
HexDive 0.4

August 19, 2012 in HexDive, Malware Analysis, Software Releases

It’s been a while since I updated HexDive, so I took some time today to fix a few things + add new keywords.

So, what’s new?

Mainly lots of new keyword sets. Some are just the tip of an iceberg and I will be extending them as I go through a malware collection in the future, but even at this stage they should certainly help in picking up some new interesting stuff, including but not limited to:

  • new banking-related strings
  • more information stealing strings (PStore, Firefox, FTP programs, Certificates, etc.)
  • keystrokes (thx Corey)
  • anti-sandbox tricks (partially based on an excellent summary post from Joe Security LLC and an interesting new technique described by F-Secure)
  • swearwords
  • lots of new registry keys related to settings, games, P2P, and lots of other applications
  • some default passwords occasionally used by worms
  • generic malware strings (lots of them, I still need to classify them, but at least they are already in the set)

You can download the current version of HexDive here. If your .exe download is blocked, you can try the zip file.

p.s.

I still don’t pay too much attention to the Linux version – this is lower priority than a different feature I am currently working on (stay tuned).


Bonus update:

hdive run over two Gauss samples:

  • 08D7DDB11E16B86544E0C3E677A60E10_100-dskapi.ocx
  • 5604A86CE596A239DD5B232AE32E02C6_smdk.ocx

Various classes of interesting strings are highlighted:

08D7DDB11E16B86544E0C3E677A60E10_100-dskapi.ocx

CorExitProcess
mscoree.dll
null
null
support
open
support
support
kernel32.dll
local
local
local
default
local
dddd, MMMM dd, yyyy
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
urlmon.dll
SeTakeOwnershipPrivilege
inflate
deflate
abcd
ABCD
abcd
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeRestorePrivilege
LoadLibraryW
kernel32.dll
GetCommandLineW
Sleep
kernel32.dll
FreeLibrary
kernel32.dll
VirtualFree
kernel32.dll
ExitThread
kernel32.dll
DeleteFileA
kernel32.dll
MoveFileExA
kernel32.dll
ntdll.dll
SeRestorePrivilege
SeBackupPrivilege
RegCreateKeyExW
RegSaveKeyW
RegRestoreKeyW
RegOpenKeyExW
RegFlushKey
RegCloseKey
RegSetValueExW
RegDeleteValueW
RegQueryValueExW
ObtainUserAgentString
HttpSendRequestW
InternetQueryOptionW
InternetSetOptionW
InternetCloseHandle
InternetQueryDataAvailable
HttpAddRequestHeadersW
InternetReadFile
HttpQueryInfoW
InternetOpenW
InternetConnectW
HttpOpenRequestW
OpenProcessToken
ImpersonateLoggedOnUser
AdjustTokenPrivileges
LookupPrivilegeValueW
RegDeleteKeyW
SetEntriesInAclW
FreeSid
MoveFileExW
CloseHandle
DeleteFileW
CreateMutexW
Sleep
GetCurrentProcessId
VirtualAlloc
LoadLibraryW
CreateThread
GetModuleFileNameW
VirtualFree
GetCurrentProcess
GetModuleHandleA
OpenProcess
GetLastError
GetFileSize
ReadFile
CreateFileW
GetPrivateProfileStringW
FreeLibrary
GetProcAddress
GetSystemTime
DuplicateHandle
MultiByteToWideChar
LoadResource
SizeofResource
LockResource
GetVersionExW
CreateToolhelp32Snapshot
GetFileAttributesW
GetModuleHandleW
SetFileTime
WriteFile
Process32FirstW
ReadProcessMemory
Process32NextW
WriteProcessMemory
VirtualAllocEx
CreateRemoteThread
VirtualFreeEx
LocalFree
LocalAlloc
LoadLibraryA
TerminateProcess
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCurrentThreadId
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
ExitProcess
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapDestroy
HeapCreate
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
GetCPInfo
GetACP
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
SetFilePointer
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
WriteConsoleA
WriteConsoleW
CreateFileA
FlushFileBuffers
GetSystemMetrics

5604A86CE596A239DD5B232AE32E02C6_smdk.ocx

CorExitProcess
mscoree.dll
null
null
support
open
support
support
local
local
local
default
local
kernel32.dll
dddd, MMMM dd, yyyy
england
chinese
chinese
chinese
chinese
GetProcessWindowStation
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
deflate
Jean-loup Gailly
Mark Adler
true
RegOpenKeyW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
TerminateThread
CreateThread
Process32NextW
CreateToolhelp32Snapshot
GetLastError
Process32FirstW
DuplicateHandle
GetCurrentProcess
SetEvent
GetLogicalDriveStringsW
GetSystemTime
DeviceIoControl
CreateFileW
GetDriveTypeW
FindClose
FindFirstFileW
FindNextFileW
LocalAlloc
GetProcAddress
FreeLibrary
LoadLibraryA
TerminateProcess
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCurrentThreadId
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetModuleHandleA
Sleep
ExitProcess
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
WriteFile
InitializeCriticalSection
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetFilePointer
WriteConsoleA
WriteConsoleW
CreateFileA
FlushFileBuffers
GetFileSize
GetFileAttributesW
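
The two listings above are the kind of output HexDive produces: strings pulled from a binary and grouped by what they hint at (privilege manipulation, process injection, WinINet networking, registry access, debugger checks). The Python script below is an added example, not HexDive's code; its keyword sets are a small constructed subset and SAMPLE is a constructed byte blob standing in for a PE file read from disk.

```python
import re

# Constructed keyword sets grouped by behaviour, in the spirit of HexDive's
# categories: an illustrative subset, not HexDive's own keyword lists.
KEYWORD_SETS = {
    "privilege": ["SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
                  "AdjustTokenPrivileges", "ImpersonateLoggedOnUser"],
    "injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                  "CreateRemoteThread", "ReadProcessMemory"],
    "network": ["InternetOpenW", "InternetConnectW", "HttpOpenRequestW",
                "HttpSendRequestW", "InternetReadFile", "ObtainUserAgentString"],
    "registry": ["RegCreateKeyExW", "RegSetValueExW", "RegDeleteValueW", "RegSaveKeyW"],
    "anti-debug": ["IsDebuggerPresent", "SetUnhandledExceptionFilter"],
    "process-enum": ["CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"],
}

# Printable runs of 4+ characters, both ASCII and UTF-16LE (the ...W names above
# show how common wide strings are in Windows binaries).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_strings(data: bytes) -> list:
    """Return printable strings found in a byte blob: ASCII matches first, then wide ones."""
    strings = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    strings += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return strings

def classify(strings) -> dict:
    """Map each category to the strings containing one of its keywords (case-insensitive
    substring match, so OpenProcessToken also hits 'injection': review hits by hand)."""
    hits = {}
    for s in strings:
        low = s.lower()
        for category, keywords in KEYWORD_SETS.items():
            if any(k.lower() in low for k in keywords):
                hits.setdefault(category, []).append(s)
    return hits

# Constructed sample standing in for a PE file read from disk: API names with
# padding, one of them stored as a wide string.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"kernel32.dll\x00OpenProcess\x00VirtualAllocEx\x00"
          + b"WriteProcessMemory\x00CreateRemoteThread\x00\x00"
          + "SeTakeOwnershipPrivilege".encode("utf-16le")
          + b"\x00\x00IsDebuggerPresent\x00ab\x00")

if __name__ == "__main__":
    for category, found in sorted(classify(extract_strings(SAMPLE)).items()):
        print(f"{category:13} {', '.join(found)}")
```

Swap SAMPLE for `open(path, "rb").read()` to run it over a real file; the categories a sample lights up together (injection plus privilege plus network, say) are usually more telling than any single string.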

Windows Disco

August 7, 2012 in Compromise Detection, HWD, Malware Analysis, Software Releases

Detecting malware on a live system is often very difficult and requires special tools and lots of experience. There are situations, though, when some simple techniques can be used as well. This post introduces one such technique and provides a simple demo tool (a toy, really) you can use to play around with.

The technique itself relies on a simple fact: many keylogging malware apps use a hidden ‘worker’ window and often also carry an extensive GUI that is not normally visible but can be brought up by the malicious user after pressing a combination of keys. The worker window receives all intercepted keystrokes sent by the hook procedure, and the GUI is used to set up keylogger parameters, view logs, etc. Such ‘worker’/hidden GUI windows are not visible to the user, but they are still windows, so one can still enumerate them and present them to the user (even though they are invisible).

This is exactly what Windows Disco does. It walks through all processes and their windows, takes a screenshot of each window, and saves it to a temporary PNG file in a subfolder of the current directory (named disco); you may review all these files either in the application itself, or in Explorer, IrfanView or another image viewer.
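
As an added example (not HWD's own code), the Python script below enumerates top-level windows with EnumWindows via ctypes, records each window's owning PID, class, title and visibility, and lists the processes that own windows but show none of them, the hidden ‘worker’ window pattern described above. The Win32 calls only run on Windows; the grouping heuristic and the constructed SAMPLE_RECORDS run anywhere, and the screenshot step of Windows Disco is not reproduced.

```python
import ctypes
import sys

def enumerate_top_level_windows():
    """Walk every top-level window with EnumWindows (Win32 only; returns [] elsewhere)."""
    if sys.platform != "win32":
        return []
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.GetWindowThreadProcessId.argtypes = [wintypes.HWND, wintypes.LPDWORD]
    user32.IsWindowVisible.argtypes = [wintypes.HWND]
    user32.GetWindowTextW.argtypes = user32.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    records = []

    def on_window(hwnd, _lparam):
        pid = wintypes.DWORD()
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        title, cls = ctypes.create_unicode_buffer(256), ctypes.create_unicode_buffer(256)
        user32.GetWindowTextW(hwnd, title, 256)
        user32.GetClassNameW(hwnd, cls, 256)
        records.append({"hwnd": hwnd, "pid": pid.value, "title": title.value, "class": cls.value,
                        "visible": bool(user32.IsWindowVisible(hwnd))})
        return True  # keep enumerating

    user32.EnumWindows(WNDENUMPROC(on_window), 0)
    return records

def hidden_only_processes(records):
    """Group windows by owning PID and keep the PIDs whose windows are all invisible:
    the hidden 'worker' window pattern. Tray apps, COM servers and message-only windows
    look the same, so treat the result as a review list, not a verdict."""
    by_pid = {}
    for r in records:
        by_pid.setdefault(r["pid"], []).append(r)
    return {pid: wins for pid, wins in by_pid.items() if not any(w["visible"] for w in wins)}

# Constructed records (hypothetical class names) standing in for a live enumeration:
# PID 100 has a visible editor window plus a hidden helper, PID 200 owns only hidden windows.
SAMPLE_RECORDS = [
    {"hwnd": 1, "pid": 100, "visible": True, "title": "notes.txt - Editor", "class": "EditorFrame"},
    {"hwnd": 2, "pid": 100, "visible": False, "title": "", "class": "HelperMsgWnd"},
    {"hwnd": 3, "pid": 200, "visible": False, "title": "", "class": "WorkerWnd"},
    {"hwnd": 4, "pid": 200, "visible": False, "title": "Log viewer", "class": "ConfigDlg"},
]

if __name__ == "__main__":
    wins = enumerate_top_level_windows() or SAMPLE_RECORDS
    for pid, hidden in sorted(hidden_only_processes(wins).items()):
        print(pid, [(w["class"], w["title"]) for w in hidden])
```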

For naysayers: yes, of course this can be easily bypassed and is not foolproof – everything can be hooked, so both the enumeration and the screenshot-taking can be prevented, and keylogging can be implemented in a different way. But this is a demo of a trivial technique, not ‘solve it all’ software 😉 Who knows… with more and more malware moving back from the kernel to userland, such simple techniques may actually turn out to be useful.

Another similar technique that might be potentially useful is hotkey enumeration – provided that the keylogger registers its hotkey in a documented way, one could use a hotkey enumeration tool to find suspicious associations (again, I know this is far-fetched; many keyloggers use a state machine to trigger their hidden GUI, but still…). The tool + source to enumerate hotkeys and an article in Russian can be found here and here.

As usual, testing in a VM first is advised. Occasionally the GUI may be less responsive; please be patient and kill it if necessary.

The whole procedure ends when a MessageBox pops up showing how many windows have been enumerated.


The following screenshots have been taken from various keylogging applications; as you can see some are more ‘ostentatious’, some less.

As mentioned earlier, all files are saved in the ‘disco’ directory and can be reviewed using various image browsers:


You can download HWD here.