Thursday, March 2, 2017

Slash Reborn

 بِسْمِ اللّهِ الرَّحْمَنِ الرَّحِيْمِ

السَّلاَمُ عَلَيْكُمْ وَرَحْمَةُ اللهِ وَبَرَكَاتُهُ
رَبِّ اشْرَحْ لِىْ صَدْرِىْ وَيَسِّرْلِىْ اَمْرِىْ وَاحْلُلْ عُقْدَةً مِنْ لِسَانِىْ يَفْقَهُوْاقَوْلِى 
اَلْحَمْدُلِلّ اَللّهُ اَكْبَرُ I'm still here even though not active as I used to be. اِ نْ شَآ ءَ اللّهُ I will keep contributing to share small piece of knowledge I had, which I think acceptable by most people around the globe.

So yeah, like most people, it's a complicated thing to describe me. Some might say it's along the lines of being an "acquired taste." Others might more correctly classify it as, "somebody that some people are willing to tolerate." Most likely, I am just inimitable, like many others. But I'll do the best I can to describe myself with words.

I'd say that I am an eclectic amalgamation of many seemingly paradoxical things. This can be exemplified in both my seemingly endless persistence on many topics and arguments, as well as my careful cautiousness on other topics and arguments. This is largely due to how astute I am of the topic: more knowledge, more persistent; less knowledge, obviously more cautious.

Apparently, I may look something like a serial killer or terrorist. Sometimes I can turn and become somebody who like jokes, use my OpenSSH backdoor and pwned your servers, or I can be your personal and sexiest bodyguard depending how you look at me.

So why Slash The Underground
Slash The Underground was a name given by my linux guru, burn or lordburn. My friends called me 'slash' and sometimes 'nullbyte' which is a nickname for me. It's short, clever, derogatory and sometimes considered desirable, symbolising a form of acceptance, but can often be a form of ridicule.

Hunting C&C For Fun and Profit

This is a quick post to splainz the methodology behind how we were able to make fingerprints for the Hacking Team and Equation Group C&C infrastructure allowing remote identification of their servers, as shown in The Italian Job and Equation Smasher releases on Github.
Myself and March, the rootkit wizard, have been at this kind of thing for quite some time, and have had a great deal of success in enumerating and identifying C&C infrastructure based on various oddities in how they present themselves. A fine example of this was in our Hunting Red October work prior (which resulted in the “” and “” scripts).
Basically, here is a TL;DR on how you, too, can hunt down shitbag spies and other such nasties.

Step 1: Get samples of the malware and/or IP’s of some still active C&C servers.

This is often trivial. Once someone publishes a report, or you get some nasty malware, identify the C&C server (run it in a sandbox or whatever and sniff those sweet, sweet pacotes).

Step 2: Muck about with the C&C server.

Next up, do a portscan of the C&C server(s). Of particular interest is the callback port. You want to fiddle with that port/service a bit and see if it returns a “weird” or unique banner or response, that you can chuck into shodan and try identify similar servers.
The third step is fairly simple. Once you have a list of hosts that also act in the same fashion and “smell” the same (much of this is based on scientific jiggerypokery and general faffing about with them), you portscan those and look for further similarities. Most oftentimes, C&C infrastructure is “cloned” across hosts, so they all will be set up in the same fashion.

Optional Step 4: Scan the Planet

Optionally, here you can scan the entire planet with masscan or zmap looking for similar hosts that Shodan’s crawler might not have hit yet. This gives you a nice list of IP’s to compare against netflow logs and also to bang into online sandboxes/AV things to see if theres other samples out there calling back, so you can gather more information and link samples/campaigns together.

Optional Step 5: Hack the Planet

I have NOT engaged in this hypothetical step, and cannot legally advocate for it, however others such as in the case of APT-1 (warning: PDF link) have done so. Somehow procure a copy of the C&C software in question, fuzz the shit out of it, find some bugs, and own the spying bastards, preferably uninfecting their victims and burning their infrastructure to the ground. I include this step for completeness only, and to point out that there is some recourse to be had.
Good sources of ~~DDoS numbers~~ IP addresses/C&C hosts to initially target for, er, interrogation are reports from Citizen Lab and AV vendors on the latest and lamest surveillance campaigns. Also, because some espionage campaigns are cheapskates, obtaining copies of widely (ab)used RAT software sold/used by ~~APT’s~~ script kiddies (such as Poison Ivy/BlackShades/DarkComet) and analysing those examples is also a fine way to find new, exciting fingerprints (and vulnerabilities…) to go forth and ruin some attackers days.
Further note: If the malware uses a web based (say, written in PHP) web panel, you might be able to fingerprint on HTTP titles or figure out a google-dork or other way of identifying the panel. Think of web panels as vulnerable webapps and apply the same thinking to locating and finding vulnerabilities in them. Quite often the bit of the web panel (the “gate”) that the implant calls back to fails miserably at sanitizing inputs to databases or file outputs, so there are often some gloriously exploitable bugs there. See the Herpesnet teardown/ownage by for some ideas on that :)

Have fun, and be safe. Remember kids - when fucking with C&C’s/malware, practice safe hex and wear your balaclavas!

Wednesday, July 22, 2015

Never trust a subcontractor

It all started with a phone call. "The whole network at [customer redacted] is down and they have no power - they need your help."

My blood ran cold. The engineer calling me sounded panicked, and for good reason. [Customer redacted] has an enormous natural gas facility in South Texas, too far from civilization to get enough power off of the grid. We designed and built an onsite natural gas power plant for them - a big one, capable of supplying 40+MW of power at peak load. They could run the facility for a short while without the power plant, but not long - and shutting down the facility meant losing 7 figures per hour. By the time I was informed, they had 6 hours until they had to shut down.

As the guy who had designed and installed said network, I was naturally the guy to call when it had problems, which had never happened before. It was a pretty simple network, honestly - just switches, cat5 cables and fiber. Since this was the network all the PLCs, relays, meters and whatnot ran on, it was airgapped & isolated, no routers. Not much to go wrong.

I quickly get on the phone and walk the guy on their end through plugging in a laptop and running
some simple tests. Check lights on things, ping this, ping that. Everything seems good, though. The network is emphatically not down. So I send him a remote app and take control of his laptop to see for myself.

Log into switches, check things, nope, the network's not down. When I log into the HMI system, though, I see a big red error message: "Network Error: Cannot connect to database". The database server is up, though. I log into the database server (Windows Server 2012 running MSSQL) and that's where I find the problem: SQL isn't running. I try to start it and it immediately shuts back off.

Monday, July 20, 2015

Hacking Team Uses UEFI BIOS Rootkit

The dissection of the data from the Hacking Team leak has yielded another critical discovery: Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.

They have written a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops).  However, the code can very likely work on AMI BIOS as well.

A Hacking Team slideshow presentation claims that successful infection requires physical access to the target system; however, we can’t rule out the possibility of remote installation. An example attack scenario would be: The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, reflashes the BIOS, and then reboots the target system. We’ve found that Hacking Team developed a help tool for the users of their BIOS rootkit, and even provided support for when the BIOS image is incompatible.

Blocklist for Transmission

Transmission is, in my opinion, light and the best BitTorrent client for OS X so far [and did you know there’s even an unofficial Windows version too?]. Why? Because it’s super easy to use and configure and it’s not resource-hungry like some other BitTorrent client.

Looking for a nice and complete blocklist for Transmission can be a pain, especially if you’re not sure of which one to pick. In fact there are a ton of lists all for different purposes and no one will give you complete bad-peer protection since one will shield your client from spammers, one from the US Government [really?] and no one from all those things combined.

If you search on Google you will find people recommending this website, called iBlocklist, which collects various block lists but there are to many of them and they all have the same problem I said before: no complete 100% protection.

Luckly John Tyree, a user from, created a GitHub project which combines all those iBlocklist lists in to a single one and he hosted the result here. Simply add this URL in the Transmission preferences.

Good luck!

Monday, July 13, 2015

Magsukul Sapura (thank you Sapura)

السَّلاَمُ عَلَيْكُمْ وَرَحْمَةُ اللهِ وَبَرَكَاتُهُ and Good Afternoon,

بِسْمِ اللّهِ الرَّحْمَنِ الرَّحِيْمِ

اَلْحَمْدُلِلّهِ, today is my last day working at Sapura Secured Technologies as Systemic Security Manager for Sapura Defense Sdn Bhd. Once again, I've been given opportunity by Allah S.W.T. to share knowledge and experience for the industry and Information Warfare community. Although I have my own plan, but I know Allah also plans, and Allah is the best of planners. I know who I will be, and I know where I will be, but I know that Allah will choose what’s good for me.

I wanted to wish everyone happy trails. My colleagues have been nothing short of amazing, the knowledge, experience, and the quality of discussions is incredibly stimulating. In the last 7 years with Sapura, Allah S.W.T has shown me a form of great challenges which almost took me down to the ground and taught me a unique knowledge through people around me. I learned a great deal, building skills, relationships and challenges that I never think of.

Thursday, July 9, 2015

How to use SSHFS

In computing, SSHFS (SSH Filesystem) is a filesystem client to mount and interact with directories and files located on a remote server or workstation over a normal ssh connection.[1] The client interacts with the remote file system via the SSH File Transfer Protocol (SFTP),[2] a network protocol providing file access, file transfer, and file management functionality over any reliable data stream that was designed as an extension of the Secure Shell protocol (SSH) version 2.0.

In many cases it can become cumbersome to transfer files to and from proprietary and customized operating system. This can become quite a hassle in a very short period of time. Luckily there is a way to mount remote file system to local computer without NFS, SAMBA or other remote filler protocols. In this article, I will show you how to do exactly that.