A Framework for Differential Analysis of Malware in RAM

April 10, 2013

Current analysis methods for images of RAM are limited in that they are designed to analyze a single memory image at a time. When attempting to analyze malware, it is a common technique to spin up a clean VM, infect it with that malware and then acquire a snapshot of RAM. This infected snapshot is then the starting point for analysis. What should be apparent is that large portions of such a memory capture can effectively be ignored – namely any part that the malware did not make use of (read, write, execute, etc.). With a single image, the only way to determine the changes made by the malware is to inspect its process representation in memory, scour kernel memory, and combine that with an analysis of the disassembled code itself to auger the actions the malware took. This is a tedious, time consuming, error prone process, which requires the effort of highly skilled analysts. 504ENSICS Labs is currently researching a different tactic, which should significantly reduce the effort required to analyze an unknown piece of malware: differential analysis of multiple types of in-RAM artifacts.

The tools and techniques developed during this research effort will give the analyst a wealth of information on which actions the malware took, such as hooking system calls, opening files for writing, opening network connections, creating or deleting files, or setting registry keys for persistence. Automatically generating this information would significantly reduce the amount of time required to figure out which actions the malware performed, without having to manually parse a code disassembly. This effort will result in a prototype GUI application which will allow the analyst to browse the differences in two successive memory samples detected by the set of plugins selected to run.