Tumblelog by Soup.io

January 30 2015

raistlin
00:00

A few notes on the recent wave of Cryptolocker attacks


A wave of cryptolocker samples hit recently, with the following interesting characteristic: besides the usual English version, there were French, Italian, German and Dutch versions.

At least the Italian one featured a very convincing translation of the emails that try to social-engineer users into installing the malware, which arguably gives it a high success rate.

The propagation vector is an email attachment: a .cab file containing a .scr executable. According to intelligence, this is a Dalexis dropper that eventually installs CTB-Locker.

The malware encrypts all files with the following extensions: wm,kwm,txt,cer,crt,der,pem,doc,cpp,c,php,js,cs,pas,bas,pl,py,docx,rtf,docm,xls,xlsx,safe,groups,xlk,xlsb,xlsm,mdb,mdf,dbf,sql,md,dd,dds,jpe,jpg,jpeg,cr2,raw,rw2,rwl,dwg,dxf,dxg,psd,3fr,accdb,ai,arw,bay,blend,cdr,crw,dcr,dng,eps,erf,indd,kdc,mef,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,p12,p7b,p7c,pdd,pdf,pef,pfx,ppt,pptm,pptx,pst,ptx,r3d,raf,srf,srw,wb2,vsd,wpd,wps,7z,zip,rar,dbx,gdb,bsdr,bsdu,bdcr,bdcu,bpdr,bpdu,ims,bds,bdd,bdp,gsf,gsd,iss,arp,rik,gdb,fdb,abu,config,rgx

At the moment I am not aware of any way to extract the key or reverse the process. The only remedy available is to restore data from backups. A worthwhile attempt is to carve the drive in the hope of recovering the previous versions of the files.

A couple of virustotal sample analyses:

Runtime info for the latter:

Another runtime analysis of a similar sample:

The following connections are observed with this specific dropper:
"91.142.215.77" TCP 443
"95.211.144.65" TCP 443
"66.96.131.12" TCP 443
"mmadolec.ipower.com"
"evalero.com"
"springtree.cba.pl"

The in-memory strings contain the following URLs, which are common to Dalexis:

"hXXp://collection-opus.fr/_gfx/cario.tar.gz"
"hXXp://compassfx.com/OLD/cario.tar.gz"
"hXXp://evalero.com/img/cario.tar.gz"
"hXXp://masterbranditalia.com/downloader/cario.tar.gz"
"hXXp://mmadolec.ipower.com/me/cario.tar.gz"
"hXXp://springtree.cba.pl/modules/cario.tar.gz"

A semi-useful IOC is the following string, which seems to appear in many samples: "proftur.pdb"

Also, intelligence says that samples connect to the Tor hidden service dpaqjri6tinnqleh via web2tor proxies, e.g.:
dpaqjri6tinnqleh.onion.lt
dpaqjri6tinnqleh.onion.gq
dpaqjri6tinnqleh.onion.cab
dpaqjri6tinnqleh.tor2web.org
dpaqjri6tinnqleh.tor2web.fi
dpaqjri6tinnqleh.tor2web.blutmagie.de

Unconfirmed intelligence reports the use of 587/tcp to send spam, possibly in order to propagate.

A few hashes of samples:
SHA256 (august-bebel-str_17_15569_woltersdorf.cab) = 7efcbd21fafaa001488491599b8e0fe9235b08c523b866a06cd8d538255f9d37
SHA256 (barquiel_y_hurtado_s_l.cab) = 675e79c44d0223d63a7cf311ce59c541cb93b3e6f09e1e670b4f0fca15d71476
SHA256 (berliner_all_33_40212_dsseldorf.cab) = 8aba6e465598ee28e9a59657db3604b7ac9250352ac81fbf052ce2a373f1ef23
SHA256 (bureau_detudes_clement_sas.cab) = e99e4bc3d477654cc74dc735854a628e5bf20ba844d7abd4e45f70799d92e284
SHA256 (cariverona_banca_spa.cab) = 8b580acada5284bc8e95f8f69d66930d91c7c1c5c6a88899c102312083dd1f96
SHA256 (daimlerstr_6_71546_aspach.cab) = 675d395c361a37d0afea0010d20bca0ebfdbf8c6a18e396e1008370e955ae9a9
SHA256 (entreprises_gros-louis_roger.cab) = 1e41dafe1795b6956e2410979ee7e8c0aab20fac77594955293807c7286ddc09
SHA256 (envol_voyages_sarl.cab) = 8799ca8ecfdae3451ffbd56fd7f487bfedf9a870bf378b4f4ce13825e9462755
SHA256 (fico_tooling_bv.cab) = 97823a4065d0f8db039e5ece3a0a65a01057d0d976232abda828914fc24c458e
SHA256 (friesenstr_40_26655_westerstede.cab) = f26e80494cd83400115dc0fcb6148c65be347fe1e8339e8c2c4efefdff3013c0
SHA256 (jahnstr_18_42579_heiligenhaus.cab) = adaa38dbaecd443c48d249f04c599000fbc3653937972a67123ba2d065c03e78
SHA256 (lantania_srl.cab) = 87e11ae952e8e991f1de70511d33ae642a2d8e9602d5d54b0a5b8a6d9223f5be
SHA256 (mokrupak_verpakkingen_bv.cab) = 53f990073b7e3c68bf7a92233f4ba600619f172ffa48294eda5422077c16c206
SHA256 (pocklington_coach_works_ltd.cab) = 1671e03689b67602a9ec64395f49f16021c5b7c0c28b9f5f514705c9161006d5
SHA256 (rheinmhlenstr_7_68159_mannheim.cab) = dc7f73ec15eee49e3f88a92ae710f966f75bda62e668c71a5f9d6348b1b5dcca
SHA256 (scitec_group_ltd.cab) = d2fe2adea73466264461a05da4e0fcae41aebf57bbe0f1c0f07a9eb8edf2f80b
SHA256 (siempelkampstr_94_47803_krefeld.cab) = a1cb46f0f65607afa2304a378c17274bf4f05bfb6d6d461679b71423d77ce204
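To turn the indicators above into something that can be run over a proxy log and an attachment quarantine, here is an added Python example (not code from the original post). The IPs, hostnames, the dpaqjri6tinnqleh hidden-service name, the cario.tar.gz dropper path and the two SHA256 values are taken from the post; the proxy log lines and the log format are constructed for the example.

```python
import hashlib
import re

# Network IOCs listed in the post.
IOC_IPS = {"91.142.215.77", "95.211.144.65", "66.96.131.12"}
IOC_HOSTS = {
    "mmadolec.ipower.com", "evalero.com", "springtree.cba.pl",
    "collection-opus.fr", "compassfx.com", "masterbranditalia.com",
}
DROPPER_FILE = "cario.tar.gz"
ONION_NAME = "dpaqjri6tinnqleh"
# The hidden service reached through any web2tor gateway (onion.*, tor2web.*),
# so the six gateways in the post and any similar one are covered.
WEB2TOR_RE = re.compile(rf"^{ONION_NAME}\.(?:onion|tor2web)(?:\.[a-z]+)+$")

# Two of the SHA256 values from the post, in the post's own notation.
SHA256_LIST = """
SHA256 (august-bebel-str_17_15569_woltersdorf.cab) = 7efcbd21fafaa001488491599b8e0fe9235b08c523b866a06cd8d538255f9d37
SHA256 (cariverona_banca_spa.cab) = 8b580acada5284bc8e95f8f69d66930d91c7c1c5c6a88899c102312083dd1f96
"""


def parse_sha256_list(text):
    """Parse 'SHA256 (name) = hex' lines into a {hex: name} dict."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"SHA256 \(([^)]+)\) = ([0-9a-f]{64})", text)}


KNOWN_SAMPLES = parse_sha256_list(SHA256_LIST)


def is_known_sample(data):
    """Return the listed sample name if the attachment bytes hash to a known SHA256."""
    return KNOWN_SAMPLES.get(hashlib.sha256(data).hexdigest())


def classify(host, path):
    """Return why a request matches an IOC, or None."""
    host = host.split(":")[0].lower()
    if host in IOC_IPS:
        return "c2-ip"
    if host in IOC_HOSTS:
        return "dropper-download" if path.endswith(DROPPER_FILE) else "ioc-host"
    if WEB2TOR_RE.match(host):
        return "web2tor-to-hidden-service"
    return None


# Constructed proxy log (not real traffic): timestamp client method host[:port] path
PROXY_LOG = """\
2015-01-30T00:12:01 10.0.0.5 CONNECT 91.142.215.77:443 -
2015-01-30T00:12:02 10.0.0.5 GET evalero.com /img/cario.tar.gz
2015-01-30T00:13:10 10.0.0.9 GET dpaqjri6tinnqleh.tor2web.org /
2015-01-30T00:14:00 10.0.0.7 GET www.example.com /index.html
2015-01-30T00:15:30 10.0.0.9 GET dpaqjri6tinnqleh.onion.cab /
"""


def sweep_proxy_log(text):
    """Return (client, host, reason) for every log line that matches an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, _method, host, path = parts
        reason = classify(host, path)
        if reason:
            hits.append((client, host.split(":")[0], reason))
    return hits


def infected_clients(text):
    """Distinct internal hosts to isolate and restore from backup."""
    return sorted({client for client, _, _ in sweep_proxy_log(text)})


if __name__ == "__main__":
    for hit in sweep_proxy_log(PROXY_LOG):
        print(*hit)
    print("triage:", infected_clients(PROXY_LOG))
```

A web2tor hit is the most useful of the three signals: the dropper URLs rotate, but a workstation resolving the onion name through a clearnet gateway is a machine that has already run the payload and is being shown the ransom page.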
Tags: cryptolocker

October 04 2014

raistlin
16:19
How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.
Compromise needed on smartphone encryption - The Washington Post
Tags: idiocy

September 30 2014

raistlin
14:33

Quick summary on ShellShocker

This post contains no original research, just a few links and information on the ShellShocker bug. I put it together as a handy reference for friends & co.; feel free to share.

A summary, along with test cases and info:

Attacks going on in the wild:

- Multiple reports of IP addresses scanning for the vulnerability with a consistent user agent: "User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138".

Request: "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0"
Host: -
UA: "() { :;}; /bin/ping -c 1 198.101.206.138"

Originally this came from Graham at Errata Security (read here), but he has not been scanning for days, so if you still see it, that's not good.
Also, Robert's scanner is polite:
IP: 209.126.230.72
Request: "GET / HTTP/1.0 "
Host: "() { :; }; ping -c 11 209.126.230.74"
UA: "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

The pattern above is being used in active exploitation (see also here), and that specific attack drops a bot that a source has connected to past infections of routers (although this version is for x86).
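As an added example (not code from the original post or from Errata Security), the following Python runs the two probe patterns quoted above through a small detector for web access logs. The log format (one JSON object per line with the request headers) and the third and fourth entries are constructed; the first two entries reproduce the headers shown in the post. The point it adds to the text is that every request header reaches a CGI script as an environment variable, so the check has to cover all headers, not only User-Agent and Host.

```python
import json
import re

# A bash function definition "() { ... }" followed by trailing commands. Vulnerable
# bash versions run the trailing part when the string is imported from the
# environment, which is what CGI does with request headers. The capture keeps the
# command so the analyst can see what the probe tried to run.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")


def classify_source(rec):
    """Name the known polite scanner from the post, else None."""
    ua = rec["headers"].get("User-Agent", "")
    if rec["src"] == "209.126.230.72" or "erratasec.com" in ua:
        return "errata-security-scan"
    return None


def scan(lines):
    """Return one hit per header carrying a Shellshock-style payload."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        # Check every header: Referer, Cookie and custom headers are exported to
        # the CGI environment just like User-Agent and Host.
        for name, value in rec["headers"].items():
            m = SHELLSHOCK_RE.search(value)
            if m:
                hits.append({
                    "src": rec["src"],
                    "request": rec["request"],
                    "header": name,
                    "command": m.group("cmd").strip(),
                    "known_scanner": classify_source(rec),
                })
    return hits


def hostile_sources(lines):
    """Sources that sent a payload and are not the known polite scanner."""
    return sorted({h["src"] for h in scan(lines) if h["known_scanner"] is None})


# Constructed JSON-lines access log; the first two entries reproduce the patterns
# quoted in the post, the other two are invented for the example.
LOG_LINES = [
    json.dumps({"src": "203.0.113.9", "request": "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0",
                "headers": {"Host": "-",
                            "User-Agent": "() { :;}; /bin/ping -c 1 198.101.206.138"}}),
    json.dumps({"src": "209.126.230.72", "request": "GET / HTTP/1.0",
                "headers": {"Host": "() { :; }; ping -c 11 209.126.230.74",
                            "User-Agent": "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"}}),
    json.dumps({"src": "198.51.100.4", "request": "GET /index.html HTTP/1.1",
                "headers": {"Host": "www.example.org", "User-Agent": "Mozilla/5.0"}}),
    json.dumps({"src": "203.0.113.77", "request": "GET /cgi-bin/status HTTP/1.1",
                "headers": {"Host": "www.example.org", "User-Agent": "curl/7.37",
                            "Referer": "() { :; }; echo probe"}}),
]


if __name__ == "__main__":
    for h in scan(LOG_LINES):
        print(h["src"], h["header"], repr(h["command"]), h["known_scanner"])
    print("hostile:", hostile_sources(LOG_LINES))
```

The regex deliberately allows any whitespace between "()" and "{", so both "() { :;}" and "() { :; }" are caught; a match on a header other than User-Agent or Host is the case worth looking at twice, because it is not one of the published scanners.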

November 02 2013

raistlin
14:37

The BadBIOS story and my comments

As I usually do when there's a developing story, here are some reflections and comments on the BadBIOS story.

If you don't know what I'm talking about, just do yourself a favor and start from here, which is as good a summary as any. You can also read a different summary, complete with many of the tweets by Dragos, here.

First things first: Dragos Ruiu is a friend, a trusted peer, and if he goes public with something so wild and difficult to believe, I completely trust that he has seen something. Like all humans, Dragos might be wrong, he might be overestimating things, or whatever, but I don't doubt for a minute that he has (what he thinks is) proof of what he says.

I completely agree with the analysis Robert Graham has done here and share most of his observations. What has been described is all technically possible, but the combination of everything in such an evil and nasty set of malware (more on this in a minute) would be completely unheard of. If anybody shrugs and says he's seen stuff like this before, please waterboard him until he says where.

I would like to share these useful observations on what a BIOS can and cannot do. However, I would respectfully disagree with the conclusion that what Dragos is seeing cannot be there. We know that malware and rootkits can be composed of multiple components, and the BIOS component might only be responsible for a few of the reported behaviors. We simply have to wait for more details and samples to be provided.

It should be noted that Igor Skochinsky, a well respected malware reverser, analyzed some samples provided and believes them to be malware free.

In conclusion: I completely respect and trust Dragos. I do believe he saw something complex that behaved mysteriously. I think we are still missing a lot of technical details, and I look forward to the release of malware samples, at least in the usual trusted communities for malware analysis.
Tags: BadBIOS

August 07 2013

raistlin
21:55

A quick summary on the "0-day against Tor" brouhaha

It was recently announced that "the FBI" had apparently used a "0-day" exploit against people using Tor, with subsequent explosions of comments from the usual privacy advocates.

While I'm all for privacy advocacy, at times we shouldn't let our preconceived notions get the better of us. So let's look at the available data here.

On Aug. 4th the Tor people were notified that something had gone awry. Hidden services from an organization called "Freedom Hosting" were unreachable and, apparently, someone had exploited the software used on them to deploy this malicious Javascript in the web pages it delivered to users. An advisory was released shortly thereafter.

Now, Freedom Hosting services include TorMail (a very secure anonymous email operation); hacking and fraud forums such as HackBB; money laundering operations; the Hidden Wiki (sort of a Dark Net wikipedia...); and virtually all of the most popular child pornography websites on the planet. A Freedom Hosting account cost a one-time fee of $5, offered unlimited space and bandwidth, an onion domain, PHP and MySQL support, FTP access, and even backups (!). A large number of hidden websites were hosted by Freedom Hosting, so it's easy to see how the "attack against Tor users" generalization was born.

By analyzing the code (see the excellent writeups here and here) we can observe a number of things.

First of all, this was an attack exploiting a known vulnerability in an older version of the Firefox JavaScript engine. Specifically, this older version was present in some versions of the Tor Browser Bundle (TBB). TBB includes Firefox plus some privacy patches.

For the sake of documentation, I will note that this was fixed in Firefox 17.0.7 ESR, and in TBB 2.3.25-10 (plus several of the alphas and the betas). Fixes were available for TBB since June 26th.

So whoever was affected after June 26th was affected because they hadn't patched their software; this was no zero-day by the time the attack came to light.

Additionally, the exploit was targeted to Windows users, while the Firefox vulnerability is cross-platform.

The payload connects to 65.222.202.54:80 and sends an HTTP request that includes the host name (obtained via gethostname()) and the MAC address of the local host (obtained by calling SendARP on gethostbyname()->h_addr_list). After that it cleans up its state and appears to crash deliberately.

So, what happened is that through compromising one or more hidden services, the unknown attacker collected at that IP address a list of the vulnerable users that accessed that/those services.
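Two checks follow directly from the above: whether a given TBB or Firefox ESR build predates the fix, and which internal hosts reached the collection address. Here is an added Python example of both; it is not code from the original post or from the Tor project. The fix versions (Firefox 17.0.7 ESR, TBB 2.3.25-10) and the address 65.222.202.54:80 are those stated in the post; the flow log and its format are constructed.

```python
import re

# Fix versions named in the post.
FIXED_IN = {"firefox-esr": "17.0.7", "tbb": "2.3.25-10"}
# Collection server the payload reports to, as stated in the post.
BEACON_IP = "65.222.202.54"
BEACON_PORT = 80


def version_key(version):
    """Numeric tuple for a version string: '17.0.6esr' -> (17, 0, 6),
    '2.3.25-10' -> (2, 3, 25, 10). A plain string comparison would put
    2.3.25-9 after 2.3.25-10, so every numeric field must compare as an int."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_patched(product, version):
    """True if `version` of `product` is at or above the fix version from the post."""
    return version_key(version) >= version_key(FIXED_IN[product])


def unpatched_from_user_agents(user_agents):
    """Pick out Firefox 17.0.x ESR builds below 17.0.7 from constructed UA strings.
    The 'rv:' token carries the Gecko version, which tracks the ESR release."""
    out = []
    for ua in user_agents:
        m = re.search(r"rv:(\d+\.\d+(?:\.\d+)?)", ua)
        if m and version_key(m.group(1))[:2] == (17, 0) \
                and not is_patched("firefox-esr", m.group(1)):
            out.append(m.group(1))
    return out


# Constructed flow log (not real data): timestamp src dst dport proto
FLOWS = """\
2013-08-04T21:10:03 10.1.1.20 65.222.202.54 80 tcp
2013-08-04T21:10:05 10.1.1.20 93.184.216.34 443 tcp
2013-08-04T21:11:40 10.1.1.31 65.222.202.54 80 tcp
2013-08-04T21:12:00 10.1.1.42 65.222.202.54 443 tcp
"""


def beacon_sources(text):
    """(src, dport) for every flow to the collection address. Port 80 is what
    the post describes; any other port to that IP is still worth a look."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, _proto = parts
        if dst == BEACON_IP:
            found.add((src, int(dport)))
    return sorted(found)


if __name__ == "__main__":
    for product, build in (("tbb", "2.3.25-9"), ("tbb", "2.3.25-10"),
                           ("firefox-esr", "17.0.6esr")):
        print(product, build, "patched" if is_patched(product, build) else "VULNERABLE")
    print(beacon_sources(FLOWS))
```

The version comparator is the part most often got wrong in a quick inventory script: "2.3.25-9" sorts after "2.3.25-10" as a string, so a naive check would report a vulnerable bundle as current.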

The payload does not open a backdoor or install other stuff, so this is very unlikely to be a black hat operation. It looks much more like a tracking mechanism, so it's not a bad guess that this is law enforcement or three-letter-agency activity. It actually sounds suspiciously like CIPAV, the FBI malware we know about from 2007.

The fact that 65.222.202.54 is in the Northern Virginia area, served by Verizon Business, only confirms this suspicion. Be aware that the suggestion that this IP is allocated to SAIC and previously in use by NSA turned out not to be correct.

Around the same time, a guy named Eric Marques was arrested and is awaiting extradition at the FBI's request for facilitating the exchange of child porn. There's no direct link so far, but it's easy to believe that Marques is the founder of Freedom Hosting and that these two operations are related. However, we may wish to be cautious in saying this is what happened.

Interestingly, a couple of years back Anonymous did take Freedom Hosting down for a few hours (Operation Darknet), under the lead of Sabu, back then an important member of Anonymous and afterwards disclosed as an FBI informant. Since his turning informant dates to August 2011 and the operation against Freedom Hosting to October, there has been speculation that this was the first FBI-led operation against the network. But this is really a wild shot in the dark.

We also shouldn't believe that child porn is such a large component of Tor traffic. The curious reader may wish to check some statistics on what is actually hosted on the Dark Net.

What is pretty funny, or sad, are the suggestions given to Tor users to avoid falling into a similar trap in the future. Besides the obvious "keep your software up to date", another suggestion from fairy-crypto-land is "disable Javascript" (try it on your own and let me know how many websites you are able to browse after that) - and also, while you are at it, "css, svg, XML"... Other suggestions included "randomize your MAC address" (I can see Windows users out there doing just that!), and "install various firewalls" (which in this case would have surely helped, right?).

Another suggestion was to use Tails, a live distribution of Linux with Tor and privacy software preinstalled. Which is precisely the best way to keep software up-to-date, right?

I think the Tor community should face, and have users face, the sad reality. It is impossible to safely use Tor to browse common websites without risking an attack of this kind (because it is basically impossible to use ordinary websites with Javascript-and-everything-else-disabled). This was terribly effective and used a month-old vulnerability. Just go figure what would happen with a zero-day. Also, while using Tails per se is a good suggestion (because in this way you compartmentalize privacy browsing from data and systems used in non-private browsing) this wouldn't really help in this scenario (except for the fact that this specific payload was Windows based, but there's no reason for that except the fact that a vast majority of the interesting subjects were using Windows).

If you have a real need to go anonymous, you need to implement good opsec, as my friend Grugq is demonstrating here (slides here).

April 15 2013

raistlin
12:12

AndroTotal is basically the Android equivalent of VirusTotal: Given a suspicious APK, it submits it to several unmodified Android antivirus apps running in an unmodified Android OS, and reports back to the caller with detailed information about what the antivirus detected, what network traffic is generated, what information is displayed on the screen and, most importantly, the label of the detected threats (if any).

Differently from VirusTotal, we scan the APKs using the original antivirus mobile apps installed and run on a genuine, unmodified Android OS image.

AndroTotal official blog
raistlin
12:11

AndroTotal - Home

A free service to scan APK (Android apps) for viruses

April 13 2013

raistlin
10:35

A comment on the "hacker attack" on beppegrillo.it

Since some American friends are asking, I thought I'd share a few comments on the purported hack attack on a political movement here in Italy (source in English).

First, a brief reconstruction of the events (and note I'm trying to stay clear of political nuances, which is costing me some effort). In a few days, the Italian parliament is set to vote for the elections of our next President. Italy is a parliamentary democracy, and the President is elected jointly by the houses of parliament and other representatives of the Regions. Since it's a 7-year mandate, this is a particularly important moment in the Italian system.

The political movement in question, Movimento 5 Stelle, launched a poll (not a vote, technically, as the vote takes place only as I mentioned before) among its members (not an open poll) to indicate "names" of personalities they should propose as next president. This is important, as it deflates the practical value of attacking such a system for any external threat (except politically motivated ones, for demonstration purposes). The names coming out of this poll would just be an "indication", for the MPs of the movement, of how to vote during the actual election. An indication because, of course, at some point they might have a choice between an agreement on other candidates or irrelevance (since a qualified majority is needed to elect the President).

Now, the facts we know are that:
1) the movement leader decided to stop the poll and start it over, due to a purported "hacker attack" which was "detected" and "solved".
2) the event was discovered by DNV (a certification entity, hired to ensure that the election process was not flawed). The certification body states an anomaly was discovered, namely that there were more votes than registered voters.
3) DNV is not in the business of information security, but of compliance. They discovered the event by analyzing the process and the data, and discovering implausible values.
4) Contrary to what was immediately said in 1), subsequent versions of the story talk of a "sophisticated intruder" that "hid their traces" and of an unidentified first moment of access.
5) The software was developed in house, is not open source, and the servers that host it are owned and managed by the PR agency that supports the leader of the movement (which is also, we believe, the author of the software, or has contracted the author).
6) A facebook group claimed the "attack" was just a matter of organized trolling, i.e. that they basically accessed the voting system without control due to a flaw in the process and in restricting access.

What is my personal opinion on this, founded on my experience?

I honestly don't know whether or not a willing attacker was behind this event (I take exception, in general, to calling that attacker "hacker", but this is another story). However, since the practical value of a hidden attack against such a system is close to zero (given that this is a poll completely under the control of the movement leadership, which can call it off at any time or mangle the results as they see fit), the only reasonable course for a politically motivated attacker would be to make the system fail visibly (say, a defacement). Since nothing like this happened, my opinion is that an attack from an external entity is very unlikely.

But regardless of this, my opinion is that, most likely, what happened was the result of badly designed and written software, built by less-than-competent people. Open-source polling software is available, tried and true, and could have been used. Honestly, this is not rocket science, either. Also, the voter registration process should be scrutinized, as it is probably part of the issue.

Finally, my opinion is that a poll managed and run by a PR agency working for the leader of a movement, on closed systems and with a software that has been specifically developed for this, has very little to do with any form of voting. The sheer fact that they needed to hire a certification body (DNV) to give some proof that the process was not flawed (resulting in the boomerang of having to admit it was) is a demonstration of a basic flaw.

The movement under discussion hosts a number of technically savvy people who could easily form a committee to manage and run a neutral technology platform for this kind of polling, or for internal debate. The fact that this does not happen, alone, casts serious doubt on anything that is done "online" with a closed platform.

The core issue here, and I'm really trying hard to stay clear of any political comment, is that this movement is confusing online polling with real e-voting, and a blog with its comments with e-democracy. E-voting, and the transformation of democracy into a more evolved form through the adequate use of technology, is difficult; it cannot be realized in-house with closed processes by a bunch of incompetent folks who cannot even build a functional polling system.

E-voting, or e-democracy, entails deeply complex research issues such as voter/citizen identification, guaranteeing vote secrecy, guaranteeing anonymity while ensuring authentication, crowdsourcing the management of online discussions, the possibility of open scrutiny of the process by voters and third parties... This is difficult, friends, more difficult than you can possibly believe. There are only a few handfuls of experts around the world who know how to do this, and surely they don't work for a marginal PR company in Italy.

The obvious snake oil sign here is the classical statement "Well, no system can be 100% secure". That's obviously true. But some system can be immediately identified as incredibly stupid, or at very least terribly boorish.