Wednesday, April 8, 2009

DNS poisoning - visually

Notice anything wrong with this picture?



The real question is, would one of the hundreds of millions of internet users notice anything wrong with this picture, or would they just think that an online pharmacy was hawking their crap (I mean advertising) on amazon.com?



Let's take a packet level look at this shall we?
192.168.30.128 is my host that's infected with Tidserv.G.

I opened Internet Explorer here.
22:26:00.658521 IP 192.168.30.128.1025 > 85.255.112.229.53: 59534+ A? ie.search.msn.com. (35)
22:26:00.692644 IP 85.255.112.229.53 > 192.168.30.128.1025: 59534 1/0/0 A 194.126.101.166 (51)

Look at the supposed A record. Who is that? *Hint* it's not msn.

inetnum: 194.126.101.0 - 194.126.101.255
netname: EE-ESTPAK
descr: backbone and servers
descr: Sole 14
descr: Tallinn
descr: Estpak Data/Estonian Telephone Co
country: EE
admin-c: ET332-RIPE
tech-c: ET332-RIPE
rev-srv: dns.estpak.ee
rev-srv: dns2.estpak.ee
status: ASSIGNED PA
mnt-by: ESTPAK-MNT
source: RIPE # Filtered

Maybe that's why this happened to a previously working IE instance when I tried to do a 'live' search?




What about other domains?

22:28:39.238470 IP 192.168.30.128.1038 > 85.255.112.229.53: 15535+ A? www.googleadservices.com. (42)
22:28:40.225710 IP 192.168.30.128.1038 > 85.255.112.140.53: 15535+ A? www.googleadservices.com. (42)
22:28:40.249730 IP 85.255.112.140.53 > 192.168.30.128.1038: 15535* 1/0/0 A 67.210.14.103 (58)
22:28:40.297489 IP 192.168.30.128.1038 > 85.255.112.140.53: 47016+ A? js.doubleclick.net. (36)
22:28:40.321746 IP 85.255.112.140.53 > 192.168.30.128.1038: 47016 1/0/0 A 67.210.14.81 (52)
22:28:41.477518 IP 192.168.30.128.1038 > 85.255.112.140.53: 8873+ A? info-feed.com. (31)
22:28:41.502943 IP 85.255.112.140.53 > 192.168.30.128.1038: 8873 1/0/0 A 67.210.14.81 (47)
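The two traces above contain the whole detection story: a client talking to a resolver it was never configured to use, and that resolver handing back A records for well-known names that belong to somebody else. Here is that check written out as a small detector over tcpdump's one-line DNS summary format. This is an added example, not code from the original post; it assumes a site resolver of 192.168.30.2 (hypothetical) and treats the 85.255.xxx.xxx range named in the post as the known rogue range. The sample lines are constructed: the 192.168.30.128 lines reproduce the traces above, and the 192.168.30.77 lookup is added as a benign contrast.

```python
"""Flag DNS traffic symptomatic of a DNSChanger-style infection in tcpdump's
one-line DNS summary format.  Added example, not code from the original post.
Assumptions (not stated in the post): the site's only authorized resolver is
192.168.30.2; everything else a client talks to on udp/53 is suspect."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample.  The 192.168.30.128 lines reproduce the traces in the
# post; the 192.168.30.77 lines are a benign lookup added for contrast.
SAMPLE = """\
22:26:00.658521 IP 192.168.30.128.1025 > 85.255.112.229.53: 59534+ A? ie.search.msn.com. (35)
22:26:00.692644 IP 85.255.112.229.53 > 192.168.30.128.1025: 59534 1/0/0 A 194.126.101.166 (51)
22:27:10.100000 IP 192.168.30.77.3421 > 192.168.30.2.53: 1001+ A? www.example.com. (33)
22:27:10.120000 IP 192.168.30.2.53 > 192.168.30.77.3421: 1001 1/0/0 A 192.0.2.10 (49)
22:28:39.238470 IP 192.168.30.128.1038 > 85.255.112.229.53: 15535+ A? www.googleadservices.com. (42)
22:28:40.225710 IP 192.168.30.128.1038 > 85.255.112.140.53: 15535+ A? www.googleadservices.com. (42)
22:28:40.249730 IP 85.255.112.140.53 > 192.168.30.128.1038: 15535* 1/0/0 A 67.210.14.103 (58)
22:28:40.297489 IP 192.168.30.128.1038 > 85.255.112.140.53: 47016+ A? js.doubleclick.net. (36)
22:28:40.321746 IP 85.255.112.140.53 > 192.168.30.128.1038: 47016 1/0/0 A 67.210.14.81 (52)
"""

AUTHORIZED_RESOLVERS = {"192.168.30.2"}              # assumption for this example
KNOWN_ROGUE = ipaddress.ip_network("85.255.0.0/16")  # the 85.255.xxx.xxx range from the post

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
QUERY_RE = re.compile(
    rf"^\S+ IP (?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.53: "
    rf"(?P<txid>\d+)\+ A\? (?P<name>\S+) \(\d+\)$")
# The optional '*' after the transaction id is tcpdump's authoritative-answer flag.
ANSWER_RE = re.compile(
    rf"^\S+ IP (?P<src>{IP})\.53 > (?P<dst>{IP})\.(?P<dport>\d+): "
    rf"(?P<txid>\d+)\*? \d+/\d+/\d+ A (?P<addr>{IP}) \(\d+\)$")


def analyze(capture):
    """Return, per client that bypassed the authorized resolver, the rogue
    resolvers it used and the (name, address) answers they handed back."""
    pending = {}                       # (client, port, txid) -> queried name
    findings = defaultdict(lambda: {"resolvers": set(), "answers": []})
    for line in capture.splitlines():
        q = QUERY_RE.match(line)
        if q:
            if q["dst"] in AUTHORIZED_RESOLVERS:
                continue               # normal lookup, nothing to record
            findings[q["src"]]["resolvers"].add(q["dst"])
            pending[(q["src"], q["sport"], q["txid"])] = q["name"].rstrip(".")
            continue
        a = ANSWER_RE.match(line)
        if a and a["src"] not in AUTHORIZED_RESOLVERS:
            # Match the answer to its query by client, port and transaction id.
            name = pending.pop((a["dst"], a["dport"], a["txid"]), None)
            if name is not None:
                findings[a["dst"]]["answers"].append((name, a["addr"]))
    return {
        client: {
            "resolvers": sorted(rec["resolvers"]),
            "known_rogue": any(ipaddress.ip_address(r) in KNOWN_ROGUE
                               for r in rec["resolvers"]),
            "answers": rec["answers"],
        }
        for client, rec in findings.items()
    }


if __name__ == "__main__":
    for client, rec in analyze(SAMPLE).items():
        print(f"{client}: resolvers {rec['resolvers']} "
              f"(known rogue range: {rec['known_rogue']})")
        for name, addr in rec["answers"]:
            print(f"  {name} -> {addr}   <- run whois on this address")
```

The output is deliberately a list of (name, address) pairs rather than a verdict: the last step in the post, asking whois who owns 194.126.101.166, is still the analyst's job, and the detector only makes sure every answer that came from an unauthorized resolver gets asked about.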


Here's a first-hand look at what happens when DNS is poisoned. No mic on my workstation so you'll just have to watch.


Monday, April 6, 2009

Digital DNA

You may or may not have heard of it yet, but HBGary has added an exciting new feature to their Responder Pro product called Digital DNA. I'm still in the process of learning more about it but I'll try to summarize it.

Malware has components that constitute its existence. Much like a person, these components are traits that are inherited upon creation. In the malware sense, traits are inherited through programming behaviors that, generally speaking, can't be avoided if you wish to achieve a specific goal. Keyloggers, rootkits, droppers, process injection and so on all have modes of operation that can be identified. Not in the sense of a traditional signature but more in the sense of a behavioral signature. The individual characteristics don't matter as much here.

Generally speaking, a specific piece of malware has several traits that make it malicious and define its individual behaviors. These class characteristics, when applied to the individual malware specimen, become a series of individual characteristics, or a DNA chain. This DNA chain can then be used to identify the software as malicious in nature.

So let me clarify before continuing.

A piece of malware is installed on a computer. It
a) opens a backdoor
b) hides processes
c) injects itself in to a running process
d) speaks HTTP
e) logs keystrokes

These are all class characteristics of malware. They are non-specific in nature, yet they are indicative of malicious behaviors. Taken individually, they are innocuous. Taken together they are a problem. Taken together, they form a DNA chain that can be used to identify potentially malicious processes on your computer. You can take my word for it, or check out these screen shots of it.

The following image was taken from malware that is identified by 11/39 on Virustotal.



And here's what an Infostealer looks like



And it's then simple to go from that to this:


and then this:



Malware identification and analysis just got that much easier.

Friday, April 3, 2009

DNS poisoning - What is it good for?

This really should be two posts but sometimes thoughts just flow. Pay close attention to the end of the post.


In a recent post I showed a little bit about Tidserv.G and made it available for analysis. One of the fun features of this and other malware like it is that it poisons DNS. The biggest question to date is "Why?" The second question is "What are they doing?" Throughout this post there will be threat intelligence for you.

For background on the problem start here:
Security Fix

I'm going to attempt to explain it a little further. Brian Krebs says in his article that "[...]But the authors of DNSChanger appear to have instead chosen a more low-key approach: Machines infected with DNSChanger will seem to only merely have a small subset of their Web searches hijacked."

Granted his article is now a few months old. So, what's new?

First let me explain what this variant actually does.


1) It gets downloaded as a fake codec from the RBN marketing and advertising department in Latvia hosted here. One could reasonably state that if you're downloading fake codecs, you're watching videos you shouldn't be. Remember that The internet is for porn.

2) It proceeds to poison the DNS configuration of the local host to point DNS to the Ukraine hosted here. So if you were to check the DNS configuration of the infected host you'd see 85.255.xxx.xxx for the nameservers. This host then immediately sends an HTTP POST to 94.247.2.107 with a string 'POST /cgi-bin/generator'. This is the check-in to let the bad guys know they've got another poisoner out there in the wild.

Now here's something the vendors don't tell you.
It also sends out another HTTP POST to the same host in the form of:
POST /adc.php to 94.247.2.107
POST /clk.php to 94.247.2.107

The adc.php POST uses HTTP/1.0 whereas the clk.php POST uses HTTP/1.1. The user agent string for both is: Mozilla/4.0 Compatible; MSIE 6.0; Windows NT 5.1; SV1;

3) It then begins a routine to snoop DHCP requests and provide DHCP addresses to hosts in the local broadcast domain. You'll likely see some gratuitous ARPing on the subnet when this occurs. It commonly fails to provide the real IP address to the requesting host, so you'll see IP hopping occur on the network. In addition, any DHCP leases handed out by this system will provide DNS addresses of:
  • 64.86.133.51 (primary)
  • 63.243.173.162 (secondary)
These IPs are actually hosts in Canada.

So, if you see IPs in a subnet making DNS queries to Canada, look for the host sending DNS queries to the Ukraine and you'll find the poisoner. The leases last for one hour (not sure I understand why they chose an hour, unless they're building up their backend and want the poisoned hosts to get different nameservers more frequently).
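Everything step 3 describes lives in the options of the DHCP reply: option 54 (server identifier) names the poisoner, option 51 carries the one-hour lease, and option 6 carries the two Canadian resolvers. The parser below pulls those fields out of a raw DHCP packet and scores the lease against what the network is supposed to hand out. It is an added example, not code from the original post; the authorized DHCP server (192.168.30.1) and resolver (192.168.30.2) are hypothetical, and the DHCPACK is constructed inline with the infected host from the post, 192.168.30.128, playing the rogue server. It handles PAD bytes, repeated option codes and truncated packets, which a capture from a misbehaving rogue server will produce.

```python
"""Parse a DHCP reply and judge whether the lease came from a rogue server.
Added example, not code from the original post.  Assumptions (not in the post):
the legitimate DHCP server is 192.168.30.1 and the legitimate resolver is
192.168.30.2; the sample packet is constructed here, with the infected host
from the post (192.168.30.128) playing the rogue server."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie after the 236-byte BOOTP header
AUTHORIZED_DHCP_SERVERS = {"192.168.30.1"}   # assumption
AUTHORIZED_DNS = {"192.168.30.2"}            # assumption
ROGUE_DNS_FROM_POST = {"64.86.133.51", "63.243.173.162"}


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def _ips(raw):
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def parse_dhcp(pkt):
    """Decode the fixed BOOTP fields and the option TLVs a rogue-DHCP hunt needs."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                      # END
            break
        if code == 0:                        # PAD: single byte, no length
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeated codes concatenate
        i += 2 + length
    else:
        raise ValueError("options not terminated by END")
    return {
        "op": op,
        "xid": xid,
        "chaddr": ":".join(f"{b:02x}" for b in pkt[28:28 + hlen]),
        "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
        "msg_type": opts[53][0] if 53 in opts else None,
        "server_id": _ips(opts[54])[0] if 54 in opts else None,
        "lease_seconds": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
        "router": _ips(opts[3]) if 3 in opts else [],
        "dns": _ips(opts[6]) if 6 in opts else [],
    }


def assess(lease):
    """Return the reasons a lease looks like it came from a poisoner (empty if clean)."""
    reasons = []
    if lease["server_id"] not in AUTHORIZED_DHCP_SERVERS:
        reasons.append(f"DHCP server {lease['server_id']} is not an authorized server")
    unauthorized = [d for d in lease["dns"] if d not in AUTHORIZED_DNS]
    if unauthorized:
        reasons.append(f"lease hands out unauthorized DNS servers {unauthorized}")
    if set(lease["dns"]) & ROGUE_DNS_FROM_POST:
        reasons.append("DNS servers match the resolvers the Tidserv rogue DHCP server hands out")
    return reasons


def _opt(code, value):
    return bytes([code, len(value)]) + value


def build_sample_ack():
    """Constructed DHCPACK as the infected host would send it (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op=BOOTREPLY, ethernet
    hdr += bytes(4) + _ip("192.168.30.77") + _ip("192.168.30.128") + bytes(4)  # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10)                  # chaddr padded to 16 bytes
    hdr += bytes(64) + bytes(128)                                     # sname, file
    opts = (_opt(53, b"\x05")                                         # DHCPACK
            + _opt(54, _ip("192.168.30.128"))                          # server identifier = the poisoner
            + _opt(51, struct.pack("!I", 3600))                        # one-hour lease, as in the post
            + _opt(1, _ip("255.255.255.0"))
            + _opt(3, _ip("192.168.30.1"))
            + _opt(6, _ip("64.86.133.51") + _ip("63.243.173.162"))    # the two Canadian resolvers
            + b"\x00\xff")                                             # a PAD byte, then END
    return hdr + MAGIC + opts


if __name__ == "__main__":
    lease = parse_dhcp(build_sample_ack())
    print(lease)
    for reason in assess(lease):
        print("!!", reason)
```

On a live network the same function would be fed the payload of every udp/67 reply seen by a span port; a server identifier that is not your DHCP server is the poisoner the post tells you to go looking for, and you get its MAC from chaddr-side bookkeeping on the request rather than from the rogue's reply.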

Seems rather straightforward right?

So, once DNS is poisoned, what happens?

Here's where things get interesting.

Let's say you're browsing the tubes and you visit amazon.com. Amazon, just like many other sites will show advertisements on the side and top of the page. These ads tend to be served by doubleclick.net. In the case of Tidserv, ads are not served by doubleclick, they are served by Internet Path/Cernel. But that's not all. They are also redirecting googleadservices, so any site using googleadservices will also have ads served by this group.

Some of the domains embedded in the binary:
search.yahoo.com
search.aol.com
search.live.com
search.msn.com
search.icq.com
wzus1.ask.com
wikimedia
opselect.com
o.aolcdn.com
rds.yahoo
revsci.net
microsoft
hotmail
digitalcity
atwola
atdmt
amazon.com
altavista.com
alltheweb.com
wikipedia.com
youtube.com
yimg.com

There's even a typo: saerch.aol

So to clarify, if you're infected and browsing the web, and you visit these sites or search engines etc., expect to see fake ads that will generate revenue for the criminals living in Eastern Europe.

Here's one more thing your Antivirus vendor isn't telling you:
The worm spreads by copying itself to all drive letters available on the compromised computer, including removable drives and mapped network shares[...].

What it really does:
It spreads through mapped drives, spreads by brute forcing network shares, and also brute forces network devices.

What's the remote IP you ask? Why it's 93.188.166.4
Where is it you ask?

Non-authoritative answer:
4.166.188.93.in-addr.arpa name = 93.188.166.4.static.ukrtelegroup.com.ua.

Yeah, that's the Ukraine.

Check exemplar18 yourself. Here's the strings dump from the .tmp file:

This was extracted through HBGary Responder Pro.


Package Offset String
tempo-447187.tmp 0x000021E9 hTF*
tempo-447187.tmp 0x000041D4 !root:
tempo-447187.tmp 0x00007720 %
tempo-447187.tmp 0x000070F4 %
tempo-447187.tmp 0x000030A0 %d.%dA%X%X%X%X
tempo-447187.tmp 0x0000475C %s;%d;%d;%d

tempo-447187.tmp 0x00004710 %wZ
tempo-447187.tmp 0x00000238 .reloc
tempo-447187.tmp 0x000001C0 .text
tempo-447187.tmp 0x000047A4 /control/abrute.php
tempo-447187.tmp 0x0000478C /control/acontrol.php
tempo-447187.tmp 0x00004774 /control/aoffline.php
tempo-447187.tmp 0x00003110 /dlink/hwiz.html
tempo-447187.tmp 0x00003100 /home.asp
tempo-447187.tmp 0x00003124 /index.asp
tempo-447187.tmp 0x000030F4 /wizard.htm
tempo-447187.tmp 0x000040CC :_Cisco
tempo-447187.tmp 0x00004184 :1064
tempo-447187.tmp 0x0000417C :1234
tempo-447187.tmp 0x00004174 :12345
tempo-447187.tmp 0x00004168 :1234admin
tempo-447187.tmp 0x00004160 :3477
tempo-447187.tmp 0x00004154 :3ascotel
tempo-447187.tmp 0x00004148 :4getme2
tempo-447187.tmp 0x00004140 :9999
tempo-447187.tmp 0x000040C4 :access
tempo-447187.tmp 0x000040BC :admin
tempo-447187.tmp 0x00003FFC :administrator
tempo-447187.tmp 0x000040B4 :ascend
tempo-447187.tmp 0x000040AC :atc123
tempo-447187.tmp 0x00004138 :BRIDGE
tempo-447187.tmp 0x000040A4 :cisco
tempo-447187.tmp 0x00004130 :Cisco
tempo-447187.tmp 0x00004098 :connect
tempo-447187.tmp 0x0000408C :default
tempo-447187.tmp 0x00004084 :enter
tempo-447187.tmp 0x00004078 :epicrouter
tempo-447187.tmp 0x00004070 :help
tempo-447187.tmp 0x00004064 :hs7mwxkk
tempo-447187.tmp 0x00004128 :Intel
tempo-447187.tmp 0x00004058 :letmein
tempo-447187.tmp 0x00004050 :medion
tempo-447187.tmp 0x00004048 :nokia
tempo-447187.tmp 0x0000403C :password
tempo-447187.tmp 0x0000411C :PASSWORD
tempo-447187.tmp 0x00004034 :pento
tempo-447187.tmp 0x0000402C :public
tempo-447187.tmp 0x00004024 :secret
tempo-447187.tmp 0x00004018 :sitecom
tempo-447187.tmp 0x0000400C :smcadmin
tempo-447187.tmp 0x00004114 :SMDR
tempo-447187.tmp 0x00003FF0 :speedxess
tempo-447187.tmp 0x0000410C :SUPER
tempo-447187.tmp 0x00004104 :Symbol
tempo-447187.tmp 0x00003FE8 :sysadm
tempo-447187.tmp 0x00003FE0 :system
tempo-447187.tmp 0x000040F8 :TANDBERG
tempo-447187.tmp 0x000040D4 :Telecom
tempo-447187.tmp 0x000040E0 :TENmanUFactOryPOWER
tempo-447187.tmp 0x0000020F @.data
tempo-447187.tmp 0x00004A54 _snprintf
tempo-447187.tmp 0x000001E7 `.rdata
tempo-447187.tmp 0x000041B8 11111:x-admin
tempo-447187.tmp 0x0000460C 1234:1234
tempo-447187.tmp 0x000041A0 1500:and 2000 Series
tempo-447187.tmp 0x00004194 1502:1502
tempo-447187.tmp 0x00004714 93.188.166.4
tempo-447187.tmp 0x000039E8 aaa:often blank
tempo-447187.tmp 0x000030B0 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
tempo-447187.tmp 0x0000464C admin:
tempo-447187.tmp 0x00003F7C Admin:
tempo-447187.tmp 0x00004604 admin:0
tempo-447187.tmp 0x000045F8 admin:1111
tempo-447187.tmp 0x000045EC admin:123
tempo-447187.tmp 0x000045E0 admin:1234
tempo-447187.tmp 0x000045D4 admin:12345
tempo-447187.tmp 0x00004634 admin:123456
tempo-447187.tmp 0x00003F6C Admin:123456
tempo-447187.tmp 0x000045C4 admin:1234admin
tempo-447187.tmp 0x000045B8 admin:2222
tempo-447187.tmp 0x000045AC admin:22222
tempo-447187.tmp 0x00004510 admin:access
tempo-447187.tmp 0x00004618 admin:admin
tempo-447187.tmp 0x00003F60 Admin:admin
tempo-447187.tmp 0x00004500 admin:admin123
tempo-447187.tmp 0x000044EC admin:administrator
tempo-447187.tmp 0x000044D8 admin:adslolitec
tempo-447187.tmp 0x000044C8 admin:adslroot
tempo-447187.tmp 0x000044B8 admin:articon
tempo-447187.tmp 0x000044A8 admin:asante
tempo-447187.tmp 0x0000459C admin:Ascend
tempo-447187.tmp 0x0000449C admin:asd
tempo-447187.tmp 0x0000448C admin:atlantis
tempo-447187.tmp 0x0000447C admin:barricade
tempo-447187.tmp 0x0000446C admin:bintec
tempo-447187.tmp 0x0000445C admin:changeme
tempo-447187.tmp 0x0000444C admin:comcomcom
tempo-447187.tmp 0x0000443C admin:default
tempo-447187.tmp 0x0000442C admin:draadloos
tempo-447187.tmp 0x00004418 admin:epicrouter
tempo-447187.tmp 0x00004408 admin:extendnet
tempo-447187.tmp 0x000043F8 admin:hagpolm1
tempo-447187.tmp 0x000043EC admin:hello
tempo-447187.tmp 0x000043DC admin:hp.com
tempo-447187.tmp 0x000043CC admin:imss7.0
tempo-447187.tmp 0x000043BC admin:ironport
tempo-447187.tmp 0x000043B0 admin:isee
tempo-447187.tmp 0x000043A0 admin:leviton
tempo-447187.tmp 0x00004394 admin:linga
tempo-447187.tmp 0x00004380 admin:michelangelo
tempo-447187.tmp 0x0000436C admin:microbusiness
tempo-447187.tmp 0x0000435C admin:motorola
tempo-447187.tmp 0x00004350 admin:mu
tempo-447187.tmp 0x00004340 admin:my_DEMARC
tempo-447187.tmp 0x00004330 admin:netadmin
tempo-447187.tmp 0x0000458C admin:NetCache
tempo-447187.tmp 0x00004578 admin:NetSurvibox
tempo-447187.tmp 0x00004324 admin:noway
tempo-447187.tmp 0x0000456C admin:OCS
tempo-447187.tmp 0x0000455C admin:OkiLAN
tempo-447187.tmp 0x00004314 admin:operator
tempo-447187.tmp 0x0000454C admin:P@55w0rd!
tempo-447187.tmp 0x00004624 admin:password
tempo-447187.tmp 0x0000453C admin:Password
tempo-447187.tmp 0x00004304 admin:passwort
tempo-447187.tmp 0x000042F4 admin:pfsense
tempo-447187.tmp 0x0000452C admin:Protector
tempo-447187.tmp 0x000042E4 admin:rmnetlm
tempo-447187.tmp 0x000042D4 admin:secure
tempo-447187.tmp 0x000042C8 admin:setup
tempo-447187.tmp 0x00004520 admin:Sharp
tempo-447187.tmp 0x000042B4 admin:smallbusiness
tempo-447187.tmp 0x000042A4 admin:smcadmin
tempo-447187.tmp 0x00004294 admin:switch
tempo-447187.tmp 0x00004284 admin:symbol
tempo-447187.tmp 0x00004274 admin:synnet
tempo-447187.tmp 0x00004264 admin:sysAdmin
tempo-447187.tmp 0x00004258 admin:w2402
tempo-447187.tmp 0x00004248 admin:x-admin
tempo-447187.tmp 0x000039D8 admin2:changeme
tempo-447187.tmp 0x00004238 administrator:
tempo-447187.tmp 0x00003F50 Administrator:
tempo-447187.tmp 0x00003F3C Administrator:3ware
tempo-447187.tmp 0x00003F28 Administrator:admin
tempo-447187.tmp 0x00003FC4 ADMINISTRATOR:ADMINISTRATOR
tempo-447187.tmp 0x00003F10 Administrator:changeme
tempo-447187.tmp 0x00003EF8 Administrator:ganteng
tempo-447187.tmp 0x00003EE0 Administrator:password
tempo-447187.tmp 0x00003ECC Administrator:pilou
tempo-447187.tmp 0x00003EB4 Administrator:smcadmin
tempo-447187.tmp 0x00004228 adminstat:OCS
tempo-447187.tmp 0x00004210 adminstrator:changeme
tempo-447187.tmp 0x000041FC adminttd:adminttd
tempo-447187.tmp 0x000041EC adminuser:OCS
tempo-447187.tmp 0x000041DC adminview:OCS
tempo-447187.tmp 0x00003FB8 ADMN:admn
tempo-447187.tmp 0x00003FA8 ADSL:expert03
tempo-447187.tmp 0x00004A10 ADVAPI32.dll
tempo-447187.tmp 0x0000A4DA ADVAPI32.dll
tempo-447187.tmp 0x00003F9C ADVMAIL:HP
tempo-447187.tmp 0x00003F84 ADVMAIL:HPOFFICE DATA
tempo-447187.tmp 0x0000A2B0 ALL/V32/Answer/Rx/Eq
tempo-447187.tmp 0x0000A1E0 ALL/V32/Caller/Tx/States
tempo-447187.tmp 0x00003EA8 Any:12345
tempo-447187.tmp 0x000039C8 apc:apc
Authorization: Basic %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
tempo-447187.tmp 0x0000A28C BCS_EVENT_MEASUREMENT_NOTIFICATION
tempo-447187.tmp 0x000039B8 cablecom:router
tempo-447187.tmp 0x000039A4 cac_admin:cacadmin
tempo-447187.tmp 0x00003994 ccrusr:ccrusr
tempo-447187.tmp 0x00003984 cellit:cellit
tempo-447187.tmp 0x0000397C cisco:
tempo-447187.tmp 0x00003E80 Cisco:Cisco
tempo-447187.tmp 0x00003E98 CISCO15:otbu+1
tempo-447187.tmp 0x0000396C citel:password
tempo-447187.tmp 0x00003960 comcast:
tempo-447187.tmp 0x00003950 comcast:1234
tempo-447187.tmp 0x00003948 craft:
tempo-447187.tmp 0x0000A47A CreateMutexA
tempo-447187.tmp 0x00004AF6 CreateThread
tempo-447187.tmp 0x00003E8C CSG:SESAME
tempo-447187.tmp 0x00003934 cusadmin:highspeed
tempo-447187.tmp 0x00003924 customer:none
tempo-447187.tmp 0x00003914 dadmin:dadmin01
tempo-447187.tmp 0x00003908 davox:davox
tempo-447187.tmp 0x0000A064 DELAYED_STS_RESET_DMA calling Rksample
tempo-447187.tmp 0x000038F4 deskalt:password
tempo-447187.tmp 0x000038E0 deskman:changeme
tempo-447187.tmp 0x000038CC desknorm:password
tempo-447187.tmp 0x000038B8 deskres:password
tempo-447187.tmp 0x000038A8 device:device
tempo-447187.tmp 0x0000389C diag:danger
tempo-447187.tmp 0x0000A2C8 diskdump.pdb
tempo-447187.tmp 0x0000A104 dispatch: invoke handler for %s
tempo-447187.tmp 0x0000388C disttech:4tas
tempo-447187.tmp 0x00004A2C DNSAPI.dll
tempo-447187.tmp 0x00004A20 DnsQuery_A
tempo-447187.tmp 0x00003878 e250:e250changeme
tempo-447187.tmp 0x00003864 e500:e500changeme
tempo-447187.tmp 0x00009E9F eBCS_STATE_CHANNEL_SWITCH_PROCESSING
tempo-447187.tmp 0x0000A190 EV_HMAC_OID_DOT11_CURRENT_OPERATION_MODE
tempo-447187.tmp 0x0000A1BC EV_HMAC_OID_DOT11_QOS_ADDTS_REQUEST
tempo-447187.tmp 0x0000A138 EV_MMAC_HAP_WAKE_ME
tempo-447187.tmp 0x0000A14C EV_MMAC_OID_TGH_IBSS_RADAR_DETECTION
tempo-447187.tmp 0x0000A270 EV_MMAC_TX_CTR_FRAME_SEND
tempo-447187.tmp 0x0000A250 Exact path to App + arguments
tempo-447187.tmp 0x0000A3E2 ExitProcess
tempo-447187.tmp 0x00004B18 ExitThread
tempo-447187.tmp 0x00003DF0 Factory:56789
tempo-447187.tmp 0x00003E70 FIELD:HPONLY
tempo-447187.tmp 0x00003E5C FIELD:HPP187 SYS
tempo-447187.tmp 0x00003E48 FIELD:HPWORD PUB
tempo-447187.tmp 0x00003E3C FIELD:LOTUS
tempo-447187.tmp 0x00003E2C FIELD:MANAGER
tempo-447187.tmp 0x00003E20 FIELD:MGR
tempo-447187.tmp 0x00003E10 FIELD:SERVICE
tempo-447187.tmp 0x00003E00 FIELD:SUPPORT
tempo-447187.tmp 0x0000A218 G_ApplyPJP
tempo-447187.tmp 0x00003DC8 Gearguy:Geardog
tempo-447187.tmp 0x00003DE4 GEN1:gen1
tempo-447187.tmp 0x00003DD8 GEN2:gen2
tempo-447187.tmp 0x0000A514 GetActiveWindow
tempo-447187.tmp 0x000049AA GetAdaptersInfo
tempo-447187.tmp 0x0000A3B2 GetComputerNameA
tempo-447187.tmp 0x0000A40E GetCurrentDirectoryA
tempo-447187.tmp 0x0000A44C GetCurrentProcessId
tempo-447187.tmp 0x0000A3FA GetCurrentThread
tempo-447187.tmp 0x0000A48A GetCurrentThreadId
tempo-447187.tmp 0x0000A4FE GetForegroundWindow
tempo-447187.tmp 0x00004AE0 GetModuleFileNameA
tempo-447187.tmp 0x00004AA8 GetProcessHeap
tempo-447187.tmp 0x0000A4A0 GetStdHandle
tempo-447187.tmp 0x0000A436 GetSystemDirectoryA
tempo-447187.tmp 0x0000A4EA GetSystemMetrics
tempo-447187.tmp 0x0000A4CC GetUserNameA
tempo-447187.tmp 0x0000A3C6 GetVersionExA
tempo-447187.tmp 0x00004ABA GetVersionExA
tempo-447187.tmp 0x0000A462 GetWindowsDirectoryA
tempo-447187.tmp 0x00001279 Gj h,G*
tempo-447187.tmp 0x00004750 go_offline
tempo-447187.tmp 0x0000A2D8 GR: SW Method Error
tempo-447187.tmp 0x0000385C guest:
tempo-447187.tmp 0x00003850 guest:guest
tempo-447187.tmp 0x00004A90 HeapAlloc
tempo-447187.tmp 0x00004A9C HeapFree
tempo-447187.tmp 0x00004AD2 HeapReAlloc
tempo-447187.tmp 0x00003DB4 HELLO:FIELD.SUPPORT
tempo-447187.tmp 0x00003DA0 HELLO:MANAGER.SYS
tempo-447187.tmp 0x00003D90 HELLO:MGR.SYS
tempo-447187.tmp 0x00003D7C HELLO:OP.OPERATOR
tempo-447187.tmp 0x00003840 helpdesk:OCS
tempo-447187.tmp 0x00003834 hsa:hsadb
tempo-447187.tmp 0x00003D70 HTTP:HTTP
tempo-447187.tmp 0x00004950 HttpOpenRequestA
tempo-447187.tmp 0x00004916 HttpQueryInfoA
tempo-447187.tmp 0x00004964 HttpSendRequestA
tempo-447187.tmp 0x00003824 images:images
tempo-447187.tmp 0x0000465C infersearch.com
tempo-447187.tmp 0x00003814 install:secret
tempo-447187.tmp 0x00003800 installer:installer
tempo-447187.tmp 0x000037F4 intel:intel
tempo-447187.tmp 0x000037E0 intermec:intermec
tempo-447187.tmp 0x00004988 InternetCloseHandle
tempo-447187.tmp 0x00004928 InternetConnectA
tempo-447187.tmp 0x00004978 InternetOpenA
tempo-447187.tmp 0x0000493C InternetReadFile
tempo-447187.tmp 0x00003D5C IntraStack:Asante
tempo-447187.tmp 0x00003D48 IntraSwitch:Asante
tempo-447187.tmp 0x000049BA iphlpapi.dll
tempo-447187.tmp 0x0000A2EC ipinip.pdb
tempo-447187.tmp 0x000037D8 isp:isp
h8G*
tempo-447187.tmp 0x000037CC jagadmin:
tempo-447187.tmp 0x0000A4BC KERNEL32.dll
tempo-447187.tmp 0x00004B24 KERNEL32.dll
tempo-447187.tmp 0x000037C4 l2:l2
tempo-447187.tmp 0x000037BC l3:l3
tempo-447187.tmp 0x0000A4B0 LocalAlloc
tempo-447187.tmp 0x0000A3D6 LocalFree
tempo-447187.tmp 0x000037AC login:access
tempo-447187.tmp 0x000037A0 login:admin
tempo-447187.tmp 0x000049F6 LsaClose
tempo-447187.tmp 0x00004A02 LsaFreeMemory
tempo-447187.tmp 0x000049E6 LsaOpenPolicy
tempo-447187.tmp 0x000049CA LsaQueryInformationPolicy
tempo-447187.tmp 0x00003794 m1122:m1122
tempo-447187.tmp 0x00003D38 MAIL:HPOFFICE
tempo-447187.tmp 0x00003D2C MAIL:MAIL
tempo-447187.tmp 0x00003D20 MAIL:MPE
tempo-447187.tmp 0x00003D14 MAIL:REMOTE
tempo-447187.tmp 0x00003D04 MAIL:TELESUP
tempo-447187.tmp 0x00003788 maint:maint
tempo-447187.tmp 0x00003778 maint:ntacdmax
tempo-447187.tmp 0x00003768 manage:!manage
tempo-447187.tmp 0x00003B54 Manager:
tempo-447187.tmp 0x00003758 manager:admin
tempo-447187.tmp 0x00003294 manager:change_on_install
tempo-447187.tmp 0x00003CF4 MANAGER:COGNOS
tempo-447187.tmp 0x00003748 manager:friend
tempo-447187.tmp 0x00003B44 Manager:friend
tempo-447187.tmp 0x00003CE0 MANAGER:HPOFFICE
tempo-447187.tmp 0x00003CD0 MANAGER:ITF3000
tempo-447187.tmp 0x00003738 manager:manager
tempo-447187.tmp 0x00003CBC MANAGER:SECURITY
tempo-447187.tmp 0x00003CB0 MANAGER:SYS
tempo-447187.tmp 0x00003CA4 MANAGER:TCH
tempo-447187.tmp 0x00003C94 MANAGER:TELESUP
tempo-447187.tmp 0x00003728 manuf:xxyyzz
tempo-447187.tmp 0x0000A08C Max NE tap location %d
tempo-447187.tmp 0x00003C84 MDaemon:MServer
tempo-447187.tmp 0x00003714 mediator:mediator
tempo-447187.tmp 0x00003C74 MGR:CAROLIAN
tempo-447187.tmp 0x00003C6C MGR:CCC
tempo-447187.tmp 0x00003C60 MGR:CNAS
tempo-447187.tmp 0x00003C54 MGR:COGNOS
tempo-447187.tmp 0x00003C48 MGR:CONV
tempo-447187.tmp 0x00003C3C MGR:HPDESK
tempo-447187.tmp 0x00003C2C MGR:HPOFFICE
tempo-447187.tmp 0x00003C20 MGR:HPONLY
tempo-447187.tmp 0x00003C14 MGR:HPP187
tempo-447187.tmp 0x00003C08 MGR:HPP189
tempo-447187.tmp 0x00003BFC MGR:HPP196
tempo-447187.tmp 0x00003BF0 MGR:INTX3
tempo-447187.tmp 0x00003BE4 MGR:ITF3000
tempo-447187.tmp 0x00003BD8 MGR:NETBASE
tempo-447187.tmp 0x00003BCC MGR:REGO
tempo-447187.tmp 0x00003BC4 MGR:RJE
tempo-447187.tmp 0x00003BB8 MGR:ROBELLE
tempo-447187.tmp 0x00003BA8 MGR:SECURITY
tempo-447187.tmp 0x00003BA0 MGR:SYS
tempo-447187.tmp 0x00003B94 MGR:TELESUP
tempo-447187.tmp 0x00003B88 MGR:VESOFT
tempo-447187.tmp 0x00003B7C MGR:WORD
tempo-447187.tmp 0x00003B6C MGR:XLSERVER
tempo-447187.tmp 0x0000A2F8 MIB
tempo-447187.tmp 0x00003B60 MICRO:RSX
tempo-447187.tmp 0x00003708 mlusr:mlusr
tempo-447187.tmp 0x000036F8 monitor:monitor
tempo-447187.tmp 0x0000466C Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
tempo-447187.tmp 0x000036E4 mso:w0rkplac3rul3s
tempo-447187.tmp 0x000036D4 naadmin:naadmin
tempo-447187.tmp 0x00003B3C NAU:NAU
tempo-447187.tmp 0x000036C0 netadmin:nimdaten
tempo-447187.tmp 0x000036B8 netman:
tempo-447187.tmp 0x000036A8 netrangr:attack
tempo-447187.tmp 0x00003694 netscreen:netscreen
tempo-447187.tmp 0x00003B2C NICONEX:NICONEX
tempo-447187.tmp 0x00004654 nobrute
tempo-447187.tmp 0x0000368C none:0
tempo-447187.tmp 0x00003680 none:admin
tempo-447187.tmp 0x00004A84 ntdll.dll
tempo-447187.tmp 0x00003674 operator:
tempo-447187.tmp 0x0000365C operator:$chwarzepumpe
tempo-447187.tmp 0x00003B1C OPERATOR:COGNOS
tempo-447187.tmp 0x00003B0C OPERATOR:DISC
tempo-447187.tmp 0x00003648 operator:operator
tempo-447187.tmp 0x00003AF8 OPERATOR:SUPPORT
tempo-447187.tmp 0x00003AE8 OPERATOR:SYS
tempo-447187.tmp 0x00003AD8 OPERATOR:SYSTEM
tempo-447187.tmp 0x00003638 patrol:patrol
tempo-447187.tmp 0x00003ACC PCUSER:SYS
tempo-447187.tmp 0x00003628 piranha:piranha
tempo-447187.tmp 0x0000361C piranha:q
tempo-447187.tmp 0x00003AB0 Polycom:456
tempo-447187.tmp 0x00003AA0 Polycom:SpIp
tempo-447187.tmp 0x00003ABC PRODDTA:PRODDTA
tempo-447187.tmp 0x00003614 public:
tempo-447187.tmp 0x00003604 public:public
tempo-447187.tmp 0x00005000 r=%s&f=%s&p=%s&u=%s&i=%s&g=%d
tempo-447187.tmp 0x000035F4 radware:radware
tempo-447187.tmp 0x000035DC readonly:lucenttech2
tempo-447187.tmp 0x000035C4 readwrite:lucenttech1
tempo-447187.tmp 0x000035AC replicator:replicator
tempo-447187.tmp 0x0000A0D0 RKCFG_AGGRESSIVE_SPEED: buffer size %d is too small
tempo-447187.tmp 0x00003A8C RMUser1:password
tempo-447187.tmp 0x000035A4 ro:ro
tempo-447187.tmp 0x00004644 root:
tempo-447187.tmp 0x00003A78 Root:
tempo-447187.tmp 0x00003598 root:0P3N
tempo-447187.tmp 0x0000358C root:1234
tempo-447187.tmp 0x00003580 root:12345
tempo-447187.tmp 0x00003570 root:3ep5w2u
tempo-447187.tmp 0x00003548 root:admin
tempo-447187.tmp 0x00003538 root:admin_1
tempo-447187.tmp 0x0000352C root:ascend
tempo-447187.tmp 0x00003520 root:attack
tempo-447187.tmp 0x00003510 root:blender
tempo-447187.tmp 0x00003504 root:calvin
tempo-447187.tmp 0x000034F4 root:changeme
tempo-447187.tmp 0x00003564 root:Cisco
tempo-447187.tmp 0x000034E8 root:davox
tempo-447187.tmp 0x000034D8 root:default
tempo-447187.tmp 0x000034C8 root:fivranne
tempo-447187.tmp 0x000034B8 root:iDirect
tempo-447187.tmp 0x00003554 root:Mau'dib
tempo-447187.tmp 0x000034AC root:pass
tempo-447187.tmp 0x0000349C root:password
tempo-447187.tmp 0x00003490 root:root
tempo-447187.tmp 0x00003480 root:tslinux
tempo-447187.tmp 0x00003A80 RSBCMON:SYS
tempo-447187.tmp 0x00003478 rw:rw
tempo-447187.tmp 0x00003470 rwa:rwa
tempo-447187.tmp 0x00003458 scmadmin:scmchangeme
tempo-447187.tmp 0x0000344C scout:scout
tempo-447187.tmp 0x00003438 security:security
tempo-447187.tmp 0x00003A28 Service:5678
tempo-447187.tmp 0x00003428 service:smile
tempo-447187.tmp 0x0000A124 SeShutdownPrivilege
tempo-447187.tmp 0x0000472C setgroup
tempo-447187.tmp 0x00004738 settempgroup
tempo-447187.tmp 0x00003418 setup:changeme
tempo-447187.tmp 0x0000340C setup:setup
tempo-447187.tmp 0x0000A1FC SetupDiCreateDeviceInfoList
tempo-447187.tmp 0x00004A3A SHGetValueA
tempo-447187.tmp 0x00004A46 SHLWAPI.dll
tempo-447187.tmp 0x00004724 sleep
tempo-447187.tmp 0x00004ACA Sleep
tempo-447187.tmp 0x0000A3F0 SleepEx
tempo-447187.tmp 0x000033FC smc:smcadmin
tempo-447187.tmp 0x00003A64 SPOOLMAN:HPOFFICE
tempo-447187.tmp 0x00004A6A sprintf
tempo-447187.tmp 0x00003A5C SSA:SSA
tempo-447187.tmp 0x0000A174 STATUS_DUPLICATE_OBJECTID
tempo-447187.tmp 0x0000A0A4 STATUS_KEY_DELETED
tempo-447187.tmp 0x000033E4 storwatch:specialist
tempo-447187.tmp 0x000033CC stratacom:stratauser
tempo-447187.tmp 0x00004A74 strncmp
tempo-447187.tmp 0x000033BC super.super:
tempo-447187.tmp 0x000033A8 super.super:master
tempo-447187.tmp 0x00003398 super:5777364
tempo-447187.tmp 0x0000338C super:super
tempo-447187.tmp 0x00003378 superadmin:secret
tempo-447187.tmp 0x00003364 superman:21241036
tempo-447187.tmp 0x00003354 superman:talent
tempo-447187.tmp 0x00003344 superuser:admin
tempo-447187.tmp 0x00003338 supervisor:
tempo-447187.tmp 0x00003324 supervisor:PlsChgMe
tempo-447187.tmp 0x0000330C supervisor:supervisor
tempo-447187.tmp 0x000032FC support:h179350
tempo-447187.tmp 0x000032EC support:support
tempo-447187.tmp 0x000032E0 sys:uplink
tempo-447187.tmp 0x00003A4C SYSADM:sysadm
tempo-447187.tmp 0x000032D0 sysadmin:PASS
tempo-447187.tmp 0x000032BC sysadmin:password
tempo-447187.tmp 0x00003A38 SYSDBA:masterkey
tempo-447187.tmp 0x00003284 system:password
tempo-447187.tmp 0x000032B0 system:sys
tempo-447187.tmp 0x00003270 teacher:password
tempo-447187.tmp 0x00003260 telecom:telecom
tempo-447187.tmp 0x0000324C tellabs:tellabs#1
tempo-447187.tmp 0x0000323C temp1:password
tempo-447187.tmp 0x00004B06 TerminateThread
tempo-447187.tmp 0x0000A224 The mirrored volume creation setup failed
tempo-447187.tmp 0x0000322C tiara:tiaranet
tempo-447187.tmp 0x0000321C tiger:tiger123
tempo-447187.tmp 0x00003A14 TMAR#HWMT8007079:
tempo-447187.tmp 0x00004A60 tolower
tempo-447187.tmp 0x00003208 topicalt:password
tempo-447187.tmp 0x000031F4 topicnorm:password
tempo-447187.tmp 0x000031E0 topicres:password
tempo-447187.tmp 0x0000A0B8 UpstreamQamAllowed %d
tempo-447187.tmp 0x00003154 user:
tempo-447187.tmp 0x00003144 user:password
tempo-447187.tmp 0x000031D0 user:tivonpw
tempo-447187.tmp 0x00003138 user:user
tempo-447187.tmp 0x0000A524 USER32.dll
tempo-447187.tmp 0x00003A04 USERID:PASSW0RD
tempo-447187.tmp 0x000031C4 vcr:NetVCR
tempo-447187.tmp 0x0000A058 VESA DMT
tempo-447187.tmp 0x0000A426 VirtualAlloc
tempo-447187.tmp 0x000031B4 vt100:public
tempo-447187.tmp 0x000031A4 webadmin:1234
tempo-447187.tmp 0x00003190 webadmin:webadmin
tempo-447187.tmp 0x0000317C websecadm:changeme
tempo-447187.tmp 0x0000499C WININET.dll
tempo-447187.tmp 0x00003170 wlse:wlsedb
tempo-447187.tmp 0x000039F8 WP:HPOFFICE
tempo-447187.tmp 0x0000315C wradmin:trancell
tempo-447187.tmp 0x00004908 WS2_32.dll
tempo-447187.tmp 0x00003130 xd:xd
tempo-447187.tmp 0x000041C8 zxc:cascade
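A dump this long is easier to act on once it is sorted into the things that matter: the C2 paths, the hard-coded IP, the user agent, the imported modules, and the size of the default-credential list the brute forcer carries. The script below reads the 'Package Offset String' layout above and buckets each string. It is an added example, not code from the original post or from HBGary; the sample is a small subset of the dump reproduced verbatim, including one continuation line without a package/offset prefix to show how those are kept.

```python
"""Triage a Responder Pro strings dump into indicators worth acting on.
Added example, not code from the original post or from HBGary.  Reads the
'Package Offset String' layout of the dump above."""
import re

# Subset of the dump above.  The 'Authorization:' line has no prefix, exactly
# as it appears in the dump, so the parser's handling of that case is shown.
SAMPLE = """\
Package Offset String
tempo-447187.tmp 0x000047A4 /control/abrute.php
tempo-447187.tmp 0x0000478C /control/acontrol.php
tempo-447187.tmp 0x00004714 93.188.166.4
tempo-447187.tmp 0x0000466C Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
tempo-447187.tmp 0x00004618 admin:admin
tempo-447187.tmp 0x00004644 root:
tempo-447187.tmp 0x000040BC :admin
tempo-447187.tmp 0x00003F10 Administrator:changeme
tempo-447187.tmp 0x00004A2C DNSAPI.dll
tempo-447187.tmp 0x00004A20 DnsQuery_A
tempo-447187.tmp 0x0000A104 dispatch: invoke handler for %s
Authorization: Basic %s
tempo-447187.tmp 0x00005000 r=%s&f=%s&p=%s&u=%s&i=%s&g=%d
"""

ENTRY_RE = re.compile(r"^(?P<pkg>\S+) (?P<off>0x[0-9A-Fa-f]+)(?: (?P<s>.*))?$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# user:pass with either side possibly empty (the dump has 'root:' and ':admin').
# Entries containing whitespace ('aaa:often blank') deliberately fall through to 'other'.
CRED_RE = re.compile(r"^[^\s:]*:[^\s:]*$")
BUCKETS = ("ipv4", "url_path", "module", "user_agent", "credential", "other")


def parse_dump(text):
    """Turn dump lines into {pkg, off, s} records; prefix-less lines keep offset None."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Package "):
            continue                                  # blank line or column header
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"pkg": m["pkg"], "off": int(m["off"], 16), "s": m["s"] or ""})
        else:
            # A line without package/offset is a string whose header did not
            # survive extraction; keep it rather than silently dropping it.
            entries.append({"pkg": entries[-1]["pkg"] if entries else None,
                            "off": None, "s": line})
    return entries


def classify(s):
    """Order matters: the most specific indicator types are tested first."""
    if IPV4_RE.match(s) and all(int(octet) < 256 for octet in s.split(".")):
        return "ipv4"
    if s.startswith("/"):
        return "url_path"
    if s.lower().endswith(".dll"):
        return "module"
    if s.startswith("Mozilla/"):
        return "user_agent"
    if CRED_RE.match(s):
        return "credential"
    return "other"


def triage(text):
    """Return the dump's strings grouped by indicator type, in dump order."""
    buckets = {name: [] for name in BUCKETS}
    for entry in parse_dump(text):
        if entry["s"]:
            buckets[classify(entry["s"])].append(entry["s"])
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE)
    for name in BUCKETS:
        print(f"{name:<11} {len(result[name]):>3}  {result[name][:3]}")
```

Run against the full dump, the url_path, ipv4 and user_agent buckets are the network indicators to feed into proxy and IDS rules, the credential bucket tells you which device and share passwords a successful brute force implies you must rotate, and the module bucket (WININET, DNSAPI, iphlpapi, ADVAPI32) corroborates the HTTP check-in, DNS and LSA behaviour described in the post.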

I'll probably have more to say about this soon.

Addendum 1:
The brute forcing functionality is through remote control over HTTP.

Addendum 2:
Virustotal detection is poor at 2/40.

Addendum 3:
The .tmp file is a new variant of the Zlob trojan.

Wednesday, April 1, 2009

Responder Pro - A review

Here's a short disclaimer before I get into this.
*I'm not paid by nor affiliated with HBGary. This is an honest review of their product(s).*

A short while ago I received a demo copy of HBGary's Responder Pro product. A big thanks goes out to Rich and the HBGary team for letting me demo their tools. My demo period has now expired so I wanted to share my experience.

During my demo I used Responder Pro almost exclusively to analyze malware, and perform memory analysis. There's a bit of a learning curve with the product, mainly in getting used to the layout of the GUI which was at first a senseless morass of windows and tabs. After I adapted my thinking and used the tool a few times, the GUI made some sense.

Once I got acclimated to the GUI, memory analysis couldn't have been any easier. The GUI is pretty powerful and allows for a quick examination of the 'big win' components of memory - processes, modules, open files, open registry keys, network connections. Identifying process and DLL injection was in a word 'simple' once I figured out how the tool laid out the process and module information. Image (executable) extraction is simple - a right click does the trick.

A warning though. If you're using Antivirus products on the system you use this tool on, be prepared to redo your analysis or make exceptions for files and folders. More than once I was frustrated by having Symantec Endpoint Protection delete the extracted binary, leaving Responder in a state of confusion and inability to complete an analysis. I have many v.2 case files due to this.

The automated malware analysis of the memory dump was a huge timesaver. Based on a file called baserules.txt, a memory dump will be analyzed for processes and modules that are exhibiting potentially malicious behaviors. If you highlight a module, it will be selected for a deeper dive analysis. Did I mention it's a time saver? Analyzing module after module in a process can be tedious work. Having the information presented to you allows you to quickly weed out what looks normal from the abnormal.

My one nit about the automated analysis was the transition from 1.3 to 1.4. 1.4 had far too many rules commented out, and while this led to fewer false positives, it greatly contributed to more manual work because it missed a lot of things.

During my demo period HBGary updated Responder Pro from version 1.3 to version 1.4. The transition added interesting capabilities such as pulling out URLs from the memory dump as well as passwords. Harlan discussed this a bit while looking at one of my memory snapshot project images.

Memory analysis-wise Responder is right up there for commercial tools. I'd pretty much say it's the best around for the price point ($1000 for Field edition). It also integrates with EnCase, which is nice for a lot of people.

And then there's the graphing for malware analysis. One of my colleagues summed it up accurately by calling it very 'seductive'. Now, graphing has been around a while for malware analysis. There's a difference though when it comes to using Responder. The difference is you don't have to screw around with the reindeer games that various packers use. When you're analyzing a memory dump of malware, you're seeing the unpacked malware and it makes for a very straightforward analysis. In more than one case I was able to do analysis in about an hour or so on something that would have otherwise taken a few hours. The ability to pull out a subroutine, analyze it graphically and have the code available as well is a fantastic feature. Or, if you want to, you can begin by performing an analysis of a process and looking at the strings. Then just pull the string you're interested in into the working canvas, and begin analysis on something that looks like it's of direct interest to you. That's what I was doing here. The bookmarking and layering made it almost Photoshop-esque. I only had to look at what was of interest and I could go back to it later. While analyzing virut.CF the bookmarking feature was very handy, especially when I discovered some Passthru driver configuration files intact while doing a graphical analysis. I won't get into the differences between IDA Pro and Responder Pro for analysis but I will say that I had a much faster time of doing analysis in Responder than in IDA, and I think the reason was due to using a memory dump rather than static binary analysis.

So that's enough talking about why I like the product. Case Study-wise I used Responder Pro to look at several poorly classified malware types during my demo. In the field I use Responder Pro to analyze several USB related malware variants that my other vendors called "downloader" or "trojan horse" or "SillyFDC". In a wave of compromises I didn't want any other tool for analysis. I reached for Responder Pro when I needed to do an analysis to determine scope and the REAL risk to data. I reached for Responder Pro when I needed to determine the capabilities of a few very nasty pieces of malware. Why? Because I needed accurate, actionable intel fast.

Just this evening I wanted to do an analysis of an InfoStealer variant I discovered in the wild. The tool I went for? Responder Pro. As I said though, my demo expired and I felt a bit lost. Gone was the quick analysis. Gone was the interface. I still have Volatility and Memoryze and they certainly have their strengths but I had gotten very used to using Responder. I still have the old tried and true tools around but it's a bit of a disappointment to go back to them.

The biggest issue I have is unfortunately not technical at all. It's price - which is currently the biggest concern for us. For $9000 I could license my entire team with IDA Pro and train them all in Memoryze and Volatility.

Do I recommend the Responder family of products?

Absolutely. The products have a lot of strengths including time saving techniques and easy analysis and presentation of otherwise complex data sources. For many people in the industry Responder Field Edition is more than appropriate.

Responder Pro is an entirely different beast and to be frank I feel a little naked right now.