Saturday, January 17, 2009

Security and Forensics Roundup #4: Eyes on you

Alvis got a major teen upgrade last month.

We moved our old TV out of the bedroom and into her room.

I haven’t had time to run a cable line from a junction box to it just yet, but she is diligently reminding me that I promised to address the lack of visual connectivity this weekend.

So I prepare for a trip to Lowe’s.

As much as I like watching the new LCD TV as a family, this might get me the extra wiggle room needed to catch up on some classic movies I’ve so far been unable to watch due to a lack of control on the remote.

While I am working out the cable-runs, I thought I would toss these security and forensics tidbits your way to snack on.

Just chew quietly… wouldn’t want to get on the bad side of any librarians.  They work hard to keep us safe!

Web Watching

BartZilla has been hard at work recently.  He dropped me a line that he has puzzled out just how Firefox 3’s “safebrowsing” functions in both regular and “private-browsing” mode.

I am seeing a number of short-linked URLs lately in comments.  TinyURL is one of many services that takes a really long URL and shortens it.  This makes it much easier to copy/paste to a user.  However, it also masks where the link actually goes, which could turn out to be a malicious web URL. – What’s behind that short URL? took a look at these issues and recommended a great Firefox add-on that promises to expand a short URL back to its full-length splendor.

  • Long URL Please – Firefox add-on.  Supports 32 different short-URL services, so you don’t have to worry about being tricked by a mysterious short URL.  It shows you the destination; it does not tell you whether that destination is safe, so the usual judgment still applies.

Hidden IP Addresses Not Hidden Anymore – This post isn’t really that new.  Security wonks have known for years that anonymizer services can be seeded or tricked into “decloaking” a user’s actual IP address using a number of techniques.  They bring attention to a new write-up of one tool in particular.

Security and the Net has published a superb write-up of the newly updated Metasploit decloaking engine, which is used to determine the original (supposedly anonymized) IP of a connecting machine when that computer is tunneling its network communications through an anonymous proxy.  More information regarding the capabilities of the Metasploit Decloaker, and how it finds the original IP even with an anonymous proxy server running, appears after the jump.

If properly configured, one can still use these anonymizing tools to hide an IP address with reasonable certainty.  But that takes more work than casual users of these utilities are likely to put in: the decloaking tricks work by getting something on the client (a DNS lookup, a Java or Flash socket, a document that fetches a remote resource) to talk to the server outside the proxy tunnel, so every one of those channels has to be blocked or routed through the proxy too.
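To make the mechanism concrete, here is an added example (my own illustration, not Metasploit’s code) of the server side of a decloak: each visitor gets a unique token, the token is planted in a DNS name and in a direct-socket payload, and the server correlates every channel in which the token shows up.  Whatever address arrives that is not the proxy’s is the leak.  The log lines, the `decloak.example` domain and the addresses are constructed for the example.

```python
"""Correlate a decloaking token across channels that may bypass the proxy."""
import re
from collections import defaultdict

# Constructed sample logs (not real traffic). 203.0.113.9 is the anonymous
# proxy. Token a1b2c3: the DNS lookup and a Java/Flash socket come straight
# from the client. Token d4e5f6: only DNS leaks (in practice the DNS source is
# the client's recursive resolver, which still narrows things down a lot).
# Token 778899: a client that routes DNS through the proxy too; nothing leaks.
HTTP_LOG = [
    '203.0.113.9 - - [17/Jan/2009:10:00:01] "GET /probe/?id=a1b2c3 HTTP/1.1" 200',
    '203.0.113.9 - - [17/Jan/2009:10:00:05] "GET /probe/?id=d4e5f6 HTTP/1.1" 200',
    '203.0.113.9 - - [17/Jan/2009:10:00:09] "GET /probe/?id=778899 HTTP/1.1" 200',
]
DNS_LOG = [
    '17-Jan-2009 10:00:02 client 198.51.100.42#53412: query: a1b2c3.decloak.example IN A',
    '17-Jan-2009 10:00:06 client 192.0.2.77#40001: query: d4e5f6.decloak.example IN A',
    '17-Jan-2009 10:00:10 client 203.0.113.9#40111: query: 778899.decloak.example IN A',
]
SOCKET_LOG = [
    '10:00:02 connect from 198.51.100.42 token=a1b2c3',
]

HTTP_RE = re.compile(r'^(\S+) .*?[?&]id=([0-9a-f]+)')
DNS_RE = re.compile(r'client (\S+?)#\d+: query: ([0-9a-f]+)\.decloak\.example')
SOCK_RE = re.compile(r'connect from (\S+) token=([0-9a-f]+)')


def correlate(http_log, dns_log, socket_log):
    """Return {token: {"proxy": ip, "dns": ip, "socket": ip}} (keys as seen)."""
    seen = defaultdict(dict)
    for line in http_log:                 # the page view arrives via the proxy
        m = HTTP_RE.match(line)
        if m:
            seen[m.group(2)]["proxy"] = m.group(1)
    for line in dns_log:                  # unique subdomain per token
        m = DNS_RE.search(line)
        if m:
            seen[m.group(2)]["dns"] = m.group(1)
    for line in socket_log:               # applet/Flash socket carrying the token
        m = SOCK_RE.search(line)
        if m:
            seen[m.group(2)]["socket"] = m.group(1)
    return dict(seen)


def decloaked(seen, token):
    """Addresses that reached us for this token other than the proxy's own."""
    rec = seen.get(token, {})
    proxy = rec.get("proxy")
    return sorted({ip for k, ip in rec.items() if k != "proxy" and ip != proxy})
```

The third token is the “properly configured” case from the paragraph above: when DNS and direct sockets are forced through the same tunnel, every channel reports the proxy address and the correlation yields nothing.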

More Autorun hacking

In a recent post, we looked at USB autorun file dangers and methods to protect against them.

In that context I came across yet another danger in autorun files I wasn’t aware of: malicious code can be called from what looks like garbage text in the file and still execute.

As the images on that link show, most sysadmins and even regular PC users might be able to spot a call to a malicious file in a standard autorun file.

However, if you open one up and see what looks like encrypted or garbage text, you might just pass it off as a harmless corrupted file.

That’s not the case.  Windows reads autorun.inf as an INI file: it skips every line it can’t make sense of and acts on the launch keys it does find (Open=, ShellExecute=, shell\<verb>\command=), and away it goes.

The noteworthy text is found somewhere around the middle of this 90kB file, at the bottom of the screenshot. See it?

Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

…which would execute a DLL called jwgvsq.vmx from a hidden folder on the USB drive.

The rest of the binary junk is comments and will be ignored by Windows. And of course, the file size and amount of binary junk is different every time.
Nice trick.

So yes, I’m sorry, but you must examine any such files very carefully.  They might contain a hidden executable call.
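An added example of that careful examination, written for this post rather than taken from the F-Secure write-up: a small Python triage routine that reads an autorun.inf as Windows roughly does (line by line, case-insensitive, junk lines ignored) and pulls out only the keys that launch something, plus a strings-style pass for when you just want the printable runs.  The sample file is constructed to mimic the screenshot: the real directive buried between runs of binary noise.  It is an approximation of the INI parser for screening purposes; Windows’ real behaviour is even more permissive in places.

```python
"""Pull the launch directives out of an autorun.inf padded with binary junk."""
import re

# Keys whose value Windows hands to ShellExecute when the drive is inserted
# or opened. 'shell\<verb>\command' covers custom context-menu verbs.
ACTION_KEY_RE = re.compile(
    rb'^[ \t]*(open|shellexecute|shell\\[^\\=\r\n]+\\command)[ \t]*=[ \t]*(.+?)[ \t]*$',
    re.IGNORECASE | re.MULTILINE,
)
SECTION_RE = re.compile(rb'^[ \t]*\[autorun(?:\.[a-z0-9]+)?\][ \t]*$',
                        re.IGNORECASE | re.MULTILINE)


def find_actions(data: bytes):
    """Return [(key, value)] for every launch directive; junk lines are skipped."""
    text = data.replace(b"\r\n", b"\n")   # only line boundaries matter
    return [(k.decode("latin-1").lower(), v.decode("latin-1"))
            for k, v in ACTION_KEY_RE.findall(text)]


def has_autorun_section(data: bytes) -> bool:
    return SECTION_RE.search(data.replace(b"\r\n", b"\n")) is not None


def printable_runs(data: bytes, minlen: int = 8):
    """Cheap stand-in for the 'strings' tool: runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


# Constructed sample, not the real file from the screenshot: one directive in
# mixed case with odd spacing, one plain, both sandwiched in pseudo-random bytes.
SAMPLE = (
    b"[autorun]\r\n"
    + bytes(range(0, 256)) * 3 + b"\r\n"
    + b"sHeLl\\Explore\\CoMmAnD = RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n"
    + b"\x00\x7f\x90garbage\x00 junk\r\n"
    + b"Open=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n"
    + bytes(range(255, 0, -1)) * 2
)

if __name__ == "__main__":
    print("autorun section:", has_autorun_section(SAMPLE))
    for key, value in find_actions(SAMPLE):
        print(f"{key} -> {value}")
```

Run it over a suspect `autorun.inf` with `find_actions(open(path, "rb").read())`; an innocent file that only sets `icon=` and `label=` returns an empty list, and anything that comes back is the thing to look at.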

Virus Testing your Email Protection

Anonymous was having some problems testing the efficacy of his AV system in checking emails for malicious content.  It’s a good point.  Unless you have malicious files hanging around and can mail them to yourself, how do you know your AV program is sufficiently protecting you?

While I do collect the odd malicious file in my desktop-support responses, I keep them only long enough to safely send to some AV research labs for inspection and inclusion.  Once I have removed the threat, I rarely keep them around.

And if you are working with a malicious file, chances are your AV protection will keep catching it and locking it down.  Try sending a malicious file via Gmail and it gets scanned and removed.

See the problem?

Even the “safe” EICAR test files are a frustration to work with in testing email protection, as they too, by design, should be caught and locked down by your AV system, preventing you from emailing them to yourself!

However, there is an easy workaround when it comes to testing your email protection system—use one of these sources!

Both offer a free and easy, third-party way to send an “infected” test file to yourself without tripping any of your local AV protections in the process!

Great way not only to see if your AV system is working; it can also be used to explain to mom and dad what (should) happen if someone sends them a malicious file, or to test a potentially compromised system to see if its email/download protections have somehow been turned off.
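For readers who would rather build the test message themselves, here is an added Python example (mine, not from any of the services above) that assembles an e-mail with the EICAR file attached and then does what a mail gateway has to do to catch it: walk the MIME tree, undo the base64 transfer encoding, and apply the EICAR rules (68-byte string, optional trailing whitespace, at most 128 bytes in total).  The test string is stored ROT13-encoded so this listing does not itself trip a scanner; the addresses are placeholders.

```python
"""Build an e-mail carrying the EICAR test file and show what a gateway must decode."""
import codecs
from email import message_from_bytes
from email.message import EmailMessage

# The canonical 68-byte EICAR string, ROT13-encoded so the source file is not
# itself flagged; eicar_string() reverses it in memory.
_EICAR_ROT13 = "K5B!C%@NC[4\\CMK54(C^)7PP)7}$RVPNE-FGNAQNEQ-NAGVIVEHF-GRFG-SVYR!$U+U*"


def eicar_string() -> str:
    return codecs.decode(_EICAR_ROT13, "rot13")


def is_eicar_file(data: bytes) -> bool:
    """EICAR rule: starts with the 68-byte string, only whitespace may follow,
    and the whole file is at most 128 bytes."""
    sig = eicar_string().encode("ascii")
    if len(data) > 128 or not data.startswith(sig):
        return False
    return all(b in b" \t\r\n\x1a" for b in data[len(sig):])


def build_test_mail(sender: str, recipient: str) -> bytes:
    """A complete RFC 5322 message with eicar.com as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "AV gateway test"
    msg.set_content("If your mail scanner works, this attachment never arrives.")
    msg.add_attachment(eicar_string().encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


def scan_mail(raw: bytes):
    """Gateway view: decode every leaf part's transfer encoding, then test the
    bytes. Returns the filenames of parts that are the EICAR file."""
    flagged = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        if payload is not None and is_eicar_file(payload):
            flagged.append(part.get_filename() or "(inline)")
    return flagged


if __name__ == "__main__":
    raw = build_test_mail("me@example.test", "me@example.test")
    print("literal string visible in raw mail:", eicar_string().encode() in raw)
    print("flagged parts:", scan_mail(raw))
```

The point the code makes is that the raw message never contains the literal test string, only its base64 form; a scanner that greps the wire bytes misses it, while one that decodes each part catches it.  Writing the decoded attachment to disk is exactly the step your desktop AV should intercept.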

Watching for the Inside Job

We watched Numb3rs last night and it wasn’t a third of the way in before I was telling Lavie that the cop and his fiancée were both in on the job.  We were right.  The fiancée was casing the F.B.I. tactical room as a “concerned” family member and feeding the bad guys information to keep them one step ahead of the game.

Many times we might become complacent about the nature and motives of those who work around us.  This includes our customers, our vendors, our co-workers, and the hardware that we support.  In our willingness and drive to meet service levels and keep the productivity flowing, we might decide to overlook or ignore things that just don’t quite jibe with the way things should be.

That can be a serious security mistake.

Printer Scanning the Firewall? – Andrew Hay’s blog.  Is IP scanning of the network by a printer normal, or is something else going on? Turns out that one can actually use a JetDirect box as an Nmap idle-scan zombie: the scanner never sends the target a packet of its own, it forges SYNs with the printer’s address and reads the answers off the printer’s predictable IP ID counter.  While not likely a common attack vector, you never know….
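Because the idle scan is what turns a printer into the apparent attacker, here is an added simulation (my example; it sends no packets and is not Nmap’s code) of the three-packet dance per port.  The zombie is modelled as a host whose IP ID goes up by one for every packet it emits, which is the property an old JetDirect box has; the IP ID start value and the port numbers are arbitrary.

```python
"""Simulate an Nmap idle scan through a zombie with a predictable IP ID."""
import itertools


class Zombie:
    """An idle host whose IP ID counter increments once per packet it sends."""

    def __init__(self, ip, start=1000):
        self.ip = ip
        self._ipid = itertools.count(start)

    def on_syn_ack(self):
        # An unsolicited SYN/ACK is answered with a RST, which consumes one ID.
        return next(self._ipid)

    def on_rst(self):
        # A RST is never answered, so the counter does not move.
        return None

    def probe(self):
        # The scanner sends the zombie a SYN/ACK and reads the IP ID off the RST.
        return self.on_syn_ack()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, src, port):
        # A SYN whose source is forged as the zombie: an open port answers the
        # zombie with SYN/ACK, a closed one with RST. The scanner sees neither.
        if port in self.open_ports:
            src.on_syn_ack()
        else:
            src.on_rst()


def idle_scan(zombie, target, port, other_traffic=0):
    """Return the state Nmap would infer for one port.

    other_traffic is the number of packets the zombie sends to third parties
    between the two probes; a busy zombie is exactly what makes idle scan lie."""
    before = zombie.probe()
    target.receive_syn(zombie, port)          # spoofed: source IP = zombie.ip
    for _ in range(other_traffic):
        zombie.on_syn_ack()
    after = zombie.probe()
    delta = after - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"


def scan(zombie, target, ports):
    return {p: idle_scan(zombie, target, p) for p in ports}


if __name__ == "__main__":
    printer = Zombie("192.0.2.10")
    print(scan(printer, Target({22, 80}), [22, 23, 80]))
```

From the firewall’s side this is why the log shows the printer “scanning”: every forged SYN carries the printer’s address, and the only traffic the real scanner exchanges is with the printer.  The `other_traffic` cases show the flip side for the attacker: one stray packet from the zombie turns a closed port into a false “open”, which is why Nmap picks zombies that are genuinely idle.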

SynJunkie has started yet another new series on a modified social-engineering based attack on a system.  Good read.

Syn: The Story of a Newbie Hax0r - Part 1

Syn: The Story of a Newbie Hax0r - Part 2. My Evil AP

Meanwhile, letting a malicious file into a network that has not been kept current on security patches can have devastating results:

Still having trouble getting the bean-counters to respond seriously?  Could be the case. I mean, with the economy in the tank, I could see IT shops reconfiguring their priorities to focus on production and not prevention.

Might want to drop them a link to this post.

It links to Peter Sommer’s deep whitepaper: Directors' and Corporate Advisors' Guide to Digital Investigations and Evidence (PDF link).

At 100 pages, many might think they don’t have the time or need to review just how critical an understanding of, a plan for, and a relationship with digital investigations and forensics really are.

In the foreword, Sir Edmund Burton sums up the importance in that typically understated British manner:

This useful guide highlights the potential risks for enterprises that do not have a
detailed planned response to typical risk scenarios.  It points out that the ‘Low
Frequency/High Impact’ events are disruptive and emphasises that ‘High
Frequency/Low Impact’ events are also disruptive and must be addressed by
contingency plans and preventative measures.

An Effective Wiping Technique

…..for hard drives.  Sheesh!

Our IT group and I apply secure disk-wiping software to all the hard drives and memory storage devices we manage. Unneeded CD/DVD and floppy media go into the shredder.  Depending on the hardware/firmware, a policy-mandated DoD-grade three-pass secure wipe can take anywhere from 30 minutes to several hours to complete on a single hard drive.  It is a time-consuming but critical function of data handling and management.

So I read with curiosity the following posts:

With the exception of the Data Sanitization Tutorial (PDF link) written by the University of California at San Diego Center for Magnetic Recording Research, I haven’t seen many other official-grade research papers that detail just how effective a single-pass bit-wipe of a drive is in comparison to a 3-pass or even a 35-pass wipe.  Now there’s a new research paper on the block, Overwriting Hard Drive Data: The Great Wiping Controversy, that seeks to dispel the mythos surrounding multi-pass wipes.

From the heise Security link:

Craig Wright, a forensics expert, claims to have put this legend finally to rest. He and his colleagues ran a scientific study to take a close look at hard disks of various makes and different ages, overwriting their data under controlled conditions and then examining the magnetic surfaces with a magnetic-force microscope. They presented their paper at ICISS 2008 and it has been published by Springer AG in its Lecture Notes in Computer Science series (Craig Wright, Dave Kleiman, Shyaam Sundhar R. S.: Overwriting Hard Drive Data: The Great Wiping Controversy).

They concluded that, after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.

The paper itself is behind a paywall or must be bought as part of the book; however, the author kindly repackaged the research in a recent post on the SANS Computer Forensics blog.  The details there should be sufficient for most mortals.

Overwriting Hard Drive Data – Dr. Craig Wright, SANS Computer Forensics, Investigation, and Response blog

Now if we can only convince our director that once will be good enough… old habits and wisdom die hard.  One caveat worth keeping in that argument: the study is about sectors a software overwrite can actually reach on the platters.  Sectors the drive has quietly remapped, or anything hidden behind a host protected area, never see the pass at all, which is why the CMRR tutorial above points at the drive’s own ATA Secure Erase command for those cases.

Tin-foil hat-wearers are free to continue to worry.
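Whichever pass count policy settles on, the step that actually ends the argument is reading the drive back.  Here is an added Python example (mine, not from either paper) that streams a wiped device or image and reports any block that does not match the fill pattern, handling multi-byte patterns and a short final block; the sample image with one block of leftover filesystem text is constructed for the example.

```python
"""Read a wiped device or image back and report blocks that still hold data."""
import io

BLOCK = 4096


def verify_wipe(stream, pattern=b"\x00", block=BLOCK, max_report=10):
    """Stream through the medium; return (blocks_read, [byte offsets of the
    first max_report blocks that do not match the fill pattern])."""
    if not pattern:
        raise ValueError("pattern must be at least one byte")
    reps = block // len(pattern) + 2        # enough copies to cover any phase
    blocks = 0
    bad = []
    while True:
        chunk = stream.read(block)
        if not chunk:
            break
        offset = blocks * block
        phase = offset % len(pattern)       # keep multi-byte patterns aligned
        expected = (pattern * reps)[phase:phase + len(chunk)]
        if chunk != expected and len(bad) < max_report:
            bad.append(offset)
        blocks += 1
    return blocks, bad


def constructed_image(total_blocks=8, stale_block=5):
    """A zero-filled image with one block of leftover filesystem bytes.
    Constructed for this example; not captured from a real drive."""
    buf = bytearray(BLOCK * total_blocks)
    leftover = b"NTFS    stale directory entry"
    start = BLOCK * stale_block
    buf[start:start + len(leftover)] = leftover
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    # For a real device use: verify_wipe(open("/dev/sdX", "rb", buffering=0))
    blocks, bad = verify_wipe(constructed_image())
    print(f"{blocks} blocks read, residue at offsets {bad}")
```

If the wipe used a random fill rather than a fixed pattern, compare against the same seeded stream instead of a constant, or fall back to checking that no block contains long printable runs.  And remember what the read-back cannot see: it covers the addressable sectors, not remapped ones.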

Tips, Tools, and Techniques

  • A quick analysis helper – Forensic Incident Response blog. Hogfly drops a gem of a tip that points to the registry location where Symantec keeps its last-scanned date and the date of the definition files.  Yes, I realize you could try to load up the installed Symantec GUI and use it to look for log information, but when you are looking at a system via a captured image, that might not be a viable option. As Hogfly also points out, it can tell you whether the scan was a scheduled scan or one initiated manually by a user.

  • Memory Collection and Analysis Tools and New and interesting things – Windows Incident Response blog.  Harlan must not have much work to do on his 2nd-edition update.  Obviously he has some free time on his hands as he continues to share awesome tools for memory data collection and analysis.  Be careful, there are a lot of links to awesome tools; you will likely lose significant blocks of time checking them out!  I also advise you to check out the post comment threads.  Good detail in there.  Thanks for sharing, Harlan!  Looking forward to the book!

  • MANDIANT First Response – free tool to remotely collect key data on a system by security and investigation responders. “MANDIANT First Response provides the ability to remotely collect the volatile data, file lists, registry information, event logs, running processes, running services, file time/date stamps and many other data sources to allow an organization to perform precision strike responses when an incident may have occurred.”  This is a data-collection tool, not a data-analysis tool.

  • F-Secure Exploit Shield – (freeware) – Heuristics-based beta tool that runs in real time to provide protection against web-based exploits and malware.  It does phone home and send data to the F-Secure labs to help with exploit detection and response, so be aware.  See this F-Secure post for screenshots and more details.  Download link here.  Supported on Windows XP.  No word on Vista/W7 editions yet.  Similar freeware product: ThreatFire.

  • F-Secure Easy Clean – (freeware) – Free and easy-to-use tool to remove common malware and viruses from a system.  Also does a rootkit check before the scan commences.  Can be run in Safe Mode. XP/Vista compatible. For more details see F-Secure Easy Clean – FAQ.

  • ThreatFire Research Blog – I’m always on the lookout for security blogs that have both technical and real-world information.  Finally uncovered the ThreatFire blog.  Even if you don’t use the free product, the information from their blog could be helpful in threat-assessment and defense.

  • Exiftool - (freeware) – Tool by Phil Harvey that reads, writes, and edits meta-data.  This is golden stuff, especially if you are investigating recovered image files.  (Example Output).  This tool could provide clues in investigation work.  Depending on the camera itself (and assuming the meta-data hasn’t been tampered with), one might be able to use data in the files to associate an image with a specific capture date/time, a specific camera, and maybe a specific owner.  Could be a stretch, but cases have been broken with less…

  • Security Database Tools Watch - FireCAT 1.5 released – This update of FireCAT (Firefox Catalog of Auditing exTensions) is a mind-map collection of the most efficient and useful Firefox extensions oriented toward application security auditing and assessment.  The latest version now lists a number of new add-ons in some restructured categories.  If you are into security research and use Firefox, you simply must spend some time checking this out!  If you don’t want to pick and choose to get them installed, pop over to the Package de plugins FireCat 1.5 (natively in French, so here is the English version à la Google) and download the compressed file and install away.

  • SANS SIFT Workstation Version 1.2 Released - SANS Computer Forensics, Investigation, and Response blog.   “The SANS SIFT Workstation is a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.”

  • Zero Wine: Malware Behavior Analysis – Open Source – Tool to “…dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.”  I must say, this is really cool and can provide a fast and locally obtained malware-behavior report similar to those offered by the web-based CWSandbox - Automated Malware Analysis or the Norman SandBox Information Center.  Having a local-system-based lab-tool like this really can speed incident response analysis and response.


--Claus V.


Cd-MaN said...

A little ping: the autorun.inf parsing is even more permissive than the one shown by the F-Secure people. Check out my little research about the topic:

You can make it so that you won't see anything of use with the standard tools.

Anonymous said...

Thanks for that post on drive wipes - certainly interesting research. We have a few tin-foil hatters at my corporation who still do the 3-pass wipe in fear that data could still be recovered otherwise. Ha, if you have any ideas on how to convince these people 1-pass is all you need, please let me know!

Claus said...

@cdman83 - Great post! Thanks for sharing it with me!

How permissive is the Windows autorun.inf parsing?

I really like the suggestion about running strings.

Foundstone's BinText might also be a standalone executable that could help screen it in a GUI interface.

Sysinternals has its Strings which is CLI (and might turn off the casual users).

Finally the brilliant Didier Stevens walks us through both tools in his older post Viewing strings in executables.

Good stuff and thank you very much for the added investigative work.

I think this type of "attack" by misdirection might become more common.

Especially if it takes the form seen in this latest F-Secure post that is also related to both the autorun.inf file as well as Windows Vista and Windows 7.

Social Engineering Autoplay and Windows 7


Nathaniel said...

Don't know if you saw it on the Exiftool page, but there is a Windows GUI for it that seems pretty good.

Have yet to get around to it, but I downloaded Exiftool so I could change incorrect timestamps on photos (forgot to reset the camera clock!).

Claus said...

@ Nathaniel - Dude! That's an awesome find!

And it's fully portable so it can be toted around on a USB stick.

Sweet! Thanks for passing along the tip. I'll add it in to my next software linkpost!