New course teaches techniques for detecting the most sophisticated malware in RAM only

One of the most sophisticated kinds of cyberattacks uses memory-resident malware. The software can't be detected using traditional forensic techniques. Security professionals need new skills and a whole new approach to find this most insidious malware, and there's a new course from SANS Institute that covers memory forensics in-depth.

Imagine you've been forced into playing a game of hide-and-seek with The Invisible Man. You can't find him in any of the normal hiding places because, of course, you can't see him. His amazing ability to remain invisible forces you to use different tactics. If you can't see him, maybe you can see the flattened blades of grass where he has walked, or you can feel a slight breeze as he runs past you to another hiding place. Just because he's invisible doesn't mean he isn't there, and he's leaving slight traces that will help you find him. You just need to follow those subtle clues until your opponent is no longer hidden.

Now let's take that analogy and apply it to finding a different kind of opponent: malware on your computer systems. The part of The Invisible Man is now being played by highly sophisticated malware that is memory-resident only. Because it only exists in RAM, the malware never gets written to disk, which is where you would normally look for most kinds of malware. It's a real challenge to find the malware in RAM until you follow the subtle clues that indicate something is there that shouldn't be there. With the right skills and the right tools, you can eventually make this invisible malware stick out like a sore thumb. Then you can capture it and win your game.


In a roundabout way, I've just described a new course offered by the SANS Institute called Windows Memory Forensics In-depth. As the name implies, the course teaches you how to use forensic techniques to analyze the memory of Windows-based systems that are actively running. The course is intended for IT security professionals working in industry or organizations that have a constant target on their back -- like financial services, critical infrastructure, military or government -- the kinds of high-value organizations that attackers go after persistently.

Memory-resident malware is at the top of the scale for sophisticated attacks, according to Jesse Kornblum, the developer and trainer of the new SANS Institute course. It's the kind of tool that rogue nations are known to use to infiltrate high-value targets. An attacker typically resorts to in-memory malware only after every other type of attack has failed. It is notoriously hard to detect, which makes it all the more dangerous.

Kornblum spent years researching memory-resident malware and this course is the culmination of what he has learned. He teaches techniques that help security professionals find what is otherwise well hidden.

"Traditional forensics looks at what is on the disk," says Kornblum. "When malware gets written to disk, it is stored on the server and run on the computer, and that's how it maintains its persistence. In the past several years though, malware authors have realized that if they write their code to the disk, it can be discovered easily. It's right out there for anyone to see. And so what they've started doing is making their malware memory-resident only. In essence, the malware is loaded into RAM and it never touches the disk. Therefore it won't be found using traditional forensic techniques."

This course is almost a course on operating system internals. Students learn what the operating system is doing, then use that knowledge of what should be in RAM to compare against what is really in RAM. "The ultimate goal is to have a sense of what is normal and what should be there, and what is not normal and what should not be there," says Kornblum. "We also want students to learn to use tools that will automatically highlight the things that are not supposed to be there."

Students learn how to acquire a memory image in order to analyze the contents of RAM. Once they've got a picture of what's running in memory, they learn to use various techniques to examine what should be running (i.e., the programs that the operating system knows about) and what is actually running. If there's a mismatch of "should be running" versus "is running," it's likely that the extra program is malware.

Kornblum calls this the "rootkit paradox" -- the more a malware author tries to hide his actions, the more obvious his actions become. "When a malware author is trying to hide a process, he makes it so that the operating system doesn't see it," according to Kornblum. "The program doesn't show up in task manager, it doesn't show up in a list of processes. But the process is still there. It still needs to run. It needs operating system resources, it needs to reserve space in memory, it needs CPU cycles, it needs to talk to the network -- it still needs to be there." Because the malware is consuming these resources, its presence can be detected, and the program can be pinpointed and removed.
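The "should be running" versus "is running" comparison from the two paragraphs above is usually called cross-view detection. The following is an added illustration written for this article, not code from SANS or from Kornblum's course, and it works on a deliberately toy image format: each process record carries a 4-byte tag, a PID, the offset of the next record and a name, which is not the real Windows EPROCESS layout. The image contents, process names and PIDs are all constructed. A rootkit that unlinks a process from the operating system's list (so Task Manager never sees it) leaves the record itself in memory; walking the list gives the OS's view, scanning for the tag gives what is really there, and the difference is the hidden process.

```python
import struct

# Toy memory-image layout, constructed for this example. It is NOT the real
# Windows EPROCESS structure; it only mirrors the two properties the text
# relies on: every process record carries a recognisable tag, and visible
# records are linked into a list that the OS walks to enumerate processes.
TAG = b"Proc"
RECORD_FMT = "<4sII16s"           # tag, pid, offset of next record, name
RECORD_SIZE = struct.calcsize(RECORD_FMT)
PAD = b"\xff" * 13                # constructed filler between records


def build_image(procs, hidden_pids):
    """Build a fake image. procs: ordered list of (pid, name).
    Records whose pid is in hidden_pids stay in memory but are unlinked
    from the list, which is how a rootkit hides a process from Task Manager."""
    offsets = {}
    pos = len(PAD)
    for pid, _ in procs:
        offsets[pid] = pos
        pos += RECORD_SIZE + len(PAD)
    image = bytearray(PAD)
    for i, (pid, name) in enumerate(procs):
        # every record points at the next *visible* record, so the visible
        # ones form the chain and hidden ones are simply skipped over
        later_visible = [p for p, _ in procs[i + 1:] if p not in hidden_pids]
        nxt = offsets[later_visible[0]] if later_visible else 0
        image += struct.pack(RECORD_FMT, TAG, pid, nxt, name.encode().ljust(16, b"\0"))
        image += PAD
    visible = [p for p, _ in procs if p not in hidden_pids]
    head = offsets[visible[0]] if visible else 0
    return bytes(image), head


def parse_record(image, off):
    tag, pid, nxt, raw = struct.unpack_from(RECORD_FMT, image, off)
    return pid, nxt, raw.rstrip(b"\0").decode("ascii", "replace")


def walk_list(image, head):
    """What the OS 'knows about': follow the linked list from its head."""
    seen, out, off = set(), [], head
    while off and off not in seen:          # guard against a looped list
        seen.add(off)
        pid, nxt, name = parse_record(image, off)
        out.append((pid, name))
        off = nxt
    return out


def scan_records(image):
    """What is really there: find every tagged record regardless of linkage."""
    out, off = [], image.find(TAG)
    while off != -1:
        if off + RECORD_SIZE <= len(image):
            pid, nxt, name = parse_record(image, off)
            if pid and nxt < len(image):    # cheap sanity check against random hits
                out.append((pid, name))
        off = image.find(TAG, off + 1)
    return out


def find_hidden(image, head):
    """Cross-view: present in the scan but absent from the list = hidden."""
    listed = {pid for pid, _ in walk_list(image, head)}
    return sorted((pid, name) for pid, name in scan_records(image) if pid not in listed)


def demo():
    # constructed process table; 3016 is unlinked to simulate a hidden process
    procs = [(4, "System"), (372, "smss.exe"), (1208, "svchost.exe"),
             (2460, "lsass.exe"), (3016, "implant.exe")]
    image, head = build_image(procs, hidden_pids={3016})
    return walk_list(image, head), scan_records(image), find_hidden(image, head)


if __name__ == "__main__":
    listed, scanned, hidden = demo()
    print("listed :", listed)
    print("scanned:", scanned)
    print("hidden :", hidden)
```

Running the demo lists four processes from the linked list, five from the tag scan, and reports the unlinked one as hidden. Real memory-forensics tools apply the same idea to actual kernel structures, and the sanity check in the scanner matters there: a raw scan picks up stale records from exited processes and random byte patterns, so each hit is validated before it is trusted.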

So it is possible to find the malware version of The Invisible Man. Memory-resident malware is a high-level threat for many organizations, and special knowledge and skills are needed to detect the presence of this malware. If this kind of attack is a concern for your organization, check out the new Windows Memory Forensics In-depth course available from SANS Institute.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
