Sunday, March 28, 2010

Flint – Web-based Firewall Rule Scanner

Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems so you can:

• CLEAN UP RUSTY CONFIGURATIONS that are crudded up with rules that can’t match traffic.
• ERADICATE LATENT SECURITY PROBLEMS lurking in overly-permissive rules.
• SANITY CHECK CHANGES to see if new rules create problems.
Flint is absolutely free. There’s no catch. You can download the source from the git repository. This isn’t the “play at home” version; it’s their second product, and they want to do it open source.



Why You Need Flint

You have multiple firewalls protecting internal networks from the Internet and controlling access to customer data. Your business changes, and so do your firewalls, and not always at the same time. Firewalls can get out of step with policies.

Everybody makes mistakes. To understand a firewall configuration, you have to read hundreds of configuration lines, and then you have to think like a firewall does. People aren’t good at thinking like firewalls. So most firewalls are riddled with subtle mistakes. Some of those mistakes can be expensive:

• INSECURE SERVICES might be allowed through the firewall, preventing it from blocking attacks.
• LAX CONTROLS ON DMZs may expose staging and test servers.
• FIREWALL MANAGEMENT PORTS may be exposed to untrusted networks.
• REDUNDANT FIREWALL RULES may be complicating your configuration and slowing you down.
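The problems listed above (rules that can never match, management ports reachable from untrusted networks, rules that permit everything) can be found mechanically once you model first-match rule evaluation. The script below is an added example written for this page and is not Flint's code; its rule model is deliberately small (IPv4 CIDRs, one protocol, one destination port range, first match wins), and the rule set and management-port list are constructed.

```python
"""Toy first-match firewall rule analyser, in the spirit of the checks the
Flint description lists (rules that can never match, exposed management
ports, overly permissive rules).

Added example; this is not Flint's code and its rule model is deliberately
minimal: IPv4 CIDRs, one protocol, one destination port range, first match
wins. The rule set and the management-port list are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dports: tuple   # inclusive (low, high) destination port range


MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 443: "https", 3389: "rdp"}


def covers(outer, inner):
    """True if every packet `inner` matches is also matched by `outer`."""
    return (
        outer.proto in ("any", inner.proto)
        and ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
        and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
        and outer.dports[0] <= inner.dports[0]
        and outer.dports[1] >= inner.dports[1]
    )


def shadowed_rules(rules):
    """Rules that can never match traffic because a single earlier rule (of either
    action) already covers everything they would match. Returns
    (index, rule, shadowing_rule) triples. A rule hidden only by the union of
    several earlier rules is not detected: a simplification of this toy."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((i, rule, earlier))
                break
    return found


def exposed_management(rules, trusted_nets):
    """Indices of live permit rules that let untrusted sources reach a management
    port. Partial overlap with earlier denies is ignored (see shadowed_rules)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    dead = {i for i, _, _ in shadowed_rules(rules)}
    hits = []
    for i, rule in enumerate(rules):
        if i in dead or rule.action != "permit":
            continue
        src = ipaddress.ip_network(rule.src)
        if any(src.subnet_of(t) for t in trusted):
            continue
        low, high = rule.dports
        if any(low <= port <= high for port in MANAGEMENT_PORTS):
            hits.append(i)
    return hits


def overly_permissive(rules):
    """Indices of permit rules with any source, any destination and all ports."""
    return [
        i for i, rule in enumerate(rules)
        if rule.action == "permit"
        and ipaddress.ip_network(rule.src).prefixlen == 0
        and ipaddress.ip_network(rule.dst).prefixlen == 0
        and rule.dports == (1, 65535)
    ]


# Constructed rule set with one of each problem.
RULES = [
    Rule("deny",   "tcp", "0.0.0.0/0",   "10.0.0.0/8",  (23, 23)),    # 0 block telnet inbound
    Rule("permit", "tcp", "10.0.0.0/8",  "10.0.0.0/8",  (1, 65535)),  # 1 internal to internal
    Rule("permit", "tcp", "10.1.0.0/16", "10.2.0.0/16", (80, 80)),    # 2 shadowed by 1
    Rule("permit", "tcp", "0.0.0.0/0",   "10.0.0.5/32", (22, 22)),    # 3 SSH from anywhere
    Rule("deny",   "tcp", "0.0.0.0/0",   "10.0.0.0/8",  (23, 23)),    # 4 duplicate of 0
    Rule("permit", "any", "0.0.0.0/0",   "0.0.0.0/0",   (1, 65535)),  # 5 permit everything
]

if __name__ == "__main__":
    for i, rule, by in shadowed_rules(RULES):
        print(f"rule {i} can never match: shadowed by {by}")
    print("management ports reachable from untrusted nets:",
          exposed_management(RULES, ["10.0.0.0/8"]))
    print("overly permissive:", overly_permissive(RULES))
```

Running it reports rules 2 and 4 as unreachable, rules 3 and 5 as exposing management ports to untrusted sources, and rule 5 as a blanket permit. A real analyser has to reason about the union of earlier rules and about source ports, interfaces and NAT, which is exactly the "think like a firewall" work the text says people are bad at.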

You can download Flint here:

VMWare Virtual Machine – FlintVM-current.zip
OVF Virtual Machine – FlintVM-current.ovf.zip
Source – flint-current.tgz

Wednesday, March 24, 2010

Critical Log Review Checklist for Security Incidents

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review.

General Approach


Identify which log sources and automated tools you can use during the analysis.
Copy log records to a single location where you will be able to review them.
Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
Determine whether you can rely on logs' time stamps; consider time zone differences.
Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
Go backwards in time from now to reconstruct actions after and before the incident.
Correlate activities across different logs to get a comprehensive picture.
Develop theories about what occurred; explore logs to confirm or disprove them.

Potential Security Log Sources
Server and workstation operating system logs
Application logs (e.g., web server, database server)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events.

Typical Log Locations
Linux OS and core applications: /var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats

What to Look for on Linux
Successful user login: “Accepted password”, “Accepted publickey”, “session opened”
Failed user login: “authentication failure”, “failed password”
User log-off: “session closed”
User account change or deletion: “password changed”, “new user”, “delete user”
Sudo actions: “sudo: … COMMAND=…”, “FAILED su”
Service failure: “failed” or “failure”

What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event IDs, add 4096 to the event ID.

Most of the events below are in the Security log; many are only logged on the domain controller.

User logon/logoff events: successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
User account changes: created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes: to self 628; to others 627
Service started or stopped: 7035, 7036, etc.
Object access denied (if auditing enabled): 560, 567, etc.

What to Look for on Network Devices
Look at both inbound and outbound activities.

Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.

Traffic allowed on firewall: “Built … connection”, “access-list … permitted”
Traffic blocked on firewall: “access-list … denied”, “deny inbound”, “Deny … by”
Bytes transferred (large files?): “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage: “limit … exceeded”, “CPU utilization”
Detected attack activity: “attack from”
User account changes: “user added”, “user deleted”, “User priv level changed”
Administrator access: “AAA user …”, “User … locked out”, “login failed”

What to Look for on Web Servers
Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours

Failed user authentication: Error code 401, 403
Invalid request: Error code 400
Internal server error: Error code 500
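The Linux, Cisco ASA and web server indicators above are all simple substring or status-code checks, so the first triage pass over a pile of logs can be scripted. The following is an added example, not part of the original cheat sheet: it turns the checklist's indicators into an ordered keyword classifier for Linux and ASA lines, and a status-code and URL check for access-log lines in the Apache/nginx "combined" format (an assumption about the web server). Every sample log line is constructed for illustration.

```python
"""Keyword triage for the log types in the checklist above. Added example,
not part of the original cheat sheet: the indicators are the ones the
checklist lists for Linux, Cisco ASA and web servers; every sample log
line is constructed for illustration."""
import re
from collections import Counter
from urllib.parse import unquote

# Linux indicators, tried in order: the generic "failed"/"failure" service
# check comes last so it does not swallow failed logins.
LINUX_PATTERNS = {
    "successful login": [r"Accepted password", r"Accepted publickey", r"session opened"],
    "failed login": [r"authentication failure", r"[Ff]ailed password"],
    "logoff": [r"session closed"],
    "account change": [r"password changed", r"new user", r"delete user"],
    "sudo/su": [r"sudo: .*COMMAND=", r"FAILED su"],
    "service failure": [r"(?i)\bfail(ed|ure)\b"],
}
# Cisco ASA indicators from the checklist.
ASA_PATTERNS = {
    "traffic allowed": [r"Built .* connection", r"access-list .* permitted"],
    "traffic blocked": [r"access-list .* denied", r"[Dd]eny inbound", r"Deny .* by"],
    "bytes transferred": [r"Teardown TCP connection .* duration .* bytes"],
    "resource usage": [r"limit .* exceeded", r"CPU utilization"],
    "attack activity": [r"attack from"],
    "account change": [r"user added", r"user deleted", r"User priv level changed"],
    "admin access": [r"AAA user", r"User .* locked out", r"login failed"],
}

def classify(line, patterns):
    """First checklist category whose indicator occurs in the line, else None."""
    for category, indicators in patterns.items():
        if any(re.search(ind, line) for ind in indicators):
            return category
    return None

def summarize(lines, patterns):
    """Lines per category; unmatched lines count as 'unclassified' for manual review."""
    return Counter(classify(line, patterns) or "unclassified" for line in lines)

# Apache/nginx "combined" access-log layout (assumption about the web server).
WEB_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                      r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# SQL or HTML fragments in a URL (constructed, deliberately short list).
CODE_IN_URL = re.compile(r"(<script|<iframe|union\s+select|'\s*or\s+|;\s*drop\s)", re.I)

def triage_web(line, implemented_extensions):
    """Checklist flags raised by one access-log line."""
    m = WEB_LINE.match(line)
    if not m:
        return ["unparsable line"]
    flags = []
    status = int(m["status"])
    path = unquote(m["path"])  # decode %27 etc. before looking for code
    if status in (401, 403):
        flags.append("failed user authentication")
    elif status == 400:
        flags.append("invalid request")
    elif status == 500:
        flags.append("internal server error")
    elif status == 404:
        flags.append("non-existent file")
    if CODE_IN_URL.search(path):
        flags.append("code in URL")
    ext = re.search(r"\.([A-Za-z0-9]+)(?:\?|$)", path)
    if ext and ext.group(1).lower() not in implemented_extensions:
        flags.append("unimplemented extension")
    return flags

def excessive_404s(lines, threshold):
    """Clients asking for more than `threshold` non-existent files (scanner behaviour)."""
    counts = Counter()
    for line in lines:
        m = WEB_LINE.match(line)
        if m and m["status"] == "404":
            counts[m["client"]] += 1
    return {client: n for client, n in counts.items() if n > threshold}

# Constructed samples (private/documentation address ranges).
SAMPLE_LINUX = [
    "Mar 24 09:12:01 host sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Mar 24 09:12:01 host sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar 24 09:15:44 host sshd[2290]: Failed password for invalid user admin from 198.51.100.7 port 4020 ssh2",
    "Mar 24 09:16:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Mar 24 09:20:10 host useradd[2310]: new user: name=backup, UID=1005, GID=1005, home=/home/backup",
    "Mar 24 09:21:00 host sshd[2201]: pam_unix(sshd:session): session closed for user alice",
    "Mar 24 09:30:00 host systemd[1]: Failed to start Apache HTTP Server.",
]
SAMPLE_ASA = [
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/4455 to dmz:10.1.1.10/80",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/4456 dst inside:10.0.0.9/445 by access-group "outside_in"',
    "%ASA-6-302014: Teardown TCP connection 1234 for outside:198.51.100.7/4455 to dmz:10.1.1.10/80 duration 0:02:11 bytes 48211340",
    "%ASA-6-113012: AAA user authentication Successful : local database : user = admin",
]
SAMPLE_WEB = [
    '198.51.100.7 - - [24/Mar/2010:09:40:02 +0000] "GET /admin.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2010:09:40:03 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2010:09:40:04 +0000] "GET /login.html?user=%27%20OR%201=1-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.55 - - [24/Mar/2010:09:41:10 +0000] "POST /upload.html HTTP/1.1" 401 180 "-" "curl/7.19"',
    '203.0.113.55 - - [24/Mar/2010:09:41:11 +0000] "GET /search.html?q=<script>alert(1)</script> HTTP/1.1" 500 0 "-" "curl/7.19"',
]
IMPLEMENTED = {"html", "css", "js", "png"}
```

Call `summarize(SAMPLE_LINUX, LINUX_PATTERNS)` to get the per-category counts, `triage_web(line, IMPLEMENTED)` for each access-log line, and `excessive_404s(SAMPLE_WEB, 1)` to surface the client probing for files that do not exist. Category order matters: the broad "failed"/"failure" check is last on purpose, and anything that lands in "unclassified" is what the "minimize noise" step of the general approach is about.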

Monday, March 22, 2010

Google Talk used to distribute Fake AV

Maria Varmazis, a colleague from our Boston office, got to experience what happens when a friend's account is compromised. When she logged onto Gmail, she got a pop-up message from someone she regularly chats with: "Hey are you on Facebook ??? If u are then check this out ". Wisely, Maria didn't click on the link and instead passed it on to me to investigate.


The link led me to a web page that had some dancing stick people and a link that read, "Click on the picture to download my party pictures gallery. . . (Click Open or Run when prompted.)".

Of course I wanted to view this party picture gallery. . . Past experience tells me the best pictures are taken after 11pm at parties. When I clicked the image, Internet Explorer presented a download prompt for a file called my_image_gallery.scr


This attack once again shows us the importance of defense in depth. An administrator for an organizational network has several chances to prevent this infection:

1. Education. Teach end users how to spot something out of the ordinary, to avoid clicking links in IMs, and what techniques are used in social engineering.

2. Anti-virus. As Virus Bulletin regularly demonstrates, the majority of up-to-date anti-virus products protect against most in-the-wild threats.

3. Proactive protection. Using heuristic, behavioral and other techniques provides protection against malicious code that may not yet be detected by your anti-virus definitions.

4. Web filtering. Both the site offering malware for me to download, and the one that was luring me into clicking the picture were blocked by the Sophos Web Appliance as malicious. Our web appliance also scans all your downloads for malware, and lets you disable downloading of dangerous filetypes.

Unfortunately, quite often our friends may not really be our friends. Use this as a reminder to stay vigilant and warn others about this type of attack.

Friday, March 19, 2010

Top 10 Ways to Avoid Phishing Scams - Please Forward To All Non-IT People You Know.

The phenomenon of internet phishing scams is a serious problem, and the number and sophistication of these schemes are increasing all the time. Individuals using the web for personal or business reasons must be alert to possible fraud, and employers should warn their employees and customers to be extremely selective about giving out personal financial information over the Internet.


The following is a list of suggestions and recommendations that may help people avoid becoming a victim of these online phishing scams.

1. Never fill out forms in e-mail messages that ask for personal financial information. Many phishing scams are designed to get access to accounts that can then be drained of funds by the scammers.

2. Check your online accounts regularly, as well as your bank, credit and debit card statements to make sure all transactions are legitimate.

3. If you suspect an e-mail might not be authentic, don't use the links within the e-mail to get to a webpage, as it may leave your computer vulnerable. Often the entire point of these e-mails is to get you to do just that.

4. You should always be suspicious of any e-mail with “urgent” requests for personal financial information.

5. If you do provide personal information (like a credit card number), do so only via a secure website or the telephone.

6. Always make sure you're on a secure Web server when sharing sensitive information. To do so, check the beginning of the URL in your browser address bar. It should be "https" rather than "http." The "s" stands for secure.

7. It’s advisable to install a Web browser toolbar to alert you before you visit known phishing fraud websites.

8. If you receive an e-mail message that is not personalized, assume it's a shady message.

9. If e-mails use upsetting or exciting statements to try to get you to react immediately, that’s a red flag signaling to stop and think carefully about your next move; these statements are almost always false anyway.

10. Make sure that your browser is up-to-date and security patches have been applied.

Thursday, March 18, 2010

How to Protect Yourself from ZeuS

The security consultants recommend that businesses and home users carry out online banking and financial transactions on isolated workstations that are not used for general Internet activities such as web browsing and reading email, which could increase the risk of infection.


Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts. Keep your antivirus, operating system and software patches up to date. Also, do not open suspicious e-mail attachments or links from people you do not know; even if you do know them, check with them to find out whether they sent you something before opening the email.

Additionally, awareness for both customers and employees is crucial. In particular, employees who interface with clients should be made aware of these types of threats to help triage potential victims.

Zeus Trojan Now Has Hardware Licensing Scheme

The authors of the Zeus bot client, perhaps the most popular and pervasive piece of malware of its kind right now, have taken an extraordinary step to protect their creation: inserting a hardware-based licensing scheme into the Trojan. This represents a significant leap in the sophistication and professionalism of malware development, researchers say.


Zeus has been making the rounds on the Web for some time now, and it has gone through a number of revisions and upgrades in recent months. Its creators, who remain unknown, have steadily added more and more features and functionality to the package, including a form grabber for Firefox, the ability to add extra data fields to online banking applications, a backconnect module and support for Windows Vista and Windows 7.

Much of this is fairly standard stuff, but the addition of the hardware licensing/activation scheme is an interesting, unique twist. Researchers at SecureWorks have been analyzing each new iteration of the Zeus kit and found that the latest release, version 1.3.4.x, added this functionality, likely in an effort to prevent rivals from selling pirated versions of the attack kit.

"The author has gone to great lengths to protect this version using a Hardware-based Licensing System. The author of Zeus has created a hardware-based licensing system for the Zeus Builder kit that you can only run on one computer. Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer. This is the first time we have seen this level of control for malware," Kevin Stevens and Don Jackson of SecureWorks wrote.


The newest release of Zeus is selling for $3,000 to $4,000 right now in private sales, the researchers said, and is being sold solely by the kit's author. Other, older versions have been sold publicly in the past, which likely led to the author taking the step of using the hardware licensing system to protect his creation.

 
While Zeus includes a wide range of capabilities now, its basic reason for being is to steal financial data. Think of it as a banker Trojan on steroids, the 2007 David Ortiz of malware. As the SecureWorks researchers found, Zeus does much of its dirty work through secure HTTP POST requests to the remote command-and-control server. It targets a broad spectrum of financial data, including credit card numbers, bank account numbers and online banking login credentials.

Stevens and Jackson said that the Zeus author is working on version 1.4 of the kit, which will include a polymorphic encryption feature.

"The 1.4 version of ZeuS will enable the ZeuS Trojan to re-encrypt itself each time it infects a victim, thus making each infection unique. The 1.4 version also enables the ZeuS file names to be randomly generated, thus each infection will contain different file names. This will make it very difficult for anti-virus engines to identify the ZeuS Banking Trojan on the victims’ system," they said.

Wednesday, March 17, 2010

Google search reveals 3 million pages link to rogue AVs

Do you know what the latest version of Adobe’s Flash Player is? If you don’t, you may very well fall for this:

Flash Player 11?
There are more than 3 million pages linking to this alleged version 11:

Most pages are from unsanitized forums, but there is even a Google Ad for it! Ooooops….

The screenshot below depicts the social engineering trick: what appears to be an X-rated video with a Windows Media Player logo (that is odd!).

What intrigued me in that screenshot was that this malicious post was made with a highly rated user account. Such posts are automated, so I’d guess this user had his credentials stolen. Regardless, it adds to the deceptiveness, coming from what looks like an ‘approved’ forum user.

What happens next is that an intermediary URL, freevideos.osa.pl/video.php?, redirects you to fast-flux domains updated on a regular basis, all showing the well-known “YouTube-like” screenie:

Clicking on it will download ‘video-plugin.45210.exe’ (VirusTotal detection here).
So, what really is the latest Adobe Flash Player? The answer: 10.0.45.2

Looks like the bad guys are already one step ahead. By the way, I did a Google search with version 12 and it returned nothing.
In the meantime, there are millions of pages out there fooling people and infecting them with a non-existent Flash Player version.

Tuesday, March 16, 2010

Fixing the Windows Registry Using Backtrack

BackTrack is the most popular Linux live CD distribution focused on penetration testing. It comes loaded with all the top security tools, so you can start work immediately without downloading and installing any of them.

One of the uses of BackTrack is fixing Windows problems such as repairing the registry, resetting user passwords, etc. Here I am going to explain how we can use BackTrack to fix the Windows registry.

Often we mess up the registry and leave the system in a hung state. In such situations BackTrack plays a major role in putting you back on track.

Registry Recovery Operation
To start with, boot your system from the BackTrack CD. After booting, make sure that your Windows system partition is mounted in read/write mode. If your system partition has an NTFS file system, you have to unmount that partition and remount it in read/write mode.

Let's assume that your system partition is /dev/hda1 and is currently mounted on /mnt/hda1. You can use the 'mount' command to view the devices and their respective mount points.

To unmount this partition, use the following command:
# umount /mnt/hda1

Now to mount it with read/write access, execute the following command:
# mount -o rw /dev/hda1 /mnt/hda1

If the above method does not work, use the method specified by Muts of BackTrack. For a FAT32 partition you need not do anything, as it is already mounted with read/write access.

Using the Chntpw Tool to Edit the Windows Registry
Now go to the config folder on your system partition, which holds all the registry hives.
# cd /mnt/hda1/windows/system32/config

Then type the 'chntpw' command to view its help screen. This tool comes with a built-in registry editor which can be used to manipulate any part of the registry. To invoke the registry editor you have to specify the -e option with the name of a registry hive file. The entire Windows registry is stored in a handful of hive files. The table below shows the mapping between hive files and the parts of the registry they hold; based on which part of the registry you are going to modify, select the corresponding hive file.

Let me explain the complete registry editing operation with an example. Assume that the 'Windows Themes service' is preventing normal booting of your system. To bring your system back to normal you need to disable this service.

The registry key for the Themes service is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes

To disable this service, we have to change the 'Start' value (under the above-mentioned key) to '4'.
Start REG_DWORD 4

From the above table it is clear that we have to use the 'SYSTEM' hive file for editing with 'chntpw'. Type the command as shown below.
# chntpw -e SYSTEM

At the new command prompt type ? to see the various commands used for registry editing. The most useful commands are dir, cat, cd, ed, etc.

Now type the 'dir' command to see all the subkeys under the root key. You will see many ControlSet00* keys under it, but where is the CurrentControlSet key? We need this subkey to edit the properties of the Themes service!

Well, don't panic. The answer is hidden in the 'Select' subkey. Enumerate all the values under the 'Select' subkey as shown below.

> cd Select
> dir

The value of 'Current' tells you which ControlSet00* key is currently in use. For example, if 'Current' has the value 2, you have to select 'ControlSet002', and so on. On my machine 'Current' has the value 1, so I am going to select the 'ControlSet001' key.

Now we know which control set to use for our purpose. Select it and move on to the Themes subkey as shown below. Note that we are still under the Select key; you have to go back to the root key to choose the ControlSet key.
> cd ..
> cd ControlSet001\Services\Themes

Now type the 'dir' command to see all the names and their values under this key. We just have to change the DWORD value of 'Start' to 4 using the 'ed' command.
> ed Start

When you are prompted to enter the new value, type 4 and press ENTER. To verify, use the command shown below.
> cat Start

Once you have made all the required changes, type 'q' to quit the registry editor and then press 'y' to save your changes. After that, restart the system and you should be able to log in normally without any problem.
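The procedure above is typed by hand, and the one step it does not mention is taking a copy of the hives before editing them, so that a mistyped value can be undone by copying the files back. The script below is an added example and is not from the article or the chntpw project. It assumes the Windows partition is already mounted read/write at the article's /mnt/hda1, that chntpw is on PATH, and that 'chntpw -e' accepts its editor commands on standard input (the same keystrokes the article types interactively; that stdin behaviour is an assumption). The control set number is the one you read from Select\Current exactly as described above.

```python
"""Scripted form of the chntpw procedure described above.

Added example, not from the article or the chntpw project. It assumes the
Windows partition is already mounted read/write at MOUNT_POINT, that chntpw
is on PATH, and that 'chntpw -e' accepts its editor commands on stdin (the
same keystrokes the article types interactively). The control set number
is the one read from Select\\Current, exactly as the article describes.
"""
import datetime
import shutil
import subprocess
from pathlib import Path

# Hive files kept in system32\config (standard Windows file names).
HIVE_NAMES = ("SYSTEM", "SOFTWARE", "SAM", "SECURITY", "DEFAULT")


def find_config_dir(mount_point):
    """Locate windows/system32/config case-insensitively: NTFS does not care
    about case, Linux does, so 'WINDOWS' vs 'windows' breaks a hard-coded path."""
    current = Path(mount_point)
    for part in ("windows", "system32", "config"):
        match = next((c for c in current.iterdir() if c.name.lower() == part), None)
        if match is None:
            raise FileNotFoundError(f"{part!r} not found under {current}")
        current = match
    return current


def backup_hives(config_dir, backup_root):
    """Copy every hive to a timestamped directory before touching anything, so a
    bad edit can be undone by copying the files back. Returns the copies made."""
    dest = Path(backup_root) / datetime.datetime.now().strftime("hives-%Y%m%d-%H%M%S")
    dest.mkdir(parents=True, exist_ok=True)
    copies = []
    for entry in Path(config_dir).iterdir():
        if entry.is_file() and entry.name.upper() in HIVE_NAMES:
            copies.append(Path(shutil.copy2(entry, dest / entry.name)))
    return sorted(copies)


def chntpw_script(control_set, service, start_value):
    """The editor commands from the article as one stdin script:
    cd into the service key, ed Start, give the new value, q, y (save)."""
    return (f"cd ControlSet{control_set:03d}\\Services\\{service}\n"
            f"ed Start\n{start_value}\nq\ny\n")


def set_service_start(config_dir, control_set, service, start_value=4):
    """Run 'chntpw -e SYSTEM' in the config directory with the scripted edits.
    Start=4 is the 'disabled' start type the article uses for the Themes service."""
    return subprocess.run(
        ["chntpw", "-e", "SYSTEM"], cwd=str(config_dir),
        input=chntpw_script(control_set, service, start_value),
        text=True, check=True,
    )


if __name__ == "__main__":
    MOUNT_POINT = "/mnt/hda1"          # from the article
    config = find_config_dir(MOUNT_POINT)
    print("backed up:", backup_hives(config, "/root/hive-backups"))
    set_service_start(config, control_set=1, service="Themes")
```

The backup directory should live somewhere other than the Windows partition you are repairing (the example uses the live CD's /root), and if chntpw reports an error the hive files in the backup are the ones to copy back before rebooting.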

Monday, March 15, 2010

Remote VNC Installation



RealVNC is a server and client application for the Virtual Network Computing (VNC) protocol to control another computer's screen remotely. The company RealVNC Ltd. — founded by the same AT&T team which created the original VNC program — produces the RealVNC software. RealVNC runs on Windows, Mac OS X (Enterprise edition only), and many Unix-like operating systems (both free and enterprise-class). A RealVNC client also runs on the Java platform and on the iPhone. A Windows-only client is now available, designed to interface to the embedded server on Intel AMT chipsets found on Intel vPro motherboards.

New phishing campaign against Facebook led by Zeus

Some time ago we warned about several campaigns in which, without exception, social engineering is the vehicle used to get a fraudulent component executed, the goal being the theft of sensitive information.

Cases like the earlier ZeuS campaign that used the image of Facebook, and the phishing attacks that use popular services such as the IRS, VISA, Google and Blogger as cover, among many others, are concrete examples of the magnitude of the business ZeuS offers computer criminals.

A few days ago a new campaign materialised at the hands of ZeuS, involving a large battery of malicious domains. Among them:

downloads.legomay.com/id735rp/LoginFacebook.php
downloads.legomay.net/id735rp/LoginFacebook.php
downloads.legomay.org/id735rp/LoginFacebook.php
downloads.megavids.org/id735rp/LoginFacebook.php
downloads.migpix.com/id735rp/LoginFacebook.php
downloads.migpix.net/id735rp/LoginFacebook.php
downloads.migpix.org/id735rp/LoginFacebook.php
downloads.modavedis.com/id735rp/LoginFacebook.php
downloads.modavedis.net/id735rp/LoginFacebook.php
downloads.modavedis.org/id735rp/LoginFacebook.php
downloads.portodrive.org/id735rp/LoginFacebook.php
downloads.reggiepix.com/id735rp/LoginFacebook.php
downloads.reggiepix.net/id735rp/LoginFacebook.php
downloads.reggiepix.org/id735rp/LoginFacebook.php
downloads.regzapix.com/id735rp/LoginFacebook.php
downloads.regzapix.net/id735rp/LoginFacebook.php
downloads.regzapix.org/id735rp/LoginFacebook.php
downloads.regzavids.com/id735rp/LoginFacebook.php
downloads.regzavids.net/id735rp/LoginFacebook.php
downloads.regzavids.org/id735rp/LoginFacebook.php
downloads.restopix.org/id735rp/LoginFacebook.php
downloads.restpictures.com/id735rp/LoginFacebook.php
downloads.restpictures.net/id735rp/LoginFacebook.php
downloads.restpictures.org/id735rp/LoginFacebook.php
downloads.restway.net/id735rp/LoginFacebook.php
downloads.restway.org/id735rp/LoginFacebook.php
downloads.tastyfiles.net/id735rp/LoginFacebook.php
downloads.vedivids.com/id735rp/LoginFacebook.php
downloads.vedivids.net/id735rp/LoginFacebook.php
downloads.vedivids.org/id735rp/LoginFacebook.php
downloads.vediway.com/id735rp/LoginFacebook.php
downloads.vediway.net/id735rp/LoginFacebook.php
downloads.vediway.org/id735rp/LoginFacebook.php

auth.facebook.com.legomay.com/id735rp/LoginFacebook.php
auth.facebook.com.legomay.net/id735rp/LoginFacebook.php
auth.facebook.com.legomay.org/id735rp/LoginFacebook.php
auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
auth.facebook.com.migpix.com/id735rp/LoginFacebook.php
auth.facebook.com.migpix.net/id735rp/LoginFacebook.php
auth.facebook.com.migpix.org/id735rp/LoginFacebook.php
auth.facebook.com.modavedis.com/id735rp/LoginFacebook.php
auth.facebook.com.modavedis.net/id735rp/LoginFacebook.php
auth.facebook.com.modavedis.org/id735rp/LoginFacebook.php
auth.facebook.com.portodrive.org/id735rp/LoginFacebook.php
auth.facebook.com.reggiepix.com/id735rp/LoginFacebook.php
auth.facebook.com.reggiepix.net/id735rp/LoginFacebook.php
auth.facebook.com.reggiepix.org/id735rp/LoginFacebook.php
auth.facebook.com.regzapix.com/id735rp/LoginFacebook.php
auth.facebook.com.regzapix.net/id735rp/LoginFacebook.php
auth.facebook.com.regzapix.org/id735rp/LoginFacebook.php
auth.facebook.com.regzavids.com/id735rp/LoginFacebook.php
auth.facebook.com.regzavids.net/id735rp/LoginFacebook.php
auth.facebook.com.regzavids.org/id735rp/LoginFacebook.php
auth.facebook.com.restopix.org/id735rp/LoginFacebook.php
auth.facebook.com.restpictures.com/id735rp/LoginFacebook.php
auth.facebook.com.restpictures.net/id735rp/LoginFacebook.php
auth.facebook.com.restpictures.org/id735rp/LoginFacebook.php
auth.facebook.com.restway.net/id735rp/LoginFacebook.php
auth.facebook.com.restway.org/id735rp/LoginFacebook.php
auth.facebook.com.tastyfiles.net/id735rp/LoginFacebook.php
auth.facebook.com.vedivids.com/id735rp/LoginFacebook.php
auth.facebook.com.vedivids.net/id735rp/LoginFacebook.php
auth.facebook.com.vedivids.org/id735rp/LoginFacebook.php
auth.facebook.com.vediway.com/id735rp/LoginFacebook.php
auth.facebook.com.vediway.net/id735rp/LoginFacebook.php
auth.facebook.com.vediway.org/id735rp/LoginFacebook.php

The folder id735rp also contains the phishing kit and the ZeuS trojan, which in this case appears under the name photo.exe (19d9cc4d9d512e60f61746ef4c741f09).

The same URL format strategy is also being used by another known crimeware: Phoenix Exploit Pack.

Sunday, March 14, 2010

Evil Sports Sites

A Google query came to us that points to yet another temptation the criminals are taking advantage of - the March Madness basketball tournaments here in the USA. I'm sure that other sporting events are just as popular with the scammers and crooks. If you want to check out the fun, put this into your browser:


We trust that you are not crazy enough to click on the links that Google marks as hazardous to your computer's health, but if you do and you net something really cool that you'd like to analyze, please let me know what you uncover.

Saturday, March 13, 2010

Password cracker 100 times faster with an SSD

The security specialist Objectif Sécurité has optimised its rainbow tables – a common tool used to crack password hashes – to make use of SSDs. The result is, according to Objectif Sécurité's Philippe Oechslin, an acceleration by a factor of 100 when compared to their old 8GB Rainbow Tables for XP hashes. A web form takes the XP-hashes and cracks them for free with the new, ten times larger tables.


Oechslin has fitted an elderly Athlon 64 X2 4400+ with an SSD and the optimised tables. This system can, with only a 75% CPU utilisation, crack a 14 digit password with special characters, in an average of 5.3 seconds. Oechslin says that, worst case, it should be able to search arithmetically through 300 billion passwords per second, a speed that is a factor of 500 faster than an Elcomsoft cracker supported by a modern Tesla GPU from NVIDIA.

Calculations with rainbow tables achieve the acceleration by pre-computing the intermediate steps of all possible password hashes for a specific algorithm and storing those results as a table. The more steps that are stored, the bigger the tables and the faster the cracking process. Once the tables no longer fit in memory, the less-used parts are saved on mass storage, previously a hard disk, which in turn leads to slower access times while searching them.

Rainbow Cracking - MD2, MD4, MD5, SHA1,L1



RainbowCrack is a computer program which generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password drastically. RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.


As RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per-se, some organizations have endeavored to make RainbowCrack's rainbow tables available free over the internet.
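Both articles above describe the same time-memory trade-off without showing it, so here is an added example (not RainbowCrack's, Ophcrack's or Objectif Sécurité's code) on a toy scale: 3-letter lowercase passwords hashed with unsalted MD5, where MD5 stands in for the Windows XP hashes the real tables target. Only chain endpoints are stored; everything in between is recomputed at lookup time, which is exactly why the tables are small relative to the password space and why a per-user salt, shown at the end, makes a precomputed table useless. The chain length, chain count and the salt are constructed.

```python
"""Toy rainbow table for 3-letter lowercase passwords hashed with MD5.

Added example, not RainbowCrack's or Objectif Sécurité's code; it shows
the time-memory trade-off the articles describe (only chain endpoints are
stored, intermediate hashes are recomputed on lookup) and why a per-user
salt defeats a precomputed table. All parameters are constructed and tiny.
"""
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords
CHAIN_LEN = 40                    # hashes recomputed per chain on lookup (the "time" side)
NUM_CHAINS = 2000                 # endpoints stored (the "memory" side)


def H(password):
    """The hash the table is built for: unsalted MD5 stands in for the XP hashes."""
    return hashlib.md5(password.encode()).digest()


def reduce_to_password(digest, position):
    """Reduction function R_i: maps a digest back into the password space.
    Mixing in the chain position is what makes the table "rainbow": chains
    that collide at different positions no longer merge into one."""
    n = (int.from_bytes(digest[:8], "big") + position) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def walk(start, steps):
    """Password at position `steps` of the chain that begins at `start`."""
    x = start
    for i in range(steps):
        x = reduce_to_password(H(x), i)
    return x


def build_table(seed=1):
    """Precompute: {endpoint: start}. Only the two ends of each chain are kept."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        table.setdefault(walk(start, CHAIN_LEN), start)  # merged chains keep the first
    return table


def lookup(table, target):
    """Recover the password for `target`, or None. For each position k the
    target could occupy, finish the chain from there and see whether the
    endpoint is known; if so rebuild that chain from its start and verify."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        x = reduce_to_password(target, k)
        for j in range(k + 1, CHAIN_LEN):
            x = reduce_to_password(H(x), j)
        if x in table:
            candidate = table[x]
            for i in range(CHAIN_LEN):
                if H(candidate) == target:
                    return candidate
                candidate = reduce_to_password(H(candidate), i)
    return None


def salted_hash(salt, password):
    """How a password should be stored: the table above cannot be applied to it."""
    return hashlib.md5(salt + password.encode()).digest()


if __name__ == "__main__":
    table = build_table()
    covered = walk(next(iter(table.values())), 5)   # a password the table certainly holds
    print(covered, "->", lookup(table, H(covered)))
    print("salted:", lookup(table, salted_hash(b"s4lt", covered)))
```

The table stores 2,000 endpoints for a space of 17,576 passwords, and every lookup costs at most a few thousand hash computations; scaling CHAIN_LEN up shrinks the table and lengthens the lookup, scaling it down does the opposite, which is the trade-off the articles refer to. The salted lookup returns None because the chains were built for H(password), not H(salt + password), so an attacker would need a fresh table per salt value.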

Hackers leave Orissa Govt website ‘tipsy-turvy’

Description:


If you click open the Orissa Government's official website even as you read this piece of news, chances are that it will show you the price list of various kinds of liquor available in Delhi.

Chances are that it is still dishing out details of Delhi's entertainment and luxury tax structure. And why? Hackers seem to have breached the security of the State Government website - www.orissa.gov.in/www.orissagov.nic.in - and in its place appears the official website of the Excise Department of the Government of the National Capital Territory (NCT) of Delhi.

The matter came to notice only on Thursday evening, a few good hours after offices of the State Government had closed for the day, so it was not immediately possible to ascertain who could be behind the mischief.

As a result, those who logged into the site found, much to their curiosity, details of the price list of the various alcohol Delhiites enjoy - whisky, beer, rum, wine, gin, vodka, brandy, and yes, country liquor too.

"It appears to be handiwork of some mischief mongers who defaced the State Government website and placed such a webpage," said a software professional of the city.

It was not immediately known whether the act could have anything to do with the huge amount of information stored on the website, or whether those behind it made any attempt to break into the servers.

Friday, March 12, 2010

Bypassing Firewalls Using Reverse Telnet


Netcat is a networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has a number of built-in capabilities.


In 2000 according to www.insecure.org Netcat was voted the second most functional network security tool. Also, in 2003 and 2006 it gained fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

According to http://nc110.sourceforge.net, some of netcat's major features are:

• Outbound or inbound connections, TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network source address
• Built-in port-scanning capabilities, with randomization
• Built-in loose source-routing capability
• Can read command line arguments from standard input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder
• Featured tunneling mode which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).

Hostmap

What is hostmap?

Hostmap is a free, automatic hostname and virtual host discovery tool written in Ruby by Alessandro `jekil` Tanasi and licensed under the GNU General Public License version 3 (GPLv3). Its goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

The major features are:
DNS names and virtual hosts enumeration
Multiple discovery techniques, to read more see documentation.
Results correlation, aggregation and normalization
Multithreaded and event based engine
Platform independent


Download:
http://sourceforge.net/projects/hostmap/files/

Thursday, March 11, 2010

Wednesday, March 10, 2010

Don't Play Poker on an Infected Table - Part Three

The monetization of phony online gambling networks -- clearly tolerating systematic violation of their TOS -- is continuing with the scammers behind last month's campaign (Don't Play Poker on an Infected Table - Part Two) spamvertising another portfolio of domains using new templates.


It's worth pointing out that the spammers don't just earn revenue every time someone installs the application, but also every time the now-converted visitor interacts financially with the service, a monetization approach you'll see in the attached screenshots.

Detection rates for the spamvertised binaries (downloaded from gamez-lux.com and we3tt.com) : StarsVIPCasino_Setup.exe - Result: 14/42 (33.33%); GoldenMummyEN.exe - Result: 9/42 (21.43%); RubyRoyaleEN.exe - Result: 11/42 (26.19%). Sample phone back locations: download.thepalacegroupgaming.com; pcm3.valueactive.eu; rubyfortune.mgsmup.com

Spamvertised domains include:


adrembovesttes.net - Email: pengjiajie222@163.com
bonuscasinoslux.net - Email: fgsdvbbvd@qq.com
bonusgameslux.net - Email: fgsdvbbvd@qq.com
bonusluxcasinos.net - Email: fgsdvbbvd@qq.com
bonusluxplays.net - Email: fgsdvbbvd@qq.com
bonusplayslux.net - Email: fgsdvbbvd@qq.com
casinosbonuslux.net - Email: fgsdvbbvd@qq.com
casinosluxclub.net - Email: fgsdvbbvd@qq.com
casinosluxstar.net - Email: fgsdvbbvd@qq.com
clopelinesutes.net - Email: fgsdvbbvd@qq.com
clubgameslux.net - Email: fgsdvbbvd@qq.com
clubluxgames.net - Email: fgsdvbbvd@qq.com
club-of-lux.net - Email: fgsdvbbvd@qq.com
clubs-play.net - Email: fgsdvbbvd@qq.com
clubvegas-games.net - Email: fgsdvbbvd@qq.com
gameclubviva.net - Email: fgsdvbbvd@qq.com
game-lux-club.net - Email: fgsdvbbvd@qq.com
gamesbonuslux.net - Email: fgsdvbbvd@qq.com
games-gold.net - Email: fgsdvbbvd@qq.com
gameslux.net - Email: fgsdvbbvd@qq.com
gamesstarlux.net - Email: fgsdvbbvd@qq.com
gamevivagold.net - Email: fgsdvbbvd@qq.com
gorxshop.net - Email: sdfxckj@msn.com
hannoweramtes.net - Email: ftyughsere@qq.com
lutiok.net - Email: ftgy23fge@126.com
luxbonusgames.net - Email: fgsdvbbvd@qq.com
luxbonusplays.net - Email: fgsdvbbvd@qq.com
luxcasinosbonus.net - Email: fgsdvbbvd@qq.com
luxclubcasinos.net - Email: fgsdvbbvd@qq.com
luxclubplays.net - Email: fgsdvbbvd@qq.com


luxgamesbonus.net - Email: fgsdvbbvd@qq.com
luxgamesstar.net - Email: fgsdvbbvd@qq.com
luxplaysclub.net - Email: fgsdvbbvd@qq.com
luxplaysstar.net - Email: fgsdvbbvd@qq.com
luxs-games.net - Email: fgsdvbbvd@qq.com
luxstarplays.net - Email: fgsdvbbvd@qq.com
mollehoukutes.net - Email: guoaiwense@163.com
murgadobarotes.net - Email: guoaiwense@163.com
namedosaras.net - Email: ftyughsere@qq.com
pay3500win.net - Email: dfgdvbcv@sina.com
playeuro777.net - Email: fghvvbcfgds@tom.com
playeuro888.net - Email: fghvvbcfgds@tom.com
playglobal777.net - Email: dfhhjg4ee@163.com
playsclublux.net - Email: fgsdvbbvd@qq.com
playsluxclub.net - Email: fgsdvbbvd@qq.com
realcash-mine.net - Email: dfgdvbcv@sina.com
realcash-offer.net - Email: dfgdvbcv@sina.com
realcash-wins.net - Email: dfgdvbcv@sina.com
regal-jackpot.net - Email: dfgdvbcv@sina.com
regalvegas-online.net - Email: dfgdvbcv@sina.com
royalcasino777.net - Email: edwfrsdf@126.com
royalcasino888.net - Email: edwfrsdf@126.com
royalvegas-play.net - Email: dfgdvbcv@sina.com
satregonovates.net - Email: pengjiajie222@163.com
softaserutes.net - Email: ftyughsere@qq.com
softoutnertes.net - Email: ftyughsere@qq.com
softuoplowtes.net - Email: ftyughsere@qq.com
stargameslux.net - Email: ftyughsere@qq.com
starluxcasinos.net - Email: ftyughsere@qq.com
sundowutortes.net - Email: guoaiwense@163.com
vegasclubsgame.net - Email: fgsdvbbvd@qq.com
vegasgamesclub.net - Email: fgsdvbbvd@qq.com

Phony affiliate networks reserve the right to forward responsibility for the malicious activity to participants violating their Terms of Service, a violation that earned both parties significant amounts of money, in between


Tuesday, March 9, 2010

Vodafone Android Phone: Complete with Mariposa Malware

Panda Security has a post up on one of their employees buying a brand new Android phone from Vodafone and discovering it was spreading Mariposa. It didn't infect the phone proper, but its storage carried an autorun.inf and an accompanying batch file designed to infect whatever Windows machine the phone was plugged into via USB cable. Unlike the Energizer story from yesterday, this one is happening now. Standard USB defenses apply: don't let Windows automatically execute autorun.inf (or anything it points at) from removable devices. This Microsoft KB article discusses how to disable the "Autoplay" functionality that leads to this problem.

This leads to the interesting question: why not just infect the phones? The technology is certainly there to write phone-specific malware. We likely won't see mass infection of phones (or, even better from the attacker's point of view, a cell-phone botnet) until commerce is much more common on phones. Malware is driven by the desire for profit, and once it becomes profitable, we'll see exploitation. The problem is that these slimmed-down devices make it difficult to build security in. Only a few cell phone types even have the option of cell phone antivirus software. The clock is ticking on that threat.

SAHI – Web Automation & Application Security Testing Tool

Sahi is an automation tool to test web applications. Sahi injects javascript into web pages using a proxy and the javascript helps automate web applications.

Sahi is a tester-friendly tool. It abstracts out most difficulties that testers face while automating web applications. Some salient features include an excellent recorder, platform and browser independence, no XPaths, no waits, multi-threaded playback, excellent Java interaction and inbuilt reporting.

Features
  • Browser and Operating System independent
  • Powerful recorder which works across browsers
  • Powerful Object Spy
  • Intuitive and simple APIs
  • Javascript based scripts for good programming control
  • Version Controllable text-based scripts
  • In-built reports
  • In-built multi-threaded or parallel playback of tests
  • Tests do not need the browser window to be in focus
  • Command line and ant support for integration into build processes
  • Supports external proxy, HTTPS, 401 & NTLM authentications
  • Supports browser popups and modal dialogs
  • Supports AJAX and highly dynamic web applications
  • Very robust scripts
  • Works on applications with random auto-generated ids
  • Very lightweight and scalable
  • Supports data-driven testing. Can connect to database, Excel or CSV file.
  • Ability to invoke any Java library from scripts
Limitations
  • Framesets/pages with frames/iframes loading pages from multiple domains is not supported. Sahi cannot handle pages which have other pages from different domains embedded in them using iframes or frames. So you cannot have a page from google.com having an iframe with a page from yahoo.com. Note that this is not the same as switching between domains, where you navigate from a google.com page to a yahoo.com page, which will work in Sahi.
  • File upload fields will not be populated in browsers for JavaScript verification. File upload itself works fine.
You can download SAHI here:
http://sahi.co.in/w/


Scam Alert - Cute (and malicious) - funny picture from Facebook friends

Cute (but malicious)
There’s an angelically tinged infection doing the rounds at the moment that has more than a whiff of sulphur about it.

We can't say for certain, but it looks like the point of this little angel is to turn your PC into a file storage area for an IRC channel, since it dumps you into #music IRC channels and makes sure you can accept various media files.

Our tale begins with an Email, claiming you have a “funny picture from Facebook friends” waiting for you at Oast(dot)com:

 
 
This is what the end-user will download onto their system – an executable claiming to be a .gif:
 
 
 
Should they run the file, two things will happen. The first is that a rather charming image will appear on their desktop (courtesy of a hidden file called “Out.exe” which is dropped into the User Account Temp folder) – all part of the general ruse to make them think that yes, they really have been sent a “funny picture”:


 
 
 
The second is a little more sinister – an entire hidden directory (called tmp0000729b, dropped into the Windows Temp folder) arrives unannounced, laying the groundwork for an IRC invasion:


 
 
Yes, anyone blessed with the “vision” of those little angels is now part of a collection of IRC drones. If the end-user should hover their mouse over the seemingly empty system tray, they’ll actually discover the mIRC Daemon running in a hidden state:


 
 
As is typical for an IRC related hijack, everything is hidden away to keep the end-user from suspecting anything is wrong. Hidden mIRC tools, and seemingly deserted IRC channels are the order of the day. Shall we open up the mIRC client and play a little game of “Now you see it, now you don’t” in reverse?
 
 

Taken at face value, the above screenshot shows the victim sitting in an empty IRC channel. However, a quick highlight and...




...there they are, sitting beneath a pair of Admins in a #Music room. You can set mIRC to accept or ignore certain types of files by default, and here the client is indeed set to disallow .exe, .dll, .bat and .scr files but allow ordinary media files such as .wav, .jpeg, .gif and MP3. The victim is placed into numerous #Music rooms like the one above on various IRC servers, so it's a possibility the intention here is media sharing by way of compromised PCs.

Detections aren’t great at the moment (11/42 in VirusTotal): virustotal.com/analisis/9618c83546c16ae1dab70ca0d2e594c2dd41f622820d92e7bc9e22f2b3bc9f38-1267769547

We detect this as Trojan.Win32.Generic!BT, and as for the domain?

Browser Exploitation


BeEF is a web browser exploitation framework. This tool will demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers.

Main Features :
BeEF provides an easily integratable framework that demonstrates the impact of browser and Cross-site Scripting issues in real-time. Development has focused on creating a modular framework. This has made module development a very quick and simple process.
•Browser exploitation modules
•Keystroke logging
•Distributed Port Scanning
•Integration with Metasploit via XML-RPC
•Mozilla extension exploitation support
•Tor detection
•Browser functionality detection modules

Monday, March 8, 2010

Professional Hacker Online-They Say Soooo

They Say
 "Hireshacker has been the most renowned password retrieval service for over 5 years. With an immaculate experience spanning over 5 years, and having helped over a dozen law agencies across the world, we attain the most transparent and effective solutions that cater to your needs. "

Online SUPPORT @ 24/7/365

We have experts available 24/7 to answer all queries. We are open 365 days.
Access Guaranteed
If the password changes within 72 hrs after we provide it to you, we will retrieve it again for half the price.


Transparent and Fraud-free
We provide multiple proofs before payment. At no point are you liable to pay us unless you are totally convinced.


SEO poisoning on TV show

A new SEO (Search Engine Optimization) poisoning attack has been doing the rounds in the last 6-8 hours. We have talked about this kind of attack in the past, although those were mainly focused on other hot technological topics, major tragedies or events. This time, the topic used to get to the top of the search engine results page is a TV reality show. Specifically, a TV show called "Billy the Exterminator" premieres in the US tonight. The "wiki billy the exterminator" search term in Google (USE WITH CAUTION: http://www.google.com/search?q=wiki+billy+the+exterminator) shows the poisoning attack.




The compromised sites present the following URL format: /FILE.php?PARAM=billy%20the%20exterminator%20wiki, where FILE is most commonly a three-letter file name and PARAM is an input parameter (one or more characters). The affected sites use a drive-by attack, presenting victims with a fake AV warning message that pushes them to download a piece of malware: "Warning! Your computer is vulnerable to malware attacks. We recommend you to check your system immediately. Press OK to start the process now.".

PDF Info Stealer PoC

An info stealer is malware that steals credentials or files from its victims.

Info stealers don’t require admin rights to perform their task, and can be designed to evade or bypass AV, HIPS, DLP and other security software.
This PDF document exploits a known vulnerability and executes shellcode that loads a DLL (embedded inside the PDF document) from memory into memory. This way, nothing gets written to disk (except the PDF file itself). The DLL searches the My Documents folder of the current user for a file called budget.xls and uploads it to Pastebin.com.



PDF info stealer was successful: file budget.xls was posted to Pastebin.com

Preventing an info stealer from operating is not easy. The Windows operating system is designed to give user processes unrestricted access to the user’s data. It’s only starting with the Windows Vista kernel and Windows Integrity Control that a process can be assigned a lower level than user data and be restricted from accessing it. Lowering the Integrity Level of Acrobat Reader will help us in this case, but if I exploit an Excel vulnerability (or just use macros, without exploiting a vulnerability), the integrity levels will not protect us.

Neither is preventing data egress easy. OK, you can decide to block Pastebin.com. But can you block all sites that can be posted to? Like Wikipedia? And if you can, do you block ICMP packets?

To protect confidential data, don’t let it be accessed by systems with Internet access. That’s not very practical, but it’s reliable. Or use strong encryption with strong passwords (not the default RC4 Excel encryption). The info stealer will have the extra difficulty to steal the password too.


Phishing database

Financial & Banking Institutions

TD Canada Trust (http://www.tdcanadatrust.com/)
http://www-tdcanadatrust-com.epage.ru/td-bank-index.html
Citigroup (http://www.citigroup.com)
http://www.alanmetauro.com/home/online.citibank.com/US/JPS/portal/Index.do.htm?F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH
CUA - Credit Union Australia (http://www.cua.com.au)
http://www.colconkproducts.com/pub/your-account-is-locked-cua-com-au/
http://173-11-85-81-sfba.hfc.comcastbusiness.net/images/webbanker.cua.com.au/webbanker/CUA/
UniCredit Banca (http://www.unicreditbanca.it)
http://161.58.125.218/uc/index.html
Gruppo Banca Carige (http://www.gruppocarige.it/ws/gruppo/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_carige/index.html
Gruppo Banca Popolare di Bari
http://www.georgiakoreans.com/bbs/data/bpr/index.html
Banca Cesare Ponti (http://www.gruppocarige.it/grp/bponti/html/ita/index.htm)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_cesare_ponti/index.html
Banca del Monte di Lucca (http://www.gruppocarige.it/ws/bmlucca/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_del_monte_di_lucca/index.html
CRS - Cassa di Risparmio di Savona (http://www.gruppocarige.it/ws/carisa/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/cassa_di_risparmio_di_savona/index.html
Cassa di Risparmio di Carrara (http://www.gruppocarige.it/ws/crcarrara/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/cassa_di_risparmio_di_carrara/index.html
Poste Italiane (http://www.poste.it)
http://posteitalianeonlinebpolcarteprestafgfdf.pcriot.com/posteitaliane/bpol/cartepre/formslogin.aspx.php?TYPE=33554433&REALMOID=06-b5208d98-1e41-108b-b247-8392a717ff3e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME
http://www.ynzal.com/catalog/images/bpol/bancoposta/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid
http://www.yelin.ru/wm/bancopostaonline.poste.it/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid
Santander (www.santander.com)
http://slarrauri.com/tusitioweb/demo/BentoBox/modules/Logon.html
ABSA (http://www.absa.co.za)
http://markostoreltd.com/account.log/index.php
HSBC (http://www.hsbc.com)
http://worldviba.org/hboard3/bbs/indexx/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.ss4net.com/flash/IBlogin.html
http://www.tricitypt.com/photos/pediatrics/hsbcsecure/IBlogin.html
http://in2pool.com/Sources/.x/IBlogin.html
http://erethizon.net/pomocne/hibernace/IBlogin.php
http://cs.kku.ac.kr/data/file/alumnus/hsbconline/HSBC/index.php
http://etechsol.pk/cp/IBlogin.html
http://www.fsk-squad.eu/stats/IBlogin.html
http://www.goldenstwarriors.com/boxes/IBlogin.html
http://singaporeluggagestorage.info/modules/foles/kmg/www.hsbc.co.uk/CAM10-jsessionid=000026MQ7KnXUxsKmiYKszFUkGJ12c58ti63.htm
Several phishing kits were uploaded to the domain singaporeluggagestorage.info through a web shell. Besides the HSBC phishing kit, kits targeting CIBS and ING Direct were found.



ING Direct (http://www.ing.com)

http://singaporeluggagestorage.info/modules/foles/mijn.ing.htm
Lloyds TSB (http://www.lloydstsb.com)
http://cjuckett.com/gallery/include/login/online.lloydstsb.co.uk/online.lloydstsb.co.uk/online.lloydstsb.co.uk/online.lloydstsb.co.uk/customer.ibc/
Wachovia (http://www.wachovia.com)
http://202.111.173.205/.../wachovia/AuthService.php?action=presentLogin&url=https://onlineservices.wachovia.com/NASApp/NavApp/Titanium?action=returnHome
Bank of America (http://www.bankofamerica.com)
http://210.116.103.118/~kardex/gnuboard4/bbs/Languages/
http://ahuarqalliance.com/~ahuarqal/Pringles/www.bankofamerica.com/bofa-update/bofa-update/bofa/
J.P.Morgan (http://www.jpmorgan.com)
http://martindlk.ie/pdf_files/10/c/ch.htm?customerid=&co_partnerId=2&siteid=0&ru=&PageName=login_run&pp=pass&pageType=708XeMWZllWXS3AlBX+VShqAhQRfhgTDrf&co_partnerId=2&siteid=0&ru=&pp=&pageType=708&MfcISAPICommand=ConfirmRegistration&708XeMWZllWXS3AlBXVShqAhQRfhgTDrfQRfhgTDrfA
egg (http://www.egg.com)
http://www.extv.co.kr/data/file/s_tag08/819,00.html
http://www.wrpt.us/fireworks/Egg-Login.htm
InterSwitch (http://www.interswitchng.com)
http://2009_securityupdate1.t35.com/Nigeria_interSwitch.htm
MoneyGram (http://www.moneygram.com)
http://121.11.253.235/.cgi-bin/mg/MoneyGram/eMoneyTransfer/
Discover (http://www.discovercard.com)
https://www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main
VISA (http://www.visa.com)
http://intersecure.fr/security/verified/cards/unlock/ssl/Deutschland/

Oficla botnet with more than 200,000 zombies recruits


In a recent investigation we discovered an Oficla botnet (also known as Sasfis in the nomenclature of some antivirus companies) with a significant number of zombies recruited across 48 countries, demonstrating the scale this threat represents on the crimeware scene.

The command and control (C&C) base of this Oficla botnet is maintained through the myLoader crimeware kit (which costs USD 700 in the underground market) and is located in Russia, the country with the largest number of infected computers at 116,119, followed by Ukraine with 53,746.

The total number of zombies in this botnet amounts to an alarming 210,619. This information can be verified in the following screenshot.

While the figure is alarming, the problem is much deeper and more disturbing. For a system to be an active part of a botnet means it was previously infected by malicious code (in this case Oficla/Sasfis), which clearly shows the failure of the security mechanisms implemented to counter these threats.

Not only in terms of preventing infection, but also in detecting, from the TCP/IP and HTTP traffic it generates, that the system is part of a botnet.

On the other hand, it's important to note that recruitment into this botnet continues to rise, at approximately 120 newly infected computers per hour.

A report with more details on the management framework and the recruitment power of the Oficla/Sasfis botnet can be downloaded from the papers section of Malware Intelligence.

Sunday, March 7, 2010

DoD Endorses Certification for Hackers

The U.S. Department of Defense (DoD) announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification program as a new baseline skills requirement for U.S. cyber defenders.
Specifically, the new Certified Ethical Hacker program is required for the DoD’s computer network defenders (CNDs), a specialized personnel classification within the DoD’s information assurance workforce.

The Certified Ethical Hacker requirement falls under the auspices of DoD Directive 8570 Information Assurance Workforce Improvement Program.
The current version (incorporating Change 2) was signed by Assistant Secretary of Defense, John G. Grimes and was officially instated on February 25, 2010.
Directive 8570 provides clear guidance to information assurance training, certification and workforce management across all components of the DoD…

http://information-security-resources.com/2010/03/04/dod-endorses-certification-for-hackers/

Saturday, March 6, 2010

Automation in creating exploits

The exploitation of vulnerabilities now represents one of the most widely used infection strategies on the crimeware scene, and while exploits that take advantage of weaknesses aren't a new concept, the fact is that such actions are more and more notorious.


In fact, a large number of vulnerabilities, many of which were fixed more than two years ago, continue to be exploited, especially through exploit packs.

However, when these vulnerabilities are 0-day, the problem is their power. Take "Operation Aurora", which has recently been much talked about: it exploited a 0-day vulnerability in Internet Explorer 6. Yes, you read that right, Internet Explorer 6. And the exploit is currently being used to spread malware en masse, not only through version 6 but also on versions 7 and 8.

The vulnerability is identified as CVE-2010-0249, and as happened with the vulnerability exploited by the Conficker worm (MS08-067), where exploit creation was automated, a builder has recently appeared that automates the creation of the Internet Explorer exploit in the extremely simple way that is common in such applications.

This application is Chinese and only lets you configure the web address from which the weakness in the browser will be exploited. It then generates a file called IE.html containing the exploit code and the URL used for the attack, which is obfuscated.
 
 
As a relevant aside, the generated exploit (embedded in the HTML) is detected by fewer than 40% of the antivirus engines reporting to VirusTotal, while the builder is detected by only around 25%.


On the other hand, exploit automation opens a gap, revealing that many operations are "disguised" as part of a distraction campaign behind simple attacks,

What is your firewall log telling you - Part #2

Following up on Mark Hofman's earlier post ("What is your firewall log telling you"), here's some tips on how a Unix command line can be used to cut a big firewall log file down to size for quick analysis.


In the installation that I use as an example here, the firewall sits between the internal network and the Internet, and only allows the internal proxy server to talk to the Internet. PCs on the internal network must surf over the proxy, and are barred from making direct connections through the firewall. This doesn't mean though that the PCs won't try: a lot of malware, chat software, file sharing tools, etc. are proxy-aware, but frequently also try a "direct" connection first. Looking at the direct connections that internal PCs attempt to make is a good way to find out what's happening on the network...

Let's assume we have a Checkpointish log format like this:

time=2010-03-02 23:59:57 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=1.2.3.4 s_port=37586 dst=3.4.5.6 service=3384 proto=tcp rule=16 xlatesrc=8.9.10.11 xlatesport=57517 xlatedport=0 NAT_rulenum=4 NAT_addtnl_rulenum=internal

Let's further assume that we have already checked the connections that the firewall accepts, and that we now only want to look at traffic the firewall blocked. The easiest way to accomplish this is by suppressing all log lines that contain the string "action=accept", as follows

grep -v "action=accept"
 
Now is where things get interesting. To make sense of the huge volume of log lines, we have to somehow "boil them down" into the essentials. Piping a log line into a command like this

cut -d" " -f14-16

will just give us fields 14-16 of each log line, with "space" used as separator (-d, delimiter). Your log line format might vary of course, so just count and adapt (note that the timestamp and the "VPN-1 & FireWall-1" product name each contain spaces, so they occupy more than one field). In the above example, fields 14-16 amount to "dst=3.4.5.6 service=3384 proto=tcp", so this gives us the destinations that our internal PCs attempt to talk to. Applying this "cut" command to the entire log still will give us the same number of lines as we had in the original log, but adding a command like

sort | uniq -c | sort -rn

combines and counts all identical entries (uniq -c; the preceding sort is required because uniq only collapses adjacent duplicates), and then gives us those lines that have the highest counts (sort, -n: by number, -r: reverse order). The result on the firewall log that I used as example here was

36642 dst=194.186.121.68 service=80 proto=tcp
8616 dst=62.105.135.101 service=80 proto=tcp
2641 dst=192.168.0.1 service=657 proto=udp
[...]

Once at this stage, the next step is to find out what these destinations are, and which systems we have on the network that are trying to talk to them. In this example, a quick check of "whois" reveals that both the top two IP addresses are in Russia ... and the topmost address had 36642 connection attempts from our network in a single day. Hmmm.....

Extending our original "cut" command above into

cut -d " " -f12,14-16

now also includes the "source address" (field 12) into the output. If we now filter (grep) the output to only contain the first of the above russian IPs, the entire command line becomes

cat logfile.20100302 | grep -v "action=accept" | cut -d" " -f12,14-16 | grep "194.186.121.68" | sort | uniq -c | sort -rn

36424 src=192.168.140.108 dst=194.186.121.68 service=80 proto=tcp
218 src=192.168.143.19 dst=194.186.121.68 service=80 proto=tcp

which shows two clients on our internal network (192.168.x) that try to talk to this outside IP address.
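The full pipeline above, as an added example that is not part of the original diary: a small shell script that runs it over a constructed Checkpoint-style log (the sample lines, addresses and counts below are made up for this example) and wraps the two steps in functions. It also anchors the final grep on the dst= field with a fixed-string match, because the bare grep "194.186.121.68" in the post treats each dot as a wildcard and would match that address in the src field as well.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the
# grep/cut/sort/uniq "boil down" on a constructed Checkpoint-style log.
# Split on spaces, field 3 is action, field 12 is src and 14-16 are
# dst/service/proto, exactly as counted in the post.

# Constructed sample log: three internal PCs, one accepted proxy connection.
sample_log() {
cat <<'EOF'
time=2010-03-02 23:59:57 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.140.108 s_port=37586 dst=194.186.121.68 service=80 proto=tcp rule=16
time=2010-03-02 23:59:58 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.140.108 s_port=37587 dst=194.186.121.68 service=80 proto=tcp rule=16
time=2010-03-02 23:59:59 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.140.108 s_port=37588 dst=194.186.121.68 service=80 proto=tcp rule=16
time=2010-03-02 23:59:59 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.143.19 s_port=41002 dst=194.186.121.68 service=80 proto=tcp rule=16
time=2010-03-02 23:59:59 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.1.50 s_port=50010 dst=62.105.135.101 service=80 proto=tcp rule=16
time=2010-03-02 23:59:59 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.1.50 s_port=50011 dst=62.105.135.101 service=80 proto=tcp rule=16
time=2010-03-02 23:59:59 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.1.50 s_port=50012 dst=192.168.0.1 service=657 proto=udp rule=16
time=2010-03-02 23:59:59 action=accept orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=192.168.1.7 s_port=50013 dst=3.4.5.6 service=443 proto=tcp rule=3
EOF
}

# Blocked connections boiled down to dst/service/proto, busiest first.
# Reads the log on stdin; sort before uniq -c is required because uniq
# only collapses adjacent duplicates. The sed strips uniq's count padding.
top_blocked_destinations() {
    grep -v "action=accept" | cut -d" " -f14-16 | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Internal sources that tried to reach one destination, with attempt counts.
# grep -F on "dst=<ip> " stops the dots acting as wildcards and avoids
# matching the same address when it appears in the src field.
sources_for_destination() {
    grep -v "action=accept" | cut -d" " -f12,14-16 | grep -F "dst=$1 " | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone run; for real data replace "sample_log" with "cat logfile.20100302".
sample_log | top_blocked_destinations
sample_log | sources_for_destination 194.186.121.68
```

On the constructed log the first call ranks 194.186.121.68:80 at the top with four attempts and the second attributes three of them to 192.168.140.108 and one to 192.168.143.19, which is the same shape of answer the post gets from its real log.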

Now, the next step is to isolate the process(es) on these two systems that initiate the connections. If the two clients run on Windows, the best bet here is to use "tcpview" from the SysInternals suite. Some patience is called for - since the connection gets dropped by our firewall, it will not be listed as an active (ESTABLISHED) connection. But watching tcpview should eventually show a process that tries to open an outbound connection ("SYN_SENT"). Once the process is known, the "What Does Your Firewall Log Tell You" portion of this investigation is over, and standard malware fighting procedures kick in. SysInternals "ProcessExplorer" is a good next step to learn more about the potentially malicious process.

What is your favorite way to quickly carve out interesting tidbits from huge firewall logs?

What is your firewall telling you and what is TCP249? (Part1)

As part of our operational processes there is typically a line item stating "Review Firewall Logs". This is a requirement in many different standards and most people will have it down as a task to do. However we all know that there are way more interesting things to do rather than looking at log files. Unless you have some nice tools, it is one task that soon sends junior mad.


In trying to save Junior's sanity and basically because I am one of those people that actually likes looking at logs (I know, I have no life) I was going through some firewall logs. They never disappoint. There are the usual port scans happening for various ports:

217.10.127.105 13845 aaa.bbb.ccc.0 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.6 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.21 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.12 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.20 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.10 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.41 22 TCP
...
The usual hits on ports 135/137/139/445/1433/1434/25 can be found in the log file, and at the moment there are plenty of hits on 3306 for MySQL. More unusual ports to be hit were UDP 7 and TCP 249. UDP 7 was associated with some checks from a University (http://isc.sans.org/diary.html?storyid=4660), but I have yet to confirm this is the case here. TCP 249 however isn't that common, and if you do have some captures of traffic to TCP 249 I'd be interested in seeing them. There were also a number of high ports being hit; after chasing these down, in this environment, they were associated with torrent and Skype traffic.
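Two checks for the kind of log shown above, as an added example that is not part of the ISC diary: an awk pass that flags one source hitting many distinct destinations on the same port, which is what the SSH sweep from 217.10.127.105 looks like, and a per-port histogram that makes rarely seen ports such as TCP 249 stand out. The sample lines are constructed, and the internal addresses are placeholders standing in for the aaa.bbb.ccc.x range in the post.

```shell
#!/bin/sh
# Added example, not from the original diary. Works on the five-column
# "src sport dst dport proto" lines shown above. Sample data is constructed;
# the 10.0.0.x addresses are placeholders for the post's aaa.bbb.ccc.x.
sample_scan_log() {
cat <<'EOF'
217.10.127.105 13845 10.0.0.0 22 TCP
217.10.127.105 13845 10.0.0.6 22 TCP
217.10.127.105 13845 10.0.0.21 22 TCP
217.10.127.105 13845 10.0.0.12 22 TCP
217.10.127.105 13845 10.0.0.20 22 TCP
198.51.100.9 40211 10.0.0.5 3306 TCP
198.51.100.9 40212 10.0.0.5 3306 TCP
203.0.113.7 51000 10.0.0.9 249 TCP
EOF
}

# Horizontal sweeps: for each (src, dport, proto) count DISTINCT destinations
# and print "src dport proto n_dsts" for those at or above the threshold
# (default 3), busiest first. Repeated hits on one host do not count.
sweeps() {
    min="${1:-3}"
    awk -v min="$min" '
        { key = $1 " " $4 " " $5; if (!seen[key, $3]++) n[key]++ }
        END { for (k in n) if (n[k] >= min) print k, n[k] }
    ' | sort -k4,4nr
}

# Hits per destination port as "count proto dport", most common first, so the
# odd ports (TCP 249, UDP 7) surface at the bottom of the list.
port_histogram() {
    awk '{ c[$5 " " $4]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Stand-alone run; on real data replace sample_scan_log with "cat fw.log".
sample_scan_log | sweeps 3
sample_scan_log | port_histogram
```

Counting distinct destinations rather than raw hits is what separates a sweep from one noisy client retrying the same host: in the sample, 198.51.100.9 hits 10.0.0.5 twice and is not reported, while the scanner that touched five hosts on port 22 is.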

It is also interesting to check the outbound traffic. Having a look to see what is trying to leave the network can also be enlightening. Torrent traffic seems to be fairly prevalent in the logs I'm looking at; alas, all it highlighted is that we'll have to do a regular dump of the NAT table so we can correlate the info and tag the internal user that is being silly. The logs can show you which machines talk to the internet and for what reason. They teach you what is normal in your network, something not easily achieved by using automated tools. People are still better than machines at identifying "weird". If you have the capacity you should consider logging not just denied traffic, but also allowed traffic on the firewall. Many attacks will try and sneak through; if you log all traffic you may be able to identify them.

When junior starts to shake and make strange noises that indicate the removal of all sharp objects from the office is needed, take a walk through your logs and get a feel for the "street" as it were. I can guarantee you will learn something. It may be something as exciting as a new attack, or as mundane as finding out some of your processes aren't working or being followed. You could even discover that some of your expensive tools aren't quite telling you the whole truth. Every now and then, take out your command prompt, find the grep man page and go nuts.

The Samurai Web Testing Framework

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

Friday, March 5, 2010

Why DRM Doesn’t Work

THE GEEK CODE

The Geek Code is basically a (small) part of Internet history. When the author wrote the first incarnation of the code back in '93, it was as a lark. Eventually, it evolved into the form you see online now and has remained virtually unchanged since that time.

The Code Looks Something As Below....

GED/J d-- s:++>: a-- C++(++++) ULU++ P+ L++ E---- W+(-) N+++ o+ K+++ w--- O- M+ V-- PS++>$ PE++>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++ G+++++ e++ h r-- y++**


This parody of the output created by the PGP program will attempt to universalize how you will see the Geek Code around the net. Your GEEK CODE BLOCK will look like the following:

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GED/J d-- s:++>: a-- C++(++++) ULU++ P+ L++ E---- W+(-) N+++ o+ K+++ w---
O- M+ V-- PS++>$ PE++>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++
G+++++ e++ h r-- y++**
------END GEEK CODE BLOCK------

To Create A Code...
http://www.geekcode.com/geek.html