
Dec 31, 2013

First Malware Analysis

Recently I began the process of looking for malware to start learning how to process things. Currently my skills are terrible, but I've got to start somewhere.


Found this email in my wife's Hotmail, as Gmail would never let something like this arrive in my email. It was obvious to me it was malware, as it was a "zip" file with what appears, by the icon, to be a Microsoft Word document.



As we can clearly see, Windows is not as easily fooled and properly labels it as an application. The simple Windows Properties dialog shows that it is an archive.


Using a universal extractor, we obtained the following files:
.text
.rdata
.data
Folder (/.rsrc)

Opening up .rdata in a hex editor reveals the following info:

T.VirtualAlloc..©.GetCurrentProcess.¬.GetCurrentThread....CreateFileW.….GlobalAlloc.æ.EnumResourceLanguagesA..7.FindResourceExA.O.FreeResource..ö.GetModuleHandleA..9.GetStartupInfoA.X.GetTempFileNameA..Z.GetTempPathA..Œ.GlobalFree..ö.LoadResource....LockResource....MoveFileA. .SizeofResource..KERNEL32.dll..¨.DispatchMessageA..Õ.TranslateMessage..J.GetMessageA.é.UpdateWindow..¸.ShowWindow..4.RegisterClassExA..Ò.LoadCursorA.Ö.LoadIconA.•.DefWindowProcA.. .PostQuitMessage.Õ.EndPaint....GetClientRect...BeginPaint..g.CreateWindowExA.o.GetSystemMetrics....AdjustWindowRectEx....CallWindowProcW.-.CharNextA./.CharNextW.h.CreateWindowExW.–.DefWindowProcW..š.DestroyAcceleratorTable...DestroyIcon.ž.DestroyMenu. .DestroyWindow.Ï.EnableMenuItem..ì.EqualRect.î.ExitWindowsEx.ó.FindWindowW...GetClassInfoExW...GetCursorPos....GetDC...GetDesktopWindow..$.GetFocus..%.GetForegroundWindow.1.GetKeyState.U.GetParent.k.GetSubMenu..}.GetWindow.‚.GetWindowLongW..ˆ.GetWindowRect.©.IntersectRect.ª.InvalidateRect..µ.IsChild.Å.IsWindow..Í.KillTimer.Õ.LoadCursorW.Ù.LoadImageW..Þ.LoadMenuA.ã.LoadStringA.ä.LoadStringW.ó.MapWindowPoints.ÿ.MessageBoxW...MsgWaitForMultipleObjects...OffsetRect....PeekMessageA..).PtInRect..3.RegisterClassA..5.RegisterClassExW..L.ReleaseDC.N.RemoveMenu..c.SendMessageW..p.SetCursor.y.SetFocus..z.SetForegroundWindow.ž.SetTimer..¥.SetWindowLongW..§.SetWindowPos..¨.SetWindowRgn..Ä.SystemParametersInfoA.Å.SystemParametersInfoW.Ð.TrackPopupMenuEx..Ú.UnionRect...wsprintfA...wsprintfW...wvsprintfW..USER32.dll..ô.GetStockObject....LineTo..!.MoveToEx..F.Rectangle...CloseMetaFile.0.CreateDCW.E.CreateMetaFileW.N.CreateRectRgnIndirect.Í.DeleteDC..Ï.DeleteMetaFile..µ.GetDeviceCaps...LPtoDP..P.RestoreDC.W.SaveDC..{.SetMapMode....SetViewportOrgEx..“.SetWindowExtEx..”.SetWindowOrgEx..GDI32.dll.Y.RegOpenKeyA.ADVAPI32.dll..".Shell_NotifyIconA.SHELL32.dll...CoCreateInstance..%.CoGetClassObject..=.CoInitialize..R.CoRegisterClassObject.^.CoRevokeClassObject.f.CoTaskMemAlloc..g.CoTaskMemFree.h.
CoTaskMemRealloc..k.CoUninitialize..z.CreateDataAdviseHolder..‚.CreateOleAdviseHolder.ù.OleLoadFromStream...OleRegEnumVerbs...OleRegGetMiscStatus...OleRegGetUserType...OleSaveToStream.H.WriteClassStm.ole32.dll.z.memcpy...._XcptFilter.%.__dllonexit.(.__getmainargs.:.__p__commode..?.__p__fmode..Q.__set_app_type..S.__setusermatherr.._._acmdln.m._adjust_fdiv..w._c_exit.z._cexit..‡._controlfp..›._except_handler3..¤._exit.Æ._ftol.ç._initterm.`._onexit.m._purecall.Ì._wcsnicmp..._wtoi.,.exit..A.free..t.malloc..Š.realloc.«.strtol..Ã.wcschr..Ä.wcscmp..Ð.wcsstr..msvcrt.dll

We can see the control triggers for what appears to be Trojan remote-control software. I had to break up the XML so that the blog will actually display the results.
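As an added example (not part of the original post), here is a small Python triage script that does mechanically what the hex-editor view above shows by eye: it pulls the null-terminated names out of a hint/name-table blob like the .rdata dump, groups them under the DLL name that follows each run, and flags APIs worth a closer look when analysing a dropper. The byte string is constructed to mimic the dump's layout, and the watch list and its notes are my own choices rather than anything from the post.

```python
import re
from collections import OrderedDict

# Runs of 3+ printable ASCII bytes. The 2-byte hint before each name is either
# non-printable or one printable byte plus 0x00, so it stays separate from the
# name (a hint >= 0x2000 with two printable bytes would glue on; rare).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{3,}")

# Constructed sample mimicking the .rdata layout above:
# [hint lo][hint hi][name\0][pad] ... [DLL name\0]
SAMPLE_RDATA = (
    b"T\x00VirtualAlloc\x00\x00\xa9\x00GetCurrentProcess\x00"
    b"X\x00GetTempFileNameA\x00\x00Z\x00GetTempPathA\x00\x00"
    b"\x00\x00MoveFileA\x00KERNEL32.dll\x00\x00"
    b"\xee\x00ExitWindowsEx\x00\xff\x00MessageBoxW\x00\x00USER32.dll\x00\x00"
    b"Y\x00RegOpenKeyA\x00ADVAPI32.dll\x00\x00"
    b"\x00\x00memcpy\x00\x00msvcrt.dll\x00"
)

# APIs worth a closer look in a dropper-style sample; the notes are my own
# triage hints, not anything the binary declares about itself.
WATCHLIST = {
    "VirtualAlloc": "allocates memory, often for code unpacked at runtime",
    "GetTempPathA": "locates %TEMP%, a common staging directory",
    "GetTempFileNameA": "creates a temp file name for a dropped payload",
    "MoveFileA": "relocates a file after it is written",
    "FindResourceExA": "looks up an embedded resource (cf. the .rsrc folder)",
    "LoadResource": "loads an embedded resource into memory",
    "LockResource": "obtains a pointer to the resource bytes",
    "ExitWindowsEx": "can log the user off or reboot the machine",
}


def parse_import_names(blob):
    """Group each run of function names under the DLL name that follows it."""
    imports = OrderedDict()
    pending = []
    for match in PRINTABLE_RUN.finditer(blob):
        token = match.group().decode("ascii")
        if token.lower().endswith(".dll"):
            imports[token] = pending  # names before a DLL name belong to it
            pending = []
        else:
            pending.append(token)
    if pending:  # trailing names with no DLL marker after them
        imports["(unattributed)"] = pending
    return imports


def flag_imports(imports):
    """Return (dll, api, note) for every watch-listed API in the table."""
    return [(dll, api, WATCHLIST[api])
            for dll, apis in imports.items()
            for api in apis if api in WATCHLIST]
```

Run it against the raw bytes of your own extracted .rdata (open the file in binary mode) to get the per-DLL import list without reading the hint bytes by hand.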
Inside the folder, we see:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

This provides improved remote control over the computer.


Compiled with (a wide-character string in the binary, shown here with the null bytes stripped):
This installation was built with Inno Setup.
http://www.jrsoftware.org/isinfo.php


It is officially classified as Trojan-Downloader.Win32.Kuluoz.D.

Dec 19, 2013

Oh, Cisco...

I'll start this post off with that video because I feel great that my Cisco CCENT is out of the way at WGU, course COV1.
It's been a long month and a half for me. First I had umbilical hernia surgery and quit a temp job because they weren't giving me the time off I needed to recover from the surgery. Next I got sick with a nasty flu, followed up with family visiting for Thanksgiving. At the end of all that, my family and I caught a severe cold which turned into acute bronchitis. I am feeling 95% better now; I just have this terrible lingering cough which I've read on the internet is going to last possibly 20 or so days. I'm on day 15 and it doesn't seem to be getting better, so after Christmas, if I still have it, I'll be heading into my VA clinic to see if I can get something to clear it up.

So enough about that crap. About the CCENT test, let's see if I can come up with any pointers. Focus a lot on the subnetting stuff. It really will help. I know I hate it, and I have a lot of tables memorized because I hate it. Yes, I do know how to subnet and do the binary math; I just find it time consuming and would rather use the shortcuts I know of. The next big section was the troubleshooting section. I had "four" questions that were troubleshooting. The reason I quoted that is because the "four" was actually "16", because each problem had four additional questions that you had to answer. Throw in a bit of IPv6 stuff and some security and that summed up the test for me.

What's next on my plate at WGU? Leadership Concepts and Applications (RIT1). I just want to shoot myself now. I really don't care for this topic, as I find a lot of it BS, but I gotta do it. I just started reading my first chapter and I already feel the need to go take some Tylenol. I'm hoping to get this done in just a couple of weeks. That is, if I get off this blog and my other websites and actually read the chapters.

Nov 13, 2013

Oh the pain!

So I've been busy getting better and haven't done much studying. I had my umbilical hernia surgery on November 1st and I've been spending a lot of time sleeping and recovering my strength. It's so weird how a little cut can take so much energy out of you. I had a bad reaction to my hydrocodone, broke out in a terrible rash, and had to be switched to oxycodone. I quit my temp seasonal job due to needing more recovery time, and my boss deciding to switch my schedule, making it hard for me to recover, do my schoolwork at WGU, and spend time with my family.

Right now, I am working on COV1 at WGU, which is the CCENT from Cisco. It's rather hard for me to pay attention to because I do know a lot of this already. I just need to refresh my memory by having the videos running and watching them when I can. The videos for this class were from CBT Nuggets. I like the videos; it's just hard to focus on stuff when I am saying "yeah yeah, I know this". I always struggle with knowing which protocols cover which idea, and subnetting is always my nightmare.

Oct 22, 2013

And another is down

Took the LX0-101 from CompTIA on Friday and scored a 660, which isn't too bad, but I would have preferred a much higher score than that. I felt like a few new things were thrown at me that I hadn't studied for.

Started studying for the LX0-102 this week and so far it's going well. My first pre-assessment score was 73%, and this afternoon I scored an 80%. A 7% improvement over 1 day isn't too bad in my opinion. I need to get that to 90% before I am allowed to take the test.

Went to the VA to have the surgeon look at my umbilical hernia, and my surgery is scheduled for November 1st. So that will be a fun week of pain plus going to work. I am taking one extra work day off to make sure that I give myself plenty of time to deal with the pain.

Oct 4, 2013

Work work

I started a new position this week. A company was looking to fill some temp part time positions so I thought it wouldn't be that bad to get myself out for a while each day and do some work. Really nice to be able to buy Christmas gifts this year for my boys.

So far, I like it. It's taking some getting used to, but I think I can handle it. A little stressed because they expect you to act like you have been working there for years as you deal with the customers, though they understand you just started. They want to create that illusion with the customer.

I like my co-workers who are starting out with me, though one made a bone-head move and told them he needed to take a day off so he could do an interview with Apple. Yeah, he didn't last long, as we are a right-to-work state. I made the same stupid mistake years ago and I learned from it. Hopefully he landed that job with Apple.

Studying is going well. I improved my overall testing score by 11%, but it's still not good enough to request taking the DRV1 LX0-101 test, the first Linux+ test.

Oh, and apparently I have a new nickname, 'Sprinkles'. I was out of the room, came back and they told me that was my name.


Sep 23, 2013

It never ends

No matter how much time I throw at my Linux+ cert, the first test, it seems like there is even more to do. Got through learning about time management, print management, and a couple more things. I've completed nine chapters out of the twelve. After completing all the chapters, hopefully by the end of this week, I'm going to go back and study the worksheets and retake each chapter exam to prepare myself.

I took a practice exam this morning and got a 53%. Terrible. However, I think it was more like 56%, because on a couple of questions I just forgot a letter in the command, so I really don't count those, as I will learn them.

In my downtime, and keeping with the theme of this blog post, I have been working on an AOKP JB-MR1 release for the T-Mobile G2x, aka LGE P-999. It's a slow process. While I am familiar with Tegra 2 products, as I have done CM10, CM10.1 and AOKP ports for the Dell Streak 7, this is the very first phone I've worked on with dedication. I've been having some difficulties the last week or so getting the OTA package to compile. It's been complaining about an unknown 'property' in build.prop and halting the build. Nothing I did seemed to affect this or make the error go away. Well, after some time, I looked at the P-990 (a similar device) and realized that in the last updates of AOKP/CM10.2 they implemented some changes to the scripts, causing my build to fail. So I have to squash those commits and implement my own custom releasetools set. I've got that in place and compiling is going on now.

Sep 16, 2013

Another day, another dollar

Part of what I do in my life is try to keep myself busy alongside my studies. I tend to get bored quickly and this can diminish the quality of my study time. For example, I'm posting on this blog because Linux static/dynamic libraries are brain-dulling.

Today I was informed that I am being offered a part-time temp position with TAOS. I will be part of a 6-member team providing Apple product tech support for a women's perfume/makeup shop. This store uses iPods, iPads and Macs to provide their customers instant access to the best female product for them. So we shall be helping their temp help figure out how to use the fang-dangled devices.

I have had three iPods, the last two being touchscreen ones, and I consider myself familiar with them, but not real tech support on them, so this will be good experience for me to learn from.

Now back to studying. My goal is the first Linux+ test in two weeks, and there is so much material to do. I am having a hard time, as typically when I have a problem with Linux I use 'man', '/?', or '--help' to figure out what a command needs to look like, but this test will require me to know so many commands by heart.

Sep 12, 2013

First one done

I took the day pretty much off yesterday as I "prepared" myself for the exam. I did a brief study, watched about 4 hours of "Bones" and then did one more practice exam, scoring a 92%. Felt like I was pretty much ready to take the test. I wanted to see how well my mind did with a brief study period, then hours and hours of distraction, and how much I could recall. I was pretty sure I was ready for the CIW Web Design Specialist, which is the course CUV1 at WGU.

This morning I took my test at my former community college, where I volunteer twice a week with my former instructor, helping out his new class.

I've been in the testing center many times before. I was scheduled for an 8:30am test, but no one was waiting so I started around 8:15am.

99% of the questions were NOT what I had studied. I had read on the discussion boards of the college that the material we studied was outdated. For example, Firefox was listed as the #1 web browser, which is no longer true, as Chrome holds the largest market share now. This chart shows usage as of 2012.

And here is another chart showing usage as of 2013.

The questions on the test are similar in many aspects, so I was able to extrapolate from my study and do well enough. It took me approximately 20 or so minutes to complete the exam and I scored a 78%. For the perfectionist inside of me, this is not good enough, but my student mentor, Joyce, was very happy for me, as I am way ahead of my schedule for completion of this semester.

My next class is Operating Systems 1, class ID DRV1, which is actually the first part of the CompTIA Linux+, LX0-101. I am pretty familiar with Linux, as I use it exclusively for my Android ROM development for the Dell Streak 7. So I am excited to start this next class. For the first class, I was scheduled for 6 weeks; I took 9 days.

Sep 11, 2013

WGU, another step closer to my future

Wow, it's been a while since I've posted to a blog. There have been so many changes in my life.
I lost my job, went back to school, received my AAS in Information Security and Digital Forensics, and am now on to my Bachelor's in IT Security at Western Governors University.

I found out about WGU actually from a supervisor on an internship. I was doing an internship with my community college's security engineer, working on configuring the school's IDS, and every week he had these calls he had to do with someone he said was his student mentor. After asking him further, he mentioned he was going for his Master's in Security from a school called WGU. I thought that was pretty cool, but tossed it out of my mind. As time went by, I graduated and began looking for a job. I had one strong possible job and was even packing up to move when financially it wasn't going to work. I began the process of registering at Boise State University and was pretty much all set up to get my Bachelor's in Applied Science, minor in Computer Science. However, I was pretty disappointed that I was going to have to complete three more math classes just to begin the computer science part, and I wasn't even wanting anything really to do with computer science, as I hate programming.

As time got closer to getting ready to go to BSU, I was talking things over with the wife, and I had mentioned WGU to her. Out of curiosity, we both looked at their website and discovered they had a Bachelor's program, and it was completely online and would give me tons of certifications as a way of completing each class. That was something of great interest to us, as all the good schools with security programs were not in our state nor offered online classes exclusively. I began the process of finding more information the very next day and was quickly guided through the enrollment process. I took care of transferring transcripts, financial aid, VA GI Bill stuff, and got more excited every day.

I started my first day of class on Sept 1st and have a student mentor named Joyce, who is an electrical engineer (Master's degree) at Lockheed. She is there to make sure I stay on track and focused.

My first class is CUV1, which is actually a CIW Web Design Specialist certification. In the first day, I did 8 chapters and took a practice exam, scoring 75% easily. There were a lot of JavaScript, CSS, and XHTML questions that I had a tough time with. I did another 8 chapters and started scoring 80-84% on the practice exams. In order to "test out" of the class and take your certification exam, you need to consistently score 85% or better. I proceeded to skip the next 14 chapters, which had to do with various software and designing websites and graphics with them, something I have no interest in. The last 4 chapters had to do with JavaScript, databases, web site maintenance practices, and a few other subjects. After completing those I did 600 questions which covered the entire book and started doing 94-97% on the practice exams.

So where does that put me? I'm on day 11 of my first class and I take my exam tomorrow. I was scheduled to take at most 6 weeks to complete this class.

This is another reason why I chose this school. My pace, my time. I am a quick learner and don't need as much time to absorb information as a lot of people do. I don't mean to brag; this is just the way I was made.

I am excited to start this school and I want to do well. I want to write about my classes in this blog to record my experience.

Oh yeah, this station on Pandora helps me drown out noises and distractions. http://t.co/vzoKHmDVh1