If you’ve ever encountered the following dialog – you know that an application has crashed in Windows. As the dialog indicates, Microsoft is checking for a solution to the problem – which means it’s communicating back to Microsoft servers. While this may not be a problem for your enterprise environment, it’s additional noise that you typically don’t want/need in your malware sandbox. The following screenshot shows example HTTP traffic reporting the error. If you’re running an IDS such as Suricata – Emerging Threats also has a couple of signatures that can help you identify this traffic/behavior. You can disable this…
Read moreCategory: malware
Disabling Network Connectivity Status Indicator (NCSI)
According to this article on MSDN, Microsoft introduced the Network Connectivity Status Indicator in Windows Vista. While there may be a number of reasons to investigate this service, my motivation is in eliminating the resulting network traffic from my malware sandbox. This service performs an HTTP GET request for a text document, ncsi.txt, from any number of Microsoft hosts. While it would be easy enough to filter this traffic based off of the user-agent (Microsoft NCSI) or similar, in this scenario I find it even better to simply eliminate the behavior all together. To accomplish this, there is only a…
Read moreAnti-Analysis in an Office Document
Please note: This was a blog post I originally authored for Bromium. Due to changes in how they host their blog content, it has fallen into the archives and become somewhat difficult to find. I’m posting this content here mainly as an archive. Office documents have been a favorite method of distribution for malware authors for several years. While most malware authors go to great lengths to hide the intention of their macros through obfuscation, it is seldom that I’ve encountered macros that also exhibit anti-analysis techniques. I recently examined an office document that contained such capabilities. You can find…
Read moreIdentifying a User Form in an Office Document
In this post, we will be looking into ways to identify and analyze the presence of a user form in an office document. As I discussed in a previous post, user forms are often used to store resources needed by the malware author such as scripts (PowerShell, VBS), shellcode and strings. We will be using OLEDUMP to assist in our analysis and by the end of this post, you will be able to identify and trace the usage of user forms and their objects throughout macro code. For this analysis, we will be looking at the following malicious office document….
Read moreAnalyzing Malicious Office Documents with OLEDUMP
Microsoft office documents are a common vehicle used by malware authors to deliver malware. These documents, used for malicious purposes, are commonly referred to as maldocs. While there has been a variety of ways in which they have been used, one of the more prevalent is through the use of macros. Macros are written in Visual Basic for Applications (VBA), which is well documented on the Microsoft Developer Network (MSDN). This API allows malware authors to hook into life-cycle events of a document, such as AutoOpen, AutoClose and AutoExit (MSDN) in order to achieve code execution with minimal interaction from…
Read more