October 22, 2014

Cisco IOS Hints and Tricks

All You Need Are Two Top-of-Rack Switches

Every time I’m running a classroom version of my Designing the Cloud Infrastructure workshop, I start with a simple question: “Who has more than 2000 VMs or bare-metal servers in the data center?”

I might see three hands on a good day; 95-95% of the audience have smaller data centers… and some of them get disappointed when I tell them they don’t need more than two ToR switches in their data center.

by Ivan Pepelnjak (noreply@blogger.com) at October 22, 2014 07:18 AM

October 21, 2014

My Etherealmind

Response: HowTo Configure IP Multicast PIM on ECMP| Mellanox Interconnect Community


Today I spent several hours reading up on PIM Bidirectional for a customer implementation on an ECMP network. I realise that somewhere inside my head there is a lot of IP Multicast knowledge that hasn’t been lost but is definitely hiding. I had to re-learn a number of concepts before I started to feel confident. […]

The post Response: HowTo Configure IP Multicast PIM on ECMP| Mellanox Interconnect Community appeared first on EtherealMind.

by Greg Ferro at October 21, 2014 09:01 PM

The Networking Nerd

Twitter, Please Stop Giving Me Things I Don’t Want

Last week, Twitter confirmed that they will start injecting tweets from users you don’t follow into your timeline.  The collective cry from their user base ranged from outrage to a solid “meh”.  It seems that Twitter has stumbled onto the magic formula that Facebook has perfected: create a feature the users don’t care about and force it onto them.  Why?

Twitter Doesn’t Care About Power Users

Twitter has an interesting mix of users.  They reported earlier this year that 44% of their user base has never tweeted.  That’s a lot of accounts that were created for the purpose of reserving a name or following people in read-only mode.  That must concern Twitter, because people that don’t tweet can’t be measured for things like advertising.  They won’t push the message of a sponsored tweet.  They won’t add their voice to the din.  But what about those users that tweet regularly?

Power users are those that tweet frequently without a large follower base.  Essentially, everyone that isn’t a celebrity with a million followers or a non-tweeting account.  You know, the real users on Twitter.  The people that make typos in their tweets and actually check to see who follows them.  The ones that don’t have a “social media team” tweeting for them.  Nothing wrong with a team tweeting for a brand, but when they’re tweeting for a person it’s a little disconcerting.

Power users keep getting screwed by Twitter.  The API changes really hurt those that use clients other than the official ones.  Given that Twitter has killed most of its “official” clients in favor of pushing people to use the web, it makes you wonder what their strategy might be.  They are entirely beholden to their investors right now.  That means user signups and ad revenue.  And it means focusing on making the message widespread.  Why worry about placating the relatively small user base that uses your product when you can create a method for reaching millions with a unicast sponsored hashtag? Or by injecting tweets from people you don’t follow into your timeline?

The tweet injection thing is like a popup ad.  It serves the purpose of Twitter deciding to show you some tweets from other “users”.  Anyone want to bet those users will quickly start becoming corporate accounts? Perhaps they pay Twitter to ensure their tweets show up in the timelines of a specific demographic.  It makes total sense when your users are nothing but a stream of revenue.

Making Twitter Usable Again

I mentioned some things the other day that I think Twitter needs to do to make their service usable for power users again.  I wanted to expand on them a bit here:

The Unfollow Bug – Twitter has a problem with keeping followers.  For some reason, your account will randomly unfollow a user with no notification.  You usually don’t figure it out until you want to send them a DM or notice that they’ve unfollowed you and mention it.  It’s an irritating bug that’s been going on for years with no hope of resolution.  Twitter needs to sort this one out quickly.  As a side note, if you run a service that monitors people that have unfollowed you, consider adding a digest of users that I have unfollowed this week.  If the list doesn’t match those that I purposely unfollowed, at least you know when you’ve been hit by this bug.

Links in Direct Messages – Twitter disabled the ability to send a link in a direct message a few months ago.  Their argument was that it cut down on spam.  The real reason was Twitter’s attempt to turn DMs into an instant message platform.  Twitter experimented with a setting that enabled DMs from users you don’t follow.  They pulled it before it went live due to user feedback.  One of the arguments was that spam accounts could bombard you with URLs that led to phishing attacks and other unsavory things.  Twitter responded by disabling links in DMs even though they removed the feature it was intended to protect.  It’s time for Twitter to give us this feature back.

Token Limits – This “feature” has to go.  Restricting 3rd party clients because they exist destroys the capabilities of your power users. I use a client because it gives me easy access to features I use all the time, like conversation views and muting.  I also don’t like sitting on the garish Twitter website and constantly refreshing to see new tweets.  I’d rather use some other client. Twitter has a love/hate relationship with non-official clients.  Mostly because those clients strip out ads and sponsored tweets.  They don’t let Twitter earn money from them.  Which is why Twitter is stamping them out for “replicating official client features” left and right.  Curiously enough, I’ve never heard about HootSuite being hit with user token limits.  But considering that a lot of Twitter’s favorite celebrities use it (or at least their social media teams do), I’m not shocked they’re on the exempt list.


Tom’s Take

I still find Twitter a very useful tool.  It’s not something that can just be set to automatic and left alone.  It takes curation and attention to make it work for you.  But it also needs help from Twitter’s side.  Instead of focusing on ways to make me see things I don’t care about from people I don’t want to follow, how about making your service work the way I want it to work?  I’m more likely to use (and suggest) a service that works.  I barely check Facebook anymore because I’m constantly “fixing” their Top Posts algorithm.  Don’t turn your service into something I spend most of my time fixing.


by networkingnerd at October 21, 2014 04:26 PM

Cisco IOS Hints and Tricks

Network Programmability Phase 1: the Configured Network

During his Network Programmability 101 webinar Matt Oswalt described three phases of network programmability. The first level in the pyramid of programmable awesomeness (his words, not mine) is described in today’s video.

by Ivan Pepelnjak (noreply@blogger.com) at October 21, 2014 12:20 PM

October 20, 2014

My Etherealmind

Confusing Times in Networking and Cognition Jumps


I’ve been researching four different and distinct types of networking in the last few weeks. I’m finding that the cognition required to jump between technologies is making my head hurt. Here is a summary of four technology areas that interest me this week. Optical Networking As part of a research project I have been getting deep […]

The post Confusing Times in Networking and Cognition Jumps appeared first on EtherealMind.

by Greg Ferro at October 20, 2014 05:49 PM

Cisco IOS Hints and Tricks

Micro-BFD: BFD over LAG (Port Channel)

The discussion in the comments to my LAG versus ECMP post took a totally unexpected turn when someone mentioned BFD failure detection over port channels (link aggregation groups – LAGs).

What’s the big deal?

by Ivan Pepelnjak (noreply@blogger.com) at October 20, 2014 08:15 AM

October 19, 2014

Cisco IOS Hints and Tricks

Just Published: Juniper Data Center Switches

Want to know what the difference between Virtual Chassis and Virtual Chassis Fabric is? How Local Link Bias works? How ISSU on QFX 5100 works even though the box doesn’t have two supervisor boards? You’ll find answers to all these questions in new videos describing Juniper data center switches.

by Ivan Pepelnjak (noreply@blogger.com) at October 19, 2014 07:01 PM

October 18, 2014

My Etherealmind

Response: http2 explained


Been researching the HTTP2 protocol on the basis that it will, more or less, be the dominant protocol on the Internet and everywhere else. Aside from the sense of excitement I get from looking at solving old problems, HTTP2 is a huge change for networking and this site has the best explanation I’ve found so far. Check […]

The post Response: http2 explained appeared first on EtherealMind.

by Greg Ferro at October 18, 2014 06:34 PM

Cisco IOS Hints and Tricks

Workload Mobility and Reality: Bandwidth Constraints

People talking about long-distance workload mobility and cloudbursting often forget the physical reality documented in the fallacies of distributed computing. Today we’ll focus on bandwidth, in a follow-up blog post we’ll deal with its ugly cousin latency.

TL&DR summary: If you plan to spread application components across the network without understanding their network requirements, you’ll get the results you deserve.

by Ivan Pepelnjak (noreply@blogger.com) at October 18, 2014 01:47 PM

October 17, 2014

PACKETattack

Announcement: The Hot Aisle Newsletter

I’ve launched a newsletter called The Hot Aisle. Why might you care? The Hot Aisle is a personal look at my real life IT engineering projects, thoughts about the networking industry I won’t publish anywhere else, my growingly contrarian views on social media, good stuff I’ve read, and comments from fellow Hot Aisle readers. The content is […]

by Ethan Banks at October 17, 2014 06:07 PM

My Etherealmind

Monospaced Fonts and Command Line


Recently I've been on a search for a 'better' font to use in terminals. In an unrelated coincidence, I learned about anti-aliasing; I still don't understand it, but it makes a difference.

The post Monospaced Fonts and Command Line appeared first on EtherealMind.

by Greg Ferro at October 17, 2014 05:57 PM

October 16, 2014

Packet Pushers Blog/Podcast

Automating the Cabbage Patch Network Today (2014)

“Sometimes my head is a bit of an idiot” is something my daughter might say and that happens to me too, if that time is today and this article, let me know. If you don’t get the Cabbage Patch reference and its juxtaposition to automation, see here. I’ve tried to avoid sarcasm (and arrogance) but have […]

Author information

Steven Iveson

Steven Iveson, the last of four children of the seventies, was born in London and has never been too far from a shooting, bombing or riot. He's now grateful to live in a small town in East Yorkshire in the north east of England with his wife Sam and their four children.

He's worked in the IT industry for over 15 years in a variety of roles, predominantly in data centre environments. Working with switches and routers pretty much from the start he now also has a thirst for application delivery, SDN, virtualisation and related products and technologies. He's published a number of F5 Networks related books and is a regular contributor at DevCentral.

The post Automating the Cabbage Patch Network Today (2014) appeared first on Packet Pushers Podcast and was written by Steven Iveson.

by Steven Iveson at October 16, 2014 09:14 PM

PACKETattack

Cisco ACI Fabric Forwarding In A Nutshell

As I study software defined networking architectures, I’ve observed that none of them are exactly alike. There are common approaches, but once diving into the details of what’s being done and how, even the common approaches seem to have as many differences as similarities. One of the most interesting elements of SDN architectures […]

by Ethan Banks at October 16, 2014 08:44 PM

My Etherealmind

IOS: show tcp vty


On Cisco IOS, this is a very useful command "show tcp vty xx" to show TCP statistics of the VTY session. If you think your terminal is running slow because of packet loss or delay then this command will provide visibility. The other cause is the CPU/Memory running slow if you don't see any errors on the TCP (as you can see below).

The post IOS: show tcp vty appeared first on EtherealMind.

by Greg Ferro at October 16, 2014 06:55 PM

October 15, 2014

My Etherealmind

Killer Apps in the Gigabit Age | Pew Research Center’s Internet & American Life Project


Very, very funny quote in the Pew Research Report: How could people benefit from a gigabit network? One expert in this study, David Weinberger, a senior researcher at Harvard’s Berkman Center for Internet & Society, predicted, “There will be full, always-on, 360-degree environmental awareness, a semantic overlay on the real world, and full-presence massive open […]

The post Killer Apps in the Gigabit Age | Pew Research Center’s Internet & American Life Project appeared first on EtherealMind.

by Greg Ferro at October 15, 2014 07:05 PM

Networking Now (Juniper Blog)

Safeguarding cloud security before it’s too late

Earlier this month, many of the world’s biggest cloud-service providers quietly cooperated to update the open-source Xen hypervisor software. What wasn’t publicly revealed until after the update was safely completed, however, was that it actually was a carefully coordinated operation intended to head off a major security breach, as identified in the Xen patch advisory.

by KyleAdams at October 15, 2014 06:09 PM

Potaroo blog

ECDSA and DNSSEC

Yes, that's a cryptic topic, even for an article that addresses matters of the use of cryptographic algorithms, so congratulations for getting even this far! This is a report of an experiment conducted in September and October 2014 by the authors to measure the extent to which deployed DNSSEC-validating resolvers fully support the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) with curve P-256.

October 15, 2014 05:18 PM

Router Jockey

AS-Path Filtering

Before we get into the how, let’s talk about the why. According to the CIDR Report, the global IPv4 routing table sits at about 525,000 routes; it has doubled in size since mid-2008 and continues to press upwards at an accelerated rate. This momentum, which in my estimate started around 2006, will most likely never slow down. As network engineers, what are we to do? Sure, memory is as plentiful as we could ask for, but what of TCAM? On certain platforms, like the 7600/6500 with the Sup720 and even some of the ASR1ks, we have already surpassed the limits of what they can handle (~512k routes in the FIB). While it is possible to increase the TCAM available for routing information, there are other solutions that don’t include replacing hardware just yet.

As far as I know, adjusting TCAM partitioning on the ASR1000 is not possible at this time.

Before I get too deep into this, I should clarify as many of you (yes, I’m looking at you Fry) are asking yourselves why is an ISP running BGP on a 6500… Many of my customers are small ISPs or data centers that have little to no networking experience. They are the small guys attempting to provide high speed service to rural areas that truly need it. Most of these guys are 3-4 person shops that have a ton of people wearing multiple hats, and after spending the last decade working with them, I have to respect that. /soapbox

AS Path Filtering

My favorite solution to this problem has been to filter out routes that have long AS Paths. This works particularly well if you’re receiving full tables plus a default from your upstream providers. My thinking has always been: let’s ensure path optimization for very short AS Paths, and for anything more than 3 networks away… who cares!? The example below uses AS path filtering and local preference to ensure that traffic to destinations 3 networks or fewer away always leaves via the best path we have.

ip as-path access-list 100 permit ^[0-9]*$
ip as-path access-list 200 permit ^[0-9]*_[0-9]*$
ip as-path access-list 300 permit ^[0-9]*_[0-9]*_[0-9]*$
!
ip prefix-list any seq 5 permit 0.0.0.0/0 le 32
!
route-map ebgp-in permit 10
 match as-path 100
 set local-preference 193
!
route-map ebgp-in permit 20
 match as-path 200
 set local-preference 192
!
route-map ebgp-in permit 30
 match as-path 300
 set local-preference 191
!
route-map ebgp-in deny 99
 match ip address any
!
router bgp 65100
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65011
 neighbor 1.1.1.1 route-map ebgp-in in
 neighbor 2.2.2.2 remote-as 65022
 neighbor 2.2.2.2 route-map ebgp-in in
!

As you can see, we’re using a route-map to filter updates from our peers. The first statement matches AS-Path ACL 100, whose regular expression matches updates with a single AS number in the AS-Path, and the set statement raises the local-preference on those routes well above the default of 100. The BGP best path selection algorithm would already prefer these routes on AS-Path length, but personally I like overriding local-preference throughout my configs to suit the needs of the business. I also typically set BGP communities on these prefixes to aid in identifying the applied policy. But I digress. The next statement does the same for an AS-Path length of 2 with a slightly lower local-preference, and the third statement again for a length of 3, until we reach statement 99, which denies any other routes from being learned.
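The policy above is easier to reason about when the AS-path regexes can be exercised offline before they touch a production peer. The following Python is an added example and not part of Tony’s post: it emulates the IOS meaning of `_` in an AS-path regex (a boundary, matching the start or end of the path, a space, a comma or an AS_SET brace), walks the `ebgp-in` entries in sequence order and returns the local-preference a received path would get, or None when it falls through to the deny at sequence 99. The ACL numbers, sequence numbers and local-preference values are the post’s; the sample AS paths are constructed.

```python
import re

# AS-path access-lists from the post, keyed by list number (IOS regex syntax).
AS_PATH_ACLS = {
    100: r"^[0-9]*$",
    200: r"^[0-9]*_[0-9]*$",
    300: r"^[0-9]*_[0-9]*_[0-9]*$",
}

# route-map ebgp-in as (sequence, action, as-path ACL, local-preference), in sequence order.
ROUTE_MAP_EBGP_IN = [
    (10, "permit", 100, 193),
    (20, "permit", 200, 192),
    (30, "permit", 300, 191),
    (99, "deny", None, None),
]


def ios_regex_to_python(pattern):
    """Translate an IOS AS-path regex to Python: '_' is a boundary that matches the start
    or end of the path, a space, a comma or an AS_SET brace."""
    return pattern.replace("_", r"(?:^|$|[ ,{}])")


def as_path_matches(acl, as_path):
    """True when the AS path (ASNs separated by single spaces) matches the given access-list."""
    return re.search(ios_regex_to_python(AS_PATH_ACLS[acl]), as_path) is not None


def evaluate_ebgp_in(as_path):
    """Walk route-map ebgp-in in sequence order; the first matching entry wins.
    Returns the local-preference the route is accepted with, or None when it is denied."""
    for _seq, action, acl, local_pref in ROUTE_MAP_EBGP_IN:
        if acl is not None and not as_path_matches(acl, as_path):
            continue
        return None if action == "deny" else local_pref
    return None  # a route-map ends with an implicit deny


def show_policy(paths):
    """Map each sample path to its policy result, for inspection at the prompt."""
    return {p: evaluate_ebgp_in(p) for p in paths}


if __name__ == "__main__":
    # Constructed AS paths as they might be received from neighbor 1.1.1.1 (remote-as 65011).
    for path, result in show_policy([
        "65011",                    # directly connected upstream
        "65011 3356",               # two hops
        "65011 3356 15169",         # three hops
        "65011 3356 15169 36040",   # four hops: denied, reached via the default route instead
        "65011 65011 65011 65011",  # the upstream prepending itself also counts as four hops
    ]).items():
        print(f"{path!r:30} -> {'deny' if result is None else 'local-pref ' + str(result)}")
```

Two things the emulation makes visible: ACL 200 also matches a one-AS path (the `_` can sit at the end of the string), so the route-map only behaves as described because sequence 10 is evaluated first; and the regexes count hops, not distinct networks, so a neighbor that prepends its own AS three times is treated like a four-hop path and dropped. Both are worth checking against a real `show ip bgp regexp` on the box before deploying the filter.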

Forklifting

In addition to the routing table limitations, the sheer amount of load that running BGP adds to the CPU in your 6500/7600 series is going to be the last nail in the coffin, and I completely understand and agree. And because I understand many of you that are still on those platforms need an affordable option, I have good news for you. The ASR 9001 has a scaled-down 60 Gbps build that comes in at a rather reasonable price, which should be rather affordable after you factor in trade-in value on your legacy platform. Not only will the ASR 9k completely blow the doors off your 7600 right out of the box, but it should last you a rather long time, as it is scalable to 120 Gbps. As for its routing abilities, it shares the same IOS-XR platform as the larger ASR 9ks, and has plenty of memory to support millions of routes.

The post AS-Path Filtering appeared first on Router Jockey.

by Tony Mattke at October 15, 2014 04:10 PM

Networking Now (Juniper Blog)

Our Biggest Security Threat? It’s Not Who You Think

As a Chief Information Security Officer, I get a lot of questions about the cyber security threats and what worries me most. I field questions about Anonymous, geo-political hackers, cyber-extortionists, malware, and the like.

by Sherry Ryan at October 15, 2014 01:00 PM

Cisco IOS Hints and Tricks

Networking Is Not as Special as We Think It Is

I was listening to the Packet Pushers show #203 – an interesting high-level discussion of policies (if you happen to be interested in those things) – and unavoidably someone had to mention how the networking is all broken because different devices implement the same functionality in different ways and use different CLI/API syntax.

by Ivan Pepelnjak (noreply@blogger.com) at October 15, 2014 08:14 AM

Networking Now (Juniper Blog)

October 2014 Microsoft Patch Tuesday Summary

It’s Microsoft Patch Tuesday! In the October edition there are 8 updates; three are marked "Critical" and five are rated "Important". A total of 24 vulnerabilities were fixed across the 8 bulletins this month. One of the Critical updates, MS14-056, is an all-version Internet Explorer (IE 6 to 11) patch. This single update resolves 14 CVEs (Common Vulnerabilities and Exposures).

by prashantk at October 15, 2014 01:19 AM

October 14, 2014

My Etherealmind

Network Dictionary – Invariant


I use the term "invariant" quite regularly when designing networks. It sounds fancy.

The post Network Dictionary – Invariant appeared first on EtherealMind.

by Greg Ferro at October 14, 2014 07:47 PM

Security to the Core | Arbor Networks Security

MindshaRE: Statically Extracting Malware C2s Using Capstone Engine

It’s been far too long since the last MindshaRE post, so I decided to share a technique I’ve been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration information in a set structure or in the resource section (for a nice set of publicly available decoders check out KevTheHermit’s RATDecoders repository on GitHub). Being able to statically extract this information becomes important in the event that the malware does not run properly in your sandbox, the C2s are down or you don’t have the time / sandbox bandwidth to manually run and extract the information from network indicators.

Intro

To find C2 info, one could always just extract all hostname-/IP-/URI-/URL-like elements via string regex matching, but it’s entirely possible to end up with false positives or, in some cases, multiple hostname and URI combinations and potentially mismatch the information. In addition to that issue, there are known families of malware that will include benign or junk hostnames in their disassembly that may never get referenced, or are only referenced to make false phone-homes. Manually locating references and then disassembling using a disassembler (in my case, Capstone Engine) can help to verify that you have found the correct information and avoid any of the junk inserted to throw your analysis off.

For those not familiar, Capstone Engine is a disassembler written by Nguyen Anh Quynh that was first released in 2013. The engine has seen a significant amount of development in that short amount of time and has a good track record of handling some tricky disassembly. Most importantly, it supports most popular programming languages, including Python – my current programming language of choice. One complaint I have with using an on-the-fly disassembler is the lack of symbols, but that can be gotten around by taking the list of imports and addresses from pefile and then checking any memory references against it. All of the PoCs presented expect an image base of 0x400000, but for any production use the actual image base should be parsed out and replaced.

Example: Backoff PoS Malware

Backoff is a recently discovered PoS malware family. I noticed that many times when the malware was sandboxed it would not communicate with a C2, even though I could see the C2 info in plain text in the binary, and at other times the C2 was simply down.

Backoff C2 Plain-Text

In an attempt to “correctly” locate the C2 information and utilize some Capstone-fu, I crafted a function that first locates hostname- or IP-like strings in the binary, looks for a “mov [register+offset]/<addr> addr” pattern, and then uses capstone to disassemble to obtain the other configuration elements.

Backoff ASM Code to load C2

This ends up being useful, since the argument order is not necessarily the same. This doesn’t work for all versions, but does work for most – I have encountered a number that are using a VisualBasic injector or are using an array structure to store the config, so the code below will not work on those. This can be coupled with another piece of code that searches for version-like strings and then disassembles to find the additional campaign name attached to the binary. The code should check a) that host, port and URI are defined after the loop and b) that the number of mov instructions encountered before the call was 3. The number of movs ends up being important since my code starts with the hostname and the arguments are not always encountered in the same order. If fewer than 3 movs were seen, I jump back the appropriate number of movs via regex search and then walk the disassembly again to see if I encounter the expected configuration data. This will also help find the backup domains and URLs that are embedded in the malware that may not be seen during a sandbox run even if there is successful communication to the C2. The code is quick and dirty and can easily be improved by validating some common instructions seen in between, but is presented as-is for this example:


    from capstone import Cs, CS_ARCH_X86, CS_MODE_32
    from capstone.x86 import X86_OP_IMM

    # code: bytes of the routine that loads the C2; file: the raw PE image as bytes.
    # URI_REGEX, DOMAIN_REGEX, IP_REGEX and get_string() are defined elsewhere in the tool.
    md = Cs(CS_ARCH_X86, CS_MODE_32)
    md.detail = True
    movs = 0
    host = None
    uri = None
    port = None
    for insn in md.disasm(code, 0x1000):
        if insn.mnemonic == 'mov':
            movs += 1
            if insn.operands[1].type == X86_OP_IMM:
                v = insn.operands[1].value.imm
                if v < 65536:
                    # a small immediate is the port
                    port = v
                else:
                    # a large immediate is the VA of a string; rebase to a file offset
                    x = get_string(file, v - 0x400000)
                    if URI_REGEX.match(x): uri = x
                    elif DOMAIN_REGEX.match(x): host = x
                    elif IP_REGEX.match(x): host = x
        elif insn.mnemonic == 'call':
            break
        if movs == 3:
            break

Example: Alina PoS Malware

Alina is a PoS malware family that has been around for a while. Similar to Backoff, I noticed that many of the sandbox runs did not successfully communicate with the C2 even when the configuration was viewable.

Alina C2 Strings

I used a similar process to what I did with Backoff: first locate potential C2 candidates, then search for XREFs and disassemble with Capstone. Many times the C2 is pushed onto the stack, followed by instructions setting local variables and then a subroutine call. Prior to the push of the C2 and the URI, there is another push that represents the length of the string and can also be used to validate the sequence. Once again, this is a great place to utilize Capstone to make sure that anything that is extracted matches up with what is desired.

Alina ASM to load C2

This sequence of pushes and calls always seems to be preceded by a call to InitializeCriticalSection, so I first look for that, using a dict built from loading the binary into pefile to get at the import table. The order in which the hostname and the URI occur in the binary can be flip-flopped, so I allow for that. I do make sure that the next push after the strlen is a string. The code can be extended further to validate that the strlen matches the string I extract from the binary, but this is just a PoC :)

    from capstone import Cs, CS_ARCH_X86, CS_MODE_32

    # CODE: bytes starting at the candidate InitializeCriticalSection call (VA push_len_addr);
    # impts: {import thunk address: name} built with pefile; s: the candidate hostname bytes;
    # file, get_string() and URI_REGEX are as in the Backoff example.
    md = Cs(CS_ARCH_X86, CS_MODE_32)
    md.detail = True
    instr_cnt = 0
    strlen = None
    str_instr = None
    hostname = None
    uri = None
    for i in md.disasm(CODE, push_len_addr):
        if instr_cnt == 0:
            # check for InitializeCriticalSection
            if i.mnemonic == 'call' and \
              impts.get(i.operands[0].mem.disp, '') == 'InitializeCriticalSection':
                print("On the right track...")
            else:
                break
        elif i.mnemonic == 'push' and i.operands[0].imm < 0x100:
            # a small immediate pushed first is the string length
            strlen = i.operands[0].imm
            str_instr = instr_cnt + 1
            print("Found the strlen push", i.mnemonic, i.op_str)
        elif strlen and str_instr == instr_cnt and i.mnemonic == 'push':
            # the push immediately after the length is the string pointer
            addr = i.operands[0].imm
            if addr == 0x400000 + file.find(s):
                print('found hostname push')
                hostname = get_string(file, addr - 0x400000)
                print(hostname)
            else:
                uri = get_string(file, addr - 0x400000)
                if URI_REGEX.match(uri): print(uri)
        instr_cnt += 1
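The two walks above (Backoff: count movs and classify their immediates; Alina: a length push followed by a string-pointer push) are shown here end to end as an added example. This is not the post’s code: so that it runs without Capstone installed, `disasm_min` is a hypothetical decoder for just the encodings these walks need (mov r32, imm32; push imm8/imm32; call rel32) standing in for `md.disasm`, and it runs over a constructed byte image with a constructed hostname, URI and set of classifier regexes. The image base is the post’s assumed 0x400000. It also performs the strlen-versus-string check the Alina section describes as a possible extension.

```python
import re
import struct

# Image base assumed to be 0x400000 as in the post's PoCs; a real tool reads it from the PE header.
IMAGE_BASE = 0x400000

# Constructed classifiers standing in for the post's URI_REGEX / DOMAIN_REGEX / IP_REGEX.
URI_REGEX = re.compile(r"^/[\w./?=&-]*$")
DOMAIN_REGEX = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
IP_REGEX = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# opcode -> (mnemonic, immediate format, length) for the single-byte-opcode forms the walks need
SIMPLE_OPS = {0x68: ("push", "<I", 5), 0x6A: ("push", "<B", 2), 0xE8: ("call", "<i", 5)}
SIMPLE_OPS.update({op: ("mov", "<I", 5) for op in range(0xB8, 0xC0)})  # mov r32, imm32


def get_string(image, offset):
    """NUL-terminated ASCII string at a file offset (the role of the post's get_string)."""
    end = image.find(b"\x00", offset)
    return image[offset:end if end != -1 else len(image)].decode("ascii", "replace")


def disasm_min(code, va):
    """Hypothetical stand-in for Capstone: yields (va, mnemonic, immediate) for the encodings
    in SIMPLE_OPS and ('unk', None) for any other byte. Not a general x86 decoder."""
    i = 0
    while i < len(code):
        mnem, fmt, size = SIMPLE_OPS.get(code[i], ("unk", None, 1))
        if fmt is None or i + size > len(code):
            yield va + i, "unk", None
            i += 1
            continue
        imm = struct.unpack_from(fmt, code, i + 1)[0]
        if mnem == "call":                       # rel32 is relative to the next instruction
            imm = va + i + size + imm
        yield va + i, mnem, imm
        i += size


def string_at_va(image, imm, base=IMAGE_BASE):
    """The string an immediate points at, or '' when it is not a VA inside the image."""
    return get_string(image, imm - base) if base <= imm < base + len(image) else ""


def backoff_walk(image, code, code_va, base=IMAGE_BASE):
    """Backoff-style: three movs carrying host/port/URI in any order, ended by the call."""
    cfg, movs = {"host": None, "port": None, "uri": None}, 0
    for _, mnem, imm in disasm_min(code, code_va):
        if mnem == "mov":
            movs += 1
            if imm < 65536:
                cfg["port"] = imm                    # small immediate: the port
            else:
                s = string_at_va(image, imm, base)   # large immediate: a string VA
                if URI_REGEX.match(s):
                    cfg["uri"] = s
                elif DOMAIN_REGEX.match(s) or IP_REGEX.match(s):
                    cfg["host"] = s
        elif mnem == "call":
            break
        if movs == 3:
            break
    return cfg


def alina_walk(image, code, code_va, base=IMAGE_BASE):
    """Alina-style: 'push <len>; push <string VA>' pairs, kept only when the pushed length
    equals the string's real length (the validation the post describes as an extension)."""
    found, pending_len = [], None
    for _, mnem, imm in disasm_min(code, code_va):
        if mnem == "push" and imm < 0x100:
            pending_len = imm
            continue
        if mnem == "push" and pending_len is not None:
            s = string_at_va(image, imm, base)
            if s and len(s) == pending_len:
                found.append(s)
        pending_len = None
    return found


def build_sample_image(base=IMAGE_BASE):
    """Constructed stand-in for a PE image: code at file offset 0x100, strings at 0x200."""
    host, uri = b"c2.example.invalid", b"/gateway.php"
    host_off, uri_off = 0x200, 0x200 + len(host) + 1
    image = bytearray(0x300)
    image[host_off:host_off + len(host)] = host
    image[uri_off:uri_off + len(uri)] = uri
    code = (b"\xB8" + struct.pack("<I", base + host_off)    # mov eax, <host>
            + b"\xB9" + struct.pack("<I", 8080)             # mov ecx, 8080
            + b"\xBA" + struct.pack("<I", base + uri_off)   # mov edx, <uri>
            + b"\xE8" + struct.pack("<i", 0x40)             # call <connect routine>
            + b"\x6A" + bytes([len(host)])                  # push <strlen host>
            + b"\x68" + struct.pack("<I", base + host_off)  # push <host>
            + b"\x6A" + bytes([len(uri)])                   # push <strlen uri>
            + b"\x68" + struct.pack("<I", base + uri_off)   # push <uri>
            + b"\xE8" + struct.pack("<i", 0x20))            # call <init routine>
    image[0x100:0x100 + len(code)] = code
    return bytes(image), 0x100, len(code)


def demo():
    """Run both walks over the constructed image; returns (backoff config, alina strings)."""
    image, code_off, code_len = build_sample_image()
    code, va = image[code_off:code_off + code_len], IMAGE_BASE + code_off
    return backoff_walk(image, code, va), alina_walk(image, code, va)
```

Calling `demo()` returns the host, port and URI recovered by the Backoff walk and the two length-validated strings recovered by the Alina walk. Against a real sample, `disasm_min` is swapped for `md.disasm` and the image base is read from the PE optional header via pefile; `string_at_va` then refuses any immediate that does not fall inside the image, which is what keeps a wrong base from turning `v - 0x400000` into a negative offset that silently slices from the end of the file.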

Example: DirtJumper Drive

My last example is more complex. Drive stores its most interesting strings in an encrypted format and does not decrypt all of them in the same function (for more information see my previous blog post here), instead scattering the calls throughout the binary. In this example, I use the encrypted install name – it always starts with the same characters – to help locate the decryption function. The decryption function is the one called right after the call that XREFs the encrypted install name.

Drive Install Name XRef

With the address of the decryption function known, I use the “k=” string used in the phone-home to help locate the network communication function. This function is where the C2 information is first decrypted, and the C2 and the URI are the first two things decrypted in it. The code can then be walked further down to locate the C2 port, but that code is not shown here.

Drive C2 decryption

Here’s the first piece of code used to locate the decryption function:


        import struct
        from capstone import Cs, CS_ARCH_X86, CS_MODE_32
        from capstone.x86 import X86_OP_IMM, X86_OP_REG, X86_REG_EAX

        # file: the raw PE image as bytes; s: the encrypted install name bytes located in it;
        # config: dict collecting results; get_string() and decrypt_drive() are defined elsewhere.
        # look for "mov eax, <VA of s>" (B8 imm32); fall back to "mov edx, <VA of s>" (BA imm32)
        mov_addr = b'\xb8' + struct.pack("<I", 0x400000 + file.find(s))
        instr_addr = 0x400000 + file.find(mov_addr)
        if instr_addr <= 0x400000:
            mov_addr = b'\xba' + struct.pack("<I", 0x400000 + file.find(s))
            instr_addr = 0x400000 + file.find(mov_addr)

        # looks for PUSH EBP; MOV EBP, ESP
        func_start = file[:instr_addr - 0x400000].rfind(b'\x55\x8b\xec')
        code = file[func_start:func_start + 0x200]
        md = Cs(CS_ARCH_X86, CS_MODE_32)
        md.detail = True
        decrypt_func_next = False
        calls = 0
        for i in md.disasm(code, func_start + 0x400000):
            # looking for mov eax, <addr> where <addr> lies inside the image
            if i.mnemonic == 'mov' and len(i.operands) == 2 \
              and i.operands[0].type == X86_OP_REG and i.operands[0].reg == X86_REG_EAX \
              and i.operands[1].type == X86_OP_IMM and i.operands[1].imm >= 0x400000 \
              and i.operands[1].imm <= 0x500000:
                d = decrypt_drive(get_string(file, i.operands[1].imm - 0x400000))
                # validate that this is indeed the install name
                if d.endswith('.exe'):
                    config['install_name'] = d
                    decrypt_func_next = True
            # check for the next call after the install name call
            elif decrypt_func_next and 'install_name' in config \
              and i.mnemonic == 'call' and calls == 1:
                config['decrypt_func'] = i.operands[0].imm
                break
            elif 'install_name' in config and i.mnemonic == 'call':
                calls += 1

Now that the decryption function has been located, the C2 information itself can be located.


        import struct
        from capstone import Cs, CS_ARCH_X86, CS_MODE_32
        from capstone.x86 import X86_OP_IMM, X86_OP_REG, X86_REG_EDX

        # find the "mov edx, <VA of 'k='>" instruction in the phone-home function
        mov_inst = b'\xba' + struct.pack("<I", 0x400000 + file.find(b'k='))
        mov_k_addr = 0x400000 + file.find(mov_inst)
        # look for PUSH EBP; MOV EBP, ESP
        func_start = file[:mov_k_addr - 0x400000].rfind(b'\x55\x8b\xec')
        code = file[func_start:func_start + 0x200]
        md = Cs(CS_ARCH_X86, CS_MODE_32)
        md.detail = True
        calls = 0
        d = None
        for i in md.disasm(code, func_start + 0x400000):
            # look for mov edx, <addr>
            if i.mnemonic == 'mov' and len(i.operands) == 2 \
              and i.operands[0].type == X86_OP_REG and i.operands[0].reg == X86_REG_EDX \
              and i.operands[1].type == X86_OP_IMM and i.operands[1].imm >= 0x400000 \
              and i.operands[1].imm <= 0x500000:
                d = get_string(file, i.operands[1].imm - 0x400000)
            # if call decrypt_func, then decrypt(d)
            elif i.mnemonic == 'call' and i.operands[0].imm == config['decrypt_func'] and d:
                # first call is the c2 host/ip
                if calls == 0:
                    config['host'] = decrypt_drive(d)
                    d = None
                    calls += 1
                # 2nd call is the URI
                elif calls == 1:
                    config['uri'] = decrypt_drive(d)
                    d = None
                    break

Future Work

Capstone is a useful tool to have in your toolbox and hopefully the PoC code presented in this post will aid others in the future. For my own future work, I plan to tighten up the code presented and work on getting code for other interesting malware families into something that will be suitable to push out for public release.

by Jason Jones at October 14, 2014 03:48 PM

October 13, 2014

The Networking Nerd

The Great Tech Reaving

It seems as though the entire tech world is splitting up.  HP announced they are splitting the Personal Systems Group into HP, Inc and the rest of the Enterprise group in HP Enterprise.  Symantec is forming Veritas into a separate company as it focuses on security and leaves the backup and storage pieces to the new group.  IBM completed the sale of their x86 server business to Lenovo.  There are calls for EMC and Cisco to split as well.  It’s like the entire tech world is breaking up right before the prom.

Acquisition Fever

The Great Tech Reaving is a logical conclusion to the acquisition rush that has been going on throughout the industry for the past few years.  Companies have been amassing smaller companies like trading cards.  Some of the acquisitions have been strategic.  Buying a company that focuses on a line of work similar to the one you are working on makes a lot of sense.  For instance, EMC buying XtremIO to help bolster flash storage.

Other acquisitions look a bit strange.  Cisco buying Flip Video.  Yahoo buying Tumblr. There’s always talk around these left field mergers.  Is the CEO looking for synergy? Is there a hidden play that we’re unaware of? Sometimes that kind of thinking pays off.  Other times you end up with Zimbra.  More often than not, the company ends up writing down the assets of the acquired company and taking very little from the purchase.  Maybe not as big as the Autonomy write down, but even getting rid of Flip can make waves.

It makes a person wonder what the point of an acquisition is if it’s just going to wind up being an accounting charge later.  Is it a tax shelter?  A way to use up outstanding cash?  Maybe even a way to buy a particularly good developer and fold them into your organization to keep them out of a competitor’s hands?  The reasons are myriad but it appears that the fever is dying down.  And that might end up hurting innovation in the long term.

This Is Not An Exit Strategy

Think about the startup out there making a hot new technology.  They had their heart set on getting bought by a bigger company in the market.  Now, they just watched that company split off half of their business into a new company.  Cash is hard to find for a new acquisition.  Now the startup has to find a different way to monetize things.  Should we redouble our efforts to market the product? Get new investors? Go public?

I’ve said before that pinning your hopes on getting purchased isn’t the best way to run a business.  It’s like betting all your hopes on getting the winning numbers in the lottery.  It might happen, but the odds are against it.  Perhaps the end result of a market full of split companies will be a reevaluation of the idea of an exit strategy.  Rather than building a business for the sole purpose of being bought, entrepreneurs will start building businesses to make products and sell them.  It’s a radical idea, but not so radical as to be unbelievable.  Just ask Hewlett and Packard.  Or Jobs and Wozniak. Or anyone else that had a business plan instead of an exit strategy.


Tom’s Take

Companies can be too big.  IBM has sold off most of what made it IBM.  Symantec and HP are in the process.  The next domino to fall will be EMC.  Then Cisco.  After that, the landscape will look much different.  But in a good way.  It’s like a stock split.  The same amount of knowledge is out there.  It’s just held differently.  That’s good for the industry because it forces the status quo to change.  New alliances, new partnerships, and new synergies can be found by upsetting the apple cart now and then.


by networkingnerd at October 13, 2014 07:39 PM

Router Jockey

Network Design — Keeping it simple

Since the dawn of time people have skirted best practice and banged together networks, putting the proverbial square peg in the esoteric round hole. For example, new vendor XYZ’s solution has brought in new requirements for deployment. While it may seem easier to throw together a new firewall, a switch, and maybe some additional routes, and of course Tom‘s favorite… NAT — but where does it stop!? As you continue to pile layer upon layer into your uninspired network design you will soon realize that your “beautiful network” has become the ugly duckling that you need help fixing.

That leads me to my first point. Complex systems are expensive, not only in CAPEX, but in OPEX. When you design and build a network, you have to ensure that you are not building something that no one else has dreamed up, or else your problems will also be unique. And without the additional money to hire top tier engineers, you could be short staffed, or worse yet, facing the problem on your own. The more complex your network becomes, the more likely it is to fail. As I’m often quoted as saying, “The complexity required for robustness often goes against robustness…”, and those systems are often replaced.

As you build upon your complex design, your entire network, once agile, becomes rigid and unable to adapt to changes. While you have to learn to understand that no single design can last forever, the simpler designs tend to be more flexible and adaptable to your ever changing needs. You have to remember that your network is not just there to serve the end users, or systems. Your network is in the middle of everything your company does and has to be able to mold itself to fit the business’s ecosystem.

Design flexibility starts with simplicity, but also requires adding complexity when it comes to redundancy. Without redundancy, upgrades and maintenance impact core services, and those impacts could force bad policy into place, making it impossible for you to do your maintenance. I’ve worked on far too many enterprise networks that suffer from a lack of maintenance windows, which only ends up making the problems worse.

Last, but certainly not least, I want to talk about testing. One of the biggest things I learned at my last job is that no matter how meticulously you designed your system, no matter how much redundancy you think you have, all of that has to be tested on a regular basis. Changes happen, and it always seems that no matter how much documentation you have, something is going to be left out. The only thing that is going to find these problems is real life, end to end testing… LDAP connections for your VPN, DNS issues, vendor configuration issues, everything that is critical for your business to function needs to be well documented and tested.

The post Network Design — Keeping it simple appeared first on Router Jockey.

by Tony Mattke at October 13, 2014 06:24 PM

My Etherealmind

If Cisco Could Be Split Up, What Could Go ?


Following the breakups of IBM and HP as they divest their low profit divisions, and with EMC under some pressure to disband the Federation, the same question is often raised about Cisco: what could go?

The post If Cisco Could Be Split Up, What Could Go ? appeared first on EtherealMind.

by Greg Ferro at October 13, 2014 05:57 PM

Networking Now (Juniper Blog)

Cloud Burst... How Jennifer Lawrence Changed My Day

The moment personal photos of Jennifer Lawrence, Kim Kardashian and other celebrities were leaked from iCloud it became global breaking news and suddenly everyone had questions and opinions about cloud security.

by Bask at October 13, 2014 01:00 PM

Recap of VMworld 2014 USA - Juniper Style

This was the first year that I got to attend VMworld as a member of the Juniper family (this was my fourth VMworld). It was a great experience: we had our first lab in the Hands-on Lab, which I personally think was a success, and of course we had a booth. We received a lot of compliments on the documentation for the lab and how it explained all the facets of the product. I had people fighting (well, not literally) for the long sleeve shirts that we distributed to everyone who took the lab.


It gave us a lot of visibility into our virtual security solutions and how they play in your VMware environment. The great thing, the fun isn't over…

1) VMware will make the labs available online in approximately 2 - 3 weeks so you can take them from the comfort of whatever you find comfortable, whenever you want to take it. The link is http://labs.hol.vmware.com . In the meantime, if you are interested in reading the lab that I wrote, it is available in PDF format and html format.

2) We will be at VMworld 2014 Europe in Barcelona. Sadly we won't have shirts but the lab will be there and I promise to give you a hug if you take the lab. Hugs are better anyway.

The lab hours this year are:

Monday / October 13 : 8:00 - 18:00
Tuesday / October 14 : 10:30 - 18:30
Wednesday / October 15 : 10:30 - 18:00
Thursday / October 16 : 8:00 - 16:00

I look forward to seeing you there!

#JuniperLab
#PewPew

by banksek at October 13, 2014 08:02 AM

Cisco IOS Hints and Tricks

Packet Reordering and Service Providers

My “Was it bufferbloat?” blog post generated an unexpected amount of responses, most of them focusing on a side note saying “it looks like there really are service providers out there that are clueless enough to reorder packets within a TCP session”. Let’s walk through them.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at October 13, 2014 08:59 AM

Packet Pushers Blog/Podcast

Thinking Through Title II Regulation

Over at CircleID, Geoff Huston has a long’ish article on Title II regulation of the Internet, and the ideals of “net neutrality.” The reasoning is tight and strong — his conclusion a simple one: At its heart, the Internet access business really is a common carrier business. So my advice to the FCC is to […]

Author information

Russ White
Principal Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about, or don't really care about. You want numbers and letters? Okay: CCIE 2635, CCDE 2007:001, CCAr, BSIT, MSIT (Network Design & Architecture, Capella University), MACM (Biblical Literature, Shepherds Theological Seminary). Russ is a Principal Engineer in the IPOS Team at Ericsson, where he works on lots of different stuff, serves on the Routing Area Directorate at the IETF, and is a cochair of the Internet Society Advisory Council. Russ will be speaking in November at the Ericsson Technology Day. He recently published The Art of Network Architecture, is currently working on a new book in the area of network complexity with Addison Wesley, a book on innovation from within a Christian worldview, and he blogs at ntwrk.guru on network engineering.

The post Thinking Through Title II Regulation appeared first on Packet Pushers Podcast and was written by Russ White.

by Russ White at October 13, 2014 07:00 AM

October 12, 2014

My Etherealmind

Last Chance at Chassis Switch Saloon


In recent network designs, the big, hot and heavy chassis switch has become the last option for a number of reasons. Switch Performance and Capacity. Port Density In the past, the most common decision for buying a chassis has been port density. A chassis backplane provides a high speed connection for the line cards to […]

The post Last Chance at Chassis Switch Saloon appeared first on EtherealMind.

by Greg Ferro at October 12, 2014 10:54 PM

Cisco IOS Hints and Tricks

How to Get into the Top N%

Michael Church wrote an interesting answer on Quora, describing a logarithmic scale of programming skills and (even more importantly) hints to follow to get from n00b into the top N% (for some small value of N):

  • Budget 7–14 years;
  • Study voraciously;
  • Build things when you don’t know that you’ll succeed;
  • Network to get new ideas;
  • Job hop when you stop learning.

Replace “programmer” with “networking engineer” and read the whole answer ;)

by Ivan Pepelnjak (noreply@blogger.com) at October 12, 2014 06:57 PM

October 11, 2014

My Etherealmind

Big Problems Often Require Big Solutions


You can ignore big problems but they need big solutions to remove them from the agenda.

The post Big Problems Often Require Big Solutions appeared first on EtherealMind.

by Greg Ferro at October 11, 2014 07:34 PM

Packet Pushers Blog/Podcast

PQ Show 34 – Cloudflare Keyless SSL

A couple of weeks ago, Cloudflare announced a new solution that allows DDoS protection, caching and application firewalling of SSL-encrypted traffic without handing over the private key. This is a significant breakthrough for companies. Many companies have strong controls over private keys that prevent external sharing. More often, the simple cost of key ceremonies is punitive to the business.

by Packet Pushers Podcast at October 11, 2014 05:00 PM