Ethical-Hacker.net Blog - A Security Driven Knowledge

Cuando escuchas el término Crimeware en que piensas…?

noreply@blogger.com (Rafael Maita) — Sat, 07 Apr 2012 21:08:00 +0000

El Crimeware es un tipo de malware diseñado específicamente para automatizar la ciberdelincuencia, esta es una definición creada por Peter Cassidy, Secretario General del Anti-Phishing Working Group.

La delincuencia organizada contrata a hackers y los va llevando hacia sus redes, prometiéndoles recompensas y beneficios que serían muy difíciles de alcanzar en una vida profesional “honesta”; al entrar en mundo de la delincuencia organizada los hackers se convierten en: “Black Hats”, y la Delincuencia organizada se convierte en “Ciberdelincuencia Organizada”.

Si deseamos buscar los orígenes de la Ciberdelincuencia Organizada podemos remontarnos a mediados del 2001 donde un grupo de Black Hats ucranianos creó el sitio CarderPlanet.com

Hackers reconocidos han terminado trabajando para la Ciberdelincuencia Organizada, en el negocio del Crimeware, sucumbiendo a los muy grandes incentivos ante un trabajo que naturalmente les gusta hacer.

Hackers como Max Vision de EEUU, Cagatay Evyapan de Turquía y otros, relatan historias similares cuando les preguntas como entraron en el mundo de la Ciberdelincuencia Organizada.

Quien pensaría que por crear un Crimeware, te pagaran entre 3000$US y 5000$US?; mucho más aun si hablamos de vender tarjetas de crédito robadas…

Cuanto tenemos que trabajar nosotros para ganar la misma cantidad de dinero?

De los muchos tipos de Crimeware que hay en el mercado, vamos a dedicar esta edición a hablar de uno en particular que les aseguro deben haber visto en alguna PC. Este es el escenario: Estás navegado por internet y de repente en una web recibes un mensaje que dice: “tu computadora está infectada”, si deseas solucionar el problema instala este programa o antivirus “gratuito”. Al momento de instalarlo, tu computador empieza a mostrarte mensajes de que se está realizando un escaneo, cuando lo que está ocurriendo es que ya tu equipo está infectado, y la infección simplemente se está propagando; algunos iconos de tu computador cambian y empiezas a recibir mensajes que dicen que para remover el malware (o virus, como desees llamarle) debes de adquirir la licencia del programa, alertándote a cada rato de la infección, casi de forma molesta. Si han notado un comportamiento similar en su computador o en el de algún conocido, ya conocen este Crimeware; esto es lo que los expertos llaman: Rogue Antivirus.
Este tipo de Crimeware se fundamenta en el temor generalizado de las personas a las infecciones de virus, y recurre a constantes alertas que dicen que tu computador está infectado y que necesitas adquirir una licencia para limpiar la infección.

Lo que persigue la Ciberdelincuencia Organizada con esto, es conseguir tu información financiera. Esto lo logra “forzándote” a adquirir una licencia; al intentar hacerlo, estarás entregándoles directamente la información de tu tarjeta de crédito. Con esta información a la mano, la ciberdelincuencia puede realizar otra cantidad de acciones ilegales. Las páginas web diseñadas para este tipo de “scam” pueden parecer muy reales, la de una compañía de antivirus seria que contiene todos los iconos y certificados que te daría seguridad a ti para proceder con la compra.

También, dependiendo del diseño del Crimeware, puede que ocurra el caso en el que este incluya algunas subrutinas adicionales que graben toda la información que introduces en tu PC, y en las páginas web que visitas; entregándole así al dueño del Crimeware toda la información que necesita para realizar el fin que persigue.

Ya con tus datos en su poder, los ciberdelincuentes pueden hacer lo que deseen: robo de identidad, compras con tu dinero, o pueden incluso vender tus datos a terceros.

Puedes infectarte con un Rogue Antivirus desde muchos destinos en internet; no necesariamente tienes que estar navegando en sitios de dudosa procedencia, como piensa la mayoría de las personas (páginas de adultos, buscando programas licenciados en sitios de descargas gratuitos, etc.).

La compañía Websense ha detectado un ataque donde fueron unos 200.000 sitios web legítimos, “infectados”. La ciberdelincuencia se ha aprovechado de vulnerabilidades (grietas de seguridad) en estos sitios, y ha podido “sembrar” un código malicioso en esas páginas web para que cuando una persona las visite se descargue e instale el Rogue Antivirus.

Así que si notas este tipo de programa y comportamiento en tu computador, ya sabes que estás ante un tipo de Crimeware; toma las medidas necesarias pronto!.

En la siguiente entrega hablaremos de una herramienta que utiliza mucho la Ciberdelincuencia: Las Botnets…

True Identity vs Anonymous: Evaluating real-life examples

noreply@blogger.com (S. Ali) — Fri, 29 Jul 2011 00:29:00 +0000

The privacy and dignity of our citizens are being whittled away by sometimes imperceptible steps. Taken individually, each step may be of little consequence. But when viewed as a whole, there begins to emerge a society quite unlike any we have seen, "a society in which government may intrude into the secret regions of a person's life".

Why be Anonymous?
"The right to be let alone is indeed the beginning of all freedom".
1.Everyone has the right to privacy.
2.Anonymous NOT EQUALS Law-breaker.
3.Requires intellect, desire, diligence, and dedication.

Cloak
-Minimally anonymous
-The FBI will find you

Dagger
-Moderately anonymous
-More difficult
-Potentially illegal
-The FBI can find you

Hermit
-Off the grid
-Completely invisible
-Up to you who finds you

Awareness
-Must develop new habits, gets easier over time
-Be discreet when talking to others
-Say as little as possible
-Identity awareness
-Use social engineering
-Look Around!
-Situational awareness
-Look for and avoid surveillance
-Blend in, do not stand out
-Ongoing process

Getting Started In Real Life
-Cancel All Subscriptions
-Forward Mail to a Secondary Address (Third-Party, Scanned Mail Service)
-Expunge legal and credit histories
-Place locks on credit files
-Shred everything

Getting Started Online
-Eliminate online profiles (Friendster, MySpace, Facebook, etc)
-Clean Up Search History
-Nothing in the Cloud (Host Your Own, Encrypt Everything)
-Everything in the Cloud (Host Nothing, Encrypt Everything)
-Format and Reinstall
-Create All New Accounts

Becoming Anonymous
-Change your name
-Alternative ID
-Alter fingerprints
-Sell registered properties
-Terminate all contracts
-Disposable email addresses (Dodgit, Guerilla Mail, Gmail, Hotmail, Yahoo)
-Mail box rentals (Mailboxes, Scanned Mail Service)
-Fake your own death

Shelter
-Single Room Occupancy (Cash rent, Long-term sublet, Shared utilities)
-Unregistered RV
-Commune (Kibbutz, Nudist Colony, Don’t Drink the Kool-Aid)
-Travel Continuously (Couch Surfing, Hostels, Shelters, Public Parks, Squatting)

Making Money
-Jobs that pay cash
-The world's oldest profession (e.g. Porn)
-Day labor
-Service industry
-Graphics and web design

Using Money
-Use Cash
-Classifieds, Cash Auctions
-Gift Cards, use as CCs
-Check Cashing Services
-Digital Money (E-Gold, Paypal Corporate, Internet Bartering)
-Money Orders
-Offshore Accounts
-Sugar Daddy

Transportation
-Public (Buses, Trains)
-Metro
-Cabs & Gypsy Cabs
-Greyhound
-Carpool / Rideshare
-Vehicles w/o Registration (Bicycles, 50cc Scooters)
-Travel in Disguise (Wear hats and glasses, Pre-determine camera locations)
-Avoid frequent mass-transit

Tracking
-Disable GPS devices
-Disable bluetooth
-Turn cell phone off when not in use
-RFID tags (RFID Zapper, Use a shielded wallet)
-Harden computers and smart phones
-Tinfoil hat

Communications
-Telecom (Pay phones, burners, Prepaid LD)
-Internet (Use email lightly, Internet Relay Chat, Usenet / classifieds)
-Encryption (Off the Record, Steganography)
-Phreaking
-Voice over IP (Hosted VoIP, BYO VoIP)

Online
-Public kiosks, local wifi
-Prepaid SIMs for data
-Use a Live CD
-Use tor, anonymous proxies
-Enable safe browsing
-Anonymous searching (startpage, googlesharing, customize google)
-Anonymous remailers
-Netbook + Truecrypt encrypted SSD, USB

Social Interaction
-Use disguises in public
-No long term communities
-Use a proxy
-Avoid people
-Avoid all social networking
-Avoid all publicity

The Rules
-Do not be your identity
-Get rid of your paper trail
-Use cash
-Constantly improve your situational awareness
-Blend in
-Encrypt everything

Internet Explorer: Your personal computer is public property

noreply@blogger.com (S. Ali) — Thu, 07 Jul 2011 00:09:00 +0000

A successful compromise will result in an attacker being able to blindly read every single file in the local drive.
–Either text and binary files (thanks MSXML2.DOMDocument.3.0!)
–Cross-domain information (Navigation history, Cookies)
–SAM backup files
–Recently opened files
–Personal pictures
–Other files, depending on the computer compromised (wwwroot in IIS, Configuration files for other applications)

Internet Explorer Internals
-Every browser has its own idiosyncrasies
-For the purposes of this presentation, it is convenient to review some design features of Internet Explorer
1.Security Zones
2.Zone Elevation
3.MIME type detection

Security Zones
-Enable administrators to divide URL namespaces according to their respective levels of trust and to manage each level with an appropriate URL policy Different treatment for web content depending on its source
-Five different sets of privileges (zones)
1.Restricted Sites
2.Internet
3.Trusted Sites
4.Local Intranet
5.Local Machine

Zone Elevation
-It occurs when a Web page in a given security zone loads a page from a less restrictive zone in a frame or a new window
-Internet Explorer behaves different based on which is the less restrictive zone up to which is trying to elevate
1.to the Local Machine zone is blocked
2.to the Intranet or Trusted Sites zones prompts for a confirmation
3.from the Restricted Sites zone to the Internet zone is allowed

MIME type detection
-Tests URL monikers through the FindMimeFromData method
-Determining the MIME type proceeds as follows:
1.If the suggested MIME type is unknown, FindMimeFromData immediately returns this MIME type as the final determination
2.If the server-provided MIME type is either known or ambiguous, the buffer is scanned in an attempt to verify or obtain a MIME type
3.If no positive match is obtained, and if the server-provided MIME type is known
4.If no conflict exists, the server-provided MIME type is returned. If conflict exist, the file extension is tried.
5.Otherwise defaults to text/plain or application/octet-stream

Features (vulnerabilities) enumeration
-Hiding the key under the doormat
-A chip off the old block
-Two zones, the same place
-How to put HTML/script code in remote computers
-Everything that glitters is not gold

Hiding the key under the doormat
-Internet Explorer cookies and history files are stored in different files and folders under %USERPROFILE%
-As a security measure, these files are stored inside randomly named folders with random file names
-These random names and locations are logged inside different mapping files named index.dat

%USERPROFILE%\Local settings\History\History.IE5\index.dat
%USERPROFILE%\Local settings\IECompatCache\index.dat
%USERPROFILE%\Cookies\index.dat

-These files are not entirely text formatted
-As these files work as maps to other files, access to these files would reveal the actual locations of mapped files and folders

A chip off the old block
-Internet Explorer resembles Windows Explorer in many aspects (both of them implement the Trident layout engine and both of them support UNC paths for SMB access)
-This way, Internet Explorer allows to access special files and folders, same as Windows Explorer does

Any web page in the Internet zone or above can include an HTML tag as follows:

-It will trigger an SMB request against 208.77.188.166
-As part of the challenge-response negotiation, the client sends to the server the following information about itself:
1.Windows user name
2.Windows domain name
3.Windows computer name
4.A challenge value chosen by the web server ciphered with the LM/NTLM hash of this user’s password

Two zones, the same place
-Internet Explorer will determine the security zone of a given UNC address as belonging to:
1.The Internet security zone if this path contains the IP address of the target machine
2.The Local Intranet security zone if this path contains the NetBIOS name of the target machine

-It makes sense, as SMB names just can be resolved in the same network segment
-\\NEGRITA is in the Local Intranet zone
-\\127.0.0.1 is in the Internet zone
-This is one of the root causes of the problems the Microsoft staff has into closing the attack vectors exposed here
-After several discussions with MSRC team members, they stated this issue is kind of a dead end, and cannot be fixed
-According to the Security Zones scheme, a page in a given zone can not redirect its navigation to a more privileged zone
-This behavior is known as Zone Elevation
-Now, consider the following dialog:

-In this case Internet Explorer will erroneously (due to this ambiguity) apply Zone Elevation restrictions and the redirection will effectively occur
-There is another way to bypass Security Zone restrictions
-Suppose that example.com (10.1.1.1) was explicitly added to the Restricted Sites Security Zone
-Then this URI will be treated with the privileges of that zone
-However, if the same resource is requested using the UNC notation, it will be treated as belonging to the Internet Security Zone (e.g. \\10.1.1.1\index.html)
-Restricted Sites restrictions to a given resource are bypassed if it can be accessed using a different protocol [file: | https: | ...]

How to put HTML/script code in remote computers
-There are different ways for remote servers to write HTML/script code in clients hard drives
1.Navigation history files
2.Cookies
3.Mapping files (Internet Explorer index.dat)

-Problems in the design/implementation of these feature
1.Contents are saved as they were received, with little or no sanitization/overhead, into these files
2.Internet Explorer allows rendering the contents of non-pure HTML files skipping the parts that can not be rendered

Everything that glitters is not gold
-The way Internet Explorer decides how to treat a given file is known as MIME type detection
-It basically uses an algorithm to find and launch the correct object server/application to handle the requested content
-Is based on information obtained from
1.The server-supplied MIME type, if available
2.An examination of the actual contents associated with a downloaded URL (FindMimeFromData)
3.The file name associated with the downloaded content (assumed to be derived from the associated URL)
4.Registry settings (file extension/MIME type associations or registered applications) in effect during the download

-Problems in the design/implementation of this feature:
1.The server-provided MIME type is returned when the following conditions are true:
-no positive match is obtained from the FindMimeFromData() buffer scan
-server-provided MIME type is known
-no conflict exists (format is either text or binary)

2.Has been probed (more than once) not to behave deterministically when accessing the same resource through different methods
-direct navigation
-redirection
-frame/iframe reference
-scripting

Turning features into vulnerabilities to build an attack
-In and of itself each of these bugs may not seem like something you should be concerned about
-The combined use of them by an attacker may lead to some interesting attacks

Case 1: Attacking local networks with shared folders

Case 2: Attacking the Internet user

Overall Impact
-By chaining the exploitation of a series of weak features an attacker is able to store HTML and scripting code in the victim’s computer and force the victim’s browser to load and render it
-127.0.0.1 is in the Internet Zone, but as the code is actually stored in the victim’s computer, it can access other files in the same computer (in this case, the victim’s computer)
1.SAM backup files
2.All of the victim’s HTTP cookies and history files
3.Source files in Inetpub\wwwroot
4.Recent files, personal pictures (thumbs.db maps these files)
5.Any other file on the local system (system events, configurations)

These attack scenarios have been proven to work:
1.CORE-2008-01035
2.CORE-2008-0826
3.CORE-2009-06256

-The only difference is in the way Internet Explorer is tricked into rendering its internal tracking files as HTML
-That is the only thing Microsoft is fixing. This is a design problem. They are just blocking our proof of concept
-That is why we are breaking it over and over again

Solutions and Workarounds
-Internet Explorer Network Protocol Lockdown
-Set the Security Level setting for the Internet and Intranet zones to High
-Disable Active Scripting for the Internet and Intranet zone with a custom setting
-Only run Internet Explorer in Protected Mode
-Use a different web browser to navigate untrusted web sites

Attacking VMWare Guest Machines

noreply@blogger.com (S. Ali) — Thu, 30 Jun 2011 23:25:00 +0000

Vulnerability Discovery
-Vulnerability identified on 5/14/09
-Reported to VMware on 5/15/09
-VMware responded on 5/21/09
-CVE-2009-3733 reserved on 10/20/09
-VMSA-2009-0015 released on 10/27/09
-"Directory Traversal vulnerability"

Identification
-Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04)
-Thought to be localized to inside of NAT interface of Host (8307/tcp)
-Can steal VMs from within other VMs... if NAT.

Description
-Web Access web servers also vulnerable
-Server (default ports 8222/8333) - ../ x 6
-ESX/ESXi (default ports 80/443) - %2E%2E/ x 6
-No longer requires NAT mode / Remotely exploitable
-Not as straightforward as originally thought
-Still trivial to exploit because...

Root Access Is Easy

How it works?

-Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.)
-Web server on 8307/tcp is also vulnerable, but serves ALL filetypes
-Simply append /sdk to our URL request and we’ve got complete access to Host filesystem (including other Virtual Machines)
-ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)

Vulnerable Versions
Server
-VMware Server 2.x < 2.0.2 build 203138 (Linux)
-VMware Server 1.x < 1.0.10 build 203137 (Linux)

ESX/ESXi
-ESX 3.5 w/o ESX350-200901401-SG
-ESX 3.0.3 w/o ESX303-200812406-BG
-ESXi 3.5 w/o ESXe350-200901401-I-SG

Guest Stealer
-Perl script remotely ‘steals’ virtual machines from vulnerable hosts
-Supports Server, ESX, ESXi
-Allows attacker to select which Guest to ‘steal’
-Utilizes VMware configuration files to identify available Guests and determine associated files

VMINVENTORY.XML
-/etc/vmware/hostd/vmInventory.xml (default location)
-Gives us Guest inventory & location information

Mitigation
-Patch, patch, patch
-Hosts are an attractive target (compromise one = access many)
-Better yet...Segment, segment, segment
-Segment management interfaces
-Segment systems of different security levels
-Don’t share physical NICs between different security levels
-Virtualization is not always the "best answer"

Credits: Justin Morehouse @ ShmooCon

Broad View of Cloud Security

noreply@blogger.com (S. Ali) — Tue, 28 Jun 2011 23:55:00 +0000

Cloud Computing in the security industry has multiple definitions and several approaches:

-URL scanning
-AV scanning
-Spam scanning
-RBL
-and more...

Cloud Paradigm
-Pro Cloud
-Against Cloud
-A hybrid approach is better

Strenghts
-No versioning (no large product updates)
-Low resource consumption
-Higher speed
-Not OS dependant
-Not hardware dependant
-Instant access to updates
-New technologies available like outbreak detection or statistics based algorithms
-Sometimes...It is also cheaper

Weaknesses
-No internet connection means no cloud
-Susceptible to DDOS attacks
-Resource Consumption just moved in the cloud. It didn’t vanished!
-Connection spikes can cause false negatives (or, even self-DDOS)
-Instant updates can also mean instant faulty updates
-Data center failure means no detection

What Else Can Cloud Offer?
Opens the door to a new set of:
-Applications
-Devices
-Operating systems

Size Does Matter
-Several sources of URLs means an extremely large number of URLs
-Several clients that query the cloud means a massive number of links that have to be analyzed
-Links have various statuses (clean, infected, phishing, fraud) which change dynamically
-So, one has to move fast...

Lies, Damned Lies and Statistics
-Targeted attacks stay under the radar
-Slow spreading malware too

Not everybody likes us
-Website owners
-ISPs
-Maybe even social networks?
-And hopefully the bad guys (i.e. Hackers)

Conclusion
-We believe that a hybrid approach is best
-The cloud should be used as another filtering method and not as a universal solution
-Not only there should be a hybrid approach, but also these techniques have to be interconnected
-Although it looks quite easy in theory, creating and maintaining a cloud architecture is not an easy process

Advanced Mobile Spyware

noreply@blogger.com (S. Ali) — Thu, 16 Jun 2011 00:44:00 +0000

Mobile Spyware

-Often includes modifications to legitimate programs designed to compromise the device or device data
-Often inserted by those who have legitimate access to source code or distribution binaries
-May be intentional or inadvertent
-Not specific to any particular programming language
-Not specific to any particular mobile Operating System

Attacker Motivation
Practical method of compromise for many systems
–Let the users install your backdoor on systems you have no access to
–Looks like legitimate software so may bypass mobile AV

Retrieve and manipulate valuable private data
–Looks like legitimate application traffic so little risk of detection

For high value targets such as financial services and government it becomes cost effective and more reliable
–High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation
–Think "Aurora" for Mobile Devices

FlexiSpy
http://www.flexispy.com
$149 -$350 PER YEAR depending on features
Features:
–Remote Listening
–C&C Over SMS
–SMS and Email Logging
–Call History Logging
–Location Tracking
–Call Interception
–GPS Tracking
–Symbian, Blackberry, Windows Mobile Supported

Mobile Spy
http://www.mobile-spy.com
$49.97 PER QUARTER or $99.97 PER YEAR
Features:
–SMS Logging
–Call Logging
–GPS Logging
–Web URL Logging
–BlackBerry, iPhone(JailbrokenOnly), Android, Windows Mobile or Symbian

Etisalat (SS8)
-Cell carrier in United Arab Emirates (UAE)
-Pushed via SMS as "software patch" for Blackberry smartphones
-Upgrade urged to "enhance performance" of Blackberry service
-Blackberry PIN messaging as C&C
-Sets FLAG_HIDDEN bit to true
-Interception of outbound email / SMS only
-Discovered due to flooded listener server cause retries that drained batteries of affected devices
-Accidentally released the .jar as well as the .cod (ooopsie?!)

Bugs & Phonesnoop
–Exfiltration of inbound and outbound email
–Hidden
–Remotely turn on a Blackberry phone microphone
–Listen in on target ambient conversation

Storm8 Phone Number Farming
–iMobstersand Vampires Live (and others)
–"Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhoneuser who downloads any Storm8 game," the suit alleges. "... Storm8, though, has no reason whatsoever to access the wireless phone numbers of the iPhones on which its games are installed."
–"Storm8 says that this code was used in development tests, only inadvertently remained in production builds, and removed as soon as it was alerted to the issue."

Symbian Sexy Space
–Poses as legitimate server ACSServer.exe
–Calls itself 'Sexy Space'
–Steals phone and network information
–Exfiltrates data via hacker owned web site connection
–Can SPAM contact list members
–Basically a "botnet" for mobile phones
–Signing process: Anti-virus scan using F-Secure (Approx 43% proactive detection rate (PCWorld))
-Random selection of inbound manually assessed
–Symbiansigned this binary as safe!

09Droid –Banking Applications Attack
–Droid app that masquerades as any number of different target banking applications
–Target banks included: Royal Bank of Canada, Chase, BB&T, SunTrust, Over 50 total financial institutions were affected
–May steal and exfiltrate banking credentials
–Approved and downloaded from Google’s Android Marketplace!
–http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps-market
–http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3209953

Blackberry Takes Security Seriously
-KB05499: Protecting the BlackBerry smartphoneand BlackBerry Enterprise Server against malware: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB05499
-Protecting the BlackBerry device platform against malware: http://docs.blackberry.com/en/admin/deliverables/1835/Protectingthe BlackBerry device platform against malware.pdf
-Placing the BlackBerry Enterprise Solution in a segmented network: http://docs.blackberry.com/en/admin/deliverables/1460/Placing_the_BlackBerry_Enterprise_Solution_in_a_Segmented_Network.pdf
-BlackBerry Enterprise Server Policy Reference Guide: http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf

Does It Really Matter?
-Only 23% of smartphone owners use the security software installed on the devices.
(Source: Trend Micro Inc. survey of 1,016 U.S. smartphoneusers, June 2009)
-13% of organizations currently protect from mobile viruses
(Mobile Security 2009 Survey by Goode Intelligence)

Code Signing
-Subset of Blackberry API considered "controlled"
-Use of controlled package, class, or method requires appropriate code signature
-Blackberry Signature Tool comes with the Blackberry JDE
-Acquire signing keys by filling out a web form and paying $20
–This not is a high barrier to entry
–48 hours later you receive signing keys
-Install keys into signature tool
-Hash of code sent to RIM for API tracking purposes only
-RIM does not get source code
-COD file is signed based on required keys
-Application ready to be deployed
-Easy to acquire anonymous keys

IT Policies
-Requires connection to Blackberry Enterprise Server (BES)
-Supersedes lower levels of security restrictions
-Prevent devices from downloading third-party applications over wireless
-Prevent installation of specific third-party applications
-Control permissions of third party applications
–Allow Internal Connections
–Allow Third-Party Apps to Use Serial Port
–Allow External Connections
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Application Policies
-Can be controlled at the BES
-If no BES present, controls are set on the handheld itself
-Can only be MORE restrictive than the IT policy, never less
-Control individual resource access per application
-Control individual connection access per application
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Installation Files
-.COD files:A COD file is a proprietary file format developed by RIM that contains compiled and packaged application code.
-.JAD files:An application descriptor that stores information about the application itself and the location of .COD files
-.JAR files:a JAR file (or Java ARchive) is used for aggregating many files into one. It is generally used to distribute Java classes and associated metadata.
-.ALX files:Similar to the .JAD file, in that it holds information about where the installation files for the application are located

txsBBSpy Logging and Dumping
-Monitor connected / disconnected calls
-Monitor PIM added / removed / updated
-Monitor inboundSMS
-Monitor outbound SMS
-Real Time trackGPS coordinates
-Dump all contacts
-Dump current location
-Dump phone logs
-Dumpemail
-Dump microphone capture (security prompted)

txsBBSpy Exfiltration and C&C Methods
-SMS (No CDMA)
-SMS Datagrams(Supports CDMA)
-Email
-HTTP GET
-HTTP POST
-TCP Socket
-UDP Socket
-Command and control hard codedto inbound SMS

Future Work (Offensive AND Defensive)
-Reverse engineer .cod file format
-Continued research into unobstructed installation methods (requires exploitation)
-Infect PC with virus that acts as distribution hub
-Research additional exfiltration methods for tunneling without prompting

Automated Independent Gadget Search

noreply@blogger.com (S. Ali) — Wed, 15 Jun 2011 00:39:00 +0000

Goal
The goal of this research is to be able to use return-oriented programming platform independently across multiple platforms.

Motivation
-CPU Architecture diversity is increasing.
-We want to execute code on machines despite the presence of non-executable memory, but we do not aim for ASLR.

History

Strategy
-Use only already present code
-No single instruction / return like approach
-Use REIL to be platform independent
-Use "free-branch" instructions rather than ret only
-"Find all first, then filter useful ones" approach
-Keep an eye on side-effects and minimize them

Small RISC instruction set:
-17 instructions for arithmetic, control flow and misc functionality
-Instructions are always side-effect free

Interpreter:
-Virtually unlimited memory and temporary registers
-Implemented as a register machine

No support for:
-Exceptions, floating point instructions, 64Bit instructions yet

Algorithms

Algorithms stage I
Collect data from the binary:
1.Extract expression trees from native instructions
-Handlers for each possible REIL instruction
-Most of the handlers are simple transformations
-Memory store and conditional execution need special treatment

2.Extract path information
-Path is extracted in reverse control flow order
-We want to have all possible outcomes for a conditional execution in a single expression tree

Algorithms stage II
Merge the collected data from stage I:
1.Combine the expression trees for single native instructions along a path

1:  0x00000001 ADD R0, R1, R2  
2:  0x00000002 STR R0, R4  
3:  0x00000003 LDMFD SP! {R4,LR}  
4:  0x00000004 BX LR

2.Determine jump conditions on the path
3.Simplify the result

Algorithms stage III
Goal of the stage III algorithms:
-Search for useful gadgets in the merged data. Use a tree match handler for each operation.
-Select the simplest gadget for each operation. Use a complexity value to determine the gadget which is least complex (side-effects).

Results
-Algorithms for platform independent return-oriented programming are possible
-We are able to find all necessary gadgets for return-oriented programming using our tool
-Searching for gadgets is not only platform but also very compiler dependent
-Minimizing side-effects is possible if the right approach is chosen

Future work
-Abstract gadget description language
-Automatic gadget compiler for all platforms
-Bring more platforms to REIL
-Better understand the implications of different compilers

Office Documents: New Cyber Weapons

noreply@blogger.com (S. Ali) — Mon, 25 Apr 2011 00:48:00 +0000

Reallity of cyberwarfare
-August 2007: Espionage case of China against German chancelery. 163 Gb of Gouvernemental data stolen through a Trojan-infected Office document.
-2009 to 2010: Chinese hackers succeeded in stealing economic and financial data from European Banks, through malicious PDFs.

Document as cyberweapons
-(Open)Office document are good vectors
-PDF documents are also used nowadays

The Cyberwarfare Show
-PWN2KILL, May 2010 Paris, challenge has proved the risk is real and high.
http://www.esiea-recherche.eu/iawacs2010.html
-Huge technical possibilities on one side, quite no protection and detection capability on the other side.
-Many critical systems are rather secure with a strong security policy enforced.
-Classical approaches are less and less possible, not say impossible.

Which applications are concerned?
-Office 2010
-OpenOffice 3.x
-All other office applications

What is the Purpose?
-To install malicious payload into the operating system, whithout being detected by any AV.
-We do not want to exploit any vulnerability (target = secure sensitive systems e.g. combat systems).

Macro Security in MSO
Possible level of security:
Level 4 (0x00000004): Disable all macros without notification.
Level 3 (0x00000002): Disable all macros with notifiation.
Level 2 (0x00000003): Disable all macros except digitally signed macros.
Level 1 (0x00000001): Enable all macros.

Location of settings:
Registery key : HKEY_CURRENT_USER\Software\Microsoft\Office\ 12.0\ \Security
Application = {Word, Excel, Powerpoint, Access}

Trusted location:
A trusted location is a directory where macros of documents stored inside are allowed to be executed automatically.

Macro Security in OpenOffice
Security settings:
Both Macro security level and trusted location are defined in "Common.xcu" file at:
Openoffice.org\3\user\registery\data\org\openoffice\Office

Example:

1:  <node oor:name="Security">  
2:  <node oor:name="Scripting">  
3:  <prop oor:name="MacroSecurityLevel" oor:type="xs:int">  
4:  <value>0</value></prop></node></node>

Trusted Location:
Set the root directory as Trusted location

1:  <node oor:name="Security">  
2:  <node oor:name="Scripting">  
3:  <prop oor:name="SecureURL" oor:type="oor:string-list">  
4:  <value>file:///C:/</value></prop></node></node>

The use of 'AutoExec' event with MSO:
-Able to naturally bypass the level 2 of execution.
-Several events are available: AutoNew, Open, Close, Exit, Exec
-Applied on template named Normal.dotm and stored inside MSO's users settings file.
-Execute the macro at opening event even if any macro are not allowed to be executed (Level 2).

MSO and OO: The integration
-Both are based on the W3C specification. But the integration is totally different.

MSO’s integration:
-Office makes it easier to create signatures.
-It is possible to create self-signed certificates.
-They are stored inside _rel\.rel file within the document.

Openoffice’s integration:
No significant change about signature since 2006, the first study.
Black Hat 2009, Amstersdam, E.Filiol J.-P. Fizaine, Openoffice v3.x Security Design Weaknesses.

MSO Case
+Change to the lowest level: 0
Interesting Keys: HKEY_CURRENT_USER
Path: Software\\Microsoft\\Office\\12.0\\Word\\Security
Windows API: RegOpenKeyEx, RegSetValueEx, RegCreateKeyEx, RegCloseKey

+Set the directory c:\Users as a Trusted Location.
KEY: HKEY_CURRENT_USER
Path: Software\\Microsoft\\Office\\12.0\\Word\\Security\\Trusted\\Locations
Path2: Software\\Microsoft\\Office\\12.0\\Word\\Security\\Trusted\\Locations\\Location3

OpenOffice Case
+Change the Macro security level to the lowest: 0
-Settings are stored in only one file! No use of specific library is needed, the C Standard Library is sufficient.
-Forge the Path
-Locate the position inside the file
-Insert the value:

1:  <node oor:name="Security"> <node oor:name="Scripting">  
2:  <prop oor:name="MacroSecurityLevel" oor:type="xs:int">  
3:  <value>0</value> </prop> </node> </node>

-Update by restart the application

+Trusted Locations
-Insert the value:

1:  <node oor:name="Security"> <node oor:name="Scripting">  
2:  <prop oor:name="SecureURL" oor:type="oor:string-list">  
3:  <value>file:///C:/</value> </prop> </node> </node>

K-ary Malware
Malware made of k-different, innocent-looking (from the AV point of view). Each of them can (inter)act independently or not and can either be executed in parallel or in sequential. Not all the parts are necessarily executable. The cumulative action of each part defines the malware action.

Proof of Concept (PoC):
E. Filiol, Journal in Computer Virology, 2007.
Hack.lu 2009, A. Desnos, Implementation of K-ary viruses in Python.

Two waves of attack: The use of 2-ary malware
Suppose the security level is set to the paranoid mode, it is impossible to change the level from inside the macro.

Journal in Computer Virology, 2006, D. de Drézigué, J.- P. Fizaine, N. Hansma, In-depth Analysis of the Viral Threats with OpenOffice.org Documents

Why this approach?
-Attacking (secure) systems becomes really complex. Just exploiting one or more vulnerability does no longer suffice. Installing a functionnally sophisticated program is less and less easy. The solution is to split the viral information into many pieces!
-Real case: secure systems generally filter and forbid packed binaries/shellcodes.
-Using 2-ary malware is a powerful alternative.
-The first executable performs a innocent, generally legitimate simple action.
-The office document then installs more complex malware transparently and silently.

Protection and Countermeasures
-Use of Public Key Infrastructure
-Whenever self-signed certificates are used. Check the serial number, timestamp and validity systematically. The serial number is supposed to be unique.

The Black Market of your Digital Data Illustrated

noreply@blogger.com (S. Ali) — Wed, 06 Apr 2011 23:59:00 +0000

Ineffectiveness of AntiVirus Solutions

noreply@blogger.com (S. Ali) — Fri, 11 Feb 2011 23:12:00 +0000

Many recent high profile attacks into major software companies, public sector institutions and international organizations.
–Aurora attack on Google and 32 other companies last year
–In all cases: malicious email was sent to victim

Email-borne threats fall into two general categories:
–Mass email attacks
–Targeted attacks
Traditional AV increasingly ineffective and heuristic engine is necessary.

Typical Bredolab/Trojan.Sasfis
Most prolific family of mass-mailed threats using executable attachment.
Social engineering lures:
–Social Media website password reset
–Western Union or UPS invoice
–"You have received an E-Card!"
–Spammed out in very large numbers (Cutwail botnet)
–Many different payloads
–13.3% of all Malware stopped by Skeptic
–Between June 2009 and June 2010 (excluding Phish and links)
–Typically low AV detection (< 10 on VT)
–Good social engineering tactics
–Use of Word or Excel icons
–Spoof prolific companies (Facebook, UPS, Fedex)
–Heavy use of server-side polymorphism (SSP) to evade signature-based AV

Signature-based AV
–Create a "signature" for a piece of Malware
–String(s) of bytes
–Checksum(s)
–Very specific
–Evidence of increased use of SSP
–In 2008, Symantec created 1,691,323 new malicious code signatures
–In 2009, 2,895,802 new signatures were created (71% increase)
–139% increase from 2007 to 2008
–Not sustainable!
–Solution: heuristic-based approach

Signature Development Process

Heuristic-based Approach
–Generic detection
–Features known to exist in Malware
–Decision based on extracted features
–Weighted
–Cloud based
–no reactive signature deployment delays

Polymorphic Viruses
–Big problem for AV
–Many different variants
–Functionally equivalent
–Signatures required for each variant
–Solution: "emulation"
–Emulate past decryptor stub
–Sig the static virus body

Server-side polymorphism (SSP)
–Custom encryption routine
–Decrypt at runtime
–Generated by a polymorphic engine
–Hundreds or perhaps thousands of unique variants
–Random junk instructions
–API calls
–Arithmetic
–EP

Use in mass-email attacks
–Attackers generate a number of unique binaries
–Change the binary being spammed throughout the attack
–Problem for any vendor without proactive protection in place

Bredolab Case Study - 30 March 2010
–Standard Bredolab run:
–Subject: variation of 'UPS Delivery Problem NR 18800'
–Attachment: similarly named 'UPS_invoice_1845.exe'
–relatively small (only 56 observed copies)
–Started at 19:08:33 GMT (time 0)
–Last observed sample at 19:36:31
–Total of 27 min 59s

Case Study - AV Detection & Response Time
–At time 0, AV detection was 0
–Average response time?
–661 minutes (11 hours and 1 minute)
–Remember that the attack only lasted 28 mins
–This is the average response time
–INEFFECTIVE

Aurora and Targeted Attacks (Spear-Phishing)
–Aurora/Hydraq
–Up to 34 different companies compromised in same period using similar techniques
–Email links to malicious web pages
–Flaws in Adobe Acrobat Reader
–Google hackers are back?
–CVE-2010-2883

According to US Department of Defense Cyber Crime Center:
"102 breaches of the Pentagon’s agencies, partners and contractors in a two-year period ending August 2009"

Targeted Attack Case Study - 24 March 2010
–Targeted attack blocked attempting to exploit CVE-2010-0188 (libTiff)
–Single copy sent to an individual in a major international organization
–Co-ordinates governments from around the world
–Trojanized a clean PDF from a World Cup travel site

Case Study - AV Detection & Response Time
–AV detection was 0
–One week later, AV detection at 33%
–Sample sharing, blogged
–Average response time?
–3631 minutes (two and a half days)
–Only takes into account the 33% of vendors that were actually detecting the threat
–INEFFECTIVE

Targeting SAP Platform Using Trojans and Rootkits

noreply@blogger.com (S. Ali) — Mon, 31 Jan 2011 22:10:00 +0000

Typical Enterprise Environment
-Has more than a thousand of employees
-Is a circus of IT Systems
–Mixture of operating systems, databases, applications and their different versions
-Decision makers care more about their bonus than the interest of the company
-Is a political battlefield

Enterprise Security
Even a medium level of IT security is too expensive to achieve
–Missing asset management (how many Oracle DBs, Windows servers, etc)
–Tons of security scanning, to few remediation chasing
–Many of the vulnerabilities cannot be mitigated
-Obsessed by Cross Site Scripting
-IT security departments cannot influence security decisions of business applications much, because of political reasons.
-Nobody cares about the hacked UNIX machine, SQL DB, or others.
-Defacement and similar security incidents are budget approvers

SAP Systems
-Business specific
-Industry solutions
-Hold the Crown Jewels
-Are usually extensively customized
-Less exposure to typical hackers (ABAP)

SAP Security
-Security mostly focuses on authorizations and segregation of duties
-Intrusion prevention is still a baby
-Risks are underestimated/general IT Security efforts are typically unbalanced at companies
-Unlike e.g Active Directory, SAP systems belong to the business, not the IT
-Security departments usually fail when they are challenged

RFC (Remote Function Call) protocol lets you run functions remotely
–To run; use Java, C, etc. with RFC-SDK or simply execute the test program "startrfc". Following
creates a new user with god rights:

startrfc -3 -h 10.1.5.4 -s 05 -c 010 -u ERTUNGA -p CCC42 -F SUSR_RFC_USER_INTERFACE
-E USER=SATRIANI -E ACTIVITY=01 -E PASSWORD=RUBINA -E USER_TYPE=A -T USER_PROFILES,
12,r=-SAP_ALL

There is no exploit involved. Everything is intended functionality.
–Beats "RFC users are not a threat because they cannot login via SAPGUI"
–Time to recheck company’s shared folders and eliminate hardcoded passwords.

RFC (a.k.a communication) users are thus very very important!
–Secure their passwords and make them part of the password change process
–Don’t forget: GUI (dialog) users which have S_RFC rights can also execute remotely
–SAP_ALL FOR COMMUNICATION USERS IS A NO GO!

RFC_READ_TABLE
Reads the contents of any table (Including ones with sensitive data e.g salary information)
Has bugs in converting e.g binary fields

SUSR_RFC_USER_INTERFACE
Can be used for creating/modifying users

RFC_ABAP_INSTALL_AND_RUN
-Takes ABAP source lines and executes them
-Widely known! tighten user authorizations to prevent abuse
-More restricted in latest NetWeaver Systems

RFC can be encapsulated in SOAP messages (SOAP RFC)
-Company’s internal proxy suddenly opens the doors to all SAP systems
-Disable it if not used!

Single Sign-on (SSO2)
-Is a convenient feature, not a security feature
-RTFM: Secure Store and Forward [SSF] documentation
-Personal Security Environment files hold the private key data
-If an attacker obtains it, it can create authentication tickets for the victim system. Accepting these tickets is enabled per default. Attacker can logon as any user.
-The private key container (PSE) can be pin-protected
-Advice: Disable accepting tickets using relevant profile parameters!

SQL Injection-ABAP typically uses parametrized queries (Developers can still specify parts of sql statements dynamically by parentheses)
-Not dynamic: SELECT ColumnA FROM TableA INTO[...]
-Dynamic: SELECT(var_ColumName)FROM(var_TableName) INTO[...]WHERE(var_WhereClause)
-Avoid dynamic statements where possible!

Cross Site Scripting
-Proper sanitization/encoding of the input data is the key for self developed web code such as BSPs.
-If not done, an attacker can do everything related to XSS, plus steal e.g the SSO2 (Authentication) cookies from the clients SSO2 cookies are stateless so client impersonation is a breeze. Avoid using this mechanism without proper controls.
-If you have F5's or similar devices, encrypt cookies based on origin IP.

ABAP Executable Manipulation
-Statement: INSERT REPORT
-Writes custom code to any ABAP program
-It's even possible to call an editor to make it more user friendly
-Very suspicious if found in self-developed code

RS_REPAIR_SOURCE Executable
-Unpatched version does not have authorization checking.
-People with e.g SE38 rights can execute this and manipulate the system and data of it.
-Same as ABAP injection, only more convenient.
-SAP patched it via: SAP Note 1167258: Program RS_REPAIR_SOURCE

ABAP Rootkits
-It is possible to modify system executables (ABAPs)
-An attacker can easily infect important ones executables and install an ABAP rootkit
-SAP has RFC functions that do not require user authentication by default (SRFC Function Group). This could be one candidate.
-Installed rootkit can give anonymous access to the attacker with functionality such as: Installing
SAP_ALL users, Manipulating ABAP reports, Running OS commands, Stealing hashes or PSE files, Deleting Logs.

Triple-Penetration Attacks
Penetration 1: Attacker exploits the weakest system
-Typical enterprise setup: Testing/Development > Quality Assurance > Production
-Among them, most unprotected are test/development systems

Penetration 2: Attacker infects clients which connect to the weakest system
–Starts with modification/infection of the critical areas such as logon screen ABAP code
-When admins/developers successfully login, malicious payload is downloaded and executed on these users computers

Penetration 3: Victim infects all the systems it later connects to
-Modification of critical components of the newly accessed SAP systems (Internal production systems, Partner systems, critical systems)

How to stay secure
-Have proper "check-in" and "leavers process" that take the ABAP developer risks into consideration
-Audit the code against security vulnerabilities before transporting to production systems
-Syncing passwords to development systems means, possibility of developers to capture valid passwords for production systems. Avoid it!
-Get rid of insecure and/or default passwords
-Disable backwards compatiability of passwords
-Install the latest security patches

Wireless Reconnaissance in Practice

noreply@blogger.com (S. Ali) — Thu, 28 Oct 2010 03:20:00 +0000

Kismet (stable, devel and newcore)
Locate / Identify AP(s)
-BSSID, ESSID, Channel and Encryption
-GPS data
Locate / Identify Client(s)
-MAC Address
-Manufacturers
Perform Spectrum analysis
Drones / open-source WIPS

Aircrack-ng – Cracking WEP and WPA
-Suite of tools for wireless testing
-Mostly thought for wireless cracking
-Can also be used for wireless recon
-IE Airodump-ng

Netstumbler
-All for the Win32 geeks.

Types Reconnaissance Data
Kismet-(stable|devel) – Txt, CSV, XML, GPS and pcap
Kismet-newcore – Txt, NetXML, GPS and pcap
Aircrack-ng – CSV, pcap, XML

Wireless Recon Visualization Tools
-Gpsmap (ancient)
-Pykismet
-Kismet-earth
-kisgearth

Limitations of Visualization Tools
-None work with Kismet-newcore
-None work with Aircrack-ng
-Flexible representation of specific information (total flexibility in the generated graphs).

Analyzing Malware Through MS-Office Documents

noreply@blogger.com (S. Ali) — Tue, 12 Oct 2010 15:27:00 +0000

Key Highlights
-MS Office commonly exploited since 2006
-Existing exploits in the wild exploit unexceptional the older OLESS file format.
-Currently no known bugs in the newer XML based MS Office format.

Some MS Office exploits since 2006
-CVE-2006-0009 Powerpoint MS06-012 (March 2006)
-CVE-2006-0022 Powerpoint MS06-028 (June 2006)
-CVE-2006-2492 Word MS06-027 (June 2006)
-CVE-2006-3434 Powerpoint MS06-062 (October 2006)
-CVE-2006-3590 Powerpoint MS06-048 (August 2006)
-CVE-2006-4534 Word MS06-060 (October 2006)
-CVE-2006-4694 Powerpoint MS06-058 (October 2006)
-CVE-2006-5994 Word MS07-014 (February 2007)
-CVE-2006-6456 Word MS07-014 (February 2007)
-CVE-2007-0515 Word MS07-014 (February 2007)
-CVE-2007-0671 Excel MS07-015 (February 2007)
-CVE-2007-0870 Word MS07-024 (May 2007)
-CVE-2008-0081 Excel MS08-014 (March 2008)
-CVE-2008-4841 Word MS09-010 (April 2009)
-CVE-2009-0238 Excel MS09-009 (April 2009)
-CVE-2009-0556 Powerpoint MS09-017 (May 2009)

Generic OLESS Format
-OLESS Header
-FAT FS: SectorNumbers, OLESS directory entries
-Data is divided into directories (storages) and files (streams)
-Depending on the application streams may contain: Macros, Graphics, Tables, Sounds, Animations, etc.
-Parsing can be done using the Win32 COM API: StgOpenStorage(), IStoragemethods, IStreammethods.

Malicious Document Structure

Typical MS-Office Shellcode Behavior

When a bug in a MS Office application gets triggered:
-Shellcode executes
-Finds itself by open file handles enumeration and file size checking
-SetFilePointerto encrypted PE-File(s), decrypt, drop and execute
-Drop harmless embedded MS Office document and start to look innocent

More information:
-Not much public information about MS-Office malware analysis available
-Microsoft Office Binary File Format Specification (since Feb. 2008)
-Bruce Dang's talk "Methods for Understanding Targeted Attacks with Office Documents".

Available Tools For Analysis
-DFView (old school Microsoft OLE structure viewer)
-Officecat (signature based CLI utility)
-FlexHexEditor (OLE compound viewer)
-OffVis (office binary file format visualization tool)
-OfficeMalScanner (forensic tool for analysts to find malicious traces in MS Office documents)

Analyzing Side Channel Attacks on Embedded Systems

noreply@blogger.com (S. Ali) — Wed, 25 Aug 2010 22:58:00 +0000

General embedded systems based on micro-controller and complex processors:
-USB sticks
-Car locks
-Remote access tokens
-Mobile devices
-Game consoles
-Multi-media chipsets for pay-TV

Think of Security:
-What is the threat from side channel analysis to embedded systems?
-How does it compare with attacks on smart cards?
-What are the future developments?

Attacking Side Channels
-Time
-Power consumption
-Electro-Magnetic radiation
-Light
-Sound

Power/EM traces
-Signal leakage from busses, registers, ALUs, etc.

Statistical data detection
-Where is data processed in presence of noise?
-Collect many traces with different data (n > 1000)
-Assume data values are:
known (e.g. algorithm input or output)
uniformly random (typical for crypto)
-We focus on one bit of one variable in the process

Differential trace
-Input: n traces with known variable (e.g. input or output)
-Output: 1 trace with indication where bit causes trace differences

Purpose of Side Channel Attacks on Embedded Systems
-Retrieve secrets (Key, PIN, Unlock code)
-Reverse engineer (Program flow, Crypto protocol, Algorithm)

Why Side Channel Attacks are interesting? If side channel threats depends on:
-Physical access?
-Access time window?
-Interfacing and control?
-Exploitation equipment $?

A device becomes interesting when:
-It contains a secret
-It contains a feature that can be unlocked
-Logical or physical access to internals is hard

Typical Side Channel Attack Example

Typical Prerequisites
-Access to side channel
-Access to input or output data
-Minimize noise in side channel
-Time measurement of operation (trigger)
-Link data to operation

Processor comparison with Smart Card

Acquisition comparison with Smart Card

Test vs. Attack
-An attacker needs to turn a vulnerability into an exploit
-A tester needs to gain insight in attacker cost efficiently
-How to create the optimal environment to discover a vulnerability?

General aspects of testing
-Controlling the crypto
-Linking data with measurements
-Efficiency of acquisition
-Increased speed versus increased complexity

Timing analysis
-Peripheral outputs assist (example XBOX 360)
-Exploiting runtime access (cache)
-Increasing accuracy with EM and power
-Timing is a risk in many software implementations: both crypto and comparisons

XBOX 360 with Backdoor

-XBOX 360 has a secure boot chain
-First boot loader security implemented with a HMAC-SHA1
-Hash secret key + boot loader with SHA1
-Compare 16 bytes result with stored 16 bytes
-Comparison is per byte -> timing attack
-Implementation in this infectus board:
    It can modify stored HMAC-SHA1 value in NAND flash
    Observes timing of diagnostic POST byte on PCB
    Reset CPU with nTRST
-Brute forcing 16*128 = 2048 values on average takes about 2 hrs

Power analysis
-Tapping power or supplying it
-Reaching rails
-Identifying the correct supply rail
-Disabling power domains
-Disabling peripherals
-All require more detailed knowledge on target

EM (Electro Magnetic) Analysis
-EM signal adds dimension
-How to locate?
-When can EM be better?
-EMA is an active research topic
-EM seems to add most when target operation is small relative to overall chip

Threat and Impact
-Few countermeasures
-Significant leakage
-Fast acquisition
-Required level of control
-Attacks needed to achieve control
-High noise level, increased acquisition times

Countermeasures
Hardware
-Random Interrupts
-Data / Key masking
-Shielding
-Balancing

Software
-Randomizing flow
-Blinding / Masking
-Algorithm
-Protocol design

Scanning SS7 Networks and Telecom Backbones

noreply@blogger.com (S. Ali) — Tue, 10 Aug 2010 00:15:00 +0000

Historic View
-Phreaking is a term for the action of making a telephone system do something that it normally should not allow.
-Telecommunications security problems started in the 1960’s when the hackers of the time started to discover ways to abuse the telephone company.
-Discovery and exploration of features of telecommunications systems.
-Controlling Network Elements (NE) in a way that was not planned by its designers.
-Abusing weaknesses of protocols, systems and applications in telephone networks.

Fraud Implanted by
-Blue Box
-Internal Fraud

Reliability
-US: 911, Europe: 112
-How much lost revenue is one minute of downtime?

Today's View
-SIP account hacking, remind the "Calling Cards" fraud?
-VoIP GW hacking, remind the "PBX hacking"?
-Signaling hacking directly on SS7 – SIGTRAN level

SS7 Attacks Scenarios
-Theft of service, interception of calling cards numbers, privacy concerns
-Introduce harmful packets into the national and global SS7 networks
-Get control of call processing, get control of accounting reports
-Obtain credit card numbers, non-listed numbers, etc.
-Messages can be read, altered, injected or deleted
-Denial of service, security triplet replay to compromise authentication
-Annoyance calls, free calls, disruption of emergency services
-Capture of gateways, rerouting of call traffic
-Disruption of service to large parts of the network
-Call processing exposed through Signaling Control Protocol
-Announcement service exposed to IP through RTP
-Disclosure of bearer channel traffic

Telecom Backbone

Discovering The Backbone
Deregulation
-Europe / US: CLEC vs ILEC

New services and new business partners
-Premium numbers, SMS providers, etc.

Push toward an “All IP” infrastructure
-Management network
-Cost
-SIGTRAN (SS7 over IP)

SS7 & SIGTRAN
-Core
-Formerly, the walled garden

VoIP
-Edge
-Hard to make it reliable (QoS, SBCs)

SS7 and IP
-There is also exponential growth in the use of interconnection between the telecommunication networks and the Internet, for example with VoIP protocols (e.g. SIP, SCTP, M3UA, etc.)
-The IT community now has many protocol converters for conversion of SS7 data to IP, primarily for the transportation of voice and data over the IP networks. In addition new services such as those based on IN will lead to a growing use of the SS7 network for general data transfers.
-There have been a number of incidents from accidental action on SS7, which have damaged a network. To date, there have been very few deliberate actions. Far from VoIP here.

Attacking SIGTRAN with SCTPscan (http://sctp.tstf.net/)
Where implementation diverge from RFCs
-RFC says "hosts should never answer to INIT packets on non-existings ports".
-Syn scanning is slow when no RST

Below the IDS
-How many firewall logs dropped SCTP packets?
-How many IDS(s) watch for SCTP socket evil content?
-Example: Dshield.org - Real life distributed IDS, Hundreds of thousands of IP scanned, nor detected neither reported as scanner.

INIT vs SHUTDOWN_ACK Packet Scanning
From RFC 2960
-8.4 Handle "Out of the blue" Packets
-An SCTP packet is called an "out of the blue" (OOTB) packet if it is correctly formed, i.e., passed the receiver's Adler-32 / CRC-32 check (see Section 6.8), but the receiver is not able to identify the association to which this packet belongs.
-The receiver of an OOTB packet MUST do the following:
"If the packet contains a SHUTDOWN ACK chunk, the receiver should respond to the sender of the OOTB packet with a SHUTDOWN COMPLETE."

-New way to elicit answers even if not answering ABORTs to INITs targeted at not-opened port.

SCTP ports (-sS) Stealth Scanning
root@bt:~/sctp# ./sctpscan-v11 --scan --autoportscan -r
203.151.1
Netscanning with Crc32 checksumed packet
203.151.1.4 SCTP present on port 2905
203.151.1.4 SCTP present on port 7102
203.151.1.4 SCTP present on port 7103
203.151.1.4 SCTP present on port 7105
203.151.1.4 SCTP present on port 7551
203.151.1.4 SCTP present on port 7701
203.151.1.4 SCTP present on port 7800
203.151.1.4 SCTP present on port 8001
203.151.1.4 SCTP present on port 2905
root@bt:~/sctp#

SCTP Stack Fingerprinting
-SCTP stack reliability
-Robustness testing (stress testing)
-QA of a few stacks
-Fuzzing built-in SCTPscan
-Discrepancies in SCTP answer packets
-Different stack behaviours
-Much more states than TCP=opportunities
-Cookie randomness

Credits: Philippe Langlois, P1 Security (p1security.com)

Using DAVIX For Security Visualization (revised)

noreply@blogger.com (S. Ali) — Mon, 02 Aug 2010 17:58:00 +0000

Information visualization
-Visualize large collections of abstract data

Scientific visualization
-Representation of data with geometric structure

Visualization Concept
-Analyzing floods of data in tabular or textual form is tedious
-Humans must sequentially scan such data
-Visualization exploits the human's visual perceptive capabilities and parallel processing Size, Shape, Distance, and Color
-Easy to spot patterns and irregularities

Data types supported
-Ordinal
Has a sequence e.g. day of week
-Nominal
Has no sequence e.g. types of fishes
-Quantitative
Can be measured e.g. length, time, weight, temperature, speed

Visualization Effectiveness
-Each data type has its most effective way of visualization

Information Visualization Process

DAVIX Linux Distribution (http://davix.secviz.org/)
-Provide the audience with a workable and integrated tools set
-Enable them to immediately start with security visualization
-Motivate them to contribute to the security visualization community

Tools Available
Capture
-Network Tools (Argus, Snort, Wireshark)
-Logging (syslog-ng)
-Fetching Data (wget, ftp, scp)

Processing
-Shell Tools (awk, grep, sed)
-Visualization Preprocessing (AfterGlow, LGL)
-Extraction (Chaosreader)
-Data Enrichment (geoiplookup, whois, gwhois)

Visualization
-Network Traffic (EtherApe, InetVis, tnv)
-Generic (AfterGlow, Cytoscape, Graphviz, LGL Viewer, Mondrian, R Project, Treemap)

Interface Transport
-Each visualization tool has its own file format interfaces
-Data must be converted to match the import interfaces
-These adapters are mostly self-written snippets of code

Important Note:
All the images presented in this post are intellectual property of the copyright owner (www.secviz.org)

Defending BGP MITM (Man-In-The-Middle) Attacks

noreply@blogger.com (S. Ali) — Tue, 22 Jun 2010 21:19:00 +0000

Every organization owes its Internet connectivity to one protocol: BGP4. There are no alternatives. BGP4 has longstanding vulnerabilities that cannot be fixed, and can only be monitored carefully.

Two key points:
1. Everyone who connects to the Internet is currently exposed to various routing risks: downtime, hijacking and now even wholesale traffic interception.
2. Very few people understand these risks, so they are not being measured or managed appropriately.

Basics of routing and the inherent threats:
-Prefixes
-ASNs
-Routing updates
-Route attributes
-Vulnerabilities & typical historical attacks

Internet Routing – Prefixes
-Internet routing is orchestrated via blocks of IP addresses.
-A network prefix is a block of contiguous IP addresses.
-IP addresses in the same prefix are routed in the same way.

Internet Routing – ASNs
Global Internet routing relies on the Border Gateway Protocol. Each organization participating in BGP is assigned:
-A unique Autonomous System Number or ASN (integer)
-One or more prefixes (range of IP addresses)
-All routing decisions are local

BGP Update Messages
-An UPDATE message announces a new route or withdraws a previously announced route. UPDATE = prefix + route attributes
-Adjacent routers chatter constantly with each other as routes come and go. Globally, Renesys observes 45,000+ updates per minute when things are quiet!

BGP Attributes
Routing announcements have attributes and many possibilities but the (hopefully valid) "AS" path to the announced prefix is always present.

Routing Vulnerabilities
1. No single authoritative source of who should be doing what.
-If there were, you could filter out the errors / hijacks.
-As a result, filtering by ISPs is not common or easy.

2. All of Internet routing is based on trust.
-Anyone can announce any IP space they want.
-Anyone can prepend any ASN to any path that they want.

3. No mechanism in place to handle ASNs who go rogue. There are no Internet police!

Two typical types of hijacks:

No operational impact
-Hijack unused (but maybe assigned) IP space
-Potentially harms the reputation of the owner
-But does not disrupt any legitimate traffic on the Internet
-DoD owns but does not announce 7.0.0.0/8, 11.0.0.0/8, 30.0.0.0/8 and others. These networks
are “free for the taking” without any impact on DoD. Every announcement in this space is a hijack.

Obvious operational impact
-Hijack currently used IP space
-Legitimate traffic diverted to the hijacker
-Victim can be effectively taken off the Internet
-Very disruptive and very obvious
-YouTube owns 208.65.152.0/22 (Feb 2008)
This contains the more-specific 208.65.153.0/24
The above /24 used to contain all of YouTube’s
DNS Servers (have since moved)
Web Servers (have since added additional IP space)
YouTube announced only the /22
-Pakistan Telecom announces the /24
In BGP, most specific route to an IP address wins!
Pakistan Telecom gets all traffic intended for YouTube
YouTube is globally unreachable for 2 hours

Both types of hijack allow an attacker to attract all traffic bound for the hijacked space.

Final Evaluation
-Hijacking has been going on for over 10 years!
-No incremental or comprehensive solutions
-Solutions lack economic drivers
-Doesn’t happen daily and universally
-Avoiding negative publicity is not necessarily compelling
-Impact poorly understood by management
-Miscreants are actively hijacking now
-To send spam from “clean” IP blocks
-To cover their other nefarious activities
-What good are your firewall/IDS logs now?
-Need historical global routing data to identify hijackers

Man-In-The-Middle Attack
-Review the MITM exploit presented at DEFCON 16 (August 10, 2008)
-AS path attribute
-AS loop prevention
-MITM attack technique
-Obscuring the MITM attack with TTL adjustment

How can the victim observe this?
-Victim’s routes and those of at least one provider will look normal
-Traceroute from a public looking glass to the victim’s IPs will show the hijacker
(assuming the looking glass hasn’t been blinded to the attack).
-Traceroute depends on incrementally increasing TTLs
-Hijacker can hide his presence by silently increasing TTLs for packets intended for the victim
-Hides hijacker’s routers
-Hides hijacker’s outbound routes to victim

Detecting the Attack
-Is this generally visible?
-Attacker profile
-Difficulties with detection
-You know the correct routing policies (easy)
-Generally limited to networks under your control
-Review of available alarm services
-Can you attack the alarm services?
-You don’t know the routing policies (hard)
-A proposed global detection technique

Difficulties in observing the MITM attack
-Most Internet routers will see and prefer the hijacked routes. Won’t be obvious among their
270,000+ routes.
-Traceroutes won’t show the hijacking (with TTL adjustments). Independent of source location.
-Latency to the victim will increase. Could be slight if the hijacker isn’t far from the victim.
-Route alarming services might see this if AS loop detection is disabled.

Two simple questions:
Can I detect MITM for my network?
-Easy: Routing policy is presumably known or at least knowable.

Can I detect MITM for the Internet at large?
-Much harder: Routing policies are not known and probably unknowable for all 270,000+ prefixes

Breaking Into SharePoint Portal

noreply@blogger.com (S. Ali) — Mon, 31 May 2010 22:25:00 +0000

Windows SharePoint Services (WSS)
- Base technology
- Free (with Windows Server)
- Consists of an ASP.NET web site and ISAPI filter

Microsoft Office SharePoint Server (MOSS)
- Built on top of WSS
- Not free
- Supports collaboration on MS Office documents

Security Aware?
- Gartner predicts SharePoint will replace network file shares
- Default security model: all site users have read access to all documents
- Big target – single repository for sensitive corporate data – salaries, phone numbers, customer lists, passwords, strategic plans, etc.

Hacking the SharePoint ISAPI Registry
A potential EoP, but not interesting:
- Requires Terminal Services to be enabled with “NT4 compat mode”
- In that scenario, several Windows components have the same bug
- See “Web Server Extensions”, referenced in HKLM
- Check out usage of “Terminal Server User” SID throughout Windows

Hacking SharePoint with Google
- Thousands of public, internet-facing SharePoint sites have been created
- Use Google to identify configuration mistakes
- More info: http://tinyurl.com/4dccn9

Hacking SharePoint with NMap
- SharePoint servers have a distinctive network port signature
- Depends on firewall config, of course
- More info: http://tinyurl.com/3oykwp

Hacking SharePoint with RegEx
SharePoint RegEx Search
- http://www.codeplex.com/MossRegExSearch
- See blog post – http://tinyurl.com/4s49p3
- Avoid limitations of built-in SharePoint search (i.e., SQL ‘LIKE’ and ‘CONTAINS’ keywords)
- Instead, harness the power of regular expressions!
- Search for: strong passwords, credit card info, phone numbers, SSNs, etc.

Defeating OS Fingerprinting Using IpMorph

noreply@blogger.com (S. Ali) — Fri, 30 Apr 2010 06:57:00 +0000

IpMorph is an Open Source project used to disguise OS-detection process performed using various techniques, such as, banner grabbing, ICMP replies, ISN profile, TCP headers, timeouts and other similar trends. These techniques are usually available in number of tools like Nmap, Xprobe2, SinFP, Ring2, p0f, Ettercap, etc.

Active Stack Fingerprinting

Passive Stack Fingerprinting

How IpMorph Works

Spoofing States

Filtering
– Stealth patch : Unmaintained as of 2002, GNU/Linux kernel 2.2-2.4
– Blackhole : FreeBSD, kernel options
– IPlog : Unmaintained as of 2001, *BSD
– Packet filter : OpenBSD
Host TCP/IP stack tweaking
– Ip Personality
– Fingerprint opt
– Fingerprint scrubber
– OSfuscate
Host TCP/IP stack replacement (proxy behaviour)
– Honeyd
– Packet purgatory / Morph
Integrated Tools
–IpMorph (Core)
–IpMorph Controller
–IpMorph Personality Manager
–IpView (IpMorph GUI)
Portability
–GNU/Linux
–BSD, Mac OS

IpMorph General Architecture

Insights of the CyberCrime World

noreply@blogger.com (S. Ali) — Sun, 18 Apr 2010 22:02:00 +0000

Malware Trends
-High complexity of technology introduces higher number of fault (Hardware, Software)
-Proof of Concept, Exploit Codes, Vulnerabilities (Finding exploits in order to misuse them, making money!)
-Today's Malware (Organized in botnets, uses human vulnerabilities)
-Botnets (Money making operation by selling stolen credentials, renting out botnet services like DDoS, Adware installations, etc)

Anti-Malware Solutions

The decision about the detection of malware (adware, spyware, trojan, etc) can be troublesome. It can be difficult to give a reason why any software is malicious, unwanted or not useful. However, implementing detection mechanism can be rather easy but there is an exception to this rule. Additionally, there is always a need for the cooperation between AV companies to avoid ambiguous decisions. This can be established by introducing standards and best practices such as AVPD, ASC, AMTSO, etc.

Detection vs Decision in Terms of Malware

Malware Distribution Channels

Trojan or Normal Application?

Trojan
-Uncompromising infection
-Make use of exploits
-Unattended, unsolicited installation
-Perform stealth activities
-Invasiveness
-Impact on system stability, security and integrity
-Obfuscated data
-Detection evasion mechanism

Normal Application
-The application itself isn't causing any harm
-EULA, the installation take place with user's consent
-The vendors disclaim involvement with the distribution channels

Vendors doesn't want their application to be detected

Final Outlook of the Malware

Legal and Problematic Issues

-Applications developed by well-established companies roll out with different affiliate distribution
model. Now, typically with botnet era?
-Mutual customers: those who want to use software and be protected at the same time.
-Other customers: those who never agree to install anything without their trustful consent.
-Uncontrolled open affiliate distribution model is unfeasible.
-Direct sponsorship for cybercrime activities.
-Once detected, these criminal groups are ready to fight even for the price of lawsuit.

Over the Past 4-years (according to Eset AV Press)
-20+ cases where the legal department has been involved
-Over 1150 hours and 530 employee interactions
-2006: 16 hours/month, 6 total interactions
-2009: 46 hours/month, 21 total interactions

Dissecting Malicious Office Documents

noreply@blogger.com (S. Ali) — Thu, 01 Apr 2010 06:27:00 +0000

In the past, malware was only appearing as an executable file but this threat has changed its landscape to skew through the application data files which includes, pdf, doc, xls, etc. In order to combat this threat, MalOffice has introduced a combination of both "static" and "dynamic" analysis techniques to inspect the application data files. The static analysis uses general and filetype-dependable scanning while the dynamic analysis uses the approach of CWSandbox and other test analysis techniques.

Static Analyzers
General:
-AV Scanner
-PE-Detector

Specialized:
-Detect embedded javascript in PDF document
-Heuristics for malicious javascript
-Detect shellcode in Office documents

PDFScanner
Specialized scanner for PDF files
-Decompose PDF stream into objects (pdftoolkit)
-Detect javascript objects
-Use heuristics to detect malicious javascript
-Extract Variable names
-Find code obfuscation
-Usage of known vulnerable functions

OfficeMalScanner
Specialized scanner for MS Word files
-Uses OfficeMalScanner, by Frank Boldewin (http://www.reconstructer.org)
-Forensic tool for Office documents
-Scans for shellcode pattern
-Dumps OLE structures and VB-macros
-Generates a malicious index value

Limitations
Static analyis can be circumvented by attacker
-different kinds of obfuscation are possible
-general drawbacks of static malware analysis
-exploit might trigger only on certain events
-Exploit might require specific version

Dynamic Analyzers

CWSandbox
-Tool for automated behavior analysis
-PE-executables or arbitrary data files
-Creates XML analysis report: operations executed by the monitored processes
-Filesystem, registry, network, user management,services, protected storage, etc
-Each file type has associated host application e.g. Acrobat Reader, Foxit Reader, MS Word, etc
-Some exploits only trigger in specific app versions e.g. Acrobat Reader 8.0, 8.1.0, 8.1.1, 9.0
-Task: decide from analysis report, if executed data file is malicious based on "Policies"
-consist of white and blacklisted operations
-created in a semi-automated way
-One policy per host application version
-What operations are usually perfomed when running this application with a (benign) data file?

Static Analysis Result (suspicious points)

Dynamic Analysis Result (malicious points)

Other Tools
SPARSE - focus only on Word documents
OfficeCat - static scanner for office documents
OfficeMalScanner - MS office forensic tool
Wepawet - powerful tool to analyze PDF and Flash files

Reverse Engineering Through Inline Hooking

noreply@blogger.com (S. Ali) — Tue, 23 Mar 2010 11:36:00 +0000

Reverse Engineering techniques are generally divided into two broad categories:
1. Static Analysis
2. Dynamic Analysis

Static Analysis
-Techniques which do not involve running the code
-Disassembly, file structure analysis, strings, etc.

Dynamic Analysis
-Techniques which involve running the code
-Behavioral analysis

Approaches to Dynamic analysis involve:
-Network Monitoring
    Isolated Physical Networks
    Virtual Networks
-Hardware Emulation
    Norman Sandbox, etc.
-Kernel-Level Monitoring (SSDT hooks)
    Sysinternal Process Monitor
-Debuggers

Kernel-Level Monitoring

Advantages
      Captures every system call
    Can’t be avoided from userland
Disadvantages
    Only captures functions implemented as system calls
    Not every important function call in the Win32 API is implemented as a system call
    Tools don’t differentiate between process housekeeping and calls from usercode
    Calls to internal DLL’s cannot be observed

Process Monitoring via Debugging

Advantages
    Debugger can trap any function call, not just system calls
    Trapped calls are more likely to be highly relevant to the program’s operation
Disadvantages
    Have to act as a debugger
    Susceptible to countless anti-debugging techniques

Inline Hooks

Advantages
    Can trap any function call, not just system calls
    Trapped calls are more likely to be highly relevant to the program’s operation
    Not operating as a debugger
    No device driver required

Disadvantages
Hard to implement

Implementing Inline Hooks

1. Find a function of interest
2. Disassemble the beginning of the function
3. If possible, overwrite the beginning bytes of the function with a jump or call instruction
4. Implement a handler for the hooked function

What to do with hooked functions?

Observe and Report
    Collect data about the current function call by gathering data from stack and report to console
    Execute any instructions overwritten from the hook
    Jump back to the next instruction in the hooked function
Intercept and Emulate
    Perform a specified action instead of calling the intended function

Running your own Sandbox

-Trap gethostbyname() to always return a fixed IP address.
-A pseudo-handle interface to allow fake reads and writes to files and netwok sockets. Trap connect() to connection to a pseudo-socket. CreateFile(), ReadFile(), WriteFile(), etc.

API Thief Tool (by mandiant.com)

-Launches target process in a suspended state
-Injects a DLL into the process.
-The Injected DLL hooks all Win32 API functions before the target process is resumed
-API Call monitoring can be used simply with a process monitor-style console
-Embedded python can be used to write custom handlers for specific hooked functions

Network Intrusion: The Advanced IPS Evasion Techniques

noreply@blogger.com (S. Ali) — Sat, 27 Feb 2010 18:31:00 +0000

As most of you may know that the Intrusion Prevention Systems (IPS) should protect vulnerable hosts from remote exploits. However, there are occassions where exploits can apply multiple evasion methods to bypass these detection mechanisms and break into the system. There are many hacking tools which apply multiple IDS/IPS evasion techniques but these tools are more exploit oriented rather than evasion oriented.

Known Evasion Techniques

-IP Fragmentation with manipulated fragment size and order
-IP Random Options
-TCP segmentation with manipulated segment size and order
-TCP Time Wait
-TCP Urgent Pointer
-SMB Fragmentation
-SMB Transaction Write Method
-SMB Write/Read Padding
-SMB Transaction Method fragmentation
-SMB Session Mixing
-MSRPC Multibind (bind to multiple unnecessary or non-existent context + the vulnerable context)
-MSRPC fragmentation
-MSRPC encryption
-MSRPC Alter Context
-MSRPC Object Reference
-MSRPC Endian Manipulation

Evasion Method

IPS signatures can be evaded completely if the protocol stacks do not understand the evasions and normalize the traffic over the network. For example, SMB and MSRPC signatures should not worry about fragmentation, padding, extra methods or other randomizations. More of these examples are discussed below.

IP Random Options

-Fill IP Packet with random Options
-If the target host and the IPS device disagree about the validity of the packet, the target host may see different data than the IPS.

TCP Time Wait

-Open and close a TCP connection. Open a new TCP-connection to the same service using the same TCP-source port. According the TCP RFC, the TCP client MUST wait "TIME-Wait Delay" amount of seconds before reusing a port.

-If the attacker uses his own TCP/IP Stack, he can open and close a TCP-connection and immediately open a new TCP connection using the same source port.

TCP Urgent Pointer

-Insert one byte into a TCP-stream.
-TCP-Server chooses whether to use or discard the added byte.
-An IPS device inspection can be evaded by clever use of the urgent pointer.
-Example: TCP Stream: GETP / (P is urgent data)
IPS looks: GETP /
Apache looks: GET /

SMB Session Mixing

It is possible to use multiple resources over the same SMB-session within the single TCP-connection at same time. Simultaneously read and write into multiple files.

SMB Write/Read Padding

-The write and read commands have an offset pointer that can be used for padding.
-All data after the SMB header till the pointed byte should be discarded.

MSRPC Alter Context

The client may change the current context using the Alter Context Method. All subsequent requests then go to the new context.
Example: The client binds to non vulnerable context and then changes into a vulnerable context and sends the exploit.

MSRPC Object Reference

Adding an Object Reference (UUID) to an MSRPC Request Header enlarges the header by 16 bytes, and thus moves the MSRPC payload 16 bytes forward.

IPS Evasion Tool - Predator (IPForge)

-Evasions for attack "CVE-2008-4250"

-IP fragmentation, --ip_frag:
8byte: Fragment IP payload into 8 byte fragments
16byte: Fragment IP payload into 16 byte fragments
24byte Fragment IP payload into 24 byte fragments
256byte Fragment IP payload into 256 byte fragments
random_order: Send fragments in a random order
out_of_order: Send one fragment out of order
fwd_overwrite Perform forward overwriting with fragments
last_first Send last fragment first
one_duplicate Send one duplicate fragment

-IP evasion, --ip_evasion:
random_options: Send random IP options

-TCP fragmentation, --tcp_frag:
1byte Fragment TCP payload into 1 byte segments

-TCP evasion, --tcp_evasion:
time_wait Open a decoy connection and attack from same ip:port while in time-wait
urgent_ptr Insert meaningless data into 1 byte urgent segments

-SMB fragmentation, --smb_frag:
16byte Fragment SMB payload into 16 byte fragments
256byte Fragment SMB payload into 256 byte fragments

-SMB evasion, --smb_evasion:
andx_connect Negotiate SMB session and connect to a tree connect an AndX message
decoy_trees Open decoy SMB tree connects in the same TCP stream as the attack
read_offset Use random offsets in SMB read operations
pad_write_random Pad SMB write commands with a random sized block of random data
pad_write_static Pad SMB write commands with a static sized block of random data
random_write_method Use a random SMB write method ( TRANSACT / WRITE )
write_offset Use random offsets in SMB write operation

-MSRPC fragmentation, --msrpc_
frag: 16byte Fragment MSRPC payload into 16 byte fragments
256byte Fragment MSRPC payload into 256 byte fragments

-MSRPC evasion, --msrpc_evasion:
big_endian Communicate in big endian format
random_object: Add a random object reference to MSRPC requests
alter_context: Bind to a random context and then alter to the correct ip

Analyzing Malware Using Advanced Inspection Procedures

noreply@blogger.com (S. Ali) — Fri, 19 Feb 2010 11:03:00 +0000

Why you want to analyze the malware? What could be the possible reasons?

-Better understanding of threats to protect network
-To write software that detects malware (anti-virus vendor)
-Admiration of new techniques
-Financial Gain (malware writer)
-Political agenda
-Used to be for the challenge and pranks

Characteristics of the good Malware Analyst

-Meticulous data collection
-Thinks outside the box
-Logical processes interaction
-Tenacious
-Good understanding of systems/network
-Reverse engineering skills

Attack Vectors

-Via portable devices
-Downloads from FTP or BBS
-Exploitation of remote services, worms
-System is only as strong as its weakest link

Human Factors

-In the past, humans not involved in the attack cycle
-Attackers searched for network or systems level vulnerabilities
-Automatic exploitation and spread
-In the present, exploit human (Spam email, compromise a legitimate site, advertising attacks)

Attacking through Social Networks

-All social networks have their history (Flickr, Facebook, Twitter, Myspace, Orkut)
-File sharing (Torrents, warez stuff, p2p)
-Massive information sharing networks
-Rich media content (web 2.0)

Attack Lifecycle

-Initial payload is small
-Initial checks (Mutex, OS Version, Keyboard, location)
-Payload is downloaded
-Contacts command and control server for tasks
-May fall back to secondary C&C
-Dynamically generate rendezvous point

Basic Obfuscation Techniques

-Polymorphism and Packers (UPX, Armadillo or custom packers)
-Simple Debugger checks
-Jumping into data/ middle of instructions
-Encoding strings/values
-Manipulating imports
-Corrupting PE Header
-Overlapping Section Header
-Junk code
-SEH (exception handler patches memory)

Advanced Obfuscation Techniques

-Metamorphic nature
-Custom virtual machines (Polymorphic instruction sets)
-Encryption
-Instruction Timing (Model Specific Register (MSR), RDTSC instruction)
-Debugging register tricks
-Breakpoint detection
-VMWare detection

Malware Lab

-Virtualization Platform (VMware, Xensource, Qemu)
-Must not be on any network but its own
-Dynamic Internet Connection

Virtualization Techniques

-Serial Debugging
-Copy on Write
-Memory Image
-Fast reversion of images

Logging Activities

-Needed to store data from automatic and manual analysis.
-Malware analysis is far more useful with a corpus to compare against.
-The more data we have on characteristics, the more we are able to do a determination of whether it is malware.
-Reverse engineering is expensive in terms of man-power to do.
-Identify characteristics and understand malware to allocate reverse engineering where it is worthwhile to.
-Store actual malware sample
-Store network traces
-Store static forensics information

Obtaining Malware

-Be an anti-virus or anti-malware software vendor
-Join an existing antimalware intelligence groups (Honeynet Project, Sandnet)
-Build your own honeynet
-Beg, borrow or steal

Advanced Tools

-Debuggers (WinDBG, IDA, Ollydbg)
-Tracers (regmon, filemon, detours, apimonitor, strace)
-Unpackers (PEiD)
For more information: Practical Toolkit for Reverse Engineering

Conclusions

-Simple tracing/monitoring can give lots of information
-Static analysis of Malware can also yield many clues
-Storing all bits of data and characteristics in a database can yield large dividends
-Trend is toward decentralized botnets (p2p)
-New coordination efforts in botnet takedowns

Social Engineering: A science behind major Corporate Attacks

noreply@blogger.com (S. Ali) — Sun, 07 Feb 2010 06:08:00 +0000

All social engineering techniques are usually based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware," which can be exploited in various combinations to create attack techniques. Source: "Wikipedia".

Social Engineering misdirection takes advantage of the limits of the human mind in order to give the wrong picture and memory. The mind can concentrate on only one thing at a time. The magician uses this to manipulate the "victim's" idea of how the world is supposed to be.

Common Risks From Social Engineering
–Direct users to malware attack
–Trick users into executing malware
–Persuade users into handing the information (data leakage)

Past Recaps:
Nigeria 419 scams, since 1980s
Phishing at AOL users

-AOL's chat rooms have been awash in password-stealing since at least 1994.
-In one three-month period in 1996, AOL cancelled 370,000 accounts for "creditcard fraud, hacking, etc "Washington post".

Other Email Scams Since 90s
Changes In The Social Engineering Attacks

Internet Statistics (1990-2008)
-Online presence1,463,632,361 –Internet users worldwide (June 2008).
-1.3 billion–email users worldwide. 210 billion emails sent per day (2008).
-Web Sites: 186,727,854–in December 2008. 31.5 million added during 2008.

Targeting Users for your Attack?
Using Popular Search Terms
Using celebrities popularity
Cyber attackers use Terrorist tactics
Terrorist cells are increasingly looking at less well-protected "soft" targets where Westerners can be found, such as social and retailvenues, tourist sites and transport networks (rail, road and airports), as illustrated by the attacks in Bali in October 2002,Madrid in March 2004 and Egypt in July 2005.

Business Strategies?

77% of employees have a Facebook account.
2/3rd access during working hours for average 15mins per day.
87% couldn’t define a clear business reason.
1 in 33 built and manage their entire profile at work.
1.47% total lost productivity across entire employee population.

Common issues with social networking

Who are you really communicating with?
–Has their account been compromised?
–Has the provider of the tool/service been compromised?
–Has the content been tampered?
–Does it have an abbreviated URL?

Stopping users getting to the compromised sites
–Content filtering: Needs real time intelligence.

Ensuring users don’t self infect
–Anti-malware solution
–Control what users can execute: User Access Control (Microsoft), Whitelistingtools (apple model - Digitally signed applications, 3rd party whitelisting tools) -Behavioural controls (IPS, FW, etc): Harden OS, Control what can be installed, used, interacted with other resources.
-Data leakage: Education, Data Loss Prevention controls (DRM).

Digital Reputation - Risk Management
Monitoring and controlling Social Networking Usage
-56% of employers admit to monitoring employees to see if accessing on-line social networking sites, amongst others things.
-38% block employees from accessing such websites.
-1/3rd of employers have adopted policies limiting or prohibiting use of such sites during work time.
-6% have terminated employees for utilizing online social networking sites during work.