Monday, November 23, 2015

New Banking Phishing Campaign hits Australia

There is a new phishing campaign that is currently targeting Australia and New Zealand. This is coming through email and SMS media. The message asks the user to the click on a link and update their details. Please make sure that your end-users are aware of this and DO NOT click on these links. Bad actors behind this campaign grab various details (credit cards, DOB, License, Address etc) and the data is then saved into a database (PHP framework being used in the backgroud to facilitate this).
The domain being used is not flagged by any vendor at this moment (checked virustotal and all major security vendor sites).
Please BLOCK this domain at GW for added security. Depending on your organization’s policies – you can use wildcards.

Block these additional URLs as well:

Thursday, November 12, 2015

GIAC Certification - GREM Exam Tips

If you look at my LinkedIn profile, you'll see that I have passed more certification exams than I can remember! The reason I bring that up is to let you know that GIAC GREM exam was by far the toughest.

Thought I'd share my journey with you!

The Start.

I sat the class-room course SANS FOR610 and our instructor (Jake Williams) was awesome - highly entertaining and super-knowledgeable. Cant get any better than that, as the course really is hardcore and can get a bit tiring at times.

If you get a chance to sit the class-room course, I'd always suggest you do it over the on-demand version. Access to a SANS instructor is unmatched by any advantages the Online course might offer. You can ask questions as they come up in your mind, the real-world examples and stories the instructors share with you, the labs, interaction with fellow attendees and networking with people while you're doing the course is invaluable. I made a few good connections while I was there. Also, you get to meet other instructors (I was at the cyber-defense event, so there were community nights etc., which were really informative and fun).

The Test. 
I took my time to sit the test. With a full time job and family, its hard to find time to study as much as I would like to. And study you need to, if you want to pass this exam. Like Jake told us on the first day, there's a reason the word 'engineering' is in the course title - it is a tough one.

I took nearly four months to sit the exam after taking the course (three work-overseas trips and two other certifications in between!). Last few weeks I really stepped it up - stayed up late and went through the course books back to front.

One of the biggest help I had (and you should too), was the mp3 audio files by Lenny Zeltzer - the ones you get as part of self-study after you take the course. I listened to these every chance I could get. I had them on my phone and played them in the car. I listened to Lenny go through the course until I knew what he was going to say next! REAL BIG help, trust me on this one.

The Preparation.
I did quite a bit. I did grab malware samples whenever I could and tried to reverse them as best as I could. In hindsight, I think this really helped. When you're working on malware not from the labs, you're dealing with stuff you dont know about. You end up learning a lot. I was not successful most of the times but kept getting better. All of this starts to make sense as you gain more and more experience. It was a slow process for me but I did get better at reversing and analyzing.

When you look around the web for tips on GIAC exams, indexing is big. Everyone tells you to make an index for your books and most people tell you their indices are quite big.
Make what you will of this, but I didnt really end up with a huge index. It was a few pages. I did not rely on it too much during the test and I didnt really think a bigger index would have helped. Keep in mind though, I'm talking specifically about the GREM exam. Not sure if the other exams require bigger indices. Also, I knew my books really well by the time I took the exam and I knew where to look. I did label my books with colored tabs. That, I believe was more helpful than the index.

The Index and labels. 
As I mentioned above, I relied a lot on the labels through-out my study and also the exam. I labeled everything with a sticky tab that I felt was important. Also, while reading through the books, I highlighted all the keywords and important bits. While labeling and indexing, I went through the books again and looked for the highlighted bits and put them either on the index or labeled them.

The Exam. 
Keep in mind that you only get less than 2 minutes per questions. I tried to be at a level where I could answer a few questions without having to look at the books. Some questions I knew but had to confirm by looking at the books - but this is a lot faster than looking for the complete answer. Some questions I had to lookup.

You get a 15 minute break during the exam - I didnt bother. Once you're in the zone, I guess its better to get it done with in one hit.

The Result.
I passed quite easily with more than 80% (70.7% is the pass percentage). Would've loved to get 90% - which is what I was really aiming for but didnt get there.

One more thing I want to share with you is that I found the exam to be a lot harder than the practice exams. Maybe it's just me and I got a bit unlucky in that sense.

The biggest tip I can give you is this - go through the course material back to front, reverse ALL samples that were provided to you during the course and try to get some more. I did go through some other books but I dont think they are really required for the exam. I read through Practical Malware and MAC. One book I can really recommend is Windows Internals - this book really helped me in learning more details about things that are relevant to this course (good to know).

Last thing, enjoy learning everything as your're studying for the exam - it really makes it easier and you learn more.

The Impact.
Getting certified - does it make a difference? YES, it does.
You feel  a lot more confident - people around you (esp. the ones who know how hard it is) respect you a lot more.
As soon as I updated my LinkedIn profile (added the GREM badge) the number of recruitment agent emails went up overnight!

Are GIAC certifications and SANS courses worth the hype - YES. I will definitely be doing more with SANS, not just for the career opps but primarily to learn more. I really did learn a great deal and plan keep learning more.

Any questions, let me know!


Tuesday, November 10, 2015

Sunday, November 8, 2015

Reverse Engineering: Rebuilding the IAT

Malware is somtimes packed in order to make it harder to analyse. Some times, the author deliberately changes the IAT so that the malware does not behave as expected and becomes really hard to disassemble.

Follow this process to rebuild the IAT -

Load the malware into a disassembler (Olly or IDA)

Locate the OEP (Original Entry Point)

Dump the process (eg. use OllyDumpEx)

Attach the process to a tool like Scylla while it's paused in the debugger

Hit the search function to find the IAT

Fix Dump in order to dump the process with the fixed IAT.

Now you can reload the fixed process into the debugger/disassembler and continue to reverse.

If Scylla does not find the IAT, use other tools.

Memory Forensics: Volatility Usage Sequence

This is just my way of using Volatility for memory forensics. I find this sequence to be the best in order to get the most out of the exercise and it also allows me to make sure that I dont miss any of the basics.

Here we go:

As soon as you have the memory image, copy it on to your forensics machine and start analyzing it using volatility. 

1. Specify the --profile if needed


2. Run both of these modules: 
  • pslist
  • psscan

Run just this module:
  • psxview

3. Run connscan - this will give you all the connections that are being attempted

4. Run sockscan - this will give you all the ports that are being used

5. Run procdump (or procexedump) - this will let you 'dump' the process (get an 'exe' for the process that you are after, out of the mem image)

6. Run dlllist - this will give you a list of all the DLLs (analyzing DLL-injections)

7. Run malfind - this will find the suspicious sections of code for you. This module combines 'pefile' and 'pydasm' both. Very useful. 

8. Run printkey - this will extract the registry keys for you, again, very helpful. 

Virtual Memory

9. Run pslist - this will give you the process list, which you can use for finding virtual memory space for the desired processes

10. Run memdump - this will dump the memory of the process

11. Run driverscan - gives you all the drivers that are on the system memory

12. Run modules and modscan - gives you all modules and drivers loaded on to the system memory

13. Run consoles - give you all the commands that have been used. 

14. Run cmdscan - again, gives you all the commands, only without  the output.

15. Run apihooks -  run this to get a list of all in-line hooks in user and kernel mode. 

16. Run vaddump - finally, this will give you an extraction of mem regions from the VAD tree.

This is the sequence that I always use for any mem analysis job and it works for me. There are other modules that come handy time to time but that is mostly on an ad-hoc basis, as required. 

Hope this helps you in your analysis tasks!