Friday, December 28, 2012

Malware Analysis #1 Protip

As someone who does malware analysis and reversing, one of the first things I do to get some quick intel on a sample is run it past a virus scanning service. Specifically, I use VirusTotal (VT). A lot of people are already familiar with VT and use it. If you are not, VT is an aggregation of antivirus engines: anyone can submit a sample online and get back a report of which engine detected it under which signature. VT has many practical uses within information security, and there are two ways to ask it about a file: you can upload the file, or you can search by the file's hash (MD5, SHA-1 or SHA-256). VT also has two features that are more to the point of this post. It has a public API that lets anyone automate submissions and lookups, and a database that archives every submission and records its results. That database is what makes the hash search possible: a hash search only returns a hit for a file that somebody has already uploaded.

One of the biggest mistakes I see people make when using VT as a malware analysis tool is uploading the sample at all. Below is a screenshot of a sample submitted to VT. Notice the last data point, the 'Analysis date':

This date shows when the sample was analyzed. This is a big deal, because if you can see that date, then so can the bad guy who sent you the malware! For a while I've explained this to people but haven't been able to prove it, until I saw a tweet from @mubix today in which he released a Ruby script called VT-Notify that does exactly this. The script runs in a loop that periodically checks VT for the file's hash and reports back via a log or email once the file turns up. That is not just "detected by A/V in general", it is "noticed by your target": a file only appears in VT after someone suspicious enough to upload it did so. One caveat: submissions also arrive from automated feeds and gateways, so from the attacker's side "it's on VT" means "it has been noticed" rather than "an analyst has it", but the conclusion for you is the same, since the first upload timestamps the discovery.

Since VT is usually my first stop when performing malware analysis, if I upload the file and it tips off the bad guy, then by the time I actually get to reversing the malware and understanding its purpose, the bad guy could easily have packed up shop, crafted a new payload and re-engaged me.

Without further ado, the #1 Malware Analysis Protip is: STOP uploading your files to VT. Start with a hash search. A hash lookup never transmits the file, so it creates no new 'Analysis date' for anyone to watch. If nothing is found, chances are it is custom malware targeted at just a few people; handle with care and keep it off public services. The longer the attacker thinks their payload is undetected, the longer they will keep using it, and the more time you have!
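The hash-first workflow above, as an added example (this is not the post's code and not VT-Notify): hash the sample locally and ask VT's public API about the hash only, never uploading the file. It assumes the v2 `file/report` endpoint with `resource` and `apikey` query parameters and the v2 response fields (`response_code`, `positives`, `total`, `scan_date`); the report-parsing logic takes a plain dict so it can be exercised offline.

```python
"""Hash-only VirusTotal lookup: query by hash, never upload the sample (added example)."""
import hashlib
import json
import sys
import urllib.parse
import urllib.request

# Assumed: the v2 endpoint and parameter names that existed when this post was written.
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the sample; VT accepts any of them as a 'resource'."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def summarize_report(report: dict) -> dict:
    """Reduce a v2 file/report JSON object to what matters for triage.

    response_code  0 -> VT has never seen this hash: nothing was uploaded, so there is
                        no 'Analysis date' for the attacker to watch. Treat as targeted.
    response_code  1 -> known sample; positives/total and scan_date are present.
    response_code -2 -> queued, which only happens after somebody uploaded it.
    """
    code = report.get("response_code")
    if code == 1:
        positives = int(report.get("positives", 0))
        total = int(report.get("total", 0))
        return {"known": True, "ratio": f"{positives}/{total}",
                "scan_date": report.get("scan_date"),
                "verdict": "detected" if positives else "undetected"}
    if code == -2:
        return {"known": True, "ratio": None, "scan_date": None, "verdict": "queued"}
    return {"known": False, "ratio": None, "scan_date": None, "verdict": "never seen"}


def lookup_hash(resource: str, api_key: str, opener=urllib.request.urlopen) -> dict:
    """GET file/report for a hash (never the file) and return the parsed JSON.

    `opener` is injectable so the call can be stubbed offline. The public API key is
    rate limited, so pace the loop if you batch many hashes.
    """
    query = urllib.parse.urlencode({"resource": resource, "apikey": api_key})
    with opener(VT_REPORT_URL + "?" + query) as resp:
        return json.load(resp)


def triage(data: bytes, api_key: str, opener=urllib.request.urlopen) -> dict:
    """Hash the sample locally and look it up by SHA-256 only."""
    hashes = file_hashes(data)
    result = summarize_report(lookup_hash(hashes["sha256"], api_key, opener))
    result["sha256"] = hashes["sha256"]
    return result


if __name__ == "__main__":
    # usage: python vt_hash_lookup.py <sample> <api key>
    with open(sys.argv[1], "rb") as fh:
        print(json.dumps(triage(fh.read(), sys.argv[2]), indent=2))
```

A "never seen" result is the interesting one: it tells you nobody has uploaded this file yet, and it is your cue to keep it that way while you reverse it.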

I hope this helps anyone beginning their journey into malware analysis, or anyone who now realizes how much they are tipping their hand by submitting those files. Also, a big thanks to @mubix for creating a well-written script that showcases this problem. Mubix makes the point that the script can also be used in do-good fashion, for example to monitor the hashes of files in critical directories. Definitely take some time to check it out.

Thursday, June 7, 2012

Nuclear Pineapple

Okay, maybe we aren't hooking a nuclear power plant up to our little 5 volt WiFi router, but we are damn well coming close!

So the WiFi Pineapple is this awesome little device that the fellows over at the Hak5 shop (@hakshop) sell to assist in wireless pen-testing. You can read more about the Pineapple on their site and pick one up for yourself for only $99.

However, while using the Pineapple I was going through batteries in my little 4 x AA battery pack like crazy. So I started searching for a USB battery pack and came across this: New Trent iGeek IMP99D 9900mAh External Battery Pack for $62.

From there I just needed a USB-to-barrel adapter cable and I was good to go. I picked one up for $5: USB2TYPEM 3 Feet USB to Type M Barrel 5V DC Power Cable. This cable goes from a USB connector to a 2.1mm ID / 5.5mm OD barrel plug, center positive (this is important: a reversed-polarity adapter can damage the device, so check the polarity marking on the jack before plugging it in).

I did a trial of this setup and have had it running for over 3 days and counting. This is perfect for long engagements like Rick Rolling a college, or whatever other dastardly deed you can come up with. The best part is that for a rough investment of $70, I never have to buy AA batteries again!

Wednesday, May 23, 2012

Update to MESMER (MEmoryze String MappER)

MESMER is a tool I wrote a few weeks ago. Since then I've used it in every forensic investigation that involved memory analysis. When I first wrote the tool, I was still learning the SQLite database schema that Memoryze creates, which is why I wrote a disclaimer. I am now confident that my process returns exactly the same data you would get by going through the results in the AuditViewer GUI.

Anyhow, using this tool so often, I started to get frustrated and want more information on the PID itself. I just updated the code on GitHub to offer more details on the PID.

Below is a screenshot from a case I'm working on with the new version. Let me know what you think and whether there is a feature you want me to add. I think I'm going to put in a flag for IP addresses next.

Screenshot: searching av.db for "devil1"

Friday, May 11, 2012

Inline passive network tapping on a budget.

Recently I've needed to sit between a host and its network connection to watch its traffic, because I wasn't able to touch the host itself. I ran into quite a few challenges doing this and was surprised that many people who use taps don't actually understand how to use them.

For the most part there are two types of taps, active and passive. An active tap is powered and regenerates the signal, so the traffic passes through electronics rather than a wire splice; that is the class of device where altering traffic in real time becomes possible, which is great for MITM (man in the middle). A passive tap gives you just a copy of the signal, and you cannot modify anything. Vendors also use a bunch of other names like breakout, aggregating, etc. I will only be discussing passive taps, not active ones.

Things you will need:
  • A Physical network tap.
  • A Linux computer (I used Debian 6.0.4 i386)
  • At LEAST 2 network cards for the tap (3 if you want a management network, since the two capture NICs get no IP address)

For passive taps there are a lot of options. The thing that determines how much you will pay is whether you want 10/100 or gigabit.

Gigabit requires power: 1000BASE-T signals in both directions on all four pairs, so a copy cannot be pulled off with a simple wire split, and the powered devices run around the $1,000 mark, like this one by Black Box:

If you don't mind dropping the connection down to 10/100, Michael Ossmann (@michaelossmann) created the Throwing Star LAN Tap, which you can buy for $14.99 from the awesome folks at Hak5:

He has also recently created the PRO version, which at $39.99 adds polish and durability but is essentially the same:

It is important to note that Mike has installed two capacitors on his taps that force the hosts to negotiate down to 10/100. This isn't a horrible thing unless you're trying to monitor high-speed traffic that actually needs gigabit throughput; it also means the capture box only has to keep up with a 100 Mbit link.

No matter which tap you bought, it has 4 ports. Looking at the graphic below, two ports pass the link straight through from the monitored host to the rest of the network. The other two are monitor ports that go into the Linux box, and each carries only one direction of the conversation: one sees what the host transmits, the other what it receives.

Figure: Basic Wiring of a Passive Network Tap

Each monitor port only tells half the story, so a single capture interface would show you just one side of every conversation. This is where our Linux box comes in: it aggregates the two interfaces (this is the reason for the two free NICs) into what's called a bonded interface, so both directions show up on one virtual interface.

To setup our Debian Linux box, I used the stock distro and added the following:

    sudo apt-get install ifenslave

I then wrote a bash script to do the following for me, but you can just type the commands in one at a time:

    #!/bin/bash
    set -e                              # stop at the first command that fails
    sudo modprobe bonding               # creates bond0; the default (round-robin) mode is right for capture
    sudo ifconfig eth0 promisc up       # the two NICs cabled to the tap's monitor ports:
    sudo ifconfig eth1 promisc up       # no IP addresses, just up and promiscuous
    sudo ifconfig bond0 promisc up
    sudo ifenslave bond0 eth0 eth1      # bond0 now receives both directions

That's it! Fire up Wireshark (or tcpdump) and capture on bond0. Two things to watch: the monitor ports of a passive tap are receive-only, so leave eth0 and eth1 without IP addresses; and leave the bond in its default mode, because in active-backup mode (mode=1) the bonding driver only passes frames from the active slave up to bond0, which puts you right back to seeing one direction. On newer systems `ip link set eth0 promisc on up` does the same job as the ifconfig lines.

To test that both the transmit and receive ports of your tap are working, ping something from the monitored host or from another machine on the network. You should see both the requests and the replies in Wireshark. If you only see one of the two, check the cable on the second monitor port and confirm both NICs are actually enslaved (`cat /proc/net/bonding/bond0`). Make sure ICMP isn't being filtered somewhere, or your results will be wrong.
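The ping check above, automated, as an added example that is not part of the original post: it reads a capture taken on bond0 (for instance `tcpdump -i bond0 -w tap.pcap icmp`) and counts ICMP echo requests and replies per direction. A healthy tap shows both; only requests, or only replies, means one monitor port or one enslaved NIC is not feeding bond0. The two-packet capture produced by `build_sample_pcap()` is constructed here so the script runs offline; the pcap and header parsing is written from the standard layouts rather than taken from any library.

```python
"""Verify both tap legs reach bond0 by counting ICMP echo directions in a pcap (added example)."""
import struct
import sys
from collections import Counter
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def _ipv4_icmp_frame(src: str, dst: str, icmp_type: int, seq: int) -> bytes:
    """Build an Ethernet/IPv4/ICMP frame. Checksums stay zero; the parser ignores them."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + b"tap-check"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64,
                     IPPROTO_ICMP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def build_sample_pcap() -> bytes:
    """Constructed capture: one ping from 10.0.0.5 to 10.0.0.1 and its reply."""
    frames = [
        _ipv4_icmp_frame("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, 1),
        _ipv4_icmp_frame("10.0.0.1", "10.0.0.5", ICMP_ECHO_REPLY, 1),
    ]
    # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1336700000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from a classic little-endian pcap file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap (magic a1b2c3d4) is handled here")
    if struct.unpack("<I", data[20:24])[0] != 1:
        raise ValueError("expected an Ethernet (linktype 1) capture")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def icmp_echo_summary(data: bytes) -> dict:
    """Count echo requests/replies and record the (src, dst) pairs seen for each."""
    counts = Counter()
    flows = {"request": set(), "reply": set()}
    for frame in iter_pcap_frames(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        if frame[23] != IPPROTO_ICMP:         # protocol field sits at IP offset 9
            continue
        src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
        icmp_type = frame[14 + ihl]
        if icmp_type == ICMP_ECHO_REQUEST:
            counts["request"] += 1
            flows["request"].add((src, dst))
        elif icmp_type == ICMP_ECHO_REPLY:
            counts["reply"] += 1
            flows["reply"].add((src, dst))
    return {"request": counts["request"], "reply": counts["reply"], "flows": flows}


def tap_sees_both_directions(summary: dict) -> bool:
    """True when at least one request and one reply were captured."""
    return summary["request"] > 0 and summary["reply"] > 0


if __name__ == "__main__":
    # usage: python tap_check.py [capture.pcap]   (no argument: run on the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    s = icmp_echo_summary(data)
    print(f"echo requests: {s['request']}, echo replies: {s['reply']}")
    print("both tap legs reach bond0" if tap_sees_both_directions(s)
          else "one direction missing: check the second monitor port and that both NICs are enslaved")
```

If the script reports only one direction, the `flows` sets tell you which side is silent, which maps directly onto which monitor port (transmit or receive) is not wired into the bond.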

Friday, March 23, 2012

MESMER -- MEmoryze String MappER

What a way to start a blog, with a tool ...

Working in incident response, there are a lot of tools and resources at your disposal. One of the tools I rely on heavily is Memoryze by Mandiant. Memoryze is a free tool that lets an investigator quickly analyze memory in search of evil. There is also a visual wrapper that displays the output in a GUI, called AuditViewer, also from Mandiant and also free.

Both Memoryze and AuditViewer do an awesome job of parsing and displaying memory for analysis. One of the things Memoryze lets you do is pull all the strings it finds. This is excellent if you have a certain evil breadcrumb you're following. However, the AuditViewer GUI isn't very user friendly and is missing some major functionality, such as sorting and searching. I tried searching the .xml file, and while I did find my evil breadcrumb, there wasn't much I could do with it, nor was there a way to reliably map it to a PID (process identifier, the unique number for each running process).

There was also an av.db file generated that contained hits for my evil breadcrumb. av.db is actually a SQLite database file that Memoryze creates. As I searched through the database I noticed that it dynamically creates multiple tables whose names start with 'strings_', and when I looked at the schema of one of these tables I found it actually held a mapping of PID to string.

I decided this would be an awesome way to correlate evil breadcrumbs with processes running in live memory, so I wrote a Python script.

The script is called MESMER (MEmoryze String MappER) and takes two arguments:

  • -f    The path to the av.db file that Memoryze creates.
  • -s    The string you want to search the file for; wrap it in double quotes. The search is NOT case sensitive.

In the sample below I am searching for devil1, something McAfee has by default.

Screenshot: searching for string devil1

So the results show the PID the string belonged to, based on the database that Memoryze produced, and the FULL string it matched on.
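The PID-to-string lookup that this post and the later "Update to MESMER" post describe, as an added example in the spirit of MESMER (it is not the MESMER script and not Memoryze's code). The post only says that the `strings_*` tables map a PID to a string, so the column names `pid` and `string` are an assumption; check them with `sqlite3 av.db .schema` and pass the real names in. The demo database is constructed in memory so the script runs without Memoryze output.

```python
"""Search every strings_* table in a Memoryze av.db and map hits back to PIDs (added example)."""
import sqlite3
import sys


def string_tables(conn: sqlite3.Connection) -> list:
    """Memoryze creates the strings_* tables dynamically, so discover them at run time."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'strings\\_%' ESCAPE '\\'"
    ).fetchall()
    return sorted(r[0] for r in rows)


def _like_pattern(needle: str) -> str:
    """Substring pattern for LIKE with the LIKE metacharacters escaped, so '%' and '_' in
    the needle match literally."""
    escaped = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


def search_strings(conn: sqlite3.Connection, needle: str,
                   pid_col: str = "pid", str_col: str = "string") -> list:
    """Return (table, pid, full string) for every case-insensitive substring match,
    sorted by PID so hits from one process sit together."""
    pattern = _like_pattern(needle.lower())
    hits = []
    for table in string_tables(conn):
        # Table/column names are identifiers, so they are quoted, not bound as parameters.
        sql = (f'SELECT "{pid_col}", "{str_col}" FROM "{table}" '
               f'WHERE lower("{str_col}") LIKE ? ESCAPE \'\\\'')
        for pid, s in conn.execute(sql, (pattern,)):
            hits.append((table, pid, s))
    hits.sort(key=lambda h: (h[1], h[0], h[2]))
    return hits


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for av.db with the assumed strings_* layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE strings_1 (pid INTEGER, string TEXT);
        CREATE TABLE strings_2 (pid INTEGER, string TEXT);
        CREATE TABLE processes (pid INTEGER, name TEXT);   -- not a strings_ table; must be skipped
    """)
    conn.executemany("INSERT INTO strings_1 VALUES (?, ?)", [
        (1234, "C:\\Windows\\Temp\\Devil1.exe"),
        (1234, "http://example.invalid/c2/beacon"),
        (4321, "kernel32.dll"),
    ])
    conn.executemany("INSERT INTO strings_2 VALUES (?, ?)", [
        (777, "DEVIL1_MUTEX"),
        (777, "100%_complete"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # usage: python strings_by_pid.py <av.db> "<string>"   (no arguments: run on the demo db)
    if len(sys.argv) == 3:
        db, needle = sqlite3.connect(sys.argv[1]), sys.argv[2]
    else:
        db, needle = build_demo_db(), "devil1"
    for table, pid, s in search_strings(db, needle):
        print(f"{pid:>6}  {table:<12}  {s}")
```

The escaping in `_like_pattern` matters more than it looks: strings pulled out of memory are full of `%` and `_` (format strings, mutex names), and an unescaped needle like `100%_complete` would silently match far more than the analyst intended.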

Last but not least, I have uploaded the Python script to my GitHub page. Special thanks to Xavier for peer reviewing my code.

If you use the tool and find it useful, or more importantly find a flaw, please let me know here or on Twitter @JC_SoCal.