Lost in Security (and mostly everything else)

Malware Exercise 2015-08-07 – Someone was fooled by a malicious email

Herbie August 18, 2015 February 23, 2016Packet Analysis

Prologue about this and future “Malware Excercise” posts I have been wanting to blog about my experiences playing with malware and trying to figure out how they work, techniques that helped me dissect them, tools that I used, etc… but never really had the chance/time to sit down and do it outside of work. Since Security Researcher Brad Duncan (follow him on Twitter or via his site at Malware Traffic Analysis) has started to do lab exercises for other researchers/analysts I figured that it would be a good way of killing two birds with one stone (doing the exercise and…

Allowed memory size of ‘XXX’ error in Security Onion – Fixed!

Herbie May 14, 2015 May 15, 2015SecurityOnion

So off and on while playing with Security Onion and Squert over the past several months, I have come across the dreaded “PHP Fatal error: Allowed memory size of X bytes exhausted (tried to allocate Y bytes) in /var/www/squert/.inc/callback.php” error when pulling up a full PCAP in either ELSA or Squert. Looking around at different posts via the SO group on Google and on Google itself, I could never “fix” the issue. Most of the time the answer was to do the following: You’ll need to increase the memory_limit setting in php.ini and restart Apache.

Umm… What is this on the wife’s laptop?

Herbie April 30, 2015 February 23, 2016Packet Analysis, SecurityOnion

So last night while playing around with my router trying to get it running as an OpenVPN Server (which was nothing but an all-day, bang-your-head-against-the-wall kind of experience since, from what I can tell reading multiple sites about Mikrotik, does not have a solid OpenVPN server package) I noticed this little gem in my Squert console via Security Onion:

15-02-2015 – Sweet Orange infection

Herbie February 15, 2015 February 23, 2016Packet Analysis

So while at work the other day I came across an interesting alert that, thankfully, was not successful. The following is what I got once I got home and was able to run this on my test VM. So let the party begin! The start of the infection chain starts here via this site (which I searched from Google): hxxp[:]//emmalinebride[.]com/decor/best-ombre-wedding-ideas/&rct=j&frm=1&q=&esrc=s&sa=U&ei=i7zbVLvYHovdatCRgqgF&ved=0CBQQFjAA&usg=AFQjCNEcGHpoa885u50SmO64kUXJ_gUH-Q Once the page loaded, there was an interesting call on port 8085 as you can see below: GET /adm/lines.php?norway=3 HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */* Referer: http://emmalinebride.com/decor/best-ombre-wedding-ideas/ Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;…

Part 3 of 3 : Nice email – Subject: Employee Documents – Internal Use

Herbie January 27, 2015 January 27, 2015Packet Analysis

This is my last post about this particular malicious email that I got in the mail sometime last week. If you have not read the other posts about this email (looks to be in the Dyre malware family), please see part one here and part two here.

Part 2 of 3 : Nice email – Subject: Employee Documents – Internal Use

Herbie January 26, 2015 January 26, 2015Packet Analysis

As the title suggest, this is the continuation of my investigation into a malicious Dyre email that I received a while back. If you did not see my initial post (and mind you, first blog about malware analysis), then you can find that here. The other thing that I am going to do is use a new tool created by Omri Herscovici called CapTipper. For more information about this tool, check out his page here.

Part 1 of 3 : Nice email – Subject: Employee Documents – Internal Use

Herbie January 21, 2015 January 26, 2015Packet Analysis

So I figured that it is time that I start putting SO (Security Onion) to good use and start trying to find malware to dissect. So I started going through the SPAM/JUNK mail folders in the different email accounts that I have. After checking several emails, I came across the following email: From: “invoice” <no-replay@invoice.com> To: <redacted> Subject: Employee Documents – Internal Use The email headers for this are as follows: Delivered-To: redacted Received: by 10.96.187.137 with SMTP id fs9csp1765471qdc; Wed, 21 Jan 2015 04:48:40 -0800 (PST) X-Received: by 10.229.102.68 with SMTP id f4mr57827176qco.15.1421844520124; Wed, 21 Jan 2015 04:48:40 -0800…

Security Onion and Elsa issues

Herbie November 6, 2014 January 16, 2024SecurityOnion

So the other day while reviewing alerts in Squert I noticed a lot of alerts triggering for ‘ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack.’ The rule for this is: alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:”ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack”; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:”|16 03 00|”; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3;) This got me thinking why am I just now starting to see this alert after running SO for a couple months now? Looking into the…