After gathering some information from systems around the world (literally) I started doing some memory analysis  information captured from one of the infected systems.  Memory analysis quickly identified one process that had used for DLL injection.  One of the exported functions of a DLL we had already flagged as “interesting” was exporting a function called “StartLoopRunDoor.”  Although this could just be anomalous it sounds an awful like “backdoor” so we noted it.   I moved onto generating timeline information from the systems files, folders, Event logs, and registry modifications and the security administrator helping me added “door” to his keywords and ran another search on the system.  As he was reviewing the hits I heard him say, “What the hell.  Hey come look at this.”  As I Peeked over his shoulder he pointed me to a registry key that had the value “door.”  I started to say, “Yeah, no big deal” when he asked me “Can you store executable files in the registry?”  Smiling, I said, “As a matter of fact, you can.”

It turns out that just days before heading to the site Harlan had mentioned it in his post “More Links“.  Basically Harlan points us to a write-up over at Sophos Labs titled “Persistence is Futile“.  They outline one such infection very nicely and Harlan concludes his post with some interesting capabilities that we might want to take into consideration.  Had I not read Harlan’s post I might not have been surprised by the malware hidden in the registry key values, but I would not have known where to go for immediate resources to help with the situation.

So, what am I really talking about.  Well, luckily I have a few screen shots for you.  First lets start with reviewing the Registry Key in question.  Using Mitek’s Registry File Viewer we drilled down into \\Software Hive\Microsoft\SysMgr.  The are several key values as you can see.  One key value that is hidden is “addr” which contains the IP address of the infected system and one other IP address (not sure the reason).

Now, many of you will be quick to recognize “4D 5A” which corresponds with “MZ” located at the beginning of Windows-based executable and DLL files.   For a better look, here is some of the information in the “ssdt” key value.

Definitely an executable or DLL.  Turns out, that this file was getting written to disk.  Funny thing is, Symantec and Microsoft were not detecting it at the time.  (I have to say, at the time they were detecting the file in the “hide” registry key value but only on disk.) So, we gave them a call.  First we started with the company’s Symantec contact.  We explained what we were doing and then what we had found.  His first words were “You can’t do that.”  We politely informed him that we were looking right at it and it can be done.  Next we pointed him to the SophosLab post so that he could do a little research and spin up on the concept.  Next we asked if they could start working on signature for the malicious code injected into memory and the malicious files stored in the registry.  His response “No and No.”

Let me break down why quickly.  Basically Symantec does not scan memory.  Oh it will look at memory.  It detects what is running and then scans the files, executables, DLLS, etc on disk to see if they contain code that triggers one of their signatures.  But beyond that they cannot detect malicious code that has been injected into memory.  NICE!!!  Next, although the engine (he said engine, not definitions) can look at certain “hard-coded” locations in the registry, it does not actively scan the whole registry looking for malicous behavior.  NICE!!!  Whether or not he new what he was talking about the answer we got at the end of the phone call was, “Send us your files and we’ll see if we can do anything.”  Which, in the end, they did.  But the situation as it occurred was not very promising.

TIP:  You can export the file in any key value by clicking “Save data….”  Hashes of the extracted file and malware found on the system were identical.

Next we called Microsoft.  We explained the situation again to their support representative and the first words out of his mouth were “You can’t do that.”  The rest of the conversation was very similar to the Symantec call.

Of course, while we are talking to these representative we were also looking at the other keys.  Remember “door”?  Well, a quick peek at its contents started to get us a little worried.  Here is what we saw.

Notice the “db” at the beginning?  What about the “yyy” (I know, deal with it!!) and “vk” values?  Well, my friends, that is a little database right there in the registry.  The first entry is the file that is located in the “ssdt” key value.  I cannot show you the other entries in this database because they are related to client information from the registry.  Stuff like account information, group policy settings, and software that was run on the system. Just little things like that.

So, not only do you have to be worried about the registry being used as a part of a malware’s persistence mechanism, you also have to be concerned about the registry being used as a staging area for your intellectual property, credit card information, user information, etc.  All this with limited methods to detect these situations.

The next question is pretty obvious.  If my anti-virus program cannot help me, what can I do to protect myself.  Well, as I am tired, that is going to have to wait until tomorrow.  Check back as I’ll have a registry detection script modeled after Harlan’s RegScan and three RegRipper timeline plugins.

Go forth and do good things,

Don C. Weber

To help with this I have taken a relatively new piece of malware and run it through the paces that Harlan describes.  I have to warn you, there are still things that are not completely understood about this malware.  But, in the end, that is the point.  Some time in the future I can just take the report I generated and update it with any new information.  Not unlike what is currently done by most AV vendors.  But  I hope that Harlan’s method helps incident responders understand these reports a little better.  I think it will also provide them with the means to speak more intelligently about malware and present the issues and reasons for recommendations in a more professional and consistent manner.

I also want you to pay attention to the different sections of the write-up.  In addition to Harlan’s basic characteristics I have included a Research Notes section.  Although some of this information is apparent from the previous sections, I have tried to tie together how specific things were discovered or explain specific actions.  Especially things that are not covered by the AV vendors.  I believe it is a good example of how information obtained by incident responders can add to the details associated with a malware outbreak within an environment.  Many times quick and focused research can discover key aspects about the actions taken by a piece of malware that are not necessarily apparent in the write-up by AV vendors.  These details could drive your response or help you focus on specifics instead of operating with generalities.

NOTE: This post is best viewed using Firefox and may not render properly in Internet Explorer since most of this post is cut and pasted from Microsoft Word. *shrug* I needed the nested bullets.

Trojan.RegSubsDat.A

INITIAL INFECTION VECTOR

• Unknown – possibly email (from AV report) – I cannot figure this out for some reason
• Possibly associated with Excel Vulnerability or vulnerabilities in other Office documents

PROPOGATION MECHANISM

• Unknown – possibly email (from AV report)

PERSISTENCE MECHANISM

• Current User Run Key for ctfmon.exe
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • ctfmon.exe = “%System%\ctfmon.exe”
  • NOTE: Use of this key appears to be behavior that is consistent with non-malicious activity associated with uncorrupted versions of this program.
• The malicious files ws2_32.dll and ctfmon.exe placed in the %SYSTEM%\dllcache directory to ensure that if they are deleted or modified the system will restore them automatically. This means that the sfcfiles.dll had to be updated to include the names of both files. This also means that the services had to be disable temporarily which could mean that the LastWrite time for the following key and value was updated. Unfortunately there are many key values associated with Winlogon and therefore the LastWrite time is modified regularly.
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • SFCDisable should equal 0 to indicate that WFP is enabled
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection]
    • SFCDisable should equal 0 to indicate that WFP is enabled

ARTIFACTS

• Creates
  • %System%\ctfmen.exe
  • %System%\noise0.dat
  • %System%\regs.dat
  • %System%\subs.dat
  • %System%\windcb.dat
  • %System%\windows.dll
  • %System%\bkav2006.exe
• Modifies
  • %System%\dllcache\ws2_32.dll
  • %System%\dllcache\ctfmon.exe
  • %System%\ws2_32.dll
  • %System%\ctfmon.exe
  • C:\boot.ini – disables DEP
    • The boot.ini is modified so that DEP is disabled. This is done by changing the /noexecute value to “alwaysoff” – see the DEP reference in the notes
• Mutexes created – these may be due to the malware or due to other processes or the subverted programs
  • oleacc-msaa-loaded
  • MSCTF.Shared.MUTEX.APG
  • 08B1CDBCH
  • mutexA
• DNS Queries and Web activity
  • v4.windowsaupdate.com
  • happytimer.free.info
• Network Traffic
  • Possibly Excel or other Office or Wordpad Documents that contain shellcode to connect to remote sites and download malware
  • Multiple IDS/IPS signatures should detect shellcode, writes to system32 directory,
• Other
  • During initial malware infection the following files have been detected. These files may be associated with a completely different malware but their occurrence precedes the activity associated with Trojan.RegSubsDat.A and should be noted.
    • % Windir %\SchedLog.Txt or %Windir%\Tasks\SchedLog.Txt
    • At1.job associated with running the program TMP.EXE
    • TMP.EXE – content or actions of executable unknown
    • del.bat – content or actions of executable unknown
    • sfcfiles.dll – modified to include the %System%\ws2_32.dll and %System%\ctfmon.exe
    • %Windir%\JavaApplet
    • %Windir%\h323log.txt

RESEARCH NOTES

From system analysis it appears that the infection starts out by a scheduled task being created on the system.  The Scheduled Task Log shows that a task titled At1.job (probably depends if there is already an At1.job) is suppose to run “TMP.EXE”.  After this is run the other files appear on the system.  I also detect the occurrence of the file “del.bat” in system restore files.  I have not been able to recover either “TMP.EXE” or “del.bat” from any infected systems.  After that the dllcache files appear, the “boot.ini” file is modified, the sfcfile.dll is modified to include the new files in the dllcache, and the Prefetch file for CTFMON.EXE is created or modified.  Later after that the bkav2006.exe file, the “.dat” files, and the JavaApplet folder appear (possibly after a reboot), see the ThreatExpert update.  All of this activity appears to be surrounded by System Restore points being created.  These restore points could be caused by system files being updated or by some other system activity.

RECOMMENDATIONS

• Apply Microsoft Patches MS09-009 and MS09-010
• Update all third party applications including Microsoft Office and Adobe PDF (added for good measure)
• Monitor DNS logs for queries pertaining to “windowsaupdate” and “happytimer”
• Block via DNS, web proxy, or web filtering “windowsaupdate.com” and “happytimer.com”
• Do not read emails or surf the web from servers or critical assets
• Update IDS/IPS solutions to detect shellcode, shellcode in Office products, system32 writes, UPX packer detection
• Use file integrity products or host-based IDS solutions to detect modifications to system files
• Update AV signatures

RESOURCES

• ThreatExpert Trojan.RegSubsDat Report – http://www.threatexpert.com/report.aspx?md5=0cafb41eca73d768091bc93f4343cbb9
• IBM X-Force: Microsoft Excel Remote Code Execution Vulnerability – https://portal.mss.iss.net/mss/xftas/alertAdvisory/details.mss?alertAdvisoryId=3311
• Trojan.Regsubdat.A – http://www.symantec.com/security_response/writeup.jsp?docid=2009-042215-2550-99&tabid=2
• W32.Regsubdat.A!inf – http://www.symantec.com/security_response/writeup.jsp?docid=2009-042222-3030-99&tabid=2
• Microsoft Security Bulletin MS09-009 – Critical – http://www.microsoft.com/technet/security/Bulletin/MS09-009.mspx
• CVE-2009-0100 – http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0100
• Microsoft Excel Malformed Object Memory Corruption Bug Lets Remote Users Execute Arbitrary Code – http://securitytracker.com/alerts/2009/Apr/1022039.html
• A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003 – http://support.microsoft.com/kb/875352
• Registry settings for Windows File Protection – http://support.microsoft.com/kb/q222473/
• Hacking Windows File Protection – http://www.bitsum.com/aboutwfp.asp

POSSIBLY RELATED

• Microsoft Security Bulletin MS09-010 – Critical – http://www.microsoft.com/technet/security/Bulletin/MS09-010.mspx
• Microsoft WordPad Text Converter Remote Code Execution Vulnerability – http://www.securityfocus.com/bid/32718/info
• Microsoft WordPad Word 97 Text Converter Memory Corruption Error Lets Remote Users Execute Arbitrary Code – http://securitytracker.com/alerts/2008/Dec/1021376.html

For those of you still reading I’ll provide you with what is currently being provided by Symantec and Microsoft for this malware.  I am going to leave the recommendations off of the Symantec write-up to save space.  One note I would like to make is that the Symantec write up talks about injecting code into specific dlls.  This is a perfect example of information that malware analysis will discover that an analysis of system artifacts may miss.  These write-ups are still necessary and helpful.

Symantec – Trojan.Regsubdat.A

Discovered: April 22, 2009

Updated: April 23, 2009 7:45:14 PM

Type: Trojan

Infection Length: 33,280 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

The Trojan may arrive as an email attachment.

Once executed, the Trojan creates the following files:

• %System%\ctfmen.exe
• %System%\noise0.dat
• %System%\regs.dat
• %System%\subs.dat
• %System%\windcb.dat
• %System%\windows.dll

It then modifies the following files:

• %System%\dllcache\ws2_32.dll
• %System%\dllcache\ctfmon.exe
• %System%\ws2_32.dll
• %System%\ctfmon.exe
• C:\boot.ini

The Trojan then disables the Data Execution Prevention (DEP).

Next, the Trojan injects executable code from the non-executable .dat files into the ctfmon.exe process and any other process that loads the following file:
%System%\ws2_32.dll

Once the compromised computer has restarted, the Trojan contacts the following remote location and may download additional files:
v4.windowsaupdate.com

Microsoft – Virus:Win32/Kirpich.A

Summary
This software threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

Go forth and do good things,

Don C. Weber

Now, printing directly to the default printer might be fun for some, but it is not what I had in mind.  So, I modified the batch script a little.

@echo off
date /t > %2
time /t >> %2
echo. >> %2
dir %1 /b /-p /o:gn >> %2
exit

This adds a file to the specified directory.  This file includes a date/time stamp (accurate to a minute) and a plan file listing that does not include any other information.  I find this helpful for quickly including things in notes and reports and I hope that it helps you as well.

Go forth and do good things,

Don C. Weber

I hope that some of you find this useful and that this centralizes a lot of the information necessary to understand the abilities inherent to the Windows operating system.  It is nothing ground breaking.  Just a few things that can be done if you do not have or are not allowed to obtain and use the number of very useful tools that are available online or through a vendor.

Go forth and do good things,

Don C. Weber

wmi, wmic, vbscript, Security Ripcord, incident response

1. Vulnerabilities in software and drivers put computers and users at risk. The mitigation for this is to patch the software and driver whenever there is an update and especially when there is a security update.

2. Most software do have automatic update features. They can poll on bootup or when the program starts. They can be configured to run at granular start times or stopped completely. Unfortunately, there is not really a standard where to place this information and there is no way to determine when other softwares are scheduled to update unless you specifically open that piece of software and record the scheduled update time.

3. Drivers are more difficult to keep up with than other software. Users do not usually directly interact with drivers and most do not have an automatic update scheduler to determine if an update is available. Although some OSes handle this for some drivers they do not do it for all.

4. The more confusing and time consuming a process the less likely end users are going to perform the task. Most systems are vulnerable because people do not know how to update or just don’t want to take the extra time necessary to go through and configure automatic updates or monitor specific drivers that do not include the service. And, if the automatic update affects their user experience they are going to find a way to turn that feature off.

Here is my solution: Microsoft needs to come up with a Central Update Console that software and driver developers can hook to configure automatic updates. They already provide this type of feature through the “Add/Remove Programs” console. Good developers utilize this to help users and administrators manage the software that is installed on their systems. How hard would it be to come up with a solution that other developers could hook to help with centralizing the management of updates and provide a significant positive impact on the overall security of every computer on the Interweb? Although the design, development, testing, implementation, and maintenance of this project would be challenging, I am willing to be that this would be a small project in the grand scheme of Microsoft OS development. They don’t need to take every software vendor into consideration, they just need to come up with one method all of them could use. Once a system is developed software developers can start modifying their products to hook the console. They wouldn’t need to take out their current auto-update mechanism, rather, they could leave it in place. This is how the “Add/Remove Programs” console works. Software developers have not removed the mechanism to uninstall from their software, rather, they have placed hooks in the “Add/Remove Programs” console that calls their uninstall and repair mechanism. Users and admins who prefer a particular method are all satisfied.

Finally, it is not like this is not done other places. Linux in particular, and to a smaller context Apple, has been doing this for a while. Most distros have a packaging system the allows developers to centralize the patch management and automatic updates. End users and admins only have to worry about watching for updates to software that they have installed outside that packaging system. Very nice, very ease, very secure.

So, how about it Microsoft? Don’t you think that this would benefit everybody? It certainly could not hurt.

Go forth and do good things,
Cutaway

Microsoft, Apple, updates, patches, automatic updates, patch management, Security Ripcord

• Aleethia Foundation
• Project Valor-IT

Please let me know what you think by posting your comments here.  Even though I had some help from Martin McKeay, Dan Kuykendall, and Michael Santarcangelo I still have plenty of learning to do.   

Drinking Game Alert:

• One shot every time I say, "So…."
• Don't play if you are driving.

Yes, I am aware of this fault in my speaking habits and I will be working on it.  I decided to try and speak from notes rather than having the whole episode scripted.  So…hopefully it is not too annoying.

Show Notes:

• Windows Genuine Software Validation Tool 
• Microsoft PowerToys for Windows XP
• Microsoft's sordid spyware SNAFU
• NirSoft
• Magical Jelly Bean Keyfinder
• 
• 
• Belarc Advisor
• 
• 
• Marines' Hymn
• Aleethia Foundation
• Blackfive
• Project Valor-IT

Blackfive, Computerworld, iTunes, security, Nirsoft, BeLarc Advisor, Security Ripcord, Magical Jelly Bean Keyfinder, Windows Genuine Software Validation Tool

LET THE RACES BEGIN!! It is only a matter of time until we see this with the capability to also install Linux. Of course the guys over at CyberSpeak Podcast have recently pointed out (I think it was the March 25th edition) that the Holy Grail is to be able to switch seamlessly between the systems without needing to reboot to the other operating system. Now, I will definitely by stock in the company that comes out with that feature.

This definitely has great implications for the security professional. Although vitual systems are reliable and very handy, vulnerabilites are going to be serious issues in the future. In the same episode (if I remember correctly) the guys at CyberSpeak mentioned that there is malware out there that avoids deploying itself in virtual environments. How long before they leverage this for exploits and viruses on the child and parent systems. Besides, although the software version of VMWare’s Server Beta edition is free (as in registration), not everybody can afford a system that can handle multiple virtual operating system running at the same time in a smooth fashion.

Now I just need to get a Mac. Can somebody talk to my wife about it?
Cutaway

Edit: More detailed information can be found at Hack in the Box.

“Where is this coming from?” you ask. Well, this past week I had an interview for an Security Manager position and one of the system administrators asked the question, “So, how are you going to treat my linux server if you are hired to this position?” I told him that I didn’t have a problem with one operating system over another. I explained that any job can be done by any operating system and that a good security administrator will have to be ready to evaluate any system to determine how it is affecting the security of the environment. A pretty good answer in my mind but it seems that the statement “any job can be done by any operating system” raised a few hairs and ruffled a few tail feathers.

Look, in my heart of hearts I am a Linux man. However, I working in a Solaris and IRIX mixed environment that is moving to a Solaris and SUSE mix and periodically a Windows system will rear its ugly head. Do I mind? No. I am happy to secure or provided suggestions when securing any operating system. Has this hurt me a little in the fact that I am not completely conversant in any one operating system. Maybe, but I am ready for all encounters and I will overcome either with the knowledge in my head or a little bit of SANS Reading Room and/or Google.
Please get over it,

Cutaway

As a side note: I ran across a good tutorial on how to use Dia.