Posts

toolsmith: Security Investigations with PowerShell

toolsmith: Security Investigations with PowerShell : Prerequisites: Windows, ideally Windows 7 or Windows Server 2008 R2, as PowerShell is native there. There are 32-bit and 64-bit versions of PowerShell for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 as well.

Introduction: Windows power users have long sought strong fu at the command line. In the beginning, Bill said "Let there be shell." And lo, there was command.com and cmd.exe. Then Jim said there must be scripting support and automation, and thus the likes of Windows Script Host and WMIC were brought to light. But alas, there were challenges: no shell integration, no interoperability. Then unto thee was delivered the shell prophet Monad (see the Monad Manifesto), later renamed Windows PowerShell in 2006. In a nutshell, PowerShell is powerful. Alright, enough of the PowerShell parable. Really though, any sysadmin running modern Windows platforms is likely using or has used PowerShell. Full disclosure: I work...

Malicious PowerPoint File Contains Exploit, Drops Backdoor

Malicious PowerPoint File Contains Exploit, Drops Backdoor : We discovered a malicious MS PowerPoint document that arrives as an attachment to specific email messages. The file contains an embedded Flash file, which exploits a software bug found in specific versions of Flash Player (CVE-2011-0611) to drop a backdoor onto users' systems. Opening the malicious .PPT file triggers the shellcode within the Flash file that exploits CVE-2011-0611, which then drops "Winword.tmp" in the Temp folder. Simultaneously, it also drops a non-malicious PowerPoint presentation file, "Powerpoint.pps", tricking users into thinking that the malicious file is just an average presentation file. Based on our analysis, "Winword.tmp" is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware, leaving infected systems susceptible to other, more menacing threats such as data stealing malwar...

WebDAV Server to Download Custom Executable or MSF Generated Executables

WebDAV Server to Download Custom Executable or MSF Generated Executables : Metasploit comes with a dllhijacker module. The current module does not allow you to download exes; in fact these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module to be a WebDAV server has been a request for a while, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist. So if LOCALEXE is set to TRUE then serve up the local exe in the path/filename you specify; if not, generate an executable based on the payload options (yes, I realize AV will essentially make this part useless). The below is a "show options" with nothing set; the default is to generate an EXE payload, if you want to set yo...

Painting a Picture of W32.Flamer

Painting a Picture of W32.Flamer : The number of different components in W32.Flamer is difficult to grasp. The threat is a well designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps' and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality. To get an idea of how all these components fit together, the best place to start is a file called mssecmgr.ocx. This is W32.Flamer's main file and it is the first element of the threat executed by an infected computer. The file mssecmgr.ocx contains a large number of sub-components. A breakdown of the various components and how they are stored in this file is shown in Figure 1 below: Figure 1. Overview of W...

"How to Extract Flash Objects From Malicious MS Office Documents"

"How to Extract Flash Objects From Malicious MS Office Documents" : Authors of malicious Microsoft Office documents can execute code on the victim's system using several techniques, including VB macros and exploits. Another approach, which has been growing in popularity, involves embedding Flash programs in the Office document. These Flash programs can download or directly incorporate additional malicious code without the victim's knowledge. This note demonstrates several steps for extracting malicious Flash objects from Microsoft Office document files, so you can analyze them. We take a brief look at using strings, Pyew, hachoir-subfile, xxxswf.py and extract_swf.py tools for this purpose.
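The carving step that the tools above (and the Flash-in-PowerPoint sample from the CVE-2011-0611 post) all rely on is the same: find an SWF signature, validate the 8-byte header, and inflate a zlib-compressed (CWS) body so the result can be fed to an SWF disassembler. The following is an added example written for this page, not the code of xxxswf.py, extract_swf.py or any other tool named here; the OLE-like carrier, the decoy "FWS" string and the minimal SWF bodies are constructed inline so the script runs offline. LZMA-compressed (ZWS) objects are reported but not inflated, because their header differs from standard LZMA and is out of scope here.

```python
"""Carve embedded Flash (SWF) objects out of an arbitrary byte buffer, e.g. an Office file."""
import re
import struct
import tempfile
import zlib
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

SWF_SIG = re.compile(rb"[FCZ]WS")   # FWS = uncompressed, CWS = zlib, ZWS = LZMA
MAX_SWF_VERSION = 50                 # sanity bound (assumption): real versions are far lower


@dataclass
class SwfHit:
    offset: int            # where the signature was found in the buffer
    signature: bytes       # b"FWS", b"CWS" or b"ZWS"
    version: int
    declared_len: int      # uncompressed file length from the header, header included
    data: Optional[bytes]  # carved object rewritten as uncompressed FWS, or None
    note: str


def _parse_header(buf: bytes, off: int):
    """SWF header: 3-byte signature, 1-byte version, 4-byte LE uncompressed length."""
    if off + 8 > len(buf):
        return None
    sig = buf[off:off + 3]
    version = buf[off + 3]
    length = struct.unpack_from("<I", buf, off + 4)[0]
    # Reject signature bytes that are just text (e.g. "FWS" in a string): implausible version/length
    if not 1 <= version <= MAX_SWF_VERSION or length < 8:
        return None
    return sig, version, length


def carve_swf(buf: bytes) -> List[SwfHit]:
    """Return every plausible SWF object in buf, inflating CWS bodies with zlib."""
    hits = []
    for m in SWF_SIG.finditer(buf):
        off = m.start()
        hdr = _parse_header(buf, off)
        if hdr is None:
            continue
        sig, version, length = hdr
        fws_header = b"FWS" + bytes([version]) + struct.pack("<I", length)
        if sig == b"FWS":
            if off + length > len(buf):
                hits.append(SwfHit(off, sig, version, length, None, "truncated FWS"))
            else:
                hits.append(SwfHit(off, sig, version, length, buf[off:off + length], "ok"))
        elif sig == b"CWS":
            # Only the 8-byte header is clear; the rest of the object is one zlib stream.
            inflater = zlib.decompressobj()
            try:
                body = inflater.decompress(buf[off + 8:], length - 8)
            except zlib.error as exc:
                hits.append(SwfHit(off, sig, version, length, None, f"zlib error: {exc}"))
                continue
            if len(body) != length - 8:
                hits.append(SwfHit(off, sig, version, length, None, "zlib body shorter than declared"))
            else:
                hits.append(SwfHit(off, sig, version, length, fws_header + body, "ok (inflated)"))
        else:
            hits.append(SwfHit(off, sig, version, length, None, "ZWS (LZMA) found, not inflated"))
    return hits


def _minimal_swf_body() -> bytes:
    # Constructed: RECT with Nbits=0 (1 byte), frame rate 12.0 as 8.8 fixed, 1 frame, End tag
    return b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"


def build_samples():
    """Constructed carrier blob: OLE magic, filler, a decoy 'FWS' string, one FWS and one CWS."""
    body = _minimal_swf_body()
    total = 8 + len(body)
    fws = b"FWS" + bytes([10]) + struct.pack("<I", total) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    carrier = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
               + b"FWSxxxx" + b"A" * 32 + fws + b"B" * 16 + cws + b"C" * 8)
    return carrier, fws


def carve_to_files(buf: bytes, outdir: Path) -> List[Path]:
    """Write each recovered object to <outdir>/swf_<offset>.swf and return the paths."""
    written = []
    for hit in carve_swf(buf):
        if hit.data is not None:
            path = outdir / f"swf_{hit.offset:#x}.swf"
            path.write_bytes(hit.data)
            written.append(path)
    return written


if __name__ == "__main__":
    carrier, _ = build_samples()
    for hit in carve_swf(carrier):
        print(f"offset={hit.offset:#x} sig={hit.signature!r} v{hit.version} len={hit.declared_len} {hit.note}")
    with tempfile.TemporaryDirectory() as d:
        print(carve_to_files(carrier, Path(d)))
```

Run it against a real document with `carve_swf(Path("sample.ppt").read_bytes())`; the decoy shows why the header sanity checks matter, since `strings`-style matching on "FWS" alone produces false positives.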

Flame: Bunny, Frog, Munch and BeetleJuice…

Flame: Bunny, Frog, Munch and BeetleJuice… : As already mentioned in the previous blog post about Flame, the volume of its code and functionality are so great that it will take several months for a complete analysis. We're planning on continually disclosing in our publications the most important and interesting details of its functionality as we reveal them. At the moment we are receiving many inquiries about how to check systems for a Flame infection. Of course the simplest answer, for us, is to advise using Kaspersky Lab Antivirus or Internet Security. We successfully detect and delete all possible modifications of the main module and extra components of Flame. However, for those who want to carry out a detailed check themselves, at the end of this article we will give the necessary recommendations and advice. MSSECMGR.OCX The main module of Flame is a DLL file called mssecmgr.ocx. We've discovered two modifications of this module. Most of the infected machines contained its "big" ver...

Update: virustotal-search

Update: virustotal-search : I didn't expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn't planned to release then). What I didn't explain in my first post is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database and not from the VirusTotal servers. I've added a field (Requested) to indicate if the request was sent to VirusTotal or served from the local database. If you want all requests to be sent to VirusTotal, regardless of the content of the local database, use option --force. And if you don't want to include your API key in the program source code, you have two alternatives: use option --key and provide the API key on the command line, or define environment variable VIRUSTOTAL_API2_KEY with your API key. virustotal-search_V0_0_3.zip ( https ) MD5: 89D4848...
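The caching behaviour described above (a local pickle database, a Requested flag, a force option and key lookup from the command line or an environment variable) is easy to get subtly wrong, so here is an added example of that pattern. It is written for this page and is not the virustotal-search code itself; the pickle layout (a dict keyed by lowercased hash), the class and function names, and the fake `query` callable that stands in for the VirusTotal API are all assumptions. The sample hash is the MD5 of the EICAR test file and the reports it returns are constructed.

```python
"""Local report cache with a Requested flag, --force semantics and API key resolution."""
import os
import pickle
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional, Tuple

DB_NAME = "virustotal-search.pkl"   # file name from the post; its internal layout is assumed here
ENV_KEY = "VIRUSTOTAL_API2_KEY"


def resolve_api_key(cli_key: Optional[str], env: Optional[Dict[str, str]] = None) -> str:
    """--key on the command line wins; otherwise fall back to the environment variable."""
    env = os.environ if env is None else env
    if cli_key:
        return cli_key
    key = env.get(ENV_KEY)
    if not key:
        raise SystemExit(f"no API key: pass --key or set {ENV_KEY}")
    return key


class ReportCache:
    """Dict of hash -> report persisted with pickle.

    Caveat: pickle.load executes whatever the file encodes, so the cache must live
    somewhere only the analyst can write; never load a cache file received from elsewhere.
    """

    def __init__(self, path: Path):
        self.path = Path(path)
        self.db: Dict[str, dict] = pickle.loads(self.path.read_bytes()) if self.path.exists() else {}

    def save(self) -> None:
        self.path.write_bytes(pickle.dumps(self.db))

    def lookup(self, file_hash: str, query: Callable[[str], dict], force: bool = False) -> Tuple[dict, str]:
        """Return (report, requested) where requested is 'yes' if VirusTotal was contacted."""
        key = file_hash.strip().lower()   # MD5/SHA hex is case-insensitive: one cache entry per hash
        if not force and key in self.db:
            return self.db[key], "no"
        report = query(key)
        self.db[key] = report
        self.save()                       # persist immediately so an interrupted batch keeps its results
        return report, "yes"


def demo() -> Tuple[list, int]:
    """Exercise the cache with a constructed query function; returns (Requested flags, API calls made)."""
    calls = []

    def fake_query(h: str) -> dict:      # constructed stand-in for the VirusTotal API
        calls.append(h)
        return {"resource": h, "positives": 3, "total": 40}

    eicar_md5 = "44D88612FEA8A8F36DE82E1278ABB02F"
    with tempfile.TemporaryDirectory() as d:
        cache = ReportCache(Path(d) / DB_NAME)
        first = cache.lookup(eicar_md5, fake_query)            # not cached yet: goes to the API
        second = cache.lookup(eicar_md5.lower(), fake_query)   # same hash, different case: served locally
        reopened = ReportCache(Path(d) / DB_NAME)              # new process: cache survives on disk
        third = reopened.lookup(eicar_md5, fake_query)
        fourth = reopened.lookup(eicar_md5, fake_query, force=True)   # --force: always ask VirusTotal
    return [first[1], second[1], third[1], fourth[1]], len(calls)


if __name__ == "__main__":
    print(demo())
    print(resolve_api_key(None, {ENV_KEY: "example-key"}))
```

The `force` path still overwrites the cached entry, so a forced re-query refreshes stale detection counts rather than merely bypassing the cache.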