Category Archives: GoodWare

Not installing the installers

Posted on by

Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you add some scale and automation to it, you may actually find some value there. For both Red and Blue sides of the fence.

The most popular installers for Windows are Nullsoft and InnoSetup (apart from MSI). Luckily, we have good decompilers available for both of them (InnoUnp and 7z), so one wanting to explore the possibilities just needs to run these on a bunch of clean samples.

The decompilation results are interesting for many reasons.

If the installer is signed, it may execute its installation script and may bypass EDRs. I have obviously no idea if it is always the case, but if VT says it’s signed and ‘green’ by all AVs, the chances are high that whatever the sample does, it will be permitted to do so.

The opportunity this fact brings to RT is that some of installers’ actions may help to deliver some functionality that RT can abuse.

Many installers add a run key. It’s a lame use case, but one could run such installer, get all the settings in place via a trusted, signed binary, and then swap the executable referenced by the Run key with a payload of choice.

Another opportunity for RT is domain recycling. Many older installers refer to domains that no longer exist. By combing the decompiled installation scripts you may find domains that you could re-use. It is highly possible that an old, but non-existing software developer had all the green marks from web proxy/IDS/IPS, even e-mail security vendors, VT and this setting has never been updated. By recycling such domain you may get a nice way to create a ‘clean’ C2 channel, deliver phish/malspam. And if you are very very lucky, some people may be still using that old software. What if the software has an auto-update mechanism? These could form potential big bounty wins using a legacy autoupdate mechanism as a supply-chain attack .

DLL sideloading or Lolbin executable spawning via installers is also possible. Either via a clever race condition, one-off opportunities or by leveraging GUI that pauses the installer for a moment (enough time to swap files in a tmp folder). Really depends on scenario and you may not find a lot of such installers, but hey… it’s possible.

From a forensic perspective, decompilation of installation scripts gives us yet another way to discover clusters of ‘clean’ paths and file names. It can form a nice exclusion list for analysis. There is also a great opportunity to create exclusion list for process parent-child relationships — many installers are ‘told’ to run some executable at the end of the installation, or simply open a browser to navigate to a site in a default browser. Most sandboxes and EDRs are blind to it and their analysis results often include lots of unnecessary artifacts that could potentially be excluded from such reports. For example, if an analyzed sample’s decompilation script tells us the installer does open the browser, the whole chain of events that follow could be excluded from the final report.

Ever wondered what is a source of some process, services, tasks running on a system? Combing through decompiled installation scripts brings a lot of answers to this question. And even more, it provides an explanation to many command line switches we see in the process parent-child relationships. We may not know their meaning, but we may learn they are preprogrammed inside the installation scripts! Aka build a nice list of ‘good command line switches’ for specific processes.

The ‘open browser at the end of the installation or uninstall’ scenarios are very useful for us too. We can use them to detect very specific events of users installing software that is outside of the acceptable use policy. Yes, we can use EDR or asset inventory tools for that too, but what if the software is portable? Any clue of an install event is important.

Finally, you could possibly write signatures/yara definitions for installation scripts that could help to detect different version of the same software w/o a need to sandbox them.

I am sure there are more ideas out there.

Good file… (What is it good for) Part 3

Posted on by

We have our sampleset. We have our metadata.

What’s next?

You can very quickly script searches that will look for specific files, or their properties. I mentioned section names, PDB paths, icons, but there is more.

In my older blog post I highlighted a presence of a copy&paste crypto code block present in a number of ‘good’ files I have looked at. The reason I recognized these samples is pretty simple: they used API calls that happen to be on the list of all APIs that are of my interest.

So…

Once you get your sampleset processed, generated its preliminary metadata, you can look at the properties extracted from the files and/or either re-run some additional metadata collection tasks (often narrowed down to specific file types), and/or … disassemble/decompile these files for some quick code-based post-processing & … quick wins. The above example is one of them.

What these post-processing tasks could be?

Running yara, capa is of course a ‘must-do’ and it’s trivial. But that’s not everything. You can (and should) run instrumented oleview, or olewoo to extract additional OLE/COM info from embedded type libraries. They not only give us info about unique GUIDs, but often point us to proprietary COM interfaces and methods of interest that could be used to do some ‘funny’ stuff – think: file downloading, program execution, escalation of privileges, etc.

The next targets are drivers – they themselves are of always of interest, because ‘who runs code in kernel – owns the box’. @hFirefox (Twitter account doesn’t exist anymore as of today) created a number of POCs showing that legitimate, signed, yet vulnerable kernel drivers can be abused to deliver payloads of (user mode) choice. There is definitely more vulnerable drivers out there, and guess what… some basic kernel driver analysis can be also done statically.

If you look at a number of them, you will start recognizing a lot of patterns. For instance, it’s not uncommon for kernel mode driver developers to include the whole list of debug messages that often help understanding the internals of their creations. To be precise… for instance, grepping for ‘IOCTL_’ prefixed strings inside kernel drivers will give us a lot of hints with regards to what the driver does, and how it operates. And yes, it will give us names of many IOCTLs as well!

Yup.

We can bulk analyze these.

How?

Yes, I will cover this soon 🙂