Page 3 of 3 FirstFirst 123
Results 51 to 52 of 52

Thread: .:Windows Security, Maintenance and Optimizing Guide :.

  1. #51
    Xtremely High Voltage Sparky's Avatar
    Join Date
    Mar 2006
    Location
    Ohio, USA
    Posts
    16,048
    Something to add to the anti-spyware list. Malwarebytes works great, I have had a couple systems I was working on that spybot removed stuff, ad-aware removed some stuff, but there was still a few things left. Malwarebytes took care of the rest
    The Cardboard Master
    Crunch with us, the XS WCG team
    Intel Core i7 2600k @ 4.5GHz, 16GB DDR3-1600, Radeon 7950 @ 1000/1250, Win 10 Pro x64

  2. #52
    Xtreme Addict
    Join Date
    Jul 2006
    Location
    Between Sky and Earth
    Posts
    2,035
    Quote Originally Posted by SparkyJJO View Post
    Something to add to the anti-spyware list. Malwarebytes works great, I have had a couple systems I was working on that spybot removed stuff, ad-aware removed some stuff, but there was still a few things left. Malwarebytes took care of the rest
    Ok, I'll add-it later along with "SUPERAntiSpyware". I've infected my system intentionally with a common spyware which I know how to remove, but Malwarebytes found 0 results, wile SUPERAntiSpyware removed it. So guess it's signatures dependent but I tried it with an 2002 old dummy file and still got 0 results. So if you say it's good I'll keep on trying it and add it latter if it turns up to be good. Then again tools are just tools which leads me to this recent article:

    Well, today wasn't exactly a tough handler's shift so I thought I would look in my spam folder for something interesting.
    There is always something interesting in there, subject wise most are things which aren't even mentionable in public. However, in many of these emails are links and at the end of the link is the world of malware. So, I feel compelled to follow them (in a nice, safe environment). Today's attempt was a complete success on the first piece of spam I opened. Sure enough I found a nice executable at the other end just waiting to be downloaded. What a relaxing way to spend a Saturday, doing a little malware analysis.

    I opened it in Ollydbg, got past the packer and took a look at the strings in the file. Sure enough, this file wasn't one filled with good intentions. If you a look at the strings below, you can see what I'm talking about at first glance.

    Address Disassembly Text string
    00401000 MOV EAX,1 (Initial CPU selection)
    00401037 MOV DWORD PTR SS:[ESP+14],my_hots_.00410 ASCII "CbEvtSvc"
    004010CB PUSH my_hots_.00410C04 UNICODE "-k"
    004010DA PUSH my_hots_.00410C0C UNICODE "netsvcs"
    0040110C PUSH my_hots_.00410C04 UNICODE "-k"
    004014A5 MOV ECX,my_hots_.00410D58 ASCII " "
    00401710 PUSH my_hots_.00410C3C ASCII "user"
    00401731 PUSH my_hots_.00410C44 ASCII "os=%d&ver=%s&idx=%s&user=%s"
    004018B5 PUSH my_hots_.00410C60 ASCII "%s&ioctl=%d&data=%s"
    004018F4 PUSH my_hots_.00410C30 ASCII "74.50.109.2"
    004018FD PUSH my_hots_.00410C78 ASCII "ldr/client03/ldrctl.php"
    00401902 PUSH my_hots_.00410C90 ASCII "POST /%s HTTP/1.1
    Connection: Close
    Content-Type: application/x-www-form-urlencoded
    User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: %s
    Content-Length: %d

    %s"
    00401C37 PUSH my_hots_.00410C30 ASCII "74.50.109.2"
    00401C4A PUSH my_hots_.00410C30 ASCII "74.50.109.2"
    0040340A PUSH my_hots_.00410EA8 ASCII "%s-%x"
    00403561 PUSH my_hots_.00410EB0 ASCII "%s\%d.exe"
    0040361A PUSH my_hots_.00410EC0 ASCII "D7EB6085-E70A-4f5a-9921-E6BD244A8C17"
    00403915 PUSH my_hots_.00410EE8 ASCII "%d.%d.%d.%d"
    00403B29 PUSH my_hots_.00410EF8 ASCII "CbEvtSvc.exe"
    00403BC5 PUSH my_hots_.00410F08 ASCII "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
    00403BD5 PUSH my_hots_.00410BF8 ASCII "CbEvtSvc"



    I checked out the IP found in the strings above and grabbed its source code. The only thing on the page was this:


    "<html><body><h1>It works!</h1></body></html>"


    So now I'm wondering if this malware has fangs yet or if its being distributed in a trial mode. I launched the malware on
    one of my VM windows images and found that it looked pretty benign. Here is where it started to get interesting. I used a
    tool called RegShot to get a "before" snapshot of my machine state. After launching the malware I used it to get an "after"
    snapshot of my machine state. There didn't seem to be any files dropped on my harddrive, however there is a mention of a
    file above called "CbEvtSvc.exe". When I launched the malware, I also had some other tools running. I like to use other
    tools too when I'm doing behavioral analysis like: RegMon, FileMon, ProcessExplorer, TCPView, etc. Both RegMon and FileMon show that CbEvtSvc.exe was busy on my system. As a matter of fact, FileMon had this entry:

    3:11:24 PM my_hots_video.e:796 CREATE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Options: OverwriteIf Sequential Access: 00130196
    3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 SUCCESS Change Notify
    3:11:24 PM my_hots_video.e:796 SET INFORMATION C:\WINNT\system32\CbEvtSvc.exe SUCCESS Length: 87040
    3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 SUCCESS Change Notify
    3:11:24 PM my_hots_video.e:796 QUERY INFORMATION C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe SUCCESS Length: 87040
    3:11:24 PM my_hots_video.e:796 WRITE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Offset: 0 Length: 65536
    3:11:24 PM my_hots_video.e:796 WRITE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Offset: 65536 Length: 21504
    3:11:24 PM my_hots_video.e:796 SET INFORMATION C:\WINNT\system32\CbEvtSvc.exe SUCCESS FileBasicInformation
    3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 Change Notify
    3:11:24 PM my_hots_video.e:796 CLOSE C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe
    SUCCESS
    3:11:24 PM my_hots_video.e:796 CLOSE C:\WINNT\system32\CbEvtSvc.exe SUCCESS


    So the file had been created, but where was it? I used explorer to look for it and found nothing. I then used cmd.exe to
    look at the directory for the file and nothing was there. I thought maybe its hidden and I can reference it another way. From the command prompt, I tried to run the following command in system32 directory: dir *cb* and guess what, my window closed on me. I tried this method again and could find any other variety of files this way as long as it wasn't the first letters of that filename. Now I'm thinking rootkit capabilities...cool! Since my antivirus did not have issues when I downloaded the file using wget, I thought I'd throw it at a few sites and see what they thought of my new toy. Norman Sandbox provided this analysis which disturbed me:

    my_hots_video : Not detected by Sandbox (Signature: NO_VIRUS)


    [ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS
    * Compressed: NO
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK

    [ General information ]
    * File length: 87040 bytes.
    * MD5 hash: 1f4d13b31116860e0a3b692052856941


    VirusTotal provided me results showing 14/36 (38.89%) vendors had detection for this file. Not great coverage by any means, but at least some vendors know that its bad and have a signature for it.


    I'm not done with this file yet, its rather interesting. What I really wanted to point out is that my tools did not provide me with accurate answers. Tools are simply that...just tools. As you work with malware, its important to have many ways to confirm your results. Its just as important NOT to totally rely on your tools to provide you with the answers. You HAVE to understand the tools your using. Don't become so dependant on one way of verifying something. I run many tools at the same time when I work with malware. Each has a different purpose as well as strengths and weaknesses. It's important to know them and not just rely on a single method. In essence you want to look at malware from many different angles and never forget that your tools are only so good and may not provide you with the right answer. Nothing can replace your analysis skills and your ability to understand what your seeing.

    .............

    LE: After further examinations, I guess that tool could be good for beginners since is efficient enough to remove a rogue product like "XP AntiVirus 2008" - with popper definitions it might work well against other similar threats.
    Last edited by XSAlliN; 09-08-2008 at 04:03 AM.

Page 3 of 3 FirstFirst 123

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •