All posts by Jacob Soo

[ n00b Post ] How to check if you have the MS-017-010 Windows Security Update installed

There are so many blogs out there that encourage users to update their Windows OS in particular MS17-010 to protect them from falling victims to WannaCrypt.

But as a normal home user, how do they know whether their machine already have the latest security update and protected from this?

I’ll write in details on how normal home users can check whether they systems are updated or not.

  1. The number in the security update file is usually tied up with the KB (Knowledge Base) number. We can find the official Security Bulletin here: “Microsoft Security Bulletin MS17-010 – Criticalhttps://technet.microsoft.com/library/security/MS17-010 


    Figure 1:
     Screenshot of KB numbers
     

  2. The numbers in the brackets are the KB numbers. Now that we know the security update file that we should install.  Let’s check for the security updates that we have installed on our Windows machines.  We can use one of the built-in tool by Microsoft to do just that.
    Figure 2:  systeminfo command

    Once we do that, you should see something like the image below:

    Figure 3: Screenshot of returned output from systeminfo

  3. As you can see, my VM didn’t have the latest Security Update.  Windows 7 require “4012212” or “4012215” depending your Windows 7 version.
  4. By clicking on the earlier mentioned link, https://technet.microsoft.com/library/security/MS17-010We can click on the relevant Security Update file that we should install.
  5. In my case, the link that I should click on is : http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012212I should see the following image:

    Figure 4: Downloading of Security Update file

I hope this is a simple to understand guide for home users.
I promised that i would write technical blog posts again. 😀

Best Regards
Jacob Soo

[ Technical Teardown : “Your 2016 Tax Report From IRAS”. In Word 2003 XML Document (.xml)? ]

Several days ago, i saw this “Old Technique” being used again. But i wasn’t interested with it until today when i saw that it’s trying to spoof as Inland Revenue Authority of Singapore (IRAS)

So what is this “Old Technique” that i’m talking about.  It’s basically using the good old “Word 2003 XML Document” trick.  But i’ll walk you through the entire process

[ Sample used in the analysis ]
MD5: 25abc03eb402c1b6b99543cca626c78d
SHA256: 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

[ Part 1 : Getting Started ]
For those who want to follow along, this is a linkg to the email file 143c59cf481a921b99061557684194041d8462cd31f75ff806b9f1b22940a35d

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Now, let’s start getting our hands dirty…and open the suspicious email with Visual Studio Code.

As we can see from the above image, the attacker seems to be  sending this spoofed email as  if they are from IRAS and we can find out several things from the email headers

EMAIL HEADERS:

  • Date: Wed, 26 Apr 2017 06:51:42 +0800
  • From (possibly spoofed): “Inland Revenue Authority of Singapore “<tax_no_reply-no@iras.gov.sg>
  • Subject: [IRAS: IMMEDIATE ATTENTION] Your 2016 Tax Report!!!
  • Message-ID: <77724133945041300816867@WIN-2TAK14O2BL3>

However, if we analyse it properly, we know that the attacker probably sent this from this IP address : 62.210.139.92.

Received: from 62-210-139-92.rev.poneytelecom.eu
(62-210-139-92.rev.poneytelecom.eu [62.210.139.92])

Based on the above image, we can see the contents of that email message that it’s trying to do social engineering on the victims and asking the victims to open the “doc” file

EMAIL MESSAGE:

 

[ Part 2 : Email attachment ]

Now let’s try to look at the attachment and we can see this.  No worries, let’s Base64 decode it.

What is interesting after Base64 decoding it, i don’t see a .doc file.  Rather, what we could see is an XML file as shown here.

 

When you open a Microsoft Office Word 2010 XML document, Microsoft Office Word 2007 XML document, or a Microsoft Office Word 2003 XML document, your Microsoft Internet Explorer will not display the document by using the default Internet Explorer. Instead, if you had Microsoft Office installed.  Microsoft Word will open the XML document instead.  Why is this so?

Let’s take a look at the image above.  Starting from Word 2003, Word documents are built using XML in what Microsoft calls the WordprocessingML. Basically Windows will detect this XML (because of the mso-application declaration) and will launch Word if you double-click it.  Microsoft got a good Overview of WordProcessingML here.

But let’s inspect this XML file first.

 

First thing that caught my eye is this.

It’s seems like it’s asking victims to “Enable Content to view” Smells like Macros again.

If we were to look further down, we can see the reference to “/word/vbaProject.bin” as shown in the image below.

Ok, more Base64 decoding to do. Once we decoded, we can spot the familiar “D0CF11E0A1B11AE1

Ok, now let’s save this Base64 decoded file and use Profiler to parse it again and we should be able to see this.

Ok, let’s deobfuscate this Macro and we should get back something like the following:

So basically it’s just downloading the payload from http://travelbag[.]ca/lk/lk/kdabz.exe

The hash of this malware is “305B32DDC8786A56FABDA1114F6BF549AEB1B283FB3915D6076D49A7E5265FCB

Since that malware is developed in .NET, i shall leave the reversing of the malware as an exercise to the readers.

[ Part 3 : Side Note ]

I know some of you are wondering did attackers made this by hand?  I highly doubt so.  I don’t want to encourage script kiddies in replicating this but it’s really simple 🙁

Thanks & Regards
Jacob Soo

 

 

[ Technical Teardown: Analysing MalSpam Attack – 標的型攻撃メール ]

Yesterday afternoon, there is an alert about MalSpam attack happening in Japan.
https://www.cc.uec.ac.jp/blogs/news/2017/04/20170425malwaremail.html

Malware authors have been sending malware via zipped attachments in spam emails for a long long time but many people are still puzzled at why/how it works. I will try to fill in the required information about where to look out for information and how decode some of the information.

Firstly, we are going to learn how are a bit about the .msg file format and how is it used to store a message object in a .msg file, which then can be shared between clients or message stores that use the file system.

In order to analyze the .msg file without Outlook, we can read more about the file format from:

The purpose of this post is to give a better technical understanding of how attackers makes use spam emails to spread malware.

[ Sample used in the analysis ]
MD5: 3370c5c8d0f42a33a652de0cc2f923ed
SHA256: 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587
Sample:

[ Part 1 : Getting Started ]
For those who want to follow along, this is a linkg to the .msg file 8613d560b4ab064bb6380fd999b65ef1a436b1f16161ef8789137691e8844587

Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Now, let’s start getting our hands dirty…and open the suspicious .msg file using Profiler.

 

Each “__substg” contains valuable pieces of information. The first four of the eight digits at the end tells you what kind of information it is (Property). The last four digits tells you the type (binary, ascii, Unicode, etc)

  • 0x007d: Message header
  • 0x0C1A: Sender name
  • 0x0C1F: Sender email
  • 0x0E1D: Subject (normalized)
  • 0x1000: Message body

Since this is a forwarded email (SOC-Mail00135 【注意:標的型攻撃メール?】FW 固定床炉処理日報),  we can see that it’s most probably a spoof email from a Japanese Institution.

 

[ Part 2 : Email attachment ]
Since we can’t do proper email investigation, let’s look at the attachments.  Let’s look at “Root Entry/__attach_version1.0_#00000000” and refer to the specifications again.

  • //Attachments (37xx):
  • 0x3701: Attachment data
  • 0x3703: Attach extension
  • 0x3704: Attach filename
  • 0x3707: Attach long filenm
  • 0x370E: Attach mime tag

If we were to look at “__substg1.0_3704001F”, we will see that the filename of the attachment is called “M58A33~1.zip” and the display name “__substg1.0_3001001F” of the attachment is called “M58A33530641949.zip”.

 

Now let’s look at the actual data located within “__substg1.0_37010102” as shown below.

We can see that the zip file contained a .docx file, “vhlwspyw.docx

Now, let’s press “Ctrl+A” to select the entire contents. Then copy it into a new file as shown in the image below

 

We can now analyse the .docx but let’s use Profiler instead since it can already parse this entire Outlook file and identify what is inside the attachment.

As we can see from the image below, the docx contained an embedded OLE object which is actually a Javascript file.

The extracted Javascript looks like this.

After deobfuscation, its using PowerShell to download the payload from http://ca[.]tradelatinos[.]co/js90.bin?LIOv

However the payload is unavailable when i tried to grab it, but i’ve found these other js90.bin for same campaign.

Hashes of Malicious .DOCX

Hashes of Malware

These are all Ursnif or Dreambot and there are articles and reversing tutorials on them.  So i shall leave it as an exercise for the readers.

  • http://www.seculert.com/blogs/ursnif-deep-technical-dive
  • https://www.youtube.com/watch?v=raoL6_0A5aw

Some of the subject titles of the emails are:

「付け出し」,「 発送の御連絡」,「のご注文ありがとうございます」,「固定床炉処理日報 」 , 「給料振込の件」

Thanks & Regards
Jacob Soo

[ Technical Teardown: Exploit & Malware in .HWP files ]

This article will focus on teaching analysts on analysing malicious JavaScript code within the HWP files and a walkthrough of how we can analyse .HWP files that was used to deliver malware.

[ 1st Sample used in the analysis ]
MD5: 8EB5A3F38EB3DE734037AA463ADE7665
SHA256: D0361ADB36E81B038C752EA1A7BDC5517B1E44F82909BC2BD27B77B2652667EE
As of writing, the detection rate for this sample according to VT is 12/54

[ Part 1 : Understanding OLE compound file ]
We need to first understand how OLE compound files work.
Inside these OLE compound files, there are folder (storage) and file (stream). We will use SSViewer(http://www.mitec.cz/ssv.html) to take a look into the interior of the malicious .hwp file.

Most of the Streams in .hwp files are “zlib compressed“. We can see from the image below that the structure in .HWP files differs from .doc files.

However, today we are going to focus on “DefaultJScript“. You may ask why that? Well, think of “DefaultJScript” as VBA in Office documents.

1

 

[ Part 2 : Getting Started ]
For those who want to follow along. Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment.

Now, let’s start getting our hands dirty…and open the suspicious .hwp file with Cerbero Profiler.

As we can see from the image below, the data within “DefaultJScript” looks gibberish. So how do we make sense out of it?

2

As i’ve mentioned earlier, most of the streams within .hwp are “zlib compressed
So let’s “Select All” within the “DefaultJScript” stream and press “Ctrl+T

Now let’s add “Unpack Zlib” and remember to check the “Raw” checkbox and add it as shown in the image below.

3

Then let’s press “Preview” and have a look.

4

After decompressing the raw bytes, we can start to see some readable words. But it seems to be in Unicode.

Now let’s add in another filter to remove the “00” bytes.
Select “Replace“, change the mode to “Bytes” and add in “00” for the “In” value as shown below.

5

We should get back something like the one shown below.

6

If we were to analysed the decoded JavaScript, we can see more interesting stuff as shown in the image below.

7

So it seems that the JavaScript is doing Base64 decoding of the very long string and dropping it as “msvcr.exe”
I wrote the following Ruby script to decode the Base64 String.

After Base64 decoding the string, the output file looks like this,
8

The hash of this malware is 765834b1b780dacda8baa671c76328445cb8278099bad375ee22130f48920a7a
We won’t be going through this malware this time round.

[ 2nd Sample used in the analysis ]
MD5: a986a3fdf2afba98de21f0596a022b9b
SHA256: bd8fa7793f2192d4ff3979526955d5d6c965218eb0c0fe579f8ef0602357d5a9
As of writing, the detection rate according to VT is still pretty low. 3/53

[ Part 3 : Getting Started on analysing Exploits in .HWP files ]
This is a .hwp file containing an exploit (Most probably CVE-2013-4979 or CVE-2013-0808).
I drew a diagram like the one shown below to illustrate the general idea of how this exploit works.

9

For this particular exploit, the first thing we should be looking at is BinData/BIN0001.EPS as shown below.
10

There is an unknown error upon opening the document using hwp2010.
11

Nevertheless analysis can still be done by extracting the EPS files from the doc
Let’s do a quick network check by opening the eps file using hwp2010 and we can see that the exploit was indeed executed and connect to www.ethanpublishing[.]com/ethanpublishing/phpcms/templates/default/member/account_manage/teacup.jpg if we use FakeNet or similar tools.

We suppose that teacup.jpg” is most likely the payload. However, the jpg file is no longer found using the url so we cannot conduct further analysis on it.

12

Let’s go on to focus our analysis on the vulnerablity that was exploited by the eps file.

Opening the file eps file in the text editor we can identify a few components of the exploit.
The green block represents a NOP sled using 0xB5.
The blue block represents a NOP sled using 0x90.
The red block represents the shellcode.

13

Following the shellcode is this line of post script command

This command would execute a “Heap spray”. 500 blocks of the NOP sleds and shellcodes would be ‘sprayed’ in the memory. The NOP sleds and shellcodes is allocated as a string with a length of 65535 characters.

Next we want to determine which vulnerable process is the exploit targetting.
We do so by trying to search for traces of the NOP sleds and shellcodes in the memory of the vulnerable process.
At first it looks like the vulnerable process is likely hwp.exe or HimTrayIcon.exe

14

However, we could not locate any trace of NOP sleds and shellcodes in both processes.

At this point, I wonder if other child processes could be created by Hwp.exe. These child processes could have termininated after the execution of the shellcode.

One ‘trick’ we used was to modify the start of the shellcode with the opcode “0xEBFE” which is actually an infinite loop. This would allow the process that executed the shellcode to run continously without terminating.

15

Now we can attach our debugger into the gbb.exe process and we located the NOP sleds and shellcodes

16

Now after locating the vulnerable process, we have to debug into it to locate where the vulnerable code is exploited.
We now located the code in where hwp.exe created the gbb.exe process.

17

We shall modify the “CreationFlags” to CREATE_SUSPENDED. This would allow us to attach debugger at the start of the execution of the gbb.exe process.

18

After tracing the code we located the instructions in gsdll32.dll that executed the NOP sled “0xB5B5” which is MOV CH,B5

19

From the vulnerable instructions, we can more or less conclude that the vulnerablity is indeed based on CVE-2013-0808
For more information on CVE-2013-0808, you can read it up this article by CoreSecurity.
https://www.coresecurity.com/advisories/eps-viewer-buffer-overflow-vulnerability

In the meantime, we hope you enjoyed reading this and we would be happy to receive your feedback!

Best Regards
Jacob Soo & peta909

[ Sharing ] Where’s Wally! – Tracking where did victims come from.

I’ve written about shortened urls for 4 times. Twice in this blog and twice in an older website that i didn’t maintained anymore.

I have seen recently that a lot of people still blindly click on shortened URL that they see in FaceBook, forums or “familiar names” on their smartphones.
Today, i will do a quick short post about 2 recent shortened URLs, what’s the purposes and where did the victims come from.

[ Case Study #1 ]
The 1st link here is where : https://bitly[.]com/1TVH4va will lead to : http://onedayonemillion[.]com/postdk[.]apk
This .apk file is actually MazarBot.

You can read more about MazarBot here:

As alot had been written about MazarBot, we also want to know more about the Bit.ly url and the following Bit.ly url will show the statistics of where did victims come from.
https://bitly.com/1TVH4va+

As you can see from the image below, there are 5, 037 clicks on this shortened url since 25th May 2016.
4,569 clicks on 25th May 2016 alone.
tracker69.0x0001

8 of the clicks were coming from FaceBook and 15 clicks were from forums, mobile, etc. The rest are direct, meaning click on this shortened url. Possibly via sms, WhatsApp, etc.
tracker69.0x0002
tracker69.0x0003

We can also see the Geographical distribution of the victims who clicked on this shortened url.
tracker69.0x0004

Basd on the image above, it seems like most of the people were from Denmark and some parts of Europe.
One thing that puzzled me and got me curious…. why is the author of MazarBot targeting Danish people?

 

[ Case Study #2 ]
The next shortened url which we will be looking at is https://bitly[.]com/22kQ0Am

Again, let’s check the statistics and where is the final url by appending “+” without the double quotes as shown here: https://bitly.com/22kQ0Am+
h–ps://bitly[.]com/22kQ0Am will redirect to h–p://dl[.]dropboxusercontent[.]com/s/rlqrbc1211quanl/accountinvoice.htm

Nice, the link is on DropBox. Let’s download the page using wget or anything that you prefer.
I decided to use wget as i already have it on this particular machine.

I just did a quick wget to check what is inside this accountinvoice.htm and i got back the following:

You can change document.write to console.log or alert to get back the unescape string. But for the benefit of non-technical users, you can just go to http://meyerweb.com/eric/tools/dencoder/
and paste the escaped string and decode it.
You should get back the following:

Great, it’s doing a redirect. Let’s do a base64 decode and we should get back this.

Hmmmm…seems like it’s a Phishing link more than an ExploitKit link since the title is “Sign In“.

As i don’t want to alert the phisherman too much, i tweak my wget as followed:

After i grab the page, we can see that it’s indeed a “Google Drive” phishing page.
tracker69.0x0005

I hope this short post will serve as a good reminder to all not to blindly click on shortened urls unless you totally trust the source or verify it yourself.

Happy Reversing
Jacob Soo

[ Sharing ] Analysing and retrieving the Statistics from shortened URLs

I’m going to talk about how you can view or check whether someone else clicked on the same shortened url as you.
This is also pretty useful if you want to know whether you are a target of a scam or being targetted to a drive-by.

The url which i’m going to test today is this:
http://www.dailychanges.com/

Let’s go through some of the URL shorteners and how we can get more info from these shortened URLs.
Bit.do
======
The original shortened link is http://bit.do/bKoMw
But if you append a “-” without the double quotes like this http://bit.do/bKoMw-
You will get to the statistics page for this shortened url.
It gave some important information about Referer sites, Referer pages and even visitors IP.
Probably dangerous if users are being targetted.

Next we will talk about Is.gd
Is.gd
======
The original shortened link is http://is.gd/MyG7K6
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://is.gd/stats.php?url=MyG7K6

Next we will talk about
Goo.gl
======
The original shortened link is http://goo.gl/z8w84
But if you append a “.” without the double quotes or “info” like this http://goo.gl/z8w84+ or http://goo.gl/z8w84.info
Once you go to the statistics pages, you will be redirected to something like this below.
https://goo.gl/#analytics/goo.gl/z8w84/all_time

Next we will talk about
Bit.ly
======
The original shortened link is https://bit.ly/1LsiFyY
But if you append a “.” without the double quotes like this https://bit.ly/1LsiFyY+
Using the statistics page, you can also check which other user are also sharing the exact same url as you did.
Please note that if the other user(s) used Google analytics in the url, you might not be able to see them in your statistics page.

Next we will talk about
crop.is
=======
The original shortened link is http://crop.is/NV8
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://crop.is/NV8+

tiny.ph
=======
The original shortened link is http://tiny.ph/2mCe
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.ph/2mCe+

tny.im
=======
The original shortened link is http://tny.im/3Bm
In order to access the statistics, they can simply change the url to something like the one below.
http://tny.im/3Bm+

tiny.cc
=======
The original shortened link is http://tiny.cc/xtad8x
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.cc/xtad8x~

Then again, if there isn’t any means to check the stats of the shortened URL.
Always make sure to use online services like http://longurl.org/ to make sure the shortened url is not redirecting to some malicious url.

I hope that readers will find all the information written here useful.

Have Phun
Jacob Soo