Tuesday, June 23, 2009

All feedback is good feedback

In our recently published white paper on Pushdo we noted that the malware used a certain string as part of its encryption routine.

Poshel-ka ti na hui drug aver

This string roughly translates to “Screw you my friend Aver” (well its actually a lot less polite than that, but you get the idea). We theorized that the word Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that this word could mean “AVer” (a slang term used mainly on english virus writing forums meaning AV researcher).

Doh!

This is not the first time that malware writers have left hidden message that are only revealed during reverse engineering. My personal favorite was from a sample of the WORM_RINBOT family which included a message for a fellow AV researcher, after he assigned the name RINBOT to the malware family instead of the criminal gangs prefered name:

Dear Symantec:
For years I have longed for just one thing,
to make malware with just the right sting,
you detected my creation and got my domains killed,
but I will not stop,
I can rebuild.

P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.

The Rinbot authors where particulary well known for getting frustrated at AV companies for detecting their creations (ironically made easier by all of those nice messages they included for us to use in malware signatures). They were fairly generous in distributing their pent up annoyance with everyone from SANS to CNN included. In particular they really disliked people refusing to name their malware as they had intended.

Rinbot is not the only malware to include such strings, recently the TSPY_ZBOT family also started with messages giving out about blog articles by Avira and Microsoft. In fact these messages have been going on for years, another one from a WORM_MYDOOM variant back in 2004 read:

we will attack f-secure,symantec,trendmicro,mcafee , etc.
The 11th of march is the skynet day lol .

Its always nice to get feedback on your work, even more so when its the bad guys complaining that we are doing too good of a job.

posted by Robert McArdle @ 2:37 PM   0 Comments

Friday, June 12, 2009

5 Must Have Tools (from ISSA Talk)

On Tuesday I attended the very interesting talk held by the ISSA in Dublin, where several Microsoft employees spoke about Windows 7, their own internal IT security setup, and a good overview of the Conficker Worm by Elda Dimakiling and Francis Ten Seng. This was followed by 2 short presentations - Paul Collins, head of IT with Hypo Real Estate Group showed the capabilities of the very useful MSAT tool, and I demoed some useful malware analysis tools. Overall really enjoyed the event, and will continue to attend the ISSA events in the future.

I thought that I may as well stick up the tools in question on this blog post so that they are all linked in one location. I often get asked to fix friends computers, and always carry around a copy of these tools on a USB key - if you know what you are doing you can clean about 90% of all Windows malware with them. I'd advise any security professional to download all 5 and play around with them for 30 minutes, you'll be happy you did.

Ice Sword (Mirrored Download - Use This)
Ice Sword is a fantastic tool for Rootkit detection. It will allow you to see hidden processes, registry keys, services etc on the infected machine. In addition to this it will actually let you directly read and write areas of process memory, and includes a basic dissassembler. It also has another host of features such as inspection the systems SSDT and looking at Layered Service Providers. In any malware analysis Icesword is my first port of call, remove any rootkits from the system so that you can continue your analsis.

GMER
Gmer is another Rootkit removal tool, again with many other features built in. Personally I prefer Ice Sword, but you really should have both at hand - sometimes malware will successfully hide, or kill one or the other.

Autoruns
Now that you have removed the rootkits from the PC, Autoruns is Step 2. It is a fantastic tool which shows every singles system load point (i.e. All of the executable which will be started during Windows startup). As it returns quite a large amount of information, here are some tips on where to start looking (as you get more used to the tool, this will become 2nd nature):
  • Check the following Tabs first - Logon, Internet Explorer, Scheduled Task, Services, Image Hijacks, Winlogon.
  • Pay particular attention to any entries that do not have an associated Publisher or Description, especially anything in the System32 or Windows folders. There is a very nice Right-Click-> Verify function that will test the digital signature of the executable.
  • For executables you are unfamiliar with try the Right-Click->Search Online feature. Interestingly this uses Yahoo search - but I would not be surprised to see a Bing version in future.
  • Delete any suspicious load points and then refresh. If the value is being recreated thats normally a sure sign that its bad.
Process Explorer
Think Task Manager on steroids. Some tips:
  • Pay particular attention to Packed Images (highlighted in Purple)
  • As well as killing processes, you can also suspend them. This can sometimes be better as some malware will have a 2nd process or dll watching the first, and if it is removed from memory will automatically restart it - suspending the process means that it is still in memory, but not doing anything.
  • Most of the really cool stuff is in the Right-Click->Properties menu. The Thread tab is very powerful - allowing you to kill/suspend individual threads within a process. Malware likes to create remote threads in processes so if you are having difficulties removing it pay close attention to any threads injected into Winlogon, Explorer or IExplore.
  • The TCP/IP tab will show you any network activity of the process.
  • Strings is another excellent tab - showing human readable strings in a file. Note that you can look for strings in the Image (the file) or in Memory. Memory is normally more useful especially if the file is packed.
Process Monitor
A very simple, yet incredibly powerful tool. Every single File, Registry, Process and Network access performed on the system is intercepted and logged. You can use Filters to only see the details you are interested in. This is particulary useful if you are noticing certain registry keys, files or processes being recreated by a threat - as it will show you the process responsible for recreating them (quite often Explorer or Winlogon, which indiciates an injected malicious thread).

Oh and if you have spent the suggested 30 minutes mucking about with these and want to know where next to go on your quest to become a security tool guru - all of the Microsoft Sysinternals tools are now available in single download - http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx .

I know that I've lost all my street cred by actually praising a Microsoft product (none of the cool kids are returning my calls), but sometimes they really do get it 100% right

Labels:

posted by Robert McArdle @ 1:25 PM   0 Comments