The objective of this laboratory test, scenario is to make explore alternative “clever” solutions (as opposed to making the site more resilient by optimizing it) to protect your site against attacks. Moreover, DDoS¹ attacks, malicious code, etc.

Therefore, we need to develop countermeasures for the working attacks simulated with a standard DoS attack from a single IP address (performed with AB² or Jmeter). Limitations for this scenarios is highlighted:

• No additional hardware can be used
• The wordpress installation can not be optimized: no caching plugins, no reverse-proxy (varnish, squid etc)
• No reactive measures that automatically block incoming traffic: the site must respond to at least some of the requests coming from the attacker at all times
• The countermeasures must not have negative effects on “normal usage pattern”. Normal usage pattern is defined as:
  • Bursts of 10 connections per IP address in 1 second
  • Page load times not over 10 seconds
• Normal usage must be possible from the same IP address that the attack originated from after a 20 second delay maximum.

In addition, we have to make much of the rules for the scenario. Rules as follow: Fresh installation of the latest version of Ubuntu Server and the most recent WordPress as of 20.10.2011. First priority: No normal usage pattern connections can be dropped! Second priority: service speed of normal connections. Defined by number of connections / second (easy to measure). Third priority: How fast after the attack is stopped, the site can be accessed from the attacking IP again.

Each test and measured results will be exposed in to Test section. Whereas, the process of installation of clever solution and attacking scripts will be provided in to Appendixes section.

Finally, the measurement results will be compared with the first state without attack and any security solutions applied. Alternatively, providing measurement results with one solution and attack will help us to identify the most beneficial security solution. Therefore, in Conclusion section comparison results will be highlighted.

TESTS

Because of requirements of our scenario we need to display the results before security solution is applied and attacker performance. For this purpose we are going to use an AB script to display the response time of the server:

ab -t 10 -n 10 -c 10 http://192.168.56.102/wordpress/

The above script provides detail information, yet only important is Request per second. Thus, with an fresh installation and without any security solution, it provided with result of 3.95 [#/sec]. With other word, 3.95 number of request per second. After applying different security solution and performing an attack to the server, results will be divers.

In addition, test were done by two different virtual environment machines. One is for testing results and the other one is to perform attack with the following script:

ab -n 100 -c 10 http://192.168.56.102/wordpress/

TEST 1

First test is to install libapache2-mod-evasive [libapache2-mod-evasive]. Where, mod_evasive is an evasive maneuvers module for Apache is to provide some protection in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera.

The process of installation and configuration refer to the Appendix 1.

After completed the installation and configuration process it is time to test the security solution and to highlight the results. Before performing the attack the results were somehow, lower then, before installing the mod-evasive, 2.06 number request per second. When we start the attack and in same time analysis the server responded with timeout. The conclusion is that mod-evasive it is not enough solution.

TEST 2

From previous test we can see that the solution was not enough clever for our needs. The server somehow was dead. However, we are going to install now mod_security module for apache, with side of previous test. For more detail information of installation process and configuration refer to Appendix 2 or to the following source [mod_security].

CONCLUSION

There are three points that we should consider and to see which proposal was more accurate and it did the job that was required in the scenario.

In conclusion, the above proposals are nice and good example to have an view of how and with what tools we should perform script kiddie techniques. How to shutdown access to a server. On the whole, it show as how to use tools and methods of measuring the bandwidth of network and how to limit the transfer in comfortable way.

APPENDIXES

Appendix 1 is connected with the Method 1, which highlighted points are illustration on what information we should check, to clarify that the virtual environment has limitation of the network interface. Where Appendix 2 is for installation process of Ubuntu Server 10.04 LTS and wordpress, mysql installation.

APPENDIX 1

Installation process:

sudo apt-get install libapache2-mod-evasive

Configuration process is followed and gather from the following source [Evasive Module], for addition proposal please refer to[Blacklist]:

sudo mkdir /var/log/apache2/mod_evasive

sudo chown www-data /var/log/apache2/mod_evasive

Afterwards, create its configuration file with a default content, with the following command:

sudo nano /etc/apache2/apache2.conf 

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/apache2/mod_evasive
DOSEmailNotify root@localhost
DOSWhitelist 127.0.0.1
DOSSystemCommand &quot;/sbin/iptables -I INPUT -p tcp --dport 80 -s %s -j DROP
</IfModule>

The above changes to take effect please restart the apache service by:

sudo service apache2 restart

You can test whether it works using a script included in the deb package:

perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl

APPENDIX 2

Installation and configuration of mod_security:

apt-get install libapache2-modsecurity
/etc/init.d/apache2 force-reload

• Installation media: Ubuntu 11.10 32bit iso image;
• HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
• NIC1 NAT;
• NIC2 host only (for ssh and http access from host);
• Language used in installation process: English and country Estonia;
• Keyboard Layout English;
• no http proxy
• Default applications
• sudo apt-get install lamp phpmyadmin
• wget -c http://wordpress.org/latest.tar.gz
• tar xvjf latest.tar.gz
• sudo cp wordpress /var/www/wordpress
• sudo nano /var/www/wordpress/wp-config.php
  
• Change the settings to your needs

Bibliography

libapache2-mod-evasive: Canonical Ltd., Package: libapache2-mod-evasive (1.10.1-1), 2011, http://packages.ubuntu.com/hardy/libapache2-mod-evasive

mod_security: How to Forge, Secure Your Apache With mod_security, 2006, http://www.howtoforge.com/apache_mod_security

Evasive Module: Deep Logic, Inc., Apache Evasive Maneuvers Module, 2005, http://fossies.org/unix/www/apache_httpd_modules/mod_evasive_1.10.1.tar.gz:t/mod_evasive/README

Blacklist: Jeff Starr, Eight Ways to Blacklist with Apache’s mod_rewrite, Feb 2009, http://perishablepress.com/press/2009/02/03/eight-ways-to-blacklist-with-apaches-mod_rewrite/

The objective of this laboratory test, scenario is to create a solution and instructions for
testing an IDS¹ systems usefulness for detecting attacks against a wordpress site. In
addition, we have to develop/download/find/whatever a SNORT configuration (rulesets,
preprocessors, whatever) that performs better than the default configuration in previous
post. By better we mean:

• Less false positives
• Less false negatives
• The objectives are contradictory so the rule of thumb is one false negative per 10 false positives eg. solution with 10 false positives and 2 false negatives is better than the solution with 100 false positives and 1 false negatives, but the solution with 10 false positives and 1 false negative is better than the solution with 1 false positive and 2 false negatives.
• Attack is defined by a single invocation of all the test scripts in a row

Meanwhile, the new rules have to be able to detect not only the default attacks that
are set to a default snort configuration, yet they have to be able to detect SQL injection,
brute force password, apache killer script, pytbull, etc. Furthermore, in figure 1 we are
illustrating the scenario.

Illustration 1: Illustration of Scenario

Therefore, in the proposal section we will present two proposals that have been submitted due to this laboratory test and additionally in result section we will highlighted the identification numbers made by snort set new rules. In section appendixes we will provide you with more details configuration procedures, configuration of VM’s – Virtual Machines, attacks, etc.
Finally, closing with an conclusion and the results of best set of rules made of the proposals.

SETUP of SNORT

To setup snort in a right way, that will work for the second Host only network please following the instruction link provided with a full description and configuration of snort
[SNORT2].

PROPOSALS

In total two proposals are presented in next sub-sections.

PROPOSAL 1

Add http://www.tud.ttu.ee/~t061780/attacks/robert.rules to your Snort.
On your Snort machine:

cd /etc/snort/rules
wget http://www.tud.ttu.ee/~t061780/attacks/robert.rules

Now you have the rules, add them to your snort conf file (default /etc/snort/snort.conf). To do that inser:

"include $RULE_PATH/robert.rules"

somewhere with rest of the rules after line 800. Run Snort and test.

PROPOSAL 2

Add the following rules: http://predragtasevski.com/predrag.rules
To be able to insert the snort rules in to the snort file please double check where it is located. You can find the location with the following command: find / -name snort.conf
Before you continue please change the IP address to your server address on line number #6, example alert tcp any any -> 192.168.56.X where x is your octet.
Then to add the following rules at the conf file do the following command:

cat predrag.rules >> snort.conf

Now it is time to start or restart snort. It should work.

RESULTS

After executing the above proposal we will highlight the results into the table bellow. Result
are presented from the total amount of reports, registered alerts in the snort. This is done
by help of web interface of Basic Analysis and Security Engine in addition Analysis
Console for Intrusion Databases (ACID) project tool [ACID]. Therefore, the result from the
proposals are highlighted below:

Table 1: Details of total report numbers of alerts made by SNORT and the different proposal rule sets. Details of the attacks conducted in the table are presented in appendixes section.

Additionally, figure 2 is presenting the pine chart of the total number alerts
recognized by Snort.

Illustration 2: Total number of Alerts

Secondly, figure 3 is representing the pine chart of total number of unique alerts recognized by Snort.

Illustration 3: Total number of Unique Alerts

CONCLUSION

From the above results we came to conclusion that the new applied rules were successful and were able to recognize alerts more then the default rule set of Snort. Meanwhile, only proposal 2 was able to recognized an SQL injections without any additional tweaking. Although proposal 1 was still useful, on the other hand the best solution is when we combine the both rule sets proposals. Then the Snort is able to recognized an significant number of total alerts and additionally for our laboratory report more interesting is unique total number alerts.

Closing, even the default Snort rules configuration is good, yet when you tweak it by
your own needs, you will have much better IDS system for your network. In future it should be recommended always refer to [snort_rules], to gather more available advance Snort rules, made by experts. Where will help you to configure and setup Snort IDS system to detecting attacks against a wordpress site, etc.

APPENDIXES

Appendix 1 is the configuration of the attacker virtual machine, in more detail Blacktrack 5
distribution. Secondly, Appendix 2 is the ubuntu wordpress configuration server and
additional is the configuration and setup process and refer links of IDS Snort virtual
machine. Appendix 4, 5 and 6 are providing brief details about the attacks that were
conducted during this laboratory test.

APPENDIX 1

● Installation media: Black Track 5 GNOME 32bit iso image;
● HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
● NIC1 NAT;
● NIC2 host only (for ssh and http access from host);
● Downloadable link: http://www.backtrack-linux.org/downloads/

APPENDIX 2

● Installation media: Ubuntu 10.04 32bit iso image;
● HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
● NIC1 NAT;
● NIC2 host only (for ssh and http access from host);
● Language used in installation process: English and country Estonia;
● Keyboard Layout English;
● Hostname: pece
● Partition methods: Guided, use entire disk
● Username: pece
● no http proxy
● Default applications

sudo apt-get install lamp phpmyadmin
wget -c http://wordpress.org/latest.tar.gz
tar xvjf latest.tar.gz
sudo cp wordpress /var/www/wordpress
sudo nano /var/www/wordpress/wp-config.php Change the settings to your needs

APPENDIX 3

● Installation media: Ubuntu 10.04 32bit iso image;
● HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
● NIC1 NAT;
● NIC2 host only (for ssh and http access from host);
● Language used in installation process: English and country Estonia;
● Keyboard Layout English;
● Hostname: pece
● Partition methods: Guided, use entire disk
● Username: pece
● no http proxy
● Default applications
● Snort configuration and installation refer to [SNORT1] in addition, please refer to
[SNORT2].

APPENDIX 4

Here we test typical SQL- injection in URL.
Commands used:

wget "http://192.168.56.101/?p=1'%20OR%20'1'='1"
wget "http://192.168.56.101/?p=1'%20AND%201=(SELECT%20COUNT(*)%20FROM
%20tabname);%20—" 

Snort by default does not detect this, where in applying the proposal 2 rules, it did detect.

APPENDIX 5

To test Snort and acidbase, perform a portscan of the Snort host.

sudo nmap -p1-65535 -sV -sS -O 192.168.56.102

APPENDIX 6

To setup pytbull it is a bit of pain, yet if you follow the rules and the documentation it will
work like shark. For documentation please refer to [pytbull_doc].

Bibliography

SNORT2: Nick Moore, Snort 2.8.4.1 Ubuntu 9 Installation Guide, June 2009,
http://www.snort.org/assets/113/Snort_2.8.4.1_Ubuntu.pdf
ACID: Basic Analysis and Security Engine, Welcome to the Basic Analysis and Security Engine (BASE) project , 2008, http://base.secureideas.net/about.php
snort_rules:  http://rules.emergingthreats.net/open/snort-2.9.0/rules/
SNORT1: kat-amsterdam, SnortIDS, December 2010,
https://help.ubuntu.com/community/SnortIDS
pytbull_doc: Sébastien Damaye, Official documentation for pytbull v1.3 -, 2011, http://pytbull.sourceforge.net/index.php?page=documentation

1 IDS – Intrusion detection system

The objective of this laboratory test, scenario is to create a solution and instructions for
testing an IDS^1 systems usefulness for detecting attacks against a wordpress site. In
addition, a repeatable process to evaluate vendor claims. Whatever passive IDS system
sample delivered as a VM or a dedicated box. Creating the IDS system itself is out of
scope.
The process must be detailed enough so that somebody else can get the same
results when applying that. The “other person” is expected to have IT knowledge sufficient
to install and run a Linux desktop.
Budget requirements: Modest – 2 machines + a tester (Joe) + networking equipment
to connect the two machines and an IDS together.
The process must test at least the following attacks:

• Port scan
• SYN flood
• “Regular” DoS overwhelming attack (Ab)

Optionally the process may test:

• slowloris/pyloris
• Apache Range header DoS vulnerability http://httpd.apache.org/security/CVE-011-3192.txt
• An attack targeting any other fairly recent (not older than 3-4 years) known vulnerability that could in theory apply to the target system (wordpress server)

However the competition rules are:
The highest number of attacks evaluated. Limits: * Each attack must be relevant eg.
if it attacks IIS it’s NOT relevant. If it attacks Windows RPC it’s not relevant. If it attacks
some other CMS eg. Drupal it’s NOT relevant. * Basically equivalent attacks count as one
(different port scanners for example) * You must be able to explain in broad terms what the attack does eg: attacks the vulnerability #X in Apache server If the #attacks is equal.
Lab instaractions:
Install 3 VM-s: Attacker IDS and Target

1. Make sure all VM-s have two network adapters: NAT and Host-Only.
2. Install Snort and it’s GUI called “acidbase” on IDS https://help.ubuntu.com/community/SnortIDS.
3. Install Apache, Mysql and WordPress on Target.
4. Execute an attack on Attacker towards the IP address on the Host Only network.
5. Take notice of the results displayed on Acid console.
6. Reset counters, move on to next attack

Additionally, illustration 1 describes the overview of above scenario

Illustration 1: Lab 5 Illustration of Scenario

Firstly, setup procedure of snort, secondly available proposals and thirdly illustrating the results and the functionality of proposals. Finally, closing this laboratory report with conclusion. In addition, appendixes is configuration of VM’s – Virtual Machines.

SETUP of SNORT

To setup snort in a right way, that will work for the second Host only network please following the instruction link provided with a full description and configuration of snort [SNORT2].
After completing the setup and configuration to run snort on the second interface
use the following command:

snort -c /etc/snort/snort/conf -i eth1

PROPOSALS

In total three proposals and each one is highlighted in the next sub-sections.

PROPOSAL 1

Full instructions
1. Set up IDS (Snort) and WordPress on the first PC
2. Install Ubuntu server on the second PC . Then install all attacking tools there :

wget enos.itcollege.ee/~avein/lab4i.sh
sudo sh lab4i.sh

After that you should have:
[sourcecode]ab.sh – DoS attack script – uses ab to generate traffic flood
apachekiller.pl – Apachekiller attack script More info:

http://www.hackersgarage.com/apache-killer-denial-of-service-flaw-in-apache-

webserver.html[/sourceocode]
README.txt – extra instructions

scan.sh - Port scanning script - uses nmap
sloworis.pl - Sloworis attack script More info: \ 

http://ha.ckers.org/slowloris/

synf.sh - syn flood attack script - uses hping3

3. Start your IDS/wordpress server and the server with attack tools.
4. Run each attack tool ONE AT A TIME (targeting the wordpress/IDS server of
course) . Monitor the logs/notifications on yours IDS system (SNORT) and check
whether wordpress site is still accessible.
Let each attack tool run 2 minutes, then stop the attack by pressing CTRL+C on the
terminal window where the attack tool is running.
The only exeption is port scan- its better to wait until it finishes .
After each attack save the IDS log and wait atlest 5 minutes before trying next
tool (to give server time to recover). Best practice is to manually check if the
server load is at normal (one can use htop for that)

a) To run DoS attack :
sh ab.sh
Page 6
{target}
eg sh ab.sh 192.168.56.101
b) For port scan:
sh scan.sh
{target IP}
eg sh scan.sh 192.168.56.101
c) For Syn flood (with hping3)
sh
synf.sh {target}
eg synf.sh 192.168.56.101/wordpress
d) For Sloworis attack:
perl slowloris.pl -dns {target}
eg perl sloworis.pl -dns 192.168.56.101/wordpress
e) For Apachekiller attack:
perl apachekiller.pl
{target IP}
eg perl apachekiller.pl 192.168.56.101

PROPOSAL 2

Intro

For this scenario we need to run several different attacks and scans to be able to compare the results with different IDS setups and rulesets. We might also want to test it with legitimate traffic to see that we dont get false positives in our alarms. We dont have that much legitimate traffic possibilities with 1 blog on our servers right now, but if we start tweaking the IDS false positives becomes an important metric and we might want to
test normal usage and create traffic to run with tcpreplay for example. My proposal is to test the IDS with pytbull running on BackTrack. Pytbull is IDS testing framework and BackTrack a Linux ditribution.
I will assume that we have WordPress server with running default Snort set up on it and working. No extensive testing has been done with different snort setups so we might have to tune the methods, but basic things should be covered.

DL and install BackTrack

backtrack-linux.org/downloads/
Install it rather than running a live version for this scenario. Boot it up in default mode, start GUI and launch installation from desktop. Default login root / toor. Standard setup comes with pytbull and several pieces of software the IDS test-system depends on like nmap, hping3, nikto and others.

Setup connections

Connect the machines and install ftp and ssh on server. We need ftp to get snort alert files and ssh to run attacks against.

apt-get install vsftpd openssh-server

Setup pytbull

You will find pytbull from /pentest/enumeration/ids/pytbull/ or Applications > BackTrack > Information Gathering > Network Analysis > IDS IPS Identification > pytbull when using the GUI. Change the configuration file values to have correct connection information, user credentials and locations of dependencies. Here you also select which test modules out of the 9 available you want to run. ClientSideAttacks needs extra configuration.

cd /pentest/enumeration/ids/pytbull/
gedit config.cfg
Example conf file: http://www.tud.ttu.ee/~t061780/attacks/config.cfg
Now get custom DoS module to have hping SYN flood and  \
ApacheBench DoS tests covered.
cd modules
mv denialOfService.py denialOfService.py-backup
wget http://www.tud.ttu.ee/~t061780/attacks/denialOfService.py
You may want to refer to Pytbull documentation

Run

/pentest/enumeration/ids/pytbull/pytbull -t <WP/Snort server IP>
If everything works you will find html report file under /reports. If you have problems add -d on run for debugging.

(optional) Slowloris

To have slowloris attack test for pytbull we need to get custom slowloris that allows to set how many packets to send because we dont want the tests to run forever. I added argument s that tells the script to stop after we have sent s packets.

cd /pentest/stressing
wget www.tud.ttu.ee/~t061780/attacks/slowloris.pl
Slowloris attack has been written into DoS module,  \
 you have to uncomment it. Lines 47-52.
gedit /pentest/enumeration/ids/pytbull/modules/denialOfService.py

PROPOSAL 3

For this proposal I will suggest to use open source tool OpenVas for vulnerability scanning, to test our IDS system. It contains many security tools integrated. The security and analysis tools are: Nikto, nmap, ike-scan, snmpwalk, amap, ldapsearch, SLAD (John-the-Ripper, Chkrootkit, LSOF, ClamAV, Tripwire, TIGER, logwatch,
trapwatch, lm-sensors, snort and ovaldi), pnscan, portbunny, strobe, w3af, etc.
Instructions of installation process, for further more information please refer to http://www.openvas.org/setup-and-start.html

Step 1: Configure OBS Repository

sudo apt-get -y install python-software-properties
sudo add-apt-repository "deb

http://download.opensuse.org/repositories/security:/OpenVAS:\

  /STABLE:/v4/xUbuntu_10.04/ ./"
sudo apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys \
   BED1E87979EAFD54
sudo apt-get update

Step 2: Quick-Install OpenVAS

sudo apt-get -y install greenbone-security-assistant gsd openvas-cli \
 openvas-manager openvas-scanner
openvas-administrator sqlite3 xsltproc

Step 3: Quick-Start OpenVAS

(copy and paste whole block, during first time you will be asked to set a password for user “admin”)

test -e /var/lib/openvas/CA/cacert.pem || sudo openvas-mkcert -q
sudo openvas-nvt-sync
test -e /var/lib/openvas/users/om || sudo openvas-mkcert-client \
  -n om -i
sudo /etc/init.d/openvas-manager stop
sudo /etc/init.d/openvas-scanner stop
sudo openvassd
sudo openvasmd --migrate
sudo openvasmd --rebuild
sudo killall openvassd
sleep 15
sudo /etc/init.d/openvas-scanner start
sudo /etc/init.d/openvas-manager start
sudo /etc/init.d/openvas-administrator restart
sudo /etc/init.d/greenbone-security-assistant restart
test -e /var/lib/openvas/users/admin || sudo openvasad -c \
 add_user -n admin -r Admin

Step 4: Log into OpenVAS as “admin”

Open https://localhost:9392/ or start “gsd” on a command line as a regular user (not as root!).
Optional we can use and the Slowloris and Pyloris DoS attacks.
Download link for Slowloris is: http://ha.ckers.org/slowloris/slowloris.pl
The above solution and tool will help us to check and test our IDS system usefulness. It tests the following attacks: Port scan, SYN flood, DoS, etc. The results are presented with nice GUI interface. For more info about the project please refer to www.openvas.org.

RESULTS

After executing the above proposal we will highlight the results. Nevertheless, only the
Proposal 1 was able to run the test. Others two, Proposal 2 and Proposal 3 were
unsuccessful of installation process and configuration and to run the attacks. Moreover,
the result are presented from the total amount of reports, registered alerts in the snort.
This is done by help of web interface of Basic Analysis and Security Engine in addition
Analysis Console for Intrusion Databases (ACID) project tool [ACID]. Therefore, the result
from the Proposal 1 and from the rest are highlighted below:

• Proposal 1

• DoS – registered alerts: 2;
• Port scan : 8;
• synf.sh: 1344;
• slowloris.pl: 1782;
• apachekiller.pl: not working;
• Proposal 2
• pytbull: 0, the message was: Error: FTP error, 550 failed to open file.
• Proposal 3
• Too complicated to be configured and installed. The instructions and the procedures should be more easy. After few hours of configuring and test, tweaks are is still not working. Yet there are many good tutorials how to configure OpenVAS please refer [OpenVas1] and [OpenVas2].

CONCLUSION

Primarily, setting-up IDS, the Snort, it is not an easy task to complete. On the other hand,
configuring, installing, etc. the testing tools for IDS system is even more complicated.
Therefore, the Proposal 1 has the best solution and installation process of the test tools.
Despite, that it was the only one that worked.
Finally, recommendation for the IDS solutions and in addition to the penetrating
tools to test the usefulness of IDS has to be more simple and stepwise solution. However,
the above scenario and proposals are great tools and solutions for a future reader.

APPENDIXES

Appendix 1 is the configuration of the attacker virtual machine, in more detail Blacktrack
distribution. Secondly, Appendix 2 is the ubuntu wordpress configuration server and
additional is the configuration and setup process and refer links of IDS Snort virtual
machine.

APPENDIX 1

● Installation media: Black Track 5 GNOME 32bit iso image;
● HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
● NIC1 NAT;
● NIC2 host only (for ssh and http access from host);
● Downloadable link: http://www.backtrack-linux.org/downloads/

APPENDIX 2

● Installation media: Ubuntu 10.04 32bit iso image;
● HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
● NIC1 NAT;

● NIC2 host only (for ssh and http access from host);
● Language used in installation process: English and country Estonia;
● Keyboard Layout English;
● Hostname: pece
● Partition methods: Guided, use entire disk
● Username: pece
● no http proxy
● Default applications

sudo apt-get install lamp phpmyadmin
wget -c http://wordpress.org/latest.tar.gz
tar xvjf latest.tar.gz
sudo cp wordpress /var/www/wordpress
sudo nano /var/www/wordpress/wp-config.php

Change the settings to your needs.

APPENDIX 3

● Installation media: Ubuntu 10.04 32bit iso image;
● HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
● NIC1 NAT;
● NIC2 host only (for ssh and http access from host);
● Language used in installation process: English and country Estonia;
● Keyboard Layout English;
● Hostname: pece
● Partition methods: Guided, use entire disk
● Username: pece
● no http proxy
● Default applications
● Snort configuration and installation refer to [SNORT1] in addition, please refer to
[SNORT2].

Bibliography

SNORT2: Nick Moore, Snort 2.8.4.1 Ubuntu 9 Installation Guide, June 2009,
http://www.snort.org/assets/113/Snort_2.8.4.1_Ubuntu.pdf
ACID: Basic Analysis and Security Engine, Welcome to the Basic Analysis and Security Engine (BASE) project , 2008, http://base.secureideas.net/about.php
OpenVas1: NA, Backtrack 5- OpenVas Tutorial, NA, http://www.ehacking.net/2011/06/backtrack-5-openvas-tutorial.html
OpenVas2: BackTrack Linux, Getting started with OpenVas, June 2011, http://www.backtrack-linux.org/wiki/index.php/OpenVas
SNORT1: kat-amsterdam, SnortIDS, December 2010,
https://help.ubuntu.com/community/SnortIDS

1 IDS – Intrusion detection system

The main goal of this post is to introduce the reader with the security programing techniques into deferent program languages and operating system security models. The post is introducing four following topics:

1. Session storage’s in Ruby on Rail
2. Parameterized statements into Java with JDBC, C# with ASP.NET, PHP5, php-mysqli, Perl, Python and Hibernate Query Language (HQL)
3. Unix permission model, Unix ACL and Windows 7 security
   model
4. Finding all the security vulnerabilities in bash script

Each topic will be divided into own section, where at the end of each topic we stated the reference and additional reading material. The source code, scrips and the additional task were given by the lecture. However this will help the readers and people interesting into programing for further work and involvement with the above topics.

1. Session storage’s in Ruby on Rail

Session in Rails is a hash-like structure which allows you to store data across requests.
Sessions can hold any kind of data object (with some limitations) because they store
data using Data Marshalling.Session in rails it is not a hash. Session creates new
instant of session in every time new user visit the site. Recommendation is to not store
large objects in a session and critical data should not be stored in session.Rails way of
implementing session is:

1. session_id is a 32 hex character MD5 hash based upon time, random number and constant string. It is stored in cookie at client browser. Rails provides transparent support for session_id.
2. Session storage discussed below.

Ruby on Rails provides with many session storage option:

1. PStore – it implements a file based persistence mechanism based on a Hash. User code can store hierarchies of Ruby objects (values) into the data store file by name (keys). An object hierarchy may be just a single object. User code may later read values back from the data store or even update data, as needed. The files that are stored are usually located in the tmp/sessions folder for the Rails app. The main downside of using the PStore is that you will have to do some session-pruning periodically because performance decreases as the number of sessions stored increases.
2. ActiveRecordStore – keeps the session id and hash in a database table and saves and retrieves the hash on every request.
3. CookieStore – it saves the session hash directly in a cookie on the client-side. The server retrieves the session hash from the cookie and eliminates the need for a session id. Cookie-based sessions are just faster to retrieve and process than hitting the file-system on every request, were it was previously. Cookies are generally limited to 4K in size. While not an issue for most (proper) usage of the session, this could be a legitimate limit for some scenarios. If your application abuses the session, you’ll need to decide on a different session store that are available. The cookie has a SHA512 fingerprint attached and is hashed with a secret stored up on the server and there are, however, derivatives of CookieStore which encrypt the session hash, so the client cannot see it.
4. DRbStore – it store uses distributed Ruby to store a user’s session data. The performance is great, but it requires a bit more setup than the other stores.
5. FileStore – This store keeps the fragments on the hard disk instead of in memory. It works well if you have a lot of file storage and have outgrown the MemoryStore.
6. MemoryStore – keeps your session data in server memory. It keeps the fragments in your application’s memory, which can potentially take up a lot of memory on your server. It is used by default, but it is hard to manage and scale if your application becomes popular.

Note: Ruby on Rail CookieStore is available only in edge rails. PStore is the default option for stable release, whereas its CookieStore as default for edge rails.

Reference

Ruby On Rails Security Guide, From: http://guides.rubyonrails.org/security.html
Sessions and cookies in Ruby on Rails, From: http://www.quarkruby.com/2007/10/21/
sessions-and-cookies-in-ruby-on-rails#sstorage
What’s New in Edge Rails: Cookie Based Sessions are the New Default, From: http://
ryandaigle.com/articles/2007/2/21/what-s-new-in-edge-rails-cookie-based-sessions

2. Parameterized statements into Java with JDBC, C# with ASP.NET, PHP5, php-mysqli, Perl, Python and Hibernate Query Language (HQL)

For this task we will take a look at the parameterized statement API-s and we will find out and document how much does each of them protect against the following possible
misuses of SQL statements:

• String injection (quotes, double quotes)
• SQL statement injection (expression syntax etc)
• Out of range integers
• Blind SQL injection

Java with JDBC

PreparedStatement prep =
conn.prepareStatement("SELECT * FROM
USERS
WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1, username);
prep.setString(2, password);
prep.executeQuery();

There are no possibilities of string injection because of the filtering the statements. It enables users’ input to be initially filtered instead  of directly embedding it in the SQL statements. In this example is that the each parameter is a scalar, not a table, where the user input is then assigned (bound) to a parameter. It is a good idea if the character range is limited. Another thing that can be done to avoid SQL injection is to convert numeric values to integers before parsing them into the SQL statement. Or using ISNUMERIC to verify that they are integers.

C# with ASP.NET

using (SqlCommand myCommand =
new SqlCommand("SELECT * FROM USERS
WHERE
USERNAME=@user AND
PASSWORD=HASHBYTES(’SHA1’, @pwd)",
myConnection))
{
myCommand.Parameters.AddWithValue("@user",
user);
myCommand.Parameters.AddWithValue("@pwd",
pass);
myConnection.Open();
SqlDataReader myReader =
myCommand.ExecuteReader();
...
}

The placeholder – @user and the hashbyte value of password @pws – has become part  if the hardcoded SQL. At runtime, the value provided by the querystring is passed to the database along with the hardcoded SQL, and the database will check the Username and password field as it attempts to bind the parameter value to it. This ensures a level of strong typing. If the parameter value is not the right type for the database field (a string, or numeric that’s out of range for the field type), the database will be unable to convert it to the right type and will reject it. If the target field datatype is a string (char, nvarchar etc), the parameter value will be “stringified” automatically, which includes escaping single quotes. It will not form part of the SQL statement to be executed.

PHP5

$db = new PDO(’pgsql:dbname=database’);
$stmt = $db->prepare("SELECT priv FROM
testUsers WHERE
username=:username AND password=:password");
$stmt->bindParam(’:username’, $user);
$stmt->bindParam(’:password’, $pass);
$stmt->execute();

In this example to protect against SQL injection, it is used an input not directly to be  embedded in SQL statements. Instead, it is used an parameterized statements (preferred), or user input must be carefully escaped or filtered. This example shows and parameterized example/statement in php v. 5 and PDO database to protect from SQL injections and blind SQL injections.

PHP-MySQLi

$db = new mysqli("host", "user", "pass",
"database");
$stmt = $db -> prepare("SELECT priv FROM
testUsers
WHERE username=? AND password=?");
$stmt -> bind_param("ss", $user, $pass);
$stmt -> execute();

Same as above but this time it is used the vendor-specific methods; for instance, using the mysqli extension for MySQL 4.1 and create parameterized statements to protect from the SQL injection.

Perl

use DBI;
my $db = DBI-
>connect(’DBI:mysql:mydatabase:host’,
’login’, ’password’);
$statment = $db->prepare("UPDATE players SET
name = ?,
score = ?, active = ? WHERE jerseyNum = ?");
$rows_affected = $statment->execute("Smith,
Steve",
42, ’true’, 99);

Automatically “sanitize” input to parameterized SQL statements to avoid the catastrophic  database attacks.

Python

import sqlite3
db = sqlite3.connect(’:memory:’)
db.execute(’update players set name=:name,
score=:score,
active=:active where jerseyNum=:num’,
{’num’: 100,
’name’: ’John Doe’,
’active’: False,
’score’: -1}
)

It is parameterized statement with an example of named placeholders. Which insure to avoid the SQL injections and database attacks.

Hibernate Query Language (HQL)

Query safeHQLQuery = session.createQuery(
"from Inventory where productID=:productid");
safeHQLQuery.setParameter("productid",
userSuppliedParameter);

Unsafe example: Query unsafeHQLQuery = session.createQuery(“from Inventory where
productID=’”+userSuppliedParameter+”‘”); The example from left it’s used prepared statement approach because all the SQL code stays within the application. This makes your application relatively database independent. However, other options allow you to store all the SQL code in the database itself, which has both security and non-security
advantages and the approach is called Stored Procedure

3. Unix permission model, Unix ACL and Windows 7 security
model

In this topic we will describe two security set-ups that can not be expressed with traditional Unix permission model, UNIX ACL and Windows 7 security model.

Unix permission model

• Giving an different permission to different users in the same group
• Read and write permission/access to all groups, which gives and access to the ‘private files’, and you can gain access through a root account by an unwanted user, which brings and complete breach of the system

Unix ACL- enabled permission model

• If the user has permission over the file, he can read/write and delete it, which brings that it is not possible to give ‘some’ permission to the user.
• ACL’s are not very portable and are very hard to maintain. For instance good example is transferring of files with ACL’s between different of Unix systems is an exercise for brave person, even if the both file systems support them. Which brings a difficulty to maintain for existing files for instance backup, restore, copying, etc.

Windows 7 security model

• As a standard user you can perform an action that requires administrator privileges by the UAC(User Access Control), which is controlled by the Admin Approval Mode. It can be turn off and on. Every time when you need to gain an access of the administration privileges it will be prompt a dialog box to gain and provide the password for an access. Therefore in the medium settings with any malware could turn it off.
• And the settings of the UAC are in medium mode not off, still brings an opportunity to being turn off by the malware.

4. Finding all the security vulnerabilities in bash script

In this topic we will find all the possible vulnerabilities into the following bash script:

#!/bin/sh
# remove files with name pattern matching regexp
if [ x$1 = x ]; then
# if [[ x$1 = x ]]
echo -n "Please enter directory name: "
read dir
else
dir=$1
fi
if [ x$2 = x ]; then
# if [[ x$2 = x ]]
echo -n "Please enter pattern: "
read pattern
else
pattern=$2
fi
find $dir > /tmp/listing
# can use >> or print the output first before
cmd='rm `grep '$pattern' /tmp/listing`' #+the command is execute
echo "Running command $cmd"
eval $cmd //it converts string in command
rm /tmp/listing
exit 0

We should avoid temporary file, instead we should use pipes [2].
We should avoid eval [2].
Using the double brackets, instead of single one ([[... ]]) it is comment on the script above [1].
$REPLY can be used to read the previous value of the dir and pattern variable [1].
We can use instead of find, while read contracture (loop) [1]. Find – can be set with a cycle, for or while to check the validation of the file and the directory/path, also comment on the script or using “$pattern” /tmp/listing [1].
No sensitization of the input, the user can put any value and therefore, execute any command to create another command.
As we can see above the script it looks like that it is security vulnerable. If we want to
implement the security in the script we should implement the above changes into the script.

Reference:

[1] Mendel Cooper, 30 April 2011. Advanced Bash-Scripting Guide; An in-depth exploration of the art of shell scripting. Retrieved from: http://tldp.org/LDP/abs/html/index.html
[2] Lecture 8 slides Scripting, Meelis Roos. Retrieved from file: 08-scripting.pdf

The main goal of laboratory report is to identify possible leaked/stolen information,
documents from our system without recognising that attacker had an access. Thus access of the document will inform us immediately with the information of the burglar. The report should highlight the following aspects:

• Constructed an document as non malicious code, for instance honey document that will help us to track from where, who, information about the system, etc. is using our document.
• Detail description of process, how did we build the document and the idea behind the tracking system.
• Description of needed infrastructure that is tracking the document.

The laboratory report is created by a team of 7 members. Where each member had
own task to accomplish.
Moreover, to be more contingent the unknown person has gain access to our
computer/laptop. Thereby he is looking for interesting name of file, folder, etc. that most
likely will have a content of interesting data, information for his purpose. After he
downloaded file/folder from our system the intruder will open this file in his system
assuming that contains very important personal/corporate information. However, by
opening this file/folder, document it will send us immediately leaked information about his
system to our server and additionally an e-mail. This process and procedures that are
behind the honeypot document, or with other words trap set to detect, deflect, or in some
manner counteract attempts at unauthorized use of information systems [1] is described in following sections.
Furthermore, the coding of the honeypot document is done in HTML file with
additional java script queries, where detail information and construction are displayed in
Honeypot section.
Meanwhile in Appendix section we provide the code of the honeypot document and
additional what is the leaked/collected information of the intruder system, with other word,
content illustration of mail and server logs.

Finally the conclusion made of the laboratory report will be concise in summary
section.

HONEYPOT IDEA

HTML file We can name the file online banking or etc. cause it is html and it is more
convincing way that the attacker will assume that this is an not only a online banking link
but yet an the stored cookies and other leaked information.
The honeypot file has inline javascript that will collect as much information as it can
from the users browser, make it into a JSON object and create a request to our server
using that information. The request will return an image, so nothing will be broken,
however on our server we decode the information and send ourselves an alert email, that
someone has accessed that document and where the accessing came from. There is also an image embedded that requests it from our server- these requests are logged and we see the IP address of the opener. This is as a backup in case the user doesn’t allow
javascript to execute.
How we lure an attacker into trap
To discover the identity of attacker and get information, she/he has to open html file.
Besides setting up honeypot from technical point of view, we have to make document
attractive.
On our system all the documents will be protected by (different) passwords. We can
have same password for files with same extensions (for example, for PDFs or for MS Word documents).
In html file, we store these passwords. The name of html document should be
corresponding (“file passwords” for example). Attacker will need additional time to crack
the passwords, so we are offering easy, quick way to get over additional obstacles.
Actually, in html file passwords should be correct not no make the attacker suspicious.
Attacker may be suspicious why we stored this kind of information in html file, but it
can be explained with the following reasons: a) to open html (with notepad or browser for
example) is quicker than opening .pdf and .doc (by Adobe Reader and MS Word
respectively) b) html has different extension (.html) that PDF or MS Word documents, so it has different icon in GUI. If you put a lot of different files in a folder, html is much easier to find with a glance among PDFs and DOCs.

What information we get

The honeypot is scripted to give us the following information about the attacker: first of all IP address. Time, when the attacker accessed the honeypot file.
Except that, we also get information about user agent, OS, language and other details
about attacker’s system. For this concrete task that should be enough. The script is configurable to get some additional information too. As our plan is to simply gather information on our infiltrator, it is essential to avoid being malicious with our code. It will not alter target’s system or bypass any restrictions of it. The solution will not announce itself and will be as stealthy as possible.
The information is sent to mail. For the example of sent e-mail, please refer to Appendix 2.

HONEYPOT INFRASTRUCTURE

We need a Web server running PHP. The PHP script will collect the JSON data received
from the attacker, format it nicely and send via email to people who will process it. If
JavaScript is not enabled on the attacker’s side we rely on the fact that a picture is
accessed from the honeypot html file. The server has to serve this image and the request
for it of course appears in the web server access logs. This information again is processed by the same PHP script mentioned above and forwarded to analysts. Another alternative way to inform security personnel about this honeypot image being accessed is the Simple Event Corelator (SEC) written by Risto Vaarandi [2]. This software is freely available under GPL license. We could write a rule for SEC that would monitor the web server access log file for the specific image file request and send an email with the IP address from which the image was accessed. The rule that is used for SEC can be found in Appendix 3. The content we are looking for in the log file may look like this:

192.168.1.34 - - [07/Dec/2011:19:16:07 +0200] "GET /honey.png HTTP/1.1" 200 1932

SUMMARY

Nowadays the most common vector in unauthorized access into the system is followed by stealing important data, either is from personal computer or corporate network. Therefore, solution of implementing a trap for detecting, and deflecting the attacker of collecting valuable information is important. This laboratory report consists solution for future detection, by creating an honeypot document that will help us to collect data from the attacker. The document it self it is not an malicious code, likewise does not corrupt or infect the attacker system. Solution provided above is designed with an simple infrastructure which help us to identify identity of attacker in different operation system.
Moreover, the honeypot document provides us an information of what is the attacker
or user of this document operation system, which browser he is using, what plugins are
installed in the browser and additional the time of accessing the file and attached IP
address. Thereby, by identifying the above information will guide us in further steps. For
instance by identifying his IP address we can find his location, ISP, etc.
However, is this above provided information enough? The answer to the question is
simple, indeed it is, cause we don’t need more. The idea in this laboratory is not to find or
assail the attacker, but it is just to identify, and realize that someone had an unauthorized
access to the system and to distinguish his identity.
Consequently, from the above we can conclude that we rather gather the
information from the attacker then to attack him back.

APPENDICES

Appendix 1 is the HTML and Java script code presented and in addition in Appendix 2 we
present the e-mail received after the attacker has open the document. SEC are described
in Appendix 3

Appendix 1

HTML + Java script code presented below:

<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<script type="text/javascript">
var JSON;JSON||(JSON={});
(function(){function k(a){return 10>a?"0"+a:a}function o(a){p.lastIndex=0;return
p.test(a)?'"'+a.replace(p,function(a){var c=r[a];return"string"===typeof c?c:"\\u"+
("0000"+a.charCodeAt(0).toString(16)).slice(-4)})+'"':'"'+a+'"'}function m(a,j){var
c,d,h,n,g=e,f,b=j[a];b&&"object"===typeof b&&"function"===typeof
b.toJSON&&(b=b.toJSON(a));"function"===typeof i&&(b=i.call(j,a,b));switch(typeof b)
{case "string":return o(b);case "number":return isFinite(b)?""+b:"null";case
"boolean":case "null":return""+b;
case "object":if(!b)return"null";e+=l;f=[];if("[object
Array]"===Object.prototype.toString.apply(b))
{n=b.length;for(c=0;c<n;c+=1)f[c]=m(c,b)||"null";h=0===f.length?"[]":e?"[\n"+e+f.join("
,\n"+e)+"\n"+g+"]":"["+f.join(",")+"]";e=g;return h}if(i&&"object"===typeof i)
{n=i.length;for(c=0;c<n;c+=1)"string"===typeof i[c]&&(d=i[c],(h=m(d,b))&&f.push(o(d)+
(e?": ":":")+h))}else for(d in
b)Object.prototype.hasOwnProperty.call(b,d)&&(h=m(d,b))&&f.push(o(d)+(e?": ":":")
+h);h=0===f.length?"{}":e?"{\n"+e+f.join(",\n"+
e)+"\n"+g+"}":"{"+f.join(",")+"}";e=g;return h}}if("function"!==typeof
Date.prototype.toJSON)Date.prototype.toJSON=function(){return isFinite(this.valueOf())?
this.getUTCFullYear()+"-"+k(this.getUTCMonth()+1)+"-"+k(this.getUTCDate())
+"T"+k(this.getUTCHours())+":"+k(this.getUTCMinutes())+":"+k(this.getUTCSeconds())
+"Z":null},String.prototype.toJSON=Number.prototype.toJSON=Boolean.prototype.toJSON=fun
ction(){return this.valueOf()};var q=/
[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufe
ff\ufff0-\uffff]/g,
p=/
[\\\"\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\
u2060-\u206f\ufeff\ufff0-\uffff]/g,e,l,r={"\u0008":"\\b","\t":"\\t","\n":"\\n","\u000c"
:"\\f","\r":"\\r",'"':'\\"',"\\":"\\\\"},i;if("function"!==typeof
JSON.stringify)JSON.stringify=function(a,j,c){var d;l=e="";if("number"===typeof
c)for(d=0;d<c;d+=1)l+=" ";else"string"===typeof c&&(l=c);if((i=j)&&"function"!==typeof
j&&("object"!==typeof j||"number"!==typeof j.length))throw
Error("JSON.stringify");return m("",
{"":a})};if("function"!==typeof JSON.parse)JSON.parse=function(a,e){function c(a,d){var
g,f,b=a[d];if(b&&"object"===typeof b)for(g in
b)Object.prototype.hasOwnProperty.call(b,g)&&(f=c(b,g),void 0!==f?b[g]=f:delete
b[g]);return e.call(a,d,b)}var
d,a=""+a;q.lastIndex=0;q.test(a)&&(a=a.replace(q,function(a){return"\\u"+
("0000"+a.charCodeAt(0).toString(16)).slice(-4)}));if(/^[\],:
{}\s]*$/.test(a.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]
{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,
"]").replace(/(?:^|:|,)(?:\s*\[)+/g,"")))return d=eval("("+a+")"),"function"===typeof
e?c({"":d},""):d;throw new SyntaxError("JSON.parse");}})();
</script>
<script type="text/javascript">
var l=window.navigator,q={},a={},r={};delete l.geolocation;for(var i in
l.plugins)a[i]={},a[i].description=l.plugins[i].description,a[i].filename=l.plugins[i].
filename,a[i].name=l.plugins[i].name;delete l.plugins;delete
l.mimeTypes;q.plugins=a;q.nav=l;var h=JSON.stringify(q),s="?
i="+encodeURIComponent(h);document.write('<img
src="http://78.47.222.185/honey.php'+s+'" />');
</script>
<div>TODO write content</div>
<img src="http://78.47.222.185/honey.png" />
</body>
</html>

Appendix 2

What we receive via email:

stdClass Object
(
[plugins] => stdClass Object
(
[0] => stdClass Object
(
[description] => Shockwave Flash 11.1 r102
[filename] => gcswf32.dll
[name] => Shockwave Flash
)
[1] => stdClass Object
(
[description] => Shockwave Flash 11.1 r102
[filename] => NPSWF32.dll
[name] => Shockwave Flash
)
[2] => stdClass Object
(
[description] => NPRuntime Script Plug-in Library for Java(TM)
Deploy
[filename] => npdeployJava1.dll
[name] => Java Deployment Toolkit 7.0.10.8
)
[3] => stdClass Object
(
[description] => 4.0.60831.0
[filename] => npctrl.dll
[name] => Silverlight Plug-In
)
[4] => stdClass Object
(
[description] =>
[filename] => internal-remoting-viewer
[name] => Remoting Viewer
)
[5] => stdClass Object
(
[description] =>
[filename] => ppGoogleNaClPluginChrome.dll
[name] => Native Client
)
[6] => stdClass Object
(
[description] =>
[filename] => pdf.dll
[name] => Chrome PDF Viewer
)
[7] => stdClass Object
(
[description] => DivX VOD Helper Plug-in
[filename] => npovshelper.dll
[name] => DivX VOD Helper Plug-in
)
[8] => stdClass Object
(
[description] => DivX Plus Web Player version 2.1.3.529
[filename] => npdivx32.dll
[name] => DivX Plus Web Player
)
[9] => stdClass Object
(
[description] => Allows digital signing with Estonian ID cards
[filename] => npesteid-firefox-plugin.dll
[name] => EstEID Firefox plug-in
)
[10] => stdClass Object
(
[description] => Google Update
[filename] => npGoogleUpdate3.dll
[name] => Google Update
)
[11] => stdClass Object
(
[description] => Provides functionality for installing third-party
plug-ins
[filename] => default_plugin
[name] => Default Plug-in
)
[length] => stdClass Object
(
)
[item] => stdClass Object
(
[name] => item
)
[namedItem] => stdClass Object
(
[name] => namedItem
)
[refresh] => stdClass Object
(
[name] => refresh
)
)
[nav] => stdClass Object
(
[vendorSub] =>
[product] => Gecko
[userAgent] => Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2
(KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2
[language] => en-US
[productSub] => 20030107
[appVersion] => 5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like
Gecko) Chrome/15.0.874.121 Safari/535.2
[onLine] => 1
[platform] => Win32
[vendor] => Google Inc.
[appCodeName] => Mozilla
[cookieEnabled] => 1
[appName] => Netscape
)
)
TIME-1323861098
IP- xxx.xxx.xxx.xxx

Appendix 3

SEC rule file for web server log monitoring (will work only for IPv4). Alerts the root user via email and suppresses alerts for one hours for the same IP address

type=SingleWithSuppress
ptype=RegExp
pattern=^((?:[\d]{1,3}\.){3})\.[\d]) .+ GET /honey.png
desc=Honeypot picture file accessed from $1
action=pipe mail ‘%s’ mail root@localhost
window=3600

Bibliography

1: Wikipedia, Honeypot (computing), 4 December 2011,
http://en.wikipedia.org/wiki/Honeypot_(computing)
2: Risto Vaarandi, SEC man page, NA, http://simple-evcorr.sourceforge.net/man.html

The above post is written by: Predrag Tasevski, Robert Pallas, Kuuno Pärnoja, Mikheil Basilaia, Karl Düüna, Roman Stepanenko and Heliand Dema

The main goal of laboratory report is to identify possible infection of malware into the
wireshark capture file. The report should highlight the following aspects:
• Download https://sim.cert.ee/hw/download.pcap
• Find malware download in this pcap and extract malware or malwares find out
where malware was downloaded from.
• What malware, malwares changes in system.
• C&C Names and address.
• Document the process also where You found hints and how exactly You did it (you
need to show Your thought and communication process – please write a summary of
it.)
• Write an incident report.
Moreover, we have to consider the malware analysis report reminders, please refer
to [1] or [2].
Additional, analysis it is stated into the Analysis section, where we explain the
techniques, filter tools, gather knowledge, links, etc. Structure of the laboratory report is
first to present analysis with details information. Malware and infections description are
described.
Finally the conclusion made of all analysis will be concise in summary section.

ANALYSIS

To be able to open and use the above file, firstly we have to download the wireshark tool.
Where the main goal and purpose for wireshark application is to analysis a network
protocols from captured file. Therefore please refer to the following link: http://www.wireshark.org/
Useful links for future use, please refer to [3], [4], [5] and [6]. On figure 1 it shows
the Graphic Interface of Wireshark application with running filter: http protocol.

Illustration 1: Wireshark application, filter: http protocol

However, from the figure 1 we can see that there is a lot of traffic generated by the
user. Therefore we have to apply and additional filter rules, which will help and guide for
better and easy analysis. As we go through each generated http protocol traffic we can
conclude that the user generated and has been visiting different source, where can be
potential threat for the organization and personal use with a different malicious code.

To be able to filter only the http protocols on port 80 with a header GET, we should
use the following filter: http.request.method == “GET”. Where this filter will narrow down
the results that are presented into the captured file. In spite of the filter above it helps a lot,
yet there is still a lot of traffic generated, consequently we have to utilize an additional filter.

Another extremely useful wireshark option we used, was Analyze → Follow TCP
Stream which shows communication between IP addresses in more readable and useful
way: shows DNS name for the IP and if file was downloaded gives filetype and name.
We discovered that IP address 79.137.237.34 belongs to accord-component.ru. When we
accessed the site with various web browsers, all of them showed that it contained
malware.

GET /serial/index.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Connection: Keep-Alive
Host: accord-component.ru
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 30 Nov 2011 23:07:18
GMTContent-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.2
Content-Encoding: gzip

Another suspicious IP was 86.63.168.101, where from this IP address brought us to
domain name zumlelao.com, but it was un-accessible from browsers. Wireshark showed the User downloaded file 4.exe from zumlelao.com.

GET /load.php?file=0
HTTP/1.1Accept: image/jpeg, application/x-ms-application, image/gif,
application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: et
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: zumlelao.com
Connection: Keep-AliveHTTP/1.1 200 OK
Date: Wed, 30 Nov 2011 21:55:02
GMTServer: Apache/2
X-Powered-By: PHP/5.2.17
Cache-Control: public
Content-Disposition: attachment; filename=4.exe
Content-Transfer-Encoding: binary
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 10666
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

Additionally, we can always use an Find function, which will help as to identify
certain traffic or site. Figure 2 demonstrated the usage of the Find function, accessible
from menu Edit → Find.

Illustration 2: Wireshark, Find function

Other IP addresses that were generated/extracted first the ones with malware
detected:79.137.237.34 -accord-component.ru; 86.63.168.101 zumlelao.com. Other IP’s
are: 173.194.32.32 (33,34,41,50,51,52,58,59,60,63), 192.168.123.1, 193.184.164.159
(174,176,185), 193.40.252.83, 193.88.71.156, 194.126.108.69 (70), 194.126.124.136,
194.204.14.49, 195.222.15.74, 199.7.48.190, 209.85.173.95, 123.168.24.204 (209,221,225,229,235), 79.137.237.34, 80.252.91.41 (61), 69.171.228.11, 23.32.89.55, 23.32.99.172, 216.34.181.45 (48), 213.168.24.26, 90.190.148.34 (40), 86.63.168.101, 82.98.58.48, 81.19.238.61.

If we run or analysis the above domain names into the google we will automatic
indicated that the zumlelao.com it is an before reported as a malware site and the second
too. Therefore the analysis and the infection of details of malware are highlighted into the
next section.

INFECTION

Indeed, the above captured file presents traffic generated by the user, that can be threat
for the organization, home user, etc. As from the previous section demonstrates how to
identify if the generated traffic has infected or has the user visit the malicious code sites.
This section identifies the malicious code and displays their details.
Moreover, the zumlelao.com host it is reported previous as malicious code site. For
this purpose we gather the help from the following link: http://sopport.clean-mx.de/. Here is
the reported malicious, suspicious code from the above host in the table bellow.

Furthermore, figure 3 is proving the analysis made through the wireshark, were one
of the above links has been access, for more details clink on the above link and points in a figure 3:A and B.

Illustration 3: Prove of generating traffic of following malware link: http://zumlelao.com/load.php? file=0 were B and A are proving the links and the IP initiation.

Moreover, to get the file itself for analysis, we used Netresec’s Network Miner 2.1
http://www.netresec.com/?page=NetworkMiner. In Files menu, it shows all packets as files.
We uploaded 4.exe.octet-stream to virustotal.com – 30 Antivirus software identified as
malware Virustotal link: http://www.virustotal.com/file-scan/report.html?id=d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04b-
1323098398
MD5 : 94a7f6430510fe7314c1e746bad79bf4
SHA1 : 69ab04c9c586a8cf07a00665e160a48260a2465e
SHA256: d6ee8736cd2eae8571b193b28b59dff33e9607237f78b0888d69c70f241bb04b
F-Secure identified malware as Trojan.Generic.KD.438472

Trojan.Generic.KD malwares usually are classified as Backdoors. It infects
executable files in the system and its main goal is to make backdoor into the system. It
changes registry. In some cases it can put payload on the infected system, slow it down
and make internet browsing difficult and time consuming. Aim of the malware can be
stealing information or gaining partial/full access of the victim’s system. On the other hand, Trojan.Generic.KD malwares are difficult to remove from infected computers.
From VirusTotal analysis we can see that various antivirus software can discover
and identify Trojan.Generic.KD.438472. Therefore one can remove malware by
downloading antivirus software provided by F-Secure, Comodo, Microsoft, Sophos,
Symantec, DrWeb, etc. Here is an example from Dr.Web how to delete Trojan.Generic.KD malware http://www.drwebhk.com/en/virus_removal/694829/Trojan.Generic.KD.53986.html
For our case we downloaded Dr.Web CureIt (free edition for home PCs, which discovered
the malware and removed it) – http://www.freedrweb.com/download+cureit/?nc=t&lng=en.
Before continuing to disinfect the system, please read and understand the massage
delivered through this forum: http://forums.majorgeeks.com/showthread.php?t=35407.

SUMMARY

Nowadays malicious codes, infection of the system is one of the highest vector of
production work everyday of the organizations. Therefore, different approaches, advance
analysis, troubleshooting, etc. has to be applicable and stated in every organization.
Leaking of data, information, access of network (internal and external) can be very harmful for organization and even the home usage of computers. Therefore, this laboratory report main aim is to provide the reader to be able to conduct advance analysis of system and their identification of infection within the wireshark network analysis tool.

From the above sections in Analysis and in the Infection we have to follow the steps
and links that will help us for a further work. Meanwhile, the captured generated traffic from the distributed file has indeed indicated that the system it is infected. Were as an prove we demonstrate an screen-shot, figure 3, that one of the infected link has been visited. Likewise, the system of this user is infected. Thus infection identified name is:
TR/Crypt.XPACK.Gen3, where we do supply and the disinfecting stepwise solution with the above link.
Closing, as there are many different ways, tools, process for analysing the malicious
code behaviours in system this laboratory report is supplying the reader with advance and
stepwise solution for identifying the infection of the system within advance network
analysis wireshark application.

WORKLOAD

We made analysis on the virtual Windows 7 machine. For virtualization we used
VirtualBox. During analysis each of group member did the same analysis to cross-
reference the results.
We basically used the following tools: Wireshark, Network Miner and virustotal.com.

Bibliography

1: Lenny Zeltser, Reverse-Engineering: Malware Analysis Tools and Techniques Training, 2011, http://zeltser.com/reverse-malware/
2: Lenny Zeltser, Malware analysis report reminders, 2011, http://zeltser.com/reverse-
malware/malware-analysis-report-template.mm
3: Kevin, Malware Analysis & Malware Reverse Engineering, NA, http://technology-
flow.com/articles/windows-malware-analysis/
4: Chris Greer, Top 10 Wireshark Filters, April 2010,
http://www.lovemytool.com/blog/2010/04/top-10-wireshark-filters-by-chris-greer.html
5: Russ McRe, Security Analysis with Wireshar, November 2006
6: Chief Banana, Using Wireshark filters for capturing malware, Marh 2011,
http://securitybananas.com/?p=529

The above post is written by Predrag Tasevski and Mikheil Basilaia

Shorter link: http://predragtasevski.com/?p=330

The main goal of laboratory report is to identify possible infection of two Windows 7 virtual
machine. Virtual machines presented by the lecture:

• Win 1
• Win 2

The assignment is following:

Find out what is infecting the machine win1

• Understand which way is the current malware dangerous to “your organisation”
• If possible, do clean win1
• Is win2 clean or it has problems, too?
• If needed, do clean win2

Additionally, deliverable questions should be visible:

• Summary – Your thoughts about the exercise. Please provide a short summary
• Malware that infects machines
• Md5 hash – if it possible and if not, please explain, why.
• Sha256 has -if it possible and if not, then please explain, why.
• A description – in which way that malware is a threat to “You organization”
• Tools You used to find the infection(s)
• Tools You used to clean machine(s)
• Where You found hints and how exactly You did it (you need to show Your thought and communication process – please write a summary of it.)
• How would you evaluate your partner.

Moreover, we have to consider the malware analysis report reminders, please refer to [1] or [2].

Furthermore, each virtual machine will be analysed with different tools, in case to
gather more information and solution for disinfecting process.
Structure of the laboratory report is first to present each virtual machine with details information in section Virtual Machine’s, Each visualization is examined. Malware and disinfection process are described. Meanwhile in appendices, we explain what virtual  environment and tools we have used for this written report.
Finally the conclusion made of all analysis will be concise in summary section.

VIRTUAL MACHINE’s

In this section each virtual machines are going to be examine in sub-sections, analysis  and additionally the disinfection solutions, etc. will be presented. The tools that are used for conducting the analysis are presented in the Tools section.

Win1

Intense detail information are highlighted bellow and MD5 sum for Win1 virtual box
machine:
OS: Ms Windows 7 Professional
Version: 6.1.7601 Service Pack 1 Build 7601
System type: 32 bit
Computer name: DoeM
Users Names:

• Jane Doe
• Jhon Doe

MD5 Sum: 6313cf7303de37ba62aadf5208b6ea78

Analysis

The analysis starts firstly from the observations, then with an supporting figures, sample of
identification, are there any dependencies and in closer with summary of the analysis.
From analysis with a different tools we came to conclusion that the above virtual
image it is infected with some malicious code. Were certain tools have provides as an information that there is background accessing to network. However, this analysis it is not enough so therefore we will do more inside investigation to come-out with the hosts or network that the malicious code is trying to access, or an information that is shared.

To be able to identify the behaviour of a network we have used the Wireshark tool.
Bellow are highlighted the steps: Network adapter type: NAT, logged in as: John Doe,
additionally Wireshark run as Administrator. Upon the testing, the only user application
open on WIN1 is Notepad. No additional network activities from log-in user, also no
network activities from user on Host System. Wireshark, it detected suspicious traffic:

1. Classification: BAD TCP (according to Wireshark coloring rules), Destination: 192.168.0.254 / 8.8.4.4 (Googne Public DNS) with Protocol: DNS; Info: Standard query A mamtumbochka766.ru / Standard query A followmego12.ru / Standart query A losokorot7621.ru / standard query A hidemyfass87111.ru /; Reason for classification as BAD TCP: Header checksum incorrect, maybe caused by “IP checksum offload”, Message: Bad Cheksum, Severity level: Error
2.  As a response, WIN1 machine got UDP packet (according to Wireshark coloring rules); Protocol: DNS; Info: Standard query response, Sever failure.
3. Additionally, Wireshark detected another round of BAD TCP packets; Classification: BAD TCP; Destination: 195.226.218.135; Protocol: TCP; Port: 50530; Info: HTTP ACK (before that, WIN1 sent ACK message, got SYN ACK and this packet was an ACK). Where during HTTP session, WIN1 machine received the following linebased text data: i5eOnJKV57mp5biuqK+0tri0tbW+uK+0qeDr57mp5b29uL6pr7ypurm5vqng6+e 5qeU=; Then WIN1 received FIN ACK message from server and send ACK and FIN  ACK. Session was finished.

The session was repeated once in 3 minutes and received line-based text data, for
all sessions was the same. For illustration please refer to the following link for more details
of pcap life of wireshark: http://bit.ly/mDdqAQ.

Additional log files and screen shots are presented bellow during the analysis with
other tools that are listed in the sections of tools.

Illustration 1: TCPView tool, YGLA.ru access to domain

Furthermore, log illustration of hijackThis tool:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:35:44, on 27.11.2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\VBoxTray.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Jhon Doe\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F3 - REG:win.ini: load=C:\Users\JHONDO~1\LOCALS~1\Temp\5b17fff70008a4e8.exe
O4 - HKLM\..\Run: [VBoxTray] C:\Windows\system32\VBoxTray.exe
O23 - Service: FJOSKX - Sysinternals - www.sysinternals.com -
C:\Users\JHONDO~1\AppData\Local\Temp\FJOSKX.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE
Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SUUKATRPY - Sysinternals - www.sysinternals.com -
C:\Users\JHONDO~1\AppData\Local\Temp\SUUKATRPY.exe
O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Oracle Corporation -
C:\Windows\system32\VBoxService.exe

Alternatively, we turn to Process Explorer and Process Monitor from Sysinternals. In
spite of comprehensive information and some suspicious activities, these tools were
unable to show direct link to malware. We analyzed some suspicious DLLs and .exe files,
but all of them appeared to be legitimate Windows files. Also ee turned to Security Task
Manager by Neuber Software where it discovered file 061afffa0005f9e5.exe in
C:\Users\JHONDO~1\LOCALS~1\Temp folder. Usually malware runs itself or is hidden in
Temp folder. So weird name and location give us enough reason to think it’s malware.
Additional information provided by Security Task Manager: Company: Not provided;
Type: Program. Hidden; Starts: when Windows starts and Registry: win.ini.

Meanwhile, for advance analysis we have conduct with clean boot which is
explained into the KB article in the following link: http://support.microsoft.com/kb/929135.
Now we run the wireshark analysis network tool, where no more suspicious network traffic
is identified. This means that the malicious code is running from 3rd party applications and
not from Microsoft services or process.

Likelihood, to be able to identify the malicious code, threads in virtual machine, we
recommend to run an online free virus scanning. Thus process is done by ESET free
online tool scanning, refer to the following link: http://www.eset.com/us/online-scanner/.
The aim of this step is to help to identify if the threads have been registered in to the virus
signature database. If so, this will be a useful information and will assist to continue with
analysis.

Eset Online scanner, found 20 threads:

C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.2.60\c39bb188f2ac6534e75c6d961b9a78a2 Win32/Spy.SpyEye.BY trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-

1.2.99\92bf8b3eb04be42f6aba05d6b97e8f25 Win32/Spy.SpyEye.BY trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.10\21da6142e3cd3979b7ef122ee638c78f a variant of Win32/Kryptik.MKM trojan
cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.25\7822bbf0c8ea3e9a75a19e954a39d6c9 Win32/Spy.SpyEye.CA trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.31\2bed4bbed303c91e2169b2f32db46acb.exe Win32/Spy.SpyEye.CA trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.32\1686b7e48871dd715336c732cfc32c1d Win32/Spy.SpyEye.CA trojan cleaned
by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-
1.3.34\b2c3acf99f68c42626cf345b74095d51 a variant of Win32/Spy.SpyEye.CA trojan
cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R387J1S IRC/SdBot
trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R6TYLIY a variant of
Win32/Kryptik.KUQ trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R8Y8LWG Win32/Pepex.E
worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RD4Q6CZ
Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RI87EEE
Win32/AutoRun.KS worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIJ4S9U a variant of
Win32/Kryptik.KUQ trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$ROFILPO probably a
variant of Win32/Autorun.MHBFUDT worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RQNEZXA Win32/Pepex.F
worm cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RU9MNXT IRC/SdBot
trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RY4NX2I IRC/SdBot
trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RY6CB6A
Win32/AutoRun.KS worm cleaned by deleting - quarantined
C:\Bios.Bin\Bios.Bin.exe a variant of Win32/Injector.FPL trojan cleaned by deleting -
quarantined
C:\Users\Public\Videos\Sample Videos\moos.exeIRC/SdBot trojan cleaned by deleting -
quarantined

Each virus definition is presented bellow in the following table with the description
link:

From the above table we can come to the conclusive proof that total sum number of
malicious code running in the virtual machine are 20, with an 9 different definitions of
trojan, warms, etc. However, most of them were located in to the Recycle bin folder.
Additionally to the analysing packets with Wireshark showed that Win1 has some malware, which sent and received some information over network without knowledge of the user. Destination IP addresses, names and port numbers were suspicious.

Disinfection

Indeed, this virtual machine it is infected. Therefore we have to perform an disinfection
process. However, from the above table of the links it provides an solution and steps that
should be followed for disinfection process. Either with an tool or steps for removing the
malicious code. Also, we can remove the files with some additional tools that are available
for free, for instance Eraser tool. Now that we know the exact location of each infected file
it is much easier and simple to be able to delete, remove the files from our system.
Although we could use the Eset scanner tool that we have performed previously.
Nevertheless, to be sure and more save way is to do the removing process manually.

Therefore, recommendation for deleting the malicious code of all time from virtual
machine is eraser tool. You need to configure task and which folders or files you specify to
be removed. After the task was completed, restart the machine and now the system should be disinfected and additional we recommend to run the Eset online scanner free tool one more time, just in case in a meaner of your organization.

 Win2

Intense detail information are highlighted bellow and MD5 sum for Win2 virtual box
machine:
OS: Ms Windows 7 Professional
Version: 6.1.7601 Service Pack 1 Build 7601
System type: 32 bit
Computer name: DoeM
Users Names:

• Jane Doe
• Jhon Doe

MD5 Sum: 155a5b9e8b842dff4aa5a7b4361113d3

Analysis

Despite the fact that Process Monitor, TCPView and other Sysinternals Suite analysis tools did not help us at all (also Wireshark did not detect any suspicious network activities), at this point, additionally registry changes were detected with CaptureBat tool, where the log file will be presented in figure 2. However by running the ESET online free scanner tool, it did detect in total three threads to our virtual machine, logs are presented bellow.

Eset Online Scanner, found 3 threads:

C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1001\$RKV8ZW1.exe
Win32/Duqu.A trojan
C:\Users\Jane\AppData\Local\Temp\0004fbd1.tmpa variant of Win32/Kryptik.VFI trojan
C:\Users\Jane\AppData\Local\Temp\b01dffe3001c4fe2.exe
Win32/TrojanDownloader.Agent.QXN trojan

Threads are located in to the system directory of Jane user name. Additionally, there
is an other malicious code located into the Recycle bin as we were able to detect into the
previous analysis for Win1 virtual machine. In spite of fact that in previously scenario we
had only a threads located into Recycle Bin, at this virtual environment we have as an local
files. Therefore to be able to identify the above file and there integrity we have to sum the MD5 and SHA256 algorithms. For this action we are using an online tool winMd5Sum.

For advance analysis, we will run the MD5Sum into the virustotal.com search to
identify the threads. Indeed, all of the above have been reported previously as a malware.
Meanwhile, to gather better description of the above malicious codes we will search the
definitions in the Eset database and descriptions provided in the following table.

Illustration 2: CaptureBAT, win2, registry changes

Figure 2 is just a part of the log files that were able to be capture of the CaptureBAT tool, as we can see form the above that many changes were effected over the registries. Therefore, we need to run either an registry system check or as we know the location of the malicious code, with OllyDbg we can run the files and inspect there behaviour and if they have any additionally affect over the memory dump, etc. presented in figure 3.

Illustration 3: OllyDbg analysis, memory dump, system dll access, etc.

Nevertheless, because now we have the locations and the threads description it is
next step to disinfected the system, yet it is still a big thread for the organization, etc.

Disinfection

As on the previously scenario, we recommend either to use the Eset online free scanner or to use in more convinced way the Eraser tool, for removing the malicious code from the
machine forever. Furthermore, to just make sure that the above malicious code is
removed, disinfected from our system still recommendations is to run the Eset tool for a
second time, for double check the system.
All the above files and threads could be a very harmful for the organization and for
everyday production work. Therefore, advance analysis of the system it is always in hands
to help us to protect our data, internet access, etc. of being leaked.

Tools

Tools that help for conducting the results are highlighted in this section. Those are just few
of them that are available for this purpose. Nevertheless, we have use only the listed ones.
Tools and downloadable links:

• CaptureBAT: http://www.honeynet.org/node/315
• Most of the tools that are used for this laboratory report are Sysinternals Suite: http://technet.microsoft.com/en-us/sysinternals/bb842062
• Advance report: HijaskThis: http://free.antivirus.com/hijackthis/
• Wireshark: http://www.wireshark.org/
• ESET Free Online Scanner: http://www.eset.com/us/online-scanner/
• Eraser: http://www.heidi.ie/eraser/
• Virustotal: http://www.virustotal.com/
• Security Task Manager: http://neuber.com/taskmanager/index.html
• OllyDbg v1.10: http://www.ollydbg.de/
• WinMD5Sum: http://www.nullriver.com/products/winmd5sum

SUMMARY

The goal of this post is to identify and analyze mobile malware file: mmc.jar. Thereby please follow the following steps for completing the task:

• Unpack the file (hint – using zip on .jar)
• Examine .class files using tool available here (local copies for Mac, Linux, Win)
• Find code sending SMSes using ‘sms://’ URI
• Calculate short number used in SM.send
• Finally for compiling the code use the developing tool Eclipse IDE.

ANALYSIS

After running the decompiler tool we are examining and analyzing the Java source code. Whereby on the source code on the class M.class line 343 we have found the following source code:

if ((i >= 35) &amp;amp;&amp;amp; (SM.isSending != true) &amp;amp;&amp;amp; (i % 6 == 0) &amp;amp;&amp;amp; (f < count_query)) {
  if (SM.GS()) f += 1;
   if (f == 1) {
            RS.L(rs);
            RS.L("Slide");
            rs = RS.j("Slide");
            game = RS.L(rs, Integer.toString((int)(System.currentTimeMillis() / 1000L)));
            RS.L(rs);
   }if (f < count_query) {
  game = SM.send("sms://" + ms[1][b], ms[2][b]); // sms://
  if (b == count_query) b = 1; else b += 1;
}

public static int send(String s, String s1)
{
   if (isSending) return 0;
      new SM(s, s1);
   return -1;
}
public SM(String s, String s1) {
 success = false;
 isSending = true;
 this.destination = s;
 this.message = s1;
 try {
      Thread thread = new Thread(this);
      thread.start();
 }
 catch (Exception exception) {
 isSending = false;
}

/0SIF|6XI8ULE|YNLD5QDA6WM|YJ90RL/+WPJDAFY2 DC3QJ/+3RKA/5YPA0MD-5QFD
while 7375/88600168904|7202/65510006691|1899/FTEME 1283|8385/88600168904|
1 16
2 33
3 49
4 66
7375 88600168904 //sms://7375
7202 65510006691 //sms://7202
1899 fteme 1283 //sms://1899
8385 88600168904 //sms://8385
decoded
36
7375 88600168904
42
7202 65510006691
48
1899 fteme 1283
54

Task

Write a regular expression for matching the names which follow the following rules:
1) Each name consists of one or more parts. If there are two or more parts, they are separated either with a single space (” “) or dash (“-”) character.
2) Each name part must consist of letters only. The name part must begin with an upper-case letter which are followed by one or more lower-case letters. Each name part can  have an optional prefix which begins with an upper-case letter, followed by one or more lower-case letters.

Solution

^([A-Z][a-z]+([A-Z][a-z]+)?(\s|-))*[A-Z][a-z]+([A-Z][a-z]+)?$

For completing the task, we are dividing into several sub-tasks.

Firstly, we had to find expression, which satisfies the first requirement of the task: representing one or more parts, which can be separated either with space (“ “) or dash (“-”). Thereby, we can represent space and dash with the following expression (\s|-).

If the entry is just one legitimate part (without space or dash after), (\s|-) has 0 occurrences. Yet the entry may consist of many legitimate parts divided by spaces or dashes. The expression should be (\s|-)*.

As for the legitimate parts, we have to write expression considering second part of requirements.

Legitimate part should consist of letters only, begin with (only one) uppercase letter and followed by one or more lowercase letters. Legitimate part can have prefix beginning with (only one) uppercase letter, followed by one or more lowercase letters.

Therefore, [A-Z][a-z]+ represents the entry which begins uppercase letter and is followed by one or more lower case letters. In addition, to represent prefix, which occurs either 0 or 1 time, we will have the following expression: ([A-Z][a-z]+)?. Moreover, to represent the whole legitimate entry, we merge the two expressions (it does not matter whether prefix expression comes first) with: A-Z][a-z]+([A-Z][a-z]+)?. Thus with this expression we go back to (\s|-)* where putting [A-Z][a-z]+([A-Z][az]+)? into parentheses with (\s|-) and take * outside of parentheses (as this whole expression) legitimate part with either space or dash should be presented for 0 or more consecutive times.

(([A-Z][a-z]+([A-Z][a-z]+)?(\s|-))*

To be able to exclude entries, which end with “-”, we add expression of legitimate part. and add “^” and “$” respectively at the beginning and the end of expression, to mark the  beginning and an end of the string.

^(([A-Z][a-z]+([A-Z][a-z]+)?(|s|-))*([A-Z][a-z]+([A-Z][a-z]+)?$

Finally, we have the whole expression we have to test it (we have to put the expression in quotation marks).

egrep ‘^([A-Z][a-z]+([A-Z][a-z]+)?(\s|-))*[A-Z][a-z]+([A-Z][a-z]+)?$’ <file_name>

The above solution is written by: Predrag Tasevski and Mikheil Basilaia