Effective new techniques for identifying BitTorrent users

Friday, April 30th, 2010

This week we saw the proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET ‘10). Past years had seen the release of plenty of novel and groundbreaking research, so expectations were high.

A group of researchers from I.N.R.I.A. in France published an impressive paper on new techniques for identifying and tracking users of the BitTorrent protocol, titled “Spying the World from Your Laptop: Identifying and Profiling Content Providers and Big Downloaders in BitTorrent” (Abstract, Full paper, Slides). According to its website, I.N.R.I.A. is the French national institute for research in computer science and control.

In the paper, the researchers describe a series of experiments they performed to identify and profile BitTorrent users. In particular, the researchers tested methods to identify two important classes of BitTorrent user: “Content Providers” and “Big Downloaders”.

A content provider is a user who provides the initial seed (i.e., complete copy) of a particular item of content (e.g., a video file). The researchers report that they were able to successfully identify the content provider for 70% of the content items monitored by their system. They conclude that relatively few content providers insert most of the content. Of the top 20 content providers identified, half were using the IP addresses of machines hosted by two French and German providers. However, further analysis showed that the content providers were probably not French or German nationals, and further, that the nationality of a content provider is difficult to extrapolate from the physical location of the computer they use.

Like many networking technologies, the BitTorrent protocol may be used both legally and illegally (e.g., to illegally share copyrighted content). While parties using BitTorrent for illegal purposes obviously have a vested interest in avoiding identification, legitimate users also have reason to be concerned by these findings. With a better understanding of the ease with which they may be identified and tracked, legitimate users may want to weigh the privacy risks involved in sharing their content over BitTorrent.

Consumer Electronics Now Arriving Certified Pre-p0wn3d?

Wednesday, March 31st, 2010

On March 5, 2010, Energizer and US-CERT announced that some consumer Energizer DUO USB battery chargers had shipped with a malicious software trojan. The hardware device is used to charge Nickel Metal Hydride (NiMH) batteries from both a wall outlet and USB connection. The charger includes Windows software to allow the user to view the battery charging status when connected to a PC via USB. This software was found to contain malware.

Here is the ThreatExpert report for a sample of this trojan with an MD5 of 3f4f10b927677e45a495d0cdd4390aaf.

The installer software places a file named "usbcharger.dll" in the applications directory and "arucer.dll" in the Windows system32 directory.

The trojan modifies the registry by adding itself to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

The trojan also spawns a listener on port 7777/tcp. This is a bit curious, because widespread firewalling and NAT have pushed the authors of backdoor trojans to adopt a connect back or reverse shell approach. A listener on 7777/tcp would only typically be accessible within the local network, and even then only after the trojan has punched a hole in the host firewall found on more recent Windows platforms.

The capabilities of this trojan include the ability to:

  • List directories
  • Send and receive files
  • Execute programs
  • Delete files

The version information in the installed .dll indicates its origins may be Chinese:

--a-- W32i   DLL CHS    1.0.0.1  shp   28,672 05-10-2007 arucer.dll
Language        0x0804 (Chinese   (PRC))
CharSet         0x04b0 Unicode
OleSelfRegister Disabled
CompanyName
FileDescription Arucer DLL
InternalName    Arucer
OriginalFilenam Arucer.DLL
ProductName     Arucer Dynamic Link   Library
ProductVersion  1, 0, 0, 1
FileVersion     1, 0, 0, 1
LegalCopyright  ???? (C) 2006
LegalTrademarks

A mutex name also suggests a possible Chinese origin:

liuhong-061220

The purpose of the backdoor and how it was included in the distributed software was not disclosed.
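As an added example that is not part of the original post, the following Python script checks host artifacts against the indicators listed above (the two dropped file names, the Run key, the 7777/tcp listener, the mutex name and the sample MD5). The file list, registry export, netstat output and mutex listing it runs on are constructed for illustration; the Run value name and rundll32 command line are assumptions, since the post does not quote them.

```python
"""Triage of host artifacts for the Energizer DUO charger trojan.

Added example, not part of the original post. The indicators are the ones the
post lists; the host data below is CONSTRUCTED to resemble Windows tool output
(a file inventory, a registry export, netstat -an, a handle/mutex listing) and
the Run value name and command line are assumptions, not quoted from the sample.
"""
import os
import re

# Indicators from the post.
IOC_FILES = {"arucer.dll", "usbcharger.dll"}
IOC_RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_PORT = 7777
IOC_MUTEX = "liuhong-061220"
IOC_MD5 = "3f4f10b927677e45a495d0cdd4390aaf"

# Constructed host data (hypothetical infected machine).
SAMPLE_FILES = [  # (path, md5)
    (r"C:\WINDOWS\system32\Arucer.dll", "3F4F10B927677E45A495D0CDD4390AAF"),
    (r"C:\WINDOWS\system32\kernel32.dll", "00000000000000000000000000000000"),
    (r"C:\Program Files\Energizer\usbcharger.dll", "11111111111111111111111111111111"),
]
SAMPLE_RUN_KEY = [  # (key, value name, data); value name and command are assumed
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Arucer",
     r"rundll32.exe C:\WINDOWS\system32\Arucer.dll,Arucer"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49152      192.168.1.1:443        ESTABLISHED
"""
SAMPLE_MUTEXES = [r"\BaseNamedObjects\liuhong-061220", r"\BaseNamedObjects\ShimCacheMutex"]

NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def check_files(files):
    """Flag files by dropped-file name or by the sample's MD5 (both case-insensitive)."""
    hits = []
    for path, md5 in files:
        name = os.path.basename(path.replace("\\", "/")).lower()
        if name in IOC_FILES:
            hits.append(f"file: {path} has a known dropped-file name")
        if md5.lower() == IOC_MD5:
            hits.append(f"file: {path} matches sample MD5 {IOC_MD5}")
    return hits


def check_run_key(entries):
    """Flag Run values (the persistence key named in the post) that load a known dropped file."""
    hits = []
    for key, value_name, data in entries:
        if key.lower() != IOC_RUN_KEY.lower():
            continue
        if any(name in data.lower() for name in IOC_FILES):
            hits.append(f"registry: Run value '{value_name}' loads {data}")
    return hits


def check_listeners(netstat_text):
    """Flag a TCP listener on the backdoor port; established connections are not listeners."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(2)) == IOC_PORT:
            hits.append(f"network: listener on {m.group(1)}:{m.group(2)} (backdoor port)")
    return hits


def check_mutexes(names):
    """Flag the mutex name; handle listings usually prefix the object directory."""
    return [f"mutex: {n}" for n in names if n.split("\\")[-1].lower() == IOC_MUTEX]


def triage(files, run_entries, netstat_text, mutexes):
    """Collect every indicator hit; an empty list means none of the post's IoCs were seen."""
    return (check_files(files) + check_run_key(run_entries)
            + check_listeners(netstat_text) + check_mutexes(mutexes))


if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_RUN_KEY, SAMPLE_NETSTAT, SAMPLE_MUTEXES):
        print(finding)
```

On a real host the four inputs would come from a file inventory with hashes, a registry export of the Run key, `netstat -an`, and a handle or mutex listing; matching on the file name alone is the weakest of the checks, so the script reports the hash, persistence and listener evidence separately rather than collapsing everything into one verdict.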

The disclosure from Energizer was soon followed by another report of compromised consumer electronic equipment. On March 8, 2010, Panda Security’s Research blog reported that they had received a new Vodafone HTC Magic with Google’s Android OS that was infected with Butterfly Bot (a.k.a. Mariposa). In addition, it was reported that the handset contained Conficker and a password stealer identified as "Lineage". The infected Vodafone handset was reported to be an isolated incident; however, Panda subsequently reported that Spanish security outfit S21sec had also obtained a compromised HTC Magic handset directly through Vodafone’s website. Vodafone has recently confirmed shipping at least 3000 handsets with Mariposa.

Of course, this is not the first time consumer electronics devices have reached consumers with malicious software. Digital music players have shipped with Windows viruses. New hard drives have come with trojans. Digital picture frames have been bundled with trojans. Compact discs have been intentionally sold with rootkits. It is important to remember that any device or removable media could be used to store malicious code.

Publicly Disclosed GSM Attack Surface Expanding

Tuesday, December 29th, 2009

During the course of 2009, the amount of publicly available information on the security of GSM cellular networks and devices has steadily increased. GSM stands for the “Global System for Mobile communications” and is the world’s most popular standard for mobile handsets. The GSM Association estimates that more than 3 billion people are now using GSM technology. With such a massive install base, addressing potential security vulnerabilities in GSM handsets or in GSM networks themselves is clearly an enormous challenge.

The DeepSec In-Depth Security Conference 2009 in Vienna, Austria saw the presentation of research on attacking GSM networks, as well as attacking GSM handsets using SMS / MMS. David Burgess and Harald Welte held a highly regarded workshop entitled “Security on the GSM Air Interface”, covering contemporary technologies and techniques for radio direction finding, including the capabilities and deployment of devices known as “IMSI Catchers.” An IMSI Catcher device functions as a rogue cellular access point and can be leveraged to aid in radio direction finding or may offer full voice and data man-in-the-middle capabilities with a variety of uses. Commercially available hardware and software from the OpenBTS and OpenBSC projects was used to demonstrate attacks and countermeasures under laboratory conditions using a private GSM network.

Continuing the thread of GSM security material at DeepSec, noted security researchers Zane Lackey and Luis Miras presented research on techniques for attacking GSM handsets using SMS/MMS, both the implementations themselves as well as architectural vulnerabilities in the carrier networks.

At the 26th Chaos Communication Congress (26C3) in Berlin, Germany, noted cryptographer and hardware hacker Karsten Nohl and colleague Chris Paget announced that their “A5/1 Cracking Project” had successfully calculated the cryptographic base needed to demonstrate cracking GSM communications secured using the A5/1 encryption algorithm. This data, commonly referred to as a “rainbow table”, is now publicly available on the Internet. Nohl and Paget also announced they have open sourced the software they used to calculate the rainbow tables. The ability to passively decrypt A5/1 secured GSM communications is critical to performing passive, difficult to detect interception. This contrasts with active and easily detectable interception techniques using an IMSI Catcher device.

GSM is being adopted in a growing number of sensitive applications including financial transactions, mobile payments, and of course sensitive voice communications. Capabilities once only available to very well-resourced organizations such as the military, intelligence agencies, civilian law enforcement and organized crime are now increasingly within reach of much less well-resourced organizations, such as smaller criminal groups or even malicious individuals.

Organizations using GSM for sensitive applications or to discuss or transmit sensitive information should adopt a proven information security risk management approach to their use of mobile communications technologies such as GSM, just as they do for more traditional IT systems. For organizations that must utilize GSM communications for sensitive applications within hostile environments, several third-party security solutions are commercially available.

Protecting Yourself From Attempts to Exploit CVE-2009-0238

Tuesday, February 24th, 2009

On February 24, 2009, Microsoft published Microsoft Security Advisory 968272 confirming the existence of a recently disclosed 0-day vulnerability in Microsoft Office Excel. For now, there are reports of only limited and targeted attacks attempting to exploit this vulnerability. Unfortunately, with public disclosure and exploits in limited circulation in the wild, the risk is high that more widespread attacks will follow.

The flaw lies in code handling the Microsoft Office 2003 and earlier binary file formats. Microsoft confirmed that all versions of Office 2000 and later are at risk. The list of affected platforms also includes Mac OS X, with Microsoft Office 2004 for Mac and Microsoft Office 2008 for Mac being vulnerable.

Even in the absence of a security update from Microsoft, there are some good recommendations included in Microsoft’s advisory.

The Microsoft Office Isolated Conversion Environment (MOICE) offers users of Microsoft Office 2003 and Microsoft Office 2007 a way to more securely open Microsoft Word, Excel and PowerPoint binary format files. KB968272 contains details on how to set MOICE as the registered handler for the .XLS, .XLT, and .XLA file formats. Documents that are converted to the Office 2007 XML format with MOICE will lose their macro functionality (which, depending on your perspective, might not be such a bad thing). Password-protected or DRM-encumbered documents can’t be converted with MOICE. Mac users are unfortunately left out in the cold here, since MOICE isn’t currently supported on the Mac OS X platform.

You can also block your users from opening Office 2003 and earlier documents using Microsoft Office File Block policy. KB968272 contains details for Microsoft Office 2003 and Microsoft Office 2007 on applying registry changes to prohibit users from opening Office 2003 format documents. Office 2007 offers the ability to manage “trusted locations” that can be excluded from the File Block policy. Office 2003 users must instead use an OICEExemptions registry key if they want to exempt a directory from the File Block policy.
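As an added example that is not from Microsoft’s advisory or KB968272, the following Python code applies the same File Block idea at a mail gateway or file server, where the Office registry policy does not reach. It decides the format from the file’s own leading bytes rather than its extension, so a legacy binary workbook renamed to .xlsx is still recognized and blocked. The sample files are constructed in memory; the policy (block every Office 97-2003 binary container, allow OOXML) is an assumption for the example.

```python
"""Content-based identification of legacy Office binary files.

Added example, not from the Microsoft advisory or KB968272. It complements the
Office-side File Block policy with a check a gateway could run: the format is
decided from the file's own bytes, so a .xls renamed to .xlsx (or the other
way round) is classified correctly. Sample files are constructed in memory.
"""
import io
import os
import zipfile

# Office 97-2003 .xls/.doc/.ppt are OLE2 Compound File Binary containers.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Office 2007 OOXML .xlsx/.docx/.pptx are zip containers with a [Content_Types].xml part.
ZIP_MAGIC = b"PK\x03\x04"
LEGACY_EXTS = {".xls", ".xlt", ".xla", ".doc", ".dot", ".ppt", ".pot", ".pps"}


def classify(data):
    """Return 'legacy-binary', 'ooxml', 'zip' or 'other' from the leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            pass  # zip signature but no readable archive: treat as a plain zip
        return "zip"
    return "other"


def file_block_decision(filename, data):
    """Gateway-side File Block (assumed policy): returns (action, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    kind = classify(data)
    if kind == "legacy-binary":
        note = "" if ext in LEGACY_EXTS else f" (extension {ext or 'none'} does not match content)"
        return "block", f"{filename}: Office 97-2003 binary container{note}"
    if ext in LEGACY_EXTS:
        return "allow", f"{filename}: extension is legacy but content is {kind}"
    return "allow", f"{filename}: {kind}"


def make_legacy_sample():
    """Constructed stand-in for a binary .xls: OLE2 header plus zero padding."""
    return OLE2_MAGIC + b"\x00" * 504


def make_ooxml_sample():
    """Constructed stand-in for a .xlsx: minimal zip with the OOXML content-types part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("q1.xls", make_legacy_sample()), ("q1.xlsx", make_legacy_sample()),
                       ("q1.xlsx", make_ooxml_sample()), ("notes.txt", b"hello")]:
        print(file_block_decision(name, blob))
```

The extension/content mismatch is reported separately because it is itself worth a look: a binary workbook carrying an .xlsx name is exactly what a targeted attachment would do to slip past an extension-only filter.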

It remains to be seen if OpenOffice or other alternative office suites are affected by the same kind of programming flaw that caused the vulnerability in Office. Although Microsoft’s new Office Open XML (OOXML) formats, and the SDLC-developed code that Microsoft wrote to implement them, do seem less at risk from these kinds of vulnerabilities than the legacy formats, a move to exchanging strictly OOXML would have its own drawbacks. Some older releases of Microsoft Office and many alternative office suites do not support the newer OOXML formats. Even users of Office 2003 must go out of their way to install additional software from Microsoft in order to open OOXML documents. When exchanging documents with partners in a business setting, the recipient’s ability to easily read the attachment is certainly an important consideration.

The Microsoft Security Response Center is a good source for updated information as Microsoft’s investigation continues. I’m sure there will be new developments on this issue shortly.

References:

CVE-2009-0238

ShmooCon V

Tuesday, February 24th, 2009

We attended ShmooCon V the first weekend in February. We arrived early on Friday morning and had a wonderful time at the con and in DC. Thanks to all the guys (and gals) from The Shmoo Group and the conference staff for all their hard work in putting this event together!

There were a number of talks this year worth noting. Rick “Zero_Chaos” Farina’s humorously titled talk on 802.11 provided some interesting information on using consumer WiFi chipsets to receive (and potentially transmit) on non-WiFi frequencies. Rick found that the radios of many consumer chipsets have the ability to operate outside the normal WiFi channels 1 – 11 that those of us in the United States are legally permitted to use. Other frequencies in the range supported by some of these chipsets include those used for public safety, military communications, terrestrial broadcasts of satellite radio (i.e., SIRIUS Satellite Radio, XM Radio), and DECT-based cordless phones. We hadn’t realized that there was a DECT plug-in available for kismet-newcore. Rick also discussed some changes being made in the Linux kernel and userspace around software control over which frequencies a wireless chipset can operate on.

We also attended “Jsunpack: An Automatic JavaScript Unpacker” from Blake Hartstein. Jsunpack looks to be a promising new tool for analyzing packed or obfuscated JavaScript and appears to address many of the shortcomings that plagued previous approaches.

Another talk we enjoyed was “All Your Packets are Belong To Us: Attacking Backbone Technologies” by Enno Rey and Daniel Mende. The talk raised some interesting questions about the trust model (or lack thereof) of MPLS and Carrier Ethernet services used by many enterprises today. Enno and Daniel also threw in a few live demos of re-labeling MPLS traffic traversing a carrier network, and of launching Layer 2 attacks across the cloud via Carrier Ethernet.

Overall it was a great time. We enjoyed having an opportunity to visit with our InfoSec friends, as well as getting the chance to make some new ones!

- Ben Feinstein & Bow Sineath

Speaking at ToorCon This Weekend

Tuesday, September 23rd, 2008

I have the honor of presenting at ToorCon X this coming weekend at the San Diego Convention Center. I will be delivering a new talk entitled “Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln” at 2pm PDT on Saturday, September 27. If you’re in the vicinity of southern California this weekend, I encourage you to make the trip down to ToorCon. Based on my experience as an attendee last year, it is a great smaller con with a strong reputation for very deep technical talks.

I’ll also be in the Crash Course in Penetration Testing Workshop and the Deep Knowledge Seminars, so maybe I’ll catch some of y’all there too, before the actual conference kicks off Friday evening.

Droppin’ Some Hashes

Monday, September 22nd, 2008

At SecureWorks, we follow a Responsible Disclosure Policy. As such, when we find vulnerabilities in other vendors’ products or services, there is often a delay between the discovery and when we can publicly disclose the issue.

The following cryptographic hashes are related to a couple of disclosure processes I kicked off on Thursday, September 18, 2008.

File #1
MD5 b0625c8d39e3fcfaf51a577e310eb053
SHA1 0a8bdb073855eee0d31ff3afb081cf1d8d17c2bd

File #2
MD5 c74309900e7b11de5d7f211eb536cdb6
SHA1 99870aa6a0b4b33a88a2fbfd3eb83ce38bfbb7ce

Black Hat Briefings 2008 / DEFCON 16: It’s a Wrap!

Tuesday, August 19th, 2008

Now that I’m back from Las Vegas and have had a week to dig out from under email and work tasks, I’d like to share a short post-con wrap-up.

The Black Hat Briefings 2008 were a good time. Just as important as the briefings, I had a lot of fun meeting new people, seeing old friends, and networking with others in the security community. Our industry is really based on trust and trusted relationships, so I always try and get out and mingle at the con.

Both of my DEFCON presentations seemed to be really well received. I was surprised by the large turnout Friday at 10am for my web application firewall (WAF) talk, given that my slot was competing directly with the Dark Tangent’s annual DEFCON keynote and Joe “Kingpin” Grand’s talk on the making of this year’s badge. There were a few good questions, so at least someone was awake and paying attention.

My Friday afternoon talk on Snort plug-in development was very well attended. A group of Sourcefire employees were filling out the front row. They didn’t throw any rotten vegetables at me, so I figure I did alright.

Updated presentation materials should be getting posted to the DEFCON site soon. Here are links to the slides for my WAF talk, and slides for my Snort plug-in development talk. I’m busy adding to my Snort preprocessor for weak SSH2 Diffie-Hellman Group Key Exchange, and should be releasing some new code in the next few weeks.

Speaking at DEFCON 16

Monday, August 4th, 2008

I’ll be delivering two talks at DEFCON 16 in Las Vegas this Friday, August 8th. My first talk, The Wide World of WAFs, covers web application firewalls and some PCI DSS background. In my talk that afternoon, Snort Plug-in Development: Teaching an Old Pig New Tricks, I’ll be releasing GPL licensed Snort plug-ins for ActiveX control detection and for detecting OpenSSH clients and servers using a broken Debian OpenSSL PRNG.

I hope to see some of y’all out in Vegas!

Police & Thieves

Friday, July 11th, 2008

The Unnamed Police Department (we’ll just call them the UPD for short) is charged with keeping the peace in a major American metropolitan area. For a public safety website, theirs is quite advanced. Visitors can view dynamically generated maps showing the distribution of different classes of crimes, make anonymous tips to the narcotics squad, and even try to sign up to join the force. As those of us that work in information security well know, all that rich web functionality brings increased risk.

This past Thursday afternoon I received a report from a colleague that the UPD public website appeared to be serving up malicious JavaScript injections. The URLs of the injected scripts were consistent with the recent waves of mass SQL injection attacks that have targeted Microsoft IIS sites backed by Microsoft SQL Server databases. The injected JavaScript payloads were consistent with malicious scripts generated using the Neosploit obfuscation tool. The first stage script redirected victims to another script, this one hosted at a domain name registered just the day before with a German domain registrar.


The impact of all this? Visitors to the UPD website were having their web browsers loaded with a witches’ brew of exploits, potentially leading to complete system compromise. While not all visitors were successfully exploited, enough folks are getting owned with these attacks to make them increasingly popular with the bad guys. Users of a tool such as the NoScript extension for Firefox (or possibly Microsoft’s new XSSFilter being included with Internet Explorer 8) would have been protected.

I immediately contacted the UPD and reported the issue. The conversation was initially pretty humorous, as you might imagine. Fortunately, the department includes a cybercrimes unit and my report was immediately routed to them. The contact at the UPD called me back about 5 minutes later and informed me one of the investigators in the cybercrimes unit had indeed confirmed the problem, and that they were working to resolve the issue. To verify the report, the cybercrimes investigator supposedly browsed to the UPD’s own public website and saw his anti-virus software light up with warnings.

I checked back less than four hours later, and the site appeared clean. I’m impressed with the speed of the response, given previously reported compromises of state and local government websites (credit to Sunbelt Blog: here, here, here, and here). I really thought I had enough time to get home before writing a cron job to keep checking the site for when it got cleaned up!

Unless the underlying SQL injection vulnerability was fixed however, this site is very likely to fall victim again, and soon.
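As an added example that is not part of the original post, the following Python script implements the kind of recurring check described above (the cron job the author mentions): parse the served HTML, collect every script and iframe include, and flag any served from a host outside an allowlist of the site’s own content hosts. The HTML, the allowlist and the host names are constructed for the example (reserved .test domains), not taken from the UPD site; the sample page places the injected tag inside a database-driven table cell, mirroring the mass-SQL-injection pattern the post describes.

```python
"""Monitor a site's HTML for injected third-party script and iframe includes.

Added example, not part of the original post. The page, allowlist and host
names below are CONSTRUCTED (reserved .test domains); nothing here is from the
UPD site. The injected tag sits inside a database-driven table cell, which is
how mass SQL injection lands in a page: in the data, not in the template.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the hypothetical site legitimately loads from (assumed allowlist).
ALLOWED_HOSTS = {"maps.example-cdn.test"}

SAMPLE_HTML = """<html><head><title>UPD Crime Map</title>
<script src="/js/map.js"></script>
<script src="http://maps.example-cdn.test/api.js"></script>
</head><body>
<table><tr><td>Burglary</td><td>12<script src="http://evil.example.test/ngg.js"></script></td></tr></table>
<iframe src="//evil.example.test/in.cgi?3" width="0" height="0"></iframe>
</body></html>"""


class IncludeCollector(HTMLParser):
    """Record (tag, src) for every <script src=...> and <iframe src=...>."""

    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.includes.append((tag, src))


def find_foreign_includes(html, allowed_hosts):
    """Return (tag, host, src) for includes served from hosts outside the allowlist.

    Relative URLs (no host) are the site's own and are skipped; protocol-relative
    '//host/path' URLs resolve to their host just like absolute ones.
    """
    parser = IncludeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, src in parser.includes:
        host = urlsplit(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append((tag, host.lower(), src))
    return findings


def new_hosts_since_baseline(findings, baseline_hosts):
    """Hosts seen now that were absent from the last clean snapshot: the alert condition."""
    return sorted({host for _, host, _ in findings} - set(baseline_hosts))


if __name__ == "__main__":
    hits = find_foreign_includes(SAMPLE_HTML, ALLOWED_HOSTS)
    for tag, host, src in hits:
        print(f"{tag} from {host}: {src}")
    print("new hosts:", new_hosts_since_baseline(hits, baseline_hosts=set()))
```

Run from cron against a fetched copy of the page, the baseline comparison is what keeps the check quiet: known third-party hosts are recorded once, and only a host that was not there on the last clean run raises an alert, which is exactly the signal that would have caught the UPD injection the day it appeared.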