<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-694927654418634223</id><updated>2012-02-16T18:56:43.282-06:00</updated><category term='virus'/><category term='malware'/><category term='welcome'/><category term='forensics'/><title type='text'>Digital Forensics Blog</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>23</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-7137820835199326307</id><published>2011-08-13T00:15:00.012-05:00</published><updated>2011-08-16T13:05:36.353-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><title type='text'>Interesting Malware Trick</title><content type='html'>&lt;div style="color: black;"&gt;Sometimes it's hard to keep 
from admiring the tricks the various malware purveyors come up with. A couple of days ago, my friend Luby (&lt;span style="color: red;"&gt;Luby Warning Luby Warning Luby Warning&lt;/span&gt;) sent me a malware sample he'd received as an email attachment. The filename was "Changelog_08_08_201atdoc" and its icon gave it the appearance of being a Microsoft Word document:&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; color: black; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-G8Mx2WF1BmI/TkX575OwciI/AAAAAAAAAE0/ON6dZk9PYno/s1600/iconpic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-G8Mx2WF1BmI/TkX575OwciI/AAAAAAAAAE0/ON6dZk9PYno/s1600/iconpic.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;It would be easy to see that icon and not notice that the "doc" part of the filename had no dot between it and the rest of the name to make a proper filename extension. Fortunately, Luby knows better than to open such an attachment and he started looking into it further, hashing it with FTK Imager. 
He noticed that, when viewing the spreadsheet produced by FTK Imager, the filename appeared as "Changelog_08_08_201at[U+202E]cod.exe", while when copying and pasting the file using Windows Explorer, the filename looked like "Changelog_08_08_201atexe.doc".&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;He did some research and found that the characters within the brackets represent a Unicode Right to Left Override, where anything after the inserted Unicode control character is reversed in the way it is displayed. Thus, the "cod.exe" is displayed as "exe.doc" but the system still knows what it is and executes it when you double-click it. You can read about similar uses of Unicode in this &lt;a href="https://blogs.technet.com/b/mmpc/archive/2011/08/10/can-we-believe-our-eyes.aspx"&gt;Microsoft Malware Protection Center&lt;/a&gt; blog post that came out the same day I received the file from Luby.&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;I'm sure this is nothing new to many people, but I must admit I'd never heard of such a thing. Like I said above, it's almost hard to keep from admiring cool tricks, but then I remember the reason for the trick and it's not so cool.&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;I found the executable file was packed with the UPX packer. 
I uploaded it to VirusTotal and found 32 of the virus checkers there recognized the file as malicious:&lt;/div&gt;&lt;div class="separator" style="clear: both; color: black; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-MtI1LL1n-kc/TkYCB8L-O9I/AAAAAAAAAFA/bdcYJ7iqfk8/s1600/submission2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="341" src="http://4.bp.blogspot.com/-MtI1LL1n-kc/TkYCB8L-O9I/AAAAAAAAAFA/bdcYJ7iqfk8/s400/submission2.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;Notice that almost everything listed under the File name (Submission date, Current Status, etc.) is backwards. The Unicode in the file name even affected the VirusTotal display.&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;Not satisfied with what I'd found so far, I executed the malware file in a Windows XP virtual machine and obtained an image of RAM using the new free tool from &lt;a href="http://www.moonsols.com/"&gt;Moonsols&lt;/a&gt; called &lt;a href="http://www.moonsols.com/ressources"&gt;DumpIt&lt;/a&gt;. I'd been wanting a good opportunity to try out DumpIt and this seemed as good as any.&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;I saved the RAM image and moved to my analysis machine where I proceeded to examine it with the awesome &lt;a href="https://www.volatilesystems.com/default/volatility"&gt;Volatility Framework&lt;/a&gt;. 
I decided to obtain a copy of the unpacked executable from RAM and Volatility is perfect for that, using the&lt;span style="font-family: inherit; font-size: small;"&gt; &lt;span style="font-size: small;"&gt;procexedump plugin. After obtaining the unpacked executable, I uploaded it to VirusTotal and found this:&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;span style="font-family: inherit; font-size: small;"&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; color: black; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-cNbQqboc-0Q/TkYFgtTEj2I/AAAAAAAAAFE/bLYAO3UH-9w/s1600/submission1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="342" src="http://4.bp.blogspot.com/-cNbQqboc-0Q/TkYFgtTEj2I/AAAAAAAAAFE/bLYAO3UH-9w/s400/submission1.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;span style="font-family: inherit; font-size: small;"&gt;&lt;span style="font-size: small;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;span style="font-family: inherit; font-size: small;"&gt;&lt;span style="font-size: small;"&gt;Only 10 out of 43 antivirus products on VirusTotal recognized the unpacked malware. I thought that was kind of interesting. 
My AV of choice was one of those that didn't recognize it in either the packed or unpacked versions, so I submitted both samples to them so signatures could be created (signatures for both now exist for Vipre Antivirus).&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;span style="font-family: inherit; font-size: small;"&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;span style="font-family: inherit; font-size: small;"&gt;&lt;span style="font-size: small;"&gt;I searched online for some of the names given for this malware by the various AV vendors and only found a little information. I submitted the packed version of the malware to ThreatExpert.com and got a good report. Instead of me retyping it, you can have a look here: &lt;a href="http://www.threatexpert.com/report.aspx?md5=fe84e712f52af7b0f0f3fc58296fee00"&gt;ThreatExpert Report&lt;/a&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;span style="font-family: inherit; font-size: small;"&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="color: black;"&gt;&lt;span style="font-family: inherit; font-size: small;"&gt;&lt;span style="font-size: small;"&gt;By the way, I checked the headers from the original email sent to Luby and found it came from Austria. I'm planning to spend a little more time looking at this file soon, but have a couple other projects to take care of first. 
If I find anything new and interesting, I'll be sure to post about it.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;span style="font-family: inherit; font-size: small;"&gt;&lt;span style="font-size: small;"&gt;Addendum: I wanted to give the MD5 of the packed exe for those who create their own signatures: FE84E712F52AF7B0F0F3FC58296FEE00.&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-7137820835199326307?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/7137820835199326307/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/08/interesting-malware-trick.html#comment-form' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/7137820835199326307'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/7137820835199326307'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/08/interesting-malware-trick.html' title='Interesting Malware Trick'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-G8Mx2WF1BmI/TkX575OwciI/AAAAAAAAAE0/ON6dZk9PYno/s72-c/iconpic.png' height='72' 
width='72'/><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-1512360404870986064</id><published>2011-07-29T00:37:00.002-05:00</published><updated>2011-07-29T00:56:11.039-05:00</updated><title type='text'>Cheat Sheets</title><content type='html'>&lt;a href="https://markmorgan47.wordpress.com/"&gt;Mark Morgan&lt;/a&gt; has a couple of intrusion discovery cheat sheets over on his &lt;a href="https://markmorgan47.wordpress.com/"&gt;blog&lt;/a&gt;. He has one for &lt;a href="https://markmorgan47.wordpress.com/2011/07/28/intrusion-discovery-cheat-sheet-2-0-windows-xp-pro2003-servervista/"&gt;Windows XP Pro, Server 2003 and Vista&lt;/a&gt;, along with a separate one for investigating &lt;a href="https://markmorgan47.wordpress.com/2011/07/28/intrusion-discovery-cheat-sheet-linux/"&gt;Linux&lt;/a&gt; machines. I really appreciate him taking the time to do these and make them available. I always enjoy seeing how people approach their investigations and adapting their methods to my work when possible. &lt;a href="http://zeltser.com/"&gt;Lenny Zeltser&lt;/a&gt; also has some great &lt;a href="http://zeltser.com/cheat-sheets/"&gt;Information Security cheat sheets&lt;/a&gt; over on his site.&lt;br /&gt;&lt;br /&gt;My good buddy Joe Garcia has a review of Windows Registry Forensics over on the &lt;a href="http://www.cybercrime101.com/book-review-windows-registry-forensics-by-harlan-carvey/"&gt;CyberCrime 101 blog.&lt;/a&gt; Nice job Joe!&lt;br /&gt;&lt;br /&gt;I've been beta testing a new tool called Registry Decoder for Windows Registry parsing and searching. Registry Decoder is being developed by Andrew Case and Vico Marziale over at &lt;a href="http://www.digitalforensicssolutions.com/"&gt;Digital Forensics Solutions&lt;/a&gt;. It's plugin based and has a nice search function as well. 
It's still in early beta stage and not ready for prime time, but I can definitely see it will be a fine addition to my forensic toolbox.&lt;br /&gt;&lt;br /&gt;I've been spending a lot of my off time studying for the Network+ exam and hope to take it in the near future. I've also taken the time lately to set up a couple of Untangle firewall/router machines, one at home and another for my employer. I'll be talking more about all of that later.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;That's it for now. Everyone stay safe!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-1512360404870986064?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/1512360404870986064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/07/cheat-sheets.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/1512360404870986064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/1512360404870986064'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/07/cheat-sheets.html' title='Cheat Sheets'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-6312020232518077065</id><published>2011-07-25T14:35:00.001-05:00</published><updated>2011-07-25T14:36:40.292-05:00</updated><title type='text'>Upcoming Class</title><content type='html'>I've seen posts by several 
people as of late talking about digital forensic classes they'll be teaching in which they plan to use &lt;a href="http://www.blogger.com/"&gt;Digital Forensics with Open Source Tools&lt;/a&gt; for the text book.&amp;nbsp; I mentioned in my &lt;a href="http://computer-forensics.sans.org/blog/2011/06/22/book-review-digital-forensics-with-open-source-tool"&gt;review&lt;/a&gt; that I thought it would be a good book for introductory digital forensics courses and it seems others felt the same way. I'm happy to say that I'll be teaching a brand new DF course starting in the Spring, 2012 semester at &lt;a href="http://iecc.edu/ltc"&gt;Lincoln Trail College&lt;/a&gt; and I'm planning to use DFwOST as my text book as well. When I was first asked to teach this course, I started trying to decide on a good book that beginners and those with some experience would benefit from that I felt would cover all the topics I wanted covered. DFwOST is definitely that book.&lt;br /&gt;&lt;br /&gt;On a related note, I'll be teaching Computer Ethics at LTC beginning in the Fall, 2011 semester. This course is required if the student is pursuing the Computer Forensics certificate. I'll be using &lt;a href="http://www.amazon.com/Ethics-Information-Age-Michael-Quinn/dp/0132133873/ref=sr_1_1?s=books&amp;amp;ie=UTF8&amp;amp;qid=1311622222&amp;amp;sr=1-1"&gt;Ethics for the Information Age&lt;/a&gt; by Michael J. Quinn as the text book. I've only had a short time to look at the book, but it looks like it's going to cover the topic very well.&lt;br /&gt;&lt;br /&gt;I'm very excited to be teaching for the very first time and hope I will do a good job at it. 
I've never taught before and was pretty surprised when I was contacted by the college.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-6312020232518077065?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/6312020232518077065/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/07/upcoming-class.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/6312020232518077065'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/6312020232518077065'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/07/upcoming-class.html' title='Upcoming Class'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-5706501933065334789</id><published>2011-06-29T00:40:00.000-05:00</published><updated>2011-06-29T00:40:27.230-05:00</updated><title type='text'>A few links</title><content type='html'>Corey Harrell has a review of &lt;a href="http://syngress.com/digital-forensics/Digital-Forensics-with-Open-Source-Tools/"&gt;Digital Forensics with Open Source Tools&lt;/a&gt; up on his &lt;a href="http://journeyintoir.blogspot.com/2011/06/review-of-digital-forensics-with-open.html"&gt;Journey Into Incident Response&lt;/a&gt; blog. He recommends the book, just as I and quite a few others have done as well. 
If you don't normally read Corey's blog, you should start doing so. He's always got great content there.&lt;br /&gt;&lt;br /&gt;Claus has a very interesting and helpful post up on the &lt;a href="http://grandstreamdreams.blogspot.com/2011/06/anti-malware-tools-of-note.html"&gt;Grand Stream Dreams&lt;/a&gt; blog titled Anti-Malware Tools of Note. This is an excellent write-up about the tools and some of the methods he uses in combating malware infections. This is another excellent blog that is well worth taking the time to read regularly.&lt;br /&gt;&lt;br /&gt;Over on the &lt;a href="http://windowsir.blogspot.com/"&gt;Windows Incident Response&lt;/a&gt; blog, Harlan Carvey has a new post titled &lt;a href="http://windowsir.blogspot.com/2011/06/meetup-tools-and-other-stuff.html"&gt;Meetup, Tools and Other Stuff&lt;/a&gt;. In addition to several other topics, he talks about his research into Windows 7 Jump Lists, as well as information on the Master Boot Record. Jump Lists have become a topic of interest lately and deservedly so. Harlan has done a great job researching them and provides a nice write-up of what he's discovered thus far. Kudos to him for sharing this information and to everyone who does research and shares what they find.&lt;br /&gt;&lt;br /&gt;Also, the talk about the MBR is quite interesting. Harlan mentions some tools and other resources for further study. I plan to try out the tools he links to and see for myself if they'll do the job I need done.&lt;br /&gt;&lt;br /&gt;This topic is quite timely, given this post at the &lt;a href="http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx"&gt;Microsoft Malware Protection Center blog&lt;/a&gt; on Technet about the 'bootkit' they call Trojan:Win32/Popureb.E. 
According to MS, the solution when your system is infected by this particular malware is to "simply" do an MBR repair followed by an operating system reinstall. I plan to do considerably more reading about this in the very near future, as the number of PCs being brought to me for malware cleanup has been increasing greatly as of late. If I learn anything useful, I'll post it here.&lt;br /&gt;&lt;br /&gt;I still hope to learn how to reverse engineer malware and bought "&lt;a href="http://www.amazon.com/gp/product/0763772232"&gt;Introduction to 80x86 Assembly Language and Computer Architecture&lt;/a&gt;" to help me learn that part of the reverse engineering process. I just started reading it, so I'm far from knowing much about the subject now, but hope to be able to put what I learn from it to good use soon.&lt;br /&gt;&lt;br /&gt;I'm still catching up on all my favorite blogs, so I'm sure I've left out more than a few posts by others. 
I'm hoping to get caught up on all my reading in the next day or two and I'll post if I see something of interest.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-5706501933065334789?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/5706501933065334789/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/06/few-links.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/5706501933065334789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/5706501933065334789'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/06/few-links.html' title='A few links'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-6280152082493900592</id><published>2011-06-22T11:18:00.000-05:00</published><updated>2011-06-22T11:18:26.762-05:00</updated><title type='text'>Quick Post</title><content type='html'>Wanted to do a quick post here to say my &lt;a href="http://computer-forensics.sans.org/blog/2011/06/22/book-review-digital-forensics-with-open-source-tool"&gt;review&lt;/a&gt; of &lt;a href="http://syngress.com/digital-forensics/Digital-Forensics-with-Open-Source-Tools/"&gt;Digital Forensics with Open Source Tools&lt;/a&gt; is now up on the &lt;a 
href="http://computer-forensics.sans.org/blog/2011/06/22/book-review-digital-forensics-with-open-source-tool"&gt;SANS Computer Forensics Blog&lt;/a&gt;. As a frequent user of open source forensic tools, I found this book an excellent addition to my library. I think most forensic examiners will benefit from it in some way, while I think it could be essential reading for newcomers to the field.&lt;br /&gt;&lt;br /&gt;On another subject, it's not often I give props to Microsoft, but today will be one of those rare moments. I think it's great that they've released their Microsoft Safety Scanner for both 32-bit and 64-bit versions of Windows. This tool will create either a bootable CD, USB flash drive or an .iso image for later burning. Just this morning I used it on an infected system brought to me and was impressed with the ease of use. Basically, it's a stand-alone version of their Microsoft Security Essentials antivirus and it seems to work very well. It's nice to get new tools from vendors to help clean up the messes created by the various malware people find accidentally every day. You can download the tool from the &lt;a href="http://www.microsoft.com/security/scanner/en-us/default.aspx"&gt;Microsoft Safety Scanner webpage&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Speaking of malware, I've been seeing a lot of infections by yet another fake security application. Most recently I've been receiving quite a few machines for cleanup that are infected with variants called XP Recovery, Windows Vista Repair and so on. This one sets the hidden attribute on almost every file and folder on the system and then does a fake scan claiming all sorts of terrible problems exist on your system and encourages you to &lt;strike&gt;pay the ransom&lt;/strike&gt; register the program so it can fix your problems and get your files back. 
It doesn't seem to do any serious damage at first, but the one I'm repairing now did get the extra gift of a rootkit patch to the C:\Windows\System32\drivers\volsnap.sys file. It would be really nice if those responsible for creating these fake security programs would find new jobs as speed bumps for trains.&lt;br /&gt;&lt;br /&gt;An excellent resource for information on fake security apps and other malware is the &lt;a href="http://siri-urz.blogspot.com/"&gt;S!RI.URZ&lt;/a&gt; blog. The information there has been helpful to me on quite a few occasions.&lt;br /&gt;&lt;br /&gt;That's all for now.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-6280152082493900592?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/6280152082493900592/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/06/quick-post.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/6280152082493900592'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/6280152082493900592'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/06/quick-post.html' title='Quick Post'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-5881184083328512108</id><published>2011-06-16T16:03:00.005-05:00</published><updated>2011-06-17T00:57:51.985-05:00</updated><title 
type='text'>And..... it's over</title><content type='html'>Over, as in my two weeks of conferences are now complete. Last time, I talked about my plans to attend both the &lt;a href="http://www.sans.org/forensics-incident-response-summit-2011/agenda.php"&gt;SANS 2011 Digital Forensics and Incident Response Summit&lt;/a&gt; in Austin, TX, followed the next week by the &lt;a href="http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/"&gt;2nd Annual Sleuth Kit and Open Source Digital Forensics Conference&lt;/a&gt; in McLean, VA. Those two events are now history and I'm happy to say I enjoyed both very much. As seems to always happen, I looked so forward to them and then once it was time for them they just flew by. Ah well, perhaps I'll have the good fortune to attend one or both of them again next year.&lt;br /&gt;&lt;br /&gt;One of the truly great things these conferences were good for, aside from the excellent presentations, was the tremendous opportunity to network with others in the field. I have been so happy to find that the "superstars" of this field are just like the rest of us, except way smarter ;-) Seriously, they're really good people and I was glad to meet and greet with them. Both conferences provided multiple opportunities to interact with the other attendees and speakers. Both were very well run and well attended as well, which is understandable given the quality of the speakers and the topics they were presenting.&lt;br /&gt;&lt;br /&gt;Without a doubt, the best part of the two conferences for me was finally getting the chance to meet some of the people I've "known" online for several years but never met in person. Finally putting a face with the name for people I'd never even seen before was really cool. I talked with several of them over the two conferences about how we all have considered each other as friends, despite never actually meeting in person. 
In most cases, we've managed to connect via Twitter and some of us have forged very close friendships with other "tweeps" who share our job interests and duties. There are many social media websites and services, but I would find it hard to believe any have a greater ability to unite people in the digital forensics and security fields than Twitter.&lt;br /&gt;&lt;br /&gt;Each conference was great overall, with each only having one presentation I was a little disappointed in, though for different reasons. In fact, I wouldn't even say I was disappointed in the second one I'll talk about, but it was the one I got the least out of for reasons I'll explain.&lt;br /&gt;&lt;br /&gt;I really enjoyed every speaker at SANS but one, even though some talked about subjects pretty far over my head. Unfortunately, one speaker seemed far more interested in promoting his product and showing his arrogance than conveying information. That seemed to be the general consensus of almost everyone in the room from what I was able to tell and that's a shame, as the talk could have been very good. As he went on, it got better and more informative, but by that time he'd already lost most of the crowd. I read more than a few tweets by other attendees and heard many whispered comments complaining about this speaker while he was still talking.&lt;br /&gt;&lt;br /&gt;At the open source conference, all speakers were likable and informative. Unfortunately, one spoke only very broken English, making it hard to really follow what he was talking about. He was aware of that and started off his talk by apologizing for his poor English. Just the same, he did his best and completed his talk. The information he provided was interesting and the slides he used were helpful, so I really hesitate to say I was "disappointed" exactly. 
The subject of his talk was something I was really interested in, but it was hard to come away with anything useful.&lt;br /&gt;&lt;br /&gt;Overall, these two conferences were chock full of great information, both in the talks and in the informal meet-ups. I truly hope I can attend one or both next year, as they were both great learning experiences. Thanks to Rob Lee and Brian Carrier for all their hard work in getting these conferences up and running each year.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-5881184083328512108?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/5881184083328512108/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/06/and-its-over.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/5881184083328512108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/5881184083328512108'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/06/and-its-over.html' title='And..... 
it&apos;s over'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-6681621900243790922</id><published>2011-05-17T20:21:00.001-05:00</published><updated>2011-05-17T20:26:32.782-05:00</updated><title type='text'>Huge Month of June is Almost Here!</title><content type='html'>This may be the most I've ever looked forward to the month of June. The first couple weeks of the month are going to be absolutely filled with forensic geeky goodness.&lt;br /&gt;&lt;br /&gt;First comes the &lt;a href="http://www.sans.org/forensics-incident-response-summit-2011/agenda.php"&gt;2011 Digital Forensics and Incident Response Summit&lt;/a&gt; in Austin, TX, which I'll be attending this year. I was presented with "an offer I couldn't refuse" and am very excited to say I'll be there. A look at the agenda shows what is bound to be a fantastic learning experience. The lineup of speakers and topics is top notch and I can't wait to get there. Besides, I'm gonna get to hang out with my good buddy Joe Garcia, host of the &lt;a href="http://www.cybercrime101.com/"&gt;Cybercrime 101&lt;/a&gt; podcast. Joe and I talk several times a week and I know he's as excited as I am to head to Austin.&lt;br /&gt;&lt;br /&gt;I'm also excited because one of my posts on the SANS Computer Forensics Blog, entitled "&lt;a href="http://computer-forensics.sans.org/blog/2010/07/27/im-here-now-what"&gt;I'm Here, Now What?&lt;/a&gt;" has been nominated for a Forensic 4Cast Award. The awards will be presented at the Summit. 
I have to admit, my post wasn't as good as the posts by Rob Lee, entitled "&lt;a href="http://computer-forensics.sans.org/blog/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation"&gt;Digital Forensic SIFTing: SUPER Timeline Analysis and Creation&lt;/a&gt;" and Matt Churchill, entitled "&lt;a href="http://continuumww.com/digifonics/10-09-16/Free_Digital_Forensics_Triage_Tool.aspx"&gt;Free Digital Forensics Triage Tool&lt;/a&gt;" and I think either one of them could easily be the right one to vote for. Still, I'm more than a little honored to be nominated and will enjoy myself, regardless of the outcome.&lt;br /&gt;&lt;br /&gt;The following week, I'll be driving eastward to McLean, VA with good friend &lt;a href="http://www.digitalforensicsource.com/"&gt;Brad Garnett&lt;/a&gt; for the &lt;a href="http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/"&gt;2nd Annual Sleuth Kit and Open Source Digital Forensics Conference.&lt;/a&gt; This is going to be an excellent conference with presentations by some of my forensics heroes, such as Cory Altheide, Harlan Carvey, Simson Garfinkle and Brian Carrier.&amp;nbsp; We'll be attending one of the pre-conference workshops as well.&lt;br /&gt;&lt;br /&gt;There are several people I "know" online that I hope to meet at both conferences. Some of them I already have established friendships with in the online world and there's no doubt I'll enjoy meeting them in person. I'll be writing recaps of my travels here once they're over with. 
I may post some from the conferences if time and circumstances allow.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-6681621900243790922?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/6681621900243790922/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/05/huge-month-of-june-is-almost-here.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/6681621900243790922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/6681621900243790922'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/05/huge-month-of-june-is-almost-here.html' title='Huge Month of June is Almost Here!'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-1722066006894272311</id><published>2011-05-09T19:24:00.000-05:00</published><updated>2011-05-09T19:24:24.523-05:00</updated><title type='text'>It has ARRIVED!</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-xXlvazHhyOs/TciCHnTVhMI/AAAAAAAAABM/moVonqOMxMk/s1600/IMG_20110509_190421.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" 
src="http://1.bp.blogspot.com/-xXlvazHhyOs/TciCHnTVhMI/AAAAAAAAABM/moVonqOMxMk/s200/IMG_20110509_190421.jpg" width="172" /&gt;&lt;/a&gt;&lt;/div&gt;A book I have been greatly anticipating arrived at my doorstep today, courtesy of the UPS man. &lt;a href="http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867/ref=sr_1_1?s=books&amp;amp;ie=UTF8&amp;amp;qid=1304986279&amp;amp;sr=1-1"&gt;Digital Forensics with Open Source Tools&lt;/a&gt; is one of those books I've been excited about ever since I heard it was being written. Authored by two very well known guys in the forensics and incident response field, I knew it would be a good one.&lt;br /&gt;&lt;br /&gt;Open source tools hold a special place in my heart. Like so many of us, I got my first real start in forensics using the Sleuth Kit, Autopsy, RegRipper and so on. Without these free, open source tools I would probably not be doing forensics today. Fortunately, they were there for me and, honestly, I enjoy using them. Even though I now have a few closed source, "payware" tools, I still use open source tools like those I mentioned, all the time.&lt;br /&gt;&lt;br /&gt;I look forward to starting the book tonight when I get home from work. I'll be writing a review of it soon after I finish it and post it here.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;&lt;span style="font-size: small;"&gt;Sleuth Kit and Open Source Digital Forensics Conference&lt;/span&gt;&lt;/h2&gt;&lt;br /&gt;Speaking of open source tools, I am happy to report I will be attending this year's &lt;a href="http://www.basistech.com/about-us/events/open-source-forensics-conference/2011/"&gt;Sleuth Kit and Open Source Digital Forensics Conference&lt;/a&gt; in McLean, VA. I will be submitting my registration tonight. Barring some catastrophe keeping me from getting there, I hope to attend and meet old friends and those I only know through their work. 
It's sure to be a great learning experience, as well as a great chance to network and do a lot of geek speak.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-1722066006894272311?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/1722066006894272311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/05/it-has-arrived.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/1722066006894272311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/1722066006894272311'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/05/it-has-arrived.html' title='It has ARRIVED!'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-xXlvazHhyOs/TciCHnTVhMI/AAAAAAAAABM/moVonqOMxMk/s72-c/IMG_20110509_190421.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-1422958194702151141</id><published>2011-05-01T23:38:00.002-05:00</published><updated>2011-05-02T00:08:57.444-05:00</updated><title type='text'>bin Laden related malware links</title><content type='html'>Okay, we all know Osama bin Hidin is now DRT (dead right there). The next obvious thing to come will of course be billions of spam and other type messages leading to malware related sites. 
Remember, don't click on any of that crap. Remind your friends and family that they aren't likely to see autopsy photos or anything of the sort if they click a link on Facebook or in an email. Help stop the spread of malware!&lt;br /&gt;&lt;br /&gt;Also, more importantly, thank you to our troops and all who serve for doing an awesome job, all the time!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-1422958194702151141?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/1422958194702151141/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/05/bin-laden-related-malware-links.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/1422958194702151141'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/1422958194702151141'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/05/bin-laden-related-malware-links.html' title='bin Laden related malware links'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-2573494459074297152</id><published>2011-04-28T15:38:00.000-05:00</published><updated>2011-04-28T15:38:06.631-05:00</updated><title type='text'>A Quick Note</title><content type='html'>Just wanted to mention that, according to Amazon, &lt;a 
href="http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1304021633&amp;amp;sr=1-1"&gt;Digital Forensics with Open Source Tools&lt;/a&gt; has been released. This is a book I've really been looking forward to. The two authors, Cory Altheide and Harlan Carvey, are well known in the field and bring a lot of experience and knowledge to this book, so I know it's going to be great. I'll be posting a review after I receive and read my copy.&lt;br /&gt;&lt;br /&gt;Related to the use of open source, I also wanted to mention some interesting posts being made over on the SANS Forensic Blog by Dave Hull. He's made two related recent posts on the use of the Linux command line to aid in data reduction during an investigation. The posts are called "&lt;a href="http://computer-forensics.sans.org/blog/2011/04/23/digital-forensics-least-freq-strings#"&gt;Least Frequently Occurring Strings?&lt;/a&gt;" and "&lt;a href="http://computer-forensics.sans.org/blog/2011/04/26/digital-forensics-mapreduce"&gt;Data Reduction redux and map-reduce&lt;/a&gt;." I love reading things like this, because these are methods anyone can use without buying high dollar forensic software. The Linux operating system comes as an almost ready-made forensic investigation platform, with just a few things still needed to do the job. I still work in both Linux and Windows and make use of paid software in both, but my heart is with the open source tools available to all.&lt;br /&gt;&lt;br /&gt;I hope to be putting out a new blog post in the near future that contains info on some research I've been doing lately, but I haven't had time to finish things up yet. 
I'll be back with a new post "soon".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-2573494459074297152?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/2573494459074297152/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/04/quick-note.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/2573494459074297152'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/2573494459074297152'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/04/quick-note.html' title='A Quick Note'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-8754481032419553950</id><published>2011-04-15T11:23:00.000-05:00</published><updated>2011-04-15T11:23:08.776-05:00</updated><title type='text'>Addendum</title><content type='html'>The only thing I hate about blogging is finishing up a post, publishing it, going to bed and then realizing the next morning I left things out of the post unintentionally. In my last post, I had three other things I wanted to mention, so here they are.&lt;br /&gt;&lt;br /&gt;First, my friend Tom (@cdtdelta) has started his own blog. The name of the blog is &lt;a href="http://ramslack.wordpress.com/"&gt;RAM Slack&lt;/a&gt; and he writes about digital forensics. 
I'm mad at him, because he came up with a way better name for his blog than I did for mine&amp;nbsp; ;-)&lt;br /&gt;&lt;br /&gt;Also, Jason Andress has two books coming out in June, one of which he authored and the other he co-authored. &lt;a href="http://syngress.com/"&gt;Syngress&lt;/a&gt; is the publisher of both books. Jason solo-authored &lt;a href="http://syngress.com/information-security-and-system-administrators/The-Basics-of-Information-Security/"&gt;The Basics of Information Security&lt;/a&gt; and co-authored &lt;a href="http://syngress.com/hacking-and-penetration-testing/Cyber-Warfare/"&gt;Cyber Warfare&lt;/a&gt; with Steve Winterfeld. Both look really interesting and I plan to buy both.&lt;br /&gt;&lt;br /&gt;Okay, I think that's it for now, but who knows?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-8754481032419553950?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/8754481032419553950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/04/addendum.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/8754481032419553950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/8754481032419553950'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/04/addendum.html' title='Addendum'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-556451556550436408</id><published>2011-04-15T00:48:00.002-05:00</published><updated>2011-04-15T00:57:26.457-05:00</updated><title type='text'>A few links</title><content type='html'>What's this??? Me with another blog post in the short span of 2 whole days? Yep, it's true. I'm really going to try to start posting more often, so we'll see how it goes. I don't have a lot planned for this one, but wanted to mention some other blog posts I thought were worthwhile.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.blogger.com/profile/18006963212207189042"&gt;Andre M. DiMino&lt;/a&gt;, on his &lt;a href="http://sempersecurus.blogspot.com/2011/04/using-volatility-to-study-cve-2011-6011.html"&gt;SemperSecurus&lt;/a&gt; blog, posted a nice write-up on using &lt;a href="http://code.google.com/p/volatility/"&gt;Volatility 1.4&lt;/a&gt; to analyze a memory capture from a machine infected by the recently disclosed Adobe 0-day (CVE-2011-0611). Andre does a great job of detailing the work he did, complete with screenshots. I've only dabbled in memory analysis occasionally, but greatly enjoy reading posts like this that explain in detail how a goal was accomplished and provide the reader with the means of repeating the process in their own lab environment.&lt;br /&gt;&lt;br /&gt;On his &lt;a href="http://taosecurity.blogspot.com/2011/04/cooking-cuckoos-egg.html"&gt;TaoSecurity blog&lt;/a&gt;, &lt;a href="http://www.blogger.com/profile/13512184196416665417"&gt;Richard Bejtlich&lt;/a&gt; recently posted his slides entitled "Cooking the Cuckoo's Egg" from his talk at the DOJ Cybersecurity conference back in February. I just recently bought the book "The Cuckoo's Egg" but haven't started reading it. 
From looking at the slides, I can tell I would have enjoyed the talk and would love to get the chance to hear Richard speak sometime.&lt;br /&gt;&lt;br /&gt;My good friend Brad Garnett has re-titled his blog &lt;a href="http://forensicsource.blogspot.com/2011/04/new-digital-forensic-source-blog.html"&gt;Digital Forensic Source&lt;/a&gt;. Brad is a smart guy and an excellent forensics analyst as well. I say nice things about him, even though he calls me old ;-)&lt;br /&gt;&lt;br /&gt;I wanted to thank &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan Carvey&lt;/a&gt; for his &lt;a href="http://windowsir.blogspot.com/2011/04/links_13.html"&gt;blog post&lt;/a&gt; in which he referred to my review of Windows Registry Forensics. I looked over my blog's stats and found the overwhelming number of visits to this blog come directly from his.&lt;br /&gt;&lt;br /&gt;Speaking of Harlan, the book he co-authored with &lt;a href="http://www.posthumorous.com/"&gt;Cory Altheide&lt;/a&gt; will be out soon. The book is called &lt;a href="http://www.syngress.com/digital-forensics/Digital-Forensics-with-Open-Source-Tools/"&gt;Digital Forensics with Open Source Tools&lt;/a&gt;. This is yet another of those books I plan to get as soon as it's released. I love working with open source tools in both Linux and Windows (especially Linux), so I'm really excited about getting this one soon. I've never met Cory, but I follow him on Twitter and he seems like someone I'd enjoy meeting one day. Very funny guy. Now, if I could just convince &lt;a href="http://thedigitalstandard.blogspot.com/"&gt;Chris Pogue&lt;/a&gt; to write a second edition of &lt;a href="http://www.amazon.com/UNIX-Linux-Forensic-Analysis-Toolkit/dp/1597492698/ref=sr_1_1?s=books&amp;amp;ie=UTF8&amp;amp;qid=1302842315&amp;amp;sr=1-1"&gt;Unix and Linux Forensic Analysis&lt;/a&gt;, all would be well. 
Unfortunately, last I heard, such a project is not in his plans.&lt;br /&gt;&lt;br /&gt;Ira Victor posted a new &lt;a href="http://computer-forensics.sans.org/blog/2011/04/14/digital-forensics-case-o-decade#"&gt;Case Leads&lt;/a&gt; over on the SANS Computer Forensics blog. I really like those Case Leads posts. Everyone who does them really does a fine job of bringing a lot of good info into each post.&lt;br /&gt;&lt;br /&gt;Also on the SANS blog, &lt;a href="http://zeltser.com/"&gt;Lenny Zeltser&lt;/a&gt; posted an interesting new article entitled &lt;a href="http://computer-forensics.sans.org/blog/2011/04/12/digital-forensics-signatures-for-security-incident-response#"&gt;Context-Specific Signatures for Computer Security Incident Response.&lt;/a&gt; I've thought about creating my own signatures for use with ClamAV before, but so far haven't taken the time to try it. Lenny makes a good case for doing that during an incident to help identify the scope of the incident.&lt;br /&gt;&lt;br /&gt;Finally, &lt;a href="http://journeyintoir.blogspot.com/"&gt;Corey Harrell&lt;/a&gt; created something cool...a &lt;a href="http://www.google.com/cse/home?cx=011905220571137173365:7eskxxzhjj8"&gt;digital forensics specific search tool&lt;/a&gt;. This was a really cool idea and it works great. It's nice to have that option when needing info on some forensic artifacts, saving you the time of wading through all the irrelevant hits just to find that one little nugget of information you need. Well done Corey and thanks for sharing it!&lt;br /&gt;&lt;br /&gt;That's about it for now. 
Hope to be posting again in the near future.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-556451556550436408?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/556451556550436408/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/04/few-links_15.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/556451556550436408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/556451556550436408'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/04/few-links_15.html' title='A few links'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-8211721088446941070</id><published>2011-04-12T23:30:00.001-05:00</published><updated>2011-04-14T23:12:05.983-05:00</updated><title type='text'>Books I recommend</title><content type='html'>Just me, back from the blogging dead again for another drive-by blog post! I wanted to mention a couple of books I've read recently that I wanted to recommend. Notice I said "mention" the books, not review. Frankly, I suck at doing book reviews, so I'm just going to talk about them briefly without going into a full scale breakdown. 
If you want to read well-written book reviews, I refer you to the master of that domain, &lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/ref=cm_pdp_rev_all?ie=UTF8&amp;amp;sort_by=MostRecentReview"&gt;Richard Bejtlich&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The first book I wanted to mention I actually finished quite a while back. There aren't many books (or anything else) that I pre-order. I usually figure that I'll get it when it comes out, no need to pre-order. However, I also have certain favorite authors whose work I look so forward to that I want it as soon as possible after it becomes available. One of those authors is my friend, Harlan Carvey.&lt;br /&gt;&lt;br /&gt;Many of us in the computer forensics world consider Harlan's &lt;a href="http://windowsir.blogspot.com/"&gt;blog&lt;/a&gt; one of those "must read" blogs. His interest and knowledge in the area of the Windows Registry is well known, with his &lt;a href="http://www.regripper.net/"&gt;RegRipper&lt;/a&gt; tool one of those many of us (including me) use on pretty much every case. So when I heard he was going to be writing a new book called &lt;a href="http://www.amazon.com/Windows-Registry-Forensics-Advanced-Forensic/dp/1597495808/ref=sr_1_1?s=books&amp;amp;ie=UTF8&amp;amp;qid=1302541367&amp;amp;sr=1-1"&gt;Windows Registry Forensics&lt;/a&gt;, I placed my order at the first opportunity.&lt;br /&gt;&lt;br /&gt;If you're looking for a book that will teach you step by step how to use some commercial tool, this isn't it. For that, I am thankful. When Harlan first started talking about doing this book, I remember some people asking in comments on his blog if he was going to cover this commercial tool or that for registry analysis. I replied in a comment that if it were up to me, no commercial tools would be concentrated on in the book. Frankly, I'm going to learn a lot more about the registry by actually studying the registry itself, not a commercial tool I likely may never have. 
In my opinion, it's far better to concentrate on the registry and get my hands dirty, looking under the hood with open source tools, leaving it to the various commercial vendors to teach you how to use their particular tools. Fortunately, Harlan felt the same way and took the approach I had hoped he would take, resulting in a book I've already referred back to on several occasions while doing case work.&lt;br /&gt;&lt;br /&gt;The book is just over 200 pages and divided up into four chapters. The author makes it clear that he isn't going to provide you with every single registry key that may come in handy some day. Rather, he takes the "teach a man to fish" approach and starts you down the path of registry forensic analysis, giving you the knowledge to continue on your own.&lt;br /&gt;&lt;br /&gt;Chapter One is a good introduction to just what registry analysis is and reasons you might do it. One thing I liked in this chapter was that he points out the importance of preparing yourself ahead of time, deciding what the goals of your analysis are instead of wasting time just grabbing everything. I know after reading this book that I have changed the way I approach all of my investigative work, not just that which involves the registry.&lt;br /&gt;&lt;br /&gt;Chapter Two covers the various free and open source tools available for doing registry analysis. I had already used some of them, but others were new to me. Examining the registry on a live machine, as well as post-mortem analysis, are discussed in this chapter and good examples are given. Tools available for documenting changes to the registry after certain actions are performed (e.g., using RegShot after running a program) are also covered. I thought this chapter did a good job of covering those tools that are out there for anyone to use, such as RegRipper, RegShot, Autoruns and so on.&lt;br /&gt;&lt;br /&gt;I was pleased with the whole book, but I have to say I especially enjoyed the final two chapters. 
Chapter Three is titled "Case Studies: The System," while Chapter Four is "Case Studies: Tracking User Activity." I love reading examples of just how I might put all that I've learned thus far into practical use. I also like "war stories" if you will; real stories of registry analysis telling just how the analysis was conducted and how it turned out. These two chapters do all of that, with real world cases discussed and examples of how to accomplish your goals.&lt;br /&gt;&lt;br /&gt;I most certainly recommend Windows Registry Forensics to anyone who wants to learn more about the Windows registry and how it can help you make or break a case. The book is suitable for all forensic examiners, both in the public and private sectors, as well as students and others who simply want to learn more on the subject.&lt;br /&gt;&lt;br /&gt;The other book I wanted to mention briefly is &lt;a href="http://www.amazon.com/Kingpin-Hacker-Billion-Dollar-Cybercrime-Underground/dp/0307588688/ref=sr_1_1?s=books&amp;amp;ie=UTF8&amp;amp;qid=1302668162&amp;amp;sr=1-1"&gt;Kingpin&lt;/a&gt;, by &lt;a href="http://www.wired.com/threatlevel/"&gt;Kevin Poulsen&lt;/a&gt;. I just finished reading this book the night before last and must say I really enjoyed it. The book details the criminal exploits of Max Butler, aka Max Vision, who is now doing time in federal prison for the crimes detailed in this book. Butler became a leader in the underground marketing of stolen credit card information, among other "cyber" crimes.&lt;br /&gt;&lt;br /&gt;I liked the fact that Poulsen didn't just report the facts, but rather looked at who Max Butler is and perhaps what led to his eventual downfall. Butler's motivations were an important part of the story and I thought all of that was covered well. 
I have read where others have somewhat criticized Poulsen's approach, as they felt it made Butler more of a sympathetic character than he deserved, but I disagree with that assertion.&lt;br /&gt;&lt;br /&gt;Max Butler founded the website Carders Market, where stolen credit card data was traded openly and where vendors of equipment, such as card skimmers, could offer their products for sale. Butler took the unprecedented step of taking down rival sites and absorbing those sites' members without their permission or desire to do so, in the spirit of bringing the entire carding world together on one site. I remember hearing about this when it happened and found it very interesting indeed. Kevin Poulsen did a great job telling the story of how it all came to be, as well as the stories of the law enforcement agents that finally brought Butler down.&lt;br /&gt;&lt;br /&gt;I recommend this book to pretty much anyone who enjoys a great story. One need not be overly techno savvy to enjoy it, though I'll admit having some passing knowledge of some of the terminology used in the world of computers and networks doesn't hurt.&lt;br /&gt;&lt;br /&gt;That's about all I have time for now. 
I hope to be back with more posts on a semi regular basis soon, but I don't make any promises.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-8211721088446941070?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/8211721088446941070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/04/books-i-recommend.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/8211721088446941070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/8211721088446941070'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/04/books-i-recommend.html' title='Books I recommend'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-2317927250180779841</id><published>2011-03-08T15:34:00.000-06:00</published><updated>2011-03-08T15:34:41.551-06:00</updated><title type='text'>Dereliction of Duty</title><content type='html'>Once again, I have been derelict in posting regularly to this blog. I enjoy writing and documenting the cool stuff I'm working on, but lately it seems there's been too many other things going on in life to post on a regular basis. One of these days, things will slow down and I can do more fun stuff, like testing, experimenting and blogging about it all.&amp;nbsp; Until then, it's going to be on an "as I have time" basis. 
I had a few things I wanted to talk about today, so away we go...&lt;br /&gt;&lt;br /&gt;Have you ever been examining a system and found it was just too "clean"? I'm not talking about the absence of cobwebs and dust here, but rather the absence of practically any signs of use at all.&lt;br /&gt;&lt;br /&gt;I recently examined a computer that only had user-created data on it from a couple of weeks earlier up until the time it was brought to me. I knew the alleged illegal use of the machine had occurred several months ago, so this made little sense. I pulled the registry files and also built a timeline of the system. Using &lt;a href="http://regripper.net/"&gt;RegRipper&lt;/a&gt;, I took a look at the SOFTWARE hive and found the install date for the Windows 7 OS (the InstallDate value under Microsoft\Windows NT\CurrentVersion, stored as a Unix epoch) was only a couple of weeks earlier. I followed up by looking at the timeline, discovering the $MFT was created within a short time of the OS install date shown in the registry. Just to be extra thorough, I also extracted the $MFT and used David Kovar's excellent &lt;a href="http://www.integriography.com/"&gt;AnalyzeMFT&lt;/a&gt;&amp;nbsp;Python script to create a CSV listing of the master file table information. All the data I was seeing was in agreement, so I knew something was up.&lt;br /&gt;&lt;br /&gt;I immediately suspected the "factory reset" utility had been run and wondered if the purpose had been to destroy evidence. Continuing to look at the timeline, it was pretty clear that the factory reset had taken place. After doing a bit more investigation, it turned out that a non-suspect user of the computer had run the reset after the suspect had picked up a virus on the machine that they hadn't been able to get rid of. While the intent of the reset wasn't malicious, it did wipe out a lot of information. 
File carving with &lt;a href="http://www.x-ways.net/forensics/"&gt;X-Ways Forensics&lt;/a&gt; and the HstEx tool that accompanies &lt;a href="http://www.digital-detective.co.uk/"&gt;NetAnalysis&lt;/a&gt; recovered a considerable amount of data for the case, and I was able to conclude the exam soon thereafter.&lt;br /&gt;&lt;br /&gt;And now for something completely different...&lt;br /&gt;&lt;br /&gt;I wanted to mention some good stuff I've read lately that I found valuable. &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan&lt;/a&gt; wrote an interesting post on &lt;a href="http://windowsir.blogspot.com/2011/03/mbr-infector-detector.html"&gt;MBR infectors&lt;/a&gt;. I've never run into one, so it gave me some good ideas on things to check for in future exams. It seems I'm running into more and more malware situations lately, which I enjoy, so I'm always glad to read things like this.&lt;br /&gt;&lt;br /&gt;I also read a tweet this morning that mentioned &lt;a href="http://www.cuckoobox.org/"&gt;Cuckoo&lt;/a&gt;, a malware analysis sandbox. I haven't had the opportunity to try it out yet, but from reading over the website, it looks like it could prove useful. I'll post further after I've had time to dive into it (sometime next century, possibly, the way my life is going ;-) ). From the project website, here is a list of its capabilities:&lt;br /&gt;&lt;br /&gt;• Retrieve files from remote URLs and analyze them.&lt;br /&gt;• Trace relevant API calls for behavioral analysis.&lt;br /&gt;• Recursively monitor newly spawned processes.&lt;br /&gt;• Dump generated network traffic.&lt;br /&gt;• Run concurrent analysis on multiple machines.&lt;br /&gt;• Support custom analysis package based on AutoIt3 scripting.&lt;br /&gt;• Intercept downloaded and deleted files.&lt;br /&gt;• Take screenshots during runtime.&lt;br /&gt;&lt;br /&gt;I can definitely use this if it does all that. 
I am very much looking forward to giving it a look.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-2317927250180779841?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/2317927250180779841/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/03/dereliction-of-duty.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/2317927250180779841'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/2317927250180779841'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/03/dereliction-of-duty.html' title='Dereliction of Duty'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-586723792804680878</id><published>2011-02-17T10:26:00.001-06:00</published><updated>2011-02-17T10:37:13.196-06:00</updated><title type='text'>Interesting Registry Keys with FakeAV Infection</title><content type='html'>So there I was (don't you love it when a story starts like that?), arriving at work recently, when I was asked to look at a co-worker's laptop that was infected with a fake antivirus program. Another co-worker had already done what I would have done, in that he ran Malwarebytes Anti-Malware (MBAM) on the machine. However, I was surprised that MBAM hadn't even detected the infection. 
Neither had the installed real antivirus, Microsoft Security Essentials.&lt;br /&gt;&lt;br /&gt;Upon starting the laptop and logging in, I was greeted by the fake antivirus, "AntiViraAv".&amp;nbsp; Of course, it started pretending to scan the hard drive and began presenting the traditional dire warnings of fatal virus infection and so on. I had read about this one on the &lt;a href="http://siri-urz.blogspot.com/2011/02/antivira-av.html"&gt;S!Ri.URZ&lt;/a&gt; blog recently, so I went back and read that post again. It said running MBAM would fix the problem, although in our case it hadn't.&amp;nbsp; I ran MBAM again, along with SUPERAntiSpyware, but again nothing was detected.&amp;nbsp; MBAM is usually my go-to program for stuff like this, so I was surprised it hadn't worked.&amp;nbsp; I took the machine to my forensics office, removed the hard drive, attached it via USB cable to another machine and ran MBAM and VIPRE Antivirus against it, again coming up empty.&lt;br /&gt;&lt;br /&gt;I pulled the registry files and took a look at the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key, finding an obviously suspicious entry: podnkiwd = "C:\DOCUME~1\&amp;lt;USERNAME&amp;gt;\LOCALS~1\Temp\lyxnxvrky\rciprogsika.exe".&amp;nbsp; Okay, this isn't the interesting part; lots of different malware programs insert something in the Run key. That's not what I wanted to tell you about.&lt;br /&gt;&lt;br /&gt;I wound up finding two copies of the malware with identical MD5 hashes, one in the Local Settings\Temp folder called "6.129952833419995E7.exe" and the other in a newly created folder called "lyxnxvrky" inside the Temp folder. This new folder contained the "rciprogsika.exe" file referenced above, which is identical in every way except its name to "6.129952833419995E7.exe". I decided to test the malware further to see what all happened. 
I submitted it to VirusTotal and found that only 17 of the 43 scanners there detected it. Based on that, plus the fact that MBAM didn't recognize it, I believe this is a newer variant of the AntiViraAv rogue AV. As of this writing, my submission is still the only one for this particular version at VirusTotal.&lt;br /&gt;&lt;br /&gt;So you're probably wondering what the big deal is. What was interesting to me may not mean much, but I hadn't seen it before. Seasoned malware experts and incident responders may have seen the other registry additions/modifications I'm about to describe, so this may not be anything earth-shattering. You have been warned.&lt;br /&gt;&lt;br /&gt;I set up a Windows XP virtual machine in VMware Workstation and placed a copy of the "6.129952833419995E7.exe" file in the Local Settings\Temp folder. I ran RegShot, got my baseline and then executed the malware file. Nothing visible happened, unless you were looking in the Local Settings folder. However, all sorts of things were happening in the registry.&lt;br /&gt;&lt;br /&gt;Three new keys were created in the registry:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations&lt;/li&gt;&lt;li&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments&lt;/li&gt;&lt;li&gt;HKEY_CURRENT_USER\Software\g043oqxanu&lt;/li&gt;&lt;/ul&gt;Also, the following four keys had new values added to them. The last one I already knew about, but the first three were new to me and seemed especially interesting; I still have only a partial idea of their purpose. I haven't researched them yet, but it looks as if the net effect is to set per-user policies that lower Windows' guard against .exe files. That's only a semi-educated guess, but I'll be doing further research in that area soon. 
If anyone out there knows and would like to share, I'd love to hear it.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]&lt;/li&gt;&lt;ul&gt;&lt;li&gt;RunInvalidSignatures = 0x00000001&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]&lt;/li&gt;&lt;ul&gt;&lt;li&gt;LowRiskFileTypes = ".exe"&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]&lt;/li&gt;&lt;ul&gt;&lt;li&gt;SaveZoneInformation = 0x00000001&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]&lt;/li&gt;&lt;ul&gt;&lt;li&gt;rqluxpqp = "%Temp%\lyxnxvrky\rciprogsika.exe"&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;Finally, the value in this key was changed from "yes" to "no".&lt;br /&gt;&lt;ul&gt;&lt;li&gt;[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]&lt;/li&gt;&lt;ul&gt;&lt;li&gt;CheckExeSignatures = "no"&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;At this point, the executable had still never done anything visible to the user. I decided to reboot the VM and see if the fake AV finally reared its ugly head. Again, nothing happened. I hadn't given the VM an active network connection, and I wondered if perhaps the fake AV would wait for one before showing up.&amp;nbsp; I activated the network and rebooted. 
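&lt;br /&gt;&lt;br /&gt;Before the reboot result, a note on what those values actually do, because taken together they are not a mystery: SaveZoneInformation = 1 is the "Do not preserve zone information in file attachments" policy, so downloaded files no longer get the Zone.Identifier stream and the Attachment Manager has nothing to warn about; LowRiskFileTypes = ".exe" tells that same Attachment Manager to treat executables as low risk and skip the open-file security prompt; and CheckExeSignatures = "no" together with RunInvalidSignatures = 1 stops Internet Explorer from checking Authenticode signatures on downloaded programs and lets programs with bad signatures run anyway. As an added example that is not code from this post, here is a Python script that reads a RegShot-style diff and flags exactly those settings, plus any Run entry that points into a Temp directory. The diff it reads is constructed from the values listed above, and the RegShot line format it assumes (path\name: data, DWORDs printed as 0x%08X, strings in double quotes) is an assumption rather than something the post shows.

```python
"""Flag per-user registry values that weaken Windows download safeguards.

Added example, not code from the original post.  It assumes a RegShot-style
text diff ("Values added:" / "Values modified:" sections, one
"HKEY...\\Key\\ValueName: data" line per value, DWORDs printed as 0x%08X and
strings in double quotes); the sample below is constructed from the values
listed in the post.
"""

SAMPLE_DIFF = r"""
----------------------------------
Values added: 5
----------------------------------
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes: ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rqluxpqp: "%Temp%\lyxnxvrky\rciprogsika.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe: "C:\WINDOWS\system32\ctfmon.exe"
----------------------------------
Values modified: 1
----------------------------------
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExe signatures: "yes"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures: "no"
"""

# (key suffix, value name or None for any name, predicate on decoded data, meaning)
CHECKS = [
    ("\\policies\\attachments", "savezoneinformation", lambda d: d == 1,
     "Zone.Identifier (mark-of-the-web) no longer saved on downloads, so "
     "Attachment Manager warnings are suppressed"),
    ("\\policies\\associations", "lowriskfiletypes",
     lambda d: ".exe" in str(d).lower(),
     ".exe declared a low-risk file type: no Open File security prompt"),
    ("\\internet explorer\\download", "checkexesignatures",
     lambda d: str(d).lower() == "no",
     "Internet Explorer no longer checks Authenticode signatures on downloads"),
    ("\\internet explorer\\download", "runinvalidsignatures", lambda d: d == 1,
     "executables with invalid signatures are allowed to run"),
    ("\\currentversion\\run", None,
     lambda d: "\\temp\\" in str(d).lower() or "%temp%" in str(d).lower(),
     "autostart entry pointing into a Temp directory"),
]


def decode_data(data):
    """RegShot prints DWORDs as 0x%08X and string values in double quotes."""
    if data.startswith("0x"):
        return int(data, 16)
    return data.strip('"')


def parse_values(text):
    """Yield (key, value name, decoded data) for every registry value line."""
    for line in text.splitlines():
        if not line.startswith("HK"):
            continue                      # section headers and rulers
        left, sep, data = line.partition(": ")
        if not sep:
            continue
        key, _, name = left.rpartition("\\")
        yield key, name, decode_data(data.strip())


def find_weakened_safeguards(diff_text):
    """Return [(key, name, data, meaning)] for each value matching a CHECK."""
    hits = []
    for key, name, data in parse_values(diff_text):
        for key_suffix, value_name, is_bad, meaning in CHECKS:
            if not key.lower().endswith(key_suffix):
                continue
            if value_name is not None and name.lower() != value_name:
                continue
            if is_bad(data):
                hits.append((key, name, data, meaning))
    return hits


if __name__ == "__main__":
    for key, name, data, meaning in find_weakened_safeguards(SAMPLE_DIFF):
        print("%s\\%s = %r\n    %s" % (key, name, data, meaning))
```

Run it against a saved RegShot comparison and each hit prints with its key, value and why it matters. The ctfmon.exe Run entry in the sample is there to show that ordinary autostarts are left alone, and the "yes" line of the modified value is the old state and is likewise not flagged.&lt;br /&gt;&lt;br /&gt;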
This time I was greeted by this:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-HJYwexELntA/TV1Djlpm_DI/AAAAAAAAAAk/8iDp0PPZhkM/s1600/feb-17-001.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="360" src="http://3.bp.blogspot.com/-HJYwexELntA/TV1Djlpm_DI/AAAAAAAAAAk/8iDp0PPZhkM/s640/feb-17-001.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;My intent now is to learn a bit more about those new registry keys and values.&lt;br /&gt;&lt;br /&gt;EDIT:&amp;nbsp; By the way,&amp;nbsp; the MD5 for this file is c6a3a4477e17570a5c1da58e34312b4b&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-586723792804680878?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/586723792804680878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/02/interesting-registry-keys-with-fakeav.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/586723792804680878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/586723792804680878'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/02/interesting-registry-keys-with-fakeav.html' title='Interesting Registry Keys with FakeAV Infection'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/-HJYwexELntA/TV1Djlpm_DI/AAAAAAAAAAk/8iDp0PPZhkM/s72-c/feb-17-001.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-3208487341299266435</id><published>2011-01-19T00:07:00.001-06:00</published><updated>2011-01-19T11:31:07.050-06:00</updated><title type='text'>A Brief Update</title><content type='html'>After a bit of an equipment failure, I'm rebuilding my test machine prior to doing the dynamic analysis of the BEAST.&amp;nbsp; I hope to have it back up and running very soon.&lt;br /&gt;&lt;br /&gt;I've been continuing to experiment with things I read about in the &lt;a href="http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033/ref=pd_rhf_p_t_3"&gt;Malware Analyst's Cookbook&lt;/a&gt; in my spare time.&amp;nbsp; I set up &lt;a href="http://www.inetsim.org/"&gt;INetSim&lt;/a&gt; on a Linux machine after reading about it in the book.&amp;nbsp; After one brief test, it seems to work very well and should make dynamic analysis of malware files more interesting and productive.&amp;nbsp; I'm still figuring out some things about it, but I'm very impressed with how easy it is to set up and configure.&lt;br /&gt;&lt;br /&gt;I had planned to do some more work with INetSim today, but since the test machine I was going to execute the malware on bit the proverbial dust, I spent my time setting up a new Linux-based internal mail server for the sheriff's office.&amp;nbsp; The server is running Ubuntu 10.10 Server and uses Dovecot and Postfix for mail. It's also running Apache with SquirrelMail, so the deputies can choose between an email client like Outlook and accessing their mail via a web interface. 
I finished getting it running tonight and all seems to be working well.&amp;nbsp; I just have to get the user list and the IP address it will be assigned, and then I can put it in service for them.&lt;br /&gt;&lt;br /&gt;Finally, I'm no longer involved in writing a book.&amp;nbsp; My partners and I were unable to work out some conflicts with the publisher, so we and the publisher have amicably parted ways. I hope to one day be involved in writing a book, but I think it just wasn't meant to be at this point. &lt;br /&gt;&lt;br /&gt;That's about it for now. Hope to be back with another installment in my relentless pursuit of the BEAST in the near future.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-3208487341299266435?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/3208487341299266435/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/01/brief-update.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/3208487341299266435'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/3208487341299266435'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/01/brief-update.html' title='A Brief Update'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-8071467770238982779</id><published>2011-01-05T10:57:00.000-06:00</published><updated>2011-01-05T10:57:49.478-06:00</updated><title type='text'>Cyber Crime 101 podcast appearance</title><content type='html'>Just wanted to do a quick post and say I was interviewed by my friend Joe Garcia for his Cyber Crime 101 podcast.&amp;nbsp; You can listen to his excellent show at www.cybercrime101.com; the specific episode I'm on is at www.cybercrime101.com/episode-23-forensics-on-a-budget.&amp;nbsp; Thank you to Joe for asking me to join him for the show!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-8071467770238982779?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/8071467770238982779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/01/cyber-crime-101-podcast-appearance.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/8071467770238982779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/8071467770238982779'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/01/cyber-crime-101-podcast-appearance.html' title='Cyber Crime 101 podcast appearance'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-5315705024404848973</id><published>2011-01-04T23:09:00.003-06:00</published><updated>2011-01-05T00:09:02.233-06:00</updated><title type='text'>Taming the Wild Beast--Part Two</title><content type='html'>&lt;a href="http://digiforensics.blogspot.com/2010/12/taming-wild-beast-part-one.html"&gt;When last we left our hero&lt;/a&gt;, he was trying to figure out how the BEAST got on a church computer.&amp;nbsp; The BEAST in question is BEAST.exe, found on a Windows XP Home computer owned by a church.&amp;nbsp; Since then, I have spent time looking at the Master File Table, a &lt;a href="http://computer-forensics.sans.org/blog/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation"&gt;Super Timeline&lt;/a&gt; created from the system, and the prefetch files.&amp;nbsp; I'd like to say that after all that I had come to an "aha!" moment and would know how the malicious file managed to get on the system.&amp;nbsp; I would also like to say I was given a billion dollars, but that wouldn't be any more true than my saying I figured out where this file came from.&amp;nbsp; But I digress...&lt;br /&gt;&lt;br /&gt;As I said in the last post and above, I created my Super Timeline and started looking through it around the date and time this file appeared on the system (August 10, 2010 at 13:51:06). 
&amp;nbsp; I noticed a flurry of activity all around that time: the folders C:\DATA and C:\DATA\FILES, along with the files BEAST.exe and Desktop.ini, were "born" on the system at that moment.&amp;nbsp; The two files were both placed in the C:\DATA\FILES folder.&amp;nbsp; Also at the same time, more than 30 of the restore points on the system had new "ini" files added to them.&amp;nbsp; All of those ini files were copies of the Desktop.ini mentioned above.&amp;nbsp; Prior to that, a little unremarkable-looking web browsing took place.&lt;br /&gt;&lt;br /&gt;Next, I used the excellent &lt;a href="http://www.integriography.com/"&gt;AnalyzeMFT&lt;/a&gt; Python script, created by my good friend &lt;a href="http://integriography.wordpress.com/"&gt;David Kovar&lt;/a&gt;, to parse the Master File Table.&amp;nbsp; I wanted to compare the $STANDARD_INFORMATION timestamps to the $FILE_NAME timestamps, just to make sure no file times had been fiddled with (the $STANDARD_INFORMATION times can be set from user mode, which is what timestomping tools alter, while the $FILE_NAME times are kernel-maintained, so a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one is the classic red flag).&amp;nbsp; Nothing appeared out of line, so I moved on for the time being.&lt;br /&gt;&lt;br /&gt;(Edited to fix something I didn't very clearly state at first)&lt;br /&gt;Using &lt;a href="http://www.x-ways.net/forensics/"&gt;X-Ways Forensics&lt;/a&gt;, I opened the drive image and looked at the Windows\Prefetch directory to see if there were any references to the BEAST.&amp;nbsp; Sure enough, BEAST.EXE-3696224B.pf had been there but was deleted.&amp;nbsp; However, X-Ways was able to display it and tell me it had a total run count of 2 and a last run date of 11/17/2010 08:42:55, which was quite a while prior to my receipt of the machine. The MAC times were the same as the last run date/time.&amp;nbsp; Because the file had been deleted, it did not show up in my timeline or MFT report.&lt;br /&gt;&lt;br /&gt;So now what?&amp;nbsp; Not to fear, there is always more to do when trying to figure these things out.&amp;nbsp; While I still have no real idea beyond a basic theory how this thing got on the system, I will continue with 
part three after doing some more analysis, including executing the file on a stand-alone computer and doing a live capture, which will hopefully give me a better idea of what was going on here.&amp;nbsp; I have a computer similar to the actual victim system that I refurbished for just this purpose and plan to execute the malware on it.&amp;nbsp; I will be capturing RAM and using RegShot along with a few other programs to see just what happens when the BEAST is executed.&amp;nbsp; Sure, I could just submit the file to &lt;a href="http://www.joebox.ch/"&gt;Joebox&lt;/a&gt;, &lt;a href="http://anubis.iseclab.org/"&gt;Anubis&lt;/a&gt; or &lt;a href="http://www.threatexpert.com/"&gt;ThreatExpert&lt;/a&gt; and get a detailed report, but what fun would that be?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&amp;nbsp;EDIT&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;After making this post, I went back and looked at things I previously missed.&amp;nbsp; I went back to the timeline and looked for the date and time of the above-mentioned prefetch file.&amp;nbsp; I found that a registry key had its LastWrite time (the only timestamp a registry key carries) updated to the same date/time.&amp;nbsp; That key is HKEY_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/StreamMRU.&amp;nbsp; From the little bit of reading I've done about it, it seems that key is where Windows saves the size and location of a window when it is closed.&amp;nbsp; Not too sure how this goes along with the malware yet, but I plan to find out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-5315705024404848973?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/5315705024404848973/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2011/01/taming-wild-beast-part-two.html#comment-form' title='3 Comments'/><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/5315705024404848973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/5315705024404848973'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2011/01/taming-wild-beast-part-two.html' title='Taming the Wild Beast--Part Two'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-274913019782500977</id><published>2010-12-27T18:40:00.000-06:00</published><updated>2010-12-27T18:40:35.920-06:00</updated><title type='text'>Quick Update</title><content type='html'>I was reminded by a friend today that it had been quite a while since the last post here.&amp;nbsp; With all of the family obligations at Christmas time, I simply haven't had enough time to put part 2 of the Beast post together yet.&amp;nbsp; I hope to get it out sometime this week.&amp;nbsp; Thanks for checking in!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-274913019782500977?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/274913019782500977/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2010/12/quick-update.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/274913019782500977'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/694927654418634223/posts/default/274913019782500977'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2010/12/quick-update.html' title='Quick Update'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-2490040878378236721</id><published>2010-12-17T21:42:00.000-06:00</published><updated>2010-12-17T21:42:29.759-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><title type='text'>Taming the Wild Beast--Part One</title><content type='html'>Recently, I was asked to look at a PC owned by a church.&amp;nbsp; The machine had been running poorly and was being used for nothing more than playing music for the pastor while he worked in his office, as its performance was so bad it just wasn't good for much else.&amp;nbsp; This didn't start out as a malware investigation, per se, so some of the steps I initially took probably weren't appropriate for that.&amp;nbsp; However, after finding some interesting stuff, I decided to look into it further.&lt;br /&gt;&lt;br /&gt;I set the computer up in my home lab and booted it.&amp;nbsp; The OS was Windows XP Home, Service Pack 2.&amp;nbsp; I noticed right away it was not running any antivirus.&amp;nbsp; Given the lack of recent Windows updates or antivirus, I figured I'd find some kind of malware.&amp;nbsp; A quick run with Malwarebytes Anti-Malware proved I was correct in that assumption.&amp;nbsp; In addition to a registry key, which I'll describe later in this post, it identified an infected file at C:\DATA\FILES\BEAST.exe.&lt;br /&gt;&lt;br /&gt;I opened up My Computer 
and then the C: drive to take a look before doing anything else.&amp;nbsp; Strangely enough, no folder called DATA was there.&amp;nbsp; Enabling the display of hidden files also failed to show the folder.&amp;nbsp; Finally, unchecking the box to hide protected operating system files revealed my folder.&amp;nbsp; Inside DATA, as expected, was a folder called FILES.&amp;nbsp; I expected to find the BEAST.exe file in there, but much to my surprise I saw the contents of the Recycle Bin and no beasts in sight. (Explorer shows a folder that way when a Desktop.ini inside it assigns the folder the Recycle Bin's CLSID, {645FF040-5081-101B-9F08-00AA002F954E}, so a Desktop.ini sitting beside the hidden file is the first thing to look for whenever a folder's Explorer view doesn't match the filesystem.)&amp;nbsp; This is the first malware I've dealt with in quite a while that puts itself in a brand new location it creates and then hides with system attributes.&lt;br /&gt;&lt;br /&gt;This was getting interesting for a malware noob like me.&amp;nbsp; Honestly, I found it ironic and kinda funny that "the beast" was in a church computer and wondered if an exorcism was more in order than a malware removal.&amp;nbsp; I had several friends on Twitter inquire as to whether the malware was running with PID 666.&lt;br /&gt;&lt;br /&gt;Instead of imaging memory on the church machine, I decided to grab a copy of the malware and run it later in a controlled environment in order to grab a memory capture.&amp;nbsp; I haven't had time to do that part yet, but plan to do so in the next day or two. 
&amp;nbsp;I shut the system down, imaged the disk and made a "super" timeline from it, all using the superb &lt;a href="http://computer-forensics.sans.org/community/downloads/"&gt;SANS SIFT Workstation&lt;/a&gt; VM running in VMware Workstation.&lt;br /&gt;&lt;br /&gt;The SIFT workstation is something I use all the time.&amp;nbsp; It has so many things included in it that it makes getting things done much easier.&amp;nbsp; In this case, I used it for making the timeline, as well as for browsing the filesystem in the image from the relative safety of the Linux operating system so as to protect myself from "the beast".&amp;nbsp; For those unfamiliar, a Super Timeline is created using &lt;a href="http://www.sans.org/reading_room/whitepapers/logging/mastering-super-timeline-log2timeline_33438"&gt;Kristinn Gudjonsson&lt;/a&gt;'s Timescanner from &lt;a href="http://www.log2timeline.net/"&gt;Log2Timeline&lt;/a&gt;, along with fls and mactime from &lt;a href="http://www.sleuthkit.org/"&gt;The Sleuth Kit&lt;/a&gt; by Brian Carrier and the regtime.pl Perl script by &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan Carvey&lt;/a&gt;.&amp;nbsp; It provided me with some interesting info which I'll talk about in part two.&lt;br /&gt;&lt;br /&gt;During this time, I also extracted the registry files from the system32\config directory, as well as the ntuser.dat from the main user account on the system.&amp;nbsp; I find that I use Harlan's &lt;a href="http://www.regripper.net/"&gt;RegRipper&lt;/a&gt; on nearly every type of exam I do these days.&amp;nbsp; If you're doing forensics and not using RegRipper, you're shorting yourself, because it provides an amazing amount of information in an easily readable format.&amp;nbsp; It, too, provided me with some very relevant information related to this exam and I will cover it all as well in part two.&lt;br /&gt;&lt;br /&gt;This didn't start out to be a multi-part post, but I'm finding this one is already very long.&amp;nbsp; 
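&lt;br /&gt;&lt;br /&gt;As an added example, and not code from these posts or from log2timeline, The Sleuth Kit or X-Ways, the Python script below does in miniature what the super timeline described above does: it turns a bodyfile (what fls -m produces and mactime reads) into M/A/C/B-flagged events, parses the executable name, hash, last-run time and run count out of a prefetch file header, merges the two sources, sorts them, and pulls out the window around a pivot time. Both inputs are constructed to mirror what Part Two found: the C:\DATA\FILES activity at 13:51:06 on August 10, 2010 and the deleted BEAST.EXE-3696224B.pf with a run count of 2. A deleted prefetch file never reaches the timeline on its own, so feeding its recovered bytes in as a separate source, as done here, is how that finding gets put back where it belongs. The bodyfile column order and the prefetch header offsets are assumptions stated in the docstring; the XP (version 17) header is the one this sample builds.

```python
"""Mini super timeline: merge fls/mactime bodyfile events with prefetch
last-run events and pull out the window around a pivot time.

Added example, not code from the original posts and not log2timeline, TSK or
X-Ways.  Assumes the TSK 3.x bodyfile layout (MD5|name|inode|mode|UID|GID|
size|atime|mtime|ctime|crtime, epoch seconds) and the uncompressed .pf header
layouts of prefetch versions 17 (XP/2003), 23 (Vista/7) and 26 (8.1).
"""
import datetime

UTC = datetime.timezone.utc
EPOCH_1601 = datetime.datetime(1601, 1, 1, tzinfo=UTC)

def to_filetime(dt):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000

def from_filetime(ft):
    return EPOCH_1601 + datetime.timedelta(microseconds=ft // 10)

# (last-run offset, run-count offset) for each uncompressed prefetch version.
PREFETCH_LAYOUT = {17: (120, 144), 23: (128, 152), 26: (128, 208)}

def parse_prefetch(data):
    """Executable name, hash, last run and run count from a .pf header."""
    if data[4:8] != b"SCCA":
        raise ValueError("no SCCA signature (Windows 10 .pf files are MAM-compressed)")
    version = int.from_bytes(data[0:4], "little")
    if version not in PREFETCH_LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    run_off, count_off = PREFETCH_LAYOUT[version]
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "executable": name,
        "hash": int.from_bytes(data[76:80], "little"),
        "last_run": from_filetime(int.from_bytes(data[run_off:run_off + 8], "little")),
        "run_count": int.from_bytes(data[count_off:count_off + 4], "little"),
    }

def build_xp_prefetch(exe, pf_hash, last_run, run_count):
    """Constructed version-17 header carrying only the fields parsed above."""
    buf = bytearray(152)                 # 84-byte header + 68-byte v17 info block
    buf[0:4] = (17).to_bytes(4, "little")
    buf[4:8] = b"SCCA"
    buf[12:16] = len(buf).to_bytes(4, "little")
    raw = exe.encode("utf-16-le")
    buf[16:16 + len(raw)] = raw
    buf[76:80] = pf_hash.to_bytes(4, "little")
    buf[120:128] = to_filetime(last_run).to_bytes(8, "little")
    buf[144:148] = run_count.to_bytes(4, "little")
    return bytes(buf)

def bodyfile_events(text):
    """One event per distinct timestamp of each entry, flagged MACB like mactime."""
    events = []
    for line in text.splitlines():
        cols = line.split("|")
        if len(cols) != 11:
            continue
        stamps = dict(zip("amcb", (int(x) for x in cols[7:11])))
        for t in sorted(set(stamps.values())):
            flags = "".join(f.upper() if stamps[f] == t else "." for f in "macb")
            events.append((datetime.datetime.fromtimestamp(t, UTC), flags, "FILE", cols[1]))
    return events

def prefetch_events(blobs):
    events = []
    for pf in map(parse_prefetch, blobs):
        desc = "%s-%08X last run (run count %d)" % (pf["executable"], pf["hash"], pf["run_count"])
        events.append((pf["last_run"], "....", "PREFETCH", desc))
    return events

def timeline(bodyfile_text, prefetch_blobs):
    """Merged, time-sorted (when, MACB flags, source, description) tuples."""
    return sorted(bodyfile_events(bodyfile_text) + prefetch_events(prefetch_blobs))

def around(events, pivot, minutes=5):
    """Events within +/- minutes of the pivot: the 'flurry' one looks for."""
    span = datetime.timedelta(minutes=minutes)
    return [e for e in events if max(abs(e[0] - pivot), span) == span]

# Constructed sample mirroring the posts: C:\DATA, C:\DATA\FILES, BEAST.exe and
# Desktop.ini born at 2010-08-10 13:51:06, a little browsing just before, and
# the deleted BEAST.EXE-3696224B.pf last run 2010-11-17 08:42:55, run count 2.
# BEAST.exe keeps an older mtime, as a file copied in from elsewhere would.
PIVOT = datetime.datetime(2010, 8, 10, 13, 51, 6, tzinfo=UTC)
T0 = int(PIVOT.timestamp())
ROW = "0|%s|%d|%s|0|0|%d|%d|%d|%d|%d"
SAMPLE_BODYFILE = "\n".join([
    ROW % ("C:/Documents and Settings/user/Local Settings/Temporary Internet Files/Content.IE5/index.dat",
           4411, "r/rrwxrwxrwx", 32768, T0 - 95, T0 - 95, T0 - 95, T0 - 400000),
    ROW % ("C:/DATA", 5120, "d/drwxrwxrwx", 0, T0, T0, T0, T0),
    ROW % ("C:/DATA/FILES", 5121, "d/drwxrwxrwx", 0, T0, T0 + 1, T0 + 1, T0),
    ROW % ("C:/DATA/FILES/BEAST.exe", 5122, "r/rrwxrwxrwx", 118784, T0, T0 - 86400 * 30, T0 + 1, T0),
    ROW % ("C:/DATA/FILES/Desktop.ini", 5123, "r/rrwxrwxrwx", 129, T0 + 1, T0 + 1, T0 + 1, T0 + 1),
])
SAMPLE_PREFETCH = build_xp_prefetch("BEAST.EXE", 0x3696224B,
                                    datetime.datetime(2010, 11, 17, 8, 42, 55, tzinfo=UTC), 2)

if __name__ == "__main__":
    for when, flags, source, desc in around(timeline(SAMPLE_BODYFILE, [SAMPLE_PREFETCH]), PIVOT):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), flags, source, desc)
```

Run as a script it prints the seven events within five minutes of the pivot. The older modification time on BEAST.exe shows up as its own M... event a month earlier, which is what a file copied in from elsewhere looks like, and the prefetch last run lands in November, where X-Ways placed it; on a real image the bodyfile comes from fls -r -m and the prefetch bytes from the recovered file.&lt;br /&gt;&lt;br /&gt;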
Therefore, I shall continue in part two as soon as I can.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/694927654418634223-2490040878378236721?l=digiforensics.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/2490040878378236721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2010/12/taming-wild-beast-part-one.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/2490040878378236721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/2490040878378236721'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2010/12/taming-wild-beast-part-one.html' title='Taming the Wild Beast--Part One'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-3198805648966433745</id><published>2010-11-28T23:51:00.005-06:00</published><updated>2010-11-29T00:50:50.399-06:00</updated><title type='text'>Just a Quick Post</title><content type='html'>I was reading &lt;a href="http://windowsir.blogspot.com/"&gt;Harlan's blog&lt;/a&gt; tonight and saw his reference to &lt;a href="http://journeyintoir.blogspot.com/2010/11/reviewing-timelines-with-calc.html"&gt;Corey's blog post&lt;/a&gt; about timeline analysis and using the Calc spreadsheet program in OpenOffice.org to view the timeline.&amp;nbsp; He had run into the 65,000 row limit in Calc when his 100,000+ line timeline was 
truncated.&lt;br /&gt;&lt;br /&gt;He got around that by testing a release candidate for OpenOffice 3.3, which does support a million rows.&amp;nbsp; Version 3.2.1 is still the actual current version, but apparently 3.3 will be out soon.&amp;nbsp; I went to the OpenOffice site tonight to try to download a copy of the release candidate, but all the links to the RC were taken down in preparation for the release of RC 7, so I wasn't able to check it out.&lt;br /&gt;&lt;br /&gt;I ran into the 65,000 row issue a while back while reviewing the output from Mark Menz's MFTRipper program.&amp;nbsp; Given the low-budget outfit I work for, I don't have Microsoft Office, which started supporting more than a million rows with Office 2007.&amp;nbsp; I did some searching at the time to find the answer to my problem and came up with a version of OpenOffice called &lt;a href="http://go-oo.org/"&gt;Go-OO&lt;/a&gt;.&amp;nbsp; The version of Calc included with it has support for a million rows.&lt;br /&gt;&lt;br /&gt;That's all I have right now, but thought I should get this out there in case anyone else was in the same boat.</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/3198805648966433745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2010/11/just-quick-post.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/3198805648966433745'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/3198805648966433745'/><link rel='alternate' type='text/html' 
href='http://digiforensics.blogspot.com/2010/11/just-quick-post.html' title='Just a Quick Post'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-4699007782252915347</id><published>2010-11-24T00:05:00.002-06:00</published><updated>2010-11-24T00:21:24.561-06:00</updated><title type='text'>Back on track</title><content type='html'>A day later than planned, but I'm finally back on here and adding some content. I've gotten a lot of positive feedback regarding starting the blog and I really appreciate that.&lt;br /&gt;&lt;br /&gt;A great deal is going on in my life these days with regards to digital forensics and it's really exciting. First, not many know this, but I'm co-writing a book with two very good friends, &lt;a href="http://computerforensicsource.com/"&gt;Brad Garnett&lt;/a&gt; and &lt;a href="http://www.cybercrime101.com/"&gt;Joe Garcia&lt;/a&gt;. The title will be The Basics of Digital Forensics. We just recently got started, so lots to do yet. We're trying to write the book we wished we had back when we were first getting started. More on this later!&lt;br /&gt;&lt;br /&gt;Next, I got a surprise phone call from the local junior college a few days ago asking if I'd be interested in helping develop and teach a computer forensics course. I'm very excited by the possibilities and plan to meet with them next week to discuss it further.&lt;br /&gt;&lt;br /&gt;Meanwhile, I continue reading the &lt;a href="http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1290577157&amp;amp;sr=1-1"&gt;Malware Analysts Cookbook&lt;/a&gt; in my spare (ha!) time. 
Kudos to Michael Hale Ligh, Steven Adair, Blake Hartstein and Matthew Richard for creating this excellent book. I'm only up to chapter 7 at this point, but I'm finding it very interesting indeed. I like the writing style, and the exercises and examples are very well done. I do wish I had a background in programming, especially JavaScript and Python, just so I would better understand some things I've read so far. However, the way the book is written helps make up for my lack of programming knowledge.&lt;br /&gt;&lt;br /&gt;Finally, I repaired my sister's computer recently when it had a rogue defrag program on it. This is similar to the rogue antivirus programs, but instead of bogus virus infection reports, the rogue defrag pretends to scan your hard drive and finds all sorts of dire problems with the drive and the file system. What it's really doing during the "scan" is installing itself to your hard drive, complete with a program group in the All Programs listing and icons. They only want $80 to register the defrag so it can fix the physical errors on your hard drive...what a deal!&lt;br /&gt;&lt;br /&gt;Prior to starting the removal process, I imaged RAM using &lt;a href="http://moonsols.com/"&gt;windd&lt;/a&gt; and then imaged the hard drive. I created a Super Timeline from the drive image, though I haven't had sufficient time since doing it to really look it over. I also used the excellent &lt;a href="https://www.volatilesystems.com/default/volatility"&gt;Volatility Framework&lt;/a&gt; to look at the memory image. I was able to find some interesting info in that, which I'll detail in a near-future blog post, along with other details of the malware I found. 
But for now, it's late and I'm tired, so I'm ending this post here.&amp;nbsp; I hope everyone has a great Thanksgiving!</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/4699007782252915347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2010/11/back-on-track.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/4699007782252915347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/4699007782252915347'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2010/11/back-on-track.html' title='Back on track'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-694927654418634223.post-478580937263561842</id><published>2010-11-21T19:01:00.002-06:00</published><updated>2010-11-21T20:13:04.961-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='welcome'/><title type='text'>Welcome</title><content type='html'>Welcome to the new Digital Forensics Blog!&amp;nbsp; You're probably thinking we don't need another forensics blog and you might be right.&amp;nbsp; Still, I find there are times I'm researching some forensic and/or malware artifacts and learn something I think is worth sharing.&lt;br /&gt;&lt;br /&gt;My plan is to keep this blog focused on computer and 
malware forensics, as those are my primary interests these days.&amp;nbsp; In addition to this, I also write for the &lt;a href="http://blogs.sans.org/computer-forensics/"&gt;SANS Forensic Blog&lt;/a&gt; but thought I'd start my own for when I want to write about something that doesn't really fit in there.&lt;br /&gt;&lt;br /&gt;I intend to add some actual content today or tomorrow, so in the immortal words of Paul Harvey, stand by for news!&amp;nbsp; I welcome comments, but try to be nice ;-)</content><link rel='replies' type='application/atom+xml' href='http://digiforensics.blogspot.com/feeds/478580937263561842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://digiforensics.blogspot.com/2010/11/welcome.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/478580937263561842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/694927654418634223/posts/default/478580937263561842'/><link rel='alternate' type='text/html' href='http://digiforensics.blogspot.com/2010/11/welcome.html' title='Welcome'/><author><name>KP</name><uri>http://www.blogger.com/profile/06777221347861058406</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry></feed>
