««««««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
:: Malware Hunting Guide - Version 1::
««««««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ok, this is my basic setup for hunting malware hijack sites and harvesting their IP addresses.
When dealing with live hijack sites/exploits, VMWare is probably one of the best ways to safely investigate malicious sites, protecting the physical host computer from any potential damage.
Basically, VMWare allows you to run a virtual operating system, enabling you to install various Linux distros and almost all Windows operating systems.
-
I use the Workstation version, but you can find the VMWare GSX server free here:
http://www.vmware.com/products/server/
Very detailed GSX Setup guide by Wng_z3r0 :
http://spyware-free.us/tutorials/vmware/
Free VMWare Player:
http://www.vmware.com/download/player/
You can also get a free copy of the Browser Appliance Virtual Machine -
http://www.vmware.com/vmtn/vm/browserapp.html
Download via Bittorrent:
http://torrent.vmware.com/
Download pre built virtual machines:
http://www.vmware.com/vmtn/vm/
http://www.vmware.com/vmtn/vm/community.html
-
I have used nLiteOS to build my own custom XP Pro installation CD to run as an .iso image in VMWare. With nLiteOS you can remove most things from Windows that are not needed (especially services, programs and files) to reduce your installation CD / .iso size dramatically.
http://www.nliteos.com/
http://www.msfn.org/board/index.php?s=&showtopic=28005
I find that this way the test system runs a lot smoother and lighter when getting hijacked than my regular system, and this is also very helpful if you have limited RAM in your host OS.
-
For security, it's a good idea to check that drag and drop and shared folders are disabled in your VMWare guest OS preferences.
Please read the VMWare sticky! [ for links to install guides and info ]
http://www.bluetack.co.uk/forums/index.php?showtopic=7749
-
Older versions of VMWare have a vulnerability in vmnat [ network address translation ] which could allow exploit code to be executed on the host computer. So use the current version, or don't use NAT if you are going to use an older version. Or just try to make sure your host computer is very well protected.
-
:: Virtual Options ::
You could also use Virtual PC instead of VMWare if you prefer.
Software such as Faronics Deepfreeze / Shadowstor's ShadowUser can create virtual disks to protect your physical operating system if you cannot run a virtual operating system in VMWare/VirtualPC.
ShadowUser uses up your hard drive space but works very well and allows you to save changes to disk that you approve.
Deepfreeze allows you to freeze a copy of your hard drive and revert it back to its original clean state on reboot, unless you are in thaw mode, which means your computer is not protected. To save any data while in freeze mode you need to set up a thawed partition to store that data.
ShadowSurfer http://www.shadowstor.com/download.html is freeware and will allow you to surf protected, but it does not allow you to save any data, so you would have to write down any information you need for evidence.
You could even use a Knoppix boot disk or whatever else you prefer that will protect you.
If you happen to do spyware hunting on your normal computer anyway, without any of the protections listed above, and put your system at risk of infection from trojans, viruses, various spyware, keyloggers and rootkits, you may need to at least have a disk image for restoring a backup when your system gets toasted beyond repair. Not if, but when.
You should at least back up your registry beforehand. Make copies of all the system files that will probably get infected, and implement various system monitors so you can detect and remove anything malicious/unwanted after the hijack.
I have added a list of tools I use and recommend further below that might help.
-----------------------------------------------------------------------------------
There are many ways of getting IPs. Maybe start your search with a site picked from a spyware blacklist / hosts file and see where it leads, research people's HijackThis logs for hijack links, or go to your local bad crack site, trojanised porn site farm or wherever else you think you might find this junk. It shouldn't be too hard. Start with the small stuff [ if you want ] and work up to the nasty stuff.
------------------------------------------------------------------------------------
Gathering Information on the site:
------------------------------------------------------------------------------------
The first step is to identify your target.
Learn to develop your own network for finding new sites that need investigating or blocking. The first post in this thread should help give you some ideas.
Next, gather any information about the site without actually visiting it; you can grab its source code without needing to load the site in a browser.
A quick Google search, a whois lookup and retrieving the source code shouldn't take more than a few minutes, and you will have the basic information about the site to work with.
Information digging.
At Bluetack you can use the BIMS database to whois sites and see whether they are already listed in the Hosts file and blocklists.
If you only have an IP address to start with, use Centralops to get more info through the domain dossier page:
http://centralops.net/co/
If you have the domain name of the site , use whois.sc to get a list of all domains listed on the same IP.
http://www.whois.sc/
I recommend signing up to whois.sc so you can use the reverse whois page for extra details on the sites.
More good whois sites:
http://whois.webhosting.info
http://www.samspade.org/
http://www.dnsstuff.com/
http://www.completewhois.com/
http://www.all-nettools.com/toolbox
http://www.demon.net/external/
http://ws.arin.net/cgi-bin/whois.pl - wildcard search
http://ripe.net/cgi-bin/search/gdquery.cgi?
http://www.apnic.net/apnic-bin/whois.pl
Good search page:
http://www.fixedorbit.com/search.htm
Look up IPs in the spam DB here:
http://spews.org/
Tracing Tools:
http://www.spamhuntress.com/wiki/Tracing_tools
Tutorials:
http://www.spamhuntress.com/wiki/Tutorials
Spam Tracking Page:
http://www.rahul.net/falk/index.html#howtos
IP Hunting Guide:
http://www.bluetack.co.uk/forums/index.php?showtopic=52
--------------------------------------------------------
::Protected Browsing::
--------------------------------------------------------
The freeware program Sam Spade 1.14 has a source grabber:
http://www.samspade.org/ssw/
http://www.samspade.org/ssw/download.html
http://www.samspade.org/ssw/screenshot.html
QUOTE
Browse the web, viewing the raw HTTP traffic rather than the rendered HTML. This lets you see the http headers and the raw HTML. Very handy for debugging CGI scripts.
It will not send any identifying information to the webserver, and by not supporting file download, java, javascript, cookies or anything else it has far fewer security holes than real browsers. As it doesn't render the HTML it makes attempts to hide information (such as hidden form fields, white-on-white text, meta fields etc.) obvious. These make it a useful tool for investigating malign websites
--
--
HTTP VIEW PAGES :
--
Web Sniffer :
http://web-sniffer.net/
--
The online HTTP viewer page by Rex Swain can grab most pages' source code, though it will not work on all sites.
http://www.rexswain.com/httpview.html
Other tools:
http://www.rexswain.com/cgi-bin/cookie.cgi
http://www.rexswain.com/ssidemo.shtml
Another similar and good site is this:
http://python.morp.org/harpy/
--
You may come across sites with encoded links that load the hijacks; at first glance they may not look like much, but they are hidden for a reason.
http://webhelper4u.net/writings/cws_vladzoneexploits.html
Here is a small list of JavaScript decoders and tools that may help:
http://www.samspade.org/t/js.cgi - not working ?
http://www.netdemon.net/tools.html
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
http://www.opinionatedgeek.com/dotnet/tool...IP/default.aspx
http://gosu.pl/dhtml/JavascriptDecoder.html
http://gosu.pl/demo/JavascriptDecoder/JavascriptDecoder.html
http://scriptasylum.com/tutorials/encdec/encode-decode.html
http://spamlinks.net/track-trace-decode.htm
http://www.gooby.ca/decrypt/ - javascript decoder -
http://www.gooby.ca/decrypt/decoders/ord2char.php
http://www.saltstorm.net/lib-soya/examples...oder.wbm?pod=js
http://www.greymagic.com/security/tools/decoder/
http://javascript.internet.com/equivalents/url-revealer.html
http://www.monetizers.com/encoder-decoder.php
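Looking at the raw HTTP traffic instead of the rendered page (as the source grabber and HTTP view pages above do) and decoding the unescape() / String.fromCharCode() tricks the decoder sites handle can be scripted in one pass. This is an added Python example, not code from the original post or from any of the tools listed; the response it triages and the .invalid hostnames in it are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r'https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\'"<>)]*)?')


def split_response(raw: bytes):
    """Separate the status line, headers and body of a raw HTTP response."""
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode('latin-1', 'replace')


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX code units plus ordinary %XX escapes."""
    s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_scripts(html: str) -> str:
    """Return the page plus decoded copies of the common inline obfuscations."""
    decoded = []
    for m in re.finditer(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", html):
        decoded.append(js_unescape(m.group(1)))
    for m in re.finditer(r'String\.fromCharCode\(([\d,\s]+)\)', html):
        decoded.append(''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip()))
    return html + '\n' + '\n'.join(decoded)


def triage(raw: bytes) -> dict:
    """List what a rendered page would hide: redirects, frames, hidden fields, URLs."""
    status, headers, html = split_response(raw)
    text = decode_scripts(html)          # scan the decoded payloads too
    urls = sorted(set(URL_RE.findall(text)))
    return {
        'status': status,
        'cookies': headers.get('set-cookie', []),
        'meta_refresh': re.findall(r'content=["\']\s*\d+\s*;\s*url=([^"\']+)', text, re.I),
        'iframes': re.findall(r'<iframe[^>]*\ssrc=["\']([^"\']+)', text, re.I),
        'hidden_inputs': re.findall(r'<input[^>]*type=["\']hidden["\'][^>]*>', text, re.I),
        'urls': urls,
        'hosts': sorted({urlsplit(u).hostname for u in urls}),
    }


# Constructed response standing in for a fetched hijack page; every host is .invalid.
CODES = ','.join(str(ord(c)) for c in 'http://char.example.invalid/1.exe')
SAMPLE_RESPONSE = (
    b'HTTP/1.1 200 OK\r\n'
    b'Server: Apache\r\n'
    b'Set-Cookie: aff=1234; path=/\r\n'
    b'Content-Type: text/html\r\n'
    b'\r\n'
    b'<html><head>\n'
    b'<meta http-equiv="refresh" content="0;url=http://redir.example.invalid/go.php">\n'
    b'</head><body>\n'
    b'<iframe src="http://loader.example.invalid/x.php" width=0 height=0></iframe>\n'
    b'<form action="http://track.example.invalid/c.php">'
    b'<input type="hidden" name="id" value="7"></form>\n'
    b"<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F"
    b"hidden.example.invalid%2Fexp.htm%22%3E%3C%2Fiframe%3E'))</script>\n"
    + ('<script>var s=String.fromCharCode(%s);</script>\n' % CODES).encode('ascii')
    + b'</body></html>\n'
)

if __name__ == '__main__':
    for key, value in triage(SAMPLE_RESPONSE).items():
        print(key, value)
```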
---------------------------------------------------------------------------------
::The Hijack::
---------------------------------------------------------------------------------
There are no rules as to how you should go about recording a hijack; everyone has their own tools and techniques, and you will need to work on your own methods for harvesting malware sites safely.
This part may take a long time, as bundled hijacks can keep downloading more malware until your system practically dies.
The main thing you need to do is take steps to ensure you are not also a victim, and that your computer doesn't end up as a spambot or, worse, rendered unusable [ ie: use VMWare ].
You can load up the hijack site and let it go and do whatever it has to do to infest your computer, while you log it all with such things as a registry monitor, file monitor and firewall logs.
A sniffer is also a very good idea, so you can get a detailed view of any information being sent, including the packet contents, which will be useful when dealing with stealth keyloggers or any other stealth transmissions.
I will sometimes run a sniffer inside the guest OS and on the outside host OS as well for comparison, depending on what I think I will be dealing with. Sometimes you can never know, so just try to be prepared.
One thing I use is Filemap bootlog to log all the new .exe files that show up on reboot, and sometimes Dirmon to log file changes in the C drive, Windows and system32 folders. There are many free file monitors available.
Regrun anti file replacement will also help keep track of your important files, let you know which ones have been attacked and let you make backups, as well as detecting changes to the registry and allowing you to back up the registry keys.
Load up the hijack site -
On the first run of the site I will sometimes use SSM to block each file as it loads, to freeze each of the hijack exe's DLL injections/API calls while I make a RAR copy of the file in the directory it's located in. I use a dual-paned Windows Explorer to be able to move around and track where the files are executing from.
You could also just start the hijack, sit back and wait for it to finish, then collect your logs and files.
I use SSM's alert window or Outpost component control [ if it pops up ] to find the location/path of the file. This works well for collecting any .bat and .tmp files before they can delete themselves. I want to get everything they use to run the hijack, not just the files they leave behind.
Let the hijack run and fill up your logs.
The Filemon and Regmon logs will fill up very fast, so it's a good idea to set up the filters to not log any of your other programs. I log explorer and exclude as much else that's running as I can; there is a limit, though, to how many programs you can exclude from the logging.
Collect logs [ Inctrl, Filemon, Regmon, Outpost, sniffer logs ] + all malware files.
I rename any files that are collected, changing the file extension from file.exe to file.exe.old for example, so they aren't able to execute, and then rar/zip them.
-
Scan the files you have collected at the following online submission sites, where you can upload files from your computer:
http://virusscan.jotti.org/
http://www.virustotal.com/
http://www.kaspersky.com/scanforvirus
-
Norman Sandbox allows you to upload potentially malicious files, and they will run the file in their sandbox environment to determine if it has been programmed with malicious intentions:
"Submit sample for analysis"
http://sandbox.norman.no/live_4.html
-
You could also use various host-based scanners on your own computer, such as Kaspersky Anti-Virus, Nod32, Ewido anti-malware, TrojanHunter, Outpost Firewall spyware scan etc [ whatever you prefer ], for further evidence.
You should rar or zip the files and password protect them if you plan on submitting the malware files to anyone, so they do not get eaten by the spam filters/antivirus.
Now maybe restore your computer's snapshot / image, or live with the junk on your computer for a bit and slowly tear it to bits.
You can use this point to practice your malware removal skills and tools without breaking someone else's computer if you make a few mistakes.
--
The next step is to unpack/disassemble each of the files collected on the test computer. You should not try to take apart or analyse files on your host system; it's best to make use of your virtual environment.
My aim is to search for any url strings or IPs that may be used and record them into the log for submission and for addition to the blocklists.
Packed/Compressed/Crypted files
From Viruslist's "Watershed in malicious code evolution" page:
http://www.viruslist.com/en/analysis?pubid=167798878
QUOTE
Cyber criminals are using packing programs more and more frequently in an attempt to make their malicious programs undetectable.
Year               Increase in packed malware relative to other malware
2003               28.94%
2004               33.06%
2005 (forecast)    approx. 35%
Not all files will be packed, but the more deadly files will usually be packed and crypted to try to evade detection and "attempt" to stop people from inspecting the code.
An example of the various protection tools available:
http://www.softpedia.com/get/Programming/P...ers-Protectors/
Sometimes I'll use the view option inside WinRAR to read a file just to see if there's anything identifiable. You can usually tell what kind of file you are dealing with by looking for simple things like "This program cannot be run in DOS mode" etc, which would mean it's a Win32 program and has a PE header.
PE file format:
http://msdn.microsoft.com/msdnmag/issues/0...PE/default.aspx
http://msdn.microsoft.com/library/default....n_peeringpe.asp
http://win32assembly.online.fr/pe-tut1.html
So you could try scanning it with PEiD to find out whether the file has been packed or not -
QUOTE
PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 470 different signatures in PE files
http://peid.has.it/
-
If you have spybot you could also try this:
http://www.safer-networking.org/en/filealyzer/
QUOTE
FileAlyzer is a tool to analyze files - the name itself was initially just a typo of FileAnalyzer, but after a few days I decided to keep it. FileAlyzer allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE).
Using FileAlyzer is as simple as viewing the regular properties of a file - just right-click the file you want to analyze and choose Open in FileAlyzer.
-
UPX is a very popular compressor for packing files, probably because it's freeware, http://upx.sourceforge.net/ - and files packed with it can easily be unpacked using upx -d
http://www.pe-explorer.com/
- PE Explorer has a built-in UPX unpacker plugin.
Resource Hacker can help view unpacked files :
http://www.angusj.com/resourcehacker/
-
Some interesting scenarios to get you thinking:
http://www.counterhack.net/0x10_first_place.html
http://www.counterhack.net/0x10_second_place.html
http://www.counterhack.net/0x10_third_place.html
Use a program to extract the strings [ any readable letters / characters ] :
Deeper look into Malware:
http://searchlores.org/malware.htm
From Foundstone's forensics toolkit:
BinText: finds ASCII, Unicode and resource strings in a file.
http://www.foundstone.com/resources/freetools.htm
http://www.foundstone.com/resources/proddesc/bintext.htm
Sysinternals strings extractor:
http://www.sysinternals.com/Utilities/Strings.html
You could also try using Urlsearch* to extract IPs and domains from most files [ .html, .exe files etc ] a lot quicker than you ever could by hand.
--
Here's a sample file xxxx.exe, programmed in Delphi, unpacked and disassembled with IDA Free, which holds the following URLs to load even more files from the loadcash.biz hijack site.
CODE
SLP0040365C_http___www_loadcash_biz_adverts_:
db 'z11.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP0040364C_1_dat:
db '1.dat'
Align 4
dd FFFFFFFFh
dd 0000002Fh
SLP0040365C_http___www_loadcash_biz_adverts_:
db 'http://www.loadcash.biz/adverts/soft/reserv.exe'
Align 4
dd FFFFFFFFh
dd 00000007h
SLP00403694_z12_exe:
db 'z12.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP004036A4_2_dat:
db '2.dat'
Align 4
dd FFFFFFFFh
dd 0000002Bh
SLP004036B4_http___www_loadcash_biz_adverts_:
db 'http://www.loadcash.biz/adverts/soft/12.exe'
Align 4
dd FFFFFFFFh
dd 00000007h
SLP004036E8_z13_exe:
db 'z13.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP004036F8_3_dat:
db '3.dat'
Align 4
dd FFFFFFFFh
dd 0000002Dh
SLP00403708_http___www_loadcash_biz_adverts_:
db 'http://www.loadcash.biz/adverts/soft/ieac.exe'
Align 4
dd FFFFFFFFh
dd 00000007h
SLP00403740_z14_exe:
db 'z14.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP00403750_4_dat:
db '4.dat'
Align 4
dd FFFFFFFFh
dd 0000002Dh
SLP00403760_http___www_loadcash_biz_temp_sof:
db 'http://www.loadcash.biz/temp_soft/on-line.exe'
Align 4
dd FFFFFFFFh
dd 00000007h
SLP00403798_z15_exe:
db 'z15.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP004037A8_6_dat:
db '6.dat'
Align 4
dd FFFFFFFFh
dd 00000030h
SLP004037B8_http___www_loadcash_biz_adverts_:
db 'http://www.loadcash.biz/adverts/soft/desktop.exe'
Align 8
dd FFFFFFFFh
dd 00000007h
SLP004037F4_z16_exe:
db 'z16.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP00403804_7_dat:
db '7.dat'
Align 4
dd FFFFFFFFh
dd 00000030h
SLP00403814_http___www_loadcash_biz_adverts_:
db 'http://www.loadcash.biz/adverts/soft/toolbar.exe'
Align 4
dd FFFFFFFFh
dd 00000009h
SLP00403850_cmd32_exe:
db 'cmd32.exe'
Align 4
dd FFFFFFFFh
dd 0000000Bh
SLP00403864_twink64_exe:
db 'twink64.exe'
Align 4
dd FFFFFFFFh
dd 0000000Ah
SLP00403878_host32_exe:
db 'host32.exe'
Align 4
dd FFFFFFFFh
dd 0000000Dh
SLP0040388C_intronsad_exe:
db 'intronsad.exe'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP004038A4_5_dat:
db '5.dat'
Align 4
dd FFFFFFFFh
dd 0000002Eh
SLP004038B4_http___www_loadcash_biz_adverts_:
db 'http://www.loadcash.biz/adverts/soft/block.exe'
Align 4
dd FFFFFFFFh
dd 0000002Eh
SLP004038EC_Software_Microsoft_Windows_Curre:
db 'Software\Microsoft\Windows\CurrentVersion\Run\'
Align 4
dd FFFFFFFFh
dd 00000021h
SLP00403924__internat_dll_LoadKeyboardProfil:
db ' internat.dll,LoadKeyboardProfile'
Align 4
dd FFFFFFFFh
dd 0000000Ch
SLP00403950_ControlPanel:
db 'ControlPanel'
Align 4
dd FFFFFFFFh
dd 00000005h
SLP00403968__adv_:
db '?adv='
Align 4
dd FFFFFFFFh
dd 00000005h
SLP00403978__num_:
db '&num='
Align 4
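The PE header check described above (the DOS stub text, packer section names such as UPX0/UPX1 that PEiD would flag) and the string/URL harvesting done with BinText or Urlsearch can be scripted together, so each collected file gets the same quick triage. This is an added Python example, not code from the original post or from any of the listed tools; the file it builds is a constructed stand-in with .invalid hostnames and a documentation IP, not the xxxx.exe listed above.

```python
import re
import struct
from urllib.parse import urlsplit

# String patterns of the kinds the guide harvests from unpacked samples.
ASCII_RE = re.compile(rb'[\x20-\x7e]{4,}')
WIDE_RE = re.compile(rb'(?:[\x20-\x7e]\x00){4,}')            # UTF-16LE text
URL_RE = re.compile(r'https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\'"<>]*)?')
IPV4_RE = re.compile(r'(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)')
RUNKEY_RE = re.compile(r'Software\\Microsoft\\Windows\\CurrentVersion\\Run\w*\\?')


def strings(data: bytes):
    """Yield printable ASCII and UTF-16LE strings (what BinText / strings.exe show)."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode('ascii')
    for m in WIDE_RE.finditer(data):
        yield m.group().decode('utf-16-le')


def pe_triage(data: bytes) -> dict:
    """Check the MZ/PE headers, list section names and flag UPX-style packing."""
    info = {'is_pe': False, 'dos_stub': False, 'sections': [], 'packed_hint': None}
    if len(data) < 0x40 or data[:2] != b'MZ':
        return info
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        return info
    info['is_pe'] = True
    info['dos_stub'] = b'cannot be run in DOS mode' in data[:e_lfanew]
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20;
    # the section table (40 bytes per entry) follows the optional header.
    num_sections = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    for i in range(num_sections):
        off = table + i * 40
        info['sections'].append(data[off:off + 8].rstrip(b'\x00').decode('latin-1'))
    if any(name.startswith('UPX') for name in info['sections']):
        info['packed_hint'] = 'UPX'      # what PEiD reports; "upx -d" unpacks it
    return info


def extract_iocs(data: bytes) -> dict:
    """Pull URLs, hostnames, IPv4 addresses and Run-key references out of the strings."""
    text = '\n'.join(strings(data))
    urls = sorted(set(URL_RE.findall(text)))
    ips = sorted({ip for ip in IPV4_RE.findall(text)
                  if all(int(o) <= 255 for o in ip.split('.'))})
    return {
        'urls': urls,
        'hosts': sorted({urlsplit(u).hostname for u in urls}),
        'ips': ips,
        'run_keys': sorted(set(RUNKEY_RE.findall(text))),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a collected xxxx.exe: valid-looking headers, no real code."""
    e_lfanew = 0x80
    dos = bytearray(b'MZ' + b'\x00' * 0x3E)
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    dos += b'This program cannot be run in DOS mode.\r\n$'
    dos += b'\x00' * (e_lfanew - len(dos))
    sections = [b'UPX0', b'UPX1', b'.rsrc']
    size_opt = 224                                    # PE32 optional header
    coff = b'PE\x00\x00' + struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = b'\x0B\x01' + b'\x00' * (size_opt - 2)
    table = b''.join(name.ljust(8, b'\x00') + b'\x00' * 32 for name in sections)
    payload = (b'http://www.example.invalid/adverts/soft/reserv.exe\x001.dat\x00'
               b'Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\x00'
               b'198.51.100.23\x00\x00\x00'
               + 'http://cdn.example.invalid/z12.exe'.encode('utf-16-le') + b'\x00\x00')
    return bytes(dos) + coff + opt + table + payload


SAMPLE = build_sample()

if __name__ == '__main__':
    print(pe_triage(SAMPLE))
    print(extract_iocs(SAMPLE))
```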
You can get a free version of IDA Pro, which works OK, or OllyDbg etc. [ see tools list below ]
For more info see:
http://www.openrce.org/
http://www.securityfocus.com/infocus/1637
http://www.securityfocus.com/infocus/1605
http://www.zeltser.com/reverse-malware-paper/
Good info:
http://www.securitywarrior.com/
Reverse Engineering Hostile Code
http://www.lurhq.com/reverseengineering.pdf
IDA Forum:
http://www.datarescue.com/cgi-local/ultimatebb.cgi
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
:: MALWARE HUNTING TOOLS :: [work in progress] ::
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
The setup :
//////////////////////////////////////////////////////////////////////////////////////
XP sp1 Host computer running VMWare :
- Router
- Outpost 2.5 in block most mode + HTTP log [ blockpost disabled ]
- Sniffer [ CommView or What Is Transferring ] -
- Usual security apps
-
XP sp1 VMWare guest OS
- VMWare settings: NAT mode
- Outpost 3.0 in rules wizard mode
- spyware plugin disabled - component control on normal - HTTP logger plugin for recording URLs/IPs -
Rules wizard mode prompt - Helpful if you want a controlled infestation and screenshots like this :

- System Safety Monitor application monitor enabled only -
I use it for monitoring what files are being executed/hijacked and preventing file execution:

- Regrun
+ registry backup/restore utility/watchdog/registry tracer + registry/services monitor.
Registry Tracer watches [ custom] registry keys for modifications.
Customisable anti-replacement/file protection list for any system/program files.
Helps to detect and remove spyware/trojans/viruses; internal weekly-updated database of malicious files; detects a wide range of system modifications [ and lots, lots, lots more ]
+ anti file replacement - on shutdown this will catch any protected files being replaced like wininet.dll and let you make a copy of both files before shutting down.

Inctrl
Make before and after shots of your system/drive for comparison, to determine what files were modified or added.
Run this before the hijack and then again after it's all installed to get a log of the changes in the registry. Also take a before and after HijackThis log for comparison.
http://www.devhood.com/tools/tool_details.aspx?tool_id=432
-
Regshot is a free alternative to Inctrl.
QUOTE
RegShot is a small utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product. The changes report can be produced in text or HTML format and contains a list of all modifications that have taken place between snapshot1 and snapshot2. In addition, you can also specify a folder (with sub folders) to be scanned for changes as well.
http://www.snapfiles.com/get/regshot.html
http://www.snapfiles.com/screenshots/regshot.htm
-
Filemap by BB
Logs all new files in your system after reboot and allows you to compare with previous alerts/logs.
Filemon - monitors file activity
Regmon - monitors registry activity
ProcessXP - monitors running processes
TCPview - monitors active internet connections
Port Explorer - may be useful in detecting hidden transmissions; also has a packet spy feature.
SmartWhois - Blocklist Manager Whois / any whois site etc
Tracking down those responsible through their domain / network info.
I use a default Hosts file [ or disable it ] during the hijack, so nothing gets blocked - always check the Hosts file to see if it's been replaced by redirections to more hijack sites, and save them as evidence too.
When I run a hijack harvest I want to be able to monitor as much as possible without restricting the infection too much. Sometimes, when I feel I have enough data to go through, I'll switch on Blockpost/Outpost [ block most ] and ProcessGuard to block everything malicious and start collecting.
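Checking the Hosts file for redirections, and comparing a copy saved before the hijack with the one left after it (the same before/after idea as Inctrl and Regshot), as an added Python example that is not part of the original post; the two snapshots and the 198.51.100.7 target address are constructed.

```python
import ipaddress


def parse_hosts(text: str) -> dict:
    """Map each hostname in a hosts file to its address; comments and blank lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def classify(mapping: dict) -> dict:
    """Split blocklist-style entries (pointed at loopback / 0.0.0.0) from real redirections."""
    result = {'blocked': [], 'redirected': []}
    for name, addr in sorted(mapping.items()):
        try:
            ip = ipaddress.ip_address(addr)
            harmless = ip.is_loopback or ip.is_unspecified
        except ValueError:               # not even an address: treat as suspicious
            harmless = False
        (result['blocked'] if harmless else result['redirected']).append((name, addr))
    return result


def diff_hosts(before: str, after: str) -> dict:
    """Compare the pre-hijack hosts file with the post-hijack one."""
    b, a = parse_hosts(before), parse_hosts(after)
    return {
        'added': sorted(n for n in a if n not in b),
        'removed': sorted(n for n in b if n not in a),
        'changed': sorted(n for n in a if n in b and a[n] != b[n]),
    }


# Constructed before/after snapshots; 198.51.100.7 is a documentation address.
HOSTS_BEFORE = """127.0.0.1 localhost
127.0.0.1 ads.example.invalid   # blocklist entry
"""
HOSTS_AFTER = """127.0.0.1 localhost
198.51.100.7 www.search.invalid update.av-vendor.invalid
198.51.100.7 ads.example.invalid
"""

if __name__ == '__main__':
    print(diff_hosts(HOSTS_BEFORE, HOSTS_AFTER))
    print(classify(parse_hosts(HOSTS_AFTER)))
```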
##################################
:: Tools List ::
##################################
Blue = shareware - Green = Freeware
##################################
Outpost Firewall Pro 3.0 --
[ With HTTP logger plugin ]
The leading software firewall available; offers real-time spyware protection and catches infections in its database immediately. Hidden process control on prompt alerts when unauthorised programs seek internet access. Component control alerts when changes to [ .exe/.dll etc ] files have been detected.
Extensive logging of all internet connections / domain IPs / HTTP transmissions, including all files used.
Outpost 3.51 & HTTP Logger:
Outpost 3.51 download :
http://www.agnitum.com
Free HTTP logger - Download Page:
http://www.outpostfirewall.com/forum/showthread.php?t=17139
-
Regrun
http://www.greatis.com
SSM - System Safety Monitor - [Still free for now]
- Stops malware in its tracks.
http://syssafety.com/product.html
Sysinternals-
http://www.sysinternals.com/
Filemon - monitors file activity in realtime
http://www.sysinternals.com/Utilities/Filemon.html
Regmon - monitors registry activity in realtime
http://www.sysinternals.com/Utilities/Regmon.html
ProcessXP - monitors running processes
http://www.sysinternals.com/Utilities/ProcessExplorer.html
TCPview - monitors active internet connections
http://www.sysinternals.com/Utilities/TcpView.html
Autoruns - comprehensive auto startup manager
http://www.sysinternals.com/Utilities/Autoruns.html
Rootkit scanner
http://www.sysinternals.com/Utilities/RootkitRevealer.html
ProcessGuard:
http://www.diamondcs.com.au/processguard/
Advanced Process Termination :
http://www.diamondcs.com.au/index.php?page=apt
Advanced Process Manipulation :
http://www.diamondcs.com.au/index.php?page=apm
[ IDA freeware version download ]
http://www.datarescue.be/idafreeware/freeida43.exe
LordPE
http://www.softpedia.com/get/Programming/F...rs/LordPE.shtml
http://mitglied.lycos.de/yoda2k/LordPE/info.htm
OllyDbg:
http://www.ollydbg.de/
http://www.ollydbg.de/quickst.htm
Graphical Interface to RegSvr32 1.0
http://www.softpedia.com/progDownload/Grap...nload-2899.html
Dependency Walker 2.1
http://www.dependencywalker.com/
QUOTE
Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.
Filemap
http://www.dogkennels.net/filemap/
Monidir:
http://www.contactplus.com/products/freestuff/monidir.htm
Dirmonitor:
http://www.snapfiles.com/get/dirmonitor.html
Cachemonitor:
http://www.enigmaticsoftware.com/cachemonitor/
ApiMonitor:
http://www.rohitab.com/apimonitor/
*Urlsearch:
http://people.freenet.de/h.ulbrich/
http://people.freenet.de/h.ulbrich/urlsscr.png
Sam Spade 1.14
http://www.samspade.org/ssw/download.html
Belarc Advisor:
http://www.belarc.com/free_download.html
Fingerprint [ install monitor ] :
http://www.snapfiles.com/get/fingerprint.html
What Is Transferring :
Freeware sniffer
http://www.wfshome.com/wit.htm
Attribute changer
Lazy way to change file attributes, handy for resetting malware files that are set as hidden / system files.
http://www.snapfiles.com/get/achanger.html
==
More tools:
http://programmerstools.org/taxonomy/term/58
http://www.insecure.org/tools.html
http://www.softpedia.com/get/Programming/
http://invisiblethings.org/tools.html
http://www.snort.org/docs/snort-win2k.htm
===
------------------------------------------
Recovery Console:
------------------------------------------
http://www.computerhope.com/issues/ch000627.htm
http://www.iamnotageek.com/a/52-p1.php
------------------------------------------
Command-line reference A-Z
------------------------------------------
http://www.microsoft.com/resources/documen...-us/ntcmds.mspx
http://www.microsoft.com/resources/documen...us/percent.mspx
##################################
Post any file harvest logs here:
http://www.bluetack.co.uk/forums/index.php?showforum=192
Submit IPs here:
http://www.bluetack.co.uk/forums/index.php?showforum=83
##################################
Bluetack guide to Sniffers:
http://www.bluetack.co.uk/forums/index.php?showtopic=1384
Anti-trojan Guide:
http://gladiator-antivirus.com/forum/index...showtopic=22041
More on file monitors:
http://kareldjag.over-blog.com/categorie-69557.html
///////////////////////////////////////////////////////
Report sites/companies:
Register Your Complaint About Malware That Has Infected You
http://www.malwarecomplaints.info/
//////////////////////////////////////////////////////
Submit Malware files here:
QUOTE
Agnitum:
http://www.agnitum.com/products/outpost/submit_files.php
Sunbelt:
http://research.sunbelt-software.com/software_submission.cfm
Panda AntiVirus Sample Submission :
http://www.pandasecurity.com/submitvirus.htm
PC Tools File Submission
http://www.pctools.com/mrc/submit/
Symantec/Norton Virus Sample Submission
http://securityresponse.symantec.com/avcenter/submit.html
Network Associates/McAfee Virus Sample Submission
http://www.mcafeehelp.com/displaydoc.asp?d...;CategoryId=243
AVG
E-mail Address(es):
virus@grisoft.cz
Computer Associates
E-mail Address(es):
virus@cai.com
DrWeb
E-mail Address(es):
Antivir@dials.ru
F-Prot
E-mail Address(es):
viruslab@f-prot.com
F-Secure
E-mail Address(es):
samples@f-secure.com
Kaspersky
E-mail Address(es):
newvirus@kaspersky.com
TrojanHunter
E-mail Address(es):
submit@trojanhunter.com
McAfee
E-mail Address(es):
virus_research@nai.com
NSClean/BOClean
E-mail Address(es):
support@nsclean.com
Nod32
E-mail Address(es):
samples@nod32.com
Norman Antivirus
E-mail Address(es):
ANALYSIS@NORMAN.NO
Sophos
E-mail Address(es):
samples@sophos.com
Trend Micro
E-mail Address(es):
virus_doctor@trendmicro.com
Lavasoft
E-mail Address(es):
research@lavasoft.de
####################################
Feel free to post any comments , questions or additions that may be useful here:
http://www.bluetack.co.uk/forums/index.php?showforum=11
Good hunting !
####################################
© Moore - www.bluetack.co.uk ®
####################################