Friday, November 9, 2012

Blog Post Down

Yesterday I published a post on the 2008 malware challenge that I helped put together and how I felt it was being misrepresented in another security company's (pay for) CTF.

The person responsible for that CTF posted a comment on the blog and asked me to contact him, stating it was really a mistake and no ill-intent was involved. I believe him.

The security industry we work in is very small. If your integrity is besmirched* then that can have negative effects on your career or company. I would not want to be responsible for that in the case of a simple oversight.

That is why I removed the blog post. In all fairness, I should have contacted them first before posting anything.

I am still posting the malware challenge and will do so later today.



* Woohoo! I got to use besmirched in a blog post!

Friday, November 2, 2012

NEOISF Puzzle Solution

A few people emailed me with the solution to the puzzle I posted, but I figured I'd post the solution for those that wanted it.

In the puzzle, Van Helsing is attempting to break the crypto that Dracula is using to try and find him. Fortunately for Van Helsing, the program is free and he can download it to see if he can crack it. He ran the program and typed in "vampire_vampire_vampire" and got back "R1lUR1hKXGhHWVRHWEpcaEdZVEdYSlw=". 

Anyone who has done any type of network analysis, or looked at a raw SMTP message, should recognize the output as base64 encoded. Base64 is an algorithm that converts binary data to ASCII so it can be transferred over protocols that do not natively allow binary (e.g. SMTP). It does this by converting every 3 bytes of data to 4 bytes of ASCII. The "=" character pads the output when the input length is not a multiple of 3, and it is often a give-away.

Base64 can be converted using many methods, but since Van Helsing is awesome he is using Linux and uses the base64 command to do so.

$ echo -n R1lUR1hKXGhHWVRHWEpcaEdZVEdYSlw= | base64 -d -
GYTGXJ\hGYTGXJ\hGYTGXJ\

NOTE: Van Helsing really should have redirected the output to a file since the characters could have been binary.

The base64 decoding produced a string that has 2 interesting qualities.

First, the base64 decoded string is the same length as the string he entered. This means that whatever algorithm the encryption program is using may be doing a 1-for-1 character encryption. In other words, the characters in his plaintext are being encrypted one at a time.

Second, there is a pattern of "GYTGXJ\h". The pattern is 8 characters long, which just happens to be the length of "vampire_". Coincidence? Probably not. 

The type of encryption that immediately popped into Van Helsing's head that can have these properties is XOR encryption. XOR is a boolean logic function that can be applied in encryption. This is done by taking a key and XOR'ing each of its bytes against the characters in the plaintext, repeating the key from the beginning once its bytes are used up.

One property of XOR encryption is that if you take the plaintext and XOR it with the ciphertext, it will reveal the key! Van Helsing knew this and XOR'd his plaintext against the ciphertext he got. (He wrote a quick Python script to do so):

$ python xordecode.py GYTGXJ\hGYTGXJ\hGYTGXJ\ vampire_vampire_vampire

18971897189718971897189

Voila! XOR'ing each byte of his plaintext with the ciphertext he received returned a pattern of "1897", which must be the key!

Taking that as the key, he then base64 decoded Dracula's message and applied the key of 1897 to get:

I will be at the Ohio Information Security Summit.

Now Van Helsing knew where he would be and could destroy the fiend!
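The full attack described above, as an added Python script (it is not the author's xordecode.py, which is not included in the post): it recovers the keystream from the known plaintext/ciphertext pair, reduces the keystream to its repeating key, and applies that key to Dracula's base64 message. All values are the ones quoted in the post; everything is handled as bytes so a binary result would not be mangled.

```python
import base64
from itertools import cycle

# Values quoted from the puzzle above.
KNOWN_PLAINTEXT = b"vampire_vampire_vampire"
KNOWN_CIPHERTEXT_B64 = "R1lUR1hKXGhHWVRHWEpcaEdZVEdYSlw="
DRACULA_MESSAGE_B64 = "eBhOXl1UGVVUGFhDEUxRUhF3UV5eGHBZV1dLWlBMUFhfGGpSUk1LXkVBGWREVVReRRY="


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """plaintext XOR ciphertext gives back the keystream, since XOR undoes itself."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("known plaintext and ciphertext must be the same length")
    return xor_bytes(plaintext, ciphertext)


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that reproduces the whole stream when repeated (the real key)."""
    for n in range(1, len(stream) + 1):
        candidate = stream[:n]
        if (candidate * (len(stream) // n + 1))[: len(stream)] == stream:
            return candidate
    return stream


def solve(plaintext: bytes, ciphertext_b64: str, message_b64: str):
    """Recover the key from the known pair, then decrypt the target message."""
    keystream = recover_keystream(plaintext, base64.b64decode(ciphertext_b64))
    key = shortest_period(keystream)
    return key, xor_bytes(base64.b64decode(message_b64), key)


if __name__ == "__main__":
    key, message = solve(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT_B64, DRACULA_MESSAGE_B64)
    print("key:", key.decode(), "| message:", message.decode(errors="replace"))
```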

For those in the know, the key does have some significance. :)



Monday, October 29, 2012

NEOISF Puzzle

This year, I designed a crypto puzzle for the Northeast Ohio Information Security Forum to use at the Ohio Information Security Summit (which I unfortunately was unable to attend). I found out that no one got the answer to it, although a number of people tried.

I decided to put the puzzle up here for everyone to check out and try to solve. I don't have any prizes to give away so this is just for fun. The solution will be posted on November 1.

Also, while I'd love to hear if you solved it, please don't post the answer in the comments so others have a chance.

Dr. Van Helsing is tracking Dracula again. Using his brilliant hacking skills, he was able to break into Dracula's email account and obtained the following encrypted message.

---------------------------------------------------------------------


From: dracula@bloodbank.ro

To: renfield@sanitarium.edu
Subject: My Itinerary

eBhOXl1UGVVUGFhDEUxRUhF3UV5eGHBZV1dLWlBMUFhfGGpSUk1LXkVBGWREVVReRRY=


---------------------------------------------------------------------


Through his previous interactions, Van Helsing knows that Dracula uses an encryption program called "31337 Crypt" that utilizes a proprietary encryption protocol. He downloaded the program and typed the following into the program to be encrypted:


vampire_vampire_vampire


The result was the encrypted line of:


R1lUR1hKXGhHWVRHWEpcaEdZVEdYSlw=


Within moments Van Helsing knew what the "proprietary" encryption was and had decrypted Dracula's message. What was Dracula's message?

Good luck!


Monday, December 19, 2011

Tools and News

So first an announcement. At the beginning of December (or close to that) I left my previous position and went back to KoreLogic Security, where I will be working to start up their malware services group, amongst other things. While I am definitely missing my old co-workers, this is a good move for me. Look for some interesting posts here.

A few weeks ago I tweeted: Want to find out how good someone is? Take away all their tools and say, "Now do it.". I wanted to expand upon that because I got into a good discussion with @jwgoerlich and @rogueclown concerning it, and it's hard to really explain what you mean in 140 characters or less.

A few years ago, Harlan Carvey posted about "Nintendo forensics". This was a statement that the forensic industry was becoming more "point and click" and analysts were understanding less and less of what the tools were doing. While some signs have pointed that this is starting to become less prevalent, I believe there are still niches in security where this is either in full-force or starting to become more so.

Fast forward to the present. In the last few weeks I've been building my new work computer while analyzing malware as I get the time. Unfortunately, I do not have all the tools I am used to since I'm waiting for things to be purchased, arrive, etc. This got me thinking - how much do I rely on tools? Could I perform the analysis I needed using only what I know?

Now I realize that in information security, or IT in general, it's almost impossible to do anything without having tools. That's not my point - I'm not suggesting that we take away everyone's tools and tell them to analyze malware or perform a pen-test with nothing but a blank OS. Is it possible? I'm sure it is. Would anyone want to? Hell no!

My point was that you never really know how good you are, until you are faced with a situation when you are taken out of your comfort zone and have to rely upon your knowledge and the tools available to you at the moment. I don't always have access to a commercial version of IDA Pro. Does that mean I can't disassemble malware and analyze it? No - I just need to be flexible, use tools that I'm not as used to and use my brain just a little bit more.

I think it's a useful exercise in anyone's career to do this. Imagine for a moment that you didn't have the tool(s) you use most in your job - how would you perform your job? What alternatives are available to you, and how familiar are you with them? I'm as guilty as anyone else of relying upon specific tools, but this little exercise has helped me look and see where my weak areas are and how I can supplement them.

Perhaps I should have instead tweeted "Want to find out how good you are? Take away all your tools and say, Now do it." That seems to fit my point better.

Wednesday, November 2, 2011

Answers to the NEOISF Crypto Challenge

If you were at the 2011 Information Security Summit last week, you may have come across the Northeast Ohio Information Security Forum's booth and saw the crypto challenge I created for it.

The challenge was a series of three encoded messages, each more difficult than the last. It seemed to be popular as I had printed off 50 copies of the challenge and they were all gone by Friday morning. Only 2 people, that I know of, finished it (although more may have and just not told me).

The first encoded message was:

Olgrf Rapelcgrq Ner Yrff Rnfl!

This was a ROT13 message that when decoded changed to:

Bytes Encrypted Are Less Easy!

The second message was a bit harder.

Tymxmu Svpvwmeh sg xhp fpskwiu ms elf oej


To make it a little easier, a hint was given to use the first letter of every word from the first solution as the key. This was actually another hint that a key was even required to decode the message. The original message had been encrypted using a Vigenère cipher. Decrypting the message using the key "BEALE" would produce the following message:

Summit Overview of the booklet is the key
The final puzzle was the hardest of all. The encoded message was:

10 11 32 35 177 42 50 54 44 50 42 82 132 71 100 157 54 60 147 66 50 193 3 60 81 100 157 75 36 106

The hint for this puzzle was "Items from the first two solutions will help you figure this one out!" Each of the first two solutions gave some type of clue as to the cipher used for the last one. The first puzzle's hint was the key for the second puzzle: BEALE.

If anyone searched for BEALE, they would have eventually come across the Beale Ciphers, encoded messages that supposedly point to buried treasure. The only message successfully decoded thus far used the Declaration of Independence as a key. To decode it, you find the word corresponding to the number you are given and take its first letter. For example, if you have a 10, find the 10th word and use its first letter. When you put all of these together you get the decoded message.

This is what you would have to do in order to solve the third puzzle. But what book do you use to decipher it? That is where the answer to the second message comes in. The solution tells you to use the welcome page in the information security summit booklet. By taking the first letter of each word at the corresponding number, you would eventually get the following message:
now there are no more secrets for you
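The three stages of the challenge worked through in Python, as an added example (not the author's own code): ROT13 for the first message, the first-letter key extraction and Vigenère decryption for the second, and a Beale-style book-cipher decoder for the third. The summit booklet is not reproduced in the post, so the third stage is shown against a constructed sample text rather than the real key text.

```python
import codecs

# Ciphertexts quoted from the challenge above.
ROUND1_CIPHERTEXT = "Olgrf Rapelcgrq Ner Yrff Rnfl!"
ROUND2_CIPHERTEXT = "Tymxmu Svpvwmeh sg xhp fpskwiu ms elf oej"
ROUND3_NUMBERS = [10, 11, 32, 35, 177, 42, 50, 54, 44, 50, 42, 82, 132, 71, 100,
                  157, 54, 60, 147, 66, 50, 193, 3, 60, 81, 100, 157, 75, 36, 106]


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so decoding is the same operation as encoding."""
    return codecs.decode(text, "rot_13")


def key_from_initials(sentence: str) -> str:
    """Hint from round 1: the key is the first letter of every word."""
    return "".join(word[0] for word in sentence.split()).upper()


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Shift each letter back by its key letter; non-letters pass through
    unchanged and do not consume a key position."""
    out, i = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[i % len(key)].upper()) - ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def book_cipher_decode(numbers, book_text: str) -> str:
    """Beale-style decoding: number n selects the n-th word (1-based) of the
    book text and contributes that word's first letter."""
    words = book_text.split()
    letters = []
    for n in numbers:
        if not 1 <= n <= len(words):
            raise ValueError(f"number {n} exceeds the {len(words)} words available")
        letters.append(words[n - 1][0].lower())
    return "".join(letters)


# Constructed sample "book" for demonstrating the third stage; the real key
# text (the summit booklet's welcome page) is not available here.
SAMPLE_BOOK = "alpha bravo charlie delta echo foxtrot golf hotel india juliet"
```

Running `book_cipher_decode(ROUND3_NUMBERS, SAMPLE_BOOK)` raises ValueError because the sample text is far shorter than the booklet page; substitute the real page text to recover the final message.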

I hope that those who did this found it fun. I'd love to do another next year, but on a bigger scale. If anyone has any suggestions, I'd love to hear them!

Friday, August 19, 2011

Malware Analysis and Malicious Document Analysis Training Courses

This is a totally self-serving, marketing post. Feel free to click that little X in the upper right corner of your browser.

The Ohio Information Security Summit is coming up again from October 27-28. The conference agenda is starting to fill in and lots of great talks look to be scheduled! I will be speaking there with Greg Feezel and the NE Ohio Honeynet Project.

There will also be pre-conference training from October 24-26. There are more classes this year than last year, many of which look great!

I will be giving my 2-day hands-on Malware Analysis training course again this year. It is a 2-day course that covers the basics of malware analysis. The training is geared towards those who have never done, or performed very little, malware analysis. Plus, if you take the 2-day course, you'll get into my new 1-day Malicious Document course for free!

The Malicious Document training course I am doing for the first time this year will cover how to analyze malicious documents (duh). Specifically, I will cover malicious JavaScript, PDFs and touch on malicious Word documents. This is a 1 day course where the students will be very hands-on - analyzing malicious documents from the wild.

If you have any questions on the courses, please feel free to contact me!

Thursday, May 12, 2011

Proactive Incident Response

A little while ago Harlan Carvey posted on Proactive Incident Response. I've been thinking about this for a while, but have a different perspective on Proactive IR than he does. (I agree with his take on it, I just look at Proactive IR differently.)

Computer Incident Response Teams (CIRTs) are often referred to as fire fighters. This analogy is very true - most of the time CIRTs are fighting fires; the fire being a hacked server, a malware outbreak or a targeted phishing campaign. We're often jumping from one problem to the next, determining who got in, how they did it, what damage they caused and how to prevent it in the future. However, is that all CIRTs should be doing?

The CERT Handbook for Computer Incident Response Teams states that CIRTs should offer three different services: reactive, proactive and security quality management services. Reactive services are the fire fighting done on a daily basis. Security quality management services include project and security consulting for other business units; you know, those meetings you get pulled into where they ask you what you think. What about proactive services?

If we look back at actual fire fighters, we see that they don't just spend their time putting out fires. One of their duties is to help fire prevention through education and fire inspections. In the security world, this is analogous to doing user education, vulnerability scanning and penetration tests. This is what proactive services are. But I believe there is another aspect of proactive services that CIRTs tend to miss.

One of my co-workers has coined a term: hunting trips. This basically boils down to proactively looking around the interwebs for attackers you've seen in the past. Since attackers tend to use the same, or similar, tools and tactics, indicators of their compromises in other organizations appear if you know where to look. You can then use the new indicators you've just found to check for signs of compromise in your network.

Where can you look? Anywhere that information on security analysis can be found. This includes blogs, twitter, forums, online sandboxes, AV signature descriptions, etc. All of these places (and more) have information you can use to tie attackers to new attacks and malware they are using.

Of course, I wouldn't recommend hand-searching each of these places for information. Google is the obvious place to start, but be prepared to get back hundreds of results (at best) that are not of interest to you. I would recommend using the Google Malware Analysis Search, created by those behind the Hooked on Mnemonics Worked for Me blog, that narrows Google's search to 75 different security sites and feeds.

So, here is an example so this might actually make sense. In the last few days there has been an uptick in spammed emails that contain a link to a zip file named order.zip. Within this file is a SpyEye trojan. Analysis of the trojan shows that it drops itself as c:\recycle.bin\recycle.bin.exe (which to my knowledge is not a default location for SpyEye). This location is fairly unusual and can be a good indicator to use on a hunting trip.

Using the Google Malware Analysis custom search to look for "recycle.bin.exe", we come across a ThreatExpert report from March 2011 for the same filename being dropped for a SpyEye trojan. The TE report also shows that it attempts to contact zweor.com for its C&C server. We now have a new indicator to search our network for and to go hunting with.
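The last step of a hunting trip, checking your own network for the indicators you brought back, as an added Python example (not part of the original post). It matches the two indicators from the SpyEye case above, the dropped file path and the zweor.com C&C domain, against constructed process-creation and proxy log lines; the log formats and hostnames are made up for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators from the SpyEye example above: the dropped file path and the
# C&C domain reported by ThreatExpert.
INDICATORS = {
    "path": {r"c:\recycle.bin\recycle.bin.exe"},
    "domain": {"zweor.com"},
}

# Constructed sample logs for illustration only; not real data.
PROCESS_LOG = [
    "2011-05-11 09:12:03 host=WS042 user=jsmith image=C:\\Windows\\explorer.exe",
    "2011-05-11 09:12:07 host=WS042 user=jsmith image=C:\\RECYCLE.BIN\\recycle.bin.exe",
    "2011-05-11 09:15:44 host=WS017 user=adoe image=C:\\Program Files\\Office\\winword.exe",
]
PROXY_LOG = [
    "2011-05-11 09:12:09 WS042 GET http://zweor.com/bot/gate.php 200",
    "2011-05-11 09:12:10 WS042 GET http://www.example.org/index.html 200",
    "2011-05-11 09:13:01 WS017 GET http://cdn.zweor.com/update.bin 200",
]


def norm_path(p: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return p.strip().lower().replace("/", "\\")


def domain_matches(host: str, indicator: str) -> bool:
    """Exact match or subdomain of the indicator; 'notzweor.com' must not match."""
    host, indicator = host.lower(), indicator.lower()
    return host == indicator or host.endswith("." + indicator)


def hunt_processes(lines):
    """Return (host, image) for each process line whose image path is an indicator."""
    wanted = {norm_path(p) for p in INDICATORS["path"]}
    hits = []
    for line in lines:
        m = re.search(r"host=(\S+).*?image=(.+)$", line)
        if m and norm_path(m.group(2)) in wanted:
            hits.append((m.group(1), m.group(2)))
    return hits


def hunt_proxy(lines):
    """Return (host, url) for each proxy line whose destination is a C&C domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        dst = urlparse(parts[4]).hostname or ""
        if any(domain_matches(dst, d) for d in INDICATORS["domain"]):
            hits.append((parts[2], parts[4]))
    return hits
```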

This is a very simple scenario, but demonstrates the usefulness of performing information gathering to find additional indicators. I have a feeling most CIRTs are not doing this and would benefit greatly from setting aside time to make sure this is done.