Monthly Archives: August 2015

Unhandled program exceptions and informative error messages – free support for Cyber Attackers

30 August 2015

Today companies know what their business-critical information is and protect it against unauthorized use and disclosure.

Cyber criminals don’t attack the business-critical information directly, but the application systems that hold it, through vulnerabilities in the system and application software. Application and system developers make life easy for them by disclosing information about the system design through unhandled program exceptions and informative error messages.

Unhandled program exceptions exist in almost every web application. Candidates are URLs with parameters like

https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_HM_PRE&Action=A&SiteId=11&languageCd=GER

Most programmers do in-depth tests to make sure that the program retrieves exactly the information defined in the requirements specification. But what happens if an invalid value is input?

Let’s rewrite this URL and assign SiteId the value -1:

https://xxxxx.xxxxxxx.com/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL?Page=HRS_CE_HM_PRE&Action=A&SiteId=-1&languageCd=GER

The result is:

A negative number was assigned to an Attribute of type "Unsigned": HRS_SITE_ID.HRS_SITE_ID. (2,121) WEBLIB_XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:ax_Parameter_security PCPC:1176 Statement:19 Called from:WEBLIB_ XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:Iscript_Load XXXXXXXX Portal Statement:28

Okay, it’s not the entire program stack, but it shows that input is not fully sanitized, and it gives an attacker the hint that the site is possibly vulnerable to SQL injection attacks.

Unchecked error conditions are listed as CWE-391 in the Common Weakness Enumeration. Programmers can easily solve this problem by adding a catch-all “when others” exception handler to the code.

The best error message is one that reveals neither information about the application system nor about the internal structure of the application:

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable. Please excuse the inconvenience caused.

Period. For a good overview of error-handling problems and mitigations see the SANS Securing Web Application Technologies (SWAT) checklist.
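The two handling styles discussed above, as an added Python example (this is not code from the post or from the PeopleSoft portal it shows; the `lookup_site` backend, the parameter names and the 404/500 mapping are assumptions made for the illustration). The leaky handler echoes the exception text to the client, exactly the kind of hint the post warns about; the hardened handler applies the “when others” idea: full details go to the server log, the client only ever sees the generic message. The `__main__` block runs a few boundary values (negative, empty, non-numeric, oversized) through the hardened handler.

```python
import logging
import uuid

log = logging.getLogger("hrs_portal")

# The neutral message recommended in the post: nothing about the system or its internals.
GENERIC_ERROR = ("The resource you are looking for might have been removed, had its name changed, "
                 "or is temporarily unavailable. Please excuse the inconvenience caused.")


class ValidationError(ValueError):
    """Raised for input that fails the boundary checks."""


def parse_unsigned(name: str, raw: str) -> int:
    """Boundary check for an 'Unsigned' attribute: digits only, within a sane range."""
    if not raw.isdigit():            # rejects '-1', '', '1e3', ' 7', 'abc'
        raise ValidationError(f"{name} must be a non-negative integer")
    value = int(raw)
    if value > 2**31 - 1:            # assumed upper bound; the real attribute's range is not on the page
        raise ValidationError(f"{name} out of range")
    return value


def lookup_site(site_id: int) -> dict:
    """Hypothetical backend lookup standing in for the portal's real data access."""
    sites = {11: {"name": "Careers"}}
    if site_id not in sites:
        raise KeyError(site_id)      # e.g. a failed database fetch in the real system
    return sites[site_id]


def handle_request_leaky(params: dict) -> tuple:
    """The pattern the post criticises: the exception text goes straight to the client."""
    try:
        site = lookup_site(parse_unsigned("SiteId", params["SiteId"]))
        return 200, f"Welcome to {site['name']}"
    except Exception as exc:
        # Reveals exception type, attribute names and the offending value.
        return 500, f"{type(exc).__name__}: {exc}"


def handle_request_hardened(params: dict) -> tuple:
    """'when others' style: details to the server log, generic text to the client."""
    try:
        site = lookup_site(parse_unsigned("SiteId", params.get("SiteId", "")))
        return 200, f"Welcome to {site['name']}"
    except ValidationError as exc:
        log.info("rejected input: %s", exc)       # useful for detection, never shown to the user
        return 404, GENERIC_ERROR
    except Exception:
        ref = uuid.uuid4().hex[:8]                # correlation id for the ops team, kept server-side
        log.exception("unhandled error, ref=%s", ref)
        return 500, GENERIC_ERROR


if __name__ == "__main__":
    for raw in ["11", "-1", "0", "", "abc", "4294967296"]:   # constructed boundary values
        print(f"SiteId={raw!r:14} leaky={handle_request_leaky({'SiteId': raw})}")
        print(f"SiteId={raw!r:14} hardened={handle_request_hardened({'SiteId': raw})}")
```

The hardened handler deliberately returns the same text for a rejected value and for an internal failure; distinguishing them only in the log keeps the client response free of the structural hints the post describes.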

Have a good weekend, and fun with boundary value tests.

How to protect against Just-in-time malware

18 August 2015

On Sunday morning at the breakfast table I always read the latest issue of invincea’s The Cyber Intelligencer. In this week’s issue Michael Applebaum writes about just-in-time malware that is not recognized by any traditional or next generation endpoint protection tools. I fully agree with Michael that an attacker has to hijack only one endpoint to compromise an entire company network.

But it’s not necessary to exploit unpatched vulnerabilities or zero days. Just use a built-in weakness of the Windows OS, e.g. UAC not set to “Always notify me” by default, to get privileged access and start exploring the victim’s computer and network.

But the worst is yet to come: if the attacker is not too greedy and impatient, it is very hard to detect his activities because only standard Windows means are used.

Prevent, detect and contain are the keys to successful protection against such threats. In its report Defensive Best Practices for Destructive Malware the NSA’s Information Assurance Directorate shows the direction. It’s worth noting that most of the technical measures described in this report are just built-in functions of operating systems. No rocket science! But the measures on the people and process level make the difference. For details see e.g. the bullet point “Protect and restrict administrative privileges”.
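The two built-in controls named above, the UAC prompt level and the membership of the local Administrators group, can be audited with nothing more than PowerShell. The following is an added example, not a script from the post or from the NSA report; it assumes a Windows 10/11 or Server 2016+ host with PowerShell 5.1 or later (for Get-LocalGroupMember) and an elevated session.

```powershell
# Added example: audit (and optionally raise) the UAC level, then list local administrators.
# Registry values under this key are the documented UAC policy settings.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $PolicyKey
    # EnableLUA=1 switches UAC on. ConsentPromptBehaviorAdmin=2 together with
    # PromptOnSecureDesktop=1 is the "Always notify me" level; the Windows default is 5
    # ("notify me only when apps try to make changes"), and 0 means never notify.
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and
                                      $p.ConsentPromptBehaviorAdmin -eq 2 -and
                                      $p.PromptOnSecureDesktop -eq 1)
    }
}

function Set-UacAlwaysNotify {
    # Raises the prompt level to "Always notify me"; a change to EnableLUA needs a reboot.
    Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$posture = Get-UacPosture
$posture | Format-List
if (-not $posture.AlwaysNotify) {
    Write-Warning 'UAC is below "Always notify me". Run Set-UacAlwaysNotify to raise it.'
}

# "Protect and restrict administrative privileges": every principal listed here can cross
# the user/admin boundary, so the list should be short and reviewed regularly.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

In a domain the same settings are normally enforced through Group Policy (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options), which writes the same registry values; the script is useful for spot checks and for hosts outside the domain.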

Enjoy reading and have a good day!

Bypassing protection measures by direct upload of malicious content to OneDrive/Office 365

9 August 2015

I am happy about every email with malicious content or attachment, in particular if I find the mail in my inbox. Sounds strange, but it’s important to analyze the technology of the attackers to develop proper protection strategies.

Last Wednesday I spent an hour on the analysis of an obviously malicious email attachment. Outlook blocked access to the attachment without any error message. Therefore I logged in to my outlook.com account and opened the email:

Malicious Mail in Outlook.com

A click on “Download as zip” resulted in the following error message:

The file “Automatische Lastschrift konnte nicht vorgenommen werden 05.08.2015.zip” is infected with an unknown virus, so it isn’t safe to download.

Perfect! This explains the strange behavior of Outlook. But saving to OneDrive surprisingly works.

Malicious Mail Save to OneDrive

Some minutes later I uploaded the zip archive to VirusTotal and found that the malware was already known under the name Trojan:Win32/Bulta!rfn. For more details please see below.

When I extracted the nested zip archive to my local hard disk, the endpoint protection system correctly identified the program, blocked access and took the predefined action.

What happened? The attackers used a standard technique (malware in nested zip archives) to deliver their payload. The Outlook client and outlook.com both blocked downloading the payload because they identified a suspicious attachment.

But all protection could be bypassed by uploading the file to OneDrive. When OneDrive or Office 365 is used as a collaboration platform with suppliers and partners, an attacker could easily use this bypass to distribute malicious content across companies. In particular for zero-day exploits this may become a serious problem.

For protection against the download of malicious content from cloud services we have to change our endpoint protection strategy. The anti-malware systems on the surf proxy will not recognize the malicious objects because the data stream is encrypted (HTTPS). Even if the surf proxy breaks SSL, it is very likely that zero-day exploits, and already known viruses, are not identified. The same holds for the endpoint protection systems on the end users’ desktops.

But the first line of defense, the cloud provider, has the most important task. Bypassing protection by uploading malicious objects to the cloud storage is not acceptable. This strange behavior should be corrected as soon as possible. From the above we know that this is an easy task, because the system had already identified the attachment as malware.
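The delivery technique in this post, an executable hidden in a zip inside a zip, is what a scanner at any of the three layers (mail server, cloud storage, endpoint) has to see through. The following is an added Python example, not a tool from the post or from Microsoft: a small triage routine that unpacks nested zip archives in memory, flags members with executable extensions, double extensions or a PE (“MZ”) header, and reports the SHA-256 of each flagged member so it can be looked up on VirusTotal. The sample archive it inspects is constructed inside the script (the payload is only an “MZ” header plus padding, not a real program), and the depth and size limits are assumptions chosen for the illustration.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 5                         # stop unpacking archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate a single member beyond 50 MiB
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Constructed stand-in for a payload: a DOS/PE "MZ" header plus padding, not executable code.
PE_STUB = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real program"


def _extension(name: str) -> str:
    lower = name.lower()
    return lower[lower.rfind("."):] if "." in lower else ""


def inspect_archive(blob: bytes, depth: int = 0, path: str = "") -> list:
    """Walk a zip archive and every zip nested inside it; return a list of findings.

    Each finding is a dict with the member path (outer/inner/file), nesting depth,
    the reasons it was flagged and, for flagged files, the SHA-256 of the member bytes."""
    findings = []
    if depth > MAX_DEPTH:
        return [{"path": path, "depth": depth, "reasons": ["nested deeper than MAX_DEPTH"]}]
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [{"path": path or "<root>", "depth": depth, "reasons": ["not a valid zip file"]}]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"path": member_path, "depth": depth,
                                 "reasons": [f"member larger than {MAX_MEMBER_BYTES} bytes, not inflated"]})
                continue
            data = archive.read(info)
            ext = _extension(info.filename)
            # Nested archive (and not something like .jar that we flag on its own): recurse so the
            # payload is judged on its own bytes rather than on the harmless-looking wrapper.
            if ext not in EXECUTABLE_EXTENSIONS and zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(inspect_archive(data, depth + 1, member_path))
                continue
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
                if info.filename.lower().count(".") > 1:
                    reasons.append("double extension (e.g. .pdf.exe)")
            if data[:2] == b"MZ":
                reasons.append("starts with a PE/DOS 'MZ' header")
            if reasons:
                findings.append({"path": member_path, "depth": depth,
                                 "sha256": hashlib.sha256(data).hexdigest(), "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample: an outer zip wrapping an inner zip that carries the PE stub."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Rechnung.pdf.exe", PE_STUB)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Lastschrift_05.08.2015.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample()):
        print(finding)
```

Because the archive is read from bytes, the same function can be applied to an attachment pulled from a mail queue or to an object fetched from cloud storage before it reaches a user; the depth and size caps are there so that a decompression bomb cannot turn the scanner itself into the outage.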

Have a good week!


VirusTotal results: 2015-08-06 20:21:06 UTC

Detection rate: 23 / 55

AntiVirus              Result                                        Last Update
Avast                  Win32:Malware-gen                             20150806
Microsoft              Trojan:Win32/Bulta!rfn                        20150806
Ikarus                 Trojan.Win32.Crypt                            20150806
Arcabit                Trojan.Mikey.D538C                            20150806
DrWeb                  Trojan.Inject1.62743                          20150806
TrendMicro             TROJ_KR.2B7B2BF7                              20150806
TrendMicro-HouseCall   TROJ_KR.2B7B2BF7                              20150806
Avira                  TR/Crypt.Xpack.248161                         20150806
Rising                 PE:Trojan.Win32.Generic.18EBC66C!418104940    20150731
Sophos                 Mal/Generic-S                                 20150806
AVG                    Generic_r.FOY                                 20150806
Panda                  Generic Suspicious                            20150806
Emsisoft               Gen:Variant.Mikey.21388 (B)                   20150806
Ad-Aware               Gen:Variant.Mikey.21388                       20150806
BitDefender            Gen:Variant.Mikey.21388                       20150806
F-Secure               Gen:Variant.Mikey.21388                       20150806
GData                  Gen:Variant.Mikey.21388                       20150806
MicroWorld-eScan       Gen:Variant.Mikey.21388                       20150806
McAfee-GW-Edition      BehavesLike.Ransom.lc                         20150806
Kaspersky              Backdoor.Win32.Androm.humu                    20150806
Symantec               Backdoor.Matsnu                               20150806
McAfee                 Artemis!B65DB4920F67                          20150806
ESET-NOD32             a variant of Win32/Kryptik.DSND               20150806
ALYac                                                                20150806
AVware                                                               20150806
AegisLab                                                             20150806
Agnitum                                                              20150806
AhnLab-V3                                                            20150806
Alibaba                                                              20150803
Antiy-AVL                                                            20150806
Baidu-International                                                  20150806
Bkav                                                                 20150806
ByteHero                                                             20150806
CAT-QuickHeal                                                        20150806
ClamAV                                                               20150806
Comodo                                                               20150806
Cyren                                                                20150806
F-Prot                                                               20150806
Fortinet                                                             20150804
Jiangmin                                                             20150804
K7AntiVirus                                                          20150806
K7GW                                                                 20150806
Kingsoft                                                             20150806
Malwarebytes                                                         20150806
NANO-Antivirus                                                       20150806
Qihoo-360                                                            20150806
SUPERAntiSpyware                                                     20150806
Tencent                                                              20150806
TheHacker                                                            20150805
VBA32                                                                20150806
VIPRE                                                                20150806
ViRobot                                                              20150806
Zillya                                                               20150806
Zoner                                                                20150806
nProtect                                                             20150806

LIFARS: Hackers Disable ‘Smart’ Rifle and Change Its Target, Remotely

4 August 2015

When I read the LIFARS post ‘Hackers Disable ‘Smart’ Rifle and Change Its Target, Remotely’ I felt really appalled. Not so much because the rifle’s built-in Linux server was compromised, but rather because the software developers ignored every single security and safety requirement. Just one example from the post:

Every rifle contains a built-in network password that’s default and cannot be changed.

I do not know what planet these developers are living on, but it’s definitely not the earth.

From my point of view the software must force the marksman to change the password before he fires the first shot. In addition, two-factor authentication is mandatory in safety-relevant cases, on a per-transaction basis, and with the second factor always entered directly on the rifle. Preferably through a custom grip, like the Walther PPK that Q gave to 007 in Skyfall.
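The two requirements just stated, no operation until the factory password has been replaced and a second factor entered on the device for every transaction, can be modelled in a few dozen lines. This is an added Python example, not the rifle’s firmware or anything from the LIFARS post: the factory password, the PIN, the lockout threshold and the minimum password length are constructed values, and the grip sensor is reduced to a PIN string passed in by the caller.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the unchangeable factory password the post criticises.
FACTORY_DEFAULT_PASSWORD = "factory-default"
MIN_PASSWORD_LENGTH = 12           # assumed policy value
MAX_SECOND_FACTOR_FAILURES = 5     # assumed lockout threshold
KDF_ITERATIONS = 100_000


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash so a dumped credential store cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)


class DeviceAccess:
    """Access control for a safety-relevant device (hypothetical model).

    State 1: factory default active. Every privileged action is refused until the owner
             sets a new password ("change it before the first shot").
    State 2: password set. Each action still needs the password plus a PIN entered on the
             device itself, so the second factor never travels over the network."""

    def __init__(self, device_pin: str):
        self._pw_salt = os.urandom(16)
        self._pin_salt = os.urandom(16)
        self._pw_hash = _kdf(FACTORY_DEFAULT_PASSWORD, self._pw_salt)
        self._pin_hash = _kdf(device_pin, self._pin_salt)
        self.password_changed = False
        self._failures = 0

    def change_password(self, current: str, new: str) -> None:
        if not hmac.compare_digest(_kdf(current, self._pw_salt), self._pw_hash):
            raise PermissionError("current password incorrect")
        if new == FACTORY_DEFAULT_PASSWORD or len(new) < MIN_PASSWORD_LENGTH:
            raise ValueError("new password must differ from the factory default and have at least "
                             f"{MIN_PASSWORD_LENGTH} characters")
        self._pw_salt = os.urandom(16)           # fresh salt with every change
        self._pw_hash = _kdf(new, self._pw_salt)
        self.password_changed = True

    def authorize(self, password: str, pin_entered_on_device: str) -> bool:
        """One transaction = one authorization; both factors are checked every time."""
        if not self.password_changed:
            raise PermissionError("factory default still active: change the password first")
        if self._failures >= MAX_SECOND_FACTOR_FAILURES:
            raise PermissionError("device locked after repeated failed attempts")
        pw_ok = hmac.compare_digest(_kdf(password, self._pw_salt), self._pw_hash)
        pin_ok = hmac.compare_digest(_kdf(pin_entered_on_device, self._pin_salt), self._pin_hash)
        if not (pw_ok and pin_ok):
            self._failures += 1                   # count failures regardless of which factor failed
            return False
        self._failures = 0
        return True


if __name__ == "__main__":
    device = DeviceAccess(device_pin="4711")     # constructed PIN
    try:
        device.authorize(FACTORY_DEFAULT_PASSWORD, "4711")
    except PermissionError as err:
        print("refused:", err)
    device.change_password(FACTORY_DEFAULT_PASSWORD, "correct horse battery")
    print("authorized:", device.authorize("correct horse battery", "4711"))
```

The point of the model is where the checks sit: the password alone never unlocks anything, the PIN is verified against a hash held only on the device, and a locked device stays locked until an explicit reset, which is the behaviour one would expect from equipment where a wrong authorization decision has physical consequences.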

Imagine security and safety standards this bad in the billions of devices making up the Internet of Things universe. With this, Doomsday is no longer just a religious concept …

Sleep well!