Monday, April 28, 2014

Some fax virus

This morning I've seen some fax viruses come in as a standard "hey you got a fax, open the attachment". The zip file is about 26k and appears to be a zbot downloader.

Two mildly interesting things with this one. One is that after executing the exe, you do actually get an RTF file displayed as a hotel booking for some place in Greece. It uses the hotel's phone numbers and info. So I assume they may be a little confused shortly when people contact them saying they booked no such room.



Secondly, after that RTF file is displayed the virus sleeps for a few minutes and then gets its payload from http://<site>/hot24/banner.png. It is of course not a PNG, but an executable. Yet another reason to never trust extensions.



Here are some domains the downloader was reaching out to:

jean-roussel.org
proguardians.net
pensionmagda.cz
pianossimi.fr
furiod.comyr.com


The banner.png (actually an executable) is currently recognized on VirusTotal as 1/51. Yikes.

https://www.virustotal.com/en/file/148cc3713abba28f4e0aa5c9f3352cabe8f3e257a0325d111ea486661d47aed7/analysis/1398694595/

Friday, April 18, 2014

Java and anal sex

Another day and another funny piece of code in a virus.

md5: 1d34692a57337fa75eb62d864e406f3a


In case you wanted the whole joke...


"Saying that Java is nice because it works on every OS is like saying that anal sex is nice because it works on every gender."

Wednesday, April 16, 2014

Faronics Deep Freeze

So in malware testing, VMs will not always work for you. Some of the smarter malware will recognize that it is in a VM and execute code differently, or sometimes not at all. This leaves me running malware on a live system. Obviously it's incredibly easy to just load malware onto a USB drive and run it on a machine. But then that machine can no longer be used for testing future malware since it is contaminated.

Having to reinstall Windows and update every time I test something would be absurd. So my normal method has been the use of a SATA hard drive duplicator and a bunch of hard drives I found around the office (I have about 15). I would get a good clean install on a machine and pull that drive as a master, and use it as the source to duplicate drives any time I needed to fire up a fresh test platform. While this works fine, it's still a time-consuming pain. I have to pull the drive out and wait for the duplication to finish. Since it's a byte-for-byte duplicator, it took around 45 minutes per drive. This was fine for most days, but on days when I had a lot of new samples, this wasn't feasible.

After some poking around online, I came across Faronics Deep Freeze software. It seemed to fit the bill for what I needed. It allowed me to set a system up how I wanted it, then "freeze" it. When frozen, all changes on the PC are reverted back to the initial frozen state upon reboot. It took some playing around for me to get used to it. I had done all my updates and software installs in a frozen state at first, so the reboot wiped them all. But eventually I got it working.

So far it has been a great success. I ran across a small exe file to test yesterday, and it ended up being a downloader for CryptoLocker. So I got the normal pop-up screen saying I must pay whatever, yadda yadda.

oh noes



After I gathered all my data, it was time to test out Deep Freeze. I clicked reboot and about 50 seconds later I was back to a clean desktop. I poked around and it looks like everything did indeed go back to how it was. I'm only on a trial but I do certainly plan to purchase this. I'm not yet convinced it's 100% bulletproof, but it seems to work great so far. There are also some alternatives to it listed on Wikipedia I may check out as well. Overall a good time saver so far.

Tuesday, April 15, 2014

A malware funny

Malware coders are people too. Yeah, I hate malware, wish it would be gone, etc., but it's sometimes funny to see some of the things these people code. The simple things in life.

f871ad718f4b9b855f81f20901b43c91


Crap, Crappy and Crappier. Good naming schemes are important.

Tuesday, April 8, 2014

Jpg virus

A jpg virus isn't too common, but they happen. Usually the message is some sort of social media email saying "hey check out my nekked bod" with an image attached. Even a savvy user may be roped into running this virus. It's just a jpg, right? What's the harm?



That's the harm. When you open this, bad stuff happens. In this particular case only 1 of 50 AV companies is finding it malicious (Qihoo-360 shows virus.exp.wrar.2014.0401). It looks to just be a dropper that downloads a zbot after it runs.





I always use examples like this when I hear people say careful browsing and common sense are all you need to stay safe. Image viruses are nasty things to catch if you aren't paranoid enough to investigate a file before opening it.
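One way to act on "never trust extensions", as an added example that is not the author's code or any tool from these posts: classify each attachment by its leading bytes instead of its name, and look inside zip attachments the same way. It covers both the banner.png that was really an executable in the fax post above and the "jpg" lure here. The signature table, the sample bytes and the filenames (banner.png, fax.zip, fax_message.exe) are constructed for the demo, not taken from the real samples.

```python
"""Added example: classify mail attachments by content, not by filename.

The samples at the bottom are constructed stand-ins; nothing here is the
malware from the posts.
"""
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional

# Leading-byte signatures for the formats the posts mention.
SIGNATURES = [
    (b"MZ", "pe-executable"),            # Windows PE begins with the DOS "MZ" stub
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"{\\rtf", "rtf"),
]

# What a trusting user would assume from the extension alone.
EXTENSION_KIND = {
    ".exe": "pe-executable", ".png": "png", ".jpg": "jpeg",
    ".jpeg": "jpeg", ".zip": "zip", ".rtf": "rtf",
}


@dataclass
class Finding:
    path: str
    kind: str
    reason: Optional[str]   # None when nothing looks wrong


def sniff(data: bytes) -> str:
    """Identify a blob by its magic bytes; the filename is ignored entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def scan(path: str, data: bytes, depth: int = 0, max_depth: int = 2) -> List[Finding]:
    """Sniff one attachment and, if it is a zip, every member inside it.

    Flags (a) any file whose extension promises a different format than the
    bytes deliver (a banner.png that is really an .exe) and (b) any executable
    shipped inside an archive, which is how the fax zip carried its dropper.
    """
    kind = sniff(data)
    expected = EXTENSION_KIND.get(PurePosixPath(path).suffix.lower())
    reason = None
    if expected is not None and expected != kind:
        reason = "extension does not match content"
    elif kind == "pe-executable" and depth > 0:
        reason = "executable inside archive"
    findings = [Finding(path, kind, reason)]

    if kind == "zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = zf.read(info)
                    findings.extend(scan(f"{path}/{info.filename}", member, depth + 1, max_depth))
        except zipfile.BadZipFile:
            # Starts with PK but has no usable central directory.
            findings[0].reason = "truncated or malformed zip"
    return findings


def _zip_of(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples (not the real files): a stub PE, a PNG header, and a
# zip wrapping the stub PE the way the fax lure wrapped its downloader.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAX_ZIP = _zip_of({"fax_message.exe": FAKE_PE})

if __name__ == "__main__":
    for name, blob in [("banner.png", FAKE_PE), ("real.png", REAL_PNG), ("fax.zip", FAX_ZIP)]:
        for f in scan(name, blob):
            print(f"{f.path:28} {f.kind:14} {f.reason or 'ok'}")
```

The check is deliberately name-blind: a member called photo.jpg whose bytes start with MZ gets the same "extension does not match content" flag as banner.png, and a plain .exe inside an archive is flagged even though its extension is honest, because that is the delivery shape the fax lure used. Nested zips are followed to `max_depth` so a zip-in-a-zip does not hide the executable.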