In this quick and right to the point video find out which #VMtools were released with which #ESXi build #vmwaredailytip(s) are very quick tips to help you expand your knowledge around working with virtualization. These tips are not meant to be all encompassing but more of a way to build your awareness. Feel free to […]
In this quick and right to the point video I explain what, how, and when to use the VMware Compatibility Guide. #vmwaredailytip(s) are very quick tips to help you expand your knowledge around working with virtualization. These tips are not meant to be all encompassing but more of a way to build your awareness. Feel […]
Many modern malware samples implement defensive techniques. First of all, we have to distinguish sandbox-evasion and anti-debugging techniques. Today, sandboxes are an easy and quick way to categorize samples based on their behavior. Malware developers have plenty of tests to perform to detect the environment running their code. There are plenty of them, some examples: testing the disk size, the desktop icons, the uptime, processes, network interfaces MAC addresses, hostnames, etc.
On the opposite, anti-debugging techniques are implemented to make the life of malware analysts more difficult. That’s the next step in the “malware analysis pyramid”, executing the malicious code into a debugger. Here again, they are many techniques available from very easy ones provided by the Microsoft API like isDebuggerPresent()[1] which returns 1 or 0 depending on the process being attached to a debugger. Note that this API call just checks the flag ‘isDebugged” located in the second byte of the PEB[2] or “Process Environment Block”.
Another technique is to search for interesting programs via their window title and the API call FindWindow()[3]. Easy to spot a running “x32dbg”. Usually, when a program is being debugged, its execution is very slow. Thanks to GetTickCount()[4], it is possible to detect a long time between two system calls.
Some techniques are less usual but used from time to time. I found one yesterday via my sandbox:
The Windows kernel allows allocating memory in different ways depending on the future usage. When the malware will perform process injection, the memory must be allocated with the flag PAGE_EXECUTE_READWRITE (0x40). It’s the case in the sample (see above).
There exist many flags for memory allocation[5], one that is interesting is PAGE_GUARD (0x100). Here is the description from the Microsoft documentation:
“Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception and turn off the guard page status. Guard pages thus act as a one-time access alarm.“
From a malware perspective, this is very interesting! Guard pages can be used by packers to unpack memory pages “on-demand”: they are allocated and protected by PAGE_GUARD then accessed. The generated exception is intercepted and, if it matches the memory page, the content is processed. But, more interesting, the technique of guard pages detection can help to detect the presence of a debugger with the creation of PAGE_GUARD memory page and accessing it. If the exception STATUS_GUARD_PAGE_VIOLATION occurs, it’s assumed no debugging is in place.
Here is an example of protected memory allocation from the sample:
If you are interested in this sample, its SHA256 is 4251133ebe04bf0de34a7a1972342c77442942a4c2417f28c56145b2ee9ad451[6]. It has a VT score of 17/73.
[1] https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-isdebuggerpresent
[2] https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb
[3] https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindowa
[4] https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount
[5] https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants
[6] https://www.virustotal.com/gui/file/4251133ebe04bf0de34a7a1972342c77442942a4c2417f28c56145b2ee9ad451/behavior/Dr.Web%20vxCube
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
I earned my first VMware Certified Professional certificate back in September of 2005, in preparation for a 6 month contract at a pharmaceutical that required it. So glad I had the opportunity to get the funding to make that happen, and I kept it going for many years. The thing is, I eventually wanted to find a way to document some ideas and tips and what I learned from deploying VMware, beyond just passing the VCP test. So I began blogging at TinkerTry in 2011.
After 3 years of content creation, I heard about the vExpert program, hoping I’d get in by applying. Gladly, I did, earning my first vExpert back in 2014.
I’m writing this quick article to help encourage you, my TinkerTry reader, to consider applying to vExpert for yourself. If you’re here reading this, you are quite likely in possession of some skills that can help others if you’re willing to take the time to share them. Not because you have to, but because you want to.
If you need a little help with your first-time application, I would encourage you to reach out to your local vExpert Pro at vexpert.vmware.com/directory/pro. These amazing volunteers who are willing to give of their free time to go well above-and-beyond, specializing in helping you get your application in with your best foot forward. If you read the fine print under the huge directory, you’ll see that they are fueled by stroopwafels!
The VMware vExpert program is not about passing a certification test. There is no test. Instead, it’s an advocacy program, recognizing that you’ve given back to the VMware virtualization community in a significant way, and are willing to take a moment to document your efforts. The benefits are many-fold, including access to the VAST library of VMware software downloads and license keys, snazzy looking logos for your blog and/or social channels or videos, access to special events and slack channels, and of course, recognition by your colleagues and IT professional peers that you’ve made the effort to help others in their IT professional careers. I for one am grateful and proud to be a vExpert since 2014, and I sure hope to continue to enjoy being a vExpert for many years to come.
Apply now at:
Program Overview
The VMware vExpert program is VMware’s global evangelism and advocacy program. The program is designed to put VMware’s marketing resources towards your advocacy efforts. Promotion of your articles, exposure at our global events, co-op advertising, traffic analysis, and early access to beta programs and VMware’s roadmap. The awards are for individuals, not companies, and last for one year. Employees of both customers and partners can receive the awards. In the application, we consider various community activities from the previous year as well as the current year’s (only for 2nd half applications) activities in determining who gets awards. We look to see that not only were you active but are still active in the path you chose to apply for.
Criteria
If you are interested in becoming a vExpert the criteria is simple. We are looking for IT Professionals who are sharing their VMware knowledge and contributing that back to the community. The term “giving back” is defined as going above and beyond your day job. There are several ways to share your knowledge and engage with the community. Some of those activities are blogging, book authoring, magazine articles, CloudCred task writing, active in Facebook groups, forum (VMTN as well as other non VMware) platforms, public speaking, VMUG leadership, videos and so on.
This article and video assume you’ve already installed vSphere 7 in your home lab, and you are now seeking a little guidance on exactly how to go about applying your license keys during the 60 day evaluation period, without any interruption in running your (non-production) workloads.
“There is no more space for virtual disk .vmdk” error when starting vSAN VM FAQ: Support statement for 512e and 4K Native drives for VMware vSphere and vSAN vSAN Health Service – Data Health ? vSAN Object Health How to manually remove and recreate a vSAN disk group using esxcli vSAN “Proactive rebalance” and “Automatic
The post Top 20 articles for vSAN, May 2020 appeared first on VMware Support Insider.
By — Paul Turner, VP Product Management, Cloud Platform Business Unit, VMware VMware is committed to bringing great products to market that meet our customers’ short and long term needs. This means listening to our customers when designing compelling new products and when we provide world class support throughout the product lifecycle. In
The post Announcing Extension of vSphere 6.7 General Support Period appeared first on VMware vSphere Blog.
Introduction
Today’s diary reviews Polish malicious spam (malspam) from Tuesday 2020-06-02 pushing ZLoader malware. Also knowna s Terdot or DELoader, ZLoader is the latest variant from this family of malware that’s been active for years.
Shown above: Flow chart for this infection chain.
I was tipped off to this activity by the following posts on Twitter:
The malspam
Unfortunately, I was not able to get a copy of the emails to show what they look like. However, the subject line I found was:
The attachments
The attachments from this malspam have a template that uses Polish and English language encouraging recipients to enable macros.
Shown above: Screenshot of an attachment from this malspam.
Infection traffic
Infection traffic caused by this example was all HTTPS. I used the Any.Run sandbox with MITM for analysis on the spreadsheet to get a decryption key for the HTTPS traffic, and I was able to view the URLs and responses behind the encryption.
Shown above: HTTPS traffic from the infection filtered in Wireshark with a decryption key.
Shown above: HTTPS request and response for the ZLoader DLL.
Shown above: HTTPS request and response for ZLoader command and control (C2) traffic.
Forensics on an infected Windows host
When enabling macros on the malicious Excel spreadsheet, the victim host retrieved the ZLoader DLL as shown in the previous section, saved the DLL to the victim’s Documents folder, and ran it using rundll32.exe.
Shown above: Infected host running the ZLoader DLL after enabling macros.
Shortly after the DLL is run, it’s moved to a newly-created folder under the infected user’s AppDataRoaming directory, where it’s made persistent through a Windows registry update. Several other decoy folders are created under the AppDataRoaming folder during the infection. If the infection runs long enough, some decoy files are placed in these decoy folders.
Shown above: The Windows registry update to keep ZLoader persistent.
Shown above: ZLoader and decoy folders under the infected user’s AppDataRoaming directory.
Indicators of Compromise (IoCs)
Date and subject of the emails:
Infection traffic:
Certificate issuer data for HTTPS traffic on 84.38.183[.]227:
Associated malware:
SHA256 hash: c0848753a51472209624f631955a9ad9ff39d5b9fc9686c6f0da0530239916e8
SHA256 hash: 8e0238b207985132e60e6f5bc764a6756bce554f9c27b922f1d7e40950a3bbdc
SHA256 hash: 26625bd8081701ab5a248b4f6e726cd5ef07b43c817e5499b766f89980532952
SHA256 hash: 79c2eadd88f3fb91479d982e6b36d5dc7c2d465ff9580a434241f7b353c33289
SHA256 hash: ad658b2da165f31ac7649cf909c5b3330f2e3efde15f0196edc0f90f462965ea
SHA256 hash: f9f231d7b4e601b8703218d6f72fb167472060ce3e42a351743c613e6447c3cc
Final words
As always, these types of infections target out-of-date systems. They’re not very effective against fully-patched and up-to-date computers running the latest version of Microsoft Windows. The default virus & threat protection settings should stop these samples of ZLoader from infecting a Windows 10 host. Real-time protection and Tamper Protection are designed to prevent such activity.
However, malware authors constantly adjust their malware in an attempt to escape detection. With the low cost of distribution through email, and with poor security practices among potential victims, campaigns pushing ZLoader and other malware will remain cost-effective. I expect we will continue to see ZLoader in the coming weeks and months.
—
Brad Duncan
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Update 1: Added disassembler output.
When I teach FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques, one of the things we talk about is stackstrings. This is a technique that is used to ‘hide’ strings from the malware analyst (well, from normal use of the Linux strings command) by placing a string onto the stack 1 character (byte) at a time, usually by allocating a chuch of memory and then using MOV instructions to place the string into the allocated chunk of memory. I’ll call this Type 1 Stackstrings, since this is the standard stackstring most folks think of when discussing them. We also mention a couple of tools that can be used to find these. However, in my examination of shellcode, I’ve discovered what I’m calling Type 2 Stackstrings that these tools don’t usually find, though when looking at the ASCII strings they are sort of visible. I’m sure other malware analysts have seen this, but I’ve never seen it explicitly documented, so I figured I’d take a little time and explain what I’m seeing (and ask if anyone has tools that pull these kind of strings, I’ve just opened an issue/feature request for FLOSS on Github to add this). These type 2 stackstrings are pushed onto the stack 4 bytes at a time using the actual PUSH instruction rather than MOVs. I don’t usually see this type of stackstring in ordinary malware, I most often see it in shellcode, though I understand that it also gets used by Metasploit. It turns out that in x86 assembly one of the opcodes for the PUSH instruction is opcode 0x68 which when converted to ASCII is the lowercase h character, so, you’ll see h<4 ASCII chars> followed by another h<4 ASCII chars>, etc. to push the string onto the stack 4 bytes at a time. That is probably a bit more efficient than the allocate space then move 1 character at a time.
As I said above, if you just look at ASCII strings you can sort of see these stackstrings as noted in the 2 samples below
You can see it in the raw data
But, if I throw this is a disassembler, those strings still aren’t obvious.
You can see the pieces since they get pushed in (sort of) reverse order. In the first example you can see the string wininet being pushed, in the second there are a bunch of them (ExitProc, URLDownloadToFile, urlmon.dll, and LoadLibraryA). Hopefully, my “feature request” in FLOSS will get implemented soon, but does anyone else have tools that pull these type 2 stackstrings? Any other thoughts? I welcome your comments either here, or via our contact page, or email.
—————
Jim Clausing, GIAC GSE #26
jclausing –at– isc [dot] sans (dot) edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Amazon FSx for Windows File Server provides fully managed, highly reliable file storage that is accessible over the Server Message Block (SMB) protocol. It is built on Windows Server, delivering a wide range of administrative features such as user quotas, end-user file restore, and Microsoft Active Directory integration, consistent with operating an on-premises Microsoft Windows file server. Today, we are happy to announce two new features: storage capacity scaling and throughput capacity scaling. The storage capacity scaling allows you to increase your file system size as your data set increases, and throughput capacity is bidirectional letting you can adjust throughput up or down dynamically to help fine-tune performance and reduce costs. With the capability to grow storage capacity, you can adjust your storage size as your data sets grow, so you don’t need to worry about growing data sets when creating the file system. With the capability to change throughput capacity, you can dynamically adjust throughput capacity for cyclical workloads or for one-time bursts to achieve a time-sensitive goal such as data migration.
When we create a file system, we specify Storage Capacity and Throughput Capacity.
The storage capacity of SSD can be specified between 32 GiB and 65,536 GiB, and the capacity of HDD can be specified between 2,000 GiB and 65,536 GiB. With throughput capacity, every Amazon FSx file system has a throughput capacity that you configure when the file system is created. The throughput capacity determines the speed at which the file server hosting your file system can serve file data to clients accessing it. Higher levels of throughput capacity also come with more memory for caching data on the file server and support higher levels of IOPS.
With this release, you can scale up storage capacity and can scale up / down throughput capacity on your file system with the click of a button within the AWS Management Console, or you can use the AWS Software Development Kit (SDK) or Command Line Interface (CLI) tools. The file system is available online while scaling is in progress and you’ll have full access to it for storage scaling. During scaling throughput, Amazon FSx for Windows switches out the file servers on your file system, so you’ll see an automatic failover and failback on multi-AZ file systems.
So, let’s have a little trip through the new feature. We’ll look at the AWS Management Console at first.
Before we begin, we assume AWS Managed Microsoft AD by AWS Directory Service and Amazon FSx for Windows File Server are already set up. You can obtain a walkthrough guide here. With Actions drop down, we can select Update storage capacity and Update throughput capacity
We can assign new storage capacity by Percentage or Absolute value.
With throughput scaling, we can select the desired capacity from the drop down list.
Then, Status is changed to In Progress, and you still have access to the file system.
First, we need a CLI environment. I prefer to work on AWS Cloud9, but you can use whatever you want. We need to know the file system ID to scale it. Type in the command below:
The endpoint differs among AWS Regions, and you can get a full list here. We’ll get a return, which is long and detailed. The file system ID is at the top of the return.
Let’s change Storage Capacity. The command below is the one to change it:
The <new capacity> should be a number up to 65536, and the new assigned capacity should be at least 10% larger than the current capacity. Once we type in the command, the new capacity is available for use within minutes. Once the new storage capacity is available on our file system, Amazon FSx begins storage optimization, which is the process of migrating the file system’s data to the new, larger disks. If needed, we can accelerate the storage optimization process at any time by temporarily increasing the file system’s throughput capacity. There is minimal performance impact while Amazon FSx performs these operations in the background, and we always have full access to our file system.
If you enter the following command, you’ll see that file system update is in “IN_PROGESS” and storage optimization is in “PENDING” at the bottom part of the log return.
After the storage optimization process begins:
We can also go further and run throughput scaling at the same time. Type the command below:
The “new capacity” should be <8 or 16 or 32 or 64 or 128 or 256 or 512 or 1024 or 2048> and should be larger than the current capacity.
Now, we can see that throughput scaling and storage optimization are both in progress. Again, we still have full access to the file system.
With throughput scaling, we can select the desired capacity from the drop down list.
When we need further large capacity more than 65,536 GiB, we can use Microsoft’s Distributed File System (DFS) Namespaces to group multiple file systems under a single namespace.
Storage capacity scaling and throughput capacity scaling are available today for all AWS Regions where Amazon FSx for Windows File Server is available. This support is available for new file systems starting today, and will be expanded to all file system in the coming weeks. Check our documentation for more details.
– Kame;
XLMMacroDeobfuscator is an open-source tool to deobfuscate Excel 4 macros. I wrote diary entries about it here and here.
In my first diary entry, I remark that I also had to install a missing Python module. This is no longer the case with the latest versions, I just install it with a single pip command.
The author also commented on my diary entry, suggesting the use of a couple of options to yield a cleaner output ready for grepping.
Like this:
Indeed, this provides cleaner output when grepping for http URLs, for example:
And this output can also be used to extract the relevant macros, with inverted greps for RUN, GOTO, …, like this:
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
