dannyquist's blog

Large Batch of Kraken Samples

Paul Royal was gracious enough to send a large collection of Kraken samples. You can download them from the list here. Thanks Paul!

RSA 2008: Reverse-Engineering Malware and Commercial Software Armoring

If you're going to be at the RSA 2008 conference, please join Colin Ames and me for our talk "Reverse-Engineering Malware and Commercial Software Armoring" on Thursday April 10 at 9:10am in the Research Revealed track. We'll generally be around the conference, so be sure to say hello.

Here's the abstract:

"Protecting software from reverse-engineering has been a common goal of both commercial software and malware authors. Anti-reverse engineering techniques will be demonstrated and methods of circumventing them will be presented. A forensically sound kernel-based monitoring system will be shown as an effective way to monitor and instrument running applications."

Storm Worm Hoax

This year's April Fool's Day trick was to post a near-exact copy of the Storm Worm propagation page on our website. The big change that I made was to swap out the executable with a custom compiled one. The code wasn't all that complicated. It was just a normal Visual Studio Win32 console project with a single printf that said, "Yes it's a joke. :)". I then swapped out the debugger file link with a link to YouTube. Most people that downloaded and analyzed the file seemed to get the joke at that point, but others took concern and were nice enough to notify us of the problem. The file even found its way onto VirusTotal for scanning.

Here is the complete number of people who downloaded the executables over the day:

foolsday.exe - 266 accesses
kickme.exe - 220 accesses
funny.exe - 1991 accesses

Sophos: RAPIL

When they aren't busy misclassifying benign research tools as malware, Sophos Labs is busy developing new and exciting malware protection. Their latest tool, RAPIL, detects a hacker writing evil programs. When this hacker is detected the computer is locked and the malware is prevented.

This was my favorite April Fool's joke of the day. :)

"An exciting day in SophosLabs. After long and arduous efforts, we announce our new beta technology offering to defeat the hackers, which we are currently referring to as RAPIL (Recognition and Analysis of Potentially Intruding Lifeforms)."

Updated Saffron-DI Code 0.2a

I've fixed a bug inside the Saffron-DI code that was released at last year's Blackhat USA. It should result in better dumps of executables. I've tested it out with the latest version of Intel's PIN (as of this writing, 2.3-17236, IA32).

Saffron-DI 0.2a

Installation instructions are on the original Covert Debugging post. If you have any bug reports please feel free to contact me and I'll look into it.

The kernel release of Saffron will be ready Real Soon Now™.

Good Assembly Book: PC Assembly Language

One persistent question I've run across every time I teach malware analysis or exploit writing is "What's a good book on assembly?" There are a couple of books on the topic, but they either suffer from too much detail or focus on outdated operating systems. Typically my response to anyone wanting to learn assembly of any type has been to compile code, and then look at the resulting assembly output.

Paul Carter has written an assembly book called PC Assembly Language. From the website:

"I taught Computer Science at the University of Central Oklahoma for 10 years. During this time I taught an introductory course in PC Assembly Language programming. I grew frustrated at teaching 16-bit real mode programming and decided to change to 32-bit protected mode. However, I soon ran into a problem. I could not find a textbook that covered 32-bit protected mode assembly programming! So, I decided to write my own."

It's even been translated into French, Italian, German, Spanish, Simplified and Traditional Chinese.

Storm Worm Process Injection from the Windows Kernel

I spent a few hours looking at the Storm Worm and wrote up a quick informal paper on how to extract the actual malicious payload. If you're interested in how an asynchronous procedure call is used to inject code into a userspace process, this paper might be interesting to you.

Storm Worm Process Injection from the Windows Kernel

Abstract:
This paper will detail the analysis methods of W32/StormWorm.gen1 and show a process injection method it uses to run malicious code in user-space. This variant loads a driver into the kernel which then injects itself into the running services.exe process. The worm then connects to a P2P network sending spam, initiating DDoS from the infected computer. This technique does not use a packer in the traditional sense but a two-stage loader to inject itself into a running process from kernel space. I will show the decoding process and methods for extracting the true malicious code from the driver executable.

VMware Vulnerability: Time to Upgrade

Core Security found a pretty spectacular vulnerability in VMware. If you have shared folders with the guest OS, a program running inside the VM can modify any file on the host. Given how dependent we are on VMs for malware analysis, it would be a good idea to upgrade. Hats off to Core for finding this bug.

"A vulnerability was found in VMware's shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host's file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it."

McAfee Site Advisor Gives us the "Bad" Rating

McAfee SiteAdvisor is a service that is available to everyday users to determine the "safety" of websites. The idea behind it is that you can use their software prior to visiting to determine whether or not you want to visit a site. It is very similar to the Google warnings, and Stop Badware. It was recently pointed out to me that Offensive Computing is now officially listed as a bad site.

I'm not upset by this; in fact, I think it's a really good idea to have us listed here. The big reason for this is that we do in fact collect and spread malware, albeit for research purposes. The type of people that would use the SiteAdvisor service really have no business coming here. It's a good thing.

If SiteAdvisor actually rated us down because we distribute malware that would be a completely valid reason. Instead the reason listed on their site at the time of this writing was the following:

"When we tested this site we found links to reconstructer.org, which we found to be a distributor of downloads some people consider adware, spyware or other potentially unwanted programs."

Frank Boldewin runs reconstructer.org and he makes valid contributions to the field of research. This entire conviction reeks of automated scanning. Since Frank analyzes real malware, he probably had a sample included in his files. Since we link to his site (happily, I might add), we are therefore guilty. This seems like an extremely naive way to perform a test of maliciousness. What's more, a quick glance at other malicious sites reveals that we are in good company. Examples of other malicious sites include projects such as Metasploit.

UPDATE 2/21/2008: We are now officially listed as "good". Thanks, McAfee.

Shmoocon 2008: Malware Software Armoring Circumvention Content

We just finished giving our talk at Shmoocon 2008, which is a slight update of our Blackhat 2007 talk. Under great peer pressure we decided to give a live demonstration of Saffron-kernel. It crashed the first time, but the second attempt worked well. We unpacked two sets of packers live on stage: TeLock and VMProtect. Afterwards we were even able to unpack a random binary from the audience. Thanks to the Shmoocon organizers and everyone who got up early to see our talk.

Presentation PDF
Original Saffron DI code: This is our material from Blackhat 2007. This is a proof of concept, and not production code.

Shmoocon is a really nice conference. If you get a chance to attend I highly recommend it.
