2010
08.15

Please, read this and do your job (head hunter or not) !!!

Preface

What I’m going to write now includes several true stories, but no actual companies or persons will be named. However, you will understand quite easily what it is all about!

Let the stories begin…

1. You work for a big company. That company is in the IT security field. Your job there is as a head hunter. You do your best to get all the talented and hardworking people into the company, and to keep a distance from the others. You keep track of everybody in your company. You know their strengths, and their weaknesses too. You also keep in contact with those who track the employees’ performance, so that you know where your company has weak spots and strong spots. You know what you need, you know where your company is lacking. And you search for it. You do your homework. You ask around, you follow social networks, you see what others have published, what their potential is, what their past is, what their employment status is and so forth.

2. Every now and then, somebody wants to be part of the IT security field. He’s young, passionate, does his homework and tries to get in. It’s very tough. Why? Well, it’s simple. In this field, everybody wants to be ahead of all others more than in any other field. Everybody wants to be the first that discovers this bug, that exploits it, that presents his paper about it at BlackHat, that thinks about this solution and implements it, or that has the best people. That someone will be quite discouraged when he realizes all this. But still, he pursues his dream. He makes a lot of contacts in the industry, he documents his findings and he doesn’t stop dreaming of becoming some day a part of IT security. Even more, he finds bugs in the products of these companies, in their webpages, and he discloses them responsibly.

This is the part where our two stories meet, and unfortunately there can be only 3 endings…

a) THE HAPPY END – the head hunter sees the potential of this person. He searches for his work. He sees it and recognizes this talent and passion. They meet. An offer is put on the table. It will not be the right price (it rarely is), but still, the bright kid is happy that someone noticed him and his work, his talent, his passion (you can’t put a price on the last two, do you get it now?) and he says yes. Remember, everything started from posting a few vulnerabilities in the products/webpages of the company.

b) THE BAD END – the head hunter doesn’t notice this person. He fails to see his talent and passion. Instead of meeting with him, they conclude that it’s best to say thanks and (optionally) send him a few promo products as a thank-you gift. Now don’t forget, this person is young and passionate. He still needs to eat. He must survive somehow. What does he do? He goes on the Internet, he buys a botnet for a few bucks and suddenly he’s the enemy of the company that made him switch sides. He will earn some good money, he will become greedy and eventually he will get caught (or not, but it doesn’t matter, since YOU have lost him).

c) THE END – the head hunter also doesn’t notice this person. He has potential, he is talented and passionate, but he isn’t recognized by the head hunter. He applies to several jobs, but because of his youth he doesn’t manage to get a job in the field. He doesn’t want to switch sides, he doesn’t want to work with/for the bad guys.

Because he must also eat, he switches fields. He succeeds easily, but unfortunately the company has lost a potentially extraordinary talent in the never-ending battle with the bad guys (whose numbers grow exponentially because of the fast money they make).

Which of these three stories would you want to see? Which one seems right to you? I know that life isn’t all sugar, but every now and then, you must also take risks as a security company.

So please, do your job and find that person who has the talent and the potential to make it in this field. Don’t let him slip away. Invest in him. Give him an opportunity. Let him prove it to you. Take your chance. His success is worth far more than his failure. This applies to him, and also to you.

So please, read this and do your job (head hunter or not) !!!

2010
08.15

As stated here before, this is the new address for my blog. I’ve given it a new face and I’ve changed the platform from blogger/blogspot to WordPress. I was at first a little reluctant to host my blog on my domain, and right I was. It wasn’t an easy transition, but since blogger/blogspot could not offer me what I wanted, I had to change something. And I did…

First stage, I had to install WordPress. This wouldn’t normally pose any problem, but I had to configure a database for it. Since my hosting company doesn’t have a tutorial/FAQ/easy database setup manual, it took me a little while to do it.

Second stage, the WordPress install procedure. This wasn’t hard at all, because WordPress is quite easy to install. Put the files in the right place, access the proper script and then installation begins automatically.

Third stage, importing the content from blogger/blogspot to WordPress. This is where things got a little complicated. There’s no easy, straightforward way that worked for me (or at least none that I could figure out by myself) of importing the old blog into WordPress. WordPress has an option to import from blogger, but for an unknown reason this solution didn’t work for me. I kept receiving a message telling me that I had no authorization to do this (even though I had supplied the proper blogger username and password).

There was another option: create a temporary blogger account, copy the old blog content to this account and only after that import it automatically into WordPress. Since I didn’t want to create another account on blogger just to delete the 2 blogger accounts afterwards (does Facebook ring a bell in this kind of nonsense?), I decided not to proceed in this direction.

The other option that I had was to manually import the old content into my new database. And I did it. Copy the old content, reformat it, put it in the database, correct the timestamps, copy the comments, correct their timestamps too, and this step was over. I tell you, I was very happy when it ended (now I truly appreciate the value of scripts :P ) and glad that I pulled it off.

The final stage, configuring my new blog. This involved installing and configuring themes and scripts to accommodate my tastes. It wasn’t a big deal, since the hard work was already done (populating the database).

After all these stages, this is my final work. Please, feel free to explore it, test it, break it and don’t hesitate to write a comment if there’s something that you want to tell me.

PS: Being a security blog, there’s one more final detail that I have to add. After configuring your WordPress blog, don’t forget to install at least one of the two plugins (I use both) that scan your blog for exploits and malware: Exploit Scanner and WP-MalWatch.

Stay safe!

2010
07.28

So, I’ve picked up on this rather late (Sunday around 10 PM – GMT +3:00), but it doesn’t matter since I’m kind of new when it comes to Reverse Engineering. This was the message from PandaLabs:

As promised, this 1st challenge is here: 1st-challenge.exe. To solve it, you have to create one valid license key for 999 users of this program.
The license key has to be sent to pandachallenge at pandasecurity dot com before next Monday at 17:00 (GMT+2). To avoid any problem with the mail filters, any attachment has to be compressed (zip or rar) with password (panda). Remember that there is no need to register, just download the file and enjoy!
The 1st one to send a valid license key will be the winner of the iPad. Good luck all!

So begins the story… Load the file in OllyDbg. This is what you’ll see:



Hit Alt+E to see the Modules Window, select 1st-challenge.exe, right click on it and click View Names (Ctrl+N). Type “ReadFile”, right click on it and select “Toggle breakpoint on import”.
What we’ve done so far means that when the ReadFile API is called, Olly breaks. Run the program, and our breakpoint gets hit. We can see that we’re inside kernel32.dll (this is the DLL that contains our ReadFile API).

Please look at the EDX register. It says UNICODE “wnloads\\license.k”. This license.k is the file that this challenge reads. Create a file called license.k in your 1st-challenge.exe directory, come back to Olly and redo the steps explained so far. Now select Debug-Execute till user code from the menu (or just press Alt+F9).

Scroll up a few lines and you’ll see something like this:


0041B629   PUSH 0               ; /pOverlapped = NULL
0041B62B   LEA EBX,[LOCAL.1]    ; |
0041B62E   PUSH EBX             ; |pBytesRead = 0142FD40
0041B62F   PUSH ECX             ; |BytesToRead = 74D718AF (1960253615.)
0041B630   PUSH EDX             ; |Buffer = 0142FCB8
0041B631   PUSH EAX             ; |hFile = 00000001
0041B632   CALL                 ; \ReadFile

Now F8 it in Olly (a looot of times, yes, don’t be scared) until you reach this portion of code:

00401721   |.  895E 2C           MOV DWORD PTR DS:[ESI+2C],EBX
00401724   |.  8B55 DC           MOV EDX,[LOCAL.9]
00401727   |.  8B45 F8           MOV EAX,[LOCAL.2]
0040172A   |.  E8 F1B50100       CALL 1st-chal.0041CD20                                              ;bad boy 1
0040172F   |.  8B45 F8           MOV EAX,[LOCAL.2]
00401732   |.  E8 F9BC0100       CALL 1st-chal.0041D430
00401737   |.  EB 05             JMP SHORT 1st-chal.0040173E
00401739   |>  E8 829D0100       CALL 1st-chal.0041B4C0
0040173E   |>  8D85 5CFFFFFF     LEA EAX,[LOCAL.41]
00401744   |.  E8 17120000       CALL 1st-chal.00402960

You see the call at 0041CD20? This is bad boy 1. When you reach this instruction (don’t execute it yet), press Space (this opens the assemble dialog), type “nop” and press Enter. This is how it should look now:

00401724   |.  8B55 DC           MOV EDX,[LOCAL.9]
00401727   |.  8B45 F8           MOV EAX,[LOCAL.2]
0040172A       90                NOP                                                                 ; no more bad boy
0040172B       90                NOP
0040172C       90                NOP
0040172D       90                NOP
0040172E       90                NOP
0040172F   |.  8B45 F8           MOV EAX,[LOCAL.2]
00401732   |.  E8 F9BC0100       CALL 1st-chal.0041D430
00401737   |.  EB 05             JMP SHORT 1st-chal.0040173E
00401739   |>  E8 829D0100       CALL 1st-chal.0041B4C0
0040173E   |>  8D85 5CFFFFFF     LEA EAX,[LOCAL.41]

Press F8 again a few times, until you reach here:

004017A0   |.  DFE0              FSTSW AX
004017A2   |.  9E                SAHF
004017A3   |.  0F85 08010000     JNZ 1st-chal.004018B1                                                   ;  bad boy2
004017A9   |.  8B45 F8           MOV EAX,[LOCAL.2]
004017AC   |.  8B40 24           MOV EAX,DWORD PTR DS:[EAX+24]
004017AF   |.  E8 1C770100       CALL 1st-chal.00418ED0
004017B4   |.  83EC 0C           SUB ESP,0C

Go until JNZ 1st-chal.004018B1, press Space and write JE instead of JNZ. This makes sure the jump will not be taken. Press F8 a few more times, until you see this:

004017DE   |.  DED9              FCOMPP
004017E0   |.  DFE0              FSTSW AX
004017E2   |.  9E                SAHF
004017E3   |.  74 05             JE SHORT 1st-chal.004017EA
004017E5       E8 D69C0100       CALL 1st-chal.0041B4C0                                              ;  bad boy 3
004017EA   |>  E8 818F0000       CALL 1st-chal.0040A770
004017EF   |.  89C3              MOV EBX,EAX

The last step here is to nop the call made to 0041B4C0 (I think you know how by now). Finally, right click, Copy to executable -> All modifications -> Copy all, right click in the new window, Save file, and save it as incomplete-1st-challenge.exe. If you’ve lost yourself somewhere, you can find the files here.
So, let’s recap! What was the challenge? The challenge was that the binary should have written:
Registered for 999 user(s)
Congratulations!

What does it say now? It says this:
Registered for xxx* user(s)
Congratulations!


*xxx is a number from -999 to 999.


This message appears regardless of what the license.k file contains. Sure, I failed, but since the challenge isn’t running anymore, the author has written a few words about it:


The challenge is a crackme consisting of a little virtual machine developed in Free Pascal (http://freepascal.org). This VM has 5 general purpose registers (R0-R5), 5 registers for arguments (A0-A5), it has no memory and “texts” are stored in the registers, no matter if the value is a text, a decimal or a whole number, and the virtual machine supports a little more than 10 instructions (mov, hlt, xor, add, sub, …).
When the executable binary is run, it looks for the file “license.k”. This file is the “program” to be run by the virtual machine. Some random values are passed to this program in the arguments from A0 to A3. These random values will be the coefficients in the following elliptic curve:
result = sqrt(a*x**3 + b*x**2 + c)
The program has to move the values that have been passed to it from the arguments A0-A3 to R0-R3, operate with them in order to obtain the final result, put this value in the A0 entry and put the number of users for which it is licensed in A1. As simple as that!
To make this task not so awful for me, while I was developing it, I created a quite rough (but effective) compiler in Python of some assembler code invented by me. The final assembler code with comments is as follows:
;
; Given the following equation:
;
;    sqrt(A*X^3 + B*X^2 + C)
;
; The coefficients are held in the following registers:
;
; A0 -> A
; A1 -> B
; A2 -> C
; A3 -> X
;
; We can’t operate with any of the A* registers
; so move the values to general purpose registers
MOV  R0, A0     ; R0 -> A
MOV  R1, A1     ; R1 -> B
MOV  R2, A2     ; R2 -> C
MOV  R3, A3     ; R3 -> X
MOVS 3, R4      ; R4 -> 3
POW  R4, R3, R4 ; R4 -> x^3
MOVS 2, R5      ; R5 -> 2
POW  R5, R3, R5 ; R5 -> x^2
MUL  R0, R0, R4 ; R0 -> ax^3
MUL  R1, R1, R5 ; R1 -> bx^2
ADD  R0, R0, R1 ; R0 -> ax^3 + bx^2
ADD  R0, R0, R2 ; R0 -> ax^3 + bx^2 + c
ABS  R0, R0, R0 ; y = abs(ax^3 + bx^2 + c)
SQRT R0, R0     ; y = sqrt(y)
MOV  A0, R0     ; Store the result in A0
MOVS 99, R0
MOV  A1, R0     ; Store in A1 the number of license users
; DUMP          ; <- Uncomment this for debugging purposes
And that’s all. The source code of the crackme and the “compiler” is already available (here).

You see the challenge now? It wasn’t easy, and VMs are always a pain to debug!!!
As always, feedback is always welcomed! [and help, of course :D ]

PS: I know the code looks bad, but this theme is bad for writing assembly code. I’ll probably replace it in the near future!
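To make the challenge author’s explanation concrete, here is a toy interpreter for the license.k virtual machine as I read it from the commented listing. It is an added example, not the author’s Free Pascal code or Python compiler: the register names (R0-R5, A0-A5), the instruction set and the operand order (MOV/MOVS write to the register named last in the listing; the arithmetic ops take destination first) are inferred from the listing, and the final check that the binary performs on A0 and A1 is my assumption of what “put this value in the A0 entry and the number of users in A1” means. The embedded program is the published listing with the user count changed from 99 to the 999 the challenge asked for.

```python
"""Toy interpreter for the license.k VM described in the challenge write-up.
Added illustration; instruction semantics are inferred from the commented
listing, not taken from the released Free Pascal source (which may differ)."""
import math

# R0-R5 general purpose, A0-A5 arguments, per the write-up.
REGISTERS = [f"R{i}" for i in range(6)] + [f"A{i}" for i in range(6)]

# The published listing, re-typed. The original writes 99 into A1; the
# challenge asked for 999 users, so that constant is changed here.
LICENSE_K = """
MOV  R0, A0     ; R0 -> A
MOV  R1, A1     ; R1 -> B
MOV  R2, A2     ; R2 -> C
MOV  R3, A3     ; R3 -> X
MOVS 3, R4      ; R4 -> 3
POW  R4, R3, R4 ; R4 -> x^3
MOVS 2, R5      ; R5 -> 2
POW  R5, R3, R5 ; R5 -> x^2
MUL  R0, R0, R4 ; R0 -> ax^3
MUL  R1, R1, R5 ; R1 -> bx^2
ADD  R0, R0, R1 ; R0 -> ax^3 + bx^2
ADD  R0, R0, R2 ; R0 -> ax^3 + bx^2 + c
ABS  R0, R0, R0 ; y = abs(ax^3 + bx^2 + c)
SQRT R0, R0     ; y = sqrt(y)
MOV  A0, R0     ; result -> A0
MOVS 999, R0
MOV  A1, R0     ; licensed users -> A1
"""


def parse(source):
    """Split assembler text into (mnemonic, operands) pairs, dropping ';' comments."""
    program = []
    for line in source.splitlines():
        code = line.split(";", 1)[0].strip()
        if not code:
            continue
        mnemonic, _, rest = code.partition(" ")
        operands = [op.strip() for op in rest.split(",") if op.strip()]
        program.append((mnemonic.upper(), operands))
    return program


def run(program, args):
    """Execute a parsed program with args loaded into A0, A1, ...; return the registers."""
    regs = {r: 0.0 for r in REGISTERS}
    for i, value in enumerate(args):
        regs[f"A{i}"] = float(value)

    def val(op):  # an operand is a register name or an immediate number
        return regs[op] if op in regs else float(op)

    binary = {  # "OP dst, src1, src2" forms
        "POW": lambda x, y: x ** y,
        "MUL": lambda x, y: x * y,
        "ADD": lambda x, y: x + y,
        "SUB": lambda x, y: x - y,
        "XOR": lambda x, y: float(int(x) ^ int(y)),
    }
    for mnemonic, ops in program:
        if mnemonic == "HLT":
            break
        if mnemonic == "MOV":            # MOV dst, src
            regs[ops[0]] = val(ops[1])
        elif mnemonic == "MOVS":         # MOVS imm, dst (immediate first in the listing)
            regs[ops[1]] = float(ops[0])
        elif mnemonic == "ABS":          # ABS dst, src, src (the listing repeats the source)
            regs[ops[0]] = abs(val(ops[1]))
        elif mnemonic == "SQRT":         # SQRT dst, src
            regs[ops[0]] = math.sqrt(val(ops[1]))
        elif mnemonic in binary:
            regs[ops[0]] = binary[mnemonic](val(ops[1]), val(ops[2]))
        else:
            raise ValueError(f"unknown instruction: {mnemonic}")
    return regs


def expected_result(a, b, c, x):
    """Value the binary is assumed to expect in A0 (the listing applies abs() first)."""
    return math.sqrt(abs(a * x ** 3 + b * x ** 2 + c))


def check_license(source, a, b, c, x, users_required):
    """Assumed validation step: A0 must hold the curve result and A1 the user count."""
    regs = run(parse(source), [a, b, c, x])
    return math.isclose(regs["A0"], expected_result(a, b, c, x)) and regs["A1"] == users_required


if __name__ == "__main__":
    # Constructed coefficients; the real binary picks random ones on every run,
    # which is why a license.k that just stores constants cannot pass.
    print(run(parse(LICENSE_K), [2, 3, 5, 4])["A0"])
    print(check_license(LICENSE_K, 2, 3, 5, 4, 999))
```

The point the interpreter makes is the one the author hints at: because A0-A3 are random on each run, the “program” in license.k has to compute the result itself, so patching the three bad-boy checks in the binary (as done above) gets the congratulations message without producing a valid key.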

2010
07.22

[0x00] The problem

Today I woke up and Twitter was full of news about the new undetected sample of SpyEyes. VirusTotal reported that no antivirus could detect it yet. I got a sample (thank you Ben Koehl and Chae Jong Bin) and sent it to Kaspersky. I then waited and waited and waited. I even pushed the manual update of my KIS 2010 (produced by Kaspersky), but it was still undetected. So I started to do my research…
[0x01] Who/what is Kaspersky?

Kaspersky Lab is a computer security company, co-founded by Natalya Kaspersky and Eugene Kaspersky in 1997, offering anti-virus, anti-spyware, anti-spam, and anti-intrusion products. The Kaspersky Anti-Virus engine also powers products or solutions by other security vendors, such as Check Point, Bluecoat, Juniper Networks, Sybari (now acquired by Microsoft), Netintelligence, GFI Software, F-Secure, Clearswift, FrontBridge, G-Data, Netasq, and others. Altogether, more than 120 companies are licensing technology from Kaspersky.
Also, from my point of view Kaspersky Lab does the best job when it comes to detecting malware.
[0x02] Their problems

As seen on viruswatch, they receive a lot of e-mails. Frankly, I would not like to be in their skin. A security researcher has thousands of malware samples to analyze per day, if you count only the e-mails received, not including what their honeypots intercept. It’s a massive amount of work.
[0x03] The path to detection

The process is not as simple as you would think. First, a piece of malware is out in the wild. Somebody gets it and sends it to them. They scan it with their own tools. They confirm it’s indeed malware. They release a signature. The signature gets pushed to their servers. The end user’s antivirus checks automatically for updates, and only after that is the malware detected/deleted/disinfected from the user’s PC.
[0x04] Internal structure

When a user’s antivirus updates, it contacts a Kaspersky Lab server. There are 22 servers spread all over Europe (yes, I live in Europe) and they can be browsed, starting from http://dnl-eu1.kaspersky-labs.com through http://dnl-eu22.kaspersky-labs.com. All 22 servers are perfectly synchronized every second, so what’s on one server you can find on all the other 21 servers.
[0x05] Getting the actual update

The signature is on the server. Your antivirus first checks to see if there are any new updates since the previous update (it uses the u0607g.xml.dif file for this), then it checks exactly which components are updated (Malware, Banners, Phishing sites, Spam, Malicious scripts, Suspicious sites, Network attacks, Rules for security analyst). If there are new malware signatures on the server (the file 2.kdb-i386-0607g.xml.dif is used), then the antivirus gets the new signature files (usually apuXXXX.dat files) and finally updates the information about the database (time of update, number of threats detected, etc.). After this, if you scan your file, it’s finally detected as malware.
[0x06] The SpyEyes problem

After doing other things, I checked Kaspersky’s database again and scanned my malware sample. It is now detected as Trojan-Spy.Win32.SpyEyes.nj, but as seen here, new variants have been written and are detected by KIS 2010. Good job guys!
[0x07] The VirusTotal report
The report can be found here, and at the moment of writing only Comodo and Kaspersky detect the malware (Heur.Suspicious for Comodo and Trojan-Spy.Win32.SpyEyes.nj for Kaspersky). At least we’re safe for now!
[0x08] Conclusions

1. It’s hard to get a good sample as an individual. It’s almost as hard to get it as an AV company. No sample, no analysis, no signature, no quality.
2. The bad guys are always a few steps ahead. If you take my sample as an example, the time when it was first detected is 08:07 and the time when the signature was pushed to the server was 16:39. This means that the sample had 8h 32m to wreak havoc on the victims’ computers. This means good $ for the bad guys.
3. Even now, only 2 AVs detect it. This is bad. There should be some kind of cooperation between the AV companies. I know that it’s a competition for the best antivirus, but the one that finally suffers is the user, the one that actually pays for the AV. This is not fair at all.
[0x09] Final conclusions
We need better heuristic methods. Instead of taking the time to release a signature, the heuristic scan should have detected the malware sample as a threat from scan no. 1, pushed the result to the server and released it to all other users that use the same AV. This is of course idealistic, because the size, the costs and the scan time of an AV would grow exponentially. Still, as with everything related to humankind, we are the weak link in this chain!
[Disclaimer: This article is written for educational purposes only. I'm not affiliated with any AV company, nor do I advertise for one. I just write my ideas freely, as this was the intent when I started blogging]
PS: Feedback is always welcomed, or just say hi at this e-mail: klaudyus|at|gmail.com
2010
07.19
Here we are again, after talking in short about Buster Sandbox Analyzer. I will not bore you with details about installing Sandboxie or , because they did a great job of covering that on their own website.
I promised you that we would talk about Virut in this second tutorial. Win32.Virut.C is a dangerous, very complicated piece of malware, but since it’s no 0-day (it was actually detected back in 2007), there are a lot of good papers about it.
You can find a basic introduction to the malware here, and a few technical papers that I’d recommend reading are: Review of the Virus.Win32.Virut.ce Malware Sample written by Vyacheslav Zakorzhevsky from Kaspersky Lab, Virut Encryption Analysis written by the guys from SecureWorks and Under the Hood: Virut written by the guys at TeamFurry.
[Please, take your time to study the analysis of the malware. At least read the basic introduction, because without it, this article will make no sense whatsoever.]
So back to the practical part of this article. If you get a sample of Virut, you’ll see that analyzing it in its current form is in vain. What’s your next step? Try loading it in a sandbox. We’ll try them one by one, and I’ll post the results:
CWSandbox
Sandbox analysis: here
Things learned:
- created a C:\8884425.exe file; created a R30S mutex
Anubis
Sandbox analysis: here
Things learned: -
ThreatExpert
Sandbox analysis: here
Things learned:
- please read the report, it covers a lot of details
Comodo Instant Malware Analysis
Sandbox analysis: here
Things learned:
- please read the report, it covers a lot of details
EUREKA Malware Analysis
Sandbox analysis: here
Things learned:
- it tried to unpack the .exe file; provided string and dns of “unpacked” .exe; created an unpacked .asm
[I can't confirm whether this output was based on previous analysis or on run-time analysis]
Norman Sandbox
Sandbox analysis: here
Things learned:
- anti debug/emulation code present; mutex, section, modify memory, modify OS kernel function
Let’s try the same thing now, only this time we use BSA.

Buster Sandbox Analysis
Sandbox analysis: here
Things learned:
- process created, service opened, mutex created, registry keys opened, registry keys modified, privilege escalation
[it totally missed the NtCreateFile and alike functions, and also the port connections].

Conclusions

We can observe that the job of a malware researcher is not easy. PandaLabs reports that it had 22,000 new malware samples to analyze per day in 2008, so if you do the math, you can easily see that a researcher has only a few seconds to spend per sample. This is an ongoing battle.
Dynamically analyzing malware is not easy. There’s no single tool available to the public that can tell you all the possible threats that a piece of malware poses.
It’s almost impossible for a malware researcher to do the static analysis blind (meaning without a basic dynamic analysis up front). It’s hard to get right into the code with no idea of what to look for.
An old malware like Virut (dating from 2007) is still a problem for the public sandboxes, and we need better tools available to the public in order to do better malware research.
Buster Sandbox Analyzer gives us overall good results. If we filter the noise and explore the real things that happen, we obtain a good result. Another plus is the fact that we have control, and that it’s offline.
I want to finish this article by asking a question of the AV companies: How do you expect to educate great people regarding malware defense with public sandboxes of such poor quality?
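“Filter the noise and explore the real things that happen” is the step that turns a raw sandbox trace into the short “Things learned” lists above, so here is an added example of that triage, written for this post and not taken from Buster Sandbox Analyzer or any of the other sandboxes. It assumes a generic, constructed `<pid> <api> <argument>` trace format (BSA’s real log format is not shown here), maps API names to the behaviour classes the sandboxes report (file created, mutex created, registry key modified, service opened, network connection, privilege adjusted) and drops the events that every Windows process generates. The sample trace is constructed; only the file name C:\8884425.exe and the R30S mutex come from the CWSandbox result above.

```python
"""Triage helper for dynamic-analysis traces (added example, constructed format).
Reads "<pid> <api> <argument>" lines, classifies them into the behaviour
classes the sandboxes in this post report, and drops the usual process noise."""
from collections import defaultdict

# API name -> behaviour class. The names are common Win32/Nt calls; the list
# is an illustrative assumption, not the complete set any sandbox hooks.
API_CATEGORIES = {
    "NtCreateFile": "file created",
    "CreateFileW": "file created",
    "CreateMutexW": "mutex created",
    "RegOpenKeyExW": "registry key opened",
    "RegSetValueExW": "registry key modified",
    "CreateProcessW": "process created",
    "OpenServiceW": "service opened",
    "connect": "network connection",
    "AdjustTokenPrivileges": "privilege adjusted",
    "LdrLoadDll": "library loaded",
}

SYSTEM_DIR = "c:\\windows\\system32\\"

# Constructed trace. The file name and mutex are the ones CWSandbox reported
# above; the remaining values (TEST-NET address, service name) are made up.
SAMPLE_TRACE = """\
1234 LdrLoadDll C:\\WINDOWS\\system32\\kernel32.dll
1234 LdrLoadDll C:\\WINDOWS\\system32\\ws2_32.dll
1234 RegOpenKeyExW HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
1234 NtCreateFile C:\\8884425.exe
1234 CreateMutexW R30S
1234 RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
1234 AdjustTokenPrivileges SeDebugPrivilege
1234 OpenServiceW ExampleService
1234 connect 192.0.2.10:65520
1234 CreateProcessW C:\\8884425.exe
1234 NtQueryInformationProcess 1234
"""


def is_noise(category, argument):
    """Events almost every process produces and that tell an analyst nothing by themselves."""
    if category == "library loaded" and argument.lower().startswith(SYSTEM_DIR):
        return True          # loading system DLLs is normal for any program
    if category == "registry key opened":
        return True          # read-only opens; modifications are kept
    return False


def triage(trace):
    """Return ({category: sorted unique arguments}, {"noise": n, "unknown_api": m})."""
    findings = defaultdict(set)
    noise = unknown = 0
    for line in trace.splitlines():
        parts = line.split(maxsplit=2)      # pid, api, rest-of-line argument
        if len(parts) < 2:
            continue
        api = parts[1]
        argument = parts[2] if len(parts) == 3 else ""
        category = API_CATEGORIES.get(api)
        if category is None:
            unknown += 1                    # not mapped: count it so nothing is silently lost
            continue
        if is_noise(category, argument):
            noise += 1
            continue
        findings[category].add(argument)
    report = {cat: sorted(args) for cat, args in findings.items()}
    return report, {"noise": noise, "unknown_api": unknown}


def summarize(report):
    """One line per behaviour class, in the style of the 'Things learned' lists above."""
    return [f"- {cat}: {', '.join(args)}" for cat, args in sorted(report.items())]


if __name__ == "__main__":
    report, dropped = triage(SAMPLE_TRACE)
    print("\n".join(summarize(report)))
    print(f"[dropped {dropped['noise']} noise events, {dropped['unknown_api']} unmapped API calls]")
```

The unmapped-API counter is deliberate: the BSA result above missed NtCreateFile and the port connections entirely, and a triage script that silently skips calls it does not know about would reproduce exactly that blind spot. Keeping the count visible tells the analyst how much of the trace the classification actually covered.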

PS: I want to thank Costin Raiu for providing me the Win32.Virut.Ce sample. It helped me a lot!

One final note: feedback is always welcomed, please post your opinions/questions in the comment section.