------| Malware Memory Forensics

According to the Malware Analyst's Cookbook, "Memory forensics refers to finding and extracting forensic artifacts from a computer's physical memory, otherwise known as RAM". The kinds of information that can be recovered from memory have already been described by patusacyber in echo ezine[1]; those findings are the raw material for the analysis that follows.

This write-up skips memory acquisition: I use a trojan-infected memory sample downloaded from the internet[2] and analyse it with Volatility[3] (2.3.1). The md5sum taken before the first command is there so that the image can be shown to be unchanged at the end.

Start with what you know. Like any other trojan, this one has to talk to its C&C server at some point, so network connections are a reasonable first pivot:
b33ns@b33ns:~$ export VOLATILITY_PROFILE=WinXPSP2x86
b33ns@b33ns:~$ export VOLATILITY_LOCATION=~/sample/volatile/spyeye.vmem
b33ns@b33ns:~$ md5sum ~/sample/volatile/spyeye.vmem
15dd403be9021bdb711091e946a3ba64  /home/b33ns/sample/volatile/spyeye.vmem
b33ns@b33ns:~$ vol.py connscan
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01eacc00 192.168.16.129:1039       65.55.185.26:443          1068
0x01fd3170 192.168.16.129:1040       207.46.21.58:80           1068
Both remote addresses fall in ranges registered to Microsoft (65.55.0.0/16 and 207.46.0.0/16), so on their own these look like ordinary Windows Update or Live-services traffic, and nothing in this image shows that 207.46.21.58 controls the trojan. What connscan does give us is a pivot: both sockets belong to pid 1068, so let's find out which process that is.
b33ns@b33ns:~$ vol.py pslist -p 1068
Volatility Foundation Volatility Framework 2.3.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---------
0x822a0758 svchost.exe            1068    704     58     1256      0      0 2010-11-11 22:02:17 UTC+0000
So it is svchost.exe. That by itself proves nothing: svchost.exe hosts services such as Windows Update and BITS that legitimately open outbound HTTP and HTTPS connections, and connscan cannot tell which service inside the host process owned a socket. What would prove the process is compromised is foreign code or patched APIs inside it, so that is where to look next. Focus on pid 1068 and check it for API hooks:
b33ns@b33ns:~$ vol.py apihooks -p 1068
[skip]
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1068 (svchost.exe)
Victim module: USER32.dll (0x7e410000 - 0x7e4a1000)
Function: USER32.dll!TranslateMessage at 0x7e418bf6
Hook address: 0xea53fc6
Hooking module: <unknown>
Disassembly(0):
0x7e418bf6 e9cbb36390       JMP 0xea53fc6
[skip]
The first instruction of USER32.dll!TranslateMessage has been overwritten with a JMP to 0xea53fc6, and apihooks cannot attribute that address to any loaded module ("Hooking module: <unknown>"): the hook lands in memory that is not backed by a DLL on disk, which is the inline-hook (trampoline) pattern of injected code. Private allocations are 64 KiB-aligned, so the region containing 0xea53fc6 most likely starts at 0x0ea50000 (vaddump confirms that range further down). Use volshell to look at the patched prologue first and then at that region base:

b33ns@b33ns:~$ vol.py volshell
Volatility Foundation Volatility Framework 2.3.1
Current context: process System, pid=4, ppid=0 DTB=0x319000
Welcome to volshell! Current memory image is:
file:///home/b33ns/sample/volatile/spyeye.vmem
To get help, type 'hh()'
>>> cc(pid=1068)
Current context: process svchost.exe, pid=1068, ppid=704 DTB=0xa940120
>>> dis(0x7e418bf6, length=32)
0x7e418bf6 e9cbb36390       JMP 0xea53fc6
0x7e418bfb 56               PUSH ESI
0x7e418bfc 8b7508           MOV ESI, [EBP+0x8]
0x7e418bff 66817e08e500     CMP WORD [ESI+0x8], 0xe5
0x7e418c05 0f84667e0200     JZ 0x7e440a71
0x7e418c0b 6a00             PUSH 0x0
0x7e418c0d 56               PUSH ESI
0x7e418c0e e806feffff       CALL 0x7e418a19
0x7e418c13 5e               POP ESI
0x7e418c14 5d               POP EBP
0x7e418c15 c2               DB 0xc2
>>> db(0xea50000, length=256)
0x0ea50000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x0ea50010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x0ea50020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0ea50030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00   ................
0x0ea50040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
0x0ea50050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is.program.canno
0x0ea50060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t.be.run.in.DOS.
0x0ea50070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
0x0ea50080  aa fd bf f4 ee 9c d1 a7 ee 9c d1 a7 ee 9c d1 a7   ................
0x0ea50090  2d 93 8e a7 e6 9c d1 a7 ee 9c d1 a7 ef 9c d1 a7   -...............
0x0ea500a0  c9 5a ac a7 e9 9c d1 a7 c9 5a aa a7 ec 9c d1 a7   .Z.......Z......
0x0ea500b0  c9 5a bc a7 d3 9c d1 a7 2d 93 8c a7 fe 9c d1 a7   .Z......-.......
0x0ea500c0  ee 9c d0 a7 1e 9c d1 a7 b7 bf c2 a7 ed 9c d1 a7   ................
0x0ea500d0  c9 5a af a7 ef 9c d1 a7 c9 5a bf a7 df 9c d1 a7   .Z.......Z......
0x0ea500e0  c9 5a ad a7 ef 9c d1 a7 c9 5a a9 a7 ef 9c d1 a7   .Z.......Z......
0x0ea500f0  52 69 63 68 ee 9c d1 a7 00 00 00 00 00 00 00 00   Rich............
An MZ header at the region base: the hook jumps into a PE image that was written into svchost.exe's address space rather than loaded from a file, which is exactly why apihooks printed "<unknown>". Dump the region to make the rest of the analysis easier:

b33ns@b33ns:~$ mkdir vaddump && vol.py vaddump -p 1068 -D vaddump
[skip]
b33ns@b33ns:~$ cd vaddump && ls -l | grep 0ea50000
-rw-rw-r-- 1 b33ns b33ns 188416 Feb 18 18:23 svchost.exe.22a0758.0x0ea50000-0x0ea7dfff.dmp

(0x0ea50000 is the address from the volshell dump above. vaddump names each file after the process, its _EPROCESS offset and the VAD range, and 188416 bytes is exactly 0x0ea50000 to 0x0ea7e000.)
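To make the apihooks reasoning concrete, here is an added example (my own code, not from the original write-up and not Volatility's implementation) that decodes the E9 rel32 trampoline from the TranslateMessage prologue, resolves its target against module ranges the way apihooks does when it prints "<unknown>", and checks the bytes at the region base for a DOS header. USER32.dll's range, the VAD range and the header bytes are the values shown above; the kernel32.dll and ntdll.dll ranges are assumed and only there so the classifier has more than one module to check.

```python
import struct

# Module ranges inside pid 1068. USER32.dll's range is the one apihooks
# reported above; the other two are assumed (typical XP SP2 bases) and exist
# only so the classifier has more than one module to check.
MODULES = {
    "USER32.dll":   (0x7E410000, 0x7E4A1000),
    "kernel32.dll": (0x7C800000, 0x7C8F6000),  # assumed
    "ntdll.dll":    (0x7C900000, 0x7C9B2000),  # assumed
}

# Regions of the process that no file backs; the range is the VAD vaddump
# wrote out for svchost.exe (0x0ea50000-0x0ea7dfff, end exclusive here).
UNBACKED_VADS = [(0x0EA50000, 0x0EA7E000)]

# First 0x40 bytes at 0x0ea50000, transcribed from the volshell db() output.
DOS_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000010000"
)


def decode_jmp(addr, code):
    """Absolute target of an E9 rel32 or EB rel8 JMP located at addr, else None.

    The displacement is relative to the end of the instruction, so the target
    is addr + instruction length + rel, wrapped to 32 bits."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        return (addr + 2 + rel) & 0xFFFFFFFF
    return None


def owner(addr):
    """Loaded module containing addr, '<unknown>' for an unbacked VAD, or
    None when addr is outside everything we know about."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    for lo, hi in UNBACKED_VADS:
        if lo <= addr < hi:
            return "<unknown>"
    return None


def check_hook(func_addr, first_bytes):
    """Classify an exported function's prologue the way apihooks does."""
    target = decode_jmp(func_addr, first_bytes)
    if target is None:
        return {"hooked": False}
    mod = owner(target)
    return {
        "hooked": True,
        "target": target,
        "module": mod,
        # a jump that leaves the victim DLL for memory no file backs is the
        # inline-hook pattern worth chasing; a jump within the DLL is a thunk
        "suspicious": mod is None or mod == "<unknown>",
    }


def is_mz(blob):
    """(True, e_lfanew) if blob starts with a DOS header, else (False, None)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False, None
    return True, struct.unpack_from("<I", blob, 0x3C)[0]


if __name__ == "__main__":
    # TranslateMessage prologue as shown by apihooks / volshell dis()
    print(check_hook(0x7E418BF6, bytes.fromhex("e9cbb36390")))
    # the instruction after it (PUSH ESI ...) is not a jump at all
    print(check_hook(0x7E418BFB, bytes.fromhex("568b7508")))
    print(is_mz(DOS_HEADER))
```

The first check resolves the JMP to 0x0ea53fc6 and reports module "<unknown>" with suspicious set, the same verdict apihooks printed; a JMP whose target stays inside USER32.dll (a legitimate thunk) is still reported as a jump but not as suspicious, which is the distinction to keep in mind before calling every patched prologue a hook. The DOS header check returns e_lfanew = 0x100, the offset where the PE signature of the injected image should sit.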
Now look for more clues in the dumped region (strings reports ASCII only by default; add -e l to pick up the UTF-16LE strings Windows binaries are full of):

b33ns@b33ns:~$ strings vaddump/svchost.exe.22a0758.0x0ea50000-0x0ea7dfff.dmp > strings_svchost.txt
b33ns@b33ns:~$ cat strings_svchost.txt
[skip]
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
[skip]
A Run key path inside injected code is a strong hint at persistence, so check the key itself. printkey without -o walks every hive it finds in memory, so the hit that matters is the one in the Administrator's NTUSER.DAT, i.e. the per-user HKCU\Software\Microsoft\Windows\CurrentVersion\Run:

b33ns@b33ns:~$ vol.py printkey -K "SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
[skip]
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Run (S)
Last updated: 2011-01-06 14:36:52 UTC+0000
Subkeys:
Values:
REG_SZ  cleansweep.exe : (S) C:\cleansweep.exe\cleansweep.exe
[skip]

So that's where it hangs out: when executed, the trojan writes a Run value pointing at C:\cleansweep.exe\cleansweep.exe so that it is started again at every logon. Note the key's Last updated time, 2011-01-06 14:36:52; it is the pivot for everything that follows.
Let's find the cleansweep.exe process:

b33ns@b33ns:~$ vol.py pslist | grep cleansweep.exe
Volatility Foundation Volatility Framework 2.3.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---------
0x82226b48 cleansweep.exe         2268   1008      0 --------      0      0 2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000

The trojan was started at 2011-01-06 14:36:52 UTC+0000, the same second the Run value was written. Note the populated Exit column and zero threads: cleansweep.exe has already terminated. The launcher is gone; what keeps running is the code it injected into svchost.exe, which is why the infection showed up as hooks in another process rather than as a suspicious process of its own.
To be more certain, look at the MFT records that are still resident in memory:

b33ns@b33ns:~$ vol.py mftparser > mftparser.txt
b33ns@b33ns:~$ cat mftparser.txt | grep cleansweep.exe
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe
2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe
2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\CLEANS~1.EXE
2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\cleansweep.exe
2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\config.bin
2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\config.bin
2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\CLEANS~1.EXE
2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   2011-01-06 14:36:52 UTC+0000   cleansweep.exe\cleansweep.exe

(mftparser prints one row per $STANDARD_INFORMATION and per $FILE_NAME attribute, and the 8.3 name CLEANS~1.EXE is a second $FILE_NAME, so each file shows up more than once.)

Put together with the earlier findings: the trojan lives in the directory C:\cleansweep.exe\ as cleansweep.exe, together with its configuration file config.bin, and all of it was created at 14:36:52, the second the process started and the Run value was written.

So how did SpyEye end up being executed on the victim's machine? In this sample the answer is simple: it was put there deliberately and run deliberately by the "victim" :D

Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-01-06 14:36:04 UTC+0000   2010-10-04 17:17:25 UTC+0000   2010-10-04 17:17:25 UTC+0000   2011-01-06 14:36:04 UTC+0000   Documents and Settings\Administrator\Desktop\spyeye.zip

The timestamps back that up: spyeye.zip was created on the Desktop at 14:36:04, 48 seconds before cleansweep.exe appeared, yet its modification time is 2010-10-04, earlier than its creation time. A creation time later than the modification time is what NTFS leaves behind when a file is copied in or extracted from an archive: the source's modification time is preserved while a fresh creation time is stamped.
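As an added example (my own code, not the author's, and not part of Volatility), here is the timestamp reasoning from the two MFT tables above written down as code: a parser for rows in the shape mftparser prints, a filter for files whose creation time is later than their modification time (copied or extracted files), and a filter for files created within a window around the pivot time taken from pslist and the Run key. The first three rows are transcribed from the page; the fourth row and its path are constructed so the filters have something to leave alone.

```python
import re
from datetime import datetime, timedelta

# Rows in the column order mftparser prints: Creation, Modified,
# MFT Altered, Access Date, Name/Path. The first three rows are transcribed
# from the page; the last row is a constructed, unrelated file.
ROWS = r"""
2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000 cleansweep.exe\cleansweep.exe
2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000 2011-01-06 14:36:52 UTC+0000 cleansweep.exe\config.bin
2011-01-06 14:36:04 UTC+0000 2010-10-04 17:17:25 UTC+0000 2010-10-04 17:17:25 UTC+0000 2011-01-06 14:36:04 UTC+0000 Documents and Settings\Administrator\Desktop\spyeye.zip
2010-11-11 22:01:50 UTC+0000 2010-11-11 22:01:50 UTC+0000 2010-11-11 22:01:50 UTC+0000 2011-01-06 14:30:00 UTC+0000 Documents and Settings\Administrator\My Documents\notes.txt
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
# one mftparser timestamp; the UTC offset is matched but not used
_TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC[+-]\d{4}"
_ROW = re.compile(r"^\s*" + r"\s+".join([_TS] * 4) + r"\s+(.+?)\s*$")


def parse_rows(text):
    """Turn mftparser rows into dicts; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        created, modified, mft_altered, accessed = (
            datetime.strptime(s, TS_FMT) for s in m.groups()[:4])
        entries.append({"created": created, "modified": modified,
                        "mft_altered": mft_altered, "accessed": accessed,
                        "path": m.group(5)})
    return entries


def copied_or_extracted(entries):
    """Paths whose creation time is later than their modification time.

    NTFS stamps a fresh creation time on copy or archive extraction but keeps
    the source's modification time, so this ordering marks files that were
    brought in from elsewhere rather than written in place."""
    return [e["path"] for e in entries if e["created"] > e["modified"]]


def created_near(entries, pivot, window_s=60):
    """Paths created within +/- window_s seconds of pivot, given as a datetime
    or a 'YYYY-MM-DD HH:MM:SS' string such as a pslist start time."""
    if isinstance(pivot, str):
        pivot = datetime.strptime(pivot, TS_FMT)
    window = timedelta(seconds=window_s)
    return [e["path"] for e in entries if abs(e["created"] - pivot) <= window]


if __name__ == "__main__":
    entries = parse_rows(ROWS)
    print("copied/extracted:", copied_or_extracted(entries))
    print("created within 60 s of process start:",
          created_near(entries, "2011-01-06 14:36:52"))
```

With the pivot set to the cleansweep.exe start time, the 60-second window returns the two dropped files and spyeye.zip; narrowing it to 30 seconds drops the zip, which is one way to separate the dropper's own writes from whatever preceded it. On a full mftparser dump the copied-or-extracted filter will also match every legitimately copied file, so treat it as a way to rank candidates, not as a verdict.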
Finally, hash the image again:

b33ns@b33ns:~$ md5sum ~/sample/volatile/spyeye.vmem
15dd403be9021bdb711091e946a3ba64  /home/b33ns/sample/volatile/spyeye.vmem

Same hash as before the analysis started, so the image was only read and never modified along the way.
------| References

[1] http://ezine.echo.or.id/issue28/007.txt
[2] http://code.google.com/p/volatility/wiki/MemorySamples
[3] http://code.google.com/p/volatility