New Version of McAfee FileInsight
Thursday September 10, 2009 at 6:52 am CST
Posted by Micha Pekrul
Today we released the new version 2.1 of McAfee FileInsight. You can download your free copy from the Avert Tools site. FileInsight is a handy integrated tool environment for web site and file analysis. It offers hex editing, syntax highlighting, several built-in decoders, a built-in calculator, a disassembler, JavaScript scripting support, a Python-based plugin system and many more features.
Let’s go through some stages of an exemplary malware attack to highlight some of its analysis features – but don’t try this stunt at home, unless you know what you’re doing; a safe, isolated lab environment is absolutely mandatory for any such research work.

The above screen shows the initial malicious web site, which tries to determine your browser and redirect to one or more respective exploits of choice. One of them is an exploit for the Microsoft DirectShow Video ActiveX Control Vulnerability (MS09-032) (stopped as “Exploit-MSDirectShow.b” by McAfee Virus Scan and as “BehavesLike.Exploit.CodeExec.EBEO” by McAfee Gateway Anti-Malware).

Getting to the actual shellcode takes some JavaScript unpacking steps. The JavaScript code is spread over several script files and custom encoded. In the above screen, we take that malicious code into FileInsight’s Scripting window and let it deobfuscate there.
Once we’re down to the shellcode level, we can directly look at the shellcode in the built-in disassembler. The Disassembler window also features recursive traversal to come up with branch labels automatically.
It CALLs-to-POP in order to determine the actual memory location of the obfuscated payload, sets up and loops to decode the payload, and then executes that in order to download an XOR-obfuscated executable that turns out to be a UPX-packed backdoor (stopped by Artemis and by McAfee Gateway Anti-Malware as “LooksLike.Win32.Suspicious.C”). Advanced users may also want to look into FileInsight’s Python-based plugin system, but be warned: writing plugins at the overwhelming simplicity of the Python language has a certain addiction potential!
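The last stage described above, the XOR-obfuscated download that turns out to be a UPX-packed executable, is the kind of step an analyst ends up scripting. The following is an added example, not code from the FileInsight release or one of its plugins, and it does not use the FileInsight plugin API. It assumes the obfuscation is a single-byte XOR (the post only says “XOR-obfuscated”), recovers the key by looking for a valid MZ/PE header, and then reads the section table to flag the UPX0/UPX1 section names that UPX leaves behind. The sample blob is constructed inline from a header-only fake PE, so nothing here is the actual backdoor.

```python
"""
Standalone Python 3 triage helper (added example, not FileInsight code):
recover a single-byte-XOR-obfuscated Windows executable and check whether
its section table carries the UPX packer's section names.
"""
import struct
from typing import Dict, List, Optional

PE_SIGNATURE = b"PE\x00\x00"
UPX_SECTION_NAMES = (b"UPX0", b"UPX1", b"UPX2")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the same loop a shellcode decoder runs)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first that yields a valid PE header.
    Key 0 is included, so an unobfuscated PE is reported as key 0."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None  # not a single-byte XOR of a PE (or not a PE at all)


def section_names(pe: bytes) -> List[bytes]:
    """Walk the COFF section table of a decoded PE image and return the names."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4                      # COFF file header follows 'PE\0\0'
    number_of_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional_header
    names = []
    for i in range(number_of_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe):               # truncated download: stop, don't guess
            break
        names.append(pe[off:off + 8].rstrip(b"\x00"))
    return names


def is_upx_packed(pe: bytes) -> bool:
    """UPX names its sections UPX0/UPX1 (and UPX2 for resources) by default."""
    return any(n in UPX_SECTION_NAMES for n in section_names(pe))


def triage(blob: bytes) -> Dict[str, object]:
    """Full pass: recover the key, decode, and report PE/UPX facts for the analyst."""
    key = find_xor_key(blob)
    if key is None:
        return {"xor_key": None, "is_pe": False, "upx": False, "sections": []}
    pe = xor_bytes(blob, key)
    return {"xor_key": key, "is_pe": True,
            "upx": is_upx_packed(pe), "sections": section_names(pe)}


def build_fake_pe() -> bytes:
    """Constructed, header-only PE-like image for the demo (not runnable code):
    MZ header, 'PE\\0\\0', a 20-byte COFF header with an empty optional header,
    and two sections named UPX0 and UPX1."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections=2, timestamps/symbols 0,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sections = b"".join(name.ljust(8, b"\x00") + b"\x00" * 32
                        for name in (b"UPX0", b"UPX1"))
    return dos + PE_SIGNATURE + coff + sections


SAMPLE_KEY = 0x5A                                   # constructed key for the demo
SAMPLE_BLOB = xor_bytes(build_fake_pe(), SAMPLE_KEY)  # what the "download" looks like

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

The key search deliberately tests only the header, so it also works on a partially downloaded file, and the section walk stops at the end of the buffer rather than reading past it. A multi-byte or rolling XOR would defeat this simple search; that is the point at which an analyst would go back to the decoder loop in the disassembler to read the real scheme off the shellcode.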
FileInsight is available here.


September 10th, 2009 at 07:54
good tool!!!
September 10th, 2009 at 08:55
Thanks Micha!
September 14th, 2009 at 12:33
[...] FileInsight screenshot above shows the JavaScript function “lololo(),” which deobfuscates a string [...]
September 15th, 2009 at 09:01
[...] Playing with the new (free) version of McAfee FileInsight: [...]
September 16th, 2009 at 06:51
[...] Playing with the new (free) version of McAfee FileInsight: [...]
September 19th, 2009 at 10:58
[...] [Newly released/updated security software] - McAfee FileInsight 2.1 released http://www.avertlabs.com/research/ [...]