The Case of the Tricky Tool

Looks can be deceiving. There are times when you think an analysis is going to be easy, and everything points in that direction, until you hit a snag. This happens. Sometimes you've made an assumption that is wrong, sometimes there is a little trick the attacker is doing, and sometimes your tools fail you. This is one of those times.

The Malware

I received a malicious attachment in my email yesterday that uses a technique that I've started to see more and more in documents - utilizing the metadata fields to hold some of the malicious code. The advantage to this technique is that it spreads the code throughout the document and makes it more difficult to analyze. Despite this, all signs pointed to this being an easy document to analyze. As you'll see, I was wrong.

resume.doc
MD5: e618b9ef551fe10bf83f29f963468ade
SHA1: 93993320c636c884e6f1b53f9f878410efca02da
SHA256: d400d6392a17311460442e76b26950a0a07e8a85c210c31e87a042a659dc9c52

Once more, I used REMNux to statically analyze the file. Yes, I could have executed it with Lazy Office Analyzer to speed up my analysis, but frankly my Windows VM is temporarily fubar'd, so I was stuck doing it this way.

The first step in my analysis was to figure out what type of document I was...

Document Analysis – 2018-newsletters.xls

Today I received what was clearly a malicious document in my email, so to celebrate the publishing of my second PluralSight course - Performing Malware Analysis on Malicious Documents - I thought I'd go through the analysis of the document.

The document came in as an attachment in email and was named 2018-newsletters.xls.

MD5: 46fecfa6c32855c4fbf12d77b1dc761d
SHA1: c028bc46683617e7134aa9f3b7751117a38a177d
SHA256: 4e8449f84509f4d72b0b4baa4b8fd70571baaf9642f47523810ee933e972ebd9

You can download the file from here. The password is the last 8 characters of the filename, all lowercase.

To analyze it, I'm going to use REMNux, the malware analysis Linux distribution put together by Lenny Zeltser. This distro has all the tools we need to analyze the document.

The first thing I need to do is figure out what type of Office document we're dealing with. By running the Linux file command on the document, it tells us we're dealing with the composite file format, or structured storage format, of Office. Knowing this helps us figure out what tools we can use on the file.

Next, I want to see if there's anything interesting inside of the document. There are lots of tools that can be used for this, but...

Malware Analysis Course on Pluralsight!

Since 2010, I have been running my Introduction to Malware Analysis course at various conferences and organizations, and have taught over 200 students. I've heard from many of my former students that they've used what they learned in the course to help them successfully combat malware in their organizations - some have even gone into the malware analysis field themselves!

I only teach my course once or twice a year; for the past few years it has only been at DerbyCon. The problem with that is the material sits unused for most of the year, with no one gaining benefit from it.

So, when I was approached by the great people at Pluralsight to record my course and put it online, I jumped at the chance. It was a long process to do, but well worth it. This week, the course was released under the name Malware Analysis Fundamentals.

Malware Analysis Fundamentals is an online version of my Intro to Malware Analysis course. The course takes you from knowing nothing about malware analysis to being able to manually analyze malware in a safe and consistent manner. Like my regular course, you still analyze real...

Malicious DNS Namespace Collisions

Over the last few weeks, I've noticed a problem come up again in multiple places that I first saw many years ago and apparently is still very common - DNS namespace collisions. DNS namespace collisions occur when a private domain name is able to be resolved on the public Internet, whether it is intentional or not. ICANN has a lot of information on this if you are looking for a deep dive on the subject; instead I will be focusing on the potential security issues.

The Issue

Let's start with an example. Suppose you own the Internet domain example.org. This is your Internet presence - all your emails are @example.org, your web servers are in this domain, even your Active Directory domain is corp.example.org. All is well in the world.

When configuring hosts in your organization, one of the things you will do is set up your DNS suffix search list. This is the list of domains your systems will add to a host name if they can't initially resolve it. In our scenario, your DNS suffix search list is example.org and corp.example.org. So, if a host attempts to resolve mailserver, it might also try mailserver.example.org and mailserver.corp.example.org.

And let's...