ISC-SANS recently had a handler's diary entry that got my attention.
MANDIANT Red Curtain
In it, Jim Clausing reflects on the free malware analysis software MANDIANT Red Curtain.
...a tool that attempts to characterize files to point an investigator at files that might require more careful investigation. Earlier this week, Russ McRee sent us info on a nice little presentation he gave on malcode analysis techniques for incident handling. In it, he shows use of MRC and a couple of other tools that I'm quite fond of for malware analysis. His presentation can be found here (PDF). Russ has also written another article (PDF) on MRC that will appear in the December issue of ISSA Journal.
Both linked articles are well written and give a good overview of the design and usage of this application. If you are interested in this tool but aren't familiar with its capabilities, take a moment to read them.
- Mandiant Red Curtain: Malware - ISSA Journal | December 2007 (PDF)
- Malcode Analysis Techniques for Incident Handlers - Seattle Secureworld Expo 2007 (PDF)
I had earlier taken a close look at MRC and really was impressed. It has quickly become a great tool of mine in looking at systems that were impacted by malware or other hostile software. The main application must be installed on a host system. However, you can deploy a scanning "agent" in Roaming Mode for use off a USB stick on a target system. Then return the log file back to your primary host system and open and examine it with the Red Curtain Console application proper.
Three More Suite Analysis Tools
As I read the presentation papers, I came across three other sets of malware analysis tools (suites) that looked very fascinating. I'm sure these are well known to "professional" security experts, but I was thrilled to find them and wanted to pass them on to you as well. All are freeware.
RAPIER - (freeware) - This Google Code project is a branch of the Intel RPIER tool. RAPIER stands for the Rapid Assessment & Potential Incident Examination Report. "RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst."
Download the zip file and unpack it. Most of the utilities it uses are bundled with it. However, a handful of tools must be downloaded separately by you from their source locations. The applications live in the "Modules" subfolder. Check the key ones and review the readme file in each one; they provide clear and working links to the file sources. Once you have downloaded them, copy the needed files into the locations the readme lists. It took a bit of time to collect them all, but once obtained, everything worked great. Once you have assembled all the files, you are free to copy the tool folder to USB and use it portably on other systems.
Two great PDF papers are worth reading to get more familiar with the tool and its application in looking for and analyzing malware:
- 2007 Q3 SANS PDX 2007.pdf - SANS GCIH 2007 Presentation
- RAPIER31.pdf - RAPIER 3.1 usage article
SYSANALYZER // iDefense Labs - (freeware) - From the developer's description "SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:
- Running Processes
- Open Ports
- Loaded Drivers
- Injected Libraries
- Key Registry Changes
- APIs called by a target process
- File Modifications
- HTTP, IRC, and DNS traffic
SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:
- Create a memory dump of target process
- Parse memory dump for strings
- Parse strings output for exe, reg, and url references
- Scan memory dump for known exploit signatures
I need to be clear and careful with this tool. It is not a "sandbox" tool. What it does is monitor the system at key points as the target file under suspicion is executed "live" and takes "snapshots". These are then compared and logged for the analyst to sort through. Best run in a virtualized environment or on a test-lab system that is isolated from the network. Primarily designed and tested under Windows 2000, noted to run under XP with some issues.
iDefense Labs has also provided a great Overview as well as a Video Tour.
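As an added example (my own sketch, not code from the post or from iDefense's tools), the following Python reproduces the two ProcessAnalyzer steps quoted above: pulling ASCII and UTF-16LE strings out of a process memory dump and sorting them into exe, registry and URL references. The dump is a constructed byte blob, not a real capture, and the classifier patterns are my own assumptions about what such references look like.

```python
import re

MIN_LEN = 5  # shortest run of printable characters worth reporting

# Constructed sample "memory dump": ASCII strings, UTF-16LE strings (the way
# Windows stores most text) and binary noise, plus a too-short string.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"C:\\Windows\\System32\\svchost.exe\x00\x13"
    + "http://example.invalid/update.php".encode("utf-16-le") + b"\x00\x00\x13"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00\x7f"  # "ab" is shorter than MIN_LEN, so it is dropped
    + "dropper.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x7fftp://files.example.invalid/payload\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text is a printable byte followed by a NUL, repeated
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Unanchored classifiers: a string glued to its neighbour (a common artifact
# of wide-string extraction) still yields the reference inside it.
REF_PATTERNS = {
    "url": re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.I),
    "reg": re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU|SOFTWARE|SYSTEM)\\[^\s\"']+", re.I),
    "exe": re.compile(r"[\w\\:.\-]+\.(?:exe|dll|sys|scr)\b", re.I),
}


def extract_strings(dump: bytes):
    """Return (offset, text, encoding) for every ASCII/UTF-16LE string in dump."""
    found = [(m.start(), m.group().decode("ascii"), "ascii")
             for m in ASCII_RE.finditer(dump)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf-16le")
              for m in WIDE_RE.finditer(dump)]
    return sorted(found)  # offset order, as a strings tool would list them


def find_references(dump: bytes):
    """Bucket the extracted strings into exe, registry and URL references."""
    refs = {kind: [] for kind in REF_PATTERNS}
    for _offset, text, _encoding in extract_strings(dump):
        for kind, pattern in REF_PATTERNS.items():
            refs[kind].extend(m.group() for m in pattern.finditer(text))
    return refs


if __name__ == "__main__":
    for offset, text, encoding in extract_strings(SAMPLE_DUMP):
        print(f"{offset:#08x} {encoding:8} {text}")
    for kind, items in find_references(SAMPLE_DUMP).items():
        print(kind, items)
```

Pointing extract_strings at a real dump file is a matter of reading it with open(path, "rb").read(); on a real process image expect far more noise strings than references.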
Malcode Analysis Pack // iDefense Labs - (freeware) - From the developer's description "The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis. Included in this package are:
- ShellExt - 4 explorer shell extensions
- socketTool - manual TCP Client for probing functionality.
- MailPot - mail server capture pot
- fakeDNS - spoofs dns responses to controlled ip's
- sniff_hit - HTTP, IRC, and DNS sniffer
- sclog - Shellcode research and analysis application
- IDCDumpFix - aids in quick RE of packed applications
- Shellcode2Exe - embeds multiple shellcode formats in exe husk
- GdiProcs - detect hidden processes
Sclog Trainer (video) and a very light MAP Overview have been provided by iDefense Labs.
I will probably stick mostly with MANDIANT Red Curtain and RAPIER for deep system inspections and analysis, holding SysAnalyzer for only the most intensive studies.
I'm not really tasked with (nor do I have the time for) deep-diving an infected system. I really just need to be able to quickly evaluate an infected system, identify malware processes and files, capture samples for uploading to virus scanners for more information, and then clean the workstation or reimage it. However, having these at my disposal gives me an added degree of flexibility.
It's all good when you're fighting the bad!
--Claus
Just ran across this. Glad to see RAPIER is getting external use. My co-author and I really pushed to make it freeware so others could benefit from it.