BruCON 2010 : Day 0x2
[WORKSHOP] – Malicious PDF Analysis
Didier Stevens spared no expense and prepared an impressive lab, offering all sorts of PDF exercise files. Trying to squeeze weeks and months of research into a 2 hour workshop, he managed to make things look so simple and took the time to explain how to use his tools to dissect PDF files, find malicious code, extract it and analyze the code. He was even generous enough to include his chapter from an (unfortunately cancelled) malware analysis book.
Update : Didier has posted the pdf analysis ebook on his blog. You can download the file here
The lab was built around 2 tools written by Didier : pdfid.py and pdf-parser.py
We also learned how PDF encryption works (basically, only contents are encrypted, but not the structure, so you can still analyze the structure with the tools… but they won’t decrypt the contents). Encrypting a PDF can be done using DRM (which, in essence, protects the file with an owner password). Didier mentions that QPDF can be used to further analyze encrypted files, or to create encrypted PDF files.
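As an added illustration (not code from the workshop and not one of Didier's tools): a minimal structural scan over a constructed, encrypted PDF fragment. It shows that dictionary names remain readable when /Encrypt is present, while the stream bytes are opaque; the keyword list and the sample bytes are assumptions of this example.

```python
import re
from collections import Counter

# Names worth counting during triage (list chosen for this example).
KEYWORDS = ["/Encrypt", "/OpenAction", "/AA", "/JS", "/JavaScript", "/ObjStm"]

# A PDF name is "/" followed by characters that are neither whitespace nor delimiters.
NAME = re.compile(rb"/[^\x00\t\n\f\r /<>\[\](){}%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def pdf_names(data: bytes):
    """Yield every name token, with #xx escapes decoded (/J#61vaScript -> /JavaScript)."""
    for m in NAME.finditer(data):
        raw = HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group())
        yield raw.decode("latin-1")

def triage(data: bytes) -> dict:
    """Count structural keywords; names are not encrypted, so this works on encrypted files."""
    counts = Counter(pdf_names(data))
    report = {k: counts[k] for k in KEYWORDS}
    report["encrypted"] = counts["/Encrypt"] > 0
    return report

# Constructed sample: an encrypted document whose stream bytes are opaque,
# while the dictionaries around them are still readable.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Length 16 >>\nstream\n" + bytes(range(0x80, 0x90)) +
    b"\nendstream\nendobj\n"
    b"6 0 obj\n<< /Filter /Standard /V 2 /R 3 /P -44 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Encrypt 6 0 R >>\n"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:12} {value}")
```

The scan tells you which objects deserve a closer look; reading what those strings and streams actually contain still requires decrypting the file first.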
If you ever get the chance to take Didier’s workshop, don’t hesitate. You’ll love it !
Repelling the Wily Insider : Finding backdoors in code
Matias Madou (Principal Security Researcher at Fortify) introduces his talk by explaining that he focuses on new techniques for finding vulnerabilities (static and dynamic analysis), and new ways to protect web apps.
Matias explains that a vast number of insiders (employees) still pose a substantial risk to the company. But the real danger may come from developers. Developers have access to source code and might leave backdoors (intentionally or not).
The main motives for leaving backdoor-like code inside applications are money and revenge.
Some interesting examples where “special” code was planted in applications are :
- various open source / public disclosures
- anonymized commercial / enterprise code
- the 2004 obfuscated voting contest (Stanford), where
  - votes should be counted correctly in test mode
  - one candidate should be favored
  - the code should not get detected by human code reviews
Classes of insider threats :
- (Medco 2008) : compare current date with a certain date, and delete files (destructive)
- (Linux 2005) : if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
  - This code actually sets uid to 0 (only one =)
  - Bug/Authorization issue
- (Borland’s Interbase 2003) : if (username == "politically" and password == "correct") // grant access
  - Tried to fix a chicken & egg issue, hardcoded a username & password in the application
  - Authentication issue, Hardcoded sensitive data
Logic or Time Bomb : Malicious code lies dormant until a trigger is reached (time, logic).
Backdoors & Secret Credentials : Provide covert access to the system in the future :
- code that allows remote access
- adding hardcoded credentials
- adding a master password
Some cases : Borland Interbase, WordPress backdoor (iz), Optix Pro (2004), Subseven (2000) (the last 2 apps are backdoor apps that… are backdoored themselves)
Fixed communication channel to transfer data out of the organization (via a network socket, via emails, posting it to an evil website, etc). The transfer could be time based, change trigger based, etc.
The code is usually static and cannot be changed.
Dynamic code injection / manipulation
This refers to techniques which abuse reflection, perform resource rewrites, do runtime compilation, perform class loader abuse, and so on.
There are not a lot of known cases that use this type of malicious code (because it’s pretty complex to do… it usually is easier to hardcode code into the application).
Obfuscation / Camouflage
Usually applied to other techniques, to prevent manual code reviewers from finding the special code. Techniques to do this include making use of encoding/decoding functions.
Techniques for defenders :
How can we uncover malicious code ?
Peer review : This catches obviously suspicious strings/code in the code base. But what if the code does not look that suspicious, and the issue is introduced by nothing more than “=” instead of “==” ? Examples like this are really hard to spot.
Static analysis : While this is not “the” magic solution (because it’s hard to define “what to look for” and “where to start”), it might help to get you some ideas so you can dive deeper into specific parts of the source code.
Matias mentions that you should think about “what would people try to do”, and look for references to that. If you want to find instances where people try to grab an entire database and send it somewhere else, you may want to look for instructions that will read from the database, and instructions that would set up network sockets.
Inserting credentials into a user database table might be suspicious as well. Looking for email addresses / mailing APIs is a good idea too. Finding, for example, “if” statements that use “=” instead of “==” is also useful. And the list goes on.
Runtime testing : QA
Extensive functional testing can help, but we might be interested in the code that is not running / not running all the time (dead code). If the backdoor is time based for example, it’s most likely not going to run at test time.
Runtime testing : production
Look for anomalies – unexpected spikes in traffic for example, or performance issues. These might indicate that something unusual is happening (such as dumping the database and transferring it over the network).
Interpret the results
Matias continues by explaining that interpreting the results is important as well. The first step in the exercise is to order the results based on their importance/impact. This might help code reviewers to look at specific parts of the code. If you find a date/time comparison routine in a login script, then this might be suspicious and may be a high priority target.
If you combine all that knowledge and techniques, Matias says, it may be possible to turn them into some rules and apply priorities based on those rules, pretty much building upon Jeff Williams’ paper on the subject and extending it with more rules.
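To make the “what to look for” and prioritization ideas above concrete, here is an added example (not code from the talk, Fortify, or Jeff Williams’ paper): a small line-based scanner that flags the patterns mentioned and ranks them, raising the priority for findings in authentication code and for a database read that shares a file with socket setup. The rule patterns, weights, file names and sample sources are all constructed assumptions.

```python
import re

# Constructed rules: (name, base priority, per-line pattern). Patterns and weights
# are assumptions of this example, not the rule set presented in the talk.
RULES = [
    ("assignment-in-condition", 3, re.compile(r'\bif\s*\(.*[^=!<>]=(?!=)')),
    ("hardcoded-credential",    3, re.compile(r'(user\w*|pass\w*)\s*==\s*"[^"]*"', re.I)),
    ("date-time-trigger",       2, re.compile(r'\bif\s*\(.*\b(time|date|now)\w*\s*\(', re.I)),
    ("database-read",           1, re.compile(r'\bSELECT\b.*\bFROM\b', re.I)),
    ("network-socket",          1, re.compile(r'\b(socket|connect)\s*\(')),
]
EXFIL = {"database-read", "network-socket"}

def scan(files):
    """files maps path -> source text; returns (priority, path, line, rule), highest first."""
    findings = []
    for path, text in files.items():
        hits = [(no, name, prio)
                for no, line in enumerate(text.splitlines(), 1)
                for name, prio, rx in RULES if rx.search(line)]
        kinds = {name for _, name, _ in hits}
        for no, name, prio in hits:
            if re.search(r"login|auth", path, re.I):
                prio += 2   # trigger or credential logic in an authentication path
            if name in EXFIL and EXFIL <= kinds:
                prio += 2   # database read and socket setup in the same file
            findings.append((prio, path, no, name))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

# Constructed sample files, modelled on the examples quoted in the talk.
SAMPLE = {
    "sample/wait.c": 'if ((options == (__WCLONE|__WALL)) && (current->uid = 0))\n'
                     '    retval = -EINVAL;\n',
    "web/login.c": 'if (username == "politically" && password == "correct") grant();\n'
                   'if (time(NULL) > 1293840000) purge_files();\n',
    "jobs/report.c": 'rows = query("SELECT * FROM customers");\n'
                     'fd = socket(AF_INET, SOCK_STREAM, 0);\n'
                     'if (rows == NULL) return;\n',
}

if __name__ == "__main__":
    for prio, path, no, name in scan(SAMPLE):
        print(f"P{prio} {path}:{no} {name}")
```

Per-line regular expressions like these produce false positives and miss anything split across lines, so the ranked output is a reading list for reviewers rather than a verdict.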
What will people with malicious intentions try to do ?
- make the code look as real as possible, and as benign as possible
- understand defender’s capabilities to detect/discover and act accordingly
- use tools that might help to hide/insert code
Matias closes his talk by explaining that, despite all the efforts, catching malicious insiders is like looking for a needle in a haystack.
Most companies tend to ignore the problem. Others may have a change management process in place that might help detect malicious code as it gets inserted into the source. But if we are talking about big code changes, it would still be very complex to actually read and interpret every single code change.
If the insider has bad intentions, odds are very high that he will succeed. He might get caught afterwards, but harm might be done already.
Head Hacking – The Magic Of Suggestion And Perception
He will talk about types of social engineering, tools for the job and journey to enlightenment, and provide some tips on how to apply this knowledge in our day-to-day lives.
Social Engineering (SE), Dale says, is all about.. lying… about convincing people to believe something.
- Opportunist : attractive individual, available time-wise, got some skills about SE, sometimes first-timers can be classified as “opportunists”
- Natural confidence : talk the talk, but don’t always walk the walk. They are good communicators, and are comfortable interacting with people. They may lack some expertise/experience with SE
- Professional : Skilled in InfoSec, regimented, knowledgeable. They have more art, use less science
- Seasoned Pro (ninjas) : They have repetition and experience on their side. They know how to handle confrontation and are passionate about SE. Most of them think they know everything.
- Master Manipulator : He understands how and why. They have done a lot of testing, done research, and are ready to change techniques to make them more successful (constant evolution). They have a game plan. (Not just A->B, but have a whole series of plans and ways to get to the goal). They have multiple outs. They are passionate, dedicated and creative. One of the bad things is that they tend to be real cocky bastards :)
How can we utilize the power of our minds, linguistics and observations to become the master manipulator ? Dale explains what he has been working on over the last months and years to get more proficient in this area, and what we need to focus on in order to get better at this as well.
- Limbic system (animalistic – fight or flight – reactive)
- Subconscious (power house) : takes in about 11000000 pieces of information a second
- Conscious (our reality) : based on what we perceive to be priority information
First of all, in order to become more proficient at SE / Head Hacking, you need to be committed. You need to be focused and you need to focus your target on you and what you are telling him. You need to have a planned path and you have to be able to put the target in the best position so he can be easily persuaded. Finally, you need to reach some sort of agreement. You have to make the target accept that you are where you are and that it’s not strange or unacceptable that you’re there. Also, it might help to choose the right side ear, because that’s the best way to reach the part of the brain that will help you reach your goal. Finally, you have to stay true to what you say. Putting that together, you’ll have to make the leap. By sending signals to the target, making him believe that you do belong here or where you need to be, it will become easier to reach that goal.
Because “Everything happens for a reason”. If you start a sentence with “because”, you might already take away possible doubts about why you want to do something.
The index finger. By making certain subtle changes to the way you talk about something, you can influence people to select something in particular, or make a certain choice.
NLP : Neuro-Linguistic Programming. Getting familiar with these techniques, you will be able to achieve your goals in a better/faster way. NLP is essentially a study of therapy. It’s not a science. It’s an art, a process, based on thinking about why something works in a certain way. In NLP, rapport is important. We like people who are like us, and they like us. Mimicking each other may be a good signal to indicate that there’s a certain level of rapport happening. That means that you can build up rapport with someone, convincing him that you are trustworthy and that person might start sharing private details about his life with you.
NLP is built around frames. Each individual has a frame, something that surrounds him and describes how that person lives his life. By using NLP scripts, you can try to ReFrame, manipulate people to start doing something else.
The question you need to ask yourself first is “What would it take to make it happen ?”, so you can define what you need, what needs to be done to get there, and to what extent you will have to manipulate people.
NLP Pattern examples :
- Redefinition – Change the focus and question during the talk.
- Agreement – Agree on the negative, focus to the positive ( = your idea / requirement)
- Awareness – Bring attention to something, key words. Emphasize certain words, utilize language to focus on certain key words
- Interruption – create confusion, information overflow, derailment. Use the opportunity to insert your own idea/goal, don’t wait until the target resumes “normal operation”. Use that one or 2 seconds to inject your code.
When you are trying NLP for the first time, be prepared to get disappointed many times. Be prepared to work hard, but don’t make things overly complex.
Maybe it works to just ask. Just ask for a password. It might work. We all have to answer something.
To take things to another level, you can also try to use some techniques related with hypnosis. Hypnosis is based on neuro-hypnotism, and aims at putting someone into a wakeful state of focused attention. Using the focus and subconscious communication (art of vagueness and assumption), you may be able to close the gap and get the target to do what you want him to do. Dale says that, as he was reading more about hypnosis, he came across the “Rapid Induction Technique (Anthony Jacquin wrote a book about it)”, allowing you to play the game in just a matter of seconds.
The main thing is : Keep it simple (language-wise, story-wise, etc).
Try to interrupt normal reasoning and inject your code. Use pattern interrupts, 7+ Open loops (brains can handle that number of stories without an end). Speak in ambiguous terms. Make suggestions. Create a YES set (make the target think that everything you say is true).
Reinforcement is key. Pacing and leading is important. You can take a direct or indirect approach. Share the experience, send body signals that will emphasize what you say. Either way, the ultimate goal is to make the target do exactly what you want.
From a protection point of view : Educate, Empower, Test, Communicate, Make it personal, don’t be a target, and be mindful. Don’t stop learning, don’t assume you know everything already.
I’m not a social engineering expert at all, but I have been very intrigued by hypnosis and NLP myself for a long time, so I really looked forward to and enjoyed this talk. It is clear that this art takes a lot of practice, a “No Fear” attitude, and a pair of balls of steel.
Good job Dale !
The Hex Factor
Although I had planned most part of my day in advance (and wanted to attend more talks in the afternoon) I ended up doing something else. I noticed that my friends from Ascure were taking “The Hex Factor” challenge, so I decided to sit down with them and observe how they were hacking their way into various systems and taking other hacking challenges…
For the record, and as I mentioned in yesterday’s post, “The Hex Factor” is a Capture The Flag game, held during the conference. Because a lot of people, volunteers, worked really really hard building the challenges and hosting the Hex Factor machines, I think their hard work deserves a warm round of applause and a lot of respect.
Anyways, I ended up looking at one of the challenges myself (a reverse engineering exercise) and I have to admit… the Hex Factor builders really did an awesome job. (you have an evil wicked mind, Didier !) Because “The Hex Factor” will be organized during some other conferences in the next couple of months (Hack In The Box, SANS London), I’m not going to spoil the fun by disclosing solutions about the challenges… If you have the opportunity to take the challenges… man… I can guarantee this : you are going to love it !
By the way – the Ascure team won the contest this year. Big thumbs up to the team, it was a pleasure watching you guys working together and winning the game. (And in case anyone is wondering… no… I didn’t do anything to help them)
Another high five goes to 0xtosh. He came in fifth place… on his own. No team, just solo skillz. Respect.
By the time the Hex Factor finished, the BruCON lightning talks were about to start, so I rushed back to the Westvleteren meeting room and watched how MC’s-on-duty Chris John Riley and Dale Pearson turned another episode of the lightning talks into a success.
Presentation slides & other blogs
Rootshell (Xavier Mertens) write-up about BruCON
All presentations can be found here :
BruCON 2010 is over – looking forward to BruCON 2011
Next, I would like to thank all of the volunteers that made BruCON a success. Although this was just the second edition, and driven by volunteers and supported by a few sponsors, everything was handled and managed in a very professional manner. But what is even more important is the fact that I really enjoyed the atmosphere. You could smell passion, talent, skills and mutual respect in the air… Do I need to say more ?
Finally, I would like to say hi to the nice people I met at BruCON… looking forward to meeting you again some time soon folks !
© 2010, Corelan Team (corelanc0d3r). All rights reserved.