- 1 Episode Media
- 2 Announcements & Shameless Plugs
- 3 Tech Segment
- 4 Interview: Dr. Gene Spafford
- 5 Announcement
- 6 Stories
- 7 Paul's Stories
- 8 Larry's Stories
- 9 Jack's Stories that would make Motley Crue blush
- 10 Allison's Stuff
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 318 for Thursday January 31st, 2013
- Offensive Countermeasures in Europe! - March 12-15 in Amsterdam!
- Security BSides Rhode Island tickets are NOW ON SALE at WePay.com
- The Stogie Geeks Show! - For cigar enthusiasts, by cigar enthusiasts.
- New tech segment on SQL injection and PHP at http://pauldotcom.com by intern Patrick Laverty - "From '1' to Pwned: Using SQL Injection and PHP to Own the Box"
SANS is running a special promotion for Forensic Online courses.
To learn more about the 15% discount on online forensic classes, visit SANS Specials Training page, which will also tell you how to access the many FREE forensic resources available from SANS. Hurry, the discount will only be valid through February 20.
Beating up Exploit kits and stealing their malware with Thug - Ben Jackson
Thug is a Python low-interaction honeyclient. All too often in Incident Response you have logs that indicate a client was exploited by an exploit kit and compromised, but retrieving a copy of the the applicable piece of malware is difficult. Thug is designed to mimic a vulnerable web browser and follow the exploit kit back to its malware.
Setting Up Thug
First, I usually run Debian stable for my server environment, coming from a SysAdmin background stability is like a warm blanket. However, Debian 6.0, the current stable version, runs Python 2.6. Thug needed Python 2.7, so I needed to upgrade to unstable. I haven't tested other distros, but I would imagine CentOS might have similar issues. Ubuntu would be fine. After upgrading, I set up my working directory to compile all the dependencies in:
cd /usr/local/src mkdir thug_dev cd thug_dev/
Now let's get cracking on all the easy dependencies that Thug needs. Be forewarned, it needs a lot of them. Let's start with the Debian packages: apt-get install libemu2 libemu-dev python-libemu subversion libboost-dev libboost-python-dev python-pip python-dev Next, let's use pip to install the remaining Python libraries we need:
pip install beautifulsoup4 zope.interface pymongo cssutils httplib2 pefile
Now let's get Thug, we will need it to complete the next dependency:
git clone https://github.com/buffer/thug.git
svn checkout http://v8.googlecode.com/svn/trunk/ v8 svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8 cp thug/patches/V8-patch* ./ patch -p0 < V8-patch1.diff
It should go ahead and patch v8/src/log.h. Now we'll need to set up V8 and PyV8. First we'll need to tell PyV8 where the V8 source is:
Next you'll set up PyV8. This will also compile and install V8 itself.
cd pyv8/ python setup.py build
After compiling, you can run the test.
When I ran this, it resulted in one failure:
FAIL: testDestructor (__main__.TestWrapper) ----------------------------------------------------------- Traceback (most recent call last): File "PyV8.py", line 1608, in testDestructor self.assert_(self.deleted) AssertionError
Personally, I consider everything under a 50% failure rate good-to-go -- However, in this case, everything ran fine even after I finished compiling Thug, so you could choose to ignore this. Finally, let's install it:
python setup.py install
Now, to set up pylibemu:
cd .. git clone https://github.com/buffer/pylibemu.git cd pylibemu/ python setup.py install
Now that all the dependencies are satisfied, it's time to move on to Thug. I usually toss it in /opt as that is where most utilities think it should go. I copy it from the working directory so when I need to upgrade it, I can do my testing in the ëthug_dev' directory first before I trash my ëproduction' copy.
cp -ar ./thug/ /opt/thug
Now, let's see if it works:
python /opt/thug/src/thug.py ñh
This should produce a help screen with all of Thug's options. If you see this, you're in business.
So, now that you have it installed, lets use it. First, we need to find an exploit site. Normally this happens when someone on your network gets popped and you want to grab a copy of the Malware. But, if you just have a hankerin' for malware, it's simple to find plenty of it by looking at such resources as the Malware Domain List, Clean-MX or NovCon Minotaur. In this example, we picked a Blackhole Exploit Kit on the Malware Domain List.
Now, let's fire up Thug:
python /opt/thug/src/thug.py -p http://10.1.2.3:8123 \ '188.8.131.52/c9fce1bfcd7eddde451f87e58ec173be/q.php'
We used the ñp option which specifies that Thug should use a TOR proxy on my network. It's always smart to cover your tracks a bit. Thug starts chewing and parsing through the webpage. This can take some time and may not always give results. Sometimes Thug will occasionally get tied into a loop as well. It's not an exact science. Eventually, you'll see something similar to:
Saving log analysis at ../logs/7dbc19beba8ef0677bd8d6ba33505227/20130108165413
This is where Thug keeps all the files it downloaded along with its report. Let's look at the contents ./analysis.xml
./text ./text/html ./text/html/d41d8cd98f00b204e9800998ecf8427e ./text/html/5b8fc7319290a5edf3b93003fa52439d ./application ./application/java-archive ./application/java-archive/5e680fea0817a8b6da48bc1d39840332
The files that Thug downloaded are classified by MIME type and named by their SHA1 sum. The report is an XML file located in analysis.xml. In this case we're most interested in the application/java-archive file in 5e680fea0817a8b6da48bc1d39840332 -- Let's load it up to VirusTotal:
=== application/java-archive/5e680fea0817a8b6da48bc1d39840332 === Report: - MicroWorld-eScan (184.108.40.206, 20130108): None - nProtect (2013-01-08.01, 20130108): None - CAT-QuickHeal (12.00, 20130108): None - McAfee (5.400.0.1158, 20130108): None - Malwarebytes (220.127.116.11, 20130108): None - K7AntiVirus (9.156.8087, 20130108): None - TheHacker (None, 20130107): None - NANO-Antivirus (0.22.6.49175, 20130108): None - F-Prot (18.104.22.168, 20130108): None - Symantec (2022.214.171.124, 20130108): None - Norman (6.08.06, 20130108): None - TotalDefense (37.0.10242, 20130108): None - TrendMicro-HouseCall (9.700.0.1001, 20130108): TROJ_GEN.FCBHZJ8 - Avast (6.0.1289.0, 20130108): None - eSafe (126.96.36.199, 20130103): None - ClamAV (0.97.3.0, 20130108): None - Kaspersky (188.8.131.527, 20130108): UDS:DangerousObject.Multi.Generic - BitDefender (7.2, 20130108): None - Agnitum (184.108.40.206, 20130108): None - SUPERAntiSpyware (220.127.116.118, 20130108): None - Emsisoft (18.104.22.1689, 20130108): None - Comodo (14841, 20130108): None - F-Secure (9.0.17090.0, 20130108): None - DrWeb (7.0.4.09250, 20130108): None - VIPRE (14912, 20130108): None - AntiVir (22.214.171.124, 20130107): None - TrendMicro (9.561.0.1035, 20130108): None - McAfee-GW-Edition (2012.1, 20130108): None - Sophos (4.84.0, 20130108): None - Jiangmin (13.0.900, 20121221): None - Antiy-AVL (126.96.36.199, 20130108): None - Kingsoft (2012.12.21.213, 20130107): None - Microsoft (1.9002, 20130108): None - ViRobot (2011.4.7.4223, 20130108): None - AhnLab-V3 (2013.01.09.00, 20130108): None - GData (22, 20130108): None - Commtouch (188.8.131.52, 20130108): None - ByteHero (184.108.40.206, 20130108): None - VBA32 (220.127.116.11, 20130108): None - PCTools (18.104.22.168, 20130108): None - ESET-NOD32 (7872, 20130108): None - Rising (24.44.00.03, 20130108): None - Ikarus (T22.214.171.124.0, 20130108): None - Fortinet (126.96.36.199, 20130108): None - AVG (10.0.0.1190, 20130108): None - Panda (10.0.3.5, 20130108): None
Not very well detected, but this is the malware. Now it should be fairly simple to take this file and analyze it either manually or with tools such a Cuckoo or other sandboxing utilities.
Interview: Dr. Gene Spafford
- What is the most significant computer security threat we face right now?
- What is the most significant security threat out there that no one seems to be addressing?
- So many companies are breached on a daily basis, what can we do better to first prevent intrusions and then to detect them?
- How can we adjust incentives to motivate programmers to write more secure code and companies to produce more secure products?
- There is a lot of talk lately about legislation to improve computer security, what, if anything, should be included in "cybersecurity" legislation to make things better?
- How has the wide-spread adoption of mobile device technology changed computer security, or has it?
- What has been your biggest surprise in your long journey in infosec?
- Larry is most fond of your quote: The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. How do we balance security and usability now that we've progressed from one giant shared computer to everyone owning a laptop and a smartphone?
- "You’ve been called by people like Gene Kim as a cross between Einstein, a Disney professor, James Bond and Mr. Bean. How would you respond to that?"
- "You've influenced a generation of security practitioners, but you've also personally mentored people like Dan Farmer who wrote COPS, Gene Kim who wrote Tripwire, Sandeep Kumar who advanced intrusion detection, and numerous others -- why do you suppose you've had such a big influence?"
- If there were a movie about your life, what would the title be?
- Three words to describe yourself
- Stranded on a desert island, what would you take with you for an operating system: Mac, Windows or Linux?
- Name on piece of technology you can't live without
- Favorite Sci-Fy movie?
- Join us on our 3d ever Google+ Hangout! Add PaulDotCom on Google+ and join us in the Google Hangout.
- We are in the process of archiving and cataloging our technical segments, please visit the PaulDotCom Technical Library and we indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.
- Larry teaching SANS SEC617 all over and coming to a city near you in 2013
- Suicidal Sensors: Darpa Wants Next-Gen Spy Hardware to Literally Dissolve - Talk about wiping your phone, not just wiping, but it would literally melt! This cannot get into the hands of administrators, can you imagine if the system controlling this got hacked and you melted every phone in the organization? Scary, but freaking cool. My guess is the CIA and NSA already have such technology, but then again I watch too many movies.
- VMware Management Interface - A Little Story of XSS - An XSS vulnerability in VMware is bad. Once an attacker gets on the internal network, or learns of your architecture, getting you to click on a link could lead to forking over complete control of your virtualization environment. I am a firm believer that you need to patch and harden the crap out of your virtualization platform. As a pen tester, its a huge target for me, I will take all those snapshots thank you very much.
- Hackers Hijacking Security Cameras for Malware and Spying - "In addition to security cameras, modems, printers and routers, Stiansen says the company’s honeypots are also picking up increased traffic from smart TVs." Yes, bring on the embedded device hacking baby! Love it. It amazes me that we are still dealing with this problem. The more embedded systems we deploy does not in and of itself increase awareness. I watch a lot of spy shows. The good and bad guys are always hacking into the CCTV cameras, spying or running a loop to evade detection. It happens fast, like hollywood hacking. The scary part is that it happens just as fast in real life because no one pays attention to the security of their security systems. WHY??!?!?!?!?!?
- Web smut sites are SAFER than search engines - Its safer to surf to news web sites than porn web sites. This is great, see now we can adjust the web filters to ONLY allow people to browse for porn. Nice! Score, get the lotion as we say.
- Chinese hackers break into the New York Times - The New York Times has reported that for the last four months Chinese hackers have been infiltrating its networks, broken into the email accounts of senior staff, stolen the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees. Sounds like they got a free pen test, but never got a report.
- Kali Linux – A Teaser into the Future. - I like how as awesome as Backtrack is, they are constantly making it better. I like how it went from a bootable CD, to a full-fledge Linux distro. I will always have a VM running Backtrack, its just handy to have a bunch of tools that work in one place.
- Hacker 'sextorted' 350 women into stripping off after stealing embarrassing pictures - he then attempted to blackmail the women into letting him take topless pictures of them via webcam using Skype, posting pictures on their Facebook pages if they refused to cooperate. Okay, so here's the thing, if you are going to store naked pics of yourself on your computer, don't include your face! Also, try not to let people install malware on your systems. And if push comes to shove, just let them post the pictures and try to profit from it, heck it worked for Kim Kardashian.
- UPnP scan shows 50 million network devices open to packet attack - This is not a shock to me at all. UPnP is horrible, there just had to be a flaw in there somewhere. HD Moore found some, and turns out there are millions of vulnerable devices on the Internet. I am so happy to see this research come to light, it needs to happen. Free tools exist to check for the vulnerabilities, and details are forthcoming.
Jack's Stories that would make Motley Crue blush
- The New York Times was hacked by evil Chinese hackers. Or maybe the story is not completely accurate? And here's Dennis Fisher's take on China, The New York Times and the Value of Self-Shaming
- Two Good posts from Robert Graham on the New York Times Story: NYTimes and more Rainbow Table nonsense and The NYTimes article was content free
- Once More Into The (PRC Aggregated) Breaches an informative post by Bob Rudis on the challenges of interpreting aggregated data sources.
- Security No-Man's Land Mike Rothman reminds us of the "have-nots" of InfoSec as we approach the RSA conference. Echoing some of what Dan Geer wrote about the week before, and some of Wendy Nather's "Security Poverty Line" work- it is important to remember that imnproving security for Fortune 1000 companies falls far short of actually improving security overall.
- Robert Graham's ten-year retrospective on the SQL Slammer worm
- Remember the college kid tossed from school for reporting a vulnerability? It turns out his story isn't quite as innocent as it was portrayed by some. Still dumbness and overreaction IMHO, but more has come to light, including this letter of expulsion.
- Jailed for jailbreaking: The new law could land you in the slammer Haha. The US government is completely disconnected from reality. haha ha ha ha ha
- After silence on Java flaws, Oracle now says it cares ha ha ha ha ha
- Group halts bank cyberattacks Maybe they realized big banks can't delete Youtube videos. Hahahahahhaha
- Opera Browser Update Patches Remote Code Execution Vulnerabilities Attn: both Opera users: Luls.