#badBIOS

Two days ago, I had an e-mail in my inbox with this link. It seemed to be something serious, especially coming from Dragos Ruiu (@dragosr), the creator of the pwn2own contest, as he doesn’t need this kind of thing in order to be famous or make a name for himself. After reading it, I was a little bit scared.

As there isn’t a lot of information or an “official” report about this, I will give you some facts about his research and his findings:

    • He found a malware that infects hardware.
    • He found it installed in some laptops with Windows systems installed, but it proved to be somehow platform independent as it can infect a BSD system and OSx is not immune.
    • It reflashes the system BIOS, and it is resilient: even after flashing the BIOS with a legit firmware, it will still be there. This forces the researcher to use a new machine for each test.
    • It uses communication via SDR (Sotftware Defined Radio) to bridge air gaps (computers out of the network). It works even if the wireless and Bluetooth cards are physically removed.

      (https://plus.google.com/103470457057356043365/posts/exuXRz5C3L3)

 

 

    • It reflashes all USB drives plugged into an infected system, including external USB CD drives. It doesn’t affect the files in the USB, it directly infects the firmware.
    • Just plugging an infected memory stick in a clean system will infect it… without even needing to mount it!

      “I didn’t even mount the volume and it was infected.”
      (https://twitter.com/dragosr/status/393021493149302785)

 

 

    • In infected Windows systems, some extra .ttf and .fon files appear – three of them (meiryo, meiryob, and malgunnb) have a size that is bigger than expected.
    • When trying to extract those files, they disappear from the burnt CD.

(https://twitter.com/dragosr/status/393633641370112000) 

 

 

  • A list of the md5 of files was uploaded to this link.

Right now, I don’t know if this could be maximum trolling, or not. I personally don’t think Dragos would play with his reputation like this. If we are facing a new kind of threat, we will need to be prepared for it.

What’s worse, until today there’s no clue of what the malware purpose is. I’ll try to keep you posted, and I highly recommend you to follow @dragosr and the hashtag #badBIOS on twitter in order to be updated about this topic.

[NOTE] If you are interested in a sample, keep an eye on malware.lu. @xylit0l posted this in kernelmode.info:

Re: New Bios Malware
 by Xylitol » Sun Oct 13, 2013 9:23 pm
Talked to r00tbsd over irc, he have an image of the infected bios but got no time 
for the moment to add it on malware.lu.

Sources:

[1] https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga
[2] https://plus.google.com/103470457057356043365/posts
[3] https://www.wilderssecurity.com/showthread.php?t=354463
[4] https://www.security.nl/posting/366329/Onderzoeker+ontdekt+mysterieuze+BIOS-malware
[5] https://kabelmast.wordpress.com/2013/10/23/badbios-and-lotsa-paranoia-plus-fireworks/
[6] https://twitter.com/dragosr
[7] https://twitter.com/rich_addr
[8] http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2998&p=21195&hilit=BIOS+malware#p21195

YARA 101

What is YARA?

When speaking about malware detection, there are mainly three ways of determining if a file is malicious: signatures, heuristics and string signatures.

The most widespread in the antivirus detection systems is the signature based detection, i.e. based in the HASH of a file, check it against a signature database and see if this file has previously been detected as malware. This kind of signature is useless for the detection of unknown malware, and to evade this system you just need to recompile the code in a different system or change a single bit.

In order to try to stop these evasion methods, the heuristic method is usually the chosen one. This method relies on the behaviour of the executable file and, according to the actions that it performs inside the system, it decides if it’s dealing with a malicious file. The main issue of this method is that, as many legit programs perform suspicious actions, it can generate a big amount of false positives.

Last but not least, there is the method which this article refers to: string signatures. This method is based in another kind of signatures, different from the aforementioned kind. Instead of using HASH signatures, it uses text or binary strings that uniquely identify a malware sample. That way, even if the file has been tampered with, if it still contains those string signatures, the analysts will be able to detect and classify the malware sample.

[Read more…]

Introduction to identification methods

Many things have changed in the Internet security in the last 10 years. Others have remained, however, with no change at all, like user identification by means of alphanumerical passwords. Nowadays, these passwords are still the most popular way of user authentication. Indeed, different studies show that 97% of the organizations use them. Despite its widely spread usage, the identification using alphanumerical passwords has some highlighted disadvantages: they are frequently forgotten and can be easily stolen.

Failures in user authentication can cause technical problems in addition to economic cost. In 2007 the losses due to phishing (user identity impersonation/theft) amounted to $3.2 billion. For all these reasons, research in alternative methods for user identification has come up. New designed methods try to avoid current problems of alphanumerical passwords in order to make the systems more secure in identification terms.

An alternative method for identification, based on passwords as well, is the use of graphical or audio passwords. In those, the user must recognize a set of images or sounds among the presented ones (recognizing methods). Click-based methods are another option for graphical (or audio) password. The user must click on some specific points previously selected of the image or audio track to get access to the system. Different alternatives based on the use of tokens have been recently presented as well. These are systems where the user possesses a personal device like a smart card with PIN, an USB memory with passwords, and so on.

Although some of the abovementioned methods are already used in some programs and applications, the alternative methods that are becoming more popular are the ones that use some user’s biometric to perform the identification. Biometrics is the science of recognizing a person by their personal features. There exist two main types: physical biometrics —the ones that refer to a physiological feature of the person— and behavioral biometrics —features related to the behavior of the user—.

There are several physical features that can be used to characterize a user. Among the most common ones we can find the fingerprint, the palmprint o palm-geometry, the face recognition and the iris recognition. On the other hand, the behavioral biometrics most frequently used for identification are: speech analysis, keystroke pattern, signature recognition and haptic pattern (movement/interaction with object).

The user authentication by means of biometrics has reached a good level of performance in the last few years, allowing its application in several systems. This improvement is due to the development of new biometric data acquisition devices along with the design of new algorithms for feature extraction and recognition.

The main reason for the popularity of the identification by biometrics is that copying them is very difficult, almost impossible. This, however, is also a drawback. In case they were copied, the fake user would have a lot of privileged information about the real user. This makes some users be reluctant of using biometrics for internet identification, as they are also used by many official organisms.

In spite of the large amount of alternative methods for identification designed in the last few years, none of them have shown to be superior, in general terms, to the so extended alphanumerical passwords. On the one hand, for accuracy reasons, and on the other hand for their usability and cost.

This has prompted the design of two-factor authentication methods, trying to solve the drawbacks associated to the different methods by combining two of them. The most popular two-factor method uses a user’s biometric in addition to an alphanumerical password. In this way, just copying the password or emulation the user’s biometric will not grant the fake user the access to the system.
Nonetheless, we cannot fully rely on these advanced methods. A more secure way of recognizing the users has prompted new advanced impersonation methods. Some examples are the MiTM (Man-in-the-middle) attacks or the Trojans attacks that instead of working in the identification phase, work on the phase were the data are sent. In this way, attackers obtain access to the system without impersonating the real user.

Thus, a more complex and secure method of authentication may only grant the security of the system for a period of time. Like in almost all security-related areas, the path of identification methods is a two-way road.

Uncle Sam

Snowden, PRISM, NSA… words, or buzzwords, that we’re used to listen in the media, specially during the last months. You know: when talking about technology, spying -of course, using “cyber” prefix- and some acronyms to get a slot in prime time :) I didn’t want to write about sensationalism, but at the end I could not resist: during holidays you have too spare time to read newspapers :)

Really, I don’t know where the news are… It’s a fact that USA, by NSA and other agencies, is spying us as much as they can… just like is a fact that dogs do bark. Yes, and? I have never understood the big surprise that everybody claims where talking about USA spying. Where is the surprise? Is really surprising that a country which a big technological capability uses it for its own good? Guys, I think in this world nobody is a charity nun… The problem is that here, in Spain, we don’t have a similar capability -and honestly, I don’t think we’ll be able to have one in short term-: we can snoop Tuenti :( And this is a big problem or, really, two big problems. The first one is that we rely on a third party to get information -information that is to be processed to get intelligence; yes, and the third party is obviously USA (what would you think, it was Andorra?) that today is our friend but tomorrow can be less friendly o, simply, cat have some interests that isn’t ours… And the second problem is that we are all vulnerable: in other words, we have to live with the fact that USA spy us when and how they want, and obviously this fact gives them an enviable advantage over us in any field. Spain is doubting about giving support to USA in, lets say, a military occupation of ACMECity? No problem: just before talking to us, US officials know all our points and can use this knowledge to convince us, in the best way, to get our support in almost anything… This is a problem for Spain, isn’t it? And worse: if we disagree we can unplug everything and go to plant potatoes, of course not using Microsoft products, not searching by Google, not sending information across Cisco routers and, finally, not touching anything that smells like American. Or much better, replacing the technology with Huawei and things like that… in this way we can involve in the spying game other countries that, of course, will respect our individual privacy and our global interests as a Nation… you know, don’t you? :)

IMHO the problem is not the fact that USA spy us to protect their interests: we can agree or we can’t, and lawyers, politicians, journalists… can talk for hours about ethics, international laws, privacy and things like that. But, being realistic, USA is doing the same that any country that can do that. It’s just so simple, and we, as I said before, can’t do that because we don’t have the required capabilities… If we had them, I hope we could do the same: to spy other countries. The real problem is a misuse of the information they get. A Service getting information to benefit its country (understanding “country” as government, companies, citizens…) is understandable, in spite of the fact that this can be bad for us, but if a Service do the same to defend the interests of an individual company, a particular or, worst, a politic party, this is, actors that can not be identified with a whole country, we are in front of a big and unjustified misuse of the information, IMHO. What did USA? I don’t know (somebody reading this who has more information about?) If USA is using the information for those particular interests, I don’t agree with them; if they use the information to defend their national interests or to get benefits over other countries, it’s OK for me. What do we complain about? About the fact that they *can* do that and we can’t? Let’s see, we are all in the security world and we all know that the war is harder than privacy laws, IT governance, compliance and so on. What we do think, that Google is giving us GMail in a free way, getting Gigabytes of free space to hold our mail? Gigabuytes, by the way, that as someone said, can only be stored in a SAN, a NAS or a NSA… :)

Now, the one million question: there is any light at the end of the tunnel? I think so, in spite that it’s only a single LED. Let’s assume that USA is spying us in its own benefit… what can we do? Two things, IMHO: to try to let them do it as less as possible -or to get more difficult to do- and to try that only USA spies us. In this blog we have said it before: let’s use national technology and services always that we can -and let’s make an effort to do it, because many times the comfortable way is to do just the opposite. And let’s use them always we are handling classified information. We can always find Spanish quality services, in almost any field I think… I doubt only when talking about products, in specific cases. In those cases, when we can’t use national technology, let’s use open technologies. And if we neither can use them, and we have to use products from other countries, let’s choose from countries that (at least today) are strategically close to us or that have interests as similar as possible with Spanish ones. In other words, I prefer to use Linksys just before of Huawei or Twitter before Weibo: as someone is going to spy to me, let’s USA to do it… they would do in any way… :)

Vulscan 1.0

Recently, Marc Ruef @mruef (Computec.ch) has released a new enhanced version of Vulscan, a Nmap script that he already presented in 2010, with basic Vulnerability Scanner capabilities.

Vulscan on the basis of the Nmap option -sV which shows us the versions of the services detected and interacting offline with various vulnerability databases, can alert us if any of those services is potentially vulnerable to any flaw included in any of those databases.

It brings the following pre-installed databases:


Vulnerability Database    URL
scipvuldb.csv             scip.ch/en/?vuldb
cve.csv                   cve.mitre.org
osvdb.csv                 osvdb.org (outdated, 02/03/2011)
securityfocus.csv         securityfocus.com/bid/
secunia.csv               secunia.com/advisories/historic/
securitytracker.csv       securitytracker.com

Therefore, a basic example of how this script works would be as follows. After adding the Vulscan folder to the scripts directory where we have our Nmap scripts directory (for testing I’ve used owaspbwa which I knew in advance that provides vulnerable services in port 22 and 80, among others), we run Nmap and this results in the following:

If neither is specified, it will interact with all the pre-installed databases. However, if we want, for example, to cross data with a single database, we’ll add the vulscandb option:

--script-args "vulscandb=basedatos.csv"

specifying the database that we want or even one of our own that we can easily create with the format:

<id>;<title>

One of the enhancements is the support for dynamic report templates using the vulscanoutput option which allows you to enforce your own report structure through the following argument:

--script-args "vulscanoutput='{id} - Title: {title} ({matches})\n'"

where:

A practical case of this script would be, for example, in an scenery where we are conducting a web audit, in which combining this and other NSE scripts for Web scanning of the many that Nmap added on its most significant last update launched one year ago, quickly create a first preliminary report about possible gaps found in that Website such as determining the default Web page title detected during the scanning process (http-title), displaying the directories most widely deployed as network servers or Web applications (http-enum), harvesting the e-mail addresses found during the scanning process (http-email-harvest) and finding the known vulnerabilities in accordance with the Web service service detected using vulscan:

nmap -sV --script=http-title,http-enum,http-email-harvest,vulscan -p80 172.16.94.128

The output report would resemble the following:

Note that, because of space limitations, I have handled the output report in order to avoid showing the full output and only some found vulnerabilities are displayed, not all of them.

Finally, we should take into account that this kind of vulnerability scanning depends to a large extent on Nmap capacity to obtain the version of the detected service, the amount of vulnerabilities documented in the databases and the accuracy of the pattern matching in cross-checking data.

I identified that Vulscan does only pick up the output versions of the nmap -sV option and interacts with them, however, i’d like it to take other outputs from Nse scripts such as html-cms.nse, that detects the scanned CMS version. It would be very useful to use both scripts so one of them detects the concrete CMS version and the other the potential vulnerabilities that could be found for that specific release. I’ve talked to @mruef and he told me that the problem is that it can not access other scripts information unless they provide them in any way such as an output file. The best solution would be that the other nse Scripts enter their identification data at the log output (see the Nmap API http://nmap.org/book/nse-api.html).

According to the Nmap API, the scripts can share information by storing values in a record (a special table available to all scripts). There is a global registry, nmap.registry, shared by all the scripts, whose information prevails during a full Nmap scan, in such a way that scripts can use it, for example, to store the values that later, sequentially, can be used by other script against the same machine within the same scanning, in a way that output of one script brings feedback to the other.

Marc Ruef is already working in a new version that will include new enhancements and features such as e.g. that vulscan 2.0 will support Exploit-DB and IBM X-Force.

References: http://www.scip.ch/?labs.20130625

NSA, digital walls and a few good men.

It has long been known that the NSA and some similar organizations have suirvellance systems deployed to ensure the safety and protection of us all from evil. However, the NSA always preferred to keep secret to avoid being forced to reject the Nobel Peace Prize. However, after the case of Snowden, Manning, Assange and other rebels, it is clear that the situation has become has become unsustainable.

Luckily, the certainty that the NSA listens to our conversations, reads our emails, spies our activity on social networks and basically knows everything we do has not generated any notable movement at the political or social level, because they do it for our own good (now that I write down it, I clearly remember hearing that in more than one time in my childhood). It would not be desirable that the lust of justice and freedom of a few (literally) we are doomed to hell and existential chaos.

Probably in short they will awarded with the Nobel Peace Prize.

A few good men. (Vía wikiquote).

Kaffee: Colonel Jessup, did you order the Code Red?!
Judge: You don’t have to answer that question!
Jessup: I’ll answer the question. You want answers?
Kaffee: I think I’m entitled!
Jessup: You want answers?!
Kaffee: I want the truth!
Jessup: You can’t handle the truth! Son, we live in a world that has walls, and those walls have to be guarded by men with guns. Who’s gonna do it? You? You, Lieutenant Weinberg? I have a greater responsibility than you can possibly fathom. You weep for Santiago and you curse the Marines. You have that luxury. You have the luxury of not knowing what I know, that Santiago’s death, while tragic, probably saved lives. And my existence, while grotesque and incomprehensible to you, saves lives! You don’t want the truth, because deep down in places you don’t talk about at parties, you want me on that wall. You need me on that wall. We use words like “honor”, “code”, “loyalty”. We use these words as the backbone of a life spent defending something. You use them as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom that I provide, and then questions the manner in which I provide it! I would rather you just said “thank you”, and went on your way. Otherwise, I suggest you pick up a weapon, and stand a post. Either way, I don’t give a damn what you think you are entitled to!
Kaffee: Did you order the Code Red?
Jessup: I did the job that—-
Kaffee: Did you order the Code Red?!!
Jessup: YOU’RE GODDAMN RIGHT I DID!!

Forget privacy

(Opinion article published by Manuel Benet in Valencia’s local newspaper on 2nd July 2013)

The documents leaked by Edward Snowden to The Guardian on a sophisticated global intelligence are, in essence, nothing new. For years has been known that the U.S. and some partners share the ECHELON spy network, involved in the past in several trade scandals. However, we should not underestimated Snowden contribution. While so far the details of the spy system of the National Security Agency (NSA, for short) were based on experts research, we know now not only that this program (PRISM) is larger, intelligent and more ambitious than anything we thought in the past, but that many countries have their own surveillance systems.

Perhaps due to films or literature we have always been accustomed to the fact that espionage is made between States, with objectives and specific actors under certain rules. However, it has now taken a step forward, with the monitoring and recording of any information that could be virtually recorded of millions of individuals around the planet: a system without control or limit that breaks with total impunity and the cooperation of the Internet corporations any idea of freedom, privacy and justice we might have. States have come to spy on its citizens in a move more typical of dictatorships than democracies.

However, despite the seriousness of the matter, no one seems very concerned; do not expect a massive desertion from social network and if we look at the press, Snowden is famous for not having disclosed a large number of documents classified about a global and massive surveillance program, but by the geopolitical tensions that his flight and persecution have created between the U.S. and China and Russia mostly.

Says one of the quotes attributed to Benjamin Franklin that those willing to sacrifice some of their essential liberty for some security deserve neither one nor the other. This seems to be our case. It’s been a long time ago since —despite the great efforts (maybe not always so great, ok) of the data protection agencies both national and transnational— we decided that our privacy had not, at last and after all, the importance they wanted us to think. Made that decision, the transition of our information to a digital world controlled by multinational corporations outside national and European requirements posed no trauma at all.

At first glance there is a big difference between your messages being scrutinized by a nest of spies like the NSA, an opaque entity key in the American intelligence, and knowing that Google scans your emails to position relevant ads. However, there is no such difference: (almost) no one cares about we being spied upon; that is a simple inconvenience that we have taken as inherent of the digital age and something makes me think that we do not even needed the Damocles Sword of terrorism. The saying that goes that if you have nothing to hide, you have nothing to fear, has been assumed almost by obligation with few complains.

We can draw one last thought. Edward Snowden was not 007; he had no license to kill and it was not (that we know) a double agent. It was ‘only’ a system administrator working for a NSA provider, one of the world’s safest organizations. From there he had access to a huge volume of classified documents that James Bond would not even have heard of. In light of this, do we really know who access our information?

Mimikatz extension for Metasploit

(Please note this post was published last 6th may 2013 in the Spanish version of this blog)

In the latest weekly Metasploit update, the outstanding feature has been the incorporation of a new extension dedicated to Mimikatz.

Mimikatz is a tool developed by @gentilkiwi that allows dumping passwords in plain text through lsass as well as obtaining hashes from SAM among other features, and about which we have already spoken in our previous post about Metasploit module, sdel.

Mimikatz is detected as a malicious tool by the major anti-virus. According to Virustotal, today, at least 21 out of 46 anti-virus detect it, therefore, its use complicates the task of the pentester.

Nevertheless, thanks to the extension made by Meatballs1 to Metasploit, it is possible  to use Mimikatz through a meterpreter without having the antivirus alerting us, by leaving the disk untouched and running it completely in memory (a more comfortable alternative to execute flag -m). An example of its use would be as follows. After having obtained a shell in a target host, we load the Mimikatz extension:

Once loaded the extension in our meterpreter session, let´s have a look at the options that it offers us:

By executing, for example the “Kerberos” command, we obtain the credentials of this kind in plain text in our owned host:

Another example of execution would be using the “mimikatz_command” as we can see below:

With the “logonPasswords” parameter we get it to show us the concurrent sessions of users who are logged in on the compromised machine.

For the reader who wishes to delve deeply into the issue of how Windows stores your credentials, weaknesses in this regard, and how Mimikatz is able to exploit those weaknesses, I recommend this article as well as presentations on the  Gentilkiwi blog.

The 10 usual errors of an SME in Information Security

There is no doubt that in the last years we have made great progress in Information Security. Gradually, business begin to perceive the idea that security is an area that requires special attention, beyond what many consider “the IT crowd”. However, if it is not good to fall into the doom and gloom, we should not be too lenient: there’s still a long way to go and progress does not always occur at the speed at which, fortunately for criminals, would be advisable or desirable. Every day we see security breaches in organizations with a strong investment in technological infrastructure and security controls, which should give us an idea of ​​the imbalance of forces.

In this line, there are still many errors and beliefs that we can identify as the ten usual errors of SMEs (Small and Medium Enterprises) in Information Security and that mark the way to go these next years.

1. To think that their information or systems do not interest anyone. This is, without a doubt, the main obstacle to the improvement of the information security in an organization: “who may want to attack us?“. There are several powerful arguments against this. First, any equipment is useful for “botnets” or networks of zombie PCs controlled remotely, either a corporate PC or a teenager laptop; if it can be controlled remotely then it can be used with to report spam or attack systems. Secondly, perhaps no one is really interested in those systems, but a worm doing a massive scan could detect by chance a vulnerable system. Finally, many organizations underestimate the value of their information, both for foreign and internal competition: accounting balances, rates of prices, margins, processes of production, innovations, etc.

2. To believe that security is just technical and therefore responsibility of the IT Dept.. To limit the security to its technical side, obviously necessary, leads to neglect controls such as the legal and organizational ones. To manage security incidents and events, perform education on security issues, define responsibilities or address legal requirements are vital aspects to prevent threats such as phishing or social engineering.

3. An antivirus and a firewall are just enough. This is primarily the progress that we talked about in the first paragraph. Few organizations do not have currently an antivirus or a firewall. However, this leads to a false sense of security that makes them to forget that there are many threats, both technical and non-technical, that require more specific measures.

4. To think that security is a product and not a process. This error comes from past times when security was just one thing more of the many tasks within the IT dept. staff. However, things have changed significantly and security has acquired a status of its own. Anyone working in an HR department, production, logistics or accounting performs a daily maintenance, either updating their knowledge, keeping the industrial systems running, implementing new processes or adapting its operation to new legal requirements. The departments adapt to changes constantly. However, security is still considered an area that does not require any maintenance. Nothing is further from reality.

5. Confidentiality is just something of spies and large corporations.. It is true that large corporations and spies sign confidentiality (non-disclosure) agreements. But although many companies still think of them in terms of science fiction, that does not make them unnecessary in the field of the small and medium companies. Suppliers, customers, employees, stakeholders and any natural or legal person with access to the company information must sign confidentiality agreements whose purpose is to protect the information of the organization. Very few times such a small effort brings such huge profits.

6. To forget the security in corporate contracts. Today a simple order form is still in many cases the procedure to contract services. No formal service contract, no confidentiality clauses, no legal requirements nor information about the security measures the provider must apply on the information we provide. Ultimately, security, in all its areas, is still absent in the contracts that many SMEs sign with suppliers and/or customers.

7. Privacy, the great unknown. Although privacy has been a critical issue for the last decade and there are legal requirements in many countries, many companies still ignore their duties in this area and some of those who know choose not to carry out any action. Whether to avoid economic sanctions or “just” social responsibility to the people who gives us their personal data, any company should take the necessary measures to ensure the security of the personal data of their customers, employees, suppliers … (please note this point was adapted from the Spanish Personal Data Protection Act to a more general view).

8. Just to look outside threats. Without the desire to criminalize and despite the mass media news , it is well known in the field of security that most of the security problems come from within the organizations. In some cases, malicious users. But in many other cases it is sheer ignorance: an employee who uses an infected USB, opens an attachment or clicks on a link in an email or simply throws confidential information to the recycle bin. It is essential to adopt a permanent strategy of awareness in information security, including managerial staff that handles sensitive information, to prevent and mitigate risky behaviors for both the organization and the employee.

9. To provide Internet services regardless of their safety. A service offered to the Internet is accessible virtually by billions of people, some of which will have not certainly good intentions. Without losing sight of the necessary legal requirements (in many cases very easy to fulfill) that we have seen, the story repeats again and again: services that contain web forms vulnerable to attacks that existed a decade ago, webservers misconfigured or directly not configured, etc.

10. To forget systems and network management. Last but not least, many companies still neglect the required security maintenance of their servers and networks, leading to vulnerable network devices, WiFi access points that allow a person on the street to access the corporate network, internal databases accessible from the Internet, or servers not updated in years. Without mentioning that this leads to the most absolute ignorance about what happens in the infrastructure of the organization, where an intruder can do whatever he wants. The rest is left to the imagination.

This decalogue of errors, more common than one would think, could certainly be completed with many other specific problems that SMEs commit daily. However, if in a few years we could cross off at least half of these errors, we would have made great strides in securing our companies.

Honeyspider 2.0 – Workflows

Some time ago we wrote about HoneySpider 2.0 and we made a quick look at its functionalities. Now let’s see one of the key pieces of this new version: workflows. We assume you have already installed HoneySpider 2.0 or that you are using the virtual machine provided by the project.

Given that we already have the application installed, first of all we have at hand the necessary documentation to define a workflow, which can be found here and here.

A workflow in HoneySpider 2.0 is composed of a series of processes, where each process is composed of services. These services contain input parameters and the ability to redirect its output to other processes. Let’s see a conceptual scheme of what is a workflow:

These workflows are defined in XML format. The following example will provide you with a very simple example workflow that performs a file analysis with rb-officecat (Nugget razorback) of the Office documents located in a set of web links:

<?xml version="1.0"?> 
<workflow> 
  <description> 
    Analyze files office files with officecat 
  </description> 
  <process id="main"> 
    <service name="feeder-list" id="feeder"> 
      <parameter name="uri">/tmp/file.txt</parameter> 
      <parameter name="domain_info">true</parameter> 
      <output process="process_url"/> 
    </service> 
  </process> 
  <process id="process_url"> 
    <service name="webclient" id="webclient0" ignore_errors="DEFUNCT"> 
      <parameter name="link_click_policy">0</parameter> 
      <parameter name="redirect_limit">20</parameter> 
      <parameter name="save_html">false</parameter> 
      <parameter name="save_images">false</parameter> 
      <parameter name="save_objects">true</parameter> 
      <parameter name="save_multimedia">false</parameter> 
      <parameter name="save_others">false</parameter> 
      <output process="report"/> 
    </service> 
    <service name="reporter" id="reporter0"> 
      <parameter name="serviceName">webclient</parameter> 
      <parameter name="template">webclient.jsont</parameter> 
    </service> 
    <!-- determine classification, taking into account propagation from child objects --> 
    <script>!findByValue("parent", #current). 
      {? #this.origin != "link" and #this.classification == "malicious"}.isEmpty 
       or rb_officecat_classification == "malicious" 
       ? (classification = "malicious") : 
         (classification = "benign")</script> 
    <service name="reporter" id="reporter1"> 
      <parameter name="serviceName"/> 
      <parameter name="template">url.jsont</parameter> 
    </service> 
  </process> 
  <process id="report"> 
    <service name="reporter" id="reporter4"> 
      <parameter name="serviceName">webclient</parameter> 
      <parameter name="template">webclient.jsont</parameter> 
    </service> 
    <service name="reporter" id="reporter5"> 
      <parameter name="serviceName">file</parameter> 
      <parameter name="template">file.jsont</parameter> 
    </service> 
    <conditional expr="content != null and (mime_type == 'application/msword' or 
         mime_type == 'application/vnd.ms-excel' or mime_type == 
		 'application/vnd.ms-powerpoint')"> 
      <true> 
        <service name="rb-officecat" id="office1"/> 
        <service name="reporter" id="reporter6" ignore_errors="INPUT"> 
          <parameter name="serviceName">rb-officecat</parameter> 
          <parameter name="template">rb-officecat.jsont</parameter> 
        </service> 
      </true> 
    </conditional> 
    <!-- determine classification, taking into account propagation from child objects --> 
    <script>!findByValue("parent", #current). 
    {? #this.origin != "link" and #this.classification == "malicious"}.isEmpty 
       or rb_officecat_classification == "malicious" 
? (classification = "malicious") : 
         (classification = "benign")</script> 
    <service name="reporter" id="reporter7"> 
      <parameter name="serviceName"/> 
      <parameter name="template">url.jsont</parameter> 
    </service> 
  </process> 
</workflow>

This workflow example should be interpreted as follows: we define a main process that uses the service “feeder-list“. It reads the links to be analyzed from a file located in /tmp/file.txt. The links are passed to the process_url process. This process uses the service “webclient” to visit those links, getting as a parameter some actions it should do or not to do, such as saving multimedia objects, and so on. The links collected for this service will be passed to the report process.

Besides webclient, the process process_url has several services that generate output information for the web interface. Finally, the report process is where the service that scans the Office files with the razorback nugget, “rb-officecat” is located, besides printing information using the service report. We want to emphasize the importance to set which content must activate the service. In this case it has been limited to start running only with contents that apply.

After loading the workflow in our tool, we input it with a file with links. In our scenario we have included a link to a malicious office document, resulting in:

If we click on the detected document we will see the vulnerability detected by rb-officecat:

This is just one example of the detection abilities of this tool. As seen, the definition is simple and as we discussed in the previous post (ES) it has great possibilities. At this moment it is in an early stage and certain aspects will require fighting to get them to work as we want, but you can also report the problems in the Google group of the tool.