Monthly Archives: February 2018

Importing Pcap into Security Onion

Within the last week, Doug Burks of Security Onion (SO) added a new script that revolutionizes the use case for his amazing open source network security monitoring platform.

I have always used SO in a live production mode, meaning I deploy a SO sensor sniffing a live network interface. As the multitude of SO components observe network traffic, they generate, store, and display various forms of NSM data for use by analysts.

The problem with this model is that it could not be used for processing stored network traffic. If one simply replayed the traffic from a .pcap file, the new traffic would be assigned contemporary timestamps by the various tools observing the traffic.

While all of the NSM tools in SO have the independent capability to read stored .pcap files, there was no unified way to integrate their output into the SO platform.

Therefore, for years, there has not been a way to import .pcap files into SO -- until last week!

Here is how I tested the new so-import-pcap script. First, I made sure I was running Security Onion Elastic Stack Release Candidate 2 (14.04.5.8 ISO) or later. Next I downloaded the script using wget from https://github.com/Security-Onion-Solutions/securityonion-elastic/blob/master/usr/sbin/so-import-pcap.

I continued as follows:

richard@so1:~$ sudo cp so-import-pcap /usr/sbin/

richard@so1:~$ sudo chmod 755 /usr/sbin/so-import-pcap

I tried running the script against two of the sample files packaged with SO, but ran into issues with both.

richard@so1:~$ sudo so-import-pcap /opt/samples/10k.pcap

so-import-pcap

Please wait while...
...creating temp pcap for processing.
mergecap: Error reading /opt/samples/10k.pcap: The file appears to be damaged or corrupt
(pcap: File has 263718464-byte packet, bigger than maximum of 262144)
Error while merging!

I checked the file with capinfos.

richard@so1:~$ capinfos /opt/samples/10k.pcap
capinfos: An error occurred after reading 17046 packets from "/opt/samples/10k.pcap": The file appears to be damaged or corrupt.
(pcap: File has 263718464-byte packet, bigger than maximum of 262144)

Capinfos confirmed the problem. Let's try another!

richard@so1:~$ sudo so-import-pcap /opt/samples/zeus-sample-1.pcap

so-import-pcap

Please wait while...
...creating temp pcap for processing.
mergecap: Error reading /opt/samples/zeus-sample-1.pcap: The file appears to be damaged or corrupt
(pcap: File has 1984391168-byte packet, bigger than maximum of 262144)
Error while merging!

Another bad file. Trying a third!

richard@so1:~$ sudo so-import-pcap /opt/samples/evidence03.pcap

so-import-pcap

Please wait while...
...creating temp pcap for processing.
...setting sguild debug to 2 and restarting sguild.
...configuring syslog-ng to pick up sguild logs.
...disabling syslog output in barnyard.
...configuring logstash to parse sguild logs (this may take a few minutes, but should only need to be done once)...done.
...stopping curator.
...disabling curator.
...stopping ossec_agent.
...disabling ossec_agent.
...stopping Bro sniffing process.
...disabling Bro sniffing process.
...stopping IDS sniffing process.
...disabling IDS sniffing process.
...stopping netsniff-ng.
...disabling netsniff-ng.
...adjusting CapMe to allow pcaps up to 50 years old.
...analyzing traffic with Snort.
...analyzing traffic with Bro.
...writing /nsm/sensor_data/so1-eth1/dailylogs/2009-12-28/snort.log.1261958400

Import complete!

You can use this hyperlink to view data in the time range of your import:
https://localhost/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'2009-12-28T00:00:00.000Z',mode:absolute,to:'2009-12-29T00:00:00.000Z'))

or you can manually set your Time Range to be:
From: 2009-12-28    To: 2009-12-29


Incidentally here is the capinfos output for this trace.

richard@so1:~$ capinfos /opt/samples/evidence03.pcap
File name:           /opt/samples/evidence03.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   1778
File size:           1537 kB
Data size:           1508 kB
Capture duration:    171 seconds
Start time:          Mon Dec 28 04:08:01 2009
End time:            Mon Dec 28 04:10:52 2009
Data byte rate:      8814 bytes/s
Data bit rate:       70 kbps
Average packet size: 848.57 bytes
Average packet rate: 10 packets/sec
SHA1:                34e5369c8151cf11a48732fed82f690c79d2b253
RIPEMD160:           afb2a911b4b3e38bc2967a9129f0a11639ebe97f
MD5:                 f8a01fbe84ef960d7cbd793e0c52a6c9
Strict time order:   True

That worked! Now to see what I can find in the SO interface.

I accessed the Kibana application and changed the timeframe to include those in the trace.


Here's another screenshot. Again I had to adjust for the proper time range.


Very cool! However, I did not find any IDS alerts. This made me wonder if there was a problem with alert processing. I decided to run the script on a new .pcap:

richard@so1:~$ sudo so-import-pcap /opt/samples/emerging-all.pcap

so-import-pcap

Please wait while...
...creating temp pcap for processing.
...analyzing traffic with Snort.
...analyzing traffic with Bro.
...writing /nsm/sensor_data/so1-eth1/dailylogs/2010-01-27/snort.log.1264550400

Import complete!

You can use this hyperlink to view data in the time range of your import:
https://localhost/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:'2010-01-27T00:00:00.000Z',mode:absolute,to:'2010-01-28T00:00:00.000Z'))

or you can manually set your Time Range to be:
From: 2010-01-27    To: 2010-01-28

When I searched the interface for NIDS alerts (after adjusting the time range), I found results:


The alerts show up in Sguil, too!



This is a wonderful development for the Security Onion community. Being able to import .pcap files and analyze them with the standard SO tools and processes, while preserving timestamps, makes SO a viable network forensics platform.

This thread in the mailing list is covering the new script.

I suggest running on an evaluation system, probably in a virtual machine. I did all my testing on Virtual Box. Check it out! 

Control Flow Integrity: a Javascript Evasion Technique

Understanding the real code behind a Malware is a great opportunity for Malware analysts, it would increase the chances to understand what the sample really does. Unfortunately it is not always possible figuring out the "real code", sometimes the Malware analyst needs to use tools like disassemblers or debuggers in order to guess the real Malware actions. However when the Sample is implemented by "interpreted code" such as (but not limited to): Java, Javascript, VBS and .NET there are several ways to get a closed look to the "code”.

Unfortunately attackers know what the analysis techniques are and often they implement evasive actions in order to reduce the analyst understanding or to make the overall analysis harder and harder. An evasive technique could be implemented to detect if the code runs over a VM or it could be implemented in order to run the code only on given environments or it could be implemented to avoid debugging connectors or again to evade reverse-engineering operations such as de-obfuscations techniques. Today "post" is about that, I'd like to focus my readers attention on a fun and innovative way to evade reverse-engineering techniques based on Javascript technology.

Javascript is getting day-by-day more important in term of attack vector, it is often used as a dropper stage and its implementation is widely influenced by many flavours and coding styles but as a bottom line, almost every Javascript Malware is obfuscated. The following image shows an example of obfuscated javascript payload (taken from one analysis of mine).

Example: Obfuscated Javascript


As a first step the Malware analyst would try to de-obfuscate such a code by getting into it. Starting from simple "cut and paste" to more powerful "substitution scripts" the analyst would try to rename functions and variables in order to split complexity and to make clear what code sections do. But in Javascript there is a nice way to get the callee function name which could be used to understand if a function name changed over the time. That function is the arguments.callee.caller. By using that function the attacker can create a stack trace where it saves the executed function chaining name list. The attacker would grab function names and use them as the key to dynamically decrypt specific and crafted Javascript code. Using this technique the Attacker would have an implicit control flow integrity because if a function is renamed or if the function order is slightly different from the designed one, the resulting "hash" would be different. If the hash is different the generated key would be different as well and it wont be able to decrypt and to launch specific encrypted code.

But lets take a closer look to what I meant. The following snip shows a clear (not obfuscated) example explaining this technique. I decided to show not obfuscated code up here just to make it simple.



Each internal stage evaluates ( eval() ) a content. On row 21 and 25 the function cow001 and pyth001 evaluates xor decrypted contents. The xor_decrypt function takes two arguments: decoding_key and the payload to be decrypted. Each internal stage function uses as decryption key the name of callee by using the arguments.callee.name function. If the function name is the "designed one" (the one that the attacker used to encrypt the payload) the encrypted content would be executed with no exceptions. On the other side if the function name is renamed (by meaning has been changed by the analyst for his convenience) the evaluation function would fail and potentially the attacker could trigger a different code path (by using a simple try and catch statement). 

Before launching the Sample in the wild the attacker needs to prepare the "attack path" by developing the malicious Javascript and by obfuscating it. Once the obfuscation took place the attacker needs to use an additional script (such as the following one) to encrypt the payloads according to the obfuscated function names and to replace the newly encrypted payload to the final and encrypted Javascipt file replacing the encrypted payloads with the one encrypted having as a key the encrypted function names.

The attacker is now able to write a Javascript code owning its own control flow. If the attacker iterates such a concept over and over again,  he would block or control the code execution by hitting a complete reverse-engineering evasion technique.
  
Watch it out and be safe !

INVESTIGATION ON WINTER OLYMPICS CYBER-ATTACK HAS BEGUN



IN BRIEF: Following the cyber-attack on Winter Olympics, security teams and experts from South Korea's defence ministry, plus four other ministries, formed part of a taskforce investigating the shutdown.
----------------------------
The official Winter Olympics website was taken down after being hit by a cyber-attack (Denial Of Service attack, DOS), officials have confirmed.

The site was affected just before the beginning of the opening ceremony in Pyeongchang, South Korea.

Internal internet and Wi-Fi systems crashed at about 7:15 pm (1015 GMT) on Friday, though operations were restored about 12 hours later - Games organisers said.

However, a spokesman said that the International Olympic Committee would not be commenting on who might have been behind the incident.


"Maintaining secure operations is our purpose," said Mark Adams.
He added that the issue was being dealt with but that he was not aware who had carried out the attack.


Cyber-security teams and experts from South Korea's defence ministry, plus four other ministries, formed part of a taskforce investigating the shutdown.

RUSSIA RESPONDS

Prior to the Games, some cyber-security experts had expressed concern that countries like Russia and North Korea might try to target the event.


But the Russian Foreign Ministry has denied rumours that Russian hackers were involved.

"We know that Western media are planning pseudo-investigations on the theme of 'Russian fingerprints' in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea," the foreign ministry said.
"Of course, no evidence will be presented to the world."

There have been concerns for months that the Games and spectators could be targeted by cyber-attacks.

Earlier this month, the US Department of Homeland Security published a warning to travellers.

"At high-profile events, cyber-activists may take advantage of the large audience to spread their message," it said.

"There is also the possibility that mobile or other communications will be monitored."
The Pyeongchang Games are certainly not the first to be targeted by hackers.


In January, Konstantinos Karagiannis, BT's chief technology officer for security consulting, tweeted that during the 2012 London Olympics he and his team, "fought back quite a cyber-onslaught".

ANGALIZO KWA MABENKI DHIDI YA UHALIFU WA ATM JACKPOTING


KWA UFUPI: ATM jackpotting imgonga Hodi Nchini Marekani ambapo imesababisha upotevu mkubwa wa fedha zinazo kadiriwa kuzidi kiasi cha Dola milioni moja hadi sasa.
----------
Kumekua na aina nyingi za uhalifu mtandao unaolenga mashine za ATM ambao umekua ukiathiri mabenki mengi maeneo mengi duniani.


Mataifa ya Afrika yamesha kumbwa na changamoto za uhalifu katika mashine za ATM kama vile “card skimming” ambapo wahalifu mtandao mara kadhaa wamekua wakiripotiwa kughushi kadi za ATM zilizopelekea upotevu wa fedha kupitia mashine za ATM.


Toka mwaka 2014, Kumeendelea kuibuka aina nyingine za uhalifu unao athiri Mashine za ATM maeneo mbali mbali – Itakumbukwa Niliwahi kutoa taarifa inayosemaka hapa: TYUPKINYATIKISA MASHINE ZA ATM

Ilipo gundulika chanzo cha uhalifu huo kulipelekea kutolewa maelekezo ya namana ya kujilinda ambapo Mabenki mengi hayakuzingatia – Kitu kilichopelekea kuibuka kwa uhalifu mwingine aina ya ATM Jackpotting, Ambapo mwaka 2015 Nchi za bara la Asia, Ulaya na marekeani ya Kusini walikumbwa na Uhalifu aina ya Remote ATM Jackpotting (RAJ)

Maelekezo Zaidi yalitolewa na baadhi ya Nchi zikachukulia uzito ulinzi mtandao katika mashine za ATM ikiwa ni pamoja na kufanyia kazi maelekezo yaliyotolewa.

Toka mwaka Jana ATM jackpotting imeendelea kukumba mataifa ya Marekani kusini ingawa sio kwa kiasi kikubwa.

Na Mwaka Huu wa 2018, ATM jackpotting ikagonga Hodi Nchini Marekani ambapo imesababisha upotevu mkubwa wa fedha zinazo kadiriwa kuzidi kiasi cha Dola milioni moja hadi sasa.



Natumia nafasi hii kukumbusha mabenki yetu mambo makuu ma tatu kwa sasa.

Moja, ELIMU YA UELEWA (Awareness) – Tumehimiza elimu kubwa ya uelewa ifanyike katika taasisi za kifedha ikiwa ni pamoja na kuwaelimisha wafanyakazi wa taasisi hizo juu ya kutambua na kujilinda dhidi ya uhalifu kama Social engineering, Key loggers, Phishing na aina nyingine zozote zinazoweza kupelekea benki husika kukumbwa na uhalifu wa ATM Jackpotting pamoja na aina nyingine za kihalifu.

Aidha, Elimu kwa watumiaji wa Mashine na mifumo mingine ya kibenki inapaswa kufanyika pia.


Mbili, MIFUMO YA UFATILIAJI (Implementation of Monitoring tools) – Kampuni nyingi zinazojihusisha na usalama mitandao zimekua zikiwekeza kwenye uzalishaji wa mifumo inayo saidia kufuatilia na kubaini aina yoyote ya viashiria vinavyoweza kupelekea uhalifu wowote wa kimtandao katika taasisi zetu.

Naziasa taasisi za fedha kuhakiki zinachukua hatua za muhimu kuweka na kuimarisha mifumo iyo ili iwe ni usaidizi wa kubaini viashiria vyovyote vya uhalifu mtandao.


Tatu, KUONDOKANA NA MATUMIZI YA WINDOW XP KATIKA MASHINE ZA ATM – Hili tumekua tukizungumza toka kuonekana ya kua uhalifu wa Tyupkin uliathiri Zaidi mashine za ATM ambazo zilikua na Window XP. Wito ni kua kuna kila sababu wa Taasisi za kifedha kufanya operation ya haraka kuhakiki ina angazia mashine zake zote za ATM na kuziboresha kwa kuweka mifumo iliyo juu ya window XP.


Ni moja ya mafunzo ambayo mataifa tumeyahimiza ya jifunze ili kuweza kubaini, kuzuia na kujilinda na uhalifu mtandao - Mafunzo haya yameanza kutolewa katika mataifa mengi ikiwa ni pamoja na mataifa ya Bara la Afrika.