Tuesday, April 29, 2008

The Hack without a Hack - Part 3

Yes, I've finally started to update my story. If you've forgotten what has happened, check out part 1 and part 2.

With a few quick Google searches Bill was able to find a few programs which would reveal any passwords which were hidden behind asterisks in Windows programs. More often than not, these "hidden" passwords were just being hidden from view and were decoded behind the scenes within the program. A number of programs are available which will reveal the hidden passwords and Bill found one he liked - Password Spectator (http://www.refog.com/passwordrecovery/).

A quick install and one click later and the password was revealed: "banklogin". Lame, Bill thought. It almost deserves to be broken into.


Bill opened up a telnet session to the trading machine, logged in as "trader" and began exploring the server. The server was a Debian Linux 4.0 server. From the routing tables on the machine it appeared to have a direct connection to the third party service, probably through a frame relay connection. This allowed for real-time trading to take place.

Bill couldn't tell if the third party service had access into this server, but running the "last" command, which displayed the last users to have logged on and where they came from, he did not see any connections from the other company.

Bill was logged in as user "trader". There were two other user accounts on the system: "admin" which was probably used to administrate the application and "root", the super-user account for the system. Bill's account appeared to have very little access on the system which meant he would not be able to install a sniffer unless he obtained root access.

However, since this was a 3rd party system the administrative passwords the bank normally used did not work for root. Bill tried a couple of common passwords with no luck. Quickly, though, he cursed himself for trying. Upon examining /etc/syslog.conf, the UNIX file which dictates what log messages go where, he found that any error messages were sent back to the 3rd party and to a system which he did not have access to. This meant that all of the failed password attempts he just tried were logged on another system - if anyone was watching those logs then he was sure to be discovered. Bill had to get root access quickly so he could cover his tracks.

Having administered various UNIX and Linux systems in the past, Bill knew where to look in order to find system weaknesses. After a few minutes of searching, Bill found his path to root in /var/spool/crontabs.

So, if anyone is reading this, what else could Bill have done to get the trader password? Any thoughts on how he'll get root access?

Kraken Botnet Infiltration

When the Kraken botnet was "exposed" at the RSA conference this year, alot of controversy surrounded it within the MA community. Was this really a new botnet? Was it really as big as the speakers were saying it was? Why weren't samples shared before hand? And so on.

Despite this controversy, there has been alot of interesting information about it. One of the most interesting pieces I've read is from two analysts at TippingPoint who infiltrated the Kraken botnet. Yesterday, they posted two blog entries which discuss how they did it - from both a high level and a technical level.

They are very good reads and I recommend reading them.

Kraken Botnet Infiltration
(high level)
Owning Kraken Zombies, a Detailed Discussion (technical)

Sunday, April 27, 2008

GFIRST

Speaking of conferences, Greg and I will be speaking at GFIRST, a conference put on by US-CERT in Orlando, Florida. The conference takes place from June 1-6. We will have two presentations:

Malware Analysis: The Forgotten Forensics Skill
Latest Malware Techniques

The best part about this conference is its free! We were at it last year and I highly recommend going to the conference. Its a great place to network and see security from a different point of view.

Saturday, April 26, 2008

Collaboration Technology and Engaging the Campus

Securi-D posted this on his blog at http://securid.wordpress.com/. Looks like a pretty good seminar if you can make it.

Thursday, May 8, 2008
Case Western Reserve University
Thwing Center
Cleveland, Ohio

9am - 4 pm

To the Cleveland 2.0 Community:

This is an outstanding opportunity for the entire community to learn and participant in the emerging world of collaboration technology. In addition to workshops, panels, and keynotes, there are big raffle drawings for computer systems and more (must be present to win). The website is open for registration at http://www.case.edu/its/collabtech08/collabtech08.html
Case Western Reserve University will highlight new technologies and how they enhance research and discovery during its campus Collaboration Technologies Summit 2008 from 9 a.m. to 4 p.m. May 8 in Thwing Center. In addition, the keynote and panels will be streamed in ClevelandPlus in SecondLife .

All university faculty, staff, students, alumni, neighborhood and community partners are invited to attend the symposium and demonstration event—that will be conducted simultaneously at collaborative sites throughout world.

The event will feature a keynote address by Anthony D. Williams. An author, researcher and consultant, Williams’s latest project is the bestselling book (co-authored with Don Tapscott) called Wikinomics: How Mass Collaboration Changes Everything.

Two panels at the summit will be anchored by Campus Computing Project Director, Dr. Kenneth Green, Visiting Scholar at Claremont Colleges. The first panel is titled Making Sense of the explosion of Web 2.0 tools and their relevance and consequence in Higher Education. Panelists include educators and faculty leaders from Case Western Reserve University, University of Southern California, Bradley University, and Researchers from IBM. At the end of the day-long event Green will host a panel called Collaboration Technology—What’s Next?: Bold Predictions, Cautionary Notes and Take Away Lessons. Panelists include leaders from Case Western Reserve University, Tri-C, MIT, and the co-founder of SecondLife, Cory Ondrejka.

Friday, April 25, 2008

Obfuscating Malware for Fun and Prizes

I just found out about a new contest happening this year at Defcon, called The Race to Zero. Contestants will be given a set of malware in which they have to modify and upload through a portal. In the portal, a large number of AV programs will be run against the sample. Once the files have been obfuscated enough such that no AV programs detect it, the contestant will move to the next round. Obfuscated viruses must work the same as the original.

There are positive and negative things which can come out of this. Hopefully the obfuscation techniques used in the content will be analyzed by AV vendors to increase their capabilities in detecting malware - because they most certainly will be analyzed by malware authors! I can almost guarantee that whoever wins this will have their technique studied by various organized groups around the world.

I have to admit I'm tempted on entering this. I've used some techniques to bypass AV during my tests in the past and have had good success. Now, if only I can get my work to pay for me to go. :)

Thursday, April 24, 2008

Tracking malware

I've been following the certificate phish I posted about the other night for the last couple days. There have been a few more iterations of it using the same certificate scam, only for different banks. The interesting thing is while the domain names keep changing, the IP address of one of the name servers has been staying the same. This is a fast flux network, but I have to wonder if this name server is at some bullet proof hosting provider. If I find out more I'll post.

This got me thinking - how can we track the site which malware uses? The big AV/MA companies have databases and huge repositories of information from their customer base which allows them to track the websites and groups which are sending out malware. However, I don't work for a huge AV/MA company and neither to my MA buddies. We don't have access to the resources these big companies do, but is our research any less important?

I came to the conclusion that I'm going to start my own tracking database. I've only begun to formulate the idea on how to set it up in my head. I'm curious if anyone knows of anything like this, that is publicly accessible, which already exists? I know the ISC has their DShield database but this is more of any attacks and not specific to malware.

Wednesday, April 23, 2008

LinkedIn for Targets

Often times the company I work for is hired to do "open source reconnaissance" on a network or company. Basically this means seeing what information you can get about the company or its employees from public sources. Knowing how to use WHOIS, how to query DNS and especially how to use Google is a must in this area.

You'd be surprised what you're able to find. From the obvious things like DNS zone transfers to resumes of employees describing EXACTLY how they built the ASP-based web infrastructure for the company. This information can be a dream come true for a pen tester or an attacker.

But you really need to look beyond the things Google and other search engines give you when you do this. Checking out MySpace, Facebook, and other "social networking" sites can yield a gold mine of information. My biggest fave these days when doing these types of tests: LinkedIn.

IMO, LinkedIn is essentially a toned-down "corporate" MySpace. A virtual bar where everyone can see who everyone else knows and how they know them. With the latest features, you can even get profiles on a company, see who their other employees are and what they do. Great stuff for a pen tester or an attacker.

Thats why I was really interested when I saw a post from the CSIS Security Group about an experiment they did on LinkedIn and presented about at the Europe Fraud Conference. Essentially, they created a fake person, named John Smith, gave him some fictional work history and started sending invites to everyone they could. Anytime someone sent an invite to them, they
accepted. In the end, they had over 3600 contacts - 1115 of which had contacted them!

Now, imagine what a bad guy could do on a site like LinkedIn. After having established a valid-looking profile, which according to CSIS is pretty easy to do, they would look trustworthy to anyone who saw their profile. It would be relatively easy to create a company contact list for your target company at that point and begin a targeted campaign against those people. Given the malware targeting we've been seeing lately, I have to wonder if thats not already being done.

The presentation is located at http://www.csis.dk/dk/media/LinkedIn-Threats.pdf and a technical paper on it is located at http://www.csis.dk/dk/media/LinkedIn-V2.pdf. The technical paper was released in January so it may not be news to some people, but I think its worth a read nonetheless.

Tuesday, April 22, 2008

Certificate Phish

I received an interesting phish email the other day. The email contained a notice, supposedly from a bank, which said my "personal certificate" was about to expire and in order to renew it, and keep the security of account up to date, I needed to click on the link, install the update and then log into my account. Of course, the link led to some malware.

What I find interesting about this is that it throws enough security jargon out to the recipient to make it sound believable. While most people don't know what a certificate is or what its used for, they have probably heard about it at some point and know it has to do with security.

The email also takes a different approach than most phishes - instead of telling the victim there is something wrong with their account and they need to sign in immediately to fix it, it tells them they have to update to keep secure. I think this is going to be a shift in phishing tactics - phishers will start new methods to entice users to click on their links and inadvertently reveal their credentials. Of course, this may already be happening - I am in no way a phishing expert.

In any case, it just means we need to keep vigilant and stay aware as always.

Monday, April 21, 2008

Ohio HTCIA Conference

The NE Ohio chapter of the HTCIA will be holding their annual conference on May 12-14 and registration is only $225. This is an excellent opportunity to get great training locally and at an affordable price.

The conference will be held in Kirtland, Ohio at the Lakeland Community College campus, just off Interstate 90, and only 30 minutes from downtown Cleveland. I recommend anyone who can to go.

Greg and I will be speaking on Monday and Tuesday. On Monday we will be talking about tools and techniques in analyzing malware and on Tuesday we will be discussing rootkits.

More information can be found at http://www.ohiohtcia.org/conference.html.

A list of speakers can be found at http://www.ohiohtcia.org/speakers.html.

Hope to see you there!

Sunday, April 20, 2008

The Universal Language of Computer Viruses

I do alot of malware research in my spare time. As pointed out by one of the latest posts on spylogic.net, I'm somewhat known for it in the area (although legendary may be pushing it a little.) :)
However, it occurred to me last night how much malware has tied me into other people. For example, last night I was out getting a new phone. I was talking to the guy selling me the phone and ended up telling him I worked in computer security. He asked if I did anything with computer viruses. (I should have seen where this was going.)

When I told him I did, he said that he was using LimeWire to download a new Kevin Bacon movie (oops), but inadvertently installed a virus instead. He said his computer kept flashing on and off making it almost inoperable. I gave him a few suggestions and my card and told him that if those didn't work to email me.

I just think its funny how computer viruses have become a tying factor for me to others. :)

BTW, I'm going to try something new. For the next 30 days, I will be posting an entry every day. Don't expect these to be earth-shattering, but it will at least get me in the habit to keep this thing alive, which is what I intended it to be.