[How To] Scanning for Malware

Discussion in 'GzP Help Files' started by r2k, Dec 13, 2009.

Thread Status:
Not open for further replies.
  1. r2k

    r2k Retired Staff Member GzP Underground

    Want to keep your PC safe? Then, unfortunately, running an AV (even one with a solid heuristics scan) is simply not enough when running questionable content - e.g. game hacks, cracks, etc.

    This thread will give you a very basic outline of reverse engineering, only to determine if a file is valid or invalid.

    Table of Contents:
    Post #2 - CampStaff's Guide to Malware detection.
    Post #3 - A good arsenal against malware (compiled by XTZGZorex)

    Extra reading:
    http://www.gamerzplanet.net/forums/...-x86-assembly-and-debugging-windows-apps.html
    http://www.gamerzplanet.net/forums/c-c-c/321658-game-cheats-102-a.html

    Notes:
    You don't need to be a genius to recognize malware. A great starting point (and the route I always take) is to throw the file in IDA and flick through the imports and then the strings (shift+f12). If you have (even mediocre) understanding of programming (and the win32 api), you'll be able to spot suspicious files fairly easily. Feel free to add any additional information here. I will remove any unnecessary posts.
     
    Last edited: Dec 13, 2009
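As an added illustration of the imports-and-strings triage described in the notes above (example code written for this edit, not code from the original post): a small Python script that pulls printable strings out of a file the way IDA's Shift+F12 strings window or `strings` does, then flags Win32 API names and hostnames worth looking up on MSDN. The binary bytes are a constructed sample, and the API list is a starting set, not a complete one.

```python
import re

# Win32 API names that commonly appear in droppers and info-stealers. Seeing one
# proves nothing by itself; it is a cue to look the function up on MSDN.
SUSPICIOUS_APIS = {
    "InternetOpenA": "initialises WinINet",
    "InternetConnectA": "opens an HTTP/FTP session to a server",
    "FtpPutFileA": "uploads a local file over FTP",
    "URLDownloadToFileA": "downloads a file from a URL",
    "CreateRemoteThread": "runs code inside another process",
    "WriteProcessMemory": "writes into another process's memory",
    "SetWindowsHookExA": "installs a hook (classic keylogger technique)",
    "GetAsyncKeyState": "polls keyboard state (classic keylogger technique)",
    "DeleteFileA": "removes files (cleanup of dropped payloads)",
}
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
FILE_EXTS = {"dll", "exe", "dat", "sys", "tmp"}  # dotted names that are files, not hosts

def extract_strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs of at least min_len bytes, like `strings` or IDA's Shift+F12 view."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes):
    """Sort a binary's strings into suspicious API names, hostnames and a count of the rest."""
    found = extract_strings(data)
    apis = {s: SUSPICIOUS_APIS[s] for s in found if s in SUSPICIOUS_APIS}
    hosts = sorted({s for s in found
                    if HOST_RE.match(s) and s.rsplit(".", 1)[-1].lower() not in FILE_EXTS})
    return {"apis": apis, "hosts": hosts, "total_strings": len(found)}

# Constructed sample: a fake PE-like blob with an import-name region and a config region.
# The hostname and .dat name are the ones quoted in this thread's sandbox report.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"KERNEL32.dll\x00DeleteFileA\x00CreateFileA\x00"
          + b"WININET.dll\x00InternetOpenA\x00InternetConnectA\x00FtpPutFileA\x00"
          + b"\x00\x01\x02deadverb.freehostia.com\x00u16event.dat\x00")

if __name__ == "__main__":
    report = triage(SAMPLE)
    for api, why in report["apis"].items():
        print(f"{api:20} {why}")
    print("hosts:", report["hosts"], "| strings:", report["total_strings"])
```

Run it against a real sample by replacing SAMPLE with the file's bytes; a benign program will rarely combine WinINet upload calls with a bare hostname in its strings.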
  2. r2k

    r2k Retired Staff Member GzP Underground

    We will need:
    1. MSDN knowledge. This is essential. Simply use the MSDN knowledge base to see what functions do what.
    2. Browser. Firefox is best used.
    3. Wireshark. Google it and download it; it will help later.
    4. Antivirus program. AntiVir is best to use, and it's free.
    5. FTP program. With Firefox, we have a built-in FTP client if we use the FireFTP plugin.
    We will use our browser to access three sites to start with our trojan analysis.
    http://www.novirusthanks.org/ - Provides excellent antivirus detections, but also shows the ASCII strings each file contains (function knowledge is required to know what does what)
    http://www.sunbeltsecurity.com/ - Provides a good online sandbox
    http://www.joebox.org/ - Provides an unprecedented online sandbox

    We download our cheat, being careful not to click on it or doing anything to activate it.
    Uploading to joebox we get the following TCP/UDP/ICMP/DNS information.
    ftp://data:joebox@analysis.joebox.org/2688/temp/comp/

    Looking below we see a portion of that info.
    Code:
    Aug 27, 2009 04:17:18              192.168.0.255:1052     66.40.52.62:21     tcp
     Aug 27, 2009 04:17:18              66.40.52.62:21     192.168.0.255:1052      tcp
    The above information is as follows: Date, Time, IP (192.168.0.255 is my ip ), protocol.

    We see on the first line that my pc is sending data to 66.40.52.62 on port 21 ( usually FTP ) using the TCP Protocol. The next line shows that that same IP is sending data back on the same FTP port to my pc on port 1052 using TCP Protocol.
    We need to find what the other ip is. If we put it in a browser we get a blank page. So we need something called a PCAP to show us the DNS information. Joebox gives us this DNS information directly, on the analysis.
    ftp://data:joebox@analysis.joebox.org/2688/run0/pcap/

    Open the pcap file in Wireshark (alternately, run Wireshark to see what data flows from your PC to other computers/servers). Learn about network data streams online, learn what protocols do what. I.e., TCP using port 21 usually means it's utilizing FTP.
    Our first two lines show the DNS information. The infected computer asks the name server what/where 66.40.52.62 is. The response is:
    Code:
     Standard query A deadverb.freehostia.com
    Using FireFTP (or any FTP program) we now can add the first piece of the puzzle, the hostname. Going down the pcap file, we look at line 7:
    Code:
    7    1.182661    192.168.0.255    66.40.52.62    FTP    Request: USER vispet
    We've found the trojanner's FTP username. Add that info to our FTP program. One more piece left. Check line 10.
    Code:
    10    1.364978    192.168.0.255      66.40.52.62    FTP    Request: PASS 2629342
    Well, we now have all the necessary information to access the trojanner's server and see what he's collected. But for this tutorial, I will move on to the second link, for educational sandbox purposes.
    http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9646121&cs=E0179E8DCFDA3729340822D9F4818E11

    We begin our analysis using the above link. The exe spawns three processes, which in turn spawn yet another three processes.
    The second of the first set of processes spawned begins the stolen information gathering.
    Code:
    Created Files...
        File: C:\Documents and Settings\Jim\Local Settings\Temp\program.exe
        File Type: file
        Source File Hash: 1419D3AB0044BBA7C2F611206DAB880094716CC7
        Creation/Distribution: CREATE_ALWAYS
        Desired Access: FILE_ANY_ACCESS
        Share Access: FILE_SHARE_READ FILE_SHARE_WRITE
        Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
        Stored as: 3125d7f49da6394922e6d6001b25901f.exe

        File: C:\Documents and Settings\Jim\Local Settings\Temp\u16event.dat
        File Type: file
        Source File Hash: hash_error
        Creation/Distribution: CREATE_ALWAYS
        Desired Access: FILE_ANY_ACCESS
        Share Access: FILE_SHARE_READ FILE_SHARE_WRITE
        Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
        Stored as: 9543eebb06ce76c048a0243635e47dc9.dat
      
    A dat file is created.
    Code:
    Deleted Files...
        File: C:\Documents and Settings\Jim\Local Settings\Temp\u16event.dat
        File Type: file
        Source File Hash: hash_error
        Desired Access: FILE_ANY_ACCESS
        Flags: SECURITY_ANONYMOUS

    It then gets deleted so as not to add new files and alert the infected user of its activity.
    Code:
    Com Section...
        Create Instance:
            InProcServer32: C:\WINDOWS\system32\ieframe.dll
            Interface ID: {000214E6-0000-0000-C000-000000000046}
        Com Get Class Object
            InProcServer32: C:\WINDOWS\system32\urlmon.dll
            Interface ID: {00000001-0000-0000-C000-000000000046}

    An InprocServer32 is then registered, allowing the data collected to begin to move from the infected computer to the trojanner's server/home PC.
    Code:
    Connections
        Server: deadverb.freehostia.com
        Service: INTERNET_SERVICE_FTP
        Successful: 1
        Api-Function: InternetConnectA

    This Trojan then connects to a free host.
    Code:
    Outgoing Connections
        FTP Data
            User Name vispet
            Password 2629342
            Passive Mode 1
            Remote Data Port 53860
            Login Successful 1
        Plain Communication Data

    And passes the proper information to the free FTP server. A username and password are needed for this trojan to finish transferring the collected data from the infected computer to the trojanner's server/home PC.
    Code:
    Transport Protocol: TCP
               Remote Address: 66.40.52.62
               Remote Port: 21
               Protocol: FTP
               Connection Established: 1
               Socket: 1940
    
    Here we show that it's making a TCP connection from the trojanner's server IP, on which port and with what protocol: FTP.
    We will now delete the collected data from this particular trojanner.
    Here is the virus scan information.
    The reason we use novirusthanks.org is because of this:
    Clicking the link shows what strings this file contains. Many will be gibberish. But others will be complete words you will be able to understand. Many of those will be what we call functions. This is where the MSDN library comes into play. Without knowledge of what each function does, it will be like looking at a foreign language; computer language. Take time and go through trojan files, locate the ASCII strings and follow the names into the MSDN Library.
    There's a lot more that I could/would write... but it's late and I must get up early tomorrow. I may show in another post how to disassemble without websites, and how to check what files are valid using a standalone sandbox (such as Sandboxie or VMware).
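As an added example for the pcap walkthrough above (written for this edit, not part of the original post): detection logic that reads Wireshark-style summary lines, pairs the DNS lookup with the FTP session that follows it, and reports any server the infected host logged into with credentials sent in the clear. The log lines are constructed to mirror the ones quoted in the post; the local IP is an assumed parameter, and the password value is noted as present but not reported.

```python
import re
from collections import defaultdict

# Constructed sample in Wireshark summary form (No., Time, Source, Destination, Protocol, Info),
# modelled on the pcap lines quoted in this post; 192.168.0.255 plays the infected host.
SAMPLE_PCAP = """\
1    0.000000    192.168.0.255    192.168.0.1      DNS    Standard query A deadverb.freehostia.com
2    0.051233    192.168.0.1      192.168.0.255    DNS    Standard query response A 66.40.52.62
5    1.101002    192.168.0.255    66.40.52.62      TCP    1052 > 21 [SYN]
7    1.182661    192.168.0.255    66.40.52.62      FTP    Request: USER vispet
8    1.200113    66.40.52.62      192.168.0.255    FTP    Response: 331 Password required
10   1.364978    192.168.0.255    66.40.52.62      FTP    Request: PASS 2629342
11   1.400200    66.40.52.62      192.168.0.255    FTP    Response: 230 Login successful
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse(text):
    """Turn summary lines into dicts; lines that do not fit the column layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            no, _t, src, dst, proto, info = m.groups()
            rows.append({"no": int(no), "src": src, "dst": dst, "proto": proto, "info": info.strip()})
    return rows

def find_cleartext_ftp_logins(text, local_ip):
    """Map each FTP server IP to the hostname it was resolved from, the USER sent,
    whether a PASS command was seen in the clear, and whether the server answered 230."""
    dns, pending = {}, None                      # resolved IP -> queried name
    sessions = defaultdict(lambda: {"host": None, "user": None, "password_seen": False, "login_ok": False})
    for r in parse(text):
        if r["proto"] == "DNS" and "Standard query A" in r["info"]:
            pending = r["info"].split()[-1]      # remember the name being asked for
        elif r["proto"] == "DNS" and "response" in r["info"] and pending:
            dns[r["info"].split()[-1]] = pending # answer IP belongs to that name
        elif r["proto"] == "FTP" and r["src"] == local_ip:
            s = sessions[r["dst"]]
            s["host"] = dns.get(r["dst"])
            if r["info"].startswith("Request: USER "):
                s["user"] = r["info"].split(" ", 2)[2]
            elif r["info"].startswith("Request: PASS "):
                s["password_seen"] = True        # the secret itself is deliberately not kept
        elif r["proto"] == "FTP" and r["dst"] == local_ip and r["info"].startswith("Response: 230"):
            sessions[r["src"]]["login_ok"] = True
    return {ip: s for ip, s in sessions.items() if s["password_seen"]}

if __name__ == "__main__":
    for ip, s in find_cleartext_ftp_logins(SAMPLE_PCAP, "192.168.0.255").items():
        print(f"{ip} ({s['host']}): user={s['user']} login_ok={s['login_ok']}")
```

The same function works on a real capture exported from Wireshark with File > Export Packet Dissections > As Plain Text (summary lines only).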

     
  3. r2k

    r2k Retired Staff Member GzP Underground

    The following is a list of programs useful for reverse engineering (and, in turn, useful for detecting malware better than your AV can):

    * .NET DeObfuscator
    * BlackMagic
    * Bochs
    * Cain & Abel
    * Cavaj
    * CFF Explorer
    * Cheat Engine
    * CHimpREC
    * Detours Express
    * Dile
    * GUnPacker
    * Hash & Crypto Detector
    * Hex Workshop
    * IDA Plugins
    * IDA Pro Advanced
    * IDA Scripts
    * ImpREC
    * JDO
    * OllyDbg (1.10 and 2.00k)
    * oSpy
    * PE Explorer
    * PEBrowse
    * PEiD (with plugins)
    * Protection ID (PiD)
    * radare
    * RebelDotNET
    * RecStudio
    * Reflector .NET
    * ResHacker
    * RTA
    * Sandboxie
    * SnD Reverser Tool
    * SoftICE
    * The aPE
    * VirtualBox
    * WinDbg
    * Wireshark
    * XN Resource Editor

    Some of these are free/shareware, others are not. I'm sure you can find them in a corner of the internet.
     
  4. Coded

    Coded

    Was I supposed to connect to Joebox's FTP or just use the web's submit function?
     
  5. azrielvon

    azrielvon Retired Staff Member

    Can someone explain how you can find malware with CE when you don't even know what hit you?
     
  6. viryoulent

    viryoulent

    Great post, fixed my laptop thanks!
     