Sunday, August 29, 2010

This Week in Security and Forensics: Beware the cake!


Cube Party! image used with permission from John Walker at ""

Yeah, the cake is a Portal thing.  Let’s dispense with introductions and get right down into it this week before GLaDOS barges in.


Not new but I think it is worthwhile to reflect on the impact rogue/fake AV products have.  Not only did I get the joy of cleaning one such infection off my own dad’s system, last week I painfully listened to another dear friend tell of dropping almost $400 to local PC shops to remove another such infection…in the end they just reinstalled Windows for him.  I told him to call me first next time.  My local pizza house rates are much cheaper, and I find it perversely fun to hunt and clean this stuff off a system.


Communicate. Luckily its victims were visiting, so we could pass along updates in near real time. Google and Bing helped track down users posting questions to online forums. I responded to each question with any information I had at the time.

People don’t run AV software. Seriously — you should at least be running something like MS Security Essentials by now.

Even cake is dangerous. One of the infections apparently happened while looking for pictures of cake on Flickr.

It’s my understanding that the free VIPRE Rescue tool can also cleanse it from a system.

The winners: Microsoft Security Essentials, AntiVir, Avast, Agnitum, AVG, EmsiSoft, Eset, Kaspersky, Symantec, PC Tools, Check Point, Lavasoft Ad-Aware, Kaspersky and of course, Sunbelt and many others.

  • Clam AntiVirus - Recently released in version 2.0.  This is not your father’s ClamAV any longer.  Now includes “cloud-based” protection engine and many more enhanced features.  See also VRT: ClamAV Release Announcements for a full detailing of the little devil.
  • Alureon Evolves to 64 Bit - Microsoft Malware Protection Center - This was fascinating and a sure sign of the growing prevalence of x64 systems.  Alureon is a rootkit that has commonly targeted 32-bit Windows systems.  Security teams had noted the inclusion of an inert file called ldr64 as part of its file system.  It has now morphed into an active version that can infect 64-bit systems.  Fortunately, its presence is detected by Microsoft Security Essentials and evidence is easy to find manually if it is running: the Disk Management pane of the Computer Management console shows no local HDD at all, and the DiskPart command doesn’t locate any disks when “list disk” is run.

Tips and Techniques

Making Material

  • Fundamental Computer Investigation Guide for Windows -- Microsoft TechNet -- Not sure where I came up with this. It dates back to 2007 but is still a small, free resource zip file to download, read, and archive. Besides the primary information document, it also contains some DOC files to use as worksheets and templates…or as inspirations to design your own. Download

The Fundamental Computer Investigation Guide for Windows discusses processes and tools for use in internal computer investigations. It introduces a multi-phase model that is based on well-accepted procedures in the computer investigation community. It also presents an applied scenario example of an internal investigation in an environment that includes Microsoft® Windows®–based computers. The investigation uses Windows Sysinternals tools (advanced utilities that can be used to examine Windows–based computers) as well as commonly available Windows commands and tools.

  • I’m not sure where I found the link from, but the US Justice Department’s CyberCrime Laboratory created an awesome Digital Forensic Analysis Methodology Flowchart (PDF link).  Print this one out. Study it, and keep it handy for review.
  • Just dropping this older GSD Post Focus on Forensics Linkfest in the mix here as it contains links to multiple templates and forms for chain of evidence recording and such.
  • Intro to Report Writing for Digital Forensics -- SANS Computer Forensic Investigations and Incident Response Blog -- Must read, because it is never enough just to dig up the pieces during an investigation. To be successful you must also document your process and present it in a manner that non-technical folks can understand and technical folks can validate.

Tools and Utilities

  • Quickpost: .LNK Template Update -- Didier Stevens -- tool update to now identify well-known Shell GUIDs as well.  See also his .LNK template post for additional info.
  • Fget -- (freeware) -- HBGary tool “…The fget tool forensically extracts files from raw NTFS volumes on remote windows systems in your domain. This tool works over the network and can extract any file (including those that are locked and in-use) in a forensically sound manner, without altering target filetimes or attributes. In particular, the tool can be used to extract files that are critical to timeline reconstruction.”  Spotted via this FGET: Network-capable forensic data acquisition tool post at Help Net Security.
  • Fingerprint -- (freeware) -- HBGary tool “…framework for scanning binaries (preferably binaries extracted from memory so they are already unpacked). It allows scanning for ascii/wide strings and byte patterns, then annotating results. Results are saved in an xml format and can be compared to previous results. The goal is to allow quick development of new search patterns and easy comparison to previous binaries.” Spotted in a great write up Open Source Malware Fingerprinting – Free Tool at the ESET ThreatBlog.
  • Historian -- (freeware) -- Reads history, bookmark, cookie and cache information for raw browser files from Gaijin software.  Recently updated to version 1.4.4.  While there are lots and lots of tools now to help with browser history examination, I still like having different ones at my disposal to give me flexibility in both analysis and reporting.
  • RegFileExport -- (freeware) -- It’s a new NirSoft tool!  This gem is a CLI tool to “…easily extract data from an offline Registry file located on another disk drive. RegFileExport reads the Registry file, analyzes it, and then exports the Registry data into a standard .reg file of Windows. You can export the entire Registry file, or only a specific Registry key.  RegFileExport may also be able to export some of the Registry data even when the Registry file is corrupted and cannot be loaded by Windows.”  Check out the whole page to get the usage and “more information” areas understood as well.  It can even handle extraction of Registry data from XP restore points!  “You can find the Registry files of every restore point under C:\System Volume Information\_restore{guid}\RPxxx\snapshot. However, you must change the permissions of this folder in order to access these files, or alternatively, you can run cmd.exe as a SYSTEM account (with 'at' command), and then you'll be able to access this folder and the Registry files that are stored in it. Be aware that the _restore{guid} subfolder also has 'hidden' attribute.”  Sweet!
  • TinEye Reverse Image Search -- I thought this was cool.  Suppose you come up with an image file that appears to have been downloaded from the web, but you don’t have a context for the source?  You could try TinEye to see if you can find locations on the Web where the file came from.  While it would be difficult to say with certainty that a hit was the source, it might help provide some interesting information, especially if taken as part of a larger context of data.  via Idée Labs

Mostly Wireless

I had spotted that the next two items were recently updated and then decided to go ahead and list other wireless-related utilities since birds of a feather…well…you know…

Oh those DLL eyes

  • It’s those darned DLLs again... -- Windows Incident Response blog -- Probably the very best roundup and review of the latest DLL “vulnerability” now capturing the attention of the for/sec groups since the .LNK brouhaha. 
  • Malware Persistence without the Windows Registry -- M-unition Blog -- Noted here both for the great technical explanation of the issue as well as the provision of a free tool to help assess the situation on a system.  From Nick Harbour’s post:

I’ve written a program to identify all locations and filenames that a DLL could be placed to achieve persistence on a given system.  The idea is that you can run this program on a clean (Gold Image) system and forensically search for any DLL name listed in the output on a machine you suspect of being compromised with this method of persistence. 

The program examines running processes and determines hijackable DLL locations by the following properties (applied to each loaded dll in every running process in the system):

  1. The process executable that loaded the DLL is not located in the System32 folder
  2. The DLL name is not found in the KnownDlls object
  3. The DLL is not found in the same directory as the executable

Any loaded DLL that contains all three properties is susceptible to being trumped by search order hijacking.

The tool (compiled and source) to identify possibly malicious 32-bit DLL locations from a clean system can be found here.

You have to run it from the command line and it requires "elevated" or administrator privileges to run.

Also, the output will be to the CLI window. Depending on how much data you have you may not be able to see all the results.

Try "piping" the output to text with a command similar to below. Then when done open the resulting text file in notepad.

finddllhijack.exe > dllwatchlist.txt

Worked great on my x64 Windows 7 Home Premium system and I got output of a total of 560 different dll files/locations to keep an eye on.

"Here be Dragons" caution: This tool doesn't provide a "smoking gun" to any actual malware-based DLLs or vulnerabilities. So please don't go deleting stuff just because it shows up here. That's not the point of the tool. It does help collect information about potential targets for the examiner to then consider with the points made by Mandiant above.
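To make the three properties from Nick Harbour’s post concrete, here is an added Python sketch of the same logic (my example, not Mandiant’s tool or its source) run over a constructed process/module snapshot and a constructed KnownDlls subset; a live run would gather the loaded-module list and the \KnownDlls entries from the system instead. It also adds the second step of his workflow, checking a suspect machine’s file listing against the watchlist.

```python
import ntpath

SYSTEM32 = r"C:\Windows\System32"

# Constructed subset of the KnownDlls object; a live run would read the
# \KnownDlls object directory instead (the entries here are illustrative).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "rpcrt4.dll"}

# Constructed snapshot: process executable -> DLLs it has loaded.
SAMPLE_PROCESSES = {
    r"C:\Windows\System32\svchost.exe": [       # property 1: lives in System32
        r"C:\Windows\System32\wevtapi.dll",
    ],
    r"C:\Program Files\Example\app.exe": [
        r"C:\Windows\System32\kernel32.dll",     # property 2: in KnownDlls
        r"C:\Program Files\Example\helper.dll",  # property 3: beside the exe
        r"C:\Windows\System32\version.dll",      # has all three properties
        r"C:\Windows\System32\dwmapi.dll",       # has all three properties
    ],
}


def _same_dir(a, b):
    """Case-insensitive directory comparison (NTFS paths are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def hijackable_locations(processes, known_dlls=KNOWN_DLLS, system32=SYSTEM32):
    """Return sorted paths where a planted DLL would win the search order."""
    found = set()
    for exe, dlls in processes.items():
        exe_dir = ntpath.dirname(exe)
        if _same_dir(exe_dir, system32):  # property 1
            continue
        for dll in dlls:
            name = ntpath.basename(dll)
            if name.lower() in known_dlls:  # property 2
                continue
            # Property 3: the application directory is searched first, so a
            # DLL already present beside the exe would have loaded from there.
            if _same_dir(ntpath.dirname(dll), exe_dir):
                continue
            found.add(ntpath.join(exe_dir, name))
    return sorted(found, key=str.lower)


def watchlist_hits(watchlist, present_files):
    """Second step of the workflow: which watchlist paths exist on a suspect box?"""
    present = {ntpath.normcase(p) for p in present_files}
    return [p for p in watchlist if ntpath.normcase(p) in present]
```

A hit from watchlist_hits is only a lead to examine (hash it, check its signature and timestamps), exactly the “Here be Dragons” caution above.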

Returning to the linkage roundup…

Finally let’s let Microsoft give us all the remaining bits of the scoop from their perspective.

As well as their tool to help mitigate the issue (platform specific tool download links at the bottom of the page).  Just read well to understand the tool and how it works before using!

And if you haven’t guessed it, this is just a new resurgence in an old exploit.

Yes my friend, only eat the cake if you dare….

--Claus V.
