Example malware unpacking and analysis: part 1, unpacking
Lo! I still live! I apologize for the very very long delay that I’ve been putting everyone through lately, I’m sure I was terribly missed
*Ahem*, anyway, on with the post:
Introduction
Firstly, malware analysis and reverse engineering have always been incredibly interesting to me, and I noticed that ever since my OEP finding tutorial for UPACK, I’ve also gotten a lot of Google searches for “how to reverse malware” and other such things. So, I figured I’d share my meager knowledge, seeing as how other blogs have been so helpful thus far, and they always say the best way to learn something is to teach it. I decided that it would be cool to start a series about analysis from start to finish, explaining how I analyze the file. Anyhow, enough of my rambling, on with the analysis!
Collaborative analysis efforts with simple to use interfaces
You know what would be really helpful? I mean, actually helpful to people in the security industry as a whole? We need some kind of collaboration tool that allows many different users to view, download, analyze, tag, describe and ask questions about any and all kinds of malware, network captures and security logs. I’ve been talking to some of the #rawpacket guys/gals about how it would work, so now I’m stealing their ideas for a blog post.
For example, let’s say you discover a new piece of binary malware that one of your honeypots caught; here’s how I envision this would work out:
- You register an account at the collaboration website; you can additionally attach your PGP key to your name, since security people like to know who they’re actually talking with.
- You upload the file, in this case it’s a .exe file, tagging it with a basic description (“nepenthes honeypot caught this transferred over ftp, I think it’s a trojan, etc, etc”) and tags so it becomes searchable (exe, malware, binary, ftp).
- The file/pcap is anonymized (optional, but would be extremely nice).
- After the initial upload, the collaboration server performs super-basic, but good baseline analysis on the file, saving the results for later. For a .exe file, it could be things like md5sum, clamscan and strings. For other types of files, different tools could be used (*cough* an automated NSM-Console session *cough*), etc
- The malware is displayed on the page; security gurus log into their account, have the ability to download the binary to play with it themselves, and are encouraged to share what they found when doing their analysis (and how). They have the ability to upload screenshots, short video clips, text files, whatever would help with the analysis. Think of it like a traditional website ‘shoutbox’, but with comments on a particular piece of malware or network capture.
- Users can also create correlations between different submissions, for example: “This is the link to the network capture for the worm exploiting this particular binary malware”. Now we can draw pretty graphs!
- Discussion continues until the file has been “figured out”. Give people ‘karma’ or whatever to encourage posting.
- ????
- Profit!
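To make the “super-basic baseline analysis” step concrete, here is an added example (not code from the post or from any existing collaboration project) of what the server could compute on upload: pick the file type from its magic bytes so different tools can be chosen per type, record md5/sha256, and pull printable strings for executables. The magic-byte table and the sample bytes are constructed for this example.

```python
import hashlib
import re

# Constructed lookup table: magic bytes -> file type. The type decides which
# baseline tools run (the post only names md5sum, clamscan and strings for .exe).
MAGIC = {
    b"MZ": "exe",                   # DOS/PE executable header
    b"\xd4\xc3\xb2\xa1": "pcap",    # libpcap, little-endian
    b"\xa1\xb2\xc3\xd4": "pcap",    # libpcap, big-endian
    b"\x0a\x0d\x0d\x0a": "pcapng",  # pcapng section header block
}


def classify(data: bytes) -> str:
    """Return the file type for the longest matching magic prefix, else 'unknown'."""
    for magic in sorted(MAGIC, key=len, reverse=True):
        if data.startswith(magic):
            return MAGIC[magic]
    return "unknown"


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings` default output."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def baseline(data: bytes, tags: list) -> dict:
    """Build the baseline record stored with a submission for later analysts."""
    kind = classify(data)
    record = {
        "type": kind,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        # normalise user tags and always add the detected type so it is searchable
        "tags": sorted({t.lower() for t in tags} | {kind}),
    }
    if kind == "exe":
        record["strings"] = strings(data)
    return record


if __name__ == "__main__":
    # Constructed sample: a fake MZ header followed by two printable runs.
    sample = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode\x00ftp.example.invalid"
    print(baseline(sample, ["Malware", "FTP", "exe"]))
```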
In all seriousness, you know what I think would be great about this? The community as a whole benefits from the knowledge and talent of people who are good at an individual skill. For instance, I might suck at binary malware analysis, but I can help decode what’s going on with a network trace picked up by an IDS. Community is created, knowledge is shared, security can be improved, people become familiar with the parts of security in which they lack knowledge, everyone is happy.
Make the framework distributable, small groups of people can set up their own collaboration for working with extremely confidential files, think Trac, but instead of bug reports and svn tracking, malware/pcap collaboration and research.
There are projects already like this, I’m excited for the direction that OpenPacket is going with packet captures, upload a file and it’s automatically run through tshark, giving you a baseline to start working with. I think that if the idea is expanded, we can get a lot of different people involved. I know I’d certainly like to get better at doing binary analysis.
Does this sound interesting? It certainly does to me. I’m curious if anyone else is interested, so leave me a comment and let me know if you’d be interested in something like this! (Maybe if 40 hours suddenly appear out of nowhere I’ll start working on it…)
P.S. I didn’t think of all of this myself, thanks to all the people in #rawpacket for their ideas
Just want to give credit where it’s due…
DNS poisoning FUD
In response to one of today’s articles on Ars Technica titled “DNS poisoning used to redirect unwitting surfers”. I highly respect Ars and read their articles regularly; however, in this case, I believe this article may be causing more FUD, which is not especially helpful.
In the article they discuss DNS servers that can potentially serve bad information in response to requests. What the article *sounds like* it describes is an attack on legitimate DNS servers in order to get them to serve bad data (which would be far more serious). In actuality, the attack uses malware to change a user’s DNS settings to point to an evil DNS server, which in turn serves evil entries to the machine when the user tries to access a site like chase.com for banking.
Essentially, it’s a very advanced form of phishing that uses malware to change the victim’s resolver settings. This is NOT the DNS poisoning attack the article vaguely describes, which would be if hackers were able to get trusted DNS servers to send false data. It’s sad that a trusted source like Ars published the article under such a misleading title. More readership, I suppose? (Or an honest mistake; personally I don’t think Ars would do it intentionally.)
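Because the attack described here changes the victim’s resolver settings rather than poisoning a trusted server, the host-side check that catches it is simply “are this machine’s configured nameservers the ones the organization hands out?”. Added example (not from the post): parse resolv.conf-style text and flag resolvers outside the organization’s address ranges; the allowed networks and the sample configuration are constructed for this example.

```python
import ipaddress

# Constructed: address ranges in which the organization's legitimate resolvers live.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("fd00::/8"),
]


def parse_nameservers(resolv_conf: str) -> list:
    """Return nameserver addresses from resolv.conf-style text, in file order.

    Comments start with '#' or ';'; other directives (search, options) are ignored.
    """
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(resolv_conf: str, allowed=ALLOWED_NETWORKS) -> list:
    """Configured resolvers that are outside every allowed network.

    A value that does not parse as an IP address is flagged too: a resolver
    entry that is not an address is itself worth a look.
    """
    flagged = []
    for addr in parse_nameservers(resolv_conf):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append(addr)
            continue
        if not any(ip in net for net in allowed):
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    # Constructed sample: one legitimate internal resolver, one that is not.
    sample = "# managed by dhcp\nsearch corp.example\nnameserver 10.0.0.53\nnameserver 203.0.113.7 ; added later\n"
    print(unexpected_resolvers(sample))  # a non-empty list means the host needs a look
```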
On another note, would you click on a gmail webclip that looked like this??
I’m guessing that the site isn’t malicious, just in a different language and thus displayed as “???” instead of whatever the original language was. Still, I’m curious why Gmail thought I would be able to read something like that, since 99.9% of all my email is in English. I’m also curious what a lay user would think of a webclip like that.
I apologize for the lack of consistent posting lately, I’ve been hard at work on the nsm-console for inclusion in the upcoming Hex 1.0.2 release. More posts to come!
