Some Malware Analysis Tools

I just recently went through a great, albeit difficult, Malware Analysis course. It was very informative and it stretched my ability to understand and follow. The usual DISCLAIMER applies: use the tools at your own risk and your own malware.

Here are some of the free tools we used (and there are a lot of free tools available):

We first installed Virtual Box

Then used the following for Surface Analysis:
Hash Analysis – HashTab (free for personal or private use)
File Type Analysis – TrID
String Analysis – BinText and Sysinternals’ String.exe
Binary Editor – HxD
Pack Analysis – CFF Explorer

Runtime Analysis:
Sysinternals’ Process Explorer
regshot
WinPcap
Wireshark
Sysinternals’ Process Monitor
TCPView
FUndelete (Sysinternals’ old software)
Autoruns
ADSSpy

Static Analysis:
IDA Pro Free
MSDN Library
OllyDbg Version 1
Immunity Debugger
Python 2.5

---

Some Malware Analysis Links:

Practical Malware Analysis PDF by Kris Kendall from BH 07
PenTestIT’s Atool (I’ve never used this but you may want to check it out)
Malware Analysis Tools – from the SANS diary of 2006
Malware Analysis for Fun and Profit PDF
Malware Analysis Presentation from HK’s Professional InfoSec Association

Advertisement

Black Hat Presentations, Flash App Tools, Free AV and News

The next BlackHat.com webcast will be about Mobility and Security on May 21 1pm PDT (Friday, May 22, 2009 at 4 AM in Manila, according to The World Clock).

Black Hat Webcast 9 (34MB audio, around 79 mins running time; WebSync version is here) is a preview of the Black Hat Conference in Amsterdam that was held from April 16-17, 2009 (see link to presentations below).
The following people and their presentation topic were in this webcast:

Enno Ray – Attacking Backbone Technologies
Charlie Miller and Vincenzo Iozzo – Fun and Games with Mac OS X and iPhone Payloads
Stefano Zanero – Web App Firewall Based on Anomaly Detection
Roberto Gassira’ and Roberto Piccirillo – Hijacking Mobile Data Connections

Past Black Hat Conferences:
Video of Charlie Miller and Vincenzo Iozzo’s presentation on Mac and iPhone payloads (152 MB)
Black Hat Europe 2009 (Amsterdam) Media Archives
Black Hat USA 2008 Archives

---

Flash App Vulnerability Tools

Exposing Flash Application Vulnerabilities with SWFScan
Flare
SWFIntruder

---

Free Anti-Virus

F-Secure Online Scanner Beta Program

---

InfoSec News

(Inquirer.net) Has your e-mail address won in a lottery?
(Computerworld PH) Report: Web continues to rise as security threat

(Inquirer.net) RP gov’t websites vulnerable to hacking
(Inquirer.net) Cyber spies hack into DFA computers
(Inquirer.net) RP needs cybersecurity program–CICT
(Inquirer.net) PNP experts tell how to catch a hacker

(Inquirer.net) Purge 2-M ‘flying’ voters, Comelec told
(Manila Times) Lawmaker to hack Comelec electronic counting machines
(Inquirer.net) Hack poll machines and win P100M
(Inquirer.net) P100M hack reward ‘dishonors’ poll automation
(Inquirer.net) Hacking poll results to take lots of time
(Inquirer.net) Comelec to tap DOST on poll machine testing
(Inquirer.net) Comelec mulls inclusion of more provinces in poll automation

(Inquirer.net) Comelec eyes YouTube stardom to lure voters

(PhilStar) Is quitting Twitter more popular than re-tweeting?
(IT Matters.com) Twitter — a rising marketing channel?

(PhilStar) Globe backs ICT Awards

(Inquirer.net) RP seeks removal from USTR watch list
(Inquirer.net) Twitter, Facebook abuzz over Pacquiao win

(Computerworld) Facebook’s privacy options
(Computerworld) How Facebook mucks up office life
(Wired) PIN Crackers Nab Holy Grail of Bank Card Security

(SecurityFocus) Researcher argues for CERTs with teeth
(Inquirer.net) Cyberspies hack into US fighter project
(H Security) Linux cache poisoning attacks easier than on Windows?
(Computerworld) 20 kick-ass network research projects

(Computerworld) Leaked copies of Windows 7 RC contain Trojan
(Computerworld) Botnet probe turns up 70GB of personal, financial data
(Computerworld) Heartland earns back spot on PCI-approved list

(The Register) Security researchers fret over Adobe PDF flaw
(H Security) Demo exploits for new vulnerabilities in Adobe Reader
(SecurityFocus) Companies slowest to fix Office, Acrobat flaws
(SecurityFocus) JavaScript flaw reported in Adobe Reader

(The Register) US Congress wants hack teams for self-penetration
(Boston.com) US looks to hackers to protect cyber networks
(NY Times) ‘Hackers wanted’ ad fed security misconception

(The Register) Botnet hijacking reveals 70GB of stolen data
(The Register) Twitter breach gives behind-the-scenes Obama peek

(The Register) Firefox finds more pesky bugs
(H Security) Firefox 3.0.10 fixes critical vulnerability

(The Register) Hacker behind P2P botnet gets no jail time
(The Register) US military’s cyberwar rules ‘ill-formed,’ says panel
(NY Times) Panel Advises Clarifying U.S. Plans on Cyberwar
(The Register) Adobe users imperiled by critical Reader flaw

(H Security) Lost+found: Worms, Exploits, Online Scanners
(NY Times) H.P. Labs Pulls Out the Measuring Stick

Using PortableTor on a USB for Anonymized Browsing

Back in January, I wrote about Anonymization and mentioned PortableTor from a USB stick. The Easter break allowed me to try it on a USB I just got from CD-R King (Php 480 for 4GB ain’t bad). Long story short, Tor was originally made by the US Naval Research Lab and has been said to be used by some three letter US Agencies to shadow people on the net. It works by bouncing your packets around a distributed network of relays run by volunteers all over the world. However, its also been used by some hackers to keep their anonymity even though Wikipedia describes its limitations as:

“Tor cannot (and doesn’t try to) protect against an attacker who can monitor both traffic going into the Tor network and also traffic coming out of the Tor network, such as the United States government which has the capability to monitor any broadband internet traffic under the Communications Assistance For Law Enforcement Act and can therefore see both ends of the Tor connection. Tor tries to protect against traffic analysis, but Tor does not have the ability to prevent traffic confirmation (also called ‘end-to-end correlation’).”

Being in Manila, I wonder what capability the Philippine government has with regard to monitoring broadband traffic. I know they have some, I’m just not sure about the extent.

You can check out the Tor Project site here.

I’ll be re-doing it from scratch for this article and will be giving step by step instructions. I recommend running from a USB for people who frequent Net Cafe’s. For this article I’ll just be using Portable Firefox and not the whole suite available at Portable Apps and will be using an old 512MB drive on L:

Typical caveat: I have no idea if this will work for you and please do back up before you try this.

Step 1
Get Mozilla Firefox Portable then download it to your USB drive (Around 8 MB)

Step 2
Download the PortableTor Application to your USB drive (Around 7.8 MB)

Step 3
Click on the Portable Tor App executable on your USB drive and extract it to your USB drive

Step 4
Do the same for Mozilla Firefox Portable (I had to point to my USB drive letter which in this case is drive L:)

Step 5 (Optional)
Delete the Installer Files (NOT the folders).

Step 6
Go into the PortableTor folder and click on PortableTor.exe
You should then see additional icons on your system tray (typically on the lower right which contains the clock), and if you have a an application firewall (and you should), it will prompt you if you want to allow the applications (yes its plural) access to the Internet

Step 7
Go back to your Firefox Portable folder and click on FirefoxPortable.exe (You are then prompted whether or not to store your session on your USB stick)

Step 8
Once Firefox is running from your USB, go to Tools>Options>Advanced>Network
Then click on Settings and check if you are using local host and port 8118 (You can change this port but I won’t be discussing that here) which is the default port of PortableTor

Tools>Options>Advanced>Network>Settings

Step 9
Head over to What Is My IP Address? to check if it works.

What is My IP Address?

Step 10
You can then check where your assigned IP is by clicking on the number, in this case, Stockholm… yes I’m in Stockholm because I couldn’t stand the summer heat of Manila… NOT.

So that’s it, you can run more anonymously on the net using PortableTor, albeit much slower than usual (also dependent upon the particular proxy you’re using). In my limited, unscientific testing, my download speeds varied from 1/5th to 4/5th’s its usual speed. The Tor network also encourages you to run a relay (the bandwidth of which you can limit) so that the overall speed of their network becomes a bit faster.

I haven’t tried this out for Instant Messaging, but I soon will.

If you found the above do it yourself USB for Anonymized Browsing interesting, you might also want to check out the XeroBank Browser which its site says to be, “the most popular free and open-source anonymous web browser in the world, with over 9 million downloads.”

---

Info Sec News
(BusinessWorld Online) BSP urges tighter e-banking security
(Computerworld Ph) CICT: Timetable for 2010 automated polls tight
(Inquirer.net) COMELEC Chief Says, ‘No more debates on poll automation’
(PhilStar.com) UP Diliman holds first campus-wide automated polls
(IT Matters.com.ph) Online filing system bogs down one day before April deadline
(IT Matters.com.ph) BPO office builders ditch expansion plans
(IT Matters.com.ph) Ayala outsourcing unit bullish of prospects amid downturn
(IT Matters.com.ph) Convergys opening three more contact centers, to hire 3,100

(Reuters) Facebook, YouTube at work make better employees: study

The H Security Conficker Information Site
(The H Security) Conficker test
(The H Security) Simple Conficker test for end users (Description)
(University of Bonn) Conficker Online Infection Indicator

(Computerworld UK) Police e-crime unit teams with banks for first arrest
(SearchSecurity) RSA panel to discuss surveillance, privacy concerns
(Wash Post Security Fix Blog) Report: China, Russia Top Sources of Power Grid Probes
(The Register) Student sentenced for F-ucked up grade hack

(SecurityFocus) Microsoft patches a passel of flaws
(SecurityFocus) Twitter targeted by XSS worms
(SearchSecurity) Oracle issues 43 updates, fixes serious database flaws
(Reuters Video) Symantec sees more malicious threats (approx 2 mins)
(Inquirer.net) Book a bed and breakfast, catch a ‘virus’

(SC Mag US) Despite downturn, IT security spending to increase
(Computerworld) Privacy rules hamper adoption of electronic medical records, study says
(Computerworld) ‘Mafiaboy’ spills the beans at IT360 on underground hackers
(Computerworld) 1 in 5 Windows PCs still hackable by Conficker
(Computerworld) Botnet operators may be able to profit from Conficker update
(Trend Micro News) Trend Micro Discovers New Variant of Conficker: WORM_DOWNAD.E

---

Site News
Updated the following links pages:
“Software Vulnerabilities” links to “Software Vulnerabilities and Dataloss” and included DatalossDB;
“Security Policy and Best Practices” links to include Information Security Policy World, Windows Security.com’s PDF, Princeton University’s PDF;
“Web App Security” to “Secure Coding and Web App Security” and included US Homeland Security’s Build Security In website

Using Local Transforms in Maltego

Maltego is an open source tool developed by Paterva for rapid information gathering and correlation of data available from the Internet. With the release of Maltego 2.0.2 last January 2009, users can now develop their own local Transforms from any programming language as long as it follows the local Transform Specification. A “Transform“ is an instance of information gathering that processes Entities (e.g. IP addresses, ports, emails, person’s name) either as input or output. A sample Transform can take a DNS name as input and determine its IP address as output. Another Transform can take an individual’s full name as input and determine the websites where his full name can be found as output. Maltego shows the Transform results including the relationships using a graphical user interface.

By default, Transforms are launched from the Maltego client and executed on Paterva’s Transform Application Server (TAS) accessible from the Internet.  Local Transforms execute locally on the user’s computer and not on a TAS. A sample local Transform below takes an “IP Address” Entity as input, launch an NMAP TCP Connect Scan against that IP address and displays the results in Maltego as “Service” Entities. The script for this local Transform can be easily programmed in PERL using the NMAP-Parser module.

The screenshot above shows that  IP address 10.10.10.3 has three open ports with active services running.

Local Transforms provide users the flexibility and power to integrate other security tools (e.g. NMAP, Nessus, Metasploit). Users may be able to centralize security tool execution and documentation in Maltego.

More on Poll Automation and some Tools

Readers of this blog may be getting bored about poll automation, however there are news articles that are pertinent and give good arguments that I believe ought to be posted here.

Dennis Posadas, the Deputy Executive Director of the Philippine Congressional Commission on Science, Technology and Engineering, wrote an article entitled, “Computers can be hacked, so what?” The article details that we take a lot of technology based risks everyday, but it doesn’t mean that we shouldn’t use them. In other words, we make dozens of cost-benefit analyses each day but in the end we mostly benefit.

I am all for the automation of elections, there’s a possibility of it being a game changer and we may actually have a lot less fraud at the polls… something unheard of in my generation. However, I believe that it should be correctly implemented to minimize fraud, because if not, all those billions of pesos in taxpayer money might not go to the pockets of our corrupt officials… oops I mean, all that money will be for nought, and we’ll have the same or even more problems than we do with the un-automated version. The length of time for implementation and the logistical challenges full poll automation presents just strenghthens the case that maybe partial automation may be better.

Technology is an enabler, it can enable poll fraud to be harder, or it can actually make it easier. It all depends on the process.

Intelligent, competent and honest people should run the show (poll automation in this case). Leaders that put too much confidence and give statements that a yet implemented system cannot be hacked, borderline on ignorance, and shouldn’t be there at all… unless of course they have technical advisors that are the best the country can offer.

---

Re-post of earlier Comments

I am re-posting an earlier comment by dts, made by Patrick Dailey since its in the comments section and may not be seen by people who don’t check the comments.

dts said
March 21, 2009 at 10:14 am e

Comments made by
Patrick Dailey CISSP, GCFA, IT Audit and Security Consultant – Managing Director at DigiThreat Solutions
[http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=29343049&gid=1851931]

From an IT project management point of view, 80,000 machines with source code, voter information data, vote data, and other information will be installed throughout the country. Additionally, the provision of transmission of data to a centralized location (presumably via Internet) will have to be procured from each location where the machines are installed. Supplies of ballot paper, training, technical support, and warehousing are all part of this project, and all aspects of this project need to be completed by May 10th, 2010 (417 days from now). The winning bidder is announced on April 27th, 2009, giving the bidder 378 days to complete all tasks.

To say that this project is ambitious would be an understatement – let’s do the math. It will require that the winning bidder install the machines, the software, and (hopefully) test an average of over 200 machines a day, travel not included. This does not account for machines that are dead on arrival. Internet access will need to be procured at locations throughout the country. Ever tried to get an Internet connection procured in a remote province? It can take months to get a reliable connection even in Metro Manila. What about remote islands that offer no Internet service whatsoever?

Logistics will also play a major role – while slightly less than 2000 mothballed counting machines from the 2004 election are sitting in four floors of storage (costing taxpayers P30 million a year), how much storage will 80,000 counting machines require? If the same size of machines and stacking capability is utilized as is the current storage, it will require 160 floors, or roughly 40 hectares, of storage space. Phasing the storage of equipment in warehouses will add to the complexity of the project, and delivery of machines and other materials to the end location to install (and coordinating with the installers) would almost require a Ph.D. in logistics, if there was such a degree. Add training and technical support to the equation, and you have an extremely difficult project. I have no reason to doubt Mr. Tolentino when he has confidence in the bidders capabilities, but this type of project would stretch many large multi-national companies. Simply put, whoever wins this project has their hands very full, and I do wish them the best of luck.

Assuming the bidder can survive the project demands and logistics, they will then have to contend with the security risks that are involved with this undertaking. While “hackers” are the “in” thing to talk about, they are a very small subset of the overall security risks. Here are some very basic IT security questions the winning bidder should be asking before even bidding on the project:

-Are there a defined information security policies and procedures for this project?
-What is the overall network architecture of this project, including systems, ports, data transmission, data locations, and other pertinent information? Where are its weak points?
-Will firewalls be a part of the architecture? What is blocked? What is allowed? What is needed?
-Are wireless technologies utilized? If so, is it secured, or can someone sit outside the precinct offices and modify the votes?
-Is SMS an option being considered, and if so, what is being done to secure SMS?
-How does the transmission of data occur? Is it encrypted? If so, how?
-Is data transmission from one location to another vulnerable to man-in-the-middle or other attacks? If you do not know what a man-in-the-middle attack is, it is probably recommended that you not bid on this project.
-What happens if there is no electricity, or there is an outage during the middle of the election? What happens if there is an Internet/telco outage? Is there a detailed continuity and/or recovery program? If so, does the introduction of people handling the data provide added risk?
-How is the centralized data secured? Is it centralized on a SQL database? If so, how secure is your SA password and how vulnerable are you to SQL injection attacks?
-What if there are discrepencies between the vote tallies at the precinct, and the vote tallies that ends up being stored at the centralized location? What happens?

Many more IT questions could and will be asked, but the IT questions go well beyond the source code of the application. The source code could be absolutely fine, but if the underlying architecture has problems, then there are significant risks. It’s like building a mansion on an unstable slope – it might look good, but will crumble at the first sign of stress.

In a case such as elections, people pose an additional risk. Some questions to ask include:

-Will all programmers, installers, and other employees undergo background checks to help ensure that they cannot be compromised by third parties?
-How are devices physically secured from being compromised? Are guards watching them? If so, do they know what to look for? Or are they part of the problem?
-What if it weren’t typical “hackers”, but a foreign government trying to ensure that their preferred candidate gets elected? If you think that is far-fetched, then why were both the campaigns of John McCain and Barack Obama hacked by a foreign entity last year while leading up to the election? Why is the Chinese government repeatedly alleged to be hacking into foreign government systems?

The project scope, risks, and huge budget make this an extremely difficult endeavor. While Mr. Tolentino makes some pretty bold statements, it’s ultimately up to the winning bidder to follow through on the assertions he has made. Our company, as I am sure many other information security companies, would love to see the finished product. However, the source code is only a small component of the overall product and project, and will not give an overall picture of the security of the 2010 elections.

---

Seminars and Conventions

DEFCON Philippines BeerTalk II will be on April 24, 2009 7PM at Grilla, Paseo De Roxas Avenue Branch (near Greenbelt), Makati City, Philippines

THE 2ND SOCIAL NETWORKING AND E-BUSINESS CONFERENCE 2009 will be on April 23 – 24, 2009 at the Grand Ballroom, Hotel Intercontinental, Makati City, Philippines

---

Tools for Man in the Middle Attacks

Middler by Jay Beale
sslstrip by Moxie Marlinspike

---

Tips

(The H Security) The right way to handle encryption with Firefox 3

---

Other InfoSec News

(SC Magazine US) Internet Explorer 8 “critical” flaw in final version
(Computerworld Philippines) New IE8 still the slowest browser
(SearchSecurity) Internet Explorer 8 includes a bevy of security features
(Computerworld) IE8 best at blocking malware sites, says Microsoft sponsored study
(The Register) A grim day for browser security at hacker contest
(The H Security) Pwn2Own 2009 ends: Smartphones & Chrome unbroken

(The Register) Newfangled rootkits survive hard disk wiping
(Security Focus) Researchers aim low to root hardware

(SC Magazine US) OWASP Security Spending Benchmarks Report published
(Computerworld Philippines) Asia’s top infocomm event continues to chart region’s IT direction
(Security Focus) China more friend than foe, says white hat
(Computerworld) In poor economy, IT pros could turn to e-crime

(Security Focus) Cybercriminals optimize search for cash
(The Register) Scareware affiliates playing search engines
(Washington Post – Security Fix) Web Fraud 2.0: Data Search Tools for ID Thieves
(The Register) Cybercrime server exposed through Google cache

(The Register) Worm breeds botnet from home routers, modems
(The H Security) Botnet based on home network routers
(The H Security) An Analysis of Conficker-C
(Computerworld) Conficker’s next move a mystery to researchers

(The H Security) Twitter XSS vulnerability
(SecurityFocus) No more bugs for free, researchers say
(The H Security) HP publishes free security tool for Flash developers

(Computerworld) Start-up unveils hybrid cloud/on-site backup service

(SearchSecurity) Diebold ATMs in Russia targeted with malware
(The H Security) Windows Trojan on Diebold ATMs

(SearchSecurity) Firms muddle security breach response, expert says

(SearchSecurity) Microsoft Threat Management Gateway has some drawbacks