Tuesday, October 30, 2012

Triage IR... Because Sometimes we WANT a Firehose

So yesterday we talked about a decent amount of goodies, but we definitely could have grabbed more. What, you ask? Well, here are some:

  • AutoRun Locations: Because malware likes to maintain persistence, it generally has a few favourite places to hide in order to do so.
  • Processes: List all processes running on the machine at that moment. If the box is not rootkit'ed (is that a word?) the offending process may show up here. Or... you see iexplore.exe running, but no Internet Explorer window... strange :)
  • Network Activity: Looking at the network connections happening right now on the machine (listening ports included).
  • Internet History: Just like it sounds, very useful if we think the user got hit by a drive-by download or they are doing some browsing they shouldn't be.
  • Services: Another favourite persistence spot, covered below.
OK-- a bit more detail on each:

AutoRun Locations
Not all malware is created equal. Some malware is trickier than others. Regardless of how APT a piece of malware is, it still needs to do two things: talk to something and maintain persistence. I am sure there is malware that has broken these two rules... but in general, 99% of the time, they hold true.

Now there are certain places (favourites, oldies but goodies) where malware likes to put itself in some form or another so it survives a reboot, or gets started when a certain program is executed (think internet browsing, mail, etc). Autoruns from Sysinternals (now Microsoft) covers a good portion of these locations. Just keep in mind it doesn't cover all of them (DLL hijacking, for example, is not something it enumerates).

Note: if you add the /accepteula switch when running the command-line Sysinternals tools, the EULA popup will not show up on the victim machine. Every little bit helps! (It does still record the acceptance under HKCU\Software\Sysinternals in the registry of the account you run as, so note it in your log as an artifact you created.)

We will be using the command-line version of Autoruns, aptly called autorunsc. There are a lot of switches you can use. I like to have the following:
-a displays all entries (you can specify individual categories as well)
-c output in CSV format
-v verify digital signatures (unsigned or unverifiable images deserve a second look)


Processes
If you look at your task manager right now (go ahead, I dare you) you will see a good number of applications running on your system. Now what happens if you saw evilProcess.exe running? You would PANIC and FREAK OUT, right? Malware is not always that nice and does not spell it out for you, but looking at the processes can help give you an indication of malicious activity, and of what spawned it (Parent Process IDs, or PPIDs).

I will use PsList, yet another amazing tool from Sysinternals (if I could, I would get a tattoo of a heart with the phrase 'sysinternals' because that's how much I love the suite of tools). Again, I recommend going to the tool's webpage to see all the parameters you can give it; here are a few goodies:
-t displays in 'tree' mode, a more visual representation of who spawned whom
-x (cannot be combined with -t, so this would be a separate command) displays thread and memory information as well

Network Activity
Why do you have a listening port on TCP port 6666? I don't know! You wouldn't know unless you A) checked what your network connections are and B) RESEARCHED. Of course, if your organization has a proxy, you would see a lot of traffic going there (and then you have to go grab the proxy logs!)

Now you could use netstat, but in the spirit of trying to keep from using local commands (a compromised box's own binaries may have been tampered with), we will use cports (CurrPorts) by NirSoft. It is a GUI tool but can also be driven from the command line. You can basically decide how you want the output file to be formatted (comma-delimited, tab-delimited, HTML, XML). I like CSV, so my output would be:
cports.exe /scomma (outputLocation)
Internet History
"I swear I did not click on the link to the bulldog eating the watermelon... I do not even access the internet..."
Looking at a user's browsing history can be a good method of finding out HOW the malware got on a system. This includes looking at browser cache as well as simply observing domains and IPs visited. Regardless of which browser was used, it's a bit difficult to look at these files in Notepad: IE keeps its history in a binary index.dat file and Firefox in a SQLite database. I will quickly cover IE and Mozilla.
Internet Explorer - Pasco
Pasco is a free tool from Foundstone (McAfee) for parsing the index.dat file into something a bit more legible. Its parameters are quite simple.

Usage:
pasco [options] <index.dat file>
-d Undelete activity records
-t Field delimiter (TAB by default)
Where are the index.dat files? Well, it depends which OS you are looking at. You can get a great list here. The command I ran for my XP machine was (the path contains spaces, so it has to be quoted):

pasco.exe "C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat" > (locationToSaveTheOutput)

Don't forget to grab the index.dat files under the other profiles too ('All Users', 'Default User', and the service accounts). Activity from code running under those accounts lands there instead of in the logged-on user's history.

Mozilla
Firefox stores its history in a SQLite database under a profile folder (the default profile's folder name ends in... default), so naturally we need a tool which can parse through it and return legible data. I recommend MozillaHistoryView from NirSoft. And YES, there is a command line available! Just like IE, these db files are located in different places depending on the OS. You can go to MozillaZine for a good list of locations.

Services
Remember how I said malware likes to maintain persistence? Well, malware can register itself as a service and set itself to autostart (or it creates a scheduled task which then starts the service). We will use a tool from (wait for it....) Sysinternals called PsService. The one parameter I would add is the 'config' switch, which also dumps the configuration of each service (how does it start, which binary does it run, and under which account?)

Just For Shens...
  • I grabbed the Temp folder for 'All Users' as well as the 'Administrator' user (who was logged on at the time). Malware likes to drop itself in the Temp folder (it's world readable/writeable by default). I may not find anything... but I'd rather have it before my admin wipes the box. (I did this using FTK Imager Lite.)
  • A student reminded me about DOSKEY for listing all the commands run while performing IR. This is SO useful if you are trying to remember all the switches you used, and sometimes you have many more tools in your arsenal that you are running. Right before I ran UnixDate (which I do at the start/end of my analysis) I ran the following:
doskey /HISTORY > E:\Output\CommandsRun.txt
This gave me the output of all the commands I ran in that session (command window). Pretty useful!
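Putting the collection steps above together into one script, as an added example (this is not the original post's script; the author did not publish one). It assumes the tool binaries sit next to the script on the response drive, that E:\Output is that drive (as in the doskey line above), and that the box is Windows XP with Administrator logged on, as in the post. The switches are the ones discussed above; the per-profile loop and the Temp listings are additions.

```batch
@echo off
REM triage.bat - added example, not the original post's script.
REM Runs the tools covered above from the folder this script lives in
REM (assumed: the response USB stick) and writes everything to OUT.
REM Assumptions: tool binaries sit beside this script, E:\Output is the
REM external drive, the box is Windows XP with Administrator logged on.
setlocal
set "TOOLS=%~dp0"
set "OUT=E:\Output\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"

REM Bound the collection window (the post uses UnixDate for this;
REM %DATE%/%TIME% are local time, so record the box's timezone too).
echo start %DATE% %TIME% > "%OUT%\collection_times.txt"

REM Autostart locations: all entries, CSV, signatures verified.
"%TOOLS%autorunsc.exe" /accepteula -a -c -v > "%OUT%\autoruns.csv"

REM Processes: tree (who spawned whom) and thread/memory detail.
REM -t and -x cannot be combined, hence two runs.
"%TOOLS%pslist.exe" /accepteula -t > "%OUT%\pslist_tree.txt"
"%TOOLS%pslist.exe" /accepteula -x > "%OUT%\pslist_detail.txt"

REM Network connections and listening ports, CSV.
"%TOOLS%cports.exe" /scomma "%OUT%\cports.csv"

REM Services with their configuration (start type, image path, account).
"%TOOLS%psservice.exe" /accepteula config > "%OUT%\services.txt"

REM IE history for the logged-on user and the other profiles. The paths
REM contain spaces, so every one of them is quoted; profiles without a
REM history file are skipped.
set "PROFILES=C:\Documents and Settings"
for %%U in (Administrator "All Users" "Default User" LocalService NetworkService) do (
    if exist "%PROFILES%\%%~U\Local Settings\History\History.IE5\index.dat" (
        "%TOOLS%pasco.exe" -d "%PROFILES%\%%~U\Local Settings\History\History.IE5\index.dat" > "%OUT%\ie_history_%%~U.txt"
    )
)

REM Temp folder listings with creation times (dir is a cmd built-in; the
REM post copies the folders themselves with FTK Imager Lite). C:\WINDOWS\Temp
REM is the system temp folder on XP.
dir /a /s /tc "%PROFILES%\Administrator\Local Settings\Temp" > "%OUT%\temp_administrator.txt"
dir /a /s /tc "C:\WINDOWS\Temp" > "%OUT%\temp_windows.txt"

echo end %DATE% %TIME% >> "%OUT%\collection_times.txt"
endlocal
```

Run it from an interactive prompt on the response drive, then run doskey /HISTORY from that same prompt as the post does: commands executed inside a batch file are not typed at the prompt, so they do not enter the console history, and the history is the only record of what you typed by hand before and after the script.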

So now we have a large chunk of data to parse through... Could I have grabbed more? Sure. Could I have scripted this? Absolutely! Will what we extracted be enough to find badness??

1 comment:

Bryan said...

Check out Kludge

https://github.com/Kvetch/Kludge/