Congratulations to all the participants! This year's contest resulted in a ton of new and exciting functionality
available to law enforcement agents, DF/IR practitioners, malware
analysts, and researchers around the globe, which can immediately be
transitioned into their workflows. That's the whole spirit of open
source memory forensics with Volatility, and we're once again very proud
to sponsor a contest with such impressive results.
After over 10 years of development with the Volatility Framework and 4 years of previous plugin contests, you might think that there's nothing left to do, but the community continuously proves otherwise. This year, in particular, we were super impressed not only with the creativity and quality of the submissions, but the fact that several works were influenced by or in support of submissions from previous contests.
Everyone is a winner in this contest. Although a
few developers will walk away with prizes, they all solved a problem
that they (and inevitably others) faced, gained experience writing
Python plugins, and learned some intricacies of memory analysis
internals. The capability to program around technical issues and
design/implement solutions is a gift. You can applaud by following the
authors on Twitter/GitHub/LinkedIn, providing feedback on their ideas,
and helping to improve their code with testing, documentation, or
contributing patches.
Here is a breakdown of the placements and prizes:
1st place and $1500 USD cash or a Free Seat at Malware and Memory Forensics Training by the Volatility Project goes to:
Xabier Ugarte-Pedrero from Cisco Talos for PyREBox
2nd place and $500 USD cash goes to:
KSL Group (Kyle Ness, Shachaf Atun, and Liam Stein) for Threadmap
3rd place and $250 USD cash goes to:
Peter Kálnai and Michal Poslušný from ESET for Browserhooks
4th place and Volatility Swag goes to:
(tie) Michael Brown for SQLite Artifacts and Adam Bridge for Linux (X) Windows
5th place and Volatility Swag goes to:
Frank Block for Linux Glibc Heap Analysis
Here is a detailed summary of the submissions. If you have feedback for the authors, we're sure they'd love to hear your thoughts.
1st: Xabier Ugarte-Pedrero (Cisco Talos): PyREBox
PyREBox provides an extensible reverse engineering sandbox that combines debugging capabilities with introspection. The analyst can interact with the guest running inside the whole-system emulator, QEMU, either manually through IPython or by writing Python scripts. Unlike previous reverse engineering platforms, PyREBox is explicitly designed for modern threat analysts and the tasks they commonly perform. PyREBox also leverages Volatility to help bridge the semantic gap typically associated with virtual machine introspection.
2nd: Liam, Shachaf and Kyle (KSL Group): Threadmap
The KSL Group (Kyle Ness, Shachaf Atun, Liam Stein) submitted the threadmap plugin, which is the result of their extensive research comparing and contrasting weaknesses in existing tools for identifying code injection based on process hollowing. The authors found an obvious gap between the prevalence of attacks in the wild that leverage process hollowing and the strength of tools that can perform detection reliably. Based on the documentation provided alongside the Volatility plugin, the authors not only analyzed existing malware samples (i.e. a reactive approach) but also developed their own variations of process hollowing that are likely to be seen in the near future - and included coverage for those types of attacks as well.
3rd: Peter Kalnai and Michal Poslusny (ESET): Browserhooks
https://www.virusbulletin.com/conference/vb2017/abstracts/browser-attack-points-still-abused-banking-trojans
https://www.virusbulletin.com/uploads/pdf/conference_slides/2017/Kalnai-VB2017-browser-attack-points-trojans.pdf
4th (tie): Michael Brown: SQLite Artifacts
Michael Brown wrote a seriously cool set of Volatility plugins to interrogate SQL artifacts in RAM. Influenced by Dave Lassalle's previous work for the 2014 Volatility Plugin Contest, Michael wrote a more generalized version of the SQL tools that can search for any table schema. In his own words, "You can enter your own schema, but Sqlitefind can also automatically find table definitions in the sqlite_master table, so the user doesn't need to know the schema beforehand! You can even discover tables that you didn't know were in memory." Given the number of applications that rely on sqlite3 under the hood, this opens doors to an unexplored world of application artifacts.
https://github.com/mbrown1413/SqliteFind
4th (tie): Adam Bridge: Linux (X) Windows & Atoms
Adam's contribution to this year's contest is the first of its kind: a set of plugins to analyze forensic artifacts of the X Window System environment on Linux. The data structures recovered by the plugins belong to the X server itself, so they work independently of the Linux distribution or window manager. Captured information includes details about each window, such as X and Y coordinates, width and height, parent window objects, window IDs, color schemes, and atom associations. Out of the box, the plugins can be used to determine the titles of browser windows (URLs visited) and the titles of LibreOffice windows (opened documents), and in the future potentially even a screenshot plugin for Linux!
https://twitter.com/bridgeythegeek
https://github.com/bridgeythegeek
5th: Frank Block: Linux Glibc Heap Analysis
https://opus4.kobv.de/opus4-fau/frontdoor/index/index/docId/8340
https://insinuator.net/author/fblock/
The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!
Mark McKinnon: Volatility Autopsy Modules
https://github.com/markmckinnon
https://www.linkedin.com/in/mark-mckinnon-9b08715
https://medium.com/@markmckinnon_80619
https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Volatility
https://medium.com/@markmckinnon_80619/volatility-autopsy-plugin-module-8beecea6396
Javier Vicente Vallejo: Symbolizemod
As a malware analyst, Javier starts most of his work with Windbg or Volatility and then pivots to IDA Pro to gain a detailed understanding of the malicious code. In this line of work, having symbols for the malware being disassembled or debugged is practically a requirement if you want to be efficient. The symbolizemod plugin extracts variables and symbols from a particular memory region and exports them as a DBG file, a common format understood by IDA Pro and Windbg. The end goal is similar to Volatility's existing impscan plugin, except impscan only exports in text and IDC formats. In fact, symbolizemod also includes a command line switch to leverage impscan's engine for enumerating symbols. By default, however, symbolizemod uses its own engine (called "raw mode"), which in some cases can produce different results.
https://vallejo.cc/
https://github.com/vallejocc
https://twitter.com/vallejocc
Alessandro De Vito: Chrome Ragamuffin
Chrome Ragamuffin is part of a larger research project started by Alessandro over a year ago. Although the research is ongoing, Alessandro's Volatility plugin is already full of features and is one of the most compelling examples of recovering application-level artifacts that we've seen. Overcoming challenges such as incognito mode and the fact that Chrome updates automatically nearly every time you launch it, Alessandro managed to dissect critical in-memory data structures related to the browser's DOM and the user's navigation. Alessandro has presented his work at OSDFC and BSides Zurich, showing how to analyze memory to detect CSRF, clickjacking, phishing, and malicious redirects.
Here are a few additional resources regarding previous contests and community-driven plugins:
Volatility Foundation Contest Home Page: http://www.volatilityfoundation.org/contest
Volatility 2016 Plugin Contest Results: http://www.volatilityfoundation.org/2016
Volatility 2015 Plugin Contest Results: http://www.volatilityfoundation.org/2015
Volatility 2014 Plugin Contest Results: http://www.volatilityfoundation.org/2014-cjpn
Volatility 2013 Plugin Contest Results: http://www.volatilityfoundation.org/2013-c19yz
Volatility Community GitHub Repository: https://github.com/volatilityfoundation/community