Monday, May 26, 2014

What's Under the Hood

[Graph: MalwareViz_0735b7781096c9de80ee1bd4619e5bbf. Start (FlashUpdate.exe) -> VirusTotal (Alerts=31)]

This file on malwr.com looks interesting, as somebody tagged it as Chinese APT.
The file did not run correctly, as there was no network traffic and no created files were reported.

The goal here is to find network traffic or created files.
Let's take a look "under the hood".

Start gathering information by just looking around.
Look at the "String" tab in malwr.com under "Static Analysis".

Searching the strings for "http" or "connect" can help, but it does not help for this malware.
Let's drag and drop it into Immunity Debugger and look for some more English.
This is not debugging; we are just using a debugger to look around.


[Image: Chinese APT]

"English-ish" strings that stick out are in the far right column.
These can be Google searched to find their meaning.

Here is the part where we sound like Shawn Spencer from "Psych".
We are not really sure what's going on, but we "see" things.

We see something about Registry Query Values, Draw Icon, and string lengths.
Wait, I'm sensing something...

The string that sticks out is not the String Length "lstrlen" but the fact that it contains a Base64 string.
What? Why?
How do we know it is Base64 and what is Base64?

It is the equal signs at the end that give it away.
"d3d3Lmdvb2dsZS1ibG9nc3BvdC5jb206ODg4OA=="
Base64 turns every 3 bytes of input into 4 output characters; when the input is not a multiple of 3 bytes long, the encoder pads the last group with "=" or "==", so a trailing "=" or "==" is a strong hint that a string is Base64.

Decoding this string using Base64 and Python 2.7 we see:
>>> "d3d3Lmdvb2dsZS1ibG9nc3BvdC5jb206ODg4OA==".decode('base64')
'www.google-blogspot.com:8888'

This looks like Internet traffic!
But it looks kind of legitimate?
We recognize the words google and blogspot.

Just like biological viruses will try and trick your immune system that they belong there,
computer viruses also will try and hide by looking legitimate.

Red flags:
    1) Port 8888.
       This is not a common Internet port.
       Why isn't it using port 80 (http) or port 443 (https)?
    2) Creation date of this domain is 10-jan-2014.
       Why so recent?
       The real Google Blogspot or blogger.com was created 22-jun-1999.
    3) Notice the name servers.
       NS01.TIANKENG-TIANKENG.NET vs NS1.GOOGLE.COM (blogger.com)
       An interesting side note: the name Xiaozhai Tiankeng is apparently the world's deepest sinkhole.
       It's found in China.

This looks like at least one callback.
We should not assume there is only one, but it gives us something to go on.
We can use this to look through our Internet traffic and see how many machines on our network have tried to reach this site.
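As an added example (not code from the original post), here is a Python 3 script that applies the two checks above: it picks Base64-looking tokens out of a strings dump using the alphabet and "=" padding test, keeps those that decode to a host:port, and then counts which client IPs in a proxy log reached that destination. The strings list and the log lines are constructed samples, and the four-column log format is an assumption.

```python
import base64
import re

# Constructed strings-dump sample: the Base64 token is the one the post found; the rest are filler.
SAMPLE_STRINGS = ["lstrlenA", "d3d3Lmdvb2dsZS1ibG9nc3BvdC5jb206ODg4OA==",
                  "DrawIcon", "QUFBQUFBQUFBQUFB"]

# Constructed proxy log lines (assumed format): timestamp, client IP, method, destination host:port.
SAMPLE_LOG = """\
2014-05-26T09:58:11 10.0.0.5 CONNECT www.google-blogspot.com:8888
2014-05-26T09:58:40 10.0.0.9 GET www.google.com:80
2014-05-26T10:02:03 10.0.0.5 CONNECT www.google-blogspot.com:8888
2014-05-26T10:10:57 10.0.0.17 CONNECT www.google-blogspot.com:8888
"""

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")

def decode_candidates(strings):
    """Return (token, text) for Base64-alphabet strings of length 4n that decode to printable ASCII."""
    found = []
    for s in strings:
        if len(s) % 4 or not B64_TOKEN.match(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:  # bad alphabet or bad padding
            continue
        if raw and all(32 <= b < 127 for b in raw):  # printable ASCII only
            found.append((s, raw.decode("ascii")))
    return found

def find_callbacks(strings):
    """Keep decoded values shaped like host:port, the callback form seen in this sample."""
    hits = []
    for _, text in decode_candidates(strings):
        m = HOST_PORT.match(text)
        if m:
            hits.append((m.group("host"), int(m.group("port"))))
    return hits

def clients_contacting(log_text, host, port):
    """Map each client IP to the number of log lines it sent to host:port."""
    target = f"{host}:{port}"
    counts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == target:
            counts[parts[1]] = counts.get(parts[1], 0) + 1
    return counts
```

Running `find_callbacks(SAMPLE_STRINGS)` yields the single www.google-blogspot.com:8888 candidate, and `clients_contacting` over the sample log shows two clients reaching it.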

What about Created files?
We will take a look at that in another blog.

The graph can be updated to look like this:

[Graph: MalwareViz_0735b7781096c9de80ee1bd4619e5bbf. Start (FlashUpdate.exe) -> VirusTotal (Alerts=31) -> cluster "Internet Traffic": www.google-blogspot.com]

Tuesday, May 20, 2014

Seeing Malware is believing Malware.

Link to MalwareViz.com:
https://www.malwareviz.com/gallery/gallery

Code.
It's in everything.
It is the instructions of life.
It runs our bodies and our machines.

Yet most of us can't see it or read it.
Code is created to automate our lives so that we may be free.

There is also another code.
This code goes by many names.
This code is created to steal, destroy and cause pain.

It is malicious and it is everywhere,
constantly testing our defenses to find where we are most vulnerable.

MalwareViz was created to see this code:
To visualize malicious software called "malware" to understand it.
To encourage all to open their eyes to see and their mind to read.