This Week in Security and Forensics: Beware the cake!

Cube Party! image used with permission from John Walker at "rockpapershotgun.com"

Yeah, the cake is a Portal thing.  Let’s dispense with introductions and get right down into it this week before GLaDOS barges in.

Anti-Virus

Not new but I think it is worthwhile to reflect on the impact rogue/fake AV products have.  Not only did I get the joy of cleaning one such infection off my own dad’s system, last week I painfully listened to another dear friend tell of dropping almost $400 to local PC shops to remove another such infection…in the end they just reinstalled Windows for him.  I told him to call me first next time.  My local pizza house rates are much cheaper, and I find it perversely fun to hunt and clean this stuff off a system.

• Rogue Antispyware: WireSharkAntivirus -- Yep. Leave it to someone to seed the world with this weed.  Unfortunately it is playing on a very large and well-known name in the network and security business. More: Sunbelt Blog: Oh yea, right! A rogue named “Wireshark”
• Sniff free or die » Antivirus Outbreak -- This is the legit Wireshark blog’s personal account of the aftermath of their name being hijacked by this fake av product.  The company had to deal with and field and guide irate and disgruntled persons contacting them since they thought Wireshark was responsible for the fake av product.  Sadly that wasn’t the case, but folks just don’t seem to figure this out.  From the post.

Lessons:

Communicate. Luckily its victims were visiting www.cacetech.com, so we could pass along updates in near real time. Google and Bing helped track down users posting questions to online forums. I responded to each question with any information I had at the time.

People don’t run AV software. Seriously — you should at least be running something like MS Security Essentials by now.

Even cake is dangerous. One of the infections apparently happened while looking for pictures of cake on Flickr.

• Fake Antivirus abuses regular software names - Avira - has some more background analysis into the fake tool itself.
• Remove Wireshark Antivirus (Uninstall Guide) - Bleeping Computer - guide from Grinler to getting it off.

It’s my understanding that the free VIPRE Rescue tool can also cleanse it from a system.

• "Wireshark Antivirus" Malware · Wireshark -- PSA by Wireshark including multiple links to manual-removal instructions.
• Sunbelt Blog: Fake MSRT “suggests” you purchase a rogue - Yep.  Even the name o Microsoft’s own legit Malicious Software Removal Tool (MSRT) is now being used by the fake av scam artists.  Nothing is sacred here folks.  Constant Vigilance!
• Anti-malware tools crumble under Virus Bulletin tests - Donna’s SecurityFlash via SC Mag.

The winners:  Microsoft Security Essentials, AntiVir, Avast, Agnitum, AVG, EmsiSoft, Eset, Kaspersky, Symantec, PC Tools, Check Point, Lavasoft Ad-Aware, Kaspersky and of course, Sunbelt and many others. 

• Clam AntiVirus - Recently released in version 2.0.  This is not your father’s ClamAV any longer.  Now includes “cloud-based” protection engine and many more enhanced features.  See also VRT: ClamAV Release Announcements for a full detailing of the little devil.
• Alureon Evolves to 64 Bit - Microsoft Malware Protection Center - This was fascinating and a sure sign of the growing prevalence of x64 bit systems.  Alureon is a rootkit that has commonly targeted x32 bit Windows systems.  Security teams noted the inclusion of an inert file called ldr64 as part of the file system.  Lately it now has morphed into an active version that can infect 64-bit systems.  Fortunately, it’s presence is detected by Microsoft Security Essentials and evidence is easy to find manually if running.  The Disk Management pane of Computer Managmenet console will be blank of all local HDD and DiskPart command doesn’t locate any disks when “list disk” is run.

Tips and Techniques

• E-discovery is hard -- Security For All -- Be careful what you ask for!
• Computer Forensics: Identifying Disk Differences -- Broken Mirrors -- SANS Computer Forensic Investigations and Incident Response Blog -- excellent process walkthrough of validating your disks to be examined when potentially in a mirror state.
• Digital Forensics Recertification (Beyond the Cert) -- SANS Computer Forensic Investigations and Incident Response Blog - -Encouragement for the front line troops.
• Computer Forensics: Using Evidence Cleaners to Find Artifacts -- SANS Computer Forensic Investigations and Incident Response Blog -- I think what the post is saying is that you can learn a lot about potential evidence locations by studying the tools offered to clean them.
• Getting Started in Digital Forensics: Do You Have What It Takes? -- SANS Computer Forensic Investigations and Incident Response Blog -- great reality check for folks who are considering the digital forensics field as a career.
• Digital Forensics Case Leads: An OS X based Live CD, a Free Forensics App for Windows, Spying, and High Performance Password Cracking -- SANS Computer Forensic Investigations and Incident Response Blog -- Lots of tips, particularly the Creating an OS X Incident Response CD for Live Response link.
• Acquisition -- Apple Examiner.  New (to me) Apple forensics-centric website Apple Examiner with some guides to addressing acquisition of late-model Macintosh systems. Lots of good stuff here!  hat-tip to TinyApps blog for bringing this to my attention.
• OS X: Mount disks as read only or block automounting altogether -- TinyApps.Org Blog then goes to the mat with a word of a GUI tool Disk Arbitrator  to change OS X’s automount behavior.
• Forensic Linux Live CD issues - Forensics Wiki.  TinyApps also passed me this link to a long list of potential “gotcha’s” when relying solely on software/LiveCD based forensics distributions to perform “forensic” drive acquisitions. It would do well to be familiar with these issues in advance.  As always, it seems the only rock-solid way to guarantee a non-writeback acquisition of a drive occurs is to use a proven hardware-based forensic bridge; say the Tableau T35es and their T8-R2 or the WiebeTech USB WriteBlocker
• NetAnalysis Date and Time Fields -- Digital Detective. Great write up of Windows time/date field handling.
• The Pitfalls of File Initialization for Forensic Analysts -- cmdLabs -- more learning opportunities await!
• The U.S. Department of Justice hosts an ongoing series of publications including forensic releated documentation.  Note these gems!  While there are only some “recently” published works here and most are a bit dusty, these all remain great resources.

Review a complete list of reports from the Computer Forensic Tool Testing Program.

See also test specifications, support software and test documentation for:

• Disk Imaging
• Forensic Media Preparation
• Write block (Software)
• Write block (Hardware)
• Deleted File Recovery
• Mobile Devices
• String Search

Making Material

• Fundamental Computer Investigation Guide for Windows -- Microsoft TechNet -- Not sure where I came up with this. Dated back from 2007 but still is a small free resource zip file to download, read, and archive. Besides the primary information document, it also contains some DOC files to use as worksheets and templates…or as inspirations to design your own. Download

The Fundamental Computer Investigation Guide for Windows discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®–based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows–based computers) as well commonly available Windows commands and tools.

• I’m not sure where I found the link from, but the US Justice Department’s CyberCrime Laboratory created an awesome Digital Forensic Analysis Methodology Flowchart (PDF link).  Print this one out. Study it, and keep it handy for review.
• Just dropping this older GSD Post Focus on Forensics Linkfest in the mix here as it contains links to multiple templates and forms for chain of evidence recording and such.
• Intro to Report Writing for Digital Forensics -- SANS Computer Forensic Investigations and Incident Response Blog -- Must read because it never is enough just to dig up the pieces during an investigation, to be successful you must document your process as well as present it in an understandable manner for non-technical folks to understand and technical folks to be able to validate.

Tools and Utilities

• Quickpost: .LNK Template Update -- Didier Stevens -- tool update to now identify well-known Shell GUID’s as well.  See also his .LNK template post for additional info.
• Fget -- (freeware) -- HBGary tool “…The fget tool forensically extracts files from raw NTFS volumes on remote windows systems in your domain. This tool works over the network and can extract any file (including those that are locked and in-use) in a forensically sound manner, without altering target filetimes or attributes. In particular, the tool can be used to extract files that are critical to timeline reconstruction.”  Spotted via this FGET: Network-capable forensic data acquisition tool post at Help Net Security.
• Fingerprint -- (freeware) -- HBGary tool “…framework for scanning binaries (preferably binaries extracted from memory so they are already unpacked). It allows scanning for ascii/wide strings and byte patterns, then annotating results. Results are saved in an xml format and can be compared to previous results. The goal is to allow quick development of new search patterns and easy comparison to previous binaries.” Spotted in a great write up Open Source Malware Fingerprinting – Free Tool at the ESET ThreatBlog.
• Historian -- (freeware) -- Reads history, bookmark, cookie and cache information for raw browser files from Gaijin software.  Recently updated to version 1.4.4.  While there are lots and lots of tools now to help with browser history examination, I still like having different ones at my disposal to give me flexibility in both analysis and reporting.
• RegFileExport -- (freeware) -- It’s a new NirSoft tool!  This gem is a CLI tool to “…easily extract data from offline Registry file located on another disk drive. RegFileExport read the Registry file, ananlyze it, and then export the Registry data into a standard .reg file of Windows. You can export the entire Registry file, or only a specific Registry key.  RegFileExport may also be able to export some of the Registry data even when the Registry file is corrupted and cannot be loaded by Windows.  Check out the whole page to get the usage and “more information” areas understood as well.  It can even handle extraction of Registry data from XP restore points!  “You can find the Registry files of every restore point under C:\System Volume Information\_restore{guid}\RPxxx\snapshot. However, you must change the permissions of this folder in order to access these files, or alternatively, you can run cmd.exe as a SYSTEM account (with 'at' command), and then you'll be able to access this folder and the Registry files that are stored in it. Be aware that the _restore{guid} subfolder also has 'hidden' attribute.”  Sweet!
• TinEye Reverse Image Search -- I thought this was cool.  Suppose you come up with a image file that appears to have been downloaded from the web, but you don’t have a context for the source?  You could try TinEye to see if you could find locations where the file came from on the Web.  While it would be difficult to say with certainty that was the source, it might help provide some interesting information especially if taken as part of a larger context of data.  via Idée Labs

Mostly Wireless

I had spotted that the next two items were recently updated and then decided to go ahead and list other wireless-related utilites since birds of a feather…well…you know…

• Xirrus Wi-Fi Inspector -- (freeware) -- Xirrus now updated this neat tool to v1.1.1
• inSSIDer Wi-Fi Scanner -- (freeware) -- MetaGeek updated their BOSSIE winning tool to a newer version (1.2.8.0331).  I also see their forums says version 2.0 is working its way to Beta release in September. Link with screenshots here: inSSIDer 2.0 Preview
• WirelessNetView v1.27 -- (freeware) -- NirSoft tool
• BluetoothView v1.37 -- (freeware) -- NirSoft tool
• BluetoothCL v1.05 -- (freeware) -- NirSoft tool
• WirelessNetConsole v1.00 -- (freeware) -- NirSoft tool
• WirelessKeyView v1.34 -- (freeware) -- NirSoft tool
• D-Link routers get DNSSEC and CAPTCHA protection - HelpNet Security post

Oh those DLL eyes

• It’s those darned DLLs again... -- Windows Incident Response blog -- Probably the very best roundup and review of the latest DLL “vulnerability” now capturing the attention of the for/sec groups since the .LNK brouhaha. 
• Malware Persistence without the Windows Registry -- M-unition Blog -- Noted here both for the great technical explanation of the issue as well as the provision of a free tool to help assess the situation on a system.  From Nick Harbour’s post:

I’ve written a program to identify all locations and filenames that a DLL could be placed to achieve persistence on a given system.  The idea is that you can run this program on a clean (Gold Image) system and forensically search for any DLL name listed in the output on a machine you suspect of being compromised with this method of persistence. 

The program examines running processes and determines hijackable DLL locations by the following properties (applied to each loaded dll in every running process in the system):

1. The process executable that loaded the DLL is not located in the System32 folder
2. The DLL name is not found in the KnownDlls object
3. The DLL is not found in the same directory as the executable

Any loaded DLL that contains all three properties is susceptible to being trumped by search order hijacking.

The tool (compiled and source) to identify possibly malicious 32-bit DLL locations from a clean system can be found here.

You have to run it from the command line and it requires "elevated" or administrator privileges to run.

Also, the output will be to the CLI window. Depending on how much data you have you may not be able to see all the results.

Try "piping" the output to text with a command similar to below. Then when done open the resulting text file in notepad.

finddllhijack.exe > dllwatchlist.txt

Worked great on my x64 Windows 7 Home Premium system and I got output of a total of 560 different dll files/locations to keep an eye on.

"Here be Dragons" caution: This tool doesn't provide a "smoking gun" to any actual malware-based dll's or vulnerabilities. So please don't go deleting stuff just because it shows up here. That's not the point of the tool. It does help collect information about potential targets for the examiner to then consider with the points made by Mandiant above.

Returning to the linkage roundup…

• Windows DLL flaw may affect hundreds of programs -- TechBlog -- Dwight Silverman spells it out for the masses.
• Quickpost: Ariad & DLL Preloading -- Didier Stevens -- Yep. Didier already has some tools for that…Ariad (no file execute) and SRP
• DLL Preloading - Update Microsoft Recommendation -- TripleCheck Consulting Blog -- Thoughts on mitigation of the risk.
• Exploiting DLL Hijacking Flaws and Better, Faster, Stronger: DLLHijackAuditKit v2 -- Metasploit also provides a system auditing tool to help examine the issue on your own systems.  This isn’t for the faint of heart. Check out this DLLHijackAuditKit v2: Better, Faster, Stronger DLL Tests! post for a distilled guide from PenTestIT on how to get it armed and working.  Read the Metasploit posts for the full picture.

Finally let’s let Microsoft give us all the remaining bits of the scoop from their perspective.

• Microsoft Security Advisory (2269637): Insecure Library Loading Could Allow Remote Code Execution - Microsoft TechNet Security
• More information about the DLL Preloading remote attack vector - Microsoft Security Research & Defense Blog

As well as their tool to help mitigate the issue (platform specific tool download links at the bottom of the page).  Just read well to understand the tool and how it works before using!

• A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm -- Microsoft Support.

And if you haven’t guessed it, this is just a new resurgence in an old exploit.

• MS09-014: Addressing the Safari Carpet Bomb vulnerability - Microsoft Security Research & Defense Blog - April 2009
• DLL Preloading Attacks - David LeBlanc’s Web Log - February 2008.

Yes my friend, only eat the cake if you dare….

--Claus V.