Active Security

Thursday, January 19, 2012

Ramnit, Zeus and the BAT! Part 3

After parts 1 and 2 we can safely say the machine is infected.This next part will go through the building of the MandiantIOC using Ioc Editor in order to hopefully identify other infected hosts.

One issue I am keeping an eye on is trying to identify indicators that would hopefully be present in numerous samples. Malware writers are incorporating new ways to subvert AV identification techniques (And have been know to brag online that the malware is not detected).

Driver Inspection

I’m going to start with the driver (imjvxcsr.sys) associated with the misspelled service: Micorsoft Windows Service.
Looking at the drivers name it looks randomly generated but after infecting the same host a few times the driver name is consistent on the host.

The directory where the driver is located always seems to be C:\Documents and Settings\User\Local Settings\Temp as seen in the SSDT hooks tab in Audit Viewer and Redline

Using Redline to review Drivers and Devices we can see that we have a device also associated with the driver

By selecting the Driver and reviewing the driver information we can review any strings associated with the driver.

Upon reviewing the Strings we can see an number of possible IOCs

\systemsroot\temp\%x
\Device\631D2408D44C4f47AC647AB96987D4D5
\DosDevices\631D2408D44C4f47AC647AB96987D4D5
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb

Chae Jong Bin @2gg also tweeted that the demetra project path was located in a sample.
Using the OpenIOC Framework we can start with the following

Driver StringList is c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Driver StringList is \Device\631D2408D44C4f47AC647AB96987D4D5
Driver StringList is \DosDevices\631D2408D44C4f47AC647AB96987D4D5

Hook Inspection

If we then review the Hooks section using Redline or Audit Viewer we can use it to further enhance our indicator.

Using the evidence above we can use the Hooking Module, Hooked Module and Hook Description.
Using the OpenIOC Framework we can use the following to enhance our IOC

Hook HookDescription is SystemCall
Hook Hooking Module contains \Local~1\Temp\
Hook Hooked Module is ntoskrnl.exe

Process Inspection

Using the default indicator from Redline and Audit Viewer we can build an IOC for the svchost.exe with unexpected arguments (this can be expanded on if your environment has additional valid svchost arguments) .

Process name is svchost.exe
Process arguments is not C:\WINDOWS\System32\svchost.exe -k netsvcs
Process arguments is not C:\WINDOWS\system32\svchost -k rpcss
Process arguments is not C:\WINDOWS\System32\svchost.exe -k LocalService
Process arguments is not C:\WINDOWS\System32\svchost.exe -k NetworkService
Process arguments is not C:\WINDOWS\system32\svchost -k DcomLaunch
Process arguments is not C:\WINDOWS\system32\svchost.exe -k imgsvc

In turn pick one of the suspicious svchost.exe to review using Redline and Audit Viewer to review Process Handles, Mutex’s and Strings. From the analysis we can use the following IOC’s as possible indicators (Please note Ramnit is quite verbose and as such offers a lot of string values to review, the items below can easily be expanded on/removed due to false positives).

There are other string values that look to be passwords, email addresses and DNS hostnames.

By reviewing the String List below we can also make the assumption that Ramnit has integrated some of the components seen in Zeus, these references can be found in the leaked source code which can be found online.

Process Handle contains \Start Menu\Programs\Startup\
Process Handle contains CTF.Compart.MutexDefaultS-1-5-21
Process Handle contains CTF.Layouts.MutexDefaultS-1-5-21
Process Handle contains CTF.TMD.MutexDefaultS-1-5-21
Process Handle contains CTF.TimListCache.FMPDefaultS-1-5-21
Process Handle contains CTF.Asm.MutexDefaultS-1-5-21
Process Handle contains CTF.LBES.MutexDefaultS-1-5-21
Process String contains LOCALS~1\Temp\~TM4.tmp
Process String is Hide Browser v1.1
Process String is 220 220 RMNetwork FTP
Process String is Ftp Grabber v1.0
Process String is Virus Module v1.0 (exe, dll only)
Process String is VNC Module v1.0 (Zeus Model)
Process String is Byob Ernie Gild Lotto 2002-2006
Process String is Reich.exe
Process String is \Start Menu\Programs\Startup\

When we review a number of the other processes we can also find the following Process Strings and Handle which seems to be in multiple processes.

Process String is <%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT POST
Process Handle Name is !IETld!Mutex
Process StringList is \\.\631D2408D44C4f47AC647AB96987D4D5

Next its the additional executable that was dropped during one of the infections, this already gives us an insight into the functionality available to Ramnit I.E the ability to drop and execute additional files.

By reviewing the NETWORK ACTIVITY Section for Install.exe (PID 3424) we can assume this is our spamming engine. By reviewing the Process Strings can can confirm this functionality.

Further review shows reference to Delphi and in particular what looks to be a backup location for the source code. A number of stings also mention a few Email clients\providers(Outlook,The Bat, POPPeeper).
Using the OpenIOC one possible IOC could be the following:

Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas
Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas
Process StringList isX:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas
Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas
Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas
Process StringList isX:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas
Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas
Process StringList is TModule_POPPeeper
Process StringList is TModule_Eudora
Process StringList is TModule_Gmail
Process StringList is TModule_IncrediMail
Process StringList is TModule_GroupMailFree
Process StringList is TModule_VypressAuvis
Process StringList is TModule_The_Bat
Process StringList is TModule_Outlook0
Process StringList is TOutlookIdentItem

Published IOC

All we need to do now is put it together and introduce the logic to get the hits.A complete IOC that has been tested is below, the IOC has been tested against multiple audit files and did not produce and false positives.
OR:

DriverItem/StringList/string is ' c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb'
DriverItem/StringList/string is ' \Device\631D2408D44C4f47AC647AB96987D4D5'
DriverItem/StringList/string is ' 631D2408D44C4f47AC647AB96987D4D5'
ProcessItem/HandleList/Handle/Name is ' !IETld!Mutex'
ProcessItem/StringList/string is ' \\.\631D2408D44C4f47AC647AB96987D4D5'
ProcessItem/StringList/string contains ' <%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT POST'
AND:
- HookItem/HookDescription is ' SystemCall'
- HookItem/HookedModule is ' ntoskrnl.exe'
- HookItem/HookingModule contains ' \LOCALS~1\Temp\'
AND:
- ProcessItem/StringList/string contains ' Micorsoft Windows Service'
- ProcessItem/StringList/string contains ' TANGrabber'
- ProcessItem/name is ' services.exe'
AND:
- ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k netsvcs'
- ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost -k rpcss'
- ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k LocalService'
- ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k NetworkService'
- ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost -k DcomLaunch'
- ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost.exe -k imgsvc'
- ProcessItem/name is ' svchost.exe'
AND:
- ProcessItem/name is ' svchost.exe'
- OR:
  - ProcessItem/HandleList/Handle/Name contains ' CTF.Compart.MutexDefaultS-1-5-21'
  - ProcessItem/HandleList/Handle/Name contains ' CTF.Layouts.MutexDefaultS-1-5-21'
  - ProcessItem/HandleList/Handle/Name contains ' CTF.TMD.MutexDefaultS-1-5-21'
  - ProcessItem/HandleList/Handle/Name contains ' CTF.TimListCache.FMPDefaultS-1-5-21'
  - ProcessItem/HandleList/Handle/Name contains ' CTF.Asm.MutexDefaultS-1-5-21'
  - ProcessItem/HandleList/Handle/Name contains ' CTF.LBES.MutexDefaultS-1-5-21'
  - ProcessItem/HandleList/Handle/Name contains ' \Start Menu\Programs\Startup\'
  - ProcessItem/StringList/string contains ' LOCALS~1\Temp\~TM4.tmp'
  - ProcessItem/StringList/string is ' Hide Browser v1.1'
  - ProcessItem/StringList/string is ' 220 220 RMNetwork FTP'
  - ProcessItem/StringList/string is ' Ftp Grabber v1.0'
  - ProcessItem/StringList/string is ' Virus Module v1.0 (exe, dll only)'
  - ProcessItem/StringList/string is ' VNC Module v1.0 (Zeus Model)'
  - ProcessItem/StringList/string is ' Byob Ernie Gild Lotto 2002-2006'
  - ProcessItem/StringList/string is ' Reich.exe'
AND:
- ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas'
- ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas'
- ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas'
- ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas'
- ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas'
- ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas'
- ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas'
- ProcessItem/StringList/string is ' TModule_POPPeeper'
- ProcessItem/StringList/string is ' TModule_Eudora'
- ProcessItem/StringList/string is ' TModule_Gmail'
- ProcessItem/StringList/string is ' TModule_IncrediMail'
- ProcessItem/StringList/string is ' TModule_GroupMailFree'
- ProcessItem/StringList/string is ' TModule_VypressAuvis'
- ProcessItem/StringList/string is ' TModule_The_Bat'
- ProcessItem/StringList/string is ' TModule_Outlook0'
- ProcessItem/StringList/string is ' TOutlookIdentItem'

A published IOC can be located on the Mandiant Forums as well as on the http://ioc.forensicartifacts.com/ website
Happy Hunting, Please leave feedback if the IOC produces false positives and needs amending or improving.

Ramnit, Zeus and the BAT! Part 2

Memory Analysis

Please note the memory sample reviewed in this next section does not correlate with the logs reviewed above (I.E PIDs are different, and one other artifact occurred during the memory dump. All will be revealed)

After the VM was snapshot and paused analysis could be conducted on the vmem file.

A number of tools were used to conduct the analysis including the following:

Mandiant’s Redline (and also AuditViewer with Memoryze)
Volatility

The reason a number of tools were used was because each tool has advantages and disadvantages.

Process List and Process Tree

The output below was generated from Volatility using the pslist command. As can been seen below Sample1.exe is the ParentPID of two svchost.exe processes (The snapshot was taken before Sample1.exe terminated see Ramnit Zeus and Bat part 1).

During one of the infections an additional process was started by one of the svchost.exe (PID 2000) the process was called install.exe (PID 3424). We will analyse the file later.

Offset(V) Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c8830 System                    4      0     67    510 1970-01-01 00:00:00
0x82193da0 smss.exe                556      4      3     19 2012-01-11 22:13:40
0x81fff978 csrss.exe               624    556     12    732 2012-01-11 22:13:43
0x81f67978 winlogon.exe            648    556     21    519 2012-01-11 22:13:43
0x81ef7880 services.exe            692    648     20    298 2012-01-11 22:13:43
0x81f91418 lsass.exe               704    648     27    424 2012-01-11 22:13:43
0x82209198 vmacthlp.exe            860    692      5     40 2012-01-11 22:13:44
0x81e654f0 svchost.exe             872    692     25    223 2012-01-11 22:13:44
0x81ea7360 svchost.exe             956    692     15    284 2012-01-11 22:13:45
0x81f42c10 svchost.exe            1068    692     93   1600 2012-01-11 22:13:45
0x81e9c528 svchost.exe            1200    692     10     93 2012-01-11 22:13:46
0x822adbf0 svchost.exe            1300    692     18    177 2012-01-11 22:13:46
0x822bc840 spoolsv.exe            1428    692     18    133 2012-01-11 22:13:46
0x81e1e6a0 svchost.exe            1532    692      9    116 2012-01-11 22:13:55
0x81e28da0 EngineServer.ex        1604    692      8     53 2012-01-11 22:13:55
0x81e755e8 FrameworkServic        1628    692     14    238 2012-01-11 22:13:55
0x820353e8 VsTskMgr.exe           1692    692     28    273 2012-01-11 22:13:58
0x82194a58 mfevtps.exe            1716    692     10    157 2012-01-11 22:13:59
0x822537a8 naPrdMgr.exe           1724    872      9     98 2012-01-11 22:13:59
0x81ee8760 VMwareService.e        1928    692      7    157 2012-01-11 22:13:59
0x81e4dda0 Mcshield.exe           2012    692     17    131 2012-01-11 22:14:00
0x81de7968 mfeann.exe              204   2012     13    127 2012-01-11 22:14:05
0x81eff6a0 explorer.exe            708    492     23    616 2012-01-11 22:14:08
0x81fb0a20 alg.exe                 524    692     10    117 2012-01-11 22:14:32
0x8223bda0 VMwareTray.exe         1048    708      5     50 2012-01-11 22:14:33
0x81ecb588 wscntfy.exe             416   1068      5     51 2012-01-11 22:14:33
0x821ec918 VMwareUser.exe         1464    708     10    212 2012-01-11 22:14:34
0x8225f6a8 UdaterUI.exe           1612    708     10    121 2012-01-11 22:14:35
0x81f22a20 shstat.exe              900    708      0 ------ 2012-01-11 22:14:35
0x81e81550 AdobeARM.exe           2092    708     12    197 2012-01-11 22:14:38
0x81d1fda0 ctfmon.exe             2216    708      5     89 2012-01-11 22:14:39
0x81f047c8 McTray.exe             2296   1612      5     46 2012-01-11 22:14:39
0x81f8d7b0 mcconsol.exe           3796    900      9    176 2012-01-11 22:15:12
0x81cf3a20 cmd.exe                2108    708      5     53 2012-01-11 22:15:47
0x81f1c5c8 CaptureBAT.exe         2992   2108      0 ------ 2012-01-11 22:16:13
0x81fc8ab0 CaptureBAT.exe         3788   2108     10     56 2012-01-11 22:16:57
0x8213f458 Sample1.exe                 4000    708      0 ------ 2012-01-11 22:17:04
0x821e1bf0 svchost.exe            2640   4000     13    125 2012-01-11 22:17:05
0x82070200 svchost.exe            2000   4000     10    119 2012-01-11 22:17:05
0x820b9ad0 install.exe            3424   2000     12    159 2012-01-11 22:17:42
0x82049b60 iexplore.exe           2200    708      0 ------ 2012-01-13 19:36:33
0x81a629b8 iexplore.exe            516    708     26    367 2012-01-13 19:37:49
0x81a535a0 iexplore.exe           2480    516     27    550 2012-01-13 19:37:51

Upon analysing the memory dump using Redline the following processes are flagged straight away and highlighted red.

svchost.exe PID 2000

svchost.exe PID 2640

Redline reports that the reason the processes were flagged was due to both processes having unexpected arguments in fact the processes don't have any.

“C:\WINDOWS\system32\svchost.exe”

We get a different visual representation of the memory dump using Mandiant’s Memoryze and Audit Viewer.

The reason for all the additional flags is due to the fact that Audit Viewer has identified the injected memory sections.

Redline also displays the Injected Memory Sections and upon initial analysis it can be seen that they nearly all start at the the same Region address:0x20010000

Network Activity

Offset(V) Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x820c0008 192.168.0.18:1806         173.194.41.95:80            2480
0x81e307a8 192.168.0.18:1810         173.194.67.104:80           2480
0x81ab0008 192.168.0.18:1807         209.85.147.94:80            2480
0x82066a58 192.168.0.18:1802         204.212.40.2:25             3424
0x81f65a50 192.168.0.18:1052         209.85.147.105:80           2000
0x81a994f0 192.168.0.18:1809         209.85.147.94:80            2480
0x81a994f0 192.168.0.18:1805         209.85.147.94:80            2480
0x81f29720 192.168.0.18:1033         209.85.147.105:80           2000
0x82055008 192.168.0.18:1500         209.85.229.99:80            2000
0x8206c370 192.168.0.18:1803         74.125.43.27:25             3424
0x81a9db28 192.168.0.18:1799         202.136.110.213:25          3424
0x81a9db28 192.168.0.18:1715         202.136.110.213:25          3424

Straight away the interesting connections that stand out are the connections to port 25 (SMTP) this will be expanded on later. The IP Addresses are located in Australia, and The United States

Services

Using Volatility (svcscan) we can review the Services that were running at the time the snapshot was taken, upon first analysis nothing really seems to be amiss apart from the misspelled: Micorsoft Windows Service

Offset(P) #Ptr #Hnd Start        Size Service key          Name
0x01f26f38    3    0 0xb2746000 333952 'Srv'                'Srv'        '\\FileSystem\\Srv'
0x01fe0190    3    0 0xf8b72000 15488 'mssmbios'           'mssmbios'   '\\Driver\\mssmbios'
0x01fe0838    3    0 0xf80f5000 384768 'Update'             'Update'     '\\Driver\\Update'
0x01fe3950    2    0 0xb2102000 68512 'mfeapfk'            'mfeapfk'    '\\Driver\\mfeapfk'
0x01fffa08    5    0 0xf8ab6000 11008 'vmscsi'             'vmscsi'     '\\Driver\\vmscsi'
0x02042a18    5    0 0xb1e81000 264832 'HTTP'               'HTTP'       '\\Driver\\HTTP'
0x0204bf38    5    0 0xf88ba000 56576 'mfetdik'            'mfetdik'    '\\Driver\\mfetdik'
0x0204cb10    4    0 0xb2cc0000 113152 'vmhgfs'             'vmhgfs'     '\\FileSystem\\vmhgfs'
0x0204f300    3    0 0xf883a000 41472 'RasPppoe'           'RasPppoe'   '\\Driver\\RasPppoe'
0x02060df0   19    0 0xf8376000 333376 'mfehidk'            'mfehidk'    '\\Driver\\mfehidk'
0x02061860    5    0 0xf83c8000 105344 'Mup'                'Mup'        '\\FileSystem\\Mup'
0x02061ce8   17    0 0xf83e2000 182656 'NDIS'               'NDIS'       '\\Driver\\NDIS'
0x02064bb8    3    0 0xf882a000 51328 'Rasl2tp'            'Rasl2tp'    '\\Driver\\Rasl2tp'
0x02071168    6    0 0xf853b000 125056 'Ftdisk'             'Ftdisk'     '\\Driver\\Ftdisk'
0x0207b240    3    0 0xf8a82000 21760 'TDTCP'              'TDTCP'      '\\Driver\\TDTCP'
0x0207d178    2    0 0xb21db000 11648 'CaptureFileMonitor' 'CaptureFileMonitor' '\\FileSystem\\CaptureFileMonitor'
0x02091790    3    0 0xf88ca000 34688 'NetBIOS'            'NetBIOS'    '\\FileSystem\\NetBIOS'
0x02092f38    5    0 0xb2cfe000 162816 'NetBT'              'NetBT'      '\\Driver\\NetBT'
0x02095838    5    0 0xf8153000 196224 'rdpdr'              'rdpdr'      '\\Driver\\rdpdr'
0x02096030    4    0 0xf8263000 12160 'mouhid'             'mouhid'     '\\Driver\\mouhid'
0x02098030    7    0 0xf8bb0000   7936 'Fs_Rec'             'Fs_Rec'     '\\FileSystem\\Fs_Rec'
0x0209cf38    6    0 0xf8972000 23040 'Mouclass'           'Mouclass'   '\\Driver\\Mouclass'
0x020ab1b0    6    0 0xf84fd000 96512 'atapi'              'atapi'      '\\Driver\\atapi'
0x020ab2a8    5    0 0xf86ba000 52352 'VolSnap'            'VolSnap'    '\\Driver\\VolSnap'
0x020ab3a0    4    0 0xf8922000 19712 'PartMgr'            'PartMgr'    '\\Driver\\PartMgr'
0x020b2030    4    0 0xf87fa000 40704 'es1371'             'es1371'     '\\Driver\\es1371'
0x020bcf38    3    0 0xf89c2000 19072 'Msfs'               'Msfs'       '\\FileSystem\\Msfs'
0x020bd030    3    0 0xf8b52000 13952 'CmBatt'             'CmBatt'     '\\Driver\\CmBatt'
0x020bd560    3    0 0xf89ca000 30848 'Npfs'               'Npfs'       '\\FileSystem\\Npfs'
0x020c2548    3    0 0xf86ea000 42368 'agp440'             'agp440'     '\\Driver\\agp440'
0x020e8be0    3    0 0xf8c26000   7296 'CaptureRegistryMonitor' 'CaptureRegistryMonitor' '\\Driver\\CaptureRegistryMonitor'
0x020fd788    4    0 0xb2c25000 455296 'MRxSmb'             'MRxSmb'     '\\FileSystem\\MRxSmb'
0x02101790    3    0 0xb2cdc000 138496 'AFD'                'AFD'        '\\Driver\\AFD'
0x02101be0    7    0 0xb2d74000 361600 'Tcpip'              'Tcpip'      '\\Driver\\Tcpip'
0x02103678    6    0 0xf88aa000 59520 'usbhub'             'usbhub'     '\\Driver\\usbhub'
0x02106bd8    3    0 0xf8bb6000   4224 'RDPCDD'             'RDPCDD'     '\\Driver\\RDPCDD'
0x02126928    3    0 0xb27e8000 180608 'MRxDAV'             'MRxDAV'     '\\FileSystem\\MRxDAV'
0x02128970    4    0 0xb1c2d000 143744 'Fastfat'            'Fastfat'    '\\FileSystem\\Fastfat'
0x02130730    3    0 0xf89a2000 16512 'Raspti'             'Raspti'     '\\Driver\\Raspti'
0x02134360    2    0 0xb20ed000 84352 'mfeavfk'            'mfeavfk'    '\\Driver\\mfeavfk'
0x02134880    3    0 0xb25a6000 60800 'sysaudio'           'sysaudio'   '\\Driver\\sysaudio'
0x02161160    4    0 0xf8b9e000   5504 'IntelIde'           'IntelIde'   '\\Driver\\IntelIde'
0x02164cc0    3    0 0xf8d3a000   2944 'Null'               'Null'       '\\Driver\\Null'
0x0216f030    7    0 0xf8cd2000   3072 'audstub'            'audstub'    '\\Driver\\audstub'
0x02170110    5    0 0xf89d2000 32128 'usbccgp'            'usbccgp'    '\\Driver\\usbccgp'
0x0218f6e0    3    0 0xf885a000 35072 'Gpc'                'Gpc'        '\\Driver\\Gpc'
0x0218fbb8    5    0 0xf8183000 69120 'PSched'             'PSched'     '\\Driver\\PSched'
0x021905f0   13    0 0x00000000      0 '\\Driver\\Win32k'   'Win32k'     '\\Driver\\Win32k'
0x021a1030    4    0 0xf896a000 24576 'Kbdclass'           'Kbdclass'   '\\Driver\\Kbdclass'
0x021ada30    6    0 0xf8515000 153344 'dmio'               'dmio'       '\\Driver\\dmio'
0x021adc48    3    0 0xf8ba0000   5888 'dmload'             'dmload'     '\\Driver\\dmload'
0x021f09f8    5    0 0xf887a000 40704 'TermDD'             'TermDD'     '\\Driver\\TermDD'
0x021fdec8    3    0 0xf8325000 12032 'WS2IFSL'            'WS2IFSL'    '\\Driver\\WS2IFSL'
0x02209030    3    0 0xf881a000 36352 'intelppm'           'intelppm'   '\\Driver\\intelppm'
0x0220bda0    3    0 0xf87da000 48256 'vmci'               'vmci'       '\\Driver\\vmci'
0x02222460    3    0 0xf8bb4000   4224 'mnmdd'              'mnmdd'      '\\Driver\\mnmdd'
0x02230270    5    0 0xb2411000 83072 'wdmaud'             'wdmaud'     '\\Driver\\wdmaud'
0x02232f38    3    0 0xb2c95000 175744 'Rdbss'              'Rdbss'      '\\FileSystem\\Rdbss'
0x02236408    3    0 0xf8335000   8832 'RasAcd'             'RasAcd'     '\\Driver\\RasAcd'
0x02236ca8    3    0 0xf89ba000 20992 'VgaSave'            'VgaSave'    '\\Driver\\VgaSave'
0x0223bcc0    3    0 0xf8bb2000   4224 'Beep'               'Beep'       '\\Driver\\Beep'
0x022f11e8    3    0 0xf8952000 32768 'Micorsoft Windows Service' 'Micorsoft Windows Service' '\\Driver\\Micorsoft Windows Service'
0x02349500    3    0 0xb17f2000 172416 'kmixer'             'kmixer'     '\\Driver\\kmixer'
0x02389bb8    9    0 0xf8bac000   4352 'swenum'             'swenum'     '\\Driver\\swenum'
0x0238ef38    6    0 0xf826b000 10368 'hidusb'             'hidusb'     '\\Driver\\hidusb'
0x0239b7f0    6    0 0xf899a000 17792 'Ptilink'            'Ptilink'    '\\Driver\\Ptilink'
0x0239c5d8    3    0 0xf88ea000 36864 'vmdebug'            'vmdebug'    '\\Driver\\vmdebug'
0x023a04b8    4    0 0xf87ca000 57600 'redbook'            'redbook'    '\\Driver\\redbook'
0x023a6418    3    0 0xf8b96000 10624 'gameenum'           'gameenum'   '\\Driver\\gameenum'
0x023e9030    3    0 0xf873a000 63744 'Cdfs'               'Cdfs'       '\\FileSystem\\Cdfs'
0x023ea5d0    3    0 0xf8c1e000   6272 'CaptureProcessMonitor' 'CaptureProcessMonitor' '\\Driver\\CaptureProcessMonitor'
0x023fcf38    2    0 0xb21bb000 36288 'mfebopk'            'mfebopk'    '\\Driver\\mfebopk'
0x02405740    3    0 0xb2dcd000 75264 'IPSec'              'IPSec'      '\\Driver\\IPSec'
0x024178d0    5    0 0xf878a000 52480 'i8042prt'           'i8042prt'   '\\Driver\\i8042prt'
0x02437da0    3    0 0xb1eea000 139520 'RDPWD'              'RDPWD'      '\\Driver\\RDPWD'
0x02439030    3    0 0xf8be2000   6784 'ParVdm'             'ParVdm'     '\\Driver\\ParVdm'
0x02439430    3    0 0xb2a59000 14592 'Ndisuio'            'Ndisuio'    '\\Driver\\Ndisuio'
0x02439da0    3    0 0xf8be4000   7680 'VMMEMCTL'           'VMMEMCTL'   '\\Driver\\VMMEMCTL'
0x02450f38    3    0 0xf88fa000 44544 'Fips'               'Fips'       '\\Driver\\Fips'
0x02458a50    3    0 0xb2d4e000 152832 'IpNat'              'IpNat'      '\\Driver\\IpNat'
0x0245d030    3    0 0xf87aa000 42112 'Imapi'              'Imapi'      '\\Driver\\Imapi'
0x0245d610    3    0 0xf87ba000 62976 'Cdrom'              'Cdrom'      '\\Driver\\Cdrom'
0x024682a0    4    0 0xf8234000 91520 'NdisWan'            'NdisWan'    '\\Driver\\NdisWan'
0x02468d78    6    0 0xf8b56000 10112 'NdisTapi'           'NdisTapi'   '\\Driver\\NdisTapi'
0x02472640    4    0 0xf8309000 80128 'Parport'            'Parport'    '\\Driver\\Parport'
0x024ad8a8    3    0 0xf898a000 29696 'vmxnet'             'vmxnet'     '\\Driver\\vmxnet'
0x024b3b70   16    0 0xf84c5000 129792 'FltMgr'             'FltMgr'     '\\FileSystem\\FltMgr'
0x024c00b0    7    0 0xf86aa000 42368 'MountMgr'           'MountMgr'   '\\Driver\\MountMgr'
0x024edca8    3    0 0xf890a000 34560 'Wanarp'             'Wanarp'     '\\Driver\\Wanarp'
0x024ef838    3    0 0xf884a000 48384 'PptpMiniport'       'PptpMiniport' '\\Driver\\PptpMiniport'
0x024efb30    3    0 0xf89aa000 20480 'Flpydisk'           'Flpydisk'   '\\Driver\\Flpydisk'
0x024f9150    3    0 0xf8ba8000   4736 'vmmouse'            'vmmouse'    '\\Driver\\vmmouse'
0x0250d290    4    0 0xf897a000 27392 'Fdc'                'Fdc'        '\\Driver\\Fdc'
0x0250e278    4    0 0xf8982000 20608 'usbuhci'            'usbuhci'    '\\Driver\\usbuhci'
0x0250f200    4    0 0xf8b4a000 15744 'serenum'            'serenum'    '\\Driver\\serenum'
0x0250f378    3    0 0xf87ea000 57216 'vmx_svga'           'vmx_svga'   '\\Driver\\vmx_svga'
0x0250f9f8    4    0 0xf879a000 64512 'Serial'             'Serial'     '\\Driver\\Serial'
0x02517c78    3    0 0xf888a000 40576 'NDProxy'            'NDProxy'    '\\Driver\\NDProxy'
0x02519778    4    0 0xf840f000 574976 'Ntfs'               'Ntfs'       '\\FileSystem\\Ntfs'
0x02519988    3    0 0xf849c000 92288 'KSecDD'             'KSecDD'     '\\Driver\\KSecDD'
0x02519b98    7    0 0xf84b3000 73472 'sr'                 'sr'         '\\FileSystem\\sr'
0x0251ccc8    4    0 0xf86ca000 36352 'Disk'               'Disk'       '\\Driver\\Disk'
0x0253e218    4    0 0xf8aae000 10240 'Compbatt'           'Compbatt'   '\\Driver\\Compbatt'
0x025ab560    5    0 0x00000000      0                      'RAW'        '\\FileSystem\\RAW'
0x025acf38   81    0 0xf855a000 68224 'PCI'                'PCI'        '\\Driver\\PCI'
0x025af2d8    4    0 0x00000000      0 '\\Driver\\ACPI_HAL' 'ACPI_HAL'   '\\Driver\\ACPI_HAL'
0x025c5308    4    0 0xf869a000 37248 'isapnp'             'isapnp'     '\\Driver\\isapnp'
0x025e2980   64    0 0xf856b000 187776 'ACPI'               'ACPI'       '\\Driver\\ACPI'
0x025e6ce8    4    0 0x00000000      0 '\\Driver\\WMIxWDM' 'WMIxWDM'    '\\Driver\\WMIxWDM'
0x025eb290   65    0 0x00000000      0 '\\Driver\\PnpManager' 'PnpManager' '\\Driver\\PnpManager'

Using the driverirp Volatility command we can output a drivers IRP (Major Function) table, here we can see that we have a driver (imjvxcsr.sys) associated with the misspelled Micorsoft Windows Service

0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE                        0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE_NAMED_PIPE             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CLOSE                         0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_READ                          0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_WRITE                         0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_INFORMATION             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_INFORMATION               0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_EA                      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_EA                        0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_FLUSH_BUFFERS                 0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_VOLUME_INFORMATION      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_VOLUME_INFORMATION        0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DIRECTORY_CONTROL             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_FILE_SYSTEM_CONTROL           0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CONTROL                0xf89541d8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_INTERNAL_DEVICE_CONTROL       0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SHUTDOWN                      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_LOCK_CONTROL                  0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CLEANUP                       0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE_MAILSLOT               0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_SECURITY                0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_SECURITY                  0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_POWER                         0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SYSTEM_CONTROL                0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CHANGE                 0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_QUOTA                   0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_QUOTA                     0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_PNP                           0x804f355a   ntoskrnl.exe     -            -

Hooks

If we review the Hooks tab in Audit Viewer or the Hooks section in Redline and in particular the System Service Descriptor Table Hooks we see our driver (imjvxcsr.sys) identified in the previous section

This can also be verified using the ssdt or the threads –F HookedSSDT Volatility commands.

ssdt command
Entry 0x0029: 0xf89546ac (NtCreateKey) owned by imjvxcsr.sys
Entry 0x0077: 0xf8954562 (NtOpenKey) owned by imjvxcsr.sys

threads –F HookedSSDT command

ETHREAD: 0x81f1cbc8 Pid: 692 Tid: 3980
Tags: HookedSSDT
Created: 2012-01-11 22:18:34
Exited: -
Owning Process: 0x81ef7880 'services.exe'
Attached Process: 0x81ef7880 'services.exe'
State: Waiting:WrQueue
BasePriority: 0x9
Priority: 0x9
TEB: 0x7ffd9000
StartAddress: 0x7c8106f9
ServiceTable: 0x80553020
[0] 0x80501b9c
[0x29] NtCreateKey 0xf89546ac imjvxcsr.sys
[0x77] NtOpenKey 0xf8954562 imjvxcsr.sys
[1] -
[2] -
[3] -
Win32Thread: 0x00000000
CrossThreadFlags:
Eip: 0x7c90e514
eax=0x77e76c7d ebx=0xffffffff ecx=0x00090640 edx=0x0072fb78 esi=0x000ac2e8 edi=0x00000000
eip=0x7c90e514 esp=0x006efeac ebp=0x006efed8 err=0x00000000
cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 efl=0x00000246
dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000

Part 3 Building an IOC to follow.

Wednesday, January 18, 2012

Ramnit, Zeus and the BAT! Part 1

Please note the samples analysed were provided by Andre M. DiMino @sempersecurus (http://sempersecurus.org).

Sample No	MD5	Executable name
Sample1	2f5d28f9792c7d114bed7fdcec00f550	Sample1.exe
Sample2	76991eefea6cb01e1d7435ae973858e6	Sample2.exe

Initial File Analysis

Initial analysis of the files show that both files are packed using UPX and import 3 libraries

Kernel32.dll

6 functions (LoadLibraryA,GetProcAddress,VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess)

Comctl32.dll

1 Functions (InitCommonControls)

SHLWAPI.dll

1Function (StrCharA)

Dynamic Analysis

Both samples were analysed using Dynamic analysis techniques using various monitoring tools (CaptureBat.exe and Preservation( see Malware Analysis Cookbook Chapter 9)).

The process below was used to setup the environment

Start Monitoring tools (see Preservation and Capturebat section below)

Execute samples

Snapshot Virtual Machine

After the final stage was completed the VM was rolled back to a previous state and the same process used for the next sample.

Monitoring Tools

The analysis was conducted by first executing preservation.exe with the preservation.exe ln argument this logs everything to the c:\preservation\ directory

CaptureBat was executed next and configured to capture file, process and registry access as well as capture network activity using the following arguments.

capturebat.exe –cn –l c:\preservation\Capture.txt

Initial Log Review

Preservation Output

Please note!! Various sections of the log below have been removed

Upon initial execution of Sample1.exe we can see it starts an instance of the svchost.exe process (PID 4048)

[PROCESS START] explorer.exe (PID:2140) started Sample1.exe (PID 2496)
[THREAD START] explorer.exe (PID:2140) started thread (TID 2520)
[IMAGE LOAD] Sample1.exe (PID:2496) loaded \Device\HarddiskVolume1\Documents and Settings\nosuchuser\Desktop\ramnit\Sample1.exe

First SVCHOST Instance

[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 4048)

[THREAD START] Sample1.exe (PID:2496) started thread (TID 1244)

[IMAGE LOAD] svchost.exe (PID:4048) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Second SVCHOST Instance

The malware sample then starts another instance of svchost.exe (PID 2384)

[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 2384)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 3020)
[IMAGE LOAD] svchost.exe (PID:2384) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Sample1 Third Process Initiated

Sample 1 then goes onto create another pseudo-randomly named executable located in the \Temp directory.The pseudo-randomly nature has been observed by restoring the VM to a previous state and re-infecting the machine(with the same sample) each time the file is named the same apart from the last 2 characters.My assumption at this point is the file name is created using some information from the host machine.

On the host infected the following remained static during a number of infections: sggjahylqiethd<XX>.exe

After the randomly named executable is initiated the original executable Sample1.exe is terminated.

By reviewing the log below it can also be ascertained that services.exe starts a new service , during each infection the Service name was identical the misspelled:

Micorsoft Windows Service

After the service starts we then see System (PID:4) load a suspicious driver: imjvxcsr.sys from the Temp directory.

[PROCESS START] Sample1.exe (PID:2496) started sggjahylqiethdj (PID 3900)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 2972)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \Device\HarddiskVolume1\DOCUME~1\nosuchuser\LOCALS~1\Temp\sggjahylqiethdjp.exe
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \SystemRoot\System32\ntdll.dll
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\kernel32.dll
[PROCESS TERMINATE] Sample1.exe (PID:2496) terminating Sample1.exe (PID 2496)
[THREAD START] System (PID:4) started thread (TID 1416)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\comctl32.dll
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\advapi32.dll
[THREAD START] System (PID:4) started thread (TID 2900)
[THREAD START] services.exe (PID:760) started thread (TID 3968)
[DRIVER LOAD] services.exe (PID:760) loading driver \Registry\Machine\System\CurrentControlSet\Services\Micorsoft Windows Service
----Removed Multiple Thread Starts and Image Loads ----

[IMAGE LOAD] System (PID:4) loaded \??\C:\DOCUME~1\nosuchuser\LOCALS~1\Temp\imjvxcsr.sys
[FILE DELETE] System (PID:4) deleting file \systemroot\temp\3ab95fd5
[THREAD START] System (PID:4) started thread (TID 4020)

CaptureBat Output

The CaputureBat log has all the associated artifacts identified above with the addition of registry entries, file creation and network activity.

A number of other observations can be seen from the log below:

An additional executable (bbioufwf.exe) is created on the file system

The file is added to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key

The file is also added to the users Startup folder to add persistence (Note when reviewing the file system this file does not appear due to the rootkit)

A number of logs are written to by svchost on the local system (log names again appear to be pseudo-randomly generated).

A number of temporary files ~TM<N>.tmp files are created in the Temp folder. This file contains some references to IE cookies but also seems to contain encrypted data.

svchost also infects a number of files located in the Program Files directory

"16/1/2012 13:16:30.23","file","Write","System","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\bbioufwf.exe"

"16/1/2012 13:16:30.616","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BbiOufwf"

"16/1/2012 13:16:27.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Start Menu\Programs\Startup\bbioufwf.exe"

"16/1/2012 13:16:27.429","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\cclgvecb.log"

"16/1/2012 13:16:27.491","file","Delete","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\px3.tmp"

"16/1/2012 13:16:34.601","file","Write","C:\Documents and Settings\nosuchuser\Local Settings\Temp\sggjahylqiethdjp.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\imjvxcsr.sys"

"16/1/2012 13:17:30.929","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\hlgbbwvv.log"

"16/1/2012 13:17:31.804","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\dsstrbjb.log"

"16/1/2012 13:17:37.7","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\~TM4.tmp"

"16/1/2012 13:20:34.335","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe"

Part 2 Memory Analysis to follow.

Thursday, December 15, 2011

Attack the Kill Chain MindMap

If we look at the past 12 months it hardly seems a day goes by, whereby a news article is posted of an attack or compromise.

These range from small family businesses trying to gain an online advantage (especially in todays climate) to large scale businesses which provide services which impact our everyday life.

In 2009 Mike Cloppert posted Security Intelligence: Attacking the Kill Chain the article was an excellent example of foresight (And from someone deep in the trenches).
The article was part of a series on Security Intelligence which I feel has even more importance as we come to an end of 2011.

I’m not really big on predictions, but i will make this one.

I guarantee that more articles will be written in 2012 which describe online attacks.(Fairly certain this will be a safe bet).

As an Industry we need to stop using the old Ostrich approach and “bury our heads in the sand”. The attacks are going to come, lets try and find a way to deal with them through being open and sharing the experience of how the compromise occurred.

“Defence in Depth” is not just about multiple layers of technology, its also about Knowledge Sharing, if i know what to look for its also my duty to pass that on so others can prevent the same mistake\compromise from happening.

I have produced a Mindmap of what I feel are the key points of the article. The Mindmap is based on my interpretation of the original article.

Please read the original article, if you work in the Information Security space try to incorporate them in to your everyday life.

A higher resolution image can be found here

Tuesday, May 31, 2011

Volatility Script for Windows

Well I've decided to make more of an effort to use my blog.

First article will be a a new windows based volatility script I've developed based on the one from lg's blog (http://lorgor.blogspot.com/2010/11/volatility-mem-forensics-ivputting-it.html)

There are few prerequisites, just follow the instructions on the Volatility Wiki site:

http://code.google.com/p/volatility/wiki/FullInstallation#Windows_Installation

The report also makes use of the malware.py script from http://code.google.com/p/malwarecookbook/
just download the plugin and drop the file in the plugins directory.

Set-up

Make sure all your environment variables have been set up for Python and Perl (Instructions can be found on numerous sites ).

Drop the batch file into the volatility directory and make sure you update the following:

Your Case Directory and dumps directory, this can be where ever you like on your machine.

mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%
mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%\dumps

You should also check and set-up the following:

set VOLDIR="C:\Forensics\vol\vol1.4\%VOLDIR%\vol.py-1.4_rc1"

set PYTHON="C:\Python27\python.exe"

set PERL="C:\Perl\bin\perl.exe"

Running the script

I generally run the script in the following way:

Open a command prompt and change directory to the volatility directory.

Next to run the script type the following, remember if the path contains spaces use quotes around the parameter.

volscript.bat <path-to-memory-dump> <name-of-report>

The script can take a while to complete but once the script has finished you will have one report which you can analyse.

That was the easy part, the hard part comes with analysing the report and identifying if the machine is compromised in some way.

Over the coming weeks I will provide more posts on analysing the output from the images hosted at Michael Hale Ligh's site: http://code.google.com/p/malwarecookbook/

In my opinion the Malware Analyst Cookbook has to be considered the de-facto standard when it comes to analysing malware and memory analysis, simply put you have to buy this book.

I'll periodically post updates to the script.

The script can be found here just rename the file to .bat there is also a sample report taken from the zeus sample from the Malware Cookbook site.

---Update 13/03/2012---
Added naft by Didier Stevens http://blog.didierstevens.com/2012/03/12/naft-release/ to automate dumping network traffic as part of the automated script.

Just download all the files and put naft-gfe.py in the same directory as vol.py and volscript remember to add to naft_pfef and naft_uf to C:\Python27\Lib

Once the pcap file has been created you can use NetWitness, Netminer or Wireshark to analyse the file.

Monday, April 02, 2007

Security Podcasts

The following is a list of Security Podcasts i love to listen to:
Cyberspeak
PaulDotCom Security Weekly
Martin Mckeays Network Security Podcast
SploitCast
Hack5

Thursday, August 17, 2006

Must Reading

Post's you just have to read if you are interested in Computer/Network Security or Digital Forensics.

http://www.realdigitalforensics.com/
http://taosecurity.blogspot.com/
http://windowsir.blogspot.com/