Mining Ports for Malware

I recently wrote a script that runs croned and port scans all of our servers daily.  It saves the output and diffs it compared to the previous days and emails me as new ports open up.

I think this will be a good way to detect new services and potential malware infection, but what about machines that are already infected?

To fix that I wrote in a function that parses the output for known malware ports.  The only problem is that I cant find a definitive list of known malware ports.  Does anyone know of such a resource?

Loaded C:\WINNT\system32\KERNEL32.dll differs from file image

I have recently been updating my Windows Forensics First Responder script and have noticed a number of servers reporting the following when using Sysinternals/Microsoft’s listdlls.exe.

*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp:         Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000  0x102000  5.02.3790.4062  C:\WINNT\system32\KERNEL32.dll

Now I can think of lots of malicious reasons why this would be.  In fact I recently wrote on one of these reasons.   But I cant think of any legitimate reasons.

I’m not one to jump to conclusions without having evaluated all possibilities but my research is turning up almost nothing.

Can anyone think of a legitimate reason why windows would load kernel32.dll and then something alter it as its going into memory?

Thanks guys.

Take THAT IE Fan Boy

Bruce Schneier just posted an interesting article on his blog entitled “Interview with an Adware Developer“.

This article reinforces many of the things I have been telling people for a very long time, but for whatever reason never sinks in.

I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do—which means basically anything.

Aside from reinforcing that Internet Explorer is a poor choice to use for web browsing (unless you enjoy collecting and cleaning malware… you know, for practice), it also outlines an interesting new technique that I recently witnessed as I was cleaning a machine.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it. That’s fine until somebody goes and deletes the executable.

The next thing that Direct Revenue did—actually I should say what I did, because I was pretty heavily involved in this—was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive. If it was, great. If it wasn’t, [ the poller would ] install it.

During my live analysis of this machine I used the ms/sysinternals filemon program to watch for a bit and noticed explorer.exe doing something similar to what the author describes.

34139    6:32:11 PM    explorer.exe:2916    OPEN    C:\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA    NOT FOUND    Options: Open  Access: Read

The article explains how they will create a seemingly random named file (a hash of the mac address) and use that as the installer.  This one appears to be a variant on the technique that takes it a step further and uses hidden data streams (or alternate data streams). These are data streams that I had previously detected and removed.

The article also has an interesting point about evasion.

Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them. Once you do that, then of course the signature’s all messed up. [ We also shuffled ] a lot of the pointers within each actual function. It completely changed the shape of the executable.

In the virology and malware world this is known as polymorphism, and is a very effective technique for evading most anti-virus/spyware programs.

Now the truly frightening part mentions using interrupt handlers instead of executables and states that they decided not to do it.  Because the concept is written, someone will run with it.

There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.

What this all boils down to is that the malware authors once again have leap frogged the anti-virus industry.  Microsoft also needs to take a more proactive role in securing IE and Windows against these sorts of threats.

The days of recycling the old code as variants is over and its time that we prepare ourselves for a whole new world of malware threats.

More on Heartland

Dark Reading posted an article entitle “Report: Law Enforcement Closing In On Heartland Breach Perpetrator

“Many experts continue to speculate on why it took so long for Heartland to identify and disclose the breach. According to the Storefront Backtalk report, the payment processor revealed the breach was first discovered in late October or early November, whereas previous statements indicated that it was only in the fall. The company has had two outside forensics teams and the Secret Service working on the problem for more than two months, and yet the “sniffer” software used to collect the data was located only last week.”

If this turns out to be true, heads should roll.

Conn. Teacher Cleared of Felony Endangerment in Pop-Up Case

The case against Connecticut substitute teacher Julie Amero has finally
come to a close.  Prosecutors dropped the felony charges against her,
but the agreement called for a guilty plea to a misdemeanor charge of
disorderly conduct and surrender of her state teaching credential.
Amero had previously been convicted of endangering minors and faced 40
years in prison.  Prosecutors alleged that in 2004 she had surfed to
dubious websites that displayed pornographic pop-ups on a computer in
the classroom; when security specialists caught wind of the case, they
pushed to examine the computer in question and found that the school
district had inadequate anti-malware protection on that computer and the
pop-ups were not Amero’s fault.

This is easily one of the most frustrating InfoSec stories of recent years.  In case you are unaware, some poor substitute teacher in Conn was using a computer in a classroom when a flood of pornographic pop-ups (induced by malware) came on the screen.  She found herself in court facing Child Endangerment charges and up to 40 years in prison.

This highlights how scary our legal system can get.  If you have no idea what a case is about do not try to render a verdict.  Defer it to another judge, a jury or call in some experts.  For gods sake, don’t sentence someone for not doing anything wrong.

Building a Forensics Computer

Forensics ComputerAt work it is fairly common for hard drives to die, machines to become infected with a virus, trojan or worm and the occasional compromise. It just happens when you have so many machines; the odds are against you.

For this reason I wanted to build a machine specifically for forensics purposes, similar to the Forensic Recovery of Evidence Device (FRED) systems put out by Digital Intelligence.

The first time I saw the FRED it just made sense.

  • Empty removable drive bays for the drive you want to image, analyze or restore.
  • Conveniently accessible ports for every imaginable type of peripheral.
  • A large storage disk for storing images of drives, case files and VMWare images, etc.
  • And of course, load it with every imaginable forensic and security tool you could ever need.

Here are the parts and reason for their selection:

Multi-function Panel
I used the SunBeamTech 20-in-1 5.25 Multi-function Panel. This little unit is awesome! It occupies one 5.25″ drive slot and contains USB, Firewire, SATA, Composite Video, Audio Jacks, a -TON- of card readers, two internal thermometers that display their respective temperatures on an LCD display on the front and two fan speeds controllers. This unit has a LOT of cables that really clutter up the interior of the computer. If your totally anal you may be able to zip and twist tie them up, but man; it is a LOT of cables.

5.25″ Storage Drawer
I use this to store adapters screws for the drive trays. As well as a couple of my commonly used adapters; the 2.5″ Laptop hard drive to 3.5″ IDE hard drive converter and the dual PS2 to USB.

Hardware Write Blocker

If you want your evidence to be admissible in court a write blocker is going to be a necessity. This ensures that the data isn’t altered in anyway (inadvertently or otherwise) during your investigation. I went with the MyKey NoWrite FPU. It comes recommended from the forensic’s community and is accredited for forensic investigation. It also supports both IDE and SATA and is relative inexpensive compared to other write blockers.

Removable Drive Bays

I have 3 SATA and 2 IDE. These particular removable drive bays have built in silent fans, with a nice digital temperature readout.

10 Bay ATX Case

I went with the Aerocool Masstige, mainly because it had all of the 5.25″ bays I needed in a mid-tower-ish size. Anything else with that many bays was a beast of a full-tower. It also turned out to be a strange coincidence that this case looks strikingly similar to the one used on the FRED.

Power Supply

You’re going to need a great deal of juice to power all of these drives and devices. I went with a 500w PSU.

SATA Controller Card

I used a generic PCI IDE/SATA combo. Anything will do.

FireWire/USB Controller Card
Once again, I purchased a generic PCI card for this purpose. The one I got has one firewire and one usb port on the inside. On the outside it has 2 firewire and 4 usb ports. In my case, most of those ports were taken up by my multifunction panel.

Motherboard
Be sure to use a modern motherboard with about 4+ PCI slots. These will fill quick as you add device capabilities.

RAM
The more RAM the better. If you plan on doing viral research or virtual honey nets you will want to run VMWare. The more virtual machines you have running the more RAM you need.

Hard Drive(s)
Drive images, case files, evidence collection bin; you will be using the storage on this machine for many many purposes. It would be best to run a large RAID5 array in addition to your boot drive. Your array will be fairly static as far as physical drive additions and subtractions so its not necessary for it to be in removable drive bays, however keeping your OS drive in the bays is a good idea so you can switch OS by swapping in a new drive.

Once you put all of these pieces together you will have a very useful multipurpose machine. You will find that it will come in handy for so much more than forensic analysis.

The software I chose to install and why, will be outlined in a later article.