MalwareMutexChecker
This project is on a hiatus of indeterminate length.
I am currently working on an application that, at this time, I have uncreatively named MalwareMutexChecker. Basically, I am building it with the following two functions in mind:
1.) A Yara-like scanner. Not sure if I will be putting the "definitions" in a definition file that can be manually/automatically updated or hardcoding them into each version, but basically the application will run, try to create various known mutexes on the system and, whenever a create call reports that the mutex already exists (in .NET the createdNew flag comes back false; the underlying CreateMutex call does not fail on an existing name, it just sets ERROR_ALREADY_EXISTS), report that and list the malware families known to create said mutex. Would be helpful as a quick addition to a toolkit, though it probably wouldn't find anything another scanner hasn't already found. I am not aware of how the various anti-malware engines handle mutexes.
2.) A more precise tool that lets the user specify a mutex name. The application will try to create said mutex and, if it already exists, will let the user know. Could be used if you already suspect a certain family of malware on your system and want to quickly check for the known mutexes that family creates.
The functionality part is easy. The .NET framework makes opening mutexes in C# easy. See the demo:
1.) As a random example, the article here details that KRIPTOVOR checks for a mutex named gordon to see if it has already infected a machine. Let's check for that mutex, shall we?
2.) First, just running the application without any prior modification of the system; here are the results:
3.) Clearly, there is no mutex named gordon on this machine. But that doesn't help our test, so read on!
4.) I wrote a small application that creates a mutex and holds it until the process is forcefully terminated. This way, I don't have to infect my machine with KRIPTOVOR just for this demo. After running it, let's see what MalwareMutexChecker says:
5.) Now we can see that the mutex gordon exists on this system. That is a strong indicator that KRIPTOVOR has infected it, but only an indicator: any process can create a mutex of that name (the small test program above just did), and other families may reuse the same name. If you don't believe the application and want to check manually, run Winobj or Objdir and browse to "Sessions">"{Session_No}">"BaseNamedObjects", which holds the session-local object namespace; you should see a listing for a mutant named gordon. A mutex created with the Global\ prefix would appear under the root "BaseNamedObjects" directory instead.
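For readers who want to try the demo above themselves, here is an added example in C# that is not the MalwareMutexChecker code from this post. It covers both planned modes (scan a definition table, or check one user-supplied name) and a --hold mode that plays the role of the "small application that creates a mutex and holds it". Two details differ from the description above: it opens the mutex rather than creating it, because creating the name would itself plant an infection marker on the host, and it probes both the session-local and the Global\ namespace, since a mutex created by a service or by another logged-on user would otherwise be missed. The definition table is constructed for the example; only the gordon/KRIPTOVOR entry comes from the article cited above, and the command-line switches are assumptions.

```csharp
// Added example, not the page's own MalwareMutexChecker code.
// Build: csc MutexProbe.cs   (any .NET Framework or .NET SDK on Windows)
using System;
using System.Collections.Generic;
using System.Threading;

class MutexProbe
{
    // Constructed sample definition table (hypothetical). Only the
    // "gordon" -> KRIPTOVOR entry is taken from the article cited on the page.
    static readonly Dictionary<string, string[]> Definitions =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "gordon", new[] { "KRIPTOVOR" } },
        };

    // Object-manager names are case-sensitive. A bare name lands in the
    // caller's session namespace (Local\), so a mutex made by a service or
    // another user's session is only visible to us if it used Global\.
    static readonly string[] Prefixes = { "Local\\", "Global\\" };

    // Open, never create: creating the name would plant an infection marker
    // and could change how the real malware behaves on this host.
    static bool Exists(string fullName)
    {
        try
        {
            using (Mutex.OpenExisting(fullName)) { return true; }
        }
        catch (WaitHandleCannotBeOpenedException)
        {
            return false;   // no object of that name in that namespace
        }
        catch (UnauthorizedAccessException)
        {
            return true;    // it exists, but our token may not open it
        }
    }

    // Every namespace-qualified form under which `name` was found.
    static List<string> Probe(string name)
    {
        var hits = new List<string>();
        foreach (var p in Prefixes)
            if (Exists(p + name)) hits.Add(p + name);
        return hits;
    }

    // Stand-in for an infected host: create the mutex and keep the handle
    // open until Enter is pressed. Run this in a second console.
    static void Hold(string name)
    {
        bool createdNew;
        using (var m = new Mutex(false, name, out createdNew))
        {
            // CreateMutex does not fail on an existing name; createdNew tells us.
            Console.WriteLine(createdNew ? "Created " + name : name + " already existed");
            Console.WriteLine("Holding " + name + "; press Enter to release.");
            Console.ReadLine();
        }
    }

    static int Main(string[] args)
    {
        // Assumed switches: --hold NAME, --check NAME, or no args to scan the table.
        if (args.Length == 2 && args[0] == "--hold") { Hold(args[1]); return 0; }

        IEnumerable<string> names = (args.Length == 2 && args[0] == "--check")
            ? new[] { args[1] } : (IEnumerable<string>)Definitions.Keys;

        int found = 0;
        foreach (var n in names)
        {
            var hits = Probe(n);
            if (hits.Count == 0) { Console.WriteLine("[-] " + n + ": not present"); continue; }
            found++;
            string families = Definitions.ContainsKey(n)
                ? string.Join(", ", Definitions[n]) : "(user-supplied name)";
            Console.WriteLine("[+] " + string.Join(", ", hits)
                + " exists; families known to use it: " + families);
        }
        return found == 0 ? 0 : 1;   // non-zero exit when any indicator was hit
    }
}
```

To reproduce the walkthrough: run `MutexProbe.exe` (expect "[-] gordon: not present"), start `MutexProbe.exe --hold gordon` in a second console, then run `MutexProbe.exe` or `MutexProbe.exe --check gordon` again and expect a hit on Local\gordon. The held mutex is the one you will find under "Sessions">"{Session_No}">"BaseNamedObjects" in Winobj; `--hold Global\gordon` puts it in the root BaseNamedObjects directory instead, which is the case the Global\ probe exists for. The unauthorized-access branch matters in practice: a mutex created by a higher-integrity process with a restrictive DACL still reveals its presence through that exception.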
Right now, the actual application part works and is easy to code. I have two main concerns on my end:
1.) Would remediators see themselves using this? Is it something they would ask a user to run on a system and then provide them with the output? For anybody interested in forensic analysis, could they see themselves using this tool to quickly enumerate through obviously malicious mutexes on a system?
2.) How to source mutexes? I have been manually going through each family that I encounter at a time and pulling the mutexes from Malwr/VirusTotal. That is obviously inefficient. The MAEC project looks promising, but is still in development stages.
This is by no means something I intend to replace any tool/be heralded as the savior of malware cleaning. It is mainly a personal project of mine that I became interested in after reading some articles online, which I have linked below.
Note: I am aware that some malware uses system mutexes, like ShimCacheMutex and RasPbFile. I would not include these in any definitions. I am also aware that some malware, like the CryptoWall family, uses 32-bit serialized mutexes, and thus can't really be checked for, unless I code the application to be suspicious of any mutex of a certain length. Definitely a possibility.
Links:
Contemplating Malware Immunization via Infection Markers
Looking at Mutex Objects for Malware Discovery and Indicators of Compromise
Mutexes, part one: The Canary in the Coal Mine and Discovering New Families of Malware
Mutexes, part two: Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory
Faudis
This project is on a hiatus of indeterminate length.
Faudis is a personal project of mine. It is infostealing malware. I am attempting to write a piece of malware that will only ever be used in my lab and in select participants' labs. The only purpose of this project is to get a feel for what it is like to write malware, from planning, to selecting a language, performing obfuscation and packing, testing it against different AV engines, deployment, etc., etc., etc. I am still in the planning stages at the moment, but I plan to begin actual coding work very soon. Once it is finished, I may ask for participants in testing. We'll address that when the time comes. Check back for updates!
NePrEnEx
NePrEnEx (Network Printer Enumeration & Exploitation) is a project of mine that I conceived after working at a major printer manufacturer. It is inspired by many different penetration testing tools, and the work of researchers such as Foofus; see some of their work here and here.
I intend for this tool to combine subnet scanning, fingerprinting, and vulnerability scanning into one helpful interface. From there, script-based or automated exploitation should be able to take place.
This project is still very much in the planning stage. I haven't selected a language yet, but I am leaning towards Ruby for possible submission to Metasploit. Check back for updates, but note that this is not my highest priority project.
Rules, IOCs, etc., etc., etc.
I intend to upload any Snort/Yara rules and IOCs (Indicators of Compromise) that I craft during my research to this section. I firmly believe in intelligence sharing, and I want to do my part to contribute. Expect this section to grow in the coming days.
Yara Rules
Snort Rules
Come back soon!