Tuesday, March 3, 2009

Odd SQL Injection Attack

Updated 3/9/09.

Last night, from 21:21 EST to 21:41 EST, a website I help run received over 1300 SQL injection attempts from fewer than a dozen IP addresses. This is a pretty popular site, so it's not uncommon for us to get hit with injection attacks, but it's rare for us to get hit this hard.

Normally I would brush it off as an unsuccessful botnet attack, but this SQL injection is bugging me, as I can't figure out what its purpose is. The query we received was as follows:

/modules.php?name=news&new_topic=9\' and 1=2 union select
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),
CONCAT(0x27,0x7c,0x5f,0x7c) and \'1\'=\'1
The user-agent was "NV32ts".

This is an attack on PostNuke, which the site does run. However, the number of CONCATs is what has me stumped (as well as some others I've asked).

The CONCAT(0x27,0x7c,0x5f,0x7c) statement decodes to:
'|_|
When you combine them all together, you get the following statement:
/modules.php?name=news&new_topic=9\' and 1=2 union select
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,
'|_| and \'1\'=\'1
The underscore is a single-character wildcard in MySQL only inside a LIKE pattern; in an ordinary string literal in a select list it is just a literal underscore, so the '|_| markers do not reduce any further. If it were a wildcard here, the injection would decode to:
/modules.php?name=news&new_topic=9\' and 1=2 union select
'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,
'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,
'||,'||,'||,'||,'||,'||,'|| and \'1\'=\'1
Reading that, it's potentially a bunch of logical OR statements (the double pipes) with some single quotes. But to me it still looks like it will generate an error.
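Two facts help make sense of the shape of that payload. A UNION SELECT only runs if it supplies exactly as many select-list expressions as the query it is glued onto returns columns (MySQL otherwise fails with "The used SELECT statements have a different number of columns"), so the count of CONCATs is the column count of the targeted query, not an arbitrary number. And putting the same distinctive marker in every column is the usual way automated UNION probing learns which columns are echoed into the page: the scanner searches the response for the marker. The following Python is an added example, not code from the post. It decodes the hex literals, rewrites the payload the way the post does by hand, and counts the UNION columns. The payload is reconstructed from the post; the function names are mine.

```python
import re

# The payload quoted in the post, reconstructed in its URL-decoded form:
# 49 identical CONCAT() markers in the UNION select list.
MARKER_EXPR = "CONCAT(0x27,0x7c,0x5f,0x7c)"
PAYLOAD = (
    "9\\' and 1=2 union select "
    + ",".join([MARKER_EXPR] * 49)
    + " and \\'1\\'=\\'1"
)

HEX_LITERAL = re.compile(r"^0x([0-9a-fA-F]+)$")
CONCAT_CALL = re.compile(r"CONCAT\(([^()]*)\)", re.IGNORECASE)


def decode_hex_literal(lit: str) -> str:
    """Decode a MySQL 0x... literal. MySQL treats it as a binary string, so
    0x27,0x7c,0x5f,0x7c are the bytes ' | _ |."""
    m = HEX_LITERAL.match(lit.strip())
    if m is None or len(m.group(1)) % 2:
        raise ValueError(f"not a well-formed hex string literal: {lit!r}")
    return bytes.fromhex(m.group(1)).decode("latin-1")


def decode_concat(expr: str) -> str:
    """Evaluate a CONCAT() call whose arguments are all hex literals."""
    m = CONCAT_CALL.fullmatch(expr.strip())
    if m is None:
        raise ValueError(f"not a flat CONCAT() call: {expr!r}")
    return "".join(decode_hex_literal(arg) for arg in m.group(1).split(","))


def rewrite_payload(payload: str) -> str:
    """Replace each CONCAT(0x..) call with the string it evaluates to."""
    return CONCAT_CALL.sub(lambda m: decode_concat(m.group(0)), payload)


def union_select_list(payload: str) -> list:
    """Split the UNION SELECT's select list on top-level commas, stopping at
    the first top-level ' and ' (the trailing \\'1\\'=\\'1 tail)."""
    start = re.search(r"union\s+select\s+", payload, re.IGNORECASE)
    if start is None:
        return []
    items, cur, depth = [], [], 0
    i = start.end()
    while i < len(payload):
        ch = payload[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth == 0:
            if ch == ",":
                items.append("".join(cur).strip())
                cur = []
                i += 1
                continue
            if payload[i:i + 5].lower() == " and ":
                break
        cur.append(ch)
        i += 1
    if "".join(cur).strip():
        items.append("".join(cur).strip())
    return items


def summarize(payload: str) -> dict:
    """Column count (must equal the attacked query's column count) and the
    distinct decoded markers (what a scanner would grep the response for)."""
    cols = union_select_list(payload)
    decoded = [decode_concat(c) if CONCAT_CALL.fullmatch(c) else c for c in cols]
    return {"columns": len(cols), "markers": sorted(set(decoded))}


if __name__ == "__main__":
    print(rewrite_payload(PAYLOAD))
    print(summarize(PAYLOAD))
```

Run against the post's payload, summarize() reports 49 columns and a single marker, '|_|. The same decoder works on other hex-literal UNION probes from the logs; only the marker and the column count change.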

I've googled the CONCAT statement and the user-agent and there are a bunch of hits, but nothing that gives me any information. In fact, it looks like there have been a number of attacks using this string. But that doesn't tell me the purpose of the injection string above. This is what I (and some others) have come up with:
  1. This was meant to generate a SQL error to see if a site is vulnerable. If that's the case, why so many hits in such a short period of time?
  2. The attacker was trying to evade IDS/IPS/protections, but made a mistake.
  3. The attacker just doesn't know what they are doing at all.
I'm open to any ideas.

UPDATE

I received a lot of responses on my previous SQL injection post. Thanks to everyone who did. Most came to the same conclusion as I did: the injection was either meant to generate an error or was a mistake on the attacker's part.

As for the user agent, NV32ts, I've confirmed that it is a known signature of a botnet. I am currently trying to dig up any samples on it.

Wednesday, February 11, 2009

InetSim Installation

For a project I'm working on*, I've been looking at network simulation software to use in malware analysis. The most common one out there is Truman, written by Joe Stewart. However, Truman has some shortcomings - the biggest being that it doesn't have an HTTP server and it hasn't been updated since it was released. So, I wanted to try a different one, and that led me to InetSim.

InetSim has a number of software packages that need to be installed before it works. For my benefit, and I guess others as well, I'm documenting the process I took to install it on my Gentoo Linux system.
  1. InetSim has the capability to do connection redirection, but some options have to be compiled into the kernel first. Specifically, Netfilter NFQUEUE over NFNETLINK interface (CONFIG_NETFILTER_NETLINK_QUEUE) and IP Userspace queueing via NETLINK (CONFIG_IP_NF_QUEUE) need to be enabled. I compiled them directly into the kernel, but they could be modules as well.

    Obviously, after re-compiling and installing your kernel (if needed), you should make sure that iptables is installed.

  2. A number of Perl modules need to be installed. Fortunately, most of these are in the Portage repository and can just be emerged:
    # emerge -av perl-Getopt-Long perl-libnet perl-Digest-SHA perl-digest-base perl-Digest-MD5 MIME-Base64 Net-DNS net-server
  3. There were two Perl libraries which were not in Portage and had to be installed from source. The first was IPC::Shareable, which is located on CPAN here. Once downloaded, installation was easy:
    # tar zxvf IPC-Shareable-0.60.tar.gz
    # cd IPC-Shareable-0.60
    # perl Makefile.PL
    # make
    # make test
    # make install
  4. The next required Perl library, Perlipq, took a little longer. This is the library used to interface with the packet queueing on the system for redirection. Initially, it could not find the libipq.h file in the correct location, but a manual edit of the Makefile (shown below) fixed that. Perlipq is downloaded from here.
    # tar zxvf perlipq-1.25.tar.gz
    # cd perlipq-1.25
    # perl Makefile.PL
    At this point, Makefile.PL prompts you for the location of the iptables development components. Specifically, it's looking for libipq.h. It doesn't matter what we enter here, as the Makefile will not find it in the correct place. Enter some text and let the script finish.

    Once the script is finished, edit the Makefile. On line 145 is the following include line:
    INC = -I
    This is the directory which will find libipq.h. Change it to the following:
    INC = -I/usr/include/libipq
    /usr/include/libipq is where libipq.h should be located. If you are unsure, run 'locate libipq.h' to see where it is. After saving the Makefile, installation can continue.
    # make
    # make install
  5. Optional: If you want to make sure you have all of the necessary Perl modules loaded, run the following Perl script:
    #!/usr/bin/perl
    # Fails at compile time if any of InetSim's required modules is missing.
    use strict;
    use warnings;
    use Getopt::Long;
    use Net::Server;
    use Net::DNS;
    use IO::Socket;
    use IO::Select;
    use IPC::Shareable;
    use Digest::SHA1;
    print "All required Perl modules loaded.\n";
    If there are no failures, you're good to go.

  6. At this point, all of the prerequisites should be installed and InetSim installation can proceed. The latest version of InetSim at the time of this writing is 1.1 and is located here. Download it and untar it into a central location - I chose /usr/local.
    # tar zxvf inetsim-1.1.tar.gz
    # mv inetsim-1.1 inetsim
    # cd inetsim
    Note: I renamed the default directory for my own benefit, this is not necessary.

  7. InetSim runs its servers as the nobody user. That user should exist by default, but you had better make sure.

  8. A group named inetsim is also required by InetSim to run. This should be created as follows:
    # groupadd inetsim
  9. InetSim comes with a setup.sh script which modifies permissions of all the files as needed.
    # sh setup.sh
  10. If you plan on running InetSim from a script, chances are you will need to modify a small piece of the inetsim program. On line 12 of the inetsim script is the use lib Perl statement which tells the script where to find the InetSim modules. In its original form, it is a relative path to the lib directory. It should be changed to an absolute path similar to the following:
    use lib "/usr/local/inetsim/lib";
At this point, InetSim should be installed and ready to run. The default configuration file is located in conf/inetsim.conf and I highly recommend reading and modifying it to fit your environment. However, you should be able to use the default configuration file to test out your installation.
# /usr/local/inetsim/inetsim --session test
A number of messages of servers starting will stream by. If you don't see any errors, you are good to go!
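The two hand edits above (the INC line in the perlipq Makefile in step 4 and the use lib line in the inetsim script in step 10) and the module check in step 5 are the parts of this procedure that are easy to get wrong on a repeat install, so they are worth scripting. The following Python helper is an added example, not part of InetSim or of the walkthrough; the paths /usr/local/inetsim and /usr/include/libipq are the ones used above, and the function names are mine. It replaces whatever follows -I on the INC line and whatever path the use lib line carries, so it is safe to run more than once.

```python
import os
import re
import subprocess
from typing import Callable, Iterable, List, Optional

# Assumed locations, taken from the walkthrough above.
DEFAULT_LIBIPQ_ROOTS = ("/usr/include/libipq", "/usr/include", "/usr/local/include")
DEFAULT_PREFIX = "/usr/local/inetsim"
# The modules the step-5 check script loads.
REQUIRED_MODULES = ["Getopt::Long", "Net::Server", "Net::DNS", "IO::Socket",
                    "IO::Select", "IPC::Shareable", "Digest::SHA1"]


def find_libipq_dir(roots: Iterable[str] = DEFAULT_LIBIPQ_ROOTS) -> Optional[str]:
    """Directory containing libipq.h, i.e. the value the Makefile needs after -I."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if "libipq.h" in files:
                return dirpath
    return None


def patch_makefile_inc(text: str, incdir: str) -> str:
    """Point the 'INC = -I...' line perlipq's Makefile.PL emitted (with whatever
    was typed at its prompt) at the directory that actually holds libipq.h."""
    new, n = re.subn(r"^INC = -I.*$", lambda _m: f"INC = -I{incdir}", text,
                     count=1, flags=re.M)
    if n == 0:
        raise ValueError("no 'INC = -I...' line found in Makefile")
    return new


def patch_use_lib(text: str, prefix: str) -> str:
    """Turn the relative `use lib` in the inetsim script into an absolute path."""
    new, n = re.subn(r"^use lib .*$", lambda _m: f'use lib "{prefix}/lib";', text,
                     count=1, flags=re.M)
    if n == 0:
        raise ValueError("no 'use lib' line found in inetsim script")
    return new


def patch_file(path: str, fn: Callable[[str], str]) -> bool:
    """Apply fn to a file's text and write it back only if it changed."""
    with open(path, encoding="utf-8") as fh:
        old = fh.read()
    new = fn(old)
    if new == old:
        return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new)
    return True


def missing_perl_modules(modules: Iterable[str]) -> List[str]:
    """Step 5 as a check: a module is present if `perl -MModule -e 1` exits 0."""
    missing = []
    for mod in modules:
        try:
            rc = subprocess.run(["perl", f"-M{mod}", "-e", "1"],
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL).returncode
        except FileNotFoundError:      # no perl on PATH at all
            return list(modules)
        if rc != 0:
            missing.append(mod)
    return missing


if __name__ == "__main__":
    import sys
    prefix = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PREFIX
    incdir = find_libipq_dir()
    print("libipq.h directory:", incdir)
    # Run from inside the unpacked perlipq directory after `perl Makefile.PL`.
    if incdir and os.path.exists("Makefile"):
        print("perlipq Makefile patched:",
              patch_file("Makefile", lambda t: patch_makefile_inc(t, incdir)))
    script = os.path.join(prefix, "inetsim")
    if os.path.exists(script):
        print("inetsim use lib patched:",
              patch_file(script, lambda t: patch_use_lib(t, prefix)))
    print("missing Perl modules:", missing_perl_modules(REQUIRED_MODULES) or "none")
```

Run it from the perlipq source directory after `perl Makefile.PL` (and again after InetSim is unpacked) with the install prefix as its only argument. If it reports a missing module, emerge or build that module before running setup.sh.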

* My new project - thanks ax0n!:


Thursday, February 5, 2009

Strings and update

Its been a while since I posted anything so I wanted to get something up here.

First, in my last post I mentioned how I use the strings utility when analyzing binaries. The utility lets you view the strings embedded in a binary. By default, it only shows ASCII strings. The problem with this is that Windows binaries usually also contain strings stored as UTF-16 (what Windows calls Unicode), which strings will not show by default. To get around this, I was using the Sysinternals strings utility with wine on my Linux system.

However, in a comment craigb stated that you can change the encoding strings looks for with the -e option. Here is a snippet from the strings man page:
-e encoding
--encoding=encoding
Select the character encoding of the strings that are to be found.
Possible values for encoding are: s = single-7-bit-byte characters
(ASCII, ISO 8859, etc., default), S = single-8-bit-byte characters,
b = 16-bit bigendian, l = 16-bit littleendian, B = 32-bit bigen-
dian, L = 32-bit littleendian. Useful for finding wide character
strings.
By running strings with different encodings, both the ASCII and the UTF-16 strings in a Windows binary can be found. To do so, I whipped up a little Bash script which I now use whenever I want to pull strings from a binary:

#!/bin/bash
# mystrings: dump ASCII and UTF-16LE strings from a file with hex offsets.
[ $# -eq 1 ] || { echo "usage: $0 <file>" >&2; exit 1; }

(strings -a -t x "$1"; strings -a -e l -t x "$1") | sort
The script, which I named mystrings, takes the file to scan as a command line argument. It then runs strings against it twice - the first time looking for ASCII strings and the second looking for Unicode (16-bit little-endian, actually) strings. The -t x option prints the hex offset of each string within the file. After the strings commands run, their combined output is sorted and displayed, so strings from both passes appear in file order.
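To make concrete what the second pass adds, here is a small Python reimplementation of both passes. It is an added example, not the author's script: it finds runs of printable 7-bit bytes, which is what plain strings reports, and runs of printable characters stored as 16-bit little-endian code units, which is what -e l reports, then merges the two lists by offset the way the sort in the script does. The sample bytes are constructed for the example and are not a real binary.

```python
import re
from typing import List, Tuple

MIN_LEN = 4  # binutils strings' default minimum string length

# Constructed sample (not a real PE file): an ASCII string, then a path stored
# as UTF-16LE the way Windows binaries store it, then another ASCII string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"Project1.vbp" + b"\x00\x00"
    + "C:\\Windows\\System32\\kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02" + b"Hello AV Companies" + b"\x00"
)

# A run of MIN_LEN or more printable 7-bit bytes: what `strings` finds.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters as 16-bit little-endian code units: what `strings -e l` finds.
WIDE_LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def ascii_strings(data: bytes) -> List[Tuple[int, str]]:
    """(offset, text) for each printable 7-bit run."""
    return [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]


def utf16le_strings(data: bytes) -> List[Tuple[int, str]]:
    """(offset, text) for each printable UTF-16LE run; invisible to the ASCII pass
    because every other byte is a NUL."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_LE_RUN.finditer(data)]


def all_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Both passes merged and ordered by file offset; tag 'a' = ASCII, 'l' = UTF-16LE."""
    found = [(off, "a", s) for off, s in ascii_strings(data)]
    found += [(off, "l", s) for off, s in utf16le_strings(data)]
    return sorted(found)


def format_like_strings(data: bytes) -> str:
    """One line per string with a 7-wide hex offset, in the spirit of `strings -t x`."""
    return "\n".join(f"{off:7x} {tag} {s}" for off, tag, s in all_strings(data))


if __name__ == "__main__":
    print(format_like_strings(SAMPLE))
```

On the sample, the ASCII pass sees only Project1.vbp and Hello AV Companies; the kernel32.dll path only shows up in the UTF-16LE pass, which is exactly the gap the second strings invocation in mystrings closes. Note that both passes only cover characters in the printable ASCII range; a wide string containing non-ASCII characters breaks the run, just as it does for strings -e l.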

My concern with this was that the Linux strings would miss something the Sysinternals strings would pick up. So, I ran a test where both programs were run against the same file. The output was the same! Woohoo!

In other news, I'd like to announce I got a new job starting at the beginning of the year (which is pretty much the reason I have not been posting). Those who know me know where I went to, so I won't go into details here. However, I've gotten into my groove and should be posting more soon.

Friday, December 12, 2008

Internal Laughs

Most malware that I look at these days is packed, sometimes double-packed, in order to hide what's inside. When they aren't packed, many times the strings inside the binary are encoded or encrypted so a strings program can't see what is going on.

Sometimes, however, if you wish REALLY hard and REALLY believe, you come across a gem like the one I looked at last night. I was notified of a piece of malware sitting on a server by one of my many sources. After downloading it, one of the first things I did was run the Sysinternals strings* utility against it. I found some interesting things:

C:\Documents and Settings\James\Desktop\MSN Pass Stealer\Stub\Project1.vbp

Hello AV Companies, Please Call Me

Hello AV Companies, Please Call Me Win32.MSNPassSteal.VB Thank You!

It's so nice to see things like this at times. While I'm pretty sure James didn't write this particular piece of malware, he probably did modify the source (MSN password stealer source code is easy to find) and compile it.

James - if you are reading this let me give you some advice. First, learn how to use your compiler and how to turn off the debugging features that are turned on by default. Second, AV companies are not going to name your malware something you want. None of them did.

And finally, if you are going to use a user ID to post the results under, don't make it unique. Our intrepid fellow put in the website the stolen credentials would post to as well as the user ID to use. While I'm not 100% sure it's James' ID (which is why I didn't show it), it is very unique and can be traced back to a single user.

Then again, James, don't follow my advice. It'll be easier to catch you that way. :)


* Even though I do 99% of my static analysis on Linux, I prefer the Sysinternals strings program because it can grab Unicode strings and to my knowledge the Linux strings cannot. It works just great under wine. If anyone knows of a Linux strings program that can grab Unicode strings, let me know.

Monday, November 24, 2008

Enhancing Your Skillz...

I remember one of the questions I was asked in my first security job interview was "Why do you want to work in information security?" My response: because it changes on a daily basis and you have to stay on your toes. (This was also my response for "why don't you like security?")

Since then, I have always been searching for ways in which I could increase the security skills I have. Training courses, reading blogs/articles/books and networking are a great way to increase your security skills but I have always thought that there is more to security than knowing how to read a TCP packet, how a buffer overflow works or how to perform a SQL Injection attack.

If you work in Information Security you also have to have great analytical skills. You need to be able to "think outside the box", attack problems from a different point of view, or look at a log file and discern a pattern which someone else might not see. IMO, you can't learn these skills from reading an article or taking a training course.

However, I have found that playing games is an excellent way to increase your security analytical skills. How? A lot of games focus on strategy or pattern discernment and can help train your mind for these tasks. The following are games that I've personally played and found helpful in these areas.

Note: While I am a geek and love video games, I have specifically excluded these types of games from the following list. There are a number of reasons, but mostly because when it comes down to it, most video games are about reflexes not strategy (there are, of course, exceptions).

Set - Set is a card game where 12 cards are laid out on the table and you have to be the first person to find a set of three cards. A set consists of three cards that are either all alike or all different in each attribute (quantity, shape, shading and color). Sound easy? Not really. Set teaches your mind to attempt to focus on a number of different areas at once and discern a pattern. Great addictive game. Play it online too.

MindTrap - I love logic puzzles. To me, they are the ultimate in causing myself to "think outside the box" since most solutions aren't the obvious ones and require some thinking. Mindtrap takes logic puzzles and puts them into game form.

Puzzles for Hackers - Not a game per se, this book contains lots of puzzles designed for hackers and security professionals. It features encryption puzzles, reverse engineering and logic puzzles. I highly recommend it.

Hacker - OK, this probably isn't the best example for games in these categories...but I think this is a must have for all info sec professionals, given the history behind it.

Granted, these are only a small number of the games with potential to help us security folk. My point to all of this is that you don't just need to read a book or take a class to train yourself for your job...there are alternatives out there. And fun ones at that.

Anyone have any good games they want to share?

Thursday, November 20, 2008

Malware Challenge Results

After longer than I would have liked, the malware challenge results are in and posted!

There were a lot of great submissions but unfortunately, we could only choose so many to receive prizes. In the end, we looked at the ones we felt gave the most information, presented it the best and would allow someone to learn from their paper.

Some quick stats on the challenge, we had over 900 downloads of the malware sample. Fortunately, we didn't have that many submissions. Most of the hits on the site came from the US, followed by Romania and Russia. Also, over 50% of the hits on the site were from Firefox!

I'd like to send a thank you to all the sponsors who donated prizes. Without them, we would not have been able to have such a great turnout. We're already thinking about the 2009 Challenge!

Any suggestions on how we could have done better? Send them our way!

Link

Tuesday, November 4, 2008

Quick Update

Hello all - I haven't posted in a while and for good reason. I've been busy with a very interesting job at work that I hope to be able to talk about some day. Right now I can't (client privacy and such) but I can guarantee it will make an amazing story some day.

It is because of this job that I was unable to make it to the NE Ohio Information Security Summit. I apologize to everyone who thought I would be there and I have to commend and profusely thank Greg for taking over our presentations by himself and coming up with one at the last minute. Greg is an amazing speaker and friend and I'm glad he had packed crowds in both sessions.

As for the malware challenge, we were supposed to announce the winners at the summit. However, due to my being absent we decided to (wisely I think) postpone announcements until the next NE Ohio Information Security Forum meeting on November 19th. I invite everyone to come out as we will be giving out prizes there and announcing the winners (and will announce them on the site shortly after).

I will have some interesting news in the next couple weeks and am starting on a few projects I will be blogging about. For those who have stuck with my blog, thanks. I hope not to disappoint you. :)