(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

When I researched VBS encoding for my YARA rule and Python decoding script, I noticed that the encoded script had a header and a trailer. I wondered whether you could have several scripts in the same file, so I added this to my research to-do list.

But a couple of days ago I came across a maldoc sample (MD5 246f27b9ec2c16da7844369e9153b8cd) that wrote a VBE script to disk that consisted of an unencoded part (the URL) and an encoded part (the code to download and execute).


Take, for example, this VBS script (the second statement deliberately references a variable that is never assigned):
MsgBox "Encoded string"
MsgBox variable

Encoding gives this VBE script:
#@~^KgAAAA==\ko$K6,J2 mK[[email protected]#@" />

The second popup is empty because variable is an uninitialized variable: VBScript only raises an error for an undeclared variable when Option Explicit is in effect, and this script does not use it.

If we modify the VBE file and prepend an unencoded VBS statement that assigns the variable, like this:
variable = "Unencoded string"
#@~^KgAAAA==\ko$K6,J2 mK[[email protected]#@" />

the script host runs the plain text and the decoded block as one script, so the second popup now shows Unencoded string. This is exactly the layout of the maldoc sample: an unencoded part that sets up the URL, followed by an encoded part that uses it.
You can also have more than one encoded script inside the same VBE file. But encoding an already encoded script a second time does not work.
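The two observations above (plain VBS may sit outside the encoded block, and one file may contain several encoded blocks) suggest a triage step that needs no decoding at all: split the file on the #@~^ header and ^#~@ trailer and look at what is left in the clear. The following scanner is an added example written for this page, not Didier's decoder or Microsoft's Script Encoder. It relies only on the framing visible in the encoded output above: a header of #@~^ plus the base64 of the plaintext length (the KgAAAA== above decodes to 42, the size of the two-line script with CRLF line endings), and a trailer of an 8-character base64 checksum followed by ^#~@. The sample file is constructed: its encoded bodies are placeholder characters, so only the framing is real.

```python
import base64
import re
import struct

# Framing of a .vbe block (assumed from the samples on this page; the bytes
# between header and trailer are the substitution-encoded script):
#   header  = "#@~^" + base64(4-byte little-endian length of the plaintext)
#   trailer = base64(4-byte checksum) + "^#~@"
# Both base64 fields are 8 characters: 6 data characters plus "==".
HEADER_RE = re.compile(r"#@~\^([A-Za-z0-9+/]{6}==)")
TRAILER_RE = re.compile(r"([A-Za-z0-9+/]{6}==)\^#~@")


def decode_u32(b64: str) -> int:
    """Decode one 8-character base64 field into a little-endian uint32."""
    return struct.unpack("<I", base64.b64decode(b64))[0]


def split_vbe(data: str):
    """Split a VBE file into ("plain", text) and ("encoded", info) segments,
    in file order. Text outside any header/trailer pair is plain VBS that the
    script host runs as-is, which is where an unencoded URL would live."""
    segments = []
    pos = 0
    while True:
        head = HEADER_RE.search(data, pos)
        if not head:
            break
        if head.start() > pos:
            segments.append(("plain", data[pos:head.start()]))
        info = {"length": decode_u32(head.group(1)), "checksum": None,
                "body": None, "truncated": False}
        tail = TRAILER_RE.search(data, head.end())
        if not tail:
            # Header without trailer: keep the remainder as a truncated block
            # rather than silently treating it as plain text.
            info.update(body=data[head.end():], truncated=True)
            segments.append(("encoded", info))
            pos = len(data)
            break
        info.update(checksum=decode_u32(tail.group(1)),
                    body=data[head.end():tail.start()])
        segments.append(("encoded", info))
        pos = tail.end()
    if pos < len(data):
        segments.append(("plain", data[pos:]))
    return segments


def plain_text(data: str) -> str:
    """Everything that runs unencoded; grep this for URLs and assignments."""
    return "".join(text for kind, text in split_vbe(data) if kind == "plain")


def vbe_header(plaintext_len: int) -> str:
    return "#@~^" + base64.b64encode(struct.pack("<I", plaintext_len)).decode()


def vbe_trailer(checksum: int) -> str:
    return base64.b64encode(struct.pack("<I", checksum)).decode() + "^#~@"


# Constructed sample: a plain assignment, then two encoded blocks. The bodies
# are placeholders of the right length, not real Script Encoder output.
PLAIN_PREFIX = 'variable = "Unencoded string"\r\n'
BODY_1 = "x" * 42   # stands in for the encoded 42-byte script from the page
BODY_2 = "y" * 17   # stands in for a second, shorter encoded script
SAMPLE = (PLAIN_PREFIX
          + vbe_header(42) + BODY_1 + vbe_trailer(0x12345678)
          + "\r\n"
          + vbe_header(17) + BODY_2 + vbe_trailer(0))

if __name__ == "__main__":
    for kind, info in split_vbe(SAMPLE):
        if kind == "plain":
            print("plain   :", repr(info))
        else:
            print("encoded : declared length %d, checksum %r, truncated=%s"
                  % (info["length"], info["checksum"], info["truncated"]))
```

The declared length comes from the header, so a mismatch between it and the decoded script, or a trailer that is missing altogether, is itself a signal that the file was assembled by hand rather than produced by the encoder.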

Please post a comment if you have experimented with VBE scripts too.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.