Tag Archives: security

Mails with FAX attachment

I’ve been receiving a lot of mails with a FAX attachment lately. The attachment is a zip file containing a virus. I analysed the binary a little and came up with the following interesting info.

Size and hash

rivy@spdy:~/Downloads/FAX$ ls -l FAX_20150226_1424989043_176.zip
-rw-rw-r-- 1 rivy rivy 12790 Feb 27 19:47 FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$ md5sum FAX_20150226_1424989043_176.zip
c3a277e79afedb9538f4759e62bb3c64  FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$ sha256sum FAX_20150226_1424989043_176.zip
72f7cfa43c61e2d9bb21a92ad60bc955f4c20b20997bb0ad204da6c6d2c464cd  FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$

As you can see, the zip file is around 12 KB in size. Unzipping it produced one executable with the same base filename.

Archive:  FAX_20150226_1424989043_176.zip
  inflating: FAX_20150226_1424989043_176.exe

MD5 and SHA-256 for this executable are:

rivy@spdy:~/Downloads/FAX$ ls -l FAX_20150226_1424989043_176.exe
-rw-r--r-- 1 rivy rivy 39168 Feb 27 15:35 FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$ md5sum FAX_20150226_1424989043_176.exe
c2e9e728576d5f230d97cfc6960361fc  FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$ sha256sum FAX_20150226_1424989043_176.exe
de32206ccde1b20a944c5ac4c49a565d9d65ba4786bacc37aa18c2ca7d83b39f  FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$

Looking for strings

Looking for plaintext strings in the binary is a quick and easy first step in deciding whether a piece of software is harmful: imported Windows API names, URLs and messages usually survive in clear text unless the sample is packed or encrypted. The strings tool, part of the binutils package on most Linux distributions, prints every run of four or more printable characters.

rivy@spdy:~/Downloads/FAX$ strings FAX_20150226_1424989043_176.exe
`tD<m=
8j	Y
/dln
RRhqcap
X[YZa
ReplaceFileA
GetACP
IsBadWritePtr
SetComputerNameW
QueryDosDeviceW
CreateJobObjectA
ReadConsoleOutputA
IsDebuggerPresent
Beep
_lopen
GetProfileIntW
TerminateProcess

The list was longer but I removed everything else. So what have we found so far?

  • Mail with attachment from unknown person
  • Attachment is a zip file which contains an executable
  • Executable imports functions like SetComputerNameW and IsDebuggerPresent

Taken together, these indicators are enough to conclude that this mail with FAX attachment is malware: nobody sends a fax as a zipped executable, and a fax viewer has no business checking for a debugger or renaming the computer. Any one of the strings on its own would not be conclusive, since plenty of legitimate software imports IsDebuggerPresent or TerminateProcess; it is the combination with the delivery method that settles it.
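To make the strings step repeatable, here is an added example (my own code, not part of the original post or of any tool mentioned in it) that re-implements the printable-string scan and checks the result against a small watchlist of API names, the ones from the output above plus tags I assigned myself. The sample input is a constructed byte string seeded with those names, not the real FAX_*.exe, so it runs offline.

```python
import re

# Win32 API names that often show up in the import table of droppers and of
# anti-analysis code. A hit is a reason to look closer, not proof of malice:
# plenty of legitimate software imports IsDebuggerPresent or TerminateProcess.
# The tags are my own shorthand, not taken from any reference.
SUSPICIOUS_IMPORTS = {
    "IsDebuggerPresent": "anti-debugging check",
    "IsBadWritePtr": "memory probing (deprecated API, common in packers)",
    "SetComputerNameW": "system tampering",
    "ReplaceFileA": "file tampering",
    "CreateJobObjectA": "process control",
    "TerminateProcess": "process control",
    "QueryDosDeviceW": "device enumeration (sandbox/VM checks)",
}


def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like GNU strings."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data):
    """Return (hits, verdict): hits maps each suspicious string found to its tag."""
    found = set(extract_strings(data))
    hits = {name: tag for name, tag in SUSPICIOUS_IMPORTS.items() if name in found}
    if len(hits) >= 3:
        verdict = "suspicious: several anti-analysis/tampering imports"
    elif hits:
        verdict = "needs a closer look"
    else:
        verdict = "no indicators in plaintext strings (sample may be packed or encrypted)"
    return hits, verdict


# Constructed sample: a few junk bytes around the import names quoted from the
# strings output above. This is not the real FAX_*.exe, just test input.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"`tD<m=\x00\x01/dln\x00"
    b"ReplaceFileA\x00GetACP\x00IsBadWritePtr\x00SetComputerNameW\x00"
    b"QueryDosDeviceW\x00CreateJobObjectA\x00ReadConsoleOutputA\x00"
    b"IsDebuggerPresent\x00Beep\x00_lopen\x00TerminateProcess\x00\x01\x02"
)

if __name__ == "__main__":
    hits, verdict = triage(SAMPLE)
    for name, tag in sorted(hits.items()):
        print(f"{name:20s} {tag}")
    print(verdict)
```

Run it on a real file with `triage(open(path, "rb").read())`. An empty result does not mean the file is clean: packed samples show almost no readable strings at all, which is itself worth noting.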

Virustotal results

We are already fairly sure that this attachment is malware, but I also queried VirusTotal for this binary. You can either upload a suspicious file or search for its hash. Searching by hash is a good idea if the file may contain confidential information, since nothing but the hash leaves your machine; it only gives a result if someone else has already uploaded the same file. These are the results.
(Screenshot: VirusTotal results for the FAX attachment)
As you can see, the last analysis happened 16 minutes ago. The malware is still very new. According to the “Additional Information” tab, the first upload happened 3 hours ago. Only 3 of the 57 AV engines detected this binary as malware, which is typical for a sample this fresh: at this point the file hashes above are a better indicator than AV detection.
This is a direct link to the analysis page of this malware.

Detecting this malware on your network

Clicking the “Behavioural information” tab reveals even more interesting info. It lists which files are opened and written to. Take note of “c:/autoexec.bat”!
We also see that the malware makes HTTP GET requests with a User-Agent string of “Mazilla/5.0”. Obviously this should be “Mozilla/5.0”. The typo makes it very easy to write an IDS/IPS signature: match the User-Agent header value against “Mazilla/5.0” and no legitimate browser will ever trigger it. Keep in mind that such a signature is only as durable as the typo; the next build of the malware may fix it, so keep the file hashes above as indicators too.
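As an added example (my own code, not from the original post and not a rule from any IDS vendor), here is the detection logic run over a few constructed HTTP requests. It parses the request line and headers, then matches the User-Agent value anchored at the start and case-sensitively, so the genuine “Mozilla/5.0” prefix can never match. The hostnames, paths and client IPs in the sample are made up. Unlike the behavioural report, it flags the User-Agent regardless of the HTTP method, since the typo is the indicator, not the verb.

```python
import re

# The typo'd User-Agent reported by VirusTotal's behavioural analysis. We anchor
# the match at the start of the header value and keep it case-sensitive, so the
# genuine "Mozilla/5.0" prefix that every real browser sends never matches.
MALWARE_UA_PREFIX = "Mazilla/5.0"

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Parse one raw HTTP request (request line plus headers) into (method, target, headers)."""
    lines = raw.replace("\r\n", "\n").lstrip("\n").split("\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def is_malware_beacon(raw):
    """True if the request carries the malware's User-Agent, whatever the method."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    return parsed[2].get("user-agent", "").startswith(MALWARE_UA_PREFIX)


def find_beacons(flows):
    """flows: iterable of (client_ip, raw_request). Returns [(client_ip, host, target)] per hit."""
    hits = []
    for client, raw in flows:
        if is_malware_beacon(raw):
            _, target, headers = parse_request(raw)
            hits.append((client, headers.get("host", "?"), target))
    return hits


# Constructed sample traffic (not captured from the real sample): three requests
# with the bad User-Agent from two internal hosts, and one normal browser request.
SAMPLE_FLOWS = [
    ("10.0.0.12", "GET /gate.php?id=176 HTTP/1.1\r\nHost: c2.example.invalid\r\nUser-Agent: Mazilla/5.0\r\n\r\n"),
    ("10.0.0.12", "GET / HTTP/1.1\r\nHost: www.rivy.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"),
    ("10.0.0.37", "POST /upload HTTP/1.1\r\nHost: c2.example.invalid\r\nUser-Agent: Mazilla/5.0\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.41", "GET /a.bin HTTP/1.0\r\nHost: cdn.example.invalid\r\nUser-Agent: Mazilla/5.0 compatible\r\n\r\n"),
]

if __name__ == "__main__":
    for client, host, target in find_beacons(SAMPLE_FLOWS):
        print(f"ALERT {client} -> {host}{target}")
```

In a real IDS rule, do the same thing: match on the parsed User-Agent header buffer rather than on the raw payload, so the string cannot be hidden in a URL or a POST body and a legitimate page containing the word “Mazilla” does not fire the alert.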

Enable OCSP stapling on Apache2

This post explains how to enable OCSP stapling on the Apache2 web server. By including the CA-signed OCSP response for your certificate in the TLS handshake, the browser immediately knows whether your certificate has been revoked. Without it, the browser would have to contact the CA’s OCSP responder itself to obtain that information.

OCSP stapling is defined as the Certificate Status Request TLS extension in section 3.6 of RFC 4366 (since superseded by RFC 6066, section 8).

OCSP stapling makes page loads faster, because the browser no longer has to open an extra connection to the CA’s responder, and it improves privacy, because the CA no longer sees which sites your visitors browse. OCSP responses are generally valid for a couple of days, so your web server has to fetch a fresh response before the current one expires; Apache does this for you in the background. If you have a firewall that filters outbound traffic from your Apache2 server, make sure that traffic to the OCSP responder (the URL in the certificate’s Authority Information Access extension, normally plain HTTP on port 80) is allowed. If Apache cannot reach the responder, it simply staples nothing and browsers fall back to their own lookup.

Changing your apache2 vhost definition

In the <VirtualHost *:443> of your SSL vhost add the following lines. These directives need Apache httpd 2.4 (mod_ssl) or newer.

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

The timeout is the number of seconds Apache waits for the OCSP responder. With SSLStaplingReturnResponderErrors off, Apache only staples responses that say the certificate is “good”; responder errors and expired responses are not passed on to clients, which then do their own OCSP lookup as before.

SSLStaplingCache is a server-wide directive and cannot live inside a <VirtualHost>. In the mod_ssl configuration file (on Debian and Ubuntu this is /etc/apache2/mods-available/ssl.conf) add this line between the <IfModule mod_ssl.c> tags.

SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(512000)

And now restart apache.

# service apache2 restart

Make sure this command doesn’t return any errors. If it does, correct them before proceeding.

Testing OCSP stapling

You can adapt the below command to your own webserver.

openssl s_client -connect www.rivy.org:443 -status -servername www.rivy.org

Look for this:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

Alternatively you can also run an SSL Labs scan and look for this output.
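Because a stapled response that Apache failed to refresh is worse than no stapling at all (clients reject an expired response), I would check the validity window as well as the status line. Here is an added example (my own code, not part of the original post) that parses the `openssl s_client -status` output shown above and reports whether a response was stapled, whether the certificate status is good, and how long the response is still valid. The transcripts it runs on are constructed and abridged, not captured from a real server; the 12-hour warning margin is my own choice.

```python
import re
from datetime import datetime, timedelta

# Fields we care about in `openssl s_client -status` output.
_FIELD = re.compile(
    r"^\s*(OCSP Response Status|Cert Status|This Update|Next Update):\s*(.+?)\s*$", re.M)
_OCSP_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_ocsp_time(text):
    """Parse OpenSSL's 'Mar  6 10:00:00 2015 GMT' (single-digit days are space padded)."""
    return datetime.strptime(" ".join(text.split()), _OCSP_TIME)


def check_stapling(s_client_output, now, min_margin=timedelta(hours=12)):
    """Evaluate the OCSP part of s_client output at time `now` (a naive UTC datetime).

    Returns a dict with 'stapled', 'ok' and a list of 'problems'. Apache has to
    refresh the stapled response before Next Update; if it did not, the staple
    hurts rather than helps because clients reject an expired response.
    """
    problems = []
    if "OCSP Response Data:" not in s_client_output:
        return {"stapled": False, "ok": False, "problems": ["server sent no stapled OCSP response"]}
    fields = dict(_FIELD.findall(s_client_output))
    status = fields.get("OCSP Response Status", "")
    cert_status = fields.get("Cert Status", "")
    if not status.startswith("successful"):
        problems.append("responder status is %r, not successful" % status)
    if cert_status != "good":
        problems.append("certificate status is %r" % cert_status)
    next_update = parse_ocsp_time(fields["Next Update"]) if "Next Update" in fields else None
    if next_update is None:
        problems.append("response has no Next Update")
    elif next_update <= now:
        problems.append("stapled response expired at %s; Apache did not refresh it" % next_update)
    elif next_update - now < min_margin:
        problems.append("stapled response expires within %s" % min_margin)
    return {"stapled": True, "ok": not problems, "status": status,
            "cert_status": cert_status, "next_update": next_update, "problems": problems}


# Constructed s_client transcripts (abridged), not copied from a real server.
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Feb 27 10:00:00 2015 GMT
    Cert Status: good
    This Update: Feb 27 10:00:00 2015 GMT
    Next Update: Mar  6 10:00:00 2015 GMT
======================================
"""

SAMPLE_NOT_STAPLED = """\
CONNECTED(00000003)
OCSP response: no response sent
"""

if __name__ == "__main__":
    # Fixed clock so the demo is reproducible; use datetime.now(timezone.utc) in practice.
    now = parse_ocsp_time("Feb 28 12:00:00 2015 GMT")
    print(check_stapling(SAMPLE_STAPLED, now))
    print(check_stapling(SAMPLE_NOT_STAPLED, now))
```

To use it against your own server, pipe the output of the `openssl s_client` command above into the script and pass the current UTC time as `now`. Note that `s_client` only receives a staple once Apache has fetched one, so the very first connection after a restart may show no response yet.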

SSL Labs result with OCSP Stapling on Apache2


Enable HSTS in Apache2 SSL vhost

This tutorial explains how to enable HTTP Strict Transport Security (HSTS) in an Apache2 SSL vhost. HSTS is a response header that tells browsers to contact a website only over HTTPS for a given period: every later http:// link or typed address is rewritten to https:// before the browser connects, and certificate errors become fatal instead of click-through warnings. It is described in RFC 6797.

Enable HSTS header

As explained in the previous post, I was able to increase my SSL Labs rating from C to A by carefully instructing Apache2 which ciphers to use. We can increase the rating from A to A+ by adding the following configuration to the <VirtualHost> section of the vhost config.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Please note that this header will force browsers to use HTTPS for all your subdomains as well, for the full two years of max-age, and a browser that has cached the policy will refuse to fall back even if one of those subdomains has no valid certificate. Make sure every subdomain actually works over HTTPS before you enable it; if that is not what you want, remove “; includeSubDomains”. Also note that browsers only honour the header when it arrives over HTTPS, so it belongs in the SSL vhost and does nothing in the port 80 one.
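To see exactly what the includeSubDomains flag commits you to, here is an added example (my own code, not from the original post) that models the browser side of RFC 6797: it parses the header, stores the policy only when received over https://, expires it after max-age, forgets it on max-age=0, and decides which http:// URLs get upgraded. Times are plain epoch seconds. The hostnames in the usage are taken from this page; the timestamps are arbitrary.

```python
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns {'max_age': int, 'include_subdomains': bool} or None when the header
    is malformed (no usable max-age), in which case a browser ignores it.
    """
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in directives}


class HstsStore:
    """Minimal model of a browser's HSTS cache, following RFC 6797 sections 8.1 to 8.3."""

    def __init__(self):
        self.policies = {}  # host -> (expiry, include_subdomains); times are epoch seconds

    def receive(self, url, header_value, now):
        """Process an HSTS header seen in a response for `url` at time `now`."""
        u = urlsplit(url)
        if u.scheme != "https" or not u.hostname:
            return False  # 8.1: the header only counts when received over TLS
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        host = u.hostname.lower()
        if parsed["max_age"] == 0:
            self.policies.pop(host, None)  # max-age=0 asks the browser to forget the host
        else:
            self.policies[host] = (now + parsed["max_age"], parsed["include_subdomains"])
        return True

    def should_upgrade(self, url, now):
        """True if the browser would rewrite this http:// URL to https:// before connecting."""
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname:
            return False
        labels = u.hostname.lower().split(".")
        # Check the host itself (i == 0), then each parent domain (i > 0).
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry <= now:
                continue  # policy has aged out
            if i == 0 or include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    store.receive("https://www.rivy.org/", "max-age=63072000; includeSubDomains", now=0)
    for url in ("http://www.rivy.org/", "http://mail.www.rivy.org/", "http://rivy.org/"):
        print(url, "->", "upgrade" if store.should_upgrade(url, now=0) else "leave alone")
```

Two things the model makes visible: the policy learned from www.rivy.org covers hosts below it (mail.www.rivy.org) but not the parent rivy.org, so a site that wants the bare domain protected has to send the header from there as well; and a header served by mistake over plain HTTP is silently dropped, which is why the directive goes into the SSL vhost.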

SSL Labs result

This is the new result of a SSL Labs scan.

SSL Labs result with HSTS in Apache2 SSL vhost
