<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;C0QDSXY-fCp7ImA9WxJUFkk.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359</id><updated>2009-07-15T03:02:58.854-04:00</updated><title>The Security Shoggoth</title><subtitle type="html">Stories of an elder thing creation making its way in the world of information security.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://secshoggoth.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>56</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><link rel="self" href="http://feeds.feedburner.com/TheSecurityShoggoth" type="application/atom+xml" /><entry gd:etag="W/&quot;DUUBSH88eip7ImA9WxJRGUw.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-6594185715836831600</id><published>2009-05-21T10:36:00.003-04:00</published><updated>2009-05-21T10:47:39.172-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-21T10:47:39.172-04:00</app:edited><category 
scheme="http://www.blogger.com/atom/ns#" term="PDF" /><category scheme="http://www.blogger.com/atom/ns#" term="snort" /><category scheme="http://www.blogger.com/atom/ns#" term="presentation" /><title>Detecting Malicious PDFs</title><content type="html">Last night at the NE Ohio Information Security Forum I gave a presentation on Detecting Malicious PDFs.  I'm still not sure if I'm going to release the presentation, but I am going to release a Snort signature that I've found useful for detecting evil PDFs.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:Arial;font-size:85%;"&gt;alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:"Potential Malicious PDF (OpenAction JavaScript)"; flow:from_server,established; content:"%PDF-"; content:"&amp;lt;&amp;lt;/OpenAction &amp;lt;&amp;lt;/JS"; within:128; nocase; classtype:trojan-activity;)&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;This signature first looks for the PDF header (so we know we are dealing with a PDF) and then, within 128 bytes of the end of that header match, for a dictionary that opens with &lt;span style="font-style: italic;"&gt;/OpenAction&lt;/span&gt; and whose action dictionary in turn opens with /JS.  An /OpenAction in the catalog is executed as soon as the document is opened, so this combination means the JavaScript runs immediately.  Two details of the rule matter in practice: the second content match is a literal string (the nocase modifier only relaxes case), so it requires exactly that spacing and key order, and the within:128 modifier ties it to the header, so the catalog dictionary has to sit at the very top of the file.  A catalog placed later in the file, or one stored inside a compressed object stream, will not trigger it.&lt;br /&gt;&lt;br /&gt;Yes, I realize this signature can be easily bypassed with &lt;a href="http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/"&gt;PDF obfuscation&lt;/a&gt;.  However, I've found that attackers are not yet using this very much.  
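&lt;br /&gt;&lt;br /&gt;To see what the rule does and does not catch, here is the same logic written out in Python as an added example (it is not part of the original post, and the three PDF fragments are constructed for the demonstration, not real samples).  snort_rule_matches() mimics the rule: find the header, then look for the literal dictionary-plus-/JS needle in the next 128 bytes, compared case-insensitively.  scan_openaction_js() is the looser file-level check a mail gateway or sandbox could run instead: it first resolves the #xx hex escapes that PDF allows inside names, then looks for /OpenAction and either /JS or /JavaScript anywhere in the file.  The obfuscated fragment uses the name-escaping trick from the post linked above (/#4Fpen#41ction for /OpenAction) and lists /Type before the action in the catalog, which is enough to slip past the Snort rule but not the normalised scan.&lt;br /&gt;&lt;br /&gt;
&lt;pre&gt;
```python
import re

# Constructed PDF fragments for the demonstration, not real samples.
# "\x3c" is the less-than sign; a PDF dictionary opens with two of them.
PLAIN = (b"%PDF-1.4\n1 0 obj\n"
         b"\x3c\x3c/OpenAction \x3c\x3c/JS (app.alert(1))/S /JavaScript>>"
         b"/Type /Catalog/Pages 2 0 R>>\nendobj\n")
# Same action, but the names are hex-escaped (/#4Fpen#41ction is /OpenAction,
# /#4AS is /JS) and /OpenAction is no longer the first key of the catalog.
OBFUSCATED = (b"%PDF-1.4\n1 0 obj\n"
              b"\x3c\x3c /Type /Catalog /Pages 2 0 R\n"
              b"/#4Fpen#41ction \x3c\x3c /S /JavaScript /#4AS (app.alert(1)) >> >>\n"
              b"endobj\n")
BENIGN = b"%PDF-1.4\n1 0 obj\n\x3c\x3c/Type /Catalog/Pages 2 0 R>>\nendobj\n"

HEADER = b"%PDF-"
# The rule's second content match, with escapes for the two less-than signs.
NEEDLE = b"\x3c\x3c/OpenAction \x3c\x3c/JS"


def snort_rule_matches(data: bytes, within: int = 128) -> bool:
    """Emulate the post's rule: '%PDF-' (case-sensitive), then the needle
    (nocase) located entirely within `within` bytes after the header match."""
    hdr = data.find(HEADER)
    if hdr == -1:
        return False
    start = hdr + len(HEADER)
    window = data[start:start + within]
    return NEEDLE.lower() in window.lower()


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF names: /#4FpenAction becomes /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_openaction_js(data: bytes) -> dict:
    """Looser file-level check (uncompressed data only): is it a PDF, does it
    declare an /OpenAction, and does it carry /JS or /JavaScript anywhere?"""
    norm = normalize_names(data)
    is_pdf = norm.lstrip().startswith(HEADER)
    open_action = re.search(rb"/OpenAction\b", norm) is not None
    javascript = re.search(rb"/(JS|JavaScript)\b", norm) is not None
    return {"pdf": is_pdf, "open_action": open_action, "js": javascript,
            "suspicious": is_pdf and open_action and javascript}


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(f"{label:11s} snort rule: {str(snort_rule_matches(sample)):6s} "
              f"normalised scan: {scan_openaction_js(sample)['suspicious']}")
```
&lt;/pre&gt;
Neither check looks inside compressed streams: a catalog stored in an object stream (PDF 1.5 and later) has to be inflated first, and the Snort rule's within:128 additionally needs the catalog to be the first thing after the header.&lt;br /&gt;&lt;br /&gt;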
Let me know if this is useful to you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-6594185715836831600?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/6594185715836831600/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=6594185715836831600" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6594185715836831600?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6594185715836831600?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/fJM_MrU03x8/detecting-malicious-pdfs.html" title="Detecting Malicious PDFs" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/05/detecting-malicious-pdfs.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkUEQHo7fyp7ImA9WxJSF00.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-8165005265940871140</id><published>2009-05-07T09:13:00.004-04:00</published><updated>2009-05-07T09:50:01.407-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-07T09:50:01.407-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="virus" /><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>Automating 
Malware Analysis article</title><content type="html">In the latest &lt;a href="http://hakin9.org/prt/view/about-the-mag/issue/1023.html"&gt;Hakin9 issue (3/2009)&lt;/a&gt;, I have an article on automating malware analysis.  The article discusses how to set up your own malware analysis automation system using VMWare, some analysis tools and two scripts.  The article uses a Linux system as the base (host) system and a Windows XP Pro guest as the analysis OS, but I don't see why one couldn't use Cygwin on Windows as the base system with a few tweaks.&lt;br /&gt;&lt;br /&gt;The scripts I created for the article are meant to be a base for your own automated analysis system, to be expanded upon.  I encourage others to add other tools and capabilities to the scripts and share them here on the blog. The scripts used are &lt;a href="http://media.software.com.pl/hakin9/en/Listingi/03_2009/Automating_Malware_Analysis.rtf"&gt;available on Hakin9's site&lt;/a&gt;.  However, if anyone wants the actual files let me know and I'll send them out.&lt;br /&gt;&lt;br /&gt;I should point out that the system and scripts in this article assume you are using VMWare's host-only network mode.  This is to prevent the malware from accidentally infecting other systems on your network, the Internet, etc.  However, since the system is set up in host-only mode, your malware will not be able to communicate with any outside hosts.  The only network traffic you will see is DNS requests and probes to other systems, all of which go unanswered.&lt;br /&gt;&lt;br /&gt;I encourage others to add a simulated network to their automation system using software such as Truman, fakedns, or &lt;a href="http://secshoggoth.blogspot.com/2009/02/inetsim-installation.html"&gt;InetSim&lt;/a&gt;, so that those requests get answered and the malware carries on to its next stage.  
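&lt;br /&gt;&lt;br /&gt;The tools named above all do the same basic thing for DNS: answer every lookup with an address you control, so the sample's next connection attempt lands somewhere you can observe instead of timing out.  Here is that idea reduced to a single-file sinkhole resolver, as an added example in the spirit of fakedns (my code, not the article's scripts or any of those tools).  The listening socket and the answer address are assumptions to adjust for your lab (192.168.56.1 stands in for the host's address on the host-only network), and the query used to exercise it is built inline rather than captured.  Run it as root on the host and point the guest's DNS at the host; every name the sample asks for gets printed, which is often the first useful indicator you get.&lt;br /&gt;&lt;br /&gt;
&lt;pre&gt;
```python
import socket
import struct

# Assumed addresses (adjust for your lab): the host's IP on the host-only
# network, which every A query will be answered with, and where to listen.
HOST_ONLY_IP = "192.168.56.1"
LISTEN = ("0.0.0.0", 53)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a plain DNS query; used here to exercise the responder offline."""
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (txid, name, qtype, qclass, raw_question) for the first question."""
    txid, _flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n >= 0xC0:
            raise ValueError("compressed qname not supported")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack(">HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def sinkhole_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Answer any A query with answer_ip. Other types get an empty NOERROR
    reply so the client moves on instead of retrying."""
    txid, _name, qtype, _qclass, question = parse_question(query)
    is_a = qtype == 1
    # Flags 0x8180: response, recursion desired, recursion available, NOERROR.
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1 if is_a else 0, 0, 0)
    if not is_a:
        return header + question
    # 0xC00C is a compression pointer back to the name at offset 12.
    rr = (b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
          + socket.inet_aton(answer_ip))
    return header + question + rr


def answer_count(packet: bytes) -> int:
    """ANCOUNT field of a DNS message."""
    return struct.unpack(">H", packet[6:8])[0]


def answered_ip(packet: bytes) -> str:
    """The address in the single A record appended by sinkhole_response()."""
    return socket.inet_ntoa(packet[-4:])


def serve(listen=LISTEN, answer_ip=HOST_ONLY_IP):
    """Blocking UDP loop: log every name the guest asks for, answer with answer_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, name, qtype, _, _ = parse_question(data)
        except (ValueError, IndexError, struct.error) as exc:
            print(f"{peer[0]}: unparseable query ({exc})")
            continue
        print(f"{peer[0]} asked for {name} (type {qtype})")
        sock.sendto(sinkhole_response(data, answer_ip), peer)


if __name__ == "__main__":
    serve()
```
&lt;/pre&gt;
Only A queries get an answer; anything else gets an empty NOERROR reply so the client moves on.  If the sample then opens TCP 80 or 443 to the host, that is where InetSim's fake HTTP server or a simple listener comes in.&lt;br /&gt;&lt;br /&gt;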
If you'd rather not take the time, you'll have to wait for the next issue of Hakin9, where I have part 2 of this article and show how to set this up (along with some other cool things).&lt;br /&gt;&lt;br /&gt;I'd love to hear any feedback on the scripts, tools, or the article, including anything you use to expand upon it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-8165005265940871140?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/8165005265940871140/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=8165005265940871140" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8165005265940871140?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8165005265940871140?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/MsZFFwbRa-A/automating-malware-analysis-article.html" title="Automating Malware Analysis article" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/05/automating-malware-analysis-article.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEMEQnc-eCp7ImA9WxJTFUQ.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-5254606969902966117</id><published>2009-04-24T13:57:00.002-04:00</published><updated>2009-04-24T14:06:43.950-04:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2009-04-24T14:06:43.950-04:00</app:edited><title>The more things change, the more they stay the same</title><content type="html">A few weeks ago, the library at my daughter's school had a sale to get rid of some of their old books.  That day, my daughter came home with a computer book published in 1984 entitled &lt;span style="font-weight: bold;"&gt;Computer Kids&lt;/span&gt;.  The book is essentially interviews with children of various ages who use computers in school and at home.  It's a very interesting read, as it shows how computers were thought of back then.&lt;br /&gt;&lt;br /&gt;One chapter in particular caught my eye because it was about computer security.  The chapter focuses on a boy who at the time was a senior in high school.  In the chapter, the boy talks about copying games with his &lt;a href="http://en.wikipedia.org/wiki/VIC-20"&gt;Vic20&lt;/a&gt; and wardialing into other computers.  At the end of the chapter, the author asks him what advice he would give to companies:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;If someone were to ask me what else companies can do to protect their computer systems, I'd tell them to use passwords that are as long as possible.  Most passwords are made up of eight-digit numbers.  A ten-, twelve-, or even a thirty-digit number would be better.  More secure.  And companies shouldn't use individual words for their passwords.  
It's better to use a combination of words that are unlikely together.&lt;br /&gt;&lt;br /&gt;Companies can also change passwords often, or they can require the approval of one or more persons to gain access to the computer.&lt;/blockquote&gt;&lt;br /&gt;Interesting how advice from 25 years ago is still valid today.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-5254606969902966117?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/5254606969902966117/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=5254606969902966117" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5254606969902966117?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5254606969902966117?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/p60jIQY-UBQ/more-things-change-more-they-stay-same.html" title="The more things change, the more they stay the same" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/04/more-things-change-more-they-stay-same.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CEQARn8-fyp7ImA9WxVbEUU.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-1603270114617268596</id><published>2009-03-27T14:54:00.003-04:00</published><updated>2009-03-27T15:32:27.157-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-27T15:32:27.157-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="hacks" /><title>PHP Anti-analysis Technique</title><content type="html">I was looking through a PHP web attack toolkit yesterday and found that one of the scripts was obfuscated in an attempt to prevent others from figuring out what the code does.  In short, the obfuscation worked by decoding a long base64-encoded string, applying some modifications to each character based on its position, and then executing the final output (through an eval call).&lt;br /&gt;&lt;br /&gt;No problem, I thought.  There were three options for decoding this:&lt;br /&gt;&lt;br /&gt;1. Figure out what the code is doing and write a translation program.  &lt;span style="font-style: italic;"&gt;Nah, too long.&lt;/span&gt;&lt;br /&gt;2. Modify the source of PHP itself to write the argument of every eval to a file.  &lt;span style="font-style: italic;"&gt;Hmmmm...maybe, but not now.&lt;/span&gt;&lt;br /&gt;3. Add a print statement to the obfuscated script to print out the deobfuscated code instead of eval'ing it.  &lt;span style="font-style: italic;"&gt;Yep...easy.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So I changed the eval statement to a print and ran the PHP code.  Nothing.&lt;br /&gt;&lt;br /&gt;After ensuring my PHP wasn't borked I decided something was going on and I needed to look at the code.  
After a few minutes, I found the following:&lt;br /&gt;&lt;blockquote style="font-family: arial;"&gt;$file = __FILE__;&lt;br /&gt;$file = file_get_contents($file);&lt;br /&gt;$var8 = 0;&lt;br /&gt;preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $file, $var8);&lt;br /&gt;&lt;br /&gt;for (;$interator_1&lt;$enc_str_len;)    {&lt;br /&gt;     if (count($var8)) exit;&lt;br /&gt;&lt;/blockquote&gt;&lt;span style="font-style: italic;"&gt;Note that the for loop is the loop that decodes each character of the PHP code.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This is a nice little anti-analysis trick.  First, the script reads in its own source (the first two lines).  Then it initializes $var8 to 0.  Next, preg_match() searches that source for a regular expression and stores whatever it matched in $var8 as an array (an empty array if nothing matched).  The regular expression is passed as a base64-encoded string.  What does it decode to?&lt;br /&gt;&lt;blockquote style="font-family: arial;"&gt;/(print|sprint|echo)/&lt;br /&gt;&lt;/blockquote&gt;So it's looking for any occurrence of &lt;span style="font-style: italic;"&gt;print&lt;/span&gt;, &lt;span style="font-style: italic;"&gt;sprint&lt;/span&gt; or &lt;span style="font-style: italic;"&gt;echo&lt;/span&gt; anywhere in the file; the match is on bare substrings, so printf, sprintf, print_r and even a comment containing those words count.  Then, in the decoding loop, if the match array is non-empty (count($var8) is greater than 0) the script exits before any of the code is decoded, which is why changing the eval to a print produced no output.  A simple technique to make analysis more difficult.&lt;br /&gt;&lt;br /&gt;Of course, it's pretty easy to bypass as well. :)
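&lt;br /&gt;&lt;br /&gt;Decoding that base64 literal is the key step, and the same self-check turns up in other scripts from these kits, so here is a small triage helper as an added example (my code, not the post's or the toolkit's): it pulls every base64_decode("...") literal out of a PHP file, decodes it, flags the read-your-own-source-then-preg_match pattern, and lets you test whether a planned edit would trip the check before you make it.  The sample script is a constructed stand-in for the lines quoted above with a dummy decode loop, not the real file.  Because the regex is case-sensitive and matches bare substrings, writing the decoded buffer out with file_put_contents() or calling PRINT() (PHP function and construct names are case-insensitive) both get past it, while print, echo and even sprintf do not.&lt;br /&gt;&lt;br /&gt;
&lt;pre&gt;
```python
import base64
import re

# Constructed stand-in for the obfuscated script: the self-check lines quoted
# in the post plus a dummy decode loop. Not the toolkit's actual file.
SAMPLE_PHP = r'''
$file = __FILE__;
$file = file_get_contents($file);
$var8 = 0;
preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $file, $var8);
$enc = base64_decode("ZXZhbCgnLi4uJyk7");
$out = "";
for ($i = 0; $i != strlen($enc); $i++) {
    if (count($var8)) exit;
    $out .= $enc[$i];   // stand-in for the per-character transform
}
eval($out);
'''

# base64_decode("...") or base64_decode('...') with a literal argument
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def decode_base64_literals(php_source: str) -> list:
    """(encoded, decoded) pairs for every base64_decode() with a literal argument."""
    found = []
    for m in B64_CALL.finditer(php_source):
        decoded = base64.b64decode(m.group(1)).decode("latin-1")
        found.append((m.group(1), decoded))
    return found


def reads_itself(php_source: str) -> bool:
    """The pattern from the post: __FILE__ is read back and searched with preg_match."""
    return ("__FILE__" in php_source and "file_get_contents" in php_source
            and "preg_match(" in php_source)


def pcre_to_python(pattern: str) -> str:
    """Strip PCRE delimiters (/.../ plus any trailing flags) for Python's re."""
    delim = pattern[0]
    return pattern[1:pattern.rfind(delim)]


def edit_trips_check(regex: str, planned_line: str) -> bool:
    """Would adding this line to the script make the self-check call exit()?"""
    return re.search(regex, planned_line) is not None


if __name__ == "__main__":
    pairs = decode_base64_literals(SAMPLE_PHP)
    for enc, dec in pairs:
        print(f"{enc}  ->  {dec!r}")
    if reads_itself(SAMPLE_PHP):
        print("script inspects its own source; decoded regexes above are the checks")
        rx = pcre_to_python(pairs[0][1])
        for line in ("print($out);", "file_put_contents('/tmp/out.php', $out);", "PRINT($out);"):
            print(f"{line:45s} trips check: {edit_trips_check(rx, line)}")
```
&lt;/pre&gt;
The same decoder is worth running over every script in a kit before editing any of them; a preg_match against __FILE__ is a strong hint that the author expects you to try exactly what the post describes.&lt;br /&gt;&lt;br /&gt;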
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-1603270114617268596?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/1603270114617268596/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=1603270114617268596" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1603270114617268596?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1603270114617268596?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/Uh446fo0M8I/php-anti-analysis-technique.html" title="PHP Anti-analysis Technique" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/03/php-anti-analysis-technique.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0EFQnsyfCp7ImA9WxVVFkg.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-6336527887627733229</id><published>2009-03-09T21:48:00.003-04:00</published><updated>2009-03-09T22:20:13.594-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-09T22:20:13.594-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="SQL injection" /><category scheme="http://www.blogger.com/atom/ns#" term="attack" /><title>Another Odd SQL Injection Attack</title><content type="html">&lt;a 
href="http://secshoggoth.blogspot.com/2009/03/odd-sql-injection-attack.html"&gt;In my last post&lt;/a&gt;, I talked about a large SQL injection attack launched against a site I help run.  Well, last night it happened again.&lt;br /&gt;&lt;br /&gt;On 3/8/09 from 10:56 GMT to 11:40 GMT, the website I help run received over 3100 SQL injection attacks from close to two dozen IP addresses.  The query received this time was:&lt;br /&gt;&lt;br /&gt;&lt;pre wrap=""&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;/modules.php?name=-1+AND+2=2+UNION+ALL+SELECT+0x3065376332613738353864303833656636636535323337343330636466343033,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d312d7465643a3a,0x3a3a7865512d322d7465643a3a,0x3a3a7865512d332d7465643a3a,0x3a3a7865512d342d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d352d7465643a3a,0x3a3a7865512d362d7465643a3a,0x3a3a7865512d372d7465643a3a,0x3a3a7865512d382d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d392d7465643a3a,0x3a3a7865512d31302d7465643a3a,0x3a3a7865512d31312d7465643a3a,0x3a3a7865512d31322d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d31332d7465643a3a,0x3a3a7865512d31342d7465643a3a,0x3a3a7865512d31352d7465643a3a,0x3a3a7865512d31362d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d31372d7465643a3a,0x3a3a7865512d31382d7465643a3a,0x3a3a7865512d31392d7465643a3a,0x3a3a7865512d32302d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span 
style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d32312d7465643a3a,0x3a3a7865512d32322d7465643a3a,0x3a3a7865512d32332d7465643a3a,0x3a3a7865512d32342d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d32352d7465643a3a,0x3a3a7865512d32362d7465643a3a,0x3a3a7865512d32372d7465643a3a,0x3a3a7865512d32382d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d32392d7465643a3a,0x3a3a7865512d33302d7465643a3a,0x3a3a7865512d33312d7465643a3a,0x3a3a7865512d33322d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d33332d7465643a3a,0x3a3a7865512d33342d7465643a3a,0x3a3a7865512d33352d7465643a3a,0x3a3a7865512d33362d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d33372d7465643a3a,0x3a3a7865512d33382d7465643a3a,0x3a3a7865512d33392d7465643a3a,0x3a3a7865512d34302d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d34312d7465643a3a,0x3a3a7865512d34322d7465643a3a,0x3a3a7865512d34332d7465643a3a,0x3a3a7865512d34342d7465643a3a,&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:100%;"&gt;0x3a3a7865512d34352d7465643a3a,0x3a3a7865512d34362d7465643a3a,0x3a3a7865512d34372d7465643a3a--&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/pre&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="font-family:georgia;"&gt;The User-Agent this time was &lt;span 
style="font-style: italic;"&gt;Mozilla/5.0&lt;/span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There are a couple of interesting things to note about this attack.  First is the use of the double dashes at the end of the injection.  A double dash starts a comment in both MySQL and SQL Server, so whatever the application appends to the query after the injected text is ignored.  (In MySQL the double dash only opens a comment when it is followed by whitespace, which is why injection tools often send it followed by a space or a plus sign; here that whitespace has to come from whatever the application's query continues with.)&lt;br /&gt;&lt;br /&gt;Next, if we assume that the hex values decode into the attack, then the database being attacked must decode them somehow.  MySQL treats a bare 0x... literal as a string in string context (SELECT 0x41 returns 'A'), whereas SQL Server needs a CAST to turn a hex value into characters.  Since the SQL has only the bare hex values and no CAST, we can infer the database being attacked is MySQL.  (Note that I'm basing some of this on my knowledge and previous use of SQL injection attacks from my job - I could very well be wrong on this.)&lt;br /&gt;&lt;br /&gt;The hex-encoded values are interesting.  If we decode them from hex into ASCII characters, we get the following query:&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;/modules.php?name=-1+AND+2=2+UNION+ALL+SELECT+0e7c2a7858d083ef6ce5237430cdf403,&lt;br /&gt;::xeQ-1-ted::,::xeQ-2-ted::,::xeQ-3-ted::,::xeQ-4-ted::,::xeQ-5-ted::,::xeQ-6-ted::,&lt;br /&gt;::xeQ-7-ted::,::xeQ-8-ted::,::xeQ-9-ted::,::xeQ-10-ted::,::xeQ-11-ted::,::xeQ-12-ted::,&lt;br /&gt;::xeQ-13-ted::,::xeQ-14-ted::,::xeQ-15-ted::,::xeQ-16-ted::,::xeQ-17-ted::,::xeQ-18-ted::,::xeQ-19-ted::,::xeQ-20-ted::,::xeQ-21-ted::,&lt;br /&gt;::xeQ-22-ted::,::xeQ-23-ted::,::xeQ-24-ted::,::xeQ-25-ted::,::xeQ-26-ted::,::xeQ-27-ted::,::xeQ-28-ted::,&lt;br /&gt;::xeQ-29-ted::,::xeQ-30-ted::,::xeQ-31-ted::,::xeQ-32-ted::,::xeQ-33-ted::,::xeQ-34-ted::,::xeQ-35-ted::,&lt;br /&gt;::xeQ-36-ted::,::xeQ-37-ted::,::xeQ-38-ted::,::xeQ-39-ted::,::xeQ-40-ted::,::xeQ-41-ted::,::xeQ-42-ted::,&lt;br /&gt;::xeQ-43-ted::,::xeQ-44-ted::,::xeQ-45-ted::,::xeQ-46-ted::,::xeQ-47-ted::--&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I'll admit that 
this has me stumped.  Due to the pattern, the hex appears to be decoded correctly.  However, I cannot make heads or tails of what is being attempted here.  Interestingly, &lt;a href="http://www.google.com/search?hl=en&amp;amp;hs=Ufr&amp;amp;q=%22%3A%3AxeQ-1-ted%3A%3A%22&amp;amp;btnG=Search"&gt;googling for "::xeQ-1-ted::"&lt;/a&gt; brings up a number of entries which suggest that an attack similar to this one may have succeeded on other sites.&lt;br /&gt;&lt;br /&gt;So, anyone have any ideas for this one?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-6336527887627733229?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/6336527887627733229/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=6336527887627733229" title="6 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6336527887627733229?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6336527887627733229?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/JHvX4JpVB84/another-odd-sql-injection-attack.html" title="Another Odd SQL Injection Attack" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">6</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/03/another-odd-sql-injection-attack.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;A0EDQ3k_cCp7ImA9WxVVFkk.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-4535907672626801045</id><published>2009-03-03T21:09:00.009-05:00</published><updated>2009-03-09T21:47:52.748-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-09T21:47:52.748-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="SQL injection" /><category scheme="http://www.blogger.com/atom/ns#" term="hacks" /><category scheme="http://www.blogger.com/atom/ns#" term="attack" /><title>Odd SQL Injection Attack</title><content type="html">&lt;span style="font-style: italic;"&gt;Updated 3/9/09.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Last night, from 21:21 EST to 21:41 EST, a website I help run received over 1300 SQL injection attempts from fewer than a dozen IP addresses.  This is a pretty popular site, so it's not uncommon for us to get hit with injection attacks, but it's rare for us to get hit this hard.&lt;br /&gt;&lt;br /&gt;Normally I would brush it off as an unsuccessful botnet attack, but the SQL injection is bugging me as I can't figure out what the purpose is.  
The query we received was as follows:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;/modules.php?name=news&amp;amp;new_topic=9\' and 1=2 union select&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),CONCAT(0x27,0x7c,0x5f,0x7c),&lt;br /&gt;CONCAT(0x27,0x7c,0x5f,0x7c) and \'1\'=\'1&lt;/pre&gt;The user-agent was "&lt;span style="font-style: italic;"&gt;NV32ts&lt;/span&gt;".&lt;br /&gt;&lt;br /&gt;This is an attack on PostNuke, which the site does run.  
The number of CONCATs, however, is what I'm stumped on (as are some others I've asked).&lt;br /&gt;&lt;br /&gt;The CONCAT(0x27,0x7c,0x5f,0x7c) expression decodes to:&lt;br /&gt;&lt;blockquote&gt;'|_|&lt;br /&gt;&lt;/blockquote&gt;When you combine them all together, you get the following statement:&lt;br /&gt;&lt;pre&gt;/modules.php?name=news&amp;amp;new_topic=9\' and 1=2 union select&lt;br /&gt;'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,&lt;br /&gt;'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,&lt;br /&gt;'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,'|_|,&lt;br /&gt;'|_| and \'1\'=\'1&lt;/pre&gt;The underscore in MySQL is a single-character wildcard, though only inside a LIKE pattern (in a plain string literal it is just an underscore); if it were being treated as a wildcard here, the injection would further decode to:&lt;br /&gt;&lt;pre&gt;/modules.php?name=news&amp;amp;new_topic=9\' and 1=2 union select&lt;br /&gt;'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,&lt;br /&gt;'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,'||,&lt;br /&gt;'||,'||,'||,'||,'||,'||,'|| and \'1\'=\'1&lt;br /&gt;&lt;/pre&gt;In reading that, it's potentially a bunch of logical OR statements (the double pipes) with some single quotes.  But to me it still looks like it will generate an error.&lt;br /&gt;&lt;br /&gt;I've googled the CONCAT statement and the user-agent and there are a bunch of hits, but nothing that gives me any information.  In fact, it looks like there have been a number of attacks using this string.  But that doesn't give me the purpose of the injection string above.  This is what I (and some others) have come up with:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;This was meant to generate a SQL error to see if a site is vulnerable.  
If that's the case, why so many hits in such a short period of time?&lt;/li&gt;&lt;li&gt;The attacker was trying to evade IDS/IPS/protections, but made a mistake.&lt;/li&gt;&lt;li&gt;The attacker just doesn't know what they are doing at all.&lt;/li&gt;&lt;/ol&gt;I'm open to any ideas.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;UPDATE&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I received a lot of responses on my previous SQL injection post.  Thanks to everyone who did.  Most came to the same conclusion as I did: the injection was either meant to generate an error or it was a mistake on the attacker's part.&lt;br /&gt;&lt;br /&gt;As for the user agent, &lt;span style="font-style: italic;"&gt;NV32ts&lt;/span&gt;, I've confirmed that it is a known signature of a botnet.  I am currently trying to dig up any samples of it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-4535907672626801045?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/4535907672626801045/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=4535907672626801045" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4535907672626801045?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4535907672626801045?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/bL5V_QWPXH4/odd-sql-injection-attack.html" title="Odd SQL Injection Attack" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty 
name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/03/odd-sql-injection-attack.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0MMSHk_cCp7ImA9WxVXE0o.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-2629156034368311554</id><published>2009-02-11T09:22:00.013-05:00</published><updated>2009-02-11T14:11:29.748-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-02-11T14:11:29.748-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><title>InetSim Installation</title><content type="html">For a &lt;span style="font-family: georgia;"&gt;project&lt;/span&gt; I'm working on&lt;a href="#cartoon"&gt;*&lt;/a&gt;, I've been looking at network simulation software to use in malware analysis.  The most common one out there is &lt;a href="http://www.secureworks.com/research/tools/truman.html"&gt;Truman&lt;/a&gt;, written by Joe Stewart.  However, Truman has some shortcomings - the biggest being that it doesn't have an HTTP server and it hasn't been updated since it was released.  So, I wanted to try a different one, and that led me to &lt;a href="http://www.inetsim.org/index.html"&gt;InetSim&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;InetSim has a number of software packages that need to be installed before it works.  For my benefit, and I guess others as well, I'm documenting the process I took to install it on my Gentoo Linux system.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;InetSim has the capability to do connection redirection, but some options have to be compiled into the kernel first.  
Specifically, the Netfilter NFQUEUE over NFNETLINK interface (CONFIG_NETFILTER_NETLINK_QUEUE) and IP Userspace queueing via NETLINK (CONFIG_IP_NF_QUEUE) need to be compiled in.  I compiled them directly into the kernel, but they could be modules as well.&lt;br /&gt;&lt;br /&gt;Obviously, after re-compiling and installing your kernel (if needed), you should make sure that iptables is installed.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;A number of Perl modules need to be installed.  Fortunately, most of these are in the Portage repository and can just be emerged:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;# emerge -av perl-Getopt-Long perl-libnet perl-Digest-SHA perl-digest-base perl-Digest-MD5 MIME-Base64 Net-DNS net-server&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;/li&gt;&lt;li&gt;There were two Perl libraries which were not in Portage that needed to be installed from source.  The first was IPC::Shareable, which is on &lt;a href="http://search.cpan.org/dist/IPC-Shareable/"&gt;CPAN here&lt;/a&gt;.  Once downloaded, installation was easy:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;# tar zxvf IPC-Shareable-0.60.tar.gz&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# cd IPC-Shareable-0.60&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# perl Makefile.PL&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# make&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# make test&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# make install&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: georgia;"&gt;The next required Perl library, Perlipq, took a little longer.  This is the library used to interface with the packet queueing on the system for redirection.  Initially, it could not find the libipq.h file in the correct location, but a manual edit of the Makefile (shown below) fixed that.  
Perlipq is &lt;/span&gt;&lt;a style="font-family: georgia;" href="http://search.cpan.org/%7Ejmorris/perlipq/"&gt;downloaded from here&lt;/a&gt;&lt;span style="font-family: georgia;"&gt;.&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;# tar zxvf perlipq-1.25.tar.gz&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# cd perlipq-1.25&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# perl Makefile.PL&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;At this point, Makefile.PL prompts you for the location of the iptables development components.  Specifically, it's looking for libipq.h.  It doesn't matter what you enter here, as the generated Makefile will not point at the correct place anyway.  Enter some text and let the script finish.&lt;br /&gt;&lt;br /&gt;Once the script is finished, edit the Makefile.  On line 145 is the following include line (the angle brackets stand for whatever you typed at the prompt):&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;INC = -I&amp;lt;the text you entered at the prompt&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;This is the directory in which the compiler will look for libipq.h.  Change it to the following:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;INC = -I/usr/include/libipq&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;/usr/include/libipq is where libipq.h should be located.  If you are unsure, run 'locate libipq.h' to see where it is.  
After saving the Makefile, installation can continue.&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;# make&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# make install&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;/li&gt;&lt;li&gt;Optional: If you want to make sure you have all of the necessary Perl modules installed, run the following Perl script (a missing module makes Perl die with a "Can't locate" error):&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;use Getopt::Long;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;use Net::Server;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;use Net::DNS;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;use IO::Socket;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;use IO::Select;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;use IPC::Shareable;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;use Digest::SHA1;&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;If there are no failures, you're good to go.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;At this point, all of the prerequisites should be installed and InetSim installation can proceed.  The latest version of InetSim at the time of this writing is 1.1 and is &lt;a href="http://www.inetsim.org/downloads/inetsim-1.1.tar.gz"&gt;located here&lt;/a&gt;.  Download it and untar it into a central location - I chose /usr/local.&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;# tar zxvf inetsim-1.1.tar.gz&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# mv inetsim-1.1 inetsim&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;# cd inetsim&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;span style="font-style: italic;"&gt;Note: I renamed the default directory for my own benefit; this is not necessary.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;InetSim uses the nobody user to run its servers.  
The nobody user should exist by default, but you'd better make sure.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;A group named inetsim is also required for InetSim to run.  It should be created as follows:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;# groupadd inetsim&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family: georgia;"&gt;InetSim comes with a setup.sh script which modifies the permissions of all the files as needed.&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;# sh setup.sh&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-family: georgia;"&gt;If you plan on running InetSim from a script, chances are you will need to modify a small piece of the inetsim program.  On line 12 of the inetsim script is the &lt;/span&gt;&lt;span style="font-style: italic; font-family: georgia;"&gt;use lib&lt;/span&gt;&lt;span style="font-family: georgia;"&gt; Perl code which tells the script where to find the InetSim modules.  In its original form, it is a relative path to the lib directory, which only resolves when inetsim is started from its own directory.  It should be changed to an absolute path similar to the following:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family: arial;"&gt;use lib "/usr/local/inetsim/lib";&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;At this point, InetSim should be installed and ready to run.  The default configuration file is located in conf/inetsim.conf and I highly recommend reading and modifying it to fit your environment.  However, you should be able to use the default configuration file to test out your installation.&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-family:arial;"&gt;# /usr/local/inetsim/inetsim --session test&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;A stream of messages will scroll by as the individual servers start.  
If you don't see any errors, you are good to go!&lt;br /&gt;&lt;br /&gt;&lt;a name="cartoon"&gt;*&lt;/a&gt; &lt;a href="http://xkcd.com/350/"&gt;My new project - thanks ax0n!&lt;/a&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/2629156034368311554/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=2629156034368311554" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/2629156034368311554?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/2629156034368311554?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/zXFgTXVNbzk/inetsim-installation.html" title="InetSim Installation" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/02/inetsim-installation.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EDQ3wzcSp7ImA9WxVQGEs.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-4724309980151084754</id><published>2009-02-05T14:54:00.004-05:00</published><updated>2009-02-05T15:27:52.289-05:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2009-02-05T15:27:52.289-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><title>Strings and update</title><content type="html">It's been a while since I posted anything, so I wanted to get something up here.&lt;br /&gt;&lt;br /&gt;First, in my last post I mentioned how I use the &lt;span style="font-style: italic;"&gt;strings&lt;/span&gt; utility when analyzing binaries.  The utility lets you view the strings embedded within a binary.  By default, it only shows ASCII strings.  The problem with this is that Windows binaries usually contain embedded strings encoded in UNICODE, and by default &lt;span style="font-style: italic;"&gt;strings&lt;/span&gt; will not show them.  To get around this, I was using the Sysinternals strings utility under Wine on my Linux system.&lt;br /&gt;&lt;br /&gt;However, in a comment craigb stated that you can change the encoding &lt;span style="font-style: italic;"&gt;strings&lt;/span&gt; looks for with the &lt;span style="font-weight: bold;"&gt;-e&lt;/span&gt; option.  Here is a snippet from the strings man page:&lt;br /&gt;&lt;blockquote style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;-e encoding&lt;br /&gt;       --encoding=encoding&lt;br /&gt;           Select the character encoding of the strings that are to be  found.&lt;br /&gt;           Possible  values for encoding are: s = single-7-bit-byte characters&lt;br /&gt;           (ASCII, ISO 8859, etc., default), S = single-8-bit-byte characters,&lt;br /&gt;           b  =  16-bit  bigendian, l = 16-bit littleendian, B = 32-bit bigen-&lt;br /&gt;           dian, L = 32-bit littleendian. Useful for  finding  wide  character&lt;br /&gt;           strings.&lt;/span&gt;&lt;/blockquote&gt;By running &lt;span style="font-style: italic;"&gt;strings&lt;/span&gt; with different encodings, both ASCII and UNICODE strings in a Windows binary can be found.  
To do so, I whipped up a little Bash script which I now use whenever I want to pull strings from a binary:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-size:85%;"&gt;#!/bin/bash&lt;br /&gt;&lt;br /&gt;(strings -a -t x "$1"; strings -a -e l -t x "$1") | sort&lt;/span&gt;&lt;/blockquote&gt;The script, which I named &lt;span style="font-style: italic;"&gt;mystrings&lt;/span&gt;, takes the file to scan as its only command-line argument (quoted so that file names containing spaces work).  It then runs &lt;span style="font-style: italic;"&gt;strings&lt;/span&gt; against it two times - the first time looking for ASCII strings and the second looking for UNICODE (16-bit little endian, actually) strings.  The &lt;span style="font-weight: bold;"&gt;-t x&lt;/span&gt; option prints the hex offset of each string within the file.  The combined output of the two &lt;span style="font-style: italic;"&gt;strings&lt;/span&gt; commands is then piped through the &lt;span style="font-style: italic;"&gt;sort&lt;/span&gt; program and displayed.&lt;br /&gt;&lt;br /&gt;My concern with this was that the Linux &lt;span style="font-style: italic;"&gt;strings&lt;/span&gt; would miss something that the Sysinternals strings would pick up.  So, I ran a test where both programs were run against the same file.  The output was the same!  Woohoo!&lt;br /&gt;&lt;br /&gt;In other news, I'd like to announce I got a new job starting at the beginning of the year (which is pretty much the reason I have not been posting).  Those who know me know where I went to, so I won't go into details here.  
However, I've gotten into my groove and should be posting more soon.</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/4724309980151084754/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=4724309980151084754" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4724309980151084754?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4724309980151084754?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/NHTXLfQb5Ks/strings-and-update.html" title="Strings and update" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2009/02/strings-and-update.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkcESHY7cSp7ImA9WxRaEEQ.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-3955609817225113003</id><published>2008-12-12T09:22:00.003-05:00</published><updated>2008-12-12T10:00:09.809-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-12-12T10:00:09.809-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="virus" /><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-virus" /><category 
scheme="http://www.blogger.com/atom/ns#" term="dumb criminals" /><title>Internal Laughs</title><content type="html">Most malware that I look at these days is packed, sometimes double-packed, in order to hide what's inside.  When they aren't packed, the strings inside the binary are often encoded or encrypted so a strings program can't see what is going on.&lt;br /&gt;&lt;br /&gt;Sometimes, however, if you wish REALLY hard and REALLY believe, you come across a gem like the one I looked at last night.  I was notified of a piece of malware sitting on a server by one of my many sources.  After downloading it, one of the first things I did was run the &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx"&gt;Sysinternals strings&lt;/a&gt;* utility against it.  I found some interesting things:&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-weight: bold;"&gt;C:\Documents and Settings\James\Desktop\MSN Pass Stealer\Stub\Project1.vbp&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Hello AV Companies, Please Call Me&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;Hello AV Companies, Please Call Me Win32.MSNPassSteal.VB Thank You!&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;It's so nice to see things like this at times.  While I'm pretty sure James didn't write this particular piece of malware, he probably modified the source (MSN password stealer source code is easy to find) and compiled it.&lt;br /&gt;&lt;br /&gt;James - if you are reading this, let me give you some advice.  First, learn how to use your compiler and how to turn off the debugging features that are turned on by default.  Second, AV companies are not going to name your malware something you want.  
&lt;a href="http://www.virustotal.com/analisis/fff03b8cab69779c9a5b5959c4930a2e"&gt;None of them did.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And finally, if you are going to use a user ID to post the results under, don't make it unique.  Our intrepid fellow left in both the website the stolen credentials would be posted to and the user ID to use.  While I'm not 100% sure it's James' ID (which is why I didn't show it), it is unique and can be traced back to a single user.&lt;br /&gt;&lt;br /&gt;Then again, James, don't follow my advice.  It'll be easier to catch you that way.  :)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;* Even though I do 99% of my static analysis on Linux, I prefer the Sysinternals strings program because it can grab unicode strings and to my knowledge the Linux strings cannot.  It works just great under Wine.  If anyone knows of a Linux strings program that can grab unicode strings, let me know.</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/3955609817225113003/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=3955609817225113003" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3955609817225113003?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3955609817225113003?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/Fn-_8_JXb08/internal-laughs.html" title="Internal Laughs" /><author><name>Security 
Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/12/internal-laughs.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0QCQng9fip7ImA9WxRUFUo.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-7814402389787704273</id><published>2008-11-24T14:55:00.006-05:00</published><updated>2008-11-24T19:02:43.666-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-11-24T19:02:43.666-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="training" /><title>Enhancing Your Skillz...</title><content type="html">I remember one of the questions I was asked in my first security job interview was "Why do you want to work in information security?"  My response: because it changes on a daily basis and you have to stay on your toes.  (This was also my response for "why don't you like security?")&lt;br /&gt;&lt;br /&gt;Since then, I have always been searching for ways in which I could increase the security skills I have.  Training courses, reading blogs/articles/books and networking are a great way to increase your security skills, but I have always thought that there is more to security than knowing how to read a TCP packet, how a buffer overflow works or how to perform a SQL injection attack.&lt;br /&gt;&lt;br /&gt;If you work in information security you also have to have great analytical skills.  You need to be able to "think outside the box", attack problems from a different point of view, or look at a log file and discern a pattern which someone else might not see.  
IMO, you can't learn these skills from reading an article or taking a training course.&lt;br /&gt;&lt;br /&gt;However, I have found that playing games is an excellent way to increase your security analytical skills.  How?  A lot of games focus on strategy or pattern discernment and can help train your mind for these tasks.  The following are games that I've personally played and found helpful in these areas.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;Note: While I am a geek and love video games, I have specifically excluded these types of games from the following list.  There are a number of reasons, but mostly because when it comes down to it, most video games are about reflexes, not strategy (there are, of course, exceptions).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.boardgamegeek.com/boardgame/1198"&gt;Set&lt;/a&gt; - Set is a card game where 12 cards are laid out on the table and you have to be the first person to find a set of three cards.  A set consists of three cards that are either all alike or all different in each attribute (quantity, shape, shading and color).  Sound easy?  Not really.  Set teaches your mind to focus on a number of different areas at once and discern a pattern.  A great, addictive game.  &lt;a href="http://www.setgame.com/set/"&gt;Play it online too.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.boardgamegeek.com/boardgame/1923"&gt;MindTrap&lt;/a&gt; - I love logic puzzles.  To me, they are the ultimate in causing myself to "think outside the box", since most solutions aren't the obvious ones and require some thinking.  MindTrap takes logic puzzles and puts them into game form.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.thinkgeek.com/books/nonfiction/7f69/"&gt;Puzzles for Hackers&lt;/a&gt; - Not a game per se, this book contains lots of puzzles designed for hackers and security professionals.  It features encryption puzzles, reverse engineering and logic puzzles.  
I highly recommend it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.boardgamegeek.com/boardgame/10707"&gt;Hacker&lt;/a&gt; - OK, this probably isn't the best example for games in these categories...but I think this is a must-have for all infosec professionals, &lt;a href="http://www.sjgames.com/SS/"&gt;given the history behind it&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Granted, these are only a &lt;span style="font-weight: bold;"&gt;small&lt;/span&gt; number of the games with potential to help us security folk.  My point to all of this is that you don't just need to read a book or take a class to train yourself for your job...there are alternatives out there.  And fun ones at that.&lt;br /&gt;&lt;br /&gt;Anyone have any good games they want to share?</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/7814402389787704273/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=7814402389787704273" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/7814402389787704273?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/7814402389787704273?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/HS-BcFKVKhs/enhancing-your-skillz.html" title="Enhancing Your Skillz..." 
/><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/11/enhancing-your-skillz.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0YARX85eyp7ImA9WxRUEkw.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-6804451890325695635</id><published>2008-11-20T16:01:00.002-05:00</published><updated>2008-11-20T16:05:44.123-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-11-20T16:05:44.123-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><title>Malware Challenge Results</title><content type="html">After longer than I would have liked, the &lt;a href="http://www.malwarechallenge.info/results.html"&gt;malware challenge results are in and posted&lt;/a&gt;!&lt;br /&gt;&lt;br /&gt;There were a lot of great submissions but, unfortunately, we could only choose so many to receive prizes.  In the end, we looked at the ones we felt gave the most information, presented it the best and would allow someone to learn from their paper.&lt;br /&gt;&lt;br /&gt;Some quick stats on the challenge: we had over 900 downloads of the malware sample.  Fortunately, we didn't have that many submissions.  Most of the hits on the site came from the US, followed by Romania and Russia.  Also, over 50% of the hits on the site were from Firefox!&lt;br /&gt;&lt;br /&gt;I'd like to send a thank you to all the sponsors who donated prizes.  Without them, we would not have been able to have such a great turnout.  We're already thinking about the 2009 Challenge!&lt;br /&gt;&lt;br /&gt;Any suggestions on how we could have done better?  Send them our way!
</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/6804451890325695635/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=6804451890325695635" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6804451890325695635?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/6804451890325695635?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/4Yvt0fDoZpU/malware-challenge-results.html" title="Malware Challenge Results" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/11/malware-challenge-results.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CEIBQXg5eCp7ImA9WxRWGEg.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-212383350117314862</id><published>2008-11-04T21:29:00.002-05:00</published><updated>2008-11-04T21:35:50.620-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-11-04T21:35:50.620-05:00</app:edited><title>Quick Update</title><content type="html">Hello all - I haven't posted in a while and for good reason.  I've been busy with a very interesting job at work that I hope to be able to talk about some day.  Right now I can't (client privacy and such) but I can guarantee it will make an amazing story some day.&lt;br /&gt;&lt;br /&gt;It is because of this job that I was unable to make it to the NE Ohio Information Security Summit.  I apologize to everyone who thought I would be there and I have to commend and profusely thank &lt;a href="http://securityblahblah.blogspot.com/"&gt;Greg&lt;/a&gt; for taking over our presentations by himself and coming up with one at the last minute.  Greg is an amazing speaker and friend and I'm glad he had packed crowds in both sessions.&lt;br /&gt;&lt;br /&gt;As for the &lt;a href="http://www.malwarechallenge.info"&gt;malware challenge,&lt;/a&gt; we were supposed to announce the winners at the summit.  However, due to my being absent we decided to (wisely I think) postpone announcements until the next &lt;a href="http://www.neoinfosecforum.org"&gt;NE Ohio Information Security Forum&lt;/a&gt; meeting on November 19th.  I invite everyone to come out as we will be giving out prizes there and announcing the winners (and will announce them on the site shortly after).&lt;br /&gt;&lt;br /&gt;I will have some interesting news in the next couple weeks and am starting on a few projects I will be blogging about.  For those who have stuck with my blog, thanks.  I hope not to disappoint you.  
:)</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/212383350117314862/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=212383350117314862" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/212383350117314862?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/212383350117314862?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/gBN2steLb5I/quick-update.html" title="Quick Update" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/11/quick-update.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE8GQX0-cCp7ImA9WxRXEEQ.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-7186887780892420145</id><published>2008-10-15T14:35:00.007-04:00</published><updated>2008-10-15T14:53:40.358-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-10-15T14:53:40.358-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="phish" /><title>Phishing with Malware</title><content type="html">I've been pretty busy lately with work and the &lt;a href="http://www.malwarechallenge.info"&gt;malware 
challenge&lt;/a&gt; (only 11 days left!) but I figured I'd post something which came across my inbox today.  Wachovia has been getting a lot of phishing attempts against it which lead to a page trying to get you to install a security update, which is actually malware.  I guess the bad guys decided that Wachovia had enough and decided to turn their sights on Key Bank.&lt;br /&gt;&lt;br /&gt;I received the following email supposedly from Key Bank asking that I update my system now.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_4x76DeWu9xs/SPY5SvoqOkI/AAAAAAAAACo/CNj9O6V6_60/s1600-h/key5-1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_4x76DeWu9xs/SPY5SvoqOkI/AAAAAAAAACo/CNj9O6V6_60/s400/key5-1.png" alt="" id="BLOGGER_PHOTO_ID_5257452609189067330" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Clicking on the link took me to the following page, which is NOT located on Key Bank's website.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_4x76DeWu9xs/SPY5mUYQYtI/AAAAAAAAACw/O0T0gkYFJbI/s1600-h/key1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_4x76DeWu9xs/SPY5mUYQYtI/AAAAAAAAACw/O0T0gkYFJbI/s400/key1.png" alt="" id="BLOGGER_PHOTO_ID_5257452945469891282" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;If you wait long enough it will refresh itself to the executable, but by clicking on the link the page will attempt to download and run (with user acceptance) the malware and will open up another browser window to the actual Key Bank login page.  
This page IS on Key Bank's website, &lt;span style="font-weight: bold;"&gt;but note that Key Bank is &lt;u&gt;NOT&lt;/u&gt; compromised&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_4x76DeWu9xs/SPY7L6NePSI/AAAAAAAAADA/vhhh-vITiJc/s1600-h/key2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_4x76DeWu9xs/SPY7L6NePSI/AAAAAAAAADA/vhhh-vITiJc/s400/key2.png" alt="" id="BLOGGER_PHOTO_ID_5257454690791996706" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;What happens is that when the user installs the "update", the initial malware downloads another one which installs itself as a service on the system.  This new service then watches for any credentials sent.  What happens when it gets one?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_4x76DeWu9xs/SPY665cU7FI/AAAAAAAAAC4/ojZsRtCOzfI/s1600-h/key4-1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_4x76DeWu9xs/SPY665cU7FI/AAAAAAAAAC4/ojZsRtCOzfI/s400/key4-1.png" alt="" id="BLOGGER_PHOTO_ID_5257454398528089170" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This isn't a new method for doing things - it's been around for a while.  However, this is the first time I've seen this specific attack (from this group) directed at Key Bank.  
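&lt;br /&gt;&lt;br /&gt;As an added example (not code from the original post, and not the real campaign's domains), here is the link triage a responder would run over the URLs pulled out of a message like this one: is the host really under the bank's domain, is it an IP literal or a lookalike carrying the brand name, and does it hand out an executable?  The bank domain &lt;code&gt;bank.example&lt;/code&gt;, the brand string and every URL in the sample are constructed placeholders.&lt;br /&gt;

```python
"""Triage the links pulled out of a bank-themed phishing message.

Added example, not code from the original post. The bank domain
"bank.example", the brand string and every URL below are constructed
placeholders; the post names no domains and this is not the real campaign.
"""
import ipaddress
from urllib.parse import urlsplit

# Extensions the "security update" lure typically delivers.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".msi")


def host_of(url):
    """Lowercased hostname without trailing dot, or '' if the URL has none.

    urlsplit().hostname drops userinfo and ports, so a link such as
    https://www.bank.example@evil.test/ yields evil.test, the host the
    browser actually connects to, not the bank name an eye skims over."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_under_domain(host, domain):
    """True only for domain itself or a real subdomain of it; a host such as
    bank.example.evil.test is a prefix trick and fails this test."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(url, bank_domain, brand):
    """Reasons this link is suspicious; an empty list means it is on the bank's
    own domain (where the decoy login page the malware opens also lives)."""
    host = host_of(url)
    path = urlsplit(url).path.lower()
    if is_under_domain(host, bank_domain):
        return []
    reasons = []
    if not host:
        reasons.append("no host")
    elif is_ip_literal(host):
        reasons.append("ip literal host")
    elif brand in host:
        reasons.append("brand name on foreign host " + host)
    else:
        reasons.append("foreign host " + host)
    if path.endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable download")
    return reasons


SEVERE = ("executable download", "ip literal host", "brand name on foreign host")


def triage_message(urls, bank_domain, brand):
    """Verdict for the whole message plus the per-link findings.

    One off-domain executable, IP-literal host or brand lookalike makes the
    message malicious even when a genuine bank URL is also present: the real
    login page opened beside the download is there to reassure the victim,
    so it must not clear the message."""
    findings = {url: classify_link(url, bank_domain, brand) for url in urls}
    verdict = "clean"
    for reasons in findings.values():
        if any(reason.startswith(SEVERE) for reason in reasons):
            return "malicious", findings
        if reasons:
            verdict = "suspicious"
    return verdict, findings


# Constructed sample message: the decoy login page, the "update" link, the
# page it refreshes to, and a userinfo trick. None are the campaign's URLs.
SAMPLE_URLS = [
    "https://www.bank.example/login",
    "http://bank-example-update.test/update/bankupdate.exe",
    "http://198.51.100.7/update.php",
    "https://www.bank.example@evil.test/secure/",
]

if __name__ == "__main__":
    verdict, findings = triage_message(SAMPLE_URLS, "bank.example", "bank")
    print("verdict:", verdict)
    for url, reasons in findings.items():
        print(" ", url, "->", reasons or ["on bank domain"])
```

&lt;br /&gt;The verdict logic encodes the point made above: the real login page that the malware opens alongside the download really is on the bank's site, so one legitimate URL in the message must not clear it; one off-domain executable is enough.&lt;br /&gt;&lt;br /&gt;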
&lt;a href="http://blog.trendmicro.com/who-fears-german-bank-certificates/"&gt;Trend Micro has a posting about the same attack against a German bank.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-7186887780892420145?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/7186887780892420145/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=7186887780892420145" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/7186887780892420145?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/7186887780892420145?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/6xSgPfarYaI/phishing-with-malware.html" title="Phishing with Malware" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_4x76DeWu9xs/SPY5SvoqOkI/AAAAAAAAACo/CNj9O6V6_60/s72-c/key5-1.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/10/phishing-with-malware.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE8HQnw4eCp7ImA9WxRRGUg.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-8969976395947174748</id><published>2008-10-02T09:48:00.003-04:00</published><updated>2008-10-02T10:13:53.230-04:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2008-10-02T10:13:53.230-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><title>Malware Challenge Contest In Full Swing!</title><content type="html">The &lt;a href="http://www.malwarechallenge.info"&gt;malware challenge contest&lt;/a&gt; began yesterday and from what we can tell it's very popular.  According to our logs, we had over 100 downloads of the malware for the challenge from over a dozen countries.&lt;br /&gt;&lt;br /&gt;For those who don't know yet, the malware challenge is a contest to analyze a piece of malware and find out what it does.  The contest runs from October 1 to October 26 and the results will be presented at the Ohio Information Security Summit.  &lt;a href="http://www.malwarechallenge.info/sponsors.html"&gt;Of course, we have lots of cool prizes to give away!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We have made the contest so that if you are new to malware analysis you'll still have a great shot at winning prizes.  We're going to be looking more at the way people analyze the malware as opposed to whether they get the right answers.  In other words, if you're unsure about it, still participate.  The worst that can happen is you learn something in the process and win a cool prize!&lt;br /&gt;&lt;br /&gt;Also, thanks to all who have been helping advertise it!  
Without you no one would know about the contest.&lt;br /&gt;&lt;br /&gt;I look forward to seeing everyone's submission!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-8969976395947174748?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/8969976395947174748/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=8969976395947174748" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8969976395947174748?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8969976395947174748?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/2FPig3GQE_g/malware-challenge-contest-in-full-swing.html" title="Malware Challenge Contest In Full Swing!" 
/><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/10/malware-challenge-contest-in-full-swing.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkIFQ388cCp7ImA9WxRRF00.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-2931207683008661597</id><published>2008-09-29T10:48:00.002-04:00</published><updated>2008-09-29T11:01:52.178-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-29T11:01:52.178-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="conference" /><category scheme="http://www.blogger.com/atom/ns#" term="presentation" /><title>OWASP NYC AppSec Recap</title><content type="html">The OWASP NYC AppSec conference was this past week and I was lucky enough to be one of the speakers there.  Overall, the conference was great and OWASP did a tremendous job doing everything they could to make the conference go as smoothly as possible.  The organizers should be commended for the job they did.&lt;br /&gt;&lt;br /&gt;In the opening keynote, the organizers stated that this was the largest web app security conference in the world and I could see why.  I believe there were over 800 people at the conference and every talk I went to was packed.  While I went to many talks, there are a few that really stood out.  They are:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Malspam - Garth Bruen, &lt;a href="http://www.knujon.com/"&gt;knujon.com&lt;/a&gt;&lt;/span&gt; - Garth talked about what knujon has been able to accomplish over the last few months and it's been quite impressive.  
He has been gathering a lot of data on illicit networks and has found a clear link between porn, drugs and malware on the Internet.  He gave one example of where an illegal pharma site was shut down and two days later it was serving up porn and malware.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Security Assessing Java RMI - Adam Boulton, Corsaire&lt;/span&gt; - This was an excellent talk on how to assess the Java Remote Method Invocation (RMI) APIs/tools/whatever from Sun.  Basically, RMI is a distributed computing API for Java and has been part of the core JDK since 1.1 (java.rmi package).  It's analogous to .NET Remoting, RPC or CORBA.  Adam went over some methods for attacking RMI apps and previewed a tool of his named "RMI Spy" which (I believe) he'll be releasing.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Flash Parameter Injection - Ayal Yogev &amp;amp; Adi Sharabani, IBM&lt;/span&gt; - This talk was about how to inject your own data into flash applications, the result being XSS, XSRF, or anything you can think of to attack the client.  Basically, Flash applications have global variables which can be assigned as parameters (flashvars, or parameters on the movie's URL) when loading the flash movie in a web page.  If the global variables are not initialized properly (and they usually aren't) then an attacker who controls those parameters can set them to values of his choosing, for example to load his own flash apps, and own the client.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;APPSEC Red/Tiger Team Projects, Chris Nickerson&lt;/span&gt; - The next talk was probably one of the best I attended at the conference.  Chris Nickerson was one of the guys on the ill-fated Tiger Team show and is a really cool guy - I talked to him for some time at the OWASP party the night before.  He stated in his talk that pen testing applications does not show how a "real world attack" would happen.  By performing a red/tiger team approach to an application test, you are able to show the client how an attack would occur and how their app would be broken into.  
In other words, if someone wants the data in an app they're not just going to bang on it from the Internet - they're going to go to the client site and try to get information from there through various methods.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Of course, those are brief descriptions of the talks.  The conference will be releasing all talks on video so I recommend watching the videos - they will be worth it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-2931207683008661597?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/2931207683008661597/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=2931207683008661597" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/2931207683008661597?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/2931207683008661597?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/_TMjxt-RVWI/owasp-nyc-appsec-recap.html" title="OWASP NYC AppSec Recap" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/09/owasp-nyc-appsec-recap.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DEAFRXw6eSp7ImA9WxRSF0k.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-4486034470281500652</id><published>2008-09-18T09:38:00.005-04:00</published><updated>2008-09-18T10:05:14.211-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-18T10:05:14.211-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="challenge" /><title>Malware Analysis Contest</title><content type="html">Last night at the &lt;a href="http://www.neoinfosecforum.org/"&gt;NE Ohio Information Security Forum&lt;/a&gt; and the &lt;a href="http://www.securityjustice.com/"&gt;Security Justice podcast&lt;/a&gt;, I made an announcement about a malware analysis contest that Greg and I are putting on.&lt;br /&gt;&lt;br /&gt;Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at &lt;a href="http://www.malwarechallenge.info/"&gt;http://www.malwarechallenge.info&lt;/a&gt;.  In the challenge participants will download a malware sample to analyze.  The site will have a list of questions for participants to answer and send in.  We will judge the answers and those scoring the highest will win prizes.&lt;br /&gt;&lt;br /&gt;We have some great prizes donated by some very cool companies.  To only name some, &lt;a href="http://www.hex-rays.com/"&gt;Hex-Rays&lt;/a&gt; is donating a copy of IDA Pro and &lt;a href="http://www.nostarch.com/"&gt;No Starch Press&lt;/a&gt; is donating a copy of Chris Eagle's IDA Pro book.  &lt;a href="http://www.pearsonhighered.com/"&gt;Addison-Wesley&lt;/a&gt; and &lt;a href="http://www.korelogic.com/"&gt;KoreLogic Security&lt;/a&gt; are also donating prizes (yet to be announced).&lt;br /&gt;&lt;br /&gt;I want to emphasize that you don't need to be a malware analysis expert in order to have a chance to win.  The challenge is about learning.  You don't need to get the answers 100% correct in order to win a prize.  
The goal is to learn malware analysis skills, try out new tools and have some fun in the process.&lt;br /&gt;&lt;br /&gt;We're also looking for more companies to donate prizes.  If you think your company would like to donate something for the contest, please contact me.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.malwarechallenge.info/"&gt;Please spread the word about the challenge&lt;/a&gt;.  I'll be posting again once the challenge goes live to remind everyone!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-4486034470281500652?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/4486034470281500652/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=4486034470281500652" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4486034470281500652?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4486034470281500652?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/rGup4IPEKE0/malware-challenge-contest.html" title="Malware Analysis Contest" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/09/malware-challenge-contest.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;A0QEQno5fCp7ImA9WxRSFEU.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-7102234140847899152</id><published>2008-09-15T10:26:00.002-04:00</published><updated>2008-09-15T10:35:03.424-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-15T10:35:03.424-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="conference" /><category scheme="http://www.blogger.com/atom/ns#" term="presentation" /><title>Upcoming Appearances</title><content type="html">As some know, I will be speaking at the &lt;a href="http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference"&gt;OWASP NYC AppSec&lt;/a&gt; conference next week on "Automated Web-based Malware Behavioral Analysis".  Unfortunately, I'll be presenting over lunch so I'm limiting it to about 20 minutes of talking so people can eat and not listen to me.  If anyone wants to get together while at the conference, let me know.&lt;br /&gt;&lt;br /&gt;As always, the &lt;a href="http://www.neoinfosecforum.org"&gt;NE Ohio Information Security Forum&lt;/a&gt; is this Wednesday and I will be in attendance.  I encourage anyone to come out and join us.  We'll be having lots of great speakers as well as free food and drink.  Afterwards, we'll be going to &lt;a href="http://www.maviswinkles.com/"&gt;Mavis Winkles&lt;/a&gt; to record the next episode of the &lt;a href="http://securityjustice.com/"&gt;Security Justice podcast&lt;/a&gt;.  I'll also be making a special announcement at the forum and the podcast concerning something Greg and I are doing at this year's &lt;a href="http://www.informationsecuritysummit.org/"&gt;Ohio Information Security Summit&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Finally, I'd like to thank &lt;a href="http://twitter.com/mubix"&gt;mubix&lt;/a&gt; for having me as a &lt;a href="http://www.room362.com/archives/226-Runtime-Packers-hold-the-cheese.html"&gt;guest poster concerning packers on his blog&lt;/a&gt;.  
Very cool.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-7102234140847899152?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/7102234140847899152/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=7102234140847899152" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/7102234140847899152?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/7102234140847899152?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/yn1oXHRzINI/upcoming-appearances.html" title="Upcoming Appearances" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/09/upcoming-appearances.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkcMSXc9eCp7ImA9WxRSEUk.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-5785766652997188497</id><published>2008-09-11T11:26:00.005-04:00</published><updated>2008-09-11T11:48:08.960-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-11T11:48:08.960-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><title>Flux Agent Geographic Distribution</title><content type="html">I've been looking into a fast flux botnet for the past day which came in the form of some banking malspam.  
If you don't know what fast flux networks are, check out the &lt;a href="http://project.honeynet.org/papers/ff/"&gt;Honeynet Project's Know Your Enemy&lt;/a&gt; paper on them - it's one of the best resources out there.&lt;br /&gt;&lt;br /&gt;I set up a script to resolve the DNS name of the website which held the malware on it.  The DNS record expired every 1500 seconds (25 minutes) so my script would perform the lookup, wait 25 minutes, perform another lookup, rinse, repeat.  I did this for about 24 hours.  The purpose was to see where the flux agents for the botnet were residing.&lt;br /&gt;&lt;br /&gt;In the end, I had 88 unique IP addresses acting as flux agents residing in 21 different countries.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;img src="http://chart.apis.google.com/chart?cht=p&amp;amp;chs=500x250&amp;amp;chd=t:18,15,7,6,6,5,5,4,4,4,3,2&amp;amp;chl=RO%7CIL%7CKR%7CJP%7CGB%7CRU%7CES%7CUS%7CHU%7CDE%7CUA%7CFR&amp;amp;chco=ff8800&amp;amp;chtt=Flux+Agent+Geographic+Distribution%7cCountries+%3e+1" /&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Interestingly, while most were coming from Romania (18), the second largest group was from Israel (15) and there were no .edu's in the mix.  
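&lt;br /&gt;&lt;br /&gt;The polling loop described above, written out as an added example (this is not the script from the original post): resolve the name once per TTL window, keep every distinct address handed out, count how many windows changed the answer set, and break the agents down by country.  The resolver and the IP-to-country lookup are passed in as callables so it runs offline; the hostname, addresses and country map in the sample are constructed, not the 88 agents observed here, and the thresholds in the verdict function are assumptions to tune, not figures from the post.&lt;br /&gt;

```python
"""Poll a fast-flux hostname once per TTL window and map the flux agents.

Added example, not the script from the original post. It takes the
resolver and the IP-to-country lookup as callables so it can run offline;
the hostname, addresses and country map below are constructed sample data,
not the 88 agents the post observed.
"""
import socket
import time
from collections import Counter


def resolve_live(hostname):
    """Every IPv4 address the resolver currently returns for hostname."""
    _canonical, _aliases, addresses = socket.gethostbyname_ex(hostname)
    return sorted(set(addresses))


def track_flux_agents(hostname, rounds, ttl_seconds=1500,
                      resolve=resolve_live, sleep=time.sleep):
    """Look the name up once per TTL window, rounds times.

    Returns (seen, churn): seen counts, per IP, the rounds in which it was
    handed out; churn counts the rounds whose answer set differed from the
    previous round's, which is the signal that the name is fluxing.
    """
    seen = Counter()
    churn = 0
    previous = None
    for round_no in range(rounds):
        answers = set(resolve(hostname))
        seen.update(answers)
        if previous is not None and answers != previous:
            churn += 1
        previous = answers
        if round_no + 1 != rounds:
            sleep(ttl_seconds)   # let the cached record expire before asking again
    return seen, churn


def country_breakdown(addresses, lookup_country):
    """Distinct agents per country code, most common first."""
    return Counter(lookup_country(ip) for ip in addresses).most_common()


def looks_like_fast_flux(seen, churn, rounds, breakdown,
                         min_agents=20, min_countries=5, min_churn=0.5):
    """Heuristic verdict (thresholds are assumptions): many distinct agents,
    spread over many countries, with the answer set changing in most TTL
    windows. A CDN also rotates answers, but within a few countries and
    provider netblocks; consumer addresses in twenty countries behind one
    name are the flux signature."""
    if rounds > 1:
        churn_ratio = churn / (rounds - 1)
    else:
        churn_ratio = 0.0
    return (len(seen) >= min_agents
            and len(breakdown) >= min_countries
            and churn_ratio >= min_churn)


# Constructed sample: eight made-up agents in four countries, with the
# resolver handing out three of them per answer and rotating each round.
SAMPLE_AGENTS = {
    "10.0.0.1": "RO", "10.0.0.2": "RO", "10.0.0.3": "RO",
    "10.0.1.1": "IL", "10.0.1.2": "IL",
    "10.0.2.1": "KR", "10.0.2.2": "KR",
    "10.0.3.1": "US",
}
SAMPLE_ORDER = sorted(SAMPLE_AGENTS)


def make_sample_resolver(per_answer=3):
    """Offline stand-in for resolve_live that rotates through SAMPLE_ORDER."""
    state = {"calls": 0}

    def resolve(_hostname):
        start = state["calls"] * per_answer
        state["calls"] += 1
        return [SAMPLE_ORDER[(start + k) % len(SAMPLE_ORDER)]
                for k in range(per_answer)]
    return resolve


if __name__ == "__main__":
    seen, churn = track_flux_agents("flux.example.invalid", rounds=4,
                                    resolve=make_sample_resolver(),
                                    sleep=lambda _s: None)
    breakdown = country_breakdown(seen, SAMPLE_AGENTS.get)
    print(len(seen), "distinct agents, churn", churn, "of 3 windows")
    print(breakdown)
    print("fast flux?", looks_like_fast_flux(seen, churn, 4, breakdown,
                                             min_agents=8, min_countries=4))
```

&lt;br /&gt;Against a live name you would pass the real resolver and the real sleep (the defaults), plus a GeoIP lookup of your choice in place of the sample dictionary; the stdlib resolver does not expose the TTL, so the 1500-second wait is taken from a separate dig of the record, as in the post.&lt;br /&gt;&lt;br /&gt;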
Remember, these are the flux agents, not the members of the botnet.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-5785766652997188497?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/5785766652997188497/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=5785766652997188497" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5785766652997188497?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5785766652997188497?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/WmsQlyCRxhw/flux-agent-geographic-distribution.html" title="Flux Agent Geographic Distribution" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/09/flux-agent-geographic-distribution.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0cBQH04fip7ImA9WxRSEU0.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-9154299201197413945</id><published>2008-09-10T22:08:00.007-04:00</published><updated>2008-09-10T22:44:11.336-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-10T22:44:11.336-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="spam" /><title>I love getting spam, redux</title><content type="html">&lt;a 
href="http://secshoggoth.blogspot.com/2008/05/i-love-getting-spam.html"&gt;Back in May&lt;/a&gt; I blogged about a site named &lt;a href="http://www.knujon.com"&gt;Knujon&lt;/a&gt;, run by Garth Bruen, which was attempting to fight the good fight against spam not by attempting to shut down the spammers themselves, but by attempting to shut down the domains for the sites spam is advertising.  His theory is sound, but how effective was it?  I signed up for the Knujon service, downloaded a Thunderbird extension to send the spam I received to Knujon and have been watching the reports.&lt;br /&gt;&lt;br /&gt;Before I go on, let me just say that with the email accounts that I use Thunderbird to check I probably receive close to 500-1000 spam a day.  Thunderbird does a fairly good job of recognizing them as junk and putting them in my Junk folder.  When I run my Knujon extension it attaches them to an email and sends it to Knujon to process.&lt;br /&gt;&lt;br /&gt;By logging into the site you receive status reports on the emails you have sent them.  From the statistics available, you can see how many domains they have received, how many are pending suspension and how many have been suspended.&lt;br /&gt;&lt;br /&gt;As of 9/9/08, Knujon has received 7,115 sites from me that were being advertised in spam.  So far, 291 domains are pending suspension and 270 domains have been completely removed.  
Not bad for only 5 months of sending emails.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://chart.apis.google.com/chart?cht=p3&amp;amp;chd=t:4.09,3.79,92.12&amp;amp;chs=350x150&amp;amp;chl=Pending%7CSuspensions%7CNo%20Action&amp;amp;chtt=Your%20Progress"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://chart.apis.google.com/chart?cht=p3&amp;amp;chd=t:4.09,3.79,92.12&amp;amp;chs=350x150&amp;amp;chl=Pending%7CSuspensions%7CNo%20Action&amp;amp;chtt=Your%20Progress" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;For the amount of effort that I have had to put in to Knujon (almost none), I am very impressed with the results.  Garth Bruen is making a lot of progress in his work - according to the site they have shut down 79,500 domains with another 33,671 pending. &lt;br /&gt;&lt;br /&gt;I highly encourage everyone to sign up on Knujon.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-9154299201197413945?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/9154299201197413945/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=9154299201197413945" title="5 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/9154299201197413945?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/9154299201197413945?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/KmlWsYcZ_oo/i-love-getting-spam-redux.html" title="I love getting spam, redux" /><author><name>Security 
Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">5</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/09/i-love-getting-spam-redux.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0ABQn84fip7ImA9WxRTFk8.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-1322344946790609130</id><published>2008-09-05T11:32:00.003-04:00</published><updated>2008-09-05T11:49:13.136-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-05T11:49:13.136-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="exploits" /><category scheme="http://www.blogger.com/atom/ns#" term="attack" /><title>SEO Code Injection</title><content type="html">Gunter Ollmann posted an excellent article explaining SEO Code Injection attacks at &lt;a href="http://technicalinfo.net/papers/SEOCodeInjection.html"&gt;http://technicalinfo.net/papers/SEOCodeInjection.html&lt;/a&gt;.  This is one of the best explanations of the attack I've read.  Go read it.  NOW!&lt;br /&gt;&lt;br /&gt;SEO code injection attacks have been gaining popularity with those evil malware authors as a way to get unsuspecting victims to their attack pages.  A few highly publicized attacks were done earlier this year which resulted in a lot of headaches for some major sites.  
Dancho Danchev has a lot of excellent information on these attacks on &lt;a href="http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html"&gt;his blog&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-1322344946790609130?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/1322344946790609130/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=1322344946790609130" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1322344946790609130?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1322344946790609130?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/BN-SPKK_VlM/seo-code-injection.html" title="SEO Code Injection" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/09/seo-code-injection.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C08ARnw6eip7ImA9WxRTEEk.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-4579687227983087690</id><published>2008-08-29T16:19:00.006-04:00</published><updated>2008-08-29T16:30:47.212-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-08-29T16:30:47.212-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="dumb criminals" /><title>Not the 
smartest...</title><content type="html">I was looking at a bot the other day I received through email.  The "botmaster" (and I use that term loosely) was using a mIRC-based bot, something I haven't seen in a long time.  It wasn't packed, didn't perform any tricks to get installed, etc.  Everything screamed amateur.&lt;br /&gt;&lt;br /&gt;So, I ran it through my honeynet and just sat there and watched.  Since it was mIRC I could open it up and just watch the channel.  To my complete amazement, after confirming I was a bot (by asking me to echo some text back to him) the "botmaster" gave me admin access to the IRC channel.  Huh!?!&lt;br /&gt;&lt;br /&gt;(In the picture below the botmaster is @Gigi, my infection is @Childse.)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_4x76DeWu9xs/SLhbd50i2VI/AAAAAAAAACY/qJEm8buBtrU/s1600-h/stupid-moron-blog.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_4x76DeWu9xs/SLhbd50i2VI/AAAAAAAAACY/qJEm8buBtrU/s400/stupid-moron-blog.png" alt="" id="BLOGGER_PHOTO_ID_5240038735741114706" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;So, what is a self-respecting malware analyst like myself to do?  Oh, I don't know.   
:)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_4x76DeWu9xs/SLhcD6pvJ_I/AAAAAAAAACg/_T3KpeZimZs/s1600-h/banned-botmaster-blog.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_4x76DeWu9xs/SLhcD6pvJ_I/AAAAAAAAACg/_T3KpeZimZs/s400/banned-botmaster-blog.png" alt="" id="BLOGGER_PHOTO_ID_5240039388799248370" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-4579687227983087690?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/4579687227983087690/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=4579687227983087690" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4579687227983087690?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/4579687227983087690?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/JD2zR2y_w4E/not-smartest.html" title="Not the smartest..." 
/><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_4x76DeWu9xs/SLhbd50i2VI/AAAAAAAAACY/qJEm8buBtrU/s72-c/stupid-moron-blog.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/08/not-smartest.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkEGR389cSp7ImA9WxdaF0s.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-5344783682815666243</id><published>2008-08-26T09:59:00.005-04:00</published><updated>2008-08-26T10:23:46.169-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-08-26T10:23:46.169-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><title>Olympic Travelers Return...Bearing Gifts?</title><content type="html">Now that the Olympics are over everyone who was lucky enough to go will be traveling back home and coming back in to work.  Surely they'll be bringing the souvenirs they bought in Beijing - buttons, pins, T-shirts.  But what about electronics?&lt;br /&gt;&lt;br /&gt;China knows trade and knows an opportunity to increase sales in their country so they obviously did everything they could to ensure tourists could access Chinese markets and purchase their (cheap) goods.  Did these include electronics?  &lt;a href="http://www.freep.com/apps/pbcs.dll/article?AID=/20080812/BLOG26/80812001/1236"&gt;Absolutely!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;While I have no first-hand accounts of this and am speculating, I'm sure many of the recent Olympic visitors toured the Chinese markets and saw great deals on USB watches, digital frames, laptops and other computer accessories and picked them up.  
Soon these same people will be bringing their newly-obtained items into their homes and hooking them up to their personal (or work) computers or, if administrators are lucky, they'll be bringing them to work to display (and use) on their desktops.&lt;br /&gt;&lt;br /&gt;Anything to worry about?  Naw, I'm sure we'll be fine.  &lt;a href="http://securid.wordpress.com/2008/05/10/almost-pwnd-by-my-watch/"&gt;There's never been any instance of malware coming from Chinese hardware.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If anyone hears about anything like this, let me know please.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-5344783682815666243?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/5344783682815666243/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=5344783682815666243" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5344783682815666243?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/5344783682815666243?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/YsRYolZH_-E/olympic-travelers-returnbearing-gifts.html" title="Olympic Travelers Return...Bearing Gifts?" 
/><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/08/olympic-travelers-returnbearing-gifts.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk8CRng7cSp7ImA9WxdaFEg.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-3856871783797900755</id><published>2008-08-22T21:21:00.004-04:00</published><updated>2008-08-22T21:27:47.609-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-08-22T21:27:47.609-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="physical security" /><title>Hotel Lobby Security</title><content type="html">I'm not a physical security guy, but I am learning.  I found some pictures that I took at the hotel for a conference I was at earlier this year.&lt;br /&gt;&lt;br /&gt;Some background: The hotel is a resort hotel where the main building contains the registration desk, some restaurants/bars and meeting rooms.  That leads to a large outside pool.  Surrounding the pool are three large towers which contain all of the rooms.  The towers have two entrances - one from the pool area and one from the parking lot.  The picture below is taken as if you were coming in from the parking area.  
(Notice the computer used for theme park reservations - this was left unattended, but turned on, after 5PM.)&lt;br /&gt;&lt;br /&gt;Can you spot the security flaw?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_4x76DeWu9xs/SK9mtENA3vI/AAAAAAAAAB4/dqxkh0zDxbA/s1600-h/lobby.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_4x76DeWu9xs/SK9mtENA3vI/AAAAAAAAAB4/dqxkh0zDxbA/s320/lobby.jpg" alt="" id="BLOGGER_PHOTO_ID_5237517816063647474" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;What about now?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_4x76DeWu9xs/SK9m4f-gMcI/AAAAAAAAACA/IMFLy6vNxFo/s1600-h/camera.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_4x76DeWu9xs/SK9m4f-gMcI/AAAAAAAAACA/IMFLy6vNxFo/s320/camera.jpg" alt="" id="BLOGGER_PHOTO_ID_5237518012497539522" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;While I'm glad they have cameras in the lobbies, I find it very pointless to have the plug about 6 inches away.  BTW, the ceilings were maybe 7 feet high so it's not like someone couldn't reach up to unplug it.  
While I never unplugged it to see how fast security would respond, if at all, I found this very interesting and have been noticing physical security flaws like this much more.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-3856871783797900755?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/3856871783797900755/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=3856871783797900755" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3856871783797900755?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/3856871783797900755?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/BhNhtYclVsI/hotel-lobby-security.html" title="Hotel Lobby Security" /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_4x76DeWu9xs/SK9mtENA3vI/AAAAAAAAAB4/dqxkh0zDxbA/s72-c/lobby.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/08/hotel-lobby-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEIHSXg6fip7ImA9WxdaEEU.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-8066811988203538311</id><published>2008-08-18T13:40:00.004-04:00</published><updated>2008-08-18T14:02:18.616-04:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2008-08-18T14:02:18.616-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><title>Is Free Better?</title><content type="html">I'm a geek at heart so I take part in a lot of geek-related activities.  One of the ones I've gotten into within the last few years is &lt;a href="http://www.boardgamegeek.com"&gt;boardgaming.&lt;/a&gt;  Not your typical games like Monopoly, Scene-It or Risk (although I love Risk), but euro-games which, IMO, have a lot more strategy in them.  It is because of this hobby I was at a LFGS the other night playing games with the local boardgaming group.&lt;br /&gt;&lt;br /&gt;We were playing a game of &lt;a href="http://www.fantasyflightgames.com/arkhamhorror.html"&gt;Arkham Horror&lt;/a&gt; and in between turns one of my fellow gamers and I were talking about the laptop he had just brought and was playing with.  He said it was mostly set up, but he had to go out and buy the latest AV suite to make sure it was protected.  I mentioned that there was free AV software available which, IMO, was just as good as the commercial software.  His response was that he had used them before, had liked them, but wanted the assurance he felt when he purchased the AV software.  I was a little dumbfounded by his comment.&lt;br /&gt;&lt;br /&gt;From his perspective, he felt safer paying $50+ for an AV suite of software than using free AV software which, by his own admission, would protect him just as well.  I've seen this mentality in the corporate world as well.  Corporations would rather shell out a large amount o' cash for security suites or devices than use, just as good or better, free software because they felt safer paying for it.  After all, if they are paying for it and it fails, they have someone to sue.&lt;br /&gt;&lt;br /&gt;This post isn't meant to start a fight on commercial vs free software.  
I'm just confused by the perception out there in the corporate, or in the first case, the user world that paying for something will get you more protection than using free software.  I guess I'm just surprised that this point of view is taken by end-users as well.&lt;br /&gt;&lt;br /&gt;Has anyone else seen examples of this?  Any good stories to share?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-8066811988203538311?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/8066811988203538311/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=8066811988203538311" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8066811988203538311?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/8066811988203538311?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/xQkn-2wPAAw/is-free-better.html" title="Is Free Better?" 
/><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/08/is-free-better.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkYBRX8yeyp7ImA9WxdbEk0.&quot;"><id>tag:blogger.com,1999:blog-2672754150485551359.post-1796999102570514341</id><published>2008-08-08T09:47:00.002-04:00</published><updated>2008-08-08T10:02:34.193-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-08-08T10:02:34.193-04:00</app:edited><title>Another update...</title><content type="html">Unfortunately, I'm not at BlackHat/Defcon this week so I don't have any really cool stories about 0-day attacks, vendor parties or Vegas.  However, it's been a week since my last post so I thought I'd put something on.  (In reality I'm avoiding writing a report.)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.khallenge.com/"&gt;Khallenge&lt;/a&gt; has come and gone.  I was able to get through the first level in 36 minutes.  Not bad, but I should have been able to do better than that so I'm personally disappointed.  The level 1 password was XOR encoded so it was pretty easy to find once you found the right section of code.  I got level 2, but due to other pressing issues (i.e. work) I was unable to finish it.  I'm pretty sure the password was RC4 encrypted, but I'm not 100% sure.  I'll have to wait for F-Secure to post the results.&lt;br /&gt;&lt;br /&gt;One funny thing did happen during the contest.  At one point something happened to the Khallenge website and the directory index came up instead of the page.  Using that I was able to download all of the contest binaries.  
F-Secure fixed it pretty quickly and changed the directories the binaries were in.&lt;br /&gt;&lt;br /&gt;Because of &lt;a href="http://www.spylogic.net/"&gt;agent0x0&lt;/a&gt;, who is living it up in Vegas as we speak, I've become addicted to &lt;a href="http://twitter.com/secshoggoth"&gt;Twitter&lt;/a&gt;.  I have to admit I was skeptical at first, but it is a great tool for information sharing and meeting others in the field, as well as just fooling around.  What's worse is that I have my phone hooked up to it now.  :)  If you're on it, &lt;a href="http://twitter.com/secshoggoth"&gt;follow me&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2672754150485551359-1796999102570514341?l=secshoggoth.blogspot.com'/&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://secshoggoth.blogspot.com/feeds/1796999102570514341/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=2672754150485551359&amp;postID=1796999102570514341" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1796999102570514341?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/2672754150485551359/posts/default/1796999102570514341?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/TheSecurityShoggoth/~3/SsYRxPr6cMo/another-update.html" title="Another update..." /><author><name>Security Shoggoth</name><uri>http://www.blogger.com/profile/15411793726236555303</uri><email>securityshoggoth@gmail.com</email><gd:extendedProperty name="OpenSocialUserId" value="01799221013624566592" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://secshoggoth.blogspot.com/2008/08/another-update.html</feedburner:origLink></entry></feed>
