Didier Stevens

Tuesday 29 August 2023

Quickpost: PDF/ActiveMime Maldocs YARA Rule

Filed under: maldoc,Malware,Quickpost — Didier Stevens @ 18:07

Here is a YARA rule I developed to detect the PDF/ActiveMime maldocs I wrote about in “Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs”.

It looks for files that start with %PDF- (this header can be obfuscated) and contain the string QWN0aXZlTWlt (the string ActiveMim in BASE64), possibly obfuscated with whitespace characters.

rule rule_pdf_activemime {
    meta:
        author = "Didier Stevens"
        date = "2023/08/29"
        version = "0.0.1"
        samples = "5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d,098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187,ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
        description = "look for files that start with %PDF- and contain BASE64 encoded string ActiveMim (QWN0aXZlTWlt), possibly obfuscated with extra whitespace characters"
        usage = "if you don't have to care about YARA performance warnings, you can uncomment string $base64_ActiveMim0 and remove all other $base64_ActiveMim## strings"
    strings:
        $pdf = "%PDF-"
//        $base64_ActiveMim0 = /[ \t\r\n]*Q[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim1 = /Q  [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim2 = /Q \t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim3 = /Q \r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim4 = /Q \n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim5 = /Q\t [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim6 = /Q\t\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim7 = /Q\t\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim8 = /Q\t\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim9 = /Q\r [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim10 = /Q\r\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim11 = /Q\r\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim12 = /Q\r\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim13 = /Q\n [ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim14 = /Q\n\t[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim15 = /Q\n\r[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim16 = /Q\n\n[ \t\r\n]*W[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim17 = /QW [ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim18 = /QW\t[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim19 = /QW\r[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim20 = /QW\n[ \t\r\n]*N[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
        $base64_ActiveMim21 = /QWN[ \t\r\n]*0[ \t\r\n]*a[ \t\r\n]*X[ \t\r\n]*Z[ \t\r\n]*l[ \t\r\n]*T[ \t\r\n]*W[ \t\r\n]*l[ \t\r\n]*t/
    condition:
        $pdf at 0 and any of ($base64_ActiveMim*)
}

The regex used to detect the characters QWN0aXZlTWlt interspersed with whitespace characters (YARA string $base64_ActiveMim0) has no atoms (for YARA’s Aho-Corasick algorithm) larger than 1 byte, and thus generates a performance warning that prohibits its use for hunting with VirusTotal.

That is why I replaced that regex with 21 regexes that all start with 3 fixed bytes, which allows YARA to select atoms that are large enough.
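To see what the 21 fixed-prefix variants cover compared to the single regex, here is an added Python model of the rule's matching logic (example code written for this page, not the author's code and not YARA itself; Python's re has no atom concept, so the fixed prefixes only matter for YARA). It rebuilds each $base64_ActiveMim## pattern from its 3-byte prefix, enumerates every 3-byte prefix a whitespace-interleaved QWN0aXZlTWlt can start with, and runs both forms of the condition over constructed sample files. The enumeration shows that 25 such prefixes exist and the rule lists 21 of them: the four prefixes where exactly one whitespace character sits between Q and W (Q W, Q\tW, Q\rW, Q\nW) are not present, so a file obfuscated that way is caught by the commented-out $base64_ActiveMim0 regex but not by the 21 variants. Anyone deploying the rule may want to add those four strings; the sample bytes below are constructed for the demonstration and are not real maldocs.

```python
import re

# Whitespace bytes the rule tolerates between base64 characters (taken from the YARA rule).
WS = [b" ", b"\t", b"\r", b"\n"]
WS_CLASS = rb"[ \t\r\n]*"
TARGET = b"QWN0aXZlTWlt"  # "ActiveMim" in base64


def variant_regex(prefix: bytes) -> "re.Pattern":
    """Build one $base64_ActiveMim## pattern: a fixed prefix, then every remaining
    base64 character of TARGET preceded by optional whitespace."""
    consumed = sum(1 for b in prefix if b not in b" \t\r\n")  # base64 letters used up by the prefix
    tail = b"".join(WS_CLASS + bytes([c]) for c in TARGET[consumed:])
    return re.compile(re.escape(prefix) + tail)


def page_prefixes() -> list:
    """The 21 three-byte prefixes of $base64_ActiveMim1 .. $base64_ActiveMim21, in rule order."""
    return ([b"Q" + a + b for a in WS for b in WS]   # variants 1..16: Q + two whitespace bytes
            + [b"QW" + a for a in WS]                # variants 17..20: QW + one whitespace byte
            + [b"QWN"])                              # variant 21: three base64 letters


def all_prefixes() -> list:
    """Every 3-byte prefix an interleaved TARGET can start with: after the leading Q,
    each byte is either a whitespace byte or the next base64 letter."""
    out = []

    def extend(s: bytes, consumed: int) -> None:
        if len(s) == 3:
            out.append(s)
            return
        for w in WS:
            extend(s + w, consumed)
        extend(s + TARGET[consumed:consumed + 1], consumed + 1)

    extend(b"Q", 1)
    return out


def missing_prefixes() -> set:
    """Prefixes reachable by whitespace obfuscation that the 21 rule variants do not cover."""
    return set(all_prefixes()) - set(page_prefixes())


# Equivalent of the commented-out $base64_ActiveMim0 (no fixed bytes at all).
FULL_REGEX = re.compile(b"".join(WS_CLASS + bytes([c]) for c in TARGET))
VARIANTS = [variant_regex(p) for p in page_prefixes()]


def matches_page_rule(data: bytes) -> bool:
    """Mirror of the rule's condition: '%PDF-' at offset 0 and any of the 21 variants."""
    return data.startswith(b"%PDF-") and any(v.search(data) for v in VARIANTS)


def matches_single_regex(data: bytes) -> bool:
    """Same condition, but using the single atom-less regex instead of the variants."""
    return data.startswith(b"%PDF-") and FULL_REGEX.search(data) is not None


# Constructed samples (not real maldocs): a PDF header, some filler, then the marker.
SAMPLE_MATCH = b"%PDF-1.7\n1 0 obj\n" + b"QWN0\n aXZl\r\nTWlt" + b"\nendobj\n"     # caught by variant 21
SAMPLE_GAP = b"%PDF-1.7\n1 0 obj\n" + b"Q WN0aXZlTWlt" + b"\nendobj\n"            # one space after Q
SAMPLE_NOT_PDF = b"MIME-Version: 1.0\n\nQWN0aXZlTWlt\n"                            # no %PDF- at offset 0

if __name__ == "__main__":
    print(len(page_prefixes()), "prefixes in the rule,", len(all_prefixes()), "possible")
    print("not covered by the rule:", sorted(missing_prefixes()))
    for name, data in [("match", SAMPLE_MATCH), ("gap", SAMPLE_GAP), ("not-pdf", SAMPLE_NOT_PDF)]:
        print(f"{name}: variants={matches_page_rule(data)} single_regex={matches_single_regex(data)}")
```

The fix for the gap is four more strings with prefixes Q, one whitespace byte, W, built exactly like variants 1 to 20; they keep 3 fixed leading bytes, so the atom argument in the text still holds.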


Quickpost info

Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs

Filed under: maldoc,Malware,My Software,Quickpost — Didier Stevens @ 10:50

jpcert reported a new type of maldoc: “MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file –”.

These maldocs are PDF files that embed a Word document (ActiveMime) in MIME format.

ActiveMime documents can be analyzed by combining my emldump.py tool and oledump.py.

ActiveMime documents were heavily obfuscated in the past, and this is also the case here. As emldump.py version 0.0.11 was only able to handle the obfuscation of 2 of the 3 samples mentioned by jpcert, I released a new version to handle more obfuscation.

Here is an analysis example for sample 5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d.

Run emldump (version 0.0.12 or later) with option -F to fix the obfuscation of the mime-version header:

To find the part where the ActiveMime file was hidden, use option -E %HEADASCII% to view the first 20 characters of each part:

Here we can see that part 14 is not a JPEG file, but an ActiveMime file.

We extract it and pipe it into oledump.py:

That ActiveMime file contains VBA code:

These maldocs (at least the 3 samples shared by jpcert) can be detected by pdfid with option -e to display extra information:

There are a lot of bytes outside streams (usually, for PDFs, there shouldn’t be) and the counts of the stream and endstream keywords differ.

But like I said, these are detections for these 3 samples; it’s possible to modify those samples to remove the anomalies.
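The two anomalies pdfid reports for these samples can be computed with a few lines of Python. The block below is an added example (not pdfid's code and not the author's; it is a simplified approximation of what pdfid -e shows): it counts the stream and endstream keywords and measures how many bytes lie outside stream bodies, then flags a file when the counts differ or when most of the file sits outside streams. The 0.5 ratio threshold is illustrative, and the "polyglot" input is constructed for the demonstration, with a MIME body placed after the PDF objects; it is not one of the jpcert samples. As the text notes, both signals are easy to remove, so treat them as triage hints rather than a signature.

```python
import re

# A keyword is 'stream'/'endstream' not glued to other letters ('endstream' must not count as 'stream').
STREAM_RE = re.compile(rb"(?<![A-Za-z])stream(?![A-Za-z])")
ENDSTREAM_RE = re.compile(rb"(?<![A-Za-z])endstream(?![A-Za-z])")
# A stream body runs from the 'stream' keyword (plus its end-of-line) to the next 'endstream'.
STREAM_BODY_RE = re.compile(rb"(?<![A-Za-z])stream\r?\n.*?endstream", re.DOTALL)


def stream_stats(data: bytes) -> dict:
    """Count stream/endstream keywords and the bytes that lie outside stream bodies."""
    inside = sum(m.end() - m.start() for m in STREAM_BODY_RE.finditer(data))
    outside = len(data) - inside
    return {
        "size": len(data),
        "stream": len(STREAM_RE.findall(data)),
        "endstream": len(ENDSTREAM_RE.findall(data)),
        "bytes_outside_streams": outside,
        "outside_ratio": outside / len(data) if data else 0.0,
    }


def is_anomalous(data: bytes, max_outside_ratio: float = 0.5) -> bool:
    """Flag a file whose keyword counts differ or whose bulk lies outside streams.
    The ratio threshold is an illustrative value chosen for this example, not from pdfid."""
    s = stream_stats(data)
    return s["stream"] != s["endstream"] or s["outside_ratio"] > max_outside_ratio


def _pdf(objects: bytes) -> bytes:
    """Wrap constructed objects in a minimal PDF skeleton (constructed test data)."""
    return b"%PDF-1.4\n" + objects + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


CONTENT = b"x" * 2000
OBJ1 = b"1 0 obj\n<< /Length 2000 >>\nstream\n" + CONTENT + b"\nendstream\nendobj\n"
BENIGN = _pdf(OBJ1)

# Constructed stand-in for the polyglot: a MIME body placed after the PDF objects, outside any
# stream, following a 'stream' keyword that has no matching 'endstream'.
MIME_BLOB = (b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"b\"\n\n"
             b"--b\nContent-Type: application/x-mso\nContent-Transfer-Encoding: base64\n\n"
             + b"QUJD" * 500 + b"\n--b--\n")
POLYGLOT = _pdf(OBJ1 + b"2 0 obj\n<< >>\nstream\n" + MIME_BLOB + b"endobj\n")

if __name__ == "__main__":
    for name, data in [("benign", BENIGN), ("polyglot", POLYGLOT)]:
        s = stream_stats(data)
        print(f"{name}: stream={s['stream']} endstream={s['endstream']} "
              f"outside={s['bytes_outside_streams']}/{s['size']} anomalous={is_anomalous(data)}")
```

On a real file, run stream_stats over the whole content read in binary mode; compare its numbers with the pdfid -e output for the same file to see how close the approximation is.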



Saturday 12 November 2022

Quickpost: Testing A USB Fridge (Update)

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

I performed some extra tests with my USB fridge (see Quickpost: Testing A USB Fridge).

Here is how the temperature evolved when I put a can with cold water (around 12 °C) in the USB fridge:

The temperature increased around 2 °C over a period of 12 hours (room temperature was around 17 °C).

That required around 57 Wh.

And the temperature at the top of the can increased more than at the bottom:

For reference, here is how the temperature of a cooled can of water evolves when it is left on the desk in that same room (so not inside the USB fridge):



Sunday 6 November 2022

Quickpost: Testing A USB Fridge

Filed under: Hardware,Quickpost — Didier Stevens @ 14:50

A couple years ago, I received a USB fridge from NVISO’s Secret Santa.

It uses a Peltier element with a fan.

I did the following test: overnight, I let the fridge run for 12 hours. It contained an aluminum can filled with water at room temperature (around 17 °C).

I used a power meter to measure the electric energy consumption, and a multimeter with a thermocouple (type K) to measure the water temperature. The thermocouple was at the bottom of the water, not touching the bottom of the can.

The USB fridge consumed 60.717 Wh over that period, and the water temperature (at the bottom) was around 14.7 °C when I stopped the test. After the test, I moved the thermocouple to the top of the water, and there the temperature was 16.9 °C.

My multimeter logged the temperature every 60 seconds, resulting in this chart:

Notice that during the first 12 minutes, the temperature rises a bit, and then starts to drop (I’ll do more experiments to try to figure out why it rises first). Then, once the cooling starts, it gradually slows down. Around 8 hours 45 minutes into the test, the water temperature reaches 14.80 °C and from then on barely changes.

The can is coolest at the bottom, as can be observed in this thermal image:

More pictures:

You don’t get much cooling from this USB fridge for the amount of energy it takes. I didn’t RTFM, so maybe its purpose is not to cool a can from ambient temperature down to a nice cool drink, but to keep a can that was cooled in a real fridge cool while it’s sitting on your desk.

But most likely it’s an inefficient USB gadget 🙂



Monday 31 October 2022

Quickpost: BruCON Travel Charger

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

In my BruCON speaker goodie bag, I found a travel adapter & USB charger:

I already have a similar travel adapter, but this BruCON travel adapter has one extra important feature for me: a USB C port.

As I still had my setup ready for testing the electrical energy consumption of devices, I quickly tested the standby power of this charger.

Its average standby electrical power consumption is 236,46 mW. Standby means: I plug the adapter into an electrical outlet (230V) without connecting any device for charging.

I imagine that for a travel adapter, standby consumption is not that important, as one would use it only occasionally.



Saturday 22 October 2022

Quickpost: Testing A Lemon Battery

Filed under: Hardware,Quickpost — Didier Stevens @ 21:59

In a chat with my colleagues, we were joking about charging smartphones with a lemon battery.

And I actually wanted to know what magnitude of electrical energy we were talking about.

So I connected a lemon battery to an electronic load:

I took a lemon, inserted a zinc and copper piece of metal (a couple centimeters deep) and connected an electronic load to draw 1 mA of current.

I let it run for a couple of hours until no more measurable current flowed.

The electronic load dissipated 0,034 Wh of electrical energy over that period. Hence, we can assume that the lemon battery delivered 0,034 Wh.

I’m sure the lemon battery could deliver more energy, by “resetting” it: cleaning the electrodes, inserting them in another place in the lemon, …

After a bit of searching through the web, I’m going to assume that a typical smartphone nowadays has a battery of 10 Wh. So we would need 294 times (10 Wh / 0,034 Wh) the electrical energy delivered by my lemon battery to charge a smartphone.

Except that the 0,9 V that the lemon battery does deliver is by far not enough to be able to charge via the USB interface. We need 5 V, so 5,555… lemon batteries connected in series.

On the screenshot above, you can also see that 37 mAh was measured. Notice that you cannot compare this to the mAh rating of a (smartphone) battery, because both values involve different voltages.

Comparing this to a button cell like a CR2032 (Dutch Wikipedia article, because there’s no English Wikipedia article): the CR2032 has a 225 mAh electrical charge (on average) and a 2.0 V discharge voltage. That’s 225 mAh * 2.0 V = 450 mWh, or 13 times more than my lemon battery (34 mWh).

Here are more pictures of the lemon after the experiment (one week later):



Saturday 8 October 2022

Quickpost: Standby Power Consumption Of An Old Linear Power Supply

Filed under: Hardware,Quickpost — Didier Stevens @ 11:41

In my blog post “Quickpost: Standby Power Consumption Of My USB Chargers (120V vs 230V)”, I looked at the power consumption of several of my USB chargers in standby mode (i.e., not connected to a device to be charged).

These are switched-mode power supplies.

They consume considerably less standby power than linear power supplies, like this one:

These contain a transformer to go from a high voltage (AC) to a low voltage (AC), followed by some electronic components, for example a diode bridge and capacitors, to convert the low-voltage AC electricity into DC.

I tested this old power supply I had lying around, and it consumed 1.6836 Wh when tested with my power meter during one hour:

That’s 14,75 kWh for a year, which is about 10 times more than my worst switched-mode power supply tested there.

So, if you are planning to follow the advice of energy experts here in Europe (and watch out, quite a few are not experts at all, just echo chambers) to reduce your electric energy consumption and save money by unplugging chargers you don’t use, consider the following points:

  1. Start with your linear power supplies, they consume the most (a tip to recognize them: they are heavy compared to the switched-mode ones, because of the transformer; and they are old).
  2. If you are going to do this daily, take into account mechanical wear and tear, like on the pins of the power plug, the cables, …
  3. To avoid that extra wear and tear, you can plug your power supplies into a power strip with a switch.
  4. I have a laptop power brick that regularly causes the power plug to spark when I plug it into a socket. That’s also something you want to avoid.


Thursday 22 September 2022

Quickpost: Tuning The Electric Energy Consumption Of My TV

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

TLDR: reducing the sound volume level of our TV has no (significant) impact on its electric energy consumption, but reducing the back-lighting does.

Here in Belgium, mainstream media is full of news with tips to reduce energy consumption.

Some good tips, some bad tips … That’s mainstream media for you 🙂

Recently, there was an article with the following tip: “reduce the sound volume level of your TV to save energy” … (I’m not linking to this article).

It is true that a speaker (and the audio amplifier) requires power. And that there is a positive correlation between electric energy consumption and sound volume level. Large speakers can draw quite some amps…

But I was a little doubtful that lowering the sound volume level of our TV by a few clicks would have a significant/measurable impact, because some time ago I had already made measurements, and our TV drew 120 Watt maximum. So I did not expect a big impact.

Anyways, one has to make measurements to know if there is a (significant) impact or not.

We have a 55 inch QLED Samsung TV from 2018. The test protocol I worked out is the following: start playing a long movie (LoTR) and measure the electric energy consumption during exactly one hour (with a GW Instek GPM-8310 digital power meter). Don’t touch the TV or remote while the test is running, and make sure that no dynamic settings are enabled that can influence the electric energy consumption (like ambient-light-based brightness control).

I measured at 3 sound volume levels: 20, 19 and muted. And I did this twice.

Here are the results:

Sound level      Electric energy consumption (Wh)
20               117,74
19               117,74
0 (muted)        117,66

For our TV, there’s no difference between a sound volume level of 20 and 19.

And by completely muting the TV, we save 0,08 Watts. That’s a very small amount. To put that in perspective, we would have to watch 125 hours of muted TV to power a 10 Watt LED light-bulb for 1 hour.

Of course, that’s for our TV. If you have a TV with a powerful soundbar and extra speakers, your measurements will be totally different.

While going through all the settings of our TV, there is one thing I noticed: the back-lighting setting was set to its maximum (20).

I reduced the back-lighting to 10 and measured again. That made a significant change: 77,666 Wh instead of 117,74 Wh (both at sound volume level 20, our usual setting). That’s a 34% reduction in electric energy consumption. That’s a significant reduction, but …, don’t forget that the back-lighting setting happened to be at its maximum.

We will keep it like that for the moment, and see if we still enjoy watching TV.



Wednesday 14 September 2022

Quickpost: An Inefficient Powerbank

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

I tested a small powerbank that I have, and it’s very inefficient.

It takes 10.07 Wh to charge:

And it delivers 5.95 Wh when I discharge it (5V at 0.250 mA).

So I only got 59% of the energy I put in back.

This powerbank is quite old; it might have become this inefficient over the years. Google searches tell me that you should get at least 85% efficiency.

Although this powerbank still works fine, and is very handy to me because of its small form factor, I’ll see if I can get a more efficient one with a similar form factor.



Tuesday 13 September 2022

Quickpost: “Exploding Multimeter”

Filed under: Hardware,Quickpost — Didier Stevens @ 12:22

I made a mistake and destroyed my old multimeter.

It’s a 30+ year old multimeter, and it had become very dirty because of all the dust it collected while I used it in a home renovation project, years ago. It was still functional, so I kept using it like that for years.

But recently, after discovering YouTube “restoration videos”, I got the idea to open it up and clean it.

The result was very good. Until I used it the first time to measure a 230V cable. Then there was a big flash inside the casing, and all the lights went out.

This is how it looks now (notice the black soot marks on the orange plastic):

And the burned diodes:

What went wrong? The meter also has aluminum foil to shield the electronics:

And I was not careful enough when I put it back, and it shorted the 2 connectors:

