Honeynet Memory Forensics Challenge

The Honeynet project released a memory forensics challenge a few months ago. I read over the winning three submissions and was very impressed with the creative solutions they came up with. The submitters used freeware tools and clearly spent a significant amount of time putting their answers together. These sort of academic challenges are fun and a great way to hone your skills. In a business setting however, time is money. I downloaded the sample memory image and ran it through Responder Pro with Digital DNA to see how quickly an answer can be obtained as to the integrity of the target system.
In Figure 1 below you can clearly see five modules that score red (high severity) in DDNA. The “memory-mod…” nomenclature tells us that there is injected code into these host processes. So now within 10 seconds of reviewing this memory image we know the system has indications of compromise. Granted it will require further inspection to determine the extent of the compromise but we’ve answered the first and most important question already.
Figure 1:

It is always a good idea to examine the module’s traits which caused it to score red. Figure 2 reveals some highly suspicious traits that further confirm our initial findings.
Figure 2:
Another quick source of intelligence is to right-click on an injected memory module and “View Strings”. Remember that when dealing with code in memory you are much more likely to find interesting strings than an obfuscated binary on disk. This particular injected code reveals some tell-tale signs of the Zbot/Zeus trojan. The hardcoded file paths in Figure 3 are a dead giveaway.
Figure 3

This memory image also reveals a clue in the sockets listing. Notice Adobe creating an outbound connection on port 80.
Figure 4

One can then search the memory image for IP and tie back to a domain. Although you could do a DNS lookup at the time of the investigation it is valuable to see how the IP resolved at the time of the compromise. See Figure 5 for an example of proximity searching an unknown IP in memory.
Figure 5

Finally, malwaredomains.com validates our suspicions regarding this domain name and IP address.
Figure 6:
 Clearly this host has security issues. This challenge went a step further than just determining if the system was compromised. It also required the winning submissions to extract PDF’s from the raw memory image to determine HOW the system was compromised. Responder has the ability to extract image fragments and HTML fragments today through the plugin mechanism. These plugins work in a similar way to the Foremost tool that looks for headers of various file types. HBGary will provided additional plugins which cover other popular file types such as PDF and Office Documents. In the near-term please contact your sales resource to obtain the existing plugins.
Consider the scenario where you have determined which file had performed the exploit and you would like to recover it. Results such as shown in Figure 7 could be transformed into an extracted file for more detailed analysis.
Figure 7:


In summary, when you are in a professional environment where every hour of labor costs money and there are more security incidents than your analysts can handle, you must work efficiently to answer the most pressing questions. HBGary’s technology enables an analyst to speedily and accurately accomplish their organization’s mission.


Category Article

What's on Your Mind...

Thank f' u C0mment