Tuesday, June 26, 2012

APT and Incident Response

State sponsored cyber espionage attacks are both the least understood and most difficult issues to deal with within an enterprise. We've dealt with several situations where internal IT or even externally contracted security companies failed to mitigate an APT compromise situation. Fighting an APT actor is an ongoing intelligence game, simply playing whack-a-mole removing compromised systems from a network is like treating the symptoms of the problem, but not the root cause, persistence.

Phases of state sponsored intrusions:

  • Stage 0 - Initial attacks - email attachments or links - PDF/MS Office, disguised executables (password protected archives, right to left shift etc), SQLI, web apps, seeded websites/ads
  • Stage 1 - Basic implants - initial recon and assessment
  • Stage 2 - Better implants - exfiltration, multiple backdoors, remote shell, RDP, domain controllers/password hashes exfiltrated
  • Stage 3 - Network persistence - legitimate access as admin, passive backdoors usually not resolving to an external IP, extra accounts added or limited users granted admin


  • User education - do not click links or open attachments that were unexpected, report them.
  • Patching - Apps like Reader, Flash Player, Office as well as OS.
  • Compartmentalization - isolate servers such as domain controllers from the internet except for updates. Outsource external apps and web sites outside the trusted network. Don't reuse local admin passwords on multiple machines.
  • Log everything. Successful DNS, outgoing web activity, workstation RDP login username and remote IP/system name. 
  • Limit damage. Review logs and audit internal administrative use, keep sensitive data offline.


  • Detect stage 1 attacks in email attachments, run malware samples in a sandbox and extract malware domains to feed into DNS monitoring, gather signatures for the beacon format.
  • Monitor DNS for unusual activity - like domains resolving to localhost or placeholder IPs like,, Gmail, Hotmail, Microsoft etc. 
  • Monitor network activity for malware beacon formats from the attacks you're receiving or flag any unusual user-agent string that is not your corporate standard.
  • Don't react to stage 2 compromises immediately. If you can't find the malware entry point on a system, do not react too early.


Once a state threat actor has administrative control of a network, options become limited. Simply detecting infected systems and removing them will quickly become a costly time consuming losing battle. Remediation must be an enterprise wide initiative, a coordinated password reset, and rebuild of domain controllers, and compromised servers or workstations. Local administrative passwords need to be unique if used. Logging of all remote access, logins, DNS queries, web activity, and net flow will allow a better understanding in future events.

How Malware Tracker Supports Fighting State Threats:

  • Use PDFExaminer and Cryptam to detect the initial signs of APT threats in email attachments. Commercial AV will normally detect less than 20% of document format malware.
  • Use Cryptam to extract encrypted embedded executables from the attachments to run in a Sandbox to extract domain names, IPs, and beacon characteristics rather than needing a complex set of Sandboxes with different vulnerable application versions.
  • Dectect the root cause, the initial malware attachment vector when your organization detects a threat, or after receiving an external victim notification - batch scan email attachments as part of the incident investigation quickly and accurately with our tools.

Wednesday, May 23, 2012

CVE-2012-0754 exploitability in PDF

Just a short blog post in follow up to the 9bplus and Xecure Lab posts on targeted attacks using the CVE-2012-0754 Flash calling malformed MP4 exploit in PDF. Adobe reports that Reader 10+ sandbox mitigates this threat, and Acrobat Reader 9.5.1 now uses the separate Flash player which was patched in February.

We've received samples of CVE-2012-0754 as early at April 20 2012 used in attacks prior to that date. Adobe's Acrobat Reader 9.5.1 was released April 10, 2012. Prior to April 10, Acrobat Reader 9.5 and earlier used a built in Flash player which was vulnerable to the CVE-2012-0754 exploit which was publicly known since February 15 2012 when it was patched in the Flash player. Attacks using the PDF version of CVE-2012-0754 may have been occurring prior to April 10, though we have no confirmation of this, and could have been successful against Acrobat Reader 9.5 at that time, we suggest that Adobe should have patched Reader for CVE-2012-0754 in February at the same time as Flash player but also applaud them for taking a big step forward to mitigate Flash in PDF threats with the removal of the built-in Flash player in Acrobat with the release of 9.5.1.

PDF Current Threats

Scan a PDF with PDFExaminer

Friday, April 6, 2012

CCITTFaxDecode support added to PDFExaminer

With the recent Sophos report of a CCITTFaxDecode filter being used to obfuscate malware, we decided it was time to add CCITT support for Group 3 1D to PDFExaminer.

We've been aware of one malware PDF using CCITTFaxDecode being used previously, however, the use of Javascript was not obfuscated, just the content, so we still flagged the file as suspicious. After implementing the Group 3 1D protocol [pdf] in PDFExaminer and testing our previously known sample appears to have led us to having found the same file as Sophos, but from 2010-11-07 - MD5: 863f99103941a33fbbe722f0deb3afa5, so there's not a lot of these going around, and they do not appear to be current.

View the full PDFExaminer report here and the 6 / 43 Virustotal.com report from 2010-10-09.

Thursday, March 29, 2012

XLS CVE-2009-3129 and countering cryptanalysis technique

We've recently come across a new technique to evade cryptographic analysis of malware documents by avoiding XOR key leakage by not encrypting any zero-blocks of the malware payload.

The method does take more complicated shellcode and can be tricky, we've previously only seen this technique used with one byte XOR keys, in this case we have a 8 byte XOR key used to encrypt an executable and clean dropped .doc file.

Sample: MAP forecast template_2012.xls / f2e17c8954569ca2b20428f4c3112a30

Looking at the original XLS file, we can see that the embedded malware's zero space is not encrypted, the actual XOR key does not appear anywhere in the file:

In the image above, we can see that fragments of the inverse XOR key are left when a block of FF characters is encrypted with the 8 byte key. We can see the pattern b181826c015bd079 appears to repeat, since FF in binary is 11111111, XORing FF will leak the bitwise NOT of the key (compared to the full key when XORing 00000000). Using the inverse key and calculating the NOT gets us the actual key 4E7E7D93FEA42F86. Which shows the FF space as suspected:

And the malware in encrypted form:

And decrypted we can see the MZ Header:

We've added the above as a feature to our Cryptam document malware anaylysis system, this is the report for this XLS trojan:

And we've added a new "zero space not replaced" field to the cryptanalysis section. We'll add proper decoding for this in our public tools soon.

Other new features in the latest release of Cryptam :
  • Enhanced Max OSX malware embedded in documents' detection.
  • Retina resolution images in all reports.
  • More accurate CVE-2010-3333 RTF exploit signature
  • Open XML document format scanning - docx, pptx, xlsx.

Monday, March 19, 2012

Cryptam Multi tool - automatic extraction of encrypted exe's and dropped files

We've added a bunch of new features and special case handling to the Cryptam malware document analysis system. Here's a few highlights:

- MS Office Open XML .docx handling
- RTF Datastore embedded file detection
- bitwise not ciphers
- Automatic extraction of encrypted embedded executables, dropped clean PDFs and documents

Executable and dropped clean document extraction:
While we won't be serving up malware exe files for download after processing on Cryptam, we are releasing this free script to extract embedded executables yourself from a document or PDF file. We've seen a increase in malware MS Office documents targeting Tibetan groups using subjects related to self-immolation.

The Cryptam Multi tool - standalone malware extractor from documents:

Extract executables using a known xor key, rol, ror, transposition full/512 byte headers and bitwise not ciphers. Submit a malware document to Cryptam via our API to get the XOR and any ciphers needed for decoding, or query the Cryptam API for decoding parameters of previously submitted documents. All from a single script.


Support for Windows and Mac embedded executables.

Example usage:

$ ls Action\ Plan\ for\ March\ 10th.doc
Action Plan for March 10th.doc

Submit a document from the command line (-submit):
$ php cryptam_multi.php Action\ Plan\ for\ March\ 10th.doc -submit
Submitting Action Plan for March 10th.doc to remote server
using XOR key 100f0e0d0c0b0a09080706050403020100fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0dfdedddcdbdad9d8d7d6d5d4d3d2d1d0cfcecdcccbcac9c8c7c6c5c4c3c2c1c0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a09f9e9d9c9b9a999897969594939291908f8e8d8c8b8a898887868584838281807f7e7d7c7b7a797877767574737271706f6e6d6c6b6a696867666564636261605f5e5d5c5b5a595857565554535251504f4e4d4c4b4a494847464544434241403f3e3d3c3b3a393837363534333231302f2e2d2c2b2a292827262524232221201f1e1d1c1b1a191817161514131211
wrote 51880 bytes at 60688 as type exe abb7d6371e8b389184802667fbc9a1ac
wrote 76120 bytes at 112568 as type exe aa88ea7d5a2ebdba4755e2e22a98778e

$ ls Action\ Plan\ for\ March\ 10th.doc*
Action Plan for March 10th.doc
Action Plan for March 10th.doc-112568.exe
Action Plan for March 10th.doc-60688.exe
Action Plan for March 10th.doc.out

$ php cryptam_multi.php Iran\'s\ Oil\ and\ Nuclear\ Situation.doc -api
Accessing remote API for decoding params for e92a4fc283eb2802ad6d0e24c7fcc857
using ROR 2
wrote 49160 bytes at 57444 as type exe 0bd8671cc6b6f7ae94bb5c04c12699d3

$ php cryptam_multi.php CVE-2012-0744-xls.xls -apiAccessing remote API for decoding params for 198de4a1ebf05f7f44faf76f167b0233
using XOR key 9a
using ROR 1
wrote 33888 bytes at 66124 as type exe 0decc2ec261bb2cb56456a8173355079
wrote 141224 bytes at 100012 as type exe 68c62ae7a28c2ccca3892b1926ed958f

Extract executables and documents from documents in plaintext:
$ php cryptam_multi.php macmalware.doc
wrote 42556 bytes at 26162 as type macho XXX8786a4887a763d8f3e5243724XXXX
wrote 37376 bytes at 68718 as type doc XXXf81de9f7d53c7e584bc15b1fdXXXX

Extract executables by downloading decode params from the api (-api):
$ php cryptam_multi.php 0353449f52f30d46aa425895f39acd39.virus -api
Accessing remote API for decoding params for 0353449f52f30d46aa425895f39acd39
using XOR key c9
using ROR 7
wrote 33800 bytes at 57420 as type exe 3cd745d8245aeec4c98a9317a7863f70

Extract executables from the command line using known xor key and rol/rol/not:
$ php cryptam_multi.php 0353449f52f30d46aa425895f39acd39.virus -xor c9 -ror 7
using XOR key c9
using ROR 7
wrote 33800 bytes at 57420 as type exe 3cd745d8245aeec4c98a9317a7863f70

Automatically untranspose MZ headers if needed:
$ php cryptam_multi.php TWA\ mourns\ the\ self\ immolation\ deaths\ of\ two\ female\ protesters.doc -api
Accessing remote API for decoding params for 4c689a4dbff1cf735fa44322800ebfe8
using XOR key 9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c
wrote 86016 bytes at 37230 as type exe d1690cb9c36fff1b8f27c20d0784a686
wrote 27648 bytes at 123246 as type doc e4e6dce8b7a59663b5f4888848e4fb0f

$ php cryptam_multi.php
Cryptam Multi Tool - Decode and extract embedded executables from documents
php cryptam_unxor.php virus.doc -xor fe85aa -rol 3 -not -out file.out
php cryptam_unxor.php virus.doc -api [gets decoding params from malwaretracker.com]
php cryptam_unxor.php virus.doc -submit [upload file to malwaretracker.com, download params]
-xor XOR key to decode document with
-rol bitwise left shift places
-ror bitwise right shift places
-not use a bitwise not fiter
-tp transposition cipher filter on file
-tph transposition cipher filter on EXE 512 byte header
-submit upload file to malwaretracker.com Cryptam analyzer, captures decoding params
and extracts EXE/docs/pdfs from file
-api queries malwaretracker.com Cryptam api with MD5 hash only, captures decoding params
and extracts EXE/docs/pdfs from file

Monday, March 5, 2012

Flash in Doc CVE-2012-0754 detection added to Cryptam

We've added to support to our Cryptam document analysis system detect the embedded flash in Office document exploit CVE-2012-0754, which is a recently patched with a new Flash Player update, yet increasingly used in attacks since at least Feb 27.

Cryptam will detect compressed Flash (CWS) files, decompress them and search for signatures of CVE-2012-0754 as well as conduct a cryptographic analysis to detect XOR encrypted executables as well as ROL encoding to detect new emerging or unknown threats in document format files.

We've noted a small number of samples of CVE-2012-0754 with 2 separate URLs for the remote mp4 file. The embedded executables have used a 1 byte XOR+ROL or just ROL 2 encoded.

View Cryptam Document Analysis System reporting of sample e92a4fc283eb2802ad6d0e24c7fcc857 reported on Contagiodump.

Monday, February 20, 2012

Decrypting embedded encrypted executables

In addition to the detection of embedded executables in documents, you will probably want to run the malware in your dynamic analysis sandbox or do a static analysis in IDA. To decrypt the executable or embedded clean documents etc that are obfuscated/encrypted, we have the following simple script. First you'll need the XOR key and ROL decode shift from a Cryptam report:

Download our cryptam_unxor.php script.

Sample usage:
dev:cryptam_test dev$ strings 34eba128caa21df52b7cec6ea1c80a91.virus|egrep This.program
dev:cryptam_test dev$ php cryptam_unxor.php 34eba128caa21df52b7cec6ea1c80a91.virus -xor 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -rol 5
dev:cryptam_test dev$ strings 34eba128caa21df52b7cec6ea1c80a91.virus.out|egrep This.program
This program cannot be run in DOS mode.
This program cannot be run in DOS mode.
dev:cryptam_test dev$

Then use your favorite hex editor to grab the content from the MZ header onward.

The script (spacing removed by blog editor, use the link above for a clean copy):
* v0.1
* cryptam_unxor.php: MalwareTracker.com Cryptam - command line script
* unxor and unrol

$key = '';
$rol = 0;
$outfile = '';

//accept a file as input
if (is_file($argv[1]) && $argc % 2 == 0) {
$outfile = $argv[1].".out";
for ($i = 2; $i < $argc; $i+=2) {
if ($argv[$i] == "-xor" && is_file($argv[$i+1]) )
$key = file_get_contents($argv[$i+1]);
else if ($argv[$i] == "-xor" || $argv[$i] == "-key")
$key = $argv[$i+1];
else if ($argv[$i] == "-rol")
$rol = $argv[$i+1];
else if ($argv[$i] == "-out")
$outfile = $argv[$i+1];
} else {
echo "invalid number of arguments:\n";
echo "php cryptam_unxor.php virus.doc -xor fe85aa -rol 3 -out file.out\n";

$data = file_get_contents($argv[1]);

if ($key != '') {
$data = xorString($data, hex2str($key));

if ($rol != '') {
$data = cipherRol($data, $rol);

file_put_contents($outfile, $data);

function hex2str($hex) {
$str = '';
for($i = 0; $i<strlen($hex); $i += 2) {
$str .= chr(hexdec(substr($hex,$i,2)));
return $str;

function cipherRol($string, $x) {
$newstring = '';
for ($i = 0; $i < strlen($string); $i++){
$bin = str_pad(decbin(ord($string[$i])), 8,'0', STR_PAD_LEFT);
$ro = substr($bin, $x).substr($bin, 0, $x);
$newstring .= chr(bindec($ro));
return $newstring;

function xorString($data, $key) {
$key_len = strlen($key);
$newdata = '';

for ($i = 0; $i < strlen($data); $i++) {
$rPos = $i % $key_len;
$r = '';
if ($key_len == 1)
$r = ord($data[$i]) ^ ord($key);
$r = ord($data[$i]) ^ ord($key[$rPos]);

$newdata .= chr($r);

return $newdata;


Obfuscation and detection of embedded executables

We're going to talk a little bit more about how our new Cryptam system detects malware documents based on identification of the encrypted executables. A document exploit needs to install an executable, those executables are usually either obfuscated and embedded in the document, or downloaded from a remote site.

APT type targeted email attacks, or "spear phishing" attacks, in our experience, most commonly embed the executable trojan within the document exploit. From plaintext, to obfuscation using 1-1024 byte XOR keys, counters, and Rol/Ror bit shifting are all commonly seen.

Common AV typically fails with detecting malware documents, as the exploit shellcode is usually heavily packed, and the XOR encryption creates a huge number of variants of potential signatures, so usually AV detection ends up being hash based and lags behind the attacks with new attacks getting only 10-20% detection on Virustotal.

Our Cryptam system uses the entropy of the file content to ignore legitimate content and focus on the higher entropy sections to statistically calculate the key used based on the position in the document and occurrences at that position, all in a single read pass, unlike brute force like other systems use, this method is extremely fast.

Cryptam can also be customized for both exploit/shellcode signatures in regex, as well as embedded executable signatures - Windows/Mac/Linux executable traits or library references (which are scanned for using the calculated XOR key and variations of ROL).

Example dispersion and key detection of 256 byte key, 00-FF:

Example dispersion and key detection of 256 byte key, FF-00:

Example dispersion and key detection of 256 byte key, algorithmic:

The above graphs show the highest occurrence characters over 1024 bytes in red, and the key, which is 256 bytes overlayed in black. In most cases the highest occurrences when there is a 256 byte key will be obvious with the key pattern repeating 4 times over 1024 bytes.

A clean document will appear as a lot of noise, randomly:

Wednesday, February 15, 2012

New malware document scanner tool released

We've recently released our malware document scanner tool called Cryptam (which stands for cryptanalysis of malware) . This system scans document files such as MS Office (.doc/.ppt/.xls), PDF and other document formats for embedded executables whether encrypted or not. As most embedded malware executables use varying lengths of XOR and ROL/ROR obfuscation to evade traditional A/V detection, we focus on the detection of the embedded executable rather than the exploit itself.

A typical Cryptam report visually shows three critical pieces of the cryptanalysis done. The first graph shows the count for each ascii character in the file, obvious single byte XOR keys can be seen here. The second graph is the entropy of the file, most documents other than PDFs are very light entropy on legitimate content, and only images or the embedded executables showing as red high entropy sections. The third and final graphic is the XOR dispersion over 1024 bytes with the calculated key overlayed. We define the XOR dispersion as the highest occurrence character per position in the 1024 byte blocks in the file. So a 256 byte XOR key used on an embedded executable will have a pattern which repeats 4 times over the 1024 bytes. If the dispersion graphic looks random, it's probably data and not an embedded executable. Sloping lines are typical of algorithmically generated encryption keys - the typical exploit shellcode is very small, and simple counters are commonly used as the XOR key.

The main areas to check in the cryptam report is the summary, for embedded executable signatures - such as an XORed version of This Program cannot be run in MSDOS etc. And the key length - which is typically anywhere from 1 to 1024 bytes, but most commonly 256 bytes with typical APT type attacks. The system is also available as a command line scanner and private web versions like our PDFExaminer product.

Use the Cryptam document malware scanner online at https://malwaretracker.com/doc.php. Upcoming posts will release a few useful tools to unxor and unrol the executables using the keys Cryptam detects.