Resolving DNS requests for malware analysis

INetSim is an interesting tool for simulating common internet services. It's worth gold when you want to run an air-gaped network and still simulate "the internet" so that malicious software continue to work as they should be. While they do some activity you monitor their behavior on your victim machine, and on the INetSim server.

One thing that was frustrating me was the default behavior of the DNS service within INetSim. When a client connects to INetSim to resolve a DNS name the service will always respond with the same fixed IP address.

This is rather annoying when analyzing malwares that use multiple DNS names to connect to multiple command and control servers, or just performing test-connections. As the DNS service replies with the same IP, and the malware establishes a TCP connection to that IP you can't make the relation between the domain name and the communication. There is no clear way for you to know what tcp session, and what communication matches which command and control server.

Except if you hardcode the different domain names in the configuration file of course. However, how do you encode a name in that configuration if you don't know the name yet? Basic static analysis could already have given you a name, however that is likely not the case if the malware was packed with a non-standard packer. So should I first spend loads of time to manually unpack the malware? Or should I run the malware, look at the DNS requests, encode these DNS names in my INetSim, restore from snapshot, re-infect the machine, see new domain names, re-encode them, etc...

Being a lazy person this doesn't motivate me a lot, so when I was following Lenny Zeltser's SANS 610 class some time ago I threw him this question. Fortunately I was not the first one with this frustration and another student if him wrote a python script to do incremental DNS responses and gave me a copy. However I didn't like the idea to use yet-another-additional-tool, so I looked into the code of INetSim and a hack looked easier than expected.

So I wrote a simple patch that added this new functionality:
- for each dns request, a new IP is returned (i++)
- requesting the same dns name twice returns the same IP of course (I save it in the temporary hash with the hardcoded hostnames)
- the start IP is the default IP
- functionality is activated by a configuration flag.

There is however a limitation: once the x.y.z.254 IP is reached the DNS response will stay the same IP.

This patch has been sent to the developers of INetSim, and they were going to look into it to integrate it when they would have a little bit more time. It seems I have forgotten to publish this 5 months old code here.

You can apply the patch using the following commands:

tar xzf inetsim-1.2.3.tar.gz
wget http://documentation.vandeplas.com/inetsim/inetsim_incrementaldns.patch
cd inetsim-1.2.3/
patch -p1 < ../inetsim_incrementaldns.patch

This will output: (the fuzz is because the patch was for INetSim v1.2.2)

patching file conf/inetsim.conf
patching file lib/INetSim/Config.pm
patching file lib/INetSim/DNS.pm
Hunk #1 succeeded at 67 with fuzz 2.

Now install INetSim and start it up and perform some DNS queries. We see the responses increment each time, while staying consistent when requesting the same name.

MISP - Malware Information Sharing Platform

It took some time, but finally we were able to release MISP as open source software.
This MISP - Malware Information Sharing Platform has been developed in collaboration between the Belgian Defence CERT and the NATO Computer Incident Response Capability (NATO NCIRC) and is today actively developed and used in production.

The problem that we experienced in the past was the difficulty to exchange information about (targeted) malwares and attacks within a group of trusted partners, or a bilateral agreement.
Even today much of the information exchange happens in unstructured reports where you have to copy-paste the information in your own text-files that you then have to parse to export to (N)IDS and systems like log-searches, etc...

To facilitate the exchange of technical information we started to develop this tool, that :
- automates exchange of IOC
- enables you to have your internal IOC database accessible (include uploaded malwares and reports,...)
- correlates different malwares and events
- generates files in various export formats (snort/IDS, plain text, xml, ...)  (in the future MAEC and other IOC formats)

- synchronizes with instances of external trust-groups

This results in faster detection of targeted attacks and improves the detection ratio while reducing the false positives. We also avoid reversing similar malware as we know very fast that others already worked on this malware.

The Red October malware for example gives a similar view:

(...)

Feel free to have a look at the (pdf) documentation in the INSTALL directory.

For the future version (v2) this is the develop branch: https://github.com/MISP/MISP/tree/develop/INSTALL

We are actively developing this tool and many (code, documentation, export formats,...) improvements are coming.

Feel free to fork the code, play with it, make some patches and send us the pull requests.

Feel free to contact me if you have questions or remarks.

The project site is: https://github.com/MISP/MISP

There are 2 branches:

- develop: future v2 with many many improvements

- main: current stable version, but it has some bugs in the synchronization functionality (we're fixing these)

Some people might think about CIF, the collective intelligence framework, however both tools are different. Perhaps integration might be provided between those two in the future.

Migration from Drupal to Blogger

(update2: added link to Drupal 7 version by Nico Schlömer)
(update: Migrated the code to GitHub and implemented minor improvements.)


It has finally happened: this blog is migrated away from Drupal to Blogger. My reason to move towards Blogger (and thus not away from Drupal) is very simple: No need to patch/update the application.
An important thing for me is that I wanted to keep all my blogposts, timestamps and comments. Unfortunately it looks like most people move away from Blogger towards Drupal and the web is full of code and information to export your data from Blogger in XML and then import it into Drupal.
But information how to upload everything into Blogger was nihil.
So I wrote a php script to do the export while keeping:

• posts
• comments
• tags / categories 
• publishing date

However there are a few quircks.

• It seems to work only for Drupal 6, not 7.
• Comments are (partially) anonymized because of a security feature of Blogger
• URLs are not customizable, so you will create dead links
• Images are not changed or imported. So manual work is still necessary

To use this script first create your blog into Blogger, create a test posts and export it to XML. Then run my php script and copy paste the output towards the bottom of the XML, where your test post is located.
Save the file and import it again in Blogger. It usually takes some time, but in the end you get the message that everything is imported correctly.

The code to do this is located here: https://github.com/cvandeplas/inet_scripts/blob/master/drupal_to_blogger.php .
A version for Drupal 7 has been written by Nico Schlömer is located here: https://github.com/nschloe/drupal2blogger

Book review: BackTrack 5 Wireless Penetration Testing

Just before my holiday I got a new mail from Packt publishing to read a new book of theirs about Wireless Penetration Testing. Perfect to read on a sunny beach.

As this book is directed towards beginners I tried to read and review it with beginners eyes. Like their other book I was positively surprised to see a name I knew. The author Vivek Ramachandran not only gave a Wireless Pentesting training at BruCON, but is also known for his work on wireless security.

Content
The book has nine chapters starting with info how to build your lab, and what kind of hardware is required to more advanced attacks like Mis-Association, Caffe Latte, and breaking WPA-Enterprise.

I wouldn't compare this book to a standard book you read, because this book would be more a training manual teaching you some (basic) theory and then giving you lab exercises (or vice-versa). This is a great thing for geeks like me that remember by doing, and not by reading.

The disappointing bit was the lack of cryptographic theory. I think it is rather important to not only learn to use a tool with its command line options, but it's also important to know what the differences are between PTW and FMS attacks, and why it's possible to do ARP replays while the packets are encrypted. (Answer: because an ARP packet has a fixed length it can be recognized even being encrypted.)

As I am more experienced half of the book was a quick read, however the second half was a lot more pleasing as it taught me things I didn't know. (or forgot because of a lack of practice)

Conclusion
If you don't have experience with Wireless Cracking/Penetration Testing this book is definitely a must-read. I do advice however that you open Wikipedia and the site of Aircrack when reading trough WLAN Encryption Flaws (Chapter 4) to better understand the cryptographics.
Don't forget to buy a wireless card supporting monitor mode and packet injection while ordering this (e)book.

If you want to read a bit have a look at the free sample chapter.

RTBF TV Series downloader

Some time ago I wrote a simple script to automagically download TV episodes from the "revoir" functionality from the website of the RTBF.
That first script was rather unstable, so I analyzed the HTTP flow occurring while playing a video manually and wrote a lot more stable script that seems to work for some time.
The rtbf_tv_series_downloader.py script is available on a github repository.

How is it working?

1. The XML feed with the latest episodes is fetched.
2. From that file the unique id is extracted.
3. That unique id is used to download the JSON file for that episode.
4. In that JSON file a full download url is available.
5. That file is downloaded and saved to the disk. Only if it was not yet on the disk.

Python global variables

Some things in python are weird, especially when considering global variables. Let's take the following code where we define two global variables (string and dict) and change their value inside the function.

dictionaryVar = {'A':"original"}
stringVar = "original"
globalStringVar = "original"

def aFunction():
    global globalStringVar
    dictionaryVar['A']="changed"
    stringVar = "changed"
    globalStringVar="changed"
    return dictionaryVar, stringVar, globalStringVar

print "Output of the function is:"
a = aFunction()
print "Dictionary   : ",
print a[0]
print "String       : "+a[1]
print "Global String: "+a[2]
print "\nGlobal variables are now: "
print "Dictionary   : ",
print dictionaryVar
print "String       : "+stringVar
print "Global String: "+globalStringVar

And now when running the code we see the following output (Python 2.6.6) we see the following:

$ python tmp/foo.py 
Output of the function is:
Dictionary   :  {'A': 'changed'}
String       : changed
Global String: changed

Global variables are now: 
Dictionary   :  {'A': 'changed'}
String       : original
Global String: changed

So the conclusion is:

• Global strings changed in a function are returned correctly, and not changed outside the scope of the function. (expected)
• Global dictionaries changed in a function are returned correctly, but they are also changed outside the scope of the function. (not expected)
• Global strings, declared as global (in the function), changed in a function are returned correctly, and are also changed outside the scope of the function. (expected)

Book review: BackTrack 4: Assuring Security by Penetration Testing

Recently Packt publishing contacted me to ask me if I would like to review their BackTrack 4 book. Being an avid user of this distribution, and wondering what a book about BackTrack would look like, I accepted the offer.

A few days before BackTrack 5 came out the book finally arrived in my mailbox. As I also had the opportunity to play with BackTrack 5 during the time I read the book, I should be able to see how useful it is now BT5 is out.

A suprise
A first surprise was when I read the first pages about the authors and reviewers. Peter Van Eeckhoutte, also known as corelanc0d3r (from Corelan Team), is one of the three reviewers of this book. Seeing his name in this book gave me a good feeling about what I was going to encounter. (no no, it's not because he's Belgian)

Content
The book is divided into twelve chapters, with the first chapter an introduction to the BackTrack distribution, the various forms, how to configure the basics, update the system and make your own version of the live CD. The second chapter (free sample) gives an overview of various penetration testing methodologies, including the OSSTMM, ISSAF, OWASP, ... but also a BackTrack pentesting process in ten consecutive steps: Target Scoping, Information Gathering, Target Discovery, Enumerating Target, Vulnerability Mapping, Social Engineering, Target Exploitation, Privilege Escalation, Maintaining Access, and last but not least Documentation and Reporting. 

If you already used BackTrack before you will certainly recognize some of these names in the menu's of the BT4 menu ... and even more from the BT5 menu ... 

The next ten chapters first elaborates each step in some detail, to then dive into the real usage of each of the tools delivered with BT. So what options and arguments you need to do your job. This review won't go into detail into each chapter as it can be considered as an "enumeration of many tools". Many tools I already knew, but also many I discovered while reading.

At the end there's the very-much needed chapter about Documentation and Reporting ... a step often hated by techies. The book tries to convince you of the utility of your report and helps you by giving some tips and tricks with a sample table of contents to start with.

Downsides
Unfortunately no book is perfect and the thing that I really missed was a discussion of IPv6 tools, and examples with IPv6 IP addresses. Fortunately there's still that rather old Uninformed article from H D Moore to fill the gap.

Also be careful not to read the whole book at once, as your brain risks a buffer overflow if you do.

Conclusion
As this book is really focused on the BackTrack distribution the authors knew they wouldn't need to fill pages on how to install these hundreds of tools, but instead they could concentrate on explaining what every tool does and how to use them.
Of course you can't expect to have an extremely deep dive into each one of the tools, knowing that the book discusses around 100 of them. But they found a good equilibrium by going deeper with the more important tools available, with for example the five practical examples of exploitation with metasploit. (db_nmap, snmp scanner, vnc scanner, iis6 webdav attack, bind/reverse shell and meterpreter and msfpayload)

I already know what I'll do with this book: First put my name in it, then lend it to some friends who will certainly learn a lot from it and finally make sure I get it back (that's why I put my name in it) to use it as a later quick reference. An eBook version is available with a discount if you have the paper-version, and I'm hesitating to buy that one for the sake of mobility.

So if you're interested to buy the book, you can do that here.

BruCON Call For Papers

2009 was the first edition of BruCON, a non-profit conference meant to unite all the people in and around Belgium interested in discussing computer security, privacy and computer technology related topics. It was a great first edition thanks to the help of the sponsors and many volunteers.

I'm happy that I'll be able to play a (more significant) role in the organization of the second edition.

Do you have an interesting topic to present or a cool workshop? Have a look at the Call of Papers here.

I'm going to FOSDEM

Change files on the read-only filesystem of your Android phone

I am currently working on an small application that needs to load kernel modules at the startup of the Android phone. I could eventually start up an Activity or Service using a trigger on the BOOT_COMPLETED_ACTION, (howto), but this creates some complexity as I need to load compcache kernel modules requiring lots of free memory.
Using a boot script is much better.
(Un)fortunately an application cannot change things in the /system partition as it is mounted in read only.

# mount
rootfs on / type rootfs (ro)
tmpfs on /dev type tmpfs (rw,mode=755)
devpts on /dev/pts type devpts (rw,mode=600)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /sqlite_stmt_journals type tmpfs (rw,size=4096k)
/dev/block/mtdblock3 on /system type yaffs2 (ro)
/dev/block/mtdblock5 on /data type yaffs2 (rw,nosuid,nodev)
/dev/block/mtdblock4 on /cache type yaffs2 (rw,nosuid,nodev)
/dev/block/mmcblk0p2 on /system/sd type ext2 (rw,noatime,nodiratime,errors=continue)
/dev/block//vold/179:1 on /sdcard type vfat (rw,dirsync,nosuid,nodev,noexec,uid=1000,...)

Fortunately, as I have root support on my phone, I can simply remount the /system partition as rw, do my change and then remount it back to ro.
Here is how you do this in java code:

public static void saveCommandsToBootFile(String script, String filename) {
 // first remount filesystem in rw
 // save the file
 // remount the filesystem back to ro
 String command = 
  "mount -o remount,rw /system \n" +
  "echo '" + script.replace("'", "\\'") + "' > " + filename + " \n" +
  "mount -o remount,ro /system \n";
 executeCommand(command);
}

public static void executeCommand(String command) {
 Log.d(MainActivity.LOG_TAG, "Executing the following commands: \n" + command);
 Process process;
 try {
  process = Runtime.getRuntime().exec("su -c sh");
  DataOutputStream os = new DataOutputStream(process.getOutputStream());
  //DataInputStream osRes = new DataInputStream(process.getInputStream());
  os.writeBytes(command); os.flush();
  // and finally close the shell
  os.writeBytes("exit\n"); os.flush();
  process.waitFor();
 } catch (IOException e) {
  e.printStackTrace();
 } catch (InterruptedException e) {
  e.printStackTrace();
 } 
}

Some remarks you could have:

• I didn't use java to write the file: Indeed, my java application runs in a limited environment and has no rights to write to /system/, even mounted rw. I would need to write the file temporary somewhere else, to then move it back to the final location. This looks a little to complex.
• I escape the ' quote in the script to prevent my echo foo > bar failing.
• An uncontrolled filename could result in command injection as root !  (Thanks to Steve Nugen from UNO to report that!)