Saturday, March 14, 2015

Your files are encrypted!!! Pay the Ransom!!

Ransomware - Pay or lose all your files.

Ransomware - Malware that encrypts the files on a system and demands that a ransom be paid within some "estimated" time in exchange for the decryption key.

Ransomware reaches victims by email or through botnets. The malware is sent as an attachment in an email or delivered as a "drive-by download" from a malicious website.
Once the malware is downloaded onto the system, it installs itself in the background. It then creates a "system id" by hashing the system's configuration parameters, so that the id is unique to each system the malware infects. Next it tries to connect to a "C&C server" controlled by the attacker or the malware's author. It sends the "system id" to the C&C, which in turn creates a public/private key pair for that system and saves it on the server. The public key is sent back to the malware on the infected system.
The malware uses the public key to encrypt all the files on the system (those with .pdf, .jpg and .doc extensions). Once the encryption is done, the malware shows an alert that says "All the files are encrypted" and that the ransom has to be paid within the stated time, or else the decryption key saved on the remote server will be deleted and all the files will be lost forever.
If other systems are connected to the infected system, the whole infrastructure can be compromised and encrypted.

Once the system is compromised, there is no way to get the files back other than obtaining the decryption key.
Over time, malware has evolved along with anti-virus and anti-malware protections. Ransomware has been refined to stay hidden and to be country-specific, target-specific, and so on.
The most commonly known ransomware families are CryptoLocker, CryptoWall and CTB.
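The description above says the malware encrypts files with .pdf, .jpg and .doc extensions. That gives a defender a cheap host-side check: genuine files of those types start with fixed magic bytes, while ciphertext has no such header and its bytes are close to uniformly random. The script below is an added example written for this post (it is not code from any ransomware sample or vendor tool). It walks a directory and flags files whose extension promises a known format but whose header is missing and whose byte entropy is near 8 bits. The sample directory it builds is constructed for the demo, and the 7.5-bit threshold is an assumption chosen for that sample.

```python
import math
import os
import tempfile
from collections import Counter

# Magic bytes a genuine file of each extension normally begins with.
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0",  # OLE2 compound document header
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random data sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """Flag a file whose extension claims a known format but whose header is
    missing and whose first 4 KiB is near-random (threshold is an assumption)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as f:
        data = f.read(4096)
    header_ok = data.startswith(MAGIC[ext])
    return (not header_ok) and shannon_entropy(data) >= threshold


def scan_tree(root: str) -> list:
    """Return the relative paths under root that look like encrypted documents."""
    suspicious = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if looks_encrypted(p):
                suspicious.append(os.path.relpath(p, root))
    return sorted(suspicious)


def build_demo_tree() -> str:
    """Constructed sample data: one intact file per type, plus one file per
    type whose body is random bytes standing in for ciphertext."""
    root = tempfile.mkdtemp(prefix="rw_demo_")
    intact = {
        "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20,
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 2000,
        "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Quarterly notes. " * 100,
    }
    for name, body in intact.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    for name in ("report2.pdf", "photo2.jpg", "memo2.doc"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(os.urandom(4096))  # stands in for an encrypted file
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("suspicious:", scan_tree(demo))
```

On the constructed tree the three random-bodied files are reported and the three intact ones are not. A compressed or already-encrypted archive would also score high on entropy, so in practice the header mismatch is what keeps the false-positive rate down.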

More on specifics of malware analysis and detection in the next post!

In security, whatever is trending soon becomes obsolete!!!!

Friday, October 10, 2014

Nmap - Get it on!

Nmap - What is it and how to make the best of it?

Nmap is the network mapper: it discovers the hosts and devices on the network it is pointed at, and so maps the whole network.
Let's not jump into the details of installation, as that is not the information everyone is looking for. Some of you might already have it on your system but not be using it. So here are some details on the information it can provide us with.

Scan your own host to determine its open ports and connections:

nmap -sV -p 1-65535 localhost/24

Here -sV gets the version of the service running on each open port,
-p specifies the port numbers to be scanned, and
localhost is the target to be probed. (/24 means the first 3 octets identify the network and the remaining octet is left for the other hosts on that network.) This way you can scan multiple hosts at the same time.

It will return a list of open ports and the service running on each of them.
Some basics you need to know to understand nmap:
1. nmap establishes a 3-way TCP handshake with the "host", as any other client would do.
       Different ports and the services that should be noted:
                    port 80   - web server
                         81   - firewall (this drops all the packets that could potentially harm the server)
   Any connection to a web server passes through the firewall (80). Closed ports mean that no service is running on those ports.

2. The host specified can be either an IP address or a URL.
3. nmap probes every port on the target host to determine what service is listening there.
                 Open port - the service/port is open to public connections and accepts any TCP/UDP client connection.
                 Closed port - the port is not providing any service or application, but it can still be probed for other information about the OS or server.
                 Filtered port - these ports cannot provide any information, because a firewall/router drops the packets sent to them.
                 Open|filtered - the probe cannot determine the state of the port. The port gives no response, which means a firewall may simply be dropping the packets sent to it.

4. nmap -A google.com
     Gets you the OS detection of the target server.
5. nmap -iL textfile.txt
     Reads the list of targets from the text file.
6. nmap -sA target.com
     Tells you whether the target server is protected by a firewall.
     If such a firewall exists, then use nmap -PN target.com to scan the network. How is this different from the normal scan?
   
Almost any information associated with the ports, the server OS and the services attached to the ports can be obtained without any credentials.
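The port states listed above are what nmap reports for every port it probes, and on a /24 scan that is a lot of lines to read by eye. As an added example (written for this post, not part of nmap or of the original text), the parser below reads nmap's grepable output (the -oG format, whose "Ports:" entries are laid out as port/state/protocol/owner/service/rpc/version), tallies the port states, and pulls out the open services matching a keyword, which is how a security assessment would list, say, database listeners reachable on the network. The scan lines fed to it are constructed sample data, not a real scan result.

```python
from collections import Counter

# Constructed sample of nmap grepable (-oG) output for two hosts. Field order in
# each "Ports:" entry: port/state/protocol/owner/service/rpc/version.
SAMPLE_GREPABLE = (
    "# Nmap 6.47 scan initiated as: nmap -sV -p 1-65535 -oG - 192.168.56.0/24\n"
    "Host: 192.168.56.10 ()\tStatus: Up\n"
    "Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, "
    "80/open/tcp//http//Apache httpd 2.4.7/, 81/filtered/tcp//hosts2-ns///, "
    "1433/closed/tcp//ms-sql-s///\n"
    "Host: 192.168.56.20 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.5.40/, "
    "8080/open|filtered/tcp//http-proxy///\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)


def parse_grepable(text: str) -> dict:
    """Return {host_ip: [{port, state, proto, service, version}, ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        head, ports_field = line.split("Ports:", 1)
        ip = head.split()[1]
        # Anything after a tab (e.g. "Ignored State:") is not part of the port list.
        ports_field = ports_field.split("\t")[0].strip().rstrip(",")
        entries = hosts.setdefault(ip, [])
        for item in ports_field.split(", "):
            fields = item.split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            entries.append({
                "port": int(fields[0]),
                "state": fields[1],
                "proto": fields[2],
                "service": fields[4],
                "version": fields[6],
            })
    return hosts


def state_summary(hosts: dict) -> Counter:
    """How many ports were seen in each state (open, closed, filtered, open|filtered)."""
    return Counter(e["state"] for entries in hosts.values() for e in entries)


def exposed_services(hosts: dict, keyword: str) -> list:
    """(ip, port, version) for ports that are definitely open (not open|filtered)
    and whose service name contains keyword."""
    hits = []
    for ip, entries in hosts.items():
        for e in entries:
            if e["state"] == "open" and keyword in e["service"]:
                hits.append((ip, e["port"], e["version"]))
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    print(dict(state_summary(parsed)))
    print("sql listeners:", exposed_services(parsed, "sql"))
```

Note that 1433/ms-sql-s on the first host is reported closed, so it does not appear in the "sql" listing even though the service name matches: the state field, not the service name, is what says whether anything is reachable.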

Nmap - SQL access:
We can do a whole lot more with Nmap to get information about SQL server/database access. We can pass additional scripts along with the nmap command on the port (-p):
                   "ms-sql-info" - Get database information
                   "ms-sql-brute" - Run brute-force attacks to check for weak credentials in the database
                   "ms-sql-empty-password" - Check whether the database has an empty password set for any table/user. Once we know which user has no password set, we can try to find the databases or privileges that user has been granted.
                   "ms-sql-hasdbaccess.nse --script-args mysql.username=" - Check the database access granted to the user.
                   "ms-sql-tables --script-args mysql.username=" - Gives the table names and description in each database accessible to the user.
                 
Any details obtained from these scripts could reveal the entire infrastructure and any credentials associated with it. If an empty password is set for any user in the database schema, it could expose the whole table schema, which is very scary and harmful.
There are a whole lot of customized scripts that can pull the password hashes from the server, thus giving any outsider direct access to it.

All of this information on Nmap/MySQL access probes is provided so that security assessments can be made. Don't try to hack into anyone's server. Use it productively.

Remember, every code is breakable. That doesn't mean you have to be the black hat hacker!!!!!!!

More exploits coming soon...
Tuesday, March 4, 2014

"THE MASK" - Real data breach threat.


The MASK - the most sophisticated (and frightening) attack to date!

When we say "data breach" these past months, we think of Target, Neiman Marcus and other typical public-facing businesses. But there has been a major threat that has gone after a nation's most classified data, research interests, financial settlements and highly valued data within government offices, diplomatic missions, educational institutions, etc. The irony is that this attack stayed under the radar, "invisible", for almost 6 years in almost every country and system possible.


What is the MASK?

  • The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007 and was found only by the end of 2013. It is thought to be a Spanish group because of the word "Careto" used in some of the modules.
  • Has infected 31 countries and 1000+ IPs worldwide.
  • The most advanced threat at the current time.
  • Suspected to be a nation-state attack, because it is sophisticated and highly organized.

Targets of the attack:

    Once the malware is active in the system, it collects a list of documents from the infected system, including encryption keys, VPN configurations and SSH keys. Some of these files are related to custom military/government-level encryption tools.

  • *.AKF,*.ASC,*.AXX,*.CFD,*.CFE,*.CRT,*.DOC,*.DOCX,*.EML,*.ENC,*.GMG,*.GPG,*.HSE,*.KEY,*.M15,*.M2F,*.M2O,*.M2R,*.MLS,*.OCFS,*.OCU,*.ODS,*.ODT,*.OVPN,*.P7C,*.P7M,*.P7Z,*.PAB,*.PDF,*.PGP,*.PKR,*.PPK,*.PSW,*.PXL,*.RDP,*.RTF,*.SDC,*.SDW,*.SKR,*.SSH,*.SXC,*.SXW,*.VSD,*.WAB,*.WPD,*.WPS,*.WRD,*.XLS,*.XLSX
  • Targets: government institutions, diplomatic offices, energy and gas companies, research institutions.
Detection: extremely difficult because of the stealth capabilities. The malware changes when downloaded to new systems, so its signature is never the same.
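Signatures are of little use when the binary changes on every system, but the list of file types above is a behaviour the malware cannot hide: whatever it looks like, it has to open key files, VPN configs and documents. As an added example (written for this post; it is not a Kaspersky detection or any part of the original text), the script below runs over constructed file-access audit lines of the form "timestamp pid process action path" and flags any process that reads several distinct targeted file types, or more than one kind of key material. The log lines, process names and thresholds are all constructed for the demo.

```python
from collections import defaultdict

# The file types the post lists as harvested by The Mask (lower-cased extensions).
HARVESTED_EXTENSIONS = {
    "akf", "asc", "axx", "cfd", "cfe", "crt", "doc", "docx", "eml", "enc", "gmg",
    "gpg", "hse", "key", "m15", "m2f", "m2o", "m2r", "mls", "ocfs", "ocu", "ods",
    "odt", "ovpn", "p7c", "p7m", "p7z", "pab", "pdf", "pgp", "pkr", "ppk", "psw",
    "pxl", "rdp", "rtf", "sdc", "sdw", "skr", "ssh", "sxc", "sxw", "vsd", "wab",
    "wpd", "wps", "wrd", "xls", "xlsx",
}

# Subset that normally holds credentials or private keys (selection is an assumption).
KEY_MATERIAL = {"key", "ppk", "gpg", "pgp", "ovpn", "ssh", "skr", "pkr", "rdp", "psw"}

# Constructed file-access audit log: timestamp pid process action path.
AUDIT_LOG = r"""
2014-02-10T09:12:03 1234 winword.exe read C:\Users\ana\Docs\budget.docx
2014-02-10T09:12:09 1234 winword.exe read C:\Users\ana\Docs\notes.doc
2014-02-10T09:13:40 2210 updater.tmp read C:\Users\ana\.ssh\id_rsa.ppk
2014-02-10T09:13:41 2210 updater.tmp read C:\Users\ana\vpn\office.ovpn
2014-02-10T09:13:41 2210 updater.tmp read C:\Users\ana\gnupg\secring.gpg
2014-02-10T09:13:42 2210 updater.tmp read C:\Users\ana\Docs\budget.docx
2014-02-10T09:13:43 2210 updater.tmp read C:\Users\ana\Docs\contract.pdf
2014-02-10T09:14:00 3100 explorer.exe read C:\Users\ana\Pictures\cat.jpg
2014-02-10T09:15:12 4002 putty.exe read C:\Users\ana\.ssh\id_rsa.ppk
"""


def parse_audit(text: str) -> list:
    """Split each audit line into a record with the file extension extracted."""
    records = []
    for line in text.strip().splitlines():
        ts, pid, proc, action, path = line.split(None, 4)
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        records.append({"ts": ts, "pid": int(pid), "process": proc,
                        "action": action, "path": path, "ext": ext})
    return records


def harvested_exts_by_process(records: list) -> dict:
    """{(pid, process): set of targeted extensions that process touched}."""
    seen = defaultdict(set)
    for r in records:
        if r["ext"] in HARVESTED_EXTENSIONS:
            seen[(r["pid"], r["process"])].add(r["ext"])
    return seen


def flag_harvesters(records: list, min_distinct: int = 3) -> list:
    """Flag a process that reads at least min_distinct targeted file types, or
    at least two different kinds of key material. Returns sorted
    (pid, process, [extensions]) tuples."""
    flagged = []
    for (pid, proc), exts in harvested_exts_by_process(records).items():
        if len(exts) >= min_distinct or len(exts & KEY_MATERIAL) >= 2:
            flagged.append((pid, proc, sorted(exts)))
    return sorted(flagged)


if __name__ == "__main__":
    for hit in flag_harvesters(parse_audit(AUDIT_LOG)):
        print("possible document harvester:", hit)
```

In the sample, winword.exe reading .doc and .docx and putty.exe reading a single .ppk are normal and stay below the threshold; the unknown updater.tmp reading an SSH key, a VPN config, a GPG keyring and two documents within a few seconds is the pattern worth an analyst's time.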

Infection:

    It uses multiple vectors:

- phishing emails

- exploiting an old Adobe Flash Player vulnerability (first used to break the Chrome sandbox)

- prompting the user for a Java update / Chrome plugin

- subdomains of genuine websites; Guardian links were used in the malware

The malware uses two packages to spread through all the connected systems: Careto and SGH.

Careto is a general-purpose backdoor that collects all the information and executes arbitrary code sent by the remote C&C servers. SGH works primarily in the kernel and maintains its own connection to the C&C.

Files from these packages are signed with a certificate so that they appear "valid".

Each works standalone without the other.

What does it do?

Once active, the Mask can intercept network traffic and keystrokes, intercept Skype conversations, analyse WiFi traffic, fetch all information from Nokia/Android devices, capture the screen and monitor all file operations.
It collects large chunks of data from the victim, including encryption keys, VPN configurations, SSH keys and so on.

Complexity: an extremely sophisticated piece of malware, with a rootkit, a bootkit, Windows, Mac OS X and Linux versions, and possibly versions for Android and iPad/iPhone (iOS).

A customized attack on old Kaspersky Lab products let it hide in the system, "invisible". This is the step where Kaspersky got alerted that someone was exploiting their vulnerability, and eventually discovered this malware.

It supports plug-ins, configuration files and built-in functionalities, and any additional modules can be uploaded.

Stealth and platform independence:

         The digital signature is given as issued by a fake "Techsystem" company.

Careto conquest:

[Image: sample Careto code; the string "Careto ..." is readable while all the other modules are "encrypted".]

[Image: Careto - map of conquest.]

Tuesday, December 3, 2013

How do communication protocols exchange streams of data?

Three Way Handshake :

TCP/IP is the set of communication protocols used to connect hosts across the internet. Every OS on the market comes with a built-in TCP stack. Without the kernel's TCP networking, no data exchange can happen between devices, be they mobile devices, laptops, desktops or any other network hardware.
Among the 4 layers in the suite, the transport layer takes responsibility for transmission, error detection, recovery, reliability and session control.



How does the data transmission really take place?
Blocks of data are sent through the transport layer. Each segment of a message sent from the machine carries a checksum, which is used to check whether the data is correct at the receiver's end. If the data received at the destination is undamaged, an acknowledgement is sent back to the sender; otherwise the receiver discards the segment, and the sender retransmits every segment for which no positive acknowledgement has been received.
This is the frame for a 3-way handshake: three distinct segments are exchanged between the hosts for a reliable TCP session to be established.


Event diagram:
Host A sends SYN to Host B.
Host B receives A's SYN.
Host B sends an acknowledgement, SYN-ACK, to Host A.
Host A receives B's SYN-ACK.
Host A sends an acknowledgement, ACK, to Host B.
Host B receives A's ACK.
The TCP socket connection is ESTABLISHED.
[Figure: TCP three-way handshake (SYN, SYN-ACK, ACK)]

Steps in the handshake:

Machine A sends a SYN signal to initiate the connection to the target machine B. (Shake 1)
SYN - synchronize sequence number. It is just the sequence number A starts the segment with.
Machine B acknowledges the communication with a SYN-ACK signal. It responds with the sequence number it will start with. (Shake 2)
Machine A, after receiving the acknowledgement from B, checks the SYN number from B and acknowledges B's initial sequence number. A sends the final ACK signal and starts transferring data in segments. (Shake 3)

That's why this is called a 3-way handshake (SYN, SYN-ACK, ACK).

TCP/IP is the de-facto standard for transmitting data over internet.
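To make the three shakes and the sequence-number bookkeeping concrete, here is an added example (written for this post; it is not part of any OS's TCP stack and is not from the original text) that models both endpoints as small state machines and runs the exchange between them. The initial sequence numbers 1000 and 5000 are arbitrary constructed values; real stacks pick them unpredictably. The model also shows what the post's "checks the SYN number from B" step means in practice: a SYN-ACK whose ack number does not cover A's SYN is rejected with a RST instead of completing the connection.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Segment:
    src: str
    dst: str
    flags: Set[str]
    seq: int
    ack: int = 0

    def __str__(self) -> str:
        f = "+".join(sorted(self.flags))
        return f"{self.src} -> {self.dst} [{f}] seq={self.seq} ack={self.ack}"


class Endpoint:
    """One side of a TCP connection, tracking only what the handshake needs."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.isn = isn          # initial sequence number
        self.state = "CLOSED"
        self.snd_nxt = isn      # next sequence number we will send
        self.rcv_nxt = None     # next sequence number we expect from the peer

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self, peer: str) -> Segment:
        """Shake 1: send SYN carrying our ISN. The SYN itself consumes one sequence number."""
        self.state = "SYN-SENT"
        seg = Segment(self.name, peer, {"SYN"}, self.snd_nxt)
        self.snd_nxt += 1
        return seg

    def receive(self, seg: Segment) -> Optional[Segment]:
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Shake 2: record the peer's ISN and answer with our ISN plus its acknowledgement.
            self.rcv_nxt = seg.seq + 1
            self.state = "SYN-RECEIVED"
            reply = Segment(self.name, seg.src, {"SYN", "ACK"}, self.snd_nxt, self.rcv_nxt)
            self.snd_nxt += 1
            return reply
        if self.state == "SYN-SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:
                # The ACK does not cover our SYN: reject with RST (seq = offending ack).
                return Segment(self.name, seg.src, {"RST"}, seg.ack)
            # Shake 3: acknowledge the peer's ISN and go ESTABLISHED.
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(self.name, seg.src, {"ACK"}, self.snd_nxt, self.rcv_nxt)
        if self.state == "SYN-RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack == self.snd_nxt and seg.seq == self.rcv_nxt:
                self.state = "ESTABLISHED"
            return None
        return None


def handshake(isn_a: int = 1000, isn_b: int = 5000):
    """Run the three shakes between A (client) and B (server).
    Returns (list of segments on the wire, A's state, B's state)."""
    a, b = Endpoint("A", isn_a), Endpoint("B", isn_b)
    b.listen()
    trace = []
    seg = a.connect("B")
    while seg is not None:
        trace.append(seg)
        receiver = b if seg.dst == "B" else a
        seg = receiver.receive(seg)
    return trace, a.state, b.state


def bad_synack_is_reset(isn_a: int = 1000, isn_b: int = 5000) -> bool:
    """A SYN-ACK whose ack number does not match A's SYN is answered with RST
    and A stays in SYN-SENT."""
    a = Endpoint("A", isn_a)
    a.connect("B")
    bogus = Segment("B", "A", {"SYN", "ACK"}, isn_b, isn_a + 7)
    reply = a.receive(bogus)
    return reply is not None and reply.flags == {"RST"} and a.state == "SYN-SENT"


if __name__ == "__main__":
    segments, state_a, state_b = handshake()
    for s in segments:
        print(s)
    print("A:", state_a, " B:", state_b)
```

Reading the trace: B's SYN-ACK carries ack=1001 (A's ISN plus one, because the SYN used a sequence number), and A's final ACK carries ack=5001 for the same reason. Until that final ACK arrives, B sits in SYN-RECEIVED with state allocated for a connection that may never complete, which is why servers cap the number of such half-open connections.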


Wednesday, November 13, 2013

Pakistan Hijacked Youtube - Prefix Hijack

Even a single bogus route announcement can destabilize a network!

Everyone remembers the time in 2008 when the Pakistan government ordered YouTube to be officially blocked in Pakistan. In response, Pakistan Telecom blocked YouTube using the very old prefix-hijack technique, which resulted in YouTube being blocked.

How did this happen?

Pakistan Telecom tried to block YouTube in its homeland by advertising an unauthorized prefix route to its upstream providers. This newly advertised prefix (208.65.153.0/24) is more specific than YouTube's own route (208.65.152.0/22), and routers prefer the longest matching prefix. The country's upstream providers relayed it to the rest of the internet, rerouting all of YouTube's traffic to Pakistan Telecom and thus blocking YouTube for its users worldwide.
Within 2 minutes of the first relay of the bad route, almost all the world's providers carried it.
YouTube raised the alert that its /24 prefix had been hijacked.
All the providers started dropping the erroneous route, and YouTube announced the /25 prefix, thus getting its service back to its users.

It is at times like this that the term BGP comes back into the limelight. BGP - Border Gateway Protocol - is used to exchange routing information within and between autonomous systems (Google, Bank of America, Samsung, etc.).
This attack illustrates a phenomenon: "Even when a router announces seriously bogus information, it will continue to announce the same bogus information for the duration of its attack".
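The whole incident comes down to longest-prefix matching, and the /25 counter-announcement only makes sense once you see the lookup change. The code below is an added example written for this post (not part of any router software or of the original text): a toy routing table that keeps one origin per prefix, a lookup that picks the most specific covering prefix, and a replay of the route changes described above for one address inside the hijacked /24. The address 208.65.153.10 is constructed for the example; the origins are named rather than given AS numbers. The helper covering_from_other_origin shows the check a route monitor would run before accepting a new announcement: does it punch a hole in a less specific prefix that somebody else originates?

```python
import ipaddress


class Rib:
    """Toy routing table: each announced prefix maps to the origin that announced it."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix: str, origin: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = origin

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr: str):
        """Longest-prefix match: the most specific covering prefix wins."""
        a = ipaddress.ip_address(addr)
        covering = [n for n in self.routes if a in n]
        if not covering:
            return None
        best = max(covering, key=lambda n: n.prefixlen)
        return (str(best), self.routes[best])

    def covering_from_other_origin(self, prefix: str, origin: str) -> list:
        """Less specific prefixes already in the table, from a different origin,
        that the new announcement would override: a hijack warning sign."""
        new = ipaddress.ip_network(prefix)
        return sorted(
            str(n) for n, o in self.routes.items()
            if o != origin and n.prefixlen < new.prefixlen and new.subnet_of(n)
        )


def replay_youtube_2008(victim: str = "208.65.153.10"):
    """Replay the route changes from the post for one address in the hijacked /24.
    Returns (timeline of (event, lookup result), warnings raised before the bogus /24)."""
    rib = Rib()
    timeline = []

    rib.announce("208.65.152.0/22", "YouTube")
    timeline.append(("youtube /22 only", rib.lookup(victim)))

    # What a monitor would flag before the bogus /24 is accepted.
    warnings = rib.covering_from_other_origin("208.65.153.0/24", "Pakistan Telecom")

    rib.announce("208.65.153.0/24", "Pakistan Telecom")
    timeline.append(("bogus /24 injected", rib.lookup(victim)))

    # YouTube answers with two /25s, which are more specific than the /24.
    rib.announce("208.65.153.0/25", "YouTube")
    rib.announce("208.65.153.128/25", "YouTube")
    timeline.append(("youtube /25s announced", rib.lookup(victim)))

    rib.withdraw("208.65.153.0/24")
    timeline.append(("bogus /24 withdrawn", rib.lookup(victim)))
    return timeline, warnings


if __name__ == "__main__":
    events, warned = replay_youtube_2008()
    print("warning: new /24 overrides", warned)
    for event, result in events:
        print(f"{event:24s} -> {result}")
```

The lookup flips to Pakistan Telecom the moment the /24 is in the table, and flips back as soon as YouTube's /25s are present, before the bogus /24 is withdrawn at all. That is the mechanism behind the "/25 prefix" line above: the victim out-specifies the hijacker rather than waiting for everyone to drop the bad route.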


Wednesday, November 6, 2013

ASSEMBLER - X86


Assembler - turns assembly instructions into machine-code instructions.

When the assembly instructions are fed into the assembler, the named 'variables' are hard-coded as memory addresses and 'label' variables as code addresses. Some parts of the program source are always lost when an assembler is used, which is inevitable.


MASM - Microsoft Assembler (Macro Assembler)

  • Used by Microsoft for the low-level parts of its operating systems.
  • Used for Intel cores.
  • It is not portable, which is its disadvantage on other platforms.
TASM - Turbo Assembler
  • Developed by Borland and used in integration with Borland's software development tools.
  • This assembler is not free.
NASM - Netwide Assembler
  • Free, portable and retargetable.
  • Can be used on both Linux and Windows systems.
  • Not as mature as TASM and MASM, but definitely user-friendly.
FASM - Flat Assembler
  • Fast, self-assembling, open-source (x86) assembler.
AT&T Syntax
  • AT&T syntax is different from Intel syntax, but it is what GAS (GNU Assembler) uses, mainly distributed on Unix and Unix-based systems.
  • GAS is specifically designed to be used as the back-end of the GCC (GNU Compiler Collection) package.
  • Because GCC always feeds it syntactically correct code, GAS often has minimal error checking.
  • GAS can be switched to Intel syntax with the directive ".intel_syntax noprefix".
  • GAS is automatically installed with the GCC or GNU binutils distribution package.
                              

HLA - High Level Assembler
  • An assembler with high-level syntax.
  • HLA acts as a front-end to other assemblers such as FASM, MASM, NASM and GAS, so the programmer must have another assembler installed to assemble programs with HLA.
  • HLA comes with a comprehensive standard library.
  • HLA syntax is very easy and closely resembles C.
      Example of HLA code:

            mov(src, dest);                          // HLA writes operands as (source, destination)
            pop(eax);
            push(ebp);
            for(mov(0, ecx); ecx < 10; inc(ecx)) do  // C-style loop, counter in ecx
                    mul(ecx);                        // edx:eax := eax * ecx
            endfor;



Friday, October 25, 2013

Binary Bomb!!!! BOOMMM!!!!

BINARY BOMB - A BOOM at each phase!

A "binary bomb" is a Linux executable C program that consists of six "phases". Each phase expects the user to enter a particular string on stdin. If the user enters the expected string, then that phase is "defused". Otherwise the bomb "explodes" by printing "BOOM!!!".
The goal is to defuse as many phases as possible without letting the bomb explode.



Each bomb phase tests a different aspect of machine language programs:
  Phase 1: string comparison
  Phase 2: loops
  Phase 3: conditionals/switches
  Phase 4: recursive calls and the stack discipline
  Phase 5: pointers
  Phase 6: linked lists/pointers/structs

There is also a "secret phase" that only appears if students append a certain string to the solution to Phase 4. 

Each user gets a unique bomb that they must solve themselves. The unique solution to each bomb is available to the instructor.

Catch the source code at Binary Labs: CMU Binary Bomb