Forensic Blogs

An aggregator for digital forensics blogs

by

Analyzing A Malicious Document Cleaned By Anti-Virus

@futex90 shared a sample with me detected by many anti-virus programs on VirusTotal but, according to oledump.py, without VBA macros:

I’ve seen this once before: this is a malicious document that has been cleaned by an anti-virus program. The macros have been disabled by orphaning the streams containing macros, just like when a file is deleted from a filesystem, it’s the index that is deleted but not the content. FYI: olevba will find macros.

Using the raw option, it’s possible to extract the macros:

I was able to find back the original malicious document: f52ea8f238e57e49bfae304bd656ad98 (this sample was analyzed by Talos).

The anti-virus that cleaned this file, just changed 13 bytes in total to orphan the macro streams and change the storage names:

This can be clearly seen using oledir:

 


by

Enfuse 2017 Reflection – Emily Platz: Combating Fileless Malware

Introduction

It was bright and early – 8:00 AM – on the first day at Enfuse. I had just arrived at my first session, How to Combat Fileless Malware; I was a little nervous, but just as excited to be in Las Vegas to learn everything I could from professionals in my field of study. The audience was greeted by Lior Ben-Porat, a security researcher from a company called Hexadite. Over the next hour, Mr. Ben-Porat took us through exactly what fileless malware is, why it’s an increasing problem and how to combat it.

What is Fileless Malware?

Fileless malware, I learned, is essentially a system breach that doesn’t require any malicious files to reach the victim’s computer. Usually the attacker will use a convincing spam message or email that initiates a connection once a user accesses it. Once this connection is established, programs like Powershell are used to run commands that extract information without the user knowing. During the session we learned about Kovter, which is a (nearly) fileless malware that can maintain a connection for long periods of time through persistence. We even got to see Kovter in action through a live demonstration; it was eye-opening to see how much damage it can do without being noticed by the operating system.

fileless malware Enfuse

Mr. Ben-Porat also talked about why fileless malware is such a problem. Since it is not technically malware – due to the fact that it doesn’t rely on any kind of software to work – most antivirus programs cannot detect it. Another issue is that it can go unnoticed for such a long time. A user will most likely not know they have been attacked as the scripts sit in their registry and remain undetected by antivirus software.

How to Combat Fileless Malware

Finally, we come to the solution: how do we actually combat fileless malware? Mr. Ben-Porat was able to summarize the solution into three categories: Suspect, Incriminate, and Remediate. The first step, suspecting, is probably the most difficult: in essence, you are trying to locate malware that wasn’t ever downloaded in the first place. The best thing you can do is learn your machine. Know what’s good and what’s supposed to be there. Also look at processes and compare their normal properties: it’s a big red flag if there is more than one of the same process running at one time.

Incrimination can be done with thorough analysis of the machine. Look at antivirus signatures and maybe try sandbox analysis to try and detect the offender. Unfortunately, each memory instance that you examine may be different from the last: to solve this, you can use distance metrics or hashing to find identical instances.

Finally, remediation: since the malware is in memory, you can terminate processes that you believe are infected, but don’t forget to look in the registry or NTFS for persistence.

After the Session

I learned so much from this session and I’m glad to have the opportunity to share my experience in this blog. It really opened my eyes to what other invisible threats are out there that we know nothing about. Unfortunately, fileless malware doesn’t seem like something that is very preventable at the moment; however, the information gained will give me and hopefully others the ability to catch it as soon as possible.

I decided to do some research about Hexadite after the conference and found some really cool things: they’re currently using artificial intelligence to help respond to attacks so the employees have more time to research and develop better ways to mitigate threats. Using AI for antivirus capabilities is great because it might someday be able to respond to attacks instead of just identifying them after they happen. Hexadite has also joined forces with Microsoft to remediate attacks even faster and to minimize the time that attacks affect companies all over the world.

Conclusion

I had an amazing time at Enfuse. I learned a ton of information from people who use Cybersecurity and Digital Forensics every single day. I was able to talk to a lot of digital forensics professionals about their careers and how they got there. I was able to get hands-on with new software that Guidance is introducing soon as well as valuable EnCase skills which I hadn’t been able to practice in the past. I’m very grateful for Champlain College and Guidance Software for giving me the opportunity to attend the conference; it was an experience that I will never forget and hope to see again. I encourage you to get yourself involved with the Leahy Center for Digital Investigation at Champlain if you want to gain great work experience and  have the opportunity to attend Enfuse.

Like us on Facebook and follow us on Twitter for more information on Enfuse Conference.

The post Enfuse 2017 Reflection – Emily Platz: Combating Fileless Malware appeared first on The Leahy Center for Digital Investigation.

by

Enfuse 2017 Reflection – Megan Hallowell: Tracking Ransomware

Introduction

On average, about .08% of malware attacks remain undetected every day. Such a small percentage is extremely misleading when large companies like Cisco receive more than 1.1 million unique threats a day: that means 88,000 pieces of malware fly under the radar of industry standard antivirus and intrusion detection softwares. “How should we combat such a massive threat that has the ability to take down vast computer systems?”, asks Jessica Bair, Senior Manager of Advanced Threat Solutions at Cisco Security in her Enfuse presentation “Tracking Ransomware: Using Behavior to Identify New Threats.”

What is Ransomware?

Bair began her lecture by covering what ransomware is and how it has changed over its history. Ransomware is defined in her presentation as “a type of malicious software designed to block access to a computer system until a sum of money is paid”. Such attacks are carried out by encrypting the files and contents of a machine with asymmetric encryption, where a victim would need their attacker’s private security key to be able to decrypt their files and regain control of their device. To get the private key, the victim would need to pay a ransom – dependent on the number of encrypted devices and how much data they contained – which can range from 1 or 2 bitcoin to 23 bitcoin. Currently the exchange rate is $4,589 USD per bitcoin, making these demands just as crippling to a victim’s finances as they are to their frozen data.

History of Ransomware

Initial ransomware attacks were where near as advanced as the ones we see today. Early variants started appearing in 1989 with the PC Cyborg strand. This strand counted the number of times the computer booted and on the 90th time it would encrypt a disk and demand around $100 in ransom. The encryption method for PC Cyborg was symmetric encryption, meaning the key that is used to decrypt the data was the same one used to encrypt it. If the victim was able to crack the key, they would be able to get their files back without paying the ransom. A symmetric key also means that a key can be shared among infected users.

A more recent variant of ransomware is called a locker, composing of several strands like WinLock and Reveton. Originating sometime around 2012, these ransomware attacks are programmed to lock up a user’s desktop, making the entire computer inaccessible until the ransom is paid.

Modern Ransomware

Modern day ransomware has stepped up their sophistication and now use RSA-2048 and AES-256 algorithms to encrypt files. This encryption is virtually impossible to crack without obtaining the private key. This type of ransomware will either change your desktop background (Figure 1) to its ransom note or leave a text file with instructions in every folder that contains encrypted files. This type of ransomware tends to spread in phishing pdf email attachments and fake Google Docs. Clicking and downloading a suspicious attachment could cost hundred of dollars. Some .pdf, .docx, and .xlsx documents might require an extra step that has the user open the file and enable macros. A macro is a saved sequence of commands or keyboard strokes that can be stored and then recalled with a single command or keyboard stroke.

Locky ransom note

example of Locky ransom note

Figure 1: example of Locky ransom note

Identifying Ransomware with Threat Grid

After a brief overview of ransomware and its different variations, Bair introduced an online malware analysis sandbox called Threat Grid. A sandbox is a virtual environment that allows a user to deploy all types of malware and see its behavior without putting their workstations at risk. Threat Grid allows a user to upload a malware sample to the sandbox to observe its behavior (Figure 2) and record a list of identifiers (Figure 3). Bair’s presentation included a lab in which attendees used a demo version of Threat Grid to look at several pieces of ransomware. The lab was a great opportunity to analyze modern day ransomware like WannaCry and Locky.

Overall, Bair’s sessions was a great hands-on experience filled with very detailed and relevant information. It proved to be a great introduction to dynamic malware analysis using sandboxes. Bair demonstrated a great passion for teaching others and sharing her knowledge about this tool.

Deploying Malware on the Threat Grid sandbox.

A screenshot from a video of malware deploying on the sandbox

Figure 2:  A screenshot from a video of malware deploying on the sandbox

malware behavioral indicators

An example of behavioral indicators

Figure 3: An example of behavioral indicators

Want to know more about our trip to Enfuse 2016? Head to the LCDI blog! We also constantly communicate updates through our Twitter and Facebook, so be sure to Follow and give us a LIKE!

The post Enfuse 2017 Reflection – Megan Hallowell: Tracking Ransomware appeared first on The Leahy Center for Digital Investigation.