Wednesday, September 21, 2011

Analyzing Malicious Documents

Analyzing MAlicious Documents

This cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat (PDF) files.

General Approach

·         Locate potentially malicious embedded code, such as shellcode, VBA macros, or JavaScript.
·         Extract suspicious code from the file.
·         If relevant, disassemble and/or debug shellcode.
·         If relevant, deobfuscate and examine JavaScript, ActionScript, or VB macro code.
·         Understand next steps in the infection chain.

Microsoft Office Binary File Format Notes

Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file.
Data can be “storage” (folder) and “stream” (file).
Excel stores data inside the “workbook” stream.
PowerPoint stores data inside the “PowerPoint Document” stream.
Word stores data inside various streams.

Tools for Analyzing Microsoft Office Files

·         OfficeMalScanner locates shellcode and VBA macros from MS Office (DOC, XLS, and PPT) files.
·         DisView disassembles bytes at a given offset of an MS Office file. (Part of OfficeMalScanner)
·         MalHost-Setup extracts shellcode from a given offset in an MS Office file and embeds it an EXE file for further analysis. (Part of OfficeMalScanner)
·         Offvis shows raw contents and structure of an MS Office file, and identifies some common exploits.
·         Office Binary Translator converts DOC, PPT, and XLS files into Open XML files (includes BiffView tool).
·         OfficeCat scans MS Office files for embedded exploits that target several known vulnerabilities.
·         FileHex (not free) and FileInsight hex editors can parse and edit OLE structures.

Useful MS Office Analysis Commands

OfficeMalScanner file.doc scan brute
Locate shellcode, OLE data, PE files in file.doc
OfficeMalScanner file.doc info
Locate VB macro code in file.doc (no XML files)
OfficeMalScanner file.docx inflate
Decompress file.docx to locate VB code (XML files)
DisView file.doc 0x4500
Disassemble shellcode at 0x4500 in file.doc
MalHost-Setup file.doc out.exe 0x4500
Extract shellcode from file.doc’s offset 0x4500 and create it as out.exe

Adobe PDF File Format Notes

·         A PDF File is comprised of header, objects, cross-reference table (to locate objects), and trailer.
·         “/OpenAction” and “/AA” (Additional Action) specifies the script or action to run automatically.
·         “/Names”, “/AcroForm”, “/Action” can also specify and launch scripts or actions.
·         “/JavaScript” specifies JavaScript to run.
·         “/GoTo*” changes the view to a specified destination within the PDF or in another PDF file.
·         “/Launch” launches a program or opens a document.
·         “/URI” accesses a resource by its URL.
·         “/SubmitForm” and “/GoToR” can send data to URL.
·         “/RichMedia” can be used to embed Flash in PDF.
·         “/ObjStm” can hide objects inside an Object Stream.

Tools for Analyzing Adobe PDF Files

·         PDFiD identifies PDFs that contain strings associated with scripts and actions. (Part of PDF Tools)
·         PDF-parser identifies key elements of the PDF file without rendering it (Part of PDF Tools)
·         Origami Walker examines the structure of PDF files.
·         Origami pdfscan identifies PDFs that contain strings associated with scripts and actions.
·         Origami extractjs and Jsunpack-n’s extract JavaScript from PDF files.
·         Sumatra PDF and MuPDF are lightweight and free viewers that may be used in place of Adobe Acrobat.
·         Malzilla can extract and decompress zlib streams from PDFs, and can help deobfuscate JavaScript.
·         CWSandbox, Wepawet and Jsunpack can analyze some aspects of malicious PDF files.

Useful PDF Analysis Commands file.pdf
Locate script and action-related strings in file.pdf file.pdf
Show file.pdf’s structure to identify suspect elements
pdfscan.rb file.pdf
Examine and display file.pdf’s structure (Usage)
extractjs.rb file.pdf
Extract JavaScript embedded in file.pdf file.pdf
Extract JavaScript embedded in file.pdf

Additional Malicious File Analysis Tools

·         ExeFilter can filter scripts from Office and PDF files.
· automatically examines malicious Office and PDF files.
·         VirusTotal can scan files with multiple anti-virus tools to identify some malicious documents.


Tuesday, September 20, 2011

Acronyms widely used in Cryptography

Accelerated RevocationA key revocation performed on a date sooner than the published key expiry date.
ApplicationThe application protocol between the card and the terminal and its related set of data
Application Authentication CryptogramAn Application Cryptogram generated by the card when declining a transaction
Application CryptogramA cryptogram generated by the card in response to a GENERATE AC command
Authorisation Request CryptogramAn Application Cryptogram generated by the card when requesting online authorisation
Authorisation Response CryptogramA cryptogram generated by the issuer in response to an Authorisation Request Cryptogram
Asymmetric Cryptographic TechniqueA cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key). The two transformations have the property that, given the public transformation, it is computationally infeasible to derive the private transformation.
AuthenticationThe provision of assurance of the claimed identity of an entity or of data origin.
BlockA succession of characters comprising two or three fields defined as prologue field, information field, and epilogue field.
Byte8 bits.
CardA payment card as defined by a payment system
CertificateThe public key and identity of an entity together with some other information, rendered unforgeable by signing with the private key of the certification authority which issued that certificate.
Certification AuthorityTrusted third party that establishes a proof that links a public key and other relevant information to its owner.
CiphertextEnciphered information
Cold ResetThe reset of the ICC that occurs when the supply voltage (VCC) and other signals to the ICC are raised from the inactive state and the reset (RST) signal is applied.
Combined DDA/Application Cryptogram GenerationA form of offline dynamic data authentication
CommandA message sent by the terminal to the ICC that initiates an action and solicits a response from the ICC.
CompromiseThe breaching of secrecy or security
ConcatenationTwo elements are concatenated by appending the bytes from the second element to the end of the first. Bytes from each element are represented in the resulting string in the same sequence in which they were presented to the terminal by the ICC, that is, most significant byte first. Within each byte bits are ordered from most significant bit to least significant. A list of elements or objects may be concatenated by concatenating the first pair to form a new element, using that as the first element to concatenate with the next in the list, and so on.
ContactA conducting element ensuring galvanic continuity between integrated circuit(s) and external interfacing equipment.
CryptogramResult of a cryptographic operation
Cryptographic AlgorithmAn algorithm that transforms data in order to hide or reveal its information content
Data IntegrityThe property that data has not been altered or destroyed in an unauthorised manner.
Deactivation SequenceThe deactivation sequence defined in section 6.1.5 of Book 1.
DeciphermentThe reversal of a corresponding encipherment
Digital SignatureAn asymmetric cryptographic transformation of data that allows the recipient of the data to prove the origin and integrity of the data, and protect the sender and the recipient of the data against forgery by third parties, and the sender against forgery by the recipient.
Dynamic Data AuthenticationA form of offline dynamic data authentication
EmbossingCharacters raised in relief from the front surface of a card.
EnciphermentThe reversible transformation of data by a cryptographic algorithm to produce ciphertext.
Epilogue FieldThe final field of a block. It contains the error detection code (EDC) byte(s).
Exclusive-ORBinary addition with no carry, giving the following values
Financial TransactionThe act between a cardholder and a merchant or acquirer that results in the exchange of goods or services against payment.
FunctionA process accomplished by one or more commands and resultant actions that are used to perform all or part of a transaction.
GuardtimeThe minimum time between the trailing edge of the parity bit of a character and the leading edge of the start bit of the following character sent in the same direction.
Hash FunctionA function that maps strings of bits to fixed-length strings of bits, satisfying the following two properties It is computationally infeasible to find for a given output an input which maps to this output It is computationally nfeasible to find for a given input a second input that maps to the same output.
Hash ResultThe string of bits that is the output of a hash function.
Integrated Circuit ModuleThe sub-assembly embedded into the ICC comprising the IC, the IC carrier, bonding wires, and contacts
Integrated Circuit(s)Electronic component(s) designed to perform processing and/or memory functions.
Interface DeviceThat part of a terminal into which the ICC is inserted, including such mechanical and electrical devices as may be considered part of it.
KernelThe set of functions required to be present on every terminal implementing a specific interpreter. The kernel contains device drivers, interface routines, security and control functions, and the software for translating from the virtual machine language to the language used by the real machine. In other words, the kernel is the implementation of the virtual machine on a specific real machine
KeyA sequence of symbols that controls the operation of a cryptographic transformation.
Key Expiry DateThe date after which a signature made with a particular key is no longer valid. Issuer certificates signed by the key must expire on or before this date. Keys may be removed from terminals after this date has passed.
Key IntroductionThe process of generating, distributing, and beginning use of a key pair
Key Life CycleAll phases of key management, from planning and generation, through revocation, destruction, and archiving
Key ReplacementThe simultaneous revocation of a key and introduction of a key to replaced the revoked one.
Key RevocationThe key management process of withdrawing a key from service and dealing with the legacy of its use. Key revocation can be as scheduled or accelerated
Key Revocation DateThe date after which no legitimate cards still in use should contain certificates signed by this key, and therefore the date after which this key can be deleted from terminals. For a planned revocation the Key Revocation Date is the same as the key expiry date.
Key WithdrawalThe process of removing a key from service as part of its revocation.
KeypadArrangement of numeric, command, and, where required, function and/or alphanumeric keys laid out in a specific manner.
LibraryA set of high-level software functions with a published interface, providing general support for terminal programs and/or applications
Logical CompromiseThe compromise of a key through application of improved cryptanalytic techniques, increases in computing power, or combination of the two.
Magnetic StripeThe stripe containing magnetically encoded information
MessageA string of bytes sent by the terminal to the card or vice versa, excluding transmission-control characters.
Message Authentication CodeA symmetric cryptographic transformation of data that protects the sender and the recipient of the data against forgery by third parties.
NibbleThe four most significant or least significant bits of a byte.
PaddingAppending extra bits to either side of a data string.
PathConcatenation of file identifiers without delimitation
Payment System EnvironmentThe set of logical conditions established within the ICC when a payment system application conforming to this specification has been selected, or when a Directory Definition File (DDF) used for payment system application purposes has been selected.
Physical CompromiseThe compromise of a key resulting from the fact that it has not been securely guarded, or a hardware security module has been stolen or accessed by unauthorised persons.
PIN PadArrangement of numeric and command keys to be used for personal identification number (PIN) entry
PlaintextUnenciphered information
Planned RevocationA key revocation performed as scheduled by the published key expiry date.
Potential CompromiseA condition where cryptanalytic techniques and/or computing power has advanced to the point that compromise of a key of a certain length is feasible or even likely
Private KeyThat key of an entity‘s asymmetric key pair that should only be used by that entity. In the case of a digital signature scheme, the private key defines the signature function.
Prologue FieldThe first field of a block. It contains subfields for node address (NAD), protocol control byte (PCB), and length (LEN).
Public KeyThat key of an entity‘s asymmetric key pair that can be made public. In the case of a digital signature scheme, the public key defines the verification function.
Public Key CertificateThe public key information of an entity signed by the certification authority and thereby rendered unforgeable.
ScriptA command or a string of commands transmitted by the issuer to the terminal for the purpose of being sent serially to the ICC as commands.
Static Data AuthenticationOffline static data authentication
Symmetric Cryptographic TechniqueA cryptographic technique that uses the same secret key for both the originator‘s and recipient‘s transformation. Without knowledge of the secret key, it is computationally infeasible to compute either the originator‘s or the recipient‘s transformation.
TerminalThe device used in conjunction with the ICC at the point of transaction to perform a financial transaction. The terminal incorporates the interface device and may also include other components and interfaces such as host communications.
Terminate Card SessionEnd the card session by deactivating the IFD contacts according to section 6.1.5 of Book 1 and displaying a message indicating that the ICC cannot be used to complete the transaction
Transaction CertificateAn Application Cryptogram generated by the card when accepting a transaction
Virtual MachineA theoretical microprocessor architecture that forms the basis for writing application programs in a specific interpreter software implementation
Warm ResetThe reset that occurs when the reset (RST) signal is applied to the ICC while the clock (CLK) and supply voltage (VCC) lines are maintained in their active state