Security Art Work

I’m sure we all have sketched a smile when seeing photographs or videos of strange artifacts powered by steam or internal combustion engines. Most of these inventions failed because the technology used didn’t fit the purpose they were meant for. Seen with modern eyes it’s just so naïve to try to fly a plane fitted with a steam engine. However, those inventors were not as dumb as their failure suggests. They were intelligent people (or, let’s say, not less intelligent than average) trying to solve the problems of their time with the technology available.

Steam powered the beginning of industrialization, granting people access to energy at a scale never seen before. This brand new technology lead to an engineering and cultural revolution that paved the way to our modern society. The Industrial Revolution beginnings were times of faith in progress, of unleashed collective optimism. Steam-powered machines were regarded as the key to all kind of engineering problems that remained unsolved so far.

[Read more…]

A few days ago, following the well-known Mandiant Report “APT1”, we published a small post where we made some assessments about the alleged Chinese attacks on various public and private organizations. We made public a set of Snort rules that could be used to detect —provided that the information from the report Mandiant is true— if an organization had been infected. Obviously, if you receive an alert that should raise some suspicions, but the opposite should not make you assume you are not infected. The resources used for infection are certainly very dynamic and after the report many of them may have been replaced or eliminated.

But this is not what I wanted to talk about. The truth is that I wrote the post with some urgency because we wanted to publish the rules the same day, and I didn’t had the time to think about the complexity of the Chinese attack, its implications, origins and specificities. So I was surprised that none of our readers (you) pointed to some obvious errors in the post that I thought after a while, but I resisted to correct. The entry stated:

The question here is, as pointed accurately by Securosis in their blog, that the difference is not that China has a cyber espionage program, but that its objectives and beneficiaries are both the public and private sectors. From an economic standpoint it makes sense. In an economy largely state-operated and conducted as China, it seems normal that such government “initiatives” benefit economic areas that are in many cases and at least partially, also state. At the end everything remains at home.

The fact is that this is not cyber espionage is not in the sense in which we are accustomed to think about it. This is “something else” and the reason why many people should start to be concerned. Not “classic” or industrial espionage. There is no one to prosecute or to send to the WTO. This is not a criminal action as we understand it. Because it’s more than “simple” military information or technology what is at stake. Is the entire Western economic and social model. It is said that China is a giant that is waking up, but in the light of such reports, may be the Western powers who are sleeping.

One last note. It is true that there is something called Echelon and occasionally this or that power get into suspicious activity (industrial espionage, bribery, etc.) through which they try to favor their national companies in contracts worth millions (see eg , vs. Boeing case. Airbus), but it is conceivable that the volume and size of these bad practices is not even remotely the same as the Chinese (although that is something that we really do not know). There isn’t, to our knowledge, anything like a program of intellectual property stealing coordinated and led by the states (in the political sense, not the U.S.). Such practices belong, in any case, to the private sector, which is subject to the laws and legislations of such states.

This is an approach somewhat underdeveloped and certainly simplistic, but the actions contained in the Mandiant report are not actions of espionage or data theft. These are actions of a political nature that are part of a much broader geopolitical strategy. Carl Von Clausewitz said that war is the continuation of politics by other means. The updated version of the XXI century is clear: cyberwar is nothing more than a tool of politics, with the difference that while the war is legally illegal, there is no such consideration for cyberwar.

Summarizing. This is not about computers anymore. It’s politics. We can “play” hackers meanwhile.

Recently a blog user asked why in in the Snort malware detection rules, when you want to detect the DNS query to certain suspicious domains, certain characters such as “byte_test:1, !&, 0xF8, 2;” are used as testing conditions. To explain let’s take as an example the following VRT rule for Gauss malware detection:

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 
bestcomputeradvisor.com - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern:only; metadata:impact_flag 
red, policy balanced-ips drop, policy security-ips drop, service dns; 
reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767

[Read more…]

(Please note this post was published last 12th sept. 2012 in the Spanish version of this blog)

Recently we used a very interesting tool to analyze Java applets: JavaSnoop, developed for BlackHat USA 2010 by Arshan Dabirsiaghi. Broadly speaking, the tool allows us to adhere (attach) to a Java process or start it and intercept the calls made. In addition to intercept these calls and view its contents, we can change the arguments of the methods we are intercepting and modify the return value of the function.

Let’s see how to intercept a Java applet method:

1. Download the latest version of the application: http://code.google.com/p/javasnoop/downloads/list

Note: It is recommended to install the application in a directory that does not contain spaces on Windows (eg C:\JavaSnoop).

2. Download the latest version of Java SDK (requires restart after installation).

3. Set the location of the JAD binary in ““Settings > Manage JAD > Set jad path””. Download from the author website. This will allow us to decompile the classes.

4. We make sure that the JAVA_HOME environment variable for our user is set.

5. To avoid problems with permissions when injecting, JavaSnoop contains in the Resources folder the file unsafe.policy. We copy this file to %USERPROFILE%\.java.policy. This directory should contain a file .java.policy. After our analysis is recommended to restore the initial configuration.

6. It is advisable to activate the Debug Console in Java and keep it active for messages.

7. It is very important the order in which JavaSnoop and the java application are started. With some applets is strictly necessary that JavaSnoop is running before launching the browser.

8. Once started JavaSnoop we use the feature “An existing process“. In this case we see the PID 184 which is an applet that we started in Internet Explorer. Then hit the Attach button to adhere to process 184:

9. Once we have adhered to the process, we will set a “New hook“. To do so, click on the “Add new hook“. If you still do not know what class and method you want to hook, go to Browse, what will open a new window where you can select the class you want.

Now we select the method we are interested in:

Once selected the class and the method, we go back to the main window:

In this window, if we have selected the method (point 1) we will be able to set the actions to be undertaken by JavaSnoop: print the parameters when the method is invoked, print the contents of the stack, modify the parameters that are passed to the function and the return values​​. (points 2 and 3).

10. We can also see features of the process that we have attached to in the Actions menu.

With these steps, you are ready to intercept any Java application in a simple and fast way.

(Update 20/feb/2013: New signatures added)

As many of you probably know, Mandiant has issued a report accusing the Chinese People’s Liberation Army of being behind the attacks that different companies, both American and other nationalities, have been suffering in recent years.

The report, which is accessible from its website, provides a variety of technical details and the body of evidence supporting the theory that the Chinese government is actually behind the attacks, as has been advocating for the past years. Although some security experts point to analytical flaws in the study by Mandiant (Mandiant APT1 Report Has Critical Analytic Flaws), I think that there is no doubt that China has cyber espionage programs via the Internet. Does that surprise you? Just as no one should be surprised, as pointed out by @antoniosanzalc on Twitter, that other militar powers such as Israel and U.S. have in place cyber espionage programs. Indeed, one might almost say that it would be unwise not to.

Returning to Mandiant report, annexes show information that could help identify infected systems or organizations, either by connecting to DNS systems, use of SSL certificates or other. Although it is possible that after the publication of the report —provided that the information and conclusions of Mandiant are true— the systems and resources used in the attacks are reduced drastically, based on the information of the annexes we have created a set of Snort signatures that can help identify circumstances and suspicious connection destinations, which can be downloaded from the link below.

Snort signatures from the Mandiant report: apt1-unit68398.rar

The signatures are based in the Mandiant Report annexes, and have been developed by S2 Grupo Security Area and more specifically by Roberto Amado and Raúl Rodriguez. To send any comments, questions, information or requests, use the comments or contact us at admin@securityartwork.es.

Please note that we are not responsible for any undesirable consequences (increased alerts, etc.) that may cause the signatures provided. Your use of the signatures is at your sole risk.

A few days ago we published a new challenge in this blog. We need to get the exact point where the gang was going to meet, using one file that had been sent by one of the gang’s member and two SMS saved in the mobile phone of another gangster recently arrested. In this post we are going to explain the solution :)

If we analyse the captured file, we can see it is an encoded text in base64, but if we do the decoding, we get a new encoded file in base64. To solve this, we have to focus on the first SMS, that said: “Recuerda, la quinta es la importante.”, that translates to: “Remember, the fifth is the important.”, what means we have to decode five times to get the original file. So, the only thing we have to do is decode the files until the fifth decoding.

With previous steps we get the following GIF image: a Barcelona street map (city what can be easily identified because of the “Sagrada Familia”).

Now, if we try “Barcelona” in the first validator we see that we open the file and get the solution for the first part of the challenge.

If we analyse a little bit more this image, the only thing we can find is a comment what says there is nothing more around here, what means we have to keep searching in other place ;)

The next part of the challenge focuses in the content of the second SMS. It said: “Te esperamos en:uÖ%äFeM!”, that translates to: “We will wait you in:uÖ%äFeM!”. It seems to point us to the exact address of the meeting. The problem lies in the text “uÖ%äFeM!”, because it does not look like a usual codification.

The clue in this case is the fact that we are working with an SMS text message. This messages use the GSM 3.40 specification, that establishes that the text messages will be encoded using PDU format.

Studying this format, we see the text characters are encoded with 7 bits instead of 8 in order to send longer messages. In the next image we can see how this codification works.

On the Internet, there are some sites which allow encode/decode PDU messages, thus using one of these (for example http://twit88.com/home/utility/sms-pdu-encode-decode) and getting the PDU codification of the second message, we get the hexadecimal chain “756E696F2C3743” (extracting the parts we don’t need: SMSC number, receiver’s number, length message, etc.). Decoding it to ASCII we get “unio,7C”. Now trying this result as a password in the second validator we can open it and check out the name of the address and the number where the meeting will be, getting the challenge solution :D

In this point concludes the solution for the challenge. Like always, congratulations to those people who solved the challenge and those who did not, I hope you have had a great time trying it ;)

During a recent audit I wanted to try the strongness of the passwords used and I tried a simple dictionary attack against the login form of Joomla! just in case there was any account with one of those weak passwords. The form was as follows:

The method pointed by Rafa in is post: THC-Hydra: Obtaining user credentials by brute-force is fully valid for simple forms but in this case we can’t use it. If you look at the form HTML code we see that in addition to the parameters username and passwd, it has a hidden field that changes in each session. Let’s see the code:

We can see that the last field, which has a value of 1, consists of 32 hexadecimal digits that are generated every time, so we can not know a priori its value and include it the request for THC-Hydra. The petition using the above tool would be something (security parameter remarked in bold):

$ hydra -l admin -p admin1234 <server> http-post-form "/index.php:username=^USER^&
passwd=^PASS^&lang=&option=com_login&task=login&d0da78038c5132dcd84f11a4ddc83ed3=1:no 
encontrados"

However, it will not work because the generated code is different every time, so the result will be a message “Invalid Token“. Because of this, and after several unsuccessful attempts trying to retrieve and include unsuccessfully that value in the THC-Hydra request, I jumped to nmap to see if there was any script that could help me in this situation.

Indeed, after searching for information on Google I found a script that seemed to do what I wanted: http-joomla-brute. I checked código“>the code and I saw that it was using the parameter “security token” to build the request, so I figured it would work in this situation.

[...]
if response.body then 
	_, _, security_token = string.find(response.body, '<input type="hidden" 
                                           name="(%w+)" value="1" />') 
end 
if security_token then 
	stdnse.print_debug(2, "Security Token found:%s", security_token) 
else 
	stdnse.print_debug(2, "The security token was not found.") 
	return false 
end 
[...]

The above code searches the token in the form returned by the server and stores it in security_token, that will be used later to send the POST. Therefore, in case that the form includes this kind of safety mechanism we could use nmap as follows:

$ nmap -p80 --script http-joomla-brute --script-args 'userdb=user.txt,passdb=~/john-1.7.9/run/
password.lst,http-joomla-brute.hostname=,http-joomla-brute.threads=3,
brute.firstonly=true' <server>

Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-30 14:49 CET 
Stats: 0:07:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Stats: 0:09:06 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Nmap scan report for <server> (192.168.XXX.XXX) 
Host is up (0.0038s latency). 
PORT   STATE SERVICE 
80/tcp open  http 
| http-joomla-brute: 
|   Accounts 
|     No valid accounts found 
|   Statistics 
|_    Performed 3546 guesses in 605 seconds, average tps: 5 

Nmap done: 1 IP address (1 host up) scanned in 604.97 seconds 

I hope it helps you and saves some time since I spent some time with THC-Hydra trying the tool to take that parameter automatically. However, if anyone knows another way to do this please say it in the comments.

After a while without proposing any challenge, we return with our research team, which believes to be really close to know the next gang’s meeting point that they have been investigating for the last few months.

Thanks to the last actions performed, our team got the following file: captured_file, which despite being coded, seems to provide the location about the place where the next exchange will be carried. In addition, in the arrest of one of the members who was going to participate in the exchange, the team got a mobile phone that had only two SMS in its memory.

[Read more…]

(Please note this post was published last 4th february 2013 in the Spanish version of Security Art Work. See original post: THC-Hydra: Obtener credenciales de usuario por fuerza bruta)

THC-Hydra is a software used to crack login systems of different services such as HTTP, FTP, TELNET, IMAP, SMB, SSH, etc. in a very easy and fast way. Its latest version (7.4.2) was released last 7th January.

This tool has earned a great reputation thanks to its console mode both in Linux and Windows systems (also offering Linux users the option to use a graphical interface) and the possibility to execute the attacks using threads, giving the user the option to choose the number of threads used to perform the attack.

[Read more…]

A Darknet is a portion of network, a certain routed space of IP Addresses in which there are no active servers o services. I.e., externally no packet should be directed to that address space.

Therefore, any packet entering a Darknet should not be legitimate. It could reach it due to errors such as poor security policies or poor configuration (such as broadcast messages sent to a segment to which the issuer doesn’t belong). However, most of these packages would be associated to some action by a suspicious malware (see Responding to Zero Day Threats) or attacker who is in our network actively searching vulnerable devices.

If we install within our Darknet a server that collects, analyzes and processes the traffic entering it, it would help us to gather more information on the anomalous traffic / malware that may be circulating in the network infrastructure of our organization. This will allow us to reduce the number of false positives, detect attacks in real time and new attack trends making use of forensic analysis of the Darknet traffic.

We can monitor, among others, some strange behaviours, such as (see Aprendiendo del enemigo – Spanish) :

• Suspicious traffic grouped by ports (TCP, UDP, ICMP, etc.) or related to certain services (SSH, FTP, WEB, etc), brute force attacks against services, scanning, DoS attacks, etc..
• Specific attacks that use spoofing techniques.
• IP addresses and domains blacklisted.
• Certain patterns generated by malware (scans, increased traffic, unavailability of service, spread of worms, bots, etc.).
• Botnet identification patterns inside and outside of P2 networks.
• Possible malicious traffic to external networks
• New attack trends.

From the project “The Darknet Project” by Team Cymru, we have a couple of practical examples of anomaly detection thru monitoring traffic from a Darknet. For example, we know that there are bots that exploit open shares of Microsoft Windows 2000. A common feature of such bots is the scanning of systems listening on port 445/TCP, and looking at the monitoring tools integrated in the collector server of the Darknet we can detect whether there has been a scan to the 445/TCP. Be this confirmed, it would be a warning as packets detected within the Darknet are not legitimate.

Another practical example is about the Slammer, which performs a DoS attack to SQL servers by sending multiple files with the worm code to port 1434. One symptom of the presence of Slammer is the significant increase in network traffic through UDP port 1434 (SQL Server Resolution Service Port). Detecting this in our Darknet would be a warning about the possible presence of the worm in our network.

In short, collecting data on all traffic will allow us to analyze patterns of interest and subsequently automate the entire process through an IDS installed (e.g.) on our collector server.

Before creating a Darknet in our organization it is important to consider, among others, these two aspects:

• Define the characteristics of the network (topology, scope, visibility).
• Define hardware and software to install, taking into account what type of data we want to collect, how we want to process it (traffic capture tools, traffic analysis tools, possibility of implementing honeypots, etc.) and the financial budget we have.

Creating a Darknet

• The first step in the deployment of a Darknet is to place it in a right place, so you should choose a segment(s) of network IP addresses that will be routed to it. We recommend using an address space of at least /24 (the higher the reserved space the higher the visibility achieved).
• The next step is to reserve physical and logical space for the Darknet. As Team Cymru points, you should not put a Darknet in the same collision domain or VLAN than other subnets; the objective of the Darknet is to supply us with reliable data, so it is important to avoid “poisoning” the Darknet with legitimate traffic nor is recommended to put the IP of the Darknet publicly visible on our DNS.

The CLCERT brings a darknet proposal would be similar to the following architecture (see Diseño e implementación de una Darknet para monitoreo de la red en Chile – CLCERT – Spanish):

• Darknet Router : configured to forward all content that enters the Darknet. It will forward incoming traffic to the server collector of the Darknet. The router must be configured to accept only inbound traffic (traffic input) directed to Darknet, but not the inverse (output traffic). It must alert when it detects outgoing traffic from the Darknet (in this case, we have a ‘black hole’-type Darknet) since all traffic in the Darknet, as mentioned, is not legitimate. The router also must be configured for SNMP to provide traffic statistics —using tools such as MRTG— because new malware can be easily detected solely on the traffic statistics of the interface darknet.
• Collector Server: This server will be connected to the Darknet and will analyze the traffic received. It would be interesting to install an IDS, a protocol analyzer, log analysis tools, and you can even think about implementing some type of honeypot, depending the installation of these tools on the type of analysis and processing that you want to perform.
• Administrative Network: Network especially secured since it will continuously receive malicious traffic. It will also process the data received from the collector server, and generate statistics and reports on detected traffic.

In short, and since all traffic on the Darknet is potentially suspicious, it can be very useful to detect malicious traffic or device configuration anomalies in our organization.

If you are interested to pursue the subject, there are several projects related to darknets (also known as network telescopes; see Darknet y telescopios de red – Spanish) at a big scale whose main objectives are the monitoring of network traffic activity and detection of new trends in Internet:

• Internet Motion Sensor (IMS)
• CAIDA
• The Darknet Project (Team Cymru), previously mentioned
• ISINK (Internet Sink)
• The IUCC/IDC Internet Telescope
• IBN (Internet Background Noise)
• Shadowserver