Tag Archives: Microsoft

DFIR fundamentals with Mandiant updates

Chewbacha revisits the classics

Today, I had the opportunity to listen to the latest installment of Mandiant’s web series “Fresh Prints of Mal-ware”: The Nutts and Boltz of APT Persistence Mechanisms, hosted by Chris Nutt and Jason Rebholz. (The puns are strong with this one!)

The first part of this discussion covered some DFIR fundamentals, like looking at the file system timeline. This should include all eight NTFS timestamps: the four (modified, accessed, MFT-entry changed, created) in the $STANDARD_INFORMATION attribute, which are what Explorer shows and what SetFileTime() edits, and the four in the $FILE_NAME attribute, which only the file system writes and which most timestomping tools leave alone. Rather than just start “looking for evil,” the investigator needs to start with a question. My favorite, where applicable, is to look at all system activity around the time of whatever other suspicious activity caused me to look at the system in the first place (e.g. network traffic). A colleague mentioned using Splunk for forensic timeline research. I’ve not used this technique myself, but the concept is solid.
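
To make the “start with a question” approach concrete, here is an added example (mine, not from the post or from Mandiant) that builds a pivot-centred timeline from all eight NTFS timestamps and flags records whose $STANDARD_INFORMATION times look edited. The MFT records, the paths and the pivot time are constructed for illustration; in a real case they would come out of the MFT via a parser such as analyzeMFT or fls/mactime. The timestomp heuristics are leads, not verdicts: copies that preserve creation time (robocopy, some installers) trip the first one too.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS[.ffffff]' as a UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def macb(m: str, a: str, c: str, b: str) -> dict:
    """Build one MACB set: Modified, Accessed, MFT-entry Changed, Born (created)."""
    return {"M": ts(m), "A": ts(a), "C": ts(c), "B": ts(b)}


@dataclass
class MftRecord:
    path: str
    si: dict  # $STANDARD_INFORMATION times: what Explorer and SetFileTime() see
    fn: dict  # $FILE_NAME times: set by the file system when the name is created


# Constructed sample records (hypothetical, not real evidence). The pivot is an
# outbound beacon seen in the proxy logs at 2011-11-03 14:02:10 UTC.
RECORDS = [
    # Untouched OS file: $SI and $FN agree, only the $SI access time is recent.
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              si=macb("2010-11-20 12:00:00.123456", "2011-11-03 14:01:58.004512",
                      "2010-11-20 12:00:00.123456", "2010-11-20 12:00:00.123456"),
              fn=macb("2010-11-20 12:00:00.123456", "2010-11-20 12:00:00.123456",
                      "2010-11-20 12:00:00.123456", "2010-11-20 12:00:00.123456")),
    # Dropper that back-dated its own $SI times to blend in with the OS files.
    # SetFileTime() does not touch $FN, so the file system still records when
    # the name really appeared.
    MftRecord(r"C:\Windows\Temp\update.exe",
              si=macb("2009-07-14 01:15:00", "2009-07-14 01:15:00",
                      "2009-07-14 01:15:00", "2009-07-14 01:15:00"),
              fn=macb("2011-11-03 14:01:30.551200", "2011-11-03 14:01:30.551200",
                      "2011-11-03 14:01:30.551200", "2011-11-03 14:01:30.551200")),
    # Legitimate log appended to inside the window; nothing suspicious.
    MftRecord(r"C:\ProgramData\App\app.log",
              si=macb("2011-11-03 14:02:05.770013", "2011-10-01 08:00:00.000100",
                      "2011-11-03 14:02:05.770013", "2011-10-01 08:00:00.000100"),
              fn=macb("2011-10-01 08:00:00.000100", "2011-10-01 08:00:00.000100",
                      "2011-10-01 08:00:00.000100", "2011-10-01 08:00:00.000100")),
]


def timeline(records, pivot: datetime, window: timedelta):
    """Every one of the eight timestamps of every record that falls within
    +/- window of the pivot, as (time, '$SI/M'-style label, path), oldest first."""
    events = []
    for r in records:
        for attr, times in (("$SI", r.si), ("$FN", r.fn)):
            for flag, t in times.items():
                if abs(t - pivot) <= window:
                    events.append((t, f"{attr}/{flag}", r.path))
    return sorted(events)


def timestomp_suspects(records):
    """Flag records whose $SI times look edited. Returns [(path, [reasons])]."""
    out = []
    for r in records:
        reasons = []
        # Both born times are written at creation; $SI can only be the older
        # one if something rewrote it afterwards (or a copy preserved it).
        if r.si["B"] < r.fn["B"]:
            reasons.append("$SI born precedes $FN born")
        # Tools that set times from a human-readable string leave the
        # sub-second part at zero; real writes almost never do. Weak on its own.
        if all(t.microsecond == 0 for t in r.si.values()) and \
                any(t.microsecond != 0 for t in r.fn.values()):
            reasons.append("all $SI times have zero sub-second precision")
        if reasons:
            out.append((r.path, reasons))
    return out


if __name__ == "__main__":
    pivot = ts("2011-11-03 14:02:10")
    for t, label, path in timeline(RECORDS, pivot, timedelta(minutes=2)):
        print(t.isoformat(), label, path)
    for path, reasons in timestomp_suspects(RECORDS):
        print("TIMESTOMP?", path, "; ".join(reasons))
```

Widen or narrow the window from the pivot rather than from “the beginning of time”; in the sample, a two-minute window around the beacon surfaces the dropper's $FN creation thirty seconds earlier, which the back-dated $SI times alone would have hidden.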

The second part discussed persistence mechanisms in more detail: autoruns and the many locations they live in. On Twitter, the #m_fp discussion pointed me to two resources, one from Silent Runners and another from Trusted Signal. The presenters also spent a good amount of time on DLL search order hijacking, which gets little attention but which they have seen used by targeted (as opposed to opportunistic) malware. The mechanism is simple: an application that loads a DLL by bare name gets it from its own directory before Windows ever looks in System32, so a planted copy with the right name runs with that application's privileges without touching the registry at all.
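
As an added example (mine, not from the post or from Mandiant) of why that works, the following simulates the default DLL search order, KnownDLLs exemption included, against a constructed file listing, and then does the cheap triage check an investigator can run over a file listing: DLLs sitting in an application directory that share a name with a System32 DLL. The paths, the application directory and the (partial) KnownDLLs set are assumptions for the example; the search order itself is Windows' documented behaviour with SafeDllSearchMode on.

```python
import ntpath

SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32")

# A subset of the real KnownDLLs list (assumption for the example). These are
# mapped from the \KnownDlls section object, never found by a directory
# search, so they cannot be hijacked this way.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "advapi32.dll", "gdi32.dll", "ole32.dll", "shell32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs):
    """Default search order with SafeDllSearchMode enabled (the default since
    Windows XP SP2): application directory first, working directory demoted."""
    return [app_dir, SYSTEM32, ntpath.join(SYSTEM_ROOT, "System"), SYSTEM_ROOT,
            cwd, *path_dirs]


def resolve(dll: str, app_dir: str, cwd: str, path_dirs, present_files):
    """Where LoadLibrary(dll) would land for an executable living in app_dir,
    given the files that exist on disk. Returns None if the load would fail."""
    name = dll.lower()
    on_disk = {p.lower(): p for p in present_files}
    if name in KNOWN_DLLS:
        return on_disk.get(ntpath.join(SYSTEM32, name).lower())
    for d in search_order(app_dir, cwd, path_dirs):
        hit = on_disk.get(ntpath.join(d, name).lower())
        if hit:
            return hit
    return None


def hijack_candidates(present_files, app_dirs):
    """Files in application directories that share a name with a System32 DLL
    and are not KnownDLLs. Vendors legitimately ship some of these (runtime
    DLLs), so compare hashes or Authenticode signatures before calling it a
    hijack; this only narrows the list."""
    system_dlls = {ntpath.basename(p).lower() for p in present_files
                   if ntpath.dirname(p).lower() == SYSTEM32.lower()}
    app_dirs_l = {d.lower() for d in app_dirs}
    return [p for p in present_files
            if ntpath.dirname(p).lower() in app_dirs_l
            and ntpath.basename(p).lower() in system_dlls
            and ntpath.basename(p).lower() not in KNOWN_DLLS]


# Constructed file listing (hypothetical paths, not a real host).
APP_DIR = r"C:\Program Files\Vendor\App"
FILES = [
    ntpath.join(SYSTEM32, "kernel32.dll"),
    ntpath.join(SYSTEM32, "version.dll"),
    ntpath.join(SYSTEM32, "msvcr100.dll"),
    ntpath.join(APP_DIR, "app.exe"),
    ntpath.join(APP_DIR, "vendor.dll"),
    ntpath.join(APP_DIR, "version.dll"),   # planted: wins the search for app.exe
]

if __name__ == "__main__":
    cwd = r"C:\Users\bob"
    for dll in ("version.dll", "kernel32.dll", "msvcr100.dll"):
        print(f"{dll:14} -> {resolve(dll, APP_DIR, cwd, [SYSTEM32], FILES)}")
    print("candidates:", hijack_candidates(FILES, [APP_DIR]))
```

The same idea applies to the directory the malware cannot write to but the victim process searches anyway: if app.exe is a service running as SYSTEM and its directory is writable by a low-privilege user, the planted version.dll is also a privilege escalation, which is exactly why this technique shows up in targeted intrusions rather than mass malware.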

I think this approach of revisiting fundamentals with a few new twists to keep things fresh works really well, and I hope to see more of this sort of thing from Mandiant (and whomever else!) in the future.

Aside

Here are some articles worth reading, but which I didn’t get to discuss in more detail due to time constraints. Hopefully I’ll get around to some of the themes later. Reflections on the Oral Argument in United States v. Jones, …

BSidesDFW 2011

Awkward hug with @kylemaxwell #BSidesDFW (photo on Twitpic)

This past weekend, we had the local BSides DFW conference. Overall, I’d classify it as a great success, but I also want to analyze a few bits here.

The Good

Microsoft provided a really nice facility at their Dallas Technology Center. We had lots of room, good wireless signal, friendly staff (even including the security guards). I’ve criticized Microsoft heavily for years due to their technology and business practices, so I have to note that they did this very well.

Some of the talks had some first-rate stuff. Andrew Case had a particularly outstanding talk on data exfiltration. I can’t wait to see the slides and maybe mess around with Registry Decoder as well. I certainly intend to submit a talk next year, now that I have a feel for what the conference covers and the sort of audience that shows up. We also had a lock pick village and lots of presence from the EFF as well as a table from Hackers For Charity.

I should note that any security conference with kegs and kegs of beer, drink tickets, and homemade barbecue knows its audience. Being sort of a wimp, I didn’t stay for the after party but I heard it was great. And of course I loved seeing some of my friends, or in some cases meeting them in person for the first time. The volunteers and coordinators did a first-rate job, without question.

The Bad

Really, there wasn’t much. Some of the speakers lacked presentation skills, but I think that many of them simply had never done this before. And as much as I loved the facility, shuttling between the first and fourth floors was a bit inconvenient.

But those are the largest things I could mention about the conference itself, which I think speaks volumes for how well it actually went.

The Ugly

First, I’ll note that what I say below should not reflect in any way on BSides or the hard-working coordinators who did a great job organizing this conference for no compensation other than grinning faces and a few awkward hugs.

In 2011, and for a very long time before now, overtly sexist presentations have no place whatsoever at a technical conference. One of the speakers gave a presentation in an informal style, which fits BSides perfectly. This isn’t a government-sponsored academic conference on national defense in the cyber domain or something. It’s a community-organized thing that sprouts from the grass roots.

So throwing out a bunch of slides that demean women and treat them as sexualized objects doesn’t work. I’m not a prude, and there’s a place for unsophisticated locker-room humor. This wasn’t it. As one example out of many from the same talk, a deck that includes images like one of panties on a woman’s crotch with the words “ALL YOU CAN EAT” printed on them would get most of us fired from our day jobs, and rightfully so. Showing same-sex affection for titillation and digitally altered images of (clothed) breasts does nothing but demean women and the speaker, though in different ways.

All of this detracted from what would otherwise have been a really good presentation with some interesting things to say. I hope the speaker reconsiders his actions, and I don’t plan to attend his talks in the future. This is not the sort of thing that we want to encourage in any way.

Threat Intel: Duqu kernel sploit edition

While some of the links between Duqu and Stuxnet may have been overplayed, that doesn’t mean that Duqu doesn’t matter.

Symantec analyzed the actual Duqu dropper, building on work by the Hungarian group CrySyS.

The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they’re working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries.

Microsoft has confirmed the vulnerability but we don’t (yet) have a patch for it.

Keep your eyes open, folks.

Microsoft SIR overview

Last week, Microsoft released their 11th Security Intelligence Report. They have a unique data set: telemetry from every system that reports in to Windows Update and the Malicious Software Removal Tool (MSRT). So I read the report on the plane back from MIRcon and mentally chewed on it for a few days.

Their data on malware propagation methods surprised me. AutoRun (USB or network share) accounted for a far higher share than I would have expected, though User Interaction Required (malware the user has to be tricked into running) did not.

They also found a big jump in operating system exploits, though Java stayed on top. Almost all of that jump came from CVE-2010-2568, the Windows Shell .LNK vulnerability that Stuxnet used. I don’t think anybody will see the continued increase in PDF exploits against Acrobat Reader as news, but it does reinforce the idea that JavaScript in a document should never have happened.

Newer operating systems, particularly 64-bit versions, seem to get infected at lower rates.

And when they do, it looks like “adware” and trojans together account for nearly half of all of the threats listed. I liked seeing specific malware families listed, as well as data specific to domain-joined computers (far more common in enterprises than in homes).

Microsoft included some analysis of spam and malicious websites. They classified the majority of spam as “Pharmacy – Non-sexual”, “Non-pharmacy Product Ads”, and “419 scams”. Surprisingly, “Software” only had a 1% share in their data. Also, most of the phishing impressions they see now target social networks, but more phishing sites go after financial institutions and customers.

The document contains a lot more interesting data and detail. One of the last sections, from Mark Russinovich, covers “Advanced Malware Cleaning Techniques for the IT Professional”. While I firmly believe in nuking systems from orbit once you have completed your investigation, the techniques using Sysinternals process tools like Process Explorer, Process Monitor, and Autoruns provide a lot of general insight into finding malware on a given system.

I found the entire report useful for almost anyone who works in information security, even though the data set has some systematic bias in it: it only counts what MSRT detects and reports back, and of course it covers no non-Microsoft operating systems.

All graphics (c) Microsoft 2011.

I can haz MIRcon?

TLDR: Ninjas and beer. And security lulz.

Nothing livens up a beautiful fall day more than a bunch of geeks and suits sitting in a DC hotel meeting room talking about finding evil. Who doesn’t live for that sort of thing, amirite? So Mandiant decided that they’d get a bunch of incident response types in a room for two days, throw out some coffee and notecards and a projector screen, and see what happens.

'XIX Party Conference' by fotofreq

After having recovered from the beer tasting, intense questioning of product managers, and the ALDS (let’s go Rangers!), I can tell you that we haz moar ideaz than Taylor Swift has fashionable shoes. And that’s a lot, so some of this stuff will get a Killswitch Engage-style breakdown in future blog posts.

Kevin Mandia looks kind of like Nathan Fillion in a suit. He has nice hair, a rugged jawline, and a never-ending idiom factory lodged somewhere between those two things. (He should definitely get Captain Mal to play him in “Mandia: The Man, The Myth, The Legend.”) His keynote speech put all of these on display, and we learned that a greenish-yellow Global Threatcon Severity Indicator means we’re all gonna die, man, game over.

Mandia-Fillion

Separated at birth?

Once we moved on to the panel discussion, things started to liven up. Well, that’s not true. The panel tried to stay away from too much management-speak (yeah, you know what I mean). For example, they talked about visibility and authority for incident response: how do you know if you’re compromised? What happens when you realize you are? You probably won’t reach a 100% solution, so shoot for achievable goals. I mean, I’m really happy for your incident response program, and I’m gonna let you finish, but GE has one of the best CIRTs of all time. OF ALL TIME!

Ahem. So your best threat intel might not come from your sekrit friends in the Illuminati^W military-industrial complex^W^W^W defense industry or critical infrastructure ISAC. Your best intel might come from the cases you’re already working. Pull on the threads you already have, see where they go, and soon your sweater will be undone.

'Loose Threads' by Chris Luckhardt

Then the sparks started to fly. Let me tell you, I thought GE and BAE were in a cage match (“two corporate security directors enter, one corporate security director leaves”). Richard “GE” Bejtlich got all Courage Wolf on us: neutralize the threat, take out the bad guys, RAWRAWRAWR! Then Ron “BAE” Davis was all about “hmmm, maybe that’s a bad idea, you could get the wrong person or go to jail”. And we were all, “ooooh, he TOLD you!” in the audience, and GE was all “ORLY”, and BAE was all “YA RLY”, but then they all smiled and reminded each other that we’re the good guys after all. And we all had ice cream with cherries on top. It was nice.

Michael Graven from Mandiant came up next on behalf of an “anonymous” customer to talk about tool integration. I’m going to call them “Anony Moose” from here on out. See, Mandiant is really proud of this technological terror they’ve constructed called Intelligent Response. It has a RESTful API that spits out well-defined XML and lots of other cool-sounding 2.0 kind of stuff. Anony Moose (wonder if they were in the room at all? nah, too obvious… OR IS IT) has a SIEM that automagically generates trouble tickets when it detects, er, trouble. In paradise. Or something.

So these tickets live in Request Tracker, which has a RESTful API. See some potential there? I guess Anony Moose did, too. They took off for every zig and matched the two of them up. I hear several steps and boxes with holes were involved. And when a ticket comes in, the system reaches out and touches someone^W the target system to gather lots of volatile data like ports, processes, recent audit logs, and all the sorts of things that a super-smart sekrit security agent will want to know. Good stuff and I bet it saves them time so they can kick back in their Fortress of Solitude, laughing at the evildoers stymied by their most excellent planning.

The next talk had ninjas. No, not real ninjas, because we couldn’t have seen them. And since ninjas just flip out and kill people, I’d be dead already. But these were malware reverse engineering ninjas, which is pretty sweet even if it isn’t Real Ultimate Power. They talked about generating Indicators of Compromise, which is how you can talk about targeted malware without actually giving it up to the antivirus vendors and getting useless MD5 hashes and registry key indicators. They do some awesome behavioral analysis in addition to standard sandboxing and static analysis. They can even look at DLL-based malware, and rocking that ain’t easy. When they get super-smart sekrit security agents who find this stuff in the field, then they tear apart the malware until they find the plans. I mean, uh, how it works and how to identify all variants.

'The Urban Ninja' by Tyson Cecka

After we had coffee to clear our heads from the sheer unmitigated awesomeness that was hex dumped assembly code in a screen magnifier, a panel discussion on information sharing ensued. Now, see, everybody wants somebody to love, and if they can’t get that, they at least want somebody to share their interest in a secure operating environment for truth, justice, and the Internet way. This leads to trust issues, because the first rule of the advanced persistent threat is that YOU DO NOT TALK ABOUT the advanced persistent threat. Though I suppose that’s only unless you have clearance, in which case you totally DO talk about the advanced persistent threat.

On that note, Sandia National Laboratories scares me. They have some project where FBI agents arrest the red team and interrogate people with Borg headsets that can totally read your mind. One minute, you’re doing an incident response cyber exercise, and the next minute a man in a black suit is all, “HALLO CAN I VIOLENCE YOUR BRAIN”.

Other organizations were a little more chill. They got back on the question of trusting other folks and maybe punching them in the nose if they talk about the advanced persistent threat (see?!), but then they realized they were harshing everybody’s mellow and just said we shouldn’t share the stuff that can hurt us. And threat data never expires. At least not if you’re a defense contractor.

Ever been playing Minesweeper and, just when you think you’re about to clear it in Expert mode, get that Blue Screen of Death? It’s not all bad. We learned about how crash dumps preserve your integrity. (Apparently that doesn’t work very well on Congress’s computer systems. HEY-YO!) Normally, these dumps of the process memory space and system debug data get sent to Microsoft, but if you don’t like Steve Ballmer getting his grubby paws on your data, you can instead direct all that stuff to an internal share. And hey, maybe you can get some good forensic data out of all those dumps. If you can, then you should probably grab all the dumps and drop them in a debugger. Highly situational, but it’s better than a mudkip.

Then we had beer. It was good.

Next morning, we had a sound check with Heavy D. Not really, but Michael Graven thinks he sounds like him even though he kinda looks more like River Cuomo back when Weezer made the Blue album. (Nothing but love for ya, Mike.)

MIRcon then hosted a real, actual, Man in Black. I don’t remember much except him putting on some sunglasses and asking us to look into his space pen LED. Oh, and that every investigation now relates to cyber (stop snickering, WoW players, you know that’s not what he meant). They want to get “IT” off the network, where I is “intellectual property” and T is your “treasure chest”. The FBI, or at least Assistant Director Gordon Snow, wants a culture shift so we quit putting the good stuff online where the Ebul Doers can get to it. Since the threat isn’t going away anytime soon and vulnerabilities get all the attention already, the best way to reduce your risk is to lower the value of the asset. (I assume he drives a Ford Focus, since his logic also says that the best way to keep your car from getting stolen is to drive a clunker.)

'How did that get here!?' by Purple Wyrm

Finally, Halvar Flake totally blew our minds. Honestly, he had me at “Hello, my name isn’t really Halvar Flake”, but then he set the hook when he went straight into “approximate maximum subgraph homomorphisms”. That is, imagine you have two street maps of different scale and resolution, but they actually represent more or less the same area. You’ll want to stretch and zoom and align and twist the maps until you can see where they overlap, so you can look at your wife and be all, “I told you we weren’t lost.” And that you found new families of malware.

But then, once you cluster these maps together, you can give out different signatures that tell everybody how to match up new maps. Nobody gets the same signatures, though, because (just like eating a Reese’s Peanut Butter Cup), there’s no WRONG way to perform an approximate maximum subgraph homomorphism. See, if it’s wrong, then it wasn’t really a homomorphism after all.

And by splitting things up, you don’t actually have to talk about the advanced persistent threat. That would lead to nose punchings, and anybody who would try to punch Kevin Mandia in the nose will definitely get a “NO WAI”. And probably their OWN nose punched. Because he’s Captain Hammer.

I did sort of lie. That wasn’t the final talk. But that was the last one I really noted, because after that we had a demo of MIR. And then Mandia and Bejtlich showed us their sweet incident response kung fu auditions. “I NEVER LOSE! YOU NEVER WIN!” Then real actual computer scientists handed out the Malies (think “mallies”, not “mailies” because the latter sounds kind of sexist and could create a hostile work environment). That was a one-shot deal, but many memes died to bring us that information.

And some lawyers came on to tell us about the legal costs of data breaches, but I had a plane to catch home.

For the future, I’d just suggest averaging out start times. 10:30am one day, 7:30am the next. Let’s split the difference and keep it at 9am, because ninjas and beer and baseball (let’s go Rangers!) and early mornings don’t mix.

If you want a more serious and professional look at MIRcon, go read Greg Pendergast’s summary over at the SANS Forensics Blog. And buy him a beer, because he’s a mensch.