Archive for May, 2009

May Supermondays Presentation – Video Evidence

2009/05/29 1 comment

I jumped the gun slightly when I said previously that there was no recording of my talk, the camera managed to catch the first 2+ minutes of the presentation. Just enough time for a brief overview of the intention behind honeypot systems. Direct Link.

The rest of the Super Mondays event was recorded more successfully. Check it out here for the official write-up and event videos. Well worth a look.

Andrew Waite

May SuperMondays Presentation: The Aftermath

2009/05/27 1 comment

I had a really enjoyable night at last night’s SuperMondays event.

Some of the innovative uses for technology on display from Newcastle University provided a great glimpse of where we could be heading in the future towards ubiquitous computing. Of special interest were the research being undertaken with surface computing, which seems to have taken centre stage of new technologies recently, although unfortunately the expected MS Surface device wasn’t available at the last minute.

I also liked the work being done by the Ambient Kitchen project. While the technology is still in it’s early stages it is easy to see how this technology could be a part of every day life. With the focus the group has on providing assistance and support to people with cognitive difficulties the fruits of the project could go a long way to genuinely improving people’s lives. It makes a nice change to see new technology being developed for a real, useful purpose rather than the usual, ‘we can, it’s cool, why not’ approach to some tech development.

Linked with these new technologies Patrick Oliver and Jayne Wallace demo’d and talked about some of their work with developing cultural and meaningful technologies. One example was a twinned pair of necklaces which allowed the wearers to communicate some acts of distance, for example holding one pendant would cause the other to vibrate. As wireless communications become more pervasive I can envision similar technologies becoming more subtle and common place. Despite my initial perception of the topic as being ‘arty’ and not really that useful, I enjoyed the presentation and can see some valid and quite exciting uses for this technology in the future.

The event finished with a change of pace, with me presenting about my experience with using honeypot systems and hopefully convincing others that the system are valid additions to any network, and are good fun in the process. From my perspective I feel that the presentation went well, although I blew through the material a bit rapidly. I was genuinely relieved and thrilled with the amount of questions and discussion that was generated at the end of my presentation.

Unfortunately I believe that there isn’t a recording of this presentation, as is customary with SuperMondays talks, as the video camera decided to flatten it’s battery just before I started. As a compromise I’ve posted my slide-deck from the presentation. Hopefully people may find this useful, I’m always open to questions or discussions so please let me know your thoughts.

Bottom line from all this? SuperMondays is a blast, if you’re in the area and haven’t been along yet, why not? I’m definitely going to make more of an effort to ensure I’m available for future events, see you all there next time.
Andrew Waite

Categories: Nepenthes, SuperMondays, VMware

Cheat Sheets

OK, so we’d all like to be 1337 and know everything without missing a beat, but for mere mortals like myself I find that impossible so I’m a fan of the various cheat sheets that people and organisations put out for succinct, to the point memory joggers.

I’ve got links to these scattered in various places and I’ve been meaning to get them organised in single location for a while, Lenny Zeltser’s recent tweet (@lennyzeltser) pointing out a couple of new resources gave me a reminder that this has been on my to-do list for too long, so here goes:

  • Security By Default – Nmap 5
  • Counterhack – Permission Memo (OK, not strictly a cheat sheet, but still a handy template/guide)

If you’ve got some resources I’ve missed, then please feel free to share.

Likewise, if you created one of the linked to resources and don’t want the link here, just let me know and I’ll remove it. These resources have saved my bacon on numerous occasions so I definitely don’t want to be stepping on anyone’s toes.

Andrew Waite

Categories: InfoSec, Tool-Kit

Random Malware Analysis

2009/05/22 1 comment

Having recently been left with several hours to kill with nothing but a laptop and my virtual lab I thought I’d try my hand at some rudimentary malware analysis. For a random live sample I selected the most recent submission to my Nepenthes Server.

$ tail -n1 /opt/nepenthes/var/log/logged_submissions
[2009-05-21T19:10:59] -> creceive:// 93715cfc2fbb07c0482c51e02809b937

To start with I wanted to get an idea of what I was dealing with, so I passed the file’s hash to VirusTotal’s Hash Search utility; and promptly found that VirusTotal had no knowledge of this particular hash. Means we could be dealing with a completely new malware strain or variant! or more likely a polymorphic binary creating a unique file signature…

The question was promptly answered when transferring the binary to my analysis machine by AVG, ‘Threat detected: worm/Allaple.b’. Not wanting to take the word of a single AV vendor I proceeded to upload the binary itself to VirusTotal (have I mentioned I like VirusTotal yet?). Sure enough most AV engines agree with AVG’s analysis although there was some dissention over which version of Allaple the sample was. Most AV engines (37/40) flagged file as malicious (Comodo, nProtect and PrevX gave the binary a clean bill of health.)

Beginning with some static analysis, the ‘strings’ utility is always a safe place to start. As I’m using a Windows platform for this analysis I use the SysInternals strings binary. This revealed little, other than confirming the binary is a windows executable (usual ‘!This program cannot be run in DOS mode.’ string) and a reference to Kernal32.dll and some function names (FindFirstVolumeW, GetShortPathNameA, GetConsoleAliasesLengthW, AddConsoleAliasA, GetModuleHandleW, CreateProcessA, GetUserDefaultUILanguage, LocalReAlloc, SetHandleInformation, SetConsoleCursorInfo).

As there was limited information available from a plaintext strings search my next step was to see if the binary had been packed. For this I used PEiD utility, PEiD initially stated that there was ‘Nothing Detected’ although the entropy found within the file (7.93) caused PEiD to suggest that the binary had indeed been packed.

With some basic static analysis undertaken (this could/should have been taken further but my RE/assembly-fu is a bit rusty, especially at 3am) I changed tact and went with some initial behavioural analysis. For an initial run I utilised iDefense’s SysAnalzer tool written by David Zimmer. SysAnalyzer is a great utility for automating behavioural analysis and capturing system changes, from it’s download page:

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states.
SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system.

The tool snapshots (not to be confused with VM snapshots) the state of the system, runs a given binary, then snapshots the system after execution before comparing the two snapshots. This can provide some detailed, succinct information to an analyst, but may miss any dynamic and temporary system changes. One weakness (or strength, depending on your perspective) that SysAnalyzer has is that it does not sandbox the malicious binary from the analysis system. Meaning that if the binary is destructive it *will* hose the system it is being analysed on, obviously if you’re utilising virtualisation and snapshop functionality this shouldn’t be an issue.

On starting the analysis, the malicious executable promptly errored (usual Windows’ ‘executable has failed, please send all information to Microsoft’ type pop-up) and SysAnalysis stated that the system was unchanged by the binary. Well that was disappointing, possible some form of VM detection causing the malware to shut down?

Not to be denied, I re-ran the process: Again the executable crashed with Microsoft’s pop-up, but this time SysAnalysis saw some system changes, from API and registry calls to the creation of new processes. However on further analysis the new processes and files were all only related to the DWWIN.exe executable which, as explained here, is part of Windows itself and is the cause of the pop-ups discussed above.

One aspect that may be causing the binary to lock up is that it is isolated from the network. From experience some malware will perform an initial lookup to an external resource, if the code can’t access said resource the malware assumes it is on a closed system and shuts down. To test this theory I re-ran the executable (this time manually, without the SysAnalysis utility) with Wireshark sniffing all network interfaces. As expected the binary crashed with the same error pop-up, reviewing the wireshark capture no traffic was generated outbound to any resource from the infected host.

Another possible reason for malware to refuse to run is newer VM detection techniques. However no evidence of this is present in the API calls captured by SysAnalysis, nor can I find any reference to VM detection capabilities present within the Allaple family from a search of the web. Ideally to test this theory the malware would be executed on a natively installed OS to bypass any potential VM detection. Unfortunately at this stage I do not have resources available to sacrifice a physical machine in this manner, so analysis must stop here.

One final possibility is simply that the binary is defective, just because the malware is spreading does not necessarily mean that the payload delivered upon exploitation is fully functional. It is not uncommon to have one malware strain being propogated by an entirely different strain. This is rapidly becoming more prevelant as ‘cybercrime’ (I hate that phrase) matures with the recent emergence of crimeware-as-a-service.

What-ever the reason for the binary failing to have any perceivable impact on the system, the behaviour that has been observed during this sample’s execution does not match that which is expected from other analysis of the Allaple.b malware strain. Sophos’ analysis for example, states that upon infection Allabple.b will:

  • When first run W32/Allaple-B copies itself to [system]\urdvxc.exe.
  • The W32/Allaple-B is registered as a COM object.
  • W32/Allaple-B installs itself as a service with the name “MSWindows”.

No evidence of this behaviour has been seen during analysis, nor are any of the changes present on the system post infection. This is a good example of why there isn’t always a need to panic when AV picks up a malicious item. Until the infection has been analysed in more depth there is no way of knowing how scary the compromise and infection is.

Andrew Waite

May SuperMondays (on a Tuesday)

For those that don’t know I’m scheduled to give a presentation at the upcoming Super Mondays meeting next week. The topic of the presentation is malware honeypots, and is based as a follow up to my original Honeypotting with Nepenthes, and I’m hoping to discuss some statistics generated by my script from my honeypot logs.

The session will begin with a demonstration of some new technologies, including ambient kitchens and surface computers. Following this will be a presentation on cultural technology and HCI by Patrick Oliver and a presentation of meaningful technology and her work on digital jewellery by Jayne Wallace, before ending the night with my presentation.

Tickets are free and going fast so register now to reserve your place, event registration.

It is shaping up to be a good night, so look forward to seeing you all there.

Andrew Waite

Categories: Nepenthes, SuperMondays

Phorm e-Petition Response

2009/05/19 Comments off

Quick heads up to anyone following the Phorm/privacy debates: The government’s response to an e-petition to ask the government to stop ISP’s from breaching privacy laws has been released.

The full response can be read here, it’s fairly short so I won’t go into too much detail, but I’m glad to see the government is taking this seriously and not passing the buck to the ICO (the ICOs view):

ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions. However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology. They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.

“Thank you for bringing this to our attention; your concerns are very important to us; your concern will be answered shortly…”

Andrew Waite

Categories: Legal, Privacy

Several days of playing working with the raw data and a couple of intermediate scripts (csv & mysql) have paid off. I’m now ready to release the first version of Infosanity‘s Nepenthes log parser.

This utility is substantially larger than my previous two releases (although still small) so I’ll not include source code here, head to Infosanity for the file. Usage is fairly simple, read logged_submissions file into stdin and let the script do it’s job.

Statistics are quite general at this stage, mainly compiling overall statistics from the log file including:

  • Total number of submissions
  • Number of unique malware samples (based on MD5 hashes)
  • Number of unique source IPs
  • Run time
  • Average daily submissions
  • Five most recent submissions

By default the script outputs plaintext to standard out, but this can be changed to HTML via the –output=html commandline flags.

I’m going to hold back releasing any example output from my own servers as I wanted to generate the statistics for use in an upcoming presentation I’m giving for local group Super Mondays. If you’re free and in the area (Newcastle, UK) on May 26th please stop by for the event and to say hi.

If you’re running a Nepenthes server I’d appreciate any feedback or issues running the script. I’m still looking to flesh the system’s capabilities out, so any suggestions/requests for additional features or statistics would be appreciated (contact(no-spam)[at]infosanity[dot]co[dot]uk ).

Andrew Waite

N.B. The latest versions of all Infosanity tools related to statistic generation for Nepenthes can be found here.

Categories: Nepenthes, Python