Monday, December 27, 2010
Another good piece of research from Websense, which I want to share here.
Resource from: websense.com
As part of my research within Websense Security Labs, I collaborate with a group of researchers tasked with profiling exploit kits. This helps us refine the analytics used in ACE, our Advanced Classification Engine. In this post I want to cover the installation of Phoenix Exploit's Kit. I'm not going to tell you how to install and use it, but I will cover some of the more interesting aspects of installation. Specifically, I want to cover how the developers protect their code from being reverse engineered and how the developers have attempted to keep researchers from poking around in installed kits.
To begin, let's have a look at the installer for the kit. Like many exploit kits, this one is PHP-based but unlike most kits, the installer is actually obfuscated. This is probably an attempt by the developers to make it harder for security researchers to understand how to install the kits, especially if there is no 'readme.txt' file included in a kit. Typically, exploit kits come with some sort of installation and or revision documents which come in the form of a 'readme.txt' file or 'notes.txt'. Without the readme file, it can be difficult to install a kit unless you reverse engineer the installation process. Most of the time, the reverse engineering of kit installation is pretty easy because the PHP code is not obfuscated.
Here is a look at the obfuscated code in the PHP installer:
Looking at this code, we can see that it's a Base64-encoded, ZLIB-compressed stream of data. The PHP script uses an 'eval' statement with the 'gzuncompress' and 'base64_decode' functions to decode the stream of data. To get the clear-text code, we can use a simple substitution trick along with the PHP CLI so that we can then analyze the installer's code. To do this, we simply need to replace the 'eval' with a 'print' and run the install.php script on the command line.
Here is a snippet of the deobfuscated install.php script:
Looking at this code, if you're like me, you might think that the interesting thing about it is the variable declarations with long base64-encoded streams. It actually turns out that each one of those variables is holding obfuscated PHP code for the page for which the variable is named. For example, the '$config' variable holds the base64-encoded 'config.php' file and the '$activate' variable holds the 'activate.php' code, which we will get to in a bit. This is where things get interesting, as far as protection mechanisms go. The reason that the PHP code for each of these scripts is held in a variable is because the page names actually get randomized for each installation! This helps to prevent security researchers from easily finding and possibly viewing statistics about the site hosting a Phoenix Exploit's Kit. Prior to the version being analyzed here, Phoenix came with standard page names, so once the exploit page was found, it was easy to find the statistics page and try to break in to view stats from that particular installation.
Here is what the install looks like when it's visited from the browser:
As you can see, when viewing the installer from the browser, there is really nothing special about it. You get to choose the language of the installation instructions, either English or Russian. And on the next page you have a form to fill out for various resources. I'm not going to show you this form for the reason that it contains sensitive information. However, I will show you the result after filling out the form so that you can see the randomized page names and what has to be done to activate the kit.
This is a look at my current working directory before the install of Phoenix Exploit's Kit:
Here is the same directory after the completion of the install script:
As you can see, the install script contains just about everything needed to install the kit. It extracts the necessary scripts and randomizes the file names, and thus the purpose of the file. If you have a look at the code in each file, you can begin to figure out the purpose of each file. The thing to notice and realize from here is that each installation creates unique names for each of the pages. Again, what this means is that a researcher can't find statistics for an installed kit after finding the page serving up the exploits. Rather, for any given kit installed in the wild, it's anybody's guess as to the names used for statistics and other pages used by that kit!
Regarding the installation we've been examining, at this point the kit isn't at all usable because it doesn't yet contain the exploits. To obtain the exploits, the purchaser of the kit must contact the developer to activate their kit. The "installation success" page explains this: "To activate this installed copy of Phoenix Exploits Kit please send the following activation string to the author."
Here is a screen shot of the installation success page:
In summary, we can see that the developers of Phoenix Exploit's Kit are working on not only protecting their exploit code from being recognized, but also their installations. This makes it difficult for researchers to further dissect and understand how the kit works, especially if a researcher comes across just the install script. It also makes things more difficult for others who want to study and report on the statistics found from individual installations of Phoenix by randomizing the page names used in the kit installations.
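The eval/gzuncompress/base64_decode unwrapping described in the post above, as an added example (not code from the Websense post or from the kit): a Python script that peels the wrapper statically, without executing any PHP, and then decodes the base64 variables that hold the per-page scripts. The obfuscated installer it runs on is constructed inline from a harmless stub, and function names such as unwrap_all are my own.

```python
"""Static unwrapper for eval(gzuncompress(base64_decode('...'))) layers.

Instead of swapping 'eval' for 'print' and running the installer under the
PHP CLI, this matches the wrapper with a regex, base64-decodes and inflates
the payload with zlib (PHP's gzuncompress() consumes zlib/RFC 1950 streams),
and repeats until no wrapper is left. It then pulls out the '$name = "<b64>";'
variables that the deobfuscated installer keeps for each page ($config, ...).
"""
import base64
import re
import zlib
from typing import Dict, Optional, Tuple

# eval(gzuncompress(base64_decode('<payload>'))); with either quote style.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*(['\"])"
    r"([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"
)
# $name = '<base64 blob>'; (only blobs of a plausible minimum length).
VAR_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])([A-Za-z0-9+/=]{16,})\2\s*;")


def unwrap_layer(php_src: str) -> Optional[str]:
    """Return the PHP hidden in one eval/gzuncompress/base64 wrapper, or None."""
    m = WRAPPER_RE.search(php_src)
    if not m:
        return None
    raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
    return zlib.decompress(raw).decode("latin-1")


def unwrap_all(php_src: str, max_layers: int = 16) -> Tuple[str, int]:
    """Peel nested wrappers until plain PHP remains. Returns (code, layers_removed)."""
    current, layers = php_src, 0
    while layers < max_layers:
        inner = unwrap_layer(current)
        if inner is None:
            break
        current, layers = inner, layers + 1
    return current, layers


def extract_embedded_scripts(php_src: str) -> Dict[str, str]:
    """Decode the per-page scripts stored as base64 string variables."""
    scripts = {}
    for name, _quote, blob in VAR_RE.findall(php_src):
        try:
            scripts[name] = base64.b64decode(blob, validate=True).decode("latin-1")
        except ValueError:
            continue  # not actually base64; skip the variable
    return scripts


# --- Constructed sample (harmless stub, not a real kit) ---------------------
def build_wrapped_layer(code: str) -> str:
    """Wrap PHP code the way the installer is wrapped: compress, base64, eval."""
    payload = base64.b64encode(zlib.compress(code.encode("latin-1"))).decode()
    return "<?php eval(gzuncompress(base64_decode('%s'))); ?>" % payload


CONFIG_PHP = "<?php $db_user = 'stats'; ?>"
ACTIVATE_PHP = "<?php echo 'send activation string'; ?>"
INNER_INSTALLER = (
    "<?php\n"
    "$config = '%s';\n" % base64.b64encode(CONFIG_PHP.encode()).decode()
    + "$activate = '%s';\n" % base64.b64encode(ACTIVATE_PHP.encode()).decode()
    + "$name = substr(md5(uniqid()), 0, 8);\n"  # randomized page name, as in the post
    "file_put_contents($name . '.php', base64_decode($config));\n"
    "?>"
)
# Two nested layers, so the loop in unwrap_all has real work to do.
SAMPLE_INSTALLER = build_wrapped_layer(build_wrapped_layer(INNER_INSTALLER))

if __name__ == "__main__":
    code, n = unwrap_all(SAMPLE_INSTALLER)
    print("removed %d wrapper layer(s)" % n)
    for page, src in extract_embedded_scripts(code).items():
        print("$%s -> %r" % (page, src))
```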
Wednesday, December 22, 2010
Q: What is "social spam"?
A: Social spam is spam that uses social networking, media and news related websites to spread links.
Q: Links? You mean stuff like those links I see on Facebook saying something like "OMG! Father catches his daughter on webcam"?
A: Yes. Those links.
Q: And just how does spreading salacious links pay off for the social spammer?
A: First, let's discuss how e-mail spam works.
Q: Well… alright then, what about e-mail spam?
A: E-mail spam is similar to real world junk/bulk mail, the stuff that clogs up your mailbox at home. A product owner wants promotion, so he hires somebody to distribute advertising. The bulk mailer (spammer) offers prices/rates based on the number of ads to be distributed.
Q: Sounds rather straightforward. So how does an e-mail spammer get paid?
A: Could be a number of ways, but generally, you'll pay upfront for X amount of messages distributed. E-mail spammers compete with one another by attempting to offer better services. They also try to guarantee that their address lists are validated (live) accounts and thus a better quality than the other guys.
Q: So e-mail spam is a traditional product owner to advertiser relationship?
A: Right. The product owner wants advertising, so he pays an advertiser. The ad (spam) is sent to your Inbox and your antispam software filters the spam to a junk folder.
Q: Let's get back to social spam. How does spamming a link pay off for the spammer? There's no "advertising message" embedded in the link… it's just some tabloid-style headline. Does the link open to an ad page?
A: No. (That's comment spam.) The social spam link is only the first step in the social spam process. And the greater the number of links spread, the greater the potential payoff for the spammer.
Q: What's the second step in the process?
A: Spreading the spam link.
Q: And how is that done?
A: By abusing the "social" nature of the website. So on Facebook for example, if you click a spam link, you'll be directed to a page that wants you to either like or allow.
Q: Like or allow?
A: Right. If the link takes you to a Facebook application (hosted by facebook.com) you'll have to allow the application access to your profile. If you do, the application will post its link to your profile, and thus share it with your friends.
Q: If it isn't an application?
A: If the link takes you to a "Page" (either on or off site) you'll be requested to "Like" and "Share" the page to your profile. Spammers will use various tricks to get you to like and share.
Q: What kind of tricks?
A: Clear click clickjacking attacks. Pages attempt to use invisible frames to get people to click on a "like button" without even realizing it.
Q: So liking and sharing the page spreads the links… you do the spammers work for them?
Q: But if it is an application instead of a page, you have to allow it access?
A: Correct. And Facebook does provide a clear warning beforehand.
Q: How about other websites?
A: Twitter applications also warn the user before they add an application. Twitter switched to OAuth at the end of August 2010 so that your password is no longer shared with third party applications.
Q: So applications can be controlled and/or limited, but external pages that mimic the social site, can they be prevented?
A: That's a challenge. Social sites are designed to share. That's why they're social. Far greater amounts of legitimate pages are liked/shared and tweeted every day. The only way to really prevent a spam page from being shared is to block all sharing or of course, to remove the page from the site.
Q: So what is done?
A: Filtering. Social sites rely on their communities to report spam. Both Twitter and Facebook have "report as spam" options. And they have antispam technologies on the back-end.
Q: Step 2 is spreading… why does that process sound kind of familiar?
A: Because it is similar to an e-mail worm.
Q: What? An e-mail worm?
A: Yeah. E-mail spam includes its advertising in the body of the message or in an attachment. E-mail worms are a bit different. They used to attach a binary payload to a message, but antivirus companies long ago learned to filter such attachments.
A: And so these days, because malicious attachments are filtered, e-mail worms use links as bait. Recipients click on the link within the message and are taken to a webpage offering a malicious payload. And part of that payload's mission may include stealing your e-mail contacts so they'll be exposed to the threat as well.
Q: So social spammers didn't invent this process?
A: No, far from it. This whole process of link baiting has evolved from e-mail.
Q: So social spam is spread via "link worms"?
A: Yeah, that's kind of the general idea…
Q: Okay. Steps 1 and 2 spread like an e-mail worm, but the goal is more similar to e-mail spam. What's step 3? Do you get to see the father/daughter webcam video?
A: That depends on whether step 2 was an application or a page (still using Facebook as our example).
Q: What if step 2 allowed an application?
A: Then the spam application often provides the video (or whatever else) in return for harvesting your information.
Q: What kind of information?
A: That depends on what you allowed. It could be anything from basic public details to allowing the application to e-mail you, to managing your Facebook Pages. (Twitter applications will cause your account to follow others and to re-tweet their links.)
Q: Then what?
A: And then the social spammer has information that can be turned into a commodity for sale. Remember up above…
Q: That e-mail spammers compete with each other by offering better services and validated lists?
A: Right. What better way to create a validated list than a social networking site such as Facebook? Not only will you have live e-mail addresses, but the associated age, sex, gender, likes and interests. After all, there's very little point in sending Viagra spam to a 25 year old woman…
Q: That sounds like an excellent commodity. What else can be done with the information?
A: Worst case scenario: it could be used for identity theft or blackmail.
Q: Is that likely?
A: It's possible, but probably not likely. From what we've read in spammer forums, these guys are more about making a quick buck pushing ads.
Q: Okay, so back to step 2 again… What if step 2 was a page, then what?
A: This part is a bit complicated.
Q: It is?
A: Yes. If the social spam links to a page, the page is typically utilizing some sort of Cost Per Action affiliate marketing network.
Q: What is a Cost Per Action affiliate marketing network?
A: First, let's discuss affiliate marketing… This is from Wikipedia's entry: Affiliate marketing is a marketing practice in which a business rewards one or more affiliates for each visitor or customer brought about by the affiliate's own marketing efforts.
Q: So affiliates don't get paid upfront to advertise?
A: Right. Affiliates aren't selling bulk advertising. But instead, they're driving traffic towards the product owner. And the more traffic that they can drive towards the product, the more they can earn. Product owners like this method of marketing as they don't have to commit to funds upfront before results are produced.
Q: And affiliate marketing models are used by spammers?
A: Yes. Unfortunately, affiliate marketing is easily abused by spammers.
Q: So why is it legal?
A: Because there are many legitimate ways to run affiliate marketing. Let's take Groupon (groupon.com) as an example. If a certain number of people sign up for a Groupon offer, the deal becomes available to all; if the predetermined minimum is not met, then no one gets the deal that day. Groupon users are acting as a kind of affiliate. If they do the marketing work and share the offer among their peers, and enough people sign up, the company authorizes the deal.
Q: So it is quite difficult to legislate good from bad affiliate marketing?
Q: Okay, so social spammers utilize a form of affiliate marketing. What are Cost Per Action affiliate networks?
A: An affiliate marketing network is kind of like a "super affiliate". Affiliate marketers earn a progressive percentage of payout based on the volume of leads produced. One individual typically cannot produce enough volume to reach a higher percentage tier. Affiliate marketing networks allow individuals to act as a collective affiliate, producing higher volumes, which passes the higher payouts down to the network members.
Q: And Cost Per Action (CPA)?
A: CPA is typically about acquiring something from potential leads.
Q: So what happens during step 3 after a page is liked and shared?
A: The spammer promises to show the video (or whatever) after a small "anti-bot" test (action) has been performed. They claim it is a form of CAPTCHA, or verification that you’re human.
Q: And this is when the spammer gets what he wants?
Q: What kind of special offers?
A: It could be something as simple as downloading a search toolbar for your browser or providing a valid e-mail address to receive a coupon. Or… it might be something as manipulative as getting you to sign up for expensive SMS-based subscription services.
Q: And is this when the spammer makes money?
A: Yes. For each person that completes an action, and offers the product owner a "lead", the affiliate/spammer can earn one dollar or more.
Q: One dollar or more? That's good money.
A: Yes. It takes very little effort to earn good money.
Q: So is all of this considered a scam?
A: Scam is a rather strong word.
Q: But there are some security vendors that call this stuff a scam. You don't think so?
A: Scam is a strong word to use… A scam is something such as an Advance Fee Fraud, i.e. "You have just won the UK lottery! Contact LottoUK at blah blah blah dot com."
Q: So what is this CPA spam stuff then?
A: It falls under the category of deceptive marketing.
Q: So why do some folks keep blogging about Facebook Scams? Is it hype?
A: You'll have to ask them.
Q: Well then, if it is deceptive marketing… what can be done about it?
A: Government regulators should get involved. Example: In Finland, a case of localized (Finnish language) Facebook spam was resolved by the Finnish Consumer Protection Agency. F-Secure provided details to the press, and either the press, and/or victims reported the SMS subscription vendor as being deceptive. The local company which provided the billing services for the SMS vendor reversed all charges associated with that spam run. (There hasn't been a second attempt.)
Q: What about the United States? Is there a way to fight deceptive affiliate marketing spam in the United States?
A: It's been done before. In 2006, Zango, an adware vendor (Hotbar) faced an FTC investigation that essentially put them out of business. A public advocacy group filed two official complaints charging Zango with engaging in unfair and deceptive business practices.
Q: So who are the companies that the FTC should probably look at in 2011?
A: The list includes CPAlead (cpalead.com), PeerFly (peerfly.com), and Adscend Media (adscendmedia.com) among others.
Q: What about the recent lawsuits that Facebook brought against three spammers?
A: Actually, one of those three lawsuits is focused on Jason Swan, the CTO of CPAlead. The CAN-SPAM act is being cited in the lawsuits and all three examples include cases in which fake or fraudulent services were offered. "Facebook Gold" accounts, for example. There is no such thing, and so Facebook claims the defendants are guilty under the CAN-SPAM Act.
Q: But doesn't most social spam eventually open the promised video (or whatever)?
A: Yes. It's mostly just recycled content from YouTube, but if all three steps are completed, the link delivers on its promise. So these three cases are interesting, but it seems more like a warning to spammers than a solution. We aren't sure if the CAN-SPAM act applies (but it's worth bringing before a judge).
Q: So summarize it again, what are the steps involved with social spam?
A: First the victim clicks on a link. Second, they like/share or allow the application or page. Third, they complete the Cost Per Action offer. And then they are "rewarded" with old content that they could have located on YouTube (or elsewhere) themselves.
Q: How effective is social spam?
A: Very good question. In 2009, social spam was generated by hacked/phished accounts. During 2010, other methods were developed by spammers to seed spam links. By the summer of 2010, spam links were generating hundreds of thousands of clicks.
Q: Do social spam links still get clicked?
A: Click rates have dropped as people become familiar with the process. There is an ever-increasing decline in the effectiveness of any single link. However, the click rates and payouts are considerably higher for social spammers than for e-mail spam.
Q: Will social spam ever be as big a problem as e-mail spam?
A: E-mail spam does not require interaction. Spammers can simply pump as much of it as possible in their attempts to bypass spam filters.
Social spam typically requires human interaction (except for occasional site vulnerabilities). Because social spam is interactive, there is something that can be done. Facebook and Twitter are constantly redesigning their UI to improve the user experience and to help their communities recognize and avoid spam. And because social media sites are constantly evolving, the nature of social spam is also evolving.
Social spam will probably always exist, taking advantage of one site feature or another, but it isn't as likely to abuse the system so completely as e-mail spam has. The only way to fix e-mail spam is to fix e-mail protocols. Facebook and Twitter spam can be addressed by the sites as needed.
Q: Finally, are there other types of spam being pushed via social media sites?
A: Yes. Fake profile spam pushing adult dating sites and services… but that's another Q&A. We'll get back to that once we're done sorting through all the images (somebody's got to do it).
Original Reference: Social Spam from F-Secure
Monday, December 20, 2010
Malaysiakini is a political news website published in English, Malay, Chinese and Tamil. Since its launch on November 20, 1999, it has been widely considered to be one of the leading non-government-owned paid-news agencies in Malaysia. Compete.com estimated that Malaysiakini attracted over 10,000 unique visitors in May 2009. Alexa ranked malaysiakini.com as the 16th most popular web site in Malaysia (ahead of the Star) in 2008.
Unlike most news sources in Malaysia, Malaysiakini remains free from government regulation and is thus widely considered to be the country's only credible, independent voice. Malaysiakini has gained both praise and notoriety by regularly covering subjects and viewpoints deemed taboo by the mainstream broadcast and print media; the fact that it is still allowed to operate is partly due to the Malaysian government's tolerance regarding internet censorship. The Malaysian government had pledged there would be no control and censorship of Internet content, in line with efforts to create the Multimedia Super Corridor.
Wednesday, December 15, 2010
This security update resolves four privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update resolves several privately reported vulnerabilities in the Windows Open Type Font (OTF) driver that could allow remote code execution. An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This security update resolves a publicly disclosed vulnerability in Windows Task Scheduler. The vulnerability could allow elevation of privilege if an attacker logged on to an affected system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
This security update resolves a publicly disclosed vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Movie Maker file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
This security update resolves a publicly disclosed vulnerability in Windows Media Encoder. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate Windows Media Profile (.prx) file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file type such as .eml and .rss (Windows Live Mail) or .wpost (Microsoft Live Writer) located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
This security update resolves a publicly disclosed vulnerability in Windows Address Book. The vulnerability could allow remote code execution if a user opens a Windows Address Book file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
This security update resolves a publicly disclosed vulnerability in the Internet Connection Signup Wizard of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.
The vulnerability could allow remote code execution if a user opens an .ins or .isp file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
This security update resolves one publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
This security update addresses a privately reported vulnerability in the Routing and Remote Access NDProxy component of Microsoft Windows. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.
The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
This security update resolves a privately reported vulnerability in the Consent User Interface (UI). The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application on an affected system. An attacker must have valid logon credentials and the SeImpersonatePrivilege and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
This security update resolves a privately reported vulnerability in the Netlogon RPC Service on affected versions of Windows Server that are configured to serve as domain controllers. The vulnerability could allow denial of service if an attacker sends a specially crafted RPC packet to the Netlogon RPC Service interface on an affected system. An attacker requires administrator privileges on a machine that is joined to the same domain as the affected domain controller in order to exploit this vulnerability.
This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a specially crafted packet is sent to the VMBus by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to send specially crafted content from a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
This security update resolves five privately reported vulnerabilities in Microsoft Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update resolves a privately reported vulnerability in Microsoft SharePoint. The vulnerability could allow remote code execution in the security context of a guest user if an attacker sent a specially crafted SOAP request to the Document Conversions Launcher Service in a SharePoint server environment that is using the Document Conversions Load Balancer Service. By default, the Document Conversions Load Balancer Service and Document Conversions Launcher Service are not enabled in Microsoft Office SharePoint Server 2007.
This security update resolves seven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update resolves a privately reported vulnerability in Microsoft Exchange Server. The vulnerability could allow denial of service if an authenticated attacker sent a specially crafted network message to a computer running the Exchange service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Thursday, December 2, 2010
Update 11/29/10: Added a short discussion about non-malware executables also.
Have you ever wondered how people writing reports about malware can say where the malware was likely developed?
Sometimes you get totally lucky and log files created by the malware will help answer the question. Given the following line from a log:
11/16/2009 6:41:48 PM –> Hook instalate lsass.exe
We can use Google Translate's "language detect" feature to help us determine the language used:
Of course, it’s not often we get THAT lucky!
A more interesting method is the examination of certain structures known as the Resource Directory within the executable file itself. For the purpose of this post, I will not be describing the Resource Directory structure. It's a complicated beast, making it a topic I will save for later posts that actually warrant and/or require a low-level understanding of it. Suffice it to say, the Resource Directory is where embedded resources like bitmaps (used in GUI graphics), file icons, etc. are stored. The structure is frequently compared to the layout of files on a file system, although I think it's insulting to file systems to say such a thing. For those more graphically inclined, I took the following image from http://www.devsource.com/images/stories/PEFigure2.jpg.
For the sake of example, here are some images showing just a few of the resources embedded inside notepad.exe (using CFF Explorer from http://www.ntcore.com/exsuite.php):
Now it's important to note that an executable may have only a few or even zero resources, especially in the case of malware. Consider the following example showing a recent piece of malware with only a single resource called "BINARY."
Moving on, let’s look at another piece of malware… Below, we see this piece of malware has five resource directories.
We could pick any of the five for this analysis, but I’ll pick RCData – mostly because it’s typically an interesting directory to examine when reverse engineering malware. (This is because RCData defines a raw data resource for an application. Raw data resources permit the inclusion of any binary data directly in the executable file.) Under RCData, we see three separate entries:
The first one to catch my eye is the one called IE_PLUGIN. I'll show a screenshot of it below, but am saving the subject of executables embedded within executables for a MUCH more technical post in the near future (when it's not 1:30 am and I actually feel like writing more!).
Going back to the entry structure itself, the IE_PLUGIN entry will have at least one Directory Entry underneath it to describe the size(s) and offset(s) to the data contained within that resource. I have expanded it as shown next:
And that’s where things get interesting, as it relates to answering the question at the start of this post anyway. Notice the ID: 1055. That’s our money shot for helping to determine what country this binary was compiled in. Or, more specifically, the default language ID (LANGID) of the computer used to compile this binary: the decimal 1055 is 0x041F, primary language 0x1F (Turkish) with sublanguage 1 (the default sublanguage). Those IDs have very legitimate uses. For example, you can have the same dialog in English, French and German localized forms, and the system will choose the dialog to load based on the thread’s locale. However, when resources are added to the binary without explicitly setting them to different language IDs, the resource compiler assigns them the default language ID of the build machine.
So in the example above, what does 1055 mean?
It means this piece of malware was likely developed in Turkey (or at least compiled there).
How do we know that one resource wasn’t added with a custom ID? Because we see the same ID when looking at almost all the other resources in the file (an ID of zero is the language-neutral value and just means “use the default locale”):
In this case, we are also lucky enough to have other strings in the binary (once unpacked) to help solidify the assertion that this binary is from Turkey. One such string is “Aktif Pencere” (Turkish for “Active Window”), which Google’s translation language detection identifies as Turkish:
However, as you can see, this technique is useful even when no telltale strings are present, whether in logs or in the binary itself.
So is this how the default binary locale identification works normally (eg: non-malware executable files)?
Not exactly. The above technique is generally used with malware (if the malware even has exposed resources), but not generally with normal, legitimate binaries. Consider the following legitimate binary. What is the source locale for this example?
As you see in the green box, we have some cursor resources with the ID for the United States. (I’m including a lookup table at the bottom of this post.) In the orange box, there are additional cursor resources with the ID for Germany. In the red box is RCData, like we examined before, but all of these resources have the ID specifying the default language of the computer executing the application.
As it turns out, the normal value to examine is the ID for the Version Information Table resource (in the blue box). In the case above, it’s the Czech Republic. The Version Information Table contains the “metadata” you normally see depicted in locations like this:
In the above screenshot, Windows is identifying the source/target locale as English, and specifically United States English (as opposed to UK English, Australian English, etc.). Strictly speaking, the shell reads that language from the VarFileInfo\Translation entry inside the version resource rather than from the resource directory, but the build tooling normally populates that entry and the language ID of the RT_VERSION directory entry (the one CFF Explorer shows) consistently, so in practice the directory ID is the quick way to read it.
However, in malware, the Version Information table is almost always stripped or mangled, as is the case with our original example from earlier:
Because of that, the earlier techniques are more applicable to malware.
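The two techniques above (tallying the language ID over every resource entry when the version information has been stripped, and reading the ID of the RT_VERSION entry when it has not) can be scripted so you do not have to click through each entry. The following is an added example and not code from the original post; it walks the PE resource directory with nothing but the Python standard library. The small LANGID_NAMES lookup, the two sample resource trees and the dummy RVA/size values are constructed for this example to mirror the screenshots and are not from any real binary; rsrc_from_pe parses the headers so the same functions run on a file passed on the command line.

```python
"""Tally PE resource language IDs (added example for this post; stdlib only)."""
import struct
import sys
from collections import Counter

RT_VERSION = 16  # resource type ID of VS_VERSIONINFO
# Decimal LANGIDs that appear in the post; the full lookup table is at the end of the post.
LANGID_NAMES = {0: "neutral", 1029: "Czech - Czech Republic", 1031: "German - Germany",
                1033: "English - United States", 1055: "Turkish - Turkey"}

def _entry_name(rsrc, field):
    """A Name field with the high bit set points at an IMAGE_RESOURCE_DIR_STRING_U."""
    if field & 0x80000000:
        off = field & 0x7FFFFFFF
        return rsrc[off + 2:off + 2 + 2 * struct.unpack_from("<H", rsrc, off)[0]].decode("utf-16-le")
    return field

def walk_resources(rsrc, off=0, path=()):
    """Yield (path, rva, size, codepage) per leaf; path is (type, name, language)."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        name_field, data_field = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        ident = _entry_name(rsrc, name_field)
        if data_field & 0x80000000:  # subdirectory; all offsets are relative to .rsrc start
            yield from walk_resources(rsrc, data_field & 0x7FFFFFFF, path + (ident,))
        else:  # IMAGE_RESOURCE_DATA_ENTRY
            rva, size, codepage, _ = struct.unpack_from("<IIII", rsrc, data_field)
            yield path + (ident,), rva, size, codepage

def tally_languages(rsrc):
    """Count the third-level (language) IDs over every resource in the tree."""
    return Counter(p[2] for p, *_ in walk_resources(rsrc) if len(p) == 3)

def guess_build_locale(rsrc):
    """Most common non-neutral LANGID: the post's heuristic for malware lacking version info."""
    ranked = sorted(((n, lid) for lid, n in tally_languages(rsrc).items() if lid), reverse=True)
    if not ranked:
        return None, "no language-specific resources"
    lid = ranked[0][1]
    return lid, LANGID_NAMES.get(lid, "LANGID %d (0x%04X)" % (lid, lid))

def version_langid(rsrc):
    """LANGID of the RT_VERSION entry (the usual signal for legitimate binaries), or None."""
    langs = [p[2] for p, *_ in walk_resources(rsrc) if p[0] == RT_VERSION]
    return langs[0] if langs else None

def rsrc_from_pe(data):
    """Slice the resource directory out of an on-disk PE32 or PE32+ image."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, n_sections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    rsrc_rva, rsrc_size = struct.unpack_from("<II", data, dd + 2 * 8)  # DataDirectory[2]
    for i in range(n_sections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        if va <= rsrc_rva < va + max(vsize, raw_size):
            return data[raw_ptr + rsrc_rva - va:][:rsrc_size]
    raise ValueError("resource directory not inside any section")

def _serialize_tree(tree, buf):
    """Append a directory for `tree` to buf and return its offset (builds the constructed samples)."""
    named = sorted(k for k in tree if isinstance(k, str))
    ids = sorted(k for k in tree if isinstance(k, int))
    off = len(buf)  # header, then one 8-byte entry slot per child, patched once children exist
    buf += struct.pack("<IIHHHH", 0, 0, 0, 0, len(named), len(ids)) + b"\0" * (8 * len(tree))
    for i, key in enumerate(named + ids):
        if isinstance(key, str):
            name_field = 0x80000000 | len(buf)
            buf += struct.pack("<H", len(key)) + key.encode("utf-16-le")
            buf += b"\0" * (-len(buf) % 4)
        else:
            name_field = key
        if isinstance(tree[key], dict):
            data_field = 0x80000000 | _serialize_tree(tree[key], buf)
        else:
            data_field = len(buf)
            buf += struct.pack("<IIII", tree[key][0], tree[key][1], 0, 0)
        struct.pack_into("<II", buf, off + 16 + 8 * i, name_field, data_field)
    return off

def build_sample_rsrc(triples):
    """Synthesize a .rsrc blob from (type_id, name, langid) triples (constructed test data)."""
    tree = {}
    for rtype, name, lang in triples:
        tree.setdefault(rtype, {}).setdefault(name, {})[lang] = (0x3000, 0x40)  # dummy RVA, size
    buf = bytearray()
    _serialize_tree(tree, buf)
    return bytes(buf)

# Constructed to mirror the post's malware: RCData and icons all tagged 1055, no RT_VERSION.
MALWARE_SAMPLE = [(10, "IE_PLUGIN", 1055), (10, "CONFIG", 1055), (14, 1, 1055), (3, 1, 0), (2, 101, 1055)]
# Constructed legitimate layout: US and German cursors, neutral RCData, Czech version info.
LEGIT_SAMPLE = [(1, 1, 1033), (1, 2, 1031), (10, "DFM", 0), (RT_VERSION, 1, 1029)]

if __name__ == "__main__":
    blob = rsrc_from_pe(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_sample_rsrc(MALWARE_SAMPLE)
    for lid, n in tally_languages(blob).most_common():
        print("%5d (0x%04X) x%-3d %s" % (lid, lid, n, LANGID_NAMES.get(lid, "")))
    print("RT_VERSION LANGID:", version_langid(blob), " guess:", guess_build_locale(blob))
```

Run it with a path to a PE to get the tally for a real file, or with no arguments to see the constructed Turkish sample. On the constructed legitimate sample the tally is a tie between US English and German cursors while the RT_VERSION entry says Czech, which is exactly why the version resource is the better signal when it survives. Either way the ID is only an indicator: a developer can set LANGUAGE explicitly in the .rc file or build on a machine with a foreign default locale, so corroborate it with strings as the post does.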
Below is a table to help you translate resource entry language IDs to locales, sorted by decimal ID. The columns are the language and region, the two-letter ISO 639-1 code, the culture name, the language ID in decimal (CFF Explorer displays it this way; convert to hex to compare with the LANG_*/SUBLANG_* constants) and the matching ANSI code page. The list is partial, but it does include the IDs from the examples above (1029 for Czech, 1055 for Turkish).

| Language – Region | ISO 639-1 | Culture name | LANGID (decimal) | ANSI code page |
|---|---|---|---|---|
| Arabic – Saudi Arabia | ar | ar-sa | 1025 | 1256 |
| Chinese – Taiwan | zh | zh-tw | 1028 | |
| Czech – Czech Republic | cs | cs-cz | 1029 | 1250 |
| German – Germany | de | de-de | 1031 | 1252 |
| English – United States | en | en-us | 1033 | 1252 |
| Spanish – Spain (Traditional) | es | es-es | 1034 | 1252 |
| French – France | fr | fr-fr | 1036 | 1252 |
| Italian – Italy | it | it-it | 1040 | 1252 |
| Dutch – Netherlands | nl | nl-nl | 1043 | 1252 |
| Norwegian – Bokmål | nb | no-no | 1044 | 1252 |
| Portuguese – Brazil | pt | pt-br | 1046 | 1252 |
| Romanian – Romania | ro | ro | 1048 | 1250 |
| Swedish – Sweden | sv | sv-se | 1053 | 1252 |
| Turkish – Turkey | tr | tr-tr | 1055 | 1254 |
| Farsi – Persian | fa | fa | 1065 | 1256 |
| Azeri – Latin | az | az-az | 1068 | 1254 |
| Gaelic – Scotland | gd | gd | 1084 | |
| Malay – Malaysia | ms | ms-my | 1086 | 1252 |
| Kyrgyz – Cyrillic | | | 1088 | 1251 |
| Uzbek – Latin | uz | uz-uz | 1091 | 1254 |
| Bengali – India | bn | bn | 1093 | |
| Frisian – Netherlands | | | 1122 | |
| Divehi; Dhivehi; Maldivian | dv | dv | 1125 | |
| Igbo – Nigeria | | | 1136 | |
| Guarani – Paraguay | gn | gn | 1140 | |
| HID (Human Interface Device) | | | 1279 | |
| Arabic – Iraq | ar | ar-iq | 2049 | 1256 |
| Chinese – China | zh | zh-cn | 2052 | |
| German – Switzerland | de | de-ch | 2055 | 1252 |
| English – Great Britain | en | en-gb | 2057 | 1252 |
| Spanish – Mexico | es | es-mx | 2058 | 1252 |
| French – Belgium | fr | fr-be | 2060 | 1252 |
| Italian – Switzerland | it | it-ch | 2064 | 1252 |
| Dutch – Belgium | nl | nl-be | 2067 | 1252 |
| Norwegian – Nynorsk | nn | no-no | 2068 | 1252 |
| Portuguese – Portugal | pt | pt-pt | 2070 | 1252 |
| Romanian – Moldova | ro | ro-mo | 2072 | |
| Russian – Moldova | ru | ru-mo | 2073 | |
| Serbian – Latin | sr | sr-sp | 2074 | 1250 |
| Swedish – Finland | sv | sv-fi | 2077 | 1252 |
| Azeri – Cyrillic | az | az-az | 2092 | 1251 |
| Gaelic – Ireland (Irish) | ga | ga-ie | 2108 | |
| Malay – Brunei | ms | ms-bn | 2110 | 1252 |
| Uzbek – Cyrillic | uz | uz-uz | 2115 | 1251 |
| Bengali – Bangladesh | bn | bn | 2117 | |
| Arabic – Egypt | ar | ar-eg | 3073 | 1256 |
| Chinese – Hong Kong SAR | zh | zh-hk | 3076 | |
| German – Austria | de | de-at | 3079 | 1252 |
| English – Australia | en | en-au | 3081 | 1252 |
| French – Canada | fr | fr-ca | 3084 | 1252 |
| Serbian – Cyrillic | sr | sr-sp | 3098 | 1251 |
| Arabic – Libya | ar | ar-ly | 4097 | 1256 |
| Chinese – Singapore | zh | zh-sg | 4100 | |
| German – Luxembourg | de | de-lu | 4103 | 1252 |
| English – Canada | en | en-ca | 4105 | 1252 |
| Spanish – Guatemala | es | es-gt | 4106 | 1252 |
| French – Switzerland | fr | fr-ch | 4108 | 1252 |
| Arabic – Algeria | ar | ar-dz | 5121 | 1256 |
| Chinese – Macau SAR | zh | zh-mo | 5124 | |
| German – Liechtenstein | de | de-li | 5127 | 1252 |
| English – New Zealand | en | en-nz | 5129 | 1252 |
| Spanish – Costa Rica | es | es-cr | 5130 | 1252 |
| French – Luxembourg | fr | fr-lu | 5132 | 1252 |
| Arabic – Morocco | ar | ar-ma | 6145 | 1256 |
| English – Ireland | en | en-ie | 6153 | 1252 |
| Spanish – Panama | es | es-pa | 6154 | 1252 |
| French – Monaco | fr | | 6156 | 1252 |
| Arabic – Tunisia | ar | ar-tn | 7169 | 1256 |
| English – South Africa | en | en-za | 7177 | 1252 |
| Spanish – Dominican Republic | es | es-do | 7178 | 1252 |
| French – West Indies | fr | | 7180 | |
| Arabic – Oman | ar | ar-om | 8193 | 1256 |
| English – Jamaica | en | en-jm | 8201 | 1252 |
| Spanish – Venezuela | es | es-ve | 8202 | 1252 |
| Arabic – Yemen | ar | ar-ye | 9217 | 1256 |
| English – Caribbean | en | en-cb | 9225 | 1252 |
| Spanish – Colombia | es | es-co | 9226 | 1252 |
| French – Congo | fr | | 9228 | |
| Arabic – Syria | ar | ar-sy | 10241 | 1256 |
| English – Belize | en | en-bz | 10249 | 1252 |
| Spanish – Peru | es | es-pe | 10250 | 1252 |
| French – Senegal | fr | | 10252 | |
| Arabic – Jordan | ar | ar-jo | 11265 | 1256 |
| English – Trinidad | en | en-tt | 11273 | 1252 |
| Spanish – Argentina | es | es-ar | 11274 | 1252 |
| French – Cameroon | fr | | 11276 | |
| Arabic – Lebanon | ar | ar-lb | 12289 | 1256 |
| English – Zimbabwe | en | | 12297 | 1252 |
| Spanish – Ecuador | es | es-ec | 12298 | 1252 |
| French – Côte d’Ivoire | fr | | 12300 | |
| Arabic – Kuwait | ar | ar-kw | 13313 | 1256 |
| English – Philippines | en | en-ph | 13321 | 1252 |
| Spanish – Chile | es | es-cl | 13322 | 1252 |
| French – Mali | fr | | 13324 | |
| Arabic – United Arab Emirates | ar | ar-ae | 14337 | 1256 |
| Spanish – Uruguay | es | es-uy | 14346 | 1252 |
| French – Morocco | fr | | 14348 | |
| Arabic – Bahrain | ar | ar-bh | 15361 | 1256 |
| Spanish – Paraguay | es | es-py | 15370 | 1252 |
| Arabic – Qatar | ar | ar-qa | 16385 | 1256 |
| English – India | en | en-in | 16393 | |
| Spanish – Bolivia | es | es-bo | 16394 | 1252 |
| Spanish – El Salvador | es | es-sv | 17418 | 1252 |
| Spanish – Honduras | es | es-hn | 18442 | 1252 |
| Spanish – Nicaragua | es | es-ni | 19466 | 1252 |
| Spanish – Puerto Rico | es | es-pr | 20490 | 1252 |