Tuesday, June 27, 2017

Petya Ransomeware Attack : What to Do immediately


Petya/Petwrap ransomware

What is Petya Ransomeware do?
Ans: 
Ransomware, Petya does not encrypt files on a targeted system one by one.
Instead, Petya reboots victims computers and encrypts the hard drive's master file table (MFT) and rendering the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

Why it spreads fast?
Ans : Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)
So patch both first!

Affected countries: UK, Ukraine, India, the Netherlands, Spain, Denmark, and others

Behavior:
Encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.


Actions to be taken:
1. Block source E-mail address
wowsmith123456@posteo.net
2. Block domains:
http://mischapuk6hyrn72.onion/
http://petya3jxfp2f7g3i.onion/
http://petya3sen7dyko2n.onion/
http://mischa5xyix2mrhd.onion/MZ2MMJ
http://mischapuk6hyrn72.onion/MZ2MMJ
http://petya3jxfp2f7g3i.onion/MZ2MMJ
http://petya3sen7dyko2n.onion/MZ2MMJ

3. Block IPs:
95.141.115.108
185.165.29.78
84.200.16.242
111.90.139.247
4. Apply patches:
Refer(in Russian): https://habrahabr.ru/post/331762/

5. Disable SMBv1

6. Update Anti-Virus hashes
a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d

myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
As of a Kill-switch can be used for #Petya Ransomware. 
i.e. Just create a file "C:\Windows\perfc"
Does this affect you?* 

Though this attack is largely targeting companies, it's important you stay vigilant and take following precautionary measures.

- Always make sure your anti-virus is up-to-date to maximize the protection available to you.

- Don't click too quickly. This attack may be spreading through phishing or spam emails, so make sure you check an email's content for legitimacy. Hover over a link and see if it's going to a reliable URL. Or, if you're unsure about an email's content or the source it came from, do a quick search and look for other instances of this campaign, and what those instances could tell you about the email's legitimacy.

- Do a complete back up. Back up all your PCs immediately. If your machine becomes infected with Petya ransomware, your data could become completely inaccessible. Make sure you cover all your bases and have your data stored on an external hard drive or elsewhere.

- Apply system and application updates.Making sure your operating system is up to date will help contain the spread of this malware.

Monday, June 19, 2017

Electronic Evidence where to find in Files

Electronic Evidence where to find in files 

Windows Searches — For years, one challenge in digital investigative analysis has been proving a user not only had something significant to an investigation on their computer, but that he knew it was on there. Two of the easiest ways help prove knowledge of a file is to prove the user was searching for it or accessed it. In order for Microsoft to enhance the user experience, Windows tracks the names of files you access and search for in multiple locations. As previously discussed, the Windows registry is essentially several databases called registry hives. Each user has his own primary registry hive called the NTUSER.DAT. This registry hive tracks information specific to each user’s activity and preferences. Starting in Windows 7, when a user conducts a search on his computer using the Windows search function or the “Charm Bar” in Windows 8-10 (the magnifying glass that appears when you move your mouse to the right edge of the screen), Windows records each search in temporal order in the “NTUSER.DAT\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\WordWheelQuery” registry key. Because the searches are recorded in temporal order, an analyst can frequently see indications of the user’s thought process as he searched for particular files. 

File Access —– Windows also records in numerous artifacts when a user opens or attempts to open non-executable files. Four of the most useful digital artifacts to identify files opened or attempted to be opened are “LNK” files (pronounced as “link” files), Jump Lists, and several “most recently used” registry keys. 

LNK files — A LNK File is an artifact that has existed since Windows XP. LNK files are also known as a “Windows Shortcut” files and are created anytime a user opens or attempts to open a nonexecutable file. A LNK file is created even if the file opened is on a network or external drive. When an opened file is later deleted, its LNK file does not get deleted with it. Windows creates and stores approximately 149 LNK files in the user’s home directory under the “AppData\Roaming\Microsoft\ Windows\Recent” directory. LNK files contain a wealth of information including the modified, accessed, and created dates and times of the file opened; the full directory path, volume name, and volume serial number from which the file was last opened; and the file size. 
Starting in Windows 10, Microsoft added rules to when LNK files would be created in addition to when files are opened. On earlier versions of Windows 10, a LNK file was created for the directory to which any file was copied. The creation of a LNK file for the directory a file was copied to was stopped on later versions of Windows 10. However, on versions as early as version 1607, Microsoft created a LNK file for the directory a file is opened from. Additionally, when a directory is created, Windows creates a LNK file for the directory created and for the created directories “parent” and “grandparent” directory. In addition to all the information LNK files record, LNK files also record the last time a file was opened. 

Jump Lists — One of the newest artifacts to identify files opened by a user are “Jump Lists.” Starting in Windows 7, Microsoft introduced two types of jump lists: “AutomaticDestinations” and “CustomDestinations.” Automatic and Custom jump lists are created and stored in their respective directory in each user’s home directory under the “AppData\ Roaming\ Microsoft\ Windows\Recent” directory. Each application can incorporate its own jump lists as a “mini-start” menu. Automatic Destinations allow a user to quickly “jump” to or access files they recently or frequently used, usually by right-clicking the application in the Windows taskbar. CustomDestinations allow a user to pin recent tasks, such as opening a new browser window or create a new spreadsheet to the jump list. Jump lists are essentially mega LNK files. Each jump list can record upwards of the last 1,000 files opened by each application. As jump lists are essentially compound LNK files, they contain all the same information as LNK files, such as when each file was opened, modified, accessed, and created; dates and times that the file was opened; the full directory path, volume name, and volume serial number from where the file was last opened; and the file size. 

Most Recently Used (MRU) Registry Keys – As previously mentioned, the Windows Registry is a series of massive databases that track system configuration and user activity. There are several registry keys that track most recently used items. An analysis of these registry keys can help an analyst quickly identify files accessed. Every application developer has the option of creating registry keys specific to his application configuration and user activity. Three of the most useful registry keys that track files accessed are “RecentDocs,” “Microsoft Office FileMRU,” and “OpenSavePIDMRU.” 

RecentDocs — The “RecentDocs” registry key tracks the name and order of the last 10 files opened for every file extension (e.g. .doc, .docx, .jpg, etc.). The registry organizes each of the last 10 files opened in sub keys named by the file extension. A sub key named “folder” is also created when the first folder is opened using the Windows Explorer. This sub key tracks the name of the last 30 folders opened. Each user has his own RecentDocs registry key located in his NTUSER.DAT registry hive under the “\Software\ Microsoft\ Windows\ Currentversion\ Explorer” registry key. The master RecentDocs key maintains a master list, organized in temporal order of the last 150 files or folders opened. By analyzing the order that particular files were opened, analysts have often been able to refute claims that a single type of file was opened by mistake. In one trade secret case, it was helpful for the analyst to show the pattern of files opened that all related to the same subject matter. 

Applications Specific Most Recently Used (MRU) — With every Windows application, developers have the ability to create their own set of registry keys to track specific configuration and user activity for their application. If a specific application is used to commit or facilitate a crime or is otherwise significant to an investigation, it is often advantageous for the analyst to determine both if the application has its own set of registry keys and what actions those keys record. Two excellent examples are “Winzip,” which records the name of the last several zip files created using the Microsoft Office suite of applications. Each application in the Office suite has its own set of “FileMRU” (most recently used files) that tracks most recent files used and when they were opened. Additionally, starting with Office version 365 and 2016, Microsoft Office tracks the “reading location” for each Word, PowerPoint, and Excel document opened and when each file was closed. Using this information, an analyst can determine not only what document was last opened and when it was closed, but also that the user had scrolled to and was on page 32 of the document when it was closed. 

OpenSavePIDMRU — Windows has some basic dialog boxes that all programs can use when a user opens or saves a file. Some may have noticed that when saving files, a dropdown arrow in the file name dialog entry location appears. By clicking on the arrow, you will see several of the most recent file names you have saved for that application. These file names are saved as a part of the “OpenSavePIDMRU” registry key which is located under the “NTUSER.DAT \ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ ComDlg32\ OpenSaveMRU” registry key. A record of the last 10 to 25 names of the last files opened or saved using the Windows Common Dialog Box are stored under sub keys based on file extension.


Navy man in Jail for 2 years for Child Pornography, cyber crime in India

Navy man gets 2 years Jail for Child Pornography, cyber crime in India : Cyber crime conviction By Prashant Mali In the case of D...