Posts

Showing posts from 2016

Decoding H-Worm

H-Worm or Houdini Worm is a VB Script which uses obfuscation techniques in an attempt to hide its code. I'm not here to reinvent the wheel; there are already good articles on H-Worm, including This FireEye article. I will however point out that with the right indicators in Snort, network traffic can be used to pin down a host which may be beaconing to a known URI structure for H-Worm, including the POST is-ready indicator. I had observed one host which had a VBS file in startup named adobe_flash_player.vbs. Since this host had tripped my Snort signature, I decided to look at this as a file of interest. This particular file had a couple of layers of obfuscation. In this screen capture we see the file appears to be a JPG file (although it doesn't actually display; it really appears to be garbage). This is an attempt to have an analyst potentially brush it off as a malformed JPG. However, if we scroll down to the end of the file we see something interesting. ...

Example of obfuscated Malware hidden in JPEG

Last month I analyzed a weaponized Word document that came through e-mail. This is nothing special, I see these every day, but this one gave me something interesting to play with. The file https://www.virustotal.com/en/file/387ea7a4f82d7ba686ca8018684fd2fd803a9c05a4a47130845431d383d81b36/analysis/ launches the following VBS script: https://www.virustotal.com/en/file/fdf6b117b55302ecb7da95b68e9ca5e6882c12cbf41829dfb56688bb94595ea3/analysis/ The script performs HTTP traffic: GET http://ecovalduloir[.]com/fw[.]jpg (no longer available). When it was available, the file had an MD5 of bdd3cf6f227a368a5412f11a10831136, see https://www.virustotal.com/en/file/ce0e737d3eddbbb102867063f0b163d12358075691407542f9aecafa064538dc/analysis/ At first glance the JPEG looks OK; here is a screen capture of what the file image looks like. When we look at this file through a hex editor it becomes more interesting. Here is the beginning, which looks OK. Here is a snippet a...

Chase Alert E-Mail Phishing Same

A couple of e-mails came into one of my inboxes today that I wanted to quickly share. These e-mails contained subject lines like this: "Chase Alert! [2568828843]" and contained an e-mail body which read the following: This e-mail has been sent to EMAILADDRESS@hotmail.com by JPMorgan Chase & Co. Online Banking Chase ALERT: Due to an unusual number of failed login attempts, your online banking access has been temporarily suspended. To restore your account access please click: Log On to Chase Online and proceed with the verification process. IMPORTANT NOTE: If we do not receive the appropriate account verification within 24 hours, you will need to visit a Chase branch to restore your account access. Sincerely, Chase Online(SM) © Copyright JPMorgan Chase & Co. 2016 The links in these e-mails have a URI structure similar to these: hxxp://snacktast.info/99212afb7404efc9f6acd3f17238db46/index.php hxxp://snacktast.info/b9cc2a03f094783974f35b51bf7464e4/index.php...