Archive for the ‘Uncategorized’ Category

How to write a web app worm

Saturday, November 6th, 2010

When I say web app worm I mean a web site specific worm such as twitter. Twitter has been picked on (they should be because it’s a meaningless app) when it comes to web app worms so why stop now. There are other types of worms that could include web servers and databases but that won’t be addressed in this write up. The web app I’ll pick on for this example is Gruyere. Gruyere is an intentional vulnerable application that a handful of folks over at google wrote to point out some of the major vulnerabilities within web applications. Gruyere is very twitter like so my example would be relevant to other applications that function in similar ways.

Most web site worms spread because they allow javascript to be inserted somewhere into the web application. For example in twitter when a status is updated (via a moronic “tweet”) you are allowed to insert words, sentences, and even links to other interesting sites. If twitter allows you to input all this information what do they block? Javascript is a well known programming language that you should never allow to be inserted into your web application. Even though many web developers know this they continually make mistakes and allow javascript to be inserted into their web apps. There are different categories of javascript attacks such as XSS and XSRF, I’m not a big fan of this naming convention but  you should be familiar with the terms and what they mean. Most all web app worms are spread via the XSRF attack. Basically a XSRF attack is where javascript (possibly other languages) is inserted into the web app, that javascript will then make a request on behalf of the user. This request could be malicious in nature or in case of the twitter worm examples just for fun. The example I’ll be going over will be a classic XSRF attack where I’ll insert javascript to make requests on behalf of the user.

Let’s get started. I went ahead and created several accounts within Gruyere to demo the attack, in this case Travis will be the attacker.

To create a web app worm first you’ll need to discover a vulnerability within a web app that allows you to insert javascript. Luckily the “New Snippet” functionality will allow us to insert javascript. Now to find vulnerable input that allows you to insert javascript may not be that easy. In order to successfully insert javascript you’ll need to be able to insert certain characters such as “<” and “>”. One great tool to find these characters which will in turn find vulnearbilities is Firefox addon named “XSS Me”. XSS Me will tell if an input will allow certain characters. So now that we have vulnerable input how do we get this worm started? As the attacker I will place the following link into a new snippet.

Now all I’m doing here is creating a link to my evil code, to create a worm you don’t have to keep your evil code in another location you could insert all the evil code you need into the vulnerable web app itself. Most of the time inserting all of your evil code into the app itself would be ideal but it really depends on what the vulnerable app will allow you to do. Now that we’ve inserted a link to our evil code what exactly does our evil code look like, below is the source code in evil.html.

1
2
3
4
5
6
7
8
9
10
11
<p <body onload="Wait();"><img src="http://google-gruyere.appspot.com/251625447516/newsnippet2?snippet=%3Ca%20href%3D%22http%3A%2F%2Ftravisaltman.com%2Fevil.html%22%3Ekitten%20videos%3C%2Fa%3E">
<script>
function Redirect()
{
window.location="http://google-gruyere.appspot.com/251625447516/";
}
function Wait()
{
setTimeout("Redirect()", 1000);
}
</script>

Now let’s break evil.html down line by line. All the magic is happening in line one. The first thing that is written is the html paragraph tag “<p”, this is done specifically for this app because anything after the <p> tag would allow other characters. Next is the html body tag with an “onload” action. An action in malicious code is common so that the attacker perform other steps, another common action event is an onmouseover event. Once the page loads it will call the “Wait” function, we’ll come back to that in just a bit. After the wait is the image tag (<img>) to make the XSRF request for me. The request is to add a new snippet to whomever clicks on the link. In this case if a victim were to click on my link it would create a new snippet for them with a link saying “kitten videos”. To add a new snippet within Gruyere the url would be the following

http://google-gruyere.appspot.com/251625447516/newsnippet2?snippet=

Anything after the equal sign would show up as a new snippet so I inserted the following “malicious” snippet

%3Ca%20href%3D%22http%3A%2F%2Ftravisaltman.com%2Fevil.html%22%3Ekitten%20videos%3C%2Fa%3E

So what does all that mess mean? If you take all that mess and url decode it’s the following.

<a href="http://travisaltman.com/evil.html">kitten videos</a>

In this case I had to url encode my attack so that it would work, this is not uncommon when performing these types of attacks. So as the attacker I’m placing a link inside a new snippet for the victim that says “kitten videos” but that link is still pointing to my evil.html. Now let’s get back to the wait function. I won’t break it down line by line but what happens is when the page fully loads the code will jump to the wait function on line seven. After that setTimeout will execute after one second which calls the Redirect function, the Redirect function will redirect the user to the home page of Gruyere. The whole point of everything after line one is to simply redirect the user back to the homepage after the attack. So now that we have planted the seed of attack let’s see what happens when Alice clicks on our evil link.

Just by clicking on our “evil” link Alice created a snippet that she herself didn’t write, it was our malicious javascript that created the link. Now let’s login as Bob and click on the “kitten videos” in Alice’s snippets.

Bob has now updated his snippets just by simply clicking on the link in Alice’s snippet. You can now see how this can snowball much like other web app worms have spread as well. So in only a few lines of code I have created a worm that will replicate throughout the application infecting whomever clicks on my malicious link. The twitter worm was very simple as well. I could have just as easily made it that if a user were to simply view my snippet that they would get infected as well. Once you allow javascript to be inserted into your app that are a number of things an attacker can do to manipulate your application.

Hopefully this small write up at least some what explains how web app worms get created and how simple they can be. Developers of major applications such as twitter need to better test and review code they have written. As one of my links points out a seventeen year old kid exploited the mighty twitter, just goes to show you how well major applications are focusing on their security. As a user I would never click on a link that you don’t trust and turn off javascript for web apps that don’t need javascript in the first place. If another worm pops up in twitter or facebook I won’t be sad.

Malware analysis tool, Capture-Bat

Wednesday, April 14th, 2010

The main purpose of this write up is to create a tutorial for running, installing, and analyzing results of Capture-Bat. I didn’t really want to name this article “Capture-Bat tutorial” because not everyone is familiar with the tool and what its used for. When it comes to analyzing malware there are a handful of tools that every analyst should have, Capture-Bat is one of those tools. Capture-Bat will monitor changes malware makes to your system so that you can effectively determine what the malware is attempting to do. Capture-Bat does a great job of eliminating noise and ignoring “regular” windows events. It is a behavioral analysis tool which means that it does not analyze the malware itself, it only monitors changes the malware makes to the windows system. In this article I hope to highlight the best way to use the tool and what options I always use when running the tool. Capture-Bat is a free tool which can be grabbed here. I’ll get into all the details later but whenever I run this tool I execute the following command right before I execute the malware.

C:\Program Files\Capture\CaptureBAT.exe -c -n -l c:\temp\output.txt

Below are what the options mean.

-c   capture any deleted or modified files

-n   capture network activity

-l   save output to a specified location (lowercase L)

Let’s walk through an example using the zipped up malware located here (password is “malware”). For the inexperienced keep in mind you’ll need to run this malware in a virtual machine environment that is not connected to a network. Now that you’ve downloaded the malware open up two command prompts in windows (Start > Programs > Accessories > Command prompt). In the first command prompt you’ll need to start up Capture-Bat with the command above. Once you run this command you should see the following.

C:\Program Files\Capture&gt;CaptureBAT.exe -c -n -l c:\temp\output.txt
Option: Collecting modified files
Option: Capturing network packets
Option: Logging system events to c:\temp\output.txt
Loaded kernel driver: CaptureProcessMonitor
Loaded kernel driver: CaptureRegistryMonitor
Loaded filter driver: CaptureFileMonitor
Creating network dumper
Loading network packet dumper
network adapter found: 192.168.94.130
---------------------------------------------------------

My output is going to c:\temp, you may have to create this directory before running the command. It looks like Capture-Bat is just sitting there but it’s actually monitoring changes to your system. It’s important to only run the malware while Capture-Bat is monitoring your system, if you launch another application it will muddy your output and you may not be able to tell it’s the malware making changes to your system or a benign application. Now that Capture-Bat is monitoring let’s go ahead run our malware. I’m a fan of running exe’s from the command line because you may get a more verbose output, so execute the command below to launch the malware.

C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe

After you execute the malware let Capture-Bat sit there and monitor events for about 30 seconds to one minute, after that time period simply go into the command prompt running Capture-Bat and type “control + c” to kill the Capture-Bat process. Next step is to open up our output.txt to see what the malware has done to the system, my output is below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
"12/4/2010 11:30:36.81","process","created","C:\WINDOWS\system32\cmd.exe","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.222","file","Write","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\temp\zcbgjy.bat"
"12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
"12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"
"12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet"
"12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"
"12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName"
"12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet"
"12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache"
"12/4/2010 11:30:37.300","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies"
"12/4/2010 11:30:37.347","process","created","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\cmd.exe"
"12/4/2010 11:30:37.378","process","created","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.331","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f04edc3-85c6-11de-af20-806d6172696f}\BaseClass"
"12/4/2010 11:30:37.347","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cb7e6034-4640-11df-b8d9-806d6172696f}\BaseClass"
"12/4/2010 11:30:37.347","registry","SetValueKey","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f04edc0-85c6-11de-af20-806d6172696f}\BaseClass"
"12/4/2010 11:30:37.347","file","Write","System","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.362","file","Write","System","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.362","file","Write","System","C:\WINDOWS\system32\spoolsvc.exe"
"12/4/2010 11:30:37.597","process","terminated","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\WINDOWS\system32\cmd.exe"
"12/4/2010 11:30:37.581","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:37.581","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:37.581","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:37.581","file","Delete","C:\WINDOWS\system32\cmd.exe","C:\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:37.581","file","Write","C:\WINDOWS\system32\cmd.exe","C:\Program Files\Capture\logs\deleted_files\C\temp\zcbgjy.bat"
"12/4/2010 11:30:37.597","file","Delete","C:\WINDOWS\system32\cmd.exe","C:\temp\zcbgjy.bat"
"12/4/2010 11:30:38.362","file","Write","System","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:38.472","file","Write","System","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:38.487","registry","SetValueKey","C:\WINDOWS\system32\spoolsvc.exe","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spooler SubSystem App"
"12/4/2010 11:30:39.472","file","Write","System","C:\Program Files\Capture\logs\deleted_files\C\temp\40033d8063564d1b3e4b41f1d5c9a31f.exe"
"12/4/2010 11:30:39.472","file","Write","System","C:\Program Files\Capture\logs\deleted_files\C\temp\zcbgjy.bat"

The first line is simply us executing the malware. Lines 2 – 4 is where the malware creates a file, an exe in this case, named spoolsvc.exe. Spoolsvc.exe doesn’t already exist on windows systems but spoolsv.exe does so the malware author is trying to be tricky in creating an exe that is very similar to what already exists on the system. It’s very important to note that spoolsvc.exe is not executed here but simply created, had it been executed you would have seen “process”,”created” as is seen in line one. Spoolsvc.exe is eventually executed on line 15. Line five is where a “.bat” file is created, for those that don’t know “.bat” files are windows batch scripts which contain a series of commands to be executed. Capture-Bat ends of saving this batch script which we will take a look at later. Lines 6 – 13 is where the malware is setting registry values. It appears that lines 6 – 11 are ensuring the “Local Intranet” has certain settings (see IE setting screen shot below) in internet explorer, this will allow internal connections to have a lower security setting than external connections.

My virtual machine is setup in a default and vulnerable setup, my registry values for lines 6 – 11 didn’t change after the malware was executed. Also I intentionally changed these settings before the malware executed but the malware failed to modify the registry so go figure. McAfee states that these settings are used to bypass firewalls? More information about internet explorer security settings and registry values can be found here. Also good information here about IE security zones. Lines 12 and 13 are modifying where temporary internet files and cookies are stored, in my case I didn’t notice a difference between before and after. Also I modified the default location where temporary internet files are located, the malware failed to change this location after execution so go figure once again. I haven’t contacted the developers of Capture-Bat but “SetValueKey” could also be used to query the registry? Either way the values stayed the same for me, it could have been that the malware authors wanted the registry settings for cache and cookies in a default state? Lines 14 – 15 are having cmd.exe execute the malware spoolsvc.exe. Lines 16 – 18 are setting a value in the registry. Once again these values did not change for me after the malware was executed and it appears that the value for BaseClass the value of “Driver” is default? I haven’t yet figured out why this piece of malware sets the value of BaseClass to driver but I have seen other malware perform these same actions. In lines 19 – 30 the malware and Capture-Bat delete and create certain files and processes so hopefully that output is clear to you. It gets interesting again on line 31. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ is the location of exe’s set to run when a user logs into the system. It is very common to see malware modify these registry values to have itself execute once the user logs into the system. In this case it only modified the Spooler SubSystem App value but it’s common to see it modify other values in that location. The last two lines of the output are Capture-Bat saving deleted files. So that’s a basic analysis of this malware. I only let the malware run for about 30 seconds so it may actually perform more actions than my output.

You may be wondering why the funny name for this particular piece of malware, 40033d8063564d1b3e4b41f1d5c9a31f.exe. The experienced will recognize the name as a MD5 hash, MD5 hashing is commonly used to uniquely identify malware or any exe for that matter. I will also google search the MD5 hash of the malware to see if anyone else has run across it. Turns out others have and Anubis has a good analysis of this malware as well. Anubis reports some of the same activities as we see in our output. You can also perform a hash search over at virus total, looks like other anti-virus vendors have signatures for this malware. For the uninformed virus total will query about 40 anti-virus vendors to see which ones have seen it before. I love malware analysis sites like Anubis and Virus Total but nothing beats performing analysis on a local system. For example we were able to capture the deleted batch script that the malware executed, below is the output of that batch script.

@echo off
:deleteagain
del /A:H /F 40033d8063564d1b3e4b41f1d5c9a31f.exe
del /F 40033d8063564d1b3e4b41f1d5c9a31f.exe
if exist 40033d8063564d1b3e4b41f1d5c9a31f.exe goto deleteagain
del zcbgjy.bat

Granted the batch script is lame, it’s a very basic script that deletes the malware and deletes itself but the batch script could have contained a lot of useful information. All deleted or modified files that Capture-Bat sees are located in the following directory.

C:\Program Files\Capture\logs

Below is a screen shot of my deleted files for this malware.

Don’t forget that Capture-Bat collects pcap’s during the analysis under the same directory as the deleted malware, see screen shot below.

From a quick google search it doesn’t look like that memehehz.info has a great reputation. It could be that memehehz.info is a malware site or it could be that memehehz.info got infected with malware itself. The malware analyzed here isn’t the most recent malware I simply wanted to walk you through an example and how Capture-Bat can help you in the analysis of what the malware is trying to do. When it comes to analyzing malware I wouldn’t say only the tip of the iceberg has been analyzed but there is definitely more to cover. My main goal was to get others familiar with good malware analysis tools such as Capture-Bat so that they may be better able to react and respond to malicious activity on their own networks. Hopefully this helped and as always if you have any feedback I’d love to hear it.

Nessus not free anymore :-(

Friday, May 23rd, 2008

Well that’s not entirely true, they will still offer the “engine” for free just not all of the plugins (maybe?). The current but soon to be old model had two types of subscriptions,

  1. Direct feed ($1,200 per year)
  2. Registered feed (free but plugins were 7 days old)

Come the end of July they will switch to a different model,

  1. Professional feed = Direct feed
  2. Home feed (only personal plugins, whatever that means?)

The press release was some what cryptic and I couldn’t decipher what exactly this “Home feed” will be. It could be all the plugins minus the compliance stuff but the proof is in the pudding.

So it’s a sad day but I guess we all knew this was coming. In fact I’m all for Tenable getting paid for their valuable service I just hope they don’t go the next step and raise the price of the plugins feed to something outrageous. I think $1,200 is a reasonable price especially is you’re an independent contractor like I used to be. Let’s just hope the “Professional feed” remains a reasonable price. Tenable could always introduce a 3rd tier geared towards large organizations to get even more capital, but maybe that won’t be necessary with their new model. If for some reason the 2 tier model doesn’t work I hope they will entertain the 3 tier model, I can only hope (cross fingers). They could be shooting themselves in the foot with this move, which is essentially shooting their user base in the foot as well.

I’m not a hater, I like love Nessus and think it’s bottom line the best vulnerability scanner on the market period. I remember not too long ago (~ 4 years?) when Nessus had around 1,000 plugins, now there are over 21,000 so they have definitely grown over the years. I hope this move will help them to keep growing, just don’t forget the little guy.

Defcon 15 videos released early

Thursday, September 6th, 2007

DefconA good friend of mine named Eric Jenko, who is also in web application security, sent me a link this morning to RoySAC’s blog that contains videos of Defcon 15. Now Defcon does release videos of their presentations but it does take them some time to do so. Luckily Carsten over at RoySAC is nice enough to rip these videos from DVD and share the content. I don’t know if this is legal or not but keep the open spirit Carsten.

Scan for Blank Admin Passwords without Commercial Software

Tuesday, August 7th, 2007

I’ve seen blank administrator passwords at every organization I’ve worked. Without fail there will be some user that manages to get a PC onto your network without setting a password. This type of scenario opens up Pandora’s box into the number of vectors that could be created. Once a malicious user has control over a machine on your network its essentially game over. So as someone with security and risk management in mind you want to periodically scan for such activity, but your organization isn’t gonna spring for some fancy tool. Luckily this task can be put into a windows script that can check for this condition, see the script below.

(more…)