Archive

Archive for November, 2009

Expert speaker session at Northumbria University

Last week I had the pleasure of being asked to speak at Northumbria University, presenting to students of the Computer Forensics and Ethical Hacking for Computer Security programmes. As I graduated from Northumbria a few years ago it was interesting to come back to see some familiar faces and have a look at how the facilities had developed.

Despite the nerves of having to speak in front of a crowd I really enjoyed the event, especially as the other speakers were excellent and I enjoyed their sessions. The event kicked off with Dave Kennedy, a soon to retire member of Durham Police’s computer crime unit. Dave’s talked about his personal experience with a couple of high profile cases, explaining some of the groundwork and behind the scenes activity that isn’t known to the general public. I found the information interesting; but also disturbing, given the nature of the material that is handled by Dave and his department I can safely state that I wouldn’t want to have much experience in the area.

Next up was Phil Byrne, an internal auditor for HM Revenue and Customs (HMRC). For those that don’t know, HMRC were/are at the centre of one of the UK’s largest data loss stories in 2007 after CDs containing approximately 25 million child benefit records were sent, unencrypted, by standard post and did not reach their intended destination (some backstory here). Phil talked openly about the incident, discussing both the incident itself and the changes made in response. One of Phil’s comments has stayed with me (if I’m mis-quoting someone let me know):

If you put people into the process, something will go wrong at some time

Third to the stand was Gary Witts, owner of a manage services company specialising in on-line backups. The talk was very indepth and had some interesting content, but from my perspective I felt it was more of a sales pitch than a technical discussion of the secure backup’s place within a security standing.

I took the fourth and final slot of the day, which left me with the unenviable position of being between around 100 students and the pub, which didn’t help my usual rapid-fire presentation style. My presentation took a different focus from the previous sessions, discussing some of the real-world security incidents that can regularly be encountered, and some advice on handling the incidents in question. I also discussed my findings from honeypot systems, introducing a less common method for monitoring an environment for malicious activity. Assuming the feedback I’ve recieved is genuine the presentation seems to have been well-recieved.

From a student’s perspective; Tom was in the audience and has been writing up his take on the event in a series of blog postings. Tom also recorded the talks, for any one interested a direct link to my session is available here.

Andrew Waite

Advertisements

Rise of explo.it database

2009/11/17 Comments off

The team from Offensive Security have just announced the opening of explo.it (re-directs to exploits.offensive-security.com, just more memorable). The site is designed as a successor to milw0rm. If you’ve ever browsed the milw0rm site the layout will be instantly familiar.

I think this is great news for the infosec community, not only does the OffSec team always produce high quality output, but it helps provide some stability in the wake of milw0rms recent uncertainty.

At this point the site’s content volume is growing rapidly, when I looked this morning the archives exploits numbered around 9000, already it has reach 10000+, and a refresh of the front page has this number increase a good percentage of the time.

One feature of the site that I do like is a link (where available) to the vulnerable version of the application or code. I believe this will make testing much easier as it removes the need to trawl the web for an often unsupported and unavailable old version of an application. I really hope that this feature will become popular and all/most of the published exploits will link to a download location for retrieving the vulnerable code where possible.

Happy exploiting (in your lab, obviously)

Andrew Waite

Categories: Exploit, InfoSec, Tool-Kit

Article Review: Carving malware from memory

2009/11/17 Comments off

I’ve recently had the pleasure of talking with Leon van der Eijk which resulted in me getting the opportunity to review an article he had been working on. The focus of the article is to identify and collect malware samples from running processes within volatile memory. Given my predilection for malware collection and analysis Leon correctly guessed that I would enjoy the article, which does a great job of describing a method for collecting and analysing malware (and other files and processes) from RAM on a live Windows system

Leon’s method utilises Meterpreter’s memdump.rb script to collect the a snapshot of an infected system’s memory, then utilises Foremost to carve up the collected memory image into individual files which can then be analysed as normal. As the article has just been published today I won’t try to improve on the work already, but I would suggest giving it a read here.

My own forensics skills aren’t yet up to the level that I would like, but I was able to replicate Leon’s process relatively easily within my own lab environment, and without too many problems. This, along with my experience at Northumbria University last week (more later), has re-ignited my interest in improving my forensic skills, and has proved to me that some of the basic skills and techniques involved with the forensic process isn’t all black magic.

The article is definitely worth a read if you have an interest in either computer forensics and/or malware analysis. In case you missed it above, link to article: Carving malware from live memory. Keep up the good work Leon.

Andrew Waite

mimic-nepstats.py

As I discussed in my last post about Dionaea I am really impressed with the improvements to logging capabilities over Nepenthes. I’ve now had a Dionaea system online for ~24hours, which while it isn’t enough data to draw any meaningful statistics, it has provided enough data to work on some new tools. I had been intending to extend my Nepenthes tools to parse the logs and enter data into a database for additional and simpler analysis. This was promptly squashed with the migration to Dionaea, but the theory has proven to be a good one as Dionaea’s default logging to an SQLite database has made development much quicker and easier.

To get a feel for the new system, and to keep my capabilities up to speed, I’ve spent this evening writing a script to provide the same information for a Dionaea system that my Nepenthes statistics script provided previously. As usual, the script can be found over at InfoSanity, here. An initial set of results from my system is below for an example:

Statistics engine written by Andrew Waite – http://www.infosanity.co.uk

Number of submissions: 11
Number of unique samples: 10
Number of unique source IPs: 8

First sample seen: 2009-11-09 14:19:15.518382
Last sample seen: 2009-11-10 18:35:28.235052
SystemrRunning: 1 day, 4:16:12.716670
Average daily submissions: 11.0

Most recent submissions:
2009-11-10 18:35:28.235052, 195.90.106.212, emulate://, a4dde6f9e4feb8a539974022cff5f92c
2009-11-10 16:23:12.925538, 195.93.135.67, tftp://195.93.135.67/ssms.exe, 1d419d615dbe5a238bbaa569b3829a23
2009-11-10 16:00:14.846435, 195.170.57.28, tftp://195.170.57.28/ssms.exe, fd28c5e1c38caa35bf5e1987e6167f4c
2009-11-10 15:39:48.598303, 195.46.34.91, http://zonetech.info/61.exe, beee7a74712b2e3c84182c1bf18750ae
2009-11-10 13:00:29.916721, 195.95.170.138, emulate://, ddf1259a8fcef0776054460ebdf3cae4

Andrew Waite

Categories: Dionaea, Honeypot, Tool-Kit

Starting with Dionaea

As my previous post states, my Nepenthes system has been retired. In it’s place I’m building up a Dionaea system. The new features proposed by Dionaea should go a long way to improving on a couple of Nepenthes’ shortcomings, a good comparison of the two systems can be found on the Nepenthes blog (post October 27th). But what really caught my attention was the recent post on November 6th detailing the improved logging capabilites that are going to be built into Dionaea. I intend to cover these features at a later date once I’ve had more time to get used to the new system.

I must admit that I was shocked with the ease of installation and compilation. The instructions on Dionaea’s home page look a bit long winded to me, especially as I’m used to the ease of ‘apt-get’ and past experience with manual compilation of source code always leaves me expecting a headache. This was doubled when I discovered my available hardware is starting to show signs of it’s age, and was unable to successfully complete a fresh install of the latest Ubuntu, resulting in some of my components not quite meeting the written requirements. Some how though I manage to muddle through the compilation instructions without issue, and now have a working Dionaea install.

Getting the system started was also a breeze, one-line command as prescribed in the documentation and the system is live. Unsurprisingly it didn’t take long get my first hits, retrieving my first binary within 40 minutes of first starting the system. As I restarted several times whilst playing with config settings it could be that I missed a compromise that would have shortened this time frame in the real world.

So far I have only made a couple of changes the config, replacing the dev’s email with my own to recieve sandbox reports for collected binary samples (thanks for pointing that out in the mailing lists, probably would have missed it) and enabling the ihandler for p0f to try and take advantage of the system’s included fingerprinting capabilities.

As I’ve always liked statistics from honeypot systems, here is what I’ve got so far:

  • Running approximately 4 hours
  • Logged 20 unique attacks
  • Retrieved 4 unique malware binaries (and received the third party sandbox reports)
  • Generated 10,000+ log entries

Finally, thanks to the dev team for continuing to build and improve systems that I love to use. Couldn’t do halve of what I do without quality systems to work with.

Andrew Waite

Categories: Dionaea, Honeypot, Malware

Last Nepenthes Statistics

Following on from the move from Nepenthes to Dionaea, I’m decomissioning my Nepenthes server to start afresh with Dionaea. As such I thought I’d share the final statistics using InfoSanity’s statistic script for Nepenthes.

Statistics engine written by Andrew Waite – http://www.InfoSanity.co.uk

Number of submissions: 4189
Number of unique samples: 1189
Number of unique source IPs: 2024

First sample seen on 2008-05-09
Last sample seen on 2009-10-31
Days running: 540
Average daily submissions: 7

Andrew Waite

Sad news: RIP Str0ke – Update, was hoax

2009/11/04 1 comment

UPDATE:

Turns out this was a hoax, @Str0ke:

I’m not dead yet, just being trolled.

Whoever started it, you got me. Hope the laughs you got from claiming a guy is dead was worth it. Get A Life.

Original Post

Sad news for the information security community today; it seems that Str0ke, the creator and maintainer of Milw0rm, has passed on. The Black Security blog reports a heart condition.

I didn’t know Str0ke personally, but like many I have benefitted from the work and effort placed into the Milw0rm framework over the years.

Condolences and best wishes to Str0ke’s remaining family, rest in piece.

Andrew Waite

Categories: Exploit