Malware Reverse Engineering

Malware Disassembly

As the title of this post states, this short post is about malware reverse engineering. It seems to be a very popular topic among security experts. The idea behind reverse engineering malware is to find out what weakness the malware exposed on your side (network, operating system, etc.).

After researching for approximately 3 days, I can say this is one tough area to learn. Assembly language and system calls are the two things you are looking at when disassembling malware. The system I used is a Late 2013 iMac with a Windows 7 virtual machine installed on it. The virtual machine is isolated and not connected to the network. I used a disassembler for static analysis. A debugger is great because it gives you a sense of the on-the-fly actions the malware might execute. Debuggers that I consider valuable are IDA Pro, Immunity Debugger and OllyDbg. The one I spent the most time on was IDA Pro. Keep in mind that these tools are not cheap: the IDA Pro Starter edition, for example, is USD $589 and Pro is USD $1,129. I do believe this particular area will see significant growth as malware becomes more sophisticated and attacks turn toward mobile users.

What was I able to do in 3 days? Take a look at the diagram above. I did manage to disassemble one particular type of malware; however, my skills are fairly basic in this area, and I'm unsure whether I got all the system calls. This was Windows-based malware. See if you can guess which malware it is.

WannaCry Ransomware received how many payments?

As everyone knows by now, the WannaCry / WanaCrypt0r ransomware encrypts your hard drive, locks you out and simply asks for a payment of between $300.00 and $600.00 to restore access. There are certainly users out there that paid, but how many paid, and how much did WannaCry / WanaCrypt0r collect? According to ActualRansom:

The three bitcoin wallets tied to #WannaCry ransomware have received 296 payments totaling 48.86359565 BTC ($99,448.11 USD).

It is a very impressive amount of money for a few days of work.

How do I refresh the hosts file on OS X?

Ever wanted to block certain hosts on your Mac and then simply clear the DNS cache? It's actually fairly easy. This brief tutorial is for OS X 10.9+.

1. Open Terminal (Launchpad > Other > Terminal).

2. To edit your hosts file, type:

sudo vim /etc/hosts

3. Press “i” to enter insert mode and edit the hosts file.

4. Let's say we wanted to block ads from this particular domain: pubads.g.doubleclick.net. The entry would look like this:

0.0.0.0 pubads.g.doubleclick.net

You can also use the loopback address instead:

127.0.0.1 pubads.g.doubleclick.net

5. Once you are happy with the changes, press Esc on your keyboard, then type :wq to save and quit.

That's it, you have now edited the hosts file on your Mac.

6. We now need to flush the DNS cache. In your terminal type:

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Hopefully this helps someone block porn, social networks, gambling sites and so on. If you don't have a list, there is a great community that pulls information from adaway.org, mvps.org, malwaredomainlist.com, someonewhocares.org, yoyo.org and potentially others to build its lists. Have a look at their regularly updated hosts file.
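The six steps above, as an added example that is not part of the original post: a small POSIX shell script that appends the 0.0.0.0 (or 127.0.0.1) entries from step 4 without duplicating lines already in the file, validates each name so a malformed line from a downloaded list cannot corrupt the hosts file, and runs the step 6 flush. The HOSTS_FILE override, the function names and the .example.test domains are my own assumptions. It goes a little beyond the post by also accepting a whole list file, like the community lists mentioned above.

```shell
#!/bin/sh
# Added example, not from the original post: add blocking entries to a hosts
# file the way steps 4-6 describe, skipping duplicates and rejecting malformed
# names, then flush the macOS DNS cache.
# Assumption: HOSTS_FILE may be overridden (e.g. to a scratch copy) so the
# logic can be tried without root before touching the real /etc/hosts.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Accept only letters, digits, hyphens and dots; reject leading/trailing dots,
# empty labels and leading hyphens. This keeps a stray space or shell
# metacharacter from a downloaded block list out of the hosts file.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
    esac
    return 0
}

# has_entry FILE DOMAIN: true if DOMAIN already appears as a hostname token on
# a non-comment line of FILE (any address; trailing "# ..." comments ignored).
has_entry() {
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }
        {
            sub(/#.*/, "")
            for (i = 2; i <= NF; i++) if ($i == d) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# block_host DOMAIN [ADDRESS]: append "ADDRESS DOMAIN" to HOSTS_FILE.
# Returns 0 if added, 1 if already present, 2 if the name is invalid.
block_host() {
    domain=$1
    sink=${2:-0.0.0.0}        # 0.0.0.0 as in step 4; pass 127.0.0.1 for loopback
    if ! valid_hostname "$domain"; then
        printf 'refusing invalid hostname: %s\n' "$domain" >&2
        return 2
    fi
    if has_entry "$HOSTS_FILE" "$domain"; then
        return 1
    fi
    printf '%s %s\n' "$sink" "$domain" >> "$HOSTS_FILE"
}

# block_from_list FILE: one domain per line, blank lines and "#" comments
# ignored. Prints the number of entries actually added.
block_from_list() {
    list=$1
    added=0
    set -f                        # no globbing while we word-split lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop inline comments
        set -- $line              # word-splitting trims surrounding whitespace
        [ $# -gt 0 ] || continue
        if block_host "$1"; then added=$((added + 1)); fi
    done < "$list"
    set +f
    echo "$added"
}

# Step 6 from the post, only attempted on macOS; the commands expect root.
flush_dns() {
    if [ "$(uname -s)" = Darwin ]; then
        dscacheutil -flushcache && killall -HUP mDNSResponder
    else
        echo "not macOS, skipping DNS cache flush" >&2
    fi
}

# Usage: sudo sh block_hosts.sh pubads.g.doubleclick.net [more.domains...]
#        HOSTS_FILE=./hosts.copy sh block_hosts.sh some.domain   (dry run)
if [ $# -gt 0 ]; then
    for d in "$@"; do
        if block_host "$d"; then printf 'added %s\n' "$d"; fi
    done
    flush_dns
fi
```

Run it as `sudo sh block_hosts.sh domain...` to edit the real file, or with HOSTS_FILE pointing at a copy to try it first. The hosts file is consulted before DNS, so one bad entry can silently break a site you rely on; that is why duplicates and malformed names are rejected before anything is appended.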

Project Zero Cloudflare Hack

On February 18, 2017, Tavis Ormandy, a research analyst with Google's Project Zero, revealed that sensitive information was leaking from sites using Cloudflare's proxy services, which are used for Cloudflare's content delivery network (CDN) and distributed denial-of-service (DDoS) mitigation services. Cloudflare provides a range of services to a huge number of sites, at least a couple of million. Tavis informed Cloudflare promptly. A few features in Cloudflare's proxy services had been using a flawed HTML parser that leaked uninitialized memory from Cloudflare's edge servers into some of their HTTP responses. The vulnerable features in Cloudflare's services were disabled within hours of receiving Tavis' disclosure, and the services were fully fixed, with every vulnerable feature re-enabled, within three days. Cloudflare has published a detailed review of Cloudbleed's underlying issue and their response to it.

Should I be worried?

Not if you are hosted with Primary Technologies. We have NEVER endorsed third-party CDN providers such as Cloudflare. If you are, or have been, hosted elsewhere, your data may have been leaked. Any merchant's site using Cloudflare's proxy service could have exposed your passwords, session cookies, keys, tokens and other sensitive data. If your organization used this Cloudflare proxy service between September 22, 2016 and February 18, 2017, your data and your customers' data could have been leaked and cached by search engines.

Who is affected?

Prior to Tavis' disclosure, data had been leaking for quite some time. It's too early to know the full extent of the data that was leaked and the sites and services that were affected (although we're off to a good start). There is currently a good deal of confusion and misalignment on the status of various services.

Jailbreak 10.1.1

Project Zero has published detailed instructions for a kernel exploit that is capable of jailbreaking iOS 10.1.1. Here's a screenshot:

Jailbreak 10.1.1

Therefore, if you are looking to jailbreak manually, follow Project Zero's write-up. The instructions are detailed and if you follow them you should be able to jailbreak your device.

As mentioned in our previous post, if you have updated to the latest iOS 10.2, this kernel exploit will not work. Please downgrade to 10.1.1 (still signed by Apple).

iOS 10.2 Jailbreakers Avoid

According to multiple sources, iOS 10.2 has closed all the kernel vulnerabilities that were available. If you have any hope of jailbreaking your iDevice on iOS 10, simply upgrade to the last version that appears to be jailbreakable, which is 10.1.1. As of right now it's still signed, so it's possible to downgrade if you made a mistake and jumped to 10.2.

iCloud bypass … is it?

I got really excited when news broke that there was a way to do an iCloud bypass on any iOS version via a memory leak. Here is the process:

1. When you are asked to join a network, simply choose a new network and put many emojis into the first field. Once you have around 100 in there, simply copy and paste until you feel that the phone has locked up.

2. When you feel the phone is locked, simply hold the power button, and when asked to shut down, tap cancel.

3. Then start swiping all over the screen. Anywhere. Go crazy.

4. That's it, the passcode screen should crash and take you to the SpringBoard. The problem is, when you get there you can't do anything.

Is it really an iCloud bypass? Well, you are getting past one screen, but you are still locked out. I personally thought it was the real deal, but it's not.

EDIT: The “iCloud bypass” has been patched in iOS 10.2b

iOS Safari Virus Detected 18444232465

1-844-423-2465

This strange pop-up started occurring in Safari. Every time Safari was opened it would open the Mail app, and it kept re-opening every time you cancelled. I couldn't figure out which website was the offender. Regardless, if you see the phone number 1-844-423-2465 (not affiliated with Apple), it is a good indication that your Safari has been hijacked in some way.

Solution: simply go to Settings > Safari > Clear History and Website Data. That will hopefully solve your issue.

5 second video freezes / locks up iPhone on iOS10 iOS9

A really strange bug was found in iOS 10 (and tested on iOS 9). If you play a particular short 5-second video, it plays like any other normal video: it has sound and lasts 5 seconds. You can even close the video after you view it, or leave it open in the background; it does not make a difference. About 5-10 seconds after viewing the video you will notice your phone slow down, and eventually it will lock up / freeze. The only way out is a hard reboot. After the reboot everything seems to be back to normal. This works on any device running iOS 10 or iOS 9, such as an iPad, iPhone or iPod touch. I haven't had the opportunity to try earlier versions of iOS.

What is it? A memory leak? A virus? Not sure as of yet, so please use caution before running the video. Do note that the video did NOT affect Android devices.

5 Second Crash Video

How to hard reboot:

iPhone 7 = hold down the power button and the volume-down button

All others = hold down the home button and the power button.

Edit: I found an old iPod touch running iOS 8.4, and the video above had no trouble locking it up too. I wonder how far back this goes?

Edit (December 3, 2016): The above has been patched on iOS 10.2b. It appeared to be a memory leak.

Microsoft Outlook ActiveSync 14.0 and your cell phone

When you connect your cell phone to the Outlook.com email service, do you ever wonder what sort of information Microsoft has on your cell phone? You can actually check, by going to OPTIONS > MOBILE DEVICES under your outlook.com account. You should get a screen similar to the one below:

Mobile Devices

Now, before we go any further: I have 4 devices hooked up, 2 are cell phones and the other 2 are applications (on a tablet and a desktop). Let's concentrate on the 2 cell phones. I have a BlackBerry and an iPhone. Let's see what has been logged for those two devices.

You might already be surprised that the BlackBerry actually reveals your full phone number to Microsoft. Online they only show the last 4 digits, but believe me, Microsoft has your full phone number, whether you like it or not. The iPhone, surprisingly, does not give your number to Microsoft. 1-0 for iPhone.

I have selected the BlackBerry (highlighted) and all you need to do is click on the little pencil to see additional information. Let's see what information they have on the BlackBerry:

BlackBerry Details

I have removed the last 4 digits of my phone number, the Device ID and the Device IMEI. Microsoft had the entire identity of my phone. EVERYTHING! If you are keeping count, that's iPhone 4 and BlackBerry 0.

Let’s look at the iPhone:

iPhone Mobile Device Details

The iPhone did not reveal everything; as a matter of fact it shows limited information. The only thing I removed is the Device ID. I probably could have left it, as I don't see that same ID listed anywhere on the box or on the device. Final score: iPhone 4 and BlackBerry 1.

Is BlackBerry truly a privacy-oriented company? From what we have observed here, no, they are not. As a matter of fact they didn't keep anything private from Microsoft (the Outlook client).

Thanks for reading.