A new approach in identifying malware with memory image analysis

Authors

1 Master's degree, Faculty of Information Communication Technology and Security, Malik Ashtar University of Technology, Tehran, Iran

2 PhD student, Command and Control Center, Social Networks Laboratory, Tehran, Iran

3 Professor, Faculty of Information, Communication and Security Technology, Malik Ashtar University of Technology, Tehran, Iran

Abstract

Detection methods based on analysis of memory contents have achieved great popularity in recent years.
Researches in this area have great progress and powerful analysis frameworks has been innovated. Although these
frameworks provide detailed examination of a memory snapshot, interpretation and correlation of these details to
extract inconsistencies require a comprehensive knowledge of the internal structure of the operating system. In this
paper, our proposed scanner focus on extracting information from the memory structure along with addressing the
inconsistencies created by defense techniques used by malwares. In the proposed method, memory forensics is used,
for the first time, to investigate the main functionality of malware by extracting function calls from the user space
memory. In other words, in this method memory structures are described to extract the effective indicators related to
registry changes, access to library files and operating system function calls. At last to evaluate the extracted features,
Samples have been classified based on the selected feature. Best result include detection rate of 98% and false positive
rate of 16%, which demonstrates the effectiveness of the memory contents.

[1] L. O. Murchu and E. Chien, “W32.Stuxnet dossier,”    Symantec Security Response, Tech. Rep., Oct. 2010.
[2] P. O'Kane, S. Sezer, and K. Mclaughlin, “Obfuscation: The Hidden Malware,” in Security & Privacy, IEEE, Sept-Oct. 2011.
[3] M. Egele, T. Scholte, E. Kirda, and C. Kruegel, “A survey on Automated Dynamic Malware-Analysis Techniques and Tools,” ACM Computing Surveys (CSUR), February 2012.
[4] M. Sharif, A. Lanzi, J. Giffin, and W. Lee, “Automatic Reverse Engineering of Malware Emulators,” in Security and Privacy, 2009 30th IEEE Symposium on, 17-20 May 2009.
[5] C. Ries, “Inside Windows Rootkits,” in Vigilant Minds Inc., 4736, May 2006.
[6] J. Butler and P. Silberman, “Raide: Rootkit analysis identification elimination,” in Black Hat USA, vol. 47, 2006.
[7] A. Kristine, “Techniques and Tools for Recovering and Analyzing Data from Volatile Memory,” 2009. [Online]. Available:http://www.sans.org/?utm_source=web&utm_medium=text-ad&utm_content=generic_rr_pdf_(c)_text1&utm_campaign= Reading_Room&ref=36914.
[8] S. Vomel and H. Lenz, “Visualizing Indicators of Rootkit Infections in Memory Forensics,” In IT Security Incident Management and IT Forensics (IMF), 2013 Seventh     International Conference on IEEE, pp. 122-139, March 2013.
[9] “Windows Rootkit Overview,” Symantec Corporation, 2010.
[10] A. Aljaedi, D. Lindskog, P. Zavarsky, R. Ruhl, and F. Almari, “Comparative Analysis of Volatile Memory   Forensics: Live Response vs. Memory Imaging,” in     Privacy, Security, Risk and Trust (passat), International Conference on and 2011 IEEE third, International       Conference on Social Computing (socialcom), 9-11 Oct. 2011.
[11] “SQL Slammer Worm Propagation,” 2003. [Online].  Available: http://xforce.iss.net/xforce/xfdb/11153.
[12] A. White, B. Schatz, and E. Foo, “Surveying the User Space Through User Allocations,” in Digital Investigation 9,  August 2012.
[13] M. E. Russinovich and D. A. Solomon, “Windows       Internals,” 4th ed., Redmond: Microsoft, 2005.
[14] B. Dolan-Gavitt, “The VAD Tree: A Process-eye View of Physical Memory,” in Digital Investigation, September 2007.
[15] M. Ligh, S. Adair, B. Hartstein, and M. Richard, “Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code,” Wiley, 2010.
[16] M. Ligh, S. Adair, B. Hartstein, and M. Richard, “Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code,” Wiley, 2010.
[17] A. Schuster, “Searching for Processes and Threads in  Microsoft Windows Memory Dumps,” Digital              Investigation 3, pp. 10-16, 2006.
[18] A. Tevanian and e. al, “A UNIX Interface for Shared Memory and Memory Mapped Files Under Mach,” in USENIX Summer, 1987.
[19] M. Ligh, “Malfind Volatility Plugin,” [Online]. Available: http://mnin.blogspot.com, 2009.
[20] T. C. Keong, “Dynamic Forking of Win32 EXE,” [Online]. Available: http://www.security.org.sg/ code/loadexe.html, 2004.
[21] A. Walters and B. Dolan-Gavitt, “Volatility: an advanced memory forensics framework,” 2007.
[22] “GMER - Rootkit Detector and Remover,” [Online].  Available: http://www.gmer.net/, 2012.
[23] B. Cogswell and M. Russinovich, “Rootkit                   Revealer,” [Online]. Available: www. sysinternals. com/ntw2k/freeware/rootkitreveal. shtml , 2006.
[24] J. Pan, “Ice Sword,” [Online]. Available: http://www.xfocus.net /tools/200509 /1085.html, 2005.
[25] G. Palmer, “A Roadmap for Digital Forensic Research,” First Digital Forensic Research Workshop (DFRWS), 2001.
[26] R. Harris, “Examining how to define and control the      anti-forensics problem,” Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS ’06),   Digital Investigation 2006, 3(Suppl. 0), 2006.
[27] T. Haruyama and H. Suzuki, “One-byte Modifications for Breaking Memory Forensic Analysis,” In Proceedings of Blackhat Europe, 2012.
[28] L. Milkovic, “Defeating Windows Memory Forensics,” In Proceedings of the 29th Chaos Communications          Conference, 2012.
[29] J. Stüttgen and C. M, “Anti-forensic Resilient Memory Acquisition," In The Proceedings of the Thirteenth Annual DFRWS Conference, August 2013.
[30] H. Inoue, F. Adelstein, and R. Joyce, “Visualization in Testing a Volatile Memory Forensic Tool,” In Digital Investigation, 2011.
[31] D. Bilby, “Low down and Dirty: Anti-forensic Rootkits,” In: Proceedings of Black Hat, Japan, 2006.
[32] S. Vömel and F. Freiling, “Correctness, atomicity, and integrity: defining criteria for forensically-sound memory acquisition,” In Digital Investigation, November 2012.
[33] B. D. Carrier and J. Grand, “A hardware-based Memory Acquisition Procedure for Digital Investigations,” in   Digital Investigation, February 2004.
[34] A. Boileau, “Hit by a Bus: Physical Access Attacks with Firewire,” In Ruxcon Computer Security Conference, 2006.
[35] J. Wang, F. Zhang, K. Sun, and A. Stavrou,         “Firmware-assisted Memory Acquisition and Analysis Tools for Digital Forensics,” Systematic Approaches to Digital Forensic Engineering (SADFE),IEEE Sixth     International Workshop on. IEEE, 2011.
[36] C. Tilbury, August 2012. [Online]. Available: https://code.google.com/p/mft2csv/wiki/SetRegTime.
[37] J. Williams and A. Torres, 2014. [Online]. Available: http://code.google.com/p/attention-deficit-disorder/.
[38] L. Milković, 28 December Communication Congress in Hamburg 2012. [Online]. Available: http://code.google.com/p/dementia-forensics/downloads/detail?name=Defeating Windows memory forensics.pdf.
[39] T. Haruyama and H. Suzuki, 16 March 2012. [Online]. Available: https://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Forensic-Slides.pdf.
[40] D. Brendan, “Forensic Analysis of the Windows Registry in Memory,” in Digital Investigation, September 2008.
[41] A. Wichmann and E. Gerhards-Padilla, “Using Infection Markers as a Vaccine Against Malware Attacks,” In Green Computing and Communications (GreenCom),            International Conference on, 20-23 Nov. 2012.
[42] [Online]. Available: http://home.mcafee.com/virusinfo/virusprofile.aspx?key=142626.
[43] R. B. Van Baar, W. Alink, and A. R. Van Ballegooij, “Forensic Memory Analysis: Files Mapped in Memory,” In Digital Investigation, 2008.
[44] “Volatility Labs,” Black Hat USA & DFRWS 2014, July 2014. [Online]. Available: http://volatility-labs.blogspot.ae/.
[45] S. Almarri and P. Sant, “Optimised Malware Detection in Digital Forensics,” International Journal of Network   Security & Its Applications 6.1, 2014.
[46] “ntoskrnl.exe,” [Online]. Available: http://en.wikipedia.org/wiki/Ntoskrnl. [Accessed 2014].
[47] V. Zwanger and F. C. Freiling, “Kernel Mode API      Spectroscopy for Incident Response and Digital          Forensics,” Proceedings of the 2nd ACM SIGPLAN   Program Protection and Reverse Engineering Workshop. ACM, 2013.
[48] “Malware Research & Data Center,” [Online]. Available: http://www.virussign.com/.
[49] “Computer Virus Collection,” [Online]. Available: http://vxheaven.org/vl.php. [Accessed 2014].
[50] Melville, “WEKA Tutorial,” [Online]. Available: http://www.cs.utexas.edu/users/ml/tutorials/Weka-tut/. Accessed 2014.