Friday, April 29, 2016

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer.

I Heart Malware!

I love malware, I really do.  And let’s face it, malware gets a really bad rap!  After all, it’s evil, it’s vicious, and no one wants it, right?  Hmmm…that’s funny, cuz I download as much of it as I can!  It fascinates me, almost to the point of getting me in trouble with one of my Supervisors.  Yup.  As it was so delicately explained to me, “Mary Ellen, malware to you is like a needle to an addict.  I can remove the drug but the needle is still stuck in your vein.”  There’s a back-story to that which I won’t bore you with, but it was all in good fun mind you, he was absolutely right-on with his assessment and here's why.  I was way too focused on commodity malware, meanwhile behavioral hunt-work such as lateral movement and looking for good-tools (#Goodware) being used for bad was taking too much of a backseat.  But, I digress.

So why do I enjoy looking at malware so much anyway?  Well, it’s smart enough to sneak through a ton of sensors (like a good pen-tester), and occasionally it’s very well written.  OK, so where am I going with all of this?

I was recently discussing a custom piece of “malware” that a co-worker had written, and as he was describing it to me, my mind was racing to a million different places.  What a cool piece of code!  Most of the a/v engines were calling it malware, but it was really just a cleverly crafted program that wasn’t evil at all. Yes, it stopped a process to inject something then started it back up again, but it didn't do anything malicious per se.

OK, OK, so the hardcore malware entomologists amongst the group could argue that in fact that’s actually not malware to begin with, it’s #goodware…but the end-point solutions are all whacking it due to its “malcode”, so doesn’t that make it malware?  If malware was strictly defined by heuristics, maybe, but that could lead to too many false positives.

What’s my point?  Whatever you want it to be.  If your take-away is simply to think about “good code” vs. “malcode” then maybe that’s beneficial to you.  If you’re now wondering about or reevaluating your current security controls and why those solutions are allowing grayware or adware into your enterprise, then maybe that’s helpful also.  And BTW, what files does your organization currently allow or block?  Do you allow zips?  If so, do you block zips if they're encrypted?  Or, maybe you filter zips by file-type content, like .exe, .js or .scr inside of a zip (of course one could manually change the file extensions to bypass)?  Additionally, are there files that you block as attachments straight-up such as .doc, .docm, .rtf or .xls?

I wrote the above blurb earlier in the week but didn't have a chance to post it, and just today a friend sent me a link to a FAR BETTER post, so check that one out too!

Friday, April 22, 2016

What Language Does Malware Dream In?

PREFACE: I am not an expert on any of the following, I'm merely sharing my ideas and questions, almost stream of conscious style, cuz sometimes when you ask wacky questions, you glean actionable intel. The following is a learn-as-I-go exercise and not definitive data or even perhaps 100% correct, it's simply a work-in-progress that seemed to make sense to release in the wild, all names removed.

The other day a friend hit me up with a link to a video. That friend is someone I completely admire and he's one of the smartest guys I've ever met. I had a ton of meetings that day, so I couldn't immediately put on my Beats and check it out. A few hours later, he IM's me: "Check out that video yet?" "No, but I will." "Best presentation I've ever seen, I'm going to buy every single one of his books!" That was coming from someone who recommends at least one article or video a week, so for him to come back like that, I knew I had to stop what I was doing and make it a top priority. The video ended up being one of the best I’ve seen as well. Right up there with my two long-time favorites: "Lateral Movement" by Harlan Carvey and "Finding Unknown Malware" by Alissa Torres of "Malware can hide but it must run" fame - the audio on "Finding..." has some issues, but I've watched it so many times I've lost track, it's worth putting up with the less than perfect audio. Alissa actually did another presentation that's similar: "Detecting Persistence Mechanisms" but I digress. So, after watching the video that my friend recommended, I had a conversation with him. After our discussion, I began to think about some things... If organizations are only “watching” their netflow for the English language, could they miss something? In other words, if the Chinese, for example, have infiltrated your network, or are attempting to, they may be writing code or binaries that are in Mandarin and using UTF-16 encoded in 16-bits, which would be 2 bytes and currently not easily or (out of the box) detectable by most sensors.

So then I started to think about all the hundreds of malware samples I’ve looked at in the past year-and-a-half, and I can count on one hand the number of them that had a Chinese signature.

I've also seen artifacts of chats from unwanted guests already on networks, in English. So would it also make sense to hunt for very specific Chinese language characters or strings of characters?

Not having all of the answers, and again not being an authority on any of this, I “phoned a friend” and ended up sitting down with two of my favorite Mandarin character experts, which of course led to even more questions :( ...


(1) Speaking only about binaries (not isolated strings or chats), if the binaries are undetected wouldn't they eventually still need (in the end) to convert to Assembly to run, and if so, you'd see them then?

(2) Based on (1) above, should one perhaps just be filtering on binary headers and looking at just the signatures?

(3) Would another approach be to search the binary source code for Chinese language characters?

What I learned was that the language of the binary is “usually” defined by the resource section. You have the locale ID and/or language identifier which tells you the language. For example, Locale 0x0409 is English and 0x0X04 is Chinese (as well as 0x0004, 0x07C04, 0x0404, 0x0804). Or, for example, Lang ID 0x09 is English, 0x0A is Spanish, etc. For YARA it would be something like pe.language(0x09) for English.

One challenge could be if you have employees who are Chinese, or offices in China, unless your searches are very specific, they could result in multiple false positives. And of course my inquiry isn't really just about China, that's merely one example. From there you could expand your character searches to Arabic, French, Korean, Portuguese, Russian etc.
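As an added illustration (my own example, not code from the post), here is a small Python walker over a constructed .rsrc blob: it collects the language IDs from the third level of the PE resource tree, splits each into primary and sub-language the way Windows LANGIDs are laid out, and flags any primary language outside an allow-list, which is the same primary-language idea the YARA pe.language(0x09) call above expresses, and a cheap way to keep legitimate Chinese-language builds out of the false-positive pile. The sample resource section is constructed inline; handing the function a real section's raw bytes is assumed to be done by the caller.

```python
import struct

SUBDIR = 0x80000000  # high bit of OffsetToData: entry points at a sub-directory

def build_sample_rsrc():
    """Constructed .rsrc blob: RT_VERSION(16) -> name 1 -> languages 0x0409 and 0x0804."""
    def directory(entries):
        # IMAGE_RESOURCE_DIRECTORY (16 bytes) followed by IMAGE_RESOURCE_DIRECTORY_ENTRYs
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
        return hdr + b"".join(struct.pack("<II", ident, off) for ident, off in entries)
    root = directory([(16, SUBDIR | 24)])          # type level, ends at offset 24
    names = directory([(1, SUBDIR | 48)])          # name/id level, ends at offset 48
    langs = directory([(0x0409, 80), (0x0804, 96)])  # language level, ends at offset 80
    data = struct.pack("<IIII", 0x3000, 0x100, 0, 0) * 2  # two IMAGE_RESOURCE_DATA_ENTRYs
    return root + names + langs + data

def resource_languages(rsrc, offset=0, depth=0):
    """Walk the three-level tree; entry IDs at depth 2 are the resource language IDs."""
    if depth > 2 or offset + 16 > len(rsrc):
        return []
    n_named, n_id = struct.unpack_from("<HH", rsrc, offset + 12)
    langs = []
    for i in range(n_named + n_id):
        ident, off = struct.unpack_from("<II", rsrc, offset + 16 + 8 * i)
        if off & SUBDIR:
            langs += resource_languages(rsrc, off & 0x7FFFFFFF, depth + 1)
        elif depth == 2:
            langs.append(ident)
    return langs

def split_lcid(lcid):
    """Windows LANGID layout: low 10 bits = primary language, high 6 bits = sub-language."""
    return lcid & 0x3FF, (lcid >> 10) & 0x3F

# Primary language IDs named on the page plus a few more; extend as needed.
PRIMARY = {0x01: "Arabic", 0x04: "Chinese", 0x09: "English", 0x0A: "Spanish",
           0x0C: "French", 0x12: "Korean", 0x16: "Portuguese", 0x19: "Russian"}

def unexpected_languages(rsrc, allowed=(0x09,)):
    """Return primary-language IDs present in the resource tree but not on the allow-list."""
    found = {split_lcid(lcid)[0] for lcid in resource_languages(rsrc)}
    return sorted(p for p in found if p not in allowed)

if __name__ == "__main__":
    blob = build_sample_rsrc()
    for lcid in resource_languages(blob):
        primary, sub = split_lcid(lcid)
        print(f"0x{lcid:04X}: primary 0x{primary:02X} ({PRIMARY.get(primary, '?')}), sub 0x{sub:02X}")
    print("outside allow-list:", [PRIMARY.get(p, hex(p)) for p in unexpected_languages(blob)])
```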

Yet another one of my trusted contacts with whom I often bounce things off of had previously advised me that using a language scheme as an IOC is not going to generate meaningful data, period. So next I sat down with one more person to discuss all of the above, and quite frankly for a sanity check. My takeaways from that meeting were (a) I wasn't crazy, and (b) there's one more possible angle and it's regional based. For example, malware written in VB may be seen as elementary, and frowned upon by a high caliber of threat actor such as Russian, and that generally the more difficult programming languages are more respected among those circles. That doesn't mean that malware written in VB isn't from Russia, for example, but maybe it could help narrow your initial search.

Lastly, a little bird told me that if you're going to find any of the above proactively, before the headlines hit, your answer may lie in hunting for behavioral anomalies, machine learning...and a whole heck of a lot of luck! Because, I was reminded, we have to be lucky all the time, they only have to be lucky once.

Monday, April 11, 2016

Gone Phishing!

Is it just me, or has there been a recent uptick in articles on Phishing?  The following is a presentation I submitted about a year-and-a-half ago in an attempt to be a speaker for one of my favorite cons.  I wasn't picked :(  BUT, in the spirit of "turning lemons into lemonade", I'm going to put the paper out there in the off-chance that others might benefit.  The information is a bit dated, but for someone just learning how to triage a phishing campaign, perhaps it could help.  Enjoy!

Updating this post, cleaning it up a bit, and adding the paper in PDF format.  Also, it's got a malware lab section that may be helpful if you are building your own.

Sunday, February 14, 2016

Got Tools?

I was recently approached about what tools might be good for use in a malware lab, so I created a directory listing of my "Tools" hard drive and then just added a little formatting.  Afterward, I decided that the list I had might be helpful to others who may be building a virtual lab analysis environment for the first time (malware or otherwise), so just in case it's useful to others, I figured I would post it.  The list is by no means exhaustive, and by its nature includes some duplicates, but it does (in my humble opinion) seem to represent a nice blend of both malware analysis and digital forensics tools. Enjoy!

Update: I had a long plane ride after I wrote the above post, and I wanted to address a follow-up question my friend had about building a malware lab.  I may devote an entire post to that down the road, however for now a couple of quick updates.  I was asked which flavor of OS to use, and there are a couple thoughts I have about that...

(1) If you're building the lab for your work environment, and most of your users have a standard image, there is an argument toward using that exact configuration.  That way, when testing a piece of malware, you may have a better sense of how it may behave in your environment.

(2) No matter which OS you choose, if you are using VMWare to detonate malware, make sure you turn OFF memory sharing...just to be safe!

Tuesday, March 11, 2014

Some Links I Follow

Update: I had a request to update my lists below to include links to malware sample repositories.  Just a word of caution to be very careful with any of the links in red.  I also think that one of Lenny Zeltser's pages about malware research samples says it all, and would advise reading his page before using any of the links in red.  I have also added a few more sites to the list, and can continue to do that as I come across additional pages.  Lastly, the OPML file has also been updated, but doesn't include many of the malware sample sites because most of them didn't seem to offer a feed option.

I've been meaning to share the list of links that I follow for a while now.  Below is a link to a spreadsheet that I created which lists separately the HTML URLs from the RSS URLs for sites which I follow.  I also added a link to my Feedly OPML dump.  I figured it would be a nice update to the blog since I don't have very much time to post these days.  Feel free to download and import into your readers, bookmarks, etc.  I have quite a few more that I didn't add because they were links to online sandboxes and/or malware repositories, so they really weren't RSS type links, and I also was a little hesitant about posting links to malware.  I think for the most part the list has been de-duped, so if it looks like there are doubles, you might find that a site simply has more than one feed that it offers, but send me a heads-up if you believe otherwise.  Also, if you would like the full list, contact me and I can send it out or post it.  Enjoy!


Feedly OPML:

Friday, February 28, 2014

Vehicle Cyber Security and Forensics

Update:  Today I had the wonderful pleasure of presenting to some of New York's Finest - the International Association of Financial Crimes Investigators, hosted by the United States Postal Inspection Service.  I updated the slide-deck, and replaced the older one with today's version.  I've also added a few new reference links below.  And a huge shout-out to the gentleman in the audience who enlightened me about RFID tags embedded in tires. Enjoy!

Yesterday I had the great privilege of representing the company I work for, AccessData, and presenting on the topic of “Vehicle Cyber Security and Forensics” to an esteemed audience at the New York-New Jersey Electronic Crimes Task Force.  Afterward, I received some requests to share-out the presentation, which was in fact, the impetus behind my speaking – to contribute to the community.  I double-checked with my employer, and was given a green-light to post our slide deck.  I say “our” because as I mentioned during my talk, the deck would not have been possible without a large contribution from Gloria D’Anna (our partner at Tri-Kar), and Ben LeMere (our partner at Berla Corp).

Also of interest  to the group, may be this breaking news story involving thieves breaking into cars using a mysterious electronic device, sent to me from Sergeant Christopher Then of the Morris County Prosecutor's High Tech Crime Unit, thank you Sir!

My presentation was what I call a bit of a “CliffsNotes” version of what’s been happening in the past 1-2 years with regards to vehicle cyber security and forensics.  The supporting articles are quite numerous, so I have categorized them below, along with their corresponding links.  Additionally, I played three short video snippets during the presentation; they too are listed below with their links.

If you download the PowerPoint deck, I would advise that you view the deck with the “Notes” section turned on, those were my talking points, and otherwise the slides themselves might not make a ton of sense.  I purposely create my presentations that way, so as not to cause anyone “Death By PowerPoint!”  My thinking is that the fewer slides that contain nothing but bullet-points, the better.

Lastly I should add, that below are a ton of links which take you to other Web sites of which I do not necessarily share the same opinion, nor am I responsible for their content.  I believe all of the links below to be clean, but click at your own risk.  Also, you might find that the “Comments” section of the articles add even more information to the topic, albeit keeping in mind their source might not have been vetted.

Video Links:

  • DefCon Forbes Interview

Video Only:

  • Lock and Unlock Remote Hack
  • Senator Markey News Item

Article Links, by category:

  • DefCon Research Related Articles
  • WiFi Research Related Articles
  • Police Cruiser Pen-Test
  • WebTech Plus Wireless Repo
  • On-Board Intelligence Systems and GPS
  • Naval Jet Pen-Test
  • Driverless Safety and Vehicles
  • Lock and Unlock Remotely
  • OBD-II Consumer Products
  • University of California, San Diego Researchers
  • Black Boxes and Senator Markey
  • AutoDownload Markey Full Letter