
Malware analysis

looking for the perfect virus

The Easter Bunny has been kidnapped, and YOU have to save him! Quickly collect yourself and help save him. Put on your detective hat and start investigating the clues provided.

We managed to intercept a message from the kidnappers. Unfortunately it seems to be scrambled in some way. We also managed to intercept a ciphered message from one of the criminals and the cipher text below. The cipher text was once considered unbreakable, however newer techniques of cryptanalysis have proven how to beat it. Listen to the intercepted message from the kidnappers, or attack the cipher message. Your choice.

The intercepted message can be played back here: http://securesolutions.no/intercepted%20and%20scrambled%20message.mp3

The cipher text looks like this:

Dsemvnqwlnmmzvi! Cc jagpbussnpwg tfgzvlroknt mlta cfwjgkr vqu phywl bfx kni Rxutrk Tztydi btsj lh tux asmhfesuygp qf gai Piiuii Zieoqrvlxd. Bxf gioqvkclf aegm ivgtkwfcwlyr fpmd btgxiubpdrw, xsidlw ku cbr! Vhngod nes cfav tlqd jhvv, ide M yutr fv wnl jfv. Xfvv ow geg fvgew xqsx fl xub Gafmic Kxbpckrtb: jtgi://ahe.ifglxiflnugbsya.dp/iryxro-ehneppvwf-xyk-qlpveer-sq-bxf-qzywvki-enlxpz-rvree/

Hva aoh emvm yu? Pvgzr x eozfiyb qoh ckx zb mnbp :)

How will you aid the investigation? Anyone with an interest in cryptanalysis might attack the cipher directly, however the rest of us, along with some Google Fu, may start with the intercepted message.

Good luck! The Easter Bunny depends on you!

The first one to email the answer to PenTestVideo sans.org (yes, that’s the email alias to our team of judges) will win a SANS Pen Test T-Shirt as well as a SANS NetWars T-Shirt! Please use an e-mail subject of “SAVING THE EASTER BUNNY” for your e-mail at PenTestVideo sans.org.

Best regards,
http://pen-testing.sans.org/blog/pen-testing/2014/04/17/easter-challenge-the-mystery-of-the-missing-easter-bunny
—————————————————————————————————-
I wasn't the first to solve the mystery of the kidnapped bunny; maybe next time.

Decoding the intercepted message: http://securesolutions.no/intercepted%20and%20scrambled%20message.mp3
After a few failed attempts at decoding the message by hand (I thought it was a One Time Pad with a short key, but I was wrong), I started working through the challenge step by step, guided by the old folk wisdom "If you have tried everything and nothing works, read the manual". On rereading the challenge text, "scrambled" and "Google Fu" jumped out at me.

google> mp3 scrambled, and found that the audio is in fact reversed, so I uploaded it to http://www.mp3-reverser.com/en/ and got something intelligible: http://www.sendspace.com/file/3bt9tv

Delta Lima Break
Delta Romeo Oscar Papa Bravo Oscar X-ray Uniform Sierra Echo Romeo Charlie Oscar November Tango Echo November Tango Break
Charlie Oscar Mike Break
Uniform Break
16108286 Break
Kilo India Delta November Alfa Papa Papa Echo Delta Bravo Uniform November November Yankee Break
Juliett Papa Golf

The message was read out in the NATO phonetic alphabet; once decoded it turns out to be a URL (each "Break" is a separator: a dot in the host name, a slash in the path): http://dl.dropboxusercontent.com/u/16108286/kidnappedbunny.jpg
[image: Kidnapped Bunny]
Opening the picture in a hex editor:
[image: Kidnapped Bunny - hidden message]
I found:
Encryption algorithm: Vigenere
Password: the name of a city + the make/model of the camera

A small Python script gives us the data needed to work out the password:

import sys
from PIL import Image
from PIL.ExifTags import TAGS

image = "kidnappedbunny.jpg"
try:
    im = Image.open(image)
except OSError as err:
    sys.exit("cannot open %s: %s" % (image, err))

# _getexif() returns the raw EXIF directory as {tag id: value}; translate the
# numeric ids to their names (GPSInfo, Model, ...) with PIL.ExifTags.TAGS
exif = im._getexif() or {}
for key, value in exif.items():
    print(TAGS.get(key, key), ":", value)

result:
GPSInfo : {0: (2, 3, 0, 0), 1: 'N', 2: ((60, 1), (23, 1), (3567, 125)), 3: 'E', 4: ((5, 1), (19, 1), (969, 50))}
Model : XcanteliQ

The GPS coordinates are not exactly readable in this form, so I turned to a professional solution:
[image: Bunny GPS coordinates]

Using the site gps-coordinates.net we also get the name of the city
[image: Bunny town]
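As an added example (not the author's script and not the web service used above), the GPSInfo directory printed by the EXIF script can be turned into signed decimal degrees locally. The dict literal below is copied from that output; the tag numbers follow the EXIF GPS IFD (1 = GPSLatitudeRef, 2 = GPSLatitude, 3 = GPSLongitudeRef, 4 = GPSLongitude), and the code accepts both the (numerator, denominator) tuples older Pillow versions return and the IFDRational objects newer ones return.

```python
from fractions import Fraction

# GPSInfo directory as printed by the EXIF script above (EXIF GPS IFD tag ids:
# 1 = GPSLatitudeRef, 2 = GPSLatitude, 3 = GPSLongitudeRef, 4 = GPSLongitude).
GPS_INFO = {
    0: (2, 3, 0, 0),
    1: 'N', 2: ((60, 1), (23, 1), (3567, 125)),
    3: 'E', 4: ((5, 1), (19, 1), (969, 50)),
}

def _to_fraction(r):
    """Pillow < 7 gives (numerator, denominator) tuples, newer versions give
    IFDRational objects; both are reduced to an exact Fraction. A zero
    denominator (corrupt EXIF) raises ZeroDivisionError on purpose."""
    if isinstance(r, tuple):
        return Fraction(r[0], r[1])
    return Fraction(r.numerator, r.denominator)

def dms_to_decimal(dms, ref):
    """Convert an EXIF (degrees, minutes, seconds) triple to decimal degrees;
    the S and W hemispheres are negative."""
    deg, minutes, seconds = (_to_fraction(r) for r in dms)
    value = deg + minutes / 60 + seconds / 3600
    if ref in ('S', 'W'):
        value = -value
    return float(value)

def gps_from_exif(gps_info):
    """Return (latitude, longitude) in decimal degrees, or None when the
    directory lacks either coordinate or its hemisphere reference."""
    try:
        lat = dms_to_decimal(gps_info[2], gps_info[1])
        lon = dms_to_decimal(gps_info[4], gps_info[3])
    except KeyError:
        return None
    return lat, lon

if __name__ == "__main__":
    lat, lon = gps_from_exif(GPS_INFO)
    print("%.5f, %.5f" % (lat, lon))  # paste into any map service to get the city
```

For the coordinates above this gives roughly 60.39126, 5.32205, which any map service resolves to the city the author found via gps-coordinates.net.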

Knowing the encryption algorithm and the words that make up the password, and using the site http://f00l.de/hacking/vigenere.php, I obtained the original message:

Congratulations! by successfully deciphering this message you could let the easter police know of the whereabouts of the easter terrorists. the criminals have successfully been apprehended, thanks to you! thanks for your good work, and i hope it was fun. here is the final part of the easter challenge: http://www.securesolutions.no/easter-challenge-the-mystery-of-the-missing-easter-bunny/

did you like it? leave a comment and let me know :)

On the site in question, http://www.securesolutions.no/easter-challenge-the-mystery-of-the-missing-easter-bunny/, there is one more password to enter in order to save the bunny, but I don't want to give away the whole mystery, so I won't post the password.
[image: Bunny is safe]

A nice challenge. It could have been solved very quickly: Dsemvnqwlnmmzvi! = congratulations! + the Vigenere encryption/decryption table => the key used for encryption/decryption => challenge solved.


Name: Noah 2014 Original Soundtrack [Clint Mansell].ex
Size: 1752156
Md5 hash: 6f6550976963f22c3f7367c9d195a9dc
SHA1 hash: c00e58d7dbbb4e747c8685754e3bfdce2e90d803

FileVersion : 3.3.8.1
FileVersion: 3, 3, 8, 1
FileDescription:

antivirus detection: detection ratio 7/49

Antivirus              Result                                    Update
AntiVir                TR/Dropper.Gen                            20140415
CMC                    Trojan.Win32.Generic!O                    20140411
ESET-NOD32             a variant of Win32/Injector.Autoit.ABQ    20140415
K7AntiVirus            Trojan ( 700000111 )                      20140414
K7GW                   Trojan ( 700000111 )                      20140414
Qihoo-360              Malware.QVM10.Gen                         20140415
TrendMicro-HouseCall   TROJ_GE.3B0BC417                          20140415

No detection (grouped by signature update date):
20140415: AVG, Ad-Aware, AegisLab, Antiy-AVL, Avast, Baidu-International, BitDefender, Bkav, ByteHero, CAT-QuickHeal, ClamAV, Commtouch, Comodo, DrWeb, Emsisoft, F-Prot, GData, Ikarus, Jiangmin, Kaspersky, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, MicroWorld-eScan, Microsoft, NANO-Antivirus, Norman, SUPERAntiSpyware, Sophos, Symantec, TotalDefense, TrendMicro, VBA32, VIPRE, ViRobot, nProtect
20140414: Agnitum, AhnLab-V3, F-Secure, Panda, Rising
20140413: Fortinet, TheHacker

process:
C:\Documents and Settings\Administrator\Application Data\Noah 2014 Original Soundtrack [Clint Mansell].exe

network activity:
b294237.no-ip.biz
b294237.no-ip.org

persistence:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe c:\documents and settings\administrator\application data\noah 2014 original soundtrack [clint mansell].exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adobe c:\documents and settings\administrator\application data\noah 2014 original soundtrack [clint mansell].exe

new files:
c:\Documents and Settings\Administrator\Application Data\
Noah 2014 Original Soundtrack [Clint Mansell].exe

c:\Documents and Settings\Administrator\Application Data\dclogs\
2014-04-15-3.dc

registry:
HKEY_CURRENT_USER\Software\DC3_FEXEC\

malware type: DarkComet
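The indicators above (the Run value, the no-ip hosts, the DC3_FEXEC key and the dclogs file) are easy to turn into a triage check. The script below is an added example, not part of the original analysis: it runs regex rules derived from those indicators over a handful of constructed log lines (registry, DNS and file events written in an invented format for this example). The Run-key rule is deliberately more general than the sample's "Adobe" value: it flags any Run entry whose target executable lives under a user profile's Application Data or AppData\Roaming, since a legitimate installer rarely autostarts a program from there.

```python
import re

# Rules derived from the indicators listed above. The first rule is
# generalised to any Run value whose target lives in the user profile.
IOC_RULES = [
    ("Run value starting an exe from the user profile (persistence)",
     re.compile(r"\\CurrentVersion\\Run\\[^=]+=\s*.*\\(application data|appdata\\roaming)\\[^\\]*\.exe", re.I)),
    ("no-ip dynamic DNS host contacted by the sample (C2)",
     re.compile(r"\bb294237\.no-ip\.(biz|org)\b", re.I)),
    ("DarkComet DC3_FEXEC registry key",
     re.compile(r"HKCU\\Software\\DC3_FEXEC", re.I)),
    ("DarkComet dclogs log file",
     re.compile(r"\\application data\\dclogs\\\d{4}-\d{2}-\d{2}-\d+\.dc\b", re.I)),
]

# Constructed event lines for this example (not real tool output); lines 1-4
# reproduce the behaviour observed above, lines 5-6 are benign activity.
SAMPLE_LOG = r"""2014-04-15 10:01:02 REG SET HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = c:\documents and settings\administrator\application data\noah 2014 original soundtrack [clint mansell].exe
2014-04-15 10:01:03 DNS QUERY b294237.no-ip.biz
2014-04-15 10:01:05 REG CREATE HKCU\Software\DC3_FEXEC
2014-04-15 10:02:10 FILE CREATE c:\Documents and Settings\Administrator\Application Data\dclogs\2014-04-15-3.dc
2014-04-15 10:05:00 DNS QUERY www.example.com
2014-04-15 10:06:00 REG SET HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Program Files\OneDrive\OneDrive.exe"""

def scan_log(text):
    """Return [(line number, rule name, line)] for every line that matches
    an IOC rule; a line can match more than one rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in IOC_RULES:
            if pattern.search(line):
                hits.append((lineno, name, line))
    return hits

if __name__ == "__main__":
    for lineno, name, line in scan_log(SAMPLE_LOG):
        print("line %d: %s\n    %s" % (lineno, name, line))
```

The benign OneDrive Run value on the last line is not flagged because its target is under Program Files, which is the distinction the first rule encodes.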

For signature detection I used a variant of the Boyer–Moore search algorithm written by Ameer Ayoub

  • scans all executable files (PE files)
  • prints the name and location of the files identified
  • dictionary holding the signatures {"malware name": "hex bytes"}
  • false-positive list
  • logs: number of files scanned; number of files that could not be scanned, together with their paths
  • uses simple (hex) signatures
  • Python 3
  • slow :))

F:\
FP F:\FPtest.exe
malw1 F:\M6s1.exe
malw2 F:\M6s2.exe
Files scanned: 170
Files that could not be scanned: 0

import hashlib
import os

from win32api import GetLogicalDriveStrings  # pywin32: enumerates the drive letters

# Boyer Moore String Search implementation in Python
# Ameer Ayoub <ameer.ayoub@gmail.com>
# Adapted to work on bytes. The bad-character shift is computed from the last
# occurrence of the mismatched byte relative to the mismatch position, so the
# search can no longer step over an occurrence of the pattern.

# Bad character rule: last index at which each byte occurs in the pattern
def generateBadCharShift(term):
    lastOccurrence = {}
    for i, b in enumerate(term):
        lastOccurrence[b] = i
    return lastOccurrence

# Generate the Good Suffix Skip List
def findSuffixPosition(badchar, suffix, full_term):
    for offset in range(len(full_term), 0, -1):
        flag = True
        for suffix_index in range(len(suffix)):
            term_index = offset - len(suffix) - 1 + suffix_index
            if term_index >= 0 and suffix[suffix_index] != full_term[term_index]:
                flag = False
        term_index = offset - len(suffix) - 1
        if flag and (term_index <= 0 or full_term[term_index - 1] != badchar):
            return len(full_term) - offset + 1

def generateSuffixShift(key):
    skipList = {}
    for i in range(len(key)):
        # i bytes already matched at the end of the pattern, mismatch just before them
        skipList[i] = findSuffixPosition(key[len(key) - 1 - i], key[len(key) - i:], key)
    return skipList

# Actual Search Algorithm: offset of the first occurrence of needle in haystack, or -1
def BMSearch(haystack, needle):
    goodSuffix = generateSuffixShift(needle)
    badChar = generateBadCharShift(needle)
    i = 0
    while i < len(haystack) - len(needle) + 1:
        j = len(needle)
        while j > 0 and needle[j - 1] == haystack[i + j - 1]:
            j -= 1
        if j > 0:
            # align the last occurrence of the mismatched byte with the mismatch
            # position; never shift by less than one
            badCharShift = max(1, (j - 1) - badChar.get(haystack[i + j - 1], -1))
            goodSuffixShift = goodSuffix[len(needle) - j]
            i += max(badCharShift, goodSuffixShift)
        else:
            return i
    return -1

def md5Checksum(filePath):  # MD5 of a file, read in 8 KiB blocks
    m = hashlib.md5()
    with open(filePath, 'rb') as fh:
        for data in iter(lambda: fh.read(8192), b''):
            m.update(data)
    return m.hexdigest()

# {"malware name": "hex bytes"}
dicsig = {
    "malw1": "78200000000000004C20000000000000000000006A2000000020000054",
    "malw2": "6A00680030400068073040006A00E80D0000006A00E800000000FF2500204000FF25082040",
}
# MD5 of files known to contain a signature but to be clean
falsepositive = ["abb01a09857e9758a7737d31ac5598d6", "abb01a09857e9758a7737d31ac55987"]

drives = [d for d in GetLogicalDriveStrings().split("\x00") if d]  # drive letters
unscanned = []   # (path, error) of files that could not be scanned
totalFiles = 0   # number of files scanned

for drive in drives:  # walk every file on every drive
    print(drive)  # drive being scanned
    for root, subFolders, files in os.walk(drive):
        for name in files:
            fullpath = os.path.join(root, name)
            totalFiles += 1
            try:
                with open(fullpath, "rb") as handle:
                    if handle.read(2) != b"MZ":  # only PE files (DOS header magic)
                        continue
                    content = handle.read()
                for malwareName, hexSignature in dicsig.items():
                    signature = bytes.fromhex(hexSignature)
                    if BMSearch(content, signature) == -1:
                        continue
                    if md5Checksum(fullpath) in falsepositive:
                        print("FP\t" + fullpath)
                        break
                    print(malwareName, "\t", fullpath)
            except Exception as err:
                print(str(err), fullpath)
                unscanned.append((fullpath, str(err)))

print("Logs:\n")
print("Files scanned:", totalFiles)
print("Files that could not be scanned:", len(unscanned))
for path, err in unscanned:
    print("\t", path, "-", err)

Test files: http://ge.tt/553GmPU1/v/0?c
File: Fisierepentruteste.rar MD5: 3c01091d8b5c02a1053aac8277f3ccff
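The scanner above reads every PE file fully into memory before searching it. As an added example (not the author's tool), here is the same signature matching done with Boyer-Moore-Horspool over fixed-size chunks, which scales to large files: the last (longest signature - 1) bytes of each chunk are carried into the next one so a signature that straddles a chunk boundary is still found, and matches that end inside the carried tail are not reported twice. "malw2" is the hex signature from the dictionary above; "crossing" is a byte string constructed for this example, as is the in-memory sample file it is planted in.

```python
import io

# "malw2" is the hex signature from the scanner's dictionary above; "crossing"
# is a constructed byte string used only to exercise the chunk-boundary case.
SIGNATURES = {
    "malw2": bytes.fromhex("6A00680030400068073040006A00E80D0000006A00E800000000FF2500204000FF25082040"),
    "crossing": b"\x55\x8b\xec\x83\xec\x10\xe8\xde\xad\xbe\xef\xc9\xc3",
}

def horspool_shift_table(pattern):
    """Boyer-Moore-Horspool shift table: for the byte under the pattern's last
    position, how far the window may safely move (bytes absent from the
    pattern allow a full len(pattern) skip; the rightmost occurrence wins)."""
    m = len(pattern)
    table = [m] * 256
    for i, b in enumerate(pattern[:-1]):
        table[b] = m - 1 - i
    return table

def find_all(data, pattern, table):
    """Yield every offset of pattern in data, overlapping occurrences included;
    the Horspool shift is safe after a hit as well as after a mismatch."""
    m, n, i = len(pattern), len(data), 0
    while i <= n - m:
        if data[i + m - 1] == pattern[-1] and data[i:i + m] == pattern:
            yield i
        i += table[data[i + m - 1]]

def scan_stream(stream, signatures, chunk_size=1 << 16):
    """Scan a binary stream chunk by chunk; returns {name: [absolute offsets]}.
    The tail of each window is carried into the next so a signature straddling
    a chunk boundary is found; a match that ends inside the carried tail was
    already reported from the previous window and is skipped."""
    tables = {name: horspool_shift_table(sig) for name, sig in signatures.items()}
    overlap = max(len(sig) for sig in signatures.values()) - 1
    hits = {name: [] for name in signatures}
    carry, base = b"", 0            # base = stream offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return hits
        window = carry + chunk
        for name, sig in signatures.items():
            for off in find_all(window, sig, tables[name]):
                if off + len(sig) > len(carry):
                    hits[name].append(base + off)
        carry = window[-overlap:] if overlap > 0 else b""
        base += len(window) - len(carry)

def scan_bytes(data, signatures, chunk_size=1 << 16):
    """Convenience wrapper: scan an in-memory buffer as if it were a file."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)

def build_sample(chunk_size):
    """Constructed input: MZ header, NOP filler, malw2 at offset 0x100 and the
    constructed signature placed so that it straddles the first chunk boundary."""
    data = bytearray(b"MZ" + b"\x90" * (2 * chunk_size))
    sig = SIGNATURES["malw2"]
    data[0x100:0x100 + len(sig)] = sig
    sig = SIGNATURES["crossing"]
    data[chunk_size - 10:chunk_size - 10 + len(sig)] = sig
    return bytes(data)

if __name__ == "__main__":
    print(scan_bytes(build_sample(4096), SIGNATURES, chunk_size=4096))
```

Dropping the overlap (carrying nothing between chunks) is the classic bug in chunked scanners: the "crossing" signature in the constructed sample would then never be found, while a whole-file scan would find it. Running the chunked scan and the single-chunk scan on the same buffer and comparing the results is a cheap regression test for exactly that.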