Archive for December, 2007
Monday, December 31st, 2007
In a post earlier this month, I presented steps for unpacking a suspicious BHO and restoring its import table (IT/IAT) for analysis. That sample was packed with a tool called “Upack”, otherwise known as the “Ultimate PE Packer”, by its author Dwing. Upack is frequently seen on small executables, around 40 KB in size. It compresses the file’s contents with the LZMA algorithm and adds an unpacking stub to the target file so it can decompress itself at runtime. In other words, an author can shrink an executable for download and delivery without requiring a decompression utility like WinZip or WinRAR to be installed on the receiving system. This post continues with the PE file that was rebuilt in that previous work.
Here are the steps we used to work on this file, leaving off at the last step so we can identify some behaviors of this malicious component:
1. Mark the file as an EXE in the PE header and rename the .dll extension to .exe
2. Load it into OllyDbg
3. Find the OEP (original entry point), which is pretty easy with Upack
4. Break at the OEP and dump the process image from memory to disk
5. Fix up the IAT with ImpREC and write the repaired imports into the dumped file
6. Rename the fixed file and change the PE header back to a DLL
7. Load it into IDA Pro 5.1 with the IDAPython plugin installed…
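Steps 1 and 6 above patch the same bit: IMAGE_FILE_DLL (0x2000) in IMAGE_FILE_HEADER.Characteristics. Clearing it lets OllyDbg load the module as a process; setting it again restores the file as a DLL for IDA. The script below is an added example and is not code from the original post; it locates that field through the DOS header’s e_lfanew pointer, validates the PE signature, and flips the flag in place. The build_minimal_pe() helper constructs a toy header (DOS stub, PE signature and file header only) so the functions can be exercised without a real sample; the filename in the usage line is an assumption.

```python
"""
Set or clear IMAGE_FILE_DLL in a PE file header.

Added example for the unpack/restore steps above; not code from the
original post. Offsets follow the PE/COFF specification:
  DOS header: e_lfanew (DWORD) at 0x3C points at "PE\0\0"
  IMAGE_FILE_HEADER (20 bytes) follows the signature; Characteristics
  is its last WORD, i.e. e_lfanew + 4 + 18.
"""
import struct
import sys

IMAGE_FILE_DLL = 0x2000
E_LFANEW_OFFSET = 0x3C
CHARACTERISTICS_OFFSET = 4 + 18   # signature + offset of Characteristics


def _characteristics_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.Characteristics, validating headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing or truncated DOS header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    # need signature (4) + full file header (20) to be inside the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    return e_lfanew + CHARACTERISTICS_OFFSET


def is_dll(data: bytes) -> bool:
    """True if the IMAGE_FILE_DLL characteristic is set."""
    off = _characteristics_offset(data)
    return bool(struct.unpack_from("<H", data, off)[0] & IMAGE_FILE_DLL)


def set_dll_flag(data: bytes, dll: bool) -> bytes:
    """Return a copy of data with IMAGE_FILE_DLL set (dll=True) or cleared (dll=False)."""
    buf = bytearray(data)
    off = _characteristics_offset(buf)
    chars = struct.unpack_from("<H", buf, off)[0]
    if dll:
        chars |= IMAGE_FILE_DLL
    else:
        chars &= ~IMAGE_FILE_DLL & 0xFFFF
    struct.pack_into("<H", buf, off, chars)
    return bytes(buf)


def build_minimal_pe(characteristics: int) -> bytes:
    """Constructed sample (not a real binary): DOS stub + "PE\0\0" + IMAGE_FILE_HEADER.

    Machine 0x14C (i386), 3 sections, SizeOfOptionalHeader 0xE0 (PE32).
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    # usage (assumed filename): python patch_dll_flag.py sample.dll exe|dll
    if len(sys.argv) != 3 or sys.argv[2] not in ("exe", "dll"):
        sys.exit("usage: patch_dll_flag.py <pe file> exe|dll")
    path, mode = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        image = f.read()
    patched = set_dll_flag(image, mode == "dll")
    with open(path, "wb") as f:
        f.write(patched)
    print(f"{path}: IMAGE_FILE_DLL {'set' if is_dll(patched) else 'cleared'}")
```

Only the one WORD changes, so the file size and every other header field are untouched; step 6 is the same call with the flag set back, which is why the round trip in the sample returns the original bytes.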
When we load this file into IDA Pro, the disassembler can now produce a listing that can be used to reverse engineer the component’s functionality. Without properly unpacking the file and fixing up the imports, the disassembler cannot analyze the code. The listing does not immediately reveal much about the component’s activity, but knowing that this component is a BHO helps identify key areas to focus on. We do see ATL runtime calls like “AtlInternalQueryInterface” and “AtlComPtrAssign”, which point to COM programming within the component. The locations of these calls lead us further down the control flow to where the COM calls themselves can be analyzed and understood. Joe Stewart published information about reversing OLE, but this code is more complex than a common SubmitHook trojan. Frank Boldewin’s Python scripts come in handy for walking through these COM calls; with them, the listing reveals a section where the code obtains the “document” interface from the web browser and enumerates its connection points. We can set memory breakpoints on these sections for further analysis, and when we visit various banking web sites we can see that the BHO is building an event sink.

Once the event sink is in place, GetKeyState is called on each “KEY_DOWN” event, so the component can inspect every individual keystroke as it is hit. It appears that the only keystrokes being checked are the ones coming from the userid and password input fields.
So, we have a DLL that identifies URLs of banks and other financial institutions and, after parsing and identifying an “interesting” URL, constructs an event sink attached to very specific fields within the browser’s web page, namely the userid and password input fields. This ActiveX component logs those keystrokes and sends them off the system: it calls “HttpSendRequestA” to transmit the banking usernames and passwords it just collected from these fields. I think we have found an interesting piece of malware, quite possibly a password stealer for banking websites. We will add more technical detail to this post as time permits. It helps to be able to dump this file and modify it for static analysis.
Posted in Password stealing, Reversing, Unpack | No Comments »
Monday, December 31st, 2007
A “Strategy” thread was started on the DailyDave mail list by Dave himself, criticizing information warfare papers: “If you’re reading an information warfare book or paper you’ll invariably see a lot of: 1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd) 2. Declarations that information warfare is an “asymmetric attack”
Dave goes on to drop a couple of product names and then describes the cost-saving Microsoft monoculture deployed across the US .com and .mil communities, calling it poor strategy: “Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric.”
Unfortunately, this past year was a record year for data breaches, according to a couple of groups. (Although I am not sure that statement is completely true. It seems more to have been a record year for reporting breaches, due to a number of new factors; incident reporting has always provided only a cloudy window into actual events.) Any way you slice it, in light of the sheer volume of security breaches, Dave’s statement about the monoculture of the .com and .mil communities is a troubling one. In spite of a year of record profits for the .com community and record budgets for the .mil community, it seems that technology implementations still are not getting the budget or focus they require when it comes to effectively addressing security needs.
Another poster on the list responded to Dave’s complaints with a book review of “Spec Ops: Case Studies in Special Operations Warfare: Theory and Practice” by William McRaven, a U.S. Navy SEAL commanding officer. I got a chance to check it out this past week, and the eight case studies McRaven analyzes really are fascinating (if you are a bit of a military history buff). The theory and principles at the beginning of the book (summarized in the DailyDave post) can be applied to analysis of the targeted attacks that have become much more commonplace on the net. It is a stimulating read for security enthusiasts, and applies well to the ongoing security breaches around the world: “If you can’t draw the parallels to general security practices from those principles then the book is not for you, otherwise you might find yourself ripping through the book and thinking in an entirely different light by the final chapter.”
Posted in Book/Doc review, Penetration testing, Security breach, Strategy | No Comments »
Monday, December 31st, 2007
What a generous way to bring in the new year. The Storm/Peacomm gang, the same group whose activities we presented at VB2007 and posted about previously, has not disappeared. The holidays brought a round of Christmas-themed spam, complete with a simple link to an nginx server and the promise of a friendly Christmas-related message. In the past couple of days, they have turned to a New Year theme: “Happy New Year! Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run. Enjoy!”
Consistent with their past attacks, the executable names are themed as well. We have seen “happynewyear2008.exe” and “happy_2008.exe” hosted on servers in Poland and on multiple sites around the world. But in a small departure from linking to bare IP addresses with no registered domain, these malware-serving web hosts now have cute, themed .com domains registered for them, like “newyearwithluv” or “hellosanta”. The gang broke another of its habits as well: the flashy graphics seen on earlier sites are absent this time.
We are seeing a strong uptick in the number of users actually running these files (happy-2008.exe, happynewyear2008.exe, happy_2008.exe, happynewyear.exe) on their systems. Please exercise caution when visiting links that were sent to you, apply all of your system patches at the Microsoft Update site, and if you use QuickTime or Firefox, update them as well.
Cheers to secure computing and happy New Year!
Posted in Exploit, Social Engineering, Storm, Virus Bulletin, Vulnerability | No Comments »