October 24, 2014

My Etherealmind

Response: Cisco Announces Membership of Open Compute Project


A blog post on Cisco’s website announces that Cisco has joined the Open Compute Project as a Gold member: To that list, I am pleased to announce that we recently joined the Open Compute Project as a Gold member. The motivation behind our membership is similar to our involvement in the aforementioned open networking projects: we see […]

The post Response: Cisco Announces Membership of Open Compute Project appeared first on EtherealMind.

by Greg Ferro at October 24, 2014 05:37 PM

Cisco IOS Hints and Tricks

Tech Talks: Introduction to Label Distribution Protocol (LDP)

In the third part of MPLS Tech Talks we focused on the role of label distribution protocol (LDP) and its operation in frame-mode MPLS. You can watch the video on the ipSpace.net Tech Talks web page.

by Ivan Pepelnjak (noreply@blogger.com) at October 24, 2014 08:40 AM

XKCD Comics

October 23, 2014

My Etherealmind

Tech Notes: Ping Sweep an IP Subnet


This is my current goto code snippet for using the BASH command line to perform a ping sweep through an IPv4 subnet.

for i in `seq 1 255`; do ping -c 1 192.168.1.$i | tr \\n ' ' | awk '/1 received/ {print $2}'; done

This script is deliberately simple, only works for /24 subnets but […]
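A Python version of the same sweep, added here as an example (it is not part of the original post): it generalises to any prefix length through the ipaddress module, probes hosts in parallel, and parses the ping summary line instead of flattening the output with tr and awk. The real probe assumes Linux iputils ping flags (-c 1 -W 1); SAMPLE_UP, SAMPLE_DOWN and fake_probe are constructed stand-ins so the sweep can be exercised offline.

```python
import ipaddress
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Summary line is "1 received" (Linux iputils) or "1 packets received" (BSD/macOS).
RECEIVED_RE = re.compile(r"\b(\d+)\s+(?:packets\s+)?received\b")

def parse_ping(output):
    """True if the ping summary reports at least one echo reply."""
    m = RECEIVED_RE.search(output)
    return bool(m) and int(m.group(1)) > 0

def ping_once(ip):
    """Real probe: one echo request with a 1 s wait (iputils flags assumed)."""
    try:
        proc = subprocess.run(["ping", "-c", "1", "-W", "1", str(ip)],
                              capture_output=True, text=True, timeout=5)
        return proc.stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

def sweep(cidr, probe=ping_once, workers=32):
    """Ping every host address in cidr (any prefix length, not just /24) in
    parallel and return the responders in address order."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())          # excludes network and broadcast addresses
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = list(pool.map(lambda ip: parse_ping(probe(ip)), hosts))
    return [str(ip) for ip, up in zip(hosts, alive) if up]

# Constructed iputils-style output (not captured from a real host) for offline use.
SAMPLE_UP = ("PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.\n"
             "64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.412 ms\n\n"
             "--- 10.0.0.1 ping statistics ---\n"
             "1 packets transmitted, 1 received, 0% packet loss, time 0ms\n")
SAMPLE_DOWN = ("--- 10.0.0.2 ping statistics ---\n"
               "1 packets transmitted, 0 received, 100% packet loss, time 0ms\n")

def fake_probe(ip):
    """Offline stand-in for ping_once: only the .1 and .6 hosts answer."""
    return SAMPLE_UP if str(ip).endswith((".1", ".6")) else SAMPLE_DOWN

if __name__ == "__main__":
    print(sweep("10.0.0.0/29", probe=fake_probe))   # ['10.0.0.1', '10.0.0.6']
```

Pass probe=ping_once (the default) to run it for real; the parser only trusts the summary line, so a host whose reply is garbled or delayed past the wait is reported down rather than producing an awk field from the wrong line.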

The post Tech Notes: Ping Sweep an IP Subnet appeared first on EtherealMind.

by Greg Ferro at October 23, 2014 05:30 PM

Peter's CCIE Musings and Rants
My Etherealmind

Thoughts of My Day: VCE Always Was An EMC Property


EMC announced during its quarterly results that it was taking a larger position in VCE. VCE was always an EMC asset; co-operation with partners Cisco, Intel and VMware has never been strong and this simply closes out the current chapter. The end result positions EMC to also be an “IBM style” company with a full […]

The post Thoughts of My Day: VCE Always Was An EMC Property appeared first on EtherealMind.

by Greg Ferro at October 23, 2014 08:36 AM

Cisco IOS Hints and Tricks

IPv6 in a Global Company – a Real-World Example

More than a year ago I wrote a response to a comment Pascal wrote on my Predicting the IPv6 BGP table size blog post. I recently rediscovered it and figured out that it’s (unfortunately) as relevant as it was almost 18 months ago.

Other people have realized we have this problem in the meantime, and are still being told to stop yammering because the problem is not real. Let’s see what happens in a few years.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at October 23, 2014 08:34 AM

All You Need Are Two Top-of-Rack Switches

Every time I’m running a classroom version of my Designing the Cloud Infrastructure workshop, I start with a simple question: “Who has more than 2000 VMs or bare-metal servers in the data center?”

I might see three hands on a good day; 90-95% of the audience have smaller data centers… and some of them get disappointed when I tell them they don’t need more than two ToR switches in their data center.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at October 23, 2014 06:44 AM

October 22, 2014

Internetwork Expert Blog

New CCIE RSv5 Troubleshooting/Full Scale Rack Rentals & Labs

Rack Rentals for INE’s CCIE RSv5 Workbook’s Troubleshooting Labs and Full Scale Labs are now available via the Members Site. To access them, log in to http://members.ine.com, click “Rack Rentals” on the dashboard on the left, and then click “Schedule” under “CCIE Routing & Switching v5 Full Scale.”

This topology uses 20 routers and 4 switches and is for both Troubleshooting and Full Scale Labs. The topology above it, “CCIE Routing & Switching v5”, uses 10 routers and 4 switches, and supports all the Advanced Technology Labs and Foundation Labs.

The loading and saving of initial configs is supported through the Rack Control Panel, which can greatly save you time in your studies, especially with very large topologies such as those used in the Troubleshooting and Full Scale Labs.

Additionally, Full Scale Lab 2 and Troubleshooting Lab 2 have been posted to the CCIE RSv5 Workbook. More Foundation, Troubleshooting, and Full Scale Labs are currently in development and will be posted soon. For discussion on these new labs please visit the CCIE RSv5 Workbook section of IEOC, our online community.

by Brian McGahan, CCIE #8593, CCDE #2013::13 at October 22, 2014 04:13 PM

Packet Pushers Blog/Podcast

Show 209 – HP Networks and Network Management – Sponsored

Talking about Network Management gets mixed reactions in the network industry, with a rich history of products that didn't match our expectations or needs. In today's sponsored podcast, HP Networking continues its mission to change the way network engineers feel about their NMSs through the HP Intelligent Management Center.

by Packet Pushers Podcast at October 22, 2014 04:04 PM

XKCD Comics

October 21, 2014

My Etherealmind

Response: HowTo Configure IP Multicast PIM on ECMP| Mellanox Interconnect Community


Today I spent several hours reading up on PIM Bidirectional for a customer implementation on an ECMP network. I realise that somewhere inside my head there is a lot of IP Multicast knowledge that hasn’t been lost but it is definitely hiding. I had to re-learn a number of concepts before I started to feel confident. […]

The post Response: HowTo Configure IP Multicast PIM on ECMP| Mellanox Interconnect Community appeared first on EtherealMind.

by Greg Ferro at October 21, 2014 09:01 PM

The Networking Nerd

Twitter, Please Stop Giving Me Things I Don’t Want


Last week, Twitter confirmed that they will start injecting tweets from users you don’t follow into your timeline.  The collective cry from their user base ranged from outrage to a solid “meh”.  It seems that Twitter has stumbled onto the magic formula that Facebook has perfected: create a feature the users don’t care about and force it onto them.  Why?

Twitter Doesn’t Care About Power Users

Twitter has an interesting mix of users.  They reported earlier this year that 44% of their user base has never tweeted.  That’s a lot of accounts that were created for the purpose of reserving a name or following people in read-only mode.  That must concern Twitter.  Because people that don’t tweet can’t be measured for things like advertising.  They won’t push the message of a sponsored tweet.  They won’t add their voice to the din.  But what about those users that tweet regularly?

Power users are those that tweet frequently without a large follower base.  Essentially, everyone that isn’t a celebrity with a million followers or a non-tweeting account.  You know, the real users on Twitter.  The people that make typos in their tweets and actually check to see who follows them.  The ones that don’t have a “social media team” tweeting for them.  Nothing wrong with a team tweeting for a brand, but when they’re tweeting for a person it’s a little disconcerting.

Power users keep getting screwed by Twitter.  The API changes really hurt those that use clients other than the official ones.  Given that Twitter has killed most of its “official” clients in favor of pushing people to use the web, it makes you wonder what their strategy might be.  They are entirely beholden to their investors right now.  That means user signups and ad revenue.  And it means focusing on making the message widespread.  Why worry about placating the relatively small user base that uses your product when you can create a method for reaching millions with a unicast sponsored hashtag? Or by injecting tweets from people you don’t follow into your timeline?

The tweet injection thing is like a popup ad.  It serves the purpose of Twitter deciding to show you some tweets from other “users”.  Anyone want to bet those users will quickly start becoming corporate accounts? Perhaps they pay Twitter to ensure their tweets show up in the timelines of a specific demographic.  It makes total sense when your users are nothing but a stream of revenue.

Making Twitter Usable Again

I mentioned some things the other day that I think Twitter needs to do to make their service usable for power users again.  I wanted to expand on them a bit here:

The Unfollow Bug – Twitter has a problem with keeping followers.  For some reason, your account will randomly unfollow a user with no notification.  You usually don’t figure it out until you want to send them a DM or notice that they’ve unfollowed you and mention it.  It’s an irritating bug that’s been going on for years with no hope of resolution.  Twitter needs to sort this one out quickly.  As a side note, if you run a service that monitors people that have unfollowed you, consider adding a digest of users that I have unfollowed this week.  If the list doesn’t match those that I purposely unfollow, at least you know when you’ve been hit by this bug.

Links in Direct Messages – Twitter disabled the ability to send a link in a direct message a few months ago.  Their argument was that it cut down on spam.  The real reason was Twitter’s attempt to turn DMs into an instant message platform.  Twitter experimented with a setting that enabled DMs from users you don’t follow.  They pulled it before it went live due to user feedback.  One of the arguments was that spam accounts could bombard you with URLs that led to phishing attacks and other unsavory things.  Twitter responded by disabling links in DMs even though they removed the feature it was intended to protect.  It’s time for Twitter to give us this feature back.

Token Limits – This “feature” has to go.  Restricting 3rd party clients because they exist destroys the capabilities of your power users. I use a client because it gives me easy access to features I use all the time, like conversation views and muting.  I also don’t like sitting on the garish Twitter website and constantly refreshing to see new tweets.  I’d rather use some other client. Twitter has a love/hate relationship with non-official clients.  Mostly because those clients strip out ads and sponsored tweets.  They don’t let Twitter earn money from them.  Which is why Twitter is stamping them out for “replicating official client features” left and right.  Curiously enough, I’ve never heard about HootSuite being hit with user token limits.  But considering that a lot of Twitter’s favorite celebrities use it (or at least their social media teams do), I’m not shocked they’re on the exempt list.


Tom’s Take

I still find Twitter a very useful tool.  It’s not something that can just be set into automatic and left alone.  It takes curation and attention to make it work for you.  But it also needs help from Twitter’s side.  Instead of focusing on ways to make me see things I don’t care about from people I don’t want to follow, how about making your service work the way I want it to work.  I’m more likely to use (and suggest) a service that works.  I barely check Facebook anymore because I’m constantly “fixing” their Top Posts algorithm.  Don’t turn your service into something I spend most of my time fixing.


by networkingnerd at October 21, 2014 04:26 PM

Cisco IOS Hints and Tricks

Network Programmability Phase 1: the Configured Network

During his Network Programmability 101 webinar Matt Oswalt described three phases of network programmability. The first level in the pyramid of programmable awesomeness (his words, not mine) is described in today’s video.

by Ivan Pepelnjak (noreply@blogger.com) at October 21, 2014 12:20 PM

October 20, 2014

My Etherealmind

Confusing Times in Networking and Cognition Jumps


I’ve been researching four different and distinct types of networking in the last few weeks. I’m finding that the cognition required to jump between technologies is making my head hurt. Here is a summary of four technology areas that interest me this week. Optical Networking As part of a research project I have been getting deep […]

The post Confusing Times in Networking and Cognition Jumps appeared first on EtherealMind.

by Greg Ferro at October 20, 2014 05:49 PM

Cisco IOS Hints and Tricks

Micro-BFD: BFD over LAG (Port Channel)

The discussion in the comments to my LAG versus ECMP post took a totally unexpected turn when someone mentioned BFD failure detection over port channels (link aggregation groups – LAGs).

What’s the big deal?

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at October 20, 2014 08:15 AM

XKCD Comics

October 19, 2014

Cisco IOS Hints and Tricks

Just Published: Juniper Data Center Switches

Want to know what the difference between Virtual Chassis and Virtual Chassis Fabric is? How Local Link Bias works? How ISSU on QFX 5100 works even though the box doesn’t have two supervisor boards? You’ll find answers to all these questions in new videos describing Juniper data center switches.

by Ivan Pepelnjak (noreply@blogger.com) at October 19, 2014 07:01 PM

Honest Networker

October 18, 2014

My Etherealmind

Response: http2 explained


Been researching the HTTP2 protocol on the basis that it will, more or less, be the dominant protocol on the Internet and everywhere else. Aside from the sense of excitement I get from looking at solving old problems, HTTP2 is a huge change for networking and this site has the best explanation I’ve found so far. Check […]

The post Response: http2 explained appeared first on EtherealMind.

by Greg Ferro at October 18, 2014 06:34 PM

Honest Networker
Cisco IOS Hints and Tricks

Workload Mobility and Reality: Bandwidth Constraints

People talking about long-distance workload mobility and cloudbursting often forget the physical reality documented in the fallacies of distributed computing. Today we’ll focus on bandwidth, in a follow-up blog post we’ll deal with its ugly cousin latency.

TL&DR summary: If you plan to spread application components across the network without understanding their network requirements, you’ll get the results you deserve.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at October 18, 2014 01:47 PM

October 17, 2014

PACKETattack

Announcement: The Hot Aisle Newsletter

I’ve launched a newsletter called The Hot Aisle. Why might you care? The Hot Aisle is a personal look at my real life IT engineering projects, thoughts about the networking industry I won’t publish anywhere else, my growingly contrarian views on social media, good stuff I’ve read, and comments from fellow Hot Aisle readers. The content is […]

by Ethan Banks at October 17, 2014 06:07 PM

My Etherealmind

Monospaced Fonts and Command Line


Recently I've been on a search for a 'better' font to use in terminals. In an unrelated coincidence, I learned about anti-aliasing, I still don't understand it but it makes a difference.

The post Monospaced Fonts and Command Line appeared first on EtherealMind.

by Greg Ferro at October 17, 2014 05:57 PM

XKCD Comics

October 16, 2014

Packet Pushers Blog/Podcast

Automating the Cabbage Patch Network Today (2014)

“Sometimes my head is a bit of an idiot” is something my daughter might say and that happens to me too, if that time is today and this article, let me know. If you don’t get the Cabbage Patch reference and its juxtaposition to automation, see here. I’ve tried to avoid sarcasm (and arrogance) but have […]

Author information

Steven Iveson

Steven Iveson, the last of four children of the seventies, was born in London and has never been too far from a shooting, bombing or riot. He's now grateful to live in a small town in East Yorkshire in the north east of England with his wife Sam and their four children.

He's worked in the IT industry for over 15 years in a variety of roles, predominantly in data centre environments. Working with switches and routers pretty much from the start he now also has a thirst for application delivery, SDN, virtualisation and related products and technologies. He's published a number of F5 Networks related books and is a regular contributor at DevCentral.

The post Automating the Cabbage Patch Network Today (2014) appeared first on Packet Pushers Podcast and was written by Steven Iveson.

by Steven Iveson at October 16, 2014 09:14 PM

PACKETattack

Cisco ACI Fabric Forwarding In A Nutshell

As I study software defined networking architectures, I’ve observed that none of them are exactly alike. There are common approaches, but once diving into the details of what’s being done and how, even the common approaches seem to have as many differences as similarities. One of the most interesting elements of SDN architectures […]

by Ethan Banks at October 16, 2014 08:44 PM

My Etherealmind

IOS: show tcp vty


On Cisco IOS, "show tcp vty xx" is a very useful command that shows the TCP statistics of a VTY session. If you think your terminal is running slowly because of packet loss or delay, this command will provide visibility. If you don't see any errors on the TCP session (as you can see below), the other likely cause is the CPU or memory being overloaded.

The post IOS: show tcp vty appeared first on EtherealMind.

by Greg Ferro at October 16, 2014 06:55 PM

Cisco IOS Hints and Tricks

October 15, 2014

My Etherealmind

Killer Apps in the Gigabit Age | Pew Research Center’s Internet & American Life Project


Very, very funny quote in the Pew Research Report: How could people benefit from a gigabit network? One expert in this study, David Weinberger, a senior researcher at Harvard’s Berkman Center for Internet & Society, predicted, “There will be full, always-on, 360-degree environmental awareness, a semantic overlay on the real world, and full-presence massive open […]

The post Killer Apps in the Gigabit Age | Pew Research Center’s Internet & American Life Project appeared first on EtherealMind.

by Greg Ferro at October 15, 2014 07:05 PM

Networking Now (Juniper Blog)

Safeguarding cloud security before it’s too late

Earlier this month, many of the world’s biggest cloud-service providers quietly cooperated to update the open-source Xen hypervisor software. What wasn’t publicly revealed until after the update was safely completed, however, was that it actually was a carefully coordinated operation intended to head off a major security breach, as identified in the Xen patch advisory.

by KyleAdams at October 15, 2014 06:09 PM

Potaroo blog

ECDSA and DNSSEC

Yes, that's a cryptic topic, even for an article that addresses matters of the use of cryptographic algorithms, so congratulations for getting even this far! This is a report of an experiment conducted in September and October 2014 by the authors to measure the extent to which deployed DNSSEC-validating resolvers fully support the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) with curve P-256.

October 15, 2014 05:18 PM

Router Jockey

AS-Path Filtering

Before we get into the how, let’s talk about the why. According to the CIDR Report, the global IPv4 routing table sits at about 525,000 routes; it has doubled in size since mid-2008 and continues to grow at an accelerating rate. This momentum, which by my estimate started around 2006, will most likely never slow down. As network engineers, what are we to do? Sure, memory is as plentiful as we could ask for, but what of TCAM? On certain platforms, like the 7600/6500 with the Sup720 and even some ASR1ks, we have already surpassed the limits of what they can handle (~512k routes in the FIB). While it is possible to increase the TCAM available for routing information, there are other solutions that don’t involve replacing hardware just yet.

As far as I know, adjusting TCAM partitioning on the ASR1000 is not possible at this time.

Before I get too deep into this, I should clarify as many of you (yes, I’m looking at you Fry) are asking yourselves why is an ISP running BGP on a 6500… Many of my customers are small ISPs or data centers that have little to no networking experience. They are the small guys attempting to provide high speed service to rural areas that truly need it. Most of these guys are 3-4 person shops that have a ton of people wearing multiple hats, and after spending the last decade working with them, I have to respect that. /soapbox

AS Path Filtering

My favorite solution to this problem has been to filter out routes that have long AS paths. This works particularly well if you’re receiving full tables plus a default from your upstream providers. My thinking has always been: let’s ensure path optimization for very short AS paths, and for anything more than 3 networks away… who cares!? The example below uses AS-path filtering and local preference to make sure that traffic to destinations 3 networks or fewer away always leaves via the best path we have.

ip as-path access-list 100 permit ^[0-9]+$
ip as-path access-list 200 permit ^[0-9]+_[0-9]+$
ip as-path access-list 300 permit ^[0-9]+_[0-9]+_[0-9]+$
!
ip prefix-list any seq 5 permit 0.0.0.0/0 le 32
!
route-map ebgp-in permit 10
 match as-path 100
 set local-preference 193
!
route-map ebgp-in permit 20
 match as-path 200
 set local-preference 192
!
route-map ebgp-in permit 30
 match as-path 300
 set local-preference 191
!
route-map ebgp-in deny 99
 match ip address prefix-list any
!
router bgp 65100
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65011
 neighbor 1.1.1.1 route-map ebgp-in in
 neighbor 2.2.2.2 remote-as 65022
 neighbor 2.2.2.2 route-map ebgp-in in
!

As you can see, we’re using a route-map to filter updates from our peers. The first statement matches AS-path ACL 100, whose regular expression matches updates with a single AS number in the AS path, and its set statement raises the local-preference on those routes well above the default of 100. While the BGP best-path selection algorithm would already prefer these routes on AS-path length, personally I like to set local-preference explicitly throughout my configs to suit the needs of the business. I also typically set BGP communities on these prefixes to aid in identifying the applied policy. But I digress. The second statement matches an AS-path length of 2 and sets a slightly lower local-preference, the third does the same for a length of 3, and statement 99 denies everything else (a route-map ends in an implicit deny, so the explicit statement only makes the intent visible). One caveat: the access-lists count every ASN in the path, exactly as the best-path algorithm does, so a prefix that a neighbouring network has prepended (for example 65011 65011 65011 65200) has a path length of 4 and is dropped even though it is only two ASes away; those destinations are then reached via the default route from the upstream, which is why this policy assumes you receive one.
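To see exactly which paths the three access-lists accept, and what the prepending caveat costs, here is the same policy expressed in Python. This is an added example, not Router Jockey’s code: AS_PATH_ACLS mirrors access-lists 100/200/300, route_map_ebgp_in mirrors the route-map’s sequence evaluation, and route_map_prepend_aware is a hypothetical variant that collapses consecutive repeats of an ASN before counting hops.

```python
import re

# The three as-path access-lists from the post as Python regexes. Cisco's "_"
# matches a space or a string boundary; here ASNs are separated by one space.
AS_PATH_ACLS = (
    (100, re.compile(r"^[0-9]+$"), 193),                    # one AS away
    (200, re.compile(r"^[0-9]+ [0-9]+$"), 192),             # two ASes
    (300, re.compile(r"^[0-9]+ [0-9]+ [0-9]+$"), 191),      # three ASes
)

def route_map_ebgp_in(as_path):
    """Apply route-map ebgp-in to an AS_PATH string: the first matching
    sequence sets local-preference; anything unmatched is denied (None)."""
    for _acl, regex, local_pref in AS_PATH_ACLS:
        if regex.match(as_path.strip()):
            return local_pref
    return None          # seq 99 deny (the implicit deny would do the same)

def as_hops(as_path):
    """Return (length as BGP best-path counts it, i.e. every ASN occurrence
    including prepends; number of distinct consecutive ASes crossed)."""
    asns = as_path.split()
    distinct = [a for i, a in enumerate(asns) if i == 0 or a != asns[i - 1]]
    return len(asns), len(distinct)

def route_map_prepend_aware(as_path):
    """Hypothetical variant that rates a path by distinct ASes, so a prefix a
    nearby network prepended (e.g. "65011 65011 65011 65200") keeps the
    local-preference of a two-AS path instead of being dropped."""
    _, distinct = as_hops(as_path)
    return {1: 193, 2: 192, 3: 191}.get(distinct)
```

On the router, show ip bgp regexp followed by one of the expressions lists the prefixes it would match against the current table, which is the quickest way to check an access-list before applying it inbound.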

Forklifting

In addition to the routing table limitations, the sheer amount of load that running BGP adds to the CPU in your 6500/7600 series is going to be the last nail in the coffin, and I completely understand and agree. And because I understand many of you that are still on those platforms need an affordable option, I have good news for you. The ASR 9001 has a scaled-down 60 Gbps build that comes in at a rather reasonable price, which should be rather affordable after you factor in trade-in value on your legacy platform. Not only will the ASR 9k completely blow the doors off your 7600 right out of the box, but it should last you a rather long time, as it is scalable to 120 Gbps. As for its routing abilities, it shares the same IOS-XR platform as the larger ASR 9ks, and has plenty of memory to support millions of routes.

The post AS-Path Filtering appeared first on Router Jockey.

by Tony Mattke at October 15, 2014 04:10 PM

Networking Now (Juniper Blog)

Our Biggest Security Threat? It’s Not Who You Think

As a Chief Information Security Officer, I get a lot of questions about the cyber security threats and what worries me most. I field questions about Anonymous, geo-political hackers, cyber-extortionists, malware, and the like.

by Sherry Ryan at October 15, 2014 01:00 PM

Cisco IOS Hints and Tricks

Networking Is Not as Special as We Think It Is

I was listening to the Packet Pushers show #203 – an interesting high-level discussion of policies (if you happen to be interested in those things) – and unavoidably someone had to mention how networking is all broken because different devices implement the same functionality in different ways and use different CLI/API syntax.

Read more ...

by Ivan Pepelnjak (noreply@blogger.com) at October 15, 2014 08:14 AM

Networking Now (Juniper Blog)

October 2014 Microsoft Patch Tuesday Summary

It’s Microsoft Patch Tuesday! In the October edition there are 8 updates; three are marked "Critical" and five are rated "Important". A total of 24 vulnerabilities were fixed over 8 bulletins this month. One of the Critical updates, MS14-056, is a cumulative Internet Explorer patch covering IE 6 to 11. This single update resolves 14 CVEs (Common Vulnerabilities and Exposures).

by prashantk at October 15, 2014 01:19 AM

XKCD Comics

October 14, 2014

My Etherealmind

Network Dictionary – Invariant


I use the term "invariant" quite regularly when designing networks. It sounds fancy.

The post Network Dictionary – Invariant appeared first on EtherealMind.

by Greg Ferro at October 14, 2014 07:47 PM

Security to the Core | Arbor Networks Security

MindshaRE: Statically Extracting Malware C2s Using Capstone Engine

It’s been far too long since the last MindshaRE post, so I decided to share a technique I’ve been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration information in a set structure or in the resource section (for a nice set of publicly available decoders check out KevTheHermit’s RATDecoders repository on GitHub). Being able to statically extract this information becomes important in the event that the malware does not run properly in your sandbox, the C2s are down or you don’t have the time / sandbox bandwidth to manually run and extract the information from network indicators.

Intro

To find C2 info, one could always just extract all hostname-, IP-, URI- or URL-like elements via regex matching on the binary’s strings, but it’s entirely possible to end up with false positives or, in some cases, with multiple hostname and URI combinations whose pairing you get wrong. In addition, some known malware families include benign or junk hostnames in the binary that are never referenced, or are referenced only to make decoy phone-homes. Manually locating references and then disassembling (in my case, with Capstone Engine) helps verify that you have found the correct information and avoids the junk inserted to throw your analysis off.

For those not familiar, Capstone Engine is a disassembly framework written by Nguyen Anh Quynh and first released in 2013. The engine has seen a significant amount of development in that short amount of time and has a good track record of handling some tricky disassembly. Most importantly, it has bindings for most popular programming languages, including Python – my current programming language of choice. One complaint I have with using an on-the-fly disassembler is the lack of symbols, but that can be worked around by taking the list of imports and addresses from pefile and then checking any memory references against it. All of the PoCs presented assume an image base of 0x400000; for any production use the actual image base should be parsed out of the PE header and used instead.


Example: Backoff PoS Malware

Backoff is a recently discovered PoS malware family. I noticed that many of the times the malware was sandboxed, it would not communicate with a C2, but I could see the C2 info in plain-text in the binary or other times when the C2 was down.

Backoff C2 Plain-Text

In an attempt to “correctly” locate the C2 information and utilize some Capstone-fu, I crafted a function that first locates hostname- or IP-like strings in the binary, looks for a “mov [register+offset]/<addr> addr” pattern, and then uses capstone to disassemble to obtain the other configuration elements.

Backoff ASM Code to load C2

This ends up being useful, since the argument order is not necessarily the same. This doesn’t work for all versions, but does for most – I have encountered a number that use a Visual Basic injector or store the config in an array structure, so the code below will not work on them. This can be coupled with another piece of code that searches for version-like strings and then disassembles to find the additional campaign name attached to the binary. The code should check a) that host, port and URI are all defined after the loop and b) that the number of mov instructions encountered before the call was 3. The number of movs matters because my code starts at the hostname and the arguments are not always encountered in the same order. If fewer than 3 movs were seen, I jump back the appropriate number of movs via a regex search and walk the disassembly again to see if I encounter the expected configuration data. This will also help find the backup domains and URLs embedded in the malware that may not be seen during a sandbox run even if there is successful communication to the C2. The code is quick and dirty and can easily be improved by validating some of the common instructions seen in between, but is presented as-is for this example:


    from capstone import Cs, CS_ARCH_X86, CS_MODE_32
    from capstone.x86 import X86_OP_IMM

    # 'code' is the byte slice starting at the mov that references the hostname;
    # 0x1000 is only a placeholder disassembly address and 0x400000 the assumed
    # image base
    md = Cs(CS_ARCH_X86, CS_MODE_32)
    md.detail = True    # required to see operand types and immediates
    movs = 0
    host = None
    uri = None
    port = None
    for insn in md.disasm(code, 0x1000):
        if insn.mnemonic == 'mov':
            movs += 1
            if insn.operands[1].type == X86_OP_IMM:
                v = insn.operands[1].imm
                if v < 65536:
                    port = v       # small immediate: the port
                else:
                    # large immediate: pointer to a string inside the image
                    x = self.get_string(file, v - 0x400000)
                    if URI_REGEX.match(x): uri = x
                    elif DOMAIN_REGEX.match(x): host = x
                    elif IP_REGEX.match(x): host = x
            if movs == 3: break    # host, port and URI all loaded
        elif insn.mnemonic == 'call': break

Example: Alina PoS Malware


Alina is a PoS malware family that has been around for awhile. Similar to Backoff, I noticed that many of the sandbox runs did not successfully communicate with the malware when the configuration was viewable.

Alina C2 Strings

I used a similar process to what I did with Backoff to first locate potential C2 candidates and then search for XREFs and disassemble with capstone. Many times the C2 is stored is pushed onto the stack followed by instructions setting local variables and then a subroutine call. Prior to the push of the C2 and the URI, there is another push that represents the length of the string and can also be used to validate the sequence. Once again, this is a great place to utilize capstone to make sure that anything that is extracted matches up with what is desired.

Alina ASM to load C2

This sequence of pushes and calls always seems to be preceded by a call to InitializeCriticalSection, so I first look for that, using a dict built from loading the binary into pefile to get at the import table. The order in which the hostname and the URI occur in the binary can be flip-flopped, so I allow for that. I do make sure that the next push after the strlen is a string. The code can be extended further to validate that the strlen matches the string I extract from the binary, but this is just a PoC :)

    from capstone.x86 import X86_OP_IMM, X86_OP_MEM

    # CODE: byte slice starting at push_len_addr, the call to
    # InitializeCriticalSection; impts: IAT slot address -> import name, built
    # with pefile; s: the candidate C2 string; file: the raw binary; image base
    # assumed to be 0x400000
    instr_cnt = 0
    strlen = None
    str_instr = None
    for i in md.disasm(CODE, push_len_addr):
        if instr_cnt == 0:
            # check for InitializeCriticalSection
            if i.mnemonic == 'call' and i.operands[0].type == X86_OP_MEM and \
              impts.get(i.operands[0].mem.disp, '') == 'InitializeCriticalSection':
                print("On the right track...")
            else:
                break
        elif i.mnemonic == 'push' and i.operands[0].type == X86_OP_IMM \
          and i.operands[0].imm < 0x100:
            # the length push precedes the string pointer push
            strlen = i.operands[0].imm
            str_instr = instr_cnt + 1
            print("Found the strlen push", i.mnemonic, i.op_str)
        elif strlen and str_instr == instr_cnt and i.mnemonic == 'push' \
          and i.operands[0].type == X86_OP_IMM:
            addr = i.operands[0].imm
            if addr == 0x400000 + file.find(s):
                print('found hostname push')
                hostname = get_string(file, addr - 0x400000)
                print(hostname)
            else:
                uri = get_string(file, addr - 0x400000)
                if URI_REGEX.match(uri): print(uri)
        instr_cnt += 1
Example: DirtJumper Drive

My last example is a more complex one. Drive stores its most interesting strings in an encrypted format and does not decrypt all of them in the same function (for more information see my previous blog post here); instead the decryption calls are scattered throughout the binary. In this example, I use the encrypted install name, which always starts with the same characters, to locate the decryption function. The decryption function is the function called right after the call that XREFs the encrypted install name.

Drive Install Name XRef

With the address of the decryption function known, I use the "k=" string from the phone-home to locate the network communication function. This function is where the C2 information is first decrypted, and the C2 and the URI are the first two things decrypted in it. The code could be walked further down to locate the C2 port, but that is not shown here.

Drive C2 decryption

Here’s the first piece of code used to locate the decryption function:


        import struct
        from capstone import Cs, CS_ARCH_X86, CS_MODE_32
        from capstone.x86 import X86_OP_IMM, X86_OP_REG, X86_REG_EAX, X86_REG_EDX

        # `file` is the raw bytes of the sample and `s` the encrypted install name, found by
        # its constant leading bytes. decrypt_drive() and get_string() are the helpers from
        # the earlier Drive post. Image base 0x400000 with file offset == RVA is assumed.
        config = {}
        # find the XREF: mov eax, <addr of s>, falling back to mov edx, <addr of s>
        mov_addr = b'\xb8'+struct.pack("<I",0x400000+file.find(s))
        instr_addr = 0x400000+file.find(mov_addr)
        if instr_addr <= 0x400000:          # file.find() returned -1
            mov_addr = b'\xba'+struct.pack("<I",0x400000+file.find(s))
            instr_addr = 0x400000+file.find(mov_addr)

        # walk back to the enclosing function: PUSH EBP; MOV EBP, ESP
        func_start = file[:instr_addr-0x400000].rfind(b'\x55\x8b\xec')
        code = file[func_start:func_start+0x200]
        md = Cs(CS_ARCH_X86, CS_MODE_32)
        md.detail = True
        decrypt_func_next = False
        calls = 0
        for i in md.disasm(code, func_start+0x400000):
            # looking for mov eax/edx, <address inside the image>
            if i.mnemonic == 'mov' and len(i.operands) == 2 \
              and i.operands[0].type == X86_OP_REG \
              and i.operands[0].reg in (X86_REG_EAX, X86_REG_EDX) \
              and i.operands[1].type == X86_OP_IMM and i.operands[1].imm >= 0x400000 \
              and i.operands[1].imm <= 0x500000:
                d = decrypt_drive(get_string(file,i.operands[1].imm-0x400000))
                # validate that this is indeed the install name
                if d.endswith('.exe'):
                    config['install_name'] = d
                    decrypt_func_next = True
            # the decryption function is the target of the 2nd direct call after the install name
            elif decrypt_func_next and 'install_name' in config \
              and i.mnemonic == 'call' and i.operands[0].type == X86_OP_IMM and calls == 1:
                config['decrypt_func'] = i.operands[0].imm
                break
            elif 'install_name' in config and i.mnemonic == 'call':
                calls += 1

Now that the decryption function has been located, the C2 information can be extracted.


        # locate the phone-home function through the XREF to "k=": mov edx, <addr of "k=">
        mov_inst = b'\xba'+struct.pack("<I",0x400000+file.find(b'k='))
        mov_k_addr = 0x400000+file.find(mov_inst)
        # walk back to PUSH EBP; MOV EBP, ESP from the "k=" XREF (not the install-name one)
        func_start = file[:mov_k_addr-0x400000].rfind(b'\x55\x8b\xec')
        code = file[func_start:func_start+0x200]
        md = Cs(CS_ARCH_X86, CS_MODE_32)
        md.detail = True
        calls = 0
        d = None
        for i in md.disasm(code, func_start + 0x400000):
            # look for mov edx, <addr>; edx carries the encrypted string into the decrypt call
            if i.mnemonic == 'mov' and len(i.operands) == 2 \
              and i.operands[0].type == X86_OP_REG and i.operands[0].reg == X86_REG_EDX \
              and i.operands[1].type == X86_OP_IMM and i.operands[1].imm >= 0x400000 \
              and i.operands[1].imm <= 0x500000:
                d = get_string(file,i.operands[1].imm-0x400000)
            # if call decrypt_func, then decrypt(d)
            elif i.mnemonic == 'call' and i.operands[0].type == X86_OP_IMM \
              and i.operands[0].imm == config['decrypt_func'] and d:
                # first call is the c2 host/ip
                if calls == 0:
                    config['host'] = decrypt_drive(d)
                    d = None
                    calls += 1
                # 2nd call is the URI
                elif calls == 1:
                    config['uri'] = decrypt_drive(d)
                    d = None
                    break

Future Work

Capstone is a useful tool to have in your toolbox and hopefully the PoC code presented in this post will aid others in the future. For my own future work, I plan to tighten up the code presented and work on getting code for other interesting malware families into something that will be suitable to push out for public release.

by Jason Jones at October 14, 2014 03:48 PM

Cisco IOS Hints and Tricks