Mac IR

Flashback Mac Malware Analysis and Removal


Flashback is Mac malware that has recently been showing up with a vengeance. The latest version, .K, exploits a newly patched Java vulnerability on OS X. F-Secure recently posted about detecting and removing it from a system. In this post, I'll cover some additional artifacts found on an infected machine and include a script to remove it.

/var/log/secure.log

When responding to an infected system, I noticed that /var/log/secure.log included a couple of indicators of infection. The indicators below may help you detect infected users if you are collecting syslog from your OS X devices. Seeing an "executing /bin/sh" entry followed by a "suppressing keychain prompt" entry within a couple of minutes of each other has been a solid indicator in this log. When looking through the systems, the suppressing keychain prompt did not show up in a year's worth of logs until after the machine was infected.

Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: UID 501 authenticated as user k (UID 501) for right ‘system.privilege.admin’
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right ‘system.privilege.admin’ by client ‘/private/tmp/Software Update’ for authorization created by ‘/private/tmp/Software Update’
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right ‘system.privilege.admin’ by client ‘/usr/libexec/security_authtrampoline’ for authorization created by ‘/private/tmp/Software Update’
Mar 31 14:17:32 K-MacBook-Pro authexec[318]: executing /bin/sh
Mar 31 14:19:55 K-MacBook com.apple.SecurityServer[25]: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(658)
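As an added example (not part of the original post), the detection logic above written out in Python: it parses syslog-style secure.log lines and flags a client under /private/tmp being granted system.privilege.admin, and an authexec /bin/sh launch followed within a few minutes by a suppressed keychain prompt on the same host. The sample lines are constructed after the excerpt above, and the year (absent from syslog timestamps) is an assumption passed in by the caller.

```python
import re
from datetime import datetime, timedelta

# Constructed secure.log sample modelled on the excerpt above; host names and PIDs are made up.
SAMPLE_LOG = """\
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right 'system.privilege.admin' by client '/private/tmp/Software Update' for authorization created by '/private/tmp/Software Update'
Mar 31 14:17:32 K-MacBook-Pro authexec[318]: executing /bin/sh
Mar 31 14:19:55 K-MacBook-Pro com.apple.SecurityServer[25]: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(658)
Apr  1 09:00:01 K-MacBook-Pro authexec[900]: executing /bin/sh
Apr  1 16:30:00 K-MacBook-Pro com.apple.SecurityServer[25]: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(700)
"""

# syslog-style prefix "Mon dd HH:MM:SS host message" (no year, so the caller supplies one)
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")


def parse_line(line, year):
    """Split one secure.log line into (timestamp, host, message), or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def find_flashback_indicators(log_text, year=2012, window=timedelta(minutes=5)):
    """tmp_admin_auth: timestamps where a client under /private/tmp got system.privilege.admin.
    sh_then_keychain: (sh_time, keychain_time) pairs where authexec ran /bin/sh and a keychain
    prompt was suppressed on the same host within `window`."""
    hits = {"tmp_admin_auth": [], "sh_then_keychain": []}
    sh_launches = []  # (timestamp, host) of every "authexec: executing /bin/sh" seen so far
    for raw in log_text.splitlines():
        parsed = parse_line(raw, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if "system.privilege.admin" in msg and "client '/private/tmp/" in msg:
            hits["tmp_admin_auth"].append(ts)
        elif msg.startswith("authexec[") and msg.endswith("executing /bin/sh"):
            sh_launches.append((ts, host))
        elif "suppressing keychain prompt for invalidly signed client" in msg:
            for sh_ts, sh_host in sh_launches:
                if sh_host == host and timedelta(0) <= ts - sh_ts <= window:
                    hits["sh_then_keychain"].append((sh_ts, ts))
    return hits


if __name__ == "__main__":
    for kind, events in find_flashback_indicators(SAMPLE_LOG).items():
        print(kind, events)
```

The Apr 1 pair in the sample is hours apart and is deliberately not reported; tighten or widen `window` to match how quickly the prompt followed the shell on your hosts.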

Mac Times

I also collected file system MAC times on the infected machine. You can see the malware files .QUICKHEALXGEN.png and .QUICKHEALXGEN.xsl being created in Safari.app's Resources directory, and you can also see chmod and mv being accessed. This matches up with F-Secure's analysis.

2012 Mar 31 Sat 14:17:32
   102 m.c. drwxr-xr-x 0   0  0 /Applications/Safari.app
   374 m.c. drwxr-xr-x 0   0  0 /Applications/Safari.app/Contents
  4643 m.c. -rw-rw-rw- 501 20 0 /Applications/Safari.app/Contents/Info.plist
 20400 m.c. drwxr-xr-x 0   0  0 /Applications/Safari.app/Contents/Resources
403744 m... -rwxrwxrwx 501 0  0 /Applications/Safari.app/Contents/Resources/.QUICKHEALXGEN.png
 26168 m... -rwxrwxrwx 501 0  0 /Applications/Safari.app/Contents/Resources/.QUICKHEALXGEN.xsl
 62656 .a.. -r-xr-xr-x 0   0  0 /bin/chmod
 44848 .a.. -r-xr-xr-x 0   0  0 /bin/mv

Virus Total

Submitting the malware to VirusTotal had poor results, with only 8 out of 42 engines detecting it as of April 4th.

Cleaning Script

This script has several components: it checks for both types of infection discussed by F-Secure, backs up a copy of the two plist files with an .infected suffix, prompts the user whether they want to clean the infection, and also prompts the user to disable Java in Safari. While I have tested this script on the cleanup of the Safari Info.plist, I have not seen an infection of the environment.plist. The cleanup should work, but please test it before you use it. I will not be held liable for any problems.

I have built in a simple update function that checks for a new version when you pass the -u switch on the command line. If a new outbreak happens, I'll try to keep it updated. You can submit bug fixes to the blog or to the email address in the script.

To run the program, unzip the download below and double-click the flashback-detect.command file. It will prompt you for your password and check whether you're infected. You can also run it from Terminal using flashback-detect.sh.

Get the script HERE.


Creating a log2timeline plugin


I have a new post on the SANS forensics blog. This post covers the process of creating a plugin for the log2timeline tool. Using step-by-step instructions, I break down each section of the code and how it works. It can be used as a template for creating any plugin, though the example covers how to parse an OS X plist.

OSX Lion Window Preservation


My first post on the SANS forensics blog is up! The post covers a new feature in OS X 10.7 (Lion). Lion saves the location of the windows and other data when the application closes. This additional data can be used to supplement your analysis. Mac is continuing to gain market share, and we need to start taking a deeper look into this OS to get the most out of our investigations.

For more information about Mac incident response check out my previous post.

Creating an OS X Live IR CD-ROM


About a year ago, I built my first OS X live response CD-ROM, and I'm still not aware of any free tools to do this. I've heard that the Raptor CD-ROM is great for booting a machine that is powered off, but most of the time I'm dealing with live systems that need live analysis done. Let's cover the basics so you can create your own.

Static Binaries

OS X does not ship static binaries. When building your incident response disk, you must copy the binary files to the CD-ROM along with the required libraries. This topic has been covered many times for Linux, but not for OS X. You want to make sure the machine you are collecting the binaries from is a trusted machine; I used a freshly loaded and patched laptop to complete this.

The command to determine what libraries a specified binary uses in Linux is ldd. This tool is not available in OS X, but it has a similar tool called otool, which is part of the free Xcode toolkit. Running the command otool -L /bin/ps will list the required library files.

When I upgraded my laptop to Snow Leopard I was unsure whether I would need to rebuild a new set of binaries for the latest version of the OS, but when testing this I did not receive any errors. I have not tried running the 10.6 binaries on a 10.5 system, so I'm not sure if there would be any backward compatibility issues. I have recently tried to run the universal desktop binaries on an OS X 10.4 server, but was not able to run them. This is a problem I'm going to look at when I get a little more time. The temporary fix is to create separate binaries folders if you need both desktop and server binaries. This may be the only solution to this problem, but I'll let you know once I've tested more.

What binaries to include?

To determine which commands should be run, reference the previous post under "what to collect". Additionally, Apple's command-line admin guide is a great place to learn how to get the data you want out of the system. The list I use follows.

ps
lsof
netstat
md5sum
ifconfig
route
iptables
cat
echo
vi
fdisk
mmls
fls
sed
screen
dd
dcfldd
bash
awk
cat
date
hostname
who
arp
serversetup
macrobber
PlistBuddy
fdisk
df
du
mount
find
crontab
less
md5
sha1
gzip
tar
kextstat
system_profiler
vmmap
ls
mount
disktool
which

Automation of disk creation

I have created a little script that uses a list of files, like the one above, to find the required libraries, then copies them into /bin and /lib folders and renames the binaries to IR_filename. Renaming the binaries makes it very easy to tell what commands are being run by the responder. This saves time while you are reviewing the output and prevents you from chasing your own tail. To run the script, simply call it and pass the location of the file that has the list of the binaries you want on the disk.

#./mac-ir.sh /Users/demo/filelist.txt
#!/bin/bash
#Created by:Tom Webb
#Version 0.1
#usage mac-ir.sh filelist
#Requires otool (part of Xcode) on the trusted machine you are collecting from

#Error if no file given
if [ -z "$1" ]; then
 echo -e "\nUsage: `basename $0` /path/to/file list"
 exit 1
fi

#Error if not sudo/root
if [[ $EUID -ne 0 ]]; then
 echo "You must be root/sudo to run the script"
 exit 1
fi

echo "Enter the path where you want the /bin and /lib folders to be created"
read IR_LOCATION

#Setup DIR PATH (-p does not fail if the directory already exists)
mkdir -p "$IR_LOCATION/bin"
mkdir -p "$IR_LOCATION/lib"

while read line; do
 [ -z "$line" ] && continue #Skip blank lines in the list
 FIND_BIN=`whereis $line` #Find the location of the binary file (BSD whereis prints only the path, or nothing)
 if [ -z "$FIND_BIN" ]; then #if results empty
    echo "$line is not installed or in your path"
 else
   cp "$FIND_BIN" "$IR_LOCATION/bin/IR_$line" #Copies binary file to the new directory and renames it
   for i in `otool -L "$FIND_BIN" | sed '1d' | awk '{print $1}'`; #Lists the required libraries: drop the 1st line (the binary itself) and keep only the path, not the version info
   do
      cp "$i" "$IR_LOCATION/lib" #Copies the library file to the new IR Location for each library
   done
 fi
done <"$1" #Use file from command line argument
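As an added example (not from the original post), a Python version of the library lookup that parses otool -L output and follows dependencies transitively, which the single loop in mac-ir.sh does not (a library's own dependencies are never copied). The otool output below is constructed for hypothetical files; on a real build machine pass `lambda p: subprocess.check_output(["otool", "-L", p], text=True)` as `lookup`.

```python
# Constructed `otool -L` output for three hypothetical Mach-O files; the paths mimic the OS X
# layout but the version numbers and the dependency graph are made up for this example.
FAKE_OTOOL = {
    "/bin/ps":
        "/bin/ps:\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)\n",
    "/usr/lib/libSystem.B.dylib":
        "/usr/lib/libSystem.B.dylib:\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)\n"
        "\t/usr/lib/system/libmathCommon.A.dylib (compatibility version 1.0.0, current version 315.0.0)\n",
    "/usr/lib/system/libmathCommon.A.dylib":
        "/usr/lib/system/libmathCommon.A.dylib:\n"
        "\t/usr/lib/system/libmathCommon.A.dylib (compatibility version 1.0.0, current version 315.0.0)\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)\n",
}


def parse_otool_l(text):
    """Dependency paths from `otool -L` output: skip the "path:" header line, strip the version
    info in parentheses, and drop a dylib's own install name (a dylib lists itself first)."""
    lines = text.splitlines()
    self_path = lines[0].rstrip(":") if lines else None
    deps = []
    for line in lines[1:]:
        if line.startswith("\t"):  # dependency lines are tab-indented
            path = line.strip().split(" (")[0]
            if path != self_path:
                deps.append(path)
    return deps


def collect_libraries(binary, lookup):
    """Walk dependencies transitively so libraries needed only by other libraries are not missed
    (the loop in mac-ir.sh copies only the first level). `lookup(path)` returns otool -L text."""
    needed, todo = set(), [binary]
    while todo:
        for dep in parse_otool_l(lookup(todo.pop())):
            if dep.startswith("@"):  # @executable_path/@rpath entries need resolving; skipped here
                continue
            if dep not in needed:
                needed.add(dep)
                todo.append(dep)
    return needed


if __name__ == "__main__":
    for lib in sorted(collect_libraries("/bin/ps", lambda p: FAKE_OTOOL[p])):
        print(lib)
```

The visited set also stops the libSystem/libmathCommon cycle from looping forever, which a naive recursive copy would not.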

Response Script

Having a script when doing live response is very important, because executing commands on a running system makes changes to it. If you use a script, you have a documented list of what was run and accessed on the system. Of course, any other commands that you run outside the script still need to be documented. Consistency is another important advantage. As systems get more complicated, it is becoming more difficult to remember to collect everything you need before the system is taken offline. Additionally, how often you perform IR on a particular OS can also make manual collection more challenging.

After running the script, you should have two directories (bin and lib). We need to do something with these files, so it's time to build a script. Like all good programmers, start with code that someone has already written. Pull down the old Helix CD-ROM; under the static binaries directory is a script, linux-ir.sh. This is the framework I used to build the script included below. One major thing I changed in this script was the order in which data is collected. I would recommend following the NIST guidelines in SP 800-86. On page 5-8 they list the order as follows:

1. Network connections
2. Login sessions
3. Contents of memory
4. Running processes
5. Open files
6. Network configuration
7. Operating system time

The Apple Examiner website has a great list of some OS X specific items to collect. The best program I've found for scripting analysis of plist files is PlistBuddy. It can dump both binary and XML plists and convert them to ASCII.

I've created a starter script for gathering information. While it does not include all the commands listed in the Helix IR script, it does cover at least one command for each major category of information that should be gathered. Many times responders will want to use different tools to get the same information and compare the output, or sort the output in different ways. You will need to customize it for your needs, but if other commands should be added please let me know, and I'll keep updating the script.

#!/bin/bash
#Public MAC-IR.sh
#Version 0.1
#Author:Tom Webb
#usage ir_script.sh /path/to/folder containing bin and lib directory
#output is to standard out

clear

if [[ $EUID -ne 0 ]]; then
 echo "You must be root or sudo to run script"
 exit 1
fi

#Error if no directory given
if [ -z "$1" ]; then
 echo -e "\nUsage: `basename $0` /path/to/folder containing bin and lib directory"
 exit 1
fi

if [[ ! -d "$1" ]]; then
 echo "Directory does not exist"
 exit 1
fi

BINDIR="$1/bin" #$1 is command line argument for path
export DYLD_LIBRARY_PATH="$1/lib" #OS X's dyld honours DYLD_LIBRARY_PATH, not LD_LIBRARY_PATH; export it so the IR_ binaries inherit it
export PATH="$BINDIR" #From here on only the trusted IR_ binaries from the disk are on the path

IR_echo "========="
IR_echo "Start Date:"
IR_echo "========="
IR_date
IR_echo

IR_echo "========="
IR_echo "hostname:"
IR_echo "========="
IR_hostname
IR_echo

IR_echo "==================================="
IR_echo "netstat output(current connections)"
IR_echo "==================================="
IR_netstat -an
IR_echo

IR_echo "==================================="
IR_echo "lsof -i Network Connections"
IR_echo "==================================="
IR_lsof -i
IR_echo

IR_echo "=========================="
IR_echo "currently logged in users:"
IR_echo "=========================="
IR_who
IR_echo

IR_echo "=========================="
IR_echo "List of running processes:"
IR_echo "=========================="
IR_ps auxwww
IR_echo

IR_echo "=========================="
IR_echo "Memory Mapping of all Processes"
IR_echo "=========================="
for i in `IR_ps aux | IR_awk 'NR>1 {print $2}'`; do IR_vmmap $i ; done #NR>1 skips the PID header line, which is not a valid process id
IR_echo

IR_echo "============"
IR_echo "List of open files:"
IR_echo "============"
IR_lsof
IR_echo

IR_echo
IR_echo "======================"
IR_echo "serversetup -getDefaultDNSServer :"
IR_echo "======================"
IR_serversetup -getDefaultDNSServer *
IR_echo

IR_echo "=============="
IR_echo "routing table:"
IR_echo "=============="
IR_netstat -rn
IR_echo

IR_echo "=================="
IR_echo "arp table entries:"
IR_echo "=================="
IR_arp -an
IR_echo

IR_echo "======================"
IR_echo "Network interface info"
IR_echo "======================"
IR_ifconfig -a
IR_echo
IR_ifconfig -L
IR_echo

IR_echo "======================"
IR_echo "Mount"
IR_echo "======================"
IR_mount
IR_echo

IR_echo "======================"
IR_echo "disktool"
IR_echo "======================"
IR_disktool -l
IR_echo

IR_echo "======================"
IR_echo "macrobber"
IR_echo "======================"
IR_macrobber /
IR_echo

IR_echo "======================"
IR_echo "LS -LAR /System/Library/StartupItems"
IR_echo "======================"
IR_ls -laR /System/Library/StartupItems
IR_echo

IR_echo "======================"
IR_echo "LS -LAR /Library/StartupItems"
IR_echo "======================"
IR_ls -laR /Library/StartupItems

IR_echo "=============================================="
IR_echo "/etc/hosts.allow"
IR_echo "=============================================="
IR_cat /etc/hosts.allow
IR_echo

IR_echo "=============================================="
IR_echo "cat /etc/passwd"
IR_echo "=============================================="
IR_cat /etc/passwd
IR_echo

IR_echo "=============================================="
IR_echo "cat /etc/group"
IR_echo "=============================================="
IR_cat /etc/group
IR_echo

IR_echo "==========="
IR_echo "   fstab   "
IR_echo "==========="
IR_cat /etc/fstab
IR_echo

IR_echo "==========="
IR_echo "SystemVersion.plist"
IR_echo "==========="
IR_PlistBuddy -c  Print /System/Library/CoreServices/SystemVersion.plist
IR_echo
IR_echo

IR_echo "==========="
IR_echo "ServerVersion.plist"
IR_echo "==========="
IR_PlistBuddy -c  Print /System/Library/CoreServices/ServerVersion.plist
IR_echo
IR_echo

IR_echo "==========="
IR_echo " SoftwareUpdate.plist  (Last softwareupdate)    "
IR_echo "==========="
IR_PlistBuddy -c  Print /Library/Preferences/com.apple.SoftwareUpdate.plist
IR_echo
IR_echo

IR_echo "==========="
IR_echo " /Library/Preferences/com.apple.preferences.accounts.plist  "
IR_echo "List of Deleted User Accounts "
IR_echo "==========="
IR_PlistBuddy -c  Print /Library/Preferences/com.apple.preferences.accounts.plist
IR_echo
IR_echo

IR_echo "==========="
IR_echo "Safari LastSession.plist for each user"
IR_echo "==========="
for i in `IR_ls /Users`; do #Each directory under /Users becomes $i (one per user, plus Shared)
 IR_echo "User $i"
 IR_PlistBuddy -c Print /Users/$i/Library/Safari/LastSession.plist
 IR_echo
done

IR_echo "==========="
IR_echo " /Library/Preferences/com.apple.alf.plist"
IR_echo "Firewall settings "
IR_echo "==========="
IR_PlistBuddy -c  Print /Library/Preferences/com.apple.alf.plist
IR_echo
IR_echo

IR_echo "========="
IR_echo "End Date:"
IR_echo "========="
IR_date
IR_echo

Finishing Up

Let's make sure that you have everything ready to burn to a disk. You will need to make sure that your file permissions are correct. In the example below I have my /bin and /lib directories in the /tmp/ir directory.

#chmod  -R 755  /tmp/ir

Now it's time to take the /bin and /lib directories along with mac-ir.sh and burn them to disk. Once it's burned, we need to test it out.

1. Launch terminal.

This is under Finder -> Utilities -> Terminal

2. Find out your mounted CD-ROM drive.  From Terminal:

$mount |grep cd9660

/dev/disk1s0 on /Volumes/ir_1.0 (cd9660, local, nodev, nosuid, read-only, noowners)

3. Change directory to your cd mount

$cd /Volumes/ir_1.0

4. Determine where you want to output your results. You should not write the output to the system you are analyzing. I always carry two drives when doing analysis: one small flash drive to dump volatile data and a large one for the disk image. You can also send the data across the network using cryptcat.

5. Run the script (this example redirects the output to a removable drive /volumes/usb with the filename ir.txt)

$sudo ./mac-ir.sh /volumes/ir_1.0  >/volumes/usb/ir.txt

6. Before you shut down the system, ALWAYS make sure that your script worked by checking the results file.