You are browsing the archive for Batch Analysis.

3500+ Visual Basic coders cannot be… wait a second

December 10, 2014 in Batch Analysis, Malware Analysis

Update

Originally, this post had an incorrect title :) By mistake I used “3500K” which is equivalent to 3.5M. The number should be 3500 a.k.a. 3.5K

Old Post

The number of malware writers is enormous. This is a fact. If someone tells you that there are only 10-100 active ppl or groups doing so, then maybe they are right. But… they are most likely not.

Clustering large number of samples allows us to cherrypick a lot of interesting statistics. I shared quite a lot of them back in 2012-2013. Over last weekend I crunched my databases again and this time I focused on Visual Basic ‘goodness’.

Despite being old, this programming platform still has a lot of followers. It ‘helps’ writing RunPE¬† wrappers and their authors often leverage VB’s built-in virtual machine which produces executables that are a big pain to analyze w/o some dedicated tools.

Now, my focus on VB was very specific. If you ever looked at the VB apps before, you know that they often leave traces of the original project path used by the application author inside the file. Yes, the ‘.vbp’ path. Looking through a histogram of all normalized .vbp paths extracted from a decent collection of malware I was able to find over 3500 user names used in the profiles of people who code them (focusing only on c:\users\* and c:\documents and settings\*). The number is pretty high, but that is not surprising.¬† If you add it to 7000 names I extracted in 2013 from debug strings then we are already crossing 10K profiles (possibly people). Multiply it by 2 since I excluded a lot of non-user-accountish paths, and the same name can belong to many people.

Of course, stats are always biased:

  • I don’t have all samples
  • Some of these paths could be automatically generated/modified/made up
  • Lots of other reasons

but numbers speak for themselves anyway.

Here is a list of top user names – lots of variations of the Admin account in multiple languages top the list:

  • Administrator
  • Administrador
  • Admin
  • Administrateur
  • user
  • Owner
  • ADMINI~1
  • Pedro
  • David
  • Usuario
  • pc
  • 2fast4you
  • IubHost
  • ben
  • box1
  • xp
  • DANIEL
  • M3
  • Master
  • Tolga
  • o_O
  • M3N3G@TT1_
  • sher soft
  • Jhon
  • Antrax10

Various interesting names are also on the list:

  • Alpacino
  • WHO
  • Metal_Zone
  • LORDOFDARK
  • MicrosoftCorporation
  • Emperor Zhou Tai Nu
  • mitnick
  • KingOfHackers
  • ^_^
  • AnTiviRus7
  • Compaq_Owner
  • Hacker test Machine
  • KillerMadara
  • x-men
  • ghost prince
  • HACKED-PC
  • SkY-NeT SySteMs
  • Administrator.VIRUS
  • Sauvegarde [ Don’t Toutch ]
  • Evil Karma
  • DJ-HacKeR
  • Fuck Yu !
  • H4x0r!
  • o-._.-o
  • Oracle Machine
  • Jesus Cristo
  • oussama
  • OWNED LAN HOUSE
  • $T0N3R
  • DeV-PoInT HaCkEr
  • FUCKWIT
  • GETFUCKED
  • ~RED_DEVIL~
  • 0p3nf1r3
  • BaD HackeR
  • PrediatOr
  • PuNkDuDe
  • redC0mmand3r
  • Soda_Da_Pimp
  • British_Intel
  • Saeed_virus
  • wolverine
  • Computer Zimmer
  • E.M.I.N.E.M
  • _M3t4m0rf0siS_
  • -$-BaNdO’s CoRp-$-
  • A__L__I__E__N
  • BrainFart
  • FaTaLCoDeR
  • FUCK OFF
  • fucked up
  • FuckYou
  • g0df4th3r

Sandboxing and Message Box Default Reply (Error Message Instrument)

September 3, 2013 in Batch Analysis, Malware Analysis

I have read about Message Box Default Reply the other day and it crossed my mind that it could be used to help with some aspects of sandbox automation.

What is Message Box Default Reply? Windows supports a mechanism that enables a default reply for MessageBox windows; that is – it automatically ‘clicks’ for you a default button on the message boxes.

To enable it, all you have to do is to create a EnableDefaultReply value in Registry as shown below and restart the system

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Error Message Instrument]
 "EnableDefaultReply"=dword:00000001

Once the key is set and computer restarted, all standard message boxes will be automatically ‘clicked’. Check the link provided above as the mechanism enables logging and offers a few other settings which are covered in detail on Microsoft web pages.