YAPS.py 0.3 released – Python script to upload samples to VirusTotal

2013.01.06

Finished automating the process of uploading samples from multiple trackers.

Hope you can add it to your systems and daily jobs.

History, requirements and installation – see here

Link to get YAPS.py

(don’t forget to remove the _.txt at the end of the file name)

What was added:

1. A check whether the sample is already present in the VirusTotal database. If it is, only its data is dumped to the log.

2. If the sample is not present, it is uploaded to VirusTotal.

3. All info about each sample (whether it is new, its SHA256 hash, the detection ratio and the URL to review it) is dumped to vtlog.txt in the same directory.

4. Comments, in case you need to comment on samples. Enabled by default on already detected samples; edit the comment variable if needed. Currently there is a problem commenting on a just-submitted file; it will be solved.

5. All of this is within the ToS of VirusTotal, and thanks to them for a good tool 🙂

Hope it is useful not only to me 🙂

Stay Safe

D.L.


DNS switch as anti-forensics feature in Malware

2012.12.20

A recent malware sample that I grabbed (and a few others did too, I am certain) does a very interesting thing.

Have a look at the code:

[figure: the code, image not included]

It literally changes the primary DNS server on the victim machine and then performs a lookup for its C&C, based on a pseudo-random domain. Because the queries now go to the attacker's resolver instead of yours, they never appear in your internal DNS server's cache or logs.

Interesting, I say 🙂 especially if you do DNS cache reviews or passive DNS monitoring for a living 🙂

As far as I can see, in this particular case the malware keeps running even if it fails to switch the DNS server.

So our purpose is to prevent it from doing this.

How? … Group Policy!

Create a new GPO, go to User Configuration\Administrative Templates\Network\Network Connections and set the “Prohibit access to properties of a LAN connection” policy to Enabled.

This prevents any user on the computer, even a local Administrator, from changing the network configuration manually. Keep in mind what the policy actually does: it removes the Properties dialog from the Network Connections UI. It does not stop code that already runs with administrative rights from writing the DNS settings through netsh, WMI or the registry, so treat it as hardening against interactive changes rather than a guarantee against this sample.

In addition, it is recommended to run an internal DNS server for the LAN and, on the border router, block outgoing DNS traffic from any IP other than your internal DNS server’s. Then a host whose resolver has been switched simply cannot reach the rogue server, and its blocked attempts show up in the router log as an indicator worth chasing.
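The two controls above (an internal resolver, plus a border rule that lets only the resolver send DNS out) can also be checked after the fact from the router's own logs. The following Python is an added example, not the author's code or any vendor's tool: it runs over a constructed flow log (assumed format: timestamp, source, destination, protocol, destination port) and reports LAN hosts that send DNS anywhere other than the approved resolver, which is exactly what a host with a switched DNS server looks like from the border. The LAN range, the resolver address and the iptables syntax for a Linux-based router are assumptions of this example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Assumptions for this example: the LAN range and the only resolvers that
# endpoints are allowed to talk to. Adjust both to your own network.
LAN = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_DNS = {ipaddress.ip_address("10.0.0.53")}

# Constructed sample (not real traffic) in a simplified flow-log format:
# timestamp source destination protocol destination-port
SAMPLE_LOG = """\
2012-12-20T10:00:01 10.0.1.15 10.0.0.53 UDP 53
2012-12-20T10:00:02 10.0.1.15 10.0.0.53 UDP 53
2012-12-20T10:00:05 10.0.1.22 8.8.8.8 UDP 53
2012-12-20T10:00:06 10.0.1.22 8.8.8.8 UDP 53
2012-12-20T10:00:07 10.0.1.22 208.67.222.222 TCP 53
2012-12-20T10:00:09 10.0.0.53 198.41.0.4 UDP 53
2012-12-20T10:00:11 10.0.1.40 10.0.0.53 TCP 53
2012-12-20T10:00:12 10.0.1.15 93.184.216.34 TCP 443
"""


def parse_flows(text: str) -> List[dict]:
    """Turn the flow export into records; malformed or blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "proto": proto.upper(), "dport": int(dport)})
    return flows


def rogue_dns_clients(flows: List[dict], lan=LAN,
                      internal_dns=INTERNAL_DNS) -> Dict[str, Set[str]]:
    """LAN hosts that send DNS (UDP or TCP port 53) to anything other than the
    approved resolvers. A host that shows up here has had its resolver changed,
    whether by this malware, by a user, or by a misconfiguration. The resolvers
    themselves are exempt: their upstream queries are the one legitimate source
    of DNS leaving the network."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f["dport"] != 53 or f["proto"] not in ("UDP", "TCP"):
            continue
        if f["src"] not in lan or f["src"] in internal_dns:
            continue
        if f["dst"] in internal_dns:
            continue
        hits[str(f["src"])].add(str(f["dst"]))
    return dict(hits)


def egress_rules(lan=LAN, internal_dns=INTERNAL_DNS) -> List[str]:
    """The border-router side of the advice above, written as iptables FORWARD
    rules (assumes a Linux-based router): only the internal resolvers may send
    DNS out; DNS from any other LAN address is logged, then dropped, so the
    attempt itself becomes an alert."""
    rules = []
    for resolver in sorted(internal_dns):
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A FORWARD -s {resolver} -p {proto} --dport 53 -j ACCEPT")
    for proto in ("udp", "tcp"):
        rules.append(f"iptables -A FORWARD -s {lan} -p {proto} --dport 53 "
                     f"-j LOG --log-prefix 'DNS-LEAK '")
        rules.append(f"iptables -A FORWARD -s {lan} -p {proto} --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    for host, servers in sorted(rogue_dns_clients(parse_flows(SAMPLE_LOG)).items()):
        print(f"{host} resolves outside the LAN via {', '.join(sorted(servers))}")
    print("\n".join(egress_rules()))
```

On the constructed log only 10.0.1.22 is reported: it talks to two public resolvers directly, while the resolver's own upstream queries (10.0.0.53 to a root server) are left alone. Feed the same function a real NetFlow or firewall export and the list is your set of hosts to pull for DNS settings review.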

Additional info about this piece of malware:

Size: 890 KB

SHA256: 72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f

VT: [18/45] https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/

Must see: in the comments on this file, the analysis of the binary done by @unixfreaxjp

A similar sample analysis by Conrad Longmore at Dynamoo’s Blog: here

Stay Safe

D.L.


YAPS.py – Yet another Python script to upload samples to VirusTotal.com

2012.12.11

This is a SMALL, simple Python script to upload a bulk of malware samples to virustotal.com.

Grab it here: yaps.py [don’t forget to remove _.txt at the end]

To use it you need Python installed, a VirusTotal API key and the Requests library for Python.

How to install the Requests library:

Install it with pip

$ pip install requests

or easy_install

$ easy_install requests

How to get an API key for VirusTotal.com

1. Register on virustotal.com

2. Go to Profile – API and grab the key

3. Insert it as the value of the api_key variable in the script before you run it


YAPS.py usage:

python yaps.py path/to/malware.exe

But the main use is uploading a mass of samples at once:

python yaps.py path/to/*

Output goes to the console, in JSON format.

This is a beta: no comments, ratings or nice output logs yet, just raw upload.

Request features and I’ll update the script.
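As an added example (not the author's yaps.py, and not code from VirusTotal), here is a Python 3 version of the workflow the two YAPS posts on this page describe: hash each sample, ask VirusTotal's public API v2 whether the hash is already known, upload only when it is not, and append one line (new or known, SHA256, detection ratio, review URL) to vtlog.txt. It uses the Requests library from the installation notes above, imported lazily so the rest of the logic can be exercised with a fake transport; the API key placeholder, the log-line format and the 15-second pause between samples (the public API allowed 4 requests a minute) are assumptions of this example.

```python
import glob
import hashlib
import os
import sys
import time
from typing import Any, Dict, List

VT_API = "https://www.virustotal.com/vtapi/v2"   # VirusTotal public API v2 base URL
API_KEY = "PUT-YOUR-VT-API-KEY-HERE"             # assumption: replace with your own key
LOG_NAME = "vtlog.txt"                           # one line per sample, next to the script
PUBLIC_API_PAUSE = 15                            # public keys were limited to 4 requests/minute


def sha256_of_file(path: str) -> str:
    """Hash the sample in 1 MiB chunks so large droppers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class RequestsTransport:
    """Real HTTP through the Requests library. It is imported lazily, so the
    rest of this module can be exercised with a fake transport (see main())."""

    def __init__(self) -> None:
        import requests
        self._session = requests.Session()

    def _check(self, response) -> Dict[str, Any]:
        if response.status_code == 204:          # empty reply = quota exceeded
            raise RuntimeError("VirusTotal rate limit hit; wait and retry")
        response.raise_for_status()
        return response.json()

    def get(self, url: str, params: Dict[str, str]) -> Dict[str, Any]:
        return self._check(self._session.get(url, params=params, timeout=60))

    def post(self, url: str, data: Dict[str, str], files: Dict[str, Any]) -> Dict[str, Any]:
        return self._check(self._session.post(url, data=data, files=files, timeout=300))


def process_sample(path: str, api_key: str, transport) -> Dict[str, Any]:
    """Look the hash up first and upload only when VirusTotal has never seen it."""
    digest = sha256_of_file(path)
    report = transport.get(f"{VT_API}/file/report",
                           {"apikey": api_key, "resource": digest})
    code = report.get("response_code")
    if code == 1:                                # finished report exists: no upload
        return {"new": False, "sha256": digest,
                "positives": report.get("positives", 0),
                "total": report.get("total", 0),
                "url": report.get("permalink", "")}
    if code == -2:                               # already submitted, scan still queued
        return {"new": False, "sha256": digest, "positives": None,
                "total": None, "url": report.get("permalink", "")}
    with open(path, "rb") as fh:                 # code 0: unknown hash, send the file
        scan = transport.post(f"{VT_API}/file/scan", {"apikey": api_key},
                              {"file": (os.path.basename(path), fh)})
    return {"new": True, "sha256": scan.get("sha256", digest),
            "positives": None, "total": None, "url": scan.get("permalink", "")}


def format_log_line(result: Dict[str, Any]) -> str:
    """Tab-separated: new or known, SHA256, detection ratio, review URL."""
    if result["positives"] is None:
        ratio = "queued"                         # no verdict yet for a fresh upload
    else:
        ratio = f"{result['positives']}/{result['total']}"
    return "\t".join(["NEW" if result["new"] else "KNOWN",
                      result["sha256"], ratio, result["url"]])


def expand_paths(args: List[str]) -> List[str]:
    """Expand path/to/* ourselves so the script also works from cmd.exe."""
    paths = [p for arg in args for p in (glob.glob(arg) or [arg])]
    return [p for p in paths if os.path.isfile(p)]


def main(paths: List[str], api_key: str = API_KEY, transport=None,
         log_path: str = LOG_NAME, pause: float = PUBLIC_API_PAUSE) -> List[str]:
    transport = transport or RequestsTransport()
    lines = []
    with open(log_path, "a", encoding="utf-8") as log:
        for i, path in enumerate(paths):
            if i and pause:
                time.sleep(pause)                # stay inside the public quota
            line = format_log_line(process_sample(path, api_key, transport))
            print(line)
            log.write(line + "\n")
            lines.append(line)
    return lines


if __name__ == "__main__":
    main(expand_paths(sys.argv[1:]))
```

Run it as python vt_check_upload.py path/to/*; the wildcard is expanded by the script itself, which matters on Windows, where cmd.exe passes the * through literally. The endpoints are the v2 ones of the 2013 posts; VirusTotal has since moved to API v3, so treat the URL constants as the part to update.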

Stay Safe

D.L.


Refresh HTTP header in EK Landing Page, or “200% success attack”

2012.12.09

Yesterday, a brief review of a casual threat drew my attention by serving two different Exploit Kit landing pages through one include.

Actually, it is not new, because there have been multiple attempts by bot-masters to increase the attack surface.

Among those methods:

1. Include different injections into the web pages of hacked servers [lame, but it worked :)]

2. Use a legitimate or barely-legitimate TDS (Sutra\SimpleTDS) to route traffic, based on internal rules, to different Exploit Kit pages

3. Use various client-server solutions (scripts with an embedded traffic-forwarding algorithm) with built-in traffic-routing capability.

Here is another one 🙂 And it is based on the very popular marketing formula “2 in 1”.

Look at a recent response from an Exploit Kit (RedKit in this case):

GET h00p://michellechaso.co.uk/hmiq.htm

OK, you say, what is interesting in this? (Yeah-yeah, some changes in the RedKit landing page, I saw them too 🙂) Look at the HTTP header!

Refresh: 20; URL=h00p://link_2_malware.domain/links/1.php

This is something new (for me, at least).

Let’s look at the HTTP headers cheat sheet.

So, in simple words, it commands the browser: stay on this page for 20 seconds, then move to the next link. Refresh is not part of the HTTP standard, but every major browser honours it exactly like a <meta http-equiv="refresh"> tag in the page body, and because it lives in the header it is invisible to anyone who only inspects the HTML.

The next link is the BlackHole 2 EK, which leads to Kelihos.F variant droppers.

Technically, it does not route traffic between different Exploit Kits; it literally infects the victim twice:

1. RedKit drops its payload in the first 20 seconds.

2. After 20 seconds the victim is redirected to the BlackHole 2 EK and infected again.

I have to say that it’s common practice to rent “installs” of malware on infected machines to increase the “return” ratio. But the method is new, so be aware and stay protected 🙂
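For triage, the Refresh header is cheap to spot in a pcap or proxy log. The Python below is an added example, not code from the post or from any of the kits named: it parses a response the way a browser would (the Refresh header first, then <meta http-equiv="refresh"> tags in the body) and flags any refresh whose target host differs from the landing page, which is the second-stage handoff described above. The response and the .example hostnames are constructed for the example, not the real RedKit traffic.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed landing-page response (not the real RedKit traffic): a Refresh
# header that hands the visitor to a second domain after 20 seconds, plus a
# harmless same-site <meta> refresh in the body for contrast.
SAMPLE_PAGE_URL = "http://landing.example/hmiq.htm"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 20; URL=http://second-stage.example/links/1.php\r\n"
    b"\r\n"
    b'<html><head><meta http-equiv="refresh" content="0;url=/retry.php"></head>'
    b"<body>...</body></html>"
)

# <meta http-equiv="refresh" content="..."> with the attributes in the usual order
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]+content\s*=\s*["\']([^"\']+)["\']',
    re.I)


def parse_refresh(value: str) -> Optional[Tuple[int, Optional[str]]]:
    """Parse the 'N; URL=target' value. Browsers are lenient about the separator,
    the case of 'url' and quoting, so the parser is too. Returns (seconds, url)
    where url is None for a plain reload, or None if the value is not a refresh."""
    m = re.match(r"(\d+)\s*(?:[;,]?\s*(.*))?$", value.strip(), re.S)
    if not m:
        return None
    rest = (m.group(2) or "").strip()
    if rest.lower().startswith("url"):
        rest = rest[3:].lstrip().lstrip("=").strip()
    url = rest.strip("'\"") or None
    return int(m.group(1)), url


def split_headers(raw: bytes) -> Tuple[dict, bytes]:
    """Header names are folded to lower case; repeated headers keep every value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def find_refreshes(raw: bytes, page_url: str) -> List[dict]:
    """Every refresh the page carries, from the header and from <meta> tags,
    with a cross_site flag when the target host differs from the landing-page
    host. A landing page that refreshes to another domain is the second-stage
    handoff described in the post."""
    headers, body = split_headers(raw)
    found = []
    for value in headers.get("refresh", []):
        parsed = parse_refresh(value)
        if parsed:
            found.append(("header",) + parsed)
    for m in _META_REFRESH.finditer(body.decode("latin-1", "replace")):
        parsed = parse_refresh(m.group(1))
        if parsed:
            found.append(("meta",) + parsed)
    page_host = urlsplit(page_url).hostname
    results = []
    for source, seconds, url in found:
        # relative targets resolve against the page; absolute ones stand alone
        target_host = urlsplit(urljoin(page_url, url)).hostname if url else page_host
        results.append({"source": source, "seconds": seconds, "url": url,
                        "cross_site": target_host != page_host})
    return results


if __name__ == "__main__":
    for r in find_refreshes(SAMPLE_RESPONSE, SAMPLE_PAGE_URL):
        flag = "CROSS-SITE" if r["cross_site"] else "same site"
        print(f"{r['source']:6} {r['seconds']:>3}s -> {r['url']} [{flag}]")
```

The header refresh to second-stage.example is reported as cross-site, the body's own /retry.php is not, and a defanged value such as the h00p:// one quoted above parses just the same, so the function can be pointed at header lines copied out of a report as well as at raw captures.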

Stay Safe!

D.L.


Read Content-Encoding: gzip data from captured stream

2012.09.21

Well, it appears to be easy, but not for me 🙂

Here is how the capture result looks in Wireshark:

If you Google “Content-Encoding: gzip decode”, you get a list of solutions, none of which worked for me 🙂 OK, but I have to be sure it is the RedKit Exploit Kit payload page!

OK, let's see what we can do.

Read more…
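The post is cut off at this point, so the following Python is an added example of the part that usually goes wrong when decoding a captured response, not the author's own solution: the body has to be de-chunked before it is gunzipped, and a capture that stopped mid-transfer has no gzip trailer, so gzip.decompress() refuses it while a zlib decompressobj still hands back the recoverable prefix. The sample stream is constructed for the example, not the RedKit capture from the post.

```python
import gzip
import zlib
from typing import Dict, Tuple


def split_http_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a reassembled stream into status line, headers and the raw body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found; the capture is incomplete")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Undo Transfer-Encoding: chunked: <hex size>CRLF<data>CRLF ... 0CRLFCRLF.
    If the capture was cut short, returns the data that did arrive."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break                                         # truncated size line
        size = int(body[pos:eol].split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break                                         # last-chunk marker
        start = eol + 2
        chunk = body[start:start + size]
        out += chunk
        if len(chunk) < size:
            break                                         # cut in the middle of a chunk
        pos = start + size + 2                            # skip data and its CRLF
    return bytes(out)


def gunzip_lenient(data: bytes) -> bytes:
    """gzip-decompress, returning whatever was recoverable. gzip.decompress()
    insists on the 8-byte CRC/length trailer, which a cut-off capture lacks."""
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data)


def inflate_lenient(data: bytes) -> bytes:
    """Content-Encoding: deflate is zlib-wrapped per the RFC, but some servers
    send raw deflate; try the correct form first, then the raw one."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return zlib.decompressobj(-zlib.MAX_WBITS).decompress(data)


def decode_body(headers: Dict[str, str], body: bytes) -> bytes:
    """Transfer-Encoding is removed first (it is applied last on the wire),
    then Content-Encoding."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        return gunzip_lenient(body)
    if encoding == "deflate":
        return inflate_lenient(body)
    return body


# Constructed sample stream (not the real RedKit capture): a small page sent
# gzip-compressed and chunked, the combination that trips up one-step decoders.
_PAGE = b"<html><body><script>var k = 'landing page';</script></body></html>"


def _chunked(data: bytes, size: int = 16) -> bytes:
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
                 + _chunked(gzip.compress(_PAGE)))


if __name__ == "__main__":
    status, hdrs, raw_body = split_http_response(SAMPLE_STREAM)
    print(status, hdrs, sep="\n")
    print(decode_body(hdrs, raw_body).decode("utf-8", "replace"))
```

To use it on a real capture, save the server side of the conversation from Wireshark (Follow TCP Stream, one direction only, raw) and pass those bytes to split_http_response; if the stream carries several responses, split on the status lines first.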

Download Youtube video via HTML5 (.webm)

2012.08.23

Recently web-tool that I was using to download webm video from YouTube for offline courses, so I asked my Twitter friends to help find other way,  without toolbars and apps.

And here is the response, after a few hours, from a friend of mine, Mohab Ali aka 0xAli:

On his site you can see the string you need to paste into the address bar when you are on a YouTube video page.

This solution works; tested in Opera and IE.

Cheers!

D.L.


Local copy of Directory Listing with wget

2012.07.26

Well, sometimes you need a local copy (or not a local one :) ) of some folders with Directory Listing enabled. It usually looks like a basic web page with “Index of …” in the title.

For each mirrored folder, wget creates multiple copies of the dynamically generated index page, one per sort-order link:

index.html 
index.html?C=D;O=A 
index.html?C=D;O=D 
index.html?C=M;O=A 
index.html?C=M;O=D 
index.html?C=N;O=A 
etc... 

Annoying: a lot of useless requests to the server (which is already overloaded by your good will), and not nice to look at in your local copy.
I didn't find a simple solution on Google, so here is mine:

 wget -r -p -np -e robots=off -U mozilla -R index.html* http://website/file_archive/ 

Explanation: 
-r - recursive 
-p - page requisites: also fetch what each page needs to display (images, CSS) 
-np - don’t ascend to the parent directory 
-e robots=off - don't care what robots.txt says
-U mozilla - I am Mozilla! :))
-R index.html* - reject files named index.html* (dangerous if sub-folders contain real index.html files, but I am talking about archives). The query string (?C=D;O=A and friends) is ignored when matching, which is why this one pattern catches all the sorted variants. Note that wget still fetches each rejected HTML page to extract its links and only deletes it afterwards, so the server still sees those requests; wget 1.14 and newer can skip the request itself with --reject-regex '\?C=' alongside -R.
Have fun, and try to respect those whose sites you dump.


Free AV tools (updated 23.07.2012)

2012.07.23

Once I made a list of free tools you may use to clean up your computer without paying.
Looks like it is time to renew it, for me and my guys to use, and for everyone else's purposes.

Free Antivirus on-demand scanners:

CureIT (Dr.Web project):
http://www.freedrweb.com/download+cureit/gr/

CureIT 7 beta:
http://www.freedrweb.com/download+cureit+free/beta/

Trend Micro free cleanup tool:
http://housecall.trendmicro.com/
All other free tools from Trend Micro (incl. HijackThis):
http://free.antivirus.com/clean-up-tools/
Symantec Removal Tools:

Outdated, but in case you need it:
http://www.symantec.com/business/security_response/removaltools.jsp
AVZ
http://www.z-oleg.com/secur/avz/download.php

Kaspersky Removal Tool:

http://www.kaspersky.com/antivirus-removal-tool-register

Rootkit eliminator (BlackLight):
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/index.html

Avast offline scanner:
http://files.avast.com/files/eng/aswclnr.exe
F-Secure offline scanner:
http://download.f-secure.com/estore/fseasyclean.exe

Microsoft Safety Scanner:

http://www.microsoft.com/security/scanner/en-us/default.aspx

Sophos Virus removal:

http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

Antimalware tools:
Malwarebytes:
http://www.malwarebytes.org/
Combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Spybot:

http://www.spybot.info/en/mirrors/index.html

Microsoft Windows Malicious Software Removal Tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Comodo Cleaning Essentials (malware cleanup and process )

https://www.comodo.com/business-security/network-protection/cleaning_essentials.php

Emsisoft Emergency Kit:

https://www.emsisoft.com/en/software/eek/
Online Scanners
Symantec:
http://security.symantec.com/sscv6/WelcomePage.asp
McAfee:
http://home.mcafee.com/Downloads/FreeScanDownload.aspx?affid=0

BitDefender
http://www.bitdefender.com/scanner/online/free.html
Fast QuickScan (BitDefender memory scan tool):
http://quickscan.bitdefender.com/
Panda:
http://www.pandasecurity.com/activescan/index/
F-Secure:
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/

CA Scanner:

http://cainternetsecurity.net/entscanner/

Rising AV:

http://www.rising-global.com/products/online-scanner-intro.html

Online File analysers:

http://www.virustotal.com/

Free AV solutions:

AV: Bitdefender Free
http://download.bitdefender.com/windows/installer/en/bitdefender_free.exe

AVG:

http://free.avg.com/us-en/download-free-antivirus

Rising

http://www.rising-global.com/Download/Rising-Free-Utilities/Rising-Free-Antivirus.html

Avira

https://www.avira.com/en/download-start/product/avira-free-antivirus

Microsoft Security Essentials

http://windows.microsoft.com/en-US/windows/products/security-essentials


URL Analysers:

Symantec: http://safeweb.norton.com

URLVoid (multiple engines): http://www.urlvoid.com/

DrWEB online check: http://online.drweb.com/?url=1

Useful tools:

HiJackThis

http://sourceforge.net/projects/hjt/

Process Explorer by Mark Russinovich

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

AntiRootkit TDSSKiller by Kaspersky

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Updated 23.07.2012

Special thanks for the updates to 0xerror http://www.scoop.it/t/h4x0r5

Microsoft Safety Scanner – offline scanner with CLI!

2012.07.03

Either I missed it, or nobody told me, but:
A brand new Microsoft Safety Scanner is available for use
From here: http://www.microsoft.com/security/scanner/en-us/default.aspx or http://safety.live.com
It does not require Internet access to perform a scan, includes all definitions inside, and (!!) supports command-line options:
/Q or /quiet - quiet mode
/? or /help - displays help
/N - detect only mode (this is useful)
/F - force full scan
/F:Y - full scan + automatically clean infected
/H - detect high and severe threats only

You can download it from the command line too:

Direct links:

for x64: http://definitionupdates.microsoft.com/download/definitionupdates/safetyscanner/amd64/msert.exe

for x86: http://definitionupdates.microsoft.com/download/definitionupdates/safetyscanner/x86/msert.exe

Actually, a very ascetic interface, with no ads whatsoever (which most AV tools have).

Performs cleanup without interrupting the user (unless told otherwise via the CLI).

The log file is placed at %systemroot%\debug\msert.log

So, update your remotely managed machines with the new options )

One caveat for remote use: the download carries the definitions that were current when it was built, and the tool stops working 10 days after it was downloaded, so fetch a fresh msert.exe for each run rather than keeping one copy on a share.

KMS server – WTF?

2012.06.28

Again about the basics.

It turns out that new MCSE 2003 graduates (yes, there are still people who learn it 🙂) are told that KMS is a “license server, separately installed and required to activate Open (Volume or whatsoever) licensed software”.. OMG.

There is nothing separate to install: a KMS host is an ordinary Windows server on which a KMS host key has been installed and activated with Microsoft. On a freshly installed server with a KMS key, as Administrator:

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-YYYYY-ZZZZZ-QQQQQ-TTTTT

+ enter

Result:

Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Installed product key XXXXX-YYYYY-ZZZZZ-QQQQQ-TTTTT successfully.

Now go to Computer – right click – Properties – scroll down – Activate online. Done. (The same from the prompt: cscript slmgr.vbs /ato; afterwards cscript slmgr.vbs /dlv shows that the Key Management Service is enabled on the machine.)

If there is no Internet, run:

C:\Windows\system32\slui.exe 4

Choose “Other ways”, choose Telephone, and go on…

p.s. Special for U, David… 🙂
