Happy New Year 2010, Greetings from Warlock !

( Yup, he ain’t dead yet )

Now we had some request to post this earlier and through the Warlock blog, and since most of you found the previous 2008 and 2009 ” security predictions” posts useful, we hope you find this useful too !

• Well you guessed it ! Social Networks topped the list for 2010, with malware targetting Social Network sites like Koobface (that appeared for Facebook) to be more common,

• File Sharing Sites (Rapidshare, other file share services utilizing cloud computing , yup that includes torrents *smile* ) will continue to be a prime target,

• Botnets and Botnet gang partnerships will increase dramatically this year,

• Adobe Acrobat and Flash Attacks

• iPhone and Android Massive Attacks !

• New wave of attacks on Web services such as the new Google wave, is a hot cake

• Traditional exploit epidemics will continue as 2009 was rather quiet compared to 2008

That’s it folks , Put your security hats on , and all the best !

Hasta La Vista for now !

Two of these upcoming critical updates address the targets of active hacking attacks - a vulnerability in SMBv2 (Server Message Block, version 2) and a security flaw in the FTP component in Microsoft’s IIS web server software.

Other patches cover IE, Office, developer tools, and SQL Server. All supported versions of Windows will need patching for one reason or another, including Windows 7. The operating system doesn’t ship till 22 October but its RTM code needs patching ahead of that to defend against critical IE8-related security bugs.

The 13 bulletins compare with the previous high-water mark of 12, reached by Microsoft in February 2007 and equalled in October 2008.

For a PoC Code by Metasploit on SMBv2 click here

See here on how to disable SMBv2

Here are a few links to softwares and techniques you can use to have a safer, better, browsing and online experience !

Online Browsing Privacy

Fix:

- Try using your browsers Private Browsing features ( In Private for IE8 )

- Firefox users, you could try “Distrust” (http://www.gness.com/distrust/)

- Instruct IE to save its cache to a portable drive that you keep plugged in whenever you need to use the browser
(Open the Internet Options control panel, click the Settings button in the Temporary Internet Files section, click the Move Folder button, and navigate to a folder on your external drive.)

- Using a software utility to wipe the cache securely after you’re done surfing.
Try Eraser (http://www.heidi.ie/eraser/)

- Secunia Personal Software Inspector ( http://secunia.com/)

- If you suspect a virus infected file , go ahead to VirusTotal (http://www.virustotal.com/) , get the file scanned online by over 35 different AV engines.

Anti Phishing - The best approach, and the most straightforward, is never to click a link in any e-mail message to access your confidential sites. Instead, always type the URL or use a bookmark. That one habit will protect you from almost every phishing attack.

But no browser can completely prevent sites from tracking your visit. For better anonymity, use Anonymizer (http://www.anonymizer.com/) or the excellent Tor or The Onion Ring ( http://tor.eff.org/).

Password Privacy

Why You Should Care: Your passwords are the keys to everything you’ve locked inside.
These days everyone has a LinkedIn account, a Facebook profile, and a Twitter feed, and these information make it all too easy to guess the answers to commonly used security questions such as the high school you attended or the name of your dog. You may have blogged about these things half a dozen times or more.

Fix:

Use a password manager religiously, and back up your password files. Portableapps.com version of the KeePass software (http://portableapps.com/) is a good place to start. And once you’ve created a random, unguessable password, generate a second, different password in the manager - use as the answer to the inevitable “mother’s maiden name” question (or questions).

Mom may not appreciate being identified as Miss L33t#r5, but no one will ever guess that that’s how you listed her in your “secret questions” data sheet.

Also If you can restart a public PC that you need to use, then bring your own bootable OS ( XP, Linux, etc ) and preload it with an AV , Password Manager that could be downloaded at PortableApps.com

Also Be careful of Using Laptops in Hotspots for your Online Banking Needs !

Cell Phone Security

Fix:

Before you ditch an old phone, use your phone’s reset codes or menu options to clear your message archives and your contacts list. Check the ReCellular Data Eraser (http://www.recellular.com/recycling/data_eraser/) page to learn how to reset your phone, and follow the instructions there.

Fake Anti-Malware

Scenario: Fraudulently advertised, ineffective antimalware ranks among the fastest-growing types of online scams. Products with names like DriveCleaner, WinFixer, Antivirus XP, and Antivirus 2009 are touted through online ads that simulate Windows alert messages, warning you that your computer is infected with some sort of malware and advising you to buy a particular antivirus product to fix it.

Fix : Use a real anti malware , based on ratings done by independent researchers

OS Exploit Attacks ( 0h Day )

Fix : Smile and Pray

You just have to keep up on the latest security news and visit update.microsoft.com as soon as you hear about any out-of-band patches, rather than waiting for Automatic Updates to kick in.

In 2008 :

67% percent of the attacks in 2008 were “for profit” motivated.

Ideological hacking came second.

With 20%, good old SQL injections dominated as the most common techniques used in the attacks.

XSS finished 4th with 12 percent and the young and promising CSRF is still only seldom exploited out there and was included in the “others” group.

In 2009:

1. Bots will be the dominant issue for 2009

2. Web 2.0 services and sites will come under targeted attacks – XSS & CSRF

3. Social networking sites will continue to provide helpless victims.

4. Windows Vista will become a more appealing target to attackers.

5. Mobile Hacking – Blackberry & iPhone Hacking

6. Smarter malware – Obfuscation Techniques

7. Take advantage of opportunity – Corporate Espionage & Competitive Intelligence

8. Drive-by Pharming

Hi Guys ! Here is something *dangerous* for you to learn and experiment with.

This time, I thought I’d post about the recent JBIG2 Adobe Acrobat Universal Exploit (APSB09-01 (aka CVE-2009-0658))

The guys at Blacksecurity have written a very neat modification of the original blog post in the snort VRT blog posting (http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html)

The actual bug stems from a pointer-indexing issue when utilizing a specifically crafted JBIG2 structure. And the Blasksec folks have made it available in a pdf format.

All you have to do is :

1. Download the exploit here (Please dont use Adobe Acrobat *grin* )

2. Execute it on the victim machine

3. Telnet from another machine to the victim machine on port 5500. (Yup ! The exploit binds a shell to port 5500 )

Have fun, folks !

Read more about how it is done here

As i was reading TheStar Online , i came across this interesting *flawed?* article.

It says : Nigerian woman jailed for online scam

Then somewhere in between the article , it says

“Peace Okotie, 26, a business studies student at a private college here, is said to be the first person to be convicted under the Penal Code for such a scam.

Okotie from Benin, who changed her plea to guilty after a witness testified at her trial earlier, was also slapped with four months’ jail for overstaying in Malaysia after her student pass expired on July 22 last year. “

So, dude, Is she from Benin (purple below) or Nigeria (green below) ? or perhaps they mean the Benin City of Nigeria ? anyway, “Malaysia Boleh !”

Now this girl is convicted , Why ? you may ask .. Why then do we still get these types of Email Scams ? Shouldn’t the authorities go all out to catch all of them ? Or.. Was it , that the victim was an influential person ? One sided Justice, one may say. I say ” Malaysia Boleh ! “

Now , here is a tinker , to all of you , namely :

1. M. Mageswari - The Star Journalist
2. Magistrate Siti Shakirah Mohtarudin
3. DPP Azimul Azami Mohd Nor
4. Buang Md Sayuti - The infamous “victim”

” Why did the ‘innocent’ victim , entertain the e-mail in the first place ? “

Some may answer : ” Its your GREED. E-mail scam victims, and victims of GREED. The very thought that you have myteriously, or mistakenly been awarded USD 1 million “

I say : Malaysia Boleh !

I think this could make a very good topic for a talkshow.. Hitz, BFM , TV3 , Astro ?

Earlier this week, Cisco’s homepage was briefly classified by Websense as a hacking site.

This bungle happened as a result of their censorware, picking up an IP currently being used by Cisco, which was previously used by a hacking site.

As a result of this, corporate users of Websense’s web filtering technology were denied access to Cisco.com for about 15 minutes on Tuesday

The hosting IP of the site http://www.cisco.com/ was flagged for investigation for potential suspicious activity as the IP had formerly been in the hacking category.

After a thorough investigation the site was reviewed and identified safe for browsing within 15 minutes.

While I dont think the 15 minutes outage would have adversely affected Cisco.com traffic or users, however, this is a simple example of how false positives / alarms from security products could affect users.

MDD

pyCrypto

Volatility 1.3 Beta

Volatility Plugin from Moyix

ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.

After downloading MDD from the Mantech site you need to run the program at the command line.

MDD Command Line Usage:

mdd -o OUTPUTFILENAME

Step by Step Example :

First of all, run MDD to dump the memory of the machine. The output file , would be an image of the physical memory, and MDD is often used to only dump the memory.

C:\Documents and Settings\Administrator\Desktop\MDD>mdd_1.3.exe -o dump.dd

-> mdd

-> ManTech Physical Memory Dump Utility

Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w’

This is free software, and you are welcome to redistribute it

under certain conditions; use option `-c’ for details.

-> Dumping 511.48 MB of physical memory to file ‘dump.dd’.

130938 map operations succeeded (1.00)

0 map operations failed

took 32 seconds to write

MD5 is: 78924418adaf67d22a6687dcc6ff4e23

C:\Documents and Settings\Administrator\Desktop\MDD>

Next, we will need to analyze the “memory image” - dump.dd .

For this, we will be using Using Volatility (1.3_Beta), Volatility Plugin from Moyix, and a Windows Hash/Password Finder (SamInside) to identify the passwords.

1. First of all, most of these scripts are written in python, and as such, you would need to download and install a python interpreter (Active Python ).

2. Download Volatility (1.3_Beta) , extract it to a folder.

3. Download Volatility Plugin from Moyix, extract it, and copy its content into the Volatility folder, overwriting your existing forensics, memory_objects, and memory_plugins folders.

4. Download pyCrypto and install it.

5. Copy the dump.dd file (output file of MDD) into the Volatility folder.

6. Run hivescan from volatility to get the hive offsets. Execute the following:

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta> python volatility hivescan -f dump.dd

Offset (hex)

45147992 0×2b0e758

45393752 0×2b4a758

49832984 0×2f86418

56797016 0×362a758

58091352 0×3766758

64191328 0×3d37b60

145440776 0×8ab4008

146819936 0×8c04b60

147082080 0×8c44b60

197245792 0xbc1bb60

215368912 0xcd644d0

228964464 0xda5b870

244838408 0xe97f008

271077384 0×10285008

271171592 0×1029c008

361696096 0×158f0b60

373147760 0×163dc870

401433808 0×17ed64d0

425734152 0×19603008

435642376 0×19f76008

452021088 0×1af14b60

489651040 0×1d2f7b60

506391392 0×1e2eeb60

509397104 0×1e5cc870

526976208 0×1f6904d0

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>

7. Next, Run hivelist from volatility with the first hivescan offset, from previous output. Execute the following:

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>python volatility hivelist -f dump.dd -o 0×2b0e758

Address Name

0xe1cda008 \Documents and Settings\Administrator\Local Settings\Application Da

ta\Microsoft\Windows\UsrClass.dat

0xe1cc4008 \Documents and Settings\Administrator\NTUSER.DAT

0xe1afeb60 \Documents and Settings\LocalService\Local Settings\Application Dat

a\Microsoft\Windows\UsrClass.dat

0xe1b4c008 \Documents and Settings\LocalService\NTUSER.DAT

0xe1b13870 \Documents and Settings\NetworkService\Local Settings\Application D

ata\Microsoft\Windows\UsrClass.dat

0xe1b004d0 \Documents and Settings\NetworkService\NTUSER.DAT

0xe1609b60 \WINDOWS\system32\config\software

0xe160bb60 \WINDOWS\system32\config\default

0xe1741b60 \WINDOWS\system32\config\SAM

0xe1607008 \WINDOWS\system32\config\SECURITY

0xe142e418 [no name]

0xe1036758 \WINDOWS\system32\config\system

0xe1022758 [no name]

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>

8. Now that we have the address locations, Pay attention to SAM & SYSTEM addresses. Find Password Hash using this command : python volatility hashdump -f dump.dd -y System Hive Offset -s SAM Hive Offset.

python volatility hashdump -f dump.dd -y 0xe1036758 -s 0xe1741b60

Extracted SAM :

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HelpAssistant:1000:e342f6782d705142f81cce8f13488846:5cc6a7ed5dce2e04e648b8b6c14c9eed:::

SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:00fb5891d8488d816968e68a09a868b8:::

john:1003:972d6bbe1f00e65eaad3b435b51404ee:69bf94898385467264708f3cc51cf0a4:::

Now you can just open this as a pwdump file in SamInside and crack it !

Here is how your final output should look like ! Good Luck Guys !

When the clock strikes 12:00 noon in New York, Microsoft says it’ll release its much anticipated Internet Explorer 8 software to the world.

So take note when Microsoft announces an update to the Web-dominating software favored by your IT department.

Out of beta, Steve Ballmer claims that IE 8, “gets people to the information they need, fast, and provides protection that no other browser can match.”

Time will tell, eh hax0rs? Cansec West was interesting , with all the pwning of browsers going on… Only time will tell.. Short period of time , that is… Well, infact it’s already pwned *grin*

Internet Explorer 8 Homepage

CanSec West Pwn2Own Contest

Users who wind up happening across maliciously constructed websites will be exposed to a malicious script, categorised by Sophos as Reffor-A, designed to alarm users into purchasing a scareware package. Such scareware (fake anti-virus) packages are among the internet’s fastest growing nuisances. These applications typically attempt to frighten users into thinking their computers are riddled with malware, even if the PC is clean, as a ruse designed to trick people in purchasing ineffective clean-up tools.

Hackers regularly take advantage of breaking news story, often acting in advance of any kind of security response.

Previous situations have been during Benazir Bhutto’s death, Valentine’s Day, President Obama’s Inauguration, and others.

Recently for example, hackers exploited confusion created by the Symantec / PIFTS.EXE incident earlier this month and similar keyword stuffing tactics, to draw surfers towards rogue sites, also punting fake anti-malware scanning software.

Talk about creativity !

Read more from Sophos Blog