Basic Malware Analysis: Malicious Data Mining E-Mail Attachment

Malicious E-mail Message

Oh look, an unsolicited incoming Fax Report. Odd that it is a fax transmission, since our company doesn’t even have a fax server. But it is about 2013 Recruitment Planning, so I had better open it!

Corporate networks are being slammed with e-mails like the one above. It looks innocent enough, but if a user does open the attachment, which anti-virus did not detect, it scans the victim’s hard drive for data of interest and uploads it to a remote server, all without the user noticing anything.

I have seen several versions of this same attack in the last week. So let’s take a closer look.

When these attacks first started, only 2 anti-virus engines detected the attachment as malicious. AV engines are catching on now and detect it as a generic Trojan. In fact, if I try to open this message today, Microsoft Mail flags the attachment as malicious:

Infected with unknown virus

So let’s take a closer look at one of these “Incoming Fax Report” attachments.

*** WARNING: Never open suspected malware on a live, network-connected system. In this example I use a sandboxed virtual machine with very limited network connectivity. ***

Once unzipped, the attachment shows a PDF icon, but this is no PDF file. The file has an .exe extension, meaning it is an executable and not a document; the icon is just a resource embedded in the program to make it look like one. So how can we take a closer look at the program to see what it does?

Dependency Walker lists the DLLs a program imports and the functions it calls from each, which gives us a clue to what the program does before we ever run it. Running it against the attachment shows the .dll files the program links to and the main functions it uses:

Kernel32 Functions

It may not be very clear from the Kernel32 screenshot, but this program uses functions such as CreateFile, DeleteFile, GetCurrentDirectory and GetEnvironmentVariable. It is definitely poking around the file system.

And under Wininet.dll you see a whole set of FTP functions (the Ftp* family of WinINet calls):

Wininet Functions

Any guesses on where this is going?
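To make the Dependency Walker step reproducible without the GUI, here is an added example (not the post’s own code, and not the real sample’s import table) that walks a PE import directory in pure Python and buckets the imported names into the capabilities the post infers from the screenshots. `parse_imports`, `triage`, `build_sample_pe` and the `CAPABILITIES` grouping are this example’s assumptions; the sample import set is constructed to mirror what the post saw and contains only real kernel32 and wininet exports.

```python
import struct

SEC_RVA, SEC_RAW, OPT_SIZE = 0x1000, 0x200, 224       # one section at RVA 0x1000 / file offset 0x200; PE32 optional header

# Base API names, ANSI/Unicode suffix dropped. The grouping is this example's choice, not Dependency Walker's.
CAPABILITIES = {
    "file-system probing": {"CreateFile", "DeleteFile", "FindFirstFile", "FindNextFile",
                            "GetCurrentDirectory", "GetEnvironmentVariable"},
    "ftp upload (wininet)": {"InternetOpen", "InternetConnect", "FtpPutFile", "FtpSetCurrentDirectory"},
}


def parse_imports(data):
    """Walk DOS header -> PE header -> import directory; return {dll_lowercase: [imported name, ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header: not a Windows executable, whatever the icon says")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B                # 0x20B would be PE32+ (64-bit)
    imp_rva = struct.unpack_from("<I", data, opt + (96 if pe32 else 112) + 8)[0]   # DataDirectory[1] = IMPORT
    if imp_rva == 0:
        return {}                                                         # no import table: packed or hand-rolled
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))
    def rva2off(rva):                     # RVAs are image-relative; the section table maps them to file offsets
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} lies in no section (corrupt or packed)")
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")
    fmt, step, ordinal_flag = ("<I", 4, 1 << 31) if pe32 else ("<Q", 8, 1 << 63)
    result, d = {}, rva2off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)
        if name_rva == 0:                                                 # all-zero descriptor ends the list
            break
        names, t = [], rva2off(oft or ft)                                 # some linkers leave OriginalFirstThunk 0
        while (entry := struct.unpack_from(fmt, data, t)[0]) != 0:
            names.append(f"#{entry & 0xFFFF}" if entry & ordinal_flag else cstr(rva2off(entry) + 2))
            t += step
        result[cstr(rva2off(name_rva)).lower()] = names
        d += 20
    return result


def triage(imports):
    """Bucket imported names by capability; returns {capability: sorted 'dll!Function' strings}."""
    found = {}
    for dll, names in imports.items():
        for n in names:
            base = n[:-1] if n.endswith(("A", "W")) else n                # fold CreateFileA / CreateFileW
            for cap, apis in CAPABILITIES.items():
                if base in apis:
                    found.setdefault(cap, set()).add(f"{dll}!{n}")
    return {cap: sorted(v) for cap, v in found.items()}


def build_sample_pe(imports):
    """Constructed test input: a minimal PE32 whose only content is an import directory for `imports`."""
    body = bytearray(20 * (len(imports) + 1))          # IMAGE_IMPORT_DESCRIPTORs plus an all-zero terminator
    descs = []
    for dll, funcs in imports.items():
        hint_names = []
        for f in funcs:
            hint_names.append(SEC_RVA + len(body))
            body += struct.pack("<H", 0) + f.encode() + b"\0"            # hint, ASCII name, NUL
            body += b"\0" * (len(body) % 2)                               # entries stay 2-byte aligned
        name_rva = SEC_RVA + len(body)
        body += dll.encode() + b"\0" + b"\0" * (-(len(body) + len(dll) + 1) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in hint_names) + b"\0" * 4
        int_rva, iat_rva = SEC_RVA + len(body), SEC_RVA + len(body) + len(thunks)
        body += thunks + thunks                                           # OriginalFirstThunk array, then the IAT
        descs.append(struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva))
    body[:20 * len(descs)] = b"".join(descs)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # Magic: PE32
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)            # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SEC_RVA, 20 * (len(descs) + 1))  # DataDirectory[1]: import table RVA, size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_SIZE, 0x102)    # i386, one section, executable image
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SEC_RVA, len(body), SEC_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect   # e_lfanew = 0x40
    return bytes(hdr.ljust(SEC_RAW, b"\0") + body)


# Constructed import set mirroring the post's Dependency Walker screenshots (real exports, not the real sample's table).
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateFileA", "DeleteFileA", "GetCurrentDirectoryA", "GetEnvironmentVariableA",
                     "FindFirstFileA", "FindNextFileA", "ExitProcess"],
    "WININET.dll": ["InternetOpenA", "InternetConnectA", "FtpSetCurrentDirectoryA", "FtpPutFileA", "InternetCloseHandle"],
}

if __name__ == "__main__":
    for cap, hits in triage(parse_imports(build_sample_pe(SAMPLE_IMPORTS))).items():
        print(f"{cap}: {', '.join(hits)}")
```

`parse_imports` works on any 32- or 64-bit PE read from disk (`parse_imports(open(path, "rb").read())`), and it refuses a file that merely carries a PDF icon because the MZ/PE check comes first. If it returns an empty dictionary, or only a handful of names such as LoadLibrary and GetProcAddress, the real import table is resolved at run time (a packer or hand-rolled loader); that is itself a signal, and the dynamic analysis the post turns to next is the way forward.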

Now that we have a general idea of what it could do, let’s execute it in a controlled environment to see what it actually does. We want to know what registry settings it touches, what network communication it attempts and as much about the running process as we can obtain.

For this we will use the following programs: Regshot, Process Monitor (from Sysinternals) and Wireshark.

Regshot is very easy to use: just download and run it. You then have three options: 1st Shot, 2nd Shot and Compare. Select 1st Shot to take a baseline snapshot of your registry. Then run the suspicious program. Next hit 2nd Shot to capture any changes made to your registry.


Finally select Compare to get a report of any changes made:

Registry Modifications


Process Monitor is a bit more involved. After you start it, turn off capturing (File, then uncheck Capture Events) and clear the display (Edit, then Clear Display). Leave capturing off until you are ready to fire up the malware. Then turn capturing on and execute the malware.

Process Monitor

Let it run for a few minutes, then turn capturing off so you don’t fill system memory with captured events.

Then we need to filter for our suspicious file. Select Filter, then Filter... again. Select Process Name from the first drop-down box, leave “is” in the second box, then pick the filename of the file you want to monitor in the third box:

Process Name

Then just click “Add” and “OK”.

You can now view all the process information that is related to the malicious file.

You can further narrow the events shown for the file in question with the five toggle buttons on the toolbar:

Process Monitor filters

With these you can view just registry activity, file system activity, network activity, process and thread activity, or profiling events.

Looking at our malicious file in Process Monitor, you will see that the program searches the entire drive for user files, installed programs, security software and patches, installed FTP clients, file manager programs and even remote storage clients (like Dropbox).

Process Monitor screenshots 1, 2 and 3
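The Regshot and Process Monitor steps above end in screenshots that a human reads. The added example below (not the post’s own code) does the same reading programmatically: `registry_diff` is a Regshot-style Compare over two constructed snapshots that also flags autostart locations, and `load_events`, `filter_process` and `summarize` apply the post’s Process Name filter to a Procmon CSV export (File > Save, CSV format) and reduce it to what the sample enumerated, probed, read and connected to. The column layout assumed here is Procmon’s default; the process name fax_report.exe, the user and paths, the registry values and the 203.0.113.45 address (an RFC 5737 documentation range) are all placeholders, and every event is constructed rather than taken from the real sample.

```python
import csv
import io
import re

# Constructed events in Process Monitor's CSV export layout. fax_report.exe, alice, the program paths and
# 203.0.113.45 are placeholders; nothing here is copied from the real sample's run.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012345 AM","fax_report.exe","2312","Process Start","","SUCCESS","Parent PID: 1804"
"10:02:11.0301122 AM","fax_report.exe","2312","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileZilla Client\DisplayName","SUCCESS","Type: REG_SZ, Length: 46, Data: FileZilla Client 3.5.3"
"10:02:11.0402200 AM","fax_report.exe","2312","QueryDirectory","C:\Users\alice\Documents\*","SUCCESS","Filter: *, 1: budget2013.xlsx"
"10:02:11.0510000 AM","fax_report.exe","2312","CreateFile","C:\Users\alice\Documents\budget2013.xlsx","SUCCESS","Desired Access: Generic Read"
"10:02:11.0600000 AM","fax_report.exe","2312","CreateFile","C:\Program Files\Dropbox\Dropbox.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0650000 AM","fax_report.exe","2312","CreateFile","C:\Program Files\WinSCP\WinSCP.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:12.1000000 AM","fax_report.exe","2312","TCP Connect","analyst-vm:49204 -> 203.0.113.45:21","SUCCESS","Length: 0, mss: 1460, sackopt: 1"
"10:02:12.2000000 AM","explorer.exe","1804","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
'''


def load_events(text):
    """Parse a Procmon CSV export into one dict per event, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_process(events, name):
    """Same effect as Procmon's Filter dialog: Process Name  is  <name>  Include."""
    return [e for e in events if e["Process Name"].lower() == name.lower()]


DEST_RE = re.compile(r"->\s*([^\s:]+):(\d+)$")   # "src:port -> dst:port" as Procmon renders TCP/UDP paths (IPv4)


def summarize(events):
    """Reduce the filtered event stream to the questions the post asks of its screenshots."""
    s = {"dirs_enumerated": set(), "files_read": set(), "absent_programs": set(),
         "installed_programs_queried": set(), "connections": set()}
    for e in events:
        op, path, result, detail = e["Operation"], e["Path"], e["Result"], e["Detail"]
        if op == "QueryDirectory":
            head, _, tail = path.rpartition("\\")
            s["dirs_enumerated"].add(head if head and "*" in tail else path)
        elif op == "CreateFile" and result == "NAME NOT FOUND":
            s["absent_programs"].add(path)               # probing for software that is not installed
        elif op == "CreateFile" and result == "SUCCESS" and "Generic Read" in detail:
            s["files_read"].add(path)
        elif op.startswith("Reg") and "\\Uninstall\\" in path:
            s["installed_programs_queried"].add(path.split("\\Uninstall\\", 1)[1].split("\\")[0])
        elif op in ("TCP Connect", "UDP Send"):
            m = DEST_RE.search(path)                     # numeric form; turn off name resolution in Procmon
            if m:
                s["connections"].add((m.group(1), int(m.group(2))))
    return {k: sorted(v) for k, v in s.items()}


# Constructed Regshot-style snapshots {value path: data}; the Run entry in SNAPSHOT_AFTER is hypothetical.
SNAPSHOT_BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar": r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": 2,
}
SNAPSHOT_AFTER = dict(SNAPSHOT_BEFORE, **{
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fax_report": r"C:\Users\alice\AppData\Roaming\fax_report.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": 1,
})
AUTOSTART = ("\\CurrentVersion\\Run", "\\Winlogon\\Shell", "\\Winlogon\\Userinit", "\\Services\\")


def registry_diff(before, after):
    """Regshot's Compare over two snapshots, plus the check an analyst does next: did it persist?"""
    added = {k: v for k, v in after.items() if k not in before}
    changed = {k: (before[k], v) for k, v in after.items() if k in before and before[k] != v}
    removed = sorted(k for k in before if k not in after)
    persistence = sorted(k for k in list(added) + list(changed) if any(a.lower() in k.lower() for a in AUTOSTART))
    return {"added": added, "changed": changed, "removed": removed, "persistence": persistence}


if __name__ == "__main__":
    for key, value in summarize(filter_process(load_events(SAMPLE_CSV), "fax_report.exe")).items():
        print(f"{key}: {value}")
    print("persistence:", registry_diff(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)["persistence"])
```

A NAME NOT FOUND on a path under Program Files is usually more telling than a SUCCESS: the sample is taking inventory of software it wants to abuse or avoid, and the list of absent programs it asked for is a fingerprint of that intent.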


Finally we want to see what network activity the malware initiates. Simply have Wireshark capturing before you execute the program.

Wireshark Malware Traffic

As you can see, as soon as the malware is executed it immediately tries to connect out to a malicious server.
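Wireshark shows the connection attempt; to turn it into something you can hand to the egress filter the post recommends, here is an added example (not the post’s code) that reads a libpcap file, pulls every outbound TCP SYN, discards the sandbox’s own local traffic and returns the external destinations in order of first contact. The capture is constructed inline by `build_pcap`, with a lab network of 192.168.56.0/24 and RFC 5737 documentation addresses standing in for the real server; IP and TCP checksums are left at zero, which Wireshark would flag but this parser does not verify.

```python
import struct

PCAP_MAGIC, DLT_EN10MB, ETH_IPV4, IPPROTO_TCP = 0xA1B2C3D4, 1, b"\x08\x00", 6
SYN, ACK = 0x02, 0x10


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def _ip_raw(text):
    return bytes(int(x) for x in text.split("."))


def is_local(ip):
    """RFC 1918, loopback and link-local: the sandbox talking to its own gateway is not a C2 indicator."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168) or (a == 169 and b == 254)


def tcp_syns(pcap):
    """Return [(timestamp, src, dst, dport)] for every pure SYN (connection attempt) in an Ethernet pcap."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != PCAP_MAGIC or linktype != DLT_EN10MB:
        raise ValueError("expected a little-endian libpcap file with Ethernet framing")
    off, syns = 24, []
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != ETH_IPV4:
            continue                                         # ARP, IPv6 etc. are out of scope here
        ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length, options included
        if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
            continue
        tcp = frame[14 + ihl:]
        dport, flags = struct.unpack_from("!H", tcp, 2)[0], tcp[13]
        if flags & SYN and not flags & ACK:
            syns.append((sec + usec / 1e6, _ip_str(frame[26:30]), _ip_str(frame[30:34]), dport))
    return syns


def external_contacts(pcap):
    """Non-local (dst, port) pairs in order of first attempt: the indicators to block at the egress filter."""
    seen, order = set(), []
    for _, _, dst, dport in tcp_syns(pcap):
        if not is_local(dst) and (dst, dport) not in seen:
            seen.add((dst, dport))
            order.append((dst, dport))
    return order


def build_pcap(packets):
    """Constructed capture: (ts, src, dst, sport, dport, flags) tuples become Ethernet/IPv4/TCP frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for ts, src, dst, sport, dport, flags in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                         _ip_raw(src), _ip_raw(dst))          # checksums left zero: a sample, not a wire trace
        frame = b"\x52\x54\x00\x12\x34\x56" + b"\x08\x00\x27\xaa\xbb\xcc" + ETH_IPV4 + ip + tcp
        out += struct.pack("<IIII", int(ts), round(ts % 1 * 1e6), len(frame), len(frame)) + frame
    return out


# Constructed trace: the sandbox (192.168.56.101) talks to its gateway, then the sample reaches out twice.
# 203.0.113.45 and 198.51.100.7 are RFC 5737 documentation addresses standing in for the real server.
SAMPLE_PCAP = build_pcap([
    (0.10, "192.168.56.101", "192.168.56.1", 49200, 445, SYN),
    (1.20, "192.168.56.101", "203.0.113.45", 49204, 21, SYN),
    (1.25, "203.0.113.45", "192.168.56.101", 21, 49204, SYN | ACK),
    (1.30, "192.168.56.101", "203.0.113.45", 49204, 21, ACK),
    (4.20, "192.168.56.101", "203.0.113.45", 49205, 21, SYN),    # retry: same indicator, not a new one
    (6.00, "192.168.56.101", "198.51.100.7", 49206, 80, SYN),
])

if __name__ == "__main__":
    for dst, port in external_contacts(SAMPLE_PCAP):
        print(f"outbound contact: {dst}:{port}")
```

Run it against a real capture with `external_contacts(open("malware.pcap", "rb").read())`; the first entry is normally the command server, since this sample connects out the moment it starts. Keep the sandbox’s DNS and gateway traffic in the capture rather than filtering it at Wireshark: the local exclusion here is what separates lab noise from the indicator.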


So if a user is duped into running the malicious e-mail attachment, a basic analysis of the file shows that it is a data-mining Trojan: it searches the hard drive for all data that could be of interest and then tries to send it out to a malicious server.

Of the three different samples obtained, all claimed to be a fax report from an internal fax server; some looked much more believable than others. All three had an executable attachment disguised as a .pdf file.

All three searched the hard drive and registry for pertinent information, and all three connected out to a suspicious server address. The funny thing is that when all three were looked up in WHOIS, all three domains pointed to the same server!

Lastly, the recipient e-mail addresses in all three seemed to be in roughly alphabetical order. This points to a botnet-style control system working through a list of e-mail addresses, breaking it into groups and sending each group one of the malicious e-mails.


These types of automated phishing attacks are becoming very common. The best line of defense against them is vigilant users who question unsolicited e-mails, especially ones with attachments. Blocking incoming and outgoing traffic to and from locations you have no business with, through ingress and egress filtering, is paramount in stopping these attacks; in this case, denying outbound FTP from user workstations would have blocked the upload this sample attempts even after the attachment ran.

Network Security Monitoring with full packet capture will also help to find what, if any, data was actually compromised if the attack is a success.

This was just a very basic analysis of this malicious attachment. Want to take a closer look at these techniques and learn a whole lot more about malware analysis including advanced techniques? Check out Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig.

China Hacking Tool captured on Chinese Military Propaganda Ad

A Chinese military propaganda video released in mid-July shows what many have accused the Chinese of all along: being responsible for numerous cyber attacks on different nations.

According to an article on The Epoch Times:

The documentary itself was otherwise meant as praise to the wisdom and judgment of Chinese military strategists, and a typical condemnation of the United States as an implacable aggressor in the cyber-realm. But the fleeting shots of an apparent China-based cyber-attack somehow made their way into the final cut.

The Chinese-made attack tool can be seen in the YouTube video starting at 39 seconds. And in case there are any questions about who made it, “Electrical Engineering University of China’s People’s Liberation Army” is displayed on the tool. It seems that this tool was specifically made to attack Falun Gong websites.

The software window says “Choose Attack Target.” The computer operator selects an IP address from a list—it happens to be—and then selects a target. Encoded in the software are the words “Falun Gong website list,” showing that attacking Falun Gong websites was built into the software.

A drop-down list of dozens of Falun Gong websites appears. The computer operator chooses, the main website of the Falun Gong spiritual practice.

The IP address listed on the screen belongs to the University of Alabama at Birmingham – University Computer Center. This indicates that the Chinese military has in fact been attacking not only Chinese spiritual groups but also systems in America.

According to the Washington Post, the original video has since been removed, and an e-mail from China’s Defense Ministry said that the scene was the “pure action of the producer” and that “the content and opinion of the program do not represent the policy and stance of the government.”

Well, nothing new here, they are denying that they are behind it, but as the saying goes, a picture is worth a thousand words.

Defend Against Next Generation Network Attacks with FireEye

FireEye (from Rsignia’s Website):

Security-conscious organizations choose FireEye for industry-leading protection against the next generation of threats that cross vectors and attack with advanced malware, zero-day, targeted APT attacks. FireEye’s Malware Protection Systems (MPS) supplement traditional and next-generation firewalls, IPS, AV and Web gateways, whose signatures and heuristics cannot stop this next generation of threats.

Today’s defenses–even next-generation firewalls–leave significant security holes in the majority of corporate networks. These traditional tools were designed for the known–not the increasingly predominant unknown threats specifically devised to evade detection. By combining signature and signature-less detection, and integrating inbound and outbound protection, FireEye combats today’s stealthy Web and email threats with near-zero false positive rates.

Correctional Facilities could be Vulnerable to Stuxnet style Attacks

The appearance of Stuxnet opened many eyes to the vulnerabilities of SCADA systems and Programmable Logic Controllers (PLCs). In 2010, Stuxnet was used to attack five Iranian organizations, most notably causing damage to Iran’s uranium enrichment process.

PLCs are used in many different organizations for numerous systems and processes, which makes one wonder: what else could be vulnerable to attack?

How about prisons?

Well, according to a white paper released last week, jails and prisons could contain SCADA and PLC vulnerabilities. SCADA & PLC VULNERABILITIES IN CORRECTIONAL FACILITIES (pdf), written by Teague Newman, Tiffany Rad and John Strauchs, explains how PLCs are used in prisons and why they could be vulnerable to attack.

Prison systems have become very sophisticated. According to the paper, a single pneumatic sliding door can have up to 34 points to monitor. Add to that the sheer number of doors, throw in security and video systems (and reduced staffing) and you can see why electronic monitoring and control is imperative.

If a prison PLC system could be exploited, prison doors could be opened, allowing prisoners to escape, or doors could be forced closed, creating safety issues. All of the doors could also be opened or closed at the same time, damaging the control systems with a large surge of current.

But wouldn’t these systems be protected? Surely they would not be connected to the Internet, and prisoners would not be able to access them.

Not necessarily, according to the report:

A location our team surveyed, indeed, had connections to the Internet from within the Control Room. During our survey, a Control Room guard was accessing Gmail and commenting that there are problems with viruses and worms from guards accessing online images and movies. Additionally, many federal prisons use a “security through obscurity” method by obscuring a data port under the legs of the control panel console.


We have found some points where prison Commissaries connect to network segments on which the PLCs are located. Some correctional facilities also provide Internet access for inmates. Granted, they are not connected to prison control and monitoring systems, but they are a point at which a vulnerability can be exploited, albeit difficult.

Finally, in a workshop lab that cost only $2,500, the authors were able to create working exploits in a few hours. Given the danger and the relatively low cost of exploit development, it is imperative that these systems get checked out and hardened.

Re-evaluating security procedures and enforcing security policies should limit the chances that an attack would succeed. This also stresses the importance of PLC users outside the energy sector taking a good hard look at securing their systems.