Friday, July 18, 2014

#11 Dyre banker aka CdIL aka Win32/Win64 Battdil - Inside the Webpanel

What I have learned over the years as a hobby malware analyst is that whenever you think you are the first to discover a new malware family, you can be sure at least a dozen people are already working on the threat. And I am not even speaking of what you later get to see in public...

The recently discovered banker named Dyre is no exception. While cleaning up my malware collection yesterday, I stumbled upon a malware threat which Anton Cherepanov and I briefly analyzed 3 months ago. After a quick search on the Internet, I realized that this sample, first discovered by ESET and named Win32/Battdil.A and Win64/Battdil.A respectively, is the recently published threat named Dyre or Dyreza banker. You can read about this malware here:

http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/
https://www.csis.dk/en/csis/news/4262/
https://www.csis.dk/en/csis/blog/4318/
http://stopmalvertising.com/malware-reports/introduction-to-dyreza-the-banker-that-bypasses-ssl.html
http://stopmalvertising.com/malware-reports/analysis-of-dyreza-changes-network-traffic.html

Monday, June 23, 2014

#10 Malware spread over Facebook - TrojanDownloader:Java/Carastavona.E

Earlier today, I stumbled upon a blogpost by Bitdefender which describes a malware sample that spreads across Facebook users:

http://www.hotforsecurity.com/blog/its-not-funny-facebook-users-tricked-into-bitcoin-mining-9263.html

I thought I would give it a shot, since I realized in my last article that reversing Java malware is quite fun, probably because it is easier and not as exhausting as looking over hundreds or thousands of lines of disassembled code. Unfortunately, the article doesn't give any hashes, just the file name of the malware sample, IMAG00953.zip.

Friday, June 20, 2014

#9 Blitzanalysis: Embassy of Greece Beijing - Compromise

It's Friday afternoon, I had a bit of free time, stumbled across this tweet by PhysicalDrive0 (thanks!) two hours ago and decided to give it a try, so that I finally add a new article to this blog (the first of 2014):

https://twitter.com/PhysicalDrive0/status/479921770838102017

So, I went to Google, searched for the domain of the Embassy of Greece Beijing and added the name of the (allegedly) malicious Java package file that was found by PhysicalDrive0:

Monday, September 9, 2013

#8 Back to the future - Analysis of an old Downloader

This article is an analysis of a downloader first discovered in the wild (ITW) in 2006. It is widely detected by anti-virus vendors, and several reports are available:

http://www.threatexpert.com/report.aspx?md5=a595b08e16a0605e34c9bc310af89c2c
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=285381
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Bckdr-QIB/detailed-analysis.aspx

It uses a couple of interesting techniques, although some of them turned out to be implemented in a sloppy way:

- Some sort of code obfuscation
- Encrypted sensitive strings
- A kernel-mode driver to hide its process

VirusTotal statistics indicate this downloader is still in use, although the server contacted by the sample I analyzed isn't available anymore (for more samples see the Appendix).

Sample (UPX packed)
Target machine: x86
Size: 13,824 bytes
Compilation timestamp: 2006-11-25 19:29:09
SHA1: f18803def56bf6bfb067459ee6a9589d9f135c29
Virustotal: https://www.virustotal.com/de/file/2f771a5e0c9cda7bf8a6a771ba62585babb2df4eaa8be82accd9a3ca81d883a8/analysis/
Download (pw: infected): https://www.dropbox.com/s/8831saoza7nc1f7/downloader_f18803def56bf6bfb067459ee6a9589d9f135c29.zip
Appendix samples (pw: infected): https://www.dropbox.com/s/u4fei8nszhbwnn0/Appendix_samples.zip
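The fields in the sample boxes on this page (size, target machine, compilation timestamp, hashes, and whether the file is UPX packed) can all be pulled from a sample in one pass. The script below is an added example and not code from the original post: it parses the PE file header directly with struct (no pefile dependency), derives the VirusTotal report URL the way the links on this page do (by SHA-256, which is why the SHA-1 printed next to them never appears in the URL), and flags UPX by its characteristic section names or the "UPX!" marker. The build_minimal_pe helper is a constructed, header-only test input, not a real sample.

```python
import hashlib
import json
import struct
import sys
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64"}


def triage_pe(data: bytes) -> dict:
    """Return the fields the sample boxes on this page list: size, hashes,
    target machine, compile timestamp, section names and a UPX heuristic."""
    info = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    # VirusTotal keys its reports by SHA-256 (same URL form as the links above)
    info["virustotal"] = "https://www.virustotal.com/en/file/%s/analysis/" % info["sha256"]

    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")

    # IMAGE_FILE_HEADER (20 bytes) directly follows the "PE\0\0" signature
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["machine"] = MACHINES.get(machine, "0x%x" % machine)
    info["timestamp"] = datetime.fromtimestamp(
        timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

    # Section table starts right after the optional header; 40 bytes per entry
    sec_off = e_lfanew + 4 + 20 + opt_size
    names = []
    for i in range(nsections):
        start = sec_off + 40 * i
        if start + 40 > len(data):
            break  # truncated section table: keep what we could read
        names.append(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    info["sections"] = names
    # Stock UPX renames sections to UPX0/UPX1 and leaves a "UPX!" marker behind
    info["upx_packed"] = any(n.upper().startswith("UPX") for n in names) or b"UPX!" in data
    return info


def build_minimal_pe(timestamp, machine=0x14C, sections=("UPX0", "UPX1", ".rsrc")):
    """Constructed test input: a header-only PE with no optional header and
    no section data. It is not a real sample and does not run."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", machine, len(sections), timestamp,
                              0, 0, 0, 0x0102)  # SizeOfOptionalHeader = 0
    section_table = b"".join(
        n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos_header + b"PE\0\0" + file_header + section_table


if __name__ == "__main__":
    # usage: python triage.py <sample.exe>
    with open(sys.argv[1], "rb") as fh:
        print(json.dumps(triage_pe(fh.read()), indent=2))
```

Run it against the UPX-packed sample and compare the printed SHA-1 and timestamp with the box above; the "UPX!" fallback also catches packed files whose section names were renamed after packing, which the section-name check alone would miss.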

Sunday, August 11, 2013

#7 Brief description of a signed Adware/PUP Downloader

To publish articles more frequently and thus make this blog a bit more interesting, I decided to drop my intention to only write "in-depth" analyses of "special" malware. From today on, I will also release information about my "every day" discoveries, which in the past always ended up in the trash (and there were a lot of them :-)). Of course, these "every day" blogposts cannot be as technical and detailed as a complete malware analysis, but I hope they are interesting anyway.

To start with, this blogpost is something like a warm-up for my upcoming article about a cross-platform (x86/x64) "Adware" family with some interesting techniques.

So let's go...

The downloader comes in two different sizes (376.9 KB, 381.5 KB) and in a lot of instances (see the list of hashes at the end). Two samples of each size can be downloaded here:

Sample - 376.9 KB
VT Report: https://www.virustotal.com/en/file/12f5186551b9df98b7f994b69cebddc379141703204e313fe92497923bd1cca4/analysis/
Download (PW: infected): https://www.dropbox.com/s/djnja6c7fs5g9nu/Signed_AdwarePUP_Downloader_376-9.zip

Sample - 381.5 KB
VT Report: https://www.virustotal.com/en/file/0979c745740bf09e1ad53fd5e15b0753a6be6493cadbad9b94781e013b440155/analysis/
Download (PW: infected): https://www.dropbox.com/s/caul2lpb7y4apa2/Signed_AdwarePUP_Downloader_381-5.zip

Wednesday, June 19, 2013

#6 South Korea Incident - Analysis of a tiny Downloader

In this short blogpost I am going to dissect a downloader which is part of the ongoing "1Mission" campaign against targets in South Korea (thanks to Chae Jong Bin for pointing me to it). The downloader comes in the form of a DLL and has a size of only 4 KB. What remains unknown is how the DLL gets executed (through an exploit, a loader, ...). Apart from its small size there isn't anything special about this malware. Unfortunately the file it was supposed to download isn't available anymore, so there is no chance to dig deeper...

DLL sample
Size: 4,096 bytes
Timestamp: 2013-05-30 03:54:37
MD5: 17e3e09c27d26c81c9f33882279d6319
SHA1: c467f59cddba2d029044f6f2b22b6b2123b341b6
Report: https://www.virustotal.com/en/file/5b011ebdf1a5a0fd93a933cb40b59fcb8c35667529e28cf0c9d63f92985c4d5d/analysis/
Download: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2690&p=19700#p19700

Wednesday, April 24, 2013

#5 South Korea Incident - New Malware samples

A few weeks ago, I started to reverse engineer a malicious x64 .dll (see the Parts section below, No. 2) in order to learn x64 (dis)assembly. During the analysis it became apparent that the .dll was part of a bigger malware package. After searching the Internet for a while, I found some droppers which contained files similar to the one I was analyzing. Luckily, some of the files in these droppers contained .pdb debug strings. At the same time there were the "South Korean Cyber Attacks" on banks and broadcasting organizations (see: http://www.symantec.com/connect/blogs/south-korean-banks-and-broadcasting-organizations-suffer-major-damage-cyber-attack and http://www.symantec.com/connect/blogs/are-2011-and-2013-south-korean-cyber-attacks-related). As it turned out, the droppers I found are from the same attackers as described in the Symantec article. So I did another search on the Internet to find more malware samples, which I will now present in this article. It would take me a long time to analyze all these samples, so I am releasing them now so that other people can also take a look at them.

To make it clear, this blogpost is just an overview of the various malware samples and not an analysis! Therefore all credit goes to the people who provided me with the samples: Chae Jong Bin (MD5 hashes), Artem Baranov (samples), Xylitol (samples).