Profile picture
Vess @VessOnSecurity
, 10 tweets, 21 min read Read on Twitter
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini No, the code isn't there, although there is something strange...

You are looking at the raw file with a hex editor and are seeing stuff that's in unallocated clusters that aren't part of the OLE2 stream structures at all. You need a more intelligent tool.

Take a look:
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini First, we have the OLE2 structure of the file. This is what you have to look at. The VBA structures are there. The module streams are:

Module1
UserForm1
ThisDocument
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini Now, let's inspect each one of them as a stream, not as raw sectors from the file. Again, you need a tool that understands this. The compressed source is at the end of the stream, with the p-code immediately preceding it.

Module1:
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini As you can see, the compressed source is very small, the module is empty of code. The small area of zeroes before that is where normally the p-code should be, again it is small and empty of code.
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini Next, UserForm1. Again, the source is small and contains only headers, no code. P-code area is small and empty.

See that FE CA marker? That's the line table, if I remember correctly. Also small and empty.
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini Now we're getting to ThisDocument and things are starting to get weird.

The source code is small and empty, alright (look at the second image). But it is preceded by a LARGE area of zeroes, where the p-code normally ought to be.
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini And see those FF FF FF FF things before that? That's the line table. This is how empty lines are marked.

However, if the thing contained empty lines naturally, it wouldn't have such a large area of zeroed-out p-code.

This is weird.
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini This (the large area of zeroed-out p-code) *could* be caused by an anti-virus. However, an AV would have definitely wiped the source code too; it wouldn't have replaced it with headers-only compressed source.
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini And it couldn't have been an inferior AV that wipes only the p-code, because then the original source code would have remained.

I don't know what has caused this. Don't think it's an AV, but it doesn't seem normal, either.
@siri_urz @Malwageddon @decalage2 @DissectMalware @James_inthe_box @ItsReallyNick @_devonkerr_ @likethecoins @angealbertini I mean, that's not how stuff looks when you normally delete the lines with the VBA editor; it would have compressed the p-code area just like it is small in the other modules.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Vess
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @VessOnSecurity see all

Profile picture
OK, folks, the month of October is over here, so it is time for my honeypot report. Let's start with our Telnet & SSH honeypot.
First, the big picture. As always, the USA is at the top of the list of countries where the attacks are coming from. Three TIMES more attacks from there than from the next contender, Germany. The latter is somewhat unusual, Germany is rarely near the top.
Next, a graph of the number of attacks per hour. The honeypot is being attacked nearly once every second on average!
Read 14 tweets
Profile picture
My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner...

First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file. (URL is still live.)
The script is quite sophisticated, unlike the usual Mirai crap. It eventually downloads the executable for the appropriate CPU architecture, like

http://104.237.218.85/0/DIGIT1/DIGIT2

where DIGIT1 and DIGIT2 are two decimal digits.
I downloaded one of the executables - zero detections in VirusTotal both for it and for the script.

virustotal.com/#/file/cf3bfd3…

virustotal.com/#/file/9ef5864…
Read 3 tweets
Profile picture
So, some time ago, the site of a customer of ours gets breached, because they used a version of Joomla that's older than my shoes.

Suddenly, all their visitors are forced to mine crypto currencies in their browsers, which tends to be a tad annoying for them.
But no problem, hey? Can happen to anyone. That's why you call a security team - to fix up your shit that's messed up.

Sysadmin doesn't give us full access to their system because "security". We're given access only to the webroot folder.
We clean up the crypto mining scripts but find something else.

Somebody has installed a web shell. Whoever could enter through that web shell has wider access to the system than is given to us for investigating it.
Read 15 tweets

Related threads

Profile picture
Something strange happened on the plane. As we boarded, an older woman asked me to put her suitcase up in the overhead bin. I did, no problem.

For most of my life, I couldn’t do this. (I have moderate cerebral palsy, and lifting heavy things was never something easy.)
In fact, as recently as when I was in college, I would have to people for help putting my own suitcase up in the bin.

But since graduating in May ‘17, I’ve put hundreds of hours into stretching, cycling, and generally becoming stronger.
No new treatment, no medical advance — just me committing to zero excuses and finding a way to exercise 3x a week, same as is prescribed for most everyone.
Read 5 tweets
Profile picture
Something strange is going on over at Fox. @FoxNews hasn't tweeted in 14 hours. Unheard of. @FoxBusiness hasn't tweeted in 18 hours. Extremely unusual. What's going on?
This is their last tweet 14 hrs ago.
It's been 23 hours, and still no tweet from Fox News. I don't need to see tweets from Fox News. I am only paying attention to this because it is uncanny. Something is going on.
Read 4 tweets
Profile picture
Something weird is happening in the woods outside my house and I don't know what to do.
I guess I should start at the beginning. This isn't really my house, it was my grandpa's, but I guess it's mine now. He died a couple months ago and because of some tricky paperwork I'm apparently responsible for it now.
He lived pretty far away, up in the mountains by the lake. There are a couple other houses down the road but they seem like they're empty for the season. I assume they're summer houses. I've been here for a few days and it's really pretty, but it's super quiet and chilly.
Read 41 tweets
Profile picture
Ready for a mystery? Something strange and bloody, that confuses archaeologists? Last night, as I researched something else entirely, a slip of the fingers brought to my attention a site in France that raises some disturbing questions about our ancestors. I call it… THREAD 1/
Our tale takes us to the area covered by the border b/w Germany & France. This was home to what has come to be known as the Michaelsberg Culture, who lived around 6,000 to 5,500 years ago. They’re one of the many neolithic (new stone age) cultures following the last Ice Age. /2
There have been a few Michaelsberg Culture sites found, most famously at Bruchsal-Aue, in the German state of Baden-Wuerttemberg. They constitute ramparts, some very simple dwelling & a series of ditches. Materially, they left behind lots of beakers that resemble a flower. /3
Read 21 tweets
Profile picture
Does AUSA Moira Kim Penza, prosecutor in the fed. #NXIVM #RICO criminal racketeering case, realize that her indictments of #NXIVM leader, Keith Raniere aka "Vanguard," last March, may have affected the outcome of the 2018 Mexican Presidential Election? #ArizonaMafia #Democrats
Moira Kim Penza is 1 of the main prosecutors in the federal #NXIVM #RICO criminal case. A #RICO case is very serious; it is 1 of the most complex types of prosecutions the U.S. Government can initiate. Moira's boss is Richard P. Donoghue, U.S. Atty for the Eastern District of NY.
Penza is a smart lawyer. According to publicly available information, she studied at Cornell Law School, a private Ivy League University located in Ithaca, New York. Cornell was ranked the #13 law school in America, out of 203 law schools, by U.S. News & World Report, in 2018.
Read 117 tweets
Profile picture
0s and 1s commonly create speech that courts use -- that means precedence is set. #Code is speech -- they're languages made of bits! Point being, ISPs shouldn't be allowed to deny computer speech from being seen by others. #NetNeutrality

Evidence in thread:
#NetNeutrality Evidence case 1: Bradley v. State: @Facebook evidence used to ID assailants and other witnesses. Its compelling because translated bits were used to ID people. It proves third party intermediary bits translated into media are used by courts. scholar.google.com/scholar_case?c…
#SaveNetNeutrality Evidence case 2: Homeland Security v. Twitter: @DHSgov seized data that was digitized and sent to intermediary @Twitter. Twitter sued its an ongoing investigation. Regardless, It appears consumer's translated bits were treated as speech? clearinghouse.net/detail.php?id=…
Read 11 tweets

Trending hashtags

#bioarchaeology #RICO #PodestaEmails #espionage #Bronfman #Disneyland #Manafort #USA #anthropology #qualitative #AfricanSTEM #DDoSecrets #neverpassive #SecretSocieties #NXIVM #PhiBetaKappa #MakeItRain #FOIA #MexicoCity #thematic #drones #BattleForTheNet #SaveNetNeutrality #PayAttention #discourseanalysis

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!