Thursday, July 28, 2011

True Identity vs Anonymous: Evaluating real-life examples

The privacy and dignity of our citizens are being whittled away by sometimes imperceptible steps. Taken individually, each step may be of little consequence. But when viewed as a whole, there begins to emerge a society quite unlike any we have seen, "a society in which government may intrude into the secret regions of a person's life".

Why be Anonymous?
"The right to be let alone is indeed the beginning of all freedom".
1.Everyone has the right to privacy.
2.Anonymous NOT EQUALS Law-breaker.
3.Requires intellect, desire, diligence, and dedication.

-Minimally anonymous
-The FBI will find you

-Moderately anonymous
-More difficult
-Potentially illegal
-The FBI can find you

-Off the grid
-Completely invisible
-Up to you who finds you

-Must develop new habits, gets easier over time
-Be discreet when talking to others
-Say as little as possible
-Identity awareness
-Use social engineering
-Look Around!
-Situational awareness
-Look for and avoid surveillance
-Blend in, do not stand out
-Ongoing process

Getting Started In Real Life
-Cancel All Subscriptions
-Forward Mail to a Secondary Address (Third-Party, Scanned Mail Service)
-Expunge legal and credit histories
-Place locks on credit files
-Shred everything

Getting Started Online
-Eliminate online profiles (Friendster, MySpace, Facebook, etc)
-Clean Up Search History
-Nothing in the Cloud (Host Your Own, Encrypt Everything)
-Everything in the Cloud (Host Nothing, Encrypt Everything)
-Format and Reinstall
-Create All New Accounts

Becoming Anonymous
-Change your name
-Alternative ID
-Alter fingerprints
-Sell registered properties
-Terminate all contracts
-Disposable email addresses (Dodgit, Guerilla Mail, Gmail, Hotmail, Yahoo)
-Mail box rentals (Mailboxes, Scanned Mail Service)
-Fake your own death

-Single Room Occupancy (Cash rent, Long-term sublet, Shared utilities)
-Unregistered RV
-Commune (Kibbutz, Nudist Colony, Don’t Drink the Kool-Aid)
-Travel Continuously (Couch Surfing, Hostels, Shelters, Public Parks, Squatting)

Making Money
-Jobs that pay cash
-The world's oldest profession (e.g. Porn)
-Day labor
-Service industry
-Graphics and web design

Using Money

-Use Cash
-Classifieds, Cash Auctions
-Gift Cards, use as CCs
-Check Cashing Services
-Digital Money (E-Gold, Paypal Corporate, Internet Bartering)
-Money Orders
-Offshore Accounts
-Sugar Daddy

-Public (Buses, Trains)
-Cabs & Gypsy Cabs
-Carpool / Rideshare
-Vehicles w/o Registration (Bicycles, 50cc Scooters)
-Travel in Disguise (Wear hats and glasses, Pre-determine camera locations)
-Avoid frequent mass-transit

-Disable GPS devices
-Disable bluetooth
-Turn cell phone off when not in use
-RFID tags (RFID Zapper, Use a shielded wallet)
-Harden computers and smart phones
-Tinfoil hat


-Telecom (Pay phones, burners, Prepaid LD)
-Internet (Use email lightly, Internet Relay Chat, Usenet / classifieds)
-Encryption (Off the Record, Steganography)
-Voice over IP (Hosted VoIP, BYO VoIP)

-Public kiosks, local wifi
-Prepaid SIMs for data
-Use a Live CD
-Use tor, anonymous proxies
-Enable safe browsing
-Anonymous searching (startpage, googlesharing, customize google)
-Anonymous remailers
-Netbook + Truecrypt encrypted SSD, USB

Social Interaction
-Use disguises in public
-No long term communities
-Use a proxy
-Avoid people
-Avoid all social networking
-Avoid all publicity

The Rules
-Do not be your identity
-Get rid of your paper trail
-Use cash
-Constantly improve your situational awareness
-Blend in
-Encrypt everything

Wednesday, July 6, 2011

Internet Explorer: Your personal computer is public property

A successful compromise will result in an attacker being able to blindly read every single file in the local drive.
–Both text and binary files (thanks MSXML2.DOMDocument.3.0!)
–Cross-domain information (Navigation history, Cookies)
–SAM backup files
–Recently opened files
–Personal pictures
–Other files, depending on the computer compromised (wwwroot in IIS, Configuration files for other applications)

Internet Explorer Internals
-Every browser has its own idiosyncrasies
-For the purposes of this presentation, it is convenient to review some design features of Internet Explorer
1.Security Zones
2.Zone Elevation
3.MIME type detection

Security Zones
-Enable administrators to divide URL namespaces according to their respective levels of trust and to manage each level with an appropriate URL policy
-Different treatment for web content depending on its source
-Five different sets of privileges (zones)
1.Restricted Sites
2.Internet
3.Trusted Sites
4.Local Intranet
5.Local Machine

Zone Elevation
-It occurs when a Web page in a given security zone loads a page from a less restrictive zone in a frame or a new window
-Internet Explorer behaves differently depending on the less restrictive zone the page is trying to elevate to:
1.to the Local Machine zone is blocked
2.to the Intranet or Trusted Sites zones prompts for a confirmation
3.from the Restricted Sites zone to the Internet zone is allowed

MIME type detection
-Tests URL monikers through the FindMimeFromData method
-Determining the MIME type proceeds as follows:
1.If the suggested MIME type is unknown, FindMimeFromData immediately returns this MIME type as the final determination
2.If the server-provided MIME type is either known or ambiguous, the buffer is scanned in an attempt to verify or obtain a MIME type
3.If no positive match is obtained, and if the server-provided MIME type is known
4.If no conflict exists, the server-provided MIME type is returned. If conflict exist, the file extension is tried.
5.Otherwise defaults to text/plain or application/octet-stream

Features (vulnerabilities) enumeration
-Hiding the key under the doormat
-A chip off the old block
-Two zones, the same place
-How to put HTML/script code in remote computers
-Everything that glitters is not gold

Hiding the key under the doormat
-Internet Explorer cookies and history files are stored in different files and folders under %USERPROFILE%
-As a security measure, these files are stored inside randomly named folders with random file names
-These random names and locations are logged inside different mapping files named index.dat
%USERPROFILE%\Local settings\History\History.IE5\index.dat
%USERPROFILE%\Local settings\IECompatCache\index.dat
-These files are not entirely text formatted
-As these files work as maps to other files, access to these files would reveal the actual locations of mapped files and folders

A chip off the old block
-Internet Explorer resembles Windows Explorer in many aspects (both of them implement the Trident layout engine and both of them support UNC paths for SMB access)
-This way, Internet Explorer allows access to special files and folders, the same as Windows Explorer does

Any web page in the Internet zone or above can include an HTML tag as follows:
-It will trigger an SMB request against
-As part of the challenge-response negotiation, the client sends to the server the following information about itself:
1.Windows user name
2.Windows domain name
3.Windows computer name
4.A challenge value chosen by the web server ciphered with the LM/NTLM hash of this user’s password

Two zones, the same place
-Internet Explorer will determine the security zone of a given UNC address as belonging to:
1.The Internet security zone if this path contains the IP address of the target machine
2.The Local Intranet security zone if this path contains the NetBIOS name of the target machine

-It makes sense, as SMB names can only be resolved in the same network segment
-\\NEGRITA is in the Local Intranet zone
-\\ is in the Internet zone
-This is one of the root causes of the problems the Microsoft staff has in closing the attack vectors exposed here
-After several discussions with MSRC team members, they stated this issue is kind of a dead end, and cannot be fixed
-According to the Security Zones scheme, a page in a given zone can not redirect its navigation to a more privileged zone
-This behavior is known as Zone Elevation
-Now, consider the following dialog:

-In this case Internet Explorer will erroneously (due to this ambiguity) apply Zone Elevation restrictions and the redirection will effectively occur
-There is another way to bypass Security Zone restrictions
-Suppose that ( was explicitly added to the Restricted Sites Security Zone
-Then this URI will be treated with the privileges of that zone
-However, if the same resource is requested using the UNC notation, it will be treated as belonging to the Internet Security Zone (e.g. \\\index.html)
-Restricted Sites restrictions to a given resource are bypassed if it can be accessed using a different protocol [file: | https: | ...]

How to put HTML/script code in remote computers
-There are different ways for remote servers to write HTML/script code in clients hard drives
1.Navigation history files
3.Mapping files (Internet Explorer index.dat)

-Problems in the design/implementation of these features
1.Contents are saved as they were received, with little or no sanitization/overhead, into these files
2.Internet Explorer allows rendering the contents of non-pure HTML files skipping the parts that can not be rendered

Everything that glitters is not gold
-The way Internet Explorer decides how to treat a given file is known as MIME type detection
-It basically uses an algorithm to find and launch the correct object server/application to handle the requested content
-Is based on information obtained from
1.The server-supplied MIME type, if available
2.An examination of the actual contents associated with a downloaded URL (FindMimeFromData)
3.The file name associated with the downloaded content (assumed to be derived from the associated URL)
4.Registry settings (file extension/MIME type associations or registered applications) in effect during the download

-Problems in the design/implementation of this feature:
1.The server-provided MIME type is returned when the following conditions are true:
-no positive match is obtained from the FindMimeFromData() buffer scan
-server-provided MIME type is known
-no conflict exists (format is either text or binary)

2.Has been proven (more than once) not to behave deterministically when accessing the same resource through different methods
-direct navigation
-frame/iframe reference

Turning features into vulnerabilities to build an attack
-In and of itself each of these bugs may not seem like something you should be concerned about
-The combined use of them by an attacker may lead to some interesting attacks

Case 1: Attacking local networks with shared folders

Case 2: Attacking the Internet user

Overall Impact
-By chaining the exploitation of a series of weak features an attacker is able to store HTML and scripting code in the victim’s computer and force the victim’s browser to load and render it
- is in the Internet Zone, but as the code is actually stored in the victim’s computer, it can access other files in the same computer (in this case, the victim’s computer)
1.SAM backup files
2.All of the victim’s HTTP cookies and history files
3.Source files in Inetpub\wwwroot
4.Recent files, personal pictures (thumbs.db maps these files)
5.Any other file on the local system (system events, configurations)

These attack scenarios have been proven to work:

-The only difference is in the way Internet Explorer is tricked into rendering its internal tracking files as HTML
-That is the only thing Microsoft is fixing. This is a design problem. They are just blocking our proof of concept
-That is why we are breaking it over and over again

Solutions and Workarounds
-Internet Explorer Network Protocol Lockdown
-Set the Security Level setting for the Internet and Intranet zones to High
-Disable Active Scripting for the Internet and Intranet zone with a custom setting
-Only run Internet Explorer in Protected Mode
-Use a different web browser to navigate untrusted web sites

Thursday, June 30, 2011

Attacking VMWare Guest Machines

Vulnerability Discovery
-Vulnerability identified on 5/14/09
-Reported to VMware on 5/15/09
-VMware responded on 5/21/09
-CVE-2009-3733 reserved on 10/20/09
-VMSA-2009-0015 released on 10/27/09
-"Directory Traversal vulnerability"

-Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04)
-Thought to be localized to inside of NAT interface of Host (8307/tcp)
-Can steal VMs from within other VMs... if NAT.

-Web Access web servers also vulnerable
-Server (default ports 8222/8333) - ../ x 6
-ESX/ESXi (default ports 80/443) - %2E%2E/ x 6
-No longer requires NAT mode / Remotely exploitable
-Not as straightforward as originally thought
-Still trivial to exploit because...

Root Access Is Easy

How it works?

-Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.)
-Web server on 8307/tcp is also vulnerable, but serves ALL filetypes
-Simply append /sdk to our URL request and we’ve got complete access to Host filesystem (including other Virtual Machines)
-ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)

Vulnerable Versions
-VMware Server 2.x < 2.0.2 build 203138 (Linux)
-VMware Server 1.x < 1.0.10 build 203137 (Linux)

-ESX 3.5 w/o ESX350-200901401-SG
-ESX 3.0.3 w/o ESX303-200812406-BG
-ESXi 3.5 w/o ESXe350-200901401-I-SG

Guest Stealer
-Perl script remotely ‘steals’ virtual machines from vulnerable hosts
-Supports Server, ESX, ESXi
-Allows attacker to select which Guest to ‘steal’
-Utilizes VMware configuration files to identify available Guests and determine associated files

-/etc/vmware/hostd/vmInventory.xml (default location)
-Gives us Guest inventory & location information

-Patch, patch, patch
-Hosts are an attractive target (compromise one = access many)
-Better yet...Segment, segment, segment
-Segment management interfaces
-Segment systems of different security levels
-Don’t share physical NICs between different security levels
-Virtualization is not always the "best answer"
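
A log check to go with the patching and segmentation advice, added here as an illustration and not part of the original talk or of Guest Stealer: it scans web access logs for request paths that climb above the web root, covering the plain ../ form, the %2E%2E/ form and nested encodings of it. The common-log-format layout, the function names and the sample lines are assumptions; the log lines are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample lines in common log format (assumed layout, e.g. from a
# reverse proxy or sensor in front of the management interface).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2009:10:01:02 +0000] "GET /ui/ HTTP/1.1" 200 5120
10.0.0.9 - - [27/Oct/2009:10:01:07 +0000] "GET /sdk/../../../../../../etc/vmware/hostd/vmInventory.xml HTTP/1.1" 200 912
10.0.0.9 - - [27/Oct/2009:10:01:09 +0000] "GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml HTTP/1.1" 200 912
10.0.0.7 - - [27/Oct/2009:10:02:11 +0000] "GET /ui/css/../img/logo.png HTTP/1.1" 200 2048
10.0.0.9 - - [27/Oct/2009:10:02:30 +0000] "GET /%252E%252E/%252E%252E/etc/vmware/hostd/vmInventory.xml HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)


@dataclass
class Finding:
    src: str
    timestamp: str
    path: str           # request path after all percent-decoding passes
    climbs: int         # directory levels reached above the web root
    decode_rounds: int  # decoding passes needed (2 or more = nested encoding)
    served: bool        # True when the server answered 2xx


def fully_decode(path, max_rounds=4):
    """Percent-decode repeatedly so %2E%2E and %252E%252E both become '..'."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def escape_depth(path):
    """Return how far above the web root the path climbs at its lowest point.

    A '..' that only cancels an earlier directory (/ui/css/../img) stays
    inside the root and yields 0.
    """
    depth = lowest = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return -lowest


def scan(log_text):
    """Return a Finding for every request whose path escapes the web root."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_path = m["target"].split("?", 1)[0]
        path, rounds = fully_decode(raw_path)
        climbs = escape_depth(path)
        if climbs > 0:
            findings.append(Finding(m["src"], m["ts"], path, climbs, rounds,
                                    m["status"].startswith("2")))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        state = "SERVED" if f.served else "refused"
        print(f"{f.timestamp} {f.src} climbs={f.climbs} "
              f"decode_rounds={f.decode_rounds} {state} {f.path}")
```

Requests that were answered with a 2xx status deserve attention first, since the server returned content for a path outside its root.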

Credits:  Justin Morehouse @ ShmooCon

Tuesday, June 28, 2011

Broad View of Cloud Security

Cloud Computing in the security industry has multiple definitions and several approaches:
-URL scanning
-AV scanning
-Spam scanning
-and more...

Cloud Paradigm
-Pro Cloud
-Against Cloud
-A hybrid approach is better

-No versioning (no large product updates)
-Low resource consumption
-Higher speed
-Not OS dependent
-Not hardware dependent
-Instant access to updates
-New technologies available like outbreak detection or statistics based algorithms
-Sometimes...It is also cheaper

-No internet connection means no cloud
-Susceptible to DDOS attacks
-Resource consumption just moved into the cloud. It didn’t vanish!
-Connection spikes can cause false negatives (or, even self-DDOS)
-Instant updates can also mean instant faulty updates
-Data center failure means no detection

What Else Can Cloud Offer?
Opens the door to a new set of:
-Operating systems

Size Does Matter
-Several sources of URLs means an extremely large number of URLs
-Several clients that query the cloud means a massive number of links that have to be analyzed
-Links have various statuses (clean, infected, phishing, fraud) which change dynamically
-So, one has to move fast...

Lies, Damned Lies and Statistics
-Targeted attacks stay under the radar
-Slow spreading malware too

Not everybody likes us
-Website owners
-Maybe even social networks?
-And hopefully the bad guys (i.e. Hackers)

-We believe that a hybrid approach is best
-The cloud should be used as another filtering method and not as a universal solution
-Not only should there be a hybrid approach, but these techniques also have to be interconnected
-Although it looks quite easy in theory, creating and maintaining a cloud architecture is not an easy process

Wednesday, June 15, 2011

Advanced Mobile Spyware

Mobile Spyware

-Often includes modifications to legitimate programs designed to compromise the device or device data
-Often inserted by those who have legitimate access to source code or distribution binaries
-May be intentional or inadvertent
-Not specific to any particular programming language
-Not specific to any particular mobile Operating System

Attacker Motivation
Practical method of compromise for many systems
–Let the users install your backdoor on systems you have no access to
–Looks like legitimate software so may bypass mobile AV

Retrieve and manipulate valuable private data
–Looks like legitimate application traffic so little risk of detection

For high value targets such as financial services and government it becomes cost effective and more reliable

–High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation
–Think "Aurora" for Mobile Devices

$149 -$350 PER YEAR depending on features
–Remote Listening
–C&C Over SMS
–SMS and Email Logging
–Call History Logging
–Location Tracking
–Call Interception
–GPS Tracking
–Symbian, Blackberry, Windows Mobile Supported

Mobile Spy
$49.97 PER QUARTER or $99.97 PER YEAR
–SMS Logging
–Call Logging
–GPS Logging
–Web URL Logging
–BlackBerry, iPhone (Jailbroken Only), Android, Windows Mobile or Symbian

Etisalat (SS8)
-Cell carrier in United Arab Emirates (UAE)
-Pushed via SMS as "software patch" for Blackberry smartphones
-Upgrade urged to "enhance performance" of Blackberry service
-Blackberry PIN messaging as C&C
-Sets FLAG_HIDDEN bit to true
-Interception of outbound email / SMS only
-Discovered because a flooded listener server caused retries that drained the batteries of affected devices
-Accidentally released the .jar as well as the .cod (ooopsie?!)

Bugs & Phonesnoop
–Exfiltration of inbound and outbound email
–Remotely turn on a Blackberry phone microphone
–Listen in on target ambient conversation

Storm8 Phone Number Farming
–iMobsters and Vampires Live (and others)
–"Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhone user who downloads any Storm8 game," the suit alleges. "... Storm8, though, has no reason whatsoever to access the wireless phone numbers of the iPhones on which its games are installed."
–"Storm8 says that this code was used in development tests, only inadvertently remained in production builds, and removed as soon as it was alerted to the issue."

Symbian Sexy Space
–Poses as legitimate server ACSServer.exe
–Calls itself 'Sexy Space'
–Steals phone and network information
–Exfiltrates data via hacker owned web site connection
–Can SPAM contact list members
–Basically a "botnet" for mobile phones
–Signing process: Anti-virus scan using F-Secure (Approx 43% proactive detection rate (PCWorld))
-Random selection of inbound manually assessed
–Symbian signed this binary as safe!

09Droid –Banking Applications Attack
–Droid app that masquerades as any number of different target banking applications
–Target banks included: Royal Bank of Canada, Chase, BB&T, SunTrust; over 50 financial institutions in total were affected
–May steal and exfiltrate banking credentials
–Approved and downloaded from Google’s Android Marketplace!

Blackberry Takes Security Seriously
-KB05499: Protecting the BlackBerry smartphone and BlackBerry Enterprise Server against malware:
-Protecting the BlackBerry device platform against malware: BlackBerry device platform against malware.pdf
-Placing the BlackBerry Enterprise Solution in a segmented network:
-BlackBerry Enterprise Server Policy Reference Guide:

Does It Really Matter?
-Only 23% of smartphone owners use the security software installed on the devices.
(Source: Trend Micro Inc. survey of 1,016 U.S. smartphone users, June 2009)
-13% of organizations currently protect from mobile viruses
(Mobile Security 2009 Survey by Goode Intelligence)

Code Signing
-Subset of Blackberry API considered "controlled"
-Use of controlled package, class, or method requires appropriate code signature
-Blackberry Signature Tool comes with the Blackberry JDE
-Acquire signing keys by filling out a web form and paying $20
–This is not a high barrier to entry
–48 hours later you receive signing keys
-Install keys into signature tool
-Hash of code sent to RIM for API tracking purposes only
-RIM does not get source code
-COD file is signed based on required keys
-Application ready to be deployed
-Easy to acquire anonymous keys

IT Policies
-Requires connection to Blackberry Enterprise Server (BES)
-Supersedes lower levels of security restrictions
-Prevent devices from downloading third-party applications over wireless
-Prevent installation of specific third-party applications
-Control permissions of third party applications
–Allow Internal Connections
–Allow Third-Party Apps to Use Serial Port
–Allow External Connections
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Application Policies
-Can be controlled at the BES
-If no BES present, controls are set on the handheld itself
-Can only be MORE restrictive than the IT policy, never less
-Control individual resource access per application
-Control individual connection access per application
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Installation Files
-.COD files: A COD file is a proprietary file format developed by RIM that contains compiled and packaged application code.
-.JAD files: An application descriptor that stores information about the application itself and the location of .COD files
-.JAR files: A JAR file (or Java ARchive) is used for aggregating many files into one. It is generally used to distribute Java classes and associated metadata.
-.ALX files: Similar to the .JAD file, in that it holds information about where the installation files for the application are located

txsBBSpy Logging and Dumping
-Monitor connected / disconnected calls
-Monitor PIM added / removed / updated
-Monitor inbound SMS
-Monitor outbound SMS
-Real-time tracking of GPS coordinates
-Dump all contacts
-Dump current location
-Dump phone logs
-Dump microphone capture (security prompted)

txsBBSpy Exfiltration and C&C Methods
-SMS Datagrams (Supports CDMA)
-TCP Socket
-UDP Socket
-Command and control hard coded to inbound SMS

Future Work (Offensive AND Defensive)
-Reverse engineer .cod file format
-Continued research into unobstructed installation methods (requires exploitation)
-Infect PC with virus that acts as distribution hub
-Research additional exfiltration methods for tunneling without prompting

Tuesday, June 14, 2011

Automated Independent Gadget Search

The goal of this research is to make return-oriented programming usable in a platform-independent way across multiple platforms.

-CPU Architecture diversity is increasing.
-We want to execute code on machines despite the presence of non-executable memory, but we do not aim for ASLR.


-Use only already present code
-No single instruction / return like approach
-Use REIL to be platform independent
-Use "free-branch" instructions rather than ret only
-"Find all first, then filter useful ones" approach
-Keep an eye on side-effects and minimize them

Small RISC instruction set:
-17 instructions for arithmetic, control flow and misc functionality
-Instructions are always side-effect free

-Virtually unlimited memory and temporary registers
-Implemented as a register machine

No support for:
-Exceptions, floating point instructions, 64Bit instructions yet


Algorithms stage I
Collect data from the binary:
1.Extract expression trees from native instructions
-Handlers for each possible REIL instruction
-Most of the handlers are simple transformations
-Memory store and conditional execution need special treatment

2.Extract path information
-Path is extracted in reverse control flow order
-We want to have all possible outcomes for a conditional execution in a single expression tree

Algorithms stage II
Merge the collected data from stage I:
1.Combine the expression trees for single native instructions along a path
0x00000001 ADD R0, R1, R2
0x00000002 STR R0, [R4]
0x00000003 LDMFD SP!, {R4,LR}
0x00000004 BX LR

2.Determine jump conditions on the path
3.Simplify the result

Algorithms stage III
Goal of the stage III algorithms:
-Search for useful gadgets in the merged data. Use a tree match handler for each operation.
-Select the simplest gadget for each operation. Use a complexity value to determine the gadget which is least complex (side-effects).

-Algorithms for platform independent return-oriented programming are possible
-We are able to find all necessary gadgets for return-oriented programming using our tool
-Searching for gadgets is not only platform but also very compiler dependent
-Minimizing side-effects is possible if the right approach is chosen

Future work
-Abstract gadget description language
-Automatic gadget compiler for all platforms
-Bring more platforms to REIL
-Better understand the implications of different compilers

Sunday, April 24, 2011

Office Documents: New Cyber Weapons

Reality of cyberwarfare
-August 2007: Espionage case of China against the German chancellery. 163 Gb of governmental data stolen through a Trojan-infected Office document.
-2009 to 2010: Chinese hackers succeeded in stealing economic and financial data from European banks, through malicious PDFs.

Document as cyberweapons
-(Open)Office documents are good vectors
-PDF documents are also used nowadays

The Cyberwarfare Show
-The PWN2KILL challenge (May 2010, Paris) has proved the risk is real and high.
-Huge technical possibilities on one side, almost no protection and detection capability on the other side.
-Many critical systems are rather secure with a strong security policy enforced.
-Classical approaches are less and less possible, not to say impossible.

Which applications are concerned?
-Office 2010
-OpenOffice 3.x
-All other office applications

What is the Purpose?
-To install a malicious payload into the operating system, without being detected by any AV.
-We do not want to exploit any vulnerability (target = secure sensitive systems e.g. combat systems).

Macro Security in MSO
Possible level of security:
Level 4 (0x00000004): Disable all macros without notification.
Level 3 (0x00000002): Disable all macros with notification.
Level 2 (0x00000003): Disable all macros except digitally signed macros.
Level 1 (0x00000001): Enable all macros.

Location of settings:
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\ 12.0\ \Security
Application = {Word, Excel, Powerpoint, Access}

Trusted location:
A trusted location is a directory where macros of documents stored inside are allowed to be executed automatically.

Macro Security in OpenOffice
Security settings:
Both Macro security level and trusted location are defined in "Common.xcu" file at:\3\user\registery\data\org\openoffice\Office

<node oor:name="Security">
<node oor:name="Scripting">
<prop oor:name="MacroSecurityLevel" oor:type="xs:int">
<value>0</value></prop></node></node>

Trusted Location:
Set the root directory as Trusted location
<node oor:name="Security">
<node oor:name="Scripting">
<prop oor:name="SecureURL" oor:type="oor:string-list">
<value>file:///C:/</value></prop></node></node>

The use of 'AutoExec' event with MSO:
-Able to naturally bypass execution level 2.
-Several events are available: AutoNew, Open, Close, Exit, Exec
-Applied on the template named Normal.dotm and stored inside MSO's user settings file.
-Executes the macro at the opening event even if macros are not allowed to be executed (Level 2).

MSO and OO: The integration
-Both are based on the W3C specification. But the integration is totally different.

MSO’s integration:
-Office makes it easier to create signatures.
-It is possible to create self-signed certificates.
-They are stored inside _rel\.rel file within the document.

Openoffice’s integration:
No significant change about signature since 2006, the first study.
Black Hat 2009, Amsterdam, E. Filiol, J.-P. Fizaine, Openoffice v3.x Security Design Weaknesses.

MSO Case
+Change to the lowest level: 0
Interesting Keys: HKEY_CURRENT_USER
Path: Software\\Microsoft\\Office\\12.0\\Word\\Security
Windows API: RegOpenKeyEx, RegSetValueEx, RegCreateKeyEx, RegCloseKey

+Set the directory c:\Users as a Trusted Location.
Path: Software\\Microsoft\\Office\\12.0\\Word\\Security\\Trusted\\Locations
Path2: Software\\Microsoft\\Office\\12.0\\Word\\Security\\Trusted\\Locations\\Location3

OpenOffice Case
+Change the Macro security level to the lowest: 0
-Settings are stored in only one file! No use of specific library is needed, the C Standard Library is sufficient.
-Forge the Path
-Locate the position inside the file
-Insert the value:
<node oor:name="Security"> <node oor:name="Scripting">
<prop oor:name="MacroSecurityLevel" oor:type="xs:int">
<value>0</value> </prop> </node> </node>
-Update by restarting the application

+Trusted Locations
-Insert the value:
<node oor:name="Security"> <node oor:name="Scripting">
<prop oor:name="SecureURL" oor:type="oor:string-list">
<value>file:///C:/</value> </prop> </node> </node>
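
Because both settings live in one user-writable file, a configuration audit can catch the tampering described above. The following check is an added example, not code from the original talk: it parses a Common.xcu document and reports a MacroSecurityLevel below a chosen minimum and SecureURL entries that trust a filesystem root, a shallow directory or a remote host. The enclosing oor:component-data element, the whitespace-separated list convention, the min_level and min_depth thresholds and the function names are assumptions; the sample file is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

OOR = "http://openoffice.org/2001/registry"
NAME = "{%s}name" % OOR
SEPARATOR = "{%s}separator" % OOR

# Constructed sample: the two fragments shown above inside an assumed
# oor:component-data root, plus one narrowly scoped trusted directory.
SAMPLE_XCU = """\
<oor:component-data xmlns:oor="http://openoffice.org/2001/registry"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    oor:name="Common" oor:package="org.openoffice.Office">
 <node oor:name="Security">
  <node oor:name="Scripting">
   <prop oor:name="MacroSecurityLevel" oor:type="xs:int">
    <value>0</value>
   </prop>
   <prop oor:name="SecureURL" oor:type="oor:string-list">
    <value>file:///C:/ file:///C:/Users/alice/Documents/macros</value>
   </prop>
  </node>
 </node>
</oor:component-data>
"""


def scripting_props(root):
    """Yield (name, <value> element) for props under Security/Scripting."""
    for security in root.iter("node"):
        if security.get(NAME) != "Security":
            continue
        for scripting in security.findall("node"):
            if scripting.get(NAME) != "Scripting":
                continue
            for prop in scripting.findall("prop"):
                value = prop.find("value")
                if value is not None and value.text:
                    yield prop.get(NAME), value


def trust_reason(url, min_depth=2):
    """Return why a trusted-location URL is too broad, or None if acceptable."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        return "not a file: URL"
    if parts.netloc not in ("", "localhost"):
        return "remote host"
    segments = [s for s in unquote(parts.path).split("/") if s]
    # A leading Windows drive letter ("C:") is the root, not a directory level.
    if segments and len(segments[0]) == 2 and segments[0].endswith(":"):
        segments = segments[1:]
    if len(segments) < min_depth:
        return "within %d levels of a filesystem root" % min_depth
    return None


def audit(xcu_text, min_level=2, min_depth=2):
    """Return (setting, value, reason) tuples for weakened macro settings."""
    findings = []
    root = ET.fromstring(xcu_text)
    for name, value in scripting_props(root):
        if name == "MacroSecurityLevel":
            level = int(value.text.strip())
            if level < min_level:
                findings.append((name, str(level),
                                 "below required minimum %d" % min_level))
        elif name == "SecureURL":
            # Assumed: items are whitespace-separated unless oor:separator is
            # set on <value>; split(None) splits on whitespace.
            for item in value.text.split(value.get(SEPARATOR)):
                url = item.strip()
                reason = trust_reason(url, min_depth) if url else None
                if reason:
                    findings.append((name, url, reason))
    return findings


if __name__ == "__main__":
    for setting, value, reason in audit(SAMPLE_XCU):
        print("%-18s %-14s %s" % (setting, value, reason))
```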

K-ary Malware
Malware made of k different parts, each innocent-looking (from the AV point of view). Each of them can (inter)act independently or not and can be executed either in parallel or sequentially. Not all the parts are necessarily executable. The cumulative action of each part defines the malware action.
Proof of Concept (PoC):
E. Filiol, Journal in Computer Virology, 2007. 2009, A. Desnos, Implementation of K-ary viruses in Python.

Two waves of attack: The use of 2-ary malware
Suppose the security level is set to paranoid mode: it is then impossible to change the level from inside the macro.
Journal in Computer Virology, 2006, D. de Drézigué, J.- P. Fizaine, N. Hansma, In-depth Analysis of the Viral Threats with Documents

Why this approach?
-Attacking (secure) systems becomes really complex. Just exploiting one or more vulnerabilities no longer suffices. Installing a functionally sophisticated program is less and less easy. The solution is to split the viral information into many pieces!
-Real case: secure systems generally filter and forbid packed binaries/shellcodes.
-Using 2-ary malware is a powerful alternative.
-The first executable performs an innocent, generally legitimate simple action.
-The office document then installs more complex malware transparently and silently.

Protection and Countermeasures
-Use of Public Key Infrastructure
-Whenever self-signed certificates are used, check the serial number, timestamp and validity systematically. The serial number is supposed to be unique.

Friday, February 11, 2011

Ineffectiveness of AntiVirus Solutions

Many recent high profile attacks into major software companies, public sector institutions and international organizations.
–Aurora attack on Google and 32 other companies last year
–In all cases: malicious email was sent to victim

Email-borne threats fall into two general categories:
–Mass email attacks
–Targeted attacks
Traditional AV is increasingly ineffective and a heuristic engine is necessary.

Typical Bredolab/Trojan.Sasfis
Most prolific family of mass-mailed threats using executable attachment.
Social engineering lures:
–Social Media website password reset
–Western Union or UPS invoice
–"You have received an E-Card!"
–Spammed out in very large numbers (Cutwail botnet)
–Many different payloads
–13.3% of all Malware stopped by Skeptic
–Between June 2009 and June 2010 (excluding Phish and links)
–Typically low AV detection (< 10 on VT)
–Good social engineering tactics
–Use of Word or Excel icons
–Spoof prolific companies (Facebook, UPS, Fedex)
–Heavy use of server-side polymorphism (SSP) to evade signature-based AV

Signature-based AV
–Create a "signature" for a piece of Malware
–String(s) of bytes
–Very specific
–Evidence of increased use of SSP
–In 2008, Symantec created 1,691,323 new malicious code signatures
–In 2009, 2,895,802 new signatures were created (71% increase)
–139% increase from 2007 to 2008
–Not sustainable!
–Solution: heuristic-based approach

Signature Development Process

Heuristic-based Approach
–Generic detection
–Features known to exist in Malware
–Decision based on extracted features
–Cloud based
–no reactive signature deployment delays

Polymorphic Viruses
–Big problem for AV
–Many different variants
–Functionally equivalent
–Signatures required for each variant
–Solution: "emulation"
–Emulate past decryptor stub
–Sig the static virus body

Server-side polymorphism (SSP)
–Custom encryption routine
–Decrypt at runtime
–Generated by a polymorphic engine
–Hundreds or perhaps thousands of unique variants
–Random junk instructions
–API calls

Use in mass-email attacks
–Attackers generate a number of unique binaries
–Change the binary being spammed throughout the attack
–Problem for any vendor without proactive protection in place
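
The contrast between a byte-string signature and a feature-based decision, as an added example that is not part of the original notes. The variants are constructed, harmless byte strings that differ only in their byte pattern; the feature set, the entropy cut-off and the threshold of 3 are assumptions chosen for illustration.

```python
import hashlib, math, re
from collections import Counter

BRANDS = {"ups", "fedex", "facebook"}        # brands the notes list as spoofed
LURES = {"invoice", "delivery", "password", "reset"}   # assumed lure vocabulary

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted bodies approach 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def make_variant(seed, size=4096):
    """Constructed stand-in for one SSP variant: 'MZ' plus seed-dependent
    pseudo-random filler. Harmless bytes; only the byte pattern differs."""
    out, block = b"", str(seed).encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return b"MZ" + out[:size]

def features(subject, filename, data):
    """Extract the boolean features the decision is based on."""
    words = set(re.findall(r"[a-z]+", (subject + " " + filename).lower()))
    return {
        "executable": data[:2] == b"MZ" or filename.lower().endswith(".exe"),
        "brand_spoof": bool(words & BRANDS),
        "lure_word": bool(words & LURES),
        "high_entropy": entropy(data) > 7.0,
    }

def heuristic_hit(subject, filename, data, threshold=3):
    """Flag the message when at least `threshold` features are present."""
    return sum(features(subject, filename, data).values()) >= threshold

def compare(n=56):
    """Return (signature hits, heuristic hits) over n constructed variants."""
    variants = [make_variant(i) for i in range(n)]
    signature = variants[0][64:96]     # byte string taken from the first sample only
    sig_hits = sum(signature in v for v in variants)
    heur_hits = sum(heuristic_hit("UPS Delivery Problem NR 18800",
                                  "UPS_invoice_1845.exe", v) for v in variants)
    return sig_hits, heur_hits

if __name__ == "__main__":
    print("signature hits, heuristic hits:", compare())
```

The signature written for the first sample matches only that sample, while the feature decision does not depend on the bytes that change between variants.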

Bredolab Case Study - 30 March 2010
–Standard Bredolab run:
–Subject: variation of 'UPS Delivery Problem NR 18800'
–Attachment: similarly named 'UPS_invoice_1845.exe'
–relatively small (only 56 observed copies)
–Started at 19:08:33 GMT (time 0)
–Last observed sample at 19:36:31
–Total of 27 min 59s

Case Study - AV Detection & Response Time
–At time 0, AV detection was 0
–Average response time?
–661 minutes (11 hours and 1 minute)
–Remember that the attack only lasted 28 mins
–This is the average response time

Aurora and Targeted Attacks (Spear-Phishing)
–Up to 34 different companies compromised in same period using similar techniques
–Email links to malicious web pages
–Flaws in Adobe Acrobat Reader
–Google hackers are back?

According to US Department of Defense Cyber Crime Center:
"102 breaches of the Pentagon’s agencies, partners and contractors in a two-year period ending August 2009"

Targeted Attack Case Study - 24 March 2010
–Targeted attack blocked attempting to exploit CVE-2010-0188 (libTiff)
–Single copy sent to an individual in a major international organization
–Co-ordinates governments from around the world
–Trojanized a clean PDF from a World Cup travel site

Case Study - AV Detection & Response Time
–AV detection was 0
–One week later, AV detection at 33%
–Sample sharing, blogged
–Average response time?
–3631 minutes (two and a half days)
–Only takes into account the 33% of vendors that were actually detecting the threat

Monday, January 31, 2011

Targeting SAP Platform Using Trojans and Rootkits

Typical Enterprise Environment
-Has more than a thousand employees
-Is a circus of IT Systems
–Mixture of operating systems, databases, applications and their different versions
-Decision makers care more about their bonus than the interest of the company
-Is a political battlefield

Enterprise Security
Even a medium level of IT security is too expensive to achieve
–Missing asset management (how many Oracle DBs, Windows servers, etc)
–Tons of security scanning, too little remediation chasing
–Many of the vulnerabilities cannot be mitigated
-Obsessed by Cross Site Scripting
-IT security departments cannot influence security decisions of business applications much, because of political reasons.
-Nobody cares about the hacked UNIX machine, SQL DB, or others.
-Defacement and similar security incidents are budget approvers

SAP Systems
-Business specific
-Industry solutions
-Hold the Crown Jewels
-Are usually extensively customized
-Less exposure to typical hackers (ABAP)

SAP Security
-Security mostly focuses on authorizations and segregation of duties
-Intrusion prevention is still a baby
-Risks are underestimated/general IT Security efforts are typically unbalanced at companies
-Unlike e.g. Active Directory, SAP systems belong to the business, not to IT
-Security departments usually fail when they are challenged

RFC (Remote Function Call) protocol lets you run functions remotely
–To run, use Java, C, etc. with RFC-SDK, or simply execute the test program "startrfc". The following creates a new user with god rights:

startrfc -3 -h -s 05 -c 010 -u ERTUNGA -p CCC42 -F SUSR_RFC_USER_INTERFACE

There is no exploit involved. Everything is intended functionality.
–Beats "RFC users are not a threat because they cannot login via SAPGUI"
–Time to recheck company’s shared folders and eliminate hardcoded passwords.

RFC (a.k.a communication) users are thus very very important!
–Secure their passwords and make them part of the password change process
–Don’t forget: GUI (dialog) users who have S_RFC rights can also execute remotely
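
One way to recheck scripts on shared folders for hardcoded RFC credentials, as an added example that is not part of the original notes. It only knows the flags visible in the command above; the second sample line, its path and the function name Z_NIGHTLY_JOB are constructed.

```python
import shlex

VALUE_FLAGS = ("-h", "-s", "-c", "-u", "-p", "-F")  # value-taking flags seen in the command above

def parse_startrfc(line):
    """Return {flag: value} for a startrfc invocation on this line, else None."""
    try:
        tokens = shlex.split(line, posix=False)   # non-POSIX mode keeps Windows backslashes
    except ValueError:                            # unbalanced quote: fall back to plain split
        tokens = line.split()
    tokens = [t.strip("\"'") for t in tokens]
    for i, tok in enumerate(tokens):
        exe = tok.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in ("startrfc", "startrfc.exe"):
            break
    else:
        return None
    args, rest, j = {}, tokens[i + 1:], 0
    while j < len(rest):
        if rest[j] in VALUE_FLAGS and j + 1 < len(rest) and not rest[j + 1].startswith("-"):
            args[rest[j]] = rest[j + 1]
            j += 2
        else:               # flag without a value (e.g. "-3", or "-h" left empty)
            j += 1
    return args

def scan(text, source="<inline>"):
    """Report every startrfc call that carries both a user and a password.
    Commented-out lines are reported too: the secret is still on disk."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        args = parse_startrfc(line)
        if args and "-u" in args and "-p" in args:
            findings.append({"source": source, "line": no, "user": args["-u"],
                             "client": args.get("-c"), "function": args.get("-F"),
                             "password": "*" * len(args["-p"])})  # never echo the secret
    return findings

# Line 2 is the command from the notes; lines 3 and 4 are constructed.
SAMPLE = r'''#!/bin/sh
startrfc -3 -h -s 05 -c 010 -u ERTUNGA -p CCC42 -F SUSR_RFC_USER_INTERFACE
REM "C:\sap\rfcsdk\bin\startrfc.exe" -3 -c 100 -u BATCH_RFC -p "Summer 2010" -F Z_NIGHTLY_JOB
startrfc -3 -c 010 -u ERTUNGA -F RFC_PING
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE, "deploy.sh"):
        print(finding)
```

Every user reported this way is a candidate for a password change and for inclusion in the regular password change process.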

Reads the contents of any table (including ones with sensitive data, e.g. salary information)
Has bugs in converting e.g. binary fields

Can be used for creating/modifying users

-Takes ABAP source lines and executes them
-Widely known! Tighten user authorizations to prevent abuse
-More restricted in latest NetWeaver Systems

RFC can be encapsulated in SOAP messages (SOAP RFC)
-Company’s internal proxy suddenly opens the doors to all SAP systems
-Disable it if not used!

Single Sign-on (SSO2)
-Is a convenient feature, not a security feature
-RTFM: Secure Store and Forward [SSF] documentation
-Personal Security Environment files hold the private key data
-If an attacker obtains it, they can create authentication tickets for the victim system. Accepting these tickets is enabled by default, so the attacker can log on as any user.
-The private key container (PSE) can be pin-protected
-Advice: Disable accepting tickets using relevant profile parameters!

SQL Injection
-ABAP typically uses parameterized queries (developers can still specify parts of SQL statements dynamically by using parentheses)
-Not dynamic: SELECT ColumnA FROM TableA INTO [...]
-Dynamic: SELECT (var_ColumName) FROM (var_TableName) INTO [...] WHERE (var_WhereClause)
-Avoid dynamic statements where possible!
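
A small audit pass that lists the dynamic clauses in ABAP source before it is transported, as an added example that is not part of the original notes. It assumes a dynamic token is written as (name) with no inner blanks, which is how it differs from a parenthesized condition such as ( a = b ); the sample report and its variable names are constructed.

```python
import re

# clause -> pattern for a dynamic token: "(name)" with no blanks inside the parentheses
DYNAMIC = {
    "column list": re.compile(r"\bSELECT\s*(?:SINGLE\s+)?\(([\w-]+)\)", re.I),
    "table name": re.compile(r"\bFROM\s*\(([\w-]+)\)", re.I),
    "WHERE clause": re.compile(r"\bWHERE\s*\(([\w-]+)\)", re.I),
}

def statements(source):
    """Yield (first_line_no, text) for each period-terminated ABAP statement,
    skipping '*' full-line comments and '"' end-of-line comments.
    Simplification: a '"' inside a string literal is treated as a comment start."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):
            continue
        line = line.split('"', 1)[0].strip()
        if not line:
            continue
        if start is None:
            start = no
        buf.append(line)
        if line.endswith("."):
            yield start, " ".join(buf)
            buf, start = [], None

def audit(source):
    """Return (line, clause, variable) for every dynamically specified clause."""
    findings = []
    for no, stmt in statements(source):
        for clause, pattern in DYNAMIC.items():
            for match in pattern.finditer(stmt):
                findings.append((no, clause, match.group(1)))
    return findings

# Constructed sample: one static SELECT, one fully dynamic, one with a grouped condition.
SAMPLE = """\
REPORT zdemo.
* static statement: nothing to flag
SELECT carrid FROM scarr INTO TABLE lt_static WHERE carrid = lv_id.
SELECT (lv_cols) FROM (lv_tab)   " all three parts arrive as strings
  INTO CORRESPONDING FIELDS OF TABLE lt_dyn
  WHERE (lv_where).
SELECT connid FROM spfli INTO TABLE lt_ok WHERE ( carrid = 'LH' OR carrid = 'AA' ).
"""

if __name__ == "__main__":
    for line, clause, var in audit(SAMPLE):
        print(f"line {line}: dynamic {clause} from {var}")
```

Each finding is a place where the reviewer has to trace where the variable's content comes from.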

Cross Site Scripting
-Proper sanitization/encoding of the input data is the key for self-developed web code such as BSPs.
-If not done, an attacker can do everything related to XSS, plus steal e.g. the SSO2 (authentication) cookies from the clients. SSO2 cookies are stateless, so client impersonation is a breeze. Avoid using this mechanism without proper controls.
-If you have F5's or similar devices, encrypt cookies based on origin IP.

ABAP Executable Manipulation
-Writes custom code to any ABAP program
-It's even possible to call an editor to make it more user friendly
-Very suspicious if found in self-developed code

-Unpatched version does not have authorization checking.
-People with e.g. SE38 rights can execute this and manipulate the system and its data.
-Same as ABAP injection, only more convenient.
-SAP patched it via: SAP Note 1167258: Program RS_REPAIR_SOURCE

ABAP Rootkits
-It is possible to modify system executables (ABAPs)
-An attacker can easily infect important executables and install an ABAP rootkit
-SAP has RFC functions that do not require user authentication by default (SRFC Function Group). This could be one candidate.
-An installed rootkit can give the attacker anonymous access with functionality such as: installing SAP_ALL users, manipulating ABAP reports, running OS commands, stealing hashes or PSE files, deleting logs.

Triple-Penetration Attacks
Penetration 1: Attacker exploits the weakest system
-Typical enterprise setup: Testing/Development -> Quality Assurance -> Production
-Among them, most unprotected are test/development systems

Penetration 2: Attacker infects clients which connect to the weakest system
–Starts with modification/infection of the critical areas such as logon screen ABAP code
-When admins/developers successfully log in, the malicious payload is downloaded and executed on these users' computers

Penetration 3: Victim infects all the systems it later connects to
-Modification of critical components of the newly accessed SAP systems (Internal production systems, Partner systems, critical systems)

How to stay secure
-Have proper "check-in" and "leavers process" that take the ABAP developer risks into consideration
-Audit the code against security vulnerabilities before transporting to production systems
-Syncing passwords to development systems means developers can capture valid passwords for production systems. Avoid it!
-Get rid of insecure and/or default passwords
-Disable backwards compatibility of passwords
-Install the latest security patches