recvfrom / contributor

Proof-of-Concept for a program to help people contribute to Snort/ClamAV
https://recvfrom.github.io/contributor/

VBScript found in a Windows PE - Houdini / H-Worm #2

Open recvfrom opened 5 years ago

recvfrom commented 5 years ago

Overview

Analyze the Houdini / H-Worm VBScript and write a ClamAV signature that detects it

Proposal

The Houdini / H-Worm VBScript is a fairly simple RAT written in VBScript. It is documented in detail at: https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

We've seen new variants surface as Windows Executables created by VbsEdit, a tool that creates PEs from a given VBScript. We've written a ClamAV bytecode signature that extracts the underlying scripts from these executables, and would like to leverage that to match on the underlying malicious VBS.

Technologies Involved

Expected Difficulty

Technical Info

PEs containing the VBScript:

437c82a99f51664157b26a17ec5cf50e1090e41d31bc51cd490b9b46a0defc2d
5284908fbd95d51512f2a7e716de73a8e2ff8ffa3192a0718f67504e0ad62756
7ff87433d61252f3b8660946e42cc2ca9c2eb73d668565c81ea49afba36ae7a8
9409d75ac21ce39c66fc64f621c70dfafc5ff143899c23a5bdbe2ac5624c8699
a73056c1e6f5b38fc5785d3ec5b71dedd2d22582650cd0e891cab2d655ebc85b
be19bcffbc608d6d1039d08dff5b8730886413121ee569654c81e00ad5d835f8
d77f6c30ca497858d9639f5b49d82ed301d3caf69987151d39eb2f6445010b5d
faf226f245e59507ef84d2f8c52e0718ff9a147a37008c88d1dab005ec100479
fd5ad7560ebcec8df84511da5fbe5eaf9b8965f288a547432351709ee28af605

Use clamscan --debug --leave-temps <sample dir> 2>&1 | grep "bytecode: scanning extracted file" to extract.

All samples can be downloaded from malshare.com

recvfrom commented 5 years ago

<<<<<<<<<< Hello recvfrom, I would like to work on this!

recvfrom commented 5 years ago

>>>>>>>>>> Great! The issue has been assigned to you

(TODO Boilerplate text about where to get help, a reminder to keep the ticket updated with progress and to unassign it to yourself if you can't end up working on it, the next steps in the process, etc.)

recvfrom commented 5 years ago

<<<<<<<<<< I've analyzed the malware and here is my report:

[RESEARCH NOTES]
The samples had the following variations from what was described in the report: 
<...>

[DETECTION BREAKDOWN]

Vbs.Malware.Hworm;Engine:51-255,Target:7;0&1;22706f7374222c22687474703a2f2f22202620686f737428646e73292026222f222026202269732d73656e64696e6722;3d20706f737420282269732d7265616479222c696e666f726d6174696f6e29

Look for two strings related to interacting with the malware's C2

VIRUS NAME: Vbs.Malware.Hworm
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: 0&1
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
"post","http://" & host(dns) &"/" & "is-sending"
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
= post ("is-ready",information)

[ALERTS]

$ clamscan -d followon.ldb Hworm/
Hworm/5284908fbd95d51512f2a7e716de73a8e2ff8ffa3192a0718f67504e0ad62756: Vbs.Malware.Hworm.UNOFFICIAL FOUND
Hworm/d77f6c30ca497858d9639f5b49d82ed301d3caf69987151d39eb2f6445010b5d: Vbs.Malware.Hworm.UNOFFICIAL FOUND
Hworm/7ff87433d61252f3b8660946e42cc2ca9c2eb73d668565c81ea49afba36ae7a8: Vbs.Malware.Hworm.UNOFFICIAL FOUND
Hworm/be19bcffbc608d6d1039d08dff5b8730886413121ee569654c81e00ad5d835f8: Vbs.Malware.Hworm.UNOFFICIAL FOUND
Hworm/a73056c1e6f5b38fc5785d3ec5b71dedd2d22582650cd0e891cab2d655ebc85b: Vbs.Malware.Hworm.UNOFFICIAL FOUND
Hworm/fd5ad7560ebcec8df84511da5fbe5eaf9b8965f288a547432351709ee28af605: Vbs.Malware.Hworm.UNOFFICIAL FOUND
Hworm/faf226f245e59507ef84d2f8c52e0718ff9a147a37008c88d1dab005ec100479: Vbs.Malware.Hworm.UNOFFICIAL FOUND
Hworm/9409d75ac21ce39c66fc64f621c70dfafc5ff143899c23a5bdbe2ac5624c8699: Vbs.Malware.Hworm.UNOFFICIAL FOUND
Hworm/437c82a99f51664157b26a17ec5cf50e1090e41d31bc51cd490b9b46a0defc2d: Vbs.Malware.Hworm.UNOFFICIAL FOUND
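A small decoder for the .ldb line in the report above, written as an added example (it is not from the ticket or from ClamAV's own sigtool): it splits the signature into its fields, hex-decodes both subsignatures into the breakdown shown, and evaluates the 0&1 logical expression against constructed script fragments that stand in for an extracted VBS.

```python
"""Decode a ClamAV .ldb logical signature and test it against script text.
Added example (not part of the ticket or of ClamAV's tooling); it reproduces
the breakdown shown for Vbs.Malware.Hworm and evaluates the flat 'N&M' /
'N|M' logical expressions used there, not the full ClamAV syntax."""
import re

# The signature exactly as posted in the report above.
HWORM_LDB = ("Vbs.Malware.Hworm;Engine:51-255,Target:7;0&1;"
             "22706f7374222c22687474703a2f2f22202620686f737428646e73292026222f"
             "222026202269732d73656e64696e6722;"
             "3d20706f737420282269732d7265616479222c696e666f726d6174696f6e29")

def parse_ldb(line):
    """Split 'Name;TDB;LogicalExpr;Sig0;Sig1...' and hex-decode each
    subsignature (plain hex bytes only; wildcards are rejected)."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    for sig in subsigs:
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", sig):
            raise ValueError(f"unsupported subsignature syntax: {sig}")
    return {"name": name, "tdb": tdb, "expr": expr,
            "subsigs": [bytes.fromhex(s) for s in subsigs]}

def format_breakdown(sig):
    """Render the VIRUS NAME / TDB / SUBSIG layout used in the report."""
    out = [f"VIRUS NAME: {sig['name']}", f"TDB: {sig['tdb']}",
           f"LOGICAL EXPRESSION: {sig['expr']}"]
    for i, sub in enumerate(sig["subsigs"]):
        out += [f" * SUBSIG ID {i}", " +-> OFFSET: ANY", " +-> SIGMOD: NONE",
                " +-> DECODED SUBSIGNATURE:", sub.decode("latin-1")]
    return "\n".join(out)

def matches(sig, data):
    """True if the logical expression holds: '&' needs every listed subsig
    present in data, '|' needs any. Single-operator expressions only."""
    hits = {str(i): sub in data for i, sub in enumerate(sig["subsigs"])}
    if "|" in sig["expr"]:
        return any(hits[i] for i in sig["expr"].split("|"))
    return all(hits[i] for i in sig["expr"].split("&"))

# Constructed script fragments standing in for extracted VBS (not real samples).
FULL_RAT = (b'cmd = post ("is-ready",information)\r\n'
            b'oshell.run "post","http://" & host(dns) &"/" & "is-sending"\r\n')
PARTIAL = b'wscript.echo "post","http://" & host(dns) &"/" & "is-sending"\r\n'

if __name__ == "__main__":
    sig = parse_ldb(HWORM_LDB)
    print(format_breakdown(sig))
    print("both strings:", matches(sig, FULL_RAT))  # True: subsigs 0 and 1 hit
    print("one string:", matches(sig, PARTIAL))     # False: 0&1 needs both
```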

recvfrom commented 5 years ago

>>>>>>>>>> Your signature has been reviewed and was approved! It will be published soon as Vbs.Malware.Hworm-6735698-0. Please submit a PR adding contribution to the hall of fame!