ASPENSMONSTER

June 19, 2015

Experiments in Blocking Ads on the Twitch Roku App

Filed under: Uncategorized — aspensmonster @ 12:03 am


Wow. So I haven’t written anything for this in ages it seems. I can’t say I have much content to give, but I recently acquired a Roku. It shows ads. I’m not down with appliances I own doing things I don’t like. So I looked into ad-blocking, and sure enough, Reddit has the answer:

http://www.reddit.com/r/Roku/comments/2qiqvn/blocking_advertisments_on_most_roku_devices/

It involves network-level blocking. Not the best approach, but until pervasive rooting efforts are underway for the Roku it’s better than nothing. I utilized the following regex to block the mentioned URLs at Layer 7 on my Mikrotik router device-wide on the FORWARD chain:

^.+(cloudservices.roku.com|doubleclick.net).*$

This will surely have a performance impact, so I’m looking into restricting the packet body check to just the MAC of the Roku. Will update if I figure that out.
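As an added example (not from the original post or the linked Reddit thread), here is the same Layer 7 match expressed as RouterOS configuration and limited to a single source MAC, which is the restriction the paragraph above is after. The rule name, the comment text and the MAC address AA:BB:CC:DD:EE:FF are placeholders; the dots in the host names are escaped so they match literal dots rather than any character.

```routeros
# Added example: Layer 7 ad-host block limited to one Roku by its source MAC.
# AA:BB:CC:DD:EE:FF is a placeholder for the Roku's MAC address.
# Inside RouterOS double-quoted strings a literal backslash is written \\ and a
# literal dollar sign is written \$ (a bare $ would start a variable reference).
/ip firewall layer7-protocol
add name=roku-ads comment="Roku ad hosts, dots escaped" \
    regexp="^.+(cloudservices\\.roku\\.com|doubleclick\\.net).*\$"

/ip firewall filter
# Rules are evaluated top-down: move this above any generic accept in forward.
# log=yes writes a line to /log with the given prefix for every matching packet,
# which is how to confirm which device and connection is hitting the rule.
add chain=forward src-mac-address=AA:BB:CC:DD:EE:FF \
    layer7-protocol=roku-ads action=drop \
    log=yes log-prefix="roku-ads" \
    comment="Drop Roku ad-host connections; other devices are not inspected"
```

Because the rule matches on the Roku's source MAC, the Layer 7 matcher only ever sees the Roku's outbound packets. That is enough for this pattern, since the host name appears in the outbound request (the HTTP Host header, or the SNI field of a TLS ClientHello), but MikroTik's documentation notes that the matcher only inspects the first few packets of a connection, so a name that shows up later in a long-lived connection will not be caught. If the Roku's MAC is inconvenient to match on, give it a static DHCP lease and use src-address instead.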

After restarting the Roku, sure enough, the irritating-ass adverts to the right of my home screen were gone. However, I then noticed that I couldn’t watch any streams from the Twitch app. Any attempt to load a stream –any stream, no matter the viewer count or relative obscurity of the title– was met with a black screen and “Retrieving…” text for approximately 30 seconds, followed by a return to the Roku home screen. It was as if the Twitch app had simply crashed.

I was able to isolate traffic on my network and confirm that it was the Roku hitting the firewall rule when attempting to watch the stream. I’ve got work in the morning, but I’m making it a weekend project to figure out if there’s a way to get ad-blocking working in the Twitch Roku app (and perhaps other apps as well), and perhaps on the Chromecast as well.

August 8, 2014

FinFisher (Gamma International) Leaked Malware Suite Analysis

Filed under: Uncategorized — aspensmonster @ 8:08 pm


0: Some notes

This document will be continually updated in the coming days.

UPDATE September 9 2014: Putting this on hold for now. Lots of other demands on my time at the moment.

Several days ago, a hacker operating under the alias PhineasFisher made the following post on the Anarchism subreddit: http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked/.

This blog post serves as my main/central point from which I hope to analyze the content of these leaks. I have already begun analysis in different spaces:

I’ll likely continue to work in these spaces, but wanted to have a more personal, scratch-pad-like spot to continue to work.


1: Big picture of the leaked content

The hacker has provided his own overview (in a pastebin) of the leaked content.

The torrent file may be downloaded at: http://aspensmonster.com/finfisher.torrent

Directory structure (root directory named “finfisher”):

  • Database.sql – A database containing data for the webapp whose root is found at /finfisher/www/GGI
  • qateam – Contains contents of an internal web server –presumably found after initial penetration of the public-facing webserver at http://finsupport.finfisher.com— that was serving various mobile malware kits. The directory name seems to imply this was used by their QA team
  • www – Presumably the contents of the public-facing webserver
    • conf – site administration stuff. phpmyadmin, webalyzer
    • ffw – a demo of FinFisher Web / FinSpy Web, demonstrating numerous attack vectors for infecting target machines
    • FinFisher – Appears to be a dropbox of sorts for clients to retrieve their purchased kits; Most content is encrypted (as well as protected by an Apache mod_auth_basic username/password dialog), but there is some truly fascinating material in some of the other directories. The bulk of the size of the torrent can be found in these encrypted “Package.zip.gpg”-type files.
      • Sales – Folder containing several archives of sales tools, tool documentation, company roadmaps, and even a pricelist
        • 05_New_Design.rar – Contains boilerplate business forms, like offer templates for prospective clients, license renewals for current clients, and a (relatively recent) pricelist, dated December 16 2013, that also coincidentally leaks some business-related logic (markups, preferred clients, etc)
        • GammaSalesKit.zip – Contains lots of information about the company and its offerings, as well as roadmaps that indicate they were actively working on developing Mac and Linux intrusion capabilities in addition to the traditional Windows targets.
      • Engineers7117 – Folder filled with subdirectories and encrypted files. The directory names, as well as the filenames, seem to indicate that much of the (up-to-date) technical documentation of FinFisher/Gamma International’s catalog could be found within these files, were they decrypted.
    • GGI – Appears to be the root directory of the webapp powering the finsupport subdomain. Mostly just php stuff, but a directory named Attachments has unencrypted stuff that Gamma Group’s clients sent to them, presumably through the finsupport website’s support webform.
      • Support – Holds code for the support form
        • Attachments – Holds LOTS of different attachments, possibly named once again with the short key IDs of the senders (though an initial search found no matches on public key servers). They are unencrypted and include images (typically of FinSpy Master C&C servers failing to boot due to segfaults) and zip/rar archives containing server logs for the “FinSpy Master” Command and Control (C&C) server, which apparently runs on a Debian GNU/Linux base. There is LOTS of interesting material in these logs, along with some basic insight into how this C&C server works; combined with diagrams from the sales material, the logs provide an excellent architectural overview of the product catalog.

Not every file is listed. I tried to only include what looked like the more useful bits for analysis.


2: A first look at corporate structure and product offerings

At this point, I will be referencing files found within the torrent by their names, as well as a sha256 hash of the file.

File: GammaSalesKit.zip -> Gamma Corporate Presentation 2012-02-08_draft.pptx
sha256sum: 2993ecb60c48a16e1d07fa207c0bdf5d3f8c1f16ec33253cef01b5285ea25dc1

[Figure ff_001_corporate_structure: slide 2 from the aforementioned file, diagramming the corporate structure.]

All of these companies fall under the parent company Gamma Group. See Project PM for more information on the Gamma Group. This leak concerns Gamma International, and focuses on (child company?) Finfisher IT Intrusion’s portfolio of technologies. That portfolio is further introduced in slide 7 of the same file:

[Figure ff_002_portfolio_overview: high-level overview of the various components of the portfolio.]

Further detail on this architecture –specifically, how the components communicate with each other– can be found in several brochures, along with a slide from the following file:

File: GammaSalesKit.zip -> FinFisher-Presentation-2012-02-08_final.pptx
sha256sum: 11ef3578be97cfa29d5d44036a6a307cc2d9fac0139124eaf1af5610e2920d96

[Figure ff_003_finspy_communications_architecture: details the communications pathways for the FinSpy product family.]

Of particular importance is the use of relays spread across the internet to shield the FinSpy Master command and control server: an infected target only ever sees a relay's address, never the Master's. Architecturally this is the same design as a typical botnet. Where the FinSpy product suite goes further is in its coverage of the entire communications chain. Whereas typical botnet operators rely mostly on web-based infection –visit a malicious URL, download an infected file– FinFisher IT Intrusion and Gamma International have developed a suite of offerings that can be deployed at attack vectors all along the chain for the purpose of compromising the target with malware. The individual products are described in turn in the same PowerPoint slideshow, and are detailed in the next section.


3: Investigating product capabilities

First, an overview of the available products that can be used to compromise target systems:

Product Name            Description
FinSpy Mobile           Compromises the target's mobile phone: BlackBerry, iOS, Android.
FinSpy                  Refers to the suite of FinFly offerings enumerated below.
FinFly USB              Requires direct access to the machine. Can extract data and infect.
FinFly FireWire         Requires direct access to the machine. Can extract data and infect.
FinFly LAN              Requires direct access to the target's LAN. Can perform various MITM activities.
FinFly NET              Requires that the target join a network under the attacker's control. Can perform various MITM activities.
FinFly ISP              Operates inside the target's ISP. Can MITM traffic either before it reaches the ISP's core network or after.
FinFly Web              Attempts to deploy malware to targets through various web-based attack vectors (see the GitHub repo for the code found in the leaks).
FinFly Exploit Portal   Basically an online repository of 0-days and 1-days that paying customers can integrate into their attacks and deliver to targets using the other FinFly offerings.

Gamma International provides a handy suite of brochures detailing these capabilities, previously leaked by WikiLeaks and more recently by the hacker. The hacker also gained access to some of the software behind the FinSpy Mobile and FinFly Web offerings, as well as customer-provided support documents (images, log files). Using these sources together, a more thorough understanding of the products can be obtained than the brochures alone reveal. Some of the attack vectors have also since been uncovered and disclosed publicly; in particular, the FinFly FireWire attack has been publicly known since 2012 and is largely mitigated.

FinFly Web

See: https://github.com/FinFisher/FinFly-Web
