Sunday, March 28, 2010

Malware Case : Concluded

Let me preface this entry by stating that I did NOT follow all of the standard procedures that you would for a real case. I used this situation in an attempt to hone my skills and test my own capability to solve a case like this on a live machine. I did not produce a chain of custody, I did not interview staff members, I didn't take very good notes or record all my commands.

After I captured a full image of the hard drive using ftk-lite, I went ahead and used the installed antivirus solution and Malwarebytes Anti-Malware to scan and clean the original hard drive.

The first step of my investigation was to mount the USB disk holding the acquired images read-only on my Ubuntu workstation. I then mounted the image file itself on a folder I created and shared via Samba, and mapped a drive to that share from my Windows XP workstation. This lets me run scans and poke around the image as if it were a regular old network share, which is very slick if you have Windows forensic tools you like to use. Since I knew I was looking at a malware incident, I fired off MBAM against the read-only file system. Malwarebytes' default action is report-only, and it produces a very simple log file when the scan completes.

The scan flagged the .exe and .dll files but none of the registry entries that went with them (one of the reasons I like to run a number of different scanners).
I recorded the file names and started processing my image further:

My "evidence" drive is already connected read-only to my laptop, so my next step is to attach a drive where I can dump all of my processed data. I have a Rosewill USB-to-multi-interface adapter, and I connected a freshly wiped (dd if=/dev/zero of=/dev/sdX bs=512) 500 GB IDE drive for this purpose. Double-check the device name before you run that; dd will just as happily zero the evidence disk.

I'm not here to start fights, but you can pay thousands of dollars for a software suite that will do everything for you at the push of a button (see: anybody can do this), or you can do what I do and use The Sleuth Kit. It's free and open source, and plenty of other tools are built on top of it. Learn it, use it, rely on it; it's the goods. You can even pull down Autopsy while you're at it, turning TSK into one hell of a nice toolset. I recommend getting to know TSK for a little while and manually processing a case or two; you will learn a lot about what each of the commands produces and the basics of why forensics is what it is. After you do, you will realize why Autopsy is so nice: it logs all those really, really fun commands for you and lets you put in case notes and all sorts of other fun stuff. On to the processing....

I used Autopsy to open a case and added my raw image file, verifying along the way the MD5 checksum that FTK-Lite produced during the imaging process. Once the image was imported (many hours later) I did some cursory searches for the file names I recorded earlier (see: dirty word list) and found a directory under "Program Files" called "SelectRebates". Its recorded creation time was November 7, 2009 at 13:41. This is almost too easy....

Now I have a pretty good idea of when this adware was installed, so on to creating a timeline.

The command fls (run with -m) walks the file system and writes a single "body" file listing every file and directory with its name, metadata address and MAC times (plus the creation time on NTFS). It has a ton of useful switches for things like setting the time zone, adjusting clock skew, specifying the image type and a myriad of other things. I don't recommend trying to read that file raw after it's been created; it's a garbled mess of pipe-separated fields that doesn't help you do anything. Instead, continue on and turn all that junk into a usable timeline.

The command mactime parses that raw body file and turns it into something human-readable. It too has a bunch of switches, but the important one for me in this case was the ability to restrict the output to a short date range (given as yyyy-mm-dd..yyyy-mm-dd) instead of looking at this system from build date to when I imaged it. I set a window of Nov. 6th to Nov. 8th. Here's what I got in return:

Looks like somebody was doing a little surfing right before the install......

A file-system timeline is not the place to be looking at web history; try Web Historian instead. Mandiant has lots of other tools worth checking out as well. Web Historian spits out an Excel file that is easily sorted and viewed:

Doing a little online coupon-clipping were we? Sounds pretty safe huh? My mom clips coupons.

Immediately after visiting:

The adware install begins in the timeline.

Seems like we've got it nailed down now, but I'm not quite satisfied.  I've been reading some blogs about timelines and supertimelines lately and I figure this case fits the bill.

You'll have to read Chris's blog for the ins and outs of using to parse the registry and add it to your file-system timeline. It just flat works, and it blows away a standard file-system timeline. Add the ability to parse other system logs like event logs or Dr. Watson logs, System Restore points, etc., and you can really start to nail down an event.

In the screenshot below you can see not only the installer finishing up creating its file paths, but also adding itself to the Run key and even adding its own uninstaller (very friendly for software that generates 5 or 6 popups every minute). This is really useful information and pretty darn easy to add to your standard timeline. Chris talks about some software in development (timescanner) that will grab a bunch of different logs and dump them into this format. Good stuff.
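Since the fls/mactime step above and the registry merge here both boil down to the same bodyfile format, here is one added example that covers both. It is not code from this post and not part of The Sleuth Kit: it parses bodyfile records the way mactime does, restricts them to the Nov. 6 to Nov. 8 window, and then folds in a second bodyfile carrying registry key last-write times so the Run key and Uninstall key changes sort next to the installer's file activity. Every record is constructed. The SelectRebates directory and its 2009-11-07 13:41 creation time come from the post; the file names inside it, inode numbers, registry paths, the other timestamps, and the UTC assumption are all made up for illustration.

```python
"""mactime-style timeline from TSK bodyfile records, plus a registry merge.

Added example; not the original post's code and not part of The Sleuth Kit.
All records below are constructed for illustration.
"""
from datetime import datetime, timezone

# Bodyfile layout (TSK 3.x), one record per line:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (epoch seconds)
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime prints the timestamp kinds as "macb", with '.' for ones not on the row.
FLAG_ORDER = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def ts(s):
    """Epoch seconds for 'YYYY-MM-DD HH:MM:SS', treated as UTC (an assumption
    for this example; on a real image pass the system's zone to fls/mactime -z)."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def body_line(name, inode, mode, size, atime, mtime, ctime, crtime):
    """Emit one bodyfile record with md5/uid/gid zeroed."""
    return "|".join(map(str, ("0", name, inode, mode, 0, 0, size,
                              atime, mtime, ctime, crtime)))


def parse_bodyfile(text):
    """Parse bodyfile text into dicts with integer timestamps."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for k in ("atime", "mtime", "ctime", "crtime"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def build_timeline(records, start=None, end=None):
    """Return sorted (epoch, 'macb' flags, name) rows within [start, end).
    As in mactime, a file's timestamps that share one second collapse into a
    single row with several flags set, and a zero timestamp means 'not set'."""
    rows = {}
    for rec in records:
        for field, flag in FLAG_ORDER:
            t = rec[field]
            if t <= 0:
                continue
            if (start is not None and t < start) or (end is not None and t >= end):
                continue
            rows.setdefault((t, rec["name"]), set()).add(flag)
    return [(t, "".join(f if f in flags else "." for _, f in FLAG_ORDER), name)
            for (t, name), flags in sorted(rows.items())]


def render(rows):
    """Human-readable listing, one line per row."""
    return "\n".join(
        f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S}  {macb}  {name}"
        for t, macb, name in rows)


# --- constructed data (hypothetical names, inodes and times) -----------------
T_OLD = ts("2008-04-14 12:00:00")    # an OS file from the build, outside the window
T_SURF = ts("2009-11-07 13:40:12")   # browser cache touched just before the install
T_DIR = ts("2009-11-07 13:41:00")    # the post's SelectRebates creation time
FS_BODY = "\n".join([
    body_line("C:/WINDOWS/system32/kernel32.dll", 4711, "r/rrwxrwxrwx", 989696,
              T_OLD, T_OLD, T_OLD, T_OLD),
    body_line("C:/Documents and Settings/user/Local Settings/Temporary Internet Files/"
              "Content.IE5/index.dat", 9001, "r/rrwxrwxrwx", 32768,
              T_SURF, T_SURF, T_SURF, ts("2009-10-01 09:00:00")),
    body_line("C:/Program Files/SelectRebates", 18341, "d/drwxrwxrwx", 0,
              T_DIR, T_DIR, T_DIR, T_DIR),
    body_line("C:/Program Files/SelectRebates/SelectRebates.exe", 18342,
              "r/rrwxrwxrwx", 512000, T_DIR + 3, T_DIR + 3, T_DIR + 3, T_DIR + 3),
])
# Registry keys exported into the same layout: key path as the name and the
# key's last-write time in the mtime field (one convention, assumed here; the
# script you use may fill all four timestamp fields with the last-write time).
REG_BODY = "\n".join([
    body_line("HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run", 0, "0", 0,
              0, T_DIR + 20, 0, 0),
    body_line("HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/SelectRebates",
              0, "0", 0, 0, T_DIR + 25, 0, 0),
])
WINDOW = (ts("2009-11-06 00:00:00"), ts("2009-11-09 00:00:00"))  # Nov 6..8 inclusive


def fs_timeline():
    """Plain file-system timeline, the fls -m | mactime equivalent."""
    return build_timeline(parse_bodyfile(FS_BODY), *WINDOW)


def super_timeline():
    """File-system records plus registry last-write records in one sorted view."""
    return build_timeline(parse_bodyfile(FS_BODY) + parse_bodyfile(REG_BODY), *WINDOW)


if __name__ == "__main__":
    print(render(super_timeline()))
```

Running it prints the index.dat access a minute before the SelectRebates directory appears, the executable three seconds later, and then the Run and Uninstall key writes, with kernel32.dll dropped by the date window. The point of the merge is just that the registry rows carry the same timestamps as everything else, so any source that can be dumped into bodyfile layout sorts into the same picture.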

So we've found our adware, we've generated a timeline and a super-timeline, and we've used them to nail down the website responsible and the user logged in at the time of the infection. Aside from the mountain of paperwork if it were a real case, I'd call this one closed.

We could have gone deeper into System Restore points, prefetch and memory analysis. If this were a nasty trojan or a paid gig, I would definitely go further. In this case I'm pretty satisfied.

Not too shabby for a new guy.


  1. Next time, I'll hope for a nasty trojan so you go deeper. Thanks for the ride.

  2. Glad to have you along. I'm working on your earlier suggestion.

  3. If you don't mind, I have another suggestion that I've made to several bloggers, who have appreciated it (so have the bloggers' readers).

    Use the MORE tag (that's the wordpress term, not sure what they call it in blogspot) in your posts. Basically, it puts only the first couple lines or paragraphs of your post on your home page, with a link for readers to click to read the entire post.

    This isn't much of an issue when you first start your blog, but it becomes an issue the more you post.

    I explain how to use this tag and why it's good for bloggers and readers at

    My blog is an example of how it works....

    Let me know what you think. Either way, I like your style and look forward to following your career and hearing about your adventures.

  4. Found it. It's called a "jump break". Thanks for the tip.