform,ip address & port connection of TCP protocol. Fig.10- Shared .Exe File In Memory Dump With a hex editor, a user can see or edit the raw and exact contentsof a file,asopposed to the interpretation of the same content that other, top- level application software may equate with the file format. For example, this could be raw image data, in contrast to the way assembling software would interpret and show the same file. Fig-8 - Destination Host IP Packet Page | 40 In the other side found USERNAME & PASSWORD for user account which set by attacker’s to direct access the user system. www.ijsart.com IJSART - volume 1 Issue 3 –MARCH 2015 ISSN [ONLINE]: 2395-1052 ActiveXcontrols, and other executable file formats that run on MS Windows 32-bit platforms. Fig.11 - Credential Of Account User Have you ever wondered exactly how Windows is assigning physical memory, how much file contain is cached in RAM, or how considerable RAM is used by the kernel and device drivers?RAMMap is an approached physical memory usage analysis utility for Windows XP and higher. In the RAMMap found a particular process id is 2072 and session 1 of game.exe file. Fig.13 - DLL Processes In Dump File Though anti-virus software is continually getting better, a very significant percentage ofmalware escapes the automated screening process. PE Explorer offers an in-depth look atthe inner workings of downloaded executable files, and helps software companiesdetermine if a binary is harmful by examining it manually and without relying on theautomated scanning engines. Fig.12 - Process ID Of .Exe File A computer program is a passive collection of instructions; a process is the actual execution of those instructions. Several operations may be associated with the same program. In the process monitor comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. After analysis of game.exe process found process name, PID,created file operation,file location path.detail part will show file attributes,created time,last access time,last write time and change time. Reverse engineers within the anti-virus, vulnerability research and forensics companies facethe challenge of analyzing a large number of maliciuos software appearing at an incrediblerate. Software developers look for an effective way to safely inspect and dissect potentiallyharmful Windows executable files. Meeting this need, Heaventools offers PE Explorer, anintegrated collection of tools that provide a framework for working with EXE, DLL, Page | 41 Fig.14 - User Credential In Processes PE Explorer canhelp you learn the minimum set of DLL files required for the EXE file to load and run, andthe complete path to modules loaded by the EXE file. It is helpful in discovering missing orinvalid modules, import/export mismatches, circular dependencies and other module-relatedproblems, and introubleshooting system errors caused by theloading or executing ofmodules. III. CONCLUSION This paper provided a memory level introductionto the topic of malware analysis, andsome practical techniques and tools that can be used to conduct limited analysis of Windowsprograms ofunknown functionality in forensics way.In this chapter two platforms were used for attack and analysis.In memory forensics part analyze signature base DLL process,credential of user, and memory dump tools for malware behaviour and also used network tools for file carving and live activity of exe using packet analysis. www.ijsart.com IJSART - volume 1 Issue 3 –MARCH 2015 ISSN [ONLINE]: 2395-1052 REFERENCES [1].http://www.solutionary.com/resourcecenter/blog/2012/12/hunting-malware-with-memory-analysis/ [2]http://www.porcupine.org/forensics/forensicdiscovery/chapter6.html [3]http://as.wiley.com/WileyCDA/WileyTitle/productCd1118825098.html [4]http://www.tekdefense.com/news/2013/12/3/review-malwareand-memory-forensics-with-volatility.html [5]http://eforensicsmag.com/download/a-practical-approach-tomalware-memory-forensics-with-eforensics-open/ [6]http://en.wikipedia.org/wiki/Deep_content_inspection [7]https://community.mcafee.com/docs/DOC-1513 [8]https://www.blackhat.com/presentations/bh-dc07/Kendall_McMillan/Presentation/bh-dc-07Kendall_McMillan.pdf [9]http://www.hindawi.com/journals/acisc/2014/197961/ [10]http://scholar.google.co.in/scholar?q=malware+NETWORK+ ANALYSIS&hl=en&as_sdt=0&as_vis=1&oi=scholart&sa=X&e i=qYrAVP3iHYHM8gWE3YLYCA&ved=0CB0QgQMwAA Page | 42 www.ijsart.com
© Copyright 2024