6 posts from August 2008

 

Detecting Microsoft Executables Being Served by an Unknown Service with Nessus

Many different types of malware and botnets require some sort of exploit payload. This payload can be obtained through traditional compromised services such as HTTP, FTP and even TFTP. Payloads can also be delivered by highly customized or proprietary protocols designed by the malware and botnet creators. 

Tenable’s research team has encountered some ports that can't be fingerprinted and appear to start an executable download when they are connected to. This is a tactic that some of the botnets use to infect additional machines.

Any program that can make a simple TCP connection and save any received data to a file can be used to retrieve these types of files. For example, a program such as netcat can be used to connect to one of these services to obtain the malware or exploit program being distributed by redirecting the data to a file. The following command line uses netcat to connect to a host on port 9002 and save the resulting data into a file named “executable.bin”.

nc 192.168.20.100 9002 > executable.bin

If you suspect this to be a malicious file, you can have it analyzed by an anti-virus tool such as ClamAV or even uploaded to a service such as Jotti's malware scan.

Nessus Detection

Plugin 33950 named "MS Executable Detection" attempts to connect to any service that has been identified as being "unknown". Nessus has an extensive database of application banners and fingerprints. If an open port is identified but cannot be fingerprinted, Nessus will place it into the knowledge base marked as an "unknown service". All services marked in this way will be probed by the new plugin to see if they are distributing an executable.

Tenable's research team has encountered these types of servers running on many different ports, primarily on ports much higher than 1024.

To have Nessus look for these services, configure your scans with the following settings:

  • Ensure the MS Executable Detection plugin (which is in the Service detection family) is enabled.
  • Perform port scans that target ports higher than 1024. For a complete audit, consider scanning all ports.
  • Ensure that the Service Detection (2nd Pass), Service Identification (2nd Pass) and Service Identification are all enabled.
  • Make sure that the "Probe services on every port" setting under the Advanced tab and "Global variable settings" is enabled.

Below is a pre-configured Nessus scan policy that you can download and import into your Nessus client. It can be used to scan networks for services hosting potentially hostile executables.

Download MS-Executable-Scan.nessus

Below is a screen shot of scan results from an infected system:


When the plugin detects an executable, it will display a binary hex dump of the contents. It will also generate hash values of the retrieved file that can be submitted for analysis to http://www.virustotal.com/buscaHash.html and to other organizations such as Bit9.
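As an added example (not the plugin's own code, and not Tenable's), here is a small Python triage script that does what the text describes: pull whatever an unknown TCP service pushes at connect time, test it for the MZ stub and PE signature, and report hash values and a short hex dump. It goes slightly beyond the text by rejecting headers whose e_lfanew points past the received data, which a truncated grab or a bogus stub will produce; the host, port and sample bytes are constructed placeholders.

```python
import hashlib
import socket
import struct

def looks_like_ms_executable(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A truncated grab or a bogus header can point past what we received.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def hashes(data: bytes) -> dict:
    """Digests in the forms usually accepted by hash-lookup services."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def hexdump(data: bytes, width: int = 16, max_lines: int = 4) -> str:
    """Classic offset / hex / ASCII dump of the first few rows."""
    rows = []
    for off in range(0, min(len(data), width * max_lines), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(rows)

def grab(host: str, port: int, timeout: float = 5.0, limit: int = 1 << 20) -> bytes:
    """Connect, send nothing, and keep whatever the service pushes (like nc > file)."""
    buf = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            while len(buf) < limit:
                chunk = sock.recv(65536)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # service went quiet; report what we have
    return bytes(buf)

# Constructed samples (not real binaries): MZ stub, e_lfanew = 0x40, then 'PE\0\0'; and an HTML body.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00\x4c\x01"
SAMPLE_HTML = b"<html><body>not an exe</body></html>"

if __name__ == "__main__":
    # Against a live unknown service this would be: data = grab("192.168.20.100", 9002)
    for data in (SAMPLE_PE, SAMPLE_HTML):
        print(looks_like_ms_executable(data), hashes(data)["sha1"])
        print(hexdump(data))
```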

For more Information

Previous blog posts have discussed using Nessus, the Passive Vulnerability Scanner and the Log Correlation Engine to look for compromised or infected hosts:

 

64 Bit Patch Audits for Windows 2003

Tenable's Research group recently added support to the Nessus ProfessionalFeed and HomeFeed to audit missing 64 bit Windows 2003 security patches via file version checks.

File version checking is the most effective way to test a Windows system for missing patches. Nessus has been able to do this on most Windows OSes (including 64 bit Windows Vista and Windows 2008) for a long time, and due to customer demand we've added support for Windows 2003 64 bit systems.

Tenable also recently improved the performance of the smb_hotfixes.nasl plugin to reduce network traffic. This will decrease the amount of time it takes to perform patch audits of all Windows systems. 

To make use of this functionality, simply update your Nessus plugins and then perform a credentialed audit of a 64 bit Windows 2003 system with the "Windows : Microsoft Bulletins" plugin family enabled as shown below:


If you are unfamiliar with performing credentialed patch audits with Nessus, please refer to the documentation and example video which show how to perform these types of audits.

If you perform patch auditing with Nessus, these previous blog entries will be of interest:

 

Hacker Court 2008 Post Mortem

Another Black Hat conference for the record books! It’s traditional for me to have a panic attack on the eve of Black Hat, trying to pull the Hacker Court team together to work on our presentation (“Hack MyFace”) and swearing I’m never doing this again. This year was even worse: the defendant, Simple Nomad, and the judge, Richard Salgado, both had to cancel at the last minute. We still had to work out evidence details (as Simple Nomad once pointed out, it would be easier to actually hack into a system than generate fake evidence) and now had to find replacement players. Richard Salgado noted that “anyone can be a judge”, but who could fill Simple Nomad’s stylish boots?

Fortunately, fellow NMRC member and Hacker Court veteran, Weasel, came to the rescue to play “Simplé Gnomad”, complete with bathrobe and sunglasses. Hacker Court co-founder, Jonathan Klein, stepped in as a very intimidating Judge.

This case hinged on the fact that the defendant, responding to a journalist’s inquiry, used a zero-day exploit to hack into a presumed social networking site, “MyFace”, with the encouragement of the site’s owner, Mudge, who was really a Secret Service Agent investigating social networking exploits. The site was actually a Virtual Machine (VM) on a server that housed other case VMs (agency budget cut-backs). The defendant not only compromised the security of the “MyFace” site but also broke out of “MyFace” and obtained information about sensitive on-going investigations.

In his opening statement, Prosecutor Paul Ohm accused the defendant of three charges of computer crime: Unauthorized Transmission of a Program; Unauthorized Access to Computers; Obtaining Information by Computer from Government Computer.

Defense attorney Jennifer Granick countered that the defendant was entrapped and that the real villain in this case was the inept Agent Mudge who authorized the defendant to test the security of a system that he owned and who clearly told the defendant there were “no limits.” There was no way the defendant could know that he should stop at the first VM since he was told by the site’s alleged owner that there were “no limits.”

Agent Mudge testified that he engaged the defendant to test the security of the “MyFace” and determine if the defendant had a working zero-day exploit. He described monitoring the system during the defendant’s exploit attempt and finally receiving an email from the defendant that noted “eight VMs are a lot for the hardware your host is running on.” This referred to the other VMs used for other investigations. Mudge did not think these VMs were at risk because “they were all perfectly sandboxed from one another.” Apparently, he was mistaken.

During forensic analysis, it was discovered that the defendant obtained a highly sensitive file named “OngoingSecretInvestigations”, which contained the name of the case agent and target for each VM. This was a serious problem since Mudge did not know the identity of the hacker and could not have this sensitive information made public.

Mudge testified that he traced the intruder’s IP address to the “L33t’s Coffee & Tea” in Burbank, California, an Internet café. The barista remembered the journalist being with a regular customer who always wore a bathrobe and sunglasses. Mudge staked out the coffee shop, finally observing the suspect leaving and followed him to a Ralph’s market, where the suspect bought a carton of half & half and paid with a check for $0.73. After the suspect left, Mudge obtained a copy of the check, which contained the suspect’s home address, where Mudge discovered the zero-day exploit in a briefcase. The briefcase was introduced into evidence and opened in front of the judge, who gazed with astonishment at the glowing light and asked “Is that what I think it is?”

Mudge was badgered by Jennifer Granick on cross and forced to admit that he did not impose limits on Simplé Gnomad’s testing.

The next witness called was the journalist who allegedly met with Simplé Gnomad in the coffee shop, Simon Ross (played by Brian Martin). Mr. Ross testified that he ran a blog called “simonsayssecurity.gryppad.com”. When asked to identify the person he met in the coffee shop, Mr. Ross’s attorney, Kurt Opsahl, objected and cited that his client was protected by the reporter’s privilege and should not be required to answer the question. Judge Klein ruled that the government had not exhausted its means to get the IP address from other sources so the journalist could not be compelled to turn that information over. However, it was also ruled that the journalist could be compelled to testify to events he witnessed in the coffee shop and Simon Ross (aka Brian Martin) was ordered to testify. When he (quite rudely) refused to cooperate, Mr. Ross was held in contempt and (forcefully) subdued by the bailiff.

The final witness was the defendant himself, Simplé Gnomad (played by Weasel in bathrobe and sunglasses). Jennifer Granick tried to talk her client out of testifying, since this could add additional charges of obstruction if he is found guilty. However, Simplé Gnomad wanted to clear his name and stated that he was framed.

After closing statements by the prosecution and defense, Judge Klein read the Jury Instructions and the case was turned over to the audience for deliberation with about two minutes left in our time slot. An informal show of hands produced the following verdict:
18 U.S.C. § 1030(a)(5)(A)(i) - Unauthorized Transmission of a Program
Not Guilty
18 U.S.C. § 1030(a)(5)(A)(ii) - Unauthorized Access to Computers
Not Guilty
18 U.S.C. § 1030(a)(2)(B) - Obtaining Information by Computer from Government Computer
Guilty as charged

Ok, so this was running roughshod over the legal process but most trials don’t have to clear the room so that Caesar’s catering staff can clean up all the beer bottles and plates left on the floor. As we wearily parted ways at the bottom of the escalator, Paul Ohm asked “So, ready to start work on next year’s?”

 

Tenable Training, First Hand

As a new Tenable employee, one of my first opportunities was to sit in on recently updated Nessus training classes taught by Tenable’s Training Lead, Matt Franz. Joining me in putting Matt on the hot seat was Tenable CSO Marcus Ranum. As a consultant, I have been using Nessus for almost ten years to assist in assessing clients’ networks, but had never attended formal training on the software. I sat in on the first day of class to better understand how to leverage Nessus to perform credentialed scans to audit a system against configuration standards such as CIS or PCI. Other students attended to not only learn more about Nessus, but also to learn how Nessus can specifically help assess their organization.

The first day covered a wide variety of activities involving Nessus, including installation, administration, configuration, scanning, policy generation, vulnerability analysis and reporting. Using a hands-on environment, students learned each aspect of the Nessus products by performing tests with a variety of configurations and hypothetical situations. Unlike many classes or training courses, the material wasn’t rigid in any way. As different ideas and questions came up, students were encouraged to discuss and experiment on the test network. In the first day alone, students chatted about the merit of CVSS scores, the philosophy of what defined a vulnerability and one-off situations on using Nessus across VPNs with SSH port forwarding. One of the nicer surprises to students was learning how to better manipulate scanner output, filter results to better match their needs and export them to a new file. Using this new-found ability, students quickly began discussing how this might better help administrators remediate vulnerabilities by severity, expertise or subnet. At some point, Matt brought in several boxes of pizza and encouraged us to chow down while we continued to learn. We ended up firing off several concurrent scans while watching a traffic monitor to see how much traffic was generated and directly answer students’ questions.

The second day delved into using Nessus for compliance audits, where students continued to learn and enhance their Nessus knowledge and skills as applied to their enterprise environments. With the ability for Nessus to assist in determining a system’s compliance with various federal guidelines, using the compliance plugins available to ProfessionalFeed customers adds additional functionality and value to an organization. This class gave additional instruction to students and demonstrated not only how to use the vulnerability scanner to ensure compliance, but also how to write custom audit profiles specific to their organizations.

Attending the Nessus training class made me realize that while the course material may be static, each class would invariably branch out and learn aspects of the scanner that were more helpful to the students’ own networks. Solid course material, combined with insightful class discussions provided a valuable learning experience.

For more information: http://www.nessus.org/training/

 

Hacker Court at Black Hat!

Hacker Court is once again returning to the Black Hat Briefings! For our seventh Black Hat presentation, we will be conducting a mock court trial focused on the issues of entrapment, journalist privilege and wiretapping, titled "Hack MyFace."

What is "Hacker Court?"

Hacker Court is a loose organization of attorneys, security professionals and hackers with the goal of demonstrating the dynamics, frustrations and complexity of computer crime trials.

Teaching Points

The Hacker Court mock trials endeavor to teach a technical audience the reality of computer crime trials.

Before joining Tenable, I was a freelance security consultant and developed a particular interest in computer crime cases after personal experience in dealing with an intrusion. I thought I knew a lot about the process, but it wasn’t until I actually worked on a case with the Federal Defender’s Office in NY that I realized just how naïve I was on how the legal system really worked. The defendant was even more naïve and honestly thought that a “jury of his peers” meant that people like Simple Nomad, Jericho and Rain Forest Puppy would serve on the jury. After all - his “peers” were hackers!

Since then, I’ve been involved in other cases and these are a few of the major lessons I’ve learned:
1. Defendants lie, even to their own defense team
2. Admissibility of evidence is up to the judge, not the technology or its merit
3. A jurist with an infosec background would be disqualified from serving on a computer crime case
4. Defense experts cannot talk about the case no matter how much the defendant smears them to his friends
5. There are no “Matlock” moments
6. The trial is all about the attorneys’ performances
7. Technical evidence is boring, especially to the jury
8. A case will most likely not be prosecuted unless there is a 95% chance of a conviction. Corollary: if you go to trial, you're probably going down.
9. Cross examination of witnesses is brutal
10. The trial may take place years after the crime

The most important (and scary) lesson I learned is that the case will be won or lost by the side that makes their story compelling and interesting. Technical details are neither.

How it's Done

The Hacker Court mock trials demonstrate these points by enacting a courtroom environment where the audience is the jury. There is no pre-set outcome and we take great pains to make sure the deck is pretty evenly stacked (which differs from most trials where the prosecution usually wins). Although we work out the facts of the case ahead of time, much of the testimony from witnesses is ad-libbed, often with amusing results.

Hacker Court differs from an actual trial in that we streamline the process and have some fun with it. An actual trial can take weeks - we have 2 hours, which normally wouldn’t cover the opening remarks. Most trials are also extremely boring, despite what you may see on TV. We take many liberties to make it fun, which no judge in his right mind would tolerate in an actual trial. For example, our 2004 presentation “Pirates of the Potomac: The Curse of the Bl4ck Perl” featured Simple Nomad as “Captain Jack Hack” (aka “Cracker Jack”), a hacker accused of “war-sailing” up the Potomac.

This Year's Case

This year’s presentation will once again feature Simple Nomad as the defendant, a “l33t” hacker who frequently posts to a blog run by a journalist who investigates cases of identity theft and exposure of personal information. Nomad claims to have a zero-day exploit that will work on any social networking site and is goaded by another blog poster to prove it by exploiting a social networking site called “MyFace.”

A more complete case summary, along with Speaker bios, may be found at the Black Hat site.


Both sides will argue their case on August 6, 2008 at the Palace 1 ballroom during the Gala Reception of Black Hat. Who will win? That's for the audience to decide! So if you’re coming to Black Hat, grab some food and drink from the Gala and join us in the Palace 1 ballroom!

 

WhiteHatWorld Webinar - Vulnerability Management Thought Leadership Webcast

On August 6th, 2008, I will be participating in a Vulnerability Management webinar hosted by WhiteHatWorld. We will be discussing best practices for scanning and configuration auditing. Panelists also include representatives from Qualys and Rapid7. To register, please visit this link or visit http://www.whitehatworld.com/ to learn more and view their library of recorded webinars.