Question: Can you create two files with the same name in a Windows directory?
Answer:
http://blogs.technet.com/b/mmpc/archive/2011/08/10/can-we-believe-our-eyes.aspx
Not sure how many of you remember the right to left override trick that was found a few months back. Here is another play on that type of bypass. Very interesting.
Thursday, August 18, 2011
Tuesday, August 16, 2011
To APT or not?
McAfee recently discovered a widespread series of exploits that they are calling Operation Shady Rat (http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat). This exploit compromised 72 companies around the world and seemed to lead back to China. McAfee concluded that this attack was an Advanced Persistant Threat or APT, other security Vendors such as Sophos claimed that this attack was not an APT becuase the malware was not sophisticated. As a result, I wanted to take the time to discuss this type of attack and get away from some of the marketing terms.
What is an APT? APT is the term used to describe an attack carried out over a fairly significant time, that is meant to gain a foothold deep into an organization's systems, staying in the network for a long period of time undetected, usually with the goal of collecting intelligence information such as troop movements in the case of an attack carried out against the government or intellectual property in the case of an atack carried out against a corporation. The main difference between an attacker that is considered an APT is that they are persistent and have resources such as a government or major corporation backing them.
Second, an APT is not a piece of malware, even though some seurity vendors would have you believe that for the sake of selling a product. For example FireEye claims they can stop APT's (http://www.fireeye.com/products-and-solutions/), really? Don't ge me wrong, I love the FireEye malware analysis product and I am not just picking on them as there are several others that advertise the same, but really do you expect me to believe you can shutdown hackers backed by a large government or the Russian Mafia on all attack vectors? Now, yes you maybe able to find the malware that is being planted, but that is only one part of the attack and even if you stop that piece of malware, the attackers will be back, they are persistent after all.
Ultimately what I want get across here is that, an APT is the attack as a whole, including; the attackers, the attackers' motives, and the methods used to compromise the network (it could be malware, or maybe a misconfigured server, etc.). An APT attack could be carried out by a group of attackers using something as old as Back Orifice, or by using no malware at all. To protect against APT's you, will need mroe than a product that claims to protect against APT's, you will need multiple products and you will also need people analyizing logs and network behavior for things that your tools missed.
What is an APT? APT is the term used to describe an attack carried out over a fairly significant time, that is meant to gain a foothold deep into an organization's systems, staying in the network for a long period of time undetected, usually with the goal of collecting intelligence information such as troop movements in the case of an attack carried out against the government or intellectual property in the case of an atack carried out against a corporation. The main difference between an attacker that is considered an APT is that they are persistent and have resources such as a government or major corporation backing them.
Second, an APT is not a piece of malware, even though some seurity vendors would have you believe that for the sake of selling a product. For example FireEye claims they can stop APT's (http://www.fireeye.com/products-and-solutions/), really? Don't ge me wrong, I love the FireEye malware analysis product and I am not just picking on them as there are several others that advertise the same, but really do you expect me to believe you can shutdown hackers backed by a large government or the Russian Mafia on all attack vectors? Now, yes you maybe able to find the malware that is being planted, but that is only one part of the attack and even if you stop that piece of malware, the attackers will be back, they are persistent after all.
Ultimately what I want get across here is that, an APT is the attack as a whole, including; the attackers, the attackers' motives, and the methods used to compromise the network (it could be malware, or maybe a misconfigured server, etc.). An APT attack could be carried out by a group of attackers using something as old as Back Orifice, or by using no malware at all. To protect against APT's you, will need mroe than a product that claims to protect against APT's, you will need multiple products and you will also need people analyizing logs and network behavior for things that your tools missed.
NoVAH Hackers Talk
I would like to thank everyone at NoVAH hackers for having me tonight. I had a great time and learned some good things.
For those who couldn't make it, or those that were there and want the slides, I am adding them here. If you have any questions, don't hesitate to ask. I have some good links coming this week as well. Stay tuned.
Also guys, don't forget, if you want us to analyze a sample and post the steps, send it on! We generally try to find samples that are good learning samples. I have one that I'm sitting on now, but that's for another talk. I will release it then :)
Get the talk here: Curt NoVAH Talk 8-15-2011
For those who couldn't make it, or those that were there and want the slides, I am adding them here. If you have any questions, don't hesitate to ask. I have some good links coming this week as well. Stay tuned.
Also guys, don't forget, if you want us to analyze a sample and post the steps, send it on! We generally try to find samples that are good learning samples. I have one that I'm sitting on now, but that's for another talk. I will release it then :)
Get the talk here: Curt NoVAH Talk 8-15-2011
Thursday, August 11, 2011
SANS Malware Analysis Challenge
I am working on a talk to present at NoVA Hackers August meeting. I will be posting the slides and a link to the video on the blog once the talk is complete. The subject is on how to utilize Indicators of Compromise (IOCs) found during malware analysis to find and fix infected machines and to protect others. If you are in the NoVA area stop by and check it out. The details can be found here:
http://novahackers.blogspot.com/
In the mean time, to keep your malware analysis learning going, check out the latest SANS Malware Analysis Challenge.
http://computer-forensics.sans.org/blog/2011/08/10/malware-analysis-challenge-to-strengthen-your-skills
http://novahackers.blogspot.com/
In the mean time, to keep your malware analysis learning going, check out the latest SANS Malware Analysis Challenge.
http://computer-forensics.sans.org/blog/2011/08/10/malware-analysis-challenge-to-strengthen-your-skills
Saturday, July 2, 2011
Changing the Blog format
We have found, as many probably have that venture into blogging, that it can be hard to keep up with new posts. With that in mind, we have decided to change the way we are doing things. We will still be submitting step by step examples of malware analysis when possible. To keep posting moving in our busy schedules, we are also going to add posts about new malware trends, how to for tools that are either existing or new, how to protect or detect malware in the enterprise etc.
We are also looking for some volunteers. If you are interested in helping out with the blog, or if there is anything you would like to see us write about, please send an email to inetopenurla[at}gmail(dot)com.
The static portion of the latest sample should be coming any day. Stay tuned. And thanks for viewing!
We are also looking for some volunteers. If you are interested in helping out with the blog, or if there is anything you would like to see us write about, please send an email to inetopenurla[at}gmail(dot)com.
The static portion of the latest sample should be coming any day. Stay tuned. And thanks for viewing!
Saturday, May 21, 2011
Analysis of facebookmessenger malware
In this latest analysis, I will be analyzing a recent piece of malware called the facebook messenger. This piece of malware has received some recent press, which to me makes it even more interesting to evaluate.
I started the analysis of this sample in my XP analysis VM. I began once again by taking a snapshot of the VM and a baseline using Regshot. I then started up Process Hacker and Capture Bat. Process Hacker is similar to Process Explorer but includes a few more advanced features, such as the ability to suspend a process and the ability to look into the memory of the process to see DLL's in use, what file handles are open, and basic network information very similar to TCP View. I will not cover how to run capture bat or take a snapshot as we have covered these items before.
Right away one of the interesting things here is that facebook messenger is less than 100k, yet after being run, it uses well over 20 Mb of RAM. Very Interesting!
What this interesting behavior tells us is that Facebook Messenger is relying on mostly built in Windows functions and DLL's for its capabilities. This a tactic used to make the malware more difficult to detect, as it is using legitimate libraries.
Next I went to the network tab and noticed facebook messenger opening a connection to smtp.mail.ru. At first this would seem to be a standard SMTP communication except that it is connecting to TCP port 8080 which is a standard web proxy or web server port. Using this port is most likely done to allow the malware to bypass firewalls that would normally block non-standard ports. Process hacker also indicated that facebook messenger was sending a TCP SYN, meaning it is expecting a live connection and response. Since the sample could not connect to it's server, the process went into a wait state using a UDP port.
Since I wanted to find out more, I moved on to my Regshot and Capture Bat Analysis. The Capture bat analysis didn't show much of interest, it seems that the activity of this specimen primarily takes place in memory. During this process I tried to terminate the process several times, with task manager which did not work. It's a good thing I have Process Hacker. Process Hacker has an arsenal of ways to terminate processes in Windows, chances are that if you run into process termination protection, that Process Hacker can bypass it.
Interestingly, Facebook Messenger made very few registry changes, this is most likely due to the fact that it is really jsut calling other windows libraries. The changes it made were designed to set facebookmessenger to autrun on bootup.
Next I went back to process hacker and looked at the strings in memory. I found a few interesting things such as what appears to be non-random obfuscated text.
Since this line of questioning was not getting as far as I wanted, I decided to load up REMNux and the HoneyD honeypot to see if I could complete the connection and see what the facebook messenger is sending to smtp.mail.ru.
To get the sample to redirct its traffic to my honeypot, I edited the hosts file (c:\windows\system32\drivers\etc\hosts) to redirect smtp.mail.ru to 192.168.40.120.
The screenshot below shows what I captured with Wireshark.
In this case I am really interested in what this malware is doing, so I will move on to some Brain Surgery/Static Analysis to determine what this malware is doing. Look for my next post in the next couple of weeks (Hopefully!)
I started the analysis of this sample in my XP analysis VM. I began once again by taking a snapshot of the VM and a baseline using Regshot. I then started up Process Hacker and Capture Bat. Process Hacker is similar to Process Explorer but includes a few more advanced features, such as the ability to suspend a process and the ability to look into the memory of the process to see DLL's in use, what file handles are open, and basic network information very similar to TCP View. I will not cover how to run capture bat or take a snapshot as we have covered these items before.
Right away one of the interesting things here is that facebook messenger is less than 100k, yet after being run, it uses well over 20 Mb of RAM. Very Interesting!
What this interesting behavior tells us is that Facebook Messenger is relying on mostly built in Windows functions and DLL's for its capabilities. This a tactic used to make the malware more difficult to detect, as it is using legitimate libraries.
Next I went to the network tab and noticed facebook messenger opening a connection to smtp.mail.ru. At first this would seem to be a standard SMTP communication except that it is connecting to TCP port 8080 which is a standard web proxy or web server port. Using this port is most likely done to allow the malware to bypass firewalls that would normally block non-standard ports. Process hacker also indicated that facebook messenger was sending a TCP SYN, meaning it is expecting a live connection and response. Since the sample could not connect to it's server, the process went into a wait state using a UDP port.
Since I wanted to find out more, I moved on to my Regshot and Capture Bat Analysis. The Capture bat analysis didn't show much of interest, it seems that the activity of this specimen primarily takes place in memory. During this process I tried to terminate the process several times, with task manager which did not work. It's a good thing I have Process Hacker. Process Hacker has an arsenal of ways to terminate processes in Windows, chances are that if you run into process termination protection, that Process Hacker can bypass it.
Interestingly, Facebook Messenger made very few registry changes, this is most likely due to the fact that it is really jsut calling other windows libraries. The changes it made were designed to set facebookmessenger to autrun on bootup.
Next I went back to process hacker and looked at the strings in memory. I found a few interesting things such as what appears to be non-random obfuscated text.
Since this line of questioning was not getting as far as I wanted, I decided to load up REMNux and the HoneyD honeypot to see if I could complete the connection and see what the facebook messenger is sending to smtp.mail.ru.
To get the sample to redirct its traffic to my honeypot, I edited the hosts file (c:\windows\system32\drivers\etc\hosts) to redirect smtp.mail.ru to 192.168.40.120.
The screenshot below shows what I captured with Wireshark.
Next I started Remnux and edited honeyd.conf to set Honeyd to listen to port 8080.
You can edit the honeyd.conf file using your favorite Nix text editor. After editing the .conf file, start honeyd using the command honeyd start
In this case I am really interested in what this malware is doing, so I will move on to some Brain Surgery/Static Analysis to determine what this malware is doing. Look for my next post in the next couple of weeks (Hopefully!)
Sunday, January 23, 2011
Sample Analysis 2: Dynamic Analysis
Based on demand, we are going to start posting samples that we analyze to offensivecomputing.net so everyone can download the sample even if the site or system that we grab it from has been taken down. You can navigate to that site and search for the MD5 hash of the file. We will include the information at the beginning of each post. You will need to create a free account with them to search for malware.
This month's sample can be retrieved here: 882ced9c6987b919fdbbbe5221cbfbe2
Filename: free-zoo-video.45262.exe
MD5: 882ced9c6987b919fdbbbe5221cbfbe2
This sample was an interesting one to analyze. I initially had some trouble trying to get this running in my dynamic lab environment. When I would open the executable, it would run for about 30 seconds and it appeared to just die.
I started Regshot on a clean snapshot in my VMWare environment. I ran the executable file and let it run for about a minute. After that, I took our second snapshot in Regshot to see what changed. This must have been the cleanest result I have ever seen from the output of Regshot.
I thought to myself, either this file isn't being run from where it needs to be run from, or it knows it's being analyzed. My initial instinct is to jump into static analysis and figure this out, but alas, I'm on dynamic duty this time so I'm going to try a different method.
I ran the file again while watching the process with Process Monitor. I was trying to get a feel for things it might be looking for or wanting. It seemed to read a ton of registry keys. Some of them were related to winsock and TCP/IP parameters. I thought to myself, maybe this thing wants some network connectivity.
I configured my lab host to go out to the real Internet. I will caution you here to make sure this is controlled. Some analysts will even recommend against this but I have found it can reveal things when having trouble with a sample such as this. If you do this make sure you have complete control over the access it has and have the ability to remove it's access should anything bad start to happen.
Ahh, looks like we are getting closer. After providing this thing some network connectivity it attempted to do more. Unfortunately it crashed pretty quick after execution.
Did I mention this sample was a real pain? I resorted to removing VMWare tools from my lab machine in order to see if it realized it was being analyzed. This is fine because I can always revert back to snapshot to get the tools back. That's the beauty of virtual environments! After rebooting I double clicked the file again and bingo. Looks like we are running now.
I ran Regshot again for the first shot. Seeing how this sample seems pretty aware of stuff, I didn't want to keep it running in case it realized I was using it. So instead of keeping Regshot running, I choose to take the first shot and save. I can stake a second shot if it runs and compare it with the loaded first shot.
After about 30 seconds I got a Java pop up which can be seen the screen shot below:
I decided to open Process Explorer and see what is going on. I noticed that I now have three new processes running. Mt2.exe, MVawia.exe and Mt1.exe. These are showing in fuchsia color in Process explorer, which by default means they are packed. Another interesting note is that it says Adobe Player Setup. I don't have automatic updates going so that is indeed interesting.
I started by taking a look at Mt2.exe. I looked on the strings tab and it shows UPX0 and UPX1 near the top. This would be a good indicator that this binary is packed with UPX. It could be there to throw us off, but it could be legit as well. I didn't see any TCP/IP connections from this binary so I decided to move on to the next new process.
Moving on to Mvawia.exe. Viewing the strings tab on this guy I also see UPX0 and UPX1. We can assume that this sample is packed as well. One thing different about this one was the existence of TCP/IP connections. It added and removed a ton of connections, this thing is busy.
I now took a look at Mt1.exe. Like the others, the strings of this file show UPX0 and UPX1 as well. There were no network connections on this file either. I also wanted to mention that one nice feature of Process Explorer is that when you are on the Strings tab, you can choose to view the strings from Image (on disk) or in memory. When the sample is run in memory, it has to be unpacked, so if you choose that option, you will often find more strings that are readable which may give you more clues as to what this thing is doing or capable of. Another thing that was interesting is that there was a child process to this one called ctfmon.exe.
Ctfmon.exe is a real Windows application. It is generally used to monitor active windows and assist functions for alternate input devices such as text to speech or others. The odd thing here is that it is running as a child process of these rather than then ctfmon.exe which is generally a child of explorer.exe.
While I was writing this section and letting the processes run, I noticed a command line pop up for a second and disappear. I also noticed that a new child process of one of these binaries was the Windows help center. Unfortunately my egress filtering (which I forgot to turn off while giving this sample access to the Internet) stopped whatever it was going to do. I quickly shut that off and decided to let it run a little longer and see if it would happen again.
As if on command after I wrote that last sentence, an IE windows popped up taking me to www.restasis.com, an ad for a Prescription Eye Drops for Dry Eyes. Soon after that the Restasis site popped up another window to show me their fancy new commercial, but oh no! I need the latest Adobe Flash to view it. OK, I'll bite.
I installed the Flash player, but I don't see any video! How rude! I closed the window out and decided to let things run on their own for a little longer. One thing I forgot to show is that the IE instance was loaded under an svchost.exe process rather than a child of explorer.exe. Another sign that we got something funky going on.
I let things run a bit longer and nothing was really happening. It could very well be that I was not waiting long enough. However, I decided I wanted to launch IE manually and see if anything changed there. Ahh! MSN wants me to install a new Adobe Flash player now. Before I could click to install, a popup from www.vuwl.com/pop.html came up. I choose to run the new Flash player and let IE run by itself for a bit.
Nothing seemed to be going on so I decided to do some light browsing and see if I see anything else that is odd. I browsed to www.google.com and nothing really seemed odd. I decided to try a bank site. I went to www.suntrust.com and this site wants me to run adobe flash player as well. I'll allow it. I may come back to this later and watch network traffic as I enter my, wink wink, real credentials.
I tried to go to another bank. I decided to Google for M&T bank. I click the link to go to their online banking page but I was redirected to glimpse.com which wanted me to run some Adobe Flash content.
I decided to try one more site before leaving. I navigated to bankofamerica.com and wouldn't ya know, I need to allow Flash content there as well.
At this time I decided to take my second snapshot with Regshot to see what has changed. I choose to load the 1st shot from my desktop where I saved it.
I then took my second shot and hit the compare button. The bad thing about browsing around while doing a regshot is that there is going to be a lot of noise in the file. We have some indicators in which to sift through the data for though.
At this time I think I have seen enough on the real internet. I'm going to fire up Lenny Zeltser's new distro REMnux to launch a sniffer and see what I can see on the wire. My current theory is that this is a click fraud or similar sample, but with the basic dynamic analysis that I'm doing, I can't tell if that is the only capability.
I set the IP address to of my Windows host to my host only networking in VMWare. I set the default gateway as my REMnux box which will be running fakeDNS to start as well as wireshark to see what this sample may be requesting. You start fakeDNS in REMnux by typing fakedns. This will prompt you for your sudo password which is malware for this distro.
You start wireshark in REMnux by typing wireshark. This will also prompt you for your sudo password as the alias is really sudo wireshark. Again, type malware. Go to the capture menu and choose start capture, or you can also hit control + E.
I see a ton of traffic already. The first DNS request I see is for alljplanet.com. Of course our fake DNS server gave up a good response and then I see a request on port 80. You will see a RST, ACK in the response though, because we are not listening to port 80.
I'm going to take a sidebar here for a second. Some may ask why didn't I just fire up DNS server, web server, mail server, IRC server etc. for the sample before I started my analysis. One thing I recently learned from a very, very wise man (Lenny Zeltser) in his SANS 610 course is to give the sample a little bit at a time. This way you can control what it is doing at a granular level and mold your lab as you progress in your analysis. I used to just throw the kitchen sink at samples, but then I would dread sifting through the data overload. Thus, I recommend and have started following this advise as it has allowed me to filter what I am seeing to more relevant data.
Back to the regularly scheduled program :)
I noticed in our fakeDNS responses a number of DNS queries.
I'm guessing at this point that we want port 80 traffic on these due to what I have seen thus far. What I'm going to do at this point is fire up a netcat listener to see if I can glean any information out of the requests. I know I could use Apache, or some other web server, but I'm going to start with netcat since it is so easy to use.
To do this, I bring up another xterm window and type sudo nc -l -p 80. This tells netcat to listen (-l) on port 80 (-p 80). This should show any request that comes to port 80. (Don't forget sudo! You need to use this because you are opening a privileged port and that needs root access)
We did get a successful capture of what was going on. As you can see in the following screen shot, we have HTTP Post to the site alljplanet.com. The data is not in clear text. Our next job would be to figure out what the data contains. Another interesting thing to note is that the user agent here is saying it's IE 6.0 when I am running IE 8.0 on my lab machine. It is also saying that the Windows version is Windows NT 5.0 which corresponds with Windows 2000, when I am running Windows 5.1 which is XP. These are all indicators of compromise (IOC), which could be use to search for or detect/block on in your systems and IDS/IPS devices.
At this point the requests seemed to have slow down a bit. I tried to kick start them by opening the browser and going to some of the sites that I tried when it had a live connection to the Internet to see if that would get things moving. It did not seem to help. I decided to let it run it's course.
After waiting for a bit, I decided to kill the netcat listener and start it again. One thing about the Linux netcat is that it tends to hang after one session. The Windows version allows for a -L which will continue to listen for other sessions.
It looks like the data in the post for every site is the same. My first guess is that application/x-www-form-urlencoded is encoding the values of what is being posted so I'd like to decode that to see if I can see what is being sent.
The interesting data that remains a mystery is the data= section of this POST. I attempted to decode this with base64, unicode, and urldecode methods but to no avail. At this point I think this could just be the API key that is used for tracking when ads are clicked.
I'm feeling stronger now that this sample is doing some sort of click fraud. I don't know all of the sites that are being called, but one interesting request made is for netflix.com which could be evidence of pretending to click an ad but it could be something else as well. Again, these requests aren't being seen on the Windows GUI while I am on it. The requests are coming from an IE instance that is running under svchost.exe rather than under explorer.exe process as it should be.
That is about all the time I can devote to this sample at this time. I'm pretty sure that it is a click fraud sample at least. As I mentioned before, it may have other capabilities, but I do not see evidence of these through dynamic analysis alone. I would probably revert to static analysis at this point, but that is Jamy's job this time. Check out his post and see what he found.
This month's sample can be retrieved here: 882ced9c6987b919fdbbbe5221cbfbe2
Filename: free-zoo-video.45262.exe
MD5: 882ced9c6987b919fdbbbe5221cbfbe2
This sample was an interesting one to analyze. I initially had some trouble trying to get this running in my dynamic lab environment. When I would open the executable, it would run for about 30 seconds and it appeared to just die.
I started Regshot on a clean snapshot in my VMWare environment. I ran the executable file and let it run for about a minute. After that, I took our second snapshot in Regshot to see what changed. This must have been the cleanest result I have ever seen from the output of Regshot.
I thought to myself, either this file isn't being run from where it needs to be run from, or it knows it's being analyzed. My initial instinct is to jump into static analysis and figure this out, but alas, I'm on dynamic duty this time so I'm going to try a different method.
I ran the file again while watching the process with Process Monitor. I was trying to get a feel for things it might be looking for or wanting. It seemed to read a ton of registry keys. Some of them were related to winsock and TCP/IP parameters. I thought to myself, maybe this thing wants some network connectivity.
I configured my lab host to go out to the real Internet. I will caution you here to make sure this is controlled. Some analysts will even recommend against this but I have found it can reveal things when having trouble with a sample such as this. If you do this make sure you have complete control over the access it has and have the ability to remove it's access should anything bad start to happen.
Ahh, looks like we are getting closer. After providing this thing some network connectivity it attempted to do more. Unfortunately it crashed pretty quick after execution.
Did I mention this sample was a real pain? I resorted to removing VMWare tools from my lab machine in order to see if it realized it was being analyzed. This is fine because I can always revert back to snapshot to get the tools back. That's the beauty of virtual environments! After rebooting I double clicked the file again and bingo. Looks like we are running now.
I ran Regshot again for the first shot. Seeing how this sample seems pretty aware of stuff, I didn't want to keep it running in case it realized I was using it. So instead of keeping Regshot running, I choose to take the first shot and save. I can stake a second shot if it runs and compare it with the loaded first shot.
After about 30 seconds I got a Java pop up which can be seen the screen shot below:
I decided to open Process Explorer and see what is going on. I noticed that I now have three new processes running. Mt2.exe, MVawia.exe and Mt1.exe. These are showing in fuchsia color in Process explorer, which by default means they are packed. Another interesting note is that it says Adobe Player Setup. I don't have automatic updates going so that is indeed interesting.
I started by taking a look at Mt2.exe. I looked on the strings tab and it shows UPX0 and UPX1 near the top. This would be a good indicator that this binary is packed with UPX. It could be there to throw us off, but it could be legit as well. I didn't see any TCP/IP connections from this binary so I decided to move on to the next new process.
Moving on to Mvawia.exe. Viewing the strings tab on this guy I also see UPX0 and UPX1. We can assume that this sample is packed as well. One thing different about this one was the existence of TCP/IP connections. It added and removed a ton of connections, this thing is busy.
I now took a look at Mt1.exe. Like the others, the strings of this file show UPX0 and UPX1 as well. There were no network connections on this file either. I also wanted to mention that one nice feature of Process Explorer is that when you are on the Strings tab, you can choose to view the strings from Image (on disk) or in memory. When the sample is run in memory, it has to be unpacked, so if you choose that option, you will often find more strings that are readable which may give you more clues as to what this thing is doing or capable of. Another thing that was interesting is that there was a child process to this one called ctfmon.exe.
Ctfmon.exe is a real Windows application. It is generally used to monitor active windows and assist functions for alternate input devices such as text to speech or others. The odd thing here is that it is running as a child process of these rather than then ctfmon.exe which is generally a child of explorer.exe.
While I was writing this section and letting the processes run, I noticed a command line pop up for a second and disappear. I also noticed that a new child process of one of these binaries was the Windows help center. Unfortunately my egress filtering (which I forgot to turn off while giving this sample access to the Internet) stopped whatever it was going to do. I quickly shut that off and decided to let it run a little longer and see if it would happen again.
As if on command after I wrote that last sentence, an IE windows popped up taking me to www.restasis.com, an ad for a Prescription Eye Drops for Dry Eyes. Soon after that the Restasis site popped up another window to show me their fancy new commercial, but oh no! I need the latest Adobe Flash to view it. OK, I'll bite.
I installed the Flash player, but I don't see any video! How rude! I closed the window out and decided to let things run on their own for a little longer. One thing I forgot to show is that the IE instance was loaded under an svchost.exe process rather than a child of explorer.exe. Another sign that we got something funky going on.
I let things run a bit longer and nothing was really happening. It could very well be that I was not waiting long enough. However, I decided I wanted to launch IE manually and see if anything changed there. Ahh! MSN wants me to install a new Adobe Flash player now. Before I could click to install, a popup from www.vuwl.com/pop.html came up. I choose to run the new Flash player and let IE run by itself for a bit.
Nothing seemed to be going on so I decided to do some light browsing and see if I see anything else that is odd. I browsed to www.google.com and nothing really seemed odd. I decided to try a bank site. I went to www.suntrust.com and this site wants me to run adobe flash player as well. I'll allow it. I may come back to this later and watch network traffic as I enter my, wink wink, real credentials.
I tried to go to another bank. I decided to Google for M&T bank. I click the link to go to their online banking page but I was redirected to glimpse.com which wanted me to run some Adobe Flash content.
I decided to try one more site before leaving. I navigated to bankofamerica.com and wouldn't ya know, I need to allow Flash content there as well.
At this time I decided to take my second snapshot with Regshot to see what has changed. I choose to load the 1st shot from my desktop where I saved it.
I then took my second shot and hit the compare button. The bad thing about browsing around while doing a regshot is that there is going to be a lot of noise in the file. We have some indicators in which to sift through the data for though.
At this time I think I have seen enough on the real internet. I'm going to fire up Lenny Zeltser's new distro REMnux to launch a sniffer and see what I can see on the wire. My current theory is that this is a click fraud or similar sample, but with the basic dynamic analysis that I'm doing, I can't tell if that is the only capability.
I set the IP address to of my Windows host to my host only networking in VMWare. I set the default gateway as my REMnux box which will be running fakeDNS to start as well as wireshark to see what this sample may be requesting. You start fakeDNS in REMnux by typing fakedns. This will prompt you for your sudo password which is malware for this distro.
You start wireshark in REMnux by typing wireshark. This will also prompt you for your sudo password as the alias is really sudo wireshark. Again, type malware. Go to the capture menu and choose start capture, or you can also hit control + E.
I see a ton of traffic already. The first DNS request I see is for alljplanet.com. Of course our fake DNS server gave up a good response and then I see a request on port 80. You will see a RST, ACK in the response though, because we are not listening to port 80.
I'm going to take a sidebar here for a second. Some may ask why didn't I just fire up DNS server, web server, mail server, IRC server etc. for the sample before I started my analysis. One thing I recently learned from a very, very wise man (Lenny Zeltser) in his SANS 610 course is to give the sample a little bit at a time. This way you can control what it is doing at a granular level and mold your lab as you progress in your analysis. I used to just throw the kitchen sink at samples, but then I would dread sifting through the data overload. Thus, I recommend and have started following this advise as it has allowed me to filter what I am seeing to more relevant data.
Back to the regularly scheduled program :)
I noticed in our fakeDNS responses a number of DNS queries.
I'm guessing at this point that we want port 80 traffic on these due to what I have seen thus far. What I'm going to do at this point is fire up a netcat listener to see if I can glean any information out of the requests. I know I could use Apache, or some other web server, but I'm going to start with netcat since it is so easy to use.
To do this, I bring up another xterm window and type sudo nc -l -p 80. This tells netcat to listen (-l) on port 80 (-p 80). This should show any request that comes to port 80. (Don't forget sudo! You need to use this because you are opening a privileged port and that needs root access)
We did get a successful capture of what was going on. As you can see in the following screen shot, we have HTTP Post to the site alljplanet.com. The data is not in clear text. Our next job would be to figure out what the data contains. Another interesting thing to note is that the user agent here is saying it's IE 6.0 when I am running IE 8.0 on my lab machine. It is also saying that the Windows version is Windows NT 5.0 which corresponds with Windows 2000, when I am running Windows 5.1 which is XP. These are all indicators of compromise (IOC), which could be use to search for or detect/block on in your systems and IDS/IPS devices.
At this point the requests seemed to have slow down a bit. I tried to kick start them by opening the browser and going to some of the sites that I tried when it had a live connection to the Internet to see if that would get things moving. It did not seem to help. I decided to let it run it's course.
After waiting for a bit, I decided to kill the netcat listener and start it again. One thing about the Linux netcat is that it tends to hang after one session. The Windows version allows for a -L which will continue to listen for other sessions.
It looks like the data in the post for every site is the same. My first guess is that application/x-www-form-urlencoded is encoding the values of what is being posted so I'd like to decode that to see if I can see what is being sent.
I'm feeling stronger now that this sample is doing some sort of click fraud. I don't know all of the sites that are being called, but one interesting request made is for netflix.com which could be evidence of pretending to click an ad but it could be something else as well. Again, these requests aren't being seen on the Windows GUI while I am on it. The requests are coming from an IE instance that is running under svchost.exe rather than under explorer.exe process as it should be.
That is about all the time I can devote to this sample at this time. I'm pretty sure that it is a click fraud sample at least. As I mentioned before, it may have other capabilities, but I do not see evidence of these through dynamic analysis alone. I would probably revert to static analysis at this point, but that is Jamy's job this time. Check out his post and see what he found.
Subscribe to:
Posts (Atom)