Hakin9 Exploiting Software April Issue is Out!

The April issue of Hakin9 Mobile Security is out. This month’s magazine features the article “Cisco IOS Rootkits and Malware: A practical guide” by Jason Nehrboss:

Propagating the worm code into a new router can either be quite easy, difficult, or impossible. There are many variations of supported IOS code and hardware platforms. The author discusses the use of and demonstrates an IOS Embedded Event Manager rootkit and worm. When a router is infected it can be leveraged into a powerful malware platform. Capabilities demonstrated are network packet captures, reverse shell connections, a spam module, and a mini malware httpd server leveraged with IP address hijacking. In this article you will learn how to exploit critical network devices and network traffic traversing these devices, and act as a launch point for further attacks into a network. You will also learn about a self-replicating IOS worm with stealth features and self-defense mechanisms, all with platform-independent code.

Also in this issue Craig Wright continues his excellent series on exploit creation. This month’s article is entitled “Taking control, Functions to DLL injection”:

DLL injection is one of the most common methods used by malware such as a rootkit to load it into the host’s privileged processes. Once injected, code can be inserted into functions being transmitted between the compromised code and a library function. This step is frequently followed with API hooking where the malicious code is used to vary the library function calls and returns. This article is part of a monthly series designed to take the reader from a novice to being able to create and deploy their own shellcode and exploits. With this knowledge, you will learn just how easy it is for sophisticated attackers to create code that can bypass many security tools. More, armed with this knowledge you will have the ability to reverse engineer attack code and even malware allowing you to determine what the attacker was intending to launch against your system.

Other articles include:

  • Deceiving Networks Defenses with Nmap Camouflaged Scanning By Roberto Saia
  • Exploiting Software By Swetha Dabbara
  • Cross Site Request Forgery – Session Riding By Miroslav Ludvik and Michal Srnec
  • Data Logging with Syslog: A troubleshooting and auditing mechanism By Abdy Martinez
  • Social Engineering – New Era of Corporate Espionage By Amar Suhas

Check it out!

USB Attack Vectors move Beyond Flash Drives to Malicious USB Devices

You have all heard about the dangers that USB drives can pose. In 2008, the US Military suspended the use of USB drives after a large worm attack hit military systems. Iran’s nuclear power plant was hit with Stuxnet, supposedly from a USB drive. And following the recent Wikileaks disaster, the military is banning all removable devices from systems connected to SIPRNET, the government’s secret network:

Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued the Dec. 3 “Cyber Control Order” — obtained by Danger Room — which directs airmen to “immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET,” the Defense Department’s secret network. Similar directives have gone out to the military’s other branches.

So no more CDs, DVDs or thumb drives will be allowed near these machines.

Then there is always the threat of malicious hardware. For years the government has been worried about counterfeit electronic hardware, mainly from Chinese manufacturers, that has built-in backdoors. Earlier this year, millions of dollars’ worth of counterfeit Cisco equipment that was to be sold to Marines in Iraq was confiscated:

Ashoor purchased counterfeit Cisco Gigabit Interface Converters (GBICs) from an online vendor in China with the intention of selling them to the U.S. Department of Defense for use by Marine Corps personnel operating in Iraq, the DOJ said. The computer network for which the GBICs were intended is used by the Marine Corps to transmit troop movements, relay intelligence and maintain security for a military base west of Fallujah, Iraq, the DOJ said.

So security experts have been on the lookout for USB drives and even counterfeit routers, but what about an innocent looking USB keyboard, or mouse? How much attention would that garner?

Adrian Crenshaw (Security Specialist and Speaker) has shown from his recent work with the Arduino “Teensy” programmable keystroke device that almost any USB device, including keyboards, mice, and the innocent desktop toy could be used as an attack vector. Adrian (also known as “Irongeek”) created the tool for professional security pen testers, but it has really shown how USB attacks can and will move way beyond “Autorun.inf” infectors.

The Teensy programmable keystroke device is made from PJRC’s Teensy USB Development Board.

The computer does not see the Teensy device as a USB drive or another accessory, but as a human interface device (a keyboard). The Teensy circuit board can be inserted inside a keyboard or mouse and can be set to activate when a certain key is pressed or a certain condition is met. So, for example, if the “Scroll Lock” or “Caps Lock” key is pressed, the Teensy could send the commands to copy all the data from a certain directory. The Teensy can also be set to activate via a timer or whatever the pentester desires. And antivirus would not detect it, as it would seem to be just standard keyboard input.

Also, the inside of the mouse or keyboard leaves ample room for the miniature Teensy and whatever else the pentester may want to use. Inside a standard mouse case, Adrian was able to insert a Teensy device, a USB hub and flash memory. With this type of setup, he could have the Teensy device issue commands to run a script from the flash drive or even copy data from the system to flash storage. (View Adrian’s video on YouTube)

I believe that with the Teensy programmable keystroke device, we are really looking at a new generation of intelligent malicious hardware that will be limited only by the imagination of the attacker.

Counterfeit Network Equipment Used to Spy on America?

This week, the FBI released information on “Operation Network Raider”. The FBI arrested 30 people and confiscated over $143 million worth of network gear from an international counterfeiting ring. The equipment is made overseas, China being one source, and then sold as “new” product. According to the press release:

Today, as a part of this joint initiative, Ehab Ashoor, 49, a Saudi Citizen who resides in Sugarland, Texas, was sentenced in the Southern District of Texas to 51 months in prison and ordered to pay $119,400 in restitution to Cisco Systems. A federal jury found Ashoor guilty on Jan. 22, 2010, of charges related to his trafficking in counterfeit Cisco products.

According to evidence presented at trial, Ashoor purchased counterfeit Cisco Gigabit Interface Converters (GBICs) from an online vendor in China with the intention of selling them to the U.S. Department of Defense for use by U.S. Marine Corps personnel operating in Iraq.

The computer network for which the GBICs were intended is used by the U.S. Marine Corps to transmit troop movements, relay intelligence and maintain security for a military base west of Fallujah, Iraq. The case was investigated by ICE and the Defense Criminal Investigative Service and was prosecuted by the U.S. Attorney’s Office for the Southern District of Texas.

Several red flags appear when you read this quote from the FBI’s statement.

  • The suspect is from Saudi Arabia
  • He is selling counterfeit equipment made in China
  • The equipment was for the US military in Iraq
  • The devices would be used to communicate troop movement, intelligence and security

China now does a lot of our manufacturing. One would have to ask the question: how hard is it to put a backdoor into networking equipment when you are manufacturing it? Spying using hardware is nothing new. During the Cold War, the US installed cameras inside Xerox machines that were installed at the Russian embassy.

Also, what better way to compromise a network than to infiltrate equipment that has backdoors in it? Cisco recently made news for a security flaw in its built-in backdoor called Lawful Intercept. This feature allows law enforcement to view data on the device without leaving any trace that the device has been monitored. Could the counterfeit equipment have this feature tampered with?

I just find it very disturbing that someone from Saudi Arabia is trying to sell the military counterfeit equipment to be sent into an area of operation. It begs the question, is equipment that has been compromised already placed in military and government locations?

Building Systems at Risk Due to Cisco Bug

Cisco warned today of vulnerabilities in their Cisco Network Building Mediator products. These products are used to remotely connect building systems to an IT-controlled monitoring panel. The system controls building lighting, HVAC, security and energy systems.

According to an article on The Register:

No authentication is required to read the system configuration files, making it possible for outsiders to take control of a building’s most critical control systems.

“Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device,” a Cisco advisory stated. The notice also warned that the vulnerabilities are present in the legacy products from Richards-Zeta, the Cisco-acquired company that originally designed the system. The bugs were discovered during internal testing.

When I worked at an electrical engineering company, these devices were just coming out. The ones that I saw were simpler and only read data; they did not allow remote control. They were interesting because management could see in real time on their desktop what the building energy supply and loads were. They were great for forecasting energy use and supply.

Allowing control of these systems via computer was the next logical step, but bugs allowing a hacker remote control of your electrical and lighting systems is a serious issue, especially in large metropolitan buildings.