Tuesday, July 1, 2014

OpenSSL CCS Attack

As you might guess from my posting frequency, the last few months have been pretty busy for me. My hacking team and I are working really hard and achieving incredible results, which makes me happy but really busy as well. The OpenSSL CCS Attack (CVE-2014-0224) is almost one month old and not super interesting to exploit so far, but since we gained great experience on that specific vulnerability I decided to "fix it" in my memory in the following way.

The CVE-2014-0224 bug has existed since the very first OpenSSL release, and this makes (at least to me) the whole story very fascinating. The issue basically happens because OpenSSL inappropriately accepts a ChangeCipherSpec (CCS) message during a handshake. The following picture shows the correct way to implement a full protocol handshake.

The bug starts if a ChangeCipherSpec message is injected after the ServerHello but before the master secret has been generated (ClientKeyExchange). At this point ssl3_do_change_cipher_spec generates the session keys and the expected Finished hash for the handshake with an empty master secret (implementation bug). Moreover, those keys are latched, because further ChangeCipherSpec messages regenerate the expected Finished hash but not new keys. The following image shows the injection time frame.



The buggy code is the following one (the numbered markers (1), (2) and (3) follow the above description):

int ssl3_do_change_cipher_spec(SSL *s)
    {
    int i;
    const char *sender;
    int slen;

    if (s->state & SSL_ST_ACCEPT)
        i=SSL3_CHANGE_CIPHER_SERVER_READ;
    else
        i=SSL3_CHANGE_CIPHER_CLIENT_READ;

    /* (1) the key block is only derived the first time a CCS arrives;
     * later CCS messages skip this block, so the first keys are latched */
    if (s->s3->tmp.key_block == NULL)
        {
        if (s->session == NULL)
            {
            /* might happen if dtls1_read_bytes() calls this */
            SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
            return (0);
            }

        s->session->cipher=s->s3->tmp.new_cipher;
        /* (2) nothing checks that the master secret exists yet, so an
         * early CCS derives the key block from an empty master secret */
        if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
        }

    if (!s->method->ssl3_enc->change_cipher_state(s,i))
        return(0);

    /* we have to record the message digest at
     * this point so we can get it before we read
     * the finished message */
    if (s->state & SSL_ST_CONNECT)
        {
        sender=s->method->ssl3_enc->server_finished_label;
        slen=s->method->ssl3_enc->server_finished_label_len;
        }
    else
        {
        sender=s->method->ssl3_enc->client_finished_label;
        slen=s->method->ssl3_enc->client_finished_label_len;
        }

    /* (3) the expected Finished hash is recomputed on every CCS */
    i = s->method->ssl3_enc->final_finish_mac(s,
        sender,slen,s->s3->tmp.peer_finish_md);
    if (i == 0)
        {
        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
        return 0;
        }
    s->s3->tmp.peer_finish_md_len = i;

    return(1);
    }

Fortunately a patch is available here and a simple Go tool to check for the presence of the bug is here. For more detailed information, please see this post and the original post.
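As an added example (not code from the page, from OpenSSL or from the linked tool), here is a small Python model of the sequence described above: the key block is derived from whatever master secret exists when the first CCS arrives and is never re-derived, while a hardened variant refuses a CCS until the master secret has been set. The Session fields, the ccs_ok flag and the hash-based key derivation are simplifications assumed for the model.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    """Constructed stand-in for the SSL* state the code above touches."""
    master_secret: bytes = b""              # empty until ClientKeyExchange is processed
    key_block: Optional[bytes] = None       # models s->s3->tmp.key_block
    peer_finish_md: Optional[bytes] = None  # models s->s3->tmp.peer_finish_md
    ccs_ok: bool = False                    # assumed flag: true only when a CCS is expected


def setup_key_block(master_secret: bytes) -> bytes:
    # Simplified stand-in for the TLS PRF: session keys depend on the master secret only.
    return hashlib.sha256(b"key expansion" + master_secret).digest()


def do_change_cipher_spec_vulnerable(s: Session) -> bool:
    """Models the pre-patch ssl3_do_change_cipher_spec: every CCS is processed."""
    if s.key_block is None:                             # (1) only the first CCS gets here
        s.key_block = setup_key_block(s.master_secret)  # (2) master secret may still be empty
    # (3) the expected Finished hash is recomputed on every CCS, the keys are not
    s.peer_finish_md = hashlib.sha256(b"finished" + s.master_secret).digest()
    return True


def do_change_cipher_spec_patched(s: Session) -> bool:
    """Hardened variant: reject a CCS that arrives before the master secret exists."""
    if not s.ccs_ok or not s.master_secret:
        return False                                    # treat as 'CCS received early'
    return do_change_cipher_spec_vulnerable(s)


def early_ccs_scenario(handler: Callable[[Session], bool]) -> dict:
    """Inject a CCS right after ServerHello, then let the handshake continue normally."""
    s = Session()
    accepted_early = handler(s)          # injected CCS, before ClientKeyExchange
    early_keys = s.key_block
    s.master_secret = hashlib.sha256(b"constructed premaster").digest()  # ClientKeyExchange done
    s.ccs_ok = True
    handler(s)                           # the legitimate CCS
    return {
        "accepted_early": accepted_early,
        "keys_latched": s.key_block == early_keys,
        "keys_from_empty_secret": s.key_block == setup_key_block(b""),
    }
```

With the vulnerable handler the scenario reports that the early CCS was accepted and that the final keys are still the ones derived from an empty master secret; with the patched handler the early CCS is refused and the keys come from the real master secret.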

Friday, May 16, 2014

MalControl Video

After the big success obtained by the MalControl open source software, people asked me to record a simple video to show how it's supposed to work. I used Screencast this time.

http://screencast.com/t/GGMH8q77F9a

This short, quick'n'dirty video shows how MalControl is supposed to work. Please refer to the original GitHub page (https://github.com/marcoramilli/malcontrol) for any need, ticket, request and so on. If you want to add your scraper and/or new frontend features, please email me; every contribution is welcome.

Friday, May 2, 2014

Say Hello to MalControl: Malware Control Monitor

Gathering open data from malware analysis websites is the main goal of the Malware Control Monitor project. Visualizing such data by synthesizing statistics that highlight where threats happen and what their impact is could be useful to identify malware propagation.

Open Data:

We currently scrape the following services:
  1. malwr
  2. phishtank
  3. urlquery
  4. virscan
  5. webinspector
If you are a malware scan provider and you would like to actively participate in the project by giving some of your data, please contact us; we'll be glad to add your service to our project. Each visualized threat comes with the original, 'clickable' URL pointing to the original report. The original report holds all the information specific to the threat.

Backend Structure:

A background node scrapes websites to grab malware information and fills up a mongod database. An API node serves the API used by the frontend layer. Public APIs are available; please read doc/index.html for the full list. If you are interested in developing a website scraper, take as an example one of the scrapers available in the scrapers folder. Each scraper must be a function 'goScraper' that ends up saving the scraped data to the db using the function saveMalwareToDB, respecting the db schema placed in the schemas folder.

Screen Shots:

Screenshots speak loudly :) The following image shows how MalControl geolocates malware and threats by grouping them by country. On the right side of the screen, graphs with a transparent gradient show trends and totals of the analyzed sources. The top two charts show the "top countries" spreading malware/threats.



The second pair of charts shows how many malware/threats per hour MalControl is able to capture. This feature gives an instant view of how the "malware world" is progressing. The last two charts show the totals of malware/threats coming from the scraped sources. If you are interested in adding a source (by writing a scraper), please make a pull request or contact us.


By drilling down into a specific malware/threat you will see the icons of the scraped sources. By clicking on such icons, a tooltip pops up with detailed information on the selected malware/threat. The information is source specific and might differ from source to source. The following image shows detailed information from PhishTank, which provides the malicious URL and the specific report.



Download and Contribute:

If you would like to download it, try it, run it at home or help us develop MalControl, a good place to start is the GitHub repository: https://github.com/marcoramilli/malcontrol

Super Important Note:

Everything is as it is: this project is still "under construction", and what you see on the GitHub repo is an early version of the full stack implementation. "Don't even think of using it in any production environment". Code might change, might be deleted and so on.

Monday, April 28, 2014

InfoSec London 2014

Just a quick note to my readers from London. I'll attend InfoSec London 2014; if you want to have a beer or share some "Security Thoughts" I'll be more than happy. Just drop me an email and I'll answer you shortly.

While I'll spend most of my time at Stand M96, I'll try to attend some of the following sessions:




Hope to meet you there!


Thursday, April 3, 2014

Malware Writers.

I am not used to reporting malware analyses made by "big security companies", since they are easy to find in plenty of media. Linking such reports on my blog is useless, because many of my readers would probably read those feeds before my blog. However, today I'd like to share a pretty nice article written by Symantec titled: Simple njRAT Fuels Nascent Middle East Cybercrime Scene. The described malware ("njRAT") is an old and simple malware already well described in reports 1009 and 1010 by General Dynamics. The malware can be traced back to a hacker team called "STTEAM" (2013), one of the latest born Middle East hacking teams. For the time being, the latest malware build and its own C&C can be found on the "official" njRAT website (high risk of infection on that site). Underground sources assert that one of the main .NET developers behind njRAT is called "Zehir" (zehirhacker@hotmail.com), already known for a revisited version of the ancient "asp shell".

Image taken from here.

Beside the technical notes -- if you are interested in the "bits and bytes" regarding this specific topic please refer to reports 1009 and 1010 by General Dynamics -- what is interesting about this malware is its geolocation. It has been developed in the Middle East and it is spreading across most of the Middle East and North Africa regions, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya, as the images show.
Quoting the Symantec report:
"The main reason for njRAT’s popularity in the Middle East and North Africa is a large online community providing support in the form of instructions and tutorials for the malware’s development. The malware’s author also appears to hail from the region. njRAT appears to have been written by a Kuwait-based individual who uses the Twitter handle @njq8. The account has been used to provide updates on when new versions of the malware are available to download."
I am deeply fascinated by the fast paradigm change in malware distribution. A few years ago malware writers would never make their email address and/or their Twitter account public, even fake ones; nowadays malware writers leave their signature on what they deliver without caring too much about identity protection. Thanks to their uncovered traces it is possible to profile them: where they are from, which programming language they prefer, what malware they have already written, what their favorite target is, what websites they read and so forth. From my personal point of view this behavior is due to the latest hiring fashion (namely: hire a hacker!) which makes hackers heroes. Let's think about it and about how fast the malware world is growing up.

Tuesday, April 1, 2014

Cloud Security: Infographics

In the last 2 years I've been working mostly with private companies. Since "computer security" is often not part of the company's main business (... in fact, for many companies computer security is just a kind of "utility" ...) because it belongs to a different, often not even digitalized, world, having a survey of what they think about "security" is always a welcome help. The following infographic, made by PerspecSys, is a nice, concise and good-looking survey of what 130 security professionals from the RSA conference think about Cloud Security in the companies they serve.


Cloud Security Opinion

Cloud Security graphic by PerspecSys

Saturday, March 8, 2014

Managing and Writing

Today I simply want to share in my diary a great picture of my working day (this picture is a screen capture of a double monitor running a project in nodejs). This picture represents an amazing security project finally ready for its first public release and ... the desire of writing "amazing code".


You will never have enough time to write the "perfect code" (whatever definition you give to "perfect code"). It doesn't matter if you are working with Agile programming, Extreme programming, RAD (Rapid Application Development), waterfall, prototype development or spiral development: the time you have to build your amazing applications will be money driven and so, quite often, you will need to deal with timing issues.
But the great news is that nobody wants you to write the perfect code. What you have to do is to improve your code step by step and write the best code for the time being.