Monday, June 30, 2014

That Bytes!

Large amounts of code can do a lot of things.
Small amounts of code can do less.
Common sense, right?

Take for example the sizes of a biological virus and a computer virus.
The chart at the bottom of this wiki shows the sizes of biological viruses.

        1,759 bytes = Small Biological Virus
        9,000 bytes = Small Computer Virus
       23,000 bytes = Errors found in DNA of Lung Cancer
      226,000 bytes = Zeus Computer Virus
    2,470,000 bytes = Larger Biological Virus
   20,758,528 bytes = Chinese APT Computer virus looked at earlier

3,200,000,000 bytes = RAM size a 32-bit Operating System can use efficiently
3,200,000,000 bytes = Human code (DNA is 3.2 Gigabytes of base-pairs)

This 3.2 Gigs is kept in each cell of your 100 Trillion cell body.
I'm assuming only humans are reading this.
Cancer is basically damaged code.

A small virus might just be a downloader with the only purpose of downloading larger files.
A large virus could be filled with many different capabilities.

Capabilities include:
  • multiple exploits
  • multiple tools for stealing information
  • multiple ways of controlling the host
  • multiple ways of getting around defenses and evading detection
  • multiple ways of preventing its removal

When looking across an entire enterprise for a file by hash value such as MD5,
it goes much faster if you search by byte size first.

Then hash only the files that match the given file size.
This saves time by not hashing every file on the network.
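An added example, not the blog's own code, of the size-first sweep described above in Python: the tree is walked with os.walk, every file is stat()'d (a metadata read), and only files whose size matches a wanted sample are opened and hashed. The directory tree, the file contents and the "known bad" hash are constructed inside the script so it runs anywhere; the counts it returns show how many files were actually hashed versus how many exist.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Added example, not the blog's own code: hunt for known files across a tree
# by comparing sizes first and hashing only the size matches. A stat() call
# reads metadata only; an MD5 has to read every byte of the file.

CHUNK = 1024 * 1024


def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_by_size_then_hash(root: Path, wanted: Dict[str, int]) -> Tuple[Dict[str, List[Path]], int]:
    """wanted maps md5 -> file size in bytes.
    Returns (md5 -> matching paths, number of files that were hashed)."""
    hashes_for_size: Dict[int, set] = {}
    for md5, size in wanted.items():
        hashes_for_size.setdefault(size, set()).add(md5)
    hits: Dict[str, List[Path]] = {md5: [] for md5 in wanted}
    hashed = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:          # unreadable, or vanished between listing and stat
                continue
            if size not in hashes_for_size:
                continue             # cheap rejection: no wanted sample has this size
            hashed += 1
            digest = md5_of(path)
            if digest in hashes_for_size[size]:
                hits[digest].append(path)
    return hits, hashed


def demo() -> dict:
    """Build a constructed directory tree, run the search and return counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = b"constructed stand-in for a known bad file\n"   # constructed content
        (root / "a").mkdir()
        (root / "a" / "dropper.bin").write_bytes(sample)
        (root / "b").mkdir()
        (root / "b" / "copy.bin").write_bytes(sample)
        # Same size, different content: it gets hashed but does not match.
        (root / "same_size_benign.txt").write_bytes(b"x" * len(sample))
        # Different sizes: rejected by stat() alone, never hashed.
        for i in range(5):
            (root / f"other{i}.txt").write_bytes(b"y" * (len(sample) + 1 + i))
        wanted = {hashlib.md5(sample).hexdigest(): len(sample)}
        hits, hashed = find_by_size_then_hash(root, wanted)
        total = sum(len(files) for _, _, files in os.walk(root))
        return {
            "total_files": total,
            "hashed": hashed,
            "matches": sorted(p.name for paths in hits.values() for p in paths),
        }


if __name__ == "__main__":
    print(demo())   # {'total_files': 8, 'hashed': 3, 'matches': ['copy.bin', 'dropper.bin']}
```

Of the eight files in the constructed tree only three share the wanted size, so only three are read and hashed; the size-collision file shows why the hash step is still needed after the size filter.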

It would be interesting if we could look across our entire body by byte size and then look for cancer in only the cells that have abnormalities.

We need a lot more people to be literate in computer and DNA code if we are to solve our most difficult problems.

Sunday, June 15, 2014

Mandiant APT1 Import Hash

Mandiant released an article on the importance of Import Hashing (Imphash).
The article listed hash samples reported as APT1.

Google has hits for these hashes on Malwr.
Using those URL hits, MalwareViz created the graphs below.

The graphs look similar, with only one callback.
All are currently detected by antivirus.
Some show one dropped file.

Imphash: 2c26ec4a570a502ed3e8484295581989
Note: This file crashed during execution, so there was no callback.

Imphash: b722c33458882a1ab65a13e99efe357e

Imphash: 2d24325daea16e770eb82fa6774d70f1

Imphash: 0d72b49ed68430225595cc1efb43ced9

Imphash: 959711e93a68941639fd8b7fba3ca28f

Imphash: 4cec0085b43f40b4743dc218c585f2ec

Imphash: 3b10d6b16f135c366fc8e88cba49bc6c

Imphash: 4f0aca83dfe82b02bbecce448ce8be00

Imphash: ee22b62aa3a63b7c17316d219d555891

Imphash: a1a42f57ff30983efda08b68fedd3cfc

Imphash: 7276a74b59de5761801b35c672c9ccb4
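An added example, not Mandiant's or the blog's code, showing how an import hash is derived and why samples with the same hash cluster: DLL and function names are lowercased, the DLL extension is dropped, ordinal-only imports are written as ordN, the pairs are joined in import order and the string is MD5'd. This follows the convention used by pefile's get_imphash as I understand it; pefile additionally resolves well-known ordinals (for example ws2_32's) to names, which this example does not. The import tables below are constructed for illustration and are not taken from the APT1 samples.

```python
import hashlib
from typing import List, Sequence, Tuple, Union

# Added example, not Mandiant's or the blog's code: compute an import hash
# from a constructed import table instead of a parsed PE file. The canonical
# string follows pefile's get_imphash convention (an assumption; pefile also
# maps well-known ordinals to names, which is skipped here).

Import = Union[str, int]                       # a function name, or an ordinal
ImportTable = Sequence[Tuple[str, Sequence[Import]]]


def imphash_string(table: ImportTable) -> str:
    """Canonical form: 'dll.function' pairs, lowercase, DLL extension stripped,
    ordinals written as ordN, comma-joined in the order the imports appear."""
    parts: List[str] = []
    for dll, functions in table:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in functions:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(table: ImportTable) -> str:
    """MD5 of the canonical import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(table).encode("ascii")).hexdigest()


# Constructed import tables; "packer_stub.dll" is a made-up name used to show
# ordinal-only imports, which packed binaries often carry.
SAMPLE_A: ImportTable = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]),
    ("packer_stub.dll", [1, 2]),
]
# Same imports in the same order, only the spelling/case differs: same hash,
# which is why re-linked or re-signed builds of one toolkit cluster together.
SAMPLE_B: ImportTable = [
    ("kernel32.DLL", ["getprocaddress", "LOADLIBRARYA", "VirtualAlloc"]),
    ("PACKER_STUB.dll", [1, 2]),
]
# Same set of imports in a different order: a different hash, because the
# import order is part of what the hash captures.
SAMPLE_C: ImportTable = [
    ("packer_stub.dll", [1, 2]),
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]),
]


if __name__ == "__main__":
    for label, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, imphash(table), imphash_string(table))
```

The comparison between A, B and C is the practical point: an import hash survives case changes and re-spelled DLL names, so it groups samples built from one code base, but it is not a content hash, and any change to the import order or the set of imports yields a different value.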

Wednesday, June 4, 2014

Zeus and CryptoLocker creator on FBI Wanted List.

USA TODAY article.

FBI states Evgeniy Mikhailovich Bogachev, aka "Slavik", created Gameover Zeus and CryptoLocker.

Gameover Zeus -

Malware is commonly distributed by mass e-mailing targets. Someone in the organization will open the attachment or click the link and infect their machine with a virus.

This particular malware will watch and record every keystroke. It will watch for and steal banking credentials and send that information to a remote server.

Here we see the remote servers in blue.
The virus found on the computer is in orange at the bottom.

Gameover Zeus Bogachev "Slavik" - Malware Visualizer

Zeus -

Some malware will try to hide their malicious Internet Traffic with regular looking traffic. Some will check to see if they have Internet access before unpacking and sending traffic to their real locations. This graph shows Internet Traffic to legitimate Google sites of and There is also malicious Internet Traffic to an IP address and URL.

The ".tmp" file is usually a temporary holding place for the ".exe" file and is deleted afterwards. A ".bat" file can be many things, but it is included in malware that is coded to delete the original file after the original has been renamed and copied to a hidden directory.
Zeus Malware Visualizer

CryptoLocker -

Notice the large amount of Internet Traffic.
Most of it is no longer associated with an IP address, which is why it points to an empty node.

The group at the bottom is still communicating with a Command and Control Server at IP address
Of that group, half have the word Sinkhole.

CryptoLocker Malware Visualizer

Monday, June 2, 2014

Who's on First? Understanding Bases.

There was a question about Base64, so let's talk about bases.
A "base" is how many "things" you have to communicate with.

In English you have 26 letters.
English is Base26 if you only use the lower case "abcdefghijklmnopqrstuvwxyz".

If you include the upper case "ABCDEFGHIJKLMNOPQRSTUVWXYZ" then you have just added 26 more symbols.

Many humans like English. (Base26)
Computers like to read Binary using 1 or 0. (Base2)

Some humans read Japanese.
It is said that you need to know at least 3000 Japanese characters (Kanji, Katakana, Hiragana) to read a Japanese newspaper.
That's Base3000 and that's not even all of the Japanese characters!

To communicate successfully we have to change (convert, encode, translate, whatever) the message from one base to another base.

Sometimes, though, you are hoping that someone who reads the message will NOT be able to understand it.

For example the APT Malware had the call back - ''
The creator could have easily left the callback in plain English.

But instead, it was converted into Base64 to hide it from those who easily read English.
It becomes necessary for us to recognize the encoding we are seeing and convert it into something we are better at reading.

    Base2  (Binary)      = 1 or 0
    Base4  (DNA)         = ATCG
    Base10 (Decimal)     = 0123456789
    Base16 (Hexadecimal) = 0123456789abcdef
    Base64               = ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
                           (the trailing "=" is padding that marks the end of the data, not a 65th symbol)

Here we convert the word "MalwareViz" into other base options.

Base2 (Binary) = 1 or 0
    M        a        l        w        a        r        e        V        i        z
    01001101 01100001 01101100 01110111 01100001 01110010 01100101 01010110 01101001 01111010

Base4 (DNA) = ATCG
    M    a    l    w    a    r    e    V    i    z

Base16 (hex) = 0123456789abcdef
    M  a  l  w  a  r  e  V  i  z
    4d 61 6c 77 61 72 65 56 69 7a

Base64 = ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
    TWFsd2FyZVZpeg==

Base Japanese

Using Python (the original post used Python 2's 'hex' and 'base64' string codecs, which Python 3 no longer has; the Python 3 calls are shown with their results):
  Base16 (hex)
    >>> 'MalwareViz'.encode().hex()
    '4d616c7761726556697a'
    >>> bytes.fromhex('4d616c7761726556697a')
    b'MalwareViz'

  Base64
    >>> import base64
    >>> base64.b64encode(b'MalwareViz')
    b'TWFsd2FyZVZpeg=='
    >>> base64.b64decode('TWFsd2FyZVZpeg==')
    b'MalwareViz'
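As an added example (not code from the original post), the conversions above carried out in Python 3 for all four bases, plus the direction an analyst actually needs: a small guesser that takes a string of unknown base and tries Base2, Base4, Base16 and Base64 in turn until one yields printable text, restoring stripped "=" padding along the way. The two-bits-to-letter mapping for the DNA row (00 to A, 01 to T, 10 to C, 11 to G) is this example's assumption, since the post only gives the symbol order "ATCG".

```python
import base64
import binascii
import re
import string
from typing import Optional, Tuple

# Added example, not the blog's own code: encode a word in each base the post
# lists, then go the other way, which is what an analyst needs when a callback
# string has been hidden in another base.

# Assumed mapping for the "Base4 (DNA)" row. The post only gives the symbol
# order "ATCG", so this example reads it as 00->A, 01->T, 10->C, 11->G.
DNA_DIGITS = "ATCG"
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def to_binary(text: str) -> str:
    """Base2: eight bits per byte, space separated like the post's rows."""
    return " ".join(f"{b:08b}" for b in text.encode())


def to_dna(text: str) -> str:
    """Base4: two bits per letter, so four letters per byte."""
    return " ".join(
        "".join(DNA_DIGITS[(b >> shift) & 3] for shift in (6, 4, 2, 0))
        for b in text.encode()
    )


def from_dna(dna: str) -> bytes:
    """Inverse of to_dna; spaces between bytes are ignored."""
    compact = dna.replace(" ", "")
    out = bytearray()
    for i in range(0, len(compact), 4):
        value = 0
        for letter in compact[i:i + 4]:
            value = (value << 2) | DNA_DIGITS.index(letter)
        out.append(value)
    return bytes(out)


def to_hex(text: str) -> str:
    """Base16: two hex digits per byte."""
    return text.encode().hex()


def to_base64(text: str) -> str:
    """Base64: four symbols per three bytes, '=' padding at the end."""
    return base64.b64encode(text.encode()).decode("ascii")


def _printable(data: bytes) -> Optional[str]:
    """Return the bytes as text only if every character is printable ASCII."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in string.printable for c in text) else None


def guess_and_decode(token: str) -> Optional[Tuple[str, str]]:
    """Try the bases from the narrowest alphabet to the widest and return
    (base, plaintext) for the first one that yields printable text.

    Order matters: a run of 0s and 1s is also valid hex, 'ACCA' is valid DNA
    and valid hex, and every hex string is also a valid Base64 string.
    """
    compact = token.replace(" ", "")
    if not compact:
        return None
    candidates = []
    if set(compact) <= {"0", "1"} and len(compact) % 8 == 0:
        candidates.append(("base2", int(compact, 2).to_bytes(len(compact) // 8, "big")))
    if set(compact) <= set(DNA_DIGITS) and len(compact) % 4 == 0:
        candidates.append(("base4", from_dna(compact)))
    if set(compact) <= set(string.hexdigits) and len(compact) % 2 == 0:
        candidates.append(("base16", bytes.fromhex(compact)))
    if BASE64_RE.match(compact):
        # Encoded strings found in samples often have the '=' padding stripped;
        # restore it so the decoder accepts the input.
        padded = compact + "=" * (-len(compact) % 4)
        try:
            candidates.append(("base64", base64.b64decode(padded, validate=True)))
        except binascii.Error:
            pass
    for base, raw in candidates:
        text = _printable(raw)
        if text is not None:
            return base, text
    return None


if __name__ == "__main__":
    word = "MalwareViz"
    for name, func in (("Base2", to_binary), ("Base4", to_dna),
                       ("Base16", to_hex), ("Base64", to_base64)):
        print(f"{name:7} {func(word)}")
    print(guess_and_decode("TWFsd2FyZVZpeg"))   # padding stripped on purpose
```

The guesser's "printable text" test is a heuristic, not proof: a short token can decode to printable junk under the wrong base, so on real data the result is a lead for the analyst to confirm, not a verdict.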