securitybananas.com

Security news from all over the world

Competition: Spot the Celeb (2)

We have the first results:

- Adam Savage
- Victoria Koblenko
- Kat von D


Competition: spot the celeb

It is known that many of us (including myself) use social media. A lot has already been written about security and privacy on this kind of media. Many people post their moments on Twitter, often illustrated by pictures taken with their mobile phones. There is an interesting (forensic) property of some pictures taken with an iPhone: they include GPS data. Let me show you an example:

Last year I was in Senegal for my job and there I took the following picture:
[image: Senegal_market] (I know it's a blurry image, but the smell of rotten <->>>-< was far worse)

Images taken by digital cameras contain 'EXIF' data; in short, information about the picture like time, date, camera brand, etc. For forensic examination of pictures I mostly use the tool 'Exifviewer'. In this case I used it on the picture above:
[image: exif_output]

The output of the tool showed some GPS data. Entering this data in Google Maps showed exactly the place where the picture was taken.
Noticing this, the following (evil) thought came up:

Many celebs post on Twitter and Facebook. I would like to organise a competition about spotting the celebs: crawl and search tweets and pictures and examine them for GPS data.

RULE 1: I respect the privacy of any celeb/person. NO!!!! GPS data will be posted, and I ask you to do the same;
RULE 2: Send the name of the celeb including the Google Maps picture to: christiaan@securitybananas.com;
RULE 3: The top 50 of celebs will be posted on this forum without GPS data; fun pictures maybe ;)

This competition is for fun and learning, and another attempt to make people aware of their digital traces.
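What Exifviewer shows in the screenshot above can be read straight out of the file. The following is an added example (not code from the post): a minimal walker over the EXIF/TIFF block of a JPEG's APP1 segment (the bytes after "Exif\0\0") that locates the GPS IFD and converts its latitude/longitude to decimal degrees, which is the check to run on a picture before posting it. The sample EXIF block is constructed in the code; its coordinates are made up and not those of the post's picture.

```python
import struct

GPS_IFD_POINTER = 0x8825                      # IFD0 tag that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4   # tags inside the GPS IFD


def _entries(tiff, bo, offset):
    """Yield (tag, type, count, raw 4-byte value field) for every entry of one IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    for i in range(n):
        yield struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)


def _dms_to_degrees(rationals):
    deg, mins, secs = (num / den for num, den in rationals)
    return deg + mins / 60 + secs / 3600


def gps_coordinates(tiff):
    """Return (lat, lon) in decimal degrees, or None if the EXIF block carries no GPS position."""
    bo = "<" if tiff[:2] == b"II" else ">"        # byte order from the TIFF header
    (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
    ifd0_tags = {tag: raw for tag, _typ, _cnt, raw in _entries(tiff, bo, ifd0)}
    if GPS_IFD_POINTER not in ifd0_tags:
        return None
    (gps_off,) = struct.unpack(bo + "I", ifd0_tags[GPS_IFD_POINTER])
    fields = {}
    for tag, typ, cnt, raw in _entries(tiff, bo, gps_off):
        if typ == 2 and cnt <= 4:                 # ASCII short enough to sit in the value field
            fields[tag] = raw[:cnt].rstrip(b"\0").decode()
        elif typ == 5:                            # RATIONAL: cnt (uint32, uint32) pairs at offset
            (off,) = struct.unpack(bo + "I", raw)
            fields[tag] = [struct.unpack_from(bo + "II", tiff, off + 8 * k) for k in range(cnt)]
    if not all(t in fields for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_degrees(fields[GPS_LAT]) * (-1 if fields[GPS_LAT_REF] == "S" else 1)
    lon = _dms_to_degrees(fields[GPS_LON]) * (-1 if fields[GPS_LON_REF] == "W" else 1)
    return lat, lon


def build_sample_tiff():
    """Constructed EXIF block: IFD0 -> GPS IFD holding 14 40'12.34" N, 17 26'56.78" W."""
    header = b"II*\0" + struct.pack("<I", 8)                          # IFD0 at offset 8
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)     # one entry, GPS IFD at 26
    lat, lon = [(14, 1), (40, 1), (1234, 100)], [(17, 1), (26, 1), (5678, 100)]
    gps_ifd = (struct.pack("<H", 4)
               + struct.pack("<HHI4s", GPS_LAT_REF, 2, 2, b"N\0\0\0")
               + struct.pack("<HHII", GPS_LAT, 5, 3, 80)               # lat rationals at 80
               + struct.pack("<HHI4s", GPS_LON_REF, 2, 2, b"W\0\0\0")
               + struct.pack("<HHII", GPS_LON, 5, 3, 104)              # lon rationals at 104
               + struct.pack("<I", 0))                                 # no next IFD
    data = b"".join(struct.pack("<II", n, d) for n, d in lat + lon)
    return header + ifd0 + gps_ifd + data
```

A file that yields a position here should have its GPS IFD stripped (or the picture re-saved without EXIF) before it is uploaded.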


Blackhat 2010 Europe Barcelona

Today I stayed in a hotel for my job. After my quick dinner I started to wrestle through my inbox. Suddenly I noticed an e-mail from Blackhat.
My paper was accepted and they invited me to speak in Barcelona about forensics and virtualization. After squeezing myself and a lot of cold water in my face I realized it is really true. I'm really thankful for the trust and great chance.

The rest of this month I don't want to be disturbed; I need to finish a whitepaper and a ppt, and meanwhile my small workshop about basic reverse engineering of malware also needs to be finished and taught. Maybe some more hours in a day, just for this month?


Postbank Phishing scam

What started in November 2009 has begun again: another phishing campaign against customers of the (former) Postbank. Once more the phishers want you to 'register your IP address':
[image: ing_phishing1]

Striking, of course, is the salutation in English followed by the (poor) Dutch text. We are dealing here with a 'phishing' e-mail. It is interesting to investigate who is behind this campaign.
After examining the headers, the IP address from which the e-mail was sent was found; this IP address did not belong to ING or Postbank, and it was listed on a number of blacklists. The IP address is known as an address used in spam campaigns.
The e-mail comes from the address 'verification@postbank.nl'. The domain 'postbank.nl' is an existing domain owned by the ING group. The phishers presumably researched this domain and used as much information as possible to make the e-mail look as genuine as possible. Linked to the IP address used for the domain 'postbank.nl' is also the domain 'mijn postbank.nl', which is likewise mentioned in the e-mail.

A consequence of the use of the postbank domain is that this domain has meanwhile been placed on a blacklist (abuse.rfc-ignorant.org). For an organisation it is absolutely undesirable to end up on a blacklist: it can mean that customers no longer receive e-mail from, in this case, Postbank.
Next, the e-mail mentions a link where you are expected to register your IP address. It is the link:
hxxp://www.advance2go.org.uk/mode/parameters/onlineaccess/mijn.ing.htm
Looking at this URL we can actually already see that it does not come from ING or Postbank. What would a domain in the U.K. have to do with an ING login?
Overview of the domain 'advance2go.org.uk':

[image: ing_phising2]
The domain 'advance2go.org.uk' belongs to a hosting company based in Sheffield, UK. Various sites are hosted by this company, including the website for the city of London.
When visiting the URL a 404 error was returned; the site has meanwhile been taken down.
Another URL that was also observed:
hxxp://www.teenreviewblog.com/_vti_dp/sitefiles/secureserver/mijn.ing.htm
This gave the following result:

[image: phishing_postbank]
When consulting this website from a sandbox environment, Firefox warns that this is a forged site. This website has meanwhile been taken down.
Other (forged) sites used:
hxxp://www.mifl.co.cc/_vti_data/secure/customers/mijn.ing.htm
hxxp://www.ceshaiti.org/data/resources/onlineaccess/mijn.ing.htm
hxxp://www.intrepidearth.net/cache/private/secure/mijn.ing.htm

All sites have meanwhile been reported to PhishTank and taken down.
[image: phishing tank]
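The check the post makes by eye, a bank login page name on a host the bank does not own, as an added example (not code from the post). The bank domain list and the crude eTLD+1 rule are assumptions made for the example; the lure links are the defanged ones quoted above, and the legitimate link is constructed.

```python
import re
from urllib.parse import urlsplit

BANK_DOMAINS = {"ing.nl", "postbank.nl"}       # assumed list of domains the bank actually owns
BRAND_TOKENS = ("ing", "postbank", "mijn")     # words a lure page borrows from the real login
CC_SECOND_LEVEL = {"org", "co", "ac", "gov"}   # org.uk, co.cc, ... count as part of the TLD


def refang(url):
    """Turn a defanged hxxp:// link (possibly with spaces inserted in the host) back into a URL."""
    return re.sub(r"^hxxp", "http", url.replace(" ", ""))


def registrable_domain(host):
    """Crude eTLD+1: three labels under a two-letter ccTLD with a known second level, else two."""
    labels = host.lower().split(".")
    keep = 3 if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL else 2
    return ".".join(labels[-keep:])


def classify_link(url):
    """'bank' if the host is the bank's, 'brand-mismatch' if it name-drops the bank elsewhere."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    if registrable_domain(host) in BANK_DOMAINS:
        return "bank"
    haystack = (host + parts.path).lower()
    if any(re.search(r"(?<![a-z])%s(?![a-z])" % token, haystack) for token in BRAND_TOKENS):
        return "brand-mismatch"
    return "unrelated"


# The defanged lure links quoted in the post, plus a constructed legitimate one
LINKS = [
    "hxxp://www.advance2go.org.uk/mode/parameters/onlineaccess/mijn.ing.htm",
    "hxxp://www.teenreviewblog.com/_vti_dp/sitefiles/secureserver/mijn.ing.htm",
    "hxxp://www.mifl.co.cc/_vti_data/secure/customers/mijn.ing.htm",
    "https://mijn.ing.nl/login",
]

if __name__ == "__main__":
    for link in LINKS:
        print(classify_link(link), link)
```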


Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7

This information was provided to me by Longshot & Mark McKinnon (Just passing this great information along).

Decoding the DateCreated and DateLastConnected registry values from the registry keys

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}

In Vista and Windows 7

The DateCreated and DateLastConnected values are binary and can be broken up into parts of four hex digits (two bytes each), with one part left over. Each part corresponds to one component of the date. The order of the components is as follows:

Year
Month
Weekday
Day
Hour
Minutes
Seconds

Each of these parts is stored little endian. Taking the following data, unpacked from binary and converted to hex, we get the following translation:

d9070200020018001700140025000001

d907 0200 0200 1800 1700 1400 2500 0001

Year = h4 = d907 = 07d9 = 2009

Month = h4 = 0200 = 0002 = 2 = Month {Jan = 1, Feb = 2, etc.}

Weekday = h4 = 0200 = 0002 = 2 = Weekday {Sunday = 0, Monday = 1, etc.}

date = h4 = 1800 = 0018 = 24

hour = h4 = 1700 = 0017 = 23

minutes = h4 = 1400 = 0014 = 20

Seconds = h4 = 2500 = 0025 = 37

The Month and Weekday fields have to be converted to their proper Month and weekday name.

which would yield the following:

Date First Connected: Tuesday, 24 February 2009 23:20:37

Here is the Perl code to do the above. I only include $data as a placeholder that would need to have the data fed to it:

use strict;
use warnings;

# This is the binary data that would be read from the registry file;
# as a placeholder it holds the sample value from above
my $data = pack("H*", "d9070200020018001700140025000001");
# Name of the registry value being decoded (DateCreated or DateLastConnected)
my $n = "DateCreated";

my %month_type = (1 => "January", 2 => "February", 3 => "March",
                  4 => "April", 5 => "May", 6 => "June",
                  7 => "July", 8 => "August", 9 => "September",
                  10 => "October", 11 => "November", 12 => "December");

my %dayofweek_type = (0 => "Sunday", 1 => "Monday", 2 => "Tuesday",
                      3 => "Wednesday", 4 => "Thursday", 5 => "Friday",
                      6 => "Saturday");

# h4 returns the four hex digits of each 2-byte field low nibble first;
# reversing that string gives the normal (big-endian) hex representation
my ($year, $month, $weekday, $date, $hour, $minute, $second) = unpack("h4 h4 h4 h4 h4 h4 h4", $data);

# This part converts the year
my $finalyear = hex(reverse $year);

# Now we convert the month
my $monthnumber = hex(reverse $month);
my $finalmonth = $month_type{$monthnumber};

# Now we convert the weekday
my $weekdaynumber = hex(reverse $weekday);
my $finalweekday = $dayofweek_type{$weekdaynumber};

# This converts the date
my $finaldate = hex(reverse $date);

# This converts the hour
my $finalhour = hex(reverse $hour);

# This converts the minute, zero-padded to two digits
my $finalminute = sprintf("%02d", hex(reverse $minute));

# This converts the second, zero-padded to two digits
my $finalsecond = sprintf("%02d", hex(reverse $second));

my $ssidtimestamp = "$finalweekday, $finaldate $finalmonth $finalyear $finalhour:$finalminute:$finalsecond";
my $finaln;
if ($n =~ /Created/) {
    $finaln = "Date First Connected:";
} else {
    $finaln = "Date Last Connected:";
}

print "$finaln $ssidtimestamp\n";
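The same decoding in Python, as an added example (not the Perl from the post): the 16-byte blob is read as eight little-endian 16-bit words, which is the Windows SYSTEMTIME layout, so the "left over" part is milliseconds. Unlike the Perl, it rejects out-of-range fields and checks that the stored weekday agrees with the date, which catches a blob read from the wrong offset. The sample value is the one from the post.

```python
import struct
from datetime import datetime

WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def decode_network_profile_time(data):
    """Decode a 16-byte DateCreated/DateLastConnected blob into (datetime, weekday name).

    Eight little-endian 16-bit words: year, month, weekday, day, hour, minute,
    second, milliseconds (the part the post leaves over).
    """
    if len(data) != 16:
        raise ValueError("expected 16 bytes, got %d" % len(data))
    year, month, weekday, day, hour, minute, second, millis = struct.unpack("<8H", data)
    if weekday > 6 or millis > 999:
        raise ValueError("weekday/milliseconds out of range")
    ts = datetime(year, month, day, hour, minute, second, millis * 1000)  # validates the rest
    # Cross-check the stored weekday against the calendar (datetime: Monday == 0)
    if (ts.weekday() + 1) % 7 != weekday:
        raise ValueError("stored weekday %s does not match %s" % (WEEKDAYS[weekday], ts.date()))
    return ts, WEEKDAYS[weekday]


def describe(value_name, data):
    """Format one value the way the post does, choosing the label from the value name."""
    label = "Date First Connected:" if "Created" in value_name else "Date Last Connected:"
    ts, weekday = decode_network_profile_time(data)
    return "%s %s, %d %s %d %02d:%02d:%02d" % (
        label, weekday, ts.day, MONTHS[ts.month - 1], ts.year, ts.hour, ts.minute, ts.second)


# The sample value from the post: d907 0200 0200 1800 1700 1400 2500 0001
SAMPLE = bytes.fromhex("d9070200020018001700140025000001")

if __name__ == "__main__":
    print(describe("DateCreated", SAMPLE))
```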


iPhone in field test mode

For all phreakers: if you type the following code on your iPhone you can enter field test mode.

*3001#12345#*

After this you can read the GSM cell data:

- MM info
- UMTS Cell Environment
- PDP Context list
- GSM Cell Environment

Have phun!


JS/trojan redir analysis

Last weekend a couple of friends asked me to look after their websites; they got complaints from users that their antivirus software started alerting when they visited the sites. So, starting up my malware research machine, I used McAfee FileInsight to go over the website. My AV (NOD32) went crazy and alerts popped up.
It looked as if all index.html and index.php files were infected.

When analyzing these pages I discovered obfuscated script code at the bottom of the source code.

Submitting this code to VirusTotal, I got the following response:

S/TrojanDownloader.Agent.NRO trojan – NOD32
Trojan-Downloader.JS.Pegel.c – Kaspersky
MD5 : f6040c041562a481ea0b4d6a79d0ca49

After cleaning the index.* files I did a last check and downloaded the folder of the website to see whether I had forgotten to check some files; my AV again gave full alerts, now all *.js files were infected.

Ok, analyzing time: what is this trojan doing?
It injects hidden iframes with all kinds of URLs referring to different sites.

example:
hxxp://chip-de.ggpht.com.deezer-com.viewhomesale .ru:8080/google.com/google.com/timeanddate.com/avg.com/zshare.net/
hxxp://wowhead-com.gougou.com.redtube-com.viewhomesale .ru:8080/58.com/58.com/google.com/rediff.com/uol.com.br/
hxxp://it168-com.sky.com.xe-com.viewhomesale .ru:8080/google.com/google.com/pagesjaunes.fr/sify.com/nate.com/
hxxp://seznam-cz.king.com.boston-com.viewhomesale .ru:8080/linkedin.com/linkedin.com

UPDATE: thanks Herzel for pointing me to your blog; here are some screenshots of the code analysis:
[link: Blog]

Earlier variations of this malware were already detected, but this variant uses code obfuscation and spreads in two ways:

- inserting script code into the bottom of index.html and index.php files
- attaching/inserting to *.js files

Word has spread that the Gumblar team is responsible for this virus.

Affected websites should:

* Delete infected files or restore them from backup.
* Patch all software on the box.
* Change all passwords, especially FTP ones.
* Review logs.
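A scanner for the two infection forms described above (hidden iframes, and obfuscated script appended to the bottom of index.html/index.php and *.js files), as an added example that is not code from the post. The indicator regexes are my own heuristics built from what the post reports; the sample web root is constructed, with a .invalid host standing in for the real iframe targets.

```python
import re

HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|visibility\s*:\s*hidden|display\s*:\s*none)",
    re.I)
PORT_8080_SRC = re.compile(r"https?://[^\s\"'<>]+:8080/", re.I)   # the post's targets all used :8080
OBFUSCATION_CALL = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
ENCODED_RUN = re.compile(r"(?:\\x[0-9a-f]{2}){20,}|(?:%[0-9a-f]{2}){20,}", re.I)


def findings(text):
    """Return the list of indicators present in one file's text (empty when clean)."""
    hits = []
    if HIDDEN_IFRAME.search(text):
        hits.append("hidden-iframe")
    if PORT_8080_SRC.search(text):
        hits.append("src-on-port-8080")
    tail = text[-2000:]            # the injected code sat at the bottom of each file
    if OBFUSCATION_CALL.search(tail) and ENCODED_RUN.search(tail):
        hits.append("obfuscated-tail-script")
    return hits


def scan(files):
    """files: {path: text}. Return {path: indicators} for the files that look infected."""
    return {path: hits for path, text in files.items() if (hits := findings(text))}


# Constructed sample web root: one clean page, one injected page, one injected script
CLEAN = "<html><body><p>Hello</p></body></html>\n"
INJECTED_HTML = (CLEAN
                 + "<script>document.write(unescape('" + "%3c%69%66%72%61%6d%65" * 4 + "'))</script>\n"
                 + '<iframe src="http://example-host.invalid:8080/a/b/" width=0 height=0></iframe>\n')
INJECTED_JS = "function f(){}\n" + 'eval("' + "\\x3c\\x69" * 15 + '")\n'
SAMPLE_SITE = {"index.html": INJECTED_HTML, "index.php": CLEAN, "js/app.js": INJECTED_JS}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_SITE).items():
        print(path, hits)
```

Run it over the downloaded web root before and after cleaning; a file that still has an indicator after the index.* cleanup is the *.js case the post only found on the second pass.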


Anti-virus detection methods and how they are circumvented

In the ongoing battle between virus writers and AVers (anti-virus researchers), both sides use different techniques and methods. In this short article I will discuss some of them. Virus writers use techniques like polymorphism, EPO (entry-point obscuring) and metamorphism to hide their code. AVers already know how to battle these.
So how would you want to detect a virus in the first place? By using wildcards. Wildcard matching is one of the best-known detection techniques. An example of an AV vendor using this technique is ClamAV. ClamAV searches for patterns and includes some features to detect certain polymorphic engines. You can easily defeat this wildcard search by using an obfuscated polymorphic engine like Marburg.
Another trick to discover a virus is emulation. Emulation needs an entry point to begin the analysis. Most virus writers bypass the whole emulation with a trick that prevents the entry point from being discovered.
What other techniques do AVers use? Static analysis.
Static analysis comes in two types: the first is code disassembling and the second is static analysis of executables. Code disassembling will not be discussed in this article.
Static analysis of executables:
This type could simply be called "tracing the registers' behaviour". The analysis works by tracing the registers and searching for a register that would belong to a decryptor, the counter or the pointer, and testing whether all of the decryptor's register behaviour is present. If it is, this code is decrypting the virus, so we emulate the code and test whether the virus appears in memory. If not, the file is not infected.
How can this be defeated? Using dynamic register swapping:

This idea was recently published on certain forums. Any playing with the registers will defeat the static analysis of an executable. You could simply swap the registers in the middle of the code like this:
;ecx -> counter
xchg eax,ecx
;eax -> counter or ecx -> counter

This code swaps the registers in the middle of the decryptor code. The values are exchanged, so eax now has the value of ecx and acts as the decryptor's counter in the following instructions.
Another example:
;ecx -> counter
mov eax,ecx
;eax -> counter or ecx -> counter
This example overwrites the value of eax, but you end up with two registers holding the same value, and either of them can act as the counter. Who will detect which one you chose as the counter? More scenarios for this trick are possible. AVers need to keep up to date with the 'latest' tricks to adapt their detection methods and algorithms.
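A toy version of the register-behaviour analysis the article describes, as an added example (not code from the article): a tracer keyed on register names loses the counter after the xchg or mov swap, while one that tracks which value each register holds still finds it, which is the adaptation the last sentence asks for. The instruction subset, the parser and the sample decryptor loop are constructed for the example.

```python
def parse(asm):
    """Parse 'op dst, src' lines into (op, [operands]); text after ';' is a comment."""
    prog = []
    for line in asm.strip().splitlines():
        line = line.split(";")[0].strip()
        if line:
            op, _, rest = line.partition(" ")
            prog.append((op.lower(), [o.strip().lower() for o in rest.split(",") if o.strip()]))
    return prog


def naive_counter(prog):
    """Keyed on register names: a register loaded with an immediate and later decremented."""
    loaded = {ops[0] for op, ops in prog if op == "mov" and ops[1].isdigit()}
    decremented = {ops[0] for op, ops in prog if op in ("dec", "sub")}
    return sorted(loaded & decremented)


def alias_aware_counter(prog):
    """Keyed on values: follow each immediate through mov/xchg, then apply the same rule."""
    holds = {}                                    # register -> id of the value it currently holds
    loaded, decremented = set(), set()
    for op, ops in prog:
        if op == "mov" and ops[1].isdigit():
            holds[ops[0]] = "imm@" + ops[0]
            loaded.add(holds[ops[0]])
        elif op == "mov" and ops[1] in holds:
            holds[ops[0]] = holds[ops[1]]         # copy: both registers now alias the value
        elif op == "xchg":
            holds[ops[0]], holds[ops[1]] = holds.get(ops[1]), holds.get(ops[0])
        elif op in ("dec", "sub") and holds.get(ops[0]):
            decremented.add(holds[ops[0]])
    counters = loaded & decremented
    return sorted(reg for reg, val in holds.items() if val in counters)


# Constructed decryptor loop using the xchg swap from the article
DECRYPTOR = """
    mov ecx, 40        ; ecx -> counter
    mov esi, 4096      ; esi -> pointer into the encrypted body
loop:
    xor byte [esi], 0x5a
    inc esi
    xchg eax, ecx      ; counter now lives in eax
    dec eax
    jnz loop
"""

if __name__ == "__main__":
    print("naive:", naive_counter(parse(DECRYPTOR)), "alias-aware:", alias_aware_counter(parse(DECRYPTOR)))
```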


SSL/TLS Re-negotiation attack movie

My dear friend Ivan Buetler from Compass & Hacking-Lab posted a movie of the SSL/TLS re-negotiation attack on his site.

Have a look here

Great work and thanks for sharing!


ENISA has launched a security assessment document for Cloud Computing

The European Network and Information Security Agency (ENISA) released its 124-page report on Cloud Computing Security Risk Assessment.

It’s a great project; I will dig into this document this week.

You can download the document here

