I thought a few things were news worthy today, that and after a recent conversation with another Incident Responder interested in improved malware recovery techniques I wanted to share a method that I've been happily using for a while now in performing remote host analysis for the identification and retrieval of malicious code samples.
Holy smokes, the iframeDOLLARS business practice is back up and running at (www.iframedollars.biz) 126.96.36.199 and (bestcounter.biz) 188.8.131.52. We've also received reports of malicious hosting at 184.108.40.206. I personally (NOT SANS!!!) highly recommend these domains and IPs for blackholing on your networks. While you're at it, if you manage large proxies and find new hits for iframeDOLLARS exploits, we'd like to hear about them.
(p2p) It's free, so Prepare to Patch
It's Fr^h^hMonday the 13th, so p2p. I'm not talking about installing spyware and adware riddled software that tempt you to violate multiple laws by gaining access to free warez/music/etc... I'm talking about "p2p" as in "Prepare to Patch". Be forewarned that there are more than a few patches of significance that will become available for an operating system near you starting Tuesday the 14th. Oh yeah, by the way, these patch downloads are also free!
The SANS handlers have received a vendor notice from ISS of a potential incompatibility with specific BlackICE product versions running on Windows 2000 that may conflict with a revision of a Microsoft patch scheduled for release on June 14th. BlackICE users on Windows 2000, Please make sure your engine is running BlackICE PC/Server Protection version "cnr".
The MAP - and this one is not in Dora the Explorer's backpack
The availability of the from iDefense.com was posted in several forums last week. I'm intrigued and will be checking it out soon. Even though I have a strong preference for doing this type of work on a unix platform, based upon a quick read of included tool features there looks to be a few native Windows analysis functions that I wouldn't know how to replicate in the linux world.
Remote Malware Acquisition with SBD
I have an ongoing need to investigate and assist other investigators with remote machines to identify malware as well as retrieve suspicious/obvious samples. I do not often require full GUI console access to get to the root of the problem, so talking someone through the installation of VNC or configuration of terminal services can be a tedious experience. I have found that using SBD which is available from http://tigerteam.se/dl/sbd/ gave me pretty much all I needed. Just a simple encrypted command line reverse shell delivered to a host of your choosing. SBD, aka ShadowInteger's Backdoor (and no it's not really as evil as it sounds) supports compilation on both unix and win32(cygwin/mingw) environments. Several AntiVirus vendors have started flagging this tool as a PUP - a Potentially Unwanted Program. True Enough, most security tools are double edged swords.
Download the source for yourself. I still use sbd-1.33, it's certainly stable enough for my purposes. A shortcut to creating your custom sbd binary follows:
I recommend making the following modifications to sbd.h header define variables suitable for your environment.
To build your Windows binary, execute the following from a Cygwin Bash shell
If all goes well your new SBD binary is now hardcoded to perform a specific action by default which is to connect back to your host and present you with a cmd.exe shell.
To receive a connection from a suspect host, make sure you're running an appropriately configured sbd binary. The same binary can be used as sending client or receiving server.
On my linux host using a linux SBD binary of course, I first start a typescripting session so that I will have a log of everything I've done remotely, then I execute the following:
Once you have your sbd listener waiting you can provide phone/email/IM/pager instructions to your remote workstation user to grab and execute your custom sbd binary. The remote user should not have to provide any fancy command line arguments, and while it's bad security form they can even execute directly from your webpage. I leave a web server and tftp server available for tool retrieval and tftp uploads enabled so I can push malware samples back to myself.
Once the remote user executes your custom SBD binary you should have a command shell appear in the window you just executed your sbd listener in. Yay, let the healing begin.
At this point your creativity as an Incident Responder is the only limit.
TFTP retrieval of tools.
Directory listings in reverse order 'dir /od'
Hidden file listings 'dir /od /ah'
Registry run key listing using 'reg' (XP)
TFTP upload of malicious samples.
To bring this diary to a close, I leave it as a challenge for another handler to present you with an IR SBD based methodology that utilizes only the tools available to the default unmodified native operating system vs. a methodology that leverages the retrieval of supporting analysis tools. If the challenge is not accepted, I'll share my process.
Build it. Use it. Finally, Let us know how you use it.
Thanks, and we'll leave the light on.
Jun 14th 2005
1 decade ago