The blackout…revisited

This year has started with some frights for all of us who have responsibilities in the secure operation of electric power grids. There is, on the one hand, the Israel Electric Authority event. On January 27th we found headlines like these from Fox News.


Apparently the day had come when someone had finally pressed the Doomsday button and sent Israel, or come close to sending it, back to the Middle Ages. However, reality turned out to be more prosaic, and the prophets of the Apocalypse had to sheathe their keyboards again once it was confirmed that, in the end, it was a case of ransomware on equipment belonging to an ordinary IT network, infected through the not-so-elegant technique of phishing. Furthermore, from what I am reading, the partial loss of electric supply for some customers could be attributed to a deliberate decision by the personnel in charge of grid operations, who would have preferred to shed some load instead of facing a complete network collapse. Moreover, it has been stated that the operators reacted that way in the conviction that they were under attack, at a moment when demand was growing at a high rate because of the low temperatures.

[Read more…]

Malcom: Practical exercise on traffic analysis

Malcom (Malware Communication Analyzer) is a tool I have been using for quite some time now and, even though it is quite well documented on several sites, I thought it worthwhile to dedicate an article to it because its latest updates have made it more stable and consistent.

Its main objective is to analyze network traffic connections graphically while simultaneously cross-referencing the data with public or private malware feeds in order to identify malicious nodes (C&C servers, for example), see how the malware tries to communicate with them, analyze possible behavior patterns, understand P2P networks or observe DNS Fast-Flux type infrastructures.


[Read more…]

Wearables, the family grows

Wearables have landed in our lives to entertain us, to make some actions easier and even to control parts of our lives.

Any accessory we wear that interacts with us and our devices in order to carry out a task (be it related to health, sports, entertainment…) is called a wearable.

Even though they have been on the market for several years, 2016 is the year in which the real boom is expected. The proof of it is that at the recently held Mobile World Congress a whole area was dedicated to wearables and the Internet of Things. Furthermore, the same event more than confirmed that wearable technology is rebounding quite strongly and, consequently, will stay trendy for several years.

[Read more…]

The NSA needs your updates

(Please note this is a translated post from the Spanish version, and that 28th December is in Spain the equivalent of April Fools’ Day, so this news was just a joke)

Although this finding is little more than 12 hours old (it appeared yesterday in some Chinese media), it has not taken long to spread through the US specialized media. Among others, ArsTechnica, Bruce Schneier, Wired and Dan Kaminsky have published brief reviews commenting on the recent findings made by Lian Li and Huan Chen, Chinese researchers from Peking University.

Apparently, it all began at the end of 2013, while Li and Chen were performing forensic analysis on three compromised computers. Analyzing different Adobe update packages stored on the computers (suspected to be the infection vector), they detected that all of them had a similar structure: the update package and an encrypted data block C1 that could vary from 65536 bytes to several MBs.

[Read more…]

Solving ‘heap’ from defcon 2014 qualifier with r2

This article will introduce r2 by solving a simple CTF challenge from Defcon ’14 on Linux. For those who do not know it, radare2 is a unix-like reverse engineering framework and set of command-line tools, and the most important thing about it is that it is open source, so we can play with it.

Radare2 gives us the possibility to do reverse engineering and more, for free, as we will see in this post, though we are not going too deeply into the commands. I leave that as an exercise for the reader.

Most people complain about the lack of documentation for r2, but that is far from the truth. Radare has:

  • An open source book to which anyone can contribute.
  • Talks.
  • Asciinema recordings showing usage examples.
  • Appending ? to any command in r2’s console gives you a short help text.
  • A blog.
  • An IRC channel on freenode.net: #radare.
  • Last but not least, the source code.

[Read more…]

Unveiling Nuclear EK (IV)

(See parts I, II and III of this series)

In the previous post we managed to obtain the original SWF, but discovered that the exploit is embedded in a ByteArray. Will we be able to obtain it?

First of all, we must extract the contents stored in the ByteArray. To do this, we need a desktop Flash decompiler: Adobe SWF Investigator (it’s free!). Once installed, we open the last file obtained, uncompressed_exploit.swf. We go to “Tag Viewer” and select “DefineBinaryData” among all the tags. Then we save it by clicking on “Dump to file” and naming it “dump_exploit.bin”, for example.

[Read more…]

Unveiling Nuclear EK (III)

(See parts I and II of this series)

In the previous post we were about to find out why the proxy does not identify the Flash object as application/x-shockwave-flash. Let’s see.

(4) Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs

We extract the object Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs from Wireshark and check what type of file it is:

$ file Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs 
Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs: data

$ file --mime Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs 
Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs: application/octet-stream; charset=binary

$ hexdump Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs -n128 -C
00000000  5a 57 53 17 ad 23 00 00  3a 21 00 00 5d 00 00 20  |ZWS..#..:!..].. |
00000010  00 00 3b ff fc 8e 19 fa  df e7 66 08 a0 3d 3e 85  |..;.......f..=>.|
00000020  f5 75 6f d0 7e 61 35 1b  1a 8b 16 4d df 05 32 fe  |.uo.~a5....M..2.|
00000030  a4 4c 46 49 b7 7b 6b 75  f9 2b 5c 37 29 0b 91 37  |.LFI.{ku.+\7)..7|
00000040  01 37 0e e9 f2 e1 fc 9e  64 da 6c 11 21 33 ed a0  |.7......d.l.!3..|
00000050  0e 76 70 a0 cd 98 2e 76  80 f0 e0 59 56 06 08 e9  |.vp....v...YV...|
00000060  ca eb a2 c6 db 5a 86 7b  47 de 99 5d 68 76 38 16  |.....Z.{G..]hv8.|
00000070  bd 93 3c d3 d0 9e d3 55  63 5a da b0 db 27 e6 7c  |..<....UcZ...'.||
00000080
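The hexdump above shows why `file` (and the proxy) fell back to `application/octet-stream`: the object starts with `ZWS`, the LZMA-compressed SWF signature, which a checker that only knows the `FWS`/`CWS` magics will not recognise. The following Python script is an added example, not code from the post: it parses the SWF header for all three signatures (including the ZWS fields, using the 32 bytes transcribed from the hexdump above as sample input), shows the difference between a classifier that knows ZWS and one that does not, and, for part IV of this series, walks the tag list of an uncompressed or zlib-compressed SWF to pull out every DefineBinaryData tag, which is what the "Dump to file" step in SWF Investigator does by hand. The tag layout (code 87, a UI16 tag id and a UI32 reserved field before the data) follows the SWF file format specification; the `build_sample_swf` helper is a constructed test input, not a real sample.

```python
import struct
import zlib
from typing import Dict, Iterator, Optional, Tuple

# The three SWF container signatures and the compression each one implies
SWF_SIGNATURES = {
    b"FWS": "none",  # uncompressed
    b"CWS": "zlib",  # zlib-compressed body (Flash 6+)
    b"ZWS": "lzma",  # LZMA-compressed body (Flash 13+); the case in this post
}
DEFINE_BINARY_DATA = 87  # tag code of DefineBinaryData in the SWF specification

# First 32 bytes of the object above, transcribed from the post's hexdump
SAMPLE_ZWS_HEADER = bytes.fromhex(
    "5a 57 53 17 ad 23 00 00 3a 21 00 00 5d 00 00 20 00 "
    "00 3b ff fc 8e 19 fa df e7 66 08 a0 3d 3e 85"
)


def classify(data: bytes, signatures=SWF_SIGNATURES) -> str:
    """MIME type a content filter should assign. Pass signatures={b"FWS", b"CWS"}
    to reproduce a checker that does not know the LZMA flavour."""
    if data[:3] in signatures:
        return "application/x-shockwave-flash"
    return "application/octet-stream"


def parse_swf_header(data: bytes) -> Optional[dict]:
    """Parse the 8-byte common header (plus the ZWS extension); None if not SWF."""
    sig = data[:3]
    if len(data) < 8 or sig not in SWF_SIGNATURES:
        return None
    info = {
        "signature": sig.decode("ascii"),
        "compression": SWF_SIGNATURES[sig],
        "version": data[3],
        "uncompressed_length": struct.unpack_from("<I", data, 4)[0],
    }
    if sig == b"ZWS":
        if len(data) < 17:
            return None  # the ZWS header is 17 bytes; anything shorter is truncated
        props = data[12]  # LZMA properties byte, encoded as (pb * 5 + lp) * 9 + lc
        info["compressed_length"] = struct.unpack_from("<I", data, 8)[0]
        info["lzma"] = {
            "lc": props % 9,
            "lp": (props // 9) % 5,
            "pb": props // 45,
            "dict_size": struct.unpack_from("<I", data, 13)[0],
        }
    return info


def iter_tags(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, payload) for each tag of an uncompressed SWF body
    (everything after the 8-byte header)."""
    nbits = body[0] >> 3                 # RECT: 5-bit Nbits, then 4 fields of Nbits bits
    pos = (5 + 4 * nbits + 7) // 8 + 4   # skip RECT, UI16 frame rate, UI16 frame count
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:               # long header: a UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                    # End tag terminates the list
            break


def extract_binary_data(swf: bytes) -> Dict[int, bytes]:
    """Return {tag_id: data} for every DefineBinaryData tag of an FWS or CWS file,
    i.e. what 'Dump to file' in SWF Investigator produces for that tag."""
    hdr = parse_swf_header(swf)
    if hdr is None:
        raise ValueError("not an SWF file")
    if hdr["compression"] == "lzma":
        raise ValueError("ZWS: decompress the LZMA body first, then pass an FWS")
    body = swf[8:] if hdr["compression"] == "none" else zlib.decompress(swf[8:])
    blobs = {}
    for code, payload in iter_tags(body):
        if code == DEFINE_BINARY_DATA:
            tag_id = struct.unpack_from("<H", payload, 0)[0]
            blobs[tag_id] = payload[6:]  # UI16 tag id, UI32 reserved, then the data
    return blobs


def build_sample_swf(blob: bytes, tag_id: int = 1, compress: bool = False) -> bytes:
    """Constructed minimal SWF holding one DefineBinaryData tag (test input only)."""
    rect = b"\x00"                          # Nbits = 0: a zero-size stage in one byte
    frame = struct.pack("<HH", 0x0C00, 1)   # 12.0 fps (8.8 fixed point), one frame
    tag_body = struct.pack("<HI", tag_id, 0) + blob
    tag = struct.pack("<HI", (DEFINE_BINARY_DATA << 6) | 0x3F, len(tag_body)) + tag_body
    body = rect + frame + tag + struct.pack("<H", 0)   # End tag closes the list
    length = struct.pack("<I", 8 + len(body))          # always the uncompressed length
    if compress:
        return b"CWS" + bytes([10]) + length + zlib.compress(body)
    return b"FWS" + bytes([10]) + length + body


if __name__ == "__main__":
    print(classify(SAMPLE_ZWS_HEADER), classify(SAMPLE_ZWS_HEADER, {b"FWS", b"CWS"}))
    print(parse_swf_header(SAMPLE_ZWS_HEADER))
    print(extract_binary_data(build_sample_swf(b"constructed payload", tag_id=3)))
```

On the sample bytes the parser reports version 23, an uncompressed length of 9133 bytes, 8506 bytes of LZMA data and the usual LZMA parameters (lc=3, lp=0, pb=2, 2 MiB dictionary), while the two-signature classifier still answers `application/octet-stream`, exactly the gap the proxy showed. The ZWS body is a bare LZMA stream with no container, so Python's `lzma` module cannot read it directly; it has to be wrapped in a `.lzma` "alone" header (the 5 property bytes followed by an 8-byte uncompressed size) before `lzma.decompress(..., format=lzma.FORMAT_ALONE)` will accept it, after which the result can be re-prefixed with an `FWS` header and fed to `extract_binary_data`.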

[Read more…]

Unveiling Nuclear EK (II)

In the first part, we got an example of the case we want to analyze. Having the HTML files extracted with Wireshark, we can start the analysis.

(1) index.php


Simple; it redirects to (2) http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/watch.php?kcppp=MTE3NzU5ODg2Nzk3NjRlY2M0MmJiNDk3M2NmZGVkM2Fl.

[Read more…]

Unveiling Nuclear EK (I)

When analyzing network traffic, we can often find patterns belonging to the already known Angler EK, Nuclear EK and Magnitude EK.

Normally sold on the black market, an Exploit Kit (EK) is a toolset that automates the exploitation of vulnerabilities on the client side, aimed at browsers and at plugins that a website can invoke, such as Adobe Flash Player, Microsoft Silverlight, Adobe Reader, Java, etc., to infect computers while they browse the Internet, in what are called drive-by download attacks.

These patterns can be detected by Snort rules such as:

ET CURRENT_EVENTS Cushion Redirection
ET CURRENT_EVENTS Possible Nuclear EK Landing URI Struct T1
ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit Aug 07 2014
ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014

[Read more…]

Yara for Incident Handling: a practical case

Yara is an initiative that has become more and more popular for incident handling, especially over the last year. This project has been widely discussed on this and other blogs.

Here I’m going to show you a practical example of its use in incident handling triggered by ransomware. Over the last months there has been an increase in this type of malware which, in spite of the many warnings from those of us working in security and incident handling, is still having quite a big impact. Fortunately, in the most recent ransomware incidents in which I have been involved, the compromise has only affected one user each time, which allowed us to focus more on the scope of the encrypted files than on identifying which machines may have been compromised.

Extension identification

One of the first cases we were involved in was an incident with CTB-Locker. On this occasion, a user reported a message appearing on his desktop informing him that his files had been encrypted and asking for a ransom to recover them. Once part of the incident had been contained by disconnecting the machine from the network and identifying it as the only one affected (let’s not go into that here), we went on to determine which files had been encrypted and which ones could be recovered (we would never recommend paying the ransom).

[Read more…]