Stay protected against Ransomware

Ransomware is here to stay. This is something becoming clearer by the minute. It is a very lucrative business if we judge it by the successful infection effectiveness rate and, to a lesser extent, due to rescue payment rates by the affected parts.

To the already infamous Cryptolocker, CryptoWall, TorrentLocker, TeslaCrypt and others, we have to add the recent HydraCrypt and UmbreCrypt. All of them with slight variations over the previous ones in an attempt to avoid the scarce barriers that Antivirus institutions are introducing, together with some initiatives more or less imaginative, and somewhat effective, in order to identify the activity of this kind of threat.

Recently, the CNI (Spanish National Intelligence Center), through the CCN-CERT, published a Ransomware guide where they had compiled some ransomware variants together with file decrypting tools that different Antivirus companies provided, after disarticulating several criminal networks or after deep analysis of malware samples.

[Read more…]

Yara for Incident Handling: a practical case

Yara is an initiative that’s become more and more popular for incident handling, especially over the last year. This project has been widely spoken about on this and other blogs.

Here I’m going to show you a practical example for using incident handling triggered by ransomware. Over the last months there has been an increase in this type of malware that, in spite of the many warnings from those of us working in security and incident handling, is still having quite a big impact. Fortunately, the most recent incidents of ransomware where I have been involved, the compromise has only affected one user each time, which allowed us to focus more on the scope of the encrypted archives than on identifying the equipment that may have been compromised.

Extension identification

One of the first cases we were involved in was an incident with CTB-Locker. On this occasion, a user reported a message appearing on his desktop informing him that his archives had been encrypted and asking for a ransom to recover them. Once part of the incident had been contained by disconnecting the equipment from the network and identifying it as the only one affected (let’s not go into this here) we went on to determine which archives had been encrypted and which ones could be recovered (we would never recommend paying the ransom).

[Read more…]

Snort’s Reputation Preprocessor

Snort’s reputation preprocessor is not something new; in fact, it appeared in August 2011 in version 2.9.1. Up to that moment, the only way to manage blacklists was to create a rule with the list of IP addresses blacklisted, such as BotCC rules (emerging-botcc.rules).

alert tcp $HOME_NET any -> [,,,,,,,,,,,,,,,,] any (msg:"ET CNC Shadowserver Reported CnC Server TCP (group 1)"; flags:S; 
reference:url,; reference:url,; 
threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; 
flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404000; rev:3259;)

However, this method has a length restriction and you end up with tens of backlisted IP rules with names such as “ET CNC Shadowserver Reported CnC Server UDP (group 49)” or “ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (group 43)”.

However, that’s not the main problem of this method: the main issue is performance. Taking into account that they are detection rules, packet processing is much more expensive and global performance worsens. When packet throughput is very high and there are many blacklist entries such as Shadowserver,, Malwaredomains… and our own lists, Snort performance becomes a problem and it is necessary to find a better way to manage blacklists. Then it’s time to use this preprocessor.

[Read more…]

Nmap –script http-joomla-brute. Where THC-Hydra doesn’t fit.

During a recent audit I wanted to try the strongness of the passwords used and I tried a simple dictionary attack against the login form of Joomla! just in case there was any account with one of those weak passwords. The form was as follows:

The method pointed by Rafa in is post: THC-Hydra: Obtaining user credentials by brute-force is fully valid for simple forms but in this case we can’t use it. If you look at the form HTML code we see that in addition to the parameters username and passwd, it has a hidden field that changes in each session. Let’s see the code:

We can see that the last field, which has a value of 1, consists of 32 hexadecimal digits that are generated every time, so we can not know a priori its value and include it the request for THC-Hydra. The petition using the above tool would be something (security parameter remarked in bold):

$ hydra -l admin -p admin1234 <server> http-post-form "/index.php:username=^USER^&

However, it will not work because the generated code is different every time, so the result will be a message “Invalid Token“. Because of this, and after several unsuccessful attempts trying to retrieve and include unsuccessfully that value in the THC-Hydra request, I jumped to nmap to see if there was any script that could help me in this situation.

Indeed, after searching for information on Google I found a script that seemed to do what I wanted: http-joomla-brute. I checked código“>the code and I saw that it was using the parameter “security token” to build the request, so I figured it would work in this situation.

if response.body then 
	_, _, security_token = string.find(response.body, '<input type="hidden" 
                                           name="(%w+)" value="1" />') 
if security_token then 
	stdnse.print_debug(2, "Security Token found:%s", security_token) 
	stdnse.print_debug(2, "The security token was not found.") 
	return false 

The above code searches the token in the form returned by the server and stores it in security_token, that will be used later to send the POST. Therefore, in case that the form includes this kind of safety mechanism we could use nmap as follows:

$ nmap -p80 --script http-joomla-brute --script-args 'userdb=user.txt,passdb=~/john-1.7.9/run/
brute.firstonly=true' <server>

Starting Nmap 6.00 ( ) at 2013-01-30 14:49 CET 
Stats: 0:07:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Stats: 0:09:06 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Nmap scan report for <server> (192.168.XXX.XXX) 
Host is up (0.0038s latency). 
80/tcp open  http 
| http-joomla-brute: 
|   Accounts 
|     No valid accounts found 
|   Statistics 
|_    Performed 3546 guesses in 605 seconds, average tps: 5 

Nmap done: 1 IP address (1 host up) scanned in 604.97 seconds 

I hope it helps you and saves some time since I spent some time with THC-Hydra trying the tool to take that parameter automatically. However, if anyone knows another way to do this please say it in the comments.

New MFTParser plugin in the alpha version of Volatility

Last week, playing with a forensics challenge left by Jack Crook (@jackcr) in the GCIH LinkedIn group, I upgraded Volatility to version 2.3_alpha. In this challenge, the author had included the RAM dump and the disk timeline of each one of the affected computers, and a capture file of the network traffic. However, reviewing the novelties included in this Alpha version I saw a couple of them quite interesting: mbrparser and mftparser.

Mftparser, as indicated in the Volatility webpage, scans and analyzes entries in the Master File Table (MFT). The plugin scans the memory dump for possible MFT entries and prints out information for certain attributes. For more information see OMFW 2012: Reconstructing the MBR and MFT from Memory.

Despite having the timeline, I decided to try the new plugin and compare the output with the one we had been provided. The output can be displayed in a tabular format or, and here is where it gets powerful, in the body format of Sleuthkit (with option –output=body).

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin mftparser –output=body
Volatile Systems Volatility Framework 2.3_alpha

Scanning for MFT entries and building directory, this can take a while
(FN) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
(SI) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
(FN) 0x12d588|WINDOWS\Prefetch\|11727|---a-------I---|0|0|424|1353971273|
(FN) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
(SI) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
(FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0
(FN) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353971306|1353971306|
(SI) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353980005|1353980005|
(FN) 0x311000|WINDOWS\Prefetch\|11728|---a-------I---|0|0|480|1353971306|13
(FN) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971435|1353971435|
(SI) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971493|1353971493|

Then you just have to run mactime (included on Sleuthkit) on this file and you get a system timeline from the RAM dump.

mbelda@audit:~/Forensics/jackcr-challenge$ mactime -b  ENG-USTXHOU-148/body.txt >  

I find this especially useful when, for reasons of size or availability, we can not have a disk image to get the information about the creation or access times of certain files.

Here’s an example. Thanks to searching for strings (strings command with the IP showed with the command connscan) directly on the RAM dump, we find a mail received by the user is that contains a link to a suspicious executable file:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin connscan

Volatile Systems Volatility Framework 2.3_alpha
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850                        36569092
0x01ffa850          1024
0x0201f850         4
0x02084e68         628
0x020f8988         696
0x02201008         628
0x18615850         4
0x189e8850          1024
0x18a97008         628
0x18b8e850                        36569092
0x18dce988         696

mbelda@audit:~/Forensics/jackcr-challenge$ strings ENG-USTXHOU-148/memdump.bin > 
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/strings.txt


Received: from d0793h ( [])
        by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
        Mon, 26 Nov 2012 15:00:07 -0500
Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
From: "Security Department" <>
To: <>, <>,
Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
This is a multi-part message in MIME format.
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus.  This is critical and must be done ASAP!  Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions.  Failure =
to install this anti-virus may result in loosing your job!
Please donwload at
The IS Department
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META content=3D"text/html; charset=3Diso-8859-1" =
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18702">

Running the iehistory plugin (also new in this version 2.3 of Volatility) we could confirm that the user clicked the link:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/ --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin iehistory

Volatile Systems Volatility Framework 2.3_alpha
Process: 284 explorer.exe
Cache type "URL " at 0x2895000
Record length: 0x100
Location: Visited: callb@
Last modified: 2012-11-26 23:01:53 
Last accessed: 2012-11-26 23:01:53 
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xa8

But it would be thanks to the timeline created by the plugin mftparser that we could confirm he did not only clicked the link but also that the file was downloaded and executed, and thus the system compromised.

mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/body_mactime.txt
Mon Nov 26 2012 23:01:54      472 mac. --------------- 0  0  10117    Documents and Settings\
                                                                       callb\Local Settings\Temp
                              352 macb ---a-------I--- 0  0  11721    System Volume Information\
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\SYMANT~1.PF
                              584 mac. --------------- 0  0  3420     WINDOWS\system32\CatRoot2
                              824 .a.. --------------- 0  0  3432     WINDOWS\system32\CatRoot2\
                              344 mac. ---a----------- 0  0  6996     WINDOWS\system32\CatRoot2\
                              352 .a.. ---a----------- 0  0  8499     WINDOWS\system32\CatRoot2\
                              344 .ac. -h------------- 0  0  8610     WINDOWS\system32\6to4ex.dll
                              336 mac. ---a----------- 0  0  8611     WINDOWS\system32\CatRoot2\
                              472 mac. -----------I--- 0  0  8823     System Volume Information\
Mon Nov 26 2012 23:01:55      352 m.c. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                              344 mac. ---a----------- 0  0  206      WINDOWS\system32\drivers\
                              416 .a.. ---a----------- 0  0  3438     WINDOWS\system32\CatRoot2\
                              416 .a.. ---a----------- 0  0  3439     WINDOWS\system32\CatRoot\
                              576 .a.. -h------------- 0  0  45       WINDOWS\inf
                              344 mac. ---a----------- 0  0  7161     WINDOWS\system32\wbem\Logs\
                              352 .a.. ---a----------- 0  0  8071     WINDOWS\inf\syssetup.inf
                              568 ..c. -hs--------I--- 0  0  8835     Documents and Settings\callb\
                              344 m.c. -hsa-------I--- 0  0  8836     Documents and Settings\callb\
                              344 .a.. --s------------ 0  0  9481     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                              344 .a.. --s------------ 0  0  9482     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                              472 .a.. --s------------ 0  0  9483     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
Mon Nov 26 2012 23:01:56      352 macb ---a-------I--- 0  0  10216    System Volume Information\
                              360 mac. ---a----------- 0  0  3355     WINDOWS\inf\syssetup.PNF
Mon Nov 26 2012 23:01:59      352 .ac. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                              352 macb ---a-------I--- 0  0  11705    System Volume Information\
                              936 mac. rhs------c----- 0  0  71       WINDOWS\system32\dllcache
Mon Nov 26 2012 23:02:07      352 .a.. ---a----------- 0  0  23813    WINDOWS\system32\racpldlg.dll
Mon Nov 26 2012 23:03:10      472 macb --------------- 0  0  7556     WINDOWS\webui
Mon Nov 26 2012 23:03:21      488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\
                              488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 .a.. ---a----------- 0  0  24145    WINDOWS\system32\ipconfig.exe
Mon Nov 26 2012 23:03:55      376 mac. ---a----------- 0  0  3436     WINDOWS\system32\CatRoot2\
Mon Nov 26 2012 23:04:14      352 .a.. ---a----------- 0  0  23351    WINDOWS\system32\drivers\
Mon Nov 26 2012 23:04:24      336 mac. ---a----------- 0  0  9790     WINDOWS\system32\CatRoot2\
Mon Nov 26 2012 23:06:34      504 macb ---a----------- 0  0  11710    WINDOWS\ps.exe
                              472 m.c. --------------- 0  0  28       WINDOWS
Mon Nov 26 2012 23:06:35      504 m.c. ---a----------- 0  0  11710    WINDOWS\ps.exe
Mon Nov 26 2012 23:06:47      416 macb ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:48      416 mac. ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:52      440 macb ---a----------- 0  0  11723    WINDOWS\webui\ra.exe
Mon Nov 26 2012 23:06:56      344 macb ---a----------- 0  0  11724    WINDOWS\webui\sl.exe
Mon Nov 26 2012 23:06:59      368 macb ---a----------- 0  0  11725    WINDOWS\webui\wc.exe
                              288 m... ---a----------- 0  0  11739    WINDOWS\system32\wc.exe
Mon Nov 26 2012 23:07:31      352 .a.. --------------- 0  0  11470    WINDOWS\system32\iertutil.dll
                              344 .a.. ---a----------- 0  0  11498    WINDOWS\system32\urlmon.dll
                              344 .a.. ---a----------- 0  0  11502    WINDOWS\system32\wininet.dll
                              488 mac. ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 macb ---a----------- 0  0  11726    WINDOWS\webui\netuse.dll

The other highlighted files are those that Dropper creates when executed in order to compromise the PC. If anyone wants to see the final report of the challenge, follow the link below provided by Bryan Nolen (@BryanNolen) at Volatility page.

@Jackcr Forensics Challenge.