How do you compare memory snapshots to detect malware persistence and stealth?

2 Memory comparison

Memory comparison is the process of finding differences and similarities between two or more memory snapshots. Memory comparison can help to detect malware persistence and stealth by revealing changes in memory regions, processes, threads, modules, handles, registry keys, network connections, or other indicators of compromise. Memory comparison can be performed by using tools such as VolDiff, Memtriage, or Malfind, which can automate the analysis and highlight the anomalies.

3 Memory persistence

Memory persistence is the ability of malware to remain active and functional in memory even after the initial infection vector is removed or the system is rebooted. Memory persistence can be achieved by using techniques such as injecting code into legitimate processes, creating hidden or protected processes, modifying boot or service entries, or exploiting vulnerabilities. Memory persistence can be detected by comparing memory snapshots taken before and after the infection, or before and after the reboot, and looking for suspicious processes, modules, or code.

4 Memory stealth

Memory stealth is the ability of malware to conceal its presence and activity in memory by using techniques such as hooking, process hollowing, encryption, or obfuscation. Memory stealth can make malware analysis more difficult by interfering with the normal execution and observation of processes, modules, or code. Memory stealth can be detected by comparing memory snapshots taken from different sources, such as kernel or user mode, or different tools, and looking for discrepancies, anomalies, or inconsistencies.

5 Memory forensics

Memory forensics is the discipline of analyzing memory snapshots to investigate security incidents, identify malware, or extract evidence. Memory forensics can provide valuable insights into the behavior, capabilities, and intentions of malware, as well as the impact and scope of the infection. Memory forensics can also help to verify or complement the results of other analysis methods, such as static or dynamic analysis, or network monitoring.

6 Memory comparison best practices

Memory comparison is a powerful technique to detect malware persistence and stealth, but it also requires some best practices to ensure its effectiveness and accuracy. To start, one should use reliable and updated tools that support the target system and memory format. It's also important to employ consistent and relevant parameters and filters when taking and comparing memory snapshots. Additionally, multiple tools and sources should be used to cross-check and validate the findings. A baseline or clean memory snapshot should be used as a reference to identify the normal and expected memory state, as well as a systematic and logical approach to interpret and correlate the results.

7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?