Slides about an in depth analysis of CVE-2013-3906 exploiting a TIFF bug inside a Microsoft Office Winword file. This bug was exploited in a targeted attack in November 2013.
A new version of Officemalscanner/RTFScan has been released. This update includes a generic decryption loop detection, enhanced shellcode patterns and bugfixes. Enjoy!
The new version of the OfficeMalScanner suite introduces RTFScan. As you might know, there are several samples in the wild, using the RTF format as OLE and PE-File container. So here is a very first version of RTFScan. It currently is able to scan for malicious traces like shellcode, dumps embedded OLE and PE files and other data containers. Buffer decryption in RTFScan is not supported in this release, as OMS and RTFScan will be enhanced to a cryptanalysis feature to break keys up to 1024 bytes in seconds. The old brute force feature in OMS will be kicked then.
I found some time to update OfficeMalScanner lately. So here is Version 0.54! Next to bugfixes, it now has its own RtlDecompressBuffer library to support VB-macro extraction on WINE. Further the document format is detected (word, ppt, excel) and is able to extract embedded flash files (compressed and uncompressed).
Last week i had a speech at the CAST forum about hunting malware with volatility 2.0. On 40 slides i will introduce the main features of this powerful forensic framework. All memory dumps being discussed are snapshots from infected machines with modern malwares and rootkits.
H-online released my next article of the CSI:Internet forensic series. In this part it's kernel debugging time. Learn how to find the TDL4 rootkit in live memory.
H-online just released my article contribution for the 2nd season of CSI:Internet. As you might know from former releases of this series it combines a story close to reality with technical stuff. This time i introduce you the usage of an awesome malware forensic framework called "Volatility". Hope i can inspire people with this little contribution as it inspired me. The features i use in this article are just a small set of what is possible with this framework.
Today i had a talk at the Ruhr University of Bochum "Hunting rootkits with Windbg". I'll introduce several ways to find well known rootkits like Rustock or TDL Versions 3+4 with Windbg and scripts. Enjoy!
Just released a small Windbg script i use while rootkit hunting and searching for kernel callbacks. See the readme.txt for usage infos.
While investigating a new malware i came across strange requests to a Siemens SCADA WinCC + S7 database. This was the first time i've seen malware which targets process control systems and their visualisation components often used in critical infrastructures and manufacturing.
Read more here Trojan spreads via new Windows hole
Believe it or not. I'm not dead. Just horrible busy with thousands of things in the last months. I shortly wanna point out, that Sebastian Porst from Zynamics an me have done a detailed analysis on the latest PDF / Flash 0day currently being spread. If you are interested in that stuff follow that link here A brief analysis of a malicious PDF file which exploits this week’s Flash 0-day
I made several new updates for OfficeMalScanner, including a new "inflate" feature for Ms Office 2007 documents. You can download the package from the code section. Enjoy!
Finally i'm happy to release my paper Analyzing MSOffice malware with OfficeMalScanner. This paper describes all features of the OfficeMalScanner suite in detail. Further i've updated some features since my PH-Neutral talk, fixed bugs and replaced bin2code with MalHost-Setup. A much smarter way to analyze the inner workings of shellcode in a real life session. Both malicious samples described in the paper are included in the package. For sure additionally compressed and with extra password safety. Switch to the paper section and enjoy reading!
PH-Neutral 2009 is over and it was a great conference. My new tool called "OfficeMalScanner", a MS office forensic util can be downloaded from the code section now!
Thorsten Holz and me are giving a talk on "Analyzing exploitable file formats" at the next PH-Neutral. A 31337 invite-only conference from FX and the gang in Berlin. Thorsten and i will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files like PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present 2 new tools developed especially for malicious Office-file analysis. I hope to meet a lot of interesting people again this year! Cya on 29th and 30th May 2009 in Berlin!
Today i read an article on the New York Times website called A sneaky security problem, ignored by the bad guys
I had a conversion by phone and mail with its author Robert McMillan from IDG News before and i've answered him some questions about my Rustock.C research as he planned to write the above story. There are some quotes by Al Huger from Symantec in this article i would like to comment, as i disagree to most of his statements regarding rootkits.
"It's extremely difficult to write code for your kernel that doesn't crash your computer," said Alfred Huger, vice president of Symantec's Security Response team. "Your software can step on somebody else's pretty easily."
I think this statement comes from the mentioned crashes that Rustock.C produced while analyzing it. But in fact it just crashed if the decryption failed because the rootkit gets analyzed on another box, than the original infected one (check my slides for details). The Rustock familiy has proven to have stable code, as well as other creatures from its author like MEBROOT. If it crashed victims boxes all the time, they had reinstalled their OSes very quickly, but in fact i know people who had this beast on their boxes for 1 year without any crash and without even knowing about its existance.
"Huger agrees that while rootkits are still a problem for Unix users, they're not widespread on Windows PCs."
Yep, sure. How old is the last well known rootkit on Unix please? 3 or 4 years? And what about rootkits on Windows? Rustock, Srizbi, Ascesso, Mebroot (Here is a bigger list: Antirootkit.com Stealth Malware List
"Rootkits make up far less than 1 percent of all the attempted infections that Symantec tracks these days."
If i just count all those useless malwares created with lame kits or code written by some kiddies, then rootkits might be only 1 percent, but if i take a look at the real effective SpamBots, Banking Trojans and so forth, nearly all of them use rootkit techniques to hide its tracks.
Ok, that's all for now. Sorry for being so rude on Al's statements, but i had to clarify this.
Just came back from the hack.lu in Luxembourg. It was a great conference, with fine speeches and a lot of fun. The slides of my talk are up now and can be downloaded from the papers section. Enjoy!
Everyone wondering why i haven't published my analysis results for Rustock.C ? The main reason was i'm giving a talk about my research on the hack.lu 2008 on 23th October in Luxembourg. Right after the speech you will be able to download my slides on this site, in case you are interested. Hope to meet some interesting people at hack.lu!
Today a friend from Threatexpert posted a blog entry on unpacking the top-notch rootkit RUSTOCK.C ! We shared some tricks and ideas before unpacking was possible and are both really glad we finally managed to get inside this beasty. Be sure there will be more details on its hooking tricks, infection ways and C&C communications in the next few days or weeks.
Just updated the ClassAndInterfaceToNames package. The classes and interfaces list has grown a lot. Thanx to Sirmabus for adding all these new entries.
Sorry for being lazy at the moment, but since some weeks i have permanent problems with my spinal disk, making it impossible to do some cool research. I really hope the doctors get this fixed very soon.
Just added some links to interesting sites. Check them out in the links area.
With "More advanced unpacking - Part II" i show you how to decrypt an infamous reallife malware called WSNPOEM aka Infostealer.Banker.C The binaries are usually created with a tool called ZEUS Builder and there exist lots of different versions in the wild. I found samples with and without rootkit functionality, as well as ontop packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways. - 1. Manual unpacking + import fixing - 2. Manual unpacking + Auto import fixing - 3. Auto unpacking/import fixing - Stage 2 introduces a nice tool called "Universal Import Fixer" and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.
Unbelievable but true. After 4 months of getting owned by other things making my life mad, i finally managed to release a new unpacking tutorial. This one goes far more into depth as the beginners tutorial i have released last year. It aims to show some generic tricks and tools, that can be used on many other protectors. Enjoy!
No, i'm not dead. Just too busy in the last weeks. But today i have a new paper for you. It's an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.
Right after finishing my COM reconstruction helpers, i present you today a movie, that aims to be a practical COM code reconstruction tutorial. The analysed function of this malware dumps the windows protected storage to steal account data like member site passes, outlook express accounts, autocomplete fields and so forth. And as it makes heavy use of the COM interface, it was the perfect candidate to show you how this nasty code can be restored to a far better readable code. Enjoy!
On the flight back from New York i had some time to write a small python script, which generates IDAPython code from vtable structures inside the include files of the Microsoft PSDK 2003-R2. The generated script adds all known vtable structures from the PSDK to an IDB file to save time while reconstructing COM code. Hope it's useful for others as well. Enjoy!
This small IDAPython script scans an idb file for class and interfaces UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me alot, while reversing several malwares using the COM interface, e.g. for browser or outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA
MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 functions into its realnames. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short flash movie included in the package for details.
Brian Krebs from "The Washington Post" wrote a nice article on his blog about BITS here:
VMEDetect v0.1 is a small commandline tool written in assembly, which makes use of the RDTSC trick to check for the presence of VMWare and VirtualPC.
This is a little proof of concept code to test, if your application-firewall alerts when bitscode.exe tries to download and execute fwbypassalert.exe from this site.
Also check out Elia Florio's blog for more information on this problem.
There's a new version of SYSER available, a SoftICE like kernel debugger with a nice GUI. Supported OSes are Windows 2000, XP, 2003 and VISTA!!! Software and Documentation can be found here:
Also check out the Links section. Added a bunch of nice sites.
I put a new paper online. It is an analysis of the Rustock.B rootkit. The rootkit used several proprietary obfuscation/packing methods to hide the native driver code from prying eyes. I have divided the paper into two main parts. The first part, which is divided in three stages, describes how to extract the native rootkit driver code without the use of kernel debuggers or other ring0 tools. The second part basically does the same, but much faster and with lesser efforts using the SoftICE kernel debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. All the code and IDB files are included in the package!
There's a new flash movie on manual unpacking and Auto-IAT fixing UPX and Aspack in the papers section. This might be useful for people who are new to malware analysis and don't have a clue how to unpack and repair a binary.
IDAAPIHelp v0.3 is ready for download! The API database has grown a lot (16,1 MB) and includes Windows Platform SDK, DDK, NTundoc as well as MSCRT APIS like free, memset, malloc, fopen etc. now.
Today i have a small IDAPython script for you, that saves time when searching for API Information while e.g. analyzing a malware with IDA Pro. It looks at cursor position for a valid api call and if found it tries to show you the eligible API Info from the provided helpfile. The package can be found in the ccode section.
It seems that Oleh Yuschuk strikes back in the near future with a new release of his rocking debugger Ollydbg, but read by yourself.
After some lazy months i've finally found the time to release something. Superkill is a is small tool to kill processes, which are normally protected from being stopped on application level. After starting Superkill it detaches its driver from the RC_DATA resource area, installs it as service and runs the driver. Communication between applevel code and driver is being handled through the DeviceIoControl() function. Full source code included. Flip to the ccode section for downloading.
Just read Matt Pietrek's blog and i'm completely aghasted at the moment. Compuware retired Driverstudio and therefore SoftICE, my beloved debugger. This is a really sad day for me and i'll booze as hell on the PH-Neutral conference tonight, to quickly forget what i read some minutes ago.
here's the link to the blog post:
as well as an obituary from one of its parents:
My first paper is a step by step guidance how to use the world's best debugger called SoftICE, which is part of Compuwares Driverstudio. This essay discusses the installation & configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well a categorized list of good breakpoints. For a better understanding screenshots are placed at distinctive points. Flip to the papers section for further reading.
Welcome to my little site. Here you'll find several papers & code regarding reverse engineering which is hopefully useful for others as well. Feel free to discover the different sections and download some stuff of my work. Don't miss to visit the other cool links to friends and other good reverser sites. I'll try to update this site on a regular basis, but remember that i do this in my very spare time. So don't blame me if there's a month without an update. Now enjoy the content here and just drop me some lines if you have questions regarding this page or constructive reviews of my work(email can be found in the about section).