Tuesday, July 30, 2013

As you know, the majority of the webmasters upload a file called robots.txt to their servers in order to give instructions to the crawlers like Google, Yahoo, Bing... about what pages mustn't be indexed.

Example: http://behindthefirewalls.blogspot.com.es/robots.txt

Why does the webmaster want to hide some URLs? One of the first things the hackers can do is check these files. Hackers can get a lot of valuable information trying to locate the data, scripts... that the webmaster wants to keep hiding...

Sometimes Google indexes the robots.txt,  giving hackers the oportunity to locate words in this file through Google searches.

For example, if a hacker wants to locate phpMyAdmin installations, he could use the robots.txt files indexed in Google to locate them and then try to exploit them.

inurl:.com/robots.txt- + "Disallow: /phpmyadmin/ "



The hackers could locate Wordpress installations...

inurl:".com/robots.txt" + "Disallow: /wp-admin/

The hackers could locate Drupal installations...
inurl:".com/robots.txt" + "Disallow: ?q=admin"

The hackers could locate Joomla installations...

inurl:"/robots.txt" + "Disallow: joomla"

The hackers could locate Plesk Statistics installations...

inurl:"/robots.txt" + "Disallow:  plesk-stat"


The hackers could locate Tinymce installations in order to try to get information about the plugins installed on these servers and then try to exploit them...

inurl:".com/robots.txt" + "Disallow: tinymce"

 Is someone trying to hide their password? Oh my god...

inurl:"/robots.txt" + "Disallow: passwords.txt"

You should be careful when you are writing your robots.txt because if someone checks it or someone with imagination searches on Google with this types of queries,  you could be a hacker's target...

Posted on Tuesday, July 30, 2013 by Javier Nieto

No comments

Monday, July 22, 2013

Cuckoo is a free malware analysis system. You can analyze any suspicious file with Cuckoo and it will give you some very detailed feedback:

  • Traffic captures in Pcap format.
  • Traces of win32 API calls.
  • Information about processes created by the malware.
  • Files that have been downloaded, modified or removed during the malware execution.
  • Register keys that have been modified.
  • Malware behavior.
  • Screenshots taken while the malware was running.

You can use this website if you want to test it for free. https://malwr.com/

In this post I'm going to show you how to install your own Cuckoo for the purpose of malware investigation.

My computer has the following operating system.
lsb_release -a
No LSB modules are available
Distributor ID:    Ubuntu
Description:    Ubuntu 10.04.3 LTS
Release:    10.04
Codename:    lucid

It is necessary to install SQLAlchemy for Cuckoo.
apt-get install python-sqlalchemy

There are other optional dependencies. Their installation is recommended:
  • Dpkt (Highly Recommended): for extracting relevant information from PCAP files.
  • Jinja2 (Highly Recommended): for rendering the HTML reports and the web interface.
  • Magic (Optional): for identifying files’ formats (otherwise use “file” command line utility)
  • Pydeep (Optional): for calculating ssdeep fuzzy hash of files.
  • Pymongo (Optional): for storing the results in a MongoDB database.
  • Yara and Yara Python (Optional): for matching Yara signatures (use the svn version).
  • Libvirt (Optional): for using the KVM machine manager.
  • Bottlepy (Optional): for using the web.py and api.py utilities.
  • Pefile (Optional): used for static analysis of PE32 binaries.

We can  Install the majority of them through the Debian repositories.
apt-get install python-dpkt python-jinja2 python-magic python-libvirt python-bottle python-pefile

We can install pymongo with pip
apt-get install python-pip
pip install pymongo

Now, we are going to download and install Yara.
apt-get install libpcre3 libpcre3-dev
wget http://yara-project.googlecode.com/files/yara-1.7.tar.gz
wget http://yara-project.googlecode.com/files/yara-python-1.7.tar.gz
tar xvfz yara-1.7.tar.gz
cd yara-1.7
make check
cd ..
tar xvfz yara-python-1.7.tar.gz
cd yara-python-1.7
python setup.py build
python setup.py install

It's a requirement to have installed Ssdeep before installing Pydeep. We can download it from: http://sourceforge.net/projects/ssdeep/files/ssdeep-2.10/ssdeep-2.10.tar.gz/download
Then, we are going to install it.
tar xvfz ssdeep-2.10.tar.gz
cd ssdeep-2.10
make check
make install

Now, we are going to download and install Pydeep
wget https://github.com/kbandla/pydeep/archive/master.zip
unzip master.zip
cd pydeep-master
python setup.py build
sudo python setup.py install

If you haven't installed Tcpdump yet, you need to install it. With the following commands we can run Tcpdump as a normal user instead of a root user.
apt-get install tcpdump
chmod +s /usr/sbin/tcpdump
apt-get install libcap2-bin
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
apt-get install libcap2-bin
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump

Currently we have all the Cuckoo's tools installed. Now we need to install Virtualbox in order to create our Windows Virtual machine where we will run the malware. Remember when you are installing the Windows operating system to disable the automatic updates and install the old software versions like Adobe Reader, Java, Flash Player. We want to have a vulnerable virtual machine.
wget http://download.virtualbox.org/virtualbox/4.2.16/virtualbox-4.2_4.2.16-86992~Ubuntu~lucid_i386.deb
dpkg -i virtualbox-4.2_4.2.16-86992~Ubuntu~lucid_i386.deb

Now, we are going to create a cuckoo user with permission from the Virtualbox machines.
adduser cuckoo
usermod -G vboxusers cuckoo

We should download Cuckoo from the original repository.
wget https://github.com/cuckoobox/cuckoo/archive/master.zip
unzip master.zip
cd cuckoo-master/ 

It's necesary to have the following tools installed on the Windows Virtual Machine.

The next step is to copy the Cuckoo agent.py from the Cuckoo package to the virtual machine. Then it's necessary to excute it. If you want, you can create a key register allowing the agent to  run automatically  each time the computer is restarted.

Now, we need to change the following settings on the Cuckoo Server.

This is my configuration of the Virtual machine.

mode = headless
path = /usr/bin/VBoxManage
machines = Cuckoo Sandbox
label = Cuckoo Sandbox
platform = windows
ip =

This is my configuration of the cuckoo server.

version_check = on
delete_original = off
machine_manager = virtualbox
ip =
port = 2042
interface = vboxnet0

Configuring the Virtualbox server this way is necessary in order to get the traffic capture with tcpdump.

vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip
vboxmanage modifyvm 'Cuckoo Sandbox' --hostonlyadapter1 vboxnet0
vboxmanage modifyvm 'Cuckoo Sandbox' --nic1 hostonly

We need to configure these network settings on the virtual machine.
Static IP -
DNS - any DNS server (
Default Gateway -

Now, we need to forward the packets through the server:
sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo echo 1 > /proc/sys/net/ipv4/ip_forward or sudo sysctl -w net.ipv4.ip_forward=1

When you have everything ready, you need to take a screenshot of your Virtual Machine.
vboxmanage snapshot "Cuckoo Sandbox" take "Cuckoo Sandbox" --pause

The first time I ran Cuckoo, I had a problem that I fixed with the following command.
pip install argparse

Now we are going to play with malware files. First of all, we need to run the Cuckoo server.
jnieto@behindthefirewalls:~/cuckoo/cuckoo-master$ python cuckoo.py 

We are going to send a malware file to the virtual machine and we are going to wait a moment while the malware is running and Cuckoo is analyzing it...
python submit.py /home/jnieto/cuckoo/cuckoo-master/malware_samples/iwmsax.exe

When the analysis is finished, we can see all these files.

We can see the HTML report and view all the information about the malware.

When we have finished testing the malware, we need to recover the fresh screenshot of our operating system again. We are going to use the following commands.
vboxmanage controlvm "Cuckoo Sandbox" poweroff
vboxmanage snapshot "Cuckoo Sandbox" restorecurrent
vboxheadless --startvm "Cuckoo Sandbox"

Santi's Labs

Posted on Monday, July 22, 2013 by Javier Nieto

No comments

Friday, July 12, 2013

In this post I'm going to talk about Volatility. Volatility is one of  the best tools for memory forensics. It is an open source framework writen in python for incident response and malware analysis.

Thanks to Malware Analyst's Cookbook we can get a real memory dump from an infected host with Zeus Trojan. You can donwload zeus.vmem.zip [41,4 MB]
1) With the option "imageinfo" you can find out what type of OS was running.
python vol.py -f zeus.vmem imageinfo

2) Now, we are going to watch what processes were running on the computer when the memory dump was recorder.
python vol.py -f zeus.vmem pstree

3) I couldn't see anything weird... I wanted to know if the machine was making connections...
python vol.py -f zeus.vmem connscan

4) Ok. Our machine was making connections with by the 80/tcp port. The proccess Pid is 856. We want to know whether this process belong to an Internet Browser.

We run it again:
python vol.py -f zeus.vmem pstree

5) We can see that svchost.exe is the process which is making connections with193.104.47.75 instead of an Internet Browser... This is not common... Is this IP address blacklisted?


6) As you can see, this IP is blacklisted. It is common that a trojan adds a registry key to be sure that it will be running every time the computer is restarted. Take a look at the Winlongon register key...

python vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"

You can see sdra64.exe will run when the computer starts. If you search on Google you can see a lot of websites talking about this process... It seems to be a trojan....

7) Now, we are going to try find a hidden or injected code/DLLs in the user mode memory and dump it...
python vol.py -f zeus.vmem malfind --dump-dir evidencias/

8) We are really interested in dumping the process with the Pid 856 which has established connections with the blacklisted servers.

9) Now, I'm going to get the SHA256 hash in order to search in Virustotal and see if this process is recognized by any Antivirus.


Ok, so far so good.

10) We are going to use the mutantscan command. With this option, we can display all objects.
python vol.py -f zeus.vmem mutantscan

We noticed _AVIRA_2108... I don't know where I've heard this before...
python vol.py -f zeus.vmem mutantscan | grep AVIRA

I was looking for this object on Google. I visited www.fortiguard.com and found this.

11) This trojan usually shuts down our Firewall.. We can check it with the next command.
python vol.py -f zeus.vmem printkey -K "ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

This is evidence that the computer was infected with Zeus Trojan. In the next post, we are going to analyze another memory dump with Volatility.

Interesting links:

Posted on Friday, July 12, 2013 by Javier Nieto


Friday, July 05, 2013

Scalp is a log analyzer for the Apache web server written by Romain Gaucher. The goal of this tool is to search through the apache log files and detect the possible attacks that have been sent through HTTP/GET.

Scalp get the regular expression from the PHP-IDS and matches the lines from the acces.log file. This script is written in python and needs a XML which contains the rules to detect the attacks.

You can download Scalp here.

You can download the XML file here.

See below Scalp help. It's interesting run the script and only make searches for xss, sqli, dos.. . attacks.

$ ./scalp-0.4.py --help
Scalp the apache log! by Romain Gaucher - http://rgaucher.info
usage:  ./scalp.py [--log|-l log_file] [--filters|-f filter_file] [--period time-frame] [OPTIONS] [--attack a1,a2,..,an]
                   [--sample|-s 4.2]
   --log       |-l:  the apache log file './access_log' by default
   --filters   |-f:  the filter file     './default_filter.xml' by default
   --exhaustive|-e:  will report all type of attacks detected and not stop
                     at the first found
   --tough     |-u:  try to decode the potential attack vectors (may increase
                     the examination time)
   --period    |-p:  the period must be specified in the same format as in
                     the Apache logs using * as wild-card
                     ex: 04/Apr/2008:15:45;*/Mai/2008
                     if not specified at the end, the max or min are taken
   --html      |-h:  generate an HTML output
   --xml       |-x:  generate an XML output
   --text      |-t:  generate a simple text output (default)
   --except    |-c:  generate a file that contains the non examined logs due to the
                     main regular expression; ill-formed Apache log etc.
   --attack    |-a:  specify the list of attacks to look for
                     list: xss, sqli, csrf, dos, dt, spam, id, ref, lfi
                     the list of attacks should not contains spaces and comma separated
                     ex: xss,sqli,lfi,ref
   --output    |-o:  specifying the output directory; by default, scalp will try to write
                     in the same directory as the log file
   --sample    |-s:  use a random sample of the lines, the number (float in [0,100]) is
                     the percentage, ex: --sample 0.1 for 1/1000

We ran Nikto and some Metasploit modules against one of my own Apache web servers and then, I analyzed the access.log with Scalp.
python scalp-0.4.py -l /var/log/apache2/access.log -f default_filter.xml -o scalp-output/ --html

I've taken some pictures of the Scalp html report. You can see SQL Injection, Local File Inclusion and Cross Site Scripting attacks.

Posted on Friday, July 05, 2013 by Javier Nieto


Monday, July 01, 2013

As I said in ZeroAccess Trojan - Network Analysis Part I ,  the goal of this trojan is to earn money through Click Fraud...

When the host has been already infected and it is a member of the botnet, the host beginning to generate a large amount of clicks on advertisements. With each click on an advertisment they are making money.

I'm going to show you some Ads which have been clicked. (The links can be removed with the passage of time). The majority of the advertisments are from porn sites.


Sophos has published a great document here  They have calculated how much money this botnet is making. The picture below from the Shopos document shows us an approximate calculation.

In my opinion, that is a huge amount of money!!!

Posted on Monday, July 01, 2013 by Javier Nieto

No comments