Archive


2014's Blog Archive - A collection of all blog
posts from the year 2014.

Archive 2014

Last modified 2014/02/09 by Flo

Here you will find my posts from 2014, tl;dr.


Password Brute Forcing Bots

2014/12/15 by Flo

In 2014/07 I posted about these password brute-forcing bots that try thousands of passwords on the login pages of common content management systems. As I noted then, I set up a bunch of honeypots to keep an eye on these bots and track what they are doing. In the last few weeks the number of attempts has grown heavily and I have collected a huge and comprehensive list of unique passwords. I will soon start a tiny web service where you can cross-check the SHA-256 hash of your password against my list. For privacy reasons I will not do a complete check on the SHA-256 value; instead I follow "a simple trick" Google introduced with SafeBrowsing: I fold the SHA-256 value to 4 or 8 bytes, so a submitted value may be hit by several real SHA-256 values. My service will return this set of hash values, so you can do the final check by yourself. What is this good for? Well, your privacy! I am not interested in your password's hash, I just provide a service for you, and I think this is the best I can do to respect your privacy with regard to this service.
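The lookup exchange described above, as an added example that is not part of the original post or of the planned service: a stand-alone user-mode C program that models both sides. It assumes that "folding" means XOR-folding the 32 digest bytes down to a 4-byte bucket id (the post does not say how it folds), and it uses constructed 32-byte values in place of real SHA-256 digests; hashing the password itself is left to any SHA-256 library.

```c
/* Added example, not code from the blog or its planned service: the
 * prefix-lookup exchange modelled in user mode.  Assumptions: "folding"
 * is XOR-folding the 32 digest bytes to a 4-byte bucket id, and the
 * digests below are constructed values standing in for SHA-256 output. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 32
#define MAX_HITS   16

/* Fold a 32-byte digest into a 4-byte bucket id by XORing its eight
 * big-endian 32-bit words.  Many digests land in one bucket, which is
 * what gives the client its privacy: the server only sees the bucket. */
uint32_t fold_digest(const uint8_t digest[DIGEST_LEN]) {
    uint32_t acc = 0;
    for (size_t i = 0; i < DIGEST_LEN; i += 4)
        acc ^= ((uint32_t)digest[i] << 24) | ((uint32_t)digest[i + 1] << 16) |
               ((uint32_t)digest[i + 2] << 8) | (uint32_t)digest[i + 3];
    return acc;
}

/* Constructed "leaked password" list: two digests share bucket 0x01000000,
 * the third sits in bucket 0x02000000. */
static const uint8_t kLeakedDigests[3][DIGEST_LEN] = {
    { 0x01 },                 /* byte 0 = 0x01 -> bucket 0x01000000 */
    { 0, 0, 0, 0, 0x01 },     /* byte 4 = 0x01 -> bucket 0x01000000 */
    { 0x02 },                 /* byte 0 = 0x02 -> bucket 0x02000000 */
};
#define N_LEAKED (sizeof kLeakedDigests / sizeof kLeakedDigests[0])

/* Server side: its only input is the bucket id; it returns every stored
 * digest in that bucket and learns nothing more about the query. */
size_t server_lookup(uint32_t bucket, uint8_t out[][DIGEST_LEN], size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < N_LEAKED && n < max_out; ++i)
        if (fold_digest(kLeakedDigests[i]) == bucket)
            memcpy(out[n++], kLeakedDigests[i], DIGEST_LEN);
    return n;
}

/* Client side: send only the folded value, then compare the full digest
 * locally against the returned set.  Returns 1 on an exact hit, else 0;
 * *candidates receives the number of digests the server handed back. */
int client_check(const uint8_t digest[DIGEST_LEN], size_t *candidates) {
    uint8_t hits[MAX_HITS][DIGEST_LEN];
    size_t n = server_lookup(fold_digest(digest), hits, MAX_HITS);
    if (candidates) *candidates = n;
    for (size_t i = 0; i < n; ++i)
        if (memcmp(hits[i], digest, DIGEST_LEN) == 0) return 1;
    return 0;
}

static void report(const char *label, const uint8_t digest[DIGEST_LEN]) {
    size_t n = 0;
    int hit = client_check(digest, &n);      /* evaluate before printing */
    printf("%-12s hit=%d candidates=%zu\n", label, hit, n);
}

int main(void) {
    uint8_t in_list[DIGEST_LEN]     = { 0x01 };                          /* equals kLeakedDigests[0] */
    uint8_t same_bucket[DIGEST_LEN] = { 0, 0, 0, 0, 0, 0, 0, 0, 0x01 };  /* bucket 0x01000000, not stored */
    uint8_t unknown[DIGEST_LEN]     = { 0x01, 0, 0, 0, 0x01 };           /* folds to 0: empty bucket */
    report("in list:", in_list);
    report("same bucket:", same_bucket);
    report("unknown:", unknown);
    return 0;
}
```

The bucket width sets the trade-off: a 4-byte fold leaves 2^32 buckets, so the server still learns 32 bits of the hash, while a shorter fold returns larger candidate sets and reveals less; the "same bucket" case shows why the client, not the server, must do the final exact comparison.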

What is such a service good for? Well, it can help you avoid using passwords that are already known and used by these password brute-forcing bots. As I noted in my previous post: these bots are heavily targeting websites with their requests, and I assume that the guys behind the bots would not scan the web for weak passwords if they were not successful! Thus there must be lots of blogs, CMS, board and other accounts out there that can be hit through such attacks. My suggestion: the best you can do is to watch for these bots yourself and build your own list of common passwords to ensure that you (or your users/clients/customers) will not become a victim of such bots. If you will not or cannot, check out my service.

Besides the passwords it is also very interesting to see which user names the attackers try and from which IP ranges they initiate the requests. Regarding user names I can tell that they often use the domain name of the attacked blog (CMS, board), often combined with different top-level domains into an e-mail address, something like [info |admin |administrator |press |presse |test |test1 |test2 |test3 |test123 |demo |pr |public |abc |blog |wordpress |cms |yourdomain |user |user1 |user2 |user3 |user123 |mail |siteadmin |tester |asd |login |web |webmaster |domainmaster]@yourdomain.com/.de/.org/.co.uk/.nl/... But they also use the names by themselves (i.e. without the @yourdomain.xxx).

Regarding the source of the attacks: it seems that they often use hijacked PCs to perform their stuff. I could trace back IPs from all over the world, but most of them came from Ukraine and Russia. Some victims belong to infrastructure services like landline and water suppliers. It seems that the attackers were able to hijack PCs of industrial control systems that were connected to the Internet via remote administration tools. Well, I can understand that a supplier has no desire to send technicians on site to an oil or water pump to check trivial status. But making the controlling PC directly available on the Internet (through GPRS/EDGE) is not very clever at all. I assume that the targets were weakly protected, thus it was no big deal to get in. But I also found IPs from very big US Fortune 500 companies and this is even more scary to me. Okay, the machines might be insignificant PCs in a test environment, but in general it is not good to see your company's IP in the context of an attack - this has something to do with reputation. Hence my recommendation: you should also check your outgoing HTTP traffic for infected machines that perform password brute-forcing attacks on others. It is not all about protecting your own network and environment.


Ready, Set and Go

2014/12/15 by Flo

Since I now have final clearance from the court and the trade office, I opened the doors of Excubits last week. There was a lot to do behind the scenes, but now I feel comfortable enough to start the German website. Although it was a bit annoying at times, I really learned a lot, and it was not just hard work, it was also great fun. The English version of the website will be started soon (beta here), but I have to carefully check my international Terms of Service to avoid legal trouble. If you cannot wait: the German website is kept simple, you may try Google Translate and order. I will do my best to support international customers with their orders placed on the German website.

Due to comprehensive feedback and discussions with international readers of my blog, I decided to rebrand Türsteher, because the name caused so much irritation (I did not think that Türsteher sounds so bad to non-Germans, well...). For my German customers I will keep the name Türsteher; international customers will call it "Excubits Bouncer" or just Bouncer, as you like. Why Bouncer? Because it is the translation of Türsteher and because every Windows kernel should have a bouncer to defend against attacks (thanks to Dave for his feedback and ideas). Besides that I heavily optimized the overall user experience. There is an administration tool and a tool for your task bar's tray, so you can quickly see what is going on with Bouncer. This tool also writes into the Event Log, so more experienced users (or administrators) are able to check computers remotely or by probing the Event Log. If you have notes, comments or critique, just let me know. By the way, Türsteher/"Excubits Bouncer" also runs on x86-based Windows tablet PCs, so you can enjoy the protection on your tablet, too! A modern UI app might follow if there is enough demand.

I was asked about my future plans and next steps. Well, my first and foremost goal is to place Türsteher/"Excubits Bouncer" in the scene, making Excubits visible to more people and users. There is more to come in 2015. As I noted in a previous post, MZWriteScanner will be published at Excubits under a new brand name and will have more features. Internally I am also testing a variant of Türsteher/"Excubits Bouncer" that will be marketed as Türsteher Plus/"Excubits Bouncer Plus". This package is for users at high risk and will support checking all executables against a comprehensive whitelist of high-quality, cryptographically proven signatures; maybe I will include some additional in-depth mitigations, too. It depends on my workload and other legal stuff (export regulations and so on). The target audience for this Plus version will be "hardcore" security-aware users like ATM, POS or control unit manufacturers that often cannot update their machines on every service pack or patch day Microsoft deploys, but want to protect their machines against attacks. With Türsteher Plus/"Excubits Bouncer Plus" you can ultimately limit the number of executables to the strict minimum set that is really needed in your specific case, i.e. the set of executables, libraries, drivers etc. that are really necessary to boot Windows and run your dedicated binaries. Strictly nothing more!

If we earn enough money and break even, Excubits is going to spend more bucks on the logo design and marketing, also on better translations (especially English and Spanish) and training videos. Currently we are also taking part in a German start-up competition and want to get as far as we can. Our goal is reaching the podium for the challenge here in Cologne/Bonn.

Last but not least I would like to thank all the people who supported me so far, special greetings go to Conny, my family and friends, Dave, Said, Brian, Yousif, Rasheed and Moxa. Thanks for your feedback, critique, ideas and nice e-mails. This Excubits thing would not be possible without your encouragement, suggestions and support.


xtray for Türsteher

2014/11/30 by Flo

screenshot of xtray a simple tray icon for Türsteher

As I mentioned in my last post, there will be a simple tool for Türsteher that shows a tray icon in different colors depending on what is written into Türsteher's log. If there is no new entry in the log (i.e. no attack, no attempt to execute something) the T will be green. If there was a new entry (i.e. an attack/attempt was detected) the T turns red and you will see a balloon tool tip providing more information. By double-clicking on the tray icon the log will be opened in Notepad and the T will change its color back to green.

Some readers asked me what the key difference is between Türsteher and other competitors' solutions that might look more convenient, have a more advanced graphical user interface and other "cool" options. Well, I am aware of my competitors, don't worry. One of the key features Türsteher provides is its clean simplicity. To make it short: there is no extravagantly over-engineered GUI simulating security by graphical design alone. Guys... we do security, not design.

Türsteher is an in-depth approach, it sits directly in the Windows kernel; if you do not know: this is where Microsoft Windows' heart and brain are working. Thus Türsteher is able to intercept and control at a central point. Türsteher works without any dependency on user mode: there is no service, no application - there is truly absolutely nothing in user mode that can directly talk to Türsteher. It is one of the key (security) features that makes Türsteher superior to other solutions. Türsteher also does none of the sticky-icky hacking or hooking tricks other solutions often do. Türsteher does not modify or hack the Registry to perform its actions, it does not hook the API or any system DLL to control execution flow, nor does it manipulate or hook the Windows kernel itself. Everything implemented in Türsteher is officially documented by Microsoft, thus there is no magic dust, no hacks and none of the other foolish things over which security software often stumbles. We are not afraid of future service packs or other updates, which some competitors must fear because of their hacks. This is not going to happen to Türsteher, because it was well designed. That is why we don't need a shiny GUI: it won't increase security. Everything Türsteher does is already there; a shiny and animated GUI won't make it more secure, it only adds possible attack vectors, and that is what Türsteher should mitigate against.


First view on the simple admin tool

2014/11/23 by Flo (updated 2014/11/29)

The initial version of TAtToo is finally done, you can download a first beta of the tiny administration tool for Türsteher right here: tattoo.7z. Any feedback is appreciated, thanks in advance.

screenshot of Türsteher Admin Tool

I am not just busy launching the company, I also spent some time on "programming" a simple GUI for managing the initial configuration, see the screenshot on the left. As you can see, things are kept very simple, but the tool fully manages the pesky internal drive mapping Türsteher requires. Using the tool you no longer have to do the conversion by hand, it is all done by the tool. All you have to do is choose a folder or file and decide whether it goes on the whitelist (allow) or the blacklist (deny). Both are chosen through the standard Windows GUI dialogs like the FileOpen and FolderOpen dialogs every user has already come across, so things are familiar and easy. By the way: the tool is written as an AutoIt script and the source will be provided, so you can adjust, modify and optimize it for your needs (cool, isn't it?!). I will also provide a tool that watches for changes to the log file, notifies the user with a simple tray icon and writes a short message into the Event Log. The latter option is for advanced users, especially with Windows Servers in mind, where people are used to monitoring the Event Log rather than individual log files.
Besides that I have also been heavily reviewing and testing the core driver again and again and was able to optimize Türsteher's internal workings and the amount of kernel memory the driver allocates. Nothing the ordinary user will ever notice in everyday work, but it can be valuable for users that run Türsteher on their servers (and/or cloud infrastructure). I was also able to do some more speed optimizations, hence the driver is faster again - although Türsteher was really fast before :-)

Side note: I also heavily optimized MZWriteScanner, the core driver is now faster and more reliable as well. I did a lot of testing with MZWriteScanner and there is more to come from that little project in future. I plan to add a Java, Flash and PDF scanning engine to scan and track such files too. I think that this will be good news for all the forensics guys already using MZWriteScanner and requesting that functionality.


Tuersteher gets official

2014/11/23 by Flo (wrap-up based on previous posts)

I am pleased to say that I am planning to distribute Tuersteher Light as a product called Tuersteher. After a long journey with my lawyers and a lot of reading, official paperwork and application forms, there is some more news. I finally launched a brand new company called Excubits. Excubits, coming from Latin "Excubitores", Binary Digit and Security. Legally it is a UG (haftungsbeschränkt), informally known as the German Ltd. We are just waiting for the commercial register release, then everything is official. To have a look at what we did so far, you can read/view our German and English manuals of Türsteher right here (German) and here (English). There you will also see our logo and name.

Starting up a company also means doing some more stuff behind the scenes, for example choosing the right name for your company. One result was that my lawyers strongly recommended not to use my initially chosen name foxtron.de, because of naming-rights issues that might occur etc. Thus we have chosen Excubits and registered brand new domains. Starting up a UG also means you initially have to pay more money for registration and the like. Thus you will understand that Türsteher cannot be free anymore. Tuersteher will be free for private/non-commercial use in a demo version with some limited functions; for commercial use Tuersteher SHALL be licensed and features some more options needed for professional usage.

Regarding German regulations and legal requirements, I need some weeks to get everything working in a sound legal framework. I am sorry for the delay, but I will provide status updates below.

Status Update:

  • District Court Clearance (almost done)
  • Registration at Commercial Office Bonn (done)
  • Official Registry Request to Tax Office (done)
  • Obtaining a Driver Signing Certificate (done)
  • Obtaining a brand new VSC license (done)


Tuersteher ready for Win 10

2014/10/10 by Flo

I have tried to install and use Tuersteher (Light/Lite) on Windows 10 (x64) and it successfully passed all my initial tests. It seems that Tuersteher will also easily join the Windows 10 family. Yeah!!!


First Class Domains distributed by me

2014/08/31 by Flo

Take advantage of first-class domains and their synergies. Benefit from a first-class domain's competitive advantage or generate additional traffic on your web-site. In addition, a well-selected domain can be beneficial to your brand. Increase the value of your appearance, use the marketing benefit of a catchy domain name.

If you have any questions or are interested in the following domains, do not hesitate and contact me.


Breaking AV Software

2014/07/29 by Flo

At this year's SyScan'14, Joxean Koret showed why you should not blindly trust your AV engine. Even more, he impressively showed why these extravagantly designed security tools are vulnerable because of their complexity. Yet another argument for tiny, quick and streamlined minifilter drivers like Türsteher (Light).

Some highlights from the conclusion of his slides:


- Do not blindly trust your AV product
- Isolate the machines with AV engines used for gateways, networks, ...
- Audit your AV engine (use fuzzing, code review...)
- Review your online updating process (especially TLS)
- Set up a Bug Bounty Program
- Do not run your code in highest privileges
- Use Sandboxing
- Run dangerous code under an emulator
- Do not trust your own code

Well, I would suggest: reduce complexity and all the bling-bling features modern AVs come with. Besides all those AVs and desktop firewalls, use additional mitigations like EMET, AppLocker (whitelisting), network monitoring and automated file system monitoring that can detect suspicious behaviour (see MZWriteScanner for example). Do not rely only on the classic anti-malware stuff, add new technologies to detect, track and mitigate!

Check out Joxean Koret's slides at Web-Site or SyScan-Slides


Better Support => Donate & Contribute

2014/07/28 by Flo

This blog post is dedicated to the people who steadily ask for signed drivers, MSIs and installers, better documentation, a log file viewer and other convenience features for my drivers and tools: keep calm, it is on my to-do list.

There are a lot of people living by that "all right now and all for free" mentality. bitnuts.de is my private blog, the things I publish here are for non-commercial private usage only, it is just for fun. The drivers and tools published here for free are not a product, so in the end you get what you pay for.

Driver signing costs yearly fees; to build the drivers for all major versions of Windows you need licenses for different versions of Visual Studio; debugging costs a lot of time; you need to spend time on testing and setting up test beds; you need time for answering requests and building customized versions of drivers etc. I did all the implementation and a lot of support without asking for any kind of support yet, and there has not been even $1 donated on a voluntary basis or any other sponsorship or contribution so far. In most cases people did not even say thank you, they just request, ask and take, and that is it. Shame on all of these scavengers -- at least a thank you, that's not asking too much I think.

If you want things done faster, better and more conveniently, then support me and DONATE, or let me do my things as fast as I can manage!

Stay tuned and thanks to all of you, who supported me with substantial feedback so far.


Say Hello to Wordpress hacking bots

2014/07/27 by Flo

For some time now I have seen plenty of bots visiting my blog and searching for well-known CMS/blog software login and administration pages. Well, my blog is static and does not use any well-known blog or CMS software like WordPress, Joomla! etc. Although a quick meta-data analysis of the HTML would show that my website does not use such systems, those cracking bots try to get access with up to ~6,000 login requests in just one day and keep trying to log into WordPress or Joomla! on my site, using common user names and passwords.

While checking my access logs I noticed all the unsuccessful 404 attempts to log in, and was a bit curious about the passwords these bots use again and again. Therefore I set up a simple WordPress login page to fool those bots and to record their login attempts. I compiled a list of common passwords from that, but had to sanitize it of obvious bogus attempts, which suggest that the lists these guys use are tainted by run-time errors and poor string handling in their scripts. In the end I had a collection of common passwords that different bots used on my blog. I also found very fruitful information regarding the attackers. It seems that the lists they use are sometimes of bad quality and/or programming errors result in some information leakage, because they often did not submit the intended password itself; they obviously submitted the password followed by another garbage string, very likely originating from their internal program. So, if you are going to do research and investigation on similar things, keep an eye on such additional information these kids leave behind by accident :-).

I also recommend checking your access logs, and if you are subject to such attacks: collect the passwords too and cross-check them with your (or your clients') passwords, just to ensure that your website, blog or CMS is not vulnerable to one of those passwords. These bots are heavily targeting websites with their requests, and I assume that the guys behind the bots would not scan the web for weak passwords if they were not successful. Thus there must be lots of blogs, CMS, forums etc. out there that can be hit through such attacks. So take the time, build your own list of common passwords and ensure that you will not become a victim of a bot just using such well-known brute-forced passwords. I will keep investigating this and will follow up on this post. If you have additional information or want to support me, you can contact me by e-mail. Feel free to send me your comments, ideas, feedback or criticism.


miniLock

2014/07/24 by Flo

Just a short feature: miniLock is a file encryption tool that does more with less. The overall design looks very promising and I like the idea of generating a public/private key pair out of a well-chosen passphrase a user is able to memorize. There is no need to permanently save your asymmetric key pair on your hard drive, you just have to remember your passphrase to recover the key pair. The source is currently undergoing a cryptographic code audit, we will see what comes up, but there are some fairly cool concepts used.

Check out the project's site at: https://github.com/kaepora/miniLock


Some words for the Bigmouths

2014/07/24 by Flo

In the last few months I received a little more feedback than I was used to receiving. Well, since I started writing and publishing whitepapers and tools to analyze and track malicious content for Windows with self-made stuff, not many people were interested in them. The total number of downloads was small, and my whitepapers were rarely read or commented on. During the last few months I received more feedback and lots of questions regarding my drivers.

Although I am happy to see that people are getting interested in tracking, analyzing and mitigating malware by using self-made minifilter drivers, I am also a bit confused that some of the feedback I received was written by (I will call them) heads of the scene. People who claim to be professional IT-security consultants and analysts. By the way, I am not a young, inexperienced hacker. I hold a degree in CS and I have been in the malware business for a while. I will not publish any names or companies here, but I really wondered about some of the questions those guys were asking. And I was a bit perplexed that these people give highly rated lectures on IT security and Windows internals, attend security conferences as honorable speakers, and ask questions like beginners at OSR's do.

This blog post is not meant to be disrespectful or to laugh you guys down. Nobody is omniscient, I make lots of mistakes too, and still learn. The IT-security business is hard, fast and, like malware, somewhat polymorphic at times. It is hard to keep up with all the trends and it is hard to build security measures that hold for a time. So, exchanging information and knowledge is the number one key to getting things better and done. That is why I always appreciate any feedback, suggestions and critique. I believe that you will never elevate knowledge without others.

But I do not like those pickle-head know-it-all guys that quickly fly over my blog, give some universal feedback and criticism like "your drivers will not defend this and that", "what about this attack?", "you are going to fail against the following attack...", etc. And at the end of their "feedback" they often ask me for the source code of my drivers or parts of it, especially for some APIs they very likely need for their own projects.

Well, Mr. Bigmouths: I have been hacking for quite a while and what I've learned in all these years is that nothing is secure and you will never ever build a system on these von Neumann machines that is secure. Everybody claiming that would be the absolute genius who found "THE FORMULA" or, what I would rather expect, yet another jerk trying to get famous AND rich by collecting some million $ from venture capitalists. So, I know that my tools and drivers are not the silver bullet, but I think that they are good mitigation. They assist and help you where a naked Windows and the classic AV and desktop firewall fail. And they help to detect and analyze malware a bit faster instead of doing it the hard way with a debugger or live API analysis and things of that kind...

The tools and drivers I publish here for free are just one part of the stuff we do, e.g. with regard to the ExploitBuster framework. The stuff you can download here is slimmed down and lite. Thus do not assume that, for example, Türsteher Light is all I have to offer and all I know about mitigation techniques. ExploitBuster is much more than Türsteher Light. Türsteher Light, for example, is just a stripped-down version of Türsteher. Hence, do not pass judgement on just one little driver you saw, or on the whitepapers I publish. Ask if you want to know more or if you are confused. I am not a native speaker, thus it is likely that some parts of my papers and descriptions are unclear in some details -- so ask!

I can tell that my framework and, as I call them, my heavyweight champion drivers are able to mitigate a damn whole bunch of the scrap out there. So far there has been no well-known exploit reported by the relevant IT press that was not detected by my framework - without any adjustment afterwards. So I can say that my drivers and tool set have been good enough to win the match so far.

You might also understand that I will not publish everything for free; I always mention in the READMEs and whitepapers that there is more, and if you need additional information: contact me. I am open-minded and appreciate any substantial feedback and criticism. I also like to discuss new malware (trends), mitigation techniques, experiences in this field, malware samples and bad URLs that distribute such scrap. I am also willing to help and provide source code snippets. But this is not a one-way street. Just having a "big name" in the scene does not mean you get things for free. And last but not least: it does not mean you know it all best -- first ask and discuss before blaming. Thank you.


The good old days...

2014/07/24 by Flo

screenshot of my android

Since Microsoft announced that they will discontinue Nokia's Symbian line and that they will do some spring cleaning, there have been a lot of articles bemoaning the good old Nokia days, where mobile phones had a running time of about 14 days while new smartphones just last about one day, etc. etc... Well, I currently use a very handy smartphone from Acer that is able to run about 14 days without recharging, although it is dual-SIM and I checked my e-mails through WiFi, wrote some messages and made some phone calls.

As you can see, this has nothing to do with Nokia, it is all about good design and how you configure and use your phone. By the way, you cannot compare a 20-year-old Nokia with a monochrome one-line text-only display to an iPhone with its Retina display and all the other features. But if you know how to tweak such devices you will not recharge your smartphone every single day - that is for sure! So stop hating and take off the pink glasses.

By the way: although I liked Nokia a lot, I think they rested on their laurels and were lordly and arrogant. It reminded me of Motorola, same story there. All I heard from them was how proud they could be of what they made up, that they were the first with this, the first with that, the first with some kind of smartphone back in the 90s etc. Well, maybe! But they got lost in their extravagant and huge product line. It felt like they had a thousand new models each year, and none of the phones were significantly different. There was no clear company concept (would it be high-end, mid-end or low-end), no eye-catcher, nothing cool, it was just a stack of electronics glued and merged with colorful plastics. I often felt that their engineers and product designers never ever used one of the devices they were responsible for. Lots of tiny but annoying bugs and missing conveniences made me change to iOS and Android. To be honest, a lot of Android phones also feel like their engineers never used one of their babies, but even the cheapest low-end phones look and feel better than most of the scrap Nokia engineered in the last years.

Maybe Microsoft will save the rest of European mobile phone history, and hopefully they will design smarter phones and not follow the Asian (formerly Nokia's) trend of flooding the market with junky, ugly-looking phones that function poorly, just to say: hey guys, we had a thousand new phones this year, they're almost muck, but hey! every month 'yet another' brand new phone line with lots of stupid features and services most users do not understand and thus will not use.

Saying it in the spirit of a well-known tech CEO: "not everything that is technically possible should be implemented". Less is more. Hopefully we will see fewer Lumia phones in the future, but with great features and a well-done overall design in mind.


How To QueryDosDevices for Türsteher Light

2014/07/04 by Flo [update 2014/07/27]

QueryDosDevices screenshot

Just an update: you can also run "fltMC.exe volumes" from an administrative command line to list the device mapping (DOS name next to the \Device\HarddiskVolumeN name). Thanks to Rasheed.

Configuring Türsteher the right way is not an easy task, because the driver does not use the well-known drive letters like C:\, D:\ or X:\ but the kernel's internal device names. I already included a simple tool in the Türsteher Light package that outputs several device and drive mappings, but it seems that most people do not understand what to do with the output. So I decided to write another tool that gives you just what is needed for Türsteher's .ini file. Just execute QueryDosDevices.exe or the AutoIt script and press the refresh button to map drive letters to Windows' internal device names. Use these and only these mapped names in your tuersteher_light.ini. For example, if the mapping says that C:\ is \Device\HarddiskVolume2, then configure tuersteher_light.ini like this to grant access to Windows' common paths:

[LETHAL]
[FORENSICS_PATH]
whitelist*
\Device\HarddiskVolume2\Windows\*
\Device\HarddiskVolume2\Program Files\*
\Device\HarddiskVolume2\Program Files (x86)\*
\Device\HarddiskVolume2\ProgramData\*
blacklist|
\Device\HarddiskVolume2\Users\|
\Device\HarddiskVolume2\Windows\System32\calc.exe|

This configuration allows all system executables but blocks executables in the Users folders. Thus if you copy an executable to your Desktop or Downloads folder, it will be blocked. This example also blocks calc.exe, the default Windows calculator, just to show you how to block things. Play around to get comfortable with the notation and learn what happens if you allow or block access to certain files or paths. But beware! You might lock yourself out and crash your system if you block too much :-) Also note that the \Device\HarddiskVolumeN numbers are assigned when the volumes are enumerated, so adding or removing disks or partitions can renumber them; re-check the mapping (QueryDosDevices or "fltMC.exe volumes") after such changes, otherwise your whitelist may point at the wrong volume.

You can download the tool here: QueryDosDevices.zip. I used AutoIt for this tool, the source is included so you can adjust it to your needs and build a customized tool. Any feedback, or a proper configuration tool for Türsteher as feedback, is welcome.

I am currently working on a Türsteher Admin Tool, which will make the configuration more convenient. If you are interested in beta testing, contact me or stay tuned until the final version is released here.


Blocking Process Creation using a Windows Kernel Driver

2014/06/15 by Flo

Since I have published monitoring drivers that are able to detect process creation, executable image mapping etc., I have often been asked whether I could publish some code examples on how to do detection or filtering of executable code. In this post I will not publish a complete monitoring driver skeleton, but I will give you everything you need to start your first own project.

To filter process creation, Microsoft Windows supports a simple callback mechanism registered via PsSetCreateProcessNotifyRoutineEx. This routine registers or removes a callback routine that notifies the caller (your driver's code) when a process is created or exits. Just register a create-process notify routine and return a failure CreationStatus from the callback for a creation notification.

According to the specification on MSDN, see PsSetCreateProcessNotifyRoutineEx:

VOID CreateProcessNotifyEx(
    _Inout_  PEPROCESS              Process,
    _In_     HANDLE                 ProcessId,
    _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
);

where

  • Process [in, out]
    A pointer to the EPROCESS structure for the process.
  • ProcessId [in]
    The process ID of the process.
  • CreateInfo [in, optional]
    If this parameter is non-NULL, a new process is being created, and CreateInfo points to a PS_CREATE_NOTIFY_INFO structure that describes the new process. If this parameter is NULL, the specified process is exiting.

Microsoft states:

For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running. The driver can cause the process-creation operation to fail by changing the CreateInfo->CreationStatus member to an NTSTATUS error code.

What we are interested in is

typedef struct _PS_CREATE_NOTIFY_INFO { ... }

Use the CreationStatus member and return an error status code like STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT or STATUS_ACCESS_DENIED if you want to block process creation. For more status codes see http://msdn.microsoft.com/en-us/library/cc704588.aspx. If you want to filter process creation in an AppLocker-like approach, you must decide which executables are allowed to run on the machine and which are not. For example, in AppLocker you can choose between registered path and file names or a hash value of a given executable. You can also use a link between your driver and a user-mode application that asks the user if an executable is allowed to run, like in Trust-No-Exe (an executable filter driver for Windows XP - see Trust-No-Exe). There are plenty of ways to decide, but I think the simplest way is doing it like AppLocker: just use file and path names or hash values in a whitelist.
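To show how the callback from this post and the device-path notation from the QueryDosDevices post fit together, here is an added example of my own (not Türsteher's, not Microsoft's code): a path-based whitelist/blacklist decision wired into a PsSetCreateProcessNotifyRoutineEx callback. It assumes, as in the post above, that C:\ maps to \Device\HarddiskVolume2, and it picks its own rule semantics (case-insensitive prefix match, a blacklist hit wins over a whitelist hit, anything matched by neither list is denied), which may differ from how Türsteher interprets `*` and `|`. The macro BUILD_KERNEL_DRIVER is this example's own: define it when building with the WDK to get the driver part; without it only the portable policy logic compiles, so the policy can be unit-tested on any host before it ever runs in ring 0.

```c
/* Added example: path-based allow/deny policy plus a process-creation
   callback.  BUILD_KERNEL_DRIVER is this example's macro, not a WDK one. */
#include <stddef.h>

#ifdef BUILD_KERNEL_DRIVER
#include <ntddk.h>
#else
#include <string.h>
/* Stand-ins so the policy logic compiles and can be unit-tested on any host. */
typedef unsigned short WCHAR;      /* UTF-16 code unit, as in the kernel */
typedef unsigned short USHORT;
typedef unsigned char  BOOLEAN;
#define TRUE  1
#define FALSE 0
#endif

/* Rules in NT device-path form.  HarddiskVolume2 is the hypothetical mapping
   of C:\ from the post.  Semantics chosen here: case-insensitive prefix match,
   a blacklist hit wins over a whitelist hit, unmatched paths are denied. */
static const char *const kWhitelist[] = {
    "\\Device\\HarddiskVolume2\\Windows\\",
    "\\Device\\HarddiskVolume2\\Program Files\\",
    "\\Device\\HarddiskVolume2\\Program Files (x86)\\",
    "\\Device\\HarddiskVolume2\\ProgramData\\",
};
static const char *const kBlacklist[] = {
    "\\Device\\HarddiskVolume2\\Users\\",
    "\\Device\\HarddiskVolume2\\Windows\\System32\\calc.exe",
};

static WCHAR LowerAscii(WCHAR c)
{
    return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + ('a' - 'A')) : c;
}

/* Prefix test over a counted UTF-16 buffer, i.e. the shape of UNICODE_STRING:
   Length is in bytes and no NUL terminator is guaranteed. */
static BOOLEAN HasPrefixCi(const WCHAR *path, USHORT pathBytes, const char *prefix)
{
    size_t units = pathBytes / sizeof(WCHAR), i;
    for (i = 0; prefix[i] != '\0'; i++) {
        if (i >= units)                         /* path shorter than the rule */
            return FALSE;
        if (LowerAscii(path[i]) != LowerAscii((WCHAR)(unsigned char)prefix[i]))
            return FALSE;
    }
    return TRUE;
}

/* The policy decision: deny wins, then allow, otherwise default-deny. */
BOOLEAN IsImageAllowed(const WCHAR *path, USHORT pathBytes)
{
    size_t i;
    if (path == NULL || pathBytes == 0)
        return FALSE;
    for (i = 0; i < sizeof kBlacklist / sizeof kBlacklist[0]; i++)
        if (HasPrefixCi(path, pathBytes, kBlacklist[i])) return FALSE;
    for (i = 0; i < sizeof kWhitelist / sizeof kWhitelist[0]; i++)
        if (HasPrefixCi(path, pathBytes, kWhitelist[i])) return TRUE;
    return FALSE;
}

#ifndef BUILD_KERNEL_DRIVER
/* Host-side test hook: widen an ASCII NT path to UTF-16 and ask the policy. */
int IsPathAllowedAscii(const char *ntPath)
{
    WCHAR buf[260];
    size_t n = strlen(ntPath), i;
    if (n > sizeof buf / sizeof buf[0])
        return 0;
    for (i = 0; i < n; i++)
        buf[i] = (WCHAR)(unsigned char)ntPath[i];
    return IsImageAllowed(buf, (USHORT)(n * sizeof(WCHAR))) ? 1 : 0;
}
#else
/* CreateInfo is NULL for exit notifications.  On creation, ImageFileName is
   the NT device path of the image, the same form the rule tables use. */
static VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                                  PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL)
        return;
    /* No image name means no rule can match; whitelisting denies by default. */
    if (CreateInfo->ImageFileName == NULL ||
        !IsImageAllowed(CreateInfo->ImageFileName->Buffer,
                        CreateInfo->ImageFileName->Length))
        CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT;
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);  /* Remove */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    /* Fails with STATUS_ACCESS_DENIED unless the image is linked /INTEGRITYCHECK. */
    return PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
}
#endif
```

Two points worth keeping in mind when you turn this into a real driver: the registration only succeeds for images linked with /INTEGRITYCHECK, and the policy runs before the new process's initial thread starts, so every decision you make here is on the critical path of every process launch. Keep the matching cheap and test the table on the host first; with the rules above, notepad.exe under \Windows\ is allowed, calc.exe is denied by the blacklist even though it sits under the whitelisted \Windows\ tree, and anything under \Users\ or on another volume is denied.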


Using L2TP-IPSec-VPN with Windows 7, 8 and 8.1 avoiding errors 789 and 809

2014/06/14 by Flo

Having a Raspberry Pi, one of my first projects was to set up my own VPN server on this cute little machine. Why? Well, we see free, unencrypted wireless hot spots everywhere, but you shouldn't read your private mails, facebook or your bank account on such networks, because other users or the provider of such spots might eavesdrop on your communication. A reliable solution is to use a so-called virtual private network (VPN).

Using a VPN gives you the privacy of your own private network in public places, where you are using open networks in hotels, universities, coffee shops etc. With a VPN you are using the Internet encrypted and secured over often insecure networks, as if you were at home.

Some of you might already use one of the professional VPN providers, and there are plenty of ways and providers to get a VPN from, both with free and paid plans. But you never have an in-depth look behind the scenes of such providers and do not know if they are trustworthy, secure etc. A very simple solution is to set up your own VPN server on the well-known Fritz!Boxes or, if you do not own a Fritz!, to use a cute Raspberry Pi and build a VPN from scratch.

While setting up the VPN on my Raspberry Pi I ran into several issues making the server usable on my zoo of devices. Most problems and issues occurred on my Windows machines, especially these pesky errors 809 and 789 on Windows 7 and 8/8.1. I tried several solutions found by googling the web, but none of them did it on the first and only run.

The main problem is that since Windows 7 and Server 2008, Microsoft Windows does not support IPsec network address translation (NAT) Traversal (NAT-T) security associations to servers that are behind a NAT device, as is the case with most home-brew VPN servers that sit behind a DSL or LTE modem/router. Thus, if the VPN server sits behind a NAT device, your Windows 7 or 8/8.1 VPN client cannot make an L2TP/IPsec connection to the VPN server.

The following Windows Registry hack worked at the end, and that's why I would like to share it with you guys, hopefully it helps some of you out:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000000

Just install these Registry entries, restart your machine and try to connect to your NATed VPN server. For more details also read http://support.microsoft.com/kb/926179/en-us.


Tuersteher Light For Windows XP

2014/05/27 by Flo (updated 2014/06/11)


I got a lot of feedback on Tuersteher in the last few months, most of it regarding a special edition of Tuersteher Light for Windows XP as some kind of endpoint protection system. Since Microsoft has discontinued support for Windows XP, this operating system will no longer receive any (security) updates from Microsoft. Operating Windows XP is risky, because security issues are no longer fixed; users must expect attacks on their beloved XP machines. Something like Tuersteher for Windows XP sounds great to mitigate that risk. I think that's why I received so many comments and questions about a special edition for XP. Tuersteher Light was initially not available for Windows XP, but I am now proud to say: Tuersteher Light runs under Windows XP.

Tuersteher prevents your system from executing untrusted executables using a so-called whitelisting approach. Just specify which files/paths are okay and which files/paths are not, and the magical pixie dust behind Tuersteher manages to block any attempt to pass by. Whitelisting is a well-known technique and is already built into the business versions of Microsoft Windows. Bad news for the ordinary user, because such techniques are only available in the supreme Ultimate editions of Windows (e.g. AppLocker), which most users do not buy and use -- even worse: Windows XP never ever supported whitelisting out of the box.

I wrote lots of kernel drivers back in the day to detect, analyze, protect against and mitigate the ordinary malware out there. Once upon a time I decided to program a simple-to-use driver for the ordinary Windows user. One of many solutions was Tuersteher Light. It is an AppLocker-like, path-based minifilter driver that enables you to specify from which paths Windows is allowed to start executables. You are also able to define bad paths you do not want any executable started from, and thus blacklist them. From a blacklisted path even Windows itself is not able to start an executable file.

For example, you can whitelist "c:\WINDOWS" and "c:\Program files" and blacklist paths like your browser's cache "..\Temporary Internet Files\" etc. By simply disallowing everything except "c:\WINDOWS\" and your trusted program file paths you will mitigate many attacks out there without an overly complicated configuration.

Tuersteher Light is a helping hand, mitigating ordinary attack vectors and supporting you in operating Windows XP a bit more securely these days. But keep in mind: Tuersteher Light will not protect you from all possible attacks; especially transient in-memory attacks will not be caught - but these attacks are hardly detectable by the vast majority of protection tools out there, and most of those tools are very expensive. If you need additional information on what Tuersteher Light is able to mitigate and what not, contact me.

In general: do not get reckless when running Tuersteher Light on your XP box! You are still using an old and outdated operating system, so no time to get cocky. As I said, use it as a helping hand and get yourself updated soon.

I had no time to fully test the driver, so any feedback is welcome. If you find Tuersteher Light helpful and if it saved your ass, any donation or just a thank you is highly appreciated. I spent a lot of time on my drivers, so any sign of life and feedback is welcome.

By the way: If you are interested in my other protection drivers or customized versions of my drivers feel free and contact me, too. For example, Tuersteher Light's Big Brother is Tuersteher, my heavy weight champion that mitigates against many more attacks. This driver is not published as a free download here, so for more details and consulting, please send an inquiry to info (at) bitnuts.de.

You can download Tuersteher Light For XP here: tuersteher_light_xp.zip

Update: Due to some architectural changes I had to adjust the driver for Windows XP again for stability reasons. The new version should now work better and pesky BSoDs should be avoided. Thanks to Gerard and Razone for your helpful feedback!


DoS-Attacks on bitnuts.de

2014/05/18 by Flo

It seems that some jerks tried to DoS-attack bitnuts.de during the last days. Well guys, I am sorry to say: nice try, but the servers and network did not go down. As far as I can see, what you were interested in was to shut down access to KernelBasedMonitoring.pdf and Türsteher. Why? Are you suckers afraid of people trying to build their own protection systems or to protect their Windows-based PCs? :-D My PDF and tools are out in the wild and you cannot stop them by just firing on bitnuts.de.

I will now make arrangements that my PDF and tools will be scattered to the four winds, and if you try to shut me down the hard way, I guarantee you will reap what you suckers sow.


Managing file downloads without a bulky cloud framework

2014/05/14 by Flo

From time to time I upload files onto my web space to share with family and friends. This practice is far from being convenient, because I cannot restrict access to such files without managing complicated access rules on the server, nor restrict access to a defined period of time (e.g. 7 days) or limit the total number of downloads (e.g. 10 downloads).

Well, I know there already exist services like Google Drive or Dropbox, and you can easily share files using them, but I do not want my files stored on foreign servers. Since sharing CDs or USB sticks is no option, the only solution for me is to run my own file sharing server, for example something like pydio (http://pyd.io). Well, such systems seem a bit over-engineered for purely infrequent private usage. However, pydio showed me a smart idea: it supports sharing files where each public share comes with its own PHP script that manages access, download limits etc.

So I started to write a generic download PHP script that does exactly the same, without the huge framework of an AJAX-driven cloudy file server. All you need is web space that supports PHP scripts. You can use my PHP template and adjust parameters like the welcome message, the filename and, if needed, a password, a download expiration date and a download-limiting counter. That's it: save it on your server (e.g. use a base64-encoded short filename) and share the link to the file with your buddies.

The advantage of this approach is that you need no big cloud framework to share files comfortably -- with a short link, password-restricted and/or with a limited number of downloads. All you need is PHP, no database, no AJAX. That's kind of cool. You can download the script here: http://bitnuts.de/aGVsbG9mb2xrcw.php.

If you find any bugs, have comments or questions, feel free and contact me.


Malware: Do Not Forget About The Simple Stuff

2014/04/07 by Flo

I recently received a spam message containing yet another pseudo-invoice. But this time it wasn't the well-known infected PDF invoice hoping that I use an outdated PDF viewer, nor was it a Word or Excel document exploiting Microsoft Office. It was a plain malware executable attached to the e-mail, without even trying to trick me by using two extensions (for example .doc.exe or .pdf.exe). Neither the mail server's anti-virus nor my local one caught it on the first run. While we see attacks that are increasingly sophisticated and protection systems fully armed with heuristics and an armada of mitigations, the simple stuff sneaks past like wind through a gap in the door, even if the door is protected by state-of-the-art locks.

Have a look at the e-mail:

Good day,

Attached to this e-mail we send you your current invoice for the
month of April.

The outstanding amount is to be transferred to our account within
10 days.


Kind regards
Your Saragov AG

---
1 attachment: Rechnung-April.exe

The text was kept simple and the name of the attachment was short, too. It seems that the originator did not try to confuse its target. Besides some minor typing errors the mail itself looks okay, but I still wonder why the executable was attached without even trying to hoodwink the user. While IT professionals are talking about next-generation threats, it seems that there are enough people out there who can be tricked by an ordinary executable attached to an e-mail.

Because attackers are profit-oriented today, they definitely make a profit out of such a campaign, or they would not start it. What do we learn from this? Sophisticated attacks are very interesting for us hackers and IT pros, but we should not forget about the simple stuff...


Some minor changes on my blog

2014/04/05 by Flo

Hi folks! I just made some minor changes to my blog: moved my 2013 posts to the archive, changed the font to a web font and migrated the whole web server. You should not have noticed the technical changes (hopefully), but if you did, please let me know about it so I can fix broken links or other issues.

I am currently experimenting with a Raspberry Pi, so stay tuned: I will post something about my first Raspi project here in a little while...


Uroburos - An alleged intelligence agency espionage rootkit

2014/03/03 by Flo

Security experts at G Data have analyzed a very complex and sophisticated espionage rootkit that was able to steal confidential files and capture network traffic. G Data calls the rootkit Uroburos, as they say:

G Data refers to it as Uroburos, in correspondence with a string found in the malware's code and following an ancient symbol depicting a serpent or dragon eating its own tail.

Ouroboros by Zonk

The analyzed malware was highly flexible and able to set up some kind of p2p network inside the corporate network it targets; hence it was able to steal information and exfiltrate it to the Internet, although not all infected machines had to be connected to the Internet. It was enough that one machine was connected to the Internet, because the gathered information went through that machine. The overall complexity of the malware suggests some connection to an intelligence agency.

For more information and a detailed description read the following paper: GData_Uroburos_RedPaper_EN_v1.pdf


Analyzing URLs from urlquery.net

2014/03/03 by Flo

You might have noticed that I have built a lot of Windows kernel mode drivers that are able to monitor Windows-based systems for suspicious executables. Because I am not employed at an anti-virus lab, nor have direct access to lists of sites that spread malware through exploit kits, my knowledge depends on publicly available information and links. Over the years I have collected lots of IP addresses and URLs of toxic web sites and servers that are known as 'bad'. To build my collection, one of my sources was and is urlquery.net, because it often gives you potentially toxic URLs at an early stage, before the doors are closed through enforcement actions.

Extracting URLs from web pages like urlquery.net by hand is time-consuming and not really elegant. That is where scripting comes in, and thus I would like to feature my tiny script used to extract URLs from www.urlquery.net. The following package contains the .cmd scripts and GnuWin utilities (http://gnuwin32.sourceforge.net/).

Always keep in mind that URLs extracted from urlquery.net might be dangerous and lead to your system being infected by malware. So take care when using these URLs. Do not open or call them from a production system; I highly recommend using these URLs on honeypot and sandbox systems only. I am not responsible nor liable for any damages caused by using the scripts and the extracted content from urlquery.net.

If you have any questions, suggestions or other feedback feel free and contact me. You can download the script here: urlquerycollect.zip


Some thoughts on the people who are suddenly paranoid about WhatsApp these days

2014/02/28 by Flo

OMG! Have you seen all these articles, twitter and facebook posts on alternative messenger apps for your smart phone? Well, since facebook acquired WhatsApp there is some kind of anti-WhatsApp movement on the Web. Newspapers, online magazines, blogs etc. all zero in on how to leave WhatsApp and start messaging with one of the supposedly secure messengers featured in the App Stores out there.

I see the masses hastily saying goodbye to WhatsApp and hello to allegedly secure messaging services like Threema, Telegram etc. Well, strangely enough, most of these newborn anti-WhatsApp privacy freaks are seen on facebook, twitter, instagram and God knows where else. Of course, with their real names and wide-open profiles. These jerks could easily be found and "stalked" by your neighbour's Dachshund Puppydappy, just by entering their real names into Google's search box and getting hits all over the place on common social networks. What a silly fuss.

WhatsApp is not secure today, nor was it in the past. Their protocol was hacked several times and everybody knew (or should have known) that WhatsApp does not support end-to-end encryption. Nothing new - good morning. By the way: most social apps and services do not.

Just because all these WhatsApp competitors come up with terms such as AES, SHA-256, RSA and ECC crypto, most of them are not better or safer than WhatsApp. Most of the currently hyped apps are closed source, use proprietary crypto protocols etc. And most important: who are these companies? Who sits behind them? Who pays their bills? Why should I entrust my feelings, pictures, videos and voice messages to some backyard programmers just claiming and buzzword-shouting that they are secure? Is there any proof that their code is free of bugs or flaws?

Regarding all this Snowden stuff last year: nobody left facebook, Google, WhatsApp, twitter, Yahoo, Hotmail etc., although there would have been lots of reasons, just on spec. Nobody left, nobody 'invented' a competing service. But when facebook acquires WhatsApp for about 19 billion, everybody seems to freak out and panic, talks about privacy and acts like a security expert. What is wrong with you guys? You should have taken care long before facebook acquired WhatsApp! And you should not just take care with WhatsApp; you should whenever you use IT these days.

My personal recommendation: calm down and think globally about IT security, privacy and freedom of speech, instead of acting like a herd-driven lemming.


Building a totally locked down Windows for POS-, ATM- and kiosk-mode-Environments

2014/01/21 by Flo

During my winter holidays I was working on Türsteher and brought its drivers to full Windows 8.1 support (incl. x64 support). I also tweaked and optimized the driver and did a lot of stress testing on a Windows 8.1 box. While performing boring driver testing, the following idea came to my mind:

"On kernel level: Is it achievable to limit access to executable code to an absolute minimum, so that only a limited set of executables is loaded and allowed to run?"

Meaning: you are able to boot up Windows and run, for example, only Notepad and a browser - nothing else. And "nothing else" means absolutely nothing -- not even a driver or any additional module after you've started up the machine.

If this is possible, one is able to protect a kiosk-mode Windows environment beyond guest accounts, special lock-down GPOs or other third-party applications. Hence such an approach provides additional security and mitigation against attacks on such environments. Currently most of these kiosk-mode environments are protected by simple mitigations that just check that only allowed executables are running, or limit access to Explorer and its "execute as..." dialog, hide the Task Manager, Start menu or taskbar etc. Indeed, blocking all executables except the whitelisted ones is some sort of protection at application/desktop level, but this is not a defence-in-depth approach. Most available kiosk-mode environments do not block all the background binaries (DLLs, drivers, etc.) that e.g. get fired up if a user plugs in a USB device or that load additional DLLs for plug-ins etc., nor are they able to detect that some sort of exploit manages to execute a library.

Well, I began to adjust Türsteher's kernel mode driver a little bit, so that it logs and measures out the minimum set of executables needed to successfully boot up and run my pre-configured Windows 8.1. That proof-of-concept kiosk-mode Windows should only allow running Notepad, the Calculator and Google's Chrome. And by "only allow" I mean that only the vital system binaries can be executed, plus only the application modules that are needed to run the named applications.

In the end I had a list of about 800 executable files (drivers, exe, ocx, dll, ...) that must at least be available to Windows to boot up, log on and run the intended applications noted above. I made Türsteher real-time-check this set of executable binaries and ensure that those files are loaded correctly into system memory.

Impossible?! Nope! My proof of concept is able to boot up Windows with a minimum set of executables and take care that only Notepad, Calculator and Chrome are running on the system -- and even more: that all executable code loaded is trustworthy. Even if ~800 files sounds like a huge number, it is still little compared to all the executables stored on a typical installation of Windows (even if your subject is a lovely vanilla installation of Windows).

Well, and what is it good for? Security! As I said some lines above: if you set up a locked-down Windows in a kiosk-mode environment, it is still possible for attackers to start up libraries or executables through a bug in the permitted applications. How many of the sheer mass of executables on your currently running Windows box are really needed by a POS, ATM or kiosk-mode environment, where you already limit access to executables/applications through GPOs and the like? You will come to the conclusion: not that many. So why should you allow such files to execute, even by accident (or through an exploit that utilizes them to start)? It is better to lock out everything that is not needed, and this is what I did with Türsteher: limit things to the absolute minimum.

Do not get me wrong: GPOs and lock-down applications for POS, ATM and kiosk-mode environments are great mitigation techniques to protect them, but together with a whitelisting approach like Türsteher, which limits the attack surface to an absolute minimum of really needed executable code, it is possible to protect your POS, ATM or other kiosk-mode environment even better.

I tested Türsteher on several POS and kiosk environments, but my resources are limited. So, if you are interested in protecting or locking down your Windows-based POS, ATM or kiosk-mode environment, feel free to contact me to set up Türsteher for your needs (I have more than 20 years of experience in the field of Microsoft Windows, and about 8 years of experience in Microsoft Windows kernel development; I know how to set things up and give you a helping hand). The basic driver runs under the 32-bit/64-bit versions of Windows XP, Vista, 7, 8 and 8.1. The driver is also able to run under Microsoft Windows Server editions. If you are interested, do not hesitate and fire an e-mail to me.

Additional note: Türsteher is not Türsteher Light, so you cannot transfer the results from my Türsteher research PoC to Türsteher Light, because Türsteher internally works with signatures and not with paths like Türsteher Light does.


Türsteher Light Update

2014/01/07 by Flo

Well, I just want to announce that I updated the package of Türsteher Light. During my winter holidays I cleaned up and optimized the driver a bit. The bundle now contains binaries for Windows 7, 8 and 8.1. If you want binaries for older versions of Windows, contact me.

Download Türsteher Light here: tuersteher_light.zip