Tuesday, September 23, 2014

IR and the help desk


Here's the scenario:
I get an email from the help desk saying that a user's machine has been infected with a Trojan (not just any malware, a Trojan!).

The machine was located in a different state from me, and the organization lacks forensic tools, but I was able to get a colleague to create a memory image and a disk image. He then sent me the memory image to investigate.

Trying to get a little more detail, I went back to the help desk and asked what the user had reported, what the help desk had done, any key dates, and why they thought the machine was infected. It turns out the user had said that files were disappearing and reappearing from her desktop. The help desk then said that they had installed and run Malwarebytes on the machine, but that it didn't fix the problem.

The help desk said that they did not have any documentation of what they had done or when, but that if I looked at the Malwarebytes logs, those should tell me what I needed to know. (!)

With the idea that desktop files were the issue, I created a timeline from the memory image and used 'Desktop' as my pivot. I was able to find that the user had been accessing the desktop files on the day the issue was reported, but I also noticed that the Hidden attribute was set. Hmmmm.... back to the help desk.

This time, they told me that they had gone into folder properties and set the 'Show hidden files...' option to true, but that the files were still shadowed after they did this, so the machine must have a Trojan.

Shadowed files and folders?  I had to go back and look at my machine to figure out what they meant by this one:
See how those files are lighter, faded looking? That's "shadowed" (files that are marked hidden). Now we come to the idea that the files weren't being removed; they were just set as hidden.

Back to the help desk to ask when the user first reported having problems. They forwarded me an email from the user, dated 4 days prior to the contact with InfoSec, in which the user said her issues with email had been fixed. I still have no idea how this relates to the problem of hidden files. They also mentioned at this point that, since running Malwarebytes had not fixed the problem, they had restored everything that had been quarantined.


The date of the initial report didn't really help, so working backwards in the timeline, I was able to find a point in time where the Users folder appears to have had the 'Hidden' attribute set. When this attribute is set manually (right-click, Properties, check Hidden), the pop-up gives you the option to apply the change recursively to subfolders and files (the default) or only to the folder in question.
Looking at the timeline, the change was definitely recursive!
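The two timeline steps above, pivoting on 'Desktop' and then spotting the recursive attribute change, can be reproduced from a TSK bodyfile. The example below is added here and is not code from the post or from the author; the bodyfile format, the sample rows (constructed to mimic a user profile that had Hidden applied to the whole tree) and the clustering thresholds are my assumptions. The detection rests on one NTFS fact: changing an attribute rewrites the MFT record, so the file's change time (the 'c' in mactime's "macb" column) moves while modified, accessed and created times do not. A burst of ctime-only events across many files under one folder, with nothing written and nothing read, is the footprint of a recursive attribute, ACL or ownership change rather than of malware rewriting files.

```python
"""Pivot a TSK bodyfile timeline on a keyword and flag bursts of ctime-only
changes, the footprint a recursive attribute change leaves on NTFS."""
import posixpath
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

Event = namedtuple("Event", "ts name flags")   # ts: Unix epoch, flags: mactime-style "macb"
Burst = namedtuple("Burst", "start end files root")

# Constructed sample in TSK 3.x bodyfile format (not data from the post):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (epoch seconds, UTC)
# Every entry under Users/jdoe gets a ctime-only change within seconds of the
# others, which is what setting "Hidden" on the profile folder recursively looks like.
SAMPLE_BODYFILE = """\
0|Users/jdoe|40|d/drwxrwxrwx|0|0|0|1410739200|1410739200|1410789603|1410739200
0|Users/jdoe/Desktop|41|d/drwxrwxrwx|0|0|0|1410739200|1410739200|1410789604|1410739200
0|Users/jdoe/Desktop/report.docx|42|r/rrwxrwxrwx|0|0|48213|1410788400|1410786000|1410789605|1410739200
0|Users/jdoe/Desktop/budget.xlsx|43|r/rrwxrwxrwx|0|0|10240|1410788460|1410739200|1410789606|1410739200
0|Users/jdoe/Desktop/notes.txt|44|r/rrwxrwxrwx|0|0|512|1410739200|1410739200|1410789607|1410739200
0|Users/jdoe/Documents/old.pdf|45|r/rrwxrwxrwx|0|0|90112|1410739200|1410739200|1410789608|1410739200
0|Windows/System32/notepad.exe|90|r/rrwxrwxrwx|0|0|193536|1400000000|1400000000|1400000000|1400000000
"""


def parse_bodyfile(text):
    """Explode each bodyfile row into mactime-style events, one per distinct timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed bodyfile row: {line!r}")
        name = fields[1]
        atime, mtime, ctime, crtime = (int(x) for x in fields[7:11])
        by_ts = defaultdict(set)
        for letter, ts in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if ts > 0:                      # 0 means "not set" in a bodyfile
                by_ts[ts].add(letter)
        for ts, letters in by_ts.items():
            flags = "".join(l if l in letters else "." for l in "macb")
            events.append(Event(ts, name, flags))
    return sorted(events)                   # by time, then path


def pivot(events, keyword):
    """The 'pivot on Desktop' step: every event whose path contains the keyword, in time order."""
    key = keyword.lower()
    return [e for e in events if key in e.name.lower()]


def find_attribute_bursts(events, max_gap=5, min_files=4):
    """Cluster ctime-only events ('..c.') that land within max_gap seconds of the previous one.
    A cluster touching at least min_files distinct paths is reported with its common ancestor.
    Thresholds are assumptions; tune them to the volume in the image."""
    clusters = []
    for e in events:
        if e.flags != "..c.":
            continue
        if clusters and e.ts - clusters[-1][-1].ts <= max_gap:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    bursts = []
    for cluster in clusters:
        files = sorted({e.name for e in cluster})
        if len(files) >= min_files:
            bursts.append(Burst(cluster[0].ts, cluster[-1].ts, files,
                                posixpath.commonpath(files)))
    return bursts


def fmt(ts):
    """Render an epoch timestamp as UTC; mactime would use the analyst's local zone."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    timeline = parse_bodyfile(SAMPLE_BODYFILE)
    print("== pivot: Desktop ==")
    for e in pivot(timeline, "Desktop"):
        print(fmt(e.ts), e.flags, e.name)
    print("== ctime-only bursts ==")
    for b in find_attribute_bursts(timeline):
        print(f"{fmt(b.start)} .. {fmt(b.end)}: {len(b.files)} entries under {b.root}")
```

Once a burst is found, the interesting question is what ran in the seconds before `start`: the pivot can then be re-run on that time window rather than on a path, which is the "work backwards to find an executable or a web page" step the post describes next.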

Once I had that point in time, I tried to work backwards to find whether an executable had been run, or a web page visited, or anything else that could explain how this was set accidentally. Unfortunately, I did not find any smoking guns. I could see that after the properties were recursively set, the user logged off fairly quickly, and the next set of events lines up with when the help desk started installing tools. It is possible that the user herself changed this attribute without realizing the effect it would have.

I went back to the help desk to see if they could "help" any more. They gave me a few more details (the user said she was working fine and then stuff disappeared; the help desk received the laptop the following morning). They also said that they could no longer restore the user's files.

I never received a copy of the disk image, so I could not help in restoring the files. Two months later, I still haven't received the disk image from the company, and the user has not asked for her machine or the files back!

So here's the recap of what the help desk did:
1. Installed a tool to "jiggle" the mouse so the machine wouldn't log out
2. Installed and ran Malwarebytes
3. Changed registry properties (show hidden files)
4. Restored everything that Malwarebytes had quarantined
5. Called InfoSec

The actions taken by the help desk aren't bad, but the many, many conversations needed to get the information about what they did were painful. They never mentioned the mouse jiggle tool that I saw in the timeline. And the idea of restoring quarantined files before they called InfoSec is strange; I don't know what they thought that would do for us.

If the help desk had a standard process, or were instructed to take detailed notes, this would have made life much simpler. It may not have allowed me to find the root cause, but it would have cut a few days out of the process, days I spent waiting for the help desk to give me more information.

In my ideal world, the help desk would take a memory image before starting to work on machines they think are infected with malware. I know this would take time, and that help desks are busy, but in those instances where they can't solve the problem, that image could be invaluable.