This weblog tells the story of my software development and anything related to computer security.

Unpacking AutoIt Script

by Kamil Alta | Friday, January 08, 2010 | comments (1)

AutoIt is a BASIC-like scripting language whose compiler bundles the script together with its interpreter into a single self-contained executable, which by default is compressed with UPX. Virus writers have also used it to build malicious programs that spread across networks and removable storage.

Here I show a sample that somebody sent to me. Most antivirus products already detect it as W32/Almanahe.B. It seems this virus is still in the wild in some countries. OK, let's focus on the topic. In this tutorial, let's assume that you already have a sample of an application or a piece of malware compiled with AutoIt.

How do we know that it is an AutoIt file?
It's pretty simple to detect this kind of file. Open the sample in a plain editor such as Notepad.exe and search for the string 'AU3!EA' (in practice it is followed by a two-digit format tag, e.g. 'AU3!EA06'). The hit is near the bottom of the file, followed by what looks like garbage: that blob is the compressed and encrypted AutoIt script we want to recover. Crude, but fast.


The tools we need for this (static) extraction:
1. PEiD
2. myAutToExe.exe

All you need to do is download the two tools above. Run PEiD and load your AutoIt sample into it. You will see something similar to the picture below:

I use the sample that was sent to me. PEiD shows some basic information and says it was compiled with Microsoft Visual C++ 7.0. That is expected: PEiD is identifying the AutoIt interpreter stub, which is a C++ program; the script itself is only data carried inside that stub, so the compiler or packer signature tells you nothing about the script.

Next, run myAutToExe.exe and drag and drop your sample into the top text box. It automatically starts analysing the file and extracting the script.

After it finishes it looks like the picture above. Everything it recovers is saved to disk: a log, the source code and the resource files.

There it is: a short file with the source code of the malware (or program). The source is saved with a .au3 extension and can be viewed in any text editor. From this point we can analyse the malware by reading its script instead of disassembling the interpreter stub.

Here is a screenshot of the source code we now have. It seems this person tried to expose themselves by putting their own information into the source code. LoL.

Since a recovered AutoIt script is readable by anyone, some AutoIt malware I have found is obfuscated to stop an analyst from easily tracing the code. I'll explain that type in the next blog post...

Malware Playground

by Kamil Alta | Sunday, November 29, 2009 | comments (0)


Around 3 months ago I started developing a sandbox tool to make it easy to analyse any malware sample and generate at least basic information from it. I named it Malware Playground, since it works by 'playing' with almost any Windows program inside it. It sounds funny, like a kid playing with a knife while wearing a shield. The program itself was developed in Microsoft Visual Basic 6 and works together with more than 20 other programs.



At this moment the program includes the features required for basic malware analysis. Here are some of them:
+ Save the report in text and HTML format.
+ Analysis can be started at your own choice: for example, you can dump process memory only instead of running every function (Registry, Dump, Handle, String, Port, Files and Folders, AV alias and so on).
+ Works on Windows (inside VMware or Virtual PC).
+ Works together with Sandboxie.
+ Drag and drop, with a warning before analysis starts.



Malware Playground is still in development and some advanced features remain in progress. Here is the list of features currently in development:
+ Network activity
+ Process activity
+ Smart suggestion and recommendation technology.
+ More AV alias detection
+ Security Risk Level parameter.
+ An official website for useful information and services.
+ Integration with a web interface that lets users upload their malware samples.
+ Save all known threat objects into a database.
+ Map the origin location of each piece of malware and visualise it on a global map.

While this tool is still in progress I am unable to provide a fully compiled program to test, but you can leave a comment and suggest more features.

Interesting about W32.Virut variant

by Kamil Alta | Wednesday, September 09, 2009

Over the last 2 months I have been continuously reading about and reverse engineering the well known virus called W32.Virut (not to be confused with W32.Sality, a different polymorphic file infector that is often mentioned alongside it). This is not a new virus; it has been detected since around 2006. In the last 2 months I have received more than 20 reports from friends around Malaysia about this virus infecting their labs and PCs.

W32.Virut is a parasitic, polymorphic file infector with backdoor capabilities. Once executed it injects its code into the winlogon.exe process and creates a new thread there; depending on the variant, other versions inject into smss.exe or csrss.exe instead. It infects EXE and SCR files by appending its body to the last section of the host file and redirecting the entry point to the viral code, so every run of an infected file executes the virus first and only then passes control to the host program. W32.Virut refuses to run inside virtual machines such as VMware or Virtual PC, which makes tracing its presence, threads and processes harder. Its polymorphism also makes my sandbox produce inaccurate results, so manual analysis is needed.

Picture 1 shows strings inside W32.Virut that reveal its jobs: adding itself to the Windows Firewall authorized applications list, disabling System File Protection, modifying the HOSTS file and contacting an external server address, as well as the Windows API names it resolves from Windows DLLs.

W32.Virut has already spawned a few hundred variants from its polymorphic engine, which makes it hard to detect with simple static hash-based detection.
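Two of the observations above are cheap to check without PEiD or a debugger: the 'AU3!EA' marker from the Unpacking AutoIt Script post (plus the UPX0/UPX1 sections of the UPX-packed AutoIt stub), and the entry point landing in the last section, which is the footprint of an appending infector like W32.Virut. The script below is an added example written for this page, not PEiD, myAutToExe or any vendor code; its sample images are constructed header-only stand-ins, not real malware.

```python
"""PE triage: AutoIt3 script marker, UPX section names, and an entry point
in the LAST section (appending-infector footprint).  Added example for this
page, not code from the posts or the tools they mention.  Sample images
are constructed header-only stand-ins, not real malware."""
import struct
import sys

AUTOIT_MARKER = b"AU3!EA"   # followed by a two-digit format tag, e.g. "06"


def find_autoit_markers(data: bytes) -> list:
    """Every (offset, format_tag) occurrence of the compiled-script marker."""
    hits, pos = [], data.find(AUTOIT_MARKER)
    while pos != -1:
        tag = data[pos + 6:pos + 8].decode("ascii", "replace")
        hits.append((pos, tag))
        pos = data.find(AUTOIT_MARKER, pos + 1)
    return hits


def parse_pe(data: bytes):
    """Minimal PE walk: (AddressOfEntryPoint, [(name, rva, vsize), ...]),
    or None when the buffer has no MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40                        # 40-byte section headers
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva = struct.unpack_from("<II", data, off + 8)
        sections.append((name, rva, vsize))
    return entry, sections


def triage(data: bytes) -> dict:
    """Indicators a first look should report before reaching for a debugger."""
    result = {"is_pe": False, "sections": [], "upx_sections": False,
              "entry_in_last_section": False,
              "autoit_markers": find_autoit_markers(data)}
    parsed = parse_pe(data)
    if parsed is None:
        return result
    entry, sections = parsed
    result["is_pe"] = True
    result["sections"] = [name for name, _, _ in sections]
    result["upx_sections"] = any(n.startswith("UPX") for n in result["sections"])
    if sections:
        _, rva, vsize = sections[-1]
        # An appending infector glues its body onto the last section and
        # repoints the entry there.  Packers can look the same (UPX enters
        # UPX1, which is the last section when there is no .rsrc), so a hit
        # means "look closer", not "infected".
        result["entry_in_last_section"] = rva <= entry < rva + max(vsize, 1)
    return result


def build_sample(section_names, entry_rva, overlay=b"") -> bytes:
    """Constructed header-only PE (not loadable), one section per 0x1000 of RVA."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                    0, 0, 0, len(opt), 0x102)
    secs = b"".join(name.ljust(8, b"\0") + struct.pack("<II", 0x1000, 0x1000 * (i + 1))
                    + b"\0" * 24 for i, name in enumerate(section_names))
    return dos + coff + opt + secs + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:   # constructed AutoIt-like stub: UPX sections, marker in the overlay
        blob = build_sample([b"UPX0", b"UPX1", b".rsrc"], 0x2010,
                            b"\0" * 16 + b"AU3!EA06" + b"\x01\x02")
    for key, value in triage(blob).items():
        print(f"{key:22} {value}")
```

Run it as `python triage.py sample.exe`; with no argument it triages the constructed AutoIt-like stub. The last-section heuristic deliberately errs toward noise: a UPX-packed binary without a resource section trips it too, which is exactly when you want to look closer anyway.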



Solution: Repair & Cleaning

There are many tools out there for quickly repairing infected files. One of the best is AVG's Win32/Virut Removal tool, which is free to download and use. Because the virus lives inside winlogon.exe while Windows is running, run the cleaner from a clean boot environment, verify the repaired executables afterwards, and replace from a known-good source any file the infector damaged beyond repair.

RCE - W32/Autorun.82944

by Kamil Alta | Saturday, June 06, 2009 | comments (2)


A few days ago I discovered a virus that spreads using a commonly known medium, the USB flash disk. This virus seems much like other malware; it is compressed with the PECompact utility. The worm itself was written in Microsoft Visual Basic 6.0. It is commonly known as W32/Autorun.worm!n (McAfee), TR/Crypt.PEPM.Gen (Avira) and Win32.Worm.VB.NXY (BitDefender).

File Information

File Name: various
Size: 82,944 Bytes
Type: Worm (USB autorun)
Static File (non-polymorphic): Yes
MD5 Checksum: 22b52c23e6dd2809733e011a8eedab03


File Name / Process File Name

This worm commonly uses several file names to disguise itself as a folder. Here are some of the file names used by this malware:

1. romantic.exe
2. forever.exe
3. System Volume Information.exe
4. love.exe
5. task.exe
6. userinit.exe
7. system.exe
8. autorun.inf


There are 2 common process names used by this worm:
1. userinit.exe
2. system.exe

Startup / Registry Alteration

The worm alters the Windows registry so that it is started every time Windows loads.

Key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=c:\windows\userinit.exe

The legitimate Userinit value points at %SystemRoot%\system32\userinit.exe; the worm's copy sits one directory up, in c:\windows, so Winlogon runs the worm at every logon. When cleaning, restore the original value rather than deleting it: with an empty Userinit the user is logged straight back out.

Other modified registry keys are:
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoDriveTypeAutoRun"
"NoDriveAutoRun"
(the per-user autorun policy; a NoDriveTypeAutoRun of 0xFF disables autorun on every drive type)

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt"
"ShowSuperHidden"
"Hidden"
(whether Explorer shows file extensions and hidden/system files, which is what lets a file named like a folder pass for one)

Payload

The worm overwrites %systemroot%\system32\drivers\etc\hosts and points every domain it wants to block at localhost (127.0.0.1). Most of the entries are computer security websites, including antivirus, firewall and download sites.

The worm also contains some DDoS code that sends random packets to a target.
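The registry changes and the HOSTS overwrite described above can be verified offline from a `reg export` of the keys in question and a copy of the hosts file. The checker below is an added example written for this page, not the worm's code and not a vendor tool. The values it treats as suspicious (a Userinit entry outside %SystemRoot%\system32, autorun still enabled for removable drives, Explorer set to hide extensions and hidden/system files, any non-localhost name pointed at 127.0.0.1 or 0.0.0.0) are this checker's assumptions about the worm's typical settings; the post names the values but not what the worm writes into them. The sample export and hosts text inside are constructed.

```python
r"""Offline checks for the Userinit hijack, autorun/Explorer settings and
HOSTS tampering described above.  Added example for this page, not the
worm's code and not a vendor tool.  Input: the text of `reg export` for the
listed keys, and a copy of %SystemRoot%\system32\drivers\etc\hosts."""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
DRIVE_REMOVABLE = 0x04   # NoDriveTypeAutoRun bit that switches autorun off for USB sticks
# Explorer settings that keep "folder.exe" looking like a folder.  Checker
# assumption: the post lists these values but not what the worm writes.
HIDE_EVERYTHING = {"HideFileExt": 1, "ShowSuperHidden": 0, "Hidden": 2}


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key: {name: data}}.  Handles REG_SZ and
    REG_DWORD, which is all these checks need; other types stay raw."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key and line.startswith(('"', "@")) and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                tree[key][name] = int(data[6:], 16)
            else:   # REG_SZ: strip quotes and undo the \" and \\ escapes
                tree[key][name] = data.strip('"').replace('\\"', '"').replace("\\\\", "\\")
    return tree


def check_registry(tree: dict) -> list:
    """Human-readable findings for the three keys the worm touches."""
    findings = []
    userinit = tree.get(WINLOGON, {}).get("Userinit", "")
    for entry in filter(None, (e.strip() for e in userinit.split(","))):
        # The genuine loader lives in %SystemRoot%\system32; anything else in
        # this list runs at every logon, which is the worm's foothold.
        if not entry.lower().endswith(r"\system32\userinit.exe"):
            findings.append(f"Winlogon\\Userinit runs a foreign binary: {entry}")
    autorun = tree.get(POLICIES, {}).get("NoDriveTypeAutoRun")
    if autorun is not None and not autorun & DRIVE_REMOVABLE:
        findings.append(f"NoDriveTypeAutoRun=0x{autorun:02X}: autorun still enabled "
                        "on removable drives (0xFF disables it everywhere)")
    advanced = tree.get(ADVANCED, {})
    for name, bad in HIDE_EVERYTHING.items():
        if advanced.get(name) == bad:
            findings.append(f"Explorer\\Advanced\\{name}={bad}: hides files/extensions")
    return findings


def check_hosts(text: str) -> list:
    """Hostnames the HOSTS file sinkholes to localhost, minus the real one."""
    sinkholed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("127.0.0.1", "0.0.0.0", "::1"):
            sinkholed += [n for n in names if n.lower() != "localhost"]
    return sinkholed


# Constructed sample input: what an infected box's export might look like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002
'''
SAMPLE_HOSTS = """# constructed hosts file with sinkhole entries
127.0.0.1       localhost
127.0.0.1       www.example-av.test update.example-av.test
0.0.0.0         download.example.test
"""

if __name__ == "__main__":
    for finding in check_registry(parse_reg_export(SAMPLE_REG)):
        print("REG  ", finding)
    for host in check_hosts(SAMPLE_HOSTS):
        print("HOSTS", host, "-> localhost")
```

Feed it `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` output (and the two HKCU keys) from the suspect machine; the Userinit check is the one worth automating on every host, since that value is rarely anything but the system32 path.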

Programming

This virus was created by someone new to programming, especially Visual Basic 6. Looking at the code, it uses many timers to drive its malicious functions, which makes the worm unstable and burns a lot of CPU.

Other Analysis:

Here are some strings extracted from the compiled executable.
Download here

Other analysis:
Analysis from VirusTotal

VDEF updates for Portable Antivirus are available to download.

Extract AutoIt Script

by Kamil Alta | Thursday, September 25, 2008 | comments (0)

This is quite an old technique for extracting an AutoIt script from compiled EXE files, especially malware. You can refer to the tutorial in the video I uploaded to YouTube.

Extract AutoIt Script Video Tutorial



Actually this extraction method depends on the AutoIt version. Currently this tutorial shows how to extract from an EXE built with AutoIt version 3.2.2.0. Other versions will be covered soon.

AT4RE FastScanner

by Kamil Alta | Thursday, September 22, 2005 | comments (0)

AT4RE FastScanner is a packer, PE info, compiler and cryptor detector with plug-in capabilities. It works like other packer detectors and gives users an alternative to them.





An example showing a PE file being analysed, with all the basic information displayed.


Shows the PE sections with all available offsets.


The disassembler is another advantage, letting the user analyse the file and find useful instructions.


AT4RE FastScanner can be downloaded from:
Here

PROTECTiON iD

by Kamil Alta | Wednesday, September 21, 2005 | comments (0)

Another small tool with great features. When I downloaded the latest version the interface had changed and may be a little confusing to a new user, but again this great tool comes with special features.



Features

- detection of every major PC ISO Game / App protection
- sector scanning of CDs / DVDs for copy protections
- covers more than 430 (different!) protections including exe protectors, .net protectors, packers, dongles, licenses & installers
- files / folders can simply be dragged & dropped into PiD (link files will be resolved too)
- strong scanning routines allowing it to detect multiple protections in one file
- easy scanning via shell context menu
- useful misc tools included
- coded 100% in Win32 assembly language
- fully 32bit & 64bit compliant
- working on every Windows OS from Win9x to Windows Vista
- no additional files are required (like VB Runtimes, MSVC dlls or ASPI drivers)


PROTECTION ID can be downloaded from:
Here

ExeInfo PE

by Kamil Alta | Tuesday, September 21, 2004 | comments (0)

ExeInfo PE shares some features with PEiD but adds extra functions that make information easier and faster to get at, such as the ones shown below.





The main interface is very similar to PEiD but with some great extra functionality.


With the Rip button all resources can be extracted at once and saved into the current directory.


From the Tools menu the user can get a lot of information about the PE file, such as registry keys, the OEP and the resource section (which can be saved), plus an XOR permutator for quickly decoding simple string obfuscation such as single-byte XOR or ROT13, and much more.


The File menu offers multiple options for acting on the analysed file. WYSIWYG.


EXEInfo PE can be downloaded from:
http://www.exeinfo.xwp.pl

PEiD - PE Identifier

by Kamil Alta | Tuesday, September 21, 2004 | comments (0)

This small tool has big features for those who want to extract information from PE files.



PEiD have its own special features:
1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best given by any other identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers
11. New built in quick disassembler.
12. New built in hex viewer.
13. External signature interface which can be updated by the user.

Well, I have used it for a long time and it is a great, fast tool for getting PE information without needing to install anything.

PEiD can be downloaded from here:
http://www.peid.info

Explorer Suite

by Kamil Alta | Sunday, September 19, 2004 | comments (0)

This is one of the most advanced freeware tool suites for reverse code engineering. Created by Daniel Pistelli, it is a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64: special field descriptions and modification (.NET supported), utilities, a rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker and so on. It was the first PE editor with support for .NET internal structures, and its resource editor (Windows Vista icons supported) can handle .NET manifest resources. The suite is available for x86, x64 and Itanium.

- Explorer Suite (Multi-Platform Version, Recommended)
- Explorer Suite (x86 Version)
- CFF Explorer (x86 Version, stand-alone, Zip Archive)

- CFF Explorer Extensions Repository 





CFF Explorer was designed to make PE editing as easy as possible without losing sight of the portable executable's internal structure. It includes a series of tools that help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.



Features:

  • Process Viewer
  • Windows Viewer
  • PE and Memory Dumper
  • Full support for PE32/64
  • Special fields description and modification (.NET supported)
  • PE Utilities
  • PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
  • View and modification of .NET internal structures
  • Resource Editor (full support for Windows Vista icons)
  • Support in the Resource Editor for .NET resources (dumpable as well)
  • Hex Editor
  • Import Adder
  • PE integrity checks
  • Extension support
  • Visual Studio Extensions Wizard
  • Powerful scripting language
  • Dependency Walker
  • Quick Disassembler (x86, x64, MSIL)
  • Name Unmangler
  • File Scanner
  • Directory Scanner
  • Deep Scan method
  • Recursive Scan method
  • Multiple results
  • Report generation
  • Signatures Manager
  • Signatures Updater
  • Signatures Collisions Checker
  • Signatures Retriever

TrID - File Identifier

by Kamil Alta | Sunday, September 19, 2004 | comments (0)

TrID is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard-coded rules, TrID has no such rules. Instead, it is extensible and can be trained to recognise new formats in a fast and automatic way.
TrID has many uses: identify what kind of file was sent to you via e-mail, aid in forensic analysis, support in file recovery, etc.
TrID uses a database of definitions which describe recurring patterns for supported file types. As this is subject to very frequent update, it's made available as a separate package. Just download both TrID and this archive and unpack in the same folder.

The database of definitions is constantly expanding; the more that are available, the more accurate an analysis of an unknown file can be. You can help! Use the program to both recognize unknown file types and develop new definitions that can be added to the library. See the TrIDScan page for information about how you can help. Just run the TrIDScan module against a number of files of a given type. The program will do the rest.
Because TrID uses an expandable database it will never be out of date. As new file types become available you can run the scan module against them and help keep the program up to date. Other people around the world will be doing the same thing making the database a dynamic and living thing. If you have special file formats that only you use, you can also add them to your local database, making their identification easier.
To get you started, the current library of definitions is up to 3833 file types and growing fast.
TrID is simple to use. Just run TrID and point it to the file to be analyzed. The file will be read and compared with the definitions in the database. Results are presented in order of highest probability.
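TrID's trainable definitions, shown in miniature as an added Python example written for this page (it is not TrID's own code or database, and the training 'files' are constructed header bytes): learn the fixed bytes of a format from a few samples of it, so that variable fields such as image sizes drop out of the definition, then rank an unknown file against every learned definition.

```python
"""The TrID idea in miniature: no hand-written magic table.  A definition is
learned from a few files of one type (the byte positions that agree across
all of them), and an unknown file is ranked by how many of each definition's
fixed bytes it carries.  Added example for this page; not TrID's code or
database.  The sample 'files' below are constructed headers."""


def learn_definition(samples, max_len=64) -> dict:
    """{offset: byte} for every position identical in all samples, i.e. the
    format's fixed signature; varying fields (sizes, timestamps) drop out."""
    if not samples:
        raise ValueError("need at least one sample")
    n = min(max_len, min(len(s) for s in samples))
    first = samples[0]
    return {i: first[i] for i in range(n) if all(s[i] == first[i] for s in samples)}


def identify(data: bytes, definitions: dict) -> list:
    """[(score, name)] best first; score = share of a definition's fixed
    bytes that are present at their offsets in `data`."""
    ranked = []
    for name, fixed in definitions.items():
        hits = sum(1 for off, b in fixed.items() if off < len(data) and data[off] == b)
        ranked.append((hits / len(fixed), name))
    return sorted(ranked, reverse=True)


# Constructed training sets: real-looking headers whose size fields vary,
# so only the true magic/structure bytes survive learning.
GIF_SAMPLES = [b"GIF89a" + bytes([w, 0, h, 0]) + b"\xf7\x00\x00" + bytes(range(k, k + 20))
               for w, h, k in ((10, 10, 1), (200, 5, 7), (64, 64, 40))]
PNG_SAMPLES = [b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + bytes(range(k, k + 24))
               for k in (3, 50, 90)]

DEFINITIONS = {"GIF image": learn_definition(GIF_SAMPLES),
               "PNG image": learn_definition(PNG_SAMPLES)}

if __name__ == "__main__":
    unknown = b"GIF89a\x05\x00\x05\x00\xf7\x00\x00" + b"\xff" * 10   # constructed
    for score, name in identify(unknown, DEFINITIONS):
        print(f"{score:6.1%}  {name}")
```

The ranking is deliberately a fraction rather than a yes/no: a partially overwritten or truncated header still scores highest against the right definition, which is the behaviour you want in forensic recovery, and a low top score is your cue that no definition fits.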




For more information and download click here.

OllyDump for OllyDebugger

by Kamil Alta | Sunday, September 19, 2004 | comments (0)

OllyDump is one of the better-known memory dumping tools and is easy to use as an OllyDbg plugin. Once the process is being debugged at runtime it automatically reads the PE section table from memory. It does not, however, reliably find the OEP of a packed file for you: its 'Find OEP by Section Hop' option only works with simple packers, so in general you still find the OEP manually and type that address into the OllyDump window. The picture below shows how the plugin dumps a UPX-packed file.



Simply enter the OEP you found in the Modify box and hit Dump to save the dumped file. You can edit the listed sections for your own purposes. Leave 'Rebuild Import' enabled, or fix the imports afterwards with an import reconstructor, otherwise the dump will not run. This is easier than highlighting all the debugged code and choosing 'Follow in Dump > Selection', which sometimes does not produce an accurate result.

You can find OllyDump here or here.

LordPE Deluxe

by Kamil Alta | Sunday, September 19, 2004 | comments (0)


LordPE Deluxe has been one of the greatest tools for dumping processes from memory for a long time. It was developed by yoda. Here is what this tool can do:

+ Dump process from memory and save as file.
+ Dump process module
+ Get Basic information about PE header.
+ Rebuild any PE file (realign, wipe relocation, rebuild import table, etc)



The author's website was at http://y0da.cjb.net but I guess it no longer exists. You can try to get it from here.



