Posts

Showing posts from February, 2015

What to do with MD5 checksums of files provided as an Indicator of Compromise?

Image
As I have researched malware and the indicators of compromise an MD5 checksum of the files are provided so that you can detect them in your environment.  I am not sure about your anti-virus but I am not able to plug-in an MD5 and have it search for them across the enterprise as it does it's scan.  Though the company I work with states that is a feature request that they have.

Let's say I am researching the Dyre Banking Trojan and I pull up SecureWorks report about it located at http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/.  As I scan through the report I come to the following section listing the MD5 checksums of the files I should look for on my enterprise network.



This is where Clam-AV can assist.  You can create a custom database with these MD5 hashes.  The format for a custom database with MD5's is hash:file size:malware name.  So I then create the file as follows:

md5hash:?:Dyre_Trojan

However, I quickly notice that I do not have th…

Volatility Script to Extract the Registry Keys where Powelik is Stored

Below is a bash script that will analyze the dllhost.exe process for the registry entries that could contain the Powelik trojan.  If it detects the entry it will attempt to dump the registry keys where the powelik malware would be located.

#!/bin/bash
# Script to collect information by utilizing volatility
# Script is built to quickly identify the Powelik Trojan until the malware changes

####  Configurable Settings #############
homeDir=`pwd`
memImage="$homeDir/mem.dump"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''
#########################################
date
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

if [ ! -d $outputDir ]; then
    mkdir $outputDir
    mkdir $outputDir/vaddump
    mkdir $dumpDir
    mkdir $tempDir
fi

# Find the profile for the image that is being analyzed and store it in volProfile
python $locVolPy -f $memImage imageinfo > $outputDir/imageinfo
cat $outputDir/imageinfo | grep "Su…

Notes on Malware Analysis of the Trojan Powelik

Working with the Powelik Malware today, I thought I would record some of my notes so I could refer back to how I utilized volatility and other tools.

To find the malware it is embedded in the registry under a random key at the following location:

HKEY_CLASSES_ROOT\CLSID\{<random}

To further identify that, you can google various other pages that have an analysis online about Powelik.  Another way to find the registry key is to conduct a vaddump on the process of dllhost.exe which powelik utilizes:

vol.py -f mem.dump --profile=Win7SP0x86 vaddump -p <processid of dllhost.exe> -D <output>

Then search for signs of the CLSID\{<random>} registry key using the following command:

strings <output>* | grep -i -e "CLSID"

To extract the malware I used volatility to first identify where the registry hives are located:

vol.py -f mem.dump --profile=Win7SP0x86 hivelist

This gives you the virtual offset for the UsrClass.dat file for the user.  Then you can use that to p…

Deobfuscating Javascript

Today I came across some javascript madness inside of a file that initially appears as a Word Document in an email.  Below is a picture of some of the madness:

var a=''; var b=''; function lq() { b = 'eval'; a += 'ADODB'; tqk(); }; function j() { b = 'eval'; a += 's.Exp'; eky(); }; function ye() { b = 'eval'; a += 'ti'; xk(); }; function rbx() { b = 'eval'; a += '357'; dke(); }; function mx() { b = 'eval'; a += 'ment'; fr(); }; function jp() { b = 'eval'; a += '+St'; rxh(); }; function uuz() { b = 'eval'; a += ' ca'; d(); };

As you can tell little pieces of the actual code scattered everywhere.  To first deobfuscate the code I placed a line break between each semi-colon and new function.

cat file.txt | sed 's/function/\nfunction/g'

The above command just does a string substitution adding a new line in before the function call.  Then I noticed the variab…

Links inside of Emails - The good, the bad and the ugly...

Image
So I was listening to the following podcast and it began discussing a question about links inside of emails. I have pasted from the transcribed notes the discussion below. Thanks Steve and Leo for the great podcast. GIBSON RESEARCH CORPORATION http://www.GRC.com/ SERIES: Security Now! EPISODE: #494 DATE: February 10, 2015 TITLE: Listener Feedback #206 SPEAKERS: Steve Gibson & Leo Laporte SOURCE FILE: http://media.GRC.com/sn/SN-494.mp3 FILE ARCHIVE: http://www.GRC.com/securitynow.htm
"...LEO: Justin Aborn in Boston. He wants to know how to be sure about emailed links. He wants to know how whether to click on them: My bank just emailed me a clickable link. I'm 99.9% sure it's truly them, but I navigate to their site by hand, rather than click on the emailed link. To check the fit of my tinfoil hat, what do you recommend as the minimum procedure to confidently click an emailed URL? It would be a lot more convenient if we could just click on them. STEVE: Y…

Fuzzing to Stack Based Overflow Exploit with MinaliC

Image
For the computer science class that I am teaching I introduced stack based overflows.  To demonstrate the concept I utilized vulnserver.exe and mentioned it in previous blog posts.  This lab involved MinaliC.

You can refer to the following web site for the exploit http://www.exploit-db.com/exploits/24958/.  We are going to step through this.  Also the exploit published is for XP SP2 Pro we will be using XP SP1.

1. We first run the MinaliC webserver on Windows XP SP1.  The vulnerable application can be downloaded from the exploit-db.com link above.



2.  Then I am going to use python to connect to the web page to pull down the above page and we will start there.

#!/usr/bin/python

import socket

server = '172.16.102.132' # Change to the IP Address of Windows XP SP1 VM
destPort = 8080

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, destPort))

pageRequest = 'index.htm'
hostInfo = 'test.com'

httpRequest =  'GET /' + pageRequest + '…

Netflix Streaming Blocked by Sophos UTM

Image
*** This solution no longer works with updates that Sophos has applied or changes that Netflix has made!

I was helping a friend with a Sophos UTM and found that netflix would not stream on their mobile devices.  We went into the settings and through studying the weblog and how netflix URL's are put togehter and created the following regex to add an exception so the AV would not scan the URL:

^http://.*.netflix.com/.*
^http.*?o=.*v=[0-9]&e=[0-9]{10}&t=.*$

Below is a screenshot of the exception that was created:


Now as long as the bot masters do not create a bot that uses that regex to exfil data it will work great!!  Oh by-the-way the Sophos UTM is free for home use.  It is a nice Unified Threat Management (UTM) for home use and is a lot better than a router you can buy out of the store.

Updated Powershell Script to Fix Unquoted Path Vulnerabilities

Here is an updated powershell script to fix unquoted path vulnerabilities:


Install Cuckoo Sandbox Notes

I thought I would record my notes on installing the cuckoo sandbox.  These notes do not cover the setting up of the configuration files for the sandboxes. 

#!/bin/bash

# Created to install cuckoo Sandbox on Kali linux
# Taken from: http://cyberwarzone.com/perfect-cuckoo-sandbox-installation-guide
# Most of what is in the above link worked

#apt-get install python
#apt-get install python-sqlalchemy python-bson

# If the following repositories are not present they need to be added to /etc/apt/sources.list
# From: docs.kali.org/general-use/kali-linux-sources-list-repositories
#deb http://http.kali.org/kali kali main non-free contrib
#deb http://security.kali.org/kali-security kali/updates main contrib non-free
#deb-src http://http.kali.org/kali kali main non-free contrib
#deb-src http://security.kali.org/kali-security kali/updates main contrib non-free
#deb http://repo.kali.org/kali kali-bleeding-edge main - This will install the kernel 3.18 headers you have to work with this...

# With the bleeding edg…