Bios Password


Saturday, July 16, 2011

IT Saturation Point

Posted on 5:54 PM by Unknown

So the other night I had gotten off late from work and being quite tired and looking forward to unwinding in front of some DVR’ed PBS material, took Alvis on an only-because-it-was-convenient-and-we-were-exhausted McD’s carryout run.

Back at the house, after probably consuming enough calories and sodium to take care of a Roman legion, I was ridding the kitchen of the evidence, and a super-styro cup was next to the sink.

“Hey Alvis, you done with this drink?”

Alvis, hovering nearby (my late-night/early-morning project schedule had kept me from seeing her for the past two days), all the while working her mobile phone in a continuing SMS discussion with one of her BFFs, responded (very airily):

“No, you can delete it.”

I looked at Alvis with bemusement and she looked shocked at what she had said.

“OK…so you want me to move it to the recycle bin or wipe it?”

We both grinned.

Yep…IT saturated indeed.

--Claus V.

Posted in family

Monday, July 4, 2011

For/Sec Linkfest: Revolutionary Edition

Posted on 1:20 PM by Unknown


cc attrib: The US Army on flickr, DoD photo by Air Force Tech. Sgt. Jacob N. Bailey

This season’s July 4th finds Lavie and I quietly resting at home watching “classic” revolutionary period movies on TCM. Alvis has flown the coop to a week-long church-youth camp. Firework sales and use have been banned by all the area counties and municipalities due to the record-busting Texas drought and heat.  We will probably have to make do with watching celebratory events in HDTV-mode again tonight.

The weekend has been pretty light on tech-support calls. Dad wanted to give his father-in-law’s old cobbled-together “antique” PC system a refresh, so I picked out a nice basic-home-user-grade Dell Inspiron 570 model that will be way sufficient for his pretty-much email-only PC needs.  Dad and little-bro set it up yesterday and did most of the pre-installation setup and file-transfer.  I’ll do some remote-support work this afternoon to lock it down, recover some account passwords and such off the old system, and get them going on the new one.   And then yesterday I stripped down the keyboard off Lavie’s laptop.  Seems a week or so ago, Lavie fell asleep with both a small tumbler of sweet tea and her laptop on her chest.  A very small portion of the tea ended up in the keyboard. Oops. (very) Fortunately the keyboard tray caught all of the spillage. (un) Fortunately, it was sweet (sugared) tea, so let’s just say the keys were less than responsive with spring-back action.  That restoration job took about three hours. Disassembly and cleaning was pretty straightforward. However, getting the scissor-action two-piece key travel parts re-mounted was very delicate work, as I didn’t want to break any of them. It took me about twenty minutes to get the mating and mounting technique down before my pace picked up.  All is well now and Lavie is clickity-clicking again happily.

Offered here today is a forensic and security slanted linkfest.  This folder has been very, very full for a very long time.  What survives below are the best of the best as the blogging room floor is littered with editing cuts and discarded linkage that didn’t age well.

In the Reading Room

(IN)SECURE Magazine is a great source of security and network issues. I keep several of these PDF files on both my laptop and Kindle for go-to reading when things are slow. (IN)SECURE Magazine issue 29 and (IN)SECURE Magazine issue 30 are the most current. However, pop onto the Archive page to look for past issues that may have some gems.  For example, this early ISSUE 4 (PDF link) has a great article “Structured Traffic Analysis” on pg 6 written by network sec guru Richard Bejtlich. While the article could probably be updated with the newer network analysis tools made available since Oct 2005, the framework Richard lays out still works very well.

InfoSec Resources has lots of great articles to read and study. Check out their article archives for a really wide range of for-sec articles and whitepapers.

CERT Societe Generale - IRM (Incident Response Methodologies) has some good incident handling guides to review or keep filed within reach.

Dashboard | SANS Internet Storm Center - Security “dashboards” look cool and can communicate valuable information. I’ve got several I keep an eye on from time to time.  SANS has recently updated theirs.

Girl, Unallocated - Newly added forensics blog to my RSS feed list.  Fresh perspectives are always welcome at GSD!

VRT: A Close Look at Rogue Antivirus Programs - Post by Alain Zidouemba that contains PDF of the slides presented on his talk "A Close Look at Rogue Antivirus Programs" given at Hack in Paris conference.  I’ve lately been paying closer attention to articles on malware (particularly rogue-securityware) vectors.

Security Aegis has some great posts Real OSINT and OSINT, because knowing is half the battle on “open-source intelligence” work.  This is good stuff as when you are doing network traffic analysis, being able to attempt to track down and understand the names/handles seen in the traffic may provide additional clues in your incident response analysis.

The posts over at Malware Intelligence don’t come fast enough for me, but when they do, they are golden. In JAVA Drive-by [infection] On Demand they actually got their hands on a “drive-by” generator and picked it apart. Neat.

Network Traffic: News and Reports

Lots and lots of goodies here!

The folks at Packet Life have posted some good material recently: Proving the Network is Not the Problem With iperf and Long-Term Traffic Capture With Wireshark offer great tips and techniques for you network jockeys.

Out of comments from those posts came a jump to the NetStress Network Benchmarking Tool and NetSurveyor Network Discovery Tool -- both of which are offered for free by Performance WiFi.

LoveMyTool blog has the following juicy fruits: Microsoft Network Monitor 3.4: Search the Description Column (by Joke Snelders) and A Deeper Look into Your Network - Cool Tool (by Vivek Rajagopalan)

That second one points us to Trisul Network Metering and Forensics tool.  If you just need “near-time” network traffic reporting and analysis, then the Free rolling 3 day window version looks hard to beat.

TinyApps.Org Blog : Setup a virtual network lab brings to our attention the free Marionnet.org project for networking practice and study.  It is a very cool project.

The Case of the Great Router Robbery over at InfoSec Resources poses some deep thoughts about the importance of physically securing your routers.  It’s not just because many of them are outright high-dollar items to begin with, but the configuration data on them is golden for pen-attack reconnaissance and enablement. It closes with some good thoughts about securing your device if it is stolen and what you should do if loss does occur.

Network Mystery #1 (by Betty DuBois) at LoveMyTool has both a recorded presentation as well as a slide-show PDF from Sharkfest 2011. It is approx. 1:26 long so it isn’t a fast view.  That said, Betty offers some great guided material for you network tracers.

" ... In this session, Detective Betty DuBois will review one of the elusive network cases she has solved using Wireshark and Pilot. There will be plenty of forensics evidence provided, and lots of practical information to help you solve your own network mysteries. This session will be a deep dive into the "Case of the Slow Network". Betty will walk the attendees through how the data was captured (tshark & AirPcap), the methods used to isolate the problem (SMTP relay infection), and which users were infected ... "

Network Traffic: Tools and Techniques

Solution to the Nitroba case - Erik Hjelmvik (Network Miner) on the NETRESC blog posts some great network forensics tips specific to the “Nitroba Case” exercise. I was fortunate enough to read the first-post version before some elements were modified. Regardless it is a great example of how NetworkMiner can be used to analyze and dissect network traces in investigatory work.

Tools for modeling the user-traffic - superlist of network traffic analysis tools over at comlab.uni-rostock.de.  Bookmarkable.

RawCap sniffer for Windows released - NETRESEC Blog. I’m sure I’ve posted this here. Erik released a CLI tool for raw-socket network captures. It’s a slim single-exe file and is pretty cool. No installation required. Definitely worth keeping on a USB stick.  I like that I could download it to a local (remote) system and run a targeted trace of that system’s network traffic without needing to install a larger app like Wireshark. Likewise, as Erik suggests in the post, one could “…use the Sysinternals tool PsExec to inject RawCap.exe onto the [remote system] and sniff the packets.”

Split or filter your PCAP files with SplitCap - NETRESEC Blog. Not a new tool, but an update to v1.6. This CLI tool can slice-n-dice very large PCAP files into smaller sets based on IP addresses or sessions. Sure, you can do filtering work in Wireshark and NetMon as well, but this is a very fast tool and makes bulk PCAP file splitting/filtering very easy.
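As an added illustration of what “splitting a PCAP by session” actually means (this is example code written for this post, not SplitCap’s or NETRESEC’s code), the following small Python script walks a classic little-endian pcap file, keys each Ethernet/IPv4 TCP or UDP packet by its bidirectional 5-tuple, and writes one pcap per session. The two-session capture it runs on is constructed inline (addresses, ports and payloads are made up); anything that is not IPv4 TCP/UDP lands in an “other” bucket rather than being dropped silently.

```python
"""Split a pcap into one file per bidirectional TCP/UDP session.
Added example, not SplitCap's code: handles Ethernet/IPv4 only and uses a
constructed two-session capture (all addresses/ports below are made up)."""
import os
import socket
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes):
    """Yield (record_header, packet_bytes) for every record in a pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported or byte-swapped pcap magic: %#x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        start, end = off + 16, off + 16 + incl_len
        if end > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        yield data[off:start], data[start:end]
        off = end


def session_key(pkt: bytes):
    """Direction-independent (proto, endpoint, endpoint) key, or None if not IPv4 TCP/UDP."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    ihl = (pkt[14] & 0x0F) * 4                          # IPv4 header length in bytes
    proto = pkt[14 + 9]
    src = socket.inet_ntoa(pkt[14 + 12:14 + 16])
    dst = socket.inet_ntoa(pkt[14 + 16:14 + 20])
    l4 = 14 + ihl
    if proto not in (6, 17) or len(pkt) < l4 + 4:       # need TCP/UDP port fields
        return None
    sport, dport = struct.unpack_from("!HH", pkt, l4)
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))  # both directions match


def split_by_session(data: bytes) -> "OrderedDict":
    """Return {session_key: pcap_bytes}; unclassified packets go under key 'other'."""
    header = data[:24]                                  # reuse the original global header
    groups = OrderedDict()
    for rec_hdr, pkt in parse_pcap(data):
        key = session_key(pkt) or "other"
        groups.setdefault(key, [header]).append(rec_hdr + pkt)
    return OrderedDict((k, b"".join(v)) for k, v in groups.items())


def write_sessions(data: bytes, outdir: str) -> list:
    """Write <outdir>/session_<n>.pcap per session and return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for n, (_key, blob) in enumerate(split_by_session(data).items(), 1):
        path = os.path.join(outdir, "session_%d.pcap" % n)
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


# --- constructed sample capture (not real traffic) ---------------------------
def make_ipv4_packet(src, dst, sport, dport, proto=6, payload=b""):
    """Ethernet + minimal IPv4 (checksum left 0) + 4-byte port header + payload."""
    l4 = struct.pack("!HH", sport, dport) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def pcap_record(pkt: bytes, ts: int = 1) -> bytes:
    return struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt


SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    + pcap_record(make_ipv4_packet("10.0.0.5", "93.184.216.34", 49152, 80, payload=b"GET / HTTP/1.0\r\n"))
    + pcap_record(make_ipv4_packet("10.0.0.5", "10.0.0.1", 5353, 53, proto=17, payload=b"dns"))
    + pcap_record(make_ipv4_packet("93.184.216.34", "10.0.0.5", 80, 49152, payload=b"HTTP/1.0 200 OK"))
)

if __name__ == "__main__":
    for key, blob in split_by_session(SAMPLE_PCAP).items():
        print(key, len(list(parse_pcap(blob))), "packet(s)")
```

The sorted endpoint pair is what makes the reply from port 80 land in the same file as the request, which is the behaviour you want when handing an analyst one session at a time.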

York::Log all network traffic - The SZ Development.  Interesting network sniffing/logging tool.  Certainly not for Wireshark/NetMon pros; however the GUI and basic logging/websession monitoring features might make it more user-friendly for folks getting their feet wet.

NMTopProtocols Expert Released - Network Monitor Blog

Using Wireshark's editcap to Remove Duplicate Packets (by Tony Fortunato) - LoveMyTool guided post.

Bittwiste: pcap Capture File Editor (by Joke Snelders) - LoveMyTool - review and thoughts on how to use the Bit-Twist program for packet manipulation.

So Many Tools…So Little Time!

Windows Incident Response: Using RegRipper - WindowsIR blog. Harlan provides us an updated guide on how to effectively use his amazing RegRipper tool. See also the New Plugins from Harlan.

Kissin-Kousin of RegRipper is Woanware’s RegExtract.  I believe they complement each other nicely. Keeping up with the active updates to RegExtract can be challenging. Focusing on the most recent may cause you to overlook other features that have previously snuck in! See these: RegExtract v1.1.3, RegExtract v1.1.4, RegExtract v1.1.5, RegExtract v1.1.6, and the latest, RegExtract v1.1.7.

Also recently updated in the Woanware factory:

  • ChromeForensics v1.0.4
  • USBDeviceForensics v1.0.6
  • PrefetchForensics v1.0.4

Dropbox Reader - by CyberMarshal. CLI tool collection for investigating DropBox cloud-storage software indicators.

DumpStrings.1sc - Didier Stevens shares a script that dumps ASCII and UNICODE strings found in a file. To be used with 010 Editor.

P2 Shuttle Free - Paraben Corporation - Free multi-tool to remotely mount disks, do live-system process reconnoitering, memory capture, machine searching, active file browsing of email, chat and IE history, and open a disk without mounting. This version does have some limitations, so understand them before relying on it too much.

P2 eXplorer Free - Paraben Corporation - Free utility to mount forensic disk images of many different formats.

Meanwhile the folks at Mandiant have been busy making material as well:

  • MANDIANT Intelligent Response 2.0. See this MIR 2.0 Released post for more info. (not free)
  • MANDIANT Redline - (free) - “Redline is a free utility from MANDIANT that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis. Designed to help find even the best-hidden malware, it analyzes and rates every running process on a system according to risk, combining Memoryze's live memory analysis with MRI (Malware Risk Index) scoring. Redline makes memory forensics accessible to any investigator without relying upon easily-defeated signature-based detection.”
  • Highlighter v1.1.2 Released

In both posts Windows Incident Response: Tools and Meetup, Tools and other stuff  - Harlan offers a great listing of for-sec tools.  I especially liked the discussion of “Jump Lists”.

Complementing that discussion is the new woanware tool JumpLister v1.0.0.  “JumpLister is designed to open one or more Jump List files, parse the Compound File structure, then parse the link file streams that are contained within. It uses the LNK parser I wrote so stuff like object ID’s and MAC addresses are handled.” Sweet!

The H Security announced that Microsoft releases Security Essentials 2.1.  Despite the fact that the recent system infections I had to clean were able to overwhelm (previous versions of) Microsoft Security Essentials, I still have lots of confidence in the product for home users. In these cases, outdated Java/Flash versions left the barn door open and MSSE couldn’t keep up with the attack. Anyway, a new version has been quietly released.  It’s actually been out for about a week but Windows Updates and/or MSSE internal updating didn’t pick it up. However, if you want it now (recommended), download the new version directly from the product page and run it. It will do an in-place upgrade with no fuss. For more info or download locations:

  • Microsoft Security Essentials 2.1.1116.0 released, Download Now - Windows Valley has the (slim) info on what this update brings.
  • Virus, Spyware & Malware Protection - Microsoft Security Essentials main product page.
  • Download Security Essentials 2.1.1116 - FileHippo.com (alt download link)
  • Download and install Offline Updates for Microsoft Security Essentials - Windows Valley has a great tip and linkage on how to “off-line update” the DAT files for MSSE. I figured this could be done but never took the time to hunt down the source locations. Here you go!

How-To’s and Info of Note

Create a Bootable DBAN USB Pen Drive - TrishTech - Vendor dude has a contract to secure (DoD) wipe our out-of-service system HDDs before they are returned to the lessor. Most of the time he is running a bank of bases and tossing in a Darik's Boot And Nuke (DBAN) CD and wiping away. Periodically, however, he would run into a system with a bad CD-ROM drive and would have to strip out the HDD and put it into another system to then run his CD.  I asked him why he didn’t just make a boot-USB version of DBAN. Brilliant, wasn’t it….  Here you go.

Security Braindump: Virtualizing Raw Disk Images - Because you know one day you will need to…

Windows Security Center: Under the Hood - Didier Stevens. Wish I had this post from Didier when I had composed this GSD post: How to Repair Windows Security Center List Items.

Tim Mugherini presents NTFS MFT Timelines and Malware Analysis - posted by John Strand at PaulDotCom.

Internet Explorer 9 Security Part 4: Protecting Consumers from Malicious Mixed Content - IEBlog.

For-Sec Live CD News

The world of “Live CD’s” is alive and healthy.

Security Onion 20110628 now available - I’ve only recently become acquainted with the tools and features of Security Onion distro. Very nice and has some great includes from Doug Burks.

PALADIN Download - Sumuri - Version 1.0 was released back in April ’11.

DEFT Linux 6.1 Computer Forensics live cd was also released back in April ’11. See this new “draft” DEFT English manual if you are not already familiar with this distro.

BackTrack Linux 5.0 - Penetration Testing Distribution was released in May ’11.  It’s a whopper, so unless you’ve got a big pipe, you may need to start the download when you put the cat out for the night.

As previously mentioned here on GSD, Brett Shavers the WinFE guy has been hard at work evangelizing on the WinFE distro.

  • Sharing the love with WinFE - WinFE Blog
  • How easy (or difficult) is it to build a WinFE with WinBuilder? - WinFE Blog

Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 - 4sysops

Whew!

Now this post is out of the way, I can turn attention back to an Xplico follow-up along with a collection of linkage that came out of a conversation with TinyApps on write-block hardware that has been gathering dust for quite a while.

Happy 4th!

--Claus V.

Posted in anti-virus software, boot-cd's, command-line interface, forensics, Link Fest, Linux, malware tools, Microsoft, networking, NFAT, security, software, tutorials, utilities, viruses, Win FE, Xplico

Sunday, June 26, 2011

Anti-Malware Tools of Note

Posted on 9:28 PM by Unknown

As promised, here is a resource-dump of some anti-virus/anti-malware tools I either use or came across in my recently documented battles that I thought would be helpful for reference.

As with many things in life, having the right tool for the particular job at hand can save much time and aggravation.   Hopefully most of these will already be well known to the GSD faithful readers. But I also hope that maybe one or two of these may be new finds as well to go into your toolbox.

Obviously this isn’t a complete list.  However they nicely supplement those I’ve already recommended. Check the side-bar to the left for many more that have been previously shared here.

While I do sometimes favor a direct frontal attack against malware while the system is running “live”, I typically find it much more productive to first whack-away at the infected system “off-line” having booted the system first in a WinPE environment.  I prefer to use my own custom Sexy USB Boots tools on a write-protected USB stick.  There are lots of flavors of WinPE including WinFE and WinRE and each bring their own benefits/drawbacks to the fight.

One important lesson I’ve learned is that the more scratch-space you can spare on your WinPE build, the better your apps will run in the WinPE operating environment.  Check out this WinPE and DISM/PEimg to boost Scratch Space (Ram Disk) post to option things out.  If you want to carry the option to boot from several different “boot.wim” files with different scratch-space settings, or maybe WinPE, WinRE, and WinFE boot options all on the same stick check out this WinPE Multi-boot a Bootable USB Storage device post for some thoughts.

Of course there are lots of different options for building your WinPE as well.  You can go “old-school” and use the Microsoft WAIK, there is WinBuilder, or you can check out TinyApps’ cool find to build a WinPE without any of those extra bits.  AgniPulse sets out a great tool and method in his Beginners Guide to Creating Custom Windows PE.

My own preferred first-strike team is to boot the system with WinPE, then toss the free tool VIPRE Rescue at the system.  There are two things that I think really make this anti-malware tool exceptional.  First, it is easy to use and very thorough. But secondly, it creates some incredible logs and quarantines the files.  Both the logs and quarantined files help me understand what was going on with the infection and possibly what vector it used.  That might help me secure the fixed system and submit the files for additional analysis.

Once the system is running “live” again, I also like to toss Malwarebytes Anti-Malware Free at the system.  It is a pretty aggressive anti-malware scanner with lots of options.

I also like SurfRight’s Hitman Pro 3 and have found it seems to do an exceptional job addressing issues that are missed by many other tools I have used. The plus is that you can use their product to get unlimited free scanning + 30 day removal.

Norton Power Eraser is a very powerful tool to root out deeply embedded malware from a system. Read their page carefully first.  I’ve had good experience with it myself.

I also keep handy and request a third-scan opinion from the still fairly new Microsoft Safety Scanner.  Being a “standalone” tool of sorts, it can be run in the WinPE environment or on the “live” system.  The trick in WinPE is to make sure your WinPE build has a large scratch-space value.  Check out this 4sysops post Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 for more details.

I do understand that for some folks, the thought of making a custom-spun WinPE boot tool could be quite intimidating.  With that in mind, you will want to keep a copy of the Microsoft Standalone System Sweeper Beta handy.  Of course you will need an uninfected “host” system to create the tool. Download the “builder” utility in either x32 or x64 flavor depending on your hardware and choose a blank CD, DVD, or USB drive with at least 250 MB of space. Execute the tool and build-away.

Of course, you may want to do more with this plain-Jane WinPE build than it lets you.  And you can, if you know the tricks our dear TinyApps bloggist posts in his Extending Microsoft Standalone System Sweeper tips.

Maybe all you want is just to download and burn an ISO file to CD and use it to try to disinfect a system without all those extra bells-and-whistles that I love so much in WinPE.

Well, many reputable security product vendors offer their own tools as well in that same line.

Calendar of Updates has a page that is kept pretty up to date, Free Anti-Virus Rescue boot CDs, including direct links to the Avira Rescue CD & BitDefender Rescue CD.

F-Secure keeps their own Rescue CD resource updated. They also offer some fantastic tools: Easy Clean, Online Scanner, and the Blacklight rootkit tool.

Likewise, Kaspersky has their own Rescue Disk 10 tool as well as an Online Scanner, an incredibly extensive toolbox of free virus-fighting utilities to address specialized malware threats, and tools to remove banners from the desktop and unlock Windows.  Kaspersky also offers valuable documentation on common malware information, viruses and solutions, as well as Rogue security software response guidance.

Dr.Web CureIt!! is another LiveCD solution worth knowing.  See also their Sysadmin First aid kit page for some additional resources.

Not “free” for everyone but a good LiveCD resource for Norton product users, check out the Norton Bootable Recovery Tool.  As explained on the page, “You will need your product key or PIN in order to use the Norton Bootable Recovery Tool.”

Likewise, if you are a Sophos customer, they offer their customers the Sophos Bootable Anti-Virus tool. They do offer some Free Tools as well, including some specialized tools, Free Security Scan tools and their Sophos Anti-Rootkit tool.

Need more? Check out this GSD USB based AV/AM Tools post for many more options.

I have an extensive collection of highly-specialized sysadmin tools at my disposal. However the following tools are always the ones I keep coming back to over and over again. All free.

  • Process Explorer from SysInternals
  • Autoruns for Windows from SysInternals
  • RegASSASSIN from MalwareBytes
  • FileASSASSIN from MalwareBytes

As malware (and particularly scareware/rogue-security “products”) gets more and more sophisticated, it seems even more highly-specialized tools are needed to fight and restore the damage done by them.

Broken EXE Association is a how-to, with REG files, for fixing issues launching applications after an infection.

The Updated Combofix (5-23-11) is a highly specialized tool offered by the fine folks at bleepingcomputer.com forums.  It is not recommended to run on your own without guidance from their community unless you are already an advanced/professional Windows system specialist. Seriously.  Read their ComboFix usage, Questions, Help? page well and carefully before embarking on its usage.

See also their RKill utility. From that page:

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then import a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.

And for any Mac users/caretakers who are still reading this post, they also have a BleepingComputer Mac Rogue Remover Tool. Check out that page for more info.

This Google redirect virus forum thread has a lot of great tips and steps to follow in addressing malware in general.

As I last posted, I feel remiss to not re-mention this guide Remove Windows Recovery (Uninstall Guide) over at BleepingComputer.com for a good review and walkthrough of a semi-automated recovery process.

Included in there are two noteworthy tools: RKill (Download Link) and Unhide.exe (Download Link). RKill is a rogue-process killer of sorts and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. See this Bleeping Computer Downloads: RKill page for more information as well as this one, Question on 'unhide.exe', for more background information on them both.

You can also take the manual restoration approach offered by “colsearle”:

Try navigating to the following path: (make sure you have the hidden files and folders visible)
C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp
Inside the smtmp folder you will see three folders named 1, 2, 4
1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts
Simply copy the shortcuts back to the original path.
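Because the copy-back step above is tedious by hand (and easy to get wrong when the relocated tree is several folders deep), here is an added Python script of my own, not colsearle’s or BleepingComputer’s code, that does the same thing in a dry-run-first way. The folder numbers 1, 2 and 4 and their meanings come straight from the post; the Vista/7 destination paths in `windows_destinations()` are my assumption (the post shows the XP-era `Documents and Settings` layout), which is why the destinations are passed in as a dictionary and can be pointed anywhere. It copies rather than moves, so the `smtmp` folder stays intact as evidence, and it never overwrites a file that already exists at the destination unless told to.

```python
"""Restore shortcuts that the "Windows Recovery" rogue relocated into
...\\Temp\\smtmp, following the 1 / 2 / 4 folder layout described in the post.
Added example (not the forum post's or any tool's code).  The destination
paths in windows_destinations() are assumptions for Vista/7 systems."""
import os
import shutil
from pathlib import Path

# smtmp subfolder -> logical destination, exactly as the post lays it out.
SMTMP_FOLDERS = {
    "1": "start_menu_programs",   # Start Menu Program shortcuts
    "2": "quick_launch",          # Current User Quick Launch shortcuts
    "4": "all_users_desktop",     # All Users Desktop folders and shortcuts
}


def windows_destinations() -> dict:
    """Assumed Vista/7 locations (XP used Documents and Settings paths instead)."""
    appdata = os.environ.get("APPDATA", r"C:\Users\user\AppData\Roaming")
    public = os.environ.get("PUBLIC", r"C:\Users\Public")
    return {
        "start_menu_programs": os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs"),
        "quick_launch": os.path.join(appdata, r"Microsoft\Internet Explorer\Quick Launch"),
        "all_users_desktop": os.path.join(public, "Desktop"),
    }


def plan_restore(smtmp: Path, destinations: dict) -> list:
    """Return (source, target) pairs for every file under smtmp/{1,2,4}, keeping subfolders."""
    plan = []
    for folder, key in SMTMP_FOLDERS.items():
        src_root = Path(smtmp) / folder
        if not src_root.is_dir():
            continue                      # not every infection leaves all three folders
        dest_root = Path(destinations[key])
        for src in sorted(src_root.rglob("*")):
            if src.is_file():
                plan.append((src, dest_root / src.relative_to(src_root)))
    return plan


def restore(smtmp, destinations: dict, dry_run: bool = True, overwrite: bool = False):
    """Copy the planned files back.  Returns (copied, skipped) target paths.

    dry_run=True only reports what would happen; existing targets are skipped
    unless overwrite=True.  Sources are copied, not moved, so smtmp survives."""
    copied, skipped = [], []
    for src, dst in plan_restore(Path(smtmp), destinations):
        if dst.exists() and not overwrite:
            skipped.append(dst)
            continue
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)        # copy2 keeps the shortcut's timestamps
        copied.append(dst)
    return copied, skipped


if __name__ == "__main__":
    import sys
    # Default assumes the Vista/7 temp location; pass the smtmp path explicitly on XP.
    src = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(r"%LOCALAPPDATA%\Temp\smtmp")
    for s, t in plan_restore(Path(src), windows_destinations()):
        print("%s -> %s" % (s, t))        # dry-run listing only; call restore(dry_run=False) to act
```

Run it once with no arguments to see the plan, compare it against what the rogue actually hid, and only then call `restore(..., dry_run=False)`. Because the source tree is left alone, you can still hand `smtmp` to whoever is doing the post-mortem.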

I also found this guide over at SmartestComputing written by “Broni”, How to restore files hidden/deleted by Windows Recovery virus, to be very helpful and full of specialized remediation tools and links:

  • Windows 7: Restore Default Shortcuts in Start Menu All Programs
  • Vista: Restore Default Shortcuts in Start Menu Programs
  • Restore the Administrative Tools folder with vista_ultimate_admintools.zip
  • Restore Accessories Program Files Menu with accrestore.zip for XP
  • Restore Admin Tools Program Files Menu with admintools.zip for XP
  • App Paths - SourceForge

Although most of what I see nowadays for my home/family/friends systems is Windows 7 and Vista, more than a few still have XP systems. One trick still in my bag from days ago: when a system has been cleaned of an internet-browsing redirector infection and the internet doesn’t work anymore, in many cases the network sockets need to be “reset” by running a tool like LSP-Fix or WinSock XP Fix 1.2 (via MajorGeeks mirror site).  This should only be run on XP systems.

Coming full-circle again in this post, some of these tools and techniques require working on a live running system and others can be done “off-line” using a LiveCD/WinPE/otherOS approach.

If you do go with an “off-line” boot method such as WinPE from a bootable USB flash drive or HDD, you want to be very careful to avoid potential cross-infection in your response/rescue efforts. Yes, a bootable CD/DVD does offer greater protection, but at the same time it can severely reduce the number of options or other tools you can bring to bear on assessing and cleansing the system.

If you have a LOT of bootable ISO files (as I do for specialized situations), then I seriously recommend the awesome iodd device for sysadmins and incident responders, as well as for you semi-pro malware busters.  It allows you to carry many, many, many different bootable ISO files on a portable HDD and pick between them on the fly for off-line system booting.  Couple that with a physical write-block switch and the ability to partition the hard disk drive you cram into it, and you can carry many portable apps on there as well to access if you are booting in, say, a WinPE environment.

If that seems like way too much (and it never could be) firepower, then at least consider a USB flash drive with a write-block switch.  My personal preference is the Kanguru Flashblu II (NewEgg product link).  It is a great value for a reasonably sized USB drive with a write-block switch.  Sony also offers write-block switches on some of their USB flash drives (Alvis has one in fact) but they are getting harder and harder to find.

If you don’t have the option or resources to pick up either one, but do have a bootable USB flash drive that you have already loaded up with all your scanners, tools, and other response files, consider this simple and free tool usbdummyprotect. The trick to using it is to download the tool and unzip, then copy it directly onto your USB drive.  There, run it.  It creates a “dummy” file to fill up all the remaining free-space on your flash-drive.  In theory, this should prevent malware from copying any files to your drive.  When you want your free-space back, just delete the clearly identified dummy file.
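To show what that “fill the free space” trick amounts to (and where it stops helping), here is an added Python script of my own, not usbdummyprotect’s code, that writes a single, clearly named dummy file until the volume is full, then lets you delete it again. The file name, the 1 MiB reserve left free for filesystem bookkeeping, and the `max_bytes` cap (handy when you just want to test the logic on a big drive) are my assumptions.

```python
"""Fill a volume's free space with one clearly named dummy file and release it
again, the technique the post describes for usbdummyprotect.  Added example,
not that tool's code; DUMMY_NAME, the reserve and max_bytes are assumptions."""
import os
import shutil
from pathlib import Path

DUMMY_NAME = "DUMMY_FREE_SPACE_FILLER.delete_me"   # obvious name so it is never mistaken for evidence
CHUNK = 1024 * 1024                                # 1 MiB write size


def fill_free_space(mount: str, reserve: int = CHUNK, max_bytes=None) -> int:
    """Write zeros to <mount>/DUMMY_NAME until free space minus `reserve` is used.

    Returns the number of bytes actually written.  max_bytes caps the write so
    the function can be exercised on a large volume without filling it."""
    target = Path(mount) / DUMMY_NAME
    if target.exists():
        raise FileExistsError("%s already present; release it first" % target)
    free = shutil.disk_usage(mount).free
    to_write = max(free - reserve, 0)
    if max_bytes is not None:
        to_write = min(to_write, max_bytes)
    written = 0
    with open(target, "wb") as fh:
        try:
            while written < to_write:
                n = min(CHUNK, to_write - written)
                fh.write(b"\0" * n)
                written += n
        except OSError:
            # Filesystem metadata overhead can make the volume fill before our
            # own estimate says so; keep whatever fit rather than failing.
            pass
        fh.flush()
        os.fsync(fh.fileno())             # make sure the allocation really hit the device
    return written


def release_free_space(mount: str) -> bool:
    """Delete the dummy file; returns True if one was removed."""
    target = Path(mount) / DUMMY_NAME
    if target.exists():
        target.unlink()
        return True
    return False


if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else "."
    print("wrote %d bytes to %s" % (fill_free_space(mount), Path(mount) / DUMMY_NAME))
```

Keep in mind what this does and does not buy you: a full volume stops opportunistic “copy myself to every removable drive” behaviour, but anything that can delete or truncate files on the stick gets its space back, and nothing here stops existing files on the drive from being modified. A hardware write-block switch, as discussed next, is the stronger control.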

Not quite the same thing, but noteworthy is Document Solutions free DSi USB Write-Blocker. You need to download and install this on your own clean-system first. Then run the tool BEFORE connecting a USB flash device.  Basically it keeps your own running system from writing TO the USB device once you plug the device onto your PC.  This should preserve time/date stamps and other file modifications.  It doesn’t necessarily protect your host system from anything bad on the device itself if you choose to either run anything directly or copy off the device and run locally. So understand how it works first then use it when the situation calls.

Finally, in some cases, the malware might have actually damaged or modified the Windows bootloader itself. If this is the case and any of the specialized tools already mentioned didn’t work to restore the Windows boot loader, then you may need to do it yourself.

See this GSD post Partition and Disk Management: Part II – Free and Useful Tools for a rich roundup of resources.

For a really nice and trusted freeware GUI tool check out EasyBCD 2.1 from NeoSmart Technologies.

I also recently discovered MBRWizard, which is not a free product (but it is offered dirt-cheap) and has a great GUI as well.  However, for you value-expecting fans not afraid of a little command-line ninja work, they do offer a CLI Freeware version! Check out the Command line reference page for more information.

Effectively responding to a malware/rogue-ware infection is never an easy task. It takes careful assessment, planning, research, tool/utility/scanner gathering, off-line booting in many cases, and lots and lots of tedious, patience-requiring work.  It takes time, experience, and for the non-technical, lots and lots of help from a devoted community.

Obviously, this post can’t even really begin to scratch the surface of the tools and techniques out there. However, I hope it is a good starting point or comes to be a return-to resource source to collect valuable materials as you go forth and battle.

Cheers.

--Claus V.

Posted in anti-virus software, boot-cd's, command-line interface, malware tools, security, software, troubleshooting, utilities, viruses, Vista, Win FE, Win PE, Win RE, Windows 7, XP

Saturday, June 25, 2011

Skirmish 2: A Rogue Security Software battle

Posted on 2:33 PM by Unknown

Fresh off of having wrestled my friend’s system back from the clutches of a rogue-security product, a few weeks later Dad called in a panic with his Windows Vista system in cardiac arrest.

He had booted his system only to find all their documents, emails, and family photos missing.

On top of that, they had a “security scanner” warning them their system was “infected” in many critical locations and only their product could remove the mess and possibly restore their files.

Oh bother. Not again.

I knew that with this kind of mess, attempting to clean the system remotely would be counter-productive.

Dad offered to drive down and pass the base-unit off to me.

Looks like the workbench was going to stay dust-free.

Basically, I followed the same steps previously outlined in the GSD post Skirmish 1: A Rogue Security Software battle.

However I had to tread just a bit more carefully in the assessment process.

Dad’s system did support direct USB flash-based booting.  So I could use one of my custom WinPE USB boot sticks for just a bit faster off-line booting performance.

I quickly determined (much to his relief) that all the user profiles, documents, emails, and photos were in fact present and accounted for.

Turns out this bad-nasty had done some additional mojo which “hid” all the Start menu program files, as well as the user desktop (folder) environment.

The full list of infected baddies found:

  • Trojan:WinNT/Alureon.S
  • Exploit:Java/CVE-2009-3867.IJ
  • Exploit:Java/CVE-2008-5353.SN
  • Trojan:Java/Mugademel.A
  • TrojanDownloader:Java/OpenConnection.EM
  • Exploit:Java/CVE-2008-5353.QV

Again, another drive-by browsing infection caused by an outdated Java version. Nice…

Because I had first carefully assessed Dad’s system, I elected to NOT run CCleaner or any other temp-file cleanup tools. This ended up being a very good thing.

This particular infection had relocated all those critical system/program files and settings into a temp folder.  Had I run the cleanup blindly, I would have ended up nuking all the original files and had to manually rebuild the entire Start/Program list, as well as the desktop items.

The public face of this infection ended up being a variant of “Windows Recovery” malware/rogue-security scareware.

This guide Remove Windows Recovery (Uninstall Guide) over at BleepingComputer.com has a good review and walkthrough of a semi-automated recovery process.

Included in there are two noteworthy tools: RKill (Download Link) and Unhide.exe (Download Link). RKill is a rogue-process killer of sorts, and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. See this Bleeping Computer Downloads: RKill page for more information, as well as this one, Question on 'unhide.exe', for more background on them both.

I preferred to take the manual restoration approach offered by “colsearle”:

Try navigating to the following path: (make sure you have the hidden files and folders visible)
C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp
Inside the smtmp folder you will see three folders named 1, 2, 4
1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts
Simply copy the shortcuts back to the original path.
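As an added example (not from the original post or from colsearle’s reply), here is a PowerShell script that automates that copy-back. It follows the folder numbering in the reply, reads the reply’s “Quick Start” as the Internet Explorer Quick Launch bar, and assumes the XP/Vista destination folders shown in the comments; it never overwrites an existing file, and -Preview only reports what it would copy.

```powershell
# Added example, not from the original post or colsearle's reply: copy the
# shortcuts that the "Windows Recovery" scareware stashed in %TEMP%\smtmp back
# to where they belong, using the folder numbering from the quoted reply.
# Destination folders are my assumptions for XP/Vista. Nothing is overwritten.
param(
    [string]$SmtmpRoot = (Join-Path $env:TEMP 'smtmp'),  # XP: ...\Local Settings\Temp\smtmp
    [switch]$Preview                                      # report only, copy nothing
)

# All Users Desktop lives under %PUBLIC% on Vista and under %ALLUSERSPROFILE% on XP.
if ($env:PUBLIC) { $allUsersDesktop = Join-Path $env:PUBLIC 'Desktop' }
else             { $allUsersDesktop = Join-Path $env:ALLUSERSPROFILE 'Desktop' }

# Folder number -> destination, per the reply: 1 = Start Menu Programs,
# 2 = Quick Launch (read here as the reply's "Quick Start"), 4 = All Users Desktop.
$map = @{
    '1' = [Environment]::GetFolderPath('Programs')
    '2' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    '4' = $allUsersDesktop
}

if (-not (Test-Path -LiteralPath $SmtmpRoot)) {
    Write-Host "No smtmp folder at $SmtmpRoot - nothing to restore."
    return
}

$copied = 0
$skipped = 0
foreach ($num in ($map.Keys | Sort-Object)) {
    $src = Join-Path $SmtmpRoot $num
    $dst = $map[$num]
    if (-not (Test-Path -LiteralPath $src)) { continue }
    Write-Host "smtmp\$num -> $dst"

    # Walk every file under the numbered folder and rebuild its relative path
    # under the destination, so nested Start Menu folders land in the right place.
    foreach ($file in (Get-ChildItem -LiteralPath $src -Recurse | Where-Object { -not $_.PSIsContainer })) {
        $rel    = $file.FullName.Substring($src.Length).TrimStart('\')
        $target = Join-Path $dst $rel
        if (Test-Path -LiteralPath $target) { $skipped++; continue }   # never clobber a live shortcut
        if ($Preview) { Write-Host "  would copy $rel"; $copied++; continue }
        $parent = Split-Path -Parent $target
        if (-not (Test-Path -LiteralPath $parent)) {
            New-Item -ItemType Directory -Path $parent | Out-Null
        }
        Copy-Item -LiteralPath $file.FullName -Destination $target
        $copied++
    }
}
Write-Host "Copied: $copied   Skipped (already present): $skipped"
```

Run it from the affected user’s own account, since %TEMP% and %APPDATA% are per-user, and do a -Preview pass first to confirm the folder mapping before anything is copied.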

I also found this guide over at SmartestComputing, written by “Broni”, very helpful and full of specialized remediation tools and links: How to restore files hidden/deleted by Windows Recovery virus.

  • Windows 7: Restore Default Shortcuts in Start Menu All Programs
  • Vista: Restore Default Shortcuts in Start Menu Programs
  • Restore the Administrative Tools folder with vista_ultimate_admintools.zip
  • Restore Accessories Program Files Menu with accrestore.zip for XP
  • Restore Admin Tools Program Files Menu with admintools.zip for XP
  • App Paths - SourceForge

Once all was running/cleaned as expected, I had to re-arm the Windows Firewall (disabled), re-arm the automatic updates (disabled), and re-arm the anti-virus application (realtime protection disabled).

Again, all Browser Plugin Updates were applied. I updated all the web-browsers, Quicktime, Adobe Reader, etc.  Removed some toolbars, stuff like that.

Dad returned a week later and after a super-yummy lunch at a local authentic tex-mex dive, the system got handed back and once reconnected at its home, Dad found it to be perfectly restored.

Now if we could just push him onto Windows 7….

--Claus V.

Posted in anti-virus software, browsers, malware tools, security, software, troubleshooting, tutorials, utilities, viruses, Vista, Win PE | No comments

Skirmish 1: A Rogue Security Software battle

Posted on 1:24 PM by Unknown

Note: while some may find this a helpful guide, it is not a “cure-all” malware cleaning process. Every infection is somewhat different.  What I hope to offer is a process I have used to successfully clean a specific infection from a home-user’s system. Your mileage may vary.

More than many weeks ago, my video-desk buddy at the church asked me for advice about what virus-cleaning product I recommended.

In my experience that means two things: someone actually has a compromised system, and any singular answer I provide will be inadequate to solve their problem if attempted. So I probed further so I could provide a better (more detailed) answer.

Turns out the user was reacting to a report that popped up on their computer warning them they had a whole bunch of infected system files and that their PC was going to perform worse unless they purchased the offered program.

He then proceeded to show me a long list of “infected files” all with crazy names and locations.  He had done some Google work on the files listed but hadn’t made any progress.

Well, I agreed he did have a serious issue, but likely those “files” were just a sham and in fact the security warning/program was the problem.

I told him I’d prefer to have him haul his system up to the church early so I could (off the network) hook it up to a spare monitor/keyboard and take a quick-peek.  He readily agreed.

That afternoon we met up and after what seemed like a ten-minute bootup I agreed his system was running super-slow.  This was a Windows XP system and after I launched the task-manager and it eventually appeared, a number of suspicious running processes were visible.  On top of things, the CPU fan was roaring like a jet taking off. Yes…my friend reported…this behavior had been happening recently also.

I was able to identify and disable the main rogue security app “loader” but significant problems remained and I suspected other stuff was lurking unseen at first glance.

Attempts to run any .exe application executable failed.  Attempts to run CMD failed as well.  The Control Panel was MIA. Bad things were afoot.

This quick-peek told me enough to confirm that my friend had indeed been hit by a scareware/rogue-security “product” infection and was in some serious hurt.

He trusted me to bring his system home and throw it on my workbench to attempt a full cleaning.

So was set the stage.

The battle begins

First thing I did was to off-line boot the system.  This was a bit more challenging than one would expect.

Although it was a nice mini-case IBM ThinkCentre unit, alas, it did not appear to support USB flash drive booting.

So I used one of my WinPE ISO files loaded on my iodd device (with the write-block switch thrown) to get the system up and running with me in control.  I then plugged in my 2GB USB stick that I had preloaded with various utilities and malware-busting tools. (note: because I didn’t yet have my Kanguru Flashblu II drive, I used usbdummyprotect to fill the remaining free space on the drive to avoid a potential write-back infection).

I then ran VIPRE Rescue overnight against the system.  When done it had located and isolated the following infections (and associated bits) in multiple locations:

  • Trojan.Boot.Alureon.Gen (v)
  • Trojan-Dropper.Win32.TDSS.cfvs (v)
  • FraudTool.Win32.FakeRean.e (v)

After rebooting I had a lot of work to do.

Next, since the System Properties and Control Panel weren’t working, I discovered that rundll32.exe had been renamed to rundll.exe. An examination of that file convinced me it was the original file, so I renamed it back and those items worked again.

Since any attempt to launch an application failed, I had to repair that.  This was made pretty easy by using the correct REG file fix found in this Broken EXE Association page.  Fixed.

Because the system was still crawling in terms of performance, I had to start addressing that or else it might take a month to get it running better.

The system was running on 1 GB of RAM (two 512 MB sticks of mismatched speed) with a 40 GB (5400 RPM) HDD at almost 90% full. Yikes!

The virtual memory settings had a very large custom value set, so I rolled that back to let the system manage it instead. I turned off start-menu animations.

Next, I ensured that all the user’s documents and other files were present and the start-menu lists appeared normal and unaffected by this malware version. Only after that had been established and I had collected some web-browsing log files to see if I could learn the infection point, I ran both CCleaner and CleanAfterMe to neaten things up and gain some additional free hard-drive space.

Disk fragmentation was horrible (although my friend appears to have been dutifully defragging his registry based on a desktop program that I found installed).  So I used JkDefrag Portable to clean that up.

Now that things were running (a bit) snappier, I returned to the infection cleaning.

I used the installed (but apparently overwhelmed) Microsoft Security Essentials tool to re-scan the system. It didn’t find anything, but now that it was running again, the history showed its battle at the time of the infection to keep the system clean.

  • Exploit:Java/CVE-2010-4452
  • Trojan:DOS/Alureon.A
  • Trojan:Java/Clagent.B

Still not convinced, I next ran Malwarebytes : Malwarebytes Anti-Malware Free which found 15 more bits and pieces.

I then sought-out and installed all the most current Browser Plugin Updates as the installed ones were woefully outdated…hence the vector for the infection in the first place.

Next? I downloaded and ran Hitman Pro 3 from SurfRight. It revealed some more stuff remaining that indicated a boot-loader infection. Bad-stuff man. Hitman Pro did its thing and cleaned up that mess.

I recovered both the admin password and OS key as the user had lost those and documented those for him.

Windows Updates had also been borked. As this was a Windows XP system, I found that running the following command in a (now working again) CMD window got them flowing again. More info and methods in this Microsoft KB883821 bulletin.

To register the Wuaueng.dll file, follow these steps:

  1. Click Start, click Run, type regsvr32 Wuaueng.dll, and then click OK.
  2. When you receive the following message, click OK:

    DllRegisterServer in Wuaueng.dll succeeded.

Now that the Windows updates were all on successfully, I upgraded the browser to IE8 from IE6. Also found installed (and so updated) were Safari for Windows and Firefox.

I removed the registry defragger and installed Defraggler to provide this user a more friendly tool.  The outdated version of Adobe Reader got removed and replaced with Adobe Reader X instead. Apple Quicktime was updated.

From here I took the system outside and opened up the case.

Loads of dust-bunnies, and the foam intake filter was completely obstructed with dust buildup. Much cleaning later, the system was purring quietly along. All the dust was restricting the cool-air intake over the CPU heatsink (also caked in dust), causing the CPU to run hotter, causing the fans to go into overdrive, causing the system fan-noise to require ear-protection.

I turned off System Restore so it would dump all the restore-points, some of which had copies of the infected files. This also added a bit more free-disk space.

I ran both Process Explorer (making sure no other rogue processes were found) as well as Autoruns for Windows (which I used to disable/remove some non-necessary helper services).

I then searched out and updated all the device drivers from the IBM/Intel sites I could find that applied to this particular system. For this particular IBM system, I located this ThinkVantage System Update utility that was a really big help in the process.

A full scan with MS Security Essentials and MalwareBytes AntiMalware both came back 100% clean.

For extra measure I also ran both Kaspersky’s Anti-rootkit utility TDSSKiller and Norton’s Power Eraser. Both also reported no issues found.

I flushed the DNS cache and cleared the Java cache.  HOSTS file looked normal.
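The things these two skirmishes found flipped by the malware (the .exe association and rundll32 rename above, the HOSTS file, and the firewall and Automatic Updates that Dad’s box needed re-armed) all come down to a handful of settings worth re-checking before a system goes home. As an added example, not from the original posts, this read-only PowerShell check reports each one; it assumes an XP/Vista box (the netsh firewall context and the AUOptions registry value) and the stock Windows defaults for the .exe association.

```powershell
# Added example, not from the original posts: a read-only sanity check for the
# specific items these skirmishes found tampered with. It changes nothing; it
# returns OK/WARN lines so the REG fix, the rename and the re-arming can be
# confirmed. Expected values are the stock Windows XP/Vista defaults.
$findings = @()
function Add-Finding([string]$Status, [string]$What, [string]$Detail) {
    $script:findings += "[$Status] $What : $Detail"
}

# 1. .exe association (Skirmish 1: every .exe refused to launch until the REG fix).
#    A per-user HKCU\Software\Classes\.exe key overrides the machine-wide one, so check both.
$exeAssoc = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
$exeOpen  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($exeAssoc -eq 'exefile' -and $exeOpen -eq '"%1" %*') {
    Add-Finding 'OK' '.exe association' "$exeAssoc / $exeOpen"
} else {
    Add-Finding 'WARN' '.exe association' "got '$exeAssoc' and '$exeOpen', expected 'exefile' and '`"%1`" %*'"
}
if (Test-Path 'HKCU:\Software\Classes\.exe') {
    Add-Finding 'WARN' '.exe association' 'per-user HKCU\Software\Classes\.exe key present (overrides HKLM)'
}

# 2. rundll32.exe (Skirmish 1: renamed to rundll.exe, which broke Control Panel).
$sys32 = Join-Path $env:SystemRoot 'System32'
if (Test-Path (Join-Path $sys32 'rundll32.exe')) { Add-Finding 'OK' 'rundll32.exe' 'present in System32' }
else { Add-Finding 'WARN' 'rundll32.exe' 'missing from System32' }
if (Test-Path (Join-Path $sys32 'rundll.exe')) { Add-Finding 'WARN' 'rundll.exe' 'stray rundll.exe in System32 (renamed original?)' }

# 3. Automatic Updates (Skirmish 2: disabled). AUOptions 4 = download and install; 1 = disabled.
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
if ($au -and $au.AUOptions -eq 4) { Add-Finding 'OK' 'Automatic Updates' "AUOptions=$($au.AUOptions)" }
else { Add-Finding 'WARN' 'Automatic Updates' "AUOptions=$(if ($au) { $au.AUOptions } else { 'n/a' })" }

# 4. Windows Firewall (Skirmish 2: disabled). The XP/Vista 'netsh firewall' context prints
#    'Operational mode = Enable|Disable'; Windows 7 and later use 'netsh advfirewall' instead.
$fw = netsh firewall show state 2>$null | Out-String
if ($fw -match 'Operational mode\s*=\s*Disable')   { Add-Finding 'WARN' 'Windows Firewall' 'operational mode is Disable' }
elseif ($fw -match 'Operational mode\s*=\s*Enable') { Add-Finding 'OK' 'Windows Firewall' 'operational mode is Enable' }
else { Add-Finding 'WARN' 'Windows Firewall' 'could not parse netsh output' }

# 5. HOSTS file (Skirmish 1: eyeballed). Any address line that is not a localhost entry deserves a look.
$hosts = Join-Path $sys32 'drivers\etc\hosts'
$extra = Get-Content $hosts | Where-Object {
    $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '\s(localhost|localhost\.localdomain)\s*$'
}
if ($extra) { Add-Finding 'WARN' 'HOSTS' "$(@($extra).Count) non-localhost entries: $($extra -join ' | ')" }
else { Add-Finding 'OK' 'HOSTS' 'only localhost entries' }

$findings
```

Run it from an elevated prompt so the HKLM and System32 reads are not blocked; any WARN line points at one of the manual fixes described in the posts rather than at a scanner.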

Things were looking up.

I dug around on the spec page for this system and found it could support up to 2 GB of system RAM on the mainboard. It just so happened that I had a pair of matched 1 GB PC2700 333 MHz DDR sticks lying around. I pulled the original ones and dropped these in. I think I could hear the system actually taking a deep breath and shudder with relief once again. Performance was much more nimble now!

Alas, I didn’t have a spare drive, but did pass on a note for my recommendation to upgrade to a larger capacity/faster RPM PATA hard-drive as well.

Done.

Time invested? Approximately 10 hours (not counting unattended overnight scanning) spread over a week.

Return on investment from gratefully shining face of owner? Priceless.

Lessons learned

Reviewing all the logs, it seemed clear that the user had browsed across a maliciously coded web page in an unpatched browser running unpatched/outdated browser plug-ins. I suspect the Java exploit got the ball started, and once the actual malware installer app had been dropped/executed on the system, all bets were off despite MSSE’s attempts to protect the system. For additional information on these things, these references might be helpful.

  • Java CVE-2010-4452 - YouTube
  • CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit - YouTube
  • Not Just Another Analysis of Scareware - Security Braindump
  • Vulnerabilities in a Flash - WhiteHat Security Blog
  • Encyclopedia entry: TrojanDownloader:Win32/FakeRean - Microsoft Malware Protection Center
  • Win32/Alureon brings back old school virus techniques, enhanced - Microsoft Malware Protection Center

I guess in some ways, given the state the system was in, the poor performance may have kept things from getting worse, or kept the user from continuing to work with the infection running in the background. In this case, the scareware/malware only helped cause the system to grind down even slower.

No one single anti-malware app fixed the problem.  Because the malware compromised/changed some key Windows filenames and settings, additional manual remediation work had to be performed.

There are a lot of great cleaning tools out there; the challenge is being familiar with the best of them and knowing which ones are the most effective to apply.

The whole process is quite involved and must be taken through logically, building on each success.

Next post -- same thing but with a twist -- Dad’s PC infection.

I’ll also do a standalone post linkfest listing these and other tools/resources I found helpful or came across in these skirmishes.

Cheers.

--Claus V.

Posted in anti-virus software, boot-cd's, imagex, security, troubleshooting, viruses, Win PE, XP | No comments

PSA: Browser Plugin Updates

Posted on 10:46 AM by Unknown

As I prepare my notes for one to two GSD posts on recent rogue-security product malware-purges from heavily infected systems, I’m going to offer a brief public service announcement.

In both cases, a review of the logs generated and collected during the incident responses strongly suggests to me that both infections occurred during innocent web-surfing when the users unknowingly landed on maliciously seeded pages that took advantage of exploitable code in their older versions of Java.

While probably not the specific exploit they encountered, these YouTube videos do illustrate how the process can work.

  • Java CVE-2010-4452 - YouTube
  • CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit - YouTube

For more in-depth illustration and analysis of the problem, take a look at these security posts.

  • Not Just Another Analysis of Scareware - Security Braindump
  • Vulnerabilities in a Flash - WhiteHat Security Blog

Patch it like a hobo

Trying to guide Dad through all the hoops on how to check his Windows (Vista) system early for the latest versions of these most popular browser plugins has been quite challenging. Not only do you have to go confirm the current version you are running (either through the Control Panel or from the providers’ websites), but then you have to navigate through the download and install process, often trying to avoid an offered “bonus” software product installation in the process.

So, although at work I download such update packages directly from the provider’s source for security reasons, at home and in recommendations to family and friends, I usually just point them to the specific updated package as found on the FileHippo.com Plugins Downloads site.  It’s just easier that way.

  • Adobe Air -- FileHippo mirror site.
  • Flash Player-- FileHippo mirror site. (be sure to get both the IE “ActiveX” and the “Non-IE” versions)
  • Shockwave Player-- FileHippo mirror site.
  • Java Runtime Environment-- FileHippo mirror site. (if you run x64, grab and install both the x32 and x64 versions)

If you do want to go the “official source only” path, then here you go.

Adobe - Flash Player - This page will tell you what version of Flash you are running and what the latest versions are.

Troubleshoot Flash Player installation | Windows - Links to both the update page as well as the direct manual download links for most current level of both versions; Flash Player 10 ActiveX and Flash Player 10 Plugin.

Adobe - Test Adobe Shockwave Player - this page will play and display a Shockwave file which then tells you your currently installed version of Shockwave.  Write it down then…

…go to this page Adobe - Adobe Shockwave Player to see what the latest version actually is. If this one is newer, download and install (just watch out for the offered “bonus” software install and uncheck the box if you don’t want it).

To confirm you have the freshest Java beans, pop over to this Verify Java Version page and see what fortune you get.  Need an update?  Well then my bedraggled friend, stop in at All Java Downloads to pick from the buffet.  You likely will be focusing on the Windows 32-bit and 64-bit versions.

I haven’t mentioned it, but Adobe Acrobat is also almost ubiquitously found on Windows systems, and it too must be kept updated to avoid the worst of the PDF-related exploit issues out there.

Updates galore

This past month saw a banner crop of security patches and updates both to the Windows operating system environment as well as many popular Windows browser plugins.  Hopefully everyone who needs these applied them to their systems.  Adobe in particular has become more of a responsible citizen by changing the updating in their products to now do “auto-check” for updates. Oracle has been including a Java-update check service in their product for some time now.

It’s my personal experience that while these auto-update features do work, sometimes they don’t offer an available update for some time. And when, as in the case of Java, they sit quietly in the system tray as an indicator icon, it is easy to overlook. Adobe at least throws the notice in your face.

I understand and acknowledge the challenges for many home-users in keeping informed and notified of these updates. Heck, it’s hard enough to get some home users to even care about patching third-party systems.

That said, as anyone who has either been a victim of a browser drive-by malware infection, or been the guy or gal who had to spend many, many hours cleaning Uncle Bob’s unpatched PC to save the system and Uncle Bob’s sanity again, can tell you, it’s too serious not to keep an eye out and patch these browser plugins as soon as they get released.

  • Adobe Ships Security Patches, Auto-Update Feature -- Krebs on Security
  • Flash Player Patch Fixes Zero-Day Flaw -- Krebs on Security
  • Patch Tuesday part two – Adobe patches Reader, Flash and more -- Naked Security
  • Adobe releases patches -- ISC Diary post
  • Java Patch Plugs 17 Security Holes -- Krebs on Security
  • Microsoft Patches Fix 34 Security Flaws -- Krebs on Security
  • IE 9.0.1 Available via Windows Update -- IEBlog
  • ISC Diary | Microsoft June 2011 Black Tuesday Overview -- ISC Diary
  • Patch Tuesday – June 2011 – 16 bulletins, 9 critical -- Naked Security
  • Microsoft Security Bulletin Summary for June 2011 - Microsoft TechNet

Patch on Mr. Adams!

--Claus V.

Posted in browsers, security, software, viruses | No comments

GSD Blog Template Reboot

Posted on 9:29 AM by Unknown

No, you have not accidentally experienced a page-redirection to either the TinyApps.Org or NirBlog website, although they remain quite inspiring to me.

I’m blaming it on the super-hot, super-dry summer.  Looking at the “warm” color-tones previously used on the GSD blog just has made me feel uncomfortable of late.

So we are trying on some new minimalistic clothing here to weather this long, hot summer on the Texas Gulf Coast.

I feel cooler already.

--Claus V.

Posted in Blogger, blogging | No comments