F-Secure Reverse Engineering Challenge 08

Posted by Eric | General | Thursday 31 July 2008 2:37 pm

For those interested in RE, F-Secure announced their 08 Reverse Engineering Challenge will start tomorrow and end Sunday. Details can be found at

http://www.assembly.org/summer08/news/compos/f-secure_khallenge3

Hacktivism

Posted by Eric | General | Thursday 31 July 2008 9:16 am

Do the citizens of the U.S. not care, or are others just fanatical? An article this morning popped up about hacktivism and I started thinking how you rarely read any articles about Americans getting mixed up in it. Are groups in the U.S. dying out, or are people more focused on playing Xbox?

The last thing I know about was Project Mayhem and the fight against the white hats; that was a worldwide thing and I know a few people who got theirs. But when was the last time anyone grouped together for something? 300+ years ago we rallied support for a civil war; today you can barely coordinate something with a small group of 20. Yet the Chinese have been coming out in large numbers, and their hacktivism impresses me. They still have quite a few hacker groups in China, and we wonder why they are so good. U.S. hackers tend to work for companies and tend to work separately. Yet you hardly hear anything come out of China. Most of the security industry is driven by Americans working for companies; even going to Blackhat overseas you often see many U.S. presenters and familiar names. Do tight-knit groups working together make a difference? I’ve been trying to coordinate a small group of people on SILC that I regularly hang out with, but the problem becomes that everyone is too busy.

The Chinese hacker groups, from what I’ve read over at The Dark Visitor, seem to be quite large and quite intelligent. There are also groups in Iran, Israel and Germany. Just look at the compromised-site mirrors and you will see most of the defacements are by some type of foreign group or person, and they are mostly hacktivists spreading their message. It’s just interesting; I wish I had spent less time chasing tail in high school and got in on the scene before it died out :/

rand(28)

Posted by Eric | Conf, General | Wednesday 30 July 2008 11:39 pm

Lately I haven’t been very attentive to this blog. Since I actually formed a business and am blogging somewhat professionally, I’ve been working my ass off on my financial blog. In the process I’ve optimized Hamsterswheel quite a bit in terms of SEO, WordPress, plugins et cetera. It’s amazing how much there is to blogging beyond just writing up some words. Currently Hamsterswheel gets about 60 hits per day, and has roughly 36 subscribers according to Google Reader but hardly any according to FeedBurner. I’d really like to get back on track with both blogs, but at the moment my Chief Operating Officer duties for Twenties Money Magazine, LLC have taken a slightly higher order.

I will be out at Blackhat and Defcon next week in Vegas. Thursday evening I will be attending the Ethical Hacker party over at the Hofbrauhaus. I went last year with a few people I knew and ended up running into about a dozen people I used to work with.

When: Thurs evening, Aug 7, 2008 from 8:00 – 11:00
Where: Hofbrauhaus Las Vegas
Why: FREE BEER!! That’s why. First $500 on the beer tab is on us! Oh yeah, and there’ll be some pretty cool folks from the security community there as well. They also serve food, so bring cash to make splitting the food bill easier.

If you’d like to say hi hit me up there, or at the Core Party.

After Vegas I will be getting back on to some things. I was discussing some of my ideas with Tebo, and he pointed me towards an upcoming publication from Wrox titled Grey Hat Python. I had a similar idea about a series “Python for Pen testers/Hackers.” Apparently someone beat me to it! Either way, if you’ve got any ideas for posts, research, or projects let me know; I’m glad to investigate ideas!

Opaque Predicates

Posted by Eric | Research, Reversing | Wednesday 23 July 2008 12:21 pm

An opaque predicate is a line of code, or a block of code, that is basically useless. The instructions do execute and do compute something, but in terms of the program’s actual result they contribute nothing. They are designed to make it appear as if the code is doing something, to divert the attention of an analyst. The purpose of an opaque predicate is to add a layer of obfuscation that makes reversing the code more time consuming. As you sift through useless instructions you realize the code is more of a distraction than anything else. Opaque predicates make static analysis more time consuming because they are often difficult to discover: you stumble upon a code block only to find after a few minutes that it’s dead.

So what does an opaque predicate look like?

In a high-level language such as C/C++ the most basic opaque predicate is a simple IF insertion. Inserting IF statements that always evaluate to true will of course cost a little performance, but in terms of static analysis it can throw off an analyst for a few minutes as they chase down a rabbit hole.

So we have something similar to this:

if (true)
{
    do_something();   /* always taken */
}
else
{
    do_something();   /* identical body, never reached */
}

true will always come back as true, so the first branch will always be the one chosen in actual execution. However, the code in the first branch and the second branch is the same. This adds an additional branch to the graph in IDA, and adds more code the analyst must sort through. Just two are manageable; imagine if you had multiple if/else blocks in the code!

IDA graph view (image)

Dead listing (image)

You can add an additional level of complexity to the code with math operations. An opaque predicate such as:

int add, q = 2;

/* '+' binds tighter than '^' in C, so this is (q+q)^2: 2q is even and
   XOR with 2 never clears bit 0, so the condition holds for every q */
if (((q + q ^ 2) % 2) == 0)
    printf("here");
else
    add = 2 + 8;   /* dead code, never executed */

utilizes dead code insertion. The else branch can be anything you want; for simplicity’s sake I chose the addition of two numbers and the assignment into a variable. In real examples the code should be more complex: dead code that looks functional but does not truly serve a purpose to the program. This will often lead the analyst down a path where they spend anywhere from 10 minutes to an hour with their attention diverted from the real path. This type of predicate has the general layout of

if (math expression that always resolves the same way)
    real work
else
    dead code

In IDA this would graph similar to the following (image).

The dead listing would look like the following (image).

These examples are rather simple, but adding complex junk code to them can often divert an analyst’s attention for a period of time. Especially if you make the junk or dead code seem more interesting than the code behind the real work!
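From the analyst’s side, the quickest sanity check on a suspicious branch condition is to evaluate it over a large range of inputs: a genuine decision will come out both ways, an opaque one never will. The following C harness is an added example, not code from the original post; the function names are my own. It carries both predicates from the post (the expression exactly as C parses it, and the q + q*q form the author most likely meant) plus a genuine data-dependent one for comparison, and classifies each.

```c
#include <stdio.h>

/* The predicate from the post, written the way C actually parses it:
 * '+' binds tighter than '^', so q+q^2 is (q+q)^2.  2q is even and
 * XOR with 2 only touches bit 1, so the result is even for every q. */
int pred_xor(unsigned q)
{
    return (((q + q) ^ 2) % 2) == 0;
}

/* The version the author most likely meant: q + q*q = q(q+1), the
 * product of two consecutive integers, which is always even.
 * Unsigned wrap-around does not change parity, so this holds for all q. */
int pred_square(unsigned q)
{
    return ((q + q * q) % 2) == 0;
}

/* A genuine data-dependent branch for comparison. */
int pred_real(unsigned q)
{
    return (q % 3) == 0;
}

/* Evaluate a predicate over [0, n) and report:
 *   1  -> always true  (opaque; the else branch is dead)
 *  -1  -> always false (opaque; the if branch is dead)
 *   0  -> depends on input (probably a real decision) */
int classify_predicate(int (*pred)(unsigned), unsigned n)
{
    int seen_true = 0, seen_false = 0;
    for (unsigned q = 0; q < n; q++) {
        if (pred(q)) seen_true = 1; else seen_false = 1;
        if (seen_true && seen_false) return 0;
    }
    return seen_true ? 1 : -1;
}

int main(void)
{
    const unsigned n = 1u << 20;   /* a million inputs is plenty here */
    printf("(q+q)^2 even : %d\n", classify_predicate(pred_xor, n));
    printf("q+q*q even   : %d\n", classify_predicate(pred_square, n));
    printf("q%%3 == 0     : %d\n", classify_predicate(pred_real, n));
    return 0;
}
```

A result of 1 or -1 does not prove the predicate is opaque (a real check could simply never trigger on the tested range), but it is enough to stop an analyst from spending an hour in the branch that never runs; the dead branch can then be marked as such in IDA and skipped.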

Weekly Roundup. Week ending July 18th

Posted by Eric | General, Windows | Friday 18 July 2008 4:20 am

Something new I’m going to try on both of my blogs. At the end of each week I will do a weekly roundup of links to posts and articles I found interesting.

Hack Yourself- How much sleep do you need?

Sans – Obfuscated Javascript Redux

Wordpress 2.6 Fixes 194 Bugs

50+ Personal Development sites you’ve never even heard of

The Black Market Code Industry

What I’ve been Doing on My Summer Vacation

Cyber Capos

CPU Bugs. Are they really necessary?

MetaGoofil FTW!

Patch Your Clients Already!

Posted by Eric | General | Wednesday 16 July 2008 9:13 am

Patching third-party applications is something that is often overlooked in the enterprise. I’m sure most administrators would love to patch all their third-party applications, but many of them have a difficult time accounting for all of them. You have situations where, for one reason or another, many users have local administrator privileges, which grants them the ability to install software without an administrator present. This of course presents plenty of problems for the system, the network and eventually the help desk / administrator when the user calls complaining his computer is too slow to get anything accomplished. It’s all too often that I have been on a network and seen many systems where department administrators place their entire user group in the local administrator group for all their systems. After all, it is easier to just let them have the privileges than it is to constantly get up from reading fark.com and go help them install a printer.

My EMH account for hamsterswheel has been inundated with spam as of late. It used to be that I would just highlight everything and send it to the junk folder, create some type of filter and press on. Eventually the spam gets so bad that you have to delete the email account so the spam can bounce a few times. I’ve found that deleting the account for 48 hours eliminates the problem for a few months. Recently I started taking an interest in the spam that I was getting. What caught my eye was an email titled “Angelina Jolie Free Videos.” The email popped up on my BlackBerry and I noticed the link inside was http://ip.ip.ip.ip/free.exe. I thought oh, cute, I’ll have to look at that closer when I get home. As it turned out they were using HTML-based email to cover the IP address of the URL. The email itself made absolutely no sense. The title was about Angelina Jolie, the body was about some news headline, and then the footer contained stuff about MSN Messenger. Yet people fall for these all the time!

As I started taking a close look at the spam hitting my inbox I realized that I no longer had Viagra offers. Instead I was getting links with random headlines from the news. The individuals responsible are pretty damn quick too, because there were a few headlines that came up only seconds before I received the email. Most of the links were to compromised sites and were either main.html or about.html. Out of the few dozen that I grabbed I only encountered one that had JavaScript obfuscation on it, which made analysis somewhat difficult. However, an online deobfuscator helped clear things up quite a bit. What I find truly amazing is, all of the sites were using some type of client-side exploitation to get the dropper (normally named video, view or free.exe) onto the system. This in and of itself isn’t astonishing, but the fact that most of the CLSIDs turned out to be from 2-3 year old ActiveX controls is somewhat amazing. The people responsible for owning these systems and putting up all the malware pages are putting a lot of faith into single, 2 year old client-side exploits to compromise clients. What’s more amazing… They still work!

EvilCry did a nice write-up on a new Italian strain of malware running around. This one uses the Yahoo Webcam client-side exploit. Most of the ones I found were using an MDAC ActiveX control from 06.

http://evilcry.altervista.org/tuts/Mw/CartellaUnicaTasse.pdf

This sleep cycle was too much, this sleep cycle was too little…

Posted by Eric | General | Monday 14 July 2008 9:32 pm

Security4All had a post on the Security Bloggers Network about hacking your sleep. Like Benny, I’ve always been told and read that the proper amount of sleep was 8 hours. Honestly I could never rationalize wasting a third of my day sleeping. I average about 5 hours of sleep a night during the week, and sleeping in on the weekends is about 6 hours. Occasionally my son wakes up later and I will get 7 hours of sleep. I think it’s largely dependent upon the person how much sleep they get. Just look at Donald Trump, who claims to get only 4 hours of sleep per night.

My factors for sleeping so little are multifaceted. First, I enjoy getting on the computer and working problems; most of the work I do at home has some type of correlation to my day job. If I were documenting hours as working at home I’d fill in my 80 hours every two weeks within one week pretty quickly. Secondly, between work, consulting, running a new blog about personal finance, being married, trying to keep up with my fitness and having a child who is becoming more and more interactive, I don’t have much time to sleep. My friend and business partner Kristin claims I have high ambitions which fuel me throughout the day.

My wife will sleep from 11 p.m. to 9 or 10 a.m. and still be tired. Partially understandable since she watches my son all day and gets up in the evening when he wakes up hungry or sick. However, she just cannot fathom how I function with such high energy while only sleeping 5 hours a night. Well, I guess I owe it partially to the military, which reprogrammed my body to accept any sleep it can, whenever it can get it. My body is somewhat screwed up. I had a sleep study done last year and the oddity they saw was that I can fall into REM sleep cycles within 20 minutes, whereas the normal person takes 4 hours to fall into REM. You don’t dream unless you are in REM, and I can have a dream within a 20-30 minute nap when I do take them. During basic training I got a decent amount of sleep per night, yet in technical training, between socializing, study and other military responsibilities, I averaged 3-4 hours of sleep per night. I suppose between the military reprogramming and my high determination to succeed and know everything, my mind just pushes through sleep. What’s really crazy is through my diet I’ve almost eliminated caffeine from my intake. I have one or two cups of coffee in the morning depending on how busy I am, then one cup in the evening. My coffee intake on the weekends is a little more, but that’s mostly a socialization factor since I don’t drink much.

Malware Dropper

Posted by Eric | Code, Research, Reversing | Friday 11 July 2008 12:08 am

A while back Dean sent me some malware that he had been collecting off client systems. He didn’t ask me to do an analysis on them, but I started doing it anyway. The first aspect of this malware was a delivery system that actually got some type of client-side execution on the system.

The delivery has three aspects and is served via JavaScript.

First, in the event JavaScript is disabled, the visited page displays a link for the user to click. The title simply says “Please download”. If JavaScript works, it attempts to call a function in MDAC by creating an ADODB stream and downloading the file. The downloaded file is then named svchosts.exe, and the ShellExecute function is called with the svchosts.exe file name passed to it. On a Linux machine, an automatic save box is displayed within about 10 seconds. An example of the JavaScript decoded by Dean can be found here. WARNING – It is set up to automatically download and launch a file called video.exe. I have copied a safe version of calc.exe to the web root, so don’t get your pants in a bunch when it either launches or attempts to download… If it does launch, you need to 1) stop using Windows/Internet Explorer and 2) patch your system.

Dean was able to pull a copy of video1.exe from the server hosting this piece of malware. I took a look at it for analysis a few days ago. Initial tests for packing came up empty, but it would seem there is slight obfuscation in the code. There are many places where analysis fails, there are absolutely no strings, and some of the code seems to jump around to nonexistent addresses. I am still attempting to identify what type of encryption/packer was used on the code to optimize my disassembly. Until then I have barely any strings and only a few imports.

The few imports I do have led me to recreate the file video1.exe. All of the imports came from Wininet, which is the Windows API for internet data. I set about researching a few of the APIs and piecing together the logic and code behind video1.exe. I’ve concluded that it downloads and executes a file from another place using the functions in Wininet. Further preparing my infrastructure for penetration testing, I wanted to create my own dropper for custom trojans and things beyond meterpreter.exe. I wanted something that would not be flagged by antivirus and that I can keep relatively small.

What I did was create Droplet. I finished the code last night and it’s pretty lightweight. I did not incorporate any of the FtpGetFile or Gopher functions from Wininet. I simply wanted a file dropper that would download code, copy it to a file and then execute it.

The basic flow of the program is

InternetOpen
InternetConnect
HttpOpenRequest
HttpAddRequestHeaders
HttpQueryInfo
HttpSendRequest
Either InternetReadFile or URLDownloadToFile

From this point, if you are using InternetReadFile you can use the Windows API to create the file and copy the data to it. I’m still working bugs out with this method.

URLDownloadToFile seems to be the better choice since it is designed to copy the data to a file instead of to a buffer. I think I might head out to the river this weekend but I’m hoping to have some time that I can play with the FTP Functions inside WinInet.

Anyway, Malware Analysis is pretty cool because you can learn how people smarter than you carry out nefarious biddings. Hopefully you learn from it and you can either apply it to your penetration testing, or for your own biddings!

-E

Learn Asm first…

Posted by Eric | General, Research, Reversing | Wednesday 9 July 2008 11:12 pm

As many of the readers here know, I’ve been on my grind lately in an effort to become really proficient in reverse engineering. Two of my associates have made comments regarding a skill gap they have in the field of reverse engineering. Everyone has a different learning curve, and everyone certainly has a different skill set. Some skill sets are more advanced than others, but when you work in a team effort one skill set can often complement another. Groups from back in the day used to be pretty bad ass. Personally I was never part of a group; I guess I just never found my way into one. I really wish I had been part of one because I’d probably be bad ass right now instead of losing sleep at night in an effort to walk in the presence of some of the top guys in Austin and around the world. There are a lot of dudes I look up to and I often read their material. Indirectly, they are teaching me lots and I appreciate it!

I’ve been holding onto a book I picked up a while back from Wrox publishing titled “Professional Assembly.” The book is part of their programmer to programmer series. I originally found it two years ago when I was doing penetration testing and I figured it would help me out in my efforts to master exploitation. It really did give me a great understanding of functions, and the stack but beyond that I just could not wrap my attention around the book. I’ve finally got into the book and have been walking through many of the examples and creating my own in an effort to really nail down assembly language. I think I received a third rate education in Computer Science because assembly was never on our list of things taught, hell I don’t even think it was mentioned which is pretty sad.

How many times have you opened up a tutorial for reverse engineering or exploitation and seen something along the lines of “Basics of assembly language is assumed” or “No assembly knowledge necessary.” Many browse over those lines and get lost somewhere in the second or third page. I’ll be honest, I was one of them. I found myself referencing instructions far too often; it was impeding my progress. Now that I’ve read through the book and worked the examples, not only do I find myself having the ability to optimize assembly (not that I need to in many cases) but I’ve also found I can breeze through disassembly in binaries a lot faster as I go after relevant code sections.

The moral of the story is don’t be like me and try to learn to reverse without learning assembly first. Get your assembly down pat, and many, MANY concepts in reversing and exploitation will come together faster than you realize. As you read the book many concepts will click and you will go “ohhhhhh.”

Anyway, just wanted to mention the book, I found it awesome. The only con I found with it is the lack of exercises at the end of the chapters. I found myself googling for exercises and stealing many from colleges that offered assembly courses. Either way, I learned a lot from this book even recognizing certain code optimizations such as memcpy and strlen type functions. Check it out if you want to learn. Just make sure you do the exercises/examples.



Unix Commands

Posted by Eric | General | Tuesday 8 July 2008 11:26 am

Halvar Flake made a post last week which I’ve been eagerly waiting on a response to from Matasano Chargen. Two posts later and I still haven’t seen the post I’ve been waiting for! I’ve been checking out the comments on Halvar’s blog, but many of the responses seem to be insignificant commands such as “rm -rf” and the like. Of course, if you’re part of Project Mayhem then that’s all you need, but what if you want to stay awhile, kick off your shoes and get comfortable?

One of the comments was an advertisement for his own blog post. I checked it out and he had a few insightful commands. One thing I did notice, and Tebo said the same when I talked with him, is that what clearly distinguishes ethical from unethical hackers is the absence of any anti-forensics, or any attempt at covering themselves up. The Grudge, in a presentation on “Hash”, said that unsetting the HISTFILE was a common trait of highly successful hackers, yet it is somewhat old school.

First command:

unset HISTFILE

Secondly, chances are you obtained access through an exploit and there may be a core file laying around. In an effort to not be caught you want to clean that up right away while it’s still fresh on your mind.

Start by searching in the current directory

find . -type f -name "core"

Then move on to searching the whole machine. (I’m sure this is largely inefficient in terms of the hard drive spinning up et cetera; anyone have a better idea?)

find / -type f -name "core"

Next up is log files. I see many papers and scripts talk about deleting the entire log file. Think about that for a minute. If you were the system administrator and you check your log every day, every three days or weekly and suddenly your entire log was missing… Wouldn’t that arouse some suspicions?

Now that we’ve cleaned up a bit, let’s address the commands that other blog post issues first. These commands are really just recon. We are looking for servers, other hosts, SSH keys, passwords et cetera.

We start off with

w, netstat -an, ps auxww, mount, cat /etc/resolv.conf, ls /home

One reason you want to start off with w is to determine if anyone else is logged on and active. You don’t want to slow down the system and start spinning up the hard drive if others may notice it.

netstat gives us not only the IPs we are connected to, but also what IPs are connected to us and possibly what services are listening on the system. We may not have noticed a MySQL server during the port scan because it was set up to only listen on the local interface.

ps auxww is a great command from the other blog because, like he said, you may get passwords in the output from a process started with them on the command line.

mount shows what is currently mounted. Today it is not uncommon for even a PC to have more than one hard drive. Perhaps there is nothing on /, but a secondary hard drive that is mounted in a weird place has a ton of data we want.

cat /etc/resolv.conf identifies at least our DNS server; we can start querying the DNS server further, asking who else she knows.

ls -la /home allows us to see who has established profiles on the system and when their last activity was. Of course, this may not be entirely accurate since an administrator can log in and just leave the terminal locked.

To wrap this post up, uptime!

The uptime command is important because it gives you an indication of how long the box has… well, been up. You can take this information and apply it towards your rootkit. If you’ve got a box that’s been up for quite a while you don’t have to worry about reboots and the startup aspect of rootkits. Furthermore, you can determine whether the system is going to be a reliable hop.

Those are just a few; of course there are tons more. Any of the old school Unix hackers got any more tidbits? MC? Tebo?
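Read from the administrator’s side, the point above about log files is the detection opportunity: logs only grow between checks and keep their inode unless logrotate renames them, so a file that vanished, shrank, or came back with a new inode is worth a look. The C program below is an added example, not code from this post or the blogs it cites; it compares two constructed inventory snapshots (the paths, sizes and inode numbers are made up for the example) and classifies each file. The struct and function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* One log file as recorded in an inventory snapshot. */
struct log_entry {
    const char *path;
    long size;      /* bytes */
    long inode;
};

/* Constructed sample snapshots (not real data). */
static const struct log_entry BEFORE[] = {
    {"/var/log/auth.log", 48210,  131},
    {"/var/log/wtmp",     96000,  132},
    {"/var/log/syslog",   302110, 133},
    {"/var/log/lastlog",  29292,  134},
};
static const struct log_entry AFTER[] = {
    {"/var/log/auth.log", 1020,   131},   /* shrank: lines removed in place */
    {"/var/log/syslog",   302990, 140},   /* new inode: deleted and recreated */
    {"/var/log/lastlog",  29292,  134},   /* unchanged */
    /* wtmp is missing entirely */
};

enum anomaly { LOG_OK = 0, LOG_MISSING, LOG_RECREATED, LOG_SHRANK };

static const struct log_entry *find_entry(const struct log_entry *snap,
                                          size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(snap[i].path, path) == 0)
            return &snap[i];
    return NULL;
}

/* Classify what happened to one file between the old and new snapshot.
 * Inode change is checked before size, because a recreated file is
 * usually smaller too and the inode change is the stronger signal. */
enum anomaly check_log(const struct log_entry *old,
                       const struct log_entry *after, size_t n_after)
{
    const struct log_entry *now = find_entry(after, n_after, old->path);
    if (!now)                     return LOG_MISSING;
    if (now->inode != old->inode) return LOG_RECREATED;
    if (now->size  <  old->size)  return LOG_SHRANK;
    return LOG_OK;
}

/* Walk the old snapshot and count files that changed suspiciously. */
int count_anomalies(const struct log_entry *before, size_t n_before,
                    const struct log_entry *after, size_t n_after)
{
    int count = 0;
    for (size_t i = 0; i < n_before; i++)
        if (check_log(&before[i], after, n_after) != LOG_OK)
            count++;
    return count;
}

int main(void)
{
    static const char *names[] = {"ok", "missing", "recreated", "shrank"};
    size_t nb = sizeof BEFORE / sizeof BEFORE[0];
    size_t na = sizeof AFTER / sizeof AFTER[0];
    for (size_t i = 0; i < nb; i++)
        printf("%-20s %s\n", BEFORE[i].path,
               names[check_log(&BEFORE[i], AFTER, na)]);
    printf("%d anomalies\n", count_anomalies(BEFORE, nb, AFTER, na));
    return 0;
}
```

In practice the snapshots would come from a periodic stat of the log directory stored off-box; a legitimate logrotate run also changes inodes, so the check is a trigger for a closer look rather than a verdict on its own.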
