Wednesday, July 5, 2017

NotPetya/Petya : Faulty malware code ?? or Intentional Wiper malware !!

The past week has been one crazy ride with the NotPetya ransomware/wiper outbreak. This malware caused havoc around the globe, especially in Ukraine, Russia, India and the US, with many more countries on the list. This ransomware/wiper uses wowsmith123456@posteo.net as the contact detail and asks for $300 in bitcoins to be sent to a given address.

Working of NotPetya


The ransomware Petya/NotPetya encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom boot loader that shows a ransom message to the user upon booting. According to several sources (Payload Security, Avira), this virus exploits Microsoft's SMB vulnerability via ETERNALBLUE, which was also used by WannaCry. Further research showed that the virus also uses one more exploit, ETERNALROMANCE.

Once the device is infected it uses the following mechanisms to propagate.

  • EternalBlue : Exploit used by WannaCry
  • EternalRomance : An SMBv1 exploit leaked by the "Shadow Brokers"
  • PsExec : A lightweight telnet replacement that lets you execute processes on other systems.
  • WMI : Windows Management Instrumentation


Targeted file types for encryption


.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

Ransom Note found on the infected devices



"If you see this text, then your files are no longer accessible, because
they have been encrypted. Perhaps you are busy looking for a way to recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.
We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
Send $300 worth of Bitcoin to following address:


Send your Bitcoin wallet ID and personal installation key to e-mail :

wowsmith123456@posteo.net"

EMAIL No Longer Valid !!!


This email address was the only point of contact with the NotPetya authors, and it was to be used for verifying bitcoin payments. Later in the day it was blocked by the email service provider Posteo.net. This German email provider made sure that it is not linked in any way to malicious activity. Since the email was the only channel for receiving the decryption keys after being hit, it is now impossible for victims to recover their encrypted files.


A Wiper Malware/Not a ransomware


Throughout the whole havoc it was assumed that NotPetya is ransomware designed to earn money in the form of bitcoins, but later it was discovered that the design of the virus was flawed and the encrypted files could not be decrypted at any cost. It was assumed that the files are encrypted one by one, but Petya reboots the victim's computer, encrypts the hard drive's master file table (MFT) and overwrites the master boot record (MBR).

Many big names were hit by this wiper attack, including several government offices.
  • AP Moller-Maersk
  • WPP
  • Merck & Co.
  • Ukrainian banks, power grid
  • Saint Gobain
  • Evraz


How did the virus or wiper malware spread?


This massive outbreak spread when an unidentified attacker compromised the M.E.Doc servers. M.E.Doc is popular accounting software used by Ukrainian companies. When the tainted software reached the clients, the NotPetya malware was delivered to them with it.


How to save yourself from this wiper malware?

First and foremost, one must take the following steps to make sure they are not on the brink of being affected.
  • Apply the Microsoft-provided patch MS17-010; this does half the work.
  • Disable SMBv1 on your devices and move to SMBv2.
  • Ensure you have good anti-malware/antivirus software to keep you safe.

One cannot stop NotPetya from spreading, but you can keep your system safe by performing the vaccination below.

While trying to understand the working of this malware, researchers found that it looks for a particular file and, if that file is found, the encryption process does not proceed. NotPetya looks for a file called perfc in the C:\Windows folder. Now we need to create the same file in our C:\Windows folder.

Steps to consider

Make sure your files are visible and not hidden. You can do this from the Windows folder, under the Tools tab.

Once all the files are visible, you will find notepad.exe in the Windows folder. Make a duplicate copy of it; it will be named notepad - Copy.exe. Now rename the copy to perfc; Windows will ask you to confirm the change of file name. Continue with "Yes", then right-click the perfc file, open its properties and check the Read-only box.

Now click Apply. The file perfc is now created, and that is all we need to vaccinate the computer.

Your device is now vaccinated against Petya/NotPetya/Petrwrap/Nyetya ransomware.




Sunday, June 18, 2017

Unveiling Router Security Issues by CIA

Gone are the days when Cherry Blossom was just a Japanese flower. The term is now used to name a hacking program developed by the CIA.

Wikileaks dumped new files in its Vault 7 series, which contains CIA-made hacking tools.

Cherry Blossom (CB) is a multi-functional framework that can be used to compromise various router models. CB compromises wireless networking devices and monitors internet activity by delivering software exploits to targets of interest.

Terminology used in Cherry Blossom :-

Cherry Blossom is a project of the Cherry Bomb program from the years 2011-2012. Cherry Blossom uses the terms below to explain how it works.


Flytrap : A wireless access point that has been compromised.

Mission : A task assigned to a Flytrap.

Cherry Tree : Also known as the command post; it controls Missions, Flytrap status alerts, etc.

Cherry Web : A GUI-based command interface running on the Cherry Tree.

Beacon : A periodic communication between a Flytrap and the Cherry Tree.

Target : The user whose activities are being monitored.



Image source : Original Document

Implanting the Cherry Blossom firmware.

The Flytrap is implanted with Cherry Blossom firmware, either using the Claymore tool or by a supply chain operation. Beacons are exchanged at periodic intervals between the operators (CT) and the infected routers.

As per the manual on Wikileaks, Cherry Blossom works by monitoring access points and routers: it implants firmware, delivers software exploits and monitors internet activity.
The architecture defined in CB does not limit itself to wireless devices; it can spread to wired devices too. These are monitored using "missions".

Mission type may vary depending upon the target.

  1. Snooping on the traffic from access points and routers.
  2. Alerting on the activity of targets.
  3. Forming a virtual private network into the internal network.
  4. Monitoring the activities of wired devices.
  5. Altering communication between parties that believe they are directly connected, i.e. an interception.

Cherry Blossom uses a Linux-based tool, "Sundew", to find out the make and model of the wireless device. The scanning is done on the basis of MAC address; a series of tasks is performed to find out the make and model of the network nodes.

The hacking tools were developed with the help of a non-profit organisation, SRI International; the name can only be seen in one document related to Sundew.

Cherry Blossom supports various router/AP models.

According to the CIA documents, Flytraps can be installed on wireless routers as well as access points. The list of all the vendors included in the document is below. For the full vendor-specific list please follow the original release document.

3Com
Accton
Aironet/Cisco
Allied Telesyn
Ambit
AMIT, Inc
Apple
Asustek Co
Belkin
Breezecom
Cameo
D-Link
Gemtek
Global Sun
Linksys
Motorola
Orinoco
Planet Tec
Senao
US Robotics
Z-Com

Unlike the Shadow Brokers' last release of hacking tools, Wikileaks released only the documents related to Cherry Blossom and not the actual tool.

Thursday, June 8, 2017

Apache Server Configuration (Debian/Ubuntu)

What is Apache?
Apache is the most popular web server on the internet; it serves more than half of all active websites on the globe. It is an open source program for deploying web servers, developed and maintained by an open community of developers under the Apache Software Foundation. Most commonly used on UNIX-like systems (usually Linux), the software is available for a variety of operating systems besides UNIX, including Microsoft Windows.
Apache 2 (version 2.0) has improved support for non-Unix platforms, e.g. Windows and OS/2. Apache is free and open source software.
Installing the Apache 2 Server:-
Before starting the installation of the Apache server, ensure that the host system has an FQDN (Fully Qualified Domain Name) as its hostname.
To check the existing hostname of the system, the following command is used:
Now, to install the Apache 2 web server with its documentation and a collection of related utilities, the following command is used:
On Debian, Apache keeps its main configuration files in the directory "/etc/apache2".

There are a number of plain text files and sub-directories in /etc/apache2.
We need to become familiar with the useful files and directories under it, so we go through them one by one to understand them thoroughly.

“apache2.conf” File: This is the main configuration file for the Apache web server. Almost all configuration can be done within this file, although it is recommended to use separate designated files for simplicity. This file keeps the default configuration and is the central point from which the server reads its configuration details.

“ports.conf” File: This file specifies the ports on which the virtual hosts should listen. Be sure to check that this file is correct if you are configuring SSL.

“conf-available” Directory: This directory is used for controlling specific aspects of the Apache configuration.

For example, it is often used to define the SSL configuration and default security choices. This directory contains multiple files that provide further server functionality.
The files under this directory are explained below:

“apache2-doc.conf” File: This file creates an alias for a directory and grants access permissions on it; the directives for such aliases (which the author likens to symlinks) are written in apache2-doc.conf. An example of such an alias is shown below.

“charset.conf” File: To set a particular character set for the whole Apache web server by default, the directive must be enabled in charset.conf.

“localized-error-pages.conf” File: All of Apache's error responses are configured in this file. It contains the error messages for every kind of Apache failure.

“other-vhosts-access-log.conf” File: In this file we define the access log location for every other vhosted domain on this server. The directive used to define that access log location is as follows:

“security.conf” File: Any security parameter that should apply to the web server globally is defined in this file.

“serve-cgi-bin.conf” File: The <IfModule> conditions for enabling a module on the web server are defined in this file.
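Because security.conf is where the global choices live, here is an added example (my code, not from the original post) in POSIX shell: a permissive security.conf beside a hardened one, and a small checker that reports the directives a reviewer looks at first. The file contents and the temporary directory are constructed for the example; the Header lines assume mod_headers is enabled (a2enmod headers) and are guarded so they are ignored otherwise.

```shell
#!/bin/sh
# Added example (not from the original post): a permissive security.conf next to a
# hardened one, plus a checker for the directives that leak information or widen
# the attack surface. Paths and file contents are constructed for this example.

# A permissive configuration: version banners and TRACE left on (constructed example).
weak_security_conf() {
    cat <<'EOF'
ServerTokens OS
ServerSignature On
TraceEnable On
EOF
}

# The hardened form: hide the version string, drop the footer, refuse TRACE,
# and stop the site being framed or MIME-sniffed (needs mod_headers, hence IfModule).
hardened_security_conf() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
EOF
}

# directive_value NAME: value of the first matching directive read from stdin (case-insensitive).
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }'
}

# check_security_conf FILE: print one line per weak directive; exit 1 if any is weak.
check_security_conf() {
    conf="$1"
    rc=0
    for pair in "ServerTokens:Prod" "ServerSignature:Off" "TraceEnable:Off"; do
        name=${pair%%:*}
        want=${pair#*:}
        got=$(directive_value "$name" < "$conf")
        if [ "$got" != "$want" ]; then
            echo "weak: $name is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: write both forms to a temporary directory and check each.
tmp=$(mktemp -d)
weak_security_conf > "$tmp/security.weak.conf"
hardened_security_conf > "$tmp/security.conf"
check_security_conf "$tmp/security.weak.conf" || echo "permissive file needs fixing"
check_security_conf "$tmp/security.conf" && echo "hardened file passes"
```

On a Debian host the hardened file would replace /etc/apache2/conf-available/security.conf, followed by apache2ctl configtest and a reload; the checker can be run against the live file before and after.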
Now we move to the other directories in /etc/apache2.
“conf-enabled” Directory: This directory holds the symlinks to the enabled configuration files in the “conf-available” directory.

“sites-available” Directory: This directory contains all the virtual host files defined for the different websites. It contains the available configurations, not the active ones.
The files under this directory are explained below:

“000-default.conf” File: This is a dummy file containing a dummy virtual host entry. All other virtual hosts or domains hosted on this server use entries similar to this file.
An example of a sample virtual host for a domain is below:
“default-ssl.conf” File: This is also a dummy file, containing the virtual host configuration for domains using SSL.
An example of a virtual host for a domain using SSL, and how it works over https, is below:


Self Signed Certificate :- One more thing related to SSL needs discussing: if a user wants to use a self-signed certificate for SSL connections, the following steps generate it.

Step 1:- First, install or upgrade the package called “openssl”.

Step 2:- Secondly, enable the SSL module using the commands below.

Step 3:- Now create a self-signed SSL certificate. First, create a new directory where we can store the private key and certificate. Then generate a new certificate and a private key to protect it:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

The following things need to be understood about the above command:
  • The -days flag specifies how long the certificate should remain valid. In the example, the certificate will last for one year, i.e. 365 days.
  • The -keyout flag specifies the path to our generated key.
  • The -out flag specifies the path to our generated certificate.
During execution of the command you will be asked to fill in parameters such as Country Name, State, Organization Name, etc. Fill in the desired values as asked.

Step 4:- Now set the file permissions to protect your private key and certificate.

Step 5:- Now these self-signed certificates can be used to run the domain or server over an https connection. An example of a virtual host for such an SSL-enabled domain is below:
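To carry the five steps through without the interactive prompts, here is an added example in POSIX shell (my code, not the post's): it generates the key and certificate with the same openssl flags as above, applies the Step 4 permissions, and prints the SSL virtual host. The directory /tmp/apache-ssl-example (overridable with SSL_DIR), the domain www.example.com and the document root /var/www/example are assumptions; a2enmod ssl, a2ensite and apache2ctl configtest are Debian's standard helpers and are invoked only when present and writable.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# certificate generation, key permissions, and the matching SSL virtual host.
# The directory, domain and document root below are assumptions for the example.

# gen_self_signed_cert DIR NAME CN DAYS
# Writes DIR/NAME.key and DIR/NAME.crt. -subj replaces the interactive prompts the
# post describes; -nodes leaves the key unencrypted so Apache can start unattended.
gen_self_signed_cert() {
    dir="$1"; name="$2"; cn="$3"; days="$4"
    mkdir -p "$dir"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
    # Step 4 of the post: only the owner may read the private key; the cert is public.
    chmod 600 "$dir/$name.key"
    chmod 644 "$dir/$name.crt"
}

# key_is_private FILE: succeeds if the key's mode is exactly 600 (GNU or BSD stat).
key_is_private() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}

# ssl_vhost_conf DOMAIN DOCROOT CERT KEY: print a port-443 virtual host using the files.
ssl_vhost_conf() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot $2
    SSLEngine on
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
    # Modern clients only: the legacy protocol versions are disabled explicitly.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    ErrorLog \${APACHE_LOG_DIR}/$1-ssl-error.log
    CustomLog \${APACHE_LOG_DIR}/$1-ssl-access.log combined
</VirtualHost>
EOF
}

# Stand-alone usage (assumed paths): generate the pair, print the site file, and
# install it only if this host actually runs Debian's Apache tooling.
if command -v openssl >/dev/null 2>&1; then
    ssl_dir="${SSL_DIR:-/tmp/apache-ssl-example}"
    gen_self_signed_cert "$ssl_dir" apache www.example.com 365
    ssl_vhost_conf www.example.com /var/www/example "$ssl_dir/apache.crt" "$ssl_dir/apache.key"
    if command -v a2enmod >/dev/null 2>&1 && [ -w /etc/apache2/sites-available ]; then
        a2enmod ssl
        ssl_vhost_conf www.example.com /var/www/example "$ssl_dir/apache.crt" "$ssl_dir/apache.key" \
            > /etc/apache2/sites-available/example-ssl.conf
        a2ensite example-ssl.conf && apache2ctl configtest && systemctl reload apache2
    fi
fi
```

A self-signed certificate still triggers browser warnings; it proves nothing about identity to visitors and is suitable for internal or test hosts only, which is also why the key should never be copied out of the 600-mode file.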
Now we move to some other directories in /etc/apache2.
“sites-enabled” Directory: This directory establishes which virtual host definitions are actually in use. Usually it consists of symbolic links to files defined in the "sites-available" directory.

“mods-[enabled,available]” Directories: These directories are similar in function to the sites directories, but they define the modules that can be optionally loaded.
The modules enabled by default and present in the mods-enabled directory are explained as follows:
“access_compat.load” Module: This module checks the version compatibility of the installed modules and the Apache configuration files.
“alias.conf” Module: This module is used to create an alias for a directory or file, basically for paths whose exact location we don't want to show.
“autoindex.conf” Module: This module loads all of the directories included in Apache by default.
“deflate.conf” Module: This module loads the default script types used by applications hosted on Apache.
“dir.conf” Module: This module loads the types of index pages that the Apache server serves by default from a directory.
“dnssd.conf” Module: This module allows the Apache server to advertise itself and the available websites to clients compatible with the protocol.
“mime.conf” Module: This module loads different types of files according to their extensions. It is used to assign content metadata to the content selected for an HTTP response by mapping patterns in the URI or filenames to the metadata values. Some examples are AddLanguage, AddCharset, AddHandler, etc.
“mpm_event.conf” Module: This module is designed to allow more requests to be served simultaneously by passing off some processing work to the listener threads, freeing up the worker threads to serve new requests.
“negotiation.conf” Module: This module allows Apache to give precedence to some languages in case of a tie during content negotiation. Just list the languages in decreasing order of preference.
“setenvif.conf” Module: This module contains a list of directives that modify the normal HTTP response to a request, to work around browser-based problems.
“status.conf” Module: This module provides server health status reports via an HTML page.


Integration with PHP module:-

In this section we will see the integration of the Apache server with the PHP module. In order to run PHP files on the server, we need to follow the steps below.

Step 1:- First, install the PHP module packages from the repository.
You need to select “Agree” during the above command's execution, and PHP will be installed on your server.
Step 2:- Once the above command has completed, restart or reload the Apache service.
Step 3:- Add a new entry to the virtual host file of the domain on which the PHP files need to run. The new virtual host may then look like the one below:
Step 4:- At last, create a test file in the root folder of the domain and check it by opening it in a web browser.

Virtual Hosting :-
Virtual hosting is a method for hosting multiple websites (domains) on a single server. You can host multiple websites on a single machine with a single IP using virtual hosting; all domains on that server share one IP. Virtual hosting is very useful in shared web hosting environments, where hundreds of websites are hosted on a single server. All the virtual host configurations for the different websites are created and stored in the /etc/apache2/sites-available directory on Debian/Ubuntu.

Types of Virtual Hosting :-
Name based Virtual Hosting:- This type of virtual hosting is defined on the basis of the domain name, i.e. a single IP is used to host multiple websites on one web server. Let's create a virtual host file for the website www.example1.com.
  • First, let's create the directory structure of the website www.example1.com. (screenshot: ubuntu-apache2-example1-directory.png)
  • Add the following content to the index.html file. (screenshot: ubuntu-apache2-example1-index-html.png)
  • After that, let's create a virtual host configuration file for the website www.example1.com. (screenshot: ubuntu-apache2-example1-apache-conf.png)
  • Add the following content. (screenshot: ubuntu-apache2-example1-apache-conf-details.png)
  • Save and close the file when you are finished.
  • Similarly, let's create the directory structure of the website www.example2.com. (screenshot: ubuntu-apache2-example2-directory.png)
  • Add the following content to the index.html file. (screenshot: ubuntu-apache2-example2-index-html.png)
  • After that, let's create another virtual host file for the website www.example2.com. (screenshot: ubuntu-apache2-example2-apache-conf.png)
  • Add the following content. (screenshot: ubuntu-apache2-example2-apache-conf-details.png)
  • In this way, the two virtual host files are created for the two domains.
  • Now enable the new virtual host files. (screenshot: ubuntu-apache2-enable-sites.png)
  • Now restart the Apache service. (screenshot: ubuntu-apache2-restart-apache.png)
  • Now edit the hosts file of the web server and add entries for these two domain names as shown. (screenshot: ubuntu-apache2-hosts.png)
  • After a successful restart of the Apache service, open the domain name example1.com or example2.com in the browser. (screenshot: ubuntu-apache2-example2-browser.png)
IP Based Virtual Hosting :- This type of virtual hosting is defined on the basis of a dedicated IP address, i.e. each website is assigned its own IP address. Let's create a virtual host file for the website www.example3.com.
  • First, create the directory structure of the website. (screenshot: ubuntu-apache2-example3-apache-conf-details.png)
  • Now create the virtual host configuration for the website www.example3.com. (screenshot: ubuntu-apache2-example3-apache-conf-path.png)
  • Add the following content to that file. (screenshot: ubuntu-apache2-example3-apache-conf.png)
  • Save and close when you are finished.
  • Now create the directory structure for the website www.example4.com. (screenshot: ubuntu-apache2-example4-apache-conf-details.png)
  • Now create another virtual host configuration for the website www.example4.com. (screenshot: ubuntu-apache2-example4-apache-conf-path.png)
  • Add the following entries to this vhost file. (screenshot: ubuntu-apache2-example4-apache-conf.png)
  • Save and close when you are finished.
  • Now restart the Apache service. (screenshot: ubuntu-apache2-restart-apache.png)
  • Now edit the hosts file of the web server and add entries for these two domain names as shown. (screenshot: ubuntu-apache2-ip-based-host.png)
  • On a successful restart of the Apache service, open the websites, i.e. www.example3.com and www.example4.com, in the browser. (screenshot: ubuntu-apache2-example3-browser.png)
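Since the screenshots that carried the commands and file contents for the name-based and IP-based walkthroughs (and for the PHP virtual host entry in the section above) are not reproduced here, the following added example in POSIX shell (my code, not the post's) performs the same procedure: it creates the document root and placeholder page, writes the site file, and prints the hosts entry used for local testing. The address parameter is "*" for name-based hosting and a dedicated IP for IP-based hosting; the PHP option adds index.php to DirectoryIndex, which assumes libapache2-mod-php is installed. The domains example1.com, example2.com and example3.com, the address 192.0.2.10 and the /tmp directories are constructed values; on a real Debian host CONFROOT would be /etc/apache2 and WEBROOT /var/www.

```shell
#!/bin/sh
# Added example (not from the original post): a helper that sets up a site the way
# the name-based and IP-based walkthroughs do, with an optional PHP index page as
# in the PHP integration section. Domains, addresses and paths are constructed.

# vhost_conf ADDR DOMAIN DOCROOT [PHP]
# ADDR is "*" for name-based hosting or a dedicated IP for IP-based hosting.
# With PHP=yes, index.php is served before index.html (assumes libapache2-mod-php).
vhost_conf() {
    addr="$1"; domain="$2"; docroot="$3"; php="${4:-no}"
    if [ "$php" = "yes" ]; then index="index.php index.html"; else index="index.html"; fi
    cat <<EOF
<VirtualHost $addr:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $docroot
    DirectoryIndex $index
    <Directory $docroot>
        # Least privilege for the document root: no listings, no .htaccess overrides.
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$domain-error.log
    CustomLog \${APACHE_LOG_DIR}/$domain-access.log combined
</VirtualHost>
EOF
}

# setup_site CONFROOT WEBROOT ADDR DOMAIN [PHP]
# Creates WEBROOT/DOMAIN/public_html with a placeholder page, writes the site file
# to CONFROOT/sites-available/DOMAIN.conf and prints that path.
setup_site() {
    confroot="$1"; webroot="$2"; addr="$3"; domain="$4"; php="${5:-no}"
    docroot="$webroot/$domain/public_html"
    mkdir -p "$docroot" "$confroot/sites-available"
    if [ "$php" = "yes" ]; then
        # Placeholder only: avoid phpinfo() as a test page, it discloses the server's configuration.
        printf '<?php echo "Hello from %s"; ?>\n' "$domain" > "$docroot/index.php"
    else
        printf '<html><body><h1>Welcome to %s</h1></body></html>\n' "$domain" > "$docroot/index.html"
    fi
    vhost_conf "$addr" "$domain" "$docroot" "$php" > "$confroot/sites-available/$domain.conf"
    echo "$confroot/sites-available/$domain.conf"
}

# hosts_entry IP DOMAIN: the /etc/hosts line the walkthrough adds for local testing.
hosts_entry() {
    printf '%s\t%s www.%s\n' "$1" "$2" "$2"
}

# Stand-alone usage with constructed values: two name-based sites on one address and
# one IP-based PHP site. On a real Debian host set CONFROOT=/etc/apache2 WEBROOT=/var/www.
confroot="${CONFROOT:-/tmp/apache-vhost-example/etc}"
webroot="${WEBROOT:-/tmp/apache-vhost-example/www}"
setup_site "$confroot" "$webroot" '*' example1.com
setup_site "$confroot" "$webroot" '*' example2.com
setup_site "$confroot" "$webroot" 192.0.2.10 example3.com yes
hosts_entry 127.0.0.1 example1.com
hosts_entry 192.0.2.10 example3.com
# Enabling and reloading only happens when writing into the real Apache tree.
if [ "$confroot" = /etc/apache2 ] && command -v apache2ctl >/dev/null 2>&1; then
    for d in example1.com example2.com example3.com; do a2ensite "$d.conf"; done
    apache2ctl configtest && systemctl reload apache2
fi
```

The Directory block is the part the screenshots would not have emphasised: with Options -Indexes a missing index page yields a 403 instead of a listing of the document root, and AllowOverride None keeps a writable docroot from changing server behaviour through .htaccess files.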


This concludes the Apache server configuration.
