tag:blogger.com,1999:blog-70552430342015307502024-03-18T22:50:42.721-04:00Security BraindumpBugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.comBlogger51125tag:blogger.com,1999:blog-7055243034201530750.post-81470730826714768512013-11-26T17:21:00.000-05:002013-12-05T07:05:23.830-05:00Finding Cryptolocker Encrypted Files using the NTFS Master File TableFor the most part, everyone seems to be familiar with the new variants of Cyptolocker making the rounds these days. To quickly summarize, this form of ransomware that encrypts documents and pictures found on local and mapped network drives in an attempt to obtain payment for the decryption keys. The attackers are using decent encryption and the malware is very efficient. A good write up can be found <a href="http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information" target="_blank">here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoOhd0BkdPJzF9nkX89mzoTmEM14Ycz1llVYmAy9uKYZ0EcxAKa-gJ3nfoGYuy-PbUrVcqIpBfOoMyJdN9fii54-_L-YIgaOZwVsFr8dQYWvq1-QNifWrWfFCDYgnX8o47N-7Y46V7nnor/s1600/CryptoMessage.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoOhd0BkdPJzF9nkX89mzoTmEM14Ycz1llVYmAy9uKYZ0EcxAKa-gJ3nfoGYuy-PbUrVcqIpBfOoMyJdN9fii54-_L-YIgaOZwVsFr8dQYWvq1-QNifWrWfFCDYgnX8o47N-7Y46V7nnor/s640/CryptoMessage.PNG" width="640" /></a></div>
<br />
Recently, I dealt with an infection and during forensic analysis noted that the NTFS Master File Table $SI Creation and Modified dates remained unchanged on files encrypted. I made a note of this for later and circled back around during post analysis.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBdYNKoV3cwlIYibqaXiyXOh8Cvtk_407U0Hvoz0sP-q_fWikqafCSWfTcKfXWyKbXIyvx-wW2GhXRkem0r-WFG-umBEV9HG_XyfBg6BSrk6ldkUSpmBI-tOWCiWSYG2F83NtfoeeNmRKj/s1600/MFT_Record.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBdYNKoV3cwlIYibqaXiyXOh8Cvtk_407U0Hvoz0sP-q_fWikqafCSWfTcKfXWyKbXIyvx-wW2GhXRkem0r-WFG-umBEV9HG_XyfBg6BSrk6ldkUSpmBI-tOWCiWSYG2F83NtfoeeNmRKj/s640/MFT_Record.PNG" width="470" /></a></div>
<div style="text-align: center;">
<br /></div>
Since the infection not only encrypted all the documents on the user's local drive but also files located on mapped file shares too, I decided to grab the MFT from the Windows file server. Using <a href="https://github.com/dkovar/analyzeMFT" target="_blank">analyzeMFT</a> and <a href="http://redwolfcomputerforensics.com/downloads/MFT_Parser_08b_Setup.exe" target="_blank">MFTParser</a>, I was able to parse the 9 GB $MFT in a reasonable time frame. Identifying some known encrypted files by the $FN file name, I noted the only date in the MFT record that coincided with the infection was the MFT Entry Date or date the MFT record itself was modified. Using this, I filtered out all records that had $SI or $FN time stamps that preceded this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHP1r_5awl5vqCMNAfxhkQ_yBFyB20cK5kyTc3MSwiIp_PZnVQ29WooNHQ5LkcDTG7G1mHESJUNa8rBmjKKAvCwL-2EyURMySBiDA8nrf3wCMmPwSLPEjazGYX_HsPTET06qxzXUVeG8zT/s1600/MFT_Records.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHP1r_5awl5vqCMNAfxhkQ_yBFyB20cK5kyTc3MSwiIp_PZnVQ29WooNHQ5LkcDTG7G1mHESJUNa8rBmjKKAvCwL-2EyURMySBiDA8nrf3wCMmPwSLPEjazGYX_HsPTET06qxzXUVeG8zT/s640/MFT_Records.PNG" width="640" /></a></div>
<br />
The result was I was able to identify over 4400 files encrypted on the file share. Not bad for an infection that only lasted a few hours before being caught by the most recent Antivirus signature. Load up the backup tapes boys! <br />
<br />
Happy Hunting!<br />
<br />
<i>Updated November 27, 2013 2:15 PM</i><br />
<br />
After exchanging a few emails with some people in the industry, I think what we are seeing here is an example of <a href="http://support.microsoft.com/?kbid=172190" target="_blank">File System Tunneling</a>. To be specific, if a file is removed and replaced with the same file name (in the same folder) of a NTFS drive within fifteen seconds (default with NTFS) it will retain the original NTFS attributes. I have seen this <a href="http://securitybraindump.blogspot.com/2013/05/zaccesssirefefp-artifacts.html" target="_blank">before</a> with other Trojans as a way to avoid detection. Just an educated hunch. More info on File System Tunneling can be found <a href="http://windowsir.blogspot.com/2010/04/linksand-whatnot.html" target="_blank">here</a>. Thanks to all who responded to me.<br />
<br />
<i>Updated November 27, 2013 3:00 PM</i><br />
<br />
Just a quick update of some of the IOC's (Indicators of Compromise: MD5, SHA1, Location) for this particular variant;<br />
<br />
<blockquote class="tr_bq">
2a790b8d3da80746dde3f5c740293f3e 7d27c048df06b586f43d6b3ea4a6405b2539bc2c \\.\PHYSICALDRIVE1\Partition 2 [305043MB]\NONAME [NTFS]\[root]\ProgramData\Symantec\SRTSP\Quarantine\APEA53C866.exe
<br />
f1e2de2a9135138ef5b15093612dd813 ea64129f9634ce8a7c3f5e0dd8c2e70af46ae8a5 \\.\PHYSICALDRIVE1\Partition 2 [305043MB]\NONAME [NTFS]\[root]\Users\%userprofile%\AppData\Local\Temp\e483.tmp.exe
<br />
714e8f7603e8e395b6699cea3928ac81 36f40d0be83410e911a1f4231eeef4e863551cee \\.\PHYSICALDRIVE1\Partition 2 [305043MB]\NONAME [NTFS]\[root]\Users\%userprofile%\AppData\Roaming\dhsjabss\dhsjabss
<br />
17610024a03e28af43085ef7ad5b65ba 77f9d6e43b8cb1881396a8e1275e75e329ca7037 \\.\PHYSICALDRIVE1\Partition 2 [305043MB]\NONAME [NTFS]\[root]\Users\%userprofile%\AppData\Roaming\dhsjabss\egudsjba.exe
<br />
621f35fd095eff9c5dd3e8c7b7514c1e f03233e323f9a49354f2d6c565b6ec95595cc950 \\.\PHYSICALDRIVE1\Partition 2 [305043MB]\NONAME [NTFS]\[root]\Users\%userprofile%\Desktop\Iqbcxbvszzgdxjvbp.bmp</blockquote>
I wanted to also comment on using software restriction policies in Windows to block executable's from running from locations such as C:\Users\%userprofile%\AppData\Local\Temp. With no local admin rights, users only have the ability to write to three locations on modern versions of Windows (by default). Thee are;<br />
<br />
C:\$Recycle.Bin<br />
C:\ProgramData<br />
C:\Users\%Userprofile%<br />
<br />
The attackers know this and 99% of infections I see in my environment are using these locations efficiently (including this one).<br />
<br />
Unfortunately, a lot of legitimate software also use these locations. So using, suggestions such as Software Restriction Policies, to stop the execution from these locations in a large enterprise environment may or may not be realistic. I suspect adding rules, to check if the executable is legitimately signed, would reduce false positives. I am, however, seeing malicious code signed on occasion. In conclusion, there is no silver bullet here but I personally plan to explore these defenses more and will update what I find as I do.<br />
<br />
Lastly, some online posts of this malware has mentioned the use of the HKEY_CURRENT_USER\Software\CryptoLocker location in the Windows registry as a way to determine what files have been encrypted. I just wanted to mention, that I did carve the ntuser.dat file from the compromised system and noted that this location did exist in the registry. It however, did not contain any entries on what files were encrypted.<br />
<br />
<i>Updated December 05, 2013 3:00 PM</i> <br />
<br />
Since Michael Mimosa over at Threat Post was kind enough to link back to my post, I thought I would return the favor. <a href="http://threatpost.com/forensics-method-quickly-identifies-cryptolocker-encrypted-files/103049" target="_blank"><span class="current">Forensics Method Quickly Identifies CryptoLocker Encrypted Files</span></a>Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com1tag:blogger.com,1999:blog-7055243034201530750.post-56145849033225978722013-05-23T16:53:00.000-04:002013-05-23T16:53:10.630-04:00ZAccess/Sirefef.P ArtifactsI wanted to share a few interesting artifacts from two ZAccess/Sirefef.P compromises I recently had to deal with. In both infections, malicious files were written to hidden sub directories located in the User and System accounts $Recycle.Bin's. Much like other variants of this Trojan, these files were injected into legitimate processes including explorer.exe and services.exe. At first I thought the infection had mucked with the permissions of the hidden sub directories within the Recycle.Bin but then noticed the S-1-5-18 SID, indicating the use of the SYSTEM account.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipeDIN2KvyQ-24T3WJZc3MqlhrFkRgWNgx6C9IJP_gL5YX3LmDz3P0rpqj9BV8puJerWGUQ218cwjLXdHdbx4bj-saN_5AR85l2MKa9PLvblKkEeJpWQ6gh-M4ctHlgMxTW5Rq5dM7HW8k/s1600/ZaccessRecycleBin.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipeDIN2KvyQ-24T3WJZc3MqlhrFkRgWNgx6C9IJP_gL5YX3LmDz3P0rpqj9BV8puJerWGUQ218cwjLXdHdbx4bj-saN_5AR85l2MKa9PLvblKkEeJpWQ6gh-M4ctHlgMxTW5Rq5dM7HW8k/s1600/ZaccessRecycleBin.png" /></a><br />
<br />
<br />
<br />
The first compromise went a step further and overwrote the Wdf01000.sys driver under <span class="st">\SystemRoot</span>\System32\Drivers. I would have missed this if I had not dumped the <a href="http://pauldotcom.com/2011/03/tim-mugherini-presents-ntfs-mf.html" target="_blank">NTFS Master File Table</a> and used the $SI Entry Date when creating my timeline. By overwriting the existing file, it would appear the other NTFS timestamps were preserved due to File System Tunneling (ref: <a href="http://support.microsoft.com/?kbid=172190" target="_blank">KB172190</a> and <a href="http://windowsir.blogspot.com/2010/04/linksand-whatnot.html" target="_blank">WIR Blog</a>). A very interesting artifact indeed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSWIb_MJkimLNLUoEAXrRj-TMg5uRKdo6iDtdpDV4g7AMAzXIB81br2WPIiS0wyQx4uf2rwins2LIsMvU2ldXMs-mwMY0pFiYH0ZjMOFh24aGf5WGsQ_sGp1mh6mThzrAQYouhMA6uWPLU/s1600/img_ZAccessFileSystemTunneling.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSWIb_MJkimLNLUoEAXrRj-TMg5uRKdo6iDtdpDV4g7AMAzXIB81br2WPIiS0wyQx4uf2rwins2LIsMvU2ldXMs-mwMY0pFiYH0ZjMOFh24aGf5WGsQ_sGp1mh6mThzrAQYouhMA6uWPLU/s1600/img_ZAccessFileSystemTunneling.png" /></a></div>
<div style="text-align: center;">
<br /></div>
The first variant loaded some typical Fake Antivirus into the C:\ProgramData folder. Nothing new there but with the second variant, I noted the creation of a lot of Internet cache files under <span class="st">\SystemRoot</span>\System32\Config\Systemprofile\AppData in what appeared to be the presence of click fraud. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBlMZ3_P5zKhwXDIG2NgdsUAgwrRu-SPzngzuIGOU6ttFS4kI7uOjJhMOF4FCvPaBwQUCrnw4qVA7TI-q1gGDUZO8ev2pnbkfaAzi4BH5G7adXdCdreXsj9hqZawqF2l2_keFXGHa0Hiez/s1600/ZAccessClickFraudArtifacts.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBlMZ3_P5zKhwXDIG2NgdsUAgwrRu-SPzngzuIGOU6ttFS4kI7uOjJhMOF4FCvPaBwQUCrnw4qVA7TI-q1gGDUZO8ev2pnbkfaAzi4BH5G7adXdCdreXsj9hqZawqF2l2_keFXGHa0Hiez/s640/ZAccessClickFraudArtifacts.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
Overall, a couple of interesting variants that I enjoyed playing with. Here's the hashes for reference.<br />
<blockquote class="tr_bq">
[root]\$Recycle.Bin\S-1-5-18\$a032773db1be215125d280696ec7b357\n<br />
MD5: 3aaac8a9352dde4e2073a7814514bd9d<br />
SHA1: 321132983c3fc25448e19ae63e65cb127f28c5b7 <br />
<br />
[root]\$Recycle.Bin\S-1-5-18\$f58c247e192203c97063e19c12229833\n<br />
MD5: cfaddbb43ba973f8d15d7d2e50c63476<br />
SHA1: 34206a971fe3cbb1acf2ce8bb9f145bfd78e256e </blockquote>
Happy Hunting! Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-20803886617452302492013-02-05T08:30:00.003-05:002013-05-29T11:31:07.166-04:00The WTF of the WeekLast week someone mentioned to me you can retrieve your Wireless SSID
and Encryption key for the Verizon FIOS Actiontec router via the
support menu of the TV guide. Somehow this did not surprise me and since
the router is most likely sitting next to your TV, well physical access
has been gained anyways.But it did get me curious on if Verizon allowed
this functionality via the customers online account. Five minutes
later...Well I'll just let these screen shots speak for themselves.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb878dJNwvLOlexRBJcBLAjziHtSoxWCJu6zLcufCrcVXmNKOihu-Vkkz21jeBMvX4GFKoL0ACvnr20VQOkDnlUWU0c5f1OwH4I0PxshoUksphb_YxWhCXEWtOjNE55B2ipIoQRiV21Ia0/s1600/FIOSFail1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb878dJNwvLOlexRBJcBLAjziHtSoxWCJu6zLcufCrcVXmNKOihu-Vkkz21jeBMvX4GFKoL0ACvnr20VQOkDnlUWU0c5f1OwH4I0PxshoUksphb_YxWhCXEWtOjNE55B2ipIoQRiV21Ia0/s640/FIOSFail1.png" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGip2lNI46IOIidQgdyME5qryTIRHUr37gTxcJnCEqmV2RmyP04we2yR8FjfP6P40AuRtf5QSK6JLibgWBtPtuvQK6vAJIJVMUWsb8UQDiy0azdox5GhVS1SNquJaYzO1K_GDHLlxpQwk-/s1600/FIOSFail2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGip2lNI46IOIidQgdyME5qryTIRHUr37gTxcJnCEqmV2RmyP04we2yR8FjfP6P40AuRtf5QSK6JLibgWBtPtuvQK6vAJIJVMUWsb8UQDiy0azdox5GhVS1SNquJaYzO1K_GDHLlxpQwk-/s400/FIOSFail2.png" width="301" /></a></div>
<br />
<br />
Now
I could insert a rant here. But really what's the point? We all know
this is just a bad idea. So remember to shred your bills or as I prefer
put them to good use with the fire pit on a Saturday night.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9DwLdYWBs0GSx-a10DGrdrKpyI3SeTXC9w74JvlISm2vktloY3t7cdiS0g9XpqwCzZuUBt_QxiprR98M57VpjGsnPrh2bRJq27WtrXDpocNfLjKjmpUnCK2XxDeS_QZZSgcocCM_a1a5E/s1600/img_FirePit.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9DwLdYWBs0GSx-a10DGrdrKpyI3SeTXC9w74JvlISm2vktloY3t7cdiS0g9XpqwCzZuUBt_QxiprR98M57VpjGsnPrh2bRJq27WtrXDpocNfLjKjmpUnCK2XxDeS_QZZSgcocCM_a1a5E/s1600/img_FirePit.jpg" /> </a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
Happy Hunting! </div>
Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-11230355307419226502012-10-17T17:14:00.005-04:002012-10-18T10:53:38.233-04:00Incident Response in 3.08 MBI don't normally post anything on specific software products but occasionally I come across a commercial tool that truly excites me. One recent example is a tool called <a href="http://www.carbonblack.com/" target="_blank">Carbon Black</a> from <a href="http://www.kyrus-tech.com/" target="_blank">Kyrus</a>. I had participated in the beta testing of the product last year and I recently decided to revisit the production release. <br />
<br />
For years, defensive strategies I helped to implement such least privilege, patch management, user account control, and system hardening has kept the majority of the malicious binaries off the hosts I have supported. Recently, these defenses seem to be working less and less, however. The bad guys are getting better and I suspect this has to do with organizations implementing the aforementioned strategies in a much more efficiently and consistent manner which has forced the attackers to adapt. <br />
<br />
Attackers have graduated to using exploits against third party software and browser plugin's such as Java and Flash. They are writing to the Microsoft Windows users profile and HKCU registry keys when local administrator rights are not present. It seems to be working well and organizations I speak with are left relying on lagging AV and IPS signatures for detection and prevention. The issue is compounded for smaller companies, that do no have a full time IR team in place.<br />
<br />
The idea behind Carbon Black (CB) is to monitor code execution. A small Windows agent is deployed to each host throughout the enterprise. This agent hashes each process, monitors the sub processes, module loads, registry edits, file writes, and network connections. Digital signatures and the activity of each binary is stored on the CB server.<br />
<br />
The interface is well thought and intuitive. You can easily filter and drill down or up the relational data easily and quickly based on any of these aforementioned data points. Once potential indicators have been identified, it is easy to correlate the related activity. <br />
<br />
For example, there was a recent string of well done phishing emails that got pass my org's spam filters. Claiming to be from ADP Internet Services, the email contained a malicious link that brought the unsuspected user to a web server that was hosting a JAR file. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcSBPbzD82qem6EkAFW9im33LpVKQxR4NzJOwtXfOlUwz5Q7JJm714UaBubFcqoaGY8dGrZMS8JAhRSeI_PmU4Xsf3sa7eqc-_BptFUEh4dCGiXhBGQPDr2SfTfldV2o5oUdor6YFa8P6H/s1600/Capture1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcSBPbzD82qem6EkAFW9im33LpVKQxR4NzJOwtXfOlUwz5Q7JJm714UaBubFcqoaGY8dGrZMS8JAhRSeI_PmU4Xsf3sa7eqc-_BptFUEh4dCGiXhBGQPDr2SfTfldV2o5oUdor6YFa8P6H/s640/Capture1.JPG" title="ADP Phish Email" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
The user, realizing the error of her actions, forwarded the email to me. Our corporate AV and IPS never detected the incident. Using CB to filter for unsigned files, I determined that an exe was dropped to temp folder in the Windows user profile.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3ASv7VbLwXaFAX0_fzeCYIEtF21l9alSWl5DHpOywSLar16scD0Nv1tuwkIpISstVUoCtVVmA4KKmzZNJ-hMEKPdljamvS88MEWUUq8yYwzELUZfrwksr6FmdMHN9ujf2zFgiZoaZW-cq/s1600/Capture2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3ASv7VbLwXaFAX0_fzeCYIEtF21l9alSWl5DHpOywSLar16scD0Nv1tuwkIpISstVUoCtVVmA4KKmzZNJ-hMEKPdljamvS88MEWUUq8yYwzELUZfrwksr6FmdMHN9ujf2zFgiZoaZW-cq/s640/Capture2.JPG" title="Filtering Unsigned Files" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
From there I was able to quickly drill down to the sub process loaded, file writes, and registry edits. Not only did I know exactly what was changed on the system but now I had the MD5's of the indicators.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMnqVYGGl4-kqpvcAVgkBzukv_jGAvVy1Hb5nj0xp59ZL0QJE3gwfUlSZiqlmwz7LPQzQ3uDjfLpZEQwKehjnai4EQGaEdSevQQDKK62oNJyfd4uWU3bsmZT_qf_DyP0j4aAsdE6LUTF7L/s1600/Capture3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMnqVYGGl4-kqpvcAVgkBzukv_jGAvVy1Hb5nj0xp59ZL0QJE3gwfUlSZiqlmwz7LPQzQ3uDjfLpZEQwKehjnai4EQGaEdSevQQDKK62oNJyfd4uWU3bsmZT_qf_DyP0j4aAsdE6LUTF7L/s640/Capture3.JPG" title="Sub-Processes" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3SUwT5Paz-Y5VdntfNFG-WBQIS8DSxN9TorgecKkrWi80Gpg5D5xwNk3rsCiIVZWAkqlQvWpU5WUhAhMESO2Mj7CNiFAfb3z0Zv7lBybRTkBSb_0NNxA6ubj_wjvbhcZIuqp8DacR2w5Q/s1600/Capture4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3SUwT5Paz-Y5VdntfNFG-WBQIS8DSxN9TorgecKkrWi80Gpg5D5xwNk3rsCiIVZWAkqlQvWpU5WUhAhMESO2Mj7CNiFAfb3z0Zv7lBybRTkBSb_0NNxA6ubj_wjvbhcZIuqp8DacR2w5Q/s640/Capture4.JPG" title="FIle Writes" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx8Ok8iKrT720InD30_BAVvN8I-t9JoXH5ERvz3mNPiN00pV0aInLpW4aWCR93kLM52dUi3_4sSGzNHftJEQGi0wQ_S8PzB0Fy2_4BDbFhHdnYh8iwmcO6k2egrwsDOvxP-cxGdpUMIX6F/s1600/Capture5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx8Ok8iKrT720InD30_BAVvN8I-t9JoXH5ERvz3mNPiN00pV0aInLpW4aWCR93kLM52dUi3_4sSGzNHftJEQGi0wQ_S8PzB0Fy2_4BDbFhHdnYh8iwmcO6k2egrwsDOvxP-cxGdpUMIX6F/s640/Capture5.JPG" title="Registry Mods" width="640" /></a></div>
<br />
Using these hashes to filter for processes and sub-processes on all my hosts, I could determine if anyone else clicked the link and was compromised.<br />
<br />
CB FTW!<br />
<br />
The team at CB have also started to add some plugin's to the toolkit. These include; an autorun's checker, virurtotal submission using the VT API, and csv data exports to list just a few. These have some great potential and I cannot wait to see more developed. Additionally, I would like to see support *nix and OSX. But overall, I think the tool is a fantastic asset and am looking forward to demoing it to the rest of my team.<br />
<br />
Happy Hunting! Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com2tag:blogger.com,1999:blog-7055243034201530750.post-7073916154188750592011-10-06T20:40:00.000-04:002011-10-07T06:30:38.806-04:00You've Got Mail! - The PFF File Format<div class="separator" style="clear: both; text-align: center;">
</div>
My recent experimentation and <a href="http://securitybraindump.blogspot.com/2011/09/windows-desktop-search-indexes.html">blog post</a> on the analysis of the Microsoft Extensible Storage Engine (ESE) database used by Microsoft Windows Desktop Search (WDS) prompted me to begin looking at other ways Microsoft utilizes the ESE file format. Microsoft Outlook also utilizes the ESE in the form of the Personal Folder File (PFF) format. This includes the Personal Storage Table (PST) and Outlook Storage Table (OST) files which are commonly known as Outlook Data Files. The former (PST) is used in a non-enterprise setting when configuring outlook with email services such as pop/smtp and the later is created in enterprises with Outlook cached mode is enabled. Other forms of PFF include the Personal Address Book (PAB).<br />
<br />
Joachim Metz has also done a fair amount of research on the PFF file structure as part of his <a href="http://sourceforge.net/projects/libpff/">libpff project</a>. During the time of his research, the PFF file format was largely unknown. In 2010, however, Microsoft published the open specification on the PFF format and made it available as part of the <a href="http://msdn.microsoft.com/en-us/library/ff385210.aspx">MSDN Library</a>.<br />
<br />
The first four bytes of the file header contains the file signature of "!BDN " (0x2142444e). The 9th and 10th byte contain the content type which is 'SM' for PST (0x534D) and 'SO' (0x534F) for OST.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiruRz2bkNBPH0ANpAoZqCMFNZT1KsGXyh8t1jPiz0o6-eavW0e8T9znbVpFZBhrarML6qzLAB4ZCStQo8sDKoWrZumK8UXnWIxmRy9v75HoBuTUN-tJbx2Tvk32myAdhtukFKfF6HHREBI/s1600/PFFFileFormat.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiruRz2bkNBPH0ANpAoZqCMFNZT1KsGXyh8t1jPiz0o6-eavW0e8T9znbVpFZBhrarML6qzLAB4ZCStQo8sDKoWrZumK8UXnWIxmRy9v75HoBuTUN-tJbx2Tvk32myAdhtukFKfF6HHREBI/s640/PFFFileFormat.PNG" width="640" /></a></div>
<br />
Metz's libpff pffexport utility will parse either file type. Once parsed, pffexport exports the following information on messages;<br />
<ul>
<li> <b>Internet Email Headers</b></li>
<li><b>Outlook Headers</b></li>
<li><b>Conversation Index</b></li>
<li><b>Recipients</b></li>
<li><b>Message Body </b> </li>
<li><b>Attachments </b></li>
</ul>
Prior to Outlook 2007 there were three forms of file encryption available for PFF files; none, compressible, and high encryption. Metz documents the following about the two later options;<br />
<blockquote>
...actually more of a way to obfuscate the information in the PFF than real means to ensure confidentiality....</blockquote>
Microsoft's <a href="http://download.microsoft.com/download/2/4/8/24862317-78F0-4C4B-B355-C7B2C1D997DB/%5BMS-PST%5D.pdf">Open Specification document on the PST file structure</a> also confirm Metz's findings on PFF encryption prior to Outlook 2007. They now recommended the use of Encrypted File System (EFS) or BitLocker Encryption to secure these files. Consequently, versions of Outlook after 2007 use compressible encryption and high encryption is no longer available.<br />
<br />
Additionally, Microsoft Outlook allows users to set a password on their PST files. This password however, is a weak 32-but Cyclic Redundancy Check (CRC32) and consequently, is subject to collisions. This has been know for quite some time and Microsoft has documented this;<br />
<blockquote>
The PST Password, which is stored as a property value in the Message store, is a superficial mechanism that requires the client implementation to enforce the stored password. Because the password itself is not used as a key to the encoding and decoding cipher algorithms, it does not provide any security benefit to preventing the PST data to be read by unauthorized parties.</blockquote>
Metz clarifies this a bit more in his research. Applications, such as Microsoft Outlook, are conforming to the password protection but in reality, none of the data is actually protected by the password. Consequently, the libpff pffexport utility can export all items stored in the PFF file without supplying the password. <br />
<br />
The libpff utility was able to parse the email headers and content on both the PST and OST files during my testing.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhToebzxMI6gsrPLi4dT9VJHrPEklqNsFU4CWp4B4Sy_v1fBYMXrYqfoRjqhkaR4zIRnQaGKG48QoP2YNupoZbe29JNbHrq_61KeMEYM66nv3d_SDnuXOLAJbVuSCIwRG9zL3KRad88WzJO/s1600/pffexport.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhToebzxMI6gsrPLi4dT9VJHrPEklqNsFU4CWp4B4Sy_v1fBYMXrYqfoRjqhkaR4zIRnQaGKG48QoP2YNupoZbe29JNbHrq_61KeMEYM66nv3d_SDnuXOLAJbVuSCIwRG9zL3KRad88WzJO/s640/pffexport.PNG" width="640" /></a></div>
<br />
This certainly could be useful to forensics practitioners. The aforementioned, lack of security of these files however got me thinking more about the use of products such as Outlook Anywhere (RPC over HTTP) in the corporate world. Outlook Anywhere allows users to access corporate email on their personal computers using Microsoft Outlook. Consequently, corporate email would be stored in the local PFF file on the user's home system. Unless Whole Disk Encryption or other means were being used to secure the file system, then the potential risk to the intellectual property of corporation could be significant.<br />
<br />
Happy Hunting!Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-49795612319394856482011-09-08T17:24:00.000-04:002011-09-09T17:14:24.957-04:00Windows Desktop Search IndexMicrosoft Extensible Storage Engine (ESE) database is used by a variety of Microsoft services including Exchange, Windows Mail, Active Directory, and Windows Desktop Search. I recently began wondering what forensic artifacts might be indexed by <a href="http://www.microsoft.com/windows/products/winfamily/desktopsearch/default.mspx">Windows Desktop Search</a> (WDS) and available to an analyst. By default, user documents and IE internet history are indexed, but Outlook 2007/2010 also integrates with WDS. Consequently, this might be an additional source of email artifacts. While there can be a wealth of information available to a responder in an enterprise that utilizes Microsoft Exchange and any of a variety of email archiving solutions, the WDS ESE database may still be useful in non-enterprise settings. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq88ZDydCziq-8g4oUJxsmKnd1vp943S_p8JmHw3Px8T0z57AxcisKWuA-Yl0f0DErlZLSXXpRo7BclEVNn2pX4O7pXVrx0b4WtUKCFYNEaLPo0CLfZDO7uBDm0t3QuE_8EK19PVC69z8G/s1600/IndexOptions.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq88ZDydCziq-8g4oUJxsmKnd1vp943S_p8JmHw3Px8T0z57AxcisKWuA-Yl0f0DErlZLSXXpRo7BclEVNn2pX4O7pXVrx0b4WtUKCFYNEaLPo0CLfZDO7uBDm0t3QuE_8EK19PVC69z8G/s400/IndexOptions.PNG" width="367" /></a></div>
<br />
After some searching, I came across Joachim Metz research on the ESE format and WDS as part of the <a href="http://sourceforge.net/projects/libesedb">libesedb project</a>. Metz <a href="http://sourceforge.net/projects/libesedb/files/Documentation/">documents</a> the ESE database structure, data obfuscation, and compression thoroughly. Consequently, I am not going to summarize all of his research but fully recommend you read it if interested. <br />
<br />
The libesedb project contains two tools; esedbinfo and esedbexport. Esedbinfo provides detail about the structure of the ESE file and Esedbexport allows you to extract the tables for analysis. The following is an example of running Esedbexport on the WDS database (the default location is C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb). It should be noted that the Windows Search (WSearch) service needs to be stopped to access this file on a live system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJJbRrFbjyzFrim9Yq_V_7yOjfrOa0mzcBUSuOto6jkImqowbmLSKShi2VXPQKQjGVk2T6OPUdPSlJt_HjGkv3hcuObJ-SKCtwgxh9_fONqP1HYYjG90P0hMf2pXqT0zA4dfTa4DuJBbei/s1600/esedbexport.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJJbRrFbjyzFrim9Yq_V_7yOjfrOa0mzcBUSuOto6jkImqowbmLSKShi2VXPQKQjGVk2T6OPUdPSlJt_HjGkv3hcuObJ-SKCtwgxh9_fONqP1HYYjG90P0hMf2pXqT0zA4dfTa4DuJBbei/s400/esedbexport.PNG" width="400" /></a></div>
<br />
The SystemIndex_0A table contains the bulk of useful information. The following is an example of the Outlook Welcome email obtained from the parsed table.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGRPzRHh01q-rn6RQ0VZhangAreSBJy8V1tw6JYYrFkhR36XIZYwo3cxCW-dcwMZXB_OOPCvZ6xJ1_m-vGP2kzOyV08t5reNle2xDiDGKUlINbp6ULO4ztJKCyOPyO7gpNM9p3WI0_4szE/s1600/esedbexport_useful.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGRPzRHh01q-rn6RQ0VZhangAreSBJy8V1tw6JYYrFkhR36XIZYwo3cxCW-dcwMZXB_OOPCvZ6xJ1_m-vGP2kzOyV08t5reNle2xDiDGKUlINbp6ULO4ztJKCyOPyO7gpNM9p3WI0_4szE/s640/esedbexport_useful.PNG" width="640" /></a></div>
<br />
To the best of my knowledge, it is unknown how long indexed data is kept <strike>but I was able to obtain previously deleted emails from several days prior without issue. This included the full body of the email </strike>(see update below). Again, I am unsure how often a forensicator would need to utilize these artifacts. In addition to the aforementioned resources available in an enterprise, Microsoft Outlook also utilizes the Personal Folder File (PFF) format for Personal Storage Table (PST) and Outlook Storage Table (OST) files. These are both commonly known as Outook Data Files. The former (PST) is used in a non enterprise setting when configuring outlook with email services such as pop/smtp and the later is created in enterprises with Outlook cached mode is enabled. <br />
<br />
In addition to the libesedb project, Joachim Metz also runs the <a href="http://sourceforge.net/projects/libpff/">libpff project</a>. His <a href="http://sourceforge.net/projects/libpff/files/documentation/">research</a> there provides a tremendous amount of insight into the PFF file structure and usefulness. <br />
<br />
So what do you say? Is the Microsoft ESE file format a useful artifact for file forensics?<br />
<br />
Happy Hunting!<br />
<br />
<i>Updated: September 09, 2011</i><br />
<br />
Dave Hull was kind enough to post a comment and share some of his experiences with WDS and deleted files. This consequently got me to revisit my testing with a larger poking stick. After several hours I determined a few things about deleted emails and the affects on the WDS index.<br />
<br />
First and foremost, I could not duplicate finding deleted emails in the index. I am unsure if my initial testing was flawed or if there is internal workings unknown to me. I did however note the following behavior when deleting emails.<br />
<br />
When an email is sent to the Deleted Items folder in Outlook the "System_IsDeleted" is marked as True and the "System_ItemFolderPathDisplay" value is changed to reflect this new location. This comes as no surprise. This was the case with my initial testing and the example I gave of the Outlook Welcome Email.<br />
<br />
Once the email is removed from the Deleted Items folder, the Index Record is removed very quickly. I confirmed this multiple times. This leaves a missing DocID in the table which is eventually re-used for another index record. This is very similar to the behavior of the NTFS Master File Table when a files/folders are deleted. <br />
<br />
I re-read Joachim Metz's initial research and he does mention that the WDS index can contain deleted file information and content but was unsure how long this is kept. He also mentions a table called "SystemIndex_DeletedDocIds" which contains the deleted DocId's in Windows Vista and above. Unfortunately, the Esedbexport tool does not seem to extract this table as of yet.<br />
<br />
All things considered, a very interesting experiment.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com2tag:blogger.com,1999:blog-7055243034201530750.post-50211356954277663212011-08-04T17:00:00.004-04:002011-08-04T17:25:45.702-04:00Carving Symantec VBN FilesThose of you who perform IT support or incident response are most likely intimate with corporate antivirus products. While the usefulness of antivirus can be debated, the purpose of this post is to provide some insight into the file structure of Symantec's quarantine files. It is not uncommon for an IT practitioner or an incident responder to restore and perform further analysis on a malicious file to verify the attackers intent. Someone recently posted to the <a href="http://tech.groups.yahoo.com/group/win4n6/">Windows Forensics email group</a> about having issues restoring quarantined files from Symantec Endpoint Protection (SEP) 11 which prompted me to put together this quick post. <br />
<br />
Symantec does provide a utility called <a href="http://www.symantec.com/business/support/index?page=content&id=TECH95328">QExtract</a> that allows for the extraction of quarantined files. Documentation on the syntax of the command line utility can be found in Symantec's <a href="http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/95000/TECH95328/en_US/QuarantineExtract.html">online knowledge base</a>. As an example, the following is the output obtained from using the /DETAILED switch with qextract.exe on a system that the Mebroot rootkit payload was detected on.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil_0YEDyzqN2FVk7jZZhY_VZu-A7RiYJ5YEHfDPCAYJCg-hYm1Y6BAEJMxQ10JuBzZR5TSq-Ns3Erjh0c9ifm3VvsXgWi_wDqz83aiNE_sXu5E1jzgBKM9y_71_BK_-JHiLRlE9FWuGLwA/s1600/QEEXTRACT_DETAILED.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil_0YEDyzqN2FVk7jZZhY_VZu-A7RiYJ5YEHfDPCAYJCg-hYm1Y6BAEJMxQ10JuBzZR5TSq-Ns3Erjh0c9ifm3VvsXgWi_wDqz83aiNE_sXu5E1jzgBKM9y_71_BK_-JHiLRlE9FWuGLwA/s1600/QEEXTRACT_DETAILED.PNG" /></a><br />
<br />
QExtract can restore the malicious file by using the session ID, file name, or risk name obtained from this output (see the aforementioned documentation for syntax). The utility works, but is limited. It only runs on Windows. Additionally, you cannot point QExtract to an alternate source location. If SEP is not installed, then the default path to the quarantine files must be manually created. Moreover, when restoring something from a quarantine file, the original path of the file must exist or restoration will fail. <br />
<br />
The file structure of the quarantine files in Symantec's AV products has been known for some time, however. Since 2007 there has been an <a href="http://www.forensickb.com/2007/07/extracting-quarantined-files-from.html">Encase script</a> available that will extract these files. SEP Quarantine files, also known as Virus Bin (VBN) files, are located in the C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine folder. For the purpose of this post, I am looking at the detection of the aforementioned Mebroot rootkit. Some details including hashes and statistics from Virus Total are as follows.<br />
<blockquote>Symantec: Trojan.Mebroot<br />
MD5: fd543137a51fc24e07e00f9bc7c3c06e <br />
SHA1: 357ac149ba2c864a5f0fc2276c2fa437b5c5533b <br />
<a href="http://www.virustotal.com/file-scan/report.html?id=43cafc4464ac08a6b1be53958be377c70ded28ed6f0602449fbd7872604074fe-1303095131">http://www.virustotal.com/file-scan/report.html?id=43cafc4464ac08a6b1be53958be377c70ded28ed6f0602449fbd7872604074fe-1303095131</a></blockquote>Looking at a VBN file using <a href="http://www.x-ways.net/winhex/index-m.html">X-Ways WinHex Editor</a> we see the file begins with the original location of the detected malware. At offset 0x00000184 (byte 388) SEP stores additional information on detection of the malicious file including the system name, original location/name of file, time of detection, and Symantec unique record ID. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoFWsp6cPvnssfQBNXhNMoqP9Xb2luHvBVVHrRH9kJKuRfuzyxu1AQx2HX7bDWqUawec3WowioM2HR7ak07cWSXwhFzJCTCnLMgOk_fLObjKZqPYHNu6PCHvgaCy9SycNF6wTHgRAOKERv/s1600/VBNFileStructure.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoFWsp6cPvnssfQBNXhNMoqP9Xb2luHvBVVHrRH9kJKuRfuzyxu1AQx2HX7bDWqUawec3WowioM2HR7ak07cWSXwhFzJCTCnLMgOk_fLObjKZqPYHNu6PCHvgaCy9SycNF6wTHgRAOKERv/s1600/VBNFileStructure.PNG" /></a></div><br />
At offset 0x00000E68 (byte 3688) we see something else. It appears that the data has been obfuscated or encrypted. Note the that the value 0x5A is common throughout the file. What are the chances that these are actually spaces (0x20) and the data was XOR'd with the value of 0X5A? <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8iCwGw8KuL4VVptYLOhb1fH8wH_BRM33Jxis-u53q8daKor57Ib3UemWpIhCJCyiTS7hl5dLsAnhL5suvScHuLxLaet7I3QZlc7iNrDBMVQe9p8Mjhpc9HPAI76l2nNyjvN10_c9_6f4T/s1600/mebroot_xor.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8iCwGw8KuL4VVptYLOhb1fH8wH_BRM33Jxis-u53q8daKor57Ib3UemWpIhCJCyiTS7hl5dLsAnhL5suvScHuLxLaet7I3QZlc7iNrDBMVQe9p8Mjhpc9HPAI76l2nNyjvN10_c9_6f4T/s1600/mebroot_xor.png" /></a></div><br />
Using Winhex to inverse XOR with the value of 0x5A gives us the malicious file. Note: the file signature of 0x4D5A (MZ) which is for a Windows/DOS executable file. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6F-ZAHi1m64muS3Ve4_3HhLVq5INJ28iHrM1SmJ945_6CsLEGCmN8DWBD12xLr-cEfyKUhu48q3ufHF4JaAIKfxqzwrE_Do-ULNE-NQ5n31ptvy7K8HxOg8YFB47oj-5UaIYwOeLwXOZq/s1600/mebroot_dxor.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6F-ZAHi1m64muS3Ve4_3HhLVq5INJ28iHrM1SmJ945_6CsLEGCmN8DWBD12xLr-cEfyKUhu48q3ufHF4JaAIKfxqzwrE_Do-ULNE-NQ5n31ptvy7K8HxOg8YFB47oj-5UaIYwOeLwXOZq/s1600/mebroot_dxor.PNG" /></a></div><br />
To carve out the Mebroot payload, simply copy the selected block to a new file and save it. <br />
<br />
I would imagine this will work with previous versions of Symantec Corporate Edition but the offsets may be different. If anyone has any experience in that regard let me know. <br />
<br />
Happy Hunting!Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com1tag:blogger.com,1999:blog-7055243034201530750.post-15111589569985769642011-07-29T07:30:00.001-04:002011-07-29T07:51:02.376-04:00Dear Diary: AntiMalwareLab.exe File_CreatedI have previously posted about the usefulness of <a href="http://pauldotcom.com/2011/03/tim-mugherini-presents-ntfs-mf.html">parsing the NTFS Master File Table during static malware analysis</a>. The Master File Table ($MFT) is only one of the twelve metadata files in NTFS file system however. The $Extend object ($MFT Record Entry 11) is used for optional extensions to NTFS. Beginning with Windows 2000, Microsoft added change journaling ($UsnJrnl) to this list of NTFS extensions. $UsnJrnl is turned on by default in Windows Vista and 7, and records all changes that are made to the file system. It should be noted that changes recorded do not include what specific data changed, rather just the type of change and time stamp of when the change occurred.. This can still be useful however when attempting to establish a timeline of malicious changes to a system.<br />
<br />
The $UsnJrnl is stored on the root of the volume in the \$Extend\$UsrJrnl file. The file has two $DATA attributes, the $Max attribute which contains general information about the journal and the $J attribute which contains the actual list of changes. Each journal record varies in size and includes an Update Sequence Number (USN). The USN is 64 bit in size and is stored in byte 64-71 of the $STANDARD_INFORMATION ($SI) attribute of the $MFT. The following output is an example of the $SI XXD of a file named malicious.dll.<br />
<br />
Searching a dd (raw) image for a suspected malicious file called malicious.dll with the <a href="http://www.sleuthkit.org/">The Sleuth Kit (TSK)</a> tool “fls” produces the $MFT Record Number of the file.<br />
<blockquote>fls -f ntfs -r /media/Passport/Images/Image001.dd | grep malicious.dll<br />
<br />
++ r/r 1618-128-1: malicious.dll</blockquote><blockquote><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo7FFb6CgHMRU4g2_qgFX1aBqpLvPoCegrYmJImG6us8GciyU5cp_ItkztITcodCh5qIz0zZnrrjogf_Boe0GHu-tLeOG0E_yV3GmYtgtlNuwXYfSpN6LUDR2VgerY9J-w2_pUjVLAq9wk/s1600/Find_MaliciousFile.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo7FFb6CgHMRU4g2_qgFX1aBqpLvPoCegrYmJImG6us8GciyU5cp_ItkztITcodCh5qIz0zZnrrjogf_Boe0GHu-tLeOG0E_yV3GmYtgtlNuwXYfSpN6LUDR2VgerY9J-w2_pUjVLAq9wk/s1600/Find_MaliciousFile.PNG" /></a></div></blockquote>Using this entry number (1618) we can display the $SI attribute (type=16) from the $MFT record $SI (type=16) with the TSK "icat" tool. <br />
<blockquote>icat -f ntfs /media/Passport/Images/Image001.dd 1618-16 | xxd</blockquote><blockquote><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJlnZLyCyqU5H9keUuikMx6CpSb48iUaulhnq1QvLTWbFcK0QtweAdSyNqQFhXjKTv1NAN7c5w0XUeoWp-zH0kplW8pRLKe-_wkjM40yCH7dUeq3UZOxTzOIkeYL-PnAfIR3uGjKDEl0-M/s1600/%2524SI_USN.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJlnZLyCyqU5H9keUuikMx6CpSb48iUaulhnq1QvLTWbFcK0QtweAdSyNqQFhXjKTv1NAN7c5w0XUeoWp-zH0kplW8pRLKe-_wkjM40yCH7dUeq3UZOxTzOIkeYL-PnAfIR3uGjKDEl0-M/s1600/%2524SI_USN.PNG" /></a></div></blockquote>The USN, in the above example, represents the byte offset in the $UsnJrnl (remember each record varies in size). It should also be noted that the $Usnjrnl is a sparse file, meaning it has a maximum size but old records are overwritten with zero's and any updates to it will be written to the end of the file and perpetually increase the USN (based on byte offset from the beginning of the file).<br />
<br />
Microsoft MSDN has a fair amount of <a href="http://msdn.microsoft.com/en-us/library/aa365722%28v=vs.85%29.aspx">documentation</a> on the structure of the $UsnJrnl $J file and what fields it stores. Additionally, Brian Carrier does a great job of breaking down the data structure and byte offsets in his book <a href="http://www.digital-evidence.org/fsfa/">File System Forensic Analysis</a>. The following is an example of a $UsnJrnl record structure.<br />
<br />
We can obtain the $MFT entry address of the $Usnjrnl $J file by using the TSK "fls" tool (note: the $Extend Object will always be $MFT entry 11).<br />
<blockquote>fls -f ntfs /media/Passport/Images/Image001.dd 11</blockquote><blockquote><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2pIRyO5JqTZVRQ_e303nFuBU84MvoULoyFbT6tePwkznuI8muGQmo2bsxOlxOX_cWUcCDSyOiLy5DaY4NgQ6oWFo10xiDUdK4KQarQ4LTz7hZPvjzTPaA54t3O-7wNZBz1YFopeQtt2Hh/s1600/fls_out.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2pIRyO5JqTZVRQ_e303nFuBU84MvoULoyFbT6tePwkznuI8muGQmo2bsxOlxOX_cWUcCDSyOiLy5DaY4NgQ6oWFo10xiDUdK4KQarQ4LTz7hZPvjzTPaA54t3O-7wNZBz1YFopeQtt2Hh/s320/fls_out.PNG" width="320" /></a></div></blockquote>Once the location of the $J file is obtained, the contents can be displayed by using the TSK "icat" tool as follows. Please note that the -h option skips holes in the sparse file.<br />
<blockquote>icat -h –f ntfs /media/Passport/Images/Image001.dd 41455-128-3 | xxd</blockquote>A quick search for our "malicious.dll" provides a good example of the structure a $UsnJrnl record.<br />
<blockquote><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcyAkSjVNafhuMfJnl7yd-rUN1h4OrxqbqXX8ymQvWhEhCLdcRrRZoJwHHJu04oIgQnystQDEbw4YRBSa4vQPoBPCuYx_cCFO0flgQ75oKDigVM-d2Bgqv5_i97cHEi7d347Ngv1CnXVRF/s1600/USN_MaliciousFile_MarkedUp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcyAkSjVNafhuMfJnl7yd-rUN1h4OrxqbqXX8ymQvWhEhCLdcRrRZoJwHHJu04oIgQnystQDEbw4YRBSa4vQPoBPCuYx_cCFO0flgQ75oKDigVM-d2Bgqv5_i97cHEi7d347Ngv1CnXVRF/s1600/USN_MaliciousFile_MarkedUp.PNG" /></a></div></blockquote>Byte 40-43 is the USN_CHANGE flag and is well documented on MSDN. For reference purposes the following table summarizes the type of flags and their hexadecimal values recorded in the $UsnJrnl. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHfPPpjTTFUa1KAvZbKAM3IzHvyBrJCNsZjHtK1hna8VlWuZUPSiKL-npo5ByWovYAhefzxpbFhU8SafPBfpqYSga30KYtyRYRrzPeSQitr5gdBpSvRNbmjEAwDqmx4tKgNhE4XRWi2Vrf/s1600/USN_RECORD_REASON_FLAGS.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHfPPpjTTFUa1KAvZbKAM3IzHvyBrJCNsZjHtK1hna8VlWuZUPSiKL-npo5ByWovYAhefzxpbFhU8SafPBfpqYSga30KYtyRYRrzPeSQitr5gdBpSvRNbmjEAwDqmx4tKgNhE4XRWi2Vrf/s640/USN_RECORD_REASON_FLAGS.PNG" width="640" /></a></div><br />
There are a few utilities and scripts available to automate the parsing of the records but for the purpose of this post I am using one I recently became aware of through the <a href="http://tech.groups.yahoo.com/group/win4n6/">Windows Forensic Analysis Email</a> list. The <a href="http://www.tzworks.net/prototype_page.php?proto_id=5">Windows Journal Parser (JP)</a> is available for Windows, Linux, and Mac. JP pulls the allocated clusters from the sparse file and parses the records. Information pulled includes Time/Date of change, File/Folder Affected, Type of Change, and by using the verbose option (-v) it will add the $MFT Entry Number and Sequence Number. JP is able to parse a the $UsnJrnl from a live volume, dd image, or carved $J file and export to a variety of formats.<br />
<br />
I recently came across a compromised Windows 7 system and had the opportunity to use JP during analysis. The following is the location, hash values, and Virus Total stats of the malicious (unsigned) process that was found on the system.<br />
<blockquote><a href="http://www.blogger.com/"></a>File name: VD90c_2121.exe<br />
Submission date: 2011-07-21 14:13:39 (UTC)<br />
<a href="http://www.virustotal.com/file-scan/report.html?id=54e80b6d08bedf9210e6a0cead297a36d34f12170568c672e70ff6f750a69a00-1311257619">Result: 14 /43 (32.6%)</a><br />
MD5 : c8a695e4c411af859fa358eabb4127d1 <br />
SHA1 : 78e10150b3fd91b199adf0457a2e3902bc70eaf6 <br />
SHA256: 54e80b6d08bedf9210e6a0cead297a36d34f12170568c672e70ff6f750a69a00 </blockquote>After parsing the $UsnJrnl with JP, I searched for the aforementioned malicious process and was quickly able to obtain a timeline of changes made during infection.<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-UFphZWzFKeXxSZJ8SQkG7JomKH-AHOJj45-dzqedx8nOU3J8LGtohPiQkVv46FPEv5zA0fv2di-JgekbZGA4DLwMxzIWEa_KaYxVtxLmFm5YEdpehjauFwxCSNqRfsnFWS1RwfPkQOu2/s1600/FakeAVUsnJrnlRec.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-UFphZWzFKeXxSZJ8SQkG7JomKH-AHOJj45-dzqedx8nOU3J8LGtohPiQkVv46FPEv5zA0fv2di-JgekbZGA4DLwMxzIWEa_KaYxVtxLmFm5YEdpehjauFwxCSNqRfsnFWS1RwfPkQOu2/s640/FakeAVUsnJrnlRec.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-xd5hQev3uqg/TjID3muYOuI/AAAAAAAAALg/cyJVRnlk7P8/s1600/FakeAVUsnJrnlRec.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>Within a few minutes of analyzing the output from the $Usnjrnl I recognized some of the files and locations created as being similar of a malicious program I analyzed previously last November and outlined <a href="http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html">here</a>. Hence significantly reducing the time necessary to find the origin, payload, and other infection locations on disk.<br />
<br />
It should be noted again that $UsnJrnl records are not going to kept indefinitely. Moreover, if a file is deleted, related $MFT entries may be overwritten. More info on carving old $UsnJrnl records from unallocated space and other $UsnJrnl parsing utilities is posted over at the <a href="http://forensicsfromthesausagefactory.blogspot.com/2010/08/usn-change-journal.html">Forensics From the Sausage Factory Blog</a>. I recommend you check it out.<br />
<br />
Happy Hunting!<br />
<br />
References:<br />
<br />
Carrier, Brian (2005). <a href="http://www.digital-evidence.org/fsfa/">File System Forensic Analysis.</a> Addison Wesley.<br />
.<br />
Microsoft MSDN <a href="http://msdn.microsoft.com/en-us/library/aa365722%28v=vs.85%29.aspx">USN Record Structure</a>.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com1tag:blogger.com,1999:blog-7055243034201530750.post-76136349351063084122011-05-27T15:15:00.004-04:002011-05-27T15:25:02.870-04:00Virtualizing Raw Disk Images<div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaCGmNywJDOZ4WhOUpCGzKda8dObCIDH6ROt8NPw1b9otQ3Jf3hTWX0wqFiNLuGTqJnTe_1I9GdxhSFJR2x63gBWZ-XIPORFXy250gt_a4PnMUbw2H9SyPjxE0g0x4F9CcH4QgVRYz3mMh/s1600/vmdk-2777.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaCGmNywJDOZ4WhOUpCGzKda8dObCIDH6ROt8NPw1b9otQ3Jf3hTWX0wqFiNLuGTqJnTe_1I9GdxhSFJR2x63gBWZ-XIPORFXy250gt_a4PnMUbw2H9SyPjxE0g0x4F9CcH4QgVRYz3mMh/s1600/vmdk-2777.png" /></a></div>I have heard a lot of people ask about how to forensically handle raw (dd) disk images of systems that have been encrypted with whole disk encryption. Both PGP and Truecrypt support the use Recovery/Rescue ISO's to decrypt drives without booting the OS (Note: an administrator pass phrase is still going to be required). So if you could boot the raw image in VMware, for example, then you could mount the ISO and decrypt the image.<br />
<br />
One Windows tool, <a href="http://liveview.sourceforge.net/">Live View</a>, can be used to convert dd images to a <a href="http://www.vmware.com/technical-resources/interfaces/vmdk.html">vmdk</a> (Virtual Machine Disk Format) file. Live View was created at Carnegie Mellon University in 2009 but it unfortunately has not been updated since then. Consequently, there is no support for modern versions of Windows or VMWare Workstation or Server.<br />
<br />
Fortunately, <a href="https://github.com/Zapotek/raw2vmdk">Tasos Laskos</a>, expanded on their work and created the <a href="http://sourceforge.net/projects/raw2vmdk/">raw2vmdk</a> utility. Raw2vmdk is an open source, OS independent (requires JRE 1.6.0_18 or higher), command line utility that can create a vmdk file with the appropriate disk type parameters that will allow you to boot directly from a dd image.<br />
<br />
The <a href="https://github.com/Zapotek/raw2vmdk/blob/2be2d169b672f364a68154b9a6b77e2be8b5e905/README">readme</a> outlines the syntax of the utility (Note: if disk type is not specified then it defaults to IDE).<br />
<blockquote>java -Dtype=<ide|buslogic|lsilogic|legacyESX> -jar raw2vmdk.jar <raw image> <vmdk outfile></blockquote>Note the syntax of the slashes when running the command on a Windows system.<br />
<blockquote>java -jar raw2vmdk.jar D:\\data001.dd D:\\data001.vmdk</blockquote>Once run, the analysis and creation of the vmdk file only takes a few seconds.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcaTZVdz7XzEHhN3AqUc6k1TiHfRxh3YmoqyynHVwPqNAJAlOoS4Dh7LmgPnLZN1q5rQtoBnXobKI2h1exq5x3AL_O5xfI6F1ozvxhyphenhyphencaro3G1BKzz3NrUHFU-wFPMb1_qH5DMsik2O-Dm/s1600/rawtovmdk.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcaTZVdz7XzEHhN3AqUc6k1TiHfRxh3YmoqyynHVwPqNAJAlOoS4Dh7LmgPnLZN1q5rQtoBnXobKI2h1exq5x3AL_O5xfI6F1ozvxhyphenhyphencaro3G1BKzz3NrUHFU-wFPMb1_qH5DMsik2O-Dm/s320/rawtovmdk.PNG" width="320" /></a></div><br />
Raw2vmdk creates a properly formatted vmdk with the appropriate path to the raw image, disk type, and parameters. <br />
<blockquote># Disk DescriptorFile<br />
version=1<br />
encoding="UTF-8"<br />
CID=5c643bba<br />
parentCID=ffffffff<br />
isNativeSnapshot="no"<br />
createType="monolithicFlat"<br />
<br />
# Extent description<br />
RW 156301488 FLAT "D:\data001.dd" 0<br />
<br />
# The Disk Data Base <br />
#DDB<br />
<br />
ddb.virtualHWVersion = "7"<br />
ddb.longContentID = "bf304434123a064225efde635c643bba"<br />
ddb.uuid = "60 00 C2 91 8e 73 27 62-43 58 3b f8 05 ae 2e a0"<br />
ddb.geometry.cylinders = "1023"<br />
ddb.geometry.heads = "255"<br />
ddb.geometry.sectors = "19"<br />
ddb.adapterType = "ide"</blockquote>The <a href="http://sanbarrow.com/vmdk/disktypes.html#monolithicFlat">monolithic flat disk type</a> is a pre-allocated disk type that is stored in one file. This format also supports raw dd images. Once the creation of the file is complete, create a new virtual system as you normally would within Vmware Workstation or Server and point the hard disk to the newly created vmdk file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5nNypC6HoY29vdQq6xEvNy9cC6hexFx1OflY_vqHrlvkizfr3b5ENz3a0lS_1Cjiqd7hhYLnSFA6AqLmFE9ZJmMqvTWzs9W6LhjsfF3cKkmaG4qBGrjWVebzvlErbr9mXyE2UqHSd9Eio/s1600/VmwareHDSettings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5nNypC6HoY29vdQq6xEvNy9cC6hexFx1OflY_vqHrlvkizfr3b5ENz3a0lS_1Cjiqd7hhYLnSFA6AqLmFE9ZJmMqvTWzs9W6LhjsfF3cKkmaG4qBGrjWVebzvlErbr9mXyE2UqHSd9Eio/s400/VmwareHDSettings.PNG" width="400" /></a></div><span id="goog_1265757129"></span><span id="goog_1265757130"></span><br />
You should now able to boot your image within VMware (assuming it includes the boot partition). A word of caution, however. Always follow IR and Forensics best practices and use a second copy of your raw image. I also like to create the virtual system and vmdk in a separate folder from the raw dd image, so if the VM is accidentally deleted it does not also delete your raw disk image.<br />
<br />
Happy Hunting.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-7723399069780445492011-05-18T17:18:00.003-04:002011-05-19T06:51:55.111-04:00Herding Cats: Windows Object Access Analysis on a Budget<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIx1m_MkCsPJH1p66oYOWagD5VySiUDzugcNInFR3tU5HjclDGnLSjjY3ixkz7ysgNKURXlIPyjrxJM4NDU8yXf3yLD0qMClniJHoKFY8N4Kd14TyQTfuEyvhWlArM4mvBYaiqCCK74BVU/s1600/HerdingCats.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIx1m_MkCsPJH1p66oYOWagD5VySiUDzugcNInFR3tU5HjclDGnLSjjY3ixkz7ysgNKURXlIPyjrxJM4NDU8yXf3yLD0qMClniJHoKFY8N4Kd14TyQTfuEyvhWlArM4mvBYaiqCCK74BVU/s1600/HerdingCats.jpg" /></a></div><a href="http://4.bp.blogspot.com/-gTZFIBY28GM/TdQu-UY93AI/AAAAAAAAAKg/27qxN0PVOMA/s1600/logs.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br />
</a><br />
I recently had to deal with a lot of archived Windows Security Logs (evtx files) spanning a fairly lengthy period of time. The evtx binary was introduced with Windows Vista and can be found on all modern version of windows. The <a href="http://computer.forensikblog.de/en/%20">author</a> of EVTX Parser has posted his work on documenting the evtx file structure <a href="http://computer.forensikblog.de/en/topics/windows/vista_event_log/%20">here</a> and has created a utility called EVTX Parser that will parse evtx binaries and store them as xml. A good overview of his research and tool is posted in a slide deck from the <a href="http://computer.forensikblog.de/files/talks/SANS_Summit_Vista_Event_Log.pdf">SANS Forensic Summit in 2010</a>.<br />
<br />
There are a few additional free tools available to search and filter Windows event logs if you don't have a log management product. While the Windows event log supports the import of multiple evtx files, I can tell you through experience that the MMC will puke if you feed it a large amount of files. Moreover, there is limited <a href="http://msdn.microsoft.com/en-us/library/aa385231%28VS.85%29.aspx">support</a> for many of the <a href="http://www.w3.org/TR/xpath/#section-String-Functions">xpath string functions</a> such as "contains" and "starts-with" which can be hindrance. All the same, I managed to come up with some useful expressions to query Object Access logs from Windows 7 and 2008 R2 Server.<br />
<br />
Microsoft provides a decent <a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3a15b562-4650-4298-9745-d9b261f35814&pf=true">spreadsheet </a>on Windows Security Event ID's and some <a href="http://msdn.microsoft.com/en-us/library/aa385201.aspx">documentation</a> on the schema of events. Looking at the XML of a few events, however, will certainly give you what you need. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXye2nrBBAVPA7HWNyM06pqelGxRCG20gzienK7gLYj8kmnaHeg_RTfxfwkuNoyLNluCy_kDVdzTrYs4C6e2YLU4bSOBHTNzB5RppwhMXMxhdkOCB4aMNk_YrlnaneNZ0nu0w8iS6MGQ_O/s1600/EventLogXML.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXye2nrBBAVPA7HWNyM06pqelGxRCG20gzienK7gLYj8kmnaHeg_RTfxfwkuNoyLNluCy_kDVdzTrYs4C6e2YLU4bSOBHTNzB5RppwhMXMxhdkOCB4aMNk_YrlnaneNZ0nu0w8iS6MGQ_O/s640/EventLogXML.PNG" width="640" /></a></div><br />
When dealing with object access logs, you are going to need to distinguish between the types of access granted on the file system and registry. After much googling and experimentation I managed to scrape together the following <a href="http://msdn.microsoft.com/en-us/library/aa374902%28v=vs.85%29.aspx">Access Mask</a> values and their associated bit wise equivalents used in the Windows Event log. These are the permissions that were exercised on the audited object(s).<br />
<br />
<blockquote>1537 (0x10000) = Delete <br />
4416 (0x1) = ReadData(or List Directory)<br />
4417 (0x6) = WriteData(or Add File) (0x2 on Windows 2008 Server)<br />
4418 (0x4) = AppendData (or AddSubdirectory)<br />
4432 (0x1) = Query Key Value<br />
4433 (0x2) = Set Key Value<br />
4434 (0x4) = Create Sub Key</blockquote><br />
So for example if you need to write and expression to see all successful and failed modifications by a particular user on files and folders.<br />
<blockquote><querylist><br />
<query id="0" path="Security"><br />
<select path="Security">*[EventData[Data[@Name='SubjectUserName']='bugbear' and [@Name='AccessMask']='0x6']]</select><br />
</query><br />
</querylist></blockquote>After playing with different variations of this query, I began to get creative during dynamic analysis of the Renocide worm and its effects on the System32 and HKLM registry keys. After enabling auditing on both objects, I came up with the following query to produce all changes made by the payload and malicious process. Note: the syntax when working with an externally saved evtx file.<br />
<blockquote><querylist><br />
<query id="0" path="file://C:\Worm.evtx"><br />
<select path="file://C:\Worm.evtx">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4663 and (Task = 12800 or Task = 12801)] and EventData[Data[@Name='ProcessName']='\Device\HarddiskVolume2\02MAY2011\scffog.exe' or Data='C:\Windows\System32\csrcs.exe']]</select><br />
</query><br />
</querylist></blockquote>This produced some interesting logs I used for further analysis.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjq8n8JZRUBJuuknKXJX8inxvA_w6unwceTlabNJsPKsOFV4X0TLGq0KEwIJOYPABmk2agEA4N5Pn3oA4pAhIGxf6Uug64rTi_L6ywKC87jSmyC9CvTzcpvOrrHMgLs5OkuGN9VldkcFiZ/s1600/EventLogSample.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="385" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjq8n8JZRUBJuuknKXJX8inxvA_w6unwceTlabNJsPKsOFV4X0TLGq0KEwIJOYPABmk2agEA4N5Pn3oA4pAhIGxf6Uug64rTi_L6ywKC87jSmyC9CvTzcpvOrrHMgLs5OkuGN9VldkcFiZ/s400/EventLogSample.PNG" width="400" /></a></div><br />
If filtering multiple archived evtx files you can import the files into the mmc event viewer, create a view including them, and filter on that view. But dont expect to be able to work with a large amount of data. In fact, Microsoft will generate a warning if you attempt to import more than ten evtx files. Fortunately, there are faster and more flexible alternatives. <a href="http://technet.microsoft.com/en-us/scriptcenter/dd919274">Microsoft Log Parser</a> will parse the binary (specify evt as the input type). Specifying a wild card in the filename will parse multiple files located in a specified folder and Log Parser also provides additional flexibility by allowing the use of statements such as "LIKE". The following are valid data fields that can be used when parsing evt/evtx binaries.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKLw4M6dF-2dvoF07HAkwXMqGdNOQpCT24wHntbtUT0Vde8VJ7jXMES7S1w_VY2uflV-pNNNgJfGAdFMtxqncexk-asfVcZFwVfrvFWOImjT5uLoz3j15e-JarKq_-jaloFJeOP-U5tsW_/s1600/LogParserEVTFields.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKLw4M6dF-2dvoF07HAkwXMqGdNOQpCT24wHntbtUT0Vde8VJ7jXMES7S1w_VY2uflV-pNNNgJfGAdFMtxqncexk-asfVcZFwVfrvFWOImjT5uLoz3j15e-JarKq_-jaloFJeOP-U5tsW_/s640/LogParserEVTFields.PNG" width="640" /></a></div><br />
Note: If filtering by user you will need to use the SID and much of the event data, such as access masks, are combined as a string in the "Message" data field. The following is an example of a query that will pull events from multiple evtx binaries that contain the specified WriteData and Delete Access Mask values.<br />
<br />
<blockquote>LogParser.exe -i:evt -o:csv "Select * from C:\Logs\*.evtx where EventID=4663 and (Message Like '%Access Mask: 0x6%' or Message Like '%Access Mask: 0x10000%')" > C:\Logs\Out.csv</blockquote><br />
Another alternative is Windows Powershell. The following is a similar example as the one given above (all WriteData and Delete Access Masks) using the <a href="http://technet.microsoft.com/en-us/library/dd367894.aspx">Get_WinEvent</a> and <a href="http://technet.microsoft.com/en-us/library/ee177028.aspx">Where_Object</a> Cmdlet'. <br />
<br />
<blockquote> get-winevent -path "C:\Logs\Comp1.evtx", "C:\Logs\Comp2.evtx" | where {$_.Id -eq "4663" -and $_.message -like "*0x10000*" -or $_.Id -eq 4663 -and $_.message -like "*0x6*"} > C:\Logs\Out.csv</blockquote><br />
Using "| Format-List" provides a view of the data fields available for use with the "Where" statement.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVQHgkurnn4WsuiRE22kCrYfLk2x92QAxoS-ACWw6vjZCsCcpW9ui6nFWTZNSyMMTIr2XB0IM44poh-RoRf0Lk0lI3evuvS6Rmq0s3UxIvgmdpk830vwC-6sfrHWrdng0k5qC4RwkWZv9D/s1600/sample_output_powershell_format-list.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVQHgkurnn4WsuiRE22kCrYfLk2x92QAxoS-ACWw6vjZCsCcpW9ui6nFWTZNSyMMTIr2XB0IM44poh-RoRf0Lk0lI3evuvS6Rmq0s3UxIvgmdpk830vwC-6sfrHWrdng0k5qC4RwkWZv9D/s640/sample_output_powershell_format-list.PNG" width="640" /></a></div><br />
While not ideal, the IT Practicioner or Incident Responder can certainly wrangle with evtx files without a SIEM or Log management system. The recent release of the <a href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf">Verizon DBIR</a> report (2011) included a statement on page 60 that notes an interesting but not unexpected finding.<br />
<br />
"...discovery through log analysis and review has dwindled down to 0%. So the good news is that things are only looking up from here..." - Verizon DBIR 2011 <br />
<br />
Happy Hunting!<br />
<br />
<i>Updated May 19, 2011 </i><br />
<br />
I intentionally did not provide any detail on enabling Object Access auditing in Windows since there is a fair amount of documentation available on that. In retrospect, however, I did want to mention a few things and share a few tips.<br />
<br />
First, choose what Accesses you audit carefully. Accesses such as "List Folder/Read Data" are very noisy and will only increase the amount of logs you have to parse and may fill up the event log completely so it begins to overwrite itself (note: there are settings for the size of the log too).<br />
<br />
Second consider what user or group you audit access for carefully. The "Users" group may be fine for auditing access to files stored on a file server but consider using the "Everyone" group if auditing changes made by malicious code. This group will include the System account.<br />
<br />
Lastly, enabling auditing of changes to the system folders or registry may become resource intensive and non-manageable in a production environment. Use with caution. That said, I do believe it can be useful during analysis of malicious code. I would include a few more locations than just the System32 and HKLM however. The C:\Users, C:\ProgramData, and HKCU keys come to mind.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com2tag:blogger.com,1999:blog-7055243034201530750.post-35171686755547743572011-05-13T16:55:00.000-04:002011-10-05T21:28:45.252-04:00Renocide Worm: Hiding in Plain SightI recently came across a sample of <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRenocide.gen%21H">Renocide</a> which has been circulating for some time now. Microsoft recently published some of its infection numbers on the <a href="http://blogs.technet.com/b/mmpc/archive/2011/03/16/win32-renocide-the-aftermath.aspx">MSRT blog</a> if you are interested. The malicious code takes advantage of the auto run settings in Windows and spreads via mapped drives and USB storage devices. <a href="http://www.virustotal.com/file-scan/report.html?id=135eecc03ae72898974ace686157428a175116c34881426c2f7e5127f823dfdc-1304430638">Virus Total</a> shows decent coverage by the AV industry. While not particularly unique, I did note something interesting when I parsed the NTFS $MFT table during analysis. The malicious code seems to manipulate NTFS $MFT Timestamps on several malicious files it creates in the %windir%\System32 folder. The following screen shot is the $MFT attributes for the process csrcs.exe which the payload creates.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi74fcuig7h-iWub_41ROG93RLmn2Puz2t_bbI6eIGuycrW7GqUSgiRiiXJxzLwxVW9LHUqbaus-6W0moFCzqWLg4ub49Av7uvc9ZeEkRU8tYnvSHPVJ2QStRQX9LhwnAsV41gO0D0jGv9z/s1600/mft_parser_attrib.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi74fcuig7h-iWub_41ROG93RLmn2Puz2t_bbI6eIGuycrW7GqUSgiRiiXJxzLwxVW9LHUqbaus-6W0moFCzqWLg4ub49Av7uvc9ZeEkRU8tYnvSHPVJ2QStRQX9LhwnAsV41gO0D0jGv9z/s640/mft_parser_attrib.PNG" width="430" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">csrcs.exe (MD5: 989460dc5f8ac5c886078f50720d71e8)</td></tr>
</tbody></table>
<div style="text-align: center;">
</div>
<div style="text-align: center;">
</div>
<br />
There a few things that struck me about the time manipulation. While it is not unusual to find the $SI born (creation) and modified attributes altered, I have never seen the $FN Born attribute changed. A closer look at the hex values of the $SI Born Attribute revealed something else.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSacxM9wGO3Y9sM-oiyBXnEwMiu3DleACfIno0436kgHyHIrPfo5O9SmXB3FY1ndotQ1uSB9keMsvij7jZenJ_KH14bbFChYmL_0F-wqd6HH4mjpTGx8wugIgiasRFHaji3aOL6_EFdm53/s1600/mft_xxd.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSacxM9wGO3Y9sM-oiyBXnEwMiu3DleACfIno0436kgHyHIrPfo5O9SmXB3FY1ndotQ1uSB9keMsvij7jZenJ_KH14bbFChYmL_0F-wqd6HH4mjpTGx8wugIgiasRFHaji3aOL6_EFdm53/s400/mft_xxd.PNG" width="400" /></a></div>
<br />
The $SI Born time of "20e6 980c a303 ca01" converts more specifically to 2009-07-13 06:16:55.938000 . The usec value is not zero which is unusual. My first thought was that the date/time values were copied from another file but while the date mirrors other system files, the time correctly coincides with the time of infection. Things that make you go hmm.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-11203383377023551682011-03-27T10:04:00.010-04:002011-06-07T05:46:27.506-04:00An Overdue Rant: The RSA Compromise<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1z577cFzJSUMTMGHtYSV5sH-9K8vK6vEN-S4trsN3_s3E20atPdNYrDlwe2XJu-xk_q5L16vkk6EcRQCuYlI4v0icnxqvXLHbzuK2nWvOdTlI9X7lZoH5nFcGC30DCDNhBAaZn2fGHblG/s1600/team_jackhole.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1z577cFzJSUMTMGHtYSV5sH-9K8vK6vEN-S4trsN3_s3E20atPdNYrDlwe2XJu-xk_q5L16vkk6EcRQCuYlI4v0icnxqvXLHbzuK2nWvOdTlI9X7lZoH5nFcGC30DCDNhBAaZn2fGHblG/s1600/team_jackhole.jpg" /></a>OK I haven't had a good rant in a while on the blog, so be warned, there may be some pent up rage in the paragraphs ahead. Read on at your risk.<br />
<br />
<br />
I do not usually write posts on the latest compromise as I always feel there is enough coverage, speculation, and commentary from smarter people than I. There is a lot of speculation about the recently announced <a href="http://www.rsa.com/node.aspx?id=3872">RSA breach</a> both on the technical details of the compromise and on who may have been behind the attack. Yeah everyone is throwing three letter acronyms around again. The Digital Underground Podcast recently posted a great discussion on the technical side <a href="http://threatpost.com/en_us/blogs/paul-kocher-rsa-attack-032211">here</a> and there as been some good posts on <a href="http://isc.sans.edu/diary/The+Recent+RSA+Breach+-+Imagining+the+Worst+Case+And+Why+it+Isn+t+Time+to+Panic+Yet+/10609">mitigation techniques</a>. <br />
<br />
The part I really have issue with is RSA's lack luster disclosure of this compromise. Some have suggested that they should be praised for publicly announcing the breach. I'm not sure when we set the bar so low. Since when is posting a written notification with vague details and little to no information on when and what was compromised and who is affected become acceptable?<br />
<br />
A lot of organizations have paid a lot of money to increase the security of their information systems and data by purchasing the RSA SecureID solution. Don't forget even if your not a customer of RSA (Disclosure: I am not) it is still your family's data being protected by such solutions. In short, I find RSA's actions post compromise disgusting and inept.<br />
<br />
While knowing the technical details of the compromise would benefit the security community by giving everyone an opportunity to learn where things went wrong, the reality is we will probably never know the details and this is OK with me. What needs to be done, on the part of RSA however, is to step up and fix where things went wrong, notify those clients affected, and offer them replacements or fixes for the technology they already purchased. Thus far the advice given by RSA is nothing more than best practice and common sense. I would like to think those implementing RSA's authentication solutions are probably already familiar with such administration controls.<br />
<br />
To use a bad analogy. This is the equivalent of a new home owner hiring a Master Locksmith to replace all the locks in their new home with a more secure solution, only to have the locksmith keep a copy of the keys and tell the customer at a later date that the key has been stolen and the customer should go buy a bigger guard dog or better alarm system at their own expense. Would this be acceptable?<br />
<br />
Not the greatest analogy but I did say their were more intelligent people than I posting about this didn't I?<br />
<br />
The truth is, everyone gets owned at some time or another. It is the actions of the compromised organization during the aftermath that will distinguish it from other competitors. Asking other security solution providers to sign an <a href="https://twitter.com/RonGula/status/51244901328879616">NDA</a> to learn more about the compromise is not looking out for the best interests of your customers.<br />
<br />
/Rant<br />
<br />
<i>Updated June 01, 2011</i><br />
<br />
It appears that there may have been several attacks against U.S. defense contractor's that leveraged information from the RSA compromise. Last Friday, Reuters <a href="http://www.reuters.com/article/2011/05/27/us-usa-defense-hackers-idUSTRE74Q6VY20110527">reported</a> that there was a breach at Lockheed Martin Corporation. On Monday, Wired <a href="http://www.wired.com/threatlevel/2011/05/l-3/">reported</a> that L-3 Communications had also been targeted and leaked memo suggested the attackers were using inside information on their SecureID system gained by the RSA hack. Today, Fox news is <a href="http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/">reporting</a> a possible attack against Northrop Grumman. With all these reports flooding the internet it is difficult to know how much is based on fact but I did want to share a gem of a quote from the <a href="http://www.wired.com/threatlevel/2011/05/l-3/">Wired report</a>.<br />
<blockquote>Asked if the RSA intruders did gain the ability to clone SecurID keyfobs, RSA spokeswoman Helen Stefen said, “That’s not something we had commented on and probably never will.”</blockquote><i>Updated June 7, 2011</i><br />
<br />
It appears RSA has updated their <a href="http://www.rsa.com/node.aspx?id=3891">Open Letter to RSA SecurID Customers</a>. The update provides verification of the Lockheed Martin attack and offers long awaited replacements of SecurID tokens, although for what appears to be a limited subset of SecurID customers. Thanks to <a href="https://www.twitter.com/wimremes">Wim Remes</a> for the heads up on the updated post.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-7815192365559926732011-03-24T03:38:00.029-04:002011-03-24T15:36:06.451-04:00Pauldotcom Security Weekly: I am Talking about What?<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLLv_7hMZ7eNEmcbPtQ57Wa-vsYS3uGis9iizBX44_4t23T106trG5ITpYPmsxfsTpxZ-VqDiJ1UsTaPCDSmNP6ReicyXZtfjG9RxJ-UT_Zuzr9_w72DCENynn6r9mjbLnidPugv4yERqR/s1600/images.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLLv_7hMZ7eNEmcbPtQ57Wa-vsYS3uGis9iizBX44_4t23T106trG5ITpYPmsxfsTpxZ-VqDiJ1UsTaPCDSmNP6ReicyXZtfjG9RxJ-UT_Zuzr9_w72DCENynn6r9mjbLnidPugv4yERqR/s1600/images.jpg" /></a></div>On Thursday March 24, 2011 I will be presenting the <a href="http://pauldotcom.com/wiki/index.php/Episode236#Special_Guest_Tech_Segment:_Tim_Mugherini_presents_NTFS_MFT_Timelines_and_malware_analysis">tech segment</a> on Episode 236 of PaulDotCom Security Weekly. The segment will cover the use of NTFS MFT timeline forensics in the static analysis of malware. This is a geekier version of my NAISG BOS presentation back in January and will cover some additional tools and technique's. The podcast begins around 8:00 PM and a live feed is available at <a href="http://www.pauldotcom.com/live">http://www.pauldotcom.com/live</a>. So if you are around, kick back with a beer, cigar, and listen live! I am looking forward to it.<br />
<br />
Updated March 24, 2011 3:30 PM<br />
<br />
As part of the tech segment this evening, <a href="https://twitter.com/markmckinnon">Mark Mckinnon</a> of <a href="http://redwolfcomputerforensics.com/">RedWolf Computer Forensics</a> has release the Windows beta of <a href="http://redwolfcomputerforensics.com/downloads/MFT_Parser_05b_Setup.exe">mft_parser</a> which supports $MFT $SI and $FN bodyfile output from both the CLI and GUI. Big thanks to Mark from the Incident Response and Forensics community.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-40342258049374492532011-01-27T15:44:00.000-05:002011-01-27T15:44:12.372-05:00Shmoocon or Bust<span style="font-size: small;">What would you do to get to Shmoo?<br />
<br />
Woke up at 4:00 AM <br />
2.5 hours shovelling snow<br />
1 hour to get to train station<br />
1 hour on local commuter rail to BOS<br />
2 minutes to find my train to PVD cancelled<br />
1 hour on on first commuter rail to PVD<br />
Finding my 12:50 train to DC only five minutes late = priceless<br />
<br />
In about four hours I will be at <a href="http://www.shmoocon.org/schedule">Shmoocon</a> and it will to be Epic. This years schedule contains a lot of fresh blood and new faces (which is not a bad thing IMHO). The schedule is so packed with goodness, that I am going to have to make some tough decisions on which sessions to attend. In addition, the after hours action is packed full of awesomesauce. There is the return of <a href="http://www.novainfosecportal.com/2011/01/12/shmoocon-2011-firetalks/">Firetalks</a> on both Friday and Saturday evening, Podcasters meetup (including free booze), Jason Scott is previewing his new documentary called <a href="http://www.getlamp.com/">Get Lamp</a> on Saturday evening (first computer program I wrote was a text based Adventure game on my TI99-4A), and of course there are the parties and meet-ups that will certainly include scotch and cigars.<br />
<br />
On Friday we begin with, <a href="http://www.shmoocon.org/speakers#opendlp">Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP</a> with Andrew Gavin. Leveraging enterprise defense products = sexy in my book. Following that there are several cool sessions including a long awaited update from <a href="http://www.hackersforcharity.org/">Johnny Long</a> (who is back in the states for the con), and keynote by Peiter "Mudge" Zatko of DARPA.<br />
<br />
On Saturday, I am hoping that Jon Oberheide and Zach Lanier has the cure for my much anticipated hangover with their talk; <a href="http://www.shmoocon.org/speakers#teamjoch">TEAM JOCH vs. Android: The Ultimate Showdown</a> which will highlight their work on subverting the Android OS. I plan to follow-up with <a href="http://www.shmoocon.org/speakers#harddrive">Hard Drive Paperweight: Recovery from a Seized Motor!</a> being delivered by Scott Moulton. Scott is a super smart dude who never disappoints. I am guaranteed to learn something there.<br />
<br />
<a href="http://www.shmoocon.org/speakers#printerwild">Printers Gone Wild!</a> with Ben Smith is in the next slot. Next I need to make some of those tough decisions I mentioned earlier. There is <a href="http://www.shmoocon.org/speakers#3g4g">Attacking 3G and 4G mobile telecommunications networks</a> with Enno Rey & Daniel Mende and <a href="http://www.shmoocon.org/speakers#evite">An Evite from Surbo? Probably an invitation for trouble</a> with Trent Lo aka "Surbo" from <a href="http://i-hacked.com/">i-hacked.com</a><a href="http://www.i-hacked.com/">http://www.i-hacked.com/</a>. There is no doubt that mobile tech has definetly come of age and consequently will become a target but Trent is also a smart, entertaining dude. Then in at 16:00 there is <a href="http://www.shmoocon.org/speakers#mtans">Defeating mTANs for profit</a> with Axelle Apvrille and Kyle Yang (mTAN = one-time bank password by SMS) and G W Ray Davidson's talk on designing a network for a conferance entitled <a href="http://www.shmoocon.org/speakers#shmoocollege">ShmooCon Labs Goes To College</a>. Both decisions will most likely be down to the wire. On Sunday, the talk that seems to be on averyone's agenda is Georgia Weidman's <a href="http://www.shmoocon.org/speakers#botnetsms">Transparent Botnet Control for Smartphones Over SMS</a> in which she will release POC for a sms controlled botnet.<br />
</span><br />
<span style="font-size: small;">Total estimated time to get to the con = 15 hours (and worth it). See you in a few hours Shmoocon</span>Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-43694176256789862422011-01-14T06:52:00.002-05:002011-02-01T16:38:52.559-05:00NAISG: Leveraging NTFS Master File Table Timeline Forensics in the Analysis of Malware<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGQaWrooJC8saZG5o-uIuFk5FKUTCi5AZOHmSO0gyEXY0iiHmLGoY3e5Vzr6CrIdZqxixhKhGLrP3l2DVD_6gGSiJi5YMyQ7lfMcd5r8yB7IVcKQxkfXQEeg5qpGkbRQdqSUsTkv7YIqek/s1600/IncidentResponse.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGQaWrooJC8saZG5o-uIuFk5FKUTCi5AZOHmSO0gyEXY0iiHmLGoY3e5Vzr6CrIdZqxixhKhGLrP3l2DVD_6gGSiJi5YMyQ7lfMcd5r8yB7IVcKQxkfXQEeg5qpGkbRQdqSUsTkv7YIqek/s200/IncidentResponse.jpg" width="200" /></a></div><span style="font-size: large;">What is in your incident response kit? </span><br />
<br />
Next week I am delivering a talk at the Boston Chapter of National Information Security Group (NAISG) on Thursday January 20, 2011. I will be speaking on the use of NTFS Master File Table Timeline Forensics in the Analysis of Malware. The meeting and talk is open to everyone and more information can be found <a href="http://boston.naisg.org/meetings.asp">here</a>. If you are in the Boston area come down and check it out. NAISG will post the talk and slides at a later date and I will make sure I link back to it here.<br />
<br />
<i>Updated: February 1, 2011</i><br />
<br />
NAISG has posted the video for my presentation <a href="mms://boston.naisg.org/media/201101Forensics.wmv">here</a>. The slide deck can be found on Slideshare <a href="http://slidesha.re/fYTAXq">here</a>. I also wanted to say thank you to NAISG Boston chapter for having me. It was a blast!Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-27624112256200888632010-12-23T15:36:00.000-05:002010-12-23T15:36:36.556-05:00The More Things Change The More They Stay The Same: Reading "The Cuckoo's Egg"<div class="separator" style="clear: both; text-align: center;"><a href="http://ecx.images-amazon.com/images/I/51sSd8+SI7L._SS500_.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="http://ecx.images-amazon.com/images/I/51sSd8+SI7L._SS500_.jpg" width="200" /></a></div>What rock was large enough that I somehow was unaware of this book's existence the last 20 years of my life? <br />
<br />
I just finished reading <a href="http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787/ref=sr_1_1?s=books&ie=UTF8&qid=1293135998&sr=1-1">The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage</a> by Cliff Stoll. The book is based on the true account of Cliff Stoll's experience tracking a hacker through a laboratory computer network at Berkeley in the mid 1980's. The author quickly finds himself in a year long obsession that involved military targets, several US government agencies, and law enforcement from multiple continents.<br />
<br />
The story completely sucked me in. The amazing part is more than 25 years later, with the exception of bandwidth and the shear number of targets, not much has really changed. Detective book fans will enjoy it. Security geeks will love it. Incident Responders should be required to read it.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-28162405601792881472010-12-23T11:49:00.002-05:002010-12-30T11:20:12.723-05:00Not Just Another Analysis of Scareware<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGf2RehCxJmNsm2nt9r-dDxrRheimBvCOeFTg2XCP4ffY4M4qh98d3dH48QAWMeXM6Qlss0BEKx5J-JMmXKBd0EkPIaWiVoB_Ax81KhCX_RXitaBO-hTzZBEXhteFNT2_IQDwh0qZ3xiX8/s1600/woman_screaming.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGf2RehCxJmNsm2nt9r-dDxrRheimBvCOeFTg2XCP4ffY4M4qh98d3dH48QAWMeXM6Qlss0BEKx5J-JMmXKBd0EkPIaWiVoB_Ax81KhCX_RXitaBO-hTzZBEXhteFNT2_IQDwh0qZ3xiX8/s200/woman_screaming.gif" width="180" /></a></div><span style="font-size: large;">Introduction to our Sample </span><br />
<br />
The initial infection came to my attention from an end user. He had reported all Google searches from his browser seemed to be forwarding to hxxp://findgala.com and he was getting warnings about malware on his computer. The system infected was a reasonably up to date Windows 7 notebook. The system was missing the latest patch for Adobe Flash (v 10.1.102.64). The user did not have administrator privileges, the windows firewall was enabled, Internet Explorer 8 with the default of medium/high security was set for the Internet Zone, and Symantec Endpoint 11.X was installed with up to date definition files. Note that Windows UAC was NOT enabled. <br />
<br />
A quick assessment of the system determined it had been infected with some form of scareware. All existing desktop shortcuts had been removed and two shortcuts named "Computer" and "Internet Security Suite" remained. These pointed to "C:\ProgramData\891b6\ISe6d_2229.exe /z" and "C:\ProgramData\e6db66\ISe6d_2229.exe /hkd" respectively. The folder containing the executable was marked hidden and I noted the process was running via TACKIST /SVC. An icon running in the system tray when accessed presented the following screen.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBwi-g73d8Y7zf9rH6Bn1ZApS2uHMZ_GdPjwPYMnEF-_dRCXiOajY53c_pl27paH_-5nrw-fq2nNBKJn3NpWBrqAC1TU81sNdzOqDzYi3MjhZ30nLG7zuVbGfYuI68Q7a09biW-X9zTW70/s1600/ScreenShot1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="459" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBwi-g73d8Y7zf9rH6Bn1ZApS2uHMZ_GdPjwPYMnEF-_dRCXiOajY53c_pl27paH_-5nrw-fq2nNBKJn3NpWBrqAC1TU81sNdzOqDzYi3MjhZ30nLG7zuVbGfYuI68Q7a09biW-X9zTW70/s640/ScreenShot1.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
Symantec Endpoint Protection seemed to be neutered by the infection as did several other Windows tools including Task Manager. Initial searching on the internet for the title of the malware only pulled links to legitimate Anti Malware products including CA, Zone Alarm, and Verizon's <a href="http://www22.verizon.com/residential/services/securitysuite/securitysuite.htm">Internet Security Suite</a> service.Virus Total returned the following <a href="http://www.virustotal.com/file-scan/report.html?id=19f7bd2c7a74caa586232abefb22aeea224ba14c7d599c89561fba34f33bdf22-1289922742">analysis</a>. Here is a summary of the file submitted:<br />
<blockquote>File Name: ISe6d_2229.exe<br />
File Type: Windows 32 bit Portable Executable<br />
MD5: 699ebebcac9aaeff67bee94571e373a1<br />
SHA1: ed763d1bc340db5b4848eeaa6491b7d58606ade2<br />
File size: 3590656 bytes<br />
First seen: 2010-11-14 01:20:29<br />
Last seen: 2010-11-16 15:52:22</blockquote>My general impression of the GUI was this was a well designed piece of code. I imaged the system with dd and instructed the desktop engineers to wipe the system and reset all the user passwords. This proved to be a mistake on my part as I did not verify my image before they wiped the system. Later I found myself unable to boot the raw image in VMware after converting it to a VMDK with <a href="http://sourceforge.net/projects/raw2vmdk/">Raw2VMDK</a> (blue screen on loading the OS). <br />
<br />
<span style="font-size: large;">Static Analysis</span><br />
<br />
I began with static analysis of the file system by mounting the image with <a href="http://accessdata.com/support/adownloads">FTK Imager Lite</a>. I exported the Master File Table and parsed it with <a href="http://www.integriography.com/">analyzeMFT </a>. With the estimated time of infection obtained from the victim I was able to pinpoint the file's created and modified during the initial infection.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9APey-lx8fEGohgpjNESJegQcozSa5PCfxp2eC65ZWKKfrwf7DClKP3o9pG99BIIEWP5R6-GGXjvloc-yvcAO9ic2WRiJfTdB8MDZYf1Y0MZhHXhWh1SE5BrkqEwzbNNStN0Gj64MaNrK/s1600/MFT_ScreenShotOrignalInfection.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9APey-lx8fEGohgpjNESJegQcozSa5PCfxp2eC65ZWKKfrwf7DClKP3o9pG99BIIEWP5R6-GGXjvloc-yvcAO9ic2WRiJfTdB8MDZYf1Y0MZhHXhWh1SE5BrkqEwzbNNStN0Gj64MaNrK/s640/MFT_ScreenShotOrignalInfection.PNG" width="640" /></a><br />
<br />
The initial few files listed in the MFT caught my attention first.<br />
<blockquote><table border="0"><tbody>
<tr> <td><b>Record </b></td> <td><b>Type</b></td> <td><b>Parent </b></td> <td><b>Filename</b></td> </tr>
<tr> <td>63861 </td> <td>Folder </td> <td>602 </td> <td>e6db66</td> </tr>
<tr> <td>63915 </td> <td>File</td> <td>2755</td> <td>TASKKILL.EXE-8F5B2253.pf</td> </tr>
<tr> <td>63926</td> <td>File </td> <td>2755</td> <td>SETUP_2229[1].EXE-11C68EE8.pf</td> </tr>
<tr> <td>63923</td> <td>File </td> <td>63861</td> <td>ISe6d_2229.exe</td> </tr>
</tbody></table></blockquote>The two prefetch files should give a hint of the name and location of the payload. I use <a href="http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55">Prefetch Parse</a>r to parse the C:\Windows\Prefetch folder to obtain some more details:<br />
<blockquote><table border="0"><tbody>
<tr> <td><b>Record </b></td> <td><b>File</b></td> <td><b>Times Run </b></td> <td><b>UTC Time</b></td> </tr>
<tr> <td>SETUP_2229[1].EXE-11C68EE8.pf </td> <td>SETUP_2229[1].EXE </td> <td>1</td> <td>Sat Nov 13 01:16:53 2010</td> </tr>
<tr> <td>TASKKILL.EXE-8F5B2253.pf </td> <td>TASKKILL.EXE </td> <td>1</td> <td>Sat Nov 13 01:16:53 2010</td> </tr>
<tr> <td>RUNDLL32.EXE-80EAA685.pf</td> <td>RUNDLL32.EXE</td> <td>1</td> <td>Sat Nov 13 01:17:16 2010</td> </tr>
</tbody></table></blockquote>Further analysis of the .pf files gave me the location and names.<br />
<blockquote><span style="font-size: small;"><b>SETUP_2229[1].EXE-11C68EE8.pf </b> </span><br />
<span style="font-size: small;">\USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\SETUP_2229[1].EXE</span><br />
<br />
<b><span style="font-size: small;">TASKKILL.EXE-8F5B2253.pf </span></b><br />
<span style="font-size: small;">\USERS\%USERNAME%\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\G4KYBRHH\ANPRICE=85[1].HTM</span><br />
<br />
<b><span style="font-size: small;">RUNDLL32.EXE-80EAA685.pf</span></b><br />
<span style="font-size: small;">\PROGRAMDATA\E6DB66\ISE6D_2229.EXE</span></blockquote>It does appear the sample originated from the web. Unfortunately, I could not locate SETUP_2229[1].EXE or ANPRICE=85[1].HTM in the image. Most likely overwritten after several days of use post infection, I moved on the parsing the Internet browser history by using MiTeC <a href="http://www.mitec.cz/wfa.html">Windows File Analyzer</a> and began parsing the last few web sites and searches completed by the user. Unsuccessful in locating the source of the payload, I was not able to verify if it was delivered via a vulnerability or user interaction.<br />
<br />
<span style="font-size: small;">I moved on to use the MFT to locate all files associated with the infection and export the hashes. Here is a summary files found in the /[root]/ProgramData folder:</span><br />
<blockquote><table border="0"><tbody>
<tr> <td width="40%"><b>MD5</b></td> <td width="60%"><b>File</b></td> </tr>
<tr> <td>cd407baa9a55b9c303f0c184a68acc5c</td> <td>\E6DB66\6139ba67beb5a1febb1e8cfc73a42e9c.ocx</td> </tr>
<tr> <td>699ebebcac9aaeff67bee94571e373a1</td> <td>\E6DB66\ISE6D_2229.EXE</td> </tr>
<tr> <td>2e317d604f25e03b8e8448c6884f64e3</td> <td>\E6DB66\ISS.ico</td> </tr>
<tr> <td>3ee5ee57af2f62a47d2e93e9346b950f</td> <td>\E6DB66\mcp.ico</td> </tr>
<tr> <td>be44f801f25678e1ffdd12600f1c0bc7</td> <td>\ISKPQQMS\ISXPLLS.cfg</td> </tr>
</tbody> </table></blockquote>The following summarizes files found in the /[root]/users/%username%/ folder:<br />
<blockquote><table border="0"><tbody>
<tr> <td width="40%"><b>MD5</b></td> <td width="60%"><b>File</b></td> </tr>
<tr> <td>2b7509a2221174a82f6a886bbdd2e115</td> <td>\Desktop\Computer.lnk</td> </tr>
<tr> <td>fb16300f2f9799376807b13ad8314ca2</td> <td>\Desktop\Internet Security Suite.lnk</td> </tr>
<tr> <td>fd00cfeecc333aedc56fd428f2b9b5ba</td> <td>\AppData\Roaming\Internet Security Suite\Instructions.ini</td> </tr>
<tr> <td>4635f17db7d2f51651bebe61ba2f4537</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll</td> </tr>
<tr> <td>6032703c3efc5f3d3f314a3d42e2a500</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\cb.exe</td> </tr>
<tr> <td>12ddf77984d6f2e81a41f164bea12a1c</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\cid.sys</td> </tr>
<tr> <td>81c9ad6037c14537044b3e54d8b84c99</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\ddv.exe</td> </tr>
<tr> <td>f28c20c6df79e9fe68b88fb425d36d57</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\eb.sys</td> </tr>
<tr> <td>6274e77cd16d6dbec2bb3615ff043694</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\energy.drv</td> </tr>
<tr> <td>a3342f285bfb581f0a4e786cc90176d2</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\energy.sys</td> </tr>
<tr> <td>1ac2fb2dbd0023b54a8f083d9abbf6db</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\exec.exe</td> </tr>
<tr> <td>2dc3df846ff537b6c3e6d74475a0d03d</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\FW.drv</td> </tr>
<tr> <td>a32f789b1b6f281208fa1c8d54bf8cdc</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\gid.dll</td> </tr>
<tr> <td>b48d1cc8765719a79a9352e2b8f891ef</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\hymt.exe</td> </tr>
<tr> <td>532c6465f4dd9c7bce31b7a7986e3270</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\hymt.sys</td> </tr>
<tr> <td>f941f6eedf5b33a0b49b9787d5f0dfc2</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys</td> </tr>
<tr> <td>2ff0c3a804b85d3e7e6487d9bece6416</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\PE.dll</td> </tr>
<tr> <td>454f06575c9214f7b9cb01c606fd72fe</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\PE.sys</td> </tr>
<tr> <td>243b5a8a95bb4f8822790b8f0c81b82a</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\ppal.exe</td> </tr>
<tr> <td>9d34330ec68d148cc5701d6cd279c84c</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv</td> </tr>
<tr> <td>493fc17532f9b6ac330dbdb3a01a5361</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\sld.drv</td> </tr>
<tr> <td>d0d210a62cb66ff452e9a5cfc8e8f354</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\SM.sys</td> </tr>
<tr> <td>a2ca707ee60338ac5ec964f7685752ba</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\std.dll</td> </tr>
<tr> <td>a1e25ab2f19565f707d85e471f41e08f</td> <td>\AppData\Roaming\Microsoft\Windows\Recent\snl2w.dll</td> </tr>
</tbody> </table></blockquote><span style="font-size: small;">I also noted that the hosts file had been modified at the time of infection. The following is a sample of entries that had been added (note: additional countries root domain entries for the top search engines were also added but are not included in this analysis for </span>simplicity's sake<span style="font-size: small;">):</span><br />
<blockquote>74.125.45.100 4-open-davinci.com<br />
74.125.45.100 securitysoftwarepayments.com<br />
74.125.45.100 privatesecuredpayments.com<br />
74.125.45.100 secure.privatesecuredpayments.com<br />
74.125.45.100 getantivirusplusnow.com<br />
74.125.45.100 secure-plus-payments.com<br />
74.125.45.100 www.getantivirusplusnow.com<br />
74.125.45.100 www.secure-plus-payments.com<br />
74.125.45.100 www.getavplusnow.com<br />
74.125.45.100 safebrowsing-cache.google.com<br />
74.125.45.100 urs.microsoft.com<br />
74.125.45.100 www.securesoftwarebill.com<br />
74.125.45.100 secure.paysecuresystem.com<br />
74.125.45.100 paysoftbillsolution.com<br />
74.125.45.100 protected.maxisoftwaremart.com<br />
69.72.252.252 www.google.com <br />
69.72.252.252 google.com <br />
69.72.252.252 www.google.no<br />
69.72.252.252 www.google-analytics.com<br />
69.72.252.252 www.bing.com<br />
69.72.252.252 search.yahoo.com <br />
69.72.252.252 www.youtube.com</blockquote>Using bintext to pull the strings from ISe6d_2229.exe provided a few interesting things of note. Specifically a company and product name of "limnol" and file and product version of "1.1.0.1010". Searches for this reference with some added keywords found some additional submissions to virus total but nothing that was not already known from my earlier submission.<br />
<br />
There were also strings associated with a Microsoft Windows <a href="http://msdn.microsoft.com/en-us/library/bb756929.aspx">manifest file</a>. Such a file can be embedded in software by the developer to instruct Windows Vista and Windows 7 on what Privileges the software needs to run as. The default setting of "run as the user" was obtained from the strings:<br />
<blockquote><security><br />
<requestedprivileges><br />
<requestedexecutionlevel level="asInvoker" uiaccess="false"></requestedexecutionlevel><br />
</requestedprivileges><br />
</security></blockquote>I continued the analysis by taking a look at the Windows registry. This was done by exporting the HKCU and HKCM hives from the raw image and using both <a href="http://regripper.net/">RegRipper</a> and MiTeC <a href="http://www.mitec.cz/wrr.html">Windows Registry Recovery</a> to analyze the entries. The HKCU Run key contained an entry to autostart the executable on startup.<br />
<blockquote>[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]<br />
"Internet Security Suite"="\"C:\\ProgramData\\e6db66\\ISe6d_2229.exe\" /s /d"</blockquote>In addition, I was able to verify that the registry contained an entry for findgala.com under:<br />
<blockquote>[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]<br />
"URL"="http://findgala.com/?&uid=2229&q={searchTerms}"</blockquote>The [HKEY_CURRENT_USER\Software\Internet Security Suite] key contained several subkeys within it. The entries here seemed to be similar to the contents of the Instructions.ini file found earlier in the appdata folder of the user profile. This file resided in a hidden folder with the same name as the registry key. I have listed one entry as an example here.<br />
<blockquote>[HKEY_CURRENT_USER\Software\Internet Security Suite\23071C180E1E]<br />
"3016131C2F0B18311F0CF4D5EBEEE1"="4746574B4E544E4D4F4FA0B0B8B2B5BFB7BEA8D9C7"<br />
"23071C180E1E31180D0CE1E6E7"=""<br />
"2205012C0A1F2814131A"="4746574B4E544E4D4F4FA0B0B8B3BDBFB2B7A8D9C7"<br />
"3A160B0D2E090534100CF4F3F7E0F0ECE9E9"="4746574B4E544E4D4F4FA0B0B8B2B5BFB7BEA8D9C7"<br />
"3A160B0D3C1E19192E3BCD"="4746574B4E544E4D4F4FA0B0B8B3BDBFB2B7A8D9C7"<br />
"3A160B0D2F0B181C0A1A"="4746574B4E544E4D4F4FA0B0B8B3BDBFB2B7A8D9C7"<br />
"3A160B0D34140E101F13D5F1E6E2F0E0"="4746574B4E544E4D4F4FA0B0B8B2B5BFB7BEA8D9C7"<br />
"3E22081D1B0F19"="46"<br />
"24181415181A1F16"=""<br />
"2205012C0A1F1D091B2DF5EFC1ECF1EBF2"="46"<br />
"3E1E1C1D1F15290D1A1EF4E4C1ECF1EBF2"="46"<br />
"3B1E0A0B15093F120B11F4"="46"<br />
"3218151813154C"=""<br />
"23071C180E1E"="46"</blockquote>Lastly, the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\] key had several entries for what appeared to be legitimate software, tools, and other forms of malware. Entries included; taskmgr.exe, rtvscan.exe (Symantec Endpoint Protection), and dozens of other programs. All legitimate and illegitimate software was being blocked via an entry for debugger with a value of "svchost.exe". <br />
<br />
<span style="font-size: large;">Dynamic Analysis</span><br />
<br />
I began dynamic analysis by first attempting to infect a virtualized Windows 7 system in my lab (Note: all initial attempts were with administrator privileges with UAC disabled). Running the executable seemed to generate a runtime error, so I attempted to run it from the command prompt with the /hkd switch found in the desktop shortcut during static analysis. <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645">Process Monitor</a> was used in an attempt to capture all file, registry, and network connection changes during infection. The following error was displayed;<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqT4DQdiOSbj34zR5a8KTLTZ98GAxXir2DkkFn3zmOq50a1SU51GiI0vSQ6CCQiIX78gdiEAHaL3KUHjCZgI7MUxNP8pniaZ0nKXztdUq0jgsNRXrxxcWc0AmB1dCytiA0lzLLxSqQegRD/s1600/MonitorProgramFound.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqT4DQdiOSbj34zR5a8KTLTZ98GAxXir2DkkFn3zmOq50a1SU51GiI0vSQ6CCQiIX78gdiEAHaL3KUHjCZgI7MUxNP8pniaZ0nKXztdUq0jgsNRXrxxcWc0AmB1dCytiA0lzLLxSqQegRD/s320/MonitorProgramFound.PNG" width="320" /></a></div><br />
Thinking it picked up on Process Monitor, I tried again but without procmon.exe but I was presented with the same error. It seemed that this sample was VM aware. Again I attempted to infect a clean install of Windows 7 on physical hardware with procmon.exe and again, I was met with failure. I turned to utilizing <a href="https://www.honeynet.org/node/315">CaptureBat</a> to monitor file and registry changes during install. Infection proceeded but I noted my sample used for analysis had been removed. On further inspection, it appeared that a .bat file was the culprit. The contents of the file were as follows;<br />
<blockquote><b>MD5 </b> <b>FileName</b><br />
329e8a313f20cd8b4ebf67642331c007 \Users\bugbear\AppData\Local\Temp\del.bat<br />
<br />
:Repeat<br />
del "C:\Users\bugbear\Desktop\e6db66\ISE6D_~1.EXE"<br />
if exist "C:\Users\bugbear\Desktop\e6db66\ISE6D_~1.EXE" goto Repeat<br />
del "C:\Users\bugbear\AppData\Local\Temp\del.bat"</blockquote>I also noted the name of the files and folders associated with the malware seem to vary on each infection. Verification of hashes proved that it was indeed the same malicious program however. File and registry monitoring verified the findings from the static analysis and I noted some additional changes as well. It appeared the rogue software attempts to disable UAC by editing the following registry keys;<br />
<blockquote>registry: SetValueKey C:\Users\bugbear\Desktop\e6db66\ISe6d_2229.exe -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin<br />
registry: SetValueKey C:\Users\bugbear\Desktop\e6db66\ISe6d_2229.exe -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser<br />
registry: SetValueKey C:\Users\bugbear\Desktop\e6db66\ISe6d_2229.exe -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</blockquote>Additional registry entries in HKEY_Current_User were also modified. Including the Internet Explorer proxy and wpad settings under [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]. Additionally, rather than modify the host file directly, the executable seemed to create a temporary host file, remove the old one, and replace it with this new version.<br />
<blockquote>file: Write C:\Users\bugbear\Desktop\e6db66\ISe6d_2229.exe -> C:\Windows\System32\drivers\etc\host_new<br />
file: Delete C:\Users\bugbear\Desktop\e6db66\ISe6d_2229.exe -> C:\Windows\System32\drivers\etc\hosts<br />
file: Write C:\Users\bugbear\Desktop\e6db66\ISe6d_2229.exe -> C:\Windows\System32\drivers\etc\hosts<br />
file: Delete C:\Users\bugbear\Desktop\e6db66\ISe6d_2229.exe -> C:\Windows\System32\drivers\etc\host_new</blockquote>Typical "features" associated with scareware seemed to be included with this sample. The rogue software begins a "scan" of the infected system immediately upon execution. Scan results display "infected" files located in [root]\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent\ folder identified during static analysis.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyUXa4CuH5YZpcvYVwrEjMvXM_pLLrnUE6pp3OK9Nv6PeoadsCWOSV9fhyHjQUl4h7gQZ1x6Y4RpuTQehPa4eGQXV1szea9D4ghX4HCkv_HE1WkNof9LgnjJcBE3Ij6ywKUFivCZwx2e0w/s1600/ScreenShot2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="459" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyUXa4CuH5YZpcvYVwrEjMvXM_pLLrnUE6pp3OK9Nv6PeoadsCWOSV9fhyHjQUl4h7gQZ1x6Y4RpuTQehPa4eGQXV1szea9D4ghX4HCkv_HE1WkNof9LgnjJcBE3Ij6ywKUFivCZwx2e0w/s640/ScreenShot2.PNG" width="640" /></a></div><br />
Please note, no attempt was made to identify these files as legitimate malware by myself, although that may be an interesting exercise for another time. Not unlike an episode of the Soprano's, the victim is intimidated into buying protection and is offered several opportunities to buy a subscription. Multiple subscription options are available.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPXHmkFsx-_JPM3Y_Pwl3oJ6PxwhcccDfMpU1g4ud5jUBKzxcNo2lU1GyS865MN375xpk26v_57XN3CPoIPCfQZ5oUGKXXkkmwpY8oiu9S_s3Dl28rIixcySmG_HA9oiHgK_1sk83HT_sh/s1600/ScreenShot4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPXHmkFsx-_JPM3Y_Pwl3oJ6PxwhcccDfMpU1g4ud5jUBKzxcNo2lU1GyS865MN375xpk26v_57XN3CPoIPCfQZ5oUGKXXkkmwpY8oiu9S_s3Dl28rIixcySmG_HA9oiHgK_1sk83HT_sh/s640/ScreenShot4.PNG" width="640" /></a></div><br />
At one point my lab system spewed a blood curdling scream from its speakers before displaying yet another option to "protect" oneself (a little over the top if you ask me). My favorite feature goes to Chat Support however.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2M4WB06H2NPm_cY6jMXaS2pewOxVs_0ypT9yiZUNBkg2y4KXa_PR2P56OtoURNBzDvZiSU_-G3HjiofetTLZ3-9ZwAbNkxPWEE36PyG8FHuIkChcjQYDZ8Civ2t94dPFOiIleVQ0DGgrV/s1600/Support_Chat.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2M4WB06H2NPm_cY6jMXaS2pewOxVs_0ypT9yiZUNBkg2y4KXa_PR2P56OtoURNBzDvZiSU_-G3HjiofetTLZ3-9ZwAbNkxPWEE36PyG8FHuIkChcjQYDZ8Civ2t94dPFOiIleVQ0DGgrV/s400/Support_Chat.PNG" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQH-eETJkiq57bgr9IPXodVUsYNRJl9cDxoVGjpAm56ntzEpkhR3ohEdKcxPV8ups2meO4T_3gWSBNKuZHTtZnmTbVnptVSOUBDEv4mBKKrEDm4s0Da3GXjKYRtV6kFeoHVacgNm9uXZyT/s1600/ScreenShot5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>I do not think Jane appreciated my bluntness. Network connections for both the subscription service and chat support sessions were collected with the following script which leverages the netstat command.<br />
<blockquote> for /L %1 in (0,0,0) do netstat -anob>>C:\netstat.txt</blockquote>Both IP addresses associated with the subscription service and chat support sessions were registered to hosting providers here in the US. The strangest behavior observed however, was captured with Process Explorer and Wireshark post infection. Multiple instances of ping.exe running under cmd.exe were noted. Upon examination of the packet capture, it appeared the processes were spewing ICMP and SYN packets to two IP Addresses registered to .RU domains.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6zSJjlG1UpLydXLqcMUqUCUnnRCyW-ngzkc1rfAVkU5LTjlFuF2-5tqh8FnNntxdzexh6VvcVWYRNHNd7k_mojRZtZboZAZMv9hpnifesZn3WvWX9-9PoF0_FCRsF2EUDkP7L050SBJbA/s1600/PacketCapture1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6zSJjlG1UpLydXLqcMUqUCUnnRCyW-ngzkc1rfAVkU5LTjlFuF2-5tqh8FnNntxdzexh6VvcVWYRNHNd7k_mojRZtZboZAZMv9hpnifesZn3WvWX9-9PoF0_FCRsF2EUDkP7L050SBJbA/s640/PacketCapture1.PNG" width="640" /></a></div><br />
Soon after this behavor was noted. The executable associated with the infection was mysteriously removed from the system. Attempts to duplicate this behavior later failed. <br />
<br />
Further analysis of the infection and sample was done without administrator rights and with UAC disabled. No edit of the hosts file or registry keys in HKLM were noted, however. The malware still setup shop within the ProgramData and User Profile locations noted with the earlier analysis but the fact the user with the original infection had no administrator rights and the host file and HKLM keys were modified remains a bit of a mystery. One might speculate, the original payload might behave differently.<br />
<br />
Further Google searching utilizing these findings led me to Microsoft's Malware Protecton Center write-up on <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Rogue%3aWin32%2fFakeVimes&threatid=141340">Rogue:Win32/FakeVimes</a>. Although Virus Total had not indicated such, it would seem our sample has had many aliases and upgrades.<br />
<br />
<span style="font-size: large;">Lessons Learned </span><br />
<br />
All in all I learned a lot and had fun analyzing the sample (it beats watching sitcoms). Few things I noted for future analysis attempts.<br />
<ul><li>Always verify your images and keep the original copy if possible (aka don't be a dumbass Tim)</li>
<li>Static file forensics techniques can be very useful during malware analysis</li>
<li> Have multiple tools that can perform similar tasks is sometimes needed</li>
<li>Fear is a powerful marketing angle and the bad guys are getting better at it<br />
</li>
</ul><br />
Feel free to ping me if you would like a copy of the sample. I would be more than happy to trade notes with others.<br />
<br />
<span style="font-size: large;">Update: Questions Unanswered</span><br />
<br />
<i>Updated on December 30, 2010.</i><br />
<br />
<a href="http://perpetualhorizon.blogspot.com/">Curt Wilson</a> was kind enough to <a href="http://securitybraindump.blogspot.com/2010/12/not-just-another-analysis-of-scareware.html#comments">comment</a> on my analysis earlier this week. He brought up an interesting tidbit that I had missed. The title of error message displayed when attempting to perform dynamic analysis in a virtualized environment references <a href="http://www.oreans.com/themida.php">Themida</a>, a known packer used in malware. The following screen shot obtained from Google images is telling:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhooQ09feBqJw7za80P051iKTSStZnH9oQ0i67JfcdMFqJxgOibW9CEw5tBl8wzu0zfiosMdpw_3kprRX4FZXSlNAApWOEDBpX1qhT7qY3SdDHALYFIEj58fr-3e3Y7dR18JZd-5by3EG7P/s1600/themida.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="524" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhooQ09feBqJw7za80P051iKTSStZnH9oQ0i67JfcdMFqJxgOibW9CEw5tBl8wzu0zfiosMdpw_3kprRX4FZXSlNAApWOEDBpX1qhT7qY3SdDHALYFIEj58fr-3e3Y7dR18JZd-5by3EG7P/s640/themida.png" width="640" /></a></div><br />
According to the results of my initial Google searches, Themida has been around for some time. There are some scripts available for OllyDbg to unpack executables using this tech so I hope to continue down the rabbit hole.<br />
<br />
Moreover, I think the files placed in the recent folder of the user profile is worth a quick look, as is the payloads of packet captures. Looks like I have some interesting commutes ahead of me on the train. Until Part II of the analysis, Happy Hunting!Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-71296834406610577822010-10-13T06:20:00.003-04:002010-11-30T12:39:20.800-05:00Hacking a FixThere have been many discussions, rants, and commentary on what it means to be a hacker. Many of us in the security community use the term in its original intended use and despise the way the media and popular culture portrays it. Hacking to many of us is about learning and using that knowledge to make improvements upon software and hardware. I have previously <a href="http://securitybraindump.blogspot.com/2010/05/why-hackers-make-best-it-support.html">posted</a> about the resourcefulness of people that define themselves as hackers. My coding skills are certainly not L337 and I am certainly not dropping 0-day but what I am very skilled at is understanding technical issues and finding unique solutions to them. This post is on one such issue and my obsession to fix it.<br />
<br />
<span style="font-size: large;">The Backstory</span><br />
<br />
I recently exchanged emails with APC support on their use of a self signed certificate for SSL access to the web management interface of Powerchute Network Shutdown (PCNS). Powerchute Network Shutdown is used in conjunction with APC Universal Power Supplies (UPS). The product is used to manage and shutdown servers during power issues and outages. The most recent <a href="http://www.apc.com/products/family/index.cfm?id=127">release</a> is version 2.2.4.<br />
<br />
In previous releases, APC <a href="http://www.cvedetails.com/cve/CVE-2005-4326/">did not support SSL</a> for remote access to the web interface of PCNS. Although the current version now defaults to https, it only supports the use of a self signed certificate provided by APC. The risks of self signed certificates are well recognized. Such configurations can make a Man-in-the-Middle attack on an https session trivial.<br />
<br />
While using a firewall to limit access to the web application or disabling the web service are certainly viable options in some environments, it may not be in others. Since I have a lot of free time during my commute and I tend to obsess about such things, I decided the fix the issue myself.<br />
<br />
<span style="font-size: large;">Poking the Source Code</span><br />
<br />
By default APC PCNS can be found in the C:\Program Files\APC\PowerChute\group1 directory of a Windows system. The software is also available for several *nix distros, so consult the documentation as needed. The web server runs on port 6547 and is hosted on <a href="http://jetty.codehaus.org/jetty">Jetty</a> (Version 6.0.0). By default, version 1.5.0.18 of the Java Runtime Environment (JRE) is installed in C:\Program Files\AP\jre\jre1.5.0_18 directory. <br />
<br />
Although this version of JRE has had its share of <a href="http://www.cvedetails.com/version/79636/SUN-JRE-5.0.html">vulnerabilities</a>, that is not the focus of this post (although if your reading this APC you may want to consider updating your shit).<br />
<br />
I began by decompiling the .jar files associated with the application with <a href="http://java.decompiler.free.fr/">Java Decompiler</a> by Emmanuel Dupuy. A nice feature of Java Decompiler is its search capabilities. This is very useful to find what you’re looking for quickly or in my case stumble through the source code awkwardly. I quickly located the WebServerSettings class in the webServer.jar file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4w7iPlnPTk9zmzS_Ss71U2qpdAVzr1bKW7WhLdcO7hWEeBDKtl91QOu_qWnSOzIEb3642CP1i-bPIhi7zcjZY-MwTiKnGb-uM8ydd_M9UsmEKY_vBbU1uf8SoOn_pusGEFqDYOHH53CcE/s1600/Decompile_WebServer_KeyStorePassword.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4w7iPlnPTk9zmzS_Ss71U2qpdAVzr1bKW7WhLdcO7hWEeBDKtl91QOu_qWnSOzIEb3642CP1i-bPIhi7zcjZY-MwTiKnGb-uM8ydd_M9UsmEKY_vBbU1uf8SoOn_pusGEFqDYOHH53CcE/s640/Decompile_WebServer_KeyStorePassword.png" width="640" /></a></div><br />
<br />
Yes that is the password to the Java keystore hardcoded. Convenient isn’t it?<br />
<br />
<span style="font-size: large;">Certificate Management Hell</span><br />
<br />
So using this newly obtained password we can view the current self signed certificate within the Java keystore with <a href="http://download.oracle.com/javase/1.5.0/docs/tooldocs/windows/keytool.html">keytool utility</a> included with the runtime environment.<br />
<blockquote><i>>keytool -list -v -keystore "C:\Program Files\APC\PowerChute\group1\keystore"</i></blockquote><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8ebAi2Sh8Nh1fflYEvKY5CIAb5H1UQs9JWrqltz432Kk-YyfffTH505j8XZ3EemoCPEebT4RgUYGFBDWw1SwmZpYeKyqfSmecNsW9TUwqGYkBkcBchbchvlJLwYTlx0uPki2q9NGEQmFS/s1600/viewing_contents_keystore_full.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8ebAi2Sh8Nh1fflYEvKY5CIAb5H1UQs9JWrqltz432Kk-YyfffTH505j8XZ3EemoCPEebT4RgUYGFBDWw1SwmZpYeKyqfSmecNsW9TUwqGYkBkcBchbchvlJLwYTlx0uPki2q9NGEQmFS/s640/viewing_contents_keystore_full.PNG" width="566" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div>Once found, I removed the current keystore entry, generated a new one, and created a csr for submission to my CA.<br />
<blockquote><i><span style="font-size: small;">>keytool -delete -alias securekey -keystore "C:\Program Files\APC\PowerChute\group1\keystore"</span></i><br />
<i><span style="font-size: small;">>keytool -genkey -alias securekey -keystore "C:\Program Files\APC\PowerChute\group1\keystore" -dname CN=win7.securitybraindump.com,OU=Infosec,O=SecurityBraindump,L=Boston,S=Massachusetts,C=US"</span></i><br />
<i><span style="font-size: small;">>keytool -certreq -alias securekey -keystore "C:\Program Files\APC\PowerChute\group1\keystore" -file securekey.csr</span></i></blockquote>Please note the following are the default values for the keytool -genkey option. You may want to change these to suit your requirements.<br />
<blockquote><i><b>-keyalg</b> "DSA"</i><br />
<i><b>-keysize</b> 1024</i><br />
<i><b>-validity</b> 90</i><br />
<i><b>-sigalg</b> (Depends on the key algorithm chosen.) If the private key is "DSA", -sigalg defaults to "SHA1withDSA" or if "RSA", the default is "MD5withRSA". </i></blockquote>For the purposes of this post I used a Windows 2003 CA (yes that is as ugly as it sounds but it is what I had readily had available at the time). To submit the csr to the CA, obtain my certificate, and export the CA Root certificate (for the chain) I used <a href="http://technet.microsoft.com/en-us/library/cc725793%28WS.10%29.aspx">certreq</a>. <br />
<blockquote><i>>certreq -Submit -attrib "CertificateTemplate: WebServer" securekey.csr securekey.cer</i><br />
<i>>certutil -ca.cert rootca.cer</i></blockquote>The base-64 certificates can then be imported into the keystore using the -import option.<br />
<blockquote><i>>keytool -import -trustcacerts -v -alias rootca -file rootca.cer -keystore "C:\Program Files\APC\PowerChute\group1\keystore"</i><br />
<i>>keytool -import -v -alias securekey -file securekey.cer -keystore "C:\Program Files\APC\PowerChute\group1\keystore"</i></blockquote>Once imported, verification can be accomplished by using the keytool -list option again.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrN6kTLV7rV1hklk9xALiFbNbGvo-m2R5_z3E_mHRSrpDVBRA4pJF-RhPplI4LvAobtpUCDAm1iJhB2No7_inmF9E5mORYz69kGPbGwFVV1c1a2u29uGBzIZiWysUnbonauUfZDU5_rM8b/s1600/ImportedCerts.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="601" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrN6kTLV7rV1hklk9xALiFbNbGvo-m2R5_z3E_mHRSrpDVBRA4pJF-RhPplI4LvAobtpUCDAm1iJhB2No7_inmF9E5mORYz69kGPbGwFVV1c1a2u29uGBzIZiWysUnbonauUfZDU5_rM8b/s640/ImportedCerts.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
After, installation, you must restart the PCNS1 service. Once restarted you can now enjoy your new, shiny, valid certificate. You may also want to consider changing the keystore password. While this is trivial to do using the keytool utility, the webserver.jar file will need to be altered to reflect the change and then recompiled using the JDK. For this reason, most of the Java development forums I read noted that hard coding the password is not practical. From a security perspective, no matter where the password is stored, you must trust the system storing it. Although I would suspect using the same static password across multiple independent systems is not ideal. If you have experience with the development and security of such systems I am interested in hearing your thoughts on this.<br />
<br />
<span style="font-size: large;">The "R" Word</span><br />
<br />
So what is the <u>Risk</u>? As I mentioned earlier, using a self signed certificate is risky in regards to Man-In-The-Middle attacks. Users tend to ignore certificate warnings. Moreover, it is very feasible to pass a victim the legitimate self signed certificate during an attack. Consequently, the use of a self signed certificate is not providing much protection except against passive sniffing. If the web session to APC PCNS is hijacked, then the credentials to the application could become compromised. Once access is gained, one obvious scenario would be a Denial of Service (DOS) attack by shutting down the systems controlled by the application. I wanted to find something a bit more nefarious, however. It so happens that PCNS allows administrators to not only shutdown systems when events are triggered but also run command files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjxFO8aQLX4reZYafcAEwOWmgXKi0mgnW4slmf8XILmXyt2Lp7xt37EzOzhPjLaO8orj62faK03eWcp2w6yHZpMGRdiaO_Afp3njjXio9HKhYou9tLF4EPB5GNcwjktlcMc6ztjl1gro_1/s1600/powerchute_runcommand_remote.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjxFO8aQLX4reZYafcAEwOWmgXKi0mgnW4slmf8XILmXyt2Lp7xt37EzOzhPjLaO8orj62faK03eWcp2w6yHZpMGRdiaO_Afp3njjXio9HKhYou9tLF4EPB5GNcwjktlcMc6ztjl1gro_1/s1600/powerchute_runcommand_remote.PNG" /></a></div><br />
Note that the command file does not need to be located on the server being attacked. It also should be noted that if running multiple executables from a command file, the following syntax needs to be followed due to a bug in the current release (thank you readme.txt). Note: quotes are only needed if the path contains spaces.<br />
<blockquote><i>@START "some path\evil.exe" arguments</i><br />
<i>@START "some otherpath\pwn.exe" arguments</i></blockquote>I'll let the output from my evil.cmd file containing the "whoami > whoami.txt" command speak for itself;<br />
<blockquote><span style="font-size: large;"> nt authority\system</span></blockquote>NUM! Happy Hunting!Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-9170882934154822732010-08-08T16:46:00.001-04:002010-10-12T13:10:22.010-04:00HacKid Conference<div class="separator" style="clear: both; text-align: center;"></div><i>Updated: New Date! Registration and Schedule is live!</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkPh42mbguKhZgWw2_LrnboneETEnE-9ZQTYsk1SfZmaP7etk6BS4UPEYgrpk44hS4rn3mWwXIU9f1_ibKsc7e6Qg9c29P5cXh_-uRy_yRTWGuqKOOJtiI6qTOA3Qlg3lXW8mtXz53sGRH/s1600/hackid.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkPh42mbguKhZgWw2_LrnboneETEnE-9ZQTYsk1SfZmaP7etk6BS4UPEYgrpk44hS4rn3mWwXIU9f1_ibKsc7e6Qg9c29P5cXh_-uRy_yRTWGuqKOOJtiI6qTOA3Qlg3lXW8mtXz53sGRH/s200/hackid.jpg" width="200" /></a></div> I was at <a href="http://www.securitybsides.com/BSidesBoston">SecurityBSides Boston</a> talking to <a href="http://www.csoonline.com/article/592818/The_HacKid_Conference_A_kid_friendly_idea_whose_time_has_come">Bill Brenner</a> and his two sons about Lego's when <a href="http://twitter.com/beaker">Chris Hoff</a> shared a brilliant idea on twitter. A hacking/security conference for kids and their parents. Soon after <a href="http://www.hackid.org/">Hackid</a> was born and the dates for the first conference were set. <br />
So put aside the weekend of October 9-10, 2010. The first conference will be held at the Microsoft New England Research & Development (NERD) Center in Cambridge, MA. The community driven content has been <a href="http://www.hackid.org/HacKid/Schedule.html">posted</a> and <a href="http://www.regonline.com/register/checkin.aspx?EventId=879779">registration</a> is live. It is the hope of the organizers that this will become the template that can be used at other locations and dates.I think I share a lot of others sentiment when I say this is going to rock!Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-90773094556303871982010-06-29T23:03:00.002-04:002010-09-07T16:37:33.016-04:00Firefox Add-ons FTW!Just a quick post on passwords saved in the browser. After my <a href="http://securitybraindump.blogspot.com/2010/06/post-exploitation-pivoting-with-windows.html">post</a> on credentials stored in the Windows 7 Vault, I started to think about browser passwords and the risks that lurk there. Chris Gates had a similar <a href="http://carnal0wnage.blogspot.com/2010/06/firefox-saved-passwords.html">thought</a> which he posted about yesterday, and Larry Pesce wrote up a detailed <a href="http://pauldotcom.com/2009/09/recovering-firefox-passwords-f.html">analysis</a> last September. <br />
<br />
I personally disable this feature in Firefox but a strong master password would certainly be advisable if you do save passwords within Firefox. While I do not use this feature, I do use a lot of Firefox add-on's. Gmail Notifier, Xmarks Bookmarks, and Echofon Twitter add-on's to name a few. So I naturally turned my attention to those. <br />
<br />
I pondered where these add-on's were storing saved credentials. The answer is in same place Firefox stores them. What a more ironic way to verify this than to use a Firefox add-on (<a href="https://addons.mozilla.org/en-US/firefox/addon/5817/">SQLLite Manager</a>) to query the signons.sqlite database.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxNv3x0NSRkexwH79cMgWVqjXy6HffSpX-US9LvrhBAu0TEFmBBXaS7viTfkoN9W-GbXNdYOwWAZ0zwa-1_DUzSudgG0XfmcDii-GjxNSFo14ItCy4qpGep5xdpMSKn0_c2Pmc2Yzziip9/s1600/ff_logins.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxNv3x0NSRkexwH79cMgWVqjXy6HffSpX-US9LvrhBAu0TEFmBBXaS7viTfkoN9W-GbXNdYOwWAZ0zwa-1_DUzSudgG0XfmcDii-GjxNSFo14ItCy4qpGep5xdpMSKn0_c2Pmc2Yzziip9/s400/ff_logins.png" width="400" /></a></div><br />
As previously covered by Gates and Pesce, conversion of the encrypted passwords is trivial as long as you also have access to the key3.db and there is no master password configured. If you are interested in the details of this, I suggest checking out the documentation <a href="http://kb.mozillazine.org/Password_Manager">here</a> and tool available <a href="http://wejn.org/stuff/display_ff3_passwords_wejn.html">here</a>.<br />
<br />
While this may have been obvious to others, it was not to me. That is one of the many reasons I love this field.<br />
<br />
<br />
<i>Update August 09, 2010</i>: Jeremiah Grossman presented his work entitled <a href="http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html">Breaking Browsers: Hacking Auto-Complete</a> at Black Hat last week. The presentation included examples of using XSS to steal saved credentials in the Firefox and Chrome password managers.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-87599305406943228712010-06-16T08:01:00.006-04:002011-02-16T06:38:51.098-05:00Post Exploitation Pivoting with the Windows 7 Vault<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCWyhFq28JB-WwZNZ7JoAbLtjOWz20Z9Fd0Vrn9RztQNRWv_P4wl69stDhqus6bcxUmjNuCNcX_gkQ4Jdm8BZ1daA7LETDKswW2if2fZdVgfxADWZQq5Ucz9-96KnJT27x8NzAX1NBAK8v/s1600/safe_fail.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCWyhFq28JB-WwZNZ7JoAbLtjOWz20Z9Fd0Vrn9RztQNRWv_P4wl69stDhqus6bcxUmjNuCNcX_gkQ4Jdm8BZ1daA7LETDKswW2if2fZdVgfxADWZQq5Ucz9-96KnJT27x8NzAX1NBAK8v/s200/safe_fail.png" width="200" /></a>I have been poking around with the updated version of Credential Manager in Windows 7 which has been commonly referred to as "Stored User Names and Passwords" in previous version of Windows. Much like its predecessors, the current version of Credential Manager still uses <a href="http://msdn.microsoft.com/en-us/library/Aa302353">Data Protection API (DPAPI)</a>, but Windows 7 now stores saved credentials within the <a href="http://www.neowin.net/news/main/09/03/07/windows-7-exploring-credential-manager-and-windows-vault">Windows Vault</a>. Such credentials can include; user names and passwords used to log on to network shares, websites that use Windows Integrated Authentication, Terminal Services, and many third party applications such as Google Talk .<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWYQUrT2KNAmTke4t1SsltbQQV5ZzzYxmKo6o2waDFBvwZW1Q4Mw89JtBOiirsIdD5sCFGvvELE-OVMj2G1ftNV-8_PKBpfLfgGep9KXhCyEwzIYlSd387p_IliIq8gL1YdKiNFjMSX-MU/s1600/cred_mgr_capture.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWYQUrT2KNAmTke4t1SsltbQQV5ZzzYxmKo6o2waDFBvwZW1Q4Mw89JtBOiirsIdD5sCFGvvELE-OVMj2G1ftNV-8_PKBpfLfgGep9KXhCyEwzIYlSd387p_IliIq8gL1YdKiNFjMSX-MU/s400/cred_mgr_capture.png" width="400" /></a></div><br />
Credential Manager and DPAPI has been under scrutiny in the past. Cain & Able has had a <a href="http://www.oxid.it/ca_um/topics/credential_manager_password_decoder.htm">decoder</a> for some time. More recently, researchers from Standford University presented at <a href="http://www.blackhat.com/presentations/bh-dc-10/Picod_Jean-Michel/BlackHat-DC-2010-Picod-DPAPI-slides.pdf">Black Hat DC 2010</a> about their <a href="http://www.dpapick.com/index.php?p=home">DPAPI research</a>.<br />
<br />
While breaking the crypto associated with this feature might be useful (i.e. if credentials are re-used elsewhere), it is not always necessary. The purpose of the Credential Manager is to pass saved credentials to resources commonly accessed by the user. Once you have gained access to a host as the unprivileged user (take you pick of code execution bugs, Adobe pdf's seem to be popular these days), then you can certainly leverage this feature to pivot to resources referenced within the Windows Vault. Keeping a low forensics profile would be preferred, so I attempted to find existing command line tools that were already available on the host. After poking at Windows 7 for a while, I found an undocumented utility called vaultcmd.exe in the System32 folder that appeared useful. The following is the output of the supported switches for vaultcmd;<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUSeQ6fB52XZP4GrJhRMOU1BhIqKIY_UPa5kP4kLLzR0chLdLhuCwuVglg750iaCfZUR_A60DPtWbt0VTdLYlJIWHm38aOdvJit4sp5If3j0l4mDjKgPD8ZnuLeX3IC9B1cWebesq95E1W/s1600/vaultcmd_help.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUSeQ6fB52XZP4GrJhRMOU1BhIqKIY_UPa5kP4kLLzR0chLdLhuCwuVglg750iaCfZUR_A60DPtWbt0VTdLYlJIWHm38aOdvJit4sp5If3j0l4mDjKgPD8ZnuLeX3IC9B1cWebesq95E1W/s640/vaultcmd_help.png" width="640" /></a></div><br />
The /list switch allows us to view all Windows Vaults available on the host for the current authenticated user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNL6lKULu7lOrV_z8RJpPKavHrNO1ap0sY8X6T0rXQ27_M0Z2pcqjr1oc59ibBOmUUtAWPDgpLaehn6FG2drF8K4HS0PW8KSaHe0nJvHpR-kuLjKsy9a1wmIG4aJiN8gvrWzD4wGJwXgLw/s1600/vaultcmd_list.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNL6lKULu7lOrV_z8RJpPKavHrNO1ap0sY8X6T0rXQ27_M0Z2pcqjr1oc59ibBOmUUtAWPDgpLaehn6FG2drF8K4HS0PW8KSaHe0nJvHpR-kuLjKsy9a1wmIG4aJiN8gvrWzD4wGJwXgLw/s640/vaultcmd_list.png" width="640" /></a></div><br />
It appears in this example, the two default Vaults are the only ones that exist on this host. Also note that since the user is already authenticated, the vaults are in an unlocked state. Running the /listproperties switch against each vault lists some more details, including the number of credentials saved in each location.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSd78VaAkJXkAu2OS2k0POE82ozAgMktnE2KmBlfhauK02em1icIhqfj0d8ckkEyt-ApzuWfaHgxME4tAE-dc8mvgVyFI0Ss5T5GIDcAeIlR6Mzg5aZJVqWRE8YYjUPYhz8me5zQCm2leg/s1600/vaultcmd_listproperties.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSd78VaAkJXkAu2OS2k0POE82ozAgMktnE2KmBlfhauK02em1icIhqfj0d8ckkEyt-ApzuWfaHgxME4tAE-dc8mvgVyFI0Ss5T5GIDcAeIlR6Mzg5aZJVqWRE8YYjUPYhz8me5zQCm2leg/s640/vaultcmd_listproperties.png" width="640" /></a></div><br />
Finally, the /listcreds switch gives us our newly found targets.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXc5unXXKL30WScdihhHUQ9U70lRXbuOrNznGTOk7d7tZ4LyXyJzqmcAIiCMmcrwv8ATxH95qm8bBYhuHsd1BLH3TG2IxasjKxDhSZz0bSTTAmYAI7_84sjyo-mDAHZGvZ5awDf-L8OPq2/s1600/vaultcmd_listcreds.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXc5unXXKL30WScdihhHUQ9U70lRXbuOrNznGTOk7d7tZ4LyXyJzqmcAIiCMmcrwv8ATxH95qm8bBYhuHsd1BLH3TG2IxasjKxDhSZz0bSTTAmYAI7_84sjyo-mDAHZGvZ5awDf-L8OPq2/s640/vaultcmd_listcreds.PNG" width="640" /></a></div><br />
It appears, our unprivileged user has stored domain administrator credentials for two domain controllers. While this is certainly more secure than running as domain administrator locally, DPAPI adds no added security in this scenario since local access to this host has been gained. Now that we have completed our reconnaissance, we can pivot and access the servers by simply using the installed tools at our disposal. In the following example, I use psexec and the SET command to verify I have domain administrator access to DC-01 without having to specify a user name and password.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioPVX6wm4o_ETDPo3kiZj9bgcYGGk-38XPtD24a5yEnzmL85Pi5Xx88_WlYHxzAZh0nMzubIgh5x-UbfSHUb-iFDlB7FvU1HYywpiXiZ7xhcrFo0g68MxuGoG2FRN1_-6jtSJFFaZbWctc/s1600/remotecmd_usingsavedcreds.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioPVX6wm4o_ETDPo3kiZj9bgcYGGk-38XPtD24a5yEnzmL85Pi5Xx88_WlYHxzAZh0nMzubIgh5x-UbfSHUb-iFDlB7FvU1HYywpiXiZ7xhcrFo0g68MxuGoG2FRN1_-6jtSJFFaZbWctc/s640/remotecmd_usingsavedcreds.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><br />
I was also able to access the the domain controller's Admin shares via the NET USE command using stored credentials within the Windows Vault.<br />
<blockquote>net use P: \\dc-01\C$ </blockquote>In addition, since the Windows Server Administrator tools were also already installed on the host, I also verified that the Windows Vault was passing these credentials to Active Directory Users and Computers and the Remote Desktops Client.<br />
<br />
I attempted to change some of the default settings for the vault using the /setproperties switch. For Example; it appears that vaultcmd has the ability to set a password on a vault;<br />
<blockquote>vaultcmd /setproperties:"Windows Vault" /set:AddProtection /value:Password <br />
vaultcmd /setproperties:"Windows Vault" /set:DefaultProtection /value:Password</blockquote>But any attempt I made was met with the error; "The request is not supported.". So I would be interested to see if anyone can find additional documentation on this utility or the Windows Vault. I have not been successful in finding anything to date.<br />
<br />
Some have suggested that any password management tool that hooks into the browser or operating system is more of a risk than a stand alone application that requires additional authentication mechanisms. While I generally agree with this, the emerging capabilities of attack and forensic tools that acquire volatile memory from a host (and consequently decrypted credentials), only require a bit more patience. Of course such tools, must be loaded on the compromised host increasing the forensic footprint the intruder leaves behind.<br />
<br />
Happy Hunting!Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-88437246551487191102010-06-07T21:43:00.008-04:002011-06-10T08:13:40.794-04:00Forensics Analysis: Windows Shadow CopiesMicrosoft Windows Vista and 7 includes the <span id="intellitxt" name="intellitxt">Volume Shadow Copy Service (VSS) which are leveraged by </span><span id="intellitxt" name="intellitxt">System Restore and Windows Backup features of the Operating System. By default, this service is turned on and the amount of backups stored depends on the disk size and settings. There is a potential wealth of forensic evidence available within Shadow Copies and </span>even though I am not the first to write about leveraging Shadow Copies for forensic purposes, I thought it was worth writing a quick post here.<br />
<br />
<a href="http://technet.microsoft.com/en-us/library/cc754968%28WS.10%29.aspx">Vssadmin</a> is a command line tool that can be used to display current VSS backups. To do so, use the syntax;<br />
<blockquote><b><i>vssadmin list shadows /for=c:</i></b> (where c: is the volume your working with). </blockquote>Here is an example of the output;<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Qiz0TYjGUJMKmLmUejNfY7xDaN4vO9MYkRW8XBaK2GmHrGQAEUVEzcnDetO2l5p3xEFroqOxIgzWsemGhyphenhyphengdgjQI_9nD0T2ix0kT0dtj5Se1A3jN85WqLAZ6-kyC4otdAXh3v0AVRw6J/s1600/vssadmin_list_shadows.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Qiz0TYjGUJMKmLmUejNfY7xDaN4vO9MYkRW8XBaK2GmHrGQAEUVEzcnDetO2l5p3xEFroqOxIgzWsemGhyphenhyphengdgjQI_9nD0T2ix0kT0dtj5Se1A3jN85WqLAZ6-kyC4otdAXh3v0AVRw6J/s640/vssadmin_list_shadows.PNG" width="640" /></a></div><br />
Make sure to note the Shadow Copy Volume you want to analyze and use it with <a href="http://technet.microsoft.com/en-us/library/cc753194%28WS.10%29.aspx">Mklink</a> to create a symbolic link to the backup. For example<b>;</b><br />
<blockquote><b><i>mklink /d C:\shadow_copy1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ </i></b>(note: the trailing back slash as it is needed). </blockquote> Once created you can browse the symbolic link as you would any folder and restore files of interest by copying them out.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZPhaMvrZ_JkjDhQtORFU45o8h7tFx2dz0MK9loEKaYRuauVzEsV0XrHAuQMzU-pTfZmFusTpV50cqyfCGQ_mAMmlWMLld0xxAx_BhXfAzMEfIu6MYTXcIq5D8D2O7abGhxHwrwPocqfV6/s1600/browse_symbolic_link.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZPhaMvrZ_JkjDhQtORFU45o8h7tFx2dz0MK9loEKaYRuauVzEsV0XrHAuQMzU-pTfZmFusTpV50cqyfCGQ_mAMmlWMLld0xxAx_BhXfAzMEfIu6MYTXcIq5D8D2O7abGhxHwrwPocqfV6/s640/browse_symbolic_link.PNG" width="640" /></a></div><br />
Happy Hunting.<br />
<br />
References:<br />
<a href="http://blogs.msdn.com/b/adioltean/archive/2008/02/28/a-simple-way-to-access-shadow-copies-in-vista.aspx">MSDN Blog: A Simple Way to Access Shadow Copies in Vista</a><br />
<br />
<i>Updated June 10, 2011</i><br />
<br />
I came across a <a href="http://computer-forensics.sans.org/blog/2011/06/09/vscs-logparser">great post</a> from <a href="https://twitter.com/4n6woman">@4n6woman</a> on using Log Parser to parse mounted VSC's and preserve the MD5 HAshes and Metadata for easy querying. Thought I would share.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-11112559625814765462010-06-03T14:35:00.001-04:002010-06-03T14:36:44.909-04:00PaulDotCom EP200: The Hackers for Charity Podcast-a-ThonTomorrow I will be trekking south the hang with the PaulDotCom crew for the 8 hour recording of <a href="http://pauldotcom.com/wiki/index.php/Episode200">Episode 200</a>. They will be <a href="http://pauldotcom.com/live/">streaming live</a> and it looks like they are pulling out all the stops for this episode. There will be interviews, tech segments, and appearances from HD Moore, Johnny Long, Lenny Zeltzer, Ron Gula, Jack Daniel, and a couple of surprise guests. <br />
<br />
The show is dedicated to raising awareness and money for Johnny Long's <a href="http://www.hackersforcharity.org/hackers-for-charity/get-involved/">Hackers for Charity</a>. If you are not familiar with the work Johnny is doing with HFC, <a href="http://www.hackersforcharity.org/">take a look</a>! Donations can be made via the donate button on the <a href="http://pauldotcom.com/2010/06/episode-200-with-hd-moore-sock.html">PaulDotCom website</a> or via the HFC <a href="http://www.hackersforcharity.org/hackers-for-charity/get-involved/">Get Involved Page</a>. So help out with a donation and listen live tomorrow!Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-3200846627105012782010-05-24T21:50:00.001-04:002010-05-24T21:50:39.559-04:00The Security Bloggers Network<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><a href="http://www.blogger.com/goog_2011169533"></a>Rich Mogull of <a href="http://www.securosis.com/">Securosis</a> recently published a blog post entitled <a href="http://securosis.com/blog/is-twitter-making-us-dumb-bloggers-please-come-back">Is Twitter Making Us Dumb? Bloggers, Please Come Back</a>. Rich summarizes his experience starting a blog and shares his perspective on the diminishing amount of blogging.<span class="fn"> Alan Shimel</span> who runs the <a href="http://www.securitybloggersnetwork.com/">Security Blogger Network</a> quickly followed up with his own <a href="http://www.ashimmy.com/2010/05/calling-all-security-bloggers-come-out-come-out-where-ever-you-are.html">post</a>.<br />
<br />
I too have noticed that my RSS reader is not nearly as full as it once was. Many of the resources I have today in my RSS Reader came from the Security Bloggers Network after stumbling upon it several years ago. The blogs I was introduced to through the SBN opened up a new world for me. I was introduced to thoughts and opinions from every corner of the security community. Many of which I had never considered. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrBYWX468BD4dGk1S8RIordRfUnjQDo3JSZImeF0qU7KLuL2-b8uIq8eWxIHWDDbGe_z1pRUS3brhElorU5Oh9sMZtJYAXK-Mp02liCcBW8ZRMTkTsFiD87_qUmPrBBCEe_HYRcP3LPqx8/s1600/sbn-logo.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrBYWX468BD4dGk1S8RIordRfUnjQDo3JSZImeF0qU7KLuL2-b8uIq8eWxIHWDDbGe_z1pRUS3brhElorU5Oh9sMZtJYAXK-Mp02liCcBW8ZRMTkTsFiD87_qUmPrBBCEe_HYRcP3LPqx8/s320/sbn-logo.gif" /></a></div><br />
When I started my own blog about a year ago, it never occurred to me to even join. In retrospect, it may have been lack of confidence, as I was not sure what I was going to write about. I just knew that there were some thoughts I needed to rant about and blogging seemed like a logical medium. But I quickly found blogging to be an rewarding experience and I am currently backlogged with so many ideas for posts, I have enough material for the remainder of the year.<br />
<br />
So I am proud to announce, I am a new member of the Security Bloggers Network. If you have a blog, I recommend you consider joining. If you do not have a blog I ask you to consider starting one, as it can be a rewarding experience to both the author and the reader, alike.<br />
<div class="separator" style="clear: both; text-align: center;"></div>Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0tag:blogger.com,1999:blog-7055243034201530750.post-49429936619330404182010-05-03T21:33:00.000-04:002010-05-03T21:33:02.551-04:00Why Hackers make the Best IT Support ProfessionalsThis is a thought that I have had brewing for some time and I will attempt to not rant too much. Throughout my IT career, I have been watching many IT Support professionals immediately go for a quick fix to technology issues. This is not to say a quick fix isn’t always warranted. The constant barrage of support issues, end users broad siding you as you attempt to grab lunch, and evolving technology is indeed a challenge. I feel your pain. I've been there, I've done that, and I still do it on a daily basis. The beating support people take can cause even the most saintly to lose his/her patience.<br />
<br />
However, I feel the trend of the quick fix, seems to be worsening. In InfoSec, the quick fix is often used in conjunction with FUD (fear, uncertainly, and doubt) to sell those magical products with blinking lights that are going to make the latest attack vectors just magically disappear. The problem with this concept is the same in all subsets of Information Technology, however. How many of us have told colleagues, friends, and family to reboot as a solution to an issue? How many of us have told them to do so more than once for the same issue? See the quick fix is not really a fix at all, it is procrastination. <br />
<br />
I like to think that we as IT Professionals, whether desktop support, enterprise architects, coders, or InfoSec pursued our career because we all had the common love of technology. Many of us have the inquisitive nature that would rival any scientist. This makes us all brothers and sisters alike. The inquisitive nature that I felt when powering on my TI99-4A in 1981 is still with me today. This is why I chose this career. <br />
<br />
Some of the most inquisitive people I have met while working in IT have been those who have self dubbed themselves "hackers". These are not the "hackers" the media would have you believe are hijacking your wireless and stealing your digital valuables. These are self proclaimed geeks who love computers. They are not always InfoSec professionals. They may work on a helpdesk, as a systems administrator, or at the local Radio Shack. They enjoy taking things apart and putting them back together in ways that improve the technology. See hackers understand the concepts of efficiency and availability. These concepts are the foundation of supporting any business. It is what our employee’s pay us our salaries for, regardless of the subset of IT we may fall under.<br />
<br />
Efficiency and availability is not about reboots and resets. It is about getting to the root of an issue, learning from it, and improving the system(s) from what you have learned. So take the time to understand the technology issues you come across. It can be fun and productive. If you are not feeling the love for your technology career of choice, then ask the hacker working at the local Radio Shack if he or she is willing to trade careers with you. I suspect they would jump at the chance.Bugbearhttp://www.blogger.com/profile/14247847449190414614noreply@blogger.com0