Thursday, January 1, 2009

sticking out

Commonly, when an intrusion occurs, an attacker will leave behind various types of detritus. Oftentimes this is in the form of malware or a toolkit. In a recent compromise the attacker downloaded and left 80 MB of tools behind! This is admittedly not par for the course. Typically I'll see about 5-10 MB of detritus per incident. Identifying these files and classifying them is increasingly difficult. Consider the picture I've placed here. In a world where all items are of approximately the same color, this ball sticks out like an eyesore against the backdrop. Likewise, in a filesystem where the good files are known, an unknown file will stick out. Ah...if only that utopia existed. It can, if you invest in whitelisting a common build, but for most people out there that's just not reality. Unfortunately not only is identifying malware difficult, but what do you do with something you suspect of being malicious?

Suppose you are a technician checking out a system that you suspect has been compromised. You check with your antivirus program and fail to detect anything strange. However, you notice something looks out of place. You could submit the malware to your antivirus vendor of choice, but depending on your licensing you may not get a response for 4-8 hours. Imagine malware living in your intranet for 4-8 hours because your vendor is slow. Believe me when I say that makes for a long day if you've never had to do it.

You could also bypass your vendor, get results quickly, develop a solution and roll it out in the time the vendor is working on a new definition. How would you do this?

As far as identification goes, what options are available? There are of course the more well known websites for submission. These sites have been mentioned and used by many for a long time now:

That's all well and good. I use these sites with some regularity, and the results have been good to date. There are some other options that you may or may not be aware of when you want to determine the badness(TM) of a file. Many of us are familiar with NSRL and other hashing projects and we should all be familiar with hashes and hashing files. Our tools do this for us automagically when we process an image, and if not, it's easy enough to generate a hashlist of the files in an image.

Suppose for a second that you have a list of files and their hashes, such as one generated by FTK Imager's directory listing capability. Suppose you want to take this list and look for possible malware. You could spend an obscene amount of money on a particular tool that matches hashes, or you could try some of these options:

Virus total hash matching
Offensivecomputing hash search
Team Cymru malware hash registry

And what about web based malware such as Javascript or Flash?

You could try these tools and sites:
Iseclabs Wepawet (The people behind Anubis)

For a little fun let's take a test drive of the Cymru malware hash registry.

First I'll hash some files (90% of which are malware):
loki:~ hogfly$ md5 *.exe
MD5 (724L1_setup_e.exe) = 848c95260d147543eff2e2c15acb58f1
MD5 (BR165652.exe) = d77d96af740af6805abcb2c572a758ce
MD5 (BR165680.exe) = 31c1d83de1db1aa5a806434d81183d79
MD5 (DNC-P-Ver. = 518bcc3a6633dec8ceae3e0f02b4df60
MD5 (NATEON.exe) = af3c4884f690c48c115c8d9c55998141
MD5 (NVC.exe) = ee862735812241719960f2e069d99680
MD5 (abo.exe) = d2e23dbcbdd9a580b7897add524e4b09
MD5 (autorun.exe) = 3240c08878c7491b85b79c97db5c9204
MD5 (comrepl.exe) = 1d696a5dc70caa34d116344f50854d7f
MD5 (comrereg.exe) = 3619935460ddcb79f1ec9cc5710befc3
MD5 (dw8.exe) = f6da944f7c1ec3f0f8e6d673d9e9ff71
MD5 (envsetup.exe) = a1f8a82aad23a6b44cc92ee2eb1a10ef
MD5 (ff.exe) = 8a1b427981eecf67c60370b599c87dc6
MD5 (file.exe) = 107961dbceea53f729474b43c04302d4
MD5 (flvspeed.exe) = 45ce6d98337e4dba3e87d34adaf6d366
MD5 (hails.exe) = 5ebfe73e4fe237654a6bc07ed1712e7a
MD5 (hails2.exe) = 649d11e8d5676f0cee5c2a4a17f7e1a8
MD5 (index.exe) = 10980f4df2060b86a72eb5e533102980
MD5 (l07.exe) = 072ebc79aa1ff532c0d95f9a1ce4a395
MD5 (mfsl.exe) = 8fe25f71cbda9202995d74686eb5473e
MD5 (msdtc32.exe) = 205ca7ed3e6d8ae218c7fde2c50149f9
MD5 (net.exe) = c9c9a40e8a72907228e6a1bc9b5728ac
MD5 (net1.exe) = b8b857f3b5d8a8ef043fcf80120d0248
MD5 (omg.exe) = 654eef6ff6dbe666c1d9fd1f6049d525
MD5 (palzbn32.exe) = 28f02d257002221d367c0b43202c7a21
MD5 (pinyin.exe) = f9cbef1d67230b3845782b6fa11b976a
MD5 (rsscanner.exe) = a5953f3447a851f665702dd9afa63005
MD5 (scan.exe) = 29e20a4a5df73afee7acb3194f244b8e
MD5 (scann32.exe) = e464fb612104cc1da12c4d501cebe8df
MD5 (sss.exe) = 846790691b6f9717b9a1bf68e0bcd6e5

loki:~ hogfly$ whois -h 649d11e8d5676f0cee5c2a4a17f7e1a8
649d11e8d5676f0cee5c2a4a17f7e1a8 1224720131 31

loki:~ hogfly$ dig +short TXT
"1224720131 31"

loki:~ hogfly$ whois -h e464fb612104cc1da12c4d501cebe8df
e464fb612104cc1da12c4d501cebe8df 1221755478 25

So what do we have here? Two separate methods of doing a malware lookup (this is all explained on their site by the way). We simply feed them a hash and get back a Unix timestamp and the detection percentage for that piece of malware. The detection percentage is a bit behind the curve and not all that accurate, but I would argue that it doesn't matter that much considering it's in their database and registered as malware. That doesn't mean I wouldn't like to see those numbers updated more frequently though. Cymru does support sending a large list of hashes via netcat for comparison, and I suspect that will be the most useful method of analysis for many out there.
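To turn the manual whois/dig session above into something you can run over a whole directory of suspect files (or a hashlist exported from FTK Imager), here is an added Python example. It is not code from the original post or from Team Cymru. It assumes the published MHR conventions that the session output reflects: each digest is queried as a DNS name under malware.hash.cymru.com, a known hash answers with a TXT record of the form "<unix last-seen timestamp> <detection percentage>", an unknown hash returns no record, and the whois/netcat bulk form answers one "<hash> <timestamp> <percent>" line per hash. The zone name and the NO_DATA handling are assumptions taken from the service's documentation, not from the post.

```python
"""Batch triage of file hashes against the Team Cymru Malware Hash Registry (MHR).

Added example, not code from the original post or from Team Cymru. Assumes
the MHR conventions the post's whois/dig output shows: a query keyed on an
MD5 (or SHA-1) hex digest under malware.hash.cymru.com, and a TXT answer of
the form "<unix last-seen timestamp> <detection percentage>"; an unknown
hash yields no TXT record. The zone name is assumed from the public service.
"""
import hashlib
import os
import subprocess
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

MHR_ZONE = "malware.hash.cymru.com"   # assumed: the MHR DNS zone
MhrHit = Tuple[datetime, int]         # (last seen, detection percentage)
Resolver = Callable[[str], str]       # DNS name -> raw TXT answer ('' if none)


def hash_bytes(data: bytes, algo: str = "md5") -> str:
    """Hex digest of an in-memory buffer."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path: str, algo: str = "md5") -> str:
    """Stream a file through the digest so an 80 MB tool drop need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def mhr_query_name(digest: str) -> str:
    """DNS name to resolve for one digest, e.g. <md5>.malware.hash.cymru.com."""
    return f"{digest.strip().lower()}.{MHR_ZONE}"


def parse_mhr_txt(txt: str) -> Optional[MhrHit]:
    """Turn a TXT answer such as '"1224720131 31"' into (datetime, 31); '' means not listed."""
    body = txt.strip().strip('"')
    if not body:
        return None
    ts, pct = body.split()
    return datetime.fromtimestamp(int(ts), tz=timezone.utc), int(pct)


def parse_whois_line(line: str) -> Optional[Tuple[str, int, int]]:
    """Parse one line of the whois/netcat bulk form: '<hash> <timestamp> <percent>'."""
    parts = line.split()
    if len(parts) != 3 or not parts[1].isdigit():
        return None  # blank lines and the service's NO_DATA marker (assumed format)
    return parts[0].lower(), int(parts[1]), int(parts[2])


def dig_txt(name: str) -> str:
    """Default resolver: shell out to dig exactly as the post does; '' when no record."""
    proc = subprocess.run(["dig", "+short", "TXT", name],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout.strip()


def lookup_hashes(digests: List[str], resolver: Resolver = dig_txt) -> Dict[str, Optional[MhrHit]]:
    """Query the registry for each digest; None marks a hash the registry does not know."""
    return {d: parse_mhr_txt(resolver(mhr_query_name(d))) for d in digests}


def triage_directory(directory: str, resolver: Resolver = dig_txt) -> List[Tuple[str, str, Optional[MhrHit]]]:
    """Hash every regular file in a directory and return (path, md5, hit), listed files first."""
    rows = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            rows.append((path, hash_file(path)))
    hits = lookup_hashes([md5 for _, md5 in rows], resolver)
    report = [(path, md5, hits[md5]) for path, md5 in rows]
    # known-bad files first, highest detection percentage at the top
    report.sort(key=lambda r: (r[2] is None, -(r[2][1] if r[2] else 0)))
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, md5, hit in triage_directory(target):
        status = "not listed" if hit is None else f"listed {hit[0]:%Y-%m-%d}, {hit[1]}% detection"
        print(f"{md5}  {path}  {status}")
```

Run it with a directory of suspect files as its only argument; each live DNS query goes through dig, just as in the session above. The resolver is a plain function argument so the parsing logic can be exercised offline against recorded answers, and a hash that returns no record is reported as "not listed" rather than as clean: absence from the registry only means nobody has submitted that sample yet.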

For more active detection, if you've got about $25k I would strongly suggest you invest in a product called FireEye. I recently completed a demo of their product and all I can say is wow. I was most impressed. If you don't have the money for that you may want to try BotHunter.

Here's to hoping you can identify and prosecute the investigation of suspicious files a little faster this year.