Just some small changes.
peid-userdb-to-yara-rules_V0_0_2.zip (https)
MD5: BE287BE1CB4EAFC360B1105C47F81819
SHA256: DC673DC90420F880EBDC8A0298410B3B8D90AFBCCE868A3E075DB5AAF898A188
This update adds support for metadata and fixes an XML parsing bug.

oledump_V0_0_12.zip (https)
MD5: 0AB5F77A9C0F1FF3E8BE4F675440A875
SHA256: 6F87E65729B5A921079B9E5400F63BE6721673B7AC075D809B643074B47FB8D3
I searched through the Metasploit source code for User-Agent strings (starting with Mozilla/).
This is what I found:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N
Mozilla/4.0 (compatible; Metasploit RSPEC)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
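As an added example (not code from the original post), here is a small Python script that looks for the User-Agent strings listed above in web server logs in the Apache/nginx "combined" format. The strings are copied from the list; the Trident/4.0 entry is cut off on the page, so it is matched as a prefix up to "SLCC1;". The log lines are constructed samples, and the tail of the Trident User-Agent in the sample log is a made-up continuation, not the real string.

```python
import re
from typing import List, Optional, Tuple

# User-Agent strings from the Metasploit source, as listed in the post.
METASPLOIT_UAS_EXACT = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; Metasploit RSPEC)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 "
    "(KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
]
# This entry is truncated in the post, so only the known prefix is matched.
METASPLOIT_UAS_PREFIX = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; "
    "SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1;",
]

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def match_user_agent(ua: str) -> Optional[str]:
    """Return 'exact' or 'prefix' if ua is one of the listed strings, else None.

    Note: the Googlebot and plain MSIE strings are also used by legitimate
    clients, so a hit is a lead to verify (e.g. reverse DNS for Googlebot),
    not proof of Metasploit activity.
    """
    if ua in METASPLOIT_UAS_EXACT:
        return "exact"
    if any(ua.startswith(prefix) for prefix in METASPLOIT_UAS_PREFIX):
        return "prefix"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client ip, request, user-agent, match kind) for every matching line."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # not in combined format; skip rather than guess
        kind = match_user_agent(m.group("ua"))
        if kind:
            hits.append((m.group("ip"), m.group("request"), m.group("ua"), kind))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2015:13:55:36 +0100] "GET / HTTP/1.1" 200 2326 "-" '
    '"Mozilla/4.0 (compatible; Metasploit RSPEC)"',
    '192.0.2.11 - - [10/Feb/2015:13:55:40 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"',
    # The part after "SLCC1;" below is a constructed continuation, not the real string.
    '192.0.2.12 - - [10/Feb/2015:13:56:02 +0100] "POST /upload.php HTTP/1.1" 200 17 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; '
    'SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .NET CLR 2.0.50727)"',
    '192.0.2.13 - - [10/Feb/2015:13:57:15 +0100] "GET /robots.txt HTTP/1.1" 200 68 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    for ip, request, ua, kind in scan_log(SAMPLE_LOG):
        print(f"{kind:6} {ip:12} {request!r} {ua}")
```

To run it over a real access log, replace SAMPLE_LOG with the lines of the file; the match kind tells you whether the whole string matched or only the known prefix.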
Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment.
The following statements are executed right before the malicious actions begin:
If IsSandBoxiePresent(1) = True Then End
If IsAnubisPresent(1) = True Then End
If IsVirtualPCPresent = True Then End
The presence of SandBoxie can be detected by the successful loading of the DLL Sbiedll.dll or by the presence of the string [#] in the window title. In this sample, the DLL is checked (1).
The presence of Anubis can be detected by checking the serial number of the system drive, checking Windows’ Product ID, checking the name of the application or the user. In this sample, the serial number is checked (1).
The presence of virtualization is detected by enumerating the services\disk and looking for strings “virual”, “vmware” or “vbox”.
With the help of Google, I discovered that the criminals copy/pasted 7-year-old code posted on a forum here, here and here. It’s in Spanish, while the Excel document has code page 1251 ANSI Cyrillic.
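From the analyst's side, the interesting part of a sample like this is spotting the evasion checks in the extracted VBA before the payload. As an added example (not code from the post or from the sample), the Python scanner below looks for the indicators the post names (Sbiedll.dll, [#], the three function names, services\disk, "virual", "vmware", "vbox") in VBA source, line by line, and first joins simple string concatenations such as "vm" & "ware" so a split literal does not slip past. The VBA fragment it runs on is constructed for the example and only contains declarations and the three statements quoted above.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Indicators taken from the post, grouped by what they point at. "virual" is
# kept as spelled in the post, since that is the string the sample looks for.
INDICATORS: Dict[str, List[str]] = {
    "sandboxie": ["sbiedll.dll", "[#]", "issandboxiepresent"],
    "anubis": ["isanubispresent"],
    "virtualization": ["services\\disk", "virual", "vmware", "vbox", "isvirtualpcpresent"],
}

# Joins adjacent VBA string literals: "vm" & "ware" -> "vmware".
# Only handles concatenation within one line, so line numbers stay stable.
CONCAT_RE = re.compile(r'"\s*&\s*"')


class Finding(NamedTuple):
    line: int
    category: str
    indicator: str


def normalize_line(line: str) -> str:
    """Lower-case the line and merge split string literals."""
    return CONCAT_RE.sub("", line).lower()


def scan_vba(source: str) -> List[Finding]:
    """Return every indicator hit with its 1-based line number."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = normalize_line(raw)
        for category, needles in INDICATORS.items():
            for needle in needles:
                if needle in line:
                    findings.append(Finding(lineno, category, needle))
    return findings


def categories_hit(findings: List[Finding]) -> Set[str]:
    """The set of evasion families seen; three of three is a strong signal."""
    return {f.category for f in findings}


# Constructed VBA fragment: declarations plus the three statements from the post.
SAMPLE_VBA = """\
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Const SBIE_DLL As String = "Sbiedll" & ".dll"
Const DISK_KEY As String = "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"
Dim Markers(2) As String
Sub Workbook_Open()
    Markers(0) = "vm" & "ware": Markers(1) = "vbox": Markers(2) = "virual"
    If IsSandBoxiePresent(1) = True Then End
    If IsAnubisPresent(1) = True Then End
    If IsVirtualPCPresent = True Then End
    ' malicious actions would follow here
End Sub
"""

if __name__ == "__main__":
    results = scan_vba(SAMPLE_VBA)
    for f in results:
        print(f"line {f.line:3}  {f.category:14} {f.indicator}")
    print("families:", ", ".join(sorted(categories_hit(results))))
```

Feed it the VBA text you get from oledump (option -v on the macro stream) and the line numbers point you straight at the checks to neutralize or patch out before detonating the sample in a lab.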
Since last week we see XML documents being spammed: they are actually Microsoft Word documents with VBA Macros.
I wrote an ISC Diary entry (I’m a SANS ISC Handler now) detailing the internals of these XML files.
oledump is updated to parse these XML documents.
oledump_V0_0_11.zip (https)
MD5: 02AEF764545213E1B1A5895AD0706F78
SHA256: 162EE94B1A4533956EE2CE0CB13ECDF2FF6C18A0597685E690B8524526FD694E
This version handles corrupt VBA macro streams without crashing. Corrupt VBA macro streams are marked with an E indicator (error).
And an update to the plugin_http_heuristics and plugin_dridex plugins.
oledump_V0_0_10.zip (https)
MD5: 450C28232254F8FF3AF5E289F58D2DAB
SHA256: 139671E5E69200CECCE0EF730365C1BF1B7B8904B90E3B1E08E55AB040464C73
The plugin_dridex plugin was updated.
And oledump.py has a new option: --quiet: only print output from plugins.
oledump_V0_0_9.zip (https)
MD5: 849C26F32397D2508381A8472FE40F90
SHA256: 74887EA3D4362C46CCBF67B89BB41D7AACE9E405E4CB5B63888FEDCE20FD6A07
Some time ago I had the chance to try out an image forensic method (Error Level Analysis) on a PDF. It was a fraudulent document (a form), but with a special characteristic: the criminal converted the original form (a PDF) to JPEG, edited the JPEG with a raster graphics editor, and then inserted the edited JPEG in a PDF document. This gave me the opportunity to try out Error Level Analysis (ELA) on a “text document”.
I can’t share the PDF, but I recreated one to use in this blogpost.
First I search for images in the PDF document:
pdf-parser.py -s image example-edited.pdf
Result:
obj 4 0
Type:
Referencing: 6 0 R
<<
/Font
/XObject
<<
/Im4 6 0 R
>>
/ProcSet [/PDF/Text/ImageC/ImageI/ImageB]
>>
obj 6 0
Type: /XObject
Referencing:
Contains stream
<<
/Type /XObject
/Subtype /Image
/Width 680
/Height 965
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter /DCTDecode
/Length 233133
>>
The image is in object 6. I extract the image:
pdf-parser.py -o 6 -d example-edited.jpeg example-edited.pdf
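To show what the two pdf-parser commands above do under the hood, here is an added example in Python (not pdf-parser's own code, and not from the post): a minimal parser that walks the "N G obj" objects of a PDF, reads each dictionary with balanced << >> so nested dictionaries like the /XObject entry in object 4 are handled, reads the stream that follows using a direct /Length, and returns the /Subtype /Image objects. For /DCTDecode the stream is the JPEG file as-is, which is why it can be written out unchanged. The PDF it runs on is constructed in memory, with a placeholder JPEG payload; object streams, indirect /Length values and other filters are out of scope and left unresolved rather than guessed.

```python
import re
from typing import List, NamedTuple, Optional


class PdfObject(NamedTuple):
    number: int
    generation: int
    dictionary: bytes
    stream: Optional[bytes]  # None when there is no stream or its length is indirect


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_RE = re.compile(rb"\s*stream\r?\n")
# Direct /Length only; "/Length 7 0 R" (indirect) is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def _read_dict(data: bytes, start: int) -> int:
    """Return the offset just past the dictionary whose '<<' is at data[start]."""
    depth, i = 0, start
    while i < len(data):
        if data.startswith(b"<<", i):
            depth += 1
            i += 2
        elif data.startswith(b">>", i):
            depth -= 1
            i += 2
            if depth == 0:
                return i
        else:
            i += 1
    raise ValueError("unterminated dictionary")


def parse_objects(data: bytes) -> List[PdfObject]:
    """Collect dictionary objects (with their stream, when the length is direct)."""
    objects = []
    for m in OBJ_RE.finditer(data):
        pos = m.end()
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if not data.startswith(b"<<", pos):
            continue  # numbers, arrays, ...: never an image XObject
        end = _read_dict(data, pos)
        dictionary = data[pos:end]
        stream = None
        sm = STREAM_RE.match(data, end)
        lm = LENGTH_RE.search(dictionary)
        if sm and lm:
            length = int(lm.group(1))
            stream = data[sm.end():sm.end() + length]
        objects.append(PdfObject(int(m.group(1)), int(m.group(2)), dictionary, stream))
    return objects


def find_images(objects: List[PdfObject]) -> List[PdfObject]:
    """Equivalent of 'pdf-parser.py -s image' narrowed to image XObjects."""
    return [o for o in objects if re.search(rb"/Subtype\s*/Image\b", o.dictionary)]


def image_filter(obj: PdfObject) -> Optional[str]:
    m = re.search(rb"/Filter\s*/(\w+)", obj.dictionary)
    return m.group(1).decode() if m else None


def extract_jpeg(obj: PdfObject) -> bytes:
    """Equivalent of '-o N -d' for a DCTDecode image: the stream is the JPEG."""
    if image_filter(obj) != "DCTDecode":
        raise ValueError("only DCTDecode (JPEG) streams are stored verbatim")
    if obj.stream is None:
        raise ValueError("stream length could not be resolved")
    if not obj.stream.startswith(b"\xff\xd8"):
        raise ValueError("stream does not start with a JPEG SOI marker")
    return obj.stream


# Constructed placeholder "JPEG": SOI + APP0 header bytes + padding + EOI. Not a real image.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"


def build_sample_pdf() -> bytes:
    """A constructed PDF mirroring the two objects shown in the post."""
    resources = (b"4 0 obj\n<< /Font << >> /XObject << /Im4 6 0 R >> "
                 b"/ProcSet [/PDF/Text/ImageC/ImageI/ImageB] >>\nendobj\n")
    image = (b"6 0 obj\n<<\n/Type /XObject\n/Subtype /Image\n/Width 680\n/Height 965\n"
             b"/BitsPerComponent 8\n/ColorSpace /DeviceRGB\n/Filter /DCTDecode\n"
             b"/Length " + str(len(FAKE_JPEG)).encode() + b"\n>>\nstream\n"
             + FAKE_JPEG + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + resources + image + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for img in find_images(parse_objects(build_sample_pdf())):
        print(f"obj {img.number} {img.generation}: filter={image_filter(img)} "
              f"stream={len(img.stream or b'')} bytes")
        with open(f"obj{img.number}.jpeg", "wb") as f:
            f.write(extract_jpeg(img))
```

On a real file, read it with open(path, "rb").read() in place of build_sample_pdf(); the JPEG written out is what you then run ELA against.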
Here it is:
If you Google for Error Level Analysis, you’ll find a couple of websites that provide online image forensics. But that was not an option for me, I could not share the document.
I found this C program for ELA, and later I wrote my own Python program (what else?), that I’ll use for this example:
image-forensics-ela.py example-edited.jpeg example-edited-ela.png
The colored pixels reveal the word I edited. You can see it better when I overlay the 2 images:
image-overlay.py -a 0.6 example-edited.jpeg example-edited-ela.png example-edited-overlay.png
FYI: there is also a GIMP plugin for ELA.
You can download the examples and programs here:
blogpost-ela-files.zip (https)
MD5: 4F3071A9162C5CA8B7B10A41F662093A
SHA256: CBA786368D7BAF65E1E9F854C315BFB60FF89910429106513A0C41C180D8FCAB
This new version brings support for multiple YARA rule files.
The plugin_http_heuristics plugin was updated, and there is a new plugin: plugin_dridex.
oledump_V0_0_8.zip (https)
MD5: 29EBF73F5512B0BC250CD0A0977A2C72
SHA256: 09C451116FCDE7763173E1538C687734D92267A0D192499AFD118D8D923165B9
Version 2.1 of EICARgen can create an Excel spreadsheet (.xls) with the EICAR test file embedded with OLE.