August 29, 2007

Investigating File Deletion from Windows File Servers - Part I

I have found myself in this situation a few times now: some critical files disappear from a file server and I am tasked to find out how it happened.

Sometimes I was able to solve the mistery, but other times I couldn't. The most important factor is the information available for me to investigate. Give me a full network trace of the server's traffic and lots of auditing information in the system's logs and I'll tell you that the chances of success are pretty high. Take away any of these elements and things become much more difficult.

Possible causes for important files 'magically' disappearing from a Windows file server are almost infinite. Just to name a few, it could be a bug in the operating system (I haven't seen this kind of bug in many years, but it's certainly possible), malicious software running in the server (this I've seen much more often), or a malicious system administrator or user error (even more often).

Yet another possibility is that someone with valid authentication credentials (e.g. username and password) accessed the folder containing the files through the network using the normal Windows file sharing protocol (SMB/CIFS) and simply deleted them, intentionally or unintentionally. This is the case that I'll be analyzing in detail in this series of articles.

So, how far could you go into finding out who, when, how, and from where removed the files if all you had was a network trace? And if you didn't have a network trace but you had system logs? Do you want to try?

Let us start with the network trace. Here you can find a network capture file, in pcap format (tcpdump, wireshark, etc.) obtained in a lab environment simulating the deletion of some files from a file server. The lab network was just a single Ethernet segment with two systems: a Windows XP (client) and a Windows Server 2003 (server).

If you want to play around with it, (just for fun and the learning experience, no prizes this time, sorry) you can try to find the answers to the following questions:

Q1 - How many files were deleted?
Q2 - When?
Q3 - How?
Q4 - Who did it?
Q5 - From where?

In the next article in this series I'll be showing how to obtain the answers to these questions from the network capture file provided. So, stay tuned!

Labels: ,

August 19, 2007

You Are the Best Firewall

A few weeks ago, while walking with the family enjoying the summer sunset, I saw the following poster in the street:

The poster slogan says: "You Are the Best Firewall". The sunny Spain is well known for its hot and dry summer, specially far from the coast. During the summer period one of the major threats against our nature are... FIRES!! Therefore, Madrid's government has launched an awareness campaign to prevent thousand of green forests hectares from being burned; a very valuable asset for us and future generations.

First time I saw the poster I thought: "... an infosec awareness campaign in the town? (sorry, security obsession)" :) The parallelism between both worlds is amazing. It is not new that during the last three years, the information security threats and attack vectors have changed from the common firewall-protected scenario against scans looking for vulnerable services, to the current user-focused attacks where the user actions help to compromise systems. Therefore:

You are the best firewall!!

The best way of dealing with this type of threats is through user awareness, trying to minimize the unintentional user actions that lead to a system compromise, or to a forest to get on fire. This awareness poster is fabulous: it has a short, straight and simple slogan that directly involves the user (KISS principle), it provides the phone number you need to call in case you make out a fire (incident response: what to do and who to contact if you detect an intrusion), and list the most important things you DO NOT have to do (real-world examples and guidance).

This is obviously related with our previous 3wplayer post, and corroborated by a recently deployed server, running on port TCP/443 on a SOHO environment (xDSL Internet line). I carefully monitor all the traffic from and to this system, and after five days it still has not received a single SYN packet! This low scanning rate was not the one we had three years ago.

If there is no big change in the current security and malware business, my prediction is that in a few years we will get similar general government campaigns focused on protecting your information and computer at home from being compromised and fall victim of a botnet, phising and trojan-backdoor attacks, identity theft, etc., in the same way we had campaigns to reduce fires and traffic accidents nowadays. An ounce of prevention is worth a pound of cure. Remember... You, your friends, family, relatives, neighbors, etc... are the best firewalls!!


August 13, 2007

Asking for help again

While we still wonder which is the latest vulnerability in our operating systems that can allow the attackers to own them, some real hackers are trying easier ways to obtain access to the John Doe's systems. And there is no easier method than asking for help through social engineering. When the target himself installs the malicious software into his system, it is very likely that the results are excellent for the attacker.

This method has been used several times before, sometimes using infected versions of legit software and sometimes with the bare malicious software (and some promise of a better life attached to it). The later method (more or less) is the one used by the 3wplayer.

Although some information is available, today only 3 out of the 32 anti-virus engines (F-Secure, Ikarus & Rising) available through VirusTotal are able to detect malware in the latest version of 3wplayer (3wPlayer- However, for the security concerned, it is quite suspicious the way it tries to get users to install the software.

I have received several reports of people downloading contents from P2P networks that when trying to play the downloaded avi with "impossibly cool" content, they only get a short message claiming that the file cannot be played with media player and that it needs 3wplayer that is available through their website (not included here to avoid stupid mistakes).

While I don't support the share of copyrighted content, I still believe that people should be aware that most media players are able to extend their format support by using the required codecs, and that it is quite unusual to try to compete against the most popular mediaplayers without selling (or even giving for free) some product to encode content in their format, so people are able to create enough content to really push the demand for the player.

Have a safe P2P experience!