Archive for May, 2008

Keeping strings real – Part I

Tuesday, May 20th, 2008

All malware researchers love strings. They allow us to gain valuable insights into the possible behavior of the sample being investigated. Even IT professionals, who do not research malware professionally, can make good use of these clues.

Here’s a quick example of strings in a malware disassembly listing:

00403100 Security Troubleshooting.url
00403120 ot.ico
00403128 %s/soft/?c=%1.1d%d%1.1d
00403140 Online Security Guide.url
0040315C ts.ico
00403164 %s/test/?c=%1.1d%d%1.1d
0040317C Online Security Test.url
00403198 *.securemanaging.com
004031B0 *.safetyincludes.com
004031C8 *.securewebinfo.com
004031DC 85.255.117.158
004031EC 88.255.74.197
00403300 195.95.*.*
0040330C 194.187.*.*
00403318 turbocodec.com
00403328 flyvideonetwork.com
0040333C websoft-c.com
0040375C plus-codec.com
0040376C freerealitympegs.com
00403784 inc-codec.com
00403794 user_pref("browser.search.selectedEngine", "Search");
004037D0 user_pref("browser.search.selectedEngine"
00403840 \profiles.ini
00403850 Mozilla\Firefox
00403908 Software\Microsoft\Internet Explorer\New Windows\Allow
00403940 %sVersion\Internet Settings\ZoneMap\EscDomains\%s
004039A8 Domains\%s

Right off the bat, one might guess that there is probably something fishy going on with these domains in relation to Firefox and Internet Explorer settings. A quick Google search on some of these domains yields many results which are seemingly related to malware. If the search result is somewhat ambiguous, a researcher can always plug a string into ThreatExpert to find related malware behavior.

Searching for “securewebinfo.com” on ThreatExpert yields plenty of results. Most of the strings found in this particular sample match up very nicely to the results found, so it is reasonably safe to assume that this sample is probably a variant. However, if the search results were inconclusive, one of the next steps a malware researcher can take is to disassemble the file in IDA Pro.
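The triage described above, pulling printable strings out of a sample and sorting them into the kinds of clues that matter (domains, IP ranges, registry paths, Firefox prefs, format strings), as an added example in Python. This is not code from the original post; the byte blob is constructed for the example rather than read from a real sample, and the classification heuristics are assumptions that a real workflow would tune.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed "binary": junk bytes around ASCII strings of the same kinds as in
# the listing above. A real workflow would read the sample from disk instead.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00" + b"\x00" * 6
    + b"*.securewebinfo.com\x00"
    + b"\xff\xfe" + b"85.255.117.158\x00"
    + b"195.95.*.*\x00"
    + b"\x7f\x80\x81"
    + b"Software\\Microsoft\\Internet Explorer\\New Windows\\Allow\x00"
    + b"user_pref(\"browser.search.selectedEngine\", \"Search\");\x00"
    + b"%s/soft/?c=%1.1d%d%1.1d\x00"
    + b"ab\x00"  # shorter than min_len, so it is ignored
)


def extract_strings(blob: bytes, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of printable ASCII at least min_len
    bytes long, which is what the `strings` utility does for single-byte text."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


# Heuristics (assumptions): a bare hostname, optionally wildcarded; a dotted quad
# that may contain '*' wildcards; fragments of well-known registry paths.
DOMAIN_RE = re.compile(r"^\*?\.?([a-z0-9-]+\.)+[a-z]{2,}$", re.I)
IP_RE = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")
REG_HINTS = ("software\\microsoft", "internet settings", "currentversion")


def classify(text: str) -> str:
    """Label a string with the kind of clue it most likely is."""
    low = text.lower()
    if DOMAIN_RE.match(text):
        return "domain"
    if IP_RE.match(text):
        return "ip-or-range"
    if any(h in low for h in REG_HINTS):
        return "registry-path"
    if text.startswith("user_pref("):
        return "firefox-pref"
    if "%s" in text or "%d" in text:
        return "format-string"
    return "other"


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Group every extracted string by its classification."""
    groups: Dict[str, List[str]] = {}
    for _offset, text in extract_strings(blob):
        groups.setdefault(classify(text), []).append(text)
    return groups


if __name__ == "__main__":
    for kind, items in sorted(triage(SAMPLE_BLOB).items()):
        print(kind)
        for item in items:
            print("   ", item)
```

The "domain" and "ip-or-range" buckets are the ones worth searching on ThreatExpert or a search engine first; "registry-path" and "firefox-pref" strings say where the sample intends to make changes, which is what the disassembly later confirms.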

What is this malware actually doing with those strings? We are glad you asked!

Below is the image of the strings in the disassembler. The following items are shown moving from left to right: the address in memory where the strings reside, the automatic name IDA gave this location, the string data itself, and last but not least, the cross references (XREFs).

Navigating to one of the cross references changes the view to an array of string pointers as seen in the image below. This array also contains a cross reference, but to a function this time.

The function seen below was labeled “modify_IEXPLORE_SecurityZones” as it was found to call sub-functions which modify the registry associated with Internet Explorer’s Security Zones.

The last loop in this function, “AddAllowPopup_loop”, executes once for each item in the domain_name_array. Each item in the array will be added to the AllowPopup registry key. The next time Internet Explorer is run, those domains will be allowed to display pop-up windows at will. This code confirms our suspicions of malicious behavior.
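The defender's side of the behaviour just described is to check whether the Internet Explorer pop-up allow list (and the ZoneMap EscDomains entries the sample also references) contain domains nobody put there on purpose. The following Python audit is an added example, not code from the original post. It parses a .reg-style export; the export text is constructed for the example, the value layout under those keys is an assumption that mimics a real export, and the KNOWN_GOOD set stands in for whatever an organisation actually expects to find.

```python
from typing import Dict, List, Set

ALLOW_KEY = r"Software\Microsoft\Internet Explorer\New Windows\Allow"
ESC_KEY = r"Internet Settings\ZoneMap\EscDomains"

# Constructed export. Only intranet.example.com is expected; the other entries
# are the kind of additions the sample above would leave behind.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow]
"intranet.example.com"=hex:
"*.securewebinfo.com"=hex:
"*.safetyincludes.com"=hex:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\securemanaging.com]
"*"=dword:00000002
"""

KNOWN_GOOD: Set[str] = {"intranet.example.com"}


def parse_reg_export(text: str) -> Dict[str, List[str]]:
    """Collect value names under the pop-up Allow key and the domain subkeys under
    EscDomains from a .reg-style export."""
    popup_allow: List[str] = []
    esc_domains: List[str] = []
    in_allow = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            in_allow = key.lower().endswith(ALLOW_KEY.lower())
            idx = key.lower().find(ESC_KEY.lower())
            if idx != -1:
                # Whatever follows EscDomains\ is the domain the entry applies to.
                domain = key[idx + len(ESC_KEY):].strip("\\")
                if domain:
                    esc_domains.append(domain)
            continue
        if in_allow and line.startswith('"'):
            popup_allow.append(line.split('"')[1])
    return {"popup_allow": popup_allow, "esc_domains": esc_domains}


def normalize(domain: str) -> str:
    """Lower-case and drop a leading wildcard so '*.foo.com' compares as 'foo.com'."""
    return domain.lower().lstrip("*.")


def find_unexpected(text: str, known_good: Set[str] = KNOWN_GOOD) -> Dict[str, List[str]]:
    """Return the entries in each list that are not on the expected list."""
    expected = {normalize(d) for d in known_good}
    flagged: Dict[str, List[str]] = {}
    for field, entries in parse_reg_export(text).items():
        bad = [e for e in entries if normalize(e) not in expected]
        if bad:
            flagged[field] = bad
    return flagged


if __name__ == "__main__":
    for field, entries in find_unexpected(REG_EXPORT).items():
        print(field, "->", ", ".join(entries))
```

On a live machine the same comparison can be run against `reg export` output for HKCU and HKLM; anything flagged is either a policy someone forgot to document or the footprint of code like the loop above.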

Peach Fuzz

Wednesday, May 14th, 2008

Another open source fuzzing toolkit update was released today, the “Peach Fuzzing Platform v2.0”.
Fuzz. As in Peach. Ha!

Anyways, how does fuzzing affect the security of one’s computer? Directly, it does not. Indirectly, it does.

Fuzzing an application or service is the process of introducing malformed and unexpected input, often in combination with expected input, to an application consuming data. This process can identify bugs or flaws in software, such as buffer overflows and format string errors. Once these bugs are uncovered, determined individuals may sometimes write code to exploit these bugs. Not all bugs are exploitable.
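To make the process concrete, here is a small mutation fuzzer in Python, added as an example and not part of Peach or the original post. The target is a toy length-prefixed record parser written for the example, with a deliberate missing bounds check; the fuzzer mutates valid seed inputs, treats the parser's own ValueError as an intended rejection, and records any other exception as a crash worth investigating. The record format, seeds and mutation strategy are all assumptions of this example.

```python
import random
from typing import Dict, List, Tuple

def parse_record(data: bytes) -> Dict[str, object]:
    """Toy parser for: tag(1 byte) | length(1 byte) | payload(length bytes).
    Deliberate bug: for tag 1 it reads five payload bytes without checking
    that the declared length is at least 5."""
    if len(data) < 2:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    if len(payload) != length:
        raise ValueError("declared length exceeds available data")
    if tag == 1:
        value = int.from_bytes(payload[:4], "big")
        checksum = payload[4]        # IndexError when length < 5: the bug
        return {"tag": tag, "value": value, "checksum": checksum}
    return {"tag": tag, "value": payload}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: flip a bit, delete a byte, insert a byte, or truncate."""
    data = bytearray(seed)
    op = rng.choice(("flip", "delete", "insert", "truncate"))
    if op == "flip" and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == "delete" and data:
        del data[rng.randrange(len(data))]
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(seeds: List[bytes], iterations: int, seed_value: int = 1) -> List[Tuple[bytes, str]]:
    """Feed mutated seeds to the parser. ValueError is the parser saying 'no' on
    purpose; anything else is an unexpected failure and is kept, deduplicated."""
    rng = random.Random(seed_value)   # fixed seed so a run is reproducible
    crashes: Dict[bytes, str] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            parse_record(candidate)
        except ValueError:
            continue
        except Exception as exc:  # noqa: BLE001 - the point is to catch everything else
            crashes.setdefault(candidate, type(exc).__name__)
    return sorted(crashes.items())


# Constructed valid records: tag 1 with value 42 and checksum 7, and a tag 2 record.
SEEDS = [b"\x01\x05\x00\x00\x00\x2a\x07", b"\x02\x03abc"]

if __name__ == "__main__":
    for data, exc_name in fuzz(SEEDS, 3000):
        print(exc_name, data.hex())
```

Every crash the run reports is a length byte that was flipped below 5 while the tag stayed 1, which is exactly the case the parser forgot to check; a real fuzzer such as Peach does the same job with a data model of the format instead of blind byte flips, against real file and protocol parsers.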

The easier, more open and popular it is to fuzz applications, the more likely it is that vulnerabilities are found in applications. The frequent hotfixes and updates that Microsoft releases to patch the vulnerabilities in their OS and browser software are sometimes for bugs found by individuals performing fuzz testing (and, most likely, some amount of reversing). Rumor has it, the largest fuzzing project in the history of software development was performed by the Microsoft developers and security teams themselves over the past couple of years on their own compiled code.

The Peach platform can fuzz data consumers of many types, including file format parsers, network services, third party plugins like those from Quicktime and Adobe, and almost any other software.

ImmunitySec and Dave Aitel have been releasing this sort of software for years, with SPIKE, SPIKE proxy, and Sharefuzz.

What do our readers think of ethical hacking, exploit development and the spread of these sorts of tools? Please post a comment if you have an opinion on the subject. We’d love to hear from you.

Agent again, this time undetected

Wednesday, May 14th, 2008

Several interesting surges in malware activity are showing up today. The most highly propagated that we are seeing is a large increase in the past 24 hours of an old friend that’s been labelled “Trojan.Agent”. The filename that we are seeing the most of is “wingmmesc.exe”, and it continues to run rampant without much in the way of AV detection, including the new and improved engines to detect suspicious obfuscation:

We are investigating its spread and its packing techniques. While the outer layer was packed with UPX, another layer of protection needs to be peeled back, which may explain low AV detections. In the past, this sort of stuff was spread via emails with “enticing” (often pornographic) messages with links to URLs, like hxxp://aliodsf . com / video.exe. We’ll get back with more detail.

Update: It appears to be related to the Sality family, because we’re seeing lots of familiar Sality “WINEUJE.EXE” activity related to the downloader, a worm that’s run around for a long time now, especially in Asia. It attempts to download .gif files from “kukutrustnet888.info” and “microupdate14.info”, both domains that we’ve seen from this family before. We’ll rename this one to a more appropriate Sality label, and more AV detections should begin to pick up, now that we’ve uploaded it to virustotal for sharing.
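For readers who want to check their own environment for the indicators named in this post, here is a Python sweep over DNS, proxy and file-creation log lines, added as an example and not code from the original post. The two download domains and the two file names come from the post; the log line formats, client addresses and the benign hosts are constructed for the example, and a real deployment would read lines from the actual log files.

```python
import re
from typing import Dict, List

# Indicators taken from the post above.
KNOWN_BAD_DOMAINS = {"kukutrustnet888.info", "microupdate14.info"}
KNOWN_BAD_FILENAMES = {"wingmmesc.exe", "wineuje.exe"}

# Constructed log lines in three simple formats (assumption): a DNS query log,
# a proxy access log with a URL, and a file-creation event.
LOG_LINES = [
    "2008-05-14T10:02:11 10.0.0.15 query A www.example.com",
    "2008-05-14T10:02:19 10.0.0.15 query A cdn.KukuTrustNet888.info",
    "2008-05-14T10:03:02 10.0.0.22 GET http://microupdate14.info/images/logo.gif",
    "2008-05-14T10:03:40 10.0.0.22 GET http://update.vendor.example/patch.exe",
    "2008-05-14T10:04:05 10.0.0.31 created C:\\WINDOWS\\system32\\wingmmesc.exe",
]

# A hostname is either the name in a 'query <type> <name>' field or the host part of a URL.
HOST_RE = re.compile(r"(?:query \w+ |https?://)([A-Za-z0-9.-]+)")
# An .exe file name following a path separator.
FILE_RE = re.compile(r"[\\/]([A-Za-z0-9_.-]+\.exe)\b", re.I)


def matches_bad_domain(host: str) -> bool:
    """True for the indicator itself or any subdomain of it; a domain that merely
    ends with the same characters (notmicroupdate14.info) does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per indicator found, with the line it came from."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        for m in HOST_RE.finditer(line):
            if matches_bad_domain(m.group(1)):
                hits.append({"type": "domain", "indicator": m.group(1).lower(), "line": line})
        for m in FILE_RE.finditer(line):
            if m.group(1).lower() in KNOWN_BAD_FILENAMES:
                hits.append({"type": "filename", "indicator": m.group(1).lower(), "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"{hit['type']:8} {hit['indicator']:28} {hit['line']}")
```

Matching on the registered domain and its subdomains rather than on substrings is the detail that keeps this kind of sweep from both missing a CDN-style subdomain and false-alarming on an unrelated look-alike name.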