Headline news yesterday (20th Dec 2016) report Ukraine Suffers Power Outage. It was the 2nd time of power disruption this year. As far as I remember the 1st incident occurred on Jan 2016. The motivation of this news lets information security experts re-think about BlackEnergy DDos tools.The Blackenergy soft tools found 2007, a notorious powerful distributed denial of services soft tool conducted cyber attacks suspended Georgian Soviet Socialist Republic communication facilities. Sum up the cyber attack in nuclear power facilities, it gives people to feel those incidents looks like a political fights. Sounds like naughty boy intend to turn off neighbor main water tap to create troubles.

Analyze of nuclear power facility of attacks

Hardcore type malware: Stuxnet, Duqu, and Flame are categories hardcore type malware. The hardcore type malware usually achieve the following actions.

Incident historical records:

1. June 2010 – Stuxnet malware to sabotage Iran’s nuclear program.
2. May 2012 – Flame malware targeted cyber espionage in Middle Eastern countries.
3. Dec 2014 – South Korean nuclear operator hacked amid cyber-attack fears.
4. Mar 2015 – South Korea claims North hacked nuclear data.
5. Apr 2016 – A malware infected systems at the Gundremmingen nuclear plant in Germany.
6. Oct 2016 – Headline News: Rep. Kim Jin-pyo, a lawmaker of the main opposition Minjoo Party of Korea, told Yonhap News Agency in a telephone interview that the hacking targeted the “vaccine routing server” installed at the cyber command.

Weaponize types of malware: contains sabotage, interfere, traffic monitoring function and remote control functions.

The original goal of design for BlackEnergy is provides powerful distributed denial of service function. To meet attacker functional requirement, BlackEnergy began supporting plugins in 2007. This is the second generation of BlackEnergy. The malware plugin feature make use of mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host (see below diagram for reference). To evade virus and malware detection, malware avoids using a hardcoded name for its mutex.

The third generation of BlackEnergy take advantage of OLE object (CVE-2014-6352). Embedded mailicous code to MS office xls format of document gained remote code execution. Since the blackenergy hash exposed to the world (see below details for reference). More than 90% of above antivirus program can detected. It looks that the severity level of risk dropped.

SHA256: f5785842682bc49a69b2cbc3fded56b8b4a73c8fd93e35860ecd1b9a88b9d3d8

Target windows component: Win32 DLL

Attack scenario: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Malware implant target destination:

• Win32 Executable MS Visual C++ (generic) (67.4%)
• Win32 Dynamic Link Library (generic) (14.2%)
• Win32 Executable (generic) (9.7%)
• Generic Win/DOS Executable (4.3%)
• DOS Executable Generic (4.3%)

Status update on 21st Dec 2016

Ukraine Suffers Power Outage Possibly Due to Energy Plant Hack on 17th Dec 2016 Sat. What do you think? Do you think a new shape of blackenergy was born? My speculation is that the cyber attacks in nuclear power facilities will going to increase coming months.

For reference:

https://www.linkedin.com/pulse/malware-vs-nuclear-power-do-you-think-scada-system-picco?trk=mp-author-card

Whenever Windows OS or applications execute syntax action, check the registry, read or write a file, launch or close a process, etc. It result in Windows calling a service in the System Service Descriptor Table (SSDT).

Hooking SSDT technique exploits found on 2010. The problem was that attacker might fool the security check especially antivirus program. Attacker benefits on behavior of an electronic, software or other system output design limitation. A specific kind of bug given by race condition. This is so called time-of-check-to-time-of-use (TOCTTOU or TOCTOU), a vulnerability in security-conscious code. Microsoft suggest antivirus vendor use microsoft offical API, whereas the official API does not support all the required functions. Therefore antivirus vendor was still forced to use SSDT hooks to implement behavior detection.

CWE-367 – The software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

How the code (TOCTTOU) does?

The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations. The program uses the access() system call to check if the person running the program has permission to access the specified file. If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges.

functionreadFile($filename){
$user = getCurrentUser();

//resolve file if its a symbolic linkif(is_link($filename)){
$filename = readlink($filename);
}

if)fileowner($filename)==$usr){
echo file_get_contents($realFile);
return;
}
else{
echo'Access denied';
returnfalse;
}
}

In real world attacker change above file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files.

Hooked with inline, IAT or EAT hooks

Reference: System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows. Hooking SSDT calls is often used as a technique in both Windows rootkits and antivirus software.

Why Anti-viruses not check the library modules of exe to detect hook?

Avoid false positive mainly! Antivirus detect the (SetWindowsHookEx) API call is not sufficient since it is also used by many authorized applications. For instance the fundamental design of hooking calls such as SetWindowsHookEx is for debugging.

Security expert know the weakness of anti virus program and therefore develop additional scan tool. Yes, it is a Ring 3 hook scanner. The scanner can do the following functions.

(Ring3) Scan every running process:

(Ring3) Scan only the running process with PID 

To be honest, IT guy might feel that malware running on Ring 3 is easy to figure out compare with Ring 1 and Ring 0. But properly not.

Conclusion:

As of today, it is hard to judge behavior base malware detection method is outdated. We known that malware detector especially FireEye can arrest over 99% of malware. The reason is that the detective control of Fire-eye looks great. The device stand parallel with layer 3 core switch. The gateway type infrastructure which enhance the detection level of malware activities. It is because malware require communicate with C&C server.

Next topic we discuss Ring 1 and Ring 0 concept. Stay tuned.

The subject matter looks bring mystery feel to reader? People who like to pop music might heard a famous song by Pink Floyd. Yes, it is Dark side of the moon. Rumors told that dark side of the earth (Moon) have another civilization living there? Is it true?

In computer world, memory leaks issues happened not a new topics. Hacker relies on this error can implant malware. The Google Chrome browser found a memory leak issue on Nov 2014. User found that some elements of the DOM (Document Object Model), or handlers, are not being released properly. Below 3 items of memory leak criteria can bring an idea to you what is the definition of memory leak.

1. Applications stay in memory when not in use
2. System run–time is expected to be unlimited
3. Systems typically have lower total available system memory

Hottest target lure the hackers

Svchost.exe is the important process of your Windows 7/8/8.1/10 operating system that contains the group of individual services. Windows uses these services for the various system functions. There can be multiple svchost.exe instances, and one instance may include several services. In most cases the Svchost.exe (netsvcs) encounter high CPU and high usage problem. This symptom might infected by a virus or a malware program.

How malware do this job?

Malware relies on system process design limitation, creates another section in its own address space and copies the svchost.exe content into the created section and then patches the svchost.exe. For more detail, please see below:

So called Process Hollowing

1. Malware starts the svchost.exe process in suspended mode which gets loaded into the address.
2. Malware determines the base address of the legitimate process by reading PEB+8 (PEB.ImageBaseAddress) and then deallocates the executable section of the legitimate process. Afterwards allocates the memory in the legitimate process with read, write and execute permission at a different address.
3. Copy and inject executable to allocate memory address.
4. Malware then overwrites the PEB.ImageBaseAdress of the legitimate process with the newly allocated address.
5. Changes the start address of the suspended thread to the address of entry point of the injected executable by setting CONTEXT._Eax and using SetThreadContext api and resumes the thread.

Conclusion:

Above scenario is one of the example of memory leak vulnerability. If you are interested of this issue. It is not difficult to find out by yourself!

2016 Supercomputer magazine

Traditionally, supercomputers have been used for scientific and engineering applications that must handle very large databases or do a great amount of computation (or both). Supercomputer have capability to handles multi task and graphics processes. Bear in our mind that computer brand name likes Cray, IBM and Fujitsu are the top of the range computer products. The mainframe system so called supercomputer because of their system architecture and handling power. Their CPU units, memories and I/O are controlled by crossbars. To measure their system performance will be measured in a technical term so called Floating point (FLOPS). It is an important specification of a computer system, especially for applications that involve intensive mathematical calculations.

Non traditional design vs traditional concept

Do you remember the Parallel Capacity Resource (PCR) clusters? The mature technology found in 2002. The success of the PCR clusters was followed by the purchase of the Multiprogrammatic Capability Resource (MCR) cluster in July, 2002 from Linux NetworX. The PCR cluster debuted as the Top 500 Supercomputers list in November, 2002.

Parallel Capacity Resource (PCR) cluster architecture create the mystery power!

The differences between China supercomputer and traditional mainframe supercomputer.

I speculated that China supercomputer architecture established by Parallel Capacity Resources Cluster concept for system development. Some technical details as finger print to proof of concept. Detail is shown as below:

1. Sunway TaihuLight, with 10,649,600 computing cores comprising 40,960 nodes.

2. System OS not mentioned on technical report, however I believed that the OS kernel development on top of System V (Unix/Linux).

2016 Supercomputer magazine

Top 1 -10 Winners

Top 1 – 10 Supercomputers geographic location

11 – 20 winners

11 – 20 Supercomputers geographic location

Can we say, hackers and malware do not have capability attacks supercomputer?

The electronic world nowadays popular ARM processor architecture. An ARM processor is one of a family of CPUs based on the RISC. ARM processors are extensively used in consumer electronic devices such as smartphones, tablets, multimedia players and other mobile devices. Supercomputer would not use low cost ARM processor. Traditional supercomputer framework build up by an array of mainframe computers. Mainframe computer CPUs especially IBM S390 CPU make use of crossbar architecture. Since mainframe CPU memory structure not disclose to public. Even though the LPAR running Window server or Linux OS, malware no idea how to jump into the kernel memory whereby it is hard to compromise the whole system. No matter how excellent performance of PCR (parallel capacity resource) cluster built by modern server, an solid concern is bring to our consideration. For instance, model Intel i686 CPU or Xeon server group PCR cluster security bottle neck happens on Core OS (Linux, Unix system V, custom build system-V(vmware))! The fact is that Intel CPU memory address cookbook you can find on market. In the sense that even though PCR cluster build by modern server provides great speed performance (floating point) but the overall security is part of the concern! To be honest, the highest floating point (Tflops) looks like a reference parameter in my personal view point. It looks that such parameter does not reflect the actual reality of usage.