Sunday, February 28, 2010

MWDB Nepenthes Auto-Submission Script

The Malaysia Honeynet Project was founded in 2007 as a volunteer, not-for-profit research organisation. Its members are several Malaysian security experts: mel, takizo, geek00l, xwing and red dragon.

I am impressed with the project's Malware Database (MWDB), at http://mwdb.my-honeynet.org/. I have just submitted a new ticket about a Nepenthes auto-submission script based on the Symfony + MySQL setup of the current MWDB.

The script has been with me since last year. I tested it on my local machine for a few weeks, and it runs smoothly with the latest submission entry update.

The simple script can be downloaded from here.

Dionaea v0.1.0 segfault error

My Dionaea sensor had been running for quite some time. When I checked the log this morning, I found that the sensor had stopped running.

Error message:
dionaea[1810]: segfault at 4 ip b7af93d0 sp b69310d0 error 4 in libemu.so.2.0.0[b7ab0000+6a000]

The sensor stops after hitting this segfault. It happens twice a day to my sensor. My Dionaea version is v0.1.0. Is this a libemu bug? Is it related to the MS04-12 exploit? I will check on it later.

First error

The same error happened again after 4 hours.

Thursday, February 25, 2010

Difference of UPX packed binaries

During my analysis of a UPX-packed binary, I loaded it into LordPE and studied the differences between the original and the packed binary.

After UPX packing, 4 changes have been made to the PE format:

OEP - for sure this will change!
SizeOfImage
BaseOfCode
BaseOfData
FileAlignment
NumberOfSections - the original binary has 4 sections, but the packed one contains only the UPX0, UPX1 and .rloc sections.

Wednesday, February 10, 2010

About Email Spam Analysis

Notes on a simple analysis of a .eml file:

1. By checking the Received: sequence, we can tell whether the email is forged or not.

2. In some spam, the Date: header and the Received: headers are totally different.

3. "Received:" headers should be read from the bottom upwards, since they are added to the top of the message by each MTA that the message passed through. They should be analysed from the top down, in case there are any fakes in there.

4. Some intermediate email gateways add X-Spam-Status, X-Spam-Level and X-Spam-Flag to the email header. An example of such an intermediate is SpamAssassin.

5. A normal email header versus a spam email header.
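The checks in notes 1 to 4 as a small stdlib-only script (an added example, not code from the original post): it reads the Received: chain bottom-up, flags hops whose timestamps run backwards, measures the gap between Date: and the oldest Received: stamp, and collects the X-Spam-* markers. The .eml message is constructed; its hosts, addresses, ids and timestamps are invented.

```python
import email
from email.utils import parsedate_to_datetime

# Constructed sample .eml, not a real message: hosts, addresses, ids and
# timestamps are invented. Note the Date: header eight days before delivery.
SAMPLE_EML = (
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby inbound.example.org with ESMTP id abc123; Tue, 09 Feb 2010 10:05:00 +0800\r\n"
    b"Received: from relay.example.com (unknown [198.51.100.7])\r\n"
    b"\tby mx.example.net with SMTP id def456; Tue, 09 Feb 2010 10:04:30 +0800\r\n"
    b"X-Spam-Flag: YES\r\nX-Spam-Status: Yes, score=8.2 required=5.0\r\n"
    b"X-Spam-Level: ********\r\nDate: Mon, 01 Feb 2010 03:00:00 +0000\r\n"
    b"From: promo@example.com\r\nTo: user@example.org\r\n"
    b"Subject: You have won\r\n\r\nClaim your prize now.\r\n"
)

def received_chain(msg):
    # Each MTA prepends its Received: line, so the bottom one is the oldest;
    # return them oldest-first with folding whitespace collapsed.
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def hop_timestamps(msg):
    # The timestamp is the text after the last ';' of each Received: line.
    return [parsedate_to_datetime(h.rsplit(";", 1)[1].strip())
            for h in received_chain(msg)]

def out_of_order_hops(msg):
    # A hop stamped earlier than the one before it points at a forged
    # Received: line or a badly skewed MTA clock; that is why the chain is
    # also walked top-down when checking for fakes.
    ts = hop_timestamps(msg)
    return [i for i in range(1, len(ts)) if ts[i] < ts[i - 1]]

def date_skew_seconds(msg):
    # Gap between the sender's Date: and the oldest Received: stamp;
    # legitimate mail is normally within minutes, spam is often days off.
    sent = parsedate_to_datetime(msg["Date"])
    return int((hop_timestamps(msg)[0] - sent).total_seconds())

def spam_markers(msg):
    # X-Spam-* headers are added by an intermediate gateway such as SpamAssassin.
    return {k: " ".join(v.split()) for k, v in msg.items()
            if k.lower().startswith("x-spam-")}

def analyse(raw):
    msg = email.message_from_bytes(raw)
    return {"chain": received_chain(msg),
            "out_of_order": out_of_order_hops(msg),
            "date_skew_seconds": date_skew_seconds(msg),
            "spam_markers": spam_markers(msg)}
```

Call analyse(SAMPLE_EML) to run it over the constructed sample, or pass the raw bytes of a saved .eml file instead.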

Tuesday, February 9, 2010

Solution for VMWare snapshots in different CPU

When I ran my VMware image after copying it from a Pentium 4 machine to an Intel Atom netbook, the image itself ran smoothly in VMware Workstation. The nightmare began when I tried to revert to a previous snapshot: an error occurred and the image hung completely in Suspend mode. None of the snapshots would load, and this error message was shown:

"Error encountered while trying to restore the state of group monitorLate from file..."


Some advice on the net is to remove the snapshots using the VMware command-line tools, but nobody can afford to lose a snapshot they still need.

Solution :

1. Remove the VM images from VMWare Workstation
2. Edit the VM settings with Notepad or vi:

* .vmx file: remove the lines starting with:

checkpoint.vmState ...

* .vmsd file: change your snapshot type to "0":

.type = "0"

where the part before .type is the name of the snapshot we want to revert to.

3. Reload and run the image.

It loads perfectly!

Credit to the post.