
SANS ISC: Responding to "Copyright Lawsuit filed against you" - SANS Internet Storm Center SANS ISC InfoSec Forums


Responding to "Copyright Lawsuit filed against you"

The Scenario:

Let's say you're responsible for responding to an email like the one reported here: https://isc.sans.org/diary.html?storyid=8497

Assess:

Is this email a problem?

It certainly appears to be appealing to the recipient's fears with the scary legal language.  There's a typo or two in there that might make you suspicious.  Real or not, a document like this should be brought to the attention of your security/legal departments.  So it's likely a problem of one sort or another.

What is it?

You could start by checking into the source of the email and the domain hosting the link.  In this case, the originator appears to be a mail server for a small city.  The domain has been around for nearly a year, but its registration was updated just a few days ago.  Domaintools.com is your friend.

If you're equipped for it, you may want to start by checking out the document by pulling it down to a safe machine.  In my case it's a unix box, since the file appears to be a Word document.  I craft a simple wget script to pull the file down while looking like a vulnerable version of IE.

# Fetch the URL given as $1, keeping any cookies the server sets and presenting an IE6 user-agent string
wget --save-cookies=./cookies -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)" "$1"

Curiosity getting the better of me, I look at the file a bit and see:

{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1515;}\viewkind4\uc1\pard\lang1033\f0\fs20{\object\objemb{\*\objclass Package}\objw795\objh765{\*\objdata
01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164
6d696e6973747261746f725c4465736b746f705c332e69636f000000030010000000433a5c434f
4d504c417e312e45584500107400004d5a90000300000004000000ffff0000b800000000000000
400000000000000000000000000000000000000000000000000000000000000000000000d00000
000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072
756e20696e20444f53206d6f64652e0d0d0a240000000000000009d117d84db0798b4db0798b4d
b0798b4db0788b51b0798b2faf6a8b48b0798b4b93728b49b0798b8ab67f8b4cb0798bb2907d8b
4cb0798b526963684db0798b00000000000000000000000000000000504500004c0104000fd8a9
4b0000000000000000e0000f010b010600001e00000052000000000000c02a0000001000000030
00000000400000100000000200000400000000000000040000000000000000a000000004000000
000000020000000000100000100000000010000010000000000000100000003033000052000000
...

Yeah, that doesn't look good: an RTF carrying an embedded Package object whose data starts with an MZ header and the "This program cannot be run in DOS mode" stub.  Let's calculate an md5sum and see what others think of it.

$ md5sum suit_documents.doc
6db76304a2aff6bef94364b86abd8b7f  suit_documents.doc
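The triage above (spot the Package object, notice the MZ header and DOS stub in the hex, hash the thing) can be scripted so it is repeatable the next time a "document" like this shows up. The following is an added example, not code from the diary or from ISC: it decodes every \objdata blob in an RTF, reports the OLE class, hashes the payload, pulls printable strings the way strings(1) would, and flags a PE signature. The sample RTF and the bytes inside it are constructed for the example, and the file names in it are hypothetical; the OLE header fields are laid out like the diary's dump but the parser does not depend on that layout.

```python
import hashlib
import re
import string

# Constructed sample (not the diary's file): a minimal RTF whose embedded
# "Package" object carries bytes that look like the start of a PE file.
# The file names inside are hypothetical; the "executable" is four header
# bytes, padding and the DOS-stub string, nothing that runs.
PAYLOAD_BYTES = (
    b"\x01\x05\x00\x00"                          # OLE 1.0 object header version
    + b"\x02\x00\x00\x00"                        # format id 2: embedded object
    + b"\x08\x00\x00\x00Package\x00"             # class name, as in the diary dump
    + b"\x00" * 8                                # reserved
    + b"docs.pdf\x00"                            # display label the victim sees
    + b"C:\\Users\\victim\\Desktop\\3.ico\x00"    # hypothetical source path
    + b"MZ\x90\x00" + b"\x00" * 60               # MZ magic and padding
    + b"This program cannot be run in DOS mode.\r\r\n$"
)

def _wrap(hexdata: str, width: int = 78) -> str:
    """Break the hex into lines the way RTF writers do."""
    return "\n".join(hexdata[i:i + width] for i in range(0, len(hexdata), width))

SAMPLE_RTF = (
    "{\\rtf1\\ansi\\ansicpg1252\\deff0{\\fonttbl{\\f0\\fswiss\\fcharset0 Arial;}}\n"
    "\\viewkind4\\uc1\\pard\\lang1033\\f0\\fs20{\\object\\objemb{\\*\\objclass Package}"
    "\\objw795\\objh765{\\*\\objdata\n" + _wrap(PAYLOAD_BYTES.hex()) + "\n}}\\par}"
)

OBJCLASS_RE = re.compile(r"\\objclass\s+([^}]+)}")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)}")
DOS_STUB = b"This program cannot be run in DOS mode"

def extract_objdata(rtf: str) -> list:
    """Decode every \\objdata hex blob in the RTF into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        blobs.append(bytes.fromhex(hexdata[: len(hexdata) & ~1]))  # drop a stray nibble
    return blobs

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, like the strings(1) tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(rtf: str) -> dict:
    """Report what is hiding inside the RTF's OLE objects."""
    report = {"objclass": OBJCLASS_RE.findall(rtf), "objects": []}
    for blob in extract_objdata(rtf):
        mz = blob.find(b"MZ")
        stub = blob.find(DOS_STUB)
        report["objects"].append({
            "size": len(blob),
            "md5": hashlib.md5(blob).hexdigest(),      # for the VirusTotal/ThreatExpert lookup
            "sha256": hashlib.sha256(blob).hexdigest(),
            "embedded_pe": mz != -1 and stub > mz,     # MZ magic followed by the DOS stub
            "strings": printable_strings(blob),        # labels, paths, stub text
        })
    return report

def is_suspicious(report: dict) -> bool:
    """A Packager object wrapping a PE is an executable dressed up as a document."""
    return "Package" in report["objclass"] and any(o["embedded_pe"] for o in report["objects"])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RTF), indent=2))
```

Run it against a real sample by reading the file into `triage()` instead of `SAMPLE_RTF`; the md5 it prints is what you paste into the hash searches below, and the strings list usually gives away the lure name the victim would have seen.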

Since you're a lone responder and don't have an army of reverse engineers on your staff, we'll use this hash to see what the group-mind knows about it.

I use the hash search at VirusTotal to see if someone's already working on this: http://www.virustotal.com/buscaHash.html

In this case, this yields the following results: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269529133

Some interesting things come back: we learn that this is likely some sort of downloader disguised as a document.

I'll also search http://www.threatexpert.com/ by the md5sum to see if it has already been analyzed.  In this case it hasn't.  I could ship it off there for analysis, or to one of the other fine sandbox tools such as Anubis (http://anubis.iseclab.org) or CWSandbox (http://mwanalysis.org/).

Looking at the earlier diary entry, we see results from Anubis showing some network activity.  Now we have a couple of things to look for to measure impact:

  • Email details to search our mail-logs to determine who received the lure message.
  • The URL of the initial downloader to see who clicked on it and brought it into the network.
  • The network behavior of a system that executed the code.

How bad is it for us?

Using those details, it's time to evaluate the impact this attack has had on your firm.  If anyone downloaded the file, or there is evidence of a machine reaching out for the next stage, then you pull your malware incident response document off the shelf and follow it.  We all have differing levels of documentation to refer to, but there's always some sort of plan, even if it's "update resume."
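The three searches listed above (who received the lure, who fetched the document, who reached for the next stage) are the greps that take a while to run. As an added example, not code from the diary, here is the same assessment scripted over a couple of constructed log excerpts: the mail-log and proxy-log formats are simplified ones invented for the example, and the sender, lure URL and next-stage host are placeholders, so against real logs you would swap in your own regexes and the indicators from your own investigation. It also handles the case the diary warns about, a host that beacons to the next stage without any proxy record of the download.

```python
import re
from urllib.parse import urlsplit

# Indicators from the investigation. These are placeholders for the real
# sender, lure URL and next-stage host, which are not reproduced here.
INDICATORS = {
    "sender": "sender@mail.example-city.invalid",
    "subject": "Copyright Lawsuit filed against you",
    "lure_url": "http://lure.example.invalid/suit_documents.doc",
    "next_stage_host": "c2.example.invalid",
}

# Constructed sample logs in a simplified format (not real captures).
MAIL_LOG = """\
2010-03-25T10:01:02 mx1 from=<sender@mail.example-city.invalid> to=<alice@corp.example> subject="Copyright Lawsuit filed against you"
2010-03-25T10:01:05 mx1 from=<newsletter@vendor.example> to=<bob@corp.example> subject="Weekly update"
2010-03-25T10:02:11 mx1 from=<sender@mail.example-city.invalid> to=<carol@corp.example> subject="Copyright Lawsuit filed against you"
"""

PROXY_LOG = """\
2010-03-25T10:05:40 10.0.0.12 GET http://lure.example.invalid/suit_documents.doc 200 application/msword
2010-03-25T10:05:41 10.0.0.33 GET http://www.example.com/index.html 200 text/html
2010-03-25T10:06:15 10.0.0.12 GET http://c2.example.invalid/get.php?id=1 200 application/octet-stream
2010-03-25T10:06:20 10.0.0.45 GET http://c2.example.invalid/get.php?id=2 200 application/octet-stream
"""

MAIL_RE = re.compile(r'from=<([^>]+)> to=<([^>]+)> subject="([^"]*)"')
PROXY_RE = re.compile(r"^\S+ (\S+) (\S+) (\S+) (\d{3})")

def lure_recipients(mail_log: str, ind: dict = INDICATORS) -> set:
    """Mailboxes that received the lure, matched on sender or subject."""
    hits = set()
    for line in mail_log.splitlines():
        m = MAIL_RE.search(line)
        if not m:
            continue
        sender, rcpt, subject = m.groups()
        if sender.lower() == ind["sender"].lower() or subject == ind["subject"]:
            hits.add(rcpt)
    return hits

def proxy_clients(proxy_log: str, url_matches) -> set:
    """Client addresses whose requested URL satisfies url_matches()."""
    hits = set()
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if m and url_matches(m.group(3)):
            hits.add(m.group(1))
    return hits

def assess_impact(mail_log: str, proxy_log: str, ind: dict = INDICATORS) -> dict:
    """Tie the three searches together into one picture of exposure."""
    received = lure_recipients(mail_log, ind)
    downloaded = proxy_clients(proxy_log, lambda url: url == ind["lure_url"])
    # Beaconing to the next stage is the strongest sign the code actually ran,
    # even for a host with no proxy record of the download.
    beaconing = proxy_clients(
        proxy_log, lambda url: urlsplit(url).hostname == ind["next_stage_host"])
    return {
        "received": received,
        "downloaded": downloaded,
        "beaconing": beaconing,
        "clients_to_contain": downloaded | beaconing,
    }

if __name__ == "__main__":
    for k, v in assess_impact(MAIL_LOG, PROXY_LOG).items():
        print(f"{k:>20}: {sorted(v)}")
```

In the sample, 10.0.0.45 never fetched the document through the proxy but is talking to the next-stage host, so it lands in `clients_to_contain` anyway; that is the gap a download-only search would miss.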

Protect

While you're assessing the impact (greps take a while to run sometimes), you have some information you can use to protect the people in your network: email addresses and URLs to block, and malware to submit to your vendor (assuming it's not already on the VirusTotal list, like mine wasn't).  Acting quickly on this protection phase makes your clean-up phase go easier.

Respond/Clean-up

Now that you have your list of machines that were exposed and your malware incident response document handy, you follow it to make your systems and network all shiny and clean.

Report

This step is important. 

In my environment, my boss likes to know what it is that I'm doing in the dark data closet.  So keeping track of the event, its impact, etc. is good not only for tracking the incident, but also for review time.

When you were researching the IP that sent the email and the host serving the URL (you still have that up in a browser, right?), it is also critical that you report it to the abuse contacts.  Send a kind email reporting the issue (they'll likely get a few reports, and most of them might not be so kind), which helps more than just your own environment.

Learning from Others/Helping Others

You will want to follow a similar process in response to events reported here and in other blogs and media.  It not only helps protect you from what is hitting other folks, but you may also uncover a gap in your internal detection process.

By submitting malicious URLs to proxy-filter vendors, and malware to AV vendors, you help protect not only your environment, but also your neighbors.  If fewer of your neighbors are getting infected, then that's fewer spam-bots and phishing sites that eventually target you.

Kevin Liston

292 Posts
ISC Handler
Besides submitting bad URLs to http://www.google.com/safebrowsing/report_badware/ what other sites take submissions?

FWIW, for banking type scams there is: http://www.phishtank.com/ and a membership is required.
Andrew

41 Posts
To expand Bluecoat's K9 database you can check/submit URLs here: .k9webprotection.com/support/…
Kevin Liston

292 Posts
ISC Handler

Thank you, this is an excellent post. It has both strategic and tactical value.
Kevin Liston
17 Posts
