Tuesday, February 23, 2021

Your AV is Trying to Tell You Something: VBN's Part 1

Symantec VBN (quarantine) files have been rather troublesome for most people. I've read what articles I could find and looked at various tools on the subject, but at some point they all failed. There had to be something everyone was missing. And there was! As a community, we figured out that there were two types of VBN files. Where a file sat in the folder structure determined whether it contained the quarantined file, or so we thought.

Shane King had shared his research into VBNs, which laid the groundwork for the majority of my research. His methodology for extracting the quarantined content worked the majority of the time, but not always. I was looking through Symantec's quarantine location one day and noticed some rather large VBNs in the location where they should only contain metadata and not quarantined content. When I XORed the data, I soon realized that these larger files also contained quarantined content. A third VBN type!

Quarantine folder structure

Focusing back on the first structure in the VBN: they all looked the same. There had to be something in this structure that indicated what type of VBN we were dealing with. Going back to Shane's work, there were a lot of unknowns in this structure. Looking through the unknown parts, I was able to work out what the timestamps meant, along with various other things, but found no indication of what would come next after this structure. It wasn't until I started playing around with Symantec's Qextract tool that I found my answer.

Qextract gives detailed output for the VBN files in the quarantine folder. By looking through this output, I was able to find the majority of the locations in the VBN file where Qextract was getting its information from. One part of the output stood out to me: Record Type. This confirmed my hypothesis that there were three different types of VBN.

Now that we know there are different types of VBNs and a way to identify them, we can figure out what structures come next in the VBN file. I am going to stop here for now. I will cover the different structures of each record type in the next series of posts. In the meantime, below is the layout for the first structure, the VBN Metadata structure. *Note: This applies to VBN files found on Windows. The Linux layout is still a work in progress.*


VBN file format V1 (Windows - SEP 11)

VBN Metadata

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 4 | Size | Size of the VBN Metadata section, 0xe5c |
| 4 | 384 | Description | FQP of Quarantine File |
| 388 | 984 | Log Line | Information on event. |
| 1372 | 4 | Data Type | Value which can describe the subsequent data. (0x1 = No dates, 0x2 = Dates) |
| 1376 | 4 | Record ID | VBin ID/VBN Name |
| 1380 | 8 | Date Created | Indicates a time of creation of object on the file system. (Windows Filetime) |
| 1388 | 8 | Date Accessed | Indicates a time of last access of an object. (Windows Filetime) |
| 1396 | 8 | Date Modified | Indicates a time of last modification of content. (Windows Filetime) |
| 1404 | 4 | Data Type | Value which can describe the subsequent data. (0x0 = No storage info, 0x2 = Storage info) |
| 1408 | 484 | Unknown | Requires further investigation as to the purpose of this entry. |
| 1892 | 48 | Storage Name | Where threat was found (FileSystem/InternetMail/LotusNotes/MicrosoftExchange) |
| 1940 | 4 | Storage Instance ID | Requires further investigation as to the purpose of this entry. |
| 1944 | 384 | Storage Key | Requires further investigation as to the purpose of this entry. |
| 2328 | 4 | Data Type | Value which can describe the subsequent data. |
| 2332 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2336 | 8 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2344 | 4 | Data Type | Value which can describe the subsequent data. |
| 2348 | 4 | Quarantine Data Size | Size of Quarantined Data (bytes) |
| 2352 | 4 | Date Accessed | Indicates a time of last access of an object. (Unix: 32 bit Hex) |
| 2356 | 4 | Date Modified | Indicates a time of last modification of content. (Unix: 32 bit Hex) |
| 2360 | 4 | Date Created | Indicates a time of creation of object on the file system. (Unix: 32 bit Hex) |
| 2364 | 4 | VBin Time | Time data was quarantined. (Unix: 32 bit Hex) |
| 2368 | 8 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2376 | 16 | Unique ID | Unique GUID |
| 2392 | 260 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2652 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2656 | 4 | Record Type | 0x0 = Hybrid, 0x1 = Meta, 0x2 = Quarantine |
| 2660 | 4 | Quarantine Session ID | Name of subfolder where VBN is stored |
| 2664 | 4 | Remediation Type | Type of remediation (values listed below) |
| 2668 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2672 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2676 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2680 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2684 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2688 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2692 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2696 | 768 | Wide Description | FQP of Quarantine File (Unicode) |
| 3464 | 212 | Unknown | Requires further investigation as to the purpose of this entry. |

Remediation Type values:

| Value | Remediation |
|---|---|
| 0 | None |
| 2000 | Registry |
| 2001 | File |
| 2002 | Process |
| 2003 | Batch File |
| 2004 | INI File |
| 2005 | Service |
| 2006 | Infected File |
| 2007 | COM Object |
| 2008 | Host File Entry |
| 2009 | Directory |
| 2010 | Layered Service Provider |
| 2011 | Internet Browser Cache |

VBN file format V2 (Windows - SEP 12 +)

VBN Metadata

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 4 | Size | Size of the VBN Metadata section, 0x1290 |
| 4 | 384 | Description | FQP of Quarantine File |
| 388 | 2048 | Log Line | Information on event. |
| 2436 | 4 | Data Type | Value which can describe the subsequent data. (0x1 = No dates, 0x2 = Dates) |
| 2440 | 4 | Record ID | VBin ID/VBN Name |
| 2444 | 8 | Date Created | Indicates a time of creation of object on the file system. (Windows Filetime) |
| 2452 | 8 | Date Accessed | Indicates a time of last access of an object. (Windows Filetime) |
| 2460 | 8 | Date Modified | Indicates a time of last modification of content. (Windows Filetime) |
| 2468 | 4 | Data Type | Value which can describe the subsequent data. (0x0 = No storage info, 0x2 = Storage info) |
| 2472 | 484 | Unknown | Requires further investigation as to the purpose of this entry. |
| 2956 | 48 | Storage Name | Where threat was found (FileSystem/InternetMail/LotusNotes/MicrosoftExchange) |
| 3004 | 4 | Storage Instance ID | Requires further investigation as to the purpose of this entry. |
| 3008 | 384 | Storage Key | Requires further investigation as to the purpose of this entry. |
| 3392 | 4 | Data Type | Value which can describe the subsequent data. |
| 3396 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3400 | 8 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3408 | 4 | Data Type | Value which can describe the subsequent data. |
| 3412 | 4 | Quarantine Data Size | Size of Quarantined Data (bytes) |
| 3416 | 4 | Date Accessed | Indicates a time of last access of an object. (Unix: 32 bit Hex) |
| 3420 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3424 | 4 | Date Modified | Indicates a time of last modification of content. (Unix: 32 bit Hex) |
| 3428 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3432 | 4 | Date Created | Indicates a time of creation of object on the file system. (Unix: 32 bit Hex) |
| 3436 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3440 | 4 | VBin Time | Time data was quarantined. (Unix: 32 bit Hex) |
| 3444 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3448 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3452 | 16 | Unique ID | Unique GUID |
| 3468 | 260 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3728 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3732 | 4 | Record Type | 0x0 = Hybrid, 0x1 = Meta, 0x2 = Quarantine |
| 3736 | 4 | Quarantine Session ID | Name of subfolder where VBN is stored |
| 3740 | 4 | Remediation Type | Type of remediation (values listed below) |
| 3744 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3748 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3752 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3756 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3760 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3764 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3768 | 4 | Unknown | Requires further investigation as to the purpose of this entry. |
| 3772 | 768 | Wide Description | FQP of Quarantine File (Unicode) |
| 4540 | 212 | Unknown | Requires further investigation as to the purpose of this entry. |

Remediation Type values:

| Value | Remediation |
|---|---|
| 0 | None |
| 2000 | Registry |
| 2001 | File |
| 2002 | Process |
| 2003 | Batch File |
| 2004 | INI File |
| 2005 | Service |
| 2006 | Infected File |
| 2007 | COM Object |
| 2008 | Host File Entry |
| 2009 | Directory |
| 2010 | Layered Service Provider |
| 2011 | Internet Browser Cache |
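To make the two layouts concrete, here is an added Python example (my own code, not the author's and not Symantec's Qextract) that reads a VBN Metadata block, picks the V1 or V2 layout from the Size field at offset 0, and decodes the fields named in the tables above: Description, Record ID, the three FILETIME dates, Storage Name, Quarantine Data Size, VBin Time, Unique ID, Record Type, Quarantine Session ID and Remediation Type. The page does not state byte order or string encoding, so the code assumes little-endian integers, NUL-padded 8-bit and UTF-16LE strings, and a mixed-endian Windows GUID; rendering Record ID and Session ID as eight hex digits is likewise my assumption. The sample block is constructed by build_sample, not taken from a real quarantine; to use it on a real file, pass that file's bytes to parse_vbn_metadata.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Field offsets transcribed from the V1 and V2 VBN Metadata tables above.
# The Size field at offset 0 is the discriminator between the two layouts.
# Assumed (not stated on the page): little-endian integers, NUL-padded
# string fields, and a Windows mixed-endian GUID for Unique ID.
LAYOUTS = {
    0x0E5C: {"version": 1, "description": (4, 384), "log_line": (388, 984),
             "record_id": 1376, "filetimes": 1380, "storage_name": (1892, 48),
             "quarantine_size": 2348, "vbin_time": 2364, "unique_id": 2376,
             "record_type": 2656, "session_id": 2660, "remediation": 2664,
             "wide_description": (2696, 768)},
    0x1290: {"version": 2, "description": (4, 384), "log_line": (388, 2048),
             "record_id": 2440, "filetimes": 2444, "storage_name": (2956, 48),
             "quarantine_size": 3412, "vbin_time": 3440, "unique_id": 3452,
             "record_type": 3732, "session_id": 3736, "remediation": 3740,
             "wide_description": (3772, 768)},
}
RECORD_TYPES = {0: "Hybrid", 1: "Meta", 2: "Quarantine"}
REMEDIATION_TYPES = {
    0: "None", 2000: "Registry", 2001: "File", 2002: "Process",
    2003: "Batch File", 2004: "INI File", 2005: "Service", 2006: "Infected File",
    2007: "COM Object", 2008: "Host File Entry", 2009: "Directory",
    2010: "Layered Service Provider", 2011: "Internet Browser Cache",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer math avoids float precision loss."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def ansi_field(buf, off, length):
    """Fixed-width 8-bit string field, cut at the first NUL."""
    return buf[off:off + length].split(b"\x00", 1)[0].decode("latin-1")


def wide_field(buf, off, length):
    """Fixed-width UTF-16LE string field, cut at the first NUL character."""
    return buf[off:off + length].decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_vbn_metadata(buf):
    """Decode the VBN Metadata structure at the start of a VBN file."""
    if len(buf) < 4:
        raise ValueError("too short to hold the Size field")
    size = struct.unpack_from("<I", buf, 0)[0]
    layout = LAYOUTS.get(size)
    if layout is None:  # refuse to guess offsets for a layout we do not know
        raise ValueError(f"unrecognised VBN Metadata size 0x{size:X}")
    if len(buf) < size:
        raise ValueError(f"truncated: header claims {size} bytes, have {len(buf)}")
    u32 = lambda off: struct.unpack_from("<I", buf, off)[0]
    created, accessed, modified = struct.unpack_from("<QQQ", buf, layout["filetimes"])
    rtype, rem = u32(layout["record_type"]), u32(layout["remediation"])
    guid = buf[layout["unique_id"]:layout["unique_id"] + 16]
    return {
        "layout_version": layout["version"],
        "metadata_size": size,
        "description": ansi_field(buf, *layout["description"]),
        "wide_description": wide_field(buf, *layout["wide_description"]),
        "log_line": ansi_field(buf, *layout["log_line"]),
        # Eight hex digits is assumed to match the VBN file / subfolder names.
        "record_id": f"{u32(layout['record_id']):08X}",
        "quarantine_session_id": f"{u32(layout['session_id']):08X}",
        "date_created": filetime_to_datetime(created),
        "date_accessed": filetime_to_datetime(accessed),
        "date_modified": filetime_to_datetime(modified),
        "storage_name": ansi_field(buf, *layout["storage_name"]),
        "quarantine_data_size": u32(layout["quarantine_size"]),
        "vbin_time": datetime.fromtimestamp(u32(layout["vbin_time"]), tz=timezone.utc),
        "unique_id": str(uuid.UUID(bytes_le=bytes(guid))),
        "record_type": RECORD_TYPES.get(rtype, f"unknown (0x{rtype:X})"),
        "remediation_type": REMEDIATION_TYPES.get(rem, f"unknown ({rem})"),
    }


def build_sample(size, record_type=0, remediation=2001):
    """Construct a synthetic VBN Metadata block (test data, not a real capture)."""
    layout = LAYOUTS[size]
    buf = bytearray(size)
    path = r"C:\Users\analyst\Downloads\sample.exe"  # constructed path
    log = b"constructed log line"
    t0 = datetime(2021, 2, 23, tzinfo=timezone.utc)
    struct.pack_into("<I", buf, 0, size)
    buf[4:4 + len(path)] = path.encode("latin-1")
    buf[388:388 + len(log)] = log
    struct.pack_into("<I", buf, layout["record_id"], 0x5A4B6C7D)
    struct.pack_into("<QQQ", buf, layout["filetimes"],
                     *(datetime_to_filetime(t0 + timedelta(hours=h)) for h in (0, 1, 2)))
    so = layout["storage_name"][0]
    buf[so:so + 10] = b"FileSystem"
    struct.pack_into("<I", buf, layout["quarantine_size"], 68)
    struct.pack_into("<I", buf, layout["vbin_time"], int((t0 + timedelta(hours=3)).timestamp()))
    uo = layout["unique_id"]
    buf[uo:uo + 16] = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    struct.pack_into("<I", buf, layout["record_type"], record_type)
    struct.pack_into("<I", buf, layout["session_id"], 0x2A)
    struct.pack_into("<I", buf, layout["remediation"], remediation)
    wide, wo = path.encode("utf-16-le"), layout["wide_description"][0]
    buf[wo:wo + len(wide)] = wide
    return bytes(buf)


if __name__ == "__main__":
    for size in LAYOUTS:
        for key, value in parse_vbn_metadata(build_sample(size)).items():
            print(f"{key:>22}: {value}")
```

Two points from the post are baked into the parser: the layout is chosen from the Size field rather than from the SEP version you think is installed, and an unknown size raises instead of applying V1 offsets blindly, since every later field would then be read from the wrong place. Record Type is decoded from the structure itself, which is what lets you classify a VBN as Hybrid, Meta or Quarantine without relying on which quarantine subfolder it was found in.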
