Friday, August 19, 2016

Decoding H-Worm

H-Worm or Houdini Worm is a VB Script which uses obfuscation techniques in an attempt to hide  code. I'm not here to reinvent the wheel, there's already good articles on H-Worm, including This Fireeye article.

I will however point out that with the right indicators in Snort, network traffic can be used to pin down a host which may be beaconing to a known URI structure for H-Worm, including the POST is-ready indicator.

I had observed one host which had a VBS file in startup named adobe_flash_player.vbs. Since this host had tripped my snort signature, I decided to look at this as a file of interest. This particular file had a couple layers of obfuscation.

In this screen capture we see the file appears to be a JPG file (although, it doesn't actually display, it really appears to be garbage)







This is an attempt to have an analyst potentially brush it off as a malformed JPG. However, if we scroll down to the end of the file we see something interesting.










When I delete all the garbage above this I end up with the following VBS.









For the purpose of saving space here, I only included a screen capture. To understand the magnanimity of of the aawaawaaaawaawswaaaaa string, if taking away wordwarpping it is 62 pages of text.

To deobfuscate this I took note of the Execute (awasw(aawaawaaaawaawswaaaaa) command and replaced it with some very common simple code.

Set objFSO=CreateObject("Scripting.FileSystemObject")
outFile="c:\users\USER\desktop\decoded.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write (awasw(aawaawaaawaawswaaaaa)) & vbCrLf
objFile.Close

The result of this is.....
































Hopefully this simple method for deobfuscating is found to be useful to others. Happy hunting!

Saturday, August 13, 2016

Example of obfuscated Malware hidden in JPEG

Last month I analyzed a weaponized word document that came through e-mail. This is nothing special, I see these everyday, but this one gave me something interesting to play with. The file https://www.virustotal.com/en/file/387ea7a4f82d7ba686ca8018684fd2fd803a9c05a4a47130845431d383d81b36/analysis/ launches the following VBS Script https://www.virustotal.com/en/file/fdf6b117b55302ecb7da95b68e9ca5e6882c12cbf41829dfb56688bb94595ea3/analysis/

The script performs HTTP traffic: GET http://ecovalduloir[.]com/fw[.]jpg (No longer available). When it was available, the file has an MD5 of bdd3cf6f227a368a5412f11a10831136,  see https://www.virustotal.com/en/file/ce0e737d3eddbbb102867063f0b163d12358075691407542f9aecafa064538dc/analysis/

At first glance the JPEG look OK, here is a screen capture of what the file image looks like.


When we look at this file through a hex editor it becomes more interesting. Here is the beginning, looks OK.



Here is a snippet a little further on.








At first glance this looks like it's XOR'd with key 73. To be sure, I go ahead and run XORSEARCH, a great tool by Didier Stevens, https://blog.didierstevens.com/programs/xorsearch/ where you can run a search for decoded strings, in my case I took a guess and ran the following command.

./XORSearch -s fw.jpg "DOS mode"

This is telling the script to cycle through different XOR keys to see if it finds the string "DOS mode" inside the file fw.jpg. The output I receive is:

Found XOR 73 position 1451: DOS mode....$

Telling me that 73 is the key that find a string "DOS mode", interesting.  XORSEARCH creates a decoded version of that file as fw.jpg.XOR.73. Lets look at the Hex editor again.




This looks like garbage right? Yeah, that's because the JPEG wasn't encoded to begin with, the appended file was encoded. We need go to the end of the JPG and to the beginning of the executable. Shown below:









Notice our text from the XORSEARCH is found here "DOS mode", this is an easy way to find the place in the hex editor where the decoded file is.  To isolate this file we need to remove everything before the executable header, which starts with MZ, so, I simply deleted everything prior and made MZ the start of my file and kept everything after it. I simply named this file test.exe for now.The result, a file with the hash of 5ba714dfafde422bdd5566893ee704a2