Tuesday, April 28, 2009

Innocent???

U-Toys is one of my toy suppliers. I recently bought my Green Lantern action figure from them. I didn't know their website address so I decided to google it. Hmmmmmm? My Firefox plugin, Finjan SecureBrowsing, flagged malicious activity on this site.

Better play it safe. I fired up my Virtual Machine and proceeded to the site. Pop-ups blocked by Firefox but otherwise nothing suspicious happening.

How about I try allowing the pop-ups? Lo and behold!!! A strange file mysteriously appears in my root directory. Submitted this executable file to VirusTotal and it was discovered to be a Trojan. Scary isn't it? Only 9 out of the 40 hosted AV engines detected it as malware. My hypothesis is that the hacker injected the banner ads into the website. The ads point to another site that drops the Trojan onto the victim's machine.

I ran through the same sequence again... this time on another machine with Antivir AV engine installed and updated. Antivir was able to block the malware from being injected using its heuristic scanner. Powerful!!! The Trojan's filename is randomly generated btw because the filename keeps changing when I repeat the injection multiple times.
I've contacted my toy supplier but he is unwilling to take down the site and doesn't know how to rectify the problem. I've offered my security consulting service in exchange for toys but was turned down. Out of goodwill, I offered a few remediation options but he rejected them.
Moral of the story? Be wary when surfing the dangerous web... you never know which site hosts malicious content no matter how innocent it looks.
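
The check that exposed the dropped file above was simply noticing a new file in the root directory after allowing the pop-ups. The script below is an added example (not code from this post) that makes that check systematic: it hashes every file under a directory before and after a browsing session in the VM and reports what was added, removed or modified, so a dropped executable is caught even though its name is randomly generated. The directory layout and the file named kx8q2.exe in the demo are constructed for the example and stand in for the real Trojan.

```python
# Added example: snapshot/diff a directory tree to detect files dropped
# during a browsing session. Not part of the original post.
import hashlib
import os


def snapshot(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
            except OSError:
                continue  # unreadable file (permissions, vanished): skip it
            state[os.path.relpath(full, root)] = digest
    return state


def diff_snapshots(before, after):
    """Compare two snapshots; returns sorted lists of added, removed and modified paths."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed demo: a benign file exists, then a fake dropper appears."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign content")
        before = snapshot(root)
        # Constructed stand-in for the dropped Trojan (random-looking name,
        # MZ header, no real code).
        with open(os.path.join(root, "kx8q2.exe"), "wb") as f:
            f.write(b"MZ\x90\x00not-a-real-binary")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    # Real usage: snapshot() the drive root before browsing, again afterwards,
    # then feed both dictionaries to diff_snapshots() and submit any new
    # executable's hash to VirusTotal.
    print(demo())
```

Hashing rather than comparing names or timestamps means a file that is overwritten in place (the other way a drive-by can plant code) shows up as modified.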

Wednesday, April 15, 2009

File carving

File carving (aka carving) is defined as "the practice of searching an input for files or other kinds of objects based on content, rather than on metadata... for recovering files and fragments of files". The input from a digital forensic perspective is either an image of a disk or packet dumps.
Foremost is the tool of choice for forensic analysts wanting to recover evidence from disk images. tcpxtract is a tool designed for extracting files from captured network traffic. I installed tcpxtract onto my Ubuntu 8.10 system. I captured the packets of an FTP session where I transferred an image from one host to another. I ran tcpxtract against the pcap file to extract the said transferred image. Voila!!!
The high res version of this demo can be downloaded here.
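
To show what "searching an input for files based on content" means in practice, here is an added example of a minimal carver. It is not the Foremost or tcpxtract source; it searches an arbitrary byte blob (a disk image, or a reassembled TCP stream) for header and footer byte signatures and cuts out everything between them, which is the core of what both tools do. The two-entry signature table, the sample "image" with dummy JPEG and PNG bodies, and the output naming scheme are constructed for the example.

```python
# Added example (not the tcpxtract or foremost code): content-based carving
# of files from a byte blob using header/footer signatures.
import hashlib
import os

# Header and footer signatures. Only two formats are listed here; real
# carvers ship large signature tables.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data, signatures=SIGNATURES, max_len=10_000_000):
    """Return a list of (type, offset, bytes) for every header/footer pair found.

    max_len caps the header-to-footer distance so a stray header in slack
    space cannot swallow the rest of the image.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            end = data.find(footer, start + len(header))
            if end == -1 or end - start > max_len:
                pos = start + 1  # orphan header: keep searching past it
                continue
            end += len(footer)
            found.append((ftype, start, data[start:end]))
            pos = end  # resume after this object
    found.sort(key=lambda item: item[1])
    return found


def carve_to_dir(data, out_dir, signatures=SIGNATURES):
    """Write each carved object to out_dir as <offset>.<type>; return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for ftype, offset, blob in carve(data, signatures):
        path = os.path.join(out_dir, "%08x.%s" % (offset, ftype))
        with open(path, "wb") as f:
            f.write(blob)
        paths.append(path)
    return paths


def sha256(blob):
    """Digest of a carved object, for the evidence log."""
    return hashlib.sha256(blob).hexdigest()


# Constructed sample input: filesystem noise with one JPEG and one PNG
# embedded. The image bodies are dummy bytes, not real pictures.
NOISE = b"\x00" * 64 + b"random-filesystem-noise" * 3
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 50 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"B" * 40 + b"IEND\xaeB`\x82"


def build_sample_image():
    return NOISE + SAMPLE_JPEG + NOISE + SAMPLE_PNG + NOISE


if __name__ == "__main__":
    for ftype, offset, blob in carve(build_sample_image()):
        print("%s at offset %d, %d bytes, sha256 %s"
              % (ftype, offset, len(blob), sha256(blob)))
```

Against a real pcap you would first reassemble each TCP stream (tcpxtract does this itself) and then run carve() over the stream payload; against a disk image you run it over the raw device bytes, which is why carving recovers files whose directory entries are already gone.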

Tuesday, April 7, 2009

Infected?

I've encountered systems that were so badly infected that the OS could not boot up properly. In most cases, I would recommend a full wipe before reinstalling the OS but there may be critical data still resident on that drive. That is where a rescue CD might be useful. F-Secure and Avira are 2 AV vendors that offer free rescue CDs for that purpose.
I tested the F-Secure rescue CD. You basically download their ISO file from their website, burn the ISO to a bootable CD and boot up the infected system from the CD. The bootable Linux OS has a built-in F-Secure AV engine that will prompt you to update its virus detection signatures*. Next, you choose the drive/partition to scan. It will start scanning the selected drive/partition and rename files detected as malware (by adding .virus).
* You need to have Internet connectivity to obtain the latest virus detection signatures.
The high res version of this demo can be downloaded here.
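
The rescue CD's rename-with-.virus behaviour is worth understanding because it keeps the critical data the post mentions recoverable: nothing is deleted, the file is just made inert until you decide what to do with it. The script below is an added example (not the F-Secure or Avira engine) of that scan-and-quarantine step: it walks a directory tree, matches file contents against a byte-signature table and renames any hit by appending .virus, returning a report with each file's hash. The only signature in the table is the standard EICAR test string, so the demo quarantines a harmless test file; the directory and filenames in the demo are constructed.

```python
# Added example (not the rescue CD's engine): signature scan of a directory
# tree that quarantines detections by renaming them with a .virus suffix.
import hashlib
import os

# Standard EICAR anti-virus test string, the harmless file every engine
# is expected to flag. Used here as the only signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}


def match_signatures(data, signatures=SIGNATURES):
    """Return the names of all signatures whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_and_quarantine(root, signatures=SIGNATURES, suffix=".virus"):
    """Scan every file under root; rename detections by appending suffix.

    Returns a list of (relative_path, [signature names], sha256) so the
    operator has a record of what was renamed and why.
    """
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffix):
                continue  # already quarantined on an earlier pass
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as f:
                    data = f.read()  # whole-file read; fine for an example
            except OSError:
                continue
            hits = match_signatures(data, signatures)
            if hits:
                os.rename(full, full + suffix)
                report.append((os.path.relpath(full, root), hits,
                               hashlib.sha256(data).hexdigest()))
    return report


def demo():
    """Constructed demo: one clean file and one EICAR test file in a temp dir."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here")
        with open(os.path.join(root, "test.com"), "wb") as f:
            f.write(EICAR)
        report = scan_and_quarantine(root)
        return {"report": [(path, hits) for path, hits, _ in report],
                "files_after": sorted(os.listdir(root))}


if __name__ == "__main__":
    print(demo())
```

Renaming instead of deleting also changes the extension, so a quarantined .exe or .com no longer runs by double-click or autorun, which is the point of doing it from a clean boot environment before the infected OS gets another chance to start.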