System7

Spread the word, information is free.

Archive for category malware

Malware authors: Best storage / hiding locations

Jan 26

Posted by The Gunslinger in malware, security | No Comments

Have you just injected a running process’ memory?  In most cases, unless your an adept author and have written a root-kit you want your malware to remain persistent via auto-run, registry, start-up etc.  Where do you store your persistent launcher?  A clever idea would be to determine what AV the victim is running — if any :-)   Once you determine which AV is running you should check whether or not any files or directories are excluded from scanning.  If so you’ve just found the perfect location for your loader.

Here’s what I’ve come up with so far:

AVG – Configuration files in binary format; No registry entries

Microsoft Security Essentials:  HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

Trend: Check out these registry locations:

  • HKLM\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\;
  • HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Prescheduled Scan Configuration (ExcludedFile & Excluded Folder keys)
  • HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration (ExcludedFile & Excluded Folder keys)
  • HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Scan Now Configuration (ExcludedFile & Excluded Folder keys)

**Here’s a Microsoft KB article about their recommended locations for exclusion: http://support.microsoft.com/kb/822158

‘Analyzing Malicious Documents’ cheat sheet

Dec 7

Posted by The Gunslinger in malware | No Comments

Just saw this at the Internet Storm Center…Analyzing Malicious Documents Cheat Sheet Some really great info covering Microsoft Office documents and PDFs.  Mentions some useful tools to help with analysis and the general approach to be followed depending on type of document.

Zeus/Zbot Information and Tracking the Banking Trojan

Oct 20

Posted by The Gunslinger in malware | No Comments

Zeus is a crimeware kit, which steals credentials for various online services like social networks, online banking accounts, ftp accounts, email accounts and other (phishing). The web admin panel can be bought for $700  and the exe builder for $4000.

The dangerous thing is anyone with resources can use the Zbot builder and package new variants making creating a definition difficult.

Once Zeus is on a system it uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites, and added into remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds. The money laundering groups anonymously hire physical people to withdraw money from their personal accounts – in the criminal world these people are called “drops”, and their accounts are called “drop accounts”.

The purchased builder is very granular; can you imagine logging in to your online banking website and additional fields appear that seem to blend into the page:

  • Due to security measures, please provide the answers to all the security questions listed below:
  • Your first school
  • Your mother’s maiden name
  • What is the first letter of the name of your high school?
  • What is the first letter of the name of your pet?
  • etc…

Zeus Tracking Project (C&C servers overlayed w/ Google Maps)

Detailed Zeus reverse engineering

Webinar about the bot

Malware Analyzers Part deuce

Jul 17

Posted by The Gunslinger in hardware & software, malware | No Comments

Several weeks ago I posted about different free malware analyzers (sandbox environments).  I’ve stumbled across another free tool from Mandiant which is their Red Curtain offering. Red Curtain will scan a given local directory or drive and analyze each file assigning it a threat score. It takes into effect whether the file is signed, packing, and the entropy which could be suspicious.

Another plus is the tool can be remotely deployed which is great for LAN & enterprise environments.

*I believe all their tools only run on Windows.

Malware Analyzers

Jun 9

Posted by The Gunslinger in malware | 1 Comment

Do you ever receive a suspicious file via email or hesitant to download software from a webpage?  You can upload the executable to one of the malware analyzers below and they’ll run it through several different AVs and give you the results. CWsandbox will also take a basic attempt to reverse engineering the app and let you know what type of handles it’s creating. Some very neat tools….

http://www.virustotal.com/

https://cwsandbox.org/

Please let me know if you’re aware of any others…