You are browsing the archive for Malware Analysis.

The not so boring land of Borland executables, part 2

December 18, 2014 in Forensic Analysis, Malware Analysis

In the part 1 we explored the case of the resource timestamps that may come handy while building a timeline, or at least when you are trying to figure out when a specific Borland executable was compiled (I use ‘Borland’ here, but we know it means all the possible variations of Borland-esque compilers/products we can think of: Delphi, Borland C++, Code Gear, Embarcadero) .

The other interesting fact you may come across is the family of Borland files that are compiled with an old version of Borland C++. They have 2 very interesting and peculiar properties:

  • They have 2 exports: __GetExceptDLLinfo ___CPPdebugHook
  • They also include an original name of the executable

The first one makes it easy to recognize them.

The second one, while it may not be the most forensically interesting information it may still give you some clues for further research. It may come handy if the exported name is unique enough as it may allow e.g. to search for samples from the very same family (e.g. on Google, VirusTotal, Malwr)

For example, running the good-old pedump.exe over the file with a hash 3E19EF9C9A217D242787A896CC4A5B03 gives us the following:

exports table:

  Name:            winmgmtc.exe
  Characteristics: 00000000
  TimeDateStamp:   00000000 -> Thu Jan 01 08:00:00 1970
  Version:         0.00
  Ordinal base:    00000001
  # of functions:  00000002
  # of Names:      00000002

  Entry Pt  Ordn  Name
  00001059     1  __GetExceptDLLinfo
  0000C128     2  ___CPPdebugHook

The Export Directory is populated with the name of the original .exe and followed by 2 exports.

And yes, many online AV checkers/sandboxes do not show this information.

So, 2 things to remember now:

  • If it is an older Delphi file, check its resource section’s compilation timestamp
  • If it is Borland C++, check the export directory

3500+ Visual Basic coders cannot be… wait a second

December 10, 2014 in Batch Analysis, Malware Analysis

Update

Originally, this post had an incorrect title :) By mistake I used “3500K” which is equivalent to 3.5M. The number should be 3500 a.k.a. 3.5K

Old Post

The number of malware writers is enormous. This is a fact. If someone tells you that there are only 10-100 active ppl or groups doing so, then maybe they are right. But… they are most likely not.

Clustering large number of samples allows us to cherrypick a lot of interesting statistics. I shared quite a lot of them back in 2012-2013. Over last weekend I crunched my databases again and this time I focused on Visual Basic ‘goodness’.

Despite being old, this programming platform still has a lot of followers. It ‘helps’ writing RunPE  wrappers and their authors often leverage VB’s built-in virtual machine which produces executables that are a big pain to analyze w/o some dedicated tools.

Now, my focus on VB was very specific. If you ever looked at the VB apps before, you know that they often leave traces of the original project path used by the application author inside the file. Yes, the ‘.vbp’ path. Looking through a histogram of all normalized .vbp paths extracted from a decent collection of malware I was able to find over 3500 user names used in the profiles of people who code them (focusing only on c:\users\* and c:\documents and settings\*). The number is pretty high, but that is not surprising.  If you add it to 7000 names I extracted in 2013 from debug strings then we are already crossing 10K profiles (possibly people). Multiply it by 2 since I excluded a lot of non-user-accountish paths, and the same name can belong to many people.

Of course, stats are always biased:

  • I don’t have all samples
  • Some of these paths could be automatically generated/modified/made up
  • Lots of other reasons

but numbers speak for themselves anyway.

Here is a list of top user names – lots of variations of the Admin account in multiple languages top the list:

  • Administrator
  • Administrador
  • Admin
  • Administrateur
  • user
  • Owner
  • ADMINI~1
  • Pedro
  • David
  • Usuario
  • pc
  • 2fast4you
  • IubHost
  • ben
  • box1
  • xp
  • DANIEL
  • M3
  • Master
  • Tolga
  • o_O
  • M3N3G@TT1_
  • sher soft
  • Jhon
  • Antrax10

Various interesting names are also on the list:

  • Alpacino
  • WHO
  • Metal_Zone
  • LORDOFDARK
  • MicrosoftCorporation
  • Emperor Zhou Tai Nu
  • mitnick
  • KingOfHackers
  • ^_^
  • AnTiviRus7
  • Compaq_Owner
  • Hacker test Machine
  • KillerMadara
  • x-men
  • ghost prince
  • HACKED-PC
  • SkY-NeT SySteMs
  • Administrator.VIRUS
  • Sauvegarde [ Don’t Toutch ]
  • Evil Karma
  • DJ-HacKeR
  • Fuck Yu !
  • H4x0r!
  • o-._.-o
  • Oracle Machine
  • Jesus Cristo
  • oussama
  • OWNED LAN HOUSE
  • $T0N3R
  • DeV-PoInT HaCkEr
  • FUCKWIT
  • GETFUCKED
  • ~RED_DEVIL~
  • 0p3nf1r3
  • BaD HackeR
  • PrediatOr
  • PuNkDuDe
  • redC0mmand3r
  • Soda_Da_Pimp
  • British_Intel
  • Saeed_virus
  • wolverine
  • Computer Zimmer
  • E.M.I.N.E.M
  • _M3t4m0rf0siS_
  • -$-BaNdO’s CoRp-$-
  • A__L__I__E__N
  • BrainFart
  • FaTaLCoDeR
  • FUCK OFF
  • fucked up
  • FuckYou
  • g0df4th3r