Friday, March 26, 2010

Links

Evtx Parsing
Andreas has released an update to his Evtx Parser tools, bringing the version up to 1.0.4. A great big thanks to Andreas for providing these tools, and the capability for parsing this new format from MS.

F-Response Boot CD
As if F-Response wasn't an amazing enough tool as it is, Matt's now got a boot CD for F-Response! Pretty soon, Matt's going to hem everyone in and the only excuse you'll have for NOT having and using F-Response is that you live in a cave, don't have a computer, and don't gets on the InterWebs...

Malware & Bot Detection for the IT Admin
I recently attended a presentation, during and after which, the statement was made that the Zeus bot is/was difficult to detect. What I took away from this was that the detection methodology was specific to network traffic, or in some cases, to banking transactions. Tracking and blocking constantly changing domains and IP addresses, changes in how data is exfiltrated, etc., can be very difficult for even teams of network administrators.

As most of us remember, there's been discussion about toolkits that allow someone, for about $700US, to create their very own Zeus. By it's nature, this made the actual files themselves difficult to detect on a host system with AV. Again, detection is said to be difficult.

Remember when we talked about initial infection vectors of malware, and other characteristics? Another characteristic is the persistence mechanism...how malware or an intruder remains persistent on a system across reboots and user logins. These artifacts can often be very useful in identifying malware infections where other methods (i.e., network traffic analysis, AV, etc.) fail.

ZBot was also covered by the MMPC. A total of four variants are listed, but look at what they have in common...they all add data to a Registry value, specifically:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

The same could be said for Conficker. According to the MMPC, there were two Registry artifacts that remained fairly consistent across various families of Conficker; creating a new, randomly named value beneath the Run key that pointed to rundll32.exe and the malware parameters, as well as Windows service set to run under svchost -k netsvcs.

That being the case, how can IT admins use this information? When I was in an FTE position with a financial services company, I wrote a script that would go out to each system in the infrastructure and grab all entries from a specific set of Registry keys. As I scanned the systems, I'd verify entries and remove them from my list. So, in short order, I would start the scan and head to lunch, and when I got back I'd have a nice little half page report on my desktop, giving me a list of systems with entries that weren't in my whitelist.

Admins can do something similar with something as simple as reg.exe, or something more complex written into a Perl script. So while someone else is scanning firewall logs or monitoring network traffic, someone else can target specific artifacts to help identify infected systems.

SIFT 2.0
Rob Lee has released SIFT 2.0, an Ubuntu-based VMWare appliance that comes with about 200 tools, including log2timeline, Wireshark, ssdeep/md5deep, Autopsy, PyFlag, etc.

To get your copy, go here, click on the "Forensics Community" tab at the top of the page, and choose Downloads.

If you're taken the SEC 508 course with Rob...or now with Ovie, or Chris...you have probably seen the SIFT workstation in action.

5 comments:

Shanna said...

Unless I completely missed it, log2timeline was not included in the SIFT image I downloaded. I had to install it and its Perl dependencies. Still, it's a really nice setup and I'm looking forward to playing with all the goodies they've provided.

H. Carvey said...

Shanna,

I posted that based on what I've seen Rob post to the Win4n6 Yahoo group.

Enjoy!

Shanna said...

Well, I'm not sure how this happened, but I noticed that the version on my workstation was 1.3. I logged back in to the download page and though there is definitely only one link there to click , I can see that it points to version 2.0 now. I have no idea how I ended up with 1.3, but I'm pulling down what's hopefully the right one.

(This also explains why the username was not at all the one named in the instructions.)

I'm very sorry, and very embarrassed!

Rob Lee said...

Shanna,

Apologize, we had a hiccup yesterday when they accidentally posted the new download page pointing to the old download. Nothing was announced yet, but word started to trickle out that it had been posted. As of 9 PM last night both the DVD ISO and the Vmware Appliance were correct. Now it is just a matter of fighting bandwidth at the SANS NOCs.

Shanna said...

Thanks for the clarification. I figured it was something like that or I was just too early. Your link was very popular Friday so I wasn't able to get it, but it's downloading at a good speed now. I look forward to trying it out!