Malware

1. ------|  Malware Memory Forensic
2. Jika merujuk pada buku Malware Analyst’s Cookbook, "Memory forensics refers
3. to finding and extracting forensic artifacts from a computer’s physical memory,
4. otherwise known as RAM". Informasi yang bisa diperoleh dari memory sudah
5. dijelaskan oleh patusacyber pada echo ezine[1].
6. Dari temuan-temuan informasi yang didapat selanjutnya akan menjadi bahan anlisis.
7. Dalam tulisan ini tidak ada proses akuisisi memorynya karena saya menggunakan sample memory
8. yang terinfeksi trojan yang diunduh dari internet[2] dan Saya menggunakan tool Volatilty[3].
9. Pertama mulailah dengan apa yang kamu ketahui. Seperti trojan-trojan lainya, tentu akan
10. melakukan hubungan dengan server c&c.
11.  
12. b33ns@b33ns:~$ export VOLATILITY_PROFILE=WinXPSP2x86
13. b33ns@b33ns:~$ export VOLATILITY_LOCATION=~/sample/volatile/spyeye.vmem
14. b33ns@b33ns:~$ md5sum ~/sample/volatile/spyeye.vmem
15. 15dd403be9021bdb711091e946a3ba64  /home/b33ns/sample/volatile/spyeye.vmem
16.  
17. b33ns@b33ns:~$ vol.py connscan
18. Volatility Foundation Volatility Framework 2.3.1
19. Offset(P)  Local Address             Remote Address            Pid
20. ---------- ------------------------- ------------------------- ---
21. 0x01eacc00 192.168.16.129:1039       65.55.185.26:443          1068
22. 0x01fd3170 192.168.16.129:1040       207.46.21.58:80           1068
23.  
24. 207.46.21.58 adalah alamat server yang mengontrol trojan.
25. Kita cari tahu proses id 1068 milik siapa
26.  
27. b33ns@b33ns:~$ vol.py pslist -p 1068
28. Volatility Foundation Volatility Framework 2.3.1
29. Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
30. ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---------
31. 0x822a0758 svchost.exe            1068    704     58     1256      0      0 2010-11-11 22:02:17 UTC+0000  
32.  
33. nah ternyata milik svchost.exe, svchost.exe jelas sudah terinfeksi karena
34. tidak seharusnya svchost melakukan koneksi keluar. Ok, sekarang fokus kita di svchost.exe
35.  
36. b33ns@b33ns:~$ vol.py apihooks -p 1068
37. [skip]
38. Hook mode: Usermode
39. Hook type: Inline/Trampoline
40. Process: 1068 (svchost.exe)
41. Victim module: USER32.dll (0x7e410000 - 0x7e4a1000)
42. Function: USER32.dll!TranslateMessage at 0x7e418bf6
43. Hook address: 0xea53fc6
44. Hooking module: <unknown>
45.  
46. Disassembly(0):
47. 0x7e418bf6 e9cbb36390       JMP 0xea53fc6
48. [skip]
49.  
50. b33ns@b33ns:~$ vol.py volshell
51. Volatility Foundation Volatility Framework 2.3.1
52. Current context: process System, pid=4, ppid=0 DTB=0x319000
53. Welcome to volshell! Current memory image is:
54. file:///home/b33ns/sample/volatile/spyeye.vmem
55. To get help, type 'hh()'
56. >>> cc(pid=1068)
57. Current context: process svchost.exe, pid=1068, ppid=704 DTB=0xa940120
58. >>> dis(0x7e418bf6, length=32)
59. 0x7e418bf6 e9cbb36390                       JMP 0xea53fc6
60. 0x7e418bfb 56                               PUSH ESI
61. 0x7e418bfc 8b7508                           MOV ESI, [EBP+0x8]
62. 0x7e418bff 66817e08e500                     CMP WORD [ESI+0x8], 0xe5
63. 0x7e418c05 0f84667e0200                     JZ 0x7e440a71
64. 0x7e418c0b 6a00                             PUSH 0x0
65. 0x7e418c0d 56                               PUSH ESI
66. 0x7e418c0e e806feffff                       CALL 0x7e418a19
67. 0x7e418c13 5e                               POP ESI
68. 0x7e418c14 5d                               POP EBP
69. 0x7e418c15 c2                               DB 0xc2
70. >>> db(0xea50000, length=256)
71. 0x0ea50000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
72. 0x0ea50010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
73. 0x0ea50020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
74. 0x0ea50030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00   ................
75. 0x0ea50040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
76. 0x0ea50050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is.program.canno
77. 0x0ea50060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t.be.run.in.DOS.
78. 0x0ea50070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
79. 0x0ea50080  aa fd bf f4 ee 9c d1 a7 ee 9c d1 a7 ee 9c d1 a7   ................
80. 0x0ea50090  2d 93 8e a7 e6 9c d1 a7 ee 9c d1 a7 ef 9c d1 a7   -...............
81. 0x0ea500a0  c9 5a ac a7 e9 9c d1 a7 c9 5a aa a7 ec 9c d1 a7   .Z.......Z......
82. 0x0ea500b0  c9 5a bc a7 d3 9c d1 a7 2d 93 8c a7 fe 9c d1 a7   .Z......-.......
83. 0x0ea500c0  ee 9c d0 a7 1e 9c d1 a7 b7 bf c2 a7 ed 9c d1 a7   ................
84. 0x0ea500d0  c9 5a af a7 ef 9c d1 a7 c9 5a bf a7 df 9c d1 a7   .Z.......Z......
85. 0x0ea500e0  c9 5a ad a7 ef 9c d1 a7 c9 5a a9 a7 ef 9c d1 a7   .Z.......Z......
86. 0x0ea500f0  52 69 63 68 ee 9c d1 a7 00 00 00 00 00 00 00 00   Rich............
87.  
88. kita dump aja untuk memudahkan untuk proses analisis selanjutnya
89. b33ns@b33ns:~$ mkdir vaddump && vol.py vaddump -p 1068 -D vaddump
90. [skip]
91. b33ns@b33ns:~$ cd vaddump && ls -l | grep 0ea50000(masih ingat hex ini kan, lihat atas)
92. -rw-rw-r-- 1 b33ns b33ns   188416 Feb 18 18:23 svchost.exe.22a0758.0x0ea50000-0x0ea7dfff.dmp
93.  
94. kita cari lagi informasi yang menarik
95. b33ns@b33ns:~$ strings vaddump/svchost.exe.22a0758.0x0ea50000-0x0ea7dfff.dmp > strings_svchost.txt
96. b33ns@b33ns:~$ cat strings_svchost.txt
97. [skip]
98. SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
99. [skip]
100.  
101. b33ns@b33ns:~$ vol.py printkey -K "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
102. [skip]
103. Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
104. Key name: Run (S)
105. Last updated: 2011-01-06 14:36:52 UTC+0000
106.  
107. Subkeys:
108.  
109. Values:
110. REG_SZ        cleansweep.exe  : (S) C:\cleansweep.exe\cleansweep.exe
111. [skip]
112.  
113. nah ketahuan lokasi nongkrongnya....
114. Dan ketika dieksekusi akan membuat registry key agar trojan aktif ketika startup
115. kita cari tahu proses id cleansweep.exe
116.  
117. b33ns@b33ns:~$ vol.py pslist | grep cleansweep.exe
118. Volatility Foundation Volatility Framework 2.3.1
119. Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
120. ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---------
121.  
122. 0x82226b48 cleansweep.exe         2268   1008      0 --------      0      0 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000
123.  
124. Trojan dieksekusi pada 2011-01-06 14:36:52 UTC+0000
125. biar lebih yakin kita lihat mft record
126. b33ns@b33ns:~$ vol.py mftparser > mftparser.txt
127. b33ns@b33ns:~$ cat mftparser.txt | grep cleansweep.exe
128. Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
129. ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
130.  
131. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe
132. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe
133. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\CLEANS~1.EXE
134. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\cleansweep.exe
135. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\config.bin
136. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\config.bin
137. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\CLEANS~1.EXE
138. 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\cleansweep.exe
139.  
140. Jika dikaitkan dengam temuan sebelumnya, trojan berada di C:\cleansweep.exe lengkap dengan file konfigurasinya
141. lalu bagaimana spyeye bisa berada tereksekusi di komputer victim?, sengaja di taruh & sengaja dieksekusi sama victim :D
142. Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
143. ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
144. 2011-01-06 14:36:04 UTC+0000 2010-10-04 17:17:25 UTC+0000   2010-10-04 17:17:25 UTC+0000   2011-01-06 14:36:04 UTC+0000   Documents and Settings\Administrator\Desktop\spyeye.zip
145.  
146. b33ns@b33ns:~$ md5sum ~/sample/volatile/spyeye.vmem
147. 15dd403be9021bdb711091e946a3ba64  /home/b33ns/sample/volatile/spyeye.vmem
148.  
149.  
150.  
151. ------|  Refrensi
152. [1]http://ezine.echo.or.id/issue28/007.txt
153. [2]http://code.google.com/p/volatility/wiki/MemorySamples
154. [3]http://code.google.com/p/volatility
155. -
156. -
157. -