Tuesday, September 25, 2007

Links for AITP and FAEDS presentations

Thank you all for attending my presentation. If you have any questions, please don't hesitate to e-mail me. Here are links to many of the things I talked about and demonstrated, along with several that I didn't have time to get to.

My Websites
Personal Blog

Dark Reading Blog

UF IT Security Team

Malware Analysis and Sandboxes
VirusTotal (submit files for analysis)

CWSandbox - Behavior-based Malware Analysis

Anubis: Analyzing Unknown Binaries

Norman Sandbox

Mandiant Red Curtain


pefile (for you Python programmers)

Firefox Extensions and SpiderMonkey

User Agent Switcher



Incident Response Tools (& more)
(autoruns, tcpview, filemon, regmon, process monitor, openports, tor, process explorer, pstools)
Sysinternals Suite (all tools in one download)

(cmdline, openports)

Wireshark - sniffer and protocol analyzer (formerly Ethereal)

Helix - CD designed for incident response and forensics (Linux & Windows tools)

Some Security Blogs
SANS Internet Storm Center

Windows Incident Response (Harlan Carvey) - event logs, registry and memory analysis & more

int for(ensic){blog;} (Andreas Schuster) - event logs and memory analysis

Centralizing Windows Event Logs
Series of Posts on DarkReading about logs:
Log Central
How to Centralize Windows Event Logs (links to Snare and Lasso)
Watch Out for That Log!

Miscellaneous Links
Metasploit Framework

VMware (Workstation for Linux & Windows, Fusion for Mac; Server and Player are FREE)

Thursday, September 20, 2007

Process memory dumping tools

This is from a post I had over at ForensicFocus.com. I'm working on a presentation and was trying to come up with a list of all the useful process dumpers for Windows, so I did a little Googling and found my old post. So, I stuck it here for my own future reference.

Everyone already knows about dd for Windows from George M. Garner, so I won't discuss it any further. Until the tools like those developed in the 2005 DFRWS memory forensic challenge are released, dd memory images are only as useful as the strings you pull out of them.

There is some promising research from Mariusz Burdach, who just spoke at BlackHat Federal 2006 on "Finding Digital Evidence in Physical Memory." His website is located at http://forensic.seccure.net/, but his memory forensics documentation is more up-to-date on the BlackHat Media Archives page. The tools/docs archive even has the Windows version of wmft.exe, which isn't on his webpage yet (just the Linux version of wmft is there).

Memdump was mentioned, but there are at least two different versions for Windows that I know of: the one mentioned previously, by APsoft, and another from the Metasploit project.

APsoft's memdump will dump any part of memory, or all of it.

MEMDUMP/386 for DOS Version 2.00 - Release 15-Jun-2005
(C) Copyright 1993-2005 by APSoft (http://www.tssc.de)
All rights reserved. Disassembly or decompilation prohibited.

This program dumps or copy any part of 4GB memory address space of your system.
For proper access to hardware registers, memory can be read with BYTE, WORD or
Double WORD granularity.

Syntax: MEMDUMP [/H|?]

where: /H - Print this text
- Dump <Length> number of memory bytes from specified
linear <Address> as bytes (DB), words (DW) or
double words (DD) correspondingly.
/F:filename - Output file for the dump (Default: console)
Use /F:none to completely suppress dump
/B:filename - Output file for the binary contents of memory

Notes: Both 'Address' and 'Length' can be expressed in hexadecimal format
with '0x' prefix. The 'Length' field can be also expressed in decimal

MEMDUMP /DW:0x100000,0x100000 /F:2ndMB.dmp - dump second MB to file
MEMDUMP /DB:0x100000,128 - dump 128 Bytes to CON:
MEMDUMP /D:0,0x100 /F:none /B:IntTB.bin - copy INT table to file

If dump or binary file exists, MEMDUMP unconditionally overrides it.

If you are using WORD or DWORD access 'Length' parameter should be
multiple of 2 or 4 correspondingly.

Please remember that if the memory manager (such as EMM386.EXE) is
loaded, MEMDUMP will read linear address rather as physical address.

There is almost no help for the Metasploit memdump. It dumps specific processes by giving it a PID and creates quite a few files that are to be analyzed with msfpescan. The file names look to be based on the section of memory they are pulled from. Msfpescan is crashing on my Mac OS X box right now, so I can't show you the output, but here is the syntax and a sample of memdump running.

Usage: y:\memdump.exe pid [dump directory]

C:\>y:\memdump.exe 2796
[*] Creating dump directory...2796
[*] Attaching to 2796...
[*] Dumping segments...
[*] Dump completed successfully, 49 segments.

Then, there is pmdump that also dumps processes.

pmdump 1.2 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
- http://ntsecurity.nu/toolbox/pmdump/

Usage: pmdump <pid> <filename>
- dumps the process memory contents to a file

pmdump -list
- lists all running processes and their PID's

Microsoft has several versions of userdump, but I think the latest is version 8.0 and is less than a month old. As with Metasploit's memdump, there is another tool that can read the dumped output. DumpChk is that tool and is part of the Debugging Tools package. For it to be most useful, you need the symbols, also.

User Mode Process Dumper (Version 8.0.2826.0)
Copyright (c) 1999-2005 Microsoft Corp. All rights reserved.

userdump -p
Displays a list of running processes and process IDs.

userdump [-k] <ProcessSpec> [<TargetDumpFile>]
Dumps one process or processes that share an image binary file name.

-k optionally causes processes to be killed after being dumped.

<ProcessSpec> is a decimal or 0x-prefixed hex process ID, or the
base name and extension (no path) of the image file used to create
a process.

<TargetDumpFile> is a legal Win32 file specification. If not specified,
dump files are generated in the current directory using a name
based on the image file name.

userdump -m [-k] <ProcessSpec> [<ProcessSpec>...] [-d <TargetDumpPath>]
Same as above, except dumps multiple processes.

-d <TargetDumpPath> supplies the directory where the dumps will go.
The default is the current directory.

userdump -g [-k] [-d <TargetDumpPath>]
Similar to above, except dumps Win32 GUI apps that appear hang.

userdump -I [-d <TargetDumpPath>]
To change just in time debugger to UserDump.
This command will not actually start UserDump.
If you don't setup userdump, please copy userdump.exe to %windir%\system32.

-d <TargetDumpPath> supplies the directory where the dumps will go.
The default is a current directory of the target process.

That's all I can think of for now. I will probably remember the other one or two tonight. I hope all that helps give you some direction and a realization that there is no one specific way to analyze memory, but quite a few people are interested and several smart people are doing some excellent research in the area.
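The post's point that a dd image is only as useful as the strings pulled out of it is easy to demonstrate. The following is an added example, not code from the original post or from any of the dumpers listed above: a small strings extractor for raw memory dumps written for Node.js. It reports ASCII runs and, separately, UTF-16LE runs with their offsets, because Windows keeps most paths, registry keys and URLs as UTF-16LE and a plain ASCII strings pass silently misses them. The dump bytes are constructed for the example.

```javascript
// Added example, not code from the original post: a minimal "strings" pass
// over a raw memory dump. It recovers runs of printable ASCII and, separately,
// runs of UTF-16LE text, since Windows keeps most paths, registry keys and
// URLs in UTF-16LE and an ASCII-only pass misses them.
// The dump contents below are constructed for the example.

const MIN_LEN = 6; // shortest run worth reporting (like `strings -n 6`)

function isPrintable(b) {
  return b >= 0x20 && b <= 0x7e; // printable 7-bit ASCII
}

// Runs of printable ASCII bytes. Returns [{offset, encoding, text}].
function asciiStrings(buf, minLen = MIN_LEN) {
  const out = [];
  let start = -1;
  for (let i = 0; i <= buf.length; i++) {
    const printable = i < buf.length && isPrintable(buf[i]);
    if (printable && start < 0) start = i;
    if (!printable && start >= 0) {
      if (i - start >= minLen) {
        out.push({ offset: start, encoding: 'ascii', text: buf.toString('latin1', start, i) });
      }
      start = -1;
    }
  }
  return out;
}

// Runs of UTF-16LE characters in the ASCII range: printable byte, 0x00,
// printable byte, 0x00, ... The scan advances one byte at a time so strings
// that start at an odd offset are found as well.
function utf16Strings(buf, minLen = MIN_LEN) {
  const out = [];
  let i = 0;
  while (i + 1 < buf.length) {
    if (isPrintable(buf[i]) && buf[i + 1] === 0) {
      let j = i;
      while (j + 1 < buf.length && isPrintable(buf[j]) && buf[j + 1] === 0) j += 2;
      if ((j - i) / 2 >= minLen) {
        out.push({ offset: i, encoding: 'utf16le', text: buf.toString('utf16le', i, j) });
      }
      i = j; // j >= i + 2 here, so the scan always moves forward
    } else {
      i += 1;
    }
  }
  return out;
}

// Both passes merged and ordered by offset, so a hit can be correlated with
// the dump's layout (memdump's per-segment files, a full userdump, etc.).
function extractStrings(buf, minLen = MIN_LEN) {
  return [...asciiStrings(buf, minLen), ...utf16Strings(buf, minLen)]
    .sort((a, b) => a.offset - b.offset);
}

// Quick triage filter: anything that looks like a URL deserves a closer look.
function findUrls(strings) {
  return strings.map((s) => s.text).filter((t) => /https?:\/\/\S+/.test(t));
}

// Constructed stand-in for a slice of a process dump.
const SAMPLE_DUMP = Buffer.concat([
  Buffer.from([0x00, 0x01, 0xff, 0x90, 0x90]),
  Buffer.from('Software\\Microsoft\\Windows\\CurrentVersion\\Run\0', 'latin1'),
  Buffer.from([0x13, 0x37, 0xfe]),
  Buffer.from('C:\\Windows\\System32\\svchost.exe', 'utf16le'),
  Buffer.from([0x00, 0x00, 0x7f, 0x02, 0x41, 0x42, 0x0a]), // "AB" is too short to report
  Buffer.from('http://example.invalid/update.php', 'latin1'),
]);

for (const s of extractStrings(SAMPLE_DUMP)) {
  console.log(`0x${s.offset.toString(16).padStart(8, '0')} ${s.encoding.padEnd(7)} ${s.text}`);
}
```

Replace `SAMPLE_DUMP` with `fs.readFileSync(path)` on a real dump file to use it; on a large image, stream the file in chunks and carry the current run across chunk boundaries, which the single-buffer version above does not do.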

Tuesday, September 18, 2007

MSN bot making the rounds

It has handy commands like main.wget, main.remove, msn.url, msn.self and msn.stop.

If you get one of the following and it includes a link to a site like photobucket.com or similar, don't click it. This came straight from a txt file an IRC bot was using as its source of deceptive messages to send to MSN users.

This picture isnt you... right?
Wow i think i found your pic on myspace!
hey did i ever show you this picture of me?
can i up some of these pics of ya to my myspace profile?
you care if i put this pictuer of you in my new album?
sry about the messup i fixed the pic! Try it one more time plz
Can i put this pic of you into my new myspace album?
this looks like you lol
haha this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
Wanna see my pics before i send em to facebook?
do you think this picture is too kinky for Myspace?
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Have you seen me Naked Yet :D
ok I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
hey you got a myspace album? anyways heres my new myspace album :) accept k?
do I look dumb in this picture? I want to put it on myspace.

Saturday, September 15, 2007

Storm brings "games" that pack a punch

Today's Storm e-mails are about free games. They have gone back to using URLs with IP addresses rather than a domain, as the most recent NFL messages did. The web page includes pictures of all sorts of games and links to "ArcadeWorld.exe".

The Storm worm folks are also resorting to including exploit code. My guess is they just didn't get the number of infections they were hoping for by just including links to the *.exe in the NFL version.
Here's a screenshot of the obfuscated JavaScript.

This is after the first round of deobfuscating the JavaScript using SpiderMonkey. See how there's still more to analyze. The overly long filename for the WMV file looks like it is targeting MS06-006.

The do/while loop creates a string of 16,777,216 A's that gets the shellcode appended to the end.

Subject: Quick, grab this
Body: Click here to get over 1000 games for free http://xxx.0.188.5/

Subject: Quick, grab this
Body: Stop paying for games; we have over 1000 games for free online http://xx.57.250.77/

Subject: Thousands of hours of fun, for free
Body: Go http://xx.203.41.160/

Subject: Stop paying for games
Body: 1000 Online Free games, take a look http://xx.38.52.177/

Subject: The internet just got better
Body: Look http://xxx.54.195.27/

Thursday, September 13, 2007

freeNFLtracker.com now in use by Storm worm

Messages just started pouring in with links to http://freeNFLtracker.com/ instead of individual IP addresses. If you can blackhole the DNS, do so immediately to prevent users from being able to resolve the domain.

There is still no exploit code in the webpage, but it probably won't be long before it is included. I'm guessing the current page is so effective at getting users to click and run that there isn't a need for automatic exploitation.

Subject: Are you ready for football season?
Body: Want to know all the stats all the time this season? Get your free NFL Season Tracker!

Subject: Are you ready for football season?
Body: Are you ready for tonight's game? How about the whole season? Do you have your NFL Season Tracker?

Subject: The season has started
Body: Know every player and every stat, with this years Real-time NFL Tracker.

Here's the registrar info for FREENFLTRACKER.COM. For obvious reasons, they're using a privacy service to block the real registrant info.

Registration Service Provided By: LOMTI INC.
Contact: +351.3456712


Domain Admin (contact@privacyprotect.org)
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
null,2680 AB
Tel. +45.36946676

Creation Date: 13-Sep-2007
Expiration Date: 13-Sep-2008

Domain servers in listed order:

Saturday, September 08, 2007

Go! Fight! Storm..uhm..Score!

Just in time for football season, Storm worm is now targeting football fans with a free online game tracker. The page is much more elaborate than any of the others so far with more graphics, a table and an image map. Every link on the page goes to "tracker.exe" and there is no obfuscated javascript or exploit code in the page itself. It is solely relying on users to click and run the "tracker.exe".

Subject: FOOTBALL! Are You ready?
Body: Football Season Is Finally here!
Never miss a game again, and know all the stats.
Get you data online everyday from our free game tracker:

Subject: Free NFL Game Tracker
Body: Are you ready for some football?
Let us keep you on top of every game everyday.
Never be in the dark again with this online game tracker:

Subject: Do you have your NFL Game List?
Body: Football is back, Life may resume again!
We can keep you on top of every single game this season.
Get all your game info daily from our online game tracker:

Subject: Are you ready for some football?
Body: Life as we know it is back, NFL season is open.
Let us keep you on top of every game everyday.
Get all your game info daily from our online game tracker:

Thursday, September 06, 2007

sTORm preying on file sharers

This came in at 7:02am this morning after about two days of nothing new from Storm. Now they are promoting Tor for file sharers to protect themselves from "Big Brother." Tor anonymizes online activity by encrypting and tunneling network traffic through random Tor exit nodes all around the world. It is nice to see Tor getting some recognition, but hopefully it won't lead to too many new infections.

Here's a copy of the e-mail and a screenshot of the page.

Subject: Big brother is watching you.
Body: Do you trade files online? Then they will come after you. The news is full of articles of lawsuits by the RIAA. This program protects your online identity. Save yourself from an attack and use this free software now. Download Tor

Tuesday, September 04, 2007

A Stormy Labor Day celebration

I did have a stormy Labor Day weekend in Hilton Head over the long holiday weekend, but my Inbox also received new copies of Storm worm hoping to trick users into infecting themselves. They either tell users they have a new e-card or that there is a holiday greeting card waiting for them. The host with the malicious content has a cute Labor Day picture that links to "labor.exe".

All the same nasty obfuscated JavaScript exploit code is still there and doesn't appear to have changed from what we were seeing last week.

Subject: Happy Labor Day
Body: Someone has sent you an E-Card. To view it, follow this link: http://ecards.com/funcard/edelivery?xz2dl2ifbi6r80hzk

Subject: The Big Labor Day Weekend
Body: Here is the link to view your holiday greeting online: http://hallmark.com/ecards/labor1?j7hesyq65ubntze680a1p67969wt2

Subject: Your friend has sent you a card.
Body: Click here to pick up your greeting card: http://netcards.com/cards/edelivery?p9n2q90enz4afj0

I do most of my JavaScript deobfuscation using technique #4 as detailed by Daniel Wesemann on the SANS Internet Storm Center site (http://isc.sans.org). I'll probably go over how I do it in a little more detail in an upcoming post.