November 17, 2013

Analyzing Malware? Don't forget to disable Windows Defender

Life's been pretty busy this past year.  In December 2012, I started at GWU on their security team, and in April of 2013, my father passed after a long and difficult illness.  So even though I've continued my studies in forensics, threats, and malware, I haven't written anything in quite some time.  I'm looking forward to posting again here, and at DeepEnd Research.

This post is more along the lines of "tool preparation" as it involves making some tweaks to your analysis system, especially if conducting memory forensics.

A few months ago, I was doing some malware analysis on a Windows 7 memory image.  I noticed a bunch of odd artifacts in the RAM image pertaining to some questionable domain names.  The domain names really didn't relate to the malware under analysis, so I was curious as to what was going on.   I had no AntiVirus or Microsoft's Malicious Software Removal Toolkit installed.   I had thought that I might have been using a non-sterile VM for analysis, so I tried reverting and even reinstalling Windows 7.
I noticed that an original installation of Windows 7 did not exhibit these artifacts, but after a full Windows update, they appeared.  I asked around on a few mailing lists, but most of the responses encouraged me to check for either a tainted VM, or some sort of security software that I had neglected to consider.  That, in fact, turned out to be exactly the case.  So what was it that I was seeing?

The test I did involved a very basic 'strings' dump of the full memory image, grepping for ".ru" and ".com" domains.  The results of this are seen below:

Since posting the domain list to the blog page is triggering many viewers' AntiVirus, I'll add download links for the text files.

Note that this is a grep of the entire RAM image, not looking specifically at which process may be associated with these artifacts.  To do that, we'll use 'Volatility'.

I'll first use the 'yarascan' command to search for a few of the domains in order to determine the associated process:
Volatility 'yarascan' command used to locate strings in a process.
While many of the domains located in the full RAM image did not return any hits in Volatility, a great number of them came back to Process ID 2524, which was 'svchost.exe'.

Next, let's look at what PID 2524 shows for its loaded DLLs:
Loaded DLLs for PID 2524

Note that the command line for PID 2524 was "C:\Windows\System32\svchost.exe -k secsvcs", which is Windows Defender.  In the loaded DLL files, you can see references to Windows Defender as well.  In 2006, Microsoft included Windows Defender as a first line defense against malware, originally as anti-spyware.  It was later superseded by "Microsoft Security Essentials" which, upon installation, will disable "Windows Defender".

Dumping the VAD pages for PID 2524, and searching for our domains of interest yields the name of the VAD page where our domain can be found. A hexdump of that file shows that we're on the right track:

hexdump of the dumped VAD page where the searched domain was located

You can see by this quick analysis that Windows Defender will load a large number of domains into RAM.  It's generally good practice to minimize extraneous artifacts in a sandbox image.  Since Windows Defender is enabled by default in Windows 7, don't forget to disable it via the Services applet before snapshotting your baseline VM.

As I mentioned earlier, there were also many odd domains seen in the full RAM image, that were not associated with a process via the Volatility yarascan. I've not yet accounted for this, so if anyone has any clues or additional analysis, I'd be very happy to hear of it.
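The whole-image string test from this post can be turned into a baseline check. The following is an added example, not code from the original post: it scans a raw image for hostnames in the two TLDs in both ASCII and UTF-16LE, then reports names that appear in a post-run image but not in the clean baseline. The image contents and hostnames are constructed.

```python
import mmap
import os
import re
import tempfile

TLDS = ("ru", "com")  # the two TLDs grepped for in the post


def build_patterns(tlds=TLDS):
    """Return (ascii_regex, utf16le_regex) for hostnames ending in one of tlds."""
    narrow = "|".join(re.escape(t) for t in tlds).encode()
    # UTF-16LE stores each ASCII character followed by a NUL byte.
    wide = "|".join("".join(re.escape(c) + r"\x00" for c in t) for t in tlds).encode()
    ascii_re = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+(?:%s)(?![a-z0-9-])" % narrow, re.I)
    wide_re = re.compile(
        rb"(?:(?:[a-z0-9-]\x00){1,63}\.\x00)+(?:%s)(?![a-z0-9-]\x00)" % wide, re.I)
    return ascii_re, wide_re


def scan_image(path, tlds=TLDS):
    """Map each lower-cased hostname in the raw image to its hit count,
    first file offset and the encodings it was seen in."""
    found = {}
    if os.path.getsize(path) == 0:
        return found  # mmap cannot map an empty file
    patterns = list(zip(("ascii", "utf-16-le"), build_patterns(tlds)))
    # mmap lets the regex engine walk a multi-gigabyte image without loading it.
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
        for encoding, regex in patterns:
            for match in regex.finditer(mem):
                name = match.group().decode(encoding).lower()
                rec = found.setdefault(
                    name, {"count": 0, "first_offset": match.start(), "encodings": set()})
                rec["count"] += 1
                rec["first_offset"] = min(rec["first_offset"], match.start())
                rec["encodings"].add(encoding)
    return found


def new_since_baseline(baseline_path, sample_path, tlds=TLDS):
    """Hostnames present in the post-run image but absent from the baseline image."""
    baseline = scan_image(baseline_path, tlds)
    sample = scan_image(sample_path, tlds)
    return {name: rec for name, rec in sample.items() if name not in baseline}


def write_constructed_images(directory):
    """Write two tiny constructed stand-ins for RAM images; hostnames are made up."""
    noise = b"\x00\x7f" * 8
    baseline = noise + b"http://defs.example.com/list" + noise
    sample = (baseline + "beacon.example.com".encode("utf-16-le") + noise
              + b"see example.community for more" + noise + b"beacon.example.com\x00")
    paths = []
    for name, blob in (("baseline.raw", baseline), ("sample.raw", sample)):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        baseline_img, sample_img = write_constructed_images(tmp)
        for host, rec in sorted(new_since_baseline(baseline_img, sample_img).items()):
            print(f"{host}  hits={rec['count']}  first_offset={rec['first_offset']:#x}  "
                  f"{sorted(rec['encodings'])}")
```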

August 2, 2012

Cridex Analysis using Volatility

Update 1 -  August 5, 2012 - located at end of post


Update 2 -  August 7, 2012 - located at end of post


I had read previous analysis reports about Cridex from various sites such as M86 Security and Kahu Security. At the time, I filed this under "another banking trojan" to track, and moved on to other things.  However, Cridex once again piqued my interest when I saw an excellent analysis by Kimberly at StopMalvertising.  I paid particular attention to her listing of the Cridex C&C servers she observed, as several of these IP blocks were familiar to me. More on this later.   Having obtained the same Cridex sample analyzed by Kimberly,  I was interested to see how Volatility could be used to analyze it.  This Cridex sample had MD5 hash, 734aadd62d0662256a65510271d40048. I executed the sample and dumped the memory for analysis.  A copy of this memory dump is linked at the bottom of this post.

Using the Volatility 'pslist' command, we can see a list of the running processes. However it's instructive to use this in conjunction with the 'psscan' command in order to see those processes that have terminated, are unlinked, or hidden.  In this case, no discrepancies between the two commands jump out at me, but I do notice a couple of things.   First, I see a process, reader_sl.exe, PID1640 start exactly at the same time as its parent process, explorer.exe, PID1484.  I see that the parent process ID for explorer.exe is 1464, which is not listed in either 'pslist' or 'psscan'.  reader_sl.exe is supposedly a safe process, associated with Adobe Speed Launcher, but the launch chain for this seems odd, so I'll keep note of this for now. Next, I see a second wuauclt.exe process start about 15 seconds after the first.  This isn't a major flag, but just something to note.

pslist command
psscan command

The next useful Volatility command that I use for malware analysis is the 'connections' and the 'connscan' commands. Again, running both of these will allow you to see variances, as 'connscan' will show artifacts from previous connections.

connections & connscan commands
Note that 'connections' shows that PID 1484, explorer.exe had an active connection to remote IP address 41.168.5.140 on port 8080.  'connscan' shows an artifact of a previous connection by PID 1484 to remote IP address 125.19.103.198, also on port 8080.  A quick 'whois' shows:

41.168.5.140
netname: NEOTEL
descr: NEOTEL PTY LTD
country: ZA

125.19.103.198
descr: Bharti Tele-Ventures Limited
descr: NEW DELHI
country: IN

Next, running 'sockets' and 'sockscan' will show any listening sockets that may have been initiated by a running process. As in 'connscan', 'sockscan' will show any detected artifacts from previous sockets.  In this case, we see that PID 1484, explorer.exe, opened a listening socket on port 1038 approx. 2 minutes after PID 1484 was created.

sockets and sockscan commands
Running the 'malfind' command against our two suspect processes yields the following:


malfind command on PID 1484 & 1640
In this output, we see that the explorer.exe, PID1484 and reader_sl.exe, PID1640 processes have a PE section located at 0x1460000 and 0x3d0000 respectively.  By using the "-D" switch, 'malfind' can dump those identified segments to a dump directory for further analysis. 

We now enumerate the mutant/mutex objects for the two processes under review.  Note that I used the Volatility 'handles' command, with a subtype selection of "Mutant" in order to specifically select the mutant/mutexes associated with PID 1484 and 1640.  The 'mutantscan' command will give additional information such as its signaled state, its client ID, and which thread acquired the mutant.

process mutexes for PID 1484 & 1640
Via some Google queries, we learn that several of these mutex objects have been seen in other malware, notably:
  • 746bbf3569adEncrypt
  • _SHuassist.mtx
  • SHIMLIB_LOG_MUTEX
  • XMR8149A9A8
Next, we'll dump the VAD segments of each of these processes, run 'strings',  and look for anything interesting. 

vaddump command
'strings' output section from PID 1484, explorer.exe

'strings' output section from PID 1640, reader_sl.exe

Note the advantage of dumping the VAD segments as opposed to the entire process memory is that you can see in which VAD node section the 'strings' hit was located.  In this section, we find a list of banks and financial institutions.   Here are the contents of the Cridex configuration specifically containing references to financial institutions.



In addition to the list above, examining these VAD dumps also shows HTML code referencing or representing web pages of various financial organizations.  The code seems to indicate that these sections are part of the web injection code that is used to obtain personal information from the banking customer.  In my test of Cridex, I did not launch a web browser or continue additional interaction with my infected host.  If I had visited a URL containing these strings, it is believed that Cridex would attempt to log or capture my input, and redirect that personal information back to the controller.

While we're looking for strings, let's see what shows up for the IP addresses 41.168.5.140 & 125.19.103.198 that were seen in the Volatility "connscan" command.


Searching for the directory path after the IP addresses gives us another related IP address, 188.40.0.138:

So via various string searches and some grepping in the VAD dump directory for PID1484 & PID1640 we find these IP addresses of interest:
  • 190.81.107.70
  • 41.168.5.140
  • 85.214.204.32
  • 210.56.23.100
  • 211.44.250.173
  • 125.19.103.198
  • 188.40.0.138
Maltego lets me draw a pretty picture of the IPs, country of registration, and ASN.

Cridex IP addresses, ASN, and country of registration.
Doing some additional research, I noted that at one time or another, several domain names (now suspended) utilized all of the above listed Cridex IPs (except for 188.40.0.138). In fact, these domains each utilized the same 11 to 14 IP addresses, including the Cridex IPs for their DNS "A" records during their brief activity.  Looking at the 'whois' for a sample of these domains shows an entirely different set of IPs used for their NS records... but I digress.



domain:        VALIDATORONMEE.RU
nserver:       ns1.validatoronmee.ru. 62.213.64.161
nserver:       ns2.validatoronmee.ru. 195.62.52.69
nserver:       ns3.validatoronmee.ru. 62.76.191.172
nserver:       ns4.validatoronmee.ru. 41.66.137.155
nserver:       ns5.validatoronmee.ru. 83.170.91.152
nserver:       ns6.validatoronmee.ru. 85.214.204.32
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2012.04.10
paid-till:     2013.04.10

domain:        POLUICENOTGO.RU
nserver:       ns1.poluicenotgo.ru. 62.76.41.3
nserver:       ns2.poluicenotgo.ru. 62.213.64.161
nserver:       ns3.poluicenotgo.ru. 195.88.242.10
nserver:       ns4.poluicenotgo.ru. 41.66.137.155
nserver:       ns5.poluicenotgo.ru. 83.170.91.152
nserver:       ns6.poluicenotgo.ru. 85.214.204.32
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2012.04.15
paid-till:     2013.04.15

domain:        VITALITYSOMER.RU
nserver:       ns1.vitalitysomer.ru. 62.213.64.161
nserver:       ns2.vitalitysomer.ru. 195.62.52.69
nserver:       ns3.vitalitysomer.ru. 62.76.191.172
nserver:       ns4.vitalitysomer.ru. 41.66.137.155
nserver:       ns5.vitalitysomer.ru. 83.170.91.152
nserver:       ns6.vitalitysomer.ru. 85.214.204.32
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2012.04.10
paid-till:     2013.04.10


There is much more that you can do with this Cridex memory dump. For example, you can use 'apihooks' on the two processes, then drop into 'volshell' and browse through the pages. You could find the loaded DLLs, or extract a process of interest.  

For your added research, I've posted a link to the Cridex memory image below.  I didn't extract other forensic objects for this sample, but as I mentioned in my last post, I plan to do that for other samples going forward.
-------------------------------------------------------------------------------------------------------------------------------

Update 1 - August 5, 2012


In the comments section, Tamer Hassan posted a question referencing PID 1464. That PID is most likely a terminated process where 'psscan' didn't find any associated remnants. However it might be interesting to search for references to executable files.  Since we know that PID 1464 was the parent to PID 1484, it's worth looking for registry artifacts typically used by malware.  Volatility allows you to carve through the registry that is resident in memory and display subkeys, values, and data. In this example, I looked for keys and values associated with "Software\Microsoft\Windows\CurrentVersion\Run". This is accomplished via the 'printkey' command:

python vol.py -f /home/ezio77/cridex.vmem --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"

Since 'printkey' will go through all hives, you will get multiple hits related to the key in your search.  After displaying multiple hives each with a Last Update date of either 2012-04-12 or 2012-04-13,  you'll see the following:

Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT
Key name: Run (S)
Last updated: 2012-07-22 02:31:51 
Subkeys:
Values:
REG_SZ        KB00207877.exe  : (S) "C:\Documents and Settings\Robert\Application Data\KB00207877.exe"

Perhaps KB00207877.exe was PID 1464?  It's not clear via Volatility at this point, but it's most likely just a copy of the original with an updated registry key. Referring to Microsoft's encyclopedia entry for "Worm:Win32/Cridex.G", they reference:

subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB<eight-digit number>.exe"
With data: "%AppData%\KB<eight-digit number>.exe"

Additionally, the VirusTotal analysis for this sample shows references to this naming convention as well. (Scroll to bottom and select "Additional Information")

In any case, it's good info for further analysis, including examining other registry hives.
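The Run-key check described in this update can be automated. The following is an added example, not code from the original post or from Volatility: it parses 'printkey' text output and flags values that follow the "KB<eight-digit number>.exe" in %AppData% convention quoted above. The first sample record is the output shown in this post; the second record and the parsing of the line layout are assumptions made for the example.

```python
import ntpath
import re

# Naming convention quoted above from the Worm:Win32/Cridex.G entry:
# value "KB<eight-digit number>.exe", data "%AppData%\KB<eight-digit number>.exe".
KB_NAME = re.compile(r"^KB\d{8}\.exe$", re.I)
# Where %AppData% resolves on XP and on Vista and later, plus the unexpanded form.
APPDATA_DIRS = ("\\application data\\", "\\appdata\\roaming\\", "%appdata%\\")
VALUE_LINE = re.compile(r"^(REG_\w+)\s+(.*?)\s*:\s+\(([SV])\)\s+(.*)$")

# First record: output shown in the post. Second record: constructed for contrast.
SAMPLE_PRINTKEY = r'''
Registry: \Device\HarddiskVolume1\Documents and Settings\Robert\NTUSER.DAT
Key name: Run (S)
Last updated: 2012-07-22 02:31:51
Subkeys:
Values:
REG_SZ        KB00207877.exe  : (S) "C:\Documents and Settings\Robert\Application Data\KB00207877.exe"

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Run (S)
Last updated: 2012-04-12 21:03:10
Subkeys:
Values:
REG_SZ        ExampleUpdater  : (S) "C:\Program Files\Example\updater.exe" /background
'''


def parse_printkey(text):
    """Yield one dict per registry value, tagged with the hive and key it came from."""
    hive = key = updated = None
    in_values = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Registry:"):
            hive, key, updated = line.split(":", 1)[1].strip(), None, None
            in_values = False
        elif line.startswith("Key name:"):
            key = line.split(":", 1)[1].strip()
        elif line.startswith("Last updated:"):
            updated = line.split(":", 1)[1].strip()
        elif line.startswith("Subkeys:"):
            in_values = False
        elif line.startswith("Values:"):
            in_values = True
        elif in_values:
            match = VALUE_LINE.match(line)
            if match:
                yield {"hive": hive, "key": key, "updated": updated,
                       "type": match.group(1), "name": match.group(2),
                       "data": match.group(4)}


def executable_path(data):
    """Pull the program path out of Run-value data: quoted path, else text up to .exe."""
    match = re.match(r'"([^"]+)"|(.+?\.exe)\b|(\S+)', data.strip(), re.I)
    if not match:
        return ""
    return next(group for group in match.groups() if group)


def cridex_style_run_values(text):
    """Return values named KB<8 digits>.exe whose data is the same file under %AppData%."""
    hits = []
    for value in parse_printkey(text):
        path = executable_path(value["data"])
        same_file = ntpath.basename(path).lower() == value["name"].lower()
        in_appdata = any(part in path.lower() for part in APPDATA_DIRS)
        if KB_NAME.match(value["name"]) and same_file and in_appdata:
            hits.append({**value, "path": path})
    return hits


if __name__ == "__main__":
    for hit in cridex_style_run_values(SAMPLE_PRINTKEY):
        print(f"{hit['updated']}  {hit['hive']}\n    {hit['name']} -> {hit['path']}")
```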
-------------------------------------------------------------------------------------------------------------------------------

Update 2 - August 7, 2012

Michael Ligh was kind enough to drop me a note about the parent of 'explorer.exe'. Michael is one of the key contributors to the Volatility project, as well as one of the authors of the "Malware Analyst's Cookbook and DVD". He referenced an excerpt from his book where it explains that the parent of 'explorer.exe' is 'userinit.exe', which upon completion, will terminate, leaving 'explorer.exe' without a parent.  From the "Malware Analyst's Cookbook", pg 585:
Details aren’t available for the process with Pid 1536 (which appears to have created
explorer.exe). However, based on what you know about the boot sequence,
Pid 1536 probably belonged to userinit.exe—but it has since exited. Winlogon.exe
launches userinit.exe, which in turn launches explorer.exe. Once userinit.exe is
finished, it terminates, leaving explorer.exe without a parent process. It is still possible
to determine a process’s parent, even after the parent exits, by looking at the
_EPROCESS.InheritedFromUniqueProcessId field.
Many thanks Michael! 

-------------------------------------------------------------------------------------------------------------------------------
cridex_memdump.zip (40MB)
-------------------------------------------------------------------------------------------------------------------------------


July 31, 2012

Sharing of Forensically Interesting Objects

As I go through various forensic cases and malware studies, I often find myself producing memory dumps of the host systems under examination.  I also dump registry hives and other objects related to my analysis.  I gave some thought as to whether there would be a benefit to the community in my sharing of these objects.  A few months back, I had a nice email exchange with Harlan Carvey of the Windows Incident Response blog.  We discussed various ways in which the malware analysis community could better collaborate with the forensics community, particularly in the area of sharing objects for analysis.  I had mentioned my thoughts as far as sharing memory dumps and other objects from various malware cases that I was working on.  Harlan encouraged me to move forward on this, and provide forensically "interesting" objects, just short of a disk image that would require Microsoft licensing.

So going forward, I will be posting analysis of various malware, along with objects consisting of memory dumps, registry hives, pcaps, and anything else that might be interesting.  You can use analysis tools such as Volatility or Mandiant's Redline with the memory dumps, while RegRipper is a very cool tool to use on registry hives.  It would be great to hear feedback on how you'll be using these objects, and the tools used in your analysis.

I'll rely on the community to let me know what is useful, and what else they might like to see.  I'd also be happy to take in any samples or items for analysis, which I'll post, as well as the objects.  None of what I post here will be related to my dayjob. It will be only what I research for myself, my other efforts, or as part of DeepEnd Research.

Please feel free to contact me with any ideas or suggestions. I'm looking forward to making this a useful resource for all who are interested!  Many thanks to Harlan for the encouragement!


December 12, 2011

Decoding malware SSL using Burp proxy

When performing dynamic analysis of malware, you will occasionally encounter SSL being utilized for network communication, thus preventing you from analyzing the content.  Typically Wireshark is utilized to examine network traffic at the packet level. Wireshark has an SSL dissector that allows for the decryption of SSL traffic if you provide the decryption keys. This technique is described in detail on the Wireshark wiki.   However, I prefer to use an intercepting proxy to attempt the SSL analysis. The proxy will use its own SSL server certificate to negotiate and establish an encrypted session with the remote host. Essentially you are using the proxy to "Man-in-the-Middle" the malware's connection to the remote server.

My proxy of choice is BurpSuite, however you can utilize other proxies such as Paros, Webscarab, or Fiddler.  Burp has a very cool feature called "Invisible proxying" that handles non-proxy style requests.  This can be of good use when the malware you are analyzing generates its own HTTP or HTTPS requests outside of a browser framework.

I'll first provide an example where a particular malware specimen was utilizing SSL to communicate with Craigslist.  In this case, the malware appeared to be retrieving a variety of fake postings associated with various email addresses.  The posting title and description contained what is likely encrypted data.  The following image shows Wireshark displaying SSL traffic between the malware infected host and Craigslist.  The SSL negotiation and data are evident in the stream, however being SSL, you can't read it!


However when using Burp as an intercepting proxy, you can easily see the SSL traffic and get a pretty good idea of what the malware is doing.  Here, you can see the client GET to https://post.craigslist.org


The following images show the Raw, html, and rendered page views of the server response.


Burp also allows you to export the proxied traffic to an XML file. There is also an option to Base64 encode all requests and responses. The image below shows an example of the exported data.
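An exported file with Base64-encoded messages can be post-processed offline. The following is an added example, not code from the original post or from Burp: it decodes each item's request and response and summarizes the request line, User-Agent and response status. The element and attribute names (items, item, url, host, request, response, base64) are assumptions about the export layout, and the sample export is constructed.

```python
import base64
import xml.etree.ElementTree as ET


def build_constructed_export():
    """Constructed stand-in for an XML export with Base64-encoded messages."""
    request = (b"GET / HTTP/1.1\r\nHost: post.craigslist.org\r\n"
               b"User-Agent: constructed-sample\r\n\r\n")
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html><title>constructed posting</title></html>")

    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    return (
        "<items>"
        "<item>"
        "<url><![CDATA[https://post.craigslist.org/]]></url>"
        '<host ip="192.0.2.10">post.craigslist.org</host>'
        "<port>443</port><protocol>https</protocol>"
        f'<request base64="true"><![CDATA[{b64(request)}]]></request>'
        "<status>200</status>"
        f'<response base64="true"><![CDATA[{b64(response)}]]></response>'
        "</item>"
        "</items>"
    )


def message_bytes(element):
    """Return the raw bytes of a request/response element, undoing Base64 if flagged."""
    if element is None or element.text is None:
        return b""
    if element.get("base64") == "true":
        return base64.b64decode(element.text)
    return element.text.encode("latin-1", errors="replace")


def split_http(raw):
    """Split a raw HTTP message into (start line, lower-cased headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def summarize_export(xml_text):
    """Return one summary dict per exported item."""
    rows = []
    for item in ET.fromstring(xml_text).iter("item"):
        req_line, req_headers, _ = split_http(message_bytes(item.find("request")))
        resp_line, resp_headers, body = split_http(message_bytes(item.find("response")))
        rows.append({
            "url": (item.findtext("url") or "").strip(),
            "host": (item.findtext("host") or "").strip(),
            "request_line": req_line,
            "user_agent": req_headers.get("user-agent", ""),
            "status_line": resp_line,
            "content_type": resp_headers.get("content-type", ""),
            "body": body,
        })
    return rows


if __name__ == "__main__":
    for row in summarize_export(build_constructed_export()):
        print(f"{row['request_line']}  ->  {row['status_line']}")
        print(f"  url={row['url']}  ua={row['user_agent']!r}  body={len(row['body'])} bytes")
```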



Now that we've seen an example of SSL decoding using Burp, I'll describe the basic setup and configuration of my environment.  You certainly don't have to use this exact setup, as I'm just describing what I do and what works for me.  Make adjustments accordingly to suit what you are using.

  • I use VMWare workstation Version 7 on an Ubuntu Linux 10.04 Server host. My guest virtual machine is Windows XP SP3. The virtual machine is setup in bridged networking mode.  I have the Burp proxy and Wireshark installed on my linux host.

  • You will need to allow the linux host to forward network traffic from the virtual machine. In order to do this, you need to enable IP forwarding via the following:
    • user@linux1:~$ sudo su
    • root@linux1:/home/user# echo 1 > /proc/sys/net/ipv4/ip_forward

  • Next, you'll need to set up an iptables rule to redirect http and https traffic to the Burp proxy which is listening by default on port 8080. This is done via:
    • user@linux1:~$ sudo iptables -P FORWARD ACCEPT
    • user@linux1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    • user@linux1:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080

  • Boot your guest virtual machine and manually configure your network settings as follows:
    • Manually set the IP address of the guest to an unused IP address on the same subnet as your linux host.
    • Set the Gateway to the IP address of your linux host.
    • Set the DNS server IP address to that of a host on your subnet that will forward DNS requests. This isn't strictly required, as you can also set it to any public DNS server. For consistency, I set mine to my local router.

  • Turn OFF the XP Firewall.

  • Configure Burp to do invisible proxying and to listen on all interfaces.  If you don't want Burp to intercept each request, you can disable that at this time.

  • Shutdown your guest virtual machine and take a snapshot.  Restart the guest and test the proxy by browsing to any web site. You should see the traffic in Burp.  If you browse to a site using https, you will also see a browser warning error about the SSL certificate. This is because the certificate presented by Burp is not signed by a trusted authority, so the browser gives a warning.  Keep this in mind as we begin to see malware utilizing SSL certificates.  Now, you can shutdown the guest VM, revert to the recent snapshot, and be ready to go.  I also like to run wireshark on the host to match up the packet level traffic with the Burp data.   I'd recommend using a capture filter on Wireshark that only captures traffic to/from the guest VM.

      This post showed how the use of an intercepting proxy can allow you to decode an SSL traffic stream and better support your dynamic malware analysis efforts.  Decoding SSL traffic is just one small part of what can be done with this tool.  It's well worth the investment to utilize an intercepting proxy with its many other features as a routine part of your analysis process.  




      October 19, 2011

      Welcome to DeepEnd Research

      I wanted to provide a link to another effort I am pleased to be involved in:  DeepEnd Research.

      From the website: "We are pleased to introduce DeepEnd Research, an independent information security research group that will focus on threat and intelligence analysis. Our emphasis will be on malware, exploit analysis, botnet tracking, the underground economy and overall cyberthreats. We will blog about various collection and analysis techniques, observations, and other areas of interest."

      "Another primary goal of DeepEnd Research is to foster collaborative research and analysis efforts with other security groups and organizations. We welcome any opportunities or inquiries as to projects involving common areas of interest."

      I just posted DeepEnd's first blog entry, "Dirt Jumper DDoS Bot - New versions, New targets" a combined research and analysis effort with Mila Parkour of Contagio.

      June 19, 2011

      I2P...The *other* Anonymous Network


      One of the more interesting aspects of the Internet is the area of anonymity and hidden services. While many people are familiar with the Tor network, there is another "network" that is rapidly gaining in popularity. The I2P Anonymous Network is a peer-to-peer network in which all traffic is encrypted end-to-end.  I became interested in I2P after seeing a tweet by @OpBritain where I2P was mentioned.
      While looking into I2P further, I saw several pastebins where it was again mentioned and discussed.

      From the I2P website, "I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. I2P is designed to allow peers using I2P to communicate with each other anonymously — both sender and recipient are unidentifiable to each other as well as to third parties."

      Unlike Tor, where a "directory" of the network is maintained, I2P maintains its network database via peer profiling and router info. The I2P network selects its peers by a profiling process that continually ranks performance and updates the "I2P netDb", which contains constantly updated router contact information called "RouterInfos" and destination contact information called "LeaseSets". This netDb is distributed via a technique called "floodfill", where a smaller subset of I2P routers, known as the "floodfill routers", will maintain this distributed database.

      I2P uses virtual, unidirectional tunnels that pass through a series of routers, and are typically 2 to 3 hops. Each round trip message and reply will require four tunnels: one each for the sender and recipient's inbound and outbound traffic. Tunnels are created using what is known as "Garlic Routing" (a shot at Tor's Onion routing??). A tunnel build message is sent via Garlic routing to an I2P router requesting that it participate in the tunnel.

      One of the primary uses of I2P is via an I2PTunnel application which allows for familiar TCP/IP applications to be run through the I2P network.

      I2P has been around since 2003 and has a Java client that runs on Windows, Linux, and MacOS. After installation, you are presented with a very comprehensive control and informational page.


      Peer profiles and UDP connections

      I2P Services

      There are many anonymous and encrypted services that can be utilized via the I2P tunnels including:
      • EEPSITES
        • Browsing to websites within the I2P network (called eepsites) as well as anonymous browsing to public sites. A custom build of Firefox called I2PFox that is hardened and built specifically for I2P is also available.
        • Hosting of your own eepsite. You can make your eepsite exclusive to I2P, or also available to a public browser.
        • Search. You can search for I2P content and sites via http://eepsites.com. You can also use Google to find http://xxxx.i2P.to websites accessible without I2P proxy.
      • EMAIL
        • Susimail/2IpMail. Anonymous email to/from public Internet. More on this below.
        • I2P-Bote accessible via http://i2pbote.i2p 
      • FILE SHARING
      • IRC AND INSTANT MESSENGER
        • IRC. Anonymous chat via a local IRC tunnel that directs to one of two I2P IRC servers. There is also an I2P Instant Messenger and the ability to run your own anonymous chat servers.  More on this below.
        • I2P-Messenger  encrypted, serverless instant messenger.
        •  Jabber via i2pjabber.i2p
      • DATA STORAGE  
        • Tahoe-LAFS. You can use it from within the I2P network.
      • FORUMS AND BLOGGING
        • Syndie. System for distributed anonymous forums.

      Addressing and Naming Services

      I2P utilizes a 516 byte crypto identifier key to refer to routers and any end point services. All destinations in I2P are referenced by this key. Three local host files are used to map destination names to their crypto key, similar to traditional DNS. I2P users can discover new destinations by subscribing to other published "addressbooks" via a configured "web of trust". I2P uses an "addressbook" application to merge these external host lists with the local host files. A "SusiDNS" application is also provided to facilitate the user's management of their host lists and addressbook configuration. The Subscriptions page allows you to add additional public subscription sites in addition to the default http://www.i2p2.i2p/hosts.txt, such as
      • http://i2host.i2p/cgi-bin/i2hostetag
      • http://stats.i2p/cgi-bin/newhosts.txt
      • http://tino.i2p/hosts.txt
      • http://inr.i2p/export/alive-hosts.txt

      Basic Naming Services Architecture

      Default Addressbook
      External Destination List






      EEPSITES
      An "eepsite" is simply a website that is hosted anonymously within the I2P network and accessed via HTTP tunneled back via I2P. This is similar to Tor "hidden services".

      An I2P user would access these sites by setting their web browser's HTTP proxy to localhost:4444, and localhost:4445 for HTTPS.  An I2P eepsite will have a URL with .i2p as its top level domain, such as http://sempersecurus.i2p. By use of an "outproxy", an I2P user will also have access to external HTTP, HTTPS, and email services. The I2P "httpclient" application allows for this outproxying. If the requested hostname does not end in .i2p, a random outproxy will be selected from a user provided list, and the request will be sent there.  These outproxies are basically I2P servers that are voluntarily run specifically as an outproxy. No I2P router instance is an outproxy by default.

      Some eepsite operators will make their sites publicly available outside the I2P network. Those sites can be accessed by appending a ".to" to the I2P domain, such as http://sempersecurus.i2p.to

      There are a wide variety of eepsites running in the I2P network. Just reading through the addressbook listings is interesting and reflects the scope of material you can find in I2P.

      Homepages of various eepsites.

      The internal I2P web landscape reminds one of the public Internet from the mid 90's. Searching is rudimentary, some sites work great while others are barely usable and are functional only for a few hours a day. However, availability is not the objective with eepsites, anonymity is.

      It's very easy to setup your own eepsite within the I2P network. Comprehensive instructions are found within the local help files, as well as from the resources listed below. In a nutshell, a site is created as follows:

      • A site name is selected that won't collide with the name of another eepsite currently listed in the I2P addressbook. Add your new site name to the eepsite I2P tunnel configuration page.
      • Content is placed in a 'docroot' folder which  is created at installation.
      • Start the eepsite from your router control panel.
      • Highlight the full destination crypto key that was created for your site.
      • Enter the eepsite name and the crypto key into your master address book. Additionally, you should now register your .i2p domain in one of the I2P address books. The I2P routers periodically pull address book updates from these sites, so eventually your site will be listed across the I2P network. 

      The images below show a test eepsite I set up within minutes. There is also a pcap of the browsing session, but note that the traffic is via an encrypted tunnel.




      EMAIL- SusiMail basics
      A java email client called Susimail can be accessed directly from the I2P router console window at http://localhost:7657/susimail/susimail. SusiMail allows you to send and retrieve I2P mail and was designed specifically for strong I2P privacy and anonymity. Creating an email account takes minutes via a Postman HQ site, and chances are good that you can get your coveted address, the one you could never get on Gmail :) Oddly, I2P email only accepts letters and numbers for the password. The interface is spartan, but it works quite well most of the time.
      Webmail login page

      "Your password is too complicated"

      How I2P email works
      The following illustrations indicate the mail flow between the I2P network and the public Internet. They are based on the text explanations kindly provided by the Postman at http://hq.postman.i2p
      I2P mail to the Internet

      Internet mail back to I2P


      I2P Message headers
      According to HQ Postman, the I2P MTA (Mail Transfer Agent) provides the following sanitizing of message headers: 
      "All User-Agent: and X-Mailer: header lines are automatically removed and replaced by the line X-Mailer: smtp.postman.i2p Official I2P Mailer.
      - All X- header lines are completely removed
      - All message IDs are replaced by server-side generated message-IDs
      - All Date: tags are removed and replaced by server-side generated Dates in UTC
      - All Received: tags are removed (apart from the very last one)"
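The quoted rules can be traced on a single message. The following is an added illustration, not Postman's code: the sample message, its hosts and addresses, and the `mta.example` Message-ID domain are constructed, and "the very last one" is assumed to mean the most recently added Received line.

```python
from email import message_from_string
from email.utils import formatdate, make_msgid

MAILER = "smtp.postman.i2p Official I2P Mailer"   # replacement line quoted above
MSGID_DOMAIN = "mta.example"                      # placeholder, not from the page
STRIP = {"user-agent", "message-id", "date", "received"}

# Constructed sample message; hosts, addresses and IDs are made up.
SAMPLE = """\
Received: from relay.example ([192.0.2.10]) by mta.example; Sat, 16 Nov 2013 21:04:11 -0500
Received: from desktop ([198.51.100.7]) by relay.example; Sat, 16 Nov 2013 21:04:09 -0500
Message-ID: <5288210B.4030401@desktop.example>
Date: Sat, 16 Nov 2013 21:04:08 -0500
User-Agent: ExampleMail/24.1 (Windows NT 6.1)
X-Originating-IP: [198.51.100.7]
X-Mailer: ExampleClient 1.0
From: tester@example.i2p
To: someone@example.com
Subject: header test

body text
"""

def sanitize(raw, now=None):
    """Return a Message with the five quoted header rules applied."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    for name in {k.lower() for k in msg.keys()}:
        # User-Agent and every X-* line go (X-Mailer included); Message-ID,
        # Date and Received are dropped here and rebuilt server-side below.
        if name.startswith("x-") or name in STRIP:
            del msg[name]          # removes every occurrence, case-insensitively
    msg["X-Mailer"] = MAILER
    msg["Message-ID"] = make_msgid(domain=MSGID_DOMAIN)
    msg["Date"] = formatdate(now, usegmt=True)   # server clock, UTC
    if received:
        # Assumption: "the very last one" is the most recently added line,
        # which is the first Received header in the message.
        msg["Received"] = received[0]
    return msg

def removed_headers(raw, clean):
    """Header names present in the original but absent after sanitizing."""
    before = {k.lower() for k in message_from_string(raw).keys()}
    return sorted(before - {k.lower() for k in clean.keys()})

if __name__ == "__main__":
    clean = sanitize(SAMPLE)
    print(clean.as_string())
    print("removed:", removed_headers(SAMPLE, clean))
```

In the sample, the client's address appears only in the second Received line and in X-Originating-IP, so neither survives; From, To, Subject and the body pass through unchanged.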
      The following chart compares the email headers from test messages sent between I2P and Gmail.


      Measures to prevent abuse
      There are several good resources online pertaining to the basics of I2P mail; I just want to address a concern often expressed about anonymous mail services - abuse and its potential usage for spam and malware distribution.

      Spam
      To prevent abuse, I2P mail sets a quota for outgoing mail of 20 recipients per day. Every day at 0:00 UTC the quota is reset. You can “buy” up to 80 recipients a day by paying in hashcash tokens / CPU cycles. You cannot “hoard” your recipient quota; the number is reset to 20 every day. Additionally, there are limits on how much mail you can store and for how long. Old mail gets deleted after 180 days, but you can easily download it via POP3.
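What "paying in CPU cycles" means is easiest to see in code. This added example uses the generic hashcash version 1 stamp (SHA-1 with a required number of leading zero bits); it is not Postman's implementation, and the stamp parameters I2P mail actually accepts are not described here. The address and bit counts are constructed.

```python
import hashlib
import secrets
import time
from itertools import count

def zero_bits(digest):
    """Count the leading zero bits of a hash digest."""
    n = 0
    for byte in digest:
        if byte:
            return n + 8 - byte.bit_length()
        n += 8
    return n

def mint(resource, bits):
    """Sender side: brute-force a counter until the stamp hash has `bits` zero bits."""
    date = time.strftime("%y%m%d", time.gmtime())
    # Fields: version:bits:date:resource:extension:random:counter
    prefix = f"1:{bits}:{date}:{resource}::{secrets.token_urlsafe(9)}:"
    for counter in count():
        stamp = prefix + format(counter, "x")
        if zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp, resource, min_bits, spent):
    """Server side: one hash to check; each stamp is accepted only once."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False
    claimed = int(fields[1])
    if fields[3] != resource or claimed < min_bits or stamp in spent:
        return False
    if zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return False
    # A production verifier would also reject stamps whose date field is stale.
    spent.add(stamp)
    return True

if __name__ == "__main__":
    spent = set()
    stamp = mint("tester@example.i2p", 16)   # about 65,000 hashes on average
    print(stamp, verify(stamp, "tester@example.i2p", 16, spent))
```

Each extra bit doubles the sender's expected work while verification stays a single hash, which is why the scheme prices bulk sending without burdening the server.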

      Relay and spoofing
      You can use only your own address as the return path and the auth login name has to match the sender. The sender is able to forge the "From" address but the return path is added by the MTA and will match the actual sender.

      Settings available for I2P email accounts 

      Hello snail mail
      Well, not exactly snail speed, but by default messages are delayed 20-50 min to provide further anonymity by skewing the time you appear to be online.  In several testing runs, the delay was seen to be as much as 3 hours. This delay setting can be changed in the Account Management section to deliver ‘immediately’. With that setting, test emails between I2P and Gmail arrived almost instantly.


      All these measures and features make the use of I2P mail for spamming and phishing rather impractical. An attacker would find it easier to use a compromised or misconfigured relay server or free webmail as opposed to I2P mail. Again, the primary goal of I2P email is anonymity.


      IRC

      I2P maintains anonymous IRC servers that can easily be accessed via an IRC client such as mIRC or xchat. After establishing a connection with I2P, pointing the IRC client to 127.0.0.1, port 6668 will get you connected. There are many channels available on the I2P server, and users can create their own.

      Various channels on the I2P IRC server

      An I2P user can also establish their own IRC server and allow other I2P users to access it. The server is established much as an eepsite is built: a hostname and crypto key are generated for the particular destination. To connect to another I2P user's private IRC server, you had to modify your subscription list to add the crypto keys of the destination. Next, you would create a tunnel to the destination and add that to your router address book while selecting a connection port (e.g. 6669). At that point, pointing your IRC client to localhost, port 6669 would get you connected.

      Since June 2010, I2P has supported a SOCKS IRC tunnel for clients supporting SOCKS5. By configuring your IRC client to use SOCKS5 at localhost, port 9052, you can connect to any I2P IRC server through your client, without setting up separate tunnels for each.


      I2P Stats, Additional Information, and Resources


      Stats NETDB - http://stats.i2p.to
      I2P is a much smaller network than better-known networks like Tor, but it has seen continuous growth over the past year. The best source of current information about the total number of routers, the network health, and other data collected over the years about I2P is located at http://stats.i2p.to. As you can see below, at the time of the screenshot, there were 4665 routers available online, roughly twice as many as were available a year ago.  The number is constantly changing; please see the site for the most current information.


      Official I2P site - http://www.i2p2.de
      The Official site is the best place to start as it has the most comprehensive information about available services, installation, and resources.

      Papers, Presentations, and Videos about I2P - Site maintained on the primary I2P Website. Updated regularly.

      ZZZ - http://zzz.i2p (Accessible via I2P proxy only)
      Once you are on I2P, this is the best source of information for patches, updates, tips and help.

      Forum - http://forum.i2p2.de
      A very active I2P user forum. Ask questions, read answers. Full of news, announcements, and discussions.

      Irongeek - http://irongeek.com
      Adrian Crenshaw's Irongeek.com site is an excellent resource for how-to videos, presentations, and security research related to I2P. Check out his Black Hat presentation, "Identifying the true IP/network identity of I2P service hosts".

      Privacy-Implications of Performance-Based Peer Selection by Onion-Routers: A Real-World Case Study using I2P - Master's thesis by Michael Herrmann - Technische Universität München

      -------------------------------------------------------------------------------------------------------------------------------
      I want to particularly thank Mila Parkour of Contagio for her excellent assistance, research, and illustrations.