Ramnit, Zeus and the BAT! Part 3 (Active Security blog, cbentle2, published 2012-01-19)<br />
After <a href="http://active-security.blogspot.com/2012/01/ramnit-zeus-and-bat-part-1.html" target="_blank">parts 1</a> and <a href="http://active-security.blogspot.com/2012/01/ramnit-zeus-and-bat-part-2.html" target="_blank">2</a> we can safely say the machine is infected. This next part
will go through building the Mandiant IOC using <a href="http://www.mandiant.com/products/free_software/ioceditor/" target="_blank">IOC Editor</a>, in order to hopefully identify other infected
hosts.<br />
<br />
One issue I am keeping an eye on is identifying indicators that would
hopefully be present in numerous samples. Malware writers keep incorporating new
ways to subvert AV identification techniques (and have been known to brag online
that the malware is not detected). <br />
<h2>
<span style="font-size: x-small;">Driver Inspection</span></h2>
I’m going to start with the driver <span style="font-family: Calibri;">(<strong>imjvxcsr.sys</strong>)</span> associated with the
misspelled service: <strong>Mic<u>or</u>soft Windows Service.</strong><br />
Looking at the driver's name it looks randomly generated, but after infecting the same
host a few times the driver name is consistent on that host.<br />
<br />
The directory where the driver is located always seems to be C:\Documents and
Settings\User\Local Settings\Temp, as seen in the SSDT hooks tab in Audit Viewer
and Redline.<br />
<br />
<img alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlFTYkLF-VjEX6lymYNrTnnIPxslH5hzfvDezcKKPnrGbUeXo4PsuwV_eTlfiWTHbeldITH8PcrQSXOtbzIYbuaGCjuKiBqxwyDI1uaDpF7eqCmVN9TtyLY0sdmucWhTxw1isRD1Ig514/?imgmax=800" /><br />
<br />
Using Redline to review Drivers and Devices we can see that we also have a device
associated with the driver.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-3nBd5QinU6vsAZfgbtSUnhRDdKXjPnxKLc6xWlhKZNz1TuV7cWvrLtM6Z5pZhZy8QHvvJtbK2wrxw9v3kzBA6vUky3M4X5Evmxy1DBWRhNkeIWTNk0leKjyiUMTfW5YyHOAreAuKiNQ/s1600/New+Picture.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-3nBd5QinU6vsAZfgbtSUnhRDdKXjPnxKLc6xWlhKZNz1TuV7cWvrLtM6Z5pZhZy8QHvvJtbK2wrxw9v3kzBA6vUky3M4X5Evmxy1DBWRhNkeIWTNk0leKjyiUMTfW5YyHOAreAuKiNQ/s400/New+Picture.png" width="400" /></a></div>
<br />
By selecting the Driver and reviewing the driver information we can review
any strings associated with the driver.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx2Zua7CFHy7Rs4QjdpD7oHaBLoJeBiUHJzf-jYnjm4WKV4TK12aQFp8s5nPLSfeE6Cr4eGPDP0iUOsRe5zpKZ4-haVALbBsVXmtkY1tAj-Aj9SqkJM_BmysYjLvU_mejcwusZyDvX_Ls/s1600/New+Picture+%25281%2529.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="375" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx2Zua7CFHy7Rs4QjdpD7oHaBLoJeBiUHJzf-jYnjm4WKV4TK12aQFp8s5nPLSfeE6Cr4eGPDP0iUOsRe5zpKZ4-haVALbBsVXmtkY1tAj-Aj9SqkJM_BmysYjLvU_mejcwusZyDvX_Ls/s400/New+Picture+%25281%2529.png" width="400" /></a></div>
<br />
Upon reviewing the Strings we can see a number of possible IOCs:<br />
<ul>
<li>\systemsroot\temp\%x
</li>
<li>\Device\631D2408D44C4f47AC647AB96987D4D5
</li>
<li>\DosDevices\631D2408D44C4f47AC647AB96987D4D5
</li>
<li>c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
</li>
</ul>
<a href="https://twitter.com/#!/2gg" target="_blank">Chae Jong Bin @2gg</a> also tweeted that the demetra project path was located in
a sample.<br />
Using the OpenIOC Framework we can start with the following:<br />
<ul>
<li>Driver StringList is
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
</li>
<li>Driver StringList is \Device\631D2408D44C4f47AC647AB96987D4D5
</li>
<li>Driver StringList is \DosDevices\631D2408D44C4f47AC647AB96987D4D5 </li>
</ul>
<h2>
<span style="font-size: x-small;">Hook Inspection</span></h2>
If we then review the Hooks section using Redline or Audit Viewer we can use
it to further enhance our indicator.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbDrhOVkh5caZn2SSlRQcOSRGRc1Dq69dQZwH-gMKR4qkSVjFHJ5_mh3ZVfWs9zOoEPUyzZborcDLy4IaEPU1MyKi0u7sjf66O3rP0eRj83hyG74udYMBko0QJ-hAzB_2a-mAdpEgSYyE/s1600/New+Picture+%25282%2529.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbDrhOVkh5caZn2SSlRQcOSRGRc1Dq69dQZwH-gMKR4qkSVjFHJ5_mh3ZVfWs9zOoEPUyzZborcDLy4IaEPU1MyKi0u7sjf66O3rP0eRj83hyG74udYMBko0QJ-hAzB_2a-mAdpEgSYyE/s400/New+Picture+%25282%2529.png" width="400" /></a></div>
<br />
Using the evidence above we can use the Hooking Module, Hooked Module and
Hook Description.<br />
Using the OpenIOC Framework we can use the following to enhance our IOC:<br />
<ul>
<li><span style="font-family: Calibri;">Hook HookDescription is SystemCall</span>
</li>
<li><span style="font-family: Calibri;">Hook Hooking Module contains \Local~1\Temp\</span>
</li>
<li><span style="font-family: Calibri;">Hook Hooked Module is ntoskrnl.exe</span> </li>
</ul>
<h2>
<span style="font-size: x-small;">Process Inspection</span></h2>
Using the default indicator from Redline and Audit Viewer we can build an IOC
for svchost.exe processes with unexpected arguments (this can be expanded on if your
environment has additional valid svchost arguments).<br />
<ul>
<li><span style="font-family: Calibri;">Process name is svchost.exe</span>
</li>
<li><span style="font-family: Calibri;">Process arguments is not C:\WINDOWS\System32\svchost.exe
-k netsvcs</span>
</li>
<li><span style="font-family: Calibri;">Process arguments is not C:\WINDOWS\system32\svchost -k
rpcss</span>
</li>
<li><span style="font-family: Calibri;">Process arguments is not C:\WINDOWS\System32\svchost.exe
-k LocalService</span>
</li>
<li><span style="font-family: Calibri;">Process arguments is not C:\WINDOWS\System32\svchost.exe
-k NetworkService</span>
</li>
<li><span style="font-family: Calibri;">Process arguments is not C:\WINDOWS\system32\svchost -k
DcomLaunch</span>
</li>
<li><span style="font-family: Calibri;">Process arguments is not C:\WINDOWS\system32\svchost.exe
-k imgsvc</span> </li>
</ul>
In turn, pick one of the suspicious svchost.exe processes and review its Process
Handles, Mutexes and Strings using Redline and Audit Viewer. From the analysis
we can use the following IOCs as possible indicators (please note Ramnit is
quite verbose and as such offers a lot of string values to review; the items
below can easily be expanded on or removed due to false positives).<br />
<br />
There are other string values that look to be passwords, email addresses and
DNS hostnames.<br />
<br />
By reviewing the String List below we can also make the assumption that
Ramnit has integrated some of the components seen in Zeus; these references can
be found in the leaked Zeus source code, which is available online. <br />
<ul>
<li><span style="font-family: Calibri;">Process Handle contains \Start
Menu\Programs\Startup\</span>
</li>
<li><span style="font-family: Calibri;">Process Handle contains
CTF.Compart.MutexDefaultS-1-5-21</span>
</li>
<li><span style="font-family: Calibri;">Process Handle contains
CTF.Layouts.MutexDefaultS-1-5-21</span>
</li>
<li><span style="font-family: Calibri;">Process Handle contains
CTF.TMD.MutexDefaultS-1-5-21</span>
</li>
<li><span style="font-family: Calibri;">Process Handle contains
CTF.TimListCache.FMPDefaultS-1-5-21</span>
</li>
<li><span style="font-family: Calibri;">Process Handle contains
CTF.Asm.MutexDefaultS-1-5-21</span>
</li>
<li><span style="font-family: Calibri;">Process Handle contains
CTF.LBES.MutexDefaultS-1-5-21</span>
</li>
<li><span style="font-family: Calibri;">Process String contains LOCALS~1\Temp\~TM4.tmp</span>
</li>
<li><span style="font-family: Calibri;">Process String is Hide Browser v1.1</span>
</li>
<li><span style="font-family: Calibri;">Process String is 220 220 RMNetwork FTP</span>
</li>
<li><span style="font-family: Calibri;">Process String is Ftp Grabber v1.0</span>
</li>
<li><span style="font-family: Calibri;">Process String is Virus Module v1.0 (exe, dll
only)</span>
</li>
<li><span style="font-family: Calibri;">Process String is VNC Module v1.0 (Zeus Model)</span>
</li>
<li><span style="font-family: Calibri;">Process String is Byob Ernie Gild Lotto 2002-2006</span>
</li>
<li><span style="font-family: Calibri;">Process String is Reich.exe</span>
</li>
<li><span style="font-family: Calibri;">Process String is \Start Menu\Programs\Startup\</span>
</li>
</ul>
When we review a number of the other processes we can also find the following
Process Strings and Handle, which seem to be present in multiple processes.<br />
<ul>
<li><span style="font-family: Calibri;">Process String is
<%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT
POST</span>
</li>
<li><span style="font-family: Calibri;">Process Handle Name is !IETld!Mutex</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is
\\.\631D2408D44C4f47AC647AB96987D4D5</span> </li>
</ul>
Next is the additional executable that was dropped during one of the
infections; this already gives us an insight into the functionality available to
Ramnit, i.e. the ability to drop and execute additional files.<br />
<br />
By reviewing the <a href="http://active-security.blogspot.com/2012/01/ramnit-zeus-and-bat-part-2.html" target="_blank">NETWORK ACTIVITY section</a> for Install.exe (PID 3424) we can
assume this is our spamming engine. By reviewing the Process Strings we can
confirm this functionality.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiabtvlaLVlps42cUmT9db0gkDVeaRPteoJ6vbsXibNE7pBdL5BrfOMQzSiUEanQ9Xn_wgXSVefPULxerW7U-Rp1b4f_vPawucbF_-7kvkN9r4N-eZW2tZ_MrdtNS5BvbDGAFtgAVMd3Ns/s1600/New+Picture+%25283%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiabtvlaLVlps42cUmT9db0gkDVeaRPteoJ6vbsXibNE7pBdL5BrfOMQzSiUEanQ9Xn_wgXSVefPULxerW7U-Rp1b4f_vPawucbF_-7kvkN9r4N-eZW2tZ_MrdtNS5BvbDGAFtgAVMd3Ns/s320/New+Picture+%25283%2529.png" width="250" /></a></div>
<br />
Further review shows references to Delphi and in particular what looks to be a
backup location for the source code. A number of strings also mention a few email
clients/providers (Outlook, The Bat, POPPeeper).<br />
Using OpenIOC, one possible IOC could be the following:<br />
<ul>
<li><span style="font-family: Calibri;">Process StringList is
X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is
X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is
X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is
X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is
X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is
X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is
X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TModule_POPPeeper</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TModule_Eudora</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TModule_Gmail</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TModule_IncrediMail</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TModule_GroupMailFree</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TModule_VypressAuvis</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TModule_The_Bat</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TModule_Outlook0</span>
</li>
<li><span style="font-family: Calibri;">Process StringList is TOutlookIdentItem</span> </li>
</ul>
<h2>
<span style="font-size: x-small;">Published IOC</span></h2>
All we need to do now is put it together and introduce the logic to get the
hits. A complete IOC that has been tested is below; the IOC has been tested
against multiple audit files and did not produce any false positives.<br />
<strong><span style="font-family: Calibri;">OR:</span></strong><br />
<ul>
<li><span style="font-family: Calibri;">DriverItem/StringList/string <i>is</i> '
c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb'
</span>
</li>
<li><span style="font-family: Calibri;">DriverItem/StringList/string <i>is</i> '
\Device\631D2408D44C4f47AC647AB96987D4D5' </span>
</li>
<li><span style="font-family: Calibri;">DriverItem/StringList/string <i>is</i> '
631D2408D44C4f47AC647AB96987D4D5' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/HandleList/Handle/Name <i>is</i> '
!IETld!Mutex' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
\\.\631D2408D44C4f47AC647AB96987D4D5' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>contains</i> '
<%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT
POST' </span>
</li>
<li><strong><span style="font-family: Calibri;">AND:</span></strong>
<ul>
<li><span style="font-family: Calibri;">HookItem/HookDescription <i>is</i> ' SystemCall' </span>
</li>
<li><span style="font-family: Calibri;">HookItem/HookedModule <i>is</i> ' ntoskrnl.exe' </span>
</li>
<li><span style="font-family: Calibri;">HookItem/HookingModule <i>contains</i> ' \LOCALS~1\Temp\'
</span></li>
</ul>
</li>
<li><strong><span style="font-family: Calibri;">AND:</span></strong>
<ul>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>contains</i> ' Micorsoft
Windows Service' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>contains</i> '
TANGrabber' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/name <i>is</i> ' services.exe'
</span></li>
</ul>
</li>
<li><strong><span style="font-family: Calibri;">AND:</span></strong>
<ul>
<li><span style="font-family: Calibri;">ProcessItem/arguments <i>isnot</i> '
C:\WINDOWS\System32\svchost.exe -k netsvcs' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/arguments <i>isnot</i> '
C:\WINDOWS\system32\svchost -k rpcss' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/arguments <i>isnot</i> '
C:\WINDOWS\System32\svchost.exe -k LocalService' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/arguments <i>isnot</i> '
C:\WINDOWS\System32\svchost.exe -k NetworkService' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/arguments <i>isnot</i> '
C:\WINDOWS\system32\svchost -k DcomLaunch' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/arguments <i>isnot</i> '
C:\WINDOWS\system32\svchost.exe -k imgsvc' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/name <i>is</i> ' svchost.exe'
</span></li>
</ul>
</li>
<li><strong><span style="font-family: Calibri;">AND:</span></strong>
<ul>
<li><span style="font-family: Calibri;">ProcessItem/name <i>is</i> ' svchost.exe' </span>
</li>
<li><strong><span style="font-family: Calibri;">OR:</span></strong>
<ul>
<li><span style="font-family: Calibri;">ProcessItem/HandleList/Handle/Name <i>contains</i> '
CTF.Compart.MutexDefaultS-1-5-21' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/HandleList/Handle/Name <i>contains</i> '
CTF.Layouts.MutexDefaultS-1-5-21' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/HandleList/Handle/Name <i>contains</i> '
CTF.TMD.MutexDefaultS-1-5-21' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/HandleList/Handle/Name <i>contains</i> '
CTF.TimListCache.FMPDefaultS-1-5-21' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/HandleList/Handle/Name <i>contains</i> '
CTF.Asm.MutexDefaultS-1-5-21' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/HandleList/Handle/Name <i>contains</i> '
CTF.LBES.MutexDefaultS-1-5-21' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/HandleList/Handle/Name <i>contains</i> '
\Start Menu\Programs\Startup\' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>contains</i> '
LOCALS~1\Temp\~TM4.tmp' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' Hide Browser
v1.1' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' 220 220
RMNetwork FTP' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' Ftp Grabber
v1.0' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' Virus Module
v1.0 (exe, dll only)' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' VNC Module v1.0
(Zeus Model)' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' Byob Ernie Gild
Lotto 2002-2006' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' Reich.exe'
</span></li>
</ul>
</li>
</ul>
</li>
<li><strong><span style="font-family: Calibri;">AND:</span></strong>
<ul>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
TModule_POPPeeper' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' TModule_Eudora'
</span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> ' TModule_Gmail'
</span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
TModule_IncrediMail' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
TModule_GroupMailFree' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
TModule_VypressAuvis' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
TModule_The_Bat' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
TModule_Outlook0' </span>
</li>
<li><span style="font-family: Calibri;">ProcessItem/StringList/string <i>is</i> '
TOutlookIdentItem'</span> </li>
</ul>
</li>
</ul>
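To see how the AND/OR logic above binds to individual audit records, here is an added example (my own code, not the post's or Mandiant's): a small OpenIOC-style evaluator run over a subset of the published indicator and two constructed audit records, one resembling the infected host and one clean. The `item_types`, `evaluate` and `hits` helpers and the dict-shaped records are assumptions of this example, not Redline output.

```python
"""OpenIOC-style evaluator for a subset of the Ramnit indicator above.

Added example, not Mandiant's or the post author's code. Audit records are
constructed dicts keyed by the OpenIOC paths used in the post (not real Redline output)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union

@dataclass
class Term:            # one IndicatorItem, e.g. HookItem/HookedModule is 'ntoskrnl.exe'
    path: str          # "<ItemType>/<field>"
    op: str            # is | contains | isnot
    value: str

@dataclass
class Group:           # one Indicator element with an AND/OR operator
    op: str
    children: List[Union[Term, "Group"]] = field(default_factory=list)

def item_types(node) -> Set[str]:
    """Item types (DriverItem, HookItem, ProcessItem) referenced under a node."""
    if isinstance(node, Term):
        return {node.path.split("/")[0]}
    return set().union(*(item_types(c) for c in node.children))

def compare(op: str, have: str, want: str) -> bool:
    have, want = have.lower(), want.lower()   # string matches are case-insensitive
    return {"is": have == want, "contains": want in have, "isnot": have != want}[op]

def term_on_item(t: Term, item: dict) -> bool:
    vals = item.get(t.path, [])
    vals = [vals] if isinstance(vals, str) else vals
    if t.op == "isnot":   # must hold for every value; a missing field is treated as no match
        return bool(vals) and all(compare("isnot", v, t.value) for v in vals)
    return any(compare(t.op, v, t.value) for v in vals)   # list fields: any element may match

def node_on_item(node, item: dict) -> bool:
    if isinstance(node, Term):
        return term_on_item(node, item)
    results = [node_on_item(c, item) for c in node.children]
    return all(results) if node.op == "AND" else any(results)

def evaluate(node, host: Dict[str, List[dict]]) -> bool:
    """host maps an item type to that host's audit records of that type. A group over a
    single item type must be satisfied by ONE record (e.g. one svchost.exe process), so
    two clean svchost.exe records cannot combine to satisfy the 'arguments isnot' branch."""
    types = item_types(node)
    if len(types) == 1:
        return any(node_on_item(node, it) for it in host.get(types.pop(), []))
    if node.op != "OR":
        raise ValueError("AND across different item types has no single record to bind to")
    return any(evaluate(c, host) for c in node.children)

def hits(ioc: Group, host: Dict[str, List[dict]]) -> List[int]:
    """Indices of the top-level branches that fired, which is what an analyst triages first."""
    return [i for i, c in enumerate(ioc.children) if evaluate(c, host)]

SVCHOST_OK = [  # the valid command lines listed in the post
    "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs", "C:\\WINDOWS\\system32\\svchost -k rpcss",
    "C:\\WINDOWS\\System32\\svchost.exe -k LocalService",
    "C:\\WINDOWS\\System32\\svchost.exe -k NetworkService",
    "C:\\WINDOWS\\system32\\svchost -k DcomLaunch", "C:\\WINDOWS\\system32\\svchost.exe -k imgsvc"]

RAMNIT_IOC = Group("OR", [   # subset of the published IOC; values as given in the post
    Term("DriverItem/StringList/string", "is",
         "c:\\project\\demetra\\loader~1\\drivers\\ssdt\\driver~1\\objfre_win7_x86\\i386\\SdtRestore.pdb"),
    Term("DriverItem/StringList/string", "is", "\\Device\\631D2408D44C4f47AC647AB96987D4D5"),
    Term("ProcessItem/HandleList/Handle/Name", "is", "!IETld!Mutex"),
    Group("AND", [Term("HookItem/HookDescription", "is", "SystemCall"),
                  Term("HookItem/HookedModule", "is", "ntoskrnl.exe"),
                  Term("HookItem/HookingModule", "contains", "\\LOCALS~1\\Temp\\")]),
    Group("AND", [Term("ProcessItem/StringList/string", "contains", "Micorsoft Windows Service"),
                  Term("ProcessItem/StringList/string", "contains", "TANGrabber"),
                  Term("ProcessItem/name", "is", "services.exe")]),
    Group("AND", [Term("ProcessItem/name", "is", "svchost.exe")]
          + [Term("ProcessItem/arguments", "isnot", a) for a in SVCHOST_OK]),
])

# Constructed audit records: one host resembling the infected VM, one clean host.
INFECTED_HOST = {
    "DriverItem": [{"DriverItem/StringList/string": [
        "\\systemsroot\\temp\\%x", "\\Device\\631D2408D44C4f47AC647AB96987D4D5"]}],
    "HookItem": [{"HookItem/HookDescription": "SystemCall", "HookItem/HookedModule": "ntoskrnl.exe",
                  "HookItem/HookingModule": "C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\imjvxcsr.sys"}],
    "ProcessItem": [
        {"ProcessItem/name": "svchost.exe", "ProcessItem/arguments": "C:\\WINDOWS\\system32\\svchost.exe"},
        {"ProcessItem/name": "services.exe", "ProcessItem/StringList/string": ["TANGrabber"]}],
}
CLEAN_HOST = {
    "DriverItem": [{"DriverItem/StringList/string": ["\\Device\\Tcp"]}],
    "HookItem": [{"HookItem/HookDescription": "SystemCall", "HookItem/HookedModule": "ntoskrnl.exe",
                  "HookItem/HookingModule": "C:\\WINDOWS\\system32\\drivers\\mfehidk.sys"}],
    "ProcessItem": [   # two legitimate svchost.exe records; only together would they pass every 'isnot'
        {"ProcessItem/name": "svchost.exe", "ProcessItem/arguments": SVCHOST_OK[0]},
        {"ProcessItem/name": "svchost.exe", "ProcessItem/arguments": SVCHOST_OK[3]}],
}
```

Running `hits(RAMNIT_IOC, INFECTED_HOST)` returns the indices of the driver-string, hook and svchost branches, while the clean host fires none, because the `isnot` chain is evaluated per record rather than across the union of all svchost.exe records.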
A published IOC can be located on the <a href="https://forums.mandiant.com/topic/ramnit-ioc" target="_blank">Mandiant
Forums</a> as well as on the <a href="http://ioc.forensicartifacts.com/">http://ioc.forensicartifacts.com/</a>
website.<br />
Happy hunting! Please leave feedback if the IOC produces false positives and
needs amending or improving.<br />
<br />
Ramnit, Zeus and the BAT! Part 2 (Active Security blog, cbentle2, published 2012-01-19)<br />
<h2><font size="2">Memory Analysis</font></h2>
<p><strong>Please note the memory sample reviewed in this next section does not correlate with the logs reviewed above (i.e. PIDs are different, and one other artifact occurred during the memory dump. <em>All will be revealed</em>).</strong></p>
<p>After the VM was snapshotted and paused, analysis could be conducted on the vmem file.</p>
<p>A number of tools were used to conduct the analysis, including the following:</p>
<ul>
<li>Mandiant’s Redline (and also Audit Viewer with Memoryze)</li>
<li>Volatility</li>
</ul>
<p>Several tools were used because each tool has its own advantages and disadvantages.</p>
<h2><font size="2">Process List and Process Tree</font></h2>
<p>The output below was generated from Volatility using the pslist command. As can be seen below, Sample1.exe is the parent PID of two svchost.exe processes (the snapshot was taken before Sample1.exe terminated; see <a href="http://active-security.blogspot.com/2012/01/ramnit-zeus-and-bat-part-1.html" target="_blank">Ramnit Zeus and Bat part 1</a>).</p>
<p>During one of the infections an additional process was started by one of the svchost.exe processes (PID 2000); the process was called install.exe (PID 3424).
We will analyse the file later.</p>
<pre>
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c8830 System                    4      0     67    510 1970-01-01 00:00:00
0x82193da0 smss.exe                556      4      3     19 2012-01-11 22:13:40
0x81fff978 csrss.exe               624    556     12    732 2012-01-11 22:13:43
0x81f67978 winlogon.exe            648    556     21    519 2012-01-11 22:13:43
0x81ef7880 services.exe            692    648     20    298 2012-01-11 22:13:43
0x81f91418 lsass.exe               704    648     27    424 2012-01-11 22:13:43
0x82209198 vmacthlp.exe            860    692      5     40 2012-01-11 22:13:44
0x81e654f0 svchost.exe             872    692     25    223 2012-01-11 22:13:44
0x81ea7360 svchost.exe             956    692     15    284 2012-01-11 22:13:45
0x81f42c10 svchost.exe            1068    692     93   1600 2012-01-11 22:13:45
0x81e9c528 svchost.exe            1200    692     10     93 2012-01-11 22:13:46
0x822adbf0 svchost.exe            1300    692     18    177 2012-01-11 22:13:46
0x822bc840 spoolsv.exe            1428    692     18    133 2012-01-11 22:13:46
0x81e1e6a0 svchost.exe            1532    692      9    116 2012-01-11 22:13:55
0x81e28da0 EngineServer.ex        1604    692      8     53 2012-01-11 22:13:55
0x81e755e8 FrameworkServic        1628    692     14    238 2012-01-11 22:13:55
0x820353e8 VsTskMgr.exe           1692    692     28    273 2012-01-11 22:13:58
0x82194a58 mfevtps.exe            1716    692     10    157 2012-01-11 22:13:59
0x822537a8 naPrdMgr.exe           1724    872      9     98 2012-01-11 22:13:59
0x81ee8760 VMwareService.e        1928    692      7    157 2012-01-11 22:13:59
0x81e4dda0 Mcshield.exe           2012    692     17    131 2012-01-11 22:14:00
0x81de7968 mfeann.exe              204   2012     13    127 2012-01-11 22:14:05
0x81eff6a0 explorer.exe            708    492     23    616 2012-01-11 22:14:08
0x81fb0a20 alg.exe                 524    692     10    117 2012-01-11 22:14:32
0x8223bda0 VMwareTray.exe         1048    708      5     50 2012-01-11 22:14:33
0x81ecb588 wscntfy.exe             416   1068      5     51 2012-01-11 22:14:33
0x821ec918 VMwareUser.exe         1464    708     10    212 2012-01-11 22:14:34
0x8225f6a8 UdaterUI.exe           1612    708     10    121 2012-01-11 22:14:35
0x81f22a20 shstat.exe              900    708      0 ------ 2012-01-11 22:14:35
0x81e81550 AdobeARM.exe           2092    708     12    197 2012-01-11 22:14:38
0x81d1fda0 ctfmon.exe             2216    708      5     89 2012-01-11 22:14:39
0x81f047c8 McTray.exe             2296   1612      5     46 2012-01-11 22:14:39
0x81f8d7b0 mcconsol.exe           3796    900      9    176 2012-01-11 22:15:12
0x81cf3a20 cmd.exe                2108    708      5     53 2012-01-11 22:15:47
0x81f1c5c8 CaptureBAT.exe         2992   2108      0 ------ 2012-01-11 22:16:13
0x81fc8ab0 CaptureBAT.exe         3788   2108     10     56 2012-01-11 22:16:57
0x8213f458 <strong>Sample1.exe</strong>            4000    708      0 ------ 2012-01-11 22:17:04
0x821e1bf0 <strong>svchost.exe</strong>            2640   4000     13    125 2012-01-11 22:17:05
0x82070200 <strong>svchost.exe</strong>            2000   4000     10    119 2012-01-11 22:17:05
0x820b9ad0 <strong>install.exe</strong>            3424   2000     12    159 2012-01-11 22:17:42
0x82049b60 iexplore.exe           2200    708      0 ------ 2012-01-13 19:36:33
0x81a629b8 iexplore.exe            516    708     26    367 2012-01-13 19:37:49
0x81a535a0 iexplore.exe           2480    516     27    550 2012-01-13 19:37:51
</pre>
<p>Upon analysing the memory dump using Redline, the following processes are flagged straight away and highlighted red.</p>
<p><font face="Calibri">svchost.exe PID 2000</font></p>
<p><font face="Calibri">svchost.exe PID 2640</font></p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWtEx-hIYN98KoVQw2i-6NbVKGDgIefxzL0PBHISCOgE7lUHAZk1Y7w9qS6VXgYHd-PY_-YwqjY6zY1fjlLVNHYdOxM41oTyJgWIZuOFl-FOwTIVjbXDe46yiwFjVjPcZt63loWSGyMc0/s1600-h/image2.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7e4iM2JK91rEj17azVbnVZunaFrT2EAm6qwYZG0j32X0t3iyl9_Wprd2sVQX8-6DZKMM2z6ZNdn9mriY2C85nit3WOcf0GSPkYSsv5_opAqAdMakptCBR3d8g8kaHP6lT1RaRex6BeiE/?imgmax=800" width="208" height="79" /></a></p>
<p>Redline reports that the processes were flagged because both have unexpected arguments; in fact the processes don't have any arguments at all.</p>
<p><font face="Calibri">“C:\WINDOWS\system32\svchost.exe”</font></p>
<p>We get a different visual representation of the memory dump using Mandiant’s <a href="http://www.mandiant.com/products/free_software/memoryze/" target="_blank">Memoryze</a> and <a href="http://www.mandiant.com/products/free_software/mandiant_audit_viewer/" target="_blank">Audit Viewer</a>.</p>
<p>The reason for all the additional flags is that Audit Viewer has identified the injected memory sections.</p>
<p><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH6U5-0rh_MPl-ab-hGl_HCy7MrsN_bhl3o_FQxo-d4ZxEtWOErNp7SlMIFctNX169Gf_jmAeC2LZjjgdcdbtu435T6_NAogZXqoDT4aQr7voW6O_JtIUUztexPk-47aGJlcSlgqQCoug/s1600-h/image14.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTRYmLLxOjC_fra7VoQW8v-ktSafDDWtSqMlVK0OBr0MP7PbaCe1hYlkeI-X4dsnmiW-22Tin1Cs6Eh4xBFAcvxUcyXJvcHvOYO54dqYbvgmpzO5I5URmg4jwn2wU1WjIqnkfWvjpDF24/?imgmax=800" width="177" height="560" /></a></p>
<p>Redline also displays the Injected Memory Sections, and upon initial analysis it can be seen that they nearly all start at the same Region address: <font face="Calibri"><strong>0x20010000</strong></font></p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA1TuK3MKbgJIGp-DT4Df2Hvi1rSHPVw3OL9cGCcmxUvkZ09lfClldLb8YZhkqYuL6nyMKEjBEx2WRUr9qTgVZBdd5TB615K8xVh4vsZVg4kYLyzAGh9LaraTu1xhsuu75loi3U2BWv6E/s1600-h/image29.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdwnp_84XtIOAwVhHfPGQiub4dff7tHMj7P5PQQ8AhRnH2gcqgTs23uePck5P5MlQpeOqF_EAn1AAc2UofTjarpr3acAB3Z9FWVOHeOW4Lp2QwcQQ0z60Pyh6WuQxdx5CdpkDloVnF9ws/?imgmax=800" width="400" height="421" /></a></p>
<h2><font size="2">Network Activity</font></h2>
<pre>
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x820c0008 192.168.0.18:1806         173.194.41.95:80            2480
0x81e307a8 192.168.0.18:1810         173.194.67.104:80           2480
0x81ab0008 192.168.0.18:1807         209.85.147.94:80            2480
0x82066a58 192.168.0.18:1802         204.212.40.2:25             3424
0x81f65a50 192.168.0.18:1052         209.85.147.105:80           2000
0x81a994f0 192.168.0.18:1809         209.85.147.94:80            2480
0x81a994f0 192.168.0.18:1805         209.85.147.94:80            2480
0x81f29720 192.168.0.18:1033         209.85.147.105:80           2000
0x82055008 192.168.0.18:1500         209.85.229.99:80            2000
0x8206c370 192.168.0.18:1803         74.125.43.27:25             3424
0x81a9db28 192.168.0.18:1799         202.136.110.213:25          3424
0x81a9db28 192.168.0.18:1715         202.136.110.213:25          3424
</pre>
<p>Straight away, the interesting connections that stand out are the connections to port 25 (SMTP); this will be expanded on later. The IP addresses are located in Australia and the United States.</p>
<h2><font size="2">Services</font></h2>
<p>Using Volatility (svcscan) we can review the services that were running at the time the snapshot was taken. Upon first analysis nothing really seems to be amiss apart from the misspelled: <strong>Mic<font style="background-color: #ffff00"><u>or</u></font>soft Windows Service</strong></p>
<pre>
Offset(P)  #Ptr #Hnd Start        Size Service key          Name
0x01f26f38    3    0 0xb2746000 333952 'Srv'                'Srv'        '\\FileSystem\\Srv'
0x01fe0190    3    0 0xf8b72000  15488 'mssmbios'           'mssmbios'   '\\Driver\\mssmbios'
0x01fe0838    3    0 0xf80f5000 384768 'Update'             'Update'     '\\Driver\\Update'
0x01fe3950    2    0 0xb2102000  68512 'mfeapfk'            'mfeapfk'    '\\Driver\\mfeapfk'
0x01fffa08    5    0 0xf8ab6000  11008 'vmscsi'             'vmscsi'     '\\Driver\\vmscsi'
0x02042a18    5    0 0xb1e81000 264832 'HTTP'               'HTTP'       '\\Driver\\HTTP'
0x0204bf38    5    0 0xf88ba000  56576 'mfetdik'            'mfetdik'    '\\Driver\\mfetdik'
0x0204cb10    4    0 0xb2cc0000 113152 'vmhgfs'             'vmhgfs'     '\\FileSystem\\vmhgfs'
0x0204f300    3    0 0xf883a000  41472 'RasPppoe'           'RasPppoe'   '\\Driver\\RasPppoe'
0x02060df0   19    0 0xf8376000 333376 'mfehidk'            'mfehidk'    '\\Driver\\mfehidk'
0x02061860    5    0 0xf83c8000 105344 'Mup'                'Mup'        '\\FileSystem\\Mup'
0x02061ce8   17    0 0xf83e2000 182656 'NDIS'               'NDIS'       '\\Driver\\NDIS'
0x02064bb8    3    0 0xf882a000  51328 'Rasl2tp'            'Rasl2tp'    '\\Driver\\Rasl2tp'
0x02071168    6    0 0xf853b000 125056 'Ftdisk'             'Ftdisk'     '\\Driver\\Ftdisk'
0x0207b240    3    0 0xf8a82000  21760 'TDTCP'              'TDTCP'      '\\Driver\\TDTCP'
0x0207d178    2    0 0xb21db000  11648 'CaptureFileMonitor' 'CaptureFileMonitor' '\\FileSystem\\CaptureFileMonitor'
0x02091790    3    0 0xf88ca000  34688 'NetBIOS'            'NetBIOS'    '\\FileSystem\\NetBIOS'
0x02092f38    5    0 0xb2cfe000 162816 'NetBT'              'NetBT'      '\\Driver\\NetBT'
0x02095838    5    0 0xf8153000 196224 'rdpdr'              'rdpdr'      '\\Driver\\rdpdr'
0x02096030    4    0 0xf8263000  12160 'mouhid'             'mouhid'     '\\Driver\\mouhid'
0x02098030    7    0 0xf8bb0000   7936 'Fs_Rec'             'Fs_Rec'     '\\FileSystem\\Fs_Rec'
0x0209cf38    6    0 0xf8972000  23040 'Mouclass'           'Mouclass'   '\\Driver\\Mouclass'
0x020ab1b0    6    0 0xf84fd000  96512 'atapi'              'atapi'      '\\Driver\\atapi'
0x020ab2a8    5    0 0xf86ba000  52352 'VolSnap'            'VolSnap'    '\\Driver\\VolSnap'
0x020ab3a0    4    0 0xf8922000  19712 'PartMgr'            'PartMgr'    '\\Driver\\PartMgr'
0x020b2030    4    0 0xf87fa000  40704 'es1371'
</pre>
          'es1371'     '\\Driver\\es1371' <br />0x020bcf38    3    0 0xf89c2000  19072 'Msfs'               'Msfs'       '\\FileSystem\\Msfs' <br />0x020bd030    3    0 0xf8b52000  13952 'CmBatt'             'CmBatt'     '\\Driver\\CmBatt' <br />0x020bd560    3    0 0xf89ca000  30848 'Npfs'               'Npfs'       '\\FileSystem\\Npfs' <br />0x020c2548    3    0 0xf86ea000  42368 'agp440'             'agp440'     '\\Driver\\agp440' <br />0x020e8be0    3    0 0xf8c26000   7296 'CaptureRegistryMonitor' 'CaptureRegistryMonitor' '\\Driver\\CaptureRegistryMonitor' <br />0x020fd788    4    0 0xb2c25000 455296 'MRxSmb'             'MRxSmb'     '\\FileSystem\\MRxSmb' <br />0x02101790    3    0 0xb2cdc000 138496 'AFD'                'AFD'        '\\Driver\\AFD' <br />0x02101be0    7    0 0xb2d74000 361600 'Tcpip'              'Tcpip'      '\\Driver\\Tcpip' <br />0x02103678    6    0 0xf88aa000  59520 'usbhub'             'usbhub'     '\\Driver\\usbhub' <br />0x02106bd8    3    0 0xf8bb6000   4224 'RDPCDD'             'RDPCDD'     '\\Driver\\RDPCDD' <br />0x02126928    3    0 0xb27e8000 180608 'MRxDAV'             'MRxDAV'     '\\FileSystem\\MRxDAV' <br />0x02128970    4    0 0xb1c2d000 143744 'Fastfat'            'Fastfat'    '\\FileSystem\\Fastfat' <br />0x02130730    3    0 0xf89a2000  16512 'Raspti'             'Raspti'     '\\Driver\\Raspti' <br />0x02134360    2    0 0xb20ed000  84352 'mfeavfk'            'mfeavfk'    '\\Driver\\mfeavfk' <br />0x02134880    3    0 0xb25a6000  60800 'sysaudio'           'sysaudio'   '\\Driver\\sysaudio' <br />0x02161160    4    0 0xf8b9e000   5504 'IntelIde'           'IntelIde'   '\\Driver\\IntelIde' <br />0x02164cc0    3    0 0xf8d3a000   2944 'Null'               'Null'       '\\Driver\\Null' <br />0x0216f030    7    0 0xf8cd2000   3072 'audstub'            'audstub'    '\\Driver\\audstub' <br />0x02170110    5    0 0xf89d2000  32128 'usbccgp'            'usbccgp'    '\\Driver\\usbccgp' <br />0x0218f6e0    3    0 0xf885a000  35072 
'Gpc'                'Gpc'        '\\Driver\\Gpc' <br />0x0218fbb8    5    0 0xf8183000  69120 'PSched'             'PSched'     '\\Driver\\PSched' <br />0x021905f0   13    0 0x00000000      0 '\\Driver\\Win32k'   'Win32k'     '\\Driver\\Win32k' <br />0x021a1030    4    0 0xf896a000  24576 'Kbdclass'           'Kbdclass'   '\\Driver\\Kbdclass' <br />0x021ada30    6    0 0xf8515000 153344 'dmio'               'dmio'       '\\Driver\\dmio' <br />0x021adc48    3    0 0xf8ba0000   5888 'dmload'             'dmload'     '\\Driver\\dmload' <br />0x021f09f8    5    0 0xf887a000  40704 'TermDD'             'TermDD'     '\\Driver\\TermDD' <br />0x021fdec8    3    0 0xf8325000  12032 'WS2IFSL'            'WS2IFSL'    '\\Driver\\WS2IFSL' <br />0x02209030    3    0 0xf881a000  36352 'intelppm'           'intelppm'   '\\Driver\\intelppm' <br />0x0220bda0    3    0 0xf87da000  48256 'vmci'               'vmci'       '\\Driver\\vmci' <br />0x02222460    3    0 0xf8bb4000   4224 'mnmdd'              'mnmdd'      '\\Driver\\mnmdd' <br />0x02230270    5    0 0xb2411000  83072 'wdmaud'             'wdmaud'     '\\Driver\\wdmaud' <br />0x02232f38    3    0 0xb2c95000 175744 'Rdbss'              'Rdbss'      '\\FileSystem\\Rdbss' <br />0x02236408    3    0 0xf8335000   8832 'RasAcd'             'RasAcd'     '\\Driver\\RasAcd' <br />0x02236ca8    3    0 0xf89ba000  20992 'VgaSave'            'VgaSave'    '\\Driver\\VgaSave' <br />0x0223bcc0    3    0 0xf8bb2000   4224 'Beep'               'Beep'       '\\Driver\\Beep' <br />0x022f11e8    3    0 0xf8952000  32768 '<strong>Mic<font style="background-color: #ffff00"><u>or</u></font>soft Windows Service' 'Mic<font style="background-color: #ffff00"><u>or</u></font>soft Windows Service' '\\Driver\\Mic<font style="background-color: #ffff00"><u>or</u></font>soft Windows Service' </strong> <br />0x02349500    3    0 0xb17f2000 172416 'kmixer'             'kmixer'     '\\Driver\\kmixer' <br />0x02389bb8    9    0 0xf8bac000   4352 'swenum'        
     'swenum'     '\\Driver\\swenum' <br />0x0238ef38    6    0 0xf826b000  10368 'hidusb'             'hidusb'     '\\Driver\\hidusb' <br />0x0239b7f0    6    0 0xf899a000  17792 'Ptilink'            'Ptilink'    '\\Driver\\Ptilink' <br />0x0239c5d8    3    0 0xf88ea000  36864 'vmdebug'            'vmdebug'    '\\Driver\\vmdebug' <br />0x023a04b8    4    0 0xf87ca000  57600 'redbook'            'redbook'    '\\Driver\\redbook' <br />0x023a6418    3    0 0xf8b96000  10624 'gameenum'           'gameenum'   '\\Driver\\gameenum' <br />0x023e9030    3    0 0xf873a000  63744 'Cdfs'               'Cdfs'       '\\FileSystem\\Cdfs' <br />0x023ea5d0    3    0 0xf8c1e000   6272 'CaptureProcessMonitor' 'CaptureProcessMonitor' '\\Driver\\CaptureProcessMonitor' <br />0x023fcf38    2    0 0xb21bb000  36288 'mfebopk'            'mfebopk'    '\\Driver\\mfebopk' <br />0x02405740    3    0 0xb2dcd000  75264 'IPSec'              'IPSec'      '\\Driver\\IPSec' <br />0x024178d0    5    0 0xf878a000  52480 'i8042prt'           'i8042prt'   '\\Driver\\i8042prt' <br />0x02437da0    3    0 0xb1eea000 139520 'RDPWD'              'RDPWD'      '\\Driver\\RDPWD' <br />0x02439030    3    0 0xf8be2000   6784 'ParVdm'             'ParVdm'     '\\Driver\\ParVdm' <br />0x02439430    3    0 0xb2a59000  14592 'Ndisuio'            'Ndisuio'    '\\Driver\\Ndisuio' <br />0x02439da0    3    0 0xf8be4000   7680 'VMMEMCTL'           'VMMEMCTL'   '\\Driver\\VMMEMCTL' <br />0x02450f38    3    0 0xf88fa000  44544 'Fips'               'Fips'       '\\Driver\\Fips' <br />0x02458a50    3    0 0xb2d4e000 152832 'IpNat'              'IpNat'      '\\Driver\\IpNat' <br />0x0245d030    3    0 0xf87aa000  42112 'Imapi'              'Imapi'      '\\Driver\\Imapi' <br />0x0245d610    3    0 0xf87ba000  62976 'Cdrom'              'Cdrom'      '\\Driver\\Cdrom' <br />0x024682a0    4    0 0xf8234000  91520 'NdisWan'            'NdisWan'    '\\Driver\\NdisWan' <br />0x02468d78    6    0 0xf8b56000  10112 'NdisTapi'          
 'NdisTapi'   '\\Driver\\NdisTapi' <br />0x02472640    4    0 0xf8309000  80128 'Parport'            'Parport'    '\\Driver\\Parport' <br />0x024ad8a8    3    0 0xf898a000  29696 'vmxnet'             'vmxnet'     '\\Driver\\vmxnet' <br />0x024b3b70   16    0 0xf84c5000 129792 'FltMgr'             'FltMgr'     '\\FileSystem\\FltMgr' <br />0x024c00b0    7    0 0xf86aa000  42368 'MountMgr'           'MountMgr'   '\\Driver\\MountMgr' <br />0x024edca8    3    0 0xf890a000  34560 'Wanarp'             'Wanarp'     '\\Driver\\Wanarp' <br />0x024ef838    3    0 0xf884a000  48384 'PptpMiniport'       'PptpMiniport' '\\Driver\\PptpMiniport' <br />0x024efb30    3    0 0xf89aa000  20480 'Flpydisk'           'Flpydisk'   '\\Driver\\Flpydisk' <br />0x024f9150    3    0 0xf8ba8000   4736 'vmmouse'            'vmmouse'    '\\Driver\\vmmouse' <br />0x0250d290    4    0 0xf897a000  27392 'Fdc'                'Fdc'        '\\Driver\\Fdc' <br />0x0250e278    4    0 0xf8982000  20608 'usbuhci'            'usbuhci'    '\\Driver\\usbuhci' <br />0x0250f200    4    0 0xf8b4a000  15744 'serenum'            'serenum'    '\\Driver\\serenum' <br />0x0250f378    3    0 0xf87ea000  57216 'vmx_svga'           'vmx_svga'   '\\Driver\\vmx_svga' <br />0x0250f9f8    4    0 0xf879a000  64512 'Serial'             'Serial'     '\\Driver\\Serial' <br />0x02517c78    3    0 0xf888a000  40576 'NDProxy'            'NDProxy'    '\\Driver\\NDProxy' <br />0x02519778    4    0 0xf840f000 574976 'Ntfs'               'Ntfs'       '\\FileSystem\\Ntfs' <br />0x02519988    3    0 0xf849c000  92288 'KSecDD'             'KSecDD'     '\\Driver\\KSecDD' <br />0x02519b98    7    0 0xf84b3000  73472 'sr'                 'sr'         '\\FileSystem\\sr' <br />0x0251ccc8    4    0 0xf86ca000  36352 'Disk'               'Disk'       '\\Driver\\Disk' <br />0x0253e218    4    0 0xf8aae000  10240 'Compbatt'           'Compbatt'   '\\Driver\\Compbatt' <br />0x025ab560    5    0 0x00000000      0                      'RAW'        
'\\FileSystem\\RAW' <br />0x025acf38   81    0 0xf855a000  68224 'PCI'                'PCI'        '\\Driver\\PCI' <br />0x025af2d8    4    0 0x00000000      0 '\\Driver\\ACPI_HAL' 'ACPI_HAL'   '\\Driver\\ACPI_HAL' <br />0x025c5308    4    0 0xf869a000  37248 'isapnp'             'isapnp'     '\\Driver\\isapnp' <br />0x025e2980   64    0 0xf856b000 187776 'ACPI'               'ACPI'       '\\Driver\\ACPI' <br />0x025e6ce8    4    0 0x00000000      0 '\\Driver\\WMIxWDM'  'WMIxWDM'    '\\Driver\\WMIxWDM' <br />0x025eb290   65    0 0x00000000      0 '\\Driver\\PnpManager' 'PnpManager' '\\Driver\\PnpManager'</font> </p> <p>Using the driverirp Volatility command we can output a driver's IRP (major function) dispatch table. Here we can see that the driver behind the misspelled Micorsoft Windows Service is <strong>imjvxcsr.sys</strong>. Only four major functions point into the driver's own image: IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_POWER share one routine at 0xf89541b8 (most likely a minimal complete-with-success stub), and IRP_MJ_DEVICE_CONTROL has its own at 0xf89541d8. Every other entry points at the same ntoskrnl.exe address, the kernel's default routine for major functions a driver does not implement (IopInvalidDeviceRequest). A driver whose only real entry point is DEVICE_CONTROL is being driven by IOCTLs from user mode, which is consistent with the svchost.exe processes the sample spawned in Part 1.</p> <p><font face="Calibri">0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE                        0xf89541b8   <strong>imjvxcsr.sys</strong>     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE_NAMED_PIPE             0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_CLOSE                         0xf89541b8   <strong>imjvxcsr.sys</strong>     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_READ                          0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_WRITE                         0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_INFORMATION             0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_INFORMATION               0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_EA                      0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows
Service' IRP_MJ_SET_EA                        0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_FLUSH_BUFFERS                 0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_VOLUME_INFORMATION      0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_VOLUME_INFORMATION        0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_DIRECTORY_CONTROL             0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_FILE_SYSTEM_CONTROL           0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CONTROL                0xf89541d8   <strong>imjvxcsr.sys</strong>     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_INTERNAL_DEVICE_CONTROL       0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_SHUTDOWN                      0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_LOCK_CONTROL                  0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_CLEANUP                       0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE_MAILSLOT               0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_SECURITY                0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_SECURITY                  0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_POWER                         0xf89541b8   <strong>imjvxcsr.sys</strong>     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_SYSTEM_CONTROL 
0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CHANGE                 0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_QUOTA                   0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_QUOTA                     0x804f355a   ntoskrnl.exe     -            - <br />0xf8952000   'Micorsoft Windows Service' IRP_MJ_PNP                           0x804f355a   ntoskrnl.exe     -            -</font> <br /></p> <h2><font size="2">Hooks</font></h2> <p>If we review the Hooks tab in Audit Viewer, or the Hooks section in Redline, and in particular the System Service Descriptor Table hooks, we see the driver (<font face="Calibri"><strong>imjvxcsr.sys</strong></font>) identified in the previous section.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_oaQa3LjNxWiAyQQS3l4wGymzFFcyZJahIGsOKfNBZR37kUfFx02gIr4k3vPxMJ3-M8hJRQ7Vor0nqnsRp_CT-T6c0r62Su5RS-6G4tyPw4XFjKVa0uCRqCiV6FybZMKYkVGje1MyfQQ/s1600-h/image34.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlFTYkLF-VjEX6lymYNrTnnIPxslH5hzfvDezcKKPnrGbUeXo4PsuwV_eTlfiWTHbeldITH8PcrQSXOtbzIYbuaGCjuKiBqxwyDI1uaDpF7eqCmVN9TtyLY0sdmucWhTxw1isRD1Ig514/?imgmax=800" width="429" height="78" /></a></p> <p>This can also be verified using the ssdt or the threads -F HookedSSDT Volatility commands. Both hooked entries resolve to addresses inside the driver's image (base 0xf8952000 with a size of 32768 bytes according to driverscan, so 0xf8952000 to 0xf895a000), and the two functions hooked, NtCreateKey and NtOpenKey, are exactly the calls a rootkit intercepts to hide its own registry key (here the misspelled service key) from user-mode tools. On a clean XP system every entry in SSDT[0] is owned by the kernel image, so any other owner deserves a look; bear in mind that some security products hook the SSDT legitimately, so confirm what the owning driver is before calling it malicious.</p> <p><em>ssdt command</em><font face="Calibri"> <br />Entry 0x0029: 0xf89546ac (NtCreateKey) owned by <strong>imjvxcsr.sys</strong> <br />Entry 0x0077: 0xf8954562 (NtOpenKey) owned by <strong>imjvxcsr.sys</strong></font></p> <p><em>threads -F HookedSSDT command</em></p> <p><font
face="Calibri">ETHREAD: 0x81f1cbc8 Pid: 692 Tid: 3980 <br />Tags: HookedSSDT <br />Created: 2012-01-11 22:18:34 <br />Exited: - <br />Owning Process: 0x81ef7880 'services.exe' <br />Attached Process: 0x81ef7880 'services.exe' <br />State: Waiting:WrQueue <br />BasePriority: 0x9 <br />Priority: 0x9 <br />TEB: 0x7ffd9000 <br />StartAddress: 0x7c8106f9 <br />ServiceTable: 0x80553020 <br />  [0] 0x80501b9c <br />      [0x29] NtCreateKey 0xf89546ac imjvxcsr.sys <br />      [0x77] NtOpenKey 0xf8954562 imjvxcsr.sys <br />  [1] - <br />  [2] - <br />  [3] - <br />Win32Thread: 0x00000000 <br />CrossThreadFlags: <br />Eip: 0x7c90e514 <br />  eax=0x77e76c7d ebx=0xffffffff ecx=0x00090640 edx=0x0072fb78 esi=0x000ac2e8 edi=0x00000000 <br />  eip=0x7c90e514 esp=0x006efeac ebp=0x006efed8 err=0x00000000 <br />  cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 efl=0x00000246 <br />  dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000</font> </p> <p>Part 3 Building an IOC to follow.</p> cbentle2http://www.blogger.com/profile/12931621208758003923noreply@blogger.com1tag:blogger.com,1999:blog-4268584393779840195.post-14767663379303899662012-01-18T21:31:00.001+00:002012-01-18T21:31:59.006+00:00Ramnit, Zeus and the BAT! Part 1<p>Please note the samples analysed were provided by Andre M. 
DiMino @sempersecurus (<a href="http://sempersecurus.org">http://sempersecurus.org</a>).</p> <table border="0" cellspacing="0" cellpadding="2" width="387"><tbody> <tr> <td valign="top" width="133">Sample No</td> <td valign="top" width="168">MD5</td> <td valign="top" width="84">Executable name</td> </tr> <tr> <td valign="top" width="133">Sample1 </td> <td valign="top" width="168">2f5d28f9792c7d114bed7fdcec00f550 </td> <td valign="top" width="84">Sample1.exe</td> </tr> <tr> <td valign="top" width="133">Sample2 </td> <td valign="top" width="168">76991eefea6cb01e1d7435ae973858e6 </td> <td valign="top" width="84">Sample2.exe</td> </tr> </tbody></table> <h2><font size="2"><font style="font-weight: bold">Initial File Analysis</font></font></h2> <p>Initial analysis of the files shows that both are packed with UPX and import only 3 libraries. Bear in mind that this is the import table of the UPX stub, not of the real payload: UPX keeps LoadLibraryA and GetProcAddress for its own use and one function from each DLL the original file imported (hence the single entries for comctl32 and shlwapi), so the list tells you which DLLs the payload uses but not which functions. Unpack the sample (<strong>upx -d</strong>) or dump the running process to see the real imports.</p> <p>Kernel32.dll </p> <p>6 functions (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess)</p> <p>Comctl32.dll</p> <p>1 function (InitCommonControls)</p> <p>SHLWAPI.dll</p> <p>1 function (StrChrA)</p> <h2><font size="2"><font style="font-weight: bold">Dynamic Analysis</font></font></h2> <p>Both samples were analysed dynamically using various monitoring tools (CaptureBat.exe and Preservation; see the Malware Analyst's Cookbook, Chapter 9).</p> <p>The process below was used to set up the environment:</p> <li>Start monitoring tools (see the Preservation and CaptureBat section below) </li> <li>Execute the sample </li> <li>Snapshot the virtual machine <p>After the final stage was completed the VM was rolled back to the previous clean state and the same process used for the next sample.</p> <h2><font size="2">Monitoring Tools</font></h2> <p>The analysis was conducted by first executing preservation.exe with the <strong>ln</strong> argument (<strong>preservation.exe ln</strong>); this logs everything to the c:\preservation\ directory.</p> <p>CaptureBat was executed next and
configured to capture file, process and registry access as well as network activity, using the following arguments.</p> <p><strong>capturebat.exe -cn -l c:\preservation\Capture.txt</strong> </p> <h2><font size="2"><font style="font-weight: bold">Initial Log Review</font></font></h2> <p><em>Preservation Output</em></p> <p><strong>Please note: various sections of the log below have been removed.</strong></p> <p>Upon initial execution of <strong>Sample1.exe</strong> we can see it starts an instance of the <strong>svchost.exe</strong> process (PID 4048). The parent alone is a strong indicator: a genuine svchost.exe is only ever started by services.exe, never by a process on the user's desktop.</p> <p><em><font face="Calibri">[PROCESS START] explorer.exe (PID:2140) started Sample1.exe (PID 2496) <br />[THREAD START] explorer.exe (PID:2140) started thread (TID 2520) <br />[IMAGE LOAD] Sample1.exe (PID:2496) loaded \Device\HarddiskVolume1\Documents and Settings\nosuchuser\Desktop\ramnit\Sample1.exe</font></em></p> <p> <br /><strong>First SVCHOST Instance</strong></p> <p><em><font face="Calibri">[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 4048)</font></em></p> <p><em><font face="Calibri">[THREAD START] Sample1.exe (PID:2496) started thread (TID 1244)</font></em></p> <p><em><font face="Calibri">[IMAGE LOAD] svchost.exe (PID:4048) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</font></em></p> <p><strong>Second SVCHOST Instance</strong></p> <p>The malware sample then starts another instance of <strong>svchost.exe</strong> (PID 2384)</p> <p><em><font face="Calibri">[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 2384) <br />[THREAD START] Sample1.exe (PID:2496) started thread (TID 3020) <br />[IMAGE LOAD] svchost.exe (PID:2384) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe</font></em></p> <p><em><strong>Sample1 Third Process Initiated</strong></em></p> <p>Sample 1 then goes on to create another pseudo-randomly named executable in the \Temp directory. The pseudo-random nature was observed by restoring the VM to a previous state and
re-infecting the machine with the same sample: each time the file is named the same apart from the last 2 characters. My assumption at this point is that the file name is derived from some information on the host machine.</p> <p>On the host infected the following remained static during a number of infections: <strong>sggjahylqiethd&lt;XX&gt;.exe</strong></p> <p>After the randomly named executable is initiated the original executable <strong>Sample1.exe</strong> is terminated.</p> <p>By reviewing the log below it can also be ascertained that services.exe starts a new service; during each infection the service name was identical, the misspelled:</p> <strong>Mic<em><u>or</u></em>soft Windows Service</strong> <br /> <p>After the service starts we then see System (PID:4) load a suspicious driver, <strong>imjvxcsr.sys</strong>, from the Temp directory. A kernel driver loaded from a user's Temp folder is never legitimate and is a good stand-alone indicator in its own right.</p> <p> <br /><font face="Calibri"><em>[PROCESS START] <strong>Sample1.exe</strong> (PID:2496) started <strong>sggjahylqiethdj</strong> (PID 3900) <br />[THREAD START] Sample1.exe (PID:2496) started thread (TID 2972) <br />[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \Device\HarddiskVolume1\DOCUME~1\nosuchuser\LOCALS~1\Temp\<strong>sggjahylqiethdjp.exe</strong> <br />[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \SystemRoot\System32\ntdll.dll <br />[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\kernel32.dll <br />[PROCESS TERMINATE] Sample1.exe (PID:2496) terminating Sample1.exe (PID 2496) <br />[THREAD START] System (PID:4) started thread (TID 1416) <br />[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\comctl32.dll <br />[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\advapi32.dll <br />[THREAD START] System (PID:4) started thread (TID 2900) <br />[THREAD START] services.exe (PID:760) started thread (TID 3968) <br />[DRIVER LOAD] <strong>services.exe</strong> (PID:760) loading driver <strong>\Registry\Machine\System\CurrentControlSet\Services\Micorsoft Windows Service</strong>
<br /></em>----<em><strong>Removed Multiple Thread Starts and Image Loads </strong></em>---- </font></p> <p><em><font face="Calibri">[IMAGE LOAD] System (PID:4) loaded <strong>\??\C:\DOCUME~1\nosuchuser\LOCALS~1\Temp\imjvxcsr.sys</strong> <br />[FILE DELETE] System (PID:4) deleting file \systemroot\temp\3ab95fd5 <br />[THREAD START] System (PID:4) started thread (TID 4020) <br /></font></em> <br /><em>CaptureBat Output</em></p> <p>The CaptureBat log has all the artifacts identified above with the addition of registry entries, file creation and network activity. <br /></p> <p>A number of other observations can be made from the log below:</p> </li> <li>An additional executable (bbioufwf.exe) is created on the file system </li> <li>The file is added to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key </li> <li>The file is also written to the user's Startup folder for persistence<strong> (note that when reviewing the file system this file does not appear, due to the rootkit; a live directory listing is therefore not a reliable check here, so rely on the CaptureBat log or an offline copy of the disk instead)</strong> </li> <li>A number of logs are written by svchost on the local system (log names again appear to be pseudo-randomly generated). </li> <li>A number of temporary ~TM&lt;N&gt;.tmp files are created in the Temp folder. These files contain some references to IE cookies but also seem to contain encrypted data.
</li> <li>svchost also infects a number of files located in the Program Files directory <p><font face="Calibri">"16/1/2012 13:16:30.23","file","Write","System","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\bbioufwf.exe"</font></p> <p><font face="Calibri">"16/1/2012 13:16:30.616","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BbiOufwf"</font></p> <p><font face="Calibri">"16/1/2012 13:16:27.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Start Menu\Programs\Startup\bbioufwf.exe"</font></p> <p><font face="Calibri">"16/1/2012 13:16:27.429","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\cclgvecb.log"</font></p> <p><font face="Calibri">"16/1/2012 13:16:27.491","file","Delete","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\px3.tmp"</font></p> <p><font face="Calibri">"16/1/2012 13:16:34.601","file","Write","C:\Documents and Settings\nosuchuser\Local Settings\Temp\sggjahylqiethdjp.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\imjvxcsr.sys"</font></p> <p><font face="Calibri">"16/1/2012 13:17:30.929","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\hlgbbwvv.log"</font></p> <p><font face="Calibri">"16/1/2012 13:17:31.804","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\dsstrbjb.log"</font></p> <p><font face="Calibri">"16/1/2012 13:17:37.7","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\~TM4.tmp"</font></p> <p><font face="Calibri">"16/1/2012 13:20:34.335","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe"</font></p> <p>Part 2 Memory 
Analysis to follow.</p> </li> cbentle2http://www.blogger.com/profile/12931621208758003923noreply@blogger.com0tag:blogger.com,1999:blog-4268584393779840195.post-61451468347248498902011-12-15T22:32:00.001+00:002011-12-15T22:36:36.490+00:00Attack the Kill Chain MindMapIf we look at the past 12 months it hardly seems a day goes by without a news article being posted about an attack or compromise. <br />
<br />
These range from small family businesses trying to gain an online advantage (especially in today's climate) to large-scale businesses which provide services that impact our everyday lives.<br />
<br />
In 2009 Mike Cloppert posted <a href="http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/" target="_blank">Security Intelligence: Attacking the Kill Chain</a>; the article was an excellent example of foresight (and from someone deep in the trenches).<br />
The article was part of a series on Security Intelligence which I feel has even more importance as we come to the end of 2011.<br />
<br />
I’m not really big on predictions, but I will make this one.<br />
<br />
I guarantee that more articles will be written in 2012 which describe online attacks. (Fairly certain this will be a safe bet.)<br />
<br />
As an industry we need to stop using the old ostrich approach and “bury our heads in the sand”. The attacks are going to come; let's try and find a way to deal with them by being open and sharing the experience of how the compromise occurred.<br />
<br />
“Defence in Depth” is not just about multiple layers of technology; it's also about knowledge sharing. If I know what to look for, it's also my duty to pass that on so others can prevent the same mistake or compromise from happening. <br />
<br />
I have produced a Mindmap of what I feel are the key points of the article. The Mindmap is based on my interpretation of the original article.<br />
<br />
Please read the original article; if you work in the information security space, try to incorporate its points into your everyday life.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8wdSHIgRqlytABeRfms7FVadBZQr2NKavFMzXUPgFzRiMEYZbnTECFfuNeVClNJRWDoLhqaYmmlC-ZAUCme2LkMK1i3izXDtql-iCnHf8yqGgC2iTF2INLxLkT-U7No9LZyG2KVrRNHo/s1600-h/Attacking_the_Kill_Ch%25255B14%25255D.png"><img alt="Attacking_the_Kill_Ch" border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR9wEOVUtWPxEphY0FJj4DZmzjNvDazzpB8hCCN3wR-4sCN6W2V02muFxP5e-m67oVRj1Yi_NwrnyHp4VISlXBWAc8dtA5L5tFUnoV-3Rso2o4i0cFRbL65uUGvsRlP0qfgaFc3yl-Z8Y/?imgmax=800" style="background-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: inline; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Attacking_the_Kill_Ch" width="404" /></a><br />
<br />
A higher resolution image can be found <a href="https://docs.google.com/open?id=0Bz2rZ4S-yK8AZTM1MWNlOWYtNmVhNS00NTliLWIxMzMtZDdkODBmMjAwOWU3" target="_blank">here</a>cbentle2http://www.blogger.com/profile/12931621208758003923noreply@blogger.com0tag:blogger.com,1999:blog-4268584393779840195.post-61451468347248498902011-05-31T22:04:00.000+01:002012-03-13T20:34:22.778+00:00Volatility Script for WindowsWell I've decided to make more of an effort to use my blog.<br />
<div>
<br /></div>
<div>
First article will be a new Windows-based Volatility script I've developed, based on the one from<span class="Apple-style-span"> lg's blog (<a href="http://lorgor.blogspot.com/2010/11/volatility-mem-forensics-ivputting-it.html">http://lorgor.blogspot.com/2010/11/volatility-mem-forensics-ivputting-it.html</a>)</span></div>
<div>
<br /></div>
<div>
There are a few prerequisites; just follow the instructions on the Volatility wiki:</div>
<div>
<a href="http://code.google.com/p/volatility/wiki/FullInstallation#Windows_Installation"><span class="Apple-style-span">http://code.google.com/p/volatility/wiki/FullInstallation#Windows_Installation</span></a></div>
<div>
<br />
The report also makes use of the malware.py script from<span class="Apple-style-span"> <span class="Apple-style-span"><a href="http://code.google.com/p/malwarecookbook/">http://code.google.com/p/malwarecookbook/</a></span></span>;<br />
<span class="Apple-style-span"><span class="Apple-style-span">just download the plugin and drop the file into the plugins directory. </span></span><br />
<br /></div>
<div>
<span class="Apple-style-span"><b>Set-up</b></span></div>
<div>
Make sure all your environment variables have been set up for Python and Perl (instructions can be found on numerous sites).</div>
<div>
<br /></div>
<div>
Drop the batch file into the volatility directory and make sure you update the following:</div>
<div>
<br /></div>
<div>
Your case directory and dumps directory; these can be wherever you like on your machine.</div>
<div>
<div>
<ul>
<li>mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%</li>
<li>mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%\dumps</li>
</ul>
You should also check and set up the following:</div>
</div>
<div>
<br /></div>
<div>
<div>
set VOLDIR="C:\Forensics\vol\vol1.4\%VOLDIR%\vol.py-1.4_rc1"</div>
<div>
set PYTHON="C:\Python27\python.exe"</div>
<div>
set PERL="C:\Perl\bin\perl.exe"</div>
</div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="font-size: medium;"><b>Running the script</b></span></div>
<div>
I generally run the script in the following way:</div>
<div>
<ol>
<li>Open a command prompt and change directory to the volatility directory.</li>
</ol>
Next, to run the script, type the following; remember that if the path contains spaces, put quotes around the parameter.<br />
<br />
volscript.bat &lt;path-to-memory-dump&gt; &lt;name-of-report&gt;</div>
<div>
<br />
<br />
The script can take a while to complete, but once it has finished you will have a single report which you can analyse.</div>
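<div>
As an added illustration of the layout the set-up and run steps above describe (this is example code, not the author's volscript.bat, which is linked at the end of the post), the batch file below checks its two arguments, creates the date-named case and dumps directories, records the image hash, and appends the output of each Volatility plugin under its own header in one report. The interpreter and directory paths, the WinXPSP2x86 profile, the use of wmic for a locale-independent date and of certutil to hash the image, and the plugin list (core 1.4 plugins plus malfind from malware.py) are all assumptions for this example.</div>

```batch
@echo off
setlocal
rem volscript-example.bat - illustrative wrapper around Volatility 1.4 (vol.py).
rem Added example, not the author's script. All paths below are assumptions.
rem Usage: volscript-example.bat <path-to-memory-dump> <name-of-report>

if "%~2"=="" (
    echo Usage: %~nx0 ^<path-to-memory-dump^> ^<name-of-report^>
    exit /b 1
)
if not exist "%~1" (
    echo Memory dump not found: %~1
    exit /b 1
)

rem Interpreter, Volatility location and case root (adjust to your install).
set "PYTHON=C:\Python27\python.exe"
set "VOLDIR=C:\Forensics\vol\vol1.4\vol.py-1.4_rc1"
set "CASEROOT=C:\Forensics\Training\Images\mem"
set "PROFILE=WinXPSP2x86"

rem yyyymmdd taken from WMI so the folder name does not depend on the
rem regional date format (assumption: wmic is available on the workstation).
for /f "tokens=2 delims==" %%I in ('wmic os get LocalDateTime /value 2^>nul') do set "NOW=%%I"
if not defined NOW (
    echo Could not read the clock via wmic
    exit /b 1
)
set "TODAY=%NOW:~0,8%"

set "CASEDIR=%CASEROOT%\%TODAY%"
set "DUMPDIR=%CASEDIR%\dumps"
if not exist "%DUMPDIR%" mkdir "%DUMPDIR%"

set "IMAGE=%~f1"
set "REPORT=%CASEDIR%\%~2.txt"

rem Report header: which image this belongs to, when it was produced and
rem its hash, so the report can be tied back to the evidence file later
rem (assumption: certutil -hashfile is available on this Windows version).
> "%REPORT%" echo Volatility report for %IMAGE%
>> "%REPORT%" echo Generated: %NOW:~0,14%
>> "%REPORT%" certutil -hashfile "%IMAGE%" MD5

rem Plugins to run, in order. malfind comes from malware.py and also writes
rem the suspicious memory sections it finds into the dumps directory.
set "PLUGINS=pslist psscan dlllist modules ssdt connections connscan sockscan malfind"

for %%P in (%PLUGINS%) do (
    echo Running %%P ...
    >> "%REPORT%" echo.
    >> "%REPORT%" echo ===== %%P =====
    if "%%P"=="malfind" (
        "%PYTHON%" "%VOLDIR%\vol.py" -f "%IMAGE%" --profile=%PROFILE% malfind -D "%DUMPDIR%" >> "%REPORT%" 2>&1
    ) else (
        "%PYTHON%" "%VOLDIR%\vol.py" -f "%IMAGE%" --profile=%PROFILE% %%P >> "%REPORT%" 2>&1
    )
)

echo Report written to %REPORT%
endlocal
```

<div>
Run it from the Volatility directory as <b>volscript-example.bat "C:\path with spaces\image.vmem" casename</b>. Plugin stderr is captured into the report as well, so a plugin that fails (wrong profile, unsupported image) leaves its error under that plugin's header instead of silently producing an empty section, and the hash line at the top lets you confirm later that the report was generated from the image you think it was.</div>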
<div>
<br /></div>
<div>
That was the easy part; the hard part comes with analysing the report and identifying whether the machine is compromised in some way.</div>
<div>
<br /></div>
<div>
Over the coming weeks I will provide more posts on analysing the output from the images hosted at Michael Hale Ligh's site:<span class="Apple-style-span"> <span class="Apple-style-span"><a href="http://code.google.com/p/malwarecookbook/">http://code.google.com/p/malwarecookbook/</a></span></span></div>
<div>
<br /></div>
<div>
In my opinion the Malware Analyst's Cookbook has to be considered the de facto standard when it comes to analysing malware and memory analysis; simply put, you have to buy this book.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
I'll periodically post updates to the script.<br />
<br />
The script can be found <a href="https://docs.google.com/leaf?id=0Bz2rZ4S-yK8AMDE5ODhhMzEtOGNhMS00N2U3LWEyMzYtNjFkNTFmMjc4ZTZi&hl=en_US">here</a>; just rename the file to .bat. There is also a sample report taken from the Zeus sample on the Malware Cookbook site.<br />
<br />
---Update 13/03/2012---<br />
Added naft by Didier Stevens (<a href="http://blog.didierstevens.com/2012/03/12/naft-release/">http://blog.didierstevens.com/2012/03/12/naft-release/</a>) to automate dumping network traffic as part of the automated script.<br />
<br />
Just download all the files and put naft-gfe.py in the same directory as vol.py and volscript; remember to add naft_pfef and naft_uf to C:\Python27\Lib.<br />
<br />
Once the pcap file has been created you can use NetWitness, Netminer or Wireshark to analyse the file.<br />
<br /></div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="font-size: medium;"><b>Security Podcasts</b></span> (2007-04-02)</div>
<div>
The following is a list of security podcasts I love to listen to:<br />Cyberspeak<br />PaulDotCom Security Weekly<br />Martin McKeay's Network Security Podcast<br />SploitCast<br />Hak5</div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="font-size: medium;"><b>Must Reading</b></span> (2006-08-17)</div>
<div>
Posts you just have to read if you are interested in computer/network security or digital forensics.<br /><br />http://www.realdigitalforensics.com/<br />http://taosecurity.blogspot.com/<br />http://windowsir.blogspot.com/</div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="font-size: medium;"><b>First Blog</b></span> (2006-08-17)</div>
<div>
Well, a big hello to all those viewers (if any!!).<br /><br />First and foremost, this blog will be a collection of any news stories or interesting sites that I visit.<br /><br />The blog will serve as a clearer bookmarking service so I can add more context to why I visited a particular article/site.</div>