Labgeek's Bl0g

Computer Incident Responders Course (CIRC)

2009-07-07T00:53:07Z

Down at DC3 (dc3.mil) taking the CIRC course for two weeks in Linthicum, MD - ugggg. Class is full of Fort Bragg Army MI peeps who are barely old enough to drink beer. Apparently, after this class we are classified as Certified Digital Media Collector (CDMC), but we all know what certs really mean, nada - but I am not complaining...

Analysis of Conficker worm

2009-04-15T00:14:18Z

Saw this on the Arbor networks blog and thought I would post it as a link, excellent analysis of the conficker worm.

http://mtc.sri.com/Conficker/

Below is the abstract....

]]> Introduction

Conficker is one of a new interesting breed of self-updating worms that has drawn much attention recently from those who track malware. In fact, if you have been operating Internet honeynets recently, Conficker has been one very difficult malware to avoid. In the last few months this worm has relentlessly pushed all other infection agents out of the way, as it has infiltrated nearly every Windows 2K and XP honeypot that we have placed out on the Internet. From late November through December 2008 we recorded more than 13,000 Conficker infections within our honeynet, and surveyed more than 1.5 million infected IP addresses from 206 countries. More recently, our cumulative census of Conficker.A indicates that it has affected more than 4.7 million IP addresses, while its successor, Conficker.B, has affected 6.7M IP addresses (see SRI Appendix I: Conficker Census). Our analysis finds that the two worms are comparable in size (within a factor of 3) and the active infection size of Conficker A and B are under 1M and 3M hosts, respectively. The numbers reported in the press are most likely overestimates. That said, as scan and infect worms go, we have not seen such a dominating infection outbreak since Sasser [6] in 2004. Nor have we seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants since the Storm [4] outbreak of 2007.
Early accounts of the exploit used by Conficker arose in September of 2008. Chinese hackers were reportedly the first to produce a commercial package to sell this exploit (for $37.80) [5]. The exploit employs a specially crafted remote procedure call (RPC) over port 445/TCP, which can cause Windows 2000, XP, 2003 servers, and Vista to execute an arbitrary code segment without authentication. The exploit can affect systems with firewalls enabled, but which operate with print and file sharing enabled. The patch for this exploit was released by Microsoft on October 23 2008 [3], and those Windows PCs that receive automated security updates have not been vulnerable to this exploit. Nevertheless, nearly a month later, in mid-November, Conficker would utilize this exploit to scan and infect millions of unpatched PCs worldwide.

Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users to avoid staying current with the latest Microsoft security patches [2]. Some reports, such as the case of the Conficker outbreak within Sheffield Hospital's operating ward, suggest that even security-conscious environments may elect to forgo automated software patching, choosing to trade off vulnerability exposure for some perceived notion of platform stability [8]. On the other hand, the uneven concentration of where the vast bulk of Conficker infections have occurred suggest other reasons. For example, regions with dense Conficker populations also appear to correspond to areas where the use of unregistered (pirated) Windows releases are widespread, and the regular application of available security patches [9] are rare.

In this paper, we crack open the Conficker A and B binaries, and analyze many aspects of their internal logic. Some important aspects of this logic include its mechanisms for computing a daily list of new domains, a function that in both Conficker variants, laid dormant during their early propagation stages until November 26 and January 1, respectively. Conficker drones use these daily computed domain names to seek out Internet rendezvous points that may be established by the malware authors whenever they wish to census their drones or upload new binary payloads to them. This binary update service essentially replaces the classic command and control functions that allow botnets to operate as a collective. It also provides us with a unique means to measure the prevalence and impact of Conficker A and B. The contributions of this paper include the following:
* A static analysis of Conficker A and B. We dissect its top level control flow, capabilities, and timers.
* A description of the domain generation algorithm and the rendezvous protocol.
* An empirical analysis of infected hosts observed through honeynets and rendezvous points.
* Exploration of Conficker's Ukrainian evidence trail.
* A first look at a variant of Conficker B (which we call B++) and the implications of its binary flash mechanism.

Cell phone forensics training at DC3

2009-03-15T17:57:47Z

I am at Cell phone forensics training this week at DC3 in Linthicum, MD. The class looks really interesting and will be focusing on the operating systems associated with the main PDA devices - Palm, Windows, CE, RIM Blackberry, common cellular handsets, and a basic understanding of SIM cards. In addition, they will be talking about the hybrid versions of these devices for acquisitions and analysis. Should be a fun week....

Create statically linked dc3dd for linux

2009-02-13T02:46:03Z

Dowload dc3dd from HERE and to your /tmp dir or whatever dir you want.
cd /tmp/dc3dd-6.12.2
env CFLAGS=-static
./configure
make clean
make
cd src
ls -la
(You should see a dc3dd file in green along with the object files that were created during the compiling process)
strip dc3dd (this removes the debugging information that was created during the compilation process
file ./dc3dd - just tells you that the exe is statically linked

DoD CyberCrime Conference 2009

2009-01-25T18:19:30Z

Just got to St. Louis, MO a few hours ago ready for the DoD CyberCrime Conference. The talks look to be pretty interesting, we will see how the week goes though. The conference will be held at the St. Louis Renaissance Grand Hotel this week. Tomorrow is the classified briefings at Scott AFB so that should be interesting, supposed to have lunch with my old office-mate Dan, hopefully that will be able to happen.

Microsoft® Malware Protection Center : The new IE exploits for Advisory 961051, now hosted on pornography sites

2008-12-17T00:28:25Z

The new IE exploits for Advisory 961051, now hosted on pornography sites

Two days ago, we blogged about attacks that involve exploits of the recently discovered vulnerability in Internet Explorer. We would like to give you a quick update about these attacks.

Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability. That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50% in the number of reports today compared to yesterday.

How are the attackers managing to affect more users now? First, some legitimate web sites were maliciously modified to include the exploits. For example a popular search engine in Taiwan was found to be hosting the exploit. Luckily, that site was quickly cleaned. Secondly, we've noticed some pornography sites have started hosting these exploits too: We recently found a web site in Hong Kong that serves various content including adult entertainment. Users who hoped to watch that content, became target of those attacks: specifically, the exploit dropped trojans that we detect as Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ.

MSRC keeps their advisory updated with possible workarounds. Read carefully, see what applies to you and in the meantime, you should always exercise caution when browsing and try to go to sites that you trust.

-- Ziv Mador & Tareq Saade

Forensic tool detects pornography in the workplace | Latest Security News - CNET News

2008-11-09T22:55:42Z

Pornography in the workplace can pose a serious problem for employers because a significant amount of material is downloaded by employees during business hours.

The viewing of porn at work can result in lost time, creativity, productivity, and employer profitability. More importantly, it can help create a hostile work environment and can be considered sexual harassment, in violation of Title VII of the Civil Rights Act of 1964. Naturally, corporations want to avoid the potentially serious legal consequences and protect their bottom line.

On Sunday, Orem, Utah-based forensic-software maker Paraben plans to introduce a unique piece of enterprise software developed to detect and analyze images on workplace networks and computers for suspect content. The system looks for a number of sophisticated parameters and grades images at three levels, based upon their correlation with criteria that have been programmed into the system.

http://news.cnet.com/8301-1009_3-10084938-83.html?tag=mncol;title

BotHunter Software Distribution Page

2008-11-09T18:41:45Z

BotHunter is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter. Using an advanced infection-dialog-based event correlation engine (patent pending), BotHunter represents the most in-depth network-based malware infection diagnosis system available today.

Link to Bothunter software

OpenSSL vulnerability

2008-05-14T17:29:26Z

Just the other day, CERT announced an OpenSSL vulnerability in the random number generator used by OpenSSL and Debian and Ubuntu systems. According to the vulnerability:

A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems.  As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system.  This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.  This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian.  However, other systems can be
indirectly affected if weak keys are imported into them.

So for those who are using ubuntu like myself, you might want to update libssl and then 
regen those keys/certs.  More information can be found here.

Net Flow tool list

2008-05-14T17:25:28Z

I thought I would post a create site that keeps net flow tools up to date - http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

Some examples of the tools are the following:

FlowScan

A Perl-based system to analyze and report on flows collected by flow-tools, lfapd or cflowd, by Dave Plonka. Sample output graphs are available too, as well as Majordomo-driven mailing lists for announcements and general discussion (archive). It is currently built on Cflow.pm. User-contributed tools based on FlowScan include:

CarrierIn from Stanislav Sinyagin: which claims to be more suitable for larger ISP/Carriers
CUFlow from Matt Selsky and Johan M. Andersen at Columbia University: which is an alternative graphing tool "designed to combine the features of CampusIO and SubNetIO". Robert S. Galloway has contributed a nice howto-style document describing how it can be used.
FlowMonitor from Johan M. Andersen at Columbia University: monitors individual users' network usage against a bandwidth usage policy.
JKFlow by Jurgen Kobierczynski: A new reporting module which is highly configurable using an XML configuration file.
FlowScan+: An extension to FlowScan developed by KISTI/KAIST. Adds servlet-based visualization and support for queries for top user, AS, port, protocol, etc. This is supposed to be available under http://flowscan.kreonet2.net/, but that site doesn't seem to be responsive.

flow-tools

Similar to cflowd but implemented as a set of smaller tools, with the addition of compression of the recorded data, thus capable of recording many more flows in a given amount of disk space. See paper about its application for Intrusion Detection. There is also a mailing list for the package.
There is a short presentation called Ohio Gigapop Traffic Measurements that shows some examples on how flow-tools can be used.
The package is widely used, and there are quite a few user contributions, such as

FlowViewer: Web-interface to flow-tools. Consists of three tools: FlowViewer provides the user with web access to many of the textual and statistical flow-tools reports. FlowGrapher provides a web page with a graph of the selected flow data. These web pages can be saved. FlowTracker (introduced in FlowViewer 3.0, released in July 2006) allows the user to maintain this information long-term by creating four MRTG-like graphs. Filtered flow data is collected every five minutes and the graphs are updated. FlowTracker requires Tobi Oetiker's RRDtool package. Screenshots are available.
flow-extract: which can be used to filter flow-tools-recorded flows through user-specified tests
a set of "Inter.netPH contribs": by Horatio B. Bogbindero
some patches and a Python module: by Robin Sommer.
flow-pairs: A script that extracts lists of the highest bandwidth consumers by host and by port. Installed at UCB. Seems to have similar uses as the older MATHE system.

Net::Flow

Perl module for de- and encoding Netflow (v5/v9) and IPFIX packets.

jflow

A set of Java classes for collecting and analyzing NetFlow data. Supports Netflow versions 5 and 6, multithreaded implementation to facilitate real-time traffic accounting and analysis.

Autofocus

A traffic analysis and visualization tool that describes the traffic mix of a link through textual reports and time series plots. The underlying research is documented in a SIGCOMM 2003 paper, Automatically Inferring Patterns of Resource Consumption in Network Traffic, C. Estan, S. Savage, G. Varghese (PDF paper, PPT slides).

Wisconsin Netpy

Netpy is a network traffic analysis and visualization package developed at University of Wisconsin-Madison. This application is intended for the use of network administrators and it can help understand usage trends in your network as well as support interactive analysis of specific network events of interest. Netpy is distributed under GPL and a BDS-like license. Netpy stores NetFlow records in a local database after applying some sampling to reduce the size of the data. The analysis engine supports interactive analyses on this data where the user chooses the time interval of interest, the filtering rules to apply to the traffic and the type of analysis. The netpy console allows the user to manage the database, and perform analyses interactively or through scripts. The graphical user interface visualizes the results of the analyses accessing the database locally or remotely through a netpy server that is also part of the package.

using Digest::MD5/SHA - OO style

2008-05-04T22:07:01Z

Took this from another, larger project that I worked on and wrote something small but modular to get me the MD5, SHA1, and SHA256 values for any file I want...nothing novel (and extremely limited) here but more efficient for me and now I can have all my private functions in one customized perl module. Here are the files: filehash.tar.gz.

The package is EncryptTypes::Hash, thus your driver program called getfilehash.pl must be located in the same directory where your EncryptTypes directory sits. Within your EncryptTypes directory, Hash.pm must be located.

Something like:
...
getfilehash.pl
EncryptTypes/
Hash.pm
...
...
...

storm resources and pdfs

2008-05-02T17:24:28Z

For my documentation, here are some good sites relative to storm and its analysis:

1. http://offensivecomputing.net/
2. http://trustedsource.net/
3. http://asert.arbornetworks.com/
4. http://asert.arbornetworks.com/
5. http://honeyblog.org/
6. http://www.darkreading.com/document.asp?doc_id=151862&f_src=drdaily
7. http://www.usenix.org/events/leet08/tech/full_papers/holz/holz_html/
8. http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt
9. http://noh.ucsd.edu/~bmenrigh/storm_data.tar.bz2
10. http://www.cs.ucsd.edu/~voelker/pubs/stormspam-leet08.pdf
11. http://sudosecure.net/storm.php
12. http://www.eecs.harvard.edu/~mema/courses/cs264/papers/eclipse-infocom06.pdf
13. http://dsd.lbl.gov/Net-Mon/TALKS/SCNM1-17-02.pdf
14. https://opensvn.csie.org/mlnet/trunk/docs/overnet.txt
15. http://www.tml.tkk.fi/Publications/C/25/papers/Nummipuro_final.pdf
16. http://planete.inrialpes.fr/~perito/
17. http://www.offensivecomputing.net/papers/js-StormWorm-3-23-2008.pdf
18. http://mtc.sri.com/
19. http://www.cyber-ta.org/pubs/StormWorm/SRITechnical-Report-10-01-Storm-Analysis.pdf
20. http://www.secureworks.com/research/threats/view.html?threat=storm-worm
21. http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx
22. http://spamtrackers.eu/wiki/index.php?title=Storm
23. http://malwaredomains.com/
24. http://www.honeynet.org/papers/ff/fast-flux.html
25. http://spamtrackers.eu/wiki/index.php?title=Fast-flux

- just to name a few....I am sure there have been many more but thought I would list a few I have been to...

whoa, lemme at those spam templates

2008-04-30T21:16:26Z

Captured about an hours worth of pcap traffic and decided to pull out those notorious spam templates being sent to and from my infected bot. Will write a quick parser to pick through based on From, To, subject, User-agent, message-id - all of which are assembled within the spam template and then spoofed out using your infected bot as the spamming engine. Listed below are those spam templates from my infected vm bot, here is just one to give you an idea of what it looks like:
template1.txt

Here are the rest if you are interested in seeing all the data:
spamtemplates.tar.gz

MITRE Honeyclient project - CPAN

2008-04-29T17:25:46Z

I noticed a project I worked on published their code in CPAN located at: http://search.cpan.org/~mitrehc/HoneyClient-Manager-0.99/. To my knowledge the project integrated with Caputre-HPC to handle their real-time integrity check functionality. Additionally, if you want to find our more with the status of the project, you can visit their main site at: http://honeyclient.org/trac. If you are curious and don't know what a honeyclient is, it is " a dedicated host that drives specially instrumented applications to access remote servers to see if those servers are behaving in a malicious manner. Specifically, honeyclients can proactively detect exploits against client applications without known signatures.". Some of my work can be found here as well: http://search.cpan.org/src/MITREHC/HoneyClient-Manager-0.99/lib/HoneyClient/Manager/FW.pm
or
http://honeyclient.org/trac/browser/honeyclient/trunk/lib/HoneyClient/Manager/FW.pm

pcaplistener-v0.2.pl

2008-04-29T01:24:15Z

I added some more functionality to my homemade sniffer which now grabs all the outbound DNS packets from my infected bot. The variant I am running I grabbed from sudosecure.net, 681554faf60a96ad2fcebcee4a8e0b53 StormCodec8.exe. Some quick stats, in thirty minutes of sniffing, I grabbed 6781 unique DNS hostnames and 12383 ip address ( unique 6748 unique) going across the wire. Here is a file with the latest printout of IPs => GeoIP lookup:
042808_latest_run.txt

Here is a snippet of what hostnames I found coming from my box once infected, the file lists the hostname => # of ips it resolves to and all the IP addresses:
dnsoutputfile.txt

I have some more data but will put it up later...