Malware hunt – wildfowl to find

2014.01.31

More than twice in the last 24 hours I was asked a non-trivial question:

Where do You find targets for a malware hunt if You’re not part of a big team, not a malware researcher and don’t own a honeynet?

Actually, if You do want to fight malware, IMHO it is very useful to have a honeypot system or, at least, to be in the security business somehow. It will provide You with a non-stop flow of malicious targets to review. But what if You are not, and You still want to help?

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click any link there or run any file without proper knowledge, a prepared environment and trained skills.

Well, here are a few links that aggregate the latest known threats, which You can practice on:


Adobe – why are You still using it and how to replace it?

2013.10.05

If You are not yet aware, Adobe reported that the source code of a few of the most used applications on users’ desktops worldwide was stolen.

As a result, we definitely should expect a wave of new 0days and more sophisticated attacks. If the whole previous history of Adobe products has not convinced You to remove them from Your machine, I think this is the time 🙂

First of all – do You really need Adobe on Your [or Your customers’] machines?

For Flash: Many sophisticated streaming video services [YouTube, for example] have long allowed You to see their content without Flash, based on HTML5 technology. For others – well, You may consider using PepperFlash [same sources, originally]. You may download streaming files from a bunch of services and watch them locally [VLC will help You out]. Or – don’t play games, decline to see tons of Flash ads and switch to non-Flash alternatives of Your favourite services. Contact vendors, tell them You are not using Flash anymore.

For Acrobat Reader: You already have plenty of options to choose from: Foxit, Nitro, Evince [my recommendations]. Yes, not all of them work with the browser, and not every application or web service knows how to interact with them. Your PC – Your choice 🙂

OK, let’s start:

OS:

Windows: Uninstall Adobe Flash and Adobe Acrobat Reader from Your computer and reboot.

Linux: use Your package manager. If You have no idea what I am talking about, You should learn a bit more about the system You are using. But, for instance, in graphical mode You have Software Center in Ubuntu and PackageKit in Fedora. 🙂

But that’s not all!

Flash Player:

In Firefox You may even disable Flash or block its execution on a page without Your permission.

To completely disable it: Tools – Add-ons – Plugins – choose Shockwave Flash Player and choose “Never Activate”, and then restart the browser.

To block it from execution: You may install a nice add-on called FlashBlock, which will let You permit execution of a Flash application once in a while. Here You are still vulnerable, but now it’s totally Your decision, and not the “good will” of the person who created the web page.

In Chrome You’ll need to disable the internal Flash plugin.

Enter “chrome://plugins/” (without the quotes) in the browser address bar, press Enter and scroll down until the “Adobe Flash Player” block appears. Choose “Disable” and restart the browser.

In Internet Explorer You’ll need to go to Tools – Manage Add-ons, find Adobe * among the add-ons, pick each one of them and click “Disable”, and then restart the browser.

Well, maybe after all those changes the Internet becomes less familiar and it is a bit more difficult to find a suitable service, but it is definitely faster, and way more secure for Your specific computer.

Good luck!

D.L.

P.S. Suggestions, replacements and ideas – in the comments; I will add them with proper credit 🙂

Update1: thx to Mohab Ali for some fixes in the text 🙂


Reveton.N malware – Safe Mode included.

2013.01.31

Reveton.N malware is quite well known recently; it’s ransomware that locks Your PC and demands money.

See Microsoft Encyclopedia for screenshots and some details about it.

Interestingly, most of the removal instructions that Google finds start with booting into “Safe mode”.

And my sample from 2 days ago infects the victim in such a way that in “Safe mode” the nice window that demands money reappears (!)

Ok, how?

Simple, actually. It injects itself into the WMI service as ServiceDLL, in both ControlSet001 and ControlSet003.

The local path of the DLL is the victim’s current %TEMP% folder.

So, updated cleanup instructions for Reveton.N malware:

1. Reboot and press F8, choose “Safe mode with command prompt” and boot with Your current user

2. In command prompt (black window) type in

cd %TEMP%

and press Enter

then type in

del /q *.dll

and press Enter

type in

shutdown /r /f /t 00

press Enter

The computer will restart.

3. Download a proper antivirus and use it to clean Your computer of all the other malware You have on Your PC.
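
The ServiceDLL registration described above can be checked from a registry export. This is an added example, not part of the original post: it parses `reg query` output and lists every ServiceDll value that resolves outside System32, which is where a DLL registered from %TEMP% shows up. The sample text, user name and DLL file name are constructed, and C:\Windows as the install path is an assumption.

```python
import ntpath
import re

# Constructed sample, in the layout printed by:
#   reg query HKLM\SYSTEM /s /v ServiceDll
# The user name and DLL file name are placeholders, not values from the post.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Users\victim\AppData\Local\Temp\example.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winmgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Users\victim\AppData\Local\Temp\example.dll
"""

KEY_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SYSTEM\\(\w+)\\Services\\([^\\]+)\\Parameters$", re.I)
# Assumption: Windows is installed in C:\Windows.
TRUSTED = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_servicedll(text):
    """Yield (control_set, service, dll_path) for every ServiceDll value."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = KEY_RE.match(line.strip())
        elif key and line.strip():
            # Value lines are "name    type    data", separated by 4 spaces.
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3 and parts[0].lower() == "servicedll":
                yield key.group(1), key.group(2), parts[2]


def suspicious_servicedlls(text):
    """Return ServiceDll entries that resolve outside System32."""
    hits = []
    for control_set, service, dll in parse_servicedll(text):
        # normpath collapses "..", so system32\..\Temp does not pass the check.
        if not ntpath.normpath(dll).lower().startswith(TRUSTED):
            hits.append((control_set, service, dll))
    return hits


if __name__ == "__main__":
    for hit in suspicious_servicedlls(SAMPLE):
        print("review: %s  %s -> %s" % hit)
```

Legitimate third-party services that load a DLL from another folder are listed too, so the output is a review list rather than a verdict.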

Stay Safe!

D.L.

Javascript include: from attacker to victim & how to check?

2012.11.19

Because of all that happened recently, let me be quick 🙂

Various software exists to automatically add text to web pages on compromised websites.

This is the chain of samples for a recent attack I followed 🙂

Step1:

A hacker intrudes on a poorly configured website through a software flaw, poor configuration or stolen credentials.

Software (a shell) is uploaded to remotely manage such a website, and a link is written to the database of compromised websites.

Step2:

A bundle of websites is sent a command to add malicious code to each (or a specific, for example the default) page:

Sample1


Tor Proxy for Malware Analysis

2012.10.16

I don’t know how You work, but I usually work through Tor – and thx to our Friends from TorProject for their effort in anonymity.

But if You research malware through it, there are issues that I learned about by myself, and now I am centralizing them for those who are also interested.

My tweet was, as it appears, not 100% clear and created more mess than it cleared up.

So – let’s structure it a bit 🙂


Read Content-Encoding: gzip data from captured stream

2012.09.21

Well, it appears to be easy, but not for me 🙂

Here is how the capture result looks in Wireshark:

If You Google “Content-Encoding: gzip decode”, You get a list of solutions, none of which worked for me 🙂 OK, but I have to be sure it is a RedKit Exploit Kit payload page!

OK, let’s see what we can do.


Extracting EXE file (in HTTP stream) from captured packets file with Wireshark

2012.09.09

When You hunt for malware, it is a common situation that You have a lot of tcpdump files in which the whole infection process is saved step by step.

No matter what tool You use for dumping this stuff, You can always view it later with Wireshark.

Today I was in the process of testing BHEK for malicious payload when the malware-distributing host “suddenly” died. And part of the samples I had still not archived for future reversing!

But – wait a minute! The sniffer dump file! I just need to extract the data. But how?


Download Youtube video via HTML5 (.webm)

2012.08.23

Recently the web tool that I was using to download webm video from YouTube for offline courses, so I asked my Twitter friends to help find another way, without toolbars and apps.

And here is the response, after a few hours, from a Friend of mine, Mohab Ali aka 0xAli:

On his site You can see the string You need to paste into the address bar when You are on a YouTube video page.

This solution works; tested in Opera and IE.

Cheers!

D.L.

Extract MSI in Linux\Windows

2012.08.05

If You have an MSI file, it is a sort of archive that Microsoft Installer uses to pack installation files.
To analyze it, You need to extract them.
Under Windows, in the command line You run:
msiexec /a PathToSourceMSI /qb TARGETDIR=DirectoryToStoreExtractedFiles

Under *nix systems:
1. Rename file.msi to file.msi.zip
2. Extract as a regular zip or use the 7zip unpacker.


Local copy of Directory Listing with wget

2012.07.26

Well, sometimes You need to get a local copy (or not local :) ) of some folders with Directory Listing enabled. It usually looks like a basic web page with “Index of …” in the title.

For each folder that is mirrored, wget creates multiple file copies of the dynamically created index page:

index.html 
index.html?C=D;O=A 
index.html?C=D;O=D 
index.html?C=M;O=A 
index.html?C=M;O=D 
index.html?C=N;O=A 
etc... 

Annoying: a lot of useless requests to the server (which is already overloaded by Your good will), and Your local copy is not nice to look at.
I didn't find a simple solution on Google, so here is mine:

 wget -r -p -np -e robots=off -U mozilla -R "index.html*" http://website/file_archive/

Explanation:
-r - recursive
-p - get all page requisites (images, CSS and so on)
-np - don’t ascend to the parent directory
-e robots=off - don't care about what robots.txt says
-U mozilla - I am Mozilla! :))
-R "index.html*" - reject files matching index.html* (dangerous if the subfolders include real index.html files, but I am talking about archives); the quotes keep the shell from expanding the pattern
Have fun and try to respect those whose sites You dump.
