Tuesday, 12 May 2015


rule PoS_Malware_RawPOS2015_service : RawPOS2015_service
{
    meta:
        author = "Trend Micro, Inc."
        date = "2015-03-10"
        description = "Used to detect RawPOS RAM service, including 2015 sample set"
        sample_filetype = "exe"

    strings:
        $string0 = "OpenService failed -%s"
        $string1 = "OpenSCManager failed -%s"
        $string2 = "Unable to install %s -%s"
        $string3 = "File already exists"
        $string4 = "Stopping %s."
        $string5 = "This may take several seconds.  Please wait."
        $string6 = "%s failed to stop."
        $string7 = "%s removed."
        $string8 = "Debugging %s."
        $string9 = "Could not create registery key"
        $string10 = "\\\\.\\pipe\\susrv"
        $string11 = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\%s"

    condition:
        all of ($string*)
}

Thursday, 7 May 2015

Sandbox Evasion

User interaction combo detection
In the latest Tinba sample, we found that it had adopted an evasion technique where it checks for mouse movement using the GetCursorPos API. Additionally, its author has introduced a new way to detect sandboxes using the GetForegroundWindow API, which lets the malware check which window the user is currently working in.

An automated sandbox system typically stays in the same window, which may be the desktop from which the malware was executed. The malware takes advantage of this by comparing the values returned by two consecutive calls to the GetForegroundWindow API. There is an interval of a couple of seconds between the two calls, long enough for a real user to have interacted with the window. If the sample is executed in a sandbox environment, both GetForegroundWindow calls will always return the same value, indicating that the active window has not changed since the sample was executed. In this case, the code keeps looping and only executes the main routine once the active window has changed and the mouse cursor has moved.
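As an added example (not from the Trend Micro write-up or any Tinba sample), the following Python script scores a constructed sandbox API-call trace for the poll-until-change pattern described above: repeated GetForegroundWindow and GetCursorPos calls, a couple of seconds apart, that keep returning identical values. The trace format, the one-second minimum gap and the threshold of three stalled polls are assumptions.

```python
import re

# Constructed sandbox API-call trace (not real Tinba output); one call per line:
#   "<seconds> <api>(<args>) -> <return value>"
TRACE = """\
0.000 GetCursorPos() -> (512,384)
0.001 GetForegroundWindow() -> 0x000A0B2C
2.003 GetForegroundWindow() -> 0x000A0B2C
2.004 GetCursorPos() -> (512,384)
4.006 GetForegroundWindow() -> 0x000A0B2C
4.007 GetCursorPos() -> (512,384)
6.009 GetForegroundWindow() -> 0x000A0B2C
6.010 GetCursorPos() -> (512,384)
"""

LINE_RE = re.compile(r"^(?P<t>\d+\.\d+)\s+(?P<api>\w+)\(.*?\)\s+->\s+(?P<ret>\S+)$")


def parse_trace(text):
    """Return (time, api, return_value) tuples; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((float(m.group("t")), m.group("api"), m.group("ret")))
    return calls


def stalled_polls(calls, api, min_gap=1.0):
    """Count consecutive calls to `api` that are at least `min_gap` seconds apart
    and return the same value: the signature of a wait-for-user-activity loop."""
    prev = None
    stalled = 0
    for t, name, ret in calls:
        if name != api:
            continue
        if prev is not None and t - prev[0] >= min_gap and ret == prev[1]:
            stalled += 1
        prev = (t, ret)
    return stalled


def detect_user_interaction_stall(text, threshold=3):
    """Flag a trace when both the foreground window and the cursor position
    stay unchanged across `threshold` or more spaced-out polls."""
    calls = parse_trace(text)
    fg, cur = stalled_polls(calls, "GetForegroundWindow"), stalled_polls(calls, "GetCursorPos")
    return {"foreground_stalls": fg, "cursor_stalls": cur,
            "suspicious": fg >= threshold and cur >= threshold}


if __name__ == "__main__":
    print(detect_user_interaction_stall(TRACE))
```

A sandbox that switches the foreground window and moves the cursor between polls drives both counters to zero, which is exactly the user activity the evasion relies on being absent.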

Tuesday, 5 May 2015

Mumblehard YARA Rule

rule mumblehard_packer
{
    meta:
        // the description string is cut off in the source page
        description = "Mumblehard i386 assembly code responsible for decrypting Perl"
        author = "Marc-Etienne M.Léveillé"
        date = "2015-04-07"
        reference = "http://www.welivesecurity.com"
        version = "1"

    strings:
        $decrypt = { 31 db [1-10] ba ?? 00 00 00 [0-6] (56 5f | 89 F7)
                     39 d3 75 13 81 fa ?? 00 00 00 75 02 31 d2 81 c2 ?? 00 00
                     00 31 db 43 ac 30 d8 aa 43 e2 e2 }

    condition:
        // the condition is missing from the source page; the rule defines a single string
        $decrypt
}