This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Following the Trail: Determining the Origins of Linux/Bckdr-RKC

It is already known that the two Linux/Bckdr-RKC variants I have received have both been hosted by 216.83.44.229.  Furthermore, the first variant had a phone-home address of 216.83.44.226.

Both of these IP addresses are registered to the netblock owned by WIRELESS-ALARM.COM (not to be confused with the actual website wireless-alarm.com, which is registered to a different contact completely, and unrelated here).

Let's use what we already know to try to find the organization responsible for this malware.

Chinese Origins in .ssyslog Decompiled - Linux/Bckdr-RKC and Hutizu

I have partially decompiled the second piece of malware which was similar to the original Linux/Bckdr-RKC dropped on my honeypot.

Update: .ssyslog is now detected as "Hutizu".

I am publicly posting the first section of this file to highlight my findings so far...

Update: The full decompiled source of both pieces of malware is now available at Google Code

The first part of this decompiled code which really stood out was a clear marker that this malware is definitely of Chinese origin.  This snippet of code is from the following function:
int autoupdate(char* url_address, char* local_to_file)
Code:

L0805FF50(&_v3660, "GET /%s HTTP/1.1\nAccept: */*\nAccept-Language: zh-cn\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\nHost: %s:%d\nConnection: Close\n\n", &_v2380);
The "Accept-Language" of zh-cn represents Traditional Chinese as the desired web browser language.

This means the malware in question was most likely programmed by a native speaker of Chinese.  Add to this the fact that the malware is hosted by a fake corporation in China, and that the previous version of this malware also phoned home to the same fake corporation, and this all becomes very interesting.
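Pulling hard-coded request templates like this one out of a strings dump is a quick triage step. The following is an added example (not code from the original post or from the malware) that scans a constructed sample of strings output, mimicking what strings would return for the unpacked .ssyslog binary, for HTTP request templates and reports the Accept-Language tags they carry.

```python
import re

# Constructed sample, standing in for `strings` output from the unpacked
# .ssyslog binary. The HTTP lines mirror the format string quoted from the
# decompiled autoupdate() function; the other lines are made-up filler.
SAMPLE_STRINGS = """\
/lib/ld-linux.so.2
__gmon_start__
GET /%s HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: %s:%d
Connection: Close
/etc/.xsyslog
ps x
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")
FORMAT_SPEC = re.compile(r"%[-0-9.]*[sdux]")


def extract_http_templates(strings_text):
    """Find HTTP request templates in a strings dump.

    A template starts at a request line and collects the header lines that
    immediately follow it; the first non-header line ends it. printf-style
    specifiers (%s, %d) show which fields the binary fills in at runtime.
    """
    lines = strings_text.splitlines()
    templates = []
    i = 0
    while i < len(lines):
        m = REQUEST_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        tmpl = {"method": m.group(1), "path": m.group(2), "headers": {}}
        i += 1
        while i < len(lines):
            h = HEADER_LINE.match(lines[i])
            if not h:
                break
            tmpl["headers"][h.group(1)] = h.group(2)
            i += 1
        joined = tmpl["path"] + " " + " ".join(tmpl["headers"].values())
        tmpl["is_template"] = bool(FORMAT_SPEC.search(joined))
        templates.append(tmpl)
    return templates


def locale_hints(templates):
    """Collect Accept-Language tags hard-coded into request templates.

    A language tag baked into a binary reflects the author's build
    environment, so it is a soft attribution hint to weigh alongside the
    hosting and phone-home data, not proof on its own.
    """
    hints = []
    for t in templates:
        for name, value in t["headers"].items():
            if name.lower() == "accept-language":
                hints.extend(tag.strip().split(";")[0] for tag in value.split(","))
    return hints
```

The hard-coded User-Agent is just as useful on the network side: an "MSIE 5.01; Windows NT 5.0" user agent leaving a Linux host is anomalous and makes a good egress detection candidate.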

Here are a few other function names from this latest version:
  • copy_myself(const char* name)
  • autostart(const char* inser_to_file)
  • int SendSevMonitor()
  • int SendServerPack()
  • GetNetPackets(long long unsigned int* lNetOut, long long unsigned int* lPacketOut)
  • int moniter(char* host)
  • int udpflood(_Unknown_base* ThreadData)
  • int synflood(_Unknown_base* ThreadData)
  • int synbigpacket(_Unknown_base* ThreadData)
  • int ackflood(_Unknown_base* ThreadData)
  • int ackbigpacket(_Unknown_base* ThreadData)
  • GetStructureDnsPacket(char* QueryDomain, char* QueryData, int* nQueryData)
  • int dnsflood(_Unknown_base* ThreadData)
  • int more_ip_dns_test(_Unknown_base* ThreadData)
  • int autoupdate(char* url_address, char* local_to_file)
  • int get_online_ip(char* domain, char* return_ip)
  • int parse_dns_response(char* return_ip)
  • parse_dns_name(unsigned char* chunk, unsigned char* ptr, char* out, int* len)
  • send_dns_request(const char* dns_name)
  • connect_to_server()
Make no mistake, this malware is clearly designed to perform reconnaissance on internal networks and disrupt communications when instructed to do so by the command and control server.

The malware has self-replication and automatic update capabilities.

I find this malware very disturbing.

What I find even more disturbing is the fact that since my submission of this malware to antivirus vendors, with the exception of Avira who believes this file is clean, none of the antivirus vendors have completed their analysis.

These two pieces of malware seem very professionally crafted with a clear purpose - to serve as a "cyber weapon".

Protect Insider Data By Googling First, Often

Dark Reading has an excellent article called "Protect Insider Data By Googling First, Often".  The summary of the article states:
Sensitive company data is often leaked via Google, Bing, and other search engines -- find it before the bad guys can
Sound advice, and an excellent example of why it's important to set up Google Alerts to monitor for privacy breaches, as I described in a previous post.

Anonymous: Friend or Foe?


Is Anonymous a force for good, or just another threat online? This video has been posted in response to the Stratfor hacking incident.

How to Get a Cyber Security or Information Assurance Job

So, you've decided you want to start working in the security field?

Where do you start?

First, develop a plan and some career goals.  Do you want to just be a tech all your life, or do you want to eventually become a manager?  What interests you?  Do you want to know how to protect networks and computers, or do you want to analyze malware and perform penetration testing?

There are many paths available to you.  This is a brief guide on what to do and how to get the job you want.

Woman Gives Birth to Three Plates

Just saw this email in the "funsec" mailing list:

Hello,

My name is Mrs Yetunde Owolabi from Republic of Benin, I gave birth to three plates, 3 children at a time after the death my husband on 18th of June 2011 by auto car
accident. Already we have received 5 children from God, right now I can't take care of them so I have decided to give them out for adoption, if you are interested let me know, I am not selling them but you will only pay for adoption fees to the ministry in concern and the Lawyer will legalized all the relevant documents and the baby will become legally yours.

Thanks,

Mrs. Yetunde Owolabi
You read that right.  She gave birth to 3 plates.

I really wish I had her email address, as I would be very impressed if she could provide some pictures of these plates.

Linux/Bckdr-RKC: A New Variant Appears

Someone was busy this Christmas.

A new variant of Linux/Bckdr-RKC has been placed on my honeypot.

Unfortunately Sophos' existing detection does not catch this variant, so I've sent it back to them for analysis.

I have posted the strings from the unpacked malware, as well as a diff between the strings of the old version and new version.

I will post updates as I can.

Protect Your Family While Using Social Media

Cyberbullying and sexual predators are an ever increasing threat online, especially with social media sites like Facebook. See how to protect your children with this great informational video!




Linux/Bckdr-RKC Initial Analysis

A malicious user dropped off a VERY interesting piece of malware on my honeypot today with the filename ".xsyslog".

This piece of malware was previously undetected, and many kudos to Sophos for being the first to confirm my findings that the software was malicious.

So far, I have been able to determine the following:

This is a UPX packed Linux ELF which appears to have been around since late November 2011, according to internet searches.



The malware is installed on a compromised system after cracking an SSH server's root password, in the path /etc/.xsyslog

The malware is downloaded from an IP address which appears to be hosted in Hong Kong by a fake corporation: 216.83.44.229 port 99

It phones home to an IP address which appears to be hosted by the same fake corporation: 216.83.44.226 port 81

I have uploaded all relevant strings within the unpacked file to Pastebin.

I will provide additional details as I find/receive them.  This malware has been forwarded to US-CERT, as well as multiple anti-virus vendors.

Track current AV coverage at http://md5.virscan.org/58c23ca549c941f0d44b35fa31d77011

Related Reading:
Sophos Whitepaper Protection for Mac and Linux Computers: Genuine Need or Nice to Have?

New Resource: Threat Watch

The "bad guys" never sleep.

I'm happy to announce that now even when I'm sleeping, my blog will be able to bring up-to-date news alerts relevant to computer security.

Check out the Threat Watch page today!

Insider Threats and Data Loss Prevention

One of the biggest challenges many organizations face is how to deal with the insider threat.

A common means of attempting to control insider threats is through Data Loss Prevention software.

Unfortunately, there is no one clearly superior method for implementing Data Loss Prevention.

I'm happy to offer to my readers a free research report on different Data Loss Prevention techniques from the Aberdeen Group.

The ideal approach to security and compliance is like the ideal referee: one that makes good calls and enforces the rules regarding safety and fair play, but generally doesn't get in the way of the people playing the game. In its fifth annual study on best practices in data loss prevention (DLP), Aberdeen analyzed and compared the results from more than 600 organizations which have adopted one of four distinct approaches to the operational use of DLP technologies. The best approach, in terms of balancing enterprise risk and reward, is like the children's fairy tale of Goldilocks and the Three Bears: the bed we choose to lie in should be neither too soft (Do Nothing, Monitor / Notify), nor too hard (Stop / Go), but just right (Adapt / Protect).

Access Your Complimentary Copy Today. This $399 Value Offer Expires 01/09/2012

Holiday Computer Essentials CD

The holidays are here again.  A wonderful time to eat too much, exchange presents, and secure your family's computer systems.

Each year IT professionals travel to relatives' houses, and are called upon as free tech support to remove the latest virus infections.

It helps if you have a CD-R burned and ready to go, so that you can properly clean and secure your family's computer systems.

So what should you include on your "holiday disaster recovery" CD? Fortunately you can assemble such a CD at no cost to you.


Iran, a Lost Drone, and a Computer Virus - Lessons to be Learned

Did a computer virus infection result in Iran acquiring a United States recon drone?

In October, the major news outlets announced that the piloting systems used by unmanned recon drones in Afghanistan and other nearby countries were compromised by a virus capable of recording keystrokes or user authentication information.  The Air Force followed up with a press release stating that this virus was only a credential stealer, was not designed to transmit or corrupt data, that the systems were completely disconnected from the internet, and that the malware was introduced through removable media.

Free Subscription to Security Magazine

I'm happy to provide my blog readers a chance to get a free subscription to the print or digital versions of Security magazine, which focuses on ways to apply technology and services to solve security problems.

Security magazine reaches 35,000 security end-user and integrator subscribers in government, healthcare, education, airports, seaports, transportation, distribution, utilities, retail, industrial, financial, hospitality / entertainment, construction, industrial/manufacturing and other markets.

Sign up today!

Mystery Malware: An echo powered DDoS Script?

Christmas came early today, and a hacker dropped off a present...a piece of mystery malware.

This piece of malware was dropped onto my Linux honeypot simply named "DDoser".

The file has a 0% detection rate.  Interesting.


This appears to simply be a Linux/UNIX shell script.

It starts with the following line repeated multiple times:

echo "2e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f62e61e112030709378914f8280fd09f6"

And ends with the following lines:
clear
echo
echo "**********************************************"
echo "The Installation Of D3v1Lz T34m Ddoser"
echo "Should Be Running Now On D3v1Lz Ircds"
echo
echo "Make Sure That Ddoser Is Running - Use This Command:"
echo "ps x"
echo
echo "If You See 'addict' Listed, Then It's Running."
echo "You Can Then Fuck Ips Randomly On Your Botnets."
echo "**********************************************"
echo
echo "Enjoy Our Best Services At WebShells Co. , For More"
echo "Info Contact Us On Tech@WShells.Ws Or Call Us On 03-50 12 10"
echo "More Info About Script: Chadi@WShells.Ws"
exit 0
fi
An echo powered DDoS script?  That doesn't make sense...
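As an added example (not part of the original post), here is a small triage helper that separates echo noise from the commands a script would actually run. The sample script is constructed to mirror the shape described above, with placeholder hex and contact values, and the unbalanced fi at the end is the tell that the visible tail is only a fragment of a larger installer.

```python
import re
from collections import Counter

# Constructed sample reproducing the shape of the "DDoser" script described
# above: a run of identical echo lines, an installer banner, exit 0 and a
# dangling fi. The hex string and the contact address are placeholders.
SAMPLE_SCRIPT = "\n".join(
    ['echo "0123456789abcdef0123456789abcdef"'] * 6
    + [
        "clear",
        "echo",
        'echo "**********************************************"',
        'echo "The Installation Of EXAMPLE Ddoser"',
        'echo "Make Sure That Ddoser Is Running - Use This Command:"',
        'echo "ps x"',
        'echo "Info Contact Us On tech@example.invalid"',
        "exit 0",
        "fi",
    ]
) + "\n"

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage_shell_script(text):
    """Separate display noise from executable logic in a shell script.

    Returns how many lines are echo statements (and how many are exact
    repeats of the single most common one), the non-echo commands in order,
    any e-mail addresses shown to the operator, and whether if/fi pairing is
    balanced. A `fi` without a matching `if` means the visible portion is a
    fragment: the branching that decides what really runs sits earlier.
    """
    echo_lines = []
    other = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "echo":
            # `echo "ps x"` only displays the command; it never runs it.
            echo_lines.append(line)
        else:
            other.append(line)
    most_common = Counter(echo_lines).most_common(1)
    ifs = sum(1 for l in other if l.split()[0] == "if")
    fis = sum(1 for l in other if l.split()[0] == "fi")
    return {
        "echo_lines": len(echo_lines),
        "most_repeated_echo": most_common[0][1] if most_common else 0,
        "other_commands": other,
        "emails": sorted(set(EMAIL.findall(text))),
        "if_fi_balanced": ifs == fis,
    }
```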


Introducing Caffeine Security Secure Firefox!

I'm proud to announce I have completed my Secure Firefox add-on.

Make your Firefox browser more secure! This add-on uses Defense Information Systems Agency guidelines to harden your browser from attackers. For maximum security, combine this add-on with other security related add-ons such as NoScript!

Download Now!

The (VERY) Unofficial Guide To Facebook Privacy

To fully understand the privacy of Facebook and how it's likely to evolve, you need to understand one thing...Facebook executives want everyone to be public.

As the service evolves, executives tend to favor our open access to information, meaning information you think is private will slowly become public, but that doesn't mean you can be private if you want to. Facebook gives its users the option to lock things down, but users need to be aware of their controls, how to use them and how to prepare for future Facebook privacy changes. Facebook has not and will not make information obvious, and that's where this guide comes in.

Get your copy today!

And please share this link with your friends and family, so they can better protect their privacy as well!

Misuse of Your Personal Information and Google Alerts

It's always a good idea to keep tabs on your online presence.  This can help prevent embarrassing situations, such as an ex-girlfriend posting all your dirty laundry for the world to see, or keep someone from stealing your identity, or using your name or address for fraudulent activities, resulting in the police knocking on YOUR door instead of theirs.

Here is an excellent example...

One of my former co-workers had a rather interesting event happen to him after moving into his new house... Someone was running a "women's retreat" business from his home address!

He found this out through randomly searching for his own home address using Google.

Apparently someone had set up an entire website for this fake business using the real estate listing information from his home before purchase.

Luckily, this site did not remain online for long, but things could have become really interesting if someone showed up with suitcases in hand expecting to spend a weekend at the "retreat" they already paid for in full...

A few other situations which could happen...
  • Someone decides to try to rent or sell your house without your knowledge
  • Someone posts your address for an "everything for free" event on Craigslist as a cover for looting your house
  • A former co-worker or client posts your personal information on an online bulletin board accusing you of something "bad", resulting in harassing phone calls from thousands of complete strangers
  • An online group such as Anonymous posts your name and address on bulletin boards to coordinate a "prank SWAT raid"
  • Your college or university accidentally publishes a list of student names and social security numbers
The above are very real situations which have occurred, and could possibly have been avoided (or at least detected with some warning) if only the victim had regularly checked the internet for their personal information.

So how can you protect yourself from these situations?


Free IT Security Magazines and Whitepapers from TradePub

Caffeine Security has joined forces with TradePub.com to offer you a new, exciting, and entirely free professional resource. Visit http://caffinesecurity-blogspot.tradepub.com today to browse our selection of complimentary Industry magazines, white papers, webinars, podcasts, and more across 34 industry sectors. No credit cards, coupons, or promo codes required. Try it today!


We are pleased to offer you this exciting, new, and entirely free professional resource. Visit our Free Industry resource center today to browse our selection of 600+ complimentary Industry magazines, white papers, webinars, podcasts, and more. Get popular titles including:

It's Time to Think Differently About Access and Data Center Networks!
Cloud First IT: Managing a Growing Network of SaaS Applications
Busting the Myth of Email Encryption Complexity

No credit cards, coupons, or promo codes required. Try it today!

See who's trying to hack your Facebook profile!

Many links claim to let you see who's "stalking" you on Facebook.  This link claims to let you see who's trying to HACK your Facebook profile!

http://bit.ly/vXjiBw

Were you brought to this blog post by a shortened link on Facebook? Why did you click that?

Haven't we learned yet not to click on strange links?

After all these years, users are STILL being infected with malware and helping to propagate it by clicking on links they shouldn't. (And yes, that link is safe)


URL shorteners such as bit.ly can be very conveniently used to hide malicious links.

Here's a little trick to help keep you safer.

There are actually URL "unshorteners" such as UnFwd4Me and Unshorten.com which will reveal the true address of a shortened URL.

So, now that your security awareness has been raised, please, share this link with others by copying the text below, and help them raise their security awareness as well!  To be more effective, please turn the URL preview OFF.


See who's trying to hack your Facebook profile! http://bit.ly/vXjiBw


Related Reading:

Protecting electronic devices from an EMP attack

Today one of my articles has been featured as a guest post at ModernSurvivalOnline.

The topic of the article is "Protecting electronic devices from an EMP attack", a very informative how-to guide.

Please visit ModernSurvivalOnline.com to read the article. Thanks!

If ET were a Hacker, he would just try to phone home...

Up until now, all of the honeypot compromises I've logged have simply been attempts to propagate network scanning and IRC bots.

Today's compromise was a little different.

It started off with a regular SSH dictionary crack attempt which ultimately succeeded.


11/16/11 is American Internet Censorship Day

Reposted from SecLists.org

On 11/16/2011, Congress holds hearings on the first American Internet censorship system.

This bill can pass. If it does, the Internet and free speech will never be the same. I'm afraid InfoSec News will be forced offline. If you are in the U.S., please visit the URL below and join the fight to stop SOPA!

Join all of us on the 16th to stop this bill.

http://americancensorship.org/

The Lottery Scam - Jeani's Story

Advance Fee Fraud scams don't always come through email.  This is a true story from a friend.

During the holiday season in 2008, Jeani received notification that she had won a lottery in Russia.  This notification was through postal mail, and included a $6,000 check.

The scam offered Jeani $25,000 in exchange for her cashing the $6,000 check and returning the money via Western Union within 24 hours.

Luckily Jeani suspected this was a scam.  Continue on to read the rest of her story...

BUSTED!

The password cracker script kiddies can't resist my picnic basket...

Today an attacker with an SSH brute force script accidentally "showed his hand" by connecting to my honeypot from his own system shortly after stopping his scan from his compromised system.

Unlike my previous, um, visitor, this attacker seems to have very few tricks up his sleeve.  He attempted to upload something to my honeypot through sftp.  Unsuccessful, he abandoned his attempts.

Today's "guest" is from Romania, and seems to prefer to scan using compromised systems in Germany to prevent his IP from being immediately reported for conducting port scans.

Much like other attackers, he shows that he is using his Windows system through the client version string "PuTTY-Release-0.53b".

A notification email has been sent to both ISPs to report the attacker, as well as his compromised system being used for scanning.


Original Log: Kippo-Mon 10172011.log

A look at the various advance fee fraud methods...

As part of my continuing "To Catch a Scammer" project, I've decided to begin analyzing various advance fee frauds.

Covered in this post:
Lottery/Contest Scam
Money Laundering Scam
Inheritance Donation Scam


Mystery Malware Examined

In a previous post, I looked inside a hacker's toolkit, and found two "mystery files", "i" and "f".

Analysis of these files has revealed that these files were both Linux executables.

In addition to forwarding these files to AV vendors, I am analyzing these files myself.

Using decompile-it.com, I was able to retrieve source code for "i", and limited source for "f".


Netscape 8? Really?

I was browsing my demographics for target audience, and was VERY shocked by seeing Netscape 8 as one of the browsers someone was using to read this security blog.

The last update for Netscape 8 was in 2007...

I hate to imagine how many vulnerabilities that browser has.  I counted over 20 unpatched vulnerabilities at the SecurityFocus Vulnerability Database.

If you're the person visiting my blog using Netscape...please...upgrade.

What's in a hacker's toolkit?

An attacker recently gained access to my honeypot, and began uploading hack tools using wget.

While his hack tools did not actually infect anything, I retained a copy for evaluation, and even gained access to his FTP server which contained all of his tools.

The tools in this attacker's bag of tricks are quite interesting.




A look at a simple SSH probe and password crack

Here's an annotated look at how an attacker using a SSH password cracker compromises servers.


First the attacker probes to see if SSH is accepting connections.  Most likely the scanner also attempted to fingerprint the IP address to identify the operating system.  This is most likely an automated process on a compromised system.

2011-10-05 05:08:56-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:35868 (192.168.1.165:22) [session: 0]
2011-10-05 05:08:56-0400 [HoneyPotTransport,0,221.176.11.13] connection lost

Next the attacker begins attempting to crack the SSH password for the root user.  Once again these attempts are automated, and use a cracking tool which is based upon SSH-2.0-libssh-0.11.
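The following added example (not from the original post) parses Kippo log lines of this shape into sessions and tells an instant connect-and-drop probe apart from a password-guessing run. Session 0 is the probe quoted above; session 1 is a constructed brute-force session written in Kippo's login attempt line format with invented credentials, ports and timestamps.

```python
import re
from datetime import datetime

# Constructed sample log. Session 0 is the probe quoted in the post above;
# session 1 is an added, made-up password-guessing session in the same Kippo
# line shapes (its timestamps, credentials and source port are invented).
SAMPLE_LOG = """\
2011-10-05 05:08:56-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:35868 (192.168.1.165:22) [session: 0]
2011-10-05 05:08:56-0400 [HoneyPotTransport,0,221.176.11.13] connection lost
2011-10-05 05:09:02-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 221.176.11.13:35870 (192.168.1.165:22) [session: 1]
2011-10-05 05:09:03-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] login attempt [root/123456] failed
2011-10-05 05:09:04-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] login attempt [root/password] failed
2011-10-05 05:09:05-0400 [SSHService ssh-userauth on HoneyPotTransport,1,221.176.11.13] login attempt [root/toor] succeeded
2011-10-05 05:09:41-0400 [HoneyPotTransport,1,221.176.11.13] connection lost
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[-+]\d{4} "
NEW_CONN = re.compile(TS + r"\[.*?\] New connection: (?P<ip>[\d.]+):\d+ \(.*?\) \[session: (?P<sid>\d+)\]")
LOGIN = re.compile(TS + r"\[.*?HoneyPotTransport,(?P<sid>\d+),.*?\] login attempt "
                   r"\[(?P<user>[^/\]]+)/.*\] (?P<result>failed|succeeded)$")
LOST = re.compile(TS + r"\[HoneyPotTransport,(?P<sid>\d+),.*?\] connection lost")


def _t(stamp):
    # The UTC offset is dropped: Kippo writes every line in one local zone.
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def parse_sessions(log_text):
    """Group Kippo lines by session id ([session: N] and HoneyPotTransport,N)."""
    sessions = {}
    for line in log_text.splitlines():
        m = NEW_CONN.match(line)
        if m:
            sessions[m["sid"]] = {"ip": m["ip"], "start": _t(m["ts"]), "end": None,
                                  "attempts": 0, "users": set(), "succeeded": False}
            continue
        m = LOGIN.match(line)
        if m and m["sid"] in sessions:
            s = sessions[m["sid"]]
            s["attempts"] += 1
            s["users"].add(m["user"])
            if m["result"] == "succeeded":
                s["succeeded"] = True
            continue
        m = LOST.match(line)
        if m and m["sid"] in sessions:
            sessions[m["sid"]]["end"] = _t(m["ts"])
    return sessions


def classify(session, probe_window_s=2):
    """Label one session.

    probe: dropped within probe_window_s with no authentication attempt,
           the banner-grab / fingerprint pattern described above.
    brute-force: one or more failed guesses, none succeeded.
    brute-force-success: a guess succeeded; review what the session did next.
    """
    if session["attempts"] == 0:
        if session["end"] is not None and \
                (session["end"] - session["start"]).total_seconds() <= probe_window_s:
            return "probe"
        return "idle"
    return "brute-force-success" if session["succeeded"] else "brute-force"


def summarize_by_source(sessions):
    """Roll sessions up per source IP, the unit one reports to the owning ISP."""
    out = {}
    for s in sessions.values():
        rec = out.setdefault(s["ip"], {"sessions": 0, "probes": 0, "attempts": 0,
                                         "users": set(), "compromised": False})
        rec["sessions"] += 1
        rec["attempts"] += s["attempts"]
        rec["users"] |= s["users"]
        label = classify(s)
        if label == "probe":
            rec["probes"] += 1
        if label == "brute-force-success":
            rec["compromised"] = True
    return out
```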

Flash Drives: Helping Spread Malware since Y2K

Flash drives are an ever growing threat in the computer industry.  They are quickly becoming one of the most targeted infection methods for malware.
Does your organization have a policy to address the vulnerabilities associated with USB Flash Drives?

In this case, Dilbert says it best.

See Also: ENISA USB Flash Drive Whitepaper hosted by Sandisk

Ducati Motorcycle Default Password Vulnerability.

There's an interesting vulnerability writeup at osvdb.org detailing how to gain unauthorized access to a Ducati Motorcycle using the default ignition password.  Apparently by default the ignition password is set to the last 4 digits of the motorcycle's VIN.

Guide to Malicious Linux/Unix Commands

UbuntuGuide.org has an excellent guide to Malicious Linux/Unix Commands which may be observed on live systems or honeypots.

Not only is it a good idea to monitor logs for attempts at using these commands, but it may also be a good idea to test your honeypot (especially if it's a virtual machine) to see if these commands will damage/destroy your honeypot.

Below is a current copy of the guide.  It has already disappeared from the Ubuntu forums, so I felt it would be a good idea to archive it "just in case".


"Listening" to a Password Cracker

I used the P22.com Music Text Composition Generator to create music using attempted usernames and passwords I gathered during just one cracking attempt at my honeypot.  The music is recorded at 2400 BPM using Lead 8 (bass + lead).
I feel the music has an electrifying video game feel to it.  The purpose of this video is to raise online security awareness.  I hope you enjoy it!


YouTube Link

Solar Activity could cause severe issues

From http://www.spaceweather.com/

STRONG SOLAR ACTIVITY: Having already unleashed two X-flares since Sept. 22nd, sunspot AR1302 appears ready for more. The active region has a complex "beta-gamma-delta" magnetic field that harbors energy for strong M- and X-class eruptions. Flares from AR1302 will become increasingly geoeffective as the sunspot turns toward Earth in the days ahead.

Strong solar activity could potentially cause severe disruptions in power grids world-wide, should a solar storm be observed similar to the one from 1859, in which "Telegraph systems all over Europe and North America failed, in some cases even shocking telegraph operators. Telegraph pylons threw sparks and telegraph paper spontaneously caught fire."

More password analysis

As more passwords are processed by my honeypot, I've decided to publish the password list in "cloud" format in addition to the raw data.  I feel this visualization is rather insightful, and shows interesting trends in password attempts.

Password Cloud

Interestingly enough, the most attempted password is "branburica".  A Google Search does not yield much info.

Password Cracker Analysis

Well I'm excited to say that just after a day of running Project Picnic Basket, I've already had someone stumble upon my SSH server and crack the password.

This was clearly an unintelligent cracker, which kept trying to crack the password after successfully cracking it.

I have taken the passwords which were used in the cracking attempt and dumped them into a nice Google Docs spreadsheet: Project Picnic Basket Cracked Passwords

Is your password on there?

I will update the list as I receive more crack attempts.

Research Project - Project Picnic Basket

I've decided to start a second research project called Project Picnic Basket.

This is of course a reference to Yogi Bear's crazed attempts to obtain any and all picnic baskets.  I have set up an SSH honeypot with a weak root password.  The honeypot has no access to my internal network, and is actually a virtualized Linux system using Kippo.

I've also set up a spam honeypot on this blog site using Project Honey Pot.

I will post any interesting results as I get them.

Introducing the Scam Fund!

I have decided to begin tracking how much scammers are offering to "give" to me, and how much money in transaction fees are requested to obtain said funds.

Currently, I have been promised over 20 million US Dollars.

Please check out the Scam Fund page, which will be updated regularly.

Scam Fund

Anonymous Plans 'Day of Vengeance' to Protest Execution, Arrests

A massive cyber attack is planned for tomorrow, September 24.  If your business could be a possible target, you might want to review your Disaster Recovery and Continuity of Operations plans, and be ready to enact them this weekend...

From PCMag:
To avenge the Wednesday execution of Troy Davis, hacktivist group Anonymous has added the Atlanta Police Department to its list of targets for a nationwide cyber attack scheduled for this Saturday, September 24.
...
On Wednesday, Anonymous announced a "Day of Vengeance" starting at noon ET this Saturday, when aligned hackers would launch cyberattacks on targets like "Wall Street, corrupt banking institutions, and the New York City Police Department."


Read more at PCMag

Abandoning the Client-Server Model

Once every two weeks, I will try to write an in-depth blog post on an interesting topic within the security community.  My first topic is why the client-server model should be abandoned for antivirus and host intrusion detection/prevention.

It always seems that malware creators are one step ahead of the security community.  Their methods for deploying and updating sophisticated botnets seem to be ever evolving, while the security community lags behind in technology.


Research Project: To Catch a Scammer

My first featured research project on this site will be "To Catch a Scammer".  I'm sure you've heard of NBC's To Catch a Predator.

The idea behind this research project is to examine internet scams and frauds, such as Advance Fee Fraud aka Nigerian 419 scam, auction scams, stock scams, etc.

I am currently researching the techniques used by Advance Fee Fraud scammers.

Surely this will be filled with fun.  I'm already conversing with one of the scammers, and will be uploading some rather interesting findings soon.

Emergency Adobe Flash Patch Today

Good Morning!

Today we will be treated to an emergency patch for Adobe Flash.
Prenotification: Security Update for Flash Player

Keep an eye on Adobe's security bulletins page for the patch.

Apparently this patch will address zero-day vulnerabilities which are currently being exploited.

Happy Patching!

A little note on Password Strength

I've always wondered why organizations encourage such strict, hard to remember, password combinations, ultimately resulting in the user being forced to write down the password, making the password less secure.

xkcd, a web comic, defines the problem perfectly...xkcd: Password Strength

Welcome

Welcome to Caffeine Security. Here you will find a daily dose of interesting security articles, news clips, white papers, and research.

Computer Security...Cyber Security...Information Assurance...whatever you call it, you know the purpose. Protect computer systems and networks from pretty much everything, including malicious users, clueless users, and even mother nature herself!

Each day I will try to post one security-related news item.

At least once every other week I will be posting some of my thoughts and my own research in the computer security/cyber security/information assurance field.

So why Caffeine Security? Obviously we're not trying to protect the secret formula to our favorite soft drinks... but if you're like me, you probably consume large quantities of caffeine just to keep going in today's stressful security world.

Enjoy, and try to have a little fun!