FireEye Malware Intelligence Lab: Current Affairs

6 posts categorized "Current Affairs"

2010.06.21

World's Smallest PDF

About That PDF Thing

At PH-Neutral, I recently presented a bunch of information about how no two PDF readers will see a PDF file in the same way. Which is useful if you're trying to sneak an exploit past a smart A/V scanner. [Unfortunately, most A/V scanners are not even smart enough to find an exploit sitting in easy-to-read plaintext at the top of a well-formed file.]

Someone took a picture of one of my slides, which has been quite popular, based upon the number of retweets and views.

So, I'll explain how this works, for the benefit of everyone who wasn't there at the time&hellip

Continue reading "World's Smallest PDF" »

FE Malware Researcher on 2010.06.21 in Current Affairs, Events, Conferences, Symposiums, Exploit Research | Permalink | Comments (6) | TrackBack (0)

Technorati Tags: Acrobat, Additional Action, Didier Stevens, events, Julia Wolf, Lambda Calculus, language theoretic, Lisp, objects, OpenAction, PDF, PH_Neutral, smallest PDF, syntax, Tavis Ormandy, Twitter

2010.06.04

Some Notes About Neosploit

The Little Picture

I have a huge pile of notes on various types of malware and exploits. Meticulous details from where I look with my [metaphorical] microscope, but not a lot of big-picture stuff, because that usually takes much more time than just reading through a hexdump. So, I'm going to write a series of blog posts like these, looking at the little picture. Some of my explanations might be a little bit terse. I have a bad habit of going: "Here, look at this disassembly, isn't it obvious what it's doing". But, teaching how to read this stuff is a lot of work. So, I hope you don't find reading this to be too tedious if I'm short on explanations.

Some notes on Neosploit 2.0

The Attack Scheme

So, you're browsing along, and you hit an advert like http://ad.yieldmanager.com/iframe3?7VxIANuGDAAF9EgAAAAAA[A long Base-64 string goes here…]e7f9 which directs you to a page like http://ndpwrgg.info/images/wait.html, which looks like this:

Continue reading "Some Notes About Neosploit" »

FE Malware Researcher on 2010.06.04 in Current Affairs, Exploit Research, Malware Research | Permalink | Comments (4) | TrackBack (0)

Technorati Tags: argument.callee(), Encoding, Exploit, Exploitkit, firot, Java, Javascript, Julia Wolf, Neosploit, nerot, Obfuscation, Reverse Engineering, Toolkit, URL, Version String

2010.03.03

Black Energy Crypto

Introduction

Black Energy has been in the news again recently (well, it was recent back when I wrote the first draft of this).

I'm not here to talk about Citigroup, I'm here to talk about cryptography, and how to fail at it. That being said, allegedly Citibank was "hacked" using Black Energy, according to the Wall Street Journal. Citigroup flat out denies it, and aside from this assertion from the WSJ, there's no other information. But it doesn't make sense that "Black Energy" itself, or what is commonly referred to by that name, was used for some kind of banking attack; It's a DDoS bot.

Now, it could actually be Black Energy that's responsible, or something different which just looks like Black Energy. But lately, a very Black Energy-like DDoS "module" tends to get installed along with other malware such as Zeus, via the "Yes Exploit System", or via Oficla/Sasfis, and like every bot, it can download and execute arbitrary files upon command. I have no idea what, if anything, happened at Citibank, but I speculate that a Black Energy bot was just along for the ride. An infection of one bot, quickly leads to an infestation of many. [cute metaphor about infestations goes here] It's kinda like a big ball of malware goo.

Analogy

Ok, so you remember how the five robot lions in the show "Voltron" would form a giant robot to battle space monsters? Each lion had its own distinct identity, like one was green, and another one was pink, etc. but they could combine to form a single robot, with a distinct identity apart from each individual lion. Ok, well malware also combines together to form a giant robot.
[I was going to make the same analogy using the Constructicons as examples, they're evil bots you see… but that's just a little too obscure.]

Anyway, so for something less ambiguous… onto the technical part!

Continue reading "Black Energy Crypto" »

FE Malware Researcher on 2010.03.03 in Botnet Research, Current Affairs, Exploit Research, Malware Research | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: @comp.id, bad crypto, Black Energy, Citibank, COFF, Cr4sh, cryptanalysis, crypto, EXE header, hexdumps, howto, Julia Wolf, known plaintext attack, malware, Rich Header, Russian, stream cipher, symbols, toolkit, WSJ, XML, XML, xor, Yes Exploit System PE Header

2010.02.24

Conference Stuff

The Present

Hi-ho, Julia here. So, here's a summary of computer security conference related things that I'm involved with.

I'll be at the RSA Expo for at least one of the days next week (probably Wednesday). So if you see a blue-haired weirdo wandering around, asking vendors difficult questions¹, that's probably me. If you would like to wander around the Expo for free too, then enter the code EC10FIR [Expires Friday Feb 26] into the appropriate field from wherever this link <Register Now!> may lead you. You'll need to register — enter a bunch of personal information about yourself first, so that you can get a ton of junk mail later this year. However, note that the only thing they actually seem to check when you pick up your badge at the expo, is the name on your government issued photo ID. So, in previous years my job title has been Professional Tomato Squeezer, working for the Instrumentality of Penguins Project — which is how I know when marketers are using RSA's mailing list.

FireEye has a booth at RSA this year (Booth #332) See also: Official FireEye RSA2010 Stuff.

The Past

And from last October, these are my ToorCon 11 Slides [ironically PDF] They're almost the same as the ones from my Brucon talk, but with a little more stuff.

The Future

I'll be presenting a talk at PH-Neutral 0x7DA on how to do horrible things with PDF files. Not just exploits and syntax abuse/obfuscation, but tricks like generating the Mandelbrot set with the halftone screen spot functions.

I'm thinking of submitting a talk to Black Hat or Defcon. Are there any topics that you, the reader, would like to hear me talk about? Sure, I could do an in-depth technical talk on a specific botnet. Or a less-in-depth presentation on a whole bunch of different malware. Or a talk about reading/writing exploits and reverse engineering. Or an actually-good-talk on old-school phreaking. Of course, Defcon being Defcon, I could probably submit a talk on Goetic demon summoning (with live demonstration!) and it would get accepted. So… suggestions?

I promise that my next blog post will have more crypto and hexdumps in it.

¹ For example…
Vendor: Our product is software that you install on your windows laptop, which calls home to check if it has been stolen. And if so, deletes sensitive documents to keep them from falling into the wrong hands.
Me: So, what if rather than booting the laptop into Windows normally, the person who stole the laptop takes the hard drive out and reads the data with Linux?
Vendor: <crickets chirping> … You'll need to talk to one of our engineers.

Julia Wolf @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com

FE Malware Researcher on 2010.02.24 in Current Affairs, Events, Conferences, Symposiums | Permalink | Comments (2) | TrackBack (0)

Technorati Tags: BruCon, conference, Exposition, FireEye, hacking, Julia Wolf, PH-Neutral, RSA, RSA Expo, Toorcon

2010.01.14

PDF Obfuscation using getAnnots()

Since around October 2009, Neosploit ¹, a black-market exploit toolkit, has been fabricating PDF files in a slightly new way, but in a way which is difficult for many parsers to analyze for maliciousness. In summary, all of the metadata in a PDF is accessible from the Acrobat Javascript environment. And this metadata is being used for obscuring embedded Javascript code. A PDF parser would need to fill in all the document objects with the correct data, and evaluate the Javascript to find the exploit. (Needless to say, many PDF signature parsers don't do this.) These malicious PDFs ultimately install Mebroot (aka: Sinowal)².

[And, oh yeah, our product detects this.]

Breaking News

Update: There's another exploit toolkit doing similar metadata tricks to obscure a CVE-2009-4324 attack. (That's the most recent 0-day.)

Continue reading "PDF Obfuscation using getAnnots()" »

FE Malware Researcher on 2010.01.14 in Current Affairs, Exploit Research, Malware Research, Vulnerability Research | Permalink | Comments (4) | TrackBack (0)

Technorati Tags: 0-day, Acrobat, Adobe, Adobe Reader, annotation, attack, CVE, exploit, getAnnots, hexdump, howto, ISO 32000-1:2008, javascript, Julia Wolf, malware, Mebroot, Neosploit, obfuscation, PDF, shellcode, Sinowal, syncAnnotScan, toolkit, zlib

2009.01.14

Barbarians Inside the Cyber Gates

Critical government, military, and civilian networks have been repeatedly infiltrated to steal our intellectual property and national secrets. So, how do we build a modern, national cyber security policy as we enter into the 44th Presidency? The Center for Strategic and International Studies' report weighed in on this topic, but I think they missed the point in their technical recommendations.

Before I go further, I should introduce myself. I'm Ashar Aziz, FireEye's CEO and founder. I'll be chiming in to write about the big picture security issues that are facing CIO/CISO's, businesses, our national cyber infrastructure, and essentially anyone who does anything on the Internet these days.

Continue reading "Barbarians Inside the Cyber Gates" »

Ashar Aziz on 2009.01.14 in Current Affairs, General Security | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: botnets, cyber infrastructure security, cyber security, cybersecurity, malware, U.S. cyber security

FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation | www.fireeye.com