Friday, August 19, 2016

Decoding H-Worm

H-Worm, or Houdini Worm, is a VBScript that uses obfuscation techniques in an attempt to hide its code. I'm not here to reinvent the wheel; there are already good articles on H-Worm, including this FireEye article.

I will however point out that with the right indicators in Snort, network traffic can be used to pin down a host which may be beaconing to a known URI structure for H-Worm, including the POST is-ready indicator.

I had observed one host which had a VBS file in startup named adobe_flash_player.vbs. Since this host had tripped my Snort signature, I decided to look at this as a file of interest. This particular file had a couple of layers of obfuscation.

In this screen capture we see the file appears to be a JPG file (although it doesn't actually display; it really appears to be garbage).







This is an attempt to have an analyst potentially brush it off as a malformed JPG. However, if we scroll down to the end of the file we see something interesting.










When I delete all the garbage above this I end up with the following VBS.









For the purpose of saving space here, I only included a screen capture. To understand the magnitude of the aawaawaaaawaawswaaaaa string: if you take away word wrapping, it is 62 pages of text.

To deobfuscate this, I took note of the Execute (awasw(aawaawaaaawaawswaaaaa)) command and replaced it with some very common, simple code.

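' Write the decoded layer to disk instead of executing it
Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "c:\users\USER\desktop\decoded.txt"
Set objFile = objFSO.CreateTextFile(outFile, True) ' True = overwrite an existing file
' awasw() is the sample's own decoding function; its argument is the long encoded string
objFile.Write awasw(aawaawaaaawaawswaaaaa) & vbCrLf
objFile.Close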

The result of this is.....
































Hopefully this simple method for deobfuscating is found to be useful to others. Happy hunting!
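
The Execute swap described above can be scripted when a sample has several layers. This is an added example, not code from the original post; the helper names, the numbered output path and the SAMPLE text are assumptions, and it only handles the parenthesised Execute(...) form shown in the post.

```python
import re

# Parenthesised Execute / ExecuteGlobal call at the start of a line.
EXECUTE_RE = re.compile(r"(?im)^[ \t]*Execute(?:Global)?[ \t]*\(")

# The same FileSystemObject write used in the post, one output file per layer.
DUMP = ('Set objFSO = CreateObject("Scripting.FileSystemObject")\n'
        'Set objFile = objFSO.CreateTextFile("{path}", True)\n'
        'objFile.Write ({expr}) & vbCrLf\n'
        'objFile.Close\n')

def matching_paren(text, open_idx):
    """Index of the ')' closing text[open_idx], skipping VBS string literals."""
    depth, in_string = 0, False
    for i in range(open_idx, len(text)):
        ch = text[i]
        if ch == '"':
            in_string = not in_string  # a doubled "" toggles twice, state stays right
        elif not in_string and ch == "(":
            depth += 1
        elif not in_string and ch == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses after Execute")

def swap_execute(vbs, out_pattern=r"c:\users\USER\desktop\decoded_{n}.txt"):
    """Replace each Execute(expr) with code that writes expr to a file instead."""
    out, pos, count = [], 0, 0
    for m in EXECUTE_RE.finditer(vbs):
        if m.start() < pos:
            continue  # inside a call that was already replaced
        close_idx = matching_paren(vbs, m.end() - 1)
        expr = vbs[m.end():close_idx].strip()
        count += 1
        out.append(vbs[pos:m.start()])
        out.append(DUMP.format(path=out_pattern.format(n=count), expr=expr))
        pos = close_idx + 1
    out.append(vbs[pos:])
    return "".join(out), count

# Constructed stand-in for the sample's last lines (the real string is 62 pages long).
SAMPLE = ('aawaawaaaawaawswaaaaa = "6f)28(77"\n'
          'Execute (awasw(aawaawaaaawaawswaaaaa))\n')

if __name__ == "__main__":
    rewritten, layers = swap_execute(SAMPLE)
    print(layers, "Execute call(s) replaced")
    print(rewritten)
```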

Saturday, August 13, 2016

Example of obfuscated Malware hidden in JPEG

Last month I analyzed a weaponized Word document that came through e-mail. This is nothing special, I see these every day, but this one gave me something interesting to play with. The file https://www.virustotal.com/en/file/387ea7a4f82d7ba686ca8018684fd2fd803a9c05a4a47130845431d383d81b36/analysis/ launches the following VBS script: https://www.virustotal.com/en/file/fdf6b117b55302ecb7da95b68e9ca5e6882c12cbf41829dfb56688bb94595ea3/analysis/

The script performs HTTP traffic: GET http://ecovalduloir[.]com/fw[.]jpg (no longer available). When it was available, the file had an MD5 of bdd3cf6f227a368a5412f11a10831136; see https://www.virustotal.com/en/file/ce0e737d3eddbbb102867063f0b163d12358075691407542f9aecafa064538dc/analysis/

At first glance the JPEG looks OK. Here is a screen capture of what the file image looks like.


When we look at this file through a hex editor it becomes more interesting. Here is the beginning, looks OK.



Here is a snippet a little further on.








At first glance this looks like it's XOR'd with key 73. To be sure, I go ahead and run XORSearch, a great tool by Didier Stevens (https://blog.didierstevens.com/programs/xorsearch/), which lets you search for decoded strings. In my case I took a guess and ran the following command.

./XORSearch -s fw.jpg "DOS mode"

This tells XORSearch to cycle through different XOR keys to see if it finds the string "DOS mode" inside the file fw.jpg. The output I receive is:

Found XOR 73 position 1451: DOS mode....$

This tells me that 73 is the key that finds the string "DOS mode". Interesting. XORSearch creates a decoded version of that file as fw.jpg.XOR.73. Let's look at the hex editor again.




This looks like garbage, right? Yeah, that's because the JPEG wasn't encoded to begin with; the appended file was encoded. We need to go to the end of the JPG and to the beginning of the executable, shown below:









Notice our text from XORSearch, "DOS mode", is found here; this is an easy way to find the place in the hex editor where the decoded file is. To isolate this file we need to remove everything before the executable header, which starts with MZ, so I simply deleted everything prior, made MZ the start of my file, and kept everything after it. I simply named this file test.exe for now. The result is a file with the hash of 5ba714dfafde422bdd5566893ee704a2.
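
The manual XORSearch and hex-editor steps above, carried out in one pass, as an added example that is not part of the original post: it brute-forces the single-byte XOR key for "DOS mode", walks back to the MZ header, and confirms it by following e_lfanew to the PE signature before carving. The function names and the embedded sample are constructed for illustration, and the sample assumes the 73 reported by XORSearch is hexadecimal (0x73).

```python
import hashlib
import struct

def find_xor_key(data, needle=b"DOS mode"):
    """Try every single-byte XOR key; return (key, offset) of the first hit, else None."""
    for key in range(256):
        pos = data.find(bytes(b ^ key for b in needle))
        if pos != -1:
            return key, pos
    return None

def carve_pe(data, key, hit):
    """XOR-decode the whole file, walk back from the hit to a validated MZ header, carve."""
    decoded = bytes(b ^ key for b in data)  # also scrambles the un-encoded JPEG part
    mz = decoded.rfind(b"MZ", 0, hit)
    while mz != -1:
        if mz + 0x40 <= len(decoded):
            e_lfanew = struct.unpack_from("<I", decoded, mz + 0x3C)[0]
            if decoded[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0":
                return decoded[mz:]
        mz = decoded.rfind(b"MZ", 0, mz)  # false positive, keep walking back
    return None

def build_sample(key=0x73):
    """Constructed test input: a fake JPEG followed by an XOR-encoded minimal PE header."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)  # e_lfanew points just past the DOS stub
    msg = b"This program cannot be run in DOS mode.\r\r\n$"
    stub[0x4E:0x4E + len(msg)] = msg
    pe = bytes(stub) + b"PE\0\0" + b"\x4c\x01" + bytes(18)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) + b"\xff\xd9"
    return jpeg + bytes(b ^ key for b in pe), pe

if __name__ == "__main__":
    blob, _ = build_sample()
    key, hit = find_xor_key(blob)
    carved = carve_pe(blob, key, hit)
    print(f"XOR key 0x{key:02X}, hit at {hit}, carved {len(carved)} bytes")
    print("MD5:", hashlib.md5(carved).hexdigest())
```

On a real sample, read the file with open(path, "rb").read() in place of build_sample() and compare the printed MD5 against the hash of the manually carved file.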


Sunday, April 17, 2016

Chase Alert E-Mail Phishing Scam

A couple of e-mails came into one of my inboxes today that I wanted to quickly share. These e-mails contained subject lines like "Chase Alert! [2568828843]" and an e-mail body that read as follows:

This e-mail has been sent to EMAILADDRESS@hotmail.com by JPMorgan Chase & Co. Online Banking Chase ALERT: Due to an unusual number of failed login attempts, your online banking access has been temporarily suspended. To restore your account access please click: Log On to Chase Online and proceed with the verification process. IMPORTANT NOTE: If we do not receive the appropriate account verification within 24 hours, you will need to visit a Chase branch to restore your account access. Sincerely, Chase Online(SM) © Copyright JPMorgan Chase & Co. 2016

The links in these e-mails have a URI structure similar to these:
hxxp://snacktast.info/99212afb7404efc9f6acd3f17238db46/index.php
hxxp://snacktast.info/b9cc2a03f094783974f35b51bf7464e4/index.php

A quick look at VirusTotal shows indicators that this site is a phishing site. https://www.virustotal.com/en/url/462fc3b660a9a5d0d0de48a76b641d4567aea5e4e8f53019b871cd49d3cbf6d2/analysis/1460917680/

Curious to see what the phish looks like, I fired up my VM and clicked around a little.


Here are some screenshots.


Unlike other similar scams I've seen in the past, this one does not redirect you to the real bank website. Instead, it simply prompts you to enter your password while, in the background, the user/password information is posted to the attacker's server.