Finding Malware on a Windows Box

Transcription

Finding Malware on a Windows Computer
5/21/2014
Kevin Murphy, Mantech International
Dave Shaver, Mantech International
www.encase.com/ceic
Session Description
In this hands on lab, participants will examine a
compromised Windows 8.1 computer and RAM capture to
locate the malware. Along the way we will discuss various
methods on automating some of the processes to locate
malware faster.
Page 2
Dave Shaver, ManTech International
Kevin Murphy, ManTech International
1
5/21/2014
DISCLAIMER
•
All views and ideas expressed here are our own and not
of Mantech International or anyone else alive or dead.
•
There is no warrantee, expressed or implied on anything.
•
You should always validate your forensic tools
•
Remember, you will be on the stand, not us.
Page 3
Limitations on this presentation
Only 90 minutes.
160+ people of varying skills
What might be too complicated for some, might be too easy
for others.
I am going to try to walk a fine line.
Finally, allow us to introduce ourselves.
Page 4
2
5/21/2014
Malware basics
What is malware?
Is it a photo?
Is it a text file?
Is it an executable?
Page 5
Malware Basics
How does malware get onto the machine?
Unsecured servers
Unwise actions of users (click here virus)
First piece of malware is called a dropper.
Small
Designed to start the process, will get more files from
other sites, then deletes itself
▫ Generally compromised websites (small companies)
Page 6
3
5/21/2014
Malware Hiding in Plain or Not Plain Sight
Normal hiding spots
Recycle Bin
Windows folder
System Information folder
User Appdata folder
Program Files folder
Program Data folder
Page 7
Malware Hiding in Plain or Not Plain Sight
Renamed to blend in
svchost.exe
scvhost.exe
rundll.exe (rund lower case L)
rundII.exe (uppercase i )
Page 8
4
5/21/2014
Demo #1 – Hiding a folder in plain sight
Create a hidden folder on your desktop
1. On you desktop, right click -> new -> folder
2. Right click on “new folder” -> Properties - > Customize
3. Change Icon -> Choose the blank image
4. In the General Tab, highlight “New Folder”
5. On the key pad (ensure num lock is on),
6. Hold the ALT KEY and press 0160 -> let go
7. Check “Hidden”
8. Click “OK”
Page 9
Page 10
5
5/21/2014
Malware Basics
The files could be anywhere, however…
It needs to survive a reboot!
Something is starting the process.
Find what starts it and pull the thread.
Keep in mind, with Windows Vista and on, security has gotten better (UAC). A user might
not have permission to install a program, so where does the malware go?
It goes into the User’s profile.
Page 11
Altered Time and Date Stamps
Evidence of timestamp altering
NTFS is redundant and maintains (2) two sets of (4) four timestamps:
Standard Information Attribute (SIA): Starting with File0, sweep 80. Then sweep 32
The date you see!
▫
Created
▫
Last Written
▫
Last Accessed
▫
Entry Modified
File Name Attribute (FNA): Starting with File0, sweep 184. Then sweep 32
▫
Created
▫
Last Written
▫
Last Accessed
▫
Entry Modified
Page 12
6
5/21/2014
Master Title
Demo #2 – Finding altered time and date stamps
Open EnCase
Add the logical evidence file AOL.EXE
Page 13
What dates and times do you see?
Page 14
7
5/21/2014
Verify in the $MFT
•
Open the $MFT, go to the record for aol.exe.
•
Remember (File Identifier * 1024) = File record
•
In this example: 66723840
Page 15
These are the dates you see!!
SIA Field
Created
Last Written
Last Accessed
Entry Modified
Page 16
8
5/21/2014
FNA Field
Created
Last Written
Last Accessed
Entry Modified
Page 17
MFT Date Comparator (V3.0.0)
Page 18
9
5/21/2014
Altered Time Date Stamps - Automated
Page 19
Today’s Scenario
Situation:
•
You work in the computer forensic shop of a large multinational company. One of the
regional supervisors reports his computer was acting odd.
Resources:
•
You have an EnCase image of the computer
•
You have a RAM Capture of the computer
Goal:
•
Find the Malware.
Page 20
10
5/21/2014
Keep in mind, Malware has to start somehow
•
First place to look?
Autoruns!
•
What is the difference between the autoruns in the case
processor and the encscipt?
Page 21
Case Processor (138 Locations)
Page 22
11
5/21/2014
Enscript (172 Locations)
Page 23
Ok, I ran the autorun enscript, now what?
•
In the Comments column, look for the paths of programs
Page 24
12
5/21/2014
A closer look
Page 25
View the NTUSER.DAT
•
Software\Microsoft\Windows\CurrentVersion\Run\
Page 26
13
5/21/2014
Go look at the file
Page 27
Check the hash values of all the files Using Team Cymru
•
http://hash.cymru.com/
•
http://www.team-cymru.org/Services/MHR/
•
Install WinMHR Beta Setup.exe
•
Open WinMHR Beta Setup
Page 28
14
5/21/2014
Share out those files (Remember this might be a bad idea)
•
On the folder Moh/AppData, right click
•
Device -> Share -> Mount as network share
Page 29
Running WinHMR
•
In WinHMR, at the bottom, choose Scan Folder
•
Navigate to the mounted share (Z Drive)
Page 30
15
5/21/2014
Look at the results - Nothing Malicious
•
Results
•
So it’s all good, Right?
Page 31
Prefetch files
•
Prefetch are a Microsoft tool to make programs run faster
•
C:\Windows\Prefetch
•
File Created -> Date First Run
•
Last Written -> Date Last Run
•
Inside, you can learn the path, number of times runs
•
However in this case
Page 32
16
5/21/2014
EnCase Prefetch Enscript
Page 33
Dynamic Analysis
•
You located a suspect file, you want to
see what it does when it runs.
•
Remember to run this in a controlled
environment, as this could go badly
for you
Page 34
17
5/21/2014
Using Process Monitor for Dynamic Analysis
•
Open ProcMon
•
Click on the magnifying glass to start the collection
•
Launch the executable (FTK Imager V4.04.exe)
•
Wait 30-60 seconds
•
Click on the magnifying glass to stop the collection.
Page 35
Filter the Results
•
Click on the filter icon
•
Under “Display entries matching these”, select the following:
•
“Process Name”, “begins with”, FTK, include
•
Apply
Page 36
18
5/21/2014
Review the Results
•
File -> Save -> .CSV
•
Open the file (AccessData ProcMon Log.CSV)
Page 37
Using Excel to Filter
•
Save the CSV as XLSX
•
View -> Freeze Panes -> Freeze Top Row
•
Home -> Sort & Filter -> Filter
•
In the Operation Column, drop down and select items you
are interested in
•
TCP?
•
File Created?
Page 38
19
5/21/2014
A note on ProcMon
•
These filters are not all inclusive of what you might want
to look for.
•
Start wide, filter only the known process name (file name
of the malware).
•
Save as a .CSV and filter within Excel to locate what you
are looking for.
Page 39
What to do, if the malware does not run
•
The malware might need another file to run
•
The malware was not designed to run in your test
environment
•
You are not doing it right.
•
<INSERT ANOTHER REASON HERE>
Page 40
20
5/21/2014
Virus Total
Page 41
Using RAM
Using Volatility standalone (on a windows computer)
https://code.google.com/p/volatility/
volatility-X.X.X.standalone -f <MEMORY FILE> --profile <PROFILE> <COMMAND> --outputfile=<OUTPUT FILE>
Page 42
21
5/21/2014
Within Ram- PROCESS LISTINGS
1. PSLIST: Lists the identified processes, good to see what RAM sees, versus your OS
2. PSSCAN: Scan for hidden or terminated processes
3. PSTREE: Show processes in parent/child tree format
4. PSXVIEW: Cross reference processes with various lists (Why would a process not be
listed in a process?)
Page 43
Within Ram- System Information
1. ENVARS: Display environment variables
2. GETSIDS: Display SIDs.
Page 44
22
5/21/2014
Within Ram- Injected Code
1. Malfind
2. ldrmodules
Page 45
Automate the time line and other cool functions
•
MantaRay
•
SIFT Add-on, automates a lot of processes
•
FREE!!!
•
www.mantarayforensics.com
Page 46
23
5/21/2014
-s -y
SIFT 3.0
How to Install MantaRay and SIFT 3.0
1. Download Ubuntu 12.04
2. Install it in a VM
3. Run these commands to update the OS?
1. sudo apt-get update
2. sudo apt-get dist-upgrade
4. Install the SIFT 3.0 (This will take a few minutes)
1.
wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo sh -s -- -i -s -y
Page 47
SIFT 3.0
Complete the VM Build
1. Re-install VM Tools
2. Power off the VM
3. Edit the VM to add shared folders.
Page 48
24
5/21/2014
SIFT 3.0
Create the shortcut
1. sudo apt-get install --no-install-recommends gnome-panel
2. sudo gnome-desktop-item-edit /usr/share/applications/ --create-new
1. In Name field type the Application name: MantaRay
2. In Command field: sudo /usr/share/mantaray/Tools/Python/Manta_Ray_Master_GUI.py
3. Change the icon to: usr/share/mantaray/images/Mantaray_Artwork_Small.png
4. Save
Page 49
SIFT 3.0
Create the shortcut
In Dash, in the search field, type MantaRay. Drag the icon to the unity bar on the left.
Page 50
25
5/21/2014
Updating the SIFT
Open Update Manager, click “Check”
Page 51
SIFT 3.0
Page 52
26
5/21/2014
So what does it do?
Page 53
Time Line Analysis
Page 54
27
5/21/2014
Open CEIC2014-MantaRay_2014-0324_16_36_30_504309_timeline_modules_split_xaa.csv
•
Save the CSV as XLSX
•
View -> Freeze Panes -> Freeze Top Row
•
Home -> Sort & Filter -> Filter
•
In the Full Name Column, drop down Text Filters -> Contains -> accessdata
•
Repeat with the second Split file
Page 55
Summary
•
Malware needs to survive a reboot, you know were to look
•
Malware can hide it’s date and time, you know were to look
•
You now know how to do some basic Dynamic Malware analysis
•
You learned that Excel is your friend
•
You learned how to use the time line feature of MantaRay/Sift
•
You learned that CEIC is pretty cool
Page 56
28
5/21/2014
Questions?
What is the guy doing on
the tank?
Page 57
Contact Information
•
[email protected]
•
[email protected]
Page 58
29

Finding Malware on a Windows Box

Transcription

Similar documents

Slides

Evasive Tactics: Terminator RAT | FireEye Blog

Shut the Front Door (and the Back Door too)

Safe Christmas - Panda Security

Albert Kramer Technical Director Trend Micro

PCMM_Broch_MASTER_NETWORKING copy.indd

JPO MRAP and Army Route Clearance Program

Misery from Social Media (and other thoughts)

What We`ve Seen in Q2 2015