(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

SSMA is a handy tool for quickly getting an idea of whether a file is malicious.

Install

sudo apt-get install python3-pip

git clone https://github.com/secrary/SSMA

cd SSMA

sudo pip3 install -r requirements.txt


Usage

To use it, just run the command with your VirusTotal API key and the file to analyze. After each test, it asks whether you want to continue the analysis. In this example I used a version of Mebroot for testing.

python3 ssma.py -h

python3 /home/twebb/Downloads/SSMA/ssma.py -k VT_API_KEY 00000025.exe


Results

[ASCII-art banner: Simple Static Malware Analyzer]

File Details:

File: /home/twebb/malware/2-mar-2010 torpig/00000025.exe

Size: 280960 bytes

Type: application/x-dosexec

MD5: ae26e139311e2cacef53cce6d8da09da

SHA1: b9942fd44e798073821dd4b1d9b21f1814d766ad

Date: Fri Nov 28 00:33:22 2003

PE file entropy: 7.618302492203651

Very high or very low entropy means that file is compressed or encrypted since truly random data is not common.

================================================================================

Continue? [Y/n] y

Number of Sections: 5

Section VirtualAddress VirtualSize SizeofRawData Entropy

.code 0x480 26965 27008 6.511691201650016

.rdata 0x6e00 152 256 2.401459977262458

.data 0x6f00 251148 251264 7.654305920976193

INIT 0x44480 306 384 4.063770965426124

.reloc 0x44600 854 896 1.656681300794013

Very high or very low entropy means that file/section is compressed or encrypted since truly random data is not common.

SUSPICIOUS section names: INIT

================================================================================

Continue? [Y/n] y

Virustotal:

F-Secure - Gen:Rootkit.Heur.ruW@CS!sLed

NOD32 - a variant of Win32/Mebroot.CK

Ikarus - Backdoor.Win32.Sinowal

McAfee-GW-Edition - Trojan.Crypt.ZPACK.Gen

Symantec - Suspicious.Insight

BitDefender - Gen:Rootkit.Heur.ruW@CS!sLed

AntiVir - TR/Crypt.ZPACK.Gen

GData - Gen:Rootkit.Heur.ruW@CS!sLed

nProtect - Gen:Rootkit.Heur.ruW@CS!sLed

a-squared - Backdoor.Win32.Sinowal!IK

================================================================================

Continue? [Y/n] y

Scan file using Yara-rules.

With Yara rules you can create a description of malware families to detect new samples.

For more information: https://virustotal.github.io/yara/

Downloading Yara-rules...


These Yara rules specialised on the identification of well-known malware.

Result:

QuarianCode - Quarian code features

Quarian - Quarian

================================================================================

Continue? [Y/n] y

These Yara Rules aimed to detect well-known software packages, that can be used by malware to hide itself.

Result:

Visual_Cpp_2003_DLL_Microsoft

================================================================================

Continue? [Y/n] y

These Yara rules aimed to detect the existence of cryptographic algorithms.

Detected cryptographic algorithms:

contentis_base64 - This rule finds for base64 strings

================================================================================

Continue? [Y/n] y
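The two hints SSMA prints above (entropy near the extremes, unexpected section names) are easy to reproduce by hand. The following is an added example, not SSMA's own code: it computes per-section Shannon entropy and flags section names outside a constructed list of common ones, run over constructed byte strings that stand in for the sample's five sections (its real bytes are not on the page). The entropy thresholds and the list of common section names are assumptions.

```python
import math
from collections import Counter

# Section names normally emitted by a Microsoft linker. Constructed for this
# example; the list SSMA itself checks against is not shown on the page.
COMMON_SECTION_NAMES = {
    ".text", ".code", ".rdata", ".data", ".bss", ".idata", ".edata",
    ".rsrc", ".reloc", ".tls", ".pdata", ".CRT",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 when all 256 byte values
    are equally frequent. Compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_entropy(h: float, high: float = 7.0, low: float = 1.0) -> str:
    """Both extremes deserve a look, as SSMA's hint says; thresholds are assumed."""
    if h >= high:
        return "high (packed or encrypted?)"
    if h <= low:
        return "low (padding or sparse data)"
    return "normal"

def analyze_sections(sections):
    """sections: list of (name, raw_bytes). Returns one finding per section."""
    findings = []
    for name, raw in sections:
        h = shannon_entropy(raw)
        findings.append({"name": name, "entropy": round(h, 3),
                         "entropy_class": classify_entropy(h),
                         "suspicious_name": name not in COMMON_SECTION_NAMES})
    return findings

# Constructed stand-ins for the sample's five sections (its real bytes are not
# on the page); contents are chosen so the entropies are easy to reason about.
SAMPLE_SECTIONS = [
    (".code", bytes(range(64)) * 16 + b"\x90" * 1024),  # 64 opcodes + NOP run, H = 4.0
    (".rdata", b"Hello, world\x00" * 20),                 # repeated ASCII strings
    (".data", bytes(range(256)) * 16),                    # uniform bytes, H = 8.0
    ("INIT", b"\x00" * 300 + b"\x01\x02\x03" * 2),         # sparse, plus an unusual name
    (".reloc", b"\x00" * 800 + b"\xff" * 96),            # nearly all padding
]

if __name__ == "__main__":
    for finding in analyze_sections(SAMPLE_SECTIONS):
        print(finding)
```

On a real PE the raw bytes per section come from a parser such as pefile; the scoring logic stays the same.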



There are lots of tools like this, but this one is worth a try because of how quick and easy the install was. What's your favorite static analysis tool?


--

Tom Webb

@twsecblog
