The following book excerpt is from the recently released Hacker's Challenge 3 (McGraw-Hill Osborne) by David Pollino, Bill Pennington, Tony Bradley and Himanshu Dwivedi. This chapter presents a situation in which the security of an organization has been compromised.
Industry: Publishing
Attack Complexity: Moderate
Prevention Complexity: Moderate
Mitigation Complexity: Moderate
Wednesday, November 9, 2005, 15:17
Dillon McCabe had put in six solid years working for Markwell Publishing—half of
them as a one-man IT department. He had essentially pieced the network together
with chewing gum and tin foil when there was no budget at all, and he had put in
80-plus–hour weeks to handle all of the network administration tasks as well as the
technical support issues for the desktop systems. Markwell Publishing owed him.
Dillon had been there through it all since the company was launched. He'd been
through times when he wasn't sure he would be paid at all, and raises and bonuses
were virtually unknown. Now that Markwell Publishing had survived to adolescence
and was making a name for itself, one of its larger competitors had started to
take notice. Slyck Press had approached Dillon with a job offer for substantially
more money than Markwell was paying him.
He tried to rationalize that it was out of some sense of loyalty and fellowship,
but the real reason Dillon went to Frank Samuels, Markwell Publishing's founder
and president, was simple greed; he asked for an increase in pay and benefits above
and beyond what Slyck Press had offered him. If he could use Slyck Press's offer
as leverage, he hoped he would be able to earn the money he wanted while staying
with coworkers he knew and with a network he architected.
Frank thought about it, but said that he didn't believe the job was worth the kind
of money Dillon was asking for. Dillon was shocked and disappointed when Frank
did not counter. On the spot, Dillon gave his two weeks' notice and left Frank's
office more than a little disgruntled.
He would have simply walked out on the spot, but he decided to do some
"patching" of some computers before moving on to his new position with Slyck
Press. He downloaded some tools to his USB flash drive and proceeded to "update"
a few key systems.
Tuesday, January 10, 2006, 09:08
It was going to be one of those days, apparently. Noah had barely walked to his
desk and sat down when Greg, the head of the advertising sales group, came to
see him.
Noah Chapman had been working in the IT group of Markwell Publishing for
almost three years, but he had just recently been moved up to the position of managing
network administrator and all of the dirty work that entailed when Dillon
McCabe had left the company for a more lucrative position with another publisher.
He would be more impressed with himself, and his promotion, if it weren't for
the fact that only three people were on the IT team, including himself, and his promotion
came by seniority, not by virtue and dedication.
He picked up his Markwell Publishing mug, a company gift for everyone last
Christmas in lieu of real bonuses, and took a sip of his coffee with hazelnut-flavored
creamer. "What can I do for you, Greg?" Noah asked.
"Well, this may sound very strange, but is there any way that Dillon may somehow
be getting information from my computer?" said Greg.
"I am sure it is technically possible. Why do you ask?" said Noah.
"Since he left, we have lost a number of contracts and bids for new business.
Every time we lose, it seems that Slyck Press is the one that beats us, and they seem
to beat us by only a little bit. It just seems too coincidental to me," Greg said. "I think
maybe he is somehow getting information from my computer so that he knows what
we are bidding or what we are offering so they can swipe the business from us."
"OK. Let's go take a look," said Noah.
Noah and Greg walked across the office to the advertising sales team area.
Seated in a small sea of cubicles, with walls just high enough to prevent the team
from making eye contact and being distracted by each other, were approximately 20
employees diligently sending e-mails and placing phone calls to sell ad space in
Markwell Publishing's various magazines.
The two walked past the advertising sales team and into Greg's office. Noah
could hear the power supply and fan and the distinct noise of the hard drive grinding
away as the activity light on the front of Greg's laptop flickered and flashed.
"Can you figure out what is going on?" asked Greg.
"I can't be sure yet. For starters, though, since you think the computer may have
been compromised, I can't trust any of the files or utilities on it. Thankfully, I have a
diagnostics disc with the tools I need. The Helix Live CD tools give me just about
everything I need, and I added a few of my own, too," Noah said. "That way, I can
run my utilities from a known clean CD instead of a suspect computer."
Noah put his diagnostics CD into the computer's CD-ROM drive and opened a
command prompt. He searched his bag of tricks on the diagnostics CD and ran
FPort, a free forensic utility from Foundstone. Foundstone was founded and
run by the authors of McGraw-Hill/Osborne's venerable Hacking Exposed books.
Foundstone had since been purchased by McAfee, but it still operated as a separate
division, and the free utilities that Noah had come to rely on were still available.
C:\Fport-2.0>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process   Port  Proto  Path
1060  svchost   135   TCP    C:\WINDOWS\system32\svchost.exe
4     System    139   TCP
4     System    445   TCP
1132  svchost   1025  TCP    C:\WINDOWS\System32\svchost.exe
4     System    1063  TCP
0     System    3587  TCP
0     System    3588  TCP
0     System    3595  TCP
0     System    3596  TCP
1320            5000  TCP
1320            123   UDP
0     System    123   UDP
0     System    137   UDP
0     System    138   UDP
1060  svchost   445   UDP    C:\WINDOWS\system32\svchost.exe
4     System    500   UDP
1132  svchost   1032  UDP    C:\WINDOWS\system32\svchost.exe
4     System    1623  UDP
0     System    1900  UDP
0     System    2355  UDP
0     System    3089  UDP
"What is all that gibberish?" Greg inquired.
"This utility will not only show us which TCP and UDP ports are open, but it
will also link them to the applications that are using them so we can identify any
unknown or suspicious ones," Noah explained.
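As an added illustration (not code from the book), the check Noah is doing by eye can be automated: parse an FPort-style listing and flag any real PID that holds a port but has no process name or image path, which is exactly the kind of row a process-hiding rootkit leaves behind. The sample rows are constructed from the listing above; `parse_fport` and `unidentified_owners` are names chosen here.

```python
"""Parse an FPort-style port-to-process listing and flag owners it cannot name."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the FPort listing in the chapter (subset of rows).
FPORT_SAMPLE = """\
Pid   Process  Port  Proto  Path
1060  svchost  135   TCP    C:\\WINDOWS\\system32\\svchost.exe
4     System   139   TCP
4     System   445   TCP
1132  svchost  1025  TCP    C:\\WINDOWS\\System32\\svchost.exe
0     System   3587  TCP
1320           5000  TCP
1320           123   UDP
0     System   123   UDP
1060  svchost  445   UDP    C:\\WINDOWS\\system32\\svchost.exe
"""

# pid, optional process name (never purely numeric), port, protocol, optional path
LINE_RE = re.compile(r"^(\d+)\s+(?:([A-Za-z_]\S*)\s+)?(\d+)\s+(TCP|UDP)(?:\s+(.*\S))?\s*$")

# PIDs 0 and 4 are the Idle/System pseudo-processes on XP/2003; no image path is normal.
KERNEL_PIDS = {0, 4}

@dataclass
class PortEntry:
    pid: int
    process: str
    port: int
    proto: str
    path: str

def parse_fport(text):
    """Return one PortEntry per data row; banner and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            entries.append(PortEntry(int(pid), proc or "", int(port), proto, path or ""))
    return entries

def unidentified_owners(entries):
    """Entries whose owning process cannot be named or located on disk.
    A real PID that holds a port but has no name and no image path is what
    a rootkit hiding its process from the Windows API leaves behind."""
    return [e for e in entries
            if e.pid not in KERNEL_PIDS and (not e.process or not e.path)]
```

Run against the listing above, the only rows returned belong to PID 1320, the same anomaly Noah later ties to a hidden process.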
Running FPort didn't lead to any epiphanies, so Noah went back to the diagnostics
CD. This time he ran Process Explorer, a free utility available from Sysinternals.
Process Explorer examines the processes running on the system and maps them to
the handles or dynamic link library (DLL) files that they have open.
"Nothing there either," said Noah. "Perhaps Dillon was more clever than I give
him credit for."
Noah went back to his CD and found a tool called BlackLight, a utility from
F-Secure. "This utility can detect files and processes that are hidden even from the
Windows operating system." Noah was trying to keep Greg informed of what he
was doing.
Noah ran BlackLight and generated the following results:
fsbl-20060211223720.log
(start logfile)
02/11/06 9:37:20 [Info]: BlackLight Engine 1.0.30 initialized
02/11/06 9:37:20 [Info]: OS: XP 5.2.3790 (Service Pack 1)
02/11/06 9:37:22 [Note]: 7019 4
02/11/06 9:37:22 [Note]: 7005 0
02/11/06 9:37:24 [Note]: 7006 0
02/11/06 9:37:24 [Note]: 7011 1448
02/11/06 9:37:25 [Note]: 7018 2032
02/11/06 9:37:25 [Info]: Hidden process: C:\root\root.exe
02/11/06 9:37:25 [Note]: 7018 10180
02/11/06 9:37:25 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
02/11/06 9:37:25 [Note]: FSRAW library version 1.7.1014
02/11/06 9:37:48 [Info]: Hidden file: C:\WINDOWS\qservice.exe
02/11/06 9:37:48 [Note]: 7002 0
02/11/06 9:37:48 [Note]: 7003 1
02/11/06 9:37:48 [Note]: 10002 2
02/11/06 9:37:48 [Info]: Hidden file: C:\WINDOWS\services.dll
02/11/06 9:37:48 [Note]: 10002 2
02/11/06 9:37:48 [Info]: Hidden file: C:\WINDOWS\JiurlPortHide.sys
02/11/06 9:37:48 [Note]: 10002 2
02/11/06 9:37:48 [Info]: Hidden file: C:\WINDOWS\kurlmon.dll
02/11/06 9:37:48 [Note]: 10002 2
02/11/06 9:37:48 [Info]: Hidden file: C:\root\BeniOku.txt
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:48 [Info]: Hidden file: C:\root\hook.dll
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:48 [Info]: Hidden file: C:\root\ProAgent.exe
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:48 [Info]: Hidden file: C:\root\root.exe
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:48 [Info]: Hidden file: C:\root\Server.exe
02/11/06 9:37:48 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:37:49 [Note]: 10002 3
02/11/06 9:38:14 [Info]: Hidden file: C:\WINDOWS\system32\HookApi.dll
02/11/06 9:38:14 [Note]: 10002 2
02/11/06 9:49:38 [Note]: 7007 0
(end logfile)
Noah checked out the BlackLight log and noted some of the hidden files. He did
not recognize anything offhand, so he did a Google search for the first one on the
list -- qservice.exe. Some of the Google results suggested that qservice.exe was related
to a Trojan called ProAgent, which Noah noticed was also one of the hidden files
detected by BlackLight.
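An added example, not from the book: reducing a BlackLight log to the findings an analyst acts on, grouping hidden files by directory, pulling out any hidden kernel driver, and separating hidden processes that run from a hidden file from those running a normal, visible binary. The log lines are a constructed subset of the one above; `parse_blacklight` and `triage` are names chosen here.

```python
"""Extract and triage hidden-object findings from an F-Secure BlackLight log."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a subset of the BlackLight log shown in the chapter.
BLACKLIGHT_SAMPLE = """\
(start logfile)
02/11/06 9:37:20 [Info]: BlackLight Engine 1.0.30 initialized
02/11/06 9:37:25 [Note]: 7018 2032
02/11/06 9:37:25 [Info]: Hidden process: C:\\root\\root.exe
02/11/06 9:37:25 [Info]: Hidden process: C:\\Program Files\\Internet Explorer\\iexplore.exe
02/11/06 9:37:48 [Info]: Hidden file: C:\\WINDOWS\\qservice.exe
02/11/06 9:37:48 [Info]: Hidden file: C:\\WINDOWS\\JiurlPortHide.sys
02/11/06 9:37:48 [Info]: Hidden file: C:\\root\\hook.dll
02/11/06 9:37:48 [Info]: Hidden file: C:\\root\\ProAgent.exe
02/11/06 9:37:48 [Info]: Hidden file: C:\\root\\root.exe
02/11/06 9:38:14 [Info]: Hidden file: C:\\WINDOWS\\system32\\HookApi.dll
(end logfile)
"""

# date, time, then the two line types that matter; numeric [Note] lines are skipped
HIDDEN_RE = re.compile(r"^(\S+ \S+) \[Info\]: Hidden (process|file): (.+?)\s*$")

def parse_blacklight(text):
    """Return (timestamp, kind, path) for every hidden-object line in the log."""
    hits = (HIDDEN_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2), m.group(3)) for m in hits if m]

def triage(findings):
    """Group the hidden objects the way an analyst reads them: hidden files
    per directory (a directory full of them is the rootkit's home), hidden
    .sys drivers (kernel-mode hiding), and hidden processes split by whether
    their image on disk is itself hidden."""
    files = {p for _, kind, p in findings if kind == "file"}
    procs = [p for _, kind, p in findings if kind == "process"]
    return {
        "files_per_dir": Counter(str(PureWindowsPath(p).parent) for p in files),
        "drivers": sorted(p for p in files if p.lower().endswith(".sys")),
        "procs_backed_by_hidden_file": [p for p in procs if p in files],
        # a normal, unhidden binary running as a hidden process deserves its own look:
        # the file is legitimate, the way it is being run is not
        "procs_with_visible_image": [p for p in procs if p not in files],
    }
```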
"Very sneaky, Mr. McCabe," Noah said, admiring his former boss's creativity.
Noah opened an Internet Explorer web browser window and went to the Trend
Micro virus information website at http://www.trendmicro.com/vinfo. He did a search for ProAgent and came up with the following description:
Description:
This Trojan steals e-mail and Instant Messenger (IM) password from
the affected system. Upon execution, it drops a copy of itself in the Windows
folder and logs the user's keystrokes. It then sends the information to the
remote malicious user via e-mail.
It also creates a registry entry that enables its automatic execution at every
system startup.
"According to this, the ProAgent file detected by BlackLight is sending information
from your computer to an outside e-mail account," Noah explained. "So we
have a pretty good idea of what is going on here and who is responsible for it. I have
a little more investigating to do. After I get more information, we can take our findings
to management I think."
"If you say so," said Greg. "I'm still catching up."
Questions:
What built-in Windows tool could have been used to identify open ports?
How should Markwell Publishing have handled Dillon's departure to
protect against this attack?
How can the company protect its internal systems and data from being
abused through the inappropriate use of USB flash drives?
What else can Markwell Publishing do to try to safeguard its systems
from rootkits?
Does this sound like a problem that could happen or even is happening at your company? Read the next installment of this excerpt from the book Hacker's Challenge, "Solution 9: The root of the problem" to see how Noah and Greg work around this apparent network infiltration.