Snort My Memory – Blackhat DC 09
For those of you who have not checked the speaker lineup for Blackhat DC, I will be there giving a presentation entitled “Snort My Memory.” This talk will address some research that has been going on internally here at MANDIANT for the past couple of months. The research is focused on how to identify common malware samples in memory using Memoryze and the Audit Viewer. The specific idea behind this presentation is to take existing Snort signatures and apply them to strings in memory. The theory being that Snort uses strings to identify malware going over the network. These malware samples create network traffic using “strings” these “strings” must be in memory prior to going out over the wire. So why not just use Snort on the network? Well, when searching an entire enterprise for malware, you need to know every host that is infected and not just the ones that are communicating. Also, the attacker’s communications may be encrypted using SSL or other techniques, which makes network detection harder. With a little luck, the protocol strings such as commands for the botnet are hanging around statically unencrypted in memory, and we can detect them.
This research led me to write two new components. The first component is MindSniffer. This tool takes a Snort rule file and generates either Xpath filters for Memoryze to use or plugins for the Audit Viewer.
Written by Peter Silberman (firstname.lastname@example.org)
<-r|–rules RULE FILE> snort rule file to parse
<-x|–xpath> generate xpath signatures
<-p|–py> generate py files for use in AuditViewer
[-o|--output] specify output directory
The second component written is a plugin framework/manager for the Audit Viewer. This new component allows users to apply Snort “signatures” to Audit Viewer results (strings must be turned on during the process audit).
The presentation will cover the above research, what was learned, and how Memoryze accesses/parses physical memory and associates strings to processes. As always there will be live demonstrations of Snort signatures working in memory. You can see the official abstract https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Silberman
I hope to see you guys there in February. Feel free to e-mail me if you have questions or want to see the demo from Hack In The Box Malaysia ’08 (http://conference.hitb.org/hitbsecconf2008kl/).
As final note and shameless plug, stay tuned for some major updates to the Audit Viewer in the coming month or so.