Malware Research by Sean

Virtual Private Networks are great if you want to remote into your home computers/network securely… or want to drop your Pi behind enemy lines and have it securely call home. This post will outline how to make a VPN with particular notes for having a Raspberry Pi client. First choose an always on computer at home to be your server. It can be running Windows or Linux. Then choose the software you want to use. I looked at:

• Neo Router – slick propretary
• OpenVPN – Powerful, not as friendly
• Hamachi – LogMeIn’s product seems nice

Set up your VPN server with a domain, listening port, users, & passwords. If you’re like most people your server will be sitting behind a Network Address Translator (NAT) in the form of a wireless router. Point your browser at your router and edit the port forwarding rules so that when the NAT recieves a connection on a certain port, it will direct that connection to your VPN server.

Port Forwarding with a router

If your are like most people your Internet Service Provider reserves the right to change your assigned IP address, however you still want to be able to connect back home, so we’ll have a computer (probably the VPN server) always run a program to constantly report your current IP address to a DNS register. So the next step is to setup a free Dynamic DNS account online with an organization like:

• noip.com
• afraid.org

Download and install your Server (probably your computer at home) to report it’s ip address periodically.

• noip.com has a executable  you can download: https://www.noip.com/downloads.php
• afraid.org hosts a page listing  http://freedns.afraid.org/scripts/freedns.clients.php

Now that the server is all setup, it’s time to move on to your clients. Depending on the purposes of your VPN I might suggest auto starting the VPN client which uses the DNS name you assigned earlier to call home. VPN relies on the correct time for encryption purposes so you might need to add a freely available time server made for this purpose (The Raspberry Pi has no internal battery so it can’t keep time between reboots). Like many other networks UTA has a time server that you need to add (time.uta.edu) to the Network Time Protocal configuration file /etc/ntp.conf

Helpful links:

http://www.raspberrypi.org/phpBB3/viewtopic.php?f=36&t=21566

http://gettingstartedwithraspberrypi.tumblr.com/post/24142374137/setting-up-a-vnc-server

http://neville-wright.com/setup-your-raspberry-pi-wireless-network/

A the professor of mine was teaching an Engineering Economic’s class and posed this depreciation problem:

“If I buy a new car right now for $50,000 what will it be worth in 30 years?”

I said, “It will be worthless because we won’t have any oil any more”

He looked at me a bit annoyed and said to the class, “Well let’s just ignore that”

To which I responded, “Most people usually do”.

He looked at me with a strange kind of frustration

Economics in the colloquial since examines the incentives behind individuals who are designing, implementing, and defending various systems which organizations (normally corporations) rely on. As software is developed there is always the potential for software bugs that in turn have the potential to introduce a weaknesses and security vulnerabilities to the software system as a whole. The technical details of how software is exploited will almost always be found out and corrected. The economic explanation as to the why software vulnerabilities continue to plague modern software despite such terrible negative repercussions is a topic pioneered by researchers that include Ross Anderson, Tyler Moore, Bruce Schneier, and Dan Geer.

There are four main facts that are responsible for the current state of security related software bugs:

• Companies exist to make money
• Large amounts of software are produced by companies
• Users are forced to trust this software
• Most users are unable to test the security of the above mentioned software.

In the best case scenario, the user is in control of the source code, and the hardware but users rarely have the resources or knowledge to perform in-depth security analysis. The more typical software solution involves third party’s creating and (possibly not maintaining) a software solution in which it is virtually impossible for users to possess resources or knowledge to perform any kind of security analysis. Anderson and Moore’s idea that commercial software will almost always put priority on being first to market rather than security; and users will only perceive security in terms of the number of exploited vulnerabilities they experience- which is mainly a function of the software’s market dominance.

Measuring user’s trust of a software system is an interesting economics’ research problem because trust is a difficult entity to quantify in which there are a number of current ideas:

A very common tactic to measure public opinion is via survey. Currently a website at cybersecurityindex.org seeks to measure risk perceived by chief information officers in technology related companies.

For purpose of research trust can be measured in the amount of private information users choose to disclose to an organization. This type of information is commonly thought of as a commodity to an attacker, because it can be bought and sold, but such private information is typically not valued as a high priority asset to most companies. As a result, a business’s resources will typically not be used to mitigate the risk of private data theft. An interesting development here is the Australian government has recently mandated that publicly traded corporations list non-tangible assets on quarterly balances. In response, corporations are starting to cite the amount of personal information they possess as having a significant financial value and as a result, more resources are being spent on protecting that data.

One intriguing idea is to measure users’ trust in software by initiating a futures market in which users are allowed to wager on the number of publicly disclosed software vulnerabilities found in various products in the coming year; A similar structure for this type of market can be seen at University of Iowa Futures Exchange.

Credit card processors are like a religions:
They’re old, don’t work very well, out-of-date, and for some reason it’s socially unacceptable to criticize them.

Malware can come in many forms, differentiated mainly by its purpose and by its level of access. Its level of access consists of either:

• User level: where it takes on the privileges of the user that executed the malware (usually living in the user land process space)
• Administrator level: where it was either executed by the administrator or gains privilege escalation though some type of exploit.
• Kernel Level: where it lives and works in the kernel land process space.

Privilege Ring System

In the kernel level malware can do ANYTHING, such as hooking in to critical components in order to hide itself. This level of sophistication is normally reserved for ‘rootkits’. The best way for malware to gain such access is to install itself as a driver.
Programming a driver is no simple task.

• Wiki books provide good Windows driver terminology, but I’m not sure if I just everything is up to date: http://en.wikibooks.org/wiki/Windows_Programming/Device_Driver_Introduction
• This link guides a programmer though installation of the compiler, debugger, and symbols necessary to build a Windows driver. It’s a bit old (working with XP and server 2003) but all the links are still good: http://www.tenouk.com/windowsddk/windowsdriverdevelopmentkit.html

The best way to learn what hackers do to compromised computers is to watch them while they do it! In this tutorial we will be setting up Kippo, a SSH honeypot which will log everything attackers do. Kippo is a bit old and not really maintained but it serves as a great starting point. An example of what kind of information is collected take a look at this demo:  http://kippo.rpg.fi/playlog/?l=20100316-233121-1847.log

1. I will be doing this on Ubuntu, but since Kippo is written in Python it can be run on anything as long are the dependances are installed:
   user@ubuntu:~$ sudo apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted libcap2-bin
2. Then download kippo:
   user@ubuntu:~/Desktop/kippo$ wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
3. Then untar it, cd in the directory then run start.sh WITHOUT root prevlages:
   user@ubuntu:./start.sh
   

   Kippo start and log in

4. Now you may have noticed that port 2222 is the default and might be be attacked by hackers. But the issues is that the normal SSH port 22 requires root prevlages which is something we definately do NOT want kippo to have. So we do some port-forwarding magic:
   setcap ‘cap_net_bind_service=+ep’ /path/to/program
   OR some iptables magic:
   iptables -t nat -A PREROUTING -i IN_IFACE -p tcp –dport 22 -j REDIRECT –to-port 2222

Having a VM is handy if you don’t quite trust a program from the net (like the old addage says, ‘beware of geeks baring gifts’), or you’re like me and want to see what some malware is doing. One of the most telling information of an app is how it communicates with the net so I’ve set up an XP VM to relay all of it’s traffic to a linux box in a local VPN. The linux box is BTR3 running a catch-all for network traffic: inetsim
sudo apt-get install inetsim

but before hand make sure you set your special network to ‘host-only’ and give your machines static IP addresses. Here’s a decent article:

http://blog.zeltser.com/post/8978449246/vmware-network-isolation-for-malware-analysis

Linux static IP address:

http://www.cyberciti.biz/faq/linux-configure-a-static-ip-address-tutorial/

Then you need to redirect all your DNS queries to your catch-all by editing inetsim’s config file with the option:
dns_default_ip 10.0.0.1 #My catch-all gateway.

Of course you could do this locally on your non-gate way vm, but I want to mess with that as little-as-possible. And there’s also the option of doing this inside the metaspoit framework as seem here: http://johnhsawyer.blogspot.com/2009/11/sandnetting-with-inetsim-metasploit.html

Now in order for you to edit requests with inetsim you need to update a particular PERL module:
cpan upgrade module NET::DNS

Then

apt-get upgrade libnet-dns-perl

Now go ahead and run inetsim:
inetsim –bind-address 10.0.0.1

Backtrack R3 Running inetSim

Is an interesting field that relies on a huge amount of technical knowledge of how exactly computers/OS’s/Compiled code works together. I think it’s interesting because it combines the down and dirty details of what’s going on in the system, with the global implications of what a little piece of code can do. Plus while watching the code run, one can guess at the motivations of the authors (which is something that I think is intriguing). As I’m learning I’ll post the links I find most helpful:

Understanding Microsoft technology:

• Windows API: Windows Internals
  http://technet.microsoft.com/en-us/sysinternals/bb963901.aspx
• PE files: Corkami
  http://code.google.com/p/corkami/wiki/PE101
• Windows Datatypes:
  http://www.codeproject.com/Articles/76252/What-are-TCHAR-WCHAR-LPSTR-LPWSTR-LPCTSTR-etc

Debugging/Reversing:

• The legend of Random’s great tutorials:
  http://thelegendofrandom.com/blog/sample-page

Assembly:

• Calling conventions:
  http://en.wikipedia.org/wiki/X86_calling_conventions

Unpacking/Anti-debugging:

• A few anti-debugging techniques with some code examples:
  http://www.veracode.com/blog/index.php?s=Anti-Debugging+Series&search_submit=Go
• An good paper over unpacking called, ‘The Art of Unpacking’
  http://cs.gmu.edu/~astavrou/courses/ISA_673/bh-usa-07-yason-WP.pdf
• Basics of Code Obfuscation. Interesting technique with example code, but can only be complied gcc
  http://syprog.blogspot.com/2012/03/dynamic-code-encryption-as-anti-dump.html

Reverse Engineering malware:

• Zelters’ cheat sheet is good for keeping focus on what one should do when looking at malware:
  http://zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html
• Some malware analysis tutorials http://ipositivesecurity.blogspot.in/2011/07/analyzing-malware-slackbot-i.html

There is a built-in keylogger in metasploit. It’s really cool in that it never writes to disk so it doesn’t leave any evidence for forensics. To use metasploit for keylogging all one has to do is:

• Update the metasploit framework (as you always should!) cd /…/framework3; svn update
• Exploit your target and use: set payload meterpeter
• Then migrate your payload to some safe process (like explorer.exe) with the keyword migrate
• Then start your keylogger with: keyscan_start
• Then grab the info with: keyscan_dump

Metasploit Basics:

• http://netsec.cs.northwestern.edu/media/handouts/metasploit.pdf
• http://en.wikibooks.org/wiki/Metasploit/Tips_and_Tricks

Awesome article on Payloads: http://www.room362.com/blog/2011/6/26/metasploit-payloads-explained-part-1.html

Awesome guide through exploits: http://www.offensive-security.com/metasploit-unleashed/Exploits

Guide for the keylogger: http://www.offensive-security.com/metasploit-unleashed/Keylogging

New Project: InjectorCatcher_v1
This program will hook into the following API calls (commonly used in code-injecting malware):

• virturalAlloc() and virturalAllocEx()
• VirtualProtectEx()

InjectorCatcher will record the locations of all the memory allocated and has the permissions of read, write, and execute. When anyone of the event below happens the virtually allocated memory in the list is dumped to disk:

• a pre-set time limit expires
• exitProcess() is called
• createRemoteThread() is called
• createProcess() is called

Some Problems I might run into:

• the dumped code section will have to be rebased and probably decrypted.
• If I want the dumped code to be runnable, I could use corkami’s code to generate a native generic PE

Arguments: the program path for InjectorCatcher to hook into

Notes:

1. VirtualAlloc is the raw allocator in Windows. You shouldn’t use it unless you intend to suballocate from it. It allocates full pages, so allocates multiples of 4K.
2. As VirtualAlloc allocates a buffer, it returns void* (LPVOID in Windows speak)
3. virturalAlloc might not return the given memory at the given location