Posts

Showing posts from May, 2012

Painting a Picture of W32.Flamer

Painting a Picture of W32.Flamer : The number of different components in W32.Flamer is difficult to grasp. The threat is a well designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into 'apps' and the attackers even appear to have something equivalent to an 'app store' from where they can retrieve new apps containing malicious functionality. To get an idea of how all these components fit together, the best place to start is a file called mssecmgr.ocx. This is W32.Flamer's main file and it is the first element of the threat executed by an infected computer. The file mssecmgr.ocx contains a large number of sub-components. A breakdown of the various components and how they are stored in this file is shown in Figure 1 below: Figure 1. Overview of W...

"How to Extract Flash Objects From Malicious MS Office Documents"

"How to Extract Flash Objects From Malicious MS Office Documents" : Authors of malicious Microsoft Office documents can execute code on the victim's system using several techniques, including VB macros and exploits. Another approach, which has been growing in popularity, involves embedding Flash programs in the Office document. These Flash programs can download or directly incorporate additional malicious code without the victim's knowledge. This note demonstrates several steps for extracting malicious Flash objects from Microsoft Office document files, so you can analyze them. We take a brief look at using the strings, Pyew, hachoir-subfile, xxxswf.py and extract_swf.py tools for this purpose.

Flame: Bunny, Frog, Munch and BeetleJuice…

Flame: Bunny, Frog, Munch and BeetleJuice… : As already mentioned in the previous blog post about Flame, the volume of its code and functionality is so great that it will take several months for a complete analysis. We’re planning on continually disclosing in our publications the most important and interesting details of its functionality as we reveal them. At the moment we are receiving many inquiries about how to check systems for a Flame infection. Of course the simplest answer, for us, is to advise using Kaspersky Lab Antivirus or Internet Security. We successfully detect and delete all possible modifications of the main module and extra components of Flame. However, for those who want to carry out a detailed check themselves, at the end of this article we will give the necessary recommendations and advice. MSSECMGR.OCX: The main module of Flame is a DLL file called mssecmgr.ocx. We’ve discovered two modifications of this module. Most of the infected machines contained its “big” ver...

Update: virustotal-search

Update: virustotal-search : I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to release then). What I didn’t explain in my first post is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database, and not from the VirusTotal servers. I’ve added a field (Requested) to indicate if the request was sent to VirusTotal or served from the local database. If you want all requests to be sent to VirusTotal, regardless of the content of the local database, use option --force. And if you don’t want to include your API key in the program source code, you have two alternatives: use option --key and provide the API key on the command line, or define environment variable VIRUSTOTAL_API2_KEY with your API key. virustotal-search_V0_0_3.zip ( https ) MD5: 89D4848...

Searching With VirusTotal

Searching With VirusTotal : Did you know that you can search VirusTotal? You don’t have to submit a file; you can search for the report of a file that has been submitted before. You use a cryptographic hash (MD5, SHA1, SHA256) to identify the file. There are several tools to submit a batch of files to VirusTotal, but I didn’t find any that just searches VirusTotal for a list of search terms via VirusTotal’s API. Thus I wrote my own Python program. It accepts a file with a list of hashes, and produces a CSV file with the result. Here is an example displayed with InteractiveSieve: To get this program working, you need to get a VirusTotal API key and add it to this program. You need a VirusTotal account to get your API key. And my program respects VirusTotal’s rate limitation (4 requests per minute), as I don’t want it to DoS VirusTotal. virustotal-search_V0_0_1.zip ( https ) MD5: 0F3A1E18C79DFDB143CCC2F860E2C4B2 SHA256: BD213BBC55A9048DBB7B890209E2831EF81049B45ABE9091E01F0692F...

Instant decryption of MS Office 2010 documents now possible

Instant decryption of MS Office 2010 documents now possible : Passware announced Passware Kit Forensic 11.7, which includes live memory analysis and subsequent decryption of MS Word or Excel 2007-2010 files. In addition, the new version instantly decrypts PGP Wh...

Razorback 0.5.0 released

Razorback 0.5.0 released : The Razorback team has released version 0.5.0. You can find the new version of Razorback here: http://sfi.re/JlWZ0U . We have also updated the virtual machine, which you can get here: http://sfi.re/IAW1oa . This release adds support for running inspection nuggets on Windows. At this time we have tested on Windows 7, but XP support should be coming in the future. You can download the Windows installers here: http://sfi.re/JZ3MEI . Along with the Windows support we have created a number of new nuggets that use it. Here are all of the nuggets that we currently support on Windows: AVG Nugget - AVG Antivirus scanning that works with the free version of AVG. Avast Nugget - Avast Antivirus scanning that requires non-free Avast Pro. Avira Nugget - Avira Antivirus scanning that will work with the free version of Avast with the command line scanner extension installed. Kaspersky Nugget - Kaspersky Antivirus scanning that ...

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection : The Websense® ThreatSeeker® Network has detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described on its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs. While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or are occupied in this field. The website appears to have been injected with malicious code for over a week now. (Websense's ACE has provided protection against the type of injected malicious code since early 2009.) One of the interesting facts about this infection is that it uses the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac ...

Microsoft kicks Chinese company out of vulnerability sharing program

Microsoft kicks Chinese company out of vulnerability sharing program : After an investigation into the embarrassing proof-of-concept leak, Microsoft said MAPP partner Hangzhou DPTech Technologies breached the strict non-disclosure agreement.