My Security Journey turned 1 today!

@mysecurityjourney
SMBv1 != Super Mario Brothers 1
https://www.bleepingcomputer.com/news/security/malware-creates-cryptominer-botnet-using-eternalblue-and-mimikatz/
This latest threat seems to be a slap in the face to slow-to-evolve organizations and inattentive security teams everywhere. The malware is a hodge-podge of attacks that have been used for at least 3 years, largely taking advantage of SMBv1. That protocol came out around 1990... yes, almost 30 years ago... and it is still in use in organizations. Microsoft has even responded by turning it off in Windows 10, but it is still prevalent enough for attackers to build botnets and completely own (pwn) entire systems. Even after WannaCry, some people are slow to respond. Along with the SMB attacks come SQL exploits and Mimikatz pass-the-hash, which takes advantage of NTLM (also out of date and superseded). This attack seems to be focused on organizations that put business/finance first and security last. The malware then drops its payload with PowerShell and gets the cryptojacking started. Most of the attack relies on common exploits and known code (https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBClient.ps1); another PowerShell script gathers all the WMI information, then drops the Trojan TrojanSpy.Win32.BEAHNY.THCACAI, a reverse shell is created, and finally the crypto mining software is loaded. Every single part of this attack is avoidable with proper security practices. Keeping protocols up to date, reducing access to PowerShell, and requiring signed scripts would help.
Hide and Seek
3/24/19
https://www.malwaretech.com/2019/01/tracking-the-hide-and-seek-botnet.html
This is a blog from a malware analyst. In this post he goes through Hide and Seek, which primarily targets *nix-based systems like cameras, TVs, and other IoT devices.
Unlike the majority of the analyses I see, this is not a virus or trojan but a worm. The worm runs through and creates a botnet without a main C2C. One of the cool results of this is that once an update is loaded onto an infected device, the update is sent on to the other infected peers.
The worm spreads by having an infected device send its peer list and its own IP to be added as a peer. The device keeps doing this until it can no longer fill up its peer list. This means infecting one P2P-connected device can affect that system and every system it is connected to, every device those devices are connected to... etc. This can happen quite fast.
The counter-measure against discovering and mapping the entire botnet is code that records the requester's IP onto the peer list and then (basically, in effect) does not hand out new peers.
This can be worked around by using a snippet of the worm's code to "churn" through IPs, making it possible to map the peers once every 128 seconds. With multiple IPs and enough throughput (to send enough requests at the correct time) the botnet can be mapped.
I would suggest checking out this guy’s review of the NSA’s new malware analysis tool as well. It is interesting for anyone looking to pursue malware/software analysis seriously.
https://www.malwaretech.com/2019/03/video-first-look-at-ghidra-nsa-reverse-engineering-tool.html
Like Splinter this is one Xtreme RAT
3/24/2019
This article on Xtreme RAT is an in-depth analysis of the Trojan Xtreme RAT. The program itself was written by someone known as xtremecoder and has affected multiple organizations. Although it has been known since 2010 it still exists in the wild, and derivations have been used in major attacks, 2017 being the most recent in the article. Further analysis by FireEye in 2014 looks into the CnC GUI used to control the RAT as well as the traffic involved.
The RAT itself uses a self-extracting exe which shows up as a downloaded internet file. In this case the default safety message about downloaded files should read: "This file was downloaded from the internet. Do you wish to run this Trojan? YES PLEASE GIVE ME MALWARE! / No thank you, I don't want to be taken over and become part of a spam cluster."
The trojan executable is set up with a specific ID, a campaign code, and a mutex/mutant. Once the payload has been delivered (someone opens the document) the program sets up a backdoor and connects to a CnC from a list generated by the CnC GUI. This malware also has a keylogger and file encryption. The Command Center can track specific instances on computers, create servers, set the names of the processes, set up persistence, etc.
The analysis shown in this article was completed by monitoring network traffic based on these 3 unique variables (ID, campaign code, mutex). The analysts created a sinkhole (something similar to INetSim) to observe how the infected computers connect. An interesting thing about this malware is that it creates clusters known as molerats. These groups act in tandem to help spread the malware from point to point, as well as coordinate spamming efforts.
A set of tools to detect the RAT is on GitHub.
Flash Exploits
https://securelist.com/how-exploit-packs-are-concealed-in-a-flash-object/69727/
2/24/2019
This article addresses a "new" way (2014/2015) in which Flash exploits are used with the Neutrino exploit pack. Instead of dropping a malicious Flash file, the Flash binary itself rewrites the page being viewed by the browser.
The Flash binary loads exploits onto the user's computer, in some cases using an image/configuration file. Decompiling it with the usual tools does not work, and it is not detected by normal extensions/security tools.
The code has objects that are obfuscated using hex, RC4, as well as a deflate algorithm. It uses CVEs that allow legitimate Windows system DLLs to be used to get a shell. Then a script is dropped on the victim's computer and executed.
The CVEs listed have for the most part been addressed, but this brings home the importance of keeping up to date.
Container Escaper
https://www.securityweek.com/exploit-code-published-recent-container-escape-vulnerability
One of the scariest things for people who rely on separate instances is a failure with no chance of recovery. This week there was an exploit affecting one of the more popular container handlers, namely Docker. The vulnerability allows malware to take over runc and act as root, which is scary enough, but an image could also be loaded which wipes out any Docker-loaded instances. With the higher prevalence of attacks aiming at total destruction and more reliance on virtualized environments, a vulnerability like this could bring smaller companies to a halt and cause a lot of damage to larger ones. As a side note, Linux, considered by many to be more secure by design, is starting to be tested by more hackers, and I could see a lot more malware designed to target *nix-based systems, especially since much of the cloud infrastructure is built using some form of, or parts from, Linux.
DarkHydrus APT
Malware designers are ingenious and resourceful. With the advent of the newer malware variant DarkHydrus APT, there are a lot of interesting ways in which this software works. (see: https://www.bleepingcomputer.com/news/security/darkhydrus-apt-uses-google-drive-to-send-commands-to-roguerobin-trojan/)
An APT is an Advanced Persistent Threat; what this means is that it is the type of malware that just won't go away. Usually APTs involve some type of command and control (C2C) to help ensure that the software stays in the system.
DarkHydrus APT is the name given to the malware, but DarkHydrus is also the name of the group. It is not "new" (it's also known as LazyMeerkat); the group was first identified in July 2018. The malware itself uses DNS tunnels for most of its communication with the C2C, with HTTP as a fallback. This is an effective way to sneak traffic through, as most firewalls allow DNS traffic, and HTTP traffic somewhat less.
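Detection logic for the DNS-tunnel point above, as an added example that is not from the post or the linked analyses: it scans a constructed DNS query log for base domains receiving many unique, long, high-entropy subdomain queries, which is the shape a tunnel leaves in resolver logs. The log lines, domain names and thresholds are made up for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (timestamp client qtype qname). These lines are made
# up for this example; they are not traffic from the DarkHydrus campaign.
SAMPLE_LOG = """\
2019-01-21T09:00:01 10.0.0.5 A www.example.com
2019-01-21T09:00:02 10.0.0.5 TXT 4a6f686e2d31303031.update.cdn-check.test
2019-01-21T09:00:03 10.0.0.5 TXT 9f3ac1e07b8d2e44f1.update.cdn-check.test
2019-01-21T09:00:04 10.0.0.5 TXT e02b7c5d91a3f6c8b4.update.cdn-check.test
2019-01-21T09:00:05 10.0.0.7 A mail.example.com
2019-01-21T09:00:06 10.0.0.5 TXT 7d41aa09c3e5b26f08.update.cdn-check.test
2019-01-21T09:00:07 10.0.0.7 A static.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score well above natural words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_line(line):
    """Split one log line into (client, qtype, base_domain, subdomain)."""
    _ts, client, qtype, qname = line.split()
    labels = qname.lower().rstrip(".").split(".")
    # The last two labels stand in for the registrable domain; a real deployment
    # should use the Public Suffix List instead of this shortcut.
    return client, qtype, ".".join(labels[-2:]), ".".join(labels[:-2])

def find_tunnel_candidates(log_text, min_queries=3, min_len=12, min_entropy=3.0):
    """Return base domains whose query pattern looks like encoded data."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "encoded": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, _qtype, base, sub = parse_line(line)
        s = stats[base]
        s["queries"] += 1
        s["subs"].add(sub)
        first = sub.split(".")[0]  # leftmost label is where tunnels put data
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            s["encoded"] += 1
    flagged = []
    for base, s in stats.items():
        # Many queries, every subdomain unique (so nothing is answered from
        # cache), and most carrying a long high-entropy label: a tunnel's shape.
        if (s["queries"] >= min_queries and len(s["subs"]) == s["queries"]
                and s["encoded"] / s["queries"] >= 0.75):
            flagged.append(base)
    return sorted(flagged)
```

Hosted-asset CDNs and some security products also generate hashed subdomains, so treat a hit as a lead to allowlist or investigate rather than a verdict.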
One of the things that makes this malware tenacious is the sandbox and debugger evasion built into the code. When running, there are functions that check and quit, and depending on the method of detection will redirect to a hex string that translates to "Good Luck". You can't say there isn't a sense of humor behind all of this.
The method of distribution appears to be primarily Excel documents with VBA scripts. These scripts create a text document, then use a legitimate Windows program to run from that text document, starting a chain until the C2C has control, using the task handler to control the device.
Check here for more in depth analysis: (https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/)
Flow flow overflow
The big news of course this week has been with the Facebook hacks (using the View As page and connecting to wish someone a Happy Birthday, then capturing the OAuth token to use for all connected apps).
However, there was also a Linux kernel bug which is still affecting some of the distros.
Basically it is using an overflow in memory. I have seen it explained a few ways, one using long integers, and others explaining it in very vague ways. This article (from ThreatPost) seems to explain it in a way where we can get a good idea of what is happening and why the threat is "bad".
Basically, while a program is running it uses memory; when that usage changes/increases there is a page fault (there isn't a clear path to the memory), and the Linux kernel runs through to find accessible memory. A shortcut was written to speed up that process, tagging the virtual memory with a 32-bit identifier. That led to another problem, where something could be written to access already "used" memory, basically making memory vulnerable to an overflow by sending more than 32 bits. The fix was to bring the ending numbers for the virtual memory to 64 bits.
https://thehackernews.com/2018/09/linux-kernel-exploit.html
https://threatpost.com/another-linux-kernel-bug-surfaces-allowing-root-access/137800/
Once Again Physical Security Trumps Everything
If you have ever heard the old adage "If the attacker has your machine, it is no longer yours", it still rings true today.
Even though there have been many advances in protecting data once it falls into the hands of an attacker, someone will find a way to break in. This has been shown to be true again. Researchers Heat Up Cold-Boot Attack That Works on All Laptops
Cold boot attacks have been around for a while, and the name is derived from the original method of getting information. With a traditional cold boot attack you can turn off the machine, put the machine in sleep or hibernate mode, and dump the memory. One method involves using canned air to freeze the memory, then pulling the disk image from the memory. When a computer goes to sleep it basically saves the system "state". What this means is that this state can be recovered, and the entire running system will be accessible as if the computer had been unlocked (or never locked).
Recently, with the implementation of BitLocker, it is possible to protect this area by making BIOS changes, through pre-boot methods of verification, as well as by using volume encryption. (Although FireWire is still an issue due to the transmission standard.)
This new method lets someone configure a micro-controller (basically a circuit board with programmable instructions) to act as an intermediary between the rewrite instructions and where the encryption keys are stored.
Having the encryption keys allows the attacker to unlock BitLocker and any encrypted drives/data, or plant a backdoor and use the trusted device/user to gain VPN access and use the device as a pivot.
Luckily hibernation is not vulnerable; the reason is that when hibernating, BitLocker encrypts the system state (similar to post-shutdown/pre-boot). The drive data can be recovered, but it would not contain any of the encryption keys needed to make sense of the data.
BitLocker has gone through a lot of improvements. There used to be MBR exploits that were pretty easy to use to bypass BitLocker, and today the traditional ways of pulling keys or images of running systems are harder due to OS integration and pre-boot settings. The bad thing/good thing about hardware is there is always a way to bypass it. That means the only thing you can hope to do is add complexity, and unfortunately obfuscation does not equal secure.
Krebs on Security DDoSers caught
I have followed Krebs on Security (Brian Krebs) for a few years and there is always a nice mix of more technical information and information that anyone can digest.
The site that Krebs runs is always under attack (like almost any public-facing site), but one of the larger groups was caught, and one of the "leaders" was arrested. KrebsOnSecurity
The group/gang does things that are reprehensible, calling in bomb threats and terrorizing people. I know some people will justify the DDoS attacks, basically saying the group is just making sure the "victim" is keeping up their security. There is no release of the attack procedure, so I wouldn't agree.
What is mind-boggling to me is that this is really common for every site, even one that deals with cyber security. The message I get from this is that although in the end the red team, if persistent, will always get in, eventually they are caught if the blue team persistently keeps track of the group/individual.
If the groups were silent in their attacks and didn’t care who knew I really think attacks like this could go on forever. That is kind of scary.
Open Source Malware
I love, and I mean love, open source software. I think the model is great, the flexibility is great, and so is being able to make something or participate in something. It has its ups and downs as far as reliability, but if a project is active it beats out closed programs any day.
A recent article I read on ZDNet shows one of the negatives of having open source tools available to everyone.
Most of the hacking tools (or security tools used for hacking) are open source and free to use. If you work as a pentester or security analyst this is great, because you can pop right in, maybe edit some of the programming if needed, and truly find out what issues there are at an organization. However, the downside is that the "bad guys" have the same tools you do, and they aren't going to settle for just getting in and stopping.
This can be scary, but I feel like it shouldn't be. At least these tools are out there for the security side to see. There will always be some custom software, and with open source the bug reports are usually excellent, because everyone wants the software to work well. Censoring open source will just push it underground; i.e. the dark web, warez groups on IRC, or maybe even back rooms where a USB stick gets passed from attacker to attacker.
The alternative is to try and bring down the sites, or kill open source. Even if effective to me this is like censoring an idea to try to stop people from thinking it. Yes you may get some of the malware reduced (doubtful) but you are really just hurting everyone.