Finding Malware on a Windows Box
Transcription
Finding Malware on a Windows Box
Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Computer Kevin Murphy, Mantech International Dave Shaver, Mantech International www.encase.com/ceic Finding Malware on a Windows Box Session Description In this hands on lab, participants will examine a compromised Windows 8.1 computer and RAM capture to locate the malware. Along the way we will discuss various methods on automating some of the processes to locate malware faster. Page 2 Dave Shaver, ManTech International Kevin Murphy, ManTech International 1 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box DISCLAIMER • All views and ideas expressed here are our own and not of Mantech International or anyone else alive or dead. • There is no warrantee, expressed or implied on anything. • You should always validate your forensic tools • Remember, you will be on the stand, not us. Page 3 Finding Malware on a Windows Box Limitations on this presentation Only 90 minutes. 160+ people of varying skills What might be too complicated for some, might be too easy for others. I am going to try to walk a fine line. Finally, allow us to introduce ourselves. Page 4 Dave Shaver, ManTech International Kevin Murphy, ManTech International 2 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Malware basics What is malware? Is it a photo? Is it a text file? Is it an executable? Page 5 Finding Malware on a Windows Box Malware Basics How does malware get onto the machine? Unsecured servers Unwise actions of users (click here virus) First piece of malware is called a dropper. Small Designed to start the process, will get more files from other sites, then deletes itself ▫ Generally compromised websites (small companies) Page 6 Dave Shaver, ManTech International Kevin Murphy, ManTech International 3 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Malware Hiding in Plain or Not Plain Sight Normal hiding spots Recycle Bin Windows folder System Information folder User Appdata folder Program Files folder Program Data folder Page 7 Finding Malware on a Windows Box Malware Hiding in Plain or Not Plain Sight Renamed to blend in svchost.exe scvhost.exe rundll.exe (rund lower case L) rundII.exe (uppercase i ) Page 8 Dave Shaver, ManTech International Kevin Murphy, ManTech International 4 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Demo #1 – Hiding a folder in plain sight Create a hidden folder on your desktop 1. On you desktop, right click -> new -> folder 2. Right click on “new folder” -> Properties - > Customize 3. Change Icon -> Choose the blank image 4. In the General Tab, highlight “New Folder” 5. On the key pad (ensure num lock is on), 6. Hold the ALT KEY and press 0160 -> let go 7. Check “Hidden” 8. Click “OK” Page 9 Finding Malware on a Windows Box Page 10 Dave Shaver, ManTech International Kevin Murphy, ManTech International 5 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Malware Basics The files could be anywhere, however… It needs to survive a reboot! Something is starting the process. Find what starts it and pull the thread. Keep in mind, with Windows Vista and on, security has gotten better (UAC). A user might not have permission to install a program, so where does the malware go? It goes into the User’s profile. Page 11 Finding Malware on a Windows Box Altered Time and Date Stamps Evidence of timestamp altering NTFS is redundant and maintains (2) two sets of (4) four timestamps: Standard Information Attribute (SIA): Starting with File0, sweep 80. Then sweep 32 The date you see! ▫ Created ▫ Last Written ▫ Last Accessed ▫ Entry Modified File Name Attribute (FNA): Starting with File0, sweep 184. Then sweep 32 ▫ Created ▫ Last Written ▫ Last Accessed ▫ Entry Modified Page 12 Dave Shaver, ManTech International Kevin Murphy, ManTech International 6 Finding Malware on a Windows Computer 5/21/2014 Master Title Demo #2 – Finding altered time and date stamps Open EnCase Add the logical evidence file AOL.EXE Page 13 Finding Malware on a Windows Box Demo #2 – Finding altered time and date stamps What dates and times do you see? Page 14 Dave Shaver, ManTech International Kevin Murphy, ManTech International 7 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Demo #2 – Finding altered time and date stamps Verify in the $MFT • Open the $MFT, go to the record for aol.exe. • Remember (File Identifier * 1024) = File record • In this example: 66723840 Page 15 Finding Malware on a Windows Box These are the dates you see!! SIA Field Created Last Written Last Accessed Entry Modified Page 16 Dave Shaver, ManTech International Kevin Murphy, ManTech International 8 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box FNA Field Created Last Written Last Accessed Entry Modified Page 17 Finding Malware on a Windows Box Demo #2 – Finding altered time and date stamps MFT Date Comparator (V3.0.0) Page 18 Dave Shaver, ManTech International Kevin Murphy, ManTech International 9 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Altered Time Date Stamps - Automated Page 19 Finding Malware on a Windows Box Today’s Scenario Situation: • You work in the computer forensic shop of a large multinational company. One of the regional supervisors reports his computer was acting odd. Resources: • You have an EnCase image of the computer • You have a RAM Capture of the computer Goal: • Find the Malware. Page 20 Dave Shaver, ManTech International Kevin Murphy, ManTech International 10 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Keep in mind, Malware has to start somehow • First place to look? Autoruns! • What is the difference between the autoruns in the case processor and the encscipt? Page 21 Finding Malware on a Windows Box Case Processor (138 Locations) Page 22 Dave Shaver, ManTech International Kevin Murphy, ManTech International 11 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Enscript (172 Locations) Page 23 Finding Malware on a Windows Box Ok, I ran the autorun enscript, now what? • In the Comments column, look for the paths of programs Page 24 Dave Shaver, ManTech International Kevin Murphy, ManTech International 12 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box A closer look Page 25 Finding Malware on a Windows Box View the NTUSER.DAT • Software\Microsoft\Windows\CurrentVersion\Run\ Page 26 Dave Shaver, ManTech International Kevin Murphy, ManTech International 13 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Go look at the file Page 27 Finding Malware on a Windows Box Check the hash values of all the files Using Team Cymru • http://hash.cymru.com/ • http://www.team-cymru.org/Services/MHR/ • Install WinMHR Beta Setup.exe • Open WinMHR Beta Setup Page 28 Dave Shaver, ManTech International Kevin Murphy, ManTech International 14 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Share out those files (Remember this might be a bad idea) • On the folder Moh/AppData, right click • Device -> Share -> Mount as network share Page 29 Finding Malware on a Windows Box Running WinHMR • In WinHMR, at the bottom, choose Scan Folder • Navigate to the mounted share (Z Drive) Page 30 Dave Shaver, ManTech International Kevin Murphy, ManTech International 15 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Look at the results - Nothing Malicious • Results • So it’s all good, Right? Page 31 Finding Malware on a Windows Box Prefetch files • Prefetch are a Microsoft tool to make programs run faster • C:\Windows\Prefetch • File Created -> Date First Run • Last Written -> Date Last Run • Inside, you can learn the path, number of times runs • However in this case Page 32 Dave Shaver, ManTech International Kevin Murphy, ManTech International 16 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box EnCase Prefetch Enscript Page 33 Finding Malware on a Windows Box Dynamic Analysis • You located a suspect file, you want to see what it does when it runs. • Remember to run this in a controlled environment, as this could go badly for you Page 34 Dave Shaver, ManTech International Kevin Murphy, ManTech International 17 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Using Process Monitor for Dynamic Analysis • Open ProcMon • Click on the magnifying glass to start the collection • Launch the executable (FTK Imager V4.04.exe) • Wait 30-60 seconds • Click on the magnifying glass to stop the collection. Page 35 Finding Malware on a Windows Box Filter the Results • Click on the filter icon • Under “Display entries matching these”, select the following: • “Process Name”, “begins with”, FTK, include • Apply Page 36 Dave Shaver, ManTech International Kevin Murphy, ManTech International 18 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Review the Results • File -> Save -> .CSV • Open the file (AccessData ProcMon Log.CSV) Page 37 Finding Malware on a Windows Box Using Excel to Filter • Save the CSV as XLSX • View -> Freeze Panes -> Freeze Top Row • Home -> Sort & Filter -> Filter • In the Operation Column, drop down and select items you are interested in • TCP? • File Created? Page 38 Dave Shaver, ManTech International Kevin Murphy, ManTech International 19 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box A note on ProcMon • These filters are not all inclusive of what you might want to look for. • Start wide, filter only the known process name (file name of the malware). • Save as a .CSV and filter within Excel to locate what you are looking for. Page 39 Finding Malware on a Windows Box What to do, if the malware does not run • The malware might need another file to run • The malware was not designed to run in your test environment • You are not doing it right. • <INSERT ANOTHER REASON HERE> Page 40 Dave Shaver, ManTech International Kevin Murphy, ManTech International 20 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Virus Total Page 41 Finding Malware on a Windows Box Using RAM Using Volatility standalone (on a windows computer) https://code.google.com/p/volatility/ volatility-X.X.X.standalone -f <MEMORY FILE> --profile <PROFILE> <COMMAND> --outputfile=<OUTPUT FILE> Page 42 Dave Shaver, ManTech International Kevin Murphy, ManTech International 21 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Within Ram- PROCESS LISTINGS 1. PSLIST: Lists the identified processes, good to see what RAM sees, versus your OS 2. PSSCAN: Scan for hidden or terminated processes 3. PSTREE: Show processes in parent/child tree format 4. PSXVIEW: Cross reference processes with various lists (Why would a process not be listed in a process?) Page 43 Finding Malware on a Windows Box Within Ram- System Information 1. ENVARS: Display environment variables 2. GETSIDS: Display SIDs. Page 44 Dave Shaver, ManTech International Kevin Murphy, ManTech International 22 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Within Ram- Injected Code 1. Malfind 2. ldrmodules Page 45 Finding Malware on a Windows Box Automate the time line and other cool functions • MantaRay • SIFT Add-on, automates a lot of processes • FREE!!! • www.mantarayforensics.com Page 46 Dave Shaver, ManTech International Kevin Murphy, ManTech International 23 Finding Malware on a Windows Computer 5/21/2014 -s -y SIFT 3.0 How to Install MantaRay and SIFT 3.0 1. Download Ubuntu 12.04 2. Install it in a VM 3. Run these commands to update the OS? 1. sudo apt-get update 2. sudo apt-get dist-upgrade 4. Install the SIFT 3.0 (This will take a few minutes) 1. wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh | sudo sh -s -- -i -s -y Page 47 SIFT 3.0 Complete the VM Build 1. Re-install VM Tools 2. Power off the VM 3. Edit the VM to add shared folders. Page 48 Dave Shaver, ManTech International Kevin Murphy, ManTech International 24 Finding Malware on a Windows Computer 5/21/2014 SIFT 3.0 Create the shortcut 1. sudo apt-get install --no-install-recommends gnome-panel 2. sudo gnome-desktop-item-edit /usr/share/applications/ --create-new 1. In Name field type the Application name: MantaRay 2. In Command field: sudo /usr/share/mantaray/Tools/Python/Manta_Ray_Master_GUI.py 3. Change the icon to: usr/share/mantaray/images/Mantaray_Artwork_Small.png 4. Save Page 49 SIFT 3.0 Create the shortcut In Dash, in the search field, type MantaRay. Drag the icon to the unity bar on the left. Page 50 Dave Shaver, ManTech International Kevin Murphy, ManTech International 25 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Updating the SIFT Open Update Manager, click “Check” Page 51 SIFT 3.0 Page 52 Dave Shaver, ManTech International Kevin Murphy, ManTech International 26 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box So what does it do? Page 53 Finding Malware on a Windows Box Time Line Analysis Page 54 Dave Shaver, ManTech International Kevin Murphy, ManTech International 27 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Open CEIC2014-MantaRay_2014-0324_16_36_30_504309_timeline_modules_split_xaa.csv • Save the CSV as XLSX • View -> Freeze Panes -> Freeze Top Row • Home -> Sort & Filter -> Filter • In the Full Name Column, drop down Text Filters -> Contains -> accessdata • Repeat with the second Split file Page 55 Finding Malware on a Windows Box Summary • Malware needs to survive a reboot, you know were to look • Malware can hide it’s date and time, you know were to look • You now know how to do some basic Dynamic Malware analysis • You learned that Excel is your friend • You learned how to use the time line feature of MantaRay/Sift • You learned that CEIC is pretty cool Page 56 Dave Shaver, ManTech International Kevin Murphy, ManTech International 28 Finding Malware on a Windows Computer 5/21/2014 Finding Malware on a Windows Box Questions? What is the guy doing on the tank? Page 57 Finding Malware on a Windows Box Contact Information • [email protected] • [email protected] Page 58 Dave Shaver, ManTech International Kevin Murphy, ManTech International 29