Incident Response / Memory Analysis
CIS4930/CIS5930 Offensive Security
Spring 2013
Due 11:59 PM Friday April 26
Electronic turn in (turn in via email to: redwood@cs.fsu.edu)
The email must be titled in the following format:
[OffensiveSecurity] hw7 <yourlastname> (where <yourlastname> is your last name)
i.e.: [OffensiveSecurity] hw7 redwood
LATE SUBMISSIONS WILL NOT BE ACCEPTED
Worth: 100 points
Overview
You are expected to download and install the volatility (2.1 or 2.2) framework (either on your host machine, or in a virtual machine). You will also need your hands on a linux system (preferably a virtual machine). The easiest (to work with) route would be to take a debian distro of your choice (ubuntu, backtrack 5 R3, etc...) and follow the respective instructions at https://code.google.com/p/volatility/wiki/VolatilityIntroduction?tm=6
Otherwise, for windows users, the standalone installer at https://code.google.com/p/volatility/downloads/list should work decently. But you'll still need access to a linux system for many of these tools, so it will just double your work.
You will also need IDA.
Homework Files
Download from https://code.google.com/p/volatility/wiki/SampleMemoryImages
zeus.vmem
be2.vmem
Download from http://dougee652.blogspot.com/2011/04/malwarememoryimages.html
xpclean.tgz
xpinfected.tgz
Questions
Getting Started
Use the xpclean.bin and the xpinfected.bin memory dumps with volatility to answer the following questions. This will be a good starting point, as you will have a clean and an infected state of a system to compare the outputs of the various volatility plugins you might use. For instance, try the malfind plugin on both the clean and infected versions and you might notice that the tools/plugins are not perfect. In fact, it is best to familiarize yourself with the documentation for each plugin:
https://code.google.com/p/volatility/wiki/CommandReference22
https://code.google.com/p/volatility/wiki/CommandReferenceMal22
https://code.google.com/p/volatility/wiki/CommandReferenceRegistryApi22
https://code.google.com/p/volatility/downloads/detail?name=CheatSheet_v2.3.pdf
1. [5 points] What new processes are there between xpclean and xpinfected? (Ignore win32dd)
5. [5 points] One of these libraries should be suspicious. List some of the shady functions that this process is importing from the suspicious dll.
6. [15 points] Dump all the dlls from the xpinfected.bin image and find the suspicious DLL mentioned in #5 (hint: grep will be useful). From this dll, answer the following with IDA:
 a. Does this dll export the same number of functions that the process that uses it imports from it?
 b. How many does it export?
 c. How many from this dll does the process from #4 import?
7. [15 points] Processes and even DLLs can load and unload DLLs on the fly. Functions from DLLs can be accessed either by their function string name, or by their ordinal. Now analyze the strings of this dll (as simple as running strings on the dll in linux) and answer the following:
 a. What crypto related functions does this dll seem to involve?
 b. What networking/connection related functions does this dll seem to involve?
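Added example (not part of the assignment, and not volatility's own code): a small Python helper for questions 1 and 7. The first half diffs two pslist text listings (clean vs infected) by image name, counting instances so that an extra copy of a legitimate image is also reported, and drops the acquisition tool; the second half reproduces the `strings` rule on a dumped file and sorts the hits into crypto-looking and network-looking names. The listings, process names, PIDs and the DLL bytes are constructed for this example, not taken from xpclean.bin or xpinfected.bin, and the keyword lists are my own loose heuristics.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample text in the shape of volatility's pslist output. Names,
# PIDs and offsets are invented; none of them come from the xp*.bin images.
CLEAN_PSLIST = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ --------------------
0x823c8830 System                    4      0     58    255 1970-01-01 00:00:00
0x82173020 smss.exe                368      4      3     21 2011-04-01 10:00:00
0x821a0da0 csrss.exe               592    368     11    365 2011-04-01 10:00:01
0x821e4020 explorer.exe           1464   1432     13    389 2011-04-01 10:00:10
0x82101b08 win32dd.exe            1836   1464      1     24 2011-04-01 10:30:00
"""

INFECTED_PSLIST = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ --------------------
0x823c8830 System                    4      0     58    255 1970-01-01 00:00:00
0x82173020 smss.exe                368      4      3     21 2011-04-01 10:00:00
0x821a0da0 csrss.exe               592    368     11    365 2011-04-01 10:00:01
0x821e4020 explorer.exe           1464   1432     13    389 2011-04-01 10:00:10
0x820f5da0 sample.exe             1640   1464      2     45 2011-04-01 10:20:00
0x820c2a48 svchost.exe            1700   1640      4     80 2011-04-01 10:20:05
0x82101b08 win32dd.exe            1892   1464      1     24 2011-04-01 10:31:00
"""

# One pslist row: virtual offset, image name, PID, PPID (other columns ignored).
PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_pslist(text: str) -> List[Tuple[str, int, int]]:
    """Return (name, pid, ppid) for every process row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def new_processes(clean: str, infected: str,
                  ignore: Iterable[str] = ("win32dd.exe",)) -> List[str]:
    """Image names that occur more often in the infected listing than the clean one.

    Counting by name rather than by PID also catches an extra instance of a
    legitimate image (e.g. a second svchost.exe), which a plain set difference
    on names would miss. Names in `ignore` (the acquisition tool) are dropped.
    A process hidden from the EPROCESS list will not show up here at all; that
    is what psscan/malfind are for.
    """
    skip = {n.lower() for n in ignore}
    before = Counter(name.lower() for name, _, _ in parse_pslist(clean))
    after = Counter(name.lower() for name, _, _ in parse_pslist(infected))
    return sorted(name for name, n in after.items()
                  if n > before.get(name, 0) and name not in skip)


# Keyword hints for the strings triage in question 7. Substring matching is
# deliberately loose (e.g. "rsa" also hits unrelated words): review hits by hand.
CRYPTO_HINTS = ("crypt", "aes", "rc4", "md5", "sha1", "sha256", "cipher", "rsa")
NETWORK_HINTS = ("socket", "connect", "send", "recv", "wsa", "internet",
                 "http", "url", "gethostbyname", "bind", "listen")

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same rule as `strings -n 4`


def extract_strings(blob: bytes) -> List[str]:
    """Runs of 4+ printable ASCII bytes, in file order (what `strings` prints)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def classify_strings(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket strings as crypto-looking, network-looking, or other."""
    buckets: Dict[str, List[str]] = {"crypto": [], "network": [], "other": []}
    for s in strings:
        low = s.lower()
        if any(h in low for h in CRYPTO_HINTS):
            buckets["crypto"].append(s)
        elif any(h in low for h in NETWORK_HINTS):
            buckets["network"].append(s)
        else:
            buckets["other"].append(s)
    return buckets


# Constructed stand-in for a dumped DLL: a header fragment plus a few
# NUL-separated API names. Not a real file from the xpinfected image.
SAMPLE_DLL_BYTES = (b"MZ\x90\x00\x03\x00\x00\x00"
                    b"CryptAcquireContextW\x00CryptEncrypt\x00"
                    b"WSAStartup\x00connect\x00InternetOpenA\x00"
                    b"GetProcAddress\x00LoadLibraryA\x00")

if __name__ == "__main__":
    print("new in infected:", new_processes(CLEAN_PSLIST, INFECTED_PSLIST))
    for bucket, hits in classify_strings(extract_strings(SAMPLE_DLL_BYTES)).items():
        print(f"{bucket}: {hits}")
```

For the real images, feed `new_processes` the saved output of `vol.py -f xpclean.bin pslist` and the matching xpinfected run, and feed `extract_strings` the bytes of the file that dlldump wrote. A name that moves between buckets only because of a keyword collision is the reason to look at the import table in IDA rather than trust the string scan alone.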
Zeus:
Zeus is a particularly nasty and aggressive piece of malware. Answer the following questions with the vmem snapshot of a machine infected by zeus:
1. [5 points] What processes are currently running in this snapshot?
2. [10 points] How many of those processes have been potentially infected by Zeus?
2. [10 points] What can you tell about the process or processes that the connections belong to? Does a bot always have to be connected to the botnet?
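Added example (not part of the assignment, and not volatility's own code) for the connection questions above: it joins a connscan-style listing to a pslist listing by PID so each connection is attributed to an image name, keeps connections whose owner is no longer in the process list (connscan carves connection objects from physical memory, so stale ones from exited processes are normal), and reports which suspect PIDs own no connection at all, which is the point behind "does a bot always have to be connected". Both listings, the PIDs and the addresses are constructed for this example (remote hosts use RFC 5737 documentation ranges); nothing here comes from zeus.vmem, and the set of suspect PIDs stands in for whatever malfind flagged in your own analysis.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample text in the shape of volatility's pslist and connscan
# output. Names, PIDs, offsets and addresses are invented, not from zeus.vmem.
PSLIST = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ --------------------
0x81e5f020 svchost.exe             856    672     20    210 2011-04-01 06:06:53
0x81c9d890 lsass.exe               736    672     22    330 2011-04-01 06:06:50
0x81d8b3a0 explorer.exe           1752   1700     14    380 2011-04-01 06:07:10
"""

CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 10.0.2.15:1054            203.0.113.20:80           856
0x06015ab0 10.0.2.15:1055            198.51.100.7:443          856
0x0620a1d8 10.0.2.15:1061            203.0.113.20:80           1752
0x06303cb0 10.0.2.15:1030            198.51.100.7:443          2040
"""

PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+\d+")
# connscan row: physical offset, local address, remote address, owning PID.
CONN_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_pslist(text: str) -> Dict[int, str]:
    """PID -> image name for every process row."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_connections(text: str) -> Dict[int, List[str]]:
    """PID -> remote endpoints, in listing order (duplicates kept on purpose)."""
    conns: Dict[int, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = CONN_ROW.match(line)
        if m:
            conns[int(m.group(3))].append(m.group(2))
    return conns


def connections_by_process(pslist_text: str, conn_text: str) -> Dict[str, List[str]]:
    """Attribute each connection to its owning process by PID.

    A PID with no pslist entry is reported as '<unknown>' rather than dropped:
    connscan scans physical memory and can surface connections of processes
    that have since exited, or of a process hidden from the active list.
    """
    names = parse_pslist(pslist_text)
    out = {}
    for pid, remotes in parse_connections(conn_text).items():
        out[f"{names.get(pid, '<unknown>')} ({pid})"] = remotes
    return out


def silent_suspects(suspect_pids: Iterable[int], conn_text: str) -> List[int]:
    """Suspect PIDs (e.g. the ones malfind flagged) that own no connection.

    An infected process need not be talking to its controller at the instant
    the image was taken, so 'no connection' does not clear it.
    """
    connected = set(parse_connections(conn_text))
    return sorted(pid for pid in suspect_pids if pid not in connected)


if __name__ == "__main__":
    for owner, remotes in connections_by_process(PSLIST, CONNSCAN).items():
        print(owner, "->", ", ".join(remotes))
    # Hypothetical suspect set standing in for your own malfind review.
    print("suspects with no connection:", silent_suspects({856, 1752, 736}, CONNSCAN))
```

On the real snapshot, save `vol.py -f zeus.vmem pslist` and `vol.py -f zeus.vmem connscan` to text files and pass their contents in; comparing `connections_by_process` against the malfind results is what separates "process owns a connection" from "process is the one that was injected into".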