Archive for May, 2010

VirusTotal on Android

May 31, 2010

I just got this idea while going through the Android Scripting Environment (ASE) for Python. How many of us would have liked to have a Virus Total client for Android smartphone? Obviously the number would be extremely low. However got this idea of experimenting a VT client for Android smart phones.

So lets start a small experiment:

Main Menu of Android application

Android Main Menu

Now, Click the ASE ( Android Scripting Environment ). Please note the emulator is already installed with the ASE and Python scripts. Please refer the google code page if any help is needed regarding ASE installation.

The experimental script in action

Script in action

Now, enter the md5sum value that needs to be queried and press enter

Results of the script

Results for the MD5

I just tried this script as a HelloWorld exercise for Python in Android.  I will write something more useful in the near future and post it.

Cheers 🙂

Malware Vs Python = Immunity

May 25, 2010

I have been analyzing a bunch of Game password stealing Trojans to find out similar patterns among those bunch of samples. The payload of the sample is simple:

  1. It first uses the “shell32.SHGetSpecialFolderPathW” API to get the Program Files folder path.
  2. Checks for any running instance of Tibia game window.
  3. If Tibia game is running, it uses “kernel32.ReadProcessMemory” to read the process memory to fetch the password.
  4. It then initializes the socket library using “WS2_32.WSAStartup”
  5. Resolves the server host name using “WS2_32.inet_addr” and sends the stolen credential using “WS2_32.send

Simple payload. So what’s exciting here to blog about it.

There is! This family again a classic example to demonstrate the power of Python and Immunity. With a elegant Justin script, it only took less than a second to stalk all the above mentioned information.


The scope for malware analysis automation that python provides is just amazing 🙂

My Java mentor used to tell me,”whenever you get tired about programming, just design and build a neat Java program. That will give you a cup of coffee’s refreshment.”

I just feel the same about Python for Malware analysis.

Cheers 🙂

FileWatcher for the dynamic analysis of File infecting parasitic virus

May 14, 2010

Have you ever felt the need of a simple FileWatcher utility that can monitor the files modifed and newly created file in a directory during a program’s execution?

Of course, the obvious choice would be Sysinternals’ ProcMon/FileMon that can achieve this with surgeon’s precision and there could not be any better utility to beat the functionality. However I often felt that while replicating a file infecting parasitic virus, it would be great to have a very simple utility that can monitor for the modified files / newly dropped files and copy them into separate folders automatically.

This utility is developed to address that need.

Starting the application

Starting the application

Once the filewatcher is started, you can start the replication of file infector. (Typically you can watch any mounted network hgfs share). When any files in the target folder is modified the filewatcher will trigger a chain of events to copy the modified file into C:\ModifiedFiles folder.

Picking Modified files

Picking Modified files

Similarly, the newly dropped files will be picked and copied to C:\NewFiles

To keep things simple, the filewatcher runs as a single threaded application hence it will not respond to any other events. Hence to stop the execution one must copy a file called “final.txt” in the folder where FileWatcher is running.

The output:

colected files

colected files

Cheers 🙂

A Malware stalker that speaks

May 7, 2010

The idea is to create a very simple sandbox system which accepts a malware sample as input and produce a .mp3 file and a .txt file that has the replication data of the malware.

I have started believing  in automating malware analysis only after I got introduced to the great Pedram’s PAIMEI framework and Ero’s Pefile module. IMHO, it is one of the most powerful and elegant, extensible framework for automating reverse engineering.

Some time back, I played with the sample hook application that comes with the PAIMEI’s hook container and started customizing it. Just to add some spice, i have integrated PySpeech to speak the stalking information of malware execution.

Here are few snapshots:

Start Stalker

Once started, the stalker will break on every dll load event and allow you to set breakpoints any APIs exported in the dll.

Adding hook in WriteFile

Sample execution

Type something in notepad and try to save the file to trigger WriteFile API. Since we have registered a hook on the WriteFile, the arguments and the response will be recorded.


The stalker also can operate in a mode where you can exclude the API calls made from library functions.

I am working on the known issues to improve and hopefully make this as a useful sandbox sooner.

My sincere thanks to Pedram, Ero for their wonderful python libraries.

Cheers 🙂

Analysis of a Backdoor Trojan Heloag

May 3, 2010

Win32/Heloag is a family of Backdoor trojans. The effect of the Heloag infections depend on the availability of their master  server. Recently, I came across a variant of this family which is one of the easiest targets for reverse engineering due to their nature of being unpacked, unencrypted plain binary.

Lets begin the analysis summary 🙂

Surface analysis:
File : 50.exe
Size : 177152
MD5 : C2896D95F7DF56AFCB9E33DE5D87C9F0

A quick check with virustotal says it is being detected by 23 AntiVirus vendors.

One foot down into the binary:

A quick investigation of the import table of the binary show many imported functions and here are some of the interesting imports given that it is already detected by so many AV vendors.


0x411160 => WSAStartup
0x411164 => socket
0x411168 => WSACleanup
0x41116c => send
0x411170 => closesocket
0x411174 => recv
0x411178 => htons
0x41117c => inet_addr
0x411180 => connect
0x411184 => inet_ntoa
0x411188 => gethostbyname
0x41118c => sendto

Entrypoint : 0x401080

ImageBase : 0x400000 Packer ID : Microsoft Visual C++ 6.0

Dynamic Analysis:

A quick dynamic analysis does not reveal any significant info as the binary did not show it real colour much except few TCP SYN packets to some arbitary server. Knowing about the typical behavior of backdoors, its quite a easy guess that the backdoor actually tries to reach out it master server and since the master server is taken down, it hangs in the SYN_WAIT status.

So what next??
Lets give this piece of malware a little more home environment. Next time, a simulated virtual internet infrastructure is created using a linux server running essential services (like honeyd, arpd,ircd, etc.,) Guess what, the malware started to prosper in the newly “simulated” environment where the earlier dead server is now active for the malware. A TCP connection has been established now between the malware and its “master server” (The linux server).

TCP connection snapshot

However, the network communication does not reveal any interesting information. After all, we have simulated the master server right!! So it has left us to force the static analysis to find out more information about its behavior.

Static Analysis:
The entry code is not so surprasing. Starts with a NOP instruction and makes a CALL to a procedure that starts interesting routines. The first call it makes leads to a routine where it collects information about the target machine’
computer name and initializes the Winsock dll.

Then, the code flow calls the inet_addr() to prepare a socket connection with the hardcoded master server’s ip address. After that the htons() method is used to specify the port number.

0x1F9A = 8090, The communication happens with the  server through port no: 8090.
Then, Two new threads of execution is started, one thread opens a port ( a backdoor ) and waits for active connection requests. The other thread attracts our attention that is responsible for establishing connection with the master server and to carryon the payload.
The other thread attracts our attention that is responsible for establishing connection with the server and to carryon the payload.

The flow ensures that if the connection is not established it runs into a loop having a time bound sleep (100 ms) before again trying for a new connection attempt. If the connection is established successfuly, in our case yes (courtesy: to the simulated server), it invokes the send() API to send the information collected at the procedure name ( the name of the infected machine ).

and invokes a time bound blocking call recv() to receive the response from the server.

If the trojan does not receive any information, it invokes a sleep() API to sleep for 180 seconds before making another recv() call

0x2FB20 = 180000ms

The APIs URLDownloadToFileA, InternetReadFileA(), WinExec() are used to download an arbitary URL and spawn. Hope you have enjoyed the analysis this simple piece of malware!! Next time meet you with a polymorphic piece.