Hello and welcome to the Wednesday, April 22nd, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recorded today from Amsterdam, Netherlands.

And this episode is brought you by the sands.edu credit certificate program

in Purple Team Operations. The DEA today wrote up an interesting piece of malware that

arrived as an audio file. In this particular case, we didn't have sort of classic steganography.

Classic stachanography usually takes an existing

audio file that actually appears and actually is some music or some other recording, and then

it slightly modulates the existing audio file in order to encode a message. This particular

audio file that DDE analyzed was created differently.

The attacker here used a piece of malware, an executable, and Bay 64 encoded it,

then used a simple X or a cipher in order to encrypt it,

and essentially used the resulting data as the audio data

in a dot wave file.

This is fairly simple, and it works, because in particular, in a dot wave file, essentially, any byte

value will be represented by volume and with that as audio.

Now, when you're listening to this particular audio file that the DA looked at, all you sort of hear essentially noise, so there isn't like, you know, any melody or anything like that, but probably good enough in order to fool some people into believing that this is actually an audio file. And then, of course,

the malware on the receiving system is reversing the encryption and encoding and extracting

the actual executable. Of course, D.D.D. has some Python scripts here to help you with this,

including proofforcing the one-byte xR key using the

known plain text, which in this case is the PE header of the file, and then essentially

just extracting the executable for further analysis. If you want to learn more about this,

then refer to Dedi's diary from today, which walks you through this step-by-step

...