Storm Worm Reversing Challenge
Submitted by asmatiks on Wed, 2008-04-30 06:48. Reversing Challenges
Hi folks,
For over a year now, Storm has dominated the malware of its class. (still?)
One of the biggest challenges has been the diversity of packers used on its various versions.
So here is our challenge.
1 - pick up any sample of the Storm Worm Trojan.
2 - unpack it and reconstruct the IAT if needed.
3 - upload your unpacked binary to a fileserver and submit the link here with your comments.
PS: Please don't forget to mention the md5sum of the sample you've chosen.
Clarity of the final unpacked code is what is most appreciated.
So pick up a sample packed with a packer you know quite well to save yourself some time.
VXers Slap Copyright Notices on Malware
Submitted by Ichinin on Mon, 2008-04-28 23:38. Malware
Found this on Packetstorm. I remember that Mudge made a joke on this topic several years ago in his presentation at Blackhat.
http://www.theregister.co.uk/2008/04/28/malware_copyright_notice/
Race to Zero: A Golden Opportunity for the Antivirus Industry
Submitted by dannyquist on Sun, 2008-04-27 11:03. Malware | Press
A new contest called Race to Zero is being held at Defcon this year. The premise is that you take a modern virus and modify it to evade detection by antivirus companies. The AV industry is officially crying foul, saying that this only encourages bad behavior. The organizers say it will point out the shortcomings of modern AV engines.
I'm going to ruin part of the contest: It's scandalously easy to circumvent any antivirus engine with a trivial amount of work. There has been evidence of this: The Consumer Reports scandal is one of them. The point is that it is not difficult to apply some seemingly minor and trivial modification that completely evades detection. The AV companies know it, the malware authors know it, the only people who don't have a clue are the consumers. Shaking their confidence in spending $60 per year on updates is something that the AV vendors fear. That's why the lawyers are probably going to get involved very quickly.
In lieu of this sure to be scandalous con drama, I propose a secondary contest. Antivirus vendors all race each other to develop signatures for the new variants as quickly as possible. Bring your best analysts to Defcon, or engage the home analysts, and show the true value of a good AV company: its signature development and reverse engineering teams.
Kraken Reverts to HTTP
Submitted by paulroyal on Tue, 2008-04-22 15:14. Malware
Following a friendly heads up from someone yesterday morning, I re-loaded the following Kraken samples into my honeypot:
1d51463150db06bc098fef335bc64971
65b958bf6f5eddca3d9455354af08b6f
6ec7d67d5553cbec2a99c7fbe385a729
7ecef2f126e66e7270afa7b803f715bc
8fd8c67103ec073d9303a7fbc702f89a
and began monitoring them. Each sample proceeded to update itself; the updated binary is around 160KB, given a random name and placed in the system32 directory, and no longer has an imagefile icon.
The names/MD5 values of samples I got are:
26bd8e696629edba4a1d610d1062b3f1 jtliutnj.exe
36a8c8cce65c9ab46fca127de9dcc5d1 niksojrjbg.exe
b5f65d971d7362512dafdb473ef5888d xfkmrb.exe
5f94989145b4bf69cf81c223b15ec653 yy.exe
5c9274a4483ed540fd433a2cd885e561 zp.exe
As someone mentioned, it does indeed appear that Kraken/Bobax has changed (perhaps reverted?) its C&C to HTTP. The honeypot session for 1d51463150db06bc098fef335bc64971 goes something like the following:
UTC 15:30 - Honeypot infected with 1d51463150db06bc098fef335bc64971.
UTC 15:45 - niksojrjbg.exe appears in system32 directory.
UTC 15:50 - Last TCP/UDP 447 packets (host 209.160.65.66) observed.
UTC 16:00 - Spam run commences.
UTC 16:10 - First observed HTTP communication with C&C.
The samples do not appear to be using DNS to obtain IPs of the C&C servers. The C&C IPs I've been able to identify from the samples are 208.101.52.82, 208.101.54.243, and 208.101.42.28. Communication is performed by the victim making an HTTP POST (poststring attached); receipt of binary data with a bogus MIME type follows:
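Detection logic for the C&C pattern described in the post above (HTTP POST straight to hardcoded IPs with no DNS lookup, then a binary response served under a bogus MIME type), as an added example that is not part of the original post. The proxy log format and the sample lines are constructed for the example; the three 208.101.x.x addresses are the ones named in the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# C&C addresses named in the post above (illustrative watchlist).
KRAKEN_CC = {"208.101.52.82", "208.101.54.243", "208.101.42.28"}

# Magic bytes that identify a payload regardless of the declared MIME type.
MAGIC = {b"MZ": "application/x-dosexec", b"PK\x03\x04": "application/zip"}

# Constructed log format (assumption, not any real proxy's format):
# <ts> <client> <method> <url> <status> <declared-mime> <body-hex-prefix>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) ([0-9a-fA-F]*)$")

def sniff(body_prefix: bytes):
    """Return the MIME type implied by the body's leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if body_prefix.startswith(magic):
            return mime
    return None

def analyze_line(line: str):
    """Return (ts, client, host, reasons) when the line looks like C&C traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, declared, body_hex = m.groups()
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)      # bare IP in the URL: no DNS resolution
        bare_ip = True
    except ValueError:
        bare_ip = False
    reasons = []
    if method == "POST" and bare_ip:
        reasons.append("POST to bare IP (no DNS lookup)")
    if host in KRAKEN_CC:
        reasons.append("known Kraken C&C address")
    real = sniff(bytes.fromhex(body_hex))
    if real and not declared.lower().startswith(real):
        reasons.append(f"declared {declared} but body is {real}")
    return (ts, client, host, reasons) if reasons else None

def analyze(lines):
    """Run analyze_line over a log and keep only the flagged records."""
    return [r for r in (analyze_line(l) for l in lines) if r]

SAMPLE_LOG = [  # constructed sample lines
    "2008-04-22T16:10:05Z 10.0.0.7 POST http://208.101.52.82/ 200 text/html 4d5a9000",
    "2008-04-22T16:12:30Z 10.0.0.7 GET http://www.example.com/index.html 200 text/html 3c68746d6c3e",
    "2008-04-22T16:15:00Z 10.0.0.9 POST http://203.0.113.5/upload 200 text/plain 504b0304",
]
```

The first and third constructed lines are flagged (the first on all three checks), while the ordinary GET to a hostname is not.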
Apple Fixed Piggybacking Issue in Software Update
Submitted by Zeno on Sun, 2008-04-20 22:27. Exploits
If you are using Apple applications on Windows, I'm pretty sure you have encountered this.
A couple of weeks ago there was a series of reactions, specifically from those who understand information security, criticizing Safari 3.1's piggybacking, or stealth installation, through Software Update. [full story here]
The interesting news is that Apple listened and fixed this issue in its latest Software Update tool for Windows, version 2.1.
Apple fixed the issue by creating two sections: (1) Updates, (2) New Software. This shows that Safari 3.1 is no longer piggybacking in software updates since it has its own category as New Software, which is good.
But the tick boxes are still filled in by default? [full story here]
Autorun Manager (OSAM) - utility which helps to find malware/rootkits at startup
Submitted by OnlineSolutions on Sun, 2008-04-13 08:49. Scanner | Tools
Hello!
We developed a free utility (Online Solutions Autorun Manager - OSAM) that helps to find malware/rootkits at a computer's startup. It may be very useful for malware analysts, helpers and other users.
Here is an overview and download link.
I hope to find beta-testers for our software here and get some feedback and suggestions to improve it! If you have any questions feel free to contact me.
SANS - What Works In Penetration Testing and Ethical Hacking Summit 2008
Submitted by valsmith on Thu, 2008-04-10 20:27. Administrivia
Las Vegas, NV, May 31 - June 9, 2008
HD Moore and Valsmith will be teaming up to teach a course on Tactical Exploitation at SANS in Las Vegas.
Here is the link to the course:
Penetration testing often focuses on individual vulnerabilities and services, but the quickest ways to exploit are often hands-on and brute force. This two-day course introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits. The class alternates between lectures and hands-on testing, providing attendees with an opportunity to try the techniques discussed. A virtual target network will be provided, along with all of the software needed to participate in the labs.
Here is the link to the Summit:
and you can sign up here:
See you all there!
V.
Large Batch of Kraken Samples
Submitted by dannyquist on Thu, 2008-04-10 15:23. Malware
Paul Royal was gracious enough to send a large collection of Kraken samples. You can download them from the list here. Thanks Paul!
Storm Worm Config file parser
Submitted by cjeremy on Mon, 2008-04-07 16:02. Malware | tools
I have written a small Perl script that will extract the IP addresses and port numbers from the Storm Worm configuration file. Right now this file can be found on an infected machine in the C:\windows directory and is currently named "aromis.config". This is a fairly simple script to run and it has the ability to parse multiple files, as it accepts wildcard characters "*" and/or multiple filenames. If you're interested, here is a link to it: storm_config_decoder_pl. Feel free to contact me if you have any questions or comments.
RSA 2008: Reverse-Engineering Malware and Commercial Software Armoring
Submitted by dannyquist on Sun, 2008-04-06 21:53. Research
If you're going to be at the RSA 2008 conference, please join Colin Ames and me in our talk "Reverse-Engineering Malware and Commercial Software Armoring" on Thursday April 10 at 9:10am in the Research Revealed track. We'll generally be around the conference, so be sure to say hello.
Here's the abstract:
"Protecting software from reverse-engineering has been a common goal of both commercial software and malware authors. Anti-reverse engineering techniques will be demonstrated and methods of circumventing them will be presented. A forensically sound kernel-based monitoring system will be shown as an effective way to monitor and instrument running applications."
