Archive for the ‘Bits of this and that’ Category

"Hostile Forensics"

August 7th, 2011

Hostile Forensics

Hello everybody to my first Blog post both here at SANS. I’ve released a whitepaper that may be of interest to people in the forensic community, and wanted to both share it with you and get feedback and criticism on it. Seeing a few great presentations today here at DefCon, namely by Christopher Cleary, Michael “theprez98” Schearer, and Wesley McGrew motivated me to get off my duff and finish this thing.

- Mark Lachniet

Overview

Due to recent developments in counter-forensic technologies such as strong encryption, it may soon be necessary for forensic analysts to use system penetration or “hacking” techniques in order to obtain forensic evidence, a process here referred to as “Hostile Forensics”. This issue is not one that has been adequately discussed in the forensic community at large, and as such there has been very little planning or public collaboration to discuss issues and define …

Turning Google Chrome into a Hacking Machine – Say Hello to KromCAT v1.0 Beta

August 5th, 2011

"More is less: why the mobile forensics race to support the most phones is the wrong race"

August 5th, 2011

Before I co-founded viaForensics, I was the Chief Information Officer for a large international packaging company. We had a fair number of smart phones and we occasionally needed to examine a phone. I knew little about digital forensics at the time and as I researched the various offerings, I was overwhelmed.

My initial reaction was to find the tool that would support the most phones (when in fact I really only needed to support the Palm Treo running Windows Mobile). And so that’s exactly what I bought: my shiny new forensics software supported over 1,800 phones at the time and I felt quite comfortable that if I ever needed to extract data from a CDMA phone operating in the Middle East with Farsi as the main language, I could do it (ok, I’m exaggerating a little bit but you get the idea). Of course, I never needed to do that but I had the cables and the software that said I could.

In retrospect, I certainly understand the rationale and for some examiners, they …

"Consortium of Digital Forensic Specialists Is Launched; Will Focus on Standards and Advocacy"

August 4th, 2011

Wakefield, Mass. — Aug. 4, 2011 — The Consortium of Digital Forensic Specialists (CDFS), a global non-profit industry group that aims to improve the digital forensic profession through unity, advocacy and standardization, announced today that it is now accepting membership applications from interested organizations and individuals. CDFS plans to develop and influence standards for the practice of digital forensics; review and endorse digital forensic training and certification programs; and promote and develop an enforceable ethical framework for digital forensic practitioners. The group also plans to advocate against improper licensing standards. …

New Tool Keeps Censors in the Dark

August 2nd, 2011

A new approach to overcoming state-level Internet censorship relies, ironically enough, on a technique that security experts have frequently associated with government surveillance.

Current anti-censorship technologies, including the services Tor and Dynaweb, direct connections to restricted websites through a network of encrypted proxy servers, with the aim of hiding who’s visiting such sites from censors. But the censors are constantly searching for and blocking these proxies. A new scheme, called Telex, makes it harder for censors to block communications by disguising traffic destined for restricted sites as traffic meant for popular, uncensored websites. It does this by employing the same method of analyzing packets of data that censors often use.

“To route around state-level Internet censorship, people have relied on proxy servers outside of the country doing the censorship,” says J. Alex Halderman, assistant professor of electrical engineering and computer science at the University of Michigan. “The difficulty there is, you have to communicate to those people where the proxies are, and it’s very hard to do that without also letting the government censors figure out where the proxies are.”

The Telex system has two major components: “stations” at dozens of Internet service providers (ISPs)—the stations connect traffic from inside nations that censor to the rest of the Internet—and the Telex client software program that runs on the computers of people who want to avoid censorship.

This is an excerpt from a piece I wrote that was published today in MIT Technology Review. Read the full story here.

"Ultimate Windows Timelining"

August 1st, 2011

Recently, I was considering material for an internal knowledge transfer session on timelining, when it occurred to me that the subject matter was likely of broader interest, and so, without further ado…

First, a note about the way I personally use timelines. I find them a great way to identify dated tidbits which one might not otherwise realize are associated with activity of interest, once investigation has been focused down to a restricted timeframe. When I do this, I typically extract all timeline data, and then filter it for times of interest to avoid information overload.

The best general purpose timelining utility of which I’m aware is Kristinn Gudjonsson’s log2timeline tool. This great program handles a huge selection of input filetypes, and can output in several standardized formats, most notably;

"Digital Forensics Case Leads: Python Puts Snakes on the Case"

This week, we feature a number of tools and articles that leverage Python to do the heavy lifting. So, if you’re looking for scripts and applications to put the squeeze on some of that work load, this may be the article for you. In other news, Brian Krebs alerts us to new malware tricks, Jennifer Granick takes a legal look at recent hacking arrests, and the data center is alive at Dilbert.com.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools: Last week, David Kovar announced the release of analyzeMFT 2.0, a python module for analyzing the Windows Master File Table ($MFT). This new version is object-oriented, and has been …

Spam & Fake AV: Like Ham & Eggs

July 27th, 2011

An explosion of online fraud tools and services online makes it easier than ever for novices to get started in computer crime. At the same time, a growing body of evidence suggests that much of the world’s cybercrime activity may be the work of a core group of miscreants who’ve been at it for many years.

I recently highlighted the financial links among the organizations responsible for promoting fake antivirus products and spam-advertised pharmacies; all were relying on a few banks in Azerbaijan to process credit card payments.

In this segment, I’ll look at the personnel overlap between the fake AV and pharma industries. The data is drawn from two places: a study done by researchers at the University of California, Santa Barbara (UCSB) that examined three of the most popular fake AV affiliate services which pay hackers to foist worthless software on clueless Internet users; and the leaked Glavmed/Spamit affiliate database, which includes the financial and contact information for many of the world’s top spammers and hackers.

UCSB researcher Brett Stone-Gross and I compared the ICQ instant message numbers belonging to affiliates from Glavmed/Spamit with the ICQ numbers used by affiliates of the largest of the fake AV programs measured by his research team. The result? 417 out of 998 affiliates who were registered with the fake AV distribution service — a whopping 42.2 percent — also were registered pharma spammers with Glavmed/Spamit.

Unfortunately, the other two fake AV affiliate programs had not stored affiliate ICQ numbers in their databases, so we needed to find another basis for examining users of these programs. Instead, we looked for common email addresses among affiliates of the three fake AV programs and for affiliates of Glavmed/Spamit. This is almost certainly a conservative measure of overlap, because miscreants tend to change email addresses more frequently than they adopt new ICQ numbers. Even so, we found that the rate of email address overlap was high, between 19 and 27 percent across all programs:

STRADDLING BOTH WORLDS

A textbook example of this overlap was a key Spamit member, a hacker named “Severa.” Prior to Spamit’s shutdown in September 2010, Severa was a moderator of the “spam” section on the site (like most cybercrime forums, Spamit had sections dedicated to a range of criminal enterprises).

Severa is short for “Peter Severa,” a Russian who is listed at #5 on Spamhaus’s Register of Known Spam Operations (ROKSO). According to Spamhaus, Severa is one of the longest operating criminal spam-lords on the Internet. Severa advertises his spamming services on several invite-only cyber crime forums.

Until last month, Severa ran a fake antivirus distribution affiliate program called Sevantivir, which seems to have counted among its ranks a large number of Glavmed/Spamit members (Sevantivir is not one of the three fake AV services included in the UCSB study).

It appears that Severa has been using his fake AV affiliate program to generate new infections for the botnet that powers his spamming service. Last month, I reached out to French security blogger Steven K., after reading one of his posts about a different fake AV affiliate program. I showed Steven an easy way to obtain a malware download from the Sevantivir affiliate Web site, and he spent the next couple of days studying the malware.

Steven discovered that the malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites. The spambot is detected by Microsoft’s antivirus software as Win32.Kelihos.b. According to Microsoft, Kelihos.b shares large portions of its code with the Waledac worm, an infamous worm that for several years was synonymous with Canadian Pharmacy spam.

Microsoft targeted the Waledac botnet last year in a sneak attack on its control infrastructure. Microsoft does not consider this Kelihos.b worm to be in the same family as Waledac, as claimed by some researchers. Microsoft states: “Based on our analysis, we have classified this as a new family and not a variant of Waledac. It is important to note that this new family is not communicating with nor is it reactivating the original Waledac which had its command and control infrastructure neutralized last year.”

Stay tuned for the final story in this series, which will look at how recent events have impacted the fake AV industry.

"Digital Forensics Case Leads: RAM Capture Tool DumpIt, Monitoring Applications with Carbon Black, a Brief History of Malware, and the Impact of Technology in Trials"

July 22nd, 2011

This week’s edition of Case Leads features a couple of tools for Windows including a memory capture application, a kernel driver that monitors and reports on interesting processes, and a tool for exporting data from “the Cloud.” We’ve also included a TED talk on the history of malware and we have an article on the role of technology in the recent Casey Anthony trial. Apple released Lion along with a change to the license which now allows the new OS to be virtualized.

As always, if you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools: Matthieu Suiche has made DumpIt available as a free download. Matthieu describes DumpIt as a fusion of win32dd and win64dd in one executable that does not require the user to respond to any prompts. Running the executable on either a 32 or 64-bit …

"Live Memory Forensic Analysis"

July 21st, 2011

As memory forensics has become better understood and more widely accomplished, tools have proliferated. More importantly, the capabilities of the tools have greatly improved. Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank and file forensic examiner. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. We are also seeing novel ways to attack the problem. One of the more interesting developments I have been following lately is the advent of live memory analysis.

I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change. The idea itself could be as controversial as creating a memory image was just a few years ago. Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we …