Norwegian Honeynet Project » Videos

Analysing malicious PDF documents and shellcode

mkrakvik — Sun, 24 Aug 2008 18:14:33 +0000

It’s time for another video-post, and this time we’re going to look at a malicious PDF document attempting to exploit a known vulnerability in the Collab.collectEmailInfo() function. We’re going to show how you can extract the shellcode and perform some static code analysis using tools like HT and IDA Pro.

Click on image to show video (opens in new window)

For references, here are the tools used in the video:

Hope you’ll find it useful! :)

Obfuscating downloads

mkrakvik — Sun, 04 May 2008 20:18:49 +0000

Previously this year, we came across a downloader (win32.exe) that is making some effort in hiding its traffic. The downloader is making GET requests to files, such as search.jpg, winlogon.jpg, tibs.jpg and tool.jpg. Using tools like chaosreader and foremost to extract the files, you would find out that these files indeed are valid images (like the one shown to the left in this post).

However, if we look more closely, we find that these files has something more interesting appended past the JPG data. Below is a short video showing what’s inside winlogon.jpg.

Get the Flash Player to see this player.

This downloader was found on hightstats dot net, which, at that time, resolved to 88.255.90.252 (AbdAllah Internet, TR) – whose netblock is very well known for its malicious hosting. At the time of this writing, the domain resolves to 66.246.229.81 (Net Access Corporation, US) and is still serving these files. We’ve also seen this kind of obfuscation before, then with the image of a green frog – McAfee has mentioned this on their blog.

Now, what winlogon.jpg (..or the executable inside it) did, was to install BraveSentry, a rogue anti-virus/spyware product that claims to have found malware on your system in order to trick you to purchase their product.

This is not a new obfuscation technique, but it seems to be a characteristic for this group of spyware creators, that are pushing these rogue security programs.

Deobfuscating JavaScripts

mkrakvik — Tue, 01 Apr 2008 14:47:19 +0000

With the recent update of the Neosploit exploit pack, I thought I’d share a small tip on how to deobfuscate these kind of attacks. Here’s a short video demonstrating a generic method of deobfuscating JavaScripts, using the SpiderMonkey JavaScript interpreter and overriding the eval()-function. Hope you’ll find it useful!

Get the Flash Player to see this player.

Malware unpacking in OllyDbg

mkrakvik — Wed, 26 Mar 2008 11:48:20 +0000

From time to time, we come across malware that is more interesting than others. A couple of months ago we saw a trojan bot with MSN spreading capabilities. And as usual, the malware was packed. However, I was not able to identify the packer being used (using PEiD, and similar tools). So I tried unpacking this sample manually in OllyDbg, and discovered that it was actually using threads to unpack itself, something I haven’t seen before.

Below you can find my very first screencast, showing how this sample was unpacked. Enjoy! :)

(will open in new window)