Channel: BOT24

Volatility VS Citadel 1.3.4.5


As a forensic and malware analyst, I have always been a big fan of Volatility, the Python-based memory analysis tool that keeps growing day by day. So, ever since I read Michael Ligh's article on his blog about extracting ZeuS' encryption keys, I have wanted to try the same thing with another malware family.
In this case I chose Citadel, which has been one of the most widely used ZeuS variants since the ZeuS source code leaked. Specifically version 1.3.4.5, which, while not the latest, is the basis for subsequent versions (although it is rumored that 1.3.5.1 could be the last we see) and for other families.
Using Volatility and Yara together increases the power available for automated malware processing. "zeusscan2", one of the plugins resulting from the article mentioned above, is built on both. It runs Yara rules against an infected machine's memory to detect and access the memory regions that likely contain the information we want to extract from the binary. This requires a thorough analysis of the family before anything can be automated; in this case, Citadel being a variant of the well-known and well-documented ZeuS family, the work is limited to detecting the differences between the two.
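The scan-then-extract approach described above, as an added standalone illustration (this is not the zeusscan2 plugin's code, not Volatility's API, and not a real Citadel or ZeuS signature): a minimal YARA-style hex pattern with "??" wildcards is matched over constructed memory regions, a fixed-offset field after each hit is read out as the candidate key, and a simple plausibility check drops decoy hits whose extracted blob is degenerate. The signature, the key offset, the region base addresses and the buffer contents are all constructed for this example.

```python
import re

# Added example, not part of the original post or of Volatility/zeusscan2.
# SIGNATURE, KEY_OFFSET, KEY_LEN and the sample regions are constructed values.
SIGNATURE = "DE AD ?? BE EF"   # hypothetical 5-byte marker with one wildcard byte
KEY_OFFSET = 5                 # assumption: key starts right after the marker
KEY_LEN = 16


def compile_hex_pattern(pattern: str):
    """Turn a YARA-style hex string ("8B 45 ?? 50") into a compiled bytes regex.
    "??" stands for a single wildcard byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_region(region: bytes, pattern: str) -> list:
    """Return every offset in the region where the pattern matches."""
    rx = compile_hex_pattern(pattern)
    return [m.start() for m in rx.finditer(region)]


def extract_field(region: bytes, match_off: int, field_off: int, length: int) -> bytes:
    """Read `length` bytes located `field_off` bytes after a match; refuse reads
    that would run past the end of the region."""
    start = match_off + field_off
    if start < 0 or start + length > len(region):
        raise ValueError("field lies outside the scanned region")
    return region[start:start + length]


def plausible_key(blob: bytes, min_distinct: int = 8) -> bool:
    """Cheap sanity check: a real key is not all zeros or a single repeated byte."""
    return len(set(blob)) >= min_distinct


def scan_process(regions: dict, pattern: str, field_off: int, length: int) -> list:
    """Scan a {base_address: bytes} map (a stand-in for a process's mapped memory)
    and return (virtual_address, key_bytes) for every plausible hit."""
    hits = []
    for base, data in sorted(regions.items()):
        for off in scan_region(data, pattern):
            try:
                blob = extract_field(data, off, field_off, length)
            except ValueError:
                continue          # marker too close to the end of the region
            if plausible_key(blob):
                hits.append((base + off, blob))
    return hits


def build_sample_regions() -> dict:
    """Constructed memory regions: one genuine hit, one decoy with the marker but
    an all-zero 'key', and one region with no marker at all."""
    key = bytes(range(0x10, 0x20))
    hit_region = b"\x00" * 0x40 + b"\xde\xad\x42\xbe\xef" + key + b"\x90" * 0x20
    decoy = b"\x00" * 0x20 + b"\xde\xad\x00\xbe\xef" + b"\x00" * KEY_LEN
    return {0x00400000: hit_region, 0x00500000: decoy, 0x00600000: b"\x41" * 64}


if __name__ == "__main__":
    for vaddr, key in scan_process(build_sample_regions(), SIGNATURE, KEY_OFFSET, KEY_LEN):
        print(f"marker at {vaddr:#010x}, candidate key = {key.hex()}")
```

The plausibility check is the part worth keeping when porting this idea to a real plugin: a short wildcarded signature will match in places other than the malware's config block, and a quick rejection of degenerate blobs removes most of that noise before any decryption attempt.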

Read more: http://blog.buguroo.com/?p=10291&lang=en
