Wednesday, January 21, 2015

MC-SQLR Amplification: MS SQL Server Resolution Service enables reflected DDoS with 440x amplification


The MS SQL Server Resolution Service listens on UDP port 1434 and allows a client to interrogate a server hosting a SQL Server installation and to receive back detailed information about the SQL Server instances available on that server.  The client sends a one-byte request, and the server responds with a variable-length message containing instance names, versions, listening ports, and other connection details.

This service can be exploited to conduct reflected DDoS attacks.  The request travels over UDP, so there is no handshake to prove that the source address is genuine: an attacker can send requests with the victim's address forged as the source, and every server that answers will deliver its response to the victim rather than to the attacker.  Because the client request is very small and the server response is potentially large, the attacker also gains significant amplification.  A large number of MS SQL Servers are internet-facing, providing ample reflection surfaces for attackers.

This technique was observed in the wild in December 2014, when it was employed as part of a DDoS attack against the website of the City of Columbia, Missouri.  In this incident, the technique resulted in an average incoming response of approximately 440 bytes.  Assuming a one-byte request size per response, the attack yielded an amplification factor of 440x.  That figure compares UDP payloads; once the IP and UDP headers carried by both the request and the response are counted, the ratio seen on the victim's link is somewhat lower, but still far beyond what the attacker could achieve by sending the same traffic directly.
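The exchange described above, as an added example that is not code from the original post: a Python script that builds the one-byte request, parses a constructed SVR_RESP datagram of the kind a server returns from UDP 1434, and computes the amplification factor both on UDP payloads (the 440x figure above is a payload-level measurement) and with a 28-byte IPv4/UDP header allowance, which is an assumption used only to show how headers shrink the ratio. The request byte (CLNT_UCAST_EX, 0x03) and the response layout (0x05 marker, little-endian 16-bit length, semicolon-delimited key/value tokens with ";;" closing each instance) follow the MC-SQLR specification; the host and instance names are constructed sample data, not captured traffic.

```python
"""Parse MS SQL Server Resolution Protocol (SSRP, MC-SQLR) responses and
compute the reflection amplification they provide.
Added example, not part of the original post."""
import struct

SSRP_PORT = 1434            # SSRP listens on UDP 1434
CLNT_UCAST_EX = b"\x03"     # one-byte "enumerate all instances" request (MC-SQLR)
RESPONSE_MARK = 0x05        # first byte of every SVR_RESP datagram
IPV4_UDP_HEADER_BYTES = 28  # 20-byte IPv4 + 8-byte UDP; assumption for the on-the-wire ratio


def build_svr_resp(instances):
    """Serialize a list of instance dicts into an SVR_RESP datagram.
    Each instance becomes 'key;value;...;;' as in the MC-SQLR RESP_DATA format."""
    data = "".join(
        ";".join("%s;%s" % (k, v) for k, v in inst.items()) + ";;" for inst in instances
    ).encode("ascii")
    return bytes([RESPONSE_MARK]) + struct.pack("<H", len(data)) + data


def parse_svr_resp(datagram):
    """Return the instances advertised in an SVR_RESP datagram as a list of dicts.
    Raises ValueError for anything that is not a well-formed response."""
    if len(datagram) < 3 or datagram[0] != RESPONSE_MARK:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    data = datagram[3:3 + size]
    if len(data) != size:
        raise ValueError("truncated SVR_RESP: declared %d bytes, got %d" % (size, len(data)))
    instances = []
    for chunk in data.decode("ascii", errors="replace").split(";;"):
        if not chunk:
            continue
        tokens = chunk.split(";")
        if len(tokens) % 2:          # tolerate a dangling key with no value
            tokens.append("")
        instances.append(dict(zip(tokens[0::2], tokens[1::2])))
    return instances


def is_well_formed(datagram):
    """True if parse_svr_resp accepts the datagram (handy for a detector or fuzzer)."""
    try:
        parse_svr_resp(datagram)
        return True
    except ValueError:
        return False


def amplification_factor(request, response):
    """Bytes reflected to the victim per byte sent by the attacker (UDP payload only)."""
    return len(response) / len(request)


def wire_amplification_factor(request, response, header_bytes=IPV4_UDP_HEADER_BYTES):
    """Same ratio with IP/UDP headers counted on both sides, i.e. what the victim's link sees."""
    return (len(response) + header_bytes) / (len(request) + header_bytes)


# Constructed sample: one host advertising two instances (not captured traffic).
SAMPLE_INSTANCES = [
    {"ServerName": "SQLHOST", "InstanceName": "MSSQLSERVER", "IsClustered": "No",
     "Version": "10.50.1600.1", "tcp": "1433"},
    {"ServerName": "SQLHOST", "InstanceName": "SQLEXPRESS", "IsClustered": "No",
     "Version": "11.0.2100.60", "tcp": "49172",
     "np": r"\\SQLHOST\pipe\MSSQL$SQLEXPRESS\sql\query"},
]
SAMPLE_RESPONSE = build_svr_resp(SAMPLE_INSTANCES)

if __name__ == "__main__":
    print("request to UDP/%d: %r (%d byte)" % (SSRP_PORT, CLNT_UCAST_EX, len(CLNT_UCAST_EX)))
    for inst in parse_svr_resp(SAMPLE_RESPONSE):
        print("  instance %-12s tcp %s" % (inst["InstanceName"], inst.get("tcp")))
    print("payload amplification:     %.0fx" % amplification_factor(CLNT_UCAST_EX, SAMPLE_RESPONSE))
    print("on-the-wire amplification: %.1fx" % wire_amplification_factor(CLNT_UCAST_EX, SAMPLE_RESPONSE))
```

A real server advertising several instances, each with a named-pipe entry, pushes the payload well past this sample, which is why the observed average in the Columbia incident was far larger than a single-instance response.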


Beginning at about 11:00 PM on Christmas Eve 2014, the website of the City of Columbia, Missouri was hit by a DDoS attack.  Over the course of the next 24 hours, the attacker, going by the handle Bitcoin Baron, used a number of the attack techniques we've all grown accustomed to seeing: NTP amplification, SSDP amplification, and a good old-fashioned SYN flood.  One of the attack techniques hurled at the city, though, was a little out of the ordinary.

Friday, July 18, 2014

VMware Leaves Artifacts of Guest Applications on the Host


In the VMware environment, Unity Mode presents guest VM applications to the host desktop.  This provides a convenient way for the user to access applications installed on the guest without switching back and forth from the host to the guest.  When a guest VM application is run in Unity Mode, the application appears in the host desktop just as a host application would.

To enable the guest-to-host communication required for Unity Mode, VMware stores information about guest applications in a directory called caches, nested within the directory where the .vmdk file is housed.  Significant information about guest VM applications is recorded in the caches directory.  This information is recorded whether or not the application is ever used in Unity Mode, and it persists after the application has been uninstalled from the guest VM.  By examining the caches directory, a forensic examiner may be able to recover information such as:
  1. the names and full paths of all shortcuts ever present in the Start Menu of the guest;
  2. the date and time the shortcut was placed in the Start Menu;
  3. the icon used by the shortcut;
  4. the date on which the guest application was first run in Unity Mode (if applicable).
The ubiquity of virtualization presents ample opportunity for the examiner to find useful artifacts in the caches directory of a subject workstation or server.  This article describes the behavior of VMware running a Windows XP guest on a Windows 7 host.  Other combinations of host and guest OSes may present somewhat different findings, but I presume the behavior will be broadly similar across platforms.  As always, the examiner should conduct his or her own tests to confirm these findings before drawing conclusions.

Cross-Contamination of Unallocated Space between VMware Guest and Host


In a VMware environment, a virtual disk can be shrunk if it becomes too large.  If the virtual disk has a large amount of unallocated space, the user can use VMware utilities to shrink it to the smallest size required.  When the user does this, unallocated space from within the VM may be transferred to the unallocated space of the host.  VMware shrinks the .vmdk file but does not effectively zero out that data before returning the space to the host.  The result is that data which originated inside the guest can turn up in the host's unallocated space, where an examiner who does not account for the VM could wrongly attribute it to activity on the host.

Interestingly, the reverse is not the case. When a new VM is created with a preallocated drive, VMware does zero out all the space assigned to the virtual drive prior to making it available for use.  If you create a new VM and give it a 10 GB preallocated disk, you'll get 10 GB of zeros before your OS starts to install.

However, if you shrink a virtual disk, the contents of the disk that are unallocated in the context of the VM will be excluded from the virtual disk without wiping.  That data may be transferred to the unallocated space of the host largely intact.
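To test the claim above on a specific image (an added example, not code from the original post), the following Python script reports how much of a raw file or image is zero-filled and where the non-zero regions lie, so an examiner can check a dump of the host's unallocated space, or of the guest's free space before a shrink, against the expectation that released space should contain only zeros. The 4 KiB window size and the sample image built by build_sample_image (zeros with planted text) are constructed for the demonstration.

```python
"""Report how much of a raw image is zero-filled and where the non-zero regions
are.  Added example, not code from the original post; the sample image is
constructed, not a real disk."""
import os
import tempfile

CHUNK = 4096  # scan window; an assumption, adjust to the filesystem's cluster size


def nonzero_chunks(path, chunk_size=CHUNK):
    """Yield (offset, data) for every window of the file containing a non-zero byte."""
    with open(path, "rb") as fh:
        offset = 0
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            if data.strip(b"\x00"):   # anything left after stripping zeros is real content
                yield offset, data
            offset += len(data)


def nonzero_regions(path, chunk_size=CHUNK):
    """Merge consecutive non-zero windows into (start, end) byte ranges."""
    regions = []
    for offset, data in nonzero_chunks(path, chunk_size):
        if regions and regions[-1][1] == offset:
            regions[-1] = (regions[-1][0], offset + len(data))
        else:
            regions.append((offset, offset + len(data)))
    return regions


def zero_fraction(path, chunk_size=CHUNK):
    """Fraction of the file that lies in all-zero windows (1.0 means fully wiped)."""
    total = os.path.getsize(path)
    if total == 0:
        return 1.0
    nonzero = sum(len(data) for _, data in nonzero_chunks(path, chunk_size))
    return 1.0 - nonzero / total


def printable_runs(data, min_len=8):
    """Crude strings(1): runs of printable ASCII at least min_len bytes long."""
    runs, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def build_sample_image(size_chunks=16, chunk_size=CHUNK):
    """Constructed sample: a zero-filled image with guest-style text planted in
    windows 5 and 6 (adjacent, so they merge) and window 12.  Returns the path."""
    buf = bytearray(size_chunks * chunk_size)
    planted = {
        5 * chunk_size + 100: b"guest-only document text that should have been wiped",
        6 * chunk_size + 10: b"second fragment in the adjacent window",
        12 * chunk_size: b"unrelated remnant",
    }
    for off, text in planted.items():
        buf[off:off + len(text)] = text
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as fh:
        fh.write(buf)
    return path


if __name__ == "__main__":
    image = build_sample_image()
    print("zero-filled: %.1f%%" % (100 * zero_fraction(image)))
    for start, end in nonzero_regions(image):
        print("non-zero region 0x%08x-0x%08x" % (start, end))
    for offset, data in nonzero_chunks(image):
        for s in printable_runs(data):
            print("  0x%08x: %s" % (offset, s))
```

Run against a dump of unallocated space taken before and after a shrink; a fraction well below 1.0 afterwards, with readable runs in the non-zero regions, confirms that guest data crossed into the host unwiped.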

Monday, November 5, 2012

Artifacts of Host-to-Guest File Copy in the VMware Environment


In a virtualization environment using VMware, one method of introducing a file onto a guest virtual machine is to simply copy and paste the file from the host system into the VMware window. From the user's perspective, this is a typical copy-and-paste operation, resulting in a new file in the context of the guest system that the user can then manipulate normally from inside the guest system.

Of interest to the forensic examiner, however, is the fact that a host-to-guest copy-and-paste operation in the VMware Player environment leaves a temporary copy of the source file in %tmp%\VMWareDnD on the guest. This temporary file may be valuable in recovering the prior contents of the copied file after the live file is manipulated by the user. In addition, the temporary file retains the file creation timestamp of the original file on the host machine, potentially providing valuable information for timeline reconstruction. The temporary file survives suspension or shutdown of the guest, so it remains recoverable from the guest's virtual disk while the guest is powered off; it is cleared when the guest next boots, so the examiner should image the virtual disk before starting the guest.
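As an added example covering both the Unity caches directory described in the July 2014 post above and the VMWareDnD temporary copies described here (not code from the original posts), the following Python script locates caches directories that sit beside a .vmdk, inventories their files with timestamps, and pairs each VMWareDnD temp copy with the same-named live file on the guest to flag copies whose contents have since changed or whose live counterpart is gone. The directory layout and file names in build_sample_tree are constructed for the demonstration; the posts do not describe the internal format of the cache files, so the script only inventories them. Note that os.stat's st_ctime is the creation time on Windows but the inode-change time on POSIX systems.

```python
"""Inventory VMware guest-application artifacts and flag changed drag-and-drop
copies.  Added example, not code from the original posts.  The sample tree is
constructed; it is not a real VM directory."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def find_unity_caches(root):
    """Return every 'caches' directory that sits beside a .vmdk file under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        has_vmdk = any(f.lower().endswith(".vmdk") for f in filenames)
        if has_vmdk and "caches" in dirnames:
            hits.append(os.path.join(dirpath, "caches"))
    return sorted(hits)


def inventory(directory):
    """List (relative path, size, st_ctime, st_mtime) for every file under directory.
    st_ctime is the creation time on Windows but the inode-change time on POSIX."""
    rows = []
    for dirpath, _, filenames in os.walk(directory):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rows.append((os.path.relpath(path, directory), st.st_size,
                         _iso(st.st_ctime), _iso(st.st_mtime)))
    return sorted(rows)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def compare_dnd_copies(dnd_dir, live_dir):
    """Pair each temp copy under dnd_dir with the same-named file under live_dir.
    Returns {relative name: 'unchanged' | 'modified' | 'missing'}; 'modified' means
    the temp copy preserves contents the live file no longer has."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(dnd_dir):
        for name in filenames:
            temp_path = os.path.join(dirpath, name)
            rel = os.path.relpath(temp_path, dnd_dir)
            live_path = os.path.join(live_dir, rel)
            if not os.path.isfile(live_path):
                verdicts[rel] = "missing"
            elif sha256_file(live_path) == sha256_file(temp_path):
                verdicts[rel] = "unchanged"
            else:
                verdicts[rel] = "modified"
    return verdicts


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree():
    """Constructed sample (not a real VM): a VM folder holding a .vmdk and a
    'caches' directory, plus a guest temp dir whose DnD copy of report.txt no
    longer matches the live file.  Returns the paths the demo needs."""
    root = tempfile.mkdtemp(prefix="vmware_artifacts_")
    vm_dir = os.path.join(root, "host", "Virtual Machines", "WinXP")
    caches = os.path.join(vm_dir, "caches")
    dnd = os.path.join(root, "guest", "Temp", "VMWareDnD")
    live = os.path.join(root, "guest", "Documents")
    for d in (caches, dnd, live):
        os.makedirs(d)
    _write(os.path.join(vm_dir, "WinXP.vmdk"), b"\x00" * 64)   # stand-in for the disk file
    _write(os.path.join(caches, "sample-a.cache"), b"constructed cache entry A")
    _write(os.path.join(caches, "sample-b.cache"), b"constructed cache entry B")
    _write(os.path.join(dnd, "report.txt"), b"original text as copied from the host")
    _write(os.path.join(live, "report.txt"), b"edited inside the guest after the copy")
    _write(os.path.join(dnd, "notes.txt"), b"unchanged since the copy")
    _write(os.path.join(live, "notes.txt"), b"unchanged since the copy")
    _write(os.path.join(dnd, "draft.txt"), b"deleted from Documents, survives in temp")
    return {"root": root, "caches": caches, "dnd": dnd, "live": live}


if __name__ == "__main__":
    paths = build_sample_tree()
    for c in find_unity_caches(paths["root"]):
        print("Unity cache:", c)
        for row in inventory(c):
            print("  ", row)
    for name, verdict in sorted(compare_dnd_copies(paths["dnd"], paths["live"]).items()):
        print("DnD copy %-12s %s" % (name, verdict))
```

On a real case, point find_unity_caches at the host's virtual machine folder and compare_dnd_copies at the mounted guest image, and keep the timestamps from inventory alongside the guest's own file system times when building the timeline.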

Sunday, November 27, 2011

Start Menu and IE Favorites Artifacts in the MenuOrder Registry Key


In most versions of Windows, a user can manually organize the order in which applications and application groups are displayed in the Start Menu.  A user might, for example, drag a frequently-used application group to the top of the Start Menu and leave the remainder of the items in alphabetical order.  The displayed order of items in the Start Menu is independent of the order in which %userprofile%\Start Menu is sorted in Windows Explorer.

Similarly, a user can manually rearrange items in the Favorites menu or Favorites Center of Internet Explorer (IE) independent of the displayed sort order of %userprofile%\Favorites.

These user-defined display settings are controlled by the Windows registry.

Friday, September 9, 2011

I will be speaking at SecureWorld Expo 2011 - St. Louis

SecureWorld Expo 2011 is coming to St. Louis September 13 - 14.  Please come join me at 11:00 on Wednesday for my presentation, "Forensics in Internal Investigations: People, Policies, and Politics." 

Information Security Officers and Analysts are often called upon to conduct investigations into employee actions.  Internal data leaks, violations of acceptable use policies, rogue devices, unauthorized software, and countless other kinds of suspected insider offenses pull information security practitioners into the role of investigator.

Too often, organizations fail to prepare for and effectively manage internal investigations.  Taking an ad-hoc approach to investigations and failing to bring the right skills and tools to the job will lead to ineffective investigations that ultimately increase, rather than mitigate, organizational risk.

This presentation will introduce the concepts and benefits of computer forensics, lay out basic principles for establishing an effective internal investigative function, and discuss organizational and political issues confronting information security practitioners who find themselves investigating their coworkers.

I hope to see you there!

Sunday, August 28, 2011

Colleges and Universities Account for a Disproportionate Number of Reported Data Breaches


As the depressingly steady march of breach notifications comes across my RSS feeds, I notice that US colleges and universities seem to be the victims of an awful lot of breaches.  At least, when I skim the list of breaches cataloged by resources like the DataLossDB and the Privacy Rights Clearinghouse, the names of colleges and universities stick out to me.  It sure looks like higher education makes up a disproportionate number of breach victims.  Several other infosec writers, both inside and outside academia, have made the same point (see below for more articles on the topic).

But, maybe that’s just confirmation bias.  Maybe colleges and universities are not breached any more often than other organizations, and it just seems that way to my subjective memory.  So, I decided to dig into the data a little and see if institutions of higher education – or for that matter, any particular types of organizations or businesses – account for a disproportionately large percentage of breach reports. 


I decided to look at publicly reported incidents of external breaches which were:  1) known or presumed to be malicious; and 2) not carried out or assisted by malicious insiders.  I was only interested in reports of “hacks”, not in reports of lost laptops, accidental exposures on FTP servers, accidental emailings, insider abuse, and so on.