Trust No Program
Buster
bgavin wrote:
I downloaded BSA v1.71 from the site after it was released today, July 5.
McAfee 8.7P4 finds the "bsa.sys" file infected with Generic BackDoor!1jd Trojan.


There are some AVs having a false positive in that file.

Some time ago there were like 24 AVs detecting the file. I just checked in VirusTotal:

https://www.virustotal.com/file/fc3dec19ba7387874099565192fd3ec28aeb396fc33f18275ac9c3d306237a1e/analysis/1341525750/

and now they are 12/42.

McAfee has 2 entries there.

Could you contact McAfee and ask them to review the false positive?
Scrapie
Buster wrote:
Could you show an example of Event Log information related to a malware infection?


No, sorry.
Will try to find a sample for Adobe or InternetExplorer and will let you know.

Oh, and thanks for the new version :)


Cheers,
Scrapie
Buster
Scrapie wrote:
Oh, and thanks for the new version :)


I tested the BSA_USER.DAT feature and it works fine, but try it yourself and let me know, please.
Buster
The BSA 1.71 package has been reuploaded. It contains an updated version of HexDive (3.0) and updated language files. I also fixed a bug.
bgavin
I encourage you to change the file version for every action.
HP is notorious for using the same name and version, with multiple levels of "little fixes" installed.
Scrapie
Buster wrote:
I tested the BSA_USER.DAT feature and it works fine, but try it yourself and let me know, please.

Works fine for me :)


Would it be possible to always have the up-to-date MD5 hash behind the DL here in the first posting? That way we can check that the downloaded file is original in case your server gets busted and the archive manipulated.

If a file crashes (damaged download / corrupted, ...) a report is generated for the Windows file werfault.exe, which is not really helpful, and the rating is kind of over the top for it:

Code:

Report generated with Buster Sandbox Analyzer 1.71 at 20:16:32 on 07/07/2012

Detailed report of suspicious malware actions:

Code injection in process: c:\windows\system32\werfault.exe
Created a mutex named: Global\24114ac1-c80c-22e1-a24e-114063df01f5
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer
Created a mutex named: Local\Shell.CMruPidlList
Created a mutex named: Local\WERReportingForProcess2952
Created an event named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterEvent
Created process: C:\Windows\system32\WerFault.exe,C:\Windows\system32\WerFault.exe -u -p 2952 -s 60,C:\Windows\system32
Defined Log_API entry: Looks for available Network Resources
Defined string contained: Possible File-Binder
Detected process privilege elevation
Enumerated running processes
Got computer name
Got system default language ID
Got user name information
Got volume information
Opened a service named: WinHttpAutoProxySvc
Query DNS: watson.microsoft.com
Slept over 2 minutes
Started a service

Risk evaluation result: High


Is it possible to skip / abort the analysis if that happens, to avoid confusion?


Cheers,
Scrapie
Buster
bgavin wrote:
I encourage you to change the file version for every action.
HP is notorious for using the same name and version, with multiple levels of "little fixes" installed.


Sure, no problem.
Buster
Scrapie wrote:
Would it be possible to always have the up-to-date MD5 hash behind the DL here in the first posting? That way we can check that the downloaded file is original in case your server gets busted and the archive manipulated.


Done!

Scrapie wrote:
If a file crashes (damaged download / corrupted, ...) a report is generated for the Windows file werfault.exe, which is not really helpful, and the rating is kind of over the top for it:

Code:

Report generated with Buster Sandbox Analyzer 1.71 at 20:16:32 on 07/07/2012

Detailed report of suspicious malware actions:

Code injection in process: c:\windows\system32\werfault.exe
Created a mutex named: Global\24114ac1-c80c-22e1-a24e-114063df01f5
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit
Created a mutex named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer
Created a mutex named: Local\Shell.CMruPidlList
Created a mutex named: Local\WERReportingForProcess2952
Created an event named: Global\C::Users:Username:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterEvent
Created process: C:\Windows\system32\WerFault.exe,C:\Windows\system32\WerFault.exe -u -p 2952 -s 60,C:\Windows\system32
Defined Log_API entry: Looks for available Network Resources
Defined string contained: Possible File-Binder
Detected process privilege elevation
Enumerated running processes
Got computer name
Got system default language ID
Got user name information
Got volume information
Opened a service named: WinHttpAutoProxySvc
Query DNS: watson.microsoft.com
Slept over 2 minutes
Started a service

Risk evaluation result: High


Is it possible to skip / abort the analysis if that happens, to avoid confusion?


The solution suggested is to disable error reporting:

In Windows XP:

Control Panel > System > Advanced > Startup and Recovery > Error Reporting > Disable error reporting
Buster
Disable error reporting in different OSs:

http://www.howtogeek.com/howto/7863/disable-error-reporting-in-xp-vista-and-windows-7/
Scrapie
Thanks for that :)
Now werfault.exe only pops up every now and then, much better.

Since we have a new feature with custom settings in USER_BSA.DAT, I would like to share some of my entries:
Code:
[File_Strings]
Stub.vbp<->Possible File-Binder coded in VB
Binder.vbp<->Possible File-Binder coded in VB
Joiner.vbp<->Possible File-Binder coded in VB
Melt.bat<->Deletes itself
regsvr32 /s<->Adds registry keys in silent mode

[Custom_LogAPI_Entries]
CreateMutex(((Mutex)))<->Trace of Backdoor.Win32.Xtreme!IK
NetShareEnum(127.0.0.1)<->Enables Local File Sharing
WNetOpenEnum<->Looks for available Network Resources
OutputDebugString<->Talks to debugger
RtlAdjustPrivilege(Enable SeDebugPrivilege)<->Opens any process (ACL Bypass)
RtlAdjustPrivilege(Enable SeLoadDriverPrivilege)<->Loads/Unloads drivers
RtlAdjustPrivilege(Enable RtlAdjustPrivilege)<->Create user account
RtlAdjustPrivilege(Enable SeSecurityPrivilege)<->Manipulates security log
OpenSCManager((null),(null))<->Opens list of all services
SetWindowsHookEx<->32-bit DLL injection into another process
VirtualQueryEx<->Reads memory blocks of other process
VirtualAllocEx<->Writes to other process memory (Step 1of3)
WriteProcessMemory<->Writes to other process memory (Step 2of3)
CreateRemoteThread<->Writes to other process memory (Step 3of3)



Cheers,
Scrapie
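As an added illustration of the entry format shared above (this is not BSA's own code and not from either poster): a small parser for the `[Section]` / `needle<->description` layout, applied to a constructed API trace in the `Call(args) [process]` style seen in this thread. It assumes, as BSA's own matching rules are not described here, that an entry fires when its needle occurs as a case-insensitive substring of a logged call or extracted string.

```python
# Constructed, trimmed sample of the USER_BSA.DAT format from the post above.
USER_ENTRIES = """
[File_Strings]
Stub.vbp<->Possible File-Binder coded in VB
regsvr32 /s<->Adds registry keys in silent mode

[Custom_LogAPI_Entries]
VirtualAllocEx<->Writes to other process memory (Step 1of3)
WriteProcessMemory<->Writes to other process memory (Step 2of3)
CreateRemoteThread<->Writes to other process memory (Step 3of3)
"""

def parse_user_dat(text):
    """Return {section: [(needle, description), ...]}; '<->' separates the fields."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "<->" not in line:
            continue  # skip malformed lines instead of rejecting the whole file
        needle, desc = line.split("<->", 1)
        sections.setdefault(current, []).append((needle.strip(), desc.strip()))
    return sections

def match_entries(entries, lines):
    """Descriptions whose needle occurs (case-insensitively) in any line, deduplicated.
    Substring matching is an assumption about how BSA applies these entries."""
    hits = []
    for line in lines:
        for needle, desc in entries:
            if needle.lower() in line.lower() and desc not in hits:
                hits.append(desc)
    return hits

# Constructed API trace in the "Call(args) [process]" style seen in this thread.
SAMPLE_API_LOG = [
    "VirtualAllocEx(0x1a8,4096) [c:\\sandbox\\sample.exe]",
    "WriteProcessMemory(0x1a8) [c:\\sandbox\\sample.exe]",
    "CreateRemoteThread(0x1a8) [c:\\sandbox\\sample.exe]",
    "OpenSCManager((null),(null)) [c:\\sandbox\\sample.exe]",
]

if __name__ == "__main__":
    cfg = parse_user_dat(USER_ENTRIES)
    for desc in match_entries(cfg["Custom_LogAPI_Entries"], SAMPLE_API_LOG):
        print("Defined Log_API entry:", desc)
```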
Buster
Scrapie wrote:
Thanks for that :)
Now werfault.exe only pops up every now and then, much better.


In what OS version are you analyzing?

In XP that solution works 100% of the time: if the application crashes, a window saying "Application Error" appears, but BSA closes it automatically.

You can also apply a filter (APIExclude.TXT) and ignore all entries containing "c:\windows\system32\werfault.exe".

Scrapie wrote:
Since we have a new feature with customer settings in USER_BSA.DAT I would like to share some of my entries


Thank you very much!
Scrapie
After analysing the generated results of over 100 different file binders / joiners, the following pattern stands out:
Code:
Code injection in process: bindedfile_01.exe
Code injection in process: bindedfile_02.exe
Created process: bindedfile_01.exe
Created process: bindedfile_02.exe
Defined file type created: bindedfile_01.exe
Defined file type created: bindedfile_02.exe
Defined Log_API entry: Writes to other process' memory (Step 1of3)
Defined Log_API entry: Writes to other process' memory (Step 2of3)

So if you see this pattern you can be 99% sure it is a binder / joiner ;)


How do I exclude the following mutex in the analysis?
Code:
CreateMutex(Global\C::Users:User:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer) [c:\windows\explorer.exe]

After "thumbcache_" there is random stuff, so I tried to use the wildcard "*" but it didn't work. Then I tried to replace the ":" with "\" for a proper file path, but that didn't work either. Hmmmm ... ?



Cheers,
Scrapie
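Added example (not BSA's own code and not from either poster) covering two things from this thread: the binder/joiner pattern above, expressed as a check over a report, and the wildcard exclusion asked for here and for the werfault.exe noise earlier. It assumes the report's `Key: value` line shape and, since BSA's filter syntax is not described, uses `fnmatch` semantics for `*`.

```python
import fnmatch
import re

LINE_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.*)$")

def parse_report(lines):
    """Group 'Key: value' report lines into {key: [values]}; other lines are skipped."""
    grouped = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            grouped.setdefault(m["key"], []).append(m["value"])
    return grouped

def looks_like_binder(lines):
    """True when >= 2 files are created, executed AND injected into, plus Step 1of3/2of3 entries.
    These thresholds are an assumption drawn from the pattern in the post above."""
    r = parse_report(lines)
    created = set(r.get("Defined file type created", []))
    ran = set(r.get("Created process", []))
    injected = set(r.get("Code injection in process", []))
    steps = " ".join(r.get("Defined Log_API entry", []))
    return len(created & ran & injected) >= 2 and "Step 1of3" in steps and "Step 2of3" in steps

def apply_exclusions(lines, patterns):
    """Drop report lines matching any wildcard pattern ('*' as in fnmatch, case-insensitive)."""
    pats = [p.lower() for p in patterns]
    return [ln for ln in lines if not any(fnmatch.fnmatchcase(ln.lower(), p) for p in pats)]

# Constructed report fragment in the format shown in this thread.
SAMPLE_REPORT = [
    "Code injection in process: bindedfile_01.exe",
    "Code injection in process: bindedfile_02.exe",
    "Code injection in process: c:\\windows\\system32\\werfault.exe",
    "Created process: bindedfile_01.exe",
    "Created process: bindedfile_02.exe",
    "Created a mutex named: Global\\C::Users:User:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer",
    "Defined file type created: bindedfile_01.exe",
    "Defined file type created: bindedfile_02.exe",
    "Defined Log_API entry: Writes to other process' memory (Step 1of3)",
    "Defined Log_API entry: Writes to other process' memory (Step 2of3)",
]
# Noise to ignore: thumbcache mutexes with any suffix, and anything involving werfault.exe.
EXCLUDE = ["*thumbcache_*.db!*", "*werfault.exe*"]

if __name__ == "__main__":
    clean = apply_exclusions(SAMPLE_REPORT, EXCLUDE)
    print("binder/joiner pattern:", looks_like_binder(clean))
```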
Buster
Scrapie wrote:
How do I exclude the following mutex in the analysis?
Code:
CreateMutex(Global\C::Users:User:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer) [c:\windows\explorer.exe]

After "thumbcache_" there is random stuff, so I tried to use the wildcard "*" but it didn't work. Then I tried to replace the ":" with "\" for a proper file path, but that didn't work either. Hmmmm ... ?


I will include wildcard support for FileExclude.TXT and APIExclude.TXT.
Scrapie
A new API call I would like to share:
Code:
CreateProcess((null),net stop SharedAccess,(null))<->Disable Windows Security Center


Cheers,
Scrapie
Buster
Released Buster Sandbox Analyzer 1.72.

Changes:

+ Added wildcard support for FileExclude.TXT and APIExclude.TXT
+ Updated Exeinfo
+ Fixed several bugs