Monday, January 16, 2017

A semi-anonymous jump box Part I : Email

I am finally making another post.  Yeah, there is a 3-year gap since my last post, but whatever.  Life happens.

This post is going to be part one on a series about setting up semi-anonymous, remote boxes.  Normally when I scan/probe cybercriminal servers and dropsites, routing through TOR on a VM is enough.  Lately, however, I've found that having a remote, VPS-type jump-box that can't easily be traced back to me would be useful.


Now I want to take a moment to make something very clear.  The reason I say "semi-anonymous" and "can't easily be traced" is because the goal here is to protect myself against an average cybercriminal, not a nation-state adversary.  These steps would not protect anyone from a nation-state investigation.  With that said, let's get started.


This is what we're starting with:
  • 25 dollars cash
  • the ability to surf TOR .onion sites
This is what we want:
  • an email address
  • a bitcoin wallet with a little satoshi in it
  • a PayPal account
  • a linux VPS
Where again, all those assets are semi-anonymous and not easily attributable to us.


These things will be acquired step-by-step, and along the way these three rules must be followed at all times:
  1. assets can only be connected to via TOR
  2. assets never communicate directly with any accounts we own (i.e. once we have our first email address, never send or receive email between it and any other account we own)
  3. assume all new assets are compromised and that you are being watched by your adversary, then verify what they can learn about us (to mentally check the asset's anonymity and to help maintain opsec)

First off is email.  Since we want an email account that can be accessed via TOR, a quick Google search for “tor email providers” is probably the best way to start.  At the time of writing, the top result was this reddit post listing several providers, with a bonus comment thread making some good points about Sigaint.  We’ll go ahead with that option.

[07/08/17 Update: Sigaint has since gone offline with no indication of return. Others are still available.]


Setting up a new Sigaint account is pretty normal; once that is done let’s do a quick check of our three rules:

  1. assets can only be connected to via TOR - Check. Sigaint only has the hidden service, so it can only be connected to via TOR. We're good here.
  2. assets never communicate directly with any accounts we own - Check. Since Sigaint does not require a pre-existing email address to be provided, this account is not tied to any other account we own. We just need to make sure not to send or receive any email between this account and any account we own, and we're good to go.
  3. assume all new assets are compromised and that you are being watched by your adversary, then verify what they can learn about us - So let's say our adversary is suddenly able to log in to this new Sigaint account, or compromises the Sigaint servers. What can they learn about us? Well, if we are disciplined about rule 2, they cannot associate this account with any 'real' accounts we own. If they compromised the Sigaint servers and were watching network logs, then because of rule 1 they could not get our home IP. At most, they could watch what times we log in and try to deduce our timezone. There are various guard node attacks that could possibly de-anonymize us, but those are (so far) nation-state capabilities.
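The "what could they learn" part of rule 3 can be made concrete for the one thing a server-side observer is conceded above: login times. What follows is an added example, not part of the original post and not anything Sigaint does. It takes a constructed set of UTC login timestamps and ranks candidate UTC offsets by how well they fit the assumption that a person logs in around the middle of their waking day. The 15:00 local "active centre", the whole-hour candidate set and both sample timestamp sets are assumptions made for the example.

```python
# Added example (not from the original post): what an adversary who can only
# see login timestamps could infer about the account owner's timezone.
from datetime import datetime, timedelta, timezone

# Assumption: a human's logins cluster around the middle of their waking day,
# taken here as 15:00 local time.
ACTIVE_CENTER_HOUR = 15.0

# Candidate whole-hour UTC offsets (UTC-12 .. UTC+14). Half-hour zones are
# deliberately left out to keep the example short.
CANDIDATE_OFFSETS = range(-12, 15)

# Constructed sample 1: seven logins that "really" happened between 09:00 and
# 21:00 in a UTC-5 zone. HOME_OFFSET is used only to build the sample; the
# inference below never sees it.
HOME_OFFSET = -5
_LOCAL_LOGINS = [
    datetime(2017, 1, 9, 9, 0), datetime(2017, 1, 9, 21, 0),
    datetime(2017, 1, 10, 11, 0), datetime(2017, 1, 10, 19, 0),
    datetime(2017, 1, 11, 13, 0), datetime(2017, 1, 11, 17, 0),
    datetime(2017, 1, 12, 15, 0),
]
LOGINS_UTC = [(t - timedelta(hours=HOME_OFFSET)).replace(tzinfo=timezone.utc)
              for t in _LOCAL_LOGINS]

# Constructed sample 2: logins every four hours around the clock, i.e. the
# pattern that gives a timing observer nothing to work with.
EVENLY_SPREAD_UTC = [datetime(2017, 1, 9, h, 0, tzinfo=timezone.utc)
                     for h in range(0, 24, 4)]


def local_hour(ts_utc: datetime, offset_hours: int) -> float:
    """Hour of day (0-24, fractional) at the given whole-hour UTC offset."""
    local = ts_utc + timedelta(hours=offset_hours)
    return local.hour + local.minute / 60.0


def circular_distance(hour: float, center: float) -> float:
    """Distance between two hours of day on the 24-hour circle."""
    d = abs(hour - center) % 24.0
    return min(d, 24.0 - d)


def score_offsets(logins_utc, center=ACTIVE_CENTER_HOUR):
    """Mean squared distance of the local login hours from the assumed active
    centre, for every candidate offset. Lower means a better fit."""
    scores = {}
    for offset in CANDIDATE_OFFSETS:
        total = sum(circular_distance(local_hour(t, offset), center) ** 2
                    for t in logins_utc)
        scores[offset] = total / len(logins_utc)
    return scores


def infer_utc_offset(logins_utc):
    """Return (best_offset, margin): the best-fitting offset and how much
    worse the runner-up scores. A margin of zero means several offsets fit
    equally well and the timestamps reveal nothing about the zone."""
    scores = score_offsets(logins_utc)
    ranked = sorted(scores, key=scores.get)
    best, runner_up = ranked[0], ranked[1]
    return best, scores[runner_up] - scores[best]


if __name__ == "__main__":
    for label, sample in (("clustered", LOGINS_UTC),
                          ("evenly spread", EVENLY_SPREAD_UTC)):
        offset, margin = infer_utc_offset(sample)
        print(f"{label}: best fit UTC{offset:+d}, margin {margin:.2f}")
```

Seven logins over a few days are enough to single out UTC-5 from the first sample. The second sample is the failure mode for the observer: logins spaced evenly around the clock score identically at several offsets and the margin collapses to zero. That is the lesson for the opsec check in rule 3: an observer holding only timestamps learns about as much as your login hours are regular, so keeping to a fixed window that does not match your real day, or varying the hours deliberately, is what denies them this inference. Daylight-saving changes and half-hour zones are ignored here.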

So far, so good. Next up, we will see how we can turn 25 dollars cash into some bitcoins using our new TOR email address.

Saturday, October 5, 2013

Zodiac v0.10, Part II: Attribution

So who are these guys?

There are a lot of bits of info to do Google searches on.  In the binary are these strings:

.rdata:0040C2F8 0000001F C rolotech-electronics.comuf.com
.rdata:0040C317 0000001A C speedtest1.hivelocity.net
.rdata:0040C331 0000000D C 68.11.12.242
Google searches on those domains and that IP turn up lots of malware results, all of which show almost the exact same symptoms (or "IOCs", as infosec likes to call them).  Normally, when malware is sold or traded heavily in the underground, the symptoms seen when that malware gets used differ across infections.  The fact that the samples are pretty homogeneous seems to hint that this malware is used by one group exclusively.

Googling the deciphered hostname fkn.ddos.cat brings up this post from the excellent guys at exposedbotnets detailing what they saw on the IRC server when they ran the bot.  That's neat too, because two of the names (Sabu and tflow) are old handles of some of the infamous lulzsec guys.  But it's not actually them; all of lulzsec have been busted up and in jail for a while now.

This is the part that I really liked though.  This string is found in the binary:
.rdata:0040B6C4 00000044 C PRIVMSG %s :(Version): Zodiac v0.10 (HIGHLY PRIV10) Windows version
Googling that string brings up this reddit post linking to Joe's Security Blog, where he did some very good analysis on an almost exact same sample.

But it also brought up this very interesting pastebin showing a log of some hackers hanging out in an IRC.  Now, there's a lot there, but the most interesting bits are this:
09[16:22] * Topic is ' 4,1H 9T 8P 0\ 8 No power since 2011 (damn it, Acidstorm) 0\ 9Mumble up: core.hack-the-planet.tv 64738 : niggers5 0\ 4 /htp/HTP-5.txt underway (ASCII, content) 0\ 8straylig.ht now mirroring releases 0\ 13 http://i.imgur.com/9z0MGOV.png '
this:
[18:03] <&XiX> hey nachash dont forget to make HTP-5.txt editable by htp bro
and this:

[02:17] <&Goku> 23:16 >>>> zwin-LUMPVJ|60 (zwin-@hack-BB3B7A6D.mullvad.net) has joined #shiro
[02:17] <&Goku> 23:16 <Shiro> .zwin* version
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Version): Zodiac v0.10 (HIGHLY PRIV10) Windows version
[02:17] <&Goku> 23:16 <Shiro> .zwin* help
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): Build type: Windows (Feb 19 2013, 22:59:38)
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): COMMAND   DESCRIPTION
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): quit  Make the bot quit
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): help  Print this menu
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): version  Print the version of the bot
[02:17] <&Goku> wont get much larger then that as well
[02:17] <&Goku> 33kb base
[02:17] <&Goku> i am
[02:17] <&Goku> god sent coder
So I'm pretty sure these are the guys that created this botnet code, because of that version string.

And, I'm pretty sure these are the guys that released the HTP zines (Hack the Planet).  Now that's kind of a big deal.  Here's the HTP-5 issue.  Have a read, it's pretty good (also note that they mention "one of our botnets, Zodiac" right in the zine).  They breached MIT, Sucuri, and the freakin' NIST-NVD.  But the craziest part is that they were behind the Linode breach.  That one is intense because Linode is a pretty big service provider, and in HTP's words:
Meanwhile, we enjoyed our (root) access to Nmap, Nagios, SQLite, OSTicket, Phusion Passenger (modrails), Mono Project, Prey Project, Pastie, Sucuri, Hak5, Pwnie Express, Puppet, and oauth.
They were in a position to backdoor nmap.  And yes, hacklogs can be faked, but all of these hacks have been verified.  That's a sobering thought.

Anyway, I thought it was cool that the malware I decided to really cut my teeth on was from the HTP guys.  I'm still nowhere near done with it and will post updates as I make my way through the code.

Fun times.



Zodiac v0.10, Part I: First Look

So I've made some progress on this analysis.

First off, this string was found in the sample:

.rdata:0040B05C 000000D4 C DEAR WHITEHATS: This bot isn't protected because I'm lazy and you're not going to do anything anyway, not because I'm inept. Although I have added a dirty cipher to please you. Come chat with us, we're friendly.

I believe I found the dirty cipher here:



It's a kind of Caesar cipher: given a byte of ciphertext, if it is between 0x2E and 0x4F the routine adds 0x30 to it, and if it is between 0x50 and 0x7E it subtracts 0x30.
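To make that routine easy to play with outside IDA, here is an added Python reimplementation of it as summarised above (this is my example code, not the bot's); it also provides the inverse, for building test cases or searching other samples for the same enciphered strings, and a helper for walking a NUL-separated string table like the one in the data segment. The sample table is constructed: its two entries are the C2 hostname fkn.ddos.cat and the mutex name ev1l1lod1ld0s run back through the inverse. One caveat that falls out of the arithmetic: with the ranges exactly as described, the two branches can only output 0x5E-0x7F and 0x20-0x4E, so neither can produce 0x57 ('W'); the registry value name "Windongs" therefore suggests the real routine's boundaries differ slightly from this summary, or that the capital is the analyst's. The code follows the description as given, and what happens to bytes outside both ranges is an assumption (pass-through).

```python
# Added example (not the bot's code): the string-deciphering routine as
# summarised above, its inverse, and a string-table walker.

SHIFT = 0x30


def dirty_decipher(data: bytes) -> bytes:
    """Apply the bot's decipher routine to one ciphertext string."""
    out = bytearray()
    for b in data:
        if 0x2E <= b <= 0x4F:
            out.append(b + SHIFT)
        elif 0x50 <= b <= 0x7E:
            out.append(b - SHIFT)
        else:
            # Assumption: bytes outside both ranges pass through unchanged;
            # the write-up does not say what the routine does with them.
            out.append(b)
    return bytes(out)


def is_representable(plain: bytes) -> bool:
    """True if every plaintext byte can be produced by one of the two
    branches: 0x5E-0x7F from the first, 0x20-0x4E from the second."""
    return all(0x5E <= p <= 0x7F or 0x20 <= p <= 0x4E for p in plain)


def dirty_encipher(plain: bytes) -> bytes:
    """Inverse of dirty_decipher. Raises for plaintext the cipher cannot
    produce (for example a capital 'W', 0x57)."""
    if not is_representable(plain):
        raise ValueError("plaintext contains bytes the cipher cannot produce")
    out = bytearray()
    for p in plain:
        # The two output ranges do not overlap, so one comparison picks the branch.
        out.append(p - SHIFT if p >= 0x5E else p + SHIFT)
    return bytes(out)


def decipher_table(blob: bytes) -> list:
    """Decipher every NUL-terminated string in a chunk of the data segment."""
    return [dirty_decipher(s) for s in blob.split(b"\x00") if s]


# Constructed sample: ciphertexts for the C2 hostname and the mutex name,
# generated with dirty_encipher from the deciphered values given in the post.
SAMPLE_TABLE = b"6;>^44?C^31D\x005Fa<a<?4a<4`C\x00"

if __name__ == "__main__":
    for s in decipher_table(SAMPLE_TABLE):
        print(s.decode("ascii"))
```

Feed decipher_table a slice of the .rdata string block dumped from IDA and it hands back the labels in one go; dirty_encipher is the useful half when you want to grep other samples for the same C2 hostname in its on-disk form.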

This deciphering routine is used by the following functions (labelled by me):


It is used on strings that are all collected together in one data segment.  I went ahead and deciphered what was there and changed the labels:


The deciphered label "ev1l1lod1ld0s" is used to create a mutex, so that only one copy of the bot is running on a host at a time:



The deciphered label "Windongs" is used as the name of a value written under HKLM\software\microsoft\windows\currentversion\run, so the bot is relaunched at logon (persistence):



And I am now starting to get into the code that connects to the command server at fkn.ddos.cat.  I'll post more on that part of the code once I've slogged through it, but I also wanted to get into another fun part of the investigation: attribution.



Tuesday, September 17, 2013

How do you eat an elephant?

One bite at a time.

I need to step up my Reverse Engineering game so I'm going to try a full coverage analysis of a malware sample a friend of mine sent me.  He actually sent me a bunch of samples, and this is the runt of the litter.  It's also a little dated; the C2 for this sample is already dead and the domains show up on AV sites when googled.  However, this will still be good practice.

That said, 191 functions when opened in IDA.  103 of those are unnamed, so they're the target.  Hopin' to get through it all in (at most) a month.




Let's dance.