Monday 7 September 2009

0wn3d... Or not!

Recently I attended the SANS GCIH (GIAC Certified Incident Handler) course in London. I don't want to advertise it too much, as that is not the goal of this post, but anyway, it's a great course and I had a great time there.

Of course, when you're in a room full of other people learning about compromising computers, you expect strange things to happen on the wireless network.

And something strange happened to me during the second day of the course: my computer couldn't connect to the network anymore. I tried to figure out what was happening but couldn't find any problem.

The machine was an XP SP3, fully patched. I don't usually use Windows (except at work), but it was better for the course. Anyway, I switched to Ubuntu and had the same trouble: no connection.

Since it was the end of the day, I got back to my hotel and came back early the next morning, to try to fix the problem. I talked about it with someone from the SANS staff, Tomasz, and he told me he had noticed strange behaviour from one machine, which was sending a hell of a lot of weird traffic, taking almost all the bandwidth. The machine had quickly been blacklisted on the wireless network, by its MAC address. And guess what? The MAC address was my wifi card's.

Well of course, as an incident handler, I immediately thought: hell, I've been compromised. After telling the SANS dudes I had not been running anything special on my machine and did not know what was up, we decided to have a look at the traffic sent by my machine. It was sending packets on the network like crazy, but there were only two kinds of packets: "BROWSER Election Requests" and "Local Master Announcement"...


This was definitely not the behaviour of a malicious attacker or malware. For a moment I thought it was a hardware problem with my network card, but under Ubuntu there was no such behaviour.

Anyway, I ended the GCIH course using my Ubuntu, with an XP under VirtualBox.

I left the course on the Saturday afternoon, after the capture the flag event (which was really great btw), but I told Tomasz that I would keep in touch, and would investigate the machine later on.

I didn't touch the machine for some weeks (you know this feeling, when you've always got something else to do and can't fight it...) and then I decided I would look at it quickly: I made a full dd of the Windows partition, and decided not to follow the usual forensics rules and just boot the machine. After all, it was mine, and I had a dd in case I would have time to do real forensics on it.

Together with my friend David Bizeul, who was interested in the case, I had put the machine on a hub with another machine, running a network sniffer. The results were the same as before: the machine started to send these crazy packets again, eating a good 25% of the bandwidth I had (10M).

A quick jump to the command line, to see more about the activity, immediately proved something was definitely wrong:


All of my UDP ports (except the first 256) had been opened by a single process.
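
An added example (not from the original post, whose screenshots are not preserved): counting bound UDP ports per owning process is a quick way to spot the pattern described above. It assumes the listing is in Windows `netstat -ano` format; the sample rows, PID 1716 and the 1000-port threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# One UDP row of `netstat -ano`: local address:port, "*:*", owning PID.
UDP_ROW = re.compile(r"^\s*UDP\s+\S+:(\d+)\s+\*:\*\s+(\d+)\s*$")

def udp_ports_by_pid(netstat_text):
    """Map each owning PID to the set of UDP ports it has bound."""
    ports = defaultdict(set)
    for line in netstat_text.splitlines():
        m = UDP_ROW.match(line)
        if m:
            ports[int(m.group(2))].add(int(m.group(1)))
    return ports

def flag_udp_hoarders(netstat_text, threshold=1000):
    """Return (pid, port_count, lowest, highest) for PIDs at or above threshold."""
    hits = []
    for pid, owned in udp_ports_by_pid(netstat_text).items():
        if len(owned) >= threshold:
            hits.append((pid, len(owned), min(owned), max(owned)))
    return sorted(hits, key=lambda h: -h[1])

def constructed_sample(hoarder_pid=1716):
    """Constructed listing: a few ordinary rows plus one PID on ports 256-65535."""
    rows = [
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984",
        "  UDP    0.0.0.0:445            *:*                                    4",
        "  UDP    192.168.1.20:137       *:*                                    4",
        "  UDP    192.168.1.20:138       *:*                                    4",
        "  UDP    127.0.0.1:123          *:*                                    1080",
    ]
    rows += [f"  UDP    0.0.0.0:{p:<18}*:*                                    {hoarder_pid}"
             for p in range(256, 65536)]
    return "\n".join(rows)

if __name__ == "__main__":
    for pid, count, low, high in flag_udp_hoarders(constructed_sample()):
        print(f"PID {pid}: {count} UDP ports bound ({low}-{high})")
```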

Now what was the process exactly? Look here:


My machine was not infected by malware. It was not compromised. You guessed it right, it was just an incompatibility problem between VMware Player and my hardware, which is an Asus 1000H (Eee PC).

The version I was using:


End of the story... I still wanted to blog about it because it could happen to a lot of other people using the same hardware, and to give a clear answer to my SANS friends about this machine, which had been a curiosity... I'm taking this occasion to say hi to the great people from SANS: Tomasz Miklas, Terry Neal, Pieter Danhieux... And hi to Ben, and all the nice people I met in London :-)

See ya! :-)