DDEAUTO Opens Webpage

We have already posted about DDEAUTO, but thought we’d show another one just as it’s slightly different.
If a document opens and you are greeted by a pop up of any kind, then I’d say 99 times out of a hundred, it’s going to be a malicious exploit and you should just close and delete the document immediately and run a full Anti-Virus scan with at least 3 different free scanners.
Then 2 weeks later re-run all the scans again.

The DDEAUTO Exploit in all Microsoft Office Documents

This is the new exploit which is everywhere at the moment.
It’s a little different to the typical Macro exploits which are normally used.
In general you will need to click on 2 pop ups to allow the exploit to run, however since writing this I have played around a bit more and managed to get it down to only one pop up.
The point here in this video however is to show that if you read what the pop up says, you should not be clicking on it in any circumstances.
It’s true that some documents are linked dynamically to keep all data in linked sheets up to date. However if you are using one of these you would normally know about it.
If you don’t normally use documents with linked data and you open one which asks you to allow linked data, don’t just click OK! If you know who sent it, ask them what it is, and if you don’t know where it came from you probably should even be opening the attachment in the first place!
Then after clicking yes to the first pop up, we receive a second one, this is generally where the exploit will run. Ours is very obviously named for the sake of this demonstration, but an attacker would be trying their best to disguise it.
We hope that by watching this video you will be a little bit more educated and perhaps won’t click on that pop up box if you receive one of these emails!
Enjoy the Video.

Excel Malicious Macro Attachment

Hello again.
It’s 2017 and we are still enabling Macros in documents we receive via email! (Come on people!)
Anyways, there are still people out there who don’t believe a macro can be used this way, so here is a quick video you can show them.
In this short clip a user receives an email from Jerry.random@uk-company.com, but you can clearly see it actually came from a gmail address, and it contains an Excel invoice attachment.
In this example we have Excel set to not allow Macros to run automatically, but we are aware that a lot of people don’t use this setting (you nut-cases!).
Notice that nothing happens until the Macro is enabled!
Don’t enable a macro unless you are 100% sure of what it is.
The Excel sheet contains a simple macro which opens IE and goes to a website. This demonstrates how easy it is for an attacker to use a macro to either install malware or ransomware.  We have used this method in our demo as it is very quick and visual and seems to get the point across better than a more complicated example.

Fake URL in Email

IT’s 2017 and we are still clicking on links in emails!
This is a quick video to demonstrate how a link in an email displaying one address can take you somewhere completely different!
We’re going to follow this up with some videos showing malicious attachments.
Don’t trust emails!

Install OSSEC 2.9.2 on Ubuntu 16.04 To Monitor Multiple Servers

We have previously posted on how to install and configure Security Onion (see here) with a minimal guide on OSSEC.
I wanted to install OSSEC on it’s own server and monitor other servers separately from Security Onion, so here is the guide.
This was all performed on a fresh install of ubuntu 16.04
Update our repository as always.

sudo apt get update

Then we need to get the prerequesites before installing OSSEC.

sudo apt-get install build-essential

Now download the latest version

wget https://github.com/ossec/ossec-hids/archive/2.9.2.tar.gz

You will want to verify the checksum hash if this is going into a production environment. (We’ll do tutorial on verifying hashes in the future)
Now we extract the tar file we just downloaded

sudo tar -zxvf 2.9.2.tar.gz

I then had a folder named ossec-hids, so we cd into it

cd ossec-hids

Then run the install script.

sudo ./install.sh

Now you will need to answer the questions:

  • Installation type – server
  • Where to install – use the default (just hit enter)
  • Email notification – y (then enter your email address and smtp details)
  • Run Integrity Check – y
  • Run rootkit detection – y
  • Enable firewall drop – y (you can add your IP address to the whitelist, just in case)
  • Hit enter – If you get any errors then most likely your build-essential has not installed correctly)

Now were ready to fire up OSSEC

sudo /var/ossec/bin/ossec-control start

or check the status like this

sudo /var/ossec/bin/ossec-control status

Now we need to go over to our server which we want to monitor as an agent
Now on this server (also ubuntu) we run very similar commands as before:

sudo apt-get update
sudo apt-get install build-essential
wget https://github.com/ossec/ossec-hids/archive/2.9.2.tar.gz
sudo tar -zxvf 2.9.2.tar.gz
cd ossec-hids
sudo ./install.sh

Now you will need to answer the questions:

  • Installation type – agent
  • Where to install – use the default (just hit enter)
  • Server IP address (this is the IP address of your monitoring server)
  • Run Integrity Check – y
  • Run rootkit detection – y
  • Enable firewall drop – y (you can add your IP address to the whitelist, just in case)
  • Hit enter – If you get any errors then most likely your build-essential has not installed correctly)

Now back to the OSSEC Server so we can add the new agent allowing the two to communicate.

sudo /var/ossec/bin/manage_agents

Select ‘a’ from the options and complete the details for the agent.
Now the agent is added we need to extract the unique key and import it to the agent server.
Select option ‘e’ then make a note of the key or paste it into a file.
When finished select ‘q’ to quit.
Now we return the the agent Server and run

sudo /var/ossec/manage_agents

This time select ‘i’ to import, then copy or paste your key as instructed.
If the key is correct you should get a success message.
Now we need to restart our agent server, then log back in and check that OSSEC is running.

sudo /var/ossec/bin/ossec-control status

If it is not running then use

sudo /var/ossec/bin/ossec-control start

Back on the monitoring server we need to restart the services like so.

sudo /var/ossec/bin/ossec-control restart

That’s it. If you setup email alerts you will already have some notifying you of logins and agents being added.
In a future blog we will look at adding our own alerts.

Install Wireshark on Ubuntu

Wireshark is the best network capture tool out there, so start using it now!
Open up a Terminal and run

sudo apt-get update


sudo apt-get install wireshark

Then once the install has completed we need to configure to allow non-sudo users to capture packets so Wireshark doesn’t have to run with root privileges.

sudo dpkg-reconfigure wireshark-common

Then when asked if you want to allow non-sudo users to capture packets, select “yes”.
Then we need to add our current user to the Wireshark Group like so.

sudo adduser $USER wireshark

Now open wireshark and you will be able to capture network traffic.
Have fun.