Volatility 2.0 Plugin Vscan

I came across a program the other day that is very powerful when it comes to IR (incident response). Wanting to learn more about the platform, I dived right in and decided to create a plugin. What if you could automatically carve a file out of a memory image and submit that carving to an online virus scanning service? That would make quick work of triaging any memory dumps you have lying around, assuming you can isolate the suspicious process. The idea was born out of a larger project in development called Avalanche. Its goal is to bring a lot of these tools together for quick analysis, in the spirit of Mandiant Redline or HBGary Responder Pro, but built around Python.

For those who don't know what Volatility is: it's a great open source memory forensics framework written in Python, actively developed by a great community (it even supports Windows 8 at the time of this writing). The tool operates on memory dumps, which are images of physical RAM, much like a disk image, except that they capture a snapshot of the machine's state at the moment of acquisition. Memory dumps have some advantages over full disk images, such as size and context. Some information that exists in memory is difficult or impossible to recover from a disk image (API hooking, process injection, listening sockets, current and recent IP connections, hidden processes), and a memory dump makes these data points readily accessible.

Volatility has some practice images on its wiki that you can play with as well. Installing the plugin is simple: download the file and unzip it into the plugins directory. If you want to use VirusTotal, you will need to hardcode your API key into avsubmit.py and install simplejson. avsubmit is code that MHL shared in the Malware Analyst's Cookbook; all of the book's code snippets are freely available here. I've heard great things about the book and mine is in the mail.

Usage is pretty simple. Run this command:

python vol.py vscan -f target.img -p 100 -s Jotti

Volatile Systems Volatility Framework 2.0
************************************************************************
Dumping explorer.exe, pid:   1724 output: executable.1724.exe
[-] Uploading to a virus scan service.  Results may be slow on queue
File already exists, initialization not required.
[*] Using Jotti...
Initialized session cookie: sessionid=800d68a1e60bf4a8c7f3c3f0a0c983d0ab03c3d2
Initialized APC: 1b38781678971428acde9fe921396eecabecc8a2
Checking Jotti's databse for file with MD5: 7161D1047247D94471CBA21ACB8BAB9E
The file does not already exist on Jotti...
Attempting to upload the sample, please wait...
You can find the new analysis here:

http://virusscan.jotti.org/en/scanresult/eb435d81ffc22b032cbba262f52382b202b65b3a
Trying to get results for the next 600 seconds...
Try 0
Try 1
Try 2
Try 3
Try 4
Try 5
drweb => scan clean
fsecure => scan clean
cpsecure => scan clean
arcavir => scan clean
fprot => scan clean
avast => scan clean
vba32 => scan clean
clamav => scan clean
gdata => scan clean
kaspersky => scan clean
bitdefender => scan clean
panda => scan clean
sophos => scan clean
avira => scan clean
ikarus => scan clean
avg => scan clean
nod32 => scan clean
emsisoft => scan clean
quickheal => scan clean
virusbuster => scan clean
Added sample to database with ID 4
Finished.

This dumps a target process from a memory image and submits it to the service of your choosing. Be warned that if the process has had code injected into it, the dumped executable alone can come back clean, as with Zeus/Zbot: the process image itself is a legitimate binary, and the malicious code lives in separate memory regions that a plain process dump does not include. In that case I use the malfind plugin via MHL's malware.py scripts, which dumps the VAD regions it finds suspicious. Once those regions are on disk you can still run the vscan plugin on them by passing the -E flag to point at a dumped file, as in the command below. Keep in mind that anything you submit leaves your environment; a dump of a victim's process may carry credentials or other sensitive data, so confirm that a public scanning service is acceptable before uploading.

python vol.py -f zeus.vmem vscan -E c:\zeus\winlogon.exe.66f0978.00ae0000-00b05fff.dmp -S jotti
Volatile Systems Volatility Framework 2.0
[*] Submitting [c:\zeus\winlogon.exe.66f0978.00ae0000-00b05fff.dmp] to [jotti
File already exists, initialization not required.
[*] Using Jotti...
Initialized session cookie: sessionid=7e90a75eb406c0f64ac3662a3a5e0ca325bc94f6
Initialized APC: 55521be59f3ec0b6385dfb43eb6a3a7885ded3c7
Checking Jotti's databse for file with MD5: B5CAE4218DC957F4419AEAA675C21B7F
You can find the existing analysis here:

http://virusscan.jotti.org/en/scanresult/7f8bccd75f6d538fda4bbec15c8e600c2cc2b337
Trying to get results for the next 600 seconds...
Try 0
drweb => Trojan.PWS.Panda.199
fsecure => Trojan.Spy.Zbot.EHO
cpsecure => scan clean
arcavir => scan clean
fprot => W32/Zbot.AF.gen!Eldorado
avast => Win32:Zbot-BCW
vba32 => scan clean
clamav => scan clean
gdata => Trojan.Spy.Zbot.EHO
kaspersky => scan clean
bitdefender => Trojan.Spy.Zbot.EHO
panda => scan clean
sophos => Sus/Behav-1010
avira => TR/Hijacker.Gen
ikarus => Trojan-Spy.Zbot
avg => Win32/Cryptor
nod32 => Win32/Kryptik.AY
emsisoft => Trojan-Spy.Zbot!IK
quickheal => scan clean
virusbuster => scan clean
Added sample to database with ID 8
Finished.
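A worked example, added here and not part of the post, the vscan plugin or the Cookbook code: it parses the malfind dump name used in the command above, decides whether a sample needs uploading by checking its MD5 against a local cache (standing in for the plugin's "does the service already know this hash" step; the cache, the example bytes and all function names are constructed for the example), and reduces the per-engine lines from the Zeus output above to an engine count, a detection count and the family name most engines agree on.

```python
"""Offline triage helpers around the vscan workflow: parse the malfind dump name,
hash the sample and skip re-upload of known hashes, and reduce per-engine output
to one verdict.  Added example; not the vscan plugin's or the Cookbook's code."""
import hashlib
import re
from collections import Counter, namedtuple

# malfind names dumps <process>.<EPROCESS offset>.<VAD start>-<VAD end>.dmp,
# e.g. winlogon.exe.66f0978.00ae0000-00b05fff.dmp (the file used in the post).
MALFIND_NAME = re.compile(
    r"^(?P<process>.+?)\.(?P<offset>[0-9a-f]+)\."
    r"(?P<start>[0-9a-f]{8})-(?P<end>[0-9a-f]{8})\.dmp$",
    re.IGNORECASE,
)
DumpInfo = namedtuple("DumpInfo", "process eproc_offset vad_start vad_end size")

# Engine lines copied from the post's Zeus output, with two of the tool's status
# lines left in to show that the parser ignores anything that is not a verdict.
ZEUS_RESULTS = """Try 0
drweb => Trojan.PWS.Panda.199
fsecure => Trojan.Spy.Zbot.EHO
cpsecure => scan clean
arcavir => scan clean
fprot => W32/Zbot.AF.gen!Eldorado
avast => Win32:Zbot-BCW
vba32 => scan clean
clamav => scan clean
gdata => Trojan.Spy.Zbot.EHO
kaspersky => scan clean
bitdefender => Trojan.Spy.Zbot.EHO
panda => scan clean
sophos => Sus/Behav-1010
avira => TR/Hijacker.Gen
ikarus => Trojan-Spy.Zbot
avg => Win32/Cryptor
nod32 => Win32/Kryptik.AY
emsisoft => Trojan-Spy.Zbot!IK
quickheal => scan clean
virusbuster => scan clean
Finished."""


def parse_malfind_name(path):
    """Pull process name, EPROCESS offset and VAD range out of a malfind dump path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = MALFIND_NAME.match(name)
    if m is None:
        return None
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return DumpInfo(m.group("process"), int(m.group("offset"), 16), start, end, end - start + 1)


def looks_like_pe(data):
    """procexedump output starts with an MZ header; a malfind VAD dump often does not,
    because injected code may be position-independent or have its header wiped."""
    return data[:2] == b"MZ"


def decide_submission(data, known_md5s):
    """Mirror the 'check by MD5 before uploading' step.  known_md5s maps upper-case
    MD5 -> existing report URL (a local cache assumed for the example; the plugin
    asks the service itself).  Returns (should_upload, md5, note)."""
    md5 = hashlib.md5(data).hexdigest().upper()
    if md5 in known_md5s:
        return False, md5, "existing analysis: %s" % known_md5s[md5]
    kind = "PE image" if looks_like_pe(data) else "raw region (no MZ header)"
    return True, md5, "upload %d bytes, %s" % (len(data), kind)


RESULT_LINE = re.compile(r"^\s*(?P<engine>[\w-]+)\s*=>\s*(?P<verdict>.+?)\s*$")
# Tokens that name a class rather than a family; skipped when picking the family.
GENERIC_TOKENS = {"trojan", "spy", "pws", "win32", "w32", "tr", "gen", "sus",
                  "behav", "generic", "variant", "heur"}


def parse_results(text):
    """Parse 'engine => verdict' lines as printed by vscan into {engine: verdict}."""
    verdicts = {}
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            verdicts[m.group("engine").lower()] = m.group("verdict")
    return verdicts


def summarize(verdicts, clean_marker="scan clean"):
    """Reduce per-engine verdicts to counts plus the most-agreed-upon family token."""
    hits = {e: v for e, v in verdicts.items() if v.lower() != clean_marker}
    families = Counter()
    for verdict in hits.values():
        for tok in re.split(r"[^0-9A-Za-z]+", verdict):
            tok = tok.lower()
            if tok and not tok.isdigit() and tok not in GENERIC_TOKENS:
                families[tok] += 1
    top = families.most_common(1)[0] if families else (None, 0)
    return {"engines": len(verdicts), "detections": len(hits),
            "family": top[0], "family_agreement": top[1]}
```

Running `summarize(parse_results(ZEUS_RESULTS))` on the output above gives 20 engines, 12 detections and "zbot" as the family, named by 7 of them; the same call on the explorer.exe output reports 0 detections and no family, which is the clean-but-possibly-injected case the text warns about. The MZ check does not block an upload; it only records which kind of artifact you are sending, since a headerless region is harder for signature engines to classify than a complete image.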

You could also extend the plugin to do this automatically for the files that malfind.py is about to write to disk. I hope you find the plugin useful, and perhaps it has inspired you to contribute something to this awesome project as well! Download the plugin here.

~ by malwareninja on September 17, 2011.

3 Responses to “Volatility 2.0 Plugin Vscan”

  1. The problem with the API is that simplejson does not work well with authed proxies. This is a good plugin and I’m looking forward to using it, but it’s going to take a bit of additional coding to make it useful for me. Thanks for the write up.

  2. Sorry, I should have added that scripting it to run through proxychains should make it work fine.

  3. […] Volatility: Here’s a post on the malwarereversing blog that discusses (and provides) the vscan.py plugin for Volatility 2.0, which allows you to submit malicious stuff you’ve found in a Windows memory dump to an online AV scanning site (the post uses Jotti). […]
