Wednesday, April 9, 2014

HeartBleed May 'Broken Your Heart' as Data Leaks

A recent OpenSSL bug called Heartbleed (CVE-2014-0160) has put millions of websites in trouble. The Heartbleed test developed by Filippo Valsorda has been released as open source. I just played around with Heartbleed a little.

BTW, what is the Heartbleed bug? Heartbleed is a vulnerability in the OpenSSL cryptography library that allows any user to read system memory (only vulnerable versions are affected).

In Malay: it is a weakness in the cryptography library of the OpenSSL software that allows outside users to read system memory (only certain versions are affected).
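To show where the memory read comes from, here is an added example (not the post's code and not OpenSSL's) of an RFC 6520 heartbeat message parser that carries the bounds check the vulnerable versions lacked; the two sample records are constructed, not captured traffic.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def parse_heartbeat(record):
    """Parse a TLS heartbeat message body (RFC 6520: 1-byte type, 2-byte
    payload length, payload, padding). Returns (type, payload), or None
    when the message must be silently dropped."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The check the vulnerable OpenSSL versions lacked: the declared payload
    # plus minimum padding must fit inside the bytes actually received.
    # Without it, payload_len bytes were copied into the reply from memory
    # beyond the short record, which is the Heartbleed leak.
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None
    return hb_type, record[3:3 + payload_len]


def build_heartbeat_response(request_record):
    """Echo a valid request's payload back, as a responder is meant to."""
    parsed = parse_heartbeat(request_record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
            + payload + b"\x00" * MIN_PADDING)


# Constructed sample records for testing the check.
GOOD_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 4) + b"ping" + b"\x00" * 16
# Declares a 65535-byte payload but carries only 4 bytes: must be dropped.
OVERSIZED_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"ping" + b"\x00" * 16

if __name__ == "__main__":
    print(build_heartbeat_response(GOOD_REQUEST))      # echoes b"ping"
    print(build_heartbeat_response(OVERSIZED_REQUEST))  # None: dropped
```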

As I tested several Malaysian websites, the websites of most critical organisations, including government, were exposed to this vulnerability.


Filippo also provides a website for you to test your web server; if it is vulnerable you will get a message like the image below:


Alternatively, you can use the Malaysia Honeynet Heartbleed website to test your web server:
http://heartbleed.honeynet.org.my/

Here is some good advice on how to protect yourself from the Heartbleed bug:
http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

References:
http://heartbleed.com/
https://github.com/FiloSottile/Heartbleed
http://filippo.io/Heartbleed
http://heartbleed.honeynet.org.my/
https://gist.github.com/harlo/10199638

~ alternat0r

Thursday, March 13, 2014

Dendroidbot Quick Analysis

As I got a sample of the Dendroid APK malware, I decided to do a quick analysis on it. Thanks to +Mila Parkour for the sample.


DB01F96D5E66D82F7EB61B85EB96EF6E
52A30B58257D338617A39643E2216D0C

The original sample is protected with DexGuard for extra protection of its code, so it appears obfuscated when decompiled.

The following permissions can be used once it has been installed:
  • directly call phone numbers
  • read phone status and identity
  • reroute outgoing calls
  • edit your text messages (SMS or MMS)
  • read your text messages (SMS or MMS)
  • receive text messages (SMS)
  • send SMS messages
  • take pictures and videos
  • record audio
  • precise location (GPS and network-based)
  • read call log
  • read your contacts
  • read your Web bookmarks and history
  • modify or delete the contents of your SD card
  • find accounts on the device
  • full network access
  • view network connections
  • retrieve running apps
  • prevent phone from sleeping
  • modify system settings
  • test access to protected storage

As we analyzed the Java classes, we found that it can also determine whether it is running on an emulator. Going through its Java classes, there is a lot of functionality that would be able to completely spy on your phone.


initiate() loads a pre-defined configuration that is base64 encoded.


Here is the VirusTotal detection list:
https://www.virustotal.com/en/file/099a57328de9335c524f44514e225d50731c808145221affdd684d8b4dad5a1d/analysis/

This sample is an earlier version of Dendroid, though. Some users might already have found a recent version of it bound with other applications to make it seem like a legitimate app.


~ alternat0r

Wednesday, February 19, 2014

Countdown to Windows XP End of Support

The end of Windows XP support will be on Saturday, 8 April 2014.


http://windows.microsoft.com/en-US/windows/products/lifecycle


Saturday, February 1, 2014

ApacheBench behind the Encoded VBE file

Recently I received a VBE file from a friend that looked suspicious with its encoded content, along with a request to do a quick analysis on it. So I managed to play around with it and see what's inside.

The file name I got is s64.vbe (0B826D9869B139B2C5BB139234C08D43), which contains an encoded script. The size of this file is around 608,904 bytes. The content of the encoded file is shown below:


To decode this file I used scriptDecode.vbs from Jean-Luc Antoine. The output of the decoded file is a VBScript, as shown in the picture below:


If we scroll to the bottom of the file we can see that some kind of Windows binary file has been converted into ASCII format within the VBS. The file name svchost.exe is used to save it to disk and run it.


Most antivirus products already detect this file as malicious:

https://malwr.com/analysis/YzkzNDUxOTlmOTQxNDAxYmEwNjdmNGI4MTk5YjBmYzI/share/1a8cbf4acb5944d1856d04d4e72b8ed7

https://www.virustotal.com/en/file/6b01071c7936d4a1ba1f53b5651db5f604dfe7f5aa3e4ed38d48f6ba66eebd5e/analysis/

The svchost.exe file (333ABC2F9864B70F7EF48B049CBA9286) is a program called ApacheBench, a command line utility. In the first place, this program is used to measure the performance of HTTP web servers. However, the binary file I got does not run correctly, as it is sometimes unresponsive. It is possible to use this tool for a DDoS attack.

~ alternat0r

Friday, June 21, 2013

Python - Basic VirusTotal Uploader

Just my little quick note about submitting a malware sample to VirusTotal.com. Be reminded that this Python code does not handle errors properly. Just for quick reference.

import sys
import postfile  # multipart POST helper distributed with the VirusTotal API examples


def main(argv):
    # argv[0] is the path of the sample to submit
    inputfile = argv[0]
    host = "www.virustotal.com"
    selector = "https://www.virustotal.com/vtapi/v2/file/scan"
    fields = [("apikey", "YOUR PUBLIC API KEY")]
    with open(inputfile, "rb") as fh:
        file_to_send = fh.read()
    files = [("file", inputfile, file_to_send)]
    # post_multipart returns the raw JSON reply from the scan endpoint
    json = postfile.post_multipart(host, selector, fields, files)
    print(json)


if __name__ == "__main__":
    main(sys.argv[1:])

You can replace the 'YOUR PUBLIC API KEY' with your own key. Get it at VirusTotal.com.
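The same submission written with only the standard library and with the error handling the note above says is missing, as an added example rather than the post's code: the multipart body is built by hand in place of the postfile helper, the scan URL, the empty 204 rate-limit reply and the 403 code are those of the public v2 API, and the script name and boundary string are constructed placeholders.

```python
import json
import os
import sys
import urllib.error
import urllib.request

VT_SCAN_URL = "https://www.virustotal.com/vtapi/v2/file/scan"
BOUNDARY = "vtuploadboundary7e3a1c"  # constructed; any string absent from the data works


def build_multipart(fields, files, boundary=BOUNDARY):
    """Build a multipart/form-data body by hand (what postfile.post_multipart did).
    fields: [(name, text)], files: [(name, filename, bytes)] -> (content_type, body)."""
    parts = []
    for name, value in fields:
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", value.encode()]
    for name, filename, data in files:
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'.encode(),
                  b"Content-Type: application/octet-stream", b"", data]
    parts += [f"--{boundary}--".encode(), b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(parts)


def submit_file(path, apikey, url=VT_SCAN_URL):
    """POST the file to the v2 scan endpoint; raise a clear error instead of printing junk."""
    with open(path, "rb") as fh:
        data = fh.read()
    ctype, body = build_multipart([("apikey", apikey)],
                                  [("file", os.path.basename(path), data)])
    req = urllib.request.Request(url, data=body, headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            if resp.status == 204:  # v2 public API: request rate exceeded, empty body
                raise RuntimeError("VirusTotal rate limit exceeded, retry later")
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:  # e.g. 403 for a bad API key
        raise RuntimeError(f"VirusTotal returned HTTP {exc.code}") from exc
    except urllib.error.URLError as exc:
        raise RuntimeError(f"could not reach VirusTotal: {exc.reason}") from exc


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: vt_upload.py <sample path> <api key>")
    print(json.dumps(submit_file(sys.argv[1], sys.argv[2]), indent=2))
```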

~ alternat0r

Monday, February 18, 2013

'Business Flash Player' appear to be Facebook spammer


Just received this wild Facebook post that suddenly tagged me for an unknown reason. It looks like a community page that has received 87 million user 'Likes'. That's something fishy to me.


This looked suspicious to me because the provided URL was unreadable to me. Obviously it is in Unicode characters or an IDN. It's in Armenian (ask Google Translate or Wikipedia).

Well, let's check out what's so special about this FB post. Once you click on that weird URL you will be redirected to fastotolike.com. The website looks like some kind of 'auto-like' or clickjacking script.


If you click anywhere on the page you will be prompted with another strange popup (I'm using Google Chrome for this test). The popup message prompts you to install some kind of plug-in or extension for Chrome. Multiple popups open, 8 times according to its JavaScript. See image below:


Looking at the source code you will find Turkish text, hoping that the user will click the 'Add' button.


It looks like the app is available in the Google Web Store, disguised as 'Business Flash Player !'. With no description and no screenshot, it definitely looks fishy. See image below:




If you try to install it you will see the extension appear in the Chrome Extensions list.


Let's take a look at the installed extension's source code. There are two links, one of which redirects to a malicious website. See image below:


The redirect URL goes to http://fastotolike.com/yeni.php, which somehow reveals its source code as one long commented-out line. So, for this test I just uncommented the JS code and beautified it.



This script looks like it is responsible for posting spam to the victim's Facebook wall. The post appears to be submitted along with a picture of a random girl dancing on YouTube.





Thursday, November 29, 2012

Analysis on TOR_Browser malware

694DD57886B32AD850224A783198D9FE, 10D52767B537B2F9F564481665B029E6, 761EA80A1C0019D6CB606BB646EBE57F

The sample was already circulating a few weeks ago, but I still found little information about this malware on the internet. Thus, I decided to do a quick analysis.

Basic File Information
Received filename : Tor_Browser.exe
Original Filename : suf70_launch.exe
Executable vendor : Indigo Rose Corp.
File size : 707,793 bytes
MD5 hashes received from the report:
694DD57886B32AD850224A783198D9FE (installer file, 707,793 bytes)
10D52767B537B2F9F564481665B029E6 (malicious PE file, 9,080 bytes)
761EA80A1C0019D6CB606BB646EBE57F (malicious PE file, 74,240 bytes)
MD5 hash from official website:
The official installer file is about 22MB in size while the sample is only 700KB.

Summary

The sample we received is a PE installer file using the Tor Project file icon. In the installation wizard, the user will notice that no EULA appears on the screen:


The installer file is a malware dropper. After installation finishes, the malware does not execute itself automatically; it needs user interaction, either rebooting the PC or running it manually from the Start Menu.

If the user runs it from the Start Menu, it runs from C:\Program Files\Tor Browser\Tor_Browser.exe. This PE file then runs another process from the following location:
C:\Users\<user profile>\AppData\Local\Temp\explorer.exe
It then runs %RANDOMNAME%.bat, dropped in the Windows temporary folder, which deletes the previous file Tor_Browser.exe after the process has terminated.

The running fake explorer.exe process performs several malicious activities, including keylogging, saving keystrokes in encrypted form, and resolving the malware author's DNS names to an IP.

The explorer.exe process remains resident in memory.

Process Activity

Upon execution of the sample it creates the following mutex:
XXXXOOOO


This makes sure only a single instance of itself is running.

File & folder

Upon installation the following files are created:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tor Browser\
    жÔØ Tor Browser.lnk
    Tor_Browser.lnk

C:\Users\<user profile>\AppData\Roaming\Help\
    CREATELINK.EXE (legitimate file used to create a shortcut link)
    iexplore.exe
    IconCacheBt.DAT (Encrypted fake explorer.exe file)
    IconConfig.DAT (Encrypted keylogger configuration)

C:\Program Files\Tor Browser\Tor_Browser.exe
C:\Windows\Tor Browser\uninstall.exe -- Non-malicious file
C:\Users\<user profile>\AppData\Local\Temp\explorer.exe

This malware sample also creates a shortcut link as a startup entry in the following folder:
C:\Users\<userprofile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The shortcut file links to the following file location:
C:\Users\<userprofile>\AppData\Roaming\Help\iexplore.exe

Windows Registry

The malware creates the following registry key:
HKCU\Software\Microsoft\Windows\DbxUpdateBT
"Mark"="ay"

NOTE: This registry key is used to mark the current machine as already infected.
The malware also reads the following registry key:
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\
and tries to read the value "~MHz". This value stores the current CPU speed.


Keylogger Activity

Saves keystrokes from user input to the following file:
C:\Users\<user profile>\AppData\Local\Temp\win_32.sys

All captured keystrokes are saved in encrypted form (using a compression library).


Network

Tries to connect to the following IP:
222.82.13.89:80
Domain names found in the malware. It tries to resolve an IP from the following DNS names:
 mychangeip1.ddns.info
 mychangeip.ddns.us

Miscellaneous

The malware sample (iexplore.exe) also contains an embedded digital certificate, while the fake explorer.exe does not have any digital certificate.


The digital certificate may be stolen and has been revoked.