Author Archive

DEFCON 18: Conference Recap (Part 1)

Tuesday, August 3rd, 2010

I just returned from this year’s DEFCON conference held in Las Vegas. Overall, it was a great time and I enjoyed meeting everyone. This year was my first time attending DEFCON and I was surprised at the number of attendees. There were so many great presentations that I wasn’t able to attend them all. Here’s a brief recap of some of the talks I enjoyed:

How to get your FBI file (and other information you want from the Federal government)
This talk was delivered by Marcia Hofmann of the EFF (Electronic Frontier Foundation). She spoke about using the Freedom of Information Act (FOIA) and the Privacy Act to properly request information from the government. Attention to detail and limiting the scope of requests is important when making FOIA or Privacy Act requests.

Cloud Computing, a Weapon of Mass Destruction?
This talk centered on DDoS (Distributed Denial of Service) attacks from the cloud. The presenters unveiled a proof-of-concept tool called ThunderClap, which utilized the Amazon EC2 cloud. They instantiated multiple virtual machines and started running DDoS attacks against their target. The economics of this attack are surprising. For a very small amount of money, a potential adversary may command a staggering amount of bandwidth, rendering the victim site unusable.

Token Kidnapping’s Revenge
Cesar Cerrudo of Argeniss delivered this impressive talk, in which he described a token kidnapping vulnerability affecting modern versions of Microsoft Windows, including Windows 7. Token kidnapping leads to a process thread’s execution under an alternate security context, opening the door to privilege escalation attacks. He demonstrated a proof-of-concept exploit involving the Windows Telephony Service.

Build Your Own UAV 2.0 – Wireless Mayhem from the Heavens!
This was one of my favorite talks at DEFCON. For around $1500-$2000, anyone can build a UAV (Unmanned Aerial Vehicle) with surprising capabilities. The speakers recommended an inexpensive and quite capable foam plane called the Skywalker. Using upgraded components along with an auto-pilot and GPS unit, the UAV was able to carry a payload of approximately three pounds. In flight, their UAV is capable of broadcasting live video and performing a variety of wireless network reconnaissance. I am inspired to build my own UAV after hearing this talk!

I had a great time at DEFCON this year. My only regret is that they ran out of the sought-after hardware badges and I got a paper badge instead. Alas, there’s always next time. Thanks to the DEFCON organizers and ‘goons’ (the DEFCON volunteers) for all their hard work. I’ll see you next time!


Windows Help Center 0-day arbitrary command execution

Thursday, June 10th, 2010

The SecureWorks CTU is closely monitoring a 0-day vulnerability in multiple Microsoft Windows operating system releases. The vulnerability lies in how Windows handles hcp:// URLs, which are used to access help documents. An attacker may create a malicious hcp:// URL and distribute it to victims via an HTML web page, e-mail message, document, or a variety of other attack vectors. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands, which may result in total system compromise. This vulnerability is an excellent example of a blended threat: leveraging several vulnerabilities of a lesser severity to accomplish an attack of greater severity.

The original discloser reports that Windows XP and Windows Server 2003 using Internet Explorer 8, Mozilla Firefox, and Google Chrome are affected. Microsoft has reported that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are not vulnerable to this attack. Microsoft has released Microsoft Security Advisory 2219475 discussing the details of this vulnerability.

When invoked using an hcp:// URL, Windows Help Center uses a whitelist to only allow certain help documents and parameters. An error in the MPC::HTML::UrlUnescapeW() function bypasses this whitelist, permitting access to any help documents on a system. Combined with a known DOM-based (Document Object Model) cross-site scripting (XSS) vulnerability in sysinfomain.htm, hcp:// links may be created that launch arbitrary commands when visited on a vulnerable computer, although a warning dialog box displays to the victim before the command can launch.

Figure 1. Warning dialog to allow command execution.

Figure 2. Successful execution of calc.exe.

The warning dialog may be suppressed when the exploit is placed in an IFRAME in an .ASX file containing an HtmlView element. This approach is advantageous to a potential adversary, because viewing a malicious web page or e-mail may be all that is required to successfully exploit the vulnerability. Other methods of suppressing the warning dialog box may also exist. Proof of concept code is available at the following site:

http://seclists.org/fulldisclosure/2010/Jun/205

An unofficial hotfix has been released by the original discloser; however, this patch may be bypassed, as it does not properly correct the underlying vulnerability. At this time, there is no official patch available. Disabling the HCP protocol handler is the recommended mitigation, but doing so will impact some legitimate Windows Help Center functionality. This mitigation may also be pushed to multiple clients using Group Policy.

Before modifying the registry, the CTU recommends you export a copy of the HCP registry hive so it may be restored later if needed.

  1. Click Start, and then click Run.
  2. Type regedit, and then click OK.
  3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
  4. Right-click the HCP key, and then click Export.
  5. Export the registry hive to a local file.
  6. Right-click the HCP key, and then click Delete.


Skype Eavesdropping Trojan

Friday, September 25th, 2009

Recently, programmer Ruben Unteregger released the source code for a Trojan that allows an attacker to listen in on a victim’s Skype conversations [1]. For approximately seven years, Unteregger has worked as a software engineer for ERA IT Solutions AG where he developed the trojan. Skype traffic is encrypted using a 256-bit AES block cipher [2], the kind approved by the US Government to protect “TOP SECRET” information.

The Megapanzer trojan variant was released as free software by Unteregger under the GNU General Public License (GPL). The trojan works by injecting a thread into the Skype process and hooking several API calls. While Unteregger’s trojan does not break Skype’s encryption, this method allows an attacker to bypass it as PCM audio data is captured after being decrypted and converted to MP3 digital audio files. The MP3 recordings of the Skype call may then be uploaded to an attacker-controlled server [3].

Fig. 1: Skype Trojan Overview [1]

Governments around the world worry about the use of Skype for nefarious purposes, as the service may be used to place calls that cannot be traced or monitored using contemporary lawful interception techniques. The NSA has reportedly offered billions of dollars to anyone who can “offer reliable eavesdropping on Skype IM and voice traffic” [4]. Even though no backdoors or weaknesses in Skype’s encryption scheme have been disclosed, this trojan demonstrates that an attacker doesn’t need to exploit a flaw in Skype to eavesdrop on Skype communications. This is essentially a variation on the Man-in-the-Browser (MitB) techniques used by malware to steal information and commit financial fraud.

It seems novel that a programmer would release a trojan as free and open source software; however, Unteregger stated in an interview that he wanted the code to be available to anyone who wanted to learn from it or add functionality [5]. In addition, since the code is published, it will be detected and blocked by most AV products. The trojan is currently detected by AV as Trojan.Peskyspy.

Fig. 2: Skype Trojan Source Snippet

After becoming infected, the trojan will attempt to disable the following firewalls (if they are present):

  • Outpost firewall
  • McAfee firewall
  • ZoneAlarm firewall
  • BitDefender firewall
  • F-Secure firewall
  • Kerio firewall
  • AVG firewall
  • Webroot firewall

A backdoor will be created, allowing an attacker to communicate with the victim’s machine. Once connected, an attacker may upload captured MP3 files, update the trojan, or remove the trojan from the machine. The released trojan does not contain a mechanism to spread itself, and has not been weaponized. The CTU believes that we may see variations of this trojan in the future and, as always, recommends keeping gateway and host AV signatures up to date and using a defense-in-depth approach to security.

References:

  1. http://www.megapanzer.com/source-code/
  2. https://support.skype.com/faq/FA145/What-type-of-encryption-is-used
  3. http://blogs.zdnet.com/security/?p=4133
  4. http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/
  5. http://www.megapanzer.com/2009/08/25/interview-on-gulli-com-about-the-skype-trojan-and-trojans-in-general-english/

Twitter-Based Botnet Command and Control

Friday, September 4th, 2009

Twitter is a social networking and microblogging service launched in late 2006. Once logged in, users post small updates to the site frequently throughout the day. These short update messages, known as “tweets,” may not exceed 140 UTF-8 encoded characters. A user’s tweets are displayed on his or her “timeline” for “followers” to see, and are accessible anonymously via the Twitter web site, RSS, or the Twitter API.

A web service like Twitter that allows users to publish short update messages to a publicly accessible page is a prime candidate for botnet command and control. This is especially true with regard to Twitter, since it is widely used. This large amount of content generated on a daily basis makes it easier for an attacker to blend in without being noticed. A proof-of-concept tool named KreiosC2 was released by Robin Wood that allows users to control machines via a central Twitter feed.

Jose Nazario of Arbor Networks recently uncovered a Brazilian infostealer trojan that uses Twitter for command and control and targets online banking credentials. Here we can see the malicious Twitter account (now cancelled by Twitter) and several encoded tweets:

Encoded links on Twitter used for command and control

Source: Arbor Networks

The messages shown are Base64 encoded URLs. Decoding the links and following them leads to an encoded .ZIP archive, which contains the infostealer trojan. In my opinion, using Twitter is an expected but novel addition to the list of previously used command & control protocols, including HTTP, IRC, P2P, et al. Here we can see a graph of infected machines, the majority of which are located in Brazil.

Affected country graph

Source: Arbor Networks

Twitter is not alone; it’s also important to note that other microblogging services such as Jaiku and Tumblr are being used in similar ways. In this case, the malicious tweets look suspicious and are easily decoded, revealing links to malicious sites hiding behind URL redirection services such as bit.ly. The complexity of these command & control mechanisms will continue to increase, with the end goal of operating in a completely undetectable manner.
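The decode-and-inspect step described above, written up as an added example (not code from this post or from Arbor Networks): every token in a constructed sample timeline that uses only the Base64 alphabet is decoded, and any URL that appears is reported, tagging hosts that are URL redirection services such as bit.ly and paths that end in an archive or executable name. The placeholder URLs, the shortener hosts other than bit.ly, and the file suffixes other than .zip are assumptions.

```python
"""Decode Base64-looking status messages and report any URLs hidden in them."""
import base64
import binascii
import re
from urllib.parse import urlparse

# A token is worth trying as Base64 only if it uses just the Base64 alphabet
# and is long enough to carry a URL (short ordinary words are skipped).
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# bit.ly is the redirection service named in the post; the other hosts and
# the file suffixes beyond .zip are assumptions added for this example.
REDIRECTORS = {"bit.ly", "tinyurl.com", "is.gd"}
DOWNLOAD_SUFFIXES = (".zip", ".rar", ".exe")


def try_decode_base64(token: str):
    """Return the decoded UTF-8 text of a Base64 token, or None if it is not one."""
    if not BASE64_TOKEN.match(token):
        return None
    # Tweets may drop the trailing '=' padding; restore it before decoding.
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Valid UTF-8 that is not printable text is binary noise, not a command.
    return text if text.isprintable() else None


def hidden_urls(tweet: str):
    """Decode every Base64-looking token in a tweet and collect URLs found inside."""
    found = []
    for token in tweet.split():
        decoded = try_decode_base64(token)
        if decoded:
            found.extend(URL_IN_TEXT.findall(decoded))
    return found


def classify_url(url: str) -> str:
    """Tag a decoded URL by the role it most likely plays in the C2 chain."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host in REDIRECTORS:
        return "redirector"      # shortener hiding the real destination
    if parts.path.lower().endswith(DOWNLOAD_SUFFIXES):
        return "download"        # points straight at an archive or binary
    return "other"


def scan_timeline(tweets):
    """Return one finding per encoded URL across a list of tweets."""
    findings = []
    for tweet in tweets:
        for url in hidden_urls(tweet):
            findings.append({"tweet": tweet, "url": url, "kind": classify_url(url)})
    return findings


# Constructed sample timeline (not real tweets); the encoded entries wrap
# placeholder URLs, so the detector can be exercised offline.
PLACEHOLDER_REDIRECT = "http://bit.ly/EXAMPLE-placeholder"
PLACEHOLDER_ARCHIVE = "http://example.invalid/update/payload.zip"
SAMPLE_TIMELINE = [
    "Just had coffee, back to work",
    base64.b64encode(PLACEHOLDER_REDIRECT.encode()).decode(),
    "aaaaaaaaaaaaaaaaaaaaaaaa",  # Base64 alphabet, but decodes to binary junk
    base64.b64encode(PLACEHOLDER_ARCHIVE.encode()).decode(),
]

if __name__ == "__main__":
    for finding in scan_timeline(SAMPLE_TIMELINE):
        print(f"{finding['kind']:<10} {finding['url']}  <- {finding['tweet']}")
```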


Browser Memory Models – Firefox Catching Up?

Friday, July 24th, 2009

Mozilla Firefox has long been my browser of choice. Even though Firefox has not surpassed IE’s market share on the web, there are several features that make the browser indispensable to many of us. Firebug, NoScript, AdBlock Plus, Tamper Data, and the entire plugin architecture are must-haves!

Today, both the Google Chrome and Internet Explorer web browsers have a multi-process memory model, which allows each browser tab or component to run in its own memory space. A tab that crashes in this case will not affect other pages. This is great, except that it does not apply to Firefox. If one of my tabs crashes, the entire browser must be restarted.

Until now! A radical change to Firefox’s memory model was recently announced: a new project called Electrolysis aims to outfit Firefox with multi-process capabilities. This is great news for Firefox fans. The Electrolysis page states that a future goal of the new memory model may be to provide security enhancements as well.


SHA-1 Collision Attacks Now 2^52

Wednesday, June 3rd, 2009

Summary:

Eurocrypt 2009 was recently held from April 26-30 in Cologne, Germany. Sponsored by the International Association for Cryptologic Research (IACR), the website states that "It is devoted to all aspects of cryptology." This year’s Eurocrypt rump session, held on April 28, featured a talk entitled "Automatic Differential Path Searching for SHA-1". Authored by researchers at Macquarie University in Sydney, Australia, their work reveals a collision attack on SHA-1 with a complexity of 2^52 operations (the previous fastest known SHA-1 collision attack had required 2^63 operations). This is a significant improvement in finding SHA-1 collisions.

Hash Function Attacks:

A cryptographic hash function is an algorithm that takes a message as an input and computes a fixed-size digest. SHA-1 generates 160-bit digests. The generated digest is used for a variety of applications related to information security, information assurance, and digital trust relationships. When designing new algorithms, designers of cryptographic hash functions aim to fulfill three basic properties:

  • Pre-image Resistance:
    Given a hash digest, it is difficult to find any message that will hash to the specified digest value.
  • Second Pre-image Resistance:
    Given a message, it is difficult to find a different message that hashes to the same digest value as the original message.
  • Collision Resistance:
    It is difficult to find any two unique messages that hash to the same digest value.

In this case, the SHA-1 attacks affect collision resistance, not pre-image or second pre-image resistance. This means that after 2^52 operations, the researchers are able to generate two unique messages that hash to the same digest value. Obtaining a SHA-1 collision via brute force would require 2^80 operations (the birthday bound for a 160-bit digest, 2^(160/2)). To date, it remains computationally infeasible to perform pre-image and second pre-image attacks on SHA-1. At the time of writing, I am unaware of a practical collision that has been found.

One iteration of the SHA-1 function:

Until recently, SHA-1 was widely regarded as the standard in cryptographic hash functions, and it remains widely used in a variety of crypto systems and as a normative reference in other RFCs and standards. The transition to the stronger SHA-2 functions presents the potential for interoperability issues, as SHA-2 signatures generated by updated systems may be unsupported by older systems. Adoption of the stronger hash functions must be carefully planned in order to reduce disruption to critical business functions.

The Digital Signature Algorithm (DSA) is an example of an important standard that relies in part on SHA-1. It specifies the use of a 160-bit hash function for the signatures used in 1024-bit DSA keys. The SHA-1 algorithm is nearly always the one used to sign these 1024-bit DSA keys. In order to eliminate reliance on SHA-1, users of 1024-bit DSA keys will need to transition to 2048-bit or larger DSA keys.

The OpenPGP Message Format (RFC 4880) also presents a challenge to the transition away from SHA-1. Section 13.3.2 states that SHA-1 is "the MUST-implement algorithm," and that even "if it is not explicitly in the list [of hash functions configured to be supported], it is tacitly at the end. However, it is good form to place it there explicitly." The GNU Privacy Guard (GnuPG) command-line tool will automatically re-enable SHA-1 if you remove it from a key’s list of supported hash functions, visibly adding it to the end of the list just as suggested in RFC 4880. On the bright side, both GnuPG and the proprietary PGP have supported SHA-256 for well over 5 years now, making interoperability during the transition much less of an issue for users of those popular implementations.

The OpenPGP Web of Trust (WOT) is almost exclusively made up of SHA-1 signatures. Abandoning SHA-1 signatures today would immediately "evaporate" the Web of Trust. Because of the decentralized nature of the WOT, transitioning off SHA-1 will require a collective and distributed effort on the part of WOT users. There is much work to be done to eliminate reliance on the SHA-1 hash function.

The Debian Project uses OpenPGP and the WOT extensively, and has begun the process of transitioning Debian Developers and Debian Maintainers onto stronger crypto algorithms. Debian’s transition documentation contains some valuable guidance on making the switch as non-disruptive as practicable. Debian’s transition might well serve as an example for other organizations that rely heavily on PGP-based cryptographic infrastructure.

A centralized, Certificate Authority (CA) based chain-of-trust Public Key Infrastructure (PKI) forms the basis for SSL/TLS authentication, and with that, the trust needed for secure use of the Web. Such a system offers a different set of challenges for a transition to the SHA-2 family of hash functions. CAs will need to recreate their intermediate chains-of-trust using SHA-2 signatures and make plans to revoke their SHA-1 signed certificate chains. (Will someone please explain to me how you revoke a root CA certificate?) Users and system administrators with certificates signed using SHA-1 will need to be issued SHA-2 replacements, or more likely will receive a new SHA-2 certificate when they go to renew their certificate with a CA. OS and web browser makers will need to build in support for SHA-2 hash functions if they have not already, and update their lists of trusted root CAs. And of course, users will need to update their OSes and web browsers to support SHA-2 and to receive the updated lists of trusted root CAs.

Every actor has a role to play: end users, organizations, software makers, Certificate Authorities, standards bodies, and of course let’s not forget the system administrators.


Conficker.C Worm Activity Detected

Tuesday, April 14th, 2009

Previously, the April 1st "activation date" of the Conficker.C worm was hyped as a doomsday. As Joe Stewart explains in the previous post, an update to the worm used a new algorithm to generate 50,000 domain names which could potentially be used as update or command and control servers. Conficker A and B variants chose from a list of only 250 domain names per day.

A week later, Conficker’s authors seem to be up to no good, as Conficker.C has just started delivering a nasty cocktail. It is interesting to note that the updates were sent to infected machines via P2P, not HTTP. This may mean that using the list of 50,000 possible domains for updates was a red herring. Another possible reason behind the use of P2P updates as opposed to HTTP is that the controls and mitigations put in place by security vendors were sufficient to warrant the use of P2P instead.

The SecureWorks Counter Threat Unit has observed Conficker.C installing Waledac. Waledac then installs the rogue security product Spyware Protect 2009. At some point, users of these machines will see popups trying to get users to pay for the software at a price of $49.95. The SecureWorks CTU continues to monitor and protect against this threat.


Tornado Malware Kit

Thursday, March 5th, 2009

In this post, we will be taking a look at the Tornado Malware kit. Tornado is a Russian web-attack kit used by hackers to compromise as many machines as possible. “Out of the box,” it comes with 14 exploits, although users have space to add more, thanks to a modular design (handy!). Visitors are greeted with the following login prompt:

The spelling throughout the application is generally poor. After login, users are taken to the stats page (a dashboard of sorts) which shows information about the traffic the kit has seen so far, broken down by OS and web browser. The Tornado kit has a target URL which attackers direct as much traffic to as possible. Once an attacker is able to lure a visitor to the malicious URL, Tornado chooses an exploit most likely to succeed and serves it up. It does this by analyzing the visiting browser’s User-Agent header. Here we can see part of that process:

In some cases, attackers place the link into other compromised sites, so that visitors may have no idea they are browsing a malicious site. Buried in the obfuscated code, several requests are made to Russian web sites. This allows the author of the kit to monitor where the kit is used, and make sure that it is being used, you know, “legally”.

If the browser exploit attempt is successful, the victim’s machine will make a request to download an EXE from the attacker’s site. At this point, it is game over. The loader that Tornado uses is configurable, so it’s easy to add additional payloads, or change to a different payload altogether, as seen in our final screen shot. Overall, this simple exploit kit has some worrisome capabilities.


Chinese Hackers Talk Hacking

Sunday, January 4th, 2009

Beijing, China 4/2008

Zhong guo hei ke tan hei ke, or ‘Chinese Hackers Talk Hacker,’ was an information security conference held earlier this year in Beijing, China. Sponsored by Yesky, a popular Chinese electronics e-retailer, the event drew around 80 attendees, most of whom were hackers that had previously communicated entirely over the internet. Some of the more well-known attendees included Frankie Zie (now CTO of a network security company in China, former black-hat and well-known in Shenzhen), r00t (has hacked numerous U.S. websites), and netcc (claims to possess the ability to hack a thousand websites per month).

These figures show some attack trends gathered by the SecureWorks CTU (Counter Threat Unit). Shown here is the number of cyber-attacks per foreign country. These stats are from September 2008; however, it is clear that China’s numbers dwarf those of other foreign countries, and attacks from China continue to increase.

Fig.: Cyber-attacks per foreign country, SecureWorks CTU, September 2008

In interviews given at the conference and online, we get some insight into the Chinese hacking subculture and how it is growing at such a rapid pace. Translated below are some interesting responses that seemed to reflect the attitude of the populace:

Q: Under what circumstances will you perform a hack?

A: If it is a matter that affects us internationally, then we will gather members to perform the attack. Most of the time, we attack through the web site.

Q: What’s the difference between Chinese and U.S. hackers?

A: Over the past few years, Chinese hackers could not compare with hackers overseas. However, our hacking level is increasing rapidly. For example, we recently discovered a Microsoft vulnerability.

Xiao Rong, well known among the guests, provides software tools for use by other members of the hacking community. He begins his work nightly at 9pm, and spends all night scanning overseas websites for latent vulnerabilities. His guiding principle is ‘Don’t be hostile towards society.’ Overall, the attitude seems to be white-hat in nature, despite some guests’ history. It seems that if one’s intentions are judged to be ‘good,’ performing the hack seems to be acceptable (never mind the legalities).

Here’s more from the conference:

Q: What is a hacker?

A: Hackers are a very disagreeable topic. In my opinion, hackers are interested in any kind of computer system; they proactively look for vulnerabilities in systems and at the same time look for solutions. Another kind of hacker, the ‘cracker,’ just intentionally breaks into others’ systems and causes interruption to their systems. Now, the media categorizes both hackers and crackers alike. I must clarify that this is wrong.

Q: Who is your idol?

A: Kevin Mitnick. In my opinion, the real hacker will not name himself as such, only by others.

Q: What does the existence of hackers mean for the Internet?

A: The internet would not exist without hacker culture. In the 70’s, hackers proposed a simple machine to serve people, and thus created the PC. Apple was also created by 70’s hackers. Later, hackers proposed the sharing of information and thus created the Internet.

Another guest known as ‘Shot Gun’ commented: “…more than 80 percent of Chinese websites are vulnerable. In February of this year, the most secure network, Yahoo, was hacked; this made people realize the importance of network security. However, many companies don’t have the resources to secure their own network.” Later, while speaking about what ‘real hacking’ involves:

…the true hacker will lock themselves in a room, eating only instant noodles, with cigarette butts everywhere. The men do not shave for months, just to solve a technical difficulty.

…hackers are irreplaceable. Hackers are warriors, we should be grateful for their dedication and give them a “real name.”

As the Chinese ‘hackers’ and ‘crackers’ (it’s not immediately apparent that white-hats in other nations are playing by the same rules either) continue to mount attacks, the SecureWorks CTU continues to investigate and protect against these threats.

Information Source: http://blog.54master.com/index.php/710520/viewspace-31153


DarkMarket: FBI Sting Closes E-Doors

Tuesday, October 21st, 2008

DarkMarket.ws (known in carding, identity theft, and other black-hat rings) went “Dark” earlier this month. DarkMarket was widely known and respected among criminals as a forum for exchanging stolen banking data, credit card information, and other underground activities. What users of the site didn’t know was that the site wasn’t really hosted by Eastern-European hackers. It was run from an FBI location in Pittsburgh, PA, where agents of the National Cyber Forensics Training Alliance collaborated with industry professionals and graduate students for assistance tracing the identities and locations of criminals. The DarkMarket site was run primarily by agent J. Keith Mularski, under the handle ‘Master Splyntr’.

Reports leaked from Südwestrundfunk, a German radio station, revealed the FBI operation’s role in detaining a German card fraudster active on the site. In operation since November of 2006, DarkMarket was especially well known for English-speaking forums. Ironically, soon after DarkMarket’s launch in 2006, well-known hacker Max Ray Butler penetrated the site’s servers and found information revealing FBI ties. Butler’s claims to the underground were largely ignored; at the time, he ran a competing underground forum. As a result, most believed his claims false. DarkMarket successfully continued operations despite Butler’s claims.

Now that the site has gone down and the cat is out of the bag, numerous arrests are expected. This is a big win for the good guys. So far, 56 arrests have been made. We have a suspicion that others who may have conducted business at DarkMarket have not been sleeping too well, as additional arrests are expected.

In this case, the FBI got it right. It’s an impressive feat to penetrate the inner circle of these criminals.
