The Security Shoggoth

Tracking the Defenders

2009-10-22T08:30:00.002-04:00

I've been working hard the last few weeks to get my malware analysis class ready, but something popped up that got me thinking. In the last few days a number of blogs have reported about avtracker.info, a site which is tracking the IP addresses that AV companies use to research malware.

According to the supposed author*, the reason this site is in existence is:

If you DDoS them, then you will lame down the whole AV business, then there won’t be any new detections for the time you cut them from the internet. The IP list is also useful for software that downloads something from the internet, in order to hide it from automatic analyzers like Anubis. You can simply exit the program when the IP matches with one of the AV list – and then your program stays secure from automatic analysis.

I have to admit that I'm not surprised at these reasons, or even that this is happening. In fact, I suspect its been happening a long time and this is just the first time a public list has been made.

Think about it - we watch where the attackers are coming from. We have honeypots, block lists, and share information amongst each other - why should we think the attackers are doing any differently?

This does illustrate a good point, however. In my class I teach that you should never allow malware you are analyzing to contact its home servers from your organization. When you do, the attackers can figure out where you are coming from and, in the best case, block your access. In the worst case you would be on the receiving end of a DDoS attack.

* I say supposed because I have no proof one way or another.

Quick Backup Script

2009-09-18T11:20:00.003-04:00

I often create scripts and programs (Perl mostly) to help me do things. When I'm developing these scripts, I will typically write a chunk of code, test it, add more functionality, test it, rinse, repeat.

However, there are times where I'll delete a chunk of code to try something different and end up breaking my entire script. Of course, when this happens I don't have a backup of the old code available to go back to.

To help me, I made this small script which will backup a file given to it to a directory. All it does is copy the file to a backup directory and tack on a date string to the end of it so every backup copy is unique. Yes, this is a simple copy, but it makes it nice to have to do things quickly.

#!/bin/bash

# quick script to backup files

DEFAULTDIR=${HOME}/backup
DATE=`date +%s`
if [ $# -lt 1 ] ; then
echo $0 file-to-backup [path to backup dir]
exit
fi

# set the backup dir location
BACKUPDIR=${2:-$DEFAULTDIR}

if [ ! -d ${BACKUPDIR} ] ; then
echo ${BACKUPDIR} did not exist. Creating.
mkdir -p ${BACKUPDIR}
fi

# make sure the file exists
if [ ! -f $1 ] ; then
echo $1 does not exist.
exit
fi

cp $1 $BACKUPDIR/${1}-${DATE}
if [ $? -eq 0 ] ; then
echo Successfully copied $1 to $BACKUPDIR/${1}-${DATE}
else
echo Error copying $1 to $BACKUPDIR/${1}-${DATE}
fi

I just copied it to /usr/local/bin, called it myback, and chmod +x'd it. Now, whenever I want to backup a script quickly I just run "myback script".

Introduction to Malware Dissection

2009-08-20T17:11:00.003-04:00

This October 29-30th the annual Ohio Information Security Summit will be held. I highly recommend attending it if you can. The conference features two days of great talks, keynotes, labs and networking. It has been going on for a few years now and never fails to disappoint anyone who attends, especially for the price ($275 until Oct 1, $350 after). In addition to the normal talks, the summit is offering a number of pre-conference training courses.

I will be teaching a 2 day introduction to malware analysis class as one of the pre-conference training courses. The course is geared to those who want to learn malware analysis or are just starting out. We'll cover all of the basics for malware analysis including setting up your analysis lab, static analysis and dynamic analysis. In the end, you'll walk out of the class with the knowledge of how to take a malware sample and determine what it does, who it contacts and what risk it poses.

In the courses I have taken, I've found that I learn alot more by actually doing things rather than watching a powerpoint presentation for 8 hours. Because of this, the class will be structured around a number of labs which have you do the analysis using various tools on actual malware. I've collected a number of cool malware samples which will be analyzed in the course in various ways and I'm really excited about it. At the end of the class they'll also be an analysis contest where prizes will be given out.

Since we will be handling live malware there are some laptop requirements listed in the course description.

If anyone has any questions on the course or the laptop requirements, please contact me. I look forward to seeing you there!

Its Not Always A Security Issue

2009-08-16T16:15:00.005-04:00

I've been spending this weekend fixing my in-laws computer. Like most of you, I'm the family "tech support" for anything that goes wrong with a computer. This past week I received a call from my mother-in-law that she was getting pop ups on her computer stating that it was infected and that the program would remove it if they paid for the full version. Classic sign of fake anti-virus.

After some quick research, we were able to determine that it was Advanced Virus Remover. It appeared to be pretty simple to get off (delete some files, clear out some of the registry, etc) but since I was not there I decided the best way was to have her reboot into safe mode and perform a system restore. (Unlike some of my relatives, my m-i-l can actually do things like that without me hand-holding.) Of course, when she tried to go into safe mode, it blue screened.

The next day I went over to see if I could figure out what was going on. I was able to remove the malware (and two others) fairly quickly, but we were still getting errors. In short time I realized that part of the hard drive had gotten corrupted and was causing the BSODs - not the original malware.

This made me remember another story from a job in a previous life. I had been called down to another department by a friend. The entire department were having some odd problems. Whenever they tried to print their machines would BSOD. Since I was the resident "malware guy", they decided to call me in to see if I could find anything. When I got there, some Windows admins were also there looking at some of the systems. My friend took me to the system with the original problem and I started to examine it.

After a few minutes I couldn't find anything indicative of malware on the sytem. I even booted with a Helix CD just in case there was a rootkit on the system. Nothing. After a few minutes the Windows admins came over and asked me what I thought. I replied I didn't see anything but there were reports of a 0-day attack against the Windows printer system that day which were indicative of what we were seeing. However, I stressed, I didn't know and didn't think this was related.

Of course, within minutes the Windows admins had me on a call where they were explaining how I thought we had been hacked using a Windows 0-day attack against the printers. It took at least 45 minutes for me to sort through everything that was being said and to finally point out that I had not found any proof of any attack and that I didn't think this was the problem. When the Windows admins finally went back to troubleshooting the problem, they found that a corrupt Windows printer driver had gotten pushed to these systems and thats what was causing the issue.

I learned two things that day:

1. Never say that you think something has been compromised (or even could be compromised) until you have some type of proof. People love to over-react in a situation like that and that just provides fuel for the fire.

2. Not everything is a security incident. Just like my in-laws computer, the presence of malware may not be the reason for the overall problem. A corrupt hard drive could just be a corrupt hard drive. If you start reading compromises into everything you see, you may miss what is actually there.

Automating Malware Analysis Part 2

2009-08-07T09:47:00.003-04:00

I've heard rumors that the latest issue of Hakin9 is on stands now. This issue contains the second part of my article on automating malware analysis and adds memory analysis and sandnet capabilities to the analysis script.

In the script, memory analysis is performed by suspending the virtual machine (as opposed to shutting it down as the first script did). When a VMWare VM is suspended, the memory for the machine is dumped into a file which can then be analyzed. This file is analyzed using the Volatility Framework.

Volatility is an amazing tool which can extract information from Windows XP SP2 & SP3 memory images. The analysis script in the article uses Volatility to extract the process list, network connections, list of loaded DLLs and list of loaded modules of the VM memory. However, Volatility can do so much more that I highly recommend extended what is in the article.

In addition to memory analysis, the article adds sandnet capabilities to the script. In the original script, the VM was set up in host-only networking mode which prevented the malware from communicating to anything over the network. This really limited the analyst in what they could see. For example, if the malware wanted to download additional files from a web server, the analyst would never see it.

To allow network connectivity, and still keep the network the analyst was on safe from infection, the script uses a tool set called InetSim to create a fake Internet for the malware to interact with. InetSim loads a number of localized servers (DNS, HTTP, etc) and logs any data sent to it. Now, when malware attempts to connect to a web server it will be able to and the analyst will see what it is attempted to download. I blogged about InetSim and how to install InetSim back in February.

I hope everyone enjoys the article. Please send me any feedback on the article or enhancements to the script. It does not appear that Hakin9 has posted the code listing for it yet, but as soon as they do I'll link to it from here. Of course, feel free to contact me to get the code if you want.

Black Hat Recap

2009-08-04T12:02:00.005-04:00

Wow...its been a few months since I've last posted. Sorry about that! Things have been nuts IRL which has kept me away from posting, but if you actually read my blog you'll be happy to know I have some things lined up.

Last week I had the opportunity to attend Black Hat USA in Las Vegas. While I won't go over every single talk I attended, the highlights are below.

Advanced Malware Deobfuscation - This was actually a training course written by Scott Lambert and Jason Geffner. The course is essentially about the different techniques used to unpack malware, an area I needed some training on. If you know how to RE and are comfortable in a debugger, I highly recommend this course.

Win at Reversing - This talk was given by Nick Harbour from Mandiant on a new tool called API Thief. When performing behavioral analysis of a malware sample, the analyst typically wants to see what calls the malware is making and uses a program like Process Monitor to do so. The problem with this only system calls are grabbed and misses some potentially important API calls. Nick's tool uses inline hooking to record API calls instead of system calls. This allows the analyst to get more information and potentially do some tricks to unpack the software. I'm going to be checking out the tool more to see how I can utilize it. Currently it can be downloaded at http://rnicrosoft.net.

Reverse Engineering by Crayon - The next talk was on performing hypervisor based malware analysis and visualization. Essentially, the presenters used a software called Ether which integrates with a Xen VM in order to perform malware analysis. To be honest, I had not looked into using Xen for sandnets, but after this presentation I think it has alot of promise and will be doing some more research into it. All of the slides and notes are posted on http://offensivecomputing.net.

Fast & Furious Reverse Engineering with TitanEngine - This was the last talk of the con I attended and it really didn't get the attention it deserved. TitanEngine is an open-source SDK and framework the authors are releasing which is used to perform and automate a large number of tasks needed when unpacking malware. The framework is very impressive in what it can do and how mature it is for something that is just being released. The presenters gave a number of live demos of programs written with the framework being used to unpack programs. The last demo they gave was done using TheMida, a packer which is notoriously difficult to unpack. They packed a sample program during the presentation turning on all capabilities of the packer and then unpacked it in a few seconds with a program they made with TitanEngine. This is definitely a program I will be looking into. http://titan.reversinglabs.com

I had a great time at Black Hat and met alot of people. Unfortunately, I wasn't able to stay for Defcon but maybe another year.

Detecting Malicious PDFs

2009-05-21T10:36:00.003-04:00

Last night at the NE Ohio Information Security Forum I gave a presentation on Detecting Malicious PDFs. I'm still not sure if I'm going to release the presentation, but I am going to release a Snort signature that I've found useful for detecting evil PDFs.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Potential Malicious PDF (OpenAction JavaScript)"; flow:from_server,established; content:"%PDF-"; content:"<</OpenAction <</JS"; within:128; nocase; classtype:trojan-activity;)

This signature looks for the PDF header (indicating we're dealing with a PDF) then an /OpenAction followed by /JS. This indicates that JavaScript will be executed as soon as the document is open.

Yes, I realize this signature can be easily bypassed with PDF obfuscation. However, I've found that attackers are not yet using this very much. Let me know if this is useful to you.

Automating Malware Analysis article

2009-05-07T09:13:00.004-04:00

In the latest Hakin9 issue (3/2009), I have an article on automating malware analysis. The article discusses how one can set up their own malware analysis automation system using VMWare, some analysis tools and two scripts. The article uses a Linux system as the base system and a Windows XP Pro as the guest/analysis OS, but I don't see why one couldn't use Cygwin on Windows for a base system with a few tweaks.

The scripts I created for the article are meant to be used as a base for your own automated analysis system - they are meant to be expanded upon. I encourage others to add other tools and capabilities to the scripts and share them here on the blog. The scripts used are available on Hakin9's site. However, if anyone wants the actual files let me know and I'll send them out.

I should point out that the system and scripts in this article assume you are in VMWare's host-only network mode. This is to prevent malware from accidentally infecting other systems on your network, the Internet, etc. However, since the system is set up host-only mode your malware will not be able to communicate with any hosts. The only network traffic you will see are DNS requests and probes to systems that go unanswered.

I encourage others to implement this into their automation system using software such as Truman, fakedns, or InetSim to create a virtual network. Don't want to take the time? Then you'll have to wait for the next issue of Hakin9 where I have part 2 to this article and show how to set this up (along with some other cool things).

I'd love to hear any feedback on the scripts, tools, or the article...including anything you use to expand upon it.

The more things change, the more they stay the same

2009-04-24T13:57:00.002-04:00

A few weeks ago, the library at my daughter's school had a sale to get rid of some of their old books. That day, my daughter came home with a computer book published in 1984 entitled Computer Kids. The book is essentially interviews with children of various ages who use computers in school and at home. Its a very interesting read as it shows how computers were thought of back then.

One chapter in particular caught my eye because it was about computer security. The chapter focuses on a boy, who at the time was a senior in high school. In the chapter, the boy talks about copying games with his Vic20 and wardialing into other computers. At the end of the chapter, the author asks him what advice he would give to companies:

If someone were to ask me what else companies can do to protect their computer systems, I'd tell them to use passwords that are as long as possible. Most passwords are made up of eight-digit numbers. A ten-, twelve-, or even a thirty-digit number would be better. More secure. And companies shouldn't use individual words for their passwords. It's better to use a combination of words that are unlikely together.

Companies can also change passwords often, or they require the approval of one of more persons to gain access to the computer.

Interesting how advice 25 years ago is still valid today.

PHP Anti-analysis Technique

2009-03-27T14:54:00.003-04:00

I was looking through a PHP web attack toolkit yesterday and found one of the scripts was obfuscated in an attempt to prevent others from figuring out what the code does. In short, the obfuscation worked by decoded a long base64 encoded string, applying some modifications to each letter based on where it was, and then executing the final output (thru an eval command).

No problem, I thought. There are three options to decode this:

1. Figure out what the code is doing and write a translation program. Nah, too long.
2. Modify the source for PHP itself to print any eval statements to a file. Hmmmm...maybe, but not now.
3. Add a print statement to the obfuscated script to print out the unobfuscated code instead of eval'ing it. Yep...easy.

So I changed the eval statement to a print and ran the PHP code. Nothing.

After ensuring my PHP wasn't borked I decided something was going on and I needed to look at the code. After a few minutes, I found the following:

$file = __FILE__;
$file = file_get_contents($file);
$var8 = 0;
preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $file, $var8);

for (;$interator_1<$enc_str_len;) {
if (count($var8)) exit;

Note that the for loop is the loop to decode each character of the PHP code.

This is a nice little anti-analysis function. First, it grabs the contents of itself in the first two lines. Then, it initializes $var8 to 0. Next, it looks for a regular expression in the contents of the current file, setting $var8 to the number of occurences found. The regular expression is a base64 encoded string. What does it decode to?

/(print|sprint|echo)/

So, its looking for any occurence of print, sprint or echo within the file. Then, in the decoding loop, if any occurences ($var8 > 0) are present the program exits. Simple technique to make analysis more difficult.

Of course, its pretty easy to bypass as well. :)

Another Odd SQL Injection Attack

2009-03-09T21:48:00.003-04:00

In my last post, I talked about a large SQL injection attacked launched against a site I help run. Well, last night it happened again.

On 3/8/09 from 10:56 GMT to 11:40 GMT, the website I help run received over 3100 SQL injection attacks from close to 2 dozen IP addresses. The query received this time was:

/modules.php?name=-1+AND+2=2+UNION+ALL+SELECT+0x3065376332613738353864303833656636636535323337343330636466343033,
0x3a3a7865512d312d7465643a3a,0x3a3a7865512d322d7465643a3a,0x3a3a7865512d332d7465643a3a,0x3a3a7865512d342d7465643a3a,
0x3a3a7865512d352d7465643a3a,0x3a3a7865512d362d7465643a3a,0x3a3a7865512d372d7465643a3a,0x3a3a7865512d382d7465643a3a,
0x3a3a7865512d392d7465643a3a,0x3a3a7865512d31302d7465643a3a,0x3a3a7865512d31312d7465643a3a,0x3a3a7865512d31322d7465643a3a,
0x3a3a7865512d31332d7465643a3a,0x3a3a7865512d31342d7465643a3a,0x3a3a7865512d31352d7465643a3a,0x3a3a7865512d31362d7465643a3a,
0x3a3a7865512d31372d7465643a3a,0x3a3a7865512d31382d7465643a3a,0x3a3a7865512d31392d7465643a3a,0x3a3a7865512d32302d7465643a3a,
0x3a3a7865512d32312d7465643a3a,0x3a3a7865512d32322d7465643a3a,0x3a3a7865512d32332d7465643a3a,0x3a3a7865512d32342d7465643a3a,
0x3a3a7865512d32352d7465643a3a,0x3a3a7865512d32362d7465643a3a,0x3a3a7865512d32372d7465643a3a,0x3a3a7865512d32382d7465643a3a,
0x3a3a7865512d32392d7465643a3a,0x3a3a7865512d33302d7465643a3a,0x3a3a7865512d33312d7465643a3a,0x3a3a7865512d33322d7465643a3a,
0x3a3a7865512d33332d7465643a3a,0x3a3a7865512d33342d7465643a3a,0x3a3a7865512d33352d7465643a3a,0x3a3a7865512d33362d7465643a3a,
0x3a3a7865512d33372d7465643a3a,0x3a3a7865512d33382d7465643a3a,0x3a3a7865512d33392d7465643a3a,0x3a3a7865512d34302d7465643a3a,
0x3a3a7865512d34312d7465643a3a,0x3a3a7865512d34322d7465643a3a,0x3a3a7865512d34332d7465643a3a,0x3a3a7865512d34342d7465643a3a,
0x3a3a7865512d34352d7465643a3a,0x3a3a7865512d34362d7465643a3a,0x3a3a7865512d34372d7465643a3a--

The User-Agent this time was Mozilla/5.0.

There are a couple interesting things to note on this attack. First is the use of the double-dashes at the end of the SQL injection. Double-dashes are used in MySQL and SQL Server queries to comment out and ignore the rest of the line.

Next, if we assume that the hex values decode into the attack then the database being attacked must decode them somehow. Since the SQL does not use a CAST operator, which SQL Server requires to convert hex into characters, and only has the hex values, then we can infer the database being attacked is MySQL. (Note that I'm basing some of this on my knowledge and previous use of SQL injection attacks from my job - I could very well be wrong on this.)

The hex encoded values are interesting. If we decode them from hex into ASCII characters, we get the following query:

/modules.php?name=-1+AND+2=2+UNION+ALL+SELECT+0e7c2a7858d083ef6ce5237430cdf403,
::xeQ-1-ted::,::xeQ-2-ted::,::xeQ-3-ted::,::xeQ-4-ted::,::xeQ-5-ted::,::xeQ-6-ted::,
::xeQ-7-ted::,::xeQ-8-ted::,::xeQ-9-ted::,::xeQ-10-ted::,::xeQ-11-ted::,::xeQ-12-ted::,
::xeQ-13-ted::,::xeQ-14-ted::,::xeQ-15-ted::,::xeQ-16-ted::,::xeQ-17-ted::,::xeQ-18-ted::,::xeQ-19-ted::,::xeQ-20-ted::,::xeQ-21-ted::,
::xeQ-22-ted::,::xeQ-23-ted::,::xeQ-24-ted::,::xeQ-25-ted::,::xeQ-26-ted::,::xeQ-27-ted::,::xeQ-28-ted::,
::xeQ-29-ted::,::xeQ-30-ted::,::xeQ-31-ted::,::xeQ-32-ted::,::xeQ-33-ted::,::xeQ-34-ted::,::xeQ-35-ted::,
::xeQ-36-ted::,::xeQ-37-ted::,::xeQ-38-ted::,::xeQ-39-ted::,::xeQ-40-ted::,::xeQ-41-ted::,::xeQ-42-ted::,
::xeQ-43-ted::,::xeQ-44-ted::,::xeQ-45-ted::,::xeQ-46-ted::,::xeQ-47-ted::--

I'll admit that this has me stumped. Due to the pattern, the hex appears to be decoded correctly. However, I cannot make heads or tails of what is being attempted here. Interestingly, googling for "::xeQ-1-ted::" brings up a number of entries which look like an attack similiar to this one may have succeeded on other sites.

So, anyone have any ideas for this one?

Odd SQL Injection Attack

2009-03-03T21:09:00.009-05:00

Updated 3/9/09.

Last night, from 21:21 EST to 21:41 EST a website I help run received over 1300 SQL injection attempts from less than a dozen IP addresses. This is a pretty popular site so its not uncommon for us to get hit with injection attacks, but its rare for us to get this hard.

Normally I would brush it off as an unsuccessful botnet attack, but the SQL injection is bugging me as I can't figure out what the purpose is. The query we recieved was as follows:

/modules.php?name=news&new_topic=9\' and 1=2 union select
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c) and \'1\'=\'1

The user-agent was "NV32ts".

This is an attack on PostNuke, which the site does run. However, the number of CONCAT's are what I'm stumped on (as well as some others I've asked).

The CONCAT(0x27,0x7c,0x5f,0x7c) statement decodes to:

'|_|

When you combine them all together, you get the following statement:

/modules.php?name=news&new_topic=9\' and 1=2 union select
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_| and \'1\'=\'1

The underscore in MySQL can be used as a single-character wildcard, which could further decode the injection to:

/modules.php?name=news&new_topic=9\' and 1=2 union select
'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,
'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,
'||,'||,'||,'||,'||,'||,'|| and \'1\'=\'1

In reading that, its potentially a bunch of logical OR statements (the double pipes) with some single quotes. But to me it still looks like it will generate at error.

I've googled the CONCAT statement and the user-agent and there are a bunch of hits, but nothing which gives me any information. In fact, it looks like there have been a number of attacks using this string. But, that doesn't give me the purpose of the injection string above. This is what I (and some others) have come up with:

This was meant to generate a SQL error to see if a site is vulnerable. If thats the case, why so many hits in such a short period of time?
The attacker was trying to evade IDS/IPS/protections, but made a mistake.
The attacker just doesn't know what they are doing at all.

I'm open to any ideas.

UPDATE

I received alot of responses on my previous SQL Injection. Thanks to everyone who did. For the most part, most came to the same conclusion as I did that the injection was either to generate an error or it was a mistake on the attacker's part.

As for the user agent, NV32ts, I've confirmed that it is a known signature of a botnet. I am currently trying to dig up any samples on it.

InetSim Installation

2009-02-11T09:22:00.013-05:00

For a project I'm working on*, I've been looking at network simulation software to use in malware analysis. The most common one out there is Truman, written by Joe Stewart. However, Truman has some shortcomings - the biggest being it doesn't have an HTTP server and it hasn't been updated since it was released. So, I wanted to try a different one and that let me to InetSim.

InetSim has a number of software packages that need to be installed before it works. For my benefit, and I guess others as well, I'm documenting the process I took to install it on my Gentoo Linux system.

InetSim has the capability to do connection redirection, but some options have to be compiled into the kernel first. Specifically, the Netfilter NQUEUE over NFNETLINK interface (CONFIG_NETFILTER_NETLINK_QUEUE) and IP Userspace queueing via NETLINK (CONFIG_IP_NF_QUEUE) need to be compiled in. I compiled them directly into the kernel, but they could be modules as well.

Obviously, after re-compiling and installing your kernel (if needed), you should make sure that iptables is installed.
A number of Perl modules need to be installed. Fortunately, most of these are in the Portage repository and can just be emerged:
# emerge -av perl-Getopt-Long perl-libnet perl-Digest-SHA perl-digest-base perl-Digest-MD5 MIME-Base64 Net-DNS net-server
There were two Perl libraries which were not in Portage that needed to be installed from source. The first was IPC::Sharable which is located in CPAN here. Once downloaded, installation was easy:
# tar zxvf IPC-Shareable-0.60.tar.gz
# cd IPC-Shareable-0.60
# perl Makefile.PL
# make
# make test
# make install
The next required Perl library, Perlipq, took a little longer. This is a library used to interface with the packet queueing on the system for redirection. Initially, it could not find the libipq.h file in the correct location but a manual edit of the Makefile (shown below) fixed that. Perlipq is downloaded from here.
# tar zxvf perlipq-1.25.tar.gz
# cd perlipq-1.25
# perl Makefile.PL
At this point, the Makefile.PL prompts you for the location of the iptables development components. Specifically, its looking for libipq.h. It doesn't matter what we enter here as the Makefile will not find it in the correct place. Enter in some text and let the script finish.

Once the script is finished, edit the Makefile. On line 145 is the following include line:
INC = -I
This is the directory which will find libipq.h. Change it to the following:
INC = -I/usr/include/libipq
/usr/include/libipq is where libipq.h should be located. If you are unsure, run 'locate libipq.h' to see where its at. After saving the Makefile, installation can continue.
# make
# make install
Optional: If you want to make sure you have all of the necessary Perl modules loaded, run the following Perl script:
use Getopt::Long;
use Net::Server;
use Net::DNS;
use IO::Socket;
use IO::Select;
use IPC::Shareable;
use Digest::SHA1;
If there are no failures, you're good to go.
At this point, all of the pre-requisites should be installed and InetSim installation can proceed. The latest version of InetSim at the time of this writing is 1.1 and is located here. Download it an untar it into a central location - I chose /usr/local.
# tar zxvf inetsim-1.1.tar.gz
# mv inetsim-1.1 inetsim
# cd inetsim
Note: I renamed the default directory for my own benefit, this is not necessary.
InetSim uses the nobody user to run its servers. Nobody should be installed by default - but you better make sure.
A group named inetsim is also required by InetSim to run. This should be created as follows:
# groupadd inetsim
InetSim comes with a setup.sh script which modifies permissions of all the files as needed.
# sh setup.sh
If you plan on running InetSim from a script, chances are you will need to modify a small piece of the inetsim program. On line 12 of the inetsim script is the use lib Perl code which tells the script where to find the InetSim modules. In its original form, it is a relative path to the lib directory. It should be changed to an absolute path similar to the following:
use lib "/usr/local/inetsim/lib";

At this point, InetSim should be installed and ready to run. The default configuation file is located in conf/inetsim.conf and I highly recommend reading and modifying it to fit your environment. However, you should be able to use the default configuration file to test out your installation.

# /usr/local/inetsim/inetsim --session test

A number of messages of servers starting will stream by. If you don't see any errors, you are good to go!

* My new project - thanks ax0n!:

Strings and update

2009-02-05T14:54:00.004-05:00

Its been a while since I posted anything so I wanted to get something up here.

First, in my last post I mentioned how I use the strings utility when analyzing binaries. The utility will allow you to view embedded strings within a binary. By default, it only shows ASCII strings. The problem with this is that in Windows binaries, there are usually embedded strings encoded in UNICODE, and by default, strings will not show them. To get around this, I was using SysInternal's strings utility with wine on my Linux system.

However, in a comment craigb stated that you can change the encoding strings looks for with the -e option. Here is a snippet from the strings man page:

-e encoding
--encoding=encoding
Select the character encoding of the strings that are to be found.
Possible values for encoding are: s = single-7-bit-byte characters
(ASCII, ISO 8859, etc., default), S = single-8-bit-byte characters,
b = 16-bit bigendian, l = 16-bit littleendian, B = 32-bit bigen-
dian, L = 32-bit littleendian. Useful for finding wide character
strings.

By running strings using different encodings both ASCII and UNICODE strings in a Windows binary can be found. To do so, I whipped up a little Bash script which I now use whenever I want to pull strings from a binary:

#!/bin/bash

(strings -a -t x $1; strings -a -e l -t x $1) | sort

The script, which I named mystrings, takes the file to scan as a command line option. It then runs strings against it two times - the first time looking for ASCII strings and the second looking for UNICODE (16-bit little endian actually) strings. The -t x options prints the hex offset of the string within the file. After the strings commands run, they are run through the sort program and displayed.

My concern with this was the Linux strings would miss something that the SysInternal's strings would pick up. So, I ran a test where both programs were run against the same file. The output was the same! Woohoo!

In other news, I'd like to announce I got a new job starting at the beginning of the year (which is pretty much the reason I have not been posting). Those who know me know where I went to, so I won't go into details here. However, I've gotten into my groove and should be posting more soon.

Internal Laughs

2008-12-12T09:22:00.003-05:00

Most malware that I look at these days is packed, sometimes double-packed, in order to hide whats inside. When they aren't packed, many times the strings inside the binary are encoded or encrypted so a strings program can't see what is going on.

Sometimes, however, if you wish REALLY hard and REALLY believe, you come across a gem like the one I looked at last night. I was notified of a piece of malware sitting on a server from one of my many sources I have. After downloading it, one of the first things I did was run the Sysinternals strings* utility against it. I found some interesting things:

C:\Documents and Settings\James\Desktop\MSN Pass Stealer\Stub\Project1.vbp

Hello AV Companies, Please Call Me

Hello AV Companies, Please Call Me Win32.MSNPassSteal.VB Thank You!

Its so nice to see things like this at times. While I'm pretty sure James didn't write this particular piece of malware, he probably did modify the source (MSN password stealer source code is easy to find) and compiled it.

James - if you are reading this let me give you some advice. First, learn how to use your compiler and how to turn off the debugging features that are turned on by default. Second, AV companies are not going to name your malware something you want. None of them did.

And finally, if you are going to use a user ID to post the results under, don't make it unique. Our intrepid fellow put the website the stolen credentials would post to as well as the user ID to use. While I'm not 100% sure it's James' ID (whh is why I didn't show it), it is very unique and can be traced back to a single user.

Then again, James, don't follow my advice. It'll be easier to catch you that way. :)

* Even though I do 99% of my static analysis on Linux, I prefer the Sysinternals strings program because it can grab unicode strings and to my knowledge the Linux strings cannot. It works just great under wine. If anyone knows of a Linux strings program that can grab unicode strings, let me know.

Enhancing Your Skillz...

2008-11-24T14:55:00.006-05:00

I remember one of the questions I was asked in my first security job interview was "Why do you want to work in information security?" My response: because it changes on a daily basis and you have to stay on your toes. (This was also my response for "why don't you like security?")

Since then, I have always been searching for ways in which I could increase the security skills I have. Training courses, reading blogs/articles/books and networking are a great way to increase your security skills but I have always thought that there is more to security than knowing how to read a TCP packet, how a buffer overflow works or how to perform a SQL Injection attack.

If you work in Information Security you also have to have great analytical skills. You need to be able to "think outside the box", attack problems from a point of view or look at a log file and discern a pattern which someone else might not see. IMO, you can't learn these skills from reading an article or taking a training course.

However, I have found that playing games is an excellent way to increase your security analytical skills. How? A lot of games focus on strategy or pattern discernment and can help train your mind for these tasks. The following are games that I've personally played and found helpful in these areas.

Note: While I am a geek and love video games, I have specifically excluded these types of games from the following list. There are a number of reasons, but mostly because when it comes down to it, most video games are about reflexes not strategy (there are, of course, exceptions).

Set - Set is a card game where 12 cards are laid out on the table and you have to be the first person to find a set of three cards. A set consists of three cards that are either all alike or all different in each attribute (quantity, shape, shading and color). Sound easy? Not really. Set teaches your mind to attempt to focus on a number of different areas at once and discern a pattern. Great addictive game. Play it online too.

MindTrap - I love logic puzzles. To me, they are the ultimate in causing myself to "think outside the box" since most solutions aren't the obvious ones and require some thinking. Mindtrap takes logic puzzles and puts them into game form.

Puzzles for Hackers - Not a game per say, this book contains lots of puzzles designed for hackers and security professionals. It features encryption puzzles, reverse engineering and logic puzzles. I highly recommend it.

Hacker - OK, this probably isn't the best example for games in these categories...but I think this is a must have for all info sec professionals, given the history behind it.

Granted, these are only a small number of the games with potential to help us security folk. My point to all of this is that you don't just need to read a book or take a class to train yourself for your job...there are alternatives out there. And fun ones at that.

Anyone have any good games they want to share?

Malware Challenge Results

2008-11-20T16:01:00.002-05:00

After longer than I would have liked, the malware challenge results are in and posted!

There were alot of great submissions but unfortunately, we could only choose so many to receive prizes. In the end, we looked at the ones we felt gave the most information, presented it the best and would allow someone to learn from their paper.

Some quick stats on the challenge, we had over 900 downloads of the malware sample. Fortunately, we didn't have that many submissions. Most of the hits on the site came from the US, followed by Romania and Russia. Also, over 50% of the hits on the site were from Firefox!

I'd like to send a thank you to all the sponsors who donated prizes. Without them, we would not have been able to have such a great turnout. We're already thinking about the 2009 Challenge!

Any suggestions on how we could have done better? Send them our way!

Quick Update

2008-11-04T21:29:00.002-05:00

Hello all - I haven't posted in a while and for good reason. I've been busy with a very interesting job at work that I hope to be able to talk about some day. Right now I can't (client privacy and such) but I can guarantee it will make an amazing story some day.

It is because of this job that I was unable to make it to the NE Ohio Information Security Summit. I apologize to everyone who thought I would be there and I have to commend and profusely thank Greg for taking over our presentations by himself and coming up with one at the last minute. Greg is an amazing speaker and friend and I'm glad he had packed crowds in both sessions.

As for the malware challenge, we were supposed to announce the winners at the summit. However, due to my being absent we decided to (wisely I think) postpone announcements until the next NE Ohio Information Security Forum meeting on November 19th. I invite everyone to come out as we will be giving out prizes there and announcing the winners (and will announce them on the site shortly after).

I will have some interesting news in the next couple weeks and am starting on a few projects I will be blogging about. For those who have stuck with my blog, thanks. I hope not to disappoint you. :)

Phishing with Malware

2008-10-15T14:35:00.007-04:00

I've been pretty busy lately with work and the malware challenge (only 11 days left!) but I figured I'd post something which came across my inbox today. Wachovia has been getting alot of phishing attempts against it which lead to a page trying to get you to install a security update, which is actually malware. I guess the bad guys decided that Wachovia had enough and decided to turn their sites on Key Bank.

I received the following email supposedly from Key Bank asking that I update my system now.

Clicking on the link took me to the following page, which is NOT located on Key Bank's website.

If you wait long enough it will refresh itself to the executable, but by clicking on the link the page will attempt to download and run (with user acceptance) the malware and will open up another browser window to the actual Key Bank login page. This page IS on Key Bank's website, but note that Key Bank is NOT compromised.

What has happened is when the user installs the "update" the initial malware loaded downloads another one which installs itself as a service on the system. This new service then watches for any credentials sent. What happens when it gets one?

This isn't a new method for doing things - its been around for a while. However, this is the first time I've seen this specific attack (from this group) directed at Key Bank. Trend Micro has a posting about the same attack against a German bank.

Malware Challenge Contest In Full Swing!

2008-10-02T09:48:00.003-04:00

The malware challenge contest began yesterday and from what we can tell its very popular. According to our logs, we had over 100 downloads of the malware for the challenge from over a dozen countries.

For those who don't know yet, the malware challenge is a contest to analyze a piece of malware and find out what it does. The contest runs from October 1 to October 26 and the results will be presented at the Ohio Information Security Summit. Of course, we have lots of cool prizes to give away!

We have made the contest so that if you are new to malware analysis you'll still have a great shot at winning prizes. We're going to be looking more at the way people analyze the malware as opposed to if they get the right answers. In other words, if you unsure about it still participate. The worst that can happen is you learn something in the process and win a cool prize!

Also, thanks to all who have been helping advertise it! Without you no one would know about the contest.

I look forward to seeing everyone's submission!

OWASP NYC AppSec Recap

2008-09-29T10:48:00.002-04:00

The OWASP NYC AppSec conference was this past week and I was lucky enough to be one of the speakers there. Overall, the conference was great and OWASP did a tremendous job doing everything they could to make the conference go as smoothly as possible. The organizers should be commended for the job they did.

In the opening keynote, the organizers stated that this was the largest web app security conference in the world and I could see why. I believe there were over 800 people at the conference and every talk I went to was packed. While I went to many talks, there are a few that really stood out. They are:

Malspam - Garth Bruen, knujon.com - Garth talked about what knujon has been able to accomplish over the last few months and its been quite impressive. He has been gathering alot of data on illicit networks and has found a clear link between porn, drugs and malware on the Internet. He gave one example of where an illegal pharma site was shut down and two days later it was serving up porn and malware.

Security Assessing Java RMI - Adam Boulton, Corsaire - This was an excellent talk on how to assess the Java Remote Method Invocation (RMI) APIs/tools/whatever from Sun. Basically, RMI is a distributed computing API for Java and has been part of the core JDK since 1.1 (java.rmi package). Its analogous to .NET, RPC or CORBA. Adam went over some methods for attacking RMI apps and previewed a tool of his named "RMI Spy" which (I believe) he'll be releasing.

Flash Parameter Injection - Ayal Yogev & Adi Sharabani, IBM - This talk was about how to inject your own data into flash applications, the result being XSS, XSRF, or anything you can think of to attack the client. Basically, Flash applications have global variables which can be assigned as parameters when loading the flash movie in a web page. If the global variables are not initialized properly (and they usually aren't) then attackers can load their own flash apps and own the client.

APPSEC Red/Tiger Team Projects, Chris Nickerson - The next talk was probably one of the best I attended at the conference. Chris Nickerson was one of the guys on the ill-fated Tiger Team show and is a really cool guy - I talked to him for some time at the OWASP party the night before. He stated in his talk that pen testing applications does not show how a "real world attack" would happen. By performing a red/tiger team approach to an application test, you are able to show the client how an attack would occur and how their app would be broken into. In other words, if someone wants the data in an app they're not just going to bang on it from the Internet - they're going to go to the client site and try to get information from there through various methods.

Of course, those are brief descriptions of the talks. The conference will be releasing all talks on video so I recommend watching the videos - they will be worth it.

Malware Analysis Contest

2008-09-18T09:38:00.005-04:00

Last night at the NE Ohio Information Security Forum and the Security Justice podcast, I made an announcement about a malware analysis contest that Greg and I are putting on.

Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at http://www.malwarechallenge.info. In the challenge participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes.

We have some great prizes donated by some very cool companies. To only name some, Hex-Rays is donating a copy of IDA Pro and No Starch Press is donating a copy of Chris Eagle's IDA Pro book. Addison-Wesley and KoreLogic Security are also donating prizes (yet to be announced).

I want to emphasize that you don't need to be a malware analysis expert in order to have a chance to win. The challenge is about learning. You don't need to get the answers 100% correct in order to win a prize. The goal is to learn malware analysis skills, try out new tools and have some fun in the process.

We're also looking for more companies to donate prizes. If you think your company would like to donate something for the contest, please contact me.

Please spread the word about the challenge. I'll be posting again once the challenge goes live to remind everyone!

Upcoming Appearances

2008-09-15T10:26:00.002-04:00

As some know, I will be speaking at the OWASP NYC AppSec conference next week on "Automated Web-based Malware Behavioral Analysis". Unfortunately, I'll be presenting over lunch so I'm limiting it to about 20 minutes of talking so people can eat and not listen to me. If anyone wants to get together wile at the conference, let me know.

As always, the NE Ohio Information Security Forum is this Wednesday and I will be in attendance. I encourage anyone to come out and join us. We'll be having lots of great speakers as well as free food and drink. Afterwards, we'll be going to Mavis Winkles to record the next episode of the Security Justice podcast. I'll also be making a special announcement at the forum and the podcast concerning something Greg and I are doing at this year's Ohio Information Security Summit.

Finally, I'd like to thank mubix for having me as a guest poster concerning packers on his blog. Very cool.

Flux Agent Geographic Distribution

2008-09-11T11:26:00.005-04:00

I've been looking into a fast flux botnet for the past day which came in the form of some banking malspam. If you don't know what fast flux networks are, check out the Honeynet Project's Know Your Enemy paper on them - its one of the best resources out there.

I set up a script to resolve the DNS name of the website which held the malware on it. The DNS record expired every 1500 seconds (25 minutes) so my script would perform the lookup, wait 25 minutes. perform another lookup, rinse, repeat. I did this for about 24 hours. The purpose was to see where the flux agents for the botnet were residing.

In the end, I had 88 unique IP addresses acting as flux agents residing in 21 different countries.

Interestingly, while the most were coming from Romania (18), the second largest was from Israel (15) and there were no .edu's in the mix. Remember, these are the flux agents, not the members of the botnet.

I love getting spam, redux

2008-09-10T22:08:00.007-04:00

Back in May I blogged about a site named Knujon, run by Garth Bruen, which was attempting to fight the good fight against spam not by attempting to shut down the spammers themselves, but by attempting to shut down the domains for the sites spam is advertising. His theory is sound, but how effective was it? I signed up for the Knujon service, downloaded a Thunderbird extension to send the spam I received to Knujon and have been watching the reports.

Before I go on, let me just say that with the email accounts that I use Thunderbird to check I probably receive close to 500-1000 spam a day. Thunderbird does a fairly good job of recognizing them as junk and putting them in my Junk folder. When I run my Knujon extension it attaches them to an email and sends it to Knujon to process.

By logging into the site you receive status reports on the emails you have sent them. From the statistics available, you can see how many domains they have received, how many are pending suspension and how many have been suspended.

As of 9/9/08, Knujon has received 7,115 sites from me that were being advertised in spam. So far, 291 domains are pending suspension and 270 domains have been completely removed. Not bad for only 5 months of sending emails.

For the amount of effort that I have had to put in to Knujon (almost none), I am very impressed with the results. Garth Bruen is making alot of progress in his work - according to the site they have shut down 79,500 domains with another 33,671 pending.

I highly encourage everyone to sign up on Knujon.