How a research project at Fox-IT enhances your security career

Internships are a great way to assess a student’s capabilities. Fox-IT is always looking for talented individuals who have proven that they have what it takes to be ‘a foxer’.

At Fox-IT we hold our colleagues to the highest (technical) knowledge standard. If everyone is held to this high standard, we can ensure the quality of our products and services, as well as having capable colleagues in a challenging but, above all, exciting environment.

Internships are an excellent way to engage in research that can be futuristic or visionary. Not all research leads to the expected positive results, but that is why it is called research after all. Typically, a student researches and then builds a PoC (Proof of Concept) of one of the many processes or technologies that we need. We introduce the student to the world of IT security in a very focused manner. This usually involves a very narrow area of research that concentrates on a single problem. Supervision by ‘a foxer’ who knows the intricacies of the problem we are trying to solve allows us to get the best out of the student. “The more focused the research, the better” is the motto here. Students usually spend five months on their project, which is quite short for research, testing and quality work, especially once you include all the documentation the educational institutes require.

How does one enrol for security research at Fox-IT?

I’ll start with an example of how our enrolment process works. A student looks at the list of available projects on our website and registers by sending an email to, with their CV, the projects that interest them, and why. This email is then forwarded to the student coordinators of the responsible division for processing. Let me just say that there are always custom projects for capable, motivated students; the online list can never be considered complete or exhaustive. If you have a brilliant idea of your own, do not hesitate to submit it as a proposal.

I receive the details of students that relate to MSS (Managed Security Monitoring) and send them an email or ring them to arrange an interview at Fox-IT HQ. The interview lets me get to know the candidate and their capabilities, and guide them towards the projects that best suit the skills they already have. At this stage we figure out the best course of action. In the end we have a research proposal that describes what will be done during the internship.

Different types of Internships
There are three types of interns inside Fox-IT. The first is what I would call a standard internship, which involves working in our dedicated intern room, focusing on the research and producing results. The second type is the external or very short internship, done externally without the student coming to Fox-IT every day. I’m personally not a big fan of these internships, and they are rare. The third type is MSS specific: the intern is also tested for acceptance into the SOC excellence program, and otherwise can always be a standard intern (see ). Their research projects are enriched by the front-line experience they gain working part-time in our SOC (Security Operations Center).

Over the years we have had interns from many different countries and educational institutes. Most are from inside the EU (as I am myself), but also from places such as Mexico, India or Jamaica. For these students, or anyone else living too far from Delft, we offer a temporary place to rent, which we, very originally, call the ‘Fox House’.

The difference between Fox-IT and others
Frankly, I can only speak for how things are done at MSS, but every day is guaranteed to be different. New exploits to analyse, new interesting incidents to investigate or new detection methods to develop are the norm. As a matter of principle, Fox-IT encourages technical creativity. This gives us room for cutting-edge innovation, such as Quantum Insert detection (), which allows us to make a difference not only for our customers but also for the wider community. So if you want to take part in our continuous innovation, consider a Fox-IT internship.

As a side note, a substantial minority of the staff are international and many of our processes run in English, so I wouldn’t call Fox-IT your typical Dutch company. In short, Fox-IT offers students a friendly, technically competent and international environment in which to do their research and progress their career.

Barry Weymes
Senior Security Expert at MSS

Seen in the wild: Updated Exploit Kits

In early March, after one of our network sensors flagged an incident at one of our customers, we noticed traffic going to a rather suspicious .biz domain. Looking into the details of this domain, we found it registered to someone named “Lukas Vask”.


A reverse WHOIS lookup on just the email address showed that Mister Vask owns 88 domains: 3 .com, 1 .net, 70 other gTLDs and 14 ccTLDs.
When we reviewed the same data some days later, he had registered another 78 domains.

A small sample list of unique domains used:


Alongside the unique domains above, we noticed a simple form of domain generation. A base name made of three to five words from the English dictionary is registered under both the .org and .biz TLDs. A single letter is then appended to the base, ascending through the alphabet, and each of these variants is again registered under both .org and .biz.

A small example list of the used words:

We’ve seen the following being used in the wild:



These pages are serving the Nice Pack exploit kit at this time.

Nice Pack Exploit Kit

Previous versions of the Nice Pack exploit kit used JavaScript with the old-fashioned try/catch constructs, which are easily detected by IDS signatures. For the new landing page the creators took the time to stay clear of IDS detection by using far more heavily obfuscated JavaScript, with no obvious use of known functions. The combination of randomly named variables and functions makes these landing pages harder to detect.

Sample landing page:

Deobfuscated it looks like this:

Nice Pack uses a combination of Adobe PDF and Java exploits to drop its malware.
The Java exploit targets CVE-2012-1723. The Adobe PDF exploit could not be determined, as the exploit kit appears to be missing files: a 404 is returned where the malicious PDF should be served.

One way of determining whether you are dealing with a Nice Pack domain is to make an HTTP request to port 443; the response you get back includes a little hint.

Checksums of the malicious Nice Pack files:

Sweet Orange Exploit Kit

While looking further into Mister Vask, we found another form of domain generation, used to spread the Sweet Orange exploit kit.
This scheme works like the alphabet one, but appends an ascending number instead of a letter. We have seen the following in use:


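The two naming schemes described above (a dictionary-word base extended with ascending letters for Nice Pack, with ascending numbers for Sweet Orange, each registered under .org and .biz) are regular enough to hunt for in bulk registration or passive DNS data. The script below is an added example, not code from the original post; the domain names in it are constructed to mirror both schemes, since the post’s own lists are not preserved on this page. It groups labels into families by checking, for every candidate base, whether the base plus consecutive letters or consecutive numbers is also registered.

```python
"""Group exploit-kit domains that follow the two naming schemes described above.

Scheme 1 (Nice Pack): a base of three to five dictionary words, registered under
.org and .biz, then the same base with a single ascending letter appended.
Scheme 2 (Sweet Orange): the same idea, with an ascending number appended.
"""
from collections import defaultdict
from string import ascii_lowercase

# Constructed sample input (the post's own domain lists did not survive on this
# page); the names are invented to mirror both schemes, plus some benign noise.
SAMPLE_DOMAINS = [
    "silvermountainriver.org", "silvermountainriver.biz",
    "silvermountainrivera.org", "silvermountainrivera.biz",
    "silvermountainriverb.org", "silvermountainriverb.biz",
    "silvermountainriverc.org", "silvermountainriverc.biz",
    "greenforestwind1.org", "greenforestwind1.biz",
    "greenforestwind2.org", "greenforestwind2.biz",
    "greenforestwind3.biz",
    "fox-it.com", "example.net", "mail7.biz",
]


def _consecutive(values):
    """True for a run of at least two integers increasing by exactly one."""
    return len(values) >= 2 and all(b - a == 1 for a, b in zip(values, values[1:]))


def find_families(domains, min_variants=3):
    """Return {base_label: info} for bases that are repeatedly extended with
    consecutive letters or numbers. A family needs at least `min_variants`
    distinct labels (the bare base counts if it is registered itself)."""
    by_label = defaultdict(set)  # second-level label -> TLDs it is registered under
    for d in domains:
        d = d.lower().strip()
        if "." not in d:
            continue
        label, tld = d.rsplit(".", 1)
        by_label[label].add(tld)

    # Candidate bases: every label as-is, minus a trailing number, minus its last char.
    candidates = set()
    for label in by_label:
        candidates.add(label)
        candidates.add(label.rstrip("0123456789"))
        candidates.add(label[:-1])

    families = {}
    for base in candidates:
        if len(base) < 3:
            continue
        letters = [c for c in ascii_lowercase if base + c in by_label]
        numbers = sorted(int(lbl[len(base):]) for lbl in by_label
                         if lbl.startswith(base) and lbl[len(base):].isdigit())
        for scheme, suffixes in (("letter", letters), ("number", numbers)):
            ordinals = [ord(s) for s in suffixes] if scheme == "letter" else suffixes
            if not _consecutive(ordinals):
                continue
            labels = [base + str(s) for s in suffixes]
            if base in by_label:
                labels.insert(0, base)
            if len(labels) < min_variants:
                continue
            tlds = set()
            for lbl in labels:
                tlds |= by_label[lbl]
            families[base] = {
                "scheme": scheme,
                "suffixes": suffixes,
                "tlds": sorted(tlds),
                "registered": sum(len(by_label[lbl]) for lbl in labels),
            }
    return families


if __name__ == "__main__":
    for base, info in sorted(find_families(SAMPLE_DOMAINS).items()):
        print("%s  scheme=%s suffixes=%s tlds=%s registered=%d" % (
            base, info["scheme"], info["suffixes"],
            ",".join(info["tlds"]), info["registered"]))
```

Raising `min_variants` trades recall for precision: legitimate sites do register `name1`/`name2` pairs, but a base that shows up with a run of three or more consecutive suffixes under two TLDs at once is far more likely to be kit infrastructure than coincidence.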
The new URL syntax of Sweet Orange looks like this as seen in the wild:


Older versions of the Sweet Orange exploit kit used shorter links for the landing page.

The landing page in this version of Sweet Orange:

The deobfuscated script part:


This part embeds the malicious PDF file located at ‘./tUaZFs’. The PDF targets CVE-2010-0188. The script above also attempts to exploit Java vulnerabilities by loading malicious JAR files that target specific Java versions. The Java archives we have seen target CVE-2012-1723 and CVE-2013-0431.

While most exploit kits check the Java and Adobe versions to pick the most suitable way of dropping their malware, this one skips the version check and simply tries everything.
A brute-force approach, it seems.

Checksums of the malicious Sweet Orange files:


Getting back to the WHOIS information: the domains for both exploit kits are registered with the same credentials. Either a fake account or a stolen identity is being used by several groups, or the same people are behind both Sweet Orange and Nice Pack. Who knows.

Yonathan Klijnsma & Barry Weymes

Writeup on distributing Citadel malware

Every now and then an incident occurs in the SOC (Security Operations Center) that really captures the imagination of everyone involved. NBC’s websites getting hacked is a case in point.

At 16:43 CET this afternoon we noticed that the website links to the RedKit exploit kit, which is spreading Citadel malware targeting US financial institutions. This version of Citadel is recognised by only 3 of the 46 antivirus engines on

It has been shown before (with the Dutch news site, for example, along with the recent incidents at the New York Times and Wall Street Journal) that targeting media and news websites can vastly improve an attacker’s chances of success. Users presume the websites of these large organisations to be free of malware. If an attacker can gain access to such web servers, they can use them to distribute malware to every visitor.


The flow of the attack looks like this:

An iframe (on ) loads a webpage that tries to download and execute a malicious JAR file as well as a malicious PDF.

hxxp:// & hxxp://

Many more URLs were used in the hours after the attack was first detected.

The Citadel malware being distributed is configured to manipulate traffic to and from the banking sites of, amongst others, the following banks:

  • Wells Fargo
  • USAA
  • Citibank
  • Bank of America
  • TD Ameritrade
  • Suntrust
  • Navy Federal Credit Union
  • Citizensbank Online
  • Fifth Third Bank
  • PNC
  • Chase
  • Schwab
  • American Express

The malware was no longer served at 21:28 CET.

This isn’t the first time a major website has been compromised and started spreading malware, and we don’t presume it will be the last. Be wary.

Barry Weymes et al.

Credit to Yonathan Klijnsma and Lennart Haagsma for discovery.

Oracle getting serious about Java

Recently, Oracle released a new version of Java with a difference. Java/1.7.0_13 is the latest version. It raises the default security level from ‘Medium’ to ‘High’, which restricts the execution of unsigned applets. It also introduces a new warning, shown to people about to execute Java code, that checks whether the installed Java is the latest version. You might notice the process jusched.exe running on your Windows PC to perform this check. The conclusion: Oracle is getting serious about keeping its users up to date.


The notice above gives the user three choices: Update, Block or Later. ‘Update’ stops the execution and takes the user to the Java website to download the latest, safest version. ‘Block’ prevents the Java code from running, now and in future. Pressing ‘Later’ lets the Java code execute.


Why does updating matter? Because these days the majority of exploited machines are compromised through Java vulnerabilities. Exploit kits deliver their malicious payload to a victim’s computer in the form of a JAR file (Java Archive). This usually happens when the victim visits a compromised website or opens a malicious email. A typical exploit kit contains malicious JavaScript that tests for vulnerable Java versions (amongst other things); once it finds one, it automatically tries to execute a malicious JAR file to gain control of the machine. Some examples of successful exploitation that we have seen at the SOC recently, each with the Java version reported in the client’s User-Agent:

  • hxxp:// Java/1.6.0_14
  • hxxp://  Java/1.6.0_20
  • hxxp:// /WtfWQjU.jar Java/1.6.0_37
  • hxxp:// Java/1.6.0_38
  • hxxp:// Java/1.7.0_06
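The version strings in the list above come from the User-Agent that the Java plug-in sends when it fetches a JAR, which makes outdated clients easy to pick out of proxy logs. The script below is an added example and not code from the original post: it parses `Java/1.x.0_yy` User-Agents from constructed proxy log lines (the sample lines are invented, not the SOC’s data) and flags every client running anything older than the 1.7.0_13 release named in the post, which is an assumed baseline you would move forward with each Oracle release.

```python
"""Flag clients whose Java plug-in announces an outdated version in its HTTP User-Agent."""
import re
from collections import defaultdict

# Java's HTTP stack identifies itself as e.g. "Java/1.6.0_37"; that is the format
# of the version strings listed in the post.
JAVA_UA = re.compile(r"\bJava/(\d+)\.(\d+)\.(\d+)_(\d+)\b")

# Assumption: the latest release named in the post; anything older is flagged.
BASELINE = (1, 7, 0, 13)

# Constructed proxy log lines (not from the original post):
# client IP, method, URL, quoted User-Agent.
SAMPLE_LOG = """\
10.0.3.14 GET http://landing.example/WtfWQjU.jar "Java/1.6.0_37"
10.0.3.22 GET http://cdn.example/app.jar "Java/1.7.0_13"
10.0.3.14 GET http://landing.example/other.jar "Java/1.6.0_37"
10.0.3.31 GET http://www.example/ "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
10.0.3.40 GET http://landing.example/x.jar "Java/1.7.0_06"
10.0.3.40 GET http://landing.example/y.jar "Java/1.6.0_20"
"""


def parse_java_version(user_agent):
    """Return (major, minor, micro, update) from a Java User-Agent, or None."""
    m = JAVA_UA.search(user_agent)
    return tuple(int(g) for g in m.groups()) if m else None


def format_java_version(version):
    """Inverse of parse_java_version, e.g. (1, 7, 0, 6) -> 'Java/1.7.0_06'."""
    return "Java/%d.%d.%d_%02d" % version


def find_outdated(log_text, baseline=BASELINE):
    """Map client IP -> sorted list of distinct Java versions older than baseline.

    Tuple comparison orders 1.6.0_38 below 1.7.0_13, so the whole Java 6 line is
    flagged too, in line with the post's advice to run only the latest release."""
    outdated = defaultdict(set)
    for line in log_text.splitlines():
        head, sep, rest = line.partition('"')
        if not sep or not head.split():
            continue  # no quoted User-Agent field, or no client address, on this line
        ip = head.split()[0]
        version = parse_java_version(rest)
        if version is not None and version < baseline:
            outdated[ip].add(version)
    return {ip: sorted(vs) for ip, vs in outdated.items()}


if __name__ == "__main__":
    for ip, versions in sorted(find_outdated(SAMPLE_LOG).items()):
        print(ip, ", ".join(format_java_version(v) for v in versions))
```

Note that the User-Agent only tells you which Java fetched the JAR, not whether the exploit succeeded; the value of this check is in finding the outdated installations before a landing page does.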


The screenshot above shows part of the web interface of a botnet with over 17,500 successfully exploited systems, built with the Blackhole exploit kit; over 78% of those systems were compromised through a Java exploit. This percentage is common across other exploit kits as well, showing that Java continues to be the most commonly attacked application.

It would seem that users don’t update their software regularly, and that is why the recent move by Oracle is important. Hopefully it will stop the bad guys from continuously taking advantage of that fact.

In the wild we have seen all kinds of old Java virtual machines being compromised; anyone running these versions is obviously vulnerable. It is highly recommended that you either disable or uninstall Java or, if you must use it, keep it up to date at all times. Oracle’s increased focus on security stems from the need for better security in the software we use every day; if that does not materialise, users and organisations may simply stop accepting Java because it has become too risky to have installed.

Barry Weymes et al., Security Analyst at the Fox-IT Security Operations Center.