home ... me ... pictures ... email ... rss feed ... rust chronicles ... twitter

May 31, 2010

shannon entropy toy

This last semester I found myself with a final two electives to get my concentration done: the Math version of Cryptography, and Forensics. Aside from the scary math of AES (finite field GF256 can go to hell) and the bizarre world of quantum cryptography (intro to quantum mechanics just about killed the entire CS department contingent in the class) it was cool. AES was even cool, just painful.

And how this applies to entropy is that we got told "Go do something neat for 40% of your grade, either write a paper or write some code." So I decided to write up a little piece of code to calculate shannon entropy, figuring I could use it later to distinguish packed from unpacked where it refers to binaries.

Code: shannon.c under a don't steal this for your homework license.

I hesitate to put a link to the web frontend up, because it was hastily written, but I got extra credit for it, which was cool. I had to make a powerpoint presentation full of background and results as well.

Values go from 0 to 8 in theory, but I've not seen more than 5.5. UPX packed malware looks almost as high entropy as encrypting a text file with AES. Hand-rolled packing is a little bit lower entropy. First two samples come from Forensics Puzzle Contest #5, the rest are from email.

UPX packed:
skirt% ../shannon file.exe\[1\].octet-stream
filename: file.exe[1].octet-stream
bytes in file: 68097.000000
entropy: 5.3945613760

Same file, unpacked, second layer less obfuscated:
skirt% ../shannon file.exe.octet-stream
filename: file.exe.octet-stream
bytes in file: 82433.000000
entropy: 5.0533276137

Random file AES encrypted:
filename: test2.bin
bytes in file: 4100801.000000
entropy: 5.5451381195

Partly encrypted of what is likely a bredolab trojan:
filename: officexp-KB910721-FullFile-ENU.exe
bytes in file: 23553.000000
entropy: 3.3439501448

Another variant of the same family is much higher:
filename: DHL_invoice _2345.exe
bytes in file: 74241.000000
entropy: 4.1100030304

Plain text is predictably around 3.0, which the stuff I remember from information theory backs up. Things that are lower than plain text in the 1.0 range are IDApro save file databases and blank goat files, and the binary for the old virus Murkry.390 (it was homework in reverse engineering class last year.) Some of the malware I collect out of email attachments actually doesn't appear to be completely encrypted which is odd, but I haven't broken this down to work on sections, which is really the next step here.

candice at 15:59 | link to post

May 21, 2010

crepes for breakfast

breakfast crepes., originally uploaded by candice quates.

Back to food for a few. A few weeks ago I got a hankering for my mom's strawberry crepes. She used to make them on rare occasions on weekend mornings.

She hasn't made them in forever, so I called her up to ask how she made the filling (easy, cook down strawberries with sugar) and looked up julia child's dessert crepe recipe to make them. I like 5-6" super-thin see-through crepes, and that recipe seems to work very well. Here's a picture of the crepe-making setup, too.

Nice thing about these is they keep in the fridge for a day or two, so you don't have to eat them all at once, you can use the leftovers for breakfast, like here.

candice at 21:38 | link to post

May 19, 2010

Running viruses for fun and profit

That's the title of a presentation I put together about the network logging sandbox I made for school last fall. It, like the shannon entropy project I wrote this semester for cryptography class was the result of being asked: "Go do something interesting and write about it for 40% of your grade." So I decided to work on reproducible run-time malware analysis. It was fun. I had a presentation in class, a handout to go with it, and a paper. The paper I am not feeling like revising for public consumption yet, but the presentation and the handout are ready. The core part of the sandbox, minibis, just had a new version released, here at cert.at, which I haven't had a chance to try out yet.

Check out the presentation here.

Handout is reproduced and slightly edited below, it's just a description and a list of tools, but since I bothered to clean up the html to make it presentable, I might as well add it.

Automated Malware Analysis tools and papers.
CSCI 4621 Presentation 11/24/2009

So, basically, to set this up, I had a Linux machine (ubuntu on netbook), installed VirtualBox, installed an XP image into it, then set up the minibis client and server programs. Made a minibis ftp account and turned on an ftp daemon. Went into Virtualbox, put the client program on it, started it, took a snapshot. Started server minibis program with some binaries, and went to go get some more coffee. Looked at procmon logs when it was done.

To add the network, I used a host-only network, so that it shows up as a linux device, and can be very easily sniffed. I also set up a second IP on the host-only network to run INetSim on. INetSim was easy to set up, so I just set the DNS server to always point to the host. InetSim creates nice, detailed logs. Packet sniffers weren't as useful as I initially thought - I expected more programs to call home. Static analysis comes later.

Tools for the virus-runner I built:
CERT.at: Mass Malware Analysis: A Do-It-Yourself Kit http://cert.at/downloads/papers/mass_malware_analysis_en.html
Sun's VirtualBox http://www.virtualbox.org/
Sysinternals Toolkit - for procmon and many other useful things http://www.sysinternals.com/
INetSim: Internet Services Simulation Suite. http://www.inetsim.org/about.html

Other reference material about virus runners:
Building an Automated Behavioral Malware Analysis Environment using Open Source Software http://www.giac.org/certified_professionals/practicals/grem/48.php
Truman - The Reusable Unknown Malware Analysis Net http://www.secureworks.com/research/tools/truman.html

Web based analysis services:
Anubis - service for analyzing malware http://anubis.iseclab.org/
Norman Sandbox http://www.norman.com/security_center/security_tools/en
VirusTotal - runs samples against a pile of antivirus tools http://www.virustotal.com/

General reference:
MSDN -for all you ever need to know about the windows API. http://www.msdn.com
Internet Storm Center http://isc.sans.org/
Offensive Computing is a nice sample source as well as being useful. http://www.offensivecomputing.net/

More tools:
HT Editor - small terminal-based disassembler, for unix, can handle PE files, I use it to check out binaries if they happen to be unpacked. http://hte.sourceforge.net/
Memoryze - memory dump analyzer. really nifty.http://www.mandiant.com/software/memoryze.htm

candice at 22:57 | link to post

May 09, 2010


(image courtesy Tiffany Coker)

I got the rest of the images on disk back from the photographer today. I hope to have a small gallery up with some of them soon so that people can dig through it.

candice at 0:09 | link to post

May 01, 2010

now there are three

us and my grandparents
(picture courtesy Tiffany Coker)

So, for the wedding I was lucky enough to have all four
of my grandparents there. But, Monday we lost my Grandpa,
the one seated here. It's been a long week, but
it's starting to get better.

administrative note: there is a chance this site is going
to go down soon and I will have to bring it back up on a new

candice at 22:15 | link to post

« April 2010 ... Current ... June 2010 »