
Friday, 4 April 2014

Pyew The Python Malware Analysis Tool


Pyew is a command-line Python tool for analysing malware. It supports hexadecimal viewing, disassembly (Intel 16-, 32- and 64-bit), the PE and ELF file formats (it performs code analysis and lets you write scripts against an API to carry out many kinds of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references, and supports the OLE2 format, the PDF format and more. It also supports plugins to add further features to the tool.

PE Analysis
Take the sample with MD5 b6bd1640dcbd7b81970f8e4606b215e1. Simply open it with Pyew:

$ pyew b6bd1640dcbd7b81970f8e4606b215e1
PE Information
Sections:
   UPX0     0x1000    0x40000   0
   UPX1     0x41000   0x2f000   191488
   .rsrc    0x70000   0x2000    7680

Entry Point at 0x2ede0
Virtual Address is 0x46f9e0
Code Analysis ...

                                                                                                   
0000   4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00    MZP.............
0010   B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00    ................
0040   BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00    in32..$7........
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0100   50 45 00 00 4C 01 03 00 EB BF 70 4B 00 00 00 00    PE..L.....pK....
0110   00 00 00 00 E0 00 8F 81 0B 01 02 19 00 F0 02 00    ................
0120   00 20 00 00 00 00 04 00 E0 F9 06 00 00 10 04 00    . ..............
0130   00 00 07 00 00 00 40 00 00 10 00 00 00 02 00 00    ......@.........
0140   04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    ................
0150   00 20 07 00 00 10 00 00 00 00 00 00 02 00 00 00    . ..............
0160   00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00    .....@..........
0170   00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
0180   48 1A 07 00 C4 01 00 00 00 00 07 00 48 1A 00 00    H...........H...
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01C0   98 FB 06 00 18 00 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01F0   00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00    ........UPX0....

When a PE file is opened with Pyew it starts the code analysis, shows the section names and the hexadecimal dump of the first block. Judging from the first block and the section names, the file seems to be packed with UPX, but to be sure we can check with Pyew by executing the command "packer":
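To show where the section table, the entry point and the "looks like UPX" guess above actually come from, here is a small PE32 header parser written for this article as an added example (it is not Pyew's code). It reads the DOS header pointer, the COFF and optional headers and the section table, translates the entry-point RVA to a file offset the way the "Entry Point at" line does, and applies two cheap packer heuristics: well-known packer section names, and an executable section that is large in memory but empty on disk. The sample image it parses is constructed in code from the header values visible in the dump above (section names, sizes, entry point, image base 0x400000); it contains no code bytes, and the set of packer section names beyond UPX0/UPX1 is my own short list.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Section names that well-known packers leave behind; UPX0/UPX1 is what the sample shows.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1", ".MPRESS2"}


def parse_pe(data):
    """Read the DOS header pointer, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example only handles PE32 (32-bit) images")
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, rawptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": fields[9]})
    return {"machine": machine, "image_base": image_base, "ep_rva": ep_rva,
            "ep_va": image_base + ep_rva,
            "ep_offset": rva_to_offset(sections, ep_rva), "sections": sections}


def rva_to_offset(sections, rva):
    """Translate a relative virtual address to a file offset via the section it falls in."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None


def packer_hints(pe):
    """Cheap heuristics of the kind a 'packer' command checks before signature matching."""
    hints = []
    for s in pe["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hints.append(f"section {s['name']!r} is a well-known packer section name")
        if s["rawsize"] == 0 and s["vsize"] >= 0x10000 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hints.append(f"section {s['name']!r} is executable and {s['vsize']:#x} bytes "
                         "in memory but empty on disk: a typical unpacking target")
    return hints


def print_summary(pe):
    """Mirror the layout Pyew prints: name, virtual address, virtual size, raw size."""
    print("Sections:")
    for s in pe["sections"]:
        print(f"   {s['name']:<8} {s['va']:#x} {s['vsize']:#x} {s['rawsize']}")
    print(f"Entry Point at {pe['ep_offset']:#x}")
    print(f"Virtual Address is {pe['ep_va']:#x}")
    for hint in packer_hints(pe):
        print("hint:", hint)


def _section(name, vsize, va, rawsize, rawptr, chars):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_sample_pe():
    """Constructed header-only image reproducing the values of the UPX-packed sample's
    dump (3 sections, EP RVA 0x6f9e0, image base 0x400000); no code bytes are included."""
    dos = bytearray(0x100)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x100)                     # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x818F)
    opt = bytearray(0xE0)
    # Magic, linker major/minor, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData
    struct.pack_into("<HBBIIIIII", opt, 0, 0x10B, 2, 0x19, 0x2F000, 0x2000, 0x40000,
                     0x6F9E0, 0x41000, 0x70000)
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    secs = (_section(b"UPX0", 0x40000, 0x1000, 0, 0x400, 0xE00000A0)
            + _section(b"UPX1", 0x2F000, 0x41000, 191488, 0x400, 0xE0000040)
            + _section(b".rsrc", 0x2000, 0x70000, 7680, 0x400 + 191488, 0xC0000040))
    return bytes(dos) + coff + bytes(opt) + secs


if __name__ == "__main__":
    print_summary(parse_pe(build_sample_pe()))
```

Run it and the summary matches the Pyew output above: the entry point RVA 0x6f9e0 lies in UPX1, so its file offset is 0x6f9e0 - 0x41000 + 0x400 = 0x2ede0, and UPX0 (0x40000 bytes in memory, 0 on disk, executable) is flagged as the region the stub unpacks into. The Delphi sample later in the post would produce no hints from these two checks, which is exactly why a signature database like the one behind the "packer" command is still needed for identification.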

[0x00000000]> packer
MSLRH V0.31 -> emadicius
UPX -> www.upx.sourceforge.net

Anyway, just to be sure, we will check how many functions Pyew found and the code at the entry point:


[0x00000000]> print len(pyew.functions)
2
[0x00000000]> s ep
[0x0002ede0:0x0046f9e0]> c
0x0002ede0 ; FUNCTION start
0x0002ede0 (01) 60                      PUSHA
0x0002ede1 (05) be 00104400             MOV ESI, 0x441000
0x0002ede6 (06) 8dbe 0000fcff           LEA EDI, [ESI-0x40000]
0x0002edec (0a) c787 88570500 047424b6  MOV DWORD [EDI+0x55788], 0xb6247404
0x0002edf6 (01) 57                      PUSH EDI
0x0002edf7 (03) 83cd ff                 OR EBP, -0x1
0x0002edfa (02) eb 0e                   JMP 0x0002ee0a     ; 1
0x0002edfa ----------------------------------------------------------------------
0x0002edfc (01) 90                      NOP
0x0002edfd (01) 90                      NOP
0x0002edfe (01) 90                      NOP
0x0002edff (01) 90                      NOP

Yes, it's a UPX-packed file. I will unpack it with the upx tool and open the unpacked sample (MD5 fdbfe5494841163e7e74b0e541584d47):
$ pyew fdbfe5494841163e7e74b0e541584d47
PE Information
Sections:
   .text    0x1000    0x53740   342016
   .itext   0x55000   0x774     2048
   .data    0x56000   0x1aac    7168
   .bss     0x58000   0x4cd0    0
   .idata   0x5d000   0x24d6    9728
   .tls     0x60000   0x34      0
   .rdata   0x61000   0x18      512
   .reloc   0x62000   0x5890    23040
   .rsrc    0x68000   0x4800    18432

Entry Point at 0x54314
Virtual Address is 0x455714
Code Analysis ...

                                                                               
0000   4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00    MZP.............
0010   B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00    ................
0040   BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00    in32..$7........
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0100   50 45 00 00 4C 01 09 00 EB BF 70 4B 00 00 00 00    PE..L.....pK....
0110   00 00 00 00 E0 00 8F 81 0B 01 02 19 00 40 05 00    .............@..
0120   00 E6 00 00 00 00 00 00 14 57 05 00 00 10 00 00    .........W......
0130   00 60 05 00 00 00 40 00 00 10 00 00 00 02 00 00    .`....@.........
0140   04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    ................
0150   00 D0 06 00 00 10 00 00 00 00 00 00 02 00 00 00    ................
0160   00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00    .....@..........
0170   00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
0180   00 D0 05 00 D6 24 00 00 00 80 06 00 00 48 00 00    .....$.......H..
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01C0   00 10 06 00 18 00 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01F0   00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00    .........text...

This sample appears not to be packed (a file packed several times over is very typical of malware), but we will check again with the command "packer" anyway:

[0x00000000]> packer
Borland Delphi 3.0 (???)
Borland Delphi 4.0
Borland Delphi v3.0
Borland Delphi v6.0 - v7.0
BobSoft Mini Delphi -> BoB / BobSoft

OK, it's a binary compiled with Delphi. I will check how many functions Pyew found:

[0x00000000]> len(pyew.functions)
191

Wow, a lot of functions! It's clear that the file is no longer packed. I will check whether any AV detects it using VirusTotal:

[0x00000000]> vt
File fdbfe5494841163e7e74b0e541584d47 with MD5 fdbfe5494841163e7e74b0e541584d47
-------------------------------------------------------------------------------
F-Secure                 : Trojan.Crypt.Delf.AH
NOD32                    : Win32/Spy.Banker.SYR
F-Prot                   : W32/Trojan2.MFIB
VIPRE                    : BehavesLike.Win32.Malware.wlk (mx-v)
Sophos                   : Mal/Behav-053
Norman                   : W32/Malware
VBA32                    : Trojan.Win32.Delf.tqg
Avast                    : Win32:Rootkit-gen
nProtect                 : Trojan.Crypt.Delf.AH
GData                    : Trojan.Crypt.Delf.AH
Kaspersky                : Trojan.Win32.Delf.tqg
BitDefender              : Trojan.Crypt.Delf.AH
Jiangmin                 : Trojan/Delf.rqc
Command                  : W32/Trojan2.MFIB
Prevx                    : Medium Risk Malware
Antiy-AVL                : Trojan/Win32.Delf.gen
K7AntiVirus              : Trojan
AVG                      : Generic16.CMPF
Emsisoft                 : Trojan.Win32.Delf.tqg!A2
Avast5                   : Win32:Rootkit-gen
VirusBuster              : Trojan.Delf!/HJlkg0/NKU

Yes, several AVs detect it and name it Trojan Delf.

Download

Tuesday, 11 March 2014

BYOD: A Security Risk or A Matter of Employee Productivity




Wherever you go, you keep your device (smartphone, laptop, PDA) with you. As smartphones have evolved, the BYOD (Bring Your Own Device) trend has become popular in organizations. BYOD means employees bring their personal devices to the workplace and connect them to the secure corporate network. Organizations should therefore consider a BYOD policy to keep their employees secure and to help the IT department manage such devices. A properly implemented BYOD policy makes network security transparent by ensuring that employees still follow the company's governance policy and security parameters.

What does a BYOD policy include?

A BYOD policy comprises the security requirements for each personal device an employee uses in the organization. It covers device password configuration, a prohibition on installing unknown software, data encryption, limits on activities such as social-site engagement, email usage and carrying official data outside the workplace, and periodic IT audits to ensure compliance with the policy.

Why is a BYOD policy a must?

The more products and services become accessible via mobile platforms, the harder the security aspect becomes for both the organization and the employee.
If the organization does not adopt a policy for personal devices, the official data employees carry on their smartphones remains vulnerable. For example, when you are in a cafe using an unprotected Wi-Fi network, you might not be aware of the attacker who is monitoring your device and can read all the official data on it. Another example: if your son or daughter picks up your smartphone and innocently clicks a banner ad that carries data-stealing malware, the corporate information on your device is no longer safe. It is true that BYOD brings flexibility and accessibility, but it also brings security risks that help a cyber attacker swipe confidential data without your awareness.

Benefits of BYOD:

There are several benefits associated with BYOD from both the enterprise's and the employee's point of view.
  1. When employees use their own device for both personal and business purposes, productivity rises and frustration falls.
  2. The company is spared purchasing high-priced devices for employees, and employees take better care of their own devices.
  3. Employee flexibility increases: they can work remotely and do not need multiple devices while travelling from one place to another.
  4. Even job hunters give first preference to an organization that has a BYOD policy, so a well-defined policy helps recruiters hire top talent.

Disadvantages of BYOD:

Along with the benefits, there are several disadvantages to the BYOD concept.
  1. Data security is the main concern in BYOD. Employees can put an organization at risk if it does not enforce a strict policy on personal use of the device.
  2. When an employee leaves the company, retrieving official data and information is worrisome, because that data is quite important to the organization. A written, signed BYOD policy helps get confidential data back from a departing employee.
  3. Not all employees regularly update their devices with the latest hardware and software updates, so their devices remain exposed to the problems that current patches fix. Many do not even install antivirus on their smartphone, which is a serious concern and invites malware attacks.
  4. Employees should lock their devices. If a device is not protected with a password or biometric security, an unknown person can easily access the personal data on it.

What the above shows is that BYOD has two sides of a coin. If organizations follow a strict policy on personal use of the device, it will enhance employee efficiency. For that, the IT department should talk with employees and make them aware of the risks involved in infringing the BYOD policy.

About the Author:
Abel Wike is the head of the fraud prevention division at ClickSSL. She likes to focus on many security concepts, including data breach prevention, security research, data monitoring, etc.

Wednesday, 5 February 2014

Behavior Investigation Of Malware

Malware analysis is very important: whatever security tools we use, attackers may still get into our networks. Malware analysis is basically divided into two parts:

1. Behavioral Analysis
2. Code Analysis


This is the first part of malware analysis, i.e. behavioral analysis, which means we analyse the behavior of the malware and monitor its activities. Here is the list of tools you will need for behavioral analysis.

Requirements:
  • VMware server with XP installed
  • Regshot
  • Process Monitor
  • Process Explorer
  • Wireshark
  • CaptureBAT
  • Fake DNS

 Download them from here.

OK, let's start it right away.

First, take a snapshot of the state of the machine's file system and registry. This lets you quickly see what major changes have occurred on the system after you infect it. Use "Regshot" for this: enable the "Scan dir1" option, type "C:\" in the corresponding field, and click "1st shot".



After Regshot has taken the snapshot, run the malware with "Administrator" privileges so that the program gets the highest privileges it can. Interact with the program a bit to make it function. Then end the malicious program, click "2nd shot" in Regshot and click "Compare". You'll now see a report describing the major changes to the system's state. In this case, we see that a few files were added to the system.
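The file-system half of the "1st shot / run the specimen / 2nd shot / Compare" workflow is simple enough to script, which is handy when Regshot is not at hand or when you want the diff in machine-readable form. The following is an added example written for this article, not Regshot's code: it hashes every file under a root, diffs two such snapshots and reports files added, deleted and modified. The demo runs against a constructed temporary directory standing in for C:\, and the "specimen activity" in it is simulated by writing the two file names the page observed (pas.txt and msnsettings.dat) plus one modified file. The registry half is not covered; on Windows it would use the winreg module.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to (size, sha256).
    This is the file-system part of a Regshot '1st shot' / '2nd shot'."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            snap[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def compare(first, second):
    """Regshot-style diff of two snapshots: files added, deleted and modified in between."""
    return {
        "added": sorted(set(second) - set(first)),
        "deleted": sorted(set(first) - set(second)),
        "modified": sorted(p for p in set(first) & set(second) if first[p] != second[p]),
    }


def report(diff):
    """Render the diff in the same spirit as Regshot's text report."""
    lines = []
    for kind in ("added", "deleted", "modified"):
        lines.append(f"Files {kind}: {len(diff[kind])}")
        lines.extend(f"  {p}" for p in diff[kind])
    return "\n".join(lines)


def demo():
    """Walk through the workflow on a constructed directory that stands in for C:\\ :
    1st shot, let the specimen run, 2nd shot, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("interval=10\n")
        first = snapshot(root)                                   # 1st shot
        # Constructed stand-in for the specimen's activity: the two artifacts the
        # post observed, plus a modification of an existing file.
        (root / "pas.txt").write_text("user=victim\npass=<captured>\n")
        (root / "msnsettings.dat").write_text("test\n")
        (root / "config.ini").write_text("interval=10\nstealth=1\n")
        second = snapshot(root)                                  # 2nd shot
        diff = compare(first, second)                            # Compare
        print(report(diff))
        return diff


if __name__ == "__main__":
    demo()
```

Hashing rather than relying on timestamps matters here: malware that rewrites a file with its original size and mtime would slip past a size/time comparison but not past a content digest. For a real run, point snapshot() at the drive root before and after detonation and keep both snapshots, since the "before" one is what makes the "after" one interpretable.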







The two files that appeared on the system after we infected it are pas.txt and msnsettings.dat. Take a look at them using Notepad. It looks like pas.txt has captured the logon credentials we used when logging into the malicious executable. The msnsettings.dat file looks like a configuration file of some sort.


Let us understand how the malicious program interacts with the file system and the registry with the help of Process Monitor. To use Process Monitor, run it while infecting the system. Process Monitor records API calls that deal with the file system, the registry and other local activities. In the screenshot, you can see attempts by our malware specimen to create the pas.txt file and to locate the msnsettings.dat file.






Reverse-engineering malware can help you become better at incident response and forensic analysis. In our scenario, we have already discovered that the Windows Live Messenger trojan makes use of the msnsettings.dat file. Now you know to look for it on a compromised system, even if you didn't initially realize that this file was important.

Once you have a copy of msnsettings.dat, open it to see whether it reveals additional details about the program, as shown in the figure:


One line is the string "test", which we may be able to use later when trying to understand how the trojan processes the msnsettings.dat file. Another line, "gsmtp185.google.com", specifies an SMTP mail server; this suggests that our specimen has the ability to send email. The file also includes an email address, "mastercleanex@gmail.com", which may be the recipient of the information the trojan attempts to send out.

Another tool that is very helpful in malware analysis is CaptureBAT.



CaptureBAT is similar to Process Monitor in that it records local processes' interactions with their environment. CaptureBAT's logs tend to be less noisy than those created by Process Monitor, because CaptureBAT comes with filters that eliminate the majority of standard, non-malicious activity from the logs.

If you launch CaptureBAT with the "-c" parameter, it will capture any files deleted in the background, letting you look at and restore even files that the Windows Recycle Bin cannot capture.

Launching CaptureBAT with the "-n" parameter tells the tool to capture network traffic, as a sniffer would, saving the result to a local .cap file. As you can see in the picture, CaptureBAT confirmed our earlier findings about the malware specimen.

 

You can load the .cap file created by CaptureBAT into a full-featured network sniffer such as Wireshark.





As you can see in the picture, the sniffer shows that the infected system issued a DNS query attempting to resolve the hostname "gsmtp185.google.com". The "smtp" in the hostname suggests that the malware specimen is looking for a mail server to connect to, reinforcing our earlier theory of how the trojan might use this hostname.
To confirm how the specimen wishes to use "gsmtp185.google.com", allow the trojan to resolve this hostname. Once it can resolve it, it will presumably attempt to connect to it, and you will be able to use a network sniffer to see which service the specimen is trying to reach. To set up name resolution, insert an entry for the hostname into the "hosts" file on the infected system. A faster alternative is to use a tool called ApateDNS.




ApateDNS is a DNS server that you can configure to answer any DNS query with a single IP address of your choice. I usually suggest picking the IP address of a system in your lab on which you can run the service the malware may look for. This redirects the connection to the host where you set up the listener, allowing the connection to complete so you can learn its purpose.
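What ApateDNS does is small enough to write out, and doing so shows exactly what the infected VM sees on the wire when the lookup for "gsmtp185.google.com" from the Wireshark capture above is answered by the lab instead of the Internet. The responder below is an added example written for this article, not ApateDNS's or FakeNet's code. It parses the question out of each UDP query, logs the name asked for, and replies with one A record pointing at the address you choose; non-A questions get an empty NOERROR reply so the specimen does not hang waiting. The listener address 192.0.2.10 is a constructed documentation-range value, and build_query() exists only so the responder can be exercised offline without a resolver.

```python
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw_question) from a DNS query packet.
    Question names in queries are never compressed, so a plain label walk is enough."""
    txid, flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    off = 12
    labels = []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack_from("!HH", packet, off)
    return txid, ".".join(labels), qtype, qclass, packet[12:off + 4]


def build_response(query, answer_ip, ttl=60):
    """Reply to an A/IN question with a single A record for answer_ip; reply to anything
    else with an empty NOERROR answer so the client moves on instead of retrying."""
    txid, _name, qtype, qclass, question = parse_query(query)
    answer = b""
    ancount = 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # 0xC00C is a compression pointer to the question name at offset 12.
        answer = (struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
                  + socket.inet_aton(answer_ip))
        ancount = 1
    # Flags 0x8180: response, recursion desired + available, RCODE NOERROR.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    return header + question + answer


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Encode a query packet; used to exercise the responder without a real resolver."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\0"
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + struct.pack("!HH", qtype, QCLASS_IN))


def serve(answer_ip, bind_addr="0.0.0.0", port=53):
    """Answer every lookup from the infected VM with answer_ip and log what was asked.
    Bind it on the isolated lab interface only; port 53 needs administrative rights."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, name, qtype, _, _ = parse_query(data)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue  # malformed packet or a response, not a query
        print(f"{peer[0]} asked for {name} (type {qtype}) -> {answer_ip}")
        sock.sendto(build_response(data, answer_ip), peer)


if __name__ == "__main__":
    serve("192.0.2.10")  # constructed address of the lab host running the fake SMTP listener
```

Point the infected VM's DNS setting at the machine running serve(), and the log line it prints for each query is the same indicator the Wireshark capture gave you, while the answer steers the follow-up TCP connection to the lab host where your SMTP listener (or FakeNet, below) is waiting.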

In our example, captured in the picture above, the network sniffer now confirms that the infected system is attempting to connect to TCP port 25 on "gsmtp185.google.com".

OR YOU CAN USE "FAKENET"
FakeNet automatically redirects network traffic, so there is no need to modify the hosts file or use ApateDNS with this tool. FakeNet emulates various common services, including HTTP and SMTP.




In our example, illustrated in the picture, FakeNet pretends to be a mail server, intercepting the email message that our trojan attempts to send through "gsmtp185.google.com".

Now you can see the contents of the message the trojan is mailing to the attacker. As highlighted in the picture, the message includes the victim's Windows Live Messenger username and password. We also see that the exfiltrated data is directed to "mastercleanex@gmail.com".

So this was the behavioral analysis of our malware. In this article we analyzed only the behavior of the malware (processes, network services, etc.) to learn about it. So far we have found the following:

1. The malware creates two files after launching: pas.txt and msnsettings.dat.

2. It sends the user's Live Messenger credentials to the following mail server:

Attacker's mail server: gsmtp185.google.com

Attacker's email id: mastercleanex@gmail.com

After this article I'm working on the code analysis of malware. I will do the code analysis of the same application used in this tutorial, so you can consider this the first part of malware analysis. The second part will come soon.


About the Author: 

This article has been posted by Kislay Bhardwaj. He is a security researcher specializing in penetration testing, cyber forensics, Linux security and other security assessments and training.