border Permanent Handler on Duty on This Page: Pedro Bueno  
  • "Reality is merely an illusion, albeit a very persistent one" - Einstein

    • SECTION I - MALWARE ANALYSIS - PART 3 - week Oct 17
      UPDATE: Oct 31 - Answers below!

    BEFORE CONTINUING, PLEASE READ THIS DISCLAIMER!

    The following file is a REAL piece of MALWARE! - If you decide to go further, please note that I WILL NOT be responsible for any damage that it may cause to your system!

    A machine on the corporate network was behaving strangely. The Incident Response Team was called to check the machine. The user said that the only thing he remembers is that he was checking a Windows Update website...

    Below is our little piece of malware - BoOtIoS2.exe-e50e87ad5d34cf8d16d01447821d629d.zip

    Password: infected

    Now, I would like you to answer the following questions:

    1. What is a .cmd extension? On which systems would this file extension work?

    2. Did you check the MD5 of the unzipped binary? Does it match?

    3. Is it packed? If yes, which packer was used?

    4. What is this piece of malware claiming to be?

    5. Please describe the process by which this malware will try to get installed on the system.

    6. After some investigation on a machine that had this malware installed, it was verified that the machine was trying to access something related to "*msn*" and "*yahoo*"... Does this malware have something to do with it? If so, for what purpose? :-)

    7. On the same machine, it was observed that some registry entries were messed up... Again, does this malware have something to do with it? If so, why?

    8. Please describe how this malware tries to install software (and which software) on the machine...

    9. If you could give only one piece of advice to your users, based on what you observed in this malware, what would you say?

    10. Do you think that our affected user was lying to the IR Team?

    11. Finally(!!), how would you classify this malware?
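    A small triage helper for questions 2 and 3, added here as an example and not part of the original challenge or its answers: it reads the sample from the ISC-style archive name (`<binary>-<md5>.zip`, password "infected"), checks the unzipped binary's MD5 against the hash carried in the name, and reports a byte-entropy reading as a packing hint. The archive built inside the block is a constructed stand-in (unencrypted, so the password is simply ignored), not the real sample; the 7.0 entropy threshold is an assumed rule of thumb, not a definitive packer test.

```python
import hashlib
import io
import math
import re
import zipfile

# Naming convention used for the sample on this page: <original name>-<md5 of binary>.zip
NAME_RE = re.compile(r"^(?P<orig>.+)-(?P<md5>[0-9a-f]{32})\.zip$")


def expected_md5_from_name(zip_name):
    """Return (member name, expected md5) parsed from the archive file name."""
    m = NAME_RE.match(zip_name)
    if not m:
        raise ValueError("archive name does not carry an md5 suffix: %r" % zip_name)
    return m.group("orig"), m.group("md5")


def shannon_entropy(data):
    """Bits per byte; compressed/packed sections push this towards 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_sample(zip_bytes, zip_name, password=b"infected"):
    """Extract the named member, verify its MD5, and flag a high-entropy image."""
    member, want = expected_md5_from_name(zip_name)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if member not in zf.namelist():
            raise ValueError("expected member %r missing from archive" % member)
        data = zf.read(member, pwd=password)  # pwd is ignored for unencrypted entries
    got = hashlib.md5(data).hexdigest()
    ent = shannon_entropy(data)
    return {"member": member, "md5": got, "md5_matches": got == want,
            "entropy": round(ent, 2), "likely_packed": ent > 7.0}  # assumed threshold


def build_constructed_archive(member, payload):
    """Constructed, unencrypted zip whose name follows the <name>-<md5>.zip convention."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue(), "%s-%s.zip" % (member, hashlib.md5(payload).hexdigest())


if __name__ == "__main__":
    # Constructed low-entropy stand-in for the binary (not the real sample).
    blob, name = build_constructed_archive("BoOtIoS2.exe", b"MZ" + b"\x00" * 4000)
    print(triage_sample(blob, name))
```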


    TIPS: I would strongly recommend that you read Tom Liston's Following the Bouncing Malware series on the ISC Diaries

    I am trying to get some prizes for the best ones, but haven't had much luck yet... so the prize will be having your name here! :-)
    The answers must be submitted before Oct 31 to my email: pbueno $$ ( isc. sans. org ) .

    Also, if you could send it in PDF format, that would be great!

    Thanks again, and good luck!

    Pedro Bueno

    --------------------------------------------------------

    Answers - Oct 31

    One more time: Excellent work!!!

    I really appreciated the answers received! And I know that you had so little time!! Really great, guys!

    Some really interesting phrases that you sent in your work:

    "This is possibly a remnant of an older version of the malware or a view of things to come."

    "By doing this, when IE goes to any webpage on the Internet that wants to install an ActiveX control or plug-in, the install will be allowed automatically without any prompting to the user."

    "Using the textarea trick from Tom Liston (http://isc.sans.org/diary.php?storyid=689) to decode the code"

    "As there does not appear to be any evidence of remote exploit (at least from the information given), it appears highly probable that the only way the binary would get executed on a target system is via social engineering, that is, delivering the binary to the user (for example, via email) and enticing/persuading them to execute it"

    "the best advice to users would be to never (ever ever ever :) open, save or execute any software that they had received from an untrusted or unverified source, though in most cases it's probably better to err on the side of safety and say “never execute anything received as an attachment in email"

    "after a quick Google search found that Tom Liston's “Follow the bouncing malware – part2” had stepped through the analysis of what must have been similar malware that also used an “outers” parameter. In that case – unsurprisingly – Tom Liston had cracked it, and had even provided the C code to decode it!"

    "Ahh. Windupdates. Home of ‘targeted advertising’. Not MS updates but something more insidious ( http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094091 )"

    TOP 6

    1. Rudolph Pereira
    2. Dean De Beer
    3. Tyler Hudak
    4. Anthony Thompson
    5. Randy Armknecht
    6. Michel Jordon

    The next one is another good one that is not in the top ones but put a good effort into it!

    And once again, I really hope that you all enjoyed it!!... because...

    I have a new gift for you!! :-)

    Pedro Bueno ( pbueno //%// isc. sans. org)