Here I've linked the first two parts of W32/Skintrim Reverse Engineering of a Badly Coded Malware, a malware sample that is not working and appears really little. I've repaired it and I'm reversing it completely; Skintrim appeared to be really articulate.
Here are the first three blog posts:
Soon I will publish the #4 part.
Giuseppe 'Evilcry' Bonfa'
Offensive Computing is now on Twitter! Follow OComputing for all the malware and reverse engineering 140 characters can handle.
My Blackhat talk is over and I think things went really well. As promised here is the latest information on the slides. To be able to use VERA you will need to follow the installation instructions from the Ether project. Thanks again to everyone who attended and thank you for all the great questions.
If you're going to try and use Ether (which you definitely should) make sure you run Debian Sarge (or Etch or Lenny) with a 64-bit installation. From there the installation instructions from the Ether site should be all you need.
Finally I'm happy to release my paper Analyzing MSOffice malware with OfficeMalScanner. This paper describes all features of the OfficeMalScanner suite in detail. Furthermore, I've updated some features since my PH-Neutral talk, fixed bugs and replaced bin2code with MalHost-Setup, a much smarter way to analyze the inner workings of shellcode in a real life session. Both malicious samples described in the paper are included in the package, of course additionally compressed and with extra password protection.
A lot of press is going around the discovery of the SymbOS/Yxe threat, I have just uploaded a sample of the threat to Offensive Computing, in hopes that fellow researchers here will help me identify the BOT elements of the threat.
If you're looking for a challenge, this is it. The file is the EPOC based executable, not the SISX package, so you should be able to get this decompiled in IDA right away without having to do any extractions.
MD5 of the sample 24D40DD68DCC17F9DAB29C9CFE3529A0.
I recently came across this patent from Network Associates by Igor Muttik. Here's the abstract:
"One embodiment of the present invention provides a system for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software. The system operates by emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software. During the emulation process, the system records a pattern of system calls directed to an operating system of the computer system. The system compares the pattern of system calls against a database containing suspect patterns of system calls. Based upon this comparison, the system determines whether the software is likely to exhibit malicious behavior. In one embodiment of the present invention, if the software is determined to be likely to exhibit malicious behavior, the system reports this fact to a user of the computer system. In one embodiment of the present invention, the process of comparing the pattern of system calls is performed on-the-fly as the emulation generates system calls."
Reading through the claims it appears that they have patented much of what was the state of the art of academic research in the early 2000s. I'm shocked at how loosely the patent is written. Comparing system calls might have been novel at the time, but the real magic is finding a matching algorithm for them. That algorithm, I would think, would be the real patentable material. Then again, that's why I'm not a patent lawyer.
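The abstract describes three moving parts: an emulation that emits system calls, a database of suspect call patterns, and a comparison that runs on-the-fly as calls arrive. The following is an added example (not from the patent or any real emulator) of such an online matcher; the pattern names, call names, window sizes and traces are constructed for illustration.

```python
"""Added example: on-the-fly matching of an emulation system-call trace
against a database of suspect call patterns, as the quoted abstract
describes. Pattern names, calls and traces are constructed here."""
from typing import Dict, List, Tuple

# Suspect pattern database: calls that must occur in this order (other calls
# may be interleaved) within a window of at most `window` consecutive calls.
SUSPECT_PATTERNS: Dict[str, Tuple[List[str], int]] = {
    "self-copy-to-system-dir": (["GetModuleFileNameA", "GetSystemDirectoryA", "CopyFileA"], 8),
    "run-key-persistence": (["RegOpenKeyExA", "RegSetValueExA", "RegCloseKey"], 6),
}

class OnTheFlyMatcher:
    """Consumes one call at a time, so a verdict is available mid-emulation."""

    def __init__(self, patterns=SUSPECT_PATTERNS):
        self.patterns = patterns
        # Per pattern: live partial matches as (next_index, calls_left_in_window).
        self.partials = {name: [] for name in patterns}
        self.position = 0

    def feed(self, call: str) -> List[Tuple[int, str]]:
        """Advance every partial match by one call; return patterns completed now."""
        self.position += 1
        completed = []
        for name, (seq, window) in self.patterns.items():
            kept = []
            # (0, window) is a fresh candidate that survives only if `call` starts seq.
            for idx, left in self.partials[name] + [(0, window)]:
                if call == seq[idx]:
                    idx += 1
                elif idx == 0:
                    continue
                if idx == len(seq):
                    completed.append((self.position, name))
                elif left > 1:
                    kept.append((idx, left - 1))  # window not yet exhausted
            self.partials[name] = kept
        return completed

def scan_trace(trace: List[str], patterns=SUSPECT_PATTERNS) -> List[Tuple[int, str]]:
    """Offline wrapper: (call position, pattern name) for every hit in `trace`."""
    matcher = OnTheFlyMatcher(patterns)
    return [hit for call in trace for hit in matcher.feed(call)]

# Constructed traces: one containing both suspect sequences, one where the
# copy calls are spread too far apart to fall inside the pattern's window.
SUSPECT_TRACE = ["GetModuleFileNameA", "GetSystemDirectoryA", "lstrcatA", "CopyFileA",
                 "RegOpenKeyExA", "RegSetValueExA", "RegCloseKey", "ExitProcess"]
BENIGN_TRACE = ["GetModuleFileNameA"] + ["Sleep"] * 10 + ["GetSystemDirectoryA", "CopyFileA"]
```

The window bound is what keeps a long-running benign process from eventually "matching" every pattern by accident; the matching algorithm, as the post notes, is where the real design choices live.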
A few conference acceptances are in so I can now lift the cone of silence and share some of the research I've been doing.
Lately I've been using Artem Dinaburg and Paul Royal's excellent Ether Malware Analysis system they presented at ACM CCS last year. This is some very good work that allows you to instrument a running binary extremely well. The paper they have written is very good. I've submitted some patches to the project and overall it's in good shape. I'll write up a more detailed post about using the Ether framework later. Those of you that have been using Saffron should check out this system. Even though it requires dedicated hardware it's a much more robust system.
Using Ether I've been working on my visualization tool for better dynamic and static analysis integration. I call it VERA: Visualizing Execution for Reversing and Analysis. Using the dynamic trace data and unpacking capabilities of Ether, VERA helps you to better unpack unknown binaries, reduce the reversing time, and generally make the whole process easier. I've shown it to a pretty limited set of people, mainly the students in my Reverse Engineering courses, and it seems to be reasonably well received.
I will be talking about VERA at some conferences and workshops this summer and fall. The first is the Blackhat USA Briefings 2009 and Defcon 17. This talk will show how to integrate the reversing process with Ether and will also demonstrate VERA. I'll be giving a live demo and releasing the tool here.
A more formal treatment will be at the Workshop on Visualization and Security 2009 (VizSec). This paper will outline the nitty-gritty details of the Reverse Engineering process and how VERA fits into it.
I hope to see you this summer. Several former OC members will be giving talks too so it should be a worthwhile experience.
OfficeMalScanner is a MS Office forensic tool that scans for malicious traces such as shellcode heuristics, PE files or embedded OLE streams. It supports disassembly and hex view as well as an easy brute force mode to detect encrypted files. In addition, an Office file is scanned for VB macro code and, if found, the code is extracted for further analysis.
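To illustrate two of the checks named above (locating an embedded PE file and brute-forcing a simple encryption layer), here is an added example that is not OfficeMalScanner's own code. The document buffer, the PE stub and the XOR key 0x5A are constructed; real scanners use broader heuristics than this single-byte XOR search.

```python
"""Added example (not OfficeMalScanner's own code): find a PE file embedded
in an Office document, including one hidden behind a single-byte XOR key,
the kind of check a brute-force mode for encrypted payloads performs.
The document below is constructed, not a real sample."""
import struct
from typing import Dict, List

def find_pe_headers(data: bytes) -> List[int]:
    """Offsets of 'MZ' headers whose e_lfanew points at a real 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            # Sanity bound rejects filler that decodes to a huge header offset.
            if e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def brute_force_xor(data: bytes) -> Dict[int, List[int]]:
    """Try every single-byte XOR key; map key -> PE offsets found after decoding."""
    found = {}
    for key in range(1, 256):
        offsets = find_pe_headers(bytes(b ^ key for b in data))
        if offsets:
            found[key] = offsets
    return found

def build_fake_pe() -> bytes:
    """Constructed minimal PE stub: MZ header with e_lfanew = 0x80 and 'PE\\0\\0' there."""
    stub = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80))
    stub += b"\0" * (0x80 - len(stub)) + b"PE\0\0" + b"\0" * 0x20
    return bytes(stub)

# Constructed "document": OLE2 magic, filler, the stub XOR-encoded with 0x5A, filler.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
PE_OFFSET = len(OLE_MAGIC) + 0x200
DOCUMENT = OLE_MAGIC + b"\0" * 0x200 + bytes(b ^ 0x5A for b in build_fake_pe()) + b"\0" * 0x40
```

A plain scan of the document finds nothing, while the brute-force pass recovers the key and the offset of the hidden executable, which is why the e_lfanew consistency check matters: without it, filler bytes decoded under the wrong key would produce false MZ hits.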