My Road to Digital Forensics Excellence

The malware made you do it?

Posted by Paul Bobby on June 25, 2012

I was having a conversation with a co-worker about various things and the topic of the trojan defense was raised. He started chuckling. I asked why, and he dismissed it as the far fetched final gasp of air muttered by the unfortunate soul facing the consequences of his actions. Well perhaps not as dramatically stated as that, but you get the point. I told him I disagree with that sentiment 100%, and proceeded to tell him why. Upon reflection I figured this is something to blog about and invite any comments in the event I’m completely off base with this.

TL;DR – You are not as in control of the content of your hard drive as you think you are, especially with respect to the content managed by your web browser.

TL;DR #2 – Any process that generates artifacts from computer initiated actions aswell as human initiated actions is a candidate for the malware defense.

So when you think about the trojan defense, what comes to mind? Like my buddy I bet most people who dismiss the trojan defense imagine some sort of malware that secretly makes use of your internet connection and downloads CP to a hidden folder just waiting for law enforcement to discover it. Well that’s not too unreasonable, maybe ransomware or extortionware designed specifically for financial gain, but that’s not what I’m thinking about. Or how about this, malware that plays solitaire, or does your homework, or watches movies, or is a cyber-yenta using your IM program? All this stuff in a corporate environment that creates a case for mischarging – did they malware do it? Of course not. But again that’s also not what comes to mind when I think of the malware defense as it is not appropriate for those types of scenarios in which activity is generated by human initiated actions.

Let me ask a couple of rhetorical questions. Do you believe it’s possible for malware to alter the contents of your hard drive? I would hope the answer is yes. Unless it’s some proof of concept code or experimental code, most malware can and does manipulate your OS, which leads to manipulation of the hard drive. Do you accept the possibility that malware can introduce new content to your hard drive? Again, the answer should be yes. Thirdly, of the set of malware is there a subset that is specifically designed to intercept, hijack or otherwise interfere with the normal web browsing process of your OS and its web browsers? The answer is yes, there is a group of malware that is designed to manipulate normal web browsing processes, for example, BHOs, activex, flash, even exploiting the normal function of your browser by, say, opening up multiple tabs when you click ‘home’, tabs which may contain thumbnail pages of clickthrough content to objectionable websites.

Malware doesn’t even have to be on your computer. Imagine one day visiting and discovering that a disgruntled employee decided to deface the website somehow. Your browser dutifully renders the website request content to be delivered to you, over the network, rendered in memory or virtual memory and ultimately stored on your hard drive in your caching mechanism. Perhaps the web page is ‘too big’ to fit in your browser and you would only see the content if you scrolled down to view it. Has that content already made it to your hard drive? Of course… There are accelerators and other browser add-ins that can cause all sorts of content to be transmitted over the network, rendered/processed in memory and stored all on your hard drive, giving the appearance of the end user specifically requesting such data.

So do you see where I’m going with this? It was at this point that my co-worker realized what I was hinting at. You are not as in control of the content of your hard drive as you think you are, especially with respect to the content managed by your web browser. The malware doesn’t have to specifically ‘go out and get badness’, no, on the contrary, by interfering with your web browsing process, malware can cause all sorts of content to inadvertently be deposited on to your hard drive.

Have you ever executed Sysinternals’ Process Monitor and watched all the activity go by when the OS is supposedly ‘idle’? It’s mind boggling the amount of stuff that goes on. Put on top of that web browsing and you get what is, in my opinion, the ‘noisiest’ thing you can do with an operating system. Data read/written to network sockets, read/written to memory and read/written to the hard drive. Even the OS can cause web browsing traffic to occur – really gumming up the works when it comes to discerning human-initiated versus computer-initiated traffic. And all the while, malware, designed to interfere with normal web browsing processes, generating its own traffic.

Let’s take an example from the corporate world. Imagine an employee walking by your cube and sees porn on your screen. They contact the ethics officer who subsequently opens a case. Technical assistance is requested to discover any evidence that can substantiate and the analyst finds pornography in the temporary internet files area of the hard drive. Is the employee fired just because it’s there?” Good lord I hope not, in fact the analyst shouldn’t even submit any report based solely on the presence of content only (note this might raise your hackles, but I’ve read/observed cases from both corporate and law enforcement in which this is exactly what happens). Rather the analyst needs to provide a narrative describing how  the content got there in the first place. Perhaps a mistyped search term or URL? Perhaps a compromised web advertisement place holder? (you’ll need your manual reconstruction skills for that one, and the next). Perhaps a compromised website in general? Perhaps malware on the local computer? Perhaps the individual really is seeking inappropriate content. The key to this investigation is accurately describing the actions that caused this content to be placed on the computer.

So, is the trojan defense actually plausible? You bet it is, for specific scenarios of course. Web Browsing being the most common. So I would caution anyone against dismissing the malware defense too quickly simply because it sounds too fantastic or unrealistic. Another scenario that comes to mind is P2P.

Update: 7/7/12 (a real CP ransomware story. how about that)

Update2: 8/14 (FBI alert regarding ransomware)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: