
A few things about EICAR that you may be not aware of…

April 10, 2016 in Incident Response, Malware Analysis, Others, Preaching, Puzzles, Security Control, Silly

Update April 2017

As per info from Vess, the programmer who was responsible for writing the EICAR file was Padgett Peterson.

If you get excited about the EICAR file making the news as being able to make AV delete logs when EICAR is used as a user name, password, User-Agent, etc. – it’s old news 😉 Read the history of the file, including the first attempts to abuse it, here.

Old Post

When my wife studied her MA in graphic design and branding she got a lot of interesting home work. One of them was… ‘The square’. She spent a lot of time brainstorming and eventually produced a large collection of ideas that got her a good mark. Now, the simple purpose of that exercise was to play around with the idea of… ideas. As simple as it sounds, the moment you start exploring one ‘simple’ subject you will soon find yourself deep in a forest.

As I am adding support for many Quarantine files now (to DeXRAY) I suddenly found myself in the world of Antivirus analysis. One thing that somehow connects all AV products is not their functionality, or their Utopian vision of full protection, but… the EICAR file.

I decided to explore the topic of this file a bit – same as my wife was exploring the square. Yup, here’s a boring story SLASH a bunch of ideas associated with EICAR SLASH and other topics like this …

First of all – in case you don’t know – EICAR is a small file that is used as a test for security products (in the past it was mainly antivirus, but nowadays it should apply to any security solution that looks at files/content of any sort really). Once you deploy/install the solution/product, you can drop the EICAR file all over the place and see if the solution picks it up. Notably, some AV vendors apparently do not understand what EICAR’s purpose is and decided not to detect it. I won’t be pointing fingers, but upload the EICAR file to VirusTotal and you will know who I am talking about.

Naming conventions in AV have been the subject of many debates over many years. EICAR looks like a no-brainer though, as it’s an artificial file created with a single purpose and its origin and name are well-documented. It doesn’t help though… it would seem that vendors can’t agree on one, single name. Here is a histogram of names used by AV:

EICAR_test_file                  11
EICAR-Test-File                   7
EICAR-Test-File (not a virus)     4
Eicar test file                   3
EICAR (v)                         2
Eicar-Test-Signature              2
EICAR.Test.File                   2
EICAR.TestFile                    2
EICAR Test File (NOT a Virus!)    1
EICAR.TEST.NOT-A-VIRUS            1
EICAR-Test-File (not a virus) (B) 1
EICAR Test String                 1
DOS.EiracA.Trojan                 1
Marker.Dos.EICAR.dymlmx           1
EICAR.Test.File-NoVirus           1
NORMAL:EICAR-Test-File!84776 [F]  1
EICAR-Test-File!c                 1
EICAR Test-NOT virus!!!           1
Win32.Test.Eicar.a                1
Misc.Eicar-Test-File              1
EICAR_Test                        1
NotAThreat.EICAR[TestFile]        1
qex.eicar.gen.gen                 1
TestFile/Win32.EICAR              1
Virus:DOS/EICAR_Test_File         1
EICAR-AV-Test                     1
EICAR-AV-TEST-FILE                1
EICAR-test[h]                     1

And the bonus: one of these even has a typo. Can you spot it?

EICAR is a very strange phenomenon.

It is an organization. It is a file. It has a dedicated web site. It haz a dedicated con. Its original name is inclusive of Europe, and exclusive of other continents (EICAR stands for ‘European Institute for Computer Antivirus Research’; deprecated name, but always…).

Anagrams of EICAR are ERICA, CERIA and AREIC. They serve no purpose in this article.

Properties:

File size: 68 bytes
MD5: 44D88612FEA8A8F36DE82E1278ABB02F
SHA1: 3395856CE81F2B7382DEE72602F798B642F14140
SHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F
CTPH: 3:a+JraNvsgzsVqSwHq9:tJuOgzsko
Entropy: 4.872327687

EICAR is a 16-bit DOS .COM program and can actually be executed… but only under DOS or 32-bit versions of Windows that still ship NTVDM (64-bit Windows won’t run it).

[image: eicar]

The source code uses the same tricks as shellcode does – the whole program has to consist of printable ASCII, so:

  • the code is obfuscated (the instructions are chosen so that their bytes spell a readable string)

[image: eicar2]

  • it is self-modifying code (it patches itself at runtime before printing the EICAR-STANDARD-ANTIVIRUS-TEST-FILE! message and exiting)

[image: eicar3]

[image: eicar4]

Does your sandbox solution accept EICAR? Test it.

There exist tools that help you generate the EICAR file and its cousins (file formats embedding EICAR, e.g. archives).

There exists a close friend of EICAR called AMTSO (Anti-Malware Testing Standards Organization) that focuses on anti-malware testing methods. It produces some more test files to support the original idea introduced by EICAR, f.ex. the Potentially Unwanted Application equivalent of EICAR:

[image: puaeicar]

with the histogram of detection names as follows (VT detection rate: 43/56 – mind you that the file was compiled on 2013-04-04 21:26:07 (Thursday)):

Application.Hacktool.Amtso.A                             5
Riskware ( 0040eff71 )                                   2
AMTSO-Test                                               2
PUA_Test_File                                            2
RiskTool.EICAR-Test-File.r5 (Not a Virus)                1
RiskWare[RiskTool:not-a-virus]/Win32.EICAR-Test-File     1
RiskTool.Win32.AMTSOTestFile (not malicious)             1
Amtso.Test.Pua.A                                         1
W32/PUAtest.B                                            1
AMTSO_PUA_TEST                                           1
RiskTool.Win32!O                                         1
Application.Win32.AmtsoTest.a                            1
Riskware.AMTSO-Test-PUA                                  1
Application/AMTSOPUPTestfile                             1
Trojan.Staser.gen                                        1
Application:W32/AMTSOPUATestfile                         1
W32/TestFile.LCMA-1046                                   1
Backdoor.CPEX.Win32.29390                                1
Risktool.W32.Eicar.Test!c                                1
Hacktool.Win32.EICAR-Test-File.aa                        1
RiskTool.Win32.AMTSOTestFile                             1
not-a-virus:RiskTool.Win32.EICAR-Test-File               1
AMTSO-PUA-Test                                           1
PE:Malware.Generic/QRS!1.9E2D [F]                        1
Riskware.Win32.EICARTestFile.dmxhvk                      1
PUA.AMTSOTest                                            1
SpyCar                                                   1
PUA/AMTSO-Test                                           1
Trojan/W32.Agent.33280.TI                                1
Win32/PUAtest.B potentially unwanted                     1
W32/TestFile                                             1
Win32:AmtsoTest-A [PUP]                                  1
AMTSO-PUA-Test (PUA)                                     1
RiskTool.EICAR-Test-File.a                               1
AMTSO Test File PUA (Not a Virus!)                       1
PUP/Win32.AMTSO_Test                                     1

…and the cloudish EICAR file as well. Here’s the histogram of names given to the cloudish EICAR file (only 23/56 vendors detect it on VT; compilation date: 2010-07-08 23:02:46 (Thursday), ouch!):

AMTSO_TEST_CLOUDCAR                    2
Cldcar-Test!3FB121FBBCCB               2
Trojan.Win32.Generic!BT                2
Trojan.Agent/Gen-CloudTest             1
Virus:DOS/EICAR_Test_File              1
Trojan.Generic                         1
Application.Win32.CloudTest.s          1
Win.Trojan.11584714-1                  1
Amtso.Test.Cloudcar.A                  1
Trojan.Brodcom.Win32.366               1
Trojan.Win32.DangerousObject.dlgbhn    1
AMTSO-CLOUD-Test                       1
Trojan.Win32.Z.Agent.7178[h]           1
CLOUDCAR_Test                          1
UDS:DangerousObject.Multi.Generic      1
DangerousObject.Multi.Generic!c        1
W32/GenBl.3FB121FB!Olympus             1
Mal/Generic-S                          1
AMTSO Test File (NOT a Virus!)         1
Trj/CI.A                               1

There also exists a close friend of EICAR called GTUBE (Generic Test for Unsolicited Bulk Email) for testing anti-spam solutions. It is also 68 bytes long.

Last, but not least – there exists a shorter version of EICAR and it is 12 bytes SHORTER than the original!

The Base64-encoded EICAR looks like this:

WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JDIDYOUSPOTTHISEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNU
LUZJTEUhJEgrSCo=

You may come across it as it is being used in various tests and… it is a method used by Esafe to save Quarantine files. And… maybe you can’t read this post in case your security product is over protective and detected the BASE64-encoded EICAR string. Well, if it does… it shouldn’t, as I included ‘DIDYOUSPOTTHIS’ in the BASE64 encoding above. Well, did you spot that DIDYOUSPOTTHIS?

EICAR is a tool. I use it to test Quarantine files’ encryption. When I find no encryption, or trivial encryption/encoding – I love EICAR. When I have to dig into some actual code to find out how they transform the original EICAR bytes into sth terrible I absolutely hate this little piece of hybrid data/code ;).
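To make the properties listed above, the base64 form, and the ‘cousins’ (here: a ZIP archive wrapping the file) concrete, here is an added example script; it is not from the original post and not part of DeXRAY. It rebuilds the 68-byte string from two halves at runtime so the raw signature does not sit verbatim in the file, recomputes the size, digests and entropy shown above, implements the EICAR standard’s tolerance for trailing whitespace (space, tab, CR, LF, Ctrl-Z, up to 128 bytes total), and detects the base64-encoded form the way a quarantine parser would. The function names (`is_eicar`, `embed_in_zip`, …) are this example’s own.

```python
import base64
import hashlib
import io
import math
import zipfile
from collections import Counter

# Assembled at runtime from two halves so the raw 68-byte signature never
# sits verbatim in this file (over-protective scanners, see the post).
_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_TAIL = r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = (_HEAD + _TAIL).encode("ascii")

# EICAR standard: the 68-byte string may be followed only by whitespace
# (space, tab, LF, CR, Ctrl-Z), total file length at most 128 bytes.
_TRAILING = set(b" \t\r\n\x1a")
MAX_LEN = 128


def properties(data: bytes) -> dict:
    """Size, digests and Shannon entropy: the same fields the post lists."""
    counts = Counter(data)
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "size": n,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": round(entropy, 9),
    }


def is_eicar(data: bytes) -> bool:
    """Strict check: signature first, optional trailing whitespace, <=128 bytes."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in _TRAILING for b in data[len(EICAR):])


def base64_form(data: bytes = EICAR, width: int = 76) -> str:
    """Base64 of the file, line-wrapped the way it is usually shown/stored."""
    s = base64.b64encode(data).decode()
    return "\n".join(s[i:i + width] for i in range(0, len(s), width))


def is_base64_eicar(text: str) -> bool:
    """Match the base64 form (what the Esafe quarantine stores), ignoring line breaks."""
    compact = "".join(text.split())
    try:
        return is_eicar(base64.b64decode(compact, validate=True))
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return False


def embed_in_zip(member: str = "eicar.com") -> bytes:
    """One of EICAR's 'cousins': an in-memory ZIP archive containing the test file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, EICAR)
    return buf.getvalue()


def zip_contains_eicar(blob: bytes) -> list:
    """Names of archive members that are (possibly whitespace-padded) EICAR files."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [m for m in zf.namelist() if is_eicar(zf.read(m))]


if __name__ == "__main__":
    for k, v in properties(EICAR).items():
        print(f"{k:8} {v}")
    print(base64_form())
    print("padded still detected:", is_eicar(EICAR + b"\r\n"))
    print("129 bytes rejected:   ", is_eicar(EICAR + b" " * 61))
    print("zip members flagged:  ", zip_contains_eicar(embed_in_zip()))
```

Two things worth noticing when you run it: the whitespace rule means a file that is EICAR plus a trailing newline (what most editors save) must still be detected, while one byte over 128 is, by the letter of the standard, no longer an EICAR file; and the base64 check only fires on a clean encoding, so the ‘DIDYOUSPOTTHIS’ version above decodes to garbage and is correctly ignored.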

SCCM (System Center Configuration Manager) and Incident Response – Part 2

January 30, 2015 in Compromise Detection, Forensic Analysis, Malware Analysis, Security Control

Update

After I posted this piece Ryan (Thanks!) pinged me to highlight a few aspects related to SCCM which are worth mentioning, so I am adding some more notes below:

  • For performance reasons the indexing is often limited to certain directories and file extensions; this is a very important point and it’s good to review the inventory config and adjust it accordingly to your needs (if SCCM admins agree 🙂 )
    • I have seen inventories limited to .exe files, and multimedia files (e.g. mp3)
  • There is an option to copy files to SCCM
  • SCCM can be asked to query the environment for specific file names (even non .exe) – it is kinda similar to sweeps, but it’s relatively slow and quite a burden to the system
  • You may know SCCM as SMS (Systems Management Server), ConfigMgr 2012, ConfigMgr 2007 or just ConfigMgr – see wiki for more details

Old post

A while ago I wrote that SCCM can help IR guys to hunt for anomalies in the environment. I always wanted to come back to this topic with some more concrete examples so that I can show what is actually possible.

As mentioned in the first post – if you never used SCCM or don’t know what it is please ask your admin or whoever owns the ‘win’ platform in your company (the function may be called Desktop Management, Windows Admin, or sth along these lines) to give you the URL (and access rights) to the SCCM reporting tool.

The URL will lead you to a page where you can choose various reports presenting information about asset inventory of your company. I won’t cover the details here – all you need to do is to choose a specific report, fill-in the form and submit it to the web site. In return you will get the report.

An example form looks like this:

[image: sccm1] The screenshot comes from some random forum post so I hid the domain name to protect the innocent.

When you submit this form the data will be sent to the web site using a GET request. This is cool, because it means you can dynamically change them in your browser’s address bar – it’s easy to experiment with the variable holding the file name.

Let’s see how it works in practice.

The URL to your SCCM report looks like this:

http://<SCCM>/Report.asp?ReportID=<###>

where:

  • SCCM = address of your SCCM reporting page – usually sth like “SMSReporting_<org name>/”
  • ### – a number assigned to the report called “Computers with a specific file” (find it on the main SCCM reporting page)

The data you provide is passed via an argument called ‘variable’.

Submitting an example query to show all computers that host ‘tor.exe’ could look like this:

http://<SCCM>/Report.asp?ReportID=<###>&variable=tor.exe

When the page comes back you can get 3 kinds of response:

  • No report, because the page timed out 😉 – you need to use a different query (most likely, the tor.exe query won’t time out since the name is quite unique, but if you searched f.ex. for notepad.exe the chances are high).
Response object error 'ASP 0251 : 80004005'
Response Buffer Limit Exceeded
[...]
  • No results – this is usually good news, since it means there is no ‘tor.exe’ on any system
  • The actual list of systems hosting ‘tor.exe’ – these you need to chase after ASAP

The example report highlighting one system hosting ‘tor.exe’ looks like this:

[image: sccm2]

This is a good example of an actionable data. You can now go directly to the system and investigate. You can question the owner of the system. Finally, you can remove that ‘tor.exe’ instance from the system.

Obviously, to make the best use of the tool you need to know what queries to use. There is (luckily) a long list of tool names and programs both hackers and admins (as well as stupid users) use and you can start the hunting initiative querying f.ex. for:

http://<SCCM>/Report.asp?ReportID=<###>&variable=nmap.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=psexec.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=psexesvc.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=tor.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=vidalia.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=%25torrent%25.exe
http://<SCCM>/Report.asp?ReportID=<###>&variable=[0-9][0-9][0-9].exe

The last 2 examples are not plain file names: ‘%torrent%.exe’ uses SQL LIKE wildcards (looking for torrent clients; note that ‘%’ has to be URL-encoded as ‘%25’) and ‘[0-9][0-9][0-9].exe’ uses a LIKE character class (looking for 3-digit file names) – this is not a full regular expression, but it is very handy that SCCM passes these patterns through to its query – they not only help us with more complicated queries, but also narrow down the results (otherwise the timeout will tell you your query was not that good 🙂 ).

Once you define what queries you want to run on regular basis you can automate it using Visual Basic Script, python, or whatever else you like. You can also start building white lists or exclusions lists. This is because SCCM has a tendency to keep some records ‘forever’ and even if you clean up the system sometimes you may find some old records ‘hanging’ in SCCM for a very long time. You can either delete them manually directly from SCCM DB, or just keep them there, and also use the aforementioned ‘ignore’ lists to automatically exclude these known systems / files from the output of your parser. Going even further you can report it to SIEM, or you can start sending alerts via email.
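The automation just described, as an added example (Python; not from the original post): it builds the report URLs for a hunting list, tells the three kinds of response apart (timeout, no results, hits) and drops known instances from an ignore list. The host, the report number and the HTML layout of the result table (a header row followed by one `<tr>` per computer, with the computer name in the first cell and the path in the second) are assumptions, as is the constructed sample HTML; the only text taken from the page is the ‘ASP 0251 / Response Buffer Limit Exceeded’ error. Network access is left out on purpose: feed `classify()` whatever `urllib`/`requests` returns for a `report_url()`.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Shape of the report URL from the post; host and report number are placeholders.
def report_url(base: str, report_id: int, pattern: str) -> str:
    """Build the GET URL. urlencode turns a LIKE '%' into '%25', as in the post."""
    return f"{base}/Report.asp?ReportID={report_id}&" + urlencode({"variable": pattern})

# Error text the post quotes for an over-broad query (the 'timeout' case).
_TIMEOUT_MARKERS = ("ASP 0251", "Response Buffer Limit Exceeded")


class _TableRows(HTMLParser):
    """Collect every <tr> as (is_header_row, [cell text, ...]). Assumed report layout."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row, self._header, self._cell = None, False, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row, self._header = [], False
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []
            self._header |= (tag == "th")

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append((self._header, self._row))
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def classify(body: str, ignore=frozenset()):
    """Return (status, hits); status is 'timeout', 'clean' or 'hits'.
    hits = [(computer, path)] with (computer.lower(), path.lower()) pairs on `ignore` removed."""
    if any(m in body for m in _TIMEOUT_MARKERS):
        return "timeout", []
    p = _TableRows()
    p.feed(body)
    hits = [(r[0], r[1]) for is_hdr, r in p.rows
            if not is_hdr and len(r) >= 2 and (r[0].lower(), r[1].lower()) not in ignore]
    return ("hits" if hits else "clean"), hits


# The hunting list from the post; the LIKE patterns are passed as typed.
HUNT_LIST = ["nmap.exe", "psexec.exe", "psexesvc.exe", "tor.exe", "vidalia.exe",
             "%torrent%.exe", "[0-9][0-9][0-9].exe"]

# Known, sanctioned instance (constructed): the 'ignore list' the post talks about.
IGNORE = frozenset({("lab-01", "d:\\tools\\tor.exe")})

# Constructed sample responses, not captured from a real SCCM.
SAMPLE_TIMEOUT = "Response object error 'ASP 0251 : 80004005'\nResponse Buffer Limit Exceeded"
SAMPLE_EMPTY = "<table><tr><th>Computer</th><th>File Path</th></tr></table>"
SAMPLE_HITS = """<table>
<tr><th>Computer</th><th>File Path</th><th>File Size</th></tr>
<tr><td>WS-0042</td><td>C:\\Users\\bob\\Downloads\\tor.exe</td><td>4,120,576</td></tr>
<tr><td>LAB-01</td><td>D:\\tools\\tor.exe</td><td>4,120,576</td></tr>
</table>"""


def hunt_urls(base="http://sccm.example/SMSReporting_ORG", report_id=123):
    """One report URL per hunting pattern (base and report_id are placeholders)."""
    return [report_url(base, report_id, p) for p in HUNT_LIST]


if __name__ == "__main__":
    for u in hunt_urls():
        print(u)
    for name, body in (("timeout", SAMPLE_TIMEOUT), ("empty", SAMPLE_EMPTY), ("hits", SAMPLE_HITS)):
        print(name, "->", classify(body, IGNORE))
```

The ignore list is keyed on (computer, path) rather than on the file name alone, so a sanctioned tor.exe on one lab box does not hide a fresh copy in a user’s Downloads folder; and a ‘timeout’ is reported as its own state rather than as ‘clean’, which is the mistake that makes an over-broad pattern look like good news.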

The web based report is cool, but it has a serious limitation. It only accepts very simple queries. You can add more fields to the form (e.g. location), but still, it will be quite difficult to use it on regular basis. This is because the inner workings of this form rely on a very simple SELECT query.

If you want more (and you should), the natural progression is therefore talking directly to the SQL Database. Once you know the DB schema you can start creating very specific queries f.ex.:

  • Show me all files added to any system that are dropped under c:\windows within last 8h
  • Show me all files dropped under user profile
  • Show me all files with a single letter file name
  • Show me all files made up of digits only
  • etc.

Using time intervals you can build automatic reports about all .exe files added within last XYZ hours. Eyeballing this may be a bit tricky (don’t be surprised to see gazillions of new .exes landing in your corporate environment every day), so implementing some ‘ignore’ lists may really come handy. In any case, the sky is the limit here and a bunch of SCCM queries ran on regular basis can become a very strong complementary detective security control. Note that you don’t need to install anything, build anything, run sweeps, etc. It’s all there, juicy data waiting to be queried.

Btw. if you are wondering why I am not providing example SQL queries it is because they will vary. Table names are usually organization-specific. If you are curious you can just google around for “sccm sql SoftwareFile” and you will find plenty of examples.
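With that caveat in mind, here is an added example (not from the original post) of the database-side hunting the bullets above describe: one narrow SQL query pulls every .exe record modified in the last N hours, and the ‘files under c:\windows’, ‘under a user profile’, ‘single-letter name’ and ‘digits-only name’ rules plus the ignore list are applied in Python. The view and column names (`v_GS_SoftwareFile.FileName/FilePath/FileModifiedDate/ResourceID`, `v_R_System.Netbios_Name0`) are an assumption to be checked against your own site database, as the post says; the example stands them in with an in-memory SQLite table holding constructed rows, and the query uses only `?` placeholders and plain comparisons so the same text also runs through pyodbc against SQL Server. Note that `FileModifiedDate` is the file’s own timestamp, not the time the inventory picked it up.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Assumed SCCM reporting view/column names; verify against your site DB.
NEW_EXE_SQL = """
SELECT s.Netbios_Name0 AS computer, f.FilePath AS path,
       f.FileName AS name, f.FileModifiedDate AS modified
FROM v_GS_SoftwareFile AS f
JOIN v_R_System AS s ON s.ResourceID = f.ResourceID
WHERE f.FileName LIKE '%.exe' AND f.FileModifiedDate >= ?
ORDER BY f.FileModifiedDate DESC
"""

# The post's example questions, as (path, name) -> bool rules.
RULES = {
    "under_windows": lambda p, n: p.lower().startswith("c:\\windows\\"),
    "user_profile": lambda p, n: p.lower().startswith(("c:\\users\\", "c:\\documents and settings\\")),
    "single_letter": lambda p, n: re.fullmatch(r"[a-z]\.exe", n, re.I) is not None,
    "digits_only": lambda p, n: re.fullmatch(r"\d+\.exe", n) is not None,
}


def stand_in_db(files, systems) -> sqlite3.Connection:
    """In-memory SQLite with the shape of the two views, for offline testing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE v_R_System (ResourceID INTEGER, Netbios_Name0 TEXT)")
    conn.execute("CREATE TABLE v_GS_SoftwareFile (ResourceID INTEGER, FileName TEXT, "
                 "FilePath TEXT, FileModifiedDate TEXT)")
    conn.executemany("INSERT INTO v_R_System VALUES (?, ?)", systems)
    conn.executemany("INSERT INTO v_GS_SoftwareFile VALUES (?, ?, ?, ?)", files)
    return conn


def new_exes(conn, now: datetime, hours: int = 8) -> list:
    """All .exe records modified within the last `hours`, newest first, as dicts."""
    since = (now - timedelta(hours=hours)).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.execute(NEW_EXE_SQL, (since,))
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur]


def triage(rows, ignore=frozenset()) -> list:
    """Keep rows that trip at least one rule and are not on the (computer, full path) ignore list."""
    out = []
    for r in rows:
        if (r["computer"].lower(), (r["path"] + r["name"]).lower()) in ignore:
            continue  # stale or sanctioned record, see the post
        flags = [k for k, rule in RULES.items() if rule(r["path"], r["name"])]
        if flags:
            out.append({**r, "flags": flags})
    return out


# Constructed inventory rows (ResourceID, FileName, FilePath, FileModifiedDate).
NOW = datetime(2015, 1, 30, 12, 0, 0)
SAMPLE_SYSTEMS = [(1, "WS-0042"), (2, "LT-ALICE"), (3, "SRV-FILE01")]
SAMPLE_FILES = [
    (1, "a.exe", "C:\\Windows\\Temp\\", "2015-01-30 09:15:00"),
    (1, "notepad.exe", "C:\\Windows\\System32\\", "2009-07-14 01:39:00"),  # outside window
    (2, "1337.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\", "2015-01-30 11:02:00"),
    (2, "setup.exe", "C:\\Users\\alice\\Downloads\\", "2015-01-30 06:30:00"),
    (3, "psexesvc.exe", "C:\\Windows\\", "2015-01-30 10:45:00"),
]
IGNORE = frozenset({("lt-alice", "c:\\users\\alice\\downloads\\setup.exe")})


if __name__ == "__main__":
    rows = new_exes(stand_in_db(SAMPLE_FILES, SAMPLE_SYSTEMS), NOW)
    for hit in triage(rows, IGNORE):
        print(hit["computer"], hit["path"] + hit["name"], hit["modified"], hit["flags"])
```

Keeping the SQL to one time-window filter and doing the pattern rules client-side is deliberate: the window is what keeps the result set small enough to eyeball, and the rules are far easier to read, extend and unit-test as Python than as nested `LIKE` clauses that differ between SQL dialects.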

While SCCM can’t be obviously as flexible as a dedicated IR solution it can give you an edge if you don’t have plans /or budget/ to deploy something more IR-centric. Apart from a typical malware / hacking angle, it may also help you to keep systems ‘clean’ for auditing purposes, discover malicious insiders, and perhaps even win a few brownie points from your management.