I really need to remember to post on here more often lol..
Having spent last Thursday/Friday attending Kawaiicon I’m awash with cuteness.. But continuous scrubbing in the shower is helping get rid of it. For those of you scratching your head, KiwiCon, NZ’s favourite info sec conference is taking a break, and Kawaiicon is the somewhat cuter replacement.
Highlights for me were Peter Gutmann, Matthew Daley, and Mike Loss.
Peter’s talk on automotive control systems is enough to put me off owning a modern vehicle now or anytime soon until car manufacturers find a suitable way of having reliability and security.
Matthew made everyone in the room who’s employer uses a Gallagher/Cardax access system cringe a little bit at just how many insecure systems are out their in the real world.
Mike’s talk was a highly amusing anecdotal account of his first ever Red Team exercise.
Last night while I was sitting around suffering from a bout of insomnia after working late, I received a phishing email with a thinly disguised VBScript attachment. Being I was wide awake and not really having anything else to do, I decided to pull it apart and see what makes it tick. I’m no security researcher, but I have an interest in that area, and I thought it might be an interesting way to kill time.
At the time I received the email, only 2/19 scanners on Jotti recognized the VBS as malware, and 3/19 recognized the zip container it was in.
Obfuscated VBS malware
As you can see from the screenshot, all of the constant, variable and function names have been converted to random strings. Many of the strings have been obfuscated by breaking them down into constituent characters. There are also numerous extraneous variables, functions and pointless IF statements, although the extraneous functions may be part of a standard copy & paste template of functions.
The first thing I did was tidy up the layout of the code, for example indenting each function and IF statement to help improve the readability. I also concatenated the variables that had been split into characters back together. Then it becomes a bit like a jigsaw puzzle, finding the easy bits and working from there. I started with obvious ones, for example “Set YDh = CreateObject(“Scripting.FileSystemObject”)” it’s pretty obvious the variable should be something like objFSO. Examining functions and objects with parameters and comparing to the documentation lets you make further progress. If you have a WinHttpRequest object, and that object is then being called with “Object.Open “GET”, RFz5, False” you can then deduce that RFz5 is a variable containing a URL, and label it as strURL or some such.
After spending a bit of time doing this, and removing the extraneous functions and variables I had some code that made sense and was easy to follow. The script attempts to make a web request to one of several websites, and if it’s happy with the response it saves the response body as a .DLL file in the temp folder, then executes it via rundll32 with a couple of parameters.
For obvious reasons I’m not going to post the full code of what I ended up with, but this screenshot of the main code sans functions should give you an idea.
Cleaned up code
I was pleasantly surprised to see that less than 12 hours after I received the email, Microsoft had AV definitions out that detected and removed both the VBS and the container. I’ve heard quite a few people slag off the Microsoft AV product, but given that as of this post only one third (6/18) of the scanners on jotti had definitions for this, I think they deserve some credit!
