Hmmm..Real Antivirus? or just another rouge AV...
Wednesday, October 29, 2008
Wednesday, October 22, 2008
quick check of trojan's downloaded file
Some bots and trojans are using simple encryption to download other component. When you trace malware, you might see some url to be downloaded, but when you manually fetch it, its nothing by a gibberish data. First they download a relatively small file say, ff.rar, from malicious web hosting site. The file is not actually a RAR achive but contains data that looks encrypted. But when try to decrypt it, the file may contain the actual link of the malicious file or component to be downloaded by the malware.
Example: ff.rar
00000000: 29 1A 61 35-63 64 65 74-2E 61 00 00-00 00 00 00 )?a5cdet.a
00000010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00000020: 00 00 41 5D-5D 59 13 06-06 48 5A 4D-1F 5C 07 4A A]]Y???HZM?\•J
00000030: 46 44 06 43-43 06 4F 4F-07 4C 51 4C- FD?CC?OO•LQL
Your instinct will tell you that this could be the download URL, and that must be using http.
At offset 0x23 and 0x24 are the same bytes (5D) which could be decrypted to 'TT' of 'http'.
Hmm..applying simple math, 5d ^ X = 74 (74 is the hex value for 't'), so x = 29. Now lets try to decrypt it using that value as the key.
Using hiew, you can quickly decrypt the bytes using the value X=29 as the key
1. Open the file in hiew, hex mode. Position the cursor at offset 0
2. Press F3 (edit), then F8 (XOR). Put 29 hex as the XOR mask. Enter.
3. Pressing F8 will decrypt it similar below:
00000000: 00 33 48 1C-4A 4D 4C 5D-07 48 29 29-29 29 29 29 3H?JML]•H))))))
00000010: 29 29 29 29-29 29 29 29-29 29 29 29-29 29 29 29 ))))))))))))))))
00000020: 29 29 68 74-74 70 3A 2F-2F 61 73 64-36 75 2E 63 ))http://asd6u.c
00000030: 6F 6D 2F 6A-6A 2F 66 66-2E 65 78 65- om/jj/ff.exe
Now you have the actual link of the malware and you can manually wget it from the link hXXp://asd6u.com/jj/ff.exe
Example: ff.rar
00000000: 29 1A 61 35-63 64 65 74-2E 61 00 00-00 00 00 00 )?a5cdet.a
00000010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00000020: 00 00 41 5D-5D 59 13 06-06 48 5A 4D-1F 5C 07 4A A]]Y???HZM?\•J
00000030: 46 44 06 43-43 06 4F 4F-07 4C 51 4C- FD?CC?OO•LQL
Your instinct will tell you that this could be the download URL, and that must be using http.
At offset 0x23 and 0x24 are the same bytes (5D) which could be decrypted to 'TT' of 'http'.
Hmm..applying simple math, 5d ^ X = 74 (74 is the hex value for 't'), so x = 29. Now lets try to decrypt it using that value as the key.
Using hiew, you can quickly decrypt the bytes using the value X=29 as the key
1. Open the file in hiew, hex mode. Position the cursor at offset 0
2. Press F3 (edit), then F8 (XOR). Put 29 hex as the XOR mask. Enter.
3. Pressing F8 will decrypt it similar below:
00000000: 00 33 48 1C-4A 4D 4C 5D-07 48 29 29-29 29 29 29 3H?JML]•H))))))
00000010: 29 29 29 29-29 29 29 29-29 29 29 29-29 29 29 29 ))))))))))))))))
00000020: 29 29 68 74-74 70 3A 2F-2F 61 73 64-36 75 2E 63 ))http://asd6u.c
00000030: 6F 6D 2F 6A-6A 2F 66 66-2E 65 78 65- om/jj/ff.exe
Now you have the actual link of the malware and you can manually wget it from the link hXXp://asd6u.com/jj/ff.exe
Friday, October 17, 2008
Reverse Engineering Links
Gathered from different sources (eg. my own bookmarks, forum, blog, etc):
http://www.openrce.org
http://woodmann.net/collaborative/tools/index.php/Category:Hardware_Reversing_Tools
http://www.woodmann.com/crackz/index.html
http://www.woodmann.com/forum/index.php
http://www.codebreakers-journal.com/
http://www.tuts4you.com/download.php?list.17
http://www.tuts4you.com/
http://www.exetools.com/
http://ap0x.jezgra.net/
http://www.crackmes.de/
http://www.reverse-engineering.info/
http://www.w00zl3.net/
http://korupt.wordpress.com/
http://www.reteam.org/
http://www.reconstructer.org
http://www.antirootkit.com
http://www.rootkit.com
http://evilcry.netsons.org
http://evilcodecave.wordpress.com
http://offensivecomputing.net/
http://zairon.wordpress.com/
http://www.ivanlef0u.tuxfamily.org/
http://arteam.accessroot.com/
http://uninformed.org/
http://dvlabs.tippingpoint.com/
http://www.matasano.com/log/category/reversing/
http://reversengineering.wordpress.com/
http://indefinitestudies.wordpress.com/2008/09/25/automatic-unpacking/
http://www.quequero.org/Reversing
http://www.codeproject.com/KB/cpp/funccaller.aspx
http://www.datarescue.com/laboratory/
http://www.nynaeve.net
http://www.datasecurity-event.com/downloads.html
http://xchg.info/ARTeam/Tutorials/
http://www.reverse-engineering.net/
http://www.reversing.be/
Others:
http://www.intel.com/products/processor/manuals/
http://www.openrce.org
http://woodmann.net/collaborative/tools/index.php/Category:Hardware_Reversing_Tools
http://www.woodmann.com/crackz/index.html
http://www.woodmann.com/forum/index.php
http://www.codebreakers-journal.com/
http://www.tuts4you.com/download.php?list.17
http://www.tuts4you.com/
http://www.exetools.com/
http://ap0x.jezgra.net/
http://www.crackmes.de/
http://www.reverse-engineering.info/
http://www.w00zl3.net/
http://korupt.wordpress.com/
http://www.reteam.org/
http://www.reconstructer.org
http://www.antirootkit.com
http://www.rootkit.com
http://evilcry.netsons.org
http://evilcodecave.wordpress.com
http://offensivecomputing.net/
http://zairon.wordpress.com/
http://www.ivanlef0u.tuxfamily.org/
http://arteam.accessroot.com/
http://uninformed.org/
http://dvlabs.tippingpoint.com/
http://www.matasano.com/log/category/reversing/
http://reversengineering.wordpress.com/
http://indefinitestudies.wordpress.com/2008/09/25/automatic-unpacking/
http://www.quequero.org/Reversing
http://www.codeproject.com/KB/cpp/funccaller.aspx
http://www.datarescue.com/laboratory/
http://www.nynaeve.net
http://www.datasecurity-event.com/downloads.html
http://xchg.info/ARTeam/Tutorials/
http://www.reverse-engineering.net/
http://www.reversing.be/
Others:
http://www.intel.com/products/processor/manuals/
Tuesday, October 07, 2008
VS2005 compiled exe error
The following error shows when you transferred or copied your VS2005 compiled program to other machine. This is I think
c:\test> BlueFish.exe
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
Similar problem discussion about SxS (side-by-side) issue can be found here.
Another similar discussion I found from this link.
Anyway, I tried changing settings in my VS2005 which just worked fine, but not sure if its the correct solution. Here;s the settings as screenshots:
c:\test> BlueFish.exe
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
Similar problem discussion about SxS (side-by-side) issue can be found here.
Another similar discussion I found from this link.
Anyway, I tried changing settings in my VS2005 which just worked fine, but not sure if its the correct solution. Here;s the settings as screenshots:
Subscribe to:
Posts (Atom)