Hackin9

InfoSec News

Softbank will acquire a 70% stake in Sprint Nextel, with the boards of both companies agreeing to the deal, which will be announced Monday, according to CNBC.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Update: In an attempt to get the link for the first script, I mistakenly put the link for another script. Fixed now. Thanks Michael for the oops :)
Ok ok the System on the title may be a bit too much for what this diary will show, but it will give you a nice idea on how to start to build your own analysis system using open source and free tools.
For the first part of this Diary we will focus on PE files, using three different tools for Static Analysis:
1) Malware.py -http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py
1) Pescanner.py -http://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py
2) Adobe Malware Classifier -http://blogs.adobe.com/asset/tag/malware-classification
3) sigcheck.exe (via Wine) -http://technet.microsoft.com/en-us/sysinternals/bb897441
The first tool is from the great book Malware Cookbook, and the authors made all the code available via Google Code. It is a collection of python scripts used during the several chapters. The one I will show here is called PescannerMalware.py.
This PescannerMalware.py script will give you several pieces of information that will help you on your static analysis.
The following example is the output of a known malware:


Meta-data
============================================================
File: wire-report.pdf.exe
Size: 190464 bytes
MD5: 0a0b73f2652f242e255ac9c1a7724dda
SHA1: 5ad43440eaf1c30b9e320a0ea06754ad67e9d66f
Date: 0x29EB59F0 [Tue Apr 14 22:17:20 1992 UTC] [SUSPICIOUS]
EP: 0x402a00 (.text)

Resource entries
============================================================
Name RVA Size Type
------------------------------------------------------------
RT_VERSION 0x3b058 0x3ec

Suspicious IAT alerts
============================================================
CreateProcessW
CreateProcessA

Sections
============================================================
Name VirtAddr VirtSize RawSize Entropy
------------------------------------------------------------
.text 0x1000 0x7000 0x7000 2.397724
.rdata 0x8000 0x2e000 0x23800 7.231950 [SUSPICIOUS]
.data 0x36000 0x3000 0x2600 2.536738
.ndata 0x39000 0x1000 0x800 3.405680
.ndata 0x3a000 0x1000 0x800 3.405680
.rsrc 0x3b000 0x444 0x600 3.980035

Version info
============================================================
LegalCopyright: Copyright (C) 2000-2010 TightVNC Group
InternalName: vncviewer
FileVersion: 1.5.2.0
CompanyName: TightVNC Group
PrivateBuild:
LegalTrademarks:
Comments: Based on VNC by ATT Research Labs Cambridge, RealVNC Ltd.
ProductName: TightVNC Win32 Viewer
SpecialBuild:
ProductVersion: 1.5.2.0
FileDescription: vncviewer
OriginalFilename: vncviewer.exe
Translation: 0x0409 0x04b0
---

This report shows a weird creation date, of 1992. Second, it shows a high entropy on the second PE section of this file, suggesting that it may be packed. Third, while the file name is Wire-report.pdf.exe, the version section shows information as it is a VNC application...
This script also allows you to integrate with YARA if you want, making it even more powerful.
Also, if you want to check the Packer, you may want to consider the Python script that the fellow Handler Jim Clausing created a few years ago:http://handlers.sans.org/jclausing/packerid.py
--
The second tool was created by a former co-worker, now working at Adobe. He created another python script that checks different characteristics of the PE file, and returns one of the three different results:
1,0,Unknown.

According the Adobe page, the Malware Classifier uses machine learning algorithms to classify Win32 binaries EXEs and DLLs into three classes: 0 for clean, 1 for malicious, or UNKNOWN.

Example:
pedros-MacBook-Pro:samples ppbuen0$ python AdobeMalwareClassifier.py -f wire-report.pdf.exe
1
Which means Malicious.
---
The third tool is a tool from Sysinternals. It is called Sigcheck. This tool helps you to identify file signed or not and help you on your assessment.
If you want to run it on Linux together with the other Python tools, you may want to consider Wine :) .
The output below is from our same exe from previous examples:

Verified: Unsigned
File date: 10:59 AM 8/9/2011
Publisher: TightVNC Group
Description: vncviewer
Product: TightVNC Win32 Viewer
Version: 1.5.2.0
File version: 1.5.2.0
Strong Name: Unsigned
Original Name: vncviewer.exe
Internal Name: vncviewer
Copyright: Copyright (C) 2000-2010 TightVNC Group
Comments: Based on VNC by ATT Research Labs Cambridge, RealVNC Ltd.
Just to compare, these are two outputs from other files:

1) Malware:
Verified: Unsigned
File date: 5:41 AM 9/28/2012
Publisher: Microsoft Corporation
Description: Microsoft (R) Internet Common
Product: Microsoft(R) Windows(R) Operating System
Version: 6, 0, 2900, 3138
File version: 6, 0, 2900, 3138
2) Windows ARP:
Verified: Signed
Signing date: 10:07 PM 4/13/2008
Publisher: Microsoft Corporation
Description: TCP/IP Arp Command
Product: Microsoft Windows Operating System
Version: 5.1.2600.0
File version: 5.1.2600.0 (xpclient.010817-1148)

--
Hopefully this will help you to start your own analysis system. The next part of this diary we will check tools/scripts for non-PE files, and integrate them.

--
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The brouhaha over Apple replacing Google Maps in iOS 6 with its own mapping technology has not changed customers' minds about the iPhone 5, according to a ChangeWave Research survey.
 
Internet Storm Center Infocon Status