
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-03-21



IP Addresses Triage

Published: 2016-03-21
Last Updated: 2016-03-22 07:22:27 UTC
by Xavier Mertens (Version: 1)

Last week, I was in Germany to attend the TROOPERS security conference and I had the opportunity to follow Chris Truncer’s talk about passive intelligence gathering. Passive intelligence is a must-do when you need to collect information about a target (when working from the offensive side) or about an attacker (from the defensive side). The goal is to collect as much information as possible, and it often relies on OSINT (Open Source INTelligence: publicly available data). From a defensive point of view, the first step is to collect logs (as many as you can). And what do we find in logs? Mostly IP addresses! We can easily collect tons of IP addresses every day. The next step is to get more information about them, and that is often a pain. During his talk, Chris presented his tool (called Just-Metadata), which helps to collect and manage information on IP addresses. This is performed in two phases:
  • Phase 1: collect information about the IP addresses
  • Phase 2: analyze the gathered data and get interesting information
When I tested the tool, I was surprised not to see any module for DShield! As we have a nice database of IP addresses and their reputation, why not use it from Just-Metadata? The tool being very modular, it was easy to add an extra module to gather information from our database, plus a simple reporting module. Here is a list of the currently available gathering modules:
[>] Please enter a command: list gather
Shodan => Requests Shodan for information on provided IPs
GeoInfo => This script gathers geographical information about the loaded
           IP addresses
DShield => This module checks DShield for hits on loaded IPs
Whois => This module gathers whois information
FeedLists => This module checks IPs against potential threat lists
MyWOT => Requests MyWOT for domain reputation information on provided domains
VirusTotal => This module checks VirusTotal for hits on loaded IPs
All => Invokes all of the above IntelGathering modules
And modules to analyze the collected data:
[>] Please enter a command: list analysis
TopNetBlocks => Returns the top "X" number of most seen whois CIDR netblocks
Keys => Returns IP Addresses with shared public keys (SSH, SSL)
FeedHits => Lists IPs being tracked in threat lists
DShield => Returns IP addresses with results in DShield
PortSearch => Returns the top "X" number of most used ports
TopPorts => Returns the top "X" number of most used ports
Country => Search for IPs by country of origin
MyWOTDomains => Parse mywot domain reputation results
GeoInfo => Analyzes IPs geographical/ISP information
Virustotal => Returns IP addresses with results in VirusTotal
All => Invokes all of the above Analysis modules
How does it work? Create (or generate) a text file containing the IP addresses to analyze and load it into Just-Metadata:
[>] Please enter a command: load ip.txt
[*] Loaded 5 systems
[>] Please enter a command: gather all
Querying Shodan for information about 120.27.31.143
Querying Shodan for information about 77.247.182.246
Querying Shodan for information about 193.169.52.214
Querying Shodan for information about 46.4.120.238
Querying Shodan for information about 101.200.0.122
Getting info on... 120.27.31.143
Getting info on... 77.247.182.246
Getting info on... 193.169.52.214
Getting info on... 46.4.120.238
Getting info on... 101.200.0.122
Information found on 120.27.31.143
Information found on 77.247.182.246
No information within DShield for 193.169.52.214
No information within DShield for 46.4.120.238
Information found on 101.200.0.122
Gathering whois information about 120.27.31.143
Gathering whois information about 77.247.182.246
Gathering whois information about 193.169.52.214
Gathering whois information about 46.4.120.238
Gathering whois information about 101.200.0.122
Grabbing list of TOR exit nodes..
Grabbing attacker IP list from the Animus project...
Grabbing EmergingThreats list...
Grabbing AlienVault reputation list...
Grabbing Blocklist.de info...
Grabbing DragonResearch's SSH list...
Grabbing DragonResearch's VNC list...
Grabbing NoThinkMalware list...
Grabbing NoThinkSSH list...
Grabbing Feodo list...
Grabbing antispam spam list...
Grabbing malc0de list...
Grabbing MalwareBytes list...
Information found on 120.27.31.143
Information found on 77.247.182.246
Information found on 193.169.52.214
Information found on 46.4.120.238
Information found on 101.200.0.122
[>] Please enter a command: save
State saved to disk at metadata03212016_150606.state
Then, you can use the analysis modules to build intelligence from the collected data. Here is a sample output of my DShield module:
[>] Please enter a command: analyse dshield 10
**********************************************************************
                    IPs and Detected Counts
**********************************************************************
101.200.0.122: 832 count(s)
120.27.31.143: 596 count(s)
77.247.182.246: 186 count(s)
**********************************************************************
                    IPs and Attacked Targets
**********************************************************************
101.200.0.122: 270 target(s)
120.27.31.143: 119 target(s)
77.247.182.246: 7 target(s)
**********************************************************************
                    IPs and Detected Risk
**********************************************************************
I sent a pull request to Chris yesterday and he has already merged it. The tool is available on his GitHub repository. It's easy to set up, does not have many dependencies and runs smoothly in a Docker container.
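To make the two phases concrete, here is an added example in Python; it is not part of Just-Metadata or of this diary. It loads an ip.txt-style list the way the `load` command does, looks each address up in a stand-in reputation table, and ranks the results in the layout of the `analyse dshield` report above. The table reuses the count and target figures printed in that report so the script runs offline; the function names (`load_ip_list`, `gather`, `rank`, `report`) and the constructed input file are assumptions, and a real deployment would replace `lookup_sample` with a query to DShield or another source.

```python
"""Added example, not Just-Metadata's own code: a minimal IP triage pipeline.

Phase 1 loads a list of IP addresses and collects one record per address.
Phase 2 ranks the records the way the 'analyse dshield' report does.
Network lookups are replaced by an in-memory table so this runs offline.
"""
import ipaddress

# Constructed ip.txt: the five addresses from the diary plus the kind of
# noise a real log extract tends to contain.
SAMPLE_IP_FILE = """\
# addresses extracted from yesterday's firewall logs (constructed)
120.27.31.143
77.247.182.246
193.169.52.214
46.4.120.238
101.200.0.122
120.27.31.143      # duplicate, dropped
10.0.0.5           # private, must never be sent to an external service
not-an-ip
"""

# Stand-in for the DShield lookup. The count/target figures are the ones
# printed in the diary's report; the two addresses the report listed under
# "No information within DShield" are simply absent.
SAMPLE_REPUTATION = {
    "101.200.0.122": {"count": 832, "targets": 270},
    "120.27.31.143": {"count": 596, "targets": 119},
    "77.247.182.246": {"count": 186, "targets": 7},
}


def load_ip_list(text):
    """Parse an ip.txt-style file into (public_ips, skipped_tokens).

    Comments and blank lines are ignored, duplicates collapse to one entry
    (order preserved), and anything that is not a global unicast address is
    set aside: invalid tokens and private/loopback/reserved addresses give
    no useful reputation data and leak internal topology if queried.
    """
    public, skipped, seen = [], [], set()
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            skipped.append(token)
            continue
        if not ip.is_global:
            skipped.append(token)
            continue
        if ip not in seen:
            seen.add(ip)
            public.append(str(ip))
    return public, skipped


def lookup_sample(ip):
    """Phase 1 lookup: the record for ip, or None if nothing is known."""
    return SAMPLE_REPUTATION.get(ip)


def gather(ips, lookup=lookup_sample):
    """Phase 1: one record (or None) per address, keyed by address."""
    return {ip: lookup(ip) for ip in ips}


def rank(records, field, top_n):
    """Phase 2: addresses that have data, sorted by field, highest first.

    Ties are broken by address so the output is stable between runs.
    """
    hits = [(ip, rec[field]) for ip, rec in records.items() if rec is not None]
    hits.sort(key=lambda item: (-item[1], item[0]))
    return hits[:top_n]


def report(records, top_n=10):
    """Render the two tables in the layout of the DShield analysis module."""
    sections = (("IPs and Detected Counts", "count", "count(s)"),
                ("IPs and Attacked Targets", "targets", "target(s)"))
    lines = []
    for title, field, unit in sections:
        lines += ["*" * 70, title.center(70).rstrip(), "*" * 70]
        lines += [f"{ip}: {value} {unit}" for ip, value in rank(records, field, top_n)]
    return "\n".join(lines)


if __name__ == "__main__":
    ips, skipped = load_ip_list(SAMPLE_IP_FILE)
    print(f"[*] Loaded {len(ips)} systems, skipped {skipped}")
    print(report(gather(ips)))
```

The `is_global` check is the part most often forgotten in home-grown triage scripts: a log extract usually contains RFC 1918 addresses, and sending them to Shodan or a reputation feed wastes API quota and tells the provider something about your internal addressing.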

Xavier Mertens
ISC Handler - Freelance Security Consultant


Apple Updates Everything (Again)

Published: 2016-03-21
Last Updated: 2016-03-21 23:44:12 UTC
by Johannes Ullrich (Version: 1)

As part of today's product announcements, Apple released new operating systems across its different products. In addition to new features, these updates do address a number of security issues as well.

OS X Server 5.1 (for Yosemite 10.10.5)

This update improves warnings in case the administrator stores backups insecurely and removes old SSL ciphers (RC4). Also, authentication bypass issues are addressed in the Wiki.

Safari 9.1

The Safari update is available for OS X back to 10.9 (Mavericks). It fixes a total of 12 vulnerabilities, some of which can be used to execute arbitrary code.

OS X El Capitan 10.11.4 (Security Update 2016-002)

A total of 59 vulnerabilities are patched (I hope I counted them right). Here are some of the highlights:

Apple USB Networking (CVE-2016-1734): This vulnerability could lead to arbitrary code execution if a malicious USB device is connected to the computer.

Bluetooth (CVE-2016-1735/1736): Bluetooth can be used to execute arbitrary code. It isn't clear (but likely) that you first need to pair with the device, which would mitigate the problem somewhat.

Messages (CVE-2016-1788): This vulnerability, which would allow the interception of iMessage messages, has gotten a lot of press in the last couple of days.

OpenSSH (CVE-2016-0777/0778): The roaming vulnerability that could lead to a leak of the private key is fixed in this patch.

Wi-Fi (CVE-2016-0801/0802): A malicious WiFi frame could be used to execute arbitrary code. Since this requires an unspecified ether type, I am assuming that this requires that the victim first associates with the network. But the advisory doesn't provide sufficient details to tell for sure.

Xcode 7.3

Two affected components: one vulnerability in otool (a tool to display object files) and another two vulnerabilities in Subversion.

watchOS 2.2

A lot of overlap here with the OS X and Safari patches. Note that the Watch is also vulnerable to the WiFi exploits, but not the Bluetooth issues.

iOS 9.3

A total of 36 vulnerabilities, many of which are also patched for OS X. The Wi-Fi vulnerability applies to iOS just as it does to watchOS and OS X.

tvOS 9.2

Again a lot of overlap with the other updates.

In short: patch...

For details from Apple, please refer to the usual security bulletin page: https://support.apple.com/en-us/HT201222

---
Johannes B. Ullrich, Ph.D.


Why Users Fall For Ransomware

Published: 2016-03-21
Last Updated: 2016-03-21 19:17:53 UTC
by Johannes Ullrich (Version: 1)

We got the following message from our reader Steven:

"Yesterday I received an email regarding "STEVEN, Notice to Appear in Court on March 28", which included a ZIP folder attached. I am actually scheduled to appear in court on March 28th, so I assumed it was legit. I scanned the ZIP folder with Avast, and it said there was no problem.

I un-zipped the folder and scanned the .doc.js file with Avast, and it said there was no problem. So I double-clicked on the .doc.js file. Nothing happened. I then changed the file name, removing .js from the extension. I clicked on the file and it opened in Word. Upon seeing the mess of text letters, I became alarmed and then found your webpage: https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/"

I think the message does make some important points: Malicious spam does work. It just has to hit the right person. Just like Steven had a court appointment, others may be waiting for a shipping confirmation or are waiting for an airplane ticket they just booked. Attacks do not have to work every time, and even a relatively small success rate is still a "win" for the attacker.
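The one detail in Steven's account that a mail filter can act on mechanically is the file name: a ".doc.js" member inside a ZIP, which Explorer shows as ending in ".doc" when "Hide extensions for known file types" is on, while Windows hands the file to the Windows Script Host. As an added example in Python (not code from the diary), the script below builds such a ZIP in memory with placeholder content, classifies each member name and returns a verdict a mail gateway or SOC script can act on; the extension lists, function names and sample file names are assumptions chosen for the illustration.

```python
"""Added example, not from the diary: triage of e-mail attachment names.

Steven's attachment was a ZIP containing a '.doc.js' file. This script
builds a constructed ZIP in memory (placeholder text, no malware), lists
its members and classifies each name so a mail gateway or SOC script can
block, hold for review, or allow the attachment.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs as scripts or programs when double-clicked.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1"}
# Extensions a recipient expects to open harmlessly in a document viewer.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".rtf", ".jpg", ".png"}
# Archives inside archives hide their members from this name check.
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def classify_name(name):
    """Return (verdict, reason) for one attachment or archive member name.

    verdict is 'block', 'review' or 'allow'. The interesting case is a
    script extension preceded by a document extension ('.doc.js').
    """
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return "review", "no extension"
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            return "block", f"document extension masking {last}"
        return "block", f"executable or script extension {last}"
    if last in ARCHIVE_EXTS:
        return "review", "nested archive"
    if len(suffixes) >= 2:
        return "review", "multiple extensions"
    return "allow", "single non-executable extension"


def scan_zip(data):
    """Classify every file inside a ZIP given as bytes.

    Returns a list of (member_name, verdict, reason); directories are skipped.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict, reason = classify_name(info.filename)
            results.append((info.filename, verdict, reason))
    return results


def verdict_for_zip(data):
    """Overall decision for the attachment: the worst member verdict wins."""
    verdicts = {v for _, v, _ in scan_zip(data)}
    for level in ("block", "review"):
        if level in verdicts:
            return level
    return "allow"


def build_sample_zip():
    """Constructed attachment shaped like the one in the diary.

    The member names are made up for the example and the contents are
    placeholder text, not the real script.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice_to_Appear_March_28.doc.js", "// placeholder text")
        zf.writestr("court_schedule.pdf", "%PDF-1.4 placeholder")
        zf.writestr("readme", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, verdict, reason in scan_zip(sample):
        print(f"{verdict:6} {member}: {reason}")
    print("attachment verdict:", verdict_for_zip(sample))
```

A name-based check like this is cheap and catches exactly the trick Steven describes, but it complements rather than replaces content inspection: the same script renamed to a plain ".js" is still blocked here only because ".js" is on the executable list, and an archive inside the archive is merely flagged for review.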

In this case, I ran the script in a Windows 8.1 virtual machine. Windows Defender blocked it (the only anti-malware I have on the system). The JavaScript then, as expected, downloaded crypto-ransomware. The ransomware went ahead and renamed various files by adding the .crypted extension, and encrypted them.

Anti-virus coverage was pretty decent for the unzipped attachment according to VirusTotal. But it looks like Steven's copy of Avast did let this sample slip past.

Doing a quick analysis of the PCAP, it looks like the actual malware was downloaded from 

http://wambofantacalcio.it / counter/?ad=1N....[long string]&dc=[6 digit number]

Anti-virus coverage on the binary is mixed, with Symantec identifying it as Cryptolocker.

---
Johannes B. Ullrich, Ph.D.
