Flayed surveillance outfit Hacking Team is telling customers to suspend running instances of its software after 400GB of its source code and internal data was stolen and posted online.…
Posted: 6 Jul 2015 | 9:02 pm
Posted: 6 Jul 2015 | 6:17 am
Everywhere I go it seems to be that “critical” systems are being attacked. Earlier this year people were talking about whether planes could be hacked. We’ve talked about whether smart grids can be hacked, too. Just a week or so ago, LOT Polish Airlines was almost completely grounded by a distributed denial-of-service (DDoS) attack.
In many cases, these critical systems turn out to have been built on off-the-shelf open-source software. Almost a decade ago, I said that open-source software was safer. While that’s turned out to be mostly true, more recent issues like Heartbleed and Shellshock have illustrated that open-source software has its own problems, too.
Non-technical people may ask: “Why did nobody spot these problems earlier? Are we software developers just too lazy? Did developers forget how to build secure applications?” Basically, they are asking the software community: how did we screw up so badly?
Developing secure code is hard under the best of circumstances, and unfortunately for many developers this has not been a priority. It’s one thing if a game or a browser turns out to be insecure, bad enough as that can be. It’s another thing if a SCADA device that’s part of a power plant fails. It’s another thing if a medical device is hacked and hurts a patient.
As smart devices become more and more prevalent and are used in critical situations, software developers will have to understand that they now have a greater responsibility to keep their software products safe. Regulators in the relevant industries may need to put in place new rules covering software security. Given how serious the consequences of bad software can be, this is not as crazy as it sounds.
Just as importantly, we need to decide what does need protecting and what needs to be online. For example, people keep saying: smart meters are safer and will help the power grid. That may be true, but what are the consequences? Who controls these devices? Who has access to this data?
If truly critical devices are going to be put online, they need to be properly secured. The software used must be developed with best practices and hardened to resist exploits. Testing using “black box” methods must also be in place to vet these critical systems against known vulnerabilities and attacks.
More and more critical systems will be connected in the near future. The software industry must behave responsibly in order to ensure that we do not repeat the security mistakes of the past – with more adverse consequences to society at large.
Posted: 3 Jul 2015 | 4:54 am
I got back from REcon 2015 a week ago and I’m well and truly over the jet lag at last. As usual, it was a great conference with many interesting talks and people. It is always great to meet other reverse engineers from all over the world and discuss new techniques, tools and research.
Tradition dictates that the event starts with training sessions, and I gave my usual four-day training on malware reverse engineering. During that time we covered all sorts of topics such as how to unpack/decrypt malware, analyze APT and so on.
I even got an award to mark 10 years of teaching the Reverse Engineering class at REcon. Time flies!
The conference was great. There were several interesting talks, more or less related to malware research. Here are the summaries of a few of them:
Introducing Dynamic IDA Enrichment framework (a.k.a DIE):
DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives researchers access to runtime values from within their standard disassembler screen.
As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.
With a click of a button, everything is accessible to the researcher: they can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more.
After the framework was explained, 3 live demos showed how to use the tool.
Another presentation covered research into the AnimalFarm operation as well as technical details of its various pieces of malware. It also highlighted connections between samples and technical hints regarding attribution.
The M/o/Vfuscator talk: based on a paper that proves that the x86 “mov” instruction is Turing complete, the M/o/Vfuscator takes source code and compiles it into a program that uses *only* mov instructions – no comparisons, no jumps, no math (and definitely no self-modifying-code cheating).
The talk demonstrated how it is possible to write programs with only mov instructions as a way to obfuscate code. I asked the author of the presentation to make a crackme using the obfuscator, which he kindly made.
Other interesting talks included:
You can find the full conference schedule at http://recon.cx/2015/schedule/
Slides and the videos from every talk will be uploaded soon on the REcon website.
See you next year at REcon 2016!
Posted: 1 Jul 2015 | 8:12 am
The latest version of Converter includes several new features which I’d like to highlight here:
Enhanced Range Search/Replace
The feature can be found by going to this menu item under Tools:
You can now add incrementers as a text replacement as seen in this graphic. Just add ^i if you want to start with 0 or ^I if you want to start with 1. If you check the “Keep Enclosed Contents” box, the “from” and “to” values will be included in the results (inclusive).
The other option is called “Keep Value From String… and To String…” which just keeps the in-between values.
New Hashing Algorithms
Added new hashing algorithms (credit: Karim Wafi) under the stats menu:
Convert Mixed Format
I moved the mixed format options from under the Format menu to its own form under the Tools menu. I included examples so you can understand what it’s used for.
I also added a “Mixed Entities to Hex” feature. There’s a button on the main screen called “Decode HTML” to decode HTML entities but if your input string has a mixture of HTML entities and other text, it fails. This feature will convert your input to hex then you can convert it back to text to get your results.
Microsoft Script Decoder
Microsoft Script Encoded strings are now being seen in the wild. I added a script encoder and decoder function in two places (credit: Jean-Luc Antoine and Shawn Stugart).
If you have a large file to convert, you can use the Convert Script File option by going here:
This is the form which allows you to choose an input file, output file, and option.
The input file you wish to decode must contain only the encoded script, which starts with #@~^… and ends with ^#~@.
If you have a short string to decode then you can use the Script Encoder/Decoder feature which is located under the Tools menu.
Just paste in the script and make sure it contains the starting and ending key values.
Deobfuscating “Sundown EK”
Now let’s use some of the features to deobfuscate “Sundown’s” landing pages. Here’s a look at exploit chain in Fiddler (credit: Kafeine):
The first file is the landing page which looks like this:
Paste that into Converter, choose Tools > Convert Mixed Format, click on the Mixed Entities to Hex option and click on Convert. To make things a bit easier, choose the “Percent” output format at the bottom. (This saves you from having to do a Format > Hex Format – % in the next step.)
Click on the “Copy Output to Input” button then click on the “Hex to Text” button. Almost done…you can see some hex values in there.
So click on the “Copy Output to Input” button then click on the “Unescape” button. Now we’re done.
Back to Fiddler…I chose the 10th item called “street4.php.htm”. Here’s what that looks like:
There are three scripts on this page. Two are encoded as “JScript.Encode” and the third as “VBScript.Encode”; however, it’s the same encoder. I did the first one above, so let me do the second.
Click on “Send Data to Main” then click on the “Unescape” button.
For the third script, let me paste that into its own file.
I make my selections and click Convert.
And we’re done!
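As an added example (not Converter's own code and not part of the original post), the three Converter steps used on the landing page above, Mixed Entities to Hex with the Percent output format, then Hex to Text, then Unescape, reproduced as plain Node.js functions. The sample page is constructed here from a harmless iframe so the script runs offline; it is not a real Sundown landing page, and the entity mix is generated with a small deterministic helper rather than copied from the kit.

```javascript
// Added example, not Converter's own code: the three steps applied to the
// Sundown landing page (Mixed Entities to Hex -> Hex to Text -> Unescape),
// written as plain Node.js functions. The sample page below is constructed
// from a harmless iframe, not taken from a real Sundown landing page.

const ENTITY_RE = /&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi;
// Only the named entities a landing page is likely to use (assumption).
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

function decodeEntity(entity) {
  const body = entity.slice(1, -1);
  if (/^#x/i.test(body)) return String.fromCodePoint(parseInt(body.slice(2), 16));
  if (body.startsWith('#')) return String.fromCodePoint(parseInt(body.slice(1), 10));
  const named = NAMED[body.toLowerCase()];
  return named === undefined ? entity : named;  // unknown names stay as they are
}

// Step 1, "Mixed Entities to Hex" with the "Percent" output format: decode each
// entity, leave literal characters alone, then emit every UTF-8 byte as %XX.
// Because everything becomes %XX, a mixture of entities and text is no problem.
function mixedEntitiesToPercent(input) {
  const text = input.replace(ENTITY_RE, (m) => decodeEntity(m));
  return Array.from(Buffer.from(text, 'utf8'),
    (b) => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Step 2, "Hex to Text": %XX bytes back to a string.
function percentToText(percent) {
  return decodeURIComponent(percent);
}

// Step 3, "Unescape": JavaScript-style %XX and %uXXXX sequences, as the
// browser's legacy unescape() would decode them inside the landing page script.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (m, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

function deobfuscateSundown(page) {
  return jsUnescape(percentToText(mixedEntitiesToPercent(page)));
}

function extractUrls(text) {
  return Array.from(text.matchAll(/https?:\/\/[^\s"'<>]+/g), (m) => m[0]);
}

// --- constructing the sample (the reverse of the steps above) ---
// Mimics the legacy escape(): A-Za-z0-9@*_+-./ pass through, the rest become %XX / %uXXXX.
function jsEscape(s) {
  return Array.from(s, (ch) => {
    const c = ch.codePointAt(0);
    if (/[A-Za-z0-9@*_+\-./]/.test(ch)) return ch;
    return c < 256 ? '%' + c.toString(16).toUpperCase().padStart(2, '0')
                   : '%u' + c.toString(16).toUpperCase().padStart(4, '0');
  }).join('');
}

// Replace a pseudo-random subset of characters with decimal or hex entities,
// the way the landing page mixed entities with literal text. Deterministic LCG
// so the constructed sample is reproducible.
function entityObfuscate(s, seed) {
  let state = seed >>> 0;
  const next = () => (state = (state * 1664525 + 1013904223) >>> 0) % 3;
  return Array.from(s, (ch) => {
    const k = next();
    if (k === 0) return '&#' + ch.codePointAt(0) + ';';
    if (k === 1) return '&#x' + ch.codePointAt(0).toString(16) + ';';
    return ch;
  }).join('');
}

const PAYLOAD = '<iframe src="http://example.invalid/street4.php" width="1" height="1"></iframe>';
const LANDING_SCRIPT = '<script>document.write(unescape("' + jsEscape(PAYLOAD) + '"))</script>';
const SAMPLE = entityObfuscate(LANDING_SCRIPT, 2015);   // what you would paste into Converter
const EXPECTED = '<script>document.write(unescape("' + PAYLOAD + '"))</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(SAMPLE.slice(0, 80) + '...');
  console.log(deobfuscateSundown(SAMPLE));
  console.log(extractUrls(deobfuscateSundown(SAMPLE)));
}
```

The intermediate percent step is what lets a single pass handle a page that mixes entities with literal text, which is exactly the case the “Decode HTML” button chokes on; once everything is %XX, the second and third steps are ordinary decoding.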
Here are the other changes/fixes that were made to Converter:
You can download Converter here. Thank you for your support!
Posted: 20 Jun 2015 | 7:52 pm
By: Eddie Lee and Jaime Blasco
Imagine if an authoritarian state had a tool to get private information about users visiting certain websites, including real names, mail addresses, sex, birthdays, phone numbers, etc. Imagine that even users that run TOR or VPN connections to bypass the tools that the authoritarian government uses to block and monitor these websites were exposed to this technique.
In this blog post we are going to describe a series of watering hole attacks that have been targeting NGO, Uyghur and Islamic websites since at least October 2013, with the most recent attack discovered a few days ago. We want to thank Sumayah Alrwais, a PhD student in the system security lab at Indiana University, for discovering and notifying us through RSA Labs about this latest watering hole attack affecting the Chinese website of an international NGO.
A Watering Hole is a technique where the attacker wants to target a particular group (company, industry, ethnic, etc). The attackers compromise websites used by the group and include malicious content that gets executed when users access the affected websites.
This is also not the first time we have documented cyber espionage campaigns targeting China’s Uyghur minority:
The latest attack that we are describing is a novel technique that we haven’t seen before with watering hole attacks. Let’s describe how it works:
When we started to write this blog post we weren’t going to publish the list of affected services; however, after doing a bit of research, we found the same vulnerabilities have been public since 2013! Details of the vulnerabilities are mentioned in a Chinese security blog as well as several Chinese forums.
To describe the severity of the issue, we are showing a list of Alexa ratings for the affected services and the personal data the attackers are able to steal:
The vulnerable site responds with the following content:
When the browser receives the data, it calls the renren_all callback function that prepares the personal data including sex, birthday, real name and user ID to be sent to an attacker-controlled server.
Implications to privacy and attribution
All of the Watering Holes that we have observed are targeting Chinese users visiting Uyghur or Islam-related websites or NGOs sympathetic to freedom of speech. It looks like this campaign has been targeting a very small group of people, and since there is no financial gain on collecting most of the leaked personal data, we can say that whoever is behind these attacks is looking to reveal the identity of the users visiting certain websites. Another point is that some of the affected websites are hosted outside of China, and the Great Firewall likely blocks some of those sites. According to The China Story Project, one of the main categories of foreign websites that was blocked in China was regarding “Web pages belonging to organizations that campaign against the Communist Party or that promote Tibetan and Uyghur causes or independence for Taiwan, as well as sites belonging to the banned religious organization Falun Gong.”
In general, the Great Firewall (GFW) is able to analyze and block traffic that is leaving China; however, this is not necessarily true when Chinese users run VPNs (Virtual Private Networks) or TOR. In these cases, the GFW doesn’t have full visibility into the traffic that goes through VPNs or TOR. When plaintext traffic comes out of VPNs or TOR endpoints, the GFW doesn’t know the real IP address of the user that is visiting a specific website.
Now imagine that the Chinese government wants to know the real identities of individuals visiting certain websites that are sympathetic to certain causes, people who are exiled, or specific people living abroad even when they use TOR or VPNs. In the scenario we have described, this is a reality and has been happening since 2013. Even if the only data the attackers can obtain is a user ID for a specific website, this information can be used to pinpoint targets for espionage within the GFW.
First of all, the affected sites (Baidu, Taobao, etc.) should fix the JSONP hijacking vulnerabilities. There are several ways to do this:
- Include a random, session-bound value in all JSONP requests and reject requests that lack it (this also works to prevent CSRF attacks)
- Use CORS instead of JSONP
- Don’t include private/user data in JSONP responses
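As an added example, not AlienVault's code and not code from any of the affected services, the endpoint behaviour described above simulated in Node.js: the vulnerable JSONP response that wraps private data in the renren_all callback, the same endpoint with the first two fixes applied, and the watering-hole page that pulls the response in with a script tag. The site name, cookie, token and user record are constructed.

```javascript
// Added example, not AlienVault's or any affected site's code: a JSONP
// endpoint simulated in three forms (vulnerable, token-protected, replaced by
// CORS + JSON) and the watering-hole page that loads it with a <script> tag.
// Site name, cookie, token and user record are constructed.

// The victim's logged-in session at the social-network site.
const SESSION = {
  cookie: 'sid=0123456789abcdef',   // the browser attaches it to cross-site <script> loads too
  token: 'c0ffee1234',              // random per-session value known only to the site's own pages
  user: { id: 1234, name: 'Alice Example', sex: 'F', birthday: '1990-01-01' },
};
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;   // JSONP callback names must be plain identifiers

// Vulnerable: the only authentication is the ambient cookie, and private data
// is wrapped in whatever callback the requester named.
function vulnerableJsonp(query, cookie) {
  const cb = query.callback || 'renren_all';
  if (cookie !== SESSION.cookie) return `${cb}(null)`;
  return `${cb}(${JSON.stringify(SESSION.user)})`;
}

// Fix 1: a random value bound to the session must accompany every request
// (the same defence that stops CSRF). The watering-hole page cannot read
// the token, so its request fails even though the cookie was attached.
function tokenJsonp(query, cookie) {
  const cb = CALLBACK_RE.test(query.callback || '') ? query.callback : 'renren_all';
  if (cookie !== SESSION.cookie || query.token !== SESSION.token) return `${cb}(null)`;
  return `${cb}(${JSON.stringify(SESSION.user)})`;
}

// Fix 2: no JSONP at all. Plain JSON is not executable by a <script> tag, and
// the browser only exposes the body to XMLHttpRequest callers whose origin the
// server allow-lists via CORS.
const ALLOWED_ORIGINS = new Set(['https://www.social.invalid']);
function corsJson(origin, cookie) {
  const headers = { 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff' };
  if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  }
  const body = cookie === SESSION.cookie ? JSON.stringify(SESSION.user) : 'null';
  return { status: 200, headers, body };
}

// The watering-hole page does <script src="https://social/...?callback=renren_all">.
// The response executes inside the attacker's page, where renren_all is the
// attacker's own function that forwards the data to their server.
function wateringHole(responseBody, callbackName = 'renren_all') {
  const stolen = [];
  try {
    const script = new Function(callbackName, responseBody);  // stands in for <script> execution
    script((data) => { if (data) stolen.push(data); });       // stands in for the exfiltration request
  } catch (e) {
    // A bare JSON object is a syntax error as a script; nothing is leaked.
  }
  return stolen;
}

// XMLHttpRequest from the attacker's origin: the browser withholds the body
// unless Access-Control-Allow-Origin names that origin.
function crossOriginXhrRead(origin, response) {
  return response.headers['Access-Control-Allow-Origin'] === origin ? response.body : null;
}

if (typeof require !== 'undefined' && require.main === module) {
  const attacker = 'https://watering-hole.invalid';
  console.log('vulnerable JSONP :', wateringHole(vulnerableJsonp({ callback: 'renren_all' }, SESSION.cookie)));
  console.log('token JSONP      :', wateringHole(tokenJsonp({ callback: 'renren_all' }, SESSION.cookie)));
  console.log('CORS + JSON      :', wateringHole(corsJson(attacker, SESSION.cookie).body),
              crossOriginXhrRead(attacker, corsJson(attacker, SESSION.cookie)));
}
```

The point the simulation makes is that the cookie alone proves nothing about who asked: the browser sends it for a script tag on the watering-hole page just as it would for the site's own pages. Either the request must carry something the third-party page cannot obtain (the token), or the response must be in a form a script tag cannot consume (plain JSON behind CORS).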
The recommendation for users is be vigilant and follow best practices when browsing the Web, especially if you live in an authoritarian country or you are worried about being tracked. For example, do not browse sensitive websites after logging into another website - even in a different tab or window.
It is really important to understand the differences between anonymity and privacy. For instance, if you are using TOR or a VPN service that encrypts your communications, it is going to give you a certain level of privacy, but your anonymity is still at risk. Anonymity is the idea of being “non-identifiable” or un-trackable, but as we have described in this blog post it is hard to remain anonymous if you are using services where you have revealed personal information and you browse other sites that can exploit vulnerabilities to access your personal information.
We would like to thank Citizen Lab for helping us with victim notification. We also want to point out that every Tor user should be using the Tor Browser, which is better suited to browsing the web and helps prevent this kind of attack and other privacy-related issues.
Posted: 11 Jun 2015 | 11:54 am
|Exploit Pack Table Update 20|
|Click to view or download from Google Apps|
|Gong Da / GonDad||Redkit 2.2||x2o (Redkit Light)||Fiesta (=Neosploit)||Cool Styxy||DotkaChef|
|Angler||FlashPack = SafePack||White Lotus||Magnitude (Popads)||Nuclear 3.x||Sweet Orange|
|CK||HiMan||Neutrino||Blackhole (last)||Grandsoft||Private EK|
|CVE-2012-4792*||CVE-2013-2465||CVE-2013-2465*||and + all or some||CVE-2013-2423||CVE-2013-1347|
|CVE-2013-0634||* switch 2463*<>2465*||from the previous||CVE-2013-2423|
|CVE-2013-3897||Possibly + exploits||version||CVE-2013-2460|
|* removed||from the previous|
|Sakura 1.x||LightsOut||Glazunov||Rawin||Flimkit||Cool EK (Kore-sh)||Kore (formerly Sibhost)|
|and + all or some||CVE-2013-1690||CVE-2013-2423||CVE-2013-2471||CVE-2013-2463|
|from the previous|
|Styx 4.0||Cool||Topic EK||Nice EK|
|CVE-2013-2423||and + all or some|
|CVE-2013-2463||from the previous|
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
If you find any errors or CVE information for packs not featured, please send it to my email (in my profile above; thank you very much).
- Blackhole 1.2.1 (Java Rhino added, weaker Java exploits removed)
- Blackhole 1.2.1 (Java Skyline added)
- Sakura Exploit Pack 1.0 (new kid on the block, private pack)
- Phoenix 2.8. mini (condensed version of 2.7)
- Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
|Merry Christmas Pack|
read analysis at
read analysis at
|Sava Pack |
read analysis at
Old (2009), added just for
|Zero Pack |
62 exploits from various packs (mostly Open Source pack)
LinuQ pack is a PhpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered to be original, unique, new, or anything special. All of the exploits are public and well known.
It is designed to be installed on an IRC server (such as UnrealIRCd). IP ranges listed in bios.txt are scanned, vulnerable IPs and the specific PMA vulnerabilities are written to vuln.txt, and then the corresponding exploits can be launched against the vulnerable servers. It is more like a bot using PMA vulnerabilities than an exploit pack.
It is using
Go1Pack (not included) was reported as being a fake pack; here is its GUI. Here is a Threatpost article referencing it as used in an attack.
- Eleonore 1.6.4
- Eleonore 1.6.3a
Posted: 12 May 2015 | 9:05 pm
On 24/04/15 At 12:37 PM
Posted: 24 Apr 2015 | 1:37 am
A few days ago Admiral Mike Rogers, director of the NSA and Commander of U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear: CYBER-RESILIENCY. He discussed the impractical reactions typical of cyber intrusions today. After an attack, a network may temporarily shut down and operations cease, in government and private sector organizations alike. Both the Admiral and we here at Cyber Engineering Services believe this is an unnecessary and damaging response.
The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.
Accepting this can be a hard pill for companies to swallow, as it is natural to want to put an end to all intrusions and data loss. However, accepting the problem doesn’t change its nature; it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining that the government alone is not going to conquer this problem; the private sector needs to step up to the plate and get realistic and proactive.
At Cyber Engineering Services we are very excited to see key individuals in the cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moment’s notice. We are ready to do our part in the cyber-resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.
If you’d like to read more of the Admiral’s message, see the link below to a summary written by Mike Donohue.
Posted: 19 Sep 2014 | 2:46 pm