
But VT says so!

October 23, 2014 in Malware Analysis, Preaching

Update

Fixed some grammar mistakes & added a few bits about regression testing.

Old post

I am really tired today so the only thing I can do is preach :) I have a few (I hope cool) research posts piled up, but really no time recently to polish them and publish. Pls wait for the second half of November when I am back from holidays.

Anyways…

I love the social aspects of IT Security and how certain myths and beliefs shape the mindset of people working in this field. I fall for many of these myths myself, but I do so as a consciously weak mind and I always try to find out what other people think about it, often to discover that I was taken for a ride yet another time. The last sentence highlights how smart I am so now you better pay attention ;)

Today I want to talk about Virus Total.

It’s an awesome web site that went from a resource known to a few to ‘yet another lucky guy acquired by Google’.

Now, let me tell you one thing: Virus Total’s importance is the biggest B/S in the IR universe. Note that I love VT, I just hate the perception of its importance.

There are many reasons, but the simplest to pick up on is “but VT says so”.

It is not uncommon nowadays for people – often including those who can’t distinguish a virus from a trojan – to utilize VT on a daily basis and treat its statistics as a deity that tells them about law & order in the software/sample universe.

I uploaded the file XYZ to VT and it says: bad.

Hmm…

Let me tell you a little secret of the Antivirus industry here:

  • Problem: Lots of samples. Mucho unknown samples
  • Question: How to cut the corners?
  • Answer: Use other AV to tell us if it is bad; if we get lucky, we will generate an automatic def/sig for it and move on; we can be smart and rely on the judgment only if at least 1,2,3…N of them say so, but we still cut corners.

Yup. You heard that right.

Your VT score is now worth mierda. One guy detects it, suddenly everyone detects it. Human involvement = 0, maybe 1. All of it is bots at work. And sometimes the first guy realizes it was an FP and removes the sig. Yet the others who blindly followed don’t. Not everyone cares or can afford regression testing and the file remains ‘detected’ forever.

VT is a resource that presents you with aggregated information from various providers including, but not limited to:

  • antivirus vendors
  • sandboxes
  • result of running various proprietary tools
  • etc.

but it DOES NOT tell you how many of these detections/hits are derived from each other: vendors, others on the list, some heuristic rules.

Read the score. Understand it. But also understand the context of it.

It’s unreliable & you should NOT use it blindly or you will make bots replace you as a decision maker.

Beyond good ol’ Run key, Part 17

August 31, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

.NET components (a couple of DLLs loaded anytime .NET apps are executed) in Windows 8.X have been somehow modified, and when they are loaded they look for an environment variable called APPX_PROCESS. I am not sure what it is – googling around didn’t bring any results, but experimenting with it led me to the discovery of yet another phantom DLL called WinAppXRT.dll. If the environment variable is set, anytime some .NET components are loaded they will in turn attempt to load the aforementioned DLL (e.g. launching powershell or any .NET app should be enough).

Since environment variables can be set via the Registry, we can use it to develop yet another persistence mechanism.

Adding the following:

[HKEY_CURRENT_USER\Environment]
"APPX_PROCESS"="1"

and dropping the WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure the WinAppXRT.dll is loaded every time the user launches an application using .NET.
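
A host triage check for the mechanism described above, as an added example that is not part of the original post: it reports whether APPX_PROCESS is set persistently and whether a WinAppXRT.dll is reachable through system32 or PATH. The function name Find-AppxProcessPersistence and the inclusion of the machine-wide environment key are assumptions that do not appear in the post.

```powershell
# Added triage example (not from the original post).
# Requires PowerShell 3.0 or later for [pscustomobject].
function Find-AppxProcessPersistence {
    $findings = @()

    # Registry keys that hold persistent environment variables.
    # HKCU\Environment is the key named in the post; the machine-wide key
    # is an added assumption, checked because it sets variables for all users.
    $envKeys = @(
        'HKCU:\Environment',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    )
    foreach ($key in $envKeys) {
        $prop = Get-ItemProperty -Path $key -Name 'APPX_PROCESS' -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type     = 'EnvironmentVariable'
                Location = $key
                Detail   = "APPX_PROCESS=$($prop.APPX_PROCESS)"
            }
        }
    }

    # Candidate directories: system32 plus every PATH entry (machine and user scope).
    $dirs = @("$env:SystemRoot\System32")
    foreach ($scope in 'Machine', 'User') {
        $path = [Environment]::GetEnvironmentVariable('PATH', $scope)
        if ($path) { $dirs += $path.Split(';') | Where-Object { $_ } }
    }
    # Expand %VAR% references, strip quotes and trailing slashes, de-duplicate.
    $dirs = $dirs |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).Trim('"').TrimEnd('\') } |
        Sort-Object -Unique

    foreach ($dir in $dirs) {
        $dll = "$dir\WinAppXRT.dll"
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $dll
            $file = Get-Item -LiteralPath $dll -Force
            $findings += [pscustomobject]@{
                Type     = 'PhantomDll'
                Location = $dll
                Detail   = "Signature=$($sig.Status); LastWrite=$($file.LastWriteTimeUtc.ToString('u'))"
            }
        }
    }
    return $findings
}

Find-AppxProcessPersistence | Format-Table -AutoSize -Wrap
```

HKCU resolves to the account running the script, so run it in each user's context (or load the other user hives) to cover every profile on the host.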
