{"id":5065,"date":"2010-09-25T10:24:12","date_gmt":"2010-09-25T08:24:12","guid":{"rendered":"http:\/\/www.corelan.be:8800\/?p=5065"},"modified":"2010-09-25T10:24:12","modified_gmt":"2010-09-25T08:24:12","slug":"brucon-2010-day-0x2","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2010\/09\/25\/brucon-2010-day-0x2\/","title":{"rendered":"BruCON 2010 : Day 0x2"},"content":{"rendered":"<h3>[WORKSHOP] \u2013 Malicious PDF Analysis<\/h3>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/bruconlogo3.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 30px; display: inline; border-width: 0px;\" title=\"bruconlogo\" src=\"\/wp-content\/uploads\/2010\/09\/bruconlogo_thumb3.jpg\" border=\"0\" alt=\"bruconlogo\" width=\"116\" height=\"71\" align=\"right\" \/><\/a> I started the second day at BruCON with attending the workshop about analyzing malicious pdf files.<\/p>\n<p><a href=\"http:\/\/blog.didierstevens.com\/\">Didier Stevens<\/a> spared no expense and prepared an impressive lab, offering all sorts of pdf exercise files.\u00a0 Trying to squeeze in weeks and months of research into a 2 hour workshop, he managed to make things look so simple and took the time to explain how to use his tools to dissect pdf files, find malicious code, extract it and analyze the code.\u00a0 He even was so generous to include his chapter from a (unfortunately cancelled) malware analysis book.<\/p>\n<blockquote><p>Update : Didier has posted the pdf analysis ebook on his blog. 
You can download the file <a href=\"https:\/\/web.archive.org\/web\/20201227001723\/http:\/\/didierstevens.com\/files\/data\/malicious-pdf-analysis-ebook.zip\" target=\"_blank\" rel=\"noopener\">here<\/a><\/p><\/blockquote>\n<p>The lab was built around 2 tools written by Didier : pdfid.py and pdf-parser.py<\/p>\n<p>Where the first exercises used plain simple javascript instructions, we quickly had to start analyzing files that contained obfuscated javascript, used vulnerabilities in pdf readers (and used javascript to perform heap spraying), or contained other files embedded inside the pdf file.<\/p>\n<p>We also learned how pdf encryption works (basically, only contents are encrypted, but not the structure, so you can still analyze the structure with the tools\u2026 but it won\u2019t decrypt it). Encrypting a pdf can be done using DRM (which, in essence, protects the file with an owner password). Didier mentions that\u00a0 <a href=\"http:\/\/qpdf.sourceforge.net\/\">QPDF<\/a> can be used to further analyze encrypted files, or to create encrypted pdf files.<\/p>\n<p>Summarizing the workshop, Didier explains that this is just the beginning. We only analyzed some simple examples, but he also stresses that most of the current malware examples found in the wild use javascript\/javascript obfuscation one way or another.<\/p>\n<p>If you ever get the chance to take Didier\u2019s workshop, don\u2019t hesitate. 
You\u2019ll love it !<\/p>\n<p>Some related links :<\/p>\n<p><a title=\"http:\/\/blog.didierstevens.com\/programs\/pdf-tools\/\" href=\"http:\/\/blog.didierstevens.com\/programs\/pdf-tools\/\">http:\/\/blog.didierstevens.com\/programs\/pdf-tools\/<\/a><\/p>\n<p>http:\/\/media.software.com.pl\/hakin9\/en\/Listingi\/03_2009\/Anatomy_of_Malicious_PDF_Documents.rtf<\/p>\n<h3>Repelling the Wily Insider : Finding backdoors in code<\/h3>\n<p>Matias Madou (Principal Security Research at Fortify) introduces his talk by explaining that he focuses on finding new techniques for finding vulnerabilities (static and dynamic analysis), and new ways to protect web apps.<\/p>\n<h4>Insider threats<\/h4>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/250920105592.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 0px 0px 15px; display: inline; border-width: 0px;\" title=\"25092010559\" src=\"\/wp-content\/uploads\/2010\/09\/25092010559_thumb2.jpg\" border=\"0\" alt=\"25092010559\" width=\"205\" height=\"154\" align=\"right\" \/><\/a> Matias explains that still a vast amount of insiders (employees) pose a substantial risk to the company.\u00a0 But the real danger may come from developers. 
Developers have access to source code and might leave backdoors (intentionally or not).<\/p>\n<p>The main motives for leaving backdoor-like code inside applications are money and revenge.<\/p>\n<p>Some interesting examples where \u201cspecial\u201d code was planted in applications are<\/p>\n<ul>\n<li>various open source \/ public disclosures<\/li>\n<li>anonymized commercial \/ enterprise code<\/li>\n<li>the 2004 obfuscated voting contest (Stanford), where\n<ul>\n<li>votes should be counted correctly in test mode<\/li>\n<li>one candidate should be favored<\/li>\n<li>the code should not get detected by human code reviews<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>Classes of insider threats :<\/h4>\n<ul>\n<li>(Medco 2008) : compare current date with a certain date, and delete files (destructive)<\/li>\n<li>(Linux 2005) : if ((options == (__WCLONE|__WALL)) &amp;&amp; (current-&gt;uid = 0))\n<ul>\n<li>This code actually sets uid to 0 (a single = assigns, where == would compare)<\/li>\n<li>Bug\/Authorization issue<\/li>\n<\/ul>\n<\/li>\n<li>(Borland\u2019s Interbase 2003) : if (username == \u201cpolitically\u201d and password == \u201ccorrect\u201d)\u00a0 \/\/ grant access\n<ul>\n<li>Tried to fix a chicken &amp; egg issue, hardcoded a username &amp; password in the application<\/li>\n<li>Authentication issue, hardcoded sensitive data<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/25092010560.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 0px 0px 10px; display: inline; border-width: 0px;\" title=\"25092010560\" src=\"\/wp-content\/uploads\/2010\/09\/25092010560_thumb.jpg\" border=\"0\" alt=\"25092010560\" width=\"242\" height=\"182\" align=\"right\" \/><\/a> The way Matias wants to classify the issues (based on the technique you need to use to find the issues) :<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Logic or Time Bomb <\/span><\/strong>: Malicious code lies dormant until a trigger is reached (time, logic).<\/p>\n<p><strong><span 
style=\"text-decoration: underline;\">Backdoors &amp; Secret Credentials<\/span><\/strong> : Provide covert access to the system in the future :<\/p>\n<ul>\n<li>code that allows remote access<\/li>\n<li>adding hardcoded credentials<\/li>\n<li>adding a master password<\/li>\n<li>etc<\/li>\n<\/ul>\n<p>Some cases : Borland Interbase, WordPress backdoor (iz), Optix Pro (2004), Subseven (2000)\u00a0 (the last 2 apps are backdoor apps that\u2026 are backdoored themselves)<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Nefarious communications<\/span><\/strong><\/p>\n<p>Fixed communication channel to transfer data out of the organization (via a network socket, via emails, posting it to an evil website, etc).\u00a0 The transfer could be time based, change trigger based, etc.<br \/>\nThe code is usually static and cannot be changed.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Dynamic code injection \/ manipulation<\/span><\/strong><\/p>\n<p>This refers to techniques which abuse reflection, perform resource rewrites, do runtime compilation, abuse class loaders, and so on.<\/p>\n<p>There are not a lot of known cases that use this type of malicious code (because it\u2019s pretty complex to do\u2026 it usually is easier to hardcode code into the application).<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Obfuscation \/ Camouflage<\/span><\/strong><\/p>\n<p>Usually applied to other techniques, to prevent manual code reviewers from finding the special code. 
Techniques to do this include making use of encoding\/decoding functions.<\/p>\n<h4>Techniques for defenders :<\/h4>\n<p>How can we uncover malicious code ?<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Peer review <\/span><\/strong>: Catches obviously suspicious strings\/code in the code base.\u00a0 But what if the code does not look that suspicious, and the issue is just a matter of \u201c=\u201d instead of \u201c==\u201d ?\u00a0 Examples like this are really hard to spot.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Static analysis<\/span><\/strong> : While this is not \u201cthe\u201d magic solution (because it\u2019s hard to define \u201cwhat to look for\u201d and \u201cwhere to start\u201d), it might help to get you some ideas so you can dive deeper into specific parts of the source code.<\/p>\n<p>Matias mentions that you should think about \u201cwhat would people try to do\u201d, and look for references to that.\u00a0 If you want to find instances where people try to grab an entire database and send it somewhere else, you may want to look for instructions that will read from the database, and instructions that would set up network sockets.<\/p>\n<p>Inserting credentials into a user database table might be suspicious as well.\u00a0 Looking for email addresses \/ mailing APIs is a good idea as well.\u00a0 Finding for example \u201cif\u201d statements that use \u201c=\u201d\u00a0 instead of \u201c==\u201d is useful as well.\u00a0 And the list goes on.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Runtime testing : QA<\/span><\/strong><\/p>\n<p>Extensive functional testing can help, but we might be interested in the code that is not running \/ not running all the time (dead code).\u00a0 If the backdoor is time based for example, it\u2019s most likely not going to run at test time.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Runtime testing : production<\/span><\/strong><\/p>\n<p>Look for 
anomalies \u2013 unexpected spikes in traffic for example, or performance issues. These might indicate that something unusual is happening (such as dumping the database and transferring it over the network).<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Interpret the results<\/span><\/strong><\/p>\n<p>Matias continues by explaining that interpreting the results is important as well.\u00a0 The first step in the exercise would be to order the results based on importance\/impact.\u00a0 This might help code reviewers to look at specific parts of the code.\u00a0 If you find a date\/time comparison routine in a login script, then this might be suspicious and may be a high priority target.<\/p>\n<p>If you combine all that knowledge and those techniques, Matias says, it may be possible to turn them into some rules and apply priorities based on those rules, pretty much building upon <a href=\"https:\/\/web.archive.org\/web\/20190810063836\/https:\/\/www.owasp.org\/index.php\/User:Jeff_Williams\">Jeff Williams\u2019<\/a> paper on the subject and extending it with more rules.<\/p>\n<h4>What will people with malicious intentions try to do ?<\/h4>\n<ul>\n<li>make the code look as real as possible, and as benign as possible<\/li>\n<li>understand the defender\u2019s capabilities to detect\/discover and act accordingly<\/li>\n<li>use tools that might help to hide\/insert code<\/li>\n<\/ul>\n<p>Matias closes his talk by explaining that, despite all the efforts, catching malicious insiders is like looking for a needle in a haystack.<\/p>\n<p>Most companies tend to ignore the problem. 
Others may have a change management process in place that might help detecting malicious code as it gets inserted into the source.\u00a0 But if we are talking about big code changes, it would still be very complex to actually read and interpret every single code change.<\/p>\n<p>If the insider has bad intentions, odds are very high that he will succeed.\u00a0 He might get caught afterwards, but harm might be done already.<\/p>\n<h3>Head Hacking \u2013 The Magic Of Suggestion And Perception<\/h3>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/25092010561.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; border-width: 0px;\" title=\"25092010561\" src=\"\/wp-content\/uploads\/2010\/09\/25092010561_thumb.jpg\" border=\"0\" alt=\"25092010561\" width=\"242\" height=\"182\" align=\"left\" \/><\/a> Dale Pearson, \u201cHead Hacker\u201d, kicks off his session by explaining that he will talk about hacking humans, hacking minds\u2026 Social Engineering basically.<\/p>\n<p>He will talk about types of social engineering, tools for the job and journey to enlightenment, and provide some tips on how to apply this knowledge in our day-to-day lives.<\/p>\n<p>Social Engineering (SE), Dale says, is all about.. lying\u2026 about convincing people to believe something.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/25092010562.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 0px 0px 10px; display: inline; border-width: 0px;\" title=\"25092010562\" src=\"\/wp-content\/uploads\/2010\/09\/25092010562_thumb.jpg\" border=\"0\" alt=\"25092010562\" width=\"242\" height=\"182\" align=\"right\" \/><\/a> There are various types of social engineering :<\/p>\n<ul>\n<li>Opportunist : attractive individual, available time-wise, got some skills about SE, sometimes first-timers can be classified as \u201copportunists\u201d<\/li>\n<li>Natural confidence : talks the talk, but don\u2019t always walk the walk. 
They are good communicators, and are comfortable interacting with people. They may lack some expertise\/experience with SE<\/li>\n<li>Professional : Skilled in InfoSec, regimented, knowledgeable. They have more art, use less science<\/li>\n<li>Seasoned Pro (ninjas) : They have repetition and experience on their side. They know how to handle confrontation and are passionate about SE.\u00a0 Most of them think they know everything.<\/li>\n<li>Master Manipulator : He understands how and why. They have done a lot of testing, done research, and are ready to change techniques to make them more successful (constant evolution).\u00a0 They have a game plan. (Not just A-&gt;B,\u00a0 but have a whole series of plans and ways to get to the goal).\u00a0 They have multiple outs.\u00a0 They are passionate, dedicated and creative. One of the bad things is that they tend to be real cocky bastards \ud83d\ude42<\/li>\n<\/ul>\n<p>How can we utilize the power of our minds, linguistics and observations to become the master manipulator ?\u00a0 Dale explains what he has been working on over the last months and years to get more proficient in this area, and what we need to focus on in order to get better at this as well.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/25092010563.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; border-width: 0px;\" title=\"25092010563\" src=\"\/wp-content\/uploads\/2010\/09\/25092010563_thumb.jpg\" border=\"0\" alt=\"25092010563\" width=\"242\" height=\"182\" align=\"left\" \/><\/a> He starts by explaining that the best tool for the job is your brain !\u00a0 There are 3 important parts of the brain :<\/p>\n<ul>\n<li><strong><em>Limbic system<\/em><\/strong> (animalistic \u2013 fight or flight \u2013 reactive)<\/li>\n<li><strong><em>Subconscious <\/em><\/strong>(power house) : takes in about 11000000 pieces of information a second<\/li>\n<li><strong><em>Conscious<\/em><\/strong> (our reality) : 
based on what we perceive to be priority information<\/li>\n<\/ul>\n<p>First of all, in order to become more proficient at SE \/ Head Hacking, you need to be <strong><span style=\"text-decoration: underline;\">committed<\/span><\/strong>. You need to be focused and you need to focus your target on you and what you are telling him.\u00a0 You need to have a planned path and you have to be able to put the target in the best position so he can be easily persuaded.\u00a0 Finally, you need to reach some sort of agreement. You have to make the target accept that you are where you are and that it\u2019s not strange or unacceptable that you\u2019re there.\u00a0 Also, it might help to choose the right side ear, because that\u2019s the best way to reach the part of the brain that will help you reach your goal.\u00a0 Finally, you have to stay true to what you say. Putting that together, you\u2019ll have to make the leap. By sending signals to the target, making him believe that you do belong here or where you need to be, it will become easier to reach that goal.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Because <\/span><\/strong>\u201cEverything happens for a reason\u201d.\u00a0 If you start a sentence with \u201cbecause\u201d, you might already take away possible doubts about why you want to do something.<\/p>\n<p>The <strong><span style=\"text-decoration: underline;\">index finger<\/span><\/strong>. By making certain subtle changes to the way you talk about something, you can influence people to select something in particular, or make a certain choice.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">NLP <\/span><\/strong>: Neuro-Linguistic Programming.\u00a0 Getting familiar with these techniques, you will be able to achieve your goals in a better\/faster way.\u00a0\u00a0 NLP is essentially a study of therapy. It\u2019s not a science. 
It\u2019s an art, a process, based on thinking about why something works in a certain way.\u00a0 In NLP, rapport is important.\u00a0 We like people who are like us, and they like us.\u00a0 Mimicking each other may be a good signal to indicate that there\u2019s a certain level of rapport happening.\u00a0 That means that you can build up rapport with someone, convincing him that you are trustworthy and that person might start sharing private details about his life with you.<\/p>\n<p>NLP is built around frames.\u00a0 Each individual has a frame, something that surrounds him and describes how that person lives his life.\u00a0\u00a0 By using NLP scripts, you can try to ReFrame, manipulate people to start doing something else.<\/p>\n<p>The question you need to ask yourself first is \u201cWhat would it take to make it happen ?\u201d, so you can define what you need, what needs to be done to get there, and to what extent you will have to manipulate people.<\/p>\n<p>NLP Pattern examples :<\/p>\n<ul>\n<li>Redefinition \u2013 Change the focus and question during the talk.<\/li>\n<li>Agreement \u2013 Agree on the negative, focus on the positive ( = your idea \/ requirement)<\/li>\n<li>Awareness \u2013 Bring attention to something, key words. Emphasize certain words, utilize language to focus on certain key words<\/li>\n<li>Interruption \u2013 create confusion, information overflow, derailment. Use the opportunity to insert your own idea\/goal, don\u2019t wait until the target resumes \u201cnormal operation\u201d. Use that one or 2 seconds to inject your code.<\/li>\n<\/ul>\n<p>When you are trying NLP for the first time, be prepared to get disappointed many times. Be prepared to work hard, but don\u2019t make things overly complex.<\/p>\n<p>Maybe it works to just ask.\u00a0 Just ask for a password. It might work. 
We all have to answer something.<\/p>\n<p>To take things to another level, you can also try to use some techniques related to hypnosis.\u00a0 Hypnosis is based on neuro-hypnotism, and aims at putting someone into a wakeful state of focused attention.\u00a0 Using the focus and subconscious communication (art of vagueness and assumption), you may be able to close the gap and get the target to do what you want him to do.\u00a0 Dale says that, as he was reading more about hypnosis, he came across the \u201cRapid Induction Technique\u201d (Anthony Jacquin wrote a book about it), allowing you to play the game in just a matter of seconds.<\/p>\n<p>The main thing is : Keep it simple\u00a0 (language-wise, story-wise, etc).<\/p>\n<p>Try to interrupt normal reasoning and inject your code.\u00a0 Use pattern interrupts, 7+ Open loops (brains can handle that number of stories without an end).\u00a0 Speak in ambiguous terms.\u00a0 Make suggestions. Create a YES set (make the target think that everything you say is true).<\/p>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/25092010564.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; border-width: 0px;\" title=\"25092010564\" src=\"\/wp-content\/uploads\/2010\/09\/25092010564_thumb.jpg\" border=\"0\" alt=\"25092010564\" width=\"242\" height=\"182\" align=\"left\" \/><\/a> Reinforcement is key. Pacing and leading is important. You can take a direct or indirect approach.\u00a0 Share the experience, send body signals that will emphasize what you say.\u00a0 Either way, the ultimate goal is to make the target do exactly what you want.<\/p>\n<p>From a protection point of view : Educate, Empower, Test, Communicate, Make it personal, don\u2019t be a target, and be mindful. 
Don\u2019t stop learning, don\u2019t assume you know everything already.<\/p>\n<p>I\u2019m not a social engineer expert at all, but I have been very intrigued by hypnosis and NLP myself for a long time, so I really looked forward and have enjoyed this talk. It is clear that this art takes a lot of practice, \u201cNo Fear\u201d attitude, and a pair of balls of steel.<\/p>\n<p>If you are interested in this topic, check out http:\/\/www.youtube.com\/user\/headhacking, <a href=\"https:\/\/web.archive.org\/web\/20110207060723\/http:\/\/www.headhacker.net:80\/videos\/\">http:\/\/www.headhacker.net\/videos\/<\/a><\/p>\n<p>Contact Dale : <a href=\"mailto:dale@headhacker.net\">dale@headhacker.net<\/a> \/ <a href=\"https:\/\/twitter.com\/headhacking\">https:\/\/twitter.com\/headhacking<\/a> and <a href=\"https:\/\/twitter.com\/dalepearson\">https:\/\/twitter.com\/dalepearson<\/a><\/p>\n<p>Good job Dale !<\/p>\n<h3>The Hex Factor<\/h3>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/image29.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2010\/09\/image_thumb29.png\" border=\"0\" alt=\"image\" width=\"242\" height=\"176\" align=\"left\" \/><\/a>Although I had planned most part of my day in advance (and wanted to attend <a href=\"http:\/\/blog.c22.cc\/2010\/09\/25\/brucon-top-5-ways-to-destroy-a-company\/\">more talks<\/a> in the afternoon) I ended up doing something else.\u00a0 I noticed that my friends from <a href=\"http:\/\/www.ascure.com\">Ascure<\/a> were taking \u201cThe Hex Factor\u201d challenge, so I decided to sit down with them and observe how they were hacking their way into various systems and taking other hacking challenges\u2026<\/p>\n<p>For the record, and as I mentioned in yesterday\u2019s post, \u201cThe Hex Factor\u201d is a Capture The Flag game, held during the conference.\u00a0 Because a lot of people, volunteers, worked really really hard 
building the challenges and hosting the Hex Factor machines, I think their hard work deserves a warm round of applause and a lot of respect.<\/p>\n<p>&lt;applause&gt;<\/p>\n<p>Anyways, I ended up looking at one of the challenges myself (a reverse engineering exercise) and I have to admit\u2026\u00a0 the Hex Factor builders really did an awesome job. (you have an evil wicked mind, <a href=\"https:\/\/blog.didierstevens.com\">Didier<\/a> !)\u00a0 Because \u201cThe Hex Factor\u201d will be organized during some other conferences in the next couple of months (Hack In The Box, SANS London), I\u2019m not going to spoil the fun by disclosing solutions about the challenges\u2026\u00a0 If you have the opportunity to take the challenges\u2026 man\u2026 I can guarantee this : you are going to love it !<\/p>\n<p>By the way \u2013 the Ascure team won the contest this year. Big thumbs up to the team, it was a pleasure watching you guys work together and win the game.\u00a0 (And in case anyone is wondering\u2026 no\u2026 I didn\u2019t do anything to help them)<\/p>\n<p>Another high five goes to <a href=\"https:\/\/twitter.com\/0xtosh\">0xtosh<\/a>. He came in fifth place\u2026 on his own. No team, just solo skillz. Respect.<\/p>\n<p>By the time the Hex Factor finished, the BruCON <a href=\"http:\/\/2010.brucon.org\/index.php\/Lightning_Talks\">lightning talks<\/a> were about to start, so I rushed back to the Westvleteren meeting room and watched how MC\u2019s-on-duty Chris John Riley and Dale Pearson turned another episode of the lightning talks into a success.<\/p>\n<p>After the lightning talks ended, <a href=\"http:\/\/tombstone-bbs.co.uk\/\" target=\"_blank\" rel=\"noopener\">WickedClown<\/a> was awarded the \u201cbest lightning talk\u201d prize (about an RDP vulnerability). 
You can listen to his lightning talk <a href=\"http:\/\/www.tombstone-bbs.co.uk\/brucon\/talk-wv-full.html\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<h3>Presentation slides &amp; other blogs<\/h3>\n<h4>Rootshell (Xavier Mertens) write-up about BruCON<\/h4>\n<p><a title=\"http:\/\/blog.rootshell.be\/2010\/09\/26\/brucon-2010-wrap-up\/\" href=\"http:\/\/blog.rootshell.be\/2010\/09\/26\/brucon-2010-wrap-up\/\">http:\/\/blog.rootshell.be\/2010\/09\/26\/brucon-2010-wrap-up\/<\/a><\/p>\n<h4>All presentations can be found here :<\/h4>\n<p><a href=\"http:\/\/2010.brucon.org\/index.php\/Presentations\">http:\/\/2010.brucon.org\/index.php\/Presentations<\/a><\/p>\n<h3>BruCON 2010 is over \u2013 looking forward to BruCON 2011<\/h3>\n<p>Before finishing this post, I wanted to share some nice pictures, featuring Chris John Riley doing his lightning talk about <a href=\"http:\/\/blog.c22.cc\/2010\/09\/25\/ua-tester-1-0-released-now-with-38-more-pimp\/\">UA-Tester<\/a>, dressed as an evil hax0r pimp\u2026\u00a0 (slides <a href=\"http:\/\/c22blog.files.wordpress.com\/2009\/01\/uatester_brucon_lt.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>)<\/p>\n<p><a href=\"\/wp-content\/uploads\/2010\/09\/25092010565.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"25092010565\" src=\"\/wp-content\/uploads\/2010\/09\/25092010565_thumb.jpg\" border=\"0\" alt=\"25092010565\" width=\"166\" height=\"125\" \/><\/a> <a href=\"\/wp-content\/uploads\/2010\/09\/25092010566.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"25092010566\" src=\"\/wp-content\/uploads\/2010\/09\/25092010566_thumb.jpg\" border=\"0\" alt=\"25092010566\" width=\"166\" height=\"125\" \/><\/a> <a href=\"\/wp-content\/uploads\/2010\/09\/25092010567.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"25092010567\" 
src=\"\/wp-content\/uploads\/2010\/09\/25092010567_thumb.jpg\" border=\"0\" alt=\"25092010567\" width=\"168\" height=\"126\" \/><\/a> <a href=\"\/wp-content\/uploads\/2010\/09\/5023593322_5d3cb5041d_o.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"5023593322_5d3cb5041d_o\" src=\"\/wp-content\/uploads\/2010\/09\/5023593322_5d3cb5041d_o_thumb.jpg\" border=\"0\" alt=\"5023593322_5d3cb5041d_o\" width=\"94\" height=\"126\" \/><\/a><\/p>\n<p>Next, I would like to thank all of the volunteers that made BruCON a success. Although this was just the second edition, and driven by volunteers and supported by a few sponsors, everything was handled and managed in a very professional manner.\u00a0 But what is even more important is the fact that I really enjoyed the atmosphere.\u00a0 You could smell passion, talent, skills and mutual respect in the air\u2026\u00a0 Do I need to say more ?<\/p>\n<p>Finally, I would like to say hi to the nice people I met at BruCON\u2026 looking forward to meeting you again some time soon folks !<\/p>\n<p>%%EOF<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[WORKSHOP] \u2013 Malicious PDF Analysis I started the second day at BruCON with attending the workshop about analyzing malicious pdf files. 
Didier Stevens spared no expense and prepared an impressive lab, offering all sorts of pdf exercise files.\u00a0 Trying to squeeze in weeks and months of research into a 2 hour workshop, he managed to &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2010\/09\/25\/brucon-2010-day-0x2\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"BruCON 2010 : Day 0x2\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2250,127],"tags":[2477,2310],"class_list":["post-5065","post","type-post","status-publish","format-standard","hentry","category-cons-seminars","category-security","tag-pdf","tag-hacking"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>BruCON 2010 : Day 0x2 - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2010\/09\/25\/brucon-2010-day-0x2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BruCON 2010 : Day 0x2 - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta 
property=\"og:description\" content=\"[WORKSHOP] \u2013 Malicious PDF Analysis I started the second day at BruCON with attending the workshop about analyzing malicious pdf files. Didier Stevens spared no expense and prepared an impressive lab, offering all sorts of pdf exercise files.\u00a0 Trying to squeeze in weeks and months of research into a 2 hour workshop, he managed to &hellip; Continue reading &quot;BruCON 2010 : Day 0x2&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2010\/09\/25\/brucon-2010-day-0x2\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2010-09-25T08:24:12+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/09\\\/25\\\/brucon-2010-day-0x2\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/09\\\/25\\\/brucon-2010-day-0x2\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"BruCON 2010 : Day 0x2\",\"datePublished\":\"2010-09-25T08:24:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/09\\\/25\\\/brucon-2010-day-0x2\\\/\"},\"wordCount\":3027,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"pdf\",\"hacking\"],\"articleSection\":[\"Cons and 
Seminars\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/09\\\/25\\\/brucon-2010-day-0x2\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/09\\\/25\\\/brucon-2010-day-0x2\\\/\",\"name\":\"BruCON 2010 : Day 0x2 - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2010-09-25T08:24:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/09\\\/25\\\/brucon-2010-day-0x2\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/09\\\/25\\\/brucon-2010-day-0x2\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/09\\\/25\\\/brucon-2010-day-0x2\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BruCON 2010 : Day 0x2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"de
scription\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BruCON 2010 : Day 0x2 - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2010\/09\/25\/brucon-2010-day-0x2\/","og_locale":"en_US","og_type":"article","og_title":"BruCON 2010 : Day 0x2 - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"[WORKSHOP] \u2013 Malicious PDF Analysis I started the second day at BruCON with attending the workshop about analyzing malicious pdf files. 
Didier Stevens spared no expense and prepared an impressive lab, offering all sorts of pdf exercise files.\u00a0 Trying to squeeze in weeks and months of research into a 2 hour workshop, he managed to &hellip; Continue reading \"BruCON 2010 : Day 0x2\"","og_url":"https:\/\/www.corelan.be\/index.php\/2010\/09\/25\/brucon-2010-day-0x2\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2010-09-25T08:24:12+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r"},"views":2870,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true}