Pär Österberg Medina: Detecting Rootkits in Memory Dumps


A precious presentation by Pär Österberg Medina about dumping and analyzing a memory dump for detecting rootkits, discovered in the twitter feed of Binni Shah:


Covered topics

  • What is a rootkit?
  • Dumping the memory
  • How-to analyze a memory dump?
  • Different rootkit techniques and how we detect it

The presentation

https://www.terena.org/activities/tf-csirt/meeting27/oesterberg-rootkits.pdf

FLOSS: FireEye Labs Obfuscated String Solver — Automatically extract obfuscated strings from…

Malware authors pack their software to resist reverse engineering and enable their operations to survive longer.

However, many features of packing are easy to automatically identify during static or dynamic analysis.

Continue reading “FLOSS: FireEye Labs Obfuscated String Solver — Automatically extract obfuscated strings from…”

The neverending story about FBI’s TorBrowser 0-Day

Let’s try to retrace the steps of this strange story


July 14, 2015

From Seattlepi.com:

A Vancouver middle school teacher accused of collecting child pornography online now faces federal charges.

Federal prosecutors in Seattle claim Jay Michaud was caught downloading child pornography in February. Michaud was arrested Monday and has since been charged in U.S. District Court.

Writing the court, an FBI special agent said Michaud spent nearly 100 hours surfing a hidden online network specializing in child pornography. The agent noted that the secret nature of the website would make it extremely difficult to come across accidentally.

The Washington Post reported that FBI seized the site’s servers and in February 2015 launched the exploit on the site leading to charges against 137 people:

The user’s online handle was “Pewter,” and while logged on at a website called Playpen, he allegedly downloaded images of young girls being sexually molested.

In order to uncover Pewter’s true identity and location, the FBI quietly turned to a technique more typically used by hackers. The agency, with a warrant, surreptitiously placed computer code, or malware, on all computers that logged into the Playpen site. When Pewter connected, the malware exploited a flaw in his browser, forcing his computer to reveal its true Internet protocol address. From there, a subpoena to Comcast yielded his real name and address.

https://www.washingtonpost.com/world/national-security/how-the-government-is-using-malware-to-ensnare-child-porn-users/2016/01/21/fb8ab5f8-bec0-11e5-83d4-42e3bceea902_story.html


February 25, 2016

The U.S. District Judge Robert J. Bryan has confirmed what has probably been the worst-kept secret in security, that Carnegie Mellon University’s Software Engineering Institute was indeed contracted by the Department of Defense to study how to break Tor anonymity.

https://www.washingtonpost.com/world/national-security/how-the-government-is-using-malware-to-ensnare-child-porn-users/2016/01/21/fb8ab5f8-bec0-11e5-83d4-42e3bceea902_story.html

“Based upon the submissions of the parties, it is clear to the court the government has provided to the defendant basic information about the technique used by SEI to obtain IP addresses of Tor users, including the defendant. Among other items, the government’s disclosures included information regarding the funding and structure relationship between SEI and DOD, as well as directing the defendant to publicly available materials regarding the Tor network.”

https://www.washingtonpost.com/world/national-security/how-the-government-is-using-malware-to-ensnare-child-porn-users/2016/01/21/fb8ab5f8-bec0-11e5-83d4-42e3bceea902_story.html


May 11, 2016

Mozilla filed a motion with the U.S. District Court in Tacoma, Wa., asking the government to disclose the zero-day vulnerability it exploited in the Tor Browser and Firefox:

https://assets.documentcloud.org/documents/2830393/Mozilla-s-Motion-to-Intervene-in-the-Playpen-Case.pdf


May 25, 2016

Judge Robert J. Bryan granted defendant Jay Michaud’s motion to exclude the evidence.

“For the reasons stated orally on the record, evidence of the N.I.T., the search warrant issued based on the N.I.T., and the fruits of that warrant should be excluded and should not be offered in evidence at trial”

https://assets.documentcloud.org/documents/2842885/Michaud-Order.pdf

Stay tuned to the next episode …

Crashing OSX and iOS apps with a simple PNG image

Lander Brandt has discovered a denial of service vulnerability in ImageIO, a library of utilities for parsing various image formats.

Which apps as affected?

It’s used in many OS X and iOS applications including:

  • Tweetbot
  • Safari
  • Messages
  • Mail
  • Preview

Some popular applications that do not use ImageIO include:

  • Chrome
  • Firefox
  • Telegram

The bug is a simple Null Point Reference in PNG parsing (more technical info on Lander Brandt article):


What’s happening here is:

– libpng hits an unknown chunk

– The custom chunk callback is called

– Apple’s own internal method which returns a pointer to the chunk returns null since there’s no data

– There’s no check on the chunk pointer returned

– Oops


What is the impact?

This bug can be triggered any time a PNG file is being processed. So really, anything that processes the image can be caused to crash.

Some examples:

  • Receiving the malicious image via text message with message previews turned on will crash SpringBoard on iOS
  • Entering a message thread containing the image will crash the messages app
  • Opening an email containing the image will crash the mail client
  • Posting a link to the image will crash some third-party Twitter clients which try to load the image
  • Visiting a page containing the image will crash Safari’s content renderer

The fix?

The bug was reported to Apple in Dec 16, 2015, and in Mar 22, 2016 the fix was notified as ‘in progress’.