Friday, April 29, 2016

I Heart Malware!

I love malware, I really do.  And let’s face it, malware gets a really bad rap!  After all, it’s evil, it’s vicious, and no one wants it, right?  Hmmm…that’s funny, cuz I download as much of it as I can!  It fascinates me, almost to the point of getting me in trouble with one of my Supervisors.  Yup.  As it was so delicately explained to me, “Mary Ellen, malware to you is like a needle to an addict.  I can remove the drug but the needle is still stuck in your vein.”  There’s a back-story to that which I won’t bore you with, but it was all in good fun mind you, he was absolutely right-on with his assessment and here's why.  I was way too focused on commodity malware, meanwhile behavioral hunt-work such as lateral movement and looking for good-tools (#Goodware) being used for bad was taking too much of a backseat.  But, I digress.

So why do I enjoy looking at malware so much anyway?  Well, it’s smart enough to sneak through a ton of sensors (like a good pen-tester), and occasionally it’s very well written.  OK, so where am I going with all of this?

I was recently discussing a custom piece of “malware” that a co-worker had written, and as he was describing it to me, my mind was racing to a million different places.  What a cool piece of code!  Most of the a/v engines were calling it malware, but it was really just a cleverly crafted program that wasn’t evil at all. Yes, it stopped a process to inject something then started it back up again, but it didn't do anything malicious per se.

OK, OK, so the hardcore malware entomologists amongst the group could argue that in fact that’s actually not malware to begin with, it’s #goodware…but the end-point solutions are all whacking it due to its “malcode”, so doesn’t that make it malware?  If malware was strictly defined by heuristics, maybe, but that could lead to too many false positives.

What’s my point?  Whatever you want it to be.  If your take-away is simply to think about “good code” vs. “malcode” then maybe that’s beneficial to you.  If you’re now wondering about or reevaluating your current security controls and why those solutions are allowing grayware or adware into your enterprise, then maybe that’s helpful also.  And BTW, what files does your organization currently allow or block?  Do you allow zips?  If so, do you block zips if they're encrypted?  Or, maybe you filter zips by file-type content, like .exe, .js or .scr inside of a zip (of course one could manually change the file extensions to bypass)?  Additionally, are there files that you block as attachments straight-up such as .doc, .docm, .rtf or .xls?

I wrote the above blurb earlier in the week but didn't have a chance to post it, and just today a friend sent me a link to a FAR BETTER post, so check that one out too!

Saturday, April 23, 2016

Nanny Scam

A friend recently told me about a Nanny scam which someone on our block fell prey to.  It was quite scary and could have ended very, very badly but fortunately the person was arrested.  The way it was explained to me, a local female had set up a FaceBook page advertising her services as a nanny.  Then, she set up a few fake pages of supposed "happy" and satisfied clients.  Her fake profiles would display raving reviews about her nanny skills, and she set the whole ring up to look good enough to fool some pretty savvy parents.  Upon being hired, the “nanny” would steal jewelry and cash from the unsuspecting parents.  And let’s be clear here, who really cares about any of the material items this scammer hoisted, SHE WAS IN CHARGE OF THEIR CHILDREN!

Where do I come in?  My friend asked me if I might be able to put together a one-sheet on tips and tricks that parents can do when they are vetting potential nannies.  I have worked in Cyber Security for over ten years and I have also performed Physical Penetration Testing as a contractor for the U.S. government.  Additionally I have presented for the Secret Service and the U.S. Postal Inspection Service.

Feel free to share this document, it’s labeled as TLP:WHITE.

To find out a bit about someone's background there are some free services that may be helpful.  The free versions yield limited amounts of information but you may be able to glean enough to satisfy your questions about someone.  Below are a few:




Sex offenders are required to register where they live:


Do you live in a high-crime area?


Crime Reports - you can peruse these:


A lot of local Police Departments maintain a "blotter" that they post publicly on a community Web site, here's an example:  Also the hyper-local Web site covers a lot of local crime as well as 911 calls.

Search for the photos used in their online profile elsewhere on the Web, which can bring up multiple (fake) persona's and you may even find it's part of other scams.


To find versions of a Website which are no longer active:

o caches a ton of Web sites and freezes certain pages.  For a historical view, check them out:

o    From there, you can view random snapshots back in time:

o    Google caches certain URL's and you can sometimes find an older version of a page that you missed by selecting the "Cached" page from a Google search:

o    Also, and have archives of older Web pages.

In researching this topic, I came across an interesting link from the FTC, warning about a different type of nanny scam.

Plessas Experts Network, Inc. publishes an amazing one-sheet on gathering information for security research purposes.  They also offer professional services which I have heard really great things about.

Lastly, Michael Bazzell is one of the best resources for background information or privacy concerns.  If you think you have a situation on your hands that needs expert attention, Michael Bazzell is at:  If you need help, reach out, you are not alone!

Friday, April 22, 2016

What Language Does Malware Dream In?

PREFACE: I am not an expert on any of the following, I'm merely sharing my ideas and questions, almost stream of conscious style, cuz sometimes when you ask wacky questions, you glean actionable intel. The following is a learn-as-I-go exercise and not definitive data or even perhaps 100% correct, it's simply a work-in-progress that seemed to make sense to release in the wild, all names removed.

The other day a friend hit me up with a link to a video. That friend is someone I completely admire and he's one of the smartest guys I've ever met. I had a ton of meetings that day, so I couldn't immediately put on my Beats and check it out. A few hours later, he IM's me: "Check out that video yet?" "No, but I will." "Best presentation I've ever seen, I'm going to buy every single one of his books!" That was coming from someone who recommends at least one article or video a week, so for him to come back like that, I knew I had to stop what I was doing and make it a top priority. The video ended up being one of the best I’ve seen as well. Right up there with my two long-time favorites: "Lateral Movement" by Harlan Carvey and "Finding Unknown Malware" by Alissa Torres of "Malware can hide but it must run" fame - the audio on "Finding..." has some issues, but I've watched it so many times I've lost track, it's worth putting up with the less than perfect audio. Alissa actually did another presentation that's similar: "Detecting Persistence Mechanisms" but I digress. So, after watching the video that my friend recommended, I had a conversation with him. After our discussion, I began to think about some things... If organizations are only “watching” their netflow for the English language, could they miss something? In other words, if the Chinese, for example, have infiltrated your network, or are attempting to, they may be writing code or binaries that are in Mandarin and using UTF-16 encoded in 16-bits, which would be 2 bytes and currently not easily or (out of the box) detectable by most sensors.

So then I started to think about all the hundreds of malware samples I’ve looked at in the past year-and-a-half, and I can count on one hand the number of them that had a Chinese signature.

I've also seen artifacts of chats from unwanted guests already on networks, in English. So would it also make sense to hunt for very specific Chinese language characters or strings of characters?

Not having all of the answers, and again not being an authority on any of this, I “phoned a friend” and ended up sitting down with two of my favorite Mandarin character experts, which of course led to even more questions :( ...


(1) Speaking only about binaries (not isolated strings or chats), if the binaries are undetected wouldn't they eventually still need (in the end) to convert to Assembly to run, and if so, you'd see them then?

(2) Based on (1) above, should one perhaps just be filtering on binary headers and looking at just the signatures?

(3) Would another approach be to search the binary source code for Chinese language characters?

What I learned was that the language of the binary is “usually” defined by the resource section. You have the locale ID and/or language identifier which tells you the language. For example Locale 0x0409 is English, 0x0X04 is Chinese (as well 0x0004, 0x07C04, 0x0404, 0x0804). Or, for example, Lang ID 0x09 is English, 0x0A is Spanish etc. For YARA it would be something like pe.language(0x09) for English.
Other codes:

One challenge could be if you have employees who are Chinese, or offices in China, unless your searches are very specific, they could result in multiple false positives. And of course my inquiry isn't really just about China, that's merely one example. From there you could expand your character searches to Arabic, French, Korean, Portuguese, Russian etc.

Yet another one of my trusted contacts with whom I often bounce things off of had previously advised me that using a language scheme as an IOC is not going to generate meaningful data, period. So next I sat down with one more person to discuss all of the above, and quite frankly for a sanity check. My takeaways from that meeting were (a) I wasn't crazy, and (b) there's one more possible angle and it's regional based. For example, malware written in VB may be seen as elementary, and frowned upon by a high caliber of threat actor such as Russian, and that generally the more difficult programming languages are more respected among those circles. That doesn't mean that malware written in VB isn't from Russia, for example, but maybe it could help narrow your initial search.

Lastly, a little bird told me that if you're going to find any of the above proactively, before the headlines hit, your answer may lie in hunting for behavioral anomalies, machine learning,,,and a whole heck of a lot of luck! Because, I was reminded, we have to be lucky all the time, they only have to be lucky once.

Monday, April 11, 2016

Gone Phishing!

Is it just me, or has there been a recent uptick in articles on Phishing?  The following is a presentation I submitted about a year-and-a-half-ago in an attempt to be a speaker for one of my favorite consI wasn't picked :(  BUT, in the spirit of "turning lemons into lemonade", I'm going to put the paper out there in the off-chance that others might benefit.  The information is a bit dated, but for someone just learning how to triage a phishing campaign, perhaps it could help.  Enjoy!

Updating this post, cleaning it up a bit, and adding the paper in PDF format: - Also it's got a malware lab section that may be helpful if you are building your own.