Anatomy of a Drive-by Part 1
Thursday, September 30, 2010
This post is about a brief examination I recently performed on an infected system. I received permission from the person I assisted to write this post because I thought the content could be helpful to others. The post is broken up into two parts and will contain the majority of the steps and research I conducted.
A couple of Sundays ago I was working on a draft of the first post for my next series, which will discuss the overall forensic investigation process, when I received a text from a friend asking for help. Basically, a security program was blocking him from starting any program, and when his computer was idle porn websites would appear. This security program just seemed to appear out of nowhere. I recommended he power off his computer, since he was probably infected with a fake antivirus Trojan, and said I would take a look at the computer over the following weekend. That is the system under examination.
Background Information
My friend only asked for help cleaning his system, but I also wanted to determine the root cause of the infection. That information could help keep my friend and his family from being re-infected, because they could take steps to protect their computer in the future.
Here is the background information about this request for assistance. My friend noticed the rogue security software on the evening of Sunday, September 12. When I asked him what he had been doing on the computer around that time, he mentioned he was surfing the web, including checking his email and going to Facebook. The system was powered off on Sunday 09/12/2010 between 08:00PM and 09:00PM.
During the following week I noticed my friend wasn't the only person infected with rogue security software that weekend. On 09/15/2010 I was speaking with two co-workers who each knew of someone infected on that Sunday as well. In addition, a 09/13/2010 post on the McAfee Avert Labs blog stated that over the previous few days there had been an increase in customer submissions of a variant named FakeAlert-SpyPro.gen.ai. There is no way for me to know whether these events were related, but I thought it was quite a coincidence.
I acquired an image of my friend's system and loaded it into EnCase v6.17. All of the files were hashed and a file signature analysis was run against them. I then created a timeline of the system with log2timeline on the SIFT v2 workstation. Because it looked like the infection came from the Internet, I selected the following sources for the timeline: file system, prefetch files, recent files, the UserAssist key (for three user accounts), index.dat files (for three user accounts), event logs, and the registry hives (Software, System, and the Ntuser.dat files). In the first timeline I overlooked the index.dat file in the PrivacIE folder of one user's profile. The entries in that index.dat come from third-party content providers embedded in websites the user visited, so it is worth including whenever a drive-by is suspected. I noticed the omission because I also parse the Internet artifacts with another tool by pointing it at the entire user profile folder, which gives quick access to the Internet usage information; the PrivacIE URL entries were missing from the timeline, so I generated another timeline with this index.dat included.
The examination will start by locating the rogue security software then the activity on the system will be reviewed with the focus on the time when the Trojan appeared on the system in order to determine where it came from.
Examination of the Auto-start Locations
I was only provided with the hard drive from the system, so I had no volatile data that could have shown which program my friend saw running. Rogue security software exists to convince a person to part with their hard-earned money, and to do that it has to run shortly after the person gets on the computer, either when the computer starts up or when the user logs on. The first examination step was therefore to review the system's auto-start locations for a lead on where the investigation should begin. The Sysinternals Autoruns utility was run against the hard drive (using its offline-system analysis rather than booting the image) so the automatically starting programs could be reviewed.
I reviewed all of the tabs in the autoruns utility but I only found suspicious programs under the Logon tab. The first suspicious program is shown in the image below.
This program caught my attention for two reasons. The first being the path to the executable because the program is located in the user’s local settings folder. The second reason was due to the naming convention used; the program’s name was hcdrsjbuqiw while the parent folder’s name was bfuqvjmoj. The same two reasons drew my attention to the next suspicious program which is shown below.
There were about four other programs on the Logon tab I marked for closer inspection since I was unsure about them. One of these files was named egugehudafu.dll and is shown below.
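The two signals that flagged these entries, an image path under the user's profile and a name that looks machine-generated, can be turned into a quick scoring pass over an exported Logon tab. The script below is an added example written for this post, not the author's tooling: the paths are constructed from the file names in the post (the profile name, which the post redacts, is replaced with the placeholder `user`, and the ctfmon.exe and Reader_sl.exe entries are stand-ins for ordinary legitimate autoruns), and the vowel-ratio and consonant-run thresholds are arbitrary heuristics, not signatures. Note what it does and does not catch: the two SpyPro entries score as suspicious, while egugehudafu.dll only lands in the review pile because its name happens to be vowel-heavy, which is exactly why following up on the "unsure" entries mattered.

```python
import re
from pathlib import PureWindowsPath

VOWELS = "aeiouy"
PROFILE_DATA_DIRS = {"application data", "local settings"}

# Constructed Logon-tab image paths. The first three file names are from the post
# (profile name replaced with the placeholder 'user'); ctfmon.exe and Reader_sl.exe
# are stand-ins for the ordinary entries an XP-era Logon tab contains.
SAMPLE_LOGON_ENTRIES = [
    r"C:\Documents and Settings\user\Local Settings\Application Data\bfuqvjmoj\hcdrsjbuqiw.exe",
    r"C:\Documents and Settings\user\Application Data\oexrvilnf\hdwhvqmuqiw.exe",
    r"C:\WINDOWS\egugehudafu.dll",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe",
]


def looks_random(name: str) -> bool:
    """Crude machine-generated-name test: too few vowels, or a long consonant run.
    Thresholds are arbitrary. Vowel-heavy output such as egugehudafu passes."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(run) for run in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def score_entry(image_path: str):
    """Return (score, tier, reasons) for one autorun image path."""
    p = PureWindowsPath(image_path)
    parts = {part.lower() for part in p.parts}
    score, reasons = 0, []
    if parts & PROFILE_DATA_DIRS:
        score += 2
        reasons.append("runs from a user-writable profile directory")
    if p.parent.name.lower() == "windows":
        score += 1
        reasons.append("loose file directly in the Windows directory")
    if looks_random(p.stem):
        score += 1
        reasons.append(f"random-looking file name '{p.stem}'")
    if looks_random(p.parent.name):
        score += 1
        reasons.append(f"random-looking parent folder '{p.parent.name}'")
    tier = "suspicious" if score >= 3 else ("review" if score else "clear")
    return score, tier, reasons


def triage(image_paths):
    """Map each path to its (score, tier, reasons), highest score first."""
    scored = {path: score_entry(path) for path in image_paths}
    return dict(sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True))


if __name__ == "__main__":
    for path, (score, tier, reasons) in triage(SAMPLE_LOGON_ENTRIES).items():
        print(f"{tier:10} {score}  {path}")
        for reason in reasons:
            print(f"{'':13}- {reason}")
```

The path weight is deliberately heavier than the name weight: plenty of legitimate system binaries (ctfmon.exe here) have names that fail a vowel test, but very few legitimate programs register themselves to run from Application Data under a user's profile.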
Examination of the Files of Interest
The auto-start review provided a few leads about the rogue security software on the system: two suspicious files and about four other unknown files. These files were examined on the forensic image to determine whether they were malicious and, if so, to review their metadata for additional information.
VirusTotal (VT) was used to help determine whether a file was malicious. I first tried to identify each file by searching VT for its hash; only if the hash wasn't present, and only after confirming the file was an executable, did I upload the file itself. Uploading a sample shares it with every vendor and researcher behind VT, so I treated it as a last resort, but as you will see I would have missed one piece of malware by relying solely on the hash. The following was discovered about the identified files:
hcdrsjbuqiw.exe
* File path: \Documents and Settings\******\Local Settings\Application Data\bfuqvjmoj\hcdrsjbuqiw.exe
* VT result: malicious and hash search identified the file as SpyPro
* MD5 hash: ce5806f3f3a2afa8efe0272440ae6b2d
* Creation date: 09/12/10 06:39:04PM
* Last written date: 09/12/10 06:38:51PM
* MFT last modification date: 09/12/10 06:59:06PM
hdwhvqmuqiw.exe
* File path: \Documents and Settings\*****\Application Data\oexrvilnf\hdwhvqmuqiw.exe
* VT result: malicious and hash search identified the file as SpyPro
* MD5 hash: ce5806f3f3a2afa8efe0272440ae6b2d
* Creation date: 09/12/10 06:38:58PM
* Last written date: 09/12/10 06:38:42PM
* MFT last modification date: 09/12/10 07:02:52PM
egugehudafu.dll
* File path: \WINDOWS\egugehudafu.dll
* VT result: the hash 30fd84f3c0e0dc7666658dc52c216a2a wasn't in the VT database, but the MFT entry modification timestamp was close to the other files' creation times. I had to confirm whether the file was malicious, so it was uploaded to VT, where it was confirmed as malicious and identified as Hiloti.
* MD5 hash: 30fd84f3c0e0dc7666658dc52c216a2a
* Creation date: 08/16/05 06:18:42AM (note: the creation and last written timestamps appear to have been backdated; both are years older than the MFT entry modification time below, which is the timestamp that lines up with the other files)
* Last written date: 04/13/08 08:12:08PM
* MFT last modification date: 09/12/10 06:40:40PM
The other unknown files identified in the auto-start review were examined but were not identified as malicious. At this point I had already located two distinct pieces of malware: SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) in two locations and Hiloti (MD5 30fd84f3c0e0dc7666658dc52c216a2a) in the Windows directory. McAfee's detection name for the SpyPro sample in the VT report was FakeAlert-SpyPro.gen.ai, the same name mentioned in the blog post I referenced earlier. Furthermore, McAfee's description write-up for FakeAlert-SpyPro.gen.ai showed a discovery date of 09/12/2010.
As I was browsing the folders containing the above programs, another folder and four executables caught my attention. The folder had the same name, oexrvilnf, as the one already found under Application Data, and the executables were out of place because they sat in the root of the user's Local Settings\Application Data folder, as can be seen below.
All of the files were reviewed and the following was discovered:
176572328.exe
* File path: \Documents and Settings\*****\Local Settings\Application Data\176572328.exe
* VT result: malicious and hash search identified the file as Hiloti
* MD5 hash: 5170e6923859a70ede3b2685ccd5ba04
* Creation date: 09/12/10 06:38:42PM
* Last written date: 09/12/10 06:38:42PM
* MFT last modification date: 09/12/10 06:39:04PM
176572329.exe
* File path: \Documents and Settings\*****\Local Settings\Application Data\176572329.exe
* VT result: malicious and hash search identified the file as SpyPro
* MD5 hash: ce5806f3f3a2afa8efe0272440ae6b2d
* Creation date: 09/12/10 06:38:42PM
* Last written date: 09/12/10 06:38:42PM
* MFT last modification date: 09/12/10 06:38:42PM
176581812.exe
* File path: \Documents and Settings\*****\Local Settings\Application Data\176581812.exe
* VT result: malicious and hash search identified the file as Hiloti
* MD5 hash: 5170e6923859a70ede3b2685ccd5ba04
* Creation date: 09/12/10 06:38:51PM
* Last written date: 09/12/10 06:38:51PM
* MFT last modification date: 09/12/10 06:38:51PM
176581813.exe
* File path: \Documents and Settings\*****\Local Settings\Application Data\176581813.exe
* VT result: malicious and hash search identified the file as SpyPro
* MD5 hash: ce5806f3f3a2afa8efe0272440ae6b2d
* Creation date: 09/12/10 06:38:51PM
* Last written date: 09/12/10 06:38:51PM
* MFT last modification date: 09/12/10 06:38:51PM
hdwhvqmuqiw.exe
* File path: \Documents and Settings\*****\Local Settings\Application Data\oexrvilnf\hdwhvqmuqiw.exe
* VT result: malicious and hash search identified the file as SpyPro
* MD5 hash: ce5806f3f3a2afa8efe0272440ae6b2d
* Creation date: 09/12/10 06:38:58PM
* Last written date: 09/12/10 06:38:42PM
* MFT last modification date: 09/12/10 06:38:42PM
Needless to say, at this point in the examination it was confirmed that the system was heavily infected. I was able to identify the rogue security software (SpyPro) my friend saw running on his computer and a few programs lurking beneath the surface. There were five copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d), two copies of Hiloti (MD5 5170e6923859a70ede3b2685ccd5ba04), and one copy of Hiloti (MD5 30fd84f3c0e0dc7666658dc52c216a2a). The earliest any malware appeared on the system was 09/12/10 06:38:42PM and the latest was 09/12/10 06:40:40PM, which means all of this activity occurred within a two-minute window.
The first part of this examination confirmed my friend's computer was infected, but the question of what happened on the system for the malware to appear is still unanswered. Did my friend use one of the distribution channels McAfee suggests, such as peer-to-peer networks, email, or newsgroups? I admit I ruined the suspense with a few hints in this post, but finding the answer is still an interesting journey.
Stay tuned for the second part of this post, when the examination will try to answer the question of how the malware ended up on the system.
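As an added example (the editor's, not the author's analysis), the script below loads the eight records listed above into a small data model and computes the same things the summary states by hand: the per-hash inventory, the arrival window, and the one file whose creation and last written times are years older than its MFT entry change. It also adds an inference the post does not make: on NTFS a file copy receives a fresh creation time but keeps the source's last written time, so a record whose creation time is later than its last written time was copied from somewhere, and a same-hash file whose timestamps line up is the likely source. Run against the listed records, that pairs each persistent SpyPro copy with one of the numbered files in the root of Local Settings\Application Data. Treat this as consistent-with rather than proof: the conclusive timestomping check compares $STANDARD_INFORMATION against the $FILE_NAME timestamps, which the post does not list, the 30-day gap threshold is arbitrary, and the redacted profile name is again replaced with the placeholder `user`.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileRecord:
    path: str
    md5: str
    family: str              # VirusTotal/McAfee family name as given in the post
    created: datetime        # $STANDARD_INFORMATION creation time
    written: datetime        # last written (content modification) time
    mft_modified: datetime   # MFT entry last modification time


def ts(text: str) -> datetime:
    """Parse timestamps in the post's own MM/DD/YY HH:MM:SS AM/PM notation."""
    return datetime.strptime(text, "%m/%d/%y %I:%M:%S%p")


SPYPRO = "ce5806f3f3a2afa8efe0272440ae6b2d"
HILOTI_EXE = "5170e6923859a70ede3b2685ccd5ba04"
HILOTI_DLL = "30fd84f3c0e0dc7666658dc52c216a2a"
PROFILE = r"\Documents and Settings\user"   # profile name is redacted in the post; 'user' is a placeholder
LOCAL = PROFILE + r"\Local Settings\Application Data"

# The eight records from the post, transcribed as listed (family, hash, three timestamps).
RECORDS = [
    FileRecord(LOCAL + r"\bfuqvjmoj\hcdrsjbuqiw.exe", SPYPRO, "SpyPro",
               ts("09/12/10 06:39:04PM"), ts("09/12/10 06:38:51PM"), ts("09/12/10 06:59:06PM")),
    FileRecord(PROFILE + r"\Application Data\oexrvilnf\hdwhvqmuqiw.exe", SPYPRO, "SpyPro",
               ts("09/12/10 06:38:58PM"), ts("09/12/10 06:38:42PM"), ts("09/12/10 07:02:52PM")),
    FileRecord(r"\WINDOWS\egugehudafu.dll", HILOTI_DLL, "Hiloti",
               ts("08/16/05 06:18:42AM"), ts("04/13/08 08:12:08PM"), ts("09/12/10 06:40:40PM")),
    FileRecord(LOCAL + r"\176572328.exe", HILOTI_EXE, "Hiloti",
               ts("09/12/10 06:38:42PM"), ts("09/12/10 06:38:42PM"), ts("09/12/10 06:39:04PM")),
    FileRecord(LOCAL + r"\176572329.exe", SPYPRO, "SpyPro",
               ts("09/12/10 06:38:42PM"), ts("09/12/10 06:38:42PM"), ts("09/12/10 06:38:42PM")),
    FileRecord(LOCAL + r"\176581812.exe", HILOTI_EXE, "Hiloti",
               ts("09/12/10 06:38:51PM"), ts("09/12/10 06:38:51PM"), ts("09/12/10 06:38:51PM")),
    FileRecord(LOCAL + r"\176581813.exe", SPYPRO, "SpyPro",
               ts("09/12/10 06:38:51PM"), ts("09/12/10 06:38:51PM"), ts("09/12/10 06:38:51PM")),
    FileRecord(LOCAL + r"\oexrvilnf\hdwhvqmuqiw.exe", SPYPRO, "SpyPro",
               ts("09/12/10 06:38:58PM"), ts("09/12/10 06:38:42PM"), ts("09/12/10 06:38:42PM")),
]

TIMESTOMP_GAP = timedelta(days=30)   # arbitrary threshold chosen for this example


def suspected_timestomp(rec: FileRecord) -> bool:
    """Both $SI creation and last-written predate the MFT entry change by more than
    the threshold. SetFileTime() cannot set the MFT-modified field, so a dropper
    that backdates the other two leaves exactly this gap. Heuristic only: the
    conclusive check compares $STANDARD_INFORMATION against $FILE_NAME."""
    return rec.mft_modified - max(rec.created, rec.written) > TIMESTOMP_GAP


def arrival_time(rec: FileRecord) -> datetime:
    """Best estimate of when the file landed on this volume."""
    return rec.mft_modified if suspected_timestomp(rec) else rec.created


def infection_window(records):
    arrivals = [arrival_time(r) for r in records]
    return min(arrivals), max(arrivals)


def malware_inventory(records):
    """md5 -> (family, number of on-disk copies)."""
    family = {r.md5: r.family for r in records}
    return {h: (family[h], n) for h, n in Counter(r.md5 for r in records).items()}


def copied_from(rec: FileRecord, records):
    """A copy gets a new creation time but keeps the source's last-written time, so
    created > written marks a copy. The source is the same-hash file that shares the
    last-written time and was created earlier (None if there is no candidate)."""
    if rec.created <= rec.written:
        return None
    for other in records:
        if (other is not rec and other.md5 == rec.md5
                and other.written == rec.written and other.created < rec.created):
            return other
    return None


if __name__ == "__main__":
    for h, (fam, n) in malware_inventory(RECORDS).items():
        print(f"{fam:7} {h}  copies={n}")
    start, end = infection_window(RECORDS)
    print(f"arrival window {start:%H:%M:%S} - {end:%H:%M:%S} ({end - start})")
    for r in RECORDS:
        flags = ["timestomped?"] if suspected_timestomp(r) else []
        src = copied_from(r, RECORDS)
        if src is not None:
            flags.append("copied from " + src.path.split("\\")[-1])
        print(f"{arrival_time(r):%H:%M:%S}  {r.path}  {' '.join(flags)}")
```

The numbered files are the only ones whose three timestamps are identical, which is what a freshly written file looks like, while every file under a randomly named folder has a creation time later than its content time. That pattern (stage, then copy into place and register for autostart) is worth remembering when the staged files have already been deleted and only the persistent copies remain.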
Labels: drive-by, examination steps, malware, malware analysis