Taking apart office automation documents with OfficeMalScanner

One of the main routes of malware infection is through office automation documents. They represent a very potent vector of infection, specially in directed attacks and phishing campaigns.

These documents are crafted to carry hidden macros, OLE objects, executables, etc., which, once the user opens the document, conduct a series of malicious actions to obtain information with the idea of profiting from it or simply damaging the system. Generally, this type of generic malware downloads other malware for the Internet (droppers), exploits system vulnerabilities, duplicates itself to assure its lifespan in the system, exfilters user information, etc.

A very useful tool for analyzing and detecting anomalous patterns in office automation documents is the “OfficeMalScanner” suite, which you can download from the author’s web, http://www.reconstructer.org/.

[Read more…]

Avoiding Dionaea service identification

(Please note this post has been translated, so some strings may appear in Spanish, mainly services names)

In previous posts we have already talked about Dionaea (Spanish), a low-interaction honeypot that offers a variety of network services. The main problem we face when deploying a honeypot is how to customize its services to make them undetectable by scanning tools. The more an attacker takes to detect its interacting with a honeypot, the more likely we will be able analyze its methodology, capture exploits, binaries, etc.

We will install Dionaea and modify some of its services to avoid identification by the network scanner most popular: Nmap.

We can get Dionaea from its project page, with the steps for its installation. In our case we used Ubuntu 12.04 as the base operating system. Active services by default are:

[Read more…]