SANS ISC InfoSec Handlers Diary Blog

Staying current, but not too current

Published: 2008-09-07
Last Updated: 2008-09-07 10:54:43 UTC
by Daniel Wesemann (Version: 1)

Information Technology is a fast moving field, probably one of the most short-lived fields to be in from a continuing education perspective. This is why computer science and engineering education focuses so heavily on concepts and methodologies that stay valid even when the technology changes. I remember from years ago when I attended a forensic class that I was seriously annoyed at them teaching forensics based on FAT16, even though "everybody" was using NTFS by then. I sat through the class and it took a while until I realized that what they were teaching were the basic forensic moves of file system analysis that would remain unchanged, and in fact are still unchanged today.

A soggy weekend like this one, with the leftovers of Hurricane Hanna drenching the east coast, is as good a time as any to brush up on some InfoSec skill that might come in handy in your day job. But with lots of things competing for our personal time nowadays, before you sink an hour or two into the latest white paper, ask yourself whether the paper will teach you a technique, concept or methodology of lasting value, or whether it will teach you short-term or even vendor-centric tech hype.

As far as good reading goes, I actually like NIST Special Publications. I agree they are a bit dry and don't exactly make for entertaining reading, but hey, they are free, and especially when I'm reading a NIST paper on a topic that is outside my regular focus of work, I'm always left with a couple of concepts of lasting value. There are also many such nuggets available from the SANS reading room, though buried there between some not-so-exciting papers, and thus harder to find.

If, for your own continuing education, you make use of other free sources that teach long term InfoSec concepts rather than short term gimmicks, we would like to hear about them.

Keywords: education

Malware Analysis: Tools are only so good

Published: 2008-09-07
Last Updated: 2008-09-07 01:32:12 UTC
by Lorna Hutcheson (Version: 1)

Well, today wasn't exactly a tough handler's shift, so I thought I would look in my spam folder for something interesting. There is always something interesting in there; subject-wise, most are things which aren't even mentionable in public. However, many of these emails contain links, and at the end of the link is the world of malware. So, I feel compelled to follow them (in a nice, safe environment). Today's attempt was a complete success on the first piece of spam I opened. Sure enough, I found a nice executable at the other end just waiting to be downloaded. What a relaxing way to spend a Saturday, doing a little malware analysis.

I opened it in OllyDbg, got past the packer and took a look at the strings in the file. Sure enough, this file wasn't one filled with good intentions. If you take a look at the strings below, you can see what I'm talking about at first glance.
 
Address    Disassembly                               Text string
00401000   MOV EAX,1                                 (Initial CPU selection)
00401037   MOV DWORD PTR SS:[ESP+14],my_hots_.00410  ASCII "CbEvtSvc"
004010CB   PUSH my_hots_.00410C04                    UNICODE "-k"
004010DA   PUSH my_hots_.00410C0C                    UNICODE "netsvcs"
0040110C   PUSH my_hots_.00410C04                    UNICODE "-k"
004014A5   MOV ECX,my_hots_.00410D58                 ASCII " "
00401710   PUSH my_hots_.00410C3C                    ASCII "user"
00401731   PUSH my_hots_.00410C44                    ASCII "os=%d&ver=%s&idx=%s&user=%s"
004018B5   PUSH my_hots_.00410C60                    ASCII "%s&ioctl=%d&data=%s"
004018F4   PUSH my_hots_.00410C30                    ASCII "74.50.109.2"
004018FD   PUSH my_hots_.00410C78                    ASCII "ldr/client03/ldrctl.php"
00401902   PUSH my_hots_.00410C90                    ASCII "POST /%s HTTP/1.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: %s
Content-Length: %d

%s"
00401C37   PUSH my_hots_.00410C30                    ASCII "74.50.109.2"
00401C4A   PUSH my_hots_.00410C30                    ASCII "74.50.109.2"
0040340A   PUSH my_hots_.00410EA8                    ASCII "%s-%x"
00403561   PUSH my_hots_.00410EB0                    ASCII "%s\%d.exe"
0040361A   PUSH my_hots_.00410EC0                    ASCII "D7EB6085-E70A-4f5a-9921-E6BD244A8C17"
00403915   PUSH my_hots_.00410EE8                    ASCII "%d.%d.%d.%d"
00403B29   PUSH my_hots_.00410EF8                    ASCII "CbEvtSvc.exe"
00403BC5   PUSH my_hots_.00410F08                    ASCII "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
00403BD5   PUSH my_hots_.00410BF8                    ASCII "CbEvtSvc"
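The POST template and the two form strings in the listing above describe exactly what this loader's check-in looks like on the wire, which is what a defender can match on. The following is an added Python example, not code from the diary or from any tool it names: it parses a raw HTTP request and reports which structural traits of that template it exhibits. The two requests are constructed for the example, with made-up field values and a test address as the host; the path check assumes the exact path compiled into this sample.

```python
from urllib.parse import parse_qs

# Constructed request shaped like the POST template in the strings listing,
# with the %s/%d fields filled in with made-up values (host is a test address).
SAMPLE_REQUEST = (
    "POST /ldr/client03/ldrctl.php HTTP/1.1\r\nConnection: Close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: 198.51.100.7\r\nContent-Length: 36\r\n\r\n"
    "os=5&ver=1.0&idx=abc123&user=analyst"
)
# Constructed ordinary form post for comparison.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n\r\n"
    "user=analyst&pass=xyz"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body);
    header names are lower-cased, the body is what follows the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def beacon_indicators(raw):
    """Names of the structural traits of the loader's check-in that a request
    shows. The C2 address is deliberately not one of them: hosts change, the
    request template compiled into the binary does not."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and path.endswith("/ldr/client03/ldrctl.php"):
        hits.append("ldrctl_path")
    # The template repeats the header name ("User-Agent: User-agent: ..."),
    # something a real MSIE 6 never sends.
    if headers.get("user-agent", "").lower().startswith("user-agent:"):
        hits.append("doubled_user_agent")
    keys = set(parse_qs(body, keep_blank_values=True))
    if {"os", "ver", "idx", "user"} <= keys:       # os=%d&ver=%s&idx=%s&user=%s
        hits.append("checkin_form")
        if {"ioctl", "data"} <= keys:              # %s&ioctl=%d&data=%s
            hits.append("ioctl_form")
    return hits
```

Any one trait on its own is weak; the doubled User-Agent value together with the form keys is what separates this check-in from ordinary browser traffic.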



I checked out the IP found in the strings above and grabbed its source code.  The only thing on the page was this:


"<html><body><h1>It works!</h1></body></html>"


So now I'm wondering if this malware has fangs yet or if it's being distributed in a trial mode. I launched the malware on one of my VM Windows images and found that it looked pretty benign. Here is where it started to get interesting. I used a tool called RegShot to get a "before" snapshot of my machine state. After launching the malware, I used it to get an "after" snapshot of my machine state. There didn't seem to be any files dropped on my hard drive; however, there is a mention of a file above called "CbEvtSvc.exe". When I launched the malware, I also had some other tools running. I like to use other tools too when I'm doing behavioral analysis, like RegMon, FileMon, Process Explorer, TCPView, etc. Both RegMon and FileMon show that CbEvtSvc.exe was busy on my system. As a matter of fact, FileMon had this entry:

3:11:24 PM    my_hots_video.e:796    CREATE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Options: OverwriteIf Sequential  Access: 00130196   
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32    SUCCESS    Change Notify   
3:11:24 PM    my_hots_video.e:796    SET INFORMATION     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Length: 87040   
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32    SUCCESS    Change Notify   
3:11:24 PM    my_hots_video.e:796    QUERY INFORMATION    C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe    SUCCESS    Length: 87040   
3:11:24 PM    my_hots_video.e:796    WRITE     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Offset: 0 Length: 65536   
3:11:24 PM    my_hots_video.e:796    WRITE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Offset: 65536 Length: 21504   
3:11:24 PM    my_hots_video.e:796    SET INFORMATION     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    FileBasicInformation   
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32        Change Notify   
3:11:24 PM    my_hots_video.e:796    CLOSE    C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe    SUCCESS       
3:11:24 PM    my_hots_video.e:796    CLOSE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS       


So the file had been created, but where was it? I used Explorer to look for it and found nothing. I then used cmd.exe to look at the directory for the file, and nothing was there. I thought maybe it's hidden and I can reference it another way. From the command prompt, I tried to run the following command in the system32 directory: dir *cb*, and guess what, my window closed on me. I tried this method again and could find any other variety of files this way as long as it wasn't the first letters of that filename. Now I'm thinking rootkit capabilities...cool! Since my antivirus did not have issues when I downloaded the file using wget, I thought I'd throw it at a few sites and see what they thought of my new toy. Norman Sandbox provided this analysis, which disturbed me:

my_hots_video : Not detected by Sandbox (Signature: NO_VIRUS)


 [ DetectionInfo ]
   * Sandbox name: NO_MALWARE
   * Signature name: NO_VIRUS
   * Compressed: NO
   * TLS hooks: NO
   * Executable type: Application
   * Executable file structure: OK

 [ General information ]
   * File length:        87040 bytes.
   * MD5 hash: 1f4d13b31116860e0a3b692052856941


VirusTotal provided me with results showing that 14/36 (38.89%) vendors had detection for this file. Not great coverage by any means, but at least some vendors know that it's bad and have a signature for it.


I'm not done with this file yet; it's rather interesting. What I really wanted to point out is that my tools did not provide me with accurate answers. Tools are simply that...just tools. As you work with malware, it's important to have many ways to confirm your results. It's just as important NOT to totally rely on your tools to provide you with the answers. You HAVE to understand the tools you're using. Don't become so dependent on one way of verifying something. I run many tools at the same time when I work with malware. Each has a different purpose as well as strengths and weaknesses. It's important to know them and not just rely on a single method. In essence, you want to look at malware from many different angles and never forget that your tools are only so good and may not provide you with the right answer. Nothing can replace your analysis skills and your ability to understand what you're seeing.
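The cross-check this diary argues for can be made mechanical: FileMon saw a complete executable written into system32, while RegShot, Explorer and dir reported nothing, and it is the disagreement between tools that points at the hidden file. The following is an added Python example, not code from the diary or from any of the tools it names: it folds FileMon-style trace lines into one write record per path and compares them against what a directory listing claims is there. The trace lines are constructed for the example, modelled on the entries quoted above, and the directory listings are made up.

```python
import re
from dataclasses import dataclass

# Constructed FileMon-style trace, modelled on the lines quoted in the diary.
FILEMON_LOG = """\
3:11:24 PM    my_hots_video.e:796    CREATE    C:\\WINNT\\system32\\CbEvtSvc.exe    SUCCESS    Options: OverwriteIf Sequential  Access: 00130196
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\\WINNT\\system32    SUCCESS    Change Notify
3:11:24 PM    my_hots_video.e:796    SET INFORMATION    C:\\WINNT\\system32\\CbEvtSvc.exe    SUCCESS    Length: 87040
3:11:24 PM    my_hots_video.e:796    WRITE    C:\\WINNT\\system32\\CbEvtSvc.exe    SUCCESS    Offset: 0 Length: 65536
3:11:24 PM    my_hots_video.e:796    WRITE    C:\\WINNT\\system32\\CbEvtSvc.exe    SUCCESS    Offset: 65536 Length: 21504
3:11:24 PM    my_hots_video.e:796    CLOSE    C:\\WINNT\\system32\\CbEvtSvc.exe    SUCCESS
"""

@dataclass
class FileWrite:
    path: str
    writer: str          # "image:pid" as FileMon prints it
    declared: int = 0    # Length from SET INFORMATION, if any
    written: int = 0     # bytes covered by successful WRITE operations

def parse_filemon(text):
    """Fold a FileMon trace into one FileWrite per path that some process
    created or wrote. Columns are separated by runs of two or more spaces,
    so 'SET INFORMATION' (one space) stays a single column."""
    writes = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 5:
            continue
        _time, proc, op, path, result, *rest = cols
        if result != "SUCCESS" or op not in ("CREATE", "WRITE", "SET INFORMATION"):
            continue
        rec = writes.setdefault(path, FileWrite(path, proc))
        m = re.search(r"Length: (\d+)", " ".join(rest))
        if op == "WRITE" and m:
            rec.written += int(m.group(1))
        elif op == "SET INFORMATION" and m:
            rec.declared = int(m.group(1))
    return writes

def hidden_candidates(writes, dir_listing):
    """Paths the monitor saw written in full that a plain directory listing of
    the folder does not report. The discrepancy between the two tools, not
    either result alone, is the finding worth chasing."""
    visible = {name.lower() for name in dir_listing}
    return sorted(p for p, w in writes.items()
                  if w.written and w.written == w.declared
                  and p.rsplit("\\", 1)[-1].lower() not in visible)
```

A path that shows up here is a reason to go back with a third, independent view (an offline mount of the disk image, for instance) rather than a reason to trust either tool.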

Keywords: malware tools