Malzilla

August 26, 2008

Here is a pretty awesome tool to connect to links hosting malicious code, spoof your User-Agent settings, use a proxy, download malware, and deobfuscate and observe the source of hostile JavaScript. Pretty bad ass. The tool is called Malzilla. Then you can download the malware and analyze or reverse it.

This can be used with other tools like Fiddler, which is a web debugging proxy that can do all kinds of cool stuff.

Of course if you want to be sort of safe testing malicious links, run it through the Firefox plugin

Its Microsoft's fault

August 26, 2008

So the WIN32 platform, as you know, is based on modern code libraries. This is how large coding projects have evolved over the years: through the development of reusable code called libraries. The idea is you can create a chunk of code to do something, say draw a picture, and then every application developer can use that code if it's part of the base operating system.

This has grown and grown and grown over the years of Windows versions in the form of the WIN32 API and its associated .DLLs that come with every OS. Sounds great, right? Sure! Programming exploded, and you can google the stats for the impact of the software industry and the billions of Windows programs that enabled our modern capitalist economy. Well, that's awesome; the only problem was that when Windows was developed, security was not a driving issue, code functionality was. The same problem exists for *nix brands/distributions through the use of shared libraries.

This leads to the modern-day problem of malware being able to basically do whatever the hell it wants to do and successfully hide from modern security software protections. If you can run executable code on a machine, you can hook / filter / patch / delete / modify any of these important DLLs and code at the user level, the kernel level, or both. Even in firmware code, but that's a different story. Some call this cracking, some call this necessary. Case in point: tons of debuggers, disassemblers, security software, anti-virus, anti-everything, et al. require the ability to extend and hook into critical system libraries to do stuff, for example to extend functionality, monitor things, modify operations, or fix a problem.

When a program is developed and compiled, it is linked to DLLs that are loaded into the process space when it is executed. These DLLs implement functions, but unfortunately Microsoft has six ways to Sunday to do DLL injection or code injection into process spaces and modify the function addresses, which malware then uses to add hostile functionality such as bypassing host-based intrusion detection, firewalls, and proxies. Typical processes that get injected are the web browser, the winlogon process, explorer.exe, and any other .exe that can get executed, especially at run time via registry startup hooks. Oh yeah, there are about a thousand of those, so good luck checking all that.

The REAL problem though is: do you REALLY want to be able to do this on production systems? This stuff should be done in secure development environments. Microsoft has tons of code called , and (think hotpatching), VERY POWERFUL, that can modify your system at will, not to mention hostile code which can do the same. SO step back a minute. So you're telling me that no matter what I do, my systems can basically be told what to do without my knowing if someone can run code on them, and you want me to entrust my business model or personal information (COKE formula, cancer cure, invention) to that kind of a RISK model??

There really should be some way to have a production configuration of the OS build not be extensible and hookable in this manner. I believe VISTA has attempted to harden the OS against these types of attacks with signed drivers/code/libraries and all, but there are definitely ways around that, and, like many exploit prevention mechanisms, they are easy to circumvent and voluntary, such as the optional compiler protection bits.

So you see my point. ROOTKITS are a special set of software malcode that can basically hide everything from everything and do even more than that. Rootkits are usually dropped and installed by malware to protect it from being discovered (think about how small an attack window is needed to walk off with the crown jewels given our highly connected, large-bandwidth pipes and the capacity of our modern storage devices).

There is tons of ANTI-ROOTKIT scanner software out there, most of it templated me-too crap that you can find at . You can find rootkit software at , and there are a couple of great books on it as well for the developer-minded. Keep in mind that to be a powerful anti-rootkit tool you actually need to insert your own monitoring hooks sometimes, as some of this software does, but the good ones unhook things after they are done being used.

My two personal recommendations are and , both developed by Russians. These two products do a TON of stuff, including the ability to remove and fix hooks, do secure deletes, force processes to kill themselves by erasing their process space memory, and enumerate through every conceivable area that a product can hook into the system. Some rootkits specifically attack these software packages if they are present on the system, so they have methods to protect themselves from modification using code signing techniques. Most people seem to LOVE Rootkit Revealer by SysInternals/Microsoft, which is an outdated, not very functional piece of crap that you can't even run from the command line. This is an important functionality for corporate-wide scanning. In fact, Microsoft actually hired the developer who wrote Rootkit Unhooker. Not sure if he is still with them though.

RootKit Unhooker

GMER

HackBackJack U up.

August 14, 2008

So the concept of hacking back is very simple. The problem is no one wants to talk about it. And it rarely gets done, at least in the public domain. There have been a ton of examples where malware has exploited vulnerabilities in bots/zombies to take over the Command and Control and update them with its own malcode. There have been other examples of researchers exploiting botnets for research to identify C&C and decode the command sets.

Then there is the actual such as the ever popular STORM. This is the really cool stuff; unfortunately some people consider this research area TABOO, which I think is bullshit. Lots of malware have features to delete themselves and clean up their systems. An attack on a bot's command set that tells it to delete itself would have all kinds of benefits.

This is an from Bitsec, who is reverse engineering malware trojans for bugs, writing exploits for them and then sending software to the attacker's computer, hopefully to identify their name and IP address. This guy is pissed and "he aint gonna take it no Moe!"

The trojan he exploited was Bifrost, which is a BAD ass Remote Access Tool (read: TROJAN) that freaking does everything under the sun. It's like Poison Ivy and other RATs, which seem to be templated in code these days. They are very, very full-featured. A bunch of them can grab mic audio for bugging and video capture from webcams, giving a whole new voyeuristic side adventure to malicious attackers.
 

There's actually a ton of YouTube videos on these things in action. One of them showed HUNDREDS of webcams being viewed on the screen after the attacker logged in and connected to a ton of people that he compromised. Can you say privacy is DEAD!! Or did it ever exist? Do you feel violated yet?

Back to hackbacks. There are a ton of opportunities for this, and it sort of comes from the honeypot philosophy, yet instead of sitting there waiting to be attacked, you do the attacking. Recently

The real purpose.

August 14, 2008

So I was pondering the content I have posted here and thought back to the original reason why I wanted this blog. It was about hacking the constructs of security itself, not the actual tools and methods for how people hack. I want to use this site as a thought incubator and (Patent idea – preestablisher). This content will be more or less an evolving stream of consciousness on some of the things I have been evaluating of late.

Infowar Construct Meme #1 – TAR and FEATHER results in digital mob effects

Why in the hell do you hear a lot about what attack tools do against vulnerabilities and what the effects were in real-world situations, and you always hear about the "Authorities" that are on the "case", but you NEVER see the bad actors actually SPLASHed in the global media consciousness? OK, so I think it's already pre-established that you can use technology and code to pretty much do anything you want. So there goes any kind of theory about how LEET you are because you developed some kick-ass piece of code. Back in the day, hacking for reputation and props was the modus operandi.

Now, with cyberespionage and cybercrime, we need to reconsider the concept of NOT identifying the perpetrators and start to SERIOUSLY expose every part of them, their lives, their networks, and their belongings to EXTREME scrutiny. With Internet mob effects, this would rapidly result in a large drop in activity, or at least drive it further underground, or deter their actions into more legitimate activities, or make them spend their resources protecting themselves rather than doing bad things.

This is a thought exercise in the concept of using extreme justice (namely, total personal privacy exposure of the attacker on a global, read Internet, scale) in order to advance the deterrent effect. Attackers are people too: they live places, they use technology, they have friends and family, they have jobs, they need to eat, they need to learn and go to school, they have reputations, and they have bank accounts and credit records. It is highly unlikely that these people would enjoy having their lives ripped apart through identity theft and other actions.

In the old days, if you engaged in antisocial behaviors you were ostracized, discriminated against, and pilloried in the community. We need to establish a series of digital actions that can be leveraged against targets that are known bad actors. And I am not talking about giving them F#$ing book deals, movie deals, intel or computer security jobs. I am talking about a series of digital and real-world actions in the same vein as how a penetration tester will perform target recon on an organization, its systems, processes and people. But this will be in the context of personal destruction from a digital, reputation and real-world side of things.

I guess an example of things would start like this: identification of the real name, address, social security or national ID number; identification of digital identifiers such as email, IM, social network and user accounts; where they work, what they do, what they own, how much money they have, where they conduct business, digital images of where they live, their health records, their credit records, their military histories, job histories.

Every single thing that "personalizes a target". This information is gleaned from a billion data sources and real-world actions and exposed, dossier style, on the open web. Along with it are the proven actions that they have done, to whom, and how long they were involved in that activity. This is called target intelligence, except it's done in the open forum of the Web, reachable by everyone and providing a very real and unwanted look into the personal lives of the attacker. Not too many people can stand this kind of scrutiny without seriously reconsidering their future actions.

THESE ACTIONS, if levied against anyone, will support a very, very, very real deterrent effect, which is the entire point. There are no deterrents to current cybercrime/espionage at the moment that would put a real dent in the problem. This is a step in the right direction.

Targets would need to be selected carefully, such as the most prolific spammers, phishers, identity thieves, industrial spies, paedophiles, bot herders, denial-of-service attackers, and ransomware users. It's blatantly obvious that digital attacks are not seen or treated like real crimes, and you could reference a whole host of bullshit penalties from some of the most egregious situations. Many individuals and companies never report their incidents for a number of reasons. This is a serious inequity of justice that is out of balance due to victims not being empowered to strike back at their attackers, and even being legally prevented from doing so.

The fallacy here is that legally you can't do "BAD things to BAD people, even though they deserve it", which will be a second- or third-stage area of research after researching another vexing problem: target identification through attack attribution. Attribution is one of the hardest research problems there is, due to the advanced ways of cloaking your identity and actions via anonymity software, proxies, multihops, encryption, and obfuscation.

Researchers who discover flaws and developers who write code are irrelevant; these things are just considered tools, like a real-world gun is. CYBER activity should be evaluated on what you do with the tools, what your intentions are, and what the actual effects were. This is the equation that should be used in determining the level of digital retribution.

This is a RAW concept, not fully refined and should be taken as such and used as a starting point for further research and possible tool development.  This can be lumped onto social network research currently used in Law enforcement/Intel against organized crime, white collar crime, and terrorist organizations.

Wow, this has done some awesome research.  He created a tool that can allow you to visualize HEX and packetcapture dumps to derive new and interesting,  uh figure it out.

The tool is called

So viruses spread back in the day, then got PWNed by antivirus; then vulnerabilities led to exploits, which led to worms. Worms get PWNed by antivirus, worms get whittled down and turned into trojans that become massively networked to become bots, which came from IRC scripts. Everything is now hidden by and protected from reverse engineering and analysis by packing, crypting, polymorphism and metamorphism. Advanced features are built in, such as automatic bank account balance checking… YEOCH. Been going on for years..

Here is an example of one such bot () that has been OWNING for years and got progressively nastier. It now targets power users in organizations who can use sysadmin tools such as psexec and Microsoft SMS or patch distribution mechanisms to seed entire organizations, including the STATE police. Fun, fun. Wonder what data systems they have access to now. Oh yeah, keystroke logging, cookie theft, and password grabbing on the wire, but that's all STANDARD now in this malware code. The guys at are badasses for this.

This little ditty had HUNDREDS of gigabytes of user data and credentials on its drop site, most of which had already been pulled off. Not to mention all the CASH MoOLa they have walked off with: $90,000 on one account alone.

Oh yeah, and no, they still haven't caught the guys yet. When the US government gives the head driver/protector of Osama bin Laden 5 years in jail even though he most likely knew about the 9/11 plot, what kind of penalties do you think we are levying against extreme ripoff artists with digital weapons….. HRMMM?

is everyone on when this stuff is running around?! Granted, Storm is pretty kickass because it's decentralized and uses a hacked-up P2P protocol and . . I did tons of research on P2P and its disruptive effects a long time ago, awesome stuff.

By the way, why the hell do we not see any AES-encrypted malware out there? Are malware coders dumbasses? Almost all of the encryption in their products is based on RC4/ROT13/Base64 or some other weak-ass pseudo crypto/encoding/scrambling that gets easily broken.

I’m going to have to search for lightweight AES implementations.

So a primary attack vector these days is seeding legitimate websites with links to malicious websites that exploit browsers and drop malware onto users. This attack vector is called , which is a take-off of the age-old technique of exploiting systems that do not sanitize and validate user input. Sound familiar? It basically inserts SQL language code into websites with database backends and makes modifications to the website content. Think modification of every single page on the site to host an invisible, obfuscated JavaScript with an IFrame in it.
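The injection described above, where a single unvalidated value in a content-management query rewrites every page at once, comes down to one mistake: the site builds SQL by string concatenation, so user input is parsed as SQL. The following is an added example (not code from the original post, and not any real CMS), using a constructed in-memory SQLite table and a constructed hostile id value; it shows the vulnerable update handler beside the hardened one, with type validation plus bound parameters, so the same input either edits every row or is rejected.

```python
import sqlite3

# Constructed sample content for a tiny CMS (not data from the original post).
SEED_PAGES = [
    (1, "Home", "<p>Welcome</p>"),
    (2, "About", "<p>About us</p>"),
    (3, "Contact", "<p>Email us</p>"),
]


def fresh_db():
    """Build an in-memory database with a pages table and the seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SEED_PAGES)
    conn.commit()
    return conn


def update_body_vulnerable(conn, page_id, new_body):
    """Concatenates the caller-supplied page id straight into the SQL text.

    The id is meant to be a number, but nothing enforces that, so any SQL the
    caller puts in page_id becomes part of the WHERE clause.
    """
    sql = "UPDATE pages SET body = '" + new_body + "' WHERE id = " + str(page_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_body_safe(conn, page_id, new_body):
    """Same operation, hardened: validate the type, then bind parameters.

    int() rejects anything that is not a plain integer, and the bound
    parameters are sent as data, so the input can never change the shape
    of the statement.
    """
    page_id = int(page_id)  # raises ValueError for input like "2 OR 1=1"
    cur = conn.execute("UPDATE pages SET body = ? WHERE id = ?", (new_body, page_id))
    conn.commit()
    return cur.rowcount


def bodies(conn):
    """Return every page body in id order, so the effect of an update is visible."""
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]


# Constructed hostile input: a tautology where a numeric page id is expected.
HOSTILE_ID = "2 OR 1=1"


def demo_unsafe():
    """Vulnerable handler: the tautology makes the WHERE clause match every row."""
    conn = fresh_db()
    update_body_vulnerable(conn, HOSTILE_ID, "<p>edited</p>")
    return bodies(conn)


def demo_safe():
    """Hardened handler: the same input is rejected and nothing changes.

    Returns (rejected, bodies).
    """
    conn = fresh_db()
    try:
        update_body_safe(conn, HOSTILE_ID, "<p>edited</p>")
        rejected = False
    except ValueError:
        rejected = True
    return rejected, bodies(conn)


if __name__ == "__main__":
    print("vulnerable:", demo_unsafe())
    print("hardened:  ", demo_safe())
```

The hardened handler validates first and binds second; binding alone would already keep the input out of the SQL grammar, but the explicit int() makes the rejection visible in logs instead of silently matching no rows.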

In a YA (for fun and profit) paper, the guys at present a on these issues and what you can do with them. NGSSoftware also has for these problems.

So a company local to my area has a product that gets below the OS to start monitoring and SNUFFin out some of the malware out there. is a startup that has a lot of really good features in the security solutions space. This is the future, especially when tied to and hooked to Type 1 hardware-based optimization in platforms.

These technologies are also sort of related to efforts around technology that, in my opinion, allows for a TON of security research for malware purposes: the ability to run code and scripts below the OS. Watch out. with is the MAN in this area and has contributed a bunch of great stuff on .

Tons of great stuff coming out of Blackhat. A company called now has an engine for Cisco routers. Check out the . Pretty awesome. Several years ago, based on from a guy named and the Phenoelit group, a guy named Michael Lynn PWNed Cisco routers by getting around heap memory checking and was able to execute code.

It caused crazy controversy: Mike left his job with IBM, and Cisco ripped the material out of the Blackhat media and threatened all kinds of lawsuits. It was actually pretty funny. Anyways, the research area of exploiting embedded hardware and non-Wind0z type OS platforms has got the best and brightest in the world on the case. Felix now works at Recurity doing some awesome RE stuff. This will not be the last time this area of comes up. Now they are talking . Researchers like at are taking this stuff even further down the rabbit hole.

O and if that isn’t enough there is a huge stink right now with the FBI and others CISCO devices.  This poses a potential huge .  Now is on the !

An attack vector trend that is currently in vogue is exploiting legitimate websites such as via SQL injection attacks to plant hostile IFrames into the website's pages, sometimes all of them, that are invisible because their dimensions are 0x0. The content of these IFrames is highly obfuscated JavaScript which bounces to other IFrames over and over and finally winds up at a site hosting a malicious web page constructed to identify User-Agent settings (i.e. what browser you are using) and then run a version/product/platform/geographic-region-specific series of exploits against the user's system, which has unpatched vulnerabilities either in the OS/browser or, as the trend now is, in ancillary applications such as browser helper ActiveX objects and file parsers such as Flash, JPEG, and QuickTime.

Sometimes it takes a whole organization to set this up, but there are entire packages that enable this crimeware to work and even report back to the operator, enterprise-reporting style via digital dashboards. Fortunately there is a lot of competition now and access to these kits is getting easier. They typically rely on PHP and other scripting languages with a typical database backend.

When this whole enchilada works, however, you basically have organizations PWNing their own customers and facilitating the theft of their information. Each victim that visits the site gets a nasty little downloaded piece of malware, most likely packed to get around their antivirus, injected into their explorer.exe process to evade firewalls, and opcode-instructed via shellcode to do a reverse shell out of their organization or dump additional modular capabilities. All in all it's an ugly day.
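The two tell-tales in the compromised-site chain described above (a 0x0 or CSS-hidden IFrame, and an inline script built around decode-and-execute idioms or dense escape sequences) are exactly what a site owner or analyst looks for when checking whether their own pages have been seeded. The following is an added example, not code from the original post or from Malzilla; it runs the check over a constructed sample page (the legitimate 560x315 embed, the injected zero-size frame, the `eval(unescape(...))` script and the URLs are all made up for the example) using only the standard-library HTML parser. It goes slightly beyond the 0x0 case in the text by also flagging 1x1 frames and `display:none` / `visibility:hidden` styles.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not captured from any real site): a legitimate embed,
# an injected zero-size frame, an obfuscated inline script and a normal script.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<p>Quarterly results...</p>
<iframe src="http://bad.example.test/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>var s=unescape("%75%6e%65%73%63%61%70%65");eval(s);</script>
<script src="/static/app.js"></script>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Decode-and-run idioms typical of injected loaders.
OBF_MARKERS = re.compile(r"\beval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)
# %xx, \xNN and \uNNNN sequences; a script that is mostly these is hiding its text.
ESCAPES = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)


def _tiny(value):
    """True for a width/height of 0 or 1 pixel (the 0x0 frames the post describes)."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value or "")
    return bool(m) and int(m.group(1)) <= 1


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for hidden iframes and obfuscated scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            hidden = (
                _tiny(a.get("width")) or _tiny(a.get("height"))
                or HIDDEN_STYLE.search(a.get("style") or "")
            )
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src") or ""))
        elif tag == "script":
            # Only inline bodies are inspected; external scripts have no data here.
            self._in_inline_script = a.get("src") is None

    def handle_data(self, data):
        if not self._in_inline_script:
            return
        escaped = sum(len(m) for m in ESCAPES.findall(data))
        ratio = escaped / max(len(data), 1)
        if OBF_MARKERS.search(data) or ratio > 0.3:
            self.findings.append(("obfuscated_script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def scan(html):
    """Parse an HTML document and return the list of findings."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run this over a crawl of your own site's rendered pages rather than the templates, since the injection lands in the database-backed content, not in the source tree; the 0.3 escape-density threshold is a constructed starting point and should be tuned against known-clean pages before it is used for alerting.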

Some of these are even under the guise of intellectual property protection.
