Saturday, 25 May 2013

A computer infested with pests.

There is this PC I am working on at the moment which at first had ransomware installed, and which got "fixed" by a guy who actually thought that installing a pirated version of Windows 7 was a good idea, and then gave the owner back his machine. A couple of days later the owner gave me a call (yes, after the malware was removed!) because he had some issues installing common programs so he could go back to everyday use of his PC.

After installing the needed software and patching the OS, I found yet another malware sample. This was clearly an old sample: the mothership had moved on, as the sample could not contact a certain domain. Without wanting to do much more, I went on and installed software.
So now, 30 days later, I am sitting with a computer in my lap which is yelling for a genuine Windows 7 version: the installed version is Win7 Pro, while the key supports Home Premium OEM. To make things a bit more fun, the recovery partition was also deleted during the "repair". Next time, please hit ALT+F10 during the computer's boot process, or at least try it, before deleting that partition! I am not sure how the process went when this computer got "fixed", and the latter approach might not even work to remove some malware samples.

It is not every day I create Windows USB sticks, so I decided to document this funny incident.


Todo


1. Download the proper Windows version
Found this Microsoft Answers thread where I could download a Windows 7 version: http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/windows-7-home-prem-oa-acer-group/d6606520-8a45-4f47-a5ed-22978f4f602d

2. Create a filesystem on the stick

2.1. Create an NTFS partition with fdisk

Start fdisk on /dev/sdb; I performed the actions shown in the picture below.

2.2. Create the NTFS filesystem.
Install the ntfsprogs and ntfs-3g packages from the repository, then run:
sudo mkfs.ntfs -f /dev/sdb1

3. Mount the Windows 7 ISO and the USB stick.
ISO:
sudo mount -o loop Downloads/X17-58996.iso /media/cdrom0/
USB stick:
sudo ntfs-3g /dev/sdb1 /media/usb0

4. Copy the files from the ISO to the USB stick
sudo cp -R /media/cdrom0/* /media/usb0/
4.5. Make a cup of tea and chill while it copies

5. Download ms-sys-*.tar.gz from http://ms-sys.sourceforge.net/#Download, then unpack, compile and install it.
In order for this to work I had to install the gettext package from the repository and change directory to the path of the downloaded ms-sys*.tar.gz file before executing the command below.

sudo apt-get install gettext; tar -xzvf ms-sys-*.tar.gz ; cd ms-sys*; make && sudo make install
Next we can write a Windows 7 MBR to the device:
sudo ms-sys -7 /dev/sdb

Unmount the USB stick and cross yer fingers while booting up the computer.

6. Create partitions
Create a backup partition (I decided to use 15GB)
Create the OS partition

Make things easy

If one wants to do this using a GUI, I believe the gparted package from Debian-based Linux distros could be used to create the partition and filesystem needed. To copy the files I believe unetbootin could be used as well. I have not tried this myself, so I cannot confirm that it works, but it does pretty much the same thing, so why not.


Wednesday, 22 May 2013

Suspicious Domains

Malware often tries to "phone home" to a command and control server (C&C), or to exploit a client by redirecting web queries to a malicious landing page, and malware often relies on the Domain Name System (DNS) to do so. By using DNS the botnet herder can move the mothership of listening C&C(s) quite easily, both by changing domain names often to avoid detection of the mothership's IP address and by moving the C&C to another node without updating all the bots. Often these domains are registered with fake credentials and used for a short period of time. Therefore one tell-tale sign of, not necessarily malicious, but suspicious network activity can be found in the whois information for the domain, especially the "Created on" date. One could divide the results into a few priority levels (1-3), where #1 is a domain created within the last week, #2 within the last month and #3 within the last six months.

I made a tool to ease the analysis of a packet capture file (pcap) using Ruby and the PacketFu gem. The tool parses through the network packets looking for DNS queries; when it finds one, it does a simple whois lookup on the domain. If the domain was created within one of the three levels shown above, it is reported as a suspicious domain.
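As an added example, not the author's tool, here is a pure-Ruby sketch of the same idea that runs offline: it decodes the question name from raw DNS query bytes (PacketFu would hand you the UDP payload per packet; here the packets are constructed inline), pulls the creation date out of whois text, and maps the domain's age onto the three priority levels from the post. The domain names, the whois responses, the reference date and the cutoffs of 7, 30 and 182 days are this example's own assumptions, and the registered-domain helper is deliberately naive (it keeps the last two labels, so it is wrong for suffixes such as co.uk).

```ruby
require 'date'

# Priority levels from the post: 1 = created within a week, 2 = within a month,
# 3 = within six months. The day counts are this example's assumptions.
PRIORITY_LEVELS = [[1, 7], [2, 30], [3, 182]].freeze

# Decode the question name of a raw DNS query message (RFC 1035 label encoding).
# Returns nil for responses, truncated messages, or anything that is not a plain query.
def dns_query_name(payload)
  return nil if payload.nil? || payload.bytesize < 12
  flags   = payload.byteslice(2, 2).unpack1('n')
  qdcount = payload.byteslice(4, 2).unpack1('n')
  return nil unless (flags & 0x8000).zero? && qdcount > 0 # QR bit set means response
  labels = []
  pos = 12
  loop do
    len = payload.getbyte(pos)
    return nil if len.nil?
    pos += 1
    break if len.zero?
    # A question section carries no compression pointers, so a length above 63 is malformed.
    return nil if len > 63 || pos + len > payload.bytesize
    labels << payload.byteslice(pos, len)
    pos += len
  end
  labels.join('.')
end

# Naive registered-domain guess: keep the last two labels (wrong for e.g. co.uk).
def registered_domain(name)
  name.split('.').last(2).join('.')
end

# Pull the creation date out of whois text; registrars use several field names.
def whois_creation_date(text)
  text.each_line do |line|
    next unless line =~ /^\s*(?:Creation Date|Created on|Registered on|created):\s*(\S+)/i
    begin
      return Date.parse(Regexp.last_match(1))
    rescue ArgumentError
      next # unparseable date in this line, keep looking
    end
  end
  nil
end

# Map the domain's age on the given day to a priority level, or nil if older than all levels.
def priority_level(created, today)
  return nil if created.nil?
  age = (today - created).to_i
  return nil if age.negative?
  PRIORITY_LEVELS.each { |level, max_days| return level if age <= max_days }
  nil
end

# Walk UDP payloads (what PacketFu would give you per packet), whois each new domain once,
# and return the ones that fall inside a priority level.
def suspicious_domains(payloads, whois_lookup, today)
  seen = {}
  payloads.each do |payload|
    name = dns_query_name(payload)
    next if name.nil?
    domain = registered_domain(name)
    next if seen.key?(domain)
    text = whois_lookup.call(domain)
    created = text && whois_creation_date(text)
    seen[domain] = [priority_level(created, today), created]
  end
  seen.each_with_object([]) do |(domain, (level, created)), out|
    out << { domain: domain, level: level, created: created } if level
  end
end

# --- constructed sample data (not from a real capture) ---

# Build a minimal DNS query (A record, IN class) so the example runs without a pcap.
def build_dns_query(name, id = 0x1234)
  header = [id, 0x0100, 1, 0, 0, 0].pack('n6') # recursion desired, one question
  qname  = name.split('.').map { |l| [l.bytesize, l].pack('Ca*') }.join + "\0"
  header + qname + [1, 1].pack('n2')
end

SAMPLE_QUERIES = %w[www.example.com badhost.example newish.test badhost.example]
                 .map { |n| build_dns_query(n) }.freeze

SAMPLE_WHOIS = {
  'example.com'     => "Domain Name: EXAMPLE.COM\nCreation Date: 1995-08-14T04:00:00Z\n",
  'badhost.example' => "Domain Name: badhost.example\nCreation Date: 2013-05-20T10:00:00Z\n",
  'newish.test'     => "domain: newish.test\nCreated on: 2013-04-28\n"
}.freeze

# Stands in for a network whois call; unknown domains return nil.
SAMPLE_WHOIS_LOOKUP = ->(domain) { SAMPLE_WHOIS[domain] }

if __FILE__ == $PROGRAM_NAME
  suspicious_domains(SAMPLE_QUERIES, SAMPLE_WHOIS_LOOKUP, Date.new(2013, 5, 22)).each do |r|
    puts "level #{r[:level]}  #{r[:domain]}  created #{r[:created]}"
  end
end
```

With the reference date set to 22 May 2013, badhost.example (created two days earlier) lands in level 1 and newish.test (24 days old) in level 2, while example.com drops out because it is older than six months. Each registered domain is looked up only once, which matters for a real whois client since registries rate-limit queries.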

A simple test from a lab environment is seen below, where we see two domains created this very week, which makes them suspicious.

Of course, when we see the results it is quite easy to distinguish these two domain names from more common words, but the latter are often used as well, and this is at least one easy way to extract DNS queries and look for suspicious domain names. By running Snort a couple of days later on the same pcap file I got confirmation of my findings: both alerted as "ET CNC Reported CnC Server IP".

I first saw this while doing analysis on one of the many different malware samples shown in the "A botnets compromise" blog series, where the different samples changed domain name frequently.