Archive for the 'Uncategorized' Category
BHatUSA Microsoft Party invitation
To my big surprise I received an invitation for the BlackHat USA Microsoft party on Thursday at the Hard Rock Hotel. Official statement in the email: The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft products and online services safer by finding and reporting security vulnerabilities. In recognition of your efforts, you are cordially invited to our Microsoft Security Appreciation Reception at Black Hat USA 2010 hosted by the MSRC and Ecosystem Strategy Team (MSRC EcoStrat).
Thanks guys, really an honour and see you there next week!
Malware analysis with IOactive Malnet two
At day two of the HITB conference in Amsterdam, I decided to go for some hands-on. An interesting lab was offered by IOactive's Wes Brown. Wes is a security researcher and malware analyst who has analyzed thousands of samples.
Wes handed over a bootable cd-rom based on QEMU with Malnet 2 for the labs.
Why analyze malware? To better understand threats against our networks and to develop countermeasures. Some people analyze malware to create better malware.
Compared to the past, it's now all about exploiting the human. The goal is to get the injection in. Attacking is done through social networks and torrents/p2p.
A good malware analyst needs:
- Mindset: meticulous data collection, logical processes, thinks outside the box, tenacious
- Technical: good systems understanding, good understanding of programming, some reverse engineering skills
- Attitude: ties into the motivations discussed earlier
We really need to understand the perspective of malware. There are cultural assumptions about what malware is; we need to flag what it actually is.
To build a malware lab, a good start is to virtualize it and use VMware. On the other hand, some malware has built-in detection for VMware. For Malnet, they decided to use QEMU. The cool virtualization tricks are: serial debugging, copy on write, memory imaging and fast reversion of images for analyzing thousands of samples a day.
Using QEMU with qcow2 block compression and nLite takes Windows XP and creates a small VM.
Why automate malware analysis?
There are too many samples to analyze manually: recent days have seen 10,000 executables with unique MD5 checksums per day, while a good malware analyst can manually analyze only a few dozen a day at most. Automation ensures consistency of results, and consistent results can be stored in a database. The database can then be searched for interesting or relevant malware to analyze, so the analysis can all happen from the database.
Static Forensics Basics
A lot can be determined without ever running the malware sample, and this is less costly. Static forensics can be conducted in a matter of seconds. Other basics:
• PE file forensics: section headers; the entropy of each section can be measured.
• Disassembly of malware: diStorm, a stream disassembler; IDA Pro in batch mode is better.
• Strings dump of Malware
Unimplemented: Signed Executables
• Looking at the signature, description, and publisher on an executable is a key part of static forensics.
• Malware often masquerades as prominent publisher updates or executables.
• By building a corpus of valid white-listed files, we can use a database to compare samples against.
• For example, if malware masquerades as a DirectX installer: is it signed? What are the publisher and version fields? Do we have valid installers from the same publisher?
• Unimplemented because there are no easy native Linux tools to examine this data.
Probably will implement for v1.2 of LiveCD.
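As an added illustration of the PE section-header and section-entropy checks described above (my own example code, not part of Malnet or the original post): it walks the section table of a constructed minimal PE image and flags sections whose byte entropy suggests packed or encrypted content. The sample image and the 7.0 threshold are assumptions for the demo.

```python
import math
import random
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty data, 8.0 maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_section_entropy(pe: bytes) -> dict:
    """Walk the PE section table and return {name: (SizeOfRawData, entropy)}.
    Reads e_lfanew at 0x3C, the PE signature, NumberOfSections and
    SizeOfOptionalHeader from the COFF header, then each 40-byte section header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = {}
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        out[name] = (raw_size, round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2))
    return out

def packed_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests packed or encrypted content."""
    return [n for n, (_, ent) in pe_section_entropy(pe).items() if ent >= threshold]

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (headers plus two sections, not runnable code):
    '.text' holds repetitive bytes, 'UPX1' holds pseudo-random bytes like a packed section."""
    text = b"MOV EAX, 1; " * 40
    packed = random.Random(1337).getrandbits(8 * 2048).to_bytes(2048, "big")
    raw_start = 0x40 + 4 + 20 + 2 * 40            # first byte after the headers
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew points at "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sec = "<8sIIIIIIHHI"                           # IMAGE_SECTION_HEADER layout
    s1 = struct.pack(sec, b".text", len(text), 0x1000, len(text), raw_start, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(sec, b"UPX1", len(packed), 0x2000, len(packed),
                     raw_start + len(text), 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\x00\x00" + coff + s1 + s2 + text + packed
```

On a real sample, read the file bytes instead of calling build_sample_pe(); the same two functions apply unchanged.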
Dynamic Forensics Basics
We actually run the malware sample inside a contained environment.
Run inside a QEMU VM: screenshots, memory dump, copy-on-write file.
Examine changes: registry dump, copy-on-write file, network packet capture.
The Malnet 2 cd-rom features some great analysis tools and features:
- screendump commands
- memorydump commands
- snapshot commands
- md5sum support
- pcap network forensic analysis tools like Wireshark, tshark and Chaosreader.pl
- registry dumps
- copy on write files
By using the open source memory forensics tool Volatility, you can dump e.g. the processes and network connections that were live on the machine at the moment the memory dump was taken.
For running malware in a VM there is a golden rule of five minutes.
After the theory and Wes's small demonstrations, time for hands-on. Really a great session!
Opening HITBAms2010 Rob Gonggrijp
Rob uses a metaphor about building a bridge and critical infrastructure getting online. He talks about the cyber czar and the Obama shut-down-the-internet button. For the time being, you are in charge of making sure no big computer breakdowns happen.
HITB conference 1 & 2 July Amsterdam
At the end of this week the HITB conference will be held in Europe. Amsterdam is the place to be and I will attend this conference. I think my schedule for this conference will be:

Day 1
- Welcome & Keynote
- Breaking Virtualization by switching to Virtual 8086 mode – Jonathan Brossard
- From Russia with Love 2.0 – Fyodor & The Grugq
- Web in the middle-attacking clients – Laurent Oudot
- JIT-spray & advanced shellcode – Alexey Sintsov
- Having fun with Apple’s IOkit – Ilja van Sprundel
Day 2
- Keynote 2
- Malware Analysis Lab
- Subverting Windows 7 x64 Kernel with DMA attacks – Christophe Devine & Damien Aumaitre
- Top 10 Web 2.0 attacks – Shreeraj Shah
- The traveling Hacksmith 2009/2010 – Saumil Shah
BlackHat USA CFP accepted
Yesterday evening I received an email asking if I would like to speak at BHat USA about my topic 'forensic research/security of virtual environments'. Really appreciate it and I'm thankful to Him for giving me this chance and opportunity to meet great people in Vegas.

VM security review of BHat paper virtual forensics
J. D. Durick is discussing my BHat paper on his website:
Thanks for the comments and compliments! Really appreciate it!
C.
Paper: introduction to file carving
This paper was written a while ago and formed the basis of a File Carving workshop held at ITUnderground 2009.
Have fun with it, and if you'd like to do some research: go file carving on VMs provided by vendors. The results can be quite fun.
If you have found some nice results, please share them with the community and I will publish them on the blog.
Black Hat Planning
A couple of days to go and then up to Black Hat in Barcelona. Paper and presentation were delivered on time after some stressful moments.
Reading through this year's schedule, there are several interesting talks, but I have to make a selection. I intend to attend the following:
Day 1:
# Cyber[Crime|War] Charting dangerous waters (Iftach Ian Amit)
# Unveiling Maltego 3.0 (Roelof Temmingh)
# Fireshark (Stephan Chenette) or Next Generation Clickjacking (Paul Stone)
# SAP Backdoors: A ghost at the heart of your business (Mariano Nuñez Di Croce)
# Attacking JAVA Serialized Communication (Manish Saindane)
# Reception
Day 2:
# Practical Crypto Attacks Against Web Applications (Thai Duong & Juliano Rizzo)
# Hiding in the Familiar: Steganography and Vulnerabilities in Popular Archives Formats
(Mario Vuksan, Tomislav Pericin & Brian Karney)
# Oracle, Interrupted: Stealing Sessions and Credentials (Steve Ocepak & Wendel G. Henrique)
# 0-knowledge Fuzzing (Vincenzo Lozzo)
# Virtual Forensics………………………….
If you're going to be in Barcelona I hope to meet you and have some interesting talks.
iPhone in Field Test mode
For all phreakers: if you type the following code on your iPhone you can enter Field Test mode.
*3001#12345#*
After this you can read the GSM cell data from the menu:
- MM info
- UMTS Cell Environment
- PDP Context list
- GSM Cell Environment
Have Phun!
JS/trojan redir analysis
Last weekend a couple of friends asked me to look after their websites; they got complaints from users that their antivirus software started alerting when visiting the sites. So, starting up my malware research machine, I used McAfee FileInsight to go over the website. My AV (NOD32) went crazy and alerts popped up.
It looked as if all index.html and index.php files were infected.
When analyzing these pages I discovered obfuscated script code at the bottom of the source code.
Submitting this code to VirusTotal, I got the following response:
S/TrojanDownloader.Agent.NRO trojan – NOD32
Trojan-Downloader.JS.Pegel.c – Kaspersky
MD5 : f6040c041562a481ea0b4d6a79d0ca49
After cleaning the index.* files I did a last check and downloaded the website's folder to see whether I had forgotten to check some files; my AV again gave full alerts, now on all *.js files, which were infected too.
OK, analyzing time: what is this trojan doing?
It injects hidden iframes with all kinds of URLs referring to different sites.
Example:
hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/
hxxp://wowhead-com.gougou.com.redtube-com.viewhomesale .ru:8080/58.com/58.com/google.com/rediff.com/uol.com.br/
hxxp://it168-com.sky.com.xe-com.viewhomesale .ru:8080/google.com/google.com/pagesjaunes.fr/sify.com/nate.com/
hxxp://seznam-cz.king.com.boston-com.viewhomesale .ru:8080/linkedin.com/linkedin.com
UPDATE: thanks Herzel for pointing me to your blog; here are some screenshots of the code analysis:
Earlier variations of this malware were already detected, but this variant uses code obfuscation and has two ways to spread:
- inserting script code at the bottom of index.html and index.php files
- attaching/inserting itself into *.js files
Word has been spread that the Gumblar team is responsible for this virus.
Affected websites should:
* Delete infected files or restore them from backup.
* Patch all software on the box.
* Change all passwords, especially FTP ones.
* Review logs.
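The two infection markers described in this post, a hidden iframe and an obfuscated script appended to the bottom of index.html, index.php and *.js files, can be hunted across a downloaded web root with a small scanner. This is my own example code, not the tooling from the post; the regexes, the length and escape-count thresholds, and the sample files with their placeholder host are assumptions.

```python
import re

# My own heuristics for the two markers the post describes: a hidden iframe
# and an obfuscated script appended to the bottom of a file.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
OBFUSCATION = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(")
SCAN_EXT = (".html", ".htm", ".php", ".js")   # the file types the post saw infected

def scan_text(text: str) -> list:
    """Return the reasons a file's content looks injected (empty list = clean)."""
    reasons = []
    if HIDDEN_IFRAME.search(text):
        reasons.append("hidden iframe")
    # The injection is appended as one long line at the end of the file, so only
    # the last few lines are checked for a long or escape-heavy obfuscated call.
    for line in text.rstrip().splitlines()[-5:]:
        escapes = line.count("%") + line.count("\\x")
        if OBFUSCATION.search(line) and (len(line) > 300 or escapes > 20):
            reasons.append("obfuscated script at end of file")
            break
    return reasons

def scan_files(files: dict) -> dict:
    """Map path -> reasons for every file with a scanned extension that looks
    injected. `files` is {relative path: content}; a real run fills it from
    os.walk over the downloaded web root."""
    return {path: hits for path, body in files.items()
            if path.lower().endswith(SCAN_EXT) and (hits := scan_text(body))}

# Constructed sample web root; the iframe host is a placeholder, not the real URLs.
SAMPLES = {
    "index.html": "<html><body><p>Welcome</p></body></html>\n<script>eval(unescape('"
                  + "%3c%69%66%72%61%6d%65" * 30 + "'))</script>",
    "index.php": "<?php echo 'hi'; ?>\n<iframe src=\"http://example.invalid/x\" "
                 "width=\"0\" height=\"0\" style=\"visibility:hidden\"></iframe>",
    "js/app.js": "function hello(){ return 'clean'; }\n",
    "notes.txt": "eval(unescape('%41')) -- extension is not scanned\n",
}
```

Files flagged by scan_files are candidates for the "delete or restore from backup" step; the heuristics will also fire on legitimately minified scripts, so review each hit before acting.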
