
Help me understand


SephStorm


Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Dec 19, 2012 9:56 am

Help me understand

So someone I know got hit with some malware recently, and I'm trying to understand exactly what happened, as best I can. Here's the sequence.

Non-admin user downloaded a zip file, and scanned it with MSE. While MSE didn't alert (strangely), it did in fact detect a trojan in the zip file and it was supposedly removed.

After the scan the user proceeded to unzip the supposedly now clean zip file. This triggered some kind of malware that killed MSE. User immediately took remediatory action.

Now, it appears to me that one of several possibilities existed... here are my thoughts:

Original trojan was easily detected; was this intentional, perhaps luring the target into a false sense of security?

Traditionally trojans drop files, or provide access through which further compromise can occur. There have been no indicators of further compromise; what am I missing?

What caused MSE to be killed? I know that commands can be executed to kill AV, but they generally require Admin or SYSTEM privileges; user was unprivileged. I thought maybe some sort of client-side exploit to gain privileges. I'm just not sure.

Finally, the user immediately pulled the network cable, scanned the computer in safe mode and regular mode with up-to-date scanners (3), and nothing else was detected, but can we trust this? Outside of MSE, which was originally killed, the other software installed at the time did not stop or detect an attack. In addition the user ran a network sniffer, and did not detect any malicious traffic after the compromise...

Thoughts?
sectestanalysis.blogspot.com/

lorddicranius


Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed Dec 19, 2012 11:36 am

Re: Help me understand

One thought:

"scanned the computer in safe mode, and regular mode with up to date scanners (3) and nothing else was detected"

To be detected, this requires the malware to be known by the scanners.
GSEC, eCPPT, Sec+

caissyd


Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Dec 19, 2012 11:39 am

Re: Help me understand

I know it's not too hard to encode and obfuscate malware. Using Metasploit makes it quite easy: http://oldmanlab.blogspot.ca/2011/11/metasploit-shellcode-obfuscation-to.html

That being said, it doesn't answer everything. I am curious to see what the others think of that...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

SephStorm


Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Dec 19, 2012 11:49 am

Re: Help me understand

Exactly, I was thinking maybe the first trojan wasn't encoded, designed to be detected, whereas there was hidden malware that wasn't detected.
sectestanalysis.blogspot.com/

m0wgli


Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Wed Dec 19, 2012 3:27 pm

Re: Help me understand

I'd doubt that any malware author would deliberately design something to be detected. A detection of anything would surely only increase user suspicion of what's being installed vs. an installation with no AV alert?

Even with encoding/obfuscation techniques you're not guaranteed to bypass AV; over time these become known to the AV vendors. Hence why one may have been detected and not the other.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA

SephStorm


Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Dec 19, 2012 5:40 pm

Re: Help me understand

So what do you guys think happened here?
sectestanalysis.blogspot.com/

cd1zz


Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Dec 19, 2012 8:18 pm

Re: Help me understand

It's certainly possible this was a 0-day on MSE. If it is, maybe the vulnerability the attacker used requires MSE to pick up some kind of virus to trigger his 0-day exploit. Since MSE runs as SYSTEM, if you pwned it, you would be able to kill the service and ultimately control the box.

What's the name of the virus it successfully caught?

SephStorm


Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Dec 20, 2012 7:13 am

Re: Help me understand

It detected a trojan; I'll have to try to have them get the name.
sectestanalysis.blogspot.com/

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Dec 20, 2012 1:20 pm

Re: Help me understand

Is there any evidence that something malicious actually occurred when the file was extracted? Maybe MSE just crashed. Maybe your acquaintance has found the 0-day ;)

Users will also bend the truth to avoid embarrassment. I'd get a copy and do analysis in a safe environment before jumping to grand conclusions. That'll get you a lot farther than just speculating.
The day you stop learning is the day you start becoming obsolete.

encryptedmind

Newbie

Posts: 8

Joined: Fri Apr 05, 2013 12:23 am

Post Wed Apr 17, 2013 4:33 am

Re: Help me understand

1. This looks like a parsing bug in MSE that was exploited using a malformed zip file. A thing about the user in question is that he may have mistaken an executable file for a zip file (they come in a few variations themselves), as unzipping a zip file will not cause the contents to execute by themselves. If it was self-extracting then execution could have been configured. This would constitute a social engineering attack.

2. The 0 day theory is quite probable as well given the tools required for this are freely available.

3. It also could be that malware was already running on the pre-infected system and the contents of new zip files were part of its launching code. This might be in sync with your zip file extraction trigger. Malware like Flame remained undetected for years; it's quite plausible a similar attack vector was being utilised.

4. Further, this could be a bug in MSE where the scanning logic is bypassed to make MSE execute the malware, based on the format trickery done on the zip.

5. Alien invasion is not really that far off.....

Ahh... so the conspiracy theory ends here.....

Any links to the malware in question? I could analyse it and give you more details.
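Before anyone extracts a suspicious download, a static triage of the archive answers point 1 above (was it really a zip, or an executable named like one) and gives the hash needed to look the sample up. This is an added example, not code from any poster: it classifies the file by magic bytes, hashes it, and flags entries that run on double-click, carry a double extension, hide PE content behind a harmless name, or are encrypted so a scanner cannot inspect them. The sample archive is constructed inline.

```python
import hashlib
import io
import zipfile

# Leading bytes that identify the real container type, regardless of file name.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe executable"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar")  # run on double-click


def identify(data: bytes) -> str:
    """Classify by magic bytes, not by the extension the sender chose."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def triage(data: bytes) -> dict:
    """Static look at a downloaded 'zip' without extracting or running anything."""
    report = {"type": identify(data), "sha256": hashlib.sha256(data).hexdigest(),
              "entries": [], "flags": []}
    if report["type"] != "zip":
        report["flags"].append("not a zip archive: do not open")
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, lower = info.filename, info.filename.lower()
            encrypted = bool(info.flag_bits & 0x1)
            # Encrypted entries cannot be read (or scanned) without the password.
            kind = "encrypted" if encrypted else identify(zf.read(name)[:4])
            report["entries"].append({"name": name, "size": info.file_size, "type": kind})
            if encrypted:
                report["flags"].append(f"encrypted entry, scanners cannot inspect it: {name}")
            if lower.endswith(EXEC_EXT):
                report["flags"].append(f"executable entry: {name}")
                if lower.count(".") > 1:
                    report["flags"].append(f"double extension: {name}")
            elif kind == "pe executable":
                report["flags"].append(f"PE content behind a non-executable name: {name}")
    return report


def build_sample() -> bytes:
    """Constructed sample: a decoy text file plus a PE-looking 'invoice.pdf.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()
```

Run `triage()` on the raw bytes of the download in an isolated VM; the SHA-256 in the report is what to submit to a multi-engine scanner instead of the file itself.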
