Monday, August 27, 2012
System Updates
We also have an alternate domain, vicheck.com, for use in the event of an outage.
Thursday, August 12, 2010
Support for detecting ROR and ROL ciphers in documents
Wednesday, July 28, 2010
CVE-2010-1297 Flash exploit variants
Friday, July 23, 2010
XOR Key normalizing and hashing
A key recovered from leaked plaintext can come out at any rotation of the real key, so before hashing it we rotate it into a canonical form. The sum of its byte values is also recorded as a rotation-independent fingerprint (reported as the Key Unique Sum).

    // Rotation-invariant fingerprint of a key given as a hex string: the sum of its
    // byte values. A 256-byte key containing every byte value once sums to 32640.
    function keyUniqueSum($key) {
        $sum = 0;
        for ($i = 0; $i < strlen($key) - 1; $i += 2) {
            $sum += hexdec($key[$i] . $key[$i + 1]);
        }
        return $sum;
    }

    // Hex <-> binary helpers used below (PHP 5.4 and later also ship hex2bin/bin2hex).
    function hex2str($hex) { return pack('H*', $hex); }
    function strhex($str) { return bin2hex($str); }

    // Canonicalise a key given as a hex string: pick the rotation that sorts highest
    // byte-for-byte. The key is doubled so that every rotation is a contiguous
    // substring, and the winning prefix is grown one byte per pass.
    function normalizeKey($key) {
        $values = hex2str($key) . hex2str($key);
        $size = strlen($values) / 2;
        $high = 0;        // highest byte value seen at the current prefix position
        $highest = '';    // prefix of the winning rotation so far
        $start = 0;       // offset in $values where the winning rotation begins
        for ($j = 0; $j < $size; $j++) {
            for ($i = 0; $i < $size; $i++) {
                if (strlen($highest) > 0) {
                    // Only rotations that already match the prefix stay in the race.
                    if (substr($values, $i, strlen($highest)) !== $highest) {
                        continue;
                    }
                    $pos = $i + strlen($highest);
                } else {
                    $pos = $i;
                }
                if (ord($values[$pos]) > $high) {
                    $start = $i;
                    $high = ord($values[$pos]);
                }
            }
            $highest .= chr($high);
            $high = 0;
            // Stop once the prefix identifies a single rotation: a prefix unique to one
            // rotation occurs at most twice in the doubled key.
            $search = '';
            for ($l = 0; $l < strlen($highest); $l++) {
                $search .= sprintf('\\x%02x', ord($highest[$l]));
            }
            if (preg_match_all("/$search/s", $values, $matches, PREG_OFFSET_CAPTURE) <= 2) {
                break;
            }
        }
        return strhex(substr($values, $start, $size));
    }
Thursday, July 22, 2010
Email report enhancements
A sample report for a document with an embedded encrypted executable:
RESULT: Embedded executable detected.
REPORT: https://www.vicheck.ca/
Encryption level: 256 byte key.
Confidence ranking: 100 (18 hits).
External hash searches:
VIRUS SCAN VirusTotal: 11/42 (26%) detected malware
REPORT http://www.virustotal.com/
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New

A sample PDF using Javascript obfuscation:
SCAN: Suspicious file - Javascript obfuscation syncAnnotScan to hide blocks
REPORT: https://www.vicheck.ca/
Confidence ranking: 75 (2 hits).
External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New

And lastly a sample executable file:
SCAN: skipped - see sandbox report - file format executable
REPORT: https://www.vicheck.ca/
Confidence ranking: 50 (1 hits).
External hash searches:
VIRUS SCAN VirusTotal: 11/41 (27%) detected malware
REPORT http://www.virustotal.com/
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New
Wednesday, July 21, 2010
Report page enhancements
Embedded Executable:
XOR encryption: Yes
Replacement cipher: No
Mathematical substitution cipher: No
Matching: full
Key Length: 256 bytes
Key Unique Sum: 32640
Key Location: @5888 bytes
Key Accuracy: 100.00%
Fuzzy Errors: 0
File XOR Offset: @0 bytes
XOR Key normalized hash: eb58ea3d9dfb335ddc5d064954bc0daf
XOR Key: 0x[…]
Tuesday, July 20, 2010
Thanks
It's probably a good time to introduce ourselves. ViCheck combines a cryptanalysis engine that detects encrypted executables embedded in documents with a multi-decoder for PDF that detects known exploits and Javascript obfuscation techniques. We also use a commercial sandbox to collect dynamic information from exploit documents and from the executables we extract and decrypt statically. We don't run our samples live on the internet; a honeynet captures their requests for C2 domains internally.
For our primary goal, detecting embedded executables in documents, we use an in-house cryptanalysis engine that scans for leaked plaintext keys and tries them: a large part of any executable file is zero-filled, and XORing zeros with a repeating key writes the key itself into the ciphertext. Once a key is found we decrypt the executable and scan it for imported libraries. We also detect mathematical substitution ciphers, replacement ciphers, and combinations of these.
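As an added example (not ViCheck's code; the sample key, the constructed document and the helper names analyse, leaked_key_candidates, find_pe, normalize_key and key_fingerprint are all illustrative), the Python below implements the pipeline described in this post and in the "XOR Key normalizing and hashing" post: find a window of the file that repeats with a short period (a zero-filled plaintext region under a repeating key leaks the key stream verbatim), treat the repeating bytes as the key at an unknown rotation, decrypt with it, confirm the result with an MZ/PE header check and an import-name lookup, and report the key length, its rotation-invariant byte sum and the MD5 of its canonical rotation. It goes beyond the post in two ways: it rejects periodic but innocent data (a repeated PDF object) by requiring a successful decryption, and it treats a byte-wise additive cipher the same way as XOR, since 0 + k = k leaks the key exactly as 0 XOR k does. The 256-byte key-length bound and the three-period minimum window are assumed thresholds.

```python
"""Recover a repeating XOR (or additive) key leaked by the zero-filled regions
of an embedded executable, normalise it for hashing and verify the decryption.
Added example, not ViCheck's code; the sample document below is constructed."""
import hashlib
import struct

# Decryption rules for the two ciphers the leak technique covers:
# 0 XOR k == k and (0 + k) mod 256 == k, so zeros expose the key stream either way.
CIPHERS = {
    "xor": lambda c, k: c ^ k,
    "sub": lambda c, k: (c - k) & 0xFF,   # inverse of a byte-wise additive cipher
}


def leaked_key_candidates(buf, max_key_len=256, min_run=3):
    """Yield (period, start, keystream) for every window of at least
    min_run*period bytes that repeats with that period.  Shorter periods come
    first, so a real key is reported at its minimal length.  Repetitive but
    innocent data (repeated PDF objects, padding) shows up here too; the
    caller must reject such candidates by attempting a decryption."""
    n = len(buf)
    for period in range(1, max_key_len + 1):
        run = 0
        for i in range(n - period):
            if buf[i] == buf[i + period]:
                run += 1
                if run == min_run * period:      # report each window exactly once
                    start = i + 1 - run
                    yield period, start, buf[start:start + period]
            else:
                run = 0


def normalize_key(key):
    """Canonical rotation: the leaked copy may begin at any byte of the key, so
    hash the rotation that sorts highest (same convention as the PHP
    normalizeKey() in the earlier post)."""
    return max(key[i:] + key[:i] for i in range(len(key)))


def key_fingerprint(key):
    """(rotation-invariant byte sum, MD5 of the canonical rotation)."""
    canon = normalize_key(key)
    return sum(canon), hashlib.md5(canon).hexdigest()


def find_pe(plain):
    """Offset of the first MZ header whose e_lfanew points at 'PE\\0\\0'."""
    pos = plain.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(plain):
            e_lfanew = struct.unpack_from("<I", plain, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and plain[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = plain.find(b"MZ", pos + 1)
    return None


def analyse(doc):
    """Try every leaked-key candidate under each cipher until one decrypts to a
    plausible PE, then report the fields a ViCheck-style record carries."""
    for period, start, stream in leaked_key_candidates(doc):
        for cipher, dec in CIPHERS.items():
            plain = bytes(dec(c, stream[(p - start) % period]) for p, c in enumerate(doc))
            pe_off = find_pe(plain)
            if pe_off is None:
                continue          # periodic data that is not a key (e.g. repeated objects)
            key_sum, key_md5 = key_fingerprint(stream)
            return {
                "cipher": cipher,
                "key_len": period,
                "key_unique_sum": key_sum,
                "normalized_key_md5": key_md5,
                "pe_offset": pe_off,
                "imports_kernel32": b"kernel32.dll" in plain[pe_off:].lower(),
            }
    return None


def build_sample_document(key, cipher="xor"):
    """Constructed input: PDF-looking text with a repeated object (a period-11
    false candidate), then a fake PE encrypted under `key` starting at key
    phase 5 rather than 0, so the leaked copy is a rotation of `key`."""
    enc = {"xor": lambda p, k: p ^ k, "sub": lambda p, k: (p + k) & 0xFF}[cipher]
    pe = bytearray(b"MZ" + b"\x90" * 0x3A)
    pe += struct.pack("<I", 0x80)                       # e_lfanew
    pe += b"\x00" * (0x80 - len(pe))                    # zero-space that leaks the key
    pe += b"PE\x00\x00\x4c\x01" + b"\x00" * 0x100
    pe += b"KERNEL32.dll\x00LoadLibraryA\x00" + b"\x00" * 2048
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    head += b"/Type/Page\n" * 20
    body = bytes(enc(p, key[(j + 5) % len(key)]) for j, p in enumerate(pe))
    return head + body + b"\nendstream\nendobj\n%%EOF\n", len(head)


SAMPLE_KEY = bytes.fromhex("9f3a7c01e55bd2486b10c7ee34a98d52")   # constructed key
SAMPLE_DOC, SAMPLE_PE_OFFSET = build_sample_document(SAMPLE_KEY)

if __name__ == "__main__":
    print(analyse(SAMPLE_DOC))
```

Because the candidate search reports the shortest period first, the repeated `/Type/Page` object is tried (and rejected by the PE check) before the 16-byte key, and the key is recovered at its true length rather than at a multiple of it. Decrypting the whole file for each candidate keeps the example short; an engine processing large documents would decrypt only from the candidate MZ offset onward.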