Threat Research

Redline 1.1 Released

Six months ago, MANDIANT released Redline as a free tool designed to simplify memory analysis and visually guide users through the steps needed to investigate a potentially compromised system. Today, we're pleased to announce the release of Redline Version 1.1 with some exciting new features and enhancements. We've taken some of the "power-user" functions previously only available by hacking Memoryze's XML configuration files and integrated them into the Redline interface and workflow. We've also been able to add new features based on some great user feedback we've received from the Mandiant Forums, students in our incident response classes and elsewhere. Redline 1.1 will also be the first version to include complete user documentation (which we are still putting the finishing touches on).

We're going to stick to the basics for this blog post, and look at how you can incorporate the following new Redline features into your investigative processes:

  • Portable Agent mode
  • Memory, Process, and Driver acquisition
  • Customizing Malware Risk Index scoring

Portable Agent

You can now use Redline to build a customized memory analysis toolkit on a USB drive or other portable device - perfect for simple "fire and forget" live response review of a potentially compromised host. After launching Redline, click on the big "R" menu icon in the top-left, and select the "Create a Portable Agent" option as shown in Figure 1.

Figure 1: "Create a Portable Agent" menu option

You will be prompted to select your audit options and choose a target drive on which the portable agent will be saved.

Figure 2: Portable Agent Audit Configuration

The generated files include all the binaries and dependencies needed to run Redline on any supported 32 or 64-bit OS, along with a brief "Readme.txt" to remind you of what's what. Simply insert your portable agent drive into the target system and execute "RunRedlineAudit.bat". Redline will load your previously selected configuration, auto-detect the current host operating system and collect audit data onto the same drive from which you launched the script. Typical analysis results will be under 100MB (excluding an acquired memory image - more on that in a bit).

Figure 3: Portable Redline Agent

Once you have collected results from the target machine, you can bring them back to your analysis host and import into Redline using the "Start a New Analysis Session - From a Memoryze Output Directory" startup option.

Memory, Process and Driver Acquisition

In its default configuration, Redline conducts memory analysis but not acquisition - the distinction being that the Redline's output files contain all of the metadata related to processes, memory sections, handles, hooks, drivers, etc. but not the actual contents of memory. In Redline 1.1, we've added the ability to include memory acquisition as an audit option when either analyzing the current running system or building a portable agent. The resulting audit will include a standard DD memory image, saved as a ".img" file, that will be compatible with most other 3rd party memory forensics tools.

Figure 4: "Acquire Memory Image" is a new Custom Audit option

One of the benefits of retaining a memory image along with the Redline analysis files is the ability to do offline acquisition of a process' memory space and / or loaded drivers. This functionality was previously available only via the Memoryze command-line, but is now fully integrated into Redline's user interface.

Let's walk through a simple example of how you might use this feature:

Figure 5 illustrates a Redline analysis session of a host infected with Stuxnet malware. The process overview page for "lsass.exe", PID 1928, is displayed - it has been "redlined" due to a high Malware Risk Index score of 93.

Figure 5: Memory image infected with Stuxnet

As we've discussed in previous blog posts, Stuxnet suspends and unmaps the "lsass.exe" section and injects a full binary into the process - both characteristics result in the high MRI score. If we look at the "Memory Sections" listing underneath the process, we can sort on the "Injected" column to take a closer look at the three sections of interest, paying note to the "Region Start" and "Region Size".

Figure 6: Reviewing injected sections

The next analysis step, especially if we were dealing with unknown malware, would be to acquire the process memory space for this instance of "lsass.exe" and review the contents of the injected sections. Returning to the process overview page, you'll note that you can now select "Acquire Process Address Space" (you can also right-click on the process you want to acquire in the Host process listing view).

Figure 7: New "Acquire Process Address Space" option

Redline will acquire the entire contents of the process' memory space. Mapped sections will be represented by their full path and original filename; unmapped sections (such as the injected ones we're interested in) are saved as ".VAD" files named after the region start address.

Figure 8: Acquired contents of "lsass.exe" process memory space

In the Stuxnet example, one of the injected "lsass.exe" sections was 1.219 MB with region start 0x00870000 - the corresponding file from the acquisition is "1928__SystemMemory%5c0x00870000-0x009a7fff.VAD". A quick peek at the file in a hex editor confirms that it is a full PE file (rather than just shellcode, for example), and we could thereby proceed with malware analysis against this sample.

Figure 9: Excerpt of Stuxnet injected PE in "lsass.exe" memory

Redline will automatically archive the entire process' memory space into a password protected ZIP file. This helps ensure you don't accidentally infect yourself and helps keep anti-virus from eating any of the files. The "Acquisition History" menu in the big "R" toolbar tracks your acquisitions, shows the path to your acquired files, and lets you edit these options. You can also always review your audit and memory image locations in the "Analysis Session Information" menu as shown in Figure 10.

Figure 10: Analysis Session Information

Acquisition isn't just limited to Process Memory - you can also acquire drivers if you've collected a memory image with Redline. Simply right-click on the driver in the "Device Tree" or "Drivers Enumerated by Walking List" and select "Acquire this Driver" as shown in Figure 11. Once again, all these acquisitions can be performed using only the memory image and Redline audit data - you don't need to be on the running machine from which the acquisition took place.

Figure 11: Acquiring Drivers - right-click menu

Customizing Malware Risk Index Scoring

Redline's Malware Risk Index uses a combination of behavioral and signature-based traits to assign a score to each running process (when reviewing memory analyzed by Redline, Memoryze or MIR). Although MRI scoring is designed to make malicious processes stand out, the countless combinations of operating system configurations and 3rd party application characteristics can result in false positives or false negatives. Since Redline is first and foremost a tool to facilitate analysis rather than a signature-based scanner, we've chosen to make it easier for users to edit the MRI rules so that you can better tune Redline to the systems in your environment or areas of focus for an investigation.

The "Redline Options" button, available in the "R" menu, has a new section labeled "MRI Rules Configuration" where all of these settings are exposed as shown in Figure 12. Here you can tweak whitelist and blacklist settings for the various MRI Rules, as well as adjust global settings such as the frequency of occurrence threshold used for memory section trust calculations.

Figure 12: MRI Options

A few examples of situations that might lead you to change these rules include:

  • You wish to exclude legitimate but not digitally signed DLLs from third party applications common to your environment from being flagged under "Suspicious Imports". For example, my version of VMWare loads unsigned but valid versions of "msvcp80.dll" and "msvcr80.dll". Due to their low frequency of occurrence and lack of digital signatures, these DLLs will be scored under Negative Factors. Instead of manually trusting these modules each time I open a Redline analysis session, I can change the "Suspicious Imports" setting to always trust them.
  • You have foreign language installations of Windows and want to whitelist the non-English equivalents of built-in accounts (such as "Administrator" or "NetworkService") under "Expected Users". The same can occur for "Expected Paths" that are translated differently on non-English systems. (Whitelisting some of the more common translations is on our to-do list!)
  • A malware sample that you have identified and analyzed in your environment has a unique combination of imported functions, or a unique process handle (such as a mutant), that you want flagged as an automatic MRI "hit". (We included a handful of common mutants for malware like Poison Ivy and Zeus as basic examples).
  • You have third party application common in your environment running as a Windows service, and you would like to whitelist its arguments to "svchost.exe" (i.e. "svchost -k TrustedService").
  • You would like to add or remove trusted signature authorities that Redline uses when evaluating digital signatures.

Note that any changes to MRI rules will result in MRI scores for all processes in both the current session and future sessions to be recalculated.

Conclusion

We hope that this update to Redline makes it easier than ever for you to triage a system and conduct memory analysis. Please be sure to check out the new user documentation for more details on these added features, and drop by the Redline section of our Mandiant Forums if you have any questions or feedback!

Also, keep an eye out for an upcoming blog post where we'll detail how you can use Redline with our recently released OpenIOC schema and tools!