Posts

Decoding H-Worm

H-Worm or Houdini Worm is a VB Script which uses obfuscation techniques in an attempt to hide code. I'm not here to reinvent the wheel, there are already good articles on H-Worm, including this FireEye article. I will however point out that with the right indicators in Snort, network traffic can be used to pin down a host which may be beaconing to a known URI structure for H-Worm, including the POST is-ready indicator. I had observed one host which had a VBS file in startup named adobe_flash_player.vbs. Since this host had tripped my Snort signature, I decided to look at this as a file of interest. This particular file had a couple of layers of obfuscation. In this screen capture we see the file appears to be a JPG file (although it doesn't actually display; it really appears to be garbage). This is an attempt to have an analyst potentially brush it off as a malformed JPG. However, if we scroll down to the end of the file we see something interesting. ...

Example of obfuscated Malware hidden in JPEG

Last month I analyzed a weaponized Word document that came through e-mail. This is nothing special, I see these every day, but this one gave me something interesting to play with. The file https://www.virustotal.com/en/file/387ea7a4f82d7ba686ca8018684fd2fd803a9c05a4a47130845431d383d81b36/analysis/ launches the following VBS script https://www.virustotal.com/en/file/fdf6b117b55302ecb7da95b68e9ca5e6882c12cbf41829dfb56688bb94595ea3/analysis/ The script performs HTTP traffic: GET http://ecovalduloir[.]com/fw[.]jpg (no longer available). When it was available, the file had an MD5 of bdd3cf6f227a368a5412f11a10831136, see https://www.virustotal.com/en/file/ce0e737d3eddbbb102867063f0b163d12358075691407542f9aecafa064538dc/analysis/ At first glance the JPEG looks OK; here is a screen capture of what the file image looks like. When we look at this file through a hex editor it becomes more interesting. Here is the beginning, looks OK. Here is a snippet a...

Chase Alert E-Mail Phishing Same

A couple of e-mails came into one of my inboxes today that I wanted to quickly share. These e-mails contained subject lines like "Chase Alert! [2568828843]" and contained an e-mail body which read the following: This e-mail has been sent to EMAILADDRESS@hotmail.com by JPMorgan Chase & Co. Online Banking Chase ALERT: Due to an unusual number of failed login attempts, your online banking access has been temporarily suspended. To restore your account access please click: Log On to Chase Online and proceed with the verification process. IMPORTANT NOTE: If we do not receive the appropriate account verification within 24 hours, you will need to visit a Chase branch to restore your account access. Sincerely, Chase Online(SM) © Copyright JPMorgan Chase & Co. 2016 The links in these e-mails have a URI structure similar to these: hxxp://snacktast.info/99212afb7404efc9f6acd3f17238db46/index.php hxxp://snacktast.info/b9cc2a03f094783974f35b51bf7464e4/index.php...

More in-depth analysis of email scam links

In my last post http://security5magics.blogspot.com/2015/12/an-obvious-e-mail-scam-lets-see-where.html I ran through a quick analysis of a very prominent e-mail scam used today. The scam uses a link which has a PHP file holding a piece of JavaScript at the end. The JavaScript is a redirect to another site, usually a fake pharmacy site. I felt like showing a quick decoding of what the JavaScript does; the following code is very similar to the code from my first post, but is from a different spam e-mail I received today, which leads to a different site. Check it out. script type="text/javascript" function suddenlye() { suddenlya = 5; suddenlyb = [124, 110, 115, 105, 116, 124, 51, 121, 116, 117, 51, 113, 116, 104, 102, 121, 110, 116, 115, 51, 109, 119, 106, 107, 66, 44, 109, 121, 121, 117, 63, 52, 52, 120, 114, 102, 119, 121, 117, 110, 113, 113, 120, 123, 102, 113, 122, 106, 51, 119, 122, 44, 64]; suddenlyc = ""; for (suddenlyd = 0; suddenlyd < suddenlyb.leng...

An obvious e-mail scam, let's see where it takes us

I get a lot of spam in my e-mail accounts, as I'm sure everyone reading does. One campaign that is seen often is an attempt to trick the user into believing that they are getting a message from YouTube, Facebook, Skype or other major sites. The messages are typically caught by spam filters, and often can be spotted as a fake by a simple glance. I felt I would share one today, just because I thought it would be fun to see where it takes me. For analysis I use a spare laptop running Ubuntu as the host and have virtual machines running with Security Onion, SIFT and Windows 7 32-bit. For this particular exercise I used SIFT exclusively, and when finished I refresh my SIFT VM. OK, enough of the boring stuff, here's the message I got in my Spam box: Right away notice the subject doesn't exactly look reputable, neither does the sender address in this case. The rest of the message is crafted very simply, the goal is only to get the user to click the "View mails"...