Malwr showing false positives with MP4 files

During my recent tests with MP4 files, I discovered a very interesting fact: Malwr is not compatible with MP4 files and will show false positives such as detecting shellcodes, startup and HTTP connections.

Malwr uses the standard Windows XP for analyzing malware. However, the Windows Media Player in Windows XP is not able to open MP4 files, and will therefore open Microsoft’s shell page, and perform a few other activities. One of them is detected as a startup method, however it actually isn’t.

Here are some of the Malwr links that are false positives (Found using Malwr’s search button):

https://malwr.com/analysis/ZmY4MGE4MzU3NjM1NGRiZWFkNmU2OTUxMTFkZGVhZDU/

https://malwr.com/analysis/NzY1OTMxNWE5ODVkNDA3NGIxMjhlNDEwMmIwOWI2OGU/

https://malwr.com/analysis/YjM3ZGFiNmY3YjA1NDg3ZWFmNzZlNjczNjlkNmNjYzI/

https://malwr.com/analysis/YjY4M2EwZDhhYjliNDI1YThhZTk0MDlhMTcwNjE5YzA/

https://malwr.com/analysis/MTBiOWI0Zjc5ZjRhNDBjODk2N2QzNzEzOTU0N2ZhODY/

 

Why there is no need for Microsoft Office

Microsoft Office is installed on almost every computer running Windows nowadays. However, the security aspect of it is pretty worrisome.  If you are to browse around Hackforums, you will find many people selling Word Exploits, silent and macro, available at very cheap prices. Some of the recent cyber attacks against Ukraine’s  power system have been delivered with the help of these exploits. So it is not really the best idea to open any Microsoft Word, Excel, or Powerpoint document. At least not with Microsoft Office.

A much more secure way to open these documents is to upload all of them to Google Drive, and then open them. This way none of the possible malicious scripts and macros are opened on your computer. And don’t worry, Google Drive won’t be harmed, since the macros are not processed by their system.

Just some small tips from me to those who do not wish to get malware on their system.

 

Analysis of Plasma RAT’s source code

I recently was browsing HackHound, when I found the source code for Plasma RAT. Plasma RAT’s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version. An analysis of the Botnet can be found on McAfee’s blog.

The AntiVM is not really the best. It searches for VM files, but does not search for the processes, the Hard Disk name, and so on. And in case a VM is detected, the AntisFound() function is called.

vmdetected

The Chrome stealer uses a module coded by RockingWithTheBest, who is a HackForums member, a link to the thread is here. The link is Google Webcache, since sadly HackForums seems to think that my country is not one that is worth serving (jk, I know there are many skids here who use LOIC).

stealer rockingwiththebest

The FTP password stealer simply steals FileZilla’s password through reading the file \FileZilla\recentservers.xml, which has password and server details in plain text.

The Torrent Seeder might be promising for malware spreaders who are interested in spreading with torrent. However, it requires Vuze, BitTorrent or uTorrent to be installed on the host machine. This would be a very powerful feature if the spreader is using Torrent as a spreading method, since victims would be guaranteed to have these torrent clients, and it would help the spreader gets more bots.

torrentseed

The process itself is heavily protected. It first set Access Right so that attempts to kill it will result in Access Denied, and also it sets itself as critical so the system goes into BSOD when the process is killed. The folder and the files are set the the user does not have access to them, as well as being hidden.

The Condis attack is new to me, I have never seen it before. After some research it turned out to be an attack that works by rapidly opening new connection and disconnecting (Hence the name ConDis), and it is primarily used to target game servers and TeamSpeak server. Slowloris, GET and POST flood, ARME attack, and UDP flood is also present. The GET and POST attack does not seem to have any user-agent string however, and the GET attack simply downloads the file. There also is Bandwidth Flood, which often is not really the most powerful kind of attack.

Inside the source, there is a resource called “a” that looks like a binary. The file is not detected by any AV at the time I am writing this (VT scan). The file’s Malwr indicates that it is malicious, since it adds itself to startup.  It might be a part of Plasma RAT, it might not be, since the source was leaked and maybe this is the leaker’s backdoor.

a resource

There is also a Hard Botkiller, which claims to be able to kill highly persistent bots such as BetaBot. It deletes the startup registry keys, and have a module that forces the deletion of a file,… The AV killer uses the Image File Execution method to get rid of the AV, and in case Admin Privilege is not presence, it attempts to social engineer the victim to accept the UAC prompt.

social engineer uac

The normal botkill attempts to identify which startup entry is malicious and which is not through several indicator. First, if it is Plasma RAT’s executable or the Miner executable, then it is not malicious. If it has a digital signature, then it is not. If it contains “cmd” or “wscript” in it’s name, then it is malicious. If it is located in  AppData, then it is. If the file attribute is Hidden or System, then it is flagged as malicious as well.

botkill

Now let’s go to the builder. As always, there is a very nice and detailed Term of Service in order to prevent the creator from being held responsible

tos

This RAT was originally a sold bot, since SealInitialize and Seal.RunHook and other NetSeal functions were found. The source was I found was as clear as daylight, so either the creator did not obfuscate the builder, or the builder was obfuscated with public obfuscators that are easily deobfuscated. When you are creating a commercial product, it is always a must to protect your source with a strong obfuscator, and sometimes heavy encryption that is decrypted runtime would work as well. This is where crypters can be used for reasons other than encrypting the stub.

So this is it for the analysis of Plasma RAT. Good bye and see you again.

 

Megalodon HTTP, Skidware and copy pasted code.

I recently obtained a copy of Megalodon HTTP’s web panel and builder(cracked). However, the builder turned out to be malicious, so I decided to look at the modules in the panel instead. Since Megalodon relies on downloading plug-ins, and almost nothing is placed inside the stub, this should be enough to show the details of Megalodon HTTP.

Megalodon HTTP’s panel had no obfuscation and no protection at all. The legendary miner turned out to be BFGMiner, which is in a folder called ‘out’. None of the files are renamed, and therefore I can work with it more easily. An interesting thing is that Megalodon kept all of the .txt files in the miner, including README, News,… which shows how this malware was made without care. Megalodon, instead of downloading all of the files directly, instead relies on a downloader to obtain the files from the server.

miner downloader

Conveniently, inside the bin folder, the output files are also not renamed. When I attempted to change the file extension from .bin to .exe for analysis, I got a few pop ups from Kaspersky Antivirus, of which one was very interesting:

stealer stolen

Megalodon used NetPass for password recovery! Seriously, there are much better password recovery modules that are publicly available, but I guess since NetPass is popular, the developers chose it. The only advantage of using NetPass instead of other modules that I could think of is that it is very lightweight.

Using JetBrains dotPeek to reverse engineer the bins, I found them completely unobfuscated. For example, the Slowloris module uses the user agent “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36” and simply have no other header, which might causes WAF to check the browser/show a CAPTCHA.

slowloris source

Megalodon also feature an XML-RPC attack that uses the pingback function in XML-RPC to reflect the attack on other sites. This amplification method is a public one and is commonly used. The user-agent is not different from the above. While there is not much amplification in this attack, it does help masking the bot’s IP.

The ARME attack is also utilized. However, unlike the other attacks, the ARME attack does not send an user-agent with it, and therefore could be easily prevented by a WAF. Also, since botnets on HF are often bought by 11 years old wanting to boot of a friend’s Minecraft server or his/her school’s online grade book, the end user will probably not know that the ARME attack is only effective on Apache server, and useless on NGINX. The header used should be challenged with Javascript or a CAPTCHA to prevent the attack: “\r\nRange:bytes=5-1300\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n”

The Botkiller uses the worst technique I have ever seen. It checks under the Run registry key that points to an executable file that contains “conhost.exe”, if any is found, it will attempt to kill the process and remove the registry key. If you refer to my previous post about common malware process name, there are many other names such as Windows Update, Security Service,… However, it is better than nothing I guess.

botkill

 

The uninstaller simply deletes all of the registry keys under Run, and then exit. This is not really a smart idea, since the malware process will not be eliminated until the next reboot. Not good at all if you found out you are being analyzed.

uninstaller

Flood.bin file is the only find I found that was obfuscated. However, it is done with Confuser 1.9.0.0, which could easily be deobfuscated through public tools. Like seriously, if you are developing malware, you should do something along the line of manual obfuscation, then obfuscation using a private obfuscator. Confuser is old and obsolete, and unless you mod it, it is useless. However, the obfuscation gives me suspicions that this module is coded by someone else.

The Syn attack tool is also weak, as it uses only 5 threads. While this does not consume much resources and therefore less noticeable, it also does not oppose much power on the target.

syn attack

There are a few other attack methods, however, they are obfuscated, and therefore I will attempt to deobfuscate them later on.

Another interesting module is the Homepage Changer. It is capable of changing the homepage of only Mozilla Firefox and Google Chrome. Well it is good enough for HF anyway, since these are the 2 most popular browsers. And seriously, if you are still using Internet Explorer and browsing my website, you should seriously consider an upgrade to Chrome/Firefox, or better yet, Tor browser and Epic browser.

So this is it for my analysis of Megalodon HTTP.  I will be analyzing more malware in the future soon, and remember to share, like and tweet about this blog post!

And also since you read to the end of the post, I will give you a very interesting thing I found while browsing through the panel files: This error log shows us in plain text the username of the hosting account Bin4ry used for his site (bin4ry.com): http://www.zunzutech.com/blog/wp-content/uploads/2016/03/errors.txt

Interesting, right?

 

Common things in most malware

Malware might varies in style, programming language, encryption and obfuscation method, as well as many other factors. However, they all have 1 similarities (Excluding cryptolockers): They attempt to look as similar to legit application as possible.
1. Process name

Most malware will try to look like common processes. Sometimes they will try to impersonate a system process. Some of the common names are conhost.exe, windowsupdate.exe, winupdateclient.exe,… When you see a process that seems suspicious because of these signs, you should run an AV scan and attempt to find any suspicious activities on your computer. If your AV solution does not detect anything, open up Task Manager, right click on the process, select “Open File Location”, and copy the file to your desktop. After that, you can upload it and forward it to me.

2. Installation Directory

This is the similarity in most malware. They will install themselves to a directory, so even if you delete the original file, the malware is still on the system. Some popular place for installation of such malware is the AppData folder, the Windows folder and the Temp folder. The Temp folder is the least popular of the three, since it is cleared regularly in order to preserve disk space. However, it is still commonly used.

3.  Attempts to hide process

Malware DON’T want to be spotted. So they try to hide their task from the Task Manager. Some might do this by attempting to replace the Task Manager, which could be done simply through a registry key, some might try to launch it from a different user, which isn’t really effective, or some just try to kill the task manager process.

So that is it for this post. I know it is kinda short, but that is because I am analyzing a RAT, which is somewhat unique since it uses PHP for connection.

 

Now blocked countries

Recently, in a log check, I found a lot of bad traffic, which were responsible for the 5000 failed logins to my site. They came from 9 small countries, which are all now blocked. I will not reveal the name of the countries, except for one, which is China.

Cheers.

 

The new Raspberry Pi 3: Ideal for developer

The new Raspberry Pi 3, with the same price tag of $35 as the Pi 2, has a lot of major improvement. It is now one of the cheapest IOT device you can use to develop with and build upon.

The new Pi 3 comes with a Built-In Wifi adapter, a 1.2GHz 64 bit Quad-Core ARM processor, which is 10 times the power of the old Pi 1. Other than that, it is still compatible and can be used with the old Pi 1 and 2.

Raspberry Pi is a powerful development tool at an extremely low price tag. At the cost of $35, you also get 1GB of RAM, 4 USB port, HDMI compatibility, and can easily run Raspbian, a modified version of Debian with the exact same functionality as the original version. For penetration testers, the small Pi can run Kali Linux with ease, and can be easily hidden and used in penetration tests.

So grab it now before the $35 sales expire! You can check out Raspberry Pi’s official site at raspberrypi.org and see all of their product! Stay tuned for more new updates.