Malware Archives | Page 3 of 26

January 21, 2018 by Didier Stevens

Quickpost: Retrieving Malware Via Tor On Windows

I sometimes retrieve malware over Tor, just as a simple trick to use another IP address than my own. I don’t do anything particular to be anonymous, just use Tor in its default configuration.

On Linux, its easy: I install tor and torsocks packages, then start tor, and use wget or curl with torsocks, like this:

torsocks wget URL torsocks curl URL

On Windows, its a bit more difficult, because the torsocks trick doesn’t work.

I run Tor (Windows Expert Bundle) without any configuration:

This will give me a Socks listener, that curl can use:

curl --socks5-hostname 127.0.0.1:9050 http://www.didierstevens.com

option –socks5-hostname makes curl use the Socks listener provided by Tor to make connections and perform DNS requests (option –socks5 does not use the Socks listener for DNS request, just for connections).

wget has no option to use a Socks listener, but it can use an HTTP(S) proxy.

Privoxy is a filtering proxy that I can use to help wget to talk to Tor like this.

I make 2 changes to Privoxy’s configuration config.txt:

1) I change line 811 from “toggle 1” to “toggle 0” to configure Privoxy as a normal proxy, without filtering.

2) I add this line 1363: “forward-socks5t / 127.0.0.1:9050 .”, this makes Privoxy use Tor.

Then I launch Privoxy:

And then I can use wget like this:

wget -e use_proxy=yes -e http_proxy=127.0.0.1:8118 -e https_proxy=127.0.0.1:8118 URL

Port 8118 is Privoxy’s port. If you want, you can also put these options in a configuration file.

Often, my wget command will be a bit more complex (I’ll explain this in another blog post, but it’s based on this ISC diary entry):

wget -d -o 01.log -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -e use_proxy=yes -e http_proxy=127.0.0.1:8118 -e https_proxy=127.0.0.1:8118 --no-check-certificate URL

I can also use Tor browser in stead of Tor, but then I need to connect to port 9150.

Quickpost info

October 30, 2017 by Didier Stevens

Analyzing A Malicious Document Cleaned By Anti-Virus

@futex90 shared a sample with me detected by many anti-virus programs on VirusTotal but, according to oledump.py, without VBA macros:

I’ve seen this once before: this is a malicious document that has been cleaned by an anti-virus program. The macros have been disabled by orphaning the streams containing macros, just like when a file is deleted from a filesystem, it’s the index that is deleted but not the content. FYI: olevba will find macros.

Using the raw option, it’s possible to extract the macros:

I was able to find back the original malicious document: f52ea8f238e57e49bfae304bd656ad98 (this sample was analyzed by Talos).

The anti-virus that cleaned this file, just changed 13 bytes in total to orphan the macro streams and change the storage names:

This can be clearly seen using oledir:

September 26, 2017 by LCDI

Enfuse 2017 Reflection – Emily Platz: Combating Fileless Malware

Introduction

It was bright and early – 8:00 AM – on the first day at Enfuse. I had just arrived at my first session, How to Combat Fileless Malware; I was a little nervous, but just as excited to be in Las Vegas to learn everything I could from professionals in my field of study. The audience was greeted by Lior Ben-Porat, a security researcher from a company called Hexadite. Over the next hour, Mr. Ben-Porat took us through exactly what fileless malware is, why it’s an increasing problem and how to combat it.

What is Fileless Malware?

Fileless malware, I learned, is essentially a system breach that doesn’t require any malicious files to reach the victim’s computer. Usually the attacker will use a convincing spam message or email that initiates a connection once a user accesses it. Once this connection is established, programs like Powershell are used to run commands that extract information without the user knowing. During the session we learned about Kovter, which is a (nearly) fileless malware that can maintain a connection for long periods of time through persistence. We even got to see Kovter in action through a live demonstration; it was eye-opening to see how much damage it can do without being noticed by the operating system.

fileless malware Enfuse

Mr. Ben-Porat also talked about why fileless malware is such a problem. Since it is not technically malware – due to the fact that it doesn’t rely on any kind of software to work – most antivirus programs cannot detect it. Another issue is that it can go unnoticed for such a long time. A user will most likely not know they have been attacked as the scripts sit in their registry and remain undetected by antivirus software.

How to Combat Fileless Malware

Finally, we come to the solution: how do we actually combat fileless malware? Mr. Ben-Porat was able to summarize the solution into three categories: Suspect, Incriminate, and Remediate. The first step, suspecting, is probably the most difficult: in essence, you are trying to locate malware that wasn’t ever downloaded in the first place. The best thing you can do is learn your machine. Know what’s good and what’s supposed to be there. Also look at processes and compare their normal properties: it’s a big red flag if there is more than one of the same process running at one time.

Incrimination can be done with thorough analysis of the machine. Look at antivirus signatures and maybe try sandbox analysis to try and detect the offender. Unfortunately, each memory instance that you examine may be different from the last: to solve this, you can use distance metrics or hashing to find identical instances.

Finally, remediation: since the malware is in memory, you can terminate processes that you believe are infected, but don’t forget to look in the registry or NTFS for persistence.

After the Session

I learned so much from this session and I’m glad to have the opportunity to share my experience in this blog. It really opened my eyes to what other invisible threats are out there that we know nothing about. Unfortunately, fileless malware doesn’t seem like something that is very preventable at the moment; however, the information gained will give me and hopefully others the ability to catch it as soon as possible.

I decided to do some research about Hexadite after the conference and found some really cool things: they’re currently using artificial intelligence to help respond to attacks so the employees have more time to research and develop better ways to mitigate threats. Using AI for antivirus capabilities is great because it might someday be able to respond to attacks instead of just identifying them after they happen. Hexadite has also joined forces with Microsoft to remediate attacks even faster and to minimize the time that attacks affect companies all over the world.

Conclusion

I had an amazing time at Enfuse. I learned a ton of information from people who use Cybersecurity and Digital Forensics every single day. I was able to talk to a lot of digital forensics professionals about their careers and how they got there. I was able to get hands-on with new software that Guidance is introducing soon as well as valuable EnCase skills which I hadn’t been able to practice in the past. I’m very grateful for Champlain College and Guidance Software for giving me the opportunity to attend the conference; it was an experience that I will never forget and hope to see again. I encourage you to get yourself involved with the Leahy Center for Digital Investigation at Champlain if you want to gain great work experience and have the opportunity to attend Enfuse.

Like us on Facebook and follow us on Twitter for more information on Enfuse Conference.

The post Enfuse 2017 Reflection – Emily Platz: Combating Fileless Malware appeared first on The Leahy Center for Digital Investigation.