THE HONEYNET PROJECT
Forensic Challenge 2010
Challenge 3: Banking Troubles (difficult)
Submission Template

Submit your solution at http://www.honeynet.org/challenge2010/ by 17:00 EST, Sunday, April 18th 2010. Results will be released on Wednesday, May 5th 2010.

Name (required): Carl Pulley
Country (optional): UK
Email (required): [email protected]

The work is licensed under a Creative Commons License. Copyright The Honeynet Project, 2010.

Question 1. List the processes that were running on the victim's machine. Which process was most likely responsible for the initial exploit? (Possible Points: 2pts)
Tools Used: Volatility (see http://github.com/carlpulley/volatility for the precise Volatility environment used throughout this report)

Answer 1.
Using Volatility's pslist[13] we can list the processes that were running when the memory image was collected; psscan2[13] lists the _EPROCESS objects present in memory, including any that were terminated or unlinked from the process list. Merging the output of these two plugins gives us the start of a timeline[55].

Adding the active and carved network connections (see connections[15] and connscan2[15] in the appendices) enriches the timeline[55] with connection data. From this we can determine that:

- Pid 4 (System) has an active connection with 192.168.0.1 on port 30380. This is unusual for the System process.
- Pid 0 has what appears to be a connection object with 80.206.204.129 on port 0 (whois reports an Italian address and a Google search turns up nothing untoward); the connection was not active when the memory image was taken. This is unusual for Pid 0.
- Pid 1244 (svchost.exe) has two active connections with 192.168.0.1 on ports 30379 and 30380. This process is deemed suspicious because of its association with 192.168.0.1 (cf. tainting).
- Pid 888 (firefox.exe) has active port 80 connections with 212.150.164.203 (whois reports an Israeli address and http://www.malwareurl.com [31/3/2010] lists this IP address as a bot), 66.249.91.104 (google.com) and 66.249.90.104 (google.com).
- Pid 888 (firefox.exe) appears to have active localhost connections on ports 1168 and 1169; these are probably IPC connections.
- Pid 880 (svchost.exe) has two port 80 connections with 193.104.22.71 (https://zeustracker.abuse.ch [31/3/2010] lists this IP address as a bullet-proof ZeuS command and control server located in Malta).
- Pid 1752 (AcroRd32.exe) has an active port 80 connection with 212.150.164.203 (the same Israeli address that http://www.malwareurl.com [31/3/2010] lists as a bot).

Thus Pids 0, 4, 880, 888, 1244 and 1752 are all worth further investigation.

If we take the view that ephemeral local ports are assigned in increasing order (Windows XP hands them out sequentially from 1025 upwards), we can deduce the following sequence of connections:

1. Pid 888 connects to 212.150.164.203 (local port 1176)
2. Pid 1752 connects to 212.150.164.203 (local port 1178)
3. Pid 880 connects to 193.104.22.71 (local port 1184)
4. Pid 880 connects to 193.104.22.71 (local port 1185)
5. Pid 1244 connects to 192.168.0.1 (local port 1189)
6. Pid 1244 connects to 192.168.0.1 (local port 2869, remote port 30379)
7. Pid 4 connects to 192.168.0.1 (local port 2869, remote port 30380)

Port 2869 is the port the Windows XP UPnP Device Host service normally listens on, so the last two entries look like connections accepted on a listening socket rather than outbound ones; they remain worth noting because the remote end is the tainted 192.168.0.1. This sequence of connection events is consistent with the data in our timeline. On this basis, the initial infection appears to have originated from firefox.exe on or before Sat Feb 27 20:12:28 2010 GMT.

Given that a known ZeuS command and control server has been contacted, it is reasonable to expect that the system has been infected by this malware. Since ZeuS commonly infects via email or drive-by downloads, it is also reasonable to expect firefox.exe to be the entry point for the infection.

Question 2. List the sockets that were open on the victim's machine during infection. Are there any suspicious processes that have sockets open? (Possible Points: 4pts)
Tools Used: Volatility; livekd

Answer 2.
Looking at the open sockets (see sockets[16], sockscan2[17] and http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers [31/3/2010]) lets us further enhance our timeline[55]. Grouping the timeline by Pid allows us to determine that:

- Pid 4 (System) and Pid 1244 (svchost.exe) share a single socket object on TCP port 2869. This is unusual behaviour.
- Pid 880 (svchost.exe) has a socket object for TCP port 30301. This port is normally associated with BitTorrent, which is unusual for this process.
- Pid 1752 (AcroRd32.exe) has a socket object on UDP port 1177. If we take the view that this is the Acrobat Reader process, that is also unusual.

Thus the suspicious processes 4, 880 and 1752 have unusual open sockets.

Using a modified version of the thrdscan2[18] Volatility plugin (which scans for _ETHREAD objects), we can also add thread creation and exit timestamps to our timeline[55]. Grouping the timeline by Pid then identifies the following:

- Pid 880 creates thread IDs 160, 176, 264, 592 and 1004 after the suspicious socket creations identified above and after the earliest possible connection time to 193.104.22.71.
- Pid 1244 creates thread IDs 476, 872, 1296 and 1624 after the suspicious socket creations and the earliest possible connection time to 192.168.0.1.
- Pid 1752 creates thread IDs 664, 992, 1768, 1784 and 2020 after the suspicious socket creations and the earliest possible connection time to 212.150.164.203.

These threads are therefore potentially suspicious as well: new threads appearing in an existing process just after it opens an unexpected socket are a common sign of injected code.

Question 3. List any suspicious URLs that may be in the suspected process's memory. (Possible Points: 2pts)
Tools Used: Volatility; strings; grep

Answer 3.
For each suspect process we use Volatility to dump the process's memory (via the memdmp[27] plugin) and then perform a keyword search[28] for valid HTTP request headers by grepping the ASCII strings of each dump for "Host: " (a mandatory HTTP/1.1 request header).

From this, every process on the system appears to be engaging in HTTP conversations with the following hosts:

HOST: 192.168.0.176:2869
Host: 192.168.0.1
Host: 192.168.0.1:4444
Host: 192.168.0.1:9393
Host: 193.104.22.71
Host: activex.microsoft.com
Host: ad.doubleclick.net
Host: clients1.google.com
Host: col.stb.s-msn.com
Host: col.stc.s-msn.com
Host: creativeby1.unicast.com
Host: crl.thawte.com
Host: en-us.start.mozilla.com
Host: fxfeeds.mozilla.com
Host: google.com
Host: googleads.g.doubleclick.net
Host: kona.kontera.com
Host: kona5.kontera.com
Host: mozcom-cdn.mozilla.net
Host: msnportal.112.2o7.net
Host: newsrss.bbc.co.uk
Host: pagead2.googlesyndication.com
Host: ping1.unicast.com
Host: s0.2mdn.net
Host: search-network-plus.com
Host: te.kontera.com
Host: www.google-analytics.com
Host: www.google.com
Host: www.liutilities.com
Host: www.mozilla.com
Host: www.oldversion.com

At first sight the entire machine appears to be compromised. However, memdmp writes out the whole of a process's address space, kernel half included, so a buffer that lives in kernel memory (the network stack's, for example) shows up in every process's dump. We can check that these HTTP headers are (mostly) in kernel space rather than user space by using Volatility's vaddump to dump only the user-space pages of each process and then repeating the search for "Host: ". The user-space search returns nothing for any process except:

- Process 888, where Host headers for search-network-plus.com and www.google.com can be found.
- Process 880, where Host headers for 193.104.22.71 can be found.
- Process 1040, where Host headers for 192.168.0.1 and 192.168.0.1:4444 can be found.
- Process 1244, where Host headers for 192.168.0.1:9393 can be found.

So the Host headers are mostly kernel-resident, and it is the user-space hits that attribute traffic to particular processes.

https://zeustracker.abuse.ch [31/3/2010] reports that 193.104.22.71 is associated with the keyword produkt (this keyword appears in the reported ZeuS links). Further keyword searches (using produkt) allow us to relate the HTTP request

GET /produkt/983745213424/34650798253

to the 193.104.22.71 Host headers present in all process address spaces. In addition, process 880 contains the following URLs:

http://193.104.22.71/produkt/9j856f4m9y8urb.php
http://193.104.22.71/produkt/69825439870/73846525#N

Examining the HTTP requests destined for host search-network-plus.com reveals that the following additional URI is present in all process address spaces:

GET /load.php?a=a&st=Internet%20Explorer%206.0&e=2

Norton Safe Web places search-network-plus.com (which no longer resolves [5/4/2010]) and oldversion.com on its URL blacklist, since its scanners have detected malware signatures on both sites. Based on our timeline[55], search-network-plus.com probably resolved to the IP address 212.150.164.203.

Using Volatility's hashdump plugin we can determine that the machine appears to have only one active user account, the Administrator, which would explain how the entire machine came to be compromised so quickly.

Question 4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (Possible Points: 4pts)
Tools Used: Volatility; strings; grep

Answer 4.
See the answer to Question 3.

Question 5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (Possible Points: 6pts)
Tools Used: Volatility; Mandiant Web Historian; Cache View; hexdump; pdfid.py; file

Answer 5.
Here we use the SHARED_CACHE_MAP of each FILE_OBJECT to carve file data (see Windows Internals for the algorithm). The file objects are those returned by fileobjscan (modulo what looks like a bug[28]). Only the pages still resident in the cache manager's views can be recovered this way, so a carve may be partial; the 0x00-0x4FFF PDF.php fragment listed below is one such case.
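The checks applied to each carved file below (file, hexdump for the object structure and the %%EOF marker, pdfid.py for page count, JavaScript, actions and encryption) can be scripted as a first triage pass. The following is an added example written for this edit; it is not the author's honeynet/carvefileobjects.py and not pdfid.py itself, and it only approximates pdfid's keyword counting (whole-name matching plus #xx name de-obfuscation). The first sample is the three objects from the Acr106.tmp hexdump reproduced below, re-typed as bytes; the second is a constructed fragment, not from the image, with an obfuscated /JavaScript name, an /OpenAction and no trailer, standing in for a partial carve such as PDF.php.

```python
import re

# pdfid-style keyword set: structural names plus the ones that indicate
# active content worth a closer look in a carved fragment.
KEYWORDS = ("/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
            "/OpenAction", "/AcroForm", "/JBIG2Decode", "/RichMedia",
            "/Launch", "/EmbeddedFile", "/XFA")
ACTIVE = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
          "/EmbeddedFile", "/RichMedia", "/XFA")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
DATE_RE = re.compile(rb"/(ModDate|CreationDate)\s*\(D:(\d{14})")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF names (/J#61vaScript -> /JavaScript),
    which is how pdfid defeats the usual keyword obfuscation."""
    def unescape(m):
        return b"/" + re.sub(rb"#([0-9A-Fa-f]{2})",
                             lambda h: bytes([int(h.group(1), 16)]),
                             m.group(1))
    return NAME_RE.sub(unescape, data)


def count_keywords(data: bytes) -> dict:
    """Count each keyword as a whole name, so /Pages is not counted as /Page."""
    norm = normalise_names(data)
    return {kw: len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9])", norm))
            for kw in KEYWORDS}


def enumerate_objects(data: bytes) -> list:
    """(object number, generation, body) for every 'N G obj ... endobj' pair."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def triage(data: bytes) -> dict:
    """First-pass verdict on a carved, possibly partial, PDF fragment."""
    counts = count_keywords(data)
    return {
        "has_header": data.lstrip(b"\x00").startswith(b"%PDF-"),
        "has_eof": b"%%EOF" in data,  # absent => the carve stopped short
        "objects": [n for n, _, _ in enumerate_objects(data)],
        "pages": counts["/Page"],
        "encrypted": counts["/Encrypt"] > 0,
        "dates": {k.decode(): v.decode() for k, v in DATE_RE.findall(data)},
        "keywords": {k: v for k, v in counts.items() if v},
        "needs_analysis": any(counts[k] for k in ACTIVE),
    }


# Sample 1: the three objects from the Acr106.tmp hexdump in this answer,
# re-typed as bytes (CR line ends and NUL padding as in the dump).
ACR106_FRAGMENT = (
    b"1 0 obj<</Pages 2 0 R/Type/Catalog>>\rendobj\r"
    b"2 0 obj<</Count 0/Kids[]/Type/Pages>>\rendobj\r"
    b"3 0 obj<</ModDate(D:20100227151225-05'00')"
    b"/CreationDate(D:20100227151225-05'00')>>\rendobj\r" + b"\x00" * 13
)

# Sample 2: a constructed fragment (not from the image) with an obfuscated
# /JavaScript name, an /OpenAction and no trailer, i.e. a partial carve.
SUSPECT_FRAGMENT = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>\nendobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>\nendobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R>>\nendobj\n"
    b"4 0 obj<</S/J#61vaScript/JS(app.alert(1))>>\nendobj\n"
)

if __name__ == "__main__":
    for name, frag in (("Acr106.tmp", ACR106_FRAGMENT), ("suspect", SUSPECT_FRAGMENT)):
        print(name, triage(frag))
```

A missing %%EOF is the signal that a carve stopped short; in that case the object list shows which parts of the file survived, and any /CreationDate or /ModDate values can go straight onto the timeline. A non-zero active-content count is only a prompt for manual analysis of the object in question, not a verdict.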
To aid in automating this SHARED_CACHE_MAP carving, we have written some code (see honeynet/carvefileobjects.py) designed to be used from within volshell (see http://github.com/carlpulley/volatility). All extracted files have been scanned using VirusTotal; unless otherwise indicated, these AV scans show nothing untoward.

From process 888 we are able to extract:

/Documents\ and\ Settings/Administrator/Local\ Settings/Application\ … /Cache:
this directory contains Firefox's Cache Map file and three Cache Block files. Since the initial pages of each of these files have been recovered, our Cache Map header and Cache Block bitmaps are intact, which allows Firefox's page cache index to be fully reconstructed and its contents partially reconstructed using Cache View. No untoward-looking files or URLs are located by doing this.

/Documents\ and\ refox/Profiles/6e0nnrv4.default/history.dat:
this is Firefox's history of accessed or visited URLs. Analysis with Mandiant Web Historian shows that firefox.exe did indeed access the URL http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0. The history.dat timestamps associated with this URL allow us to further refine the starting point of the compromise on our timeline[55].

From process 1752 we are able to extract the following cached file sections:

DOCUME~1/ADMINI~1/LOCALS~1/Temp/Acr106.tmp/cache.0x00-0xFFF.dmp: when viewed with hexdump, we clearly have three PDF objects:

object number 1:
00000000  31 20 30 20 6f 62 6a 3c 3c 2f 50 61 67 65 73 20  |1 0 obj<</Pages |
00000010  32 20 30 20 52 2f 54 79 70 65 2f 43 61 74 61 6c  |2 0 R/Type/Catal|
00000020  6f 67 3e 3e 0d 65 6e 64 6f 62 6a 0d              |og>>.endobj.    |

object number 2:
0000002c  32 20 30 20                                      |2 0             |
00000030  6f 62 6a 3c 3c 2f 43 6f 75 6e 74 20 30 2f 4b 69  |obj<</Count 0/Ki|
00000040  64 73 5b 5d 2f 54 79 70 65 2f 50 61 67 65 73 3e  |ds[]/Type/Pages>|
00000050  3e 0d 65 6e 64 6f 62 6a 0d                       |>.endobj.       |

object number 3:
00000059  33 20 30 20 6f 62 6a                             |3 0 obj         |
00000060  3c 3c 2f 4d 6f 64 44 61 74 65 28 44 3a 32 30 31  |<</ModDate(D:201|
00000070  30 30 32 32 37 31 35 31 32 32 35 2d 30 35 27 30  |00227151225-05'0|
00000080  30 27 29 2f 43 72 65 61 74 69 6f 6e 44 61 74 65  |0')/CreationDate|
00000090  28 44 3a 32 30 31 30 30 32 32 37 31 35 31 32 32  |(D:2010022715122|
000000a0  35 2d 30 35 27 30 30 27 29 3e 3e 0d 65 6e 64 6f  |5-05'00')>>.endo|
000000b0  62 6a 0d 00 00 00 00 00 00 00 00 00 00 00 00 00  |bj..............|

DOCUME~1/ADMINI~1/LOCALS~1/Temp/Acr107.tmp/cache.0x00-0xFFF.dmp: the UNIX file

command reports this file as a PDF. Both VirusTotal and pdfid.py suggest that this file is innocent. Viewing the PDF file with hexdump suggests that all of the file has been extracted (a recognisable PDF EOF comment is present).

DOCUME~1/ADMINI~1/LOCALS~1/Temp/plugtmp/PDF.php/cache.0x00-0x4FFF.dmp (see 439f46421a994fdbe6c5bafed90bf3b79121 for AV scan results): the UNIX file command reports this file as a PDF. Additionally, pdfid.py reports that this file has 1 page, JavaScript objects and an action object, so further analysis is needed here. Viewing the file with hexdump suggests that not all of the PDF has been recovered.

722d95bfa1ea435a1-1269936720\Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf: the UNIX file command reports this file as a PDF. VirusTotal does not report this file as untoward. However, pdfid.py clearly identifies that this file is encrypted. Vi