Archive

2013's Blog Archive - A collection of all blog posts from the year 2013.

Archive 2013

Last modified 2013/01/03 by Flo

Here you will find my posts from 2013, tl;dr.


Ephemeral Diskless Malware

2013/11/24 by Flo

The guys at FireEye reported another diskless, ephemeral piece of malware. This in-memory malware used a new IE zero-day exploit that was injected into an important website on national and international security policy in order to infect its visitors by drive-by download. The attackers loaded the intended malware payload directly into memory without writing it to disk, so a successful attack is hard to detect and hard to analyze afterwards. It seems that the attackers were sure that their victims would visit the infected website repeatedly, so the malware is guaranteed to run again in some fashion.

For more details check out Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method

As I said in a blog post back in 2012, I think we will see more such attacks in the future with regard to always-on computing as featured by smartphones and tablet PCs. In such environments there is no need to install malware on a target's machine anymore; just let the malware live in memory without leaving traces on the disk. Because such systems will not be rebooted for a long time, such diskless ephemeral malware is able to spy for weeks and months. A lot of interesting and valuable information can be collected even in just a few days. Just think about a simple key- or screenlogger and then think about all the information one could gather from you...


Brainpool Curves For OpenSSL

2013/10/24 by Flo

I have updated my collection of OpenSSL-ready brainpool curves and added some more curves to the ZIP file, so you can make use of them in OpenSSL. Since the NIST elliptic curves are not trustworthy anymore, I highly recommend not using the NIST curves and making use of the brainpool curves instead. Just to get you started, I show you some basic things you and OpenSSL can do with these curves.

To generate a key out of a given brainpool curve enter:

openssl ecparam -inform DER -in brainpoolP256r1.der -out brainpoolP256r1.key.pem -genkey

openssl ec -in brainpoolP256r1.key.pem -pubout -out brainpoolP256r1.public.key.pem

You can generate an elliptic curve based certificate with the following command:

openssl req -new -x509 -sha256 -days 356 -key brainpoolP256r1.key.pem -out ca.crt

openssl x509 -in ca.crt -text

To sign and verify messages with a given elliptic curve, just enter one of these:

sign with private key:

openssl dgst -ecdsa-with-SHA1 -sign brainpoolP256r1.key.pem -out file.txt.ecdsa-with-sha1 file.txt

verify with private key:

openssl dgst -ecdsa-with-SHA1 -prverify brainpoolP256r1.key.pem -signature file.txt.ecdsa-with-sha1 file.txt

verify with public key:

openssl dgst -ecdsa-with-SHA1 -verify brainpoolP256r1.public.key.pem -signature file.txt.ecdsa-with-sha1 file.txt

If you have any questions or need help or assistance, feel free to fire off an e-mail.


MZWriteScanner - Monitor Your PC Against Malware

2013/10/07 (updated 2013/10/20) by Flo

Thinking about different approaches to monitor malware while it installs its evil code on your machine, I ended up with a monitoring minifilter driver that might help you analyze potential zero-days and other malicious stuff on your forensics machine.

MZWriteScanner is a simple minifilter that intercepts IRP_MJ_CREATE, IRP_MJ_CLEANUP and IRP_MJ_WRITE (and some others) to track which files are about to be (and will be) written to your disk. The driver checks whether a file contains the magic bytes of an executable, namely the string 'MZ'/'ZM' at offset 0 of the file. If so, MZWriteScanner outputs the filename via DbgPrint and writes the path and filename to %SystemRoot%\mzwritescanner.log. Well, the approach seems a bit cheesy at first sight, but it should work for many malware executables that hit your machine through drive-by exploit kits.

Since version 2.1 the driver needs a configuration file at %SystemRoot%\mzwritescanner.ini, in which you can enable the so-called lethal mode, which lets you deny execution of newly written executable files, and whitelist paths or files that are allowed to receive newly written executables without blocking them. The latter might be helpful in automated scenarios where you want to allow updates of system executables (e.g. the executables of patches, updates etc.) or anti-virus tools. But be careful with what you whitelist, because whitelisting the wrong path or file might open the door for potential malware -- keep that in mind!

The whitelist in %SystemRoot%\mzwritescanner.ini *must* be in Unicode file format and must contain at least one line enabling or disabling the blocking mode:

[LETHAL]

to enable it, or

[#LETHAL]

to disable it.

If you would like to whitelist some paths or files, just add their path and/or name on a line of its own, followed by an asterisk (*) before the line break. See the following example:

[LETHAL]
whitelist*
\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Definition Updates\*
\Device\HarddiskVolume2\Windows\SoftwareDistribution\Download\*
\Device\HarddiskVolume2\Users\XXX\Desktop\Dbgview.exe*
\Device\HarddiskVolume2\Windows\System32\Drivers\Dbgv.sys*

To install the driver, just go into the binaries path for your version of Windows (Windows x86/x64 Vista, 7 and 8). Then right-click the .inf file and choose "Install". Then run one of the cmd scripts to start, stop, restart or uninstall the driver. Do not forget to fire up DbgView to peek at the messages the driver prints out. Make sure to disable driver signature enforcement on 64-bit versions of Windows, because the driver is not signed yet.

The driver is for educational and test purposes only. It might contain bugs that lead to system crashes and other damage to your system. Use the driver at your own risk and only try it in a non-production environment. I am not responsible nor liable for any damage caused by using the driver. The target audience for MZWriteScanner are Windows enthusiasts (IT forensics guys and hackers).

You can download the whole package here: MZWriteScanner.zip


Checking out my access logs...

2013/08/12 by Flo

Checking out my access logs is usually boring, but sometimes it really gets funny, as you can see here:

(image: access log)


Code-Review on Tuersteher Light

2013/07/27 by Flo

Having some performance issues and other problems running Tuersteher Light on Windows 8.1 (preview), we decided to review the whole source code of Tuersteher Light. We also decided to add a blacklist feature to the core and enabled better logging. You are now able to white- or blacklist files and paths, log the names of such items to a file and, if enabled, fully log a blocked executable's binary blob. This might help to trace some transient malware that deletes itself after execution etc.


You can download the x86 32-bit version of Tuersteher Light here: tuersteher_light.zip

Due to a missing driver code-signing certificate we decided not to publish any x64 drivers here. If you are interested in an x64 version of Tuersteher Light, just send us an e-mail request. We will then send you an x64 version including a detailed description on how to install and use the driver in your environment.


Monitoring your driver with DbgView

2013/07/01 by Flo

DebugView is a really pleasant driver monitoring tool for Windows. It lets you monitor all the debug output on your local system, or on any computer on the network (via TCP/IP). It is capable of displaying both kernel-mode and Win32 debug output, so you don't need to install a debugger to catch the debug output. And best of all: DebugView is also able to log straight after booting up your system, so you are able to log all the early-stage messages your drivers or service applications emit.

All the drivers featured on bitnuts.de make heavy use of such debug messages, so their output can perfectly be screened with DebugView. I personally use DebugView together with my minifilter drivers and Process Monitor to quickly analyze malware in the first instance. To give you a quick starting guide, just use the following steps:

To log directly into a file, just run:

Dbgview.exe /l dummy_log.txt /a /t

Make sure that you have enabled DebugView's verbose mode and kernel logging.

For more details on monitoring the behavior of other applications, see my post from 2013/02/1 featuring the usage of Process Monitor.


Onion Pi - Make a Raspberry Pi into an Anonymizing Tor Proxy

2013/06/19 by Flo

A pretty cool Raspberry Pi project at adafruit that I wanna feature right here:

Feel like someone is snooping on you? Browse anonymously anywhere you go with the Onion Pi Tor proxy. This is a fun weekend project that uses a Raspberry Pi, a USB WiFi adapter and Ethernet cable to create a small, low-power and portable privacy Pi.

[...]

If you want to browse anonymously on a netbook, tablet, phone, or other mobile or console device that cannot run Tor and does not have an Ethernet connection. If you do not want to or cannot install Tor on your work laptop or loan computer. If you have a guest or friend who wants to use Tor but doesn't have the ability or time to run Tor on their computer, this gift will make the first step much easier.

For more details check out: http://learn.adafruit.com/onion-pi/overview


Swapped Data and Application Flaws

2013/06/16 by Flo

As reported by Bloomberg, thousands of U.S. companies are working closely with U.S. national security agencies, providing sensitive information like flaws and bugs in their popular products. In return they receive benefits such as access to classified intelligence. Well, and people around the world are afraid of technology by ZTE and Huawei?! LOL

By the way: looking through the German press regarding all this Snowden stuff, I read about German experts representing research, industry and politics who call for compensation by boosting German IT firms to come up with competing products that are open, free and not compromised by other countries' intelligence agencies.

My opinion on that: for a long time the whole German IT economy has led some kind of shadowy existence. In Germany we do not have a noteworthy start-up scene, and except for SAP, Fraunhofer's MP3 and the creators of StarOffice I could not think of any product or firm that influenced the IT world in a big way - apart from all these German copycats that just re-invented the wheel to resell it to its original inventors. All the lost investment and encouragement cannot be compensated for in short-term projects. It will be a long journey to IT - Made in Germany. Watching the German security scene for some time now, it seems funny that most German IT security experts work for Fortune companies in the U.S. How will we create secure IT - Made in Germany without the experts? Well, currently it seems that this train has left ;-)


WinDivert - A Windows Packet Divert

2013/06/16 by Flo

While peeking around TCP/IP tracking in Windows' kernel mode, I finally stumbled across WinDivert by basil, which I would like to feature in this post.

WinDivert (Windows Packet Divert) is a user-mode packet capture-and-divert package for Windows (Vista, Server 2008 and Windows 7). Using WinDivert you can capture, modify or drop network packets sent to/from the Windows network stack. You can use the framework to

  • capture network packets
  • filter/drop network packets
  • sniff network packets
  • (re)inject network packets
  • modify network packets

As basil notes in the description of WinDivert, you can use the framework

to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc., etc.. If you need to intercept and modify packets, then WinDivert is for you.

WinDivert comes with a kernel-mode driver and a user-mode DLL that handles the complicated networking stuff. Thus it is really simple to "hook" into the framework and write pretty cool capturing and sniffing tools. For more details check out basil's website or the GitHub project repository.


Misconceptions in whitelisting

2013/06/01 by Flo

Harry Sverdlove definitely brings it to the point in Bit9's blog article on whitelisting and the misconceptions regarding this word:

To protect against modern attacks, additional measures are required to ensure security. Still, even after installing more advanced security measures, no one is running around taking the locks off their doors. This is the idea of a defense-in-depth approach, because there are no silver bullets. For cyberattackers, blacklist solutions are no longer a speed bump on the road to corporate intellectual property, but they are still effective against older-style attacks. On the other hand, next-generation solutions fill the gap left by older solutions that were never designed to defend against modern or targeted cyberattacks. The future of cybersecurity is around trust – or “whitelisting,” but it’s policy-driven whitelisting that can truly meet the needs of today’s at-risk enterprises.

Whitelisting is "just" one layer of a defense-in-depth approach and it is no silver bullet against all attacks. On the other side: no classic malware prevention tool like an AV, desktop firewall, honeypot or IDS covers all the attacks we are faced with today - especially specialized and targeted attempts to hurt you.

Conclusion: you must combine several IT security technologies, because none of them alone will totally secure you.


Kernel-based monitoring on Windows (32/64 bit)

2013/05/26 by Flo

Since malware works fast and quietly, there is demand to analyze such programs at some central point. There is nothing as central as the kernel of an operating system. This whitepaper describes how to monitor your Windows-based system by using a minifilter driver that intercepts IRP_MJ functions in its PreOperation callback. By following Microsoft's recommendations and guidelines for multi-platform (i.e. multiple Microsoft Windows versions) driver development, the resulting drivers are so-called kernel minifilter drivers that are reliable and compatible with all modern versions of Microsoft Windows (2000, XP, Server, 7, 8) - including their 64-bit versions. I started writing this whitepaper back in 2011, have revised the whole document since then and now included some more examples. Have fun reading it; any feedback is appreciated.

Download: http://bitnuts.de/KernelBasedMonitoring.pdf


Tuersteher Light: A Path Based Application Whitelisting Filter Driver

2013/05/20 by Flo

AppLocker's capabilities to whitelist and block executables, libraries and scripts with the comfort of group policies are great, but it is a pain if you need to use AppLocker as a helping hand to monitor, track and block potentially malicious code in forensic scenarios. Furthermore, AppLocker is only available in Enterprise versions of Microsoft Windows and thus not within reach of the majority of Windows users.

Having developed several minifilter drivers, I was able to build a light and easy-to-use filter driver that helps you to monitor and block executables (exe, dll, sys, ocx...) that were not started from a trusted path. Components of this driver are part of our malware detection framework ExploitBuster and Tuersteher, but Tuersteher Light does not contain all the sticky icky features I have built into our heavyweight versions. In Tuersteher Light you simply specify a whitelist of trusted paths and fire up the driver. The driver then checks the corresponding path of every executable before allowing it to be read into memory for execution. Thus the driver is able to block malicious code started from external USB drives, e-mail attachments, your internet browser's cache and many more. It is no silver bullet against all attacks, with regard to 0-days leading to privilege escalation and hence writing their executable into a whitelisted path before execution. But most exploits just write their malicious executables somewhere into the user's folder space and hence can effectively be blocked by the driver's approach using a carefully defined whitelist of paths.

In a common setup I think the driver is able to block many exploits that just start up their malicious code from typical temporary folders and the user paths. In a typical forensic scenario where you run a test machine against potentially toxic web content, I heavily encourage you to only whitelist the folders \Windows\ and \Program Files\. Then fire up DbgView, open a toxic website (e.g. one running an exploit kit) and watch what my driver blocks and logs.

First of all, define the list of paths or files you want to whitelist, save this list into a Unicode file named whitepaths.txt and copy it to your Windows folder (in most cases c:\windows\). The file must be a Unicode text file to prevent deadlocking your machine. The list of names is case sensitive, beware of that, so specify all paths or filenames you want to whitelist by their exact path and filename in the file whitepaths.txt. After each line of a path or filename you must set an asterisk (*). If you forget the asterisk you might crash or deadlock your system after starting up the driver. You are not allowed to specify paths and files directly by their DOS filename, e.g. c:\Windows\ etc. Instead you must use the path's device and volume descriptor! To make things a bit clearer I included an example whitepath.txt file in the driver's package, so check out this file for more details and on how to specify the names there:

\Device\HarddiskVolume2\Windows\*
\Device\HarddiskVolume2\ProgramData\*
\Device\HarddiskVolume2\Program Files (x86)\*
\Device\HarddiskVolume2\Program Files\7-Zip\*
\Device\HarddiskVolume2\Program Files\Application Verifier\*
\Device\HarddiskVolume2\Program Files\Common Files\*
\Device\HarddiskVolume2\Program Files\DIFX\*
\Device\HarddiskVolume2\Program Files\Microsoft Games\*
\Device\HarddiskVolume2\Program Files\Microsoft SQL Server\*
\Device\HarddiskVolume2\Program Files\Microsoft SQL Server Compact Edition\*
\Device\HarddiskVolume2\Program Files\Microsoft Visual Studio 11.0\*
\Device\HarddiskVolume2\Program Files\MSBuild\*
\Device\HarddiskVolume2\Program Files\Reference Assemblies\*
\Device\HarddiskVolume2\Program Files\Windows Defender\*
\Device\HarddiskVolume2\Program Files\Windows Journal\*
\Device\HarddiskVolume2\Program Files\Windows NT\*
\Device\HarddiskVolume2\Users\bitnuts.de\Desktop\Dbgview.exe*
\Device\HarddiskVolume2\Users\bitnuts.de\AppData\Local\Google\Chrome\User Data\PepperFlash\*
\Device\HarddiskVolume2\Users\bitnuts.de\AppData\Local\Google\Chrome\User Data\SwiftShader\*
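The following is an added example, not code from the Tuersteher Light or MZWriteScanner packages: a small user-mode checker for the whitelist files both drivers read (the mzwritescanner.ini shown in the MZWriteScanner post above and the whitepaths.txt shown here), plus the case-sensitive path match this post describes, so a file can be sanity-checked before a driver that may deadlock on it is loaded. The layout it assumes is taken from the two posts (an optional [LETHAL]/[#LETHAL] line, an optional whitelist* marker, then one NT device path per line ending in an asterisk); the sample .ini is constructed.

```python
import re

# NT device path form both drivers expect, e.g. \Device\HarddiskVolume2\Windows\
DEVICE_PATH = re.compile(r"^\\Device\\HarddiskVolume\d+\\")
# DOS drive-letter form (c:\Windows\), which both posts say must not be used
DOS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_whitelist(raw: bytes):
    """Return (lethal, entries, problems) for the raw bytes of a whitelist file.

    lethal is True/False for an MZWriteScanner .ini with a [LETHAL]/[#LETHAL]
    line and None for a Tuersteher Light whitepaths.txt, which has no header.
    Rejected lines go to problems instead of being silently dropped or kept.
    """
    problems = []
    if not raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        problems.append("no UTF-16 byte-order mark: file is probably not 'unicode'")
    try:
        text = raw.decode("utf-16")
    except UnicodeDecodeError:
        return None, [], problems + ["file does not decode as UTF-16"]
    lethal, entries = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line in ("[LETHAL]", "[#LETHAL]"):
            lethal = line == "[LETHAL]"
            continue
        if line == "whitelist*":            # section marker of the .ini format
            continue
        if not line.endswith("*"):
            problems.append(f"line {lineno}: missing trailing '*' (driver may deadlock)")
            continue
        path = line[:-1]
        if DOS_PATH.match(path):
            problems.append(f"line {lineno}: DOS name {path!r}; use the \\Device\\HarddiskVolumeN\\ form")
        elif not DEVICE_PATH.match(path):
            problems.append(f"line {lineno}: not an NT device path: {path!r}")
        else:
            entries.append(path)
    return lethal, entries, problems


def is_allowed(image_path: str, entries) -> bool:
    """Case-sensitive match as the Tuersteher post states: an entry ending in a
    backslash covers everything below that directory, any other entry exactly
    one file."""
    for entry in entries:
        if entry.endswith("\\"):
            if image_path.startswith(entry):
                return True
        elif image_path == entry:
            return True
    return False


# Constructed sample in the MZWriteScanner .ini layout; the last two entries
# are deliberately wrong so the checker has something to report.
SAMPLE_INI = "\n".join([
    "[LETHAL]",
    "whitelist*",
    r"\Device\HarddiskVolume2\Windows\SoftwareDistribution\Download\*",
    r"\Device\HarddiskVolume2\Users\XXX\Desktop\Dbgview.exe*",
    r"C:\Program Files\*",
    r"\Device\HarddiskVolume2\ProgramData" + "\\",
]).encode("utf-16")    # str.encode("utf-16") writes the BOM the drivers need


if __name__ == "__main__":
    lethal, entries, problems = parse_whitelist(SAMPLE_INI)
    print("lethal mode:", lethal)
    for entry in entries:
        print("allow  ", entry)
    for problem in problems:
        print("PROBLEM", problem)
    probe = r"\Device\HarddiskVolume2\Users\XXX\AppData\Local\Temp\dropper.exe"
    print(probe, "->", "allowed" if is_allowed(probe, entries) else "BLOCKED")
```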

The driver was compiled for Microsoft Windows Vista, 7 and 8 (32-bit/x86 and 64-bit/x64 versions). To start it up, go into the driver binary's path for your version of Windows and execute the corresponding *.inf file in order to install the driver.

If you use a 32-bit version of Windows, driver signing is not required and you should be able to run Tuersteher Light just out of the box. On Windows Vista, 7 and 8 x64 you need to digitally sign any driver. This is Microsoft policy for all kernel drivers in recent versions of Windows; for more details see Driver Signing Requirements for Windows.

As a temporary workaround you can also disable the signature check in Windows' boot options. An alternative is to digitally sign the driver yourself using a test certificate and boot Windows into TESTSIGNING mode:

  • Download and install the Windows Driver Kit.
  • Open a WDK Build Environment console as Administrator.
  • Run the MakeCert.exe tool to create a test certificate, e.g. with
    MakeCert -r -pe -ss TestCertStoreName -n "CN=TestCertName" CertFileName.cer
  • Install the test certificate with CertMgr.exe, e.g. with
    CertMgr /add CertFileName.cer /s /r localMachine root
  • Sign Tuersteher_Light.sys with the test certificate, e.g. with
    SignTool sign /v /s TestCertStoreName /n TestCertName Tuersteher_Light.sys
  • Enable Windows TESTSIGNING mode; to do this, run the command
    Bcdedit.exe -set TESTSIGNING ON
  • Restart Windows.

After these steps you should be able to run the driver without disabling the driver signature check every time.

BEWARE! The driver is for educational and test purposes only. It might contain bugs that lead to system crashes and other damage to your system. Use the driver at your own risk and only try it in a non-production environment. I am not responsible nor liable for any damage caused by using the driver. Using this driver is at your own risk!

If you have any questions or suggestions or need assistance, feel free to contact me.

You can download the driver here: tuersteher_light.zip
A general description is given here: tuersteher_light.pdf

Further reading:

  • Application Whitelisting: Approaches And Challenges at http://airccse.org/journal/ijcseit/papers/2512ijcseit02.pdf
  • See Microsoft’s Driver Signing Requirements for Windows at http://msdn.microsoft.com/en-us/windows/hardware/gg487317.aspx
  • For more information on TESTSIGNING check out http://msdn.microsoft.com/en-us/library/windows/hardware/ff553484(v=vs.85).aspx


Tracking executables on Windows

2013/05/14 by Flo

On Windows there is no way to directly monitor and track which executables (exe, dll, sys, msi, ...) are about to run, meaning: when an executable image is loaded into memory for execution. If you are a malware analyst or just interested in which executables are loaded into memory while your Windows machine was turned on, my new kernel-mode driver ExecutableTracker might give you a deeper look inside.

ExecutableTracker is just a simple minifilter driver that logs any executable mapped into memory for execution. You can keep track of the logged executables by using Dbgview (enable 'Capture Kernel', 'Enable Verbose Kernel Output' and 'Pass-Through'). ExecutableTracker determines the corresponding file and calculates a SHA-256 digest of it, so you can use the digest to fire it against a malware database, for example. A typical Dbgview log looks like this:

(image: executable tracker log in Dbgview)

ExecutableTracker does not block any executable image, nor is it some kind of protection driver, so beware of what you execute on your machine. The driver just monitors which executables are loaded and will be executed on your machine. To detect (and block) malware there is more to do; ExecutableTracker is just a stripped-down version of a driver that ships with the ExploitBuster framework and Türsteher, which we currently use to detect malware on our forensic machines. We will not publish such drivers for free right now and hope you have sympathy for this decision.

BEWARE! The driver is for educational and test purposes only. It might contain bugs that lead to system crashes and other damage to your system. Use the driver at your own risk and only try it in a non-production environment. I am not responsible nor liable for any damage caused by using the driver. Using this driver is at your own risk!

You can download the driver for Windows 7 and 8 (32-bit/64-bit) right here. If you have any questions, need assistance or need versions for Windows XP, Vista or a Windows Server edition, just let us know and send me an e-mail.

Additional note: ExecutableTracker is some sort of cleanroom-design implementation of an executable tracker that is based on information gained from the CodeShield architecture paper.


How to simply use elliptic brainpool curves in OpenSSL

2013/04/29 by Flo

OpenSSL comes with great elliptic curve support, but unfortunately does not support brainpool curves directly from its API using named curve parameters. Searching the web I did not find a light and simple description of how to use brainpool curves in OpenSSL without doing crude hacks. Finally I started reading the documentation more conscientiously and ended up at OpenSSL's ecparam option, which makes it really easy to import other elliptic curves that are not in the list of OpenSSL's supported curves.

To sum things up, all you have to do is call OpenSSL with ecparam, specifying your favorite elliptic curve parameters explicitly as described in RFC 3279. As an example I show how things look if you are using the brainpool curve P256r1 (a.k.a. brainpoolP256r1), given as:

Prime:                    0x00A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A:                        0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B:                        0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
Generator (uncompressed): 0x048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
Order:                    0x00A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
Cofactor:                 0x01

Encode the parameters above in the format specified in RFC 3279 and save the file as brainpoolP256r1.asn1:

asn1=SEQUENCE:ecparams

[ecparams]
no=INTEGER:0x01
prime_field=SEQUENCE:prim
coeff=SEQUENCE:coeffs
generator=FORMAT:HEX,OCTETSTRING:048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
primeord=INTEGER:0x00A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
cofac=INTEGER:0x01

[prim]
whatitis=OID:prime-field
prime=INTEGER:0x00A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377

[coeffs]
A=FORMAT:HEX,OCTETSTRING:7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B=FORMAT:HEX,OCTETSTRING:26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6

Call OpenSSL as follows:

openssl asn1parse -genconf brainpoolP256r1.asn1 -out brainpoolP256r1.der

You can cross-check that the elliptic curve parameters are valid by calling

openssl ecparam -inform DER -in brainpoolP256r1.der -check

checking elliptic curve parameters: ok
-----BEGIN EC PARAMETERS-----
MIHgAgEBMCwGByqGSM49AQECIQCp+1fboe6pvD5mCpCdg41ybjv2I9UmICggE0gd
H25TdzBEBCB9Wgl1/CwwV+72dTBBev/n+4BVwSbcXGzpSktE8zC12QQgJtxcbOlK
S0TzMLXZu9d8v5WEFilc9+HOa8zcGP+MB7YEQQSL0q65y35XyyxLSC/8gbevud4n
4eO9I8I6RFO9ms4yYlR++DXD2sT9l/hGGhRhHcnCd0UTLe2OVFwdVMcvBGmXAiEA
qftX26Huqbw+ZgqQnYONcYw5eqO1Yab3kB4OgpdIVqcCAQE=
-----END EC PARAMETERS-----

Now you can use this curve to perform any cryptographic operation, just like you would with the named curves natively supported by OpenSSL, for example to generate an elliptic curve key:

openssl ecparam -inform DER -in brainpoolP256r1.der -out brainpoolP256r1.key.pem -genkey

I am currently working on a complete set of well-known brainpool curves that I will publish here, so you can easily use them without encoding them by hand as shown in the example above.
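As an added example (not code from this post or from OpenSSL), the following pure-Python script takes the brainpoolP256r1 parameters listed above, runs the individual checks that sit behind "openssl ecparam -check" (field prime, non-singular curve, generator on the curve, prime order, n*G = infinity, cofactor within the Hasse bound), and then DER-encodes them as the RFC 3279 ECParameters structure that the [ecparams]/[prim]/[coeffs] config describes, so the base64 it produces can be compared with the EC PARAMETERS block printed above. It needs Python 3.8+ for pow(x, -1, p); the curve arithmetic is affine double-and-add meant for verification, not for protecting secrets.

```python
import base64

# Domain parameters exactly as listed in the post (brainpoolP256r1, RFC 5639).
P = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
G_HEX = ("048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE32"
         "62547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997")
N = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
H = 1
PRIME_FIELD_OID = bytes.fromhex("2a8648ce3d0101")   # 1.2.840.10045.1.1 = prime-field

def decode_point(hexstr):
    """SEC1 uncompressed point: 0x04 || X || Y with 32-byte coordinates."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    return int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")

def ec_add(p1, p2):
    """Affine group law on y^2 = x^3 + A*x + B over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # Q + (-Q) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Plain double-and-add: fine for a parameter check, never for secret scalars."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def is_probable_prime(n):
    """Miller-Rabin over fixed small bases; enough to sanity-check published values."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def check_params():
    """The individual checks behind 'openssl ecparam -check'."""
    gx, gy = decode_point(G_HEX)
    return {
        "field_prime": is_probable_prime(P),
        "non_singular": (4 * A ** 3 + 27 * B ** 2) % P != 0,
        "generator_on_curve": (gy * gy - (gx ** 3 + A * gx + B)) % P == 0,
        "order_prime": is_probable_prime(N),
        "order_times_generator_is_infinity": ec_mul(N, (gx, gy)) is None,
        "cofactor_within_hasse_bound": (H * N - (P + 1)) ** 2 <= 4 * P,
    }

def der(tag, body):
    """Minimal DER TLV; the outer SEQUENCE (224 bytes) needs the long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    # Leading 0x00 when the top bit is set: why the config spells it INTEGER:0x00A9...
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ecparameters_der():
    """RFC 3279 ECParameters, field by field what the [ecparams] config encodes."""
    return der(0x30, der_int(1)                                                      # version
               + der(0x30, der(0x06, PRIME_FIELD_OID) + der_int(P))                   # FieldID ([prim])
               + der(0x30, der(0x04, A.to_bytes(32, "big")) + der(0x04, B.to_bytes(32, "big")))  # Curve ([coeffs])
               + der(0x04, bytes.fromhex(G_HEX))                                      # base point G
               + der_int(N) + der_int(H))                                             # order, cofactor

def ecparameters_b64():
    return base64.b64encode(ecparameters_der()).decode()   # body of the PEM block openssl prints
```

Calling check_params() returns a dict in which every entry is True for these parameters, and ecparameters_b64() returns the base64 body that openssl prints between the EC PARAMETERS markers above.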

Further reading:


Internet Census 2012

2013/03/19 by Flo

"The Internet Census 2012", a really nice idea, but the following should scare you a little bit:

while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.

I heard in a 2012 Black Hat talk that some guys scanned the internet for industrial PCs connected to the internet that could be accessed through HTTP without any passwords set. Reading about the Internet Census 2012 just confirms again that one does not need to be a high-class hacker to attack industrial computers etc. There are thousands of poorly protected machines out there directly connected to the web, and we are seriously talking about cyber war, professional hackers etc.?! Well, hold on for just a minute and think about it again ;-)


Drivers, DosDevices and MountPoints

2013/03/19 by Flo

I peeked through my old code and found three little cuties from back in the day:

  • MountPointFunctions: checks for the mounted drives and prints their Windows NT internal names.
  • QueryDosDevices: simply calls the API function QueryDosDevice and prints out all DOS devices.
  • DriverList: calls NtQuerySystemInformation and gives you a list of all installed drivers including each driver's loaded base address.

Just give the tools a try. It is interesting to get a short peek behind the scenes. You can download the set of tools here: querydostools.zip


Subject to targeted attacks?

2013/03/18 by Flo

(image: tuersteher tag cloud)

Are you subject to targeted and specially crafted (cyber) attacks?

Is your Windows-based information technology being attacked to drain your intellectual property?

Are anti-virus and other protection systems too generic to defend against these attacks?

Well, you have come to the right place. During the last years we carefully developed core technology against many attacks and can now use the sources as a strong code base. We are able to

  • build up fully customized Microsoft Windows Kernel drivers helping you to identify, block, protect and mitigate against new and unknown threats.
  • compile the drivers in front of your eyes to ensure that only trusted sources will be compiled. Because our code base is less than 1000 lines of code it is easy to peek through, even if you are not a kernel hacker.

If you want to test one of our solutions, just send us an e-mail and we will build fully customized demos with respect to your needs, so do not hesitate. We look forward to hearing from you.


TrustWalk - Determining and Checking executables on your disk

2013/03/12 by Flo

In order to get an overview of the executables on my machine I wrote TrustWalk, a simple tool that recursively walks through a given path, determines all executable images in there, calculates their trust state and generates a SHA-256 digest. You might use it in forensic scenarios or just if you want to know what executables are on your disk.

You can download the tool here: trustwalk.zip


How Application Whitelisting Works

2013/03/12 by Flo

In my recent posts I named application whitelisting solutions as powerful tools to detect 0-days and other malicious code again and again. And in fact, application whitelisting seems to be an effective way to reduce the impact of executed malicious code. Some of you asked me to give a short overview of application whitelisting and how it works.

Application whitelisting simply defines which executable code (application, library, driver, etc.) is allowed to run on your computer. In a whitelisted world there exists only black and white. Meaning: if you are on the whitelist you are allowed to pass, and if not, you are blocked. It's like the doorman in front of a night club: if you are on the guest list you pass him, if not, you'd better leave the place. The same applies here: if some executable is on the whitelist it can run, if not, it is blocked. Sometimes there also exist additional blacklists that explicitly block well-known (bad) executable code.

An administrator defines a list of authorized and trusted executables that are allowed to run on a specific machine. If an executable is not registered as trustworthy (i.e. listed in the whitelist), it is blocked. Depending on the complexity of a whitelisting solution there are different approaches to build up such a whitelist. Approved applications can be identified by

  • the publisher certificate of the executable image file itself,
  • a message digest (hash) of executable image file, or
  • a simple path and filename.

Building whitelists from the executables' publisher certificates or their hash fingerprints seems to be more secure than identifying a trustworthy executable by its path and filename (for more details and a basic description read the article at Windows IT Pro).

The tricky part is to initialize and manage (update, deploy, etc.) such a whitelist. Products like Bit9 Parity, Sophos's Endpoint Security or Lumension Application Control have outstanding solutions to build up and maintain/manage the whitelists for their solutions with simple administrative tools.

If you read their product descriptions and whitepapers you can break this process down to the following simple steps:

  • 1. Initialize
    First of all you have to initialize your whitelist, i.e. build a list of trusted executable images. Snapshot your endpoint to identify and catalog all executables (applications, libraries, drivers, scripts etc.) currently installed on the system. All well known application whitelisting solutions generate hash values of the discovered executable images. After initializing you should cross-check the listed executable images. To make this more convenient you can check their digital signatures: on Microsoft Windows most (trusted) executables carry a digital signature that can be verified.
  • 2. Enforce
    Enforce your whitelist and block unknown and unauthorized executable code. That way you stop the payload dropped by a zero-day exploit even before your anti-virus vendor or the software vendor knows there is a "problem" to solve, and you dramatically reduce the risk of getting caught by a drive-by. Keep in mind what whitelisting does not cover: code that is injected into an already whitelisted process and never touches the disk runs with that process's trust (see my posts on transient and diskless malware).
  • 3. Manage
    Manage your whitelists, generate reports and view logs to do additional forensics if needed. You also have to create policies that automate how new applications, their updates, patches etc. are introduced to and executed on your whitelisting protected system. You can whitelist executable code in a more general fashion by using code signing certificates: on Windows you can check the digital signature of an executable and whitelist it directly without re-running the full initialization.

It sounds simple, but the whole process of deploying, managing and running a whitelisting approach on a large number of nodes is a hard task and not as convenient as it might look.
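As an added example (my own toy code, not taken from any of the products named above), the following Python script walks through the three steps with a path rule and a hash rule side by side: it snapshots a directory of executable images (Initialize), decides whether an image may run (Enforce) and lets an administrator re-approve a changed image (Manage). The directory, file names and file contents are constructed for the demo and publisher-certificate rules are not modelled. Overwriting a whitelisted path with other bytes shows why a path/filename rule alone is weak: the path rule still says yes, the hash rule says no.

```python
"""Toy application whitelist: path rule vs. hash rule.

Added example, not code from the original post or from any product named
there. Publisher-certificate rules are not modelled; all files and contents
below are constructed stand-ins for real executable images.
"""
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ocx")


def sha256_of(path):
    """Hash fingerprint of a file, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Initialize: catalog every executable image under root.

    Returns the whitelist as a mapping absolute path -> SHA-256 of content.
    """
    allowed = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                allowed[os.path.abspath(full)] = sha256_of(full)
    return allowed


def allowed_by_path(whitelist, path):
    """Path/filename rule: is there an entry for this location?"""
    return os.path.abspath(path) in whitelist


def allowed_by_hash(whitelist, path):
    """Hash rule: does the file content match a catalogued digest?"""
    return sha256_of(path) in set(whitelist.values())


def decide(whitelist, path):
    """Enforce: return (path_rule_allows, hash_rule_allows, verdict).

    The verdict is 'allow' only when the hash rule passes; a path match alone
    is not enough, because anything can be dropped at a trusted location.
    """
    by_path = allowed_by_path(whitelist, path)
    by_hash = allowed_by_hash(whitelist, path)
    return by_path, by_hash, ("allow" if by_hash else "block")


def approve_update(whitelist, path):
    """Manage: an administrator approves a new or changed image."""
    whitelist[os.path.abspath(path)] = sha256_of(path)


def demo():
    """Constructed scenario; returns the four decisions in order."""
    root = tempfile.mkdtemp(prefix="appwl_")
    app = os.path.join(root, "app.exe")
    with open(app, "wb") as f:
        f.write(b"MZ original application image")   # constructed stand-in for a PE
    wl = snapshot(root)

    clean = decide(wl, app)                        # untouched image: both rules allow
    with open(app, "wb") as f:                     # attacker overwrites the trusted path
        f.write(b"MZ dropped malware at trusted path")
    swapped = decide(wl, app)                      # path rule allows, hash rule blocks

    dropped = os.path.join(root, "update.exe")     # unknown image: no entry at all
    with open(dropped, "wb") as f:
        f.write(b"MZ vendor update")
    unknown = decide(wl, dropped)                  # blocked by both rules
    approve_update(wl, dropped)                    # admin approves the update
    approved = decide(wl, dropped)                 # now allowed by both rules
    return clean, swapped, unknown, approved


if __name__ == "__main__":
    for label, d in zip(("clean", "swapped", "unknown", "approved"), demo()):
        print(f"{label:9s} path={d[0]!s:5s} hash={d[1]!s:5s} -> {d[2]}")
```

Run it as is; the "swapped" line is the one that matters: the path rule is still satisfied after the content has changed, the hash rule is not. A real product replaces the hash set with signed catalogs and publisher rules, but the decision logic is the same.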


Introduction to Elliptic Curve Cryptography

2013/02/25 by Flo (updated 2013/10/31)

If you are new to elliptic curves, my light introduction to ECC might help you out. It is a very basic and simplified introduction to elliptic curve cryptography. I tried to keep things as simple as possible; there are no mathematical proofs. The whitepaper hopefully gives you a nice start in the field of elliptic curve cryptography without scaring you off with the heavyweight proofs, definitions and cryptic acronyms usually seen on this topic.

Download the PDF: Introduction to Elliptic Curve Cryptography


Signing a digest using Elliptic Curves in OpenSSL

2013/02/20 by Flo (updated on 2013/04/09)

If I need to do cryptography stuff quickly I like OpenSSL's elegant simplicity: lots of crypto operations can be done on the fly just using its console application. Paul Heinlein's howto on OpenSSL gives an excellent introduction to the basic stuff you can do with OpenSSL on the console. Unfortunately the howto lacks a closer look at elliptic curves.

If you want to sign a message digest using elliptic curves instead of RSA the following might give you a starting point. Note that prime192v3 and SHA-1 reflect what was common in 2013; for anything new today use a 256-bit curve such as prime256v1 (pass -name prime256v1 to ecparam) and SHA-256 (pass -sha256 to dgst in place of -ecdsa-with-SHA1). The commands are otherwise the same:

Build up an elliptic curve key

openssl ecparam -out key.pem -name prime192v3 -genkey

Check the elliptic curve key

openssl ec -in key.pem -text

Extract the public part of your elliptic curve key

openssl ec -in key.pem -pubout -out key2.pem

Digest a file and sign it with your elliptic curve key

openssl dgst -ecdsa-with-SHA1 -sign key.pem -out helloworld.txt.ecdsa-sha1 helloworld.txt

Verify the digest of a file signed with an elliptic curve key

openssl dgst -ecdsa-with-SHA1 -verify key2.pem -signature helloworld.txt.ecdsa-sha1 helloworld.txt

Further reading:


Doing "quick and dirty" malware analysis with Process Monitor

2013/02/19 by Flo

Process Monitor is a really pleasant monitoring tool for Windows. It allows you to capture process details, including image path, command line, user ID, session ID, thread stacks, etc. It also captures registry, file and network operations. Its powerful features make Process Monitor a core utility for malware hunters.

I personally use Process Monitor for a first quick look at a sample. You just need to fire it up, start the suspicious executable or document and wait for some period of time. Then stop logging and analyze the bunch of generated logs. Do this on a disposable virtual machine you can roll back afterwards. To give you a quick starting guide, just use the following steps:

start procmon.exe and start logging:

procmon.exe /Quiet /Minimized /NoFilter /BackingFile log.pml

After logging your system for a little while, stop Process Monitor (the /Terminate switch stops a running instance from the command line) and convert the PML into a CSV as follows:

procmon.exe /Quiet /Minimized /OpenLog log.pml /SaveAs log.csv

Now you can use the CSV in your further analysis. Please note: there exists malware that checks whether Process Monitor is running and quits if so; keep that in mind.
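As an added example (my own code, not from the original post), here is a small Python triage pass over such a CSV export. It assumes the default column set Process Monitor writes ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the event rows embedded below are constructed for illustration, not captured from real malware. It pulls out the things you look for first: process creations, executable images written to disk, writes to the Run/RunOnce autostart keys and network operations, and it names the processes that did any of it.

```python
"""Triage a Process Monitor CSV export.

Added example, not code from the original post. Assumes the default Procmon
CSV columns; SAMPLE_CSV is a constructed capture for illustration only.
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","WINWORD.EXE","1234","Process Create","C:\\Users\\flo\\AppData\\Local\\Temp\\svch0st.exe","SUCCESS","PID: 4242, Command line: svch0st.exe"
"10:00:01.1000000","WINWORD.EXE","1234","WriteFile","C:\\Users\\flo\\AppData\\Local\\Temp\\svch0st.exe","SUCCESS","Offset: 0, Length: 65536"
"10:00:02.0000000","svch0st.exe","4242","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\flo\\AppData\\Local\\Temp\\svch0st.exe"
"10:00:02.5000000","svch0st.exe","4242","TCP Connect","WIN7-VM:49152 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:00:03.0000000","explorer.exe","800","ReadFile","C:\\Windows\\System32\\shell32.dll","SUCCESS","Offset: 0, Length: 4096"
"""

EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".ocx", ".scr")
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_procmon_csv(text):
    """One dict per event; the Procmon header row supplies the keys."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(events):
    """Collect the findings a first-pass analyst wants from a capture.

    - process_creates: (parent image, child image path)
    - dropped_executables: (writer image, executable path written)
    - autoruns: (image, registry path, detail) for Run/RunOnce writes
    - network: (image, operation, endpoint) for TCP/UDP operations
    - ops_per_process: rough activity profile per image name
    """
    findings = {"process_creates": [], "dropped_executables": [],
                "autoruns": [], "network": [], "ops_per_process": Counter()}
    for ev in events:
        proc, op, path = ev["Process Name"], ev["Operation"], ev["Path"]
        findings["ops_per_process"][proc] += 1
        if op == "Process Create":
            findings["process_creates"].append((proc, path))
        elif op == "WriteFile" and path.lower().endswith(EXEC_SUFFIXES):
            findings["dropped_executables"].append((proc, path))
        elif op == "RegSetValue" and any(k in path.lower() for k in AUTORUN_KEYS):
            findings["autoruns"].append((proc, path, ev["Detail"]))
        elif op.startswith(("TCP ", "UDP ")):
            findings["network"].append((proc, op, path))
    return findings


def suspicious_processes(findings):
    """Images that spawned a child, dropped an executable or set an autorun."""
    names = {p for p, _ in findings["process_creates"]}
    names |= {p for p, _ in findings["dropped_executables"]}
    names |= {p for p, _, _ in findings["autoruns"]}
    return sorted(names)


if __name__ == "__main__":
    f = triage(parse_procmon_csv(SAMPLE_CSV))
    for key in ("process_creates", "dropped_executables", "autoruns", "network"):
        for item in f[key]:
            print(key, item)
    print("suspicious:", suspicious_processes(f))
```

Replace SAMPLE_CSV with open("log.csv", encoding="utf-8-sig").read() to run it over a real export; a real capture has hundreds of thousands of rows, so the per-process counter is also a quick way to see which image is the noisy one.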


Zero-days here, exploits there - Welcome to a cyber attacked world

2013/02/17 by Flo

What a nice start to 2013. In the last two months we saw lots of (targeted) attacks making use of zero-days in Adobe's Reader and Flash, in Office, in scripting hosts and in web browsers. Check the recent security blogs for more details. To get an impression check out the following blog posts, e.g.

All these attacks end up running some kind of executable (EXE, OCX, DLL, SYS) to place their malicious code on the user's machine. Except for the zero-days there is nothing new and nothing special here. Most targets get hit because they lack an anti-virus solution or because their anti-virus does not know the second-stage malware served by the exploit.

Again, nothing new here: we all know that targeted attacks are prone to going undetected by ordinary anti-virus. Hence special solutions like the tools from Lumension, FireEye or Bit9 should be used. Besides these "classical" heavyweight defense champions it is really nice to know that ExploitBuster, MZWriteScanner and Tuersteher ALL were able to detect and block the recently reported attacks. This makes us somewhat proud. If you are interested in our forensics and protection stuff, feel free to contact us. We are looking forward to hearing from you.


Ouch Bit9!

2013/02/15 by Flo

Bit9, a well known company that provides security services to governments and large companies, was hacked. Bit9 is a leader in the field of so-called application whitelisting and early detection systems that protect IT infrastructures especially from unknown malicious code. Unfortunately they got hacked because some of their systems were not protected by their own suite (see their blog post):

Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.

Ouch! Although all of us know that protection of our systems is vital and any failure or oversight is harmful, we might (or can) understand that nobody is perfect and s*** happens. Well, I think there are lessons to be learned here.

As you can read on krebsonsecurity.com:

Grossman said the compromise at Bit9 demonstrates both the strengths and weaknesses of relying on an application whitelisting approach.

"It’s also interesting that they went after Bit9's certs, and not by trying to exploit vulnerabilities in it. Instead of hacking the Bit9 application or network device, they went after Bit9 directly. That says a lot on its own."

Yepp, that's true. In fact all I can say from our experience with the monitoring tools of ExploitBuster and Tuersteher is: it is hard to bypass application whitelisting and central code execution monitoring. You not only need a zero-day to exploit an application like a web browser, document viewer etc., you also need to bypass the kernel-based protection suite, and that is hard to manage with the little amount of memory one is usually free to use within an exploit's execution environment.

I am not surprised that the attackers went after Bit9's certs. There might be vulnerabilities in their suite, but from what I know it will be hard to bypass.


Transient malware is coming

2013/02/14 by Flo

In late 2012 I described Transient Malware As A Show-Stopper For Proactive Application Control On Always-On-Systems. Now a first (experimental) case was documented by Sophos:

The downloaded malware programs never appear as files on disk, which makes them much trickier to spot. The explorer.exe bot has a built-in program loader that constructs an executable software image directly in memory. This loader handles function imports, relocations and more, just like the operating system does when it loads a program from disk.

Well, this is just the beginning. Get ready and prepared, I bet that we will see more transient malware in the next few years.


Automated Exploit-Crawling

2013/01/19 by Flo

If you want to perform some kind of active Internet measurement with commonly used operating systems and applications opening potentially toxic web content you might need some automated scripting that performs the processing and logging.

In this post I am going to give you a basic and abstract how-to for setting up automated exploit-crawling. Use it as a starting point to develop your own scripts (or stand-alone application) that perform the application calls and the logging.

To process potentially toxic web content I assume that you use Windows 7 (32bit or 64bit) with Internet Explorer 9 and all patches and security updates installed. To track what happens on your machine I recommend that you have some analysis/tracking software installed that is able to track, block and log the execution of executable modules. You might use AppLocker if you know how to extract its logging results. Beyond AppLocker there are other solutions, e.g. Bit9 Parity Suite, CoreTrace Bouncer, Lumension Application Control or kautilya to name a few. For more details about trust- and real-time-based proactive application control see my post from 2012/10/17.

If you do not want to spend too much money I recommend using Process Monitor by Sysinternals or another monitoring tool provided at their web site. The same applies here: make sure that you are able to log your system's behaviour in an easy-to-process format (e.g. CSV).

If you have set all this up it's time for some action. All you need is a list of web sites (domains) you want to open and process on your forensics machine. Use this list and the following script to walk through them and log what happens while you open a site.

The following script opens a file containing domain names. For each domain it

  • resets the system behaviour logging (depends on your backend)
  • opens the domain with Internet Explorer
  • waits some period of time
  • kills the Internet Explorer processes
  • saves the system behaviour logging (depends on your backend)

Function OpenDomain(strDomain)

    Const SW_NORMAL = 1
    strComputer = "."
    strCommand = "C:\Program Files (x86)\Internet Explorer\iexplore.exe " & strDomain
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")

    ' Configure the Internet Explorer process to show a window
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = SW_NORMAL

    ' Create the process; intProcessID receives the PID of the new process
    Set objProcess = objWMIService.Get("Win32_Process")
    intReturn = objProcess.Create _
        (strCommand, Null, objConfig, intProcessID)
    If intReturn = 0 Then
        ' wait some time while the page (and whatever it drops) runs
        ' I also recommend doing some mouse movements and SendKeys, because
        ' there is malware checking for mouse movements and keystrokes (such crap
        ' will quit if there are no such events)
        WScript.Sleep(1000 * 30)
    Else
        WScript.Echo "Could not start Internet Explorer for " & strDomain & ", error " & intReturn
    End If

    ' Terminate every iexplore.exe, not only the PID created above: since IE8 the
    ' frame process spawns separate tab processes that would otherwise survive
    ' and pollute the logging of the next domain. Terminating our own child
    ' processes needs no extra privilege.
    Set colProcessList = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_Process WHERE Name = 'iexplore.exe'")
    For Each objProcess In colProcessList
        objProcess.Terminate()
    Next

End Function


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("domains.txt")

Do Until objTextFile.AtEndOfStream
    strLine = Trim(objTextFile.ReadLine)
    If Len(strLine) > 0 Then
        ' ## log domain and reset your system behaviour logging
        ' ## call domain with Internet Explorer
        OpenDomain strLine
        ' ## save system behaviour logging
    End If
Loop

objTextFile.Close

You can use and adjust the code above. It is also possible to open the web sites with other web browsers or to open potentially toxic PDFs, for example. All you need is a list of domains or URLs to open and a logging backend that tracks what is going on while such content is open. A very simple approach is to use Sysinternals' Process Monitor to do such logging. I recommend using minifilter drivers like MZWriteScanner or Türsteher that are able to detect potentially malicious files written to disk and started on your machine. You might also use a combination of such drivers together with Process Monitor.


Multi-million dollar Industry

2013/01/16 by Flo

I fully agree, there is nothing more to say:

The anti-virus industry makes me sad, he says. We should build systems to be more resistant to computer viruses rather than have a multi-million dollar industry to do clean up.

Taken from The Register: an interview by John Leyden with Rich Skrenta, the author of the virus Elk Cloner, who looks back.


Businesscard info leaking

2013/01/15 by Flo

The following screenshot was taken at engadget.com

business card

The first photo was pixelated the second not. Epic fail :-D

Original photos and post by Daniel Rubino, www.wpcentral.com. In the original blog post none of the business cards were pixelated. I don't know why the guys at engadget pixelated them, and why in such a bizarre way. Still funny.


Say hello to Türsteher

2013/01/14 by Flo featuring K3rnelP4n!k

A well known approach to track executable code, especially malware that tries to get installed on your machine, is some kind of trust- and real-time-based proactive application control, meaning that code (an executable, library, driver, script etc.) is only executed if it was identified as trustworthy. Unknown or already known untrusted code is blocked. With Windows 7, Microsoft introduced AppLocker (the successor of the older Software Restriction Policies), which prevents users from executing unknown and untrusted code in a more general fashion. It also enables you to track the execution of code if you check the logs. Beyond AppLocker there are other solutions, e.g. Bit9 Parity Suite, CoreTrace Bouncer, Lumension Application Control or kautilya to name a few. For more details about trust- and real-time-based proactive application control see my post from 2012/10/17.

Unfortunately AppLocker is not available in the standard editions of Windows (on Windows 7 it is only enforced in the Enterprise and Ultimate editions) and (in my opinion) is not easy to use, especially if you deal with forensics and malware analysis. As part of Exploitbuster a friend of mine and I (greetings to K3rnelP4n!k) started to write a proactive application control driver named Türsteher (German for doorman or bouncer) that works as an application whitelisting tool. Türsteher is an AppLocker-like tool which runs under Windows 2000, XP, Vista, 7 and even Windows 8 and is a bit easier to use for us forensics guys because there is no GUI and no console application to run it from. Türsteher is a stand-alone driver that just needs a configuration file, and that's it. Türsteher does not need a service; it is hardcore and fires up directly after kernel init. Logs are written directly through DbgPrint(), which makes it easier to use in automated forensic scenarios. Everything, YES EVERYTHING, is done in the driver itself: there is no communication with user mode, no GUI and no other code that makes things complicated. The driver is written entirely as a minifilter and uses only the well known filtering driver APIs Microsoft recommends. This makes Türsteher a fast and plain minifilter driver with a very small binary footprint.

Thanks to K3rnelP4n!k I was able to test Türsteher for more than two months on different machines and different versions of Microsoft Windows. The driver seems to do a good job, and I was impressed by how much executable code wants to run on a freshly installed Windows machine. As an example check out the log file I generated during a 12h run on Windows 7 64bit. As mentioned, Türsteher also runs very well on Windows 8 (32bit/64bit). Currently we use Türsteher as part of active Internet measurements performed on a Windows 8 (32bit) based machine pool. K3rnelP4n!k and I will provide additional information as soon as we have finished the current walk-through.

View the log here: tuersteher.log


Malware: Replace myself if I could not make a deal

2013/01/04 by Flo

During my winter holidays I came across a tricky threat targeting Internet Explorer 9. Luckily I was running a more advanced version of MZWriteScanner and other minifilter drivers (as part of Exploitbuster) that finally detected something suspicious going on although no process or malicious thread was started on my machine.

What happened? Well, the exploit managed to download a file (named as a .jpg) to the browser cache and finally tried to execute it via CreateProcess(). The call to this API function failed due to the analysis and filtering drivers running on my machine that blocked the attempt. Instead of crashing and giving up, the exploit was tricky enough to replace the executable with an innocuous image file, i.e. it replaced the executable content of the .jpg file with proper image content that can be viewed. This protects the attacker against further (possibly random) detection by a virus scanner that might also scan the browser's cache.

The most interesting thing was that the exploit overwrote the downloaded executable as soon as it realized that it could not make a deal on my machine. Well, that's really, really insane. I will provide more details as soon as I have analyzed this piece of junk in more detail. (By the way: I was using IE 9 on a fully patched Windows 7 x64 machine!!!)


Online BASE64 en-/decoder

2013/01/07 by Flo

From time to time I need to encode to or decode from Base64 without using an application. Every time I needed to do that I was forced to google for a web site that does such stuff. Most sites offering such a service use PHP behind the scenes, which makes me feel uncomfortable using them. So I just "implemented" a JavaScript-based version (JavaScript-Base64) using Base64 by http://www.webtoolkit.info/, thank you guys!


If you are bored...

2013/01/02 by Flo

If you are off duty and bored during the Christmas and New Year holidays just have a look at the following posts at FireEye:


Happy new year folks!

2013/01/02 by Flo

I wish you a happy new year full of joy, peace and success in whatever you are going to do in 2013.

To make reading my blog more comfortable I rearranged and reorganized stuff a little bit. All my prior posts are located in the archives now.