Saturday, July 11, 2009

Links and New Stuff

The MalwareForensics site, based on the book by the same name, is up and running...pretty nice so far. If you're involved in incident response, malware analysis, or just IT in general, you should check this site out. It has links to Linux and Windows tools, as well as to web-based tools.

The tools on the DVD that accompanies Windows Forensic Analysis let you view metadata in MS Office documents written in the older OLE (structured storage) binary format; they stop at the point where MS moved the document format from OLE to Office Open XML, where the document is a zip package and the properties live in XML parts. Well, this post on the SANS Forensic blog takes that next step and shows you how to extract metadata from Office 2007 documents. Even cooler, the code is written in Perl!
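As an added illustration of what that step involves (this is example code written for this page, not the SANS post's Perl script), the following pulls the core and extended properties out of an Office 2007 package. It treats the file as untrusted input: it only inflates the two property parts, refuses oversized parts, and rejects a DOCTYPE in them. The sample .docx it builds in memory is constructed here; the names and dates in it are made up.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two property parts of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dcterms:created",
               "dcterms:modified", "cp:revision")
APP_FIELDS = ("ep:Application", "ep:AppVersion", "ep:Company", "ep:TotalTime")
MAX_PART_BYTES = 1 << 20  # property parts are tiny; anything bigger is suspect

def _load_part(zf, name):
    """Parse one XML part, or return None if the package lacks it."""
    try:
        info = zf.getinfo(name)
    except KeyError:
        return None
    if info.file_size > MAX_PART_BYTES:
        raise ValueError(f"{name}: {info.file_size} bytes, refusing to inflate")
    raw = zf.read(name)
    if b"<!DOCTYPE" in raw:  # property parts never carry a DTD; don't parse one
        raise ValueError(f"{name}: unexpected DOCTYPE")
    return ET.fromstring(raw)

def _pick(root, fields):
    out = {}
    if root is None:
        return out
    for f in fields:
        el = root.find(f, NS)  # "prefix:local" resolved through the NS map
        if el is not None and el.text:
            out[f] = el.text.strip()
    return out

def ooxml_metadata(data: bytes) -> dict:
    """Return core + extended document properties of an OOXML file given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "[Content_Types].xml" not in zf.namelist():
            raise ValueError("not an OOXML package (no [Content_Types].xml)")
        meta = _pick(_load_part(zf, "docProps/core.xml"), CORE_FIELDS)
        meta.update(_pick(_load_part(zf, "docProps/app.xml"), APP_FIELDS))
    return meta

# Constructed sample: the minimum of a .docx needed to exercise the parser.
_SAMPLE_CORE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>Temp Contractor</cp:lastModifiedBy>'
    '<cp:revision>7</cp:revision>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2009-06-30T14:02:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2009-07-10T21:45:00Z</dcterms:modified>'
    '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"])
)
_SAMPLE_APP = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
    '<AppVersion>12.0000</AppVersion><Company>Example Corp</Company>'
    '<TotalTime>43</TotalTime></Properties>' % NS["ep"]
)

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("docProps/core.xml", _SAMPLE_CORE)
        zf.writestr("docProps/app.xml", _SAMPLE_APP)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for k, v in ooxml_metadata(data).items():
        print(f"{k:20} {v}")
```

Run it with a real .docx/.xlsx/.pptx path as the argument, or with no argument to see the constructed sample. Note that lastModifiedBy and the dcterms timestamps are whatever the application wrote; they are useful leads, not proof of who touched the file.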

Another tool, albeit not written in Perl, is Security Database's Evidence Collector. The span of data collected looks to be pretty useful, and the UI is different from anything I've seen before. If you're an incident responder in a small shop, you might want to take a look at using a tool like this.

In case you missed it, I recently released the current iteration of my ripXP tool, a small tool that is part of the RegRipper set of tools. RipXP uses the same plugins as RegRipper, and runs each plugin not only against the designated Registry hive file, but also against all of the corresponding hive files within the XP System Restore Points! This is extremely useful for a couple of reasons. First, Registry keys have LastWrite times, which are analogous to file last-modification times: they tell you when a key was last modified, but very often not what changed. RipXP lets you parse through the Restore Points to get a historical view of the data, so you can see what the key looked like before and after that LastWrite time. Second, ripXP includes a small bit of code that parses the rp.log file to report not only when each Restore Point was created but also the reason why it was created, potentially adding a significant amount of context to the data itself.
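To make the first point concrete, here is an added example (written for this page; it is not ripXP or RegRipper code) that decodes key LastWrite FILETIMEs and diffs the values of one key across successive hive copies, which is what turns "this key changed on 1 July" into "this value was added on 1 July". The snapshots are a constructed stand-in for what the plugins would read from the Run key in the RPnn\snapshot\_REGISTRY_MACHINE_SOFTWARE copies and the live hive; the value names, paths and dates are made up.

```python
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft: int) -> datetime:
    """Decode a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC (the LastWrite format)."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt: datetime) -> int:
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10

def diff_key_history(snapshots):
    """snapshots: dicts {source, taken, lastwrite, values}, one per hive copy.
    taken = FILETIME the copy was made (RP creation, or acquisition for the live hive);
    lastwrite = the key's LastWrite FILETIME in that copy; values = {name: data}.
    Returns, in chronological order, what changed between each pair of copies."""
    ordered = sorted(snapshots, key=lambda s: s["taken"])
    history = []
    for a, b in zip(ordered, ordered[1:]):
        va, vb = a["values"], b["values"]
        history.append({
            "from": a["source"],
            "to": b["source"],
            # the LastWrite time alone is all the key itself tells you...
            "lastwrite_changed": a["lastwrite"] != b["lastwrite"],
            "lastwrite": filetime_to_dt(b["lastwrite"]).isoformat(),
            # ...the diff of the two copies is what tells you what changed
            "added": {k: vb[k] for k in vb.keys() - va.keys()},
            "removed": {k: va[k] for k in va.keys() - vb.keys()},
            "changed": {k: (va[k], vb[k]) for k in va.keys() & vb.keys() if va[k] != vb[k]},
        })
    return history

def _ft(iso: str) -> int:
    return dt_to_filetime(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc))

# Constructed sample data (not from any real system).
_CTFMON = r"C:\WINDOWS\system32\ctfmon.exe"
SAMPLE_SNAPSHOTS = [
    {"source": r"RP17\snapshot\_REGISTRY_MACHINE_SOFTWARE",
     "taken": _ft("2009-06-28T03:00:00"), "lastwrite": _ft("2009-06-12T09:14:31"),
     "values": {"ctfmon.exe": _CTFMON}},
    {"source": r"RP21\snapshot\_REGISTRY_MACHINE_SOFTWARE",
     "taken": _ft("2009-07-03T03:00:00"), "lastwrite": _ft("2009-07-01T22:08:05"),
     "values": {"ctfmon.exe": _CTFMON,
                "Updater": r"C:\DOCUME~1\user\LOCALS~1\Temp\upd.exe"}},
    {"source": r"config\software (live hive)",
     "taken": _ft("2009-07-10T12:00:00"), "lastwrite": _ft("2009-07-09T17:40:12"),
     "values": {"ctfmon.exe": _CTFMON,
                "Updater": r"C:\WINDOWS\system32\upd.exe"}},
]

if __name__ == "__main__":
    for step in diff_key_history(SAMPLE_SNAPSHOTS):
        print(f"{step['from']} -> {step['to']} (LastWrite {step['lastwrite']})")
        for kind in ("added", "removed", "changed"):
            for name, data in step[kind].items():
                print(f"  {kind:8} {name}: {data}")
```

The same ordering matters in practice: sort by Restore Point creation time (which the rp.log parsing in ripXP gives you), not by LastWrite time, since two copies can carry the same LastWrite time while a later copy differs.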

There's some new fun floating about the Internet, exploiting a vulnerability in the MS Video ActiveX Control, msvidctl.dll (Microsoft Security Advisory 972890, CVE-2008-0015). There's been info posted on this issue:
SANS ISC
Terminal23
MS Security Research and Defense

Others have posted intel about what happens after the exploit:
FireEye Malware Intel Lab

It appears to work like this: the bad guys first compromise legitimate web sites and plant a redirect, so that visitors are sent on to a site where the exploit resides. The exploit then runs through the browser (MS refers to this as "browse and get owned"...comforting), and additional malware (such as an online gaming password stealer) is downloaded.

So why am I talking about this? Because this is yet another example of how nearly all of the available information about this stuff is vulnerability-based; there's really very little about what it looks like on a system once the exploit has succeeded. The MS SRD site lists mitigation steps, such as setting the kill bit for the control in the Registry, and checking whether that kill bit was set can tell you whether a compromised system was even susceptible to this sort of attack. But that only tells you the system was exposed, not that this exploit was the way in, and the fact is that there is little information available regarding what to look for to determine that a system was compromised via this particular exploit.
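Since the kill bit check is the one thing the available information does give a responder, here it is as an added example (written for this page, not taken from the SRD post). The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; the CLSID is the msvidctl.dll control's. The live lookup uses the stdlib winreg module and so only runs on Windows; on an acquired image, read the same key path from the SOFTWARE hive with your hive parser of choice.

```python
import platform

KILL_BIT = 0x400  # bit IE tests in "Compatibility Flags" before instantiating a control
# CLSID of the Microsoft Video ActiveX Control (msvidctl.dll)
MSVIDCTL_CLSID = "{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
NATIVE_VIEW = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit IE on x64 Windows reads this copy; a kill bit set only in the native view leaves it exposed
WOW64_VIEW = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"

def killbit_set(compat_flags) -> bool:
    """True when the kill bit is present. None (no CLSID key or no value) means it is not set."""
    return compat_flags is not None and bool(compat_flags & KILL_BIT)

def assess(flags_by_view: dict) -> str:
    """Summarise per-view results: 'mitigated' only if every view checked carries the kill bit."""
    exposed = [view for view, flags in flags_by_view.items() if not killbit_set(flags)]
    if not exposed:
        return "mitigated"
    return "exposed in: " + ", ".join(exposed)

def read_compat_flags(clsid: str, base_path: str):
    """Read the DWORD from the live Registry (Windows only). None if key or value is missing."""
    import winreg  # stdlib, importable only on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base_path + "\\" + clsid, 0,
                            winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
            value, vtype = winreg.QueryValueEx(key, "Compatibility Flags")
    except OSError:
        return None
    return value if vtype == winreg.REG_DWORD else None

def live_check(clsid: str = MSVIDCTL_CLSID) -> dict:
    """Check the native view and, on 64-bit Windows, the WOW64 view as well."""
    views = [NATIVE_VIEW]
    if platform.machine().endswith("64"):
        views.append(WOW64_VIEW)
    return {view: read_compat_flags(clsid, view) for view in views}

if __name__ == "__main__":
    results = live_check()
    for view, flags in results.items():
        shown = "absent" if flags is None else f"0x{flags:08x}"
        print(f"{view}: Compatibility Flags = {shown}")
    print(assess(results))
```

A result of "exposed" on a system imaged after the fact means the control could have been instantiated; it is evidence of exposure, not of exploitation, which is exactly the gap the post is complaining about.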

More later, folks. As always, comments and suggestions are welcome...
