Phishing on Skype
by mjw on Sep.30, 2008
I got this message on Skype. I haven’t seen much phishing there before, but I guess phishing anywhere is trendy now:
[7:35:01 PM] Update ® says: WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================
ATTENTION ! Security Center has detected malware on your computer !
Affected Software:
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT Server 4.0
Microsoft Windows Win98
Microsoft Windows Server 2003
Impact of Vulnerability: Remote Code Execution / Virus Infection / Unexpected shutdowns
Recommendation: Users running vulnerable version should install a repair utility immediately
Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.
http://www.registryservice.org/?q=scan
Latest Phishing Attacks
by mjw on Sep.29, 2008
Today we executed another phishing attack as part of a pen test. We did the traditional network VA and Pen Test last week with limited results (well, we did own their routers). Web apps were fairly tight, but nothing that stood out as a solid remote exploit. So the phishing exercise was important for me.
We sent out about 70 emails, had 100+ hits on the site and 10 credentials. About half the recipients were prompted with an ActiveX control. The ActiveX excited me but didn’t work. I learned after the fact that there were two problems. First, the customer used an authenticated proxy. We have some tools to get around that, but unless we expect it we usually don’t set up for it. Generally speaking you need at least SYSTEM to inject a safe process like IE to get out. Beyond that, I discovered my ActiveX control was triggering some AV products. I grabbed the implant (a PE) from the remote server but labeled it .JPG. Well, that triggered alarms and killed the transfer. Not that it matters anymore, but I wrote a quick bit of code to XOR encode files.
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 2

int main(int argc, char *argv[])
{
    char *buf, *pwd, *b, *p;
    FILE *IN;
    size_t n;
    char t;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    buf = (char *) malloc(BUFSIZE + 1);
    pwd = strdup("XORKEY");
    p = pwd;
    IN = fopen(argv[1], "rb");          /* binary mode: the input is a PE, not text */
    if (IN == NULL) {
        perror(argv[1]);
        return 1;
    }
    /* read the file a few bytes at a time and XOR every byte with the
       repeating key; the result goes to stdout, so redirect it to a file */
    while ((n = fread(buf, 1, BUFSIZE, IN)) > 0)
    {
        b = buf;
        for (size_t c = 0; c < n; c++)  /* only the bytes actually read */
        {
            if (*p == '\0')
                p = pwd;                /* wrap around to the start of the key */
            t = *b ^ *p;
            putchar(t);
            b++; p++;
        }
    }
    fclose(IN);
    free(buf);
    free(pwd);
    return 0;
}
Nothing fancy, but it gets the job done.
2005 Cyber Crime Against Businesses
by mjw on Sep.25, 2008
Security Focus is running an article about businesses hit by cyber crime in 05. Their big point is that 2/3 of businesses reported some incident. Included in the “other incident” category though are phishing/DoS/Adware/etc. My concern is more about the 33% of businesses that DIDN’T see that.
I currently have a customer that, officially, has never had a computer security incident. A pen test and log analysis proved that isn’t true, but my thought now is that the above suggests 33% of businesses have that same delusion.
Bank of America Phishing
by mjw on Sep.16, 2008
You all know I love phishing so here is a good one I saw today:
Received: from pool-68-236-35-77.phil.east.verizon.net ([68.236.35.77] RDNS failed) by mail.cyberwart.com with XYZ ; Tue, 16 Sep 2008 12:21:56 -0400
Date: Tue, 16 Sep 2008 14:34:23 +0000 (10:34 EDT)
Message-ID: <15752.ragunath@leison>
From: Bank Of America Account Support <manager#5412@bankofamerica.com>
To: XYZ@cyberwart.com
Subject: Bank of America Alert: SERVER UPDATE.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_5sGpXHhyTCKKwH"
Return-Path: manager#5412@bankofamerica.com
Attention All Bank of America Customers.
Security & Fraud Protection Update.
At Bank of America, were committed to keeping your information confidential and secure, and we take that responsibility very seriously.
Our Fraud detection solution helps to protect your business against the risk of fraudulent transactions alerting you to potential risks.
We have developed the following protection tools to insure you confidentiality.
You can download the latest security pack from our Customer Service Department>>
Sincerely, Juliana Ballard.
2008 Bank of America Corporation. All rights reserved.
The page is as follows:
ActiveX
by mjw on Sep.14, 2008
It’s become apparent that the traditional Pen Test is dying out. The pen test is evolving and is still very relevant, but the nmap, nessus, metasploit days are passing. Most enterprises now run their own Nessus scans or have 3rd party scanning vendors so traditional network remotely exploitable vulns are becoming increasingly rare. One of the ways G2 compensates is by building phishing and/or web attacks.
I was recently tasked with building an ActiveX control that loads G2insider (our remote access trojan). Surprisingly, it’s very difficult to find documentation on how to write ActiveX controls. I found the following links helpful:
- http://msmvps.com/blogs/pauldomag/archive/2006/08/16/107758.aspx
- http://dotnetwithme.blogspot.com/2007/07/activex-programming-using-visual-studio.html
There were a couple caveats for VS2008, but nothing too troubling.
Initially, I planned to move the code from G2insider to the ActiveX control. That would have been too painful though, so in the end I wrote a simple loader. The control creates an HTTP connection, pulls the file, writes it to disk, and runs CreateProcess(). Wham bam, remote access tool installed!
The next thing I want to do is find some old code I have to load a PE (executable) from a buffer into a loaded executable. That task is a little tricky, but for non-weird PEs my simple loader usually works. The benefit here is that you don’t have to write to disk.
Memories from Vegas
by mjw on Sep.13, 2008
This is embarrassing:
http://www.purethenightclub.com/reserve/includes/contacts.csv
Almost but not quite
by mjw on Aug.21, 2008
I’m into phishing attacks. I think they can be very clever and effective. So despite hating spam, when a particularly interesting attack makes it through my filters I’m interested. Here is a message I recently received:
Received: from rrcs-70-61-41-118.central.biz.rr.com ([70.61.41.118]) by XYZ.cyberwart.com with XYZ; Wed, 20 Aug 2008 16:46:16 -0400
Received: from [70.61.41.118] by vs.inext.co.jp; Wed, 20 Aug 2008 15:46:19 -0500
From: “Curtis Townsend” <xire@braintrust-art.com>
To: <XYZ@cyberwart.com>
Subject: Fedex Tracking N_ 6625268383
Date: Wed, 20 Aug 2008 15:46:19 -0500
Message-ID: <01c902db$e3389780$76293d46@xire>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000E_01C902DB.E3389780"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Importance: Normal
Return-Path: xire@braintrust-art.com
X-OriginalArrivalTime: 20 Aug 2008 20:46:24.0488 (UTC)
FILETIME=[CF540680:01C90305]
X-Evolution-Source: pop://XYZ@localhost/
This is a multi-part message in MIME format.
------=_NextPart_000_000E_01C902DB.E3389780
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Unfortunately we were not able to deliver postal package you sent on August the 1st in time
because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your FEDEX
------=_NextPart_000_000E_01C902DB.E3389780
Content-Type: application/zip; name="WD6128922.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="WD6128922.zip"
I’m waiting on a couple of FedEx packages so I almost opened it. The sad thing is that, looking at it, the details aren’t really there. They should have spoofed the sender and made it look more like a real FedEx message.
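Both lures quoted on this page (the Bank of America mail above and this FedEx one) give themselves away in the headers before you read a word of the body: the hop our own server accepted the mail from is a residential pool address with failed reverse DNS, the From domain has nothing to do with that relay, a brand name is used from a domain the brand does not own, and a zip is attached. The following is an added example, not code from the original posts: a small Python 3 triage routine that runs those checks over samples rebuilt from the quoted headers. The brand watchlist, the "residential hostname" fragments, the finding names and the attachment placeholder bytes are assumptions of this example.

```python
import re
from email import message_from_string

# Brands the two lures impersonate, mapped to the domain a real mail from
# them would carry. A small constructed watchlist for this example.
BRAND_DOMAINS = {"bank of america": "bankofamerica.com", "fedex": "fedex.com"}
# Hostname fragments that usually mean a dynamically assigned or residential
# address rather than a mail server (heuristic chosen for this example).
RESIDENTIAL_HINTS = ("pool", "rrcs", "dhcp", "dyn", "ppp", "cable", "dsl")
RELAY_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?([^)]*)\)")


def sender_facing_relay(msg):
    """(host, ip, comment) of the relay our own MTA accepted the mail from.

    Only the top-most Received header was written by the receiving server;
    every Received line below it came from the sender and may be forged.
    """
    received = msg.get_all("Received") or []
    m = RELAY_RE.search(" ".join(received[0].split())) if received else None
    if not m:
        return None, None, ""
    return m.group(1).lower(), m.group(2), m.group(3).strip()


def registered_domain(host):
    """Crude 'last two labels' rule: pool-1-2-3-4.phil.east.verizon.net -> verizon.net."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_headers(raw):
    """Return the sorted list of indicator names found in one raw message."""
    msg = message_from_string(raw)
    findings = set()
    from_hdr = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_hdr)
    from_domain = (m.group(1) if m else from_hdr).strip().lower().rsplit("@", 1)[-1]
    subject = msg.get("Subject", "").lower()

    host, _ip, comment = sender_facing_relay(msg)
    if host:
        if "rdns failed" in comment.lower():
            findings.add("relay-rdns-failed")
        if any(h in host.split(".")[0] for h in RESIDENTIAL_HINTS):
            findings.add("relay-looks-residential")
        if registered_domain(host) != registered_domain(from_domain):
            findings.add("from-domain-not-relay-domain")
    for brand, legit in BRAND_DOMAINS.items():
        mentioned = brand in subject or brand in from_hdr.lower()
        if mentioned and from_domain != legit and not from_domain.endswith("." + legit):
            findings.add("brand-lure-from-other-domain")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith((".zip", ".rar", ".exe", ".scr")):
            findings.add("archive-or-executable-attachment")
    return sorted(findings)


# Samples rebuilt from the headers quoted in the two posts (bodies shortened,
# the attachment payload replaced by placeholder bytes).
BOA_SAMPLE = """\
Received: from pool-68-236-35-77.phil.east.verizon.net ([68.236.35.77] RDNS failed) by mail.cyberwart.com with XYZ ; Tue, 16 Sep 2008 12:21:56 -0400
From: Bank Of America Account Support <manager#5412@bankofamerica.com>
To: XYZ@cyberwart.com
Subject: Bank of America Alert: SERVER UPDATE.
Content-Type: text/plain
Return-Path: manager#5412@bankofamerica.com

Attention All Bank of America Customers.
"""

FEDEX_SAMPLE = """\
Received: from rrcs-70-61-41-118.central.biz.rr.com ([70.61.41.118]) by XYZ.cyberwart.com with XYZ; Wed, 20 Aug 2008 16:46:16 -0400
Received: from [70.61.41.118] by vs.inext.co.jp; Wed, 20 Aug 2008 15:46:19 -0500
From: "Curtis Townsend" <xire@braintrust-art.com>
To: <XYZ@cyberwart.com>
Subject: Fedex Tracking N_ 6625268383
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000E_01C902DB.E3389780"

This is a multi-part message in MIME format.

------=_NextPart_000_000E_01C902DB.E3389780
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please print out the invoice copy attached and collect the package at our office.

------=_NextPart_000_000E_01C902DB.E3389780
Content-Type: application/zip; name="WD6128922.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="WD6128922.zip"

UEsDBAo=

------=_NextPart_000_000E_01C902DB.E3389780--
"""

if __name__ == "__main__":
    for label, sample in (("bank lure", BOA_SAMPLE), ("fedex lure", FEDEX_SAMPLE)):
        print(label, triage_headers(sample))
```

The point of reading only the top Received line is that it is the one line the sender could not write: everything underneath it, including the vs.inext.co.jp hop in the FedEx mail, arrived as part of the message and is only as trustworthy as the rest of it. Note that the Bank of America lure passes the brand check, because the From header really says bankofamerica.com; it is the relay checks that catch it, which is why the From header alone is a poor signal.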
by mjw on Aug.21, 2008
Not too long ago, a customer of mine had some trouble with malicious email being sent to corporate users. The emails came from outside the network, but appeared to be coordinated by an accomplice on the inside. We wanted to see if we could discover who that accomplice was, so I wrote a quick little script using Python and Scapy to monitor who is emailing whom.
#!/usr/bin/env python3
import sys
import time

try:
    from scapy.all import IP, TCP, sniff
except ImportError:
    print("scapy must be installed")
    sys.exit(1)


def net_handler(p):
    """Print timestamp, endpoints and any From/To/Subject lines seen in one packet."""
    if not (p.haslayer(IP) and p.haslayer(TCP)):
        return
    efrom = eto = esubj = ""
    t = time.strftime("%X %x")
    src = p[IP].src
    dst = p[IP].dst
    # mail headers are ASCII, so latin-1 decoding never raises on odd bytes
    msg = bytes(p[TCP].payload).decode("latin-1").split("\n")
    for line in msg:
        up = line.upper()
        if up.startswith("FROM: "):
            efrom = line[6:].strip()
        elif up.startswith("TO: "):
            eto = line[4:].strip()
        elif up.startswith("SUBJECT: "):
            esubj = line[9:].strip()
    if efrom and eto:
        print("%s, %s, %s, %s, %s, %s" % (t, src, dst, efrom, eto, esubj))


def main():
    # SMTP (25) and POP3 (110); live capture needs root or CAP_NET_RAW
    sniff(count=0, store=0, iface="eth0",
          filter="tcp port 25 or tcp port 110", prn=net_handler)
    print("finis")


if __name__ == "__main__":
    main()
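The script above greps each packet for From:, To: and Subject: lines, which is fine for a quick look at who is talking to whom, but those are precisely the header fields the phishes elsewhere on this page spoof. As an added example (not the author's script, and going a step beyond it), here is a parser for a reassembled client-to-server SMTP stream that records the envelope MAIL FROM and RCPT TO alongside the header fields, undoes SMTP dot-stuffing, handles folded header lines, and flags a domain mismatch between the envelope sender and the header From. The session text is constructed; the .test and .example names are placeholders.

```python
import re

# Constructed client half of one SMTP session, as a sniffer on tcp port 25
# would see it after TCP reassembly. Server replies are omitted.
SAMPLE_SESSION = (
    "EHLO relay.example.test\r\n"
    "MAIL FROM:<bounce-7@relay.example.test>\r\n"
    "RCPT TO:<alice@example.test>\r\n"
    "RCPT TO:<bob@example.test>\r\n"
    "DATA\r\n"
    "From: Account Support <support@bank.example>\r\n"
    "To: alice@example.test, bob@example.test\r\n"
    "Subject: Security update\r\n"
    "\trequired\r\n"
    "\r\n"
    "Please download the attached security pack.\r\n"
    "..and the line above is dot-stuffed on the wire\r\n"
    ".\r\n"
    "QUIT\r\n"
)

ADDR = re.compile(r"<([^>]*)>")


def new_message():
    return {"mail_from": None, "rcpt_to": [], "headers": {}, "body": []}


def first_addr(text):
    """Address inside <...> if present, else the bare text."""
    m = ADDR.search(text)
    return (m.group(1) if m else text).strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def finish(cur):
    """Derive the fields worth alerting on once the DATA section has ended."""
    cur["header_from"] = first_addr(cur["headers"].get("from", ""))
    cur["subject"] = cur["headers"].get("subject", "")
    # the envelope sender is what the relay actually used; the header From is free text
    cur["sender_mismatch"] = domain_of(cur["mail_from"] or "") != domain_of(cur["header_from"])
    return cur


def parse_smtp_session(stream):
    """Walk the client stream; return one dict per message with envelope and header data."""
    messages, state, last = [], "command", None
    cur = new_message()
    for raw in stream.split("\r\n"):
        if state == "command":
            up = raw.upper()
            if up.startswith("MAIL FROM:"):
                cur["mail_from"] = first_addr(raw[10:])
            elif up.startswith("RCPT TO:"):
                cur["rcpt_to"].append(first_addr(raw[8:]))
            elif up == "DATA":
                state = "headers"
        elif state == "headers":
            if raw == "":
                state = "body"
            elif raw[:1] in (" ", "\t") and last:      # folded continuation line
                cur["headers"][last] += " " + raw.strip()
            elif ":" in raw:
                name, value = raw.split(":", 1)
                last = name.strip().lower()
                cur["headers"][last] = value.strip()
        else:  # body
            if raw == ".":
                messages.append(finish(cur))
                cur, state, last = new_message(), "command", None
            else:
                # undo dot-stuffing: a leading ".." was a single "." on the sender's side
                cur["body"].append(raw[1:] if raw.startswith("..") else raw)
    return messages


if __name__ == "__main__":
    for m in parse_smtp_session(SAMPLE_SESSION):
        print(m["mail_from"], m["rcpt_to"], m["header_from"], m["sender_mismatch"])
```

Logging the envelope next to the header From is what turns the sniffer from "who is emailing whom" into "who is emailing whom, and does the relay's story agree with the message's". Feeding it requires a reassembled stream rather than single packets; how you reassemble is up to you.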
Free Tshirts at Defcon
My company will be giving out Free Tshirts at Defcon during Bob Rick’s talk. Make sure to stop by to get one!
Email Servers
by mjw on Aug.03, 2008
Despite being a hardcore Linux guy, I like all the features Exchange provides. Sure, they add attack surface, but on the whole the features make business a lot easier. Anyway, CyberWART moved our email server to Exchange and spam instantly increased. Setting up email filtering didn’t fully work out until I enabled it for SMTP — as opposed to the server in general. Since it was a bit of a pain, I thought I’d link the article:
http://technet.microsoft.com/en-us/library/bb914061.aspx
Mixing File Types
by mjw on Aug.01, 2008
I just stumbled across an interesting article about an upcoming talk at BlackHat. They dub the technique “GIFAR”: a Java file is renamed as a .gif, but it still executes as a .jar.
CyberWART and G2 have used similar techniques. One of my favorites is to create an HTML file and rename it with a .doc extension. The file will open and, if done correctly, will look exactly like an MS Word document. However, there are a couple of nice perks.
First, some HTML will still work. You can embed a hotlink to an image on the web, and the computer will automatically pull it. This is useful for SPAM and such.
Additionally, you can embed ActiveX. The ActiveX will autoexecute in the context of the localhost — which is lovely. We’ve been fuzzing those controls.
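The tricks in this post (HTML renamed .doc, the GIFAR jar-behind-a-gif) and the PE labelled .JPG that tripped AV in the "Latest Phishing Attacks" post above all have the same shape: the extension says one thing and the bytes say another, which is exactly what a gateway or analyst should be checking. Added example, not code from the posts: a Python 3 checker that classifies content by its magic bytes, compares that with what the extension claims, and looks for a ZIP end-of-central-directory record appended behind an image header. The samples are constructed toys (the "gifar" is a GIF header followed by an archive holding nothing but a manifest; the "PE" is the first bytes of a DOS stub), and the type names and the EXPECTED map are this example's choices.

```python
import io
import os
import zipfile

# Magic bytes this example recognises (all well-known, documented values).
PE_MAGIC = b"MZ"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_LOCAL = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"                          # end-of-central-directory record
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file, i.e. a real binary .doc

# What the extension claims the content should be (this example's mapping).
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".doc": "ole",
            ".zip": "zip", ".jar": "zip", ".exe": "pe"}


def sniff_type(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_LOCAL):
        return "zip"
    if data.lstrip()[:64].lower().startswith((b"<html", b"<!doctype", b"<?xml")):
        return "html"
    return "unknown"


def check_file(name, data):
    """Return a list of findings for one name/content pair (empty if consistent)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    actual = sniff_type(data)
    expected = EXPECTED.get(ext)
    if expected and actual != expected:
        findings.append("extension %s but content is %s" % (ext, actual))
    # GIFAR-style polyglot: a valid image header up front and a complete ZIP
    # (which the jar loader reads from the end of the file) appended behind it.
    # The EOCD record sits within the last 64 KiB plus 22 bytes of a valid archive.
    if actual in ("gif", "jpeg") and ZIP_EOCD in data[-65557:]:
        if zipfile.is_zipfile(io.BytesIO(data)):
            findings.append("zip archive appended behind image header")
    return findings


# Constructed samples for the cases discussed in the posts.
PE_AS_JPG = b"MZ\x90\x00\x03\x00" + b"\x00" * 58       # start of a DOS stub, named .jpg
HTML_AS_DOC = b"<html><body><p>Quarterly report</p></body></html>"
CLEAN_JPG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16


def build_gifar_sample():
    """GIF header followed by a tiny in-memory archive (a toy, not a working applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return b"GIF89a\x01\x00\x01\x00\x00\x00\x00" + buf.getvalue()


if __name__ == "__main__":
    for fname, blob in (("implant.jpg", PE_AS_JPG), ("report.doc", HTML_AS_DOC),
                        ("photo.gif", build_gifar_sample()), ("cat.jpg", CLEAN_JPG)):
        print(fname, check_file(fname, blob) or "ok")
```

The two checks are deliberately independent: the extension comparison catches the renamed-file cases (which is all the AV in the earlier post needed to do), while the trailer scan catches a file that is a perfectly valid image at the front and only becomes interesting when a different parser starts reading from the back.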
Ah Vegas
by mjw on Aug.01, 2008
Update to NOP certifications: they will be available first come
first served (sign up sheet) at the Immunity Inc. booth in the vendor
section of DEFCON. Participants can use their own tools if provided to
us on CD, or
Immunity tools will be provided. …..
….we can confirm that not only will certified NOPs at DEFCON receive
an invitation to the Sexy Hacking party, to be held in an as-yet
undisclosed location on Saturday August 9, but at the party certified
NOPS will also have the opportunity to play Hugh Jackman’s role from
the film Swordfish while sitting an advanced NOP certification test!
Select Sexy Hacking girls will be scene extras and the winners will
receive a job interview with Immunity.
A little script useful for phishing
by mjw on Jul.30, 2008
#!/usr/bin/perl -w
use strict;
use MIME::Lite;

# usage: script.pl <from address> <file with one recipient per line> <html body file>
my $src_addr = $ARGV[0];
my $tgt_list = $ARGV[1];
my $msg_file = $ARGV[2];
my $dst_addr = "";
my $msg_body = "";

# slurp the HTML body
open(MSGFILE, "<", $msg_file) or die "cannot open $msg_file: $!";
while (<MSGFILE>)
{
    $msg_body = $msg_body . $_;
}
close(MSGFILE);

# one message per line of the target list
open(TFILE, "<", $tgt_list) or die "cannot open $tgt_list: $!";
while (<TFILE>)
{
    $dst_addr = $_;
    chomp($dst_addr);            # drop the trailing newline from the address
    next if $dst_addr eq "";     # skip blank lines
    #print localtime(time);
    # create a new MIME Lite based email
    my $msg = MIME::Lite->new
    (
        Subject  => "subject here",
        From     => $src_addr,
        To       => $dst_addr,
        Type     => 'text/html',
        Encoding => 'quoted-printable',
        Data     => $msg_body
    );
    # $msg->add("Return-Path" => $src_addr);
    #$msg->attach(Type => 'image/jpeg',
    #             Path => '/Users/gnat/Photoshopped/nat.jpg',
    #             Filename => 'gnat-face.jpg');
    $msg->send();
}
close(TFILE);
Dell PE2950 IERR
by mjw on Jul.29, 2008
I recently purchased a new Dell PowerEdge 2950 as a personal R&D box… hey fuzzing in VMs and testing malware is great and I needed more horsepower. Unfortunately, when I installed CentOS 5.2 (I tried RHEL 5.2 as well) the thing would throw an IERR — specifically e1410 the error bit on the CPU after POST/Grub. I couldn’t figure out what the deal was and Dell was no help. It turned out to be the Radeon device driver. If you don’t boot into X11 or if you replace the radeon driver with generic vesa driver you’re set.
Blackhat/Defcon?
by mjw on Jul.29, 2008
Anyone going out to Blackhat/Defcon this year? I know a few of the G2 guys are. Bob Ricks is giving a talk at Defcon and George Saylor may be going. You should definitely check out his talk and send me an email if you’re going to be there.
