Permanent Handler on Duty on This Page: Pedro Bueno

• SECTION I - MALWARE ANALYSIS - PART 4 - week of Nov 02 - UPDATE: RESULTS! Dec 05 - below
       

BEFORE CONTINUING, PLEASE READ THIS DISCLAIMER!

The following file is a REAL piece of MALWARE! If you decide to go further, please note that I WILL NOT be responsible for any damage it may cause to your system!

Okay! Now, some explanations about our little malware:

First, it IS based on real malware! It is a slightly modified version, but still, real malware!

Malware name and MD5: 58d07b9eec151ae840f28c9129b4d6a0 *credito-ma4.scr

    Download it here! ( Password = infected)

So, our little story for today... :) A user in the organization received a phone call from his bank manager, telling him that his account was empty and asking whether something had gone wrong. Our little Joe was completely astonished! What had happened? He knew he had money in that bank account! So he took a look at his account and saw a lot of strange transfers from his account to many different accounts...

As he doesn't have a computer at home, he only uses his online bank at work, and he thought that someone had stolen his passwords.

The Incident Response Team was called in to check his computer and found the following file on it, called credito.scr.

Your mission, should you decide to accept it :), is to answer the following questions regarding this incident:

1. Is this file packed? If so, with which packer?

2. Without running the file, what do you think this malware can and will do?

3. Now, using any methods available to you, what changes, if any, does this malware make to the system, such as new files and registry entries?

4. Now, what is the purpose of this malware?

5. When is this malware triggered?

6. Could you show an example of this malware's behavior?

7. How do you think this malware arrived on his computer? If the malware itself does not provide this information, what is your guess?

8. Do you think this malware had anything to do with Joe's case?
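Questions 1 and 2 are answered before the file is ever executed. As an added example (my own code for this diary, not Pedro's and not derived from the real credito-ma4.scr), here is a small static triage script that does the three things a first pass needs: hashes the file, reads the PE section table to spot packer signatures, and pulls printable strings while folding accents so the cp1252 strings a Delphi binary carries ("cartão", "inválida") still match plain keyword lists. The sample bytes it triages are constructed by hand from the phrases in the dictionary section; the SMTP strings in it are an assumption, not something the page states the malware contains.

```python
"""Static triage of a suspicious Windows binary without executing it.

Added example for this quiz, not Pedro Bueno's code and not derived from the
real credito-ma4.scr: the sample bytes below are constructed by hand.
"""
import hashlib
import json
import re
import struct
import unicodedata

# Section names that well-known packers leave behind. A heuristic, not a proof:
# a packer with renamed sections evades it, so entropy and import checks should follow.
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite", "PEC2": "PECompact", ".nsp0": "NsPack",
}
# Keyword lists in accent-folded lower case (see fold() below).
BANKS = ["banco do brasil", "bradesco", "itau", "unibanco", "nossa caixa"]
CREDENTIAL_WORDS = ["senha", "cpf", "conta", "cartao", "chave de acesso", "resposta secreta"]
NETWORK_WORDS = ["helo ", "mail from", "rcpt to", "smtp", "http://"]


def fold(text):
    """Lower-case and strip accents so 'cartão' matches 'cartao'."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def pe_section_names(data):
    """Return the section names of a PE file, or [] if the headers don't parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = first + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def detect_packer(section_names):
    for name in section_names:
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None


def extract_strings(data, min_len=5):
    """cp1252 and UTF-16LE strings. Delphi keeps its Portuguese messages as
    single-byte cp1252, which is why 'á' shows up garbled in plain `strings` output."""
    found = [m.group().decode("cp1252", "replace")
             for m in re.finditer(rb"[\x20-\x7e\x80-\xff]{%d,}" % min_len, data)]
    found += [m.group().decode("utf-16le", "replace")
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found


def triage(data):
    """Answer the 'without running it' questions: hash, packer, and what the strings hint at."""
    sections = pe_section_names(data)
    strings = extract_strings(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sections": sections,
        "packer": detect_packer(sections),
        "banks": sorted({b for s in strings for b in BANKS if b in fold(s)}),
        "credential_prompts": [s for s in strings if any(w in fold(s) for w in CREDENTIAL_WORDS)],
        "network": [s for s in strings if any(w in fold(s) for w in NETWORK_WORDS)],
    }


def build_sample():
    """Constructed stand-in for the quiz file: a minimal PE header with UPX section
    names followed by cp1252 strings taken from the dictionary section. Not the real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymbols, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x10E)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1", b".rsrc"))
    messages = [
        "Banco do Brasil Logando ...... Aguarde.. - Microsoft Internet Explorer",
        "Senha do 'cartão' inválida",
        "Preencha corretamente o campo 'Chave de acesso'",
        "CPF em branco",
        "Bradesco",
        "Gerenciador Financeiro",
        "MAIL FROM:<",  # assumption: SMTP exfiltration strings, not taken from the page
        "RCPT TO:<",
    ]
    blob = b"\0".join(m.encode("cp1252") for m in messages)
    return dos + coff + sections + b"\0\0" + blob + b"\0"


if __name__ == "__main__":
    print(json.dumps(triage(build_sample()), indent=2, ensure_ascii=False))
```

Run it against the real sample with `triage(open("credito-ma4.scr", "rb").read())`. A hit in PACKER_SECTIONS answers question 1 only for packers that keep their default section names; an unknown packer or a packed file with renamed sections needs the usual follow-ups (section entropy, a near-empty import table, the entry point sitting in the last section).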

    Ok guys, now the TIPS for this one:

• Check the previous Quizzes...
• Banco do Brasil, Bradesco, Itau, Unibanco and Nossa Caixa are some Brazilian bank names
• Be sure to allow open relay on your mail server (the lab one, isolated from the Internet)...;)
• Be sure to properly configure your DNS server...;)
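The last two tips describe one lab setup: a DNS server that resolves whatever mail host the sample looks up to a machine you control, and on that machine an SMTP server that accepts any sender and recipient and keeps the message instead of delivering it. As an added example (my own code, not from the diary and not from the malware), here is such a sink. The protocol handling lives in a small state machine that can be exercised offline; the socket handler around it is what you actually run on port 25 in the lab. That the sample exfiltrates over SMTP is what the tips hint at, not something the page states outright, so treat it as the assumption behind this tool.

```python
"""Open-relay SMTP *sink* for an isolated malware lab.

Added example for the two lab tips, not code from the ISC diary or from the
malware: it accepts any MAIL FROM / RCPT TO (so the sample believes it found an
open relay) but delivers nothing, keeping every message the sample tries to send.
Pair it with a lab DNS server that resolves the sample's mail host to this box.
"""
import socketserver
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Captured:
    mail_from: str
    rcpt_to: List[str]
    body: str


class SmtpSink:
    """SMTP server-side state machine, kept separate from sockets so it can be unit-tested."""

    def __init__(self, hostname="mailsink.lab.invalid"):
        self.hostname = hostname
        self.messages: List[Captured] = []
        self._reset()

    def _reset(self):
        self.mail_from: Optional[str] = None
        self.rcpt: List[str] = []
        self.in_data = False
        self.lines: List[str] = []

    def greeting(self):
        return f"220 {self.hostname} ESMTP sink ready"

    def handle_line(self, line):
        """Feed one line (CRLF stripped); return the reply, or None while collecting DATA."""
        if self.in_data:
            if line == ".":
                self.messages.append(Captured(self.mail_from, list(self.rcpt), "\n".join(self.lines)))
                self._reset()
                return "250 OK: captured (nothing is ever delivered)"
            self.lines.append(line[1:] if line.startswith("..") else line)  # RFC 5321 dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.mail_from = arg.partition(":")[2].strip() or arg.strip()
            return "250 OK"
        if verb == "RCPT":
            self.rcpt.append(arg.partition(":")[2].strip() or arg.strip())
            return "250 OK"  # open relay: any recipient is accepted, none is ever reached
        if verb == "DATA":
            if self.mail_from is None or not self.rcpt:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def run_session(client_lines):
    """Drive one SmtpSink with a scripted client; returns (replies, captured messages)."""
    sink = SmtpSink()
    replies = [sink.greeting()]
    for line in client_lines:
        reply = sink.handle_line(line)
        if reply is not None:
            replies.append(reply)
    return replies, sink.messages


class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        sink = SmtpSink()
        self.wfile.write((sink.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = sink.handle_line(raw.decode("latin-1").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break
        for msg in sink.messages:  # what the sample tried to mail out
            print(f"[{self.client_address[0]}] {msg.mail_from} -> {msg.rcpt_to}\n{msg.body}\n")


def serve(host="0.0.0.0", port=25):
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), SinkHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Point the lab DNS at the sink host for any name the sample resolves, run `python3 smtpsink.py` as root (port 25), and the stolen "Senha" and "CPF" values arrive on the console instead of at the attacker's mailbox. The body is decoded as latin-1 on purpose: Delphi malware sends cp1252, and decoding as UTF-8 would drop the accented characters.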

Another thing... What about making this a live quiz? :) The reason is that most of this malware is in Portuguese... and most of you don't speak Portuguese, right? :) So, every time you have a doubt about some phrase or word in Portuguese, you can send me an email and I will post the translation here, ok? :)

So, expect daily updates here... in the Dictionary Section below!

    Dictionary Section:

    Items added - Nov 03 - questions received on Nov 02


  • What's branco? Bank? -> Not quite: "branco" is "blank" (as in "em branco", left empty); "banco" is bank
  • Senha? -> password
  • dfgitos? Is that a typo for dígitos? -> correct (digits)
  • I guess "cartão inválida" is card invalid. -> correct
  • Preencha corretamente? -> fill it in correctly
  • Conta is probably account. -> correct
  • Banco do Brasil Logando ...... Aguarde.. - Microsoft Internet Explorer -> Banco do Brasil is a Brazilian bank...
  • Logando -> logging in, Aguarde -> wait
  • Bradesco? -> a Brazilian bank
  • Senha 'Atendimento' Inválido? What's invalid? -> Invalid self-service password
  • Senha do 'cartão' inválida? -> The card password is invalid
  • CPF em branco? What's CPF? -> Think of CPF as the SSN ("CPF em branco" = the CPF field is blank)
  • Resposta secreta sem branco? Something to do with the bank again... but what? -> Secret answer is blank
  • Preencha corretamente o campo 'Chave de acesso'? -> Fill in the 'Access Key' field correctly
  • Gerenciador Financeiro? -> "Financial Manager", the bank's account-management software
  • Ocorreu um erro no Internet Explorer, abra novamente uma janela de Browser? Probably an error occurred in IE... -> An error occurred in Internet Explorer, open a new browser window
  • Novo sistema de login em fase inicial? -> New login system in its initial phase

    Thanks!

Pedro Bueno ( pbueno //%// isc. sans. org)  - Ah! The answers must be submitted by Nov 30! One month is enough, right?! ;) Ah, again... don't forget to submit in PDF format...

     

    RESULTS! DEC 05

    Hello again!:) First, some statistics about this Malware Analysis Quiz!

    We had 1604 visits to the Malware Analysis Quiz IV.

    We had 173 downloads of our malware.

    Really nice!:)

    Well...about the results:

    The Top 1 was :

- Rudolph Pereira - His analysis can be found here! It was a really complete one, where he provided both dead and live analysis, interacting with the malware.

A new tool was presented in this analysis, the Foremost tool (http://foremost.sourceforge.net): "Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery."

Another good analysis was provided by Antony Thompson. Antony did not get through all of the questions with a live analysis; however, he presented some good points:

- In Antony's analysis, another new tool was presented: DFM Editor. This tool is a "Standalone editor for Delphi Form files (*.dfm) in both binary and text format." and can be found here: http://www.mitec.cz/

- He gave a nice explanation of one string, Shell DocObject View, and pointed to a good read on it: http://www.codeguru.com/Cpp/misc/misc/internetexplorer/article.php/c8163

     

    Guys, really good!!! You got there!

    Now, check our new quiz!

    Pedro Bueno ( pbueno //&&// isc. sans. org )