It’s been some time since I’ve poked my head up and tried to write something technical online. In December I gave a walkthrough of a CTF VM that I developed for a local CTF. I didn’t fully finish the walkthrough (there’s a lot!). In this part, the technical challenges start to spice up, involving knowledge of data type overflows in PHP and reverse engineering Linux ELF files. I really enjoyed making this challenge, although sometimes I feel I made it a little too abstract, especially with the integer overflows and login flags, but nevertheless, it was a learning experience! I apologise to anyone who can’t follow my writing, I’m not the greatest writer. I left the last post, which you can find here, where we were on a login screen. It looks a bit like a famous web shell, at least the theme on the web response does, perhaps not the functionality.
I recently made a VM for students at a CTF in London. Sadly, some reportedly used hex editors to get some flag values; it’s a shame for them that they couldn’t find the last two flags because they involved reverse engineering. I decided to release this to the public before the event, but let the event run before releasing to ensure no one got ahead. There are a load of different challenges aimed to make the most intelligent student question wtf is going on. This VM was intended to be one of the harder ones compared to other virtual machines available to students. I made this VM in my free time and am a bit busy at the moment, I apologise for any errors or if anything is broken! Note: I’ve written this in the evening, there will be errors.
I was unsure whether to publish this. I’m no fan of marketplaces on anonymous networks like TOR, especially ones which decide to sell weapons that could harm someone. While this vulnerability is interesting, I don’t think there’s any real value to it that makes it worth keeping secret. I have already informed the developer of the forum software but it seems very inactive; the last update was last year and the forum is very quiet. Many forums on the internet must use this particular vulnerable software, but I came across it through using an anonymous network, TOR. ‘Dream Marketplace’ and ‘Traderoute’ both use this forum software. There are many little parts that I’ve found that are fairly uninteresting but allow you to understand more about the marketplaces (confirmed environment, like version etc.). For now I want to discuss the problems that face accounts using this software. Some notes before I get on with the technical discussion.
Over recent weeks I have been analysing threats that just come at me, from my personal email to friends who alert me when they see something suspicious. The techniques used are rudimentary and have been done for many years; the peculiar thing about these techniques is that they still seem to evade some antivirus solutions and even email protection providers. Google, the largest provider in emails, has a sophisticated system which is used to identify malware, but some samples I witnessed were not picked up by the email provider; instead they were deemed clean. I’m going to discuss how you can analyse malicious PDFs and Office documents without a sandbox. Sandboxes are great, but sometimes can give you little information about what you actually need; new patterns, new techniques and new C2s are sometimes not picked up by sandboxes. Sometimes it’s best to go deep; luckily for us, the PDF and Microsoft Office formats are actually remarkably simple to understand. There are many other factors we can use to understand malicious items; one common choice is entropy. This can be true in the PDF format: the PDF format has something called ‘streams’, and these streams are compressed.
Large amounts of samples simply rely on the user accepting the PDF attachment, thus there is not much content other than the ‘Embedded Object’, text and format specification requirements. Reviewing the entropy of files that are both PDFs shows us that there is a large amount of compressed data; in fact, this is a Word document, so is a compressed file itself as a zip. The difference in the amount of red (red indicating the highest amount of entropy) between a malicious PDF and a benign PDF is clear; although this cannot be a huge indicator, it can help analysts quickly identify possible malicious documents. Large portions of highly compressed data cannot be images; in fact, this sample is primarily the embedded object.
If you open a PDF in a hex editor or a text editor you may be pleasantly surprised to find a surprising amount of ASCII strings allowing you to understand the format; in fact, hex combinations are not used to define different parts of the format. It is clear the most important parts of PDFs are primarily the streams; streams can be many things but are where payloads primarily reside. I don’t want to give complete indications because of exploits and you can never say never with file formats. Adobe’s PDF File Format manual is over 1,000 pages and you’ll be surprised to learn I haven’t read all of it. Streams are very important and can be identified through ASCII strings; terminators are set to the hex 0xA throughout the PDF format. The ASCII strings are fairly easy to distinguish: stream, endstream, obj and endobj. We can also clearly see that one of the first objects specified in this PDF is an image, but this is unimportant to us; it’s completely dwarfed by the embedded object.
The embedded object is clear to see, much like the image. In stream objects we should also be sure to look at the Filter ASCII string, as its parameter is important in decoding or inflating the content. There are multiple variants of what the format could do; I’m not sure if it’s a complete list but you can find variants in a list in this resource. You can see at the end of this stream we also have some clear indications of an embedded object; this is our payload, a Word document which has macros. We have an indicator of compromise simply by looking at the first stage of infection, the PDF. The name is set as we can see; look for “.docm”.
Embedded objects are pretty big indicators that something fishy is going on, but they are not the only streams that we can rely on; there are many different types of functionality a PDF can perform and one of them is Adobe’s JavaScript functionality. With this JavaScript functionality we can achieve what an image above shows; although prompting the user with this message is dangerous, it must work somewhat for them to use this technique. It can be convincing enough if done correctly. The problem is this PDF was attempting to be seen as an image, using IMG_[random numbers here], which doesn’t really fall into place when you have to open a PDF and then accept you want to open a Word document of some description. The ‘FlateDecode’ filter is zlib with Default Compression set; the hex value 0x78 is an indicator of zlib/deflate/gzip (there are differences, but very minor, if you know, go you!). The second value fully identifies zlib: Default compression is 9C, low or none is 01 and best is DA. If you want to know more about zlib, give the format specification a look over. There are some variant headers for zlib I must add, but these are the main ones to look out for if you’re manually analysing. There are multiple instances of 0x78, 0x9c in the file; this is also confirmed when I use a small tool to analyse the data to confirm it’s compressed data. In this example, I’m looking at the JavaScript of the PDF, highlighted in the picture; it’s small but we can see the magic number for zlib default compression. The plaintext JavaScript is essentially attempting to launch the dialogue from the picture above, also giving indicators of compromise by referencing document or embedded object strings. The actual embedded object is a confirmed Word document; I analyse it through a hex editor and find it has ‘PK’ at the start, associated with zips, but Office files have contents encapsulated in zips.
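The manual checks described above (the obj/stream markers, the Filter name, the 0x78 zlib header byte pair, and the ‘PK’ and “.docm” indicators) can be scripted. This is an added Python example, not code from the original post; it runs over a constructed, inert PDF-like byte string, and the function names, sample contents and indicator list are assumptions made for illustration.

```python
import re
import zlib

# Second header byte after 0x78, using the values listed in the post.
ZLIB_LEVELS = {0x01: "low/none", 0x9C: "default", 0xDA: "best"}
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*\[?\s*/(\w+)")
# Assumed indicator list, drawn from the strings the post points at.
INDICATORS = (b"/EmbeddedFile", b"/JavaScript", b"/JS", b".docm")


def triage_pdf(data: bytes) -> list:
    """Return one finding per 'N G obj ... endobj' block in the file."""
    findings = []
    for match in OBJ_RE.finditer(data):
        body = match.group(2)
        stream = STREAM_RE.search(body)
        dictionary = body[: stream.start()] if stream else body
        raw = stream.group(1) if stream else b""
        filt = FILTER_RE.search(dictionary)
        entry = {
            "obj": int(match.group(1)),
            "filter": filt.group(1).decode() if filt else None,
            "zlib": None,
            "inflated": b"",
        }
        # Magic-number check: 0x78 followed by a known level byte.
        if len(raw) >= 2 and raw[0] == 0x78:
            entry["zlib"] = ZLIB_LEVELS.get(raw[1])
        if entry["filter"] == "FlateDecode":
            try:
                # decompressobj tolerates the EOL left before 'endstream'.
                entry["inflated"] = zlib.decompressobj().decompress(raw)
            except zlib.error:
                pass  # damaged or not zlib: keep the raw-level findings only
        haystack = dictionary + entry["inflated"]
        entry["indicators"] = [i.decode() for i in INDICATORS if i in haystack]
        # Office documents are zip containers, so an inflated 'PK' is notable.
        entry["zip_payload"] = entry["inflated"].startswith(b"PK")
        findings.append(entry)
    return findings


def build_sample() -> bytes:
    """Constructed, inert PDF-like bytes (no xref table, placeholder payloads)."""
    script = zlib.compress(b"// constructed placeholder naming IMG_0000.docm\n")
    embedded = zlib.compress(b"PK\x03\x04constructed placeholder, not a document", 9)

    def stream_obj(num: int, extra: bytes, payload: bytes) -> bytes:
        head = b"%d 0 obj\n<< %s/Filter /FlateDecode /Length %d >>\nstream\n"
        return head % (num, extra, len(payload)) + payload + b"\nendstream\nendobj\n"

    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n",
        stream_obj(2, b"", script),
        b"3 0 obj\n<< /Type /Filespec /F (IMG_0000.docm) /EF << /F 4 0 R >> >>\nendobj\n",
        stream_obj(4, b"/Type /EmbeddedFile ", embedded),
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    for finding in triage_pdf(build_sample()):
        print(finding["obj"], finding["filter"], finding["zlib"],
              finding["indicators"], "zip" if finding["zip_payload"] else "")
```

The stream regex ignores `/Length` and stops at the first `endstream`, which is enough for triage but will mis-split a stream whose compressed bytes happen to contain that marker.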
Hopefully you learnt something from the blog post. 🙂
One of the far simpler techniques I’ve seen from malware as of recently; many from Hackforums would do something like this in a .NET language, but it seems to still be slightly effective with AV detection (although, when I analysed it the detection rate was very high). The particular variant to come out of this unpacking was ‘Shade Ransomware’, which has been a prominent strand from around 2014. Shade ransomware is spread like many other ransomware through email attachments and exploiting vulnerabilities on a client’s machine. When a user is infected, you will see your desktop background replaced with a set of instructions. These are in what I assume are Russian and English. You will be provided a unique identifier which you must send to an email address to be able to receive help for decryption of your important files. The actual ransomware will not be analysed in this post, although possibly a follow up post will show us more about the ransomware internals. For this post, I am concentrating on the initial infection, in how it unpacks rather easily. The hashes and links to analysis will be available at the bottom of the blog post.
Since Mirai, security researchers and the telecoms industry have become far more aware of the security risks that routers produce, especially from ones with poor security. Mirai highlighted how incompetency had led to mass infections around the world which allowed individuals with limited knowledge in computing to carry out devastating attacks on corporations/governments and most importantly complete countries. Well, it seems that routers can still help malware, but in a different way. Although security considerations are taken into account in modern household routers, they can still be utilised to identify an individual. This security issue also led me to think about how dangerous it can be to actually stay connected to your home network, in which you rely on your router to not identify you from your client. Many considerations are taken on the client aspect of a network, your own PC. Many privacy advocates would say the best way to stay safe would be to install Tails, with all traffic through TOR by first connecting to a VPN. But little is talked about the first step of actually getting online and the security issues that may occur if not correctly set up from there. Custom router firmware is around, but very few use it; instead we rely on telecoms to keep our gateway to the internet safe. Spoofing your MAC address is something else that many practice when carrying out nefarious behaviour, but without a custom piece of firmware, your router will always show its own MAC address when requested correctly.
So why is it so interesting that a household router leaks information without authentication? It is true that logins could be intercepted by malware, but not many people log in to their router interface often and so you could be waiting a long time. The information that is leaked in this particular household router, a TALKTALK one, allows malware to do far fewer calls than it needs to. Many pieces of malware will search for an external IP address by using an HTTP request to a ‘what is my ip address’ type site, reading the response which could be inaccurate and from a VPN or proxy. With one HTTP request (of course, assuming that the infected client has this particular router firmware) we can understand their external IP address, DNS servers used on the router, the MAC address of the router and the router’s default gateway. We can also learn some less important things like the SSID of the router, but the most important ones are things we can uniquely identify a user from, even when they have installed such strong protections on their computer. The one caveat to this is of course that the actual attack vector is fairly small; although TalkTalk is a large ISP in the UK, a targeted attack would only really gain from this. Either way, to me, it is bad privacy design.
So with all that talk, let’s give you a picture of me showing you information that can be retrieved unauthenticated. Don’t worry just about your PC, worry about the security on your router and how they give out information.
Remote administration tools are used often in many attacks, from entry points to APT attacks to the teenager in the bedroom; it is still a popular class of malware used today to infect systems. Nanocore has had many owners since its inception and has had many alterations and changes put upon it; when the cracked version of Nanocore was released it provided many criminals the ability to use the tool for free. Many now utilise the cracked version as it’s openly available, free and fairly powerful in features. The most popular cracked version, although there are many variants, is the “Alcatraz” crack, which was produced by a prominent reverse engineer. This crack is using the version 1.2.2.0, which is fairly old compared to how many revisions Nanocore has since had. There has been much research on Nanocore due to it being used in attacks; one such piece of research is from ‘Kevin’, who in 2014 talked about “decoding” the config of Nanocore. The cracked version uses this old way of holding configuration and so is trivial to extract; later versions have implemented different ways of retrieving configuration.
I was recently browsing on Hybrid Analysis and decided to take a poke at this sample; what made me interested in it was the call of “certutil.exe”. I was browsing the various subroutines when I found a fairly long subroutine which had some obvious indicators of deobfuscating strings; the repeated use of a ‘key’ was one clue I saw. I call this a ‘banker’ as I used that as a search term on Hybrid Analysis; I have yet to confirm this is used to target a user logging into a bank. We could use dynamic analysis to figure out every single string but this would be laborious in logging every return compared to copying the string table and working from there. The sample also seems to have various anti-analysis techniques implemented within it; although not in this case, it can sometimes be best to compartmentalise and be realistic about what is the best option in getting information on the sample.
We push four arguments to our calls: these are the length of the input string we wish to deobfuscate, the input string offset, the length of the key and the offset to our key. I’m using key loosely because the individual characters are used as a key; key pool would be a more appropriate term. It is a fairly small function, which sometimes isn’t the case with malware. It is an obvious for loop, as we are looping and producing a comparison in the early stages to check whether the length of our inputString has been reached or not. We set a char pointer for one of our characters in the key pool, dependent on EDX, and iterate through these by the length of the key string. It is modulated in every iteration, which is fairly common in cryptographic algorithms, so that it wraps back around to potentially handle any length of input. We also get a single character from our input string in preparation for the main operation; every character from our input string is treated separately and has its own iteration.
We then use a famous XOR operation to manipulate the value that we return. It is quite common to see this used in malware samples and it is fairly trivial to rewrite code to deobfuscate such strings, but we have an interesting choice from the developers in which most of the strings also include complete junk which we do not want to return when deobfuscating our string; this may be used to defeat automatic methods of malware detection. By XOR’ing the values with the initial string, you will get exceptions in the code. The string has every number from 1-9 but we need to also include 0 when we try to reproduce our string deobfuscation as well due to modulation; this is something static analysis may not have clocked. If we print our strings without exception handling we get results like this.
The actual subroutine where this all gets called from is rather wasteful; instead of implementing some sort of loop over an array of these strings we are instead presented with a long branch of code which repeatedly calls the same function with a separate input string. This leads to IDA having a very scary looking function which, in fact, is very simplistic and could be shortened considerably.
I have decided to use Python as I am very comfortable with it at the moment and the script I produce can be implemented into an IDA script. Reproducing the values that IDA had provided, appending the 0, and ensuring when we hit an exception to return the string, the deobfuscation worked. I confirmed that the deobfuscation worked with strings that had hit an exception by live debugging the sample and replacing the origin of the EIP. Here I was able to give a comparison of the compared results in which I saw the junk characters were ignored. The finished result was produced by copying all the string table lines into a text file, removing parts of it that were not relevant and then feeding this by reading it from the Python script. The end result was successful.
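A sketch of the deobfuscation loop described above, added here and not the author’s script. It assumes the key pool is the ASCII string `1234567890`, that each input byte is XORed with `key_pool[i % len(key_pool)]`, and that the junk tail begins at the first byte that decodes to a non-printable value (standing in for the exception handling the post mentions); the `label: hex` table format and the sample blobs are constructed.

```python
# Assumption: digits 1-9 as seen in the listing, with the 0 appended as the post describes.
KEY_POOL = b"1234567890"


def deobfuscate(blob: bytes, key_pool: bytes = KEY_POOL, stop_at_junk: bool = True) -> str:
    """XOR each input byte with key_pool[i % len(key_pool)].

    Assumption: the junk tail starts at the first byte that decodes to a
    non-printable value, so decoding stops there and returns what it has.
    """
    out = bytearray()
    for i, byte in enumerate(blob):
        value = byte ^ key_pool[i % len(key_pool)]  # modulo wraps the key pool
        if stop_at_junk and not 0x20 <= value <= 0x7E:
            break
        out.append(value)
    return out.decode("latin-1")


def load_table(text: str) -> dict:
    """Parse 'label: hexbytes' lines (hypothetical dump format); skip blanks and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        label, _, hexbytes = line.partition(":")
        table[label.strip()] = bytes.fromhex(hexbytes.strip())
    return table


def decode_table(text: str) -> dict:
    """Deobfuscate every entry of a cleaned-up string table dump."""
    return {label: deobfuscate(blob) for label, blob in load_table(text).items()}


def make_sample(plain: str, junk_len: int = 4) -> bytes:
    """Constructed test data: obfuscated text plus junk that decodes to 0x01 bytes."""
    body = bytes(ord(c) ^ KEY_POOL[i % len(KEY_POOL)] for i, c in enumerate(plain))
    junk = bytes(KEY_POOL[(len(body) + j) % len(KEY_POOL)] ^ 0x01 for j in range(junk_len))
    return body + junk


# Constructed string table; "certutil.exe" is the only string taken from the post.
SAMPLE_TABLE = "\n".join([
    "# label: hex bytes (constructed)",
    "str_0: " + make_sample("certutil.exe").hex(),
    "str_1: " + make_sample("constructed placeholder string", junk_len=7).hex(),
    "",
])

if __name__ == "__main__":
    for label, text in decode_table(SAMPLE_TABLE).items():
        print(label, repr(text))
    # Without the junk check the trailing bytes come back as control characters.
    print(repr(deobfuscate(make_sample("certutil.exe"), stop_at_junk=False)))
```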
Reading an article from The Guardian today I discover that Google finally plans to lower results from what are deemed as pirate or illegal (https://www.theguardian.com/technology/2017/feb/20/google-and-bing-to-demote-piracy-websites). It is obviously quite late and even in the article a spokesman says it is ‘no silver bullet’. The aim for this is to make it harder for users to find pirate material, but in recent years we see that blocking sites has no ill effect to piracy.
When The Pirate Bay was blocked by UK internet service providers most thought that this would be the end of the matter; these people were evidently not familiar with technology. Later on, multiple mirrors were provided by various anonymous identities across the internet to facilitate access to the site. It is now a cat and mouse game which is theoretically infinite. An unlimited amount of domains and refreshed IPs means that it is possible to provide others access to such a site, unless the media industry are able to block access to the torrenting site everywhere. It’s shown in a study, whether some agree or not, that blocking the site didn’t increase sales anyway (https://torrentfreak.com/pirate-bay-block-doesnt-boost-sales-research-shows-150604/).
The music industry in the 90s received a rude awakening from the internet when consumers started to pirate music on a mass scale, only recently providing alternatives to their traditional model of single sales. Ownership has been replaced by renting with services such as Spotify, which enable a user to stream music for a monthly fee but not actually own it. An academic study still states that streaming isn’t stopping piracy (http://www.sciencedirect.com/science/article/pii/S0969698916301849); had the music industry been too slow in implementing a suitable model for consumers to use rather than piracy? If we look at the Premier League, they have kept the same format of subscription for quite a while; only NOWTV (a match-by-match purchase alternative) was started four years ago. This is in contrast with Kodi, which has been developed since 2004 and is the source of a lot of piracy to everyday consumers, for which people purchase a ‘Kodi Box’, a familiar Android system which has apps enabling people to watch various content. There is correlation in sticking to a model between the music industry and the sport entertainment industry, although of course, you cannot ‘own’ sport entertainment. What is interesting to note is how slow industries are to react to piracy in an effective way, with most simply opting to fight fire with fire in my opinion.
Social media has a big part in information distribution in regards to piracy; it is also much harder to cut down on. Examples of this can be a YouTube tutorial on bypassing the block, Facebook users having a conversation or on Twitter where a link is shared. The most technologically minded users on these sites use their knowledge and pass it down, simplified albeit, to a non-technological audience to continue pirating. Multiple tech savvy users also produce websites linking football streams, which are then shared on multiple platforms like Twitter, Reddit and Facebook. This has left the entertainment industry with a still very large and hard issue: how can it be stopped? Blanket censorship on live stream sites is implausible; if it isn’t Twitter, Facebook or YouTube an alternative would be developed.
The word monopoly can mean different things to people; some see it as a positive, dominating in business and getting as much profit as possible compared to competitors. Others would see a monopoly as an ugly word, pushing prices up because of the market share a particular company has on a product, becoming more powerful and relentlessly attacking independent small businesses. The TV channels in the UK that cover The Premier League, arguably the biggest league in the world, have been consistently raising the prices of subscription fees to their services (http://www.mirror.co.uk/money/sky-prices-going-up-march-9658301) (http://www.independent.co.uk/news/business/news/subscription-costs-to-rise-after-skys-42bn-bet-on-football-rights-10121473.html) (http://www.wired.co.uk/article/bt-broadband-bt-sport-price-increases). This is mostly to stay competitive as the Premier League’s TV rights increase by 71% (http://www.bbc.co.uk/news/business-31379128).
Looking into Google trends we can see an interesting trend, when searching for ‘Sky Sports’ in Google Trends we can see a slight decline in interest overall as the graph depicts, this is because sport content has become available easily on the internet, alternative providers, be they illegal or legal.
The related queries for Sky Sports show the rise of piracy online with the big providers, showing one query being ‘cricfree sky sports’ and ‘wiziwig’. Wiziwig was subsequently shut down in 2015 (http://www.independent.co.uk/voices/comment/the-premier-league-has-shut-down-wiziwig-but-it-cant-keep-the-pirates-at-bay-for-ever-9959136.html) but alternatives with similar names cropped up early on; this is similar to what happened when Silk Road was shut down (http://www.theverge.com/2013/10/4/4799770/drug-dealers-set-up-mini-silk-roads-after-federal-bust) and Pirate Bay (excluding mirrors in this argument) (https://www.extremetech.com/extreme/195936-the-pirate-bay-revived-by-rival-isohunt-while-figures-show-no-decline-in-piracy-after-shutdown).
Looking at Google Trends for the term ‘Kodi Box’ shows us a very interesting picture. From late 2014, Kodi begins its appearance in Google search terms and begins to rise. It has had a slight decline but seems to have steady growth and is only one alternative in sport piracy, a hub for providers like cricfree and others alike.
Cricfree holds a range of different coverage of sports, but has a main audience of football. Its administrators are competent and well versed in censorship circumvention and it is by far the biggest source to find football via Flash streaming online at this moment in time. Cricfree’s trend peak was around March-April 2016, similar to Kodi’s trend which was set to 100 on Google’s scale. The correlation with the services’ rise can be, in my view, down to the announcements from media outlets on further price rises to services, most published in March to April 2016 (http://www.moneysavingexpert.com/news/protect/2016/03/customers-could-pay-72-extra-a-year-for-sky, http://www.express.co.uk/life-style/science-technology/655242/Sky-TV-Subscription-UK-Prices-Increase-June, http://www.mirror.co.uk/money/sky-tv-hiking-prices-again-7600479, http://www.telegraph.co.uk/bills-and-utilities/tv/how-to-avoid-sky-price-hikes/, https://recombu.com/digital/article/sky-price-rises-june-2016-sport-movies-bundles-increases).
Google Trends show that people still use Google so this policy is a step in the right direction? Well, if we look at social media to quantify the popularity, we can see that information is distributed in many ways. We cannot resolve this by censoring as there are too many sources; it depicts that we cannot always rely on technological solutions for technological problems. From 116 posts about ‘cricfree’ on Twitter which 99 users posted, 101,528 people were reached (I’ve used Keyhole.co for these statistics). A YouTube video which was showing users how to get BT Sport and Sky Sports for free on Android/iOS devices has 54,000 views in a year. Various football team subreddits, some of which have 50,000+ members, outline how to watch the game for free using Kodi and other equipment for a one-time cost. Facebook’s video platform is exploited often to show Premier League games; although shut down often, streams appear once again soon after the former is closed. So why is football piracy becoming so popular?
Football is undoubtedly the UK’s most popular sport and it has always been popular with the working class, as one study states, ‘at least from the 1890s on’ (http://www.pages.drexel.edu/~rosenl/sports%20Folder/Sport%20and%20the%20Working%20Classes.pdf). Due to the huge media coverage of football all around the world, ticket prices around the country have increased to a hefty sum; football stadiums have seen a gentrification from the 90s to the 00s and, with clubs starting to build new stadiums, it does not seem to be stopping (https://www.netbet.co.uk/blog/2017/01/23/football-money-gentrification-football/). With it becoming harder to pay for tickets at Premier League clubs and the price of subscription going up from TV companies, there is very little needed to explain why many are moving to piracy to watch games. Frustrated and angry with the franchise, many have little sympathy about content being pirated.
Most pirate sites vary in sophistication; many may steal or scrape links from other providers but streams must come from somewhere. There are many parts to the football piracy eco-system, where content is delivered from Flash, HTML5, Acestream or other P2P technologies. Cricfree use Akamai media content delivery for some livestreams, although they diversify the live stream sources to other operators as well; presumably copyright holders are fairly active in take down requests. These streams have blurred out corners to avoid forensic analysis on the subscriber (http://tech.thaivisa.com/this-is-bad-news-if-you-stream-premier-league-football-or-tv-broadcasts-online/18204/) and show that even media content distributors are unaware pirates are using their platform. With P2P technologies, soon developers will create an application that is intelligent, unable to be taken down and able to find HD or quality streams. Looking at Popcorn Time, it was so popular due to its ability to be like Netflix; Kodi apps are quite close to this, but consistency, quality and resistance to take down are features still lacking in many.
How could pirates make revenue to pay for their equipment and risk of getting caught? Overlay advertising within a stream during half time and in corners of the screen which are not too much of an annoyance to the user would be one. Cheaper subscriptions than “legal” providers is another path many are taking, namely the infamous Acestream streamer named bloodzeed. It is very plausible that a capable network of technologists and criminals can provide the world with a world beating sport streaming service which could topple big sport TV entertainment channels. Pushing Google results further is not the solution, the change of business for its target consumer. Learning from history, technology is able to circumvent any barriers that organisations may put up, including technical solutions like Cisco’s protection system (http://tech.thaivisa.com/this-is-bad-news-if-you-stream-premier-league-football-or-tv-broadcasts-online/18204/).
Many people already welcome sport streaming as they see legal products as too expensive. If a service prevails which is resistant to take down and provides HD content, the UK people will not be calling for it to be taken down, rather rejoice, as sport entertainment monopolists fall as they fail to engage sport fans. This cannot be solved by technology.
I notified the WordPress Team of a non-critical cryptographic flaw in their multi-site feature which can provide an attacker a vector for impersonation in certain special circumstances. It sounds like a very good vulnerability when I state impersonation but it’s non-critical; I will explain further in the article. WordPress multi-site allows you to manage multiple blogs (with different domains) in one place. This can be attractive to businesses with multiple installations of WordPress; it can also segment multiple teams that you may be managing, which is helpful. The vulnerability was reported on 26th September, to which they replied on the 28th. This research was for my job at insinia in which I was looking at possible attack vectors in a default installation of WordPress. I discovered many things on WordPress but have decided first to simply talk about the flaw that I found for simplicity and making things less cluttered.