Saturday, December 19, 2009

The Trojan Defense

The malware did it...not me.

How often do we see or hear of this? I don't see this specific question very often during exams...probably because I don't work in certain environments, per se...but I do get questions peripheral to it, and I do hear the question being asked by folks who do those sorts of investigations.

More importantly, however, is another question...how does an examiner (LE or otherwise) answer that question before it gets asked? The claim that "the Trojan/worm/malware did it" is being made more and more, and it can be a challenge to address this sort of thing...but it does need to be addressed.

The fact of the matter is that there are enough data sources on a Windows system that can provide indications as to whether certain actions (downloading illicit images, collecting/exfiltrating sensitive data, etc.) were performed by malware, or intentionally by a user. These sources may vary in their location and how useful they are, depending upon the case, but by examining and correctly interpreting the preponderance of data (rather than a few selected data points), an analyst can get an overall picture of what happened.

One example is when illicit images appear on a system...did malware reach out and download those images, or did the user install P2P software and then run a specific search for those images? Or did the user install P2P software that then led to a malware infection, and then the malware downloaded the software?

All of these questions can be answered, but what it takes to do so varies from case to case, and cannot be adequately addressed in a single blog post. Suffice to say that a knowledgeable analyst needs to look at everything, and be aware of those things they do not know. By this I mean, do not dismiss the value of Registry analysis simply because you have a deadline and do not feel that you sufficiently understand Registry analysis as a whole, or how it could apply to your case. The same is true for P2P analysis.

Addressing the "Trojan Defense" involves much more than simply mounting an acquired image and running an AV scanner across it. But like I said, that's not something that can be addressed in a blog post. This isn't a sales pitch, but what's really required is training, and regular, continuous interaction with other knowledgeable analysts, so that information and experiences can be exchanged.

8 comments:

Dale Rogers said...

Just this week an attorney asked me about the Pop-Up Defense. Several years ago I wrote a document I called Pop-Up_Defense.rtf, which a quick review of my archives did not locate, of course. But just off the top of my head, the methodology of defeating the Pop-Up Defense has multiple steps, not necessarily in this order.

First you want to see if the offending files on the computer, such as porn, are stored in a non-standard folder, such as Sports_Stuff. If the porn is mixed in with genuine sports material, such as a softball team roster, it is doubtful that any malware created the folder and the files.

Secondly you want to find all search engine key terms. If the bad guy is searching for the offending material, such as little girls or children taking baths, that's a clue. I have a robust set of search engine key terms that I run in Microforensics Mercury.

Third, the Typed URLs found in the NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs registry key show that the keyboard was the source of some of the Internet History.

Fourth, if the offending material comes from a half-dozen different sites, it is questionable that malware is trying to get you to go to competing internet sources.

Fifth, If you find Temporary Internet Files from sites such as Adult Friend Finder that say "Welcome Back Pervert_Guy" it is not likely that maleware signed the bad guy up as a member of the Web site.

Sixth, if the bad guy is sending and receiving email and email attachments to some of his buddies, and the emails include some personal stuff, such as as what a jerk his boss is, malware probably does not play a role.

Seventh, if you do a time-line analysis of what activity was taking place on the machine around the time of the offending behavior, you might see clues in chat, MySpace FaceBook, email, Craigslist, etc., that supports the user being the offending party.

Eighth, yeah, you can run anti-virus software against the image.

Ninth, review Internet History, live and deleted, including cookies.

Tenth, I'd be burned out looking for evidence by now.

Dale Rogers
Rogers Computer Forensics

Keydet89 said...

Dale,

Great post! Keep in mind, though...step 3 only works for bad guys who use IE. If Safari or FireFox is used, your process will differ.

Jimmy_Weg said...

Hey, Dale, it's good to see you on Harlan's blog! In MSIE, I'd also check for Host entries in the history. Pop-ups tend not to produce Host records. Also check the settings of the browser's pop-up blocker. The default setting should block most of the pop-ups. You can test that by following the target's browsing with varying pop-up blocker settings.

Keydet89 said...

Jimmy,

For the benefit of our viewers, can you describe how to check for Host entries in the history? And how to check the pop-up blocker settings?

Jimmy_Weg said...

While I would think that there's a registry setting that reveals the pop-up blocker settings (in at least MSIE), I always check when I run a VM of the target system. I build a VM on most of my cases anyway. It would be easy enough to run ProcessMonitor while changing the settings to check this out.

The Host entries are found in the Daily history index. They indicate the top level domain of the visited sites. For example, if you view your history in MSIE, and click the Today icon, you'll see a list of hosts (I don't think that I can post a screen shot). You can, of course, expand the hosts and review the areas visied within each host. NetAnalysis identifies the host entries when it parses the Daily history.

Dale Rogers said...

Harlan, Jimmy, thanks for the comments. After I rattled off a bunch of procedures, shooting from the hip so to speak, I spent some time refining those into 12 steps that could be taken to defeat the PopUp/Trojan defense. These steps slant toward MS Internet Explorer users. I can see where the community might want to tweak these suggestions a bit, but I also think that the procedures should be kept down to no more than a dozen. Maybe Step 13 could simply be "Perform other procedures as appropriate." The steps do not include forensic process details. I'll wait for a chapter or two in Harlan's next book for that...

From a labor hours perspective, the time it would take to peform all of these steps would rarely make economic sense. The good news is that many of the listed steps would be performed in a forensic examination with or without Trojan considerations. So the extra effort required for portions of resolving a Trojan defense issue would only require keeping a good check list and detailed forensic review notes.

A concise check list is handy, and the fewer steps and the fewer words the better. The list I'm posting below has some extra verbiage that could be cut out. For example, step 2, "Review the Recycle Bin" is only four words. The rest of the words in that step could be deleted.

I have my forensic favorites that I tend to specialize in. Finding search engine terms is right at the top of my list. I've built what I refer to as Key Term Libraries which I run in Mercury for a gaggle of topics, Search Engines being one. Being that I index nearly all of my cases anyway, I can run my search engine library in just a few minutes. In a recent case I found that an employee who was suspected of downloading porn, if not inappropriate sexual material, had not intentionally done so at all. He had been searching for video game clips on You Tube and ended up with some small sexy Temporary Internet File graphics. His Google searches were the same, for video games. Conversely, I worked a child porn cases and found bad guys searching for little girls and children taking baths, as well as unspeakable searches.

We all might agree that most Trojan defenses can be resolved quickly with just a few forensic steps. The PopUp/Trojan defense is usually related to nasty things, primarily child porn and other porn. If not my first step, recovery of search engine terms makes me twitch just thinking about it. Now, without futher verbiage, this posting is too long and I have to split it.

Dale Rogers said...

[Part II]

Here are my Twelve Steps:

Steps to Resolve a Pop-Up or Trojan Defense [Sequence of Steps is Case Dependent.]

1. Identify files containing questioned data. Determine if the questioned data was stored in a non-standard folder, such as My_Stuff. If the questioned data was stored with personal material, such as a softball team roster, it is doubtful that any malware created the folder and the files. Determine if any link files exist that show when the files had been opened and if they existed on external media.

2. Review the Recycle Bin. Questioned data in the Recycle Bin could indicate knowledge on the part of the computer user. The user could have deleted some questioned data while keeping the rest. The user could also have edited some of the data and deleted the originals.

3. Run anti-virus/malware software against the hard drive image. Note the file(s) containing any identified malware. Research the known characteristics of the malware on Internet security sites. If detected malware might account for the questioned data, determine if the questioned data predated when the malware was discovered in the wild.

4. Recover all search engine query terms to see if searches were related to the questioned data.

5. Review Temporary Internet Files and HTML fragments for content related to the suspect data. Identify password protected accounts such as Web-based email.

6. Review Internet History, live and deleted, including cookies.

7. For the Windows Internet Explorer, review Typed URL records in the NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs Windows Registry key. The keyboard was the source of the entries. For other browsers, such as Firefox and Safari, perform necessary forensic review.

8. Identify and review usage of any pertinent software applications (such as Peer-2-Peer software) that were installed/uninstalled shortly before and/or after the creation date of the questioned data.

9. Review Email. If the suspect was sending and receiving email and suspect email attachments to specific correspondents, malware probably did not play a role.

10. Determine if the questioned data was copied to a thumb drive, hard drive, CD/DVD.

11. Perform a time-line analysis of what activity was taking place on the machine surrounding the time of the suspect behavior.

12. Perform a live RAM dump and preserve live state information on the target computer. Determine if a hidden malware process was running/started every time the computer was booted.

Rogers Computer Forensics
Dale@RogersForensics.com

Jimmy_Weg said...

Being that I index nearly all of my cases anyway . . .

Interesting. I index rarely, and almost never for a typical c-p case. I've found that extracting index records with NetAnalysis (HstEx) will produce adequate records of Internet searches, if they exist. I suppose that you could also search free clusters for strings such as q=regex, but if NetAnalyis finds nothing, a string search will not get the goods, either. If I filter properly and use XWF to do a simultaneous search, the speed is impressive. To index completely for finding strings in HTML based data, it helps to include certain characters that are non-alphanumeric. This slows the indexing process.

Review Internet History, live and deleted, including cookies

Here's where I also check the browser seettings. You have to be careful about inferring anything from cookies, as they may be third party cookies. However, the browser may be set to block some or all of such cookies.

TypedURLs Windows Registry key. The keyboard was the source of the entries.

I don't rely upon this very heavily. There are a few ways in which this key can be populated. I can't recall them now, but there was some discussion of this on the Digital Detective Forum.

If you have a Vista case and find only thumbcache files, it may help to know that the thumbcache does not store files that were in Internet cache. So, the previously existing full size counterparts were not in cache. This can aid in refuting the cache defense.

In sum, most trojan or cache defenses fall short in the face of intent, such as the search term exam you described.