IntSec Bulletin October 2014 | Volume - 7

Index

02 executive summary
03 in-transit encryption
05 mayhem
07 badUSB
09 windows 10 technical preview keylogger
12 bot based bruteforce ‘ylmf-pc’
14 about us

executive summary

Any organization, big or small, can be the target of a cyber-attack. Password-only protection is a weak form of authentication and is too risky. Also, with the adoption of cloud-based IT infrastructure, organizations are expected to secure what they don’t own, manage or control. Users want complete freedom to browse the web, not only when and how they like but also with devices of their own choice. Cyber criminals are taking advantage of today’s “any-to-any” world, where individuals use any device. The threats target every domain without discriminating by industry, business, size or country. Cyber criminals are constantly evolving new techniques to bypass security. “IntSec” is a special CCFIS monthly bulletin series on Internet security, based on research work done by the CCFIS team, which vigilantly watches all new advanced techniques and cyberspace threats.

As per a recent survey by a reputed research center, 50% of organizations had experienced at least one occurrence of economic crime in the last year. Such frauds lose billions of dollars. Those who commit fraud have become craftier and are launching more complex plans. However, according to professional and expert opinion, only a few organizations are responding to the growing threats by tightening up their controls and investing in fraud detection and prevention.

The “any-to-any” evolution already involves billions of Internet-connected devices and is expected to grow many-fold in the next few years. The IntSec Bulletin is a small step toward making our users aware of Internet security.

in-transit encryption
Vulnerability worse than Heartbleed and Shellshock

Cloud computing is the technology that has completely changed the way we use the Internet for personal and business purposes. From running a complete web application on a virtual server to backing up our personal files to online storage, we use cloud technology. Researchers have developed many encryption technologies to keep our files secure and encrypted on the cloud. But the issue we found in our CCFIS research labs is in the channel through which our files are sent. Unfortunately, our files are only encrypted once they reach the server, not in transit.

The biggest issue with this attack vector is that incredibly popular services like Dropbox and Google Drive, which are used for business as well as personal purposes, are vulnerable to this in-transit encryption gap. As per research conducted at CCFIS HQ, we found that data sent to these services is only encrypted once it is stored on the service, not in transit to the service.

In simpler words, the photos or files which you upload are not encrypted the moment they leave the system. Hence the data is not encrypted, and ultimately not protected, before it reaches the cloud, and a hacker with advanced knowledge of man-in-the-middle attacks or sniffing can steal this data.

There should be a mechanism for local encryption, encrypting the data before it leaves the system. But the challenge is that if the encryption algorithm is stored locally on systems, then hackers can reverse engineer it to generate the decryption algorithm, and again the encrypted data can be captured in transit and decrypted.

To resolve this issue, the CCFIS team has already started working on an open-source cloud-based encryption tool that will act as a middleman agent between cloud-based services and users. This tool will give users a GUI for uploading data to the cloud. The file will be automatically encrypted before leaving the system, and hence the data will be encrypted even during transit. The data will thus be protected during transit, and even if a user’s cloud storage is compromised, the data the attacker gets will be encrypted.
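As an added illustration (not CCFIS’s tool and not code from this bulletin), the following Go program shows the client-side step such a tool performs: the file is sealed with AES-256-GCM on the user’s machine before any upload, so the bytes that travel to the cloud and the bytes at rest on the service are both ciphertext, and any modification in transit is detected on download. The object name, the key handling and the sample contents are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Hypothetical layout of one stored object: nonce || ciphertext || GCM tag.
// The object name is bound as associated data so a ciphertext cannot be
// silently swapped between two stored objects without detection.

// newFileKey returns a fresh 256-bit key. In a real tool it would live in the
// user's keyring (or be derived from a user secret) and never be uploaded.
func newFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealForUpload encrypts plaintext with AES-256-GCM before it leaves the client.
// objectName is authenticated (but not encrypted) as associated data.
func sealForUpload(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce: nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openFromDownload reverses sealForUpload and rejects anything that was
// modified in transit or at rest (bad tag, wrong object name, truncated blob).
func openFromDownload(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key, err := newFileKey()
	if err != nil {
		panic(err)
	}
	plaintext := []byte("constructed sample: salary-sheet contents") // constructed file body
	blob, err := sealForUpload(key, "finance/salary.xlsx", plaintext) // hypothetical object name
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes, none of them plaintext\n", len(blob))

	got, err := openFromDownload(key, "finance/salary.xlsx", blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, plaintext))

	blob[len(blob)-1] ^= 0x01 // flip one bit, as an on-path tamperer might
	_, err = openFromDownload(key, "finance/salary.xlsx", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The security of this construction rests on the key alone; AES-GCM is a public algorithm, so reverse engineering the tool reveals nothing usable without the key. In practice the reverse-engineering concern raised above therefore becomes a key-management requirement: the key must stay in the user’s keyring or be derived from a user secret, and must never be uploaded beside the data.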

mayhem
Linux botnet 'Mayhem' spreads through Shellshock exploits

We all know about Shellshock, a bug that is game over for any Linux user. The Shellshock bug was discovered recently and left many systems and servers vulnerable.

Earlier in 2014, when we deployed our Advance Threat Protection Sensor (ATP Sensor), which captures malware and attacks at different national as well as international locations, we captured a sophisticated malware called Mayhem. After malware analysis and reverse engineering, our malware analysis team confirmed that it gets installed through a PHP script that attackers upload to servers via compromised FTP passwords, website vulnerabilities or brute-forced site administration credentials.

Mayhem’s main component is a malicious ELF (Executable and Linkable Format) library file that, after installation, downloads additional plug-ins and stores them in a hidden and encrypted file system.

“50% of web servers run Apache, which means they may have some version of Bash on them”

The plug-ins enable attackers to use the newly infected servers to attack and compromise additional sites. After reverse engineering, we found that around 1,400 infected servers were connecting to two separate command-and-control servers.

Recently we captured another variant of Mayhem. After deep analysis, our malware analysis team found that Mayhem’s authors have added Shellshock exploits to the botnet’s arsenal. We also found that the Shellshock attacks originating from the Mayhem botnet target web servers with CGI support. The bots probe web servers to determine if they’re vulnerable to the Bash flaws and then exploit them to execute a Perl script.

This upgraded script contains malicious Mayhem ELF binary files for both 32-bit and 64-bit CPU architectures embedded into it as hexadecimal data, and uses the LD_PRELOAD mechanism to extract and run them on the system.
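The dropper behaviour described above (ELF images for two architectures carried as hexadecimal text inside a script) lends itself to a simple host-side check. The Go program below is an added example, not CCFIS’s analysis tooling and not code from the bulletin: it scans script text for long hexadecimal runs, looks for the ELF magic bytes inside them, and reads the e_ident class and byte-order fields to report whether a 32-bit or 64-bit image is embedded. The sample Perl fragment is constructed for the demonstration and carries only ELF header bytes followed by zero filler.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// elfFinding describes one hex-encoded ELF image located inside script text.
type elfFinding struct {
	Offset int    // byte offset of the hex run within the scanned text
	Class  string // "ELF32", "ELF64" or "unknown" (e_ident[EI_CLASS])
	Endian string // "little", "big" or "unknown" (e_ident[EI_DATA])
	HexLen int    // length of the contiguous hex run, in hex characters
}

// hexRun matches any run of hex digits long enough to carry a complete 64-byte
// ELF64 header (128 hex characters); shorter runs such as MD5/SHA-1 hashes are skipped.
var hexRun = regexp.MustCompile(`(?i)[0-9a-f]{128,}`)

// elfMagicHex is the hex encoding of the ELF magic bytes 0x7f 'E' 'L' 'F'.
const elfMagicHex = "7f454c46"

// findHexEmbeddedELF scans script text for long hex runs that contain an ELF
// header and reports the word size and byte order of each embedded image.
func findHexEmbeddedELF(script string) []elfFinding {
	var out []elfFinding
	for _, loc := range hexRun.FindAllStringIndex(script, -1) {
		run := strings.ToLower(script[loc[0]:loc[1]])
		idx := strings.Index(run, elfMagicHex)
		// The magic must sit on a byte boundary and leave room for all 16 e_ident bytes.
		if idx < 0 || idx%2 != 0 || idx+32 > len(run) {
			continue
		}
		ident, err := hex.DecodeString(run[idx : idx+32])
		if err != nil {
			continue
		}
		f := elfFinding{Offset: loc[0], HexLen: len(run), Class: "unknown", Endian: "unknown"}
		switch ident[4] { // EI_CLASS
		case 1:
			f.Class = "ELF32"
		case 2:
			f.Class = "ELF64"
		}
		switch ident[5] { // EI_DATA
		case 1:
			f.Endian = "little"
		case 2:
			f.Endian = "big"
		}
		out = append(out, f)
	}
	return out
}

// sampleDropper is a constructed stand-in for a dropper script of the kind the
// text describes. Only the first 8 bytes of each ELF run are real identification
// bytes; the remainder is zero filler, not executable code. The first line holds
// a benign 128-character hex string (a SHA-512-sized digest) that must not be flagged.
var sampleDropper = "#!/usr/bin/perl\n" +
	"my $sha512 = \"" + strings.Repeat("ab", 64) + "\";\n" +
	"my $elf32 = \"" + "7f454c4601010100" + strings.Repeat("00", 56) + "\";\n" +
	"my $elf64 = \"" + "7f454c4602010100" + strings.Repeat("00", 56) + "\";\n"

func main() {
	for _, f := range findHexEmbeddedELF(sampleDropper) {
		fmt.Printf("offset %d: %s %s-endian image, %d hex chars\n",
			f.Offset, f.Class, f.Endian, f.HexLen)
	}
}
```

Running this over PHP or Perl files in a web root, or over anything spawned by a CGI handler, gives a cheap indicator that complements checking process environments and /etc/ld.so.preload for LD_PRELOAD entries nobody configured.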

badUSB

We use USB every day, from phones to laptops to servers and whatnot. We all have more than 10 devices in our offices and homes that interact with USB. Nowadays, almost every device has USB connectivity. Even healthcare equipment has USB ports for different purposes. We knew about the possibility of hardware backdooring, but the procedure and programs were confidential and weren’t accessible to common people. But at a recent Black Hat conference, the process was demonstrated publicly and the source code has been uploaded to GitHub for anyone to download and tinker with.

The CCFIS research lab found that this backdooring is not only possible in USB drives but can be done very easily in keyboards, cameras, printers and almost all components that can be connected via USB. The vulnerability exists in the USB controller chip’s firmware, which offers no protection from reprogramming and reverse engineering. After reverse engineering, even a thumb drive can be used to compromise a computer or an entire network. Following are some BadUSB threats:

- Any USB device can emulate a keyboard and issue commands on behalf of the logged-in user, for installing malicious files or malware.
- A small pen drive can spoof a network card, change the computer’s DNS settings and redirect the entire traffic to the hacker’s IP.
- It can also be configured to infect the system before it boots up. The malware can detect when the computer is booting and plant a small virus at boot.

Backdooring is possible by many other techniques too. Hackers can read the program stored on a keyboard’s microcontroller, bind the program with malicious code and then write it back to the keyboard. If the installed microcontroller doesn’t allow rewriting, then hackers can install a new microcontroller with malicious code. We also found that adding another microcontroller alongside the original microcontroller is also possible. This keyboard will then send all the data typed through it to a hacker’s FTP.

Unfortunately there isn’t any effective way to detect a malicious USB device, because malware scanners or antivirus cannot access the firmware running on any USB device. USB firewalls that block certain device classes do not exist to date. Also, behavioral analysis is quite difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device.
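To make the idea of a USB firewall that blocks device classes concrete, here is an added Go example (not a CCFIS tool and not code from the bulletin) of what such a filter would evaluate: it walks a USB configuration descriptor, pulls out every interface descriptor, and applies a hypothetical allow-list of interface classes. A device that announces a mass-storage interface alongside a HID keyboard interface, the persona change the text describes, is reported. The descriptor bytes are constructed for the example, not captured from a real device.

```go
package main

import (
	"errors"
	"fmt"
)

// Descriptor type codes and interface class codes from the USB specification.
const (
	descConfiguration = 0x02
	descInterface     = 0x04

	classCDCControl  = 0x02 // communications control (e.g. a network adapter)
	classHID         = 0x03 // human interface device (keyboards, mice)
	classMassStorage = 0x08
	classCDCData     = 0x0A // communications data interface
)

// usbInterface is the part of a 9-byte interface descriptor a class filter needs.
type usbInterface struct {
	Number, Class, SubClass, Protocol byte
}

// parseInterfaces walks a configuration descriptor and everything that follows
// it (interface, endpoint and class-specific descriptors) using each descriptor's
// own bLength field, and returns the interface descriptors it meets.
func parseInterfaces(cfg []byte) ([]usbInterface, error) {
	if len(cfg) < 9 || cfg[1] != descConfiguration {
		return nil, errors.New("not a configuration descriptor")
	}
	total := int(cfg[2]) | int(cfg[3])<<8 // wTotalLength, little-endian
	if total > len(cfg) {
		return nil, fmt.Errorf("wTotalLength %d exceeds the %d bytes supplied", total, len(cfg))
	}
	var ifaces []usbInterface
	for off := 0; off < total; {
		bLength := int(cfg[off])
		if bLength < 2 || off+bLength > total {
			return nil, fmt.Errorf("malformed descriptor at offset %d", off)
		}
		if cfg[off+1] == descInterface && bLength >= 9 {
			ifaces = append(ifaces, usbInterface{
				Number: cfg[off+2], Class: cfg[off+5], SubClass: cfg[off+6], Protocol: cfg[off+7],
			})
		}
		off += bLength
	}
	return ifaces, nil
}

// describe names the interface classes the threats above rely on.
func describe(i usbInterface) string {
	switch i.Class {
	case classHID:
		if i.SubClass == 1 && i.Protocol == 1 {
			return "HID boot keyboard"
		}
		return "HID"
	case classMassStorage:
		return "mass storage"
	case classCDCControl, classCDCData:
		return "CDC (network/serial)"
	}
	return fmt.Sprintf("class 0x%02x", i.Class)
}

// deniedInterfaces applies a hypothetical allow-list policy: every interface
// whose class is not in allowed is reported, so a "thumb drive" that also
// presents a keyboard or network interface shows up here.
func deniedInterfaces(ifaces []usbInterface, allowed map[byte]bool) []string {
	var denied []string
	for _, i := range ifaces {
		if !allowed[i.Class] {
			denied = append(denied, fmt.Sprintf("interface %d: %s", i.Number, describe(i)))
		}
	}
	return denied
}

// suspiciousThumbDrive is a constructed configuration descriptor for a composite
// device: one mass-storage interface followed by one HID boot-keyboard interface.
var suspiciousThumbDrive = []byte{
	0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32, // configuration, wTotalLength=57, 2 interfaces
	0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00, // interface 0: mass storage, SCSI, bulk-only
	0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00, // bulk IN endpoint
	0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00, // bulk OUT endpoint
	0x09, 0x04, 0x01, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00, // interface 1: HID, boot subclass, keyboard protocol
	0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3f, 0x00, // HID class descriptor
	0x07, 0x05, 0x83, 0x03, 0x08, 0x00, 0x0a, // interrupt IN endpoint
}

func main() {
	ifaces, err := parseInterfaces(suspiciousThumbDrive)
	if err != nil {
		panic(err)
	}
	storageOnly := map[byte]bool{classMassStorage: true} // hypothetical policy for a storage-only port
	for _, d := range deniedInterfaces(ifaces, storageOnly) {
		fmt.Println("deny:", d)
	}
}
```

The policy is deliberately simple; the point is that the host learns a device’s class only from descriptors the firmware itself supplies, so a filter like this is only as good as its allow-list, and a device that re-enumerates later with a new persona simply presents a fresh set of descriptors to evaluate.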

windows 10 technical preview keylogger
Microsoft is gathering information from its Windows 10 Technical Preview in every way possible.

Microsoft is keeping a very close eye on those participating in the Windows 10 Technical Preview, closer than you might think, in fact.

The Technical Preview has been released for two reasons. First, it gives the crowd of users a demo to try out the next big thing, Windows 10. But the other, more important reason for Microsoft is to gather data on both how Windows 10 is running on your system and how you’re using the OS, and maybe that’s why, as per researchers, they have installed a keylogger in their new Windows 10.

Well, how many of you actually read the “Terms of Service” and “Privacy Policy” documents before downloading or installing the Preview release of Windows 10? I believe none of us even read those documents, because most computer users have the habit of ignoring those lengthy paragraphs and simply clicking "I Agree" and then "Next", which is not at all a good practice. Do you really know what permissions you have granted to Microsoft by installing the free Windows 10 Technical Preview edition? You actually gave permission to keylog your system.

If you are unaware of Microsoft’s new privacy policy, then now you should pay attention to what the policy says. Microsoft is watching your every move on the latest Windows 10 Technical Preview, as mentioned in Microsoft's privacy policy, which indicates that the technology giant is using a keylogger to collect and use users’ data in a variety of ways without informing the user.

“If you open a file, we may collect information about the file, the application used to open the file, and how long it takes any use [of] it for purposes such as improving performance, or [if you] enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spell check features,” the privacy policy states.

Essentially, by accepting the Windows 10 privacy policy you are allowing Microsoft to screen your files and log your keystrokes. This means that if you open a file and type, Microsoft has access to what you type and the file info within. In our research lab, we found that all the keystrokes that were typed in Internet Explorer on Windows 10 were stored in the hidden location below:

C:\Users\CCFIS\AppData\Local\Microsoft\Windows\inetcache\low\ie\ZPBXU1LL

Microsoft says it may collect even more data. The company will be watching your apps for compatibility, and collect voice information when you use speech to text. This information will be used to improve speech processing, according to Microsoft.

"When you acquire, install and use the Program, Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks," the privacy policy states. "Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."

The data Microsoft collects could include thousands of username and password combinations stored in a database somewhere. Several researchers on security blogs have already started saying that Microsoft might have started a mass surveillance program in collaboration with some intelligence agencies. Whatever the rumors are, at least Microsoft is asking you before using your data.

bot based bruteforce ‘ylmf-pc’
SMTP connection at HELO/EHLO matching machine name

We all use mail servers, cPanel and many other services which are somehow vulnerable to brute-force attacks. There are many best practices to block a brute-force attack, but everything fails when it’s a targeted brute-force attack.

Recently our team received a case from one of our major clients that their mailboxes were being compromised: no matter how complex a password they used, their mailboxes were compromised and confidential information about the organization was leaked. During the investigation, we came to know that it was a successful brute-force attack on their SmarterMail, even with a properly updated server and properly defined password policies.

To confirm this, we clustered several systems in our cyber lab and launched a brute-force attack, and we were able to crack the password using bots installed on all machines. We created one Command & Control server and controlled all systems to launch a brute-force attack on one dummy account which was using a strong password. The test attack was successful and the account was compromised. Then we realized that even after implementing all best practices, one cannot stop a brute-force attack.

Performing a brute-force attack to break a 12-character-long password will take more than a year if the attack is performed with a single system and the user has used a combination of lowercase letters, uppercase letters, numbers and special characters.

But nowadays, attackers have developed a malware-based bot. This bot searches for vulnerable machines and servers connected to the Internet, compromises them and connects back to a Command & Control server, which is the master of all these bots. If this bot has compromised 10,000 systems, then the same password which it was cracking in 1 year can be cracked in a few minutes.

Enabling CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) image verification doesn’t always work, as hackers have already found ways to bypass it, because almost all CAPTCHA verification APIs rely on the plain-text HTTP protocol to perform CAPTCHA validation. Because of this, the CAPTCHA provider’s identity is not validated, message authentication checks are not performed, and the entire CAPTCHA validation is performed over an unencrypted channel. Also, one cannot implement CAPTCHA when the brute force is coming in over SMTP. Blocking an IP after a few failed login attempts will also not work, as in an organization thousands of users share the same gateway IP, and if one user fails to log in to his account and crosses the limit, then the gateway IP will be blocked by the server and no one from that organization will be able to access their mail.

At a later stage, we found a bot, representing itself as ‘ylmf-pc’, which was used to perform the brute-force attack to break the passwords of email accounts. The bot first compromised users across the globe and then performed the brute-force attack through these compromised users to hide its original IP and remain untraceable. In our research lab, we performed pattern analysis on the logs of the mail server, and we found the bot’s behaviour and were able to locate the Command & Control server.
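The log pattern analysis mentioned above can be expressed as a small program. The Go code below is an added example (not CCFIS’s analysis tool and not SmarterMail’s real log format): it groups authentication failures by the HELO/EHLO name each client sent and flags names whose failures arrive from many distinct addresses while every individual address stays under a per-IP lockout threshold. That is the pattern the text describes: per-IP blocking never fires, but the shared machine name ‘ylmf-pc’ ties the attempts together. The log format, addresses and mailboxes are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleLog holds constructed lines in a hypothetical mail-server format: one
// authentication attempt per line, with the HELO/EHLO name the client sent.
// Addresses are from documentation ranges; mailboxes are at example.com.
const sampleLog = `2014-10-03 02:11:07 smtp 203.0.113.5 helo=ylmf-pc auth=fail user=finance@example.com
2014-10-03 02:11:09 smtp 198.51.100.17 helo=ylmf-pc auth=fail user=finance@example.com
2014-10-03 02:11:12 smtp 203.0.113.88 helo=ylmf-pc auth=fail user=finance@example.com
2014-10-03 02:11:15 smtp 198.51.100.201 helo=ylmf-pc auth=fail user=ceo@example.com
2014-10-03 02:11:19 smtp 203.0.113.140 helo=ylmf-pc auth=fail user=ceo@example.com
2014-10-03 02:11:23 smtp 198.51.100.9 helo=ylmf-pc auth=fail user=ceo@example.com
2014-10-03 02:12:01 smtp 192.0.2.10 helo=mail.example.com auth=ok user=anita@example.com
2014-10-03 02:12:44 smtp 192.0.2.10 helo=mail.example.com auth=fail user=rahul@example.com
2014-10-03 02:12:50 smtp 192.0.2.10 helo=mail.example.com auth=ok user=rahul@example.com
2014-10-03 02:13:02 smtp 192.0.2.10 helo=laptop-anita auth=fail user=anita@example.com
`

// lineRe captures client IP, HELO name, auth result and target mailbox.
var lineRe = regexp.MustCompile(`^\S+ \S+ smtp (\S+) helo=(\S+) auth=(\S+) user=(\S+)$`)

// heloStats aggregates failed logins that share one HELO name.
type heloStats struct {
	Failures  int
	SourceIPs map[string]int  // distinct client IPs -> failures from that IP
	Users     map[string]bool // distinct mailboxes targeted
}

// aggregateByHELO parses log lines and groups authentication failures by the
// HELO/EHLO name, the one value every bot in the swarm has in common.
func aggregateByHELO(log string) map[string]*heloStats {
	stats := map[string]*heloStats{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil || m[3] != "fail" {
			continue
		}
		ip, helo, user := m[1], m[2], m[4]
		s, ok := stats[helo]
		if !ok {
			s = &heloStats{SourceIPs: map[string]int{}, Users: map[string]bool{}}
			stats[helo] = s
		}
		s.Failures++
		s.SourceIPs[ip]++
		s.Users[user] = true
	}
	return stats
}

// distributedBruteForce returns HELO names whose failures come from at least
// minIPs distinct addresses while no single address reaches perIPLockout, i.e.
// exactly the pattern a per-IP lockout rule cannot see.
func distributedBruteForce(stats map[string]*heloStats, minIPs, perIPLockout int) []string {
	var flagged []string
	for helo, s := range stats {
		if len(s.SourceIPs) < minIPs {
			continue
		}
		maxPerIP := 0
		for _, n := range s.SourceIPs {
			if n > maxPerIP {
				maxPerIP = n
			}
		}
		if maxPerIP < perIPLockout {
			flagged = append(flagged, helo)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	stats := aggregateByHELO(sampleLog)
	// Thresholds are illustrative: 5 distinct IPs, per-IP lockout at 3 failures.
	for _, helo := range distributedBruteForce(stats, 5, 3) {
		s := stats[helo]
		fmt.Printf("helo=%s: %d failures from %d IPs against %d mailboxes\n",
			helo, s.Failures, len(s.SourceIPs), len(s.Users))
	}
}
```

In production the same aggregation would run over the real mail-server log, and a flagged HELO name can feed a reject rule at the SMTP greeting stage, which stops the bot without touching the organization’s shared gateway IP.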

about us

Center for Cyber Forensics and Information Security (CCFIS) is a Research Organization incubated at Amity Innovation Incubator, which is a Technology Incubator supported by NSTEDB, Ministry of Science & Technology (Government of India).

Noida Office HQ: Amity Innovation Incubator, Block E-3, 1st Floor, Amity University, Sector-125 Noida, UP-201301, India, Email Id: [email protected], Phone no: +91-120-4659156
Lucknow Office: 3rd Floor, AB - 6 Block, Amity University, Malhaur, Lucknow, UP - 226028, India
Gwalior Office: Amity University Madhya Pradesh, Maharajpura (Opposite Airport), Gwalior
Jaipur Office: Amity University Rajasthan, 14, Gopalwadi, Ajmer Road, Jaipur, Rajasthan
Manesar Office: Amity University Haryana, Panchgaon, Manesar, Gurgaon, Haryana

Disclaimer: This report was prepared as an account of work done by the CCFIS research and analysis wing. Neither CCFIS, nor any of its employees, nor any of its contractors, subcontractors or their employees, partners or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of this report or the results of such use of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.

© Center for Cyber Forensics & Information Security