Posts

Showing posts from October 2016

Zeus Trojan - Memory Forensics with Volatility

In this post I'm going to talk about Volatility. Volatility is one of the best tools for memory forensics. It is an open source framework written in Python for incident response and malware analysis. Thanks to Malware Analyst's Cookbook we can get a real memory dump from a host infected with the Zeus Trojan. You can download zeus.vmem.zip [41,4 MB]

1) With the option "imageinfo" you can find out what type of OS was running.

python vol.py -f zeus.vmem imageinfo

2) Now, we are going to look at what processes were running on the computer when the memory dump was recorded.

python vol.py -f zeus.vmem pstree

3) I couldn't see anything weird... I wanted to know if the machine was making connections...

python vol.py -f zeus.vmem connscan

4) Ok. Our machine was making connections with 193.104.47.75 on port 80/tcp. The process PID is 856. We want to know whether this process belongs to an Internet browser. We run it again:

python vol.py -f zeus.v

Stuxnet Trojan - Memory Forensics with Volatility | Part II

DETECTING API CALLS

If we use the command below, we can see the strings of these exported files in order to try to locate some interesting words...

strings evidences/process.*

Thanks to Volatility we can find the API hooks in this memory dump. In the picture below, you will see the API hooks related to the malicious process 1928.

python2 vol.py -f stuxnet.vmem malfind apihooks -p 1928

These calls are directly linked to the Stuxnet worm. You can read the article below from Symantec.

http://www.symantec.com/connect/blogs/w32stuxnet-installation-details

DETECTING MALICIOUS DRIVERS

With modscan we can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.

python2 vol.py -f stuxnet.vmem modscan

The first driver draws our attention... Please note the "Base" value (0xb21d08000) because we will export it with the command below.

python2 vol.py -f stuxnet.vmem moddump --dump-dir evidences/ --base 0xb21d8000

We ge

Stuxnet Trojan - Memory Forensics with Volatility | Part I

Stuxnet could be the first advanced malware. It is thought that it was developed by the United States and Israel to attack Iran's nuclear facilities. It attacked Windows systems using a zero-day exploit and it was focused on SCADA systems in order to affect critical infrastructures... Also, it may be spread from USB drives. Developing this malware required a team of highly capable programmers with deep knowledge of industrial processes and an interest in attacking industrial infrastructure. Kaspersky Lab concluded that the sophisticated attack could only have been conducted "with nation-state support", and a study of the spread of Stuxnet by Symantec says that it spread to Iran (58.85%), Indonesia (18.22%), India (8.31%), Azerbaijan (2.57%).... Thanks to Malware Cookbook we can download a memory dump from a host infected with this malware at the URL below:

http://www.jonrajewski.com/data/Malware/stuxnet.vmem.zip

Ok, let's go. We are going to analyze i