DAMM – Differential Analysis of Malware in Memory
To contribute to addressing this problem we will be launching Cynomix.org at the opening of Black Hat USA 2014. Cynomix will include three key, novel capabilities that we hope will broadly impact the way malware analysis is performed:
DAMM – Differential Analysis of Malware in Memory
Detecting malware is difficult, and analyzing a detected piece of malware's behavior is even more difficult. Techniques for analysis generally fall into one of three camps: static analysis of the malicious binary on disk, dynamic analysis as the binary executes, or a hybrid approach using a snapshot of physical RAM taken as the malware executes. As a result of our DARPA Cyber Fast Track (CFT) funded research, we extend this third approach. We present a novel technique for leveraging information, including multiple snapshots of physical RAM, for malware detection and analysis. The technique is implemented as DAMM, a tool for differential analysis of malware in memory. DAMM functions by leveraging multiple snapshots of RAM, domain knowledge about known-benign in-memory artifacts, and indicators of malicious activity to present to the user a powerful view of malicious execution in memory.
Differential Analysis of Malware in Memory (DAMM) is a tool built on top of Volatility. Its main objective is to serve as a test bed for some newer techniques in memory analysis, including performance enhancements via persistent SQLite storage of plugin results (optional); comparing in-memory objects across multiple memory samples, for example processes running in an uninfected sample versus those in an infected sample; data reduction via smart filtering (e.g., on a pid across several plugins); and encoding a set of expert domain knowledge to sniff out indicators of malicious activity, like hidden processes and DLLs, or Windows built-in processes running from the wrong directory. DAMM is free and open source. A walkthrough and more information are available with the download link.
* Differential analysis: the most important feature of DAMM allows you to compare the memory objects in one memory image with those in another and display only the differences, for instance displaying only the new processes, or changes in existing processes. This can be used in controlled environments where you can acquire a memory sample from a machine before a malware infection and one from after the infection, or even by comparing an infected memory sample against a stock memory image from the same OS version.
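The following is an added illustration of the two ideas above (differential comparison of process listings, and the "built-in process in the wrong directory" domain-knowledge check); it is not DAMM's or Volatility's code. The process records and the table of expected directories are constructed for the example, standing in for the rows a pslist-style plugin would return for each memory sample.

```python
"""Differential analysis of process listings from two memory samples.

Added example, not part of DAMM. Records are constructed to look like
pslist/dlllist output (pid, ppid, name, full image path) from a baseline
(clean) sample and a later sample of the same running machine.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str  # full image path as reported by the plugin


# Domain knowledge (constructed, abbreviated): where a few Windows
# built-in binaries are expected to live. Compared case-insensitively.
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed samples: the second one has one extra process.
BASELINE = [
    Proc(4, 0, "System", ""),
    Proc(584, 368, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(812, 640, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1520, 1488, "explorer.exe", r"C:\Windows\explorer.exe"),
]
INFECTED = BASELINE + [
    Proc(2104, 1520, "svchost.exe", r"C:\Users\Public\svchost.exe"),
]


def diff_processes(baseline, later):
    """Return (new, gone): processes only in `later` / only in `baseline`.
    Keyed on (pid, name), which is stable for snapshots of one boot."""
    base = {(p.pid, p.name): p for p in baseline}
    late = {(p.pid, p.name): p for p in later}
    new = [late[k] for k in sorted(late.keys() - base.keys())]
    gone = [base[k] for k in sorted(base.keys() - late.keys())]
    return new, gone


def wrong_directory(procs):
    """Flag known built-ins whose image path is outside the expected directory."""
    return [p for p in procs
            if p.name.lower() in EXPECTED_DIRS
            and ntpath.dirname(p.path.lower()) != EXPECTED_DIRS[p.name.lower()]]
```

Running `diff_processes(BASELINE, INFECTED)` reduces the output to the single new process, and `wrong_directory` on that result flags it because a svchost.exe launched from a user-writable directory contradicts the encoded expectation.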
Static malware analysis: Static or Code Analysis is usually performed by dissecting the different resources of the binary file without executing it and studying each component. The binary file can also be disassembled (or reverse engineered) using a disassembler such as IDA.
The machine code can sometimes be translated into assembly code which can be read and understood by humans: the malware analyst can then make sense of the assembly instructions and have an image of what the program is supposed to perform. Some modern malware is authored using evasive techniques to defeat this type of analysis, for example by embedding syntactic code errors that will confuse disassemblers but that will still function during actual execution.
Dynamic malware analysis: Dynamic or Behavioral analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is often performed in a sandbox environment to prevent the malware from actually infecting production systems; many such sandboxes are virtual systems that can easily be rolled back to a clean state after the analysis is complete.
The malware may also be debugged while running using a debugger such as GDB or WinDbg to watch the behavior and effects on the host system of the malware step by step while its instructions are being processed. Modern malware can exhibit a wide variety of evasive techniques designed to defeat dynamic analysis including testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input.
Geometric altitude data from a combined Global Navigation Satellite System (GNSS) and inertial measurement unit (IMU) system on the University of Wyoming King Air research aircraft are used to estimate acceleration effects on static pressure measurement. Using data collected during periods of accelerated flight, comparison of measured pressure with that derived from GNSS/IMU geometric altitude show that errors exceeding 150 Pa can occur which is significant in airspeed and atmospheric air motion determination. A method is developed to predict static pressure errors from analysis of differential pressure measurements from a Rosemount model 858 differential pressure air velocity probe. The method was evaluated with a carefully designed probe towed on connecting tubing behind the aircraft - a "trailing cone" - in steady flight, and shown to have a precision of about 10 Pa over a wide range of conditions including various altitudes, power settings, and gear and flap extensions. Under accelerated flight conditions, compared to the GNSS/IMU data, this algorithm predicts corrections to a precision of better than 20 Pa. Some limiting factors affecting the precision of static pressure measurement on a research aircraft are examined.
Coarsely digitized maximum levels recorded in blown fuses. Circuit feeds power to accelerometer and makes nonvolatile record of maximum level to which output of accelerometer rises during measurement interval. In comparison with inertia-type single-preset-trip-point mechanical maximum-acceleration-recording devices, circuit weighs less, occupies less space, and records accelerations within narrower bands of uncertainty. In comparison with prior electronic data-acquisition systems designed for same purpose, circuit simpler, less bulky, consumes less power, costs and analysis of data recorded in magnetic or electronic memory devices. Circuit used, for example, to record accelerations to which commodities subjected during transportation on trucks.