Swiss Cyberstorm III
My dear friend Ivan Buetler has invited me to talk on Swiss Cyberstorm III:
More info can be found at: link
HITB conference 1 & 2 July Amsterdam
At the end of this week the HITB conference will be held in Europe. Amsterdam is the city to be and I will attend this conference. I think my schedule for this conference will be:

Day 1
- Welcome & Keynote
- Breaking Virtualization by switching to Virtual 8086 mode – Jonathan Brossard
- From Russia with Love 2.0 – Fyodor & The Grugq
- Web in the middle-attacking clients – Laurent Oudot
- JIT-spray & advanced shellcode – Alexey Sintsov
- Having fun with Apple’s IOkit – Ilja van Sprundel
Day 2
- Keynote 2
- Malware Analysis Lab
- Subverting Windows 7 x64 Kernel with DMA attacks – Christophe Devine & Damien Aumaitre
- Top 10 Web 2.0 attacks – Shreeraj Shah
- The traveling Hacksmith 2009/2010 – Saumil Shah
VM security review of Black Hat paper Virtual Forensics
J. D. Durick is discussing my Black Hat paper on his website:
Thanks for the comments and compliments! Really appreciate it!
C.
iPhone ringtones easy to download
Disclaimer: For educational use only, stealing is against the law. This article is not meant to speak negatively about Apple. (Any iPad donation for further research is welcome.)
As I was researching the iPad/iPhone security features and sniffing traffic from the apps, I discovered something that could be misused. When you visit the iTunes online store, you can listen to songs and/or ringtones. All songs and ringtones have a 30-second preview. Ringtones don’t last 30 seconds.
To preview traffic from my iPad and iPhone I created a sniffing environment:
- Wifi gateway to the Internet
- laptop with Paros proxy running on a local ip-address port 8080
- iPad and iPhone connected to Wifi Gateway through Paros Proxy
When I select a ringtone and preview it, the following request is made:
http://a1.phobos.apple.com/us/r1010/027/Music/9c/24/12/mzi.wrstuwb.aac.p.m4p.
Interesting… Maybe we could download the file by using ‘wget’. In my sniffing sessions, I discovered the user-agent that is sent from the iPhone, e.g.: iTunes-iPhone/3.1.3 (2)
So my request will look like:
wget -U 'Apple iPhone OS v3.1.3' 'http://a1.phobos.apple.com/us/r1010/027/Music/9c/24/12/mzi.wrstuwb.aac.p.m4p'
Result:
Connecting to a1.phobos.apple.com|*.*.*.*|:80… connected.
HTTP request sent, awaiting response… 200 OK
Saving to: “mzi.wrstuwb.aac.p.m4p”
100%[=============================================================>] 462,781 256K/s in 1.9s
2010-06-17 13:12:11 (256 KB/s) – “mzi.wrstuwb.aac.p.m4p” saved
After downloading, the ringtone can be listened to or added to iTunes.
How can Apple fix this?
- Use https instead of http (takes only a little time more to solve)
- Shorten the preview for ringtones
- Add effect in preview which is removed in the download version.
Paper: introduction to file carving
This paper was written a while ago and formed the base of a File Carving workshop held at ITUnderground 2009.
Have fun with it, and if you like to do some research: go file carving on VMs provided by vendors. The results can be quite fun.
If you have found some nice results, please share it with the community and I will publish it on the blog.
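As an added illustration of the header/footer carving technique the paper and workshop are about (this is example code written for this post, not the paper's own tooling), the following carver scans a raw image for JPEG and PNG signatures and cuts out every complete file it finds. The disk image, the embedded files and the signature table are all constructed here; the approach is the same one you would run over a vendor VM's virtual disk exported as a raw image.

```python
"""Minimal header/footer file carver (constructed example, not the paper's code)."""
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Header and footer byte signatures for the formats we carve (real magic values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),                  # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),       # PNG magic ... IEND chunk + CRC
}


@dataclass
class CarvedFile:
    kind: str      # signature name from SIGNATURES
    offset: int    # byte offset of the header in the image
    data: bytes    # header through footer, inclusive


def carve(image: bytes, max_size: int = 10_000_000) -> List[CarvedFile]:
    """Return every header..footer span found in `image`, ordered by offset.

    A header without a footer within `max_size` bytes is skipped: the file is
    either truncated or its footer lies beyond the search window.
    """
    found: List[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # no footer in range: move past this header
                continue
            end += len(footer)
            found.append(CarvedFile(kind, start, image[start:end]))
            pos = end                    # continue after the carved file
    found.sort(key=lambda c: c.offset)
    return found


def write_carved(files: List[CarvedFile], out_dir: Path) -> List[Path]:
    """Write each carved file as <offset>.<kind> into out_dir and return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for f in files:
        p = out_dir / f"{f.offset:08x}.{f.kind}"
        p.write_bytes(f.data)
        paths.append(p)
    return paths


# --- Constructed test image: filler, a JPEG-shaped blob, slack, a PNG-shaped blob, filler.
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
PNG_BLOB = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 30
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FILLER = b"\x00" * 128
DISK_IMAGE = FILLER + JPEG_BLOB + b"\x5a" * 64 + PNG_BLOB + FILLER


if __name__ == "__main__":
    for f in carve(DISK_IMAGE):
        print(f"{f.kind} at offset 0x{f.offset:x}, {len(f.data)} bytes")
```

The carver only recovers contiguous files: a fragmented file, or a stray header whose real footer is missing, yields either nothing or a span that runs into the next file's footer, which is why real tools validate the carved structure (JPEG segment markers, PNG chunk lengths and CRCs) before trusting a hit.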
The war on SPAM – Dutch episode
A few of the customers I work for are using great solutions to fight their SPAM. IronMail, McAfee or the WatchGuard XCS are some of the products they work with. These devices are successful in blocking SPAM. At a certain time, there was a giant increase in the amount of SPAM. After investigating the messages and the different sources, I discovered that many e-mail addresses of that specific company had been compromised.
We all know that in many cases we warn users not to use their work e-mail account for subscriptions, newsletters etc. Or, if you are lucky, it’s described in the user’s security policy. In this case it was different. Performing research on how they retrieved so many e-mail addresses, surprise (not), I ended up on some Russian underground forums. On these forums, several bulk files with e-mail addresses were sold to the highest bidder. One of the files contained more than four million captured e-mail addresses. After infiltrating I managed to get a copy of this file and started to analyse it. With the APT attacks on many companies fresh in mind, this file contained many interesting e-mail addresses that could be used in an APT campaign.
Focusing on the Netherlands, I discovered that many e-mail addresses from Dutch universities, a department of the Government, a research facility and the Centre for Work (CWI) had been harvested.
It doesn’t mean that they were compromised, but somehow, by scraping forums, search engines, scripts or maybe a hack, the people of that Russian forum managed to gather an interesting list of potential (SPAM/malware) targets for APT attacks.
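The analysis step described above, checking a harvested address dump for your own organisations' domains, as an added example (written for this post, not the author's script): the dump is normalised, deduplicated, counted per domain and matched against a watch-list. The address list and the watched domains are constructed sample data using reserved example names.

```python
"""Summarise a harvested e-mail address dump per domain (constructed example)."""
import re
from collections import Counter
from typing import Dict, Optional, Set, Tuple

# Constructed sample of a harvested list: mixed case, duplicates, junk lines and
# malformed entries, as such dumps usually are. Not real data.
SAMPLE_LIST = """\
alice@uni.example
Bob@UNI.example
carol@ministry.example
dave@research.example
alice@uni.example
not an email
erin@@broken.example
frank@uni.example;
"""

# Domains we are responsible for and want to be alerted on (constructed watch-list).
WATCHED_DOMAINS: Set[str] = {"uni.example", "ministry.example"}

# Deliberately strict pattern: one '@', plausible local part, dotted domain.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9.-]+\.[a-z]{2,})$")


def normalize(line: str) -> Optional[str]:
    """Lower-case and strip trailing list separators; return None for non-addresses."""
    candidate = line.strip().rstrip(";,").lower()
    return candidate if EMAIL_RE.match(candidate) else None


def summarize(raw: str, watched: Set[str]) -> Tuple[Counter, Dict[str, int]]:
    """Count unique addresses per domain and report which watched domains appear."""
    seen: Set[str] = set()
    per_domain: Counter = Counter()
    for line in raw.splitlines():
        addr = normalize(line)
        if addr is None or addr in seen:
            continue                      # skip junk and duplicates
        seen.add(addr)
        per_domain[addr.split("@", 1)[1]] += 1
    exposed = {d: n for d, n in per_domain.items() if d in watched}
    return per_domain, exposed


if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LIST, WATCHED_DOMAINS)
    for domain, n in counts.most_common():
        flag = "  <-- watched" if domain in hits else ""
        print(f"{n:6d}  {domain}{flag}")
```

On a multi-million line dump the per-domain counts are what tell you which organisations to notify; the addresses themselves only need to leave the analysis box for the domain owner's own abuse contact.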
Virtualization used in terrorist propaganda campaigns
The use of virtualization can have great benefits. Many books and articles have been written about this topic. It is a technique that can reduce costs. As with many other techniques, it can also be used for the ‘dark side’.

It is known for some time that in the Middle-East, young people are recruited on digital forums which have affinity with terrorist groups like Al-Qaeda. With colorful banners and movies, the ‘heroic’ actions of martyrs in Iraq, Afghanistan, Nigeria and Bosnia are promoted. They deliver a good service by spreading the movies in all type of qualities so that spreading by cellphones is easy and not so visible as downloading. Even if some sites are blocked, they will find a way to spread. A great example was a page on a forum where you could click on certain words of a religious text. By clicking on these Arabic verses, some illegal versions of software and/or movies could be downloaded.
In a closed and private part of the forum, they offered the latest version of virtualization software, including a ‘prepared’ Virtual Machine ‘for terrorists’. In the included manual the authors explained how to install and use the VM. After installation, the manual explains how to upload the action videos, for example to YouTube, and how to circumvent the filters YouTube applies. The manual also stated that after uploading the ‘promotion videos’, the VM should be securely deleted and a new one built for other actions.
Investigating computer systems that have used the installed VM as a stepping stone could be difficult. Investigation of this kind of system could be interesting and challenging.
Black Hat presentation and whitepaper
Here is the link to the presentation I did on Virtual Forensics: Virtual Forensics presentation
Watch out! It’s in the Penetration Document Format (aka PDF).
The whitepaper can be downloaded here:
paper Virtual Forensics BlackHatEurope2010