Category Archives: System

Dangerous version of the Dridex banking malware

 

Do you think Banks likely to remain top cyber crime targets. Looks back on 2016 the attackers using different methods which contain malicious attachments being sent to multiple banks. The most famous incident is US$81M Bangladesh Bank Heist on May 2016. We all known as a script kiddie is hard to create such storm. IT Dept especially financial institution they spend their man power and affords on end user computing area. Even though mobile phone, mobile computing devices and workstation are under IT governance.

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Earlier this year Symantec alerts the world that new malware is going to harvest the banking credentials of victims. And claimed that Dridex is now one of the most dangerous pieces of financial malware in the world.

Why does Dridex so dangerous?

As we know, tradition of malware operation relies on dropper file. A dropper is a program (malware component) that has been designed to “install” some sort of malware (virus, backdoor, etc.) to a target system. The earlier generation of dropper file package EXE file extension. As times go by anti-virus vendor has solutions quarantine malicious file. Whatever you receive on workstation anti-virus will isolate the file in sandbox for sterilization. The efficient way to identify malware do a comparison on malicious file checksum value. That is win or lost all depends on information of records (hash value) from antivirus vendor database.

Since the design goal of Dridex targets banking industry. The malware designer fully understand banking environment operation structure. The marco excel programming have large coverage of usage in banking environment. For instance FX (foreign exchange), Finanical, Dealing room, Trade financial…etc. Even though Bloomberg financial services, they have available solution collect the financial news data by microsoft DDE (dynamic data exchange) feature. Since DDE part of Excel spreadsheet function. See how critical of MS office application in banking operations.

Malware (Dridex) design enjoy the benefits of Microsoft marco language. The marco language like a auto robot assemble the malware body. The 1st phase of attack similar to classic email phishing technique which MS word document embedded (see above picture diagram point 1 – 6). The assemble of malware body incomplete and therefore may not trigger malware detector alarm. Dridex contains self replication feature driven by MS dot net mechanism on 2nd phase of process (see above picture diagram point 7 – 9). A dynamic link library will be assembled in the final phase (phase 3) of the process (see above picture diagram point 9 -11).

Malware detector can properly deny the growth of Dridex

Since classic UTM firewall and antivirus program might have function limitation against this type of malware. There are plenty of anti-malware products in the market have capabilities to reduce such malware infection storm. Friendly speaking, all depends right solution and right direction. No absolute definition. Below Yara rule can provide an idea to you in this regard.

rule Dridex_trojan_XML {
   meta:
      description = "Dridex Malware in XML Document"
      author = "    "
      date = "2016/09/09"
      hash1 = "666b2121cfb7871cd1354b08d51a36e4"
   strings:
      // can be ascii or wide formatted - therefore no restriction
      $c_xml      = "<?xml version="
      $C_word     = "<?mso-application progid=\"Word.Document\"?>"
      $C_macro    = "w:macrosPresent=\"yes\""
      $C_binary   = "<w:binData w:name="
      $C_0_chars  = "<o:Characters>0</o:Characters>"
      $c_1_line   = "<o:Lines>1</o:Lines>"
   condition:
      all of ($c*)
}

Malicious files contained Dridex footprint (assembly)

Recorded file names:

  • Dridex Malware.bin
  • 7f6c27356f9809eb7f1e7372dc1556ed76c43c47.doc
  • 2209_0C8D8115C2D2.doc
  • 34A7_FBD7E2BFD4.doc

Malicious site – Analysis date: 2016-10-25

URL: http://50.63.174.16/ (valid till now)

Comment:

Odinaff Malware – New enemy of SWIFT

SWIFT a global provider of secure financial messaging services. He is the big brother in the financial world which facilitates 24-hour secure international exchange of payment instructions between banks, central banks multinational corporations, and major securities firms. He meet his enemy in 21st century, everybody knew it is block chain technology, simple to say it is bit coins, right? However his enemy not limit to block chain technology, noticed that a new born malware was attacks swift member network last month (Oct 2016). The nick name is odinaff.

Technical specification:

malware checksum SHA256: fbede281f54108136a6c73fec7d45386a803793b2a92964ec5355babe6127eec
File name: odinaff_payload.exe [12.0 KB ( 12288 bytes )]

Oh! The payload only 12kb. Security guru you must pay extra attention. My personal comment is that this is a advance type malware, since 30 antivirus vendor can detect this payload. The malware authors will make minor changes or repackage their malware every few days to thwart detection via MD5 checksum or antivirus, and in some cases the malware is repackaged daily. Therefore, often times new samples may not be detected. To be honest, only 12Kb it is easy to repackage.

For correct detect this malware on your malware detector, below details is the pattern for your reference.

Reference: Yara rule

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

import "pe"

rule Odinaff_swift : malware odinaff swift raw{
        meta:
                author = "_____"
                date = "2016/10/27"
                description = "Odinaff malware"
                reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99"
                filetype = "binary"

        strings:

                $s1 = "getapula.pdb"
                $i1 = "wtsapi32.dll"
                $i2 = "cmpbk32.dll"
                $i3 = "PostMessageA"
                $i4 = "PeekMessageW"
                $i5 = "DispatchMessageW"
                $i6 = "WTSEnumerateSessionsA"

        condition:
                ($s1 or pe.exports("Tyman32")) and (2 of ($i*))
}

 

News update on SWIFT:

It looks that SWIFT top management aware the criticality of risk.  To ensure adoption, SWIFT will start requiring customers to provide detailed self-attestation against the mandatory controls from Q2 2017

Begin Enforcing Mandatory Security Controls

1. Restrict Internet Access and Segregate Critical Systems from General IT Environment
1.1 SWIFT Environment Segregation A segregated secure zone safeguards the local SWIFT infrastructure from compromises and attacks from the broader enterprise and external environment.

1.2 Operating System Privileged Account Control

Access to local operating system accounts with system-level administrative rights is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, the accounts are restricted from being accessed.

2. Reduce Attack Surface and Vulnerabilities

2.1 Internal Data Flow Security
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT data flows within the secure zone, and its link to the user PCs.

2.2 Security Updates All hardware and software inside the secure zone and on user PCs are within the support lifecycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied.
2.3 System Hardening Security hardening is conducted on all systems and infrastructure within the secure zone and on user PCs.

3. Physically Secure the Environment
3.1 Physical Security Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage.

4. Prevent Compromise of Credentials
4.1 Password Policy All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts.
4.2 Multi-factor Authentication Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts.

5. Manage Identities and Segregate Privileges
5.1 User Account Management Accounts are defined according to the security principles of need-to-know access, least privilege, and segregation of duties.
5.2 Token Management Authentication tokens are managed appropriately during issuance, revocation, use, and storage.

6. Detect Anomalous Activity to Systems or Transaction Records
6.1 Malware Protection Anti-malware software from a reputable vendor is installed and kept up-to-date on all systems.
6.2 Software Integrity A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related applications.

6.3 Database Integrity
A database integrity check is performed at regular intervals on databases that record SWIFT transactions.
6.4 Logging and Monitoring Capabilities to detect anomalous activity are implemented, and a process or tool is in place to frequently store and review logs.

7. Plan for Incident Response and Information Sharing
7.1 Cyber Incident Response Planning The organisation has a defined cyber incident response plan.
7.2 Security Training and Awareness Annual security awareness sessions are conducted for all staff members, including role-specific training for SWIFT roles with privileged access.
Advisory Security Controls
2. Reduce Attack Surface and Vulnerabilities
2.4A Back Office Data Flow Security Confidentiality, integrity, and authentication mechanisms are implemented to protect data flows between back office systems or middleware and the secure zone.

2.5A External Transmission Data Protection
Sensitive data leaving the secure zone is encrypted.

2.6A User Session Integrity
The integrity and confidentiality of interactive user sessions connecting to the secure zone are safeguarded.
2.7A Vulnerability Scanning
Vulnerability scanning is conducted within the secure zone and on user PCs using an up-to-date industry-standard scanning tool.

2.8A Critical Activity Outsourcing
Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation.

2.9A Transaction Business Controls
Restrict transaction submission and receipt to the expected bounds of normal business.
5. Manage Identities and Segregate Privileges

5.3A Personnel Vetting Process
Staff operating the locally hosted SWIFT infrastructure are vetted prior to initial employment in that role and periodically thereafter.

5.4A Physical and Logical Password Storage
Any recorded passwords for privileged accounts are stored in a protected physical or logical location, with access restricted on a need-to-know basis.

6. Detect Anomalous Activity to Systems or Transaction Records
6.5A Intrusion Detection
Intrusion detection is implemented to detect unauthorised network access.

7. Plan for Incident Response and Information Sharing
7.3A Penetration Testing
Application, host, and network penetration testing is conducted at least annually within the secure zone and on user PCs.

7.4A Scenario Risk Assessment
Scenario-driven risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme.

Android bad luck this year! Do you think iPhone is Invulnerability?

Keep heard that vulnerability found on Android phone recently. For instance Dirty Cow attack, Drammer attack and Dangerous Pork Explosion backdoor. Do you think Linux operating system not secure anymore?

As far as I remember vulnerabilities found on Apple IOS not less than Android operation system. Can you imagine in what circumstance, XNU (X is Not Unix) can be compromised by hacker. iPhone architecture and its main components. The architecture uses the Darwin operating system, which includes the XNU kernel and system utilities.

What is XNU?

Darwin is an open source operating system released by Apple in 2000. Apple then built upon Darwin to create OS X and iOS. XNU is the computer operating system kernel developed at Apple Inc for use in OS X and iOS. XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed. The components from 4.3BSD and an Objective-C API for writing drivers called Driver Kit. Up to 2016 iOS version details shown as below:

iOS has many similarities as Mac OSX on kernel components and functions. As mentioned, XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed. In the kernel there are three important components. They are Mach, BSD and IOKit.

  •    Mach: Low level abstraction of kernel
  •    BSD: High level abstraction of kernel
  •    IOKit: Apple kernel extension framework

All the classes have a root object, called OS Object. OS Object mainly overwrite new operator to allocate memory, and declare init method to initialize the object self. Because of this fundamental design, few known vulnerabilities are happened in this area. An application may be able to execute arbitrary code with kernel privileges. Do you think iPhone is invulnerability? No, sure properly not. Found high level of risk vulnerabilities last few month (2016). Seems headline news not intent broadcast in high profile and therefore not to seriously shocks iPhone fans. For more details, please see below CVE for references:

  • CVE-2016-4778: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2016-4777: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (invalid pointer dereference) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2016-4738: libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Remark: Impact – Processing maliciously crafted web content may lead to arbitrary code execution

Xcode is a development environment which contains a suite of software development tools for the creation of OS X, iOS, WatchOS and tvOS software

  • CVE-2016-2315: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.
  • CVE-2016-2324: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow

Current summary:

Due to business requirement, life cycle of products become short and such a way shorten product development life cycle & test cycle. It is a joke!

Edward Snowden Heads up! Stranger, what do you want?

Enterprise firm execute data classification to protect corporate important data. Follow the code of practise, confidential data contained high level of sensitivity label requires encryption. The whistleblower Edward Snowden alerts the people in the world on 2013. But you might have question to ask till now, what sort of personal data we need to protect. Seems end user computing mostly ignore by users. The traditional idea is that we enforce the preventive control from server end. As times go by, mobile phone twisted the IT world. IT Renaissance, literally reborn. The usage of computer not limit to location and time zone. We can execute the remittance or payment on mobile phone. You do a backup or synchronize mobile data when go home. Sure you can upload everything on cloud.

In regards of global surveillance program by US government

It looks that surveillance program is a never ending story! Why? From official perspective domestic surveillance program can effectively monitoring terrorist attacks and criminal activities. NSA web page slogan have the following statement.

“Defending our nation. Securing the citizens.”

We have no objection that collection of internet data, mobile phone voice and data exchange as a weapon fright againts crime. To be honest we don’t have rights! But question raised how to identify the usage of this data?We are not the perpetrator, logically we might not afraid of this control?

Highlight the NSA data collection methoglogy:

  • Real-Time Yahoo Email Scanning
  • Domestic Intercept Stations
  • Bulk Collection of U.S. Citizens’ Phone Records
  • The PRISM Program: Source of Raw Intelligence
  • Google Cloud Exploitation
  • Cellphone Tracking
  • Spying Toolbox: Servers, routers, firewall devices, computers, USB, keyboard, wireless LAN, cell phone network & mobile phone
  • FBI Aviation Surveillance Operations (FBI Hawk Owl Project)
  • XKeyscore: Our Real-Time Internet Monitoring Capability

Above details not a confidential data, you can easy find this information. Please take a visit to NSA front page, for more details please see below:

https://nsa.gov1.info/surveillance/

US Government with high visibility statement let’s the citizens know they are under surveillance. A open method of NSA is use a tool so called “XKEYSCORE”. When an US speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/english” fingerprint (denoting language settings). When a browser visits a site that uses Yield Manager, a cookie will be set. This cookie is used to identify whether the browser has loaded an advert and when and where it loaded it (which detects Yahoo browser cookies).  Yield Manager also collects information such as:

– the date and time of your visit to the website.

– IP address.

– the type of browser you are using.

– the web page address you are visiting.

XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.

XKEYSCORE features highlight:

  1. Tracking Bridge Users
  2. Tracking Tor Directory Authorities
  3. Tracking Torproject.org Visits

See below part of the XKEYSCORE sourcecode can bring you an idea XKEYSCORE focus on TOR routers.

 

Traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern.

But how about the hackers? Hacker also have interest of these data which NSA does. I believed that below checklist details lure hacker interest.

Internet application coding create a loophole make this cyber games become a never ending story.

Example:

  • Email accounts or passwords using session cookies
  • A common use for XSS is stealing cookies to hijack sessions and gain access to restrictedweb content
  • When cookie doesn’t have Secure flag set, then it can be sent over insecure HTTP (provided that HSTS is not used; HSTS is described in the next section). When this is a case, the attacker controlling the communication channel between a browser and a server can read this cookie. If the cookie stores session ID, then disclosure of this cookie over insecure HTTP leads to user impersonation.
  • When a cookie doesn’t have HttpOnly flag set, then JavaScript can read a value of this cookie. That’s why XSS attack leads to user impersonation if there is no HttpOnly flag set for a cookie with session ID. When a cookie has HttpOnly flag set, then attacker can’t read a value of the cookie in case of XSS attack. The problem is that access permissions are not clearly specified in RFC 6265. It turns out, that cookie with HttpOnly flag can be overwritten in Safari 8.

Short term conclusion:

No way because we are living on earth!

Reflections of memory resources management technique – Malware might say that his day is coming.

Few days ago, Linux world found potential vulnerability. A memory resources management , a technique so called COW (Copy-on-write) struggles IT world. The problem was that an unprivileged local user could use this bug to gain write access to additional read-only memory mappings. And thus execute a privilege escalation.

What is Copy-on-write memory structure?

Copy-on-write finds its main use in sharing the virtual memory of operating system processes.

Does it make whether apply to all computer OS system?

Typically the system structure involve fork system call are the Unix and Linux OS system – The fork() System Call .

Remark: In Linux, the key data structure is the struct task_struct. This contains pid (the thread ID), tgid (the process ID), and pointers to the parent process’s task_struct.

What is fork() system Call?

System call fork() is used to create processes. It takes no arguments and returns a process ID. The purpose of fork() is to create a new process, which becomes the child process of the caller. After a new child process is created, both processes will execute the next instruction following the fork() system call.

Major flaw of implicit sharing or shadowing (Copy-on-write)

The key to implementing direct I/O in the 2.6 kernel is a function called get_user_pages. But get_user_pages () do not check pte_dirty() bit properly.

Vulnerability found by Linus Torvalds. For more detail, please refer below url for reference.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

 

How about Cloud computing architecture? Does it impact by similar flaw?

Since the flaw found on Unix or Linux base machine, a Linux based hypervisor have inherent risk before patch. It looks that this flaw may lure of attacker interest especially on cloud computing server farm. From technical point of view, the key to implementing direct I/O in the 2.6 kernel is a function called get_user_pages. A pointer to the task performing the I/O; its main purpose is to tell the kernel who should be charged for any page faults incurred while setting up the buffer. However get_user_pages () do not check pte_dirty() bit properly. What if an unprivileged local user infected by malware. The attacker relies this bug to gain write access to additional read-only memory mappings. And thus execute a privilege escalation. It looks that even though you install the advance defense mechanism is hard to detect this type of suspicious activities.

Suggestion

Since this bug contains unpredictable potential risk, it is better to patch your Unix or Linux system with immediate action.

We can foresee that the impact of this bug struggle the IT world. Since web server, local balancer, security devices, even though malware detector are using linux OS. It looks like it is a tsunami.

Information Supplement on 25th Oct 2016

The XNU kernel is used widely on many Apple devices, ranging from the iMac, to the iPhone. List of system calls from iOS 6.0 GM – see below:

Entry point is 0x80085084....This appears to be XNU 2107.2.33
Syscall names are @2a70f0
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0

Suppressing enosys (0x800b3429)  T = Thumb
1. exit                  801d4a74 T
2. fork                  801d7980 T
3. read                  801eb584 T
4. write                 801eb958 T
5. open                  800b13a4 T
6. close                 801ccab4 T
7. wait4                 801d56bc T
9. link                  800b18e8 T

The purpose of fork() is to create a new process, which becomes the child process of the caller. After a new child process is created, both processes will execute the next instruction following the fork() system call. Therefore, we have to distinguish the parent from the child. XNU kernel derived on BSD Unix. Believed that iOS might have similar vulnerability but not discovered yet!

Status update 10th Nov 2016 – For dirtyCow yara rule

rule DirtyCow Unix-Linux only {

strings:
   $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }

   $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
   $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }

   $source1 = "madvise(map,100,MADV_DONTNEED);"
   $source2 = "=open(\"/proc/self/mem\",O_RDWR);"

   $source3 = ",map,SEEK_SET);"

   $source_printf1 = "mmap %x"
   $source_printf2 = "procselfmem %d"
   $source_printf3 = "madvise %d"
   $source_printf4 = "[-] failed to patch payload"
   $source_printf5 = "[-] failed to win race condition..."
   $source_printf6 = "[*] waiting for reverse connect shell..."

   $s1 = "/proc/self/mem"
   $s2 = "/proc/%d/mem"
   $s3 = "/proc/self/map"
   $s4 = "/proc/%d/map"

   $p1 = "pthread_create" fullword ascii
   $p2 = "pthread_join" fullword ascii
condition:
   ( uint16(0) == 0x457f and $a1 ) or
   all of ($b*) or
   3 of ($source*) or
   ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )

}

 

 

 

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Stuxnet a famous malware to sabotage Iran’s nuclear program. From technical of view, malware change the shape of computers in the world convert to a cyber weapon. Who’s the team take responsibility? For sure that is not you and me.

Stunext attack scenario:

Heard that malware activities in South Korea run serious recently. Headline news were told the military defense of south Korea was hacked. Regarding to the articles the goal of such malware attack focus South Korean nuclear facility. We don’t have related information and not going to predict who is the attacker of this incident. But malware focus nuclear power facilities not only occurs today. Stuxnet, Duqu, and Flame are categories hardcore type malware. The hardcore type malware usually achieve the following actions.

Do you think SCADA system is the culprit of attack on nuclear power system?

What is SCADA?

SCADA is an acronym for Supervisory Control And Data Acquisition, which is a computer system for gathering and analyzing real-time data.

Where is SCADA used?

SCADA systems are used to automate complex industrial processes where human control is impractical. The SCADA systems benefits to control and monitor processes. Thereby it used in large applications such as monitoring and controlling a nuclear power plant.

SCADA application:

WinCC (Siemens Simatic HMI WinCC v7.3 (x86/x64)) provides all the functionality of SCADA for Windows for all industries.

Historical incident record:

June 2010 – Stuxnet relies on MS zero day implant malware granted control and monitor functions in SCADA system.

Malware attack triggered by Microsoft Zero day (MS08-067, MS10-046 & MS10-061)

Malware relies on vulnerability (CVE-2010-2772) and execute privileges escalation on database of WinCC MSSQL server. As a result hacker allow to view information on SCADA system.

Oct 2011Duqu executables share injection code with the Stuxnet worm. The Duqu design was based on the same source code as Stuxnet. The similarity of features shown as below:

  • Duqu use XOR based encryption for strings (key: 0xAE1979DD)
  • Decrypted DLLs are directly injected into system processes instead of dropped to disk.
  • Rootkit to hide its activities

May 2012 Flame malware targeted cyber espionage in Middle Eastern countries.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

The number and geographical location of Flame infections detected by Kaspersky Lab on customer machines.

  • Iran = 189
  • Israel Palestine = 98
  • Sudan = 32
  • Syria = 30
  • Lebanon = 18
  • Sudi Arabia = 10
  • Egypt = 5

Apr 2016Virus:Win32/Ramnit.A, German nuclear plant infected with computer virus. As Reuters reports, viruses with names like “W32.Ramnit” and “Conficker” where found in a computer system that deals with data visualization.

The virusesWin32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer.

  • File MD5: 0x5CC31D49CAFC508238259616583332A2
  • File SHA-1: 0xC775A22B4B150989F57AB129591F4DA328F52B7C

Aug 2016Virus:Win32/Ramnit.A (checksum changed)

  • File MD5: 0x25C1DE8838ADBC0DCFF61E6B44458CF4
  • File SHA-1: 0xDF6B04BA2103B2EB43B51EBDFB705A37BE5F28A9

1st Oct 2016 – Headline News: Rep. Kim Jin-pyo, a lawmaker of the main opposition Minjoo Party of Korea, told Yonhap News Agency in a telephone interview that the hacking targeted the “vaccine routing server” installed at the cyber command.

Interim summary:

SCADA systems are used to automate complex industrial processes where human control is impractical. The SCADA systems benefits to control and monitor processes. Thereby it used in large applications such as monitoring and controlling a nuclear power plant. WinCC (Siemens Simatic HMI WinCC v7.3 (x86/x64)) provides all the functionality of SCADA for Windows for all industries. Since zero-day vulnerability found each week especially Miscrosoft products. Do you think SCADA system is the culprit of attack on nuclear power system?

The project development of Nuclear power budget huge amount of money and covered with disaster recovery plan. Do you think current disaster recovery plan will cover up Zero day attack on SCADA system? What do you think?

 

Part 1:Blockchain technology situation – A Tales of Two Cities

 

Quotes from A Tales of Two Cities

“It was the best of times, it was the worst of times,.. Charles Dicken

Read the fiction from my view point looks boring, however a famous quotes written by Charles Dicken can correctly describe the current situation of Blockchain technology.

It was the best of the times

Blockchain technology appear to the world cope with electronic currencies. The proprietary payment method covered up financial world long period of times. As a consumer you are not going to pay high rate of services fees for transfer payment method , right? The blockchain technology (crypto currency) appears like a sunrise to everybody.

Traditional payment transfer (SWIFT) vs Blockchain technology

The traditional payment transfer need for central authorities to certify ownership and clear transactions (see below diagram for reference)

Blockchain technology – decentral data storage

In a blockchain network the data is stored on many computers (miner). Each computer interconnect the other computers (nodes) in the blockchain network. The information on all these computers are constantly aligned.

Blockchain is a bitcoin wallet and block explorer service. From general point of view, it confer benefits on society. Transaction fees are voluntary on the part of the person making the bitcoin transaction, as the person attempting to make a transaction can include any fee or none at all in the transaction.

Economic Benefits: In the meantime bitcoin did not have high economic benefits.

Business development opportunities: Block chain concept lure entrepreneurship bring up new business idea. Their objective is going to break the ice. Make the electronic payment more open.

It was the worst of times!

Hacking looking for ransom not possible occurs since law enforcement team trace the finger prints can find out details. Bad guy aware that he will under arrest during money clearing process . Therefore they are not intend to ask for ransom until crypto currency (bitcoin) appears. It looks that bitcoin feature lure hacking activities in serious. For instance triggers ransomware infection scare IT world. Law enforcement team (FBI) did not have solution in this regard!

Observation: Why does bitcoin feature lure hacker interest?

The realistic were told that Bitcoin exchange operation and policy visible level are low. Yes, they are make use of blockchain technology, however the governance structure not equal to common financial institution. The incidents occurred so far look lack of visibility! See below historical incident records (thefts from Bitcoin exchange) might bring an idea to you.

Thefts from Bitcoin exchanges

Aug 2016 – Hong Kong base Bitcoin exchange (Bitfinex) hacked : drained 119,756 bitcoins from its customer accounts

June 2015 – Scrypt.CC (Bitcoin exchange): Undisclosed sum stolen

May 2015 – Bitfinex (Bitcoin exchange): incident of lost 1,500 bitcoins value US$330,000

Mar 2015 – Coinapult (Bitcoin exchange): incident of lost 150 bitcoins value $43,000

Remark: Hong Kong monetary authority enforce Hong kong financial institution includes bitcoin exchange business vendor mandatory execute their guideline. For more details, please refer to regulatory requirements such as HKMA(TM-E-1, TM-G-1, TM-G-2, SA-2).

Level of Trustworthy – cryptocurrency (Bitcoin)

Aug 2016 – US Marshals to Sell US$1.6 Million in Bitcoin at Auction.

Regarding to the above auction by US government. Do you think it equivalent that US government gave blockchain technology as a untrust vote?

Cyber security viewpoint - Blockchain vs. SWIFT 

Famous quotes:

The guillotine, a machine designed to behead its victims, is one of the enduring symbols of the French Revolution. In Tale of Two Cities, the guillotine symbolizes how revolutionary chaos gets institutionalized.

Swift bangladesh heist cause a sensation. Let’s finance institution heads up. Bring their attention to end user computing. Whereby a continous information security program and policy announced. But you might have question? How SWIFT manage to fight it all? That is unknow system vulnerabilities on their system?

Blockchain technique – every transfer of funds from one account to another is recorded in a secure and verifiable form by using mathematical techniques borrowed from cryptography. From technical point of view, it is a tamper-proof technology. Why was bitcoin exchange Bitfinex hacked (Aug 2016)?

The cyber incidents encountered in blockchain and traditional payment (SWIFT) hints that a weakness of fundamental design (see below)

 

 

Refer to above diagrams, a common criteria occurs on both traditional payment and blockchain solution. No matter how secure on your payment method, a single point of failure on single element will crash your tamper-proof design. For instance, a vulnerability occurs in sender or receiver workstation OS level, malware can compromise the whole solution. Even though you are using advanced crypto solution.

Next topic we are going to investigate bitcoin malware. Coming soon!

 

The 2nd stricken region of cyber attack vector – Embedded malicious code applies to everywhere causes memory overflow

Headline news alert that malware embedded to picture file boil up hijack storm to android world. Sound horrible! No need involve phishing technique lure victim engage click url action and such a way compromise your android phone. No safe world! The vulnerability (CVE-2016-3862) fix immediately. Resolution is that enforce IPC Router to check if the port is a client port before binding it as a control port. Security Guru might alerts that critical vulnerabilities found this year are similar. The design ignore the verification check. Quote an example, a vulnerability (CVE-2016-0817) in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a buffer overflow in the affected code area. Yes, the device allow anyone send SNMP packet (OSI 5 – 7 layers) is the fundamental design. But the design concept not including someone is going to fool him. Is it a flaw? But SNMP protocol contains technical weakness originally! SNMP design flaw not on our discussion this time. We jump to a more critical topic. Yes, it is the buffer overflow attack. I claimed that this is the 2nd stricken region of cyber attack vector.

Heads-up (Quick and Dirty):

Unsafe functions buffer overflow

Buffer overflows, both on the stack and on the heap, are a major source of security vulnerabilities in C, Objective-C, and C++ code.When the input data is longer than will fit in the reserved space, if you do not truncate it, that data will overwrite other data in memory. If the overwritten data includes the address of other code to be executed and the user has done this deliberately, the user can point to malicious code that your program will then execute.

Basic buffer overflow attack

NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. The attackers usually prepend their machine language code with a large amount of No Operation (NOP) instructions. Most CPUs have one or more NOP instruction types, which tell the processor to do nothing for a single clock cycle. The attacks consist on making the program jump into an specific address and continue running from there. By looking at the program and its output, attacker can write the address of bar into the return address. The step is that overwrite return address so that code execution jumps into the input given by attacker.

Heap-based overflow

The heap is the memory area where you can allocate memory during the execution of a binary. Heap attacks are typically harder to perform than a Stack based attack.

i. Overwrite pointer – A pointer points to valid executed code. But the attacker corrupting the pointer and put the malware function replace the valid executed code. A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application.

Stack-based overflow

It affects any function that copies input to memory without doing bounds checking. If the source data size is larger than the destination buffer size. The data will go to high address and overflow previous data on stack. The attacker could use to execute arbitrary code with elevated privileges or cause a DoS condition.

Buffer overflow attack may appear everywhere in cyber world today. Any weakness of system and application design will lure the interest by hacker. IT Guru don’t ignore this channel.

Is this a hoax? Or it is National Security Agency?

I believed that hot topics this week for sure hacking tools available download online. Rumour was told that those tools may develop by NSA (National Security Agency). Since this news make Anti-virus vendors nervous. As of today, their virus repository contained those files and confirm that those so called hacking tools is a genuine hacking tools. The Korean base anti-virus vendor AhnLab also given a malware naming convention to that malicious file. For more details, please refer to below chart for reference.

Status update on 18th Aug 2016 (today)

Kaspersky Confirmed that the leaked Hacking Tools Belong to NSA-tied Group. A former NSA employee told the Washington Post that those tools is a genuine hacking tools from NSA (see below).

https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html

Interim Summary:

It looks that the files available download on internet looks outdated. The latest time-stamp of that files create from 2013. The earlier creation date of some files are 2010. To be honest, we can’t ignore the possibility that this files leaked by our Hero whistle blower!  Since the backdoor malicious programs found are the execution files. I was surprised that NSA is not going to use inline hooking technique. As we know, hackers looking for payment to release whole set of files. May be those not open to public files contains inline hooking technique. Hacking Team is known to sell a malware surveillance software known as Da Vinci. Its remote access tools also make it possible to compromise a wide variety of hardware, including Android and Blackberry phones and Windows devices. Yes, we found the descendant of Da Vinci this time.

Remark: Da Vinci (Law enforcement sector deploy malware which supply by Italy-based Hacking Team).

https://www.linkedin.com/pulse/who-jeopardizing-world-information-leakage-picco

 

Mystery Surrounds Breach of NSA-Like Spying Toolset. Reflections: How important of SIEM today.

The mystery surrounds breach of NSA-Like spying tool set alerts security vendor. The world has been changed even though government without exception! The focus of everyone of this headline news might be the flaw of firewall vendors, right? Not sure whether you have chance to read the mystery NSA-Like spying tool documents? The critical guideline to the spy is that how to avoid people tracing them. To be honest, this is a unprecedented example which government teach the hacking technique. Below details is the example for your reference (For more details about these documents, please use your own way to download.)

!!! WARNING: Firewall logs everything !!!

!!! If you see “info-center loghost X.X.X.X” during a sampleman, DO NOT IMPLANT !!!
!!! Unless we own the syslog server !!!
!!! SNMP traps will also log our activity !!!
!!! SNMP traps going into system-view !!!

Target Firewall vendor

Regarding to the document (sampleman_commands.txt), the target Firewall vendors are Cisco, Juniper & HUAWEI. It is not difficult to understand what’s the reason those brand names are included in the list. Yes, it is because of the market share. They are the tycoon brand name. Besides, their design architecture sometimes has similarity. Per my observation, they make use of the instruction pipeline technique. The instruction in a pipelined processor are performed in several stages. Data hazards occur when instructions that exhibit data dependence modify data in different stages of a pipeline. There are three situations in which a data hazard can occur:

  1. read after write (RAW), a true dependency
  2. write after read (WAR), an anti-dependency
  3. write after write (WAW), an output dependency

I agree with that the firewall system design or flaws are the responsibilities of Firewall vendors. Since hardware vendor not aware they are vulnerable until scandal open to the world. From consumer’s point of view, is there any preventive control to alert customers?

How important of SIEM today?

An hints written on document stated that they are concerning targets to trace their IP locations. The critical point is that  both syslog and SNMP server must compromised. Otherwise they need to find another alternative. The story can tell how important of SIEM today!

SIEM solutions boots cyber safety world today

Key features of SIEM:

Real time alerting

1. Rule-based alerts with dashboard and email notification
2. Alert annotation
3. Pre-configured alerts for hundreds of security and operational conditions

For your choice to select suitable SIEM product  , please refer below.

Gartner Magic Quadrant for Security Information and Event Management analysis report

https://www.gartner.com/doc/reprints?id=1-2JNUH1F&ct=150720&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuqTIcu%25252FhmjTEU5z16uwlUa6%25252Fg5h41El3fuXBP2XqjvpVQcNrNL3IRw8FHZNpywVWM8TILNUQt8BqPwzqAGM%25253D