Tuesday, December 16, 2014

Hack on Sony with Malware takes out the network for 1 week - Destructive Malware

Dropper – prepares and then ends tasks by adding another type of malware to finish for the kill. This is why we often see more than one variant. Malware acts as a team of attackers which serve different functions for an overall agenda/goal.

“The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. “

The complied on date for the malware was 4-5 hours before deployment so Phishing is ruled out and more then likely its done through embedding into images on high traffic websites.

"The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. There are implications for data recovery in this. In the case of theDarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data. Destover data recovery is likely to be the same.
The chain of intermediary components leading to the destructive payload follows multiple stages (which have previously been described elsewhere), with capabilities set to run in several modes, just likeShamoon:
1.     The sample is run on a 32-bit OS for the first time.
2.     The sample is run on a 32-bit OS as a self-installed service, with one of several code paths.
3.     The sample is run on a 64-bit OS as a self-installed service.
On a first run, it creates the 'Backup and Restore Management' Windows brmgmtsvc service, adds its own executable and sets a startup '-i' switch. It also drops several copies of itself and starts each of them with a different switch: -m, -d, and -w.
-m (mbr overwrite):
This attempts to connect with the three IP addresses.  Even if this is unsuccessful, process execution takes place.
It fetches its resource that contains the compressed EldoS RawDisk driver, and writes it out to the temp directory as a 'usbdrv3.sys'.
It then installs the driver as the usbdrv3 service 'USB 3.0 Host Controller'.
After this, it starts the driver service and closes its service handle.
It then creates a filehandle to the driver with write permissions:
and writes to that handle with 64k strings of '0xAAAAAAAA'. ← note that the issue of a  lengthy license key (#99E2428…) is discussed in our 
Shamoon The Wiper - part ii blogpost.
It then creates new threads, each of which attempts to connect to any possible physical drive letter and overwrite them as well.
-d (data overwrite):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It gets the logical drives and traverses recursively through them, identifying all data files. If it is not .exe or .dll, the process overwrites file contents with '0x0df0adba' in a 20k chunk. This overwrite is completed from user mode, without the EldoS drivers.
It then attempts to delete the data file using the win32 api 'DeleteFileW'. As it recurses through all the system's directories, it attempts to delete .exe and .dll files.
-w (web server):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It stops the Windows Terminal Services from the cmd line: 'cmd.exe /c net stop termservice /y'
Then finds resource#85, decompresses and writes contents out to 'c:\windows\iissvr.exe'.
It launches the iissvr.exe process and exits.
iissvr is what it seems to be - a web server that maintains an encoded JPG, HTML and WAV file. It listens on Port 80 and serves these files. The full graphic and scrolling green warning can be found later in the article.

Description: Mystery_2
Lastly, after a two hour sleep, the original service restarts the machine with a call to ExitWindowsEx(EWX_REBOOT|EWX_FORCE, 0).   This forces an exit but delays the shutdown itself while system state file creation occurs."

I have edited this content and made it shorter so we can understand just the important items.

Monday, June 16, 2014

Check out a free Pen testing website

What you will learn?

  • SQL injections
  • Authentication issues
  • Captcha issues
  • Authorization issues
  • Mass Assignment attacks
  • Randomness Issues
  • MongoDB injections


  • A computer with a virtualisation software
  • A basic understanding of HTTP
  • Ability to write small scripts
  • Yes, that's it!

Thursday, September 26, 2013

Getting Up to date with Botnet's

As a Security consultant you will have to interact with botnets (Especially in financial networks). I wanted to give young security folks a good list of ways to stay on top of your botnet game.

1) Use network traffic and signatures sets to detect communication to C&C's from inside your network.

2) Keep in mind C&C's will often switch and you must have a view of the big picture to understand you might have a large scale attack from underground crime syndicates rather then several different attackers. (Know your enemy)

3)Best practice is to re-image the PC and more forward. Spend your time studying the malware in a sandbox, rather then having a reactive security response team.

Wednesday, August 28, 2013

DILL injection and Hooking _ A Malware Defense Guide

Trying to drill down to a botNet source and building a control plan,
when it has entered your network its not easy. You have to isolate,plan, and deploy changes sometimes all in the same day with no errors.
Not only do you have to understand the more you wait the less likely of a proper correction to a malware issue,
 it also will put you behind for future threats. You must PLAN robust solutions
which use your resources.
As a security professional you are the mystro of the cyber police and you will continue to need to decide on production changes to correct this issue and more then one right after the next.

Being able to make quick decisions in a fast moving environment while choosing wisely and effetely is the name of the game. Security is a community of cyber police who report similar situations and you are the detective to choose and use the best technologies and methods to mediate and correct your work place.
The Art of security...

Below is a great read I found from another blogger!

Please read and check out the reference links at bottom.

In this article we will learn about DLL Injection and then using it to perform Inline Hooking in remote process with practical step by step illustrations.
This is the part of our free "Reverse Engineering & Malware Analysis Course".
You can visit our training page here and all the presentations of previous sessions here

In windows each process has its own virtual address space in which it can load and unload any DLL at any time. But that loading and unloading of DLL is initiated by the process itself. Sometimes we may want to load a DLL into a process without the process knowledge.
There are many reasons (legitimate or otherwise) to do it. For example a malware author may want to hide the malicious activity by loading a DLL into a trusted process or may want to bypass security devices while on the other hand a person may want to extend the functionality of the original program. But for both the activities steps are same.
Here we will discuss on various way to Inject our code/DLL into remote process with practical examples. Then we will extend it to hook specific API function in the target process to perform our own tasks.
DLL Injection
If I am not mistaken then approximately 45-50% malwares these days use code injection to carry out the malicious activities. So it is very crucial to understand the concept of DLL injection for amalware analyst.

I will demonstrate the technique using assembly programming language. If your development environment is not ready then i would highly recommend reading my previous article on "Assembly programming basics – A beginner's guide" to get starting with assembly programming language.
There are couple of method by which we can inject DLL into a process. The latest versions of windows enforce session separation so some of the methods may not work on the latest version of windows like windows 7/8.
Couple of Dll Injection Methods:
Window hooks (SetWindowsHookEX)
App_Init registry key
ZwCreateThread or NtCreateThreadEx ? Global method (works well on all versions of windows)
Via APC (Asynchronous procedure calls)
In this article I will use CreateRemoteThread [Reference 1] method because it is the simplest approach and explains the overall logic. CreateRemoteThread will not work from windows vista onwards due to Session Separation/Isolation [Reference 4]. In such case you can use similar but undocumented function, NtCreateThread [Reference 2]
In fact it is not the problem with the CreateRemoteThread, it is the CsrClientCallServer method from Ntdll that returns false. If we can patch CsrClientCallServer to return success then we can inject DLL into a process using CreateRemoteThread itself. You can read more about it here.
Here I will focus on CreateRemoteThread on windows XP.
DLL Injection using CreateRemoteThread
There are primarily two situations
Inject DLL into a running process
Create a process and Inject DLL into it.
#2 is more suitable for this article because in later section I will cover hooking as well. While #1 is just the part of #2.Below is the line from MSDN about the CreateRemoteThread API.
Creates a thread that runs in the virtual address space of another process.
So it means CreateRemoteThread can create a thread into another process or we can say that it can execute
 a function into another process.
Let's look into its syntax.
      HANDLE WINAPI CreateRemoteThread(
  __in   HANDLE hProcess,                                               ?-------- 1
  __in   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in   SIZE_T dwStackSize,
  __in   LPTHREAD_START_ROUTINE lpStartAddress, ?---------2
  __in   LPVOID lpParameter,                                           ?---------3
  __in   DWORD dwCreationFlags,                                  ?---------4
  __out  LPDWORD lpThreadId                                      
Mentioned parameters are critical for our task
  #1 – handle to the process in which the thread is to be created.
  #2 – A pointer to function or entry point of the thread that is going to be executed
  #3 – parameters to the function
  #4 – Creation state of the thread
We all know that kernerl32.dll export LoadLibrary API to load DLL at run time and also kernel32.dll is loaded by default into every process. So we can pass LoadLibrary address to #2 and parameter to LoadLibrary in #3. When we pass arguments in this order then CreateRemoteThread will execute LoadLibrary with its parameter in another process and hence loads the DLL into external process.
The only problem here is that parameter to LoadLibrary must be in target process. For example if we use LoadLibrary (#2) with "mydll.dll"(#3) as parameter to Loadlibrary then the name "mydll.dll" must be in our target process.
Fortunately windows provide API to do that as well. We can write into any process usingWriteProcessMemory and can allocate space into another process using VirtualAllocEx API. But Before that we need handle to our process, we can get that using OpenProcess or CreateProcessAPI.
So our order will be:
Use OpenProcess or CreateProcess API to get the handle of our target process
Use VirtualAllocEx to allocate space into our target process
Use WriteProcessMemory to write our DLL name into our target process
Use CreateRemoteThread to inject our DLL into our target process
Above steps are enough to inject our DLL into a process. Although to inject into a system process we first have to set se_debug privilege to our process (means the process that will inject DLL into another process) but for simplicity I am ignoring that part.
If you remember "two situations" from the beginning of this part then we need a bit of more work for #2 i.e
Create a process and Inject DLL into it.
We first have to create a process and after that we will use above steps to inject our DLL into newly created process.
Let's look into CreateProcess syntax:
BOOL WINAPI CreateProcess(
  __in_opt     LPCTSTR lpApplicationName,
  __inout_opt  LPTSTR lpCommandLine,
  __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
  __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in         BOOL bInheritHandles,
  __in         DWORD dwCreationFlags,               ?-------- 1
  __in_opt     LPVOID lpEnvironment,
  __in_opt     LPCTSTR lpCurrentDirectory,
  __in         LPSTARTUPINFO lpStartupInfo,
  __out        LPPROCESS_INFORMATION lpProcessInformation
Here dwCreationFlags is the important parameter.  If you look into its definition on MSDN then you will see that it is used to control the creation of a process. We can set it to "CREATE_SUSPENDED" to create a process into suspended mode.

With CREATE_SUSPENDED flag CreateProcess will create the process and stop the execution of the main thread at the entry point of the thread. To start the process we can use ResumeThread API.
So our steps will be
Create Process in suspended state
Inject DLL into the process using above steps
Resume the process
Here is the complete program which mimics above steps
;Author: Amit Malik
;No error checking

.model flat, stdcall
option casemap:none


includelib kernel32.lib
includelib msvcrt.lib

greet db "enter file name: ",0
sgreet db "%s",0
dreet db "enter DLL name: ",0
dgreet db "%s",0
apiname db "LoadLibraryA",0
dllname db "kernel32.dll",0

startupinfo STARTUPINFO <>
fname db 20 dup(?)
dname db 20 dup(?)
dllLen dd ?
mAddr dd ?
vpointer dd ?
lpAddr dd ?


invoke crt_printf,addr greet
invoke crt_scanf,addr sgreet,addr fname
invoke crt_printf,addr dreet
invoke crt_scanf,addr dgreet,addr dname
invoke LoadLibrary, addr dllname
ov mAddr,eax
invoke GetProcAddress,mAddr,addr apiname
mov lpAddr,eax

;create process in suspended state
invoke CreateProcess,addr fname,0,0,0,0,CREATE_SUSPENDED,0,0,addr startupinfo,addr processinfo
invoke crt_strlen,addr dname
mov dllLen,eax

; Allocate the space into the newly created process
invoke VirtualAllocEx,processinfo.hProcess,NULL,dllLen,MEM_COMMIT,PAGE_EXECUTE_READWRITE
mov vpointer,eax

; Write DLL name into the allocated space
invoke WriteProcessMemory,processinfo.hProcess,vpointer,addr dname,dllLen,NULL

; Execute the LoadLibrary function using CreateRemoteThread into the previously created process
invoke CreateRemoteThread,processinfo.hProcess,NULL,0,lpAddr,vpointer,0,NULL
invoke Sleep,1000d

; Finally resume the process main thread.
invoke ResumeThread,processinfo.hThread
xor eax,eax
invoke ExitProcess,eax

end start
Select console application in WinAsm and assemble the above code.  It should create a process and inject our DLL into it.
For eg: you can create calc.exe process and can inject urlmon.dll into it, by default calc.exe doesn't load urlmon.dll.

Here is definition of Hooking from Wikipedia
In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a "hook"
Hooking is the most powerful technique available in computer software. A person can do almost everything on a system by applying hooks on the right locations.As stated in the definition that in hooking we intercept function calls or messages or events. Because it is taking the advantage of flow of execution so we can apply hooks on multiple locations from original file to system calls.
Primarily Hooks can be divided into two parts
User mode hooks
IAT (Import Address Table) Hooking
Inline Hooking
Call Patching in binary etc..
Kernel Mode hooks
IDT Hooking
SSDT Hooking etc..
In this article I will discuss Inline hooking technique which is one of the more effective hooking techniques.
Inline Hooking
In Inline hooking we overwrite the first 5 byte of the function or API to redirect the flow of execution to our code. The 5 bytes can be JMP, PUSH RET or CALL instruction.
Visually it can be explained by the following figures
Screenshot 1: Normal Call (Without hooking)

Screenshot 2: Call after hooking

As you can see in the above picture that the MessageBox function starting bytes are overwritten by JMP to MyHandler function. In MyHandler function we do our stuff and then transfer the control back to original function i.e MessageBox.
Now let's create a DLL that will hook MessageBox API and display our custom message instead of the real message.

To make a DLL we need following things:
MessageBoxA API address i.e pointer
Our function or code address i.e pointer
We can get MessageBoxA Api address using GetProcAddress.
Here are the steps:
Get MessageBoxA address
Get custom code or function address
Overwrite bytes at #1 with JMP to #2
Modify the parameter of original call
Transfer control back to #1
Here is the complete code deomonstrating Inline Hooking MessageBox function
;Author: Amit Malik
;No error checking

.model flat,stdcall
option casemap:none


includelib kernel32.lib
includelib msvcrt.lib
includelib user32.lib


tszMsg  db "Hello from Hooking Function",0
userDll  db "user32.dll",0
msgapi  db "MessageBoxA",0

oByte1 dd ?
oByte2 dd ?
userAddr dd ?
msgAddr dd ?
nOldProt dd ?

LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
 .if reason == DLL_PROCESS_ATTACH
 invoke LoadLibrary,addr userDll
 mov userAddr,eax
 ; Get MessageBoxA address from user32.dll
 invoke GetProcAddress,userAddr,addr msgapi
 mov msgAddr, eax

    ; Set permission to write at the MessageBoxA address
 invoke VirtualProtect,msgAddr,20d,PAGE_EXECUTE_READWRITE,OFFSET nOldProt

    ; Store first 8 byte from the MessageBoxA address
 mov eax,msgAddr
 mov ebx, dword ptr DS:[eax]
 mov oByte1,ebx
 mov ebx, dword ptr DS:[eax+4]
 mov oByte2,ebx

  ; Write JMP MyHandler (pointer) at MessageBoxA address
  mov byte ptr DS:[eax],0E9h
  ; move MyHandler address into ecx
  mov ecx,MyHandler
  add eax,5
  sub ecx,eax
  sub eax,4
  mov dword ptr ds:[eax],ecx
    .elseif reason == DLL_PROCESS_DETACH
    .elseif reason == DLL_THREAD_ATTACH
    .elseif reason == DLL_THREAD_DETACH
LibMain endp

MyHandler proc
  xor eax,eax
  mov eax,msgAddr
        ; change the lpText parameter to MessageBoxA with our text
  mov dword ptr ss:[esp+028h],offset tszMsg
        ; Restore the bytes at MessageBoxA address
  mov ebx,oByte1
  mov dword ptr ds:[eax],ebx
  mov ebx,oByte2
  mov dword ptr ds:[eax+4],ebx
        ; Restore all registers
        ;jump to MessageBoxA address (Transfer control back to MessageBoxA)
  jmp msgAddr
MyHandler endp

end LibMain
Select standard DLL under "New Project" tab in WinAsm and paste the above code into the editor area and assemble it.Now we have our DLL that will hook MessageBoxA and change the lpText parameter to our message.
We will inject this DLL into a "Hello world" program that I shown in my previous article "Assembly Programming – A beginner's guide"  with the help of our DLL inject program.
The output is shown in the below picture:

Both DLL injection and Hooking are powerful techniques and popularly used by malicious software as well as legitimate software from the years.
But as the saying goes if you have nuclear power then it is entirely depends on you whether you make a nuclear missile or use that power for solving problems.
Three ways to inject code into another process
Remote Thread Execution in System Process using NtCreateThreadEx for Vista & Windows7
MSR Detour Project - Hook SDK
Impact of Session 0 Isolation on Injection
Dill injection and Hooking