Dumpster diving in Bin Laden's computers: malware, passwords, warez and metadata (I)

Monday, November 27, 2017


What would you expect from a computer network that belongs to a terrorist group? Super-encrypted material? Special passwords? On 1 November 2017 the Central Intelligence Agency (CIA) released additional materials recovered in the 2 May 2011 raid on Bin Laden's compound in Abbottabad, Pakistan. We have seen some news about movies, porn, games and other stuff stored on those computers. But we will go further. We will focus on the security aspects of its 360 GB of zipped information. Did they use passwords? Proxies? Encryption? Any special software?

A few hours after releasing the raw information from the hard drives of at least three computers found there, the CIA removed the content due to "technical" issues. 8 days later, they released the data again, but now all Office documents were converted to PDF and EXE files were "deactivated" by removing their headers, for "security reasons".



A few words about the CIA "technical issue"

Did the CIA have regrets in less than 24 hours? We do not know, but what certainly happened is that, by releasing it all again, they added their own metadata. For example, now we know they used LibreOffice 5.2 (which is not the latest version and has some security issues) to convert Office documents to PDF, and LibreOffice 5.0 to convert RTF. Does LibreOffice have a tool to convert a few thousand files to PDF? Yes, it does. They probably used lowriter, which is able to convert files to PDF from the command line.

We used our https://metashieldclean-up.elevenpaths.com to analyse some data
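The metadata leak described above is easy to reproduce yourself. The script below is an added example written for this post (it is not Metashield code and not anything from the CIA release): it pulls the Producer and Creator fields out of a PDF's Info dictionary and XMP packet straight from the raw bytes, and tallies the producing tool across a set of files. The two PDF byte strings are constructed to mimic what a LibreOffice export writes; they are not files from the dump.

```python
import re
from collections import Counter
from typing import Dict, Mapping, Optional, Tuple

# Info-dictionary keys that reveal which tool chain produced the file.
INFO_KEYS = (b"Producer", b"Creator", b"Author", b"CreationDate", b"ModDate")
# LibreOffice also writes an XMP packet carrying the same facts as XML.
XMP_TAGS = ("pdf:Producer", "xmp:CreatorTool", "xmp:CreateDate")


def _decode_pdf_string(raw: bytes) -> str:
    """PDF text strings are PDFDocEncoding (treated as Latin-1 here)
    or UTF-16BE with a byte-order mark."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def extract_pdf_metadata(pdf: bytes) -> Dict[str, str]:
    """Return tool-revealing metadata from the Info dictionary and XMP packet.
    Works on raw bytes, so it also copes with half-converted or odd files
    that a strict PDF parser would reject."""
    found: Dict[str, str] = {}
    for key in INFO_KEYS:
        name = key.decode()
        # Literal string form:  /Producer (LibreOffice 5.2)
        m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", pdf)
        if m:
            found[name] = _decode_pdf_string(m.group(1))
            continue
        # Hex string form:  /Producer <4C69627265...>
        m = re.search(rb"/" + key + rb"\s*<([0-9A-Fa-f\s]+)>", pdf)
        if m:
            hexdata = re.sub(rb"\s", b"", m.group(1)).decode()
            found[name] = _decode_pdf_string(bytes.fromhex(hexdata))
    for tag in XMP_TAGS:
        t = re.escape(tag.encode())
        m = re.search(rb"<" + t + rb">([^<]*)</" + t + rb">", pdf)
        if m:
            found[tag] = m.group(1).decode("utf-8", errors="replace")
    return found


def producer_version(meta: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Split a Producer value into (tool, version), e.g. ('LibreOffice', '5.2')."""
    for key in ("Producer", "pdf:Producer"):
        m = re.match(r"^(.*?)\s*(\d[\d.]*)?\s*$", meta.get(key, ""))
        if m and m.group(1):
            return m.group(1), m.group(2) or ""
    return None


def count_producers(files: Mapping[str, bytes]) -> Counter:
    """Tally Producer strings across a set of PDFs to spot the tool versions used."""
    return Counter(extract_pdf_metadata(b).get("Producer", "<none>") for b in files.values())


# Constructed sample PDFs (not from the release): one literal-string Info
# dictionary plus XMP, one hex-string Info dictionary.
SAMPLE_PDF_52 = (
    b"%PDF-1.4\n1 0 obj\n<< /Producer (LibreOffice 5.2) /Creator (Writer)\n"
    b"/CreationDate (D:20171109120000Z) >>\nendobj\n"
    b"2 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b"<x:xmpmeta><rdf:Description><pdf:Producer>LibreOffice 5.2</pdf:Producer>"
    b"<xmp:CreatorTool>Writer</xmp:CreatorTool></rdf:Description></x:xmpmeta>\n"
    b"endstream\nendobj\n%%EOF\n"
)
SAMPLE_PDF_50 = (
    b"%PDF-1.4\n1 0 obj\n<< /Producer <4C696272654F666669636520352E30> >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    files = {"a.pdf": SAMPLE_PDF_52, "b.pdf": SAMPLE_PDF_50}
    for name, data in files.items():
        print(name, extract_pdf_metadata(data), producer_version(extract_pdf_metadata(data)))
    print(count_producers(files))
```

Point the `files` mapping at a directory of converted PDFs and the producer tally immediately shows the 5.2 versus 5.0 split the post describes; the same fields are what a metadata-cleaning step should strip before a bulk release.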
But, for some reason, the CIA made some mistakes. They did not correctly convert all of the DOCX files to PDF. Here is an example of the content of some of the files.

Messed up data after creating a PDF
These files were seized 5 years ago… why be in a rush? They did not even check that the files were properly converted before the re-release. Anyway, during the second release they removed some "malware": 815 different samples. We checked them and found some interesting stuff. We checked those 815 "malware" samples against VirusTotal:
  • Not found: 524
  • Found with 0 positives: 146
  • Found with more than 1 positive: 145
At least 146 samples are not considered malware by antivirus, but the CIA does. That is OK, AVs are not always right, we already know… but, checking some samples manually, we do not see any evidence of malware in them. Some are documents, some executables… did the CIA make a deeper analysis? Yes, that is what it seems. We took some random samples like 903A80A6E8C6457E51A00179F10A8FA8, not detected by any antivirus as of today, and found what looks like malicious stuff. So good for the CIA here… or not.


Because this is the exception. The file does not look like malware if you take a deeper look. There are really lots of other documents that do not seem to be infected in any way or pose any risk. We checked manually. But for some reason they have been removed, specifically classified as "malware" or dangerous. Why remove them?

As we can tell, even .log files (just text) have been labeled as malware by the CIA
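Bucketing a list of hashes into "not found", "found with 0 positives" and "found with positives", as in the count above, is a few lines of code. This is an added example written for this post, not the script the authors used. It queries VirusTotal's v3 file-report endpoint (`GET /api/v3/files/{hash}` with an `x-apikey` header) when given a hash list and an API key, and otherwise runs against a constructed offline table so it works without network access. Of the three hashes in that table only the first appears in the post (reported there as undetected); the other two are placeholders, and all three verdict values are made up for the demo.

```python
import json
import os
import sys
import urllib.error
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterable, Optional

NOT_FOUND = "not found"
CLEAN = "found, 0 positives"
DETECTED = "found, 1 or more positives"

# A lookup takes a hash and returns the number of engines flagging it,
# or None when VirusTotal has never seen the file.
LookupFn = Callable[[str], Optional[int]]


def vt_lookup(api_key: str) -> LookupFn:
    """Build a lookup backed by VirusTotal's v3 file-report endpoint."""
    def lookup(file_hash: str) -> Optional[int]:
        req = urllib.request.Request(
            "https://www.virustotal.com/api/v3/files/" + file_hash,
            headers={"x-apikey": api_key},
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                report = json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None  # hash never submitted to VirusTotal
            raise
        stats = report["data"]["attributes"]["last_analysis_stats"]
        return int(stats.get("malicious", 0))
    return lookup


def classify(positives: Optional[int]) -> str:
    """Same three buckets as the post's count."""
    if positives is None:
        return NOT_FOUND
    return CLEAN if positives == 0 else DETECTED


def triage(hashes: Iterable[str], lookup: LookupFn) -> Dict[str, str]:
    """Map each normalised hash to its bucket; duplicates are looked up once."""
    verdicts: Dict[str, str] = {}
    for raw in hashes:
        h = raw.strip().lower()
        if h and h not in verdicts:
            verdicts[h] = classify(lookup(h))
    return verdicts


def summarise(verdicts: Dict[str, str]) -> Dict[str, int]:
    return dict(Counter(verdicts.values()))


# Constructed stand-in for VirusTotal answers so the script runs offline.
# First hash is the one the post mentions as undetected; the other two are
# placeholders, and all three verdict values are invented for the demo.
OFFLINE_RESULTS = {
    "903a80a6e8c6457e51a00179f10a8fa8": 0,
    "11111111111111111111111111111111": 7,
    "22222222222222222222222222222222": None,
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:   # one MD5/SHA-1/SHA-256 per line
            hashes = fh.read().split()
        lookup = vt_lookup(os.environ["VT_API_KEY"])
    else:
        hashes, lookup = list(OFFLINE_RESULTS), OFFLINE_RESULTS.get
    verdicts = triage(hashes, lookup)
    for h, v in verdicts.items():
        print(h, v)
    print(summarise(verdicts))
```

The public API tier is rate-limited, so for a list the size of the CIA's 815 samples add a pause between calls or use the batch features of a paid key; and remember, as the post says, that "0 positives" is a statement about detection coverage, not a clean bill of health.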
Analyzing the memory (although the computers were shut down)

Aside from the data re-released by the CIA, once we had all the original material, the first "not obvious" action was grabbing pagefile.sys and hiberfil.sys and analyzing them. These files are especially interesting because, potentially, anything may be there. Literally. hiberfil.sys is a dump of the memory itself and pagefile.sys is the swap file, so chunks of memory from different processes are there and you may literally find URLs, passwords… anything. We found two hiberfil.sys files and seven pagefile.sys files from at least three computers.

The first thing to sniff around for is interesting URLs. Videos are always interesting. Mainly, videos for children. We also found their anonymous proxies of choice, like "http://tproxy.guardster.com", where we can find the URLs they were really visiting. Mainly Islamic forums.

But, as we have detected, there are some malware IOCs there, like malware evidence in memory. For instance: 20080311cPxl31 (a Flash downloader popular during 2011), http://jL.chura.pl/rc/, http://218.25.11.147/download (quite an old Chinese malware distributor, or at least that is what it looked like), http://59.106.145.58/ (related to MS08-067), http://85.17.138.60/traf/fgaX, 29x67629n689 (not a very common string...). These are all samples of strings found in memory.

But two of them are especially interesting. The string ftp://ggss:xsw2xsw2@, found in one of the pagefile.sys files, which is obviously a username and password for an FTP server, belongs to this 4742ae6404fa227623192998e79f1bc6 sample. But this sample is not a popular malware. The raid took place in May 2011, but this sample was first seen in VirusTotal in 2015. How is it possible that it was not seen anywhere before? Not in any antivirus database for four years, but just on some Abbottabad computer? It may be a specially unique, automatically crafted sample… but who knows...
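Finding strings like these in a swap or hibernation file is a carving job: pull every printable run (ASCII and, because this is Windows, UTF-16LE), then tag the ones that are URLs, that embed a `scheme://user:password@` credential, or that match a list of known indicators. The script below is an added example written for this post, not the authors' tooling. Its IOC list is the set of strings quoted above; the `SAMPLE_DUMP` bytes are constructed to exercise both encodings (the FTP credential string is the one the post found, but the host after the `@` and the surrounding bytes are made up), and the password part of any credential is masked before it is printed.

```python
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

MIN_LEN = 8  # shorter runs are mostly noise in a swap or hibernation file

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows keeps most strings as UTF-16LE: printable byte, NUL, printable byte, NUL, ...
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+")
# scheme://user:password@ -- a credential some process left behind in memory
CRED_RE = re.compile(r"\b(?P<scheme>https?|ftp)://(?P<user>[^/\s:@]+):(?P<pw>[^/\s@]*)@")

# Strings the post reports finding in the dumps; extend with your own IOC feed.
IOC_STRINGS = (
    "20080311cPxl31", "http://jL.chura.pl/rc/", "http://218.25.11.147/download",
    "http://59.106.145.58/", "http://85.17.138.60/traf/fgaX", "29x67629n689",
    "password sender trojan",
)


class Hit(NamedTuple):
    offset: int
    encoding: str
    text: str
    tags: Tuple[str, ...]


def carve_strings(blob: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE run."""
    for m in ASCII_RE.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RE.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def tag_string(text: str) -> Tuple[str, ...]:
    """Label a carved string; an empty tuple means 'nothing interesting'."""
    tags: List[str] = []
    low = text.lower()
    if any(ioc.lower() in low for ioc in IOC_STRINGS):
        tags.append("known_ioc")
    if URL_RE.search(text):
        tags.append("url")
    if CRED_RE.search(text):
        tags.append("embedded_credential")
    return tuple(tags)


def scan_dump(blob: bytes) -> List[Hit]:
    """Return the tagged hits, ordered by file offset."""
    hits = [Hit(off, enc, s, tag_string(s)) for off, enc, s in carve_strings(blob)]
    return sorted(h for h in hits if h.tags)


def redact(text: str) -> str:
    """Mask the password part of any scheme://user:pass@ before it is logged."""
    return CRED_RE.sub(r"\g<scheme>://\g<user>:***@", text)


# Constructed memory-dump fragment (not bytes from the real files).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00" + b"\x00" * 12
    + b"ftp://ggss:xsw2xsw2@ftp.example.invalid/up"         # credential string; host made up
    + b"\x00" * 8
    + "http://tproxy.guardster.com/".encode("utf-16-le")   # proxy URL as a wide string
    + b"\x00" * 8
    + b"20080311cPxl31"                                     # Flash downloader marker
    + b"\x00" * 4
    + b"just some plain text in memory"                     # carved, but not reported
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for h in scan_dump(data):
        print(f"{h.offset:#010x} {h.encoding:8} {','.join(h.tags):24} {redact(h.text)}")
```

Run it as `python carve.py pagefile.sys` to scan a real file; on a multi-gigabyte dump the regex passes are slow but memory-safe if you switch `open().read()` to an `mmap`. The offset of each hit is what lets you go back with a hex editor and look at the surrounding chunk, which is how the post decides whether a string came from an infection or from, say, a cached AV signature.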

Aside from that, there are even more references to malware in the pagefile.sys and hiberfil.sys files. This one looks especially interesting.

Chunk of memory from one of the computers

There is always the chance that these chunks of information in memory come from another source, like the user just searching about it, AV signatures... but, given the place of the chunk itself, we think the computer was infected. This "password sender trojan by: spyder" is really an ancient piece of malware from at least 2000.

Some ancient PDF file by SANS referring to this keylogger


Thus, apart from the 815 potential malware files tagged as such by the CIA, some evidence found in memory linked to other malware samples found on the computer itself makes us think that those computers were quite infected.

By the way, their antivirus of choice was a pirated version of ESET NOD32, since they all had the service running. Although some of them had references to AVG and some Kaspersky warez keys.

The hiberfil.sys files were interesting for another reason. The LSASS process is in there somewhere and, if treated the right way, you may "mount" the process and check for credentials. That is what we did: try to recover the passwords of the users logged in just when the file was created. We tried with the hiberfil.sys from SHAED-PC, one of the computers in Bin Laden's compound.

Using Debugging Tools for Windows (WinDbg), Windows Memory Toolkit Free Edition and mimikatz, we tried to find Windows passwords. The process consists of converting the hiberfil.sys to a format WinDbg understands, finding the base of the LSASS process and running mimikatz; the result was that there were no passwords at all.

Taking passwords out of hiberfil.sys file.


NTLM and LM are clearly null, so the passwords were blank. We could go on and on analyzing pagefile.sys and hiberfil.sys for hours, but this is just a glimpse of what you may find.

In the next blog entry we will dig deeper into the registry files, the passwords used for communication, what programs ran when the computers started up... and some other revealing clues.

* Dumpster diving in Bin Laden's computers: malware, passwords, warez and metadata (II)

Innovation and laboratory
innovationlab@11paths.com
