
Homework 7

Incident Response / Memory Analysis
CIS4930/CIS5930 Offensive Security, Spring 2013
Due 11:59 PM Friday April 26
Electronic turn-in (turn in via email to: redwood@cs.fsu.edu)
The email must be titled in the following format: [Offensive Security] hw7 <your last name> (where <your last name> is your last name), i.e.: [Offensive Security] hw7 redwood

LATE SUBMISSIONS WILL NOT BE ACCEPTED
Worth: 100 points

Overview
You are expected to download and install the volatility (2.1 or 2.2) framework (either on your host machine, or in a virtual machine). You will also need your hands on a linux system (preferably a virtual machine). The easiest (to work with) route would be to take a debian distro of your choice (ubuntu, backtrack 5 R3, etc...) and follow the respective instructions at https://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6 Otherwise, for windows users, the standalone installer at https://code.google.com/p/volatility/downloads/list should work decently. But you'll still need access to a linux system for many of these tools, so it will just double your work. You will also need IDA.

Related Help / Tutorial:


If you'd like to get some practice with an already solved challenge using volatility, see http://www.honeynet.org/challenges/2010_3_banking_troubles. There is a great writeup which will provide you a nice guide/howto reference for the rest of this homework: http://honeynet.org/files/Forensic_Challenge_3__Banking_Troubles_Solution.pdf

Homework Files
Download from https://code.google.com/p/volatility/wiki/SampleMemoryImages
zeus.vmem
be2.vmem
Download from http://dougee652.blogspot.com/2011/04/malwarememoryimages.html
xpclean.tgz
xpinfected.tgz

Questions
Getting Started
Use the xpclean.bin and the xpinfected.bin memory dumps with volatility to answer the following questions. This will be a good starting point, as you will have a clean and an infected state of a system to compare the outputs of the various volatility plugins you might use. For instance, try the malfind plugin on both the clean and infected versions and you might notice that the tools/plugins are not perfect. In fact it is best to familiarize yourself with the documentation for each plugin:
https://code.google.com/p/volatility/wiki/CommandReference22
https://code.google.com/p/volatility/wiki/CommandReferenceMal22
https://code.google.com/p/volatility/wiki/CommandReferenceRegistryApi22
https://code.google.com/p/volatility/downloads/detail?name=CheatSheet_v2.3.pdf

1. [5 points] What new processes are there between xpclean and xpinfected? (Ignore win32dd)

2. [10 points] What connections have been opened between xpclean and xpinfected (give source => dest IP info)? Which processes control these connections (give PID, and process name if possible)?

3. [5 points] One of the processes from part 2 might be closed. It is common for malware to move around on a system, so did this process spawn any new processes? If so, provide details (PID + process name).

4. [10 points] Use procmemdump to dump this new process or processes. Then open up the dumped file in IDA (IDA demo 6 will work fine, and is free: https://www.hexrays.com/products/ida/support/download_demo.shtml). What libraries is the process loading (give their names)?

5. [5 points] One of these libraries should be suspicious. List some of the shady functions that this process is importing from the suspicious dll.

6. [15 points] Dump all the dlls from the xpinfected.bin image and find the suspicious DLL mentioned in #5 (hint: grep will be useful). From this dll, answer the following with IDA:
a. Does this dll export the same number of functions that the process that uses it imports from it?
b. How many does it export?
c. How many from this dll does the process from #4 import?

7. [15 points] Processes and even DLLs can load and unload DLLs on the fly. Functions from DLLs can be accessed either by their function string name, or by their ordinal. Now analyze the strings of this dll (as simple as running strings on the dll in linux) and answer the following:
a. What crypto related functions does this dll seem to involve?

b. What networking/connection related functions does this dll seem to involve?
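As an added example (not part of the assignment or of the Volatility project), a small Python helper for questions 1 to 3 above: it diffs Volatility 2.x pslist output between the clean and infected images, lists the children of a given PID, and joins connscan PIDs to process names. The sample text below is constructed in the pslist/connscan column layout and is not real output from xpclean.bin or xpinfected.bin.

```python
from typing import Dict, List, Tuple

# Constructed sample text in the column layout of Volatility 2.x "pslist" and
# "connscan"; NOT real results from xpclean.bin / xpinfected.bin (assumption).
PSLIST_CLEAN = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ ------ ------ ------ --------------------
0x823c8830 System                    4      0     57    257 ------      0
0x82163020 smss.exe                368      4      3     19 ------      0 2011-04-06 12:34:56
0x821a5da0 explorer.exe           1468   1412     12    298      0      0 2011-04-06 12:35:10
"""
PSLIST_INFECTED = PSLIST_CLEAN + """\
0x81fd0a80 svchost.exe            1168   1468      5     60      0      0 2011-04-06 12:40:02
0x81e9f3d8 dropper.exe            1588   1168      2     40      0      0 2011-04-06 12:40:03
"""
CONNSCAN_INFECTED = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01e74c68 192.168.56.101:1051       198.51.100.23:80          1168
0x01e8c2a0 192.168.56.101:1052       198.51.100.23:443         1588
0x01f01b10 192.168.56.101:1053       198.51.100.23:8080        2012
"""
Proc = Tuple[str, int]  # (name, ppid)

def parse_pslist(text: str) -> Dict[int, Proc]:
    """PID -> (name, PPID). Header and separator lines carry no 0x offset and are skipped."""
    procs: Dict[int, Proc] = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 4 and f[0].startswith("0x"):
            procs[int(f[2])] = (f[1], int(f[3]))
    return procs

def new_processes(clean: Dict[int, Proc], infected: Dict[int, Proc]) -> List[Tuple[int, str, int]]:
    """(pid, name, ppid) present in the infected image but absent from the clean one (Q1)."""
    return sorted((pid, n, pp) for pid, (n, pp) in infected.items() if pid not in clean)

def children_of(procs: Dict[int, Proc], parent: int) -> List[Tuple[int, str]]:
    """Children of `parent`: did a now-closed process spawn anything before exiting? (Q3)"""
    return sorted((pid, n) for pid, (n, pp) in procs.items() if pp == parent)

def parse_connections(text: str) -> List[Tuple[str, str, int]]:
    """(local, remote, pid) from connscan/connections output (Q2)."""
    return [(f[1], f[2], int(f[3])) for f in (ln.split() for ln in text.splitlines())
            if len(f) >= 4 and f[0].startswith("0x")]

def attribute_connections(conns, procs: Dict[int, Proc]) -> List[Tuple[str, str, int, str]]:
    """Join connections to the owning process; a PID missing from pslist is flagged rather
    than dropped, since connscan also recovers sockets of exited or unlinked processes."""
    return [(l, r, pid, procs.get(pid, ("<not in pslist>", -1))[0]) for l, r, pid in conns]
```

Run the real plugin output through the same functions (e.g. save `vol.py -f xpclean.bin pslist` to a file and read it in) to get the process diff and the connection-to-process table for your answers.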

Zeus:
Zeus is a particularly nasty and aggressive piece of malware. Answer the following questions with the vmem snapshot of a machine infected by zeus:

1. [5 points] What processes are currently running in this snapshot?

2. [10 points] How many of those processes have been potentially infected by Zeus?

Black Energy (be2)


Black Energy is a notorious botnet tool (see http://threatpost.com/en_us/blogs/insideblackenergy2botnet072110). Answer the following with the be2.vmem file:

1. [10 points] What are the open connections in this vmem file?

2. [10 points] What can you tell about the process or processes that the connections belong to? Does a bot always have to be connected to the botnet?
