In Memory of Our Fathers
James A. Aquilina
1940–2003
James Malin
1926–2002
Acknowledgements
James warmly thanks and honors trusted confidants, friends, and co-authors Cameron and Eoghan…what
a ride. For Obi Jolles and my loving family, who always support and cherish me, thank you, I love you,
you all mean the world to me. I am ever humbled by the tremendous talent of my LA staff and appreciate
the input of Stroz Friedberg colleagues Steve Kim, Jenny Martin, Beryl Howell, and Paul Luehr on
this project. I am grateful for the enduring loyalty and friendship of Ali Mayorkas, Alicia Villarreal, Jeff
Isaacs, Alka Sagar, and my other friends and colleagues at the U.S. Attorney’s Office in Los Angeles, from
whom I have learned so much. For FBI Cyber Squad Supervisor Ramyar Tabatabian, U.S. Marshal Adam
Torres, and all of the talented federal law enforcement agents I have come to know and work with, keep
fighting the good fight. To Curtis Rose, our dedicated and tireless technical editor, we could not have
pulled this off without you. And for my father, my rock, I miss you terribly.
Eoghan would primarily like to thank Cameron Malin for coming up with the idea for this book
and bringing it to fruition, and James Aquilina for his continued friendship. I am indebted to Cory
Altheide, Harlan Carvey and Aaron Walters for sharing their knowledge, responding to my questions
with such promptness and patience, and providing technical feedback on material in this book. I am
grateful to Curtis Rose for his thorough and insightful technical editing. Many thanks to Andy
Johnston and Thorsten Holz for sharing malware samples used to develop ideas and scenarios for this
book. Thanks also to Seth Leone, Terrance Maguire, Marissa McGann, Steve Mead, Anthony
Pangilinan, Ryan Pittman, Ryan Sommers, Gerasimos Stellatos, and my other friends from Stroz
Friedberg for their support of this project. Finally, my love to Gen and Roisin for enriching my
existence, and enabling the many late nights and weekend work that made this book possible.
Cameron would like to thank the following people for their support on this project: Eoghan and
James—I am grateful for having the opportunity and privilege of working with you both. Thank you
for your dedication and hard work on this project. My deepest gratitude to Curtis Rose for tackling
this Herculean task and making it look easy; your insightful and methodical technical editing is
greatly appreciated. Many thanks to the talented Special Agents of the FBI Cyber program in Los
Angeles and across the FBI for the honor of working and sharing ideas with you. Also, special thanks
to the folks in the FBI who made this project possible. To my mother, father and sister for inspiring
me to always pursue my goals and dreams and to never give up in the face of adversity. Although Dad
is no longer with us, his legacy and lessons are very much alive and well. To my grandmother, who
always stressed the importance of education and faith. Finally, to my beautiful soul mate Adrienne; your
patience, support and sacrifice made this book possible. I love you.
Authors
James M. Aquilina is an Executive Managing Director and Deputy General
Counsel of Stroz Friedberg, a technical services and consulting firm specializing
in digital computer forensics; electronic data preservation, analysis, and
production; computer fraud and abuse response; and computer security.
Mr. Aquilina contributes to the management of the firm and the handling of
its legal affairs, in addition to having overall responsibility for the Los Angeles
office. He supervises numerous digital forensic and electronic discovery
assignments for government agencies, major law firms, and corporate management
and information systems departments in criminal, civil, regulatory and
internal corporate matters, including matters involving e-forgery, wiping, mass
deletion and other forms of spoliation, leaks of confidential information,
computer-enabled theft of trade secrets, and illegal electronic surveillance. He
has served as a neutral expert and has supervised the court-appointed forensic
examination of digital evidence. Mr. Aquilina also has led the development of
the firm’s online fraud and abuse practice, regularly consulting on the technical
and strategic aspects of initiatives to protect computer networks from spyware
and other invasive software, malware and malicious code, online fraud, and
other forms of illicit Internet activity. His deep knowledge of botnets, distributed
denial of service attacks, and other automated cyber-intrusions enables
him to provide companies with advice and solutions to tackle incidents of
computer fraud and abuse and bolster their infrastructure protection.
Prior to joining Stroz Friedberg, Mr. Aquilina was an Assistant U.S.
Attorney in the Criminal Division of the U.S. Attorney’s Office for the
Central District of California, where he most recently served as a Computer
and Telecommunications Coordinator in the Cyber and Intellectual Property
Crimes Section. He also served as a member of the Los Angeles Electronic
Crimes Task Force and as chair of the Computer Intrusion Working
Group, an inter-agency cyber-crime response organization. As an Assistant,
Mr. Aquilina conducted and supervised investigations and prosecutions of
computer intrusions, extortionate denial of service attacks, computer and
Internet fraud, criminal copyright infringement, theft of trade secrets, and
other abuses involving the theft and use of personal identity. Among his
notable cyber cases, Mr. Aquilina brought the first U.S. prosecution of
malicious botnet activity for profit against a prolific member of the “botmaster
underground” who sold his armies of infected computers for the purpose of
launching attacks and spamming, and used his botnets to generate income
from the surreptitious installation of adware; tried to jury conviction the first
criminal copyright infringement case involving the use of digital camcording
equipment; supervised the government’s continuing prosecution of Operation
Cyberslam, an international intrusion investigation involving the use of hired
hackers to launch computer attacks against online business competitors; and
oversaw the collection and analysis of electronic evidence relating to the
prosecution of a local terrorist cell operating in Los Angeles.
During his tenure at the U.S. Attorney’s Office, Mr. Aquilina also served
in the Major Frauds and Terrorism/Organized Crime Sections where he
investigated and tried numerous complex cases, including a major corruption
trial against an IRS Revenue Officer and public accountants; a fraud
prosecution against the French bank Credit Lyonnais in connection with the
rehabilitation and liquidation of the now defunct insurer Executive Life; and
an extortion and kidnapping trial against an Armenian organized crime ring.
In the wake of the September 11, 2001 attacks, Mr. Aquilina helped establish
and run the Legal Section of the FBI’s Emergency Operations Center.
Before public service, Mr. Aquilina was an associate at the law firm
Richards, Spears, Kibbe & Orbe in New York, where he focused on white
collar work in federal and state criminal and regulatory matters.
Mr. Aquilina served as a law clerk to the Honorable Irma E. Gonzalez,
U.S. District Judge, Southern District of California. He received his
B.A. magna cum laude from Georgetown University, and his J.D. from the
University of California, Berkeley, School of Law, where he was a Richard
Erskine Academic Fellow and served as an Articles Editor and Executive
Committee Member of the California Law Review.
He currently serves as an Honorary Council Member on cyber law issues
for the International Council of E-Commerce Consultants (EC-Council),
the organization that provides the CEH (Certified Ethical Hacker) and CHFI
(Certified Hacking Forensic Investigator) certifications to leading security
industry professionals worldwide.
Eoghan Casey
Eoghan Casey is an Incident Response and Digital
Forensic Analyst, responding to security breaches and analyzing digital
evidence in a wide range of investigations, including network intrusions
with international scope. He has extensive experience using digital forensics
in response to security breaches to determine the origin, nature and extent
of computer intrusions, and has utilized forensic and security techniques to
secure compromised networks. He has performed hundreds of forensic
acquisitions and examinations, including e-mail and file servers, handheld
devices, backup tapes, database systems, and network logs.
Mr. Casey is a leading authority in his areas of expertise and has
written and lectured extensively both in the United States and abroad,
including at conferences sponsored by the Digital Forensics Research
Workshop, High Tech Crime Investigators Association, SEARCH,
SecureIT, and Infragard. He is the author of the widely used textbook
Digital Evidence and Computer Crime: Forensic Science, Computers and
the Internet (Academic Press, 2004). He is also editor of the Handbook
of Computer Crime Investigation, and coauthor of Investigating Child
Exploitation and Pornography. Mr. Casey is editor-in-chief of Elsevier’s
international journal of Digital Investigation, which publishes articles on
digital forensics and incident response on a quarterly basis.
As a Director of Digital Forensics and Investigations at Stroz Friedberg,
he co-managed the firm’s technical operations in the areas of computer
forensics, cyber-crime response, incident handling, and electronic discovery.
In addition, he maintained an active docket of cases himself, testified in
civil and criminal cases, and submitted expert reports and prepared trial
and grand jury exhibits for computer forensic and cyber-crime cases.
Mr. Casey also spearheaded Stroz Friedberg’s external and in-house forensic
training programs as Director of Training.
Before working at Stroz Friedberg, Mr. Casey assisted law enforcement
as a consultant in numerous criminal investigations involving on-line criminal
activity and digital evidence relevant to homicides, child exploitation and
other types of cases. As an Information Security Officer at Yale University,
from 1999 to 2002, and in subsequent consulting work, he has performed
vulnerability assessments, handled critical security breaches and policy
violations, deployed and maintained intrusion detection systems, firewalls
and public key infrastructures, and developed policies, procedures, and
educational programs. Since 1996, Mr. Casey has offered on-line and in-person
training. Mr. Casey’s courses cover digital forensics, incident handling, and
intrusion investigation. Mr. Casey also served, from 1991 to 1995, as a Senior
Research Assistant and Satellite Operator at NASA’s Extreme UV Explorer
Satellite Project, where he wrote computer programs to automate routine
and safety-critical satellite operations procedures and created and maintained
a Sybase SQL database.
Mr. Casey holds a B.S. in Mechanical Engineering from the University
of California at Berkeley, and an M.A. in Educational Communication and
Technology from New York University.
Cameron H. Malin
Cameron H. Malin is a Special Agent with the Federal Bureau of Investigation
assigned to a Cyber Crime squad in Los Angeles, California, where he is responsible
for the investigation of computer intrusion and malicious code matters.
Mr. Malin is a Certified Ethical Hacker (CEH) as designated by the
International Council of Electronic Commerce Consultants (EC-Council), a
Certified Information Systems Security Professional (CISSP), as designated
by the International Information Systems Security Certification Consortium
(“(ISC)²”), a GIAC certified Reverse Engineering Malware Professional
(GREM), GIAC Certified Intrusion Analyst (GCIA), GIAC Certified
Incident Handler (GCIH), and GIAC Certified Forensics Analyst (GCFA),
as designated by the SANS Institute.
Mr. Malin currently sits on the Editorial Board of the International
Journal of Digital Evidence (IJDE) and is a Subject Matter Expert for the
Information Assurance Technology Analysis Center (IATAC).
Prior to working for the FBI, Mr. Malin was an Assistant State Attorney
(ASA) and Special Assistant United States Attorney (SAUSA) in Miami, Florida,
where he specialized in computer crime prosecutions. During his tenure as an
ASA, Mr. Malin was also an Assistant Professorial Lecturer in the Computer
Fraud Investigations Masters Program at George Washington University.
The techniques, tools, methods, views, and opinions explained by Cameron
Malin are personal to him, and do not represent those of the United States
Department of Justice, the Federal Bureau of Investigation, nor the government
of the United States of America. Neither the federal government nor any
federal agency endorses this book or its contents in any way.
Technical Editor
Curtis W. Rose is the Founder and Managing Member of Curtis W. Rose &
Associates LLC, a specialized services company which provides Computer Forensics,
Expert Testimony, Litigation Support, and Computer Intrusion Response and Training
to commercial and government clients. Mr. Rose is an industry-recognized expert in
computer security with over twenty years’ experience in investigations, computer
forensics, technical and information security.
Mr. Rose was an author of Real Digital Forensics: Computer Security and Incident
Response, and was a contributing author or technical editor for many security books
including, Anti-Hacker Toolkit; Network Security: The Complete Reference; and Incident
Response: Investigating Computer Crime, 2nd Edition. He has also published white
papers on advanced forensic methods and techniques, to include Windows Live
Incident Response Volatile Data Collection: Non-Disruptive User & System Memory
Forensic Acquisition, March 2003.
Introduction
Over the past year, the number of programs developed for malicious and illegal purposes has grown
rapidly. The 2008 Symantec Internet Security Threat Report announced that there are over
one million computer viruses in circulation, most developed in the past 12 months.[1] Other antivirus
vendors, including F-Secure, report a similarly dramatic increase in the number of viruses emerging
since 2007.[2]
In the past, malicious code has been categorized neatly (e.g., viruses, worms, or Trojan
Horses) based upon functionality and attack vector. Today, malware is often modular and multi-faceted;
instead of fitting squarely into a certain category, many malware specimens represent more of a
“blended-threat,” with diverse functionality and varied means of propagation.[i] Much of this malware
has been developed to support increasingly organized, professional computer criminals.
Indeed, criminals are making extensive use of malware to control computers and steal personal,
confidential, or otherwise proprietary information for profit. A widespread attack in April 2008
exploited a new SQL injection vulnerability to insert a script “nihaorr1.com/1.js” into the database.[3]
When individuals accessed an infected Web site, the “1.js” script redirected their browsers to
www.nihaorr1.com and attempted to install a password stealing program via various known vulnerabilities
in Web browsers.
Furthermore, foreign governments are funding teams of highly skilled hackers to develop customized
malware to support industrial and military espionage.[4]
The increasing use of malware to commit and conceal crimes is compelling more digital investigators
to make use of malware analysis techniques and tools that were previously the domain of antivirus
vendors and security researchers.
[1] See http://news.bbc.co.uk/2/hi/technology/7340315.stm.
[2] See http://news.zdnet.com/2100-1009_22-6222896.html.
[3] See http://gopaultech.com/blog/2008/04/nihaorr1-sql-injection-attack/; http://robnewby.blogspot.com/2008/04/nihaorr1-attack-explained.html; http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424.
[4] See “The New E-spionage Threat,” available at http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm; “China accused of hacking into heart of Merkel administration,” available at http://www.timesonline.co.uk/tol/news/world/europe/article2332130.ece.
www.syngress.com
This book is designed to help digital investigators identify malware on a computer system, pull
malware apart to uncover its functionality and purpose, and determine the havoc malware wreaked
on a subject system. Practical case scenarios are used throughout the text to demonstrate techniques
and associated tools. Furthermore, to bring malware analysis into the realm of forensic discipline, this
book provides methodologies and discusses legal considerations that will enable digital investigators to
perform their work in a reliable, repeatable, defensible, and thoroughly documented manner.
Investigative and Forensic Methodologies
When malware is discovered on a system, there are many decisions that must be made and actions
that must be taken, often under severe time pressure. To help digital investigators achieve a successful
outcome, this book provides an overall methodology for dealing with such incidents, breaking
investigations involving malware into five phases:
■ Phase 1: Forensic preservation and examination of volatile data (Chapters 1 and 2)
■ Phase 2: Examination of memory (Chapter 3)
■ Phase 3: Forensic Analysis: Examination of hard drives (Chapters 4 and 5)
■ Phase 4: Static analysis of malware (Chapters 7 and 8)
■ Phase 5: Dynamic analysis of malware (Chapters 9 and 10)
Within each of these phases, formalized methodologies and goals are emphasized to help digital
investigators reconstruct a vivid picture of events surrounding a malware infection and gain a detailed
understanding of the malware itself. However, the methodologies outlined in this book are not
intended as a check list to be followed blindly. Digital investigators must always apply critical thinking
to what they are observing, and interviewing the system owners and users often helps develop a more
complete picture of what occurred.
Furthermore, additional steps may be called for in some cases, depending on the context and
available data sources. When backup tapes of the compromised system are available, it might be
fruitful to compare them with the current state of the system and to assist in the recovery of the
system. Some organizations routinely collect information that can be useful to the investigation,
including centralized logs from antivirus agents, reports from system integrity checking tools like
Tripwire, and network level logs.
Whenever feasible, investigations involving malware should extend beyond a single compromised
computer, as malicious code is often placed on the computer via the network, and most modern
malware has network-related functionality. Discovering other sources of evidence, such as servers the
malware contacts to download components or instructions, can provide useful information about
how malware got on the computer and what it did once it was installed.
Network forensics can play a key role in malware incidents, but this extensive topic is beyond
the scope of this book. One of the author’s earlier works[5] covers tools and techniques for collecting
and utilizing various sources of evidence on a network that can be useful when investigating a
malware incident, including intrusion detection systems, NetFlow logs, and network traffic.
These logs can show use of specific exploits, malware connecting to external IP addresses, and the
names of files being stolen. Although potentially not available prior to discovery of a problem, logs
from network resources implemented during the investigation may capture meaningful evidence of
ongoing activities.
[5] Eoghan Casey, Digital Evidence and Computer Crime (Second Edition, 2004).
Finally, as digital investigators more and more are asked to conduct malware analysis for
investigative purposes that may lead to the victim’s pursuit of a civil or criminal remedy, ensuring
the reliability and validity of findings means compliance with an oft complicated legal and
regulatory landscape. Chapter 6, although not a substitute for obtaining counsel and sound legal
advice, explores legal and regulatory concerns, and discusses some of the requirements or limitations
that may govern the access, preservation, collection and movement of data and digital artifacts
uncovered during malware forensic investigations.
Forensic Soundness
The act of collecting data from a live system causes changes that a digital investigator will need to
explain with regards to their impact on the digital evidence. For instance, running tools like Helix
from a removable media device will alter volatile data when it is loaded into main memory, and will
generally create or modify files and Registry entries on the evidentiary system. Similarly, using
remote forensic tools necessarily establishes a network connection, executes instructions in memory,
and makes other alterations on the evidentiary system.
Purists argue that forensic acquisitions should not alter the original evidence source in any
way. However, traditional forensic disciplines such as DNA analysis show that the measure of forensic
soundness does not require the original to be left unaltered. When samples of biological material
are collected, the process generally scrapes or smears the original evidence. Forensic analysis of the
evidentiary sample alters the sample even more because DNA tests are destructive. Despite the
changes that occur during preservation and processing, these methods are considered forensically
sound and DNA evidence is regularly admitted as evidence.
Setting an absolute standard that dictates “preserve everything but change nothing” is not only
inconsistent with other forensic disciplines but dangerous in a legal context. Conforming to such a
standard may be impossible in some circumstances and, therefore, postulating this standard as the “best
practice” only opens digital evidence to criticisms that have no bearing on the issues under investigation.
In fact, courts are starting to compel preservation of volatile computer data in some cases,
requiring digital investigators to preserve data on live systems. In Columbia Pictures Indus. v. Bunnell,[6]
for example, the court held that RAM on a Web server could contain relevant log data and was
therefore within the scope of discoverable information in the case.
One of the keys to forensic soundness is documentation. A solid case is built on supporting
documentation that reports where the evidence originated and how it was handled. From a forensic
standpoint, the acquisition process should change the original evidence as little as possible, and any
changes should be documented and assessed in the context of the final analytical results. Provided the
acquisition process preserves a complete and accurate representation of the original data, and its
authenticity and integrity can be validated, the analysis is generally considered forensically sound.
[6] 2007 U.S. Dist. LEXIS 46364 (C.D. Cal. June 19, 2007).
[...] establish a link.
[eco@ice eco]$ ls -latc
-rw-------    1 eco eco   8868 Apr 18 10:30 .bash_history
-rw-rw-r--    1 eco eco 540039 Apr  8 10:38 ftp-tk.tgz
drwxrwxr-x    2 eco eco   4096 Apr  8 10:37 tk
drwxr-xr-x    5 eco eco   4096 Apr  8 10:37 tornkit
[eco@ice eco]$ less .bash_history
cd unix-exploits/
./SEClpd 192.168.0.3 brute -t 0
./SEClpd 192.168.0.3 brute -t 0
ssh -l owened 192.168.0.3 -p 31337
[eco@ice eco]$ cd tk
[eco@ice tk]$ ls -latc
total 556
drwx------   25 eco eco   4096 Apr 25 18:38 ..
drwxrwxr-x    2 eco eco   4096 Apr  8 10:37 .
-rw-------    1 eco eco  28967 Apr  8 10:37 lib.tgz
-rw-------    1 eco eco    380 Apr  8 10:37 conf.tgz
-rw-rw-r--    1 eco eco 507505 Apr  8 10:36 bin.tgz
-rwx------    1 eco eco   8735 Apr  8 10:34 t0rn
[eco@ice tk]$ head t0rn
#!/bin/bash
# t0rnkit9+linux bought to you by torn/etC!/x0rg
# Define (You [...]

[...] and saves the output in a file named “pv-e-20080430-host1.txt” on the collection system. The netcat command must be executed on the collection system first so that it is ready and waiting to receive data from the subject system.
Subject system                                   ->  Collection system (172.16.131.32)
ec-pv.exe -e | nc 172.16.131.32 13579                nc -l -p 13579 > pv-e-20080430-host1.txt
Remote forensics tools are also available that [...]

[...] For Bejtlich & Curtis W. Rose, Real Digital Forensics: Computer Security and Incident Response (Addison Wesley, 2005); Kevin Mandia, Chris Prosise & Matt Pepe, Incident Response & Computer Forensics (McGraw-Hill/Osborne, Second Edition, 2003); and Ed Skoudis & Lenny Zeltser, Malware: Fighting Malicious Code (Prentice Hall, 2003). [10]

[...] After the source code is compiled [...]

[...] programming skills beyond the scope of this book. More in-depth coverage of reverse engineering is available in Reverse Engineering Code with IDA Pro.[12] Rootkits[13] provides details on programming rootkits and other malware.
From Malware Analysis to Malware Forensics
In the good old days, digital investigators could discover and analyze malicious code on computer systems with relative ease. Trojan horse [...]

[...] majority of malware functionality was easily observable, there was little need for a digital investigator to perform in-depth analysis of the code. In many cases, someone in the information security community would perform a basic functional analysis of a piece of malware and publish it on the Web. Today, as computer intruders become more cognizant of digital forensic techniques, malicious code is increasingly [...]

[...] The growing importance of malware analysis in digital investigations, and the increasing sophistication of malicious code, has driven advances in tools and techniques for performing surgery and autopsies on malware. As more investigations rely on understanding and counteracting malware, the demand for formalization and supporting documentation has grown. The results of malware analysis must be accurate [...]

[...] techniques are covered in Chapter 4 (Post-Mortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Windows Systems) and Chapter 5 (Post-Mortem Forensics: Discovering and Extracting Malware and Associated Artifacts from Linux Systems).
Malware Analysis
How an Executable File is Compiled
Before delving into the tools and techniques used to dissect a malicious executable program, it is important to understand the process in which source code is compiled, linked, and becomes executable code. The steps that an attacker takes during the course of compiling malicious code will often determine the items of evidentiary significance discovered during the examination of the code. Think of the compilation of source code into an executable file like the metamorphosis of caterpillar [...]

[...] an e-greeting card, shown in Figure 1.5. The e-mail explained that to view the card, she needed to click on a hyperlink embedded in the e-mail to be directed to the e-greeting. Kim was curious who sent her the card and clicked on the hyperlink. Strangely, there was no e-greeting card; rather, an image of a mountain panoramic view popped up on her screen. Kim assumed that there was an error with the e-greeting [...]
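The netcat collection pattern above (listener on the collection system first, the volatile-data tool piped to it from the subject system) and the Forensic Soundness section's requirement that every acquisition be documented and its integrity verifiable can be put together in a small receiver. The following is an added example, not code from the book or from the authors: it plays the role of "nc -l -p 13579 > pv-e-20080430-host1.txt", but hashes the stream as it arrives and writes a custody record (examiner, subject host, tool command line, start and end times, size, SHA-256) beside the artifact, so that a later examiner can re-verify the file. The examiner name, subject host, tool command string "ec-pv.exe -e", and the sample process listing are constructed assumptions; the subject side is stood in for by a plain socket sender.

```python
import hashlib
import json
import socket
import tempfile
import threading
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for the volatile-data tool's output; not real data.
SAMPLE_OUTPUT = (
    b"Process Name   PID   Path\n"
    b"explorer.exe   1204  C:\\WINDOWS\\explorer.exe\n"
    b"svchost.exe    1380  C:\\WINDOWS\\system32\\svchost.exe\n"
)


def custody_path(artifact):
    """Sidecar JSON file that documents how the artifact was received."""
    artifact = Path(artifact)
    return artifact.with_name(artifact.name + ".custody.json")


def open_listener(host="0.0.0.0", port=13579):
    """Bind and listen on the collection system first, as the text requires,
    so the receiver is waiting before the subject system starts sending."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_acquisition(srv, artifact, examiner, tool_cmd, subject_host):
    """Accept one connection, stream its data to `artifact`, hash it as it
    arrives, and write a custody record beside it. Returns the record."""
    artifact = Path(artifact)
    sha = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    conn, peer = srv.accept()
    with conn, artifact.open("wb") as fh:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # sender closed: end of the tool's output
                break
            fh.write(chunk)
            sha.update(chunk)
            size += len(chunk)
    srv.close()
    record = {
        "artifact": artifact.name,
        "subject_host": subject_host,
        "subject_peer": f"{peer[0]}:{peer[1]}",
        "tool_cmd": tool_cmd,
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "sha256": sha.hexdigest(),
    }
    custody_path(artifact).write_text(json.dumps(record, indent=2))
    return record


def verify_acquisition(artifact):
    """Re-hash the stored artifact and compare it with its custody record.
    True only when both the size and the SHA-256 still match."""
    artifact = Path(artifact)
    record = json.loads(custody_path(artifact).read_text())
    sha = hashlib.sha256()
    size = 0
    with artifact.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha.update(chunk)
            size += len(chunk)
    return size == record["bytes"] and sha.hexdigest() == record["sha256"]


def send_volatile_output(host, port, data):
    """Subject side, standing in for 'ec-pv.exe -e | nc host port': send the
    tool output and close the socket, which tells the receiver it is done."""
    with socket.create_connection((host, port)) as conn:
        conn.sendall(data)


def demo_roundtrip():
    """Run both sides on localhost in the required order (listener first).
    Returns the custody record, the verification result for the untouched
    artifact, and the result after the artifact has been altered."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp) / "pv-e-20080430-host1.txt"
        srv = open_listener("127.0.0.1", 0)   # port 0: OS picks a free port
        port = srv.getsockname()[1]
        record = {}
        receiver = threading.Thread(
            target=lambda: record.update(
                receive_acquisition(srv, artifact, "examiner1", "ec-pv.exe -e", "host1")))
        receiver.start()
        send_volatile_output("127.0.0.1", port, SAMPLE_OUTPUT)
        receiver.join()
        intact = verify_acquisition(artifact)
        with artifact.open("ab") as fh:       # any later change must be detectable
            fh.write(b"altered after acquisition\n")
        return record, intact, verify_acquisition(artifact)


if __name__ == "__main__":
    rec, before, after = demo_roundtrip()
    print(json.dumps(rec, indent=2))
    print("verified before alteration:", before, "after:", after)
```

The hash is computed from the bytes as they cross the wire, not from the file afterwards, so the custody record describes what the subject system actually sent; the sidecar is what an examiner attaches to the notes the Forensic Soundness section asks for, and verify_acquisition is the check a second examiner runs before relying on the artifact.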