Wednesday, December 14, 2016

QuickSand.io Open Source version released

Today we are officially launching an open source licensed version of QuickSand.io: a C command-line tool that scans document streams with Yara signatures for exploits and active content, and runs cryptanalysis attacks on XOR obfuscation. Dubbed QuickSand_Lite, this version initially does not include the full cryptanalysis module, the brute-force single-byte XOR attack, or the XOR Look Ahead algorithm.

Github Repo https://github.com/tylabs/quicksand_lite


In addition to the code, we are also including Yara signatures for active content, executables, some CVE exploit identification, and a selection of general document-related Yara signatures. We've enhanced our Yara signatures with a numeric score which is used to calculate the overall badness score of a sample. Generally, scores of 1-10 denote active content such as macros, and 10+ denote exploits or shell commands executed via the active content.

Exploit and Active Content Detection


  • Word
  • Excel
  • Powerpoint
  • RTF
  • Mime MSO xml
  • Emails


XOR + ROL/ROR/NOT/ADD/SUB Embedded Executable Detection

  • Word
  • Excel
  • Powerpoint
  • RTF
  • Mime MSO xml
  • Emails
  • PDF
  • TCP Streams data
  • Any non-executable file which may contain an XOR obfuscated exe

Executable Detection Target OS

  • Windows
  • Mac
  • Linux
  • VBS

XOR DB Cryptanalysis Attack


The XOR-DB functionality uses a dictionary of common XOR keys up to 256 bytes long: ascending, descending, algorithmic, and cafebabe variants.
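To show how the XOR DB attack and the XOR + ROL embedded-executable detection above fit together, here is an added example written for this post (it is not QuickSand's own code): a tiny stand-in key dictionary (cafebabe, the cafebafe variant from the demo, and 256-byte ascending/descending keys), each key tried at every offset with every ROL amount, and the decoded window checked for an MZ header plus the DOS stub text. The key stream is assumed to start at the embedded executable, and the sample document is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WIN 64   /* bytes decoded per candidate offset */

/* Stand-in for the XOR DB, keys as generators (assumption: the tool's dictionary is far larger). */
static uint8_t key_byte(int id, size_t i) {
    static const uint8_t cafebabe[] = {0xca,0xfe,0xba,0xbe}, cafebafe[] = {0xca,0xfe,0xba,0xfe};
    if (id == 0) return cafebabe[i % 4];
    if (id == 1) return cafebafe[i % 4];              /* variant shown in the demo output */
    if (id == 2) return (uint8_t)(i & 0xff);          /* ascending 00..ff: a 256-byte key */
    return (uint8_t)(0xff - (i & 0xff));              /* descending ff..00 */
}
static uint8_t rol8(uint8_t b, int n) { n &= 7; return (uint8_t)((b << n) | (b >> ((8 - n) & 7))); }
static uint8_t ror8(uint8_t b, int n) { n &= 7; return (uint8_t)((b >> n) | (b << ((8 - n) & 7))); }

/* A decoded window counts as a PE if it starts with MZ and carries the DOS stub text. */
static int looks_like_pe(const uint8_t *w, size_t n) {
    static const char stub[] = "This program";
    if (n < 2 || w[0] != 'M' || w[1] != 'Z') return 0;
    for (size_t i = 2; i + sizeof stub - 1 <= n; i++)
        if (memcmp(w + i, stub, sizeof stub - 1) == 0) return 1;
    return 0;
}
typedef struct { size_t offset; int key_id; int rol; } hit_t;

/* Try every offset, dictionary key (4 of them) and ROL amount (0 = plain XOR). Assumes the
 * key stream starts at the embedded executable, which is this example's simplification. */
int find_xor_rol_pe(const uint8_t *buf, size_t len, hit_t *hit) {
    uint8_t w[WIN];
    for (size_t off = 0; off + WIN <= len; off++)
        for (int k = 0; k < 4; k++)
            for (int r = 0; r < 8; r++) {
                for (size_t i = 0; i < WIN; i++) w[i] = rol8(buf[off + i] ^ key_byte(k, i), r);
                if (looks_like_pe(w, WIN)) { hit->offset = off; hit->key_id = k; hit->rol = r; return 1; }
            }
    return 0;
}

/* Constructed sample (87 bytes): RTF-like prefix, then a fake MZ stub obfuscated as ror 5 then XOR cafebafe. */
size_t build_sample(uint8_t out[96]) {
    static const char pre[] = "{\\rtf1 ", exe[] = "MZ\x90\x00\x03\x00This program cannot be run in DOS mode.\r\n$";
    size_t n = sizeof pre - 1, m = sizeof exe - 1;
    memcpy(out, pre, n);
    for (size_t i = 0; i < m; i++) out[n + i] = ror8((uint8_t)exe[i], 5) ^ key_byte(1, i);
    memset(out + n + m, 'A', 32);                     /* trailing document bytes */
    return n + m + 32;
}

/* Scans the constructed sample; returns offset*100 + key_id*10 + rol, e.g. 715 for offset 7, cafebafe, rol 5. */
int demo(void) {
    uint8_t buf[96]; hit_t h;
    size_t n = build_sample(buf);
    return find_xor_rol_pe(buf, n, &h) ? (int)(h.offset * 100 + h.key_id * 10 + h.rol) : -1;
}
```

The decode order mirrors the demo output above: XOR with the dictionary key first, then ROL to undo the attacker's ROR, with the plain-XOR case covered by ROL 0.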


Web version

Our quicksand.io site runs the full version with up-to-the-minute exploit signatures and additional trojan signatures.


Dependencies

Yara 3+ (searching via libyara)
zlib (deflate/uncompress)
libzip (unzip)


OS Compatibility

Designed for Linux and Mac command line. Windows is untested and not recommended for safe malware handling.


Download quicksand_lite Package

https://github.com/tylabs/quicksand_lite/releases/latest


Install Script - Dependencies for Mac/Linux

https://raw.githubusercontent.com/tylabs/quicksand_lite/master/INSTALL.txt

Build

cd quicksand_lite-1.01.001
chmod 777 ./build.sh
./build.sh

Coming soon


  • Python integration
  • More exploit and trojan signatures


Full Version and Commercial Licensing

Contact TyLabs.com


Demo


mac:quicksand_lite tylabs$ ./build.sh 

[sample with active content and shell execution]
mac:quicksand_lite tylabs$ ./quicksand.out AELM\ Entertainment\ budget\ and\ Attendance\ allowance.xls 
 -0> root {9}
  md5:97da0784fddfef932d7d31884f088b40
  sha1:da3a8d1ea5b245f612da17ec7b252c45fd75adae
  sha256:b0de26080a84ba0b15ea3f471fe6be5392efe770c53dbe5c0a8ed439b05731c6
  sha512:5ebdb3d9970ec301af369198afa3a98b74e67455e19997cce59a75fff9b849da4c9eb4fcf528b307dcb92497ffa2f8c2473dd66ba4823300ae63247867e2461d
  head:d0cf11e0a1b11ae1
  size:114688
  yara:exploits:warning_vb_macro
  yara:exploits:exploit_vb_execute_shell
  yara:exploits:warning_vb_autoopen
  yara:exploits:warning_vb_fileio
  structhash:z
  qsversion:01.01.001
  qstime:2016:12:14 17:52:32
  score:13
  is_malware:2

[sample with 4 byte xor key]
mac:quicksand_lite tylabs$ ./quicksand.out cafebafe.rtf 
 -0> root {6}
  md5:9725ebae48dd461f7a735c521dad2810
  sha1:6971b204485d6930aa791c3a79285f12e3764b49
  sha256:170a3e92343977a7463d2a60cb6625f53aeb0e6a68aee0805df0599f794bcd8e
  sha512:369e7f86a6d8f48e72f9edc883a21a8fcf1fcaa802fd272688f8d7eb0446888dd8870864ba9e87746c85a8addebae1bd083e027d519957d2dc0a3a20828e0088
  head:7b5c727420202020
  size:1298407
  yara:exploits:warning_rtf_embedded_file
  structhash:7wh9sJ0nLTfjJ45n6LU0rgOlK0fAafocfTCBt3POUO0VZaUnzDDiLhXphX4mCZUxN0UN9w1I2T
  qsversion:01.01.001
  qstime:2016:12:14 17:52:50
  score:12
  is_malware:2

  -1> xor {3}
   md5:0e3ae1ec3673a8b64e3b52eca0a7211d
   sha1:990a3401ed3fa122ec25324d7c1c8ad2a6e7d7a0
   sha256:281adc83803543b91d58be7bd374947b1b65dc9ae8b44db1014704adbd22b057
   sha512:4951a28d3016b6ef610bccae094e06eb530f1870751f7387599cd4ccc74c39bb1dc7d6d4e27f8a2405ac4d5c03fbb48e2152332c8dd0acbab6b53e6558ed9726
   head:b1e2c88aea9e9ade
   parentsha256:170a3e92343977a7463d2a60cb6625f53aeb0e6a68aee0805df0599f794bcd8e
   size:1298407
   yara:executable:executable_win_pe
   xortkey:cabebafe
   xorlen:4

[sample with 256 byte xor key + rol 5]
mac:quicksand_lite tylabs$ ./quicksand.out test2.doc 
 -0> root {7}
  md5:5fecc4c4479c32e31da84939ae9be618
  sha1:0582e3f991cd2c5340caf9263c1fa52037903ea9
  sha256:ae7b64f301a1281e71c261531cd7dc279240e6c4b1d2d5cccd4b2d03aebb3d1e
  sha512:009bd4dd17fde834a93993f9178c59107134ca6cc0c232e9f36c5255f05863e2ae78c3ab7bb2321e4b759bd240a412fb7cddf0db03b765586ebd7564f3bd8cc3
  head:d0cf11e0a1b11ae1
  size:343040
  yara:exploits:exploit_cve_2012_0158
  yara:exploits:warning_vb_macro
  structhash:zPj
  qsversion:01.01.001
  qstime:2016:12:14 17:53:14
  score:23
  is_malware:2

  -1> xor {2}
   md5:ca1a8b2c459e65a5acd1d27325641ce9
   sha1:c70f343c69b707f98ca947edc8f1098a3f0f7f77
   sha256:eaa2a02d5c7e89ba19055a1a7b2a53bec0fc2062b256ee050fbeb051e6e8986b
   sha512:2ab8172b11807e40c567517b6d7d464586d4006c209f6e48cf49ceb0222a649ccff47fb7de473600d4ca2e2f8d275a5f54705a09b5f7ca88fab208bf4bf18519
   head:d030ef1d5d4ae018
   parentsha256:ae7b64f301a1281e71c261531cd7dc279240e6c4b1d2d5cccd4b2d03aebb3d1e
   size:343040
   xortkey:[256-byte key not reproduced here]
   xorlen:256

   -2> rol {2}
    md5:25324b386571448ac1cb50cc73e016cd
    sha1:94c173f3c676b0d398b2be6b1b94fb6038c33c02
    sha256:5ddab6dee79478389d7c06d31fc238ba7b01d6d08dd181dea7e99a816ed38e30
    sha512:abc932d09df4abd7c9b62a78a2beb78f19cd7920568f9e7dc14a7f4e1ec4516e2ae108495d8d9257591a903dc6bc19f7b256637598d6b0373b7a2aac9a394f59
    head:1a06fda3ab491c03
    parentsha256:eaa2a02d5c7e89ba19055a1a7b2a53bec0fc2062b256ee050fbeb051e6e8986b
    size:343040
    yara:executable:executable_win_pe
    rol:5

mac:quicksand_lite tylabs$ 
