Malware Minute: SQL Slammer

In this installment of Malware Minute, I decided to take it back a little old school and research and discuss SQL Slammer, a worm that infected over 75,000 computers and took out a major portion of the internet in 8.5 seconds in 2003. This was not the first malware to attack SQL servers, nor was it the first worm ever discovered, but it was a type of malware that transformed the way vulnerabilities are reported, as well as how Microsoft handled system patching.

Before getting into the details of this specific malware, it is very important to explain what a SQL Server is, for anyone out there who does not know. Most applications run off databases, which are large storage facilities for data. These databases come in a few varieties. Some use a language called SQL, and these are considered SQL databases; the most common of these are Microsoft SQL Server, MySQL, and Oracle. Others do not use the SQL language but instead use another type of scripting language; these are called NoSQL databases. When a website or application retrieves data, such as a username and password, it must connect to a server that is hosting a database and retrieve that information. As you can imagine, most of the internet is connected to a database.

SQL Slammer was derived from an exploit that security researcher David Litchfield developed ethically in 2002 while on an assignment. Litchfield developed the exploit from a tool called SQLPing that would send a single-byte packet with the value 0x02 to UDP port 1434 on a SQL Server (Litchfield, 2010). Litchfield, like most security researchers, became interested in what would happen if he changed the byte and incremented its value. He wrote a short program and tested it in a SQL Server 2000 test environment; this is when he initially discovered the exploit. He noticed that the value 0x08 crashed the server, became interested in what was happening, and so broke down the code and began exploring (Litchfield, 2010).

Essentially, through reverse engineering and analyzing the exploit, Litchfield found a way to own SQL servers by identifying a buffer overflow vulnerability. A buffer overflow is a condition in which a program attempts to put more data into a buffer (a section of allocated memory) than it can hold, which can corrupt data or give an attacker a way to execute malicious code. Litchfield reported this information to Microsoft; they released a patch, then allowed Litchfield to present his proof of concept at a security conference the following month (Litchfield, 2010).

While Litchfield is technically the writer of the exploit, he is not the author of the malware. Litchfield's purpose was to alert the security community to the need to apply the patch. However, someone took his proof-of-concept code and developed it into a worm that would replicate itself across many computers. Even though a patch had been released to secure the system, it was ineffective because many systems had not been patched to fix the vulnerability. This created a new code of ethics, so to speak, in the security world: exploits are now handled more responsibly, and vendors have changed how they release patches. The malware was stored only in memory (RAM) and could be wiped from a system by a restart. However, it could replicate itself and find its way back into the SQL Server system if the system was not patched.

This malware shows how responsibly security researchers must handle presenting their proofs of concept at security conferences, as well as the importance of vendors building and distributing patches and alerting their users when bugs are found.
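As an added example (not from the Litchfield article or this post), a small POSIX shell function that flags hosts spraying UDP port 1434 at many distinct destinations, the pattern a Slammer-style worm produces while it replicates. The log format, timestamps and addresses are constructed for this example.

```shell
#!/bin/sh
# Added example: spot Slammer-style scanning in a connection log.
# The worm replicated by sending UDP datagrams to port 1434 on many hosts,
# so one source reaching many distinct destinations on udp/1434 is the
# signal worth alerting on. Log format and addresses below are constructed.

SAMPLE_LOG='2003-01-25T05:30:01Z udp 10.0.0.5:1029 > 192.168.1.10:1434
2003-01-25T05:30:01Z udp 10.0.0.5:1029 > 192.168.1.11:1434
2003-01-25T05:30:01Z udp 10.0.0.5:1029 > 192.168.1.12:1434
2003-01-25T05:30:01Z udp 10.0.0.5:1029 > 192.168.1.13:1434
2003-01-25T05:30:02Z udp 10.0.0.7:1030 > 192.168.1.10:1434
2003-01-25T05:30:02Z tcp 10.0.0.9:40000 > 192.168.1.10:1433
2003-01-25T05:30:03Z udp 10.0.0.5:1029 > 192.168.1.14:1434
2003-01-25T05:30:03Z udp 10.0.0.5:1029 > 192.168.1.10:1434'

# slammer_scan_candidates [THRESHOLD]: reads log lines on stdin and prints
# "source_ip distinct_targets" for each source that reached at least
# THRESHOLD (default 3) distinct hosts on udp/1434. Repeated hits on the
# same target count once, and tcp/1433 (normal SQL client traffic) is ignored.
slammer_scan_candidates() {
    awk -v threshold="${1:-3}" '
        $2 == "udp" && $5 ~ /:1434$/ {
            split($3, src, ":"); split($5, dst, ":")
            pair = src[1] SUBSEP dst[1]
            if (!(pair in seen)) { seen[pair] = 1; targets[src[1]]++ }
        }
        END {
            for (ip in targets)
                if (targets[ip] >= threshold) print ip, targets[ip]
        }' | sort
}

# Convenience wrapper that runs the check over the embedded sample.
demo_slammer_scan() {
    printf '%s\n' "$SAMPLE_LOG" | slammer_scan_candidates "${1:-3}"
}
```

Pipe a real firewall or flow export through `slammer_scan_candidates` once its fields are mapped onto the same five columns; the threshold is the only tunable.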

Works Cited:

Litchfield, D. (2010). The Inside Story of SQL Slammer. Retrieved on April 10, 2019, from https://threatpost.com/inside-story-sql-slammer-102010/74589/

Malware Minute: Carbanak

Recently, I was listening to the podcast “Darknet Diaries,” and they had an episode on a malware campaign called Carbanak that primarily attacked banks. This attack was incredibly intriguing to me because of how organized the campaign was; I almost expected it to be an advertisement for another Ocean's movie. Carbanak used tactics that an organized crime unit would employ when robbing a bank. In this installment of Malware Minute, I hope to explain Carbanak and keep this post to a minute or two of reading.

Carbanak was a campaign targeting banks in which the adversary would remove roughly 2.5 to 10 million dollars before abandoning each victim (Kaspersky, n.d.). This malware was not advanced; it did not use any zero-day exploits or any new techniques. It simply used already-patched vulnerabilities on machines that had not installed the updates fixing those vulnerabilities.

A zero-day exploit targets a vulnerability that is exploited on the same day it is discovered. On day zero no patch has been developed, and malicious actors have a new hole to explore.

The Carbanak gang responsible for the malware targeted their victims using spear phishing emails, which are targeted emails that use social engineering to convince someone to click on a link (Trend Micro, 2019). When a user clicked the link in the email, it downloaded a malicious file that created a backdoor on the computer. Once the backdoor was in place, the Carbanak malware would run various commands such as keystroke logging, taking screenshots and checking the software running on the machine (Trend Micro, 2019). The attackers wanted to move around the network without being detected and attempted to familiarize themselves with the normal workflow of the victims. They moved laterally through the network using remote administration tools; once the systems they were targeting were breached, they recorded the victims, learned their normal workflow and used the information gathered to manipulate bank records and transfer funds (Trend Micro, 2019).

Once the attackers had gained access to the network, they were able to transfer money at will. They would hire mules to come to the bank at specific intervals and release thousands of dollars in cash, and the mules would take it and leave. Other times they would have the mules set up bank accounts holding odd amounts of money, such as $3.33, then run an update query to transfer millions of dollars into those accounts, and the henchmen would transfer it over the SWIFT network to the criminals' accounts.

Kaspersky Lab points out that the initial targets were Russian banks, but as time went on more countries became targets, including the United States (Kaspersky Lab, n.d.). In March 2018 the leader of the gang was arrested in Spain, but the attacks persist and continue to evolve.

This attack is proof of the importance of updating software. The compromises of 2016 could have been prevented if the banks had updated their software with the patches for vulnerabilities found and fixed by Microsoft in 2012 (Trend Micro, 2019). Phishing emails were also used to gain the initial foothold in the network; proper social engineering training is crucial to preventing this type of attack. Employees should know not to open suspicious emails and to check sender addresses to ensure they come from the correct domain.

Works Cited

Carbanak APT. (n.d.). Kaspersky Lab. Retrieved on April 3, 2019 from https://usa.kaspersky.com/resource-center/threats/carbanak-apt

Carbanak Threat Details and protection using Trend Micro Products. (2019). Trend Micro. Retrieved on April 3, 2019 from https://success.trendmicro.com/solution/1107858-carbanak-threat-details-and-protection-using-trend-micro-products#

Over the Wire Bandit Walk-through 2

Level 4:

This level required that I find the flag in the only human-readable file in the inhere directory. I thought about trying a few other ways of doing this, but what I intended worked on my first attempt, so I did not go any further. For this one, I used the cat command with an asterisk at the end of the filename. The asterisk is a wildcard that matches every file whose name starts with file, no matter what comes after it. When I used the command that way, it worked, and I only had to sort through a little bit of junk to find the password.

The password for level 5 is koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5:

I was incredibly surprised at how easily I figured this one out. I thought it would take me a long time; however, it only took me a few minutes with a little help from Google. The point of this challenge is to find a file in the inhere directory that is human-readable, 1033 bytes in size and not executable. In this challenge, I used the find command. Since I had some properties to match, I knew I would have to add a few extra flags to get to the file. Using the find command, I had to use the size flag to give the size of the file we wanted to see. Since the file size was 1033 bytes, the size was given as -size 1033c, and a readable as well as an executable flag had to be added. The readable flag is simply -readable, but since the file must not be executable, a ! is required before the -executable flag. This tells find that we do not want a file that is executable. After running this command the file ./maybehere07/.file2 is returned, so I run the cat command on that and the password for level 6 is returned.

Level 6 password is DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6:

Level 6 offered some challenges. This challenge was very similar to the last one; I had to look for a file that had three properties: it had to be owned by the user bandit7 and the group bandit6, and be 33 bytes in size. Initially I thought it would be very similar to the last challenge, except that I would have to search the entire drive and add the owners, and it would return the value I wanted. However, I kept getting stuck on a bunch of random characters and so forth. I googled how to sort through all of the information and figured out I could redirect the error output from the command to /dev/null, and it would return the path I wanted. From there I could cat the file. So I searched the entire drive by using / instead of just the period like last time; then, since I wanted a regular file that was 33 bytes in size, I used -type f and -size 33c. Next, the user and group needed to be given, so I used the -user and -group flags and redirected the errors to /dev/null. Then I was given the path and was able to cat the file.

Password for Level 7: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7:

Level 7 involved commands that I was very familiar with. The challenge was to find the password in the data.txt file, next to the word millionth. I knew from previous classes and other endeavors that grep was the perfect tool for this one. I was able to pipe the output of cat into grep with the word millionth, and it worked. When used, grep allows the user to locate specific information in a file.

Password for level 8: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
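The find(1) filters from levels 5 and 6, rerun against a scratch directory built on the fly so the flags can be checked offline. This is an added example, not part of the walkthrough: the directory layout, file names and file contents are constructed, and the level 6 function takes the user and group as arguments because bandit6 and bandit7 only exist on the game server.

```shell
#!/bin/sh
# Added example: exercise the find(1) filters from Bandit levels 5 and 6
# in a throwaway directory. Layout and contents are constructed here;
# only the flags mirror the walkthrough. Requires GNU find (-readable).

# Build the scratch tree and print its path.
setup_scratch() {
    root=$(mktemp -d)
    mkdir -p "$root/inhere/maybehere07" "$root/inhere/maybehere02"
    # Target for level 5: exactly 1033 bytes (1032 'A' + newline),
    # readable, not executable.
    printf '%1032s\n' '' | tr ' ' 'A' > "$root/inhere/maybehere07/.file2"
    # Decoy 1: same size but executable, so "! -executable" must reject it.
    cp "$root/inhere/maybehere07/.file2" "$root/inhere/maybehere02/-file1"
    chmod u+x "$root/inhere/maybehere02/-file1"
    # Decoy 2: readable but the wrong size.
    printf 'not it\n' > "$root/inhere/maybehere02/.file3"
    # Target for level 6: exactly 33 bytes (32 characters plus newline).
    printf '%32s\n' '' | tr ' ' 'x' > "$root/inhere/maybehere07/.file33"
    echo "$root"
}

# Level 5: human-readable, 1033 bytes, not executable. The c suffix makes
# -size match exact bytes; without it find rounds up to 512-byte blocks.
level5_find() {
    find "$1/inhere" -type f -size 1033c -readable ! -executable
}

# Level 6: owned by USER and GROUP, 33 bytes; stderr is dropped as in the
# post so permission-denied noise from unreadable directories disappears.
# Usage: level6_find ROOT USER GROUP  (the game uses bandit7 and bandit6)
level6_find() {
    find "$1" -type f -user "$2" -group "$3" -size 33c 2>/dev/null
}

# Walk both levels against the scratch tree and print the paths found.
demo_bandit_find() {
    root=$(setup_scratch)
    level5_find "$root"
    level6_find "$root" "$(id -un)" "$(id -gn)"
    rm -rf "$root"
}
```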

Malware Minute: Mirai Botnet

The proliferation of IoT (Internet of Things: think Alexa) devices has brought about many complications in IT security. A scan of the types of devices presented at a consumer trade show would turn up hundreds of devices ranging from “smart shoes” to “smart cars.” These types of devices are constantly growing in number, yet they have very little security in place, and many of them cannot be patched if vulnerabilities are found. It is the sad state of technology and the best dream possible for malicious actors.

The availability of vulnerable IoT devices has created a flourishing environment for adversaries by providing many machines from which to carry out attacks. One incredibly famous piece of malware that used this to its advantage was Mirai. Before getting into the specifics of what Mirai was, I think it is incredibly important to explain what a botnet is.

According to Cloudflare, a botnet is a group of computers that have been infected with malware that gives control of them to a malicious actor (Cloudflare, n.d.). Essentially, the owner of the computer has relinquished control of it to another person with ill intent. When many of these devices are compromised together they make up a network of robots under the control of a single person, hence the name botnet.

So what was the Mirai botnet? Paras Jha and Josiah White, cofounders of Protraf Solutions, created the Mirai botnet to sell DDoS attack mitigation (Cloudflare, n.d.). The creators were attacking companies and then offering services to protect against their own attacks. A DDoS attack floods a network with requests that render it useless, sometimes taking systems down for hours and costing businesses approximately $10,000 or more per hour of downtime. When Mirai infects a device it looks for other strains of malware on it and wipes them, to ensure it is the only malware that owns the device (Fruhlinger, 2018).

In 2016, a massive DDoS attack left much of the internet down along the east coast of the United States (Fruhlinger, 2018). Researchers realized that the Mirai botnet had caused this. The Mirai botnet was able to compromise over 100,000 IoT devices by scanning sections of the internet for IoT devices that were using default credentials (Cloudflare, n.d.). Due to the weak security of the devices, the botnet was able to own many of those machines and carry out a large DDoS attack.

The Mirai botnet is mutating: many other, more powerful botnets have been created from Mirai's source code, such as Reaper (Cloudflare, n.d.). This type of malware, and how it infects devices, is further proof of the need to change default passwords and use password managers for strong, unique passwords, as well as multi-factor authentication, to keep devices from being infected with these strains of malware. Mirai was stored in the memory of the device it infected, so a simple reboot would wipe the malware from the device; however, without changing the password to a stronger one, the device would likely be reinfected shortly thereafter (Fruhlinger, 2018).
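An inventory check in the spirit of the advice above: compare each device's configured login against a list of factory defaults and report the ones a Mirai-style scanner would still get into. This is an added example, not code from the cited sources; the inventory, the default-credential list and the device names are all constructed.

```shell
#!/bin/sh
# Added example: flag inventoried IoT devices still using factory logins,
# the weakness Mirai's scanner relied on. Both lists are constructed for
# this example; a real check would pull the inventory from your asset
# database and the defaults from the vendors' documentation.

# Known factory credentials, one "user:password" pair per line (constructed).
DEFAULT_CREDS='admin:admin
admin:password
root:root
root:12345
user:user'

# Device inventory as "hostname,user,password" (constructed sample).
INVENTORY='cam-lobby-01,admin,admin
cam-dock-02,admin,Xk9#vQ2!pL
dvr-warehouse,root,12345
router-branch,user,Br4nch-R0uter-2019
thermostat-3f,root,root'

# audit_default_creds: reads the inventory on stdin and prints the hostname
# of every device whose user:password pair is on the default list. A pair
# matches only when both user and password agree, so a default username
# with a changed password is not reported.
audit_default_creds() {
    awk -v defaults="$DEFAULT_CREDS" '
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++) bad[lines[i]] = 1
            FS = ","
        }
        ($2 ":" $3) in bad { print $1 }'
}

# audit_summary: prints "N of M devices on factory credentials" and exits
# non-zero when any were found, so the check can gate a deployment.
audit_summary() {
    total=$(printf '%s\n' "$INVENTORY" | wc -l | tr -d ' ')
    hits=$(printf '%s\n' "$INVENTORY" | audit_default_creds | wc -l | tr -d ' ')
    printf '%s of %s devices on factory credentials\n' "$hits" "$total"
    [ "$hits" -eq 0 ]
}
```

The reboot-then-reinfection cycle the post describes is exactly what this list predicts: every device it reports will be back in the botnet until its credentials are changed.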

Works Cited

What is The Mirai Botnet? (n.d.). Cloudflare. Retrieved on April 1, 2019 from https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/

Fruhlinger, J. (2018). The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet. CSO. Retrieved on April 1, 2019, from https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html

Over The Wire Bandit Walk-through 1

For the last few weeks I have been playing a war game at OverTheWire.org called Bandit. The game essentially teaches Linux basics. I thought it would be a great opportunity to share how I came to the results in my blog. This specific blog post goes through levels zero through 3.

Level 0:

This level is simple. The objective is to log in to the server using SSH, then look for the readme file that has the password stored in it and read it.

First I log into the server then use the listing command ls to show the files. There is a file named readme so I use the cat command to print the contents of the readme file.

The password for level 1 is boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1:

In level 1 I need to read a file that does not have a traditional filename; instead it has a special character as the filename. When reading files in Linux it is necessary to use an escape character to read a file whose name uses special characters. This is done by using the string combination ./

For this level I again used ls to read the listing of files in the directory. I see that the directory has a file named -; in order to read a file that is named with a special character I have to use the escape combination ./ and the cat command.

The password for level 2 is CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2:

This level requires that I read a file that has spaces in its name. Again an escape character is needed to do this; if an escape character were not used then cat would try to read each word in the filename as a different file and would likely give an error saying “spaces does not exist in this directory” or something to that effect. The solution to this problem is to use the escape character \ before each space in the name. The command looks like this: cat spaces\ in\ this\ filename

Since we use the escape character, cat reads the filename as if it were one string.

The password for level 3 is UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3:

This level requires that I find a hidden file in the inhere directory. For this level it is necessary to use a few other commands. First I use the change directory command, cd, to change to the inhere directory. Since the file is hidden, if I were to run ls I would not find any files. So I have to use a special command that shows all files in a directory: the list-all command, ls with the a flag. The command is crafted as ls -a. As can be seen in the screenshot below, we see a .hidden file. In order to read the file an escape character is required because the file begins with a special character. I used the backslash again for this, so the command reads cat \.hidden

The password for level 4 is pIwrPrtPN36QITSp3EQaw936yaFoFgAB
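Levels 1 to 3 in one runnable form: build the three awkward filenames in a scratch directory, show why the naive cat call on the spaced name fails, then read each file the way the walkthrough does. This is an added example, not from the post; the file names and contents are constructed.

```shell
#!/bin/sh
# Added example: the three filename hazards from Bandit levels 1-3, built in
# a scratch directory. Contents are constructed; only the techniques match
# the walkthrough.

# Create the scratch directory and print its path.
setup_names_scratch() {
    root=$(mktemp -d)
    printf 'dash-file-contents\n' > "$root/-"
    printf 'spaced-file-contents\n' > "$root/spaces in this filename"
    mkdir "$root/inhere"
    printf 'hidden-file-contents\n' > "$root/inhere/.hidden"
    echo "$root"
}

# Level 1: a file named "-". Plain "cat -" reads standard input instead,
# so the path is prefixed with ./ to stop cat treating it as an option.
read_dash_file() {
    (cd "$1" && cat ./-)
}

# Level 2: spaces must be escaped (or the name quoted); otherwise the shell
# splits the name into four separate arguments and cat looks for four
# files. naive_spaces shows that failure and returns cat's non-zero status.
naive_spaces() {
    (cd "$1" && cat spaces in this filename 2>/dev/null)
}
read_spaced_file() {
    (cd "$1" && cat spaces\ in\ this\ filename)
}

# Level 3: names starting with "." are hidden from plain ls; ls -a lists
# them. The backslash in the walkthrough's "cat \.hidden" is harmless
# because "." is not special to the shell, so the same form is used here.
list_hidden() {
    (cd "$1/inhere" && ls -a)
}
read_hidden_file() {
    (cd "$1/inhere" && cat \.hidden)
}
```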

Malware Minute: LockerGoga

Over the last two years, malware known as ransomware has grown significantly. One of the most famous examples was WannaCrypt, also notoriously known as WannaCry, which used the EternalBlue exploit developed by the NSA and kept secret until the NSA data leaks. While WannaCry was crippled by Marcus Hutchins' (aka MalwareTech) discovery of a kill switch, this has not prevented other ransomware developers from continuing down the path that the original developers (possibly the Lazarus Group of Pyongyang) laid out. Petya and then NotPetya became household names in the security world, and ransomware became a known threat to many businesses as well as government agencies, thus incentivizing operating system and anti-virus companies to offer backup packages to subscribers.

Since the beginning of the year, security researchers have been watching a newer strain of ransomware called LockerGoga. LockerGoga was first submitted to the malware database VirusTotal on January 24, 2019 (Rashid, 2019). This specific malware targets the industrial and manufacturing sector, which is very different from other variants of ransomware such as NotPetya and WannaCry, and recently forced Norwegian aluminum manufacturer Norsk Hydro to switch to manual operations (Greenberg, 2019). Ransomware affects users by encrypting all the files on their computer's hard drives and delivering a ransom note demanding that the user pay, usually in bitcoin, to the developers to receive the key that will decrypt all their files. If the ransom is not paid within a specific amount of time, the data is encrypted forever or wiped from the device. Many organizations that have fallen prey to these types of attacks have been forced to pay the ransom to continue operating unless they had proper off-site backups of their data (see SamSam ransomware and Atlanta, GA).

For the industrial and manufacturing sector, ransomware can be very disruptive. According to threat researchers, this strain of malware is particularly disruptive: it shuts down computers completely, locks out users, and even makes it difficult to pay the ransom (Greenberg, 2019). Researchers are still determining how LockerGoga infects its targets and spreads through networks; unlike the similar ransomware NotPetya and WannaCry, the malware does not have worm-like abilities (Rashid, 2019). MalwareHunterTeam has noted that the target's credentials seem to be known prior to initial infection, possibly obtained through phishing campaigns (Greenberg, 2019).

In many malware operations, as in any development operation, the tools undergo continual development, refining processes and improving capabilities. Palo Alto Networks' security research team Unit 42 believes that the group behind LockerGoga is still refining the ransomware and figuring out how to add command-and-control features by calling undocumented Windows APIs and manipulating the dynamically linked Windows libraries that handle network connections (Rashid, 2019).

LockerGoga again proves the need for proper backups, security policies, and employee training. Norsk Hydro has declined to pay the ransom but is looking at a rebuilding cost upwards of 80 million dollars, having already spent 40 million in the last week (Rashid, 2019). The cost of recovering from this type of attack is often higher than the attack itself, and could easily cause a smaller organization to go bankrupt.

Works Cited

Greenberg, A. (2019). A Guide to LockerGoga, The Ransomware Crippling Industrial Firms. WIRED. Retrieved on March 28, 2019, from https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/

Rashid, F. (2019). Researchers Still Unraveling LockerGoga Ransomware. Decipher. Retrieved on March 28, 2019, from https://duo.com/decipher/researchers-still-unraveling-lockergoga-ransomware