<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>Images of Pixels and Light</title>
   <link rel="alternate" type="text/html" href="http://www.ita.org/" />
   <link rel="self" type="application/atom+xml" href="http://www.ita.org/atom.xml" />
   <id>tag:www.ita.org,2007://1</id>
   <updated>2007-02-16T16:53:33Z</updated>
   
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.33</generator>

<entry>
   <title>DC3 Challenge Rankings</title>
   <link rel="alternate" type="text/html" href="http://www.ita.org/2007/02/dc3_challenge_rankings.html" />
   <id>tag:www.ita.org,2007://1.8</id>
   
   <published>2007-02-02T01:55:36Z</published>
   <updated>2007-02-16T16:53:33Z</updated>
   
   <summary>We got our rankings in the DC 3 Challenge... we came in 4th! We were 3rd in the Academic category! 21 teams submitted results, 140 teams were sent results, which means 119 teams felt the challenges were either too hard...</summary>
   <author>
      <name></name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.ita.org/">
      <![CDATA[We got our rankings in the <a href="http://www.dc3.mil/challenge">DC 3 Challenge</a>... we came in 4th! We were <B>3rd</b> in the Academic category! 21 teams submitted results, 140 teams were sent results, which means 119 teams felt the challenges were either too hard or their results were too crappy. That is not bad at all. We expected maybe top 10, but were all very happy to break the top 5 and the top 3. I took a screenshot. I will link to it here tomorrow after I upload it. Or you can just go to the site and look at the results.<P>

Challenge solutions should come out in a week or two. Another update about DC3 at that point when we compare our actual scores and see how our solutions hold up.]]>
      
   </content>
</entry>
<entry>
   <title>IRC bot action</title>
   <link rel="alternate" type="text/html" href="http://www.ita.org/2007/01/irc_bot_action.html" />
   <id>tag:www.ita.org,2007://1.7</id>
   
   <published>2007-01-19T18:07:51Z</published>
   <updated>2007-01-19T18:12:30Z</updated>
   
   <summary>Not really exciting, but I found it interesting anyway. I usually see traffic giving IRC bots on campus instructions to scan and exploit various vulnerabilities. Today I got one that was trying to pass on malware using, predictably, a MySpace...</summary>
   <author>
      <name></name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.ita.org/">
      <![CDATA[Not really exciting, but I found it interesting anyway. I usually see traffic giving IRC bots on campus instructions to scan and exploit various vulnerabilities. Today I got one that was trying to pass on malware using, predictably, a MySpace picture request:

<PRE>
:sv-5.s3cr3t.net 332 [A07|USA|37152] ##vap1d## :.aim I was going to put this pic of us on 
myspace. Is that ok with you?  A H - REF="http://www.do not follow.dk/includes/picture-
ustogether.002.com">http://myspace/userphotos/us-together/picture-ustogether.002.jpg</A>

:sv-5.s3cr3t.net 333 [A07|USA|37152] ##vap1d## H0AX 1168997693
</pre>

I broke up the HTML so it would display properly. Not sure what the second command string does, the H0AX one.]]>
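      <![CDATA[
The two server lines above are IRC numeric replies: 332 is RPL_TOPIC (the channel topic, here carrying the bot's instruction), and 333 is RPL_TOPICWHOTIME, which names who set the topic and when, as a Unix timestamp. As an added example that is not part of the original post, the Python below parses such a pair and pulls out what the bot is being told, who told it, when, and whether the lure link is pointing somewhere other than what it displays. The sample lines are constructed to the same shape as the capture above, with the HTML put back together and the real link host replaced by a reserved .invalid name.

```python
import re
from datetime import datetime, timezone

# Constructed sample: same shape as the two numerics in the post, HTML reassembled,
# link host swapped for a reserved .invalid name.
SAMPLE_LINES = [
    ":sv-5.s3cr3t.net 332 [A07|USA|37152] ##vap1d## :.aim I was going to put "
    "this pic of us on myspace. Is that ok with you?  "
    '<A HREF="http://dropper.example.invalid/includes/picture-ustogether.002.com">'
    "http://myspace/userphotos/us-together/picture-ustogether.002.jpg</A>",
    ":sv-5.s3cr3t.net 333 [A07|USA|37152] ##vap1d## H0AX 1168997693",
]

# Extensions Windows runs directly; a link that displays as a .jpg but really
# targets one of these is the classic lure.
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def parse_irc_line(line):
    """Split an IRC server line into (prefix, command, middle params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    return prefix, parts[0], parts[1:], trailing


def analyze_topic(lines):
    """Combine a 332/333 pair into what the bot is told, by whom, and when."""
    info = {}
    for raw in lines:
        prefix, cmd, params, trailing = parse_irc_line(raw)
        if cmd == "332" and trailing:
            # RPL_TOPIC: <nick> <channel> :<topic>; the topic's first token is
            # the instruction verb the bot keys on (".aim" in the capture).
            info["server"] = prefix
            info["channel"] = params[1]
            info["bot_command"] = trailing.split()[0]
            m = ANCHOR.search(trailing)
            if m:
                href, shown = m.group(1), m.group(2)
                info["href"] = href
                info["shown_as"] = shown
                info["link_mismatch"] = href != shown
                info["href_executable"] = href.lower().endswith(EXEC_SUFFIXES)
        elif cmd == "333":
            # RPL_TOPICWHOTIME: <nick> <channel> <setter> <unix time>
            info["topic_set_by"] = params[2]
            info["topic_set_at"] = datetime.fromtimestamp(int(params[3]),
                                                          tz=timezone.utc)
    return info


if __name__ == "__main__":
    for key, value in analyze_topic(SAMPLE_LINES).items():
        print(f"{key:16} {value}")
```

On the constructed lines the 333 reply decodes to a topic set by the nick H0AX at 2007-01-17 01:34:53 UTC, two days before this post, and the anchor check flags the mismatch between the displayed .jpg URL and the .com target.
]]>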
      
   </content>
</entry>
<entry>
   <title>W32/agony.exe-1 Rootkit</title>
   <link rel="alternate" type="text/html" href="http://www.ita.org/2007/01/w32agonyexe1_rootkit.html" />
   <id>tag:www.ita.org,2007://1.6</id>
   
   <published>2007-01-17T01:30:56Z</published>
   <updated>2007-01-17T01:53:32Z</updated>
   
   <summary>Yeah, that&apos;s right, I&apos;m a security professional. I am so good I managed to infect myself with a rootkit this afternoon. Okay. I&apos;ll wait while you laugh. Finished? Alright, I can continue. So, whatever it was that this trojan was...</summary>
   <author>
      <name></name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.ita.org/">
      <![CDATA[Yeah, that's right, I'm a security professional. I am so good I managed to infect myself with a rootkit this afternoon. Okay. I'll wait while you laugh.<P>

Finished? Alright, I can continue. So, whatever it was that this trojan was trying to masquerade as, it did a really crappy job. Didn't make much of an effort to hide itself at all. First, as expected, it attempted to phone home. My firewall immediately pitched a fit when "mswinup.exe" attempted to get network access. I refused it access and pulled out the network cable. After refusing it network access, my machine promptly rebooted on its own.<P>

As Windows came back up, I saw a <I>very</i> brief window popup saying something about creating directories. It came and went too fast for me to read it, but I knew that wasn't right. At this point, it was pretty clear something was wrong.<P>

Process Explorer did not indicate anything unusual running; however, TCPView showed outbound connection attempts even though I didn't have anything running, and they weren't to the usual suspects (i.e. Google, Symantec, etc.). Autoruns, on the other hand, showed several new additions to both services and autorun startup.<P>

A new, hidden service called "Agony" was in place, along with a hidden startup entry called "c:\windows\system32\winsecurity\mswinup.exe". Sitting in my home directory was a file called "agony.sys", with a duplicate in c:\windows\system32, both of which were clearly part of this given their name and time stamp.<P>

Rootkit Unhooker (which I had never heard of before) showed me several hooks into the kernel originating with agony.sys. Additionally, a new registry key had been created:<P>

<PRE>
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
</pre>

that read:<P>

<PRE>
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
</pre>

Also bogus. I removed everything related to it and rebooted. Upon reboot, none of the services and files noted above had returned, and Rootkit Unhooker did not show any unknown hooks. To be on the safe side, I am imaging the system to run it through FTK and get a filesystem timeline, to see if anything else changed that I might have missed. It looks, though, like I got it all.<P>
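The value quoted above is in the XP SP2 firewall's per-application exception format, <code>path:scope:Enabled|Disabled:display name</code>, and the giveaway is a display name of "Internet Explorer" attached to a binary that is not iexplore.exe. The Python below is an added example, not something from this post: it triages a .reg export of that key offline. The export is constructed (the post's entry plus a made-up benign neighbour), and the display-name-to-binary map is an assumed allowlist that you would build from a known-clean machine of the same build.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export of the List key: the entry from the post plus a
# made-up benign neighbour so the triage has something to leave alone.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%ProgramFiles%\\Messenger\\msmsgs.exe"="%ProgramFiles%\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
'''

# Assumed allowlist: which binaries a given display name legitimately belongs to.
EXPECTED_BINARY = {
    "internet explorer": {"iexplore.exe"},
    "windows messenger": {"msmsgs.exe"},
}

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


def parse_authorized_apps(reg_text):
    """Turn exported List values into dicts; data is path:scope:state:description."""
    entries = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        name = m.group("name").replace("\\\\", "\\")   # .reg doubles backslashes
        data = m.group("data").replace("\\\\", "\\")
        # Split from the right: the path itself may contain a drive colon.
        path, scope, state, desc = data.rsplit(":", 3)
        entries.append({"name": name, "path": path, "scope": scope,
                        "state": state, "description": desc})
    return entries


def triage(entries):
    """Return the entries that look wrong, each paired with the reasons."""
    findings = []
    for e in entries:
        exe = PureWindowsPath(e["path"]).name.lower()
        reasons = []
        if e["name"].lower() != e["path"].lower():
            reasons.append("value name and the path inside the data disagree")
        expected = EXPECTED_BINARY.get(e["description"].lower())
        if expected is not None and exe not in expected:
            reasons.append(f"display name {e['description']!r} but binary is {exe}")
        # Heuristic (tune against a clean baseline): an exception for something
        # living in a subfolder of %SystemDir% deserves a second look.
        low = e["path"].lower()
        if low.startswith("%systemdir%\\") and "\\" in low[len("%systemdir%\\"):]:
            reasons.append("binary lives in a subfolder of %SystemDir%")
        if reasons:
            findings.append({"entry": e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_authorized_apps(REG_EXPORT)):
        print(f["entry"]["path"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against a real export (reg export of the key above), the Messenger entry passes and the mswinup.exe entry is reported twice over: wrong binary for the claimed name, and an odd location.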

I am a little annoyed that Symantec didn't even bat an eye when this thing loaded into memory. The agony part appears to be what is used to hide everything from the general user space. On the other hand, the detection signatures I am seeing for other AV vendors for this particular threat are dated on or about 12/26/06, so it's rather recent. If I don't see a signature in Symantec for it soon, it might be time to change AV vendors.<P>

If the FTK timeline shows any missing dangly bits, I'll update.]]>
      
   </content>
</entry>
<entry>
   <title>ActiveX Phishing - FTP followup</title>
   <link rel="alternate" type="text/html" href="http://www.ita.org/2007/01/activex_phishing_ftp_followup.html" />
   <id>tag:www.ita.org,2007://1.5</id>
   
   <published>2007-01-12T14:49:50Z</published>
   <updated>2007-01-12T15:06:11Z</updated>
   
   <summary>I got some phishing mail yesterday that was puzzling me. It was, of course, bogus, because I didn&apos;t have accounts (let alone ever heard of) at the sites the mail was talking about but when I examined the links and...</summary>
   <author>
      <name></name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.ita.org/">
      I got some phishing mail yesterday that was puzzling me. It was, of course, bogus, because I didn&apos;t have accounts at (let alone had ever heard of) the sites the mail was talking about, but when I examined the links and the body of the mail, it all seemed &quot;legitimate&quot;. I put that in quotes because by legitimate I mean there was no obfuscation being used. The links went where they said they went.

I fired up my sandbox VM and went to visit the page they asked about. The first thing it tried to do was install an ActiveX component for MDAC. Yeah... I think not. Drive-by installs and attacks aren&apos;t new, but it was the first time I got to play with one. I might go back later and let it install and see what it wants to do with my data.

I completed my analysis of the distributed FTP network machine we seized. It had the drftpd FTP daemon on it, which seems specifically designed to work with IRC as a file distribution mechanism. It itself doesn&apos;t appear suspect, but it definitely didn&apos;t belong there. Seems the initial compromise occurred back in JULY 06. Radmin and its friends were installed at that point, but the FTP server wasn&apos;t installed until 12/21/06. It doesn&apos;t appear to have been populated, as I found no warez of any kind on the machine. The IRC channel it was configured to connect to doesn&apos;t exist anymore either. Oh well.
      
   </content>
</entry>
<entry>
   <title>DC3 and FTP Networks</title>
   <link rel="alternate" type="text/html" href="http://www.ita.org/2007/01/dc3_and_ftp_networks.html" />
   <id>tag:www.ita.org,2007://1.4</id>
   
   <published>2007-01-03T16:46:01Z</published>
   <updated>2007-01-03T16:54:21Z</updated>
   
   <summary>DC3 results came out two weeks ago. We didn&apos;t win, although, we didn&apos;t expect to win. What I was hoping for was a ranking list, but that won&apos;t be released for some time yet, along with the actual solutions to...</summary>
   <author>
      <name></name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.ita.org/">
      DC3 results came out two weeks ago. We didn&apos;t win, although we didn&apos;t expect to win. What I was hoping for was a ranking list, but that won&apos;t be released for some time yet, along with the actual solutions to the challenges. That makes the waiting that much more difficult! The Academic category winner was UoSF, who were the ones everyone expected to take the lead. The Commercial winner, however, was AccessData, makers of Forensic Toolkit. Not sure how I feel about that. I mean, it&apos;s their business to do this stuff, how much of a challenge could that be for them?

Got some mail last week about several computers on campus being part of a meshed, multi-school, FTP warez network. First time I had encountered this. The systems apparently kept in touch with each other and distributed the files amongst themselves. I seized one of the machines here and am running an analysis on it. More about that later when I find something of interest. The other one is in a computer lab, which makes it harder to find. One PC in a room of indistinguishable PCs. &quot;Just trace the cables!&quot; I wish it were that easy. I don&apos;t have access to the switch to do that. Gonna have to check MACs instead.
      
   </content>
</entry>
<entry>
   <title>Detecting Apple Airports from the wire</title>
   <link rel="alternate" type="text/html" href="http://www.ita.org/2006/12/detecting_apple_airports_from_the_wire.html" />
   <id>tag:www.ita.org,2006://1.3</id>
   
   <published>2006-12-05T17:25:56Z</published>
   <updated>2006-12-05T17:37:57Z</updated>
   
   <summary>One of my challenges (not to be confused with the DC3 challenge below) is being able to detect rogue devices on our network. One of the most elusive is the wireless access point. Sure, I can detect that from the...</summary>
   <author>
      <name></name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.ita.org/">
      <![CDATA[One of my challenges (not to be confused with the DC3 challenge below) is being able to detect rogue devices on our network. One of the most elusive is the wireless access point. Sure, I can detect that from the air with relative ease. However, correlating the MAC address from the radio interface to a MAC address on the ethernet interface isn't as easy. 

In some instances, the MAC is off by a single digit. For example, the radio MAC will be 00-11-24-B4-CD-52 and the ethernet MAC will be 00-11-24-B4-CD-53. This is not always the case though and really boils down to me guessing. I'd prefer something more specific.

While processing a scan last week, I noticed a pattern in some of the hosts I was scanning. Certain hosts answered on TCP port 5009 and identified themselves as Apple Airports. Airport is Apple's name for their wireless interface, so that could, in reality, be anything, such as a MacBook or what have you.

What I did was install the Windows version of the Apple Airport management GUI and then sniff the traffic. When contacted by the management software, the device in question would ALWAYS respond with a payload containing the string "acpp"; in the dump below it is the first four bytes, 61 63 70 70:

<PRE>
0000:  6163 7070 0000 0001 c832 06d8 0000 0001    [ acpp.....2...... ]
</pre>

Nmap (with the -A flag), however, would not identify the service on port 5009 as Airport management, though it did report the port as open.

What we did next was scan the network space for devices with an open port 5009. That output was then chained into Amap. Amap got the ACPP response when sending the SSL identity trigger! So, any device listening on port 5009 AND responding on that port with ACPP was definitely an Apple Airport!
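As an added example, not code from the post or from Apple, the Python below turns that fingerprint into a scanner of its own: connect to TCP 5009, send a small trigger, read the reply and check it for the four-byte "acpp" marker. The sample reply is the 16 bytes from the dump above. The CRLF trigger is an assumption; the post got its reply from Amap's SSL trigger, and this code does not reproduce those bytes.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

ACPP_MAGIC = b"acpp"

# The 16 payload bytes from the dump above (constructed from the hex shown).
SAMPLE_RESPONSE = bytes.fromhex("6163707000000001c83206d800000001")


def find_acpp(payload):
    """Offset of the 'acpp' marker in a reply, or -1 if it is not there."""
    return payload.find(ACPP_MAGIC)


def is_airport_response(payload):
    """True when the reply carries the marker the AirPort management port sends."""
    return find_acpp(payload) >= 0


def probe_host(host, port=5009, timeout=2.0, probe=b"\r\n", want=64):
    """Connect, send the trigger, and report (host, True/False/None).

    None means the port did not answer at all (closed, filtered, or no data).
    The probe bytes are an assumption; Amap's SSL trigger is what the post used.
    """
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(probe)
            try:
                while len(data) < want:
                    chunk = s.recv(want - len(data))
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass  # whatever arrived before the timeout is enough to check
    except OSError:
        return host, None
    if not data:
        return host, None
    return host, is_airport_response(data)


def sweep(hosts, workers=32, **kw):
    """Probe many hosts in parallel; returns {host: True/False/None}."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return dict(ex.map(lambda h: probe_host(h, **kw), hosts))


if __name__ == "__main__":
    import sys
    for host, hit in sweep(sys.argv[1:]).items():
        label = {True: "AirPort (acpp)", False: "5009 open, not acpp", None: "no answer"}[hit]
        print(f"{host:18} {label}")
```

Feed it the host list from the port 5009 sweep (for example `python airport_scan.py 10.0.0.5 10.0.0.9`, with the script name being my own choice), and only hosts whose reply contains the marker are reported as AirPorts. The same four bytes are all an nmap-service-probes `match` line needs for -sV to name the service directly.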

We're looking into other access point devices now to see if we can get something similar.
]]>
      
   </content>
</entry>
<entry>
   <title>Done with DC3</title>
   <link rel="alternate" type="text/html" href="http://www.ita.org/2006/11/done_with_dc3.html" />
   <id>tag:www.ita.org,2006://1.2</id>
   
   <published>2006-11-29T20:13:19Z</published>
   <updated>2006-11-29T20:16:14Z</updated>
   
   <summary>We&apos;re as done as we&apos;re gonna get with the DC3 Challenge. We even submitted our results. We&apos;re in first place! Okay, we&apos;re the only people that have submitted their results so far, but that still puts us in first. If...</summary>
   <author>
      <name></name>
      
   </author>
   
   
   <content type="html" xml:lang="en" xml:base="http://www.ita.org/">
      <![CDATA[We're as done as we're gonna get with the <a href="http://www.dc3.mil/challenge">DC3 Challenge</a>. We even submitted our results. We're in first place! Okay, we're the only people that have submitted their results so far, but that still puts us in first. If no one else submits, we win! You can see the number of people who have submitted their results on the "Challenge Results" page off the link above.

According to our calculations, we scored ~2550 points. That equals a 65%. I know, not the greatest, but we did a lot, learned a lot, and had a good time while we did it. When they release the results and official scores, I will mention it. I will also mention the methodologies for some of the challenges we couldn't do at all, such as the steg and image CG stuff.

Final results are due 12/1/06 and scores are distributed 12/15/06.]]>
      
   </content>
</entry>

</feed>
