Threat Research Blog

zynamics VxClass and memory analysis

First, let me start by saying thanks to our users for the more than 10,000 unique downloads of Memoryze and Audit Viewer in 2010. Peter and I have been working with a lot of different people over the past couple of months to bring you this new release. You can download version 1.4.4200 of Memoryze and Audit Viewer now. I will just touch on a few things of most interest. You can read the User Guides for the rest.

zynamics VxClass Integration

If you have not checked out VxClass from zynamics, now is a good time. For those at MIRcon, you got to see Thomas Dullien's presentation. VxClass automatically classifies malware into families. This allows the incident responder to leverage intelligence from prior investigations and focus on the most important threats. Since it is fast and automated, VxClass is a great addition to your arsenal whether you have a malware team or not. VxClass can also generate private byte signatures (in ClamAV format) for a whole family of malware samples. Imagine finding 160 pieces of malware that VxClass automatically classifies as a single family and generates one byte pattern that you can use to find every variant. It is now possible, and you can take that byte signature and scan all the physical memory in your enterprise with MANDIANT Intelligent Response or a host at a time with Memoryze and Audit Viewer.

Thomas has a great write-up of how this process works here. I will not attempt to explain the article, but below is a glimpse.

Two pieces of malware and how they overlap

Report Generation

Our users have really liked the wealth of information and the detailed analysis and scoring Memoryze and Audit Viewer provides, but sometimes you need all that data in a format you can rearrange. Audit Viewer has attempted to address this in different ways over time including the ability to cut-n-paste and comment almost every row of data. If you have not tried the comment feature, I encourage you to today. But how do you get all that information out of Audit Viewer as you work the incident? Well, Audit Viewer now includes the ability to automatically generate a report in text or Microsoft Word format with MRI results, case comments, handles, sections, ports, etc. Simply click on Operations->Generate Report.

Here is a brief example of the lsass.exe process that was infected. Note: if you are using this feature across every process with all the options turned on, it can generate large documents that Word and most editors may take a long time to process.

Searching Process Address Space

If you do not have access to zynamics VxClass, I encourage you pursue that; however, you can still search every process' address space. Memoryze will only return the processes that match your search criteria. Memoryze can also search for more than one pattern. It will look for the patterns and return the process if any pattern was a match. There are many applications of this technology. You could search for email addresses, partial domain names, URLs, Social Security numbers, credit card numbers, arbitrary byte patterns, etc.

Currently, Audit Viewer is customized for VxClass so if you want to use this feature you must edit ProcessAuditMemory.Batch.xml and run Memoryze from the command-line.

Memoryze.exe -o -script ProcessAuditMemory.Batch.xml -encoding none

You can also use the batch files included with Memoryze.

Process.bat -handles true -sections true -ports true -injected true -digsig true -content conficker

Training at CanSecWest

If you would like to sharpen your memory forensics skills, Peter and I will be teaching at CanSecWest.