Blog Moved

Please update your links. I'm moving my blog here:


A Closer Look at the Twitter-Controlled Botnet (Part 1)




Part 1 of this post will cover getting the malware, decoding it and scanning it. If I have time, Part 2 will be some disassembly & debugging (both static and dynamic).

I wasn't aware of Jose Nazario's post concerning this topic while I was conducting this research; I had only been exposed to the Wired Threat Level article prior to researching. So while I present some of the same information as Jose, this duplication of information only came to my attention afterwords.

If you've read Jose's post, this post may still be worth the read for several reasons:
- Jose and I differed on some of the tools & techniques used.
- I attempt to offer a more detailed description of my methods/logic as a pseudo-tutorial.
- I mirror all the necessary info so the readers can do this themselves.
- There's a quick discussion on some malware I found hosted at (Jose probably saw it too but didn't mention it) as well as a possible lead to a very sloppy botnet master.


Getting the Malware:
I was reading some feeds on Friday (Aug 14th)
and came across Wired's article on outsourcing botnet C&C (command & control) to Twitter. What caught my eye wasn't so much the article itself but the screenshot accompanying the article. Many times when major outlets report on botnet/worms/virii/etc, crucial details are left out either intentionally (to protect the innocent) or accidentally. This was not the case with this article.

I immediately recognized the tweets in the above screenshot as being base64 encoded. Furthermore, all of the posts started with the same 18 characters, indicating to me that these are not encrypted nor obfuscated beyond the simple base64 encoding. Perhaps the botnet herders are using Robin Wood's KreiosC2 for nefarious purposes? This is evidence for a fairly unsophisticated botnet herder.

I transcribed the messages captured in the screenshot and decoded them in order from most recent to least recent. Some contained what appeared to be multiple links (redirections valid as of Aug 14th, 2009):

aHR0cDovL2JpdC5seS8xN2EzdFMg (malware)

aHR0cDovL2JpdC5seS9MT2ZSTyBodHRwOi8vYml0Lmx5L0ltZ2 (malware)
|_ (unrelated?)

aHR0cDovL2JpdC5seS8xN2w0RmEgaHR0cDovL2JpdC5seS8xN (malware)
|_ (unrelated?)

aHR0cDovL2JpdC5seS9wbVN1YyBodHRwOi8vYml0Lmx5LzE3b (malware)
|_ (unrelated?)


(dead link)

(dead link)

(dead link)

There's several interesting items here, in no particular order:
  1. It appears as though Debian is better at proactively moderating these type of posts than Ubuntu is (all the Debian links were dead when I tried them but the Ubuntu link worked fine). In Ubuntu's defense, however, the offending links were killed within an hour of me notifying them.

  2. Payloads are being pushed out in rapid succession to both the C&C venues (Twitter, Jaiku, Tumblr, etc) and the payload hosting sites, indicating that this process has been automated. Automated payload deployment was determined by looking at some of the URLs linked in the Twitter screenshot:

    It can be deduced from these URLs that malware was uploaded to in a short enough time period to warrant consecutive numbers. Furthermore, it is clear that whoever controlled the Twitter C&C made these uploads as well, judging by the upd4t3 handle present across services.

  3. All the Twitter posts that included two redirect URLs appear to have a nonsense link as the second URL. If anyone has a theory as to the purpose of these secondary links, please leave a comment or shoot me an email @ my[remove_this]

  4. The botnet herder's name is Rafael? I took another look at the malware hosted at Ubuntu and removing the plain/: (mirror)

Decoding the Malware:

Get the base64 samples (password: infected).
Turning these base64 strings into something meaningful was a little more involved than simply decoding them. Of course the first thing I did was decode them. For that I wrote a little Python script. (I'm new to Python and figured this would be a simple exercise. It was.)
# decodes base64 files
# (C) 2009 Paul Makowski. GPLv2.
# usage: python / (encoded_file) (output_file)

import base64
import sys

encodedFile = sys.argv[1]
outputFile = sys.argv[2]

encodedFileHndl = open(encodedFile,"r")
outputFileHndl = open(outputFile, "w")


After decoding the malware I now had 5 files and named them after their URLs: 9506, 9507, 9508, 9509 & 252515.

I ran an md5 on all of them (I used OS X... it would be md5sum in Linux):
$ md5 *.base64
MD5 (252515.base64) = a5f84f74cf9aa832355d5cd558cbfca6
MD5 (9506.base64) = 7743eac81be2b803093a6277323f17cb
MD5 (9507.base64) = a5f84f74cf9aa832355d5cd558cbfca6
MD5 (9508.base64) = a5051a6e5365bdc4dd8267e62d3e2902
MD5 (9509.base64) = 1a81e69e65b75f8b9e72e94c6f86a52b
As you can see, payloads 9507 from and 252515 from are actually the same payload. (Yes I know about md5 collisions...but there's very little point to messing with the hashes in this scenario.)

So now we've narrowed down the available payloads to 4: 9506 through 9509. I named these 9506.bin through 9509.bin (since at this point I didn't know their true filetype).

Making Sense of the Malware:

The first thing I tried after I de-base64'ed the payloads was to take a look at them with a hex editor. Being on OS X, I used Hex Fiend (if I were on Windows, I'd use WinHex; Linux I'd use hexedit):
I took note of two items:
  1. This is not a Windows executable; this is a .zip file. I determined this by the magic number at the beginning of the file (seen above). PK means zip; MZ (or ZM) means Windows PE.

    file verified these findings:
    $ file 950*.bin
    9506.bin: Zip archive data, at least v2.0 to extract
    9507_252515.bin: Zip archive data, at least v2.0 to extract

    9508.bin: Zip archive data, at least v2.0 to extract
    9509.bin: Zip archive data, at least v2.0 to extract

  2. There's a file called gbpm.dll inside the archive. At the bottom of the binary (not shown), is another string that reads gbpm.exe. This also turned out to be a file in the archive.
All of the other payloads appeared the same way under a hex editor. I renamed them all from *.bin to *.zip and unzipped them.

Now I had four folders, each containing a unique gdpm.dll and gdpm.exe. I renamed all the gdpm.exes to gdpm.livemalware so I wouldn't accidentally execute them on my Windows box.

I checked the md5s to see if any were duplicates:
$ md5 950*/*.dll && md5 950*/*.livemalware
MD5 (9506/gbpm.dll) = 0dc041988367e4ca0faa1f119c748efb
MD5 (9507_252515/gbpm.dll) = 6cd9ee23dedf7c6a53668a7c4f830d78
MD5 (9508/gbpm.dll) = 1a1b3c05470ea788a86c4b9ed5c9b28f
MD5 (9509/gbpm.dll) = b15df1614d09ebb7b15d04ce914ee05f
MD5 (9506/gbpm.livemalware) = 4c537d461490ac998256c6deca11eeb4
MD5 (9507_252515/gbpm.livemalware) = 359ca7a025c3fe3cb7f60a3dd8ff4478
MD5 (9508/gbpm.livemalware) = b3a7f3145dc93e8721a4078f5e32fb44
MD5 (9509/gbpm.livemalware) = 08b05a33c6a989cc9c3f0a0918afa943
None were the same - I have 4 different pairs of malware samples :)

I uploaded the files to Virustotal to see if any were recognized. AV detection was poor to say the least (not that I'm surprised):
9506/gbpm.dll (4/41 antivirus detection) (new file)
9506/gbpm.exe (11/39 antivirus detection) (new file)
9507_252515/gbpm.dll (4/41 antivirus detection) (new file)
9507_252515/gbpm.exe (13/39 antivirus detection)
9508/gbpm.dll (5/41 antivirus detection)
9508/gbpm.exe (13/39 antivirus detection)
9509/gbpm.dll (6/41 antivirus detection)
9509/gbpm.exe (8/41 antivirus detection)
The files marked new file had not been seen by Virustotal previously. All .dlls had a fairly low detection rate. That combined with the fact that some had not been seen by Virustotal previously reminds me of PandaLabs recent press release on virii only being useful for 24 hours.

So what kind of malware do we have anyways? Virustotal points toward Eldorado or Svelta for some files. Jose says in his post that these aren't the botnet control agents, but are additional feature-adding payloads. Perhaps this means keyloggers, DDoS tools, etc?


In Part 2 of this post, I will delve into dissecting the malware and making sense of what it does. Hopefully manual analysis will yield more information that AV signatures...

HTTP POST -> HTTPS = Bad Idea®

This will be a quick post (pun not intended) on why you should never allow anything sensitive to be sent from an unsecured page to an SSL-encrypted page. Many, many websites do this (Digg & Facebook quickly come to mind), and it's a serious problem that has an easy solution.

When a user logs into a service, she has a reasonable expectation her credentials will be secured in transit. In the context of web applications, this means SSL.

A typical Facebook login goes like this:
1) Adam requests
2) Facebook sends a response with:

<form method="POST" action=""
name="menubar_login" id="menubar_login">
3) Adam enters his credentials and hits Login.

The problem with this is how does Adam know that the form he intends to submit to is actually destined for As stated in step 2, will return code to instruct Adam's browser to post to an SSL secured page owned by Facebook. But what kind of assurance does Adam have that this is the code he received?

Consider the following scenario: Mallory uses something like ettercap on her university's dorm network: she poisons the subnet traffic (her entire dorm building), tricking her fellow students' computers to send all internet-bound traffic through her.

Mallory then uses Moxie Marlinspike's sslstrip to automate an attack against Facebook. sslstrip will replace any responses from with something like:
<form method="POST" action="">
Unless Adam looked at the source code of the alleged response from, he would be unaware that his credentials were actually going to be send to Mallory's malicious web host.

After harvesting the credentials, Mallory continues employing sslstrip to make (possiblly SSL-secured) page requests on behalf of Adam, staying in the middle of the conversation and reading everything unencrypted on the wire. Or she could just reset the connection, forcing Adam to legitimately log in. After all, she got what she set out for; why let Adam continue to consume her resources?

The solution? Only offer login pages over SSL. Pretty simple :)

GDB Crackme

I wrote a really simple crackme (a la for a team presentation I'm giving on software piracy. I'm usually interested in the low-level details of any computer topic and piracy is no exception. My portion of the presentation is focused on 'real-world' demos of cracking applications to divert program execution in an effort to illustrate how a software pirate may attempt to bypass copyright controls. It was a good excuse to learn some more about GDB - something I'd been meaning to do for a while.

The code is written in C and tested on Windows XP and OS 10.5.7. There's really no input validation, so don't be suprised if it breaks with fringe cases.

Get the Code

Stop reading here if you wish to figure out for yourself how to use GDB to make it print "you entered the correct serial number!" without actually entering the correct serial number. If you want to know how I did it, keep reading.


1) Because this demo was just supposed to illustrate the ideas behind altering program flow, I built the crackme with debugging symbols (plus I'm not good enough with gdb to do it without the symbols...please comment if you know of any good tuts):

gcc -g crackme.c -o crackme
2) Then I ran the program and found its PID (two Terminal windows):
3) Next, I launched gdb and attached to the process:
gdb attach (PID of crackme)
4) If I wasn't familiar with my code, I would probably run bt (backtrace) to see where I am frame-wise:
5) Then I listed the variables in the scope of 'main' (because the other frames look pretty internal and uninteresting):
info scope main
6) I explained if I were a cracker, I'd probably jump at the chance to modify a variable named 'correctSerialEntered'. Because crackme was built with symbols, GDB knows its a signed int and will set it correctly if instructed:
ptype main::correctSerialEntered
7) Finally, I set 'correctSerialEntered' to 1:
set main::correctSerialEntered=1
8) ...and detached from the process:
Back at my crackme Terminal window, I can enter almost anything I like into both the username prompt and the serial prompt and get the "you entered the correct serial number!" response.

On to learning some more gdb to do it without debugging symbols...

Fun with Apple EFI Firmware Passwords

I read somewhere that Apple uses weak encryption on its firmware passwords for Intel/EFI based computers, so I decided to take a look at it while on a long flight. I looked around for more specific discussion on the topic and didn't find anything, so I'll share what I found along with a tool I wrote to automate the changing and decrypting of the password. I wouldn't consider the method that they employed encryption per se, but rather an obfuscation of the password. In either case, what they did is certainly not cryptographically secure. It's not immediately clear to me why they didn't just MD5 the password or something... the nvram appears to have sufficient space to store such a hashed value.

Tested with: OS X 10.5.6/1st Gen (Core Duo)/Macbook Pro & OS X 10.5.6/Core 2 Duo/Macbook Pro.
Useful for: pen tests, lab deployment
Disclaimer: I take no responsibility with what you do with this information. Messing with the nvram can be potentially very serious business. Don't contact me if your mac stops booting.

The method I employed requires root access, either via the root account or single user mode. In a pen test scenario, it may be possible to escalate to root via an exploit (as opposed to password compromise). If the firmware password is the same or similar to another password in use, this may allow for further escalation of privilege / decryption of files / access to other machines / etc. In a lab deployment scenario, it may be desirable to set a firmware password on deployed machines. This process would be more easily automated with a CLI program like the one I'm providing. Of course, there is the OFPW tool, but that was designed for the older Open Firmware and I've had problems running it on under Leopard/EFI and am unclear as to whether or not it supports the new hardware. The OFPW binary seems to be unnecessarily elusive and documentation even more so.

Here's now the obfuscation works:

  1. a <= 255 character ASCII string is accepted by Firmware Password Utility
  2. string is viewed as binary (ASCII decoded)
  3. every other bit is NOT'ted, beginning with a NOT (i.e. NOT, passthru, NOT, passthru, etc)
  4. resulting bitstream is stored as the password.
You can query the current password via Terminal (hex-ASCII encoding , %-delineated):
sudo nvram -p
... or you can get the contents of nvram in XML with the password in base64:
sudo nvram -x -p
Let's run through an example. We'll set our firmware password to:
... which is a fairly random ASCII string. Let's interpret it as ASCII and translate to binary:
01101010 01101000 00110011 00110111 00110110 01100100 01110011 00111000
... now we apply the magic formula of NOT'ting every other bit, beginning with an initial NOT:
11000000 11000010 10011001 10011101 10011100 11001110 11011001 10010010
... then we hex-ify it:
c0 c2 99 9d 9c ce d9 92
... and finally add '%' delimitors:
... now we run:
sudo nvram security-password=%c0%c2%99%9d%9c%ce%d9%92
... and our firmware password has been updated to jh376ds8.

Obviously the reverse could be employed to reveal a firmware password.

Note: there are three security levels included in Apple's EFI:
none: Firmware password is ignored, all boot actions allowed (single user, boot off external, etc). This is a default setting.
command: Firmware password enforced if user requests to boot off another device by holding down 'alt' during boot. Single user, target disk mode, etc disabled.
full: All actions are disallowed, unless correct password is entered (including normal boot to blessed drive).

Only ASCII characters with decimal values between 32 and 127 (inclusive) are allowed and the password cannot be longer than 255 characters. If the password is empty, Apple's GUI utility actually stores "none" as the password, so I would recommend not using "none" as a password.

Get the code

Takeaway: if you're using an EFI password on your Apple computer, don't use that password for anything else. It is easily recovered (granted with root access), but even this recovery could allow for easy future access or further compromise.

©2009 Paul Makowski | Template by TNB