Decoding H-Worm
H-Worm, or Houdini Worm, is a VBScript that uses obfuscation techniques in an attempt to hide its code. I'm not here to reinvent the wheel; there are already good articles on H-Worm, including this FireEye article. I will, however, point out that with the right indicators in Snort, network traffic can be used to pin down a host that may be beaconing to a known H-Worm URI structure, including the POST "is-ready" indicator.

I had observed one host that had a VBS file in its startup folder named adobe_flash_player.vbs. Since this host had tripped my Snort signature, I decided to treat the file as a file of interest. This particular file had a couple of layers of obfuscation.

In this screen capture we see that the file appears to be a JPG (although it doesn't actually display; it really appears to be garbage). This is an attempt to have an analyst brush it off as a malformed JPG. However, if we scroll down to the end of the file we see something interesting. ...
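As an added example (not code from the post or from the FireEye write-up), the triage heuristic below captures the two indicators the post relies on: a file that opens with a JPEG header but whose tail is readable script text, and the "/is-ready" beacon path. The sample bytes are constructed to mimic the described layout; the C2 host is an obvious placeholder.

```python
import string

# Constructed sample: JPEG-looking bytes at the head, VBScript at the tail.
# An illustrative stand-in for the adobe_flash_player.vbs layout the post
# describes, not the real sample; "[c2-placeholder]" is a placeholder host.
SAMPLE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(256)) * 8
    + b"\r\n\r\n"
    + b"dim host\r\nhost = \"[c2-placeholder]\"\r\n"
    + b"Set sh = CreateObject(\"WScript.Shell\")\r\n"
    + b"post \"http://\" & host & \"/is-ready\"\r\n"
)

VBS_MARKERS = (b"createobject", b"wscript", b"execute", b"dim ", b"set ")
PRINTABLE = set(string.printable.encode())


def looks_like_jpeg(data: bytes) -> bool:
    """True if the file opens with the JPEG SOI marker (FF D8 FF)."""
    return data[:3] == b"\xff\xd8\xff"


def printable_ratio(chunk: bytes) -> float:
    """Fraction of printable ASCII bytes; script text sits near 1.0,
    compressed image data well below it."""
    if not chunk:
        return 0.0
    return sum(b in PRINTABLE for b in chunk) / len(chunk)


def vbs_tail_markers(data: bytes, tail_bytes: int = 4096) -> list:
    """VBScript keywords present in the last tail_bytes of the file."""
    tail = data[-tail_bytes:].lower()
    return [m.decode().strip() for m in VBS_MARKERS if m in tail]


def triage(data: bytes, tail_bytes: int = 4096) -> dict:
    """Flag a 'JPG' whose tail carries script keywords or the H-Worm
    beacon path. A genuine JPEG ends in compressed data, not script."""
    tail = data[-tail_bytes:]
    markers = vbs_tail_markers(data, tail_bytes)
    result = {
        "jpeg_header": looks_like_jpeg(data),
        "tail_printable": printable_ratio(tail),
        "vbs_markers": markers,
        "beacon_uri": b"/is-ready" in tail.lower(),
    }
    result["suspicious"] = result["jpeg_header"] and (
        bool(markers) or result["beacon_uri"]
    )
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```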