Derbycon 2015 wrap up

Before I get to my Derbycon 2015 wrap-up, I have to set the stage (bear with me, I’ll try not to ramble on too long).

Intro

In 2009 two big things happened in my life. The first big thing: the floor was dropping out from under me when I lost a job in IT due to the economy and through no fault of my own. It was a terrible time and IT support jobs were drying up. The job market was going through a major shift. Which leads to…. The second big thing: it was time to reinvent myself, as the work I was doing was boring and I wanted to avoid another situation like this. I discovered the growing field of Information Security. So the journey began, which led me to Bsides Detroit 2011. I’d found my new passion. Also that year, I attended the first Derbycon in 2011. I was all in and that experience helped me grow career-wise and as a person.

(Too long? I tried to get to the point, trust me….. It’s relevant…..)

About a year ago I started my current role. When the opportunity was there to submit my training requests, I had only one thought: DerbyCon.

Friday

My plane arrived late Thursday night taking the most scenic route possible (Detroit to Philly, Philly to Louisville). Unfortunately I didn’t get as much sleep as I had hoped. I wanted to make it for the start.

Welcome to the Family begins. As I’m listening to the intro, no truer words had been spoken. This conference was like a big family. Infosec is a small community, as I’ve found out since 2011 when I attended my first security conference, and nothing drives that home any deeper than having attended a few conferences.

First up, Jordan Harbinger from the Art of Charm and Social Engineering podcast delivers the keynote. Jordan isn’t a technical guy, he even says so. He’s started his own company, The Art of Charm, and it’s about building social capital and becoming better socially, and as his LinkedIn profile says regarding Art of Charm; “Where ordinary guys become extraordinary men.” So out of the chute, it’s about relationships, family. Jordan killed it on the keynote.

Next up was “Information Security Today and in the Future” with HD Moore, Ed Skoudis, John Strand, Chris Nickerson, Kevin Johnson and Katie Moussouris, hosted by David Kennedy.

This was a great panel and a lot of good conversations. It’s well worth checking out.

Next up was lunch. You can run hackers all day long but you’ve got to break and throw them a burger or two along with some caffeine.

After that, I attended HallwayCon. The ever illustrious infosec conference staple where those who aren’t watching a talk start their own conversations, recharge phones and tablets (part of what I did).

Next on the list I had hoped to see “Python for Infosec”, but I didn’t get in in time and figured “I’ll catch it on video”, so I went over to “Stealthier Attacks and Smarter Defending with TLS Fingerprinting” by Lee Brotherston. This was a very interesting presentation and I definitely walked away having learned a thing or two…. and I’m looking forward to carving out time to investigate the tools he released. As I’m writing this I found out the Python for Infosec talk had no audio. #sadpanda

Next on the agenda, Honeypots for Active Defense – Greg Foss from LogRhythm. This was a great talk as I do love to hear others implementing and talking about their findings with honeypots. Greg has definitely sparked some ideas I took notes on that I do plan on working on soon.

So after that talk, the next talk that intrigued me was Red vs. Blue: Modern Active Directory Attacks & Defense – Sean Metcalf “@PyroTek3”. Sean is seriously a mad crazy smart dude and one of only 100 who hold the Microsoft Certified Master Directory Services. This talk showed me how deep Active Directory can go. It was definitely a great talk and I highly suggest watching it.

Next up, back to HallwayCon, this time due to how tight the seating was in the previous talk. My only complaint about DerbyCon this year… a lot of the talks were VERY packed. So after one of those, I had to step out and enjoy some personal space.

My next talk I went to, was down in the Stable talks.

Backdooring Git – John Menerick was a very good and interesting talk as one of the things on my list is to learn more about Github.

Detecting phishing attacks with DNS reconnaissance – Mike Saunders – This one was extremely good. It’s definitely sparked some ideas combined with the DNSMiner talk (but more on that one later).

Hacking Web Apps – Brent White – Another good talk. I am weak when it comes to the web app space and I try to challenge myself to see more web app related talks to try to pick up more.

Sticky Honey Pots – Paul J. Vann – So by the abstract alone it sounded intriguing. What made it even more intriguing, the presenter was a 9th grader!! The kid was very smart and advanced and had a very good presentation. It hit home with me as my son just started preschool. I look forward to exposing him to the hacker culture and conferences to see if he likes it.

At this point, my day was done. I’m not much of a bar guy and, counting that I had only 3 hours of sleep, I went back, wound down and called it a night.

Saturday

Decent night of sleep was had. Relaxation was achieved. Off to Day 2.

OSINT for AppSec: Recon-ng and Beyond – Tim Tomes “lanmaster53” – This one jumped out at me as I am weak in the AppSec area and I knew only the surface level of Recon-ng. WOW, am I ever glad that I did attend this one.

Introducing the RITA VM: Hunting for bad guys on your network for free with math. – John Strand – Derek Banks – Joff Thyer – Brian Fehrman – This talk was one of the top 5 that I was looking forward to and it did deliver. I can’t wait to dig into this project further. It was a great great talk.

Next, was back to HallwayCon. I had visited some vendor booths, gained too many t-shirts and topped off the phone charge again. It would help if I weren’t tweeting so much or reading other tweets during some talks.

Gray Hat PowerShell – Ben Ten (@ben0xa) – Ben always delivers a great presentation. There are some people who exude the confidence and have the charm for a group of people. Ben is one of a few Powershell masters I’ve talked with being a part of Misec.

WhyMI so Sexy? WMI Attacks – Real-Time Defense – and Advanced Forensic Analysis – Matt Graeber – Willi Ballenthin – Claudiu Teodorescu – The Powershell lovefest continued. While this talk wasn’t specific on Powershell, Matt Graeber is an admitted Powershell fanboy. These guys are mad wicked smart and gave a great presentation on WMI.

Next up, to the Stable talks again.

Tool Drop: Free as in Beer – Scot Berner – Jason Lang – It was a great presentation and I got to learn some strategies people use in scripting out a tool to solve an immediate problem.

At this point I joined up with Mr @malware_traffic himself and some of his friends for lunch at Gordon Biersch Brewery Restaurant. The burger was pretty good.

After that, I wanted to catch Medical Devices: Pwnage and Honeypots – Scott Erven “windshield wipers” – Mark Collao. This was a pretty fascinating talk and it reflected on how vendors still fail with default passwords and other areas of fail.

I originally wanted to catch How to ruin your life by getting everything you ever wanted. – Chris Nickerson but after a few too many talks that were tighter than the airplane ride I flew in on, I thought “Catch it on video”. I found out later that it was an extremely moving and powerful talk. I just watched it today, and no offense to the guys who did the medical devices talk, I am kicking myself for not attending. The talk Chris gave is extremely moving and powerful because he ain’t putting on any schtick. I was completely blown away and have some mad serious respect for the guy and all he’s done for the industry that saved me from a mundane career of fixing Windows issues and building standardized corporate images.

So by this point, it was back to HallwayCon. It was during HallwayCon that I ran into some of the Misec guys, including David Schwartzberg (@DSchwartzberg, one of the nicest guys you could ever meet). He was participating in the scavenger hunt. One of the things he was looking to do was to get 25 people running backwards up the escalator. After he talked with the DerbyCon security staff, we did it. I made a big mistake in participating only for one reason, I didn’t ask someone “Hey can you keep an eye on these backpacks?” and after adding in some of the conference swag, my backpack wasn’t the lightest. So the line started and I brought up the end of the line. Running up a fast escalator being out of shape = hard. Running up a fast single lane escalator being out of shape with a heavy backpack on your back = sheer stupidity. But, I did complete it. I almost face planted at the end as those last few steps were rougher than I expected. But… during the run, by the time I got to the top, I had apparently dropped my Fitbit Flex strapped loosely to my wrist (apparently too loose).

But, due to DerbyCon being about family and the overall culture of the tight knit Infosec community, someone picked it up for me.

One mission I had on the trip down was to get some Kentucky Bourbon Barrel Ale. I had heard great things about it and since it didn’t seem like Michigan had any, when in Kentucky, you seek out bourbon (ale in this case for me). While it wasn’t Kentucky Bourbon Barrel Ale, GoodWood Brewery Bourbon Barrel Ale was on tap in the lobby. I have only one word to describe this beer:
Holycrapthatwassomefantasticbeermmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.

It was dinner time and I had met someone over at Dish on Market to have dinner with. It was definitely a great conversation I had with @ammonsphoto. After some dinner I headed back to my room for the night. My back was a bit sore and I definitely didn’t feel up to partying, besides, my hotel was 20 minutes away, so…

Sunday

Is That a Router in Your Pocket or are You Trying to P0wn Me? – Michael Vieau – Kevin Bong – A very interesting talk. I had learned that using OpenWRT it was possible to remove some stuff for those tiny router flashes and be able to put in the tools you want.

Next, DNS Miner – A semi-automatic Incident response and threat intelligence tool for small – over worked security teams – Doug Leece – AJ Leece. This was a talk that really captured my attention prior and I’m glad I went. I do plan on looking more into this project as I can see some interesting things coming from this.

Next, LongTail SSH Attack Analysis – Eric Wedaa. Mr Wedaa did a great job of capturing attention, as honeypots always get people’s attention at security conferences, especially if the presentation is good.

Next? Lunch of course, then some HallwayCon as well, of course.

Last talk of the day for me was Intrusion Hunting for the Masses – A Practical Guide – David Sharpe. Another talk I found fascinating by the abstract and it definitely delivered.

And so the conference was done as closing ceremonies began.

I made the mistake of not getting in line soon enough. So there was an additional room where you could see what they were showing on the screen but you couldn’t see those on the stage. So at this point, I threw in the towel and headed off to the airport.

Last but not least

DerbyCon 2015 was great. I can see why many people make this their main conference. It has a great environment (a bit tight during some talks) and good people going as well as putting on the conference and volunteering as well.

Earlier I briefly summarized the path that led me to Information Security. It’s conferences like this that make me glad I moved my career to Information Security. I never witnessed or knew of any regional conferences for Windows support folks. It’s conferences like this that help inspire me and other folks to contribute to the community as a whole.

I’m glad I got to meet some new people and such, and I’m grateful for the knowledge and ideas I gained.

Hope I can make DerbyCon 2016.

Dear Google (rant of a disappointed Android fan)

Dear Google,

The time has come for my next phone upgrade and although I am an Android fan, we’ve got to take a 2 year break and I’m giving Apple another chance.

When I first got a smart phone I went with Android on the T-Mobile G1. It was different than the iPhone and AT&T had it exclusively. You won me over with all the things Android could do. But you lost me on the shitty battery life. So when the time came around for a new phone, I wanted better battery life and the iPhone wasn’t just at AT&T.

I really didn’t want to get an iPhone. The stigma of “the cult of Apple” was strong.  I didn’t want a “status symbol” that a lot people treat their iDevice as. I wanted functionality. I despised with an unbelievable loathing and burning hatred iTunes. But……. The reviews on battery life for iPhone were great compared to the available Android phones at the time. So I went to the “dark side”….. and it was good.

I had no really big issues with this phone.  I had a few small complaints but I was not converted to “fan boy” status. I can be honest about technology I use.  The battery life was great.  It was phenomenal the day my son was born and would not have been able to last 1/3 of the way through what I put it through that day.

As my contract was getting close to being done, I started looking again at Android. Around this time is when I discovered Samsung and the beginning of the size increase of phones, call it the “pre phablet” time. Now you’ve got my attention!! But how is it on battery life??!! After some research I’m convinced and get a Samsung Galaxy S4. I’m back with Android!!

As I was playing with my new S4, I noticed some things that bug me, and in many ways I’m probably not the first to complain about these.

1. Bloatware (Carrier AND vendor provided).
I’d honestly be fine with the bloatware if I could uninstall it but if I can’t then it bothers me. But what makes it worse is the Samsung Hub.

The Samsung Hub was their app store. Everyone has an “app store”. It takes up 50 Meg on my phone. Sometime in 2014 they took down the Hub….. but you can’t get rid of it! REALLY?! I have to keep an app that prompts a message saying “We’re sorry. If you want apps install Galaxy Apps….. but you can’t get rid of The Hub”.

Don’t get me started on the Sprint apps.

2. Security updates
We all know the story. Vendors don’t push out updates so they can push you to just upgrading handsets.

But really Google it’s time to take a page from Apple’s book. Everyone takes pages from everyone’s play book. Apple has taken plenty from Android’s play book with the notifications and the Apple watch and a lot of other interesting features that started with Android. Microsoft has taken a page from the Unix world with Powershell. Let’s be honest….. Everyone does it!!

1. Bloatware – Restrict vendors and carriers so they cannot set it up where the user can’t uninstall the crapware. If the app is so good people can leave it on but give them the choice. Yes, Apple has some apps you can’t get rid of short of rooting/jailbreaking the phone but they’re not defunct app stores or something like that, they’re just a few stupid apps (Maps, Stocks, Safari to name a few).

2. Security updates – Why Google hasn’t taken the route of making updates available via their site is beyond me. I’m sure I’m looking at it too simplistically and easily admit to not being an Android specialist and knowing and understanding their overall ecosystem.
If Apple hadn’t taken another page from the Android vendors’ play book with the 6 Plus, I wouldn’t be saying this but…..

You’ve lost me for this cycle. I’m getting an iPhone 6 Plus. While I do appreciate the openness of the Android platform,  vendors and carriers are screwing it up for you and inspiring people who aren’t fanboys and those who will buy a NotApple product before anything.

When the time comes when my 6 Plus is to be replaced,  I will entertain the next batch of Android phones that will be available.  I don’t expect the security updates issue to be addressed or even the bloatware issue to be addressed but if you ever want to TRULY come up with the one and true iPhone killer, you need to make some changes.

Phishing email #malware analysis PWS:Win32/Zbot – Part 3 (host behavior: 1 of 2)

Host based analysis

Objective

This is a continuation of the overall Phishing email malware analysis PWS:Win32/Zbot blog posts I wrote:

  1. Part 1 – This was the introduction into the spam email I luckily checked to find this little gem in a password protected attachment (and they were nice enough to include the password too!!)
  2. Part 2 – This was the network behavior analysis I ran on this malware as it does try to “call home”.

The goal for Part 3 is to get a better understanding of what is going on under the hood when the malware is executed. This was intended, for all intents and purposes, to be one post using the data I extracted from a Process Monitor run, but to include the file, process, and registry activity on top of putting it all together (the data pertinent to the malware) would have been a bit much, so I took a cue from Tarantino (after asking a few friends’ opinions) and decided to split it into two parts.

(I thought I would try something different. Due to the width of this theme, you’re going to have to scroll over in the frame below to get to the good stuff. )

A quick note

My apologies for not getting this done sooner. I guess my only defense is “life happens”. Reality, it was part Converge/Bsides Detroit, part “life with a toddler”, with a mix of everyday life (including an upcoming job change for the better).

I had originally thought that this would be something I could run through real quick, but I had overestimated. I had originally captured 3 samples using Process Explorer. Each sample had about a notch over 1 million events. I had originally just started attempting to comb through manually thinking “this shouldn’t take long” and then I started discovering that it’s either use filters or forget it. While my CSV scripting skills leave a bit to be desired to comb through data, I’ll call this incentive for next run to see if I can get it done faster. So, with no further ado, here we go.

Process Activity

If you don’t feel like scrolling, here is the embedded spreadsheet.

So what can be gathered from this information?

  1. 9:45:03.5627178 PM – the process is created by double clicking the Invoice_06.04.2014.pdf.scr and it runs with a /S switch
    • Are there any other switches that can be run via the command line?
    • This is color coded in green
  2. 9:45:04.5837508 PM – Invoice_06.04.2014.pdf.scr starts the upeqe.exe process at C:\Users\keith\AppData\Local\Temp\Etteva\upeqe.exe
    • This is more than likely the malware setting up persistence by running the backup of itself that was made.
    • The File System activity should be able to identify when this copy is made.
    • This is color coded by the blue/”dark cyan 1″ (according to Google Docs) line
  3. Invoice_06.04.2014.pdf.scr and upeqe.exe create threads
    • I had this in another sheet but decided to remove it. Unsure if it’s even important or if this is “normal” activity
  4. 9:45:05.6715395 PM – Invoice_06.04.2014.pdf.scr creates a process and runs “C:\Windows\system32\cmd.exe” /c “C:\Users\keith\AppData\Local\Temp\CQV2090.bat”
    • What is this batch file doing? This one has me really intrigued.
    • This one is color coded red with yellow letters.
  5. 9:45:05.9865492 PM – Invoice_06.04.2014.pdf.scr process exits with Exit Status: 0. 
    • Once it has made a backup of itself and ran it, is this the beginning of the end of Invoice_06.04.2014.pdf.scr?
    • This is color coded light purple
  6. 9:45:06.0210210 PM – conhost.exe starts this process, Command line: \??\C:\Windows\system32\conhost.exe “7004549161928483034-634817172-12620106904102454541647554162437855351-2089999309”
    • What is this? Does it mean anything? Is this normal?
    • This one is color coded by the orange line
  7. 9:45:07.1049881 PM – winmail.exe process starts, Command line: “C:\Program Files\Windows Mail\WinMail.exe” -Embedding
    • Malware initiated this process as I didn’t open WinMail.exe
  8. 9:45:20.7850986 PM – RunDLL32.exe starts this command, Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll
    • This happened because the Windows firewall was set to default and it prompted to allow or block upeqe.exe access out
    • I let it out…. of course!

File Activity

If you don’t want to deal with the scrolling, you can open the document here.

So what can be gathered from this information?

  1. 9:45:03.2873373 PM – Invoice_06.04.2014.pdf.scr is executed. (We can tell this from the IRP_MJ_CREATE operation.)
  2. 9:45:03.6118215 PM – The prefetch file is created. (I’m unsure why it says “NAME NOT FOUND” in the results.)
    • The first line with the green fill
  3. 9:45:03.6509365 PM – Invoice_06.04.2014.pdf.scr tries to run about 13 or 14 different DLL’s from the same folder. The result is “NAME NOT FOUND”. (This one makes sense why it says it.)
    • I filtered on these specifically due to their interesting nature. What I don’t have showing is that right after each DLL fails from the C:\tools\Malware\tazdrummer\Invoice_06.04.2014 folder, it runs successfully from the C:\Windows\SysWOW64 folder.
    • These lines are filled in with blue
  4. 9:45:04.1169446 PM – C:\Users\keith\AppData\Local\Temp\Etteva folder is created.
    • This is color coded in purple.
  5. 9:45:04.1173293 PM – upeqe.exe file is created at C:\Users\keith\AppData\Local\Temp\Etteva
    • This is where the malware has created a copy of itself.
  6. 9:45:04.1257302 PM – hyil.raj is created at C:\Users\keith\AppData\LocalLow
  7. 9:45:04.1258986 PM – hyil.raj is deleted at C:\Users\keith\AppData\LocalLow ?
    • What the heck is this?
    • It gets created to get deleted?
    • This is color coded in orange.
  8. 9:45:04.5805563 PM – Invoice_06.04.2014.pdf.scr had an IRP_MJ_CLEANUP operation.
    • Looking up IRP_MJ_CLEANUP to get a better understanding, I originally had the initial impression that when IRP_MJ_CLEANUP was completed, it meant the file was closing all handles. This isn’t necessarily the case.
    • Further down at 9:45:21.2195979 PM, the same operation is completed, but this time it’s initiated by the cmd.exe process.
    • This may be interesting to come back to.
    • I suspect this is where it’s performing the clean up once it’s established persistence.
    • This is color coded with red fill and yellow letters.
  9. 9:45:04.5912261 PM – The upeqe.exe prefetch file is created.
    • Again…. NAME NOT FOUND… I’m unsure of this. A prefetch WAS created… right?
    • This is color coded in green
  10. 9:45:04.5972809 PM – upeqe.exe exhibits the same behavior as what was documented in item # 3
    • These lines are color coded the same blue as well.
  11. 9:45:05.1700510 PM – We have what appears to be our first registry edit. upeqe.exe is writing to C:\Users\keith\NTUSER.DAT
  12. 9:45:21.2195979 PM – cmd.exe had an IRP_MJ_CLEANUP operation at this path, C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr.
    • I suspect this is where it’s performing the clean up once it’s established persistence.
    • This is color coded with red fill and yellow letters.
  13. 9:45:05.5885604 PM – Invoice_06.04.2014.pdf.scr creates C:\Users\keith\AppData\Local\Temp\CQV2090.bat
  14. 9:45:05.5889865 PM – Invoice_06.04.2014.pdf.scr runs C:\Users\keith\AppData\Local\Temp\CQV2090.bat
  15. 9:45:05.5890497 PM – Invoice_06.04.2014.pdf.scr deletes C:\Users\keith\AppData\Local\Temp\CQV2090.bat
    • I don’t know about you, but I want to see what’s in that file.
    • In the Process Activity, at 9:45:05.6715395 PM, Invoice_06.04.2014.pdf.scr runs the C:\Windows\SysWOW64\cmd.exe process and runs this command: “C:\Windows\system32\cmd.exe” /c “C:\Users\keith\AppData\Local\Temp\CQV2090.bat”
    • These events are color coded in orange again.
  16. 9:46:05.5233069 PM – upeqe.exe accesses DNSAPI.dll
    • This one really piqued my curiosity. Is this really important?
    • This is color coded with light red fill and orange letters
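The process and file activity lists above were pulled out of a million-plus-event Process Monitor capture by filtering by hand. As an added example, not code from the original post, here is a small Python triage script that does the same correlation over a ProcMon CSV export: it flags executables that one process writes and then launches (the upeqe.exe self-copy), and files that are created and marked for deletion within seconds, noting whether any process command line referenced them in between (the CQV2090.bat create-run-delete and the hyil.raj blip). It assumes the default ProcMon CSV columns and the standard (non-IRP) operation names; the embedded rows are constructed from the timestamps and paths in this post, and the Detail strings are made up.

```python
"""Triage a Process Monitor CSV export for dropper behaviour.

Added example (not code from the original post). Assumes the default
Process Monitor CSV columns and standard operation names; sample rows are
constructed from the post's timestamps and paths, Detail text is made up.
"""
import csv
import io
from datetime import datetime

# Constructed sample export: paths and times from the post, Detail strings invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:45:03.5627178 PM","Explorer.EXE","1400","Process Create","C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr","SUCCESS","PID: 2468, Command line: ""C:\tools\Malware\tazdrummer\Invoice_06.04.2014\Invoice_06.04.2014.pdf.scr"" /S"
"9:45:04.1173293 PM","Invoice_06.04.2014.pdf.scr","2468","CreateFile","C:\Users\keith\AppData\Local\Temp\Etteva\upeqe.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"9:45:04.1257302 PM","Invoice_06.04.2014.pdf.scr","2468","CreateFile","C:\Users\keith\AppData\LocalLow\hyil.raj","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"9:45:04.1258986 PM","Invoice_06.04.2014.pdf.scr","2468","SetDispositionInformationFile","C:\Users\keith\AppData\LocalLow\hyil.raj","SUCCESS","Delete: True"
"9:45:04.5837508 PM","Invoice_06.04.2014.pdf.scr","2468","Process Create","C:\Users\keith\AppData\Local\Temp\Etteva\upeqe.exe","SUCCESS","PID: 2512, Command line: ""C:\Users\keith\AppData\Local\Temp\Etteva\upeqe.exe"""
"9:45:05.5885604 PM","Invoice_06.04.2014.pdf.scr","2468","CreateFile","C:\Users\keith\AppData\Local\Temp\CQV2090.bat","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"9:45:05.5890497 PM","Invoice_06.04.2014.pdf.scr","2468","SetDispositionInformationFile","C:\Users\keith\AppData\Local\Temp\CQV2090.bat","SUCCESS","Delete: True"
"9:45:05.6715395 PM","Invoice_06.04.2014.pdf.scr","2468","Process Create","C:\Windows\SysWOW64\cmd.exe","SUCCESS","PID: 2540, Command line: ""C:\Windows\system32\cmd.exe"" /c ""C:\Users\keith\AppData\Local\Temp\CQV2090.bat"""
"9:46:05.5233069 PM","upeqe.exe","2512","Load Image","C:\Windows\SysWOW64\DNSAPI.dll","SUCCESS","Image Base: 0x10000000, Image Size: 0x20000"
'''


def parse_time(text):
    """ProcMon writes 7 fractional digits; datetime accepts only 6, so truncate."""
    clock, meridian = text.split(" ")
    hms, frac = clock.split(".")
    return datetime.strptime(f"{hms}.{frac[:6]} {meridian}", "%I:%M:%S.%f %p")


def load_events(csv_text):
    """Parse the export and return rows sorted by time ("_t" holds the datetime)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["_t"] = parse_time(row["Time of Day"])
    return sorted(rows, key=lambda r: r["_t"])


TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\locallow\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def find_dropped_and_run(events):
    """Executables written by one process and later started as a new process."""
    written = {}  # lower-case path -> (writing process, write time)
    hits = []
    for e in events:
        path, detail = e["Path"].lower(), e["Detail"].lower()
        if e["Operation"] == "CreateFile" and path.endswith(".exe") and "disposition: create" in detail:
            written[path] = (e["Process Name"], e["_t"])
        elif e["Operation"] == "Process Create" and path in written:
            writer, t0 = written[path]
            hits.append({
                "dropped": e["Path"], "written_by": writer, "launched_by": e["Process Name"],
                "delay_s": (e["_t"] - t0).total_seconds(),
                "in_temp": any(m in path for m in TEMP_MARKERS),
            })
    return hits


def find_transient_files(events, max_age_s=5.0):
    """Files created and marked for deletion within max_age_s seconds.

    A file counts as executed if its path appears in any process command
    line in the capture, whatever order the events were logged in.
    """
    cmdlines = " ".join(e["Detail"].lower() for e in events if e["Operation"] == "Process Create")
    created, hits = {}, []
    for e in events:
        path, detail = e["Path"].lower(), e["Detail"].lower()
        if e["Operation"] == "CreateFile" and "disposition: create" in detail:
            created[path] = e["_t"]
        elif e["Operation"] == "SetDispositionInformationFile" and "delete: true" in detail and path in created:
            age = (e["_t"] - created[path]).total_seconds()
            if age <= max_age_s:
                hits.append({
                    "path": e["Path"], "lifetime_s": age,
                    "executed": path in cmdlines, "is_script": path.endswith(SCRIPT_EXT),
                })
    return hits


def triage(csv_text):
    """Run both detections over one CSV export and return the findings."""
    events = load_events(csv_text)
    return {"dropped_and_run": find_dropped_and_run(events),
            "transient_files": find_transient_files(events)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_CSV).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Against a real export, replace SAMPLE_CSV with the file contents; because the deletion check is keyed on the path and the command-line check scans the whole capture, the batch file is still reported as executed even though ProcMon logged its deletion a few milliseconds before the cmd.exe Process Create event.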

Summary

From the information pulled and analyzed from the Process Monitor log extraction, we can see that this piece of malware is rather busy and there is definitely “more than meets the eye” behind the scenes.

We can see the following so far;

  1. Double clicking the malware it runs with a command line switch of /s
  2. It creates a copy of itself in a semi hidden location (you’re not going to see it by default in the standard user folder structure view, but if you know where to look, you can find it)
  3. The malware somehow runs the copy of itself
  4. A batch file is created for a short time and then is gone.
    • Is this how the malware starts the process for the copy it made?
  5. The malware is apparently gathering information.
    • Why else would it run the default mail program?
    • What other information is it looking for?
  6. I have to include this…. Unless you’ve set up some major filtering and know what events you’re looking for regarding a particular event happening at the analysis time, use filtering afterwards as it will save on your sanity combing through potentially multiple hundreds of thousands of events.

My goal for the next few blog posts will be as follows:

  • Part 3 (2 of 2) – In this I will give an analysis of the registry activity I analyzed from the Process Explorer log extraction. I also am aiming to tie all of the important events into a timeline to show how the malware progressed through the system. (At least that is the goal… after all, the original goal was this would be one blog post, not a Kill Bill style posting).
  • Part 4 – In this blog post I plan to do an analysis of a memory image I took that was used in the Bsides Detroit 2014 Tri City CTF using Volatility.

Etc.

I’d love to hear feedback on these postings. While this is my first full analysis I’ve done and documented, I’d love to hear if I’ve missed an obvious step or if I’m on the wrong path with how I am analyzing this malware sample. I’m using this process as a learning experience and want to continue to grow in skill and knowledge from it, so I’m open to any feedback.

Phishing email #malware analysis PWS:Win32/Zbot – Part 2 (network behavior)

Network behavior analysis

Objective

  • To give the malicious software the most comfortable environment to run in

    • The focus is to study from a network perspective to allow better detection signatures and rules set up to allow further detection

First run – Lab configuration

  • Windows XP SP2 – VirtualBox

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.200, Gateway – 169.254.236.100

    • Snapshot taken – Network configuration in place, BGInfo giving the network information on the wallpaper

      • Malware is running on this system

  • Debian 7.06 – LXDE

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.100

      • Wireshark capturing data

First run – Running of the exec

  1. Malware is run. Fifteen to twenty seconds after the malware is run, the malicious traffic attempts start.

  2. Then (and seemingly this has happened only one other time during dynamic analysis: run, watch, restore) it calls out to the following IP’s.

    • 174.16.157.26

    • 130.37.198.90

    • 203.80.102.213

    • 88.68.117.47

    • 75.99.113.250

    • 184.166.216.26

    • 212.235.62.68

    • 172.245.217.122

    • 24.231.61.81

    • 27.110.203.125

    • 221.193.254.122

    • 183.87.238.127

    • 198.50.128.48

    • 82.127.150.123

    • 85.64.52.205

    • 24.78.17.137

    • 79.119.228.199

    • 219.77.136.199

    • 76.234.37.14

  3. Malware attempts to look for www.google.com and then www.bing.com

    • Which two sites are most likely to be allowed through any corporate web filtering and be seen as “normal activity”?

  4. Next the domain generation algorithm calls begin.

  5. Somewhere in the mix, the hard coded IP’s are attempted to connect to between a bunch of DGA URL calls.

  6. Infected system was restored.

[Image: First_Run-Part1]

First run – Observations

  1. There is a short time between when the malware is run and when the network activity starts

  2. Initial run included hard coded IP addresses in the chain of events

    1. Hard coded IP’s

    2. Google and Bing

    3. DGA URL’s

  3. There is a definite domain generation algorithm as the URL’s didn’t seem to follow a pattern

    1. Over two separate runs, it didn’t seem to repeat a URL.
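The three buckets in the observations above (hard coded IP’s, the Google/Bing lookups, and DGA URL’s that never repeat between runs) can be separated mechanically. As an added example that is not part of the original post, the Python below classifies a simplified capture summary: a connection to an address that no DNS answer ever returned is treated as hard coded, the two sanity-check hosts are matched by name, and every other query name is scored with a length/entropy/consonant-run heuristic for generated labels; a second function reports which DGA candidates recur across runs. The record layout, the DGA-looking names, the second constructed run (where the sanity-check host resolves to a lab box) and the thresholds are all constructed for this example; the IP addresses are the ones listed above.

```python
"""Split one run's DNS queries and connections into the three buckets above.

Added example (not code from the original post). Record layout, DGA-looking
names and heuristic thresholds are constructed; IPs are the ones listed above.
"""
import math
from collections import Counter

# The two hosts the sample looked up before its DGA traffic (from the post).
SANITY_CHECK_HOSTS = {"www.google.com", "www.bing.com"}

# Constructed capture summaries: ("dns", query name, answer IPs) or ("conn", destination IP).
# The first run had no resolver, so every lookup goes unanswered.
RUN_ONE = [
    ("conn", "174.16.157.26"),
    ("conn", "130.37.198.90"),
    ("dns", "www.google.com", []),
    ("dns", "www.bing.com", []),
    ("dns", "qzvxkrtplmwnd.com", []),    # constructed DGA-style name
    ("conn", "203.80.102.213"),
    ("dns", "hjdlpqoweurytz.net", []),   # constructed DGA-style name
]
# A second constructed run where the sanity-check host resolves to a lab box.
RUN_TWO = [
    ("dns", "www.google.com", ["192.168.56.103"]),
    ("conn", "192.168.56.103"),
    ("dns", "bkwtfmzqlprsdn.com", []),   # constructed DGA-style name
]


def shannon_entropy(text):
    """Bits of entropy per character over the label's character distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    """Length of the longest run of consonants (y counted as a vowel)."""
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        best = max(best, run)
    return best


def looks_generated(host):
    """Heuristic DGA check on the second-level label; thresholds are constructed."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= 10 and (shannon_entropy(sld) >= 3.0 or longest_consonant_run(sld) >= 5)


def classify_run(records):
    """Bucket one run's records; connections to never-resolved IPs are hard coded."""
    resolved = set()
    out = {"hardcoded_ip": [], "sanity_check": [], "dga_candidate": [],
           "other_dns": [], "resolved_conn": []}
    for rec in records:
        if rec[0] == "dns":
            _, name, answers = rec
            resolved.update(answers)
            if name.lower() in SANITY_CHECK_HOSTS:
                out["sanity_check"].append(name)
            elif looks_generated(name):
                out["dga_candidate"].append(name)
            else:
                out["other_dns"].append(name)
        else:
            _, dst = rec
            (out["resolved_conn"] if dst in resolved else out["hardcoded_ip"]).append(dst)
    return out


def repeated_dga_names(*runs):
    """DGA candidates seen in every run; empty matches the 'no repeats' observation."""
    sets = [set(classify_run(r)["dga_candidate"]) for r in runs]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for label, run in (("first run", RUN_ONE), ("second run", RUN_TWO)):
        print(label, classify_run(run))
    print("repeated across runs:", repeated_dga_names(RUN_ONE, RUN_TWO))
```

The entropy threshold is deliberately loose; it is meant to surface candidates for a human to look at, not to replace the packet capture, and a real feed would be built from the DNS query and TCP SYN records Wireshark already shows.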

Second run – lab configuration

  • Windows XP SP2 – VirtualBox

    • Network configuration – Attached to Host-only adapter

    • DHCP IP address – 192.168.56.102

    • Snapshot taken – Network configuration in place, BGInfo giving the network information on the wallpaper

      • Malware is running on this system

  • Debian 7.06 – LXDE

    • Network configuration – Attached to Host-only adapter

    • DHCP IP address – 192.168.56.103

      • Wireshark capturing data

    • iNetSim running

      • Default configuration

      • www.google.com cloned locally

        • This was an attempt to see how the malware acts once it can reach Google first (since the first run the first domain it tried to call was Google)

Second run – Running of the exec

  1. Malware is run. Fifteen to twenty seconds after the malware is run, the malicious traffic attempts start.

  2. DNS request for www.google.com returns 192.168.56.103 (Debian system)

  3. The HTTP GET request to www.google.com is made

[Image: Second_Run-Part1]

  1. After so many HTTP GET’s, it then tries an HTTP POST

[Image: Second_run-Part2]

Second run – Observations

  1. After so many HTTP GET’s, it starts running HTTP POST every few. Is it in the code for specific URL’s to attempt to post to?

  2. Running iNetSim and pointing the DNS requests to one system makes for a somewhat confusing PCAP.

    1. This is why, in the third run, the setup is a bit more expanded.

Third run – lab configuration

  • Windows XP SP2 – VirtualBox (infected host)

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.200, DNS – 192.168.56.2, Gateway – 169.254.236.100

    • Snapshot taken – Network configuration in place, BGInfo giving the network information on the wallpaper

      • Malware is running on this system

  • Debian 7.06 – LXDE – VirtualBox (capture traffic, run iNetSim – Google.com)

    • Network configuration Attached to Internal Network

    • Static IP address – 169.254.236.100

    • Network configuration Attached to Host-only adapter

    • DHCP IP address – 192.68.56.101

  • Remnux – VirtualBox (run iNetSim – one of the DGA’s)

    • Network configuration Attached to Host-only adapter

    • DHCP IP address – 192.168.56.102

  • Remnux – VirtualBox (run iNetSim – one of the DGA’s)

    • Network configuration Attached to Host-only adapter

    • DHCP IP address – 192.168.56.103

  • Ubuntu Server – VirtualBox (Running bind pointing to all of the above servers)

    • Network configuration Attached to Host-only adapter

    • Static IP address – 192.168.56.2

Third run – Running of the exec

I’ll be honest, this was a bit of a flop. I tried analysing the domain generation algorithm output from multiple runs to see if any domain repeated.

It didn’t work.

I also ran a few packet captures to try to find any particular domains whose HTTP GET was followed by an HTTP POST. The plan was to hard-code two of those DGA domains into a zone on the bind server.

It didn’t work either (the malware never tried to call out to either of the hard-coded domains).

So I have no packets to show for this one. Well, nothing you haven’t already seen higher up in this post.

Third run – Observations

  1. Standing up a DNS server and hoping the malware gets lucky and calls out to the one or two magic domains I pointed at it is a bit of a stretch. (I did learn a lot about bind FWIW.)

  2. I had previously tried running FakeDNS to point different domains at multiple machines with no luck. My original thought, “if I’m having problems with FakeDNS, why not build a real DNS server”, was a bit of a stretch, but lessons learned are never a bad thing.

  3. When in doubt, punt.

    1. I sent out the #Misec distress call on Twitter since I had thoroughly hit the wall with the level of complexity I was trying to achieve with the bind server (one IP address tied to many DGA domains). @jwgoerlich, part Nick Fury and part good Terminator sent from the future, pointed me toward @ninjasl0th, who pointed me to a fantastic tool called DNSChef from @_iphelix (home page – https://thesprawl.org/). Thanks guys!!

    2. And this leads to…. (the final run for this part…. for now…. )
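What DNSChef does for this lab is simple to state: whatever name the infected host asks for, answer with the address of the INetSim box. The following is an added example, not this post’s own code and not DNSChef, of a responder that does exactly that in plain Python: it parses the question section of each UDP query and hands back an A record for one configured sink address (anything that is not an A query gets an empty NOERROR so the client moves on). The listen and sink addresses are assumptions, the build_query helper exists only to construct a sample datagram for an offline check, and the domain used in that check is one seen in the capture further down. One caveat worth remembering from the struggle above: the address you bind to has to be one the responder’s own host actually holds, and nothing else (iNetSim’s DNS module included) can be sitting on UDP/53 at the same time.

```python
"""Answer every DNS question with one sink address (the job DNSChef --fakeip does here).

Added example, not the post's own code and not DNSChef.  Parses the question
section of a raw UDP query and returns an A record for the configured IP so that
every DGA domain the sample generates resolves to the INetSim box."""
import socket
import struct
import sys


def parse_qname(packet: bytes, offset: int):
    """Decode a length-prefixed label sequence at offset; return (name, next_offset).
    Compression pointers never appear in a query's question, so they're rejected."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, offset_after_question) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(packet, 12)
    qtype, _qclass = struct.unpack_from("!HH", packet, off)
    return txid, qname, qtype, off + 4


def build_response(query: bytes, fake_ip: str, ttl: int = 60) -> bytes:
    """Echo the question back and answer A queries with fake_ip.
    Non-A queries get an empty NOERROR so the client moves on quickly."""
    txid, _qname, qtype, q_end = parse_query(query)
    rd = struct.unpack_from("!H", query, 2)[0] & 0x0100
    flags = 0x8400 | rd | 0x0080            # QR + AA, RD copied from query, RA, rcode 0
    if qtype == 1:                          # A record
        # name = pointer to the question name at offset 12, type A, class IN, rdlength 4
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(fake_ip)
        ancount = 1
    else:
        answers, ancount = b"", 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + query[12:q_end] + answers


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive query datagram (used for offline checks;
    the resolver on the infected host sends the same bytes)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(listen_ip: str, fake_ip: str, port: int = 53) -> None:
    """Bind listen_ip:port (listen_ip must be an address THIS host holds) and answer forever."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _txid, qname, qtype, _ = parse_query(data)
            sock.sendto(build_response(data, fake_ip), peer)
            print(f"{peer[0]} asked {qname} (type {qtype}) -> {fake_ip}")
        except ValueError as exc:
            print(f"ignored datagram from {peer[0]}: {exc}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        serve(sys.argv[1], sys.argv[2])      # e.g. 192.168.56.102 192.168.56.102 (assumed lab addresses)
    else:
        # offline self-check on a constructed query for a domain seen in the capture
        q = build_query("pzydvgtkzpeirkfexpjaxrgmfd.info")
        print(build_response(q, "192.168.56.102").hex())
```

Point the infected host’s DNS at the box running this (the static DNS entry in the XP network settings above) and every generated domain, whatever TLD the algorithm picks, resolves to the sink; the PCAP then shows one DNS answer per query instead of the NXDOMAIN noise that a real resolver would return.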

Fourth run – lab configuration

  • Windows XP SP2 – VirtualBox (infected host)

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.200, DNS – 192.168.56.102, Gateway – 169.254.236.100

    • Snapshot taken – Network configuration in place, BGInfo giving the network information on the wallpaper

      • Malware is running on this system

  • Debian 7.06 – LXDE – VirtualBox

    • Network configuration – Attached to Internal Network

    • Static IP address – 169.254.236.100

    • Network configuration – Attached to Host-only adapter

    • DHCP IP address – 192.168.56.101

      • capture traffic

  • Remnux – VirtualBox

    • Network configuration – Attached to Host-only adapter

    • DHCP IP address – 192.168.56.102

      • iNetSim – standard configuration (minus DNS, which DNSChef handles)

      • DNSChef
        • ./dnschef.py --interface 192.168.56.101 --fakeip 192.168.56.101

Fourth run – Running of the exec

  1. The malware is run. Fifteen to twenty seconds later, the malicious traffic attempts start.

  2. Connection attempts are made to the static IP addresses listed in the first run.

      • 174.16.157.26

      • 130.37.198.90

      • 203.80.102.213

      • 88.68.117.47

      • 75.99.113.250

      • 184.166.216.26

      • 212.235.62.68

      • 172.245.217.122

Fourth_run-Part1

  1. The HTTP GET and POST requests start

Fourth_run-Part2

Fourth run – observations

  1. It was observed in a previous packet capture that after certain HTTP GET requests the next packet would be an HTTP POST.

First packet

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: pzydvgtkzpeirkfexpjaxrgmfd.info
Connection: Close

HTTP/1.1 200 OK
Server: INetSim HTTP Server
Connection: Close
Content-Length: 258
Content-Type: text/html
Date: Mon, 02 Jun 2014 01:11:50 GMT

Second packet

POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 340
X-ID: 1414

HTTP/1.1 200 OK
Server: INetSim HTTP Server
Connection: Close
Content-Length: 258
Content-Type: text/html
Date: Mon, 02 Jun 2014 01:11:51 GMT

  1. I created a write folder in the following location on the Remnux system, but nothing was written to it. iNetSim’s fake HTTP server answers every path with its canned page and does not store request bodies under wwwroot, so the POST data was never going to land there.

    • /var/lib/inetsim/http/wwwroot/
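To actually see what the sample sends in that POST /write, the sink has to keep the body. Here is an added example, not this post’s own code and not iNetSim, of a minimal catch-all HTTP server in Python that answers every GET and POST with a 200 and a canned page, the way iNetSim does, but also writes each request body to disk named by its SHA-256 and appends a one-line JSON record (method, path, Host, X-ID, length) to requests.jsonl. The output directory ./postdata is an assumption, not an iNetSim path; the demo() helper replays the two requests shown above with a constructed 340-byte stand-in for the body, since the page does not include the real payload.

```python
"""Catch-all HTTP sink that keeps what the sample POSTs.

Added example, not the post's own code and not INetSim.  Like INetSim's fake http
service it answers every GET/POST with 200 and a canned page, but it also saves
each request body to disk and appends a one-line JSON record per request."""
import hashlib
import json
import os
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CANNED_PAGE = b"<html><body>ok</body></html>\n"   # stands in for INetSim's default page
OUT_DIR = "./postdata"                              # assumed location; not an INetSim path


def record_request(method: str, path: str, headers, body: bytes, out_dir: str) -> dict:
    """Persist body (named by its SHA-256, so repeated beacons dedupe) and return
    the metadata record that is also appended to out_dir/requests.jsonl."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    digest = hashlib.sha256(body).hexdigest()
    os.makedirs(out_dir, exist_ok=True)
    saved_to = None
    if body:
        saved_to = os.path.join(out_dir, digest + ".bin")
        with open(saved_to, "wb") as fh:
            fh.write(body)
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "method": method,
        "path": path,
        "host": hdrs.get("host"),
        "x_id": hdrs.get("x-id"),
        "content_length": len(body),
        "sha256": digest,
        "saved_to": saved_to,
    }
    with open(os.path.join(out_dir, "requests.jsonl"), "a") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


class SinkHandler(BaseHTTPRequestHandler):
    out_dir = OUT_DIR

    def _handle(self, method: str) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length > 0 else b""
        record_request(method, self.path, self.headers, body, self.out_dir)
        self.send_response(200)
        self.send_header("Server", "INetSim HTTP Server")   # keep the sample's view of the world unchanged
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(CANNED_PAGE)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(CANNED_PAGE)

    def do_GET(self) -> None:
        self._handle("GET")

    def do_POST(self) -> None:
        self._handle("POST")

    def log_message(self, fmt, *args) -> None:
        pass   # records go to requests.jsonl instead of stderr


def demo() -> list:
    """Replay the GET and the POST /write seen in the capture into a temp dir.
    The 340-byte body is a constructed stand-in; the real payload is not on the page."""
    import tempfile
    out = tempfile.mkdtemp(prefix="sink-")
    return [
        record_request("GET", "/", {"Host": "pzydvgtkzpeirkfexpjaxrgmfd.info"}, b"", out),
        record_request("POST", "/write", {"Host": "default", "X-ID": "1414"}, b"\x00" * 340, out),
    ]


def serve(bind_ip: str = "0.0.0.0", port: int = 80, out_dir: str = OUT_DIR) -> None:
    """Run the sink; port 80 needs root, and INetSim's http service must be off."""
    SinkHandler.out_dir = out_dir
    ThreadingHTTPServer((bind_ip, port), SinkHandler).serve_forever()


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

Run serve() on the box the fake DNS points at, with iNetSim’s http service disabled so port 80 is free; the .bin files are what you then take to a hex editor, and the X-ID values in requests.jsonl tell you whether the sample is tagging each check-in.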

This concludes (for now) my network behavioral analysis of this variant.

On an interesting side note, I submitted one of the pcaps I captured to VirusTotal. Here are the results.

  1. VirusTotal pcap submission

PCAP file! The file being studied is a network traffic capture; when studying it with intrusion detection systems, Snort triggered 8 alerts and Suricata triggered 4 alerts.

Wireshark file metadata

File encapsulation: Ethernet
File type: Wireshark – pcapng
Number of packets: 5371
Data size: 8960017 bytes
Start time: 2014-05-01 03:54:09
End time: 2014-05-01 03:57:01
Capture duration: 172 seconds

HTTP requests

[+] GET http://www.google.com/
Request datetime: 2014-05-01 03:55:35.136400
Request user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Contacted host: 192.168.56.103:80
Server response code: 200
Response content sha256: c9d1b14e2548d2fe84274c8df1c2bbc2f3c4e30ee7327cebe162dc961775fa7c
Response content file type: HTML document, ASCII text, with very long lines

[+] GET http://tkwkwytytkfxwnjroobaxqjrvxc.info/
Request datetime: 2014-05-01 03:55:36.674263
Request user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Contacted host: 192.168.56.103:80
Server response code: 200
Response content sha256: 69d8d2589495cc1de8dbda6a35a21dc273fa64811213050702096d8efbfa9103
Response content file type: HTML document, ASCII text, with very long lines

[+] GET http://xzpqfulpylfahymnyhylgqckn.org/
Request datetime: 2014-05-01 03:55:38.211770
Request user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Contacted host: 192.168.56.103:80
Server response code: 200
Response content sha256: 69d8d2589495cc1de8dbda6a35a21dc273fa64811213050702096d8efbfa9103
Response content file type: HTML document, ASCII text, with very long lines

[+] GET http://uwktplrdspftceipjkfpo.net/
Request datetime: 2014-05-01 03:55:39.749917
Request user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Contacted host: 192.168.56.103:80
Server response code: 200
Response content sha256: 69d8d2589495cc1de8dbda6a35a21dc273fa64811213050702096d8efbfa9103
Response content file type: HTML document, ASCII text, with very long lines

[+] GET http://pvmjrwdadiztoyxbagbqwohinovcm.com/
Request datetime: 2014-05-01 03:55:41.300534
Request user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Contacted host: 192.168.56.103:80
Server response code: 200
Response content sha256: 69d8d2589495cc1de8dbda6a35a21dc273fa64811213050702096d8efbfa9103
Response content file type: HTML document, ASCII text, with very long lines

 DNS requests

aulbbiwslxpvvphxnjij.biz 192.168.56.103

demrkpworsoblppffydpvlbht.biz 192.168.56.103

kbyhhatcculbpjnjbpfirairwtgc.biz 192.168.56.103

lbaybazlntrcwkvsxxchskwkkb.biz 192.168.56.103

nvgmytbewxtomrkhatokhl.biz 192.168.56.103

Snort alerts (Sourcefire VRT ruleset)

INDICATOR-COMPROMISE Suspicious .ru dns query (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus outbound connection (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus variant outbound connection attempt (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected (A Network Trojan was Detected)

Suricata alerts (Emerging Threats ETPro ruleset)

ET TROJAN Possible Zeus GameOver Connectivity Check (A Network Trojan was Detected)

ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic)

ET USER_AGENTS Internet Explorer 6 in use – Significant Security Risk (Potential Corporate Privacy Violation)

ET TROJAN Zeus GameOver Checkin (A Network Trojan was Detected)

Final

If you wish to see the packet captures, you can grab them from my Google drive folder I shared.

#Facepalm or #malwarefail (you pick, too funny not to share)

As I am winding down after a great day with my two sons, I’m in my lab wanting to do some studying. I end up searching online for I can’t remember what. (It’s been a long day, it’s 1:00am and I was asleep 30 minutes ago.) I stumble upon a site that redirects me to this….

[Screenshot: malwarefail]

Only one word came to mind…

So, of course I download it; after all, my Microsoft Linux Version 7 needed a driver update and I’ll be damned if I’m going to let sleep get in my way.

Since it is late, I submitted the file to Malwr.com, an online front end to Cuckoo Sandbox run by the Shadowserver Foundation.

https://malwr.com/analysis/ZDI0NDdiYjRlOTg4NGFmOTg5NTY2ZTQzOGExYmVlZGU/

This one may be worthy of sacrificing an old Compaq, load it up with Microsoft Linux 7 and see what happens.

 

Phishing email malware analysis PWS:Win32/Zbot – Part 1

A few weeks ago I decided to check my Spam folder. Usually it’s a plethora of World of Warcraft phishing attempts or emails from compromised accounts/computers of people I know. But tonight, I hit the aspiring malware analyst’s jackpot… a phishing email with an attachment!!

The email

from:

Compromised User <$compromised_user@whatever.site>

to:

sweetmisery1984@gmail.com

date:

Mon, Apr 7, 2014 at 3:46 PM

subject:

Sales Receipt 113491

Good afternoon!

Order Number: 10012746

Contents of your purchase:
Cart ID: 5837
Vendor Product ID: WF-131491
Product Description: Vendor site cart purchase
Product Name: Cart Purchase
Quantity: 1
Your payment method is: WebMoney USD.

Total: 330.36 (USD)

Invoice details is in the attached ZIP-file. Password:   485893094
***********************************************

Thank you for your business.

* Please do not reply to this email. Your response will not be received. Please visit our website to contact us about your order.

Unfortunately I forgot to take a screenshot of the email (I thought I saved it, but it would seem the save feature ignores emails marked Spam) but, the text gets the point across.

  1. The email address it’s addressed to obviously isn’t me.
  2. I would expect an automated “do not reply, it won’t be received” sender address to be something a tad generic, not someone’s first and last name.
  3. An attachment…. but wait… the file extension was rar (and the email says “zip”).
  4. Look, they were nice enough to include the password!!

This is a perfect opportunity to test out my lab laptop and run some static and dynamic analysis on this “Invoice”.

Test environment

To start off my testing, I will be using four VirtualBox systems

  1. Windows XP SP 2 (LUCKYVICTIM1) = System that will be compromised (over and over and over)
  2. Windows 7 SP1, up to date patches (LuckyVictim2) = System that will be compromised (over and over and over)
  3. Debian 7.07 LXDE = Part router (to capture packets), part fake DNS (iNetSim, fakedns.py, etc)
  4. Remnux = Further analysis of the malicious file using the great distro Lenny Zeltser put together

The Debian system will be using two NICs (most of the time): one will be the gateway for the Windows XP system, to capture the initial traffic, and the other will go out to the Internet (when the time is right, of course).

Disclaimer

  1. I am not a professional malware analyst/forensics analyst…. yet. Given my current job as a SOC analyst, I see that as a natural progression in my career, and it is ultimately what I am working towards by building my skills and knowledge at home and documenting it in this blog.
  2. This is my first real write up and first real analysis. I’d appreciate any feedback on what I could have covered or what I might have missed.

Initial analysis

After getting all the tools in place, network card settings set, and a snap shot taken, the rar file was opened.

From this screenshot, it’s obvious that this file is suspicious.

Seems legit right

But it gets better: with the default settings of Windows XP (“Hide extensions for known file types” is on, and .scr is a known type), the real extension is hidden, so Invoice_06.04.2014.pdf.scr shows up as Invoice_06.04.2014.pdf. That plays perfectly into the social engineering: if it has a PDF icon and the visible file name says it’s a PDF, it must be a PDF, right? Any user without that basic level of knowledge would probably have run the file, especially with an icon they already know and are familiar with.

PDF eh

Prior to running, I ran some of the great tools that are on the Remnux distribution:

===================================
File: Invoice_06.04.2014.pdf.scr
Size: 799232 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 09472a4b57b832039b8965487ddf6898
SHA1: 901732c5cbd433fead1e5251dafc7a7547124eb3
ssdeep: 12288:MmOpQv98Q6MPdqDxHsntRqeZU5Xzf+dmbIanzNmUfsKjmnLNjN:MsFyYqDxHg8KMDPIaL0WuN
Date: 0x53428000 [Mon Apr 7 10:37:52 2014 UTC]
EP: 0x402b1c .text 0/4
CRC: Claimed: 0x0, Actual: 0xd317f [SUSPICIOUS]

From the above we have hashes to pivot on (MD5, SHA1, ssdeep), a compile timestamp, the entry point sitting in .text, and a claimed PE checksum of 0 that does not match the computed value. No known packer signature was reported, which is what “not packed” rests on here; a missing signature only means no known packer matched, so section entropy is worth a look before trusting that.

A packed executable is a compressed executable. Packing is meant to reduce the overall size of the code and to add a level of obfuscation that makes the analysis process more challenging. While there are 25 different packers listed on Wikipedia, there are occasions where a custom packer was created to make analysis even more difficult. I haven’t dealt with one of those yet, but I have seen articles on how to handle them.
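The header facts the Remnux scan reported (entry point and its section, claimed versus computed checksum, timestamp) come from a few dozen bytes of the PE headers, and the first packer heuristic most analysts reach for is per-section entropy. Below is an added example, not the page’s tool and not pefile, of a pure-Python triage routine that parses those fields, computes the PE image checksum and each section’s Shannon entropy, and, via with_checksum(), writes the computed value back so you can confirm the two then agree. build_sample_pe() constructs a synthetic two-section PE32 for an offline run (it is not the Invoice sample); its section names, RVAs and sizes are made up, and only the timestamp is borrowed from the scan above.

```python
"""Pure-Python PE triage: hashes, entry point, claimed vs computed checksum, section entropy.

Added example; not the Remnux tool whose output is quoted above and not pefile.
It parses just enough of the headers to reproduce those fields and adds the usual
first packer heuristic, per-section Shannon entropy."""
import hashlib
import math
import struct
import time

def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE/COFF image checksum: add every dword except the (4-aligned) CheckSum
    field with end-around carry, fold to 16 bits, then add the file length."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform. Packed or encrypted
    sections typically score above 7; plain x86 code sits around 6."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def _optional_header_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + 4 + 20                   # past "PE\0\0" and the 20-byte COFF file header

def triage(data: bytes) -> dict:
    """Report the fields the scan above showed, plus per-section entropy."""
    opt = _optional_header_offset(data)
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, opt - 20)
    magic = struct.unpack_from("<H", data, opt)[0]                  # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]             # AddressOfEntryPoint (RVA)
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    checksum_off = opt + 64
    sections, ep_section = [], None
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vaddr": vaddr, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 2)})
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            ep_section = f"{name} {i}/{nsections}"
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "compiled": time.strftime("%a %b %d %H:%M:%S %Y UTC", time.gmtime(timestamp)),
        "entry_point_va": image_base + entry,
        "entry_section": ep_section,
        "checksum_claimed": struct.unpack_from("<I", data, checksum_off)[0],
        "checksum_actual": pe_checksum(data, checksum_off),
        "sections": sections,
    }

def with_checksum(data: bytes) -> bytes:
    """Copy of data with the computed checksum written into the header."""
    off = _optional_header_offset(data) + 64
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 for an offline run (not the Invoice sample):
    low-entropy .text holding the entry point, uniformly distributed .data1,
    CheckSum left at 0 as most unsigned user-mode binaries ship it."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x53428000, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                          # entry point RVA
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)       # ImageBase, section/file alignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    def section(name, vaddr, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200, rawptr, 0, 0, 0, 0, flags)
    headers = dos + b"PE\x00\x00" + coff + bytes(opt)
    headers += section(b".text", 0x1000, 0x200, 0x60000020) + section(b".data1", 0x2000, 0x400, 0xC0000040)
    headers += b"\x00" * (0x200 - len(headers))
    text = bytes(range(16)) * 32          # 512 bytes over 16 symbols: entropy exactly 4.0
    data1 = bytes(range(256)) * 2         # 512 bytes over 256 symbols: entropy exactly 8.0
    return headers + text + data1

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Two things the numbers tell you once you have them side by side: a claimed checksum of 0 is how most user-mode executables are linked (the field is only required for drivers and boot-time images), so on its own that “SUSPICIOUS” flag is a weak signal; an executable section whose entropy is up near 8, or a tiny .text next to a large high-entropy section with the entry point in it, is the stronger hint that a packer or custom loader is in play.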

VirusTotal provides more information on this file.

https://www.virustotal.com/en/file/9c42db370cd740bd77f937772fd86c012f1b95a1298ba66d9ac7c20d1eb89072/analysis/1396886744/

From the initial search, you can see why this one got even more interesting:

SHA256: 9c42db370cd740bd77f937772fd86c012f1b95a1298ba66d9ac7c20d1eb89072
File name: Invoice_06.04.2014.pdf.exe
Detection ratio: 0 / 50
Analysis date: 2014-04-07 16:05:44 UTC ( 1 month ago ) View latest

0/50 when the initial analysis was done.

Here’s the latest VirusTotal update on this same file:

https://www.virustotal.com/en/file/9c42db370cd740bd77f937772fd86c012f1b95a1298ba66d9ac7c20d1eb89072/analysis/ 

SHA256: 9c42db370cd740bd77f937772fd86c012f1b95a1298ba66d9ac7c20d1eb89072
File name: Invoice_06.04.2014.pdf.exe
Detection ratio: 43 / 49
Analysis date: 2014-04-25 13:17:02 UTC ( 2 weeks ago )

Wrap up

I’m currently working on Part 2 – Behavioral analysis. Part 2 will consist of running the malware and watching to see what it does (network activity, local host activity, etc). Part 3 will be a memory analysis using Volatility. This is subject to change but this is the initial plan.

I hope to have that done sometime next week. Maybe next week my little hacker will cooperate more on bedtime. If you believe that, then I’ve got some CyberAPT Heartbleed protection device to sell you.