Monthly Archives: May 2016

Enterprise Security Weekly #3 – Vulnerability Management

Pwnie Express secures a $12.9 million funding round, Palo Alto forms strategic partnership with HardwareSolutions, Sophos introduces a new tool to combat ransomeware, webroot introduces a new IoT Security Gateway and Paul and John discuss some of the latest topics around vulnerability management.

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode3

Transistioning

I'll be moving to a new position over the next few months, from intrusion analyst to penetration tester. As I make the transition to Red Team, I'll be posting articles and some of what I'm learning (but NetSec is ALWAYS learning something new) as well as Blue Team/intrusion analyst content.

BlackHat 2016 Classes

BlackHat 2016 is quickly approaching!  Early registration ends on Friday.  So can save a few bucks and use that to go to Defcon 2016.

This year we have decided to split our Tactical Exploitation class into the two major platforms that are covered; Windows and UNIX.  The classes are scheduled back to back.  So if you sign up for both classes you will get the same Tactical Exploitation course.

This decision came from feedback of the students who only seemed to care about one platform or another.  We believe this is a mistake since almost any enterprise environment will have both.  So for those that only want one platform, you can certainly do that.  Or if you want the original multi-platform class on our simulated enterprise environment, you can do that also.

All of our classes have a large hands-on component that we feel is essential to the learning experience and material retention.  Students must bring their own laptop, but we provide a simulated enterprise infrastructure for the class exercises and additional challenges for the more advanced students.  Many of our advanced students just love the opportunity to "play" in a fully functioning environment.

We would love for you to join us!  These classes have already sold out twice requiring us to move to bigger rooms.  But at some point we cannot grow anymore.  So sign up NOW!  Save some money and reserve your spot!




The Day the Earth Stood Still for CryptoWall

It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the next level. Early ransomware used file sharing sites to upload infected files disguised as a normal file that could be downloaded by anyone. Once downloaded, it would run through the user’s machines and start encrypting the user’s data or locking their machines. So how did the CryptoWall evade our traditional defender – antivirus? We’ll break down just how CryptoWall did it:

ACT I: Setting the Stage

Communication is the most common tool in any business today. CryptoWall authors have been scraping the Internet for any published company email addresses (usually available via marketing sites) to use as the entry point of the attack. These sourced email addresses are then blasted with phishing emails. These phishing emails are crafted in a way that makes the receiver think it’s an important email and should be read and understood properly. They usually contain a link to a direct download or a file attachment of CryptoWall – unbeknownst to the user. The encryption starts when the user clicks.

Here is the sample of a ransomware-laced email disguised as a booking.com email:

Booking.com email example

Booking.com email example

ACT II: The Latest CryptoWall 4.0 Disassembled

CryptoWall  4.0

Md5: e73806e3f41f61e7c7a364625cd58f65

On the initial infection, the sample resolves the addresses of all the API functions that it needs to call later. This is done by means of a list of hashes, one for the name of every API call. This way the malware does not have to use an import table or store API names directly as strings.

Next, the malware gathers the following system information:

  • ComputerName
  • UserName
  • SystemDrive serial number
  • CPU INFO (using PROCESSOR_IDENTIFIER)
  • Number of CPUs (using PROCESSOR_Level)
  • Revision Number of CPU (using PROCESSOR_REVISION)
  • OS Major version
  • OS Minor version
  • IsWow64
  • Keyboard Layout

Among the loaded modules are DLLs related to Windows Crypto API (CRYPTSP), Windows 7 Enhanced Cryptographic Provider (RSAENH). This suggests that the malware is going to perform some cryptographic operations.

Figure 2

 

It will create the md5 hash of the victims PC using the above system information by using the following API sequence:

  • CryptAcquireContext
  • CryptCreateHash ; Algorithm ID = CALG_MD5 0x00008003, hash key: nonkeyed algorithm (0)
  • CryptHashData
  • CryptGetHashParam

Example:

Example 1

Example 2

Example 3

The malware will inject code in a newly spawned child process – Explorer.exe – using the following APIs:

  • ZwCreateSection
  • ZwMapViewOfSection
  • ZwAllocateVirtualMemory
  • ZwWriteVirtualMemory
  • ZwProtectVirtualMemory
  • ZwQueueApcThread
  • ZwResumeThread

It will create a copy of the original file in the %APPDATA% folder and create AutoStart Registry entry.

The injected code will be responsible for disabling system protection, as well as deleting all the system shadow copy and injecting code in a newly spawned process, svchost.exe.

Deleting shadow copies

Deleting shadow copies, allowing the malware to disable file recovery services.

 AV Limitations:

– Emulation TimeOut

Disable system restore

Disable system restore

Execution continues in the svchost.exe process.  This process formulates the commands needed to communicate with the C&C server. It will also gather the above system information and generate an md5 hash of the victims PC that will be used in communicating with the C&C server.

Some of the C&C servers:

C&C servers

C&C servers

The network communication is using HTTP, but with an encrypted payload. It will try to establish a connection in one of the following I2P proxy through I2P URLs. Once it succeeds, it will send a POST request with the encoded string request.

Figure 3

CryptoWall stores the following information inside a configuration file:

  • Received public key binary data
  • TXT
  • HTML
  • PNG

The last three files will be written in each folder of the victim’s system after the file-encryption process.

  • Normal file behavior
  • Payload after multiple layers of encryption

ACT III: “It’s like I left my keys inside my car”

If you’ve ever locked your keys inside your car, you know how irritating it feels. You know where they are, but you can’t do anything about it and you have to pay a locksmith to open it for you – or get real crafty with a wire coat hanger. Ransomware is a lot like that: Your most precious information and data has been held for ransom, and there is a chance that it could be released to the public – and you have no way to stop it.

HELP_YOUR_FILES.HTML

HELP_YOUR_FILES.HTML

Once CryptoWall has finished encrypting your files, it will launch the ransom notes that explain what happened and how to purchase the decrypter.

For an even deeper dive into CryptoWall, check out our analysis of CryptoWall 4 here.

ACT IV: Finding Solutions to Guard Against Ransomware

The bright spot in all this is that, if you can see the trend of the infection, there are lots of points where we can actually stop CryptoWall.

The first stop is via email. Advanced email defense solutions designed to catch malware that evades traditional defenses is a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop CryptoWall from encrypting and taking the data from you.

The next defense is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.

The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.

Heavy Obfuscation != Malicious

Malicious actors use obfuscation to evade detection, but programmers use it also for various reasons, like restricting reuse or bypassing ad blockers. Obfuscation should increase your attention to an alert, but it's not always indicative of hostile activity.

Here's an example.

IDS triggered on a rule for a common exploit kit, specifically on an eval statement. The code was:
(function(){var z="";var b="2866756e6374696f6e28297b66756e6374696f6e20682865297b7472797b636f6f6b696541727261793d5b5d3b666f722876617220623d2f5e5c733f696e6361705f7365735f2f2c643d646f63756d656e742e636f6f6b69652e73706c697428225c78336222292c633d303b633c642e6c656e6774683b632b2b296b65793d645b635d2e73756273747228302c645b635d2e696e6465784f6628225c7833642229292c76616c75653d645b635d2e73756273747228645b635d2e696e6465784f6628225c78336422292b312c645b635d2e6c656e677468292c622e74657374286b657929262628636f6f6b696541727261795b636f6f6b696541727261792e6c656e6774685d3d76616c7565293b636f6f6b6965733d636f6f6b696541727261793b646967657374733d417272617928636f6f6b6965732e6c656e677468293b666f7228623d303b623c636f6f6b6965732e6c656e6774683b622b2b297b666f722876617220673d652b636f6f6b6965735b625d2c633d643d303b633c672e6c656e6774683b632b2b29642b3d672e63686172436f646541742863293b646967657374735b625d3d647d7265733d652b225c7832635c7836345c7836395c7836375c7836355

;for(var i=0;ieval(eval('String.fromCharCode('+z+')'));})();


Changing the eval to print, and running it through Rhino, we get this:

[jstebelton@bwyissrv05 ~]$ rhino 10
(function(){function h(e){try{cookieArray=[];for(var b=/^\s?incap_ses_/,d=document.cookie.split("\x3b"),c=0;cres;g=new Date;g.setTime(g.getTime()+2E4);document.cookie="\x5f\x5f\x5f\x75\x74\x6d\x76\x63\x3d"+e+("\x3b\x20\x65\x78\x70\x69\x72\x65\x73\x3d"+g.toGMTString())+"\x3b\x20\x70\x61\x74\x68\x3d\x2f"}function l(e){for(var b=[],d=0;d"\x3d"+k)}break;case "\x76\x61\x6c\x75\x65":try{b[b.length]=encodeURIComponent(c+"\x3d"+eval(c).toString())}catch(h){b[b.length]=encodeURIComponent(c+"\x3d"+h)}break;case "\x70\x6c\x75\x67\x69\x6e\x73":try{p=navigator.plugins;pres="";for(a in p)pres+=(p[a].description+"\x20").substring(0,20);b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x73\x3d"+pres)}catch(l){b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x73\x3d"+l)}break;case "\x70\x6c\x75\x67\x69\x6e":try{for(i in a=navigator.plugins,a)if(f=a[i].filename.split("\x2e"),2==f.length){b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x3d"+f[1]);break}}catch(m){b[b.length]=
encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x3d"+m)}}}return b=b.join()}var m=[["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x76\x65\x6e\x64\x6f\x72","\x76\x61\x6c\x75\x65"],["\x6f\x70\x65\x72\x61","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x61\x70\x70\x4e\x61\x6d\x65","\x76\x61\x6c\x75\x65"],["\x70\x6c\x61\x74\x66\x6f\x72\x6d","\x70\x6c\x75\x67\x69\x6e"],["\x77\x65\x62\x6b\x69\x74\x55\x52\x4c","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x70\x6c\x75\x67\x69\x6e\x73\x2e\x6c\x65\x6e\x67\x74\x68\x3d\x3d\x30","\x76\x61\x6c\x75\x65"],["\x5f\x70\x68\x61\x6e\x74\x6f\x6d","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"]];try{h(l(m)),document.createElement("\x69\x6d\x67").src="\x2f\x5f\x49\x6e\x63\x61\x70\x73\x75\x6c\x61\x5f\x52\x65\x73\x6f\x75\x72\x63\x65\x3f\x53\x57\x4b\x4d\x54\x46\x53\x52\x3d\x31\x26\x65\x3d"+Math.random()}catch(n){img=document.createElement("\x69\x6d\x67"),img.src="\x2f\x5f\x49\x6e\x63\x61\x70\x73\x75\x6c\x61\x5f\x52\x65\x73\x6f\x75\x72\x63\x65\x3f\x53\x57\x4b\x4d\x54\x46\x53\x52\x3d\x31\x26\x65\x3d"+
n}})();

We have hex encoding as the output of the function, so we can use a hex decoder to get the final output:

encodeURIComponent("plugin="+m)}}}return b=b.join()}var m=[["navigator","exists_boolean"],["navigator.vendor","value"],["opera","exists_boolean"],["ActiveXObject","exists_boolean"],["navigator.appName","value"],["platform","plugin"],["webkitURL","exists_boolean"],["navigator.plugins.length==0","value"],["_phantom","exists_boolean"]];try{h(l(m)),document.createElement("img").src="/_Incapsula_Resource?SWKMTFSR=1&e="+Math.random()}catch(n){img=document.createElement("img"),img.src="/_Incapsula_Resource?SWKMTFSR=1&e="+
n}})();

Incapsula is a DDoS protection security vendor.

Enterprise Security Weekly #1 – Threat Hunting

Paul and John Strand begin a new series here on Security Weekly. They delve into Threat Hunting, FireEye, Tripwire IP360, and much more. Check this prime OG Episode of Enterprise Security Weekly!

Security Weekly Web Site: http://securityweekly.com Follow us on Twitter: @securityweekly

Leaping Forward – Telling the Story of How InfoSec Has Matured into Cyber Risks

Readers of this blog know that I've spent nearly the past decade curating some of the best quotes about information security and related topics. What started as a self-serving repository of good material for my own use eventually grew into this blog. I owe a big thank you to all of those who, over the course of the years, have shared this site with others around them.

However, in the past year, I have to admit that I've been much more active on a different blog, that of the IBM sponsored SecurityIntelligence blog. Which brings me to this post.

Just this week, the IBM site published my 30th article, "Five Signs the CISO Who Got You Here Isn’t the Best One to Get You There," whose topic relates nicely to the evolution of the field of information security -- let's admit, security was never really just an IT issue -- and the evolution of the role of CISO.

Just as businesses have had to evolve in order to thrive, or even just to survive, so must we evolve, as information security professionals, in the face of a changing reality. We now have the attention that we've been asking C-Suite executives and board directors for. We must now step up to fulfill this new role, to meet these new expectations. The stakes are high -- businesses everywhere are getting hammered by attackers, some after a quick buck, others after the company's crown jewels.

In pitching and developing these 30 articles, I've always sought to bring value to the reader, primarily aimed at CISOs or aspiring CISOs. I'm including below the full set of links to these 30 articles (in ascending chronological order). And since IBM's blog doesn't allow for comments, I'm inviting readers everywhere to leave comments on this post instead.

Again, thank you for your support, and for your readership.


As an Information Security Professional, Are You Having the Right Conversations?
Improving Your Security Awareness Campaigns: Examples From Behavioral Science
Cyber Risks: From the Trenches to the Boardroom
CISO Influence: The Role of the Power Distance Index and the Uncertainty Avoidance Dimensions
How Helping Educators Is Good for the Cybersecurity Industry
Addressing the Information Security Skills Gap in Partnership With Academia
Why Is Your Board of Directors Finally Asking About Cyber Risks?
What Cybersecurity Questions Are Boards Asking CISOs?
Five Must-Read Articles on the Cybersecurity Skills Gap
What Can CISOs Take From the New NYSE Cybersecurity Guide?
How Are US Armed Forces Closing the Cyber Skills Gap?
How Should CISOs Report Cyber Risks to Boards?
Beyond Tech Skills: Leadership Qualities for CISOs
Get the Most Out of Your Recent Security Hires With Soft Skills
Get the Most Out of Your Recent Security Hires: The Value of Professional Development
New Year’s Resolutions for the Effective CISO
Cyber Risks: Three Areas of Concern for 2016
Highlights From the World Economic Forum’s Global Risks Report 2016
2015: The Year Feds Warned About Cyber Risks
Is Your CISO Ready to Be a Risk Leader?
Is Your CISO Out Of Place?
FTC Studying Practices of Nine PCI Companies
C-Suite Dynamics Can Impact The Organization's Cybersecurity
It's Not Too Late to Correct Your Security Posture
Securing the C-Suite, Part 1: Lessons for Your CIO and CISO
Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs
Securing the C-Suite, Part 3: All Eyes on the CEO
Engaging Conversations Key to Improving Cyber Risk Decisions
How to Make the Most of Your Pen Test
Five Signs the CISO Who Got You Here Isn't The Best One To Get You There

CVE-2016-4117 (Flash up to 21.0.0.213) and Exploit Kits




Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash 21.0.0.242, CVE-2016-4117 is making its way to Exploit Kits.

Magnitude :
CVE confirmed by FireEye - Thanks !
On 2016-05-21 Magnitude is firing an exploit to Flash up to 21.0.0.213.

Magnitude firing exploit to Flash 21.0.0.213 - 2016-05-21
For now i did not get exploitation in the different pass i tried but in the Flash exploit we can see some quite explicit imports :

 import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;

Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperation

Spotted sample :  f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0a
Fiddler sent here.
Updates to come as it appears to be a work in progress.

Neutrino :
2016-05-23
Spotted by Eset.

2016-05-23 Neutrino successfully exploit CVE-2016-4117 on Flash 21.0.0.213 and drop here CryptXXX
Sample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8
Fiddler sent here (Password is malware)
Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXX

Angler EK:
2016-05-23
CVE identification by Henri Nurmi from F-Secure. Thanks !
Angler EK successfully exploit Flash 21.0.0.213 on 2016-05-23 dropping Dridex

Sample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2
Fiddler sent here
Out of topic payload  : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902
Most likely Dridex 123 targeting Germany based on distribution path.

Sundown :  [3]
2016-08-27

Sample in that pass : cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6 

Fiddler sent here  (password : malware)

Read More:
[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye
[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - TrendMicro
[3] Sundown EK – Stealing Its Way to the Top - 2016-09-02 - Spiderlabs

Understanding the Latest Version of Locky Ransomware

It is one of the most prevalent spam malware in the wild today: Locky ransomware. The Locky malware authors started their campaign last year but didn’t become very active until January 2016 – and they haven’t slowed down since.

Locky e-mails usually come in with an attached zip archive and once extracted may contain a document or JavaScript. The Locky ransomware we discovered included a JavaScript that will potentially download and run an executable. The executable is the focal point of this analysis and the latest version of the Locky ransomware.

Locky spam email

The spam email sent by the malware authors.


Basic Infection Flow and File Hashes:

  • 1582A0B6A04854C39F8392B061C52A7A – The .zip attachment
  • 59D2E5827F0EFFE7569B2DAE633AFD1F – The JavaScript extracted from the .zip
  • F79C950FA3EFC3BB29A4F15AE05448F2The Locky executable downloaded by the Javascript
Basic infection and file hashes

Basic infection and file hashes

Indications of Compromise:

It is fairly easy to find out if a machine is infected by Locky. The image below shows the desktop background of a compromised Windows XP machine.

Desktop of a Locky-infected computer

Desktop of a Locky-infected computer

 

The files that have been encrypted by the ransomware are named with the extension “.locky” and their names start with the personal ID for the infected user – in this case “8B74B4AA40D51F4A,” an MD5 hash. There is also a text file named “_HELP_instructions.txt” that contains the same message displayed in the desktop background.

Locky files

Locky files

Locky creates an encrypted user-specific registry key at HKCU\Software. The details about the registry values will be discussed later on in this post. The key created was “8W21gQe9WZ3tc.

 

Encrypted user-specific key

Encrypted user-specific key

 

Payment Instructions

The user is instructed to install TOR browser to access the payment webpage – shown below. The victim must have a bitcoin wallet to send 1.5 bitcoin to the specified bitcoin address.

Payment page for Locky ransomware

Payment page for Locky ransomware 

A Look at the JavaScript 59D2E5827F0EFFE7569B2DAE633AFD1F

The JavaScript is straightforward. The following lines are visible once opened in a text editor:

JavaScript 1

JavaScript 1

The Javascript downloads via GET command from http://goldish[dot]dk/o2pds and executes it in %Temp%. The executable will not run properly if not located in a %Temp% folder.

In-Depth Analysis of the Executable F79C950FA3EFC3BB29A4F15AE05448F2

Just like other malware families such as Upatre, Dridex and Crypto, the real Locky executable is wrapped by some encryption routines to avoid signature-based detections. The last step of the unwrapping process is to decompress the executable by using RTLDecompressBuffer API. We’ve seen this same method before from Upatre and Necurs rootkit downloaders.

RTLDecompressBuffer API

RTLDecompressBuffer API

 

The MD5 of the unwrapped Locky executable analyzed is F35D01F835FC637E0D9E66CD7E571C06.

The first step of the executable is to decrypt the following CnC Server IP addresses.

CnC Server IP addresses

CnC Server IP addresses

 

The executable retrieves the Windows directory by the API GetWindowsDirectoryA. Then it will be used as a parameter for the API GetVolumeNameForVolumeMountPointA. This Function retrieves the volume GUID path associated with the machine’s Windows folder.

Windows directory

Windows directory 

This GUID will serve as the initial basis of the Locky ransomware for the unique ID of the user.

First, GUID be used by the executable for the API CryptHashData.

API CryptHashData

API CryptHashData

For The executable to obtain the unique ID – “8B74B4AA40D51F4A” – for the machine, it will use the API CryptGetHashParam to get the unique ID associated with the GUID. It is visible at the first 8 Bytes at the hex dump.

API CryptGetHashParam

API CryptGetHashParam

 

This unique ID is correlated with the new registry key of this version of Locky. The ID will be converted by a checksum to string routine implemented by the executable to obtain a string that will be used as its registry key.

For this new version, these particular set of instructions explain why the new registry key is “8W21gQe9WZ3tc” instead of “Locky,” used before in the older versions.

New registry key

New registry key 

CnC Communication

The Locky executable sends a “POST” request to “http://<IP/Domain>/submit.php” by the following commands and parameters:

Commands Parameters (Remove the <>)
&act=getkey&affid= id=<>,&lang=<>,&corp=<>,&serv=<>,&os=<>,&sp=<>,&x64=<>
&act=gettext&lang= id=<>
&act=stats&path= id=<>,&encrypted=<>,&failed=<>,&length=<>

An example of parameters for Command &act=getkey&affid=: (Not Encrypted Form)

id=8B74B4AA40D51F4A&act=getkey&affid=1&lang=en&corp=0&serv=0&os=Windows+XP&sp=3&x64=0

These commands will be sent to the CnC server in encrypted form via the API HttpSendRequestA. The executable also receives an encrypted reply via the API InternetReadFile.

CnC server commands

CnC server commands

 

After sending the getkey command to the CnC, the executable will decrypt the encrypted message and getkey command it received the public RSA key. The image below shows a part of the decryption routine. The public RSA key is at the ASCII dump.

Decryption routine

Decryption routine 

Saving The Public Key in the User’s Machine

The executable will encrypt the public RSA key and its checksum will be converted to a string equivalent – just like how the registry key was created. It will be stored as a binary value in its registry key at HKCU\Software. The value name is “270CwQa9XuPIc7.”

Encrypting public RSA key

Encrypting public RSA key

A Message to the User

Then it will send the CnC command “&act=gettext&lang=.” This will retrieve the Locky ransomware message equivalent to the desktop background image.

Locky ransomware message

Locky ransomware message

 

Once again, just like the public RSA key, this message will be encrypted, stored to a binary value in the HKCU\software registry key created by the executable. The message is equivalent to the registry value “7CaY397p5R.”

Gathering the Drives, Network Resources and Files to Encrypt

Network Shares and Resources:

The executable used a routine consisting of APIs WNetOpenEnumW, WNetEnumResourcesW, WNetAddConnection2 and WNetCloseEnum to parse through these three types of resources:

  • #define RESOURCE_CONNECTED 1
  • #define RESOURCE_GLOBALNET 2
  • #define RESOURCE_REMEMBERED 3

The usage of NetResource Parsing Routine for different types of resources:

NetResource Parsing Routine

NetResource Parsing Routine

Upon enabling a shared folder for the machine under analysis, the image shows that the executable will connect to the shared folder so it can encrypt the files in the shared folder later on.

Encrypting files in the shared folder

Encrypting files in the shared folder

The executable then uses the APIs GetLogicalDrives and GetDriveTypeW to gather the possible drives to encrypt. In this case, it obtained the “C:\” drive.

Encrypting the C:/ drive

Encrypting the C:/ drive 

The last step is to spawn the thread that will encrypt the files per folder in the drives and resources that were gathered.

Final step in the Locky ransomware process

Final step in the Locky ransomware process

 

Deleting the Shadow Copies to Prevent Data Restoration

The next step for the executable is to delete the shadow copies by running this command:

“vssadmin.exe Delete Shadows /All /Quiet”

Other Ransomwares, including Crypto, has used this same command.

The File Encryption Process – the Thread Spawned

The first step in this phase is to parse the directories and files of the machine. The executable allocates a memory space as a structured reference for the files to be encrypted.

White List Check

While parsing the directories of the machine, it will check the file name of each file against the following set of white list strings. File names that have one of the “ff.” strings will not be encrypted.

  • @_HELP_instructions.bmp, _HELP_instructions.txt, _Locky_recover_instructions.bmp, _Locky_recover_instructions.txt, tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

Black List Check

The Locky executable also checks the extension of the file to be encrypted. If the file has one of the “ff.” extensions, it will be encrypted.

  • .001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aes, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .db, .dbf, .dch, .dif, .dip, .djv, .djvu, .docb, .docm, .docx, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .js, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .ms11 (Security copy), .n64, .odb, .odg, .odp, .ods, .odt, .onetoc2, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .pptm, .pptx, .psd, .pst, .qcow2, .rar, .raw, .rb, .sch, .sh, .sldm, .sldx, .slk, .sql, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, wallet.dat (filename specific)

API and Function-Level Overview of the File Encryption Process:

The Locky ransomware’s claim that it uses AES and RSA is basically true. It used Crypto APIs during the encryption process, including CryptGenRandom and CryptEncrypt. It also had two functions in this process that used the instructions “aesenc” and “aeskeygenassisst.

API overview

API overview

Dissecting the Last 0x344 Bytes of an Encrypted Locky File

In the image below, the last 0x344 bytes are being written at the end of file. The first four bytes are hard coded by the executable. We believe this is some sort of an identifier for the Locky ransomware authors for the version that encrypted the user’s files.

Hard-coded 0x8956FE93

Hard-coded 0x8956FE93

 

Writing to the file

Writing to the file 

The Next 0x10 bytes are obviously the unique ID of the user. The next 0x100 bytes are the output of the CryptEncrypt API. The last 0x230 bytes are from the AESENC function mentioned from the encryption flow before.

Finalizing the Infection

The executable will generate the “_HELP_instructions.txt” file for every folder path where it encrypted a file. It will also generate an equivalent Bitmap image for the instructions and store it so it becomes the user’s desktop background.

The executable will then send another actioncalled “stats” – to the CnC server:                  id=8B74B4AA40D51F4A&act=stats&path=c%3A&encrypted=1&failed=0&length=5912

Path = the infected Drive “C:\”

Encrypted = True

Failed = false

Length = number of files

The last step is to create the last encrypted registry value. It is equivalent to the previous version “Completed = Yes.” This completes the details about the three encrypted registry values.

Last step of the encryption process

Last step of the encryption process

 

The analyzed executable also had the domain generation algorithm, which has been known to exist for the Locky ransomware since its existence last year. It will be used by the executable if it cannot receive a response from the initially decrypted IP addresses.

How to Mitigate

Using ThreatSecure products, it is possible to block the ransomware executable from downloading. The image below shows ThreatSecure Network detecting the malicious download via the GET procedure.

 

ThreatSecure in action

ThreatSecure in action 

Prior to opening an e-mail attachment, the customer can use ThreatTrack’s dynamic malware analysis sandbox product – ThreatAnalyzer – to determine if the file is malicious. ThreatAnalyzer logs its output in a file named “analysis.xml.” By looking at this output, you can tell it has seen the executable’s ransomware behaviors (IoCs).

Stored and Encrypted Files to .locky:

The sandbox detects that the files were encrypted, and the “Help Instructions” text file was also generated.

Help instructions text file

Help instructions text file 

Network capture of Communication to CnC via post command to the CnC Server IP:

An outgoing connection is being initiated by Locky.

Network capture of communication to CnC

Network capture of communication to CnC

 

Process capture of Vssadmin.exe execution, deleting all backups:

Process capture of Vssadmin.exe execution

Process capture of Vssadmin.exe execution

Setting an encrypted registry value “4Y0743Ngl” at HKCU\software:

Prior to file encryption, Locky enumerates the network resources of the machine, which can also be encrypted. ThreatAnalyzer was also able to see this behavior:

Locky enumerating network resources

Locky enumerating network resources

 

As shown here, advanced threat defense products like those used here help avoid ransomware infection. The advanced solutions catch the emerging threat before it can do any damage.

What’s more, the sandbox capabilities of ThreatAnalyzer also showed that it can log indications of compromise and potential malicious activities once a user accidentally opens the attachment – one more way users are guarded against increasingly popular ransomware attacks.

The post Understanding the Latest Version of Locky Ransomware appeared first on ThreatTrack Security Labs Blog.

Read My Lips: Let’s Kill 0Day

0day is cool.  Killing 0day, sight unseen, at scale — that’s cooler.

If you agree with me, you might be my kind of defender, and the upcoming O’Reilly Security Conference(s) might be your kind of cons.

Don’t get me wrong.  Offense is critical.  Defense without Offense is after all just Compliance.  But Defense could use a home.  The Blue Team does not always have to be the away team.

So for quite some time, I’ve been asking Tim O’Reilly to throw a highly technical defensive security event.  Well, be careful what you wish for.  I actually keynoted his Velocity event with Zane Lackey a while back, and was struck by the openness of the environment, and the technical competence of the attendees.  This is a thing that would be good for Defense, and so I’ve taken the rare step of actually joining the Program Committee for this one,  CFP’s for NYC & Amsterdam are still open (but not for much longer!).  How would you know if this is your sort of party?

NIST’s SAMATE project has been assembling this enormous collection of minimized vulnerability cases.  They’re just trying to feed static analyzers, but if you’re filled with ideas of what else is possible with these terabytes of goodies – this is your con.

Researchers at Stanford instrumented the IDE’s of students, and watched how early failures predicted later ones.  Can we predict the future authorship of security vulnerabilities?  In what ways do languages themselves predict failures, independent of authors?  If this interests you, this is your con.

If you’re in operations, don’t feel left out.  You’re actually under attack, and you’re actively doing things to keep the lights on.  We want to know how you’re fighting off the hordes.

We live in a golden age of compilers actually trying to help us (this was not always the case).  Technologies like Address Sanitizer, Undefined Behavior Sanitizer, Stack Protection / /GS along with the Microsoft universe of Control Flow Guard and the post-Boehm-ish MemGC suggest a future of much faster bug discovery and much better runtime protections.  Think you’ve got better?  Think you can measure better?  Cool, show us.

Or show us we’re wrong.  Offensive researchers, there are better places for you to demonstrate the TLS attack of the hour, but if you haven’t noticed, a lot of defensive techniques have gotten a “free pass”, E for effort, that sort of thing.  There’s a reason we call ‘em sandboxes; they’re things kids step into and out of pretty freely.  Mitigations not living up to their hype?  Security technologies actually hosting insecurity?  Talk to a bunch of people who’d care.

We’re not going to fix the world just by blowing things up.  Come, show us your most devious hacks, let’s redefine how we’re going to defend and fix the Internet.

Subtee regsvr32 sct with metasploit web delivery

So I put this out on twitter but failed to document it for historical reasons/find it when I need it.

I was able to replace the PoC payload with the payload from Metasploit's web delivery and it worked just fine.

original PoC here: https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302#file-backdoor-sct

Below we can see the replaced payload:

...and receiving the shell after running the command from the command line:


Excellent Manual Javascript Deobfuscation Walk through

Security Researcher Aditya K Sood posted an excellent walk through of manual Javascript Obfuscation on his log, Malware At Stake (http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html).

Saturday, April 7, 2012

JavaScript Obfuscation - Manual Armor (1)

Recently, we came across a similar set of obfuscated JavaScripts that are being used continuously in conjunction with automate Browser Exploits Packs (BEPs) such as BlackHole etc. There are several variations of this type of obfuscated JavaScript. Our team prefer to do obfuscation manually because sometimes automated tools are not good enough to perform the deobfuscation. In this post, we are going to discuss about the methodology that  we prefer to follow at SecNiche labs. Let's take a look at the obfuscated JavaScript shown below



















The methodology  goes like this:

Step1: Beautify Your JavaScript: 
The very first (basic) step is to beautify the obfuscated JavaScript. For analysis perspective, beautifying the
code such as appropriate indentation makes it very easy to decipher the initial structures in the JavaScript. 
Always do this step before proceeding further.

Step 2: Divide and Rule
This strategy works perfectly fine while analyzing obfuscated JavaScripts. The motive behind this step is to a
analyze the code in small snippet for better grasp.

Applying step 1 and step 2 to the given JavaScript code,  we get part 1 of the code as follows


and part 2 of the code as follows


In part 2, to interpret the given code as single string , one has to use characters ["" +]. Even for doing 
automated analysis, these parameters are required to be tuned so that appropriate interpretation of the string 
can be done. Check the string passed to variable "n".

Step 3: Extract the Logic 
On the modular code (divided code snippets), try to apply the logic step by step (top to bottom). When we
compute the value of "h" we get : h=-2*Math.log(Math.E);   //     h = -2      //

The next logic is to compute the value of "n" first. We have the n="[string]".split("a"), which means we have 
to split the string. By default, split function actually dissects the string n by a delimiter ",". We tweak the code
a bit as presented below:

On executing this code in JavaScript interpreter we get the output as follows,

At this point, we successfully unwraps some part of code by having the value of h and n. Now, we have to 
dissect the loop present in the part 2 as follows

for(i=0;-n.length<-i br="" i="">        {
            j=i;
            ss=ss+s[f](-h*(1+1*n[j]));
        }

   
    if(1)q=ss;
    if(s)e(q);

To compute the code finally, we need to unwrap the logic used in the loop. Step 4 involves the automation of 
the code.

Step4: Automating the Process - Python
In step 4, we need to automate the process to get the next value of the string. On understanding the logic, we
write a following python script to compute the loop


The code actually multiply the every single value by 2 and build up the new string. So, we are almost at the 
end. So we need to build up the final code as presented below


So here we have the final script as follows
A good methodology always  helps to attain the target.

Security Weekly #463 – Interview with Ferruh Mavituna, CEO of Netsparker

Do you want to know the inside scoop of Netsparker? Listen to us interview Ferruh Mavituna, who has been in the security industry for well over a decade and his ambition to ease the process of automatically detecting web application vulnerabilities led him to build Netsparker, and pursued it to the point of commercial reality. Ferruh is also Netsparker’s Product Architect.

The Cryptographically Provable Con Man

It’s not actually surprising that somebody would claim to be the creator of Bitcoin.  Whoever “Satoshi Nakamoto” is, is worth several hundred million dollars.  What is surprising is that credible people were backing Craig Wright’s increasingly bizarre claims.  I could speculate why, or I could just ask.  So I mailed Gavin Andresen, Chief Scientist of the Bitcoin Foundation, “What the heck?”:

What is going on here?

There’s clear unambiguous cryptographic evidence of fraud and you’re lending credibility to the idea that a public key operation could should or must remain private?

He replied as follows, quoted with permission:

Yeah, what the heck?

I was as surprised by the ‘proof’ as anyone, and don’t yet know exactly what is going on.

It was a mistake to agree to publish my post before I saw his– I assumed his post would simply be a signed message anybody could easily verify.

And it was probably a mistake to even start to play the Find Satoshi game, but I DO feel grateful to Satoshi.

If I’m lending credibility to the idea that a public key operation should remain private, that is entirely accidental. OF COURSE he should just publish a signed message or (equivalently) move some btc through the key associated with an early block.

Feel free to quote or republish this email.

Good on Gavin for his entirely reasonable reaction to this genuinely strange situation.

Craig Wright seems to be doubling down on his fraud, again, and I don’t care.  The guy took an old Satoshi signature from 2009 and pretended it was fresh and new and applied to Sartre.  It’s like Wright took the final page of a signed contract and stapled it to something else, then proclaimed to the world “See?  I signed it!”.

That’s not how it works.

Say what you will about Bitcoin, it’s given us the world’s first cryptographically provable con artist.  Scammers always have more to say, but all that matters now is math.  He can actually sign “Craig Wright is Satoshi Nakamoto” with Satoshi’s keys, openly and publicly.  Or he can’t, because he doesn’t have those keys, because he’s not actually Satoshi.

A Glimpse at Petya Ransomware

Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them.

Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but to pay for the ransom, and it will encrypt filesystem’s Master File Table, which leaves the operating system unable to load. MFT is an essential file in NTFS file system. It contains every file record and directory on NTFS logical volume. Each record contains all the particulars that the operating system need to boot properly.

Like any other malware, Petya is widely distributed via a job application spear-phishing email that comes with a Dropbox link luring the victim by claiming the link contains self-extracting CV; in fact, it contains self-extracting executable that would later unleash its malicious behavior.

Petya dropper

Petya’s dropper

Petya's infection behavior

Petya’s infection behavior

 Petya ransomware has two infection stages. The first stage is MBR infection and encryption key generation, including the decryption code used in ransom messages. The second stage is MFT encryption.

First Stage of Encryption

First infection stage behavior

First infection stage behavior

An MBR infection is made through straightforward \\.\PhysicalDrive0 manipulation with the help of DeviceIOControl API. It first retrieves the physical location of the root drive \\.\c by sending IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code to the device driver.  Then it sends the extended disk partition info of \\.\PhysicalDrive0 through IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code.

GET_VOLUME_Data

The dropper will encrypt the original MBR using XOR opcode and 0x37 and save it for later use. It will also create 34 disk sectors containing 0x37. Right after the 34 sectors are Petya’s MFT infecting code. Located on Sector 56 is the original encrypted MBR.

Infected disk view

Infected disk view

Infected disk view

Infected disk view

Original Encrypted MBR

Original Encrypted MBR

After the MBR infection, it will intentionally crash the system by triggering NTRaiseHardError. This will trigger BSOD and the system will start, which will cause the machine to load using the infected MBR.

Code snippet triggering BSOD

Code snippet in triggering BSOD

BSOD

BSOD

Once we inspected the dumped image of the disk, we discovered it was showing a fake CHKDSK screen. We will also see the ransom message and ASCII skull art.

Dumped disk image

Dumped disk image

Second Infection Stage

The stage 2 infection code is written in 16-bit architecture, which uses BIOS interrupt calls.

Upon system boot up, it will load into memory Petya’s malicious code, which is located at sector 34. It will first determine if the system is already infected by checking the first byte at sector is 0x0. If not infected, it will display fake CHKDSK.

Fake CHKDSK

Fake CHKDSK

When someone sees the Figure 8, it means that the MFT table is already encrypted using salsa20 algorithm.

Figure 8

The victim will see this screen upon boot.

The victim will see this screen upon boot.

Ransom message and instructions

Ransom message and instructions

Petya Ransomware Page

The webpage for the victim to access their personal decryption key is protected against bots and contains information about when the Petya ransomware project was launched, warnings on what not to do when recovering files and an FAQ page. The page is surprisingly very user friendly and shows the days left before the ransom price will be doubled.

Ransom page captcha

Ransom page captcha

 Petya’s homepage

Petya’s homepage

It also contains news feeds, including different blogs and news from AV companies warning about Petya.

News 1 Figure 13

News 2

They also provide a step-by-step process on how to pay the ransom, including instructions on how to purchase bitcoin. Support via web is included too in case the victim encounters problems in the transaction they’ve made. Petya’s ransom is a lot cheaper compared to other ransomware, too.

Petya web page 1

Petya web page 2

Petya web page 3

Petya web page 4

On Step 4 of the payment procedure, the “next” button is disabled until they’ve confirmed that they already received the payment.

Petya support page

Petya’s support page

Below is a shot of ThreatTrack’s ThreatSecure Network dashboard catching Petya. Tools like ThreatSecure can detect and disrupt attacks in real time.

ThreatSecure Network catching Petya ransomware

ThreatSecure Network catching Petya ransomware

 

The post A Glimpse at Petya Ransomware appeared first on ThreatTrack Security Labs Blog.

A Decade of Exploit Database Data

Managing the Exploit Database is one of those ongoing tasks that ends up taking a significant amount of time and often, we don't take the time to step back and look at the trends as they occur over time. Have there been more exploits over the years? Perhaps fewer? Is there a shift in platforms being targeted? Has the bar for exploits indeed been raised with the increase in more secure operating system protections?

Validating Satoshi (Or Not)

SUMMARY:

  1. Yes, this is a scam.  Not maybe.  Not possibly.
  2. Wright is pretending he has Satoshi’s signature on Sartre’s writing.  That would mean he has the private key, and is likely to be Satoshi.  What he actually has is Satoshi’s signature on parts of the public Blockchain, which of course means he doesn’t need the private key and he doesn’t  need to be Satoshi.  He just needs to make you think Satoshi signed something else besides the Blockchain — like Sartre.  He doesn’t publish Sartre.  He publishes 14% of one document.  He then shows you a hash that’s supposed to summarize the entire document.  This is a lie.  It’s a hash extracted from the Blockchain itself.  Ryan Castellucci (my engineer at White Ops and master of Bitcoin Fu) put an extractor here.  Of course the Blockchain is totally public and of course has signatures from Satoshi, so Wright being able to lift a signature from here isn’t surprising at all.
  3. He probably would have gotten away with it if the signature itself wasn’t googlable by Redditors.
  4. I think Gavin et al are victims of another scam, and Wright’s done classic misdirection by generating different scams for different audiences.

===

UPDATE:  This signature does actually validate, you just have to use a different version of OpenSSL than I did originally.

2016-05-02_06h35_02

Of course, if this is the signature that already went out with that block, it doesn’t matter.  So I’m looking into that right now.

Update 2:

OK, yes, this is intentional scammery.  This is the 2009 transaction.  See this:

2016-05-02_06h50_27

And then, that hex is of course this hex, as in the zip below:

2016-05-02_06h51_09

Of course that’s exactly what Uptrenda on Reddit posted.  Gotta give Wright very small props, that’s a mildly clever replay attack, foiled by total lack of QA.

====

So Craig Wright is claiming to be Satoshi, and importantly, Gavin Andreson believes him.  I say importantly because normally I wouldn’t even give this document a second thought, it’s obviously scam style.  But Gavin.  Yet, the procedure that’s supposed to prove Dr. Wright is Satoshi is aggressively, almost-but-not-quite maliciously resistant to actual validation.  OK, anyone can take screenshots of their terminal, but sha256sums of everything but the one file you actually would like a hash of?  More importantly, lots of discussion of how cryptography works, but not why we should consider this particular public key interesting.

But it could actually be interesting.  This public key claimed is indeed from a very early block, which was the constraint I myself declared.

But for those with an open mind, moving a few chunks of the so-called “bitcoin billion” should be proof enough, says Dan Kaminsky, a well-known security researcher with a history of bitcoin analysis. Even the theory that Wright might have somehow hacked Nakamoto’s computer hardly discounts that proof, Kaminsky argues. “Every computer can be hacked. But if he hacked Satoshi, then this guy knew who the real Satoshi was, and that’s more than what the rest of us can say,” Kaminsky points out. “If Wright does a transaction with one of these keys, he’s done something no other wannabe-Satoshi has done, and we should recognize that.”

OK, it’s not a key attached to the Bitcoin billion, but Block 9 is close enough for me.  The bigger issue is that I can’t actually get the process to yield a valid signature.  I’ve gone over the data a few times, and the signature isn’t actually validating.  I’m not going to read too much into this because Dr. Wright didn’t actually post an OpenSSL version, and who knows if something changed.  But it is important to realize — anyone can claim a public key, that’s why they’re called public keys.  The signature actually does need to validate and I haven’t gotten it to work.2016-05-02_02h15_23.png

I could have missed something, it’s pretty late.  So here’s the binary blobs — nobody should have to try to hand transcribe and validate hex like this.  If I had to speculate, it’s just some serious fat fingering, where the signature is actually across some other message (like that Sartre text we see 14% of).  Alternate explanations have to be … unlikely.

UPDATE:

*facepalm*

2016-05-02_02h31_47