Tuesday, August 11, 2015

Exploit Kits on August 2015

People, including students and security professionals, often ask me about exploit kits (EKs). EKs play a fundamental role in today's malware propagation because they are developed to deliver content through vulnerabilities. The aim of an EK is to exploit a target client machine through well-known or sometimes "less known" vulnerabilities, which usually target browsers, the Java Runtime Environment, Adobe products and commonly used applications including (but not limited to) media players, visualisation utilities, Microsoft Office documents and so on. A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn't need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign. Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.

The following table (from contagiodump) keeps track of most of the known exploit kits out there, together with the vulnerabilities they exploit.

Credits to Contagio Data

As you can see from Sally's work, many vulnerabilities are covered by most of the exploit kits, but not all, so depending on the administration console (which almost every EK gives to attackers) and, most importantly, on the target system, the attacker can choose between several EKs. While several exploit kits are available nowadays, only a subset of them is widely used. As described in this post from MalwareBytes, the most used EKs are shown in the following picture.

Exploit Kits from MalwareBytes analysis.

Now you probably want to know how the EK infection process works. A nice piece of work by TrendMicro explains the 4-stage infection chain in a simple view.

4 stage EKs infection chain by TrendMicro

Contact is the beginning of infection, where an attacker attempts to make people access the link of an exploit kit server. Contact is often done through spammed email, wherein recipients are tricked into clicking a link through social engineering lures. 

Traffic redirection system refers to the capacity with which the exploit kit operator can screen through victims based on certain condition sets. This is done through a traffic direct system, such as SutraTDS or KeitaroTDS, for aggregating and filtering redirect traffic before accessing the exploit kit server.

Once users are successfully tricked into clicking the link of an exploit kit server in the contact stage and filtered in the redirect stage, they will be directed to the exploit kit’s landing page. The landing page is responsible for profiling client environment and in determining which vulnerabilities should be used in the ensuing attack.

According to TrendMicro research (except for SweetOrange), I do observe the following EKs in almost the same ranking position in my current cyber attack detections:

Most used Exploit Kits
Like malware, exploit kits are under continuous development, and day by day we observe different variants and improved evasion techniques as well as new exploit integrations. Be aware that these kits have made malware propagation really simple (well, I didn't say easy), so watch out for your apps!

Monday, June 22, 2015

Static Analysis Malware Statistics

During the past month I've dedicated some of my free time to building a malware static analysis pipeline. The goal of this work is to give malware analysts useful statistics on which evasion techniques current malware implements. If you are interested in malware evasion techniques, please have a look at my previous post on that topic (here). As my readers know, one of my favorite cyber security topics is malware and its creation; if you are new to it, I suggest you take a look at the following "blog posts":

The following image shows MalwareStats.org as it appears today. Besides the "romantic algebraic sums" (of the analyzed samples), the number of XOR-encrypted detections, the malicious DLLs found over the total amount of detections and the average file size, there are further graphs showing more "evasion techniques".


One of the most interesting pieces of information I wanted to give is about the evasive techniques used to detect the virtualized environment the sample might be in. This information has been collected and represented in the "Used Evasion Technique" graph.

As of today (please refer to the "blog post" date), the most common virtual environment evasion technique is the VMCheck.dll (Red Pill), followed by the QEMU CPUID trick and VirtualBox detection.

From http://www.malwarestats.org

The second most important piece of information given is about packers. What are the most used packers that malware implements to evade signature detection? The following pie chart shows the most used packers among others.

From http://www.malwarestats.org

Active analysts (and IDA pros) will agree with me when I say that one of the most time-consuming activities is debugging a given sample. Figuring out which anti-debugging technique is the most used can save time, especially when the analyst is at the beginning of the analysis. The following graph shows my statistics on 21k malware (confirmed malware and not just samples).

From http://www.malwarestats.org
More stats will be available on the web site www.malwarestats.org; please have a look!

How To Contribute:
Day by day I'll add more and more samples, but currently the submission pipeline is not available online and is not open for free submission. If you wish to contribute (and please do!), you should share your malware with me (Google Drive, Dropbox, MegaTransfer, etc. might help the sharing process); I'll add it to my simple importing pipeline and I'll put your name on the contributors page.

The data is hosted for free on keen.io, who agreed to give me a free license for this project.

Thank you Keen.io !

Sunday, May 10, 2015

Volatility on Darkcomet

Let's assume you've got a friend who asked you to have a look at his computer because he feels like something wrong is happening. What would you do?

Option 1: "I have no idea how to investigate 'computer stuff', please contact your reseller"
Option 2: "OK, let me access your computer, I will see what I can do"

It was raining a lot and my friend was pretty serious about it, so I decided to choose option number 2... :O

I started by downloading DumpIt by MoonSols, which is a "single click" Windows memory dumping tool. After a few command-line answers I had the full memory dumped into one file. I copied it to my Mac and started the Volatility analysis, hunting for the "something wrong". When running imageinfo, Volatility analyses the memory layout and returns the memory profile used to identify the analyzed machine.

Volatility imageinfo
Understanding which processes are running on the analyzed machine is a fundamental step to catch any "unwanted software". The following image shows the Volatility psxview output. A few processes look suspicious to me, but the weirdest is the one named runddl32.exe. It's suspicious (at least to me) because of the misspelled name and because it tries to evade "deskthrd" detection (not common at all). Psxview is a nice Volatility plugin which compares the following different process listings in order to figure out hiding techniques. The implemented process search techniques follow:
  •  PsActiveProcessHead linked list 
  •  EPROCESS pool scanning
  •  ETHREAD pool scanning (then it references the owning EPROCESS) 
  •  PspCidTable 
  •  Csrss.exe handle table 
  •  Csrss.exe internal linked list

Volatility Psxview
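The cross-view comparison described above can be automated. The following is an added example, not part of the original post or of Volatility itself: it parses psxview-style text and flags rows that are missing from a view or whose name is one edit away from a well-known Windows binary. The sample rows, the `EXPECTED_GAPS` allow-list and the `KNOWN` name list are constructed assumptions.

```python
import re

# Constructed psxview-style output (Volatility 2 column layout), not the post's image.
SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a3b7e0 System                    4 True   True   True     True   False False   False
0x01f2c020 smss.exe                368 True   True   True     True   False False   False
0x01e8b4a8 explorer.exe           1484 True   True   True     True   True  True    True
0x01d6a5c8 runddl32.exe           1812 True   True   True     True   True  True    False
0x01c9f020 svchost.exe            1020 False  True   True     True   True  True    True
0x01b44da0 cmd.exe                2040 True   True   False    True   False True    True     2015-05-09 21:14:03 UTC+0000
"""

VIEWS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)((?:\s+(?:True|False)){7})\s*(.*)$")

# Assumption: processes that start before csrss.exe are normally absent from
# the csrss/session/desktop views, so those gaps are not evidence of hiding.
EXPECTED_GAPS = {
    "system": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}
# Assumption: a short reference list of Windows binaries that get imitated.
KNOWN = ["rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe",
         "csrss.exe", "smss.exe", "services.exe", "winlogon.exe"]


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_psxview(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        flags = dict(zip(VIEWS, (v == "True" for v in m.group(4).split())))
        rows.append({"name": m.group(2), "pid": int(m.group(3)),
                     "views": flags, "exited": bool(m.group(5).strip())})
    return rows


def triage(text):
    """Return [(pid, name, [reasons])] for rows worth a closer look."""
    findings = []
    for row in parse_psxview(text):
        name = row["name"].lower()
        reasons = []
        missing = {v for v, seen in row["views"].items() if not seen}
        missing -= EXPECTED_GAPS.get(name, set())
        # An exited process legitimately drops out of the live views.
        if missing and not row["exited"]:
            reasons.append("missing from " + ",".join(v for v in VIEWS if v in missing))
        if name not in KNOWN:
            for good in KNOWN:
                if edit_distance(name, good) == 1:
                    reasons.append("name resembles " + good)
        if reasons:
            findings.append((row["pid"], row["name"], reasons))
    return findings


if __name__ == "__main__":
    for pid, name, reasons in triage(SAMPLE):
        print(pid, name, "; ".join(reasons))
```

A process that psscan finds but pslist does not, as in the constructed svchost.exe row, is the classic sign of unlinking from the PsActiveProcessHead list.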
Let's have a deep look into runddl32.exe by running dlllist on that PID. Dlllist returns the memory location and the path of each loaded DLL. This information is useful to recognize malicious patterns in file locations. Malicious files are often located in TEMP directories because of directory permissions. QED (see the following image)!

Volatility dlllist
Volatility dumpfiles helps researchers dump pieces of memory and save them into files. The following image shows how I used dumpfiles to obtain the physical suspicious files. Having them means being able to perform static analysis (it won't run... no dynamic analysis) on the samples, figuring out what they do and whether they might be the cause of the "weird behavior".

Volatility dumpfiles

Just a few steps into static analysis were enough to discover that the sample is actually doing something very bad, such as keylogging, self-update, drop and download, shellcoding, etc.

AntiDebug functions
Looking into the sample's memory pages, something strange is surely happening! A page marked EXECUTE_READWRITE is found. The VAD tree (ref: here) is used to check for injections, with a super positive result! We can now assert that the PC was infected.

VAD Tree search on volatility
Let me search for the file on VirusTotal to see if I get more on it... Here it goes: VirusTotal identifies the sample as Darkcomet, a simple open-source Remote Administration Tool (RAT).

VirusTotal DarkComet

Weird things were happening to my friend's PC and he was right. Actually, Darkcomet is only one of the suspicious files identified in the psxview output; for example, I saw a notepad.exe child of explorer.exe and a cmd.exe child of explorer.exe as well. It was a nice hunting Saturday night!

Tuesday, April 7, 2015

GitHub and the Man On The Side Attack

Recently, most people who collaborate through GitHub experienced a new kind of Denial of Service attack, widely known as a Man-on-the-Side attack. The GitHub DDoS attack was driven by the State of China (New York Times) with the intent to alert the GitHub company about the violation of the Chinese censorship policies.
"Because GitHub is fully encrypted, China’s domestic web filters cannot distinguish between pages that host code useful to programmers and code that circumvents censorship." (Source: New York Times)
The cyber attack was made possible because the Chinese Government poisoned web traffic through its "great firewall" (Golden Shield Project), injecting a malicious JavaScript payload into specific HTTP requests. The Chinese Government sacrificed a local analytics company named Baidu, injecting into its analytics scripts malicious content able to load the targeted GitHub pages multiple times. A simple attack flow follows:
  1. An unaware user is browsing from outside China
  2. The website the user visits loads a JavaScript file from a server located in China, for example the Baidu Analytics script (much like Google Analytics)
  3. The user's web browser requests the Baidu JavaScript
  4. The requested JavaScript is intercepted by Chinese passive infrastructure as it enters the China perimeter
  5. A compromised response is sent out from China instead of the actual Baidu Analytics script
  6. The compromised response tells the user's browser to continuously load specific pages on GitHub.com.
Finding the original malicious code in order to analyze it was actually the real challenge (at least for me). I tried tons of GET requests to Baidu URLs but no malicious payloads were found. Fortunately urlquery.net saw the code and stored it (here). The following image shows one of the payloads used (that report proves that multiple payloads were involved).

Script From Baidu during the Chinese Github Attack

After a couple of deobfuscation "rounds" (JDetox would help you out), the piece of JavaScript coming out of the analysis contained two specific URLs: github.com/greatfire and github.com/cn-nytimes. Both URLs are mirror sites for GreatFire.org and the Chinese New York Times. GreatFire and NYT both use GitHub to circumvent the online censorship performed by the Great Firewall of China (GFW).

Decrypted "Malcode"
The connection path captured by urlquery is shown in the following picture, where the query to CloudFront coming after the fake Baidu script has been loaded is quite evident.

Connection Flows

Getting a little bit deeper -- a malicious payload downloaded from --

HTTP/1.0 200 OK
Content-Type: text/html
Server: nginx
Date: Wed, 18 Mar 2015 09:56:57 GMT
Content-Length: 114
Last-Modified: Wed, 18 Mar 2015 05:43:55 GMT
Etag: "5509109b-72"
Expires: Wed, 18 Mar 2015 09:56:57 GMT
Cache-Control: max-age=0
Accept-Ranges: bytes
Connection: keep-alive

forced the user's browser to load content from: d18yee9du95yb4.cloudfront.net

GET /?1425380212 HTTP/1.1
Host: d18yee9du95yb4.cloudfront.net
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Accept: text/plain, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://pos.baidu.com/wh/o.htm?ltr=&cf=u
Origin: http://pos.baidu.com

Currently the host has been blocked due to the described attack, as follows:
Blocked host because of the "Chinese Attack"
I decided to write a little bit about this attack since it is one of the most "dramatic" examples of how "states" might perform wide attacks using unaware services and state infrastructures...
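From the defender's side, a browser that received the injected script shows up in web proxy logs as a burst of GETs to one host, each with a purely numeric query string and a Referer on a different host, as in the capture above. The following is an added detection example, not code from the original post; the log format, the window and threshold values and all log lines are constructed assumptions, and it presumes the proxy can see full URLs.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
#   "<epoch> <client> <method> <url> <referer>"
REFERER = "http://pos.baidu.com/wh/o.htm?ltr=&cf=u"
SAMPLE_LOG = "\n".join(
    ["1426672600 10.0.0.21 GET " + REFERER + " http://news-portal.example/"]
    # Six requests in ten seconds, each with a numeric cache-busting query.
    + [f"{t} 10.0.0.21 GET http://d18yee9du95yb4.cloudfront.net/?{t} {REFERER}"
       for t in range(1426672617, 1426672629, 2)]
    # Ordinary versioned static assets: numeric query, but no burst.
    + ["1426672640 10.0.0.34 GET http://static.shop.example/app.js?20150318 http://shop.example/",
       "1426672641 10.0.0.34 GET http://static.shop.example/site.css?20150318 http://shop.example/"]
)


def max_in_window(times, window):
    """Largest number of timestamps falling inside any `window`-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_floods(log, window=60, threshold=5):
    """Return sorted (client, target host, referer host, peak count) tuples for
    clients sending bursts of numeric-query GETs triggered from another site."""
    hits = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "GET":
            continue  # malformed line or other method
        ts, client, _, url, referer = parts
        target, ref = urlsplit(url), urlsplit(referer)
        if not target.query.isdigit():
            continue  # only timestamp-like cache busters are of interest
        if not ref.hostname or ref.hostname == target.hostname:
            continue  # same-site reloads are not the pattern described here
        hits[(client, target.hostname, ref.hostname)].append(int(ts))
    floods = []
    for (client, host, ref_host), times in hits.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            floods.append((client, host, ref_host, peak))
    return sorted(floods)


if __name__ == "__main__":
    for client, host, ref_host, peak in find_floods(SAMPLE_LOG):
        print(f"{client} -> {host} ({peak} hits/min, triggered from {ref_host})")
```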

Friday, March 6, 2015

Angler and the new threats

What I am writing is not "news" anymore, but it is like a "consciousness raising" about the incredible job the guys behind the Angler exploit kit did.

But let me start from the beginning. For everybody out there who does not know what an exploit kit is, I found a clear and nice description from McAfee Labs:
An exploit kit is an off-the-shelf software package containing easy-to-use packaged attacks on known and unknown (zero-day) vulnerabilities. These toolkits exploit client-side vulnerabilities, typically targeting the web browser and applications that can be accessed by the web browser. Exploit kits can also track infection metrics and have robust control capabilities
Angler is one of several exploit kits available to attackers. Actually, the Angler exploit kit has become the most advanced, most powerful and best exploit kit available on the market so far, beating the infamous BlackHole exploit kit, with a host of exploits including zero-days and new techniques added to it.

What makes Angler so great are the following two characteristics: Domain Shadowing ("DSH") and Fileless Infection ("Fileless").

One of the newest techniques behind the Angler exploit kit is the so-called "Domain Shadowing". Domain shadowing, which first appeared in 2011, is the process of using users' domain registration logins to create subdomains used to spread malware content. Nick Biasini from the Cisco Talos Group did a great job in describing the differences between the classic fast flux DNS techniques and the domain shadowing technique implemented in the Angler exploit kit. The following image (taken from the Talos description) shows the difference between the most common fast flux and the recent domain shadowing.

Fast Flux vs Domain Shadowing (from Talos Description)

While fast flux continuously changes the DNS record value (well, there are plenty of variants of it, so please forgive my generalization) in order to confuse analysis, domain shadowing makes use of many real, stolen DNS accounts to make them redirect to malicious content. This technique is "way more complex" to implement, since the bot maker needs to compromise DNS records and/or DNS credentials.
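Because shadowed subdomains hang off an otherwise legitimate registration, one way to hunt for them is to compare newly seen subdomains against the address space the domain's long-standing names use. The following is an added example, not from the original post or from Talos; the heuristic itself, the `/24` granularity, the two-label domain split and all records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed passive-DNS observations: (first_seen, fqdn, resolved IPv4).
# Names use the reserved .example TLD and documentation address ranges.
RECORDS = [
    (date(2013, 4, 2), "www.garden-tools.example", "192.0.2.10"),
    (date(2013, 4, 2), "mail.garden-tools.example", "192.0.2.11"),
    (date(2015, 3, 1), "qzx81.garden-tools.example", "203.0.113.77"),
    (date(2015, 3, 1), "mmv2k.garden-tools.example", "203.0.113.77"),
    (date(2015, 3, 2), "ad7pl.garden-tools.example", "203.0.113.80"),
    (date(2014, 1, 9), "www.city-bakery.example", "198.51.100.5"),
    (date(2015, 3, 2), "shop.city-bakery.example", "198.51.100.6"),
]


def registered_domain(fqdn):
    # Assumption: the last two labels form the registered domain. Real data
    # needs the Public Suffix List (e.g. for names under co.uk).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def net24(ip):
    """The /24 network containing an IPv4 address."""
    return ipaddress.ip_network(ip + "/24", strict=False)


def find_shadowed(records, cutoff, min_new=3):
    """Return {registered domain: [new subdomains]} for domains where at least
    min_new subdomains first seen on/after cutoff resolve outside every /24
    used by the domain's older, established names."""
    baseline = defaultdict(set)   # domain -> /24 networks of established hosts
    recent = defaultdict(list)    # domain -> [(fqdn, ip)] first seen on/after cutoff
    for first_seen, fqdn, ip in records:
        dom = registered_domain(fqdn)
        if first_seen < cutoff:
            baseline[dom].add(net24(ip))
        else:
            recent[dom].append((fqdn, ip))
    flagged = {}
    for dom, hosts in recent.items():
        if not baseline[dom]:
            continue  # brand-new domain: no owner baseline to compare against
        outside = sorted({fqdn for fqdn, ip in hosts
                          if net24(ip) not in baseline[dom]})
        if len(outside) >= min_new:
            flagged[dom] = outside
    return flagged


if __name__ == "__main__":
    for dom, subs in find_shadowed(RECORDS, cutoff=date(2015, 1, 1)).items():
        print(dom, "->", ", ".join(subs))
```

Domains whose owners legitimately add hosts on third-party infrastructure will also match, so a hit is a lead for the registrant to review the account, not a verdict.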

Fileless infection is another great new feature introduced into the Angler exploit kit. The obvious difference between fileless injection and file injection is in the way the exploit kit drops and loads the new payloads. The following image clearly shows the difference between the two techniques. On the left side is a file injection, in which the exploit kit saves the malicious .dll into a temp directory and later loads the malicious .dll from disk (this approach makes persistence easy but is more exposed to AV discovery).

File injection vs Fileless injection
On the right side of the image, the process loads the downloaded stream directly into memory, running it through a new thread. This method makes persistence harder and network detection easier, but it makes host detection by AV engines almost impossible. The following screenshot shows a piece of code that makes this happen by (I did follow the steps in here):

  1.  Read first page of the file which includes DOS header, PE header, section headers etc. 
  2. Fetch Image Base address from PE header and determine if that address is available else allocate another area. (Case of relocation) 
  3. Map the sections into the allocated area 
  4. Read information from import table and load the DLLs 
  5. Resolve the function addresses and create Import Address Table (IAT). 
  6. Create initial heap and stack using values from PE header.
  7. Create main thread and start the process.
Fileless Execution Example. Code goes from left to right (it's the same file)

Nowadays we are even experiencing a Poweliks (CVE-2012-0158, which stores payloads in the registry) and Fileless combo, which makes Angler even more undetectable.

Following is a McAfee graph showing the variants of several exploit kits during 2014. Angler got 14 variants in a few months. Amusing!

Exploit Kits in 2014 (McAfee)

Friday, February 13, 2015

Notorious Hacking Groups.

Knowing your "enemies" is always a good exercise before developing any protection. Different attackers have different techniques and belong to different groups. Each group holds strict beliefs and attacks in a well-known way. In this post I want to examine some of the most notorious hacking groups in history up to now (February 2015), in order to show how attackers "attack" and how they live as a community.

The following list won't be a complete and/or exhaustive list of cyber attacker groups; it is mainly based on my memories and publicly available information.

I'd like to start with the 414s hacking group (1980). As far as I know it's not an active hacking group anymore. It broke into dozens of high-profile computer systems, including Los Alamos National Laboratory, Sloan-Kettering Cancer Center, and Security Pacific Bank. It was one of the first groups to be organized over IRC and to act together in order to reach a common goal.

Another hacking group born in the 80s was the PHIRM. In 1985 a Phrack magazine article brought the group into the public eye, and they began to take on new members. In 1987 two of the founders, Archangel and Stingray, co-authored a report on Cleveland's Freenet. In 1989 the group published a definitive guide to breaking security on Bank of America home banking systems.

The Cult of the Dead Cow (cDc) is probably the biggest hacking group of the late 80s. Its famous logo still appears in some of the underground tools out there. The group coined the term "Hacktivism" and became famous for its fight with the Hong Kong Blondes (a Chinese hacking group).
cDc Logo                                 
In the late 1990s, the cDc worked with a group of Chinese dissidents called "The Hong Kong Blondes." The goal of the Hong Kong Blondes was to disrupt computer networks within the People's Republic of China in order to allow PRC citizens to access censored content online. The Hong Kong Blondes were, arguably, one of the first hacktivist groups. The cDc advised the group on strong encryption techniques, among other things.[17][18][19][20] The cDc formally severed ties with the Hong Kong Blondes in December 1998.
Chaos Computer Club (CCC) is a Germany based hacking group. The CCC describes itself as "a galactic community of life forms, independent of age, sex, race or societal orientation, which strives across borders for freedom of information...." In general, the CCC advocates more transparency in government, freedom of information, and the human right to communication.
Level Seven was a hacking group during the mid to late 90s. It eventually dispersed in early 2000, when nominal head 'vent' was raided by the FBI on February 25, 2000. They became famous after the attacks on NASA and Sheraton Hotels.

Milw0rm is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Mumbai. The group conducted hacks for political reasons,[3] including the largest mass hack up to that time, inserting an anti-nuclear weapons agenda and peace message on its hacked websites.

NCPH (Network Crack Program Hacker Group) is one of the first Chinese hacker groups, based out of Zigong in Sichuan Province. While the group first gained notoriety after hacking 40% of the hacker association websites in China,[2] their attacks grew in sophistication and notoriety through 2006 and received international media attention in early 2007. iDefense linked the GinWui rootkit, developed by their leader Tan Dailin (Wicked Rose), with attacks on the US Department of Defense in May and June 2006. iDefense linked the group with many of the 35 zero-day attack and proof-of-concept codes used in attacks over a period of 90 days during the summer of 2006. They are also known for the remote-network-control programs they offer for download.

Lizard Squad is the hacking group known for targeting the PlayStation Network and Xbox Live services. It mainly acts as a black hat group and it was publicly revealed in August 2014. It is a much-discussed hacking group, since many parties say they claim fake attacks.

LulzSec is another group of hackers, originating in 2011 and quite famous in the underground community. Organized by Sabu, LulzSec has been accused of compromising user accounts of Sony Pictures in 2011. The group also claimed responsibility for taking the CIA website offline several times.
Lulz Sec Logo
TeslaTeam is a group of black-hat computer hackers from Serbia established in 2011. The group was mainly famous for their defacement techniques (tools). They mainly targeted political groups and Albanian websites, including news organizations and human rights groups. TeslaTeam is currently the only virtual army in Serbia to openly launch cyber attacks.

SEA (Syrian Electronic Army) is a group of computer hackers who support the government of Syrian President Bashar al-Assad. Using spamming, defacement, malware (including the Blackworm tool), phishing, and denial of service attacks, it mainly targets political opposition groups and western websites including news organizations and human rights groups. The Syrian Electronic Army is the first public, virtual army in the Arab world.

Anonymous is maybe the most discussed and famous (right now) group of hacktivists, originating in 2003. A website nominally associated with the group describes it as "an internet gathering" with "a very loose and decentralized command structure that operates on ideas rather than directives". The group became known for a series of well-publicized publicity stunts and distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites.

Anonymous Logo
 Beginning in June 2011, hackers from Anonymous and LulzSec collaborated on a series of cyber attacks known as "Operation AntiSec". On June 23, in retaliation for the passage of the immigration enforcement bill Arizona SB 1070, LulzSec released a cache of documents from the Arizona Department of Public Safety, including the personal information and home addresses of many law enforcement officers.

Wednesday, January 28, 2015

Romantic Cyber Attack Process

From time to time, even though we are now in 2015, I find people who do not truly believe in cyber attacks and have confused ideas about how cyber attackers do their job. So, even if what I am writing is well known to most of you, I want to briefly describe a romantic process behind current cyber attacks on public and/or private infrastructures (not SCADA based).

The following image, borrowed from CERT-EU-SWP, shows a typical attack flow in 2014/2015. The attacker performs the designed initial attack phase (step 1) by compromising the victim's machine (nowadays the most frequent "phase one" is implemented through exploiting, spear-phishing, watering hole, etc.).

From: CERT-EU-SWP Protection from Kerberos Golden Ticket
Once the attacker has successfully compromised the victim's machine (which often, but not always, means having direct access to that machine), he/she needs to escalate local privileges (2) in order to proceed with horizontal propagation (phase 4). Several known techniques are available to escalate local privileges, such as: exploiting local vulnerabilities, 0-days, dumping the SAM file, hidden passwords, weak permissions on processes, DLL preloading, write permission on Win32, Windows services running as SYSTEM, Windows AT commands, etc.
Horizontal propagation is one of the most exciting phases for the attacker, since he/she can explore, for the first time ever (assuming a complete black box attack), the victim network, trying to tamper with the entire targeted network through horizontal attack techniques.
Note: some attackers prefer to penetrate neighboring machines through a generic exploiting process, other attackers prefer to use network tricks to compromise the attacked network's communication, and some other attackers prefer to own network infrastructure (such as routers, smart switches, DNS, DHCPs, etc.) before endpoint machines.
Based on my personal experience, the most expedient way to perform horizontal propagation is through the "pass-the-hash" technique (or "pass-the-ticket" in the case of Kerberos) [here, here]. In order to reach horizontal propagation (phase 4) the attacker needs to harvest hashes or tickets (depending on the targeted infrastructure). Harvesting hashes is a relatively simple phase that can be accomplished by searching for logged-in user accounts, looking for services (applications) hosting a password, or waiting for/forcing a remote user to log in. Thanks to the pass-the-hash technique, attackers can ensure persistent access to the target network, having continuous and unlimited access to the target environment. The described process is by far the most used attacking process implemented so far, but it is not the only one. No countermeasures will be discussed in this "blog post", only the romantic cyber attack process. :]