
January 2007 Archives

January 3, 2007

DC3 and FTP Networks

DC3 results came out two weeks ago. We didn't win, although we didn't expect to win. What I was hoping for was a ranking list, but that won't be released for some time yet, along with the actual solutions to the challenges. That makes the waiting that much more difficult! The Academic category winner was UoSF, who were the ones everyone expected to take the lead. The Commercial winner, however, was AccessData, makers of Forensic Toolkit. Not sure how I feel about that. I mean, it's their business to do this stuff; how much of a challenge could that be for them?

Got some mail last week about several computers on campus being part of a meshed, multi-school, FTP warez network. First time I had encountered this. The systems apparently kept in touch with each other and distributed the files amongst themselves. I seized one of the machines here and am running an analysis on it. More about that later when I find something of interest. The other one is in a computer lab, which makes it harder to find. One PC in a room of indistinguishable PCs. "Just trace the cables!" I wish it were that easy. I don't have access to the switch to do that. Gonna have to check MACs instead.

January 12, 2007

ActiveX Phishing - FTP followup

I got some phishing mail yesterday that was puzzling me. It was, of course, bogus, because I didn't have accounts at (let alone ever heard of) the sites the mail was talking about, but when I examined the links and the body of the mail, it all seemed "legitimate". I use that in quotes because by legitimate I mean there was no obfuscation being used. The links went where they said they went.

I fired up my sandbox VM and went to visit the page they asked about. The first thing it tried to do was install an ActiveX component for MDAC. Yeah... I think not. Drive-by installs and attacks aren't new, but it was the first time I got to play with one. I might go back later and let it install and see what it wants to do with my data.

I completed my analysis of the distributed FTP network machine we seized. It had the drftpd FTP daemon on it, which seems specifically designed to work with IRC as a file distribution mechanism. It itself doesn't appear suspect, but it definitely didn't belong there. Seems the initial compromise occurred back in JULY 06. Radmin and its friends were installed at that point, but the FTP server wasn't installed till 12/21/06. It doesn't appear to have been populated, as I found no warez of any kind on the machine. The IRC channel it was configured to connect to doesn't exist anymore either. Oh well.

January 16, 2007

W32/agony.exe-1 Rootkit

Yeah, that's right, I'm a security professional. I am so good I managed to infect myself with a rootkit this afternoon. Okay. I'll wait while you laugh.

Finished? Alright, I can continue. So, whatever it was that this trojan was trying to masquerade as, it did a really crappy job. Didn't make much of an effort to hide itself at all. First, as expected, it attempted to phone home. My firewall immediately pitched a fit when "mswinup.exe" attempted to get network access. I refused it access and pulled out the network cable. After refusing it network access, my machine promptly rebooted on its own.

As Windows came back up, I saw a very brief window popup saying something about creating directories. It came and went too fast for me to read it, but I knew that wasn't right. At this point, it was pretty clear something was wrong.

ProcessExplorer did not indicate anything unusual running; however, TCPView showed outbound connection attempts even though I didn't have anything running, and they weren't to the usual suspects (i.e. Google, Symantec, etc.). AutoRuns, on the other hand, showed several new additions to both services and autorun startup.

A new, hidden service called "Agony" was in place, and a hidden entry in startup called "c:\windows\system32\winsecurity\mswinup.exe". Sitting in my home directory was a file called "agony.sys", with a duplicate in c:\windows\system32. Both were clearly part of this, given their name and time stamp.

Rootkit Unhooker (which I had never heard of before) showed me several hooks into the kernel originating with agony.sys. Additionally, a new registry key had been created:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

that read:

"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"

Also bogus. I removed everything related to it and rebooted. Upon reboot, none of the services and files noted above had returned. Rootkit Unhooker did not show any unknown hooks. To be on the safe side, I am imaging the system to run it through FTK and get a filesystem timeline, to see if anything else changed that I might have missed. It looks, though, like I got it all.

I am a little annoyed that Symantec didn't even bat an eye when this thing loaded into memory. The agony part appears to be what is used to hide everything from the general user space. On the other hand, the detection signatures I am seeing for other AV vendors for this particular threat are dated on or about 12/26/06, so it's rather recent. If I don't see a signature in Symantec for it soon, it might be time to change AV vendors.

If the FTK timeline shows any missing dangly bits, I'll update.
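A defender's check for the kind of firewall exception described above, written here as an added example (not code from the post): it parses a constructed .reg export of the AuthorizedApplications\List key, where each value's data has the form path:scope:state:display name, and flags entries whose display name claims a product whose binary is something else, whose value name disagrees with the path in the data, or whose binary sits in a subfolder of the system directory. The product-to-binary mapping and the system-directory heuristic are assumptions for this example, not something the post states.

```python
import ntpath
import re
from typing import List, NamedTuple, Tuple

# Constructed .reg-style export of the XP SP2 firewall exception list. The first
# value mirrors the bogus entry described above; the other two are made up for
# contrast (one legitimate, one whose value name and data path disagree).
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
"%ProgramFiles%\\Internet Explorer\\iexplore.exe"="%ProgramFiles%\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Foo\\foo.exe"="C:\\Program Files\\Foo\\bar.exe:*:Enabled:Foo Updater"
'''

# Illustrative mapping (an assumption for this example): the binary one would
# expect behind a given product name in the exception list.
KNOWN_PRODUCT_BINARIES = {
    "internet explorer": "iexplore.exe",
}


class FirewallEntry(NamedTuple):
    value_name: str    # registry value name (normally the same path again)
    path: str          # path field of the value data
    scope: str         # '*' means any remote address
    state: str         # 'Enabled' or 'Disabled'
    display_name: str  # free text shown in the firewall UI


# A .reg value line: "name"="data", with \\ and \" escapes inside the quotes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(text: str) -> str:
    """Undo the .reg export escaping of backslashes and quotes."""
    return text.replace('\\\\', '\\').replace('\\"', '"')


def parse_authorized_apps(reg_text: str) -> List[FirewallEntry]:
    """Parse AuthorizedApplications values of the form path:scope:state:name."""
    entries = []
    for raw in reg_text.splitlines():
        match = VALUE_RE.match(raw.strip())
        if not match:
            continue
        data = _unescape(match.group('data'))
        # Split from the right: the path itself may contain a drive-letter colon.
        parts = data.rsplit(':', 3)
        if len(parts) != 4:
            continue  # not in the expected four-field form; leave it alone
        path, scope, state, name = parts
        entries.append(FirewallEntry(_unescape(match.group('name')), path, scope, state, name))
    return entries


def suspicious_entries(entries: List[FirewallEntry]) -> List[Tuple[FirewallEntry, List[str]]]:
    """Return entries with the reasons they look wrong; an empty list means nothing flagged."""
    findings = []
    for entry in entries:
        reasons = []
        exe = ntpath.basename(entry.path).lower()
        folder = ntpath.dirname(entry.path).lower()
        if entry.value_name.lower() != entry.path.lower():
            reasons.append('value name and data path disagree')
        expected = KNOWN_PRODUCT_BINARIES.get(entry.display_name.strip().lower())
        if expected and exe != expected:
            reasons.append(f"display name says '{entry.display_name}' but the binary is {exe}, not {expected}")
        # Heuristic: third-party binaries normally do not live in a subfolder of the system directory.
        if folder.startswith('%systemdir%\\') or re.match(r'^[a-z]:\\windows\\system32\\.', folder):
            reasons.append('executable sits in a subfolder of the system directory')
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == '__main__':
    for entry, reasons in suspicious_entries(parse_authorized_apps(SAMPLE_REG_EXPORT)):
        print(f"{entry.path} ({entry.state}, scope {entry.scope}):")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against a real export of that key (reg export of the List subkey), the bogus entry is flagged twice: the display name says Internet Explorer while the binary is mswinup.exe, and the binary lives under a subfolder of %SystemDir%. Splitting the value data from the right matters because a full path such as C:\Program Files\... carries its own colon.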

January 19, 2007

IRC bot action

Not really exciting, but I found it interesting anyway. I usually see traffic giving IRC bots on campus instructions to scan and exploit various vulnerabilities. Today I got one that was trying to pass on malware using, predictably, a MySpace picture request:
:sv-5.s3cr3t.net 332 [A07|USA|37152] ##vap1d## :.aim I was going to put this pic of us on
myspace. Is that ok with you? A H - REF="http://www.do not follow.dk/includes/picture-
ustogether.002.com">http://myspace/userphotos/us-together/picture-ustogether.002.jpg

:sv-5.s3cr3t.net 333 [A07|USA|37152] ##vap1d## H0AX 1168997693

I broke up the HTML so it would display properly. Not sure what the second command string does, the H0AX one.
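An added example, not from the original post, that decodes the two server lines above: numeric 332 is RPL_TOPIC and carries the channel topic, and numeric 333 is RPL_TOPICWHOTIME (a de facto standard beyond RFC 2812) carrying the nick that set the topic and the Unix time it was set, so the second line records that H0AX set this topic at 1168997693 (2007-01-17 01:34:53 UTC). The code reassembles topic state from a constructed sample that keeps the server, channel, numerics and timestamp from the capture but re-joins the lure into a single anchor tag with a placeholder host (lure.example.invalid), and then flags links whose visible text is a URL on a different host than the href, which is the trick the lure relies on.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample modelled on the capture above: same server, channel,
# numerics and timestamp, but the lure is re-joined into one <a> tag and its
# host replaced with a placeholder (lure.example.invalid).
SAMPLE_IRC = [
    ':sv-5.s3cr3t.net 332 [A07|USA|37152] ##vap1d## :.aim I was going to put this pic of us on '
    'myspace. Is that ok with you? <a href="http://lure.example.invalid/includes/picture-'
    'ustogether.002.com">http://myspace/userphotos/us-together/picture-ustogether.002.jpg</a>',
    ':sv-5.s3cr3t.net 333 [A07|USA|37152] ##vap1d## H0AX 1168997693',
]

# Server numerics used here: 332 RPL_TOPIC carries the topic text; 333
# (RPL_TOPICWHOTIME, a de facto standard outside RFC 2812) carries the nick
# that set it and the Unix time it was set.
RPL_TOPIC = '332'
RPL_TOPICWHOTIME = '333'

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def parse_irc_line(line: str) -> Dict[str, object]:
    """Split ':prefix COMMAND param param :trailing' into its parts."""
    prefix: Optional[str] = None
    if line.startswith(':'):
        prefix, _, line = line[1:].partition(' ')
    trailing: Optional[str] = None
    if ' :' in line:
        line, _, trailing = line.partition(' :')
    tokens = line.split()
    command, params = tokens[0], tokens[1:]
    if trailing is not None:
        params.append(trailing)
    return {'prefix': prefix, 'command': command, 'params': params}


def mismatched_links(text: str) -> List[Tuple[str, str]]:
    """Return (href, shown_text) pairs where the shown text is a URL on a different host."""
    out = []
    for href, shown in ANCHOR_RE.findall(text):
        shown_host = urlparse(shown.strip()).hostname
        if shown_host and shown_host != urlparse(href).hostname:
            out.append((href, shown.strip()))
    return out


def analyze_topic(lines: List[str]) -> Dict[str, object]:
    """Reassemble channel topic state from 332/333 replies and flag deceptive links."""
    result: Dict[str, object] = {}
    for line in lines:
        msg = parse_irc_line(line)
        params = msg['params']
        if msg['command'] == RPL_TOPIC:
            # params: <our nick> <channel> <topic text>
            result['channel'] = params[1]
            result['topic'] = params[2]
            result['links'] = mismatched_links(params[2])
        elif msg['command'] == RPL_TOPICWHOTIME:
            # params: <our nick> <channel> <setter nick> <unix time>
            result['set_by'] = params[2]
            result['set_at'] = datetime.fromtimestamp(int(params[3]), tz=timezone.utc).isoformat()
    return result


if __name__ == '__main__':
    info = analyze_topic(SAMPLE_IRC)
    print(f"{info['channel']} topic set by {info['set_by']} at {info['set_at']}")
    for href, shown in info['links']:
        print(f"link text shows {shown} but points at {href}")
```

The same parser works on a live capture of a bot's channel join, since the server replies with 332 and 333 in sequence; comparing the hostname of the visible link text against the hostname of the href is a cheap, language-independent way to surface this class of lure in logged topics.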

About January 2007

This page contains all entries posted to Images of Pixels and Light in January 2007. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.
Powered by Movable Type 3.33