You are browsing the archive for Tips & Tricks.

Finding Alternate Data Streams (ADS) with HMFT

October 4, 2012 in Compromise Detection, Forensic Analysis, HMFT, Malware Analysis, Tips & Tricks

Finding Alternate Data Streams  (ADS) on the whole drive may be quite time consuming so in this quick post I will show you how to do it faster with HMFT.

As you probably know, the latest version of HMFT supports listing of basic attributes directly from $MFT – from both images and live systems. Amongst the features it currently supports is showing type of attribute and its name. Turns out, that this is enough information to find out what named DATA streams are hidden inside the FILE records – and this is essentially what ADSs are.

So…

First, let’s test how HMFT shows ADS-related data:

  • First let’s create a few sample ADSs
echo > f:\test
echo > f:\test:ads
echo > f:\test:ads2
echo > f:\test:ads3
  • Next, we run hmft over the drive and saving it to a file
hmft -l f: f_mft.txt
  • Finally, let’s see the content of the file – scroll down to see file name, first unnamed DATA attribute that is then followed by 3 named DATA attributes – ADS names:
  [FILE]
    SignatureD                    = 1162627398
    OffsetToFixupArrayW           = 48
    NumberOfEntriesInFixupArrayW  = 3
    LogFileSequenceNumberQ        = 4204637
    SequenceValueW                = 1
    LinkCountW                    = 1
    OffsetToFirstAttributeW       = 56
    FlagsW                        = 1
    UsedSizeOfMFTEntryD           = 448
    AllocatedSizeOfMFTEntryD      = 1024
    FileReferenceToBaseRecordQ    = 0
    NextAttributeIdD              = 6
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 16
      LengthOfAttributeD       = 96
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 0
      FlagsW                   = 0
      AttributeIdentifierW     = 0
      --
      SizeOfContentD          = 72
      OffsetToContentW        = 24
      --
        MFTA_STANDARD_INFORMATION
            CreationTimeQ         = 129938289425003390
            ModificationTimeQ     = 129938289502223390
            MFTModificationTimeQ  = 129938289502223390
            AccessTimeQ           = 129938289425003390
            FlagsD                = 32
            MaxNumOfVersionsD     = 0
            VersionNumberD        = 0
            ClassIdD              = 0
            OwnerIdD              = 0
            SecurityIdD           = 261
            QuotaQ                = 0
            USNQ                  = 0
            CreationTime (epoch)    = 1349355342
            ModificationTime (epoch)  = 1349355350
            MFTModificationTime (epoch)  = 1349355350
            AccessTime (epoch)           = 1349355342
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 48
      LengthOfAttributeD       = 104
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 0
      FlagsW                   = 0
      AttributeIdentifierW     = 2
      --
      SizeOfContentD          = 74
      OffsetToContentW        = 24
      --
        MFTA_FILE_NAME
            ParentID6             = 5
            ParentUseIndexW       = 5
            CreationTimeQ         = 129938289425003390
            ModificationTimeQ     = 129938289425003390
            MFTModificationTimeQ  = 129938289425003390
            AccessTimeQ           = 129938289425003390
            CreationTime (epoch)    = 1349355342
            ModificationTime (epoch)  = 1349355342
            MFTModificationTime (epoch)  = 1349355342
            AccessTime (epoch)           = 1349355342
            AllocatedSizeQ        = 0
            RealSizeQ             = 0
            FlagsD                = 32
            ReparseValueD         = 0
            LengthOfNameB         = 4
            NameSpaceB            = 3
     FileName = test
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 40
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 1
      --
      SizeOfContentD          = 13
      OffsetToContentW        = 24
      --
        MFTA_DATA
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 48
      NonResidentFlagB         = 0
      LengthOfNameB            = 3
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 3
      --
      SizeOfContentD          = 13
      OffsetToContentW        = 32
      --
        MFTA_DATA
    AttributeName = ads
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 48
      NonResidentFlagB         = 0
      LengthOfNameB            = 4
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 4
      --
      SizeOfContentD          = 13
      OffsetToContentW        = 32
      --
        MFTA_DATA
    AttributeName = ads2
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 48
      NonResidentFlagB         = 0
      LengthOfNameB            = 4
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 5
      --
      SizeOfContentD          = 13
      OffsetToContentW        = 32
      --
        MFTA_DATA
    AttributeName = ads3

 

  • Knowing all this, we can quickly put together a perl script that can walk through the data and pick up all ADS from the output file:
use strict;
my $f='';
my $l='';
while (<>)
{
  s/[\r\n]+//g;
  $f = $1 if /FileName = (.+)$/;
  print "$f:$1\n" if ($l =~ /MFTA_DATA/&&/AttributeName = (.+)$/);
  $l = $_;
}
  • Save it as ads.pl
  • Run it using the following syntax
perl ads.pl <hmft output>

e.g.:

perl ads.pl f_mft.txt

The output for the example file system is:

$Repair:$Config
test:ads
test:ads2
test:ads3

I suggest you running a test on your local drives  – you are probably going to be quite surprised :-)

Not only you may find plenty of files with ADS, but you may also get to know less-known good ADSs – many of them I have listed previously and a few more e.g. internal ADSs used by OS:

  • $Info in $UpCase:$Info
  • $Config in $Repair:$Config
  • $Max in $UsnJrnl:$Max

and also MAC-related streams (resource forks) added by Safari  (kinda equivalents of IE’s Zone.Identifier)

  • com.apple.quarantine
  • com.apple.metadata:kMDItemWhereFroms

Note on a small bug here: with a larger number of ADSs the ads.pl script will show incorrect entries as ADS attributes that don’t fit within one FILE record will be stored elsewhere and w/o FILENAME attribute, hence the associated file name will be incorrect. Some may be also stored under ATTRIBUTE_LIST that is not supported by HMFT yet.

Comments Off

Finding Smoking Gun and going beyond that – Helpful Forensic Artifacts

August 23, 2012 in Compromise Detection, Forensic Analysis, Malware Analysis, Preaching, Tips & Tricks

While I am quite critical about the idea of collecting IOCs (Indicator of Compromise) describing various malware, traces of hacking, etc in a form of hashes, even fuzzy hashes, file names, sizes, etc., etc.  I do believe that there is a certain number of IOCs (or as I call them: HFAHelpful Forensic Artifact – as they are not necessary relevant to compromise itself) that are universal and worth collecting. I am talking about artifacts that are common to malware functionality and offensive activities on the system in general as well as any other artifact that may help both attackers and… in investigation (thanks to ‘helpful’ users that leave unencrypted credentials in text files, watch movies on critical systems, etc.).

In this post, I will provide some practical examples of what I mean by that.

Before I kick it off, just a quick reminder – the reasons why I am critical about bloated IOC databases is that they have a very limited applicability in a general sense; and the limitations come as a result of various techniques used by malware authors, offensive teams, etc. including, but not limited to:

  • metamorphism
  • randomization
  • encryption
  • data (e.g. strings) build on the fly (instead of hardcoding)
  • shellcode-like payloads
  • fast-flux
  • P2P
  • covert channels
  • etc.

Notably, antivirus detections of very advanced, metamorphic malware rely on state machines not strings and it’s naive to assume that collecting file names like sdra64.exe is going to save the day…

Anyway…

If we talk about good, interesting HFAs I think of things that:

  • are very often used in malware because of a simple fact they need to be there (dropping files, autostart, etc.)
  • traces of activities that must be carried on the compromised system (recon, downloading toolchests, etc.)
  • also (notably) traces of user activity that support attacker’s work (e.g. a file password.txt is not an IOC, but it’s HFA)
  • traces of system being affected in a negative way e.g. if system has been compromised previously by a generic malware, certain settings could have been changed (e.g. disabled tracing, blocked Task Manager, etc.); they are IOCs in a generic sense, but not really relevant to the actually investigated compromise; you can think of it of these aspects of system security that place the system on the opposite side to the properly secured and hardened box; it also included previously detected/removed malware – imho AV logs are not ‘clear’ IOCs as long as they relate to the event that is not related to investigated compromise

If we talk about a typical random malware, it’s usually stupidly written, using snippets copied&pasted from many sources on the internet. The authors are lazy and don’t even bother to encrypt strings, so detection is really easy. You can grep the file or a memory dump of a suspected process for typical autorun strings with strings, BinText, HexDive and most of the time you will find the smoking gun. If the attacker is advanced, all you will deal with is a blob of binary data that has no visible trace of being malicious unless disassembled – that is, a relocation independent, shellcode-like piece of mixed code/data in a metamorphic form that doesn’t require all the fuss of inline DLL/EXE loading, but it’s just a pure piece of code. It’s actually simple to write with a basic knowledge of assembly language and knowledge of OS internals. I honestly don’t know how to detect such malware in a generic way. I do believe that’s where the future of advanced malware is though (apart from going mobile). And I chuckle when I see malware that is 20MB in size (no matter how advanced the functionality).

When we talk about IOC/HFAs and offensive security practices, it is worth mentioning that we need to follow the mind process of an attacker. Let me give you an example. Assuming that the attacker gets on the system. What things s/he can do? If the malware is already there, it’s easy as the functionality is out there and can be leveraged, malicious payload updated and attacker can do anything that the actual payload is programmed to do and within the boundaries of what environment where it runs permits. On the other hand, if it is an attack that comes through a typical hacking attempt, the situation is different. In fact, the attacker is very limited when it comes to available tools/functionality and often has to leverage existing OS tools. This means exactly what it says – attacker operates in a minimalistic environment and is going to use any possible tool available on OS to his/her benefit. If we talk about Windows system, it can be

  • net.exe (and also net1.exe)
  • telnet.exe
  • ftp.exe

but also

  • command.com
  • cmd.exe
  • debug.exe
  • makecab.exe
  • diantz.exe
  • netsh.exe
  • netstat.exe
  • route.exe
  • hostname.exe
  • sc.exe
  • arp.exe
  • shutdown.exe
  • findstr.exe
  • at.exe
  • attrib.exe
  • cacls.exe
  • xcacls.exe
  • ping.exe
  • tracert.exe
  • runas.exe
  • more.com

and OS commands

  • echo
  • type
  • dir
  • md/mkdir
  • systeminfo

and many other command line tools and commands.

So, if you analyze memory dump from a Windows system, it’s good to search for presence of a file name associated with built-in windows utilities and look at the context i.e. surrounding memory region to see what can be possibly the reason of it being there (cmd.exe /c being the most common I guess).

Back to the original reason of this post – since I wanted to provide some real/practical examples of HFAs that one can utilize to analyze hosts, let me start with a simple classification by functionality/purpose:

  • information gathering
    • net.exe
    • net1.exe
    • psexec.exe/psexesvc.exe
    • dsquery.exe
    • arp.exe
    • traces of shell being used (cmd.exe /c)
    • passwords.txt, password.txt, pass.txt, etc.
  • data collection
    • type of files storing collected data
      • possibly password protected archives
      • encrypted data (e..g credit cards/track data)
    • various 3rd party tools to archive data:
      • rar, 7z, pkzip, tar, arj, lha, kgb, xz, etc.
    • OS-based tools
      • compress.exe
      • makecab.exe
      • iexpress.exe
      • diantz.exe
    • type of collected data
      • screen captures often saved as .jpg (small size)
      • screen captures file names often include date
      • keystroke names and their variants
        • PgDn, [PgDn],{PgDn}
        • VK_NEXT
        • PageDown, [PageDown] {PageDown}
      • timestamps (note that there are regional settings)
      • predictable Windows titles
        • [ C:\WINDOWS\system32\notepad.exe ]
        • [ C:\WINDOWS\system32\calc.exe ]
        • [http://google.com/ - Windows Internet Explorer]
        • [Google - Windows Internet Explorer]
        • [InPrivate - Windows Internet Explorer - [InPrivate]]
      • possible excluded window class names
        • msctls_progress32
        • SysTabControl32
        • SysTreeView32
      • content of the address bar
      • attractive data for attackers
        • regexes for PII (searching for names/dictionary/, states, countries, phone numbers, etc. may help)
        • anything that matches Luhn algorithm (credit cards)
      • input field names from web pages and related to intercepted/recognized credentials
        • user
        • username
        • password
        • pin
      • predictable user-generated content
        • internet searches
        • chats (acronymes, swearwords, smileys, etc.)
  • data exfiltration
    • who
      • username/passwords
    • how
      • ftp client (ftp.exe, far.exe, etc.)
      • browser (POSTs, more advanced: GETs)
      • DNS requests
      • USB stick
      • burnt CD
      • printer
    • how
      • just in time (frequent network connection)
      • ‘coming back’ to the system
    • configuration
      • file
      • registry
      • uses GUI (lots of good keywords!)
    • where to:
      • URLs
      • FTP server names
      • SMTP servers
      • mapped drives (\\foo\c$)
      • mapped remote paths (e.g. \\tsclient)
  • malicious code
    • any .exe/.zip in TEMP/APPLICATION DATA subfolders
    • processes that have a low editing distance between their names and known system processes (e.g. lsass.exe vs. lsas.exe)
    • processes that use known system processes but start from a different path
    • areas of memory containing “islands” with raw addresses of APIs typically used by malware e.g. CreateRemoteThread, WriteProcessMemory, wininet functions
  • mistakes
    • Event logs
    • AV logs/quarantine files
    • leftovers (files, etc.)

Many of these HFAs form a very managable set that when put together can be applied to different data sets (file names, file paths, file content, registry settings, memory content, process dumps, etc.).

In other words – instead of chasing after a sample/family/hacking group-specific stuff, we look for traces of all these things that make a malware – malware, a weak system – weak, a hack – hack and attack-supporting user – victim.

Comments Off

Cluester – clustering as a data reduction technique

May 27, 2012 in Cluester, Forensic Analysis, Software Releases, Tips & Tricks

In this post I present a simple technique that can be quite helpful when you hit the wall during your analysis and don’t know what else to do. The idea relies on cluster analysis a.k.a. clustering. Notably, the implementation of this technique is very simple, but is hard to generalize – it depends very much on case and data. In an an example below I focus on Windows file system cluster analysis that are focused mainly on discovering minor, but grouped changes to the system – usually these are associated with a malware infection.

A typical computer forensics case deals with a tremendous amount of data and whether we analyze it in an automated fashion or walk our way through evidence manually we are pretty much wasting our time until we finally find the first clue. Purists could say here that we are not really wasting our time as we are slowly ruling out the possibilities and they are right, but I hope they will agree that such analysis are not fun. It can be quite frustrating, and more so as we know that finding that first trace of suspicious activity is what will shape further analysis – in fact it is what really kicks off the proper investigation (and this is also where the fun begins :) ).

But finding that first piece of puzzle is not a trivial task. For many reasons. If you are lucky you may find malware still running in memory, the evidence has not been contaminated, or the clues are all over the place. In many cases though, the evidence may have been already contaminated by the attackers or ‘helpful’ IT staff that cleaned up the system before the data acquisition. There may be no malware involved at all as the case is dealing with a contraband, fraud, plagiarism or other issues. Also, in many production environment there is a lot changes introduced to the system on regular basis (e.g. via system updates, transaction records, logs, etc.), often saved into separate files generating large amount of small files. Analyzing such systems can be a real nightmare (e.g. a hundreds of thousands files on a single file systems).

Over the years  investigators designed many techniques to sift through the data and adapted them into many useful tools and methodologies. We have got Timelines, Filetyping, various filtering, Least Frequency of Occurrence, and many other system- or artifact-specific analysis e.g. these of processes, registry, prefetch files etc.

A typical Windows system is a mess. Operating system files, applications, user profiles, data copied all over the place by users (often many of them), followed by the content of temp folders, cache directories, recycled folders, admin scripts, registry clutter, and production data (if it applies). And lots more.

How to reduce this data into something useful?

One easy way to make some sense of it is by using filtering e.g. by file typing. Files with specific extensions can be grouped together and such groups assessed one by one. This may work, but is also very inefficient. There could be literally hundreds of thousands files of the same file extension. There are also hundreds, often thousands of different file extensions on the system. On top of that, file extension is not necessary indicative of a file content (.exe file doesn’t need to be an executable, and pictures or executable can be stored in files with misleading extensions).

Another way to look at the file system is to realize that file system changes are logically grouped and often happen in an atomic or almost-atomic way i.e. all at once within a short period of time – forming pretty much a sequence of ‘file system updates’. These are clusters we will try to focus on here. These updates often happen on regular intervals and affect only specific paths. Knowing that one can try to build an improved timeline, based not on all timestamps, but on ranges of timestamps.

First, an example of a typical timeline is shown below – one can see that I have copied grep.exe to the system together with  Cygwin DLLs that are necessary to run the grep.exe (as it was unable to resolve dependencies). I then ran it (as see with a Prefetch files). Next, I copied sleuthkit binaries into a tools directory and ran fls.exe creating a list file that I used for the purpose of this article.

As you can see, the sleuthkit binaries form a nice cluster. The script I used to generate the listing takes into account a number of files created at the same time and if the number of files is higher than 10, it pushes the file list to the right. Under normal conditions, the script wouldn’t need to print them at all, but I do it here for the sake of clarity with a hint to the reader that such a large ‘file update’ may be potentially skipped in analysis. One can easily modify the script to either not show them at all or perhaps apply some more logic before presenting the output. Of course, completely ignoring it is a wrong idea as only by seeing the example above you can tell that I happened to drop some files on the system. Again, depends on what you are looking for, you need to define the criteria that form your clusters and push out of the sight things that are not interesting.

One simple improvement that can be made to the timeline and clustering is timestamp normalization. By normalization I mean a way to glue more timestamps together, even if they do not match perfectly. It can be done in many way, for example:  if we assume that the window of atomic operation or almost-atomic ‘file system update’  is e.g. 10 or even whole 60 seconds, suddenly we will be able to increase our ability to assign more entries into a single cluster. More entries in a cluster, more chances for it to fall out of sight.

In my example above, merging the entries that fall within 60 seconds time window makes all grep-related artifacts be fall into one cluster:

The first column is a normalized timestamp (normalized to minutes i.e. 60 seconds), then actual timestamp, then path.

Clustering is a very interesting technique, yet it would seem not widely used. Applied on top of a timeline it could help reduce the amount of data for manual review and most importantly – may immediately highlight suspicious artifacts based on specific criteria. As I mentioned earlier, in the example above I decide to remove from the view all these entries that form the clusters of 10 or more files. This is arbitrary, but doesn’t have to be. It would be certainly helpful in finding malware, as malware rarely drops more than 10 files on the system, yet it would not helpful finding stashed content that has been copied in bulk. A lot more research is needed to find out how to utilize this technique widely and perhaps generate scenarios that can be converted into usable ‘dynamic smart filters’ that can be applied on top of any data.

The following things may be taken into consideration:

  • various artifacts (on top of timeline across the whole system)
  • various timestamps (one can run cluster analysis for all creation, modification, access, entry creation times)
  • various criteria can be used – across file system, or just directory, or directory and subdirectories
  • less utilized timestamps e.g. timestamps extracted from Portable Executables – these that stand out need to be looked at (standard system binaries are usually precompiled with a specific timestamp or their range)
  • not only timestamps and timelines can be used; e.g. image base of Portable Executables is also a good candidate for finding executables that stand out

The data can be manipulated and analyzed in many ways and ideally there should be an easy way to play with clustering parameters – I am not aware of any interactive tool that could do that in a generic way, but even simple toying around with Excel or a simple script can help here. If you know any free software that already does it, I would appreciate if you let me know.

Last, but not least, before even clustering is applied, one can remove entries using known techniques e.g. clean file hashes, known clean full paths, as well as data obtained from installer analysis extracted from case (run, collect data about file paths, apply as a whitelist), and other data that has a low chance for being interesting (e.g. directories outside of typical scope of system/user activity).

If you want to toy around with the idea, you can download Cluester – an example script that I used for this post.

It can be downloaded from  here.

It works on data obtained from running fls on NTFS system:

    fls -lrm <drive> -i <type> -f <type> \\.\<drive> > <output>

e.g.
    fls -lrm f: -i raw -f ntfs \\.\f:  > list

Update: 2012-05-28

Fixed typos, grammar mistakes, polished it a bit (that’s what happens when you write posts at 2am ;) .

Comments Off

The Curious Case of the Forensic Artifact

May 2, 2012 in Forensic Analysis, Tips & Tricks

Back in March Harlan asked on Twitter if anyone has any information about a Registry value called TrapPollTimeMilliSecs. It triggered my interest and I decided to do some research.

If you run a quick google search on it, you will find lots of AV reports listing it. At this stage it is tempting to quickly draw a conclusion that it might be used by malware. I was not convinced though and researched it further. Few minutes later I was able to provide some (hopefully) reasonable explanation what creates it.

It crossed my mind today that it may be beneficial to explain what I did, so that it will be easier for other investigators to find out what is the source of similar artifacts (if a similar question pops up in the future).

The location

The TrapPollTimeMilliSecs REG_DWORD value is a located under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters

and is by default set to

TrapPollTimeMilliSecs = 15000 (0x3a98)

but it doesn’t necessarily exist on a typical system.

The explanation

The TrapPollTimeMilliSecs registry value is set/queried by a DLL called inetmib1.dll, and more precisely, by its exported API called SnmpExtensionInit API. This API is used by only two executables:

  • arp.exe
  • netstat.exe

(it could be also used by other tools of course, but these are the only ones that popped up during the research on OS-specific files only)

Once I found out what .exes are responsible for the artifact, I quickly verified it dynamically:

One important thing to note is that the value is created only if these executables are ran from elevated cmd.exe (on systems requiring it).

According to Microsoft’s information about SnmpExtensionInit:

The Microsoft SNMP service calls the SnmpExtensionInit function to initialize the SNMP extension agent DLL. This function is an element of the SNMP Extension Agent API.

I would assume both netstat and arp being network utilities use the functions to talk SNMP to devices on the network, but my knowledge on SNMP internals is too limited to conclude anything here. Still, this is most likely enough information to rule out this artifact from the investigation (and especially if there are prefetch files for arp.exe and netstat.exe on the system).

The recipe

Prerequisites:

  • Generate strings for all files inside your windows and system32 directory e.g. use simple extension e.g. *.s to store the strings
  • Best to keep them as a copy of all files, together with the strings so you can play with the files w/o risking destroying your Windows/system32 directory by accident (shouldn’t normally happen, because of Windows File Protection/ACLs, but well… always work on a copy of the evidence :) )
  • if you have more Windows versions available, run strings on all versions and keep them in separated directories as well

Once you have it in place do as follows:

  • Search (grep/findstr) all *.s for the string you are looking for e.g. TrapPollTimeMilliSecs
  • This will narrow down the scope to the list of DLLs/EXEs that create the artifact
  • Load the suspected binaries into Disassembler e.g.  IDA Pro a.k.a. the god of all disassemblers
  • Find references to string (can be multiple occurrences)
  • Skim/analyze the code to confirm the data is used by registry functions (and maybe how)
  • Profit (or create meme)

For a very specific (unique name) value it is a pretty quick procedure, a few minutes or so.

Apart from playing around with OS binaries, you may also download ReactOS – grepping its source code is one of the best way to understand internal workings of Windows and find how certain artifacts are created (notably, they may be not 100% compatible with Windows, but may give you hints where and what to search for).

Comments Off

Wasted Human cycle a.k.a. How dns-ok.us, dns-ok.de, etc. work

March 1, 2012 in Tips & Tricks

I came across these web sites while reading news about dnschanger and shutting down the DNS servers that used to be controlled by it. I was curious how it works, so decided to figure it out. Previously (for Conficker for example) this sort of pages just included IFRAMEs pointing to web addresses that were known to be blocked by modified hosts files, e.g. pages of AV companies. If any of these were blocked, you would know there is something going on with your system.

In this case it’s different. the page is static and just shows either in

GREEN

or

RED


I guessed it may be a change in DNS resolution that is different depending on your DNS settings – if the request goes through the ‘bad guy’, the server will return the ip for the red page, if your settings are good, it will return the green page.

Indeed, this is the case and you can confirm it via nslookup.

nslookup dns-ok.us
Name: dns-ok.us
Address: 38.68.193.96

nslookup dns-ok.us 77.67.83.1  <– 77.67.83.1 is a ‘bad guy’ DNS
Name: dns-ok.us
Address: 38.68.193.97

Check

 

Not a rocket science.

When I found out, I googled for IPs and lo and behold, I immediately spotted a comment from a guy using nick ‘TEA-Time’ talking about it few weeks back on Brian Krebs’ blog: https://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/

Argh.

Here goes yet another wasted human cycle.

So this post is for you not to waste yours :-)

Comments Off

RUStrings – extracting Russian strings from files

February 25, 2012 in Malware Analysis, Software Releases, Tips & Tricks

Running typical ‘strings’ tools over a suspicious file provides lots of useful information.The output typically provides an immediate clue what the file’s purpose is e.g. is it a text file, binary file, what is its file format, character encoding, is it compressed, what APIs , file names and URLs it is referring to and so on and so forth. If you are lucky, you may sometimes get a visual output as well e.g. an ASCII art as it is in a case of well-known web shell r57.

RUStrings0

Now, the problem with ‘strings’ tools is that they are usually monolingual. They extract English strings in ANSI and Unicode format, but forget about other languages. That is, they are unable to recognize strings that are non-English. Of course, it is non-trivial to write a tool that will recognize strings in a few dozens of languages, as they all use various types of character encodings and each character can occupy not only a single byte, but in many cases multiple bytes.

RUStrings.pl is a simple perl script that tries to address this issue and while it focuses only on Russian strings, it can be relatively easily extended to cover other languages. The strings it extracts include

  • ANSI
  • Unicode
  • 4 different Russian character encodings

The output will contain Cyrillic characters and has to be viewed with a proper program supporting various character encodings.

Compare the following:

  • obtained via ‘strings’:

RUStrings1

and

  • via ‘RUStrings’:

RUStrings2
In case you are wondering what tool I am using to preview these – it is Total Commander’s built-in Lister viewer – it has a very cool feature that allows changing the character encoding on the spot making Cyryllic (and others) characters ‘visible’.

Download

Comments Off

Extracting Strings from PE sections

February 21, 2012 in Malware Analysis, Tips & Tricks

One of the first things we do when we analyze malware is strings extraction. This is a good approach, but there is a problem – neither Sysinternals’ strings nor UNiX/cygwin version provide an ability to extract strings from a specific PE section. Being able to extract strings this way may be handy. It may simplify static analysis and even more importantly, it  helps to avoid noise coming from bad strings. Examples of bad strings are sequences of machine instructions coming from a code section that are interpreted as actual strings. The same goes for ‘strings’ from resource section. This part of file often contain bitmaps, icons and other data that often holds a lot of data that ‘looks’ like strings. We may not want to see these in the output.

So, having an ability to extract strings from each section separately would be certainly helpful. There are many way to do so – if you like to code, you can write your own script.

Or…You can just use a simple method presented below.

It turns out that 7zip has an ability to extract sections from PE files. It is available from both GUI and command line. GUI is option is straightforward, as per the command line, use the following:

“c:\Program Files\7-Zip\7zG.exe” x <filename> -osections

Example for Notepad.exe is shown below. Note that 7zip also extracts resources into a subdirectory – another handy feature.

We can now extract strings from .text section only:

Note:

There are executables for which extracting strings from specific sections won’t help and may even make you miss something or draw wrong conclusions; these include Borland applications (code and data is mangled together), position-independent code (shellcodes, viruses, code injects), etc.

Comments Off