Tuesday, March 22, 2016

The case of the frustrating MacBook imaging


A quick post today. I recently had to image a few of the newer MacBooks (late 2015) that only have one USB Type C port. This is a challenge. I have a USB non-powered Type C hub that has four USB 3.1 ports on it. To acquire an image of the drive you are limited, as the NVMe drivers for the new internal SSD drive are not working in the current versions of any Linux distro (at the time when I was creating the images). I believe that kernel version 4.3-rc3 will work with some tweaking, but as of the time of this posting I have not verified if there is support for these internal drives. For now I've detailed the process I used below. I was under a time crunch, but I believe the process to be sound and reproducible. The next time I have to create an image of one of these *wonderful* devices I will certainly be trying the excellent boot disk Paladin from Sumuri: https://www.sumuri.com/product-category/paladin/ The crew at Sumuri are absolutely the best, please support them whenever you are able!

Process:

  1. Plug in the USB hub with a ExFat formatted external USB 3 hard drive to contain the image.
  2. Power on the fully charged MacBook and press Command-R while it turns on. This is the recovery mode (typically used for repairing the OS).
  3. Once booted click on Utilities → Terminal.
  4. At the terminal window use the command diskutil list to identify the boot disk and the intended destination disk.
    1. The boot disk may show up as /dev/disk2 but, there is a RAW version of this called /dev/rdisk2. If you don’t use dd on the RAW version of the disk it will take days to image as the /dev/disk2 is presented by the underlying OS.
  5. Unmount the internal SSD by running diskutil unmount /dev/diskX
  6. Mount your destination partition by running diskutil mount /dev/disk4s1 (depends on where it shows up under the list).
  7. Use the built in dd command to start the process. Ex: dd if=/dev/rdisk2 of=/Volume/image/macbook.raw bs=8192 conv=noerror
  8. To prevent the MacBook from sleeping use the built in caffeinate command: caffeinate -u -t 3600   (don't sleep for an hour)
  9. To check on the status of the image size, use this simple FOR loop: while : ; do ls -l /Volume/image/ ; sleep 1 ; clear ; done
  10. To create an md5 hash of the imaged drive use this command: md5 /dev/rdisk2 > /Volume/image/macbook.md5 (Perform this AFTER the imaging is complete, otherwise the system may lock up)

Thursday, March 12, 2015

The case of the unknown proxy



A real example of finding unknown malware in a RAM image using Volatility


Background:

While doing some research on some new intrusion detection rules I noticed that a system on a network was causing a "new" IDS rule to be tripped. The rule itself was fairly simple and looked for something similar to "SSH-2.0-PuTTY_Local:_Apr" in the payload on a destination TCP port of 22. This rule was one I hadn't seen before, so I thought I would dig in a bit and take a look. Looking through the logs the system seemed to be tripping this rule every morning around the same time, but never on the weekends. I also noticed that it would occasionally happen in the afternoon right after the lunch time as well. This led me to believe that it was only checking out when the user rebooted their system. I knew where this system was located, and I also knew that there was a fairly comprehensive firewall in front of it. This meant that it was next to impossible to attempt a remote analysis via the network (which is usually a last resort anyway). I scheduled some time with the user so I could capture RAM and find out what was going on.

The tools:

After using the super reliable Dumpit from http://www.moonsols.com/ to create a RAM image on my flash drive I walked back to my office hoping this would end up being an interesting case. The user was already having a replacement system installed, so they would be back to work quickly as well. I copied the newly created file to my analysis network and set up my vol_script.sh mentioned in a previous blog post. In about an hour it was finished running, and I had managed to get a few other things done. Such a time saver!

First steps using Volatility's plugins:

Netscan

I knew this potential infection was using the network, so I looked at the output from the netscan plugin. The only item that really jumped out at me was that winlogon was listening on localhost via TCP port 7908 as seen here:





That's weird. I wrote down PID 8024 after inspecting the rest of the connections and moved on.

Cmdline / pstree / pslist

There are several plugins that will give you a list of processes running, including some that scan for active and exited processes. For this instance I started with pstree. Why? Because it is awesome.
PID 8024 was shown to be:

 

Well, that is strange! I don't recall this being a valid directory. The number of handles for a valid winlogon process is also pretty low. The parent of this process, PID 2156, turned out to be:




I sincerely doubt that winlogon.exe would be started by WScript.exe - at least it was highly suspect!

I pulled up the output from the cmdline plugin to see exactly how these processes were started. I've changed some of the variables, but the content remains largely the same:




Well, there's the problem right there! I also noticed the wininit.exe process running out of the same directory and a strange vbe script that might be able to be carved out of the RAM image.
At first glance it appears to have set up a reverse tunnel (with a modified version of putty that I recalled from the payload of the IDS alert) on TCP port 7908 using this fake winlogon.exe process. There is also a connection to a remote DNS name via the wininet.exe process. Strange.

Now I have a few tasks. See if the DNS name identified is associated with any malware, extract those processes, extract the vbe file, find the original point of compromise, and look for any other hints as to what is happening. I will concentrate on just the Volatility related tasks to keep this short.

Procdump

Part of my script already extracts the processes to a folder, so I checked the output for the PIDs I cared about:






Success! I made notes to check these executables out later. Later VirusTotal.com reported zero results. Looks like a manual disassembly is in my future if I can't figure this out!

Filescan

Next I checked the output from the filescan plugin for the GoogleIndexer.vbe file.





Success! I have the physical offset of the vbe file, so now I will try extracting the file.

Dumpfiles





This vbe file type is basically an obfuscated VBscript that uses something like Microsoft's Script Encoder to encode scripts. I had a really old conversion script in my toolkit that would "decrypt" the code, so I fired it up. The human readable output of the script was essentially the persistence mechanism that ended up running: 
"winlogon.exe -d -t -l -e0.0.0.0 -i127.0.0.1 -p7908 -a"
Later I found a startup entry in the user's registry confirming this as the persistence mechanism.

Consoles

On a whim I decided to check the output from the consoles plugin. This plugin may find commands that attackers typed into cmd.exe or executed via backdoors. The first item I noticed was my PowerShell prompt where I ran dumpit. After that I found this interesting tidbit:























That is certainly exciting! It appears to be the remote information panel for some kind of proxy. The malicious user also needs to reboot their system to apply some updates. A quick search of the IP directed me to a VirusTotal link that suggested the infection was a malicious proxy known as Penepe.
https://www.virustotal.com/en/ip-address/91.229.78.202/information/

Well, now I have enough information to confirm that this system was definitely running a malicious proxy. Now to find out how this system was originally infected. For this I looked through the logs to find out the very first time this IDS rule was tripped.

Scripted timeline

Part of my automation script runs three distinct plugins that can combined to make a simple timeline. These plugins (mftparser, shellbags, and timeliner) can all output their findings in bodyfile format. Then a quick mactime conversion will produce a very nice csv file that is easily filtered.
I knew that around 15:15 on the 23rd of the month was the first time the IDS rule was tripped, so I filtered the timeline to look for files created on the 22nd or later.
On the 23rd at 15:13 the following ZIP file was created:



A corresponding .lnk file was also created immediately following the file creation timestamp. Coincidentally, the folder where I found the three proxy files was also created at the same time.
The file obviously looks suspicious, and it appears that it was downloaded via the user's web browser. I didn't see anything else suspicious during the time frame surrounding the initial checkin, so further analysis is needed. Based on timestamps alone it looks highly suspicious.

Chromedownloads

The chromedownloads plugin is a newer plugin written by superponible (https://github.com/superponible) that parses the contents of Google Chrome's SQLite database.
The output confirms that the user, who I knew uses Gmail, downloaded an attachment called fax-message01282190.zip and saved it to their Downloads directory.



Summary:

Now we have a potential point of compromise, the malware location, the persistence mechanism, and a nice and quick assessment of the infected system.
After 15 minutes of analysis I had all of the information I needed to report back to a local administrator on what was happening. Further work would be needed looking through network logs, but for now I was confident in the results!

Footnotes:

*I seriously considered obfuscating the DNS name and remote IP address of the malicious host. Nope! Since the IP is blacklisted a few places and one of the first Google search hits yields a VirusTotal page, I think it is safe to assume it is malicious.*
**Tonight's drink of choice is Woodford Reserve Double Oaked bourbon.**

Wednesday, March 11, 2015

Volatility automation - my simple script

By Derek Meier - March 11, 2015

I like to process RAM images using Volatility. The Volatility framework, available at http://www.volatilityfoundation.org/, has saved me endless nights toiling away doing a deep dive into a full forensic disk image. The time it takes to fully analyze a RAM capture of an infected machine is nothing compared to doing analysis on a full forensic disk image. I will never say dead disk forensics is a relic of times gone by, and a RAM capture may not have a complete picture of an event, but it should give you a great amount of relevant information. Hopefully this information can rapidly rule out the need to continue with a full disk analysis.

I also like those commercials on late night TV where you simply set it, and/or forget it. Hitting start on a system and coming back in an hour to find a folder full of results is a wonderful feeling. Plus I find it very useful in my line of work to have reproducible results. As I started capturing more and more RAM images for processing it became apparent that I was always running the same plugins or needing similar information. So, after a bit of playing around one night I came up with a simple shell script to help automate some of the aspects of using Volatility. This script encompasses very little of the analysis you can perform with Volatility, so check it out at their website for a complete list - and please buy "The Art of Memory Forensics!"

There are a few requirements to using this script:

  • This script is only intended for processing Windows RAM images
  • I use the latest version of Volatility from their Github repository - 2.4 currently
  • My main system is running Ubuntu 14.04 LTS x64, but 12.04 should work just fine
  • A few simple tools that should be used are nuhup, mactime, yara, and hashdeep
  • There are a few custom plugins used that were written by the outstanding community members - check out some of the winning plugins from the 2014 plugin contest: http://www.volatilityfoundation.org/#!2014/cjpn
  • I'm using the current stable version of Bulk_Extractor from their Github repository - 1.5: https://github.com/simsong/bulk_extractor 

To use the script I will customize the grep terms and then save a copy in the same directory as the RAM image. Then just run the file from the command line:
> ./vol_script.sh

Once running it will prompt you for a name or description for the case you are working on, and then attempt to find the correct Windows profile automatically.

When the script is finished there will be a new directory called "vol" with the output from all of the plugins and the time.log file.

You can grab a copy of the script here:

https://raw.githubusercontent.com/dmeier-umn/VolScript/master/vol_script.sh

I will update the script frequently (consider it a work in progress) and may move to a new Github repository once I have a few more things finalized.

If you like the script, or have a better way to do things please don't hesitate to leave a comment below!

Resources (more found in the script):

The Art of Memory Forensics: http://www.memoryanalysis.net/#!amf/cmg5
Github repository for the latest version of Volatility: https://github.com/volatilityfoundation/volatility
http://www.jeffbryner.com/code/pdgmail
https://github.com/simsong/bulk_extractor
http://bitbucket.cassidiancybersecurity.com/prefetch-parser
https://github.com/dfirfpi/hotoloti