System7 » malware

REMnux: Distro for Reversers

The Gunslinger — Mon, 26 Jul 2010 12:09:52 +0000

Lenny Zeltser, SANS Instructor, has released a customized distribution targeted at malware reverse engineers. From the REMnux page:

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

Malware Analyzers

The Gunslinger — Thu, 17 Jun 2010 16:22:45 +0000

(This article was originally published on June 9, 2009 — new resources added below)

Do you ever receive a suspicious file via email or hesitant to download software from a webpage? You can upload the executable to one of the malware analyzers below and they’ll run it through several different AVs and give you the results. CWsandbox will also take a basic attempt to reverse engineering the app and let you know what type of handles it’s creating. Some very neat tools….

win32 memory capture & analysis cheat sheet

The Gunslinger — Mon, 14 Jun 2010 12:33:25 +0000

A high level overview to perform live memory captures and analysis:

capture memory via moonsol’s win32dd
parse memory snapshot with mandiant’s memoryze
analyze results via audit viewer
or analyze using the volatility framework — neatly packaged in SAN’S Sift Workstation

Analyzing Malicious PDF Documents

The Gunslinger — Tue, 20 Apr 2010 11:50:00 +0000

So you want to get your feet wet?

Grab Didier Stevens tools here: http://blog.didierstevens.com/programs/pdf-tools/
Grab malicious PDF samples here: http://www.malwaredomainlist.com/mdl.php?search=pdf+exploit&colsearch=All&quantity=50 *Be careful, these are live samples!
Video Tutorial: Didier on analyzing a PDF Document: http://www.youtube.com/v/tHVi2wKCkTc
You’re going to run into some heavily obfuscated JavaScript. Read this article: http://isc.sans.org/diary.html?storyid=2358
Other deobfuscation tools: Malzilla, SpiderMonkey (need to handle document.write), debug via Rhino, Firefox add-on (haven’t tried this one)

Malware authors: Best storage / hiding locations

The Gunslinger — Wed, 27 Jan 2010 03:11:11 +0000

Have you just injected a running process’ memory? In most cases, unless your an adept author and have written a root-kit you want your malware to remain persistent via auto-run, registry, start-up etc. Where do you store your persistent launcher? A clever idea would be to determine what AV the victim is running — if any Once you determine which AV is running you should check whether or not any files or directories are excluded from scanning. If so you’ve just found the perfect location for your loader.

Here’s what I’ve come up with so far:

AVG – Configuration files in binary format; No registry entries

Microsoft Security Essentials: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

Trend: Check out these registry locations:

HKLM\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\;
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Prescheduled Scan Configuration (ExcludedFile & Excluded Folder keys)
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration (ExcludedFile & Excluded Folder keys)
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Scan Now Configuration (ExcludedFile & Excluded Folder keys)

**Here’s a Microsoft KB article about their recommended locations for exclusion: http://support.microsoft.com/kb/822158

‘Analyzing Malicious Documents’ cheat sheet

The Gunslinger — Mon, 07 Dec 2009 12:24:28 +0000

Just saw this at the Internet Storm Center…Analyzing Malicious Documents Cheat Sheet Some really great info covering Microsoft Office documents and PDFs. Mentions some useful tools to help with analysis and the general approach to be followed depending on type of document.

Zeus/Zbot Information and Tracking the Banking Trojan

The Gunslinger — Tue, 20 Oct 2009 15:39:18 +0000

Zeus is a crimeware kit, which steals credentials for various online services like social networks, online banking accounts, ftp accounts, email accounts and other (phishing). The web admin panel can be bought for $700 and the exe builder for $4000.

The dangerous thing is anyone with resources can use the Zbot builder and package new variants making creating a definition difficult.

Once Zeus is on a system it uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites, and added into remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds. The money laundering groups anonymously hire physical people to withdraw money from their personal accounts – in the criminal world these people are called “drops”, and their accounts are called “drop accounts”.

The purchased builder is very granular; can you imagine logging in to your online banking website and additional fields appear that seem to blend into the page:

Due to security measures, please provide the answers to all the security questions listed below:

Your first school
Your mother’s maiden name

What is the first letter of the name of your high school?
What is the first letter of the name of your pet?
etc…

Zeus Tracking Project (C&C servers overlayed w/ Google Maps)

Detailed Zeus reverse engineering

Webinar about the bot

Malware Analyzers Part deuce

The Gunslinger — Fri, 17 Jul 2009 14:35:10 +0000

Several weeks ago I posted about different free malware analyzers (sandbox environments). I’ve stumbled across another free tool from Mandiant which is their Red Curtain offering. Red Curtain will scan a given local directory or drive and analyze each file assigning it a threat score. It takes into effect whether the file is signed, packing, and the entropy which could be suspicious.

Another plus is the tool can be remotely deployed which is great for LAN & enterprise environments.

*I believe all their tools only run on Windows.