frank_boldewin's blog

Analyzing MSOffice malware with OfficeMalScanner - Whitepaper

Finally I'm happy to release my paper Analyzing MSOffice malware with OfficeMalScanner. This paper describes all features of the OfficeMalScanner suite in detail. Further, I've updated some features since my PH-Neutral talk, fixed bugs and replaced bin2code with MalHost-Setup, a much smarter way to analyze the inner workings of shellcode in a real-life session. Both malicious samples described in the paper are included in the package. For sure additionally compressed and with extra password safety.

Get the Paper Here

Enjoy!

OfficeMalScanner released

OfficeMalScanner is an MS Office forensic tool that scans for malicious traces such as shellcode heuristics, embedded PE files or embedded OLE streams. It supports disassembly and a hex view as well as an easy brute-force mode to detect encrypted files. In addition, an Office file is scanned for VB macro code and, if any is found, it is extracted for further analysis.
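As an added illustration (not OfficeMalScanner's own code and not part of this post), here is a small Python sketch of three of the checks named above: the OLE2 compound-file signature, validation of an embedded PE header through its e_lfanew field, and a single-byte XOR brute force that recovers a PE image hidden in a constructed sample document. The sample file and the minimal PE stub are constructed here for the demonstration; they are not real malware.

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / compound file signature


def find_pe_headers(data: bytes):
    """Return offsets of candidate embedded PE images: an 'MZ' stub whose
    e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature in the buffer.
    Checking e_lfanew filters out the many accidental 'MZ' byte pairs."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def has_ole_header(data: bytes) -> bool:
    return data.startswith(OLE_MAGIC)


def xor_bruteforce(data: bytes):
    """Brute-force mode: try every single-byte XOR key and return
    (key, offsets) for the first key under which a valid PE header appears."""
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        hits = find_pe_headers(decoded)
        if hits:
            return key, hits
    return None


def build_fake_pe() -> bytes:
    # Constructed: minimal MZ stub plus PE signature, not a runnable executable.
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x80)          # e_lfanew -> 0x80
    stub += b"\x00" * (0x80 - len(stub)) + b"PE\x00\x00" + b"\x00" * 20
    return bytes(stub)


def build_sample() -> bytes:
    # Constructed "document": OLE header, padding, then the stub XORed with 0x5A.
    encrypted = bytes(b ^ 0x5A for b in build_fake_pe())
    return OLE_MAGIC + b"\x00" * 0x200 + encrypted + b"\x00" * 32


if __name__ == "__main__":
    doc = build_sample()
    print("OLE:", has_ole_header(doc), "plain PE:", find_pe_headers(doc),
          "xor:", xor_bruteforce(doc))
```

The plain scan finds nothing in the sample because the PE is XOR-encoded; only the brute-force pass reports key 0x5A and the offset of the hidden image.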

http://www.reconstructer.org/code/OfficeMalScanner.zip

Enjoy!

Talk on "Analyzing exploitable file formats" at PH-Neutral

Thorsten Holz and I are giving a talk at the next PH-Neutral, a 31337 invite-only conference from FX and the gang in Berlin. Thorsten and I will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files like PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present 2 new tools developed especially for malicious Office-file analysis.

I hope to meet a lot of interesting people again this year!

Cya on 29th and 30th May 2009 in Berlin!

Comments on NYT article: A sneaky security problem, ignored by the bad guys

Today I read an article on the New York Times website called "A sneaky security problem, ignored by the bad guys".

NY Times: A Sneaky Security Problem

I had a conversation by phone and mail with its author Robert McMillan from IDG News before, and I answered some of his questions about my Rustock.C research as he planned to write the above story. There are some quotes by Al Huger from Symantec in this article I would like to comment on, as I disagree with most of his statements regarding rootkits.

Rustock.C - When a myth comes true - Slides online now

enjoy!

http://www.reconstructer.org/papers/Rustock.C%20-%20When%20a%20myth%20comes%20true.pdf

Hack.lu talk on Rustock.C

On Thursday morning I will give a talk on Rustock.C analysis at Hack.lu in Luxembourg. After the conference is over, I will publish the slides on my site. I hope there will be some interesting speeches and good discussions on security and malware analysis.

cu @ the conference!

cheers,
frank

More advanced unpacking - Part II

With "More advanced unpacking - Part II" I show you how to decrypt an infamous real-life malware called WSNPOEM (aka Infostealer.Banker.C). The binaries are usually created with a tool called ZEUS Builder, and lots of different versions exist in the wild. I found samples with and without rootkit functionality. There are also "on top" packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways.

1. Manual unpacking + import fixing
2. Manual unpacking + Auto import fixing
3. Auto unpacking/import fixing

Stage 2 introduces a nice tool called "Universal Import Fixer" and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.

Find the information on Reconstructer.org

More advanced unpacking - Part I

Unbelievable but true. After 4 months of getting owned by other things making my life mad, I finally managed to release a new unpacking tutorial. This one goes into far more depth than the beginners' tutorial I released last year. It aims to show some generic tricks and tools that can be used on many other protectors. Enjoy!

Find the files here

Peacomm.C - Cracking the nutshell

No, I'm not dead. Just too busy in the last weeks. But today I have a new paper for you. It's an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and everything that happens along the way, like: XOR + TEA decryption, TIBS unpacking, defeating anti-debugging code, file dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit driver does.

http://www.reconstructer.org/papers.html

cheers,
frank

Practical COM code reconstruction with IDA PRO (Movie tutorial)

Since more and more malware is using the COM interface, I thought it was time to write some reconstruction helpers and create a video tutorial on how to use them on real-life malware. You'll see how a complete function which uses the COM interface is translated into far more readable code than before. The code itself dumps the Windows Protected Storage to steal account data like member site passwords, Outlook Express accounts, autocomplete fields and so forth. The IDAPython scripts are also available on my site.

Practical COM Code Reconstruction at Reconstructer.org

Enjoy,
Frank Boldewin
