Skip navigation.
Home
WARNING: This site contains samples of live malware. Use at your own risk.

VERA 0.3 Released

VERA 0.3 has been released. This new version contains a bunch of new features and API improvements. The two biggest updates are the addition of the trace file parsing and analysis inside of the GUI. This alleviates the need for the gengraph.exe program. The next big feature is the integration with IDA Pro. Currently it only supports version 5.6 and 6.0 versions of IDA. Finally, VERA now includes documentation.

Download VERA 0.3 MSI File
Download VERA Documentation (PDF)

Please feel free to email me (dquist at this domain) if you have any comments. Those of you that have responded thank you very much.

Changelog:

* Added processing of trace files without having to use gengraph via new wizard
* Better handling of low memory situations
* Major code cleanup, refactoring, and new buzzwordy sounding tasks
* Added a toolbar, because everyone loves those
* Added IDA integration and IDA Pro module
* Fixed a bug involving parsing of non-traditional Ether trace files
* Now should support larger and more complicated graphs
* I'm getting paid to write and support VERA. :)

At Shmoocon 2011 I'll be rolling out the next version of VERA, complete with new features.

Detecting Malicious PDF Files

| |

For the past few days I have been completely immersing myself in PDF research in hopes to find better ways to detect malicious PDF files. I have collected a pretty good random sample set (15K) of PDF data and have a bunch of malicious files with the same statistics. I have wrote some basic tools to aid in my research and it would be nice to get some input on the results I have found so far.

The outline of the project can be found here:
http://pdfxray.9bplus.com/

The blog with all the research, data and tools that have been released can be found here:
http://blog.9bplus.com

Reversing the source of the ZeroAccess crimeware rootkit

| |

We recently undertook a project to update the hands-on labs in our Reverse Engineering Malware course, and one of our InfoSec Resources Authors, Giuseppe "Evilcry" Bonfa, defeated all of the anti-debugging and anti-forensics features of ZeroAccess and traced the source of this crimeware rootkit:

Part 1

InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. It has 4 main components that we will reverse in great detail in this series of articles. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power-users to remove and very difficult security experts to forensically analyze.

LinkedIn "Meeting Docs"

|

MD5: 7227d2c555262145700be91ae991d91e

I just received this malware via LinkedIn. Upon quick inspection at CWSandbox (Sunbelt Software) this looks connected to padreim.ru, the file:
appears to exploit C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
hides itself in C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\TEMP\ as well as $tmp/doc~.dat
runs as C:\WINDOWS\system32\svrwsc.exe and numerous other service names

Just starting my analysis but wanted to get this out.

Sunbelt Software CWSandbox report
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=73306018&cs=7EB44195CE93B70BDD431D51DA773EDB

Virus Total Report
http://www.virustotal.com/file-scan/report.html?id=3eaf012380777e3b0944bb571ab676b6a79789a81236ccc6f70b2a00ea954af0-1285706380

Vera 0.20 - Now Available

After a lot of work, I'm happy to announce that Vera 0.20 is available for download. This release is a rewrite of the entire code base into wxWidgets. Based on some excellent feedback from my talk at REcon (an excellent con by the way) I've made some substantial changes to the backend code.

If you're not familiar with VERA, it's a visualization tool to help understand the dynamic execution of a program. It's made to take the instruction traces from Ether and generate directed graphs showing the overall flow and composition of a program. Identifying the OEP is easy, as well as looking for main loops and initialization sections of the program. You can read about VERA in my Vizsec 2009 paper for more information.

Here's the complete changelog:

Rewrite of entire codebase to wxWidgets (should allow for future ports to other platforms)
Added configuration file (~/.wxVera/wxvera.ini)
Read/save previous window position and size from/to config file
Fixed a graph centering problem
Added update checking code
Reloading of graphs more efficient
Added welcome message
Introduced notebook style for GUI

Please feel free to contact me (dquist at this domain) if you have any problems or suggestions for VERA. Thanks!

AV Testing Standards: Don't Like the Results of the Tests? Change the Rules

There were good responses, mostly from people in the AV industry, to my blog post about the malware testing standards. Overlooking my error linking to their original paper (sorry) there were some points I would like to address.

At the heart of this whole process, is exactly how dangerous a collection of malware is. For the consumers, I would argue, it's not dangerous at all. The malware industry is the only one who has to fear from it. Notice I didn't say just the AV vendors, but also the producers of the malicious software. In large part the authors depend on a closed, inside group of people unwilling to collaborate openly on the problem. If you look at the major sources of malware in academic research prior to the creation of large open collections, you'll see that there were some big problems. First, the samples were old and not representative of current threats. Second, those samples either did not work or were not malicious in nature. Finally, the samples are traded as something of value.

I'm no different, of course. I derive value both from the collection and from consulting. I do, however, go out of my way to support those doing open research as much as I can. If someone in academia needs access to samples, just contact me and I'll work something out. Likewise we have helped innumerable small businesses get their start in the malware world before they could enter the "circle of trust" mentioned by David Harley.

The "circle of trust" is often cited when discussing who can and cannot gain access to these samples. Over the course of the years I've joined four of these groups. While the vetting is done as best as possible, there's very little outside of an email address, and a recommendation keeping someone from joining. Antivirus vendors exchange malware with themselves at a much higher volume, but there is still a perceived difficulty of entering this area. Malware exists on the Internet in a freely available manner as a function of its being. Limiting sample access to a certain set of privileged people fundamentally hurts innovation and response by everyone.

There was also some allusion that I did not support malware testing at all. That is not the case. Malware defense systems should be heavily tested against a range of threats. The basis for my problems with the AMTSO is that it should *not* be composed of anyone in the AV industry. Consumer Reports did an excellent job exposing the ineffectiveness of AV vendors by producing new samples. Due to the very nature of the threat, there are going to be new samples that are discovered for the first time. If an AV software can't respond to this threat, it should not be given a favorable review.

The current set of players in the malware testing arena are profit driven. In and of itself that's ok, I'm all for capitalism, but in fairness there needs to be an independent authority. AV testing companies that publish open information on the effectiveness of scanning results are not independent. Without naming names, there is a prominent one claiming to provide results for the public, but instead is backed by every AV vendor in the industry. This testing company takes in new samples, scans them with all the products, then tells the vendors how their performance rates. What is not acceptable, in my view, are the shoddily written reports intended for consumers that report unethically high detection rates.

Finally I would like to address the ethics of the malware tester. One thing I agree with David Harley on is the need to represent the full scope of the testing process to the consumer. One of the things that the academic world does well is to produce research which can be recreated by other researchers. That's the intent, at least. AV testing standards advocated by the vendors cannot and will not provide the latest samples to malware authors. What this ends up doing is providing all the methods of testing, but not the actual data to test on. For those of us able to use new samples, it's not a problem. Others who have older data and are unable to acquire new malware (due to cost, time involved, etc.) are left with only one viable option: Synthesize new samples using the exact same methods available to the authors.

Vera 0.11 - Bug Fix Release

First of all, thanks for all the great feedback from everyone about Vera. Keep the feedback coming!

Vera 0.11 is out on the main Vera page. This release fixes a major memory leak for those of you who aren't running video cards with a gig of ram. This should also alleviate problems that were related to running under Windows XP. A future port to a wxWidgets version is underway. This will eventually allow for cross-platform versions, hopefully timed with the IDA QT release.

As always, please report bugs to dquist at this domain.

URLVOID: Suspicious url scanner

Urlvoid (beta version at the moment) is a free service that scan suspicious websites with multi engines to check if the site is safe to browse.

Its a virustotal like but for websites ;)

http://www.urlvoid.com/

Scanner list used by urlvoid:

McAfee SiteAdvisor, McAfee Trusted Source, PcTools Browser Defender, Norton SafeWeb, MyWOT, Threat Log, MalwareDomainList, hpHosts, ZeuS Tracker, Google Diagnostic, PhishTank, Project Honey Pot, ParetoLogic, Spamhaus, URIBL, Malware Patrol, SURBL, SpamCop, TrendMicro Web Reputation, Web Security Guard.

Released Buster Sandbox Analyzer 1.23

Buster Sandbox Analyzer 1.23 has been released.

Actually the tool is being hosted here: http://bsa.isoftware.nl

Version 1.23 introduces the automatic malware analysis mode. This mode allows the analysis of multiple files without any user intervention.

New version also adds other features like the digital signature verification.

The tool can be downloaded directly from: http://bsa.isoftware.nl/bsa.rar

Buster Sandbox Analyzer makes the malware analysis accesible to everybody in a simple and safe manner.

Intelligence and operational level by Siberia Exploit Pack

| |

Siberia Exploit Pack is a crimeware, evolution of Napoleon Exploit Pack, which we've done a brief description on another occasion. However, since the time of that description to this day, the landscape has expanded its developer.

In this regard, and while it ends up being one of the bunch, the interesting thing about this crimeware is information provided by their panel of statistics (intelligence for the attacker), by the way very similar to that provided by Eleonore Exploit Pack, which provide data regarding the success of business which has the exploit  pack for recruitment zombie, discriminating on the basis of these data:

  • Countries affected
  • Most exploited Operating Systems
  • Reference domains with the highest percentage by which vulnerabilities are exploited
  • Browsers exploited
  • Pre-compiled exploits in this version of the package

Let me stress (because it's a minor detail) with this collection of information is nothing more than to intelligence, which allows the attacker to know, at first instance:

In the former case, the population of which country is more vulnerable, perhaps because of their level of piracy, which brings to attention the lack of security updates for operating systems and applications, because as we will see to reach exploits, all these are known and have long been concerned with the patch that fixes the vulnerability.

In this case, the first five countries where this crimeware has higher infection rate include the United States, Britain, Canada, Russia and Germany.

The same approach is being pursued with the data we obtained on operating systems "vulnerable" in quotes because, as I said above, the degree of vulnerability of the OS depends directly on a number of aspects that should be covered by hardening, in which an important factor is the implementation of security patches.

For example, the vulnerability in MDAC (Microsoft Data Access Components) from the year 2006 (four years), described in Microsoft Official Bulletin MS06-014. The impact on operating systems have this version of crimeware, we can see in the picture below.

The list of operating systems is large and attacked the three with the highest vulnerability gap belongs to the family of Microsoft (which is obviously due to the massiveness of use), and other MS also.

However, the crimeware cover other non-Windows operating systems, including PlayStation consoles (GNU / Linux or Black Rhino) and Nintendo Wii (ironically a modified version of a GNU/Linux), in the case of OS used and Workstations high-end mobile phones, including:

  • Mac OS
  • GNU/Linux
  • FreeBSD
  • iPhone
  • Windows Mobile
  • Windows CE
  • Pocket PC
  • Symbian OS

Here we are beginning to recognize that criminals have broadened the scope of coverage, incorporating into its portfolio of options exploitation of vulnerabilities (through the browser) and recruitment of zombies on other operating systems used in other computer technologies.