Disable 445 outbound

Just a friendly reminder to make sure you’re only allowing ports 80, 443, and maybe 8080 outbound from your network. According to this recent US-CERT alert, advanced attackers are using email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. This sends the user’s credential hash to the remote server prior to retrieving the requested file. (Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password.

TCP ports 445 and 139 and UDP ports 137 and 138 (SMB/NetBIOS) should only be allowed internally!!!
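A quick way to check whether that rule actually holds is to run your firewall or flow logs through a filter that flags SMB/NetBIOS traffic from an internal host to anything outside the RFC 1918 ranges. This is an added example, not part of the original post; the `src dst proto dport` record format and the sample flows are constructed, and the internal prefixes are an assumption you should adjust to your own allocation.

```python
import ipaddress
from collections import namedtuple

# SMB/NetBIOS protocol/port pairs that should never leave the network.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Internal address space (assumption: plain RFC 1918; edit to match your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Finding = namedtuple("Finding", "src dst proto port")


def is_internal(addr):
    """True if addr falls inside one of the configured internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed 'src dst proto dport' flow record."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def find_smb_egress(lines):
    """Return every internal -> external flow on an SMB/NetBIOS port."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        if (proto, dport) in SMB_PORTS and is_internal(src) and not is_internal(dst):
            findings.append(Finding(src, dst, proto, dport))
    return findings


# Constructed sample flows: two should alert (external 445 and 137), two should not.
SAMPLE_FLOWS = """\
# src dst proto dport
10.1.2.34 203.0.113.9 tcp 445
10.1.2.34 10.1.2.5 tcp 445
192.168.5.7 198.51.100.20 tcp 443
10.1.2.99 203.0.113.9 udp 137
"""

if __name__ == "__main__":
    for f in find_smb_egress(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT outbound SMB: {f.src} -> {f.dst} {f.proto}/{f.port}")
```

Any hit means either the egress rule is missing or a host is bypassing it; a document-borne credential leak like the one in the alert would show up as exactly this pattern.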


REMnux: Distro for Reversers

Lenny Zeltser, SANS Instructor, has released a customized distribution targeted at malware reverse engineers. From the REMnux page:

REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

Malware Analyzers

(This article was originally published on June 9, 2009 — new resources added below)

Do you ever receive a suspicious file via email, or feel hesitant to download software from a webpage? You can upload the executable to one of the malware analyzers below and they’ll run it through several different AVs and give you the results. CWSandbox will also make a basic attempt at reverse engineering the app and let you know what type of handles it’s creating. Some very neat tools….

Analyzing Malicious PDF Documents

So you want to get your feet wet?

  1. Grab Didier Stevens’ tools here: http://blog.didierstevens.com/programs/pdf-tools/
  2. Grab malicious PDF samples here: http://www.malwaredomainlist.com/mdl.php?search=pdf+exploit&colsearch=All&quantity=50 *Be careful, these are live samples!
  3. Video Tutorial: Didier on analyzing a PDF Document: http://www.youtube.com/v/tHVi2wKCkTc
  4. You’re going to run into some heavily obfuscated JavaScript. Read this article: http://isc.sans.org/diary.html?storyid=2358
  5. Other deobfuscation tools: Malzilla, SpiderMonkey (need to handle document.write), debug via Rhino, Firefox add-on (haven’t tried this one)

Malware authors: Best storage / hiding locations

Have you just injected a running process’ memory? In most cases, unless you’re an adept author and have written a rootkit, you want your malware to remain persistent via auto-run, registry, start-up, etc. Where do you store your persistent launcher? A clever idea would be to determine what AV the victim is running — if any 🙂 Once you determine which AV is running, you should check whether or not any files or directories are excluded from scanning. If so, you’ve just found the perfect location for your loader.

Here’s what I’ve come up with so far:

AVG – Configuration files in binary format; No registry entries

Microsoft Security Essentials: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

Trend: Check out these registry locations:

  • HKLM\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList
  • HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Prescheduled Scan Configuration (ExcludedFile & ExcludedFolder keys)
  • HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration (ExcludedFile & ExcludedFolder keys)
  • HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Scan Now Configuration (ExcludedFile & ExcludedFolder keys)

Here’s a Microsoft KB article about their recommended locations for exclusion: http://support.microsoft.com/kb/822158