Monthly Archives: November 2016

Hack Naked News #102 – November 29, 2016

WordPress security gets another black mark, free transit rides for all in San Francisco, routers are hacked again, NTP is vulnerable, why buy when you can rent....a botnet, that is, backdooring Android, and a popular porn site is the victim of a data breach. Stay tuned!

Toolsmith – GSE Edition: Scapy vs CozyDuke

In continuation of observations from my GIAC Security Expert re-certification process, I'll focus here on a GCIA-centric topic: Scapy. Scapy is essential to the packet analyst skill set on so many levels. For your convenience, the Packetrix VM comes preconfigured with Scapy and Snort, so you're ready to go out of the gate if you'd like to follow along for a quick introduction.
Scapy is "a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more." This includes the ability to handle most tasks such as scanning, tracerouting, probing, unit tests, attacks or network discovery, thus replacing functionality expected from hping, 85% of nmap, arpspoof, tcpdump, and others.
If you'd really like to dig in, grab TJ O'Connor's Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers (you should already have it), as first discussed here in January 2013. TJ loves him some Scapy: Detecting and Responding to Data Link Layer Attacks is another reference. :-)
You can also familiarize yourself with Scapy's syntax in short order with the SANS Scapy Cheat Sheet as well.
Judy Novak's SANS GIAC Certified Intrusion Analyst Day 5 content offers a nice set of walk-throughs using Scapy; given that it is copyrighted and private material, I won't share them here, but I will follow a similar path so you have something to play along with at home. We'll use a real-world APT scenario, given recent and unprecedented Russian meddling in American politics. According to SC Magazine, "Russian government hackers apparently broke into the Democratic National Committee (DNC) computer systems" in infiltrations believed to be the work of two different Russian groups, namely Cozy Bear/CozyDuke/APT 29 and Fancy Bear/Sofacy/APT 28, working separately. As is often the case, ironically and consistently, one of the best overviews of CozyDuke behaviors comes via Kaspersky's Securelist. This article is cited as the reference in a number of Emerging Threats Snort/Suricata rules for CozyDuke. Among them, 2020962 - ET TROJAN CozyDuke APT HTTP Checkin, found in the trojan.rules file, serves as a fine exemplar.
I took serious liberties with the principles of these rules and oversimplified things significantly with a rule as added to my local.rules file on my Packetrix VM. I then took a few quick steps with Scapy to ensure that the rule would fire as expected. Of the IOCs derived from the Securelist article, we know a few things that, if built into a PCAP with Scapy, should cause the rule to fire when the PCAP is read via Snort.
  1. CozyDuke client to C2 calls were over HTTP
  2. Requests to the C2 often included a .php reference; URLs included the likes of /ajax/index.php
  3. was one of the C2 IPs and can be used as an example destination IP address
The resulting simpleton Snort rule appears in Figure 1.

Figure 1: Simple rule
To quickly craft a PCAP to trigger this rule, at a bash prompt, I ran scapy, followed by syn = IP(src="", dst="")/TCP(sport=1337, dport=80, flags="S")/"GET /ajax/index.php HTTP/1.1", then wrote the results out with wrpcap("/tmp/CozyDukeC2GET.pcap", syn), as seen in Figure 2.

Figure 2: Simple Scapy
Then a quick run of the resulting file through Snort with snort -A console -q -K none -r /tmp/CozyDukeC2GET.pcap -c ../etc/snort.conf, and we have a hit as seen in Figure 3.

Figure 3: Simple result
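The same test carried out without Scapy, as an added example that is not from the original post: a Python script that builds the check-in packet by hand, writes a classic PCAP, and then reads it back applying the three IOC checks a rule like 2020962 keys on (TCP to port 80 at the C2 address, payload carrying a GET for /ajax/index.php). The source and C2 addresses are constructed RFC 5737 placeholders because the post's addresses are not on this page; the reader accepts both Ethernet and raw-IP link types, the latter being what wrpcap() writes for an IP()-rooted Scapy packet.

```python
import socket
import struct

# Constructed placeholders (RFC 5737 ranges): the post's real addresses are not on the page.
SRC_IP = "192.0.2.10"
C2_IP = "198.51.100.23"

# The IOCs from the post, expressed like the header and content options of a Snort rule.
COZYDUKE_RULE = {
    "proto": 6,                                # TCP
    "dst_ip": C2_IP,                           # the C2 address used as destination
    "dst_port": 80,                            # check-in is plain HTTP
    "content": [b"GET ", b"/ajax/index.php"],  # ordered content matches in the payload
}


def _checksum(data):
    """RFC 1071 ones-complement sum, used for both the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, payload, flags=0x02):
    """IPv4 + TCP + payload with valid checksums; flags=0x02 is the bare SYN the post used."""
    tcp_len = 20 + len(payload)
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1337, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp + payload)) + tcp[18:]
    return ip + tcp + payload


def build_pcap(packets, linktype=101):
    """Classic little-endian pcap; linktype 101 is raw IPv4, as written for IP()-rooted packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1480000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def iter_ip_packets(pcap):
    """Yield the IPv4 bytes of every record; Ethernet (1) and raw IP (101) link types are handled."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    skip = {1: 14, 101: 0}[linktype]
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        pos += 16
        yield pcap[pos + skip:pos + incl_len]
        pos += incl_len


def match_rule(ip_pkt, rule):
    """Header tests first, then the ordered content matches; returns a hit summary or None."""
    if len(ip_pkt) < 20 or ip_pkt[0] >> 4 != 4:
        return None
    ihl = (ip_pkt[0] & 0x0F) * 4
    dst_ip = socket.inet_ntoa(ip_pkt[16:20])
    if ip_pkt[9] != rule["proto"] or dst_ip != rule["dst_ip"]:
        return None
    tcp = ip_pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if dport != rule["dst_port"]:
        return None
    payload = tcp[(tcp[12] >> 4) * 4:]
    pos = 0
    for needle in rule["content"]:  # like Snort, each content must follow the previous one
        idx = payload.find(needle, pos)
        if idx < 0:
            return None
        pos = idx + len(needle)
    return {"src": socket.inet_ntoa(ip_pkt[12:16]), "dst": dst_ip, "sport": sport, "dport": dport}


def scan_pcap(pcap, rule):
    return [hit for hit in (match_rule(p, rule) for p in iter_ip_packets(pcap)) if hit]


def demo_pcap():
    """The post's check-in packet plus two look-alikes that must not fire."""
    return build_pcap([
        build_packet(SRC_IP, C2_IP, 1337, 80, b"GET /ajax/index.php HTTP/1.1\r\n\r\n"),
        build_packet(SRC_IP, C2_IP, 1338, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
        build_packet(SRC_IP, C2_IP, 1339, 443, b"GET /ajax/index.php HTTP/1.1\r\n\r\n"),
    ])


if __name__ == "__main__":
    pcap = demo_pcap()
    with open("/tmp/CozyDukeC2GET.pcap", "wb") as f:  # same path the post hands to snort -r
        f.write(pcap)
    for hit in scan_pcap(pcap, COZYDUKE_RULE):
        print("CozyDuke APT HTTP Checkin", hit)
```

The written file can be fed to Snort exactly as in the post, so the Python matcher and the real rule can be compared on the same input.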

Scapy is ridiculously powerful and gets no justice here; hopefully this is just enough information to entice you to explore further. With just the principles established here, you can see the options available to craft and manipulate with ls(TCP) and ls(IP).
Figure 4: ls()

If you're studying for the likes of GCIA or just looking to improve your understanding of TCP/IP and NSM, there is no better way to do so than with Scapy.
Cheers...until next time.

VirusTotal += WhiteArmor

We welcome WhiteArmor scanner to VirusTotal. This is a machine learning engine from China. In the words of the company:

"WhiteArmor is mobile antivirus engine armed with artificial intelligence and machine learning. WhiteArmor offers enterprise Mobile Threat Defense (MTD) solutions as complementary to EMM for securing enterprise mobility."

WhiteArmor has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by an AMTSO-member tester.

Winner at the Great British Entrepreneur Awards 2016

I am thrilled to have won the Great British Entrepreneur of the Year Award for cyber security at a gala event at the Lancaster Hotel in London last night. Thanks to the judges for selecting us ahead of finalists from companies such as Sophos, DarkTrace, Becrypt and others.

Cybercrime Surges in Q3

PandaLabs Q3 Report indicates that incidences of cybercrime continue to increase, with 18 million new malware samples captured this quarter – more than 200,000 samples daily.

The Quarter at a Glance

Cybercrime continues to grow at an exponential rate, fuelled by the opportunity for large financial rewards.

Hackers have taken to developing new variants of successful Ransomware such as Locky, and to a model known as Ransomware-as-a-Service (RaaS), whereby developers create Ransomware for distributors, who then target and infect victims – allowing both parties to achieve greater profits.

Another key development was the occurrence of DDoS attacks, most notably the one against cyber security journalist Brian Krebs. Krebs' exposure of vDoS led to the arrest of its key members and subsequently made Krebs' site the target of a massive DDoS attack that saw Google step in to restore the site. In one of the largest attacks of its kind, hackers leveraged IoT devices to send 620GB of data per second – at its peak – to the site.
This quarter cyber-attacks targeted multiple gaming sites, gaining access to millions of users' personal information. These attacks were largely launched using botnets composed of smartphones, and affected users of Overwatch, World of Warcraft and Diablo 3. Further attacks saw more than 3.5 million users exposed when Dota 2 and the mobile game Clash of the Kings were targeted. These highlight just a few incidents in the gaming world in the last 3 months.

The Banking sector remained a target for hackers as attacks on ATM’s, POS terminals and Bitcoin wallets continue to become more frequent and more advanced.

A Taiwanese ATM attack this quarter indicated just how advanced cybercriminals have become: they were able to hack the bank's internal network and withdraw over R28 million without even touching the ATM itself.

Another big victim was Yahoo – one of the biggest attacks of its kind, revealed this quarter, indicated that 500 million user accounts had been compromised in a 2014 attack.

Finally, Q3 saw the largest Bitcoin robbery to date, when R 84 billion worth of Bitcoin was stolen by hackers.

View the full PandaLabs Q3 Report for more detail on specific attacks and find out how you can protect yourself and your business from the advanc

Hacking WPA Enterprise with Kali Linux

Admittedly, somewhat of a click-bait blog post title - but bear with us, it's for a good reason. Lots of work goes on behind the scenes of Kali Linux, tools get updated every day and interesting new features are added constantly. Most of these tool updates and feature additions go unannounced, and are then discovered by inquisitive users - however this time, we had to make an exception.

Windows 10 Cannot Protect Insecure Applications Like EMET Can

Recently, Microsoft published a blog post called Moving Beyond EMET that appears to make two main points: (1) Microsoft will no longer support EMET after July 31, 2018, and (2) Windows 10 provides protections that make EMET unnecessary. In this blog post, I explain why Windows 10 does not provide the additional protections that EMET does and why EMET is still an important tool to help prevent exploitation of vulnerabilities.

EMET Protections and How They Are Applied

To compare protections of a Windows-with-EMET system against a stock Windows 10 system, it's important to first enumerate the protections that EMET 5.51 provides:

System-Wide Protection

  • Data Execution Prevention (DEP)
  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Address Space Layout Randomization (ASLR)
  • Certificate Trust (Pinning)
  • Block Untrusted Fonts (Fonts)

The system-wide DEP, SEHOP, and ASLR settings in EMET are provided by the Windows operating system itself. That is, the benefit of EMET for these settings is simply that it acts as a unified GUI application to make these changes in your system.

Application-Specific Protection

  • Data Execution Prevention (DEP)
  • Structured Exception Handler Overwrite Protection (SEHOP)
  • Null Page Allocation (NullPage)
  • Heapspray Allocations (HeapSpray)
  • Export Address Table Access Filtering (EAF)
  • Export Address Table Access Filtering Plus (EAF+)
  • Mandatory Address Space Layout Randomization (ASLR)
  • Bottom-Up Randomization (BottomUpASLR)
  • ROP Mitigations
    • LoadLib
    • MemProt
    • Caller
    • SimExecFlow
    • StackPivot
  • Attack Surface Reduction (ASR)
  • Block Untrusted Fonts (Fonts)

Application-specific EMET mitigations are applied by loading the EMET library into the process space of each protected application when it is launched. Here, the EMET library can modify the behavior of the target application by providing additional protections. The application-specific-protection capability provided by EMET is where EMET really adds value. Because we cannot rely on all software vendors to produce code that uses all of the exploit mitigations available, EMET puts this control back in our hands.

Detailed descriptions of these protections can be found in the EMET 5.5 User's Guide.

Visualizing Protections With and Without EMET

To help visualize what EMET can do for us, it is useful to enumerate the exploit mitigations for various Windows versions, both with and without EMET.

When it comes to system-wide mitigations, there's not much of a difference between a Windows system that has EMET installed and a stock Windows system that has had the mitigations enabled manually. This comparison, illustrated in the figure below, makes the true benefit of EMET clear: application-specific mitigations.

Update: December 7, 2016

The purpose of the table below is to draw attention to the application-specific mitigations that EMET provides, but Windows 10 does not provide. Windows 10 includes a number of extra system-level mitigations that Windows 7 with EMET cannot provide. However, as with the recent Firefox vulnerability, application-specific mitigations add protections against exploitation, but the general Windows 10 mitigations may not help. Upgrading to Windows 10 is indeed a good idea from an exploit mitigation perspective, but simply upgrading may not provide enough protection by itself.


It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured. Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system.

Analyzing Microsoft's Statement

The Microsoft Blog entry Moving Beyond EMET makes the following statement:

Windows 10 includes all of the mitigation features that EMET administrators have come to rely on such as DEP, ASLR, and Control Flow Guard (CFG) along with many new mitigations to prevent bypasses in UAC and exploits targeting the browser.

Let's look at the language used and analyze what Microsoft is actually saying and how people may interpret the sentence.

Fact: Windows 10 supports DEP, ASLR, and Control Flow Guard (CFG).
Fiction: Windows 10 makes EMET irrelevant.

In Defense of EMET

Microsoft's statement above overlooks the primary reason for someone to run EMET: users run EMET to protect applications that do not opt in to all of the exploit mitigations that they should. Even though the underlying Windows operating system supports a mitigation, that support does not necessarily mean the mitigation will be applied to a given application.

Developer adoption of exploit mitigations takes place at a slower rate than we'd like to see. For example, even Microsoft does not compile all of Office 2010 with the /DYNAMICBASE flag to indicate compatibility with ASLR. What is the impact? An attacker may be able to work around ASLR by causing a non-DYNAMICBASE library to be loaded into the process space of the vulnerable application, potentially resulting in successful exploitation of a memory corruption vulnerability. What do we do to protect ourselves against this situation? We run EMET with application-specific mitigations enabled!

The Windows 10 EMET Fallacy

Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it's not true is that Windows 10 does not provide the application-specific mitigations that EMET does.

Windows 10 does indeed provide some nice exploit mitigations. The problem is that the software that you are running needs to be specifically compiled to take advantage of them. Control Flow Guard (CFG) looks to provide similar protections to the ROP application-specific mitigations in EMET. The problem is that the application needs to be specifically compiled to take advantage of CFG. Out of all of the applications you run in your enterprise, do you know which ones are built with CFG support? If an application is not built to use CFG, it doesn't matter if your underlying operating system supports CFG or not.
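To answer that question for your own estate, here is an added example (not code from the CERT/CC post) in Python: it reads the DllCharacteristics word of each PE's optional header and reports which of the /DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA and /guard:cf opt-ins are absent, which is exactly where only an application-specific EMET mitigation would fill the gap. The bit values and header offsets come from the PE/COFF specification; the make_test_image helper builds a constructed header so the script runs offline, and a set CFG bit only shows the image was linked with /guard:cf (a complete CFG check also inspects the load configuration directory).

```python
import os
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification; each is a linker opt-in.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,  # /HIGHENTROPYVA: 64-bit ASLR may use the full address space
    "DYNAMIC_BASE": 0x0040,     # /DYNAMICBASE: image may be relocated, i.e. the ASLR opt-in
    "NX_COMPAT": 0x0100,        # /NXCOMPAT: image declares itself DEP compatible
    "NO_SEH": 0x0400,           # image declares it uses no structured exception handlers
    "GUARD_CF": 0x4000,         # /guard:cf: Control Flow Guard instrumented
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image):
    """Return (optional-header magic, DllCharacteristics) from the first bytes of a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    return magic, struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image):
    """Which mitigations the binary opted into, and which ones EMET would have to supply."""
    magic, chars = dll_characteristics(image)
    report = {name: bool(chars & bit) for name, bit in DLL_CHARACTERISTICS.items()}
    report["is_64bit"] = magic == PE32PLUS_MAGIC
    report["needs_emet_aslr"] = not report["DYNAMIC_BASE"]  # EMET Mandatory ASLR / BottomUpASLR
    report["needs_emet_dep"] = not report["NX_COMPAT"]      # EMET per-application DEP
    report["needs_emet_rop"] = not report["GUARD_CF"]       # no CFG, so only EMET's ROP checks apply
    return report


def scan_directory(root, exts=(".exe", ".dll")):
    """Walk a tree (e.g. an Office install directory) and report every PE found."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    head = f.read(4096)  # DOS stub plus headers of ordinary images fit here
                try:
                    results[path] = mitigation_report(head)
                except (ValueError, struct.error):
                    results[path] = None  # not a parseable PE
    return results


def make_test_image(chars, pe32plus=False):
    """Constructed minimal PE header (no sections) used to exercise the parser offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the stub
    machine = 0x8664 if pe32plus else 0x14C
    opt = bytearray(112 if pe32plus else 96)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, chars)
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0002)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    import sys
    for path, rep in sorted(scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        if rep:
            gaps = [k for k in ("needs_emet_aslr", "needs_emet_dep", "needs_emet_rop") if rep[k]]
            print(path, "OK" if not gaps else "EMET needed for: " + ", ".join(gaps))
```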

Update (November 21, 2016)

Windows 10, version 1607 and Windows Server 2016 do support some application-specific mitigations, in particular DEP, SEHOP, ASLR, and BottomUpASLR. The table above has been updated to reflect this information. Setting these application-specific mitigations requires calculating and setting a bit field value in the Windows registry for each process name that you would like to protect. Please see the Microsoft article Override Process Mitigation Options to help enforce app-related security policies for more details.

EMET and Its End of Life

Microsoft has announced that they will no longer support EMET beyond July 31, 2018. Some may use this end-of-life (EOL) statement as an excuse for not deploying EMET. If this is the case, it would be wise to investigate all of the software that is currently outside of the support window before July 31, 2018.

If you are lucky enough that all of your applications are within their support cycle, EMET provides protections against exploitation of new and unknown memory-corruption vulnerabilities, known as "zero-days."

Microsoft applications that will lose support a year before EMET are listed in Products Reaching End of Support for 2017. Office 2007 is in this list, for example. With such out-of-support applications, it is even more important to provide additional exploit protection with a product like EMET. When a vulnerability is discovered in a product outside of its support cycle, this vulnerability is referred to as a "forever-day." That is, the vulnerability will never be fixed.

Just because Microsoft will stop supporting EMET after July 31, 2018 does not mean that the application will stop working beyond that date. It will likely continue to operate in the same way that it has been working all along. This EOL date simply means that you will not be able to get assistance from Microsoft after that date.

Mitigations Without EMET

As mentioned earlier, many of the system-wide mitigations exposed by EMET are actually provided by the underlying Windows operating system. The primary mitigations that can be enabled globally are DEP and ASLR.


System-wide DEP can be configured using the BCDEdit utility. Microsoft indicates, "Before setting BCDEdit options you might need to disable or suspend BitLocker and Secure Boot on the computer." To change the DEP setting to AlwaysOn, in a CMD prompt with administrative privileges run

bcdedit.exe /set {current} nx AlwaysOn


System-wide ASLR can be configured by importing the following registry value:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

Notes for System-Wide Settings

EMET is not required for setting the above system-wide mitigations for DEP and ASLR. Enabling these features will make Windows more secure than the default configuration. However, the system-wide mitigations are less granular than what is available with EMET. In particular, if an application that you need to run is incompatible with a particular mitigation, it may not be possible to allow that application to run when the system-wide mitigations are in place. On a system with EMET, however, the system-wide mitigations can be relaxed, and compatible application-specific mitigations can be applied on a program-by-program basis.

Conclusions and Recommendations

While EMET itself is a free tool, successful deployment of it takes some work. But there are rewards to be reaped from this work.

  • From an exploit mitigation perspective, upgrading to Windows 10 is a good idea.
  • Installing EMET with application-specific mitigations configured is also a good idea.
  • EMET provides some protection against zero-day vulnerabilities in supported software, as well as forever-day vulnerabilities in unsupported software.
  • If the use of EMET is not possible, then the system-wide mitigations of DEP and ASLR can be applied without EMET.
  • Windows 10 does not provide all of the mitigation features that EMET administrators have come to rely on.

VirusTotal += Trustlook

We welcome Trustlook scanner to VirusTotal. This is a machine learning engine from the USA. In the words of the company:

“Trustlook is a global leader in next-generation mobile device security. Using advanced machine learning and behavioral analysis solutions, Trustlook finds more vulnerabilities sooner than any other to provide the industry's smallest vulnerability window. The innovative Trustlook Mobile Security-as-a-Service (MSaaS) cloud platform and Sentinel on-device platform deliver the performance and scalability needed to provide total threat protection against viruses, spyware, phishing, ID theft, data loss, snooping and other forms of attack. Trustlook's solutions protect users from both known and zero-day threats by examining over 20,000 new and updated applications every day for malware and malicious behavior. Trustlook's technology protects more than 300M users globally through its integration with leading apps and downloadable security offerings.”

Trustlook has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by an AMTSO-member tester.

Hack Naked News #100 – November 16, 2016

Chinese company installed a secret backdoor on hundreds of thousands of phones, Hacking Team is back for your Android, major Linux holes gape open, and much more, here on Hack Naked News!

Startup Security Weekly #16 – I’m Not Paul

Michael is joined by Joshua Marpet and Scott Lyons to talk about their experience building and supporting security startups. In the news, Owler's Cryptzone profile, Illumio releases new templates that offer better security, and why the top entrepreneurs are seeking corporate venture money. Stay tuned!

Kronos Banking Trojan and Geo-Targeting from Kelihos

Kronos Banking Trojan and Geo-targeted attacks to Australia, Italy, United Kingdom and United States by Kelihos

I'm happy to welcome back guest-blogger Arsh Arora for another blog about the Kelihos botnet. This research is being conducted in our malware research lab at UAB by Arsh (PhD student) and Max Gannon, a malware researcher at UAB, who is about to graduate at the end of this semester and is looking for a job (hint to employers!)

Let's start the story of what has been happening with the Kelihos botnet over the past couple of days. After laying low for the past couple of weeks, it is striking back with authority. As observed previously, Kelihos continues to geo-target different locations. First and foremost, it started by sending Money Mule spam to users in Italy, Australia, and the United Kingdom if their email addresses ended with .it, .au, or .uk. Second, it targeted users in the United States to download a social media management tool. Because this was based on country-code targeting of ".us", it is more likely to impact people in education and local government, who are the main users of .us email addresses. As all these things were happening, it silently downloaded a malicious Word document from a website and placed it on the desktop without any indication to the user. The malicious document eventually delivers Kronos malware, which is considered to be the same as the Zeus malware that Kelihos sent in August. This behavior was bizarre and had never been observed before this event.

Money Mule Spam

A brief report of the various geo-targeted spam is provided below.

1. Australia - Spam for email addresses ending with ".au" 

Email text is as follows:
Subject: Available Position

The Successful Company is hiring full/part-time employee for an Administrative Assistant position
(Customer Care Team) who can take a part oversee development projects in AU and NZ. This
opportunity is smart for everybody who ready to work as little as a several hours per weekday,
however you will apply for a full time position as well. Competent training programs are accessible
for the applicants. Work experience isn't required at all.
Please send your confirmation to this email cargoinvestmentmiltonlogistics@gmail[dot]com to get more
details concerning a vacancy.
Best Regards


An interesting thing to observe in the body of the text is the specific reference to development projects in AU and NZ. From this we infer that the email body and addresses are not random, but specifically targeted towards Australian users.

Some of the email subjects being used include:

Subject:  Available Position
Subject: Employment
Subject: Job Offer
Subject: Open Vacancy

2. Italy - Spam for email addresses ending with ".it"

Figure: Italian Money Mule spam (left) with its Google Translate rendering (right)
Original text of the email being spammed is as follows:

Subject: Assunzione al lavoro (Job hiring)

Dear Greetings,
A European company specialising in freight transport is looking for people for new roles in your province
in order to expand its staff! Salary is from 3002 Euro per month plus bonus. Training is paid for by the company!
If you need extra funds, if you are an honest and conscientious employee aged 22 or over, we invite you to send
your CV to our personnel office

Best regards
Sandra Trevor,
Head of Personnel

Some of the email subjects being used include

Subject: Assunzione - collocamento al lavoro (Hiring - job placement)
Subject: Assunzione al lavoro (Job hiring)
Subject: Cerchiamo collaboratori in vostra area (We are looking for collaborators in your area)
Subject: Cerchiamo collaboratori in vostra citta (We are looking for collaborators in your city)
Subject: Cerchiamo collaboratori in vostra provincia (We are looking for collaborators in your province)
Subject: Cerchiamo collaboratori in vostra regione (We are looking for collaborators in your region)
Subject: Lavoro part-time (Part-time job)
Subject: Ricerchiamo collaboratori in gruppo operante a livello globale (We are seeking collaborators for a group operating globally)

3. UK - Spam for email addresses ending with ".uk"

Subject: Wow amazing girl..Read that article

Hey, what's up? Actually, for that long time we haven't been reaching each other, I've discovered a brilliant 
reading stuff. By now, 5 days I am stuck to it have already brought about 2,350 pound for me! I am talking about 
the soft trading market - it doesn't require any specific skills at it, all is automated.
Flick the article through and write me something as you are in. By the way, get a chance to know how the stuff 
works with a demo!
Take the best out of it!
P.s. The article itself: hxxp://newsdep3-telegraph[dot]co/


An interesting observation here is the fake URL imitating The Telegraph newspaper. The spammers are trying to trick the user into visiting the link under the guise of the Telegraph newspaper.

This domain is hosted on 162[.]255[.]119[.]249, an address that has predominantly hosted phishing websites. The registration information found on DomainTools is shown below.

Information from DomainTools (registrant details):

Domain Name: NEWSDEP3-TELEGRAPH.CO
Domain ID: D153329223-CO
Sponsoring Registrar: NAMECHEAP, INC.
Sponsoring Registrar IANA ID: 1068
Registrar URL (registration services):
Domain Status: clientTransferProhibited
Registrant ID: 70G0X0PHDOIUNYLZ
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Address1: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 0
Registrant Country: Panama
Registrant Country Code: PA
Registrant Phone Number: +507.8365503
Registrant Facsimile Number: +51.17057182
Registrant Email:

Some of the email subjects being used include

Subject - Look what i found
Subject - Why work for your money when your money can work for you?
Subject - Wow amazing girl.. Read that article

When the URL was visited, it redirected to
As can be observed, it redirects to talegraph[dot]co[dot]uk, not telegraph, which is hosted in the Netherlands.

Whois & Quick Stats
Dates: Created on 2016-09-27 - Expires on 2017-09-27 - Updated on 2016-09-27
IP Address: hosted on a dedicated server
IP Location: Netherlands - Zuid-Holland - Papendrecht - It-ernity Internet Services Bv
ASN: Netherlands AS21155 ASN-PROSERVE Amsterdam, NL (registered Sep 11, 2001)
Whois History: 4 records have been archived since 2016-10-01
Whois Server:

Webpage of talegraph

As can be seen, it is a fake website imitating the Telegraph newspaper.

Social Media Management Tool

It is well-known that people in the United States are crazy about social media and get super excited whenever a new app or tool is launched. Recently, everyone went crazy after the launch of Pokemon Go. This reaction pushed threat actors to change their approach by focusing on the social media market, and different malware was developed to exploit this weakness in users. In a recent blog post, I described how scammers were fooling people into buying cheat codes that never existed. Continuing these attacks, the Kelihos spammers are now inviting users to download a social media management tool. The following spam explicitly targets email addresses ending with ".us" because of the popularity and use of social media in the United States.

Email being spammed is as follows:
Subject: Need your opinion

I'm with, it's a social media management tool the key characteristic of which is to schedule and create
content on various networks at the same time. What's more you also encourage your clients to share, like and
follow your posts.
Since we are connected in LinkedIn I thought it would be a good idea if I asked for your views on our product.
Check us out at: hxxps://kuku[dot]io/a/ms
I appreciate your time. I'm looking forward to receiving any of your comments!


Some of the email subjects being used include:

Subject: Need your opinion
Subject: Need your feeback
Subject: Please let me know if this is of any interest

The webpage at the URL mentioned above:
Webpage of Kuku[.]io

Kronos Banking Trojan

Now let's get to the sneaky part performed by Kelihos: dropping a malicious Word document on the desktop. While doing his daily chores of running Kelihos malware and collecting the spam sent, Max found that a document named 'oldversion' had been placed on the desktop. It was strange, and we had never seen this behavior previously.
Pictorial view of the document icon on the Desktop

On further scrutiny, we found that during the capture, Kelihos did a GET request to download the document.

hxxp://topswingusa[dot]top/qivi/oldversion[dot]doc - Get request

IP address of topswingusa[dot]top -
Virus total result of topswingusa[dot]top

An interesting string found in Process Hacker was "UPLD save to: C:\Users\malware\Desktop\oldversion.doc"

Out of curiosity and to do more in-depth research, I decided to click the document. The document did not disappoint and asked for two of my favorite things when viewing a word document.

Enable Editing
The document opened in Protected View and, after clicking 'Enable Editing,' it asked to "Enable Content."

Enable Content
After clicking 'Enable Content,' it spawned a child process named '24580.exe', and then another child process was launched with the name "svchost.exe". The process killed itself and did not run properly.

Hence, I had to put it into OllyDbg to get the malware working. On further observation in the debugger, I found that it was checking for a virtual machine; it was VMware-aware and killed itself instantaneously. But before it killed itself, I found the following string in "svchost.exe" in the debugger, which identified the malware as Kronos.

Hence, it can be inferred that this malware is Kronos. To be doubly sure, I repeated the process by downloading the malicious document and running it again.

This time I was able to gather more information. Once the document is activated with 'Enable Content,' it grabs the downloader from the following URL:
which is hosted on the same IP, 167[.]88[.]160[.]146. Once the file "mswords2k8[dot]exe" was obtained, it spawned a third process named "MSOSQM", which was the Kronos malware.

On further scrutiny, I found that both the downloaders "24580.exe" and "mswords2k8[dot]exe" have the same MD5 hash, 547890EA5FD8374383E0663223B5A26F.

Downloader and Kronos malware

Another interesting observation found in the debugger is the presence of a string named "BOTID".


Researchers are still working on trying to find more about the significance of BOTID. Hopefully, everyone will be updated soon with the findings.

On Nation States and Sophistication

Thomas Ptacek made an interesting tweet today about Nation States, and if the term has any meaning, which got me thinking. In light of the numerous breaches that have been occurring, affecting both commerce, government, and potentially even elections, I decided to take some time to write down my thoughts on some of the subjects that come up when these events occur.

First, let's talk about victim psychology. When a person or an organization is hacked, they go through emotions similar to those of victims of any crime. There is shame and guilt, anger, a desire to "do something about it" and to make sure "this can never happen again".

There is also a felt need to justify why the breach occurred: "How could this have happened?" Also important to take into consideration is the mindset of investigators. They like catching the bad guy, uncovering the mystery, beating the attacker at their own game. However, it's not exciting to investigate or report on a dumb or simple attacker who did nothing exceptional. Because of this, people are highly incentivized to look for indicators or confirmation that the attacker was somehow exceptional. This makes it more OK that they lost and were compromised, and it makes investigators' jobs more exciting. (I know, I've been there.)

Let's talk about a word that gets thrown around a lot by media, government, and intrusion investigators: Sophisticated. This term seems to imply a sort of evil genius, someone who did such outlandishly amazing feats of hacking that there is no way your average organization could have stopped or detected them.
    "We got broken into!"
    "How could this have happened? Didn't you do your job? Didn't we spend all that money on defenses?"
    "Well they were VERY sophisticated"
    "Oh well ok then, nothing we could have done"
This is both true and not true. Defenders really have little hope of keeping attackers out (sophisticated or not), even if they do most everything right. Worse, what it takes to do everything "right" is very expensive, the talent to do so is scarce and hard to find, and the technology involved changes rapidly. In actuality, most breaches aren't really that sophisticated, depending on how you define the term.

In the interest of giving you background let me say I've personally investigated a large number of breaches, and my team even more. I've conducted an even larger number of attacks myself for the purposes of security, even some I would label as sophisticated, so I've worked on both sides of the issue. We have seen breaches which have been verified government attacks (verified by direct human means among a number of other things, giving me high confidence, not just by an IP address or a foreign word in code), organized crime, talented blackhats, vandalizing kids, corporate competitors, and malicious insiders. In all of these investigations, very few did anything that I would personally classify as sophisticated.

It's probably time to define what I mean when I say sophisticated. To me an attack requires a number of elements in order to be considered sophisticated:
  • Is targeted rather than opportunistic. This means someone set out with intent to attack the organization rather than stumbling across a random vulnerability they could take advantage of while looking for anything random to break in to.
  • Is planned. This means someone didn't just say "Let me throw a bunch of attacks at this organization I don't like", but rather put together a plan for getting in, staying in, targeting data or capabilities, getting information out, and hiding their identity. There are clues during an investigation that help you see the difference between a planned attack and a haphazard one.
  • Uses unique technology or technology in a unique way. Unless there is an intentional deception going on, sophisticated attacks don't use off the shelf hacker / auditor tools. They typically use high quality (reliable) custom tools, or tools available as a part of operating systems in unusual or unintended ways.
  • Involves malware that obviously took a team to write. There are very talented individuals who can write custom tools, but most often sophisticated tools are written by teams of specialists who break up and take on different features or capabilities of the tool. If you are looking at code, you can often tell this.
  • May involve anti-analysis or anti-investigation techniques, or target investigators directly.
  • Long term persistence. Random hackers usually want to get in and get out. Sophisticated hackers have more confidence in their tools and abilities, have more resources, and tend to stay a while to extract all the value from the compromise they can.
  • Involves data theft beyond purely financial (not just Credit Card numbers) or impact on critical business functionality.
You may not agree with all of my criteria, but hopefully we can agree on the fact that there must be SOME criteria for classifying an attack as sophisticated. I should note that I have seen sophisticated attacks violate any number of the above requirements. Individually none of them certify that an attack is sophisticated, but if taken all together or in majority, they typically do.

Now let's tackle this term "Nation State". As it turns out, this is much trickier than you might suppose. In the context of computer attacks, most people might define this as an attack carried out purposefully by a government against an organization, individual, or other government. People like very clean, clear-cut, black and white definitions so that we know who the bad guy is and who the good guy is. Unfortunately the world doesn't work so simply. I would like to propose that a Nation State attack could be one which incorporates any of the following:

  • A highly talented individual hacker, hacking mostly alone. This person may be monitored by a government, either passively or actively, which benefits from their non-directed actions.
  • A private, non-government employed, hacker group, whose activities get co-opted by a government.
  • Defense contractors and other private businesses who supply tools and talent, knowingly or unknowingly, to a government and its interests.
  • Military staff whose purpose is typically more one of disruptive capability, but may collaborate with any of these other groups.
  • Civilian government staff, comprised of intelligence professionals and others, who leverage cyber attacks for intelligence purposes.
  • Any of the above who are acting for other purposes, such as personal financial benefit, not under the direction of a government, but perhaps using government tools and resources.

In light of the above, an attack may use known Nation State tools, but could be carried out by someone who either captured or stole these tools, or is using them on the side, without permission, for personal gain. Imagine, for example, a country where you don't have to be a government or military employee to hack for the government. You are given access to the best tools and training, covert networks, and target lists. You see a lot, you know where money and secrets lie. Then government policies change and your services are no longer needed, or are less needed. Maybe you took copies of the tools home. Maybe you still have accounts or access to jump stations and command and control servers. It might be tempting to leverage this to make a little money on the side. Many investigators will see the IPs you are coming from, the tools you are using, your language preferences, and make the Nation State determination, even though this is clearly not the case. I would venture to say that unless you have the following, attribution is shaky at best:

  • Initial entry vector
  • Copies of the tools used and high end reverse engineering capabilities
  • Full packet capture and netflow of the attack
  • Comprehensive logs
  • Forensic images of compromised hosts
  • Threat Intelligence sharing across multiple organizations or even countries
  • Human intelligence (ex. confessions from the attacker, group infiltrators and spies, people assets in law enforcement or other investigatory organizations)
  • Hack back. Access to attacker systems and infrastructure, or even national network infrastructure in order to monitor the actual sources of attacks.

Now for most private companies, the above is far too expensive to maintain, the talent too scarce, and national laws too unfriendly, and from a business standpoint it doesn't make sense to bother. There are of course exceptions, and multiple companies working in an industry and cooperating with government or law enforcement might get close.

It is also important to say that Sophisticated attacks aren't necessarily Nation States, and Nation State attacks aren't necessarily Sophisticated. Let me give some examples.

I know the story of an individual who, when they were around 14 years old, researched and developed a suite of what I would call sophisticated tools, including hardware firmware persistence, air-gap jumping, and exfiltrated data analytics. This person then extensively planned out an attack against a government in a country other than their own, and conducted it over the course of around a year. They did this primarily for the intellectual pursuit, and to gain access to specific technologies to help them in further attacks down the road. This attack was eventually discovered, and classified as a Sophisticated Nation State attack by the investigators, when in fact it was a talented kid, acting alone.

I have personally investigated attacks verified to be directed, executed, and managed by a foreign government, which used straight up off the shelf and publicly available hacker tools, in very obvious and even clumsy ways. The attack was successful, but was caught and stopped pretty quickly and was only determined to be Nation State because an outside organization had proof obtained by other investigatory means.

I have also seen (and performed) attacks where a couple of US based blackhats will create or purchase a 0day, modify it, build a suite of custom tools developed with foreign language packs, anonymously purchase or compromise hosts in a foreign country, and conduct a campaign against an organization in the US which has all the hallmarks of being a Sophisticated Nation State attack. But it was actually just us performing an attack simulation for a client, or a group of non-government affiliated blackhats using deception to hide who they are.

A sophisticated attack can be an expensive one (although in the case of the 14 year old maybe not so much). High end attack tools, 0day, etc. are very valuable and take time to produce. You don't want to burn these tools for no reason. This means there is incentive to use the least sophisticated and cheapest means to accomplish the following goals:

    - Gain access to a target.
    - Move freely in the target environment.
    - Maintain access as long as desired.
    - Avoid detection.
    - Transfer data at will.
    - Frustrate investigations if detected.

In many cases, the detection aspects in the list above don't matter, even for nation states. Sometimes if you can get in and get what you need with little to no repercussions, you don't care if you are detected a month later.

If you think about it this way, then the ideal situation might be to watch while a non-affiliated 3rd party performs the attack, using their own tools, and you simply reap the access or data rewards without getting your hands dirty.

The goal of this post was to point out that when you hear the terms Nation State or Sophisticated attack thrown around by the media, or by companies who sell investigation / threat intelligence services and tools, you might hesitate before taking it at face value. I'm not saying these organizations are being intentionally or maliciously misleading, just that their criteria for making those statements may be too loose and ill-defined.

Val Smith

Hack Naked News #99 – November 3, 2016

A popular cloud-based website hosting company could become the next MySpace, a more powerful IoT botnet, browser vendors lack trust in 2 CAs, and some, including myself, about an election day hack. All that and more, so stay tuned!

Full Show Notes:

Take the Security Weekly Survey:

Visit to get all the latest episodes!

NullCrew’s Orbit, AKA Timothy French gets 45 months

This week, NullCrew hacker "Orbit", who is known to his jailers as Timothy French, was sentenced to 45 months for his role in several high-profile hacking cases, including the University of Hawaii, the University of Virginia, the State Department, and Bell Canada. The Criminal Complaint released by the Department of Justice has many more details.

For some reason, despite the criminal prosecution, one of the two official Twitter accounts of NullCrew is still live as of this writing. The founders of NullCrew loved to depict themselves as ASCII Art aliens in their old-school-style ezine, FTS (Fuck The System), which made it to issue #5 before they began being arrested. (FTS Issue #5 is available at )

Time Warner - March 6, 2013

FTS2014 will give you a sense of the way these guys think.  By the way, all of the Twitter accounts they claimed to be using in this magazine are still live today. ( @NullCrew_FTS, @siph0n_NC, and @zer0pwn)
A few days later they tweeted this post:

15 Jan 2014
Just had a talk with , this is going to be fun.

The 40,000+ userids and passwords, dumped from a database server, are still available online.

Catching Orbit

Orbit was primarily caught because there was a snitch within NullCrew. The snitch, described as a "CW" in the criminal complaint, or "Collaborating Witness", wanted to be able to tweet "officially" for NullCrew, and was granted permission to the shared Twitter account. Once the CW had access, they checked the login history and found an IP address in Morristown, TN. Charter Communications was able to provide a subscriber street address for the IP. This IP came up repeatedly in the course of the investigation, being used to plant a hacked .php page on a University server, regularly accessing a shared hacking platform in Chicago, and more in accesses to hacked businesses.

My favorite story, however, was of the auto accident.

(Updated: the admins of contacted me to make clear that their site has no association with siph0n the NullCrew member.  We've removed that portion of this article at their request.)

Getting to the Sentence

Part of the defendant's problem as sentencing approached was that Mr. French, who goes by the name "TJ" for "Timothy Justen", boasted overmuch about his association with many truly evil hackers over the years. TJ, according to his pre-sentencing memo, did claim to be a member of Team Poison, but denied emphatically that he had been involved with the TeamPoison April 2012 hacks against NATO and the United Nations, and the August 2011 hacks against NASA. TeamPoison was run by Trick, aka Junaid Hussain, who was recently killed by a Hellfire Missile strike after becoming the leader of ISIS's hacking forces, and repeatedly hacking the Department of Defense.

Zer0pwn, one of the other arrested members of NullCrew, updated his Twitter profile to give as his description "victim of sabu's wrath", implying that perhaps Sabu was involved with their arrests.

Facing a possible seven-year sentence, one of the things the defendant appealed to was the relatively lenient sentences for people who had performed similar crimes. TJ's attorney appeals to cases such as Nicholas Knight (from Team Digi7al), who confessed to hacking DHS, the National Geospatial Intelligence Agency, and assorted universities and businesses but was only sentenced to 24 months. He lists several other cases, but comes back to a 17-year-old hacker who also received only 24 months, concluding:

"This 24-month sentence alone compels a sentence for TJ far below the government's asserted guideline range in order to avoid unwarranted disparities." (We wrote previously about how these "slap on the wrist" sentences were leading to others charging "unwarranted disparities" on behalf of their clients. See: "Hacking, Carding, SWATting and OCD: The Case of Mir Islam")

Several of my professional colleagues have commented that this sentence seems too hefty, but they were unaware of the extent of the damages to Bell Canada. While Null (the Quebec citizen) identified the breach potential, it was Mr. French that took that information and used it to rampage through the files of  "According to prosecutors, millions of files were exfiltrated and 300,000 of them contained client information. At the time of the hack, Bell Canada said 22,421 login and password combinations along with five credit card numbers were exposed, but court documents indicate the number was smaller. Orbit later allegedly posted approximately 12,700 logins and passwords online and Tweeted a link to the data."