Oct 19 2008

First attempt – Binary ‘analysis’.

Category: Malware, Practical, Programs, Trojan. Parker @ 9:11 pm

Trojan-Downloader.WMA.Wimad.o

Well, having tried for a few days to find a good source of viruses to play with and having come up with little except spyware, I visited my parents for Sunday Roast (Lamb, it was good). Whilst fixing their second PC, which is used by my sisters to download music via Limewire, I find that Nod32 has detected and quarantined 20 viruses so far, including Trojans. Finally giving me something to play with…

So roll up the first file, “Sam Sparo Black n Gold Sexy girl has shaking orgasm.mp3” – 450KB

OK, so initially I learned two things here.

  1. DO NOT take a regshot before you open Windows Media Player for the first time; the number of registry changes it makes will make locating malware-related additions a nightmare.
  2. IDA is completely above my head. I will have to learn what all those codes mean.

Beyond that I was able to see a few things changing and some data packets that indicated linked oddities.

Firstly the Trojan connects to a site at http:// 208.91.207.92 and issues a number of GET requests to load images; see the examples below (can you guess what kind of site it is?):

GET /r/100×100/w/r/Trouble702-19.jpg HTTP/1.1
GET /r/100×100/w/r/boredxxx-18.jpg HTTP/1.1
GET /r/100×100/w/r/caliCockluvr-30.jpg HTTP/1.1
GET /r/100×100/w/r/35608-S-3.jpg HTTP/1.1
GET /r/100×100/w/r/Trisha_69-20.jpg HTTP/1.1
GET /r/100×100/w/r/Savana-20.jpg HTTP/1.1
GET /r/100×100/w/r/sexyhannah-30.jpg HTTP/1.1
GET /r/100×100/w/r/fuckmyass-22.jpg HTTP/1.1
GET /user-images/12940/12940122-S-0.jpg HTTP/1.1
GET /user-images/9473/9473802-S-3.jpg HTTP/1.1

Having done all of that and loaded a new IE7 window full of naughty pics, some odd network traffic picks up. From my potentially flawed viewpoint it looks like an attempt to first find out whether I’m behind a router and then attempt a remote connection.

192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
64.13.192.114 192.168.0.13 TCP http > remote-as [FIN, ACK] Seq=869 Ack=202 Win=6432 Len=0
192.168.0.13 64.13.192.114 TCP remote-as > http [ACK] Seq=202 Ack=870 Win=16812 Len=0
Z-Com_97:c9:39 Broadcast ARP Who has 192.168.0.1?  Tell 192.168.0.13
Netgear_bf:c2:8c Z-Com_97:c9:39 ARP 192.168.0.1 is at 00:0f:b5:bf:c2:8c
192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
192.168.0.13 85.92.200.253 TCP brvread > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
87.248.211.192 192.168.0.13 TCP [TCP Retransmission] [TCP segment of a reassembled PDU]
192.168.0.13 87.248.211.192 TCP td-postman > http [ACK] Seq=486 Ack=1361 Win=17680 Len=0 SLE=1416 SRE=1417
87.248.211.192 192.168.0.13 HTTP [TCP Retransmission] HTTP/1.1 200 OK  (PNG)
192.168.0.13 87.248.211.192 TCP td-postman > http [ACK] Seq=486 Ack=1417 Win=17625 Len=0
192.168.0.13 64.13.192.114 TCP remote-as > http [RST, ACK] Seq=202 Ack=870 Win=0 Len=0
192.168.0.13 87.248.211.192 TCP td-postman > http [FIN, ACK] Seq=486 Ack=1417 Win=17625 Len=0
87.248.211.192 192.168.0.13 TCP http > td-postman [ACK] Seq=1417 Ack=487 Win=65534 Len=0
192.168.0.13 208.67.222.222 DNS Standard query A playmoviesx.com
208.67.222.222 192.168.0.13 DNS Standard query response A 64.20.49.14
192.168.0.13 64.20.49.14 TCP kiosk > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
64.20.49.14 192.168.0.13 TCP http > kiosk [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1360
192.168.0.13 64.20.49.14 TCP kiosk > http [ACK] Seq=1 Ack=1 Win=17680 Len=0
192.168.0.13 64.20.49.14 HTTP GET /go/?a=vidwmv&t=search&cmp=wmv_audio&embedded=false HTTP/1.1
64.20.49.14 192.168.0.13 TCP http > kiosk [ACK] Seq=1 Ack=388 Win=6432 Len=0
64.20.49.14 192.168.0.13 HTTP HTTP/1.1 301 Moved Permanently  (text/html)
192.168.0.13 208.67.222.222 DNS Standard query A www.playmoviesx.com
192.168.0.13 64.20.49.14 TCP kiosk > http [ACK] Seq=388 Ack=764 Win=16917 Len=0

I’m guessing that the GET request below may be an attempt to utilise a script that can be dynamically updated and used to download further malware onto my PC, but I am not 100% sure.

“GET /enter.php?prg=1&t=search&id=inxioltd2&cmp=wmv_audio HTTP/1.1”

When checking the DNS results for the main IPs you get one for the UK, US and Netherlands, so no need to blame the Eastern Bloc or Chinese for this one.

Finally there seems to have been some kind of tracking taking place with an IP 66.165.186.99, which is registered in the US. This IP conducts a TCP GET action against an imgcount.cgi string. There is also mention of instl_bootc, which is a request to Install Bootstrap Protocol Client, which I understand to be a prelude to the DHCP system and likely to offer any sites / attackers further IP / MAC address info for my machine and network.

So nothing mental going on that I could see, no obvious sign of new running processes or of opened listening ports, but given that this was my first bit of analysis, I have probably missed lots.
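A small triage script for a Wireshark packet-list export like the one pasted above, as an added example (not code from this blog). It parses the “src dst proto info” summary lines, lists the hosts outside the RFC 1918 LAN ranges, the DNS names looked up and answered, and the HTTP requests issued, and counts ICMP/ARP probes of local addresses of the kind speculated about above. The sample input reuses lines from the listing above plus one constructed HTTP line whose destination (198.51.100.7) is a documentation address, not a real host.

```python
"""Triage a Wireshark packet-list export (added example, not the blog's own code)."""
import ipaddress
import re

# Sample input: lines reused from the post's listing plus one constructed
# HTTP line (198.51.100.7 is a documentation address, not a real host).
SAMPLE_PACKET_LIST = """\
192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
Z-Com_97:c9:39 Broadcast ARP Who has 192.168.0.1?  Tell 192.168.0.13
Netgear_bf:c2:8c Z-Com_97:c9:39 ARP 192.168.0.1 is at 00:0f:b5:bf:c2:8c
192.168.0.13 208.67.222.222 DNS Standard query A playmoviesx.com
208.67.222.222 192.168.0.13 DNS Standard query response A 64.20.49.14
192.168.0.13 64.20.49.14 TCP kiosk > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
192.168.0.13 64.20.49.14 HTTP GET /go/?a=vidwmv&t=search&cmp=wmv_audio&embedded=false HTTP/1.1
64.20.49.14 192.168.0.13 HTTP HTTP/1.1 301 Moved Permanently  (text/html)
192.168.0.13 198.51.100.7 HTTP GET /enter.php?prg=1&t=search&cmp=wmv_audio HTTP/1.1
"""

# "src dst PROTO info" as Wireshark prints it in a plain-text packet list
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(ICMP|ARP|TCP|UDP|DNS|HTTP)\s+(.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(host):
    """True for RFC 1918 addresses and for non-IP labels (MAC names, 'Broadcast')."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in RFC1918)


def triage(text):
    """Summarise external hosts, DNS activity, HTTP requests and LAN probes."""
    summary = {"external_hosts": set(), "dns_queries": set(),
               "dns_answers": set(), "http_requests": [], "local_probes": 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, dst, proto, info = m.groups()
        for host in (src, dst):
            if not is_lan(host):
                summary["external_hosts"].add(host)
        if proto == "DNS":
            if info.startswith("Standard query A "):
                summary["dns_queries"].add(info.split()[-1])
            elif info.startswith("Standard query response A "):
                summary["dns_answers"].add(info.split()[-1])
        elif proto == "HTTP":
            req = re.match(r"(GET|POST)\s+(\S+)", info)
            if req:
                summary["http_requests"].append((dst, req.group(2)))
        elif proto == "ICMP" and "request" in info and is_lan(dst):
            summary["local_probes"] += 1  # ping of a local address (gateway discovery)
        elif proto == "ARP" and info.startswith("Who has"):
            summary["local_probes"] += 1  # ARP lookup of a local address
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PACKET_LIST).items():
        print(f"{key}: {value}")
```

Running it on a real export gives a first list of indicators to check (external IPs, looked-up names, request paths) without wading through every ACK; the local-probe counter only tells you that the box looked for its gateway, which is also what any fresh IE window does, so it is a hint rather than proof of anything.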

Packet Traffic Info File
Registry Info File


Oct 16 2008

First Find… BT clear text authentication

Category: Practical, Programs. Parker @ 5:27 pm

Well, getting everything installed and having a bit of a poke around to see what’s what.

The first really interesting find is the authentication that takes place when I grab email from my BTYahoo mail. (For my sins I use Windows Live Mail Beta, so I grab it all via POP3.)

When looking at the packets as they leave my PC I could see the POP request, then the server response; the username gets sent off in clear text (no biggie), but then, to my astonishment, my password shows up on screen. So the first thing I do is head into Live Mail and check the options, and sure enough the authenticate-in-clear-text option is selected. Now I must have done, but I don’t recall choosing that option, and when sitting back and thinking about it, even now I stupidly assume that some form of obscuring will take place; clearly not.

So I pick up the phone and speak with BT; they install some remote gumph on my PC and the Indian chap starts clumsily clicking about the place (he clearly didn’t know much). I then stepped in, showed him the options and asked “Can I use either secure password authentication or authenticated POP (APOP)?” “No,” he replied. So I get off the phone and spend a little time removing everything BT just put on my machine.

So I’m pretty confident that nobody is able to get into my network as such, but all that needs to happen is for some kind of proxy or packet-grabbing malware to get in between me and BT and I’m f*cked. My greatest concern was around the other services I use which share this password rather than my email; suffice it to say they are all now changed and I’m looking to move my email elsewhere. (I know that sharing passwords is stupid, but the reality is my mind can only cope with so much.)

So now I wonder, what other insecure, stupid options have I blindly clicked?
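To show what the sniffer saw and what the APOP option asked about above would have put on the wire instead, here is an added example (not the blog’s own code, and the transcripts are constructed rather than captured from the BT/Yahoo session). It audits a POP3 exchange for USER/PASS sent before any STLS upgrade, and computes the APOP digest from RFC 1939, using that RFC’s own worked example as the check value.

```python
"""Spot clear-text POP3 credentials and compute the APOP alternative.

Added example, not the blog's own code. Both transcripts below are constructed;
the timestamp banner and the 'tanstaaf' password come from RFC 1939's example.
"""
import hashlib
import re

# Constructed transcript: (C)lient / (S)erver lines as a sniffer would see them.
CLEARTEXT_SESSION = [
    ("S", "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"),
    ("C", "USER parker"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
    ("S", "+OK Logged in."),
]

# Constructed transcript of a client that upgrades to TLS first (STLS, RFC 2595).
# Everything after the server's +OK is encrypted, so USER/PASS never appear.
STLS_SESSION = [
    ("S", "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"),
    ("C", "STLS"),
    ("S", "+OK Begin TLS negotiation"),
]


def audit_pop3(session):
    """Return findings about credentials visible on the wire (empty list = none)."""
    findings = []
    encrypted = False
    pending_stls = False
    for who, line in session:
        verb = line.split(" ", 1)[0].upper()
        if who == "S":
            if pending_stls:          # server's answer to STLS decides the rest
                encrypted = line.startswith("+OK")
                pending_stls = False
            continue
        if verb == "STLS":
            pending_stls = True
        elif verb in ("USER", "PASS") and not encrypted:
            findings.append(f"{verb} sent in clear text")
    return findings


def apop_digest(banner, password):
    """APOP (RFC 1939): MD5 of the server's timestamp, angle brackets included,
    followed by the shared secret. The password itself never crosses the wire,
    but a captured digest can still be guessed against offline."""
    timestamp = re.search(r"<[^>]+>", banner).group(0)
    return hashlib.md5((timestamp + password).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("clear-text session:", audit_pop3(CLEARTEXT_SESSION))
    print("STLS session:", audit_pop3(STLS_SESSION))
    banner = CLEARTEXT_SESSION[0][1]
    print("APOP mrose", apop_digest(banner, "tanstaaf"))
```

The audit treats a password as exposed unless the client issued STLS and the server accepted it; a refused STLS followed by PASS is exactly the case to alarm on. APOP only stops a passive observer reading the password directly, so STLS or POP3 over TLS on port 995 is the setting worth asking a provider for.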

[Screenshot: First ‘security’ find.]


Oct 16 2008

Step 2. Toys to play with

Category: Practical, Programs. Parker @ 1:04 pm

Having spoken with some of my friends and colleagues who work in this arena and comparing that advice with information found on the Internet, I have been gifted with the following shopping list. I have not put links for fear they will move location, let Google be your guide.

  • VMware – Allows you to run a ‘sandbox’ environment and prevent your machine from infection.
  • SteadyState – Allows you to set a static hard disk ‘image’ that is reloaded when you restart your PC.
  • Wireshark – Used for identifying command and control channels.
  • CaptureBAT – A behavioural analysis tool of applications for the Win32 operating system.
  • IDA Pro – A Windows or Linux hosted multi-processor disassembler and debugger.
  • Packetyzer – A network-enabled packet analyser.

From system internals (Which largely now allows remote execution);

  • Process Explorer – Shows you information about which handles and DLLs processes have opened or loaded.
  • Process Monitor – Replaces Filemon and Regmon on Vista and other Microsoft OSes (not XP).
  • Filemon – Monitors and displays file system activity on a system in real time. *See Process Monitor
  • Regmon – A Registry monitoring utility that will show you which applications are accessing your Registry. *See Process Monitor
  • TCPView – Shows detailed listings of all TCP and UDP endpoints on your system.
  • Regshot – A tool allowing snapshots / comparisons of the registry.

Best get installing then :D


Oct 16 2008

Step 1. Knowledge

Category: Practical, Theory. Parker @ 1:03 pm

So I had a word with a guy from SkillsTrain (who was very nice, but their product / support is pretty terrible. I quit the same day, claiming back the £100 deposit and cancelling the £3700 direct debit).
He and I talked for a while about various options for learning and gaining some form of recognised certification in a field of interest and use. My biggest problem is that I have a ‘pro-sumer’ level of knowledge in supporting, building, maintaining and using PCs and Macs but no actual proof of that knowledge. (It could be troublesome explaining / demonstrating my skills in an interview, and if I were to leave my employer I’d be pretty much f*cked!)

Having had a think, he suggested that working towards the CompTIA Security+ certification is probably a very good idea. I had a look at the syllabus and it looked very interesting; sadly though, the very sensible and probably required prelude to that certification is the CompTIA Network+, which doesn’t look as interesting but, as said, is needed.

If you think about it as I have, you will likely realise that to protect a product or indeed to attack a machine via any kind of network, you will need to first understand how that Network works.  As it happens I am currently around two thirds of my way through the learning for the Network + examination (hoping to take the exam in November) and have found it very useful and interesting. For anybody who cares I have chosen to use the Network + Certification Kit, and it seems to be pushing the information into my head.
(Note to others, these books are in order, I suggest you start with the first more in-depth book rather than the thinner 3rd ‘first pass’ overview book as I did).


Oct 16 2008

Learning to be a better Geek

Category: Theory. Parker @ 1:02 pm

Well, this may more than likely turn out to be a self-serving page (if even that much), but my intention is to document everything I learn along my route of self-discovery (that is to say my new-found focus that caters for both personal and work life).

For anyone that stumbles on this, let me try to set the scene. Having basically floated around without really knowing what I want to do / could do to further my knowledge and/or career, I’ve come face to face with a field within IT that caters for both. This blog is hopefully going to list what I’m doing / learning and achieving, which will help me and may help someone else.

Let’s go.