Sunday, November 29, 2009

Malware Playground


Around 3 months ago I started developing a sandbox tool that makes it easy to analyse any malware sample and generate at least basic information about it. I named it Malware Playground because it 'plays' with almost any Windows program inside it. It sounds funny, like a kid playing with a knife while wearing a shield. The program itself is written in Microsoft Visual Basic 6 and drives more than 20 other programs.


At this moment the program includes the features needed for basic malware analysis:
+ Save the report as text or HTML.
+ Start the analysis at the stage of your choice: for example, dump process memory only instead of running every module (Registry, Dump, Handle, String, Port, Files and Folders, AV alias and so on).
+ Runs on Windows (inside VMware or Virtual PC).
+ Works together with Sandboxie.
+ Drag and drop a sample, with a warning before analysis starts.

Malware Playground is still in development and some advanced features remain in progress. Features currently in development:
+ Network activity
+ Process activity
+ Smart suggestion and recommendation
+ More AV alias detection
+ Security risk level indicator
+ An official website for information and services
+ Integration with a web interface that lets users upload their malware samples
+ Saving every known threat object into a database
+ Mapping the origin of each malware sample and visualising it on a world map

While this tool is still in progress I cannot provide a compiled build for testing, but you can leave a comment and suggest more features.

Wednesday, November 11, 2009

iPhone Worm - Ikee


While surfing the internet at Bayu Beach Resort, Port Dickson, I found something interesting: the iPhoneOS.Ikee worm. Malware of this kind is rarely found on the Apple iPhone. The worm does little more than spread over SSH and change the wallpaper as its payload.

During infection this little worm changes the victim's wallpaper to a picture of Rick Astley (the 80's singer). The worm was written by Ashley Towns, a 21-year-old unemployed programmer from Wollongong, Australia.


Once running, the worm scans randomly chosen IP ranges for iPhones that answer on SSH and logs in with the unchanged default root password (jailbroken phones on which OpenSSH was installed and the password never changed), copies itself to the target so that it runs at boot, and then changes the wallpaper. The worm's source code has also been released; the picture below shows the function that changes the wallpaper and various commented-out code.




A more detailed report can be found here.

Thursday, October 15, 2009

New Portable Antivirus in its final stages!


This week I updated the Portable Antivirus code with some user-friendly features. It is one of the most advanced antivirus programs I have made. Here are a few changes I made this week for the Portable Antivirus project:

+ New name; now it is Data0.Net Portable Antivirus.
+ Better system tray icon and pop-up messages.
+ Support for multiple languages, including Bahasa Melayu.
+ Faster database reading for quicker scanning.

That code cost me sleep, but it was worth it. I'm happy to finish it but there are still a few more steps. I also need to finish my beta sandbox tool called 'Malware Playground'. The name sounds funny, but it could become an advanced sandbox soon.

Friday, October 2, 2009

Cyber-Communalism

For some years now Malaysia, Indonesia and other South East Asian countries have made mistakes that generate communalism, or in simpler words 'big misunderstandings', about culture, politics, terrorism or religion. The cyber world feels the impact of this misunderstanding too: Indonesians may call Malaysia 'Malingsia' while Malaysians may call them 'Indonesial'.


On the internet alone we can find many articles, libels, forums, blogs and more about this issue (Example 1). Wikipedia also describes Communalism in detail. This affects all Asian countries, especially Malaysia and Indonesia. As an example, the picture below shows many Malaysian websites that were defaced because of this issue:

Most of this is produced by local and foreign media, which makes the conflict more complicated: people form different, negative perceptions of each other just by reading or hearing rumours. As I write, the latest hot issues are the Pendet dance and the island dispute, while in reality none of these issues is true.

Wednesday, September 9, 2009

Interesting W32.Virut variant

Over the last 2 months I have been continuously reading about and reverse engineering the well-known virus W32.Virut (not to be confused with W32.Sality, a different polymorphic file infector that is often mistaken for it). This is not a new virus; it was first detected around 2006. In the last 2 months I have received more than 20 reports from friends around Malaysia of this virus infecting their labs and PCs.

W32.Virut is a parasitic, polymorphic file infector with backdoor capabilities. Once executed it injects its code into the winlogon.exe process and creates a new thread there, although this depends on the variant: other variants inject into smss.exe and csrss.exe. It infects every EXE and SCR file by appending its body to the last section of the host file and setting the entry point to point at the viral code, so any execution of an infected file runs the viral code first before passing control to the host code. W32.Virut refuses to run inside a virtual machine such as VMware or Virtual PC, which makes its presence, threads and processes difficult to trace. Its polymorphism also makes my sandbox generate inaccurate results, so manual analysis is needed.

[Picture 1: strings extracted from the W32.Virut sample]

Picture 1 clearly shows the strings behind the work the sample does: adding its process to the Windows Firewall exception list, disabling System File Protection, modifying the HOSTS file, contacting an external server address, as well as the names of Windows API functions and the Windows DLLs they live in.

The polymorphic engine has already produced a few hundred W32.Virut variants, which makes it hard to detect with simple static hash matching.
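Because the infection described above appends the viral body to the host's last section and redirects the entry point into it, the layout of the PE headers gives a signature-independent clue that survives polymorphism. The following is an added example, not code from this blog or from any antivirus product: it reads only the PE headers with the standard library, and build_pe() constructs minimal PE32 images in memory (headers only, no real code) so that the check runs offline on sample input.

```python
"""Appended-infection heuristic for PE files (added example): flag a file
whose entry point lands in the last section, especially when that section
is both writable and executable, as W32.Virut-infected hosts are."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, virtual_address, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # same offset for PE32 and PE32+
    table = opt + opt_size                                     # IMAGE_SECTION_HEADER[]
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_size, virt_addr = struct.unpack_from("<II", data, off + 8)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, virt_addr, virt_size, characteristics))
    return entry_rva, sections


def section_containing(sections, rva):
    """Index of the section whose virtual range covers rva, or None."""
    for idx, (_, va, vsize, _) in enumerate(sections):
        if va <= rva < va + max(vsize, 1):
            return idx
    return None


def appended_infector_indicators(data):
    """Reasons the file resembles an appending infector; an empty list means nothing suspicious."""
    entry_rva, sections = parse_pe(data)
    idx = section_containing(sections, entry_rva)
    if idx is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    name, _, _, chars = sections[idx]
    reasons = []
    if len(sections) > 1 and idx == len(sections) - 1:
        reasons.append("entry point 0x%x is in the last section %r" % (entry_rva, name))
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section %r is both writable and executable" % name)
    return reasons


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image (headers only) used as sample input."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and the same layout after a Virut-style
# infection that grew .data, marked it executable and moved the entry point into it.
CLEAN = build_pe([(".text", 0x1000, 0x2000, 0x60000020),
                  (".data", 0x3000, 0x1000, 0xC0000040)], entry_rva=0x1100)
INFECTED = build_pe([(".text", 0x1000, 0x2000, 0x60000020),
                     (".data", 0x3000, 0x1800, 0xE0000040)], entry_rva=0x3900)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, appended_infector_indicators(sample) or "no indicators")
```

The check is a heuristic, not proof: some packers and linkers also place the entry point in a late section, so a hit should trigger closer inspection (strings, import table, a sandbox run) rather than an automatic verdict.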



Solution: Repair & Cleaning

There are many tools out there for quickly repairing infected files. One of the best is the AVG Win32/Virut Removal tool, which is free to download and use.

Saturday, June 6, 2009

RCE - W32/Autorun.82944


A few days ago I discovered a virus that spreads through a commonly used medium, the USB flash disk. The sample looks like other malware of its kind and is compressed with the PECompact packer. The worm itself was written in Microsoft Visual Basic 6.0. It is commonly known as W32/Autorun.worm!n (McAfee), TR/Crypt.PEPM.Gen (Avira) and Win32.Worm.VB.NXY (BitDefender).

File Information

File Name: various
Size: 82,944 Bytes
Type: Worm
Static File: Yes
MD5 Checksum: 22b52c23e6dd2809733e011a8eedab03


File Name / Process File Name

This virus uses several file names to disguise itself as a folder or a system file. Here are some of the file names used by this malware:

1. romantic.exe
2. forever.exe
3. System Volume Information.exe
4. love.exe
5. task.exe
6. userinit.exe
7. system.exe
8. autorun.inf


There are 2 process names commonly used by this worm:
1. userinit.exe
2. system.exe

Startup / Registry Alteration

The worm alters the Windows registry so that it starts every time Windows loads.

Key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=c:\windows\userinit.exe
(the legitimate value is C:\Windows\system32\userinit.exe, so this runs the worm's copy from C:\Windows at every logon)

Other registry values it modifies:
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoDriveTypeAutoRun"
"NoDriveAutoRun"

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt"
"ShowSuperHidden"
"Hidden"

Payload

The worm overwrites %systemroot%\system32\drivers\etc\hosts and points every domain it wants to block at localhost (127.0.0.1). Most of the entries are computer security websites, including antivirus, firewall and download sites.

The worm also contains some DDoS code that sends random packets to a target.
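The registry and hosts-file changes above are the indicators a responder would check first on a suspect machine. The following is an added example, not code from this blog or from Portable Antivirus: it triages a registry dump and a hosts file for the Userinit hijack, the Explorer values that enable AutoRun and hide file extensions and hidden files, and hosts entries that sink security-vendor domains. The registry dump and hosts text are constructed sample input, and the vendor watch list is an assumption (the post does not enumerate the blocked domains).

```python
"""Triage of W32/Autorun.82944-style persistence and payload indicators
(added example). Input is a registry dump as {key_path: {value_name: data}}
plus the text of the hosts file; output is a list of findings per area."""
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
SINK_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed watch list; the post only says "antivirus, firewall and download sites".
WATCH_DOMAINS = ("avg.com", "avira.com", "bitdefender.com", "mcafee.com",
                 "symantec.com", "kaspersky.com", "microsoft.com")


def check_userinit(value):
    """Return every Userinit entry that is not the legitimate system32 binary."""
    # Userinit is a comma-separated list; the default is one entry with a trailing comma.
    entries = [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != LEGIT_USERINIT]


def explorer_findings(registry):
    """Explorer policy/Advanced values the worm sets; the hive prefix may be HKLM or HKCU."""
    findings = []
    for path, values in registry.items():
        low = path.lower()
        if low.endswith(r"\policies\explorer"):
            for name in ("NoDriveTypeAutoRun", "NoDriveAutoRun"):
                if name in values:
                    # 0 excludes no drive type, i.e. AutoRun fires for USB sticks too
                    findings.append("%s\\%s = %r" % (path, name, values[name]))
        elif low.endswith(r"\explorer\advanced"):
            if values.get("HideFileExt") == 1:
                findings.append("%s\\HideFileExt = 1 (extensions hidden, so love.exe shows as love)" % path)
            if values.get("ShowSuperHidden") == 0:
                findings.append("%s\\ShowSuperHidden = 0 (protected OS files hidden)" % path)
            if values.get("Hidden") == 2:
                findings.append("%s\\Hidden = 2 (hidden files not shown)" % path)
    return findings


def hijacked_hosts_entries(hosts_text, watch_domains=WATCH_DOMAINS):
    """(ip, hostname) pairs where a watched domain resolves to a sink address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in SINK_IPS:
            continue
        for host in names:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in watch_domains):
                hits.append((ip, host))
    return hits


def triage(registry, hosts_text):
    winlogon = {p: v for p, v in registry.items() if p.lower().endswith(r"\winlogon")}
    userinit = [e for v in winlogon.values()
                for e in check_userinit(v.get("Userinit", LEGIT_USERINIT))]
    return {"userinit": userinit,
            "explorer": explorer_findings(registry),
            "hosts": hijacked_hosts_entries(hosts_text)}


# Constructed sample input mirroring the findings in the post.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon":
        {"Userinit": r"c:\windows\userinit.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoDriveTypeAutoRun": 0, "NoDriveAutoRun": 0},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced":
        {"HideFileExt": 1, "ShowSuperHidden": 0, "Hidden": 2},
}
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.avg.com free.avg.com
127.0.0.1 update.symantec.com   # update server sinkholed
0.0.0.0   downloads.mcafee.com
93.184.216.34 example.com
"""

if __name__ == "__main__":
    for area, items in triage(SAMPLE_REGISTRY, SAMPLE_HOSTS).items():
        print(area, items)
```

On a live system the same logic applies to the output of "reg export" and to %systemroot%\system32\drivers\etc\hosts; the Userinit check is the one to trust least on appearance alone, because the worm's copy carries the same file name as the real binary and differs only by directory.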

Programming

This virus was created by someone new to programming, especially Visual Basic 6. Looking at the code, it uses many timers to trigger its malicious functions, which makes the worm unstable and consumes a lot of CPU.

Other analysis:

Here are some strings extracted from the compiled executable file.
Download here

Analysis from VirusTotal

VDEF updates for Portable Antivirus are available to download.

Wednesday, May 6, 2009

New Microsoft Windows 7 RC Launch!

Just a few minutes ago I read on Google News that Microsoft has launched the Windows 7 Release Candidate (RC). I have not finished exploring Windows 7 Beta Build 7000 yet, but this is the chance to get a free product key, with no limit on the number of downloads, for a Microsoft product. Gotta get it now.


To download Microsoft Windows 7 RC click here!

Sunday, May 3, 2009

Are you with Windows 7?

Microsoft Windows 7
After 4 months of using Microsoft Windows 7 Ultimate, I think there is much improvement compared with Windows Vista Ultimate. I found only a few minor bugs in the Start menu and the visual effects. As I read in a news story from ComputerWorld, Windows 7 could launch this August, but there is still no specific date. I hope it is much better after the final release.

The Windows 7 taskbar is totally different from other Windows versions. When many windows are open the taskbar shows only an icon with a stable thumbnail preview. Also, when the user opens many Windows Explorer windows, they are all grouped into one icon on the taskbar until the user hovers the mouse cursor over it to choose which window they want.

Here are a few minor annoyances/bugs I found myself on Windows 7 Ultimate Beta Build 7000:

1. The Start menu scroll bar sometimes cannot be scrolled or dragged with the mouse.
2. In some cases the wallpaper disappears and leaves only a plain colour.
3. When I lock Windows and log back in, the screen resolution resets to the recommended setting (another rare situation).
4. Some old applications (mine was Macromedia Fireworks 8) still do not fully support the Aero/transparent window effect.

Saturday, April 18, 2009

Data0.Net temporarily down!

This week Data0.Net and several other websites are temporarily down because of a move to a new server, from Germany to Malaysia. Transferring all the data may take a week. Hopefully it will work better than before.

Wednesday, April 1, 2009

You together with Conficker!

Mmm... I have been monitoring this worm since its first version, around the end of last year, I think. This worm has some unique techniques for spreading itself along with its payload. I discovered it hiding in the 'RECYCLER' folder on somebody's USB flash drive. Some versions cannot simply be deleted: special permissions are needed to remove them completely. Once it is running on PCs on your network, the network can become clogged, because the worm generates about 250 candidate domain names a day on its own (later variants raise this to tens of thousands) and tries to contact them. The worm was not written by an amateur programmer. This 'guy' has programming skill, and the worm was designed to create a huge network load. Quite interesting to me.
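The domain generation mentioned above (and the "250 possible domains each day" figure quoted in the Downadup news item further down) is what makes the worm visible on the wire: every infected host resolves the same daily list, and nearly all of those names do not exist. The following is an added example, not code from this blog and not Conficker's actual algorithm: a generic date-seeded generator to show why the list is predictable to both sides, and a detector that flags clients producing bursts of NXDOMAIN answers for random-looking labels. The resolver log lines are constructed.

```python
"""Date-seeded domain generation plus an NXDOMAIN-burst detector (added
example). The generator is illustrative only; the detector works on
'client qname rcode' lines, a constructed resolver log format."""
import collections
import datetime
import hashlib
import math


def generate_domains(day, count=250, seed=b"demo-seed", tlds=("com", "net", "org")):
    """Deterministic per-day candidate list: infected hosts and defenders compute the same names."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                                   # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append("%s.%s" % (label, tlds[h[-1] % len(tlds)]))
    return domains


def shannon_entropy(text):
    counts = collections.Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def flag_dga_clients(log_lines, nx_threshold=20, entropy_threshold=2.0):
    """Clients with at least nx_threshold distinct NXDOMAIN names whose labels look random."""
    nx_names = collections.defaultdict(set)
    for line in log_lines:
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx_names[client].add(qname.lower())
    flagged = {}
    for client, names in nx_names.items():
        if len(names) < nx_threshold:
            continue
        mean_entropy = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if mean_entropy >= entropy_threshold:
            flagged[client] = {"nxdomain": len(names), "label_entropy": round(mean_entropy, 2)}
    return flagged


# Constructed resolver log: 10.0.0.5 walks part of today's list, 10.0.0.9 is a normal user
# with a couple of typos.
TODAY = datetime.date(2009, 4, 1)
SAMPLE_LOG = ["10.0.0.5 %s NXDOMAIN" % d for d in generate_domains(TODAY)[:30]] + [
    "10.0.0.9 www.google.com NOERROR",
    "10.0.0.9 mail.example.com NOERROR",
    "10.0.0.9 wwww.google.com NXDOMAIN",
    "10.0.0.9 gogle.com NXDOMAIN",
    "10.0.0.9 data0.net NOERROR",
]

if __name__ == "__main__":
    print("first candidates for", TODAY, generate_domains(TODAY)[:3])
    print("flagged:", flag_dga_clients(SAMPLE_LOG))
```

Because the list depends only on the date and a fixed seed, a defender who has the algorithm can compute tomorrow's names in advance and register or sinkhole them, which is exactly what the Conficker response relied on; the detector side needs no such knowledge and only counts failed lookups per client.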

The complete and detailed analysis can be found at the link below:

Sunday, March 29, 2009

What is Heuristic?

Many people have heard of heuristic detection; some security products call it TruPrevent or AHeAD, and Portable Antivirus calls it Alternator Heuristic Technology (AHT). In simple words, heuristic technology is a method of deciding whether a program resembles previously seen viruses, without needing a signature for that exact file.

Here is a good explanation of Heuristic taken from Wikipedia:

Heuristic (/hjuːˈrɪs.tɪk/) is an adjective for methods that help in problem solving, in turn leading to learning and discovery. These methods in most cases employ experimentation and trial-and-error techniques. A heuristic method is particularly used to rapidly come to a solution that is reasonably close to the best possible answer, or 'optimal solution'. Heuristics are "rules of thumb", educated guesses, intuitive judgments or simply common sense. Heuristics (hyu-ˈris-tiks) as a noun is another name for heuristic methods.

In more precise terms, heuristics stand for strategies using readily accessible, though loosely applicable, information to control problem solving in human beings and machines.[1] Forensic engineering is an important tool in tracing defects in products and processes. The Heuristic Model or commonly referred to as the (gut-level approach) is a simplified method of decision making that put emphasis on internal personality attributes of the decision maker.

There are several ways of building a heuristic detection:

  1. Detecting double file extensions
  2. Detecting based on a PE section hash
  3. Detecting based on the resource section
  4. Detecting based on the compression (packer) method
  5. Detecting based on strings
  6. Detecting based on imported APIs
and many more...
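Each of the methods listed above is a rule with a weight, and the verdict comes from the combined score. The following is an added example, not Portable Antivirus code or any product's engine: a small rule-based scorer covering double extensions, packer fingerprints, suspicious strings and suspicious API names. The rule weights and the sample file bytes are constructed for illustration, and the API names are searched in the raw bytes rather than parsed from the import table.

```python
"""Rule-based heuristic scorer (added example). Each rule contributes a
weight; score_sample() returns the total plus the reasons that fired."""
import re

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs"}
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "doc", "txt", "pdf", "mp3"}
# Section-name or signature bytes that common packers leave behind.
PACKER_MARKERS = {b"UPX0": "UPX", b"UPX1": "UPX", b"PEC2": "PECompact",
                  b"pec1": "PECompact", b".aspack": "ASPack"}
# Assumed weights: APIs typical of downloaders, injectors and persistence.
SUSPICIOUS_APIS = {"URLDownloadToFileA": 2, "WriteProcessMemory": 2, "CreateRemoteThread": 3,
                   "SetWindowsHookExA": 2, "RegSetValueExA": 1, "ShellExecuteA": 1}
RULE_WEIGHTS = {"double_extension": 3, "packer": 1, "url": 1, "autorun_string": 2}


def double_extension(filename):
    """'love.jpg.exe' or 'photo.jpg .exe': a decoy extension directly before a runnable one."""
    parts = filename.lower().replace(" ", "").split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS and parts[-2] in DECOY_EXTENSIONS


def printable_strings(data, min_len=6):
    """Runs of printable ASCII, the same thing a 'strings' tool extracts."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def score_sample(filename, data):
    """Return (score, reasons); a higher score means more heuristic hits."""
    score, reasons = 0, []
    if double_extension(filename):
        score += RULE_WEIGHTS["double_extension"]
        reasons.append("double extension in %r" % filename)
    for marker, packer in PACKER_MARKERS.items():
        if marker in data:
            score += RULE_WEIGHTS["packer"]
            reasons.append("packed with %s" % packer)
            break
    strings = printable_strings(data)
    for api, weight in SUSPICIOUS_APIS.items():
        if any(api in s for s in strings):
            score += weight
            reasons.append("references %s" % api)
    if any(re.search(r"https?://", s) for s in strings):
        score += RULE_WEIGHTS["url"]
        reasons.append("embedded URL")
    if any("[autorun]" in s.lower() or "open=" in s.lower() for s in strings):
        score += RULE_WEIGHTS["autorun_string"]
        reasons.append("autorun.inf template string")
    return score, reasons


# Constructed sample: a fake PECompact-packed binary that writes an autorun.inf
# and downloads a second stage. Not a real malware sample.
SAMPLE_BYTES = (b"MZ\x90\x00" + b"\x00" * 32 + b"PEC2" + b"\x00" * 16 +
                b"URLDownloadToFileA\x00RegSetValueExA\x00" +
                b"[autorun]\r\nopen=system.exe\r\n\x00" +
                b"http://example.invalid/update.bin\x00")

if __name__ == "__main__":
    print(score_sample("love.jpg.exe", SAMPLE_BYTES))
    print(score_sample("notepad.exe", b"MZ" + b"\x00" * 64))
```

The usual trade-off applies: a packer alone or a single API alone is weak evidence (many legitimate installers are packed and call RegSetValueExA), which is why the weights are small and the decision threshold should sit above any single rule.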

Friday, March 20, 2009

Data0.Net Problem?


Well, it has been almost 2 weeks since my data0.net domain went down, but not every country and area is affected. I was informed that TMNet was doing something to the undersea cable that connects to Europe. Data0.Net is currently hosted at a datacenter in Frankfurt, Germany.

I was told that a few major domains were also affected, such as www.syok.org, www.asiahoster.com, www.lombongit.net and so on.

Friday, March 6, 2009

AsiaHoster.com Web Hoster!

Well, after a few weeks of monitoring this web host, it seems that this provider should take much better care of its server, since many domains share one server. The server goes down 3-4 times a week, sometimes once a day, and each outage lasts around 1-3 hours.

The picture below shows the cause of the server going down.

It seems that someone on the shared host uses a lot of memory, which brings the server down, and everyone on the shared server loses out because of this unfair usage. AND it keeps getting worse. I don't know how many domain names are parked on this server.

A few details:

The main datacenter appears to be located in Frankfurt, Germany.



Here is a list of domain names known to share ns1.asiahoster.com and ns2.asiahoster.com:
  1. http://ahmadfaidhi.com/
  2. http://blog.ahmadfaidhi.com/
  3. http://fairuji.nasz.my/
  4. http://hujan.org/
  5. http://image.syok.org/
  6. http://rekreasikota.summitmy.com/
  7. http://rocker.smktip.com/
  8. http://savoc-nru.syok.org/
  9. http://syok.org/
  10. http://torrent.syok.org/
  11. http://www.ahmadfaidhi.com/
  12. http://www.asiahoster.com/
  13. http://www.fairuji.nasz.my/
  14. http://www.hujan.org/
  15. http://www.indiefanzine.com/
  16. http://www.jejakpuncak.summitmy.com/
  17. http://www.limemyth.com/
  18. http://www.mykjkk.com/
  19. http://www.nasz.my/
  20. http://www.penfluid.com/
  21. http://www.summitmy.com/
  22. http://www.syok.org/
Some of the websites listed above have already changed server because of the poor server response.

Saturday, January 31, 2009

Google problem? Every result turns into "This site may harm your computer"

Today, a few minutes ago, I was searching for a plugin for my WordPress pages on Google Search when suddenly every search result was marked "This site may harm your computer". The image below shows the result.


Then, if you click one of those links, it shows a page saying "Warning - Visiting this website may harm your computer!". See the images below.


Every link from the results gives a false malware warning. This includes image search. All the links go through an interstitial URL like the following example:

http://www.google.com.my/interstitial?url=http://wordpress.org/

and another error image from a few minutes ago...



I guess maybe the Google people are testing something on the server in a real situation...

Saturday, January 24, 2009

"Downadup" worm infections skyrocket

The number of desktops and servers infected by the "downadup" worm has skyrocketed to nearly nine million, according to security firm F-Secure.

That is an increase of more than six million since Thursday last week, when F-Secure warned that the worm was affecting corporate networks and spreading rapidly.

The worm, also known as "conficker", is a large family of network worms that causes various problems, including locking network users out of their accounts.

F-Secure said in a blog that the spread of the worm was "amazing" and that the situation was not getting better.

The firm ascribes the rapid infection rate to the fact that there are several different variants of the worm.

The most common variant F-Secure has been tracking is creating 250 possible domains each day, the firm said.

ComputerWeekly.com


Monday, January 5, 2009

What is a computer virus?

To put it simply, a computer virus is a small program that replicates itself and places copies on a computer without the user knowing. Viruses typically attach themselves to other files, usually executables with an .exe extension. People often use the term virus for other troublesome programs that are really other kinds of malware, such as Trojan horses, worms, spyware or adware. There is a difference: most of these do not replicate by infecting files and so are not technically viruses, although these days they are far more common than true viruses.
Trojan horses are very common these days. As the name implies, they sneak onto a person's computer packaged as a useful program such as a screensaver. Once installed, they open ports (like a secret door to the internet) on your computer and allow other infections in. These arrive unannounced; you will not notice them until your antivirus program happens to detect them, by which time the damage may already have been done.
This is why it is important to have a firewall on your computer. The firewall increases the computer's security by closing and locking all of these doors, allowing only the ports used by common programs such as web browsers and email. For another port (door) to be opened, the firewall usually asks the user for permission; that is why you get messages popping up in the lower right-hand corner asking whether it is okay for something to happen.
Another type of infection is the computer worm. Worms are like viruses except that they do not attach to other files. They move from computer to computer across a network through open ports, which is the biggest benefit of a firewall that keeps those ports closed and locked. The internet is one giant network, so just by being connected your computer is exposed to this type of infection.
Adware is another type of program altogether. These programs typically come bundled with other software. When downloading some music-sharing software, if you read all the fine print you would see that the software is free because it comes bundled with an adware program. Adware makes pop-ups appear on your computer and may also modify your browser so that your search results are influenced in some way that benefits the program's author.
I can honestly say from experience that you are guaranteed to get an infection by regularly browsing the internet on a Windows-based computer without an adequate firewall. The firewall is far more important than the antivirus software itself. This is one of the most misunderstood computer security issues among the general public.

Sunday, January 4, 2009

Download Portable Antivirus

Portable Antivirus 1.6





OR

You can try a previous version of Portable Antivirus which can be downloaded from the link below:
Portable Antivirus 1.5

Get it from CNET Download.com!