Sunday, November 29, 2009

Malware Playground

Around 3 months ago, I started developing a sandbox tool that makes it easy to analyze any malware sample and generate at least basic information from it. I named it Malware Playground, since its job is to 'play' with almost any Windows program inside it. It sounds funny, like a kid playing with a knife but wearing a shield. The program itself was developed in Microsoft Visual Basic 6 and works together with more than 20 other programs.

At this moment, the program includes all the features required for basic malware analysis. Here are some of them:
+ Save the report in text and HTML format.
+ Analysis steps can be chosen individually, for example you can dump process memory instead of running every function (Registry, Dump, Handle, String, Port, Files and Folders, AV alias and so on).
+ Works on the Windows platform (inside VMware or Virtual PC).
+ Works together with Sandboxie.
+ Drag and drop a sample, with a warning before analysis starts.

Malware Playground is still in development and some advanced features are still in progress. Here is the list of features currently under development:
+ Network activities
+ Process activities
+ Smart suggestion and recommendation technologies
+ More AV alias detection
+ Security Risk Level perimeter
+ An official website for useful information and services
+ Integration with a web interface that lets users upload their malware samples
+ Saving all known threat objects into a database
+ Mapping the origin location of each malware sample and visualizing it on a global map

While this tool is still in progress, I am unable to provide a fully compiled program for testing, but you can leave a comment and suggest more features.

Wednesday, November 11, 2009

iPhone Worm - Ikee

While surfing the internet at Bayu Beach Resort, Port Dickson, I found something interesting: the iPhoneOS.Ikee worm. This kind of malware is rarely found, especially on the Apple iPhone. The worm does some basic things, such as spreading via SSH and changing the wallpaper as its payload.

During infection, this little worm changes the victim's wallpaper to an image of Rick Astley (80's singer). The worm was written by Ashley Towns, a 21-year-old unemployed programmer from Wollongong, Australia.

Upon execution, the worm scans IP addresses for devices running SSH with the default configuration. The IP range is picked at random from a pool; the worm copies itself to the startup folder and delivers its payload by changing the default wallpaper. The worm's source code has also been revealed; the picture below shows the function that changes the wallpaper along with various commented code.

A more detailed report can be found here.