After the (very) high-level introduction of the part I, we are going to start to go a little bit deeper in the subject. Let’s start by having a closure look to the memory (RAM) and the related registers (e.g. general purpose registers, segment registers, EFLAGS and EIP). The goal is not to make a complete overview of how RAM is working, but keep in mind the overall objective: malware analysis. Therefore we won’t review everything and we will reduce the scope to x86 (32 bits) architectures (as it’s the most common architecture).
Under OS X if you are interest to find out which process is using internet you can using the following command:
lsof -i -P -n
This command normally list all the open file on the system, but using the -i option it will list all the “internet” files. Continue reading “[OS X] List processes using internet”
This article is an attempt to introduce some of the key concepts of x86 Assembly Language. It will focus on how such language is used by malware analyst to understand what a malicious software is doing and how it has been programmed by its author. Before going into more details, this article will explain some of the general concept and why assembly code is used to do malware analysis.
Here are the latest graphs of my honeypot. Overall “normal traffic”, at the exception of several attempts to download a file named “h.exe” from a particular IP address. However it seems that this host has been cleaned in the meantime as all attempts results in a “404 Not Found”.
[Update] I have done a bit more research regarding this particular IP address. It seems that this host has been used for other piece of malwares based on the Malc0de database:
Wireshark ? Qu’est-ce que c’est ?
Voici, une liste non exhaustive des fonctionnalités de base de ce logiciel:
- support de plusieurs protocoles (une centaine au total)
- capture du trafic en mode on/off line
- fenêtre de visualisation à trois volets
- fonctionne sur plusieurs systèmes d’exploitation: Windows, Linux, OS X, Solaris, Free BSD, netBSD, etc.
- utilisation de filtres pour faciliter l’analyse des données
- analyse du trafic VoIP
- lecture/écriture dans plusieurs formats: tcpdump, Pcap NG, Catapult DCT200, Cisco, Microsoft, etc…
- possibilité de compresser/décompresser les fichiers de capture à la volée
- les données peuvent être analysées sur plusieurs interfaces différentes: Ethernet, 802.11 (wifi), PPP/HDLC, ATM; Bluetooth, USB, Token Ring, Frame Relay, etc.
- support de la décompression de plusieurs protocoles comme IPsec, Kerberos, SNMP v3, SSL/TLS, WEP et WPA/WPA2
Certains peuvent également se demander pourquoi utiliser un tel logiciel? D’autres diront immédiatement que ce genre de logiciel est utilisé afin de faire de “l’écoute” sur le réseau et de pouvoir ainsi obtenir l’accès à des données confidentielles.
Premièrement, l’utilisation de Wireshark peut être particulièrement utile afin de trouver et réparer une panne ou un problème dans un réseau. Cet outil permet d’obtenir une meilleure compréhension de l’environnement et de l’infrastructure du réseau. Deuxièment, et je ne souhaite pas lancer un débat ici, effectivement ces outils peuvent être utilisé à des fins de Ethical Hacking.
Cuckoo is a malware analysis system. Based on the description on the website:
Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.
It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.
But it can do much more…
It’s up to you to discover what and how.
Some of the results that Cuckoo generates are:
- Trace of performed relevant win32 API calls
- Dump of network traffic generated during analysis
- Creation of screenshots taken during analysis
- Dump of files created, deleted and downloaded by the malware during analysis
- Trace of assembly instructions executed by malware process
In addition, Cuckoo allows you to:
- Automate submission of analysis tasks
- Create analysis packages to define custom operations and procedures for performing an analysis
- Run multiple virtual machines concurrently
- Script the process and correlation of analysis results data
- Script and automate the generation of reports in the format you prefer
Find below the latest graphs of the honeypot I’m running. Overall an increase in the number of connection with some huge speak at the end of April and beginning of May.
Note: due to a system restart, the honeypot was not running for a few days at the end of May beginning of June.
Note 2: this honeypot is a Dionaea instance. If you want to set up an instance on your server, follow the step-by-step guide on the Dionaea website.
Information about the Flame virus have been published in the the last few days of May 2012. This discovery has been made two years after Stuxnet (June 2010) and less than a year after Duqu (Sept. 2011). Despite the fact that those three virus have different objectives, they have in common their complexity and the fact that they have been probably developed by people with “unlimited” resources. So where are we now? Is this cyberwar? or this is the natural evolution of cyber criminal?
What is Flame? How does it work?
Easy question, but difficult answer! In short Flame is a little bit of everything. The best way to describe it to use the term “attack toolkit”. It’s a toolkit because it’s modular approach allow him to become a backdoor, a worm, it can also perform various malicious activities such as key logger, network sniffing, listening to audio interface, steal information, enable Bluetooth and scan other devices, etc. In short it can do more or less everything a hacker will dream of. Also, based on the experience of the security industry with Stuxnet everybody was expecting several Zero-Day attacks. There is actually no evidence of such type of attack in Flame. Especially there is still some questions about the initial infection vector. However Kaspersky has observed that a fully patched Windows 7 was still being infected, raising more suspicion about a zero day attack. Further analysis highlight a different story… Continue reading “Flame – Cyberwar in action?”
Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!