Some Malware Analysis Tools

I just recently went through a great, albeit difficult, Malware Analysis course. It was very informative and it stretched my ability to understand and follow. The usual DISCLAIMER applies: use the tools at your own risk and your own malware.

Here are some of the free tools we used (and there are a lot of free tools available):

We first installed Virtual Box

Then used the following for Surface Analysis:
Hash Analysis – HashTab (free for personal or private use)
File Type Analysis – TrID
String Analysis – BinText and Sysinternals’ String.exe
Binary Editor – HxD
Pack Analysis – CFF Explorer

Runtime Analysis:
Sysinternals’ Process Explorer
regshot
WinPcap
Wireshark
Sysinternals’ Process Monitor
TCPView
FUndelete (Sysinternals’ old software)
Autoruns
ADSSpy

Static Analysis:
IDA Pro Free
MSDN Library
OllyDbg Version 1
Immunity Debugger
Python 2.5

---

Some Malware Analysis Links:

Practical Malware Analysis PDF by Kris Kendall from BH 07
PenTestIT’s Atool (I’ve never used this but you may want to check it out)
Malware Analysis Tools – from the SANS diary of 2006
Malware Analysis for Fun and Profit PDF
Malware Analysis Presentation from HK’s Professional InfoSec Association

Advertisement

Black Hat Presentations, Flash App Tools, Free AV and News

The next BlackHat.com webcast will be about Mobility and Security on May 21 1pm PDT (Friday, May 22, 2009 at 4 AM in Manila, according to The World Clock).

Black Hat Webcast 9 (34MB audio, around 79 mins running time; WebSync version is here) is a preview of the Black Hat Conference in Amsterdam that was held from April 16-17, 2009 (see link to presentations below).
The following people and their presentation topic were in this webcast:

Enno Ray – Attacking Backbone Technologies
Charlie Miller and Vincenzo Iozzo – Fun and Games with Mac OS X and iPhone Payloads
Stefano Zanero – Web App Firewall Based on Anomaly Detection
Roberto Gassira’ and Roberto Piccirillo – Hijacking Mobile Data Connections

Past Black Hat Conferences:
Video of Charlie Miller and Vincenzo Iozzo’s presentation on Mac and iPhone payloads (152 MB)
Black Hat Europe 2009 (Amsterdam) Media Archives
Black Hat USA 2008 Archives

---

Flash App Vulnerability Tools

Exposing Flash Application Vulnerabilities with SWFScan
Flare
SWFIntruder

---

Free Anti-Virus

F-Secure Online Scanner Beta Program

---

InfoSec News

(Inquirer.net) Has your e-mail address won in a lottery?
(Computerworld PH) Report: Web continues to rise as security threat

(Inquirer.net) RP gov’t websites vulnerable to hacking
(Inquirer.net) Cyber spies hack into DFA computers
(Inquirer.net) RP needs cybersecurity program–CICT
(Inquirer.net) PNP experts tell how to catch a hacker

(Inquirer.net) Purge 2-M ‘flying’ voters, Comelec told
(Manila Times) Lawmaker to hack Comelec electronic counting machines
(Inquirer.net) Hack poll machines and win P100M
(Inquirer.net) P100M hack reward ‘dishonors’ poll automation
(Inquirer.net) Hacking poll results to take lots of time
(Inquirer.net) Comelec to tap DOST on poll machine testing
(Inquirer.net) Comelec mulls inclusion of more provinces in poll automation

(Inquirer.net) Comelec eyes YouTube stardom to lure voters

(PhilStar) Is quitting Twitter more popular than re-tweeting?
(IT Matters.com) Twitter — a rising marketing channel?

(PhilStar) Globe backs ICT Awards

(Inquirer.net) RP seeks removal from USTR watch list
(Inquirer.net) Twitter, Facebook abuzz over Pacquiao win

(Computerworld) Facebook’s privacy options
(Computerworld) How Facebook mucks up office life
(Wired) PIN Crackers Nab Holy Grail of Bank Card Security

(SecurityFocus) Researcher argues for CERTs with teeth
(Inquirer.net) Cyberspies hack into US fighter project
(H Security) Linux cache poisoning attacks easier than on Windows?
(Computerworld) 20 kick-ass network research projects

(Computerworld) Leaked copies of Windows 7 RC contain Trojan
(Computerworld) Botnet probe turns up 70GB of personal, financial data
(Computerworld) Heartland earns back spot on PCI-approved list

(The Register) Security researchers fret over Adobe PDF flaw
(H Security) Demo exploits for new vulnerabilities in Adobe Reader
(SecurityFocus) Companies slowest to fix Office, Acrobat flaws
(SecurityFocus) JavaScript flaw reported in Adobe Reader

(The Register) US Congress wants hack teams for self-penetration
(Boston.com) US looks to hackers to protect cyber networks
(NY Times) ‘Hackers wanted’ ad fed security misconception

(The Register) Botnet hijacking reveals 70GB of stolen data
(The Register) Twitter breach gives behind-the-scenes Obama peek

(The Register) Firefox finds more pesky bugs
(H Security) Firefox 3.0.10 fixes critical vulnerability

(The Register) Hacker behind P2P botnet gets no jail time
(The Register) US military’s cyberwar rules ‘ill-formed,’ says panel
(NY Times) Panel Advises Clarifying U.S. Plans on Cyberwar
(The Register) Adobe users imperiled by critical Reader flaw

(H Security) Lost+found: Worms, Exploits, Online Scanners
(NY Times) H.P. Labs Pulls Out the Measuring Stick

Using Local Transforms in Maltego

Maltego is an open source tool developed by Paterva for rapid information gathering and correlation of data available from the Internet. With the release of Maltego 2.0.2 last January 2009, users can now develop their own local Transforms from any programming language as long as it follows the local Transform Specification. A “Transform“ is an instance of information gathering that processes Entities (e.g. IP addresses, ports, emails, person’s name) either as input or output. A sample Transform can take a DNS name as input and determine its IP address as output. Another Transform can take an individual’s full name as input and determine the websites where his full name can be found as output. Maltego shows the Transform results including the relationships using a graphical user interface.

By default, Transforms are launched from the Maltego client and executed on Paterva’s Transform Application Server (TAS) accessible from the Internet.  Local Transforms execute locally on the user’s computer and not on a TAS. A sample local Transform below takes an “IP Address” Entity as input, launch an NMAP TCP Connect Scan against that IP address and displays the results in Maltego as “Service” Entities. The script for this local Transform can be easily programmed in PERL using the NMAP-Parser module.

The screenshot above shows that  IP address 10.10.10.3 has three open ports with active services running.

Local Transforms provide users the flexibility and power to integrate other security tools (e.g. NMAP, Nessus, Metasploit). Users may be able to centralize security tool execution and documentation in Maltego.

Much ado about Conficker

There’s been much hullabaloo about the Conficker worm lately, especially since it’s supposed to phone home to around 500 servers (from a possible 50,000) this coming April 1st. So much so that even the New York Institute of Photography has sent an e-mail warning and telling photographers to back up their files just in case. Microsoft started a group called Conficker Cabal around mid last month that has unfortunately only had partial success, since on March 5th, around a fifth of infected machines updated themselves from variant B to variant C.

I doubt that typical users will get affected by it that much… BUT if you’re an Admin that wasn’t able to patch soon, then you may be in for a long day.

Researchers from the Honeynet Project have released a proof of concept (PoC) to detect the worm by using network scanners. The PoC code can be found at the Computer Science site of the University of Bonn.

Nmap has released 4.85 Beta 5 which contains the Conficker detection logic, and so have Qualys and nCircle.

You can also check out Dan Kaminsky’s personal blog for more info. By the way, his blog has a cool little tool that may detect if your DNS is vulnerable to what he discovered last year (check out this illustrated guide to the vulnerability).

Other Conficker News:
(Computerworld) Researchers exploit Conficker flaw to find infected PCs
(Security Focus) Researchers find way to detect Conficker
(The H Security) German researchers develop network scan for Conficker worm
(SC Magazine UK) Malware expert believes that Conficker author will create a new variant
(SC Magazine US) Conficker detection tool released as D-Day nears

---

Seminars and Conventions
ISACA Manila will be holding their annual conference with the theme, “IT Governance: Solving the Puzzle” this coming April 14 and 15 at the Renaissance Hotel, Makati City. The conference will have a plenary session on IT Governance topics such as IT Management, IT Security, IT Auditing and IT Risk Management. For more info, check out the ISACA Manila Conference Website, call the Secretariat at (+632) 894-2533, (+63919) 288-4410, or email them at secretariat@isaca-manila.org.

---

More on Poll Automation and some Tools

Readers of this blog may be getting bored about poll automation, however there are news articles that are pertinent and give good arguments that I believe ought to be posted here.

Dennis Posadas, the Deputy Executive Director of the Philippine Congressional Commission on Science, Technology and Engineering, wrote an article entitled, “Computers can be hacked, so what?” The article details that we take a lot of technology based risks everyday, but it doesn’t mean that we shouldn’t use them. In other words, we make dozens of cost-benefit analyses each day but in the end we mostly benefit.

I am all for the automation of elections, there’s a possibility of it being a game changer and we may actually have a lot less fraud at the polls… something unheard of in my generation. However, I believe that it should be correctly implemented to minimize fraud, because if not, all those billions of pesos in taxpayer money might not go to the pockets of our corrupt officials… oops I mean, all that money will be for nought, and we’ll have the same or even more problems than we do with the un-automated version. The length of time for implementation and the logistical challenges full poll automation presents just strenghthens the case that maybe partial automation may be better.

Technology is an enabler, it can enable poll fraud to be harder, or it can actually make it easier. It all depends on the process.

Intelligent, competent and honest people should run the show (poll automation in this case). Leaders that put too much confidence and give statements that a yet implemented system cannot be hacked, borderline on ignorance, and shouldn’t be there at all… unless of course they have technical advisors that are the best the country can offer.

---

Re-post of earlier Comments

I am re-posting an earlier comment by dts, made by Patrick Dailey since its in the comments section and may not be seen by people who don’t check the comments.

dts said
March 21, 2009 at 10:14 am e

Comments made by
Patrick Dailey CISSP, GCFA, IT Audit and Security Consultant – Managing Director at DigiThreat Solutions
[http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=29343049&gid=1851931]

From an IT project management point of view, 80,000 machines with source code, voter information data, vote data, and other information will be installed throughout the country. Additionally, the provision of transmission of data to a centralized location (presumably via Internet) will have to be procured from each location where the machines are installed. Supplies of ballot paper, training, technical support, and warehousing are all part of this project, and all aspects of this project need to be completed by May 10th, 2010 (417 days from now). The winning bidder is announced on April 27th, 2009, giving the bidder 378 days to complete all tasks.

To say that this project is ambitious would be an understatement – let’s do the math. It will require that the winning bidder install the machines, the software, and (hopefully) test an average of over 200 machines a day, travel not included. This does not account for machines that are dead on arrival. Internet access will need to be procured at locations throughout the country. Ever tried to get an Internet connection procured in a remote province? It can take months to get a reliable connection even in Metro Manila. What about remote islands that offer no Internet service whatsoever?

Logistics will also play a major role – while slightly less than 2000 mothballed counting machines from the 2004 election are sitting in four floors of storage (costing taxpayers P30 million a year), how much storage will 80,000 counting machines require? If the same size of machines and stacking capability is utilized as is the current storage, it will require 160 floors, or roughly 40 hectares, of storage space. Phasing the storage of equipment in warehouses will add to the complexity of the project, and delivery of machines and other materials to the end location to install (and coordinating with the installers) would almost require a Ph.D. in logistics, if there was such a degree. Add training and technical support to the equation, and you have an extremely difficult project. I have no reason to doubt Mr. Tolentino when he has confidence in the bidders capabilities, but this type of project would stretch many large multi-national companies. Simply put, whoever wins this project has their hands very full, and I do wish them the best of luck.

Assuming the bidder can survive the project demands and logistics, they will then have to contend with the security risks that are involved with this undertaking. While “hackers” are the “in” thing to talk about, they are a very small subset of the overall security risks. Here are some very basic IT security questions the winning bidder should be asking before even bidding on the project:

-Are there a defined information security policies and procedures for this project?
-What is the overall network architecture of this project, including systems, ports, data transmission, data locations, and other pertinent information? Where are its weak points?
-Will firewalls be a part of the architecture? What is blocked? What is allowed? What is needed?
-Are wireless technologies utilized? If so, is it secured, or can someone sit outside the precinct offices and modify the votes?
-Is SMS an option being considered, and if so, what is being done to secure SMS?
-How does the transmission of data occur? Is it encrypted? If so, how?
-Is data transmission from one location to another vulnerable to man-in-the-middle or other attacks? If you do not know what a man-in-the-middle attack is, it is probably recommended that you not bid on this project.
-What happens if there is no electricity, or there is an outage during the middle of the election? What happens if there is an Internet/telco outage? Is there a detailed continuity and/or recovery program? If so, does the introduction of people handling the data provide added risk?
-How is the centralized data secured? Is it centralized on a SQL database? If so, how secure is your SA password and how vulnerable are you to SQL injection attacks?
-What if there are discrepencies between the vote tallies at the precinct, and the vote tallies that ends up being stored at the centralized location? What happens?

Many more IT questions could and will be asked, but the IT questions go well beyond the source code of the application. The source code could be absolutely fine, but if the underlying architecture has problems, then there are significant risks. It’s like building a mansion on an unstable slope – it might look good, but will crumble at the first sign of stress.

In a case such as elections, people pose an additional risk. Some questions to ask include:

-Will all programmers, installers, and other employees undergo background checks to help ensure that they cannot be compromised by third parties?
-How are devices physically secured from being compromised? Are guards watching them? If so, do they know what to look for? Or are they part of the problem?
-What if it weren’t typical “hackers”, but a foreign government trying to ensure that their preferred candidate gets elected? If you think that is far-fetched, then why were both the campaigns of John McCain and Barack Obama hacked by a foreign entity last year while leading up to the election? Why is the Chinese government repeatedly alleged to be hacking into foreign government systems?

The project scope, risks, and huge budget make this an extremely difficult endeavor. While Mr. Tolentino makes some pretty bold statements, it’s ultimately up to the winning bidder to follow through on the assertions he has made. Our company, as I am sure many other information security companies, would love to see the finished product. However, the source code is only a small component of the overall product and project, and will not give an overall picture of the security of the 2010 elections.

---

Seminars and Conventions

DEFCON Philippines BeerTalk II will be on April 24, 2009 7PM at Grilla, Paseo De Roxas Avenue Branch (near Greenbelt), Makati City, Philippines

THE 2ND SOCIAL NETWORKING AND E-BUSINESS CONFERENCE 2009 will be on April 23 – 24, 2009 at the Grand Ballroom, Hotel Intercontinental, Makati City, Philippines

---

Tools for Man in the Middle Attacks

Middler by Jay Beale
sslstrip by Moxie Marlinspike

---

Tips

(The H Security) The right way to handle encryption with Firefox 3

---

Other InfoSec News

(SC Magazine US) Internet Explorer 8 “critical” flaw in final version
(Computerworld Philippines) New IE8 still the slowest browser
(SearchSecurity) Internet Explorer 8 includes a bevy of security features
(Computerworld) IE8 best at blocking malware sites, says Microsoft sponsored study
(The Register) A grim day for browser security at hacker contest
(The H Security) Pwn2Own 2009 ends: Smartphones & Chrome unbroken

(The Register) Newfangled rootkits survive hard disk wiping
(Security Focus) Researchers aim low to root hardware

(SC Magazine US) OWASP Security Spending Benchmarks Report published
(Computerworld Philippines) Asia’s top infocomm event continues to chart region’s IT direction
(Security Focus) China more friend than foe, says white hat
(Computerworld) In poor economy, IT pros could turn to e-crime

(Security Focus) Cybercriminals optimize search for cash
(The Register) Scareware affiliates playing search engines
(Washington Post – Security Fix) Web Fraud 2.0: Data Search Tools for ID Thieves
(The Register) Cybercrime server exposed through Google cache

(The Register) Worm breeds botnet from home routers, modems
(The H Security) Botnet based on home network routers
(The H Security) An Analysis of Conficker-C
(Computerworld) Conficker’s next move a mystery to researchers

(The H Security) Twitter XSS vulnerability
(SecurityFocus) No more bugs for free, researchers say
(The H Security) HP publishes free security tool for Flash developers

(Computerworld) Start-up unveils hybrid cloud/on-site backup service

(SearchSecurity) Diebold ATMs in Russia targeted with malware
(The H Security) Windows Trojan on Diebold ATMs

(SearchSecurity) Firms muddle security breach response, expert says

(SearchSecurity) Microsoft Threat Management Gateway has some drawbacks

Info Sec News, Dec 2, 2008

A rootkit was found in an Enterprise Information Security software, reports Heise Security and The Register.

Another vulnerability was found in the popular VLC media player. So if you can, update.

The Chicago Tribune reports that a new round of cyber attacks has the Pentagon worried. They normally get a whole number of attacks per day, however, the magnitude and way the new attacks are being done are apparently designed to specifically attack military networks. Heise also covers the same topic here and here.

The Linux on iPhone project has released the first results of its project.

Anti-virus seems to be ineffective versus new malware that makes zombies out of PCs. Stuart Staniford talks about it in his blog.

WordPress update fixes XSS vulnerability.

Google denies security hole in GMail.

Microsoft adds malware detection to its Webmaster tools. Speaking of Microsoft, a new windows worm builds a massive botnet worth around half a million computers and growing.

For the first time, Apple quietly recommended Anti Virus software in a technote. About.com has Mac Anti-Virus recommendations. iAntivirus and ClamXav are free.