In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.
You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.
In this post we will take a quick pass at some live forensic analysis. See the reference section for some other analysis you may undertake.
First up, I’ll start off with the network by leveraging “netstat” on the “compromised” host. The network information below shows that the host “Securitynik-xp” on source port 1025 has an established connection to host 10.10.10.1 on port 3460.
Now that we have an established connection, let’s see what the PID and owning process of this connection are, leveraging “netstat -ob” as shown below.
Above we see the owning process is “system32:secnik_piv.exe” and it has a PID of 1688.
By looking at the “:” in “system32:secnik_piv.exe” we can conclude that this is more than likely an Alternate Data Stream (ADS).
Doing a “dir c:\windows\system32\secnik*.exe” we see … basically the file was not found. In Windows XP there is no immediate way to detect ADS without third-party tools.
Therefore let’s leverage Sysinternals “Streams.exe” to identify the ADS in “system32”. The image below shows that “secnik_piv.exe” is embedded in “c:\windows\system32”.
Taking a look at the registry for persistence, we see the key "HKLM\software\Microsoft\windows\CurrentVersion\Run" has a value “SecurityNik_PIvy_Agent REG_SZ C:\WINDOWS\system32:secnik_piv.exe”.
Taking a look at ProcessHacker to learn more about the process “system32:secnik_piv.exe”, we see that it was started by “explorer.exe”. We also see that this process has spawned a “cmd.exe” process. If we remember from this post, we were interacting with the “compromised host” via the command shell.
At this point, we can continue to leverage ProcessHacker or even identify additional tools which can assist with our live analysis.
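Scripting the three checks walked through above (an image path that looks like an ADS, a Run key value pointing at one, and a streams listing of system32) as an added PowerShell example; it is not the post's own code, it assumes PowerShell 3.0 or later (so it would not run on the XP host shown, where Streams.exe fills that role), and the regex and function names are my own.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0 or later
# (Get-Item -Stream does not exist on the Windows XP host described above).

# A second ":" after the drive letter (e.g. C:\WINDOWS\system32:secnik_piv.exe)
# means the path names an alternate data stream, not a regular file.
$adsPattern = '^[A-Za-z]:\\[^:]*:[^\\:]+$'
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Find-AdsRunValues {
    # Run-key values (the persistence location found above) whose data is an ADS path.
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            $data = ([string]$p.Value).Trim('"')
            if ($data -match $adsPattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $data }
            }
        }
    }
}

function Find-AdsInDirectory {
    param([string]$Path = "$env:SystemRoot\System32")
    # Equivalent of streams.exe: list every stream except the default ::$DATA one.
    # The directory itself is included because the sample was attached to
    # system32 rather than to a file inside it.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -File)
    foreach ($item in $items) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

function Find-AdsProcesses {
    # Running processes whose image path is an ADS, as netstat -ob revealed above.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $adsPattern } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

Find-AdsRunValues
Find-AdsInDirectory
Find-AdsProcesses
```

Run it from an elevated prompt so the HKLM key and every file in system32 can be read; a hit in any of the three lists is worth the same follow-up the post gives (parent process, spawned children, network peer).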
However, we were able to identify its persistence mechanism, which allows it to survive reboot. At this point we can take the next step, which is to begin the clean-up process.
Let’s start with deleting the persistence mechanism via the registry using “reg delete "HKLM\software\Microsoft\windows\CurrentVersion\Run" /v "SecurityNik_PIvy_Agent"”.
Let’s now look at suspending the process “system32:secnik_piv.exe” before we attempt to delete it from the ADS.
… once suspended we then leverage GMER to delete the file as shown below …
If we take a look at “c:\windows\system32:secnik_piv.exe” with Sysinternals “streams.exe” we see the file no longer exists, as shown below.
Now let’s close this off by terminating the process tree for “system32:secnik_piv.exe”.
At this point, consideration should be given to the fact that the process may be recreated, therefore close attention should be paid to monitoring. Additionally, you may want to monitor the network for traffic known to be associated with Poison Ivy. Restarting the “infected” system is a good way to verify that all is well.
Open Security Training – Malware Class
POISON IVY: Assessing Damage and Extracting Intelligence
iTrust Consulting - APT1: technical backstage
Poison Ivy RAT - Configuration & Communications