The other day I was looking at some malware that was interesting because it employed a strategy that allowed it to avoid a hard-coded IP address for the callback domain without being susceptible to DNS filtering. The program would first attempt to resolve the malicious domain name using the host’s built-in DNS resolution, but if that failed the host would then open a UDP connection on port 53 to a public DNS server and resolve the host directly. Read on for more details.
FakeNet Update
We’re releasing an update to the FakeNet tool to version 0.91 which can be downloaded here. The following improvements have been made:
- The dummy listener that listens on all ports now automatically detects SSL and if the connection is SSL it will decrypt the content and display it to the user. This is very useful for when malware uses SSL to encrypt traffic to an unusual port.
- Python is loaded dynamically so that if Python fails to load because the user does not have the Visual Studio redistributables the program will continue to execute without Python support.
- The NXDomain feature has been added to the DNS server to return a domain not found message for the first n times that a domain is requested. This is very useful in determining if a malware sample calls out to more than one domain if the first domain is blocked.
- An option to output the text that is sent to the console to a text file as well. Several users have asked for this feature.
- Improvement in the generated .pcap file. Some other programs were having trouble parsing the pcap data because the source and destination address were the same. To resolve this, one end of the connection is recorded as 127.0.0.1 and the other end is recorded as 127.0.0.2. Additional TCP handshakes have been added to the packet capture.
As usual we welcome feedback that could be used to improve the quality of this tool.
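To show what the NXDomain feature above does on the wire, and how it exposes the fallback-to-another-domain behaviour described at the top of this post, here is a minimal fake DNS responder. It is an added example, not FakeNet's own code: it parses a raw UDP query, answers NXDOMAIN the first n times a name is asked for, and then hands out a constructed address (127.0.0.2 and the count of 2 are assumed settings).

```python
import socket
import struct
from collections import defaultdict

FAKE_IP = "127.0.0.2"      # address handed out once the NXDOMAIN budget is spent (constructed)
NXDOMAIN_TIMES = 2         # refuse each name this many times first (constructed setting)
_seen = defaultdict(int)   # per-name query counter

def build_query(name, txid=0x1234):
    """Constructed A-record query for name, used to exercise build_response() offline."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_query(pkt):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    labels, pos = [], 12
    while pkt[pos]:                                  # walk the length-prefixed labels
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                                         # skip the terminating zero length
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, ".".join(labels).lower(), qtype, pos + 4

def rcode(pkt):
    """RCODE from the flags word of a DNS message (3 == NXDOMAIN)."""
    return struct.unpack("!H", pkt[2:4])[0] & 0x0F

def build_response(query, fake_ip=FAKE_IP, nx_times=NXDOMAIN_TIMES):
    """NXDOMAIN for the first nx_times lookups of a name, then an A record."""
    txid, qname, qtype, qend = parse_query(query)
    question = query[12:qend]
    _seen[qname] += 1
    if _seen[qname] <= nx_times:
        # flags 0x8183: response, RD+RA, RCODE 3 (name does not exist)
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    if qtype != 1:                                   # only A records are faked
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # answer: pointer to the name at offset 12, type A, class IN, TTL 60, 4-byte rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(fake_ip)
    return header + question + answer

def serve(bind="0.0.0.0", port=53):
    """Answer every UDP query with the policy above (binding port 53 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, peer = s.recvfrom(512)
            print(f"{peer[0]} asked for {parse_query(data)[1]}")
            s.sendto(build_response(data), peer)
```

Point the analysis VM's resolver at the machine running serve() and watch which second or third domain a sample tries once the first one is refused.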
Book Signing at SOURCE Boston
I will be signing books at SOURCE Boston. Mandiant has kindly agreed to sponsor the event. The first 20 people to stop by the Mandiant table on Tuesday, April 17th from 4:00 to 4:30pm will receive a FREE copy of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. If you don’t make it on Tuesday, don’t worry! I’ll do it all over again on Wednesday, April 18th from 5:30 to 6:30pm.
Already own a copy? Stop by and say hello. I would love to hear your feedback and I would be glad to answer any questions you may have.
Book Review: A Bug Hunter’s Diary
This was a fun and fast (<150 pages) read. It was a good book for me to read on vacation because you can read it a chapter at a time. Each chapter is an independent story taking you through the journey of finding a single software vulnerability. The author, Tobias Klein, is someone whom I was already familiar with by his website and we even reference his tool ScoopyNG in Chapter 17 of PMA.
For someone new to and interested in finding vulns, reading this will help you identify your gaps really quickly and also tell you if you are going to enjoy this type of work. If you aren’t very excited by the content, then trust me, you don’t want to be an exploit developer. You really need a background in programming and vulnerabilities to comprehend everything in this book. The appendix doesn’t cover enough for a beginner. Having a couple pages on defining a buffer overflow or type conversion error is enough to refresh someone who has done this before, but not enough to teach someone new to the material. The good thing is that if you want to be good at malware analysis you need the same solid C background that you will need to read this book. Long story short – learn C if you want to reverse or bug hunt!
All About EBP
EBP was designed to provide a “Base Pointer” for the current function so that all parameters and local variables would be at a fixed offset from the base pointer even as the stack pointer moved with push and pop instructions. This made it easier to generate assembly and was very beneficial for debugging because it made it easier to trace backwards up the stack and see what path of function calls led to the current instruction. However, due to compiler improvements EBP is used less often as a base pointer, so backtracing up the stack is more difficult.
Decorating Your Disassembly
When reviewing disassembly, some instructions are more important than others. You can use a simple script to color instructions that you’re interested in and make them stick out. You can use either IDAPython or IDC scripts to color the interesting instructions. Most professionals use IDAPython for their scripting, but I’ll talk about IDC because it’s available in the free version of IDA Pro and I suspect some of our readers are just flirting with malware analysis and haven’t purchased the full version (also because I have an irrational bias against python). The instructions that I most like to highlight are call instructions, but I also highlight instructions commonly used for data encoding (non-zeroing XORs), anti-VM (sidt, sgdt, str, etc.), and anti-debugging (int 3, rdtsc, etc.). This makes it easier to locate more interesting code during disassembly.
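The highlighting rules described above, written as an added IDAPython example rather than the author's IDC script. The classification is plain Python so it can be checked outside IDA; run_in_ida() applies it to the open database and assumes the IDA 7+ API names (idautils.Heads, idc.print_insn_mnem, idc.set_color). The colour values and the extra anti-VM mnemonics (sldt, smsw, cpuid) are my choices.

```python
# IDA colours are 0xBBGGRR; these values are arbitrary choices for the example.
CALL_COLOR    = 0x00FFFF   # yellow: every call
ENCODE_COLOR  = 0xFF80FF   # pink: xor whose operands differ (not a register zeroing)
ANTIVM_COLOR  = 0x80FF80   # green: descriptor-table and similar anti-VM probes
ANTIDBG_COLOR = 0x8080FF   # red: int 3, int 2Dh, rdtsc

ANTI_VM  = {"sidt", "sgdt", "sldt", "str", "smsw", "cpuid"}   # page's list plus a few more
ANTI_DBG = {"rdtsc", "int3"}
INT_VECTORS = {"3", "2dh", "2d", "0x2d"}                      # int 3 / int 2Dh as IDA prints them

def classify(mnem, op0="", op1=""):
    """Return the colour for one instruction, or None if it is not interesting."""
    m = mnem.lower()
    if m == "call":
        return CALL_COLOR
    if m == "xor" and op0.lower() != op1.lower():   # xor eax, eax is just a zero, skip it
        return ENCODE_COLOR
    if m in ANTI_VM:
        return ANTIVM_COLOR
    if m in ANTI_DBG or (m == "int" and op0.lower() in INT_VECTORS):
        return ANTIDBG_COLOR
    return None

def colour_listing(instructions):
    """Map (ea, mnemonic, op0, op1) tuples to {ea: colour} for the interesting ones."""
    result = {}
    for ea, mnem, op0, op1 in instructions:
        colour = classify(mnem, op0, op1)
        if colour is not None:
            result[ea] = colour
    return result

def run_in_ida():
    """Walk every code head in the IDB and colour the interesting instructions."""
    import idautils
    import idc
    listing = []
    for ea in idautils.Heads():
        if not idc.is_code(idc.get_full_flags(ea)):
            continue
        listing.append((ea, idc.print_insn_mnem(ea),
                        idc.print_operand(ea, 0), idc.print_operand(ea, 1)))
    hits = colour_listing(listing)
    for ea, colour in hits.items():
        idc.set_color(ea, idc.CIC_ITEM, colour)
    print("coloured %d instructions" % len(hits))
```

Paste it into the IDAPython console and call run_in_ida(); the constructed listing in the test below shows how a mixed sequence is classified.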
Book signing at CanSecWest
I’ll be at CanSecWest in Vancouver. On Thursday from noon-2pm I’ll be signing copies of the book. Pick up a signed copy of the book or bring your copy by for a signature.