
Cybercrime tips and demo with Andrew Malone 1/2

Video | Friday 30 April 2010 6:30 pm


Andrew Malone gives insight into cybercrime trends, shares personal tales of social engineering, and offers practical tips on physical security. After that he shows a couple of demos on file signatures and corporate identity theft. Visit Andrew Malone’s site: www.divedeeperevents.com

Applied Cryptography and Network Security: First International Conference, ACNS 2003. Kunming, China, October 16-19, 2003, Proceedings

Internet Security Books | Friday 30 April 2010 6:20 pm

Product Description
This book constitutes the refereed proceedings of the First International Conference on Applied Cryptography and Network Security, ACNS 2003, held in Kunming, China, in October 2003. The 32 revised full papers presented … More >>


Cisco Linksys Wireless Home Audio Premier Kit–Includes One Director with IR Remote, One Player with IR Remote, and One Controller

Internet Security Hardware | Friday 30 April 2010 6:00 pm

  • Streams music from your computer and the Internet to two rooms of your home
  • Manage music playback in every room with included wireless touchscreen Controller
  • Connects to your wired or wireless home network
  • Supports playback of unprotected MP3, AAC, WMA, and WAV files
  • Plays Internet radio stations

Product Description
Experience your music all around your home – sounding great and at your control, without wires. The Premier Kit is a great way to start your Linksys by Cisco wireless home audio system in any two areas of your home. It i… More >>


The Importance of Small Files, (Fri, Apr 30th)

News | Friday 30 April 2010 5:07 pm

Malware Forensics at Large Firms
The malware forensics work-cycle is fairly tight at the day job. It focuses more on answering questions like:

  • What are we dealing with? (e.g. adware like Monkif, or an information stealer like Zeus?)
  • Grab a sample to submit to the AV vendor
  • Identify network behavior so we can identify infected machines on the wire
  • How did it get in?

Depending on the workload, resources, etc. we don't always get to answer all of the questions before the demands of keeping the business running, or more severe incidents, reallocate the response staff.

Smells Like Zeus
Last week, a sharp-eyed user noticed that their on-line bank was asking more questions than it usually does when they log in. During the initial triage I noted that it smelled like Zeus. Once we had got onto the box with EnCase we immediately looked for, and found, c:\windows\system32\sdra64.exe on the system. Sure, case closed: submit the sample to AV to get them to update their signatures, examine the user's proxy logs to identify the phone-home behavior and make signatures from that. There, the organization is protected.

But How Did It Get In?
The final step in incident handling, and the one most often ignored, is root-cause analysis, or lessons learned. In this particular case I had a timestamp for when sdra64.exe was dropped on the box (if I trusted the MAC times) and could start digging through the web proxy logs for that machine at that time. That sounds like a lot of something-that-isn't-much-fun.

You know what sounds like more fun? Timeline analysis.

(For more on doing your own Timeline Analysis in your environment, I recommend starting here: http://blogs.sans.org/computer-forensics/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/)

In EnCase it's not too hard to organize the view of the file system to track which files were modified or added around the time sdra64.exe appeared. I was at first interested in the files in the user's Temporary Internet Files folder, since they help narrow down which website hosted the exploit.
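The pivot described above, as an added example that is not part of the ISC diary: a small Python script that reads a Sleuth Kit bodyfile (the `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime` format that fls and log2timeline emit and mactime consumes, with epoch-second timestamps), locates the sdra64.exe entry, and lists every other entry with a timestamp inside a window around its creation time, labelled with the MACB letters mactime uses. The bodyfile lines, the victim's user name, inodes, sizes and timestamps are all constructed for the demonstration.

```python
"""Pivot a mactime bodyfile around the creation time of a known-bad file.

Added example, not from the ISC diary. Bodyfile format (Sleuth Kit):
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds.
"""
from datetime import datetime, timezone

# Constructed sample bodyfile: names, inodes and times are made up for the
# demonstration; only the sdra64.exe / Java cache pattern mirrors the diary.
SAMPLE_BODYFILE = """\
0|C:/Documents and Settings/victim/Local Settings/Temporary Internet Files/Content.IE5/ABCD1234/index[1].htm|1001|r/rrwxrwxrwx|0|0|4096|1272639590|1272639590|1272639590|1272639590
0|C:/Documents and Settings/victim/Application Data/Sun/Java/Deployment/cache/6.0/42/1a2b3c4d-5e6f7a8b|1002|r/rrwxrwxrwx|0|0|9876|1272639601|1272639601|1272639601|1272639601
0|C:/Documents and Settings/victim/Application Data/Sun/Java/Deployment/cache/6.0/42/1a2b3c4d-5e6f7a8b.idx|1003|r/rrwxrwxrwx|0|0|512|1272639601|1272639601|1272639601|1272639601
0|C:/WINDOWS/system32/sdra64.exe|1004|r/rrwxrwxrwx|0|0|119808|1272639615|1272639615|1272639615|1272639615
0|C:/Documents and Settings/victim/Local Settings/Temp/~tmp1.tmp|1005|r/rrwxrwxrwx|0|0|2048|1272639616|1272639616|1272639616|1272639616
0|C:/WINDOWS/Prefetch/SDRA64.EXE-0A1B2C3D.pf|1006|r/rrwxrwxrwx|0|0|18334|1272639625|1272639625|1272639625|1272639625
0|C:/WINDOWS/system32/notepad.exe|1007|r/rrwxrwxrwx|0|0|69120|1200000000|1200000000|1200000000|1200000000
"""

# mactime prints the four timestamps in this order: m a c b
MACB = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_bodyfile(text):
    """Parse bodyfile lines into dicts; reject lines with the wrong field count."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"unexpected field count {len(f)}: {line!r}")
        entries.append({"name": f[1], "size": int(f[6]), "atime": int(f[7]),
                        "mtime": int(f[8]), "ctime": int(f[9]), "crtime": int(f[10])})
    return entries


def pivot_window(entries, pivot_suffix, minutes=5):
    """Return the pivot entry and every entry with a timestamp within +/- minutes
    of the pivot's creation time, as (earliest in-window time, MACB flags, name)."""
    pivot = next(e for e in entries if e["name"].lower().endswith(pivot_suffix.lower()))
    lo, hi = pivot["crtime"] - minutes * 60, pivot["crtime"] + minutes * 60
    hits = []
    for e in entries:
        in_window = [(key, letter) for key, letter in MACB if lo <= e[key] <= hi]
        if not in_window:
            continue
        flags = "".join(letter if (key, letter) in in_window else "." for key, letter in MACB)
        hits.append((min(e[key] for key, _ in in_window), flags, e["name"]))
    hits.sort()
    return pivot, hits


def fmt(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    entries = parse_bodyfile(SAMPLE_BODYFILE)
    pivot, hits = pivot_window(entries, "sdra64.exe")
    print(f"pivot: {pivot['name']} created {fmt(pivot['crtime'])} UTC")
    for when, flags, name in hits:
        print(f"{fmt(when)}  {flags}  {name}")
```

Run against a real bodyfile, the same window around the dropper's creation time surfaces the Temporary Internet Files and Java cache entries that the next section examines; widen `minutes` if the proxy logs suggest the exploit landed earlier than the dropper.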

Java Applet Cache Files
In addition to the HTML and image files in Temporary Internet Files there were also files created in c:\Documents and Settings\[victim]\Application Data\Sun\Java\Deployment\cache\[numbers]

There were files with hash-like names: some with no extension, some with .idx, some with .hst.

The extensionless file is a zip archive of the .class files, the bytecode of the Java applet downloaded to the system. The .idx file looks suspiciously like the HTTP session used to pull it down, and the .hst file held the IP of the source.

That's pretty handy information to have on hand. But what is the significance of the Java applet? On a whim I submitted it to VirusTotal, which told me it is an exploit for CVE-2009-3867. Neat, now I know how it got in and where it came from.
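Added example, not from the diary: a Python triage script for the Java Deployment cache directory described above. It confirms that an extensionless entry is a zip/jar, lists its .class members and hashes it for an AV or VirusTotal submission, and recovers the download URL, status line and response headers from the sibling .idx file. Because the .idx layout changed between Java releases, the script uses no fixed offsets; it scans for the length-prefixed strings that Java's DataOutputStream.writeUTF() writes and pairs a known header name with the string that follows it, which is a heuristic rather than a parser of the format. The hostname 198.51.100.7, the cache file name, the class name and the header values are constructed.

```python
"""Triage a Java Deployment cache directory (added example, not from the diary).

Every cache payload has no extension; its metadata lives in <name>.idx.
The .idx scanner below is a heuristic: it looks for writeUTF()-style strings
(2-byte big-endian length, then printable bytes) rather than fixed offsets.
"""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

KNOWN_HEADERS = {"content-type", "content-length", "last-modified", "server",
                 "date", "etag", "content-encoding", "cache-control"}


def java_strings(data, max_len=1024):
    """Heuristic writeUTF() scanner: length-prefixed runs of printable ASCII."""
    out, i = [], 0
    while i + 2 <= len(data):
        n = int.from_bytes(data[i:i + 2], "big")
        body = data[i + 2:i + 2 + n]
        if 1 <= n <= max_len and len(body) == n and all(0x20 <= b < 0x7f for b in body):
            out.append(body.decode("ascii"))
            i += 2 + n
        else:
            i += 1
    return out


def parse_idx(data):
    """Pull URL, status line and known headers out of a cache .idx file."""
    strs = java_strings(data)
    info = {"urls": [], "status": None, "headers": {}}
    for k, s in enumerate(strs):
        if s.startswith(("http://", "https://")):
            info["urls"].append(s)
        elif s.startswith("HTTP/"):
            info["status"] = s
        elif s.lower() in KNOWN_HEADERS and k + 1 < len(strs):
            info["headers"][s.lower()] = strs[k + 1]   # value is the next string
    return info


def inspect_applet(data):
    """Return hash and class list if the blob is a zip/jar, else None."""
    if data[:4] != b"PK\x03\x04":
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {"sha256": hashlib.sha256(data).hexdigest(), "entries": len(names),
            "classes": sorted(n for n in names if n.endswith(".class"))}


def triage_cache_dir(cache_dir):
    """Pair each extensionless payload with its .idx sibling and report both."""
    report = {}
    for path in sorted(Path(cache_dir).rglob("*")):
        if not path.is_file() or path.suffix:      # payloads carry no extension
            continue
        applet = inspect_applet(path.read_bytes())
        if applet is None:
            continue
        idx = path.with_name(path.name + ".idx")
        applet["idx"] = parse_idx(idx.read_bytes()) if idx.exists() else None
        report[path.name] = applet
    return report


# --- constructed sample data (host, names, dates are made up) ---------------
def _java_utf(s):
    b = s.encode("utf-8")
    return len(b).to_bytes(2, "big") + b


def sample_jar_bytes():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Exploit.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # magic only
    return buf.getvalue()


def sample_idx_bytes():
    header = b"\x00\x00\x00\x00\x02\x5a\x00\x00\x00\x00"      # arbitrary binary prefix
    strs = ["1.0", "http://198.51.100.7/applet/Exploit.jar", "HTTP/1.1 200 OK",
            "content-type", "application/x-java-archive",
            "last-modified", "Thu, 29 Apr 2010 21:12:03 GMT", "server", "nginx"]
    return header + b"".join(_java_utf(s) for s in strs)


def demo():
    """Write the samples into a temporary cache tree and triage it."""
    with tempfile.TemporaryDirectory() as d:
        stem = Path(d) / "42" / "1a2b3c4d-5e6f7a8b"
        stem.parent.mkdir()
        stem.write_bytes(sample_jar_bytes())
        stem.with_name(stem.name + ".idx").write_bytes(sample_idx_bytes())
        return triage_cache_dir(d)


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["sha256"][:16], r["classes"], r["idx"]["urls"], r["idx"]["headers"])
```

Point `triage_cache_dir` at an exported copy of the cache tree; the URL and `last-modified` header give the proxy-log search a host and a time to start from, and the sha256 is what goes to the AV vendor or VirusTotal.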

Prefetch Files
With the tight deadlines, and the rushed process of identifying the process generating the botnet traffic, or which DLL is getting injected into iexplore.exe, I know that I'm missing a lot of the other files that get dropped onto the system. If we're lucky enough to get a memory snapshot of the system while it's doing its evil I can use something like Volatility to tell me what files a process has open. If it's after the fact, I can glean some of that information from the prefetch files. In our Zeus case, while jumping in to look directly for sdra64.exe, I also saw SDRA64.EXE-[hash].pf.

The normal forensic value of prefetch files is that they tell you how many times an executable has been run and the last time it was executed (I refer you to Harlan Carvey's Windows Forensic Analysis DVD Toolkit, p. 226 in the first edition, p. 296 in the 2nd). The real purpose of a prefetch file is to improve the efficiency of the OS: it records which files the executable loads as it starts so that they can be preloaded next time. Using something like BinText you can see that list of files opened by the application. This gives me an additional list of files to check against the whitelist. In this particular example the .pf file also had a bit of HTML in it that looked like an iframe; I'm not sure whether that's a fluke or not, but it held additional clues about the exploit.
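Added example, not part of the diary: a Python parser for version-17 (XP) and version-23 (Vista/7) prefetch files that pulls the executable name, path hash, run count and last-run time from the header, walks the filename-strings section to list the files the prefetcher saw the program load, filters them against a small known-good list, and scans the raw bytes for HTML tags such as `<iframe>` in case slack like the one described above is present. The header offsets are the documented ones for those two versions; Windows 8 and later (including the compressed Windows 10 format) are out of scope and rejected. The sample prefetch file, the hash 0A1B2C3D, the whitelist and the iframe residue are constructed.

```python
"""Parse an XP (v17) or Vista/7 (v23) prefetch file. Added example, not from the diary."""
import re
import struct
from datetime import datetime, timedelta, timezone

# version -> (last-run FILETIME offset, run-count offset); the filename-strings
# section offset/length sit at 0x64/0x68 in both versions.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}
HTML_RE = re.compile(r"<\s*(iframe|script|object)\b[^>]{0,300}>", re.I)

# Constructed known-good list; real work would use NSRL or a gold-image hash set.
WHITELIST = {r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
             r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL"}


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    version, = struct.unpack_from("<I", data, 0)
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not an uncompressed prefetch file")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 0x4C)         # the [hash] in the file name
    str_off, str_len = struct.unpack_from("<II", data, 0x64)   # filename strings section
    t_off, rc_off = LAYOUT[version]
    last_run, = struct.unpack_from("<Q", data, t_off)
    run_count, = struct.unpack_from("<I", data, rc_off)
    blob = data[str_off:str_off + str_len].decode("utf-16-le", errors="replace")
    return {"version": version, "exe": exe, "hash": f"{path_hash:08X}",
            "run_count": run_count, "last_run": filetime_to_dt(last_run),
            "files": [s for s in blob.split("\x00") if s]}


def suspicious_files(files, whitelist=WHITELIST):
    """Loaded files that are not on the known-good list (case-insensitive)."""
    wl = {p.upper() for p in whitelist}
    return [f for f in files if f.upper() not in wl]


def html_fragments(data):
    """HTML tags in the raw bytes, checked as 8-bit text and both UTF-16LE alignments."""
    views = (data.decode("latin-1"),
             data.decode("utf-16-le", errors="ignore"),
             data[1:].decode("utf-16-le", errors="ignore"))
    return list(dict.fromkeys(m.group(0) for v in views for m in HTML_RE.finditer(v)))


def build_sample_pf():
    """Construct a version-17 prefetch for SDRA64.EXE with four loaded files and HTML slack."""
    files = [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
             r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
             r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SDRA64.EXE",
             r"\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\VICTIM\LOCAL SETTINGS\TEMP\~TMP1.TMP"]
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    slack = b'<iframe src="http://198.51.100.7/applet/" width=0 height=0></iframe>'
    header = bytearray(0x98)                                   # v17 header size
    struct.pack_into("<I4s", header, 0, 17, b"SCCA")
    struct.pack_into("<I", header, 0x0C, len(header) + len(strings) + len(slack))
    name = "SDRA64.EXE".encode("utf-16-le")
    header[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", header, 0x4C, 0x0A1B2C3D)
    struct.pack_into("<II", header, 0x64, len(header), len(strings))
    struct.pack_into("<Q", header, 0x78, 129171132200000000)   # 2010-04-30 15:00:20 UTC
    struct.pack_into("<I", header, 0x90, 3)
    return bytes(header) + strings + slack


if __name__ == "__main__":
    raw = build_sample_pf()
    pf = parse_prefetch(raw)
    print(f"{pf['exe']}-{pf['hash']}.pf  runs={pf['run_count']}  last={pf['last_run']:%Y-%m-%d %H:%M:%S} UTC")
    for f in suspicious_files(pf["files"]):
        print("  not whitelisted:", f)
    for h in html_fragments(raw):
        print("  html residue:", h)
```

The strings section is the same list BinText shows, minus the noise; what a whitelist does not explain (here the dropper itself and a file in the user's Temp directory) is the candidate list for the rest of the timeline work.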

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.


SonicWALL Comprehensive GMS Base Support – SonicWALL GMS Standard Edition – Technical Support – 1 Year Category: Extended Warranties and Service Plans

Internet Security Software | Friday 30 April 2010 4:08 pm

  • Sold Individually

Product Description
Item #: 593293. This is a Special Order Item. Please allow up to 7 business days for product to ship. SonicWALL’s powerful security solutions give you unprecedented protection from the risks of Internet attacks. SonicWA… More >>




Some content may originate from third party websites (i.e. Amazon, Yahoo Answers, YouTube).
Internet SecuritT Group LLC is not responsible or liable for the content of any third party affiliate.
All third party content is property of the respective owners.