Tuesday, October 27, 2015

Registry Shell\BagMRU Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.

Software\Microsoft\Windows\Shell\BagMRU

It appears that each time a folder is accessed on a Windows operating system, Windows records that folder under the BagMRU registry key. For example, I opened the following registry key:

HKEY_USERS\C__Users_USERNAME_AppData_Local_Microsoft_Windows_UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\14

And was able to read the following values:

login_scripts

Which would seem to me to indicate that a folder named login_scripts was accessed.

NirSoft has a nice utility called ShellBagsView that allows you to view these values.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Registry Explorer\UserAssist Key

If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.

Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\

It appears that each time a program is executed on a Windows operating system, Windows keeps track of it in this key, including the date/time and the number of times it was run. For example, I opened the following registry key:

HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\RANDOMLETTERS

And was able to read the following values:

mstsc.exe , Microsoft.Windows.RemoteDesktop

Which would seem to me to indicate that Remote Desktop was launched.

In another example I saw this text:

TaskBar\Google Chrome.lnk

Which would seem to indicate that Chrome was launched from the Windows taskbar at the bottom of the screen.

Didier Stevens has a nice utility called UserAssist that allows you to view these values.
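The value names under Count look like random letters because they are stored ROT13-encoded, and the value data is a fixed-size record. Here is an added example (my own code, not from the post or from Didier Stevens' tool) that decodes a name and parses the Windows 7+ 72-byte record; the record itself is constructed.

```python
"""Decode a UserAssist value name and parse its Count record (Windows 7+ layout).
Added example, not from the post or from Didier Stevens' UserAssist tool; the
72-byte record is constructed to look like one stored under ...\\Count\\<name>."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_value_name(name: str) -> str:
    """Value names under Count are ROT13-encoded, which is why they look like random letters."""
    return codecs.decode(name, "rot_13")

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_count_value(data: bytes) -> dict:
    """Windows 7 and later store a 72-byte record: session id, run count, focus count
    and focus time (ms) as little-endian uint32 at offset 0, last-run FILETIME at offset 60."""
    if len(data) != 72:
        raise ValueError("expected the 72-byte Windows 7+ UserAssist record")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }

def build_sample_record(run_count: int, last_run: datetime) -> bytes:
    """Constructed sample record; bytes 16..59 (unused here) are zeroed."""
    header = struct.pack("<IIII", 0, run_count, run_count, 12000)
    trailer = struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4
    return header + b"\x00" * 44 + trailer

def demo() -> dict:
    # Constructed: "zfgfp.rkr" is the ROT13 form of the Remote Desktop entry the post read.
    record = build_sample_record(3, datetime(2015, 10, 27, 9, 30, tzinfo=timezone.utc))
    result = parse_count_value(record)
    result["program"] = decode_value_name("zfgfp.rkr")
    return result
```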


Monday, October 26, 2015

Walking Thru a Phishing Email Attachment

Here's a walk-thru of how I look at a Phishing Email Attachment.

There was a McAfee alert 'HTML/Phishing.b' on a file called 'form.html'. This likely came from a user opening/clicking on an attachment in an email.

Since McAfee marked it as infected and deleted it, the file was no longer in the original folder where the alert had triggered, but it was in the McAfee Quarantine folder as a .bup, so I was able to extract it like this.

The file that came back was this ugly JavaScript, obfuscated and hard to read. At a high level, the document contains a massively long Base64-encoded variable, which the ugly JavaScript then decodes and de-obfuscates into working HTML that the user's browser or email client would display.

I know this because at the bottom I see the JavaScript call 'document.write', which is used to write raw HTML to a page. To be safe, I didn't want to run this JavaScript directly, so I re-saved it and changed 'document.write' to 'console.log'. This lets me see the HTML without the browser actually rendering it (much safer). Then I hit F12 to open the Firefox developer tools, reloaded the JavaScript, and saw in the Console tab that the HTML was output for me.

After the JavaScript runs, the HTML displayed is this. It's an HTML form styled nicely to phish PayPal credentials and send them to a .ru (Russian) website.


Monday, October 19, 2015

Exploit Kits 101

This Trend Micro white paper on exploit kits was a good read. It gives an easy-to-understand explanation of how exploit kits currently work. Here are some highlights I took from the paper.

Exploit kits appear to be the script-kiddie method of infecting victims with malware at mass scale. They require no skill or expertise; it's simply pay-to-play software as a service. The newbie bad guy wants to distribute malware to unsuspecting users, but he doesn't know how or doesn't have enough resources to get the job done. So he goes to the underground and purchases an exploit kit. With that purchase he gets an online management console where he can choose the vulnerabilities he wants to attack (Windows, Flash, etc.), the type of victims he wants to attack (a certain country, certain types of sites, etc.), and the malware payload to distribute.

All the while there is only one, or a handful, of actually skilled bad guys sitting in the background, writing the code for the exploit kit and keeping this software as a service running by adding new vulnerabilities, new add-ons, etc. to the kits.

Now how does an exploit kit work?
1.) The Newbie Bad Guy purchases the exploit kit and is given a URL by the smart bad guy
2.) The Newbie Bad Guy finds ways to get people to browse to the URL (spam, malvertisements, hacking a website)
3.) The smart guy's URL uses the logic set up by the Newbie Bad Guy on the management console to decide whom to infect
4.) If the victim should be infected, the smart guy's URL redirects the victim to the actual exploit
5.) The smart guy's URL determines which exploit to use based on the browser/OS and uses it
6.) The smart guy's exploit determines which payload/malware to deliver based on the Newbie Bad Guy's choices on the management console, and then delivers it


Why do they work?
1.) People (especially slow-moving enterprises) don't patch fast enough, so known exploits keep working for quite a while
2.) The smart bad guy is constantly adding new exploits (including 0-days, i.e. those that haven't been patched)
3.) The smart bad guy incorporates many exploit types/browsers (Internet Explorer, Flash, Silverlight, Adobe Reader, Java, ActiveX), so if one doesn't work another might
4.) The smart bad guy adds evasion techniques like auto-disabling the kit if it detects an anti-virus
5.) The smart bad guy is constantly updating/changing the URL and exploit behavior so that old detection signatures no longer match
6.) The smart bad guy heavily obfuscates the payloads so that they're encrypted, compressed, etc. and very difficult to detect
7.) There are plenty of Newbie Bad Guys forking out money to the smart bad guy, making it worthwhile for him to continue his evil operations

How can it be stopped?
- It seems the smart bad guy will always have the upper hand in evading static signatures and developing new obfuscation techniques. So to me it seems that defense will rely heavily on behavior-based solutions for the near future. Behavior-based solutions need to understand what is normal and abnormal and be able to alert on the abnormal without knowing anything about the specific malware or attack.


Monday, October 12, 2015

SIP (VoIP) Packets from sipvicious

Have you ever seen traffic looking like this against your network?

The protocol is SIP, the destination port is 5060/UDP, and it's a request. From what?

If you look at the UDP Stream you'll see more details.


In the stream you see key information like 'From: "sipvicious"', 'User-Agent: friendly-scanner', etc.

My understanding is that this is essentially the script-kiddie version of VoIP hacking. sipvicious is a tool (watch this video) that scans a network for VoIP servers and then tries to brute-force its way into them and wreak havoc. If SIP is set up poorly or insecurely, you could have big problems from sipvicious.

Why care? If you're the good guy and you support VoIP / SIP, then you need to know about tools like this so that you can protect against it and secure your setup.
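For the defender, the two strings called out in the stream above ('From: "sipvicious"' and 'User-Agent: friendly-scanner') are enough to flag a scan. Here is an added example (my own code, not from the post or from sipvicious) that parses a UDP/5060 payload and classifies it; the two sample payloads are constructed, with RFC 5737 test addresses.

```python
"""Flag SIP requests carrying the sipvicious / friendly-scanner markers seen in
the post. Added example (not part of the original post); the two UDP/5060
payloads at the bottom are constructed, with RFC 5737 test addresses."""
import re

SCANNER_USER_AGENTS = {"friendly-scanner"}
SCANNER_FROM_NAMES = {"sipvicious"}
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$")

def parse_sip_request(payload: str):
    """Return (method, headers) for a SIP request, or None if it is not one."""
    head = payload.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first colon ends the header name
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), headers

def display_name(from_header: str) -> str:
    """Pull the quoted display name out of a From/To header, e.g. "sipvicious"<sip:...>."""
    m = re.match(r'\s*"([^"]*)"', from_header)
    return m.group(1) if m else ""

def classify_sip_packet(payload: str) -> dict:
    parsed = parse_sip_request(payload)
    if parsed is None:
        return {"is_scanner": False, "method": None, "reasons": []}
    method, headers = parsed
    reasons = []
    ua = headers.get("user-agent", "").lower()
    if ua in SCANNER_USER_AGENTS:
        reasons.append("User-Agent " + ua)
    name = display_name(headers.get("from", "")).lower()
    if name in SCANNER_FROM_NAMES:
        reasons.append("From display name " + name)
    return {"is_scanner": bool(reasons), "method": method, "reasons": reasons}

# Constructed payloads modelled on the stream in the post (OPTIONS probe) and on a normal phone
SAMPLE_SCAN = ("OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
               "Via: SIP/2.0/UDP 192.0.2.99:5060;branch=z9hG4bK-constructed\r\n"
               'From: "sipvicious"<sip:100@192.0.2.1>;tag=constructed\r\n'
               'To: "sipvicious"<sip:100@192.0.2.1>\r\n'
               "User-Agent: friendly-scanner\r\nContent-Length: 0\r\n\r\n")
SAMPLE_PHONE = ("REGISTER sip:192.0.2.10 SIP/2.0\r\nFrom: <sip:alice@192.0.2.10>;tag=1\r\n"
                "User-Agent: ExampleDeskPhone/1.0\r\nContent-Length: 0\r\n\r\n")
```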

General reminder that this demonstration was for educational and awareness purposes and should not be used for malicious activities.


Finding Windows Files that Changed

Many times in the information security world it's necessary to see what files changed on a system. One way to do that is to compare the hashes of files (SHA1, MD5, etc.) before and after the incident. One tool that can accomplish this is the free Microsoft File Checksum Integrity Verifier (fciv.exe).

It starts with a baseline, so you'll need to have run it against a clean image originally. To do so, run it against a folder of your choosing (or the entire C:\ drive, for that matter). Notice in the command below that you choose which file types to look for (instead of every file).

    fciv.exe -xml hashdb-original.xml -r c:\windows\temp\SuspiciousFiles -type *.dll -type *.zip -type *.png

Let's say in this folder there were originally 3 untouched files.

Now the malware touched 1 of them and compromised its integrity.

Then, after an incident, run this command to compare the original hash database against the current state of the system. As you see below, it identified the change, the original hash and the new hash.

    fciv.exe -xml hashdb-original.xml -v -bp c:\windows\temp\SuspiciousFiles
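The same baseline-then-verify workflow, as an added example in Python (my code, not fciv.exe or Microsoft's): build a hash database filtered by file type, save it, and later report changed, missing and added files. demo() uses a temporary folder with constructed files in place of c:\windows\temp\SuspiciousFiles.

```python
"""Hash baseline and later comparison of a folder, the same workflow the post
runs with fciv.exe -xml ... and fciv.exe -v. Added example, not fciv itself;
demo() builds a temporary folder in place of c:\\windows\\temp\\SuspiciousFiles."""
import fnmatch
import hashlib
import json
import os
import tempfile

def file_sha1(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str, patterns=("*",)) -> dict:
    """Map relative path -> SHA1 for files matching any pattern (like fciv -type *.dll)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_sha1(full)
    return baseline

def verify(root: str, baseline: dict, patterns=("*",)) -> dict:
    """Compare the folder's current state against a saved baseline (like fciv -v)."""
    current = build_baseline(root, patterns)
    changed = {p: (baseline[p], current[p])
               for p in baseline if p in current and baseline[p] != current[p]}
    return {"changed": changed,
            "missing": sorted(p for p in baseline if p not in current),
            "added": sorted(p for p in current if p not in baseline)}

def demo() -> dict:
    patterns = ("*.dll", "*.zip", "*.png")  # same filter as the post's -type arguments
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("a.dll", b"A"), ("b.zip", b"B"), ("c.png", b"C"), ("notes.txt", b"x")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root, patterns)
        saved = json.loads(json.dumps(baseline))  # stands in for hashdb-original.xml on disk
        with open(os.path.join(root, "b.zip"), "wb") as f:  # malware tampers with one file
            f.write(b"B tampered")
        report = verify(root, saved, patterns)
        report["baseline_files"] = sorted(baseline)
        return report
```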


Find Hidden Website Folders

Here's a simple tool that can find hidden/common website folders that might not be linked directly from the main page.

Download a brute-force website scanner like dirs3arch.

Run it against an ASP website:
   python.exe dirs3arch.py -u mywebsitethatiownandcontrol.com -e asp

Or run it against a PHP website:
   python.exe dirs3arch.py -u mywebsitethatiownandcontrol.com -e php

Watch as it discovers several pages that may or may not be of interest.


Why might this be useful? Well, if you're a bad guy you probably want to know whether there are hidden administrator pages, or you can use the existence of certain folders to determine what operating system, web environment, programming service, version, etc. it's running so you know how to target it. If you're a good guy (like us) then you want to know what the bad guy is going to find so you can secure it and properly protect your website.
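The flip side for the good guy is noticing when someone runs such a scanner against your site: a brute-forcer leaves one client requesting many distinct paths that all return 404 in a short window. Here is an added example (my own code, not from the post or from dirs3arch) that finds that pattern in Common Log Format access-log lines; the log lines are constructed.

```python
"""Spot the access-log footprint of a directory brute-forcer like dirs3arch:
one client requesting many distinct paths that return 404 in a short window.
Added example (not part of the post); the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line: str):
    """Parse one Common Log Format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_path_bruteforce(lines, window_seconds=60, threshold=20) -> dict:
    """Return {ip: most distinct 404 paths seen in any window} for clients over threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over this client's 404s
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

def sample_log() -> list:
    """Constructed: 25 guessed paths from one client in 25 seconds, plus normal browsing."""
    fmt = '{ip} - - [27/Oct/2015:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'
    lines = [fmt.format(ip="192.0.2.50", sec=i, path=f"/guess{i}.asp", status=404) for i in range(25)]
    lines += [fmt.format(ip="192.0.2.7", sec=i, path=p, status=200)
              for i, p in enumerate(["/", "/about.asp", "/contact.asp"])]
    lines.append("garbage line that does not parse")
    return lines
```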

General reminder that this demonstration was for educational and awareness purposes and should not be used for malicious activities.
