Wednesday, January 19, 2011

A Brief Update

After a bit of an equipment failure, I'm rebuilding my test machine prior to doing the dynamic analysis of the BEAST.  Hope to have it back up and running very soon.

I've been continuing to experiment with things I read about in the Malware Analysts Cookbook in my spare time.  I set up INetSim on a Linux machine after reading about it in the book.  After one brief test, it seems to work very well and should make dynamic analysis of malware files more interesting and productive.  I'm still figuring out some things about it, but I'm very impressed with how easy it is to set up and configure.

I had planned to do some more work with INetSim today, but since the test machine I was going to execute the malware on bit the proverbial dust, I spent my time setting up a new Linux based internal mail server for the sheriff's office.  The server is running Ubuntu 10.10 Server and uses Dovecot and Postfix for mail. It's also running Apache with Squirrelmail so the deputies can choose between using an email client, like Outlook, etc, or accessing their mail via a web interface. I finished getting it running tonight and all seems to be working well.  Just have to get the user list and the IP address it will be assigned to and I can put it in service for them.

Finally, I'm no longer involved in writing a book.  My partners and I were unable to work out some conflicts with the publisher, so we and the publisher have amicably parted ways. I hope to one day be involved in writing a book, but I think it just wasn't meant to be at this point.

That's about it for now. Hope to be back with another installment in my relentless pursuit of the BEAST in the near future.

Wednesday, January 5, 2011

Cyber Crime 101 podcast appearance

Just wanted to do a quick post and say I was interviewed by my friend, Joe Garcia, for his Cyber Crime 101 podcast.  You can listen to his excellent show at and the specific show I'm on is at .  Thank you to Joe for asking me to join him for the show!

Tuesday, January 4, 2011

Taming the Wild Beast--Part Two

When last we left our hero, he was trying to figure out how the BEAST got on a church computer.  The BEAST being BEAST.exe on a Windows XP Home computer owned by a church.  Since that time, I have spent time looking at the Master File Table, a Super Timeline created from the system and taken a look at prefetch files.  I'd like to say after all that I had come to an "ah ha!" moment and I would know how the malicious file managed to get on the system.  I would also like to say I was given a billion dollars, but that wouldn't be any more true than my saying I figured out where this file came from.  But I digress...

As I said in the last post and above, I created my Super Timeline and started looking through it around the date and time this file appeared on the system (August 10, 2010 at 13:51:06).   I noticed a flurry of activity all around that time, with the folders C:\DATA and C:\DATA\FILES, along with the files BEAST.exe and Desktop.ini  being "born" then on the system.  The two files were both placed in the C:\DATA\FILES folder.  Also at the same time, more than 30 of the restore points on the system had new "ini" files added to them.  All of those ini files were copies of the Desktop.ini mentioned above.  Prior to that, a little unremarkable looking web browsing took place.

Next, I used the excellent AnalyzeMFT python script, created by my good friend, David Kovar, to parse the Master File Table.  I wanted to compare the standard info file times to the filename info times, just to make sure no file times had been fiddled with.  Nothing appeared out of line, so I moved on for the time being.

(Edited to fix something I didn't very clearly state at first)
Using X-Ways Forensics, I opened the drive image and looked at the Windows\Prefetch directory to see if there were any references to the BEAST.  Sure enough, BEAST.EXE-3696224B had been there but was deleted.  However, X-Ways was able to display it and tell me it had a total run count of 2 and last run date of 11/17/2010  08:42:55, which was quite awhile prior to my receipt of the machine.The MAC times were the same as the last run date/time.  Because the file had been deleted, it did not show up in my timeline or MFT report.

So now what?  Not to fear, there is always more to do when trying to figure these things out.  While I still have no real idea beyond a basic theory how this thing got on the system, I will continue with part three after doing some more analysis, including executing the file on a stand-alone computer and doing a live capture, which will hopefully give me a better idea of what all was going on here.  I have a computer similar to the actual victim system that I refurbished for just this purpose and plan to execute the malware on it.  I will be capturing RAM and using RegShot along with a few other programs to see just what happens when the BEAST is executed.  Sure, I could just submit the file to Joebox, Anubis or ThreatExpert and get a detailed report, but what fun would that be?


After making this post, I went back and looked at things I previously missed.  I went back to the timeline and looked for the date and time of the above mentioned prefetch file.  I found that a registry key had its "creation" time updated to the same date/time.  That key is HKEY_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/StreamMRU.  From the little bit of reading I've done about it, it seems that key is where Windows saves the size and location of a window when it is closed.  Not too sure how this goes along with the malware yet, but I plan to find out!