Finding Malware on a Windows Box

Finding Malware on a Windows Computer
5/21/2014
Kevin Murphy, ManTech International
Dave Shaver, ManTech International
www.encase.com/ceic
Session Description
In this hands-on lab, participants will examine a compromised Windows 8.1 computer and a RAM capture to locate the malware. Along the way we will discuss various methods of automating some of the processes to locate malware faster.
Dave Shaver, ManTech International
Kevin Murphy, ManTech International
DISCLAIMER
• All views and ideas expressed here are our own and not those of ManTech International or anyone else, alive or dead.
• There is no warranty, expressed or implied, on anything.
• You should always validate your forensic tools.
• Remember, you will be on the stand, not us.
Limitations on this presentation
Only 90 minutes.
160+ people of varying skills
What might be too complicated for some, might be too easy
for others.
I am going to try to walk a fine line.
Finally, allow us to introduce ourselves.
Malware basics
What is malware?
Is it a photo?
Is it a text file?
Is it an executable?
Malware Basics
How does malware get onto the machine?
Unsecured servers
Unwise actions of users (the "click here" virus)
The first piece of malware is called a dropper:
Small
Designed to start the process; it fetches more files from other sites, then deletes itself
▫ Generally from compromised websites (small companies)
Malware Hiding in Plain or Not Plain Sight
Normal hiding spots
Recycle Bin
Windows folder
System Information folder
User Appdata folder
Program Files folder
Program Data folder
Malware Hiding in Plain or Not Plain Sight
Renamed to blend in:
svchost.exe (the real one)
scvhost.exe (two letters swapped)
rundll.exe (lowercase L)
rundII.exe (uppercase I standing in for lowercase L)
Demo #1 – Hiding a folder in plain sight
Create a hidden folder on your desktop
1. On your desktop, right click -> New -> Folder
2. Right click on "New folder" -> Properties -> Customize
3. Change Icon -> choose the blank image
4. In the General tab, highlight "New folder"
5. On the numeric keypad (ensure Num Lock is on),
6. hold the ALT key, type 0160, then let go (this enters a non-breaking space, so the folder's name is invisible)
7. Check "Hidden"
8. Click "OK"
Malware Basics
The files could be anywhere, however…
It needs to survive a reboot!
Something is starting the process.
Find what starts it and pull the thread.
Keep in mind that from Windows Vista on, security has gotten better (UAC). A user might not have permission to install a program, so where does the malware go? It goes into the user's profile.
Altered Time and Date Stamps
Evidence of timestamp altering
NTFS is redundant and maintains two sets of four timestamps:
Standard Information Attribute (SIA): starting at the FILE0 signature, sweep 80 bytes, then sweep the next 32
The dates you see!
▫ Created
▫ Last Written
▫ Last Accessed
▫ Entry Modified
File Name Attribute (FNA): starting at the FILE0 signature, sweep 184 bytes, then sweep the next 32
▫ Created
▫ Last Written
▫ Last Accessed
▫ Entry Modified
Each set is stored on disk as four 8-byte FILETIME values in the order Created, Last Written, Entry Modified, Last Accessed. The 80/184 offsets hold for the usual record layout (56-byte record header, 96-byte $STANDARD_INFORMATION, 24-byte attribute header, and an 8-byte parent reference before the FNA dates). The Windows SetFileTime API only rewrites the SIA set, which is why a SIA Created date earlier than the FNA Created date is a red flag.
Demo #2 – Finding altered time and date stamps
Open EnCase
Add the logical evidence file AOL.EXE
What dates and times do you see?
Verify in the $MFT
• Open the $MFT and go to the record for aol.exe.
• Remember: (File Identifier × 1024) = byte offset of the file record, because every MFT record is 1024 bytes.
• In this example: 66723840
Finding Malware on a Windows Box
These are the dates you see!!
SIA Field
Created
Last Written
Last Accessed
Entry Modified
Page 16
Dave Shaver, ManTech International
Kevin Murphy, ManTech International
8
Finding Malware on a Windows Computer
5/21/2014
Finding Malware on a Windows Box
FNA Field
Created
Last Written
Last Accessed
Entry Modified
Page 17
Demo #2 – Finding altered time and date stamps
MFT Date Comparator (V3.0.0)
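The comparator's core logic, as an added example that is not code from the slides, from EnCase or from the MFT Date Comparator EnScript: a Python parser that reads one 1024-byte $MFT FILE record, undoes the fixups, walks the attributes to both timestamp sets, and flags a SIA Created date earlier than the FNA one. The record it parses is constructed in build_record (the 2009/2014 dates and the record number are made up for the demonstration), and record_offset, apply_fixups and datetime_to_filetime are helpers assumed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

MFT_RECORD_SIZE = 1024            # the "* 1024" in the slides' rule of thumb
ATTR_STANDARD_INFORMATION = 0x10  # SIA: the dates EnCase shows
ATTR_FILE_NAME = 0x30             # FNA: the second, harder-to-alter set
ATTR_END = 0xFFFFFFFF
TS_NAMES = ("created", "last_written", "entry_modified", "last_accessed")  # on-disk order
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - WIN_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def record_offset(file_identifier):
    """Byte offset of a record inside $MFT: identifier * 1024 (65160 -> 66723840 in the demo)."""
    return file_identifier * MFT_RECORD_SIZE


def apply_fixups(rec):
    """Undo update-sequence fixups: the last word of each 512-byte sector holds the USN,
    the real bytes sit in the update sequence array (USA) in the record header."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    rec = bytearray(rec)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * 512 - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(rec):
    """Walk the resident attributes of one FILE record and return both timestamp sets."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    off = struct.unpack_from("<H", rec, 20)[0]  # first attribute offset (0x38 on Vista and later)
    out = {"sia": None, "sia_raw": None, "fna": None, "names": []}
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:  # resident attribute: content follows the 24-byte header
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                raw = struct.unpack_from("<4Q", content, 0)  # the "sweep 80, then 32" bytes
                out["sia_raw"] = dict(zip(TS_NAMES, raw))
                out["sia"] = {k: filetime_to_datetime(v) for k, v in zip(TS_NAMES, raw)}
            elif atype == ATTR_FILE_NAME:
                raw = struct.unpack_from("<4Q", content, 8)  # after the 8-byte parent reference
                name_len = content[64]
                out["names"].append(content[66:66 + 2 * name_len].decode("utf-16-le"))
                if out["fna"] is None:  # first $FILE_NAME: the "sweep 184, then 32" bytes
                    out["fna"] = {k: filetime_to_datetime(v) for k, v in zip(TS_NAMES, raw)}
        off += alen
    return out


def timestomp_indicators(parsed):
    """Reasons to distrust the SIA dates. Stomping via SetFileTime rewrites only SIA, so FNA keeps the
    real drop time; a zero sub-second part is a weaker hint (stomping tools usually write whole seconds)."""
    sia, fna, raw = parsed["sia"], parsed["fna"], parsed["sia_raw"]
    if sia is None or fna is None:
        return ["missing $STANDARD_INFORMATION or $FILE_NAME"]
    reasons = []
    if sia["created"] < fna["created"]:
        reasons.append("SIA created predates FNA created")
    reasons += [f"SIA {k} has a zero sub-second part" for k in TS_NAMES if raw[k] % 10_000_000 == 0]
    return reasons


def _resident_attr(atype, content):
    alen = (24 + len(content) + 7) & ~7  # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return hdr + content + bytes(alen - 24 - len(content))


def build_record(sia_times, fna_times, name, record_number=65160):
    """Constructed minimal FILE record (test data, not from a real disk): $STANDARD_INFORMATION,
    one $FILE_NAME, the end marker, and valid fixups so the parser takes the same path as on real data."""
    si = struct.pack("<4Q", *sia_times) + bytes(40)  # 72-byte SI body; flags/owner/USN zeroed
    fn = struct.pack("<Q4QQQIIBB", 0x0005000000000005, *fna_times, 0, 0, 0, 0, len(name), 1)
    body = _resident_attr(ATTR_STANDARD_INFORMATION, si)
    body += _resident_attr(ATTR_FILE_NAME, fn + name.encode("utf-16-le"))
    body += struct.pack("<I", ATTR_END) + bytes(4)
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body),
                                MFT_RECORD_SIZE, 0, 3, 0, record_number)
    rec = bytearray(hdr + b"\x01\x00" + bytes(6) + body)  # USA at 0x30: USN 0x0001 + two saved words
    rec += bytes(MFT_RECORD_SIZE - len(rec))
    for i in (1, 2):  # park each sector's real last word in the USA and stamp the USN over it
        end = i * 512 - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = b"\x01\x00"
    return bytes(rec)


def demo():
    """Constructed scenario: aol.exe dropped on 2014-03-24, its SIA created/written dates then stomped
    back to 2009. Returns the indicators for the stomped record and for an untouched one."""
    real = datetime_to_filetime(datetime(2014, 3, 24, 16, 36, 30, 504309, tzinfo=timezone.utc))
    fake = datetime_to_filetime(datetime(2009, 7, 14, 1, 14, 32, tzinfo=timezone.utc))
    stomped = parse_mft_record(build_record((fake, fake, real, real), (real,) * 4, "aol.exe"))
    clean = parse_mft_record(build_record((real,) * 4, (real,) * 4, "aol.exe"))
    return {"stomped": timestomp_indicators(stomped), "clean": timestomp_indicators(clean),
            "names": stomped["names"]}
```

On a real $MFT, seek to record_offset(identifier) and pass the 1024 bytes to parse_mft_record. Because the parser follows the attribute lengths instead of assuming the 80/184 offsets, it also copes with records whose attribute sizes differ from the usual layout, such as ones carrying two $FILE_NAME attributes (8.3 and long name).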
Altered Time and Date Stamps - Automated
Today's Scenario
Situation:
• You work in the computer forensic shop of a large multinational company. One of the regional supervisors reports his computer was acting odd.
Resources:
• You have an EnCase image of the computer
• You have a RAM capture of the computer
Goal:
• Find the malware.
Keep in mind, malware has to start somehow
• First place to look? Autoruns!
• What is the difference between the autoruns in the Case Processor and the EnScript?
Case Processor (138 Locations)
EnScript (172 Locations)
OK, I ran the autoruns EnScript, now what?
• In the Comments column, look for the paths of programs
A closer look
View the NTUSER.DAT
• Software\Microsoft\Windows\CurrentVersion\Run\ (the per-user Run key: writing it needs no admin rights, which is why malware confined to the user's profile ends up here)
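The "look at the paths" step done programmatically, as an added example that is not part of the slides or of the EnCase autoruns EnScript: for each Run-key entry it pulls out the executable path and flags what the earlier slides describe, namely a path in one of the normal hiding spots, a name that is a homoglyph or one-edit lookalike of a Windows system binary, a system-binary name living outside System32, and invisible characters such as the Alt+0160 non-breaking space from Demo #1. The entries in SAMPLE_RUN_KEY, the list of system binaries and the list of hiding spots are assumptions made for the example.

```python
import ntpath
import re
import unicodedata

# Windows binaries malware likes to impersonate (the slides' examples plus a few siblings; extend as needed)
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "wininit.exe", "taskhost.exe"}
# Where those binaries legitimately live
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# The "normal hiding spots" from the slides, as lower-case path fragments
HIDING_SPOTS = ("\\appdata\\", "\\programdata\\", "\\$recycle.bin\\", "\\system volume information\\",
                "\\temp\\", "\\users\\public\\")
# Characters that render as nothing or as a space: the Alt+0160 trick, zero-width joiners, RTL override
INVISIBLE = {"\u00a0", "\u200b", "\u200c", "\u200d", "\u2060", "\u202e", "\ufeff"}
UPPER_GLYPHS = str.maketrans("I|", "ll")  # capital I and the pipe pass for lowercase L
LOWER_GLYPHS = str.maketrans("10", "lo")  # digits that pass for letters


def normalize(name):
    """Fold look-alike glyphs so that rundII32.exe compares equal to rundll32.exe."""
    name = unicodedata.normalize("NFKC", name)  # full-width Latin letters -> ASCII
    return name.translate(UPPER_GLYPHS).lower().translate(LOWER_GLYPHS)


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps (scvhost/svchost)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def image_path(command):
    """Executable path out of a Run-key value: a quoted path, else the first token ending in .exe."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r'([^"\s]+\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage_autorun(command):
    """Reasons one autorun entry deserves a closer look (an empty list is a lead, not a clean bill)."""
    exe = image_path(command)
    low = exe.lower()
    base = ntpath.basename(exe)
    norm = normalize(base)
    findings = []
    if any(ch in exe for ch in INVISIBLE):
        findings.append("invisible or non-breaking characters in path")
    if any(spot in low for spot in HIDING_SPOTS):
        findings.append("image lives in a user-writable hiding spot")
    if norm in SYSTEM_BINARIES:
        if base.lower() != norm:
            findings.append(f"homoglyph spelling of {norm}")
        if ntpath.dirname(low) not in SYSTEM_DIRS:
            findings.append(f"{norm} outside the Windows system directories")
    else:
        close = sorted(s for s in SYSTEM_BINARIES if osa_distance(norm, s) <= 1)
        if close:
            findings.append(f"lookalike of {close[0]}")
    return findings


def triage_run_key(entries):
    return {name: triage_autorun(cmd) for name, cmd in entries.items()}


# Constructed Run-key contents in the shape the EnScript's Comments column shows (not from the lab image)
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\Moh\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Update": r'"C:\Users\Moh\AppData\Roaming\scvhost.exe"',
    "Service Host": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Loader": r"C:\ProgramData\rundII32.exe C:\ProgramData\cfg.dll,Start",
    "Helper": '"C:\\Users\\Moh\\Desktop\\\u00a0\\helper.exe"',
}

if __name__ == "__main__":
    for name, why in triage_run_key(SAMPLE_RUN_KEY).items():
        print(f"{name:13} {why or 'nothing obvious'}")
```

The OneDrive entry shows why the hiding-spot test alone is noisy (plenty of legitimate software installs under AppData), which is exactly why the next slides go on to hash the files rather than stop at the paths.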
Go look at the file
Check the hash values of all the files using Team Cymru
• http://hash.cymru.com/
• http://www.team-cymru.org/Services/MHR/
• Install WinMHR Beta Setup.exe
• Open WinMHR Beta Setup
Share out those files (remember, this might be a bad idea)
• On the folder Moh\AppData, right click
• Device -> Share -> Mount as network share
Running WinMHR
• In WinMHR, at the bottom, choose Scan Folder
• Navigate to the mounted share (Z: drive)
Look at the results - nothing malicious
• Results
• So it's all good, right?
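The same hash check without WinMHR, as an added example that is not from the slides or from Team Cymru's own tools: Python that hashes every file under a directory (such as the mounted share) and queries the Malware Hash Registry over DNS, where a TXT record for <md5>.malware.hash.cymru.com answers with the last-seen time and the detection percentage, and NXDOMAIN means the hash is unknown. The files and the stub resolver in demo() are constructed so that it runs offline; dns_txt_resolver is the live variant and assumes the dnspython package is installed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

MHR_ZONE = "malware.hash.cymru.com"  # Team Cymru's DNS interface to the Malware Hash Registry


def hash_file(path, chunk=1 << 20):
    """MD5, SHA-1 and SHA-256 in one pass: MHR is keyed on MD5/SHA-1, VirusTotal takes any of them."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {k: v.hexdigest() for k, v in digests.items()}


def mhr_lookup(digest, resolve_txt):
    """Ask MHR about one hash. resolve_txt(name) returns the TXT string, or None on NXDOMAIN.
    A hit answers '<last-seen unix time> <percent of AV engines detecting>'."""
    answer = resolve_txt(f"{digest.lower()}.{MHR_ZONE}")
    if answer is None:
        return {"known": False}
    last_seen, percent = answer.split()
    return {"known": True,
            "last_seen": datetime.fromtimestamp(int(last_seen), tz=timezone.utc),
            "detection_pct": int(percent)}


def dns_txt_resolver(name):
    """Live resolver built on dnspython (pip install dnspython); an assumption, not part of the slides."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except dns.resolver.NXDOMAIN:
        return None
    return b"".join(answer[0].strings).decode()


def triage_tree(root, resolve_txt):
    """Hash everything under root and tag each file 'malicious' on an MHR hit, otherwise 'unknown'.
    'unknown' means exactly that: MHR only knows samples the AV vendors have already seen."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            h = hash_file(os.path.join(dirpath, fn))
            verdict = mhr_lookup(h["md5"], resolve_txt)
            results[fn] = {"status": "malicious" if verdict["known"] else "unknown",
                           "sha256": h["sha256"], "mhr": verdict}
    return results


def demo():
    """Constructed files plus a stub resolver standing in for Team Cymru's DNS, so this runs offline."""
    known_bad = b"constructed bytes standing in for a dropper already known to MHR"
    stub = {f"{hashlib.md5(known_bad).hexdigest()}.{MHR_ZONE}": "1395678990 62"}  # constructed hit: 62%
    with tempfile.TemporaryDirectory() as root:
        roaming = os.path.join(root, "AppData", "Roaming")
        os.makedirs(roaming)
        with open(os.path.join(roaming, "scvhost.exe"), "wb") as f:
            f.write(known_bad)
        with open(os.path.join(roaming, "notes.txt"), "wb") as f:
            f.write(b"harmless constructed text file")
        return triage_tree(root, stub.get)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["status"], info["sha256"][:16], info["mhr"])
```

An "unknown" result is the "so it's all good, right?" trap: a fresh dropper nobody has submitted yet comes back unknown just like notes.txt does, so the investigation carries on with prefetch and dynamic analysis rather than stopping here.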
Prefetch files
• Prefetch is a Windows mechanism for making programs start faster
• C:\Windows\Prefetch
• File Created -> date first run
• Last Written -> date last run
• Inside, you can learn the path and the number of times run (and, from Windows 8 on, the last eight run times)
• However, in this case
EnCase Prefetch Enscript
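What the prefetch EnScript reads out of each .pf, as an added example that is not the EnScript's code: a Python parser for the header of XP, Vista/7 and Windows 8 prefetch files (executable name, path hash, run counter and, on Windows 8, the last eight run times), plus a check of those embedded run times against the file's NTFS Created and Last Written dates. The .pf header built by build_prefetch_v26 and the dates in demo() are constructed; the 60-second slack is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (offset of the last-run FILETIME array, number of entries, offset of the run counter)
LAYOUTS = {17: (0x78, 1, 0x90),   # Windows XP / 2003
           23: (0x80, 1, 0x98),   # Windows Vista / 7
           26: (0x80, 8, 0xD0)}   # Windows 8 / 8.1: keeps the last eight run times


def filetime_to_datetime(ft):
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Header fields of a .pf file: executable name, path hash, run counter and run times."""
    if data[:3] == b"MAM":
        raise ValueError("Windows 10 compressed prefetch (MAM); decompress it first")
    version, signature, _, _ = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch version {version}")
    times_off, n_times, count_off = LAYOUTS[version]
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte NUL-terminated field
    path_hash = struct.unpack_from("<I", data, 76)[0]
    raw_times = struct.unpack_from(f"<{n_times}Q", data, times_off)
    return {"version": version, "executable": exe, "path_hash": f"{path_hash:08X}",
            "run_count": struct.unpack_from("<I", data, count_off)[0],
            "run_times": [filetime_to_datetime(t) for t in raw_times if t]}  # unused slots are zero


def expected_filename(info):
    """Windows names the file EXE-<hash>.pf with the hash taken from the full path, so one binary
    launched from two directories leaves two prefetch files."""
    return f"{info['executable']}-{info['path_hash']}.pf"


def consistency(info, fs_created, fs_modified, slack=60):
    """The slides' rule (Created = first run, Last Written = last run) checked against the run times
    stored inside the file; the prefetcher writes the .pf about ten seconds after launch, hence the slack."""
    if not info["run_times"]:
        return ["no run times recorded"]
    notes = []
    newest, oldest = max(info["run_times"]), min(info["run_times"])
    if abs((fs_modified - newest).total_seconds()) > slack:
        notes.append("Last Written does not match the newest embedded run time")
    if (fs_created - oldest).total_seconds() > slack:
        notes.append("oldest embedded run time predates Created (NTFS dates altered?)")
    if info["run_count"] < len(info["run_times"]):
        notes.append("run counter lower than the number of stored run times")
    return notes


def build_prefetch_v26(exe, run_times, run_count, path_hash=0x1A2B3C4D):
    """Constructed Windows 8 (version 26) header with just the fields parsed above; not a real capture."""
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, 26, b"SCCA", 0x11, len(buf))
    name = exe.encode("utf-16-le")[:58]
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, path_hash)
    for i, dt in enumerate(run_times[:8]):
        d = dt - WIN_EPOCH
        ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
        struct.pack_into("<Q", buf, 0x80 + 8 * i, ticks)
    struct.pack_into("<I", buf, 0xD0, run_count)
    return bytes(buf)


def demo():
    """Constructed scenario: the sample ran on the 20th, 22nd and 24th, yet the .pf's NTFS Created
    date says the 24th, which is what an altered Created date looks like on a Windows 8 box."""
    runs = [datetime(2014, 3, d, 16, 36, 30, tzinfo=timezone.utc) for d in (24, 22, 20)]
    info = parse_prefetch(build_prefetch_v26("FTK IMAGER V4.04.EXE", runs, 3))
    created = modified = datetime(2014, 3, 24, 16, 36, 40, tzinfo=timezone.utc)
    return info, expected_filename(info), consistency(info, created, modified)
```

Two practical consequences of the format: the .pf survives after the malware deletes itself, so the executable name and its run history are still there, and because the hash covers the full path, the same binary run from AppData and from Temp leaves two files.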
Dynamic Analysis
• You located a suspect file and want to see what it does when it runs.
• Remember to run this in a controlled environment (an isolated VM with no path back to your network), as this could go badly for you.
Using Process Monitor for Dynamic Analysis
1. Open ProcMon
2. Click on the magnifying glass to start the collection
3. Launch the executable (FTK Imager V4.04.exe)
4. Wait 30-60 seconds
5. Click on the magnifying glass to stop the collection
Filter the Results
• Click on the filter icon
• Under "Display entries matching these", select the following:
• "Process Name", "begins with", FTK, Include
• Apply
Review the Results
• File -> Save -> .CSV
• Open the file (AccessData ProcMon Log.CSV)
Using Excel to Filter
• Save the CSV as XLSX
• View -> Freeze Panes -> Freeze Top Row
• Home -> Sort & Filter -> Filter
• In the Operation column, drop down and select the items you are interested in:
• TCP?
• File created?
A note on ProcMon
• These filters are not all-inclusive of what you might want to look for.
• Start wide: filter only on the known process name (the file name of the malware).
• Save as a .CSV and filter within Excel to locate what you are looking for.
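The filter-then-Excel step in code, as an added example that is not from the slides: Python that reads ProcMon's CSV export, keeps only the rows of the process you launched, and sorts what it did into the buckets the slides ask about (TCP connections, files created, Run-key writes, child processes), skipping plain opens of existing files, which are the bulk of the noise. SAMPLE_PROCMON_CSV is a constructed export in ProcMon's seven-column layout, not the lab's real log.

```python
import csv
import io
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.IGNORECASE)
NETWORK_OPS = {"TCP Connect", "TCP Reconnect", "TCP Send", "UDP Send"}
NEW_FILE = re.compile(r"Disposition: (Create|OverwriteIf|OpenIf)\b")  # ProcMon's CreateFile detail


def classify(row):
    """Map one ProcMon row to a bucket the slides ask about, or None for noise."""
    op, path, detail = row["Operation"], row["Path"], row["Detail"]
    if op in NETWORK_OPS:
        return "network"
    if op == "Process Create":
        return "child process"
    if op == "RegSetValue":
        return "persistence" if RUN_KEY.search(path) else "registry write"
    if op == "WriteFile":
        return "file written"
    if op == "CreateFile" and row["Result"] == "SUCCESS" and NEW_FILE.search(detail):
        return "file created"  # "Disposition: Open" rows (DLL loads, config reads) are dropped
    return None


def triage_procmon(csv_text, process_prefix):
    """Start wide (one process name, like the 'begins with FTK' filter), then bucket what it did."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Process Name"].lower().startswith(process_prefix.lower()):
            continue
        kind = classify(row)
        if kind:
            buckets[kind].append((row["Time of Day"], row["Operation"], row["Path"]))
    return dict(buckets)


# Constructed export in ProcMon's CSV layout (not the lab's real capture)
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:36:30.1011234 PM","FTK Imager V4.04.exe","3120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point"
"4:36:30.2204551 PM","FTK Imager V4.04.exe","3120","CreateFile","C:\Users\Moh\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: Create, Options: Synchronous IO Non-Alert"
"4:36:30.2310877 PM","FTK Imager V4.04.exe","3120","WriteFile","C:\Users\Moh\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 65,536"
"4:36:30.4100023 PM","FTK Imager V4.04.exe","3120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\Moh\AppData\Roaming\svchost.exe"
"4:36:31.0050000 PM","FTK Imager V4.04.exe","3120","TCP Connect","WIN81-LAB:49321 -> 203.0.113.7:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65536, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0"
"4:36:31.2000000 PM","FTK Imager V4.04.exe","3120","Process Create","C:\Users\Moh\AppData\Roaming\svchost.exe","SUCCESS","PID: 3388, Command line: C:\Users\Moh\AppData\Roaming\svchost.exe"
"4:36:31.5000000 PM","explorer.exe","1460","CreateFile","C:\Users\Moh\Desktop","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open"
'''

if __name__ == "__main__":
    for kind, events in triage_procmon(SAMPLE_PROCMON_CSV, "FTK").items():
        print(kind, *events, sep="\n  ")
```

The dropped file, the Run-key value pointing at it and the child process are the same three threads the autoruns and $MFT slides pulled from the disk image, now seen from the other end; the TCP Connect row is where the next question (what did it fetch?) starts.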
What to do if the malware does not run
• The malware might need another file to run
• The malware was not designed to run in your test environment
• You are not doing it right.
• <INSERT ANOTHER REASON HERE>
VirusTotal
Using RAM
Using Volatility standalone (on a Windows computer)
https://code.google.com/p/volatility/
volatility-X.X.X.standalone -f <MEMORY FILE> --profile=<PROFILE> <COMMAND> --output-file=<OUTPUT FILE>
(Run the imageinfo command first if you do not know which --profile matches the capture.)
Within RAM - Process Listings
1. pslist: lists the processes in the kernel's linked list; good to see what RAM sees versus what the OS showed
2. psscan: scans for hidden or terminated processes
3. pstree: shows processes in parent/child tree format
4. psxview: cross-references processes across the various lists (why would a process be missing from one of them?)
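What psxview and pstree are doing, as an added example that is not Volatility's code: Python that parses pslist and psscan text output, reports the processes psscan carved that the linked list does not show (separating already-exited ones from hidden ones), and checks the parent of each core Windows process against the Vista+ boot chain. PSLIST and PSSCAN are constructed listings rendered in Volatility 2's column layout, not the lab's capture, and EXPECTED_PARENT is an analyst baseline assumed for the example, not something the slides list.

```python
import re

# Vista+ boot chain: who should be the live parent of each core process (extend with your own baseline)
EXPECTED_PARENT = {"smss.exe": {"system"}, "csrss.exe": {"smss.exe"}, "wininit.exe": {"smss.exe"},
                   "winlogon.exe": {"smss.exe"}, "services.exe": {"wininit.exe"},
                   "lsass.exe": {"wininit.exe"}, "svchost.exe": {"services.exe"}}


def parse_listing(text):
    """Parse a Volatility 2 table using the dashed ruler for column boundaries; process names can
    contain spaces ("FTK Imager V4.0"), so splitting on whitespace would shift the PID column."""
    lines = text.splitlines()
    header, ruler, rows = lines[0], lines[1], lines[2:]
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    cols = [header[s:e].strip() for s, e in spans]
    procs = {}
    for line in rows:
        cell = {c: line[s:e].strip() for c, (s, e) in zip(cols, spans)}
        exited = cell.get("Exit") or cell.get("Time exited")
        procs[int(cell["PID"])] = {"name": cell["Name"], "ppid": int(cell["PPID"]), "exited": bool(exited)}
    return procs


def psxview(pslist, psscan):
    """psxview's core idea: what psscan carves but pslist's linked list lacks is either an exited
    process whose pool block has not been reused, or one unlinked from the list (DKOM)."""
    hidden, exited = {}, {}
    for pid, p in psscan.items():
        if pid not in pslist:
            (exited if p["exited"] else hidden)[pid] = p["name"]
    return {"hidden": hidden, "exited": exited}


def odd_parents(procs):
    """pstree by rule: flag core processes whose live parent is not the expected one."""
    odd = []
    for pid, p in procs.items():
        expected = EXPECTED_PARENT.get(p["name"].lower())
        parent = procs.get(p["ppid"])  # None when the parent already exited (smss instances do)
        if expected and parent and parent["name"].lower() not in expected:
            odd.append((pid, p["name"], p["ppid"], parent["name"]))
    return odd


def _table(columns, rows):
    """Render rows in Volatility 2's fixed-width layout (used only to build the constructed samples)."""
    names, widths = zip(*columns)
    header = " ".join(n.ljust(w) for n, w in zip(names, widths)).rstrip()
    ruler = " ".join("-" * w for w in widths)
    body = [" ".join(str(c).ljust(w) for c, w in zip(r, widths)).rstrip() for r in rows]
    return "\n".join([header, ruler, *body]) + "\n"


PSLIST_COLS = [("Offset(V)", 10), ("Name", 20), ("PID", 6), ("PPID", 6), ("Thds", 6), ("Hnds", 8),
               ("Sess", 6), ("Wow64", 6), ("Start", 30), ("Exit", 30)]
PSSCAN_COLS = [("Offset(P)", 18), ("Name", 16), ("PID", 6), ("PPID", 6), ("PDB", 10),
               ("Time created", 30), ("Time exited", 30)]
T = "2014-03-24 16:%s UTC+0000"
# Constructed listings: svchost 2988 hangs off explorer, the FTK-named dropper has exited, and psscan
# carves a svchost.exe (3388) that pslist does not show.
PSLIST = _table(PSLIST_COLS, [
    ("0x83c0d020", "System", 4, 0, 88, 524, "------", 0, T % "20:01", ""),
    ("0x85a1b030", "smss.exe", 276, 4, 2, 29, "------", 0, T % "20:01", ""),
    ("0x85e32d40", "wininit.exe", 404, 348, 3, 78, 0, 0, T % "20:03", ""),
    ("0x85e4f8c0", "services.exe", 520, 404, 9, 216, 0, 0, T % "20:04", ""),
    ("0x85e50a20", "lsass.exe", 528, 404, 7, 640, 0, 0, T % "20:04", ""),
    ("0x85f01030", "svchost.exe", 688, 520, 12, 401, 0, 0, T % "20:05", ""),
    ("0x860a2d40", "explorer.exe", 1460, 1432, 31, 904, 1, 0, T % "21:10", ""),
    ("0x8637b5a0", "svchost.exe", 2988, 1460, 4, 83, 1, 0, T % "36:31", ""),
])
PSSCAN = _table(PSSCAN_COLS, [
    ("0x000000003e40d020", "System", 4, 0, "0x00185000", T % "20:01", ""),
    ("0x000000003fa1b030", "smss.exe", 276, 4, "0x1e8b1000", T % "20:01", ""),
    ("0x000000003fe32d40", "wininit.exe", 404, 348, "0x1ec2a000", T % "20:03", ""),
    ("0x000000003fe4f8c0", "services.exe", 520, 404, "0x1ecf0000", T % "20:04", ""),
    ("0x000000003fe50a20", "lsass.exe", 528, 404, "0x1ed11000", T % "20:04", ""),
    ("0x000000003ff01030", "svchost.exe", 688, 520, "0x1ee55000", T % "20:05", ""),
    ("0x00000000400a2d40", "explorer.exe", 1460, 1432, "0x2091a000", T % "21:10", ""),
    ("0x000000004037b5a0", "svchost.exe", 2988, 1460, "0x2f4d0000", T % "36:31", ""),
    ("0x00000000404c1d40", "notepad.exe", 3044, 1460, "0x2f622000", T % "30:00", T % "35:12"),
    ("0x0000000040612020", "FTK Imager V4.0", 3120, 1460, "0x2f7a1000", T % "36:30", T % "36:45"),
    ("0x0000000040701020", "svchost.exe", 3388, 2988, "0x2f8c3000", T % "36:32", ""),
])


def demo():
    pslist, psscan = parse_listing(PSLIST), parse_listing(PSSCAN)
    return {**psxview(pslist, psscan), "odd_parents": odd_parents(pslist)}
```

In a real case, write each plugin's output to a file with --output-file and hand the text to parse_listing; the ruler-based parsing is what keeps a process name with spaces from shifting the PID column. A hidden entry is the cue to run malfind and ldrmodules against that PID.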
Within RAM - System Information
1. envars: display environment variables
2. getsids: display the SIDs each process is running under
Within RAM - Injected Code
1. malfind: finds private, executable memory regions that are not backed by a file on disk
2. ldrmodules: compares the PEB's loader lists with the VADs to spot unlinked or injected DLLs
Automate the time line and other cool functions
• MantaRay
• SIFT add-on, automates a lot of processes
• FREE!!!
• www.mantarayforensics.com
SIFT 3.0
How to Install MantaRay and SIFT 3.0
1. Download Ubuntu 12.04
2. Install it in a VM
3. Run these commands to update the OS:
1. sudo apt-get update
2. sudo apt-get dist-upgrade
4. Install SIFT 3.0 (this will take a few minutes):
1. wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo sh -s -- -i -s -y
(This pipes a script straight off the network into a root shell; download bootstrap.sh first, read it, then run it.)
SIFT 3.0
Complete the VM Build
1. Re-install VM Tools
2. Power off the VM
3. Edit the VM to add shared folders.
Create the shortcut
1. sudo apt-get install --no-install-recommends gnome-panel
2. sudo gnome-desktop-item-edit /usr/share/applications/ --create-new
1. In the Name field, type the application name: MantaRay
2. In the Command field: sudo /usr/share/mantaray/Tools/Python/Manta_Ray_Master_GUI.py
3. Change the icon to: /usr/share/mantaray/images/Mantaray_Artwork_Small.png
4. Save
In the Dash search field, type MantaRay, then drag the icon to the Unity launcher bar on the left.
Updating the SIFT
Open Update Manager, click “Check”
So what does it do?
Time Line Analysis
Open CEIC2014-MantaRay_2014-0324_16_36_30_504309_timeline_modules_split_xaa.csv
• Save the CSV as XLSX
• View -> Freeze Panes -> Freeze Top Row
• Home -> Sort & Filter -> Filter
• In the Full Name column, drop down Text Filters -> Contains -> accessdata
• Repeat with the second split file
Finding Malware on a Windows Box
Summary
•
Malware needs to survive a reboot, you know were to look
•
Malware can hide it’s date and time, you know were to look
•
You now know how to do some basic Dynamic Malware analysis
•
You learned that Excel is your friend
•
You learned how to use the time line feature of MantaRay/Sift
•
You learned that CEIC is pretty cool
Questions?
What is the guy doing on
the tank?
Contact Information
•
[email protected][email protected]