welcome to
www.bitnuts.de


The private web page of Florian Rienhardt - IT security researcher, Windows (kernel) hacker, nerdy gadget geek.

Do hackers already know your password?

2017/09/10 by Flo

Well, if you read IT-Sec related press you stumble from one breach into the next. In many cases the hacks are not as sophisticated as one might think. Besides attacks originating from trojans placed through weaponized e-mail attachments, a lot of IT breaches have their origins in simple attacks where the hackers just got into a corporate IT network through weak login credentials.

Over the past few years I have set up some honeypot machines to better understand how attackers work and how they penetrate networks. I have logged a lot of information about attacks against my fake IoT devices, CMS and web servers and gained a lot of insight into one major attack vector out there.

Well, it is not malware. It is just password guessing and brute forcing. Yes, it is that simple. There are hundreds of bots out there that do nothing but attack servers and common content management systems by brute forcing well-known user names and passwords.

With the knowledge collected I have decided to implement an online password breach check. You can check whether your password is already known to attackers on the web. You can try my password hash checker here; it simply calculates the hash of your password and checks it against a list of well-known and often used password hashes. I do not collect your password in plain text. First your password is transformed to lowercase, then a SHA-256 hash value is calculated in your web browser and sent to my service interface. If the password's hash is known, the service returns “found”; if not, it returns “not found”. I do not collect the posted hashes, they are processed in memory and not stored in any log.

What is this service good for? Well, it can help you avoid passwords that are already leaked, i.e. already in the wild and used by hackers in brute forcing campaigns. If your password is found in the list you should change it as soon as possible.

How to choose secure passwords

Imagine a rhyme or phrase you always remember. You can directly use the whole rhyme or sentence or just the first letters of the words. Imagine your own rhyme or phrase, do not re-use a song or poem.

Exchange some of the letters using special characters or numbers like $%*[]731586.

Example:

Deine Reime haben sich unauflösbar wie Webfehler in nem Teppich verstrickt
Du googelst nach Lösungen, aber es kommen nur Web-Fehler, denn du hast dich verklickt

This rhyme can be transformed into:
DrhsuwWinTvdgnL,aeknW,ddhdv

You can make it even more complicated:
[|>rhsuwW!nTvdgnL,aeknW,ddhdv]

Just be creative.

Passwords: What you should not do

  • Do not reuse your passwords across different providers, i.e. do not use just one password for all of your different accounts
  • Do not use words that can be found in any dictionary
  • Do not use your pet’s name, your current or previous addresses, names of family members or friends, or loved belongings
  • Do not use your birthday, telephone or social security numbers as passwords
  • Do not use patterns on the keyboard like qwerty123, asdfg, 1234567, etc.

Passwords: What you should do

  • Reduce the number of accounts, always try to use a web service without subscribing
  • Make use of a password safe like KeePass, and then make use of strong passwords with high entropy
  • Make use of additional e-mail addresses you only use for newsletters and on not so trustworthy web-pages
  • If it is offered, make use of multi-factor authentication

Bypassing script filtering in firewall appliance solutions

2017/08/03 by Flo

In professional environments appliance web proxy firewalls are state of the art to protect PCs from malicious content. Depending on the level of mitigation, some of these appliance solutions filter out all active content like Flash and scripting code from the HTML content transferred.

While reading a course on SVG I stumbled upon the scripting support of SVG, and then an idea came to my mind: Well, if SVG is interpreted as HTML code in modern browsers, and SVG also supports active content using JavaScript, why not use it to bypass script filtering. As you might already assume: it seems that some vendors lack filtering of scripts in SVG, so it could be possible to inject evil code into protected systems by just using SVG and forcing a target to open such an image, e.g. through a watering-hole attack. Some of these appliance solutions perfectly filter out scripting code from HTML, but fail to do so with SVG.

I do not want to publish a list of vulnerable manufacturers, you can try it yourself. I have created a JavaScript SVG PoC, which you can try to open from within your protected environment and instantly see if active code still gets executed - even if e.g. JavaScript usually gets filtered out by your firewall appliance. The PoC shows a smiley; if you click onto the image, the embedded JavaScript performs an AJAX call to my server and returns a message shown below the smiley.
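The filtering gap described above, from the defender's side: an added example (not the page's PoC and not any vendor's filter) of the check a content filter or log pipeline could apply to SVG documents, flagging script elements and event handler attributes the same way HTML is already treated. Plain regular expressions are used so it runs without an XML parser; the sample SVG documents are constructed.

```javascript
// Added example, not code from the page. SVG is XML and can carry active
// content just like HTML, so a filter that strips <script> from HTML must
// apply the same policy to SVG or the protection is incomplete.

// The two places script usually hides in an SVG document.
const SCRIPT_ELEMENT = /<\s*script\b/i;        // <script> ... </script>
const EVENT_ATTRIBUTE = /\s(on[a-z]+)\s*=/i;   // onload="...", onclick="..."

// Return a list of findings; an empty list means no active content was seen.
function findActiveContent(svgText) {
  const findings = [];
  if (SCRIPT_ELEMENT.test(svgText)) findings.push("script element");
  const ev = svgText.match(EVENT_ATTRIBUTE);
  if (ev) findings.push(`event handler attribute ${ev[1].toLowerCase()}`);
  return findings;
}

// Policy the post argues for: SVG with active content gets the same
// treatment as HTML with active content (block or strip, never pass).
function isSafeSvg(svgText) {
  return findActiveContent(svgText).length === 0;
}

// Constructed samples: a plain drawing and one carrying a script element.
const PLAIN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>';
const SCRIPTED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/>' +
  '<script>console.log("active")</script></svg>';
```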

If you have any questions, please do not hesitate and contact me.


File-Schizophren in ZIP/HTA

2017/06/28 by Flo

There was a presentation by Ange Albertini and Gynvael Coldwind back in 2014 discussing schizophrenic files. What is meant by a schizophrenic file? Well, in short: you have one file and this file can be opened and processed correctly by at least two different tools. I stumbled upon a zip-compressed file which contains a .hta file. This file can be successfully opened by any ZIP tool, but also opens successfully with mshta.exe. The example file I was analyzing was yet another malware dropper, as you can see in the following screenshot:

a zipped HTA file schizophren example


Phishing-Mails targeting Amazon Seller Central

2017/06/12 by Flo

There is an Amazon Seller Central phishing mail scam/spam campaign ongoing. The cyber crooks send complaint e-mails containing an attachment which imitates Amazon's German Seller Central page. Do not open such attachments, and please do not enter your username and password into the scam page which pops up if you have opened the attachment. It is a phishing page hunting for your Amazon credentials!

Amazon Seller Central Phishing Spam


cmd.exe shell code obfuscation using ^-characters

2017/06/11 by Flo

A while ago, I stumbled over some Word and Excel files containing malicious macros, which download and execute ransomware via the cmd.exe shell. Well, nothing really new; the fact that made me curious was that the cyber crooks utilized the command shell in a tricky way:

obfuscated cmd.exe shell

Instead of executing the commands in plain text, they used the ^-symbol to obfuscate their call to the PowerShell interpreter. If you remove the ^-symbols you quickly identify a well-known HTTP downloading technique often used by cyber criminals and seen in many malicious campaigns.
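Undoing the caret trick the way a log-analysis or sandbox step would, as an added example (not the page's own tooling): the cmd.exe escaping rules are applied to recover the real command line, and a caret-density heuristic flags lines worth a closer look. The sample command line is constructed (a harmless echo, not the downloader from the post).

```javascript
// Added example, not code from the page. cmd.exe rules applied here:
// outside double quotes "^" escapes the next character (so "^^" yields a
// literal "^") and a trailing "^" is a line continuation; inside double
// quotes "^" is kept as-is.
function decaret(cmdLine) {
  let out = "";
  let inQuotes = false;
  for (let i = 0; i < cmdLine.length; i++) {
    const ch = cmdLine[i];
    if (ch === '"') {
      inQuotes = !inQuotes;
      out += ch;
    } else if (ch === "^" && !inQuotes) {
      // take the escaped character literally; a trailing caret emits nothing
      if (i + 1 < cmdLine.length) out += cmdLine[++i];
    } else {
      out += ch;
    }
  }
  return out;
}

// Detection heuristic: legitimate command lines rarely contain more than a
// caret or two, so a high caret density is itself a signal worth alerting
// on, before the de-obfuscated line is matched against download patterns.
function caretDensity(cmdLine) {
  const carets = (cmdLine.match(/\^/g) || []).length;
  return cmdLine.length === 0 ? 0 : carets / cmdLine.length;
}

function isSuspiciouslyObfuscated(cmdLine, threshold = 0.1) {
  return caretDensity(cmdLine) >= threshold;
}

// Constructed sample in the style the post describes: letters of the
// commands are interleaved with carets; the quoted part must survive intact.
const SAMPLE = 'c^m^d /c e^c^h^o "keep ^ here" ^^done';
```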


Deutsche Telekom's Malware Warning Service

2017/05/28 by Flo

Well, as you might know, I do not just love to hack and implement kernel drivers, I also love to analyze malware samples. I have set up a dedicated analysis machine where I can install and track down a specific malware sample. I make heavy use of my drivers to log what such a malware sample does, but also have some special drivers for the networking stuff. It is great fun to see what a specific malware family is downloading and doing on an infected machine. I never expected that my online provider gives a damn about what I am doing, until I received a security warning notice:

Telekom Sicherheitswarnung (Telekom Security Warning)

Well, it is somehow a great service to warn customers and also to help keep the network clean from malware, especially from infected client machines which distribute spam and malware across the provider's own and other networks. But on the other hand I also feel a bit monitored. To run such a service you need to log all requests and compare them against a _list_. If this list just contains well-known malware domains this is okay, but it could easily be changed into a list containing domains of political parties or critical newspapers that someone thinks should be flagged red. But who is or will be the authority to manage this now and in the future?! Well, this could be a delicate matter. Right now I do not feel bad about it, but this could change very quickly if there is a new legal code telling network providers to flag this and that. The technology is right in place and working.

I am not a conspiracy theorist or paranoid, but this is something we should keep in mind. As an IT security guy I am happy to see that companies work against cyber crooks and help to mitigate malware campaigns, but it is also worth discussing the controversial stuff 😀. Amen.


Fake postal tracking messages and personalized invoices feat. Malware and JScript-Droppers

2017/04/18 by Flo

Recently, I have seen more and more professionally designed fake invoice e-mails coming in the name of well-known (big) German companies, namely DHL (German postal service) and Deutsche Telekom (German telecommunication provider). Both companies send e-mails to their customers which look fairly similar to the fake e-mails I have observed. I assume that the criminals behind these mails just used the "official e-mails" as a blueprint for their own campaigns.

Well, somehow this progression is obvious: In the past, such spam e-mails could be detected easily because of their bad design, bad spelling and grammar. But by using the official e-mails as a blueprint, such e-mails look genuine, and if one expects a message from such a company it is even more likely that users click on the links referenced in such mails. In addition, more and more spam e-mails are personalized, meaning that such an e-mail also opens with a proper greeting. In some cases the correct address and phone number are also referenced. For an unsuspecting user there is no reason for distrust.

The thing that should set off the alarm bells in your head is that the attachments or linked documents are still suspicious and odd. In most cases it is yet another invoice.pdf.js, or invoice.pdf.exe, or a link to a scripting (js, vbs) file, see the screenshots:

Fake DHL e-mail delivering ransomware
Fake Deutsche Telekom e-mail directing to malware download

I have also come across some samples where the faked messages contained a Word (.doc, .docx) or Excel (.xls, .xlsx) file containing a malicious macro. How can one tell them apart from an original e-mail now? Well, to be honest this can be a difficult task - even for experienced users - as the criminals improve. You need to dig deeper. Check the attachments more conscientiously, e.g. do you really expect an invoice or message from the provider? Does your provider really send attachments, or does the provider link to external resources (like DOCs or PDFs)? Conscientiously check such links: for example, hover over a link and look where it points. In the examples above I have highlighted such links. If a link goes to a strange external domain you should be highly alerted.

What else can you do? Well, I often recommend visiting the home page of the service/provider directly and checking the status or invoice there. In most cases companies have customer areas and ticket systems where you can directly check the status. You often do not need, and must not use, the links or attachments from an e-mail. Just see such e-mails as a trigger to check manually on the provider's/company's home page. Navigate directly to the page, do not use the link from the e-mail: type it by hand, or better use a bookmark if you visit the page frequently.


Some thoughts on CVE-2017-0199 and Application Whitelisting

2017/04/17 by Flo

As you might already know there is an Office Remote Code Execution Vulnerability (CVE-2017-0199) being actively exploited by cyber crooks. If you look at the incident from a more formal perspective there is nothing really new. Well, yet another exploit which leads to code execution. Hackers first exploit, then start some kind of malware-dropper to place and install the final malware executable onto your machine.

This again proves that any application whitelisting strategy proactively helps to mitigate attacks. Sure, there are still ways to bypass application whitelisting, but in most cases it dramatically reduces the risk of getting infected by the most common malware and exploits we see in the wild. If you deploy application whitelisting you do not have to mess around with all this ordinary malware. You can focus on the more sophisticated attacks, and that is what you should do! For example you can use Excubits' drivers like MZWriteScanner, MemProtect, and Pumpernickel to monitor your end-points for suspicious behavior and track down sophisticated exploits and attacks more easily by getting informed about executables dropped onto the machines, access attempts to unusual folders, or by checking command line parameters of started executables. But you do not need to install such expert tools: Sysinternals' free kit of tiny helpers and the powerful Windows Event Log are also beneficial and great tools to monitor what is going on.

Application whitelisting in combination with consistent monitoring can help a lot to counter the threats we see. You can make use of dedicated tools, but you can also just use AppLocker, GPOs and the Event Log. Well, the most important thing here is not what to use, or to start a battle on who or what solution is better. Just get up and start doing it.

As noted above, this applies not just to the ordinary malware droppers coming as fake pdf.exe or as JS or VBS scripting files, but also to the more sophisticated ones. I am seeing a lot of malware campaigns featuring malware executables that are changed really quickly; the result is that most anti-virus solutions fail to detect them, and that is a big problem. On VirusTotal and other static malware analysis frameworks I often see recognition rates of around 4/56. Relying on just an anti-virus, even if the AV supports cloud-based checks, heuristics and deep learning strategies, is not enough as of today. Having application whitelisting in place, plus doing comprehensive logging, brings significant value. If you fine-tune it with additional blacklisting, parent and command line scanning rules, you are well prepared; and by the way you have more time to focus on the really bad stuff instead of fighting yet another well-known ordinary attack again.


Magical increase of disk space after update

2017/04/16 by Flo

This one is just for the collection of curiosities. After patching my system I often start Windows' built-in cleanup service to free the space that service packs, patches and updates keep for roll-back and statistics. Well, the latest patch day was great, Windows was able to upgrade the capacity of my hard disk drive. Have a look:

Magical increase of space after update

Great, an additional 3.99 terabytes is really awesome, especially if your drive's maximum capacity was just 40 gigabytes. Thanks Microsoft 👏.


Turn your console into the MATRIX

2017/04/15 by Flo

Recently I stumbled upon this funny bash script to turn the console window into the MATRIX:

echo -e "\e[1;40m" ; clear ; while :; do echo $LINES $COLUMNS $(( $RANDOM % $COLUMNS)) $(( $RANDOM % 72 )) ;sleep 0.05; done|awk '{ letters="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$%^&*()"; c=$4; letter=substr(letters,c,1);a[$3]=0;for (x in a) {o=a[x];a[x]=a[x]+1; printf "\033[%s;%sH\033[2;32m%s",o,x,letter; printf "\033[%s;%sH\033[1;37m%s\033[0;0H",a[x],x,letter;if (a[x] >= $1) { a[x]=0; } }}'

That's pretty cool, isn't it?! 😎


Your dishwasher does not work?! Try to reset it.

2017/03/12 by Flo

In the last couple of months my dishwasher often started to hang while performing a dish washing program. It seemed that the washing program stopped the machine at some point before cleaning was properly finished. Just stopping and restarting the program often was the solution. Once, before a weekend, the machine finally got stuck in a pumping loop and did not start any dish washing program. At the first moment I was like “hey, it seems to be time for a new machine”, but then I remembered that the service technicians who tried to find a hardware failure some weeks before had pressed some weird combination of buttons, and then the dishwasher started to work again. So I started googling for technical information on my dishwasher's model and finally found some interesting information: that dishwasher model is well known. The company seems to struggle with some sort of (software) bug that leads the dishwashers to stop the program or get stuck in a pumping loop from which the machine cannot escape - even if you power down the machine. A solution is to run the self-test program; if everything is okay, the machine resets the board, which results in resetting the machine to factory settings.

So why not try this before buying a new one?! I pressed the magic button combination and voilà, the machine started to run the self-test program, which it passed. The internal board was set to factory settings, and the machine was running like nothing had happened before.

What have we learned from this? Well, a dishwasher is also just a computer, and like all computers they also have software bugs. So if it does not work and a technician cannot find any technical issue - like it was with my dishwasher - you should also take into consideration that this creepy thing just has a software problem. Just try to reset it, maybe that is all that was wrong. I guess that other home appliances also often just have a software problem and not a hardware issue. Please note: for safety reasons you must ensure that there really is no electrical/technical issue. If you are sure there is not, try to find a way to reset the machine; this might help like it did in my case. 🔧👾


USB Port Blocker Lock

2017/02/22 by Flo

I just stumbled upon this: a USB port blocker lock. Well, it will not protect against sophisticated attacks, but it can help on business trips, for PCs exposed to visitors etc., to reduce the risk that someone manages to quickly plug in an evil USB device.

Lindy USB Port Blocker Lock


How Backups can become a security risk

2017/01/26 by F. Rienhardt

We all know that we should make backups to be prepared in case cyber attacks, mistakes or hardware failures destroy our valued digital gems. So why am I talking about this here? Well, since yesterday I have detected a massive amount of scans for backup files across some of our web servers and the web sites of fellow security researchers I am connected with. It seems that someone is scanning for backup files on web servers; I encountered HTTP GET requests for the following filenames:

1.sql
1.sql.7z
1.sql.bz2
1.sql.gz
1.sql.rar
1.sql.tar
1.sql.tar.bz2
1.sql.tar.bzip2
1.sql.tar.gz
1.sql.tar.gzip
1.sql.tgz
1.sql.zip
backup.sql
backup.sql.7z
backup.sql.bz2
backup.sql.gz
backup.sql.rar
backup.sql.sql
backup.sql.tar
backup.sql.tar.bz2
backup.sql.tar.bzip2
backup.sql.tar.gz
backup.sql.tar.gzip
backup.sql.tgz
backup.sql.zip
data.sql
data.sql.7z
data.sql.bz2
data.sql.gz
data.sql.rar
data.sql.sql
data.sql.tar
data.sql.tar.bz2
data.sql.tar.bzip2
data.sql.tar.gz
data.sql.tar.gzip
data.sql.tgz
data.sql.zip
db.sql
db.sql.7z
db.sql.bz2
db.sql.gz
db.sql.rar
db.sql.sql
db.sql.tar
db.sql.tar.bz2
db.sql.tar.bzip2
db.sql.tar.gz
db.sql.tar.gzip
db.sql.tgz
db.sql.zip
db_backup.sql.rar
db_backup.sql.sql
db_backup.sql.tar
db_backup.sql.tar.gzip
dbadmin.sql
dbadmin.sql.7z
dbadmin.sql.bz2
dbadmin.sql.gz
dbadmin.sql.rar
dbadmin.sql.sql
dbadmin.sql.tar
dbadmin.sql.tar.bz2
dbadmin.sql.tar.bzip2
dbadmin.sql.tar.gz
dbadmin.sql.tar.gzip
dbadmin.sql.tgz
dbadmin.sql.zip
dbase.sql
dbase.sql.7z
dbase.sql.bz2
dbase.sql.gz
dbase.sql.rar
dbase.sql.sql
dbase.sql.tar
dbase.sql.tar.bz2
dbase.sql.tar.bzip2
dbase.sql.tar.gz
dbase.sql.tar.gzip
dbase.sql.tgz
dbase.sql.zip
dbdump.sql
dbdump.sql.7z
dbdump.sql.bz2
dbdump.sql.gz
dbdump.sql.rar
dbdump.sql.sql
dbdump.sql.tar
dbdump.sql.tar.bz2
dbdump.sql.tar.bzip2
dbdump.sql.tar.gz
dbdump.sql.tar.gzip
dbdump.sql.tgz
dbdump.sql.zip
dump.sql.7z
dump.sql.bz2
dump.sql.gz
dump.sql.rar
dump.sql.tar
dump.sql.tar.bz2
dump.sql.tar.bzip2
dump.sql.tar.gz
dump.sql.tar.gzip
dump.sql.tgz
dump.sql.zip
home.sql
home.sql.7z
home.sql.bz2
home.sql.gz
home.sql.rar
home.sql.sql
home.sql.tar
home.sql.tar.bz2
home.sql.tar.bzip2
home.sql.tar.gz
home.sql.tar.gzip
home.sql.tgz
home.sql.zip
mysql.7z
mysql.bz2
mysql.gz
mysql.rar
mysql.sql
mysql.sql.7z
mysql.sql.bz2
mysql.sql.gz
mysql.sql.rar
mysql.sql.tar
mysql.sql.tar.bz2
mysql.sql.tar.bzip2
mysql.sql.tar.gz
mysql.sql.tar.gzip
mysql.sql.tgz
mysql.sql.zip
mysql.tar
mysql.tar.bz2
mysql.tar.bzip2
mysql.tar.gz
mysql.tar.gzip
mysql.tgz
mysql.zip
public_html.sql
site.sql
site.sql.7z
site.sql.bz2
site.sql.gz
site.sql.rar
site.sql.tar
site.sql.tar.bz2
site.sql.tar.bzip2
site.sql.tar.gz
site.sql.tar.gzip
site.sql.tgz
site.sql.zip
sql.7z
sql.bz2
sql.gz
sql.rar
sql.sql
sql.sql.7z
sql.sql.bz2
sql.sql.gz
sql.sql.rar
sql.sql.tar
sql.sql.tar.bz2
sql.sql.tar.bzip2
sql.sql.tar.gz
sql.sql.tar.gzip
sql.sql.tgz
sql.sql.zip
sql.tar
sql.tar.bz2
sql.tar.bzip2
sql.tar.gz
sql.tar.gzip
sql.tgz
sql.zip
temp.sql
temp.sql.7z
temp.sql.bz2
temp.sql.gz
temp.sql.rar
temp.sql.tar
temp.sql.tar.bz2
temp.sql.tar.bzip2
temp.sql.tar.gz
temp.sql.tar.gzip
temp.sql.tgz
temp.sql.zip
upload.sql
upload.sql.7z
upload.sql.bz2
upload.sql.gz
upload.sql.rar
upload.sql.tar
upload.sql.tar.bz2
upload.sql.tar.gz
upload.sql.tar.gzip
upload.sql.tgz
upload.sql.zip
users.sql
users.sql.7z
users.sql.bz2
users.sql.gz
users.sql.rar
users.sql.tar
users.sql.tar.bz2
users.sql.tar.bzip2
users.sql.tar.gz
users.sql.tar.gzip
users.sql.tgz
users.sql.zip
web.sql
web.sql.7z
web.sql.bz2
web.sql.gz
web.sql.rar
web.sql.tar
web.sql.tar.bz2
web.sql.tar.bzip2
web.sql.tar.gz
web.sql.tar.gzip
web.sql.tgz
web.sql.zip
www.sql
www.sql.7z
www.sql.gz
www.sql.rar
www.sql.sql
www.sql.tar
www.sql.tar.bz2
www.sql.tar.bzip2
www.sql.tar.gz
www.sql.tar.gzip
www.sql.tgz
www.sql.zip

If you have any backups on your web servers using one of the names from above it might be too late: someone has probably already visited your server and probed for such files. You should check your access logs for more information.
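The access-log check suggested above, as an added example (not the page's own tooling): it scans combined-format access logs for requests to the backup filenames listed, generalising the list to any "<name>.sql" with one of the archive suffixes seen plus the bare "sql.<suffix>" and "mysql.<suffix>" forms, and reports per client whether any such request actually succeeded. The log lines and addresses are constructed.

```javascript
// Added example, not code from the page. Apache/nginx combined log format is
// assumed for the sample lines; addresses are documentation placeholders.

// Generalisation of the filename list from the post: optional "<name>."
// prefix, "sql", optional archive suffix; plus "mysql.<suffix>" archives.
const BACKUP_NAME =
  /^(?:[\w-]+\.)?sql(?:\.(?:7z|bz2|gz|rar|sql|tar(?:\.(?:bz2|bzip2|gz|gzip))?|tgz|zip))?$|^mysql\.(?:7z|bz2|gz|rar|tar(?:\.(?:bz2|bzip2|gz|gzip))?|tgz|zip)$/i;

// client - user [time] "METHOD path protocol" status ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, ip, time, method, path, status] = m;
  return { ip, time, method, path, status: Number(status) };
}

// Match on the last path segment, so a backup in a subdirectory is caught too.
function isBackupProbe(path) {
  const file = path.split("?")[0].split("/").pop();
  return BACKUP_NAME.test(file);
}

// Per client IP: how many backup names were probed, and which requests got a
// 2xx. A 404 means the scanner found nothing; a 2xx means the file existed
// and was served, which calls for incident response, not just a block rule.
function scanAccessLog(logText) {
  const report = new Map();
  for (const line of logText.split("\n")) {
    const req = parseLogLine(line);
    if (!req || !isBackupProbe(req.path)) continue;
    const entry = report.get(req.ip) || { probes: 0, served: [] };
    entry.probes += 1;
    if (req.status >= 200 && req.status < 300) entry.served.push(req.path);
    report.set(req.ip, entry);
  }
  return report;
}

// Constructed sample log: one scanner probing three names (one of them
// served successfully) and one ordinary visitor.
const SAMPLE_LOG = [
  '203.0.113.5 - - [26/Jan/2017:03:14:07 +0100] "GET /backup.sql HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [26/Jan/2017:03:14:08 +0100] "GET /db.sql.tar.gz HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [26/Jan/2017:03:14:09 +0100] "GET /dump.sql.zip HTTP/1.1" 200 58213 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [26/Jan/2017:03:15:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
].join("\n");
```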

What can I do?

Doing backups is great, so first of all, congratulations for creating a backup. But well, do not store any backup directly in the root directory of your web site; backups should not be accessible via an HTTP GET. It is recommended to store backups on a so-called cold backup site, meaning a system which is not connected to a network and only used for backups. If this is not possible, you should at least protect such backups in an encrypted container using a strong passphrase (25-30 characters with very good entropy). If a backup was created just for temporary reasons, delete it once you have finished your work and the backup is no longer needed.

Next steps

I expect more such attacks in the future, so keep an eye on your access logs, check the file system of your web site and ensure that temporary or backup files are not accessible from the internet. Ask yourself what information is critical and could be accessed directly through the internet: assume this information is at high risk and think about countermeasures.

I will have an eye on it and follow up to this post. Please share and make others aware of the problem.

This article was first posted on Excubits, but was moved to my private blog because I felt it was a bit off-topic there.