Thursday, December 22, 2011

Now With 23% More Memory! Grabbing Skype Data

I am on a roll finding cool new programs dealing with memory analysis. This one is Skypeex, and it is developed by Nick Furneaux. It deals with the same concept as the pdgmail tool I covered in my last post. You run strings against the memory dump and then run the Skypeex python script against the output to find remnants of Skype contacts and conversations.


So, as with the previous script (pdgmail), you first run strings, then run Skypeex against that output. Nick created versions that should run on Windows (if you have Python installed), Linux, and Mac OS X. There are two different scripts included for Windows/Linux; the one you use depends on the version of Python you are running. Go to the command line and run 'python -V' to see what you have. There is a helpful readme file as well.

To run Skypeex, simply type from the command line, 'python skypeex.py' -- it will then ask you for the location of the strings output you created earlier. From that the program creates two output files. From the readme:
The output is a CSV file with chats (incl headers) and a txt file with extracted skype sessions and 'carved chats'. Please expect many duplicates and some false positives.
It's a bit hard to show my results, just due to me being paranoid; however, I can tell you some things I saw:
  • Group chat windows and conversations
  • Contacts
  • IM (one on one) chat windows and conversations
So these two programs clearly show the value of memory dumps from a bit of a different perspective. This will probably not help in malware investigations (never say never though!), but from a law enforcement (LE) perspective this could make or break a case.

This is the last post of 2011--- everyone have a great New Year! I will be spending my holiday geocaching around London, what better way to get to know a new city? Enjoy!

Wednesday, December 21, 2011

More Memory Fun: Grabbing Gmail Data

Happy Holidays everyone! Hopefully everyone is still in a food coma, but I thought I'd do a quick blog before I go on leave-- a few days to explore my new city :)

Think that just because you run over HTTPS no one could ever see your emails? Well, think again. Behold again the power of memory, which actually stores portions of your Gmail unencrypted. I am not doing video today, as a lot of this is just waiting around... so please bear with the screenshots :)

So let's say you have a memory dump from your investigation, and you know this user uses Gmail a lot and you think maybe its contents could be integral to your investigation. Remember good ol' strings? Well, you can actually run strings against your memory dump, and then use a tool called pdgmail to extract Gmail artifacts. How to do this? Read on!
  • Filename: XP.vmem
  • Size: 500MB
Ok, first step is to run strings on this bad boy; depending on the size of your memory dump this could take a while (still quicker than a subpoena I would imagine).

So the parameter for strings is -q (quiet); you can use -o for offsets if you'd like, but it's not necessary.

Almost done! Now assuming you have Python installed, go ahead and fire up the pdgmail script, created by Jeff Bryner (read about his analysis and grab the code here). Jeff does a great job with commenting so even a programming n00b (such as myself) can follow along. Make sure you output to a file because this can be beastly!

The one required switch is -f, which is the strings output from your previous command. Other switches you can include are -b (ignore message bodies; apparently the search expressions for this can produce many false positives) and -v for verbose. The result? A file of about 100K with a decent amount of data in it... for the sake of my privacy (and my colleagues'), email addresses have been blacked out.


So as you can see, the tool parsed out quite a lot of info. A lot of those emails are in my address book-- I have not used them in ages... I moved from DC two years ago. I don't remember the last time I emailed Ed Skoudis (I think it was after BlackHat Federal). So, pretty thorough.

Same with e-mails, although they looked like emails from much more recent activity than the email addresses. As you can see, I am supposed to meet at the park at noon and wear one red shoe (does anyone get the reference?-- SHHH!!), subscribe to DailyCandy (yes I am a girl, I am intrigued by sample sales), I can never remember my Keynoir password, something about SecretCinema (which is awesome), and even though I live thousands of miles away... I still get email about happenings in Buffalo.

You can even put these into an Excel spreadsheet, which would seem useful for filtering.

So, once again showing how powerful memory can truly be. I tried this in XP while running IE; I will run a test with Mozilla and see if I get the same results.

UPDATE: It works a charm with Mozilla, and in Vista! I did notice that it does not contain the address book e-mails, but it does have e-mails from my inbox... if you scroll down the link I have for pdgmail someone else noticed this. Will have to do some research...
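The strings-then-carve idea behind both pdgmail (above) and Skypeex (previous post) in a few lines of Python, as an added example that is not code from either tool or from the post. It mimics `strings -o` (and also picks up UTF-16LE runs, which Windows programs use and plain strings misses), then carves mail addresses out of the result; the dump slice is constructed, and the mmap reader assumes a dump path you supply.

```python
import mmap
import re
from typing import Dict, List, Tuple

# Minimum run length, the same default that strings uses
MIN_LEN = 4
# Address pattern used to carve mail artifacts out of the recovered strings
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def extract_strings(data, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) pairs like `strings -o` would.

    Unlike plain strings, this also recovers UTF-16LE runs, which is how much
    Windows application memory (browser UI, Skype) stores its text.
    """
    ascii_run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in wide_run.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)


def carve_emails(strings: List[Tuple[int, str]]) -> Dict[str, int]:
    """Map each address found to the offset of the first string containing it."""
    hits: Dict[str, int] = {}
    for offset, text in strings:
        for m in EMAIL.finditer(text):
            hits.setdefault(m.group().lower(), offset)
    return hits


def carve_dump_file(path: str) -> Dict[str, int]:
    """Run the same pipeline over an image on disk via mmap (no 500 MB read())."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return carve_emails(extract_strings(mm))


# Constructed stand-in for a slice of a memory dump (not a real image):
SAMPLE_DUMP = (
    b"\x00\x01\x02\xff"                                   # binary noise
    + b"From: alice@example.com\r\n"                      # ASCII mail header remnant
    + b"\x00\x00"
    + "skype:bob.smith@example.org".encode("utf-16-le")  # wide string plain strings misses
    + b"\x00\x00\x7f\x80"
    + b"no@tld"                                           # printable, but not an address
    + b"\x00"
)

if __name__ == "__main__":
    for addr, off in sorted(carve_emails(extract_strings(SAMPLE_DUMP)).items()):
        print(f"{off:#010x} {addr}")
```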





PDF Analysis

So this video is all about PDF analysis. The tools I use in the video are:
  • Contagio: great place to go for sample malware
  • PDF Stream Dumper: A bunch of tools thrown together in one amazing program, did I mention it is free?
  • REMnux: A great RE tool by Lenny Zeltser. Has tools for PDF, JS, shellcode and much more. I was using INetSim in this demo to simulate network services so the malware had something to talk to.
  • CaptureBAT: Allows the collection of modified/created/deleted files and registry keys after clicking malware. Can also capture network traffic.
  • Process Explorer: SysInternals... enough said
Now I really do not go into explaining what a PDF is composed of in the video; I wanted to keep it to a reasonable time. So... consider this the 'fine print'... and it is a doooozy!

A PDF consists of objects which can be multiple things: numbers, strings, code, streams (compressed data), etc. Below is a screen shot to hopefully explain this a bit better:


Ok... so the left pane has all the Objects in this PDF, 14 in total. The pane on the right shows what is inside that object; these are called indirect objects, but I have seen it called header data too. You see how there are two numbers? The first one is the index number (the object you can find the data under) and the second is the version number. Version numbers can indicate previous or newer versions of the same object, and can be used by nefarious users to hide their code. The 'R' means Reference, so we can tell from this screenshot:
  • Object 1 references 3 additional objects
    • Pages (go to obj 2 for more information) 
    • OpenAction (go to obj 11 for more information)
    • AcroForm (go to obj 13 for more information)
Going to these objects may lead to references to additional objects; it can become a cat and mouse game, and given a lot of objects, it can be tedious to sort through.

Now what do these things mean? Well a quick run-down of items of interest:
  • Stream Objects: compressed/encoded data... you gotta decompress/decode to see what's inside
  • /Page: How many pages are in the document (if it's 0... watch out)
  • /JS -or- /Javascript: self-explanatory, watch out because this can be obfuscated
  • /AA /OpenAction -or- /Acroform: indicates an automatic action when the PDF is opened
  • /RichMedia: indicates the presence of Flash (another way to exploit the system)
So let's follow /OpenAction, which is in Object 11:


See what I mean? Another reference... this time to JavaScript, which is in object 12, which is the obfuscated code in the video.

Oh, and headers (indirect objects) themselves can be obfuscated. PDF Stream Dumper is nice and converts them for you, but right-click on an Object and select 'Show Raw Header' to see what I mean. Here is what object 1's indirect objects look like:

This is using hex to obfuscate the header data. #50 is equal to the ASCII symbol 'P', #61 is 'a', and so on. There are a ton of hex to ASCII converters. A good site for tons of string manipulation options is http://www.string-functions.com.
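As an added illustration (not code from the post or from PDF Stream Dumper), this Python decodes the #xx name escapes, pulls the 'n g R' references out of each header, walks them from the catalog the way the post does by hand, and reports which of the watch-list keys above appear only after decoding. The object headers are constructed to mirror the screenshot's layout and are not from the sample in the video.

```python
import re
from typing import Dict, List, Set

# '#xx' hex escape inside a PDF name token, e.g. /#50#61#67#65#73 is /Pages
HEX_ESCAPE = re.compile(r"#([0-9A-Fa-f]{2})")
# A name token: '/' followed by regular characters (no whitespace or delimiters)
NAME = re.compile(r"/([^\s/<>\[\]()\{\}%]*)")
# An indirect reference: "<object number> <generation> R"
REF = re.compile(r"(\d+)\s+(\d+)\s+R\b")
# Keys the post lists as items of interest when triaging a PDF
SUSPICIOUS = {"JS", "JavaScript", "AA", "OpenAction", "AcroForm", "RichMedia"}


def decode_name(raw: str) -> str:
    """Undo #xx escapes ('#50' -> 'P', '#61' -> 'a', ...)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)


def normalize(header: str) -> str:
    """Rewrite every name in an object header with its escapes decoded."""
    return NAME.sub(lambda m: "/" + decode_name(m.group(1)), header)


def references(header: str) -> List[int]:
    """Object numbers this header points at ('2 0 R' -> 2)."""
    return [int(num) for num, _gen in REF.findall(header)]


def suspicious_keys(header: str) -> Set[str]:
    """Which watch-list names appear once escapes are decoded."""
    return {decode_name(n) for n in NAME.findall(header)} & SUSPICIOUS


def follow(objects: Dict[int, str], start: int) -> List[int]:
    """Walk references depth-first from `start`; cycle-safe (Parent/Kids loop)."""
    order, stack, seen = [], [start], set()
    while stack:
        num = stack.pop()
        if num in seen or num not in objects:
            continue
        seen.add(num)
        order.append(num)
        for ref in reversed(references(objects[num])):  # lowest-numbered ref first
            stack.append(ref)
    return order


def triage(objects: Dict[int, str]) -> Dict[int, List[str]]:
    """Object number -> sorted watch-list keys, only for objects that have any."""
    hits = {}
    for num, header in objects.items():
        keys = suspicious_keys(header)
        if keys:
            hits[num] = sorted(keys)
    return hits


# Constructed object headers (not the sample from the video). Object 1 hides
# /Pages and /OpenAction behind hex escapes, as the raw header in the post does.
OBJECTS = {
    1: "<< /Type /Catalog /#50#61#67#65#73 2 0 R "
       "/#4F#70#65#6E#41#63#74#69#6F#6E 11 0 R /AcroForm 13 0 R >>",
    2: "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    3: "<< /Type /Page /Parent 2 0 R >>",
    11: "<< /Type /Action /S /JavaScript /JS 12 0 R >>",
    12: "<< /Length 40 /Filter /FlateDecode >>",
    13: "<< /Fields [] >>",
}

if __name__ == "__main__":
    print(normalize(OBJECTS[1]))
    print("visit order from catalog:", follow(OBJECTS, 1))
    print("watch-list hits:", triage(OBJECTS))
```

A plain text search for "/OpenAction" in the raw file misses object 1 here; only the decoded names expose it.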

Honestly, playing around and researching on the internet is the best way to figure this stuff out. Didier Stevens has some awesome tools, which are included in the REMnux image. The guys over at Sourcefire also did a post on PDF analysis using Didier Stevens' tools. Oh, and did I mention Mr. Stevens wrote a book about PDF analysis?! Best thing: it's free.

I would be remiss if I didn't reiterate watching the videos with PDF Stream Dumper too; no one knows the tool better than the guy who created it :) Watch, learn, play... enjoy

So without ado... this video:



Oh, and in my haste to finish the video I forgot to show the network data captured by CaptureBAT. Here is a screenshot of Wireshark with the file opened:


Ok, so the first thing we see is the DNS query for googlemail.proxydns.com. This was the TCP item we saw when we looked at the process with Process Explorer. My REMnux box, running dutifully as a DNS server, says the website is at 192.168.10.1 (my REMnux box again). The malware then connects to the web server and posts to a file on it, index.php. REMnux sends a dummy file, which the malware does not know what to do with... however, we now know the domain the malware beacons out to and can block it by name and IP. Or, as analysts, we go out there and see what is on that site :)

This is the Virustotal output for the PDF and the subsequent spoolsv file. Both bad.

What I am trying to say is that I barely scraped the surface of PDF analysis. It is always better in the long run to understand the structure of a file you are analyzing rather than depending on a tool to do it for you. This way, when something goes wrong, you have a better understanding of what is happening and potentially why. In a court of law, it does not look good as an expert witness if you say "Well your honor, you click this button and this pops out... I don't know how it arrives at that answer".

Never stop learning my friends :)
 






Monday, December 19, 2011

SANS Pen Testing Christmas Hacking Challenge

Ho ho ho! There is trouble a-hoof for poor Rudolph in Ed Skoudis and Tom Hessman's Christmas Hacking Challenge. Grab your favourite packet viewer (the file is small enough Wireshark works very well) and start tracing!

I think these exercises are wonderful-- a great (and fun) way to keep fresh on packet analysis. If anyone knows of any other fun exercises like this around the net please leave it in the comments. I am sure there are hundreds out there.

Now that I have most of my workstations set up (hooray!) I can get down to the fun videos. I hope to have one about PDF analysis before the holidays.

Bahumbug!





Thursday, December 15, 2011

Black Hat Abu Dhabi Recap


The 'front door'

As my first visit to the Middle East draws to a close-- I figure I would get down my thoughts on the talks presented at BH Abu Dhabi before the hustle and bustle of the holiday season. It's hard to think about Christmas when you are basking in beautiful 70 degree weather....

So the venue (the Emirates Palace) is absolutely amazing. It is just gigantic, and the staff will bend over backwards to get you what you need, be it AV cables or just more watermelon juice. The food was amazing beyond belief and very plentiful. I didn't miss pork too much :)

Anyways to the talks:
  • General Hayden was the keynote speaker. He discussed the ever hard to distinguish line between security and privacy in our digital world, and how US Government Agencies have now come to accept that they are hacked and now focus on managing egress outside the network. He also talked about the power of online communication, from both a good and a bad perspective.
    • I am not sure I agree with the whole 'accepting we are hacked' thing, as being a security person I find it utterly depressing. Although I do agree we need to be realistic, we can't just give up entirely on defending our perimeters and retreat further inside the network. Security in depth is so crucial here, and we need to begin worrying not only about traffic coming in, but about traffic going out. How do we detect exfil? How can we make traversal inside our network more difficult for our attacker? If our hacker friends pop one box that's a shame, but if they are not allowed vertical or horizontal traversal on the network it greatly limits the fruits of their labor. Why not have an IDS sitting within your network perimeter monitoring network traffic? Why would you allow desktops to have trust relationships with other desktops if it is not necessary? Just limit trust relationships to the servers they need access to, and closely monitor those. VLANs are also an idea here-- I know all of these have flaws but again it's the layered model approach to contain attackers and limit the information they can receive.
      (Photo: Traditional Arabic Food... amazing!)
    • Being both the former CIA and NSA director, I am pretty sure Gen Hayden knows a lot more about the reasoning for a lot of the topics he discussed, even touching on Stuxnet and CNA/CNE. Did you know most people think America is the most dangerous in terms of hacking (not China or Russia)? The opinion poll? Americans. That's kind of surreal.
  • Insulin Pump Hacks
    • Barnaby Jack of McAfee gave a talk about hardware hacking insulin pumps-- describing the steps that need to be done to gain access to the hardware and assembly code. Hint: it is not just plugging in a USB. Apparently insulin pumps have RF capabilities, and Barnaby was able to create an exploit which would reveal to him the unique serial number and then allow him to either dispense insulin or suspend the device completely, without any notification to the user; he then showed a demo of this. Dispensing too much insulin to a person can be lethal, so the implications become quite clear. It seems a la Jason Bourne, but given enough resources and dedication, Barnaby shows the threat is real. He then mentioned this could be patched via another vulnerability he found... great.
  • Framework Level Security Profiling & Monitor
    • Trustwave demo'd a framework for catching the subtle web hacks. In general many web hacks are easy to spot: you see them doing recon using some tool, traversing to the vulnerable page, uploading an exploit, and then heading off to retrieve their payload (in this case login credentials for users). However, what if they use Google for their reconnaissance, use different IPs to make it difficult to trace, and inject php's with fake data so it simply looks normal (and not like a password file getting larger and larger)? Their proof of concept framework FLSPM tries to address this issue.
  • WifiHacking
    • Vivek R. of SecurityTube fame also gave a 2 hour lecture on WiFi hacking. He mentioned how WPA Enterprise can actually be easier to hack if server names are not enumerated for the enterprise servers. If this is the case, the hacker simply needs a valid certificate to present to the users-- it doesn't matter what the server name is. No warnings or anything, as it met the criteria set by the system administrators. Oops.
    • Did you know you can use Windows 7 to be a wireless AP even when you yourself are on a wireless network as a client? This has been around for a while, just has not been highly publicized and discussed. What are the implications? Well besides being super convenient for the road warriors, it also has serious security implications. Windows does not inform you about this new AP (you can see it if you click on the network icon in the task bar-- but how many users do that?) NOR does it tell you when people connect to it. Rogue APs anyone? Can one create a PDF whose payload is a simple little batch file setting up this AP network? (at least you need admin privileges, but that's not a reassuring defense at all, especially if the carrier file is a malicious PDF which can probably gain admin rights anyways) 

So I leave you guys with the commands to make your Windows 7 box a wifi access point. Be sure you are running as admin when executing these commands.



As you see, I have set up my SSID and password in order to gain access to the network. Next you need to go in and enable internet sharing on your current network connection. When choosing the Home Networking Connection, select "Wireless Network Connection 2". Then, head over to the properties for Wireless Network Connection 2 and only enable IPv4 (or IPv6 depending on your device). Save this. Finally head back to your command line and enable the interface.


I have a screenshot of my iPhone showing my connection. Sweet. This is great when you are roaming, have an ethernet connection in a hotel but not wifi and you want to browse on your mobile devices... like me right now. To disable use the following.


Saturday, December 10, 2011

Heading Out and About

So I know I said I would post a video today... Sorry it is going to have to wait until tomorrow, still have no internets at the new flat. That should be resolved once I get back from Black Hat next week.

So a few updates: I am helping Christiaan (http://securitybananas.com/) teach MFIRE (malware forensics & incident response) at BH Abu Dhabi. Should make for an interesting time-- a bit nervous as this is one of my first teaching gigs. Hopefully all should go well!

Also I joined the Twittersphere (Tweetaverse?) and now trying to figure that all out. My name on Twitter is @Sk3tchymoos3. Come find me and say hello. It might not all be techie/security stuff... But also some nice photos of places I am at. You have been warned! :) Will definitely be tweeting at BH though so stay tuned!

I had a chance to go to a SANS@Night talk last night. The speaker was Bryce Galbraith (http://blog.layeredsec.com/), and he talked a lot about "The Power of One Click"-- which basically means that it takes one user clicking on ONE attachment/link to compromise your entire network. He talked about how free, open source tools, when in the right hands, can prove fatal to a company. Why worry about password complexity when Pass the Hash works? Or when there are online Rainbow Tables?

The answer to this is simple: Defense in Depth. I know that is a buzz term but it's true. A company needs to have layers of security and never depend on one thing (AV, firewall, IDS) to do the job. Also user education is key. Restricting admin rights is also critical.

Anyways, it was a great talk-- once I get to a laptop instead of my iPhone I will blog a bit more about the key points if people are interested.

Friday, December 09, 2011

Malware Detection Checklist

Sorry it's been a while-- been moving house and everything is a bit hectic (read: I hate unpacking). I have another video in the queue which should be released tomorrow. For now-- good ol' text :)

So recently Harlan Carvey posted something about a malware detection checklist. This would be something one would perform to try and determine if malware is resident on their system. You can see it on Google Docs and download it for your enjoyment. I may make something similar to provide to clients, who always seem to be asking "What should I do if I think I am infected?".

Some things I want to highlight on the checklist:
  • Check AV: This sounds slightly weird, checking to see what your computer blocked so you can see if something is still on your machine. However, gone are the days of simple one-stage droppers and here are the days of multiple stage droppers, obfuscated code, and redirects. Seeing what your AV has snagged could lead to clues as to what (potentially) could still be on your systems. HINT: if it says anything associated with a toolkit, then there probably is something still there. You can also use the timestamp of the file found by AV to look around for other files created in that timeframe with suspicious behavior.
  • MBR checks: Yes, malware can reside in the Master Boot Record, or store traces of itself in there to maintain persistence.
  • Registry Analysis: I cannot stress this enough. Reviewing the registry gives you a glimpse as to what malware is trying to do on your system. Is it hooking itself into SafeMode so even then it cannot be seen? Is it adding itself to the Run key so it keeps executing even after a reboot? Is it adding a nice little proxy so all your web traffic is being redirected? The Registry is a very confusing place... Microsoft has some excellent (I should hope so!) documentation on it, and if not there is always Google.
  • Internet History: Grab all the index.dat files. Yours, Administrators, LocalService, Default... you name it. Then go download IndexDatSpy. This shows you the websites visited for users (for IE), opened files (locally and remotely), and web queries. You will be amazed at what you can find there.
  • Temp directories: Another biggie amongst the list. This is the drop point for most malware; from here it skitters off to other areas of your hard drive. Look in here for strange executables, JAR files, and .tmp files. If you clean these regularly you have a bit less clutter to sift through, and it's generally a good security practice. Will a file not delete because it's in use? First off, don't panic; I had this and I traced it back to the screen recording software I use for making videos. Investigate-- and THEN take action (tea or IR).
A few things I would like to add:
  • Documents and Settings\%USER%\Application Data: Like the Temp files, malware tends to fester here. Again look for suspicious files (exe, bat, tmp, etc)
  • Network Connections: check and see what connections you have right now on your computer (netstat -ano), anything strange? Use robtex or something similar to look up information about IP addresses. Do you normally send SSL (port 443) traffic to Russia? Do you see some abnormally high process IDs (PIDs)? Might be an alarm bell.
    Best thing here is to push the output to another file, because you will be needing this for the next step:
    C:\>netstat -ano > networkconnections.txt
  • Processes: This shows you all processes running on your machine at the current moment. Can you link all the network connections to a process? Do you see any strange processes? Weird DLLs?
    C:\>tasklist /m > tasklist.txt
 I would also suggest grabbing a memory dump if possible (this can be done with FTK imager). This saves all the volatile information such as network connections, running processes, opened files, hooked dlls, etc which can then be analyzed later. Also, some rootkits hide themselves from system calls such as 'netstat', however these can be seen in memory (remember my Hacker Defender video?)
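Linking the two saved outputs by PID is exactly the "can you tie every connection to a process?" question above, so here is that check in Python as an added example (not from the post or from Harlan's checklist). It parses `netstat -ano` and `tasklist /m` output, attaches the owning image to each connection, and flags sockets with no visible owning process (the rootkit case the paragraph mentions) and established connections to addresses outside the LAN; both command outputs are constructed samples.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Address ranges treated as "inside" for the external-connection check (RFC 1918,
# loopback, link-local, ULA). Anything else is worth a second look.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
TASK_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")   # image, PID, module list


def parse_netstat(text: str) -> List[dict]:
    """Rows of `netstat -ano`; UDP rows have no State column, so the PID shifts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                     "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """PID -> (image name, loaded modules) from `tasklist /m` output."""
    tasks = {}
    for line in text.splitlines():
        m = TASK_LINE.match(line.strip())
        if m:   # header and '====' rows have no numeric PID column and are skipped
            tasks[int(m.group(2))] = (m.group(1), m.group(3).split(", "))
    return tasks


def is_local(host: str) -> bool:
    """True for private/loopback/link-local addresses; False for '*' or public ones."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def correlate(conns: List[dict], tasks: Dict[int, Tuple[str, List[str]]]) -> List[dict]:
    """Attach the owning image to each connection and flag what deserves a look."""
    findings = []
    for c in conns:
        host = c["remote"].rsplit(":", 1)[0]
        flags = []
        if c["pid"] not in tasks:
            flags.append("no-process")   # socket with no visible owner: hidden process?
        if c["state"] == "ESTABLISHED" and not is_local(host):
            flags.append("external")     # talking outside the LAN: where, and why?
        image = tasks.get(c["pid"], ("<none>", []))[0]
        findings.append({**c, "image": image, "flags": flags})
    return findings


def suspicious(findings: List[dict]) -> List[dict]:
    return [f for f in findings if f["flags"]]


# Constructed output in the layout of the two commands above (not a real capture)
NETSTAT_OUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.5:49723      203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.5:49801      198.51.100.7:8080      ESTABLISHED     7788
  UDP    0.0.0.0:500            *:*                                    1240
"""
TASKLIST_OUT = """\
Image Name                     PID Modules
========================= ======== ============================================
svchost.exe                    884 ntdll.dll, kernel32.dll, rpcrt4.dll
iexplore.exe                  4120 ntdll.dll, kernel32.dll, wininet.dll
lsass.exe                     1240 ntdll.dll, kernel32.dll
"""

if __name__ == "__main__":
    for f in suspicious(correlate(parse_netstat(NETSTAT_OUT), parse_tasklist(TASKLIST_OUT))):
        print(f["pid"], f["image"], f["proto"], f["remote"], ", ".join(f["flags"]))
```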

This checklist can be used by anyone investigating possible badness on a machine. It is good to have a process and methodology when one performs these things, and this is as good as any. Be sure though that you fit it to your site, and develop your own toolkit when responding to these. Are the Windows commands good for you, or would you rather use SysInternals? Use what you like-- as long as it works correctly. Put all the necessary tools on a thumb drive or CD (NEVER depend on commands on the suspected infected machine) which you can bring on-site for analysis.


 

Alternate Data Streams: A Blast from the Past... Still Going Strong


I was walking to Starbucks and....

You ever wonder the feeling you would have if you saw a unicorn? Something you always heard or read about but never actually saw in the wild? Well I (kinda) got that feeling yesterday when I was searching for Alternate Data Streams in a case I am working. Personally I think I would be more excited if I saw a unicorn... but I digress.

So what are Alternate Data Streams? Well, they were basically created for NTFS to deal with Apple file systems and the different ways they handle data. So if we think about the Master File Table, we know it's like a library pointing to all the files on your system. NOW, with NTFS, we can have multiple file attributes about our file (like a prequel). One of these attributes is $DATA, to which you can add additional data for the file or even point to another file to link the two.

Sound a tad confusing? You can read another explanation here by Dan Mares, or you can click to watch my amazing video. I think I say NPFS for the Apple filesystem, I meant HFS... sorry a bit late in the day here :)



I was actually trying to get AV (I have Microsoft Security Essentials on the VM) to trip on my ADS, and it did not take. I even tried it with an MD5 executable (which AVG did alert on my home system) and an XOR program. Antivirus products detect ADS in different ways-- so mileage may vary. I should also point out legitimate files can use ADS as well, so don't "Panic and Freak Out" if you see some. Investigate, only panic when necessary :)
Links to content mentioned in the video:
In other news... I am heading to Black Hat Abu Dhabi to assist in teaching MFIRE (Malware Forensics & Incident Response) as well as go to the presentations. It should be a good time... will try and post something about it post-con.

Another thing I am hoping to get involved with is Online DFIR Meetups. Do you get sad when you read Harlan Carvey's blog about the latest NOVA forensics meetup and just wish you could go to something similar? Well thanks to the power of this here internet (and Adobe Flash) you can! The next one is December 15th, and if I can determine what time 8pm EST is in Abu Dhabi and it's not unreasonable, I may just try to drop in. Harlan will actually be 'guest speaking' on Volume Shadow Copies, a topic I definitely want to get more educated on. Mike Wilkinson will also be speaking on 'Computers as an Alibi'... which I hope has the subtitle "How WoW Saved My Life".

In all seriousness they sound like good talks and if you are free on the 15th check it out.

I have also joined the twittersphere (tweetaverse?). This is on a trial run basis, so please be patient while I figure this all out. I hope to push out my blog updates too (yay for all of you upset with the new Google Reader layout). My twitter name? @sk3tchymoos3. I may tweet some non-techie things in here as well (esp with Santacon 2011 coming up) so be on the lookout!