Whenever Windows OS or applications execute syntax action, check the registry, read or write a file, launch or close a process, etc. It result in Windows calling a service in the System Service Descriptor Table (SSDT).

Hooking SSDT technique exploits found on 2010. The problem was that attacker might fool the security check especially antivirus program. Attacker benefits on behavior of an electronic, software or other system output design limitation. A specific kind of bug given by race condition. This is so called time-of-check-to-time-of-use (TOCTTOU or TOCTOU), a vulnerability in security-conscious code. Microsoft suggest antivirus vendor use microsoft offical API, whereas the official API does not support all the required functions. Therefore antivirus vendor was still forced to use SSDT hooks to implement behavior detection.

CWE-367 – The software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

How the code (TOCTTOU) does?

The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations. The program uses the access() system call to check if the person running the program has permission to access the specified file. If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges.

functionreadFile($filename){
$user = getCurrentUser();

//resolve file if its a symbolic linkif(is_link($filename)){
$filename = readlink($filename);
}

if)fileowner($filename)==$usr){
echo file_get_contents($realFile);
return;
}
else{
echo'Access denied';
returnfalse;
}
}

In real world attacker change above file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files.

Hooked with inline, IAT or EAT hooks

Reference: System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows. Hooking SSDT calls is often used as a technique in both Windows rootkits and antivirus software.

Why Anti-viruses not check the library modules of exe to detect hook?

Avoid false positive mainly! Antivirus detect the (SetWindowsHookEx) API call is not sufficient since it is also used by many authorized applications. For instance the fundamental design of hooking calls such as SetWindowsHookEx is for debugging.

Security expert know the weakness of anti virus program and therefore develop additional scan tool. Yes, it is a Ring 3 hook scanner. The scanner can do the following functions.

(Ring3) Scan every running process:

(Ring3) Scan only the running process with PID 

To be honest, IT guy might feel that malware running on Ring 3 is easy to figure out compare with Ring 1 and Ring 0. But properly not.

Conclusion:

As of today, it is hard to judge behavior base malware detection method is outdated. We known that malware detector especially FireEye can arrest over 99% of malware. The reason is that the detective control of Fire-eye looks great. The device stand parallel with layer 3 core switch. The gateway type infrastructure which enhance the detection level of malware activities. It is because malware require communicate with C&C server.

Next topic we discuss Ring 1 and Ring 0 concept. Stay tuned.

 

The subject matter looks bring mystery feel to reader? People who like to pop music might heard a famous song by Pink Floyd. Yes, it is Dark side of the moon. Rumors told that dark side of the earth (Moon) have another civilization living there? Is it true?

In computer world, memory leaks issues happened not a new topics. Hacker relies on this error can implant malware. The Google Chrome browser found a memory leak issue on Nov 2014. User found that some elements of the DOM (Document Object Model), or handlers, are not being released properly. Below 3 items of memory leak criteria can bring an idea to you what is the definition of memory leak.

1. Applications stay in memory when not in use
2. System run–time is expected to be unlimited
3. Systems typically have lower total available system memory

Hottest target lure the hackers

Svchost.exe is the important process of your Windows 7/8/8.1/10 operating system that contains the group of individual services. Windows uses these services for the various system functions. There can be multiple svchost.exe instances, and one instance may include several services. In most cases the Svchost.exe (netsvcs) encounter high CPU and high usage problem. This symptom might infected by a virus or a malware program.

How malware do this job?

Malware relies on system process design limitation, creates another section in its own address space and copies the svchost.exe content into the created section and then patches the svchost.exe. For more detail, please see below:

So called Process Hollowing

1. Malware starts the svchost.exe process in suspended mode which gets loaded into the address.
2. Malware determines the base address of the legitimate process by reading PEB+8 (PEB.ImageBaseAddress) and then deallocates the executable section of the legitimate process. Afterwards allocates the memory in the legitimate process with read, write and execute permission at a different address.
3. Copy and inject executable to allocate memory address.
4. Malware then overwrites the PEB.ImageBaseAdress of the legitimate process with the newly allocated address.
5. Changes the start address of the suspended thread to the address of entry point of the injected executable by setting CONTEXT._Eax and using SetThreadContext api and resumes the thread.

Conclusion:

Above scenario is one of the example of memory leak vulnerability. If you are interested of this issue. It is not difficult to find out by yourself!

 

2016 Supercomputer magazine

Traditionally, supercomputers have been used for scientific and engineering applications that must handle very large databases or do a great amount of computation (or both). Supercomputer have capability to handles multi task and graphics processes. Bear in our mind that computer brand name likes Cray, IBM and Fujitsu are the top of the range computer products. The mainframe system so called supercomputer because of their system architecture and handling power. Their CPU units, memories and I/O are controlled by crossbars. To measure their system performance will be measured in a technical term so called Floating point (FLOPS). It is an important specification of a computer system, especially for applications that involve intensive mathematical calculations.

Non traditional design vs traditional concept

Do you remember the Parallel Capacity Resource (PCR) clusters? The mature technology found in 2002. The success of the PCR clusters was followed by the purchase of the Multiprogrammatic Capability Resource (MCR) cluster in July, 2002 from Linux NetworX. The PCR cluster debuted as the Top 500 Supercomputers list in November, 2002.

Parallel Capacity Resource (PCR) cluster architecture create the mystery power!

The differences between China supercomputer and traditional mainframe supercomputer.

I speculated that China supercomputer architecture established by Parallel Capacity Resources Cluster concept for system development. Some technical details as finger print to proof of concept. Detail is shown as below:

1. Sunway TaihuLight, with 10,649,600 computing cores comprising 40,960 nodes.

2. System OS not mentioned on technical report, however I believed that the OS kernel development on top of System V (Unix/Linux).

2016 Supercomputer magazine

Top 1 -10 Winners

	Model	Location	Total cores	Rmax (Tflops/s)	Rpeak (Tflops/s)	Memory
1	Sunway TaihuLight	China (Wuxi)	10649600	93014.6	135435.9	1310720 GB
2	Tianhe-2	China (Guangzhou)	3120000	33862.7	54902.4	1024000 GB
3	Titan	Tennessee USA	560640	17590	27112.5	710144 GB
4	Sequoia	Livermore CA	1572864	17173.2	20132.7	1572864 GB
5	Cori	Berkeley CA	622336	14014.7	27880.7	878592 GB
6	Oakforest-PACS	Kashiwa Japan	556104	13554.6	24913.5	919296 GB
7	K computer	Kobe Japan	705024	10510	11280.4	1410048 GB
8	Piz Daint	Swiss Lugano	206720	9779	15988	194560 GB
9	Mira – BlueGene	Lemont IL USA	786432	8586.6	10066.3	unknown
10	Trinity	New Mexico	301056	8100.9	11078.9	unknown

 

Top 1 – 10 Supercomputers geographic location

11 – 20 winners

	Model	Location	Total cores	Rmax (Tflops/s)	Rpeak (Tflops/s)	Memory
11	Cray XC40	UK	241920	6765.2	8128.5	430080 GB
12	Marconi	Italy (Bologna)	241920	6765.2	8128.5	430080 GB
13	Pieiades	Mountain View USA	241108	5951.6	7107.1	917344 GB
14	Hazel Hen	Germany Stuttgart	185088	5640.2	7403.5	unknown
15	Shaheen II	Saudi Arabia	196608	5537	7235.2	unknown
16	Pangea	France	220800	5283.1	6712.3	54000 GB
17	Stampede	USA Texas	462462	5168.1	8520.1	192192 GB
18	Theta	Argonne-USA	207360	5095.8	8626.2	207360 GB
19	JUQUEEN	Juelich Germany	207360	5095.8	8626.2	207360 GB
20	Cheyenne	Boulder USA	144900	4788.2	5332.3	202752 GB

 

11 – 20 Supercomputers geographic location

Can we say, hackers and malware do not have capability attacks supercomputer?

The electronic world nowadays popular ARM processor architecture. An ARM processor is one of a family of CPUs based on the RISC. ARM processors are extensively used in consumer electronic devices such as smartphones, tablets, multimedia players and other mobile devices. Supercomputer would not use low cost ARM processor. Traditional supercomputer framework build up by an array of mainframe computers. Mainframe computer CPUs especially IBM S390 CPU make use of crossbar architecture. Since mainframe CPU memory structure not disclose to public. Even though the LPAR running Window server or Linux OS, malware no idea how to jump into the kernel memory whereby it is hard to compromise the whole system. No matter how excellent performance of PCR (parallel capacity resource) cluster built by modern server, an solid concern is bring to our consideration. For instance, model Intel i686 CPU or Xeon server group PCR cluster security bottle neck happens on Core OS (Linux, Unix system V, custom build system-V(vmware))! The fact is that Intel CPU memory address cookbook you can find on market. In the sense that even though PCR cluster build by modern server provides great speed performance (floating point) but the overall security is part of the concern! To be honest, the highest floating point (Tflops) looks like a reference parameter in my personal view point. It looks that such parameter does not reflect the actual reality of usage.

 

 

Do you think Banks likely to remain top cyber crime targets. Looks back on 2016 the attackers using different methods which contain malicious attachments being sent to multiple banks. The most famous incident is US$81M Bangladesh Bank Heist on May 2016. We all known as a script kiddie is hard to create such storm. IT Dept especially financial institution they spend their man power and affords on end user computing area. Even though mobile phone, mobile computing devices and workstation are under IT governance.

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Earlier this year Symantec alerts the world that new malware is going to harvest the banking credentials of victims. And claimed that Dridex is now one of the most dangerous pieces of financial malware in the world.

Why does Dridex so dangerous?

As we know, tradition of malware operation relies on dropper file. A dropper is a program (malware component) that has been designed to “install” some sort of malware (virus, backdoor, etc.) to a target system. The earlier generation of dropper file package EXE file extension. As times go by anti-virus vendor has solutions quarantine malicious file. Whatever you receive on workstation anti-virus will isolate the file in sandbox for sterilization. The efficient way to identify malware do a comparison on malicious file checksum value. That is win or lost all depends on information of records (hash value) from antivirus vendor database.

Since the design goal of Dridex targets banking industry. The malware designer fully understand banking environment operation structure. The marco excel programming have large coverage of usage in banking environment. For instance FX (foreign exchange), Finanical, Dealing room, Trade financial…etc. Even though Bloomberg financial services, they have available solution collect the financial news data by microsoft DDE (dynamic data exchange) feature. Since DDE part of Excel spreadsheet function. See how critical of MS office application in banking operations.

Malware (Dridex) design enjoy the benefits of Microsoft marco language. The marco language like a auto robot assemble the malware body. The 1st phase of attack similar to classic email phishing technique which MS word document embedded (see above picture diagram point 1 – 6). The assemble of malware body incomplete and therefore may not trigger malware detector alarm. Dridex contains self replication feature driven by MS dot net mechanism on 2nd phase of process (see above picture diagram point 7 – 9). A dynamic link library will be assembled in the final phase (phase 3) of the process (see above picture diagram point 9 -11).

Malware detector can properly deny the growth of Dridex

Since classic UTM firewall and antivirus program might have function limitation against this type of malware. There are plenty of anti-malware products in the market have capabilities to reduce such malware infection storm. Friendly speaking, all depends right solution and right direction. No absolute definition. Below Yara rule can provide an idea to you in this regard.

rule Dridex_trojan_XML {
   meta:
      description = "Dridex Malware in XML Document"
      author = "    "
      date = "2016/09/09"
      hash1 = "666b2121cfb7871cd1354b08d51a36e4"
   strings:
      // can be ascii or wide formatted - therefore no restriction
      $c_xml      = "<?xml version="
      $C_word     = "<?mso-application progid=\"Word.Document\"?>"
      $C_macro    = "w:macrosPresent=\"yes\""
      $C_binary   = "<w:binData w:name="
      $C_0_chars  = "<o:Characters>0</o:Characters>"
      $c_1_line   = "<o:Lines>1</o:Lines>"
   condition:
      all of ($c*)
}

Malicious files contained Dridex footprint (assembly)

Recorded file names:

• Dridex Malware.bin
• 7f6c27356f9809eb7f1e7372dc1556ed76c43c47.doc
• 2209_0C8D8115C2D2.doc
• 34A7_FBD7E2BFD4.doc

Malicious site – Analysis date: 2016-10-25

URL: http://50.63.174.16/ (valid till now)

Comment:

SWIFT a global provider of secure financial messaging services. He is the big brother in the financial world which facilitates 24-hour secure international exchange of payment instructions between banks, central banks multinational corporations, and major securities firms. He meet his enemy in 21st century, everybody knew it is block chain technology, simple to say it is bit coins, right? However his enemy not limit to block chain technology, noticed that a new born malware was attacks swift member network last month (Oct 2016). The nick name is odinaff.

Technical specification:

malware checksum SHA256: fbede281f54108136a6c73fec7d45386a803793b2a92964ec5355babe6127eec
File name: odinaff_payload.exe [12.0 KB ( 12288 bytes )]

Oh! The payload only 12kb. Security guru you must pay extra attention. My personal comment is that this is a advance type malware, since 30 antivirus vendor can detect this payload. The malware authors will make minor changes or repackage their malware every few days to thwart detection via MD5 checksum or antivirus, and in some cases the malware is repackaged daily. Therefore, often times new samples may not be detected. To be honest, only 12Kb it is easy to repackage.

For correct detect this malware on your malware detector, below details is the pattern for your reference.

Reference: Yara rule

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

import "pe"

rule Odinaff_swift : malware odinaff swift raw{
        meta:
                author = "_____"
                date = "2016/10/27"
                description = "Odinaff malware"
                reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99"
                filetype = "binary"

        strings:

                $s1 = "getapula.pdb"
                $i1 = "wtsapi32.dll"
                $i2 = "cmpbk32.dll"
                $i3 = "PostMessageA"
                $i4 = "PeekMessageW"
                $i5 = "DispatchMessageW"
                $i6 = "WTSEnumerateSessionsA"

        condition:
                ($s1 or pe.exports("Tyman32")) and (2 of ($i*))
}

 

News update on SWIFT:

It looks that SWIFT top management aware the criticality of risk.  To ensure adoption, SWIFT will start requiring customers to provide detailed self-attestation against the mandatory controls from Q2 2017

Begin Enforcing Mandatory Security Controls

1. Restrict Internet Access and Segregate Critical Systems from General IT Environment
1.1 SWIFT Environment Segregation A segregated secure zone safeguards the local SWIFT infrastructure from compromises and attacks from the broader enterprise and external environment.

1.2 Operating System Privileged Account Control

Access to local operating system accounts with system-level administrative rights is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, the accounts are restricted from being accessed.

2. Reduce Attack Surface and Vulnerabilities

2.1 Internal Data Flow Security
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT data flows within the secure zone, and its link to the user PCs.

2.2 Security Updates All hardware and software inside the secure zone and on user PCs are within the support lifecycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied.
2.3 System Hardening Security hardening is conducted on all systems and infrastructure within the secure zone and on user PCs.

3. Physically Secure the Environment
3.1 Physical Security Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage.

4. Prevent Compromise of Credentials
4.1 Password Policy All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts.
4.2 Multi-factor Authentication Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts.

5. Manage Identities and Segregate Privileges
5.1 User Account Management Accounts are defined according to the security principles of need-to-know access, least privilege, and segregation of duties.
5.2 Token Management Authentication tokens are managed appropriately during issuance, revocation, use, and storage.

6. Detect Anomalous Activity to Systems or Transaction Records
6.1 Malware Protection Anti-malware software from a reputable vendor is installed and kept up-to-date on all systems.
6.2 Software Integrity A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related applications.

6.3 Database Integrity
A database integrity check is performed at regular intervals on databases that record SWIFT transactions.
6.4 Logging and Monitoring Capabilities to detect anomalous activity are implemented, and a process or tool is in place to frequently store and review logs.

7. Plan for Incident Response and Information Sharing
7.1 Cyber Incident Response Planning The organisation has a defined cyber incident response plan.
7.2 Security Training and Awareness Annual security awareness sessions are conducted for all staff members, including role-specific training for SWIFT roles with privileged access.
Advisory Security Controls
2. Reduce Attack Surface and Vulnerabilities
2.4A Back Office Data Flow Security Confidentiality, integrity, and authentication mechanisms are implemented to protect data flows between back office systems or middleware and the secure zone.

2.5A External Transmission Data Protection
Sensitive data leaving the secure zone is encrypted.

2.6A User Session Integrity
The integrity and confidentiality of interactive user sessions connecting to the secure zone are safeguarded.
2.7A Vulnerability Scanning
Vulnerability scanning is conducted within the secure zone and on user PCs using an up-to-date industry-standard scanning tool.

2.8A Critical Activity Outsourcing
Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation.

2.9A Transaction Business Controls
Restrict transaction submission and receipt to the expected bounds of normal business.
5. Manage Identities and Segregate Privileges

5.3A Personnel Vetting Process
Staff operating the locally hosted SWIFT infrastructure are vetted prior to initial employment in that role and periodically thereafter.

5.4A Physical and Logical Password Storage
Any recorded passwords for privileged accounts are stored in a protected physical or logical location, with access restricted on a need-to-know basis.

6. Detect Anomalous Activity to Systems or Transaction Records
6.5A Intrusion Detection
Intrusion detection is implemented to detect unauthorised network access.

7. Plan for Incident Response and Information Sharing
7.3A Penetration Testing
Application, host, and network penetration testing is conducted at least annually within the secure zone and on user PCs.

7.4A Scenario Risk Assessment
Scenario-driven risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme.