DerbyCon

DerbyCon was fantastic again this year, with talks from some of the best and brightest in NetSec. If you're not familiar with it, it's been held each year in September in Louisville, Kentucky since 2011. Admission to the conference (3 days) is only $175.00, and there are (relatively) inexpensive training classes held the previous two days before the con. If you've never been to a hacker conference, I highly recommend DerbyCon. The atmosphere is very friendly and helpful, and even someone brand new to NetSec can find plenty to learn and participate in.There is a lock pick village, a hardware hacking village, a SOHO router hacking room, a Capture The Flag contest and lots more, as well as official parties Friday and Saturday nights. This was my fifth year attending, and it gets better each time.

All the talks are recorded and available on Adrian Crenshaw's web site. This years talks are at:

http://www.irongeek.com/i.php?page=videos/derbycon6/mainlist

FPC

Here is my opinion on FPC. 

Full packet capture can be an intrusion analyst's best friend. Consider this example: You receive an alert that an internal device accessed a piece of JavaScript on some web site and the rule says there was an object use-after-free attempt. You need to inspect that code and see if it is malicious and preferably, what occurred afterwards. 

You could use a tool like wget or Spondulas to download the code, or you could use a sand boxed machine to browse to the URI and view the source. You could put the URI into some online site checker and see what it finds. You could check the reputation of the domain.

But, what if you are capturing full packets going in and out of your network to the Internet?

You can pull up the URI in a tool like Moloch or a commercial tool, and look at the session. You can see the JavaScript as it was delivered exactly to THAT client, running that OS, using that browser and user-agent and see what happened afterwards. You can save the code off as a file to further inspect it and run the pcap through Wireshark or SteelCentral Packet Analyzer or Netwitness or some other analysis tool.

You CAN do intrusion analysis without FPC, but you can't do it as quickly OR as effectively. 

Flow data and logs and threat intelligence are all fine (well, maybe not so much on the threat intelligence) but having packets trumps them all.

Infosec Writers

Got a topic you've become very knowledgeable about and would like to share your expertise? Want to add to the cumulative knowledge base of InfoSec/NetSec? You can write and upload your paper(s) to infosecwriters.com, and if it meets their criteria for suitability, have it published on their site.

http://infosecwriters.com/

Great List of Hack Sites

The SANS Pen Test group has a poster they hand out at SANS conferences and put in mailings that has an awesome mind map of hacking challenge/skills sites.

Won't be going to conference soon or not on the mailing list? No worries, the poster can be downloaded here and all of the SANS posters are located here, including  DFIR, Threat Intelligence, CIS and some general information posters.

If you're not familiar with SANS posters, they're not just marketing tools (but of course they advertise an event, too) but are full of good, useful information. Like the hack sites mind map.

Enjoy!

Dorking

There's a good article on Google Dorking on DarkReading here. If you're not sure what Google Dorking is, in essence, it's using Google (you can do the same with other search engines) with advanced operators to find information on the Internet that shouldn't be exposed. You can find files, passwords, user accounts, open webcams and all sort of other data. The concept was made popular by Johnny Long, who now resides in Uganda with his family helping educate needy kids (Hackers For Charity is his organization and and a worthy place to donate funds, equipment or time). http://www.hackersforcharity.org/

Transistioning

I'll be moving to a new position over the next few months, from intrusion analyst to penetration tester. As I make the transition to Red Team, I'll be posting articles and some of what I'm learning (but NetSec is ALWAYS learning something new) as well as Blue Team/intrusion analyst content.

Using Splunk To Monitor Tor

Great article by Xavier Mertens on the Internet Storm Center Handler Diaries about how to automate Splunk to keep track of Tor traffic. Article is here.

Heavy Obfuscation != Malicious

Malicious actors use obfuscation to evade detection, but programmers use it also for various reasons, like restricting reuse or bypassing ad blockers. Obfuscation should increase your attention to an alert, but it's not always indicative of hostile activity.

Here's an example.

IDS triggered on a rule for a common exploit kit, specifically on an eval statement. The code was:
(function(){var z="";var b="2866756e6374696f6e28297b66756e6374696f6e20682865297b7472797b636f6f6b696541727261793d5b5d3b666f722876617220623d2f5e5c733f696e6361705f7365735f2f2c643d646f63756d656e742e636f6f6b69652e73706c697428225c78336222292c633d303b633c642e6c656e6774683b632b2b296b65793d645b635d2e73756273747228302c645b635d2e696e6465784f6628225c7833642229292c76616c75653d645b635d2e73756273747228645b635d2e696e6465784f6628225c78336422292b312c645b635d2e6c656e677468292c622e74657374286b657929262628636f6f6b696541727261795b636f6f6b696541727261792e6c656e6774685d3d76616c7565293b636f6f6b6965733d636f6f6b696541727261793b646967657374733d417272617928636f6f6b6965732e6c656e677468293b666f7228623d303b623c636f6f6b6965732e6c656e6774683b622b2b297b666f722876617220673d652b636f6f6b6965735b625d2c633d643d303b633c672e6c656e6774683b632b2b29642b3d672e63686172436f646541742863293b646967657374735b625d3d647d7265733d652b225c7832635c7836345c7836395c7836375c7836355

;for(var i=0;ieval(eval('String.fromCharCode('+z+')'));})();

Changing the eval to print, and running it through Rhino, we get this:

[jstebelton@bwyissrv05 ~]$ rhino 10
(function(){function h(e){try{cookieArray=[];for(var b=/^\s?incap_ses_/,d=document.cookie.split("\x3b"),c=0;cres;g=new Date;g.setTime(g.getTime()+2E4);document.cookie="\x5f\x5f\x5f\x75\x74\x6d\x76\x63\x3d"+e+("\x3b\x20\x65\x78\x70\x69\x72\x65\x73\x3d"+g.toGMTString())+"\x3b\x20\x70\x61\x74\x68\x3d\x2f"}function l(e){for(var b=[],d=0;d"\x3d"+k)}break;case "\x76\x61\x6c\x75\x65":try{b[b.length]=encodeURIComponent(c+"\x3d"+eval(c).toString())}catch(h){b[b.length]=encodeURIComponent(c+"\x3d"+h)}break;case "\x70\x6c\x75\x67\x69\x6e\x73":try{p=navigator.plugins;pres="";for(a in p)pres+=(p[a].description+"\x20").substring(0,20);b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x73\x3d"+pres)}catch(l){b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x73\x3d"+l)}break;case "\x70\x6c\x75\x67\x69\x6e":try{for(i in a=navigator.plugins,a)if(f=a[i].filename.split("\x2e"),2==f.length){b[b.length]=encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x3d"+f[1]);break}}catch(m){b[b.length]=
encodeURIComponent("\x70\x6c\x75\x67\x69\x6e\x3d"+m)}}}return b=b.join()}var m=[["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x76\x65\x6e\x64\x6f\x72","\x76\x61\x6c\x75\x65"],["\x6f\x70\x65\x72\x61","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x61\x70\x70\x4e\x61\x6d\x65","\x76\x61\x6c\x75\x65"],["\x70\x6c\x61\x74\x66\x6f\x72\x6d","\x70\x6c\x75\x67\x69\x6e"],["\x77\x65\x62\x6b\x69\x74\x55\x52\x4c","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"],["\x6e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x70\x6c\x75\x67\x69\x6e\x73\x2e\x6c\x65\x6e\x67\x74\x68\x3d\x3d\x30","\x76\x61\x6c\x75\x65"],["\x5f\x70\x68\x61\x6e\x74\x6f\x6d","\x65\x78\x69\x73\x74\x73\x5f\x62\x6f\x6f\x6c\x65\x61\x6e"]];try{h(l(m)),document.createElement("\x69\x6d\x67").src="\x2f\x5f\x49\x6e\x63\x61\x70\x73\x75\x6c\x61\x5f\x52\x65\x73\x6f\x75\x72\x63\x65\x3f\x53\x57\x4b\x4d\x54\x46\x53\x52\x3d\x31\x26\x65\x3d"+Math.random()}catch(n){img=document.createElement("\x69\x6d\x67"),img.src="\x2f\x5f\x49\x6e\x63\x61\x70\x73\x75\x6c\x61\x5f\x52\x65\x73\x6f\x75\x72\x63\x65\x3f\x53\x57\x4b\x4d\x54\x46\x53\x52\x3d\x31\x26\x65\x3d"+
n}})();

We have hex encoding as the output of the function, so we can use a hex decoder to get the final output:

encodeURIComponent("plugin="+m)}}}return b=b.join()}var m=[["navigator","exists_boolean"],["navigator.vendor","value"],["opera","exists_boolean"],["ActiveXObject","exists_boolean"],["navigator.appName","value"],["platform","plugin"],["webkitURL","exists_boolean"],["navigator.plugins.length==0","value"],["_phantom","exists_boolean"]];try{h(l(m)),document.createElement("img").src="/_Incapsula_Resource?SWKMTFSR=1&e="+Math.random()}catch(n){img=document.createElement("img"),img.src="/_Incapsula_Resource?SWKMTFSR=1&e="+
n}})();

Incapsula is a DDoS protection security vendor.

Excellent Manual Javascript Deobfuscation Walk through

Security Researcher Aditya K Sood posted an excellent walk through of manual Javascript Obfuscation on his log, Malware At Stake (http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html).

Malware at Stake

An Official Malware Research Blog of SecNiche Security Labs. 

Analysis, straight from the hidden and underground.

Saturday, April 7, 2012

JavaScript Obfuscation - Manual Armor (1)

Recently, we came across a similar set of obfuscated JavaScripts that are being used continuously in conjunction with automate Browser Exploits Packs (BEPs) such as BlackHole etc. There are several variations of this type of obfuscated JavaScript. Our team prefer to do obfuscation manually because sometimes automated tools are not good enough to perform the deobfuscation. In this post, we are going to discuss about the methodology that  we prefer to follow at SecNiche labs. Let's take a look at the obfuscated JavaScript shown below

The methodology  goes like this:

Step1: Beautify Your JavaScript: 
The very first (basic) step is to beautify the obfuscated JavaScript. For analysis perspective, beautifying the

code such as appropriate indentation makes it very easy to decipher the initial structures in the JavaScript. 

Always do this step before proceeding further.

Step 2: Divide and Rule
This strategy works perfectly fine while analyzing obfuscated JavaScripts. The motive behind this step is to a

analyze the code in small snippet for better grasp.

Applying step 1 and step 2 to the given JavaScript code,  we get part 1 of the code as follows

and part 2 of the code as follows

In part 2, to interpret the given code as single string , one has to use characters ["" +]. Even for doing 

automated analysis, these parameters are required to be tuned so that appropriate interpretation of the string 

can be done. Check the string passed to variable "n".

Step 3: Extract the Logic 
On the modular code (divided code snippets), try to apply the logic step by step (top to bottom). When we

compute the value of "h" we get : h=-2*Math.log(Math.E);   //     h = -2      //

The next logic is to compute the value of "n" first. We have the n="[string]".split("a"), which means we have 

to split the string. By default, split function actually dissects the string n by a delimiter ",". We tweak the code

a bit as presented below:

 

On executing this code in JavaScript interpreter we get the output as follows,

At this point, we successfully unwraps some part of code by having the value of h and n. Now, we have to 

dissect the loop present in the part 2 as follows

for(i=0;-n.length<-i br="" i="">        {
            j=i;
            ss=ss+s[f](-h*(1+1*n[j]));
        }
   
    if(1)q=ss;
    if(s)e(q);

To compute the code finally, we need to unwrap the logic used in the loop. Step 4 involves the automation of 

the code.

Step4: Automating the Process - Python
In step 4, we need to automate the process to get the next value of the string. On understanding the logic, we

write a following python script to compute the loop

The code actually multiply the every single value by 2 and build up the new string. So, we are almost at the 

end. So we need to build up the final code as presented below

So here we have the final script as follows

 

A good methodology always  helps to attain the target.

Humble Hacking Bundle from No Starch Press

No Starch Press is teaming up with Humble Bundle again to raise money for the EFF, the Electronic Frontier Foundation. Pay $15.00 to help support the EFF and receive a bundle of thirteen eBook titles.
Some of the titles are: Hacking: The Art of Exploitation, Hacking the XBox, Automate the Boring Stuff with Python, Python Crash Course, Practical Malware and The Linux Command Line.

Any amount gets you four titles and a $15.00 donation gets you all 13. You decide how much goes to EFF, No Starch or Humble Bundle.

Details are at https://www.humblebundle.com/books/no-starch-hacking-books

JavaScript Deobfuscation Update

It didn't take long for the Internet Storm Center to post another article on JavaScript deobfuscation, this one by Didier Stevens. This time the previous deobfuscation techniques failed,so Didier uses python to do static analysis.Nice work. The article is here.

Angler Exploit Kit to TeslaCrypt

There's an excellent write up by Brad Duncan in the Internet Storm Center's Handler Diaries on analyzing a compromise that used the Angler Exploit Kit to deliver TeslaCrypt.

From the article:

On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events.

The chain started with a compromised website that generated an admedia gate.

The gate led to Angler EK.

Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.

·         178.62.122.211 - img.belayamorda.info - admedia gate
·         185.46.11.113 - ssd.summerspellman.com - Angler EK
·         192.185.39.64 - clothdiapersexpert.com - TeslaCrypt callback traffic

 Full write up is here.

Some of the obfuscation may seem daunting, but there's a wealth of information on techniques to deobfuscate Javascript and other code. A lot of that information is in the Handlers Diaries itself. Here's some other write ups from the ISC:

1. Decoding Javascript

2. Deobfuscating VB Script

3. Advanced Obfuscated Javascript Analysis

4. Javascript Traps For Analysts

5. Mixed (VBScript and JavaScript) Obfuscation

6. Browser *does* matter, not only for vulnerabilities - a story on JavaScript deobfuscation

7. V8 as an Alternative to SpiderMonkey for JavaScript Deobfuscation

8. Decoding Common XOR Obfuscation in Malicious Code

9. Javascript decoding round-up

And from other sites:

1. JavaScript Obfuscation - Manual Armor - Malware at Stake

2. Javascript Deobfuscation Tools (Part 1) - Kahu Security

3. Javascript Deobfucation Tools (Part 2) - Kahu Security

Surcuri Labs Hex Decoder

Sucuri has a nice decoder page at http://ddecode.com/hexdecoder/ that might help if you're having trouble figuring mixed forms of obfuscation. Even if it can't completely decode the segment, it may be able to deobfuscate it enough to give you a sense of what the code is doing.

Chrome view-source:

A quick and easy way to take a look at the source code of a web page using the Chrome browser is to prepend "view-source:" to the URL.

Example: view-source:www.google.com

If you suspect the page is malicious, be careful to type it in correctly so you don't accidentally load the page in your browser.