Didier Stevens

Wednesday 15 February 2017

Quickpost: ClamAV and ZIP File Decryption

Filed under: Malware,Quickpost — Didier Stevens @ 0:00

While reading up on ClamAV and YARA, I came across something I wanted to try for some time: have ClamAV decrypt and scan a password protected ZIP file.

It can be done by creating a .pwdb password signature file, as explained in section 3.12 of Creating signatures for ClamAV.

I created one signature for password “infected”:

ZipPasswordInfected;Engine:81-255;0;infected

ZipPasswordInfected is the name I gave to the signature.

Engine:81-255 defines the required functionality level of the ClamAV engine. If I’m not mistaken, 81 is version 0.99.

0 indicates that the password is in ASCII.

infected is the password to attempt ZIP decryption.

And then I can pass the password signature file to clamscan with option -d. Or I can put the password signature file in the database directory.

In this example, notepad.exe is stored in a password protected ZIP file (password infected), and is_pe_file.yara is a YARA rule to detect PE files.

clamscan.exe -d is_pe_file.yara -d passwords.pwdb notepad.exe.zip
notepad.exe.zip: YARA.is_PE_File.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.21 MB
Data read: 0.14 MB (ratio 1.50:1)
Time: 0.063 sec (0 m 0 s)



Monday 30 January 2017

Quickpost: Dropbox & Alternate Data Streams

Filed under: Forensics,Quickpost,Reverse Engineering — Didier Stevens @ 0:00

When I got this popup while moving a file from a Dropbox folder, I immediately thought Alternate Data Stream:


I ran my filescanner on the file, and found an ADS with name com.dropbox.attributes:


From the Magic HEX value, we can see that the content of the stream (frozen-sea-foam.mp4:com.dropbox.attributes) starts with 0x78 (and the streamsize is 83 bytes). 0x78 hints at zlib deflated data.

If you are not that familiar with magic values, you can use my file-magic tool:


Trying to decompress the ADS with translate.py gives us JSON data {“dropbox_fileid_local”: {“machineid_attr”: {“data”: “aa4xliox7z5n0qewxOlT3Q==”}}}:


The data field looks like BASE64, so let’s try to decode it with base64dump.py:


It decodes with BASE64 to data that looks random. From the names in the JSON data, we can deduce that this is probably a machine ID.

Remark 1: as it could well be my unique machine ID, I altered the value of the ID.

Remark 2: my file-magic.py tool is beta.

Remark 3: if you wonder what the video frozen-sea-foam is, I have it on Instagram.
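The decoding steps above (zlib header check, inflate, JSON, BASE64), chained in one script. This is an added example, not one of the tools used in the post; the function names are illustrative and the sample stream is constructed by compressing the JSON shown above, so its size will not match the 83 bytes of the real stream.

```python
import base64
import json
import zlib

def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header check: CM = 8 (deflate) and a valid FCHECK value."""
    return len(data) >= 2 and data[0] & 0x0F == 8 and (data[0] << 8 | data[1]) % 31 == 0

def find_data_fields(node, path=()):
    """Yield (path, value) for every string stored under a key named 'data'."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "data" and isinstance(value, str):
                yield path + (key,), value
            else:
                yield from find_data_fields(value, path + (key,))

def decode_dropbox_attributes(stream: bytes) -> dict:
    """Inflate the stream, parse the JSON and BASE64-decode each data field."""
    if not looks_like_zlib(stream):
        raise ValueError("stream does not start with a zlib header")
    doc = json.loads(zlib.decompress(stream))
    return {"/".join(p): base64.b64decode(v, validate=True)
            for p, v in find_data_fields(doc)}

# Constructed sample: the JSON from the post (with its altered ID), deflated again.
SAMPLE_JSON = '{"dropbox_fileid_local": {"machineid_attr": {"data": "aa4xliox7z5n0qewxOlT3Q=="}}}'
SAMPLE_STREAM = zlib.compress(SAMPLE_JSON.encode("ascii"))

if __name__ == "__main__":
    print("first byte: 0x%02x" % SAMPLE_STREAM[0])
    for path, raw in decode_dropbox_attributes(SAMPLE_STREAM).items():
        print(path, len(raw), "bytes:", raw.hex())
```

On Windows with NTFS, the real stream can be read with `open(r"frozen-sea-foam.mp4:com.dropbox.attributes", "rb")` and passed to `decode_dropbox_attributes`.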

 




Thursday 17 November 2016

Quickpost: Zone.Identifier

Filed under: Quickpost — Didier Stevens @ 0:00

Mostly as a reminder for myself, here is how to set the Alternate Data Stream to mark a file as originating from the Internet.

notepad install.exe:Zone.Identifier

Text:
[ZoneTransfer]
ZoneId=3




Friday 30 September 2016

Quickpost: Enhancing Radare2 Disassembly Listing

Filed under: My Software,Quickpost — Didier Stevens @ 9:00

I threw a program together to add information to Radare2 disassembly listings: radare2-listing.py. I’m putting it in beta, because I hope there is another way to do this in Radare2 (e.g. without a program). So if you know of a better way to do this, please post a comment.

The tool looks for text pushed on the stack, and then adds a comment with the string built up on the stack.

[Screenshots: the disassembly listing before and after running the tool]

 

Monday 16 March 2015

Quickpost: Metasploit User Agent Strings

Filed under: Quickpost — Didier Stevens @ 0:00

I searched through the Metasploit source code for User Agent Strings (starting with Mozilla/).

This is what I found:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N
Mozilla/4.0 (compatible; Metasploit RSPEC)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)



Monday 25 November 2013

Quickpost: nmap & xml

Filed under: Networking,Quickpost — Didier Stevens @ 20:46

A quick tip: since more than a year now I’ve been including xml output with each nmap scan I perform. I discovered that the xml output contains more (explicit) data than the other forms of output.

Example:

nmap -oG test.csv -oX test.xml scanme.nmap.org

Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-23 05:05 EST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.65s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds

[Screenshots: the grepable output and the xml output]




Saturday 24 August 2013

Quickpost: Proxy Cookies

Filed under: Forensics,Networking,Quickpost — Didier Stevens @ 11:20

Cookies set by network proxies can be identified by their name.

BlueCoat proxy cookies start with BCSI-CS-.

Cisco IronPort proxy cookies start with iptac-. The string after iptac is the serial number of the device.

Google for these and you’ll find some examples.

More info later.




Sunday 4 August 2013

Quickpost: Rovnix PCAP

Filed under: Forensics,Malware,Networking,Quickpost — Didier Stevens @ 21:04

Microsoft’s Malware Protection Center has a blogpost on a version of Rovnix that uses its own TCP/IP stack.

I used Wireshark to capture the network traffic generated by this sample when it is executed in a VMware guest.


I ran the sample on a XP SP3 guest machine in VMware. The hostname is XPPROSP3 (this name will appear in the HTTP GET request).
The guest uses NAT.
I ran the Wireshark capture on my host machine on the VMware Virtual Ethernet Adapter.
I removed some traffic coming from my host machine (NetBIOS Name Service and DHCPv6 to be precise).

When I executed the sample on XPPROSP3, it rebooted after a few seconds.

The trace:
The 37 second gap between packet 6 and 7 is due to the reboot of XPPROSP3
Packet 44: DNS request for youtubeflashserver
There are 3 HTTP requests. Notice User-Agent FWVersionTestAgent in all 3 GET requests.
Packet 50: first GET request with hostname XPPROSP3 as a parameter. Response: 404
Packet 61: second GET request, malformed. Response: 400
Packet 70: third GET request, malformed. Response: 400

rovnix-capture-filtered.zip (https)
MD5: C941D1716B6248C3FBFB4DFFA8AD2E86
SHA256: 51EDA61199DD9EDC1E50C5A9B5A4B69F32DB74E90CF098849554C56217D06EFD




Wednesday 15 May 2013

Quickpost: Signed PDF Stego

Filed under: Encryption,Hacking,PDF,Quickpost — Didier Stevens @ 14:08

A signed PDF file is just like all signed files with embedded signatures: the signature itself is excluded from the hash calculation.

Open a signed PDF document in a hex editor and search for string /ByteRange. You’ll find something like this:

36 0 obj
<</ByteRange[0 227012 248956 23362 ]            /Contents<308226e106092a864886f7

This indicates which byte sequences are used for the hash calculation (position and length of each sequence). So in this example, byte sequence 227013-248955 is excluded, because it contains the signature in hex format padded with 0x00 bytes. This padding is not part of the DER signature; you can change it without changing or invalidating the signature.
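A check for this from the defender's side, as an added example that is not code from the original post: it parses /ByteRange, hashes the covered byte sequences, reads the DER length header of the signature and reports whatever follows it in /Contents. The miniature "PDF" is constructed for the demonstration, the function names are illustrative, and SHA-256 is an assumption (a real signature names its own digest algorithm).

```python
import hashlib
import re

def byte_range(pdf: bytes):
    """Return the four /ByteRange integers: offset1, length1, offset2, length2."""
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    return [int(g) for g in m.groups()]

def signed_digest(pdf: bytes) -> str:
    """SHA-256 over the two byte sequences that /ByteRange selects."""
    off1, len1, off2, len2 = byte_range(pdf)
    return hashlib.sha256(pdf[off1:off1 + len1] + pdf[off2:off2 + len2]).hexdigest()

def der_total_length(der: bytes) -> int:
    """Size of the outer DER element, header included (definite lengths only)."""
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def padding_after_signature(pdf: bytes) -> bytes:
    """Bytes stored in /Contents after the DER signature (normally all 0x00)."""
    off1, len1, off2, _ = byte_range(pdf)
    gap = pdf[off1 + len1:off2]            # the excluded region: <hex digits>
    blob = bytes.fromhex(gap.strip(b"<>").decode("ascii"))
    return blob[der_total_length(blob):]

def build_sample(padding: bytes) -> bytes:
    """Constructed miniature file: a 5-byte DER element stands in for the signature."""
    contents = b"<" + (bytes.fromhex("3003020105") + padding).hex().encode() + b">"
    pre, post, tail = b"%PDF-1.7\n1 0 obj\n<</ByteRange[", b"]/Contents", b">>\nendobj\n%%EOF\n"
    len1 = len(pre) + 43 + len(post)       # four 10-wide fields plus three spaces
    fields = b"%-10d %-10d %-10d %-10d" % (0, len1, len1 + len(contents), len(tail))
    return pre + fields + post + contents + tail

if __name__ == "__main__":
    for name, pad in (("zero padding", bytes(8)), ("altered padding", b"\x00\x00DATA\x00\x00")):
        pdf = build_sample(pad)
        extra = padding_after_signature(pdf)
        print(name, signed_digest(pdf)[:16], "suspicious" if extra.strip(b"\x00") else "clean")
```

Both samples produce the same digest, so a signature check alone cannot tell them apart; only the inspection of the bytes after the DER element does.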



Thursday 15 November 2012

Quickpost: Spiders and CCTV

Filed under: Physical Security,Quickpost — Didier Stevens @ 15:12

Spiders can be annoying when you own a CCTV system. Here is a picture of a spiderweb in front of one of my cameras with integrated IR LED illuminator:

You can see that the reflection of IR light on the spiderweb is so strong that the glare hides all details behind the spiderweb.

So when you install an outdoor CCTV camera, think about spiders. Try to position the camera in a place where there are no spiders.

When you google for “CCTV spider repellent”, you will find chemical products that should repel spiders from CCTV cameras. But I’ve not had the opportunity to test out such products; they don’t ship outside their country of sale.



