Increase of RFI attacks using Google

(Please note this post was originally published on the 10th of January in the Spanish version of SAW; we find it relevant and could not find time to translate it until now ;)

Lately we have been detecting a significant increase in Remote File Inclusion [1] attacks that repeat the same pattern in their payload: the injected URL is always the same, http://www.google.es/humans.txt. Although the content of this file is not malicious, the number and frequency of the alerts being detected show that a reconnaissance campaign is underway.

The attacking IP addresses are located worldwide (up to 10 countries have been detected, including Spain), which may indicate that one or more botnets are behind this attack. On average, over a period of 10 days, each of these IPs has attacked about 12 targets, generating between 2000 and 5000 alerts each.
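An added check, not part of the original post, that applies the pattern above to web server logs: it flags any query parameter carrying a remote URL and separately counts hits on the google.es/humans.txt indicator per source IP. It assumes Apache combined log format; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qsl

# Constructed sample of Apache combined-format access log lines (not real traffic):
# two requests carrying the recon URL, one path traversal, one normal page and one
# legitimate redirect parameter that also carries an absolute URL.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2014:10:01:02 +0100] "GET /index.php?page=http://www.google.es/humans.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2014:10:01:03 +0100] "GET /news.php?id=http://www.google.es/humans.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2014:10:02:10 +0100] "GET /view.php?file=../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.30"
192.0.2.44 - - [12/Jan/2014:10:03:00 +0100] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jan/2014:10:03:01 +0100] "GET /redirect.php?url=https://example.org/landing HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log layout: client ip, identity, user, [timestamp], "method path protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
URL_SCHEMES = ("http://", "https://", "ftp://")
# The reconnaissance indicator described in the post.
RECON_URL = "http://www.google.es/humans.txt"


def rfi_candidates(line):
    """Return (ip, param, value, is_recon) for each query parameter whose value is a remote URL."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    for name, value in parse_qsl(urlparse(m.group("path")).query, keep_blank_values=True):
        if value.lower().startswith(URL_SCHEMES):
            # RFI payloads often append "?" so that whatever the script concatenates
            # becomes a query string of the remote URL; strip it before comparing.
            hits.append((m.group("ip"), name, value, value.rstrip("?").lower() == RECON_URL))
    return hits


def scan(log_text):
    """Summarise RFI-style requests per source IP: how many, which parameters were hit,
    and how many match the google.es/humans.txt recon pattern."""
    per_ip = defaultdict(lambda: {"rfi_hits": 0, "recon_hits": 0, "params": set()})
    for line in log_text.splitlines():
        for ip, name, value, is_recon in rfi_candidates(line):
            per_ip[ip]["rfi_hits"] += 1
            per_ip[ip]["recon_hits"] += int(is_recon)
            per_ip[ip]["params"].add(name)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, summary in scan(SAMPLE_LOG).items():
        print(ip, summary)
```

The redirect parameter shows why the generic "URL in a parameter" heuristic alone is noisy: the recon counter is what separates the campaign from ordinary traffic.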


Solution to the challenge

A few days ago we posed a new challenge: find out what techniques or tricks were lately being used to install malware. To get this information, we only had a compressed file that had been captured.

When we open the file attachment.rar we see that there are three images of Roman ruins: “0.jpeg”, “1.png” and “3.jpg”.

Looking closely at these pictures, the only strange thing we observe is that there are Roman numerals in the bottom right corner of two of them (“II” and “IV”), and also that one picture seems to be missing (number “2”), because after number “1” we only have number “3”.


New challenge: mail captured.

After some time without any challenge, we come back with a new case in which we have to put into practice some techniques that can be used to extract hidden information from apparently “normal” files.

In this case, we have captured an e-mail (with the attachment attachment.rar) belonging to a gang accused of exploiting vulnerabilities in different systems in order to install malware and spy on everything that users do on their machines.

Although at first glance the captured file (attachment.rar) only appears to contain three images, we believe that it hides some instructions or tips that reveal how they are installing the malware.

As usual, we have provided two rar files that require a password to be opened. The first one (validator1.rar) opens with the solution to part 1 of the challenge, and the second one (validator2.rar) with the solution to the second part. Please note that the challenge is not to crack these two files: they only let you check whether you have reached the right solution. On this occasion, to solve the second part you must have solved the first one.

As always, the solution will be published in a few days on the blog. Anyway, if we see that there are questions about the challenge, we will publish some tips before the solution.

I hope you enjoy this challenge ;)

Targeted Attack Analysis – Mirage

Between the 25th and the 27th of November, some public institutions in Europe were affected by a wave of targeted attacks (TAs). These attacks, carried out through e-mail, were very interesting: they made use of an infrastructure that had already been used in the past in other malware campaigns.

Infection
As in most of these attacks, the infection vector was a spearphishing campaign. The e-mail messages had an MS Word document attached, and this document contained an embedded exploit for a vulnerability that has been known since 2012, more specifically CVE-2012-0158.

The domain in the “FROM” field of the e-mails belongs to one of the most well-known humanitarian organizations, which made the e-mail messages look completely reliable.

The subjects of the different e-mails referred to dates close to those of the attacks, except for one of them, which advertised the “Top 10 Cities with the Most Beautiful Women”… quite appealing.

Fw: 2013-11-27
Fw: Top 10 Cities with the Most Beautiful Women
RV: Teheran 2013-11-25

The same references appeared in the names of the attached files.

27-11-2013.doc
20131125.doc
Top 10 Cities with the Most Beautiful Women.doc

Thanks to the existing patching and updating policies, the attack had no impact: the MS Word document exploited an old vulnerability in ActiveX controls that allows remote code execution, but this vulnerability had already been patched in April 2012.

Hashes
After calculating the hash of each file, it became obvious that we were dealing with only two different documents.

1598f39b5d670eb0149141df7bbcc483
60fd6b6bcf73586284ab8c403c043c6e

After checking these MD5 hashes at VirusTotal, we could see that someone had already uploaded them. Therefore, from that moment onwards, the samples were treated as public information.

I will now briefly break down the analysis. This is not a complete analysis of the samples; I will only show the information that we used to solve the incident.

The following files were dropped after the execution of each of the two documents.

I have highlighted in red the files that malwr.com considered malicious. Even though these files share their names, their hashes are not equal. We will see why later on.

Even so, cross-referencing these with the previous tables, some identical files can be found.

The reception of the different e-mails in such a tight time window, together with the download of some identical files when opening the documents, indicates that both attacks are probably related.

If you want to take an in-depth look at the analyses, you can find them in the following links at malwr.com:
1598f39b5d670eb0149141df7bbcc483 @ malwr.com
60fd6b6bcf73586284ab8c403c043c6e @ malwr.com

Domains
After executing the files in a Cuckoo sandbox and infecting a virtual machine by manually running the files named “kav.exe”, we were able to see that each sample connected to a different domain:

yahoo.offlinewebpage.com
link.antivirusbar.org 

This explains why, even though the behavior is the same in both files, the MD5 hash of each is different.

In addition, thanks to information received from external sources, the following domain can also be added to this list:

ks.pluginfacebook.com

When requesting any of these domains, we always get the same response:

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Date: Wed, 27 Dec 2013 15:23:45 GMT
Accept-Ranges: bytes
Content-Length: 362
X-Cache: MISS from ta-prx21
X-Cache-Lookup: MISS from ta-prx21:3128
Via: 1.0 ta-prx21 (squid/3.1.20)
Connection: keep-alive

The body is wide-character text (the dots are the interleaved non-printable bytes, apparently a UTF-16 encoding of the HTML); with those bytes stripped it reads:

...Under Construction</span></div>
...www.microsoft.com</span></div>
</body>
</html>

By accessing the domain through an outdated browser we see no odd behavior at all and obtain the expected response:

With all these data, the hypothesis that everything is part of the same attack is reinforced.

Attribution

Running whois on the domains, the following e-mail addresses of the domain registrants appeared:

qingwa20112011[at]163[dot]com
dnsjacks[at]yahoo[dot]com 
usa87654310[at]126[dot]com

All the domains, as well as the e-mail addresses of the domain registrants, point to China, as can be seen in this list of e-mails related to TAs originating in China.

A quick Google search on the e-mail addresses involved is enough to see that dnsjacks[at]yahoo[dot]com is related to a Mirage campaign originating in China.

Analyzing the requests that appeared in the Mirage campaign and comparing them with the ones found in the attack, we can find some similarities.

Image extracted from http://www.secureworks.com/
Request from one of our samples.
At first glance, we can see that they use the same fields (“hl” and “meta”). If we add another of the requests from the campaign analyzed by Secureworks, the “q” field also appears:

Image extracted from http://www.secureworks.com/
Here is an image which summarizes the investigation related to the attribution:

Conclusion
Based on the data obtained during the investigation, we can conclude that the attack came from China.

In addition, if we analyze the recipients of the e-mails, we can see that this attack did not have only one target: several public institutions in Europe were targeted.

The fact that an infrastructure from the past was reused, together with the sending of e-mails to a lot of recipients and the nature of the Mirage malware, allows us to conclude that this was not a stealthy attack. This makes us think that it was just an attempt to steal very specific information (probably financial information) quickly.

This kind of attack is quite common against public institutions, and spearphishing is very commonly used as the infection vector. The use of trusted domains, such as that of a well-known humanitarian organization, makes the e-mail seem legitimate, which makes its detection a very hard task.

Either way, preventing these attacks is usually simple and goes hand in hand with the quick deployment of software updates and security patches, because most of these attacks do not use 0-days but well-known vulnerabilities that are already patched. In this case, for example, they were using a vulnerability that was more than one year old.

In order to detect whether your organization has been affected by this wave of TAs, just search for the domains listed above in your web proxy (navigation) logs.
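As an added example (my own code, not the post's and not the incident's real logs), a Python check that performs the search suggested above over Squid-format proxy logs and additionally flags the hl/meta search-lookalike pattern on non-Google hosts. The IOC domains are the three listed in the post, the log lines are constructed, and treating hl+meta on a non-Google host as a beacon is my heuristic, not something the post states.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# C2 domains taken from the write-up above.
IOC_DOMAINS = {"yahoo.offlinewebpage.com", "link.antivirusbar.org", "ks.pluginfacebook.com"}
# The write-up notes the Mirage requests carry Google-search-like "hl", "meta" (and "q") fields;
# requiring hl+meta on a non-Google host is my heuristic (assumption), not a stated indicator.
BEACON_FIELDS = {"hl", "meta"}
GOOGLE_HOST = re.compile(r"^(?:[\w-]+\.)*google\.[a-z.]+$")

# Squid native access.log layout: time elapsed client action/code bytes method URL user hierarchy type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed proxy log lines (not from the incident).
SAMPLE_LOG = """\
1385478001.120    95 10.1.2.3 TCP_MISS/200 362 GET http://yahoo.offlinewebpage.com/search?hl=en&meta=AAAA&q=BBBB - DIRECT/203.0.113.10 text/html
1385478002.310   110 10.1.2.3 TCP_MISS/200 362 GET http://link.antivirusbar.org/?hl=en&meta=CCCC - DIRECT/203.0.113.11 text/html
1385478003.500    40 10.1.2.9 TCP_MISS/200 9001 GET http://www.google.es/search?hl=es&q=snort+reputation&meta= - DIRECT/198.51.100.5 text/html
1385478004.700    60 10.1.2.7 TCP_MISS/200 362 GET http://cdn.example.net/track?hl=en&meta=DDDD&q=EEEE - DIRECT/198.51.100.9 text/html
1385478005.900    30 10.1.2.5 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html
"""


def matches_ioc(host):
    """Exact or subdomain match against the known C2 domains."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def looks_like_google_mimic(host, query):
    """hl+meta present in the query string but the host is not a Google property."""
    fields = set(parse_qs(query, keep_blank_values=True))
    return BEACON_FIELDS <= fields and not GOOGLE_HOST.match(host)


def classify(line):
    """Return (client, host, reason) for a suspicious line, else None."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    host = (url.hostname or "").lower()
    if matches_ioc(host):
        return (m.group("client"), host, "ioc-domain")
    if looks_like_google_mimic(host, url.query):
        return (m.group("client"), host, "google-mimic-beacon")
    return None


def find_suspects(log_text):
    """Map each internal client to the set of (host, reason) pairs it triggered."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            suspects[hit[0]].add((hit[1], hit[2]))
    return dict(suspects)
```

A real Google search from 10.1.2.9 is left alone, while the same field set on an unknown host is reported for a closer look rather than treated as a confirmed infection.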

I hope this article has been useful or that, at least, it has been interesting to read.

Web reputation checking in incident handling

Sometimes an incident involves too many domains to check them by hand. In order to deal with them and make a first-pass triage, I have developed a small script that checks the reputation of each domain using the Web of Trust API.

Web of Trust is a service that rates websites according to their reputation. Reputation is based on different factors: one of them is malware presence, but there are others, such as a rating based on users’ votes.

One thing that I really like about the WoT API is that it returns different codes according to the reason why a website’s reputation is bad: if the reason is that the website contains adult material, the WoT API returns code 401, and if it contains malware, it returns 101. This is very useful when handling incidents because, in most cases, if a domain has a bad reputation only because it is an adult website, in a first examination we would leave it as a legitimate domain.

In order to use this script you just need to register with WoT, get an API key and enter it in the line:

WOT_API_KEY = "YOUR_OWN_API_KEY!!!"

You can find the script in my github repo.

Finally, let’s try the script. First we need a file with the list of domains to check. In the example we will use a file called domains.txt containing the following domains:

4chan.org
silurian.cn
securityartwork.es
mtgmadness.com

In order to run the script, we just need to feed it with a file containing the domain list to be checked:

xgusix@ender:~$ python repcrawler.py domains.txt 
[*] mtgmadness.com
	Target: mtgmadness.com
[*] 4chan.org
	Target: 4chan.org
	Trustworthiness: Excellent [59]
	Child safety: Very Poor [53]
	[*] Categories:
		[403] Questionable Gruesome or shocking [14]
		[401] Negative Adult content [73]
		[501] Positive Good site [59]
[*] securityartwork.es
	Trustworthiness: Good [7]
	Target: securityartwork.es
	[*] Categories:
		[501] Positive Good site [7]
[*] silurian.cn
	Target: silurian.cn
	Trustworthiness: Very Poor [12]
	[*] Categories:
		[101] Negative Malware or viruses [30]

As you can see, at the beginning of the investigation we can discard 4chan.org and securityartwork.es, as they are labeled as “Good site” and their trustworthiness is at least Good. Mtgmadness.com is not labeled, so we would have to investigate it further. In the last case, silurian.cn is already labeled as a malicious domain (“Malware or viruses”), so it would be a good starting point for the investigation.

Right now the script shows all the results, but with a very simple modification you can add some logic to it and automate the process a bit more. I am also planning to add more reputation engines to the script: with more sources, the initial triage will be more accurate and save time in the incident handling process.
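As an illustration of the logic the post suggests adding (example code of my own, not the repcrawler.py script), here is a first-pass triage over a constructed WoT response for the four domains above. The response shape is what I understand the WoT v0.4 API returned and the reputation bands are its documented thresholds; both are assumptions, and the numbers are made up.

```python
import json

# Constructed example of the JSON the WoT reputation API returned for the domains in
# domains.txt (assumption about the v0.4 shape): components "0" = trustworthiness and
# "4" = child safety as [reputation, confidence], "categories" as {category id: confidence}.
SAMPLE_RESPONSE = json.dumps({
    "4chan.org": {"target": "4chan.org", "0": [80, 59], "4": [10, 53],
                  "categories": {"403": 14, "401": 73, "501": 59}},
    "securityartwork.es": {"target": "securityartwork.es", "0": [75, 7],
                           "categories": {"501": 7}},
    "mtgmadness.com": {"target": "mtgmadness.com"},
    "silurian.cn": {"target": "silurian.cn", "0": [12, 12],
                    "categories": {"101": 30}},
})

MALWARE = "101"      # "Negative: Malware or viruses", as in the script output above
GOOD_SITE = "501"    # "Positive: Good site"
NOT_AN_IOC = {"401", "403", GOOD_SITE}   # adult / shocking content: bad reputation, not an incident indicator

# Reputation bands (assumption: the thresholds WoT documented for its 0-100 scale).
BANDS = [(80, "Excellent"), (60, "Good"), (40, "Unsatisfactory"), (20, "Poor"), (0, "Very Poor")]


def band(reputation):
    return next(label for floor, label in BANDS if reputation >= floor)


def triage(entry):
    """First-pass verdict for one domain, following the reasoning in the post: malware
    category -> malicious; no rating -> unrated (look further); Good or better trustworthiness,
    "Good site" and nothing worse than adult content -> discard; anything else -> investigate."""
    cats = set(entry.get("categories", {}))
    if MALWARE in cats:
        return "malicious"
    if "0" not in entry:
        return "unrated"
    trust = entry["0"][0]
    if trust >= 60 and GOOD_SITE in cats and not (cats - NOT_AN_IOC):
        return "discard"
    return "investigate"


def triage_all(response_json):
    """Return {domain: verdict}, ordered so the domains to start with come first."""
    order = {"malicious": 0, "investigate": 1, "unrated": 2, "discard": 3}
    verdicts = {d: triage(e) for d, e in json.loads(response_json).items()}
    return dict(sorted(verdicts.items(), key=lambda kv: order[kv[1]]))


if __name__ == "__main__":
    data = json.loads(SAMPLE_RESPONSE)
    for domain, verdict in triage_all(SAMPLE_RESPONSE).items():
        trust = data[domain].get("0")
        print(f"{domain:20} {verdict:12} {band(trust[0]) if trust else '-'}")
```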

Any feedback or comments are welcome.

Metadata: spanking clean

In the wake of all the uproar these days around metadata in Spain, I have been reviewing various PDF metadata removal tools. In principle, the tools analyzed work on GNU/Linux systems, but that does not mean that some of them may not work on other systems.

I started from a PDF I created myself. As you can see in the following image, it contains metadata (the screenshot is in Spanish, but I guess you get the idea):

(screenshot: Metadata)


Reversing challenge

Today’s post is a challenge for reverse engineering lovers.

To play, download this binary. It’s a Windows 32-bit PE executable containing a serial number validation algorithm:

Serial numbers are 16 numeric digits, each taking a value from 0 to 9. The goal of the challenge is to obtain a valid serial number without modifying the binary, i.e. to obtain the second output shown in the screenshot without manipulating the program, just by reversing the validation mechanism.

Hope you enjoy the challenge. See you!

Useful links:

Snort’s Reputation Preprocessor

Snort’s reputation preprocessor is not something new; in fact, it appeared in August 2011 in version 2.9.1. Until then, the only way to manage blacklists was to create a rule containing the list of blacklisted IP addresses, such as the BotCC rules (emerging-botcc.rules):

alert tcp $HOME_NET any -> [103.6.207.37,106.187.42.91,106.187.48.236,107.20.73.183,
108.170.20.73,108.170.56.211,108.61.240.240,108.61.26.189,109.109.228.186,109.111.79.4,
109.163.233.16,109.163.233.22,109.196.130.50,109.228.25.175,109.234.106.53, 109.74.194.110,
112.175.124.170] any (msg:"ET CNC Shadowserver Reported CnC Server TCP (group 1)"; flags:S; 
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; 
threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; 
flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404000; rev:3259;)

However, this method has a length restriction, and you end up with tens of blacklist rules with names such as “ET CNC Shadowserver Reported CnC Server UDP (group 49)” or “ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (group 43)”.

That is not the main problem of this method, though: the main issue is performance. Since they are detection rules, packet processing is much more expensive and overall performance worsens. When packet throughput is very high and there are many blacklist sources such as Shadowserver, Abuse.ch, Malwaredomains… plus our own lists, Snort performance becomes a problem and a better way to manage blacklists is needed. That is when this preprocessor comes in.
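As an added migration helper (my own example, not part of the post or of Snort), a script that pulls the IP list out of BotCC-style rules such as the one quoted above and writes it as a reputation-preprocessor blacklist file, one entry per line, together with the snort.conf stanza that loads it. The rule copy embeds the post's IP list with its options shortened, and the list file paths are placeholders.

```python
import ipaddress
import re

# Copy of the BotCC rule quoted above, wrapped as in the post, with its options
# shortened to msg, sid and rev (the IP list is the one shown in the post).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> [103.6.207.37,106.187.42.91,106.187.48.236,107.20.73.183,
108.170.20.73,108.170.56.211,108.61.240.240,108.61.26.189,109.109.228.186,109.111.79.4,
109.163.233.16,109.163.233.22,109.196.130.50,109.228.25.175,109.234.106.53, 109.74.194.110,
112.175.124.170] any (msg:"ET CNC Shadowserver Reported CnC Server TCP (group 1)"; sid:2404000; rev:3259;)
"""

# snort.conf stanza that enables the preprocessor (syntax from Snort's README.reputation;
# memcap is in MB and the two list paths are placeholders to adapt).
REPUTATION_CONFIG = """\
preprocessor reputation: \\
    memcap 500, \\
    priority whitelist, \\
    nested_ip inner, \\
    whitelist /etc/snort/rules/white_list.rules, \\
    blacklist /etc/snort/rules/black_list.rules
"""

IPLIST_RE = re.compile(r"->\s*\[([^\]]*)\]")
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def extract_ips(rule_text):
    """Destination IP list of one rule as ip_network objects; tolerates line wraps and stray spaces."""
    m = IPLIST_RE.search(rule_text)
    if not m:
        return []
    tokens = (t.strip() for t in m.group(1).replace("\n", "").split(","))
    return [ipaddress.ip_network(t, strict=False) for t in tokens if t]


def build_blacklist(rules_text):
    """Merge every IP-list rule into reputation-list lines: one IP or CIDR per line,
    each preceded by a '#' comment naming the rule sid(s) it came from."""
    entries = {}
    for rule in re.split(r"\n(?=alert\s)", rules_text.strip()):
        m = SID_RE.search(rule)
        tag = f"sid:{m.group(1)}" if m else "sid:unknown"
        for net in extract_ips(rule):
            entries.setdefault(net, set()).add(tag)
    lines = ["# black_list.rules generated from IP-list rules; '#' lines are comments"]
    for net in sorted(entries, key=lambda n: (n.version, int(n.network_address))):
        lines.append("# " + ", ".join(sorted(entries[net])))
        lines.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_blacklist(SAMPLE_RULES))
    print(REPUTATION_CONFIG)
```

Because the list is matched by the preprocessor rather than by detection rules, the "group N" rule sprawl disappears and the per-packet cost no longer grows with the number of blacklisted addresses.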


Plaintext passwords with Procdump and Mimikatz Alpha

In this post I would like to talk about a technique that I read about this summer and had not been able to try until recently, in a penetration test.

The technique involves obtaining passwords in clear text from a server without running “malicious” code on it. This way we avoid having to deal with antivirus evasion techniques and other headaches.

Tools required:

To know what Mimikatz does, I recommend @mmorenog’s post, which describes its purpose and operation. In summary, Mimikatz “attacks” the lsass process and takes advantage of a type of reversible encryption that Windows implements in order to obtain plaintext passwords.

Procdump, on the other hand, is a tool developed by Mark Russinovich that allows us to dump the memory space of a process to a file.


#badBIOS

Two days ago, I had an e-mail in my inbox with this link. It seemed to be something serious, especially coming from Dragos Ruiu (@dragosr), the creator of the pwn2own contest, as he doesn’t need this kind of thing in order to be famous or make a name for himself. After reading it, I was a little bit scared.

As there isn’t much information or an “official” report about this, here are some facts about his research and findings:

    • He found a malware that infects hardware.
    • He found it installed in some laptops running Windows, but it proved to be somewhat platform independent: it can infect a BSD system, and OS X is not immune.
    • It reflashes the system BIOS, and it is resilient: even after flashing the BIOS with a legitimate firmware, it will still be there. This forced the researcher to use a new machine for each test.
    • It uses communication via SDR (Software Defined Radio) to bridge air gaps (computers out of the network). It works even if the wireless and Bluetooth cards are physically removed.

      (https://plus.google.com/103470457057356043365/posts/exuXRz5C3L3)

    • It reflashes all USB drives plugged into an infected system, including external USB CD drives. It doesn’t affect the files on the USB drive; it directly infects the firmware.
    • Just plugging an infected memory stick into a clean system will infect it… without even needing to mount it!

      “I didn’t even mount the volume and it was infected.”
      (https://twitter.com/dragosr/status/393021493149302785)

    • In infected Windows systems, some extra .ttf and .fon files appear; three of them (meiryo, meiryob and malgunnb) are bigger than expected.
    • When trying to extract those files, they disappear from the burnt CD.

      (https://twitter.com/dragosr/status/393633641370112000)

    • A list of the MD5 hashes of the files was uploaded to this link.

Right now, I don’t know if this could be maximum trolling, or not. I personally don’t think Dragos would play with his reputation like this. If we are facing a new kind of threat, we will need to be prepared for it.

What’s worse, to this day there is no clue what the malware’s purpose is. I’ll try to keep you posted, and I highly recommend following @dragosr and the hashtag #badBIOS on Twitter to stay updated on this topic.

[NOTE] If you are interested in a sample, keep an eye on malware.lu. @xylit0l posted this in kernelmode.info:

Re: New Bios Malware
 by Xylitol » Sun Oct 13, 2013 9:23 pm
Talked to r00tbsd over irc, he has an image of the infected bios but got no time
for the moment to add it on malware.lu.

Sources:

[1] https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga
[2] https://plus.google.com/103470457057356043365/posts
[3] https://www.wilderssecurity.com/showthread.php?t=354463
[4] https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware
[5] https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/
[6] https://twitter.com/dragosr
[7] https://twitter.com/rich_addr
[8] http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2998&p=21195&hilit=BIOS+malware#p21195