<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;D0MERX06fSp7ImA9WhVUEUU.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359</id><updated>2012-05-16T12:23:24.315-04:00</updated><category term="linux" /><category term="attack" /><category term="challenge" /><category term="dumb criminals" /><category term="sandnet" /><category term="PDF" /><category term="vulnerability" /><category term="malware" /><category term="malware analysis" /><category term="penetration testing" /><category term="musing" /><category term="puzzle" /><category term="conference" /><category term="phish" /><category term="SQL injection" /><category term="forensics" /><category term="APT" /><category term="presentation" /><category term="exploits" /><category term="hacks" /><category term="wireless" /><category term="spam" /><category term="class" /><category term="virus" /><category term="stories" /><category term="scam" /><category term="physical security" /><category term="training" /><category term="crypto" /><category term="snort" /><category term="anti-virus" /><title>The Security Shoggoth</title><subtitle type="html">Stories of an elder thing creation making its way in the world of information security.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://secshoggoth.blogspot.com/" /><link rel="next" type="application/atom+xml" 
href="http://www.blogger.com/feeds/2672754150485551359/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>79</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/TheSecurityShoggoth" /><feedburner:info uri="thesecurityshoggoth" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;D0MDRng9eip7ImA9WhRWEUs.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-5503481227325903330</id><published>2011-12-19T10:05:00.004-05:00</published><updated>2011-12-29T08:31:17.662-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-29T08:31:17.662-05:00</app:edited><title>Tools and News</title><content type="html">So first an announcement.  At the beginning of December (or close to that) I left my previous position and went back to &lt;a href="http://www.korelogic.com"&gt;KoreLogic Security,&lt;/a&gt; where I will be working to start up their malware services group, amongst other things.  While I am definitely missing my old co-workers, this is a good move for me.  Look for some interesting posts here.&lt;br /&gt;&lt;br /&gt;A few weeks ago I tweeted: Want to find out how good someone is? Take away all their tools and say, "Now do it.".  
I wanted to expand upon that because I got into a good discussion with &lt;a href="https://twitter.com/#%21/@jwgoerlich"&gt;@jwgoerlich&lt;/a&gt; and &lt;a href="https://twitter.com/#%21/@rogueclown"&gt;@rogueclown&lt;/a&gt; concerning it, and it's hard to really explain what you mean in 140 characters or less.&lt;br /&gt;&lt;br /&gt;A few years ago, Harlan Carvey posted about "&lt;a href="http://www.google.com/search?q=%22nintendo+forensics%22&amp;amp;q=%22nintendo+forensics%22+site:windowsir.blogspot.com&amp;amp;pbx=1&amp;amp;oq=%22nintendo+forensics%22"&gt;Nintendo forensics&lt;/a&gt;".  This was a statement that the forensic industry was becoming more "point and click" and analysts understood less and less of what their tools were doing.  While there are signs that this is becoming less prevalent, I believe there are still niches in security where it is either in full force or getting worse.&lt;br /&gt;&lt;br /&gt;Fast forward to the present.  In the last few weeks I've been building my new work computer while analyzing malware as I get the time.  Unfortunately, I do not have all the tools I am used to, since I'm waiting for things to be purchased, arrive, etc.  This got me thinking: how much do &lt;span style="font-weight: bold;"&gt;&lt;span style="font-style: italic;"&gt;I&lt;/span&gt; &lt;/span&gt;rely on tools?  Could I perform the analysis I needed using only what I know?&lt;br /&gt;&lt;br /&gt;Now I realize that in information security, or IT in general, it's almost impossible to do anything without tools.  That's not my point; I'm not suggesting that we take away everyone's tools and tell them to analyze malware or perform a pen-test with nothing but a blank OS.  Is it possible?  I'm sure it is.  Would anyone want to?
Hell no!&lt;br /&gt;&lt;br /&gt;My point was that you never really know how good &lt;span style="font-style: italic;"&gt;you&lt;/span&gt; are until &lt;span style="font-style: italic;"&gt;you&lt;/span&gt; are faced with a situation where you are taken out of your comfort zone and have to rely upon &lt;span style="font-style: italic;"&gt;your&lt;/span&gt; knowledge and the tools available to you at the moment.  I don't always have access to a commercial version of IDA Pro.  Does that mean I can't disassemble malware and analyze it?  No; I just need to be flexible, use tools that I'm not as used to and use my brain just a little bit more.&lt;br /&gt;&lt;br /&gt;I think it's a useful exercise in anyone's career to do this.  Imagine for a moment that you didn't have the tool(s) you use most in your job: how would you perform your job?  What alternatives are available to you, and how familiar are you with them?  I'm as guilty as anyone else of relying upon specific tools, but this little exercise has helped me see where my weak areas are and how I can shore them up.&lt;br /&gt;&lt;br /&gt;Perhaps I should have instead tweeted "Want to find out how good &lt;span style="font-weight: bold; font-style: italic;"&gt;you are&lt;/span&gt;? Take away all &lt;span style="font-weight: bold; font-style: italic;"&gt;your&lt;/span&gt; tools and say, Now do it."
That seems to fit my point better.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-5503481227325903330?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/5503481227325903330/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=5503481227325903330" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5503481227325903330?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5503481227325903330?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/GWFntU-f1w0/tools-and-news.html" title="Tools and News" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2011/12/tools-and-news.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEEBSHc6eSp7ImA9WhRTEkg.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-4405495387048857365</id><published>2011-11-02T13:33:00.004-04:00</published><updated>2011-11-02T13:57:39.911-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-02T13:57:39.911-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="conference" /><category scheme="http://www.blogger.com/atom/ns#" term="crypto" /><category scheme="http://www.blogger.com/atom/ns#" term="puzzle" 
/><title>Answers to the NEOISF Crypto Challenge</title><content type="html">If you were at the &lt;a href="https://www.informationsecuritysummit.org/"&gt;2011 Information Security Summit&lt;/a&gt; last week, you may have come across the &lt;a href="http://www.neoisf.org/"&gt;Northeast Ohio Information Security Forum&lt;/a&gt;'s booth and seen the crypto challenge I created for it.&lt;br /&gt;&lt;br /&gt;The challenge was a series of three encoded messages, each more difficult than the last.  It seemed to be popular: I had printed off 50 copies of the challenge and they were all gone by Friday morning.  Only 2 people, that I know of, finished it (although more may have and just not told me).&lt;br /&gt;&lt;br /&gt;The first encoded message was:&lt;br /&gt;&lt;blockquote style="font-weight: bold;"&gt;Olgrf Rapelcgrq Ner Yrff Rnfl!&lt;br /&gt;&lt;/blockquote&gt;This was a &lt;a href="http://rot13.com/"&gt;ROT13&lt;/a&gt; message that decodes to:&lt;br /&gt;&lt;blockquote&gt;Bytes Encrypted Are Less Easy!&lt;br /&gt;&lt;/blockquote&gt;The second message was a bit harder.&lt;br /&gt;&lt;blockquote&gt;Tymxmu Svpvwmeh sg xhp fpskwiu ms elf oej&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;To make it a little easier, a hint was given to use the first letter of every word from the first solution as the key.  This was also a hint that a key was required at all to decode the message.  The original message had been encrypted using a &lt;a href="http://sharkysoft.com/misc/vigenere/"&gt;Vigenère cipher&lt;/a&gt;.  Decrypting the message with the key "BEALE" (the key advances one position per letter; spaces and punctuation are left in place, which is why the word breaks survive) produces the following message:&lt;br /&gt;&lt;blockquote&gt;Summit Overview of the booklet is the key&lt;/blockquote&gt;The final puzzle was the hardest of all.
The encoded message was:&lt;br /&gt;&lt;blockquote&gt;10 11 32 35 177 42 50 54 44 50 42 82 132 71 100 157 54 60 147 66 50 193 3  60 81 100 157 75 36 106&lt;/blockquote&gt;The hint for this puzzle was "Items from the first two solutions will help you figure this one out!"  Each of the first two solutions gave some type of clue as to the cipher used for the last one.  The first puzzle's answer supplied the key for the second puzzle: BEALE.&lt;br /&gt;&lt;br /&gt;If anyone searched for BEALE, they would have eventually come across the &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Beale_ciphers"&gt;Beale Ciphers&lt;/a&gt;, encoded messages that supposedly point to buried treasure.  The only message successfully decoded thus far used the Declaration of Independence as a key.  To decode it, you find the word corresponding to the number you are given and take its first letter.  For example, if you have a 10, find the 10th word and use its first letter.  When you put all of these together you get the decoded message.&lt;br /&gt;&lt;br /&gt;This is what you would have to do in order to solve the third puzzle.  But what book do you use to decipher it?  That is where the answer to the second message comes in.  The solution tells you to use the welcome page in the Information Security Summit booklet.  Taking the first letter of the word at each numbered position gives the following message (30 numbers, 30 letters; a repeated number such as 50 always decodes to the same letter, which is a quick sanity check on a candidate key text):&lt;br /&gt;&lt;blockquote&gt;now there are no more secrets for you&lt;/blockquote&gt;&lt;br /&gt;I hope that those who did this found it fun.  I'd love to do another next year, but on a bigger scale.
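&lt;br /&gt;&lt;br /&gt;As an added worked example (mine, not part of the original challenge write-up), the following Python script chains the three techniques described above: ROT13 for the first message, extraction of the first-letter key, a Vigenère decrypt whose key advances only on letters, and a Beale-style book cipher encoder and decoder. The puzzle strings are the ones quoted above. The booklet's welcome page is not reproduced in the post, so the book cipher runs against a constructed stand-in key text (SAMPLE_KEY_TEXT, chosen so every letter of the answer has a word); the third puzzle's numbers are listed but cannot be decoded without the real booklet. All function names are my own.

```python
import codecs
import re

# Puzzle strings copied from the post above.
PUZZLE1 = "Olgrf Rapelcgrq Ner Yrff Rnfl!"
PUZZLE2 = "Tymxmu Svpvwmeh sg xhp fpskwiu ms elf oej"
PUZZLE3 = [10, 11, 32, 35, 177, 42, 50, 54, 44, 50, 42, 82, 132, 71, 100, 157,
           54, 60, 147, 66, 50, 193, 3, 60, 81, 100, 157, 75, 36, 106]

# Constructed stand-in for the summit booklet's welcome page (the real key text
# is not reproduced in the post). Every letter of the known answer has a word here.
SAMPLE_KEY_TEXT = ("Never open what the hidden envelope reveals; all messages stay "
                   "concealed for years unless one reads every word carefully.")


def rot13(text):
    """Caesar shift by 13 on A-Z/a-z; it is its own inverse."""
    return codecs.decode(text, "rot_13")


def first_letters(text):
    """The post's hint: the first letter of every word of the previous answer is the key."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z]+", text)).upper()


def vigenere(text, key, decrypt=True):
    """Vigenere over the alphabet. The key index advances only on letters, so spaces
    and punctuation pass through unchanged and the original word breaks survive."""
    out = []
    pos = 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        shift = ord(key[pos % len(key)].upper()) - ord("A")
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        pos += 1
    return "".join(out)


def book_words(key_text):
    """Word list of the key text; number n in the ciphertext refers to words[n-1]."""
    return re.findall(r"[A-Za-z]+", key_text)


def book_decode(numbers, key_text):
    """Beale-style book cipher: each number selects a word, its first letter is plaintext."""
    words = book_words(key_text)
    return "".join(words[n - 1][0].lower() for n in numbers)


def book_encode(plaintext, key_text):
    """Inverse of book_decode. Cycles through every word starting with the wanted letter,
    so a repeated letter does not always become the same number; always reusing one
    number per letter reduces a book cipher to a simple substitution."""
    by_letter = {}
    for idx, w in enumerate(book_words(key_text), start=1):
        by_letter.setdefault(w[0].lower(), []).append(idx)
    numbers, used = [], {}
    for ch in plaintext.lower():
        if not ch.isalpha():
            continue
        candidates = by_letter[ch]          # KeyError: the key text cannot spell this letter
        k = used.get(ch, 0)
        numbers.append(candidates[k % len(candidates)])
        used[ch] = k + 1
    return numbers


def solve_first_two():
    """Chain the two solved puzzles: answer 1, the key it hides, answer 2."""
    answer1 = rot13(PUZZLE1)
    key = first_letters(answer1)
    answer2 = vigenere(PUZZLE2, key)
    return answer1, key, answer2


def decode_third(booklet_welcome_page_text):
    """Decode puzzle 3 once you have the booklet's welcome page text as a string."""
    return book_decode(PUZZLE3, booklet_welcome_page_text)


if __name__ == "__main__":
    a1, key, a2 = solve_first_two()
    print(a1)
    print(key)
    print(a2)
    nums = book_encode("now there are no more secrets for you", SAMPLE_KEY_TEXT)
    print(nums)
    print(book_decode(nums, SAMPLE_KEY_TEXT))
```

Running it reproduces the first two answers exactly as printed above, and round-trips the third answer through the constructed key text. Two things are worth noticing: the Vigenère routine must not consume key material on spaces, or the second message decrypts to garbage after the first word; and the book-cipher decoder is only as good as the word tokenisation of the key text, so agree on how hyphenated words and numerals are counted before trusting a candidate booklet.&lt;br /&gt;&lt;br /&gt;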
If anyone has any suggestions, I'd love to hear them!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-4405495387048857365?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/4405495387048857365/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=4405495387048857365" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4405495387048857365?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4405495387048857365?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/nsyXWLWHk1g/answers-to-neoisf-crypto-challenge.html" title="Answers to the NEOISF Crypto Challenge" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2011/11/answers-to-neoisf-crypto-challenge.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUYHRXc_eSp7ImA9WhdQF0U.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-4349369477158010848</id><published>2011-08-19T15:33:00.003-04:00</published><updated>2011-08-19T15:45:34.941-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-19T15:45:34.941-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="conference" /><category scheme="http://www.blogger.com/atom/ns#" 
term="malware analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="training" /><title>Malware Analysis and Malicious Document Analysis Training Courses</title><content type="html">&lt;span style="font-style: italic;"&gt;This is a totally self-serving marketing post.  Feel free to click that little X in the upper right corner of your browser.&lt;/span&gt;
&lt;br /&gt;
&lt;br /&gt;The &lt;a href="https://www.informationsecuritysummit.org/"&gt;Ohio Information Security Summit&lt;/a&gt; is coming up again on October 27-28.  The &lt;a href="https://www.informationsecuritysummit.org/ConferenceAgenda2011.pdf"&gt;conference agenda&lt;/a&gt; is starting to fill in, and lots of great talks look to be scheduled!  I will be speaking there with &lt;a href="http://securityblahblah.blogspot.com/"&gt;Greg Feezel&lt;/a&gt; and the NE Ohio Honeynet Project.
&lt;br /&gt;
&lt;br /&gt;There will also be &lt;a href="https://www.informationsecuritysummit.org/2011TrainingDescriptions.doc"&gt;pre-conference training&lt;/a&gt; from October 24-26.  There are more classes this year than last year, many of which look great!
&lt;br /&gt;
&lt;br /&gt;I will be giving my 2-day, hands-on Malware Analysis training course again this year.  It covers the basics of malware analysis and is geared towards those who have never done, or have done very little, malware analysis.  Plus, if you take the 2-day course, you'll get into my new 1-day Malicious Document course for free!
&lt;br /&gt;
&lt;br /&gt;The Malicious Document training course I am doing for the first time this year will cover how to analyze malicious documents (duh).  Specifically, I will cover malicious JavaScript and PDFs, and touch on malicious Word documents.  This is a 1-day course in which the students will be very hands-on, analyzing malicious documents from the wild.
&lt;br /&gt;
&lt;br /&gt;If you have any questions on the courses, please feel free to contact me!
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-4349369477158010848?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/4349369477158010848/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=4349369477158010848" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4349369477158010848?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4349369477158010848?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/UQNdpjEOeRU/malware-analysis-and-malicious-document.html" title="Malware Analysis and Malicious Document Analysis Training Courses" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2011/08/malware-analysis-and-malicious-document.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0UDSH4_fSp7ImA9WhZWE0w.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-3414048940682363131</id><published>2011-05-12T14:17:00.000-04:00</published><updated>2011-05-13T16:41:19.045-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-13T16:41:19.045-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><title>Proactive Incident Response</title><content 
type="html">A little while ago Harlan Carvey posted on &lt;a href="http://windowsir.blogspot.com/2011/04/proactive-ir.html"&gt;Proactive Incident Response&lt;/a&gt;.  I've been thinking about this for a while, but have a different perspective on Proactive IR than he does.  (I agree with his take on it, I just look at Proactive IR differently.)&lt;br /&gt;&lt;br /&gt;Computer Incident Response Teams (CIRTs) are often referred to as fire fighters.  The analogy fits: most of the time CIRTs are fighting fires, the fire being a hacked server, a malware outbreak or a targeted phishing campaign.  We're often jumping from one problem to the next, determining who got in, how they did it, what damage they caused and how to prevent it in the future.  However, is that all CIRTs should be doing?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cert.org/archive/pdf/csirt-handbook.pdf"&gt;The CERT Handbook for Computer Security Incident Response Teams&lt;/a&gt; states that CIRTs should offer three categories of service: reactive, proactive and security quality management services.  Reactive services are the fire fighting done on a daily basis.  Security quality management services include project and security consulting for other business units; you know, those meetings you get pulled into where they ask you what you think.  What about proactive services?&lt;br /&gt;&lt;br /&gt;If we look at actual fire fighters, we see that they don't just spend their time putting out fires.  One of their duties is fire prevention, through education and fire inspections.  In the security world, this is analogous to user education, vulnerability scanning and penetration tests.  This is what proactive services are.  But I believe there is another aspect of proactive services that CIRTs tend to miss.&lt;br /&gt;&lt;br /&gt;One of my co-workers has coined a term: hunting trips.  This basically boils down to proactively looking around the interwebs for attackers you've seen in the past.
Since attackers tend to use the same or similar tools and tactics, indicators of their compromises in other organizations turn up if you know where to look.  You can then use the new indicators you've just found to check for signs of compromise in your own network.&lt;br /&gt;&lt;br /&gt;Where can you look?  Anywhere that security analysis gets published.  This includes blogs, Twitter, forums, online sandboxes, AV signature descriptions, etc.  All of these places (and more) have information you can use to tie attackers to new attacks and the malware they are using.&lt;br /&gt;&lt;br /&gt;Of course, I wouldn't recommend hand-searching each of these places for information.  Google is the obvious place to start, but be prepared to get back hundreds of results (at best) that are not of interest to you.  I would recommend using the &lt;a href="http://www.google.com/cse/home?cx=011750002002865445766:pc60zx1rliu"&gt;Google Malware Analysis Search&lt;/a&gt;, created by those behind the &lt;a href="http://hooked-on-mnemonics.blogspot.com"&gt;Hooked on Mnemonics Worked for Me&lt;/a&gt; blog, which narrows Google's search to 75 different security sites and feeds.&lt;br /&gt;&lt;br /&gt;So, an example, so that this actually makes sense.  In the last few days there has been an uptick in spammed emails that contain a link to a zip file named order.zip.  Within this file is a SpyEye trojan.  Analysis of the trojan shows that it drops itself as c:\recycle.bin\recycle.bin.exe (which to my knowledge is not a default location for SpyEye).  This location is fairly unusual and makes a good indicator to take on a hunting trip.&lt;br /&gt;&lt;br /&gt;Using the Google Malware Analysis custom search to look for "recycle.bin.exe", we come across a &lt;a href="http://www.threatexpert.com/report.aspx?md5=127c4f729e6303a99b6704a471c9310d"&gt;ThreatExpert report from March 2011&lt;/a&gt; for the same filename being dropped by a SpyEye trojan.
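&lt;br /&gt;&lt;br /&gt;Here is an added example (mine, not from the original post) of turning these indicators into a hunt across your own logs: the dropped path from the order.zip sample, plus the C2 domain and the sample MD5 from the linked ThreatExpert report (the hash is the one in the report's URL). The log lines are constructed for the example and the host names and addresses are made up; the function names are my own. The matcher is boundary-aware on purpose: a bare substring search for "recycle.bin" would light up on every legitimate C:\$Recycle.Bin path, and a substring search for the domain would match unrelated names that merely end in it.

```python
import re

# Indicators from the post and the ThreatExpert report it links (the md5 is the one
# in that report's URL). Tuples of (kind, value, provenance note).
INDICATORS = [
    ("path", r"c:\recycle.bin\recycle.bin.exe", "order.zip SpyEye sample: dropped path"),
    ("domain", "zweor.com", "ThreatExpert report: C2 contact"),
    ("md5", "127c4f729e6303a99b6704a471c9310d", "ThreatExpert report URL"),
]

# Constructed sample log lines (not from the post). Hosts and addresses are made up.
# Line 4 is a legitimate Windows Recycle Bin path and line 5 a look-alike domain;
# neither may fire.
SAMPLE_LOGS = [
    "2011-05-11T09:12:01 host=ws17 event=ProcessCreate image=C:\\Users\\bob\\AppData\\Local\\Temp\\order.exe md5=127C4F729E6303A99B6704A471C9310D",
    "2011-05-11T09:12:03 host=ws17 event=FileCreate path=C:\\Recycle.Bin\\recycle.bin.exe",
    "2011-05-11T09:12:09 host=ws17 event=DNS query=update.zweor.com answer=198.51.100.7",
    "2011-05-11T09:15:44 host=ws02 event=FileCreate path=C:\\$Recycle.Bin\\S-1-5-21-1\\$R3K2L1.docx",
    "2011-05-11T09:16:10 host=ws02 event=DNS query=notzweor.com answer=203.0.113.9",
]


def normalize(line):
    """Lower-case and collapse doubled backslashes so JSON-escaped and raw paths compare equal."""
    return re.sub(r"\\+", r"\\", line.lower())


def indicator_regex(kind, value):
    """Build a boundary-aware pattern so the indicator is matched as a whole token."""
    v = re.escape(value.lower())
    if kind == "path":
        # Preceding char may not be a word char or '$' (rules out C:\$Recycle.Bin look-alikes).
        return re.compile(r"(^|[^\w$])" + v + r"(?![\w.])")
    if kind == "domain":
        # The domain itself or any subdomain of it, but not a longer name that merely ends in it.
        return re.compile(r"(^|[^\w.-])(?:[\w-]+\.)*" + v + r"(?![\w.-])")
    if kind == "md5":
        return re.compile(r"(^|[^0-9a-f])" + v + r"(?![0-9a-f])")
    raise ValueError("unknown indicator kind: " + kind)


def hunt(lines, indicators):
    """Return (line_number, kind, value) for every indicator hit; line numbers are 1-based."""
    compiled = [(kind, value, indicator_regex(kind, value)) for kind, value, _ in indicators]
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = normalize(raw)
        for kind, value, rx in compiled:
            if rx.search(line):
                hits.append((lineno, kind, value))
    return hits


def hosts_to_triage(lines, indicators):
    """Collapse hits to the sorted set of host= values that need a closer look."""
    hosts = set()
    for lineno, _, _ in hunt(lines, indicators):
        m = re.search(r"host=(\S+)", lines[lineno - 1])
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    for lineno, kind, value in hunt(SAMPLE_LOGS, INDICATORS):
        print("line %d: %s indicator %s" % (lineno, kind, value))
    print("hosts to triage:", hosts_to_triage(SAMPLE_LOGS, INDICATORS))
```

On the sample data this flags only ws17 (hash, dropped path and C2 lookup, all within seconds of each other), while the genuine $Recycle.Bin path and the notzweor.com lookup on ws02 stay quiet. Feed it your real proxy, DNS and endpoint logs one line at a time, and treat a hit on the path as the strong signal: file names can be reused by unrelated malware, but this particular full path is, as noted above, not a default SpyEye location.&lt;br /&gt;&lt;br /&gt;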
The TE report also shows that it attempts to contact zweor.com for its C&amp;amp;C server.  We now have a new indicator to search our network for and to go hunting with.&lt;br /&gt;&lt;br /&gt;This is a very simple scenario, but demonstrates the usefulness of performing information gathering to find additional indicators.  I have a feeling most CIRTs are not doing this and would benefit greatly from setting aside time to make sure this is done.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-3414048940682363131?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/3414048940682363131/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=3414048940682363131" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3414048940682363131?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3414048940682363131?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/1pnb_ApcoIQ/proactive-incident-response.html" title="Proactive Incident Response" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2011/05/proactive-incident-response.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;AkQNQ3czfCp7ImA9Wx9WFU4.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-7473068707767028958</id><published>2011-01-20T10:37:00.002-05:00</published><updated>2011-01-20T10:46:32.984-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-01-20T10:46:32.984-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="scam" /><title>Wanna be a mule?</title><content type="html">It's been a while since I've posted, and I apologize.  As things get busy I find I have less time to post here.  However, one of my new year's goals is to post more, so there should be more in the coming weeks.&lt;br /&gt;&lt;br /&gt;I received an email today from my mother, who had received an email about a job and wanted to know if it's legit.  After skimming it my alarms went off, and they were soon &lt;a href="http://scamfraudalert.wordpress.com/2011/01/19/medline-financial-industries-plc/"&gt;verified&lt;/a&gt;.  To be honest, I've always heard about money mule job offers but had never seen one, so I found it interesting.&lt;br /&gt;&lt;br /&gt;I'm currently trying to get the mail headers to see where it actually came from.  It is nice to know they offer insurance and a 401K.  :)&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;From: "Ella D Dickinson" &lt;medlineplc@aol.com&gt;&lt;br /&gt;Subject: RE: [1] Message from Careerbuilder: You have received a new job opportunity&lt;br /&gt;Date: Wed, 19 Jan 2011 23:49:34 -0000&lt;br /&gt;&lt;br /&gt;Hello,&lt;br /&gt;&lt;br /&gt;Please allow me to introduce myself: my name is Ella D. 
Dickinson and I am the International Human Resource Manager of Medline Financial Industries PLC I am pleased to inform you that we have an open position for you within our company.&lt;br /&gt;&lt;br /&gt;Medline Financial Industries PLC was founded in 1980 and has quickly grown to be one of the largest resellers of medical equipment and apparatus in the United Kingdom as well as in the rest of Europe. We work exclusively with hospitals and other medical companies and groups supplying several hundred types of products ranging from surgical needles and syringes to EKG and MRI machines and everything in between. We have dozens of agreements and contracts with top manufacturers around the world such as GE Healthcare, Medtronic, Baxter International, Cardinal Health, Tyco Healthcare, Siemens Medical Solutions, Philips Medical Systems, Zimmer Holdings, et cetera. Our company has grown very fast during the last few years so now we have expanded our market and business to the United States as well. As such we have a big number of openings in almost every state and we are looking for dedicated and hard working individuals to work for us and help us expand.&lt;br /&gt;&lt;br /&gt;The reason for our success is the fact that we are able to meet our customer's demands wherever and whenever. We are very flexible and we can honor our orders when others cannot. This is due to the fact that we accept almost any type of payments and we have a very fast delivery system which combined with the great customer support we provide took us to where we are today. We take great pride in what we do because it is not always easy to satisfy all customer demands while still processing the orders very fast and receiving payments for the products in a timely manner. 
This is why we need you and bellow you will find the job description and what is asked of you.&lt;br /&gt;&lt;br /&gt;Description:&lt;br /&gt;&lt;br /&gt;-NO SALES INVOLVED&lt;br /&gt;-While performing this job you will encounter no fees to be paid in advance whatsoever;&lt;br /&gt;-No employee from our company will ever ask you for any sensitive information;&lt;br /&gt;-You will not be involved in any contact with our customers;&lt;br /&gt;-Everything you will do is legal under the European Union/United States and International laws as they are currently applied.&lt;br /&gt;&lt;br /&gt;Your duties are:&lt;br /&gt;&lt;br /&gt;1. Receive payment from our customers. All check will be write in your name. All checks are US checks, no international. You wil receive all checks via USPS (no signature required).&lt;br /&gt;2. Cashing the checks at your existing bank account.&lt;br /&gt;3. Deduct 10% which will be your percentage/pay on each payment processed.&lt;br /&gt;4. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to. (Payment is to be forwarded by Western Union Money Transfer).&lt;br /&gt;&lt;br /&gt;Your benefits are:&lt;br /&gt;&lt;br /&gt;-10% from each check your will process in the first month. Within one month after receiving the first check you will receive $1,000 as fixed salary.  This is a commission based job, the faster your process orders the more your income will increase. This bonus is given to also cover internet, phone or gas bills. Please note that this salary will be sent after 30 days have passed since you received your first payment to process.&lt;br /&gt;&lt;br /&gt;After two months of working for us an increase to 15% commission from all payments might be applied to your contract if you process and send all the transfers to us in a timely manner. 
In this case you will be earning around $1,200-1,300 per week as well as the $1,000 salary at the end of the month.&lt;br /&gt;&lt;br /&gt;There are also minor bonuses for cashing the checks and sending the payment to us very fast:&lt;br /&gt;-Cash the check same day: $150 for each check;&lt;br /&gt;-Cash the check within 24 hours: $100 for each check;&lt;br /&gt;-Cash the check within 48 hours: $ 50 for each check.&lt;br /&gt;&lt;br /&gt;The $1,000 salary will be sent to you in form of a cashier check.&lt;br /&gt;&lt;br /&gt;The today's situation on the financial market requires us to open and fill several of these job positions within our company; the job opening is that of a Representative within the US. This opening will help our company to reduce the time it takes to receive funding from orders that we receive each month. And we offer you one of the highest incomes on the market today and the minimal expenditures of time.&lt;br /&gt;&lt;br /&gt;Presently with the number of orders we have we cannot put them on hold for fear of losing our customers, secondly we cannot cash these payments from the US soon enough, as international checks take about 28 working days to cash anywhere in Europe. We lose a lot of time and money each month because we have money transfer delays. Our clients could pay us where we want by sending checks to an US address. What we need you to do is to provide us an address where you can receive our customer checks. We need someone who can receive the money through this method of payment. Regarding the check process all you have to do is to receive the checks our customers will send to your address, take them to your bank, cash them and send the remainder amount to us after deducting all fees incurred and your commission. All fees for transferring the funds will be supported from our share. Bonuses will apply for cashing checks within 24 hours upon receiving a check. 
You will always take your commission upfront.&lt;br /&gt;&lt;br /&gt;We make direct contact for sales of products. Once orders are received and processed we deliver the product to our customer (usually through USPS). The customer receives and checks the product and proceeds to send the payment. We accept all forms of payment but most of our customers pay using Bank Checks and so to solve this problem and not lose any of our customers we have decided to open this new job position. This job is legal according to the U.S. legislation as it is today. Local money transfers take but a few hours, so it will give us a possibility to get customer's payment almost immediately.&lt;br /&gt;&lt;br /&gt;PAYMENT AND SALARY:&lt;br /&gt;&lt;br /&gt;For example you receive a check as payment for 3000.00 USD, you deduct your commission (10%): 300.00 USD and then send to us the balance: 2700.00 USD. In the first month you will receive around 15-20 orders under 3,000.00 USD to process and after checking your performance records during that first month the orders you will receive, may increase from 3,000.00 upwards to 6,000.00 USD. For example 20 transactions each around 3000.00 USD gives you a total income of 6,000.00 USD per month and after establishing a close co-operation with us you'll be able to operate with larger orders and you'll be able to earn more. You will also deduct fees that are related to this job (gasoline, western union fees, bank commissions, etc) from our balance, not from your commissions. At first the checks you will receive will vary from: $500.00 to $3,000.00. We will also send you a 1099 Form for tax deduction on&lt;br /&gt;your part. Our payments will be issued out in your name and you can have them cashed in your existing bank account, we don't accept newly created bank accounts because it slows the cashing process. 
Deduct your percentage and forward the balance to the company attorney manager via a western union money transfer, the name will be given to you later after cashing a payment.&lt;br /&gt;&lt;br /&gt;This job takes only 3-7 hours per week. You'll have a lot of free time for taking up another job; you'll get good income and a regular job. This job is very challenging and you should understand it. We are looking only for the employee who satisfies our requirements and will be an earnest assistant.&lt;br /&gt;&lt;br /&gt;We have health insurance and the 401K retirement savings plan as well as all the other standard benefits that a major company usually provides. Unfortunately we can only start talking about this after the first month has passed since you're working for us. We consider the first month as a trial period. In any case you do not have to pay for anything in advance; there are no hidden costs for performing this job. Any fee you might encounter will be deducted from our share of the funds before you send it to us.&lt;br /&gt;&lt;br /&gt;You will receive next instructions step by step.&lt;br /&gt;&lt;br /&gt;Unfortunately we cannot setup any interviews now, as we do not have any representatives in US. We will be able to come to meet within the next few months when the new offices will be opened in your area!&lt;br /&gt;&lt;br /&gt;Please let me know if you are still interested. Within 24 hours after we will receive this information we will forward you a copy of the contract you have to fill in, sign and e-mail back to us.&lt;br /&gt;&lt;br /&gt;Ella D. 
Dickinson&lt;br /&gt;Medline Financial Industries PLC&lt;br /&gt;Euston Road, London, NW1&lt;br /&gt;United Kingdom&lt;br /&gt;FAX 011-44-132-656-8743&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-7473068707767028958?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/7473068707767028958/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=7473068707767028958" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/7473068707767028958?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/7473068707767028958?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/bRdrnwC0JNE/wanna-be-mule.html" title="Wanna be a mule?" 
/><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2011/01/wanna-be-mule.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0EGRXo9fSp7ImA9Wx5SGUo.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-1481535604999435677</id><published>2010-08-16T10:18:00.003-04:00</published><updated>2010-08-16T11:13:44.465-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-08-16T11:13:44.465-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>You never get a second chance...</title><content type="html">Have you ever heard the saying "You never get a second chance to make a first impression"?  The same applies to malware analysis, and information security in general.&lt;br /&gt;&lt;br /&gt;This morning I was doing some research into some malicious spam emails that were coming in.  They were your normal click-on-a-link-and-be-redirected-to-50-sites emails and I had tracked the redirect chain down to the last site.  After decoding the JS it served, I could see the attacks it was going to perform and the URLs it was going to go to.  So close to the malicious executable...so close.&lt;br /&gt;&lt;br /&gt;So I typed the following at my prompt:&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-family: courier new;"&gt;curl -D header.txt "http://badsite.com/welcome.php?id=12&amp;amp;pid=10&amp;amp;1=12"&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;See any problems?&lt;br /&gt;&lt;br /&gt;Curl writes anything it downloads to standard output by default.  
In other words, since I didn't redirect the output to a file or use the -O option, the file from the malicious site was written to my screen.  Normally, this wouldn't have been such a bad thing except it was gzip-compressed, so my screen was filled with binary characters.&lt;br /&gt;&lt;br /&gt;No problem, right?  All I have to do is download it again, this time redirecting.  Here's what happened:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-style: italic; font-family: courier new;"&gt;curl -D header.txt "http://badsite.com/welcome.php?id=12&amp;amp;pid=10&amp;amp;1=12" &gt; 1&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-family: courier new;"&gt;  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-family: courier new;"&gt;                                 Dload  Upload   Total   Spent    Left  Speed&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic; font-family: courier new;"&gt;  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;0 bytes downloaded?  What happened?&lt;br /&gt;&lt;br /&gt;Many web-based malicious toolkits used by attackers have an option to only allow the attack file to be downloaded once per IP address.  This prevents clients from being infected repeatedly and keeps analysts (like me) from exploring the site.  When I initially requested the file and didn't redirect the output, I used my one shot.  The second time I went to download it, the site recognized my IP address and didn't let me access it again.  Of course, there are ways around this, but that's for another post.&lt;br /&gt;&lt;br /&gt;So, what did I take away from this?&lt;br /&gt;&lt;br /&gt;1. Everyone makes mistakes.  Hell, I make a lot of them.  If anyone tells you they don't, they're lying.  Learn and move on.&lt;br /&gt;2. I need better web download tools.  Well, the tools (e.g. 
curl) work fine.  I'm flawed.  I've already started to create a script that does everything that needs to be done for me.  No more mess-ups.&lt;br /&gt;&lt;br /&gt;I hope others can read this and learn from my mistake.  I'd love to hear how others fetch content from malicious websites.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-1481535604999435677?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/1481535604999435677/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=1481535604999435677" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1481535604999435677?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1481535604999435677?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/t7BqsXMmje4/you-never-get-second-chance.html" title="You never get a second chance..." 
/><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/08/you-never-get-second-chance.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEEAQXk9fyp7ImA9Wx5SF0w.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-5281552559717249611</id><published>2010-08-13T11:05:00.003-04:00</published><updated>2010-08-13T11:17:20.767-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-08-13T11:17:20.767-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="training" /><title>Introduction to Malware Analysis Course</title><content type="html">Once again I will be teaching my &lt;span style="font-style: italic;"&gt;Introduction to Malware Analysis&lt;/span&gt; course this year at the &lt;a href="https://www.informationsecuritysummit.org/"&gt;NE Ohio Information Security Summit&lt;/a&gt; that takes place on October 11-15, 2010 in Cleveland, Ohio.  My course is in the &lt;a href="https://www.informationsecuritysummit.org/training_classes.doc"&gt;pre-conference training&lt;/a&gt; and will take place on Oct 12-13.&lt;br /&gt;&lt;br /&gt;The 2-day introduction to malware analysis class is geared toward those who want to learn malware analysis or are just starting out.  We'll cover all of the basics of malware analysis, including setting up your analysis lab, static analysis and dynamic analysis.  
In the end, you'll walk out of the class knowing how to take a malware sample and determine what it does, who it contacts and what risk it poses.&lt;br /&gt;&lt;br /&gt;The class is structured around labs where you'll use the techniques taught to analyze live malware.  Since we will be analyzing actual malware, students will need to bring their own laptops (requirements will be posted closer to the class).&lt;br /&gt;&lt;br /&gt;The end of the class will also feature an analysis contest where students will compete to win some cool prizes.  Last year I gave away copies of &lt;a href="http://www.boardgamegeek.com/boardgame/10707/hacker-deluxe-edition"&gt;Hacker&lt;/a&gt; and &lt;a href="http://www.boardgamegeek.com/boardgame/30549/pandemic"&gt;Pandemic&lt;/a&gt;...so we'll see what happens this year!&lt;br /&gt;&lt;br /&gt;Even if you don't take my course, I highly recommend &lt;a href="https://www.informationsecuritysummit.org/register.php"&gt;attending the conference&lt;/a&gt;.  It's an amazing conference for the price ($300 until 9/15).  
There are lots of great speakers (many of whom speak at Black Hat, Defcon, Shmoocon, etc.).&lt;br /&gt;&lt;br /&gt;Look forward to seeing you there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-5281552559717249611?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/5281552559717249611/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=5281552559717249611" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5281552559717249611?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5281552559717249611?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/nst4fQzUmXQ/introduction-to-malware-analysis-course.html" title="Introduction to Malware Analysis Course" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/08/introduction-to-malware-analysis-course.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CE8DSHg6cSp7ImA9WxFQF0s.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-5100433984110744196</id><published>2010-05-12T13:10:00.006-04:00</published><updated>2010-05-13T11:01:19.619-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-05-13T11:01:19.619-04:00</app:edited><category 
scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="sandnet" /><title>Simulating the User Experience: Part 3</title><content type="html">In the first two parts of this blog series, I detailed an issue I found where not all of the user environment variables were set for a program run with winexe.  This was causing an issue during analysis of some malware since the samples were looking for those variables.  As a work-around, a batch script was uploaded to the Windows sandbox and scheduled to run.  When the scheduled job ran, all of the environment variables were set and the malware ran as it normally would.&lt;br /&gt;&lt;br /&gt;The whole situation got me thinking - are public sandboxes setting all of the environment variables?  As was seen, some malware relies on these variables, and if they aren't set the malware won't run.  If someone were to use a public sandnet to test malware that relies on these variables and the malware didn't run, they could be under the false impression that the program is benign.&lt;br /&gt;&lt;br /&gt;Before I go on I should state that this post is not a knock against public sandboxes.  They provide a great service to the security community.  I did not do this to find any weaknesses in them to exploit or publish maliciously.  My goal here was to determine which sandboxes, if any, miss some variables that may be required for malware to run.&lt;br /&gt;&lt;br /&gt;To test this, I wrote a program that would obtain the environment variables and write each one to its own registry key/value pair.  Since the public sandboxes report any registry modifications made by the program, I would be able to see all of the environment variables available to the program.  This program was then uploaded to a number of different public sandboxes and the results analyzed.  
The sandboxes I used were &lt;a href="http://anubis.iseclab.org/"&gt;Anubis&lt;/a&gt;, &lt;a href="http://camas.comodo.com/"&gt;Comodo&lt;/a&gt;, &lt;a href="http://mwanalysis.org/"&gt;CWSandbox&lt;/a&gt;, &lt;a href="http://www.joebox.org/"&gt;Joebox&lt;/a&gt;, &lt;a href="http://www.threatexpert.com/"&gt;ThreatExpert&lt;/a&gt;, &lt;a href="https://aerie.cs.berkeley.edu/submitsample-d.php"&gt;BitBlaze&lt;/a&gt; and the &lt;a href="http://www.norman.com/security_center/security_tools/submit_file/en"&gt;Norman Sandbox&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;In my testing, none of the sandboxes set all 30 of the environment variables I originally saw in my test.  BitBlaze set 29; Anubis, Comodo, CWSandbox and Joebox set 28; and the Norman Sandbox only set 16.  For some reason, ThreatExpert did not report anything back from my program - this could be a problem with my program or some type of security measure on their part.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;* Note: I will not say which variables were and were not set. That information could be used by malware to determine it was running in one of these sandnets and that is not my purpose.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Due to the way the malware is executed in my system, I think that having only 28 or 29 environment variables is a perfectly normal variation.  Therefore, my conclusion to all of this is that with the exception of Norman Sandbox, the sandnets appear to be setting the variables they should and represent a likely variation in the systems malware would run on.&lt;br /&gt;&lt;br /&gt;As for Norman Sandbox, it sets only a small number of environment variables.  That may well reflect some real systems.  However, having so few set would concern me, as I don't know whether all malware would behave as it normally would.  
Only further testing can tell.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-5100433984110744196?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/5100433984110744196/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=5100433984110744196" title="9 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5100433984110744196?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5100433984110744196?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/yaT1vyTC3NY/simulating-user-experience-part-3.html" title="Simulating the User Experience: Part 3" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>9</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/05/simulating-user-experience-part-3.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkcERHg4cCp7ImA9WxFQFUQ.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-4762971707337222308</id><published>2010-05-08T11:38:00.008-04:00</published><updated>2010-05-11T11:00:05.638-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-05-11T11:00:05.638-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>Simulating the User Experience: Part 2</title><content 
type="html">&lt;a href="http://secshoggoth.blogspot.com/2010/05/simulating-user-experience-part-1.html"&gt;In my last post&lt;/a&gt; I discussed the problem I found with &lt;a href="http://eol.ovh.org/winexe/"&gt;winexe&lt;/a&gt; and how it did not set all the Windows environment variables needed to simulate a complete user experience.  This problem was preventing some malware from running in my malware analysis sandnet - a problem I needed to overcome.&lt;br /&gt;&lt;br /&gt;The way I looked at it, I had 3 options:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Modify the source code for winexe to get it to work as I wanted.  However, this was more than I wanted to do at this time.  Maybe later.&lt;/li&gt;&lt;li&gt;Use a program like &lt;a href="http://webjob.sourceforge.net/WebJob/"&gt;webjob&lt;/a&gt; to provide another means to remotely execute the program.  However, this would require me to modify the Windows analysis host which, for reasons I won't go into, is a huge PITA.  Any solution that required me to modify the host was out for now.&lt;/li&gt;&lt;li&gt;Figure out a way to remotely execute the malware on the Windows system using already present tools and still get the user environment I wanted.&lt;/li&gt;&lt;/ul&gt;I decided to start with the third option.  I knew I couldn't use winexe to directly execute the malware as I wouldn't get the correct environment variables set.  But, what if I used winexe to execute another program to launch the malware?&lt;br /&gt;&lt;br /&gt;Using winexe to run 'cmd /c malware.exe' was out as this was the method I was using before.  I then tried creating a batch script to run the malware and executing it with winexe.  No luck there either; the environment variables weren't created.  Finally, I had an idea...what if I scheduled a job to run the malware?  
If I scheduled it as the user it should inherit all of the correct variables and run correctly.&lt;br /&gt;&lt;br /&gt;To test it out I created a batch script (named test.bat) in the Windows system that would run &lt;span style="font-style: italic;"&gt;set&lt;/span&gt; and redirect the output into a file.  I then ran the following command (from the Linux box):&lt;br /&gt;&lt;blockquote&gt;winexe -U administrator%mypass //192.168.1.5 'schtasks /create /tn testjob /tr c:\temp\test.bat /sc minute /mo 1 /ru administrator /rp mypass'&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Success!!!  When the script ran and dumped the environment variables into a file, all 30 were there!  The next step was to create a script to run the malware in the system.&lt;br /&gt;&lt;br /&gt;The automation script was modified to upload the malware to the Windows box along with a batch script that performs the following commands:&lt;br /&gt;&lt;blockquote&gt;schtasks /delete /tn jobname /f&lt;br /&gt;start c:\path\to\malware.exe&lt;br /&gt;&lt;/blockquote&gt;The automation script then schedules a job to run the uploaded script.  When the scheduled job kicks off, the batch file runs.  The batch file deletes the scheduled job and runs the malware. &lt;br /&gt;&lt;br /&gt;Why delete the scheduled job?  When scheduling the job, it is scheduled to run every minute.  By deleting the scheduled job there's no worry the malware will run more than once.  Why schedule it to run every minute?  Call it paranoia.  :)&lt;br /&gt;&lt;br /&gt;After making the modifications to my automation script and testing it, I ran it with the Koobface sample that started all my problems and...success!  The results showed the sample ran correctly, dropped the right files and set the right registry keys.   Tests with additional malware have shown that it's working correctly as well.&lt;br /&gt;&lt;br /&gt;This test got me thinking...how do publicly available sandnets work?  Are they setting the environment variables correctly?  
I'll discuss this in part 3 of this series.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-4762971707337222308?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/4762971707337222308/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=4762971707337222308" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4762971707337222308?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4762971707337222308?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/SI134Tkvdj4/simulating-user-experience-part-2.html" title="Simulating the User Experience: Part 2" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/05/simulating-user-experience-part-2.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUMER34-cSp7ImA9WxFQFEQ.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-3091548515822757331</id><published>2010-05-08T10:04:00.012-04:00</published><updated>2010-05-10T09:16:46.059-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-05-10T09:16:46.059-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><title>Simulating the User Experience: Part 1</title><content 
type="html">Part of malware analysis, especially automated malware analysis, is to simulate the user environment as closely as possible.  After all, our goal is to determine how malware behaves when it is run by a user.  For the last few months I've worked on an automated malware analysis system which I thought did just that.&lt;br /&gt;&lt;br /&gt;Let me explain my automated analysis system.  It is similar to the one I described in &lt;a href="http://secshoggoth.blogspot.com/2009/05/automating-malware-analysis-article.html"&gt;my Hakin9 articles last year&lt;/a&gt;.  Basically I have a host system running Linux that executes an automation script.  The automation script starts up a VM, launches some monitoring tools, uploads and executes the malware, records the results and performs cleanup.  In all, it takes about 5-7 minutes per malware sample, depending on the settings I am running.  So far it has performed extremely well and cut my analysis time down dramatically.&lt;br /&gt;&lt;br /&gt;Imagine my frustration this week when I ran a new Koobface sample in it only to find the malware didn't do anything.  It would launch, perform some start-up operations, then exit.  No registry modifications, no process injection, no network traffic.  However, when I would manually launch it or run it through &lt;a href="http://www.threatexpert.com/"&gt;ThreatExpert&lt;/a&gt;, it would run fine.&lt;br /&gt;&lt;br /&gt;Looking closer, I found that the malware was trying to place a copy of itself in the %APPDATA% directory.  Since %APPDATA% is an environment variable for the user, it should have been set - or so I thought.&lt;br /&gt;&lt;br /&gt;I took a step back and started to examine the method I was using to execute the malware.  My "host" system which executes the automation scripts runs Linux.  
In order to execute the malware in the Windows system, &lt;a href="http://www.samba.org/samba/docs/man/manpages-3/smbclient.1.html"&gt;smbclient&lt;/a&gt; is used to upload the malware and &lt;a href="http://eol.ovh.org/winexe/"&gt;winexe&lt;/a&gt; is used to execute it.   After some thought, I came up with a theory that winexe was not setting all of the environment variables when it executed malware.  I was right.&lt;br /&gt;&lt;br /&gt;It turns out that in a default Windows XP SP3 system, 30 environment variables are set.  With the way I was running winexe (--system --interactive=1), only 22 of the variables were set - %APPDATA%, %CLIENTNAME%, %HOMEDRIVE%, %HOMEPATH%, %LOGONSERVER%, %SESSIONNAME%, %USERDOMAIN% and %USERNAME% were missing.&lt;br /&gt;&lt;br /&gt;To make sure it wasn't because of the way I was running winexe, I ran a number of tests.   Each test consisted of running winexe with different settings.  The command that was run was "cmd.exe /c set &gt; outfile".  To be fair, I also tested &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"&gt;PsExec&lt;/a&gt; (from another Windows system).  
These are the results I found:&lt;br /&gt;&lt;br /&gt;&lt;table border="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;/th&gt;&lt;th align="center" colspan="3"&gt;winexe&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;th&gt;&lt;/th&gt;&lt;th&gt;no settings&lt;/th&gt;&lt;th&gt;interactive&lt;/th&gt;&lt;th&gt;interactive + system&lt;/th&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%APPDATA%&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%CLIENTNAME%&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%HOMEDRIVE%&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%HOMEPATH%&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%LOGONSERVER% &lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%SESSIONNAME%&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%USERDOMAIN%&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%USERNAME%&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;&lt;table border="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;/th&gt;&lt;th align="center" colspan="3"&gt;psexec&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;th&gt;&lt;/th&gt;&lt;th&gt;no 
settings&lt;/th&gt;&lt;th&gt;interactive&lt;/th&gt;&lt;th&gt;interactive + system&lt;/th&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%APPDATA%&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%CLIENTNAME%&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%HOMEDRIVE%&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%HOMEPATH%&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%LOGONSERVER% &lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%SESSIONNAME%&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%USERDOMAIN%&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr align="center"&gt;&lt;td align="LEFT"&gt;%USERNAME%&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;X&lt;/td&gt;&lt;td&gt;&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;It turns out that no matter what options you use, winexe does not set the environment variables above.  Note that I also ran winexe with the --runas option and got the same results.  PsExec sets all of the environment variables, except when you specify it to run as SYSTEM.  This makes sense as most of those variables are used to specify user settings and SYSTEM would not have those.&lt;br /&gt;&lt;br /&gt;Obviously, winexe wasn't going to cut it any more because it wasn't setting a complete user environment which, in turn, was preventing malware from running.  
So, what to do?  Winexe was my only way to remotely execute a program on a Windows system from a Linux system (without modifying the Windows system and installing other programs).   To find out what I did, you'll have to stay tuned for part 2!  :)&lt;br /&gt;&lt;br /&gt;As a side note, if anyone knows of another program similar to winexe, please let me know.  Also, if anyone knows of a way to get winexe to run correctly, I'd love to hear it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-3091548515822757331?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/3091548515822757331/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=3091548515822757331" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3091548515822757331?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3091548515822757331?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/UbZ35DPwKMw/simulating-user-experience-part-1.html" title="Simulating the User Experience: Part 1" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>2</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/05/simulating-user-experience-part-1.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CEcFQnY-fyp7ImA9WxFRE0Q.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-111746282479110335</id><published>2010-04-27T13:35:00.006-04:00</published><updated>2010-04-27T14:13:33.857-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-04-27T14:13:33.857-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="PDF" /><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>/Launch Malicious PDF</title><content type="html">Wow - I'm posting!! :)&lt;br /&gt;&lt;br /&gt;Today I, and others around the Internet, received an email that stated:&lt;br /&gt;&lt;blockquote&gt;Subject: setting for your mailbox are changed&lt;br /&gt;&lt;br /&gt;SMTP and POP3 servers for &lt;span style="font-style: italic;"&gt;YOUREMAILADDRHERE&lt;/span&gt; mailbox are&lt;br /&gt;changed. Please carefully read the attached instructions&lt;br /&gt;before updating settings.&lt;/blockquote&gt;The email had a PDF attached to it.  Given the &lt;a href="http://www.trustedsource.org/blog/404/Surrounded-by-Malicious-PDFs"&gt;number of malicious PDFs&lt;/a&gt; that have been seen lately, this was likely a bad thing.&lt;br /&gt;&lt;br /&gt;Examining the PDF with &lt;a href="http://blog.didierstevens.com/programs/pdf-tools/"&gt;Didier Stevens' pdfid.py&lt;/a&gt; showed that there was an OpenAction in the PDF, but no JavaScript.  Interesting.  
Using pdf-parser.py, the object pointed to by the OpenAction was examined:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_4x76DeWu9xs/S9ckqd6_pUI/AAAAAAAAAFA/vyM3bPyyev0/s1600/blog1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 204px;" src="http://2.bp.blogspot.com/_4x76DeWu9xs/S9ckqd6_pUI/AAAAAAAAAFA/vyM3bPyyev0/s320/blog1.png" alt="" id="BLOGGER_PHOTO_ID_5464876984842560834" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This shows that the &lt;a href="http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html"&gt;/Launch vulnerability/feature of PDFs&lt;/a&gt; is being used to drop a VB script and execute it.  What is interesting is the VB script (named script.vbs) parses the original PDF for another VBS to run!  A quick look at the PDF finds the other VBS:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_4x76DeWu9xs/S9cn1tpQ0zI/AAAAAAAAAFI/KzJrWFnNCXI/s1600/full.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 282px;" src="http://4.bp.blogspot.com/_4x76DeWu9xs/S9cn1tpQ0zI/AAAAAAAAAFI/KzJrWFnNCXI/s320/full.png" alt="" id="BLOGGER_PHOTO_ID_5464880476576600882" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;(The image above has had code removed for brevity.)&lt;br /&gt;&lt;br /&gt;The new VBS (named batscript.vbs) contains an executable broken up into its hex bytes.  The script will write each byte out to a file named game.exe and then will execute it.  
After executing, it sleeps for 3 seconds then covers its tracks by deleting game.exe, batscript.vbs and script.vbs.&lt;br /&gt;&lt;br /&gt;game.exe, meanwhile, will copy itself to &lt;span style="font-style: italic;"&gt;c:\program files\microsoft common\svchost.exe&lt;/span&gt; and set itself up to run in the registry whenever explorer.exe runs.&lt;br /&gt;&lt;br /&gt;While I know the /Launch vulnerability has been exploited recently, this is the first I've seen on a mass-email scale (&lt;a href="http://www.sophos.com/blogs/sophoslabs/?p=9413"&gt;but isn't the first ever&lt;/a&gt;).  I'm sure we'll be seeing more of these as time goes on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-111746282479110335?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/111746282479110335/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=111746282479110335" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/111746282479110335?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/111746282479110335?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/S2YAlX88m5Q/launch-malicious-pdf.html" title="/Launch Malicious PDF" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><media:thumbnail 
xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_4x76DeWu9xs/S9ckqd6_pUI/AAAAAAAAAFA/vyM3bPyyev0/s72-c/blog1.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/04/launch-malicious-pdf.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUIMQ308eSp7ImA9WxBXGUo.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-1958402826051315897</id><published>2010-01-31T17:25:00.004-05:00</published><updated>2010-01-31T17:39:42.371-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-31T17:39:42.371-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="APT" /><title>Who are the APT targets?</title><content type="html">I've been publicly quiet on the whole APT discussion as of late, with good reason.  There are lots of blogs out there which share (and do not share) my opinion, so there is no need for me to chime in to the myriad of voices out there.&lt;br /&gt;&lt;br /&gt;However, an anonymous comment on one of the &lt;a href="http://taosecurity.blogspot.com/2010/01/two-dimensional-thinking-and-apt.html"&gt;recent taosecurity posts&lt;/a&gt; brought up a point that I have not seen anyone else talk about.  The comment stated:&lt;br /&gt;&lt;br /&gt;&lt;blockquote style="font-family: georgia;"&gt;&lt;span style="font-size:85%;"&gt;Reading the Mandiant Report, we see:&lt;br /&gt;&lt;br /&gt;1.) Government&lt;br /&gt;2.) Defense Contractors&lt;br /&gt;3.) Fortune XXX acquiring a Chinese company&lt;br /&gt;4.)  A Law Firm involved in a Chinese civil litigation case&lt;br /&gt;5.)  A non-profit trying to spread "democracy and free enterprise in China" (maybe they could also do that in the USA).&lt;br /&gt;&lt;br /&gt;Look, it doesn't take Arthur Conan Doyle to piece together the storyline here. 
This clearly isn't "everyone's problem".&lt;span style="font-weight: bold;"&gt; It's a problem for those that are seen as an enemy of certain nation-states.&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;The part I'd like to focus on is the last statement.  The APT problem is &lt;span style="font-weight: bold; font-style: italic;"&gt;not&lt;/span&gt; only the problem of those seen as the enemy of certain nation-states.  It is the problem of everyone.&lt;br /&gt;&lt;br /&gt;If you read Mandiant's excellent report, you will see specific examples (mentioned in the comment above) which are documented APT targets.  Yes, these are what you think of as nation-state attack targets.&lt;br /&gt;&lt;br /&gt;However, I have personally seen the APT attack and compromise systems in networks which have no ties to that nation-state and which you would not consider enemies of that nation-state (or any, for that matter).  In these cases, the organizations were small to medium-sized companies whose systems were compromised in order to be used as command and control systems for the APT's backdoors.&lt;br /&gt;&lt;br /&gt;Of course, there are those that will say that this is the same technique that all attackers use - compromise less secure systems and use them as a go-between to attack other systems.  And I will 100% agree with them on that!  But that reinforces my point as well!  No one is safe from attack by the APT, so there is no reason why organizations should not take every reasonable precaution against these (or any) attackers and learn as much as they can.&lt;br /&gt;&lt;br /&gt;Yes, there will be those companies that use the term APT as a marketing tool.  Yes, there will be those who say this is a limited threat to some organizations (and to some extent I agree with that).  
But in the end, it is a real threat that exists and any organization that does not perform the due diligence to at least learn about the potential threat will be at a disadvantage when they do get attacked; maybe not by the APT but by the next threat.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-1958402826051315897?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/1958402826051315897/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=1958402826051315897" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1958402826051315897?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1958402826051315897?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/2WoesrmfuZg/who-are-apt-targets.html" title="Who are the APT targets?" 
/><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>3</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/01/who-are-apt-targets.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkQFSH86cSp7ImA9WxBXEUw.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-1737973593199594649</id><published>2010-01-21T16:43:00.002-05:00</published><updated>2010-01-21T16:45:19.119-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-21T16:45:19.119-05:00</app:edited><title>Funky Ivy</title><content type="html">I was testing out some functionality with the Poison Ivy backdoor today when I grabbed this screenshot.  Very psychedelic!&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_4x76DeWu9xs/S1jK1su-1BI/AAAAAAAAAE4/je2Qt0bfVeo/s1600-h/pi-funky.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 253px;" src="http://3.bp.blogspot.com/_4x76DeWu9xs/S1jK1su-1BI/AAAAAAAAAE4/je2Qt0bfVeo/s400/pi-funky.jpg" alt="" id="BLOGGER_PHOTO_ID_5429312374685226002" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-1737973593199594649?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/1737973593199594649/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=1737973593199594649" title="0 Comments" /><link 
rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1737973593199594649?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1737973593199594649?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/Ncx25U15bO0/funky-ivy.html" title="Funky Ivy" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_4x76DeWu9xs/S1jK1su-1BI/AAAAAAAAAE4/je2Qt0bfVeo/s72-c/pi-funky.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/01/funky-ivy.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkcMR3wyeip7ImA9WxBQE0k.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-242706351765803607</id><published>2010-01-12T18:32:00.004-05:00</published><updated>2010-01-12T18:48:06.292-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-12T18:48:06.292-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="presentation" /><title>Malware Analysis in the Incident Response Process followup</title><content type="html">I just finished giving my webcast of &lt;a href="http://www.brighttalk.com/webcasts/7977/attend"&gt;Malware Analysis in the Incident Response Process&lt;/a&gt; at &lt;a href="http://www.brighttalk.com/"&gt;brighttalk.com&lt;/a&gt;.  
A few questions came in after the presentation ended so I'll answer them here and hopefully those who asked will see it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;You indicated it is inevitable to get malware.  What is the best prevention…having dedicated PCs for missions critical functions (e.g. online banking)?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I honestly believe that the best way to prevent getting malware on systems is to run users with reduced privileges.  I have seen first hand where restricting what activities a user can do on their system (install software, etc) will significantly decrease the amount of malware compromises you have.&lt;br /&gt;&lt;br /&gt;Of course, there are other options as well.  A good defense in depth strategy will make it more difficult for malware to compromise your systems.  Using up-to-date AV on the desktop and your email systems, restricting Internet access and requiring all web-traffic to go through filtering proxy servers will help.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Are there any books you would recommend for beginners to learn malware analysis?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There are lots of great books out there that I would recommend to anyone who wants to learn malware analysis.  The following are just a few of the ones I've read.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.malwareforensics.com/Home_Page.html"&gt;Malware Forensics&lt;/a&gt; by Aquilina, Casey and Malin&lt;br /&gt;&lt;a href="http://www.peterszor.com/"&gt;The Art of Computer Virus Research and Defense&lt;/a&gt; by Peter Szor&lt;br /&gt;&lt;a href="http://zeltser.com/malware-book/"&gt;Malware: Fighting Malicious Code&lt;/a&gt; by Skoudis and Zeltser&lt;br /&gt;&lt;br /&gt;There are others, but these are a good start.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Can you post a recent example of an analysis?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately, I do not have one.  
However, I recommend checking out the results from the &lt;a href="http://malwarechallenge.info"&gt;2008 Malware Challenge&lt;/a&gt; for some analysis reports.  I will also try to post something in the next few weeks.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Thanks to those who listened to the webcast.  If you have any other questions, feel free to post them in the comments or send me an email!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-242706351765803607?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/242706351765803607/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=242706351765803607" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/242706351765803607?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/242706351765803607?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/EQokhWIQG6U/malware-analysis-in-incident-response_12.html" title="Malware Analysis in the Incident Response Process followup" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/01/malware-analysis-in-incident-response_12.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DUANSXsycSp7ImA9WxBRGUs.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-3709220116221045592</id><published>2010-01-08T11:15:00.003-05:00</published><updated>2010-01-08T11:23:18.599-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-08T11:23:18.599-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="presentation" /><title>Malware Analysis in the Incident Response Process</title><content type="html">Next week I'll be giving an online presentation at BrightTalk on Malware Analysis in the Incident Response Process.  The description of the talk is:&lt;br /&gt;&lt;blockquote&gt;Malware has become the primary vector of compromise within organisations.  Due to this, it has become necessary for incident response teams to have the ability to perform in-house malware analysis.  This presentation will discuss how malware analysis can benefit an organisation and what options are available.&lt;/blockquote&gt;The talk is scheduled for next Tuesday, January 12 at 6PM EST and is part of their &lt;a href="http://www.brighttalk.com/summit/intrusionprevention"&gt;Intrusion Prevention Summit&lt;/a&gt;.  
The summit has a lot of interesting talks all day, so I recommend checking it out.&lt;br /&gt;&lt;br /&gt;To attend my talk, you can go to the following URL:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.brighttalk.com/webcasts/7977/attend"&gt;http://www.brighttalk.com/webcasts/7977/attend&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Hope you can join!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-3709220116221045592?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/3709220116221045592/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=3709220116221045592" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3709220116221045592?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3709220116221045592?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/MDaVaIaaKI8/malware-analysis-in-incident-response.html" title="Malware Analysis in the Incident Response Process" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2010/01/malware-analysis-in-incident-response.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;AkIHQn48eyp7ImA9WxBTFkk.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-5834769309623001110</id><published>2009-12-12T14:56:00.005-05:00</published><updated>2009-12-12T15:08:53.073-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-12T15:08:53.073-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="conference" /><title>SANS Incident Detection Summit Wrapup</title><content type="html">This past week I was able to attend the &lt;a href="http://www.sans.org/incident-detection-summit-2009/?utm_source=web&amp;amp;utm_medium=text-ad&amp;amp;utm_content=FE_Links_Homepage_detectSum_09_fe_list_hmpg&amp;amp;utm_campaign=SANS_WhatWorks_in_Incident_Detection_Summit_2009&amp;amp;ref=47654"&gt;SANS Incident Detection Summit&lt;/a&gt; in Washington DC.  [&lt;span style="font-style: italic;"&gt;In full disclosure, I should point out that I was on two of the panels so I did not have to pay admission to attend.&lt;/span&gt;]  I'll fully admit that the summit blew away all expectations I had of it!&lt;br /&gt;&lt;br /&gt;The SANS 'What Works' Summits are not like typical SANS conferences.  The summits, or at least this one, are single-track events where each session has either a briefing (a presentation by one person) or a panel of experts discussing a specific topic.  The audience gets to participate by asking questions via yellow note cards that are given to the moderator.  The moderator then chooses which questions to ask.&lt;br /&gt;&lt;br /&gt;Many of the briefings and panels were amazing and gave great insights into different techniques to detect bad guys.  If I had to choose my favorites, they would probably be Seth Hall discussing Bro, the Honeynet Project briefing, and AAron Walters and Brendan Dolan-Gavitt's talk on memory analysis.  
Matt Richard's after-hours talk on analyzing PDF and office malware was amazing as well.&lt;br /&gt;&lt;br /&gt;As great as the panels and briefings were, the best part was being able to talk to the people afterwards.  The whole summit had less than 100 people (I'm guessing here) and everyone was willing and happy to talk.  Where else do you get a chance to sit down and talk with people such as AAron Walters, Matt Jonkman, Andre Ludwig, Bamm Visscher, David Bianco, Ken Bradley, Matt Olney and Ken Dunham in one place?&lt;br /&gt;&lt;br /&gt;I will definitely be coming back next year if I can.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-5834769309623001110?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/5834769309623001110/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=5834769309623001110" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5834769309623001110?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5834769309623001110?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/g7Vitfj9yi4/sans-incident-detection-summit-wrapup.html" title="SANS Incident Detection Summit Wrapup" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" 
/></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/12/sans-incident-detection-summit-wrapup.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkQFQ3k_fyp7ImA9WxNaEE8.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-461183263676362041</id><published>2009-11-23T20:52:00.003-05:00</published><updated>2009-11-23T21:05:12.747-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-23T21:05:12.747-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="conference" /><title>SANS Intrusion Detection Summit</title><content type="html">&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;On December 9th and 10th I will be at the SANS Intrusion Detection Summit in Washington DC, speaking on two different panels, &lt;u&gt;UNIX and Windows: Tools and Techniques&lt;/u&gt; and &lt;u&gt;CIRTs and MSSPs&lt;/u&gt;.  I highly recommend attending if you can.  There are going to be a number of amazing speakers there.  (Yes, I'm not sure how I got on the panels either.)&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial, serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: arial, serif; font-size: medium; "&gt;Following the success of the 2008 and 2009 editions of the SANS WhatWorks in Forensics and Incident Response Summits, SANS is teaming with Richard Bejtlich to create a practitioner-focused event dedicated to incident detection operations. 
The SANS Incident Detection Summit will share tools, tactics, and techniques practiced by some of the world's greatest incident detectors in two full days of content consisting of keynotes, expert briefings, and dynamic panels.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Hope to see you there!&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;&lt;a href="http://www.sans.org/incident-detection-summit-2009/"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;http://www.sans.org/incident-detection-summit-2009/&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-461183263676362041?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/461183263676362041/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=461183263676362041" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/461183263676362041?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/461183263676362041?v=2" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/uzg1c9eCJoA/sans-intrusion-detection-summit.html" title="SANS Intrusion Detection Summit" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>2</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/11/sans-intrusion-detection-summit.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEYMRXo7eCp7ImA9WxNVEkw.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-1547013369612028716</id><published>2009-10-22T08:30:00.002-04:00</published><updated>2009-10-22T08:56:24.400-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-22T08:56:24.400-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>Tracking the Defenders</title><content type="html">I've been working hard the last few weeks to get my malware analysis class ready, but something popped up that got me thinking.  In the last few days a number of blogs have reported about avtracker.info, a site which is tracking the IP addresses that AV companies use to research malware.&lt;br /&gt;&lt;br /&gt;According to the supposed &lt;a href="http://www.peterkleissner.com/"&gt;author&lt;/a&gt;*, the reason this site is in existence is:&lt;br /&gt;&lt;blockquote&gt;If you DDoS them, then you will lame down the whole AV business, then there won’t be any new detections for the time you cut them from the internet. The IP list is also useful for software that downloads something from the internet, in order to hide it from automatic analyzers like Anubis. 
You can simply exit the program when the IP matches with one of the AV list – and then your program stays secure from automatic analysis.&lt;/blockquote&gt;I have to admit that I'm not surprised at these reasons, or even that this is happening.  In fact, I suspect it's been happening for a long time and this is just the first time a public list has been made.&lt;br /&gt;&lt;br /&gt;Think about it - we watch where the attackers are coming from.  We have honeypots, &lt;a href="http://feeds.dshield.org/block.txt"&gt;block lists&lt;/a&gt;, and share information amongst each other - why should we think the attackers are doing any differently?&lt;br /&gt;&lt;br /&gt;This does illustrate a good point, however.  In my class I teach that you should never allow malware you are analyzing to contact its home servers from your organization's network.  When you do, the attackers can figure out where you are coming from and, in the best case, block your access.  In the worst case you would be on the receiving end of a DDoS attack.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;* I say supposed because I have no proof one way or another.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-1547013369612028716?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/1547013369612028716/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=1547013369612028716" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1547013369612028716?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1547013369612028716?v=2" /><link rel="alternate" type="text/html" 
href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/rnzaUBDyaRQ/tracking-defenders.html" title="Tracking the Defenders" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>2</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/10/tracking-defenders.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8DSXY4cSp7ImA9WxNQEkU.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-1038109990670694787</id><published>2009-09-18T11:20:00.003-04:00</published><updated>2009-09-18T11:31:18.839-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-18T11:31:18.839-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="hacks" /><title>Quick Backup Script</title><content type="html">I often create scripts and programs (Perl mostly) to help me do things.  When I'm developing these scripts, I will typically write a chunk of code, test it, add more functionality, test it, rinse, repeat.&lt;br /&gt;&lt;br /&gt;However, there are times where I'll delete a chunk of code to try something different and end up breaking my entire script.  Of course, when this happens I don't have a backup of the old code available to go back to.&lt;br /&gt;&lt;br /&gt;To help me, I made this small script which will back up a given file to a directory.  All it does is copy the file to a backup directory and tack a timestamp (seconds since the epoch) onto the end of the name so every backup copy is unique.  
Yes, this is a simple copy, but it is handy to have around when you need to do things quickly.&lt;br /&gt;&lt;br /&gt;&lt;blockquote  style="font-family:courier new;"&gt;&lt;span style="font-size:85%;"&gt;#!/bin/bash&lt;br /&gt;&lt;br /&gt;# quick script to back up files&lt;br /&gt;&lt;br /&gt;DEFAULTDIR="${HOME}/backup"&lt;br /&gt;DATE=$(date +%s)&lt;br /&gt;&lt;br /&gt;if [ $# -lt 1 ] ; then&lt;br /&gt;    echo "Usage: $0 file-to-backup [path to backup dir]" &gt;&amp;2&lt;br /&gt;    exit 1&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;# set the backup dir location&lt;br /&gt;BACKUPDIR="${2:-$DEFAULTDIR}"&lt;br /&gt;&lt;br /&gt;if [ ! -d "${BACKUPDIR}" ] ; then&lt;br /&gt;    echo "${BACKUPDIR} did not exist. Creating."&lt;br /&gt;    mkdir -p "${BACKUPDIR}" || exit 1&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;# make sure the file exists&lt;br /&gt;if [ ! -f "$1" ] ; then&lt;br /&gt;    echo "$1 does not exist." &gt;&amp;2&lt;br /&gt;    exit 1&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;# use only the file name, so "dir/script.pl" lands in the backup dir&lt;br /&gt;# instead of in a subdirectory that does not exist there&lt;br /&gt;TARGET="${BACKUPDIR}/$(basename "$1")-${DATE}"&lt;br /&gt;&lt;br /&gt;# -p keeps the mode and timestamps of the original&lt;br /&gt;if cp -p "$1" "${TARGET}" ; then&lt;br /&gt;    echo "Successfully copied $1 to ${TARGET}"&lt;br /&gt;else&lt;br /&gt;    echo "Error copying $1 to ${TARGET}" &gt;&amp;2&lt;br /&gt;    exit 1&lt;br /&gt;fi&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;Every variable is quoted and only the base name of the file goes into the backup name, so a path like dir/script.pl or a file name with spaces works, and the script exits non-zero when anything fails so it can be chained with other commands.  I just copied it to /usr/local/bin, called it &lt;span style="font-style: italic;"&gt;myback&lt;/span&gt;, and chmod +x'd it.  
Now, whenever I want to back up a script quickly I just run "myback script".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-1038109990670694787?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/1038109990670694787/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=1038109990670694787" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1038109990670694787?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1038109990670694787?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/5lnjpHZE7IQ/quick-backup-script.html" title="Quick Backup Script" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/09/quick-backup-script.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUAFR304eCp7ImA9WxNTGE0.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-2829275012695584460</id><published>2009-08-20T17:11:00.003-04:00</published><updated>2009-08-20T17:28:36.330-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-20T17:28:36.330-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="conference" /><category scheme="http://www.blogger.com/atom/ns#" term="class" /><category 
scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>Introduction to Malware Dissection</title><content type="html">This October 29-30th the annual &lt;a href="http://www.informationsecuritysummit.org/"&gt;Ohio Information Security Summit&lt;/a&gt; will be held.  I highly recommend attending it if you can.  The conference features two days of great talks, keynotes, labs and networking.  It has been going on for a few years now and never disappoints anyone who attends, especially for the price ($275 until Oct 1, $350 after).  In addition to the normal talks, the summit is offering a number of &lt;a href="http://www.informationsecuritysummit.org/training.php"&gt;pre-conference training courses&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I will be teaching a two-day introduction to malware analysis class as one of the pre-conference training courses.  The course is geared to those who want to learn malware analysis or are just starting out.  We'll cover all of the basics of malware analysis, including setting up your analysis lab, static analysis and dynamic analysis.  In the end, you'll walk out of the class knowing how to take a malware sample and determine what it does, who it contacts and what risk it poses.&lt;br /&gt;&lt;br /&gt;In the courses I have taken, I've found that I learn a lot more by actually doing things rather than watching a PowerPoint presentation for 8 hours. Because of this, the class will be structured around a number of labs which have you do the analysis using various tools on actual malware.  I've collected a number of cool malware samples which will be analyzed in the course in various ways and I'm really excited about it.  
At the end of the class there will also be an analysis contest where prizes will be given out.&lt;br /&gt;&lt;br /&gt;Since we will be handling live malware there are some &lt;a href="http://www.informationsecuritysummit.org/training.php"&gt;laptop requirements listed in the course description.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If anyone has any questions on the course or the laptop requirements, please contact me.  I look forward to seeing you there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-2829275012695584460?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/2829275012695584460/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=2829275012695584460" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/2829275012695584460?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/2829275012695584460?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/rygmwOG-fEU/introduction-to-malware-dissection.html" title="Introduction to Malware Dissection" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/08/introduction-to-malware-dissection.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;Dk8EQnc5cSp7ImA9WxNTFEg.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-623131935543588669</id><published>2009-08-16T16:15:00.005-04:00</published><updated>2009-08-16T16:33:23.929-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-16T16:33:23.929-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="musing" /><title>Its Not Always A Security Issue</title><content type="html">I've been spending this weekend fixing my in-laws' computer.  Like most of you, I'm the family "tech support" for anything that goes wrong with a computer.  This past week I received a call from my mother-in-law that she was getting pop-ups on her computer stating that it was infected and that the program would remove it if she paid for the full version.  Classic sign of fake anti-virus.&lt;br /&gt;&lt;br /&gt;After some quick research, we were able to determine that it was &lt;a href="http://www.bleepingcomputer.com/virus-removal/remove-advanced-virus-remover"&gt;Advanced Virus Remover&lt;/a&gt;.  It appeared to be pretty simple to get off (delete some files, clear out some of the registry, etc.) but since I was not there I decided the best way was to have her reboot into safe mode and perform a system restore.  (Unlike some of my relatives, my m-i-l can actually do things like that without me hand-holding.)  Of course, when she tried to go into safe mode, it blue screened.&lt;br /&gt;&lt;br /&gt;The next day I went over to see if I could figure out what was going on.  I was able to remove the malware (and two others) fairly quickly, but we were still getting errors.  In short time I realized that part of the hard drive had gotten corrupted and was causing the BSODs - not the original malware.&lt;br /&gt;&lt;br /&gt;This made me remember another story from a job in a previous life.  I had been called down to another department by a friend.  The entire department was having some odd problems.  
Whenever they tried to print their machines would BSOD.  Since I was the resident "malware guy", they decided to call me in to see if I could find anything.  When I got there, some Windows admins were also there looking at some of the systems.  My friend took me to the system with the original problem and I started to examine it.&lt;br /&gt;&lt;br /&gt;After a few minutes I couldn't find anything indicative of malware on the system.  I even booted with a Helix CD just in case there was a rootkit on the system.  Nothing.  After a few minutes the Windows admins came over and asked me what I thought.  I replied I didn't see anything but there were reports of a 0-day attack against the Windows printer system that day which were indicative of what we were seeing.  However, I stressed, I didn't know and didn't think this was related.&lt;br /&gt;&lt;br /&gt;Of course, within minutes the Windows admins had me on a call where they were explaining how I thought we had been hacked using a Windows 0-day attack against the printers.  It took at least 45 minutes for me to sort through everything that was being said and to finally point out that I had not found any proof of any attack and that I didn't think this was the problem.  When the Windows admins finally went back to troubleshooting the problem, they found that a corrupt Windows printer driver had gotten pushed to these systems and that's what was causing the issue.&lt;br /&gt;&lt;br /&gt;I learned two things that day:&lt;br /&gt;&lt;br /&gt;1. Never say that you think something has been compromised (or even could be compromised) until you have some type of proof.  People love to over-react in a situation like that and that just provides fuel for the fire.&lt;br /&gt;&lt;br /&gt;2. Not everything is a security incident.  Just like my in-laws' computer, the presence of malware may not be the reason for the overall problem.  A corrupt hard drive could just be a corrupt hard drive.  
If you start reading compromises into everything you see, you may miss what is actually there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-623131935543588669?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/623131935543588669/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=623131935543588669" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/623131935543588669?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/623131935543588669?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/080P7JnHf9s/ive-been-spending-this-weekend-fixing.html" title="Its Not Always A Security Issue" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/08/ive-been-spending-this-weekend-fixing.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkANQXk8eSp7ImA9WxJaFkg.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-8599036154269531365</id><published>2009-08-07T09:47:00.003-04:00</published><updated>2009-08-07T10:19:50.771-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-07T10:19:50.771-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="virus" /><category 
scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>Automating Malware Analysis Part 2</title><content type="html">I've heard rumors that the &lt;a href="http://www.hakin9.org/prt/view/about-the-mag/issue/1052.html"&gt;latest issue of Hakin9&lt;/a&gt; is on stands now.  This issue contains the second part of my article on automating malware analysis and adds memory analysis and sandnet capabilities to the analysis script.&lt;br /&gt;&lt;br /&gt;In the script, memory analysis is performed by suspending the virtual machine (as opposed to shutting it down as the first script did).  When a VMware VM is suspended, the guest's memory is written to a .vmem file next to the .vmx, and that file can then be analyzed.  The script analyzes it using &lt;a href="https://www.volatilesystems.com/default/volatility/"&gt;the Volatility Framework&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;Volatility is an amazing tool which can extract information from Windows XP SP2 &amp; SP3 memory images.  The analysis script in the article uses Volatility to extract the process list, network connections, list of loaded DLLs and list of loaded kernel modules from the memory image.  However, Volatility can do so much more that I highly recommend extending what is in the article.&lt;br /&gt;&lt;br /&gt;In addition to memory analysis, the article adds sandnet capabilities to the script.  In the original script, the VM was set up in host-only networking mode, which prevented the malware from communicating with anything over the network.  This really limited what the analyst could see.  
For example, if the malware wanted to download additional files from a web server, the analyst would never see it.&lt;br /&gt;&lt;br /&gt;To allow network connectivity, and still keep the network the analyst is on safe from infection, the script uses a tool set called &lt;a href="http://www.inetsim.org/"&gt;InetSim&lt;/a&gt; to create a fake Internet for the malware to interact with.  InetSim starts a number of local fake services (DNS, HTTP, etc.) and logs whatever the malware sends to them.  Now, when malware attempts to connect to a web server the connection will succeed and the analyst will see what it is attempting to download.  &lt;a href="http://secshoggoth.blogspot.com/2009/02/inetsim-installation.html"&gt;I blogged about InetSim and how to install it back in February.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I hope everyone enjoys the article.  Please send me any feedback on the article or enhancements to the script.  It does not appear that Hakin9 has posted the code listing for it yet, but as soon as they do I'll link to it from here.  
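As an added example, and not the article's own script, here is the suspend-then-diff step in Python. Assumptions, also flagged in the code: vmrun is invoked with -T ws (VMware Workstation), the suspended guest's memory lands in a .vmem file with the same base name as the .vmx, Volatility 1.3 is run as python volatility pslist -f IMAGE, and its pslist output has the Name/Pid/PPid/Thds/Hnds/Time column layout shown in the constructed sample data. The point the block adds to the paragraph is the diff: a process list on its own is noise, but a process list compared against a baseline image taken before the sample ran shows the new processes and their parents, so something like the svch0st.exe child of sample.exe in the sample data stands out immediately.

```python
import subprocess
import sys
from typing import Dict, List, Tuple

Proc = Tuple[str, int]  # (image name, parent pid)


def vmrun_suspend_cmd(vmx_path: str) -> List[str]:
    """vmrun command that suspends a Workstation guest (assumption: -T ws).

    On suspend, VMware writes the guest's RAM to a .vmem file next to the .vmx.
    """
    return ["vmrun", "-T", "ws", "suspend", vmx_path, "soft"]


def volatility_cmd(plugin: str, vmem_path: str) -> List[str]:
    """Volatility 1.3 invocation (assumption): python volatility PLUGIN -f IMAGE"""
    return ["python", "volatility", plugin, "-f", vmem_path]


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Turn pslist rows (Name Pid PPid Thds Hnds Time) into {pid: (name, ppid)}.

    The header and blank lines fail the isdigit() checks and are skipped; the
    Time column contains spaces, so only the first three fields are used.
    """
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[1].isdigit() and parts[2].isdigit():
            procs[int(parts[1])] = (parts[0], int(parts[2]))
    return procs


def diff_pslist(before: Dict[int, Proc], after: Dict[int, Proc]):
    """Processes seen only after the sample ran, and ones that vanished."""
    new = sorted((pid, n, pp) for pid, (n, pp) in after.items() if pid not in before)
    gone = sorted((pid, n, pp) for pid, (n, pp) in before.items() if pid not in after)
    return new, gone


def run_pslist(vmem_path: str) -> Dict[int, Proc]:
    out = subprocess.run(volatility_cmd("pslist", vmem_path),
                         capture_output=True, text=True, check=True).stdout
    return parse_pslist(out)


def analyze(vmx_path: str, baseline_vmem: str) -> None:
    """Suspend the infected guest and diff its process list against a clean baseline image."""
    subprocess.run(vmrun_suspend_cmd(vmx_path), check=True)
    vmem_path = vmx_path[:-4] + ".vmem"   # assumption: same base name as the .vmx
    new, gone = diff_pslist(run_pslist(baseline_vmem), run_pslist(vmem_path))
    for pid, name, ppid in new:
        print(f"NEW  pid={pid} ppid={ppid} {name}")
    for pid, name, ppid in gone:
        print(f"GONE pid={pid} ppid={ppid} {name}")


# Constructed pslist output in the 1.3 column layout: a clean XP baseline, then the
# same guest after running a sample.  Nothing here comes from a real infection.
BASELINE_PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      56     251    Thu Jan 01 00:00:00 1970
smss.exe             368    4      3      19     Tue Dec 09 21:28:47 2008
csrss.exe            584    368    11     365    Tue Dec 09 21:28:48 2008
winlogon.exe         608    368    19     519    Tue Dec 09 21:28:48 2008
explorer.exe         1464   1432   13     339    Tue Dec 09 21:29:02 2008
"""
AFTER_PSLIST = BASELINE_PSLIST + """\
sample.exe           2012   1464   2      41     Tue Dec 09 21:35:11 2008
svch0st.exe          2088   2012   5      88     Tue Dec 09 21:35:12 2008
"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} guest.vmx baseline.vmem")
    analyze(sys.argv[1], sys.argv[2])
```

The same parse-and-diff pattern applies to the other plugins the article runs (connections, dlllist, modules): take the baseline once from the clean snapshot, and only the rows the sample introduced need a human's attention.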
Of course, feel free to contact me to get the code if you want.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-8599036154269531365?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/8599036154269531365/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=8599036154269531365" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8599036154269531365?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8599036154269531365?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/4iqMRo11NEQ/automating-malware-analysis-part-2.html" title="Automating Malware Analysis Part 2" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>2</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/08/automating-malware-analysis-part-2.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkQFRng5fyp7ImA9WxJaFE0.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-6575577942531831534</id><published>2009-08-04T12:02:00.005-04:00</published><updated>2009-08-04T13:51:57.627-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-04T13:51:57.627-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="conference" /><title>Black Hat Recap</title><content 
type="html">Wow...it's been a few months since I've last posted.  Sorry about that!  Things have been nuts IRL which has kept me away from posting, but if you actually read my blog you'll be happy to know I have some things lined up.&lt;br /&gt;&lt;br /&gt;Last week I had the opportunity to attend Black Hat USA in Las Vegas.  While I won't go over every single talk I attended, the highlights are below.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Advanced Malware Deobfuscation&lt;/span&gt; - This was actually a training course written by Scott Lambert and Jason Geffner.  The course is essentially about the different techniques used to unpack malware, an area I needed some training on.  If you know how to RE and are comfortable in a debugger, I highly recommend this course.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Win at Reversing&lt;/span&gt; - This talk was given by Nick Harbour from Mandiant on a new tool called API Thief. When performing behavioral analysis of a malware sample, the analyst typically wants to see what calls the malware is making and uses a program like Process Monitor to do so. The problem is that this captures only system calls and misses some potentially important API calls. Nick's tool uses inline hooking to record API calls instead of system calls. This allows the analyst to get more information and potentially do some tricks to unpack the software. I'm going to be checking out the tool more to see how I can utilize it. Currently it can be downloaded at &lt;a href="http://rnicrosoft.net"&gt;http://rnicrosoft.net&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Reverse Engineering by Crayon&lt;/span&gt; - The next talk was on performing hypervisor-based malware analysis and visualization. Essentially, the presenters used software called Ether, which integrates with a Xen VM in order to perform malware analysis. 
To be honest, I had not looked into using Xen for sandnets, but after this presentation I think it has a lot of promise and will be doing some more research into it. All of the slides and notes are posted on &lt;a href="http://offensivecomputing.net"&gt;http://offensivecomputing.net&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Fast &amp; Furious Reverse Engineering with TitanEngine&lt;/span&gt; - This was the last talk of the con I attended and it really didn't get the attention it deserved. TitanEngine is an open-source SDK and framework the authors are releasing which is used to perform and automate a large number of tasks needed when unpacking malware. The framework is very impressive in what it can do and how mature it is for something that is just being released. The presenters gave a number of live demos of programs written with the framework being used to unpack programs. The last demo they gave was done using Themida, a packer which is notoriously difficult to unpack. They packed a sample program during the presentation turning on all capabilities of the packer and then unpacked it in a few seconds with a program they made with TitanEngine. This is definitely a program I will be looking into. &lt;a href="http://titan.reversinglabs.com"&gt;http://titan.reversinglabs.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I had a great time at Black Hat and met a lot of people.  
Unfortunately, I wasn't able to stay for Defcon but maybe another year.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-6575577942531831534?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/6575577942531831534/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=6575577942531831534" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6575577942531831534?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6575577942531831534?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/Jgsr_DYjrG8/black-hat-recap.html" title="Black Hat Recap" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/08/black-hat-recap.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUUBSH88eip7ImA9WxJRGUw.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-6594185715836831600</id><published>2009-05-21T10:36:00.003-04:00</published><updated>2009-05-21T10:47:39.172-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-21T10:47:39.172-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="PDF" /><category scheme="http://www.blogger.com/atom/ns#" term="snort" /><category 
scheme="http://www.blogger.com/atom/ns#" term="presentation" /><title>Detecting Malicious PDFs</title><content type="html">Last night at the NE Ohio Information Security Forum I gave a presentation on Detecting Malicious PDFs.  I'm still not sure if I'm going to release the presentation, but I am going to release a Snort signature that I've found useful for detecting evil PDFs.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:Arial;font-size:85%;"&gt;alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:"Potential Malicious PDF (OpenAction JavaScript)"; flow:from_server,established; content:"%PDF-"; content:"&amp;lt;&amp;lt;/OpenAction &amp;lt;&amp;lt;/JS"; within:128; nocase; classtype:trojan-activity; sid:1000001; rev:1;)&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;This signature looks for the PDF header (indicating we're dealing with a PDF) and then, within 128 bytes of it, an &lt;span style="font-style: italic;"&gt;/OpenAction&lt;/span&gt; dictionary that starts with /JS.  This indicates that JavaScript will be executed as soon as the document is opened.  Snort requires a sid on every rule, so one from the local range (1000000 and up) is included; change it to fit your own numbering.  Note that the within:128 modifier means the catalog object carrying /OpenAction has to sit in the first 128 bytes after the header; a PDF that puts the catalog further down, or points /OpenAction at another object with an indirect reference (/OpenAction 5 0 R), will not match.&lt;br /&gt;&lt;br /&gt;Yes, I realize this signature can be easily bypassed with &lt;a href="http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/"&gt;PDF obfuscation&lt;/a&gt;.  However, I've found that attackers are not yet using this very much.  
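The Snort rule only sees the inline form of the action dictionary. As an added example, and not something from the original post, here is a small Python checker for files pulled off the wire or out of a mailbox that closes two of the gaps the rule leaves: hex-escaped names such as /#4Fpen#41ction (one of the obfuscations in the Didier Stevens post linked above), and /OpenAction written as an indirect reference that points at a separate object. It deliberately does not handle /AA (additional actions) or objects packed into compressed object streams, and the three PDFs it runs on are constructed for the example, not real samples.

```python
import re


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes such as /#4Fpen#41ction, which the Snort rule cannot see.

    Applied to the whole file, so it may also rewrite bytes inside strings or
    streams; for a detector that over-reach is acceptable.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# \x3c is the dictionary-opening delimiter (ASCII 0x3C); two of them start a dictionary
INLINE_RE = re.compile(rb"/OpenAction\s*\x3c\x3c(.*?)>>", re.S)
INDIRECT_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")
JS_RE = re.compile(rb"/(JS|JavaScript)\b")


def find_openaction_js(pdf: bytes):
    """Return a short reason if JavaScript runs when the document is opened, else None."""
    if not pdf.startswith(b"%PDF-"):
        return None
    data = normalize_names(pdf)
    objects = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}

    # Case 1: the action dictionary is written inline, the form the Snort rule expects
    for m in INLINE_RE.finditer(data):
        if JS_RE.search(m.group(1)):
            return "inline /OpenAction dictionary with JavaScript"

    # Case 2: /OpenAction 4 0 R points at another object; follow the reference
    for m in INDIRECT_RE.finditer(data):
        ref = int(m.group(1))
        if JS_RE.search(objects.get(ref, b"")):
            return f"/OpenAction references object {ref}, which carries JavaScript"
    return None


# Constructed samples, not real malware.  Dictionary delimiters are written as \x3c escapes.
SAMPLE_INLINE = (
    b"%PDF-1.4\n"
    b"1 0 obj\x3c\x3c/Type/Catalog/Pages 2 0 R"
    b"/OpenAction \x3c\x3c/S/JavaScript/JS(app.alert(1))>>>>\nendobj\n"
)
SAMPLE_OBFUSCATED = (
    b"%PDF-1.5\n"
    b"1 0 obj\n\x3c\x3c /Type /Catalog /Pages 2 0 R /#4Fpen#41ction 4 0 R >>\nendobj\n"
    b"4 0 obj\n\x3c\x3c /S /Java#53cript /JS (app.alert(1)) >>\nendobj\n"
)
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n\x3c\x3c /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n\x3c\x3c /S /GoTo /D [2 0 R /Fit] >>\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in [("inline", SAMPLE_INLINE),
                          ("obfuscated", SAMPLE_OBFUSCATED),
                          ("clean", SAMPLE_CLEAN)]:
        print(f"{label}: {find_openaction_js(sample)}")
```

The clean sample shows why the JavaScript check matters: an /OpenAction that jumps to a page (/S /GoTo) is ordinary and should not fire, so the detector looks at what the action does rather than at the mere presence of /OpenAction.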
Let me know if this is useful to you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-6594185715836831600?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/6594185715836831600/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=6594185715836831600" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6594185715836831600?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6594185715836831600?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/fJM_MrU03x8/detecting-malicious-pdfs.html" title="Detecting Malicious PDFs" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/05/detecting-malicious-pdfs.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkUEQHo7fyp7ImA9WxJSF00.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-8165005265940871140</id><published>2009-05-07T09:13:00.004-04:00</published><updated>2009-05-07T09:50:01.407-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-07T09:50:01.407-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="virus" /><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category 
scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>Automating Malware Analysis article</title><content type="html">In the latest &lt;a href="http://hakin9.org/prt/view/about-the-mag/issue/1023.html"&gt;Hakin9 issue (3/2009)&lt;/a&gt;, I have an article on automating malware analysis.  The article discusses how one can set up their own malware analysis automation system using VMware, some analysis tools and two scripts.  The article uses a Linux system as the base system and Windows XP Pro as the guest/analysis OS, but I don't see why one couldn't use Cygwin on Windows for a base system with a few tweaks.&lt;br /&gt;&lt;br /&gt;The scripts I created for the article are meant to be used as a base for your own automated analysis system - they are meant to be expanded upon.  I encourage others to add other tools and capabilities to the scripts and share them here on the blog. The scripts used are &lt;a href="http://media.software.com.pl/hakin9/en/Listingi/03_2009/Automating_Malware_Analysis.rtf"&gt;available on Hakin9's site&lt;/a&gt;.  However, if anyone wants the actual files let me know and I'll send them out.&lt;br /&gt;&lt;br /&gt;I should point out that the system and scripts in this article assume you are in VMware's host-only network mode.  This is to prevent malware from accidentally infecting other systems on your network, the Internet, etc.  However, since the system is set up in host-only mode your malware will not be able to communicate with any hosts other than the analysis host itself, which is still reachable through the host-only adapter (so don't run anything that listens on that interface).  The only network traffic you will see are DNS requests and probes to systems that go unanswered.&lt;br /&gt;&lt;br /&gt;I encourage others to implement this into their automation system using software such as Truman, fakedns, or &lt;a href="http://secshoggoth.blogspot.com/2009/02/inetsim-installation.html"&gt;InetSim&lt;/a&gt; to create a virtual network.  Don't want to take the time?  
Then you'll have to wait for the next issue of Hakin9 where I have part 2 to this article and show how to set this up (along with some other cool things).&lt;br /&gt;&lt;br /&gt;I'd love to hear any feedback on the scripts, tools, or the article...including anything you use to expand upon it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-8165005265940871140?l=secshoggoth.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/8165005265940871140/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=8165005265940871140" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8165005265940871140?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8165005265940871140?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/MsZFFwbRa-A/automating-malware-analysis-article.html" title="Automating Malware Analysis article" /><author><name>Tyler</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="27" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SYw_4FLklTI/AAAAAAAAADw/k0wYVgrHSzc/S220/muckmonster-small-blog.png" /></author><thr:total>4</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/05/automating-malware-analysis-article.html</feedburner:origLink></entry></feed>

