Tuesday, August 21, 2007

Hunting Me up a Malware File

I had been on our home desktop system off-and-on for most of the morning.

Lavie and I had run to a doctor's appointment and Alvis stayed home, eschewing the joys of our family physician's waiting room.

When I returned back to the PC later that night, I noticed that AVG-Free had unloaded.

Hmmm.

So I fired it back up and looked for any new updates. Sure enough, it found one which I installed.

I've noticed that, depending on the type of update offered, AVG might sometimes shut down and not reinitialize, so I didn't get too concerned.

But, for good measure, I went ahead and ran a manual scan of the system.

Danger!!! Will Robinson, Danger!!!

Imagine my surprise when midway into the scan it indicated an infected file had been located.

The path indicated it was in my Firefox cache.

Hmmmm.

I opened up Windows Explorer and went looking for it. But it wasn't displayed where it should be.

Maybe it had been quarantined by AVG? No. Not yet.

I opened up a command-line box and ran a recursive search in the cache folder for the target filename.

dir *128ACFDDd01* /s

Bingo!

128ACFDDd01

There it was right in my command-line window; just super-hidden with its file attribute settings.

Never a good sign.

It was 21,335 bytes in size and didn't have a file extension.

I copied the file to a USB stick for safe keeping then manually deleted the file from the cache location while AVG was still scanning.

First Response

I immediately fired up AutoRuns, Process Explorer, and both VStat and CurrPorts. My goal here was to inspect my system for any unfamiliar running processes, newly added auto-run entries, and look for any unexpected network connections. All passed clear.

I also ran RootkitRevealer and it came back with a clean bill of health.

Lastly, I hit the system with several Anti-Malware Tools that I keep handy. All came back with clean results except for some expected nuisance cookies.

Whew. But what the heck happened?

Question One: What is it?

The next thing I did was to see if the file in question had any identifying properties or "strings" in it that might help me.

I ran Safer-Networking's FileAlyzer application to look inside.

What I found appeared to be JavaScript code wrapping an obfuscated and packed section.

I've got a number of links that give tips on how to address these things:

Right now I don't have the patience or time to work through these exercises on the file, but maybe later I will try.

I sent it off with a request for review to the SANS-ISC handlers in the hopes they were bored and might want to look into it for me. I'm still awaiting a (hopeful) response.

Question Two: What Say Other AV Companies?

I uploaded the file to jotti, vtotal, Norman SandBox Information Center - SandBox Live, and Sunbelt CWSandbox.

Jotti and vtotal only found two engines that identified it; AVG and AntiVir. Unfortunately, neither had any additional information regarding the exploit itself or any helpful details.

I uploaded it to AntiVir's website. They responded that they are taking a closer look at the file in their labs and might get back with me on it. It appears that it showed up there based on heuristics-based scanning, and not from a signature.

Norman and Sunbelt's responses were both negative as well. I might try resubmitting it with a .js file extension to see if that helps it to trigger/execute better on their platforms.

Question Three: When and How Did it Arrive?

Because it was located in my Firefox cache, I knew it was very likely it came from there during the course of browsing activity.

I checked my history and indeed saw some web-activity for some sites that I hadn't been on, but looked like Alvis had while we were out.

Nothing bad or forbidden...mostly just MySpace stuff.

Unfortunately, the history sidebar in Firefox isn't really helpful for tracing specific time/datestamps. It will order them in various arrangements, including "Last visited" but that wasn't detailed enough to allow me to match the file with the website visited.

I opened up the Firefox history.dat file in Notepad hoping for more detail in there. But while it contained some information, it wasn't really in a format to make it easy for review.

Was there a way to better audit the history.dat file?

Yeah, Buddy!

DORK 0.0 - Utility to Audit Firefox History

I found a tiny almost unknown gem of a program (freeware) for auditing the history.dat file in Mozilla:

It is called DORK 0.0 and was coded by Keith Anderson.

A great writeup about the tool can be found on the following website:

Redmond | Print: Easy Firefox History Audits

The link on that page for the download was bad, but the writer of the story, Chris Wolf, has a blog as well and he provides a link there that works: Auditing Firefox History at ChrisWolf.com

It is a breeze to use. Just download and extract the file. Then copy the history.dat file into the folder. Run the exe file and drag the history.dat file onto the application window. It will save the file under the name history.txt in a delimited format.

Open in a spreadsheet program (I used "import data" in Excel) and you can see the following information:

  • URL
  • Number of times visited
  • Date and time of first access
  • Date and time of last access

Comparing the timestamp on the file properties to the time/date properties listed I narrowed the likely site down to a handful. However no smoking gun yet.

Time to Question Alvis

Alvis and I have a pretty awesome relationship. I explained what I had been doing, that she wasn't in trouble and hadn't done anything "wrong" but needed some info.

Over our conversation, she confirmed that she had been on MySpace at the time in question. That was fine. She is allowed to.

Yes she had in fact noticed that AVG had "choked" but didn't think much of it at the time.

Yes, Firefox (NoScript?) did pop up a red warning message and then went away, but she also didn't think much of it at the time.

In fact, she volunteered, one of her buddies had to recently wipe their MySpace page clean as it kept generating virus warning messages. (Interesting fact, but probably not directly related to this adventure.)

So, now I knew when and who, but what site and link was it, specifically, that triggered the download?

Looks like encouraging Alvis to use Firefox and the add-ons I have installed did their job.

Back to the Cache

Feeling confident that this file was the only "dangerous" one on my system, and that it was JavaScript based, I figured that as long as I didn't execute the script I should be OK to proceed.

(I suspect that it might not even work in Mozilla, and only in Internet Explorer...but can't confirm that.)

I placed the copied file I archived back in the cache folder.

Then I opened Firefox and typed "about:cache" in the address bar.

I selected the link to "List Cache Entries" and all the items were displayed.

At first I tried searching for the date, but didn't find any exact matches.

Then I decided to search just by the filesize value.

Bingo!

Key: http:// <snipped> .com/jjebb.js
Data size: 21335 bytes

Fetch count: 1
Last modified: 2007-08-18 16:25:47
Expires: 1969-12-31 18:00:00

The only match. And the datestamp time was very close (by a second) to the file datestamp. Nothing else was close.

I asked Alvis about the website name and she had loaded a script to her MySpace page from that site to enhance her "comments" box.

As she hurried to remove it from her MySpace page from her Linux pc, I turned my attention to the domain.

A Google search turned up the following entry right under the site name listed on the Google Search Results:

This site may harm your computer.

Not a good sign.

The website in question is one of many that provide MySpace layouts and graphics to folks for free.

I'm choosing not to name the site domain in particular at this point until the file itself is unraveled and I can determine what it REALLY does; I don't want to indict the possibly innocent.

Lockdown Response

Alvis called her MySpace buddies and warned them to pull the newly added component off their pages (it warms my heart!).

I re-deleted the file out of the cache manually, and emptied my Firefox browser cache totally for good measure.

I added some blocks to my HOSTS file for the domain in question, but decided that might not be strong enough, as pages under that domain might still load.

So I opened up my router's configuration window and made some custom DENY filtering rules for all domains AND URLs that contained that domain name.

I tested it and it works like a charm. Blocked.

I use OpenDNS and they also support a neat blocking feature: OpenDNS Blog » Block the bad guys with OpenDNS!

Since I blocked the sites at the router level, I didn't need to tinker with that method, but it may be an option. Many software-based firewalls also let you specify specific IPs or domains to block.

So now all our laptops and PCs were safe from future access to that site, by accident or on purpose, at the router level.

Laptops....? Am I forgetting something?

OH! Better check all our other systems as well.

Alvis's Linux box didn't have the file on it anywhere.

Our XP Home laptop did indeed have the same file, though this time named 2910CFDDd01.

I now suspect that there is some random filename generation with the first several characters, though the CFDDd01 part was the same. Filesize and contents were exact matches.

So I cleaned that one off that laptop as well.

No evidence at all of the file on the Vista notebook.

All looks clean again in the Valca computing environment.
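The cache hunt above (the recursive search for the super-hidden file, the about:cache match by size and timestamp, and the check of the other machines for a copy with a different prefix but the same CFDDd01 suffix) can be done in one pass with a short script. This is an added example, not something from the original post or from DORK; the history records, the sample cache tree and the placeholder domain layout-site.example are all constructed here, and the "payload" is harmless filler bytes.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed history records (url, last visit) standing in for DORK's
# history.txt output; the domain is a placeholder, not the site from the post.
SAMPLE_HISTORY = [
    ("http://www.myspace.com/", datetime(2007, 8, 18, 16, 20, 3)),
    ("http://layout-site.example/jjebb.js", datetime(2007, 8, 18, 16, 25, 47)),
    ("http://www.google.com/", datetime(2007, 8, 18, 17, 2, 11)),
]

def find_cache_files(root, name_suffix, size_bytes):
    """Walk root (os.walk lists hidden/system files, unlike a plain dir) and
    return (path, mtime) for files ending in name_suffix of the given size."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.endswith(name_suffix) and p.stat().st_size == size_bytes:
                hits.append((p, datetime.fromtimestamp(p.stat().st_mtime)))
    return hits

def sha256_of(path):
    """Hash the file so copies found on other machines can be confirmed identical."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def correlate(file_mtime, history, tolerance_s=2):
    """History entries whose last visit is within tolerance_s of the file mtime."""
    tol = timedelta(seconds=tolerance_s)
    return [(url, t) for url, t in history if abs(t - file_mtime) <= tol]

def build_sample_cache():
    """Constructed cache tree: two copies with the CFDDd01 suffix and the
    post's 21,335-byte size (filler bytes, not the real script), one decoy."""
    root = Path(tempfile.mkdtemp(prefix="ffcache_"))
    payload = b"A" * 21335
    when = datetime(2007, 8, 18, 16, 25, 46).timestamp()
    for sub, name, data in [("A1", "128ACFDDd01", payload),
                            ("B2", "2910CFDDd01", payload),
                            ("B2", "FFFFCFDDd01", b"B" * 100)]:
        d = root / "Cache" / sub
        d.mkdir(parents=True, exist_ok=True)
        (d / name).write_bytes(data)
        os.utime(d / name, (when, when))
    return root
```

Run find_cache_files against the real cache folder and feed each hit's mtime to correlate with the rows exported from history.txt to get the same "only match" the about:cache search gave.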

Final Thoughts

  1. Alvis didn't do anything "wrong" and in fact I think she did many things right.
    • She uses Firefox exclusively, per my encouragements.
    • We maintain an honest and open dialog regarding her pc usages.
    • She notified her friends of the problems she encountered and encouraged them to drop the layout additions in question.
  2. I reacted immediately with suspicion when I noticed a security component (my av scanner) was not running as expected.
  3. I know what should "normally" be running, process- and auto-start-wise, and was able to confirm nothing unexpected was present.
  4. Using the NoScript add-on may have prevented the malicious JavaScript from executing in the first place and doing any harm.
  5. I examined the file and noted the key information as to its strings and properties.
  6. I kept a copy of all the questionable files safely tucked away in a password encrypted ZIP file.
  7. I sent the file to several virus scanners on-line to verify it wasn't a false positive. It wasn't.
  8. I made sure all my AV DAT files were current and scanned all of my systems, just to be safe. Found it on two of them.
  9. Since I can't always be around to keep an eye on known dangerous sites, accidentally stumbled upon, I CAN hard-code them into my router's settings to filter them for us.

This highlights a potential danger that some parents need to keep in mind with their MySpace connected kids; dangerous code.

Alvis doesn't understand "code" but she is smart enough to follow instructions on adding code to her MySpace template. It could be pretty easy for malicious code to be offered to a youngster, and they could then, unintentionally, cross-infect or spread the code to other friends and their families' home PCs.

In the process Alvis and I got to have a great learning experience together, and I uncovered what may be a hidden gem of a utility for examining Firefox history.dat files.

Not a bad, bad experience after all.

Stay Safe.

--Claus

2 comments:

Mike, Nicki, and Josh said...

Sounds like you've got a smart kid there. Kudos to you parents, too. I'm off to check out Chris Wolf's blog.

Mike

. said...

If you are having trouble finding Dork History Reader / Dork 0.0 like I was, I have hosted it myself. Go here:
http://www.blackcatgeek.com/tech.html