After some coffee and croissants, the second day started with a speech of the Minister of the Economy and Foreign Trade, Jeannot Krecké. He spoke about the importance of security awareness on the Internet and IT infrastructure mentioning the Cyberworld Awareness Security Enhancement Structure (“CASES“) active in Luxembourg.
Due to family issues, Jose Nazario, working for Arbor Networks, had to go back to the United States in emergency. As a specialist of the emerging security threats on the Internet, he should talk about politically motivated Denial of Service attacks (DoS). Sad! In last minute, Eric Filiol came and presented an analyze of Word & Excel encryption. Attacks against Office documents are based on a mix of forensic and cryptographic techniques. Usually documents are protected by the author with a simple password. The default encryption is weak: based on XOR constant patterns (by default to maintain compatibility with older versions). Via advanced settings, RC4 encryption can be enabled. To crack documents encryption, analyze of documents is required and, often, such documents are easy to find on USB sticks, in temporary directories, caches, …
The next slide also covered Office documents: “New advances in Office Malware analysis” by Frank Boldewin (the owner of reconstructer.org). He came back on another important vector of attacks: malicious “business” files like PDF or Office documents spread via e-mail or available online. Exploits for MS Office exist since 2006! (buffer overflows). Frank briefly introduced documents are saved and managed. Parsing of data can be done by Win32 COM API. The shell code and executable (often encrypted) are present is the malicious document. Not much information available at the moment. Tools to analyze malicious documents: DFView, Officecat, FlexHex editor or OffVis. Other tool: the OfficeMalScanner suite created by Frank which has several operating modes:
- Scan mode (Shellcode scanner)
- Info mode (dumps OLE structures, offsets, lengths)
- Inflate mode (decrompress documents – Office files are zipped)
- MalHost-setup is a shellcode runtime environment
A good practice should be to scan automatically all your incoming documents with OfficeMalScranner…
After the coffee break, Gabriel Campana presented his tool called Fuzzgrind. “Fuzzing” became a hot topic in security conferences this year. Last week, during the RSA Conference in London, another tool was presented. How can we define “Fuzzing”? “It is a testing technique that provides invalid, unexpected, or random data to the inputs of a program“. Fuzzgrind is based on two tools: Valgrind and STP. Valgrind is a framework for dynamic binary instrumentation and is supported by multiple architectures. It helps you to perform some profiling on your application (one of the well-known tools is memcheck). STP is a constraint solver. On top, a bunch of Python scripts help to link these two tools. In the real life, Fuzzgrind was successfully used to discover bugs in readelf, swfextract or libtiff.
The next presentation was about fun with Firefox extension malware. The scheduled presentation about side channel attacks: “Sniff Keystrokes With Lasers/Voltmeters” was also canceled in the last minutes. Canded Wuest came back on Firefox and its extensions. How they work, how they are developed (XPI files). One of the first issues is coming from unsigned XPI files. Wth 17 millions of extensions downloaded per day and 150 new ones per day, extensions are a good vector of attack. What can a malicious extension do? EVERYTHING. They are several classic ways to receive a malicious extensions (obscure source, social engineering, …). Note that some extensions can be hidden using the “hidden” tag in the install.rdf file. Good extensions can also be hijacked! Canded showed a live demo of a fully hiddent extension loaded into Firefox: after each launch of the browser, a calc.exe popped up!
Another demo: “JS.FFsnif”, an open source JavaScript released in 03/2006 to steal passwords from web forms or “Trojan.Chromeinject” which loads malicious DLLs for certain URLs and steal credentials from financial sites. Do not download extensions from unknown sites. mozilla.org is the only one to trust. At the moment, most security tools can not detect nor remove malicious extensions. Good idea is to check your system using Tripwire or similar tool but false alarms could arise due to the auto-update process. Conclusion: “If you’re in doublt, use Lynx!”
After the lunch breach, a lightning talks session (maximum 10 minutes per topic) was proposed.
- Didier Stevens spoke about “Windows 7: ROT13 or Vigenère?” or how are encoded entries in the registry database (like the history of launched applications).
- Eric Filiol was back with the results of iAWACS2009 contest results about finding weak points in antivirus programs.
- Fernando Gont presented the last updates of the research on TCP security.
- Guillaume Delugré presented its Origami in PDF, a framework to write malicious PDF files with a small demo of an IRC session embedded in a PDF file 😉
- Finally, Moxie Marlinspike presented a usefu tool for all of us: knockknock
Eric Filiol (again ;-)) and Eddy Deligne presented Perseus: A Coding Theory-based Firefox Plug-in to Counter Botnet Activity. Data collection is important during attacks (botnets) but behind attacks what about privacy concerns or local issues like the HADOPI law in France? The solution is to adopt “noisy coding” instead of encryption.
As cryptography can be prohibited by law in some countries, Perseus works in the same way as HTTPS and encode (by adding noise) all traffic between the browser and the server. If a bad guy intercept the traffic, it must first reconstruct the data, this will consume a lot of resources. Source and documentation is available on mozdev.org. To communicate with the extension, the server must be able to understand “noisy” requests. This is done via an Apache module (the module will be released soon).
Next track covered HostileWRT or “Fully-Automated Wireless Security Audit Platform on Embedded Hardware”. Philippe Langlois, Eugene Parkinson (from /tmp/lab). They presented the same talk during FRHACK in Besancon, September (see my previous post).
The last two tracks of the day were merged into one: a big festival of information about PDF files. Didier Stevens, Guillaume Delugré, Fred Raynal and Damien Aumaitre joined their efforts to bring us the results of their researches. The PDF format is nice (from an attacker point of view) because it is open, documented and dynamic. It’s a descriptive language (GoTo, Submit, IRU, Rendition, Launch, …) and of course has JavaScript support! Note that JavaScript can be disabled via the reader settings but everything done with JavaScript can be also done in native PDF language! It’s even possible to write viruses in PDF: A demo showed an opened PDF file spawning an .exe file! What about the Acrobat Reader? 300MB to download, lot of DLLs and a bad security model (black/while lists based on file extensions, everything is stored in the user profile and easily compromized – no admin rights required). They also showed some results about antivirus tests results. An example? a PDF with a raw EICAR file had a success rate of only 5/41! Didier explained how to analyze PDF files using tools like PDFiD (also available via virustotal.com). A common way to hide Javascript in PDFs is to use obfuscation. (“JavaScript” -> “J#61Script”). Once a malicious PDF has been detected by PDFiD, Origami can be use to perform further analysis. They talked about famous PDF files: Calipari report & Facebook case. Funny, the text to Speech feature in Acrobat Reader: If you cannot read it, at least listen to it! 🙂 As usual don’t forget meta data and check also the revisions (and discover the differences between the versions). Now, how to protect your machine? Use another PDF reader, know your ennemy, disable JavaScript, find his Achille heel. Don’t work as local admin (to prevent access to c:\windows\System32). Use Restricted Tokens (DropMeRights)
Another nice one: SMB relay & PDF file: Via Origami, add an URL in the PDF file pointing to \\a.fake.server.com\file.tmp. Credentials were sent to the SMB share (without warning) The grabbed hash can be decoded via John-the-ripper. Bingo! (very useful in companies to grab passwords). Conclusion as always: take care and do not trust anybody.
That’s all for today…