Hey there!! After a long time, I am back again with a new blog. Today I am going to share some interesting stuff with you. In this write-up, I will walk you through a case study (“Digital Forensic Analysis of a Malware Infected Machine”) that I worked on during my university studies.
If you’re ready, let’s get started with our case study.
Introduction:
“Man-in-the-browser” is a type of attack in which a proxy Trojan infects a web browser and alters web pages or transaction content, or inserts additional transactions, covertly and invisibly to both the user and the web application host. The best-known man-in-the-browser Trojans targeting the banking and financial industries are Carberp, SilentBanker, SpyEye, and Zeus. Zeus, called the “King of Banking Trojans” and one of the first pieces of malware to be sold under licence, first appeared on the malware landscape in 2007 and dominated the field until about 2011.
The Zeus Trojan, also known as Zbot, was first discovered in 2007 and has since become one of the most successful pieces of botnet software in the world, infecting millions of PCs and spawning a slew of derivative malware based on its code. Although the threat from Zeus lessened after its developer reportedly retired in 2010, the later leak of its source code produced several new variants that made the malware current and dangerous once more. Zeus infects Internet Explorer and Firefox on Windows PCs. A mobile variant known as ZitMo (Zeus in the Mobile) followed, able to run on Windows Mobile, Android, Symbian, and BlackBerry OS and to defeat SMS-based “out-of-band” two-factor authentication for banking. Industry reports of the time ranked Zeus, alongside Stuxnet, among the malware that caused the most alarm.
In this report I address the forensic examination of RAM, volatile data, system logs, and the registry acquired from a bank customer’s machine, and how open source and commercial tools were used to confirm the source of the attack, the timestamps, and the malware’s behavior. The study benefited the bank with respect to its regulatory and legal liability.
Body of the report:
The body of the report starts with a detailed description of the case, followed by the criminal suspect and the victim.
Detailed description of the case:
“ABC Bank” (the client’s name has been changed) is one of the banks that offer net banking services to its customers. On April 2nd, 2014, one of ABC Bank’s customers (an air ticketing company) noticed new fields on the bank’s net banking authorization page in addition to the standard name, card number, expiration date, and security code. The customer filled them in, assuming that the bank’s requirements had changed as of April 1st, 2014 (the start of the financial year in India), and lost more than $0.6 million over the four days beginning April 2nd, 2014. The customer asked the bank to refund the money, claiming that the bank was at fault for not employing “reasonable security practices”. Fig. 1 shows the net banking authorization page with the extra fields, as observed by the customer of ABC Bank. Under Section 43A of the Indian Information Technology Act, 2000, banks and other intermediaries that fail to maintain reasonable security practices must compensate victims who lose money through net/online banking. Banks are also required to report cyber security incidents to the Indian Computer Emergency Response Team (CERT-In) under the Information Technology (Intermediaries Guidelines) Rules, 2011. ABC Bank engaged the Fraud Management & Digital Forensic team of TCS’ Enterprise Security and Risk Management (ESRM) business to conduct a forensic investigation of the customer’s machines, within a fixed timeframe, to detect the presence of any malware and establish the root cause of the incident.
The criminal suspect and the victim of the Case:
Criminal Suspect:
The suspect in this case might be the APT41 group. This is a hypothesis only: the evidence below identifies a malware family and a remote address, not an operator. APT41 is unique among tracked China-based actors in that it uses non-public malware, normally reserved for espionage operations, in activity that appears to fall outside the scope of state-sponsored missions. Based on early observed activity, consistent behavior, and APT41’s unusual focus on the video game industry, the group’s cybercrime activity is assessed to be most likely motivated by personal financial gain or hobbyist interests.
APT41 has compromised hundreds of computers and employed nearly 150 different malware families, including backdoors, credential stealers, keyloggers, and rootkits. To disguise its malware and maintain persistence on selected systems, APT41 has on a limited basis used rootkits and Master Boot Record (MBR) bootkits.
Victim:
The victim in this case is the air ticketing company, a net banking customer of ABC Bank, one of the well-known banks offering net banking services. While performing online transactions, the customer saw additional fields on the net banking authorization page, such as date of birth, mother’s maiden name, and sort code. The customer was puzzled, having never seen those fields before, but on April 2nd, 2014 assumed that the bank had updated the transaction/authorization page from April 1st. Over the next four days the company lost more than $0.6 million. The customer demanded repayment, arguing that the fault lay with the bank for not following reasonable security practices. In short, the incident came down to poor security practice.
Digital Evidence:
Digital evidence is any probative information stored or transmitted in digital form, such as audio files, video recordings, and digital photographs. In computer and cyber crime cases the evidence acquired is crucial. Word processing documents, spreadsheets, internet browser histories, databases, the contents of computer memory, and computer backups are all examples of digital evidence that can be produced in a court of law, provided its authenticity can be established.
The handling of digital evidence is usually described in the following phases:
· Identification
· Collection
· Acquisition
· Preservation
· Analysis & Reporting
· Identification:
Identification is the first stage of the forensic process. It screens what evidence is available, where it is stored, and in what form. Information about the cybercrime is gathered before the digital evidence is collected. The digital media involved can be computers, cell phones, digital cameras, biometric devices, printers, scanners, iPods, laptops, and so on. This basic information is similar to what is required in a traditional criminal investigation. Cybercrime investigators use a variety of investigative methods during the identification phase, especially for obtaining information and evidence.
· Collection:
In cybercrime, the crime scene is not limited to the physical location of the digital devices used to commit the crime or targeted by it. It also includes every digital device, system, and server that may hold digital evidence. The scene is secured when a cybercrime is committed, identified, or suspected. The first responder identifies and protects the scene from contamination and preserves volatile evidence by isolating the users of all digital devices found there.
· Acquisition:
There are various ways to acquire evidence, and the method depends on the type of digital device: acquiring evidence from a mobile phone differs from acquiring it from a computer hard disk. Evidence from devices that are not live (powered off) is extracted in the digital forensics laboratory (static acquisition); a live system, as in this case, requires live acquisition of the volatile data before it is powered down. In either case, digital evidence must be acquired in a way that protects its integrity.
· Preservation:
Preservation aims to keep digital evidence unaltered. At every stage of evidence handling its integrity must be maintained: first responders, investigators, and forensic experts must be able to demonstrate, wherever possible, that the evidence was not tampered with during identification, collection, and acquisition, which depends on the device and the conditions encountered. To do so, the chain of custody must be maintained.
· Analysis and Reporting:
Digital forensics includes not only the processing of digital data but also the analysis and interpretation of the evidence (analysis phase) and the integration of the analytical conclusions into a report (reporting phase). Before the examination begins, the analyst should be briefed on the purpose of the search and given the specifics of the case, along with any further information obtained during the investigation that may assist the analysis.
Digital Forensic Investigation (Malware Infected Machine Case):
My chosen case study is the “Malware Infected Machine” case, in which the digital forensics team visited the victim’s company and found the suspected infected machine powered on. The team worked in two stages:
Stage 1: Collection of digital evidence
Stage 2: Analysis of collected digital evidence.
Stage 1-Collection of digital evidence:
Using FTK Imager, the digital forensic team forensically imaged the Random Access Memory (RAM) in .dd format onto a forensically sterile medium. Registry files, event log files, internet history, and other volatile data from the suspect machine, including the list of running programs/processes, network connections, and DLLs loaded on the live system, were also collected. FTK Imager and the Digital Evidence Forensic Toolkit were used to collect the evidence.
Stage 2-Analysis of collected digital evidence:
Memory dumps, registry files, and event logs were the sources of evidence for the digital forensic analysis.
Type of evidence used in the criminal investigation of the case:
After the two stages, the digital forensic team had found several kinds of evidence used in the criminal investigation of the case. A Trojan, “PWS:Win32/Zbot.gen!GO”, had infected the explorer.exe process and its child processes “jucheck.exe”, “igfxpres.exe”, and “jusched.exe”. The Windows Firewall had been disabled, the system’s IP address changed, the event logs and the registry altered, an executable with a random name created, and the antivirus “Quick Heal Total Security” uninstalled. The Trojan hooks API addresses and injects code into web pages to monitor online banking activity.
Tools Used for Investigation:
The digital forensic investigation team listed the tools and techniques used in the investigation.
Tools and Techniques:
A “tool” is a distinct, tangible thing used to produce a product or result, such as a template or a software program, while a “technique” is a defined, systematic procedure that produces one or more outputs and may itself use one or more tools. Either way, the evidence is the proof that identifies the culprit, so the integrity of the digital evidence must be maintained.
In this case the team used Volatility, an event log browser, FTK Imager, EnCase, Autopsy, and a registry viewer (Registry Editor).
· Memory Dump analysis:
A memory dump copies the entire contents of RAM to storage. It matters for forensics because RAM holds the running processes, their network connections, the DLLs and code loaded into them, and the registry hives that Windows maps into memory at start-up. Developers also use memory dumps to capture diagnostic information at the time of a crash. Volatility, a free memory analysis framework written in Python, was used to interpret and analyze the RAM dump files. Volatility 2 can read memory dumps from 32-bit and 64-bit Windows, Linux kernels, Mac OS X (10.5–10.9), and Android (32-bit and 64-bit), and many of its plug-ins are useful for detecting malware infections. (Contributor n.d.)
A few useful ones (Volatility 2 plugin names; Volatility 3 renames them) are:
· connscan - scan memory for TCP connection objects, including closed ones
· pstree - show processes as a parent/child tree
· psscan - scan memory for process objects, which also finds hidden (unlinked) and terminated processes
· connections - list active TCP connections (Windows XP/2003; use netscan on Vista and later)
· malfind - find injected code and hidden DLLs in process memory
· pslist - list running processes by walking the active-process linked list
The list of running processes was extracted from the RAM dump; it shows that some processes were hidden. The extracted process list is given in Fig. 3.
The process tree extracted from the RAM dump shows a process named “emvije.exe” (PID 1688). It is a child of “explorer.exe” (PID 1240) and is not associated with any known application or program.
The list of network connections was also extracted from the RAM dump. It shows a connection between the local system, from PID 1240 (explorer.exe), and the IP address 24.177.33.91. This is suspicious because explorer.exe does not normally initiate network connections.
The connection list also shows the local IP address of the system as 111.112.113.52. A Whois lookup was run to determine the ownership and country of the IP address; it reported “China Telecom-NINGXIA”. The process associated with these connections is PID 3696 (jucheck.exe), also a child of explorer.exe (PID 1240).
The RAM dump was then analyzed with Volatility’s “malfind” plugin, which looks in each running process for memory regions that are executable but not backed by a file on disk (the usual sign of injected code) and dumps them. The 35 process dumps produced by Volatility were uploaded to virustotal.com to check whether they contained malware. (Note that uploading process dumps to a public service shares whatever they contain, which on a banking customer’s machine may include credentials; hash lookups or a private sandbox are the safer first step.) Four of the dumps, for explorer.exe, jucheck.exe, igfxpres.exe, and jusched.exe, had a high detection ratio and were identified as “PWS:Win32/Zbot.gen!GO”. The malware is also known as GameOver Zeus, a Trojan that hooks API addresses and injects code into web pages to monitor online banking activity.
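The three checks described above (a process list that hides entries, a process tree with an unexpected child, and a connection from a process that should never open one) can be automated once Volatility’s tables are exported. As an added example (my own illustration, not code from the case report or from the Volatility project), here is that cross-view logic over constructed records: PIDs 1240, 1688 and 3696 and the remote address 24.177.33.91 are taken from the write-up, while the remaining processes, the psscan-only entry, and the allowlist of processes expected to talk to the network are assumptions.

```python
"""Cross-view checks over exported Volatility process and connection tables.

Added example: not code from the case report or from the Volatility project.
The sample records are constructed; see the comments for which values come
from the write-up and which are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    exited: bool = False  # psscan also returns terminated processes


@dataclass(frozen=True)
class Conn:
    pid: int
    remote: str


# Constructed stand-ins for pslist, psscan and connscan output.
# PIDs 1240, 1688, 3696 and the remote address are from the write-up;
# the remaining records are assumed for the demonstration.
PSLIST = [
    Proc(4, 0, "System"),
    Proc(600, 4, "winlogon.exe"),
    Proc(700, 600, "services.exe"),
    Proc(840, 700, "svchost.exe"),
    Proc(1180, 600, "userinit.exe"),
    Proc(1240, 1180, "explorer.exe"),
    Proc(1688, 1240, "emvije.exe"),
    Proc(1720, 1240, "igfxpres.exe"),
    Proc(1736, 1240, "jusched.exe"),
    Proc(3696, 1240, "jucheck.exe"),
]
PSSCAN = PSLIST + [
    Proc(2020, 1240, "unlinked.exe"),             # assumed: unlinked from the active list
    Proc(900, 700, "finished.exe", exited=True),  # assumed: terminated, not hidden
]
CONNSCAN = [
    Conn(840, "10.0.0.5"),         # assumed: svchost talking to a LAN host
    Conn(1240, "24.177.33.91"),    # explorer.exe, from the write-up
    Conn(3696, "24.177.33.91"),    # jucheck.exe, from the write-up
]

# Assumed baseline of processes that are expected to open network connections.
NET_EXPECTED = {"svchost.exe", "lsass.exe", "iexplore.exe", "firefox.exe"}


def hidden_processes(pslist, psscan):
    """Live process objects that psscan found but pslist did not: a process
    unlinked from the active-process list (DKOM) appears only in the scan."""
    listed = {(p.pid, p.name.lower()) for p in pslist}
    return [p for p in psscan
            if not p.exited and (p.pid, p.name.lower()) not in listed]


def suspicious_connections(procs, conns, expected=NET_EXPECTED):
    """Connections to public addresses from processes that are not expected
    to talk to the network (explorer.exe should never initiate one)."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for c in conns:
        proc = by_pid.get(c.pid)
        name = proc.name.lower() if proc else "<unknown pid>"
        if ip_address(c.remote).is_global and name not in expected:
            out.append((c.pid, name, c.remote))
    return out


def children_of(procs, pid):
    """Direct children of a process: the candidates to dump with malfind."""
    return sorted((p.pid, p.name) for p in procs if p.ppid == pid)


def analyze(pslist=PSLIST, psscan=PSSCAN, conns=CONNSCAN):
    flagged = suspicious_connections(psscan, conns)
    return {
        "hidden": hidden_processes(pslist, psscan),
        "network": flagged,
        "subtrees": {pid: children_of(psscan, pid) for pid, _, _ in flagged},
    }


if __name__ == "__main__":
    result = analyze()
    for p in result["hidden"]:
        print(f"hidden process: {p.name} (PID {p.pid}, parent {p.ppid})")
    for pid, name, remote in result["network"]:
        print(f"unexpected connection: {name} (PID {pid}) -> {remote}")
        for cpid, cname in result["subtrees"][pid]:
            print(f"    child: {cname} (PID {cpid})")
```

Two design points: the hidden-process check compares on (PID, name) rather than PID alone, because PIDs are reused and psscan sees objects left over from exited processes, which is why those are filtered out with the exit flag; and the network check keys on the image name, which is why a baseline of expected network clients has to be maintained per environment (the set above is an assumption, not a standard).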
· Registry Analysis:
The registry files were parsed with a registry viewer and examined for evidence related to the malware. One characteristic behavior of PWS:Win32/Zbot.gen!GO is disabling the Windows Firewall by altering the registry value
HKLM\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall and setting it to 0. The same alteration was found in the registry of the infected machine.
The Start value of HKLM\System\ControlSet002\Services\SharedAccess was found set to 2. (Which control set was live is recorded in HKLM\System\Select\Current; the examiner should confirm that ControlSet002 was the one in use, since an offline hive has no CurrentControlSet.)
The registry analysis also showed that the system’s IP address had been updated to 111.112.113.50, and an IP lookup gave the service provider as “China Telecom-NINGXIA”.
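The two registry checks above are easy to script against an exported fragment of the SYSTEM hive, which also lets the script resolve the live control set instead of assuming it. As an added example (mine, not code from the case report), the parser below reads .reg text of the kind `reg export` or a hive viewer produces (a real `reg export` file is UTF-16LE and must be decoded first) and reports the SharedAccess service state and the StandardProfile EnableFirewall value. The export embedded in it is constructed to hold the values the write-up cites; the key paths are the write-up’s, plus HKLM\SYSTEM\Select.

```python
"""Firewall checks over a registry export (.reg text).

Added example: not code from the case report. The export below is
constructed to contain the two values the write-up cites; the key paths
are the ones the write-up gives (ControlSet002), plus HKLM\\SYSTEM\\Select,
which records which control set was actually live.
"""
import re

# Constructed .reg export (the form `reg export` or a hive viewer produces).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')
START_NAMES = {2: "automatic", 3: "manual", 4: "disabled"}  # service Start values


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}} with paths
    and value names lower-cased. Only dword and string values are handled,
    which is all these checks need."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, dword, text_value = m.groups()
            tree[key][name.lower()] = int(dword, 16) if dword is not None else text_value
    return tree


def live_control_set(tree):
    """Resolve which ControlSetNNN was in use from HKLM\\SYSTEM\\Select\\Current."""
    current = tree.get(r"hkey_local_machine\system\select", {}).get("current")
    return f"controlset{current:03d}" if current is not None else None


def firewall_findings(tree):
    """Report the SharedAccess service state and the StandardProfile
    EnableFirewall value for the live control set."""
    cs = live_control_set(tree)
    if cs is None:
        return ["cannot resolve live control set: HKLM\\SYSTEM\\Select\\Current missing"]
    base = "hkey_local_machine\\system\\" + cs + "\\services\\sharedaccess"
    findings = []
    start = tree.get(base, {}).get("start")
    findings.append(f"SharedAccess Start={start} ({START_NAMES.get(start, 'unknown')}) in {cs}")
    if start == 4:
        findings.append(f"ALERT: Windows Firewall service disabled in {cs}")
    profile = tree.get(base + r"\parameters\firewallpolicy\standardprofile", {})
    if profile.get("enablefirewall") == 0:
        findings.append(f"ALERT: EnableFirewall=0, Windows Firewall standard profile off in {cs}")
    return findings


if __name__ == "__main__":
    for line in firewall_findings(parse_reg(SAMPLE_REG)):
        print(line)
```

Run against the embedded export it reports the service as automatic (Start=2) and raises the EnableFirewall=0 alert; point it at a real export and the Select\Current lookup decides whether ControlSet002 is the right set to read.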
· Event Log Analysis:
The Windows event log is a detailed record of system, security, and application events kept by the operating system and used by administrators to diagnose problems and anticipate future ones. Applications and the OS write significant hardware and software events to these logs, which an administrator can use to diagnose operating system issues. (On Windows XP/2003 the logs are .evt files such as AppEvent.Evt and SysEvent.Evt; Vista and later use the .evtx format.)
The event log file AppEvent.Evt, parsed and analyzed with EnCase version 7.1, revealed that the antivirus “Quick Heal Total Security” present on the system was uninstalled on 01-April-2014 at 11:49:36 AM.
· FTK Imager:
FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to decide whether it needs further examination with a full forensic suite such as Forensic Toolkit (FTK). It creates forensic images of local hard drives, CDs and DVDs, thumb drives and other USB devices, whole folders, or individual files from various locations within the media.
In this case the team used FTK Imager to image the RAM in .dd format onto forensically sterile media.
· Autopsy:
Autopsy is a digital forensics platform and a graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, the military, and corporate investigators to reconstruct what happened on a computer, and it helps investigators locate potential evidence.
Tools Used to Maintain Integrity of Digital Evidence:
In this case the integrity of the digital evidence was maintained throughout the investigation by generating a hash value, the evidence’s “digital fingerprint”.
· Hash value:
A hash value is a fixed-length value that, for practical purposes, uniquely identifies a piece of data; hash values are also used with digital signatures to stand in for large volumes of data.
To check the integrity of data, it is compared against a previously recorded hash value. The data is hashed at a specific moment and the result is safeguarded; later the data is hashed again and compared with the protected value. If the hashes match, the data has not changed. This holds for a collision-resistant function such as SHA-256; MD5 is still recorded by many imaging tools for compatibility but should not be relied on alone.
· Digital fingerprint:
In evidence handling, “digital fingerprint” simply means the hash value described above: the digest computed from the image, recorded at acquisition, and rechecked before and after analysis.
The same phrase is also used for device or browser fingerprinting, in which a remote site or third-party tracker collects small pieces of information about a user’s device and assembles them into a unique picture of that machine. That usage is about tracking users and is unrelated to evidence integrity.
FTK Imager supports data integrity by creating a bit-for-bit image of the drive and recording its hashes. Use of the original drive must be minimized to maintain a proper chain of custody; working from the image of the hard disk or pen drive keeps the original evidence unaltered.
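What the imaging tool does with those hashes, both at acquisition (the RAM image collected in Stage 1) and at every later verification, is the routine below. It is an added example of my own, not code from the case report or from FTK Imager: it hashes an image in fixed-size pieces so a multi-gigabyte dump never has to fit in memory, records the digests in a sidecar file, and re-verifies, showing that a single changed byte is caught. The image it works on is a constructed file in a temporary directory.

```python
"""Record and re-verify the hashes of an acquired image.

Added example: not code from the case report or from FTK Imager. It uses a
constructed file in a temporary directory in place of the RAM image.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB image never sits in memory


def hash_file(path, algos=("md5", "sha256")):
    """Compute several digests of a file in a single pass over it."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def write_sidecar(path, digests):
    """Store the digests next to the image; in practice the same values also
    go into the chain-of-custody record, kept apart from the evidence medium."""
    side = path + ".hashes"
    with open(side, "w") as fh:
        for algo, digest in sorted(digests.items()):
            fh.write(f"{algo} {digest}\n")
    return side


def read_sidecar(side):
    with open(side) as fh:
        return dict(line.split() for line in fh if line.strip())


def verify(path, side):
    """Re-hash the image and compare with the recorded digests, per algorithm."""
    recorded = read_sidecar(side)
    actual = hash_file(path, tuple(recorded))
    return {a: hmac.compare_digest(recorded[a], actual[a]) for a in recorded}


def demo(data=b"MZ" + bytes(range(256)) * 4096):
    """Write a constructed image, record its hashes, verify, flip one bit,
    verify again. Returns (ok_before, ok_after, recorded_digests)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "ram.dd")
        with open(img, "wb") as fh:
            fh.write(data)
        digests = hash_file(img)
        side = write_sidecar(img, digests)
        ok_before = all(verify(img, side).values())
        with open(img, "r+b") as fh:  # simulate a single-bit change
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0x01]))
        ok_after = all(verify(img, side).values())
        return ok_before, ok_after, digests


if __name__ == "__main__":
    before, after, d = demo()
    print("sha256:", d["sha256"])
    print("verified after acquisition:", before)
    print("verified after modification:", after)
```

Recording MD5 alongside SHA-256 matches what the imaging tools of the time wrote into their logs; the verification is per algorithm, so a report can state which digests were checked, and `hmac.compare_digest` is used out of habit so the comparison does not depend on the hash strings.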
Motive of the Crime:
Cyber attacks are becoming more common. Firms such as Tesco, Ashley Madison, and TalkTalk have all suffered serious breaches in recent years. Phishing emails, malware, and ransomware are the most common types of cybercrime affecting small businesses, with researchers estimating an average cost of £3,000 per organization.
A primary motivation for hackers is the money they can obtain by stealing passwords and bank details, holding customer information to ransom, or selling data to competitors or on the dark web. Many are driven by the desire to crack a supposedly unbreakable system and gain notoriety among their peers. Others act out of anger, using their skills to strike directly at a person, organization, or company.
Best Approach that the Investigator Takes:
Malware is defined as “software designed to infiltrate or damage a computer system without the owner’s informed consent.”
In this case, the best approach for the digital forensic team to investigate the malware infected machine includes the following:
· Expand the malware sample set continuously.
· Use automation to make the analysis effort go further.
· Always run malware in an isolated, controlled environment.
· Where possible, analyze a sample while its remote infrastructure is still live, so that its network behavior can be observed.
Findings:
The key findings of the forensic investigation, the indicators of compromise, are listed below:
· The Trojan “PWS:Win32/Zbot.gen!GO” infected the explorer.exe process as well as its child processes “jucheck.exe”, “igfxpres.exe”, and “jusched.exe”.
· On April 1, 2014, at 11:49:36 AM, the antivirus “Quick Heal Total Security” was uninstalled from the machine.
· The malware was most likely installed on April 1, 2014, judging by the changes made to the system that day.
· On April 1, 2014, at 02:02:53 PM, the system’s IP address was changed to “111.112.113.50”.
· On April 1, 2014, at 02:46:21 PM, the Windows Firewall was turned off.
· 01-04-2014 02:46:21 PM is the most recent entry in the registry.
· 01-April-2014 02:46:21 PM is the most recent entry in the event log files “AppEvent.Evt” and “SysEvent.Evt”.
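The findings above are really a timeline, and the practical difficulty in building one is that each artifact writes timestamps differently: the EnCase event log view and the registry viewer print local time in two layouts, while Volatility prints UTC. As an added example (mine, not code from the case report), the script below normalizes all three into one local clock, sorts the events, and measures the window between the first indicator of compromise and the first disputed transaction. The event log and registry times are the ones in the findings; the machine’s time zone (IST), the process start time, and the transaction time are assumptions and are marked as such.

```python
"""Merge artifact timestamps into one ordered timeline.

Added example: not code from the case report. Event log and registry times
are taken from the findings and are assumed to be local time (IST); the
Volatility process start time and the transaction time are assumed.
"""
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=5, minutes=30))  # assumption: machine clock in IST

# Each artifact writes timestamps in its own format.
FORMATS = (
    "%d-%B-%Y %I:%M:%S %p",      # EnCase event log view: 01-April-2014 11:49:36 AM
    "%d-%m-%Y %I:%M:%S %p",      # registry viewer: 01-04-2014 02:46:21 PM
    "%Y-%m-%d %H:%M:%S UTC%z",   # Volatility 2: 2014-04-01 09:00:00 UTC+0000
)

# (source, raw timestamp, description); the first three are from the findings,
# the last two carry assumed times.
RAW_EVENTS = [
    ("AppEvent.Evt", "01-April-2014 11:49:36 AM", "Quick Heal Total Security uninstalled"),
    ("registry", "01\u201304\u20132014 02:02:53 PM", "system IP address changed to 111.112.113.50"),
    ("registry", "01\u201304\u20132014 02:46:21 PM", "EnableFirewall set to 0, Windows Firewall off"),
    ("pslist", "2014-04-01 09:00:00 UTC+0000", "emvije.exe (PID 1688) started (assumed time)"),
    ("bank records", "02-April-2014 10:15:00 AM", "first disputed transaction (assumed time)"),
]


def parse_ts(raw):
    """Parse any of the known formats; convert UTC values to naive local time
    so everything sorts on the same clock."""
    raw = raw.replace("\u2013", "-").strip()   # en dashes from copy-pasted reports
    for fmt in FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if dt.tzinfo is not None:
            dt = dt.astimezone(LOCAL_TZ).replace(tzinfo=None)
        return dt
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def build_timeline(raw_events=RAW_EVENTS):
    """Sorted list of (local datetime, source, description)."""
    return sorted((parse_ts(ts), src, desc) for src, ts, desc in raw_events)


def exposure_hours(timeline, tx_source="bank records"):
    """Hours between the earliest indicator of compromise and the first
    disputed transaction: the window in which credentials could be captured."""
    first_ioc = timeline[0][0]
    first_tx = next(t for t, src, _ in timeline if src == tx_source)
    return (first_tx - first_ioc).total_seconds() / 3600


if __name__ == "__main__":
    tl = build_timeline()
    for when, src, desc in tl:
        print(f"{when:%Y-%m-%d %H:%M:%S}  {src:12}  {desc}")
    print(f"exposure window: {exposure_hours(tl):.1f} h")
```

The one step that is easy to get wrong is the time zone: if the Volatility line were sorted as printed, the process start would land before the antivirus removal and the story would read differently, which is why the conversion happens inside `parse_ts` rather than being left to the reader of the report.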
Conclusion:
Forensic analysis of RAM, volatile data, event logs, and the registry is critical when investigating an infected Windows PC. These indicators of compromise were subjected to forensic investigation, and in this case they exposed not only the source of the attack but also its method and the nature and behavior of the malware: explorer.exe was infected; the firewall was deactivated, the event logs altered, the registry modified, and an executable with a random name generated; and APIs were hooked and code embedded into web pages to watch online banking activity. These are just a few of the characteristics of this Zeus-variant Trojan.
The results confirmed the facts of the case within the deadlines and protected the bank against litigation and regulatory liability. Throughout, data integrity had to be maintained, and for good reason: data integrity ensures recoverability, searchability, traceability (to origin), and connectivity, and protecting the validity and accuracy of data also improves stability, performance, reusability, and maintainability.
Recommendation:
In this section I recommend keeping your operating system up to date, whether it is Windows, Mac OS X, Linux, or another. OS developers release security patches regularly to close security flaws, and these updates help keep your machine secure. Keep your anti-virus software up to date as well: new viruses and malware appear constantly, and a scanner is only as good as its signature database, so that too must be as current as possible. Never run an open Wi-Fi network. Use WPA2 (AES) or WPA3; WEP is broken and can be cracked in minutes, and the original WPA (TKIP) is also deprecated.
Resources:
1. Donohue, B. (2013) The Big Four Banking Trojans- Kaspersky Daily [online] available from <https://www.kaspersky.com/blog/the-big-four-banking-trojans/2956/> [30 September 2021]
2. Defense Inc., D. (n.d.) Zeus Trojan — What It Is & How To Prevent It | Digital Defense [online] available from <https://www.digitaldefense.com/blog/zeus-trojan-what-it-is-how-to-prevent-it-digital-defense/> [30 September 2021]
3. What Does Digital Evidence Mean? (n.d.) available from <https://www.definitions.net/definition/digital+evidence> [30 September 2021]
4. Cybercrime Module 6 Key Issues: Handling Of Digital Evidence (n.d.) available from <https://www.unodc.org/e4j/en/cybercrime/module-6/key-issues/handling-of-digital-evidence.html> [30 September 2021]
5. Tools And Techniques (n.d.) available from <https://www.acethepmpexam.com/ppe/tools%20and%20techniques.html> [30 September 2021]
6. Contributor, T. (n.d.) What Is Memory Dump? — Definition From Whatis.Com [online] available from <https://whatis.techtarget.com/definition/memory-dump> [30 September 2021]
7. Gillis, A. (n.d.) What Is Windows Event Log? — Definition From Whatis.Com [online] available from <https://searchwindowsserver.techtarget.com/definition/Windows-event-log> [30 September 2021]
8. Schonning, N. (2020) Ensuring Data Integrity With Hash Codes [online] available from <https://docs.microsoft.com/en-us/dotnet/standard/security/ensuring-data-integrity-with-hash-codes> [30 September 2021]
9. What Is Fingerprinting? (2020) available from <https://ssd.eff.org/en/module/what-fingerprinting> [30 September 2021]
10. Khagram, A. (2017) The Motivations Of A Hacker [online] available from <https://www.swcomms.co.uk/blog/article/the-motivations-of-a-hacker/> [30 September 2021]
11. Autopsy (n.d.) available from <https://www.sleuthkit.org/autopsy/> [30 September 2021]
That’s all for this blog, I hope you guys enjoyed this form of learning. ❤
Till then keep learning, keep exploring, and do hacking………………………
You can follow me on Social Media:
Linkedin: https://www.linkedin.com/in/rohit-ray-19284b232/
GitHub: https://github.com/rohit273
Twitter: https://twitter.com/RHittttt
Instagram: https://www.instagram.com/ro_hit.exe/
Please follow and subscribe for more awesome upcoming blogs.
Bye until Next time.