Singapore Chapter Status Report 2012 (Aug 2011 - Oct 2012)

ORGANIZATION

• Cecil Su: Chapter Lead, Early Warning System, Honeypots deployment, Data Analysis.
• Nicolas Collery: Development, Malware analysis and RCE, Honeypots deployment, Data analysis.
• Vicky Khan: Development, Malware analysis, Research
• Vijay Vikram: Center Manager, Research, Development, Honeypots deployment.
• Eugene Teo: Research, Malware analysis and RCE, Data analysis.
• Emil Jingwei: Research guide.
• Rong Hwa: Development, Malware analysis and RCE, Honeypots deployment, Data analysis.

Note: Additional new member, Rong Hwa (from Infocomm Development Authority of Singapore), Anti-Malware Team Lead for both the Singapore Government CERT and SingCERT.

DEPLOYMENTS

Contributed by Emil Tan

• Housekeep and decommissioned old machines at James Cook University computer lab
• Re-assigned usable servers and reinstalled OS onto new testbed
• Redesigned SHC website

Contributed by Vicky Khan

• Deploy HoneeBox and push alerts to HoneyCloud

RESEARCH AND DEVELOPMENT
Nicolas Collery on GSoC 2012 #13 - Network Analyser

Vicky Khan on Malware classification using YARA:
YARA is being used to determine filetypes, compute checksums, detect packers and creation of new signatures. This has been very useful in identifying different classes of malware for further analysis. YARA has also been used to take ClamAV signatures and create YARA rules for detection.

FINDINGS
Contributed by Rong Hwa

Sykipot (Smartcard proxy variant)
A detailed analysis of Sykipot (smartcard proxy variant) malware was performed and its internal working was fully exposed. The details would facilitate security analysts or researchers to: (1) response and remediate Sykipot infections; (2) analyze the impact of Sykipot infection; (3) decrypt Sykipot encrypted messages; or (4) even design a fake bot to communicate with the attackers for future research works.
One interesting observation was that the key logging activities and network communication would only be behaviourally active when the infected users opens the browser or outlook. By this way, it would achieve the following: (1) stealthiness as the traffic appear along side with user generated traffic; (2) Poor response to sandbox analysis due to possibly lack of specific user actions within sandbox environment; (3) key log only interesting contents such as email body.
Aside, one other important finding was that the employed cryptographic algorithm was uncovered. A customised DES was found to be used with a tweak in (only) one of its DES expansion table value. This technique is highly effective as it would impede analysis due to the difficulty to identify this tweak. Additionally, standard DES algorithm would not be able to decrypt its cipher as this tweak would result in a totally different cipher block due to the diffusion mechanism within the algorithm.
Last but not least, all of the command and control commands and artifacts for this malware were identified to facilitate future analysis.

NGRBot
A detailed analysis of NGRBot was performed and the following details were discussed: (1) Impact; (2) Encryption & tampering detection mechanism; (3) Functionalities, (4) Hooking technique, and the (5) Architecture Set-up for communicating with this malware.
A number of interesting observations were identified. Of which, it is interesting to see that "api.wipmania.com" was misused to get locality information for nickname generation. On top of that, the user agent that was "Mozilla/4.0" which was obviously suspicious. This could be applied to the network to identify signs of infection.
Aside, it was also observed that this malware was designed to steal web credential and perform DDoS. Its capability to "hack" the hackers by stealing the hackforum credentials was probably for intelligence gathering.
Last but not least, having all the commands found does not warrant an analyst to interact with the malware even with the IRC server set up. This malware would subtly authenticate its owner by checking the IRC message header which would include the reverse-resolved attacker's IP address against a customised DNS server. Suppose if the attacker's IP could be reverse-resolved to "gov.ba" (a recognised spoofed domain), it would imply that the command is from the registered attacker. Having said that, this domain could be easily spoofed and this does not imply that the offensive traffic is truly from gov.ba.

Zeus P2P DGA
A Zeus sample was partially reversed and its domain generation algorithm was detailed as its algorithm was often mentioned but probably not detailed except for a report by Trend Micro (File-Patching ZBOT Variants, ZeuS 2.0 Levels Up). However, it was noted that this found algorithm was changed and we felt that the community needs to be updated. Its domains are mainly generated using (1) a date-time stamp and (2) an integer (0-999) as an initial seed. This initial seed will be then hashed using MD5 to generate a final seed to further generate sub domains. The specified integer was also utilized to select the root domain to post-fix with the generated sub domain. It was believed that this discovery could be used to "predict" future malicious domains.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

1) Presentation to public on "Introduction to Honeypots" under interest group Edgis Sharing Session at the Singapore Management University, September 2012 (Emil Tan)

2) Presentation to public day ready to be presented at next annual meeting (1st version ready for last meeting - cancelled to personal agenda) - "Look back at cybercrime - some tools and techniques" (Nicolas Collery)

3) Presentation of same material to OWASP/AISP/Sec-77 Group (Nicolas Collery)

4) Introductions to Honeypots: Tracking hackers and activities, 10-July-2012.
Conducted a 90 minute session on Low-Interaction Honeypots with the students of IT (Networking) taking the Advanced E security course at James Cook University (SG Campus). In this session, students learnt about Honeypots, their deployment, detecting and logging attacks. Low interaction honeypot,HoneyD was used in a virtual environment and students tested handful of services and scenarios to complete the session. (Vijay Vikram)

5) Detailed analysis of Sykipot [Smartcard proxy variant] – Rong Hwa
http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant_33919

6) A Chat with NGRBot (paper) – Rong Hwa
http://resources.infosecinstitute.com/ngr-rootkit/

7) A Chat with NGRBot (video) – Rong Hwa
http://www.youtube.com/watch?v=64lhDuxtLtE&noredirect=1

8) Presentation at GovWare Day 1 Government Track - A Chat with NGRBot (Sep 2012) (Rong Hwa)

9) Conducted a one-day Malware Reverse Engineering Workshop for IDA Infocomm Security Seminar (July 2012) – Rong Hwa

GOALS

Upon reflection, we have managed to increase the number of public and private presentations/talks and raise the visibility of the Honeynet Project in this part of the world.
As of late last year, we have started collaborating with more IHLs, government agencies and private institutions.

Revamped our website, and continually trying to improve the contents.

Next year’s plans are to identify upcoming malware threats and provide detailed analysis to:
(1) share interesting techniques found;
(2) apply remedies; and
(3) promote user awareness.

MISC ACTIVITIES
NIL

MENTORING

1) The Singapore Honeynet Chapter members are mentors to the Singapore Polytechnic final-year students in their honeynet-related projects.
2) Rong Hwa is currently a part-time lecturer at Nanyang Polytechnic lecturing on the subject of malware analysis.