Posts

Malware Reverse Engineering

Malware DissembleAs the title of this blog states, this short blog is about malware reverse engineering. This seems to be a very popular topic among security experts. The idea of reverse engineering of malware is to find out what weakness did the malware expose on your side (network, operating system, etc).

After researching for approximately 3 days, this is one tough area to learn. Assembly language and system calls are the two objectives that you are looking into when dissembling malware. The system I used is Late 2013 iMac with a Windows 7 virtual machine installed on it. The virtual machine is isolated and is not connected to the network. I did use a dissembler which was used for static analysis. Debugger is great because it provides you with a great sense of on the fly action that the malware migh execute. Debuggers that I consider valuable are: IDA Pro, Immunity Debugger and Oly Debugger. The one I spent most time on was IDA Pro. Keep in mind that these tools are not cheap. IDA Pro for example Starter edition is USD$589 and Pro is US$1129. I do believe this particular area will see significant growth as Malware becomes more sophisticated and the attacks turn toward mobile users.

What was I able to do in 3 days? Take a look at the diagram above. I did manage to dissemble one particular type of Malware, however my skills are fairly basic in this area, and I’m unsure if I got all the systems calls. This was a Windows based Malware, see if you can guess what Malware it is?

 

 

WordPress Malware (PHP.Trojan.Uploader & Php.Trojan.StopPost)

WordPress as a platform is fantastic, and usually its a fairly secure. However, plugins that you use might be a different story. Some plugins are updated on weekly basis, and then there are those that are updated monthly, annually or sometimes are never updated again.

One of our clients runs a very active and informational website. The client had refused to do any updates because they were afraid that it might “break” something on their website. Which is totally understandable. For those of you who do updates on daily basis, sometimes its not a smooth progression and you spend more time troubleshooting the issue than anything else.

Client was hosted on a shared web server, and our firewall had alerted us that the website had been sending a large amount of SPAM. Approximately 200-300 emails per minute. We had immediately disabled the website and had ran a scan on the entire server.

As it turns out their website had been compromised via plugin and had injected itself authorizing use of the server’s mail resources. Upon further investigation the server had not been compromised just the clients website.

Here’s the complete log of what had been infected:

{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/ID3/header.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/images/smilies/options.php.suspected
{HEX}php.base64.v23au.184 : /home/user/web/website.com/public_htmlx/wp-includes/images/wlw/object.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/themes/twentyfourteen/inc/inc.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/uploads/2015/ajax.php.suspected
{HEX}php.cmdshell.unclassed.358 : /home/user/web/website.com/public_htmlx/wp-content/uploads/phpini.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/tinymce-advanced/css/test.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/eventON/assets/js/javascript.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/eventON/assets/css/test.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/display-widgets/session.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/shortcodes-ultimate/inc/core/general.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/shortcodes-ultimate/assets/images/player/view.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/business-directory-plugin/vendors/anet_php_sdk/lib/ssl/include.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/business-directory/business-directory-plugin/vendors/anet_php_sdk/tests/AuthorizeNetDPM_Test.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/model.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/google/service/Google_BatchRequest.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/class-api-libs.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/license-manager/samples/sample-theme-functions.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/stop-auto-update/dump.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/search.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/validation/object.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/css.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_album/module.nextgen_basic_album.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_pagination/view.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/fs/package.module.fs.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/seo-image/javascripts/css.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/gallery/gal1/thumbs/ajax.php.suspected

Unfortunately, the best we could do is restore from previous backup and perform a plugin update along with wordpress.

Moral of the story is, update your plugins people. And if the plugin is old, we wouldn’t recommend using it.