Skip to main content

IMP Scanner

The project is comprised of 3 modules:


  1. The embedding Module which is written in Ruby
  2. The Execution/ exploiting stage
  3. The IMP Scanner, to scan for Images with Malicious Programs (IMP)
For the embedding the following are the stages:

  1. Generate malicious program (malp.exe) using msfpayload from metasploit
  2. encode the generated program (malp.exe) using msfencode from metasploit
  3. obfuscate malp.exe using UPX or any other suitable packer like Themida to make sure it is not detected by antivirus.
  4. embed malip.exe into selected stegoimage (stegoimg.jpg) using F5 algorithm (for transform domain steganography) or Jsteg (for spatial domain steganography). the size of the image should be more than double the size of malp.exe to be safe and to ensure no distortion occurs.

Deploy the image to the target machine. Many possible ways of doing this including keydrops with manipulated autorun.inf file to extract malp from stego or passive propagation via FTP shared folder and then later activation/triggering.

Scanning tool was developed using Python. The IDE was PyDev in Eclipse Helios (for C and C++ by default) after adding on the needed files from the Eclipse Marketplace. GUI design was done using QtDesigner which saved the files as .ui extensioned files. QtDesigner came with PyQt4. To convert the .ui files to .py, use the pyuic4 command to do this.

For the scanning procedure:

  1. Opt to scan either an entire directory or a single image
  2. steganography algorithms to be targeted are JSteg and F5
  3. Opt for quick scan or slow scan (in-depth)
Quick Scan:
  1. Load list of images into QListWidgetItem and create a list object for them also
  2. Check the EXIF headers of the images for markers regarding the steganography algorithm used. In some cases, the developer may add their name to the first few bytes of the stegoimage as a signature of sorts.
  3. Run the Chi-Square attack on the images one by one to see if it has had data embedded into it using steganography. Eliminate the ones without the steganography markers/artefacts from the QListWidgetItem.
  4. If the stegoimage is found to have used JSteg from EXIF header analysis, use the Jsteg tool to extract the data from the image since no password is used. If it's F5, the best option would be to run a dictionary attack on the image using the F5 tool and common default passwords.
  5. submit the image hash to Virustotal as well as the hash for the extracted program/tool. Get the results and display.
  6. display results of the scan and allow the user to see individual details for each scanned image.
Slow Scan:
  1. Run the stages of quick scan
  2. Submit each image to cuckoo sandbox
  3. run/execute all image viewing programs in the sandbox to try and see if any activity occurs besides simple opening of the file. this is to check if any of the programs can be exploited into extracting the malicious program from the image.
  4. do the same tests for any extracted data from the images.
  5. Display results and allow printing of report of all the findings.


Comments

Post a Comment

Popular posts from this blog

Password Cracking: RainbowCrack table generation, sorting and usage

I had to do this demo after one of my students asked for my assistance regarding how to use this tool. Usually, I just assign different tools to them individually depending on the aspect of penetration testing we are covering (session hijacking, vulnerability scanning, etc) and then tell them to submit a report and a video demo of how the tool is used. Anyway, after a brief one-to-one discussion I realized the student had actually done the research on how rainbow tables operate (above and beyond the material in the lecture slides) so I figured that if he was here asking for assistance, he genuinely needed it. The tool is available at the RainbowCrack site.  A detailed description of this nifty tool can also be found here . So, firstly I had to generate the rainbow tables. The command line syntax is: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index where: hash_algorithm  Rainbow table is hash algorithm sp...
Post a Comment
Read more

Forensics: Extraction of email evidence using Wireshark and NetworkMiner

The video at the end of this post is a demo of a solution to a forensic challenge from this site .   The goal of the challenge is to extract necessary information for an investigation from a pcap file. the site, forensicscontest.com, has a number of similar challenges that you can try out as well. Obviously, there is more than one way to skin a pcap (the other methods can be found among the solutions/walkthroughs on the site itself) and in this case 2 tools were used: Wireshark NetworkMiner Just to cover a few "mysterious" sections of the video, there is a point where I sorted the packets in wireshark in alphabetical order then looked for the first SMTP packet. The reason is that since we are investigating email evidence, the common protocols we should search for include IMAP, SMTP etc. In this case, the criminal used SMTP. Next, there is a point where we highlight the stream index in the detailed section of the packet. This is because each stream refers ...
Post a Comment
Read more

Malware Analysis: A Python Malware on campus 1

So a few weeks back after a class I'd taken with them,  a number of my students told me of a particular malware that was affecting students' computers, in particular, computers running Windows OS. According to them, if you tried to open a folder that was residing on the USB stick with the malware, the malware would delete some of your files and convert folders into executable files. Granted, the likelihood of a random folder miraculously transforming into a single executable file was kinda "out there" but I figured I'd check it out and use that as a teaching moment for those interested in venturing into malware analysis. So I tasked them to bring me a sample of the malware so I could take a look at it and maybe figure it out. I advised one of them to download DumpIt  and then extract the memory dump from an infected computer using a clean flash disk and then bring it to me. How do you do this exactly? here's how: Download DumpIt . It's a portable...
Post a Comment
Read more