How was the System Infected? Part 2
Wednesday, September 1, 2010
My previous post explained why I incorporated timeline analysis into the examination of the Infected 2 system.
I created a supertimeline to help answer the second question: how did the system become infected? My examination of the timeline focused on the creation and last modified dates in order to simulate a real security incident, because the last access times may not be accurate depending on the time that elapsed between the initial infection and the examination. (I doubt I will be able to preserve a system at the exact moment of infection in a real case, unlike the tests I conducted.) In addition to the timeline, I used Guidance Software's EnCase to hash and perform a file signature analysis on all of the files on the system in advance of examining them. I also used EnCase to examine any files identified in the timeline.
How did the system become infected?
The examination of volatile data identified the following on the Infected 2 system: a rogue aaclientt.exe process, 612835656.dat opened by aaclientt.exe, an svchost process with an injected DLL, and a rogue 75622830.exe process. I examined the timestamps of the aaclientt.exe and 75622830.exe files in order to get a starting point for the timeline review. The picture below shows the timestamps for aaclientt.exe.
The arrows in the picture highlight a time discrepancy between the Standard Information Attribute (SIA) creation date and the Filename Attribute (FNA) modification date. This is an indication the timestamps of the aaclientt.exe program could have been changed. I used Lance Mueller's EnScript to compare the two sets of timestamps, as can be seen below.
This comparison confirmed the timestamps were modified and this discrepancy can also be seen in the timeline. The confirmation shows aaclientt.exe was created on the system on 04/07/10 03:19:48PM instead of 08/04/04 08:00:00AM. The purpose of this modification was an attempt to make aaclientt.exe blend in with other files on the system which have a creation date of 08/04/04 08:00:00AM. The picture below shows how aaclientt.exe was trying to blend in with other files in the Windows\System32 folder.
Aaclientt.exe was uploaded to Virus Total and the detection rate on 04/10/10 was 20 percent. 75622830.exe was examined to determine if the file was created on the system before or after aaclientt.exe. The picture below shows 75622830.exe was created on the system at 04/07/10 03:20:17PM, which is 29 seconds after aaclientt.exe. 75622830.exe was then uploaded to Virus Total and the detection rate on 04/08/10 was also 20 percent.
During my testing, I started the timeline review from the latest creation date of the files I located because I wanted to see as many of the artifacts of the infection as I could. However, if this were an actual security incident I would have started with the file created on the system first, because I would want to be as close as possible to when the system was first infected. With that said, the review of the timeline will start at 04/07/10 03:20:17PM, which is 75622830.exe's creation time. The timeline review will work backwards, trying to determine what caused these files to appear on the system. The picture below is a portion of the timeline that includes the creation time of 75622830.exe on line number 163834.
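The SIA/FNA comparison above can be scripted for triage. The following is an added example, not the author's EnScript or EnCase output: it takes NTFS timestamp records (constructed here by hand to mirror the post's aaclientt.exe and mgjwin32.exe observations; the file paths, the calc.exe control file and the 75622830 folder location are assumptions) and flags files whose $STANDARD_INFORMATION creation time is older than their $FILE_NAME times, or whose creation time matches the system-wide baseline while the MFT entry was touched years later.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NtfsTimes:
    path: str
    si_created: datetime    # $STANDARD_INFORMATION creation (what Explorer/EnCase shows)
    fn_created: datetime    # $FILE_NAME creation time
    fn_modified: datetime   # $FILE_NAME modification time
    mft_modified: datetime  # $SI entry-modified time, the "c" column in a mactime timeline


# Creation timestamp shared by many OS files on this build; the malware copied it to blend in.
BASELINE = datetime(2004, 8, 4, 8, 0, 0)


def is_timestomped(t: NtfsTimes) -> bool:
    """$SI timestamps can be rewritten from user mode, $FN timestamps cannot, so an
    $SI creation time older than either $FN time is the discrepancy the post describes.
    Caveat: a rename or move refreshes $FN from $SI, so corroborate with the MFT
    entry-modified time and prefetch evidence before calling it tampering."""
    return t.si_created < t.fn_created or t.si_created < t.fn_modified


def probable_creation(t: NtfsTimes) -> datetime:
    """Best estimate of when the file really landed on disk: the $FN creation time."""
    return t.fn_created


def blends_with_baseline(t: NtfsTimes, baseline: datetime = BASELINE) -> bool:
    """Flag files claiming the baseline creation time whose MFT entry changed long after."""
    return t.si_created == baseline and (t.mft_modified - baseline).days > 365


def triage(entries):
    """Return (path, probable creation time) for suspect files, newest first,
    which is the order the post walks the timeline backwards."""
    hits = [(t.path, probable_creation(t)) for t in entries
            if is_timestomped(t) or blends_with_baseline(t)]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample records (paths assumed); times follow the post's observations.
SAMPLE = [
    NtfsTimes(r"C:\WINDOWS\system32\aaclientt.exe",
              BASELINE, datetime(2010, 4, 7, 15, 19, 48),
              datetime(2010, 4, 7, 15, 19, 48), datetime(2010, 4, 7, 15, 19, 48)),
    NtfsTimes(r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\mgjwin32.exe",
              BASELINE, datetime(2010, 4, 7, 15, 19, 34),
              datetime(2010, 4, 7, 15, 19, 34), datetime(2010, 4, 7, 15, 19, 34)),
    NtfsTimes(r"C:\75622830\75622830.exe",           # consistent timestamps, not stomped
              datetime(2010, 4, 7, 15, 20, 17), datetime(2010, 4, 7, 15, 20, 17),
              datetime(2010, 4, 7, 15, 20, 17), datetime(2010, 4, 7, 15, 20, 17)),
    NtfsTimes(r"C:\WINDOWS\system32\calc.exe",       # genuine OS file at the baseline
              BASELINE, BASELINE, BASELINE, BASELINE),
]

if __name__ == "__main__":
    for path, when in triage(SAMPLE):
        print(f"{when:%m/%d/%y %I:%M:%S%p}  {path}")
```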
Note: the type column shows the action recorded for the file, with m meaning the last time the file was modified, a meaning the last time the file was accessed, c meaning the last time the file's MFT entry was modified, and b meaning the creation (birth) time of the file.
The timeline shows on line 163833 the 75622830 folder was created at the same time as the 75622830.exe file. Continuing to work backwards, the next file created on the system is named 612835656.dat, which occurred at 03:20:13PM (line 163831). The memory examination identified that the aaclientt.exe process had this file opened. 612835656.dat was examined on the system but the contents only showed a few characters.
The next few lines (163831 to 163828) show a few registry entries being modified. The HKLM\System\ControlSet001\Services\TapiSrvALG key was examined: the DisplayName value contained the data "Telephony TapiSrvALG" while the ImagePath value contained the data "C:\WINDOWS\system32\aaclientt.exe srv". This service looks very similar to the legitimate Telephony service, whose DisplayName value contains the data "Telephony". This registry key is the persistence mechanism for aaclientt.exe, which starts the program as a service. Line 163827 shows a prefetch file being created at 03:20:08PM for a program named _ex-68.exe. The analysis of the system did not locate a file by this name. Another prefetch file, for wpv901264679855.exe, was modified and last accessed at 03:19:59PM (line 163824). The last line I will discuss in this picture is the creation of aaclientt.exe's prefetch file at 03:19:57PM, which is shown on line 162822. At this point in the examination, aaclientt.exe's persistence mechanism was identified and there is evidence of various programs being executed on the system in addition to the aaclientt.exe and 75622830.exe programs.
The picture below is the next section of the timeline.
Lines 163821 to 163817 show evidence of more programs being executed on the system, but the wpv901264679855.exe prefetch file (line 163820) is the same one mentioned on line 163824. Think back to the time discrepancy involving aaclientt.exe which indicated the timestamps may have been modified. Line 163813 shows the MFT entry modification at 03:19:48PM for the file aaclientt.exe, and this was the real time the file was created on the system. The MFT entry modification time can still reveal files of interest even if the files' timestamps have been stomped on. At this point in the examination, additional programs that executed on the system have been identified and the aaclientt.exe program, which was identified in the memory image, was located.
The picture below is the continuation of the timeline.
Line 163811 shows the first unknown program, wpv901264679855.exe, was created on the system at 03:19:44PM. Wpv901264679855.exe's prefetch file was referenced on lines 163820 and 163824. This file was uploaded to Virus Total and the detection rate on 04/10/10 was 38 percent. Line 163808 shows the next unknown program, wpv791264677196.exe, was created on the system at 03:19:44PM. The examination of this file revealed it had the same hash as aaclientt.exe, which means wpv791264677196.exe and aaclientt.exe are the same file. Line 163807 shows another unknown program, wpv351269312857.exe, was also created on the system at 03:19:44PM. This file was uploaded to Virus Total and the detection rate on 04/10/10 was 25 percent. Line 163806 shows a log file was created on the system but the examination of this file determined the file's signature was invalid and the contents were only a few characters. Line 163804 shows aaclientt.exe was last accessed at 03:19:35 while line 163803 shows another unknown program, e.exe, executed on the system one second earlier (the examination did not find any files by this name on the system). Line 163802 shows the Administrator user account's Startup folder was modified at 03:19:34PM. The examination of the Startup folder identified a program named mgjwin32.exe. This file had a discrepancy between the SIA date creation time and the FNA date modification time. Similar to the aaclientt.exe program, mgjwin32.exe's timestamps were modified so the creation date appeared to be 08/04/04 08:00:00AM. The timestamp comparison showed the real creation date of the mgjwin32.exe file was 03:19:34PM. Lastly, this file had the same hash as the file ~TM4.tmp which is on line 163801. The file's extension indicates it is a temporary file but the file signature analysis determined the file is an executable. ~TM4.tmp was uploaded to Virus Total and the detection rate on 04/20/10 was 70 percent.
At this point in the examination, three of the unknown programs (wpv901264679855.exe, wpv791264677196.exe, and wpv351269312857.exe) that were executed on the system were located and confirmed as malicious. Also, wpv901264679855.exe and aaclientt.exe are the same file. Mgjwin32.exe was another program identified as malicious and this program's persistence mechanism is the Administrator user account's Startup folder. The ~TM4.tmp file is an executable and is the same file as mgjwin32.exe.
The picture below is the continuation of the timeline.
So far the examination has identified various pieces of malware on the system, but these files do not directly relate to the question of how the system became infected. At 03:19:32 there was an MFT entry modification for a PDF file, gla[1].pdf, located in the Administrator user account's Temporary Internet Files folder (line 163800). I used Didier Stevens' PDF tools to analyze this file, but for this post I am using a link to Virus Total since the website uses his tools. The gla[1].pdf Virus Total report showed the detection rate on 04/10/10 was 25 percent and that JavaScript is executed when the file is opened (refer to the picture below).
The gla[1].pdf file was uploaded to Wepawet to help determine if the file was malicious. The gla[1].pdf Wepawet report confirmed the file was malicious. The report identified the two vulnerabilities being targeted were CVE-2008-2992 and CVE-2009-0927, and the payload requested three websites involving hxxp://googlecounter.cn/web/load.php?id=. The next line, 163799, in the timeline shows the file gla[1].pdf was downloaded to the system from the hxxp://googlecounter.cn website. The image below shows the administrator account was used to access this website at 03:18:08 (line 163783).
I infected this test system back in April by visiting a malicious website using the Administrator user account. I obtained the website from the Contagio post "March's malware links". I knew ahead of time about the malicious PDF since it was indicated next to the URL, but I didn't know what the outcome was going to be when I visited the website. The examination of the Infected 2 system's volatile data and hard drive helped me understand what this outcome was.
Conclusion
The files located in memory were used as the starting point to examine the activity on the system. The examination worked backwards in time and the image below shows all of the evidence located during the examination. Not only does the image show all of the evidence identified but it also shows the activity after the 75622830.exe file was created on the system. (Note: 75622830.exe uses HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as its persistence mechanism)
The examination was able to trace the malware from memory to a malicious PDF (which exploited a vulnerability in Adobe Reader) to the website where the PDF came from. This answered to a certain extent how the system became infected. The total time from when the 75622830.exe program (the second piece of malware running in memory) executed to when the Administrator user account visited the malicious website was only 2 minutes and 28 seconds.
The examination of Infected 2 covered all of the initial examination steps except one which was the examination of the executable files of interest. The next blog post will examine the importance of this step and why it may be needed to fully answer the question of how the system became infected.
Labels: drive-by, malware, timeline, timestomping
Corey,
nice write-up. If you do upload files from a case though make sure to use multiple sandbox operators as the results may vary. The PDF file, e.g., leads to further results when analysed w/ jsunpack
Stefan,
I try to use two tools to help validate any findings but it didn't cross my mind to use the same approach with online scanners.
Thanks for the feedback and I will keep your tip in mind.
Corey
Nice post and nice blog. It seemed like a real security incident and its investigation. Hope to see posts on analysis of other types of infection in future.
Kalyan,
I am focusing on systems with malware for various reasons but the main one is because I find this scenario one of the easier ones to create multiple test systems. Eventually I want to be able to investigate an infection within a network (multiple computers, servers, and network logs) and be able to answer the same two questions. I will be posting about different types of infections including different sources of data in the future before I move on to a different scenario.
Thanks for the comment.