Wild Wild West – 12/2014

Added the following packs:

Null Hole
“Hanjuan EK”
“Archie EK”
“Astrum EK”
“SedKit”
“SPL2 Pack”

Special thanks to Kafeine for his valuable input.

wildwildwest_1214

Posted in Exploit Packs | Comments Off

Registry Dumper – Find and Dump Hidden Registry Keys

The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.dll to execute Javascript and the second was using a method to hide/protect their registry keys. I’ll be focusing on the second method.

The technique of hiding/protecting registry keys using a non-ASCII character goes all the way back to over a decade ago. It’s remarkable in a sense that after all these years, it still works on the latest Windows platform.

Here we see the built-in Windows Registry Editor choke on the hidden/protected key after infecting the computer with Poweliks.

2014-12-06_01

Clicking past the error dialog, you should see something like this. This default key is exposed and fully downloadable/viewable. However, there’s another key that contains the “trigger” that’s not visible.

2014-12-06_02

If we need to research what this particular malware is doing, we ought to find out what else is hiding there. For that we need to find a tool to help us view these hidden registry keys.

With online registry viewers/editors, you can get mixed results. Some seem to work well but lack some basic functionality like exporting keys as text. Others get confused and display the wrong key.

2014-12-06_03

2014-12-06_04

2014-12-06_05

Offline registry viewers/editors fare much better and offer consistent results. However, you will need to log into a separate account on the computer and use this tool. Or you have to copy the registry off of the infected machine and view it on a computer with the tool installed.

2014-12-06_06

I prefer to do an initial triage on the live machine and get to the data as quickly as possible. Since I couldn’t find a portable, online tool that had the features I wanted, I figure I would try my hand at creating one. The tool is called Registry Dumper and uses a DLL which interacts with the registry via NT native APIs that was written by Hoang Khanh Nguyen.

2014-12-06_07

This tool allows you to scan for null characters in a given path. It will iterate through the path to find all the keys with nulls in them.

2014-12-06_08

If you click on the “Show in Hex” checkbox, you can see the key names in hex. Here you will notice that the second entry’s name is “010001” which is equivalent to 0x01 0x00 0x01. This is impossible to view, edit, or delete using the Windows’ Registry Editor.

2014-12-06_09

From here you can copy/paste the path over to the left side and dump the keys to a text file.

2014-12-06_10

Here’s the text file containing all the key values in the given path.

2014-12-06_11

With this tool you can create hidden keys for testing purposes. And if you wanted to delete that impossible-to-remove key, you can use this tool by entering “[x01][null][x01]” as the key name.

2014-12-06_12

The obfuscated data you see there is the result of running it through Microsoft Script Encoder. To deobfuscate it, you can use an online decoder or download a VBS decoder. A fellow by the name of Lewis E. Moten III wrote a decoder program. I repackaged his function in the following tool.

2014-12-06_13

Here is the decoded version. You will notice that I didn’t have to strip away everything else but the encoded string. The decoder program will look for the start and end markers of the encoded text and replace it with the decoded result.

2014-12-06_14

Just recently, a newer variant of Poweliks was found. It uses a different registry hiding technique based on user permissions. You can read about it here.

If you use this tool to access one of these keys, you will get an error message saying that the key doesn’t exist. It does exist but it’s just that it doesn’t have the rights to view it.

2014-12-06_15

Here’s the permission properties of the key using the Windows Registry Editor. Notice that the current user has no read permissions.

2014-12-06_16

You can still use this tool to dump the keys but you first need to grant permission to the user account that’s running the tool. Just click on the Set Permission to User button and the permission is changed to allow the current user the rights.

2014-12-06_17

Now you can access the key:

2014-12-06_18

Here is the dump of the keys:

2014-12-06_19

And the decoded string:

2014-12-06_20

By the way, that Javascript in the “(Default)” key can be deobfuscated easily using Converter. You will see that the value in between the quotes are shifted over by one character (e.g. the word hello = ifmmp). Just enter the value “-1″ and click on the SHIFTx button (or you can click once on the minus button on the right).

2014-12-06_21

You can download both tools here.

Posted in Malscript, Tools | Tagged , , , | Comments Off

Securing KeePass with a Second Factor

Cybercriminals are now stealing password managers so it’s time to make them more secure. You can check out this article for details about how it’s being done.

I wrote this up as a guide to help friends secure their password manager by implementing a second factor. The second factor will come in the form of a USB token that you insert into your computer when you need to run the password manager. If your password manager database and master password gets stolen by Citadel or anything else, criminals won’t be able to open the database without the physical USB token you have in your possession.

Two popular password managers are currently being stolen based on the article above — Password Safe and KeePass. There is a nice walkthrough on Yubico’s website on how to enable YubiKey for Password Safe here. YubiKey can also be used to secure LastPass, Passpack, and others.

Getting YubiKey and KeePass to work was a little tricky so I’ll be describing my experience here.

Requirements
1. YubiKey made by Yubico

What’s great about the YubiKey hardware is that it supports a number of use cases such as computer logins, disk encryption, and web applications like WordPress, Google, and others. Unfortunately, not all YubiKey hardware supports all applications so be sure you pick up the right YubiKey hardware.

There are basically two types of hardware and the one you want to get to protect KeePass will either be the Standard or Neo version. The FIDO U2F Security Key doesn’t appear to support the protocol we need.

2. YubiKey Personalization Tool

This software program will allow you to configure your YubiKey. We will be configuring the second slot since the first slot is apparently reserved according to Yubico’s website — “Re-programming your YubiKey’s 1st configuration slot will overwrite the YubiCloud configuration, and you cannot undo this action!”

3. KeePass Professional Edition

You may need to install Microsoft .NET Framework 2.0+ if it’s not installed already.

4. KeePass plugin

You have a choice between two different security models — One-Time Pad (OTP) and Challenge-Response. Here are the links to the KeePass plugin that you’ll need:

OtpKeyProv
KeeChallenge

If you decide on the OTP method, you can follow the instructions on Yubico’s website. It works but I had trouble. I had it generate three sets of OTP values which required three button presses on the YubiKey. Using the YubiKey Neo version, it worked most of the time. With the YubiKey Standard version, it rarely worked for some reason. I think it has something to do with how quickly you can press the button to generate the values. Tinkering with the OtpKeyProv settings (e.g. counters, look-ahead windows) did not yield consistent results but YMMV.

I opted for the Challenge-Response method via KeeChallenge which I’ll be describing here. With KeeChallenge, I didn’t have any problems like I did using the OTP method.

The KeeChallenge plugin can be downloaded directly from here. You will also need to download the latest YubiKey-Personalization release (download both Windows 32- and 64-bit versions) from Yubico. This was the part that I got hung up with but a helpful tip on a discussion board provided the solution.

Setting Up YubiKey
Install and run the YubiKey Personalization Tool then plug in the YubiKey into an available USB port.

2014-11-26_01

Click on the Challenge-Response menu item at the top then click on the HMAC-SHA1 button.

2014-11-26_02

Click on the Configuration Slot 2, ensure user input is required, and the fixed 64-byte input is selected. Click on Generate then on the Write Configuration buttons. You should get feedback that the configuration change was successful.

2014-11-26_03

Make sure you copy and backup the secret key you generated! You will need this to setup KeePass as well as to regain access to your database should YubiKey fail for some reason. Store this in a safe place, preferably printed on paper and definitely not stored on the same computer that you’ll be using KeePass on.

If you want to set up multiple YubiKeys to work with the same KeePass database, just use the same secret key and write the change to the configuration.

That’s it for the YubiKey setup.

Setting Up KeePass and KeeChallenge
Download KeePass as well as the KeeChallenge plugin and Yubico’s YubiKey-Personalization release.

Install KeePass and go to the folder. Copy over the files and folders from the KeeChallenge plugin into the KeePass folder so it looks like this (the items in red belong to KeeChallenge):

2014-11-26_04

Open the folder called “32bit”. See those DLL files? Replace them with the ones from the YubiKey-Personalization files you downloaded (the DLL files are located in the bin folder). Do the same for the 64-bit files.

Start KeePass and create or open an existing database.

2014-11-26_05

Click on File > Change Master Key. Enter a new master password (twice). Click on the “Key File / Provider” checkbox and choose “Yubikey Challenge-Response”. Click on OK.

2014-11-26_06

You will be asked for the secret. Paste the secret key you generated when you configured your YubiKey.

2014-11-26_07

You will then be prompted to plug in your YubiKey if it’s not in already.

2014-11-26_08

Tap the button on your YubiKey when you see this prompt on the screen.

2014-11-26_09

Setup is done!

Usage and Recovery
To use KeyPass going forward, enter the password and ensure the Key File option is checked and set to YubiKey Challenge-Response.

2014-11-26_10

Insert your YubiKey and tap on the button to log in.

2014-11-26_11

You’re in!

2014-11-26_12

If you lose your YubiKey, it broke, or you just can’t log in using it for whatever reason then unplug it, enter your password, and click OK. You will see this prompt. Choose “Recovery Mode”.

2014-11-26_13

Enter the secret key and click OK.

2014-11-26_14

And you’re back in!

2014-11-26_15

You can feel a little more at ease now while shopping online!

Posted in Awareness | Tagged , , , , | Comments Off

Drupal 7 SQL Injection Info

There’s a lot of sites covering this vulnerability but I wanted to document some indicators for anyone who might need it.

Resources
Drupal Security Advisory
Drupal Public Service Annoucement
Drupal Documentation on “Your Drupal Site Got Hacked. Now What?”
Drupal Site Audit
Volexity Blog
Sururi Blog

What follows is a brief walk-through of evidence found on a couple of compromised hosts. YMMV.

Incident Response
Logging into phpMyAdmin and checking out the “users” table. Two accounts were created. The “drupaldev” account seems to have been found on many compromised hosts.

2014-11-02_01

There was one host that had hundreds of accounts. What made the malicious accounts stand out was the missing mail field. This would occur if the user could get past the requirement on the registration page or if the account was added directly to the table.

Going to the “sessions” table, there’s one entry with the “uid” that matches the account created by the attacker. You can find out the attacker’s IP address this way.

2014-11-02_02

Here’s info on this IP address:

2014-11-02_03

The firewall logs showed activity over port 8888. If you visit the IP:port, you get this site:

2014-11-02_04

Looking at the webserver logs, we can see POSTs hitting the user/login file on the host. The server 500 errors probably indicate a failed first attempt.

2014-11-02_05

Going back to phpMyAdmin, a quick search for “.php” was done across all of the tables.

2014-11-02_06

There was an entry found in the “menu_router” table which seems to be a very common indicator.

2014-11-02_07

Clicking on the link, you can download the blob.

2014-11-02_08

Going to the file system, there is a directory called “README.txt” with a php file inside. The folder and file names appear to be random but the script itself is the same as what others have reported.

This PHP script is particularly interesting, it’s a simple backdoor that’s triggered by a cookie. Sucuri covered this awhile ago.

Here’s a cleaned up version. If you hit the script straightaway, you will get the results of phpinfo(). If you wish to send your own commands, you need to pass three variables. The “Kcqf3″ variable contains a value that triggers the script. The second variable “Kcqf2″ will be preg_replace. “Kcqf1″ contains the command. I imagine the attackers might send commands along the lines of uname, wget, curl, etc.

2014-11-02_09

I wrote a program to craft HTTP requests and can include my own cookie values into the header. Here, I’m sending the phpinfo command and you can see the result in the background. What stands out is its simplicity and cleverness.

2014-11-02_10

You could create an IDS rule to look for HTTP requests that contain a cookie with the value “preg_replace” and detect/block those coming in. You can then follow up on the targeted host to see if the backdoor is there.

Good luck!

Posted in Malscript | Tagged , , , | Comments Off

Tools Update

No significant updates, just several enhancements and bug fixes to four tools:

Converter
– Added new features to Custom PHP Search/Replace
– Added Convert Word (to decimal) feature
– Enhanced Key Search/Replace input checking (see Data Converter changes)
– Improved Beautify Generic routine
– Updated some labels to provide more clarity
– Fixed PHP decoder toggle
– Fixed Base64 by Delimiter option to handle nulls
– Fixed unescape issue by removing ` replacement
– Fixed Character Frequency array function to remove last item
– Fixed Base64 to Text function to properly handle CRLFs

Data Converter
Thanks to Thijs Bosschert for his suggestions. I still need to look into his additional enhancements without slowing things down but for now:
– Split by single char if key value is text
– Split every two chars if key value is hex
– Remove spaces and commas if input value is hex

Scout
– Added –ignore-ssl-errors=true option to PhantomJS call

Sounder
– Added –ignore-ssl-errors=true option to PhantomJS call

Thanks for your support!

Posted in Tools | Comments Off