Tuesday, June 23, 2009


So, as you are probably aware, I am working on a case right now that has an interesting pair of malicious binaries. In a previous post, I stated that I was not able to get one of the binaries working either in a VM or on my dirty box. Well, after re-reading that post, and sleeping on it (or at least trying to), I couldn't stop thinking about it...something was not sitting well.

My instincts told me that I was missing something. So rather than simply dismissing it, or chalking it up to indigestion (which I hear Peanut Butter Cup cereal will do to you), I got out of bed at 0400, started the coffee pot, and decided to trust my instincts.

After trying to run the malware again unsuccessfully, I realized that I had not "Googled" the error message. That is something I usually would not have forgotten, but for whatever reason, I had. So I did...and what came back had something to do with the Microsoft .Net framework. I then found the download page from MSDN (which if you don't have bookmarked, you REALLY should) and grabbed "dotnetfx.exe" - let's remember that name for later (in a post I am working on for tomorrow)! So, I ran the executable, installed .Net v2, and kicked off the malware again. This time NO ERROR! While I was not sure what it was doing at this point, I was confident it was doing something, as the error message that I had become so accustomed to was no longer plaguing me! The point here is that I trusted my gut...something was not sitting right and I was determined to find out what...which I did! And THAT ended up being HUGE in this case!

Next, I fired up Process Explorer and restarted the malware. It appeared for like a second...maybe two, then disappeared. Well, I had already opened the binary in both a hex editor and PEDump without any interesting results. I had to get at the process as it ran! I tried to dump RAM, but I couldn't do it quickly enough to catch the process as it ran. After about 45 minutes of launching the binary (which I could do from the cmd line) and trying to click on the process when it popped up in Process Explorer, I got it! What I saw in the strings as the process ran in memory was that it was trying to open an FTP connection to a remote IP address...AND...it gave me something that looked a whole lot like a username and password. Again, by trusting my instincts, I not only got the malware working, but I got an IP, a username, and a password (later validated by the USSS...so I can state with confidence that I got it!).
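As an added example (mine, not the author's or anything from the case), here is the strings-in-memory step above done in Python over a captured process memory region, in both ASCII and UTF-16LE: a .Net binary holds its strings as UTF-16 in memory, so an ASCII-only pass misses exactly the kind of host, username and password the post describes. The memory bytes, host name and credentials are constructed, and the "look right after the FTP host" rule is my own heuristic.

```python
import re

# Constructed sample of a process memory region (not data from the case).
# A .NET binary keeps its string literals as UTF-16LE in memory, so the host,
# user name and password below are encoded that way; an ASCII-only strings
# pass walks straight past them.
SAMPLE_MEMORY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"                   # PE-ish junk
    + "ftp.example.test".encode("utf-16-le") + b"\x00\x00"  # remote FTP host
    + b"\x01\x02"
    + "CONSTRUCTED_USER".encode("utf-16-le") + b"\x00\x00"
    + "CONSTRUCTED_PASS".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe"
    + b"open connection failed\x00"                          # plain ASCII
    + b"\x90\x90"
)

PATTERNS = {
    # a run of printable 7-bit characters
    "ascii": lambda n: re.compile(rb"[\x20-\x7e]{%d,}" % n),
    # the same characters, each followed by a NUL byte (UTF-16LE)
    "utf-16le": lambda n: re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % n),
}


def extract_strings(data, min_len=6, encodings=("ascii", "utf-16le")):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters in the requested encodings, ordered by offset."""
    found = []
    for enc in encodings:
        codec = "ascii" if enc == "ascii" else "utf-16-le"
        for m in PATTERNS[enc](min_len).finditer(data):
            found.append((m.start(), enc, m.group().decode(codec)))
    return sorted(found)


def strings_after_ftp_host(strings, window=3):
    """Heuristic (my assumption, not a rule from the post): the strings that
    directly follow one naming an FTP host are the first to inspect, since
    that is where a user name and password tend to sit."""
    hits = []
    for i, (_, _, text) in enumerate(strings):
        if "ftp" in text.lower():
            hits.extend(t for _, _, t in strings[i + 1:i + 1 + window])
    return hits


if __name__ == "__main__":
    both = extract_strings(SAMPLE_MEMORY)
    for offset, enc, text in both:
        print(f"{offset:#06x} {enc:8} {text}")
    print("ASCII-only pass finds:", len(extract_strings(SAMPLE_MEMORY, encodings=("ascii",))))
    print("candidate credentials:", strings_after_ftp_host(both))
```

On a real dump, feed the bytes of the process's committed memory regions to extract_strings and lower min_len only if the host is a bare IP address, since short runs raise the noise floor quickly.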

So as I sat on my back porch celebrating, my neighbor (Glen Painter) came over. As I talked to him about my victory, I told him I still had one question. The malware definitely FTP'd the customer data off the network, but how did it get it in the first place? Well, my neighbor happens to be a very good .Net Developer. So we downloaded the free version of Red Gate's .Net Reflector and decompiled the binary into C#. By taking this last step, I was able to see that the malware was listening on the TCP port that the Point of Sale (POS) software used to transmit credit card numbers from the POS terminals to the back of house (BOH) server. As it listened, it created a file that contained the results of the traffic sniffing! This file format was the exact same as the format of the files on my forensic image that I suspected were being exported! By trusting my friend, I was able to learn something new, put a new tool in my arsenal, and really bust this case wide open. Thank you GLEN!

In this particular situation, the technology was not my obstacle...it rarely ever is. Truth be told, I hit a rut. I thought what I had done was good enough, and I was prepared to go on. So that made me wonder...how many other investigators do the same thing? Get stuck on something, but instead of waking up at 0Dark30 and knocking it out, they slap whatever they have into their report and call it a day.

I also have to give credit to Harlan. He was up around 0500, and I was able to bounce some ideas off of him. This brings me to my last point...trust your friends (#2). Look, we have a tough job. Every case I get is difficult in some way, but that's what makes it fun. It's a challenge! The key is to look that challenge straight in the eye, and kick it in the teeth...not fold at the first sign of adversity. Having a trusted friend that you can bounce your thoughts off of is a great tool. You need someone you can talk candidly to, who will tell you when you are way off, and who you won't lose any face with when you make mistakes.

Since Harlan and I don't work together anymore, we obviously don't share customer data, so we just stick to the forensics. After about 30 minutes of talking to him, feeling a bit sheepish a time or five, and gathering my thoughts, I was back on track, and able to find what I was looking for and then some.

Look, if you don't get woken up in the middle of the night thinking about case work, I will go out on a limb and say you may be in the wrong line of work. I have solved many many cases between the hours of midnight and 0600 when something was bothering me so much that I couldn't sleep...I HAD to figure it out. I'm sure there are investigators out there who can be in the middle of a difficult case, have some unresolved issues...throw some hash sets around hoping for a hit, and when they don't get anything they go to bed and sleep like babies. I am just not one of them.

Trust your instincts, Trust your friends, and Trust your abilities. Trust really is one of the best tools in your toolbox!


  1. One word, my friend, if you can't get the malware to stay in memory... flypaper

  2. Yep..gotta try it out. It's been invaluable.

  3. Yes, there is something about midnight to 0600 hours. Interesting post this ... Also, flypaper rocks! Thanks guys.

  4. ".. So that made me wonder.. how many other investigators do the same thing?"

    I would say, just a few. The vast majority know how to dump a process and have enough reversing skill not to waste 45 minutes playing a "point & click" game with Process Explorer. It was your incompetence in knowing what a process dumper is and how it works that woke you up at 0400, not your instinct..

    In fact, your instinct should tell you to retire if you are unable to drive a forensic case at regular hours.

  5. Wow. Not a very nice post at all. I do have enough knowledge about reversing to dump a process - pull out strings, use PEDump, use Wireshark to check for network traffic, dump memory, use Memoryze (or Volatility) to review what the process is doing in memory...check what DLLs are being loaded, which hooks are being made, and what threads are present.

    This was not an issue of a lack of knowledge, but that the malware was simply not behaving on my VM and dirty box as it was on the customer environment. I needed to figure out a way to make it...regardless of HOW I got it to work, I got it to work...found what the process did, how it did it, where it made connections, how it exfiltrated customer data.

    Honestly, if you didn't get anything from the post then you didn't get anything from the post. I am OK with that. But I would ask that you don't use my blog as a medium to sling insults. It's just not the right place for those kinds of comments. If you would like to blast me by email, that's fine; my email address is located on my profile.

  6. It was not a post to insult, nor to blast anybody. I wonder why you reached that conclusion. It was just an opinion, matching perfectly the kind of "comment" a live blog would expect.

    - quote - as it was on customer environment - end quote -

    You are right, I forgot PEDump and the others are marked not to work on customer computers; Process Explorer is not.

    IMHO it is not fair for the customers to have a bill increased by point&click tasks, even if you think this is the only 'brand new technology' that should be used in this case. Honestly, customers would expect to see results, as well as actions.

    Anyway, I learnt the lesson; I'll hail you from now on. This kind of comment is closer to what you expect, even if I'm right in the previous comment.

    Apologies if you felt insulted, of course it was not my intention.