DOCSLIB.ORG

Practical-Malware-Analysis Index.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Practical-Malware-Analysis Index.Pdf INDEX Symbols and Numbers administrator privileges, for malware launchers, 254 ! (bang symbol), 305 Adobe Reader -- operation, 112 CVE-2010-0188 critical % operation, 112 vulnerability, 424 % symbol, 423 overflow in, 705 | (pipe symbol), in Snort, 304 ADS (Alternate Data Streams) ++ operation, 112 010 Editor, 468 feature, 139 32-bit applications, WOW64 and, 448 Advanced Encryption Standard 32-bit rotate-right-additive hash, 418 (AES), 618 64-bit malware, 441–449 decrypting, 625–626 clues to functionality, 448 advapi32.dll, 17 labs, 450–451 imports from, 20, 480, 481 solutions, 723–732 obtaining handle to, 237 advertisements, pop-up, 560–561 A AES (Advanced Encryption Standard), 618 A, at end of Windows function decrypting, 625–626 name, 17 Agobot, 376 absolute addresses, 443 air-gapped networks, 29 vs. relative addresses, in OllyDbg, _alloca_probe function, 522 184–185 alphabetic encoding, shellcode abstraction levels, in x86 disassembly, decoder with, 697 66–67 Alternate Data Streams (ADS) accept function, 143, 144, 454 feature, 139 access token, 246 ALU (arithmetic logic unit), 68 accuracy, vs. expediency, 304 AMD64 architecture, 441 active window, logging, 239 “Analysis of the Intel Pentium’s ADD encoding algorithm, 276 Ability to Support a Secure add instruction, 74, 349 Virtual Machine Monitor” AddCodeXref function (IDC), 342 (Robin and Irvine), 373 address space, loading executable AND logical operator, in x86 into another process’s, 595 architecture, 75 address space layout randomization anti-debugging, 351–366 (ASLR), 184 checks, 656 AddressOfNameOrdinals array, 416 defeating techniques, 660 AddressOfNames array, 416 labs, 367–368 AdjustTokenPrivileges function, 246, solutions, 655–669 247, 454, 730 Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig anti-debugging, continued labs, 381–382 NTGlobalFlag flag, 659–660 solutions, 670–684 PhantOm protection from checks, process replacement, 683–684 658, 659 tweaking settings, 379–380 ProcessHeap flag, 658–659 VMware artifacts, 370–373 timing checks, 665–669 vulnerable instructions, 373–379, GetTickCount function, 668–669 678–679 with QueryPerformanceCounter, No Pill technique, 375 667–668 querying I/O communication rdtsc function, 669 port, 375–377 anti-disassembly, 327–349 Red Pill anti-VM technique, basics, 328–329 374–375 defeating disassembly algorithms, antivirus programs, and kernel 329–334 patching, 227 flow-oriented disassembly, antivirus scanning, 10 331–334 antivirus signatures, scan against, 478 linear disassembly, 329–331 Anubis, 40 false conditional branch, 336, 645, ApateDNS, 51–52, 57, 465, 483, 485 647, 653 malware DNS requests and, 489 labs, 350 APC (asynchronous procedure solutions, 645–655 call), 263 malware awareness of APC injection, 262–265 debugger, 351 AppInit_DLLs, 241–242, 572 manually repaired code, 648–649 for persistence, 575 obscuring flow control, 340–346 applications, access to device adding missing code cross- objects, 206 references in IDA Pro, 342 arguments in malware, OllyDbg to function pointer problem, debug, 532 340–341 arithmetic instruction, 74–76 misusing structured exception arithmetic logic unit (ALU), 68 handlers, 344–346 arithmetic operations return pointer abuse, 342–343 disassembly, 112–113 signs of, 645–646 in WinDbg, 211 techniques, 334–340 arrays, disassembling, 127–128 impossible disassembly, 337–340 arrows window, in IDA Pro, 90 jump instruction with constant The Art of Assembly Language condition, 336 (Hyde), 68 jump instructions with same ASCII strings, 11 target, 334–335 loading on stack, 724–725 NOP-ing out instructions with ASLR (address space layout IDA Pro, 340 randomization), 184 thwarting stack-frame analysis, ASPack, 398 347–349 assembly code, for process anti-virtual machine (anti-VM) tech- replacement, 258 niques, 369–380, 500, 678 assembly language, 67. See also C code finding using strings, 679–683 constructs in assembly highlighting anti-VM in IDA Pro, if statement, 113–114 377–378 for loop, 117 impact on malware analysis, switch statement, 124 673–677 while loop, 118 734 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig assembly-level debuggers, vs. packet structure, 643 source-level, 168 request from initial malware run, asynchronous procedure call 627–628 (APC), 263 sending by malware, 633–634, AT_INFO structure, 547–548 639–640 AttachThreadInput function, 454 string decoding, 636 attackers beep driver, 214 identifying investigative activity, 299 behavior of malware. See malware safely investigating online, 300–302 behavior Autoruns tool, 140, 241, 465–466 BeingDebugged flag, 354, 657–658 checking, 353–354 B Berkeley compatible sockets, 143–144 BFK DNS logger, 302 backdoor, 3, 121, 232–234, 479, BHOs (Browser Helper Objects), 157 519, 538 big-endian, 70 analysis, 537–538 binary data CreateProcess and Sleep functions Base64-encoding conversion, 277 for, 479 static analysis, 503–507 evading detection, 308–311 Binary File option, in IDA Pro, 88 HTTP reverse, 539 binary translation by VMware, in implementing, 524 kernel mode, 373 indications of, 493 bind function, 143, 144, 454 reading configuration file, 723 BinDiff, 466 sandbox and, 41 BinNavi, 466 backup images, of operating BitBlaze, 40 systems, 30 BitBlt function, 454 “Bad or Unknown 32-bit Executable blacklists, of IP addresses, 301 File” error, 363 Blink pointers, 414 bang symbol (!), 305 block cryptography algorithms, 626 base addresses blue screen, in Windows, 158 finding with PEview, 545 Bochs (debugger), 467 of kernel32.dll, finding with Bookmarks plug-in, in OllyDbg, assembly code, 415 199–200 for PE files in Windows, 184 boot.ini file, 207–208, 226 Base64 cipher, 277–280, 622 botnet controller, 234 custom substitution cipher, 280 botnets, 3, 234, 376 identifying and decoding, 278–280 bp command, in WinDbg, 211 Base64 encoding branching, in x86 architecture, 80–81 decoding, 624–625 breakpoints identifying in URL, 611 in debuggers, 171–175 padding, 610, 630 conditional, 175 Python program to decode hardware execution, 174–175 string, 289 software execution, 173–174 static pattern within, 631 deferred, 212–213, 554 base64_encode function, 610 hardware vs. software, 687 basename, 535 for kernel activity, 548 BCDEdit, 227 in OllyDbg, 188–191, 391 beaconing, 309, 611 command-line to set, 199 client-initiated, 311 scanning code for, 357 determining generation, 628–629 and self-decoding, 289 Practical Malware Analysis INDEX 735 © 2012 Michael Sikorski and Andrew Honig breakpoints, continued object-oriented programming, setting, 357 427–432 setting on stack, 690 inheritance and function in WinDbg, 211–212 overriding, 432 bridged network adapter, 34 overloading and mangling, Browser Helper Objects (BHOs), 157 430–431 brute-force XOR encoding, 271–273 this pointer, 428–430 bu command, in WinDbg, 212 objects creation and bu $iment command, in WinDbg, destruction, 437 213, 554 virtual vs. nonvirtual functions, buffer, malware placement of 432–436 value in, 538 Caesar cipher, 270 buffer-overflow attack, 421 call instruction, 119, 333, 386, 409 Burp Suite, 467 and finding OEP, 391–392 Buster Sandbox Analyzer, 473 position dependence, 408 byte array initialization, 680–681 for quick analysis, 521–522 bytecode, 67 with target based on DWORD pointer, 396 C call memory_location, 77 call stack trace, in OllyDbg, 193 C code constructs in assembly, callback type, 136 109–132 calling conventions, x64 architecture arithmetic operations disassembly, 112–113 differences, 443–447 array disassembly, 127–128 CallNextHookEx function, 260, 261, 454 function call conventions, 119–121 Canvas penetration-testing tool, 380 global vs. local variables, 110–112 Capture BAT, 467 capturing events if statements, 113–116 labs, 133–134 network traffic, 580 solutions, 501–513 stopping procmon from, 44 linked list traversal, 130–132 capturing screen, function for, 615 loops, 116–118 CBC (Cipher Block Chaining), 626 for loops, 116–118 cdecl calling convention, 119–120 while loops, 118 cell phone malware, 88 structures, identifying, 128–130 central processing unit (CPU) switch statements, 121–126 threads and, 149 if style for, 122–123, 124 in x86 architecture, 68 jump table, 123–126 CertOpenSystemStore function, 454 C programming language, 110 CF (carry) flag, 72 function pointers in, 340 CFB (Cipher Feedback), 626 main method and offsets, in x86 CFF Explorer, 467 architecture, 83–84 cfile.read command, 293 pseudocode for process chained encoding algorithm, 277 replacement, 258 CheckRemoteDebuggerPresent function, standard library, IDA Pro catalog 352, 454 of named constants, 102 child classes in C++, 432 The C Programming Language functions from parent class, 436 (Kernighan and Ritchie), 110 chunk size, dependency with entropy C++ analysis, 427–438 score, 284 labs, 439–440 Cipher Block Chaining (CBC), 626 solutions, 712–723 Cipher Feedback (CFB), 626 736 INDEX Practical Malware Analysis © 2012 Michael Sikorski and Andrew Honig ciphers, 270–280 check for arguments, 525–529 Base 64, 277–280 encoded, 636 Caesar cipher, 270 option analysis, 535–537 other encoding schemes, 276–277 running malware from, 493 XOR cipher, 271–276 Command Line plug-in, for OllyDbg, cisvc.exe 198–199, 657–658 PEview of original and trojanized launching, 660 versions, 584–585 command processing, and malware writing shellcode into, 583–584 signature, 644 class identifiers (CLSIDs), 155 command shell, thread input to, 636 and COM functionality, 518 comments classes, in object-oriented code, 428 in HTML, 506 classtype keyword, in Snort, 304 command character parsed client
Load more

Recommended publications
  • Cygwin User's Guide
    Cygwin User’s Guide Cygwin User’s Guide ii Copyright © Cygwin authors Permission is granted to make and distribute verbatim copies of this documentation provided the copyright notice and this per- mission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this documentation under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this documentation into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the Free Software Foundation. Cygwin User’s Guide iii Contents 1 Cygwin Overview 1 1.1 What is it? . .1 1.2 Quick Start Guide for those more experienced with Windows . .1 1.3 Quick Start Guide for those more experienced with UNIX . .1 1.4 Are the Cygwin tools free software? . .2 1.5 A brief history of the Cygwin project . .2 1.6 Highlights of Cygwin Functionality . .3 1.6.1 Introduction . .3 1.6.2 Permissions and Security . .3 1.6.3 File Access . .3 1.6.4 Text Mode vs. Binary Mode . .4 1.6.5 ANSI C Library . .4 1.6.6 Process Creation . .5 1.6.6.1 Problems with process creation . .5 1.6.7 Signals . .6 1.6.8 Sockets . .6 1.6.9 Select . .7 1.7 What’s new and what changed in Cygwin . .7 1.7.1 What’s new and what changed in 3.2 .
    [Show full text]
  • Hunting Red Team Activities with Forensic Artifacts
    Hunting Red Team Activities with Forensic Artifacts By Haboob Team 1 [email protected] Table of Contents 1. Introduction .............................................................................................................................................. 5 2. Why Threat Hunting?............................................................................................................................. 5 3. Windows Forensic.................................................................................................................................. 5 4. LAB Environment Demonstration ..................................................................................................... 6 4.1 Red Team ......................................................................................................................................... 6 4.2 Blue Team ........................................................................................................................................ 6 4.3 LAB Overview .................................................................................................................................. 6 5. Scenarios .................................................................................................................................................. 7 5.1 Remote Execution Tool (Psexec) ............................................................................................... 7 5.2 PowerShell Suspicious Commands ......................................................................................
    [Show full text]
  • The Development and Effectiveness of Malware Vaccination
    Master of Science in Engineering: Computer Security June 2020 The Development and Effectiveness of Malware Vaccination : An Experiment Oskar Eliasson Lukas Ädel Faculty of Computing, Blekinge Institute of Technology, 371 79 Karlskrona, Sweden This thesis is submitted to the Faculty of Computing at Blekinge Institute of Technology in partial fulfilment of the requirements for the degree of Master of Science in Engineering: Computer Security. The thesis is equivalent to 20 weeks of full time studies. The authors declare that they are the sole authors of this thesis and that they have not used any sources other than those listed in the bibliography and identified as references. They further declare that they have not submitted this thesis at any other institution to obtain a degree. Contact Information: Author(s): Oskar Eliasson E-mail: [email protected] Lukas Ädel E-mail: [email protected] University advisor: Professor of Computer Engineering, Håkan Grahn Department of Computer Science Faculty of Computing Internet : www.bth.se Blekinge Institute of Technology Phone : +46 455 38 50 00 SE–371 79 Karlskrona, Sweden Fax : +46 455 38 50 57 Abstract Background. The main problem that our master thesis is trying to reduce is mal- ware infection. One method that can be used to accomplish this goal is based on the fact that most malware does not want to get caught by security programs and are actively trying to avoid them. To not get caught malware can check for the existence of security-related programs and artifacts before executing malicious code and depending on what they find, they will evaluate if the computer is worth in- fecting.
    [Show full text]
  • Pro .NET Memory Management for Better Code, Performance, and Scalability
    Pro .NET Memory Management For Better Code, Performance, and Scalability Konrad Kokosa Pro .NET Memory Management Konrad Kokosa Warsaw, Poland ISBN-13 (pbk): 978-1-4842-4026-7 ISBN-13 (electronic): 978-1-4842-4027-4 https://doi.org/10.1007/978-1-4842-4027-4 Library of Congress Control Number: 2018962862 Copyright © 2018 by Konrad Kokosa This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made.
    [Show full text]
  • Deep Dive Into OS Internals with Windbg Malware and OS Internals
    2012 Deep Dive into OS Internals with Windbg Malware and OS Internals An approach towards reversing malwares, shellcodes and other malicious codes to understand the ways in which they use the OS Internals for their functionality. Sudeep Pal Singh Honeywell 1/26/2012 Page 1 Table of Contents Preface ............................................................................................................................................................................ 3 Reversing Windows Internals .......................................................................................................................................... 4 Portable Executable Anatomy ......................................................................................................................................... 5 Data Directories of Interest ............................................................................................................................................. 7 Import Directory .............................................................................................................................................................. 8 Import Address Table .................................................................................................................................................... 12 Export Directory ............................................................................................................................................................ 13 Manual Walkthrough of Export Directory ....................................................................................................................
    [Show full text]
  • Cygwin User's Guide
    Cygwin User’s Guide i Cygwin User’s Guide Cygwin User’s Guide ii Copyright © 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Red Hat, Inc. Permission is granted to make and distribute verbatim copies of this documentation provided the copyright notice and this per- mission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this documentation under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this documentation into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the Free Software Foundation. Cygwin User’s Guide iii Contents 1 Cygwin Overview 1 1.1 What is it? . .1 1.2 Quick Start Guide for those more experienced with Windows . .1 1.3 Quick Start Guide for those more experienced with UNIX . .1 1.4 Are the Cygwin tools free software? . .2 1.5 A brief history of the Cygwin project . .2 1.6 Highlights of Cygwin Functionality . .3 1.6.1 Introduction . .3 1.6.2 Permissions and Security . .3 1.6.3 File Access . .3 1.6.4 Text Mode vs. Binary Mode . .4 1.6.5 ANSI C Library . .5 1.6.6 Process Creation . .5 1.6.6.1 Problems with process creation . .5 1.6.7 Signals . .6 1.6.8 Sockets . .6 1.6.9 Select .
    [Show full text]
  • Sample Content from Debugging Microsoft .NET 2.0 Applications
    Debugging Microsoft®.NET 2.0 Applications John Robbins (Wintellect) To learn more about this book, visit Microsoft Learning at http://www.microsoft.com/MSPress/books/8650.aspx 9780735622029 Publication Date: November 2006 Table of Contents Acknowledgments. .xv Introduction . .xvii Part I The Gestalt of Debugging 1 Bugs: Where They Come From and How You Solve Them . .3 Bugs and Debugging . 3 What Are Bugs? . 4 Process Bugs and Solutions . 8 Planning for Debugging . 17 Prerequisites to Debugging . 18 The Skill Set . 18 Learning the Skill Set . 20 The Debugging Process. 21 Step 1: Duplicate the Bug . 22 Step 2: Describe the Bug . 23 Step 3: Always Assume That the Bug Is Yours . 24 Step 4: Divide and Conquer . 24 Step 5: Think Creatively . 25 Step 6: Utilize Tools . 26 Step 7: Start Heavy Debugging . 27 Step 8: Verify That the Bug Is Fixed . 27 Step 9: Learn and Share. 29 Final Debugging Process Secret. 29 Summary . 30 2 Preparing for Debugging . 31 Track Changes Until You Throw Away the Project. 31 Version Control Systems . 32 Bug Tracking Systems . 36 Choosing the Right Systems for You . 37 Microsoft is interested in hearing your feedback about this publication so we can What do you think of this book? continually improve our books and learning resources for you. To participate in a brief We want to hear from you! online survey, please visit: www.microsoft.com/learning/booksurvey/ ix x Table of Contents Schedule Time for Building Debugging Systems . 38 Build All Builds with Debugging Symbols . 38 Treat Warnings as Errors . 41 Know Where Your Assemblies Load .
    [Show full text]
  • An Encrypted Payload Protocol and Target-Side Scripting Engine
    An Encrypted Payload Protocol and Target-Side Scripting Engine Dino A. Dai Zovi [email protected] Abstract into the remote process and then triggering the vulnera- Modern exploit payloads in commercial and open-source bility (the injection vector) in order to cause the remote penetration testing frameworks have grown much more process to execute the injected code (the payload). Tra- advanced than the traditional shellcode they replaced. ditionally, these payloads have been written in processor- These payloads permit interactive access without launch- specific assembly language, assembled, and extracted by ing a shell, network proxying, and many other rich fea- hand into reusable machine code components. These tures. Available payload frameworks have several lim- payloads were typically small and executed an operating itations, however. They make little use of encryption to system shell, causing them to be commonly referred to secure delivery and communications, especially in earlier as shellcode. Common shellcode variants included func- stage payloads. In addition, their richer features require tionality such as restoring dropped privileges, breaking a constant network connection to the penetration tester, out of chroot environments, and attaching the shell to making them unsuitable against mobile clients, such as an inbound or outbound network connection. This style laptops, PDAs, and smart phones. of payload construction was both labor and skill inten- This work introduces a first-stage exploit payload that sive. is able to securely establish an encrypted channel using With the growth of commercial penetration testing ElGamal key agreement and the RC4 stream cipher. The services and especially commercial penetration test- key agreement implementation requires only modular ing products, exploit payloads have gotten considerably exponentiation and RC4 also lends itself to an implemen- more capable and complex.
    [Show full text]
  • X86 Disassembly Exploring the Relationship Between C, X86 Assembly, and Machine Code
    x86 Disassembly Exploring the relationship between C, x86 Assembly, and Machine Code PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information. PDF generated at: Sat, 07 Sep 2013 05:04:59 UTC Contents Articles Wikibooks:Collections Preface 1 X86 Disassembly/Cover 3 X86 Disassembly/Introduction 3 Tools 5 X86 Disassembly/Assemblers and Compilers 5 X86 Disassembly/Disassemblers and Decompilers 10 X86 Disassembly/Disassembly Examples 18 X86 Disassembly/Analysis Tools 19 Platforms 28 X86 Disassembly/Microsoft Windows 28 X86 Disassembly/Windows Executable Files 33 X86 Disassembly/Linux 48 X86 Disassembly/Linux Executable Files 50 Code Patterns 51 X86 Disassembly/The Stack 51 X86 Disassembly/Functions and Stack Frames 53 X86 Disassembly/Functions and Stack Frame Examples 57 X86 Disassembly/Calling Conventions 58 X86 Disassembly/Calling Convention Examples 64 X86 Disassembly/Branches 74 X86 Disassembly/Branch Examples 83 X86 Disassembly/Loops 87 X86 Disassembly/Loop Examples 92 Data Patterns 95 X86 Disassembly/Variables 95 X86 Disassembly/Variable Examples 101 X86 Disassembly/Data Structures 103 X86 Disassembly/Objects and Classes 108 X86 Disassembly/Floating Point Numbers 112 X86 Disassembly/Floating Point Examples 119 Difficulties 121 X86 Disassembly/Code Optimization 121 X86 Disassembly/Optimization Examples 124 X86 Disassembly/Code Obfuscation 132 X86 Disassembly/Debugger Detectors 137 Resources and Licensing 139 X86 Disassembly/Resources 139 X86 Disassembly/Licensing 141 X86 Disassembly/Manual of Style 141 References Article Sources and Contributors 142 Image Sources, Licenses and Contributors 143 Article Licenses License 144 Wikibooks:Collections Preface 1 Wikibooks:Collections Preface This book was created by volunteers at Wikibooks (http:/ / en.
    [Show full text]
  • What Are Kernel-Mode Rootkits?
    www.it-ebooks.info Hacking Exposed™ Malware & Rootkits Reviews “Accessible but not dumbed-down, this latest addition to the Hacking Exposed series is a stellar example of why this series remains one of the best-selling security franchises out there. System administrators and Average Joe computer users alike need to come to grips with the sophistication and stealth of modern malware, and this book calmly and clearly explains the threat.” —Brian Krebs, Reporter for The Washington Post and author of the Security Fix Blog “A harrowing guide to where the bad guys hide, and how you can find them.” —Dan Kaminsky, Director of Penetration Testing, IOActive, Inc. “The authors tackle malware, a deep and diverse issue in computer security, with common terms and relevant examples. Malware is a cold deadly tool in hacking; the authors address it openly, showing its capabilities with direct technical insight. The result is a good read that moves quickly, filling in the gaps even for the knowledgeable reader.” —Christopher Jordan, VP, Threat Intelligence, McAfee; Principal Investigator to DHS Botnet Research “Remember the end-of-semester review sessions where the instructor would go over everything from the whole term in just enough detail so you would understand all the key points, but also leave you with enough references to dig deeper where you wanted? Hacking Exposed Malware & Rootkits resembles this! A top-notch reference for novices and security professionals alike, this book provides just enough detail to explain the topics being presented, but not too much to dissuade those new to security.” —LTC Ron Dodge, U.S.
    [Show full text]
  • Flare-‐On 4: Challenge 10 Solution – Shell.Php
    Flare-On 4: Challenge 10 Solution – shell.php Challenge Author: Dominik Weber (@Invalid_handle) Summary Modelled after a real-world web shell, this crypto level is a PHP page containing an encrypted HTML stage2 with 3 encrypted JavaScripts. The HTTP POST variable flag is the key. This level is intended to be a two-stage password attack. The first stage gets the MD5 of the password and decrypt stage2, then the second stage derives the flag with a known-plaintext attack. Description: Figure 1 depicts the essential contents of shell.php <?php $o__o_ = base64_decode('<Base64 block omitted>'); $o_o = isset($_POST['o_o']) ? $_POST['o_o'] : ""; $o_o = md5($o_o) . substr(MD5(strrev($o_o)), 0, strlen($o_o)); for ($o___o = 0; $o___o < 2268; $o___o++) { $o__o_[$o___o] = chr((ord($o__o_[$o___o]) ^ ord($o_o[$o___o])) % 256); $o_o .= $o__o_[$o___o]; } if (MD5($o__o_) == '43a141570e0c926e0e3673216a4dd73d') { if (isset($_POST['o_o'])) @setcookie('o_o', $_POST['o_o']); $o___o = create_function('', $o__o_); unset($o_o, $o__o_); $o___o(); } else { echo '<form method="post" action="shell.php"><input type="text" name="o_o" value=" "/><input type="submit" value="&gt;"/></form>'; } ?> Figure 1: Contents of shell.php The HTTP post variable, o_o is the flag for the level. This string is then hashed with MD5 and the textual hash is the first 16 bytes of a decryption XOR key. The remainder of the key bytes is the MD5 of the reverse string array, truncated to password length size. The resulting XOR key is password length dependent and consists of characters 0-9 and a-f. This key decrypts the Base64 blob into a PHP function that gets executed. Looking at the code, we can see that the resulting plain text of this FireEye, Inc., 1440 McCarthy Blvd., Milpitas, CA 95035 | +1 408.321.6300 | +1 877.FIREEYE (347.3393) | [email protected] | www.FireEye.com 1 function has 2268 bytes.
    [Show full text]
  • Journey Into Hunting the Attackers
    Journey into hunting the attackers Asif Matadar 25/08/15 Labs.mwrinfosecurity.com | © MWR Labs Labs.mwrinfosecurity.com | © MWR Labs 1 #whoami • Incident Response Consultant @ MWR InfoSecurity working in the Investigations and Incident Response Practice: • Responding to and containing security incidents with a particular focus on advanced targeted attacks • Digital Investigations • Threat Intelligence • Guide clients through the implementation of Incident Response Procedures • Security Consultant @ MWR InfoSecurity working in the Security Assurance Practice • Previously worked for an ISP working as a Security Systems Engineer responding to security related incidents ranging from: • APT attacks, nation-state attacks, DDoS, phishing scams and web defacements to name a few • Worked primarily with complex *NIX systems • Degree in BSc (Hons) Forensic Computing Labs.mwrinfosecurity.com | © MWR Labs 2 Introduction An attacker can use a number of tools and techniques to retrieve the credentials without triggering Anti-Virus programs, these include built-in Windows Operating System commands or popular attacker tools. A number of scenarios were conducted to determine the artefacts on the File System along with Memory Analysis to identify malicious activity to aid an Investigator during an incident. A technique that was not explored was copying mimikatz over to the victim’s machine as it would’ve been triggered by Anti-Virus programs. An attacker can compile their own to get around that but the objective of this research was to use legitimate tools and built-in Operating System commands for malicious intent. Labs.mwrinfosecurity.com | © MWR Labs 3 1. Procdump on victim’s machine and run mimikatz remotely from attacker machine Scenario An attacker can use this legitimate program for malicious intent without the use of a remote shell.
    [Show full text]