Tuesday, July 14, 2009

Attacker Mindset

An unfortunate necessity of working in the security industry, and particularly of analysing malware and hacking attacks every day, is that you quite often need to put yourself in the mind of a criminal in order to properly understand the motives behind an attack. The downside is that it can be hard to turn this off. It's often been said that the only difference between a hacker and a penetration tester is "permission", as in permission to access the target you are testing. Well, the only difference between a security professional and a hacker is "ethics". Both have very similar skillsets, and both are very good at spotting scams and flaws in systems. The difference is that hackers act on this information for financial gain, whereas security professionals generally try to fix the problem, or at the very least do not act on it (we'd all be making MUCH more money if we did :P )

So it was in this frame of mind that I visited one of Ireland's biggest hardware stores at the weekend to drop back a couple of items that we did not need. While waiting for about 15 minutes at the customer service desk an idea hit me. I'd love to hear others' feedback on this situation:
  • A scammer walks into a store (in this case a hardware store, but other stores would work). He goes around the shop and spends a couple of hundred (not too much, or this would probably not work) on a variety of items.
  • The scammer comes back the following day, walks around the store and takes several of the same items off the shelves. He brings these items to customer service, along with his receipt, to "drop them back".
  • End result: the scammer spends a couple of hundred, gets the majority of it back, and keeps all the goods (which can then be sold on for a tidy profit).
There are a couple of conditions for this attack to work:
  • It needs to be a big, busy store, otherwise it is easier to see that the attacker is simply dropping back goods from the shelves.
  • The items must not have an electronic tag which indicates that they have already been sold (for example the tags you see in a lot of clothes stores).
  • Barcodes must not be individual. In other words, all copies of product X should have the exact same barcode (otherwise customer service can uniquely identify each item). TV shops tend to have individualised codes.
Having said that, there are a lot of stores that fall into this category (particularly hardware stores, where individual items can be quite expensive). I very much doubt that this is an old scam, but I would love to hear people's thoughts on it (or if you have worked in / run a store, how did they address this issue)?


Tuesday, June 23, 2009

All feedback is good feedback

In our recently published white paper on Pushdo we noted that the malware used a certain string as part of its encryption routine.

Poshel-ka ti na hui drug aver

This string roughly translates to “Screw you my friend Aver” (well, it's actually a lot less polite than that, but you get the idea). We theorised that the word Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that this word could mean “AVer” (a slang term used mainly on English virus-writing forums meaning AV researcher).

Doh!

This is not the first time that malware writers have left hidden messages that are only revealed during reverse engineering. My personal favourite was from a sample of the WORM_RINBOT family which included a message for a fellow AV researcher, after he assigned the name RINBOT to the malware family instead of the criminal gang's preferred name:

Dear Symantec:
For years I have longed for just one thing,
to make malware with just the right sting,
you detected my creation and got my domains killed,
but I will not stop,
I can rebuild.

P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.

The Rinbot authors were particularly well known for getting frustrated at AV companies for detecting their creations (ironically made easier by all of those nice messages they included for us to use in malware signatures). They were fairly generous in distributing their pent-up annoyance to everyone from SANS to CNN. In particular they really disliked people refusing to name their malware as they had intended.

Rinbot is not the only malware to include such strings; recently the TSPY_ZBOT family also started carrying messages giving out about blog articles by Avira and Microsoft. In fact these messages have been going on for years; another one, from a WORM_MYDOOM variant back in 2004, read:

we will attack f-secure,symantec,trendmicro,mcafee , etc.
The 11th of march is the skynet day lol .

It's always nice to get feedback on your work, even more so when it's the bad guys complaining that we are doing too good a job.

Friday, June 12, 2009

5 Must Have Tools (from ISSA Talk)

On Tuesday I attended the very interesting talk held by the ISSA in Dublin, where several Microsoft employees spoke about Windows 7 and their own internal IT security setup, and Elda Dimakiling and Francis Ten Seng gave a good overview of the Conficker worm. This was followed by two short presentations: Paul Collins, head of IT with Hypo Real Estate Group, showed the capabilities of the very useful MSAT tool, and I demoed some useful malware analysis tools. Overall I really enjoyed the event, and will continue to attend the ISSA events in the future.

I thought that I may as well stick the tools in question up in this blog post so that they are all linked in one location. I often get asked to fix friends' computers, and always carry around a copy of these tools on a USB key; if you know what you are doing you can clean about 90% of Windows malware with them. I'd advise any security professional to download all 5 and play around with them for 30 minutes; you'll be happy you did.

Ice Sword (Mirrored Download - Use This)
Ice Sword is a fantastic tool for rootkit detection. It will allow you to see hidden processes, registry keys, services etc. on the infected machine. In addition to this it will actually let you directly read and write areas of process memory, and it includes a basic disassembler. It also has a host of other features, such as inspecting the system's SSDT and looking at Layered Service Providers. In any malware analysis IceSword is my first port of call: remove any rootkits from the system so that you can continue your analysis.

GMER
GMER is another rootkit removal tool, again with many other features built in. Personally I prefer Ice Sword, but you really should have both at hand: sometimes malware will successfully hide from, or kill, one or the other.

Autoruns
Now that you have removed the rootkits from the PC, Autoruns is step 2. It is a fantastic tool which shows every single system load point (i.e. all of the executables which will be started during Windows startup). As it returns quite a large amount of information, here are some tips on where to start looking (as you get more used to the tool, this will become second nature):
  • Check the following tabs first: Logon, Internet Explorer, Scheduled Tasks, Services, Image Hijacks, Winlogon.
  • Pay particular attention to any entries that do not have an associated Publisher or Description, especially anything in the System32 or Windows folders. There is a very nice Right-Click -> Verify function that will check the digital signature of the executable.
  • For executables you are unfamiliar with, try the Right-Click -> Search Online feature. Interestingly this uses Yahoo search, but I would not be surprised to see a Bing version in future.
  • Delete any suspicious load points and then refresh. If the value is being recreated, that's normally a sure sign that it's bad.
Process Explorer
Think Task Manager on steroids. Some tips:
  • Pay particular attention to packed images (highlighted in purple).
  • As well as killing processes, you can also suspend them. This can sometimes be better, as some malware will have a second process or DLL watching the first, and if it is removed from memory will automatically restart it. Suspending the process means that it is still in memory, but not doing anything.
  • Most of the really cool stuff is in the Right-Click -> Properties menu. The Threads tab is very powerful, allowing you to kill/suspend individual threads within a process. Malware likes to create remote threads in other processes, so if you are having difficulties removing it, pay close attention to any threads injected into Winlogon, Explorer or IExplore.
  • The TCP/IP tab will show you any network activity of the process.
  • Strings is another excellent tab, showing the human-readable strings in a file. Note that you can look for strings in the Image (the file on disk) or in Memory. Memory is normally more useful, especially if the file is packed.
Process Monitor
A very simple, yet incredibly powerful tool. Every single file, registry, process and network access performed on the system is intercepted and logged. You can use filters to only see the details you are interested in. This is particularly useful if you are noticing certain registry keys, files or processes being recreated by a threat, as it will show you the process responsible for recreating them (quite often Explorer or Winlogon, which indicates an injected malicious thread).

Oh and if you have spent the suggested 30 minutes mucking about with these and want to know where next to go on your quest to become a security tool guru - all of the Microsoft Sysinternals tools are now available in single download - http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx .

I know that I've lost all my street cred by actually praising a Microsoft product (none of the cool kids are returning my calls), but sometimes they really do get it 100% right.


Friday, May 22, 2009

Pushdo Pushdo we all push for Pushdo

Part 2 to 5 of the Pushdo articles are now on the web.

Pushdo/Cutwail – From Russia with Love (Part 2 of 5)
Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)
Pushdo/Cutwail – Sniffing for the Win (Part 4 of 5)
Pushdo/Cutwail – Traditional AV is Useless (Part 5 of 5)

More importantly, our paper is now online. I know no one actually reads this blog (*tumbleweed drifts by*), but if anyone has any comments (both good and bad) I'd love to hear them.

Paper: A Study of Pushdo / Cutwail




Tuesday, May 12, 2009

Pushdo Blog Series

WAY too long since I've updated this :(

My teammate David Sancho and I have created a series of 5 blog articles on the Pushdo malware family, which we've been researching for the last 2 months. They will be released today, Wednesday, Friday and the following Monday and Wednesday, culminating in the release of an in-depth white paper. If you are interested in reading part 1, you can read it here.

I've also been informed that I got name-dropped in one of PDP's latest blogs over on Gnucitizen, from a talk I did at Risk 2008 in Oslo (shockingly expensive city). Really good article talking about the underground exploit-selling economy.

And lastly I was at ISSA's security event last week in Dublin. Very impressed by the speakers and interesting attendees, plus it was good to put some faces to names. They have nice lightning presentations to wrap things up (5-10 minute presentations) that I'd be interested in giving a go next time; need to think of something interesting and snappy :) Was also great to see all the Symantec crowd.

Anyhow, hope people find the Pushdo series interesting, and feel free to post any questions here as it is not possible to comment on the Trend Micro blog itself.


Wednesday, February 4, 2009

Largest Bulletin Board providers compromised

I regularly contribute to and help run a couple of Internet bulletin boards in my spare time, and it was while running one of these this morning that something quite interesting popped up. On this particular site I had installed phpBB (which holds the largest market share for internet boards), and my version was a bit out of date, so I thought it was time to wander over to http://www.phpbb.com and grab the latest update. To my surprise I came across:

Hmm, that can't be good, was my knee-jerk reaction, and judging from the waves of comments on other sites, everyone else's as well. Cries of "Oh Noes! De Interwebz is broken" or their equivalent were fairly widespread. Unfortunately a large chunk of today's internet users spend a very short amount of time reading a page before deciding to move on or read the rest. In the case of phpbb.com it looks like this attention span lasted about 2 lines, as line number 3 clearly reads (in bold):

No vulnerabilities have been found in the phpBB software itself.

Excellent! It appears the internet has not come to a grinding halt after all (unlike last Sunday). Some further reading on the phpBB support forums shows that the vulnerability is in an entirely different piece of software running on the site, PHPList, a newsletter manager which allows you to add and manage users along with creating and emailing newsletters. According to the support forums:

The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.

This database is from phpBB3, which stores passwords with a much stronger scheme (salted, iterated hashes) than phpBB2's plain, unsalted MD5. Unfortunately any users who signed up to the support site back when it was still running phpBB2, and have not signed in since the upgrade, will still have their passwords stored in the older format, which is trivial to crack with freely available rainbow tables. Users have been advised to reset their passwords on all other sites where they use the same one.
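To make the difference between the two storage formats concrete, here is an added example (my own code, not anything from phpBB or the leaked database). It contrasts an unsalted MD5 store, where one precomputed table cracks every record, with a per-user salted and iterated hash in the style phpBB3 moved to. The round count and 8-byte salt are illustrative choices, not phpBB3's exact parameters, and the wordlist and user records are constructed for the demonstration.

```python
import hashlib

# Added example, not code from the phpBB post: why an unsalted MD5 store (phpBB2)
# falls to a precomputed table while a salted, iterated hash (the phpBB3 approach)
# does not. ROUNDS and the 8-byte salt are illustrative choices, not phpBB3's exact
# parameters.

ROUNDS = 1024


def unsalted_md5(password: str) -> str:
    """phpBB2-style storage: every user with this password gets the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_iterated(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    """Per-user salt plus iteration: equal passwords diverge and each guess costs more."""
    digest = hashlib.md5(salt + password.encode()).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + password.encode()).digest()
    return salt.hex() + "$" + digest.hex()


def build_lookup_table(wordlist):
    """Stand-in for a rainbow table: digests precomputed once, reused against every dump."""
    return {unsalted_md5(word): word for word in wordlist}


def crack_with_table(stored: str, table: dict):
    """One dictionary lookup per record; works only when the store is unsalted."""
    return table.get(stored)


def crack_by_guessing(stored: str, wordlist):
    """Against a salted record the attacker must rehash every guess with that salt."""
    salt_hex, _ = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for word in wordlist:
        if salted_iterated(word, salt) == stored:
            return word
    return None


if __name__ == "__main__":
    # Constructed wordlist and user records for the demonstration.
    wordlist = ["123456", "password", "letmein"]
    table = build_lookup_table(wordlist)
    old_user = unsalted_md5("123456")                    # record migrated from phpBB2
    new_user = salted_iterated("123456", b"\x01" * 8)    # phpBB3-style record
    print("phpBB2 record cracked by table:", crack_with_table(old_user, table))
    print("phpBB3 record cracked by table:", crack_with_table(new_user, table))
    print("phpBB3 record cracked by guessing:", crack_by_guessing(new_user, wordlist))
```

The point the last line makes is easy to miss: the salt does not stop an attacker from guessing "123456", it only stops the precomputed-table shortcut and forces the work to be redone for every record, which is why the migrated phpBB2 records are the ones that are trivial to recover.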

Password Policy

I've already referred to password policy in a previous post, but here's another little tip: pick and remember 3 different passwords (more on choosing strong passwords in the previous blog post).

1) Use the 1st one for all public sites that you sign up to: bulletin boards, social networks, and the vast array of other web sites that seem to need you to give them password details.

2) Have another, different password for your laptop/desktop itself, to protect against physical access to your system.

3) Lastly pick a separate password for your email account, the holy grail for password thieves. Have a search through your emails for the words "Password" or "New Account"; it's scary how much will turn up. Compromise someone's email and you compromise their entire online web activity.

Lastly, change these passwords every 6 months. If you do this you will have gone a LONG way towards keeping your information secure online. Having separate levels of passwords is key; the number of people who blindly sign up for sites and provide both their email address and the password which is also used for their email account as login details is scary. If you are not used to remembering separate passwords, try to pick ones that have something in common. I'll end this with a simple, easy-to-remember example (Note: don't bother trying to access my email account with these :) )

Level-1 Password: aFiFuOf$$$
Level-2 Password: 4aF$$$Mo
Level-3 Password: ThGoThBa&ThUg

Clue: Spaghetti Westerns


NOTE: The Hacker who carried out the attack has posted a very interesting step by step here - http://hackedphpbb.blogspot.com/2009/01/place-holder.html


Friday, January 16, 2009

Security Policy 101

Quite a few security websites and media outlets have reported on the current wave of WORM_DOWNAD.AD detections over the last few weeks. What's noteworthy about this particular beastie is not only the scale of the infections (some estimates put it at over 8 million infected machines), but also the propagation techniques: a 3-pronged attack designed to exploit weak company security policies.

Firstly, DOWNAD.AD sends exploit packets for the recent Microsoft Server Service vulnerability (MS08-067) to every machine on the network, and to several randomly selected targets over the Internet. This vulnerability allows remote code execution for an attacker, and affects just about every version of Windows since Windows 2000.

For its next trick DOWNAD.AD drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives. Next it creates an obfuscated Autorun.inf file on these drives, so that the worm is executed simply by browsing to the network folder or removable drive (the user does not need to actually click on the file).
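The obfuscation works because Windows reads Autorun.inf as an INI file and silently skips anything that is not a [section] header or a key=value line, so the real directives survive however much binary junk is packed around them. The triage script below is an added example (my own code, not from the post and not the worm's file) that applies the same parsing rules, keeps only what Explorer would act on, and flags the directives that make simply opening the drive execute code. The SAMPLE bytes are constructed to look like a padded file; the RECYCLER path, DLL name and export are placeholders, not the worm's real values.

```python
import re

# Added example, not code from the original post: a triage parser for the junk-padded
# autorun.inf files the post describes. It applies the rules the Windows INI parser
# follows (sections in [brackets], key=value lines, ';' comments, everything else
# ignored) and then flags directives that make browsing the drive execute code.
# SAMPLE below is constructed for this example; it is not the worm's actual file.

SUSPICIOUS_KEYS = ("open", "shellexecute")
SUSPICIOUS_PATTERNS = (
    (r"rundll32", "payload is a DLL launched via rundll32"),
    (r"\\recycler\\", "payload lives under RECYCLER, as the post describes"),
    (r"open folder to view files", "Action text mimics the default Explorer prompt"),
)
KEY_RE = re.compile(r"[a-z0-9_]+")


def parse_autorun(raw: bytes) -> dict:
    """Return the key=value directives inside the [autorun] section, junk discarded."""
    directives = {}
    section = None
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # padding, or a key outside [autorun]
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if KEY_RE.fullmatch(key):         # drop junk that happens to contain '='
            directives[key] = value.strip()
    return directives


def assess_autorun(raw: bytes):
    """Return (directives, findings); an empty findings list means nothing runs on browse."""
    directives = parse_autorun(raw)
    findings = []
    for key in SUSPICIOUS_KEYS:
        if key in directives:
            findings.append(f"{key}= runs '{directives[key]}' when the drive is opened")
    blob = " ".join(f"{k}={v}" for k, v in directives.items()).lower()
    for pattern, why in SUSPICIOUS_PATTERNS:
        if re.search(pattern, blob):
            findings.append(why)
    return directives, findings


# Constructed sample: binary padding and junk lines around a handful of real directives.
SAMPLE = (
    b"\x8f\x12\x00\xffpadding that is not a directive\n"
    b"[AutoRun]\r\n"
    b"\x93\xa2 more junk without an equals sign\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"\x01\x02\x03 garbage\r\n"
    b"shellexecute=rundll32.exe .\\RECYCLER\\payload.dll,entry\r\n"
    b"\xde\xad trailing junk\r\n"
)
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\n"

if __name__ == "__main__":
    directives, findings = assess_autorun(SAMPLE)
    for key, value in directives.items():
        print(f"{key} = {value}")
    for finding in findings:
        print("!!", finding)
```

Run it over the Autorun.inf from a suspect share or USB key (read the file as bytes, do not open it in Explorer). A clean driver CD produces directives but no findings; the padded sample produces an executable shellexecute= line plus the three pattern matches.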

And then comes the icing on the cake. It first enumerates the available servers on the network and then, using this information, gathers a list of user accounts on these machines. Finally it runs a dictionary attack against these accounts using a predefined password list (more details here). If successful (and a scary amount of the time people's passwords are that bad), it drops a copy of itself on the target system and uses a scheduled task, also known as an AT job, to execute the worm.
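A dictionary attack of this kind is noisy: one host produces a burst of failed logons against many different accounts, which no single user mistyping a password ever does. The detector below is an added example (my own code, not from the post) that finds that pattern in failed-logon records. The record layout (timestamp, event ID, target account, source host) and the records in sample_records() are constructed for the example rather than any product's export format; the event IDs are the Windows audit-failure IDs, 529 on 2000/XP/2003 and 4625 on Vista and later.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original post: spot a DOWNAD-style dictionary attack in
# failed-logon records. A worm guessing passwords across many accounts from one host
# produces a burst of failures that a single mistyped password never does. The record
# layout (timestamp, event id, target account, source host) and the records themselves
# are constructed for this example, not a real product's export format.

FAILED_LOGON = {"529", "4625"}   # 529: Windows 2000/XP/2003 audit failure; 4625: Vista and later


def parse_record(line: str):
    ts, event_id, account, source = (field.strip() for field in line.split(","))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account, source


def find_password_guessing(lines, window=timedelta(minutes=5), min_failures=10, min_accounts=3):
    """Return {source_host: (failures, distinct_accounts)} for every host whose failed
    logons inside some window of length `window` exceed both thresholds."""
    per_source = defaultdict(list)
    for line in lines:
        ts, event_id, account, source = parse_record(line)
        if event_id in FAILED_LOGON:
            per_source[source].append((ts, account))

    hits = {}
    for source, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window
                start += 1
            span = events[start:end + 1]
            accounts = {account for _, account in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                best = hits.get(source, (0, 0))
                if len(span) > best[0]:                          # keep the worst window
                    hits[source] = (len(span), len(accounts))
    return hits


def sample_records():
    """Constructed records: one host hammering three accounts, one genuine typo."""
    base = datetime(2009, 1, 15, 9, 0, 0)
    accounts = ["administrator", "backup", "svc_sql"]
    lines = [
        f"{base + timedelta(seconds=10 * i):%Y-%m-%d %H:%M:%S}, 529, {accounts[i % 3]}, WS-17"
        for i in range(12)
    ]
    lines.append("2009-01-15 09:00:30, 529, jsmith, WS-04")   # user mistyped once
    lines.append("2009-01-15 09:01:00, 528, jsmith, WS-04")   # 528: successful logon
    return lines


if __name__ == "__main__":
    for host, (failures, accounts) in find_password_guessing(sample_records()).items():
        print(f"{host}: {failures} failed logons against {accounts} accounts")
```

The thresholds are deliberately conservative; tune them to your environment, and treat a hit on a host that subsequently creates AT jobs on other machines as confirmation rather than coincidence.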


So why is this worm so successful? Simple: poor security policies.

The first propagation technique is really exploiting poor patch management. A patch for this vulnerability has been available since late last year, but still some companies have not properly rolled it out to all machines on their network. Remember, even one unpatched machine is enough for this worm to spread through the entire network. Patch management is a critical component of any IT department's job today, and it is vitally important that patches are applied in a timely fashion across ALL of the company's machines, including laptops and other mobile devices. Companies also need to have very clear policies on the patch levels of external parties who access their network (e.g. partner companies, contractors, etc.). Like so many aspects of security, it only takes one hole to bring down an entire network.

Autorun malware has been a big problem over the last 6 months, and to be honest, it really should be a non-issue. Quick, grab a piece of paper and a pencil. Got them? Great, ok, now in 30 seconds try to write down a single reason why your company NEEDS all removable drives and network shares to automatically execute code just by viewing them. It's ok, I'll wait till you are done... didn't come up with one, did you? Let me save you the pain of figuring out the next step: how to disable Autorun (more details here).
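The switch for this is the NoDriveTypeAutoRun policy value under Policies\Explorer, a bitmask with one bit per drive type where a set bit means "do not autorun". The added example below (my own code, not from the post) decodes an existing value to show which drive types still autorun, computes the fully hardened value of 0xFF, and, on Windows, writes it. The "before" values it prints are constructed samples, not read from any real machine. One caveat worth knowing: Windows XP and Server 2003 did not honour this value for every drive type until Microsoft's later update KB967715 (which also introduces the HonorAutoRunSetting value) was installed, so check for that update as well as setting the bitmask.

```python
import sys

# Added example, not from the original post: decode and harden the NoDriveTypeAutoRun
# policy value that switches Autorun off per drive type. Bit meanings follow the
# drive-type constants Windows documents for this value. The sample values passed in
# below are constructed; only apply_policy() touches a real registry, and only on Windows.

DRIVE_BITS = {
    0x01: "drives of unknown type",
    0x02: "drives with no root directory",
    0x04: "removable drives (USB sticks, floppies)",
    0x08: "fixed disks",
    0x10: "network drives",
    0x20: "CD/DVD-ROM drives",
    0x40: "RAM disks",
    0x80: "reserved / unknown drives",
}
DISABLE_ALL = 0xFF
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def still_autoruns(value: int):
    """Drive types on which Autorun remains enabled under this bitmask (set bit = disabled)."""
    return [name for bit, name in DRIVE_BITS.items() if not value & bit]


def hardened(value: int) -> int:
    """The corrected value: every drive-type bit set, nothing autoruns."""
    return value | DISABLE_ALL


def describe(value: int) -> str:
    left = still_autoruns(value)
    if not left:
        return f"0x{value:02X}: Autorun disabled for all drive types"
    return f"0x{value:02X}: Autorun still enabled for " + ", ".join(left)


def apply_policy(machine_wide: bool = True) -> int:
    """Write the hardened value (Windows only) and return it."""
    if sys.platform != "win32":
        raise RuntimeError("registry writes are only possible on Windows")
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE if machine_wide else winreg.HKEY_CURRENT_USER
    with winreg.CreateKeyEx(hive, POLICY_KEY, 0, winreg.KEY_READ | winreg.KEY_WRITE) as key:
        try:
            current, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            current = 0                      # value absent: Windows defaults apply
        new_value = hardened(current)
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, new_value)
        return new_value


if __name__ == "__main__":
    for sample in (0x91, 0x95, 0xFF):      # constructed "before" values and the fixed one
        print(describe(sample))
```

In a domain the same value is better pushed through Group Policy ("Turn off Autoplay" for all drives) than written host by host, but the bitmask it sets is the one shown here, and describe() is a quick way to audit what a given machine's value actually leaves enabled.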

Lastly we have the old classic: weak passwords. You could write a book on how to ensure users use strong passwords (in fact people already have), but to help save your hard-earned money during this economic downturn, we've kindly made one available as part of our Safe Computing Guide. Go have a read. After all, it would be nice not to have to explain to your boss that every machine in the company is infected because you had picked "123456" as the default password on all of your machines and shared drives.

To quote my favourite sportsperson Roy Keane - "Failure to Prepare, Prepare to Fail"
