Web reputation checking in incident handling

Sometimes an incident involves too many domains to check them by hand. To deal with them and do a first triage, I've developed a small script that checks the reputation of each domain using the Web of Trust API.

Web of Trust is a service that rates websites according to their reputation. The reputation is based on several factors: one of them is the presence of malware, but there are others, such as a rating based on users' votes.

One thing I really like about the WoT API is that it returns different codes depending on the reason a website's reputation is bad: for example, if the reason is that the website contains adult material, the API returns code 401, and if it contains malware, it returns 101. This is very useful when handling incidents because, in most cases, if a domain has a bad reputation only because it is an adult website, a first examination would leave it as a legitimate domain.

To use this script you just need to register with WoT, get an API key, and put it in the line:

WOT_API_KEY = "YOUR_OWN_API_KEY!!!"

You can find the script in my github repo.

Finally, let's try the script. First we need a file with the list of domains we want to check. In the example we use a file called domains.txt that contains the following domains:

4chan.org
silurian.cn
securityartwork.es
mtgmadness.com

To run the script, we just feed it the file containing the list of domains to be checked:

xgusix@ender:~$ python repcrawler.py domains.txt 
[*] mtgmadness.com
	Target: mtgmadness.com
[*] 4chan.org
	Target: 4chan.org
	Trustworthiness: Excellent [59]
	Child safety: Very Poor [53]
	[*] Categories:
		[403] Questionable Gruesome or shocking [14]
		[401] Negative Adult content [73]
		[501] Positive Good site [59]
[*] securityartwork.es
	Trustworthiness: Good [7]
	Target: securityartwork.es
	[*] Categories:
		[501] Positive Good site [7]
[*] silurian.cn
	Target: silurian.cn
	Trustworthiness: Very Poor [12]
	[*] Categories:
		[101] Negative Malware or viruses [30]

As you can see, at the start of the investigation we can discard 4chan.org and securityartwork.es, as both are labeled "Good site" and their trustworthiness is at least Good. mtgmadness.com is not labeled at all, so we would have to investigate it further. The last one, silurian.cn, is already labeled as a malicious domain ("Malware or viruses"), so it is a good starting point for the investigation.

Right now the script shows all the results, but with a very simple modification you can add some logic to it and automate the process a bit more. I am also planning to add more reputation engines to the script: with more sources, the initial triage will be more accurate and save time in the incident handling process.
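As an added example (not part of the original post or of repcrawler.py), this is the kind of "simple logic" the paragraph above refers to: it parses the script's output exactly as printed in the example run and sorts each domain into a first-pass bucket from its WoT category codes. The sample input is a copy of the run shown above; the treatment of the code ranges (1xx security-negative, 4xx content, 5xx positive, anything else "review") is an assumption based only on the four codes the post shows.

```python
import re
from typing import Dict, List

# Constructed sample: a copy of the repcrawler.py output shown in the post.
SAMPLE_OUTPUT = """\
[*] mtgmadness.com
\tTarget: mtgmadness.com
[*] 4chan.org
\tTarget: 4chan.org
\tTrustworthiness: Excellent [59]
\tChild safety: Very Poor [53]
\t[*] Categories:
\t\t[403] Questionable Gruesome or shocking [14]
\t\t[401] Negative Adult content [73]
\t\t[501] Positive Good site [59]
[*] securityartwork.es
\tTrustworthiness: Good [7]
\tTarget: securityartwork.es
\t[*] Categories:
\t\t[501] Positive Good site [7]
[*] silurian.cn
\tTarget: silurian.cn
\tTrustworthiness: Very Poor [12]
\t[*] Categories:
\t\t[101] Negative Malware or viruses [30]
"""

# A domain header is "[*] <domain>" at column 0; the indented "[*] Categories:" does not match.
DOMAIN_RE = re.compile(r"^\[\*\] (\S+)$")
# A category line is two tabs, "[<code>] <description> [<confidence>]".
CATEGORY_RE = re.compile(r"^\t\t\[(\d{3})\] (.+?) \[(\d+)\]$")


def parse_report(text: str) -> Dict[str, List[int]]:
    """Map each domain in the report to the list of WoT category codes it received."""
    result: Dict[str, List[int]] = {}
    current = None
    for line in text.splitlines():
        m = DOMAIN_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CATEGORY_RE.match(line)
        if m and current is not None:
            result[current].append(int(m.group(1)))
    return result


def triage(codes: List[int]) -> str:
    """First-pass decision from category codes. Ranges are an assumption drawn from the
    four codes in the post: 101 (malware) is 1xx, 401/403 are 4xx, 501 is 5xx."""
    if not codes:
        return "unknown"        # unrated domain: needs manual work
    if any(100 <= c < 200 for c in codes):
        return "investigate"    # a security-relevant negative reason is present
    if all(400 <= c < 600 for c in codes):
        return "discard"        # only content reasons and/or a positive rating
    return "review"             # other codes (assumed 2xx/3xx): look at them by hand


def triage_report(text: str) -> Dict[str, str]:
    """Run the triage over a whole report."""
    return {domain: triage(codes) for domain, codes in parse_report(text).items()}


if __name__ == "__main__":
    for domain, verdict in sorted(triage_report(SAMPLE_OUTPUT).items()):
        print(f"{verdict:12s} {domain}")
```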

Any feedback or comments are welcome.

Metadata: spanking clean

In the wake of all the uproar these days around metadata in Spain, I have been reviewing various tools for deleting PDF metadata. In principle, the tools analyzed work on GNU/Linux systems, but that does not mean that some of them may not work on other systems.

I started from a PDF I created myself. As you can see in the following image, it contains metadata (the screenshot is in Spanish, but I guess you get the idea):

[Image: Metadatos]

[Read more…]

Reversing challenge

Today’s post is a challenge for reverse engineering lovers.

To play, download this binary. It’s a Windows 32-bit PE executable containing a serial number validation algorithm:

Serial numbers are 16 numeric digits, each taking a value from 0 to 9. The goal of the challenge is to obtain a valid serial number without modifying the binary (i.e. to obtain the second output shown in the screenshot without manipulating the program, just by reversing the validation mechanism).

Hope you enjoy the challenge. See you!

Useful links:

Snort’s Reputation Preprocessor

Snort's reputation preprocessor is nothing new; in fact, it appeared in August 2011 with version 2.9.1. Until then, the only way to manage blacklists was to create a rule with the list of blacklisted IP addresses, such as the BotCC rules (emerging-botcc.rules):

alert tcp $HOME_NET any -> [103.6.207.37,106.187.42.91,106.187.48.236,107.20.73.183,
108.170.20.73,108.170.56.211,108.61.240.240,108.61.26.189,109.109.228.186,109.111.79.4,
109.163.233.16,109.163.233.22,109.196.130.50,109.228.25.175,109.234.106.53, 109.74.194.110,
112.175.124.170] any (msg:"ET CNC Shadowserver Reported CnC Server TCP (group 1)"; flags:S; 
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; 
threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; 
flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404000; rev:3259;)

However, this method has a length restriction, and you end up with tens of blacklist rules with names such as "ET CNC Shadowserver Reported CnC Server UDP (group 49)" or "ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (group 43)".

However, that is not the main problem with this method: the main issue is performance. Since these are detection rules, packet processing is much more expensive and overall performance gets worse. When packet throughput is very high and there are many blacklist entries (Shadowserver, Abuse.ch, Malwaredomains… plus our own lists), Snort performance becomes a problem and a better way to manage blacklists is needed. That is when this preprocessor comes in.
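The first step in moving from rule-based blacklists to the preprocessor is getting the addresses out of rules like the one above and into a plain IP list. The following is an added example, not code from the post or from Snort: it extracts the bracketed destination group from a rule, validates and deduplicates the entries, and writes them in the one-address-or-CIDR-per-line, `#`-commented format that the reputation preprocessor's list files use (that file format is assumed here; the rule text is a constructed copy of the one quoted above).

```python
import ipaddress
import re
from typing import List

# Constructed sample: the BotCC rule quoted above, joined onto one line as it appears in
# emerging-botcc.rules (only the destination group and msg matter for this example).
RULE = (
    'alert tcp $HOME_NET any -> [103.6.207.37,106.187.42.91,106.187.48.236,107.20.73.183,'
    '108.170.20.73,108.170.56.211,108.61.240.240,108.61.26.189,109.109.228.186,109.111.79.4,'
    '109.163.233.16,109.163.233.22,109.196.130.50,109.228.25.175,109.234.106.53, 109.74.194.110,'
    '112.175.124.170] any (msg:"ET CNC Shadowserver Reported CnC Server TCP (group 1)"; flags:S; '
    'sid:2404000; rev:3259;)'
)

IP_GROUP_RE = re.compile(r"->\s*\[([^\]]+)\]")   # "-> [a,b,c]" destination group
MSG_RE = re.compile(r'msg:"([^"]*)"')


def extract_destinations(rule: str) -> List[str]:
    """Return the IPs/CIDRs in the rule's destination group, validated and deduplicated.
    Stray whitespace (as after 109.234.106.53 above) is tolerated; junk tokens raise."""
    m = IP_GROUP_RE.search(rule)
    if not m:
        raise ValueError("rule has no bracketed destination group")
    seen: List[str] = []
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)   # ValueError on anything malformed
        # Single hosts are written bare; real prefixes keep their /len.
        text = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        if text not in seen:
            seen.append(text)
    return seen


def to_blacklist(rules: List[str]) -> str:
    """Render a reputation-preprocessor IP list: one IP or CIDR per line, '#' comments
    (assumed file format). The rule's msg is kept as a comment so the origin survives."""
    lines = ["# generated from rule-based blacklist"]
    emitted = set()
    for rule in rules:
        msg = MSG_RE.search(rule)
        lines.append("# " + (msg.group(1) if msg else "unnamed rule"))
        for ip in extract_destinations(rule):
            if ip not in emitted:          # the same host may sit in several rules
                emitted.add(ip)
                lines.append(ip)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_blacklist([RULE]), end="")
```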

[Read more…]

Plaintext passwords with Procdump and Mimikatz Alpha

In this post I would like to talk about a technique I read about this summer and had not been able to try until a recent penetration test.

The technique involves obtaining plaintext passwords from a server without running "malicious" code on it. This way we avoid having to deal with antivirus evasion techniques and other headaches.

Tools required:

To learn what Mimikatz does, I recommend @mmorenog's post, which describes its purpose and operation. In summary, Mimikatz "attacks" the lsass process and takes advantage of a type of reversible encryption that Windows implements in order to obtain plaintext passwords.

Procdump, on the other hand, is a tool developed by Mark Russinovich that allows us to dump the memory space of a process to a file.

[Read more…]

#badBIOS

Two days ago, I had an e-mail in my inbox with this link. It seemed to be something serious, especially coming from Dragos Ruiu (@dragosr), the creator of the pwn2own contest, since he doesn't need this kind of thing to be famous or make a name for himself. After reading it, I was a little bit scared.

As there isn’t a lot of information or an “official” report about this, I will give you some facts about his research and his findings:

    • He found a malware that infects hardware.
    • He found it installed on some laptops running Windows, but it proved to be somewhat platform independent, as it can infect a BSD system and OS X is not immune.
    • It reflashes the system BIOS, and it is resilient: even after flashing the BIOS with legitimate firmware, it will still be there. This forces the researcher to use a new machine for each test.
    • It uses communication via SDR (Software Defined Radio) to bridge air gaps (computers off the network). It works even if the wireless and Bluetooth cards are physically removed.

      (https://plus.google.com/103470457057356043365/posts/exuXRz5C3L3)

    • It reflashes all USB drives plugged into an infected system, including external USB CD drives. It doesn't affect the files on the USB drive; it directly infects the firmware.
    • Just plugging an infected memory stick into a clean system will infect it… without even needing to mount it!

      “I didn’t even mount the volume and it was infected.”
      (https://twitter.com/dragosr/status/393021493149302785)

    • On infected Windows systems, some extra .ttf and .fon files appear; three of them (meiryo, meiryob, and malgunnb) are bigger than expected.
    • When trying to extract those files, they disappear from the burnt CD.

      (https://twitter.com/dragosr/status/393633641370112000)

    • A list of the md5s of the files was uploaded to this link.

Right now, I don't know whether this could be maximum trolling or not. I personally don't think Dragos would gamble with his reputation like this. If we are facing a new kind of threat, we will need to be prepared for it.

What's worse, so far there is no clue about the malware's purpose. I'll try to keep you posted, and I highly recommend following @dragosr and the hashtag #badBIOS on Twitter to stay updated on this topic.

[NOTE] If you are interested in a sample, keep an eye on malware.lu. @xylit0l posted this on kernelmode.info:

Re: New Bios Malware
 by Xylitol » Sun Oct 13, 2013 9:23 pm
Talked to r00tbsd over irc, he has an image of the infected bios but got no time for the moment to add it on malware.lu.


YARA 101

What is YARA?

When speaking about malware detection, there are mainly three ways of determining whether a file is malicious: hash signatures, heuristics and string signatures.

The most widespread in antivirus systems is signature-based detection, i.e. taking the hash of a file and checking it against a signature database to see whether that file has previously been detected as malware. This kind of signature is useless for detecting unknown malware, and to evade it you just need to recompile the code on a different system or change a single bit.

To try to stop these evasion methods, the heuristic method is usually the one chosen. It relies on the behaviour of the executable file and, according to the actions it performs inside the system, decides whether it is dealing with a malicious file. The main issue with this method is that, as many legitimate programs perform suspicious actions, it can generate a large number of false positives.

Last but not least, there is the method this article is about: string signatures. This method is based on a different kind of signature: instead of hash signatures, it uses text or binary strings that uniquely identify a malware sample. That way, even if the file has been tampered with, as long as it still contains those strings, analysts will be able to detect and classify the sample.
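To make the contrast between hash signatures and string signatures concrete, here is an added example (not from the article, and not real YARA: a deliberately simplified rule structure in plain Python). A constructed, harmless byte blob stands in for the sample; flipping one bit in its padding breaks the hash match but not the string match, and flipping a bit inside one of the signature strings only costs that one string.

```python
import hashlib
from typing import Dict, List

# Constructed sample "binary": not malware, just a fake header, a distinctive path
# string and a distinctive byte sequence surrounded by zero padding.
SAMPLE = (b"\x4d\x5a\x90\x00" + b"\x00" * 16
          + b"C:\\evil\\dropper.exe" + b"\x00" * 8
          + bytes.fromhex("deadbeefcafebabe") + b"\x00" * 16)

# Hash signature of the kind the article describes first: one exact file digest.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE).hexdigest()}

# String signature in the spirit of a YARA rule: named text/hex strings plus a condition
# saying how many of them must be present. The structure is a simplification, not YARA syntax.
RULE: Dict = {
    "name": "dropper_example",
    "strings": {
        "$path": b"C:\\evil\\dropper.exe",              # text string
        "$magic": bytes.fromhex("deadbeefcafebabe"),    # hex string
    },
    "condition": {"min_matches": 1},                    # "any of them"
}


def hash_match(data: bytes) -> bool:
    """Hash-based detection: exact digest lookup."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def string_match(data: bytes, rule: Dict) -> List[str]:
    """String-based detection: names of the rule's strings found in data if the
    condition holds, otherwise an empty list."""
    found = [name for name, pattern in rule["strings"].items() if pattern in data]
    return found if len(found) >= rule["condition"]["min_matches"] else []


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at offset: the 'change a single bit' evasion the article mentions."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    original = SAMPLE
    padded = tamper(SAMPLE, 5)       # offset 5 is inside the zero padding
    print("original :", hash_match(original), string_match(original, RULE))
    print("1 bit off:", hash_match(padded), string_match(padded, RULE))
```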

[Read more…]

Introduction to identification methods

Many things have changed in Internet security in the last 10 years. Others, however, have not changed at all, like user identification by means of alphanumeric passwords. Nowadays these passwords are still the most popular way of user authentication; indeed, different studies show that 97% of organizations use them. Despite their widespread use, identification using alphanumeric passwords has some notable disadvantages: they are frequently forgotten and can be easily stolen.

Failures in user authentication cause technical problems in addition to economic cost. In 2007, losses due to phishing (user identity impersonation/theft) amounted to $3.2 billion. For all these reasons, research into alternative methods for user identification has emerged. Newly designed methods try to avoid the current problems of alphanumeric passwords in order to make systems more secure in terms of identification.

An alternative identification method, also based on passwords, is the use of graphical or audio passwords. In these, the user must recognize a set of images or sounds among those presented (recognition methods). Click-based methods are another option for graphical (or audio) passwords: the user must click on specific, previously selected points of the image or audio track to gain access to the system. Different alternatives based on the use of tokens have recently been presented as well. These are systems where the user possesses a personal device such as a smart card with a PIN, a USB memory with passwords, and so on.

Although some of the above methods are already used in some programs and applications, the alternative methods that are becoming more popular are those that use some biometric of the user to perform the identification. Biometrics is the science of recognizing a person by their personal features. There are two main types: physical biometrics, which refer to a physiological feature of the person, and behavioral biometrics, which are features related to the behavior of the user.

There are several physical features that can be used to characterize a user. Among the most common are the fingerprint, the palmprint or palm geometry, face recognition and iris recognition. On the other hand, the behavioral biometrics most frequently used for identification are speech analysis, keystroke pattern, signature recognition and haptic pattern (movement/interaction with an object).

User authentication by means of biometrics has reached a good level of performance in the last few years, allowing its application in several systems. This improvement is due to the development of new biometric data acquisition devices along with the design of new algorithms for feature extraction and recognition.

The main reason for the popularity of identification by biometrics is that copying them is very difficult, almost impossible. This, however, is also a drawback: if they were copied, the fake user would have a lot of privileged information about the real user. This makes some users reluctant to use biometrics for Internet identification, as they are also used by many official bodies.

In spite of the large number of alternative identification methods designed in the last few years, none of them has proven superior, in general terms, to the widespread alphanumeric passwords: on the one hand for accuracy reasons, and on the other for usability and cost.

This has prompted the design of two-factor authentication methods, which try to solve the drawbacks of the different methods by combining two of them. The most popular two-factor method uses a user's biometric in addition to an alphanumeric password. In this way, just copying the password or emulating the user's biometric will not grant the fake user access to the system.

Nonetheless, we cannot fully rely on these advanced methods. More secure ways of recognizing users have prompted new, advanced impersonation methods. Some examples are MITM (man-in-the-middle) attacks or Trojan attacks that, instead of working in the identification phase, work in the phase where the data are sent. In this way, attackers gain access to the system without impersonating the real user.

Thus, a more complex and secure authentication method may only guarantee the security of the system for a period of time. As in almost all security-related areas, the path of identification methods is a two-way road.

Uncle Sam

Snowden, PRISM, NSA… words, or buzzwords, that we're used to hearing in the media, especially during the last few months. You know: when talking about technology, spying (of course, using the "cyber" prefix) and some acronyms to get a slot in prime time :) I didn't want to write about sensationalism, but in the end I could not resist: during the holidays you have too much spare time to read newspapers :)

Really, I don't know where the news is… It's a fact that the USA, through the NSA and other agencies, is spying on us as much as they can… just as it is a fact that dogs bark. Yes, and? I have never understood the big surprise that everybody claims when talking about USA spying. Where is the surprise? Is it really surprising that a country with big technological capability uses it for its own good? Guys, I think that in this world nobody is a charity nun… The problem is that here, in Spain, we don't have a similar capability (and honestly, I don't think we'll be able to have one in the short term): we can snoop on Tuenti :( And this is a big problem or, really, two big problems. The first one is that we rely on a third party to get information (information that is to be processed to get intelligence); yes, and the third party is obviously the USA (what did you think, Andorra?), which today is our friend but tomorrow can be less friendly or, simply, can have some interests that aren't ours… And the second problem is that we are all vulnerable: in other words, we have to live with the fact that the USA spies on us when and how they want, and obviously this fact gives them an enviable advantage over us in any field. Is Spain doubting whether to support the USA in, let's say, a military occupation of ACMECity? No problem: just before talking to us, US officials know all our points and can use this knowledge to convince us, in the best way, to give our support for almost anything… This is a problem for Spain, isn't it? And worse: if we disagree we can unplug everything and go plant potatoes, of course not using Microsoft products, not searching with Google, not sending information across Cisco routers and, finally, not touching anything that smells American.
Or, much better, replacing the technology with Huawei and things like that… this way we can involve in the spying game other countries that, of course, will respect our individual privacy and our global interests as a nation… you know, don't you? :)

IMHO the problem is not the fact that the USA spies on us to protect their interests: we can agree or not, and lawyers, politicians, journalists… can talk for hours about ethics, international laws, privacy and things like that. But, being realistic, the USA is doing the same as any country that can do it. It's just that simple, and we, as I said before, can't do it because we don't have the required capabilities… If we had them, I hope we would do the same: spy on other countries. The real problem is a misuse of the information they get. A service getting information to benefit its country (understanding "country" as government, companies, citizens…) is understandable, in spite of the fact that this can be bad for us, but if a service does the same to defend the interests of an individual company, a private individual or, worse, a political party, that is, actors that cannot be identified with a whole country, we are facing a big and unjustified misuse of the information, IMHO. What did the USA do? I don't know (is anybody reading this who has more information about it?). If the USA is using the information for those particular interests, I don't agree with them; if they use the information to defend their national interests or to get advantages over other countries, it's OK for me. What do we complain about? About the fact that they *can* do that and we can't? Let's see, we are all in the security world and we all know that war is harder than privacy laws, IT governance, compliance and so on. What do we think, that Google is giving us GMail for free, getting gigabytes of free space to hold our mail? Gigabytes, by the way, that, as someone said, can only be stored in a SAN, a NAS or an NSA… :)

Now, the million-dollar question: is there any light at the end of the tunnel? I think so, even if it's only a single LED. Let's assume that the USA is spying on us for its own benefit… what can we do? Two things, IMHO: try to let them do it as little as possible (or make it more difficult to do) and try to ensure that only the USA spies on us. In this blog we have said it before: let's use national technology and services whenever we can (and let's make an effort to do it, because many times the comfortable way is to do just the opposite). And let's always use them when we are handling classified information. We can always find quality Spanish services, in almost any field I think… I only have doubts when talking about products, in specific cases. In those cases, when we can't use national technology, let's use open technologies. And if we can't use those either, and we have to use products from other countries, let's choose from countries that (at least today) are strategically close to us or that have interests as similar as possible to Spanish ones. In other words, I prefer to use Linksys before Huawei or Twitter before Weibo: since someone is going to spy on me, let the USA do it… they would do it anyway… :)

Vulscan 1.0

Recently, Marc Ruef (@mruef, Computec.ch) released a new, enhanced version of Vulscan, an Nmap script he first presented in 2010, with basic vulnerability scanner capabilities.

Vulscan builds on the Nmap -sV option, which shows us the versions of the detected services, and cross-checks them offline against several vulnerability databases; it can alert us if any of those services is potentially vulnerable to a flaw included in any of those databases.

It comes with the following pre-installed databases:

Vulnerability Database    URL
scipvuldb.csv             scip.ch/en/?vuldb
cve.csv                   cve.mitre.org
osvdb.csv                 osvdb.org (outdated, 02/03/2011)
securityfocus.csv         securityfocus.com/bid/
secunia.csv               secunia.com/advisories/historic/
securitytracker.csv       securitytracker.com

A basic example of how this script works: after adding the Vulscan folder to the directory where we keep our Nmap scripts (for testing I used owaspbwa, which I knew in advance provides vulnerable services on ports 22 and 80, among others), we run Nmap and get the following:

If no database is specified, it will check against all the pre-installed databases. However, if we want, for example, to cross-check against a single database, we add the vulscandb option:

--script-args "vulscandb=basedatos.csv"

specifying the database we want, or even one of our own, which we can easily create in the format:

<id>;<title>

One of the enhancements is support for dynamic report templates using the vulscanoutput option, which lets you enforce your own report structure through the following argument:

--script-args "vulscanoutput='{id} - Title: {title} ({matches})\n'"

where:

A practical use case for this script would be, for example, a web audit in which we combine it with other NSE scripts for web scanning (of the many that Nmap added in its most significant recent update, released a year ago) to quickly create a first preliminary report about possible weaknesses found in the website: determining the default web page title detected during the scan (http-title), listing the most commonly deployed directories of web servers or web applications (http-enum), harvesting the e-mail addresses found during the scan (http-email-harvest), and finding the known vulnerabilities for the detected web service using vulscan:

nmap -sV --script=http-title,http-enum,http-email-harvest,vulscan -p80 172.16.94.128

The output report would resemble the following:

Note that, because of space limitations, I have trimmed the output report so that only some of the vulnerabilities found are displayed, not all of them.

Finally, we should bear in mind that this kind of vulnerability scanning depends to a large extent on Nmap's ability to obtain the version of the detected service, on the number of vulnerabilities documented in the databases, and on the accuracy of the pattern matching when cross-checking the data.
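To illustrate the pieces described above (a custom database in the `<id>;<title>` format, the cross-check of a detected product/version against it, and a `vulscanoutput`-style template), here is an added example in Python; it is a simplified re-implementation written for this page, not vulscan's own Lua code or its real matching algorithm. The database entries are constructed, and the meaning given to `{matches}` (the kind of match) is an assumption. The last call in the usage shows the pattern-matching caveat from the paragraph above: a product name that does not appear verbatim in the title finds nothing.

```python
import re
from typing import Dict, List

# Constructed sample database in the custom "<id>;<title>" format; the entries are made up.
CUSTOM_DB = """\
1001;OpenSSH 4.7p1 Debian-8ubuntu1 Authentication Bypass (constructed)
1002;OpenSSH 5.x Information Disclosure (constructed)
1003;Apache HTTP Server 2.2.14 Remote DoS (constructed)
1004;Apache Tomcat 6.0 Path Traversal (constructed)
"""

# The vulscanoutput template from the post; {matches} here carries the kind of match (assumed).
TEMPLATE = "{id} - Title: {title} ({matches})\n"


def load_db(text: str) -> List[Dict[str, str]]:
    """Parse "<id>;<title>" lines. Split on the first ';' only, so titles may contain ';'."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ident, title = line.split(";", 1)
        entries.append({"id": ident.strip(), "title": title.strip()})
    return entries


def version_matches(version: str, title: str) -> str:
    """'exact' if the version appears as a whole token in the title, 'wildcard' if the
    title uses <major>.x notation for that major version, '' otherwise."""
    if re.search(r"(?<![\w.])" + re.escape(version) + r"(?!\w)", title):
        return "exact"
    major = version.split(".")[0]
    if re.search(r"(?<![\w.])" + re.escape(major) + r"\.x(?!\w)", title, re.IGNORECASE):
        return "wildcard"
    return ""


def match_service(product: str, version: str, db: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross-check one -sV result against the database: the product name must occur in the
    title (case-insensitive substring), then the version must match."""
    hits = []
    for entry in db:
        if product.lower() not in entry["title"].lower():
            continue
        kind = version_matches(version, entry["title"])
        if kind:
            hits.append({"id": entry["id"], "title": entry["title"], "matches": kind})
    return hits


def render(hits: List[Dict[str, str]], template: str = TEMPLATE) -> str:
    """Fill the report template for every hit, as the vulscanoutput argument does."""
    return "".join(template.format(**hit) for hit in hits)


if __name__ == "__main__":
    db = load_db(CUSTOM_DB)
    print(render(match_service("OpenSSH", "4.7p1", db)), end="")
    print(render(match_service("OpenSSH", "5.3p1", db)), end="")
    # Naming matters: "Apache httpd" is not a substring of "Apache HTTP Server", so this
    # finds nothing even though entry 1003 is about that very service.
    print(repr(match_service("Apache httpd", "2.2.14", db)))
```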

I noticed that Vulscan only picks up the versions output by the nmap -sV option and works with those; however, I'd like it to take other outputs from NSE scripts, such as html-cms.nse, which detects the version of the scanned CMS. It would be very useful to use both scripts together, so that one detects the concrete CMS version and the other the potential vulnerabilities for that specific release. I talked to @mruef and he told me that the problem is that a script cannot access other scripts' information unless they provide it in some way, such as an output file. The best solution would be for the other NSE scripts to write their identification data to the log output (see the Nmap API, http://nmap.org/book/nse-api.html).

According to the Nmap API, scripts can share information by storing values in a registry (a special table available to all scripts). There is a global registry, nmap.registry, shared by all scripts, whose contents persist for the whole Nmap scan, so scripts can use it, for example, to store values that other scripts run later against the same host within the same scan can read; in this way, the output of one script feeds the other.

Marc Ruef is already working on a new version with further enhancements and features; for example, vulscan 2.0 will support Exploit-DB and IBM X-Force.

References: http://www.scip.ch/?labs.20130625