I understand that most vendor contacts you initially receive are not technical people. I also understand that a sales or account manager’s job is to turn inquiries into sales. However, I’m a firm believer that sales shouldn’t be the only goal of your account representative. They should be knowledgeable enough about the product you’re interested in to give you a comprehensible response during testing and evaluation. If they come across a question they can’t answer, you should be immediately directed to someone who can. When I’m dealing with a vendor, I don’t want to keep getting badgered with information that I don’t care about. Nine times out of ten, the tool I’m looking at will have one purpose, and I want to know more about those specific capabilities, not the other wingdings that come with it. Another major peeve I have is when vendors just won’t stop. If I told you I’d call you back in a month, don’t call me 32 days later. Chances are I’m busy, and that’s the quickest way to get the conversation pushed out another month. When I can, I’ll call, and that call won’t be to push out the conversation. If you …
This morning I received another, slightly different, AICPA.org phishing email. This time, the spoofed sender was “Aaron Peters – security@intuit.com” (header available at the bottom of the post). This email contained two links, both of which pointed to hxxp://foraver.de/wp-includes/aic.html. This one has a slightly more convincing version of the standard wait screen, which consists of the code below.

<title>Welcome to the AICPA</title>
Page is loading, please wait.. You will see tax info on this screen.

It also contains exploit code for the Adobe LibTIFF and Microsoft HCP URL vulnerabilities. The full report for the site is available here. Also of note, the site seems to be a legitimate website that has been compromised, not a site set up specifically for the scam. Within the malicious script are the links for the malicious files. The first is hxxp://themeparkoupons.net/content/ap2.php?f=6231f, which delivers a malicious PDF file that currently has a 6/43 detection rate on VirusTotal. The second link is hxxp://themeparkoupons.net/main.php?page=89cd1f8b9fb67fbc, which, if successful, serves up the payload from hxxp://themeparkoupons.net/w.php?f=6231f&e=[1-4]. The malware currently also has a 6/43 detection ratio on VirusTotal. The Microsoft detection for the malware is Worm:Win32/Cridex.B. This sample names itself similar to a Windows Update file …
I recently finished reading the third edition of Harlan Carvey’s Windows Forensic Analysis Toolkit. This edition, as he clearly states throughout the text, is not meant to be a rewrite of previous editions. Instead, it serves as a companion to both the second edition of the same text and Windows Registry Forensics. That being said, Harlan did a great job of relating Windows 7 artifacts to their more familiar Windows XP brethren when appropriate. As an analyst who, until recently, primarily dealt with Windows XP systems, this was a welcome aspect of the book. Having read the second edition of WFA, I was somewhat surprised to see the first two chapters of this edition dedicated to non-technical topics. However, I do believe that the coverage is warranted, and that the topics are relevant to new and experienced practitioners alike. Keeping the analysis concepts included in the first chapter fresh in your mind will help ensure you’ve carried out the best and most efficient investigation possible. One point that I wholeheartedly agree with is the statement that “goals of our analysis are perhaps the most important aspect of what we do.” Having clear goals for an examination will scope your work, alter your process, …
I received an email reportedly from support@aicpa.org this morning. The email was clearly a phishing email, as I’m not a CPA and it was addressed to “Dear accounting officer”. A picture of the email is included below. In order to avoid muddying up the post, the email header is included at the bottom of the page. Within the email there are three links, which are included below and are considered MALICIOUS.

hxxp://omerteke.com/KM8PHYEu/index.html
hxxp://harboritalia.it/DxbQU2vE/index.html
hxxp://martvarauto.ee/sN6saxG7/index.html

Each of these sites then performs a number of redirects (all identical):

WAIT PLEASE Loading…
<script type="text/javascript" src="hxxp://46.20.6.63/0v5qYtwZ/js.js"></script>
<script type="text/javascript" src="hxxp://seniordatinggroup.com.au/7b1kameF/js.js"></script>
Based on popular request, I’m listing the indicators that I gathered from the malware in the situation described in the previous post (Thanks for Sharing). Don Clifton (@Digitalsec4u) has also shared his (and will be updating more) over on his blog at digitalsecurity4u. The initial tip came from the following tweets by @c_APT_ure:

#malware news [1/2]: badware domains starting with (analyze|bold|blood|gone|adsa|bsdm) and ending: “\.[a-z]{2,3}\.(tf|pn|mn|ms|cm|cc)” [tbc]
#malware news [2/2]: badware hosts moved from 188.72.201.x & 188.72.194.x to 31.184.192.x

Based on these indicators, I searched some of the sensors that I have access to and, lo and behold, got some hits. The indicators for the initial malware are:

MD5 757bb8d0ae847290119fcb9ea0d3b231
UPX packed
Spawns svchost, which copies itself to AppData, deletes the original, and creates a run value named YahooPartnerToolbar
It also modifies several IE cache limits (sets them to 0x81830)
Lastly, it reads Firefox profiles and accesses signons.sqlite

The malware then makes several requests for the following IP/domain pairs. In testing, not all requests received successful responses.

Google.com (probable connectivity check)
POST http://ocean2372721.ru:80/sss/index.php (31.184.237.143) – frequently repeated
GET http://www.whitestarlogic.com:80/forum/Themes/core/images/topic/1.exe (184.168.55.1)
GET http://www.mercierautos.ca:80/img/1.exe (69.49.101.51)
GET http://www.whitestarlogic.com:80/forum/Themes/core/images/topic/test.exe (184.168.55.1)

During testing, I was able to successfully retrieve test.exe, but have not been able to fully examine …
Guess what? Sharing information about new threats and threat indicators really can make a difference! Most people reading this post are probably saying DUH!, but I thought I’d present a case study that occurred over the past two days. Before I start, thanks to everyone involved for giving me enough fuel to make this post worthwhile. On February 6th, 2012, @c_APT_ure (Blog) sent out two tweets with some threat indicators. Specifically, a pattern of domains and three IP ranges that were known to be serving various badware. I happened to notice the tweets while at work, so I ran a couple of quick queries on some network data and, lo and behold, I had hits! Sure enough, the traffic returned from the queries showed likely successful downloads and several visits to a variety of domains that matched the patterns he provided. That’s hit number 1. We made the detection permanent when a coworker wrote up a quick regex that will automatically alert when someone resolves a domain that matches the patterns provided by @c_APT_ure. Not long after, @Patories (Blog) noted that he too had gotten some positive results using the indicators provided. That’s hit number 2. After doing …
As with my last post, this was originally written for an intermediate assignment in my M.S. program. It has already been submitted for credit and slightly modified for the format. Comments or questions here or @digital4rensics are always welcome! Introduction, or Why These Frameworks? Computer security incident details are deeply technical, but it is often the job of incident response personnel to translate these details into business terms. In some cases, these descriptions are used to make organization-influencing decisions, and occasionally the high-level incident details make it out of an organization. In these cases, the information gleaned may not be particularly useful for other incident handlers or organizations dealing with similar incidents. The gap that exists in the ability to share computer security incident information has been outlined, and a rough system for facilitating such information sharing was described [1]. Such a system would require a standard framework or taxonomy for representing data. The frameworks examined herein were not chosen at random. There are several preliminary considerations when evaluating a potential framework. Extensibility: If the framework can’t be expanded in the future, there is a high probability it will become outdated. This also serves to facilitate customization …
This post was originally written as a paper for my current M.S. course. I have incorporated a few changes recommended by those who were kind enough to review the paper prior to this post (thanks!). It was submitted for credit prior to any of the reviews or this post. I have also changed the references to links in order to be more accommodating to the blog format. Additionally, this initial work was meant to be an introduction or road-map of sorts for the rest of my semester. I aim to post the follow-up papers in later posts. Why Share Computer Security Incident Data? Every modern organization will experience computer security incidents. A 2005 FBI study estimated that computer crimes cost a staggering $67 billion per year in the U.S. [1] Some organizations will identify a large number of the incidents they experience, others will identify none. No organization will identify them all. Some incidents form campaigns that target multiple organizations across multiple industries. The number of qualified personnel available to investigate complex incidents is limited. These issues are just a sampling of the barriers that incident handlers and computer security incident response teams (CSIRTs) must cope with. The sharing of computer security incident data on larger …
This post was originally written on October 3, 2011 for www.studentforensics.com and has been re-posted here with their permission. The original post (and subsequent discussion) can be found here. Everyone should take a look at the site if you haven’t already, especially if you are, or want to help out, a new forensicator. Hello everyone and welcome to the StudentForensics blog! My name’s Keith Gilbert and I’m a young Digital Forensic Practitioner. I’d like to say thanks to the StudentForensics team for allowing me to contribute the inaugural post here, and since it’s the first, the topic I’ve chosen is directly applicable to all students in digital forensics. Last week I made a comment on Twitter regarding the benefit of networking for DFIR students, and it subsequently generated some requests for elaboration. Additionally, there have been several posts in the past couple of months about breaking into the DFIR field. A great summary of these posts can be found over at the Journey into Incident Response blog here. As a result, I thought this would be a great place to get my information out to current and future DFIR students. Networking can be a huge benefit for those who know what …
Well, I’ve finally gotten around to getting a site up and running. That’s right, there’s another blog out now. I’ll do my best to make it useful in one way or another. Please bear with me as I get the site up and running with some content over the next week or two. -Keith