WordPress to add free encryption for custom domains
IT World Canada
Infosec teams have to ensure their WordPress sites — and plugins — have been updated and patched. And as this January blog from Trend Micro notes, Let's Encrypt can be abused by attackers who set up a malicious Web site of their own that uses ...


Reporter Magazine

Phishing for Info
Reporter Magazine
Recently, RIT was attacked by an unknown hacker who was attempting to illegally retrieve information from RIT's email network. RIT's Information Security Office (ISO) noticed the breach in mid to late March, and attempted to halt the scheme. In the ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I often have to analyze malware samples on Windows machines. That is not always by choice. Sometimes I have no other option.

But this can cause problems. First of all: most malware targets Windows. If I make a mistake handling samples on a Windows machine, I infect the machine by accident. Not good, even in a VM.

Second: many Windows machines have anti-virus, and it can interfere with the analysis.

Here are some of the precautions I take with malware samples (not only on Windows, also on Linux and OSX):

I set the extension of the sample to .vir. So sample.exe becomes sample.exe.vir (I don't replace the original extension, I just append a new one). Since .vir is not associated with any application on Windows, I cannot launch it: if I double-click it or press return by mistake, the sample will not execute. If I type the name by mistake on the command line (because of tab-completion), it will not execute either.

If I have control over the AV settings on the Windows machine, I will add an exclusion rule for the extension .vir. This will prevent the AV from scanning the sample.

I contain the sample in a password-protected ZIP file. I use the old ZIP format (not ZIPX). The password I use is infected (BTW, if you know where this tradition comes from, post a comment), and I use ZipCrypto encryption (not the newer AES). Putting the sample in a password-protected ZIP file helps me prevent interference from the anti-virus, especially when I have no control over the anti-virus settings.

Each sample gets its own ZIP file. I don't put 2 samples in the same ZIP file.

The reason I use the old ZIP format and the old ZipCrypto encryption is that this format (and encryption method) is supported natively by Python. Many of my (malware) analysis tools written in Python support the analysis of samples stored in password-protected ZIP files, like a tool I have mentioned here several times: oledump.py. To start analyzing a malicious document file, you can type oledump.py trojan.doc. But you can also store the sample trojan.doc in a password-protected ZIP file and analyze it with oledump directly: oledump.py trojan.doc.zip. This saves you the hassle of extracting the sample first.

My tools also support piping: taking the output of one tool and feeding it as input to the next tool. This saves you from having to write malware to disk. Like I showed in my previous diary entry, extracting a VBE script from a document and decoding it: oledump.py -s 15 -d trojan.doc.zip | vbe-decode.py.

Of course, most tools (excluding mine) do not support password-protected ZIP files as input. That's one of the reasons I developed yet another tool :-) : zipdump.py. Take for example the strings command. If I want to look at the strings found in a sample contained in a password-protected ZIP file, I use zipdump to dump the content of the sample and pipe it into strings, like this: zipdump.py -s 1 -d sample.exe.zip | strings.
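As an added illustration of the ZIP handling described above (example code, not from the diary or from Didier's tools): Python's zipfile module can read ZipCrypto-protected archives natively but cannot write them, so this packs one STORED member by hand with the traditional password and then reads it back in memory, the way zipdump.py -s 1 -d does. The member name and the sample bytes are constructed for the example.

```python
import io
import os
import struct
import zipfile
import zlib

PASSWORD = b"infected"  # the traditional password from the diary


def _crc_step(key, byte):
    # One ZipCrypto CRC-32 table step, recovered from zlib by undoing its pre/post inversion.
    return zlib.crc32(bytes([byte]), key ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto_encrypt(data, pwd, crc):
    # Traditional PKWARE stream cipher: three keys seeded from the password, then a
    # 12-byte header whose last byte is the CRC's high byte (the check zipfile performs).
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        keys[0] = _crc_step(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)
    def keystream_byte():
        t = (keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF
    for c in pwd:
        update(c)
    out = bytearray()
    for c in os.urandom(11) + bytes([crc >> 24]) + data:
        out.append(c ^ keystream_byte())
        update(c)  # keys advance on the plaintext byte, exactly as the decrypter will
    return bytes(out)


def make_sample_zip(name, data, pwd=PASSWORD):
    # Minimal old-format ZIP with one STORED, ZipCrypto member: local header, central
    # directory and end-of-central-directory records packed by hand (zipfile cannot write this).
    crc, fname = zlib.crc32(data), name.encode()
    body = zipcrypto_encrypt(data, pwd, crc)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21, crc,
                        len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def read_sample(blob, pwd=PASSWORD):
    # The "zipdump.py -s 1 -d" idea: a ZIP yields its first member decrypted in memory,
    # anything else is treated as the sample itself, so the raw sample never touches disk.
    if not blob.startswith(b"PK\x03\x04"):
        return blob
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(zf.namelist()[0], pwd=pwd)
```

A wrong password is rejected by zipfile's check byte (or, failing that, by the CRC), so an unprotected copy of the sample is never produced by accident.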

This also works with some GUI applications, not only command-line tools. For example, I can copy the hexdump of a trojan to the clipboard and then paste it into my favorite hex editor: zipdump.py -s 1 -x sample.exe.zip | clip. Then I use paste-from-hex in my hex editor, and I can look at the EXE without having to extract it to disk.

You can find my tools here.

Please post comments with your tips on how to handle malware samples on Windows machines.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.


Ceylon Daily News

SL to increase internet penetration up to 50%
Ceylon Daily News
A 10% increase in internet penetration has the potential to drive a 1.2 increase in GDP, Telecommunications and Digital Infrastructure Minister Harin Fernando said. He expressed these views while speaking at Asia's foremost information security conference 'Ground ...


Here is Why The FBI Director Puts Tape Over His Laptop's Webcam
Techworm
“I saw something in the news, so I copied it. I put a .... Techworm is a Security News Platform that centers around Infosec, Hacking, Zero-days, Malware, Vulnerabilities, Cyber Crime, DDoS, Surveillance and Privacy Issues and to keep you Informed and ...


Explorations in Data Destruction 7: Diamond Charge and Blast Suppression
SYS-CON Media (press release)
David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security ...
