Last Updated: 2008-09-07 10:54:43 UTC
by Daniel Wesemann (Version: 1)
Information Technology is a fast moving field, probably one of the most short-lived fields to be in from a continuing education perspective. This is why computer science and engineering education focuses so heavily on concepts and methodologies that stay valid even when the technology changes. I remember from years ago when I attended a forensic class that I was seriously annoyed at them teaching forensics based on FAT16, even though "everybody" was using NTFS by then. I sat through the class and it took a while until I realized that what they were teaching were the basic forensic moves of file system analysis that would remain unchanged, and in fact are still unchanged today.
A soggy weekend like this one, with the left-overs of hurricane Hanna drenching the east coast, is as good a time as any to brush up on some InfoSec skill that might come in handy in your day job. But with lots of things competing for our personal time nowadays, before you sink an hour or two into the latest white paper, ask yourself whether the paper will teach you a technique, concept or methodology of lasting value, or if it will teach you a short term or even vendor-centric tech hype.
As far as good reading goes, I actually like NIST special publications. I agree they are a bit dry and don't exactly make for entertaining reading, but hey, they are free, and especially when I'm reading a NIST paper on a topic that is outside my regular focus of work, I'm always left with a couple of concepts of lasting value. There are also many such nuggets available from the SANS reading room, though buried there between some not-so-exciting papers, and thus harder to find.
If, for your own continuing education, you make use of other free sources that teach long term InfoSec concepts rather than short term gimmicks, we would like to hear about them.
Last Updated: 2008-09-07 01:32:12 UTC
by Lorna Hutcheson (Version: 1)
Well, today wasn't exactly a tough handler's shift so I thought I would look in my spam folder for something interesting.
There is always something interesting in there, subject wise most are things which aren't even mentionable in public. However, in many of these emails are links and at the end of the link is the world of malware. So, I feel compelled to follow them (in a nice, safe environment). Today's attempt was a complete success on the first piece of spam I opened. Sure enough I found a nice executable at the other end just waiting to be downloaded. What a relaxing way to spend a Saturday, doing a little malware analysis.
I opened it in Ollydbg, got past the packer and took a look at the strings in the file. Sure enough, this file wasn't one filled with good intentions. If you a look at the strings below, you can see what I'm talking about at first glance.
Address Disassembly Text string
00401000 MOV EAX,1 (Initial CPU selection)
00401037 MOV DWORD PTR SS:[ESP+14],my_hots_.00410 ASCII "CbEvtSvc"
004010CB PUSH my_hots_.00410C04 UNICODE "-k"
004010DA PUSH my_hots_.00410C0C UNICODE "netsvcs"
0040110C PUSH my_hots_.00410C04 UNICODE "-k"
004014A5 MOV ECX,my_hots_.00410D58 ASCII " "
00401710 PUSH my_hots_.00410C3C ASCII "user"
00401731 PUSH my_hots_.00410C44 ASCII "os=%d&ver=%s&idx=%s&user=%s"
004018B5 PUSH my_hots_.00410C60 ASCII "%s&ioctl=%d&data=%s"
004018F4 PUSH my_hots_.00410C30 ASCII "126.96.36.199"
004018FD PUSH my_hots_.00410C78 ASCII "ldr/client03/ldrctl.php"
00401902 PUSH my_hots_.00410C90 ASCII "POST /%s HTTP/1.1
User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
00401C37 PUSH my_hots_.00410C30 ASCII "188.8.131.52"
00401C4A PUSH my_hots_.00410C30 ASCII "184.108.40.206"
0040340A PUSH my_hots_.00410EA8 ASCII "%s-%x"
00403561 PUSH my_hots_.00410EB0 ASCII "%s\%d.exe"
0040361A PUSH my_hots_.00410EC0 ASCII "D7EB6085-E70A-4f5a-9921-E6BD244A8C17"
00403915 PUSH my_hots_.00410EE8 ASCII "%d.%d.%d.%d"
00403B29 PUSH my_hots_.00410EF8 ASCII "CbEvtSvc.exe"
00403BC5 PUSH my_hots_.00410F08 ASCII "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
00403BD5 PUSH my_hots_.00410BF8 ASCII "CbEvtSvc"
I checked out the IP found in the strings above and grabbed its source code. The only thing on the page was this:
So now I'm wondering if this malware has fangs yet or if its being distributed in a trial mode. I launched the malware on
one of my VM windows images and found that it looked pretty benign. Here is where it started to get interesting. I used a
tool called RegShot to get a "before" snapshot of my machine state. After launching the malware I used it to get an "after"
snapshot of my machine state. There didn't seem to be any files dropped on my harddrive, however there is a mention of a
file above called "CbEvtSvc.exe". When I launched the malware, I also had some other tools running. I like to use other
tools too when I'm doing behavioral analysis like: RegMon, FileMon, ProcessExplorer, TCPView, etc. Both RegMon and FileMon show that CbEvtSvc.exe was busy on my system. As a matter of fact, FileMon had this entry:
3:11:24 PM my_hots_video.e:796 CREATE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Options: OverwriteIf Sequential Access: 00130196
3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 SUCCESS Change Notify
3:11:24 PM my_hots_video.e:796 SET INFORMATION C:\WINNT\system32\CbEvtSvc.exe SUCCESS Length: 87040
3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 SUCCESS Change Notify
3:11:24 PM my_hots_video.e:796 QUERY INFORMATION C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe SUCCESS Length: 87040
3:11:24 PM my_hots_video.e:796 WRITE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Offset: 0 Length: 65536
3:11:24 PM my_hots_video.e:796 WRITE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Offset: 65536 Length: 21504
3:11:24 PM my_hots_video.e:796 SET INFORMATION C:\WINNT\system32\CbEvtSvc.exe SUCCESS FileBasicInformation
3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 Change Notify
3:11:24 PM my_hots_video.e:796 CLOSE C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe
3:11:24 PM my_hots_video.e:796 CLOSE C:\WINNT\system32\CbEvtSvc.exe SUCCESS
So the file had been created, but where was it? I used explorer to look for it and found nothing. I then used cmd.exe to
look at the directory for the file and nothing was there. I thought maybe its hidden and I can reference it another way. From the command prompt, I tried to run the following command in system32 directory: dir *cb* and guess what, my window closed on me. I tried this method again and could find any other variety of files this way as long as it wasn't the first letters of that filename. Now I'm thinking rootkit capabilities...cool! Since my antivirus did not have issues when I downloaded the file using wget, I thought I'd throw it at a few sites and see what they thought of my new toy. Norman Sandbox provided this analysis which disturbed me:
my_hots_video : Not detected by Sandbox (Signature: NO_VIRUS)
[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: NO
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
[ General information ]
* File length: 87040 bytes.
* MD5 hash: 1f4d13b31116860e0a3b692052856941
VirusTotal provided me results showing 14/36 (38.89%) vendors had detection for this file. Not great coverage by any means, but at least some vendors know that its bad and have a signature for it.
I'm not done with this file yet, its rather interesting. What I really wanted to point out is that my tools did not provide me with accurate answers. Tools are simply that...just tools. As you work with malware, its important to have many ways to confirm your results. Its just as important NOT to totally rely on your tools to provide you with the answers. You HAVE to understand the tools your using. Don't become so dependant on one way of verifying something. I run many tools at the same time when I work with malware. Each has a different purpose as well as strengths and weaknesses. It's important to know them and not just rely on a single method. In essence you want to look at malware from many different angles and never forget that your tools are only so good and may not provide you with the right answer. Nothing can replace your analysis skills and your ability to understand what your seeing.