Report SPAM (eMail)

October 29, 2009

The Federal Anti-Spam law (Effective January 1, 2004) requires that you have implicit permission to send a commercial email to a new prospect that promotes a product or service-for-pay. Your valid postal mailing address must also be present in all mailings.  If the prospect notifies you by messaging back to be removed, you must honor their opt-out request within 10 days as indicated in the 2004 Anti-Spam law.

Note that the web site you are sent to when you open unsolicited commercial email (SPAM) is rarely the domain which sent the SPAM. Reporting the web page to SPAM filtering services does not improve SPAM filters. The domain to report is in the email header, not the email body.

Don’t worry about figuring out the header. Send unsolicited commercial email (SPAM) to SpamCop.net, KnujOn and spam@uce.gov.

Figuring out the header: How do I get my email program to reveal the full, unmodified email? Interpret the results using http://mxtoolbox.com/EmailHeaders.aspx or the “Message Analyzer” tab of https://testconnectivity.microsoft.com/.
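As an added illustration of the point above (not code from the original post), the following walks the Received: chain of a constructed message and shows that the host the message actually came from differs from both the From: header and the link in the body. The host names, addresses and the local server name are all made up for the example.

```python
"""Pull the reportable origin out of an email's Received: headers (added example; sample is constructed)."""
import re
from email import message_from_string

# Constructed sample: the body links to one domain, the From: header names another,
# and the Received: chain shows the message actually came from a third.
RAW_MESSAGE = """\
Received: from mx.example-isp.test (mx.example-isp.test [192.0.2.10])
\tby inbox.example.test with ESMTP id abc123; Thu, 29 Oct 2009 10:00:00 -0500
Received: from bulk-sender.example.net (bulk-sender.example.net [198.51.100.7])
\tby mx.example-isp.test with SMTP id xyz789; Thu, 29 Oct 2009 09:59:50 -0500
From: "Deals" <offers@promo.example.org>
To: victim@example.test
Subject: Special offer
Content-Type: text/plain

Click http://landing.example.com/offer to claim your prize.
"""

# Common shape: "from <helo name> (<reverse DNS> [<ip>]) by <receiver>".  The name after
# "from" is what the connecting host claimed; the reverse DNS, the IP in brackets and the
# "by" host were written by the receiving server.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<host>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def received_hops(raw):
    """Return the Received: chain oldest hop first, one dict per parseable header."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()  # undo header folding
        match = RECEIVED_RE.match(flat)
        if match:
            hops.append({k: (v or "") for k, v in match.groupdict().items()})
    hops.reverse()  # each relay prepends its header, so the last one listed is the first hop
    return hops


def body_domains(raw):
    """Hostnames linked from a plain-text body: the domains NOT to report, per the post."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    return sorted({h.lower() for h in re.findall(r"https?://([^\s/]+)", body)})


def reporting_summary(raw, local_host):
    """What a spam report should carry: the origin hop, plus the IP your own server recorded."""
    hops = received_hops(raw)
    origin = hops[0] if hops else {}
    # Hops older than the one written by your own server could have been forged by the
    # sender; the IP recorded in your server's own hop is the one fact you can vouch for.
    own = next((h for h in hops if h["by"].lower() == local_host.lower()), {})
    from_addr = message_from_string(raw).get("From", "")
    from_domain = from_addr.rsplit("@", 1)[-1].rstrip(">").lower() if "@" in from_addr else ""
    return {
        "origin_host": origin.get("host", ""),
        "origin_ip": origin.get("ip", ""),
        "ip_seen_by_local_host": own.get("ip", ""),
        "from_header_domain": from_domain,
        "body_domains": body_domains(raw),
    }
```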

Defend against SPAM with MailWasher.

URIBL.COM is a service that distributes information about domain names as they are related to email, primarily Unsolicited Bulk/Commercial Email (UBE/UCE). URIBL.COM serves this information via Public DNS, RSS Feeds, as well as local Data Feeds via rsync. Our data is used primarily to complement your existing Anti-Spam software. URIBL is enabled by default in the popular open source SpamAssassin software and several other commercial offerings.

Other SPAM advice at AdOut.org.


Web Browser Forensics

October 7, 2009

What question were you trying to answer? Could it be:

  • Where did this malicious software come from?
  • What web sites has this person been visiting?

What access do you have? Could it be:

  • A single machine, and I have local access
  • Multiple machines, and I have remote access

Don’t forget that you may wish to search unallocated disk space for deleted web cache information. See Digital Forensics Links.

Is this actually a Forensics examination (where you care about preserving evidence) or is this an Incident Response root cause examination, where discovery (and not legally admissible evidence) is the goal?

The answers affect the tool you choose and how you use it. For example, in a “concerned parent” scenario there is a single Windows machine using Internet Explorer, for which you have local access, and you want to learn the web sites visited. Use Mandiant Web Historian and inspect the C:\Users\<userid>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat file. (A firewall log of successful web connections would be of more help.)

On the other hand, consider a large environment that investigates web-based malware alerts. Here the questions are: where was the threat encountered and what else arrived from that site or around that time. As part of the alert, you have the machine name and user id and the name of the malicious file.

An appropriate tool to collect web browser history and evidence would be CacheGrab and its companion interpreter CacheBack.

CacheGrab® is our standalone cache and history recovery tool that can be used on any logically mounted volume or virtual file system, including disks mounted using Physical Disk Emulation. CacheGrab does not require any purchase or licensing and may be used freely. Users should note that this version of the program only searches logical volumes at this time, and the ability to search physical disks and unallocated space will be available with the release of CacheGrab® Version 2, sometime in early 2010.

Note the features of CacheBack:

  • Multiple browser support. Rebuild cached web pages and examine Internet histories for Internet Explorer (ver. 5-8), Firefox (ver. 2-3), Opera (ver. 9-10), Safari (ver. 3-4), and Google Chrome (ver. 1-4).
  • View cached web pages and pictures in a single consolidated thumbnail gallery making it easy to zero in on artifacts of interest.
  • Comb through complex histories and large cache repositories using the powerful multi-tabbed, multi-functional WYSIWYG interface.
  • Combine the built-in Query Manager window, Quick Queries and compound query filtering options to drill down efficiently on large datasets.
  • Produce visually compelling, rich HTML reports of rebuilt web pages and picture evidence with valuable metadata.
  • Publish reports to any destination folder or removable media keeping the evidence intact and portable.
  • Display timestamps in any selected time zone and choose to observe daylight savings for any region. Completely system independent.
  • Powerful Link Analysis to identify matches between history URLs and hyperlinks found in web pages (e.g., which links might have been clicked or visited).
  • Multiple tabbed views of the same evidence (Browser, Text, Hex, Picture, Audit and Links).

These features may be more than you need.

If you only need to be concerned about Internet Explorer, then grab copies of the Index.dat files, saving them with names that make them distinguishable later. Use Pasco (http://www.sourceforge.net/projects/fast) to make tab-separated text files from the dat files.

A batch file to make this task easier:

@echo off
rem Usage: <this batch file> <machine name or IP address> <userid>
rem Copies a user's IE cache and history index.dat files from a remote machine over
rem the administrative share, then converts each to tab-separated text with pasco.
if "%~2"=="" goto ERR_SYNTAX
set IEDATA=\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows
copy "%IEDATA%\Temporary Internet Files\Content.IE5\index.dat" "%1_%2_cache_index.dat"
rem The history index.dat carries the system and hidden attributes, which copy skips;
rem clear them long enough to take the copy, then put them back.
attrib -s -h "%IEDATA%\History\History.IE5\index.dat"
copy "%IEDATA%\History\History.IE5\index.dat" "%1_%2_history_index.dat"
attrib +s +h "%IEDATA%\History\History.IE5\index.dat"
pasco "%1_%2_cache_index.dat" > "%1_%2_cache_index.txt"
pasco "%1_%2_history_index.dat" > "%1_%2_history_index.txt"
goto EXIT
:ERR_SYNTAX
echo Error - requires two parameters, machine name (or IP address) and userid
:EXIT

When loading the tab-separated text file into Excel, some columns won’t line up. Close enough for my purposes, though.

Note that this problem in Excel is because some of the original fields in the index.dat file contain tabs; using pasco to create a tab-separated text file when some fields contain tabs is problematic. If you wish to be consistent, fields rarely contain pipe characters; creating a pipe character-separated text file will produce a more consistently formatted Excel spreadsheet.

The questions again were: Where was the threat encountered and what else arrived from that site (or around that time).

Search the resulting text file for the detected malicious file. This turns up a lot of undetected malware. A malicious site rarely sticks to only one threat. A site typically hangs on to the older, already detected threats when breaking in a new, undetected threat. Get a sample of the new, undetected threat and submit it to vendors. You will also turn up a pattern of sites and ASNs. Report sites, blacklist sites, and the count of detected threats goes down.

Where to find browser history

  • Internet Explorer (history): C:\Documents and Settings\<windows login>\Local Settings\History\History.IE5\index.dat
  • Internet Explorer (cache): C:\Documents and Settings\<windows login>\Local Settings\Temporary Internet Files\index.dat
  • Mozilla: history.dat in the profile folder C:\Documents and Settings\<windows login>\Application Data\Mozilla\Profiles\default\bsczxlvc.slt (cache entries sit alongside it, e.g. Cache\572222B7d01)
  • Netscape: history.dat
  • Firefox: C:\Documents and Settings\<windows login>\Application Data\Mozilla\Firefox\Profiles\ygeipybb.default\history.dat
  • Safari: history.plist
  • Opera: global.dat

Check query history

  • Google toolbar: C:\Documents and Settings\[userid]\Application Data\Google\Local Search History

Where to find passwords

  • Firefox: C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\vyzux15h.default\signons.sqlite (or signons3.txt in the same profile folder)

Where to find chat logs

  • Trillian: C:\Program Files\Trillian\users\default\logs
  • MSN Messenger (post version 7.0): C:\Documents and Settings\<user>\My Documents\My Received Files\<account>\History
  • AOL Messenger: C:\program files\users\default\log\AIM\Query
  • Yahoo Messenger 6.0: C:\Program Files\Yahoo!\Messenger\Profiles\<profile>\Archive\Messages
  • mIRC: C:\program files\mirc\logs
  • GAIM: *nix ~/.gaim/logs; Windows \Documents and Settings\user\Application Data\.gaim\logs. Look for the screenname under the protocol directory.
  • Miranda Messenger: C:\Program Files\Miranda IM\Logs
  • Exodus 0.9.x: C:\Documents and Settings\<user>\My Documents\Exodus-Logs\<user>_<server>.html
  • iChat: /Users/<user>/Documents/iChats

Tim Mugherini presents NTFS MFT Timelines and Malware Analysis


Lessons from the Heartland Data Breach

September 14, 2009

View “Lessons from the Heartland Data Breach” on Vimeo to hear from Robert O. Carr, the particular victim. Read his testimony before the United States Senate Committee on Homeland Security and Government Affairs. An apparently secure (even audited, pen tested and forensically examined) organization was breached. You can be PCI DSS compliant, and pay the penalties of an information breach.

My take-aways from the Heartland breach: Note that a SQL injection vulnerability was discovered, then remediated. Too late, as it turns out; the damage was done. Previously undetected malware was running on the system. Even though an intrusion was suspected, this malware escaped the detection of auditors, pen testers and (for a long time) forensic examiners. In the end, forensic examiners found the vital clue that revealed that a security breach had occurred, was occurring, and the intrusion response procedure needed to be invoked.

Why so long? Undetected malware is not the sort of problem auditors would look for. Pen testers would fail since the system had been hardened after the breach. A more efficient approach to a forensic examination would have been to have a set of hash values of known good files, compute the hash values of the current files, and inspect the files that do not match the “known good” list. See Simple Malware Discovery Measures for additional approaches.
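The known-good comparison just described, as an added example (not from the post): hash a tree, keep the list, later re-hash and look only at what differs. The sample tree, the file contents and the tampering are constructed in a temporary directory; in practice the baseline comes from clean media, not from the suspect host.

```python
"""Known-good hash baseline comparison (added example; sample tree and tampering are constructed)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def compare_to_baseline(baseline, current):
    """Files that fail the known-good check, grouped by why: new, changed, or gone.
    'added' and 'modified' are what the examiner inspects first."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def write_files(root, files):
    """Helper for the constructed sample: write {relative path: bytes} under root."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)


def demo():
    """Build a constructed 'known good' tree, take the baseline, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        write_files(root, {
            "system32/winlogon.exe": b"known-good winlogon",
            "system32/kernel32.dll": b"known-good kernel32",
            "app/config.ini": b"key=value",
        })
        baseline = hash_tree(root)  # real baselines come from trusted media, not the suspect host
        # Constructed tampering: one binary replaced, one new file dropped in, one file deleted.
        write_files(root, {
            "system32/winlogon.exe": b"trojaned winlogon",
            "system32/svch0st.exe": b"dropped file",
        })
        os.remove(os.path.join(root, "app", "config.ini"))
        return compare_to_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```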

The Hannaford Brothers breach is also attributed to undetected malware.

My theory is that malware never (perhaps rarely) travels alone. Previously undetected malware is always (perhaps usually) accompanied by detected malware. Reliance upon anti-virus software to detect all malware is false confidence. Investigation of detected malware yields information you want to use, and that information may be about previously undetected malware or about where malware is coming from. Was there detected malware that accompanied the undetected malware in the Heartland breach example?

I do agree that encryption of data is an additional defense, an additional preventative measure. There is also a need for readily available detective measures; reliable mechanisms to confirm or deny an incident quickly.

See also: Online Trust Alliance (OTA) 2011 Data Breach & Loss Incident Readiness Guide


Incident

May 26, 2009

Start with Creating a Computer Security Incident Response Team: A Process for Getting Started. Review DataLossDB, the research project aimed at documenting known and reported data loss incidents world-wide. You want an Incident Response procedure and an Incident Response team created and tested before you need it. Members of the team should have copies of the procedure, and Lenny Zeltser’s cheat sheets. Test your plan regularly. Learn the gaps and revise. Search for “Incident Response Plan” and you will find many examples of published Incident Response Plans. See ENISA’s Support For CERTs/CIRTs for examples and practice exercises.

However, which came first: the incident or the declaration of the incident? The incident. If an incident occurs in a forest, and there’s no one there to notice it, does it still occur? Yes.

From the U.S. Army Information Assurance Security Officer (IASO) Training

Signs of an incident fall into one of two categories: indications and precursors. A precursor is a sign that an incident may occur in the future. An indication is a sign that an incident may have occurred or may be occurring now. Too many types of indications exist to exhaustively list them, but some examples are listed below:

  • The network intrusion detection sensor alerts when a buffer overflow attempt occurs against an FTP server.
  • The antivirus software alerts when it detects that a host is infected with a worm.
  • The Web server crashes.
  • Users complain of slow access to hosts on the Internet.
  • The system administrator sees a filename with unusual characters.
  • The user calls the help desk to report a threatening e-mail message.
  • The host records an auditing configuration change in its log.
  • The application logs multiple failed login attempts from an unfamiliar remote system.
  • The e-mail administrator sees a large number of bounced e-mails with suspicious content.
  • The network administrator notices an unusual deviation from typical network traffic flows.

One should not think of incident detection as being strictly reactive. In some cases, the organization can detect activities that are likely to precede an incident. For example, a network IDS sensor may record unusual port scan activity targeted at a group of hosts, which occurs shortly before a DoS attack is launched against one of the same hosts. The intrusion detection alerts regarding the scanning activity serve as a precursor of the subsequent DoS incident. Other examples of precursors are as follows:

  • Web server log entries that show the usage of a Web vulnerability scanner
  • An announcement of a new exploit that targets a vulnerability of the organization’s mail server
  • Information stating that the Unit will receive a cyber attack

Not every attack can be detected through precursors. Some attacks have no precursors, whereas other attacks generate precursors that the organization fails to detect. If precursors are detected, the organization may have an opportunity to prevent the incident by altering its security posture through automated or manual means to save a target from attack. In the most serious cases, the organization may decide to act as if an incident is already occurring, so that the risk is mitigated quickly. At a minimum, the organization can monitor certain activity more closely—perhaps connection attempts to a particular host or a certain type of network traffic.

A Mandiant presentation at Black Hat in 2006 reported that organizations detected attacks:

  • Sometimes through anti-virus alerts, although most alerts are uninvestigated. (Note that this is my point as well; investigation of anti-virus alerts yields results.)
  • Sometimes through an Intrusion Detection System (IDS), although attacks through SSH, HTTPS and VPN escape IDS detection. (Note that with a largely mobile or remote workforce that relies upon VPN and public network availability, the IDS is not involved.)
  • More often through client reports, outside the company.
  • Sometimes through end user problem reports.

End user problem report symptoms that may be indicators of an incident:

  • Continual termination of anti-virus software.
  • Installing new applications does not work.
  • Commonly used applications will not run.
  • You cannot “Save As”.
  • Task Manager closes immediately after you open it.

You do not know if an incident should be declared until you are well into an investigation (the Identification stage of Incident Response). An unexpected restart in an event log might be an incident. A port scan might be an incident. You won’t know if the incident response procedure should be invoked until you have learned more about the specific restart or more about the specific port scan. (In the military? Unexpected restarts and port scans are ALWAYS incidents. Report them.)

Many sources will help make the determination that an incident has occurred. Get Lenny Zeltser’s Security Incident Survey Cheat Sheet for Server Administrators now, and be comfortable with it. Read John D. Howard & Thomas A. Longstaff’s A Common Language for Computer Security Incidents.

Once you have determined that an incident has occurred, your (previously established and tested) incident response procedure must be invoked.

Grab a bound notebook (not spiral bound, you don’t want to be accused of tearing out pages), preferably with numbered pages and write down the events which have occurred so far. Use details. Imagine that you will be reading this seven years from now and need to reconstruct the events. That is, mentally rewinding and replaying the steps prior to declaring an incident needs to be the first task of your incident response procedure. This is particularly problematic if a criminal investigation may be involved. When that is the case, the forensic process, including establishing a chain of custody, must be followed. There will be steps you wish you had done differently prior to the declaration of an incident. That happens; that’s prudent. Once you recognize an incident, however, your actions must adapt.

The steps of incident response. Most lists include only the PICERL steps. The full team events of notification and post-incident review should also be included.

  1. Preparation
  2. Identification or Assessment
  3. Notification
  4. Containment
  5. Eradication or Remediation
  6. Recovery
  7. Post-Incident Review
  8. Lessons Learned (or Follow Up)

Determining if an incident should be declared is part of the Identification step in incident response.

Note that this list assumes that preparation and declaration of an incident are not within the scope of the incident response. Once a specific incident has been declared, the specific incident life cycle begins. General preparation is outside the scope of specific response.

Regarding Notification: there’s internal notification and external notification. Internal notification is to the Incident Response team. A member of the Incident Response team should be responsible for external notification. There are incidents which require external notification, which is why a lawyer is on the Incident Response team. They may not be the person who makes the notification, but they would review the incident for notification requirements.

If you find yourself in the extremely unusual situation of knowing that a notification is required but is not being done, you may believe that your choice is between making the notification (and losing your job) or not making the notification. Get legal advice. Consider the long term possibilities. Possible outcome if you make the notification: lose job. Possible outcome if you choose to not make the notification: lose job, face prosecution, lose savings, serve time, and become unemployable.

That notebook … is it for all incidents, or only security incidents? A burst pipe in the building or a natural disaster are also incidents. Without the notebook, Lessons Learned becomes difficult.

Test: City of Norfolk hit with code that takes out nearly 800 PCs. What lessons do you take away?

Cluff’s team noticed that computers were taking longer than normal to shut down around 4:30 p.m. on Feb. 9. Those machines could not then be restarted. After investigating, his team discovered that a virtual print server was pushing out malicious code. The team pulled the virtual server offline, scrubbed it and reverted it to a previous instance of the print server software, he said.

Regrets: Did not preserve the virtual print server for further investigation. How did this happen? What could have prevented this? Evidence is lost.

Online Trust Alliance Data Breach and Incident Readiness Planning Guide

Privacy Rights  Clearinghouse including actual reported breaches

Mozilla InvestiGator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security. Masche adds memory forensics capabilities to MIG.

On TTPs


Finding Suspicious Filenames

April 8, 2009

In Finding the DNS Hijacking Victims, Microsoft Systems Management Server (SMS) and a SQL query were used to find unusual DNS settings.

In Hidden Files, one technique mentioned (under the “hide in plain sight” tactic) was to “use extended ASCII characters”. When SMS inventories files, it converts the extended ASCII characters to “?”. This makes finding file names that use extended ASCII characters a simple WQL query:

select SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Name, SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonUserName, SMS_G_System_WORKSTATION_STATUS.LastHardwareScan, SMS_G_System_SoftwareFile.FileName, SMS_G_System_SoftwareFile.FilePath, SMS_G_System_SoftwareFile.FileSize, SMS_G_System_LastSoftwareScan.LastScanDate from  SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_LastSoftwareScan on SMS_G_System_LastSoftwareScan.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName like "%?%"

This query uncovered an oddly named w?nlogon.exe file in a “C:\Program Files\Common Files\?racle\” folder. Extended ASCII characters would present what appears to be “C:\Program Files\Common Files\Oracle\winlogon.exe” to the untrained eye. The filename doesn’t sort as you might expect. Bypassing the untrained eye with an SMS query makes finding these cases easy.

VirusTotal confirmed that some vendors (Avast, AVG, CAT-QuickHeal, DrWeb, eSafe, Ikarus, Microsoft, NOD32v2, Panda, Prevx1, Sunbelt) already detect the sample as adware from the PurityScan family.

In a large environment, a more comprehensive approach that would produce many benign conditions (cases to ignore) is to find file names that seldom occur. These files are suspicious only because their names occur infrequently.

There are places where malware is likely to reside. The System32, Downloaded Program Files, and each user’s “\Local Settings\Temp\” folder are common locations. An across-the-organization search for out-of-the-ordinary files in those locations will usually yield undetected malware.

To look for unusual files in System32:

SELECT COUNT(*) AS 'Count', v_GS_SoftwareFile.FileName AS 'File name' FROM v_GS_SoftwareFile WHERE v_GS_SoftwareFile.FilePath IN ('C:\WINNT\System32\', 'C:\Windows\System32\') GROUP BY v_GS_SoftwareFile.FileName ORDER BY COUNT(*) ASC
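Both checks described above (the “?” substitution that exposes extended-ASCII look-alikes of system file names, and the count of how rarely a file name occurs in a folder) as one added example that is not part of the original post. The inventory rows, machine names and the list of well-known system names are constructed; one row keeps a raw Cyrillic character to show the substitution the inventory would already have made.

```python
"""Look-alike and rare file names over an SMS-style software inventory (added example; data constructed)."""
import re
from collections import defaultdict

# Well-known names a masquerading file would try to resemble (assumed list, extend as needed).
KNOWN_SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Constructed rows in the shape (machine, folder, file name).
INVENTORY = [
    ("WS001", "C:\\Windows\\System32\\", "svchost.exe"),
    ("WS002", "C:\\Windows\\System32\\", "svchost.exe"),
    ("WS003", "C:\\Windows\\System32\\", "svchost.exe"),
    ("WS001", "C:\\Windows\\System32\\", "winlogon.exe"),
    ("WS002", "C:\\Windows\\System32\\", "winlogon.exe"),
    ("WS003", "C:\\Windows\\System32\\", "winlogon.exe"),
    ("WS002", "C:\\Windows\\System32\\", "svch0st.exe"),          # present on a single machine
    ("WS003", "C:\\Program Files\\Common Files\\?racle\\", "w?nlogon.exe"),  # as the inventory stores it
    ("WS001", "C:\\Windows\\System32\\", "w\u0456nlogon.exe"),    # raw name with Cyrillic i (U+0456)
]


def sms_normalize(name):
    """Mirror what the post says the inventory does: each character outside 7-bit ASCII becomes '?'."""
    return "".join(ch if ord(ch) < 128 else "?" for ch in name)


def masquerade_target(name, known=KNOWN_SYSTEM_NAMES):
    """If the normalised name contains '?', return the well-known name it resembles, else None.
    The substitution is one-for-one, so '?' is treated as exactly one character ('.')."""
    norm = sms_normalize(name).lower()
    if "?" not in norm:
        return None
    pattern = re.compile("^" + re.escape(norm).replace(r"\?", ".") + "$")
    return next((k for k in sorted(known) if pattern.match(k)), None)


def flag_masquerading(rows):
    """(machine, full path, well-known name it impersonates) for every suspicious row."""
    hits = []
    for machine, folder, name in rows:
        target = masquerade_target(name)
        if target:
            hits.append((machine, folder + name, target))
    return hits


def rare_filenames(rows, folder, max_machines=1):
    """Distinct-machine count per (normalised) file name in folder; names seen on at most
    max_machines machines are the candidates to inspect.  Sorted by count, then name."""
    machines_by_name = defaultdict(set)
    for machine, path, name in rows:
        if path.lower() == folder.lower():
            machines_by_name[sms_normalize(name).lower()].add(machine)
    rare = [(n, len(m)) for n, m in machines_by_name.items() if len(m) <= max_machines]
    return sorted(rare, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    for hit in flag_masquerading(INVENTORY):
        print("look-alike:", hit)
    for name, count in rare_filenames(INVENTORY, "C:\\Windows\\System32\\"):
        print("rare in System32:", name, count)
```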

Now that you have file names that you want to learn more about, use whatever mechanism you are comfortable with to find those files. For example, a VBScript like the following would identify the machines with the specific peculiar file names. (Note that SERVER and SITE CODE must be changed.)

Option Explicit
' Usage: cscript OddFilename.vbs /Filename:<file name> [/Result:<output file>]
' Asks the SMS site server (through WMI) which machines have the given file name
' in System32, appending one tab-separated line per machine to the results file.
Const ForAppending = 8
Dim winmgmt1
Dim SystemSet
Dim strQuery
Dim strOddFilename
Dim objEnumerator, instance
Dim objFSO_results, objResultsFile
Dim intWriteHeader
Dim strResultsFilename
Dim strHeader
strOddFilename = WScript.Arguments.Named("Filename")
If strOddFilename = "" Then
    WScript.Echo "Usage: cscript OddFilename.vbs /Filename:<file name> [/Result:<output file>]"
    WScript.Quit 1
End If
strResultsFilename = WScript.Arguments.Named("Result")
If strResultsFilename = "" Then
    strResultsFilename = "OddFilename.txt"
End If
strHeader = "Resource Domain or Workgroup" & vbTab & "Name" & vbTab & _
    "Last Logon User Domain" & vbTab & "Last Logon User Name" & vbTab & _
    "FileName" & vbTab & "FilePath" & vbTab & "Last Software Scan Date"
Set objFSO_results = CreateObject("Scripting.FileSystemObject")
' Write the header only when the results file is being created.
If objFSO_results.FileExists(strResultsFilename) Then
    intWriteHeader = 0
Else
    intWriteHeader = 1
End If
Set objResultsFile = objFSO_results.OpenTextFile(strResultsFilename, ForAppending, True)
' 800A0046 Permission denied when file is in use
If intWriteHeader Then
    objResultsFile.WriteLine(strHeader)
End If
' The following line connects to the SMS Server through the WMI layer.
' For SERVER put in your SMS Server name.
' For XXX put in the site code for that server.
winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//SERVER\root\sms\site_XXX"
Set SystemSet = GetObject(winmgmt1)
' Backslashes inside WQL string literals are doubled; the file name is wrapped in
' WQL double quotes (written as "" inside the VBScript string).
strQuery = "select SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Name, " & _
    "SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonUserName, " & _
    "SMS_G_System_SoftwareFile.FileName, SMS_G_System_SoftwareFile.FilePath, " & _
    "SMS_G_System_LastSoftwareScan.LastScanDate from SMS_R_System " & _
    "inner join SMS_G_System_SoftwareFile on " & _
    "SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId " & _
    "inner join SMS_G_System_LastSoftwareScan on " & _
    "SMS_G_System_LastSoftwareScan.ResourceID = SMS_R_System.ResourceId " & _
    "where SMS_G_System_SoftwareFile.FileName in ( """ & strOddFilename & """ ) " & _
    "and SMS_G_System_SoftwareFile.FilePath in ( ""C:\\WINDOWS\\system32\\"", ""C:\\WINNT\\system32\\"" )"
' Swap the last line for one of these to search the other common locations:
'   "and SMS_G_System_SoftwareFile.FilePath in ( ""C:\\WINDOWS\\Downloaded Program Files\\"", ""C:\\WINNT\\Downloaded Program Files\\"" )"
'   "and SMS_G_System_SoftwareFile.FilePath LIKE ""%\\Local Settings\\Temp\\%"""
Set objEnumerator = SystemSet.ExecQuery(strQuery)
For Each instance In objEnumerator
    ' 80041017 - no instances?
    objResultsFile.WriteLine(instance.SMS_R_System.ResourceDomainORWorkgroup & vbTab & _
        instance.SMS_R_System.Name & vbTab & _
        instance.SMS_R_System.LastLogonUserDomain & vbTab & _
        instance.SMS_R_System.LastLogonUserName & vbTab & _
        instance.SMS_G_System_SoftwareFile.FileName & vbTab & _
        instance.SMS_G_System_SoftwareFile.FilePath & vbTab & _
        instance.SMS_G_System_LastSoftwareScan.LastScanDate)
Next
objResultsFile.Close

Run the VBScript with a batch file such as the following. “FilenameDownloadDir.txt” is a text file of file names to search for, one per line.

@ECHO OFF
rem Runs the VBScript once per line of FilenameDownloadDir.txt.
rem "delims=" keeps the whole line in %%F; quoting the /filename argument keeps names with spaces together.
FOR /F "usebackq delims=" %%F IN ("FilenameDownloadDir.txt") DO (
    cscript //nologo OddFilenameDownloadDir.vbs "/filename:%%F" /result:OddFilenameDownloadDir.txt
)

To look for unusual files in “Downloaded Program Files”:

SELECT COUNT(*) AS 'Count', v_GS_SoftwareFile.FileName AS 'File name' FROM v_GS_SoftwareFile WHERE v_GS_SoftwareFile.FilePath IN ('C:\WINNT\Downloaded Program Files\', 'C:\Windows\Downloaded Program Files\') GROUP BY v_GS_SoftwareFile.FileName ORDER BY COUNT(*) ASC

To find the machines with the unusual files in “Downloaded Program Files”:

Option Explicit
' Usage: cscript OddFilenameDownloadDir.vbs /Filename:<file name> [/Result:<output file>]
' Asks the SMS site server (through WMI) which machines have the given file name
' in "Downloaded Program Files", appending one tab-separated line per machine.
Const ForAppending = 8
Dim winmgmt1
Dim SystemSet
Dim strQuery
Dim strOddFilename
Dim objEnumerator, instance
Dim objFSO_results, objResultsFile
Dim intWriteHeader
Dim strResultsFilename
Dim strHeader
strOddFilename = WScript.Arguments.Named("Filename")
If strOddFilename = "" Then
    WScript.Echo "Usage: cscript OddFilenameDownloadDir.vbs /Filename:<file name> [/Result:<output file>]"
    WScript.Quit 1
End If
strResultsFilename = WScript.Arguments.Named("Result")
If strResultsFilename = "" Then
    strResultsFilename = "OddFilename.txt"
End If
strHeader = "Resource Domain or Workgroup" & vbTab & "Name" & vbTab & _
    "Last Logon User Domain" & vbTab & "Last Logon User Name" & vbTab & _
    "FileName" & vbTab & "FilePath" & vbTab & "Last Software Scan Date"
Set objFSO_results = CreateObject("Scripting.FileSystemObject")
' Write the header only when the results file is being created.
If objFSO_results.FileExists(strResultsFilename) Then
    intWriteHeader = 0
Else
    intWriteHeader = 1
End If
Set objResultsFile = objFSO_results.OpenTextFile(strResultsFilename, ForAppending, True)
' 800A0046 Permission denied when file is in use
If intWriteHeader Then
    objResultsFile.WriteLine(strHeader)
End If
' The following line connects to the SMS Server through the WMI layer.
' For SERVER put in your SMS Server name.
' For XXX put in the site code for that server.
winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//SERVER\root\sms\site_XXX"
Set SystemSet = GetObject(winmgmt1)
' Backslashes inside WQL string literals are doubled; the file name is wrapped in
' WQL double quotes (written as "" inside the VBScript string).
strQuery = "select SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Name, " & _
    "SMS_R_System.LastLogonUserDomain, SMS_R_System.LastLogonUserName, " & _
    "SMS_G_System_SoftwareFile.FileName, SMS_G_System_SoftwareFile.FilePath, " & _
    "SMS_G_System_LastSoftwareScan.LastScanDate from SMS_R_System " & _
    "inner join SMS_G_System_SoftwareFile on " & _
    "SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId " & _
    "inner join SMS_G_System_LastSoftwareScan on " & _
    "SMS_G_System_LastSoftwareScan.ResourceID = SMS_R_System.ResourceId " & _
    "where SMS_G_System_SoftwareFile.FileName in ( """ & strOddFilename & """ ) " & _
    "and SMS_G_System_SoftwareFile.FilePath in ( ""C:\\WINDOWS\\Downloaded Program Files\\"", ""C:\\WINNT\\Downloaded Program Files\\"" )"
' Swap the last line for one of these to search the other common locations:
'   "and SMS_G_System_SoftwareFile.FilePath in ( ""C:\\WINDOWS\\system32\\"", ""C:\\WINNT\\system32\\"" )"
'   "and SMS_G_System_SoftwareFile.FilePath LIKE ""%\\Local Settings\\Temp\\%"""
Set objEnumerator = SystemSet.ExecQuery(strQuery)
For Each instance In objEnumerator
    ' 80041017 - no instances?
    objResultsFile.WriteLine(instance.SMS_R_System.ResourceDomainORWorkgroup & vbTab & _
        instance.SMS_R_System.Name & vbTab & _
        instance.SMS_R_System.LastLogonUserDomain & vbTab & _
        instance.SMS_R_System.LastLogonUserName & vbTab & _
        instance.SMS_G_System_SoftwareFile.FileName & vbTab & _
        instance.SMS_G_System_SoftwareFile.FilePath & vbTab & _
        instance.SMS_G_System_LastSoftwareScan.LastScanDate)
Next
objResultsFile.Close

A batch file to read a list of file names to search for and report machines with those files would be very similar to the previous example.

To look for unusual files in every user’s “\Local Settings\Temp\”:

SELECT COUNT(*) AS 'Count', v_GS_SoftwareFile.FileName AS 'File name' FROM v_GS_SoftwareFile WHERE v_GS_SoftwareFile.FilePath LIKE '%\Local Settings\Temp\%' GROUP BY v_GS_SoftwareFile.FileName ORDER BY COUNT(*) ASC

The VBScript changes to make are included in the previous example as remarks. A batch file to read a list of file names to search for and report machines with those files would be very similar to the previous example.

Note that if you do not have a system inventory tool which collects information about files, then a specialized product which searches for specific files is an option. Consider the Sophos Application Discovery Tool.


Finding the DNS Setting (DNSChanger) Victims

April 8, 2009

As mentioned in Can You Clean a Virus?, a modified client domain name server setting is a malicious code payload that no vendor reports. The payload consists of specifying explicit domain name server (DNS) addresses.

People do not specify their DNS addresses, as a rule. DNS addresses are delivered by the DHCP server and managed by the Internet Service Provider (ISP). However, if explicit DNS addresses are specified, they quietly override those delivered through DHCP and managed by the ISP.

Consider what a malicious person could do if they managed your DNS server. They learn which addresses you need to resolve; they know what URLs you visit. If you do online banking, they know who your bank is. They can, one day, divert you to a web site that looks like your bank. When you try to log on, they could give you a plausible error message. Meanwhile, they capture the credentials you attempted to use. They then “correct” their DNS server and make the actual bank web site available. They wouldn’t want their DNS server to be diverting traffic for more than brief periods in a day. Meanwhile, customers think the bank is having problems while customers are giving away their credentials.

In reality, almost all banks have measures in place to prevent this. Less secure web sites do not.

It is easy to correct the problem, once found. See the network adapter’s properties, choose “Internet Protocol (TCP/IP)” and view its Properties. Frequently, “Obtain DNS server address automatically” is specified. If, on the other hand “Use the following DNS server addresses” is specified, it should be an address you can trust. If it is an address that begins with 85.255. (for example), then you have been affected.

It is generally difficult to find machines that have had their DNS settings modified. Microsoft Systems Management Server (SMS) can make this task easy.

By default, sms_def.mof will have SMS_Report of DNSServerSearchOrder set to FALSE. Change it to TRUE; let SMS collect this information.

When you have collected the DNS addresses, you can use a SQL query like the following to learn if there are any unusual DNS server settings:
SELECT COUNT(*) AS 'Count', DNSServerSearchOrder0 AS 'DNS ServerSearchOrder'
FROM v_GS_NETWORK_ADAPTER_CONFIGUR
GROUP BY DNSServerSearchOrder0
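The same check carried out over an export of that view, as an added example that is not part of the original post: it counts the distinct search orders as the query does, and then flags every address that is neither one of your own resolvers nor inside the 85.255. prefix the post gives as an example of a bad one. The rows, the trusted resolver addresses and the comma-separated storage of DNSServerSearchOrder0 are assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: the resolvers your DHCP server hands out. Replace with your own.
TRUSTED_DNS = {ipaddress.ip_address(a) for a in ("10.1.1.53", "10.1.1.54")}

# The post gives "an address that begins with 85.255." as an example of what a
# victim would have; expressed here as a network for membership tests.
KNOWN_BAD = [ipaddress.ip_network("85.255.0.0/16")]

# Constructed rows standing in for (machine name, DNSServerSearchOrder0) from the
# SMS view; the search order is assumed to be stored as a comma-separated string.
ROWS = [
    ("WS001", "10.1.1.53,10.1.1.54"),
    ("WS002", "10.1.1.53,10.1.1.54"),
    ("WS003", "85.255.112.9,85.255.112.10"),  # constructed, inside the post's example prefix
    ("WS004", "10.1.1.53"),
    ("WS005", "192.0.2.10,10.1.1.53"),        # constructed: an address nobody recognises
    ("WS006", ""),                            # no DNS configured (e.g. a disconnected adapter)
    ("WS007", "10.1.1.53;not-an-address"),    # malformed entry; must not abort the scan
]


def parse_search_order(value):
    """Split a DNSServerSearchOrder string into IP address objects, skipping junk."""
    addresses = []
    for token in value.replace(";", ",").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addresses.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # unparsable token: ignore it rather than abort the whole scan
    return addresses


def summarize(rows):
    """Count each distinct (normalised) search order, like the GROUP BY in the SQL query."""
    counts = Counter()
    for _, value in rows:
        addresses = parse_search_order(value)
        if addresses:
            counts[",".join(str(a) for a in addresses)] += 1
    return counts


def classify(address):
    """'trusted' for your own resolvers, 'known-bad' for the example prefix, else 'unknown'."""
    if address in TRUSTED_DNS:
        return "trusted"
    if any(address in net for net in KNOWN_BAD):
        return "known-bad"
    return "unknown"


def find_victims(rows):
    """Map machine name -> [(address, verdict)] for machines using any untrusted resolver."""
    victims = {}
    for machine, value in rows:
        verdicts = [(a, classify(a)) for a in parse_search_order(value)]
        suspect = [(a, v) for a, v in verdicts if v != "trusted"]
        if suspect:
            victims[machine] = suspect
    return victims


if __name__ == "__main__":
    for order, n in summarize(ROWS).most_common():
        print(f"{n:5d}  {order}")
    for machine, suspect in find_victims(ROWS).items():
        print(machine, ", ".join(f"{a} ({v})" for a, v in suspect))
```

The "unknown" verdict is the one to read carefully: a resolver that is neither yours nor already known bad is exactly the unusual setting the query is meant to surface, and each one should be looked up before it is dismissed.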

Note: DNS Hijacking refers to the unauthorized modification of a DNS server or to the ISP’s modification of their DNS server to divert traffic. For example, in 2007, Time Warner diverted traffic intended for bot command and control servers to a site with a script which removed the bot. Exstatica has a compilation of what they observed.

The FBI has made public a step-by-step guide (“DNSChanger Malware”) [pdf] for determining if you have been affected by this malware.

30-Jun-2012: IID DNSChanger information

IID infographic detailing the DNSChanger malware infection.

Hidden Files

April 8, 2009

You might suspect that malicious code exists on a machine because …

  • It accessed a web site or IP address known to have hosted malicious code.
  • Anti-virus software detected malicious code. That’s a good reason to suspect additional malicious code escaped the anti-virus software. Anti-virus software could be making a false report, of course. Before you remediate (which usually means “reimage”), you should learn if there is any additional malicious code that has gone undetected.

What steps can you take to confirm (or partially refute) your suspicions? You look at running processes; but if, after you’ve looked at running processes, you still think there’s something malicious, look for the files that someone has made an effort to hide. “Hidden” is not synonymous with “invisible”; going unnoticed will do.

Where could I find hidden files?

    • The “hide in plain sight” strategy is at least as old as Poe’s “The Purloined Letter.” Its longevity reflects its effectiveness. Finding files that don’t belong amongst the hundreds of files that do is a challenge. Having a table of known good files and their hash codes can help eliminate suspects. Using a utility to find unsigned executables, and confirming that the signatures that are found are authentic, will produce a long list that includes many benign conditions. See, for example, sigcheck from Sysinternals.

sigcheck -s -v c:\ >result.csv

    • Suspect recently created files in C:\Winnt\System32 (or C:\Windows\System32). The date stamp is often unmodified. Similarly, suspect recently created files in C:\Winnt (or C:\Windows) and in the user’s temporary files (C:\Documents and Settings\Local Settings\Temp). These files often have names like svchost.exe, spoolsv.eve, symwsc.exe, swupdtmr.exe or winservices.exe, names which resemble Windows components but are not.
    • Suspect files that do not sort “correctly”. In an attempt to “hide in plain sight,” malware may use characters from other scripts to create innocent-looking filenames. Use the Character Map application to review the available characters, such as U+0441. Although it is a Cyrillic small letter Es, it strongly resembles a Latin small letter c. Using Cyrillic characters, a file named “C:\Program Files\Common Files\Οracle\wіnlogon.exe” can be created; but the “i” in winlogon.exe is not a Latin “i” and the “O” in Oracle is not a Latin “O”. The Cyrillic characters will not sort as their Latin counterparts do.
    • The non-breaking space character (decimal 160, hexadecimal A0) can be used as a file name or folder name character. (Alt+160 on the numeric keypad types a non-breaking space character.) A file or folder also has an icon, but the Customize tab of its Properties dialog (Change Icon button) offers many blank icons. The result is an easily missed file or folder name.
    • Hide in a system folder, such as “C:\Windows\Downloaded Program Files” (or “C:\Winnt\Downloaded Program Files”) or “C:\$RECYCLE.BIN”. There is a real “Downloaded Program Files” folder, but you won’t see its contents using Windows Explorer. Use a command window instead. Expect hidden and system files, and search subdirectories.

dir "C:\Windows\Downloaded Program Files" /ah /s
dir "C:\Windows\Downloaded Program Files" /s

    • Hide using the Directory and System attributes. Foundstone’s hfind utility hunts for files with the hidden attribute, directories with the hidden attribute and directories with the system attribute. There are a lot of hidden files and folders, and a lot of benign conditions to ignore.

hfind C: >> local.txt
hfind \\remote\c$ >> remote.txt

Sysinternals’ streams utility lists NTFS alternate data streams, another place where content can be hidden behind an innocuous file name:

streams -s *.*

    • Rootkit technologies employ techniques to hide files from standard file system utilities. There are many utilities to find these technologies and what they are hiding. Sysinternals’ Rootkit Revealer reports some benign conditions. When used in conjunction with psexec (also a Sysinternals utility), it can scan remote systems.

psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log

See Invoke-PsExec when invoking psexec on multiple targets.

Note that the above are aggressive but not exhaustive measures. To search rigorously for rootkits, for example, boot from an alternate drive and search the suspect drive from there. The measures given show how you can search for undetected malware at little cost.
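A scanner for the naming tricks described above (lookalike scripts, names made of non-breaking spaces, and Windows component names sitting outside System32), as an added example that is not part of the original post. It works on a list of paths such as “dir /s /b” would produce; the sample paths are constructed, and the list of component names and their expected directory are assumptions.

```python
import unicodedata

# Names of real Windows components the post mentions seeing copied elsewhere.
# Assumption: on this system they legitimately live only in System32.
SYSTEM_COMPONENTS = {"svchost.exe", "spoolsv.exe", "winlogon.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"

# Constructed file list, as a directory walk or "dir /s /b" output might produce it.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    "C:\\Program Files\\Common Files\\\u039fracle\\w\u0456nlogon.exe",  # the post's Oracle/winlogon lookalike
    "C:\\Windows\\\u00a0\\update.exe",                                  # folder named with one NBSP
    r"C:\Program Files\Common Files\Oracle\readme.txt",
]


def split_path(path):
    """Return the components of a Windows path, dropping the drive letter."""
    parts = [p for p in path.split("\\") if p != ""]
    if parts and parts[0].endswith(":"):
        parts = parts[1:]
    return parts


def script_of(ch):
    """'LATIN', 'CYRILLIC', 'GREEK', ... for letters; None for anything else."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def component_findings(component):
    """Findings for one file or folder name on its own."""
    findings = []
    # 1. a name made only of spaces / non-breaking spaces is effectively blank
    if component and all(ch in (" ", "\u00a0") for ch in component):
        findings.append("name consists only of space/NBSP characters")
    # 2. letters from more than one script in one name (e.g. a Cyrillic i in winlogon)
    scripts = {s for s in map(script_of, component) if s}
    if len(scripts) > 1:
        findings.append("mixed-script name: " + "+".join(sorted(scripts)))
    return findings


def scan(paths):
    """Return {path: [reason, ...]} for every path with at least one finding."""
    report = {}
    for path in paths:
        parts = split_path(path)
        reasons = []
        for comp in parts:
            reasons += [f"{comp!r}: {r}" for r in component_findings(comp)]
        # 3. a component name sitting outside the directory where it belongs
        if parts and parts[-1].lower() in SYSTEM_COMPONENTS:
            parent = path.rsplit("\\", 1)[0].lower()
            if parent != SYSTEM32:
                reasons.append(f"{parts[-1]} outside {SYSTEM32}")
        if reasons:
            report[path] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

The mixed-script test deliberately flags any name mixing Latin letters with another alphabet rather than trying to enumerate confusable pairs; on a typical English-language system that produces a short list that is quick to review by eye, which is the point of the exercise.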

Hidden data is a larger subject. There are many more places to hide data, within files, within slack space and within space no file is using (including sectors that have been marked as “bad”). If malware was hidden using these approaches, then non-standard file system drivers would be required to execute it. Find those files, the driver files, in order to find the additional hidden malware.



Root Cause Inspection

April 8, 2009

Take, for example, the following virus detection alert:

From: servername [mailto:servername]
Sent: (Date and time)
To: AV Alerts – HQ
Subject: EXPL_EXECOD.A on machine(user)

Virus alert.
EXPL_EXECOD.A is detected on machine(user).
Infected file: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NXXZUEMP\exp4[1].htm
Detection date: (date and time)
Action: Virus successfully detected, cannot perform the Clean action (Cannot perform the Delete action)

Antivirus software has detected a virus in exp4.htm and prevented it from running.

Case closed?

A look at the index to the browser cache shows that exp4.htm is among the many web pages from statrafongon.biz.

http://statrafongon.biz/adv/new.php?adv=183
http://statrafongon.biz/adv/new.php?adv=45
http://statrafongon.biz/adv/new.php?adv=96
http://statrafongon.biz/strong/045/
http://statrafongon.biz/strong/045/exp1.htm
http://statrafongon.biz/strong/045/exp2.htm
http://statrafongon.biz/strong/045/exp3.htm
http://statrafongon.biz/strong/045/exp4.htm (EXPL_EXECOD.A)
http://statrafongon.biz/strong/045/exp5.htm
http://statrafongon.biz/strong/096/
http://statrafongon.biz/strong/096/exp1.htm
http://statrafongon.biz/strong/096/exp2.htm
http://statrafongon.biz/strong/096/exp3.htm
http://statrafongon.biz/strong/096/exp4.htm (EXPL_EXECOD.A)
http://statrafongon.biz/strong/096/exp5.htm
http://statrafongon.biz/strong/183/
http://statrafongon.biz/strong/183/exp1.htm
http://statrafongon.biz/strong/183/exp2.htm
http://statrafongon.biz/strong/183/exp3.htm
http://statrafongon.biz/strong/183/exp4.htm (EXPL_EXECOD.A)
http://statrafongon.biz/strong/183/exp5.htm

There was a different exploit on each exp?.htm page. We were detecting the use of one of the five exploits, but only that one.

WHOIS statrafongon.biz? [66.96.248.117]
A web site in the Russian Federation.

Domains registered to this address:
Fdghewrtewrtyrew.biz
Babes-babes.com
Statrafongon.biz

Samples of the files were submitted to virustotal.com for verification and to the specific anti-virus vendor for analysis.

The URL was submitted to a public malware block list (malware.com.br) and to the specific anti-virus vendor for inclusion in their web filtering product.

The IP address was blacklisted in the client firewall.

The vulnerabilities that these malware samples attempted to exploit had already been remediated (software updates and patches installed).

I have provided links to utilities that make reviewing web browser history easier. When malware arrives through a web browser, you want to learn where it came from.

  1. What else came from the same source? Is it also malicious, but undetected?
  2. Do you want to blacklist that source? If detected malware was delivered once, are you betting that the next malware will also be detected? Why take that chance?
  3. Submit suspicious links to a central reporting site, such as Malware Block List.
  4. Keep a log (spreadsheet, table, database) of what you have detected. The URL (http://), its IP address, the reason it caught your attention, what you did with the information, and the date seen are basic fields. Tip: convert the dotted decimal IP address to a decimal IP address. 58.53.128.112 = 112+(128*256)+(53*256*256)+(58*256*256*256) = 976584816. You will find a large IP address number easier to sort than a set of octets.
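The first and fourth of those steps, worked through on the cache index quoted above, as an added example that is not part of the original post: group the cached URLs by host, list what else came from a host that served detected malware, and build a log row whose IP address is stored as the decimal number the tip describes. The cache entries are a subset of the post’s own list plus one constructed unrelated URL; the log fields beyond those the post names are assumptions.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# The browser-cache index quoted in the post (a subset), plus one constructed
# unrelated entry so the grouping has something to leave out.
CACHE_INDEX = [
    "http://statrafongon.biz/adv/new.php?adv=183",
    "http://statrafongon.biz/adv/new.php?adv=45",
    "http://statrafongon.biz/strong/045/",
    "http://statrafongon.biz/strong/045/exp1.htm",
    "http://statrafongon.biz/strong/045/exp2.htm",
    "http://statrafongon.biz/strong/045/exp3.htm",
    "http://statrafongon.biz/strong/045/exp4.htm",
    "http://statrafongon.biz/strong/045/exp5.htm",
    "http://statrafongon.biz/strong/096/exp4.htm",
    "http://www.example.com/news/today.html",  # constructed, unrelated
]

# What the anti-virus alert told us: URL -> detection name (from the post).
DETECTIONS = {
    "http://statrafongon.biz/strong/045/exp4.htm": "EXPL_EXECOD.A",
    "http://statrafongon.biz/strong/096/exp4.htm": "EXPL_EXECOD.A",
}


def host_of(url):
    return urlsplit(url).hostname or ""


def group_by_host(urls):
    """host -> [urls] so that one detection leads to everything else from that host."""
    groups = defaultdict(list)
    for u in urls:
        groups[host_of(u)].append(u)
    return dict(groups)


def undetected_from_same_source(urls, detections):
    """Step 1: what else came from a host that served detected malware?"""
    bad_hosts = {host_of(u) for u in detections}
    return sorted(u for u in urls if host_of(u) in bad_hosts and u not in detections)


def ip_to_decimal(ip):
    """Dotted-decimal IPv4 -> one integer, using the formula in the post's tip (step 4)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip!r}")
    a, b, c, d = octets
    return d + c * 256 + b * 256**2 + a * 256**3


def log_record(url, ip, reason, action, seen=None):
    """One row for the log the post recommends keeping (step 4)."""
    return {
        "url": url,
        "host": host_of(url),
        "ip": ip,
        "ip_decimal": ip_to_decimal(ip),  # sorts as a number, not as four octets
        "reason": reason,
        "action": action,
        "seen": (seen or date.today()).isoformat(),
    }


if __name__ == "__main__":
    for u in undetected_from_same_source(CACHE_INDEX, DETECTIONS):
        print("review:", u)
    print(log_record("http://statrafongon.biz/strong/045/exp4.htm", "66.96.248.117",
                     "EXPL_EXECOD.A detected; sibling exp1-5 pages not detected",
                     "IP address blacklisted in client firewall", date(2009, 4, 8)))
```

The review list is the answer to “what else came from the same source”: every exp?.htm page that the anti-virus product did not flag is there, which is what justifies submitting the samples and blacklisting the host rather than closing the case on the single detection.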

hpHosts may be helpful. You can use it to learn if this IP address or URL has been reported as malicious, or if other malicious sites are at that IP address. For example, to see if there are malicious hosts whose IP address starts with 63.246.20, use http://hosts-file.net/pest.asp?show=63.246.20.

hpHosts uses the following abbreviations to categorize their reasons for including IP addresses in the malicious list:
ATS: ad/tracking server
GRM: grass roots marketing (astroturfing)
EMD: malware distributor (adware, spyware, viruses etc.)
HJK: hijacking
EXP: exploits and social engineering
FSA: fraudulent security (and non-security) applications
WRZ: Warez and keygens
PSH: Phishing
HFS: spammed the hpHosts forums

Targeted Forensics: Mapping a Process to a Malicious Command and Control describes how to determine which process is connecting to a malicious command and control center, using Volatility and a memory dump.

The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 1 of 2) (Part 2 of 2) describes finding evidence of a remote desktop connection to or from a Windows device, using the registry and log parser.