Comments on Windows Incident Response: "More on AV write-ups" (13 comments, newest first)

H. Carvey, 2010-02-26 10:13 (-05:00):
Interesting.

What about other artifacts, such as the HelpAssistant account information in the SAM database, and maybe even Event Log records?

I'm going to see about doing a write-up on this, from the overall analysis conducted.

Anonymous (iamnowonmai), 2010-02-26 09:17 (-05:00):
> I've noticed that almost the entire content of the HelpAssistant profile has been copied from the profile of the user that was active/logged in on the system when the infection occurred. I created a timeline and it seems to indicate that this is the case.

My timeline agrees with that, with the exception of HelpAssistant/Templates, which has roughly the same timestamp as the system load.

iamnowonmai

du212, 2010-02-25 17:03 (-05:00):
Case study I saw linked on Gadi Evron's blog regarding investigating anomalous data when AV says it ain't:

http://www.cyberwart.com/blog/2010/01/09/undetected-malware-case-study-jan2010-01/

Besides, case study postings r0x.

H. Carvey, 2010-02-25 17:00 (-05:00):
I agree... I am currently analyzing a Mebroot-infected system myself.

I've noticed that almost the entire content of the HelpAssistant profile has been copied from the profile of the user that was active/logged in on the system when the infection occurred. I created a timeline and it seems to indicate that this is the case. In fact, when I run RegRipper against the user hives, I get almost identical contents there, as well.

Anonymous, 2010-02-25 16:43 (-05:00):
This post is interesting to me as I just completed an investigation where Mebroot had been installed on several systems. I also believe that Symantec is correct (even though I do not agree with how they worded it) that the HelpAssistant profile is a Mebroot infection artifact. It was common between all of the systems that I performed analysis on that the HelpAssistant profile directory was created (including the appropriate subdirectories), and done so at the time of infection.

I think that the breakdown is that they are stating that the account is created by Mebroot, when it should state that the HelpAssistant profile directory is created as part of the Mebroot infection.

Anonymous (Shanna), 2010-02-24 15:17 (-05:00):
Though using Remote Assistance requires the HelpAssistant account, I've never observed a profile created for this account under Documents and Settings, even after a Remote Assistance session. It doesn't appear in the ProfileList key and is only listed under SpecialAccounts in HKLM. There are a few mentions of it in HKU under systemprofile's hive (S-1-5-18), so that might be the profile it uses. I don't think it would be possible to log in directly with this account, or take it over.

I played with it a little on my VM and found that it's possible to delete the account, breaking Remote Assistance. It will not be recreated automatically and you must boot into Safe Mode and run sessmgr.exe -service (as instructed by a helpful error message in the Application Viewer from Remote Assistance) to restore it. I imagine that with the account deleted you should be able to create your own HelpAssistant account, but the difference should be very, very obvious.

But it wouldn't be obvious, as you were saying, to a regular user, and I can imagine someone creating a jdbgmgr-like hoax out of it.

--Shanna

H. Carvey, 2010-02-24 07:24 (-05:00):
> My understanding is that HelpAssistant is created when a Remote Assistance session is activated. It shouldn't normally have a profile under \Documents and Settings.

Thanks for the comment.

More correctly, the HelpAssistant user account is on the system, in the SAM... however, no user *profile* is created until someone logs into the system via that account.

You can test/verify this by creating a user account on your system with "net user /add", and then observing the user profile directory for several days, across reboots. Then, log into the system using that account; you will be able to verify that the profile was not created until you actually logged in using that account.

Anonymous (iamnowonmai), 2010-02-24 07:17 (-05:00):
I just finished an incident that included malware like this. My understanding is that HelpAssistant is created when a Remote Assistance session is activated. It shouldn't normally have a profile under \Documents and Settings.

iamnowonmai

Anonymous, 2010-02-24 05:56 (-05:00):
Thanks for posting my post; I appreciate that, and apologies if it sounded like a personal attack.

Would you agree that write-ups should be completely ignored by IRs/FIs? Or, more practically, disqualified as "proper" evidence and treated like hearsay? The fundamental problem is not the write-ups themselves, but the approach that assumes these write-ups are a reliable source of information; for the reasons outlined in my previous post (I could add some more, e.g. how many different samples are covered by one write-up, how many completely different malware samples are qualified by accident/mistake as the same sample and then the write-ups modified accordingly, etc.), they shouldn't be treated as such. In other words, there are no shortcuts, and IRs/FIs need to learn proper malware analysis; and by "proper" I mean the ability to fully analyse what that piece of code is doing (on the code level, not dynamic and static analysis only, which is often misleading), and the ability to make informed decisions when various reasons make such analysis impossible or not worthwhile.

H. Carvey, 2010-02-23 21:14 (-05:00):
> ...there is not so much you can say about how AV companies work...

You're right, because I don't know. I do know that, as an incident responder trying to assist a customer, and as an analyst trying to answer a question for a customer, I've had issues with what's in the write-ups.

Thanks for your comments.

Anonymous, 2010-02-23 19:46 (-05:00):
Well, you may not post this answer as you may find it not to your taste, but while there is a lot you can say about incident response and forensics, there is not so much you can say about how AV companies work. Write-ups are often auto-generated, and for those where manual input is provided, it's often junior researchers who work on them; then the write-ups go through QA and reviews, yet you can't avoid problems coming from the simple fact that a) the researcher doesn't know everything and b) the person who reviews it doesn't know everything. Finally, AV write-ups are pretty much at the bottom of the list of priorities; automation and batch sample processing, _ensuring_ the product detects and removes malware properly in the first place and with no issues, is far more important than write-ups. Those who actually read and use write-ups and do not rely on the product itself are people who are at least experienced or power users... like you.

H. Carvey, 2010-02-23 19:07 (-05:00):
While I agree that what they post can be misleading, I also realize that they aren't in the business of incident response, per se... so they aren't focused on such things.

When a customer infrastructure is infected, most often the AV vendor's approach is to get a sample, generate a signature and then roll it out to all systems. Many times, what ends up happening is that other responders will scan the domain for Registry or file system artifacts, and then clean individual systems.

Anonymous, 2010-02-23 18:19 (-05:00):
This does not surprise me at all! AV companies are so often wrong about their scan results, with false-positive file or website virus detections. I believe they do very little diligence.

Even after you contact them on some hidden report page, tell them what the file is, and they remove it from their detection list, there is no guarantee that they will not detect it as a threat at a later date. All you can do is apply to have your name cleared by them again. Guilty until proven innocent with these guys.

They are totally immune from the consequences of a false positive or shoddy work. I think this makes their work lax across the entire range.
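The thread above turns on two observations: Shanna's, that on a stock Windows XP box the HelpAssistant account lives in the SAM and under HKLM\...\Winlogon\SpecialAccounts\UserList but has no ProfileList entry and no directory under Documents and Settings, and Harlan's, that a profile only appears once the account actually logs on. The following triage script is an added example (not code from the blog post or from any commenter) that checks a suspect host against that baseline. It assumes Windows XP/2003 with PowerShell 2.0, reads the profile root from ProfileList\ProfilesDirectory, and uses only the registry locations named in the comments; the interpretation notes at the bottom are those of the commenters, not a claim about what Mebroot writes to the registry.

```powershell
# Added triage check for a HelpAssistant profile on a Windows XP/2003 host.
# Example code, not from the blog or its commenters. Assumes PowerShell 2.0 and
# an XP-era profile layout; on Vista+ the profile root and account differ.

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$userListKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$target         = 'HelpAssistant'

function Get-HelpAssistantState {
    # 1. The SAM account itself: present on a stock XP install (Remote Assistance needs it).
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$target'"
    $acctSid = $null
    if ($acct -ne $null) { $acctSid = $acct.SID }

    # 2. Hidden-from-logon flag under SpecialAccounts\UserList (expected on XP: present, 0).
    $userList = Get-ItemProperty -Path $userListKey -ErrorAction SilentlyContinue
    $hidden = $null
    if ($userList -ne $null) { $hidden = $userList.$target }

    # 3. ProfileList: a subkey named after the account's SID means the account has
    #    logged on interactively at least once (no profile before that, per the thread).
    $bySid = $false
    if ($acctSid -ne $null) {
        $entry = Get-ItemProperty -Path (Join-Path $profileListKey $acctSid) -ErrorAction SilentlyContinue
        $bySid = ($entry -ne $null)
    }
    # Also catch a ProfileList entry pointing at a HelpAssistant directory under some other SID
    # (e.g. the built-in account deleted and a look-alike created, as Shanna describes).
    $pathHits = Get-ChildItem $profileListKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.ProfileImagePath -match $target) { $_.PSChildName }
    }

    # 4. The profile directory on disk, regardless of what the registry says. ProfilesDirectory
    #    is REG_EXPAND_SZ (%SystemDrive%\Documents and Settings on XP), so expand it explicitly.
    $rootRaw = (Get-ItemProperty -Path $profileListKey).ProfilesDirectory
    $root    = [Environment]::ExpandEnvironmentVariables($rootRaw)
    $dir     = Get-Item (Join-Path $root $target) -ErrorAction SilentlyContinue
    $created = $null
    $subdirs = @()
    if ($dir -ne $null) {
        $created = $dir.CreationTime
        # Creation times of the subdirectories feed straight into a timeline, which is how
        # the commenters spotted the copy of the logged-on user's profile.
        $subdirs = Get-ChildItem $dir.FullName -Force | Where-Object { $_.PSIsContainer } |
                   Select-Object Name, CreationTime, LastWriteTime
    }

    New-Object PSObject -Property @{
        AccountInSAM        = ($acct -ne $null)
        AccountSID          = $acctSid
        HiddenFromLogon     = $hidden
        ProfileListBySID    = $bySid
        ProfileListPathHits = @($pathHits)
        ProfileDirExists    = ($dir -ne $null)
        ProfileDirCreated   = $created
        SubdirTimes         = $subdirs
    }
}

$state = Get-HelpAssistantState
$state | Format-List AccountInSAM, AccountSID, HiddenFromLogon, ProfileListBySID, ProfileListPathHits, ProfileDirExists, ProfileDirCreated

# Reading the result, following the thread:
#  - AccountInSAM $false: the built-in account is gone (Remote Assistance breaks; Shanna restores it
#    with "sessmgr.exe -service" from Safe Mode). Check ProfileListPathHits for a replacement SID.
#  - ProfileDirExists $true with ProfileListBySID $false: a directory nobody logged on to create.
#    Compare ProfileDirCreated and the subdirectory times against the suspected infection time and
#    diff the contents against the profile of the user who was logged on at the time.
#  - ProfileListBySID $true: confirm an interactive logon for that SID in the Security event log.
if ($state.ProfileDirExists) { $state.SubdirTimes | Sort-Object CreationTime | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt on the live host, or point the three key paths at a loaded offline SOFTWARE hive (reg load) and the directory check at the mounted image; the account lookup through WMI only works on the live system, so for an image take the SID from the offline SAM with a tool such as RegRipper instead.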