Monday, October 28, 2013

This morning I read this on the AlienVault blog: "Google was flagging the php.net website as potentially harmful".

It is really interesting because if you can spread malware from php.net, which according to Alexa is the 228th most visited site in the world, you will be able to infect millions of computers.

Currently we can't analyze the php.net website because the page which was hosting the malicious code has been removed, but the guys from Barracuda have published a PCAP file taken from a computer which visited this website and was infected.

If we upload the PCAP file to VirusTotal we can see the URLs which were visited by the infected computer in the "File details" section. You can see the report of this PCAP file here:




We can see that the www.php.net website was visited. If we open the PCAP file with Wireshark and use "Follow TCP Stream" on the request for www.php.net/userprefs.js, we can see the script with the obfuscated code in the picture below. (This malicious code has been removed from the website.)


The guys from AlienVault have decoded the script. Here they have published the picture below with the deobfuscated code. We can see that an IFRAME with a 10x10px size, which redirects the connection to another website, was available on the php.net site.


If we follow in Wireshark the link contained in the IFRAME in the picture above, we can see how the code tries to get information about the computer. It wants to know whether the browser has the Java or Adobe Reader plugins installed and enabled.


The next URL to which the computer is redirected is /PluginDetect_All.js. In the payload of this connection we can see that the hackers are using PluginDetect in order to detect the browser plugins.


In the PCAP file we can see how the computer sends a POST request telling the website whether it has the Java or Adobe Reader plugin enabled. Then the web browser is redirected again.


The connection is redirected again to another site...


...where there is another iframe...


...to this site...


...which is the last site visited before a malicious executable is detected.

The next URL which was visited is marked in bold in VirusTotal. This means that the files that were downloaded are categorized as malware by some antivirus engines.


If we click on the sha256 link...


...we can see that these executables are categorized as malicious.


Now the computer is infected. The first network connection that the malware makes is to visit a website hosting a JavaScript that detects the computer's location.



If we check the next network connections, we can see a lot of them using port 16471/UDP. This port is usually used by the ZeroAccess Trojan. At the bottom of this post you will find links to other posts with analyses of this Trojan.
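One way to check a capture for this pattern without opening Wireshark, as an added example that is not part of the original post: a small classic-pcap reader that lists, per source host, the distinct peers contacted on UDP port 16471. The function names, the `min_peers` threshold and the sample capture are assumptions made for the example; the capture is constructed and uses documentation-range addresses.

```python
import socket
import struct
from collections import defaultdict

ZEROACCESS_PORT = 16471  # UDP port named in the post

def udp_peers(pcap, port=ZEROACCESS_PORT):
    """Map each source IP to the set of peers it contacted on UDP/<port>."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    peers, off = defaultdict(set), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(end + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN tags and IPv6 are out of scope here)
        ihl = (frame[14] & 0x0F) * 4
        fragment = struct.unpack_from("!H", frame, 20)[0] & 0x1FFF
        if frame[23] != 17 or fragment or len(frame) < 14 + ihl + 8:
            continue  # not UDP, or no UDP header in this frame
        if struct.unpack_from("!H", frame, 14 + ihl + 2)[0] == port:
            src, dst = frame[26:30], frame[30:34]
            peers[socket.inet_ntoa(src)].add(socket.inet_ntoa(dst))
    return dict(peers)

def suspected_hosts(pcap, min_peers=3):
    """Hosts talking to at least min_peers distinct peers (assumed threshold)."""
    return sorted(h for h, p in udp_peers(pcap).items() if len(p) >= min_peers)

def _frame(src, dst, proto, dport):
    """Constructed Ethernet/IPv4 frame with an 8-byte transport header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\0" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed capture: one host probing three peers, plus unrelated traffic.
SAMPLE = _pcap(
    [_frame("192.0.2.10", f"198.51.100.{i}", 17, 16471) for i in (1, 2, 3)]
    + [_frame("192.0.2.10", "198.51.100.53", 17, 53),     # DNS, ignored
       _frame("192.0.2.20", "198.51.100.1", 6, 16471),    # TCP, ignored
       _frame("192.0.2.30", "198.51.100.9", 17, 16471)])  # single peer only
```

To run it on a real capture, pass the file's bytes to `suspected_hosts`; a single host fanning out to many peers on this port is the signal worth investigating.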


If we look at the Snort alerts, we can see the security events detected by this IDS. We can see that it has detected the ZeroAccess Trojan and other interesting events.


CONCLUSION

If we trust the PCAP file that Barracuda offers us, we can tell that www.php.net was compromised. The hackers uploaded a JavaScript to this site which redirects to another one where there was a web plugin detector. Depending on which browser plugins are enabled on the computer, the website could redirect you to a Java or Adobe Reader exploit. Then, after exploiting the vulnerability, a trojan that seems to be the ZeroAccess trojan is downloaded and installed. It seems that this trojan is focused on click fraud.


You can learn more about ZeroAccess Trojan here:

http://www.behindthefirewalls.com/2013/06/zeroaccess-trojan-network-analysis-part.html

http://www.behindthefirewalls.com/2013/06/zeroaccess-network-analysis-part-ii.html

http://www.behindthefirewalls.com/2013/06/detecting-zeroaccess-in-your-network.html

http://www.behindthefirewalls.com/2013/04/trying-avoid-callbacks-to-botnet-using.html


Great info:

http://www.alienvault.com/open-threat-exchange/blog/phpnet-potentially-compromised-and-redirecting-to-an-exploit-kit

http://news.netcraft.com/archives/2013/10/24/php-net-blocked-by-google-false-positive-or-not.html

http://barracudalabs.com/2013/10/php-net-compromise/

http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf 


Posted on Monday, October 28, 2013 by Javier Nieto


Monday, October 21, 2013

Some days ago, I discovered in my network a computer trying to make connections through a port which is not allowed in my next generation firewall. I located the suspicious host and I began to look for malicious processes running on it. Thanks to Process Explorer I swiftly discovered that a VBS (Visual Basic Script) was running on the computer.

I found the script in the Windows file system and when I opened it, I could see the code below.



It appears that the file was encoded, but it is not a normal Base64 encoding... Staring at the file, I found some strings at the bottom of the file which were not encoded...



We know that Base64 uses a character to indicate padding, which is often "=". In the picture above we can see a lot of "==" characters followed by "-". It is as if it were not a single encoded string, but multiple strings encoded one by one and separated by "-"... could this be possible?

On the website www.base64decode.org we can decode Base64 strings. If we decode the Base64 string "Jw==" we can see it corresponds to the ASCII string " ' ". If, for example, we decode the Base64 string "DQ==" we can see it corresponds to the ASCII string " d "... OK, we know how to decode the script... Each Base64 string is separated by a "-" and corresponds to a single character. But how can we decode it quickly?

The first thing I thought of was to write another script to decode the first one, but I chose to get there another way... If I used Notepad to replace the character " - " with a line break, I would have a document with one line for each Base64 string, like in the picture below.


Now, we can decode all coded strings by just executing a Linux command.
base64 -d script_to_decode.vbs



We can see the entire script decoded and now we can continue researching the malware behaviour. Reading the code, I could say that this script is used to connect to the command and control server in order to download instructions and upload data from the infected computer.
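The per-character decoding described above can also be done with a short script, shown here as an added example that is not part of the original post. The function names and the sample are assumptions: the sample is constructed from a harmless VBScript line, and tokens that are not Base64 for exactly one byte are set aside, like the plain strings seen at the bottom of the file.

```python
import base64
import binascii

def decode_dashed_base64(blob):
    """Decode text made of one-byte Base64 tokens joined by '-'.

    Returns (decoded_text, leftovers). A token that is not valid Base64 for
    exactly one byte is kept verbatim in leftovers, like the plain strings
    seen at the bottom of the file.
    """
    decoded, leftovers = [], []
    # '-' is not in the standard Base64 alphabet, so splitting on it is safe.
    for token in blob.split("-"):
        token = token.strip()
        if not token:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) == 1:
            decoded.append(raw.decode("latin-1"))
        else:
            leftovers.append(token)
    return "".join(decoded), leftovers

def encode_dashed_base64(text):
    """Inverse transform, used here only to build the constructed sample."""
    return "-".join(base64.b64encode(c.encode("latin-1")).decode("ascii") for c in text)

# Constructed sample: a harmless VBScript line plus two unencoded trailing words.
SAMPLE = encode_dashed_base64('MsgBox "test"\r\n') + "-\r\nexecute-Eval"

if __name__ == "__main__":
    text, rest = decode_dashed_base64(SAMPLE)
    print(repr(text), rest)
```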

To continue researching the malware, we could change the hostname to another one where we would have a computer listening on port 8088. We would receive the HTTP GET or POST requests from the infected computer. Doing that, we would know what commands are used in this botnet without needing to do an advanced static analysis.


Posted on Monday, October 21, 2013 by Javier Nieto


Tuesday, October 15, 2013

If you have not read the previous post of this topic, you can see it here: Static analysis of a packed malware sample with Cuckoo Part1

In the second post on this topic, I am going to talk about how to research some of the imports that we have got, to try to figure out what the malware does. Notice it is really difficult to know exactly what the program does by performing only a basic static analysis, but it offers us a real insight into its goal.

To see the imports that I am going to talk about, you can visit the Cuckoo report of the unpacked sample here and go to the Static Analysis section.

Library KERNEL32.DLL

We can see an import called CreateProcessW, which is able to create new processes.

The VirtualAllocEx and WriteProcessMemory imports hint that it will deal with some form of process injection.
 
A lot of APIs related to file management can be seen. This program can read, write, create files...


With the FindFirstFileW and FindNextFileW APIs the program searches in the filesystem and copies files.

IsDebuggerPresent: This API detects whether the program is being debugged and, if it is, the program can change its behaviour... It is common to find this API in malware samples... With this technique the malware developers try to make the malware analyst’s task more difficult.

Library ADVAPI32.dll

Here we can see that the program calls the functions below in order to create, edit or remove registry keys:


COMCTL32.dll and GDI32

These imports are related to the use of images...

ImageList_Create, ImageList_Remove, ImageList_Destroy, ExtCreatePen, SetPixel ...

MPR.dll

These imports are related to network connections. Two of them draw our attention.

  • WNetGetConnectionW: This import retrieves the name of the network resource associated with a local device and takes three parameters: lpLocalName, lpRemoteName and lpnLength.
  • WNetGetConnectionW: This import makes a connection to a network resource and can redirect a local device to the network resource.

USER32.dll

This DLL is involved in the management of user-interface components like buttons, scroll bars, etc...

WININET.dll

With this DLL the program could implement high-level network functions like FTP or HTTP.

The program could be able to read files just downloaded from the Internet. It could also make requests to a URL as if it were a browser.


I want to highlight these two imports:

  • FtpOpenFileW: "This function initiates access to a remote file for writing or reading."
  • FtpGetFileSize: "This function retrieves the file size of the requested FTP resource."

But why am I highlighting these imports? If we run this malware sample on a lab machine which is running a sniffer, we could get the username and password of the remote FTP server (if it has one) which the malware connects to in order to upload or download information. Notice the FTP protocol sends the username and password to the server through the network in clear text... It could be really interesting...

WSOCK32.dll

It is a network DLL but we cannot see the imports. We would need to research in depth...

CONCLUSION

As mentioned above, it is really difficult to know what the malware does with only a basic analysis, but here is what we can say about the sample we have analyzed...

  1. It is a malware sample because the majority of the anti-virus vendors have detected it as a Backdoor.
  2. The malware developers try to hide the program's code by packing the file.
  3. The developer tries to make malware analysis a difficult task by using the IsDebuggerPresent API. (You can learn a trick about how to avoid being detected by the malware when you open the executable in a debugger).
  4. When the program is executed, it calls a lot of APIs in order to read and search files. Maybe the program steals private information by reading documents, or writes the passwords captured by a possible keylogger.
  5. It has graphical capabilities. It is possible that it has a GUI.
  6. Network resource API calls have been found in the malware imports. It is possible that the malware will try to steal information from our local network or try to infect other users through the shared resources.
  7. It has network functions such as HTTP and FTP. The malware could join a botnet and receive its orders through the Internet. Also, it is possible that the program uploads the data that has been stolen via HTTP or FTP to the hacker's servers.

Posted on Tuesday, October 15, 2013 by Javier Nieto


Wednesday, October 09, 2013

Currently, I am really interested in malware behavior. I think it is essential to learn how malware is evolving if we want to fight this pest...

In this post I am going to talk about some steps to perform a Basic Static Analysis of a malware sample. We will also see some techniques used by malware developers to try to hide their malicious activities from anti-virus systems and to hinder the malware analyst's tasks.

We can use tools like Dependency Walker, PEview, PEBrowse Professional, PE Header Summary to achieve our goal but in this post we will use Cuckoo Sandbox.

Cuckoo Sandbox offers us more features than the tools mentioned above, like Behavioral Analysis, Network Analysis...

You have two options: install Cuckoo on your computer or use the free online version here https://malwr.com/. If you choose the second option, I recommend that you register on their website because you will get more details about your malware, like traffic captures...

OK. Let's go. I have submitted the sample to the Cuckoo website. You can see the report here. If someone wants the sample, just let me know... It is called sexe-online.exe.

Remember, in this post I am going to talk only about the Static Analysis. For this, we will go to this section in the report above.

First of all, we can see that this file has been recognized by the majority of the anti-virus systems...



Now we need to go to the Static Analysis section. Here we can see that this file has three sections: UPX0, UPX1 and .rsrc.



We can check that this file has been compressed with UPX. You can see the file has no size on disk (RAW DATA = 0x00000000) but it has size in memory when it uncompresses itself (VIRTUAL ADDRESS = 0x00001000).

Part of the malware's code is packed in order to obfuscate it. This makes it difficult to detect and analyze.
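The same check can be scripted against the PE section table, shown here as an added example that is not part of the original post or of Cuckoo. The function names are assumptions, and the sample is a constructed header-only image: it reuses the UPX0 and UPX1 section names from the report, while the third section and all sizes are made-up values.

```python
import struct

def pe_sections(data):
    """Return (name, virtual_size, virtual_address, raw_size) per PE section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    count = struct.unpack_from("<H", data, pe + 4 + 2)[0]
    opt_size = struct.unpack_from("<H", data, pe + 4 + 16)[0]
    table = pe + 4 + 20 + opt_size
    rows = []
    for i in range(count):
        name, vsize, vaddr, raw = struct.unpack_from("<8sIII", data, table + 40 * i)
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, raw))
    return rows

def packing_hints(rows):
    """List the on-disk/in-memory mismatches that suggest a packed file."""
    hints = []
    for name, vsize, vaddr, raw in rows:
        if name.upper().startswith("UPX"):
            hints.append((name, "UPX section name"))
        if raw == 0 and vsize > 0:
            hints.append((name, "no raw data on disk, filled at run time"))
    return hints

def _sample_pe():
    """Constructed header-only image; not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)
    rows = [(b"UPX0", 0x8000, 0x1000, 0),       # sizes are made-up values
            (b"UPX1", 0x4000, 0x9000, 0x3E00),
            (b".rsrc", 0x1000, 0xD000, 0x0800)]
    table = b"".join(struct.pack("<8sIII", *r) + b"\0" * 20 for r in rows)
    return dos + b"PE\0\0" + coff + table

SAMPLE = _sample_pe()
```

A section with zero raw size and a non-zero virtual size is not proof of packing on its own (a `.bss` section looks the same), so treat the hints as a reason to look closer.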

If we go to the "Strings" section, we cannot see a lot of readable strings...



If we go back to the Static Analysis section, we can see few imports because the file is packed. The few imports that we can see are related to packed code, like LoadLibrary and GetProcAddress, which allow a program to access any function in any library on the system.



If the sample is packed, we cannot get valuable information, so we will unpack the file in order to get access to all the imports and be able to analyze its behaviour. We can download here the UPX program to uncompress it.

I usually work with Linux. With the command below you can unpack the file and export it to a new one.



The executable called sexe-online_uncompress.exe has just been unpacked. We submit it to Cuckoo again and we will see how we get more details about it.

You can see the report of the unpacked sample here.

Now, the uncompressed file has the common PE sections:

  • .text: This section should contain the program's code.
  • .rdata: The .rdata section contains the import and export information.
  • .data: This section contains the program's global data.
  • .rsrc: This section usually contains the resources needed by the executable like images, icons...


If we go to the static analysis section, we can see that there are now a lot more imports...


With these imports we can figure out what the malware sample does... Just by clicking on the import name, we will be redirected to the Microsoft Developer Network where we can find useful information...

You can continue reading about this Basic Static Analysis example in the next post, which will be published in a few days, where we are going to try to figure out what the malware activity is.


Continue reading here: Static analysis of a packed malware sample with Cuckoo Part2


Posted on Wednesday, October 09, 2013 by Javier Nieto


Monday, October 07, 2013

Virustotal is a free online service that analyzes files and URLs in order to detect viruses, worms, trojans and other kinds of malware using a lot of anti-virus engines and website scanners.

Currently, when you upload a file in order to check whether it could be malicious, Virustotal compares it with the anti-virus signatures of the security vendors below:

Agnitum, AhnLab-V3, AntiVir, Antiy-AVL, Avast, AVG, Baidu-International, BitDefender, Bkav, ByteHero, CAT-QuickHeal, ClamAV, Commtouch, Comodo, DrWeb, Emsisoft, ESET-NOD32, F-Prot, F-Secure, Fortinet, GData, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kaspersky, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, Microsoft, MicroWorld-eScan, NANO-Antivirus, Norman, nProtect, Panda, PCTools, Rising, Sophos, SUPERAntiSpyware, Symantec, TheHacker, TotalDefense, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot.

In my opinion, the only bad thing about this service is that Virustotal doesn't give us the option of not sharing the sample with the anti-virus vendors. If you are developing your own malware (I hope you don't do that) or you are researching a new sample and you upload it to Virustotal, you are sharing your files with the anti-virus companies and you will lose exclusivity.

I know the majority of you have worked with Virustotal but... Do you know all its features?

Here, I'm going to show you the majority of Virustotal features and some tricks.

How to work with Virustotal:




 










  • Also, if you open VirusTotal Uploader from Start -> All programs -> VirusTotal Uploader 2.0 you will be able to select a process running on your computer and upload it to Virustotal in order to check whether it is a malicious process or not.






  • Also, with VTzilla, Virustotal installs a toolbar in your Firefox browser. Here you can look for viruses, hashes or scan the site you are currently visiting.



  • Virustotal app for mobile. With this tool, you can find out whether the applications installed on your mobile are detected by some anti-virus. You only need to install it and just open it.



  • Email: Send an email to scan@virustotal.com with the suspicious file attached. You should write "SCAN" in the subject field if you want to receive the results in plain text. If you want to receive the result in XML format, you should write SCAN+XML in the subject field. (Maximum file size: 32M)



  • Public API: You can upload files to Virustotal without needing to use the web browser. It allows you to build your own scripts to work with Virustotal automatically. Nmap has a script that helps you to look for a hash in the Virustotal database from the command line interface, but first of all you need to obtain your API key. To get it, you need to register at the Virustotal website. You can see the key in your user profile. Remember this service must not be used in commercial products or services.



nmap --script http-virustotal --script-args='apikey="key",checksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"'




Virustotal offers us other valuable information. In the "File Detail" section you can see the file's details below:

  • PE signature block.
  • PE header basic information.
  • PE sections.
  • PE imports.
  • Number of PE resources by type.
  • Number of PE resources by language.
  • ExifTool file metadata.

I don't want to dig into this information in this post because in future posts I'm going to talk about the basic steps to start analyzing malware behaviour.


Posted on Monday, October 07, 2013 by Javier Nieto
