Dec 18 2009

Recent Viral Investigations

Category: Malware, Programs, Theory, Trojan | Parker @ 11:00 am

Below is a list of details that I have gathered recently whilst investigating numerous malware incidents.

If you are that way inclined, there are a number of samples of most of these on my domain, but clearly only head to these if you know what you are doing (you will be intentionally infecting your PC with a virus). Furthermore, be aware that the command & control or script-issuing sites will be offline, largely affecting the virus's capacity to do evil, so that others infected in the traditional sense do not suffer harm.

Zeus

Known capacities

  • HTML injection
  • Communication with C&C
  • Man In The Middle / Man In The Browser
  • Capacity to engineer two-factor-beating scenarios
  • Receipt of customised JavaScript pages, allowing page-specific attacks and exploits to be engineered

Known file locations / tell tale signs

  • Modified registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit. Value data: C:\Windows\system32\sdra64.exe; should be C:\Windows\system32\userinit.exe
  • Malicious executable: C:\Windows\system32\sdra64.exe
  • Config files: located within C:\Windows\system32\lowsec. There will typically be a user.ds and a local.ds file, although sometimes there will be others. These can all be assumed malicious, because the lowsec folder would never exist under normal circumstances.
  • The virus also carries the capacity to shut down, or at least disable, some antivirus and firewall programs. Therefore the unexplained 'switch off' of your AV may be indicative of an infection.

Removal

I have recorded and made a screen capture video of the removal available below. I learnt by following someone’s video guide, so I would suggest doing the same. I have however also recorded additional steps, for further ease.

  • Open regedit (normally via Start > Run) and drill down into the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit string and note its value data.
  • Assuming that sdra64.exe was present in the above key, you are infected and will need to kill a thread, loaded into memory, which retains the malicious presence within the Winlogon key.
  • Download and run the Process Explorer application from the TechNet website.
  • Open the View menu and ensure that Show Lower Pane is enabled.
  • On the top menu bar, select Find > Find Handle or DLL, type sdra64.exe into the search box and search.
  • This should find and select sdra64.exe within your lower pane. In the top pane, locate and double-click on winlogon.
  • From the new window select the Threads tab (this will sometimes produce an error, which can just be clicked past).
  • Once the threads have displayed, sort by CSwitch Delta. There will be one thread which shows as constantly active (retains a numeric value).
  • Once this thread is identified, highlight it and select Kill from the bottom right.
  • Exit Process Explorer, reopen regedit and drill down into the Winlogon\Userinit key. Delete the sdra64 location data (typically c:\windows\system32\sdra64.exe).
  • Restart the PC.
  • This should have stopped the virus loading at boot, allowing you to locate C:\windows\system32\sdra64.exe and the ..\lowsec files (user.ds and local.ds). All of these should be purged from the system.

Zeus Jabber

As the name suggests, this virus is an extension of the Zeus family of trojans, so much of its technical ability and its file locations mirror those of the above. Removal of this virus is achieved in the same manner as removing the Zeus virus above.

Known capacities

  • HTML injection
  • Communication with C&C / admin via messenger service
  • There is some talk of MitB capacity, but I have yet to see this implemented successfully in the wild (far from proof that it does not retain this ability, however).

Known file locations / tell tale signs

  • Modified registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit. Value data: C:\Windows\system32\sdra64.exe; should be C:\Windows\system32\userinit.exe
  • Malicious executable: C:\Windows\system32\sdra64.exe
  • Config files: located within C:\Windows\system32\lowsec. There will typically be a user.ds and a local.ds file, although sometimes there will be others. These can all be assumed malicious, because the lowsec folder would never exist under normal circumstances.
  • Drops PHP files into %system%/temp, typically containing credentials obtained in clear text (so a good way to see what data of yours has been stolen). These files should record the malicious server's IP address, so tracking down and shutting down the related malicious or hosting servers is made somewhat easier.
  • Packet capture will show a lot of chatter; watch and record this to fathom how, and with whom, it is speaking.
  • Config files cannot currently be decrypted by the ZeusDecoder at ThreatExpert. Expect updates.
  • The virus also carries the capacity to shut down, or at least disable, some antivirus and firewall programs. Therefore the unexplained 'switch off' of your AV may be indicative of an infection.
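As an added example (my own, not code from the original post) covering the tell-tale signs listed for both Zeus and Zeus Jabber: a small Python triage script that splits the comma-separated Userinit value, flags any entry other than the legitimate userinit.exe (Zeus's sdra64.exe being the case described above), and notes whether the lowsec folder exists. The expected userinit.exe path and the live registry read via winreg are assumptions; off Windows the script falls back to a constructed infected sample value.

```python
"""Triage of the Zeus Userinit / lowsec indicators (added example, not from the post)."""
import os
from typing import List, Tuple

# Assumed clean state: Userinit lists only userinit.exe, normally with a trailing comma.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
LOWSEC_DIR = r"C:\Windows\system32\lowsec"
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit string; an empty trailing item is normal."""
    return [item.strip() for item in value.split(",") if item.strip()]


def suspicious_userinit_entries(value: str) -> List[str]:
    """Every program in Userinit that is not the legitimate userinit.exe."""
    return [item for item in parse_userinit(value)
            if item.lower() != EXPECTED_USERINIT]


def triage(userinit_value: str, lowsec_exists: bool) -> Tuple[bool, List[str]]:
    """Combine both indicators into (infected?, list of findings)."""
    findings = [f"unexpected Userinit entry: {item}"
                for item in suspicious_userinit_entries(userinit_value)]
    if lowsec_exists:
        findings.append(f"{LOWSEC_DIR} exists; this folder is absent on a clean system")
    return bool(findings), findings


def read_live_userinit() -> str:
    """On Windows read the real value; elsewhere return a constructed infected sample."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_SUBKEY) as key:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    infected, notes = triage(read_live_userinit(), os.path.isdir(LOWSEC_DIR))
    print("INFECTED" if infected else "clean")
    for note in notes:
        print(" -", note)
```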

Removal

See above Zeus removal steps and video.

Silon v2

Known capacities

  • Key logging
  • HTML Injection
  • Man In The Middle / Man In The Browser
  • C&C communication
  • Capacity to engineer malicious two-factor scenarios, allowing bank or other secure-site security to be exploited

Known file locations / tell tale signs

  • HKCR\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32\(Default)
  • Value data should read c:\windows\system32\msimtf.dll. If however a Silon infection has occurred, the key data will instead show a malicious msls50.dll.
  • The virus will install its config details and C&C information within a newly created registry key. This registry key is created using system-specific values, arranged in a set format. In this instance it obtains your C drive's serial ID and then applies its format to the 8-digit hex value (excluding the hyphen). To find your drive's serial ID, open a command prompt and type "vol". This will provide you with the number in the format xxxx-xxxx.
  • Open your registry editor and search for a key containing those 8 digits (without the hyphen). You should find a key with these 8 digits, and others with permutations of those 8 digits. This will contain a ProcServer32 element which itself contains subkeys named 0, 1, 3 & 4. These all contain encrypted data and will look like nonsense, but actually hold the targeted website list and Command & Control server locations.
  • The virus will also create two files which it uses to store stolen credentials. To find these, navigate to your c:\windows\temp folder, where there will be two files named using the drive ID in differing formats.
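An added Python example (mine, not the author's) for the Silon indicators just listed: it pulls the 8 hex digits out of the output of vol, searches a registry snapshot for key names containing them, and checks the CLSID's InProcServer32 default against msimtf.dll. The snapshot is a constructed dict of key path to (Default) value standing in for a registry export, the serial is made up, and only the unpermuted serial is searched for because the post does not give the permutation format.

```python
"""Silon v2 indicator checks over a constructed registry snapshot (added example)."""
import re
from typing import Dict, List

# CLSID from the post; the legitimate (Default) of its InProcServer32 is msimtf.dll.
SILON_CLSID_KEY = r"HKCR\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32"
EXPECTED_DLL = r"c:\windows\system32\msimtf.dll"

# Constructed sample of what `vol` prints (the serial value is made up).
SAMPLE_VOL_OUTPUT = " Volume in drive C has no label.\n Volume Serial Number is 1A2B-3C4D\n"

# Constructed snapshot, key path -> (Default) value, standing in for a registry export.
SAMPLE_SNAPSHOT: Dict[str, str] = {
    SILON_CLSID_KEY: r"c:\windows\system32\msls50.dll",  # hijacked, as the post describes
    r"HKCR\CLSID\{1A2B3C4D-0000-0000-0000-000000000000}\ProcServer32\0": "<encrypted blob>",
    r"HKCR\CLSID\{9F9F9F9F-0000-0000-0000-000000000000}\InProcServer32": r"c:\windows\system32\ole32.dll",
}


def serial_from_vol(output: str) -> str:
    """Pull XXXX-XXXX out of `vol` output and drop the hyphen, as the post describes."""
    match = re.search(r"Serial Number is ([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})", output)
    if not match:
        raise ValueError("no volume serial in vol output")
    return (match.group(1) + match.group(2)).upper()


def keys_named_after_serial(snapshot: Dict[str, str], serial: str) -> List[str]:
    """Key paths containing the 8 serial digits (only the unpermuted form is checked)."""
    return sorted(path for path in snapshot if serial.lower() in path.lower())


def silon_clsid_hijacked(snapshot: Dict[str, str]) -> bool:
    """True when the CLSID's InProcServer32 default points anywhere but msimtf.dll."""
    value = snapshot.get(SILON_CLSID_KEY)
    if value is None:  # key absent from the snapshot: nothing to judge
        return False
    return value.lower() != EXPECTED_DLL


if __name__ == "__main__":
    serial = serial_from_vol(SAMPLE_VOL_OUTPUT)
    print("drive serial (no hyphen):", serial)
    print("InProcServer32 hijacked:", silon_clsid_hijacked(SAMPLE_SNAPSHOT))
    for path in keys_named_after_serial(SAMPLE_SNAPSHOT, serial):
        print("serial-named key:", path)
```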

Removal

Despite the virus's obvious technical ability, the removal is incredibly simple. I am working on a quick video to show this graphically, but the below should certainly suffice in the meantime.

  • Open regedit and drill down into the HKCR\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32 key.
  • Open the (Default) value and overtype the value data with the correct DLL location, namely c:\windows\system32\msimtf.dll.
  • Restart the PC.
  • Locate and delete the malicious DLL from the c:\windows\system32 folder. (Sometimes the DLL is hidden, so you need to ensure hidden files are visible: Tools > Folder Options > View > Show Hidden Files and Folders.)
  • Delete the registry key named with your C:\ serial.
  • Delete the located dump files from your hard drive, retained within C:\Windows\temp.

The dropper / installer is not yet understood; re-infection if it is executed again is highly possible.



Jul 11 2009

Cracking WEP keys using Backtrack 4 pre & aircrack-ng

Category: Practical, Programs, Theory, WEP key cracking | Parker @ 10:18 am

Ok. First off, cracking someone else’s WEP key and gaining access to their Network is illegal.
Doing so, may result in you getting an enforced reach-around by a man much bigger than you. Remember, you are sat at a PC, whilst he is out shanking grannies or robbing banks.

You can however have lots of 'fun', as I have, setting your own (or a spare) router to WEP and turning this theory into practical experience.

———————-

I’m no expert, but here is the theory from what I have picked up.

An ARP packet is basically your router or PC saying "Who is on IP 192.168.0.3?", and the response would be "I am, and my MAC is 00:00:00:00:00". Because an ARP packet has a defined size, everything in addition to that can be considered the enclosing WEP encryption, so by collecting enough of these ARP packets and running a comparison you should be able to find the static data across all of the packets, which will be the WEP key.

Anyone who has sat watching a packet analyser like WinPcap will know that ARP packets are not that common, maybe one every few minutes. To crack a 56-bit WEP key you need about 30,000; for a 128-bit key you'll need 60,000+. So we need to trick the router into sending an excessive amount of ARP packets.

ARP INJECTION

Now I may be wrong, but from my testing I believe the following to be true: "If the AP has no clients connected there will be no ARP packets being sent", hence any attempt to increase this flow will fail; anything multiplied by zero is zero.
There are ways to trick a router into thinking a client is connected (see the Frag and ChopChop attacks, to follow), but I am less aware of how these two techniques work at present. If however there is a connected client, then you can continue.

Before we begin, I’ll give some background regards my own setup which may help the following make more sense.

  • My MAC [-h] is 00:22:69:35:6D:C5
  • My router's BSSID (MAC) [-a & -b] is 00:0F:B5:BF:C2:8C
  • It is on channel [-c] 6
  • Its ESSID [-e] is Hackyou
  • Your wireless LAN card's identifier; mine is wlan0
  • I am using BT4 pre on my Acer Aspire One. (Your wireless card must support injection; check this on the madwifi site before you waste your time.)

The science bit

You want to open a Konsole window and be root (sudo) for all of the below steps.

airodump-ng wlan0

Screenshot of the 'airodump-ng wlan0' command

Grab the ESSID, BSSID and channel details; you will need all of these to complete the crack. (You can Ctrl+C to stop it at this point, which allows copy and paste to work.) You want one with an associated client (bottom section) for this attack to work.

airodump-ng -w wep -c [channel] --bssid [bssid] wlan0 (there are two dashes before bssid)

Screenshot of the 'airodump-ng -w -c --bssid wlan0' command

Locks onto the AP for ARP data collection and begins saving it to the file name defined with -w.

New Konsole: aireplay-ng -1 0 -a [bssid] -h [mac] wlan0

Screenshot of the 'aireplay-ng -1 0 -a -h wlan0' command

This associates your MAC address with the AP, allowing you to 'communicate' with it.

New Konsole: aireplay-ng -3 -b [bssid] wlan0

Screenshot of the 'aireplay-ng -3 -b wlan0' command

Starts collecting ARP packets. Wait for 30,000 for a 64-bit key or 60,000 for a 128-bit key (below is a screenshot of airodump at work; we care about the #Data value at the top, currently at 12152).

Screenshot of 'aireplay-ng -3 -b wlan0' at work

New Konsole: dir

Screenshot of the 'dir' command

Copy the wep*.cap file name; you'll need this (the data airmon-ng has collected) to crack the WEP key. Mine was full of previous attempts, so I suggest you either delete the file after each attack or give a unique -w file name.

aircrack-ng [wep*.cap]

Screenshot of the 'aircrack-ng wep*.cap' command

This will keep trying if the collected data is not enough, but the end result should be "Key Found", et voilà!
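From the defender's side, an added Python example (my own, not part of the original post) that detects the traffic pattern the aireplay-ng -3 step above produces: the same captured ARP-sized frame, carrying one unchanged WEP IV, retransmitted from a single station far faster than a genuine client ever would, which is what drives the #Data count up. The frames are a constructed list of (time, source MAC, IV, length) records using the post's own MAC as the replaying station; the 68-byte "ARP-sized" length and the 50-per-second threshold are assumptions.

```python
"""Spot aireplay-ng-style ARP replay against a WEP AP from frame metadata (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Frame(NamedTuple):
    ts: float      # capture time in seconds
    src: str       # transmitter MAC
    iv: int        # 24-bit WEP IV read from the frame header
    length: int    # frame length in bytes


# Assumptions: a WEP-wrapped ARP request is a fixed small frame (68 bytes here, a
# constructed figure) and no genuine client re-sends one IV 50+ times in a second.
ARP_FRAME_LEN = 68
REPLAY_RATE_PER_SEC = 50


def peak_count(times: List[float], window: float) -> int:
    """Largest number of (sorted) timestamps falling inside any window-second span."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_arp_replay(frames: List[Frame], window: float = 1.0) -> List[Tuple[str, int, int]]:
    """Return (src, iv, peak) for every station re-sending one ARP-sized frame with the
    same IV at REPLAY_RATE_PER_SEC or more per window. A replayed frame keeps its IV,
    whereas the AP re-broadcasting it mints a fresh IV each time (the attacker's harvest)."""
    per_key: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for f in frames:
        if f.length == ARP_FRAME_LEN:
            per_key[(f.src, f.iv)].append(f.ts)
    hits = [(src, iv, peak_count(sorted(times), window))
            for (src, iv), times in per_key.items()]
    return sorted(h for h in hits if h[2] >= REPLAY_RATE_PER_SEC)


def build_sample() -> List[Frame]:
    """Constructed capture: the post's MAC replaying one frame 120 times in under half a
    second, plus a normal client sending 40 ARP-sized frames with distinct IVs."""
    burst = [Frame(0.004 * i, "00:22:69:35:6D:C5", 0x0A0B0C, ARP_FRAME_LEN) for i in range(120)]
    normal = [Frame(0.25 * i, "00:1C:B3:AA:BB:CC", 0x100000 + i, ARP_FRAME_LEN) for i in range(40)]
    return sorted(burst + normal)


if __name__ == "__main__":
    for src, iv, peak in detect_arp_replay(build_sample()):
        print(f"replay suspected from {src}: IV {iv:06x} seen {peak} times within 1 s")
```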



Oct 16 2008

Step 1. Knowledge

Category: Practical, Theory | Parker @ 1:03 pm

So I had a word with a guy from SkillsTrain (who was very nice, but their product / support is pretty terrible. I quit the same day, claiming back the £100 deposit and cancelling the £3700 direct debit).
He and I talked for a while about various options for learning and gaining some form of recognised certification in a field of interest and use. My biggest problem is that I have a 'pro-sumer' level of knowledge in supporting, building, maintaining and using PCs and Macs, but no actual proof of that knowledge. (It could be troublesome explaining / demonstrating my skills in an interview, and if I were to leave my employer I'd be pretty much f*cked!)

Having had a think, he suggested that working towards the CompTIA Security+ certification is probably a very good idea. I had a look at the syllabus and it looked very interesting; sadly though, the very sensible and probably required prelude to that certification is the CompTIA Network+, which doesn't look as interesting but, as said, is needed.

If you think about it as I have, you will likely realise that to protect a product, or indeed to attack a machine via any kind of network, you will need to first understand how that network works. As it happens I am currently around two thirds of my way through the learning for the Network+ examination (hoping to take the exam in November) and have found it very useful and interesting. For anybody who cares, I have chosen to use the Network+ Certification Kit, and it seems to be pushing the information into my head.
(Note to others: these books are in order, so I suggest you start with the first, more in-depth book rather than the thinner 3rd 'first pass' overview book as I did.)


Oct 16 2008

Learning to be a better Geek

Category: Theory | Parker @ 1:02 pm

Well, this may more than likely turn out to be a self-serving page (if even that much), but my intention is to document everything I learn along my route of self-discovery (that is to say, my new-found focus that caters for both personal and work life).

For anyone that stumbles on this let me try to set the scene. Having basically floated around without really knowing what I want to do / could do to further my knowledge and/ or career I’ve come face to face with a field within IT that caters for both. This blog is hopefully going to list what I’m doing / learning and achieving. Which will help me and may help someone else.

Let’s go.