INVESTIGATING MALWARE IN ACTION CONT...

Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.

You can find the original post here:
http://www.antionline.com/showthread.php?s=&threadid=267069

Enjoy

Filemon.log

This log gives a feel for how complex the filesystem is and how much "work" goes on within it. The actual output has been edited to leave only the Tor installer's activity, because that shows which files have been written, (altered or added). See FileMonClean.log in the Zip file.

Early in the log you can see the installer thread started by explorer.exe in #325 above reading itself in chunks of 512 bytes into memory:-

157 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 0 Length: 512
158 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 512 Length: 512
159 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 1024 Length: 512

Then it checks for the existence of a folder that _should_ exist, and does, hence the success:-

257 10:27:18 AM tor-0.0.9.5-win:1008 QUERY INFORMATION C:\DOCUME~1\TIGER\LOCALS~1\Temp SUCCESS Attributes: DA

Next it creates a temporary file in that folder, closes it, recreates it to ensure it can overwrite it, reads data from the installer and writes it to the file. These are the temporary files the installer will use to install the required files later:-

258 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: Create Access: All
259 10:27:18 AM tor-0.0.9.5-win:1008 CLOSE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS
260 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: OverwriteIf Access: All
261 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 36380 Length: 16384
262 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 0 Length: 32768
263 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 32768 Length: 32768
264 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 65536 Length: 3793
265 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 0 Length: 4
266 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 4 Length: 15160

You will also notice throughout the text the installer generates that it references various system DLLs as it goes. As long as these aren't write or delete attempts, no harm is done to them.

After creating several temporary files and folders the installer moves on with its job:-

805 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Program Files
806 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\ SUCCESS
807 10:27:21 AM tor-0.0.9.5-win:1008 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
808 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: Tor
809 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\Program Files\ SUCCESS
810 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor SUCCESS Options: Create Directory Access: All
811 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\Program Files\Tor SUCCESS
812 10:27:21 AM tor-0.0.9.5-win:1008 OPEN C:\Program Files\Tor SUCCESS Options: Open Directory Access: Traverse

Here it opens and closes each folder in the structure till it gets to Program Files, then it tests to see if there is a Tor folder already there, (#808). Since there isn't, it creates one, (#809).

Then it creates Tor.exe itself in the new folder and after some "messing around" it begins writing to it:-

818 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor\tor.exe SUCCESS Options: Create Access: All
......
874 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 0 Length: 16384
875 10:27:21 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 80305 Length: 16384
876 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 16384 Length: 16384
877 10:27:21 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 96689 Length: 16384
878 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 32768 Length: 16384

A quick search for the word "create" will provide you with a list of every file the installer created. See FilemonCreated.Log in the zip file.

This is where it creates its autostart entry, which it writes to later:-

1569 10:27:22 AM tor-0.0.9.5-win:1008 CREATE C:\Documents and Settings\TIGER\Start Menu\Programs\Tor SUCCESS Options: Create Directory Access: All

After that there is a lot of writing the files themselves, checking them, gathering information about the system, housekeeping and cleaning up.

Now we know every file and folder that was opened, created, written or deleted on the system. Handy information if we need to do a manual removal.

Regmon.log

It's actually fascinating to see how much information the installer looks up in the registry, and the way it locates it, (mostly by trial and error). See regmonclean.log in the zip file.

You will see hundreds of entries like this:-

1 37.48215737 tor-0.0.9.5-win:652 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Key: 0xE27AE4E0
2 37.48219005 tor-0.0.9.5-win:652 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer NOTFOUND
3 37.48222609 tor-0.0.9.5-win:652 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Key: 0xE27AE4E

as the installer finds certain information about the system. Here and there amongst all these entries you will find entries such as:-

25 37.61170344 tor-0.0.9.5-win:652 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Key: 0xE2AD3440

where the installer creates keys it will need in the future. Thus a search for all "CreateKey" entries will show you the keys that the installer created. Furthermore, you should search for "SetValue", which indicates that a value was either created or changed within the registry:-

26 37.61172747 tor-0.0.9.5-win:652 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\Documents and Settings\TIGER\Application Data"

It would, of course, be prudent to search for "DeleteKey" in case your chosen malware deletes keys that may be of use. This is why we backed up the registry. We can import the backup and fix these deleted keys without knowing their contents - it also makes it quicker to restore the original state rather than doing it all manually.
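The searches just described (every "CREATE" in the Filemon log, every "CreateKey", "SetValue" and "DeleteKey" in the Regmon log) can be done in one pass. The Python below is an added example, not part of the original tutorial or of the Sysinternals tools; it assumes the line layout shown in the excerpts above (sequence, time, process:pid, operation, path, result, details) and uses sample lines copied from those excerpts plus one constructed DELETE line and one constructed DeleteKey line.

```python
import re
from collections import defaultdict
# Filemon line: "<seq> <time> <process>:<pid> <OPERATION> <path> <RESULT> [details]"
FILEMON_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:]+ [AP]M)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>CREATE|OPEN|CLOSE|READ|WRITE|DELETE|DIRECTORY|QUERY INFORMATION|SET INFORMATION)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NO SUCH FILE|NOT FOUND|ACCESS DENIED)(?:\s+(?P<detail>.*))?$")
# Regmon line: "<seq> <seconds> <process>:<pid> <Operation> <key path> <RESULT> [details]"
REGMON_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>OpenKey|CreateKey|CloseKey|QueryValue|QueryKey|SetValue|DeleteKey|DeleteValue)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NOTFOUND|ACCDENIED|NOMORE)(?:\s+(?P<detail>.*))?$")
# Only these operations alter the system; opens, reads and failed lookups are noise here.
FILE_CHANGES = {"CREATE", "WRITE", "DELETE"}
REG_CHANGES = {"CreateKey", "SetValue", "DeleteKey", "DeleteValue"}

def collect_changes(text, pattern, interesting):
    """Map each change operation to the sorted paths it touched with result SUCCESS."""
    changes = defaultdict(set)
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m and m["result"] == "SUCCESS" and m["op"] in interesting:
            changes[m["op"]].add(m["path"])
    return {op: sorted(paths) for op, paths in changes.items()}

def left_behind(changes, create_op, delete_op):
    """Objects created and never deleted: the manual-removal checklist."""
    created = set(changes.get(create_op, ()))
    return sorted(created - set(changes.get(delete_op, ())))

# Sample lines copied from the excerpts above; the DELETE and DeleteKey lines
# are constructed to exercise the cleanup case.
FILEMON_SAMPLE = r"""
258 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: Create Access: All
262 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 0 Length: 32768
808 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: Tor
810 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor SUCCESS Options: Create Directory Access: All
818 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor\tor.exe SUCCESS Options: Create Access: All
874 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 0 Length: 16384
2001 10:27:25 AM tor-0.0.9.5-win:1008 DELETE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS
"""
REGMON_SAMPLE = r"""
1 37.48215737 tor-0.0.9.5-win:652 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Key: 0xE27AE4E0
2 37.48219005 tor-0.0.9.5-win:652 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer NOTFOUND
25 37.61170344 tor-0.0.9.5-win:652 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Key: 0xE2AD3440
26 37.61172747 tor-0.0.9.5-win:652 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\Documents and Settings\TIGER\Application Data"
99 37.70000000 tor-0.0.9.5-win:652 DeleteKey HKCU\Software\Tor\Scratch SUCCESS
"""
FILES = collect_changes(FILEMON_SAMPLE, FILEMON_RE, FILE_CHANGES)
KEYS = collect_changes(REGMON_SAMPLE, REGMON_RE, REG_CHANGES)
```

`left_behind(FILES, "CREATE", "DELETE")` gives the files still on disk after the installer's own cleanup, which is the list a manual removal has to work through.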

TDIMon.log

See tdimonclean.log in the zip file.

In this file you can see the now-started process, (Tor.exe), setting itself up to talk to the address 127.0.0.1, (this computer). This is because the program needs to connect to Privoxy, (a local proxy), before it can function properly.

2 2.21473400 tor.exe:428 82C0E2A8 IRP_MJ_CREATE TCP:127.0.0.1:9050 SUCCESS Address Open
3 2.21479993 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Error Event
4 2.21481501 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Disconnect Event
5 2.21482535 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Receive Event
6 2.21483541 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Expedited Receive Event
7 2.21484574 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Chained Receive Event
8 2.21485664 tor.exe:428 82C0E2A8 TDI_QUERY_INFORMATION TCP:127.0.0.1:9050 SUCCESS Query Address
9 2.21489631 tor.exe:428 FB37EE88 IRP_MJ_CREATE TCP:Connection obj SUCCESS Context:0x811511A8
10 2.21491586 tor.exe:428 FB37EE88 TDI_ASSOCIATE_ADDRESS TCP:Connection obj SUCCESS TCP:127.0.0.1:9050

Once it has set up its communication with Privoxy it then tries to connect to the outside world through SSL and finds a connection:-

78 3.03891584 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Error Event
79 3.03893204 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Disconnect Event
80 3.03894210 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Receive Event
81 3.03895188 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Expedited Receive Event
82 3.03896166 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Chained Receive Event
83 3.03897199 tor.exe:428 FA08E708 TDI_QUERY_INFORMATION TCP:0.0.0.0:4067 SUCCESS Query Address
84 3.03901641 tor.exe:428 FA08E368 IRP_MJ_CREATE TCP:Connection obj SUCCESS Context:0xFA1A2DA8
85 3.03903513 tor.exe:428 FA08E368 TDI_ASSOCIATE_ADDRESS TCP:Connection obj SUCCESS TCP:0.0.0.0:4067
86 3.03905105 tor.exe:428 FA08E368 TDI_CONNECT TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS
87 3.23438314 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS Length:49
88 3.43803109 tor.exe:428 FA08E708 TDI_EVENT_CHAINED_RECEIVE TCP:0.0.0.0:4067 62.116.124.106:443 PENDING Length:1398 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
89 3.46378855 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS-100 Length:1262
90 3.71987529 tor.exe:428 FB043B68 IRP_MJ_CREATE TCP:0.0.0.0:0 SUCCESS Address Open

This connection is where the application connects to the master server to determine the currently available proxies that can be used in the chain. It receives a list of them and then makes an initial connection on port 9301, (its standard first port of choice, but they will vary after this initial connection), to 128.39.141.245. With the successful completion of this connection the Tor window indicates:-

"[notice] circuit_send_next_onion_skin(): Tor has successfully opened a circuit. Looks like it's working."
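The same kind of pass over the TDIMon log pulls out what a process did on the network: which local addresses it opened, which remote endpoints it connected to, and how much it sent to each. This is an added example, not from the original tutorial or the TDIMon tool; it assumes the TDIMon line layout shown above, and the final TDI_CONNECT line to 128.39.141.245:9301 is constructed to mirror the connection described in the text.

```python
import re
from collections import defaultdict

# TDIMon line: "<seq> <seconds> <process>:<pid> <object> <OPERATION> <local> [<remote>] <RESULT> [details]"
TDIMON_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+(?P<obj>[0-9A-Fa-f]{8})\s+"
    r"(?P<op>[A-Z_]+)\s+(?P<local>(?:TCP|UDP):(?:Connection obj|\S+))"
    r"(?:\s+(?P<remote>\d{1,3}(?:\.\d{1,3}){3}:\d+))?"
    r"\s+(?P<result>SUCCESS(?:-\d+)?|PENDING)(?:\s+(?P<detail>.*))?$")

def network_summary(text):
    """Per process: local addresses opened, remote endpoints connected to, and bytes
    sent to each remote (sum of the TDI_SEND Length values)."""
    summary = defaultdict(lambda: {"opened": set(), "connected": set(), "sent": defaultdict(int)})
    for line in text.splitlines():
        m = TDIMON_RE.match(line.strip())
        if not m or not m["result"].startswith("SUCCESS"):
            continue  # PENDING or failed operations are not completed activity
        entry = summary[f'{m["proc"]}:{m["pid"]}']
        if m["op"] == "IRP_MJ_CREATE" and m["detail"] == "Address Open":
            entry["opened"].add(m["local"])       # socket bound to a local address
        elif m["op"] == "TDI_CONNECT" and m["remote"]:
            entry["connected"].add(m["remote"])   # outbound connection completed
        elif m["op"] == "TDI_SEND" and m["remote"]:
            length = re.search(r"Length:(\d+)", m["detail"] or "")
            entry["sent"][m["remote"]] += int(length.group(1)) if length else 0
    return {proc: {"opened": sorted(e["opened"]), "connected": sorted(e["connected"]),
                   "sent": dict(e["sent"])} for proc, e in summary.items()}

# Sample lines copied from the TDIMon excerpts above; the last line (seq 120) is constructed.
TDIMON_SAMPLE = r"""
2 2.21473400 tor.exe:428 82C0E2A8 IRP_MJ_CREATE TCP:127.0.0.1:9050 SUCCESS Address Open
9 2.21489631 tor.exe:428 FB37EE88 IRP_MJ_CREATE TCP:Connection obj SUCCESS Context:0x811511A8
10 2.21491586 tor.exe:428 FB37EE88 TDI_ASSOCIATE_ADDRESS TCP:Connection obj SUCCESS TCP:127.0.0.1:9050
86 3.03905105 tor.exe:428 FA08E368 TDI_CONNECT TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS
87 3.23438314 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS Length:49
88 3.43803109 tor.exe:428 FA08E708 TDI_EVENT_CHAINED_RECEIVE TCP:0.0.0.0:4067 62.116.124.106:443 PENDING Length:1398 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
89 3.46378855 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS-100 Length:1262
90 3.71987529 tor.exe:428 FB043B68 IRP_MJ_CREATE TCP:0.0.0.0:0 SUCCESS Address Open
120 4.10000000 tor.exe:428 FB043B68 TDI_CONNECT TCP:0.0.0.0:4068 128.39.141.245:9301 SUCCESS
"""
```

The "connected" list is the set of remote hosts to compare against what the program is supposed to talk to; a host you cannot account for is where a closer look starts.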

Now, just for confirmation of your findings, you can run autoruns again and compare it to your first run to see the differences.

So, now we have all the information we require to determine exactly what a piece of potentially malicious code did to our computer. With this information we could manually reverse the effects and return our computer back to the state it was in. Had the program downloaded additional code and executed it we would have been able to see where it got the code from, what changes that code made to the system and what files it created, changed or destroyed.

We also just took a quick look at how incredibly complex our computers are today.

Original Tutorial Submitted by nokia for TheTAZZone-TAZForum

Originally posted on March 4th, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.