CERT.at Downloads

(Summary) - Downloads

2009-09-24T10:13:22Z

Downloads

In this area of our homepage we offer you material for free download. Please read the related licence agreements.

Downloads which are only available in German language will be shortly mentioned in the English area as well, but the full description and the download-link itself will only be found in the German area.

These are the available categories for downloads:

Data

Here you'll find files that contain information for the purpose of being read by machines (i.e.: configuration files).

Papers

This area contains all papers that have been published by CERT.at so far.

Press

This is the place for all material that are of typical use for the public press (i.e.: CERT.at's logo).

Software

"Open" software with its root in CERT.at's daily work will be found here, including descriptions.

(Papers) - An Analysis of the Skype IMBot Logic and Functionality

2010-03-08T13:12:20Z

An Analysis of the Skype IMBot Logic and Functionality

2010/03/08

An Analysis of the Skype IMBot Logic and Functionality.

Download

Publication Date

March, 08th 2010

Author

Christian Wojner, L. Aaron Kaplan

Language

English

History

You can download the full document in pdf format here.

Content

The following report analyzes the Skype Instant Messenger Bot ("Skype IMBot", a variation of the W32.Nytemare trojan) and reports our reverse engineering efforts. One peculiar aspect of Skype IMBot was the way it controlled Skype (and other Instant Messengers) - simulating user input and user keystrokes. This reminded us of a limited Turing Test: did the malware or a true user send the URL? The report covers the reverse engineering of the Skype IMbot, network logic and recommendations to CERTs, users and Skype. It closed with an outlook on further instant messenger bots.

(Papers) - Mass Malware Analysis: A Do-It-Yourself Kit

2009-10-14T15:29:37Z

Mass Malware Analysis: A Do-It-Yourself Kit

2009/10/14

Theory, practice and a construction manual for an automated analysis station for malware using trivial and free instruments.

Download

Publication Date

October, 14th 2009

Author

Christian Wojner

Language

English

History

You can download the full document in pdf format here.

Content

This paper outlines the relevant steps to build up a customizable automated malware analysis station by using only freely available components with the exception of the target OS (Windows XP) itself. Further a special focus lies in handling a huge amount of malware samples and the actual implementation at CERT.at. As primary goal the reader of this paper should be able to build up her own specific installation and configuration while being free in her decision which components to use.

The first part of this document will cover all the theoretical, strategic and methodological aspects. The second part is focusing on the practical aspects by diving into CERT.at's automated malware analysis station closing with an easy to follow step-by-step tutorial, how to build up CERT.at's implementation for your own use. So feel free to skip parts.

(Papers) - Detecting Conficker in your Network

2009-09-17T13:18:01Z

Detecting Conficker in your Network

2009/02/11

Description of a method to detect earlystate Conficker worm infections through blocklists fitting the needs of small and medium enterprises.

Download

Publication Date

2009/02/11

Author

Adi Kriegisch

Language

English

Download

You can download the full document in pdf format here.

Content

Conficker is a computer worm spreading on Windows operating system by mainly using a buffer overflow or the Windows Autorun feature. The worm itself does not contain malware functions but contains a routine to load such code after infection. The purpose of this article is to sketch a way to detect such a worm in a small to medium business network as early as possible so that the effects of the worm can be minimized.

(Papers) - Patching Nameservers: Austria reacts to VU#800113

2009-09-24T10:04:43Z

Patching Nameservers: Austria reacts to VU#800113

2008/07/24

A report on the patch-rate of Austrian nameservers following announcement of the DNS cache poisoning vulnerabilty.

Download Original

Download Update

Publication Date

July, 24th 2008

Authors

Otmar Lendl and L. Aaron Kaplan

Language

English

History

You can download the full document in pdf format here.

We also published a short update on July 28th.

Content

This paper analyses the impact of the coordinated efforts to patch Austria's recursive DNS server infrastructure following the revealings of Dan Kaminsky (US-CERT VU#800113) which showed that almost all DNS servers on the Internet are vulnerable to DNS cache poisoning. CERT.at -- being run by nic.at, the Austrian domain registry -- is in a special position to be able to assess the reaction of the Austrian nameserver operators to the discovered DNS vulnerability. We analyzed the rate at which DNS servers were patched from an insecure to more secure state. The paper discusses a methodology to measure the patch level "score" of a recursive DNS server. We believe that this score methodology can be applied to cleanly discern patched from unpatched DNS servers.

We describe a methodology how a TLD operator can use his query logs to check which operators have patched their DNS resolvers according to the published advisories.

The conclusions are rather grim so far -- more than two thirds of the Austrian Internet's recursive DNS servers are unpatched while at the same time the upgrade adoption rate seems rather slow. Our findings are matched by the observations of Alexander Klink of Cynops GmbH who analyzed the results of the online vulnerability test on Dan Kaminsky's doxpara site.

We hereby present the information to the concerned public in the hope that DNS -- a central and crucial part of the Internet -- remains secure.

Our recommendation to IT system administrators is to update their recursive DNS servers immediately and check that their upgrades were successful.

(Software) - Bytehist

2009-10-12T10:22:43Z

Bytehist

A tool for generating byte-usage-histograms for all types of files with a special focus on binary executables in PE-format (Windows).

Download latest Windows version

Download latest Linux version

Author

Christian Wojner

Language

English

License

ISCL

Releases	Changes
1.0 beta 1	-			x

Features

Makes byte-usage-histograms of any file of any size
Histograms are generated as sorted and unsorted diagrams
Sub-histograms for each section of binary executables (PE)
Quick overview with GUI navigation in case of sub-histograms
Percentage for the share in the total filesize for sub-histograms
Sourcerelated names for sub-histograms (= section-names in case of PEs)
Results can be saved as .jpg, .bmp and .png files
Works as GUI and also as commandline tool (for scripting purposes)

Syntax

bytehist [options file]

Executing bytehist without any parameters activates full GUI-mode.

options:	-nogui	... don't bring up any GUI
	-save file	... save histogram to given file (bmp, png or jpg)
	-h	... show a short help

Description

Statistics can be a very good method if you want to detect encrypted or packed data. Data that has been manipulated in such a way usually comes up with a very even distribution of bytes being used. In contrast normal data typically has some bytes that are used constantly, which is caused by any kind of structures. So the byte-distribution of unencrypted and unpacked clear text, database-files, ... and even executable binaries differ massevily from the encrypted and/or packed ones. By putting this "phenomenon" into a picture this difference can be easily visualized by histograms.

Examples:

The first example shows an unpacked file. In fact the source of this histogram was a log-file - so that's human readable information.
The second example roots in an usual ZIP-archive.
So as formerly said, to see the difference between them is an easy one.

Let's take a closer look at these examples. Both of them have a green and a red section. In the green section every pixel-column complies to it's positional matching bytecode and visualizes the number of occurrences in a vertical bar. In other words, a tall green bar on the most left side tells us that the byte-code 0h had lots of occurrences. And on the most right side you'll find byte-code FFh.
The red section has the same roots like the green section but this time we got all the possible byte-codes in a descending order regarding their occurrences. This makes it much easier to see the evenness.
Besides that two sections you'll also find the filename being shown on the top right corner and a percentage.

To get an understanding for what this percentage is trying to tell, let's take a look at what more bytehist can do for us. bytehist can split up histograms in sub-histograms. At the moment the most senseful situation of providing sub-histograms is when you have to deal with binary executables. Binary executables are usually internally split up in a number of sections. There are sections for containing data, code, and so on. It is a common approach that executables are being packed or/and even encrypted before they get publicly rolled out. Especially in the malware-sector encryption and packing is massively used as a kind of hurdle to hinder deep analysis through reversing (i.e.). So, in the case of a binary executable in PE format - that's the one Microsoft Windows uses - bytehist will come up with an overall-histogram as well as providing one histogram per section it found and even one for possible rest behind the last section. Regarding the percentage the overall-histogram will still say "100%" but all the others will tell the percentage of their specific share in the total filesize.

Examples:

Both of the examples have a scrollarea on the right side showing thumbs of the relating (sub-)histogram. By clicking them with the left mouse-button they can be zoomed. Once again we have firstly an unpacked and secondly a packed file, but this time, binary executables.

This feature gives a reverser the possibility to instantly find out the section that's containing (if so) packed/encrypted data.

Full examples ...

Packed data behind sections:

An UPX packed executable:

bytehist itself - unpacked:

(Software) - Minibis

2010-08-17T21:02:30Z

Minibis

Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper "Mass Malware Analysis: A Do-It-Yourself Kit".

Download latest version

Author

Christian Wojner

Language

English

License

ISCL

Releases	Changes	Download
2.0 (29/29)	Release 2.0
2.0 beta (28/29)	Forceable quit / Recovers from crashes
2.0 beta (27/29)	Check Internet connectivity / Exit only if analysis paused
2.0 beta (25/29)	-

Stay Informed!

If you are interested in the actual state and the progress of upcoming features you might want to take a look at Minibis' Twitter channel: https://twitter.com/CERTat_Minibis.

Background
Installation Guide
Configuration Guide
One Loop-Cycle
Scripting of Common Tools and Tasks
Screenshots

Background

For detailed information on the underlying concept we recommend you read our paper "Mass Malware Analysis: A Do-It-Yourself Kit".

Installation Guide

As a Minibis installations includes commercial software it is not possible for us to provide a complete installation-package. The following step-by-step guide will lead you through the configuration of a typical Minibis environment.

Select the (physical) machine you like to be the home of your Minibis environment.
Install the latest version of Ubuntu (32 bit) on it.
Install proftpd (via "apt-get install proftpd").
Install zip (via "apt-get install zip").
Create a user "minibis" and do not forget to give it a password.
Give your own user (the one you will start "minibis-cpr" from) full permissions to the home of "minibis" and verify that you can write to it.
Download Minibis and extract it to your desired folder.
Install SUN's VirtualBox (via "apt-get install virtualbox").
Create a new virtual machine (VM) in it using Windows XP as operating-system. All default settings for the machine and the OS are fine. Decline Autoupdate features when you get asked.
Add "minibis" as entry to Windows' hosts-file resolving it to your FTP-server's IP address.
Disconnect any (virtual) volumes from the VM (this is necessary to prevent eventual popups like autoplay, new hardware found etc.).
Transfer "minibis-cpp.exe" to the VM's Windows desktop.
Download your desired monitoring-tools to Linux. (Note: Download the ones that need "real" installation - so do not just copy - directly to Windows and install them.)
Disconnect from the network, i.e. by unplugging the network cable!
Check out if you can connect to the host ftp-daemon by using the Windows ftp-client.
Execute "minibis-cpp.exe" in the VM and answer the firewall question to NOT BLOCK this application.
You will be now asked to enter a password. This is the one of the user "minibis".
Create a VM-snapshot of this state.
Close the VM, using the option to revert to the last taken snapshot.
Bring your samples into Linux's filesystem (i.e. by mounting a CD-Rom).
Set "minibis-cpr" as executable (chmod +x minibis-cpr) and execute and configure it.

Configuration Guide

The download package includes an example configuration. To use this copy it to Minibis' folder and rename it to "minibis.pref". Note: Do never alter this file in an editor use Minibis for that. Just click on the "Config"-button in the lower left corner in the main-window.

Buttons behind fields

As usual a click on such a button brings up a tiny wizard that provides support in finding the proper value.

The "check"-button

By clicking this button the actual configuration is going to be checked for consistency. Note that in case of multiple errors each click will always come up with just one error. So make sure to re-check if you solved a problem.

Area "Samples"

By using the directory- or the file-entry you can configure a run for multiple samples or just one sample. In case of directory-mode sub-directories are included as well.

Area "General"

"FTP-Directory" is the path where the log-files will be transferred to. "Samplename" is the name that will be used for the sample at the proband. Some malware reacts to specific names, so this is the place where you can change it. Regarding "Virtual Machine" you can switch between the actually supported solutions (currently only VirtualBox) and choose the right virtual machine instance.

Area "Timeouts"

These are the timeouts from the underlying concept. The extra field for cpp, which holds "10" (seconds) by default specifies some additional time to wait before quitting monitoring if the sample exited on its own. This enables continuation of monitoring i.e. if the sample injects itself in another process before doing something evil.

Area "Solutions for VBox bugs"

These are settings that help to prevent processes of VirtualBox from getting stuck. If you already have other (VBox) virtual machines running you might want to uncheck those. The first checkbox addresses stopping and the second reverting the VM.

Area "VM Management"

Here you can specify the commands that will be used for the corresponding VM activities. The id of the VM is addressed by the replacement token %vmid%. Besides that, any of them has a timeout for hangup-prevention.

Tab "Researcher Scripting"

To let you customize the researcher side there are three events (therefore three editor-fields) that can be scripted using shell-scripting (Linux). Use the replacement token %md5% to specify the actual sample.

For further details when those events exactly happen, see "One Loop-Cycle".
You'll find tutorials and examples regarding scripting under "Scripting of Common Tools and Tasks".

Tab "Proband Scripting"

To let you customize the Proband's side there are two events (the two lower editor-fields) that can be scripted using batch-scripting (Windows).
The actions scripted for these two events are tied to the two editor-fields above called "Tools to transfer" and "Results to transfer ([...] to ZIP)". The first ("Tools...") is used to define (name) the tools (files) that will be copied to the Proband for use in later activities. The second ("Results...") is used to define (name) the files that will be transferred back from the Proband. If the filename is enclosed in square brackets "[...]" the file will get ZIPped into an archive after it arrives on Researcher.

For further details when those events exactly happen and how the "Tools..." and the "Results..." are handled see "One Loop-Cycle".
More Tutorials and examples regarding scripting can be found under "Scripting of Common Tools and Tasks".

One Loop-Cycle

Assuming that the sample can be executed, this is a chronological list of all actions that can (some of them are optional) happen. It is important to understand that in this list the two components of Minibis - CPR and CPP - are described as what they really are: one logical entity. The tags (R) and (P) specify the location ((R)esearcher or (P)roband) of the action:

(R) Copy sample to FTP-path (config) as samplename (config) with the apropriate suffix according to the result of Linux' "file"-command.
(R) Execute the actions tied to event "Actions BEFORE Proband gets started" (config).
(R) Execute the command declared under "VM Management Start" (config) and wait until the triggerfile "%md5%_start.rdy" exists or the timeout for "VM Management Start" occurs. In case of the latter do the steps 14, 15, 17, 19 and return to step 3.
(P) Fetch the preference file "minibis.pref" via FTP.
(P) Fetch all tools (files) according to "Tools to transfer" (config) via FTP.
(P) Transfer back the triggerfile "%md5%_start.rdy" via FTP.
(R) Wait until a triggerfile "%md5%_ready.rdy" exists or the timeout for "CPR" (config) occurs.
Meanwhile (optionally) execute the actions tied to event "Actions WHILE Proband runs" and optionally repeat this every N seconds (see config field "every").
If the timeout occurred then continue with step 14.
(P) Execute the actions tied to event "Actions BEFORE sample gets executed" (config).
(P) Execute the sample and wait until it exits or the timeout for "CPP" (config) occurs. If the sample exited wait until the timeout for "CPP +" occurs.
(P) Execute the actions tied to event "Actions AFTER sample exited or time's up" (config).
(P) Transfer back all files according to "Results to transfer ([...] to ZIP)" (config) via FTP.
(P) Transfer back the triggerfile "%md5%_ready.rdy" via FTP.
(P) Exit.
(R) Execute the command declared under "VM Management Stop" (config) and wait until it exits or the timeout for "VM Management Stop" occurs.
(R) Optionally execute "Solutions for VBox bugs" column 1 (config).
(R) Execute the actions tied to event "Actions AFTER Proband got stopped" (config).
(R) Execute the command declared under "VM Management Revert" (config) and wait until it exits or the timeout for "VM Management Revert" occurs.
(R) ZIP all files surrounded with [...] according to "Results to transfer ([...] to ZIP)" (config) into the archive "%md5%.zip".
(R) Optionally execute "Solutions for VBox bugs" column 2 (config).
(R) Delete "minibis.pref" and the sample from FTP-folder.

Scripting of Common Tools and Tasks

This section gives you example configurations for the integration of widely used monitoring tools into Minibis.

Sysinternals Process Monitor

You can download the latest version of Process Monitor from here.
Extract the ZIP-file and copy "Procmon.exe" to Minibis' FTP-folder (config).

Proband Scripting

Tools to transfer:

Procmon.exe
Results to transfer ([...] to ZIP):

[procmon.pml]
procmon.csv
Actions BEFORE sample gets executed:

start Procmon.exe /AcceptEula /quiet /minimized /Backingfile procmon.pml
Procmon.exe /AcceptEula /WaitForIdle
Actions AFTER sample exited or time's up:

Procmon.exe /AcceptEula /terminate
Procmon.exe /AcceptEula /saveas procmon.csv /openlog procmon.pml

WinDump: tcpdump for Windows

You can download the latest version of WinDump from here.
You also need to install WinPcap in the Proband for WinDump to work properly. You can download the latest version of WinDump from here.
Copy "WinDump.exe" to Minibis' FTP-folder (config).
Copy "sleep.exe" (a tool of the Minibis download-package) to Minibis' FTP-folder (config).

Proband Scripting

Tools to transfer:

WinDump.exe sleep.exe
Results to transfer ([...] to ZIP):

[windump.pcap]
windump.txt
Actions BEFORE sample gets executed:

start WinDump.exe -i 1 -w windump.pcap -U -s 0
sleep.exe 1
Actions AFTER sample exited or time's up:

taskkill /f /im WinDump.exe
WinDump.exe -n -p -r windump.pcap > windump.txt

Creating a Screenshot

Copy "screenshot.exe" (a tool of the Minibis download-package) to Minibis' FTP-folder (config).

Proband Scripting

Tools to transfer:

screenshot.exe
Results to transfer ([...] to ZIP):

screenshot.png
Actions AFTER sample exited or time's up:

screenshot.exe screenshot.png

Screenshots

(Data) - Conficker Worm

2009-10-12T10:19:30Z

Conficker Worm

2009/02/09

Various files regarding the worm "Conficker".

all domains	... suitable for block lists (in proxies etc)
DNS named.conf file	... Bind named.conf file with all conficker domain names
sample bind zone file	... suitable for the named.conf file above.