Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Malware Hunting Guide v1.0

 
Moore
Moderator


Joined: 31 May 2004
Last Visit: 16 Jun 2014
Posts: 758
Location: °°.MooreLand.°°

PostPosted: Sat Mar 04, 2006 2:27 pm    Post subject: Malware Hunting Guide v1.0

#############################################

Malware Hunting Guide

#############################################

By Moore

If you are interested in helping us to track down new Spyware/Adware/Crapware IPs but you have no idea where or how to start, or you are curious how people go about it, this post might offer some useful ideas.

When I started collecting and hunting IP addresses in 2002 there were already many people actively working on fighting spyware, building blocklists and Hosts files.

Researchers such as Eric L. Howes, The Webhelper, Paperghost, Sponge, Andrew Clover, Mike (from MVPS Hosts) and many other experts spend a great deal of their time providing extensive information and methods of protection for people to use.

I hope that more people will get involved in helping to spread the same kind of information, and participate in hunting down and putting a stop to threats that people will face while using the internet, so we can all have a much safer experience.

#############################################

Leading anti-spyware resources:

SpywareWarrior ( Suzi )
Spyware Warrior

StopMalvertising ( Kimberly )
Stop Malvertising
Stop Malvertising - Twitter

Ben Edelman
http://www.benedelman.org/

Paperghost - Chris Boyd
Now working for GFI Labs
Paperghost- Twitter
ThreatTrack Blog

S!ri
S!ri Blog

Roger Karlsson
http://www.kephyr.com/

--

Eric Howes - Security Center
http://www.spywarewarrior.com/uiuc/main-nf.htm

The Rogue Anti Spyware List
http://www.spywarewarrior.com/rogue_anti-spyware.htm

--

The Webhelper - Patrick Jordan
- His site is no longer online - Now working for GFI Labs ( via Sunbelt acquisition )

Alex Eckelberry
GFI Labs / Vipre Product Manager - https://twitter.com/alexeck

Andrew Clover
http://www.doxdesk.com

ReveNews ( Wayne Porter )
http://www.revenews.com/author/wayneporter

###########################################

SPYWARE TRACKING & IP RESEARCH :

Kephyr.com malware research page:
http://www.kephyr.com/spywarescanner/pus-p...ces/index.phtml

Expert Hijack Discussion threads :
http://www.wilderssecurity.com/threads/cws-variants.28658/

Spyware Discussion thread:
http://www.dslreports.com/forum/remark,10399574~mode=flat

BISS Malware IP Research Forum:
http://www.bluetack.co.uk/forums/index.php?showforum=83

Sponge's Anti Spyware Site / Spyware IP blocklist:
- Offline

#############################################


A great insight into the amount of work Eric L. Howes puts into his excellent IE-SPYAD / AGNIS blocklists [ from a post at the dslr forums in 2003 ]:


FAQ: Where does info for IE-SPYAD/AGNIS come from?

By ERIC L HOWES

http://www.dslreports.com/forum/remark,6418090~root=security,1~mode=flat

Quote:
Hi All:

I've been getting this question a lot in recent months (esp. as updates to IE-SPYAD and AGNIS have become more frequent). The answer is a bit involved, so I thought I'd post a somewhat detailed explanation or answer.

I get my info from a number of different sources:

1) Stephen Martin's HOSTS file (and other block lists)

IE-SPYAD and AGNIS were originally based on Stephen Martin's HOSTS file (»www.smartin-designs.com/), and every time he updates the HOSTS file, I update my block lists as well.

When Stephen Martin does release an update, I go through his list of changes, looking for new domains that are primarily associated with advertisers, marketers, and crapware pushers. I then visit those domains to verify that they are in fact used by marketing and advertising outfits. I do not blindly dump updates to the HOSTS file into IE-SPYAD and AGNIS -- I pick and choose.

Also, I do occasionally look at other block lists that folks have built for web filtering programs. Aside from Stephen Martin's HOSTS file, though, many of these other block lists aren't maintained very well, so it's rare that I find much of anything that I didn't already have.

2) SpywareInfo Support Forums

Mike Healan's SpywareInfo hosts several important discussion forums:

»www.spywareinfo . com/yabbse/index.php#3 [ No longer online ]

...where people with spyware problems can seek help. In particular, the "Spywatch," "Spyware Removal," and "Browser Hijacking" forums are esp. useful. Users regularly bring system logs generated with HijackThis! and StartupList (both available from »www.spywareinfo.com/~merijn/ ) into those forums for troubleshooting advice. Those logs (and the discussions that result from them) are invaluable for identifying new sources of spyware/adware/hijackers.

3) Other Spyware Reference Sites

I constantly comb through several well-known spyware reference sites for leads on new forms of crapware and the outfits that distribute them:

and.doxdesk.com
»www.doxdesk.com/parasite/

CounterExploitation
»cexx.org/adware.htm

PestPatrol (Safersite)
»www.pestpatrol.com/
»www.safersite.com/

Spyware Guide
»www.spywareguide.com/

All four of the above sites keep excellent data about spyware, adware, hijackers, and dialers, including distribution and uninstallation information.

4) Anti-Spyware Program Updates

I monitor the updates to programs such as:

Ad-aware
»www.lavasoft.de/

SpywareBlaster
»www.wilderssecurity.net/spywareblaster..

SpyBot Search & Destroy
»security.kolla.de/

...looking for new forms of crapware. SpyBot Search & Destroy is esp. useful because of the included .NFO files that contain detailed info on the programs it targets. Occasionally, all I'll get is the name of a program or direct marketing outfit -- some digging in Google turns up the rest.

5) News Stories

Direct marketers and crapware pushers are often desperate to get their names in front of the public in order to attract sales and investors. Thus, major tech media outlets such as:

CNet
»news.com.com/

IDG
»www.idg.net/

Wired.com
»www.wired.com/news/

ZDNet
»www.zdnet.com/

...(to name a few) regularly carry stories about direct marketing outfits and spyware pushers, esp. those who are doing things new and noteworthy. The online technology sections for newspapers such as:

New York Times
»www.nytimes.com/

San Francisco Chronicle
»www.sfgate.com/

San Jose Mercury News
»www.bayarea.com/mld/mercurynews/

Washington Post
»www.washingtonpost.com/

...are also helpful in this regard.

6) Discussion forums

I monitor privacy & security oriented forums such as:

DSLR/BBR Security forum
»Security

Wilders.org
»www.wilderssecurity.com/

GRC's newsgroups
»grc.com/discussions.htm

...as posters often provide useful info about and pointers to new forms of advertising and spyware.

7) Web sites of direct marketers themselves

I spend a good amount of time going through the web sites of known advertisers and spyware pushers themselves. You'd be surprised what a little digging can turn up. When I visit a direct marketer's web page, I look at the HTML source as well as the following sections of the web site (if they exist):

* About Us (Our Company)
* Partners
* Privacy Policy
* Products
* Services
* History
* Demos
* Contact Us

I'm looking for affiliated/related web sites, names of products and services, names of partners/affiliates, etc. Esp. in the case of adult-oriented companies, the network of relationships can be quite complicated.

I'll often follow up by doing searches within Google (which can be a more trustworthy/reliable source of info than the marketers and crapware pushers themselves). Occasionally I stumble across web sites that yield a "mother lode" of links to direct marketers and crapware pushers. This is esp. true of web sites targeted towards webmasters (and adult site webmasters), as such web sites often include handy indices of direct marketing networks, technologies, and partnering programs that webmasters might be interested in.

A lot of this is just persistence and following one link to another, looking through the HTML source for web pages, or taking the name of a marketing outfit and digging for info in Google.

8) My own web-surfing

I monitor my firewall logs and track down new entries based on info that I find there. I pay attention to what's happening at web pages that I visit. I've even been known to drop all my "defenses" and deliberately go trolling for spyware and other obnoxious direct marketing gimmicks at dodgy web sites.

If I come across an unfamiliar program, I'll download it and inspect it. I unpack .CAB files when necessary, and look at the Properties and Digital Signatures for each file. I also look at installer .INF files for clues as to the origin or author of the program. Again, often all it takes is a name that I can plug in to Google.

---

So, there's no one source for the information that feeds into AGNIS and IE-SPYAD. It comes from a lot of different places.

Hope the above has been of interest.

Best,

Eric L. Howes


#############################################


Last edited by Moore on Mon Jun 16, 2014 3:22 am; edited 9 times in total
Moore
Moderator

PostPosted: Sat Mar 04, 2006 3:16 pm

««««««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
««««««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

:: Malware Hunting Guide - Version 1::

««««««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
««««««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

By Moore

:: [ work in progress ] ::

This is my basic setup for hunting malware hijack sites for harvesting their IP addresses.

It's a work in evolution so expect some changes...

When dealing with live hijack sites/exploits, VMware is probably one of the best ways to safely investigate malicious sites, protecting the physical host computer from any potential damage.

Basically VMware allows you to run a virtual operating system, including various Linux distros and almost all Windows operating systems. [ for those that have never heard of these virtual thingies? ]

-

I use the workstation version , but you can find more information about the free VMWare server here:
http://en.wikipedia.org/wiki/VMware_Server

GSX Setup guide by Wng_z3r0 :
>> Site Offline

Free VMWare Player:
http://www.vmware.com/download/player/

You can also get a free copy of the Browser Appliance Virtual Machine -
http://www.vmware.com/vmtn/vm/browserapp.html

Download pre built virtual machines:
http://www.vmware.com/vmtn/vm/
http://www.vmware.com/vmtn/vm/community.html

-

I used nLiteOS to build my own custom XP Pro installation CD to run as an .iso image in VMware. With nLiteOS you can remove most things from Windows that are not needed, especially services, programs and files, to reduce your installation CD / .iso size dramatically.

http://www.nliteos.com/

I find that this way the test system runs a lot smoother and lighter for getting hijacked than my regular system, and this is also very helpful if you have limited RAM in your host OS.

-

For security , It's a good idea to check that drag and drop & shared folders are disabled in your VMWare guest OS preferences.

Please read the Vmware sticky! [for links to install guides and info ]
http://www.bluetack.co.uk/forums/index.php?showtopic=7749

-

Older versions of VMware have a vulnerability in vmnat [ network address translation ], which could allow exploit code to be executed on the host computer. So use the current version, or don't use NAT if you are going to use an older version. Or just try to make sure your host computer is very well protected.. ;)

-

:: Virtual Options ::

You could also use Virtual PC instead of VMWare if you prefer.

Software such as Faronics Deepfreeze / Shadowstor's ShadowUser can create virtual disks to protect your physical operating system if you cannot run a virtual operating system in VMWare/VirtualPC.

Deep Freeze allows you to freeze a copy/snapshot of your hard drive, and you can revert your hard drive back to that original clean state on reboot unless you are in thaw mode.

While in thaw mode your computer is not protected, and you can perform any system maintenance/updates etc. before switching back to freeze mode again. To save any data while in freeze mode you will need to set up a thawed partition to store that data.

ShadowUser uses up your hard drive space but works very well and allows you to save changes to disk that you approve. It's not really the best option if you have low disk space, but more suited for those with a lot of free space.

ShadowSurfer http://www.shadowstor.com/download.html is freeware and will allow you to surf protected, but it does not allow you to save any data, so you would have to write down any information you need for evidence.

FirstDefense-ISR etc might also be an option. Goback is another similar protection but I can't recommend the Symantec version.

System restore built into windows is not recommended and certainly not reliable.

You could also use a knoppix bootdisk or whatever else you prefer that will protect you. There are probably even more options if you look hard enough.

What if you choose to do malware hunting on your normal computer anyway?

Without any of those protections listed above, you risk direct infection from trojans, viruses, all kinds of malware/exploits, keyloggers and rootkits. You may need to at least have a disk image for restoring a backup when your system gets toasted beyond repair. Not if but when.

If you aren't using VMware or some other protection to shield your system, you should at least back up your registry beforehand.

Make copies of all the system files that will probably get infected , and implement various system monitors so you can detect and remove anything malicious/unwanted after the hijack.

««««««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

IP HUNTING

««««««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

You could call it footprinting or network reconnaissance , I like to call it IP hunting .

There are many ways of getting IPs. Maybe start your search with a site picked from a spyware blacklist / hosts file and see where it leads: researching people's HijackThis logs for hijack links, song lyric sites, your local bad crack site, trojanised pornsite farm or wherever you think you might find this junk. Using Google, search for keywords that relate to hijacks, blacklists, exploits etc. There is a lot of activity to be found if you look for it. Adult webmaster forums will often expose malicious sites.

If you are a beginner, start with the small stuff [ if you want ] and work your way up to the nasty stuff. At least if you wind up in over your head and you are in a virtual OS you can easily revert any damage, which is not so easy to recover from if you do it on your actual system without being fully prepared.


So , the first step is to identify your target.

Learn to develop your own network for finding new sites that need investigating or blocking. The first post ^ in this thread should help give you some ideas. ;)

Next, try to gather any information about the site without actually visiting it; you can even grab its source code without needing to visit the site.

A quick Google search, whois and retrieving the source code shouldn't take more than a few minutes, and you will have the basic information on the site to work with.

Information digging.

At Bluetack you can use the BIMS database to whois sites and see if they are listed already or not in the Hosts file and blocklists.

If you only have an IP address to start with , use Centralops to get more info through the domain dossier page:

http://centralops.net/co/

If you have the domain name of the site , use whois.sc to get a list of all domains listed on the same IP.

http://www.domaintools.com/

I recommend joining up to whois.sc so you can use the reverse whois page for extra details on the sites..

More good whois sites:

http://whois.webhosting.info
http://www.samspade.org/
http://www.dnsstuff.com/
http://www.completewhois.com/
http://www.all-nettools.com/toolbox
http://www.demon.net/external/

http://ws.arin.net/cgi-bin/whois.pl - wildcard search
http://ripe.net/cgi-bin/search/gdquery.cgi?
http://www.apnic.net/apnic-bin/whois.pl

Good search page:
http://www.fixedorbit.com/search.htm

Look up IP's in the spam db here :
http://spews.org/

Tracing Tools:
http://www.spamhuntress.com/wiki/Tracing_tools

Tutorials:
http://www.spamhuntress.com/wiki/Tutorials

Spam Tracking Page:
http://www.rahul.net/falk/index.html#howtos

IP Hunting Guide:
http://www.bluetack.co.uk/forums/index.php?showtopic=52

--------------------------------------------------------
::Protected Browsing:
--------------------------------------------------------

Input a url and retrieve page source code information without the need to access the site directly:

http://www.web-sniffer.net/
http://sniffuri.org/
http://python.morp.org/harpy/
http://www.submitexpress.com/snooper/

Linkscanner can scan a page for hidden exploits :

http://linkscanner.explabs.com/linkscanner/


--
The online HTTP viewer page by Rex Swain can grab most pages' source code; it will not work on all sites though.
--
HTTP VIEW PAGE :
--
http://www.rexswain.com/httpview.html

Other tools:
http://www.rexswain.com/cgi-bin/cookie.cgi
http://www.rexswain.com/ssidemo.shtml

------

The freeware program sam spade 1.14 has a source grabber :

http://www.samspade.org/ssw/
http://www.samspade.org/ssw/download.html
http://www.samspade.org/ssw/screenshot.html

Quote:
Browse the web, viewing the raw HTTP traffic rather than the rendered HTML. This lets you see the http headers and the raw HTML. Very handy for debugging CGI scripts.

It will not send any identifying information to the webserver, and by not supporting file download, java, javascript, cookies or anything else it has far fewer security holes than real browsers. As it doesn't render the HTML it makes attempts to hide information (such as hidden form fields, white-on-white text, meta fields etc.) obvious. These make it a useful tool for investigating malign websites


--

You may come across sites with encoded links that load the hijacks , and at first glance they may not look like much but these are hidden for a reason.

http://webhelper4u.com/CWS/VladZone/cws_vl...neexploits.html

Here is a small list of javascript decoders and tools that may help:

http://www.samspade.org/t/js.cgi - not working ?
http://www.netdemon.net/tools.html
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
http://www.opinionatedgeek.com/dotnet/tool...IP/default.aspx
http://gosu.pl/dhtml/JavascriptDecoder.html
http://gosu.pl/demo/JavascriptDecoder/JavascriptDecoder.html
http://spamlinks.net/track-trace-decode.htm

This site below may give off an alert for NOD32 [ or possibly some other anti-virus ] users about a trojan from the page in temporary files, but it's just a false positive from the JavaScript in the code examples.
It has got some very good info:
http://scriptasylum.com/tutorials/encdec/encode-decode.html

http://www.gooby.ca/decrypt/ - javascript decoder -
http://www.gooby.ca/decrypt/decoders/ord2char.php
http://www.saltstorm.net/lib-soya/examples...oder.wbm?pod=js
http://www.greymagic.com/security/tools/decoder/
http://javascript.internet.com/equivalents/url-revealer.html
http://www.monetizers.com/encoder-decoder.php

---------------------------------------------------------------------------------
::The Hijack::
---------------------------------------------------------------------------------

There are no rules as to how you should go about recording a hijack , everyone has their own tools and techniques , you will need to work on your own methods for harvesting malware sites safely.

This part may take a long time, as bundled hijacks can keep downloading more malware until your system practically dies.

The main thing you need to do is take the steps to ensure you are not also a victim, and your computer doesn't end up a spambot or, worse, rendered unusable. [ i.e.: use VMware ]

Blocking port 25/SMTP in your external/host firewall is always a good idea. You can log all the outbound connections from a spambot hijack in your test system without actually allowing anything to escape your system onto the net and cause havoc to others.

So, load up the hijack site and let it go and do whatever it has to do to infest your computer, while you log it all with such things as a registry monitor, file monitor and firewall logs.

A sniffer is also a very good idea so you can get a detailed view of any information being sent , including the packet contents which will be useful when dealing with stealth keyloggers or any other stealth transmissions.

I will sometimes run a sniffer inside the guest os and on the outside host os as well for comparison , depending on what I think I will be dealing with.

Most of the time you can never really know what's going to happen, so just try to be prepared.

Sometimes too much information in all these logs can just drive you nuts.

One thing I use is filemap bootlog to log all the new exe files that will show up on reboot and sometimes dirmon to log file changes in C drive , windows and system32 folder. There are many free file monitors available.

Regrun anti file replacement will also help keep track of your important files and let you know which ones have been attacked and let you make backups , as well as detecting changes to the registry and allowing you to backup the registry keys.


Load up the hijack site -


On the first run of the site sometimes I will use SSM or ProcessGuard to block each file as it loads , to freeze each of the hijack .exe's .dll injections/API calls while I make a rar copy of the file in the folder directory its located in.

I use a dual paned windows explorer to be able to move around and track where the files are executing from.

I sometimes use a program called piky basket, which is helpful for collecting malware files on the fly. It's like a virtual basket that you load files into and then move them all at once to your specified malware storage folder.

You could also just start the hijack and kick back and wait for it to finish, then collect your logs and files, if your system survived.

I use SSM's alert window or Outpost component control [ if it pops up ] to find the location/path of the file. This works well for collecting any .bat and .tmp files before they can self-delete. I want to get everything they use to run the hijack, not just the files they leave behind.


let the hijack run and fill up your logs ..


The filemon and regmon logs will fill up very fast, so it's a good idea to set up the filters to not log any of your other programs. I log explorer and exclude as much else that's running as I can.. there is a limit though to how many programs you can exclude from the logging.


Collect logs [ Inctrl, filemon, regmon , outpost, sniffer logs ] + all malware files

I rename any files that are collected, changing the file extension from file.exe to file.exe.old for example, so they aren't able to execute, and then rar/zip them.

Scan files at jotti / virustotal and with various scanners [ kaspersky , ewido , etc whatever you prefer] for evidence:


http://www.kaspersky.com/scanforvirus
http://virusscan.jotti.org/
http://www.virustotal.com


You should password protect them if you plan on submitting the malware files to anyone , so they do not get eaten by the spam filters/antivirus.


Now maybe restore your computer's snapshot / image.. or live with the junk on your computer for a bit and slowly tear it to bits and learn a bit more about how they breed.. leaving just one tmp file behind for instance may result in the full-blown infection recurring soon after your clean up... so you get to do it all over again :D

You can use this point to practice your malware removal skills and tools without breaking someone else's computer if you make a few mistakes.

--


The next step , on my test computer is to unpack/disassemble each of the files I have collected.

The aim is to search for any url strings or IPs that may be used and record them into the log for submission.


Packed/Compressed/Crypted files

From the Viruslist's Watershed in malicious code evolution page ,
http://www.viruslist.com/en/analysis?pubid=167798878

Quote:
Cyber criminals are using packing programs more and more frequently in an attempt to make their malicious programs undetectable.

Year Increase in packed malware relative to other malware

2003 28.94%
2004 33.06%
2005 (forecast) approx. 35%


Not all files will be packed , but the more deadly files will usually be packed and crypted to try to evade detection and "attempt" to stop people from inspecting the code.

An example of the various protection tools available:
http://www.softpedia.com/get/Programming/P...ers-Protectors/

Sometimes I'll use the view option inside WinRAR to read a file just to see if there's anything identifiable. You can usually tell what kind of file you are dealing with by looking for simple things like "This program cannot be run in DOS mode" etc., which would mean it's a Win32 program and has a PE header.

PE file format:
http://msdn.microsoft.com/msdnmag/issues/0...PE/default.aspx
http://msdn.microsoft.com/library/default....n_peeringpe.asp
http://win32assembly.online.fr/pe-tut1.html

So you could try scanning it with peid to find out if the file has been packed or not -

Quote:
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 470 different signatures in PE files


http://peid.has.it/

-

If you have spybot you could also try this:
http://www.safer-networking.org/en/filealyzer/
Quote:
FileAlyzer is a tool to analyze files - the name itself was initially just a typo of FileAnalyzer, but after a few days I decided to keep it. FileAlyzer allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE).

Using FileAlyzer is as simple as viewing the regular properties of a file - just right-click the file you want to analyze and choose Open in FileAlyzer.


-

UPX is a very popular compressor for packing files, probably because it's freeware, http://upx.sourceforge.net/ - and UPX-packed files can be easily unpacked using upx -d

http://www.pe-explorer.com/
- PE-explorer has a built in upx unpacker plugin.

Resource Hacker can help view unpacked files :
http://www.angusj.com/resourcehacker/

-

Some interesting scenarios to get you thinking :D

http://www.counterhack.net/0x10_first_place.html
http://www.counterhack.net/0x10_second_place.html
http://www.counterhack.net/0x10_third_place.html

Deeper look into Malware:
http://searchlores.org/malware.htm

Use a program to extract the strings [ any readable letters / characters ] :

Process Explorer (procexp) from sysinternals.com for string/memory dumps of running processes is the best by far.. [ download link further down ]

From Foundstones forensics toolkit ,
BinText : Finds Ascii, Unicode and Resource strings in a file.

http://www.foundstone.com/resources/freetools.htm
http://www.foundstone.com/resources/proddesc/bintext.htm

Sysinternals strings extractor:
http://www.sysinternals.com/Utilities/Strings.html

You could also try using urlsearch* to extract IPs and domains from most files [.html, .exe files etc etc] a lot quicker than you ever could by hand.

--

Here's a sample file xxxx.exe , programmed in delphi , unpacked , which holds the following urls to load even more files from .loadcash.biz hijack site , disassembled with IDA free.


Code:

SLP0040365C_http___www_loadcash_biz_adverts_:
   db 'z11.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP0040364C_1_dat:
   db '1.dat'
   Align 4
   dd FFFFFFFFh
   dd 0000002Fh
SLP0040365C_http___www_loadcash_biz_adverts_:
   db 'http://www.loadcash.biz/adverts/soft/reserv.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000007h
SLP00403694_z12_exe:
   db 'z12.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP004036A4_2_dat:
   db '2.dat'
   Align 4
   dd FFFFFFFFh
   dd 0000002Bh
SLP004036B4_http___www_loadcash_biz_adverts_:
   db 'http://www.loadcash.biz/adverts/soft/12.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000007h
SLP004036E8_z13_exe:
   db 'z13.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP004036F8_3_dat:
   db '3.dat'
   Align 4
   dd FFFFFFFFh
   dd 0000002Dh
SLP00403708_http___www_loadcash_biz_adverts_:
   db 'http://www.loadcash.biz/adverts/soft/ieac.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000007h
SLP00403740_z14_exe:
   db 'z14.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP00403750_4_dat:
   db '4.dat'
   Align 4
   dd FFFFFFFFh
   dd 0000002Dh
SLP00403760_http___www_loadcash_biz_temp_sof:
   db 'http://www.loadcash.biz/temp_soft/on-line.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000007h
SLP00403798_z15_exe:
   db 'z15.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP004037A8_6_dat:
   db '6.dat'
   Align 4
   dd FFFFFFFFh
   dd 00000030h
SLP004037B8_http___www_loadcash_biz_adverts_:
   db 'http://www.loadcash.biz/adverts/soft/desktop.exe'
   Align 8
   dd FFFFFFFFh
   dd 00000007h
SLP004037F4_z16_exe:
   db 'z16.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP00403804_7_dat:
   db '7.dat'
   Align 4
   dd FFFFFFFFh
   dd 00000030h
SLP00403814_http___www_loadcash_biz_adverts_:
   db 'http://www.loadcash.biz/adverts/soft/toolbar.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000009h
SLP00403850_cmd32_exe:
   db 'cmd32.exe'
   Align 4
   dd FFFFFFFFh
   dd 0000000Bh
SLP00403864_twink64_exe:
   db 'twink64.exe'
   Align 4
   dd FFFFFFFFh
   dd 0000000Ah
SLP00403878_host32_exe:
   db 'host32.exe'
   Align 4
   dd FFFFFFFFh
   dd 0000000Dh
SLP0040388C_intronsad_exe:
   db 'intronsad.exe'
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP004038A4_5_dat:
   db '5.dat'
   Align 4
   dd FFFFFFFFh
   dd 0000002Eh
SLP004038B4_http___www_loadcash_biz_adverts_:
   db 'http://www.loadcash.biz/adverts/soft/block.exe'
   Align 4
   dd FFFFFFFFh
   dd 0000002Eh
SLP004038EC_Software_Microsoft_Windows_Curre:
   db 'Software\Microsoft\Windows\CurrentVersion\Run\'
   Align 4
   dd FFFFFFFFh
   dd 00000021h
SLP00403924__internat_dll_LoadKeyboardProfil:
   db ' internat.dll,LoadKeyboardProfile'
   Align 4
   dd FFFFFFFFh
   dd 0000000Ch
SLP00403950_ControlPanel:
   db 'ControlPanel'
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP00403968__adv_:
   db '?adv='
   Align 4
   dd FFFFFFFFh
   dd 00000005h
SLP00403978__num_:
   db '&num='
   Align 4



You can get a free version of IDA pro which works ok or Ollydbg etc .. [ see tools list below ]

For more info see:

http://www.openrce.org/
http://www.securityfocus.com/infocus/1637
http://www.securityfocus.com/infocus/1605
http://www.zeltser.com/reverse-malware-paper/

Good info:
http://www.securitywarrior.com/

Reverse Engineering Hostile Code
http://www.lurhq.com/reverseengineering.pdf

IDA Forum:
http://www.datarescue.com/cgi-local/ultimatebb.cgi


#######################################


Last edited by Moore on Mon Jun 16, 2014 3:23 am; edited 6 times in total
Moore
Moderator


Joined: 31 May 2004
Last Visit: 16 Jun 2014
Posts: 758
Location: °°.MooreLand.°°

PostPosted: Thu Sep 28, 2006 9:22 am    Post subject:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

:: MALWARE HUNTING TOOLS :: [work in progress] ::

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

The setup :

//////////////////////////////////////////////////////////////////////////////////////

By Moore

These are just my preferences , you might rather use something else. Whatever works best for you, use it.


XP sp1 Host computer running VMWare :

- Router
- Outpost 2.5 in block most mode + HTTP log [ blockpost disabled ]
- Sniffer [ commview/whats transferring/smartsniff etc ] -
- Usual security apps

-

XP sp1 VMWare guest OS

- VMWare settings: NAT mode

- Outpost 3.51 in rules wizard mode
- spyware plugin disabled / component control on normal / HTTP logger plugin for recording urls/IPs -

Rules wizard mode prompt - Helpful if you want a controlled infestation and screenshots like this :



- System Safety Monitor application monitor enabled only -

I use it for monitoring what files are being executed/hijacked and preventing file execution:



- Regrun
+ registry backup/restore utility/watchdog/registry tracer + registry/services monitor..

Registry Tracer watches [ custom] registry keys for modifications.
Customisable anti-replacement/file protection list for any system/program files.

Helps to detect and remove spyware/trojans/viruses, has an internal weekly-updated database of malicious files, and detects a wide range of system modifications [ and lots lots lots more ]

+ anti file replacement - on shutdown this will catch any protected files being replaced like wininet.dll and let you make a copy of both files before shutting down.




Inctrl

Make before and after shots of your system/drive for comparison , to determine what files were modified or added.

Run this before the hijack and then again after it's all installed to get a log of the changes in the registry. Also take before- and after-hijack copies of this log for comparison ..

-

Regshot is a free alternative to Inctrl..

Quote:
RegShot is a small utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot1 and snapshot2. In addition, you can also specify a folder (with sub folders) to be scanned for changes as well.


http://www.snapfiles.com/get/regshot.html
http://www.snapfiles.com/screenshots/regshot.htm

-

Filemap by BB

Logs all new files in your system after reboot and allows you to compare with previous alerts/logs.

-

Sysinternals Software :

Filemon - monitors file activity
Regmon - monitors registry activity
ProcessXP - monitors running processes
TCPview - monitors active internet connections

-

Port Explorer - may be useful in detecting hidden transmissions; also has a packet spy feature.

SmartWhois - Blocklist Manager Whois / any whois site etc
Tracking down those responsible through their domain / network info.

-

The Unlocker -
Great for deleting files that are either locked or in use , can delete multiple files at once or delete difficult files on reboot.

http://ccollomb.free.fr/unlocker/

-

I either disable my Hosts file or make sure not to install a custom one for running hijacks , so nothing gets blocked.

Always remember to check the Hosts file to see if it's been replaced by redirections to more hijack sites/blocking antivirus sites and save the data as evidence too.

Location:
%\system32\drivers\etc\hosts

When I run a hijack harvest I want to be able to monitor as much as possible without restricting the infection too much.

Sometimes when I feel I have enough data to go through, I'll just switch on Blockpost/Outpost[blockmost] and ProcessGuard to block everything running that's malicious.. or even then reboot and remove everything from startup registry keys with Regrun , and start collecting all the files once everything has been locked down...

##################################
:: Tools List ::
##################################

Blue = shareware - Green = Freeware

##################################

Outpost Firewall Pro 3.51/4.0 --

[ With HTTP logger plugin ]

The leading software firewall available , offers real time spyware protection and catches infections in its database immediately.

New powerful host intrusion protection features now available in 4.0 version.

Extensive logging of all internet connections / Domain-IPs / HTTP transmissions including all files used..

Outpost 4.0 :
http://www.agnitum.com/

HTTP logger plugin :
http://www.outpostfirewall.com/forum/showthread.php?t=11668

Regrun
http://www.greatis.com

SSM - System Safety Monitor - [Still free for now]
- Stops malware in its tracks.
http://syssafety.com/product.html

ProcessGuard:
http://www.diamondcs.com.au/processguard/
Advanced Process Termination :
http://www.diamondcs.com.au/index.php?page=apt
Advanced Process Manipulation :
http://www.diamondcs.com.au/index.php?page=apm


Sysinternals-
http://www.sysinternals.com/

Filemon - monitors file activity in realtime
http://www.sysinternals.com/Utilities/Filemon.html
Regmon - monitors registry activity in realtime
http://www.sysinternals.com/Utilities/Regmon.html
ProcessXP - monitors running processes
http://www.sysinternals.com/Utilities/ProcessExplorer.html
TCPview - monitors active internet connections
http://www.sysinternals.com/Utilities/TcpView.html
Autoruns - comprehensive auto startup manager
http://www.sysinternals.com/Utilities/Autoruns.html
Rootkit scanner
http://www.sysinternals.com/Utilities/RootkitRevealer.html

[ IDA freeware version download ]
http://www.datarescue.be/idafreeware/freeida43.exe

LordPE
http://www.softpedia.com/get/Programming/F...rs/LordPE.shtml
http://mitglied.lycos.de/yoda2k/LordPE/info.htm

OllyDbg:
http://www.ollydbg.de/
http://www.ollydbg.de/quickst.htm

Graphical Interface to RegSvr32 1.0
http://www.softpedia.com/progDownload/Grap...nload-2899.html

Dependency Walker 2.1
http://www.dependencywalker.com/

Quote:
Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.



Filemap
http://www.dogkennels.net/filemap/

Monidir:
http://www.contactplus.com/products/freestuff/monidir.htm

Dirmonitor:
http://www.snapfiles.com/get/dirmonitor.html

Cachemonitor:
http://www.enigmaticsoftware.com/cachemonitor/

ApiMonitor:
http://www.rohitab.com/apimonitor/

*Urlsearch:
http://people.freenet.de/h.ulbrich/
http://people.freenet.de/h.ulbrich/urlsscr.png

Sam Spade 1.14
http://www.samspade.org/ssw/download.html

Belarc Advisor:
http://www.belarc.com/free_download.html

Fingerprint [ install monitor ] :
http://www.snapfiles.com/get/fingerprint.html

What Is Transferring :
Freeware sniffer
http://www.wfshome.com/wit.htm

Attribute changer
Lazy way to change file attributes , handy for resetting malware files that are set as hidden /system files.
http://www.snapfiles.com/get/achanger.html


==

More tools:
http://programmerstools.org/taxonomy/term/58
http://www.insecure.org/tools.html
http://www.softpedia.com/get/Programming/
http://invisiblethings.org/tools.html
http://www.snort.org/docs/snort-win2k.htm

===

------------------------------------------
Recovery Console:
------------------------------------------

http://www.computerhope.com/issues/ch000627.htm
http://www.iamnotageek.com/a/52-p1.php

------------------------------------------
Command-line reference A-Z
------------------------------------------

http://www.microsoft.com/resources/documen...-us/ntcmds.mspx
http://www.microsoft.com/resources/documen...us/percent.mspx


##################################


Submit malware harvest logs/ malware IPs here:
http://www.bluetack.co.uk/forums/index.php?showforum=83


##################################


Bluetack guide to Sniffers:
http://www.bluetack.co.uk/forums/index.php?showtopic=1384

Anti-trojan/Rootkit Guide:
http://www.spywarewarrior.com/viewtopic.php?t=10027

More on file monitors:
http://kareldjag.over-blog.com/categorie-69557.html


///////////////////////////////////////////////////////


Report sites/companies:

Register Your Complaint About Malware That Has Infected You
http://www.malwarecomplaints.info/


//////////////////////////////////////////////////////


Submit Malware files here:

Quote:

Agnitum:
http://www.agnitum.com/products/outpost/submit_files.php

Sunbelt
http://research.sunbelt-software.com/software_submission.aspx

PCTools :
http://www.pctools.com/mrc/submit/

Kephyr.com
analyse [at] kephyr.com

Panda Software Virus Sample Submission
http://www.pandasecurity.com/submitvirus.htm

Symantec/Norton Virus Sample Submission
http://securityresponse.symantec.com/avcenter/submit.html

AVG
E-mail Address(es):
virus@grisoft.cz

[Network Associates/McAfee Virus Sample Submission]
http://www.mcafeehelp.com/displaydoc.asp?d...&CategoryId=243

Computer Associates
E-mail Address(es):
virus@cai.com

DrWeb
E-mail Address(es):
Antivir@dials.ru

F-Prot
E-mail Address(es):
viruslab@f-prot.com

F-Secure
E-mail Address(es):
samples@f-secure.com

Kaspersky
E-mail Address(es):
newvirus@kaspersky.com

TrojanHunter
E-mail Address(es):
submit@trojanhunter.com

McAfee
E-mail Address(es):
virus_research@nai.com

NSClean/BOClean
E-mail Address(es):
support@nsclean.com

Nod32
E-mail Address(es):
samples@nod32.com

Norman Antivirus
E-mail Address(es):
ANALYSIS@NORMAN.NO

Sophos
E-mail Address(es):
samples@sophos.com

Trend Micro
E-mail Address(es):
virus_doctor@trendmicro.com

Lavasoft
E-mail Address(es):
research@lavasoft.de



####################################

Feel free to post any comments , questions or additions that may be useful here:

http://www.spywarewarrior.com/viewforum.php?f=23

Good hunting !


####################################
© Moore - www.bluetack.co.uk ®
####################################
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |
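Added example, not from the post: a Python check for the Hosts-file hijack described above. It parses a constructed hosts file (192.0.2.0/24 and example.net stand in for a real redirect target and hostname), flags every mapping other than the stock localhost line, separates null-routed blocks from redirects to a routable address, marks names from a watch list assembled from the vendor sites in the submission list, and hashes the file so it can be kept as evidence.

```python
import hashlib
import ipaddress

# Constructed hosts file as it might look after a hijack. 192.0.2.0/24 is a
# documentation range standing in for the real redirect target.
HIJACKED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.sophos.com               # vendor site null-routed
192.0.2.10      www.kaspersky.com securityresponse.symantec.com
192.0.2.10      www.spywarewarrior.com update.example.net
"""

# Names we never expect in a clean hosts file on the harvest box, assembled
# from the vendor sites in the submission list above (extend as needed).
WATCHLIST = {"www.sophos.com", "www.kaspersky.com",
             "securityresponse.symantec.com", "www.spywarewarrior.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and junk lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()

def verdict(ip, name):
    """'ok' for the stock localhost line, 'block' for a null route (loopback or
    0.0.0.0), 'redirect' when a name is pointed at a routable address."""
    if name == "localhost":
        return "ok"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    return "block" if addr.is_loopback or addr.is_unspecified else "redirect"

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (findings, sha256) so the file can be kept as evidence."""
    findings = [{"host": name, "ip": ip, "verdict": verdict(ip, name),
                 "watchlisted": name in watchlist}
                for ip, name in parse_hosts(text)]
    findings = [f for f in findings if f["verdict"] != "ok"]
    return findings, hashlib.sha256(text.encode()).hexdigest()
```

On a harvest box that started without a custom Hosts file, any finding at all is a change made by the infection; the redirect entries are the ones whose target addresses belong in the IP submission.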