H-Worm, or Houdini Worm, is a VBScript that uses obfuscation techniques in an attempt to hide its code. I'm not here to reinvent the wheel; there are already good articles on H-Worm, including This Fireeye article.
I will, however, point out that with the right indicators in Snort, network traffic can be used to pin down a host that may be beaconing to the known H-Worm URI structure, including the POST is-ready indicator.
I had observed one host with a VBS file in its startup folder named adobe_flash_player.vbs. Since this host had tripped my Snort signature, I decided to treat this as a file of interest. This particular file had a couple of layers of obfuscation.
In this screen capture the file appears to be a JPG file (although it doesn't actually display; the content really is just garbage).
This is an attempt to get an analyst to brush it off as a malformed JPG. However, if we scroll down to the end of the file we see something interesting.
When I delete all the garbage above this, I end up with the following VBS.
To save space here, I only included a screen capture. To understand the magnitude of the aawaawaaaawaawswaaaaa string: with word wrapping turned off, it runs to 62 pages of text.
To deobfuscate this I took note of the Execute (awasw(aawaawaaaawaawswaaaaa)) command and replaced it with some very common, simple code that writes the decoded string to a file instead of running it. The decoder function and the encoded string are left in place, so the attacker's decoder still executes when the edited script is run; do this on an isolated analysis VM.
' Leave the decoder function awasw and the encoded string as they are; only the
' Execute line is swapped for this block, which writes the decoded text to disk.
Set objFSO=CreateObject("Scripting.FileSystemObject")
outFile="c:\users\USER\desktop\decoded.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
' Same expression Execute was given, written out instead of run
objFile.Write (awasw(aawaawaaawaawswaaaaa)) & vbCrLf
objFile.Close
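The same two steps (carve the script out from under the junk, then swap the Execute call for a write-to-file) as a small Python helper. This is an added example, not the post's own code: the names awasw and aawaawaaaawaawswaaaaa are taken from the post, but the sample dropper bytes, the StrReverse stand-in decoder and its one-line payload are constructed for the example, and the regexes are a heuristic for where a script starts. The rewritten .vbs still has to be run with cscript.exe on an isolated analysis VM, since the attacker's decoder function executes to produce the dump.

```python
"""Carve the VBScript tail out of a fake-JPG dropper and swap its Execute call
for a write-to-file, so running the result dumps the decoded stage instead of
executing it.  Added example, not the post's own code."""
import re
import tempfile
from pathlib import Path

# Constructed sample standing in for adobe_flash_player.vbs: JPEG magic and
# junk bytes first, the real script at the very end of the file.  awasw and
# aawaawaaaawaawswaaaaa are the names from the post; the decoder body and the
# payload are invented (StrReverse of: MsgBox "decoded stage").
SAMPLE_DROPPER = (
    b"\xff\xd8\xff\xe0JFIF" + bytes(range(256)) * 8 + b"\r\n"
    b'aawaawaaaawaawswaaaaa = """egats dedoced"" xoBgsM"\r\n'
    b"Function awasw(s)\r\n"
    b"    awasw = StrReverse(s)\r\n"
    b"End Function\r\n"
    b"Execute (awasw(aawaawaaaawaawswaaaaa))\r\n"
)

# Heuristic for the first line that looks like VBScript rather than junk:
# an assignment of a quoted string, or a common VBScript statement keyword.
SCRIPT_START = re.compile(
    r'^(?:[A-Za-z_]\w*[ \t]*=[ \t]*"|(?:Dim|Set|Function|Sub|Option|On Error)\b)',
    re.MULTILINE,
)
# Execute / ExecuteGlobal and its argument, with or without parentheses.
EXECUTE_CALL = re.compile(
    r"^[ \t]*Execute(?:Global)?\b[ \t]*(?P<expr>.+?)[ \t]*$", re.MULTILINE
)

# Same idea as the post's replacement block: write the expression that
# Execute would have run.
DUMP_TEMPLATE = (
    'Set objFSO = CreateObject("Scripting.FileSystemObject")\n'
    'Set objFile = objFSO.CreateTextFile("{out}", True)\n'
    "objFile.Write {expr} & vbCrLf\n"
    "objFile.Close"
)


def carve_script(data: bytes) -> str:
    """Return everything from the first VBScript-looking line to end of file.
    latin-1 maps every byte to one character, so the junk prefix cannot raise
    a decode error; line endings are normalised to \\n for the regexes."""
    text = data.decode("latin-1").replace("\r\n", "\n")
    m = SCRIPT_START.search(text)
    if m is None:
        raise ValueError("no VBScript-looking line found in file")
    return text[m.start():]


def neuter_execute(script: str, dump_path: str) -> str:
    """Replace each Execute line with code that writes the same expression to
    dump_path.  The decoder and the encoded blob are left untouched, so the
    script still decodes exactly as before when run under cscript.exe."""
    def repl(m):
        return DUMP_TEMPLATE.format(out=dump_path, expr=m.group("expr"))

    new_script, count = EXECUTE_CALL.subn(repl, script)
    if count == 0:
        raise ValueError("no Execute call found; this layer may use another trick")
    return new_script


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        dropper = Path(work) / "adobe_flash_player.vbs"
        dropper.write_bytes(SAMPLE_DROPPER)
        script = carve_script(dropper.read_bytes())
        neutered = neuter_execute(script, r"c:\users\USER\desktop\decoded.txt")
        (Path(work) / "adobe_flash_player_dump.vbs").write_text(neutered)
        print(neutered)
```

If the dump itself turns out to be another Execute-wrapped layer, run the same helper on decoded.txt and repeat until plain script comes out.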
The result of this is the decoded VBS.
Hopefully this simple method for deobfuscating is found to be useful to others. Happy hunting!