toolsmith: ZeroAccess analysis with OSForensics
By HolisticInfoSec.org, 2012-01-05 21:55:17
Prerequisites: Windows

Happy New Year! "A New Year's resolution is something that goes in one year and out the other." - Author Unknown

Introduction

December is the time of year when I post the Toolsmith Tool of the Year survey for readers to vote on their favorite tool of the given year. Please do take a moment to vote. What's nice is that I often receive inquiries from tool developers who would like consideration for coverage in toolsmith. David Wren, Managing Director of PassMark Software, caught me at just the right moment as I was topic hunting for this month's column. PassMark, out of Sydney, Australia, has been known for benchmark and diagnostic tools but has recently dipped its toe in the digital forensics pool with OSForensics. I give PassMark props for snappy marketing. "OSForensics, Digital Investigation for a new era" coupled with the triumvirate of Discover, Identify, and Manage makes for a good pitch, but as always we need tools that do as they do, not as they say. So what can we expect from OSForensics? According to David, who provided me with prerequisite vendor/developer content, the pending 1.1 release of OSForensics, expected in mid-January 2012, will include:

- Inclusion of a tree view style file system browser (Windows Explorer replacement).
- Indexing/searching of the contents of e-mail attachments. At the moment just the e-mail content and the file names of attachments are indexed.
- Improvements to add search results to a case directly from search history (efficiency improvement).
- Ability to add quick notes to a case. At the moment adding arbitrary notes is a two-step process.
- Improvements in the built-in image viewer: better quality image scaling, more file properties.
- Minor improvements in the way e-mails are exported.
- Significant speed improvements in the Windows registry browser.
- A bug fix for handling of dates in Spanish-language e-mails.
- Some minor documentation changes.

Existing features include disk imaging, disk image mounting, raw hex view of disk, manual carving, a registry viewer, forensic copy of network files, testing/zeroing of external drives prior to imaging, file hashing, live memory dumping, detection of files with wrong extensions via signatures, case management, reporting, 64-bit support, and more. The OSForensics website has an extensive FAQ as well as excellent videos and tutorials. Please note that there is a Free Edition and a Pro Edition. For this article I tested the 1.0 Pro version of OSForensics.

Integrating additional tools into OSForensics

One of the things I like most about OSForensics is the ability to plug in other tools. There's a great tutorial for enhancing OSForensics with Harlan Carvey's RegRipper that will give you a solid starting point for this activity. Friend and reader Jeff C. expressed interest in rootkit analysis this month, so I'm going to use this opportunity to integrate GMER and RootkitRevealer into OSForensics. As I ran OSForensics on a Windows XP system from a USB key, I copied GMER and RootkitRevealer to E:\OSForensics\AppData\SysInfoTools. I then navigated to System Information in the OSForensics UI, selected Add List and created a Rootkit Analysis list, followed Add under Commands, and added the commands to execute GMER and RootkitRevealer, as seen in Figure 1.

Figure 1: Rootkit Analysis tools added

Keep in mind that you can add any of your preferred tools to OSForensics, and their execution as well as their output will be captured as part of OSForensics' case management capabilities.

Running OSForensics

For ease of viewing, right-click the menu on the left side of the OSForensics UI and choose thin buttons, as this will present all options without scrolling. One note of interest before diving in: OSForensics allows installation on a base analysis system from which you can then Install to USB so as to run it from a USB key as part of your field kit, as seen in Figure 2.
Figure 2: Install OSForensics to a USB key

Jeff, as part of his expressed interest in rootkit analysis, also provided me with a perfect sample with which to compromise my test system. Nomenclature for this little nugget includes Jorik and Sirefef, but you may know it best as Zaccess or ZeroAccess. To read a truly in-depth study of ZeroAccess, check out Giuseppe Bonfa's fine work in four parts over at InfoSec Resources, as well as a recent update from Pedro Bueno on the ISC Diary. ZeroAccess has been rolled into the BlackHole Exploit Kit and is often used in crimeware bundles for ad clicking. This particular sample (MD5 3E6963E23A65A38C5D565073816E6BDC) is VMware-aware, so I targeted my Windows XP SP3 system running Windows SteadyState and executed QuickTimeUpdate.exe (it only plays a real QuickTime update on TV). As with any tool of OSForensics' ilk, I started the process by creating a case, which is as easy as clicking Start then Create Case. The OSForensics UI is insanely intuitive and simple; if you're one of those who refuses to read manuals, FAQs, and/or tutorials, you'll still get underway in short order. With most forensics-oriented multi-functional tools that include indexing, I always make indexing my second process. Yep, it's as easy as Create Index. I infected this system on 12/26/11 at 1630 hours, so a great next step for me was to review Recent Activity to see what was noteworthy. Based on a date range-limited search under Recent Activity, I noted a significant spike in events in the 1600 hour. I right-clicked on the resulting histogram for the hour of interest and selected Show these files. The result, as seen in Figure 3, shows all the cookies spawned when ZeroAccess tapped into all its preferred ad channels. All cookies in Figure 3, including those for switchadhub.com, demdex.com, and displayadfeed.com, were created right on the heels of the infection at 1630 hours. These are services malware writers use to track clicks and campaign success.
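The Recent Activity step described above is an hourly histogram over file timestamps followed by "show me the files in the spike bucket". The script below reproduces that triage in plain Python as an added example; it is not OSForensics code, and the file records in it are constructed for illustration (the cookie hosts mirror the ones named above, the timestamps and the Prefetch file name are invented). It also adds a check a practitioner wants on top of the histogram: browser artifacts (cookies, Temporary Internet Files) written under a service account's profile such as LocalService rather than a logged-on user's, which is a strong hint that a non-interactive process, not a person at a browser, made the requests.

```python
"""Hourly activity histogram over file timestamps, in the style of the
Recent Activity triage, plus a check for web artifacts under service
account profiles. Added example, not OSForensics code. RECORDS is
constructed sample data; real input would come from the case index."""
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample records: (path, creation time as "YYYY-MM-DD HH:MM:SS").
# Hosts mirror the article's cookies; times and the Prefetch name are invented.
RECORDS = [
    (r"C:\Documents and Settings\Administrator\My Documents\notes.txt", "2011-12-26 09:12:00"),
    (r"C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt", "2011-12-26 11:02:00"),
    (r"C:\WINDOWS\system32\config\SAM.LOG", "2011-12-26 12:00:00"),
    (r"C:\WINDOWS\Prefetch\QUICKTIMEUPDATE.EXE-1A2B3C4D.pf", "2011-12-26 16:30:05"),
    (r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\ads[1].htm", "2011-12-26 16:30:40"),
    (r"C:\Documents and Settings\LocalService\Cookies\localservice@switchadhub[1].txt", "2011-12-26 16:31:02"),
    (r"C:\Documents and Settings\LocalService\Cookies\localservice@demdex[1].txt", "2011-12-26 16:31:03"),
    (r"C:\Documents and Settings\LocalService\Cookies\localservice@displayadfeed[1].txt", "2011-12-26 16:31:10"),
]

# Profiles under Documents and Settings that belong to services, not people.
SERVICE_PROFILES = {"localservice", "networkservice", "systemprofile"}


def parse(records):
    """Turn the string timestamps into datetimes."""
    return [(p, datetime.strptime(t, "%Y-%m-%d %H:%M:%S")) for p, t in records]


def bucket(ts):
    """Truncate a timestamp to its hour bucket."""
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_histogram(records):
    """Events per hour, like the Recent Activity histogram."""
    return Counter(bucket(ts) for _, ts in parse(records))


def spike_hour(records):
    """The busiest hour bucket (earliest wins a tie)."""
    hist = hourly_histogram(records)
    return min(hist, key=lambda h: (-hist[h], h))


def files_in_hour(records, hour):
    """'Show these files' for one bucket, ordered by time."""
    return sorted((ts, p) for p, ts in parse(records) if bucket(ts) == hour)


def profile_of(path):
    """Account whose profile a path sits under (XP layout), or None."""
    parts = PureWindowsPath(path).parts
    if len(parts) > 2 and parts[1].lower() == "documents and settings":
        return parts[2]
    return None


def service_account_web_artifacts(records):
    """Cookies or Temporary Internet Files under a service account profile.
    A user's browser never writes there; a service or injected code does."""
    hits = []
    for p, _ in parse(records):
        prof = profile_of(p)
        low = p.lower()
        web = "\\cookies\\" in low or "temporary internet files" in low
        if prof and prof.lower() in SERVICE_PROFILES and web:
            hits.append(p)
    return hits


def cookie_host(path):
    """IE cookie files are named <user>@<host>[<n>].txt; return <host>."""
    name = PureWindowsPath(path).name
    if "@" not in name or not name.lower().endswith(".txt"):
        return None
    host = name.split("@", 1)[1].split("[", 1)[0]
    return host or None


if __name__ == "__main__":
    hour = spike_hour(RECORDS)
    print("spike:", hour, "with", hourly_histogram(RECORDS)[hour], "events")
    for ts, p in files_in_hour(RECORDS, hour):
        print(" ", ts.time(), p)
    print("service-account web artifacts:", service_account_web_artifacts(RECORDS))
    print("cookie hosts:", sorted({h for p, _ in RECORDS if (h := cookie_host(p))}))
```

On the constructed data the spike is the 1600 bucket with five events, four of them web artifacts under the LocalService profile, which is exactly the shape of evidence the article's Figure 3 describes.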
Figure 3: ZeroAccess malicious click campaign evidence via OSForensics

I had not browsed to any websites, and on this host would have done so via a browser other than Internet Explorer; as such, this activity, written to C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (that is, under the LocalService account's profile rather than the logged-on user's), clearly occurred in the background. I always take a network capture during malware runtime, and the resulting PCAP acquired while analyzing this version of ZeroAccess included connections to a well-known malware redirection service in the 67.201.62 range. Search "67.201.62 malware" and you'll see what I mean. I then opted to call GMER from OSForensics as discussed earlier under Integration. If you're not familiar with it, GMER is the de facto standard for rootkit detection. Once a GMER scan is complete, you can choose to dump detected modules via Dump module, as seen in Figure 4.

Figure 4: GMER bags ZeroAccess via OSForensics

I fed the resulting binary file to VirusTotal and was rewarded for my efforts with hits for Gen:Variant.Sirefef.38, a ZeroAccess variant. OSForensics features a Memory Viewer from which you can conduct similar activity natively: select a given process (one you assume or have determined is malicious), select one of four dump options including Dump Process Memory Contents, then click Dump. The resulting .bin can be fed to VirusTotal or a similar service. But alas, you will not have made the utmost use of OSForensics if you don't capitalize on Hash Sets. I won't get into great detail as to how to do so as, again, the tutorial videos are excellent. You will want to enable a given hash set by selecting it in the UI then clicking Make Active. One of the hash sets PassMark offers via download is a 124 KB common keyloggers hash set. You can select a directory via File Name Search, then Search, then right-click a file of interest (or CTRL-A to select all) and choose Look Up in Hash Set.
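A hash-set lookup of the kind just described is a hash of each file compared against a list of known digests. The script below does that in plain Python as an added example; it is not OSForensics code, and both the hash set and the files it writes to a temporary directory are constructed for illustration (the "sample_keylogger.exe" entry is the MD5 of a made-up byte string, not of any real malware). It handles one trap worth knowing about: MD5 of empty input is always d41d8cd98f00b204e9800998ecf8427e, so if a hash set carries that digest, every 0-byte file on the system "matches", and such hits tell you nothing about the file. The lookup therefore reports matches on the empty-input digest separately from real ones.

```python
"""File hashing and hash-set lookup, with empty-file matches separated out.
Added example, not OSForensics code. HASH_SET and CONSTRUCTED_FILES are
constructed sample data; a real hash set would be loaded from disk."""
import hashlib
import os
import tempfile

# MD5 of zero bytes: every empty file hashes to this, so a hit is noise.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Constructed files written into a temp directory for the demo.
CONSTRUCTED_FILES = {
    "sample_keylogger.exe": b"MZ-not-a-real-keylogger-just-a-constructed-sample",
    "empty_a.dat": b"",
    "empty_b.log": b"",
    "readme.txt": b"benign text, not in the set",
}

# Constructed hash set: digest -> label. Digests are stored uppercase here
# on purpose, as the article's screenshot shows them, to exercise normalisation.
HASH_SET = {
    hashlib.md5(CONSTRUCTED_FILES["sample_keylogger.exe"]).hexdigest().upper(): "sample_keylogger.exe",
    EMPTY_MD5.upper(): "zero-length-file",
}


def md5_file(path, chunk=1 << 20):
    """Stream a file through MD5; returns (hexdigest, size in bytes)."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
            size += len(block)
    return h.hexdigest(), size


def lookup(paths, hash_set):
    """Map each path to (digest, label or None, real).
    real is True only for a labelled match on a non-empty file whose digest
    is not the empty-input digest."""
    normalised = {k.lower(): v for k, v in hash_set.items()}
    out = {}
    for p in paths:
        digest, size = md5_file(p)
        label = normalised.get(digest)
        real = label is not None and size > 0 and digest != EMPTY_MD5
        out[p] = (digest, label, real)
    return out


def real_matches(result):
    """Paths whose match is worth reporting."""
    return sorted(p for p, (_, _, real) in result.items() if real)


def noise_matches(result):
    """Paths that matched only because they are empty."""
    return sorted(p for p, (_, label, real) in result.items() if label and not real)


def write_constructed_files(directory):
    """Materialise CONSTRUCTED_FILES on disk; returns their paths."""
    paths = []
    for name, data in CONSTRUCTED_FILES.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    return paths


def demo():
    """Run the lookup over the constructed files; returns (real, noise) base names."""
    with tempfile.TemporaryDirectory() as d:
        res = lookup(write_constructed_files(d), HASH_SET)
        return ([os.path.basename(p) for p in real_matches(res)],
                [os.path.basename(p) for p in noise_matches(res)])


if __name__ == "__main__":
    real, noise = demo()
    print("real matches:", real)
    print("matches on the empty-input digest (ignore):", noise)
```

The same split applies to any hash-based tool: a digest of a zero-length input, or of any other content that is common and benign, is a property of the hash function, not evidence about the file, and a hash set that includes it should be treated as producing that class of hit by design.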
As none of the acquired binaries for ZeroAccess matched the current hash set, I chose to scan my Lurid (the APT) analysis folder to see what matches the hash set had for me. I used the Sorting menu in the lower right-hand corner of the UI and set it to In Hash Sets; the results are seen in Figure 5.

Figure 5: Keylogger hash set checks

While OSForensics claimed to have matches, they were only for 0-byte files that all show up with the MD5 hash of D41D8CD98F00B204E9800998ECF8427E (the MD5 of empty input, so any zero-length file will produce that hit). I'll test this further with a known keylogger and determine what a real match looks like. I don't fault OSForensics for this, as I likely don't have a sample keylogger whose hash matched the hash set. Trying hash matching against known-good system files worked admirably. I didn't even touch OSForensics' password analysis capabilities but will likely do so in a future blog post. Do check out that feature set via Passwords for yourself and share your feedback. Recognize that OSForensics integrates Rainbow Tables so, as you can imagine, the possibilities are endless. Don't forget the expected disk image analysis capabilities coupled with file carving. I tested this briefly and successfully, only to confirm what I consider a required and standard feature for tools of this nature.

In Conclusion

I'll admit I had no expectations for OSForensics, as I had no prior experience with it and, to be quite candid, no awareness prior to David contacting me. I always assume some risk when choosing such a tool, given that I could spend hours conducting research and analysis only to find the tool does not meet the standard for toolsmith discussion (can you say emergency topic change?). Such was not the case with OSForensics. I was pleased with the results, disappointed I didn't have more time to spend on it before writing about it here, but looking forward to making much more use of it in the future. As always, let me know what you think; I'm hopeful you find it as intriguing as I have.
Ping me via email if you have questions (russ at holisticinfosec dot org). Cheers until next month.

Acknowledgements: David Wren, Managing Director, PassMark Software