Posts

Showing posts from 2012

toolsmith: Security Investigations with PowerShell

toolsmith: Security Investigations with PowerShell : Prerequisites Windows, ideally Windows 7 or Windows Server 2008 R2, as PowerShell is native. There are 32-bit and 64-bit versions of PowerShell for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 as well. Introduction Windows power users have long sought strong fu at the command line. In the beginning, Bill said “Let there be shell.” And lo, there was command.com and cmd.exe. Then Jim said, there must be scripting support and automation, and thus the likes of Windows Script Host and WMIC were brought to light. But alas, there were challenges; no shell integration, no interoperability. Then unto thee was delivered the shell prophet Monad (see the Monad Manifesto), later renamed Windows PowerShell in 2006. In a nutshell, PowerShell is powerful. Alright, enough of the PowerShell parable. Really though, any sysadmin running modern Windows platforms is likely using or has used PowerShell. Full disclosure: I work...

Malicious PowerPoint File Contains Exploit, Drops Backdoor

Malicious PowerPoint File Contains Exploit, Drops Backdoor : We discovered a malicious MS PowerPoint document that arrives as a file attached to specific email messages. The file contains an embedded Flash file, which exploits a software bug found in specific versions of Flash Player (CVE-2011-0611) to drop a backdoor onto users’ systems. Users who open the malicious .PPT file trigger the shellcode within the Flash file that exploits CVE-2011-0611, which then drops “Winword.tmp” in the Temp folder. Simultaneously, it also drops a non-malicious PowerPoint presentation file, “Powerpoint.pps”, tricking users into thinking that the malicious file is just your average presentation file. Based on our analysis, “Winword.tmp” is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware, leaving infected systems susceptible to other, more menacing threats such as data stealing malwar...

WebDAV Server to Download Custom Executable or MSF Generated Executables

WebDAV Server to Download Custom Executable or MSF Generated Executables : Metasploit comes with the dllhijacker module. The current module does not allow you to download exes; in fact, these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module to be a WebDAV server has been a request for a while, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist. So if LOCALEXE is set to TRUE, then serve up the local exe in the path/filename you specify; if not, generate an executable based on the payload options (yes, I realize AV will essentially make this part useless). The below is a "show options" with nothing set; the default is to generate an EXE payload, if you want to set yo...

Painting a Picture of W32.Flamer

Painting a Picture of W32.Flamer : The number of different components in W32.Flamer is difficult to grasp. The threat is a well-designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps', and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality. To get an idea of how all these components fit together, the best place to start is a file called mssecmgr.ocx. This is W32.Flamer's main file and it is the first element of the threat executed by an infected computer. The file mssecmgr.ocx contains a large number of sub-components. A breakdown of the various components and how they are stored in this file is shown in Figure 1 below: Figure 1. Overview of W...

"How to Extract Flash Objects From Malicious MS Office Documents"

"How to Extract Flash Objects From Malicious MS Office Documents" : Authors of malicious Microsoft Office documents can execute code on the victim's system using several techniques, including VB macros and exploits. Another approach, which has been growing in popularity, involves embedding Flash programs in the Office document. These Flash programs can download or directly incorporate additional malicious code without the victim's knowledge. This note demonstrates several steps for extracting malicious Flash objects from Microsoft Office document files, so you can analyze them. We take a brief look at using the strings, Pyew, hachoir-subfile, xxxswf.py and extract_swf.py tools for this purpose.

Flame: Bunny, Frog, Munch and BeetleJuice…

Flame: Bunny, Frog, Munch and BeetleJuice… : As already mentioned in the previous blog post about Flame, the volume of its code and functionality is so great that it will take several months for a complete analysis. We’re planning on continually disclosing in our publications the most important and interesting details of its functionality as we reveal them. At the moment we are receiving many inquiries about how to check systems for a Flame infection. Of course the simplest answer, for us, is to advise using Kaspersky Lab Antivirus or Internet Security. We successfully detect and delete all possible modifications of the main module and extra components of Flame. However, for those who want to carry out a detailed check themselves, at the end of this article we will give the necessary recommendations and advice. MSSECMGR.OCX The main module of Flame is a DLL file called mssecmgr.ocx. We’ve discovered two modifications of this module. Most of the infected machines contained its “big” ver...

Update: virustotal-search

Update: virustotal-search : I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to release then). What I didn’t explain in my first post is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database, and not from the VirusTotal servers. I’ve added a field (Requested) to indicate if the request was sent to VirusTotal or served from the local database. If you want all requests to be sent to VirusTotal, regardless of the content of the local database, use option --force. And if you don’t want to include your API key in the program source code, you have two alternatives: use option --key and provide the API key on the command line, or define environment variable VIRUSTOTAL_API2_KEY with your API key. virustotal-search_V0_0_3.zip ( https ) MD5: 89D4848...

Searching With VirusTotal

Searching With VirusTotal : Did you know that you can search VirusTotal? You don’t have to submit a file; you can search for the report of a file that has been submitted before. You use a cryptographic hash (MD5, SHA1, SHA256) to identify the file. There are several tools to submit a batch of files to VirusTotal, but I didn’t find any that just searches VirusTotal for a list of search terms via VirusTotal’s API. Thus I wrote my own Python program. It accepts a file with a list of hashes, and produces a CSV file with the result. Here is an example displayed with InteractiveSieve: To get this program working, you need to get a VirusTotal API key and add it to this program. You need a VirusTotal account to get your API key. And my program respects VirusTotal’s rate limitation (4 requests per minute); I don’t want it to DoS VirusTotal. virustotal-search_V0_0_1.zip ( https ) MD5: 0F3A1E18C79DFDB143CCC2F860E2C4B2 SHA256: BD213BBC55A9048DBB7B890209E2831EF81049B45ABE9091E01F0692F...

Instant decryption of MS Office 2010 documents now possible

Instant decryption of MS Office 2010 documents now possible : Passware announced Passware Kit Forensic 11.7, which includes live memory analysis and subsequent decryption of MS Word or Excel 2007-2010 files. In addition, the new version instantly decrypts PGP Wh...

Razorback 0.5.0 released

Razorback 0.5.0 released : The Razorback team has released version 0.5.0. You can find the new version of Razorback here: http://sfi.re/JlWZ0U . We have also updated the virtual machine, which you can get here: http://sfi.re/IAW1oa . This release adds support for running inspection nuggets on Windows. At this time we have tested on Windows 7, but XP support should be coming in the future. You can download the Windows installers here: http://sfi.re/JZ3MEI . Along with the Windows support we have created a number of new nuggets that use it. Here are all of the nuggets that we currently support on Windows: AVG Nugget - AVG Antivirus scanning that works with the free version of AVG. Avast Nugget - Avast Antivirus scanning that requires non-free Avast Pro. Avira Nugget - Avira Antivirus scanning that will work with the free version of Avast with the command line scanner extension installed. Kaspersky Nugget - Kaspersky Antivirus scanning that ...

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection : The Websense® ThreatSeeker® Network has detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described on its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs. While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or are occupied in this field. The website appears to have been injected with malicious code for over a week now. (Websense's ACE has provided protection against the type of injected malicious code since early 2009.) One of the interesting facts about this infection is that it uses the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac ...

Microsoft kicks Chinese company out of vulnerability sharing program

Microsoft kicks Chinese company out of vulnerability sharing program : After an investigation into the embarrassing proof-of-concept leak, Microsoft said MAPP partner Hangzhou DPTech Technologies breached the strict non-disclosure agreement.

Weibo Accounts Compromised to Spread Phishing Campaign

Weibo Accounts Compromised to Spread Phishing Campaign : The Websense® ThreatSeeker® Network has detected a wave of phishing campaigns spreading on the Chinese social network "Sina Weibo". Sina Weibo is a Chinese microblog website, like a hybrid of Twitter and Facebook, that has more than 300 million registered users as of February 2012. ...

Both Mac and Windows are Targeted at Once

Both Mac and Windows are Targeted at Once : Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers. On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads suitable malware for that OS. This is explained further in the following illustration: When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type ...

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline : Recently, Mandiant® released a new version of Redline™. If you are not familiar with Redline, it is a great tool for investigating a specific Windows host in depth. We will have a more thorough look into Redline in the next month or so. What I wanted to touch on today is one of Redline’s brand new features: you can now use Indicators of Compromise (IOCs) to drive your Redline investigations. If you are not familiar with IOCs, I urge you to take a moment and head over to http://OpenIOC.org and have a look around. IOCs are the best way of finding indications of compromise and/or intrusion throughout your enterprise. IOCs are one of the main technologies that power Mandiant Intelligent Response, Mandiant’s flagship IR appliance, and have previously been accessible in free products with IOC Editor and IOC Finder. Some blog entries that might help bring you up to speed are Ryan Kazanciya...