Friday, April 30, 2010

Honeynet Forensics Contest

Challenge 3 of the Forensic Challenge 2010 - Banking Troubles

Synopsis:





The Challenge:


"Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything, however recently they have had unusual activity in their bank account. Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found. Questions can be found below to help in the formal report for the investigation."


[source: https://www.honeynet.org/challenges/2010_3_banking_troubles]

1.  List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)

Using the Volatility plugin pslist, the processes firefox.exe (Pid 888) and AcroRd32.exe (Pid 1752) stand out as the probable attack vectors.  Note that Pid 888 (firefox.exe) is the parent of Acrobat Reader, Pid 1752.  Two further Pids, 644 (winlogon.exe) and 880 (svchost.exe), will be discussed later.

$ python volatility pslist -f Bob.vmem

Name                 Pid    PPid   Thds   Hnds   Time  
System               4      0      58     573    Thu Jan 01 00:00:00 1970  
smss.exe             548    4      3      21     Fri Feb 26 03:34:02 2010  
csrss.exe            612    548    12     423    Fri Feb 26 03:34:04 2010  
winlogon.exe         644    548    21     521    Fri Feb 26 03:34:04 2010  
services.exe         688    644    16     293    Fri Feb 26 03:34:05 2010  
lsass.exe            700    644    22     416    Fri Feb 26 03:34:06 2010  
vmacthlp.exe         852    688    1      35     Fri Feb 26 03:34:06 2010  
svchost.exe          880    688    28     340    Fri Feb 26 03:34:07 2010  
svchost.exe          948    688    10     276    Fri Feb 26 03:34:07 2010  
svchost.exe          1040   688    83     1515   Fri Feb 26 03:34:07 2010  
svchost.exe          1100   688    6      96     Fri Feb 26 03:34:07 2010  
svchost.exe          1244   688    19     239    Fri Feb 26 03:34:08 2010  
spoolsv.exe          1460   688    11     129    Fri Feb 26 03:34:10 2010  
vmtoolsd.exe         1628   688    5      220    Fri Feb 26 03:34:25 2010  
VMUpgradeHelper      1836   688    4      108    Fri Feb 26 03:34:34 2010  
alg.exe              2024   688    7      130    Fri Feb 26 03:34:35 2010  
explorer.exe         1756   1660   14     345    Fri Feb 26 03:34:38 2010  
VMwareTray.exe       1108   1756   1      59     Fri Feb 26 03:34:39 2010  
VMwareUser.exe       1116   1756   4      179    Fri Feb 26 03:34:39 2010  
wscntfy.exe          1132   1040   1      38     Fri Feb 26 03:34:40 2010  
msiexec.exe          244    688    5      181    Fri Feb 26 03:46:06 2010  
msiexec.exe          452    244    0      -1     Fri Feb 26 03:46:07 2010  
wuauclt.exe          440    1040   8      188    Sat Feb 27 19:48:49 2010  
wuauclt.exe          232    1040   4      136    Sat Feb 27 19:49:11 2010  
firefox.exe          888    1756   9      172    Sat Feb 27 20:11:53 2010  
AcroRd32.exe         1752   888    8      184    Sat Feb 27 20:12:23 2010  
svchost.exe          1384   688    9      101    Sat Feb 27 20:12:36 2010 

Using the 'dot' output feature of the psscan2 plugin it is possible to generate a visual tree view of the process relationships.

$ python volatility psscan2 -d -f Bob.vmem > output.dot
$ dot -Tpng:cairo:gd output.dot -o example.png



2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)

$ python volatility sockets -f Bob.vmem

Pid    Port   Proto  Create Time               
4      0      47     Fri Feb 26 03:35:00 2010  
1040   68     17     Sat Feb 27 20:12:35 2010  
880    1185   6      Sat Feb 27 20:12:36 2010  
4      1030   6      Fri Feb 26 03:35:00 2010  
700    500    17     Fri Feb 26 03:34:26 2010  
4      138    17     Sat Feb 27 19:48:57 2010  
1244   1189   6      Sat Feb 27 20:12:37 2010  
1040   1181   17     Sat Feb 27 20:12:35 2010  
1100   1047   17     Fri Feb 26 03:43:12 2010  
880    30301  6      Sat Feb 27 20:12:36 2010  
4      445    6      Fri Feb 26 03:34:02 2010  
1040   123    17     Sat Feb 27 19:48:57 2010  
948    135    6      Fri Feb 26 03:34:07 2010  
1752   1178   6      Sat Feb 27 20:12:32 2010  
888    1168   6      Sat Feb 27 20:11:53 2010  
1752   1177   17     Sat Feb 27 20:12:32 2010  
1244   2869   6      Sat Feb 27 20:12:37 2010  
1040   123    17     Sat Feb 27 19:48:57 2010  
888    1171   6      Sat Feb 27 20:11:53 2010  
700    0      255    Fri Feb 26 03:34:26 2010  
1100   1025   17     Fri Feb 26 03:34:34 2010  
1244   1900   17     Sat Feb 27 19:48:57 2010  
1040   1182   17     Sat Feb 27 20:12:35 2010  
4      139    6      Sat Feb 27 19:48:57 2010  
1040   1186   17     Sat Feb 27 20:12:36 2010  
2024   1026   6      Fri Feb 26 03:34:35 2010  
888    1172   6      Sat Feb 27 20:11:53 2010  
888    1176   6      Sat Feb 27 20:12:28 2010  
1244   1900   17     Sat Feb 27 19:48:57 2010  
880    1184   6      Sat Feb 27 20:12:36 2010  
700    4500   17     Fri Feb 26 03:34:26 2010  
4      137    17     Sat Feb 27 19:48:57 2010  
4      445    17     Fri Feb 26 03:34:02 2010  
888    1169   6      Sat Feb 27 20:11:53 2010  


How about filtering by the suspicious Pids?

$ python volatility sockets -f Bob.vmem > sockets.txt


Create a text file 'pids' listing 880, 888, 640, and 1752

$ grep -f pids sockets.txt

Pid    Port   Proto  Create Time
880    1185   6      Sat Feb 27 20:12:36 2010  
880    30301  6      Sat Feb 27 20:12:36 2010  
1752   1178   6      Sat Feb 27 20:12:32 2010  
888    1168   6      Sat Feb 27 20:11:53 2010  
1752   1177   17     Sat Feb 27 20:12:32 2010  
888    1171   6      Sat Feb 27 20:11:53 2010  
888    1172   6      Sat Feb 27 20:11:53 2010  
888    1176   6      Sat Feb 27 20:12:28 2010  
880    1184   6      Sat Feb 27 20:12:36 2010  
888    1169   6      Sat Feb 27 20:11:53 2010  

Reorder by date/time:

Pid    Port   Proto  Create Time
888    1168   6      Sat Feb 27 20:11:53 2010
888    1171   6      Sat Feb 27 20:11:53 2010  
888    1172   6      Sat Feb 27 20:11:53 2010  
888    1169   6      Sat Feb 27 20:11:53 2010
888    1176   6      Sat Feb 27 20:12:28 2010

1752   1178   6      Sat Feb 27 20:12:32 2010 
1752   1177   17     Sat Feb 27 20:12:32 2010 
880    1185   6      Sat Feb 27 20:12:36 2010  

880    30301  6      Sat Feb 27 20:12:36 2010  
880    1184   6      Sat Feb 27 20:12:36 2010

$ python volatility connections -f Bob.vmem

Local Address             Remote Address            Pid   
192.168.0.176:1176        212.150.164.203:80        888   
192.168.0.176:1184        193.104.22.71:80          880   
127.0.0.1:1168            127.0.0.1:1169            888   
127.0.0.1:1169            127.0.0.1:1168            888   
192.168.0.176:2869        192.168.0.1:30379         1244  
192.168.0.176:1178        212.150.164.203:80        1752  
192.168.0.176:1185        193.104.22.71:80          880   
192.168.0.176:1171        66.249.90.104:80          888   
192.168.0.176:2869        192.168.0.1:30380         4     
192.168.0.176:1189        192.168.0.1:9393          1244  
192.168.0.176:1172        66.249.91.104:80          888

Here is the condensed series of events:
  1. Firefox is running under Pid 888
  2. Adobe Reader opens a socket under Pid 1752
  3. Svchost.exe opens a socket under Pid 880
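The filtering, joining and reordering done above with grep and by hand can be scripted.  The following Python is an added example (it is not code from the original write-up or from the Volatility project): it parses the text output of the pslist and sockets plugins, walks the PPid chain for a process, and joins the socket list with process names so that a chosen set of Pids can be ordered by socket creation time.  The embedded input is a constructed subset of the listings above, and the function names are my own.

```python
from datetime import datetime

# Constructed sample: a subset of the pslist and sockets output shown above.
PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      58     573    Thu Jan 01 00:00:00 1970
winlogon.exe         644    548    21     521    Fri Feb 26 03:34:04 2010
services.exe         688    644    16     293    Fri Feb 26 03:34:05 2010
svchost.exe          880    688    28     340    Fri Feb 26 03:34:07 2010
explorer.exe         1756   1660   14     345    Fri Feb 26 03:34:38 2010
firefox.exe          888    1756   9      172    Sat Feb 27 20:11:53 2010
AcroRd32.exe         1752   888    8      184    Sat Feb 27 20:12:23 2010
svchost.exe          1384   688    9      101    Sat Feb 27 20:12:36 2010
"""

SOCKETS = """\
Pid    Port   Proto  Create Time
4      445    6      Fri Feb 26 03:34:02 2010
880    1185   6      Sat Feb 27 20:12:36 2010
1752   1178   6      Sat Feb 27 20:12:32 2010
888    1168   6      Sat Feb 27 20:11:53 2010
1752   1177   17     Sat Feb 27 20:12:32 2010
880    30301  6      Sat Feb 27 20:12:36 2010
888    1176   6      Sat Feb 27 20:12:28 2010
880    1184   6      Sat Feb 27 20:12:36 2010
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"          # e.g. "Sat Feb 27 20:12:36 2010"
PROTO = {6: "tcp", 17: "udp"}


def parse_pslist(text):
    """Return {pid: {...}} from the text output of the pslist plugin."""
    procs = {}
    for line in text.strip().splitlines()[1:]:        # skip the header row
        f = line.split()
        procs[int(f[1])] = {
            "name": f[0], "ppid": int(f[2]),
            "threads": int(f[3]), "handles": int(f[4]),
            "start": datetime.strptime(" ".join(f[5:10]), TIME_FMT),
        }
    return procs


def parse_sockets(text):
    """Return a list of socket records from the text output of the sockets plugin."""
    socks = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        socks.append({
            "pid": int(f[0]), "port": int(f[1]),
            "proto": PROTO.get(int(f[2]), f[2]),
            "created": datetime.strptime(" ".join(f[3:8]), TIME_FMT),
        })
    return socks


def lineage(procs, pid):
    """Follow the PPid chain upwards until the parent is missing from the
    listing (an exited parent, such as Pid 1660 here) or a loop is detected."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return chain


def socket_timeline(procs, socks, pids):
    """Sockets owned by the given pids, joined with the process name and
    ordered by creation time (then pid and port, for stable output)."""
    rows = [(s["created"], s["pid"], procs.get(s["pid"], {}).get("name", "?"),
             s["port"], s["proto"])
            for s in socks if s["pid"] in pids]
    return sorted(rows, key=lambda r: (r[0], r[1], r[3]))


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    print(" <- ".join(lineage(procs, 1752)))
    for created, pid, name, port, proto in socket_timeline(procs, parse_sockets(SOCKETS), {880, 888, 1752}):
        print(created.strftime(TIME_FMT), pid, name, port, proto)
```

Run against the full plugin output the same ordering appears: the firefox.exe sockets first, then Acrobat Reader's, then the three svchost.exe (Pid 880) sockets created within the same second.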

3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)

Volatility includes a plugin, strings, that answers this directly; however, it requires as input a list of strings paired with their hexadecimal offsets.  Using strings on my *nix machine failed to produce the input that Volatility desired.  Using strings.exe from Sysinternals, as suggested in the Volatility README.txt, worked as expected.

Generate strings output:

c:\strings.exe -a -o -n 5 Bob.vmem > Bob.vmem.strings

Use the Volatility plugin strings to associate particular URLs with a Pid:

$ python volatility strings -s Bob.vmem.strings -f Bob.vmem > output.strings

Pid 880 / svchost.exe / URLs:

/~produkt/983745213424/34650798253 HTTP/1.1
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php
POST /~produkt/9j856f_4m9y8urb.php HTTP/1.1
http://193.104.22.71/~produkt/69825439870/73846525#N
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php&N
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php

Pid 888 / firefox.exe / URLs (duplicates removed):

http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
GET /cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/favicon.ico

Pid 1752 / AcroRd32.exe / URLs:

http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=1
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=3
http://search-network-plus.com/load.php?a=a&st=Internet%20Explorer%206.0&e=2
http://www.oldversion.com/download/firefox1502.exe
Path: kontera.com/

Other suspect URLs found in the memory dump:

[kernel:8047dae8 ] http://kona.kontera.com/javascript/lib/KonaLibInline.js
[kernel:8047dde8 ] http://kona.kontera.com/javascript/lib/2010_02_24_2/KonaBase.js
[kernel:8047df68 ] http://kona5.kontera.com/KonaGet.js?u=1267155818664&p=116534&k=http%3A//www.oldversion.com/Acrobat-Reader.htmlIE&al=1&l=http%3A//www.oldversion.com/Acro
[1756:1265568 ] Visited: Administrator@http://www.oldversion.com/download/acrobat60.exe
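The strings plugin writes one line per string, prefixed by the file offset and a bracketed list of owner:vaddr pairs (a Pid or "kernel").  As an added example, not code from the write-up or from Volatility, the script below parses that layout, collects the URLs per owner, matches their hosts against the domains and addresses the reputation checks in the next section flag as malicious, and runs the keyword search used later for the banking URL.  The sample input is constructed: three lines are taken from the output above, the remaining offsets and virtual addresses are invented, and the function names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of Volatility "strings" plugin output.  Each line is
# "<file offset> [owner:vaddr owner:vaddr ...] <string>"; owner is a Pid or
# "kernel".  The first three lines come from the output shown above; the
# remaining offsets and virtual addresses are made up for the example.
SAMPLE = """\
[kernel:8047dae8 ] http://kona.kontera.com/javascript/lib/KonaLibInline.js
[1756:1265568 ] Visited: Administrator@http://www.oldversion.com/download/acrobat60.exe
360893288  [644:1312b68 ] Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
41234567  [880:7a2f10 1384:7a2f10 ] http://193.104.22.71/~produkt/9j856f_4m9y8urb.php
41234600  [880:7a2f60 ] POST /~produkt/9j856f_4m9y8urb.php HTTP/1.1
52000000  [888:1f0a00 ] http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
"""

# Hosts the reputation checks flagged as confirmed malicious.
BAD_HOSTS = {"search-network-plus.com", "193.104.22.71"}

LINE_RE = re.compile(r"^(?:(\d+)\s+)?\[([^\]]*)\]\s*(.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_strings_output(text):
    """Return a list of (file_offset, [owner, ...], string) for each parsable line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1)) if m.group(1) else None
        owners = [tok.split(":", 1)[0] for tok in m.group(2).split()]
        records.append((offset, owners, m.group(3)))
    return records


def urls_by_owner(records):
    """Map each owner (Pid or 'kernel') to the sorted, de-duplicated URLs in its strings."""
    found = defaultdict(set)
    for _, owners, s in records:
        for url in URL_RE.findall(s):      # a URL may sit mid-string, e.g. after "Visited: user@"
            for owner in owners:
                found[owner].add(url)
    return {owner: sorted(urls) for owner, urls in found.items()}


def match_indicators(by_owner, bad_hosts):
    """Owners whose URLs point at a known-bad host, with the matching URLs."""
    hits = {}
    for owner, urls in by_owner.items():
        matched = [u for u in urls if (urlparse(u).hostname or "") in bad_hosts]
        if matched:
            hits[owner] = matched
    return hits


def grep_urls(by_owner, needle):
    """Case-insensitive substring search over all URLs, e.g. needle='bank'."""
    needle = needle.lower()
    return {o: [u for u in urls if needle in u.lower()]
            for o, urls in by_owner.items() if any(needle in u.lower() for u in urls)}


if __name__ == "__main__":
    by = urls_by_owner(parse_strings_output(SAMPLE))
    for owner, urls in match_indicators(by, BAD_HOSTS).items():
        print(owner, urls)
    print(grep_urls(by, "bank"))
```

Owners sharing one physical page (the 880/1384 line) both receive the URL, which is how a string from a shared or injected region shows up under more than one Pid.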

Domain Reputation

Not all of the URLs found in the memory dump were malicious.  Searching various IP reputation sources provided useful clues to identify the malware.  Some sites yielded no results for a given domain/address while others identified malicious sites.  My research of each found that for reliable results at least three different sources should be used when checking a domain or IP address reputation.


A few recommended sites are...
  • http://google.com
  • http://www.trustedsource.org/query/
  • http://www.malwaredomainlist.com/mdl.php
  • http://www.mywot.com/
  • http://www.malwareurl.com/index.php
  • http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=microsoft.com

Domain: search-network-plus.com
Status: Confirmed Malicious - documented ZeuS botnet and PDF exploits


Domain/IP:  193.104.22.71
Status: Confirmed Malicious - documented ZeuS botnet


Domain: www.oldversion.com
Status: Reports of Malicious Content


Although the domain receives a respectable rating (somewhat questionable in itself) it is not without warning!



Domain: kona.kontera.com
Status: Confirmed Malicious

4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)

At this point it is clear that some processes are initiating connections to ZeuS botnet C&C servers.  With confirmation that this is a bot produced by the ZeuS malware toolkit, looking at Pid 644 (winlogon.exe) shows that this banking-related URL is present:

$ grep -i bank pid.644.strings
360893288  [644:1312b68 ] Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)

Volatility again provides a plugin, files, to show open files, and it lists a great deal of information.  Time for some data reduction!  Redirect the output to a file, then search that file ('files') for the keywords in a 'dirtywords' list of known bad file names associated with ZeuS bots.

File dirtywords contains:

local.ds
user.ds
ntos.exe
oembios.exe
sdra64.exe
sysproc32.sys
sysproc86.sys
local.ds
user.ds
twext.exe
audio.dll
video.dll

Dump process files to a file:

$ volatility files -f Bob.vmem > files

Next step, grep for any of the dirtywords in the process file output.

$ grep -nif dirtywords files
41:File   \WINDOWS\system32\sdra64.exe            
44:File   \WINDOWS\system32\lowsec\user.ds        
177:File   \WINDOWS\system32\lowsec\local.ds       
267:File   \WINDOWS\system32\lowsec\user.ds.lll    

Positive hits... we are on the right track.

  • sdra64.exe (malicious executable, child of winlogon.exe Pid 644)
  • user.ds  (stolen information stored here, child of winlogon.exe Pid 644)
  • local.ds (encrypted config, child of winlogon.exe Pid 644)
  • user.ds.lll (child of svchost.exe Pid 880)

Previously the banking URL was found in Pid 644 (winlogon.exe).  The malicious files associated with Pid 644 are new to this analysis; so far only Pids 888, 880, and 1752 had been examined.

6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)

The initial process, AcroRd32.exe (Pid 1752), was exploited by a malicious PDF document.  To identify the technique used to exploit the host, the document must be analyzed.  The PDF can be extracted manually or carved using foremost.  The latter approach was applied and produced 63 potential PDF documents.

Configure foremost.conf to only search for and extract PDF headers/footers (%PDF- and %EOF):

./foremost -i Bob.vmem -c foremost.conf

foremost extracts 63 PDF documents to analyze.  Thankfully, a set of PDF parsing tools from Didier Stevens makes this an easy task.  The tool pdf-parser.py can search for terms embedded in the document.  Looking for keywords such as "javascript" is a good first step.

Using another for loop to search through the directory of PDFs generated by foremost shows some interesting output: namely, x86 NOP bytes filled the terminal, which is a good indication that bad stuff is to follow.

for i in ./output/pdf/*.pdf; do echo -n "File $i "; pdf-parser.py --search javascript "$i"; done


The PDF 00769000.pdf (MD5 32faa35102a6d56a86260b5535ba14d6) was found to contain this NOP bounty.  Uploading to VirusTotal shows that only Avast detects the presence of Zbot.



Looking for the shell code:

Browsing the binary PDF with xxd the start of a PE executable is visible.


Other fragments:


pdfid shows the following objects contained within this PDF.  No low-hanging fruit such as JavaScript or JBIG2Decode.

$ pdfid.py 00769000.pdf
PDFiD 0.0.10 00769000.pdf
 PDF Header: %PDF-1.4
 obj                   77
 endobj                75
 stream                21
 endstream             21
 xref                   1
 trailer                1
 startxref              1
 /Page                  3
 /Encrypt               0
 /ObjStm                3
 /JS                    0
 /JavaScript            0
 /AA                    0
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Colors > 2^24         0

After hours of attempts, inflating the object streams proved fruitless.  Ideally, one of the object streams of type "file" would contain one or more payloads, which may be further obfuscated.
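The triage steps above (search the carved files for JavaScript, notice the NOP run, look for a PE header with xxd, count the structural keywords with pdfid) can be combined into one first-pass scanner.  The script below is an added example, not code from the write-up or from Didier Stevens' tools: it counts the same keywords pdfid reports while undoing #xx hex escapes in names (so an obfuscated /J#53 is still counted as /JS), measures the longest run of 0x90 bytes, and looks for MZ headers whose e_lfanew actually points at a PE signature.  The sample PDF is constructed for the example; the keyword list and the 32-byte sled threshold are my choices.

```python
import re
import struct

# Constructed sample PDF: small but syntactically plausible, carrying the
# tell-tale markers a triage pass should catch.  Object 4 hides /JS behind
# a hex-escaped name (/J#53); object 5's stream holds a 48-byte run of x86
# NOPs (0x90) followed by a minimal MZ/PE header.
_MZ_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"   # e_lfanew at 0x3c
_PAYLOAD = b"\x90" * 48 + _MZ_PE
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    + b"4 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj\n"
    + b"5 0 obj << /Length " + str(len(_PAYLOAD)).encode() + b" >> stream\n"
    + _PAYLOAD + b"\nendstream endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# The keywords pdfid reports (the /Colors > 2^24 check is left out here).
KEYWORDS = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
            "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
            "/AcroForm", "/JBIG2Decode", "/RichMedia"]
RISKY = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/JBIG2Decode", "/RichMedia"}
NOP_SLED_MIN = 32                      # consecutive 0x90 bytes before we call it a sled

_NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data):
    """Undo #xx hex escapes inside PDF names so that /J#53 is counted as /JS."""
    return _NAME_RE.sub(
        lambda m: _HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0)), data)


def count_keywords(data):
    """Count each keyword as a whole token, so 'obj' does not match inside 'endobj'
    and '/Page' does not match '/Pages'."""
    data = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        pat = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        if not kw.startswith("/"):
            pat = rb"(?<![A-Za-z0-9])" + pat
        counts[kw] = len(re.findall(pat, data))
    return counts


def longest_nop_run(data):
    """Length of the longest run of 0x90 bytes anywhere in the file."""
    return max((len(m.group(0)) for m in re.finditer(rb"\x90+", data)), default=0)


def find_pe_headers(data):
    """Offsets of MZ headers whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def triage(data):
    """One-shot summary of a carved PDF: structure, risky keywords, sled, embedded PE."""
    kw = count_keywords(data)
    nop = longest_nop_run(data)
    pe = find_pe_headers(data)
    return {
        "header": data.startswith(b"%PDF-"), "eof": b"%%EOF" in data,
        "keywords": kw, "longest_nop_run": nop, "pe_offsets": pe,
        "suspicious": any(kw[k] for k in RISKY) or nop >= NOP_SLED_MIN or bool(pe),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_PDF).items():
        print(k, v)
```

Run over a directory of carved files, the "suspicious" flag is a ranking aid, not a verdict: a file with nothing but /ObjStm entries, as in 00769000.pdf above, still needs the object streams inflated by hand.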

7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what was a possible payload of the initial exploit that would be affecting the victim’s bank account? (2pts)

From answer to question 5...

  • sdra64.exe (malicious executable, child of winlogon.exe Pid 644)
  • user.ds  (stolen information stored here, child of winlogon.exe Pid 644)
  • local.ds (encrypted config, child of winlogon.exe Pid 644)
  • user.ds.lll (child of svchost.exe Pid 880)

An additional payload would include a banker/trojan malware which steals banking login information.

8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)

To complete this section the additional plugin malfind2 was installed along with its dependencies.

Sample 1: The extracted binary malfind.644.a10000-a2cfff.dmp from process 644 is detected as Zbot:

$ volatility malfind2 -p 644 -d malware -f Bob.vmem



Sample 2: The extracted binary malfind.880.720000-73cfff.dmp from process 880 is detected as Zbot:

$ volatility malfind2 -p 880 -d malware -f Bob.vmem


The majority of AV scanners detect this malware.

9. Are there any related registry entries associated with the payload? (4pts)

This is a three-step process.  First, use the hivescan plugin to enumerate all the memory offsets where registry hives can be found:

$ python volatility hivescan -f Bob.vmem

Offset          (hex)          
44658696        0x2a97008      
44686176        0x2a9db60      
48529416        0x2e48008      
55269896        0x34b5a08      
57399112        0x36bd748      
59082008        0x3858518      
70588752        0x4351950      
111029088       0x69e2b60      
114539360       0x6d3bb60      
121604960       0x73f8b60      
180321120       0xabf7b60      
191408992       0xb68ab60      
244959264       0xe99c820   
 

Volatility plugin hivelist will show the offsets needed for the SOFTWARE registry hive.  To quickly parse through all the offsets listed in the output above, save the hex offset values into a file (hive.offsets) and loop through them with the hivelist plugin.

$ for i in `cat hive.offsets`; do python volatility hivelist -f Bob.vmem -o $i; done

(output omitted for brevity)


$ python volatility hivelist -f Bob.vmem -o 0x36bd748

Address      Name
0xe151ea08   \WINDOWS\system32\config\SAM
0xe153e518   \WINDOWS\system32\config\SECURITY
0xe139d008   [no name]
0xe1035b60   \WINDOWS\system32\config\system
0xe102e008   [no name]
0xe1d6cb60   \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1de0b60   \Documents and Settings\Administrator\NTUSER.DAT
0xe1769b60   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17deb60   \Documents and Settings\LocalService\NTUSER.DAT
0xe1797b60   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17a3820   \Documents and Settings\NetworkService\NTUSER.DAT
0xe1526748   \WINDOWS\system32\config\software
0xe15a3950   \WINDOWS\system32\config\default

Display the values for key Winlogon:

$ python volatility printkey -o 0xe1526748 -f Bob.vmem "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"

Key name: Winlogon (Stable)
Last updated: Sat Feb 27 12:12:34 2010

Subkeys:
   GPExtensions (Stable)
   Notify (Stable)
   SpecialAccounts (Stable)
   GPExtensions (Stable)
   Notify (Stable)
   SpecialAccounts (Stable)

Values:
REG_DWORD AutoRestartShell : 1 (Stable)
REG_SZ    DefaultDomainName : BOB-DCADFEDC55C (Stable)
REG_SZ    DefaultUserName : Administrator (Stable)
REG_SZ    LegalNoticeCaption :  (Stable)
REG_SZ    LegalNoticeText :  (Stable)
REG_SZ    PowerdownAfterShutdown : 0 (Stable)
REG_SZ    ReportBootOk : 1 (Stable)
REG_SZ    Shell      : Explorer.exe (Stable)
REG_SZ    ShutdownWithoutLogon : 0 (Stable)
REG_SZ    System     :  (Stable)
REG_SZ    Userinit   : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_SZ    VmApplet   : rundll32 shell32,Control_RunDLL "sysdm.cpl" (Stable)
REG_DWORD SfcQuota   : 4294967295 (Stable)
REG_SZ    allocatecdroms : 0 (Stable)
REG_SZ    allocatedasd : 0 (Stable)
REG_SZ    allocatefloppies : 0 (Stable)
REG_SZ    cachedlogonscount : 10 (Stable)
REG_DWORD forceunlocklogon : 0 (Stable)
REG_DWORD passwordexpirywarning : 14 (Stable)
REG_SZ    scremoveoption : 0 (Stable)
REG_DWORD AllowMultipleTSSessions : 1 (Stable)
REG_EXPAND_SZ UIHost     : logonui.exe (Stable)
REG_DWORD LogonType  : 1 (Stable)
REG_SZ    Background : 0 0 0 (Stable)
REG_SZ    AutoAdminLogon : 0 (Stable)
REG_SZ    DebugServerCommand : no (Stable)
REG_DWORD SFCDisable : 0 (Stable)
REG_SZ    WinStationsDisabled : 0 (Stable)
REG_DWORD HibernationPreviouslyEnabled : 1 (Stable)
REG_DWORD ShowLogonOptions : 0 (Stable)
REG_SZ    AltDefaultUserName : Administrator (Stable)
REG_SZ    AltDefaultDomainName : BOB-DCADFEDC55C (Stable)

The malware persistence mechanism is the Userinit value above: C:\WINDOWS\system32\sdra64.exe has been appended after the legitimate userinit.exe, so Winlogon starts the malware at every logon.
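Checking the Winlogon values for this kind of tampering is easy to automate.  The script below is an added example (not code from the write-up or from Volatility): it parses the printkey output format shown above and compares Userinit, Shell and UIHost against the stock Windows XP values, reporting any extra entries.  The sample is a constructed subset of the listing above, and the expected-value table and function names are my own.

```python
import re

# Constructed sample: the relevant lines of the printkey output shown above.
WINLOGON_DUMP = r"""
Key name: Winlogon (Stable)
Last updated: Sat Feb 27 12:12:34 2010

Values:
REG_SZ    DefaultUserName : Administrator (Stable)
REG_SZ    LegalNoticeCaption :  (Stable)
REG_SZ    Shell      : Explorer.exe (Stable)
REG_SZ    Userinit   : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_EXPAND_SZ UIHost     : logonui.exe (Stable)
REG_SZ    AutoAdminLogon : 0 (Stable)
"""

# "REG_TYPE   Name : data (Stable|Volatile)"; the data may be empty.
VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s*:\s*(.*?)\s*\((Stable|Volatile)\)\s*$")

# What a stock Windows XP Winlogon key is expected to hold (compared case-insensitively).
EXPECTED = {
    "Userinit": [r"c:\windows\system32\userinit.exe"],
    "Shell": ["explorer.exe"],
    "UIHost": ["logonui.exe"],
}


def parse_printkey(text):
    """Return {value_name: (reg_type, data)} from the 'Values:' section of printkey output."""
    values = {}
    in_values = False
    for line in text.splitlines():
        if line.startswith("Values:"):
            in_values = True
            continue
        if not in_values:
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group(2)] = (m.group(1), m.group(3))
    return values


def _entries(data):
    """Split a comma-separated Winlogon value into lower-cased, non-empty entries."""
    return [e.strip().lower() for e in data.split(",") if e.strip()]


def check_winlogon(values):
    """Report entries in Userinit/Shell/UIHost beyond the expected stock values,
    and any of them that no longer references the stock binary at all."""
    findings = []
    for name, expected in EXPECTED.items():
        if name not in values:
            continue
        _, data = values[name]
        entries = _entries(data)
        extra = [e for e in entries if e not in expected]
        if extra:
            findings.append(f"{name} has unexpected entries: {extra}")
        if not any(e in expected for e in entries):
            findings.append(f"{name} no longer references the stock binary: {data!r}")
    return findings


if __name__ == "__main__":
    for finding in check_winlogon(parse_printkey(WINLOGON_DUMP)):
        print(finding)
```

The split on commas matters: Userinit is a comma-separated list, and the trailing comma after sdra64.exe is normal for this value, so only the entries between the commas are judged.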

10. What technique was used in the initial exploit to inject code in to the other processes? (6pts)

  1. The user is logged in as Administrator, permitting all sorts of promiscuous behaviour
  2. JavaScript shellcode served to the browser as a PDF which is handled by Acrobat Reader
  3. See evidence of the kernel interacting with JavaScript from the domain kontera.com
  4. Shellcode is successful in exploiting the Acrobat Reader flaw; a trojan downloader retrieves the bot and executes it
  5. Once the bot is executed it unpacks and decrypts itself into winlogon.exe, sets up a persistence mechanism and spawns a process via services.exe -> svchost.exe to begin communicating with the C&C servers.

User searches for old versions of software, finds Acrobat Reader 6.0
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.msn.com
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/Acrobat-Reader.html
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download/acrobat60.exe
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download_Acrobat_Reader_6.0.html

Feb 26 03:34:04 2010, Source: Processes, Name: winlogon.exe ,Pid: 644 ,PPid: 548
Feb 26 03:34:05 2010, Source: Processes, Name: services.exe ,Pid: 688 ,PPid: 644

User again searches for old software, this time it's Firefox 1.5.0.2
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/Mozilla-Firefox.html
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download/firefox1502.exe
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html

Firefox started
Feb 27 20:11:53 2010, Source: Processes, Name: firefox.exe ,Pid: 888 ,PPid: 1756

Acrobat Reader started and is exploited
Feb 27 20:12:23 2010, Source: Processes, Name: AcroRd32.exe ,Pid: 1752 ,PPid: 888
Feb 27 20:12:28 2010, Source: Socket, PID: 888,Port: 1176, Protocol: 6
Feb 27 20:12:32 2010, Source: Socket, PID: 1752,Port: 1177, Protocol: 17
Feb 27 20:12:32 2010, Source: Socket, PID: 1752,Port: 1178, Protocol: 6

Feb 27 12:12:34 2010, Winlogon Registry Key Last Update Time (Note: Hour is off by -8, but the minutes and seconds are right in line with the chain of events.  The registry is recorded in UTC, the TimeZoneInformation registry value indicates EST.)

Svchost.exe opens three sockets and connects to C&C server
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 1184, Protocol: 6
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 1185, Protocol: 6
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 30301, Protocol: 6


Resources

Contest URL: https://www.honeynet.org/challenges/2010_3_banking_troubles
https://zeustracker.abuse.ch/faq.php
http://www.fortiguard.com/analysis/zeusanalysis.html

Disclaimer
These are my answers which have not been validated against the official results.  Updates/corrections will be made if necessary once the results are published.  Feedback and comments are always welcome.



Other interesting bits...

User appears to own a D-Link home router/firewall at 192.168.0.1 and a client at 192.168.0.176

Typed the search term "old software" into Google:

http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20sof&cp=7
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20soft&cp=8
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20software&cp=12
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20software&cp=12
http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=

Time stamps found in the memdump:

:2010022720100228: Administrator@http://www.msn.com
:2010022720100228: Administrator@http://www.google.com
:2010022720100228: Administrator@http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
:2010022720100228: Administrator@http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
:2010022720100228: Administrator@http://www.oldversion.com
:2010022720100228: Administrator@http://www.oldversion.com/Mozilla-Firefox.html
:2010022720100228: Administrator@http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html
:2010022720100228: Administrator@http://www.oldversion.com/download/firefox1502.exe

:2010022520100226: Administrator@http://www.msn.com
:2010022520100226: Administrator@http://www.google.com
:2010022520100226: Administrator@http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
:2010022520100226: Administrator@http://www.oldversion.com
:2010022520100226: Administrator@http://www.oldversion.com/Acrobat-Reader.html
:2010022520100226: Administrator@http://www.oldversion.com/download_Acrobat_Reader_6.0.html
:2010022520100226: Administrator@http://www.oldversion.com/download/acrobat60.exe

Visited: Administrator@http://www.google.com
Visited: Administrator@http://www.msn.com
Visited: Administrator@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Visited: Administrator@http://www.oldversion.com/download/acrobat60.exe
Visited: Administrator@http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
Visited: Administrator@http://www.oldversion.com
Visited: Administrator@http://www.oldversion.com/Acrobat-Reader.html
Visited: Administrator@http://www.oldversion.com/download_Acrobat_Reader_6.0.html
Visited: Administrator@http://home.microsoft.com
Visited: Administrator@http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
Visited: Administrator@http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=

Visited: Administrator@http://www.oldversion.com/Mozilla-Firefox.html
Visited: Administrator@http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html
Visited: Administrator@http://www.oldversion.com/download/firefox1502.exe

User appears to have been presented with some HTML snippets from ads or email containing the malicious URL:

Seems to be redirected to the kontera domain from oldversion.com:

http://te.kontera.com/ContentLink/ContentLink?publisherId=116534&layout=adlinks&sId=142&cb=1267300209&creative=L&cn=us&pRfr=http%3A//www.oldversion.com/Mozilla-Firefox.html&pRfr=&keys=Mozilla%20Firefox;browser;Application;development&kids=45239;682919;461663;595008&iit=1;1;1;1&index=0&cbl=0&ab=1&onf=1&omk=1&resultNum=1&time=5500&dc_aff_id=&bt=1&mod=27&rId=116534_1267300209255_05828260058095254&prev_page=http%3A//www.oldversion.com/&ptv=&ur=1&sids=5544;7753;19447;-0-0-7753;6497;&tag=0



Friday, April 9, 2010

SANS Network Forensic Puzzle #4

Okay, it's overdue and I'm getting further and further behind my usual walk through of the SANS forensics puzzles (This may be the last as I'm losing interest.).  So here it is!  Please feel free to contact me if you have any questions or corrections.

1. What was the IP address of Mr. X’s scanner?

Using Wireshark, navigate to Statistics and select IP Addresses... ignore the Filter dialog and just click Create Stat


In this sample we can easily identify the top talker...


Judging by the high count of packets being generated by 10.42.42.253 it is very likely the source of the scanning activity in this PCAP.

2. For the FIRST port scan that Mr. X conducted, what type of port scan was it?

(Note: the scan consisted of many thousands of packets.) Pick one:

* TCP SYN
* TCP ACK
* UDP
* TCP Connect
* TCP XMAS
* TCP RST


This is where (in my humble opinion) a command line tool excels: to confirm what type of scan it is we need to systematically run through the possibilities:

If you are unfamiliar with Wireshark/Tshark display filter syntax, a 1 indicates that the bit is set (true) and a 0 indicates that it is not set (false).  See the reference links at the end of this article to brush up on TCP flags and their values.

TCP SYN (0x02) - Search for segments containing only the SYN flag from the scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags.cwr == 0 && tcp.flags.ecn == 0 && tcp.flags.urg == 0 && tcp.flags.ack == 0 && tcp.flags.push == 0 && tcp.flags.reset == 0 &&  tcp.flags.syn == 1 && tcp.flags.fin == 0" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

...that's a mess.  You could try something more straightforward using the hexadecimal value for the SYN bit:

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x02" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 7414 matches - Not bad; it seems like this could be a SYN scan.


TCP ACK (0x10) - Search for segments containing only the ACK flag from the scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x10" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 11 matches - Compared to the previous result this is not likely the scan we are looking for.


UDP - Search for a large number of UDP packets from the scanner

$ tshark -R "ip.src == 10.42.42.253 && udp" -Tfields -e frame -e ip.src -e ip.dst -e udp.dstport -r evidence04.pcap

Result: 8 matches - that's less than TCP ACK, so the odds are not good that this is a UDP scan.


TCP Connect (0x10) - The attributes of a TCP Connect scan are similar to a SYN scan, so we cannot simply look for the SYN packets.  Unlike the SYN scan, the TCP Connect scan will complete the 3-way TCP handshake by sending the ACK packet back to the target if it receives a SYN/ACK.  The results of searching for segments with the ACK flag sent from the scanner could be misleading if there were an ACK scan in progress.  We need more data!  Inspecting the previous packet in the sequence (note the addition of tcp.stream in the tshark fields list) it is possible to associate it with a SYN/ACK from the target, thus confirming the presence of a TCP Connect scan.

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x10" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream -r evidence04.pcap


Output:
Frame 791     10.42.42.253    10.42.42.50    139    0x10    390
Frame 4389     10.42.42.253    10.42.42.50    135    0x10    2235
Frame 13531     10.42.42.253    10.42.42.50    135    0x10    7413
Frame 13532     10.42.42.253    10.42.42.50    139    0x10    7414
Frame 13543     10.42.42.253    10.42.42.50    135    0x10    7415
Frame 13547     10.42.42.253    10.42.42.50    135    0x10    7415
Frame 13593     10.42.42.253    10.42.42.56    1    0x10    7425
Frame 13594     10.42.42.253    10.42.42.25    1    0x10    7426
Frame 13606     10.42.42.253    10.42.42.50    135    0x10    7431
Frame 13610     10.42.42.253    10.42.42.50    1    0x10    7433
Frame 13622     10.42.42.253    10.42.42.56    1    0x10    7425

(Note: I like to include the frame number for ease of locating the packet in Wireshark.)



Result: 11 matches - not too many - if this were an ACK scan there would be hundreds or thousands of ACK packets coming from the scanner.  In the output above, let's look at the first TCP stream identified as 390:

$ tshark -R "tcp.stream eq 390" -Tfields  -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream -r evidence04.pcap

Frame 779     10.42.42.253    10.42.42.50    139    0x02    390
Frame 786     10.42.42.50    10.42.42.253    56257    0x12    390
Frame 791     10.42.42.253    10.42.42.50    139    0x10    390
Frame 821     10.42.42.253    10.42.42.50    139    0x14    390

The sequence above confirms that this is *not* a SYN scan, since the scanner responded to the target's SYN/ACK (flag 0x12) with an ACK (flag 0x10) instead of a RST.  In addition, the small number of ACK packets does not indicate an ACK scan.  Given the evidence above, it appears that this first scan is a TCP Connect scan.
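The per-stream check described above, as an added example that is not code from the original post: it reads the same six tshark fields (frame, ip.src, ip.dst, tcp.dstport, tcp.flags, tcp.stream, tab separated as tshark prints them by default) and labels every stream the scanner opened by how the scanner reacted to the target's SYN/ACK. Stream 390 is copied from the output above; the other two streams, the scanner address as a default and the label names are constructed for the example.

```python
"""Tell a TCP Connect scan from a SYN scan using tshark -Tfields output.

Added example, not code from the original post.  It consumes the six
fields the post extracts (frame, ip.src, ip.dst, tcp.dstport, tcp.flags,
tcp.stream; tab separated, tshark's default) and labels each tcp.stream
by how the scanner reacted to the target's SYN/ACK.
"""
from collections import defaultdict

# TCP flag bits as tshark prints them in tcp.flags (low byte only).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

SCANNER = "10.42.42.253"

# Constructed sample.  Stream 390 mirrors the frames shown in the post
# (scanner completes the handshake, then tears it down with RST/ACK).
# Streams 7431 and 7440 are hypothetical: a half-open probe answered with
# a bare RST, and a probe of a closed port answered by the target's RST/ACK.
SAMPLE = """\
Frame 779\t10.42.42.253\t10.42.42.50\t139\t0x02\t390
Frame 786\t10.42.42.50\t10.42.42.253\t56257\t0x12\t390
Frame 791\t10.42.42.253\t10.42.42.50\t139\t0x10\t390
Frame 821\t10.42.42.253\t10.42.42.50\t139\t0x14\t390
Frame 900\t10.42.42.253\t10.42.42.50\t135\t0x02\t7431
Frame 901\t10.42.42.50\t10.42.42.253\t40001\t0x12\t7431
Frame 902\t10.42.42.253\t10.42.42.50\t135\t0x04\t7431
Frame 950\t10.42.42.253\t10.42.42.50\t22\t0x02\t7440
Frame 951\t10.42.42.50\t10.42.42.253\t40002\t0x14\t7440
"""


def parse_tshark_fields(text):
    """Yield (frame, src, dst, dport, flags, stream) from -Tfields lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, dst, dport, flags, stream = line.split("\t")
        # "-e frame" prints "Frame N" on old tshark; "-e frame.number"
        # prints just N on newer ones.  Taking the last token handles both.
        yield (int(frame.split()[-1]), src, dst, int(dport),
               int(flags, 16), int(stream))


def classify_streams(text, scanner=SCANNER):
    """Return {tcp.stream: label} for every stream in the input.

    connect_scan : scanner answered the SYN/ACK with an ACK (handshake done)
    syn_scan     : scanner answered the SYN/ACK with a RST (half-open)
    closed_port  : target answered the SYN with RST/ACK
    no_response  : nothing came back (filtered, or packet not captured)
    """
    by_stream = defaultdict(list)
    for rec in parse_tshark_fields(text):
        by_stream[rec[5]].append(rec)

    labels = {}
    for sid, pkts in by_stream.items():
        pkts.sort(key=lambda r: r[0])          # chronological by frame
        label, saw_synack = "no_response", False
        for _frame, src, _dst, _dport, flags, _sid in pkts:
            if src != scanner:
                if flags & (SYN | ACK) == (SYN | ACK):
                    saw_synack = True          # port is open
                elif flags & RST:
                    label = "closed_port"
                    break
            elif saw_synack:
                # The scanner's first packet after the SYN/ACK decides it.
                if flags & RST:
                    label = "syn_scan"
                elif flags & ACK:
                    label = "connect_scan"
                break
        labels[sid] = label
    return labels


def scan_type(text, scanner=SCANNER):
    """Overall verdict: 'connect' if any stream completed the handshake."""
    labels = set(classify_streams(text, scanner).values())
    if "connect_scan" in labels:
        return "connect"
    if "syn_scan" in labels:
        return "syn"
    return "unknown"


if __name__ == "__main__":
    for sid, label in sorted(classify_streams(SAMPLE).items()):
        print(f"tcp.stream {sid}: {label}")
    print("verdict:", scan_type(SAMPLE))
```

Feed it the real capture with `tshark -Tfields -e frame.number -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream -r evidence04.pcap` piped into `classify_streams`; a capture where every open port ends in `syn_scan` is a half-open scan, while `connect_scan` labels confirm what the single stream 390 shows above.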

To be thorough the XMAS and RST scans are examined next.

TCP XMAS
(0x31) - Search for FIN, PSH, and URG flags from scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x31" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 0 matches


TCP RST
(0x04) - Search for RST segments from SRC

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x04" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 10 matches - the output contains only one destination IP, so it is not a host enumeration scan.


Side Note: Here is a little exercise that will extract the flag values and create a list counting the frequency of each type. 

Step 1: Extract SRC IP, DST IP, DST Port and TCP Flags field and save it to a CSV file:

$ tshark -R "ip.src == 10.42.42.253" -Tfields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -E separator=, -r evidence04.pcap >> output.txt

Now, although you could just extract the header field above, I extracted additional fields so I can reuse it to analyze ports and target IPs.

So now we just need to pluck the TCP flags field from output.txt:

$ awk -F, '{print $4}' output.txt | sort -u > list.txt

Should look something like this:

$ cat list.txt

0x00
0x02
0x04
0x10
0x11
0x14
0x18
0x29
0x2b
0xc2

Step 2.  That gives you a distinct list of all the TCP flag values in hexadecimal format.  Now let's generate a count of each with this Bash loop:

$ for i in `cat list.txt`; do echo -n "TCP Flag: $i, Count: " ; grep -c $i output.txt; done
TCP Flag: 0x00, Count: 1
TCP Flag: 0x02, Count: 7414
TCP Flag: 0x04, Count: 10
TCP Flag: 0x10, Count: 11
TCP Flag: 0x11, Count: 3
TCP Flag: 0x14, Count: 2
TCP Flag: 0x18, Count: 3
TCP Flag: 0x29, Count: 4
TCP Flag: 0x2b, Count: 1
TCP Flag: 0xc2, Count: 1

Using this flag frequency information alone, the answer to this challenge question would be inaccurate.
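The same frequency count done in one pass, as an added example rather than code from the original post: it reads the CSV produced in Step 1, skips the empty fields tshark emits for non-TCP packets, and decodes every hex value into flag names. Scanners set several flags at once, so it is worth decoding each value before deciding which one to search for. The sample rows, the `scan_hint` wording and the function names are constructed for the example.

```python
"""Decode and count the TCP flag values extracted in Step 1.

Added example, not code from the original post.  It replaces the
sort -u / grep -c loop with one pass over output.txt and turns each
hex value into flag names so the probe shape each value implies is
visible at a glance.
"""
from collections import Counter

# Bit values as tshark prints tcp.flags (includes the ECN bits and NS).
FLAG_BITS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
             (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
             (0x100, "NS")]
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed stand-in for output.txt (ip.src,ip.dst,tcp.dstport,tcp.flags).
# The last line is what tshark emits for a non-TCP packet: empty fields.
SAMPLE_CSV = """\
10.42.42.253,10.42.42.50,139,0x02
10.42.42.253,10.42.42.50,135,0x02
10.42.42.253,10.42.42.50,139,0x10
10.42.42.253,10.42.42.50,139,0x14
10.42.42.253,10.42.42.56,80,0x29
10.42.42.253,10.42.42.56,80,0x29
10.42.42.253,10.42.42.56,80,0x00
10.42.42.253,10.42.42.56,80,0xc2
10.42.42.253,10.42.42.56,,
"""


def flag_names(value):
    """['FIN', 'PSH', 'URG'] for 0x29, [] for a NULL probe (0x00)."""
    return [name for bit, name in FLAG_BITS if value & bit]


def scan_hint(value):
    """Name the probe shape a flag combination usually indicates."""
    low = value & 0x3F                      # ignore ECN/NS bits when matching
    return {
        0: "NULL probe",
        SYN: "SYN (SYN or Connect scan, or a normal client)",
        ACK: "bare ACK (ACK scan, or 3rd step of a completed handshake)",
        FIN: "FIN probe",
        FIN | PSH | URG: "XMAS probe",
    }.get(low, "")


def count_flags(csv_text):
    """Counter {flag_value: occurrences}; non-TCP rows (empty field) skipped."""
    counts = Counter()
    for line in csv_text.splitlines():
        fields = line.split(",")
        if len(fields) < 4 or not fields[3]:
            continue
        counts[int(fields[3], 16)] += 1
    return counts


def flag_report(csv_text):
    """Sorted rows of (hex, count, names, hint) ready for printing."""
    return [(f"0x{value:02x}", n, "|".join(flag_names(value)) or "-",
             scan_hint(value))
            for value, n in sorted(count_flags(csv_text).items())]


if __name__ == "__main__":
    for hexval, n, names, hint in flag_report(SAMPLE_CSV):
        print(f"TCP Flag: {hexval}, Count: {n}, {names:<12} {hint}")
```

Run it against the real output.txt by passing the file contents to `flag_report`; the hint column tells you immediately which of the distinct values in list.txt are worth a second tshark search.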

3. What were the IP addresses of the targets Mr. X discovered?

With this command you can quickly find a distinct list of targets (DST IP)

$ tshark -R "ip.dst" -Tfields -e ip.dst -r evidence04.pcap | sort -u -t . -k1,1n -k2,2n -k3,3n -k4,4n
10.42.42.25
10.42.42.50
10.42.42.56
10.42.42.253
10.255.255.255

So throwing out the broadcast and the known source (scanner) you can identify the targets 10.42.42.25, 10.42.42.50, and 10.42.42.56.

4. What was the MAC address of the Apple system he found?

Borrowing the command line foo from Puzzle #3 the MAC OUI Vendors can be extracted like this:

$ for i in `tshark -R eth.src -Tfields -e eth.src -r evidence04.pcap  | sort -u`; do echo -n "$i OUI Vendor: "; VALUE=`echo $i | awk -F":" '{print $1 ":" $2 ":"  $3}'`; grep -i $VALUE oui.txt | awk '{print $2}';done
00:16:cb:92:6e:dc OUI Vendor: AppleCompu
00:23:8b:82:1f:4a OUI Vendor: QuantaComp
00:26:22:cb:1e:79 OUI Vendor: CompalInfo
70:5a:b6:51:d7:b2 OUI Vendor: CompalInfo

5. What was the IP address of the Windows system he found?

By elimination, known IP addresses are:

10.255.255.255 - Broadcast
10.42.42.25 - Apple Macintosh
10.42.42.253 - Scanning System
10.42.42.50 - ?
10.42.42.56 - ?

Does either of these unidentified hosts respond to the SYN probes?  A Wireshark display filter for SYN+ACK from a specific SRC IP address can reveal which services responded... Well-known Microsoft-specific services answering indicate that a Windows machine is responding to the probe.

Try either the .50 or .56 hosts in the 'ip.src==' filter below

ip.src == 10.42.42.50 && tcp.flags.ack ==1 && tcp.flags.syn == 1

Only .50 replies with both the SYN+ACK TCP flags set, which reveals that the port is open and something acknowledged the SYN - presumably a Windows service on this well-known port (MS-RPC on port 135).

Curiously .50 is also talking to the Apple system on TCP/139 (NetBIOS/SMB - File and Printer Sharing) which the attacker also probed.



Answer: 10.42.42.50

6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)


TCP/135
TCP/139


X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? Can you reconstruct the output from the tool, roughly the way Mr. X would have seen it?

It's everyone's favorite scanner nmap of course! To do this answer justice it would be another week before I finish, so I will just recommend reading this article (http://www.aldeid.com/index.php/Network-forensics/Puzzle4#Tools) which is extremely informative on the topic.

