» External tools

Automatic analysis of malware behavior

carrumba — Mon, 04 Jan 2010 16:40:36 +0000

I just read about the tool Malheur designed for malware analysis. It looks interesting, I don’t know what other tools like this one are out there (if you know some of them, please leave a comment) but it is worth some minutes to read through their page.

After thinking some minutes about their approach using the MIST (malware instruction set) would the software still detect the malicious behaviour if instead of calling a function inside the software itself to create a new process with the according parameters.

instead of collecting all sensitive data and transferring it to the dropzone and triggering the alarm bell separating these two functions by calling :

malware.exe -collect >output.txt
malware -drop output.txt

I implemented it like that inside the SkypeTrojan.

Malheur is a tool for automatic analysis of program behavior recorded from malware. It has been designed to support the regular analysis of malicious software and the development of detection and defense measures.

Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning techniques.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.

TrueCrypt

carrumba — Mon, 23 Nov 2009 16:27:14 +0000


Tool name :	TrueCrypt

Description :	TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted drive. On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password or correct encryption key. Until decrypted, a TrueCrypt volume appears to be nothing more than a series of random numbers. The entire file system is encrypted (i.e., file names, folder names, contents of every file, and free space).

Homepage :	www.truecrypt.org

Hping2

carrumba — Sun, 15 Nov 2009 19:03:52 +0000


Tool name :	Hping

Description :	This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rulesets. It is also great for learning more about TCP/IP and experimenting with IP protocols.

Homepage :	www.hping.org

W32.Blaster.Worm source code.

carrumba — Fri, 13 Nov 2009 20:15:14 +0000


Name	Win32/Blaster/Worm (Lovsan, Lovesan)

Type	Spreader, Worm

Author	Unknown

Written in	C

Description	This worm was very active in 2003. It spreaded via an RPC vulnerability and executed a DoS attack on a specific date. It’s a well structured code, easy to read and understand. The intresting paragraphs are the spreader which attacks new victim system to learn and see how (easily) it is done and the usage of raw sockets in the payload which is in charge of the SYN flood attack.

Questions	Do you have a question about this RAT/bot/worm? At the bottom of this post you find the box where you can type and send your message.

Downloads	Source

Information	Wikipedia

Win32/ogw0rm source code.

carrumba — Sun, 08 Nov 2009 15:02:55 +0000


Name	Win32/ogw0rm

Type	Spreader, Worm

Author	Unknown

Written in	C

Description	Ogw0rm is a good example how malware propagates itself via Instant Messaging apps. It checks the process list for running IM applications and propagates itself by sending messages to new victims. It shows how to enumerate Windows, send key strokes to the OS, Registry stuff and a little networking stuff. A simple malware source to read on a rainy sunday afternoon.

Questions	Do you have a question about this RAT/bot/worm? At the bottom of this post you find the box where you can type and send your message.

Downloads	Source

The Metasploit Framework

carrumba — Sun, 27 Sep 2009 16:03:52 +0000


Tool name :	Metasploit Framework

Description :	The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Homepage :	www.metasploit.com

Defeating SSL using SSLStrip

carrumba — Tue, 11 Aug 2009 11:32:45 +0000

At BlackHat DC 2009 Moxie Marlinspike demonstrated how to subvert HTTPS with SSLStrip. SSLStrip intercepts HTTP traffic, watches for HTTPS links inside the data stream and maps these HTTPS links to HTTP. Whenever a victim clicks on such a mapped HTTPS link SSLStrip will notice it and act as a HTTP2HTTPS proxy server. All the data is available in cleartext to SSLStrip and an attacker can use this circumstance to his advantage.

If I find the time I will port the SSLStrip features to PERL to merge it with the HTTP proxy script I wrote to observe spam and anonymized traffic.

Here is the SSLStrip 0.4 packet from the local archive on Megapanzer.

This is the link to Moxie’s page.

See SSLStrip in action here :

Tor, The Onion Routing Project.

carrumba — Sun, 09 Aug 2009 22:28:24 +0000


Tool name :	Tor

Description :	Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features. For a free cross-platform GUI, users recommend Vidalia

Homepage :	www.torproject.org

Network sniffer/interceptor/logger for ethernet LANs.

carrumba — Sun, 02 Aug 2009 17:23:25 +0000


Tool name :	Ettercap

Description :	In case you still thought switched LANs provide much extra security Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

Homepage :	ettercap.sourceforge.net

Tcpdump sniffer for network monitoring.

carrumba — Sun, 26 Jul 2009 17:00:53 +0000


Tool name :	Tcpdump

Description :	Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn’t receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity.

Homepage :	www.tcpdump.org