Thursday, October 29, 2015

IRS Phone Scam

I received a voicemail about an IRS scam that was interesting enough that I thought I'd share it. I didn't answer, since I personally recommend never answering phone calls from non-local numbers, especially ones you weren't expecting and don't recognize. Let it go to voicemail, screen it, and then decide whether it's worth calling back. It was a threatening message from the IRS saying that I'd been caught for tax evasion and would be arrested if I didn't call back. The IRS has posted consumer alerts about scams like this and offers several ways to report them. I have seen these before and can tell it's fake just by the accent and the demand to call now or get arrested. But some can be convincing, especially if you haven't received one before or aren't familiar with these types of scams. Enjoy and stay safe. Listen to the full audio of the voicemail. I posted the full transcript on pastebin.

*****
Source: +1 (202) 470-0933
Caller Id Location: DC, USA
Date: 10/27/2015
*****
FULL TRANSCRIPT
*****
We have received a legal position notice against you concerning a tax evasion. So before we file a case against you in the court house and before you get arrested kindly call us back on our callback number. The number to reach me that is 202-470-0933. I'll repeat, it's 2024700933. Don't disregard this message. Give it a call. Again this is officer Daniel Cruz from the Internal Revenue Service. Thank you and have a blessed day.


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, October 27, 2015

Registry Explorer\ComDlg32 Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.

Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

It appears that each time a user opens or saves a file using the standard Windows dialog box, the action is recorded in this registry key.

For example, I opened this registry key

HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy\0

And was able to read the following values

notepad++.exe Windows\temp

Which would seem to me to indicate that the user opened the C:\Windows\temp folder with notepad++.exe.


Registry Terminal Server Client\Servers Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.

Software\Microsoft\Terminal Server Client\Servers

It appears that each time a user uses Remote Desktop to connect to another computer, a registry entry is created under the Terminal Server Client key. For example, I opened the following registry key

HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Terminal Server Client\Servers\SERVERXYZ\UsernameHint

And was able to read the following values

DOMAIN1\USER1

Which would seem to me to indicate that USER1 attempted to connect to SERVERXYZ through domain DOMAIN1.


Registry Explorer\RecentDocs Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

It appears that each time a file or folder is accessed on a Windows system, it is recorded in the RecentDocs key (which makes sense given the name). For example, I opened the following registry key

HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx\3

And was able to read the following values

PracticeExam.docx, PracticeExam.docx.lnk

Which would seem to me to indicate that a Word document was recently accessed.
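Both keys discussed above (ComDlg32\LastVisitedPidlMRU and RecentDocs) store numbered values that begin with a null-terminated UTF-16LE name, ordered by a sibling MRUListEx value. The Python below is an added example, not code from this blog or from any tool it mentions; it parses constructed byte values modelled on the notepad++.exe and PracticeExam.docx entries, and the trailing shell-item bytes are placeholders that it skips rather than decodes.

```python
from __future__ import annotations
import struct

# Added example. RecentDocs\<ext> and ComDlg32\LastVisitedPidlMRU values open
# with a null-terminated UTF-16LE string (file name, or executable name for
# LastVisitedPidlMRU) followed by shell-item/PIDL bytes not decoded here.
# MRUListEx is a list of little-endian DWORD indices, most recent first,
# terminated by 0xFFFFFFFF: it turns "...\RecentDocs\.docx\3" into "the most
# recently opened .docx".

def parse_mrulistex(data: bytes) -> list[int]:
    """Return the numbered-value indices in most-recently-used order."""
    order = []
    usable = data[: len(data) - len(data) % 4]   # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:                    # list terminator
            break
        order.append(idx)
    return order

def leading_utf16_string(data: bytes) -> str:
    """Extract the null-terminated UTF-16LE string that opens a value."""
    for i in range(0, len(data) - 1, 2):
        if data[i] == 0 and data[i + 1] == 0:
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")   # no terminator found

def ordered_entries(values: dict[str, bytes]) -> list[tuple[int, str]]:
    """Pair each index from MRUListEx with the name stored in that value."""
    order = parse_mrulistex(values["MRUListEx"])
    return [(i, leading_utf16_string(values[str(i)])) for i in order if str(i) in values]

def make_value(name: str) -> bytes:
    # Constructed sample: name, UTF-16LE terminator, then placeholder bytes
    # standing in for the shell item / PIDL that follows in a real value.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x50\xe0\x4f"

# Constructed hive excerpts modelled on the two keys discussed in the posts.
RECENT_DOCX = {
    "MRUListEx": struct.pack("<4I", 3, 1, 0, 0xFFFFFFFF),
    "0": make_value("Notes.docx"),
    "1": make_value("Report.docx"),
    "3": make_value("PracticeExam.docx"),
}
LAST_VISITED = {
    "MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
    "0": make_value("notepad++.exe"),
}

if __name__ == "__main__":
    for key, values in (("RecentDocs\\.docx", RECENT_DOCX), ("LastVisitedPidlMRU", LAST_VISITED)):
        for idx, name in ordered_entries(values):
            print(f"{key}\\{idx}: {name}")
```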


Registry Shell\BagMRU Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.

Software\Microsoft\Windows\Shell\BagMRU

It appears that each time a folder is accessed on a Windows system, that folder is recorded in the BagMRU key. For example, I opened the following registry key

HKEY_USERS\C__Users_USERNAME_AppData_Local_Microsoft_Windows_UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\14

And was able to read the following values

login_scripts

Which would seem to me to indicate that a folder named login_scripts was accessed.

NirSoft has a nice utility called ShellBagsView that allows you to view these values.


Registry Explorer\UserAssist Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.

Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\

It appears that each time a program is executed on a Windows system, it is tracked in this key, including the date/time and the number of times it was run. For example, I opened the following registry key

HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\RANDOMLETTERS

And was able to read the following values

mstsc.exe , Microsoft.Windows.RemoteDesktop

Which would seem to me to indicate that Remote Desktop was launched.

In another example I saw this text

TaskBar\Google Chrome.lnk

Which would seem to indicate Chrome was launched from the Windows taskbar at the bottom of the screen.

Didier Stevens has a nice utility called UserAssist that allows you to view these values.
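The RANDOMLETTERS value names are ROT13-encoded, and on Windows 7 the value data is a 72-byte record holding the run count and the last-run FILETIME. The Python below is an added example, not code from this blog or from Didier Stevens' UserAssist tool; it decodes a constructed record and the name zfgfp.rkr, which is ROT13 for mstsc.exe.

```python
from __future__ import annotations
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Added example. Value names under UserAssist\{GUID}\Count are ROT13-encoded,
# which is why they look like RANDOMLETTERS in a raw dump. On Windows 7 each
# value's data is a 72-byte record: run count at offset 4, focus count at 8,
# focus time in milliseconds at 12, and the last-execution FILETIME at 60.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_name(value_name: str) -> str:
    """Undo the ROT13 applied to UserAssist value names."""
    return codecs.decode(value_name, "rot_13")

def filetime_to_datetime(ft: int) -> datetime | None:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means never recorded."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_win7_count(data: bytes) -> dict:
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7 UserAssist record")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_run": filetime_to_datetime(last_run)}

def build_win7_count(run_count: int, focus_count: int, focus_ms: int,
                     last_run: datetime) -> bytes:
    """Constructed record, used only to produce sample data for this example."""
    delta = last_run - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    rec = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)  # offsets 0..15
    rec += struct.pack("<10f", *([0.0] * 10))                       # offsets 16..55
    rec += b"\x00" * 4                                              # offsets 56..59
    rec += struct.pack("<Q", micros * 10) + b"\x00" * 4             # offsets 60..71
    return rec

# Constructed sample: "zfgfp.rkr" is ROT13 of the mstsc.exe name seen above.
SAMPLE_NAME = "zfgfp.rkr"
SAMPLE_TIME = datetime(2015, 10, 19, 14, 3, 7, tzinfo=timezone.utc)
SAMPLE_DATA = build_win7_count(5, 2, 90_000, SAMPLE_TIME)

if __name__ == "__main__":
    info = parse_win7_count(SAMPLE_DATA)
    print(decode_name(SAMPLE_NAME), info["run_count"], "runs, last run", info["last_run"])
```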


Monday, October 26, 2015

Walking Thru a Phishing Email Attachment

Here's a walk-through of how I look at a phishing email attachment.

There was a McAfee alert 'HTML/Phishing.b' on a file called 'form.html'. This likely came from a user opening/clicking on an attachment in an email.

Since McAfee marked it as infected and deleted it, the file was no longer in the original folder where the alert had triggered. But it was in the McAfee Quarantine folder as a .bup, so I was able to extract it like this.

The file that came back was this ugly JavaScript, obfuscated and hard to read. At a high level, the document contains a massively long Base64-encoded variable, which the JavaScript then decodes and de-obfuscates into working HTML that the user's browser or email client would display.

I know this because at the bottom I see the JavaScript call 'document.write', which is used to write raw HTML to a page. To be safe, I didn't want to run this JavaScript directly, so I re-saved it and changed 'document.write' to 'console.log'. This lets me see the HTML without the browser actually rendering it (much safer). Then I hit F12 to open the Firefox developer tools, re-loaded the JavaScript, and saw in the Console tab that the HTML is now output for me.

After the JavaScript runs, the HTML displayed is this: an HTML form styled nicely to phish PayPal credentials and send them to a .ru (Russian) website.
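A static alternative to the console.log trick, written as an added example rather than code from this post: it decodes the long Base64 literal without executing the JavaScript and reports where the embedded form posts and which fields it collects. The attachment and its .invalid host are constructed for the example; anything more obfuscated than a plain Base64 literal still needs the manual approach above.

```python
from __future__ import annotations
import base64
import re
from urllib.parse import urlparse

# Added example: static (non-executing) triage of an attachment like the one
# above. It finds long Base64 string literals in the JavaScript, decodes them,
# and reports where any HTML form inside would post and which fields it collects.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=\s]{64,})["\']')
FORM_ACTION = re.compile(r'<form[^>]*\baction\s*=\s*["\']([^"\']+)["\']', re.I)
INPUT_NAME = re.compile(r'<input[^>]*\bname\s*=\s*["\']([^"\']+)["\']', re.I)

def decode_base64_literal(text: str) -> bytes | None:
    compact = re.sub(r"\s+", "", text)
    compact += "=" * (-len(compact) % 4)          # repair missing padding
    try:
        return base64.b64decode(compact, validate=True)
    except (ValueError, TypeError):
        return None

def uses_document_write(js: str) -> bool:
    return re.search(r"document\s*\.\s*write\s*\(", js) is not None

def triage(js: str) -> list[dict]:
    """One finding per form found inside any decodable Base64 literal."""
    findings = []
    for match in B64_LITERAL.finditer(js):
        decoded = decode_base64_literal(match.group(1))
        if not decoded:
            continue
        html = decoded.decode("utf-8", errors="replace")
        for action in FORM_ACTION.findall(html):
            findings.append({"action": action, "host": urlparse(action).hostname,
                             "fields": INPUT_NAME.findall(html)})
    return findings

# Constructed sample attachment (reserved .invalid host; not a real site).
SAMPLE_HTML = (
    '<html><body><form method="post" action="http://paypal-secure.invalid/collect.php">'
    '<input name="email"><input name="password" type="password">'
    '<input type="submit" value="Log In"></form></body></html>'
)
SAMPLE_JS = ('var _0x = "' + base64.b64encode(SAMPLE_HTML.encode()).decode() + '";\n'
             'document.write(atob(_0x));\n')

if __name__ == "__main__":
    print("document.write present:", uses_document_write(SAMPLE_JS))
    for f in triage(SAMPLE_JS):
        print(f"form posts to {f['host']} ({f['action']}), fields {f['fields']}")
```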


Monday, October 19, 2015

Exploit Kits 101

This Trend Micro white paper on exploit kits was a good read. It gives an easy-to-understand explanation of how exploit kits currently work. Here are some highlights I took from the paper.

Exploit kits appear to be the script-kiddie method of infecting victims with malware at mass scale. They require no skill or expertise; it's simply pay-to-play software as a service. The newbie bad guy wants to distribute malware to unsuspecting users, but he doesn't know how or doesn't have enough resources to get the job done. So he goes to the underground and purchases an exploit kit. With that purchase he gets an online management console, where he can choose the vulnerabilities he wants to attack (Windows, Flash, etc.), the type of victims he wants to attack (certain countries, certain types of sites, etc.), and the malware payload to distribute.

All the while there is only one or a handful of actually smart bad guys sitting in the background, writing the code for the exploit kit and keeping this software as a service running by adding new vulnerabilities, new add-ons, etc. to the kits.

Now how does an exploit kit work?
1.) Newbie Bad Guy purchases an exploit kit and is given a URL by the smart bad guy
2.) Newbie Bad Guy finds ways to get people to browse to the URL (spam, malvertisements, hacking a website)
3.) The smart guy's URL uses the logic set up by the Newbie Bad Guy on the management console to decide whom to infect
4.) If the victim should be infected, the smart guy's URL redirects the victim to the actual exploit
5.) The smart guy's URL determines which exploit to use based on the browser/OS and uses it
6.) The smart guy's exploit determines which payload/malware to deliver based on the Newbie Bad Guy's choices on the management console, and then delivers it


Why do they work?
1.) People (especially slow-moving enterprises) don't patch fast enough, so known exploits keep working for quite a while
2.) The smart bad guy is constantly adding new exploits (including 0-days, or those that haven't been patched yet)
3.) The smart bad guy incorporates many exploit types/targets (Internet Explorer, Flash, Silverlight, Adobe Reader, Java, ActiveX), so if one doesn't work another might
4.) The smart bad guy adds evasion techniques like auto-disabling if it detects an anti-virus product
5.) The smart bad guy is constantly updating/changing the URL and exploit behavior so that old detection signatures no longer match
6.) The smart bad guy heavily obfuscates the payload (encrypted, compressed, etc.) so that it is very difficult to detect
7.) There are plenty of Newbie Bad Guys forking out money to the smart bad guy, making it worthwhile for him to continue his evil operations

How can it be stopped?
- It seems the smart bad guy will always have the upper-hand in terms of evading static signatures and developing new obfuscation techniques. So to me it seems that defense will rely heavily on Behavior based solutions for the near-future. Behavior based solutions need to understand what is normal and abnormal and be able to alert on such without actually knowing anything about the malware or attack.


Monday, October 12, 2015

SIP (VoIP) Packets from sipvicious

Have you ever seen traffic like this against your network?



The protocol is SIP, the destination port is 5060/UDP, and it's a request. From what?

If you look at the UDP Stream you'll see more details.



In the stream you see key information like 'From: "sipvicious"', 'User-Agent: friendly-scanner', etc.


My understanding is that this is essentially the script-kiddie version of VoIP hacking. sipvicious is a tool (watch this video) that can scan a network for VoIP servers and then try to brute-force authentication into them and wreak havoc. If SIP is set up poorly or insecurely, sipvicious could cause you big problems.

Why care? If you're the good guy and you're supporting VoIP / SIP, then you need to know about tools like this so that you can protect against them and secure your setup.
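To pick these probes out of captured SIP payloads, here is an added example (not part of the original post or of sipvicious) that parses the request and flags the friendly-scanner and sipvicious fingerprints; the two messages are constructed with RFC 5737 documentation addresses.

```python
from __future__ import annotations

# Added example: parse a raw SIP request payload (as seen in the UDP stream
# above) and flag the sipvicious / friendly-scanner fingerprints. Messages are
# constructed for this example using RFC 5737 documentation addresses.
SCANNER_AGENTS = ("friendly-scanner", "sipvicious")

def parse_sip(payload: str) -> tuple[str, dict[str, str]]:
    """Return (request line, headers) with header names lower-cased."""
    head = payload.split("\r\n\r\n", 1)[0]          # headers end at the blank line
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())  # keep first occurrence
    return lines[0], headers

def scanner_indicators(payload: str) -> list[str]:
    """List the sipvicious fingerprints present in one SIP request."""
    _request_line, headers = parse_sip(payload)
    hits = []
    agent = headers.get("user-agent", "")
    if any(tag in agent.lower() for tag in SCANNER_AGENTS):
        hits.append(f"user-agent: {agent}")
    if "sipvicious" in headers.get("from", "").lower():
        hits.append("from display name: sipvicious")
    return hits

SAMPLE_PROBE = (
    "OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1234;rport\r\n"
    "Content-Length: 0\r\n"
    'From: "sipvicious"<sip:100@192.0.2.1>;tag=abc123\r\n'
    'To: "sipvicious"<sip:100@192.0.2.1>\r\n'
    "Call-ID: 0123456789@203.0.113.7\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Max-Forwards: 70\r\n"
    "User-Agent: friendly-scanner\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "From: <sip:alice@pbx.example.net>;tag=1\r\n"
    "User-Agent: DeskPhone/2.1\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("probe:", scanner_indicators(SAMPLE_PROBE))
    print("benign:", scanner_indicators(SAMPLE_BENIGN))
```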

General reminder that this demonstration was for educational and awareness purposes and should not be used for malicious activities.


Finding Windows Files that Changed

Many times in the information security world it's necessary to see what files changed on a system. One possible way to do that is comparing the hashes of files (SHA1, MD5, etc.) before and after the incident. One tool that can accomplish this is the free Microsoft File Checksum Integrity Verifier (fciv).

It starts with a baseline, so you'll need to have run it against a clean image originally. To do so, run it against a folder of your choosing (or the entire C:\ drive for that matter). Notice in the command below that you choose which file types to look for (instead of every file).

    fciv.exe -xml hashdb-original.xml -r c:\windows\temp\SuspiciousFiles -type *.dll -type *.zip -type *.png

Let's say in this folder there were originally 3 untouched files


Now the malware touched 1 of them and compromised its integrity


Then after an incident, run this command to compare the original hash database against the current state of the system. As you see below, it identified the change, the original hash and the new hash.

    fciv.exe -xml hashdb-original.xml -v -bp c:\windows\temp\SuspiciousFiles
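The same baseline-then-compare workflow in Python, as an added example rather than anything from the post or from fciv: it hashes only the chosen extensions, stores the baseline as JSON instead of fciv's XML, and reports changed, added and removed files on a constructed temporary folder.

```python
from __future__ import annotations
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: a small Python stand-in for the fciv workflow above. It hashes
# only the chosen extensions under a folder, saves the baseline as JSON (fciv
# uses XML), and later reports which files changed, appeared or disappeared.

def hash_file(path: Path, algo: str = "sha1") -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root, extensions, algo: str = "sha1") -> dict[str, str]:
    """Map relative path -> digest for every file whose suffix is in extensions."""
    root = Path(root)
    wanted = {e.lower() for e in extensions}
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in wanted}

def save_baseline(hashes: dict[str, str], path) -> None:
    Path(path).write_text(json.dumps(hashes, indent=1))

def load_baseline(path) -> dict[str, str]:
    return json.loads(Path(path).read_text())

def compare_baselines(baseline: dict[str, str], current: dict[str, str]) -> dict:
    changed = {p: {"old": baseline[p], "new": current[p]}
               for p in baseline if p in current and baseline[p] != current[p]}
    return {"changed": changed,
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}

def demo() -> dict:
    """Recreate the post's scenario: three clean files, then one gets modified."""
    with tempfile.TemporaryDirectory() as d:
        root, exts = Path(d), {".dll", ".zip", ".png"}
        for name, body in (("a.dll", b"A" * 64), ("b.zip", b"B" * 64), ("c.png", b"C" * 64)):
            (root / name).write_bytes(body)
        (root / "notes.txt").write_bytes(b"not a tracked type")
        save_baseline(hash_tree(root, exts), root / "hashdb.json")
        (root / "b.zip").write_bytes(b"B" * 63 + b"!")      # simulated tampering
        (root / "d.dll").write_bytes(b"dropped later")       # simulated new file
        return compare_baselines(load_baseline(root / "hashdb.json"), hash_tree(root, exts))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```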




Find Hidden Website Folders

Here's a simple tool that can find hidden or common website folders that might not be linked directly from the main page.

Download a brute force website scanner like dirs3arch

Run it against an ASP website
   python.exe dirs3arch.py -u mywebsitethatiownandcontrol.com -e asp

Or Run it against a PHP website
   python.exe dirs3arch.py -u mywebsitethatiownandcontrol.com -e php

Watch as it discovers several pages that may or may not be of interest



Why might this be useful? Well, if you're a bad guy you probably want to know if there are hidden administrator pages, or you can use the existence of certain folders to determine what operating system, web environment, programming language, version, etc. the site is running so you know how to target it. If you're a good guy (like us) then you want to know what the bad guy's going to find so you can secure it and properly protect your website.

General reminder that this demonstration was for educational and awareness purposes and should not be used for malicious activities.


Entropy - Encryption, Compression, etc.

Entropy in computer science can be as simple as counting how many times each character appears in a file. If the file is written in plain English sentences, each letter appears with a predictable frequency. For example, the letter 'e' appears far more often than the letter 'z' in written text. What gets interesting is that you can use tools to calculate entropy and determine whether a file is, for example, compressed or even encrypted. How? Let's see.

Download an entropy calculating tool such as binwalk

Run that tool against a file
   binwalk -E <file>

Notice in the example below that the entropy is fairly flat but has consistent deviations. It's a fair assumption that this file might be compressed because of that layout. Actually, this file was a '.zip' compressed file.



Notice in the example below that the entropy is fairly flat, flatter than the previous one. It's a fair assumption that this file might be encrypted because of that layout. Actually, this file was a '.gpg' encrypted file.



Notice in the example below that the entropy is all over the place, with no flatness at all. It's a fair assumption that this is not encrypted or compressed, but instead some more ordinary file or text. Actually, this file was a '.bmp' image file.



Finally, notice in the example below that the entropy is also all over the place, with no flatness at all. It's a fair assumption that this is not encrypted or compressed, but instead some more ordinary file or text. Actually, this file was an '.html' web page with the text of a story.



Why is this useful? In computer science, and especially in the information security realm, you run across unknown data all the time. It becomes very helpful then to learn whether that data is perhaps encrypted, or compressed, so that you can make attempts to reverse engineer it and get back to the original malicious content.
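To compute what binwalk -E plots, here is an added example (not code from the post or from binwalk) that calculates per-block Shannon entropy and applies the post's rule of thumb to three constructed buffers: word-salad text, its zlib-compressed form, and a SHA-256 chain standing in for ciphertext.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Added example: the per-block Shannon entropy that binwalk -E plots, computed
# in Python, plus the rough rule of thumb the post applies to the plots. The
# three sample buffers are constructed deterministically so this runs offline.

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a constant buffer, 8 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, block: int = 4096) -> list:
    """Entropy of each successive block, i.e. the curve binwalk -E draws."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def classify(data: bytes, block: int = 4096) -> str:
    """Heuristic only: high and flat suggests encryption, high with dips suggests
    compression (headers, tables), anything lower looks like ordinary data."""
    profile = entropy_profile(data, block)
    mean = sum(profile) / len(profile)
    spread = max(profile) - min(profile)
    if mean > 7.9 and spread < 0.1:
        return "encrypted-like (flat, near 8 bits/byte)"
    if mean > 7.0:
        return "compressed-like (high entropy, some deviation)"
    return "plaintext-like (uneven, well below 8 bits/byte)"

WORDS = ("the story of an entropy measurement is told in plain english words "
         "that repeat often enough to leave letters with very uneven counts").split()
_rng = random.Random(2015)                                   # fixed seed: reproducible
TEXT_SAMPLE = " ".join(_rng.choice(WORDS) for _ in range(4000)).encode()   # ~24 KB
COMPRESSED_SAMPLE = zlib.compress(TEXT_SAMPLE, 9)
# Stand-in for ciphertext: a deterministic SHA-256 chain (uniform-looking bytes).
ENCRYPTED_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                            for i in range(512))                              # 16 KB

if __name__ == "__main__":
    for label, buf in (("text", TEXT_SAMPLE), ("zip", COMPRESSED_SAMPLE), ("gpg", ENCRYPTED_SAMPLE)):
        print(f"{label:4s} {shannon_entropy(buf):.3f} bits/byte  {classify(buf)}")
```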


Memory Dump Collection & Analysis

Here is a quick run-down of basic Memory Dump collection and analysis on a Windows 7 machine.

First download a memory dump tool like DumpIt.

Then generate a memory dump by running the tool against the desired machine.
   DumpIt.exe


Move the memory dump to your analysis vm.

Determine what Image type you're going to use.
   python.exe vol.py imageinfo -f WIN7-20151012-174426.raw


Run queries against the dump like "pslist" (process list)
   python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw pslist


"pstree" (process tree)
   python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw pstree


"netscan" (connections)
   python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw netscan


Find all registry hives and query one for a key
   python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw hivelist
   python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw printkey -o 0x90839008 -K "Google\Update"


Find all the amazing volatility commands here!
