sudosecure.net

              is anything truly secure…

Archive for the 'Scripts' Category

Silly Network Printer Fun

Posted by jeremy on 19th March 2010

Yesterday I was configuring my firewall to allow my laptop to talk to a network printer installed on my family’s LAN. You may find that odd, but I tend to segregate my network into several slices such as a lab network, my network, and my family’s network. This ensures the stuff I am analyzing or playing with in the lab doesn’t infect and/or affect my network or my family’s network. It also allows me to configure specific monitoring policies for Snort, DansGuardian, and other network monitoring tools targeted specifically at things like my kids’ Internet activities.

Anyways, all that is beside the point; back to the silly printer fun stuff. Once I had the firewall rule in place I used netcat to verify my connection over port 9100 to the printer like this: “nc 192.168.1.15 9100”. Not sure why I did it other than sheer curiosity, but I typed “test” into the connection prompt and much to my surprise the printer printed a single page with the word “test” on it. Now this is probably not news for many of you, but it was to me, as I didn’t realize that network printers listen on port 9100 for just a RAW data feed. I guess I was expecting the network printer to expect some sort of formatted protocol, and it can, but the cool thing is it doesn’t have to. With this new information, to me at least, I immediately started to ponder the EVIL things that could be done with this, such as printer spam. It also kind of reminded me of the nasty black fax DoS concept/trick where you tape a few sheets of black paper together to continuously feed into a fax machine and send it to a recipient with the intention of draining all the toner out of the receiving fax machine. The following image came to mind immediately:

With that thought in mind I initially created a simple Perl script to scan for printers listening on port 9100 and then also send data to any printers discovered. My first iteration of the script allowed files to be read in and then sent to the printer in either binary or text format, but then I kind of backed off on releasing that for obvious script kiddie reasons. Could you imagine a skiddie that could easily just read something like /dev/sda or /dev/random into a script to send it to a network printer? Obviously anyone with a little Perl knowledge could add that functionality back in and/or extend the script, but I can sleep well at night knowing I didn’t include it. My silly and simple script only allows you to send a message passed as a command line argument to the printer, which could be utilized in a nasty manner but is a little more limiting than just allowing binary data to be piped into the printer’s listening port. If you’re interested you can get a copy of the script here: printerScanner.pl. It is nothing really special other than you can use it to scan a network range for printers listening on port 9100 and then, if you choose to do so, send a simple text-based message to the printer to see if it supports RAW input for printing.
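A Python version of what the post describes, added here as an example and not the author’s printerScanner.pl: it probes a list of hosts on TCP 9100 in parallel and then sends a plain-text message to the raw port the way the nc session above did. So that it runs offline, a constructed stand-in for a printer’s raw port (FakeRawPrinter) listens on 127.0.0.1 and queues what it receives; that class, the host list and the timeouts are assumptions of the example, not anything from the post. Point it only at printers you are allowed to print on.

```python
import queue
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

RAW_PORT = 9100  # the "raw" (AppSocket/JetDirect) port: bytes in, bytes to the print engine


def probe_raw_port(host, port=RAW_PORT, timeout=1.0):
    """Return True if host accepts a TCP connection on the raw-print port.
    Nothing is sent, so a listening printer does not print anything."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_range(hosts, port=RAW_PORT, timeout=1.0, workers=32):
    """Probe every host in parallel; return the sorted list of hosts that answered."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = pool.map(lambda h: (h, probe_raw_port(h, port, timeout)), hosts)
        return sorted(h for h, up in hits if up)


def send_raw(host, message, port=RAW_PORT, timeout=3.0):
    """Send plain text to the raw port, as the `nc 192.168.1.15 9100` session did.
    A trailing form feed (0x0C) makes the printer eject the page at once; without it
    the text sits in the job buffer until the printer's job timeout expires."""
    payload = message.encode("ascii", "replace") + b"\x0c"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


class FakeRawPrinter:
    """Constructed stand-in for a printer's raw port so the example runs offline:
    listens on 127.0.0.1 and queues each non-empty job it receives."""

    def __init__(self):
        self.jobs = queue.Queue()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self._srv.listen(5)
        self.host, self.port = self._srv.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:  # listening socket was closed
                return
            with conn:
                data = b"".join(iter(lambda: conn.recv(4096), b""))
            if data:  # a bare connect-and-close (the port probe) is not a job
                self.jobs.put(data)

    def next_job(self, timeout=2.0):
        return self.jobs.get(timeout=timeout)

    def close(self):
        self._srv.close()


def demo():
    """Scan for the fake printer, send it one line, and return what it received."""
    printer = FakeRawPrinter()
    try:
        found = scan_range(["127.0.0.1"], port=printer.port)
        sent = send_raw(printer.host, "test", port=printer.port)
        job = printer.next_job()
    finally:
        printer.close()
    return found, sent, job


if __name__ == "__main__":
    print(demo())  # (['127.0.0.1'], 5, b'test\x0c')
```

The probe only completes the TCP handshake, so a scan by itself produces no paper; only send_raw does, and the form feed it appends is why the page comes out immediately instead of after the printer’s job timeout.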

After writing this script and the first section of this blog post I did a Google search to see if anyone else had talked and/or written about this silly network printer scenario, and without disappointment I found that Adrian “Irongeek” Crenshaw had a much better write-up on this and so much more here: Hacking Network Printers. The funny realization I had in regards to all this is that Adrian documented this 4+ years ago, and I just ran into it yesterday. I have no issues in admitting that I was not aware of this simple RAW input method for network printers, as it confirms my thoughts on situations like this where you can feel as if you have a really good fundamental understanding of a topic area, but there is always room to learn something new, or in this case something old. Also, after reading through Adrian’s write-up I decided to see if I could come up with a Google dork for the Brother network printer I was testing this with on my network, and lo and behold here it is: inurl:”printer/main.html”. It still shocks me how many times devices like network printers are made available to the public, either via a system administrator’s misconfiguration or a network engineer not taking security into account during his or her implementation with things such as Access Control Lists.

Posted in Miscellaneous, Scripts, Tools | 1 Comment »

Anubis Submit Script Update

Posted by jeremy on 4th November 2008

I was notified the other day that the anubis_submit.pl script was no longer working and users were receiving 404 page not found errors. Anubis made a few changes to the web form submission fields and the URL, which caused my script to break. I have since updated the script to work with their new submission page. Thanks for the heads-up to those of you who let me know it was broken, and feel free to contact me if you have any questions or comments.

Posted in Scripts, Site Update, Tools | No Comments »

UploadMalware.com Perl Submission Script

Posted by jeremy on 14th April 2008

I was recently introduced to UploadMalware.com, which is a site made up of several security professional volunteers. They actively accept your Malware binary submissions and submit them to several Antivirus companies to help in speeding up the process of identifying, classifying, and the development of Malware signatures, which may I say benefits everyone. You can find a list of vendors they work with here: Vendors. In support of what these volunteers are attempting to do I have created a small Perl script that will allow anyone to submit suspicious binaries to their site without having to use the web interface. I have included all of the options available to you via their web form. All options except for the binary file are optional when submitting binaries to them, but I would encourage you to provide as much information as possible. They also offer an IRC channel where many of these professionals can be found hanging out willing to talk with you about your submissions or anything else Malware and/or Security related. You can find their channel “#uploadmalware” on the WyldRyde IRC Network, or use their instant chat web client located on their website.

If you have a honeypot or harvest Malware, may I suggest using this script to automatically submit binaries by creating a cron job or writing a small wrapper script. Just a suggestion. ;)

Here is a link to the script I created: uploadmalware_submit_pl. As always if you have any issues with this script or find any bugs feel free to contact me anytime.

Posted in Scripts, Tools | 4 Comments »

Storm Worm Config File Parsing Script for extracting Peer IPs.

Posted by jeremy on 6th April 2008

After talking it over with a few colleagues and friends I have decided to release the script I use to extract the peer IP addresses and ports from the Storm Worm ini/config file, as I think it may benefit others. The current configuration file for the Storm Worm is “aromis.config” and it holds the IPs of the bot peers the infected computer can communicate with. This will not be the entire list of IPs infected with the Storm Worm, as the Storm Worm breaks its bot networks up into small sub-network-like structures. This is why it has been so hard for security professionals to combat the worm and gather an accurate count of hosts infected with it.

Something to consider before using the script is that I cannot guarantee it will work on new configuration files, as the authors of the Storm Worm could change this file at any given time. If they do decide to modify the configuration file structure I may or may not decide to update the script to reflect these changes. I think once you see how simple it is, you may just want to update it yourself. I am not a professional programmer nor a Perl guru, so if you find anything insane in the code I welcome your fixes and/or improvements.

With all that being said, run it at your own risk as I provide no warranty! Well, here you go: storm_config_decoder_pl. The output from this script is very simple, “ip address:port”, for example “192.168.0.1:1234”, with the last line of output telling you exactly how many unique IP addresses it was able to identify. Oh, I almost forgot to mention it can parse multiple files: just use “*” as a wildcard character or specify the files with a space between them. This option has been very useful to me in combining the configuration files from several different infections over a period of time such as the last 24 hours. Try it, as you may get some interesting results ;)

As always if you have any questions or comments regarding this post or script feel free to contact me at anytime at jeremy [at] sudosecure [dot] net. Enjoy!

Posted in Bots and Worms, Scripts, Storm Worm, Tools | 2 Comments »

CWSandbox and Anubis Perl Scripts for submitting Malware

Posted by jeremy on 5th April 2008

Since my release of the ThreatExpert.com Perl script to aid in the batch processing of Malware binaries and automating the submission of these binaries for analysis, I have written two more: one for the CWSandbox and one for Anubis. If you haven’t used either of these sandboxes for a quick analysis I would really recommend them, as they can provide a very fast and detailed report for suspected Malware binaries using a combination of automated static analysis and behavioral analysis techniques. One of the major advantages in utilizing them is you won’t have to set up your own lab/sandnet to analyze suspicious binaries, and there is no risk of infecting your network during the analysis. Most of these sandboxes have established relationships with Antivirus companies to aid in the development of antivirus signatures through the sharing of submitted Malware binaries, so again I would encourage all of you to utilize them for the “greater good”.

With that being said, I tend to favor the CWSandbox due to the wealth of information they provide in their reports. They provide options to download a pcap file of network activity during the execution of the binary, a cab file of the analysis, an XML report, or just browse the results in their easy-to-navigate web interface. The pcap files can be downloaded and used to aid in writing Snort signatures to feed your IDS solution, which would then aid in identifying other computers on your network that could possibly be infected with the same Malware. The detailed report of system modifications can also be used to search out possible computers infected with this Malware without an IDS solution in place.

Well enough rambling, so here you go two more scripts that I hope you can find useful: cwsandbox_submit_pl and anubis_submit.pl.

As always I do not warranty these scripts in any shape or fashion and you assume all risk in running them. Although if you have any questions, bug reports, or comments feel free to shoot me an email at: jeremy [at] sudosecure [dot] net.

Posted in Scripts, Tools | No Comments »

ThreatExpert.com Perl Script to help in submitting Malware for Analysis

Posted by jeremy on 1st April 2008

Over the weekend I was working on some long overdue tasks that desperately needed my attention on my honeypot, and wrote a short Perl script to allow me to submit files to the ThreatExpert sandnet for analysis. It is a fairly simple script that will accept wildcards to submit several files or a specific file name to submit individual files. With a wrapper script or some simple modifications it could easily be modified to run via a cron job or in a never-ending while loop to submit new files as they are seen by your honeypot. My version does this, but I didn’t want to release that code just in case someone used it to cause a DoS attack on ThreatExpert by submitting hundreds of files without realizing what they were doing.

I can’t guarantee this script will run tomorrow, because if ThreatExpert decides to modify their web form submission structure this script will begin to fail. I don’t really see them doing this as they offer a free Windows GUI to do this same task, and a modification would break that application as well.

Anyways you can get the script here: ThreatExpert Submit Script, just change the extension from “.txt” to “.pl”. Here are a few examples of how to run it:

submit the three specified files to ThreatExpert.com and receive an email report at my.email@notta.com
./threatExpert_submit.pl -e my.email@notta.com -f badFile1 badFile2 badFile3

submit the entire directory /malware to ThreatExpert and receive an email report at my.email@notta.com
./threatExpert_submit.pl -e my.email@notta.com -f /malware/*

submit all files that start with “bad” to ThreatExpert and receive an email at my.email@notta.com
./threatExpert_submit.pl -e my.email@notta.com -f bad*
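The mechanics that the submission scripts on this page (UploadMalware, CWSandbox, Anubis and ThreatExpert) all share, as an added example in Python rather than any of the author’s Perl scripts: expand the wildcards from the command line, post each binary as a multipart/form-data upload, skip a sample whose exact content was already sent, and space submissions out so a cron job or honeypot loop cannot flood the service, which is the DoS worry raised above. The URL http://example.invalid/submit and the form field names “email” and “file” are placeholders, since the page does not list any sandbox’s real field names; adapt them to the target form. The Throttle and SandboxSubmitter classes are this example’s own.

```python
import glob
import hashlib
import os
import time
import urllib.request
import uuid


def expand_paths(patterns):
    """Expand shell-style patterns (badFile1, /malware/*, bad*) into a sorted,
    de-duplicated list of regular files; directories and misses are skipped."""
    return sorted({p for pat in patterns for p in glob.glob(pat) if os.path.isfile(p)})


def build_multipart(fields, file_field, filename, data, boundary=None):
    """Encode text fields plus one binary file as multipart/form-data.
    Returns (body_bytes, Content-Type header value). The boundary is random so it
    will not collide with sample contents; names and filenames are not escaped."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    parts += [f"--{boundary}".encode(),
              (f'Content-Disposition: form-data; name="{file_field}"; '
               f'filename="{filename}"').encode(),
              b"Content-Type: application/octet-stream", b"", data,
              f"--{boundary}--".encode(), b""]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


class Throttle:
    """Enforce a minimum spacing between submissions. The clock and sleep
    functions are injectable so the behaviour can be checked without waiting."""

    def __init__(self, min_interval, now=time.monotonic, sleep=time.sleep):
        self.min_interval, self._now, self._sleep, self._last = min_interval, now, sleep, None

    def wait(self):
        """Block until min_interval has passed since the previous call; return the delay used."""
        delay = 0.0
        if self._last is not None:
            delay = max(0.0, self.min_interval - (self._now() - self._last))
            if delay:
                self._sleep(delay)
        self._last = self._now()
        return delay


class SandboxSubmitter:
    """Submit each sample as its own POST (placeholder URL and field names)."""

    def __init__(self, url, email, email_field="email", file_field="file",
                 min_interval=10.0, throttle=None):
        self.url, self.email, self.email_field, self.file_field = url, email, email_field, file_field
        self.throttle = throttle or Throttle(min_interval)
        self._seen = set()  # sha256 of every payload sent in this run

    def build_request(self, name, data):
        body, ctype = build_multipart({self.email_field: self.email},
                                      self.file_field, os.path.basename(name), data)
        return urllib.request.Request(self.url, data=body,
                                      headers={"Content-Type": ctype}, method="POST")

    @staticmethod
    def _post(req):
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status

    def submit(self, name, data, post=None):
        """Submit one in-memory sample; returns the HTTP status, or "duplicate" if
        identical bytes were already sent (honeypots capture the same binary repeatedly)."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self._seen:
            return "duplicate"
        self.throttle.wait()
        status = (post or self._post)(self.build_request(name, data))
        self._seen.add(digest)
        return status

    def submit_all(self, patterns, post=None):
        """Expand the patterns and submit every file; returns {path: result}."""
        results = {}
        for path in expand_paths(patterns):
            with open(path, "rb") as fh:
                results[path] = self.submit(path, fh.read(), post)
        return results


if __name__ == "__main__":
    SandboxSubmitter("http://example.invalid/submit", "my.email@notta.com").submit_all(["/malware/*"])
```

Used from a cron job, the throttle is the part that matters: with min_interval=10.0 a directory of a few hundred captured binaries is drained over the better part of an hour instead of in a single burst, and the digest set means the same sample arriving under several names is only uploaded once per run.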

If you have any issues running it or just have questions feel free to contact me at jeremy [at] sudosecure [dot] net anytime.

Posted in Scripts, Tools | No Comments »