Wednesday, February 04, 2009

Mandiant Memoryze is the 2008 Toolsmith Tool of the Year

Updated: 2/6/09 See update below.

I'm a tool geek, no doubt. You can't write a column like toolsmith and not be one.
I've been mighty excited about a number I've things I've written about in the last year, including PHP IDS, NetworkMiner, and the tools from the Integrity Project.
As much as I enjoy (even love) every tool I write about, they become like family ;-), I have reached a decision.
Mandiant Memoryze is the 2008 Toolsmith Tool of the Year.
The February 2009 toolsmith article on Mandiant Memoryze is here.
Incident handlers and malware analysts rejoice: Memoryze is simply indispensable.
Food, water, air, love, Memoryze...really.
I use it at least three times a week in my virtual analysis sandboxes and I know I haven't realized its full potential.
Here's an example without full specifics as it stems from a work related investigation.
Imagine a scenario where you've been given malicious software to analyze. Said software was purchased from a nefarious and anonymous source based on its ability to wreak havoc, and your mission is to see if there's any way to find out who the actual author is.
Solution: run the malicious software in your VM sandbox, fire up Memoryze as follows:
memoryze.exe -o -script AllAudits.Batch.xml -encoding none
Be sure strings is enabled in AllAudits.Batch.xml like this:
param name="strings"
value xsi:type="xsd:boolean" true

It'll write a mass of junk to your output directory, but there's gold to be found in there.
I scrubbed through the strings output from the malicious process under the assumption that maybe the wanker who developed it left something useful behind (they often do).
Sure enough, Visual Studio attributes and reference to his home (including his user name) directory on his Vista installation showed up in the memory extract.
I combined those findings with some trace identification elements from automated email received during the purchase to pull together the developers full name.

Put simply, as malware anaysis tools go, and incident handling tools for that matter, this is a must for your tool kit.

Keep an eye on the Mandiant blog and Peter Silberman's work and presentations, He wrote the above mentioned AllAudits.Batch.xml and discussed it on OpenRCE.

Update 2/6/09
Principal developer Jamie Butler will be teaching how to write your own memory analysis tool or at least know the right questions to ask before you buy one at Black Hat DC February 16-17 and will also be speaking with Peter at RSA in April about memory analysis and malware reversing.
Expect a new version of Audit Viewer to release in concert with their presentations at Black Hat DC.

Get to know Mandiant Memoryze, you will not be disappointed. | digg | Submit to Slashdot

No comments:

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...