Friday, April 10, 2009

F-Response 3.09 Trial Run & Screenshots

On Tuesday, I received a package in the mail from Matt Shannon, founder and creator of F-Response. Inside was a small, F-Response-branded USB thumb drive containing the upcoming release of F-Response due out April 15, 2009. I updated my dongle, installed the new license manager and was ready to begin testing.

One of the first things I noticed is the newly redesigned license manager to replace the NetUnikey Server! Thank you, thank you, thank you. The third-party NetUnikey Server for dongle authentication in previous releases sucked, and I even ran into some bizarre network issues where it wouldn't authenticate in version 1.18 but was fine in the 2.x betas. Now, that's all fixed and working great. For those of you unfamiliar with the product, there is a licensing dongle. In the Field Kit edition, it has to be plugged into the host you are examining. In the Consultant and Enterprise editions, the dongle can be plugged into the analyst's workstation. When the F-Response client runs on the host being analyzed, it first must authenticate to the workstation with the dongle in it. It was the NetUnikey Server that used to accept and authenticate the requests from the F-Response clients. Now, it's gone and the F-Response License Manager serves that purpose in version 3.09.

The next major feature addition is the inclusion of the new management interfaces in the Enterprise and Consultant editions. They make deployment and connecting to remote disks a piece of cake. The Enterprise Management Console allows you to push the F-Response enterprise service to hosts you have admin rights to, start the service and connect to the disks and memory. The Consultant Connector makes it easy to connect to disks from hosts on which the Consultant F-Response client is running. There are several videos over at the F-Response site if you want to see them in action (linked to by their names above). The Enterprise Management Console will definitely be a head turner for companies that have been looking to replace products like Encase Enterprise but weren't sure if F-Response was the solution. It's about time to take another look if you're one of those groups.

For me, the most exciting new features were the inclusion of support for Mac OS X and Linux in the Enterprise and Consultant versions. Previously, support for those OSes was only in the Field Kit edition. So far, F-Response has been working flawlessly on Mac and Linux. Earlier this week, I witnessed two Mac OS X machines have their entire 200+GB hard drives imaged over the network with F-Response. I personally tested a MacBook Pro with the latest version of OS X, a fully updated Ubuntu Linux system and a Windows XP SP3 system.

In this screenshot, you can see the different options available in the Mac OS X client.

I created an autoconfigure ".ini" file using the Windows F-Response client, which has a GUI where you enter the IP of the host with the dongle and the user credentials to connect back into the machine over iSCSI. As you can see in this screenshot, I ran the executable with the "-c" option followed by the autoconfigure file I had created from the Windows client. The F-Response client authenticated, mounted the available drives and started listening for connections via iSCSI.

Did you notice how there were two drives in the last screenshot that were mounted read-only? What's worth noting is that this is my MacBook Pro, which only has one hard drive. I use FileVault for encrypting my Home directory. The second drive is my mounted Home directory. I know one of the big features in Windows was the ability to access disk volumes and not just raw hard drives, but I was surprised to see this behavior. I haven't tested imaging the mounted Home directory via F-Response yet, but it should be interesting.

This next screenshot is of the Linux F-Response client. It's pretty much identical to the Mac version and works with the same autoconfigure file as the Windows and Mac clients. This is a great feature, allowing you to create CDs to hand out to your help desk with all versions of the client and only one ".ini".

This next screenshot is FTK Imager connected to a Linux host. While I was testing, I only looked around the filesystem a bit, but I could have easily imaged the drive. I think one of the things I like most about F-Response is the flexibility it gives me to use pretty much any forensic tool I want, whether it's FTK, Encase, RegRipper or anything else. It really lives up to its slogan by extending your arsenal.

Wednesday, April 01, 2009

Go Infect Yourself...with Conficker

I'd been wanting to do some testing with Conficker to see if my IDS rules were truly working and whether or not some of the new detection tools released Monday were accurate (DarkReading: "Conficker Detection...Let Me Count The Ways"). Knowing that just running an EXE wasn't all that easy based on some of the analysis from the Internet Storm Center (here and here), I started digging around for some good samples of Conficker and instructions. First, I grabbed a few samples from Offensive Computing's malware archive. Next, I went looking for some hints on the best way to load the samples and found a related thread on Offensive Computing where someone was looking for a Conficker.C sample.

So, here's the quick and dirty. We'll download the sample, rename it, copy it to the System32 directory and edit a useless service to load it on startup.
  1. Grab the file here.
  2. Rename it to "booyah.dll"
  3. Copy "booyah.dll" to "C:\Windows\System32\"
  4. Open Regedit and navigate to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters
  5. Right click on "ServiceDll", click "Modify", change the current DLL to point to "booyah.dll", and click OK
  6. Close Regedit and Reboot.
Now, your machine is infected. To verify, try to reach some of the sites it blocks, such as McAfee and SecureWorks, or try out the Conficker Eye Chart.
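The defender's counterpart to the ServiceDll edit in the steps above, as an added example that is not from the original post: a Python script that diffs two regedit exports of the Services hive (a clean baseline and a later snapshot) and reports every service whose ServiceDll has been repointed, which is exactly the change step 5 makes. Both exports are constructed samples; the mswsock.dll baseline for Nla is my assumption, not a value the post gives.

```python
import re
# Constructed sample data: two "reg export" snapshots of the Services hive, taken
# before and after a ServiceDll is repointed the way the steps above describe.
# Regedit writes REG_EXPAND_SZ as hex(2): UTF-16LE bytes with "\" line continuations.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Example\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\example.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
  73,00,77,00,73,00,6f,00,63,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00
"""
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Example\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\example.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,62,00,\
  6f,00,6f,00,79,00,61,00,68,00,2e,00,64,00,6c,00,6c,00,00,00
"""

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ, or hex(2): comma-separated UTF-16LE bytes."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if not raw.startswith("hex(2):"):
        raise ValueError("unsupported value encoding: " + raw[:16])
    data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
    return data.decode("utf-16-le").rstrip("\x00")

def parse_service_dlls(reg_export):
    """Map service name -> ServiceDll path for each Services\\<svc>\\Parameters key."""
    text = re.sub(r",\\\r?\n\s*", ",", reg_export)  # join regedit's continuation lines
    dlls, service = {}, None
    for line in text.splitlines():
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            parts = key.group(1).split("\\")
            in_params = len(parts) > 2 and parts[-1].lower() == "parameters" and parts[-3].lower() == "services"
            service = parts[-2] if in_params else None
        elif service and (val := re.match(r'^"ServiceDll"=(.*)$', line, re.IGNORECASE)):
            dlls[service] = decode_value(val.group(1))
    return dlls

def changed_service_dlls(before, after):
    """Services whose ServiceDll is new or differs between snapshots: {svc: (old, new)}."""
    old, new = parse_service_dlls(before), parse_service_dlls(after)
    return {svc: (old.get(svc), dll) for svc, dll in new.items() if old.get(svc) != dll}
```

On a real host, take the baseline with `reg export HKLM\SYSTEM\CurrentControlSet\Services baseline.reg` before testing and feed both files to `changed_service_dlls`; the Nla entry shows up while the untouched Example service does not.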

What's next? If you've done malware analysis before, you know you should have been capturing ALL network traffic from this host. Continue sniffing and looking for interesting things. Capture all of the traffic to disk with tcpdump, tshark or daemonlogger. Then run it through Snort with the Emerging Threats ruleset or ngrep looking for interesting strings. The possibilities are endless.

Oh yeah, don't forget to put this behind some kind of firewall or filtering device so you can keep a handle on it. I've got mine sitting behind a Vyatta-based bridging firewall that is working quite well for this use. I'm also sniffing directly on the bridged interface.

Conficker Eye Chart

Joe Stewart put together a great little page that leverages the feature of Conficker that blocks certain websites. I've mirrored that content here to save Joe some bandwidth.

The page is really simple in that it loads images from the different websites. If you're infected, you'll see images missing. He has included a chart on how to determine what you might be infected with. If you are infected, check out the Internet Storm Center's page full of links on how to get cleaned up.