Just a friendly reminder to make sure you're only allowing ports 80, 443, and maybe 8080 outbound from your network. According to this recent US-CERT alert, advanced attackers are using email attachments that leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. This sends the user's credential hash to the remote server before the requested file is retrieved. (Note: the file does not actually have to be retrieved for the credentials to be transferred.) The threat actors then likely used password-cracking techniques to obtain the plaintext password.
TCP ports 445 or 139 and UDP ports 137 or 138 (SMB) should only be allowed internally !!!
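A quick way to check whether that rule is actually holding is to run your firewall logs through a filter that flags SMB/NetBIOS flows from an inside host to an outside address. The script below is an added example written for this post, not a US-CERT or vendor tool; the log lines and their key=value layout are constructed, and the internal ranges are assumed to be the RFC 1918 blocks (adjust INTERNAL_NETS to your own address space). An allowed flow means the credential hash has probably already left, so that host goes to the top of the list; a denied flow still names a host that tried.

```python
import ipaddress
import re
from typing import Dict, List

# Ports the reminder says should never be allowed to leave the network:
# TCP 445/139 and UDP 137/138 (SMB / NetBIOS).
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# The organisation's own address space (assumed RFC 1918 here; adjust to your
# environment). A destination outside these ranges is treated as "external".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Firewall log lines constructed for this example. The key=value layout is a
# generic stand-in, not any particular vendor's format.
SAMPLE_LOG = """\
2017-10-19T09:12:01Z action=allow proto=tcp src=10.0.4.17:49211 dst=203.0.113.45:445
2017-10-19T09:12:03Z action=allow proto=tcp src=10.0.4.17:49212 dst=203.0.113.45:443
2017-10-19T09:12:05Z action=allow proto=tcp src=10.0.4.22:50001 dst=10.0.1.5:445
2017-10-19T09:12:07Z action=deny proto=udp src=10.0.4.31:137 dst=198.51.100.9:137
2017-10-19T09:12:09Z action=allow proto=udp src=10.0.4.31:138 dst=198.51.100.9:138
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; returns {} for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}


def find_smb_egress(log_text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return SMB/NetBIOS flows from an internal host to an external one.

    'leaked'  : the firewall allowed the flow, so the user's credential hash
                may already have gone out and the host needs investigating.
    'blocked' : the firewall denied it; still worth a look at the source host,
                since something on it tried to talk SMB to the Internet.
    """
    result: Dict[str, List[Dict[str, str]]] = {"leaked": [], "blocked": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        key = (rec["proto"].lower(), int(rec["dport"]))
        if key not in SMB_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # internal-to-internal SMB is expected; ignore it
        bucket = "leaked" if rec["action"].lower() == "allow" else "blocked"
        result[bucket].append(rec)
    return result


if __name__ == "__main__":
    hits = find_smb_egress(SAMPLE_LOG)
    for kind, recs in hits.items():
        for r in recs:
            print(f"{kind}: {r['ts']} {r['src']} -> {r['dst']}:{r['dport']}/{r['proto']}")
```

Run against the sample, two flows end up in the "leaked" bucket (TCP 445 and UDP 138 to outside addresses that the firewall let through) and one in "blocked". The 443 flow and the internal-to-internal 445 flow are ignored, which is the point: SMB inside the network is normal, SMB leaving it is not.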
Lenny Zeltser, SANS Instructor, has released a customized distribution targeted at malware reverse engineers. From the REMnux page:
REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.
(This article was originally published on June 9, 2009 — new resources added below)
Do you ever receive a suspicious file via email, or hesitate to download software from a webpage? You can upload the executable to one of the malware analyzers below and they'll run it through several different AVs and give you the results. CWSandbox will also make a basic attempt at reverse engineering the app and let you know what type of handles it's creating. Some very neat tools.
A high level overview to perform live memory captures and analysis:
- capture memory via MoonSols' win32dd
- parse the memory snapshot with Mandiant's Memoryze
- analyze the results via Audit Viewer
- or analyze using the Volatility framework, neatly packaged in the SANS SIFT Workstation
So you want to get your feet wet?
- Grab Didier Stevens' tools here: http://blog.didierstevens.com/programs/pdf-tools/
- Grab malicious PDF samples here: http://www.malwaredomainlist.com/mdl.php?search=pdf+exploit&colsearch=All&quantity=50 *Be careful, these are live samples!
- Video Tutorial: Didier on analyzing a PDF Document: http://www.youtube.com/v/tHVi2wKCkTc
- Other deobfuscation tools: Malzilla, SpiderMonkey (need to handle document.write), debug via Rhino, Firefox add-on (haven’t tried this one)
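Before reaching for a debugger, the first question on any PDF is simply "does it try to do anything when opened?" That is what pdfid answers by counting a handful of name objects. The script below is an added example that reimplements that idea in a few lines; it is not Didier's code. Both PDFs are constructed for the example, and the keyword list is my own selection. The one detail worth seeing is the #xx name escape: /Ja#76aScript is a perfectly legal spelling of /JavaScript, and malicious files use it to slip past a plain string search, so the scanner normalizes names before counting.

```python
import re
from typing import Dict

# Name objects worth counting: the ones that make a reader execute code or act
# when the file is opened, plus streams that can hide other objects.
KEYWORDS = [
    "/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm",
]

# Keywords that on their own justify opening the file in an isolated lab first.
AUTO_ACTION = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch"}

# A PDF name token ends at whitespace or a delimiter character; require one so
# that /JS does not also match the start of a longer name.
DELIM = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /Ja#76aScript reads as /JavaScript.

    This is the legal name-encoding from the PDF spec; the whole file is
    rewritten, which is good enough for counting keywords.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> Dict[str, int]:
    """Count each keyword in the normalized file, pdfid-style."""
    norm = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        counts[kw] = len(re.findall(re.escape(kw.encode()) + DELIM, norm))
    return counts


def triage(data: bytes) -> str:
    """One-line verdict: does the file try to run something on open?"""
    counts = count_keywords(data)
    hot = sorted(k for k in AUTO_ACTION if counts[k])
    if hot:
        return "suspicious: " + ", ".join(hot)
    return "no automatic actions found"


# Two minimal PDFs constructed for this example. The first carries JavaScript
# launched via /OpenAction, with the action name hex-escaped; the second is
# the same skeleton with nothing attached.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Ja#76aScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, count_keywords(blob), "->", triage(blob))
```

A count is only a hint: a zero for /JavaScript proves nothing if the objects live inside a compressed /ObjStm, which is why that keyword is counted too, and a non-zero count is the cue to pull the object out with pdf-parser and deobfuscate the script rather than open the file on a real desktop.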
Have you just injected into a running process's memory? In most cases, unless you're an adept author and have written a rootkit, you want your malware to remain persistent via autorun, the registry, the startup folder, etc. Where do you store your persistent launcher? A clever idea would be to determine what AV the victim is running, if any 🙂 Once you determine which AV is running, you should check whether any files or directories are excluded from scanning. If so, you've just found the perfect location for your loader.
Here’s what I’ve come up with so far:
AVG: configuration files in binary format; no registry entries
Microsoft Security Essentials: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Trend: check out these registry locations:
- HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Prescheduled Scan Configuration (ExcludedFile & Excluded Folder keys)
- HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration (ExcludedFile & Excluded Folder keys)
- HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Scan Now Configuration (ExcludedFile & Excluded Folder keys)
Here's a Microsoft KB article about their recommended locations for exclusion: http://support.microsoft.com/kb/822158
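The flip side for anyone running these products is to audit the exclusions before someone else does. The script below is an added example, not Microsoft's or Trend's tooling: it parses a registry export (.reg text, as regedit or reg export produces it) of the MSE exclusion key listed above and flags any excluded path that sits under a location ordinary users can write to. The export, its paths and the list of user-writable prefixes are all constructed or assumed for the example; the Trend keys store their lists in a different value layout, so they are not parsed here.

```python
import re
from typing import Dict, List, Tuple

# Registry export constructed for this example. The key is the MSE exclusion
# key from the post; the excluded paths are made up. In .reg files each value
# name is the excluded path and backslashes are doubled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\DATA"=dword:00000000
"C:\\Users\\Public\\Downloads"=dword:00000000
"C:\\Windows\\Temp"=dword:00000000
"C:\\ProgramData\\Acme Backup"=dword:00000000
"""

# Keys whose value names are excluded paths (MSE layout).
EXCLUSION_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths",
}

# Prefixes assumed to be writable by non-admin users; an exclusion underneath
# any of these hands unscanned disk to whoever can log on.
USER_WRITABLE_PREFIXES = [
    "C:\\Users\\",
    "C:\\ProgramData\\",
    "C:\\Windows\\Temp\\",
]


def parse_reg(text: str) -> Dict[str, List[str]]:
    """Map each [key] in a .reg export to the list of its value names."""
    result: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        # value line: "name"=data ; name may contain escaped \\ and \"
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=', line)
        if m and current is not None:
            name = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
            result[current].append(name)
    return result


def excluded_paths(text: str) -> List[str]:
    """All paths excluded from scanning according to the export."""
    paths: List[str] = []
    for key, names in parse_reg(text).items():
        if key in EXCLUSION_KEYS:
            paths.extend(names)
    return paths


def risky_exclusions(text: str) -> List[Tuple[str, str]]:
    """(path, offending prefix) for every exclusion under a user-writable tree."""
    out: List[Tuple[str, str]] = []
    for p in excluded_paths(text):
        probe = (p.rstrip("\\") + "\\").lower()
        for prefix in USER_WRITABLE_PREFIXES:
            if probe.startswith(prefix.lower()):
                out.append((p, prefix))
                break
    return out


if __name__ == "__main__":
    for path, prefix in risky_exclusions(SAMPLE_REG):
        print(f"REVIEW: {path} is excluded and lives under {prefix}")
```

On the sample, the SQL data directory passes (that is the kind of exclusion the KB article is talking about) while the Downloads, Temp and ProgramData entries get flagged. Run the same check over exported GPO settings or a fleet-wide registry pull and you have a standing list of exclusions to justify or remove.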