Monday, August 13, 2007

Mandiant Red Curtain - Incident Review Software


Earlier this week I spotted a brief post over on the SANS-ISC Handler's Diary: Interesting new tool.

Handler Jim Clausing had discovered that computer forensics company MANDIANT had unveiled a new (free) software utility called Red Curtain.

For some reason I now have an image of Nicole Kidman swinging on her swing in Moulin Rouge. Go figure.

Lifting the Red Curtain

Briefly, what this tool does is to scan a file or folder and score the scanned executable files therein based on criteria MANDIANT programmers feel (in combination) are indicative of suspicious files.

It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat "score." This score can be used to identify whether a set of files is worthy of further investigation.

Red Curtain isn't meant to be a signature-based response to file analysis. It doesn't do that.

MANDIANT wants you to use their tool after you have scanned a workstation and/or files and/or folders using your kit of anti-virus, anti-malware, and other anti-ware tools and utilities. It doesn't provide any "protection" in the normal sense of the meaning; instead it is a utility to investigate the presence of additional files that may not be detected by normal means but still are worthy of a closer look by incident responders.

MRC attempts to help the Good Guys by providing a way to analyze files for properties that may indicate packing, encryption, or other characteristics that "just don't look right." While it can't magically "Find Evil", it can significantly narrow the scope of analysis. Think of it as a good tracker, helping you side step those caltrops and read the double-backed footprints on a trail.

It attempts to highlight files that may be passed over or attempt to hide in plain sight. A useful approach.

Red Curtain can be deployed in a Console version which is installed on a system as well as an Agent mode which delivers a command-line executable file for "roaming" scans on target workstations. This is a very nice combination.

System Requirements

Red Curtain Console requires Windows XP or higher, .NET Framework 2.0, and sufficient RAM and free disk space. The RAM noted is 1GB but I suspect it can run on a system with less than that.

Red Curtain Agent requires Windows 2000 or higher, 256 MB RAM (minimum) and sufficient disk space for the program and any log files that are generated.

Installation

I downloaded the Red Curtain ZIP file installer file and unpacked it.

I already had .NET installed so no problems were encountered there.

I then ran the installer which requested (but did not require) registration. Once all the files were copied and installed I went to work.

First Run

Eschewing for the moment reading the manual, I fired it up and was met with a simple window and the choices of File, Edit, Options, and Help.

Under "File" I found I could scan a folder or file, or deploy the scanning agent. I can also export the results (row or all) as a .csv file which is handy, or save the entire thing as an XML log file. You can also go back and open a previously saved log file.

The "Edit" drop downs allow you to copy a single row of results or all the displayed rows of results. These can then be pasted into various office-software type programs that support tables/cells.

The "Options" drop down allows you to pick your columns for display: Score, File (path/name), Size, Entry Point Signature, Entropy, Code Entropy, Anomaly Count, Signed?, Details button, as well as three optional file information columns for Created, Modified, and Accessed times.

The "Help" drop down provides you with a fantastically detailed Help file and the obligatory "About" version information.

I first picked a single file in my download pile and ran Red Curtain. The scan-time was very fast and the results came back with a nice green box and a low score. I knew the file was safe so that was expected.

Next I ran it against a folder containing 92 executable files and it performed the scan in about 1-2 minutes. Only one file was flagged red with a higher score. It was just the autoupdater file for Spyware Blaster (a great freeware program by the way) so it was safe as well, but something about the higher entropy ratings triggered the code-red.

Details, Details

If you want to investigate the file more, click the "details" button on the corresponding row.

You will then be able to view some code data on the file itself. The Sections area shows various items such as the section size, type, characteristics (read, execute, code) and the entropy code calculated by Red Curtain.

An Imports area shows the files that are imported into the file, and function calls.

Then there is an "anomalies" area that will list any potential issues detected by Red Curtain.

MANDIANT's Entropy Focus

I'm not a programmer or even a highly trained incident responder or forensic specialist.

I am usually a first-responder when we discover unusual or highly malignant malware or other issues on our workstations. I have to try to quickly determine what it is we are looking at, why it is behaving the way it is, determine if it is harmful or benign, and if harmful, why it is there and how to get it off. Finally I will need to prepare a wider-response report to instruct our team on how to clean and respond to the file(s) in question.

So I just have to take MANDIANT's explanations on why their product is designed the way it is. The Help file goes a long way to doing just that.

One of the fundamental properties of encrypted, compressed, or obfuscated (depending on the method of obfuscation) data is its entropy (or "randomness") tends to be higher than that of "structured" data, such as user generated documents and computer programs. A measure of entropy isn't a sure-fire method for identifying malware or the Bad Guy's hidden data store. A valid user may have encrypted, or more commonly, compressed, information stored on a computer system. However, looking at entropy does provide an excellent filter when you are faced with a multi-gigabyte data reduction problem.

(snip)

MRC implements a unique sliding-window method for determining the entropy of a file, which makes it useful when analyzing a large block of data that may have small sections that have highly random data, and are therefore potentially interesting to the investigator.
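A generic sliding-window Shannon entropy scan, added here to illustrate the idea in the Help file excerpt above. It is not MANDIANT's algorithm or code; the window size, step, 7.0 bits/byte threshold and the constructed sample buffer are assumptions chosen for the demonstration.

```python
import math
import os

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def window_entropies(data: bytes, window: int = 1024, step: int = 256):
    """Yield (offset, entropy) for each window sliding over data."""
    if len(data) <= window:
        yield 0, shannon_entropy(data)
        return
    for off in range(0, len(data) - window + 1, step):
        yield off, shannon_entropy(data[off:off + window])

def high_entropy_regions(data, window=1024, step=256, threshold=7.0):
    """Merge overlapping windows above threshold into (start, end, peak) spans."""
    regions = []
    for off, h in window_entropies(data, window, step):
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:
            start, _, peak = regions[-1]
            regions[-1] = (start, off + window, max(peak, h))
        else:
            regions.append((off, off + window, h))
    return regions

def build_sample() -> bytes:
    """Constructed sample: structured filler with a 4 KiB random blob inside."""
    filler = b"push ebp; mov ebp, esp; call printf; ret\n" * 1600  # ~64 KiB
    blob = os.urandom(4096)  # stands in for packed or encrypted data
    return filler[:40000] + blob + filler[40000:]

if __name__ == "__main__":
    sample = build_sample()
    print(f"whole-file entropy: {shannon_entropy(sample):.2f} bits/byte")
    for start, end, peak in high_entropy_regions(sample):
        print(f"high-entropy span {start:#x}-{end:#x}, peak {peak:.2f}")
```

The whole-file figure stays low because the random blob is under 6% of the buffer, while the windowed scan isolates its offset range. That is the case the excerpt describes: a large block with a small, highly random section.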

Then Red Curtain looks for valid Digital Signatures for the executable files, PE (portable executables) Structure Anomalies, imports from other files on the system, and section permissions of code that can be read or contain executable code.

Red Curtain considers all these code elements and then generates a threat score for potential evilness.

0.0 - 0.7 - Typically not suspicious, at least in the context of properties that MRC analyzes.

0.7 - 0.9 - Somewhat interesting. May contain malicious files with some deliberate attempts at obfuscation.

0.9 - 1.0 - Very interesting. May contain malicious files with deliberate attempts at obfuscation.

1.0+ - Highly Interesting. Often contains malicious files with deliberate attempts at obfuscation.

It is an interesting approach and one I haven't encountered before.

The results are very easy to interpret, even for a non-coder.

Roaming Mode

I like "portable" applications I can run off a USB stick on a target machine and not have to install. Especially in utilities, anti-malware tools, and incident response software.

So while I was a bit turned off by the high requirements and installation needed to get the Red Curtain Console going, it was refreshing to see that MANDIANT's developers think along those same lines and provided a "portable" version of the tool as well which doesn't require installation or even the .NET framework be present on the target machine.

This makes scanning and report collection of findings very simple. Me Likey!

Just open the Console version and select "File, New, Deploy Scanning Agent." Done.

This copies four required files into the specified folder.

To use the Roaming Mode agent, copy the folder to a USB device or the target workstation.

Then open a Command Prompt window. (Sorry but that's the breaks!)

The command line string seems pretty involved, but is simpler than it looks.

Usage:
mrcagent epcompsigs eppacksigs roamingsigs [[-r] <Dir> | <File>] <Output File>
where: -r is recurse through subdirectories [off by default]

Example:

D:\mrcagent>MRCAgent.exe epcompilersigs.dat eppackersigs.dat roamingsigs -r c:\windows\system32 myoutput.xml

In this instance the Agent will collect an analysis of all directories and files within c:\windows\system32 and store it within d:\mrcagent\myoutput.xml.

I'd actually recommend just keeping a text file with the above sample in the same folder then doing a little copy-paste ninja work until you get the command line requirements down.

The Roaming Mode agent runs very fast as well and makes fairly short work of the folders. Speed will vary depending on system performance and file/folder sizes.

When you are done, collect your log file and examine away! (Although I would probably recommend using the Red Curtain Console application to open and view the output xml file if it is even moderately large. My Internet Explorer 7 nearly choked to death trying to process a scan of my system32 folder results while the Red Curtain Console had it opened in seconds despite having over 4000 records.)

Real-World Usage

Here is how I plan to use Red Curtain in an incident response that I would be tasked to:

1) I almost always first isolate the system from the network (say by pulling the network cable).

2) I then like to run (from CD media) Process Explorer, Process Monitor, Autoruns, and usually at least one utility to check open and listening network ports. Having considerable experience with the standard items expected on our workstations, I can usually pick out something "out of place."

3) I would run the usual battery of anti-virus and anti-malware scanning utilities as well as check the logs for any prior history of alerts from those enterprise-class anti-virus applications we run "real-time" on our systems.

4) Assuming that all these have been passed, any anomalies noted and captured for review in the lab, and any other issues dealt with using my l33t secret State Incident Responder Sauce™, I would then probably turn to a final check of the system using Red Curtain.

5) Any highly-scored and red-tagged files I would likely examine a bit more closely for strings and other possible clues. Maybe do some Google work. Finally I would ice the cake by uploading them to online scanners such as Jotti or Vtotal as well as Sunbelt CWSandbox and Norman SandBox Information Center - SandBox Live.

Heck, I have a whole list of Online System Security Scanners worth trying the suspect file(s) out on.

Final Thoughts

I'm very excited about the possibilities this utility will provide in the never-ending malware race.

It is a well-designed product that has a very simple interface that belies its heavy-power-packing punch.

While not a "protection" tool, and requiring a bit of expertise and experience from the examiner who is using it, MANDIANT's Red Curtain looks like it can provide quick and helpful information to those of us who are less code-experienced and draw our attention to files worthy of a closer look.

Highly Valca Recommended!

--Claus

2 comments:

H. Carvey said...

Quick comment...have you tried openports.exe or tcpvcon.exe instead of cports.exe for process-to-port mapping?

Just curious...I've found that openports.exe doesn't work in all instances on Win2003...

Harlan
http://windowsir.blogspot.com

Anonymous said...

Hi Harlan,

I haven't tried openports, but have used tcpvcon ( Tcpvcon, TCPView ).

I also use VStat, and Essential NetTools.

I generally use them when I am responding to a hot machine that has shown up on our virus/trojan report list before I start cleaning to make sure I note anything out of the ordinary.