I picked up another listener similar to the Groupon one the other day. Again it is an attached ZIP file with an exe inside.
It says it is from paypai.com; depending on your font, the i will look like an L.
The exe looks like it has been reused, but I don’t see any mention of its original file name. The original name appears to have been stickiestfilm.exe, md5 42bbb627d3bcc12745e8a6fbd4b2c825.
It also appears to have been used in several other campaigns according to its technical data.
So far the only behavior I have seen is that it opens a command shell on local port 8000 TCP and awaits incoming connections. I have not seen it send any outbound packets as of yet.
Next is some source analysis.
First I have to say that I dislike having to do this. My main problem is that if you are going to take the time to pack and attempt to protect your EXE, it’s obvious that you are up to no good.
For legitimate applications there are times when you would want to do this, but if it’s some random EXE from a payload…
In my cases I try to avoid working with the source file; I will do as much as possible by running it in a lab. But you can miss timed actions and other types of triggers. Also, there is hardly a magic bullet to deal with these; as a start I use PEiD. After that it is all about what packs that EXE and tracking it down. If a generic tool won’t unpack it, you are in for a fun day looking for something.
In other cases, if the file is packed all at once but does not have any defense mechanisms, you can dump the running EXE from memory. Sometimes you can have a file that has multiple sections packed; then you can mix in some anti-analysis tools and it’s not an enjoyable process.
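PEiD matches known packer signatures, but a quick heuristic that works even on an unrecognized packer is per-section entropy: compressed or encrypted section data sits close to 8 bits per byte, while ordinary code and data sit well below that. The script below is an added example, not something from this post; it walks the PE section table with a minimal parser (DOS header, PE signature, COFF header, section headers) and flags sections above a threshold. The threshold of 7.0 and the toy image it builds are assumptions: the image is constructed in the script with one repetitive code-like section and one uniformly distributed section, and is not a loadable executable, just enough header for the parser to walk.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each entry in a PE image's section table.

    Minimal parser: 'MZ' -> e_lfanew (offset 0x3C) -> 'PE\\0\\0' -> 20-byte COFF
    header -> optional header (skipped via SizeOfOptionalHeader) -> 40-byte
    section headers.  Only SizeOfRawData / PointerToRawData are used.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_report(image: bytes, threshold: float = 7.0):
    """Return [(name, entropy_rounded, looks_packed), ...] for every section.

    threshold=7.0 is an assumed cut-off; tune it against your own corpus.
    """
    report = []
    for name, data in pe_sections(image):
        ent = shannon_entropy(data)
        report.append((name, round(ent, 2), ent >= threshold))
    return report


def build_sample_image() -> bytes:
    """CONSTRUCTED toy PE for demonstration only (not a real sample, not loadable).

    Two sections: '.text' with a repeating instruction-like pattern (low entropy)
    and '.packed' holding every byte value equally often (entropy exactly 8.0).
    """
    text = b"\x55\x8b\xec\x90\x90\xc3" * 300   # repetitive, ~2.25 bits/byte
    packed = bytes(range(256)) * 16            # uniform, 8.0 bits/byte
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms,
    # SizeOfOptionalHeader (0 in this toy), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    text_ptr = 0x200
    packed_ptr = text_ptr + len(text)

    def sect(name: bytes, size: int, ptr: int) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr,
                           0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + coff
               + sect(b".text", len(text), text_ptr)
               + sect(b".packed", len(packed), packed_ptr))
    return headers + b"\0" * (text_ptr - len(headers)) + text + packed


if __name__ == "__main__":
    for name, ent, flagged in section_report(build_sample_image()):
        print(f"{name:<8} entropy={ent:.2f} {'PACKED?' if flagged else ''}")
```

On a real file, read it with `open(path, "rb").read()` and pass it to `section_report`; a single high-entropy section next to a near-empty one named like a known packer's output is the usual signature of a packed sample, and a file where every section is high entropy is worth treating as encrypted end to end.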
Ecuador says that the UK is threatening to enter its embassy to arrest Mr. Assange, ahead of the announcement on Thursday on whether they will grant asylum. I don’t know how much stranger this whole thing can get.
When doing analysis I try to keep away from the infection machine, I keep my lab statically setup with an IP, and DNS, Gateway pointing at another machine. For a basic target all you need to do is have tcpdump running to capture any networking requests. If you want to get more complicated you can start emulating services like DNS and WWW.
In most cases the basic connection information will give you just enough to create an IDS/IPS signature.
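Turning that tcpdump capture into a signature is mostly bookkeeping: pull out which ports the sample listens on (SYNs arriving at the victim VM) and where it tries to reach (SYNs or datagrams leaving it), then write the rule. The script below is an added example and not part of this post. It parses tcpdump's default text output (`-n`, no `-v`), splits inbound from outbound traffic for a given victim address, and emits a Snort rule for a discovered TCP listener. The capture lines, the lab addresses (victim 192.168.56.10, lab box 192.168.56.1 acting as gateway and resolver) and the sid range are all constructed for the example; the DNS line is there only so the outbound path is exercised.

```python
import re
from collections import Counter

# tcpdump -n default summary line: "TS IP src.sport > dst.dport: rest"
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# CONSTRUCTED capture: analyst box connects twice to the VM's listener on 8000,
# and the VM sends one DNS query to the lab resolver.  Not a real trace.
SAMPLE_CAPTURE = """\
13:05:01.000100 IP 192.168.56.1.51234 > 192.168.56.10.8000: Flags [S], seq 100, win 65535, length 0
13:05:01.000200 IP 192.168.56.10.8000 > 192.168.56.1.51234: Flags [S.], seq 200, ack 101, win 8192, length 0
13:05:01.000300 IP 192.168.56.1.51234 > 192.168.56.10.8000: Flags [.], ack 1, win 65535, length 0
13:05:04.500000 IP 192.168.56.10.49321 > 192.168.56.1.53: 4711+ A? update.example.invalid. (40)
13:05:09.000000 IP 192.168.56.1.51240 > 192.168.56.10.8000: Flags [S], seq 300, win 65535, length 0
""".splitlines()


def parse_line(line: str):
    """Return a dict for one tcpdump summary line, or None if it does not match."""
    m = TCPDUMP_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("Flags ["):
        proto, flags = "tcp", rest[7:rest.index("]")]   # e.g. "S", "S.", "."
    else:
        proto, flags = "udp", ""   # assumption: non-TCP lines in this toy are UDP
    return {
        "ts": m.group("ts"), "proto": proto, "flags": flags,
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
    }


def summarize(lines, victim: str):
    """Split a capture into listener ports hit on the victim and outbound targets.

    inbound:  Counter{(proto, victim_port): syn_count}  -- what the sample serves
    outbound: Counter{(proto, dst_ip, dst_port): count} -- what the sample reaches for
    Only pure SYNs (new TCP connections) and UDP datagrams are counted, so
    replies and mid-stream ACKs do not inflate the numbers.
    """
    inbound, outbound = Counter(), Counter()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == victim and p["proto"] == "tcp" and p["flags"] == "S":
            inbound[(p["proto"], p["dport"])] += 1
        elif p["src"] == victim and (p["proto"] == "udp" or p["flags"] == "S"):
            outbound[(p["proto"], p["dst"], p["dport"])] += 1
    return inbound, outbound


def snort_rule_for_listener(port: int, sid: int) -> str:
    """Snort rule alerting on new TCP connections to a discovered listener port."""
    return (
        f"alert tcp any any -> $HOME_NET {port} "
        f'(msg:"Inbound connection to suspected backdoor listener {port}/tcp"; '
        f"flags:S; classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    inbound, outbound = summarize(SAMPLE_CAPTURE, "192.168.56.10")
    print("listeners:", dict(inbound))
    print("outbound: ", dict(outbound))
    for sid, (proto, port) in enumerate(sorted(inbound), start=1000001):
        print(snort_rule_for_listener(port, sid))
```

A port-only rule like this is deliberately coarse; it is the starting point you get from connection data alone. Once the listener's banner or the first bytes of its protocol are known from the capture payload, add a `content:` match so the rule stops firing on unrelated services that happen to use the same port.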
I am not going to cover the basic setup of a VMWare based lab, really you can use what ever you want as long as you can attempt to keep it isolated from the system.
I use VMWare for a couple of reasons, mainly for the ability to take VMs from Fusion, Workstation and ESXi and move them back and forth if needed.
The main reason is to try and avoid VMware detection, which you can do with some info from here.
Here is what you needed to add to the VMX file of the vm.
I have found that if you are in the middle of a series of snapshots the best thing to do is revert, shutdown, add to VMX, set the VMX to read only, power on and play.
Here comes the next step in the ATM arms race.
If there is something just out of reach, people will find a way to get to it. I’ll be honest, I make a point not to use ATMs.
This is pretty interesting:
I watched this TED video a couple weeks ago, and had a similar thought.
Well except the Aussie break was before the data retention law. But it’s not a stretch to see some sort of breach. To me it would be more something that an insider would do like BManning, but either scenario will do what is needed.
Special release of BackTrack just for Blackhat.
The good news is the detection ratio is now up considerably since I first started working with this sample. Initially 2 of 41 scanners detected the sample when I first got hold of it; now it’s 28 of 41. The bad news is that I have been stepping it through a debugger and there are a couple of SEH chains to follow, but so far I have found nothing new.