You are browsing the archive for 2012 January.

Forensic Riddle #9b – Answer

January 29, 2012 in Forensic Riddles - Answers

NTFS file system is by design case-sensitive, yet this option is disabled by default.

One needs to change the following option in Registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"obcaseinsensitive"=dword:00000001

and restart the system to be able to create files and directories that are case-sensitive.

Notably, Windows APIs e.g. CreateDirectoryA/W are mapped to NtCreateFile API with OBJ_CASE_INSENSITIVE flag on, so they can’t be used to create case-sensitive files/directories.

Comments Off

Forensic Riddle #9b

January 26, 2012 in Forensic Riddles

This is a second part of the riddle – this time there is no Unicode characters, no GUI attacks, nothing malicious.

Question: What happened here?

Answer here

Comments Off

Forensic Riddle #9a – Answer

January 24, 2012 in Forensic Riddles - Answers

There are many answers here and the very same result could be achieved in many ways:

  • Unicode/homomorph attack

using Unicode characters e.g. from Russian alphabet; this can be usually easily detected from a command line level:

  • GUI attack

it is relatively easy to modify the content of any other window, including windows used by Explorer to display file names (window class is a standard ‘SysListView32′); some malware use GUI attacks to remove their processes’ names from a list of processes shown by Task Manager

  • API hooking

trivial to return two exact file names for two different entries

  • patching the file system entry directly

and probably a few more…

 

Comments Off

The shortest anti-forensics code in the world

January 21, 2012 in Anti-Forensics

Everyone knows about anti-forensics… from timestomping, secure deletions, wiping out internet history and event logs to monitoring I/O requests in order to provide fake data (e.g. original content of MBR sector) and Shadow Walker… there are some excellent presentations out there with the fantastic work of Bill Blunden from BH 2009 nicely wrapping it all up.

Many of our IR/forensics activities rely on enumerating list of processes from an investigated system. The tools we use often show command line arguments of all processes. Process Explorer, Task Manager in Vista+ and command line tools e.g. tlist.exe or cmdline.exe show the content of processes’ command lines by copying the command line buffers directly from these processes’ address space.

Enter the smallest anti-forensics code in the world.

It wipes out the content of the command line buffers stored under addresses returned by GetCommandLineA/GetCommandLineW. It takes 25 bytes of code.

CleanupCMDLineArg:
call GetCommandLineA
call Cleanup
call GetCommandLineW
Cleanup:
cld
xchg eax,edi
xor  eax,eax
xor  ecx,ecx
dec  cl
rep  stosb
retn

Once the code is ran, command line arguments are no longer visible in any of the aforementioned tools.

I had a silly idea to demonstrate it by writing a command line arguments scroller for Task Manager and Process Explorer. The way I envisioned it would work is that I would be changing the content of buffers storing command line arguments of my process every second or so. The assumption was that anytime Task Manager or Process Explorer would refresh the list of the processes, they would copy the buffer containing my scrolled text and show it on their GUI. By manipulating the buffers I would be able to achieve the scrolling effect. Well, it didn’t work out as it seems the command line arguments are not updated anytime the process list is updated by these tools. A bug or a feature?

Comments Off

Forensic Riddle #9a

January 21, 2012 in Forensic Riddles

This is a riddle with multiple answers – some are super trivial, some are probably not and actually raise interesting questions about Windows. We will explore some of them one by one.

Question: What happened here?

Answer here

Comments Off

Forensic Riddle #8 – Answer

January 15, 2012 in Forensic Riddles - Answers

There is a less known LoadModule API from kernel32.dll that can be used to launch applications the same way as WinExec and others.

Comments Off

OpenIOC – why it may work, but more importantly – why it may not… OpenHFA?

January 13, 2012 in Preaching

Recently there is a lot of buzz about OpenIOC. The idea is great – you come across a new IOC (Indicator of Compromise), you describe it in XML, add it to a globally shared collection, and next time you or someone else runs a new case, you or them may get lucky and can use the global intel and solve the case in no time.

Everyone wins.

Hmmm not really.

Why it may work

This is the shortest part of this article. Sharing intel is a no-brainer. It is truely a great idea. Seriously. Finally someone not only realized that talking about sharing data about forensic artifacts in an unified, foolpropof way in a forensics world is not good enough, but it is time to actually create a platform to do so. I personally don’t like XML, but hard to think of a better way of sharing data w/o losing time on parsing badly-formatted CSV files, proprietery formats, etc.. The other great thing about OpenIOC is that someone was brave enough to admit that forensic artifacts shared so far within the community go beyond just a file name, its size, MD5, and as many versions of SHA as possible. Plus, of course a fuzzy hash :-) .

This MAY actually work. But before it works, it’s good to try analyze what it may not.

Why it may not work

Tl;DR; Writing good quality IOCs is NON-TRIVIAL.

The examples of IOC presented on OpenIOC web site are decent, yet they focus on specific samples of malware. This may be a great approach for a family of malware that doesn’t change often, is usually targeted, and stays under radar of Antivirus companies because… they never see the samples until it is really too late. Usually this kind of malware is distributed within a small, niche environment and Stuxnet, ATM malware, or malicious software used by carders to attack POS systems is a good example. Good as an example, but not that useful practically speaking.

So, what are the potential challenges of OpenIOC?

The first problem is that malware / intruders’ activities:

  • are highly intelligent (never underestimate your opponent)
  • are randomized
  • are metamorphic or recompiled for new environments
  • use constantly changing reg entries, file names, domain names and rely on peer to peer network & fast-flux and many other techniques to avoid static and heuristic detection by whatever forensic artifact possible
  • rely on tools that prevent finding artifacts (timestomping, secure deletion, browser cache cleanup, DNS cache cleanup, etc.)

Second problem comes as a result of the first one – knowing about constantly changing artifacts potential IOC creators are forced to either not write IOC at all (waste of time, etc.), or… automate it.

But you see.. you can’t automate it.

Depending on dynamic analysis is really not good enough. Malware often creates, modifies, deletes, and amends system’ state in many different ways, often affecting ‘clean’ system areas that are accessed/created by clean components indirectly loaded/used by malware, let it be a WebControl, external application called directly by malware, or even registry settings of protectors used by both legitimate software and malware. Of course, the other problem is that dynamic analysis is not good enough to discover hidden paths in an analyzed code, e.g. code dependent on a file location, current account name, presence of specific triggers, let alone code that is executed based on incoming messages from Command & Control.

Is it worth then to do in-depth analysis for a sole purpose of creating a very good IOC?

No. If the malware shows signs of randomization, anti-heuristic behaviour, fast-flux, you better leave it.

Now, imagine that IOCs are actually created as a side effect of in-depth malware analysis. How often will you really see these specific artifacts in the future? I tried similar approach in the past and it does work for a specific environment or niche market, but not _globally_. Maybe I was just not lucky enough, yet the question remains. Working your future cases, ask yourself – even if you see similar stuff, how often it is really something that can be so easily framed into a simple logical formula? It is rare, and that’s the exact reason that makes this job so interesting! :-)

The first and second problem create a combined problem. Loosely collected IOCs based on specific patterns/artifacts, even if shared globally are nothing more than a blacklist. And blacklists simply don’t work (AV vendors struggle with the same problem for years and that’s why they focus their efforts so much on improving behavioural and heuristical detection instead of pattern or even algorithmical (but still static) detection).

The third problem is the speed. It is not visible at the moment, but assuming that new IOC entries will start being created often and eagerly and then shared globally, tools that handle them won’t be able to cope with a number of checks they need to perform on the evidence. Think of IDS/IPS systems or AV engines. The rules used to detect network anomalies or malware patterns are always converted to some clever structures, let it be a trie, DFA, NFA, or some patent-covered solutions – they are superoptimized, because they _need_ to be superfast to scan files for hundreds of thousands if not millions of signatures in a processing time as close as possible to linear! I don’t know the internals of tools currently relying on OpenIOC, but just pointing out that search speed should maintain relatively constant independently on number of sigs.

The fourth problem is quality. IOCs need to be reviewed, revised, rejected. FPs or one-off IOCs will bring a lot of noise and managing a collection of IOC is as challenging as it is with IDS/IPS/AV sigs, if no more (AV sigs are maintained within 1 company, OpenIOC could potentially be a hivemind) .

The fifth problem is the ‘open’. Yes, sadly. There already exist portals to verify safely (no submission to AV vendors) if a new malware sample is detected by any AV. Adding  a feature to pull latest OpenIOC repository and check if system modifications introduced by sample to the system trigger any OpenIOC entries is trivial.

How to make it work?

The focus should be not on malware, constantly changeable intrusion artifiacts, but on highlighting artifacts that have a universal use to forensic investigators. Examples include artifacts that can be parsed, analyzed, basically, can help to solve the case.

Examples include:

  • names and locations of log files + their format/parsers
  • all possible known autorun entries
  • timeline anomalies
  • discrepancies that could be described as subtle variation from the OS baseline (but not hashes!) – examples include calculating Levenshtein distance between active process names and known clean process names, anomalous locations for active processes using names of known clean processes, discovering homographic attacks by finding Unicode characters in files/process names, clustering file system entries,
  • and many others

Alternative solution

Collecting IOCs may be helpful short-term, but collecting HFAs (Helpful Forensic Artifact) is the way to go.

OpenHFA anyone?

Updates:

- reviewed and clarified the language to remove ambiguity

4 Comments »

Forensic Riddle #8

January 13, 2012 in Forensic Riddles

Malware is often using one of these 3 APIs to launch new processes:

  • WinExec
  • ShellExecute (Ansi and Wide versions)
  • CreateProcess (Ansi and Wide versions + all CreateProcess* family e.g. CreateProcessInternal, CreateProcessAsUser, etc.)

 

Question:

There is at least one more API function that could be also used to launch executables. What is its name?

 

Have a good weekend!

Answer here

Comments Off

DeXRAY – simple XORcarver

January 5, 2012 in DeXRAY, Software Releases

It is a well-known fact that the most common encryption algorithm used by malware authors relies on an eXclusive OR (a.k.a. XOR) operation using a static, one byte long key. It is used so often that many researchers already have their own scripts and tools that attempt to cryptanalyse encrypted files and discover hidden data. And in case you don’t – you will now have one as well :-) .

DeXRAY

DeXRAY is a simple perl script that tries to discover encrypted executables and DLLs (or, more generically – Portable Executables a.k.a. PE) within a given data file e.g. it could be an encrypted PE that is embedded inside a malicious dropper (including non-PE files e.g. PDFs) or network traffic.

How it works

DeXRAY relies on a simple technique known as X-RAY. The technique is probably as old as an antivirus industry itself and relies on a simple fact that xoring two values from analyzed data will produce the same result as the result obtained from xoring these values if they have been previously encrypted with a static key.

A xor B = (A xor key) xor (B xor key) = same value

Since all Portable Executables start with letters ‘M’ and ‘Z’, xoring ‘M’ and ‘Z’ will produce the same value as xoring (‘M’ xor key) with (‘Z’ xor key)

‘M’ xor ‘Z’ = (‘M’ xor key) xor (‘Z’ xor key) = 0×17

In other words, it is a known plain-text attack.

Supported files

DeXRAY attempts to decrypt

  • Any binary file (using X-RAY)
  • Symantec Quarantine files (VBN/QBD)
  • McAfee Quarantine files (BUP)

Quarantine files are supported specifically for a very simple reason: they often rely on a XOR-based encryption algorithm and X-RAY is a very suitable technique to decrypt them. To make things easier, DeXRAY recognizes file extensions of known Quarantine files and uses (widely) known hard coded keys to decrypt these files while maintaining some flexibility in case some keys have changed.

Usage:

perl DeXRAY.pl <filename or directory>

What is the output?

If it works, you will get files saved as <original filename.XXXXXXXX.YY.out>

where:

  • XXXXXXXX is the offset (hexadecimal) where the file starts in the original file
  • YY is the encryption key (hexadecimal)

There may be more files than one. In some cases the log from the script may show two output files with the same name (one obtained from de-xoring with a hard coded value and second one from X-RAY; in such case, only one file is produced).

Examples and Notes

  • Symantec Quarantine files (.VBN) – xor 0x5A

DeXRAY won’t work with some Symantec Quarantine files. As far as I can tell, it is because not all VBN files are actualy encrypted, so it’s worth looking at a hex dump of such files first. It may also not work if the Quarantined file is not Portable Executable – X-RAY only supports Portable Executable. Adding support for other files (e.g. Flash, PDF) is trivial. Finally, note that there are often two VBN files associated with one Quarantine entry – one contains some metadata, second is the actual encrypted file and is located in a Quarantine subdirectory named similarly to the first VBN file.

The content of the decryptable VBN file is metadata at the top of the file (clear text and strings visible, but header format is unknown) that is followed by the encrypted content we want to grab. One more note here – the location of the encrypted data within the VBN file is not static as some blogs suggest. DeXRAY script is trying to ‘guess’ the offset to the encrypted by reading first 32-bit value from the file (while it is not documented, it appears to be actually pointing to the encrypted content).

  • Symantec/Norton Quarantine files (.QBD) – xor 0xB3 / xor 0x4C

DeXRAY decrypts the whole file using static key 0xB3. This allows to decrypt the metadata at the top of the file. It then uses X-RAY and finds the encrypted malware (it’s encrypted with the key 0x4C)

  • McAfee Quarantine (.BUP) – xor 0x6A

DeXRAY decrypts the whole file using static key 0x6A. This allows to decrypt the metadata at the top of the file. It then relies on X-RAY to find and extract the encrypted malware

  • only PE files are supported by X-RAY, but adding support for known malicious files is trivial and you could add it yourself, or drop me a line and I will add it.

I am not sure if all static keys are always correct as I didn’t have enough samples to test, but it seemed to work in all tests. If you come across files that you know for sure they should be containing malware and DeXRAY fails to decrypt them, feel free to send them over and I will have a look.

Download

Comments Off

Forensic Riddle #7 – Answer

January 2, 2012 in Forensic Riddles - Answers

The answer is pretty straightforward to anybody who is a programmer. Registry is just a configuration data that is read at some stage. The way the configuration affects OS or application (or DLL) depends on whether it has been read during the system-wide initialization (one off initialization that sets some flags only once after system restart), process/module-specific initialization (that is a one-off for a specific process or module), or is read anytime certain function is executed (thus, changing registry has an immediate effect).

It’s 2012 and time for something new, so I am suspending riddles for the time being. I still have a few more to post, yet from now on it won’t be that frequently.

Comments Off