Issue33 – Oct2012 | Page-1
FUD through Hex Editor
INTRODUCTION
Mostly all Trojans/key loggers are detectable by the antivirus. One of the most common problems being faced is making Trojan/key loggers undetectable from the antivirus. So in this tutorial I am going to tell you how to make your Trojan undetectable from the antivirus. But first you need to understand how antivirus software works.
DETECTION TECHNIQUE
Antivirus software typically uses two different techniques to identify malicious programs: signature-based malware detection and behavior-based malware detection. Antivirus software can employ one or both methods depending on the sophistication of the program.
Signature-based Malware Detection
Signature-based detection depends on pattern recognition. The antivirus software scans the file in question, comparing specific bytes of code against information in its malware-signature database. If the scanned file has a pattern duplicating one in the database, the file is considered malware.
Behavior-based Malware Detection
In behavior-based malware detection, the antivirus monitors the behavior of a program to determine whether it is malicious or not. For example, an executable may try to write data to another program or want write access to a locked file. This behavior is identified as suspicious and the user is prompted for an action. This malware detection technique is basically used to identify new malware.
How to make a FUD In simple words, we can say that if we change the signature of the Trojan/key loggers, we can easily make the Trojan undetectable from the antivirus software. The ways to make Trojan/key loggers undetectable from the antivirus software are listed below. 1. Encryptors/Compressors: This is a very simple way to make a Trojan undetectable. In this technique we use some encoding software that changes the signature of the Trojans. But the problem is that most of the people use the same software so often that the anti-virus software knows pretty much all the signatures.
TUTORIAL: In this tutorial we are going to use hex editing to make a Trojan undetectable. Hex editing is one of the most secure, most complicated technique used by some people to make their file Fully Undetectable (FUD). As we have learnt before that antiviruses use signature based identification to identify a suspicious file read and through hex editing we search for the antivirus flagged signature and change it to some other hex so antivirus can't identify the file. These are following tools which you need to be installing on the system to make the Trojan undetectable.
Antivirus Software Hex Editor File Splitter A Trojan making software
Antivirus Software 2. Hex Editing: This is much more complicated and takes a lot more practice to get right. The idea here is to find the signature that the antivirus software detects in the Trojan and change it by adding a different byte so that the antivirus cannot detect the Trojan program any more. 3. Byte Adder: This technique allows you to add junk bytes to your Trojan, so as to confuse anti-virus software. It does this by moving the code inside the executable around, as the bytes are being added. This means that the signature will not be in the place the Anti-Virus expects it to be.
I am going to use avast antivirus software for Trojan detection. Hex Editor A hex editor is a program that allows a user to manipulate the fundamental binary data that makes up computer files. You can get this software under the following link. http://mh-nexus.de/en/downloads.php?product=HxD File Splitter File Splitter is a freeware program which does not require installation and can be used to split a file into multiple files as well as to merge multiple files into a single file. You can get this software under the following link. http://www.filesplitter.org/
Trojan Making Software
Now click on Build.
A Trojan making software is used to create a Trojan. In this tutorial I have used a general key logger software program to make the Trojan. It is key logger program which records all keystrokes and sends these key logs through the email. You can get this software through a simple google search for 'General Key logger'. These are following steps which you need to follow to make the Trojan undetectable. Step 1: First of all turn off your antivirus real-time protection. In my case I am using avast antivirus so first I will disable the real-time protection. Make the key logger server file and place the server file in a folder. Step 3: Scan this folder with your anti-virus software and check whether this file is detectable by the anti-virus software. Step 2: Download and launch the key logger software, and enter the details like Gmail Username, Gmail Password and Send Logs Every. Gmail Username: Enter the Gmail ID to which the Trojan will send the key logs. Gmail Password: Enter the Gmail password of the account. Send Logs Every: In this text box enter the time period after which you want to receive the logs.
Now I scan server.exe file with avast antivirus software. You can see this file is detected by the antivirus.
Step 4: Download and launch the File Splitter software. And split your server file with your File Splitter into 200 bytes per file. This may make a lot of files in your selected folder (depending on how large the server file is).
way of doing this, you will have to experiment. In my case this is the hex code of the infected file. Now I will change AntiWireShark into antiwireshark and save this file.
There will not be much which you need to change. Just change one character or byte at a time and then save the program. Re-scan to see if it worked. If it did not, go back and try again. Step 5:
Step 7:
Now Scan the split the files with your antivirus software and make note of those files which are infected. Those will be once you edit.
Once you have found all signatures are changed then, Rejoin the file with File Splitter and test your Server to see if it works.
In my case only one file server.exe.chunk145 is infected. Now I will edit this file in hex editor. Step 6: Now open each infected file in the hex editor and change the offset. There is no full proof
Steps 8: Scan the server file with the antivirus and we can see now is not detectable by the antivirus.
Remember that too much editing will make your Trojan file useless so be careful while editing the file in the hex editor.
Nikhil Kumar He is working as an Information Security Consultant with Xiarch Solutions Pvt. Ltd (www.xiarch.com).
OWASP Zed Attack Proxy (ZAP)
Introduction
The OWASP Zed Attack Proxy (popularly known as ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. OWASP ZAP is a fork of version 3.2.13 of the open source variant of Paros Proxy. Paros was an HTTP/HTTPS proxy for assessing web application security. It should be noted that Paros Proxy has not been updated since August 2006. ZAP is the product of the hard work of Simon Bennetts (Psiinon), with help from co-lead Axel Neumann. However, ZAP has now become an international effort, with people from various countries, organizations and volunteers helping with its development. Anyone is welcome to contribute to ZAP, not only with coding but also with testing, documentation, localization, issue identification, and enhancement requests. It has also been translated into 10 different languages.
INSTALLATION AND CONFIGURATION
ZAP installation is very easy. Once we have unpacked ZAP on our preferred platform, we just need to invoke ZAP from the application icon or at the command prompt via the appropriate executable. A current Java Runtime Environment is the basic requirement for installing ZAP. Since ZAP runs as a proxy, the next important thing is to configure our preferred browser to proxy via localhost and a port, and to configure ZAP to listen on that same address and port. I personally prefer using the port 8085 to avoid conflict with other proxies and services. To set up the proxy in ZAP we have to go to TOOLS → OPTIONS → LOCAL PROXY in ZAP and set it with the same configuration as that of the browser.
We must also generate an SSL certificate in order to use and test SSL enabled sites. We will be prompted to do so when running ZAP for the first time.
ZAP FEATURES
There are numerous features available with ZAP. Let us discuss some of the features now.
1. Break Points: A break point is perhaps the first feature that I used when I started using ZAP. A break point allows us to intercept a request from our browser and also allows us to change it before it is submitted to the web application that we are testing. We can also change the responses received from the application.
The two arrows represent the HTML request or response to be intercepted. The forward arrow represents the request and the backward arrow represents the response. Initially they are green which means that neither the HTML request nor the HTML response will be intercepted. Once clicked the arrows turn red which means that the respective request and responses will be intercepted. The request or responses intercepted are now displayed in the Break tab thus allowing us to change disabled or hidden fields, and also allowing us to bypass client side validation. Also we can set up URL specific break point by right-clicking on the site in the sites tab or in the history tab. Now once we are done editing or viewing the intercepted request or response we then have to click on the play button just beside the break points to allow the request or responses to be forwarded. 2. Active Scan: Active scanning attempts to find the potential vulnerabilities by using known attacks against the selected
targets. However, active scanning cannot find certain types of vulnerabilities. Logical vulnerabilities, for example, can never be found through any active or automated vulnerability scanning.
3. Alert: An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert. Alerts are shown in the UI with a flag indicating the risk.
An alert is basically raised when we run an Active Scan on the site however some alerts may get listed even without running an active scan based on basic HTTP requests and responses exchanged. Also we can manually raise an alert using the Add Alert dialog. Now the Alert tab has various features in it. We get the alerts grouped by the type of vulnerabilities it presents and under those vulnerabilities each and every vulnerability is explained in detail.
If we now click on any vulnerability on the right hand side we get details of the vulnerability. Such as it describes the risk factor, the reliability of the vulnerability being actually present, the parameter it actually performed the attack on and the attack it performed is described as well. Also what really impressed me was that it had four scroll text area which were as follows:
Description: As the name suggests, the vulnerability is explained here in a very concise manner. Though concise, it's explained in an easy-to-understand way, so that one gains a basic knowledge of the vulnerability found.
Other Info: Any other info on that particular vulnerability is noted here.
Solution: This is perhaps the sweetest part from the point of view of a developer. It describes the possible solution to avoid such a kind of vulnerability in your web application. Though very concise, it is basically successful in giving us a brief idea about the possible ways to overcome the vulnerability.
Reference: In this block ZAP lists the references it has used for giving us this valuable information.
4. Spider: A Spider is a tool which is used to visit and list all the resources (URLs) in a particular site. It starts with a list of URLs to visit, based on how the spider is started. The spider then visits these URLs, identifies new resources or URLs from these pages, adds them to the list of URLs to visit, and the process continues recursively until the list is complete.
How this spider works is that while processing a URL, it makes a request to fetch the resource. After getting the response it parses the response, identifying the hyperlinks. It processes not only HTML responses but also non-HTML text responses and, if set, also analyses the 'Robots.txt' file.
Now how it helps is that instead of us visiting each and every link manually and creating a site map, spider does so automatically and presents us with a site map, listing all the URLs in that particular site. 5. Brute Force: There is an option in ZAP called Brute Force. Now this option is not for brute forcing the password or something similar. This option is used to try to brute force directories and files. Now the ZAP team has not reinvented the wheel over here instead this brute force or forced browsing support is provided via DirBuster.
What happens is that there is a set of files provided which contain a large number of file and directory names. Now ZAP instead of relying on links to find the other files and directories, it tries to access the files and directories directly with the help of the list of names provided to it. There are various files containing an exhaustive list of such different directory and file name. So select the list we want ZAP to check and then click on start, and the magic begins.
6. Port Scan: Port scan, as the name suggests, allows us to do a basic port scan on the selected website. Sites can be selected via the Sites tab or in the port scanning toolbar. Any site on which port scanning is running is marked in bold letters in the port scanning toolbar. To start the port scan we have to click on the play button on the toolbar after selecting the site to be scanned, and ZAP will start doing a basic port scan. To pause the port scan we have to click on the pause button, and to stop it we have to click on the stop button. It's very easy and simple to operate.
7. Fuzzer: Another interesting feature of ZAP is the option of fuzzing through the Fuzzer. This feature of ZAP is based on code from JBroFuzz, which is also an OWASP project, and also includes files from the fuzzdb project. Fuzzing is basically a technique of submitting lots of invalid or unexpected data to a targeted site. Using ZAP we can fuzz any selected part of the request with the help of a built-in set of payloads. In order to fuzz we first have to select the string we want to fuzz in the request string (circled in red in our case). Next, when we right click in the request tab and select Fuzz, a new window opens where we can select from a list of fuzz categories. Each fuzz category again has a number of fuzzers, and based on our need we can select one or even many fuzzers from that list.
Now all we have to do is press the fuzz button. The results from the fuzzing will then be listed in the fuzzer tab, where we can select them to see the full request and responses.
8. Params: The Params tab basically shows a summary of the parameters a site uses. We can select the site from the site drop-down menu in the Params tab. For each parameter several pieces of information are given: the type of the parameter (like COOKIE, FORM or URL), the name of the parameter, the number of times the parameter is used, the number of unique values the parameter has, the percentage change (0 means only one value has been used while 100 would mean that all the values are unique), the flags of the parameter like the cookie flags etc., and finally the value of the parameter.
Thus I have tried to discuss and give an overview of the ZAP tool. Each feature has a lot of functionality and can be used according to one's need. Since ZAP is an open source project, we can all help to develop plugins for ZAP. It truly is a wonderful tool which can be used for finding vulnerabilities in a web application and also for penetration testing. With so many features, and ZAP being an open source project, it can truly give the paid HTTP proxy tools a run for their money.
Ramesh Chandra Bhattacharjee Ramesh works for Infosys and is a beginner to information security domain.
Bluetooth Reconnaissance: Watching Over Invisible
#hciconfig
Remember Paris Hilton case? All her confidential data was compromised through her mobile-phone. Though it was not Bluetooth attack but your handheld devices can be one of the best targets for attacks and Bluetooth can be major part of it. The goal of the discovery process is to identify the presence of Bluetooth devices, and finding each device's 48-bit MAC address which is known as BD_ADDR. The challenging part in this step is finding the devices which are in invisible mode along with visible ones. So let's do it… First we will look at basics of Bluetooth and scanning. Bluetooth specification defines 79 channels and devices hop across these channels at a rate of 1600 times per second.
So here two Bluetooth interfaces are available hci0 and hci1. And hci1 is longrange external Bluetooth dongle which I am using for this demonstration. Initially these interfaces are in Down state. Let's make it UP…
Scenario1: All devices are in visible mode
#hcitool scan
The above scan gives overall information that currently six Bluetooth devices are available and it also provided their names and BD_ADDR. But it doesn't give any idea of what type of device is. For ex: Akash can be mobile, or laptop or anything else. Android Setting
So let's make the inquiry scan. #hcitool inq
Devices were discovered with their BD_ADDR, system clock information, and the device class. In device class you can see underlined section of every class i.e.00, 02, 01 and 04. These are nothing but major device class bits from which we can find the type of device. Ubuntu Settings
See the chart below:
I would like to remind you that till now we were scanning the devices which are in visible mode. But what about the devices which are not visible? Redfang is the tool in which we can scan devices that are in invisible mode by giving the range.
Now if we made cross-check, the Akash's BD_ADDR is 00:1d:6e:.. and its class is 0x50020c. So we can surely say it is Phone type Device by looking at chart.
000000000000-ffffffffffff. But scanning every mac (BD_ADDR) may take some years to finish up. If the devices are in vicinity, we can see manufacturer and find the mac prefixes for the device. And can give approximate ranges to redfang, Source: http://hwaddress.com/
btscanner tool does the same but it provides bt_names along with other specifications.
Bluemaho is Bluetooth penetration testing tool but it has also scanning option which provides very important piece of information.
Here I am giving very small range i.e. 0007abffcf85-0007abffcf90 to demonstrate the tool. Once it scans that BD_ADDRESS which is in invisible mode, it will show all information about it.
You can clearly see the BD_ADDRESS along with bt_name.
But finding the BT_ADDR of devices whose WiFi is also on is little bit simple as compared to scanning thousands of addresses. Here it goes… FINDING BD_ADDR FROM MAC: My little handy victim's settings->
Now observe the packets, especially the source field. You may see Samsung, Apple like names. So here it is…
WiFi is on and Bluetooth is invisible mode.
Start sniffing in the air by enabling monitor mode to wireless interface.
In above screenshot you can see Samsung name and its mac address. And the important thing is SamsungE_ff:cf:88 is not Bluetooth/Wifi name, rather it is manufacturer name. Now we can surely say 00:07:ab:ff:cf:88 is of Samsung Device. So many MACs. Here the question is whose mac it is? Means how we look for smartphones/smart-devices from this bulk of mac addresses? So start wireshark. #wireshark& Start capturing on mon0 interface.
Okay, we come to know that we got one Samsung smartphone/device. The next challenge is finding its Bluetooth address. We have, MAC: 00:07:AB:ff:CF:88~MAC address plus one.
One of the interesting thing is that when you enumerate the laptops, you can see the information of Operating systems and other services.
No output. Means no BT device with that address is available currently ~ MAC address minus 1.
So here we get the Bluetooth device along with the name my_android. So you can observe that BT address is associated with MAC address, i.e Minus or Plus 1. Once you find the Bluetooth device, the scan can be made to check the services on the device.
You can observe the field Service Provider: Microsoft. So this is the basic step i.e. first find the target before exploiting them
# sdptool browse 00:07:ab:ff:cf:87
Swaroop D. YermalkaR swaroop.wireless@gmail.com Swaroop is a final year engineering student from M.I.T.College Of Engineering, Pune. He is a EC-Council Certified Ethical Hacker, enthusiastic and hobbyist for Infosec.
Firos Vs. State of Kerala AIR2006 Ker 279, 2006.
Introduction
The Government of Kerala issued a notification u/s 70 of the Information Technology Act, 2000 (IT Act) declaring the FRIENDS application software as a protected system.
Sec. 70 of the IT Act reads as –
Protected System
1. The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.
2. The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1).
3. Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
4. The Central Government shall prescribe the information security practices and procedures for such protected system.
The author of the application software filed a petition in the High Court against the said notification. He also challenged the constitutional validity of section 70 of the IT Act.
Findings of the court –
There is no conflict between the provisions of Copyright Act and Section 70 of IT Act.
Section 70 of the IT Act is not unconstitutional.
While interpreting section 70 of the IT Act, a harmonious construction with Copyright Act is needed.
Section 70 of the IT Act is not against but subject to the provisions of the Copyright Act.
Government cannot unilaterally declare any system as "protected" other than "Government work" falling under section 2(k) of the Copyright Act on which Govt.'s copyright is recognized under Section 17(d) of the said Act. Hence, Court upheld the validity of both, section 70 of the IT Act, as well as the notification issued by the Kerala Government.
Sagar Rahurkar contact@sagarrahurkar.com Sagar Rahurkar is a Law graduate, a certified Digital Evidence Analyst and Associate member of Association of Certified Fraud Examiners (ACFE). He specializes in Cyber Laws, Fraud examination, and Intellectual Property Law related issues. He has conducted exclusive training programs for law enforcement agencies like Police, Income Tax, etc. He is a regular contributor to various Info-Sec magazines, where he writes on IT Law related issues.
Secure File Upload Form: PHP Programming
Hello ClubHack readers! This is my first article in ClubHack and I wish to be here with some more nice articles! This article is about developing a secure file upload form. Web pages with file upload forms are very common. These forms are intended for users who want to upload a photograph, resume, application, video file or any other kind of file as per the need and requirement. If your website or web application has such a form, or if you are planning to enable file uploads, then this article is for you. I am writing this for the PHP programming language, but the logic remains the same for any programming language.
Let me throw some light on why it's important to secure your forms with file uploads. If your form is accessed by a genuine user then there is no harm: he would be kind enough to read your “upload instructions” page before uploading and, as per your policy, would limit his file size and file format and proceed with uploading his file. On seeing a successful upload message from you he would be happy. Now think: if it's a bad guy who is interested in hacking or harming, what can happen to your server? Wondering how he can benefit from your file upload page? If your form is not validating the file size and file format properly, an attacker can upload a file which acts as a web shell. A web shell is nothing but your server's command prompt or shell prompt made accessible through the browser. I am not going to talk much about web shells in this article as they have already been covered in an earlier issue of ClubHack; see http://www.chmag.in/article/jul2012/phpshells. Besides a web shell, one can also try to upload a worm-infected file which can spread itself across your LAN and affect other servers; it could also be a keylogger or any other harmful file.
So, with this awareness that file upload can be dangerous if not coded properly, let us proceed towards understanding how to stop such mischievous file uploads through your file upload enabled forms. General coding done for file uploading pages would have the following two files:
1. index.php – Page which holds the form with file upload enabled
2. uploadfile.php – Server-side file which processes the uploaded file, like moving the uploaded file to the target folder.
Most developers add JavaScript validation to verify the file extension chosen by the end user and the file size. As you might be aware, JavaScript validation can easily be bypassed using tools like Tamper Data, a proxy etc., so you might be adding server-side validation to the script uploadfile.php, which might look like this:
With the above code, server-side validation is done: the file is successfully uploaded if its file type is zip or rar compressed and its size is less than 2MB. Even though you are performing server-side validation here, one can try to fool your server by modifying the file type field while uploading the file and successfully upload a PHP file, exe file or any other file and succeed in exploiting your website. This can be done by renaming the file extension to something else or, again, by using tools like Tamper Data or a proxy. So, what next? It's been told in many tutorials that server-side validation would stop most attacks like SQLi, XSSi etc., and thus the file upload pages are protected here. But it seems that this is also not enough to secure your server. Definitely “Server Side Validation” is the best solution to avoid most web attacks, but let me add another word, “Perfect”, to the above, which makes “Perfect Server Side Validation”. So, to complete the above code with Perfect Server Side Validation, you should check the file content and then judge whether the file type matches your “Upload Instructions”, rather than relying on the file type field value sent by the browser from the client side as done above. This can be done in PHP by using the mime_content_type() function. This function returns the file type by verifying the content of the file. If it's a PHP file but the extension is .zip then it returns “text/x-php” rather than “application/zip”; thus the file type can be verified perfectly from the server side and the upload of mischievous files can be controlled.
With this the above code will look like below:
In this example, we are moving the uploaded file to a certain location based on extension and then checking the file content to cross-verify the file type. If it's not matching our requirement then we can delete the uploaded file using @unlink and inform the user to re-upload the correct file. mime_content_type also solves another problem: if a user uploads a file from a Windows-based client, a .rar extension file is set to application/octet-stream by the browser. So we may have to add application/octet-stream in the if condition, but adding this will accept .exe file types also. So mime_content_type will help in this scenario also, to cross-verify the file type so that we have only zip and rar files uploaded to our server.
Thus, you can secure your server from getting hacked through web shell uploads or any other kind of mischievous file uploads.
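The contrast the article draws, written out as an added example (not the article's own listing): `weak_check()` trusts the browser-supplied type field, while `strict_check()` judges the file by its content with mime_content_type(). Assumptions of this example: the form field name `userfile`, the directory name `store_7f3a`, the MIME strings listed for RAR (what libmagic commonly reports; confirm on your server), and the choice to inspect the temporary file before moving it and to store it under a random name.

```php
<?php
// Added example, not the article's original code. Names marked "assumed"
// are illustrative and must be adapted to the real application.
declare(strict_types=1);

const MAX_BYTES  = 2 * 1024 * 1024;          // 2 MB limit used in the article
const UPLOAD_DIR = __DIR__ . '/store_7f3a';  // assumed, deliberately uncommon name

// Extension => content types accepted for it. The RAR strings are assumptions
// about what libmagic reports; the browser's own label is never consulted.
const ALLOWED = [
    'zip' => ['application/zip'],
    'rar' => ['application/x-rar', 'application/vnd.rar'],
];

// The pattern the article warns about: $file['type'] and $file['size'] are
// copied from the request, so a proxy can set them to any value.
function weak_check(array $file): bool
{
    $claimed = ['application/zip', 'application/x-rar-compressed'];
    return in_array($file['type'], $claimed, true) && $file['size'] < MAX_BYTES;
}

// Content-based check. Returns the validated extension, or null to reject.
function strict_check(array $file): ?string
{
    // Reject failed uploads and paths that PHP did not create for this request.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Measure the file on disk instead of trusting the reported size.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        return null;
    }
    // The extension must be on the allow-list...
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // ...and the content must agree with it. A PHP script renamed to .zip
    // is reported as text/x-php here and is rejected.
    $mime = mime_content_type($file['tmp_name']);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return null;
    }
    return $ext;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['userfile'])) {
    $ext = strict_check($_FILES['userfile']);
    if ($ext === null) {
        http_response_code(400);
        exit('Upload rejected: only zip or rar archives under 2 MB are accepted.');
    }
    // Store under a random name so the uploader cannot predict the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['userfile']['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        http_response_code(500);
        exit('Could not store the file.');
    }
    echo 'Upload successful.';
}
```

Because the check runs on the temporary file, a rejected upload never reaches the storage directory, so no @unlink cleanup step is needed in this variant.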
Apart from secure coding, the following are some best practices to avoid problems and reduce risk.
1. Rename the file received from the client, so that if by mistake some mischievous file has been uploaded, the client/hacker cannot access the file as he cannot get the filename.
2. Disable directory indexing where you are storing the uploaded files.
3. Have an uncommon directory name to store files. The most common names are files, upload, store, list, pictures, resumes, images, storage etc.
4. Accept compressed file formats wherever possible so that automatic file execution cannot happen. If your application really needs to accept an executable from the client, then it's compulsory to accept it in compressed format only.
Your code secures your server!!
Indraveni.K indraveni.chebolu@gmail.com Mrs. K. Indraveni has been associated with CDAC since July 2005 and is presently designated as Senior Technical Officer. Her core working areas are web technologies, open source software, cloud computing and information security. She is GIAC (SANS) Certified in “Web application Penetration Testing and Ethical Hacking” (GWAPT – Analyst No: 00729). She is also one of the core members of BOSS GNU/Linux, an Indian Linux Distribution Development team. Her interests are exploring more on web security and following up with the latest web threats & vulnerabilities, with a goal of gaining expertise in the web security domain.