Challenge 3 of the Forensic Challenge 2010 - Banking Troubles
Synopsis:
The Challenge:
"Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything, however recently they have had unusual activity in their bank account. Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found. Questions can be found below to help in the formal report for the investigation."
[source: https://www.honeynet.org/challenges/2010_3_banking_troubles]
1. List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)
From the output of the Volatility pslist plugin, firefox.exe (Pid 888) and AcroRd32.exe (Pid 1752) are the probable attack vectors. Note that Pid 888 is the parent of the Acrobat Reader process Pid 1752, i.e. the PDF was opened from the browser. Pids 644 (winlogon.exe) and 880 (svchost.exe) will be discussed later.
$ python volatility pslist -f Bob.vmem
Name Pid PPid Thds Hnds Time
System 4 0 58 573 Thu Jan 01 00:00:00 1970
smss.exe 548 4 3 21 Fri Feb 26 03:34:02 2010
csrss.exe 612 548 12 423 Fri Feb 26 03:34:04 2010
winlogon.exe 644 548 21 521 Fri Feb 26 03:34:04 2010
services.exe 688 644 16 293 Fri Feb 26 03:34:05 2010
lsass.exe 700 644 22 416 Fri Feb 26 03:34:06 2010
vmacthlp.exe 852 688 1 35 Fri Feb 26 03:34:06 2010
svchost.exe 880 688 28 340 Fri Feb 26 03:34:07 2010
svchost.exe 948 688 10 276 Fri Feb 26 03:34:07 2010
svchost.exe 1040 688 83 1515 Fri Feb 26 03:34:07 2010
svchost.exe 1100 688 6 96 Fri Feb 26 03:34:07 2010
svchost.exe 1244 688 19 239 Fri Feb 26 03:34:08 2010
spoolsv.exe 1460 688 11 129 Fri Feb 26 03:34:10 2010
vmtoolsd.exe 1628 688 5 220 Fri Feb 26 03:34:25 2010
VMUpgradeHelper 1836 688 4 108 Fri Feb 26 03:34:34 2010
alg.exe 2024 688 7 130 Fri Feb 26 03:34:35 2010
explorer.exe 1756 1660 14 345 Fri Feb 26 03:34:38 2010
VMwareTray.exe 1108 1756 1 59 Fri Feb 26 03:34:39 2010
VMwareUser.exe 1116 1756 4 179 Fri Feb 26 03:34:39 2010
wscntfy.exe 1132 1040 1 38 Fri Feb 26 03:34:40 2010
msiexec.exe 244 688 5 181 Fri Feb 26 03:46:06 2010
msiexec.exe 452 244 0 -1 Fri Feb 26 03:46:07 2010
wuauclt.exe 440 1040 8 188 Sat Feb 27 19:48:49 2010
wuauclt.exe 232 1040 4 136 Sat Feb 27 19:49:11 2010
firefox.exe 888 1756 9 172 Sat Feb 27 20:11:53 2010
AcroRd32.exe 1752 888 8 184 Sat Feb 27 20:12:23 2010
svchost.exe 1384 688 9 101 Sat Feb 27 20:12:36 2010
Using the 'dot' output feature of the psscan2 plugin it is possible to generate a visual tree view of the processes relationships.
$ python volatility psscan2 -d -f Bob.vmem > output.dot
$ dot -Tpng:cairo:gd output.dot -o example.png
2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)
$ python volatility sockets -f Bob.vmem
Pid Port Proto Create Time
4 0 47 Fri Feb 26 03:35:00 2010
1040 68 17 Sat Feb 27 20:12:35 2010
880 1185 6 Sat Feb 27 20:12:36 2010
4 1030 6 Fri Feb 26 03:35:00 2010
700 500 17 Fri Feb 26 03:34:26 2010
4 138 17 Sat Feb 27 19:48:57 2010
1244 1189 6 Sat Feb 27 20:12:37 2010
1040 1181 17 Sat Feb 27 20:12:35 2010
1100 1047 17 Fri Feb 26 03:43:12 2010
880 30301 6 Sat Feb 27 20:12:36 2010
4 445 6 Fri Feb 26 03:34:02 2010
1040 123 17 Sat Feb 27 19:48:57 2010
948 135 6 Fri Feb 26 03:34:07 2010
1752 1178 6 Sat Feb 27 20:12:32 2010
888 1168 6 Sat Feb 27 20:11:53 2010
1752 1177 17 Sat Feb 27 20:12:32 2010
1244 2869 6 Sat Feb 27 20:12:37 2010
1040 123 17 Sat Feb 27 19:48:57 2010
888 1171 6 Sat Feb 27 20:11:53 2010
700 0 255 Fri Feb 26 03:34:26 2010
1100 1025 17 Fri Feb 26 03:34:34 2010
1244 1900 17 Sat Feb 27 19:48:57 2010
1040 1182 17 Sat Feb 27 20:12:35 2010
4 139 6 Sat Feb 27 19:48:57 2010
1040 1186 17 Sat Feb 27 20:12:36 2010
2024 1026 6 Fri Feb 26 03:34:35 2010
888 1172 6 Sat Feb 27 20:11:53 2010
888 1176 6 Sat Feb 27 20:12:28 2010
1244 1900 17 Sat Feb 27 19:48:57 2010
880 1184 6 Sat Feb 27 20:12:36 2010
700 4500 17 Fri Feb 26 03:34:26 2010
4 137 17 Sat Feb 27 19:48:57 2010
4 445 17 Fri Feb 26 03:34:02 2010
888 1169 6 Sat Feb 27 20:11:53 2010
How about filtering by the suspicious Pids?
$ python volatility sockets -f Bob.vmem > sockets.txt
Create a text file 'pids' listing 880, 888, 644 and 1752, one per line (644 is winlogon.exe; it owns no sockets, so it does not appear below). The -w switch stops a Pid from matching inside a port number.
$ grep -wf pids sockets.txt
Pid Port Proto Create Time
880 1185 6 Sat Feb 27 20:12:36 2010
880 30301 6 Sat Feb 27 20:12:36 2010
1752 1178 6 Sat Feb 27 20:12:32 2010
888 1168 6 Sat Feb 27 20:11:53 2010
1752 1177 17 Sat Feb 27 20:12:32 2010
888 1171 6 Sat Feb 27 20:11:53 2010
888 1172 6 Sat Feb 27 20:11:53 2010
888 1176 6 Sat Feb 27 20:12:28 2010
880 1184 6 Sat Feb 27 20:12:36 2010
888 1169 6 Sat Feb 27 20:11:53 2010
Reorder by date/time:
Pid Port Proto Create Time
888 1168 6 Sat Feb 27 20:11:53 2010
888 1171 6 Sat Feb 27 20:11:53 2010
888 1172 6 Sat Feb 27 20:11:53 2010
888 1169 6 Sat Feb 27 20:11:53 2010
888 1176 6 Sat Feb 27 20:12:28 2010
1752 1178 6 Sat Feb 27 20:12:32 2010
1752 1177 17 Sat Feb 27 20:12:32 2010
880 1185 6 Sat Feb 27 20:12:36 2010
880 30301 6 Sat Feb 27 20:12:36 2010
880 1184 6 Sat Feb 27 20:12:36 2010
$ python volatility connections -f Bob.vmem
Local Address Remote Address Pid
192.168.0.176:1176 212.150.164.203:80 888
192.168.0.176:1184 193.104.22.71:80 880
127.0.0.1:1168 127.0.0.1:1169 888
127.0.0.1:1169 127.0.0.1:1168 888
192.168.0.176:2869 192.168.0.1:30379 1244
192.168.0.176:1178 212.150.164.203:80 1752
192.168.0.176:1185 193.104.22.71:80 880
192.168.0.176:1171 66.249.90.104:80 888
192.168.0.176:2869 192.168.0.1:30380 4
192.168.0.176:1189 192.168.0.1:9393 1244
192.168.0.176:1172 66.249.91.104:80 888
Here is the condensed series of events, with the owning process taken from pslist:
- Firefox (Pid 888) opens its first sockets at 20:11:53, connects to the 66.249.x.x addresses (Google) and, at 20:12:28, to 212.150.164.203:80
- Adobe Reader (Pid 1752) opens sockets at 20:12:32 and also connects to 212.150.164.203:80
- svchost.exe (Pid 880), a service host that has been running since boot, opens three sockets at 20:12:36 (1184, 1185 and 30301) and connects twice to 193.104.22.71:80
A service host talking to an external address on port 80 four seconds after Acrobat Reader went online is the suspicious entry. Pid 1244 (svchost.exe) and Pid 4 (System) only talk to the local gateway 192.168.0.1.
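The join done by hand above (process table, socket table, connection table, all keyed on Pid) is easy to script. The following is an added example, not code from the original write-up; it runs over a constructed subset of the three tables shown on this page. The list of "system" process names and the rule "a system process with a remote endpoint that is neither private nor loopback is suspicious" are assumptions of this example, not something Volatility provides.

```python
"""Join Volatility pslist / sockets / connections output by Pid, order the
socket activity in time and flag system processes talking to the Internet.
Added example; the tables below are constructed subsets of the page's output."""
import ipaddress
from datetime import datetime

TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed subset of the pslist table above.
PSLIST = """\
Name Pid PPid Thds Hnds Time
explorer.exe 1756 1660 14 345 Fri Feb 26 03:34:38 2010
svchost.exe 880 688 28 340 Fri Feb 26 03:34:07 2010
svchost.exe 1244 688 19 239 Fri Feb 26 03:34:08 2010
firefox.exe 888 1756 9 172 Sat Feb 27 20:11:53 2010
AcroRd32.exe 1752 888 8 184 Sat Feb 27 20:12:23 2010
svchost.exe 1384 688 9 101 Sat Feb 27 20:12:36 2010
"""

# Constructed subset of the sockets table above.
SOCKETS = """\
Pid Port Proto Create Time
880 30301 6 Sat Feb 27 20:12:36 2010
1752 1178 6 Sat Feb 27 20:12:32 2010
888 1168 6 Sat Feb 27 20:11:53 2010
888 1176 6 Sat Feb 27 20:12:28 2010
880 1184 6 Sat Feb 27 20:12:36 2010
"""

# Constructed subset of the connections table above.
CONNECTIONS = """\
Local Address Remote Address Pid
192.168.0.176:1176 212.150.164.203:80 888
192.168.0.176:1184 193.104.22.71:80 880
127.0.0.1:1168 127.0.0.1:1169 888
192.168.0.176:2869 192.168.0.1:30379 1244
192.168.0.176:1178 212.150.164.203:80 1752
192.168.0.176:1185 193.104.22.71:80 880
"""

# Assumption: on a workstation these Windows components have no business
# opening connections to public addresses.
SYSTEM_PROCS = {"svchost.exe", "winlogon.exe", "services.exe", "lsass.exe", "csrss.exe", "smss.exe"}
PROTO = {6: "tcp", 17: "udp"}


def parse_pslist(text):
    """Map Pid -> {name, ppid, start} from pslist output (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        name, pid, ppid, _thds, _hnds, when = line.split(None, 5)
        procs[int(pid)] = {"name": name, "ppid": int(ppid),
                           "start": datetime.strptime(when, TIME_FMT)}
    return procs


def parse_sockets(text):
    """List of {pid, port, proto, time} from sockets output."""
    socks = []
    for line in text.splitlines()[1:]:
        pid, port, proto, when = line.split(None, 3)
        socks.append({"pid": int(pid), "port": int(port),
                      "proto": PROTO.get(int(proto), proto),
                      "time": datetime.strptime(when, TIME_FMT)})
    return socks


def parse_connections(text):
    """List of {pid, local, remote_ip, remote_port} from connections output."""
    conns = []
    for line in text.splitlines()[1:]:
        local, remote, pid = line.split()
        rhost, rport = remote.rsplit(":", 1)
        conns.append({"pid": int(pid), "local": local,
                      "remote_ip": ipaddress.ip_address(rhost), "remote_port": int(rport)})
    return conns


def ancestry(procs, pid):
    """Process names from pid up to the first parent missing from the table."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def network_timeline(procs, socks):
    """Socket creations in time order, each tied to its owning process name."""
    events = [(s["time"], s["pid"], procs.get(s["pid"], {}).get("name", "?"),
               "{}/{}".format(s["proto"], s["port"])) for s in socks]
    return sorted(events)


def suspicious_connections(procs, conns):
    """System processes with a remote endpoint that is neither loopback nor private."""
    flagged = []
    for c in conns:
        name = procs.get(c["pid"], {}).get("name", "?")
        ip = c["remote_ip"]
        if name in SYSTEM_PROCS and not (ip.is_private or ip.is_loopback):
            flagged.append({"pid": c["pid"], "name": name,
                            "remote": "{}:{}".format(ip, c["remote_port"]),
                            "ancestry": ancestry(procs, c["pid"])})
    return flagged


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    for when, pid, name, sock in network_timeline(procs, parse_sockets(SOCKETS)):
        print(when, pid, name, sock)
    for hit in suspicious_connections(procs, parse_connections(CONNECTIONS)):
        print("SUSPICIOUS", hit)
```

On the constructed input the timeline comes out as 888, 888, 1752, 880, 880 and the only flagged process is svchost.exe Pid 880 (twice, once per connection to 193.104.22.71:80); the 1244 svchost.exe talking to 192.168.0.1 is private-range and passes. Swap the embedded tables for the real plugin output (redirected to files and read in) to run it against Bob.vmem.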
3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)
Volatility includes a plugin, strings, that maps each string to the process (or the kernel) owning the physical page it lives in, which is exactly what this question needs. Its input is a list of strings, each paired with its decimal offset into the image. GNU strings on a *nix machine did not produce input Volatility would accept: its -o switch is shorthand for -t o and prints octal offsets, whereas the -o switch of Sysinternals strings.exe prints decimal offsets. Using strings.exe from Sysinternals, as suggested in the Volatility README.txt, worked as expected. Generate strings output:
c:\strings.exe -a -o -n 5 Bob.vmem > Bob.vmem.strings
Use the Volatility plugin strings to associate particular URLs with a Pid:
$ python volatility strings -s Bob.vmem.strings -f Bob.vmem > output.strings
Pid 880 / svchost.exe / URLs:
/~produkt/983745213424/34650798253 HTTP/1.1
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php
POST /~produkt/9j856f_4m9y8urb.php HTTP/1.1
http://193.104.22.71/~produkt/69825439870/73846525#N
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php&N
http://193.104.22.71/~produkt/9j856f_4m9y8urb.php
Pid 888 / firefox.exe / URLs (duplicates removed):
http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
GET /cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/favicon.ico
Pid 1752 / AcroRd32.exe / URLs:
http://search-network-plus.com/cache/PDF.php?st=Internet%20Explorer%206.0
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=1
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=2
http://search-network-plus.com/load.php?a=a&st=Internet Explorer 6.0&e=3
http://search-network-plus.com/load.php?a=a&st=Internet%20Explorer%206.0&e=2
http://www.oldversion.com/download/firefox1502.exe
Path: kontera.com/
Other suspect URLs found in the memory dump:
[kernel:8047dae8 ] http://kona.kontera.com/javascript/lib/KonaLibInline.js
[kernel:8047dde8 ] http://kona.kontera.com/javascript/lib/2010_02_24_2/KonaBase.js
[kernel:8047df68 ] http://kona5.kontera.com/KonaGet.js?u=1267155818664&p=116534&k=http%3A//www.oldversion.com/Acrobat-Reader.htmlIE&al=1&l=http%3A//www.oldversion.com/Acro
[1756:1265568 ] Visited: Administrator@http://www.oldversion.com/download/acrobat60.exe
Domain Reputation
Not all of the URLs found in the memory dump were malicious. Searching various IP reputation sources provided useful clues to identify the malware. Some sites yielded no results for a given domain/address while others identified malicious sites. For reliable results at least three different sources should be consulted when checking a domain or IP address reputation. A few recommended sites are...
- http://google.com
- http://www.trustedsource.org/query/
- http://www.malwaredomainlist.com/mdl.php
- http://www.mywot.com/
- http://www.malwareurl.com/index.php
- http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=microsoft.com
Domain: search-network-plus.com
Status: Confirmed Malicious - documented ZeuS botnet and PDF exploits
Domain/IP: 193.104.22.71
Status: Confirmed Malicious - documented ZeuS botnet
Domain: www.oldversion.com
Status: Reports of Malicious Content
Although the domain receives a respectable rating (somewhat questionable in itself) it is not without warning!
Status: Confirmed Malicious
4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)
At this point it is clear that some processes are initiating connections to ZeuS botnet C&C servers. With that confirmation, the strings attributed to Pid 644 (winlogon.exe), saved as pid.644.strings, show this banking-related URL. The # and * are URL-mask wildcards of the kind used in ZeuS configuration files, so this string is consistent with the bot's decrypted target list rather than with a URL the user visited:
$ grep -i bank pid.644.strings
360893288 [644:1312b68 ] Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)
Volatility again provides a plugin, files, that lists the file handles held by every process, which is a lot of output. Time for some data reduction: redirect the output to a file, then search that file for keywords from a 'dirtywords' list of file names known to be associated with ZeuS bots. File dirtywords contains:
local.ds
user.ds
ntos.exe
oembios.exe
sdra64.exe
sysproc32.sys
sysproc86.sys
twext.exe
audio.dll
video.dll
Dump process files to a file:
$ volatility files -f Bob.vmem > files
Next step, grep for any of the dirtywords in the process file output.
$ grep -nif dirtywords files
41:File \WINDOWS\system32\sdra64.exe
44:File \WINDOWS\system32\lowsec\user.ds
177:File \WINDOWS\system32\lowsec\local.ds
267:File \WINDOWS\system32\lowsec\user.ds.lll
Positive hits... we are on the right track.
- sdra64.exe (malicious executable; handle held by winlogon.exe Pid 644)
- user.ds (stolen information is stored here; handle held by winlogon.exe Pid 644)
- local.ds (encrypted configuration; handle held by winlogon.exe Pid 644)
- user.ds.lll (handle held by svchost.exe Pid 880)
Previously the banking URL was found in Pid 644 (winlogon.exe). Malicious files associated with Pid 644 are new in this analysis; so far Pids 888, 880 and 1752 have been examined.
6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)
The initial process, AcroRd32.exe (Pid 1752), was exploited by a malicious PDF document. To identify the technique used, the document itself must be analysed. The PDF can be extracted manually or carved from the image with foremost. The latter approach was applied: foremost.conf was configured to search only for the PDF header/footer pair (%PDF- and %EOF), and the run produced 63 potential PDF documents.
./foremost -i Bob.vmem -c foremost.conf
foremost extracts 63 PDF documents to analyse. Thankfully, the PDF tools from Didier Stevens make this an easy task. pdf-parser.py can search for terms embedded in the document; looking for keywords such as "javascript" is a good first step.
Looping over the directory of PDFs generated by foremost shows some interesting output, namely a run of x86 NOPs (0x90) filling the terminal, which is a good indication that shellcode follows.
for i in ./output/pdf/*.pdf; do echo "File $i"; pdf-parser.py --search javascript "$i"; done
The PDF 00769000.pdf (MD5 32faa35102a6d56a86260b5535ba14d6) was found to contain this NOP sled. Uploading it to VirusTotal shows that only Avast detects it, as Zbot.
Looking for the shellcode: browsing the carved PDF with xxd, the start of a PE executable (an embedded payload) is visible.
Other fragments:
pdfid shows the following object counts for this PDF. There is no low-hanging fruit such as /JavaScript or /JBIG2Decode, but note the three object streams (/ObjStm): pdfid only scans the raw bytes of the file, so names inside a compressed object stream are not counted until the stream is inflated.
$ pdfid.py 00769000.pdf
PDFiD 0.0.10 00769000.pdf
PDF Header: %PDF-1.4
obj 77
endobj 75
stream 21
endstream 21
xref 1
trailer 1
startxref 1
/Page 3
/Encrypt 0
/ObjStm 3
/JS 0
/JavaScript 0
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Colors > 2^24 0
After hours of attempts, inflating the object streams proved fruitless. Ideally, one of the object streams (for example one carrying an embedded file) would contain one or more payloads, possibly further obfuscated.
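The zero counts pdfid reports are only trustworthy for names that sit in the clear; with three /ObjStm objects the interesting names may be inside FlateDecode data. The following added example (not code from the write-up or from Didier Stevens' tools) counts the pdfid name set twice: once over the raw bytes, as pdfid does, and once after inflating every FlateDecode stream. The sample PDF is constructed inline and only exists to show the difference; it is not the carved 00769000.pdf.

```python
"""Count risky PDF names in the raw bytes (what pdfid sees) and again after
inflating FlateDecode streams, where names hidden in /ObjStm objects live.
Added example; SAMPLE_PDF is constructed here, not carved from Bob.vmem."""
import re
import zlib

# The names pdfid reports, plus /Launch and /EmbeddedFile.
NAMES = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
         b"/JBIG2Decode", b"/ObjStm", b"/EmbeddedFile")

# 'stream' keyword not preceded by 'end', followed by the newline that starts the data.
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")


def count_names(data):
    """Count each name token; a trailing letter would make it a different name."""
    return {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", data))
            for n in NAMES}


def iter_streams(pdf):
    """Yield (dictionary_bytes, raw_stream_bytes) for every stream object."""
    for m in STREAM_KW.finditer(pdf):
        obj_start = pdf.rfind(b" obj", 0, m.start())
        dictionary = pdf[(obj_start if obj_start != -1 else 0):m.start()]
        # Direct /Length only; '/Length 6 0 R' is an indirect reference we do not resolve.
        lengths = re.findall(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
        start = m.end()
        if lengths:
            end = start + int(lengths[-1])
        else:
            end = pdf.find(b"endstream", start)
            if end == -1:
                end = len(pdf)
        yield dictionary, pdf[start:end]


def inflate(raw):
    """Decompress FlateDecode data; tolerate the truncated tails carving produces."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(raw)  # partial output, no end check
        except zlib.error:
            return b""


def scan(pdf):
    """Return (surface_counts, deep_counts).

    surface: counts over the raw file, equivalent to what pdfid reports.
    deep:    surface plus everything found inside inflated FlateDecode streams.
    """
    surface = count_names(pdf)
    deep = dict(surface)
    for dictionary, raw in iter_streams(pdf):
        if b"/FlateDecode" not in dictionary:
            continue  # uncompressed streams were already counted in the raw pass
        for name, n in count_names(inflate(raw)).items():
            deep[name] += n
    return surface, deep


# Constructed sample: one object stream whose only visible name is /ObjStm;
# the /JavaScript action is inside the compressed data, invisible to a byte scan.
_HIDDEN = b"2 0 << /S /JavaScript /JS (app.alert(1)) >>"
_PACKED = zlib.compress(_HIDDEN)
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length "
              + str(len(_PACKED)).encode() + b" /Filter /FlateDecode >>\nstream\n"
              + _PACKED + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    surface, deep = scan(SAMPLE_PDF)
    for name in surface:
        print("{:14} raw={} inflated={}".format(name, surface[name], deep[name]))
```

Run against the carved files, the raw pass reproduces pdfid's numbers and the inflated pass tells you whether the three object streams are hiding anything; for a specific object, pdf-parser.py --object N --filter dumps the same inflated content for inspection. Indirect /Length values fall back to searching for the endstream keyword, which can be wrong if the compressed data happens to contain it.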
7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what was a possible payload of the initial exploit be that would be affecting the victim’s bank account? (2pts)
From the answer to question 5:
- sdra64.exe (malicious executable, child of winlogon.exe Pid 644)
- user.ds (stolen information stored here, child of winlogon.exe Pid 644)
- local.ds (encrypted config, child of winlogon.exe Pid 644)
- user.ds.lll (child of svchost.exe Pid 880)
An additional payload would include a banker/trojan malware which steals banking login information.
8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)
To complete this section the additional plugin malfind2 was installed along with its dependencies. Sample 1: the extracted binary malfind.644.a10000-a2cfff.dmp from process 644 is detected as Zbot:
$ volatility malfind2 -p 644 -d malware -f Bob.vmem
Sample 2: the extracted binary malfind.880.720000-73cfff.dmp from process 880 is detected as Zbot:
$ volatility malfind2 -p 880 -d malware -f Bob.vmem
The majority of AV scanners detect this malware.
9. Are there any related registry entries associated with the payload? (4pts)
This is a three step process. First use hivescan to enumerate all the physical offsets where registry hives can be found:
$ python volatility hivescan -f Bob.vmem
Offset (hex)
44658696 0x2a97008
44686176 0x2a9db60
48529416 0x2e48008
55269896 0x34b5a08
57399112 0x36bd748
59082008 0x3858518
70588752 0x4351950
111029088 0x69e2b60
114539360 0x6d3bb60
121604960 0x73f8b60
180321120 0xabf7b60
191408992 0xb68ab60
244959264 0xe99c820
The hivelist plugin, given one of those offsets, walks the list of loaded hives and prints the virtual address of each, including the SOFTWARE hive needed for the Winlogon key. To quickly try every offset listed above, save the hex values into a file (hive.offsets) and loop over them:
$ for i in $(cat hive.offsets); do python volatility hivelist -f Bob.vmem -o "$i"; done
(output omitted for brevity)
$ python volatility hivelist -f Bob.vmem -o 0x36bd748
Address Name
0xe151ea08 \WINDOWS\system32\config\SAM
0xe153e518 \WINDOWS\system32\config\SECURITY
0xe139d008 [no name]
0xe1035b60 \WINDOWS\system32\config\system
0xe102e008 [no name]
0xe1d6cb60 \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1de0b60 \Documents and Settings\Administrator\NTUSER.DAT
0xe1769b60 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17deb60 \Documents and Settings\LocalService\NTUSER.DAT
0xe1797b60 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe17a3820 \Documents and Settings\NetworkService\NTUSER.DAT
0xe1526748 \WINDOWS\system32\config\software
0xe15a3950 \WINDOWS\system32\config\default
Display the values for key Winlogon:
$ python volatility printkey -o 0xe1526748 -f Bob.vmem "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
Key name: Winlogon (Stable)
Last updated: Sat Feb 27 12:12:34 2010
Subkeys:
GPExtensions (Stable)
Notify (Stable)
SpecialAccounts (Stable)
Values:
REG_DWORD AutoRestartShell : 1 (Stable)
REG_SZ DefaultDomainName : BOB-DCADFEDC55C (Stable)
REG_SZ DefaultUserName : Administrator (Stable)
REG_SZ LegalNoticeCaption : (Stable)
REG_SZ LegalNoticeText : (Stable)
REG_SZ PowerdownAfterShutdown : 0 (Stable)
REG_SZ ReportBootOk : 1 (Stable)
REG_SZ Shell : Explorer.exe (Stable)
REG_SZ ShutdownWithoutLogon : 0 (Stable)
REG_SZ System : (Stable)
REG_SZ Userinit : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_SZ VmApplet : rundll32 shell32,Control_RunDLL "sysdm.cpl" (Stable)
REG_DWORD SfcQuota : 4294967295 (Stable)
REG_SZ allocatecdroms : 0 (Stable)
REG_SZ allocatedasd : 0 (Stable)
REG_SZ allocatefloppies : 0 (Stable)
REG_SZ cachedlogonscount : 10 (Stable)
REG_DWORD forceunlocklogon : 0 (Stable)
REG_DWORD passwordexpirywarning : 14 (Stable)
REG_SZ scremoveoption : 0 (Stable)
REG_DWORD AllowMultipleTSSessions : 1 (Stable)
REG_EXPAND_SZ UIHost : logonui.exe (Stable)
REG_DWORD LogonType : 1 (Stable)
REG_SZ Background : 0 0 0 (Stable)
REG_SZ AutoAdminLogon : 0 (Stable)
REG_SZ DebugServerCommand : no (Stable)
REG_DWORD SFCDisable : 0 (Stable)
REG_SZ WinStationsDisabled : 0 (Stable)
REG_DWORD HibernationPreviouslyEnabled : 1 (Stable)
REG_DWORD ShowLogonOptions : 0 (Stable)
REG_SZ AltDefaultUserName : Administrator (Stable)
REG_SZ AltDefaultDomainName : BOB-DCADFEDC55C (Stable)
The malware persistence mechanism is the Userinit value above: C:\WINDOWS\system32\sdra64.exe has been appended after the legitimate userinit.exe, so winlogon.exe starts the bot at every interactive logon. The key's last-write time (12:12:34, see the timeline note below) matches the moment of infection.
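Reading the Userinit line by eye works once; across many images it is worth a check that splits the comma-separated launch list and compares each entry with the stock value. The following added example (not code from the write-up) does that over a constructed excerpt of the printkey output above; the expected defaults are assumed to be those of an unmodified Windows XP install.

```python
"""Flag non-default entries in the Winlogon Shell / Userinit / UIHost values
as printed by Volatility's printkey. Added example; PRINTKEY is a constructed
excerpt of the page's printkey output."""
import re

# Constructed excerpt of the printkey output above (raw string: backslashes are literal).
PRINTKEY = r"""
REG_SZ Shell : Explorer.exe (Stable)
REG_SZ Userinit : C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, (Stable)
REG_EXPAND_SZ UIHost : logonui.exe (Stable)
REG_SZ LegalNoticeCaption : (Stable)
"""

# Assumption: stock Windows XP values on an unhardened install. Compare lower-cased.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
    "UIHost": {"logonui.exe"},
}

# 'REG_TYPE Name : value (Stable)' as printed by printkey.
VALUE_RE = re.compile(r"^REG_\w+\s+(\w+)\s*:\s*(.*?)\s*\((?:Stable|Volatile)\)\s*$")


def parse_values(text):
    """Map value name -> value string from printkey's Values section."""
    vals = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            vals[m.group(1)] = m.group(2)
    return vals


def unexpected_entries(values):
    """(value name, entry) for every launch entry that is not a known default.

    Userinit and Shell are comma-separated lists; Windows runs every entry, so
    anything appended after the default is a logon-time persistence hook.
    """
    findings = []
    for name, expected in EXPECTED.items():
        for entry in values.get(name, "").split(","):
            entry = entry.strip().strip('"')
            if entry and entry.lower() not in expected:
                findings.append((name, entry))
    return findings


if __name__ == "__main__":
    for name, entry in unexpected_entries(parse_values(PRINTKEY)):
        print("non-default {} entry: {}".format(name, entry))
```

On the excerpt the only finding is the sdra64.exe entry in Userinit; a Userinit value that is exactly the default, or a Shell value other than Explorer.exe, would be reported the same way. The Notify subkey is a second Winlogon persistence point this check does not cover.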
10. What technique was used in the initial exploit to inject code in to the other processes? (6pts)
- The user is logged in as Administrator, so anything the exploit runs inherits full privileges
- A malicious PDF (PDF.php on search-network-plus.com) is served to the browser and handed to Acrobat Reader
- The [kernel:...] strings referencing kontera.com JavaScript sit in kernel-mapped memory (cached page data from the browsing session on oldversion.com); they place the ad network's scripts in the session that preceded the PDF, not the kernel executing JavaScript
- The shellcode succeeds in exploiting the Acrobat Reader flaw; a downloader stage (the load.php?...&e=1/2/3 requests seen in Pid 1752) retrieves the bot and executes it
- Once the bot is executed it unpacks and decrypts itself into winlogon.exe (Pid 644), sets up the Userinit persistence mechanism and injects into the existing svchost.exe (Pid 880), which opens the C&C sockets; a new svchost.exe (Pid 1384) is also started by services.exe at 20:12:36. The injected regions in 644 and 880 are what malfind2 extracted in question 8
User searches for old versions of software, finds Acrobat Reader 6.0
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.msn.com
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/Acrobat-Reader.html
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download/acrobat60.exe
Feb 25 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download_Acrobat_Reader_6.0.html
Feb 26 03:34:04 2010, Source: Processes, Name: winlogon.exe ,Pid: 644 ,PPid: 548
Feb 26 03:34:05 2010, Source: Processes, Name: services.exe ,Pid: 688 ,PPid: 644
User again searches for old software, this time it's Firefox 1.5.0.2
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/Mozilla-Firefox.html
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download/firefox1502.exe
Feb 27 20:10:02 2010, Source: Browser, User: Administrator, URL: http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html
Firefox started
Feb 27 20:11:53 2010, Source: Processes, Name: firefox.exe ,Pid: 888 ,PPid: 1756
Acrobat Reader started and is exploited
Feb 27 20:12:23 2010, Source: Processes, Name: AcroRd32.exe ,Pid: 1752 ,PPid: 888
Feb 27 20:12:28 2010, Source: Socket, PID: 888,Port: 1176, Protocol: 6
Feb 27 20:12:32 2010, Source: Socket, PID: 1752,Port: 1177, Protocol: 17
Feb 27 20:12:32 2010, Source: Socket, PID: 1752,Port: 1178, Protocol: 6
Feb 27 12:12:34 2010, Winlogon Registry Key Last Update Time (Note: the hour is 8 behind the surrounding events while the minutes and seconds line up exactly with the chain of events. The TimeZoneInformation registry value indicates EST, but EST is UTC-5 and cannot account for an 8-hour gap; an 8-hour offset matches Pacific time and is most plausibly a local-time conversion applied on the analysis host. Either way the key was written at 20:12:34 on the timeline's clock, between the AcroRd32.exe sockets and the svchost.exe C&C sockets.)
Svchost.exe opens three sockets and connects to C&C server
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 1184, Protocol: 6
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 1185, Protocol: 6
Feb 27 20:12:36 2010, Source: Socket, PID: 880,Port: 30301, Protocol: 6
Resources
Contest URL: https://www.honeynet.org/challenges/2010_3_banking_troubles
https://zeustracker.abuse.ch/faq.php
http://www.fortiguard.com/analysis/zeusanalysis.html
Disclaimer
These are my answers which have not been validated against the official results. Updates/corrections will be made if necessary once the results are published. Feedback and comments are always welcome.
Other interesting bits...
User appears to own a D-Link home router/firewall at 192.168.0.1 and a client at 192.168.0.176
Typed the search term "old software" into Google:
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20sof&cp=7
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20soft&cp=8
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20software&cp=12
http://clients1.google.com/complete/search?hl=en&client=serp&pq=oldarchives&q=old%20software&cp=12
http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
Time stamps found in the memdump:
:2010022720100228: Administrator@http://www.msn.com
:2010022720100228: Administrator@http://www.google.com
:2010022720100228: Administrator@http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
:2010022720100228: Administrator@http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
:2010022720100228: Administrator@http://www.oldversion.com
:2010022720100228: Administrator@http://www.oldversion.com/Mozilla-Firefox.html
:2010022720100228: Administrator@http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html
:2010022720100228: Administrator@http://www.oldversion.com/download/firefox1502.exe
:2010022520100226: Administrator@http://www.msn.com
:2010022520100226: Administrator@http://www.google.com
:2010022520100226: Administrator@http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
:2010022520100226: Administrator@http://www.oldversion.com
:2010022520100226: Administrator@http://www.oldversion.com/Acrobat-Reader.html
:2010022520100226: Administrator@http://www.oldversion.com/download_Acrobat_Reader_6.0.html
:2010022520100226: Administrator@http://www.oldversion.com/download/acrobat60.exe
Visited: Administrator@http://www.google.com
Visited: Administrator@http://www.msn.com
Visited: Administrator@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Visited: Administrator@http://www.oldversion.com/download/acrobat60.exe
Visited: Administrator@http://www.google.com/search?hl=en&source=hp&q=old+programs&aq=f&aqi=g10&aql=&oq=
Visited: Administrator@http://www.oldversion.com
Visited: Administrator@http://www.oldversion.com/Acrobat-Reader.html
Visited: Administrator@http://www.oldversion.com/download_Acrobat_Reader_6.0.html
Visited: Administrator@http://home.microsoft.com
Visited: Administrator@http://www.google.com/search?hl=en&source=hp&q=oldarchives&aq=f&aqi=g-sx5g-s1&aql=&oq=
Visited: Administrator@http://www.google.com/search?hl=en&q=old+software&aq=f&aqi=g10&aql=&oq=
Visited: Administrator@http://www.oldversion.com/Mozilla-Firefox.html
Visited: Administrator@http://www.oldversion.com/download_Mozilla_Firefox_1.5.0.2.html
Visited: Administrator@http://www.oldversion.com/download/firefox1502.exe
User appears to have been presented with HTML snippets from ads or email containing the malicious URL:
Seems to be redirected to a kontera.com domain from oldversion.com:
http://te.kontera.com/ContentLink/ContentLink?publisherId=116534&layout=adlinks&sId=142&cb=1267300209&creative=L&cn=us&pRfr=http%3A//www.oldversion.com/Mozilla-Firefox.html&pRfr=&keys=Mozilla%20Firefox;browser;Application;development&kids=45239;682919;461663;595008&iit=1;1;1;1&index=0&cbl=0&ab=1&onf=1&omk=1&resultNum=1&time=5500&dc_aff_id=&bt=1&mod=27&rId=116534_1267300209255_05828260058095254&prev_page=http%3A//www.oldversion.com/&ptv=&ur=1&sids=5544;7753;19447;-0-0-7753;6497;&tag=0