Nothing to See Here

Dark Reading posted an interesting article yesterday about a new tool called Dementia created by Luka Milkovic. Dementia demonstrates an approach that could be used by malware to circumvent memory forensics tools. These forensic tools allow a malware analyst to export the contents of an infected machine’s memory to a dump file. The analyst can examine this file looking for processes or threads running on the infected machine that indicate a malware infection. Dementia intercepts and alters the dumps to selectively remove artifacts. This means that it can be used to hide running processes, threads, or other footprints of an active piece of malware.

Attackers attempting to hide their tracks is not a new concept. We have seen malware alter logs, hide from the Task Manager, verify that it has access to the real internet, and refuse to load on virtual machines. These practices are designed to hide from detection and to make analysis of the malware more difficult. These techniques once required a certain amount of technical capability, but now they are baked into most rootkits and malware construction kits.

Up until the release of this tool, there was a perception that at least the system memory could be trusted. Malware could hide from disk analysis and could cloak its processes, but if it was running it had to show up in memory. There have been several approaches to preventing memory forensics, either by breaking memory acquisition or by corrupting the memory file. An example of this is the one-byte modification technique (Haruyama and Suzuki), which manages to corrupt the dump file and make it unsuitable for analysis by replacing a single byte. This technique, while effective, has a serious drawback.

Corrupting the dump file is a bit like jamming a radio transmission. You may succeed in preventing two parties from communicating by jamming their signal, but they will know that they are being jammed. The Dementia technique is more analogous to intercepting the radio transmission, altering its contents, and then passing it on. This results in a sort of man-in-the-middle attack between the contents of the infected machine’s memory and the dump that will be used for analysis. If the forensics are confined to memory analysis and the attacker has done his job correctly, the analyst may conclude that the machine was not infected. Even if he knows the machine is infected, he will not have anything of value to analyze.

Dementia has its own drawbacks. It isn’t doing anything to hide the malware in the memory itself, only in the copy of the memory that will be used for analysis. This means that an analyst with physical access to the machine can use FireWire for real-time analysis. Still, it will have a very big impact on memory forensics. Aside from the requirement that you have physical access to the machine, there are a host of problems you encounter when trying to analyze the memory live. There are other techniques designed to cloak the active memory, like Shadow Walker (Butler and Sparks), but the Dementia approach is much easier to implement.

This illustrates the main problem with host-based detection and forensics: you can’t trust an infected host. Once an attacker has obtained root access, either manually or with malware, they can potentially control all aspects of the machine. Everything you see on the system can be a lie: logs, processes, files, registry entries, and now the contents of the system’s memory. Dementia is a proof of concept and not intended to actively hide malware, but now that the technique has been proven, we may see this in the wild shortly.