Saturday, October 24, 2015

Timing attack vulnerability in Zeus server-sides

Timing attacks has proven practical since 96' as shown in a paper by Paul C. Kocher. In his paper Paul demonstrate how, by effectively measuring the amount of time required for private key operation, one could completely uncover the private key. This attack was shown to be effective against widely known crypto-systems such as Diffie-Hellman, RSA and DSS.

Almost ten years later on 2004, another research paper was published by Dan Boneh and David Brumley, entitled "Remote Timing Attacks are Practical" claiming that timing attack as shown in Paul C. Kocher paper are also practical remotely. Their research shows a successful attack against a remote instance of Apache server using OpenSSL running on local network.

Then, in Crosby paper and also in Daniel Mayer & Joel Sandin paper they documented an  extensive bench-marking work to determine what is actually the smallest processing time frame that can be measured across the different hardware and networking setups.

Now, to tell you the truth, I didn't know a thing about these publications or much of the existence of timing attacks when I found this vulnerability in Zeus botnet's server-side about three years ago. Even though i didn't use much of the mentioned knowledge in my research, I decided to give this intro for people who would like to expand their knowledge about these attacks.

The vulnerability I've discovered is basically a timing attack which enable a remote attacker to resolve the length in characters of the reports directory name by carefully measuring the response time of the server. While this vulnerability maybe considered as low risk, as well as found on fraudulent piece of software, I find its nature to be a very interesting and intriguing case-study which could be of a good use for future researchers.

Friday, October 2, 2015

A Walkthrough of the “APT” Intelligence Gathering Process

Every meticulous APT attack starts with a comprehensive intelligence gathering that includes getting to know the target before proceeding to a more invasive act. In this research paper, I shall discuss the reconnaissance process performed on a potential target from the perspective of the adversary.

This demonstration will show how much information can be harvested from a hypothetical targeted entity, using techniques, tools, and procedures (TTP) which are available to literally anyone.

Some may suggest that certain threat actors do not necessarily use conventional means/sources since they can afford more elaborate means for collecting their intelligence (“intel”). While this may be  true, such means are generally unnecessary due to the amount of intel that can be gathered by open source intelligence (OSINT).

Full research paper