Tuesday, February 24, 2015

Quick analysis of a VisualBasic based Password-Stealer

After the analysis of Golroted I was able to get the key to the attacker's server (actually they gave it to me by embedding it in the code, didn't they). Using that key I was able to spot an email message that was used in a spear-phishing campaign.

[Image: Spam message]

The email message had an attachment that I am going to analyze in this post.

Sunday, February 22, 2015

Quick analysis MSIL/Golroted (Stealer)

Golroted's purpose is to steal various pieces of information from the victim machine (you can read the full description in the Microsoft Malware Protection Center).

This particular sample is obfuscated with SmartAssembly and packed inside a .NET-based RunPE; after unpacking we can read the malware's code.

This malware uploads the information it steals from the victim via email and/or FTP. The usernames and passwords of the email and FTP accounts are stored in the file itself in encrypted form.

[Image: Encrypted data]

Tuesday, September 24, 2013

How to extract BetaBot config info


In this article I will show you how to extract the configuration section of the bot; this section is encrypted inside the bot and decrypted while the bot is running.

A few months ago I built a tool that can extract the bot's configuration offline (that is, without running the bot in a debugger). I achieved that by reverse engineering the bot to learn how it derives the key, and then building the tool to decrypt the configuration section from the sample.

Lately, as new versions of the bot came out, I found it much simpler to extract the information I needed with a debugger than to update the tool; that method is what I will guide you through in this article.

In order to follow along you need an unpacked sample of the bot (you can get the one I am using in this article here; the password is: infected).

This article targets the latest version of the bot (1.5), but the technique presented here works on earlier versions too.

Friday, June 14, 2013

The case of Win32.Filecoder Ransomware

A few days ago I got a computer that was infected with Win32\Filecoder.NAG; this nasty ransomware had encrypted the user's files and presented the following message to the user:

So basically, in order to get your files back, you should pay $300.

I have done a little bit of reverse engineering of this ransomware to try to find a way to get the key without paying the ransom.

Wednesday, May 1, 2013

Elite Keylogger Detection and Analysis

Elite Keylogger is a kind of malware (from the victim's point of view) that is sold by a company called WideStep; the company markets this product as being "100% undetectable", as you can see on its info page:

Invisible to anti-virus software

It’s no secret that anti-virus and anti-spyware applications will constantly try to detect and block even legitimate monitoring applications like Elite Keylogger. Elite Keylogger does a great job hiding its own modules from anti-virus, anti-rootkit and anti-spyware apps. Elite Keylogger ensures it's not detected during regular scans and even after you update your anti-virus software. It implements a number of unique algorithms to stay hidden.

Here I will show you how to detect whether this keylogger is installed on a computer and how to access its configuration GUI in order to see all of the settings the attacker has configured.

This article targets the latest version (5.0.183) currently being sold by WideStep.

Tuesday, March 5, 2013

Warbot C&C Panel

This bot doesn't have many capabilities besides DDoS attacks; in addition it lets you run other files on the victim machine, so it has loader capabilities too. This bot is cracked and available for download online.

On this specific server the MySQL server was wide open (root, toor), hence I was able to add another user to the warbot database, and since warbot keeps its user list in the database I was able to log in.

[Image: 529 bots isn't enough?!]

Monday, March 4, 2013

SpyEye Trojan Analysis - Part 2

After the trojan has been started via the CreateProcess call from explorer.exe (injected code; read part 1 for more details), it checks that it is running from the usual location it is supposed to run from (which in our case is C:\algonic\algonic.exe):

[Image: Branch to second stage]