That phone call you dread…

So, you’re a sysadmin, and you get a call from that friend and co-worker…we all know that our buddies don’t call the helpdesk, right?

This person sheepishly admits that they got an email that looked maybe a bit suspicious in hindsight, it had an attachment…and they clicked.

Yikes. Now what?

Well, since you’re an EXCELLENT sysadmin, and you work for the best company ever, you’ve done a few things to make sure you’re ready for this day…

  • The company has had a business impact analysis, so all of the relevant policies and procedures are in place.
  • Your backups are in place, offsite, and you know you can restore them with a modicum of effort – and because you’ve done baselines, you know how long it will take to restore.
  • Your team has been doing incident response tabletops, so all of the IR processes are documented and up-to-date. And you set it up to be a good time, so they were fully engaged in the process.

But now, one of your people has clicked…now what, indeed..

  • Pull. The. Plug. Disconnect that system. If it’s hard wired, yank the cord. If it’s on a wifi network, kick it off – take down the whole wifi network if feasible. The productivity that you’ll lose will be outweighed by the gains if you can stop lateral spread of the infection.
  • Pull any devices – external hard drives, USB sticks, etc.
  • DO NOT power the system off – not yet! If you need to do forensics, the live system memory will be important.

Now you can breathe, but just for a minute. This is the time to act with strategy as well as haste. Establish whether you’ve got a virus or ransomware infection, or if the ill-advised click was an attachment of another nature.

If it’s spam, but not malicious:

  • Check the email information in your email administration portal, and see if it was delivered to other users. Notify them as necessary.
  • Evaluate key features of the email – are there changes you should make to your blocking and filtering? Start that process.
  • Parse and evaluate the email headers for IPs and/or domains that should be blocked. See if there are indicators of other emails with these parameters that were blocked or delivered.
  • Add the scenario of this email to your user education program for future educational use.

If it’s a real infection, full forensics is beyond the scope of this blog post. But we’ll give a few pointers to get you started.

If it’s a virus, but not ransomware:

  • If the file that was delivered is still accessible, use VirusTotal and other sites to see if it’s known to be malicious. The hash can be checked, as well as the file itself.
  • Consider a full wipe of the affected system, as opposed to a virus removal – unless you’re 100% successful with removal, repeated infection is likely.
  • All drives or devices – network, USB, etc. – that were connected to the system should be suspect. Discard those you can, clean network drives or restore from backup.
  • Evaluate the end user account – did the attacker have time to elevate privileges? Check for any newly created accounts, as well.
  • Check system and firewall logs for traffic to and from the affected system, as well as any ancillary systems.

If it’s ransomware:

  • Determine what kind of ransomware you are dealing with.
  • Determine the scope of the infection – ancillary devices, network shares, etc.
  • Check to see if a decrypt tool is available – be aware these are not always successful.
  • Paying the ransom, or not, is a business decision – often the ransom payments are not successful, and the files remain encrypted. Address this in your IR plan, so the company policy is defined ahead of time.
  • Restore files from backup.
  • Strongly consider a full wipe of the system, even if the files are decrypted.
  • Evaluate the end user account – did the attacker have time to elevate privileges? Check for any newly created accounts, as well.
  • Check system and firewall logs for traffic to and from the affected system, as well as any ancillary systems.

In all cases, go back and map the attack vector. How did the suspect attachment get in, and how can you prevent it going forward?

What are your thoughts? I’d love to hear from you – lwallace@microsolved.com, or @TheTokenFemale on Twitter!

RansomWeb Attacks Observed in HITME

Unfortunately, the destructive nature of Ransomware has taken a new turn for the worse.  A new technique called RansomWeb is affecting production web-based applications.  I recently analyzed data from the HITME project and observed several RansomWeb attacks against PHP applications.  I can only assume the frequency of these attacks will increase throughout the year.  As a former Systems Administrator, I can definitively say that it would be a nightmare to bring an application back online that was affected by this variant of Ransomware.  Due to RansomWeb’s destructive nature, it is important to ensure that your organization is actively working to prevent RansomWeb from destroying any critical systems.

The attackers begin the RansomWeb process by exploiting a vulnerability within a web server or web-based application.  Once the server or application have been exploited, the attackers slowly begin encrypting key databases and files.  Once the encryption is complete, the hackers shut down the website/application and begin to demand ransom in exchange for the decryption of the corporation’s files.  Unfortunately, the attackers have even perfected using this process to encrypt system-level backups.

To prevent RansomWeb from affecting your organization, please be sure to complete the following steps on a regular basis:

  • Perform regular vulnerability assessments and penetration testing against your critical applications and servers.
  • Audit your application and system logs for any irregular entries.
  • Verify that you are performing regular application and system backups.
  • Be sure to test the backup/ restore process for your applications and systems on a regular basis.  After all, your backup/ DR process is only as effective as your last successful restore.

If you would like to discuss how we can help you prevent RansomWeb from affecting your production applications, do not hesitate to contact us by emailing info <at> microsolved.com

Do You Browse From a Virtual Machine?

Configure 256

This article brings to mind an interesting trend we see going on among our financial and highly regulated clients – using a virtual machine for all Internet browsing. Several of our clients have begun using this technique in testing and small production groups. Often they are using ChromeOS images with VirtualBox or some other dedicated browser appliance and a light VM manager. 

Have you or your organization considered, tried or implemented this yet? Give us a shout on Twitter (@lbhuston, @microsolved) and let us know your thoughts. Thanks for reading!

Watching Malware Evolve with TigerTrax

Recently, I have been spending a lot of my time working with TigerTrax, our intelligence platform, and using it to further my research into emerging threats. One of the most interesting areas has been using to track and trace the fits and starts of malware evolution using social media data and the web.

TigerTrax is really good at finding and analyzing the data for trends. The visualizations make spotting emerging patterns and even outliers very easy. For example, we noticed a trend around side loading of malware payloads recently. Not an overwhelming trend across all of malware, but associated with a specific group of verticals being targeted. This emerged easily from the graph data and analytics engines. We were able to use that information to inform our customers in that space and increase their capabilities in detection and incident response.

We have only just begun to find the deeper use cases for TigerTrax, but it is already changing the way MSI does work, even the core work of assessments. For example, with a small window of lead time, we can generate specific pattern analysis and cases to support findings in risk assessments, vulnerability and pen-testing work. The engines can keep our scenarios refreshed, keep us up to date with the latest attack vectors and exploits being used in the wild.

All in all, TigerTrax has given us a larger view of infosec, and watching malware evolve through its lens has become an interesting part of what we do at MSI. We look forward to the day when we can discuss more publicly what we are doing with TigerTrax and some of the findings we are generating, but for now, just know that the platform is being used in a myriad of ways, and that new developments are occurring on a daily basis. If you’d like to discuss what TigerTrax can do for your organization, give us a call. We’d be happy to sit down for a briefing with your team.

Three Talks Not To Miss at DerbyCon

 

Here are three talks not to miss this year at DerbyCon:

1. Bill Sempf (@sempf) presents a talk about pen-testing from a developer’s point of view. (PS – He has a stable talk too, catch it if you sell stuff in the Windows store) His work is great and he is a good presenter and teacher. Feel free to also ask him questions about lock picking in the hallways. He is a wealth of knowledge and usually friendly after a cup of coffee in the morning. Beware though, if he asks you to pick the lock to get to the pool on the roof… This talk is Saturday at 6pm. 

2. Definitely catch @razoreqx as he talks about how he is going to own your org in just a few days. If you haven’t seen his bald dome steaming while he drops the knowledge about the nasty stuff that malware can do now, you haven’t lived. I hear he also may give us a bit of secret sauce about what to expect from malware in the next 6 months. You might wanna avoid the first couple of rows of seating in this talk. He often asks for “voluntolds” from the audience and you might not look good in the Vanna White dress… His chrome dome presents on Friday at 7pm.

3. Don’t miss the Keynote by @hdmoore. His keynotes are always amazing and this time it appears he is going to teach you how to port scan the entire Internet, all at once and all in an easy to manage tool and timeframe. He probably will astound you with some of his results and the things he has seen in his research. It’s worth it! The Keynote is Friday at 9am. Yes, 9am in the morning. It rolls around twice a day now… I know… 🙂

Lastly, if you want to see me speak, you can find me on Friday at 1pm as I discuss and unveil the Stolen Data Impact Model (SDIM) project. Check it out! 

PS – There will be plenty of hallway talk and shenanigans at the con. Come out and sit down and chat. I can’t wait to talk to YOU and hear what you have to say about infosec, threats, the future or just what your thoughts are on life. Seriously… I love the hang out. So, drop down next to me and have a chat! See you this weekend!

 PSS – Yes, I might wear my “hippy hacker”/”packet hugger” shirt. Don’t scream “Packet Hugger” at me in the hallway, please, it hurts my feelings…. 

Quick PHP Malware vs AV Update

It’s been a while since I checked on the status of PHP malware versus anti-virus. So, here is a quick catch up post. (I’ve been talking about this for a while now. Here is an old example.)

I took a randomly selected piece of PHP malware from the HITME and checked it out this afternoon. Much to my surprise, the malware detection via AV has gotten better.

The malware I grabbed for the test turned out to be a multi-stage PHP backdoor. The scanner thought it was exploiting a vulnerable WordPress installation. 

I unpacked the malware parts into plain text and presented both the original packed version from the log and the unpacked version to VirusTotal for detection testing. As you know, in the past, detection of malware PHP was sub single digits in many cases. That, at least to some extent has changed. For those interested, here are the links to see what was tripped.

Decoded to plain text vs Encoded, as received

As you can see, decoded to plain text scored a detection of 44% (19/43), which is significantly improved from a year or so ago. Additionally, excitingly, undecoded, the attack in raw form triggered a detection rate of 30% (13/44)! The undecoded result is HUGE, given that the same test a year or so ago often yielded 0-2% detection rates. So, it’s getting better, just SLOWLY.

Sadly though, even with the improvements, we are still well below half (50%) detection rates and many of the AV solutions that fail to catch the PHP malware are big name vendors with commercial products that organizations running PHP in commercial environments would likely be depending on. Is your AV in the missing zone? If so, you might want to consider other forms of more nuanced detection

Now, obviously, organizations aren’t just depending on AV alone for detection of web malware. But, many may be. In fact, a quick search for the dropped backdoor file on Google showed 58,800 systems with the dropped page name (a semi-unique indicator of compromise). With that many targets already victim to this single variant of PHP backdoors, it might be worth checking into if you are a corporate PHP user.

Until next time, take a look around for PHP in your organization. It is a commonly missed item in the patch and update cycles. It also has a pretty wide security posture with a long list of known attack tools and common vulnerabilities in the coding patterns used by many popular products. Give any PHP servers you have a deeper inspection and consider adding more detection capability around them. As always, thanks for reading and stay safe out there! 

Ask The Experts: Malware Infection Mitigation

This time, we have a question from a reader:

Dear Experts, I’ve been fighting with my help desk team about the proper response to a malware infection. Once we know a workstation or server has been infected, what should we do to make sure that machine is clean before we put it back in service? We have heard a variety of stories about cleanup versus rebuild. What is the MSI security expert’s take on the proper response to malware infection?

John Davis replied:

It would be nice to be able to eliminate Malware without having to totally rebuild your computer. I wish I had some good news for folks on that score. But unfortunately, the only way to be sure that a malware infection has been totally eliminated is to do just that: rebuild your computer completely from reliable backups. This illustrates the importance of making frequent backups and storing those backups securely!

Adam Hostetler also added:

The only proper response is complete wipe and reinstall. It’s impossible to say it’s clean after it has a known infection, one part might be gone but the malware may have installed or downloaded other components that weren’t detected. I recommend having a good image to use on workstations, and store as little data on them as possible, so a quick turn around is likely. It’s also a good idea to implement strong egress controls on your firewalls and monitor them. This helps in preventing malware from doing damage, and aids in finding infections. 

Got a question for the Experts? Get in touch on Twitter (@lbhuston or @microsolved) or via the comments. Thanks for reading!

PS – Chris Jager (@ChrisJager) points out on Twitter: Also to consider: Closing vuln that allowed the malware onto the host & refreshing backups & build docs w/said updates.

Thanks Chris! We just ASSUMED (yeah, we know…) that was already in scope, but good to mention that it should be pointed out. Clearly, making sure the bad guys lose their foothold from being re-exploited is CRITICAL.

Tool Review: Hopper Disassembler for OS X

 

J0289552

I have recently been playing with Hopper, a disassembler for Mac OS X, quite a bit. The tool is essentially a mid-line tool for working to reverse engineer code. It is more accessible on the mac than firing up a VM and using the venerable OllyDbg and the interface is quite a bit more elegant and user friendly. It is even mid-line in price, coming in between Olly, which is free, and IDA Pro which can run over a thousand dollars per license. If you hack stuff, reverse stuff or study malware on the Mac, the $60 price point is likely to make this a big winner for your budget. The app store link for the tool, in case you want to check it out, is here

In terms of use, the tool does exactly what you expect from the description – it disassembles binaries into assembler and makes exploration of the deeper nuances of the code accessible. The newest release supports ARM, 32 & 64 bit ELF and iOS Mach-O. These add to the existing support for the standard Intel platforms of Mac OS X and Windows binaries, making this an all around useful tool for doing the basics. The flow control graphing, colorized interface and intuitive controls make the tool use less complex than Olly and IDA Pro. 

One of things I would like to see in future versions of the tool would be a detector for encoded binaries and support for some of the basic decoding tools to make analysis of obfuscated applications a bit quicker, easier and more intuitive. This a common issue among disassemblers and shows that we have a way to go to improve these products as the reverse engineering and malware study tool sets improve and mature over time. Overall though, that’s about the ONLY complaint I have about Hopper. It’s an amazingly versatile and useful tool at an incredible price. Truly, it is a worthwhile investment if you want to learn more about assembler, the inner workings of code and beginning malware analysis. You can’t go wrong with this one.

Lastly, I would like to thank the author of Hopper, Vincent Benony for his work on this tool and for his engagement with the infosec community on Twitter. Seriously, he is great. He responds quickly to questions and requests, plus provides great insights into where he is taking the product next. 

PS – If you want to see what the GUI looks like, there are a wide variety of screenshots in the App Store at the link above.

PSS – MSI has no affiliation or relationship with the product and/or the developers. 

HoneyPoint Tales: Conficker Still Out There

I had an interesting conversation this week over email with a security admin still fighting Conficker.

If you haven’t recalled Conficker in a while, take a moment and read the wikipedia entry here: (http://en.wikipedia.org/wiki/Conficker). Back in 2008, this nasty bugger spread across the net like wild fire. It was and is, quite persistent. 

Back in those days, we even put out a free version of HoneyPoint called HPConficker to act as a scatter sensor for detecting infected hosts on networks around the world. That tool expired eventually, and to be honest, we stopped really tracking Conficker back in 2010 to move on to studying other vectors and exploits. I hadn’t even thought about the HPConficker tool since then, until this week. 
 
In order to help this admin out as they battled the worm, I came in on a vacation day, dug the old code out of the source vault and updated it to run through the end of 2012. I then built a quick compile, zipped it (in my hurry forgetting to remove the OS X file noise) and sent it on to the sales person who was helping the client directly. When I heard that the zip file with OS X noise was a problem, I quickly cleaned the zip and sent it back up to the server for them to re-download, install and use. Sadly, I haven’t yet had time to build a readme file or the like, but the tool is pretty easy to use. Unzip it with folder extraction enabled, execute it and follow the GUI instructions. I haven’t heard back from my new security admin friend, but I hoped it helped them fight the good fight.
 
I took a couple of key points from this: 1) Conficker is still around and causing trouble; and 2) Helping people with HoneyPoint is still one of the core reasons I do what I do.
 
I may not say it often enough, but, thanks to all of you for playing with my toys. Since 2006, the knowledge gained, the insights and the outright chance to help people with my software has been a great joy. I look forward to pursuing it for many years to come. 
 
Keep playing with HoneyPoint. Keep talking to us. We want to engage, and we want to help YOU solve YOUR problems. At the core, that’s what MSI is all about. As always, thanks for reading and stay safe out there!
 
PS – We haven’t decided if we are going to release the tool again. If you want it and it can help you, drop me a line in the comments, send me a tweet (@lbhuston) or get in touch. Even if we don’t push it out in public on the site, it’s here if you need it…

Stealth Code for New Mutation of PHP Bot Infector

Recently, I found another new mutation of a PHP bot infector, with zero percent detection by anti-virus software. There was an anti-security tool code included, as well. 

For those interested, you can view this link to see that the total number of anti-virus detections was 0.

However, when I decoded the PHP backdoor, I got 17 anti-virus hits on it. It seems they locked into the c99 backdoor code remnants, which is a pretty old backdoor PHP trojan. This leads to the question about evasion techniques and how effective anti-virus applications are at doing code de-obfuscation. For example, if you want a currently effective AV evasion technique in PHP, it comes down to this simple line of code: (gzinflate(str_rot13(base64_decode($code)))); – There’s the cash money key in terms of evading most, if not all, current anti-virus tools.

However, if you have a process that runs grep against your files  looking for base64_decode and alerts you to new ones, you’ll get visibility to it and many, many others like it. Base64 encoding is still quite a popular call in PHP attack and compromise tools.

Here are some examples of this specific trivial control — here, and here. Now you have a real life example of how it pays off. So simple, yet so effective at detecting these slippery backdoors.

Finding specific nuance controls that pay off against specific threats to your assets is a key way to better security. It’s a win, all around!