Gears of (Cyber)War – C++ Code to Detect Version of Windows


Introduction

A common structure in malware, and also in much legitimate software, is to recognize what the underlying operating system (OS) is. Depending on its version, the virus may want to take a different route to execute its activities. This functionality can be reused across different programs and is therefore worth creating and optimizing once. In this post, we coded a function to detect the version of the Windows OS on which the program is currently running.

Windows Versions

The Windows OS is known to have a confusing version system, which is often the result of marketing pressure. While most software follows a version number specifying the major version, the minor version and the revision (and sometimes the build), Windows swings between years of release (e.g. Windows 2000), fancy names (Windows Vista) and designated numbers (Windows 7). However, the underlying machinery of Windows defines standard version numbers, e.g. 5.1. Below is the correspondence between Windows operating systems and standard versions.

When programming in C/C++, the version number of Windows can be obtained via the OSVERSIONINFO structure (or OSVERSIONINFOEX) and the GetVersionEx Windows API function:

The version information described in the table above is stored in the dwMajorVersion and dwMinorVersion members of the OSVERSIONINFO structure. All versions of Windows in the table above will store the value VER_PLATFORM_WIN32_NT (0x2) in the dwPlatformId member of the structure.

Branching C++ Code Based on Version

Based on the description above, we can create a reusable function to detect the version of the Windows OS:

Note that in many cases, we won’t know whether the OS is the workstation version of Windows or the server version of it. Also, there are no details for other versions of Windows, i.e. Windows CE or Windows 95 (…should it still be used somewhere…). That’s where OSVERSIONINFOEX is useful. The wProductType member will be set to VER_NT_WORKSTATION if the current OS is the workstation version. Furthermore, you can retrieve service pack numbers and edition information with wServicePackMajor, wServicePackMinor and wSuiteMask. So if you need more details about the Windows OS, you can include these as well:

For the full procedure, visit this GitHub page, where you’ll find the C/C++ code.
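The following C++ program is an added example of the version-branching function described above; it is not the post’s own code nor the code on the linked GitHub page. It copies the OSVERSIONINFOEX members the post names (dwMajorVersion, dwMinorVersion, dwPlatformId, wServicePackMajor, wProductType) into a plain struct so the naming logic can be compiled and checked on any platform, and only calls GetVersionEx when built on Windows. The version-to-product mapping follows Microsoft’s documented major.minor numbers for the NT family; the struct and function names (WinVersion, makeVersion, describeWindows, queryWindowsVersion) are this example’s own. One caveat an analyst should keep in mind: GetVersionEx has been deprecated since Windows 8.1 and reports at most 6.2 to an executable without a compatibility manifest, so the number a sample reads is not always the real OS version.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Fields copied from OSVERSIONINFOEX (the member names are the API's). Keeping them in a
// plain struct lets the naming logic compile and be tested on any platform.
struct WinVersion {
    uint32_t dwMajorVersion;
    uint32_t dwMinorVersion;
    uint32_t dwPlatformId;
    uint16_t wServicePackMajor;
    uint8_t  wProductType;
};

// Documented constant values, mirrored here so that non-Windows builds have them.
constexpr uint32_t kPlatformWin32Nt = 2;  // VER_PLATFORM_WIN32_NT
constexpr uint8_t  kNtWorkstation   = 1;  // VER_NT_WORKSTATION (client editions)

WinVersion makeVersion(uint32_t major, uint32_t minor, uint32_t platform,
                       uint16_t spMajor, uint8_t productType) {
    WinVersion v;
    v.dwMajorVersion = major;
    v.dwMinorVersion = minor;
    v.dwPlatformId = platform;
    v.wServicePackMajor = spMajor;
    v.wProductType = productType;
    return v;
}

// Branch on major.minor and wProductType to name the product, then append the service pack.
std::string describeWindows(const WinVersion& v) {
    if (v.dwPlatformId != kPlatformWin32Nt)
        return "Non-NT Windows (platform id " + std::to_string(v.dwPlatformId) + ")";
    const bool workstation = (v.wProductType == kNtWorkstation);
    const uint32_t major = v.dwMajorVersion, minor = v.dwMinorVersion;
    std::string name;
    if (major == 5 && minor == 0)      name = workstation ? "Windows 2000 Professional" : "Windows 2000 Server";
    else if (major == 5 && minor == 1) name = "Windows XP";
    else if (major == 5 && minor == 2) name = workstation ? "Windows XP Professional x64 Edition" : "Windows Server 2003";
    else if (major == 6 && minor == 0) name = workstation ? "Windows Vista" : "Windows Server 2008";
    else if (major == 6 && minor == 1) name = workstation ? "Windows 7" : "Windows Server 2008 R2";
    else name = "Unknown Windows NT " + std::to_string(major) + "." + std::to_string(minor);
    if (v.wServicePackMajor > 0)
        name += " Service Pack " + std::to_string(v.wServicePackMajor);
    return name;
}

#ifdef _WIN32
// Ask the running system. GetVersionEx is deprecated since Windows 8.1 and, to a process
// without a compatibility manifest, reports at most 6.2, so treat the answer as advisory.
bool queryWindowsVersion(WinVersion& out) {
    OSVERSIONINFOEXW osvi = {};
    osvi.dwOSVersionInfoSize = sizeof(osvi);
    if (!GetVersionExW(reinterpret_cast<OSVERSIONINFOW*>(&osvi))) return false;
    out = makeVersion(osvi.dwMajorVersion, osvi.dwMinorVersion, osvi.dwPlatformId,
                      osvi.wServicePackMajor, osvi.wProductType);
    return true;
}
#endif

int main() {
#ifdef _WIN32
    WinVersion v;
    if (queryWindowsVersion(v)) std::cout << describeWindows(v) << "\n";
    else std::cout << "GetVersionEx failed\n";
#else
    // Off Windows there is nothing to query; exercise the decoder on a constructed XP SP3 record.
    std::cout << describeWindows(makeVersion(5, 1, kPlatformWin32Nt, 3, kNtWorkstation)) << "\n";
#endif
    return 0;
}
```

The point of separating describeWindows from the API call is that the branching logic, which is what an analyst recognizes in a sample, can be reviewed and tested without a Windows machine, while wProductType is what distinguishes Windows XP Professional x64 from Windows Server 2003, which share the 5.2 number.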

Conclusion

Practically any malware at some point will need to check the version of the operating system being infected in order to enable specific functions or exploit certain vulnerabilities. Rarely will this check go as far as getting the suite, but Remote Access Tools (RATs) and bots will report the operating system, the version and the service pack. If you are a malware analyst, expect this function to be present in whatever piece of code you’re analyzing.

Submarine Command System


A press release from BAE Systems announced the installation of the Submarine Command System Next Generation (SMCS NG) on twelve nuclear submarines of the Royal Navy, effectively completing the conversion of the seven Trafalgar-class submarines, four Vanguard-class submarines and one Swiftsure-class submarine[1].

The new command system is based on COTS hardware and software products. It uses mainstream PCs and Windows as supporting components. All computers are connected on a LAN by an Ethernet network using fiber-optic cable. According to The Register, the system will mostly be based on Windows XP[2], although it was initially decided it would be based on Windows 2000.

The role of this system is to store and compile data from various sensors in order to present tactical information for the leadership. It also controls the weaponry:

SMCS NG is designed to handle the growing volume of information available in modern nuclear submarines and to control the sophisticated underwater weapons carried now and in the future. Its core capability is the assimilation of sensor data and the compilation and display of a real time tactical picture to the Submarine Command Team[3].

The SMCS NG system is the descendant of the previous SMCS system that was proposed back in 1983, when the U.K. decided to build a new command system for the then-new Trident class. Before, all electronics were custom built by Ferranti. The SMCS would use COTS material to minimize costs and become less dependent on one company. The architecture of the command system was modular and was written in Ada 83. The core of the system contains an Input/Output computer node, a computer that processes data from the sensors and weapons systems. There is also the central node, which is used for processing all the data. Each of the central nodes is duplicated to provide fault tolerance, with each being dual modular redundant, which means that hardware components work in parallel in case one becomes defective. The dual central nodes are connected to each other and to Multi Function Consoles, a Main Tactical Display and two Remote Terminals, which provide the Human Computer Interface. The first phase of the project was to install the SMCS on the Vanguard-class submarines.

In 1990, it was decided to extend the SMCS to other submarine classes and that the new command system would use UNIX as its base operating system. Because of the Ada architecture, problems arose when the technicians tried to map the SMCS to run-time processes of UNIX. Solaris and SPARC machines were finally selected for Multi Function Consoles. The central nodes kept their original architecture in Ada.

SMCS Multi Function Monitor in a Vanguard Class Submarine

In 2000, the project was completely owned by BAE Systems and the move from SPARC computers to PCs was made. The switch of operating system was more difficult, as management preferred Windows while the engineers promoted the use of variants of UNIX such as BSD, Linux or Solaris. The main argument of the engineers was that with UNIX, it would be possible to remove all the extra code unneeded for submarine operations, thus making it more secure. However, the management point of view prevailed and thus was created the “Windows for Warships” label.

Windows was chosen even after the USS Yorktown accident in 1997, in the US. The ship was crippled after the sysadmin entered invalid data into the database through the Remote Database Manager.[4]

Insert any jokes about Windows controlling nuclear subs into the comments. Thank you.

Clippy Launch Warning Blue Screen of Death

See also:

“SMCS”, AllExperts, http://en.allexperts.com/e/s/sm/smcs.htm (accessed on December 17, 2008)

“Submarine Command System (SMCS)”, Ultra Electronics, http://www.ultra-ccs.com/systems/smcs/ (accessed on December 17, 2008)

“Operating Systems Contracts, Trusted Software?”, Richard Smedly, Linux Format, March 2005, http://www.linuxformat.co.uk/pdfs/LXF64.pro_war.pdf (accessed on December 17, 2008)

“Development Drivers in Modern Multi-function Consoles and Cabinets”, Armed Forces International, http://www.armedforces-int.com/categories/military-consoles-and-cabinets/development-drivers-in-modern-multifunction-consoles-and-cabinets.asp (accessed on December 17, 2008)


[1] “Royal Navy’s Submarine Command System Installation Programme Completes Ahead of Time”, BAE Systems, December 15, 2008, http://www.baesystems.com/Newsroom/NewsReleases/autoGen_108111514515.html (accessed on December 17, 2008)

[2] “Royal Navy completes Windows for Submarines™ rollout”, Lewis Page, The Register, December 16, 2008, http://www.theregister.co.uk/2008/12/16/windows_for_submarines_rollout/ (accessed on December 17, 2008)

[3] Ibid.

[4] “Operating Systems Contracts, Trusted Software? “, Richard Smedly, Linux Format, March 2005, p.72

Fun at the Library – Part 1


Since this is a slow news day, and I have an essay to hand in tonight, I’ll just relate one of my experiments, which I started yesterday. As I get more time, I will push further into the system.

While waiting for a friend, I decided to stop by the library to pass time. As I was there, I was immediately attracted to the nearest computer, the one away from the cameras. Some of the computers are accessible to anyone without need for user codes and passwords. These computers are there only for book searches. About everything is disabled on those computers. The only thing people have access to is an Internet Explorer 6 window giving access to the library’s website only. The window only has the Edition, Favorites and Help (“?”) menus. No address bar, but the history can be accessed. There is no taskbar, Ctrl-Alt-Del and Alt-Tab are disabled, no desktop, and the Windows key doesn’t do anything. Trying to navigate to another website by following links won’t resolve. I didn’t have my warkey with me so I couldn’t test if the USB drives were working.

For certain people, i.e. the administrators of the network amongst others, this should be sufficient to prevent people from surfing porn sites and from bringing the apocalypse on their network. Of course, it is not. First, let’s find a way to access something else. This can be easily done by using a dark and unexplored menu available in every program called the “Help” menu: Help > Index and Summary. This will open the HTML Help window. From there: Options > Internet Options.

Internet Options Accessible from the Help Menu

Well that was simple enough right? But it’s not quite what I want. Most of the options are disabled. I can’t use the Temporary Internet Files > Parameters > Show Files/Objects to open an Explorer window. Those are disabled as well:

  • General > Accessibility > Format Documents with my Stylesheet > Browse
  • Confidentiality > Import
  • Contents > Personal Information > Profile > OK > Numerical Identificators > Import

But those are all enabled:

  • Contents > Access Manager > Activate > General > Rating Systems > Add
  • Contents > Access Manager > Activate > Advance > Import
  • Contents > Certificates > Certificates > Import > Next > Browse
  • Contents > Certificates > Editors > Import > Next > Browse

Those options all open an Open File dialog box, from which, of course, I can access about everything. The first action is to open a command prompt by going to C:\Windows\system\system32 and executing the command prompt program. Up to here, it works. Now we can start to spot vulnerabilities… if needed.

Damn… no time left. Next time I need to get some info about the system. I should remember to:

1) See what default account the administrator uses for the users:

2) Get the version of Windows XP they are using:

3) While at it, let’s note the version of Explorer they are using and some information about the network…

I should bring my warkey also, that would make things much easier…

Sorry for the lack of depth tonight, I know this isn’t much; hopefully this will end up as a full example of a simple attack against a network.

China’s Red Flag Linux


Red Flag Linux Logo

Two days ago, the Inquirer posted an article on a new law passed in the Chinese city of Nanchang, in the Jiangxi province, to replace pirated copies of Windows in Internet cafes with legitimate software[1]. The alternative proposed to the cafes is the Red Flag Linux distribution, which prompted fears of snooping by the U.S. Radio Free Asia. The radio quoted the director of the China Internet Project, Xiao Qiang, as saying that “cafes were being required to install Red Flag Linux even if they were using authorised copies of Windows”[2]. According to an official of the Nanchang Cultural Discipline Team, the transition from Windows to Red Flag has already started in the 600 Internet cafes of the city[3], and not across all of China as many headlines claim.

Short History of Red Flag Linux

Red Flag Linux was created by the Software Research Institute of the Chinese Academy of Sciences in 1999 and was financed by a government firm: NewMargin Venture Capital. The distro is now distributed to government offices and businesses by Red Flag Software Co[4]. The goal of the Chinese government was to reduce the dominance of Microsoft over the operating system market. It therefore invested in Red Flag Software through a venture capital investment company owned by the Ministry of Information Industry called CCIDNET Investment[5].

At first, the OS was exclusively in Chinese and restricted itself to the Chinese market. In 2003, the company developed an English version for international markets. This project received further help after Hewlett Packard concluded a plan to provide Red Flag with help in various fields to market its operating system around the world[6]. As many companies took interest in the Chinese economic boom, Red Flag signed partnerships with various western companies like IBM, Intel, HP and Oracle[7] who wanted to open a new market in China. That way, RealNetworks, among others, distributed its media software with Red Flag[8].

According to IDC, a market-research company, the revenue of Red Flag Software Co. totalled US$8.1 million in 2003. There were 24 000 server operating system shipments accounting for $5.9 million in revenue[9]. In 2006, Red Flag Software was the top Linux distributing company in China with over 80% of the Linux desktop market[10]. After a while, new versions of Red Flag were made for mobile devices[11] and embedded devices[12]. It can also be found on various servers sold across China by Dell.

Therefore it seems that Red Flag Linux, after a slow period in the dot-com crash, is alive and well nowadays in China. The operating system has changed quite a bit from its beginnings in 1999 up to now, but we can expect the use of this distribution to grow in the upcoming years, as prices for proprietary OSes such as Windows can be quite prohibitive for most of the Chinese population. The Red Flag Linux distro can be downloaded for free from Red Flag Software Co. (see the end of this article for the links) while Vista Home Basic was sold at renminbi (US$65.80) in 2007[13].

Technical Aspects

According to this early reviewer who tested the OS back in 2002[14], the first Red Flag 2.4 Linux OS was based on the Red Hat distro. It came basically with the same options such as X11, the KDE interface as default, and used the Reiser file system. Interestingly, no root password was needed and root seemed to be the default account. It came with the standard user applications such as XMMS.

Since then, Red Flag Linux has switched from Red Hat to Asianux 2.0 as its base distribution[15]. A root password needs to be specified at installation and the distro is now available on Live CD. Also, don’t expect a completely English system: while the most important parts of it should be in English, some may still be in Mandarin. XMMS has long been replaced with KDE’s multimedia tools such as KsCD, JuK, Dragon Player, and KMix. Other software you can find on the “Olympic” beta version distribution, released last September[16]:

  • KAddressBook
  • Kontact
  • KOrganizer
  • Firefox
  • KMail
  • Kopete
  • Krfb
  • KNode
  • Akregator
  • Akonadi

According to the reviewer, and by looking at the English website, it does look like the English version is not maintained as much as the Chinese version. Therefore I believe the Chinese version might contain more features and fewer bugs. It might even contain office software such as Red Office.

This operating system is certainly one to watch, not really for its technical aspects or usefulness, but mainly because it might spread across China as businesses and governmental agencies adopt Red Flag Linux. If an attack should be ported against Chinese communication infrastructure, this distribution would certainly be one of the targets to analyze in order to find holes and exploits. Unfortunately, finding information about this Linux is tricky, mainly due to the language barrier. Using software translation is amusing but useless. It is hard to determine if the OS contains any modification for spying or snooping, as one would need to go through the source of a large part of the OS (I wish I had time to do that). But then, it’s less hard than examining closed source software. Snooping can come from everywhere; they might be better off with Red Flag Linux than Sony software after all[17].

If anyone has information, please share it, as information should always be shared. In the meantime, a desktop version of Red Flag Linux is available here. And if you can understand Mandarin, maybe you could visit this page.

Enrich your Mandarin Vocabulary: 红旗 = Red Flag

See also:

Red Flag Software Co., http://www.redflag-linux.com/ (Mandarin language)

Red Flag Software Co., http://www.redflag-linux.com/eindex.html (English language)

“Red Flag Linux may be next on IBM’s agenda”, James Niccolai, Network World, September 22, 2006, http://www.networkworld.com/news/2006/092206-red-flag-linux-may-be.html (accessed on December 4, 2008)

“Dell flies Red Flag Linux in China”, Michael Kanellos, ZDNet, December 3, 2004, http://news.zdnet.com/2100-3513_22-133162.html (accessed on December 4, 2008)

“With HP’s help, China’s Red Flag Linux to step onto global stage”, Sumner Lemon, ComputerWorld, September 2, 2003, http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,84602,00.html (accessed on December 5, 2008)



[1] “Chinese ordered to stop using pirate software”, Emma Hughes, The Inquirer, December 3, 2008, http://www.theinquirer.net/gb/inquirer/news/2008/12/03/chinese-ordered-away-pirate (accessed on December 4, 2008)

[2] “New fears over cyber-snooping in China”, Associated Press, The Guardian, December 4, 2008, http://www.guardian.co.uk/world/2008/dec/04/china-privacy-cyber-snooping (accessed on December 4, 2008)

[3] “Chinese Authorities Enforce Switch from Microsoft”, Ding Xiao, translated by Chen Ping, Radio Free Asia Mandarin Service, December 2, 2008, http://www.rfa.org/english/news/china/microsoft%20to%20linux-12022008144416.html (accessed on December 4, 2008)

[4] Ibid.

[5] “Raising the Red Flag”, Doc Searls, Linux Journal, January 30, 2002, http://www.linuxjournal.com/article/5784 (accessed on December 4, 2008)

[6] “English version of China’s Red Flag Linux due soon”, Sumner Lemon, InfoWorld, September 8, 2003, http://www.infoworld.com/article/03/09/08/HNenglishredflag_1.html (accessed on December 4, 2008)

[7] “Red Flag Linux”, Operating System Documentation Project, January 13, 2008, http://www.operating-system.org/betriebssystem/_english/bs-redflag.htm (accessed on December 4, 2008)

[8] “RealNetworks signs up Red Flag Linux”, Stephen Shankland, CNet News, October 6, 2004, http://news.cnet.com/RealNetworks-signs-up-Red-Flag-Linux/2110-7344_3-5399530.html (accessed on December 4, 2008)

[9] “China’s Red Flag Linux to focus on enterprise”, Amy Bennett, IT World, August 16, 2004, http://www.itworld.com/040816chinaredflag (accessed on December 4, 2008)

[10] “Red Flag Linux 7.0 Preview (Olympic Edition)”, Begin Linux Blog, August 15, 2008, http://beginlinux.wordpress.com/2008/08/15/red-flag-linux-70-preview/ (accessed on December 4, 2008)

[11] “Introduction to MIDINUX”, Red Flag Software, June 2007, http://www.redflag-linux.com/chanpin/midinux/midinux_intro.pdf (accessed on December 4, 2008)

[12] “Car computer runs Red Flag Linux”, LinuxDevices, November 13, 2007, http://www.linuxdevices.com/news/NS4055537183.html (accessed on December 4, 2008)

[13] “Update: Microsoft cuts Windows Vista price in China”, Sumner Lemon, InfoWorld, August 3, 2007, http://www.infoworld.com/article/07/08/03/Microsoft-cuts-Vista-price-in-China_1.html (accessed on December 5, 2008)

[14] “Red Flag, China’s home-grown Linux distribution, is a good start”, Matt Michie, Linux.com, February 22, 2002, http://www.linux.com/articles/21365 (accessed on December 4, 2008)

[15] “Red Flag Linux Desktop”, http://www.iterating.com/products/Red-Flag-Linux-Desktop/review/Janos/2007-07-01 (accessed on December 5, 2008)

[16] “Red Flag Linux Olympic Edition fails to medal”, Preston St. Pierre, Linux.com, September 11, 2008, http://www.linux.com/feature/146867 (accessed on December 5, 2008)

[17] “Real Story of the Rogue Rootkit”, Bruce Schneier, Wired, November 17, 2005, http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601 (accessed on December 5, 2008)

New Kid on the Block: Downadup


Many reports in the last few days mention a new worm growing on the back of the Windows MS08-067 vulnerability. The worm, named Downadup and also dubbed Conficker.A by Microsoft, has now spread to alarming levels: “We think 500,000 is a ballpark figure,” said Ivan Macalintal, a senior research engineer with Trend Micro Inc[1].

The Exploit

The vulnerability is located in the Windows Server service, which is used to share network files and printers across computers on a Windows network. This service is used by all Windows versions, even the Windows 7 Pre-Beta version, therefore making every Windows user vulnerable unless patched[2]:

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems*
  • Windows Server 2008 for x64-based Systems*
  • Windows Server 2008 for Itanium-based Systems

Operating Systems Vulnerable to the MS08-067 Exploit

The exploit is executed by sending a specially crafted packet to the RPC (Remote Procedure Call) interface. The interface can be reached by an attacker if no firewall is active or if the File/Printer sharing option is enabled and the machine is connected to the Internet. The packet causes a buffer overflow which allows arbitrary code to be executed.

The core of the exploit comes from a buffer overflow created when parsing a specific path. The exploit occurs when a specially crafted packet is sent to port 139 or 445 on a Windows file/printer sharing session. The reception of that packet triggers a call to the RPC API NetPathCompare() and NetPathCanonicalize() functions.

The exploit is triggered by giving a specific path to canonicalize, such as “\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”[3], to the NetPathCanonicalize function, which uses the _tcscpy_s macro, which in turn calls the wcscpy_s function[4]. This function is used to copy a wide-character string from one location in memory to another. The buffer overflow is provoked by a miscalculation in the parameters given to the _tcscpy_s macro by the NetPathCanonicalize() function.

The _tcscpy_s macro is called like this by NetPathCanonicalize:

_tcscpy_s(previousLastSlash, pBufferEnd - previousLastSlash, ptr + 2);

NetPathCanonicalize contains a complex loop that checks the path for dots, dot-dots and slashes while making a lot of pointer calculations. After the loop has run a couple of times, the previousLastSlash parameter gets an illegal value.

The RPC call

To exploit this vulnerability, all one has to do is bind to the SRVSVC pipe of the Windows Server Service, which is the RPC interface. If this is successful, a call to the NetPathCanonicalize() function with a specially crafted path as shown above is made, and then it’s only a matter of providing the payload. Exploits are already public on sites such as milw0rm[5].

The New Worm: Downadup

Downadup is the newest worm to use the exploit on a large scale and has proved widely successful, even though it has already been one month since the vulnerability was found and patched.

Once installed on a system, the worm copies itself under a random name into the system directory %systemroot%\system32 and registers itself as a service[6]. It will, of course, also add itself to the registry with the following keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>.dll
    ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "<name>.dll"

It then uses these sites to get the newly infected machine’s IP address:

  • http://www.getmyip.org
  • http://getmyip.co.uk
  • http://checkip.dyndns.org

With the IP address, Downadup downloads a small HTTP server (“http://trafficconverter.biz/4vir/antispyware/loadadv.exe”) and opens an HTTP server on the current machine at the following address[7]:

http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]

Once the HTTP server is set up, the worm scans for other vulnerable machines and, when a target is found, the infected machine’s URL is sent to the target as the payload. The remote computer then downloads the worm from the given URL and starts infecting other machines as well. Therefore, there is no centralized point of download. Upon successful infection, it also patches the hole to prevent other worms from infecting the machine[8].
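The propagation sequence above gives a network defender two observable behaviours on a freshly infected host: it fetches the worm from a peer at http://[IP]:[RANDOM PORT]/, then asks one of the three IP-lookup sites for its own external address. The C++ program below is an added example (not code from the post or from any vendor write-up) that correlates those two behaviours per client over proxy log lines. The log format (“time client method url”) and the sample lines are constructed for the example; the three lookup hosts are the ones the post lists, and the function names (splitHostPort, isDottedQuad, flagDownadupLike) are this example’s own.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Sites the worm contacts to learn the infected machine's external IP (from the write-up).
static const std::set<std::string> kIpLookupHosts = {
    "www.getmyip.org", "getmyip.co.uk", "checkip.dyndns.org"};

// Extract host and port from a URL such as http://203.0.113.7:4821/path.
// Returns false for non-http URLs or an unparsable port.
bool splitHostPort(const std::string& url, std::string& host, int& port) {
    const std::string prefix = "http://";
    if (url.compare(0, prefix.size(), prefix) != 0) return false;
    std::string authority = url.substr(prefix.size());
    std::size_t slash = authority.find('/');
    if (slash != std::string::npos) authority = authority.substr(0, slash);
    std::size_t colon = authority.find(':');
    if (colon == std::string::npos) { host = authority; port = 80; return true; }
    host = authority.substr(0, colon);
    try { port = std::stoi(authority.substr(colon + 1)); } catch (...) { return false; }
    return true;
}

// True for a dotted-quad IPv4 literal (four octets, each 0-255); hostnames return false.
bool isDottedQuad(const std::string& s) {
    std::stringstream ss(s);
    std::string part;
    int count = 0;
    while (std::getline(ss, part, '.')) {
        if (part.empty() || part.size() > 3) return false;
        for (char c : part)
            if (!std::isdigit(static_cast<unsigned char>(c))) return false;
        if (std::stoi(part) > 255) return false;
        ++count;
    }
    return count == 4;
}

struct ClientState { bool ipLookup = false; bool rawIpFetch = false; };

// Scan proxy log lines ("<time> <client> <method> <url>") and return, sorted, the clients
// that both fetched from a raw-IP URL on a non-standard port and queried an IP-lookup site.
// Either behaviour alone is common and benign; the pair matches the worm's sequence.
std::vector<std::string> flagDownadupLike(const std::vector<std::string>& lines) {
    std::map<std::string, ClientState> clients;
    for (const std::string& line : lines) {
        std::istringstream in(line);
        std::string time, client, method, url;
        if (!(in >> time >> client >> method >> url)) continue;  // malformed line, skip
        std::string host;
        int port = 0;
        if (!splitHostPort(url, host, port)) continue;
        ClientState& st = clients[client];
        if (kIpLookupHosts.count(host)) st.ipLookup = true;
        if (isDottedQuad(host) && port != 80 && port != 443) st.rawIpFetch = true;
    }
    std::vector<std::string> flagged;
    for (const auto& kv : clients)
        if (kv.second.ipLookup && kv.second.rawIpFetch) flagged.push_back(kv.first);
    return flagged;  // std::map iteration keeps the result ordered by client address
}

// Constructed sample log (not real traffic): only 10.0.0.5 shows the full sequence.
const std::vector<std::string> kSampleLog = {
    "2008-12-01T10:00:01 10.0.0.5 GET http://www.example.com/index.html",
    "2008-12-01T10:00:05 10.0.0.5 GET http://203.0.113.7:4821/",          // worm fetched from a peer
    "2008-12-01T10:00:40 10.0.0.5 GET http://checkip.dyndns.org/",        // learns its own address
    "2008-12-01T10:01:00 10.0.0.9 GET http://checkip.dyndns.org/",        // lookup only (e.g. a DDNS client)
    "2008-12-01T10:01:30 10.0.0.9 GET http://www.example.com/",
    "2008-12-01T10:02:00 10.0.0.12 GET http://198.51.100.2:8080/update",  // raw IP only (intranet app)
    "not a log line",
};

int main() {
    for (const std::string& c : flagDownadupLike(kSampleLog))
        std::cout << "suspicious client: " << c << "\n";
    return 0;
}
```

The check deliberately requires both indicators: IP-lookup requests alone come from dynamic-DNS clients and curious users, and raw-IP fetches on odd ports alone come from plenty of intranet software, so either by itself would drown an analyst in false positives.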

According to Symantec, it has a domain name generating algorithm based on dates, just like Srizbi has (see Srizbi is back for more details on the algorithm). It also deletes any prior Restore Points saved by the user or the system[9].



[1] “New Windows worm builds massive botnet”, Gregg Keizer, ComputerWorld, December 1, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958 (accessed on December 1, 2008)

[2] “Microsoft Security Bulletin MS08-067 – Critical”, Microsoft, October 23, 2008, http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (accessed on December 2, 2008)

[3] “Gimmiv.A exploits critical vulnerability (MS08-067)”, Sergei Shevchenko, October 23, 2008, http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html (accessed December 2, 2008)

[4] “MS08-067 and the SDL”, The Security Development Lifecycle, October 22, 2008, http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx (accessed on December 2, 2008)

[5] See MS08-067 Exploit by Debasis Mohanty and MS08-067 Remote Stack Overflow Vulnerability Exploit for examples.

[6] “F-Secure Malware Information Pages: Worm:W32/Downadup.A”, F-Secure Corporation, November 26, 2008, http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml (accessed on December 2, 2008)

[7] “W32.Downadup”, Symantec, Takayoshi Nakayama and Sean Kiernan, November 24, 2008, http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2 (accessed on December 2, 2008)

[8] “Microsoft warns of new Windows attacks”, Gregg Keizer, ComputerWorld, December 1, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958 (accessed on December 2, 2008)

[9] “Worm:Win32/Conficker.A”, Joshua Phillips, Microsoft Malware Protection Center, 2008, http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A (accessed on December 2, 2008)

Srizbi is back


Update: The new Estonian company that hosted the command & control server, Starline Web Services, was shut down. The domain name chase continues!

The Srizbi botnet is back online after being shut down by the closure of the criminal hosting company McColo Corp two weeks ago. Srizbi’s command and control servers, now moved to an Estonian hosting provider, took back control of the botnet[1] in the last few days.

The Srizbi Botnet

The Srizbi botnet is mostly a spam-generating botnet. According to security firm FireEye, there are 50 variants of the bot, which altogether control around 500 000 zombies across the world[2]. The most virulent forms of Srizbi are said to control around 50 000 bots each.

The Srizbi botnet had a backup procedure in case its C&C servers went down, which is why it got back online very fast. Included in the bot is a procedure that generates domain names[3] and tries to contact them to see if the C&C is available. Therefore the owners, knowing the random domain name generation algorithm of the botnet, only had to register one or more of the domain names that the bots would generate and install their new command and control server on a machine registered under a valid domain name. That is enough for the bots to download a new version pointing to a new address for the botnet. To explain it using pseudo-code, it would look something like this:

More information can be found about the random name generation algorithm at FireEye[4]. Interestingly enough, the algorithm is based on the date to generate a new set of possible domain names per period. FireEye successfully discovered this function after McColo closed, but due to financial constraints, they could not register all the domain names that the bot generated. That would have meant registering more than 450 domains each week…
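To make the date-based scheme concrete from the defender’s side, for both the Srizbi fallback described here and the Downadup algorithm mentioned in the previous post, here is an added C++ example. It is not the post’s missing pseudo-code and not the real Srizbi or Downadup routine (FireEye documents Srizbi’s); the generator is a constructed toy (a date seed fed through a linear congruential generator, producing eight-letter .com names) that only reproduces the shape of the problem: the same date yields the same candidate list on every bot, so whoever knows the routine can enumerate a week’s worth of names, which is what FireEye had to register and what a DNS log can be matched against. The function names (dateSeed, candidatesFor, candidatesForWeek, isCandidate, nextDay), the mixing constant and the per-day count are all this example’s own choices.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Toy date-seeded generator, constructed for this illustration. It is NOT Srizbi's routine
// (FireEye documents that one); it only shows the shape: same date in, same domains out.
uint32_t dateSeed(int year, int month, int day) {
    return static_cast<uint32_t>(year * 10000 + month * 100 + day);
}

// The candidate list every bot would compute for one date.
std::vector<std::string> candidatesFor(int year, int month, int day, int count) {
    uint32_t state = dateSeed(year, month, day) ^ 0x5A17B1u;  // arbitrary mixing constant
    std::vector<std::string> out;
    for (int i = 0; i < count; ++i) {
        std::string name;
        for (int k = 0; k < 8; ++k) {
            state = state * 1664525u + 1013904223u;  // LCG step (Numerical Recipes constants)
            name += static_cast<char>('a' + (state >> 16) % 26);
        }
        out.push_back(name + ".com");
    }
    return out;
}

// Calendar helper so the weekly set can span a month or year boundary (Gregorian leap rule).
void nextDay(int& year, int& month, int& day) {
    static const int daysInMonth[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    const bool leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    const int limit = daysInMonth[month - 1] + ((month == 2 && leap) ? 1 : 0);
    if (++day > limit) {
        day = 1;
        if (++month > 12) { month = 1; ++year; }
    }
}

// Everything the bots could try during the seven days starting on the given date: the list
// a defender would have to register or sinkhole to stay ahead of the operators.
std::set<std::string> candidatesForWeek(int year, int month, int day, int perDay) {
    std::set<std::string> all;
    for (int i = 0; i < 7; ++i) {
        for (const std::string& d : candidatesFor(year, month, day, perDay)) all.insert(d);
        nextDay(year, month, day);
    }
    return all;
}

// Triage check for a DNS log: does this queried name belong to the candidate set for a date?
bool isCandidate(const std::string& domain, int year, int month, int day, int count) {
    for (const std::string& c : candidatesFor(year, month, day, count))
        if (c == domain) return true;
    return false;
}

int main() {
    for (const std::string& d : candidatesFor(2008, 11, 26, 5)) std::cout << d << "\n";
    // 65 names per day is a constructed figure; it lands near the 450-per-week the post cites.
    std::cout << "week of 2008-11-26 at 65/day: " << candidatesForWeek(2008, 11, 26, 65).size()
              << " names to register\n";
    return 0;
}
```

The asymmetry the post describes falls out of the numbers: the operators need to register one name from the week’s set, while the defender must register or sinkhole all of them, every week, for as long as the bots keep running the routine.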

“We have registered a couple hundred domains,” said Fengmin Gong, chief security content officer at FireEye Inc., “but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names.”[5]

Communications intercepted between a Srizbi bot and its Command and Control Server

According to the Symantec Srizbi webpage[6], the worm creates windbg48.sys and another randomly named .SYS file in the %SYSTEM% folder. It then registers windbg48.sys as a driver by inserting the hidden HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48 key into the Windows Registry. Srizbi hides those keys by running in kernel mode and hooking the ZwOpenKey and ZwEnumerateKey kernel functions, among others. It might also try to block access to the registry. A tool is available in order to access the registry anyway.

It also hides its files by hooking the NTFS file system driver. As if that were not enough, it also modifies the TCP/IP network drivers to bypass firewalls and intrusion detection systems. It works in Safe Mode as well.

For those who wish to go deeper, Windows has two levels of execution: user mode and kernel mode. Usually applications run in user mode, which protects the kernel from applications so they won’t mess up the system. Kernel mode is a privileged mode where services and drivers have access to system resources such as the processor, but also the memory… Hooking kernel functions is done by redirecting calls made to the kernel to a custom function. There are a couple of ways to do that in kernel mode, and one of them is to alter the System Service Descriptor Table, which is a table that maps every kernel function to an address in memory. By modifying an entry of this table to the address of your custom function, you hook the kernel. This, however, is easily detected by any anti-virus.

Another way is to insert an unconditional jump instruction into the kernel function by modifying the function directly in memory. The advantage of this method is that it’s much harder to detect, and the hook can reproduce the same functionality as the hooked function. This is called inline function hooking.

This is why this Trojan can also work in Safe Mode. I don’t know if this particular Trojan uses inline function hooking, but rootkits that use this kind of hooking are quite hard and dangerous to remove.
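Both hooking techniques described above leave a trace a defender can look for: an SSDT entry that no longer points into the kernel image, or a function whose first instruction is an unconditional transfer to an address outside the module that owns it. The following is an added example (not code from the original post, and not a reproduction of Srizbi) showing both checks on constructed byte buffers and address lists; the image ranges, the prologue bytes and the sample table are all made up for the demonstration, and a real scanner would read them from kernel memory with a driver.

```python
import struct

# Byte patterns that inline hooks commonly leave at a function entry (x86/x64):
#   E9 rel32       jmp rel32          (5 bytes, target relative to next instruction)
#   68 imm32 C3    push imm32 ; ret   (6 bytes, absolute target)
# Anything else is treated as an ordinary prologue in this simplified check.

def check_inline_hook(code, func_addr, mod_start, mod_end):
    """Return (hooked, target).

    `code` holds the first bytes of the function located at `func_addr`, and
    [mod_start, mod_end) is the image that contains it.  A control transfer at
    entry that lands outside the image is reported as a hook; one that stays
    inside (compiler hot-patch padding, for instance) is not.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        (rel,) = struct.unpack_from("<i", code, 1)           # signed rel32, little-endian
        target = (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF   # relative to the next instruction
    elif len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        (target,) = struct.unpack_from("<I", code, 1)         # absolute imm32 pushed, then ret
    else:
        return False, None                                    # ordinary prologue, nothing to resolve
    return not (mod_start <= target < mod_end), target


def suspicious_ssdt_entries(table, kernel_start, kernel_end):
    """Indices of service table entries that point outside the kernel image.

    Every entry of an unmodified SSDT resolves into ntoskrnl, so an entry that
    resolves elsewhere is a candidate hook worth examining.
    """
    return [i for i, addr in enumerate(table)
            if not (kernel_start <= addr < kernel_end)]


if __name__ == "__main__":
    MOD = (0x1000, 0x2000)   # constructed image range for the function under test
    samples = {
        "clean":        bytes.fromhex("48895C2408"),    # mov [rsp+8], rbx
        "jmp_out":      bytes.fromhex("E900000100"),    # jmp +0x10000 -> lands outside the image
        "jmp_in":       bytes.fromhex("E910000000"),    # jmp +0x10    -> stays inside the image
        "push_ret_out": bytes.fromhex("6800004000C3"),  # push 0x400000 ; ret
    }
    for name, code in samples.items():
        print(name, check_inline_hook(code, 0x1000, *MOD))

    KERNEL = (0x80400000, 0x80600000)   # constructed ntoskrnl range
    table = [0x80401000, 0x80402000, 0xF7A01000]   # last entry points into a foreign driver
    print("ssdt entries outside kernel:", suspicious_ssdt_entries(table, *KERNEL))
```

The module-range test is what keeps the check honest: a jump at function entry is not suspicious by itself, only a jump that leaves the image is, and the SSDT check is the same idea applied to the table instead of the code.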

Return of Srizbi

When McColo Corp. closed two weeks ago following an investigation by the Washington Post’s Security Fix, it made the news across the Internet, as this hosting company was considered responsible for around 75 percent of all the spam sent across the web. Although many rejoiced, including me, at the sudden drop of spam as soon as McColo was turned off[7], everyone knew it was only a matter of time before the cyber criminals found another hosting company.

Few knew, though, that this random domain name generating routine was coded to connect to another C&C server. As soon as it came back online, the first command it received was for a Russian spam campaign. Because it generates domain names such as yrytdyip.com, auaopagr.com, qpqduqud.com or ydywryfu.com, it was unthinkable for FireEye to register every possibility generated by Srizbi. It is becoming harder and harder to fight botnets on a technical basis. Fortunately, the economic fight could maybe put an end to spam, as mentioned in this Ars Technica article:
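Pre-registering every candidate domain is hopeless, but the same property that makes the generator hard to block makes an infected host easy to spot on the network: until the operators register that day’s name, the bot keeps asking the resolver for machine-looking domains that do not exist. The script below is an added example (not FireEye’s analysis, and not Srizbi’s algorithm) that flags hosts producing a burst of NXDOMAIN answers for such names. The log format is constructed, and the eight-lowercase-letter .com pattern is taken from the four names quoted above; that the generator only produces that shape is an assumption, so a production rule would loosen it.

```python
import re
from collections import defaultdict

# Shape of the names quoted in the post (yrytdyip.com, auaopagr.com, ...).
# Assumption: eight lowercase letters under .com; tune for other generators.
SRIZBI_LIKE = re.compile(r"^[a-z]{8}\.com$")

# Constructed resolver log: timestamp, client, query name, response code.
SAMPLE_LOG = """\
2008-11-26T10:00:01 10.0.0.5 yrytdyip.com NXDOMAIN
2008-11-26T10:00:01 10.0.0.5 auaopagr.com NXDOMAIN
2008-11-26T10:00:02 10.0.0.5 qpqduqud.com NXDOMAIN
2008-11-26T10:00:02 10.0.0.5 ydywryfu.com NXDOMAIN
2008-11-26T10:00:03 10.0.0.7 www.washingtonpost.com NOERROR
2008-11-26T10:00:04 10.0.0.7 blog.fireeye.com NOERROR
2008-11-26T10:00:05 10.0.0.7 gooogle.com NXDOMAIN
2008-11-26T10:00:06 10.0.0.9 fireeyee.com NXDOMAIN
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), rcode


def find_dga_hosts(lines, threshold=3):
    """Return {client: sorted distinct generator-looking names that did not resolve}
    for every client with at least `threshold` such names.

    Counting distinct names rather than queries keeps a single mistyped domain
    (or one retried lookup) from tripping the rule, and the NXDOMAIN requirement
    keeps legitimate short .com sites out of the tally.
    """
    candidates = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN" and SRIZBI_LIKE.match(qname):
            candidates[client].add(qname)
    return {c: sorted(names) for c, names in candidates.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in find_dga_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {len(names)} unresolved generator-like names: {', '.join(names)}")
```

In the sample, 10.0.0.5 is reported with all four names, while 10.0.0.9 (one matching typo) and 10.0.0.7 (a typo that does not match the pattern) stay under the threshold. Real traffic would call for a time window on top of the count.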

“… it suggests that spammers may be extremely sensitive to costs, more so than was previously believed. Even a small increase in the cost of sending an e-mail, they postulate, could have significant ramifications for the botnet industry, and might slow the rate at which it grows or put some spam operations out of business altogether.”[8]

The Rustock, Cutwail and Asprox botnets are also making a comeback[9], provoking a new surge in spam in the last few days, though not quite yet at the level of the pre-McColo era.

See also:

“Windows Rootkits of 2005, Part One”, James Butler, Sherri Sparks, Security Focus, November 4, 2005, http://www.securityfocus.com/infocus/1850 (accessed on November 27, 2008)

“Fallback C&C channels”, Alex Lanstein, Atif Mushtaq, Julia Wolf, and Todd Rosenberry, FireEye, November 16, 2008, http://blog.fireeye.com/research/2008/11/fallback-cc-channels-part-deux.html#more (accessed on November 27, 2008)


[1] “Massive botnet returns from the dead, starts spamming”, Gregg Keizer, ComputerWorld, November 26, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121678 (accessed on November 27, 2008)

[2] “Srizbi Botnet Re-Emerges Despite Security Firm’s Efforts”, Brian Krebs, Washington Post – Security Fix, November 26, 2008, http://voices.washingtonpost.com/securityfix/2008/11/srizbi_botnet_re-emerges_despi.html?hpid=news-col-blogs (accessed on November 27, 2008)

[3] “Technical details of Srizbi’s domain generation algorithm”, Julia Wolf, November 25, 2008, http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html (accessed on November 27, 2008)

[4] Ibid.

[5] “Massive botnet returns from the dead, starts spamming”, Gregg Keizer, ComputerWorld, November 26, 2008, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121678 (accessed on November 27, 2008)

[6] “Trojan.Srizbi”, Kaoru Hayashi, Symantec, July 23, 2007, http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=2 (accessed on November 27, 2008)

[7] “Spam plummets after Calif. hosting service shuttered”, Gregg Keizer, ComputerWorld Security, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9119963 (accessed on November 27, 2008)

[8] “Study: Storm botnet brought in daily profits of up to $9,500”, Joel Hruska, Ars Technica, November 10, 2008, http://arstechnica.com/news.ars/post/20081110-study-storm-botnet-brought-in-daily-profits-of-up-to-9500.html (accessed on November 27, 2008)

[9] “Srizbi botnet active again”, Jeremy Kirk, November 27, 2008, http://www.itworldcanada.com/a/Departmental-and-End-User-Computing/7167ba6c-1cd2-4c54-9338-95a63bea47fa.html (accessed on November 27, 2008)

Integrity OS to be Released Commercially

The Integrity Operating System, an OS with the highest security rating from the National Security Agency (NSA) and used by the military, will now be sold to the private sector by Integrity Global Security, a subsidiary of Green Hills Software. The commercial operating system will be based on the Integrity 178-B OS, which was used in the 1997 B1B Bomber and afterwards in F-16, F-22 and F-35 military jets. It is also used in the Airbus 380 and Boeing 787 airplanes[1].

The Integrity 178-B OS has been certified EAL6+ (Evaluation Assurance Level 6) by the NSA and is the only OS to have achieved this level of security so far. Most commercial operating systems, such as Windows and Linux distributions, have an EAL4+ certification. The EAL is a certification which indicates the degree of security of the operating system: level 1 covers applications that have been tested but where a security breach would not incur serious threats, while level 7, the highest level, covers applications strong enough to resist a high risk of threats and to withstand sophisticated attacks. Only one application has a level 7 certification, the Tenix Data Diode by Tenix America[2].

The Integrity OS can run by itself or with other operating systems on top of it, such as Windows, Linux, MacOS, Solaris, VxWorks, Palm OS and even Symbian OS. Each OS runs in its own partition, so that eventual failures and security vulnerabilities are confined to that OS only.

Product                       | Type             | Protection Profile | Security Level
------------------------------|------------------|--------------------|---------------
INTEGRITY                     | Operating System | SKPP               | EAL 6+
Linux                         | Operating System | CAPP, LSPP         | EAL 4+
PR/SM LPAR Hypervisor         | Virtualization   | Custom             | EAL 5
SELinux                       | Operating System | Not evaluated      | EAL 4+
Solaris (and Trusted Solaris) | Operating System | CAPP, LSPP         | EAL 4+
STOP OS                       | Operating System | CAPP, LSPP         | EAL 5
VMware                        | Virtualization   | Custom             | EAL 4+
Windows Vista                 | Operating System | Not evaluated      | EAL 4+
Windows XP                    | Operating System | CAPP               | EAL 4+
Xen                           | Virtualization   | Not evaluated      | EAL 4+

Main operating systems with the type of protection profile used and the assigned EAL[3]

The main feature of the Integrity OS is its use of the Separation Kernel Protection Profile (SKPP). A protection profile (PP) is a document used in the certification process which describes the security requirements for a particular problem. The SKPP is a standard developed by the NSA in which the requirements for a high-robustness operating system are defined; they are based on John Rushby’s concept of the Separation Kernel. This concept can be summarized as:

“… a single-processor model of a distributed system in which all user processes are separated in time and space from each other. In a distributed system, the execution of each process takes place in a manner independent of any other”[4]

Basically, the concept is that of a computer simulating a distributed environment in which each process is independent of the others, thus preventing a corrupted or breached application from inadvertently giving access to restricted resources, as is often the case with privilege escalation on other commercial OSes.
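To make the separation idea concrete, here is an added toy model (not Integrity’s implementation, and not derived from the SKPP text) of the one thing a separation kernel does: mediate every access between partitions against a static flow policy fixed at configuration time, with everything not listed denied. The partition names, the policy and the access trace are constructed; the trace plays the role of a fully compromised guest probing its neighbours.

```python
from itertools import product


class SeparationKernel:
    """Toy partitioned information-flow policy.

    Partitions and the flows allowed between them are fixed when the kernel is
    configured; nothing can be added at run time, and any flow the policy does
    not name is denied.  That is what confines a breached partition: it keeps
    whatever it already had, and nothing more.
    """

    def __init__(self, partitions, allowed_flows):
        self.partitions = frozenset(partitions)
        for src, dst in allowed_flows:
            if src not in self.partitions or dst not in self.partitions:
                raise ValueError(f"flow {src}->{dst} names an unknown partition")
        self.allowed = frozenset(allowed_flows)

    def mediate(self, src, dst):
        """Kernel decision for one access attempt: allowed only if the policy names it."""
        if src not in self.partitions or dst not in self.partitions:
            raise ValueError("unknown partition")
        return src == dst or (src, dst) in self.allowed

    def implicit_flows(self):
        """Pairs the policy does not name directly but that can be realised by
        chaining through an intermediary (a -> b and b -> c gives a -> c).

        An evaluator checking a configuration wants these listed, since an
        intermediary partition may relay data the policy author never meant
        to connect.  Computed as a transitive closure over the allowed set.
        """
        reach = set(self.allowed)
        for k, i, j in product(self.partitions, repeat=3):   # k is the intermediary
            if (i, k) in reach and (k, j) in reach:
                reach.add((i, j))
        return sorted(f for f in reach if f not in self.allowed and f[0] != f[1])


def replay(kernel, trace):
    """Run a constructed access trace through the kernel; return (allowed, denied)."""
    allowed, denied = [], []
    for src, dst in trace:
        (allowed if kernel.mediate(src, dst) else denied).append((src, dst))
    return allowed, denied


if __name__ == "__main__":
    # Constructed configuration: two guest OS partitions, a crypto partition and
    # an audit sink.  Guests may write to audit and nothing else.
    kernel = SeparationKernel(
        partitions=["windows_guest", "linux_guest", "crypto", "audit"],
        allowed_flows=[("windows_guest", "audit"), ("linux_guest", "audit"), ("crypto", "audit")],
    )
    # Assume the Windows guest is fully compromised: what can it reach?
    probe = [("windows_guest", "windows_guest"), ("windows_guest", "audit"),
             ("windows_guest", "crypto"), ("windows_guest", "linux_guest")]
    ok, blocked = replay(kernel, probe)
    print("allowed:", ok)
    print("denied: ", blocked)
    print("flows reachable only by relaying:", kernel.implicit_flows())
```

The model deliberately has no "grant" operation: in the page’s terms, the guest’s own resources and the audit channel are all it was ever given, so its compromise cannot turn into access to the crypto partition. The `implicit_flows` check is the part a reviewer of such a configuration would actually run, because a policy that allows a -> b and b -> c has, in effect, allowed a -> c as well.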

Schema of the Integrity 178B Operating System

What makes the SKPP standard so secure is that it requires a formal method of verification during development. Furthermore, the source code is examined by a third party, in this case the NSA.

“SKPP separation mechanisms, when integrated within a high assurance security architecture, are appropriate to support critical security policies for the Department of Defense (DoD), Intelligence Community, the Department of Homeland Security, Federal Aviation Administration, and industrial sectors such as finance and manufacturing.”[5]

Of course, the OS might be conceived for security and toughness, but in the end it all depends on how it is used and configured… That’s going to be the real test. As much as I believe the people who verified the OS are competent, and that all the expensive tests the company has paid for to check their operating system are rigorous, the real exam would be to release it in the wild so that hackers from all around the world can have a try at it. Hopefully, we might be able to play with this OS someday…

See also:

“U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness”, Information Assurance Directorate, June 29, 2007

“Formal Refinement for Operating System Kernels, Chapter 4 p. 203-209”, Iain D. Craig, Springer London, Springer Link, July 2007

“Separation kernel for a secure real-time operating system”, Rance J. DeLong, Safety Critical Embedded Systems, February 2008, p. 22

“Controlled Access Protection Profile”, Information Systems Security Organization, National Security Agency, October 8, 1999


[1] “Secure OS Gets Highest NSA Rating, Goes Commercial”, Kelly Jackson Higgins, DarkReading, November 18, 2008, http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=212100421 (accessed on November 19, 2008)

[2] “TENIX Interactive Link solutions”, TENIX America, http://www.tenixamerica.com/images/white_papers/datasheet_summary.pdf (accessed on November 19, 2008)

[3] “The Gold Standard for Operating System Security: SKPP”, David Kleidermacher, Integrity Global Security, 2008, http://www.integrityglobalsecurity.com/downloads/SKPPGoldenStandardWhitePaper.pdf (accessed on November 19, 2008)

[4] “Formal Refinement for Operating System Kernels”, Iain D. Craig, Springer London, Springer Link, July 2007, p. 203

[5] “U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness”, Information Assurance Directorate, June 29, 2007, p. 10