Malware Exercise 2015-08-31 – What’s the EK? What’s the payload?

TL;DR Basically this is one of Brad’s typical spot the malware within the PCAP from a drive-by infection. Nothing exciting like the previous one, but still good practice. Unfortunately I did get some of this one wrong (stupid me for not updating Snort rules in Security Onion). Also, one thing to note about this one that threw me for a loop. Trying to export objects in Wireshark did not work for me. I ended up using CapTipper’s “dump” command to export all the objects from the PCAP into a directory. My Results IP address of the Windows computer that was…


Malware Exercise 2015-08-07 – Someone was fooled by a malicious email

Prologue about this and future “Malware Exercise” posts I have been wanting to blog about my experiences playing with malware and trying to figure out how they work, techniques that helped me dissect them, tools that I used, etc… but never really had the chance/time to sit down and do it outside of work. Since Security Researcher Brad Duncan (follow him on Twitter or via his site at Malware Traffic Analysis) has started to do lab exercises for other researchers/analysts I figured that it would be a good way of killing two birds with one stone (doing the exercise and…


Allowed memory size of ‘XXX’ error in Security Onion – Fixed!

So off and on while playing with Security Onion and Squert over the past several months, I have come across the dreaded “PHP Fatal error: Allowed memory size of X bytes exhausted (tried to allocate Y bytes) in /var/www/squert/.inc/callback.php” error when pulling up a full PCAP in either ELSA or Squert. Looking around at different posts via the SO group on Google and on Google itself, I could never “fix” the issue. Most of the time the answer was to do the following: You’ll need to increase the memory_limit setting in php.ini and restart Apache.


15-02-2015 – Sweet Orange infection

So while at work the other day I came across an interesting alert that, thankfully, was not successful. The following is what I got once I got home and was able to run this on my test VM. So let the party begin! The start of the infection chain starts here via this site (which I searched from Google):

hxxp[:]//emmalinebride[.]com/decor/best-ombre-wedding-ideas/&rct=j&frm=1&q=&esrc=s&sa=U&ei=i7zbVLvYHovdatCRgqgF&ved=0CBQQFjAA&usg=AFQjCNEcGHpoa885u50SmO64kUXJ_gUH-Q

Once the page loaded, there was an interesting call on port 8085 as you can see below:

GET /adm/lines.php?norway=3 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://emmalinebride.com/decor/best-ombre-wedding-ideas/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;…


Part 2 of 3 : Nice email – Subject: Employee Documents – Internal Use

As the title suggests, this is the continuation of my investigation into a malicious Dyre email that I received a while back. If you did not see my initial post (and mind you, first blog about malware analysis), then you can find that here. The other thing that I am going to do is use a new tool created by Omri Herscovici called CapTipper. For more information about this tool, check out his page here.


Part 1 of 3 : Nice email – Subject: Employee Documents – Internal Use

So I figured that it is time that I start putting SO (Security Onion) to good use and start trying to find malware to dissect. So I started going through the SPAM/JUNK mail folders in the different email accounts that I have. After checking several emails, I came across the following email:

From: “invoice” <no-replay@invoice.com>
To: <redacted>
Subject: Employee Documents – Internal Use

The email headers for this are as follows:

Delivered-To: redacted
Received: by 10.96.187.137 with SMTP id fs9csp1765471qdc; Wed, 21 Jan 2015 04:48:40 -0800 (PST)
X-Received: by 10.229.102.68 with SMTP id f4mr57827176qco.15.1421844520124; Wed, 21 Jan 2015 04:48:40 -0800…


Security Onion and Elsa issues

So the other day while reviewing alerts in Squert I noticed a lot of alerts triggering for ‘ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack.’ The rule for this is:

alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3;)

This got me thinking why am I just now starting to see this alert after running SO for a couple months now? Looking into the…
