Friday, October 19, 2012

Black Hole Exploit Kit 2 (BHEK) summary


This post is just to summarize some quick facts about the problematic BHEK v2.  Why problematic?  Well, this version of the exploit kit has raised the bar in sophistication and is harder to detect, defend against and find.  It's currently driving many of us on the threat ops and intel side crazy, so sharing information is paramount.

Here is a roundup of data and analysis on BHEKv2:

Great write-up via spider labs
http://blog.spiderlabs.com/2012/09/blackhole-exploit-kit-v2.html

Malware don't sleep (inside BHEK v2)
http://malware.dontneedcoffee.com/2012/09/behind-captcha-or-inside-blackhole.html

Excellent analysis by Malware Must Die!
http://malwaremustdie.blogspot.jp/2012/09/following-lead-of-suspected-blackhole2.html

Great analysis by Mila
http://contagiodump.blogspot.fr/2012/09/cve-2012-4681-samples-original-apt-and.html

Download BHEK v2 (partial pack)
http://contagio.deependresearch.org/files/Blackhole2files.zip

Snort signatures:

SOURCEFIRE SNORT
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder"; flow:to_server,established; content:"href=|22|http|3A 2F 2F|"; content:"/index.html|22|"; within:50; pcre:"/\x2f[a-z0-9]{8}\x2findex\.html\x22/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:24171; rev:1; )
EMERGING THREATS
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:4;)


List of BHEKv2 compromised domains (from contagio):
arksylhet.com
badshahpromotions.co.uk
centroedusantaterezinha.org
chambe-aix.com
colombianfashion.com
curatatorie-sibiu.ro
davidicke.pl
domaister.com
dpwparking.com
ecoaction21.fr
estetiqueroman.ro
fengshuitonight.com
ferretsac.com
firetowerguard.com
groupe-cmb.com
hmlanding.com
innovahogar.es
jusprev.org.br
justwebdesign.co.za
karpar.gr
lehoapaper.com
muzee.org
nailtaxi.com
onewaytransportproducts.com
sloanegroup.com
sv.thanmadailuc.com
trends-und-freizeit.de
ukhs.dk
wnyportal.com
www.golfer360.de

Target Email URLs (from contagio):
http://arksylhet. com/A67iD4eo/index. html
http://arksylhet. com/QSpUShbL/index. html
http://badshahpromotions. co. uk/zpVjiR/index. html
http://centroedusantaterezinha. org/foRHmF8/index. html
http:///Wjn56cM6/index. html
http://chambe-aix. com/yCkWRN/index. html
http://chambe-aix. com/yYiD9SAs/index. html
http://colombianfashion. com/Mt1T26/index. html
http://curatatorie-sibiu. ro/fbwoGoYB/index. html
http://curatatorie-sibiu. ro/QeHis8s/index. html
http://davidicke. pl/0qaSfRv/index. html
http://davidicke. pl/mZbkMz/index. html
http://davidicke. pl/x1s0xB8z/index. html
http://domaister. com/LD2nAc/index. html
http://dpwparking. com/PYG35et/index. html
http://ecoaction21. fr/QBA8Re4S/index. html
http://estetiqueroman. ro/KD31RjXc/index. html
http://fengshuitonight. com/JTARZz/index. html
http://fengshuitonight. com/vRNXQq/index. html
http://ferretsac. com/wBbsvpF/index. html
http://ferretsac. com/wc4hACm/index. html
http://ferretsac. com/z7ShYa3/index. html
http://firetowerguard. com/AEuifWY/index. html
http://groupe-cmb. com/JWBpK7qd/index. html
http://groupe-cmb. com/ukKmLYf0/index. html
http://groupe-cmb. com/zc0XNMxZ/index. html
http://hmlanding. com/60QuVZQ/index. html
http://innovahogar. es/4oRnMr/index. html
http://innovahogar. es/V2dSnzdv/index. html
http://innovahogar. es/ZUCufHc/index. html
http://jusprev. org. br/aZhDGJ1e/index. html
http://justwebdesign. co. za/X1dWrR/index. html
http://karpar. gr/mMDBNKhE/index. html
http://karpar. gr/yoTkZUm0/index. html
http://karpar. gr/yUyj1crG/index. html
http://lehoapaper. com/hUvbnijs/index. html
http://muzee. org/AA9njNS/index. html
http://nailtaxi. com/yjgSuE/index. html
http://onewaytransportproducts. com/auVejpR/index. html
http://sloanegroup. com/1n70Gvt/index. html
http://sv. thanmadailuc. com/9vy1FW/index. html
http://sv. thanmadailuc. com/UotPEhM/index. html
http://sv. thanmadailuc. com/x4MSyKCz/index. html
http://trends-und-freizeit. de/4UDFo4/index. html
http://ukhs. dk/ZjUP5CCZ/index. html
http://wnyportal. com/cKodnh/index. html
http://justwebdesign. co. za/X1dWrR/index. html
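As an added example that is not part of the post (nor code from contagio, Sourcefire or Emerging Threats), the Python below approximates the URL checks in the two Snort signatures in the "Snort signatures" section above and runs them over three URLs taken from the Target Email URLs list above plus two constructed example.com cases. It assumes the ET urilen:20<>21 window is meant inclusively (20 to 21 bytes), and it drops the trailing \x22 from the Sourcefire pcre because that quote belongs to the href="..." context of the SMTP body rather than to the URL itself.

```python
import re
from urllib.parse import urlparse

# Sample input. The first three entries are taken from the post's "Target Email
# URLs" list and kept in its defanged "dot space" form; the last two are
# constructed for this example and are not from the post.
SAMPLE_URLS = [
    "http://arksylhet. com/A67iD4eo/index. html",               # 8-char folder
    "http://badshahpromotions. co. uk/zpVjiR/index. html",      # 6-char folder
    "http://centroedusantaterezinha. org/foRHmF8/index. html",  # 7-char folder
    "http://example.com/abcdefgh/index.html",                   # constructed: 8 chars, no uppercase
    "http://example.com/search/index.html",                     # constructed: benign-looking path
]


def refang(url: str) -> str:
    """Undo the post's '. ' defanging so urlparse sees a normal URL."""
    return url.replace(". ", ".")


# Sourcefire sid:24171 pcre is /\x2f[a-z0-9]{8}\x2findex\.html\x22/msi, matched
# against an href="..." in the SMTP body. Here it is applied to the URL path, so
# the trailing \x22 (the closing quote of the href) is dropped.
SOURCEFIRE_RE = re.compile(r"/[a-z0-9]{8}/index\.html$", re.IGNORECASE)

# ET sid:2014521 pcre is /^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U; the
# rule also requires urilen:20<>21 and no "search" in the URI. The length window
# is modelled as 20..21 bytes inclusive (an assumption about the rule's intent).
ET_RE = re.compile(r"^/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*/index\.html?$")


def sourcefire_match(url: str) -> bool:
    """Does the URL path satisfy the Sourcefire 8-character-folder pattern?"""
    return SOURCEFIRE_RE.search(urlparse(refang(url)).path) is not None


def et_match(url: str) -> bool:
    """Does the URL path satisfy the ET pattern plus its length and 'search' constraints?"""
    path = urlparse(refang(url)).path
    if "search" in path.lower():
        return False
    if not 20 <= len(path) <= 21:
        return False
    return ET_RE.match(path) is not None


def evaluate(urls):
    """Map each URL to (sourcefire_hit, et_hit) so the two heuristics can be compared."""
    return {url: (sourcefire_match(url), et_match(url)) for url in urls}


if __name__ == "__main__":
    for url, (sf, et) in evaluate(SAMPLE_URLS).items():
        print(f"SF={'hit ' if sf else 'miss'} ET={'hit ' if et else 'miss'}  {refang(url)}")
```

Running this over the full list above shows the coverage gap: only the 8-character folder names (A67iD4eo, QSpUShbL, ...) satisfy either rule, while the 6- and 7-character folders in the same list (zpVjiR, foRHmF8, ...) slip past both as written. The ET regex additionally requires an uppercase letter somewhere after the first character of the folder name, so an all-lowercase 8-character folder fires only the Sourcefire rule. Both points are worth keeping in mind when tuning coverage for this kit.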


Sunday, August 19, 2012

Open-Source Centralized Log Management

With the rise of SIEM and IT operations data-mining use cases, many organizations are investing, or deciding how to invest, in centralized log management. I'm sure people wonder: are there interesting open source alternatives, or should I even bother?

Well, it depends. I think there are some great new options to test or keep an eye on, some fantastic mature commercial options, and something in between (Splunk).

So here are the latest and greatest open source options compared to commercial products such as:
Splunk, QRadar Log Manager, ArcSight Logger, LogRhythm, etc.

enterprise-log-search-archive (ELSA)

A Perl, MySQL and Solr based solution which is said to be faster than Splunk on large data sets and seems to have a large following. There is currently no commercial backing or support, and it looks like the web interface is highly usable but not rich in visualization options (a trait you will find common in the open source offerings).

http://code.google.com/p/enterprise-log-search-and-archive/
http://vimeo.com/39722091

Sentry

A Python and Django based solution by the guys from DISQUS. It seems to be an interesting HTTP-based approach and looks high performance. Lots of documentation is available; a great option for Python hackers (like me).

http://sentry.readthedocs.org/en/latest/
https://www.wunki.org/posts/2012-01-19-centralized-logging-with-sentry.html

Graylog2

Looks to have the best interface of the group; this is a Ruby on Rails based project by the smart folks at XING. It looks to be well maintained and feature rich. I would love to know how it scales.

http://graylog2.org/

LogStash

Java + Ruby on Rails based streaming log aggregation. Looks very cool; it was created by an ex-Google engineer now working at Loggly. A very actively maintained project with lots of documentation and some cool features. This one is definitely worth checking out.

http://logstash.net/
http://www.oscon.com/oscon2012/public/schedule/detail/26347

Logsandra

Another Python based project, using a Cassandra (NoSQL) backend database. A cool looking project, but early stage, and it does not seem to have a mature UI.

https://github.com/thobbs/logsandra
http://my.safaribooksonline.com/book/databases/9781849515122/libraries-and-applications/ch10lvl1sec12

Scribe

Python based log aggregation tool used by Facebook. Does not seem to have been actively maintained or updated in several years :(

https://github.com/facebook/scribe


Unfortunately I cannot speak to the performance, features or overall quality of these solutions. Perhaps when I have more time I can try them out and write some reviews. Enjoy!

Monday, July 30, 2012

ArcOSI is now Bad Harvest


ArcOSI has been officially renamed to Bad Harvest and has great new threat intelligence sources in the latest version, available now... Get it!

PPTP VPN is Critically Vulnerable.

Moxie Marlinspike does it again. The eclectic hacker who previously brought you SSLStrip has now released (at DEF CON 20) a utility and advisory on cracking MS-CHAPv2, which powers most PPTP VPNs. The code is at https://github.com/moxie0/chapcrack and the suggestion is to migrate to OpenVPN for a more secure VPN setup. Also, if you're bored, read some of his excellent stories.

Tuesday, June 12, 2012

Friday, April 13, 2012

Looking for a localhost caching nameserver?

Back in the day I would use dnscache and sometimes even BIND for local network or localhost caching recursive DNS. I was hoping there was a newer, better, faster and easier to set up / maintain solution in 2012...

I found unbound. http://unbound.net/

If you have a server that does tons of DNS lookups (think SIEM), then this is a must.

Debian/Ubuntu:
apt-get install unbound

Redhat/Centos:
yum install unbound

It's secure and listens only on 127.0.0.1 by default. How cool is that?

Lastly, don't forget to update resolv.conf...

echo "nameserver 127.0.0.1" > /etc/resolv.conf
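To verify the end state of the steps above (unbound answering only on 127.0.0.1, and the resolver actually pointed at it), here is an added Python check script that is not part of the post or of the unbound project. It parses resolv.conf text and the listener table printed by `ss -lntu`; the two sample inputs embedded in it are constructed for the example, and when run directly it falls back to those samples if the live files or command are unavailable.

```python
import subprocess

# Constructed sample inputs (not captured from a real host) standing in for
# /etc/resolv.conf and the output of `ss -lntu`.
SAMPLE_RESOLV_CONF = """\
# constructed for this example
search example.test
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:*
tcp   LISTEN 0      256    127.0.0.1:53      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def first_nameserver(resolv_conf: str):
    """Return the first 'nameserver' entry in resolv.conf text, or None."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return None


def resolv_uses_localhost(resolv_conf: str) -> bool:
    """True when the stub resolver will ask 127.0.0.1 first, as the echo above sets up."""
    return first_nameserver(resolv_conf) == "127.0.0.1"


def dns_listeners(ss_output: str):
    """Extract the local addresses bound to port 53 from `ss -lntu` style output."""
    addrs = []
    for line in ss_output.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        local = cols[4]                       # "Local Address:Port" column
        addr, sep, port = local.rpartition(":")
        if sep and port == "53":
            addrs.append(addr)
    return addrs


def dns_listens_loopback_only(ss_output: str) -> bool:
    """True when at least one port-53 listener exists and every one of them is on
    loopback (unbound's default); False if port 53 is exposed on 0.0.0.0, *, or an
    interface address, or if nothing is listening on 53 at all."""
    addrs = dns_listeners(ss_output)
    return bool(addrs) and all(a in LOOPBACK for a in addrs)


if __name__ == "__main__":
    # Live check on the current host; falls back to the constructed samples.
    try:
        with open("/etc/resolv.conf") as fh:
            resolv = fh.read()
        ss_out = subprocess.run(["ss", "-lntu"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        resolv, ss_out = SAMPLE_RESOLV_CONF, SAMPLE_SS_OUTPUT
    print("resolv.conf points at 127.0.0.1:", resolv_uses_localhost(resolv))
    print("port 53 listeners:", dns_listeners(ss_out))
    print("loopback only:", dns_listens_loopback_only(ss_out))
```

A "loopback only" result of False after the install is the signal to look at the interface directive in unbound.conf before trusting the default described above.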

Thursday, April 12, 2012

Tuesday, April 3, 2012

ArcOSI 30 released

Added new sources, some parsing fixes and the ability to specify a custom port via the command line. Currently only the Python code is released, but I will compile the Windows binary later today.

Download @ code.google.com/p/arcosi

-Greg

Wednesday, March 28, 2012

A little about MS12-020

Great history of the vulnerability by the original Italian researcher: http://aluigi.org/adv/ms12-020_leak.txt
He sold the bug to ZDI with a DoS PoC; they reported it to Microsoft, and the bug is suspected to have leaked through a MAPP partner to a Chinese entity and surfaced as rdpclient.exe.

Small companies: firewall off all remote access to 3389.
Enterprise: scan and test, deploy signatures, alert the SOC and start a monitoring campaign during lockdown efforts.

Snort signatures (untested):

alert tcp any any -> $HOME_NET 3389 (msg:"Potential MS12-020 RDP DoS attempt - MaximumParameters"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; content:"|30 19|"; distance:25; within:2; content:"|30 1c|"; distance:25; within:2; byte_test:1,=,255,2,relative; reference:cve,2012-0002; classtype:attempted-dos; sid:1000031; rev:1;)

alert tcp any any -> $HOME_NET 3389 (msg:"Potential MS12-020 RDP DoS attempt - MaximumParameters"; flow:to_server,established; content:"|03 00|"; offset:0; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; byte_jump:1,10,relative; byte_jump:1,1,relative; byte_test:1,=,255,4,relative; reference:cve,2012-0002; classtype:attempted-dos; sid:1000026; rev:1; priority:1;)
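Rules copied off a blog or wiki often arrive with typographic quotes and dashes (the two rules above, as originally pasted, carried ” and – inside msg and content), which Snort will refuse to load. The following Python linter is an added example, not part of the post and not a Snort tool: it normalizes those characters and flags the structural problems a rule must not have before it goes into a sensor (unparseable header, unbalanced quotes, missing msg/sid/rev/classtype, non-numeric sid, unpaired hex pipes). The sample input is the first MS12-020 rule above in its pasted form; the set of required options is this example's own choice.

```python
import re

# Typographic characters that commonly creep in when a rule is pasted through a
# blog or word processor, mapped to the ASCII the rule parser expects.
SMART_CHARS = {
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u2013": "-", "\u2014": "-",   # en dash, em dash
    "\u00a0": " ",                  # non-breaking space
}

# Options this linter insists on (a local policy choice, not a Snort requirement
# for every option except sid).
REQUIRED_OPTIONS = ("msg", "sid", "rev", "classtype")

HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S,
)

# The first MS12-020 rule from the post in the form it was pasted (curly quotes
# and an en dash inside msg and content), used here as the sample input.
RAW_RULE = (
    'alert tcp any any -> $HOME_NET 3389 (msg:”Potential MS12-020 RDP DoS attempt – MaximumParatmers”; '
    'flow:to_server,established; content:”|03 00|”; depth:2; content:”|7f 65 82 01 94|”; distance:24; within:5; '
    'content:”|30 19|”; distance:9; within:2; content:”|30 19|”; distance:25; within:2;content:”|30 1c|”; '
    'distance:25; within:2; byte_test:1,=,255,2,relative; reference:cve,2012-0002; classtype:attempted-dos; '
    'sid:1000031; rev:1;)'
)


def normalize_rule(rule: str) -> str:
    """Replace typographic quotes, dashes and spaces with their ASCII equivalents."""
    return "".join(SMART_CHARS.get(ch, ch) for ch in rule)


def split_options(body: str):
    """Split the option body on ';' outside double quotes, honouring backslash
    escapes. Returns (options, unbalanced_quote_flag)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(ch)
    token = "".join(cur).strip()
    if token:
        opts.append(token)
    return opts, in_quote


def lint_snort_rule(rule: str):
    """Return a list of human-readable problems. An empty list means the rule
    passed the syntax checks here; it says nothing about what the rule detects."""
    problems = []
    for ch in sorted({c for c in rule if ord(c) > 0x7F}):
        hint = SMART_CHARS.get(ch)
        problems.append(f"non-ASCII character U+{ord(ch):04X}"
                        + (f" (did you mean {hint!r}?)" if hint else ""))
    match = HEADER_RE.match(rule.strip())
    if not match:
        problems.append("rule header does not parse as: action proto src sport -> dst dport (options)")
        return problems
    options, unbalanced = split_options(match.group(8))
    if unbalanced:
        problems.append("unbalanced double quotes in rule options")
    keys = {}
    for opt in options:
        name, _, value = opt.partition(":")
        keys.setdefault(name.strip(), []).append(value.strip())
    for req in REQUIRED_OPTIONS:
        if req not in keys:
            problems.append(f"missing required option '{req}'")
    if "sid" in keys and not keys["sid"][0].isdigit():
        problems.append("sid is not numeric")
    if rule.count("|") % 2:
        problems.append("odd number of '|' hex delimiters")
    return problems


if __name__ == "__main__":
    print("pasted rule:", lint_snort_rule(RAW_RULE))
    print("normalized :", lint_snort_rule(normalize_rule(RAW_RULE)))
```

The normalized rule passes this linter; whether it fires on MS12-020 traffic is a separate question, which is why the post marks the rules as untested.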