Finding New Obfuscated Strings in ZeuS 2.x Variants

ZeuS is one of the most notorious info-stealing malwares. Last year, ZeuS source code was leaked but some variants still continue to infect many machines and update their functions.
I wrote an IDAPython script to decode obfuscated strings in ZeuS 2.x variants. The script decodes all strings included in the specified data structure, then compare with strings of leaked version (2.0.8.9). If you find new command strings like this, you should analyze the new function.
Before use, you should configure the following values.

• decode_structure_array: the name of a structure (key, size, ptr to encoded string) array
• func_getA: the function name to decode ASCII strings
• func_getW: the function name to decode Unicode strings

Limitation:

• The script is only effective to Zeus variants using fastcall convention (1st arg=ecx, 2nd arg=edx).
• The script fails to resolve data references to some strings (no xrefs) because the script needs array ID for tracking cross-reference, but in some cases like non-constant values or condition branchings, it's difficult to determine the ID statically. I may improve the algorithm later.

Download

Bug Fixed: NTFS SI/FN Timeline EnScript

I've fixed a critical bug in finding $MFT entry. Let me know if you have any question or problem.

Download

Quick Review: Redline with IOC Report

Redline 1.5 supported a function checking IOC (Indicator of Compromise) in a specified memory image. The only unsatisfaction about IOC for me was the time-consuming task executed by IOC Finder, but it seems to be solved.

Deobfuscating SpyEye Wrapup

At my friend's request, I've released SpyEye 1.3.45 deobfuscation script.

My script performs two deobfuscations.

1st deobfuscation is resolving various information from 4bytes hash values (described in Part1).  It resolves the following information:

• library function names (kernel32/ntdll/advapi32/wininet/ws2_32),
• function names exported by SpyEye plugins,
• process names for malicious code injections and
• file names included in config.bin.

The objective of 2nd deobfuscation is to recover important strings. It calculates start addresses and lengths based on specified dword values, then executes the custom xor routine (in more detail, see Part2).

As a bonus, I added a trivial code for enumerating installed folder name and mutex name. Note the names are encoded after executing SC2 that is the initialization routine of C1.

You should configure "names_to_resolve" folder path and function name for 2nd deobfuscation to run the script.

Enjoy your analysis ;-)

Download

Analyzing SpyEye 1.3.45

I've analyzed SpyEye 1.3.45 bot program. I found some interesting features.

Deobfuscating SpyEye Part2

SpyEye obfuscates the target process name of the code injection by using custom xor. I wrote part2 script to decode it.

Deobfuscating SpyEye Part1

SpyEye, a notorious crimeware, uses an obfuscation technique when calling library functions. Specifically, it calls objective functions by searching function name's hashes calculated in advance (That's exactly what shellcode would do). I wrote an IDAPython script deobfuscating its disgusting code.

Download

Usage: execute the script and specify two text files including kernel32/ntdll function names. After the execution finished, you can see comments of function names at instructions pushing hashes and calling functions resolved by the hashes.

NOTICE: I expect the script needs to be modified because the progress of my analysis is an early stage. So this is Part 1 ;-)

Comparison of Memory Forensic Tools

Currently, we have some options when analyzing memory images. Mandiant released Redline, that is the replacement of Audit Viewer. HBGary distributed Responder Community Edition at CEIC, and Volatility Framework 2.0 was released a few days ago. I tested them including my EnScript and consider their capabilities and limitations

Update: Immunity Debugger Script Setting Memory Breakpoints on Execution (NX-bit Version)

以前公開した実行時にメモリブレークポイントを張るスクリプト（ollyboneクローン）は以下のような動作を行う。

1. カーネルドライバ経由で指定したメモリセクションのPTEのユーザモードビットを落としてTLBキャッシュをクリア
2. 該当セクションへのメモリアクセスが行われるとページフォルトが発生
3. ページフォルトをフックして、メモリアクセスがread/writeによるものであれば一旦ユーザモードビットを戻してDTLBへキャッシュ、実行によるものであればシングルステップ例外へジャンプ

TLBを使ってread/writeと実行を区別する辺りはShadow Walkerの実装に似ている。
ところで、3.のDTLBへのキャッシュが動作するかはVMに依存するようだ。たとえば、Hyper-Vは適切に処理してくれるが、VMWare Workstationはキャッシュがされずread/write時の命令がぐるぐるとループしてしまう（ように見える）。
そもそも、ollyboneが作られたときはDEPを有効にできる（PAEを有効にできる）CPUがそんなに普及していない時であり、今時DEPを有効にできないマシンなんてほとんど無いよね、と思う。
そこで、ユーザモードビットを使うトリッキーな方法ではなく、DEP用のNXビットを使う王道の実装に修正してみた。

「immbone_nx.zip」をダウンロード

以下の環境で動作を確認。

• Immunity Debugger 1.8*
• Windows XP SP3
• MS Hyper-V, VMWare Workstation

詳しい使い方は前回の記事を参照のこと。前回との違いは以下。

• DEPを有効にする（/noexecute=AlwaysOn）
• デバッガの例外無視設定でSingle-step breakの代わりにMemory access violationをuncheck

んで、ここまで作っといて、自宅PCのCPUがDEPに対応していないことを知るのだった・・

Immunity Debugger Script: Setting Memory Breakpoints on Execution for DLL

OllyBonE written by Joe Stewart is an excellent tool for semi-automatic unpacking. It allows users setting memory breakpoints on execution in order to find an original entry point in a dynamically-allocated memory section. However, OllyBonE doesn't support the setting at addresses greater than main module (e.g., DLL addresses).
So, I wrote the Immunity Debugger port.

Reserved Address Space in Windows Physical Memory

Memory forensic practitioners know the difference in size between physical memory (raw) image and crash dump image of Windows. For example, if we acquire 256MB RAM, we have the following images.

The reason why the size of crash dump is smaller than raw's one is crash dump generally cannot include memory address space reserved by devices. Specifically, it's the limitation of MmPhysicalMemoryBlock.

On the other hand, raw image seems to contain the reserved space in terms of the size, doesn't it? I tested physical memory acquisition tools with a suspicious look.

Update: Memory Forensic EnScript

I added TCP connection scanning modules for Windows 7/2008.

Update: Timeline EnScript

I improved Timeline EnScript parsing NTFS FileName Attribute timestamps. The new version excludes Internal/Folder entries from the parsing target. If you wanna include the entries, you can use the previous version by renaming Timeline Report.EnScript~.

Download

Memoryze: Missing Connections (Settled)

In my previous article, I said Memoryze missed TCP connections. Now, I've revalidated the fact.

BlackManta for ID1.8

slightly-changed version for Immunity Debugger v1.8

マルウェア解析系書籍を読んでみた

転職してからマルウェア解析をする機会が出てきたので、本を読んで知識を補強。

EnScript: Carving PE Files

I wrote an EnCase EnScript that carves PE format files like .exe and .dll from selected entries (mostly, unallocated clusters of the file system).

Making Filename Attribute Timeline

Honestly, Timeline function of EnCase is impractical. So when I wanna make a timeline, I always use Timeline Report EnScript written by Geoff Black. This EnScript is very nice! I modified it to add NTFS Filename (FN) Attribute timestamps to timeline. Checking FN Attribute timestamps prevents malwares from concealing from timeline analysis by changing Standard Information (SI) Attribute timestamps like Metasploit Timestomp.

Memoryze: Missing Connections

Memoryze is the best memory forensic tool among free softwares without any doubt.

Reading Shellcode Part1

シェルコードを読んでみたが、確実に忘れそうなのでメモ。

CrashDump Analyzer 0.95

クラッシュダンプの解析ツールをアップデート。32bit OSに対応。

PsEntropyPEB Matching Mode

メモリイメージ内の実行ファイルの近似を取ることで、あるホストで実行されているマルウェアが別のホストに感染／実行した場合でも速攻で発見することができる。
まず、既に解析済みのマルウェアのEntropyを計算する。

次に、別のホストを調べる場合、Matching Modeにチェックを付けて先ほど検出したマルウェアのEntropy値を入力して実行する。

結果から、各ホストで実行されている同様のマルウェアを検出できたことが分かる。検出された実行ファイルは別のpackerでpackingされていたがメモリイメージ内なのでその影響を受けずに検出できる。

調べる対象のホストが数十、数百にスケールしても一度イメージを取得すれば瞬時に調べることができる。
HBGaryやFTKなどのリモートからのイメージ取得機能と組み合わせれば、それなりに使えるかな？

「MemoryForensicToolkit_Ver1.83.zip」をダウンロード

EnCase EnScript "Memory Forensic Toolkit" Version 1.82

I've released three modules: PsEntropyPEB, PsEntropyVAD and VadDump for XP 32bit image.

Entropy: Detecting Similar File and Polymorphic Malware

Entropy Near-Match Analyzer is a built-in feature of EnCase Cybersecurity,
but EnCase Forensic users can also use it because the EnScript API has already been unveiled.

TCP connections in Vista/7 memory images

以前の記事でも書いた通り、Vista/7などではTCPTオブジェクトが無くなり、同じやり方では通信の情報（IPアドレス、ポート番号、プロセスID）を取ることができなくなっているので、コネクション情報をhookするドライバを使って関連するデータを探してみた。が、結局みつけられず。

Review: FTK 3.1 Memory Image Analysis

FTK3.1のメモリイメージ解析機能を試してみた。

IDT Hook Detection before Memory Image Acquisition

MoonSols Windows Memory ToolkitにIDTフックを検出する機能が追加されたそうなので、IDTのページフォールトハンドラをフックするコードを書いて確認してみた。

EnCase EnScript "Memory Forensic Toolkit" Version 1.69

Version 1.69 supports Windows Server 2003 R2 on x86 machines.

Download

Note: VadSearch and ConnList do not work on 2003.

Malware Analysis using Responder 2.0

Responder が2.0になってマルウェアの動的解析機能が強化された。

HBGary Responder cannot detect hidden/dead processes!

Unfortunately, HBGary Responder cannot extract hidden processes by rootkits or already-terminated processes.  I tested 2 experiments.