(Editor’s Note: This post was written by an information security engineer who works for a Bit9 + Carbon Black customer. The engineer submitted this post after “hunting for evil” using Carbon Black and wanted to share the information with the #Bit9Blog readership. As a policy, Bit9 + Carbon Black does not reveal its customer names, so the author of this post and his employer are anonymous.)
Recently, I had the opportunity to play with Carbon Black in a live environment and go hunting for evil.
A common behavior for Zeus malware is to spawn a svchost.exe child from an unsigned parent process. Though this is not guaranteed malicious behavior, it’s uncommon enough to be a good place to start looking for Zeus or other nasty software. To do this in Carbon Black, you’d run a process search like this:
This query is looking for unsigned processes (i.e., filter out the processes with a digital signature) that have a child process of svchost.exe.
I didn’t find Zeus himself, but I did find something that looked pretty malicious. The bulk of the hits returned by this search were for a single host:
I dug into rpcnetp.exe a little bit for some more detail. It spawns svchost, of course, but that in turn spawns iexplore (Internet Explorer) and something called “upgrd.exe.”
Upgrd.exe runs a batch file “c:\windows\system32\upgrd.bat” that runs through a number of steps. Details about each step are available within Carbon Black, but are not included here. The Internet Explorer process makes one connection to “search.namequery.com”:
Here’s the whole process tree:
At this point, I had unsigned software spawning Internet Explorer for beaconing purposes as well as running some kind of batch script. It looked like malware, it acted like malware, but was it really malware?
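The Carbon Black query and the resulting process tree appear in the original post as screenshots, so here is an added example (my own Python, not Carbon Black’s query language or output) that models the same hunt: find unsigned parents that spawned svchost.exe, grouped by host, and walk the tree beneath a hit. The process records, host names and PIDs are constructed to mirror the findings described above.

```python
"""Hunt for svchost.exe spawned by an unsigned parent, then render the subtree under a hit."""
from collections import defaultdict

# Constructed sample endpoint records (not real telemetry). Fields: host, pid, ppid, name, signed.
# WS01 mirrors the chain from the post: rpcnetp.exe -> svchost.exe -> iexplore.exe / upgrd.exe.
SAMPLE_PROCESSES = [
    {"host": "WS01", "pid": 400, "ppid": 4,   "name": "services.exe", "signed": True},
    {"host": "WS01", "pid": 410, "ppid": 400, "name": "svchost.exe",  "signed": True},
    {"host": "WS01", "pid": 500, "ppid": 400, "name": "rpcnetp.exe",  "signed": False},
    {"host": "WS01", "pid": 510, "ppid": 500, "name": "svchost.exe",  "signed": True},
    {"host": "WS01", "pid": 520, "ppid": 510, "name": "iexplore.exe", "signed": True},
    {"host": "WS01", "pid": 530, "ppid": 510, "name": "upgrd.exe",    "signed": False},
    {"host": "WS02", "pid": 400, "ppid": 4,   "name": "services.exe", "signed": True},
    {"host": "WS02", "pid": 410, "ppid": 400, "name": "svchost.exe",  "signed": True},
]


def unsigned_parents_of_svchost(processes):
    """Return {host: [parent names]} for every svchost.exe whose parent has no digital signature.

    Signed parents (services.exe on a normal box) are filtered out, exactly as the hunt intends.
    """
    by_key = {(p["host"], p["pid"]): p for p in processes}
    hits = defaultdict(list)
    for proc in processes:
        if proc["name"].lower() != "svchost.exe":
            continue
        parent = by_key.get((proc["host"], proc["ppid"]))
        if parent is not None and not parent["signed"]:
            hits[parent["host"]].append(parent["name"])
    return dict(hits)


def process_tree(processes, host, root_pid):
    """Return the subtree rooted at root_pid on host as indented lines, flagging unsigned images."""
    children = defaultdict(list)
    by_pid = {}
    for proc in processes:
        if proc["host"] == host:
            by_pid[proc["pid"]] = proc
            children[proc["ppid"]].append(proc["pid"])
    lines = []

    def walk(pid, depth):
        proc = by_pid[pid]
        lines.append("  " * depth + proc["name"] + ("" if proc["signed"] else " [unsigned]"))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


if __name__ == "__main__":
    for host, parents in unsigned_parents_of_svchost(SAMPLE_PROCESSES).items():
        print(host, parents)
    print("\n".join(process_tree(SAMPLE_PROCESSES, "WS01", 500)))
```

On a real deployment the same two checks are the triage loop: count hits per host first, then expand the tree under each unsigned parent to see what the child svchost.exe goes on to launch.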
Armed with this information and with these questions in mind, I went looking around on the Internet to see if I could find anything more. Luckily, I found a recent article by a Kaspersky researcher about this exact thing. The article discusses the Absolute Computrace software made by Absolute Software Corp.
Here’s one indication from Carbon Black that we’re talking about the same thing:
Computrace, also known as LoJack, is an anti-theft BIOS add-on. One of its capabilities is to provide remote access to your stolen laptop. Part of the point of the Kaspersky post is that Computrace exhibits a lot of the same behavior as malware, but is often whitelisted by AV vendors. I found that out of 57 AV vendors, zero deemed it malicious.
The Kaspersky researchers are concerned that Computrace could be hijacked by malicious parties to provide an easy backdoor into a system.
“We believe that Computrace was designed with good intentions, but our research shows that vulnerabilities in this software can turn a useful tool into a powerful weapon for cybercriminals,” they said.
A quick search in Carbon Black for the process rpcnetp.exe can tell you how many hosts are running this software.
Malicious or not, Carbon Black gave me insight into powerful software running on endpoints to which other security tools turn a blind eye. This is clearly useful information and highlights the kind of visibility that Carbon Black provides.