Wednesday

Hackers and suits: 10 Tips for bridging the gap



There is a Great Divide in the realm of information technology. I'm not talking about Windows versus Linux or Java versus .NET-no, nothing like that. The gap I'm referring to is between software developers and the people who manage them - what I call hackers and suits.

Full article with the 10 tips (Itworld.com)

Tuesday

NIST drafts guidance on risk management



This was released about a week ago and it's only a draft. But it might be an interesting read anyway.

NIST announces the release of the initial public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective.

This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a disciplined, structured, flexible, extensible, and repeatable approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization.

Comments will be accepted through December 14, 2007. Email comments to: sec-cert@nist.gov

URL to DRAFTS page:
http://csrc.nist.gov/publications/PubsDrafts.html

URL to PDF file for Draft SP 8000-39:
http://csrc.nist.gov/publications/drafts/800-39/SP-800-39-ipd.pdf

Monday

ExploitMe: Free Firefox Plug-Ins Test Web Apps



Canadian researchers have built a set of free exploit tools for Web applications that run as Firefox browser plug-ins; the so-called ExploitMe suite includes tools for cross-site scripting (XSS) and SQL injection, two of the most common vulnerabilities found on Websites.

Nishchal Bhalla, founder of Security Compass, and his fellow researchers at the firm will demonstrate and release the new exploit tools -- aimed at facilitating penetration testing of Web applications -- at next month's SecTor security conference in Toronto. The tools let researchers, Web app developers, and quality assurance staffers "fuzz" their Web apps for vulnerabilities to XSS and SQL injection attacks.

Full article (darkreading.com)

Sunday

The Best Security Books to have in your library



I found an interesting list of books on the SANS website today:

The Best Security Books to have in your library
October 25th, 2007
By GIAC Advisory Board

What are the best security books to have in your library? To find out, we polled the GIAC Advisory Board. Students that score over 90 on their GIAC certification exams are invited to join the Advisory Board. Their answers are shown below. The ones in bold received multiple votes.

Full list of books.

Richard Bejtlich's from Taosecurity also has three very interesting Amazon Listmania Lists with tons of recommendations:
Here is my current wishlist. I still have massive amounts to read (somehow).

How to pentest a VOIP enabled LAN



Sandro from sipvicious.org published a short story called "How to get the job done". The plot is a scenario showing how SIPVicious tool suite can possibly be used in a corporate environment by a malicious intern.

"The objective was to get the latest research documents from the lab servers. Chris didn't ask why, and they never asked how, but he did not think it would be much of a problem. His previous experience had taught him that no one seems to take these things too seriously until its too late. Especially for someone from the inside. But Pharmakom Industries seemed a bit different. It was the third day since the meeting, his ‘research’ had been exhaustive and had had no luck yet."

SIPVicious tools currently consist of:

  • svmap - this is a sip scanner. Lists SIP devices found on an IP range
  • svwar - identifies active extensions on a PBX
  • svcrack - an online password cracker for SIP PBX
  • svreport - manages sessions and exports reports to various formats
Enjoy!

Friday

Striptease award for solving captchas



In September, we saw the outsourcing of software designed to break CAPTCHAs. I knew what CAPTCHAs were but I didn't know it was a acronym: "Completely Automated Public Turing test to tell Computers and Humans Apart". Anyway, what is the best software to crack these? Yes! The human brain! A clever social engineering design is the next threat we have to deal with. Solve the captcha and get a striptease in return. Full Analysis by Pandalabs.

Hmmm, can you recognise this kind of image? Yes, it’s a captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart) image. Now, look at yourself, you are a human automated captcha reader. If you type the correct interpretation of the image, you are sending the information necessary to break the protection of the targeted site. This attack could be used to create massive mail accounts, for comment posting… for all the services that use captchas to authenticate a person instead of a computer. In this particular case, the captchas were from Yahoo.

Thursday

PDF URI exploitation and the RBN

It seems the PDF URI handling vulnerability is being exploited and guess who shows up from the whois lookup? From the honeyblog analysis:

The URL handling vulnerability in Windows XP and Windows Server 2003 is being actively exploited in the wild according to a posting to full-disclosure. The PDF file attached to that mail contains an exploit for this vulnerability, which contains shellcode to download a binary via FTP from 81.95.146.130. A whois lookup of this IP shows that it belongs to RBN, the Russian Business Network. RBN was quite often in the press recently.

The downloaded binary injects itself into several Windows processes and collects various information from the infected machine. This data is then sent to http://81.95.147.107/cgi-bin/pstore.cgi, another IP address within the RBN network. A complete CWSandbox analysis of the binary is also available.


Shouldn't we be blocking the entire AS by now?

Hack.lu was pwned in 15 minutes and a small review of the event



Well, the participants weren't the only 'victims' at Hack.lu, apparently the backbone switch got pwned 15 minutes after the start.

It was my first visit at the Hack.lu conference. They have about 200 visitors which makes it a small but more social event. The talks were super on the content side. Given my interest in presentation techniques, I was reviewing the presentation style of everyone as well. There were a few "death by powerpoint" cases. An example of a good presentation was the one from Lance Spitzner or the presentation about enabling cross-site requests from Thomas Roessler's. A good set of slides should help the talker present the message, it should not be the entire message. Here are some presentation pointers:

  • keep the text short, avoid excessive bulletpoints
  • limit the number of slides (or at least the total time)
  • avoid stock templates
  • use visuals (our memory is better in remembering images then text)
  • alternate your voice, don't speak in a monotone fashion
  • try to use a joke from time to time (depending on the audience this can be hard)
  • don't read from your slides (prepare!!!)
So kudos to the entire hack.lu and keep up the good work. CU next year!!!

Ultimate Geek Shirt

From ThinkGeek. A shirt that detects wifi signals...... (click on the image for live action)

Podcast: Audioparasitics Episode 19: Is 'security through virtualization' a myth?



Episode 19 - Part 1 of 2 - Is 'security through virtualization' a myth? We tackle the subject with special guests Rafal Wojtczuk and Rahul Kashyap.

Wednesday

Sometime you have to be faster



Since reverse engineering has awakened my interest in malware or should I say vice versa, I have been on the lookout for "sources". Some of those sources have been casual emails with some security researchers I encountered. Today, I got an email with the link "http://81.95.149.51/ms" (don't worry it's not live anymore). This person encountered the link on a certain mailinglist.
This IP was hosting quite a bit of malware, if I read some reports and this page from google cache. Apparently I was just too late to download all the binaries for analysis. At least the directory doesn't have the same name anymore. When I looked up the AS number, it seemed to belong to RBN-AS RBusiness Network.

40989 RBN-AS RBusiness Network

Adjacency: 2 Upstream: 1 Downstream: 1
Upstream Adjacent AS list
AS41173 SBT-AS SBT Telecom
Downstream Adjacent AS list
AS28866 AKIMON-AS Aki Mon Telecom
Yay, those guys again. If you have been reading this blog, you should know what RBN means and what it stands for. I was about ready to publish this post and had a quick glance at my RSS feeds of today. It seemed I wasn't the first to blog about this "discovery", Over 100 Malwares Hosted on a Single RBN IP (ddanchev). Oh well...... sometimes you have to be faster. At least, the investigation lead me to some interesting forums and rss feeds to add to my collection.

BONUS: RBN's Fake Security Software (ddanchev).

Tuesday

Phishing Trends Activity Report for July 2007

Released on the October 18th:

The Anti Phishing WorkGroup's combined report, covering phishing activity during July 2007 is available here: APWG Phishing Trends Activity Report for July 2007.



Some highlights of the report:

  • For the first time recorded by the APWG, China has surpassed the United States as the country hosting the largest percentage of phishing websites with 23.74% of the total detected in a month’s sampling period.
  • The average time online for phish sites descended to 3.6 days, the shortest time-live duration yet recorded by the APWG.
  • The number of unique phishing websites detected by APWG in July was 30,999, a decrease of nearly 1,000 from June.
  • July saw a decrease in the number of hijacked brands to 126, a drop of 20 from June.
  • The number of unique phishing reports submitted to APWG in July was 23,917, a decrease of nearly 5,000 reports from the previous month.
  • Financial Services continue to be the most targeted industry sector at 94.4% of all attacks recorded in the month of July. The APWG notes that more than half of the most targeted brands belong to European financial institutions.

The (real) reason I want a big videocard is to .....

...crack Windows NTLM passwords up to 25 times faster

It is well recognised that graphics processors (GPUs) have a far greater theoretical performance than current CPUs. Now, Elcomsoft has proved in version 2.0 of its Distributed Password Recovery (DPR) how GeForce-8 cards can be used to crack Windows NTLM passwords up to 25 times faster than previously thought possible. Cracking an eight-character Windows password now only takes three to five days, instead of two months. Furthermore, multiple computers can be combined in a cluster to increase the throughput even further. Elcomsoft plans to patent the software it has developed for this purpose.


The Compute Unified Device Architecture (CUDA) framework allows high-performance tasks to be outsourced to the graphics card. In particular, tasks that can be highly parallelized are especially suitable for modern graphics cards like Nvidia's, with its 128 stream processors. GPUs do not handle floating-point calculations as accurately as CPUs, which is why they are not as suitable for such applications as climate modelling, but they are adept at the high precision fixed-point arithmetic that is used in encryption. (Heise.co.uk)

Video: Chinese Cyberwarriors

Originally aired on the Discovery channel: Chinese Cyberwarriors


Adobe Acrobat and Reader security patch finally released


Hot from SANS ISC, the patch for the Adobe vulnerability discovered last month:

"Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Release date: October 22, 2007

Vulnerability identifier: APSB07-18

CVE number: CVE-2007-5020

Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed

Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier"

The acrobat patch is available here http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

The reader patch is available here http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

Monday

A Hacker's Holiday Shopping List



Malicious hackers and other assorted bad guys looking for new tools for plying their trade this upcoming holiday season will have plenty of toys and services to choose from.

Servicing them is a growing underground market bristling with botnets, Trojans, rootkits, spyware and all sorts of shady services aimed at everybody from the humble do-it-yourself hacker to sophisticated, organized criminal gangs.

A Hacker's Holiday Shopping List (PC World)

Even our Security Warrior got a Russian DDoS spam this week:

I got this great piece of spam the other day - a loose translation says "want to blow away the competitors' sites? Order our DDoS service. 10 minute trial free. (!) Prices from $99-300."

Now if the title of this post was a little misleading and your girlfriend needed some pointers for Xmas, go here! ;-)

Reverse engineering 101



After the CTF @ Hack.lu, I got more interested in Reverse engineering so I looked up some resources to help sharpen my skills. First of all, there is a Wikibook on Reverse Engineering to familiarize yourself with some of the concepts.

Then there is a two piece part on reverse engineering at the ethicalhacker.network.

In Part 1, Intro to Reverse Engineering - No Assembly Required, we extended the series of coding articles for non-programmers with an area of high interest in the infosec community. We're proud to be able to bring you the highly anticipated follow-up complete with screen shots, sample code and applications. This one is long and detailed, so strap yourselves in for some great educational content.

This paper is designed to outline some essential reverse engineering concepts, tools and techniques - primarily, debuggers and using the debugging process to reverse engineer application functions and algorithms. It is assumed you have knowledge of basic assembly and C programming. An understanding of Win32 programming and API calls is also helpful. This tutorial does not necessarily have to be read in order (although it is strongly advised), as some sections do not contain information that directly relates to subsequent sections. However, if you begin skipping around and find that you have trouble understanding a concept, or feel like you missed an explanation, it would be best to go back to previous sections of the tutorial and read them first.

After that, let's get to Intro to Reverse Engineering - Part 2

If you need some practice, you can always try the challenges from F-secure:

Don’t forget Didier Steven's tools to help you with the challenges:

- Challenger
- OllyStepNSearch

Think it’s too difficult for you? Think again, this movie (YouTube) shows how easy the first level of last year’s challenge was, XviD hires here

I also noticed Didier created a wiki on reverse engineering:

Sunday

First batch of CCCamp 2007 videos online

A friend of mine pointed out to me that the CCCamp wiki was updated. The first batch of videos are available for download:



If someone can help with the hosting of the videos, please mail at "cccvid_at_web12.kunden.air-webhosting.de" Then the rest of the videos can be cut and recoded. Some of the remaining videos have slight picture errors. Advice for repairs to the same address please. (Request from r0ckarong)

The 24C3 Congress is coming up. I really want to go but I will have to see if I have enough budget left to go.

Tracking the Russian Business Network Part 2



There has been a lot to read about the Russian Business Network lately. When visiting Taosecurity, I discovered a blog -- rbnexploit.blogspot.com -- that is focussed exclusively on the RBN. In their latest post "RBN - The Good, Bad and the Ugly" they focus on the RBN Autonomous System.

The problem is the RBN's Autonomous System is integrated within the whole of the Russian , Eastern European, and Eastern Scandinavian internet system overall.

Routing enumeration from Richard Bejtlich shows us how to find the routes to a certain network.

Bonus: Uncovering Online Fraud Rings: The Russian Business Network (idefence webcast)
The Russian Business Network (RBN) developed into its current incarnation as "the baddest of the bad" Internet service provider (ISP) in June 2006. Before then, much of the malicious code currently hosted on RBN servers was located on the IP block of another St. Petersburg ISP, the now-defunct ValueDot. Like ValueDot before it, but unlike many ISPs that host predominately legitimate items, RBN is entirely illegal. VeriSign iDefense research identified phishing, malicious code, botnet command-and-control (C&C), and denial of service (DoS) attacks on every single server owned and operated by RBN.

MITMing a room full of security people @ Hack.lu



Just a quickie: MITMing a room full of security people ;-)

The screenshot

The analysis

Saturday

Capture The Flag @ Hack.lu 2007

Well, I didn't blog a lot about the Hack.lu convention but I was having fun with the CTF game and it took most of my time. It was so much fun. I was fooling around with Hex editors and other tools (on Backtrack). My goal was to learn as much as possible from the game. The CTF was a multi disciplinary contest. There were 5 categories:

  1. Binary Leetness
  2. Forensics
  3. Web Hacking
  4. Potent Pwnables
  5. Trivia
I found it a pity that the game just started on day 2 and I didn't want to neglect following the presentations and talking to other people. It was hard not to get back to the game as soon as possible. I ended up in the top ten but there were still a few hours left when I headed back home. I certainly learned some new 'tricks'.
Next time, I will prepare a laptop with some proper tools and configuration. I only had the livecd from Backtrack and it had some drawbacks.
I hope the CTF will be posted online at some point in time so I can have a shot at the remaining challenges. I still have some of the binaries to analyze at home. But the web hacking is another thing. Since I was having so much fun, first thing I did back home, was to install Webgoat 5.1. So I'm finishing my post here. I have some playing to do! ;-)



Update: To clarify to some people. This was not the classical CTF game you see at most conferences. This was more a quiz with questions ranging from hacker trivia to computer forensics and Web server administration. For example, for forensics 100, you saw the photo of a street sign and the question was 'in which city was this photo taken'. The purpose was of course to look at the GPS coordinates embedded in the EXIF format and not looking up the street names on google (which might be a bit harder to solve this way). A classical CTF would not have been my cup of tea but this hacker game was very entertaining and educational.

5 in a row: Multiple Zero day and patch releases



It's been a busy week with a lot of (zero day) attack vectors appearing together with some patch releases:

Friday

New spam wave using MP3



The next wave in the ongoing evolution of pump and dump spam is using mp3. Really!

I'm keeping it short today since I'm participating in the CTF at Hack.lu! ;-)

Presentation skills & Pecha Kucha Brussels

It's not unimportant to have good soft skills. Being a domain expert just isn't enough anymore. You have to be able to adequately present your ideas.

With this in mind, I have been analysing the presentations on Hack.lu not just the content, but the presentation techniques. How many slides were used? Do they use good visuals? Do they read from their slides? Do they use too many text or bullet points in one slide? etc etc.....

You can look at a comparison of presentations from Bill Gates and Steve Jobs. Guess who gives the best presentations?

Lance Spitzner at Hack.lu for example was also very good at giving presentations. To help improve ourselves, there is a progress report on the book from Presentation Zen. And there is the first Pecha Kucha night in Brussels coming up.

Local homepage:http://pechakucha.architempo.net/
NEXT EVENT: Vol.01 - 20 November 2007 - 20:20 pm

Avoid social engineering and identity theft

Ever googled your own name? Yes? Then try out the following. It's amazing how much traces people leave on the internet. We need to be careful about the information, we put online. Identity theft and social engineers will abuse it otherwise.



Maltego is a program that can be used to determine the relationships and real world links between:

People
Groups of people (social networks)
Companies
Organizations
Web sites
Internet infrastructure such as:
Domains
DNS names
Netblocks
IP addresses
Phrases
Affiliations
Documents and files

I challenge you to try it out! ;-)

UPDATE (Source Security.nl): There is a launch of a similar Dutch search engine ttp://www.wieowie.nl/

Hack.lu day 1: honeypots, voip pentesting and exploiting anti-virus



Day 1 on Hack.lu was a very productive one. I met a lot of interesting people and learned a lot. This day was supposed to be mostly about workshops. Unfortunately only one out of three I attented, was actually hands on. The other were only demos.

The first presentation was by the FCCU (Belgian Federal Computer Crime Unit). Because of licensing issues, it was only a demo. After the talk, I argumented to the speakers that the active participants could have provided each their own VM with Windows OS. It was also a requirement for other workshops. I didn't learn much here because the talk was very similar to their presentation in the ISSA conference some months ago. So I was disappointed it wasn't more hands on.
The second presentation by Joffrey Czarny was actually very interactive and included a lab. This was the most fun of the entire day. I will list some of the tools we used:

And last but not least, third presentation of the day was about exploiting Anti-virus. It was very similar to the talk on CCCamp 'Antivirus (in)security' also by Sergio Alvarez . Besides the presentation, it was also only a demo and no actual workshop. There were some new elements in the presentation compared to the previous one. The worst thing that can happen to an AV product is not actually failing to detect malware. It's not crashing. It's being exploited. Think about it, which one is worse? Exploiting a client or exploiting a gateway? Defence in depth says to use different scanning engines. Something I have also been promoting.

Actually this defence in depth practice also increases your risk. The more different engines you use, the more chance you have to get exploited this way. I never looked at it this way. I saw a demo on a fully patched machine and it got owned

Scary stuff.

Thursday

Hack.lu: start of day 1



Normal blogging may be a bit on the low side during the next days because I'm at the Hack.lu conference. On the bright side, I will try to report about the event as much as possible.

My program for today is:

  1. 9:00 - 11:00 Forensic analysis of botnets by FCCU, Belgium
  2. 11:00 - 13:00 VoIP workshop by Joffrey Czarny
  3. 14:00 - 16:00 The death of defense in depth? (Revisiting AV software) by Thierry Zoller, Sergio Alvarez

Ready? Go!!

Protect your browser: Browser rootkits, Virtual appliances and Network Admission Control



There has been a lot of discussion this year about virtual rootkits and Blue Pill. pdp from Gnucitizens takes another approach: browser rootkits.
Criminals used to go after your system but nowadays they go after your data. Browser are just middleware. The closer to the data the better! pdp states. This is why browser rootkits make sense.

Lets take Firefox for example. Firefox is a complex, dynamic project which is subjected to regular updates. A big portion of the browser is written in scripted languages such as JavaScript and Python and supporting formats such as XML, RDF, XUL, XHTML and others. Given the fact that any of these components can be modified to serve the rootkit purpose, the antivirus agents need to be capable of understanding the technologies involved in Firefox in order to prevent or ensure the malware detection.

Let’s not forget the fact that the browser is a key business software which is usually allowed to get out (surf the Web), directly or via a Web proxy. The browser is configured to communicate by default. This ensures that the rootkit software can always get out and also let the rootkit master in, circumventing any restriction that may exist in between. There is no other technology that matches the same level of interoperability and communication power.

Last but not least, browser rootkits are portable when the browser itself is available to more then one platform. Firefox, again, is one of the most vivid examples. Firefox extensions, which can be easily turned into rookits, are OS independent. A single rootkit can infect Windows, Linux and MacOS at the same time without the need for reorganization of the source code. This feature makes browser rookits the perfect malware.

Short after this article, Joanna Rutkowska, the researcher behind Blue Pill reacted with her own view on browser rootkits.

She doesn't expect that browser rootkits will replace the OS rootkits but they will definitely become more and more an important problem.

There are some ways to avoid, or minimize the impact from browser-based rootkits. Just use two different browsers – one for sensitive and the other one for non-sensitive operations. There are more ways to achieve this. Use Firefox simultaneously with different profiles, run seperate browsers, or even use virtual appliances. Other researchers have also indicated they prefer to run browsers in a virtual 'appliance' in select cases.

After the banking Trojans in Belgium, I expect to see this browser virtualization an option in the future. Another approach might be a NAC (Network Admission Control) type of access where banks will scan your PC for Trojans and other security criteria before they allow you access. Just today, Panda launched their Panda Security for Internet Transactions.

Panda Security for Internet Transactions, an antifraud service for online
transactions to protect clients of e-banking, pay-platforms and e-commerce
against active malware. Banks and businesses will be able to scan PCs to
ensure that users launching transactions on their websites are not affected
by any malicious code. This eliminates the risk of passwords being stolen
or other fraudulent operations.

Wednesday

Stormworm mutates: it is expanding and dividing



Storm work is using another theme to infect new victims. This latest theme is about a kitty cat ecard. The subjects are among other:"Someone is thinking of you! Open your ecard!" , "We have a ecard greeting for you." , "We have a ecard surprise!", etc.

When someone visits these websites, it shows the "The Laughing Psycho Kitty Cat"ecard and points to an executable named "SuperLaugh.exe". It's about 118KB.

More info and screenshot at Trendmicro.

Joe Stewart from Secureworks has new info on the StormWorm:

The latest Storm variants have a new twist. They now use a 40-byte key to encrypt their Overnet P2P traffic. This means that each node will only be able to communicate with
nodes that use the same key. This effectively allows the Storm author to segment
the Storm botnet into smaller networks. This could be a precursor to selling
Storm to other spammers
, as an end-to-end spam botnet system, complete with
fast-flux DNS and hosting capabilities. If that’s the case, we might see a lot more of Storm in the future.

The good news is, since we can now distinguish this new Storm traffic from legitimate” (cough) Overnet P2P traffic, it makes it easier for network administrators to detect Storm nodes on networks where firewall policies normally allow P2P traffic (I.E. not corporate networks, we hope!).

Matt Jonkman over at Bleedingthreats.net has written some signatures to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet sizes typical of Storm, occuring over a certain threshold. Since there’s no content matching, these could be prone to false positives in certain cases, so the usual caveats with bleeding-edge signatures apply.

Zero day exploit for Adobe Acrobat is now in the wild



On the 20th of September, Gnucitizen discover a flaw in Adobe Acrobat Reader. They didn't release any exploit code so Adobe could fix it.

But someone has read the advisory and released a Proof of Concept through the full disclosure mailinglist.

As far as I have been following the story, Adobe hasn't released a patch for this at the moment.
For the recent versions, there is a workaround (SANS ISC). For the older versions, Host intrusion prevention and gateway scanning might be the only defence for now.

Testing the Sunbelt Network Security Inspector

Sunbelt is putting out a call out for beta testers for the new version of their network security tool, Sunbelt Network Security Inspector (a tool for network security analysis, not for home/consumer use , à la Nessus).
If you’re a security professional and want to test it,you can simply send an email to beta(at)sunbelt-software.com, with the subject “SNSI 2.0 BETA”.

The Russian Business Network denies allegations



Yesterday, I talked about the Russian Business Network which provides Web hosting services to numerous cyber criminal operations. Today, I read an article by Wired.com where an individual claiming to represent the Russian Business Network has denied these allegations. Jaret said, everyone was essentially wrong in their assessments:

"We can't understand on which basis these organizations have
such an opinion about our company. We can say that this is subjective opinion
based on these organizations' guesswork." Jaret's e-mail signature identifies
him as working in RBN's abuse department.


Despite the consensus of the security community, and
recent press reports from
The Economist and The Washington Post, RBN denies that it's a web
shop for criminals. RBN doesn't have any more criminal activity on its network
than any other provider, and it responds to abuse reports submitted via e-mail
and a telephone hotline, says Jaret. He claims the organization closes
criminals' sites down within 24 hours of notification.


After security companies began scrutinizing RBN, the
company took down its website and changed its registration information. The
iDefense analyst says RBN doesn't need a website, because it gets its business
through word of mouth in the underworld, and from dodgy crime-oriented web
forums. RBN says it gets its customers through resellers, and that a new website
is under development.

Full article here.

Having read the last part of the article, I tried to go www.rbnnetwork.com which seems to point to the loopback address. Phishy indeed.



Monday

90% of all Belgian email is spam.



During a keynote at the Broadband World Forum Europe 2007, Belgacom presented some figures about the number of spam.

The total was almost 27 billion estimated for this year. Three years ago this number was 'only' 1,1 billion. About 88.5 percent of all email is considered as spam.

To combat image or pdf spam, Belgacom is using an additional technique based on the reputation of the sender. To achieve this, they work together with other European Telecom Operators but not with Belgian competitors such as Telenet.

Original story from zdnet.be (in dutch).

One of the reason of the increase is the difficulty in shutting down spambots due to Fast Flux DNS. Fast-Flux Spam and Scams Increasin (Ddanchev) shows us some nice graphics that try to map out this fast rotation. Here is his original analysis about the storm worm Fast Flux Network.

Event: Barcamp Brussels #4

It has been almost 6 months since the last Barcamp so they started preparations for Barcamp Brussels #4.

Barcamp Brussels #4

The proposed dates are: Nov 24th or Dec 1st. Location: to be defined. Sponsors: to be defined (you know how to reach me). Logo can be found on Flickr.

If you want to attend and/or present: please add your name to http://barcampbrussels.wikispaces.com/BarcampBrussels4.

For info: yes, the colors of the logo are inspired by Orange Bleu. Let’s see if we can organize a Barcamp faster than Belgium can form a government.

What is Barcamp, you might ask?
BarCamp is an international network of user generated conferences — open, participatory workshop-events, whose content is provided by participants — often focusing on early-stage web applications, and related open source technologies, social protocols, and open data formats.
I was too late for the previous edition but I will be attending the next one. Seems like fun.

Tracking the Russian Business Network



Last month, we talked about China's Wicked Rose and the NCPH Hacking Group. This month, we are going to mention the Russian Business Network (RBN) . Malware researchers have been tracking this group for some time and they claim they are responsible for a lot of pain on the Internet.

Brian Krebs has written a good overview of the RBN on his blog.

The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing' -- ID-theft scams in which cybercrooks use e-mail to lure people into entering personal and financial data at fake commerce and banking sites."

It is tough to find a serious cyber-crime attack over the past two to three years that did not involve RBN Internet addresses to some degree.

It seems the RBN is also listed in ROKSO (Register of Known Spam Organisation) of Spamhaus.

Here are some related articles:

Sunday

More details on the "in the wild" MS07-060 exploit



Yesterday, I blogged about the Microsoft Word exploit MS07-060 in the wild. It seems this exploit sample was first captured by a Belgian researcher Maarten Van Horenbeeck and shared with Symantec and other vendors. He gives a detailed analysis, pointing out how targeted this attack was and still is. It also shows us that the first appearance of the exploit was 6-8 hours before Microsoft released the patch.

It was executed early in the day on Tuesday, while Microsoft released its patch in the late afternoon. At the time of the attack, AV coverage was nonexistent.

As part of our investigation we extracted each of the binaries and performed analysis on them separately. None of them was detected by more than a few anti virus tools. Five days after the attack, which was distributed to AV vendors on Tuesday evening, coverage is still spotty (none of them gains more than a 5/32 on Virustotal).

We distributed this sample to 30+ AV vendors on Tuesday night CEST. Currently (Friday night), according to Virustotal, the following anti virus solutions have implemented file-scanning coverage for the Word dropper:

AntiVir 7.6.0.23 2007.10.12 TR/Drop.MSWord.Macf.A
Fortinet 3.11.0.0 2007.10.12 W32/Agent.BZE!tr.bdr
F-Secure 6.70.13030.0 2007.10.12 Trojan-Dropper.MSWord.Macf.a
Ikarus T3.1.1.12 2007.10.13 Exploit.Win32.MS05-002
Kaspersky 7.0.0.125 2007.10.13 Trojan-Dropper.MSWord.Macf.a
NOD32v2 2589 2007.10.12 Win32/Agent.BZE
Symantec 10 2007.10.13 Trojan.Mdropper.Z
Webwasher-Gateway 6.0.1 2007.10.12 Trojan.Drop.MSWord.Macf.A
You can read the full analysis on the Daemon.be blog.

Saturday

Analysis of the BlackEnergy DDoS Bot



Jose Nazario from Arbor Network presents us with a paper based on the BlackEnergy toolkit. From the summary of the paper:

BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike most
common bots, this bot does not communicate with the botnet master using IRC. Also, we
do not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small
(under 50KB) binary for the Windows platform that uses a simple grammar to
communicate. Most of the botnets we have been tracking (over 30 at present) are located
in Malaysian and Russian IP address space and have targeted Russian sites with their
DDoS attacks.

This report is based on analysis of the distribution package of the BlackEnergy botnet,
tracking approximately 30 live and distinct botnets, and disassembly of several samples
captured in the wild.

I received a lot of additional data, binaries and reports from various researchers in the community. To respect their confidentiality, I credit them by initials in the paper. The bot’s only gotten marginal attention from malcode research people in the past few months. However, it’s a prototypical HTTP bot. BlackEnergy has been called a “skiddie tool” by someone I know, and looking at the attacks they’ve been launching I’m inclined to agree. The threat level from this botnet isn’t as high as it is from other botnets we’re tracking. Some graphics not in the paper are the botnet C&C locations and the DDoS targets. If you flip between them quickly you’ll notice some overlap; one botnet attacking another.

You can download and read the report for yourself: BlackEnergy DDoS Bot Analysis [PDF], 11 pages.

Friday

Hack.lu conference in just a few days



In 6 days, I will be attending the Hack.lu conference. The agenda seems to be finalized. Let's have a look at the workshops on Thursday and the rest of the event:

Workshop1 Workshop2 Workshop3
9:00

Writing exploits using Metasploit 3.0

Saumil Shah

9:00

WiFi protected setup workshop

Philippe Teuwen

9:00

Forensic analysis of botnets

FCCU, Belgium

10:45

Refreshment Break

10:45

Refreshment Break

10:45

Refreshment Break

11:00

Writing exploits using Metasploit 3.0

Saumil Shah

11:00

VoIP workshop

Joffrey Czarny

11:00

Forensic analysis of botnets

FCCU, Belgium

13:00

Lunch

13:00

Lunch

13:00

Lunch

14:00

The death of defense in depth? (Revisiting AV software)

Thierry Zoller, Sergio Alvarez

14:00

Phishing workshop

Antiphishing Workinggroup

14:00

HackCamp (Barcamp/unconference)


Friday 19/10 - Saturday 20/10 : Lecture + Poster session + Lightning Talks

Doors will be open at 8:30

The agenda is probably not the final agenda of the conference as it may slightly change. Please check regularly the website for any updates!

Friday 19.10.2007 Saturday 20.10.2007
9:00

Opening Speech

Lance Spitzner

9:00

Breaking and Securing Web applications

Nitesh Dhanjani

9:50

Is IT virtualisation a security panacea

Frank Ackermann

9:50

Cracking Windows Access Control

Andrey Kolishchak

10:40 Refreshment Break 10:40 Refreshment Break
11:00

Botspy - Efficient observation of botnets

Claus Overbeck

11:00

Zombie 2.0

Diego Tiscornia, Fernando Russ

11:50

E-Passports: The good, the bad and the ugly

Zubair Khan

11:50

Masm

Yoann Guillot

12:40 Lunch Break 12:40 Lunch Break
13:30 Lightning talks 13:30 Lightning talks
14:00

Automated Malware Behaviour Analysis

Gerard Wagener

14:00

TBA

14:50

Exploiting SAP Internals

Mariano Nunez di Croce

14:50

Cost of Malware and Spam - Willingness-to-pay for IT security

Oliver Schmid

15:40 Refreshment Break 15:40 Refreshment Break
16:00

Rootkits

Eric Lacombe

16:00

Authentication and Intrusion Prevention for Multi Link Wireless Networks

Raphael Frank

16:50

Wifi fuzzing, remote kernel exploitation

Frank Veysset, Laurent Butti, Julien Tinnes

16:50 Agent oriented SQL abuse

Fernando Russ, Diego Tiscornia

17:40 Injecting RDS-TMC traffic

Daniele Bianco, Andrea Barisani (tbc)

17:40 Closing of the conference

If you want to attend the conference and didn't pre-register, it's still possible. The price will be 300,- EUR at the conference entrance. For students the price will stay 100,- EUR.

Microsoft Word exploit in the wild



Well, the time between the vulnerability (patch) announcement and an active exploit just seems to be getting shorter and shorter. From Zero Day:

Just 24 hours after Microsoft shipped a patch for a critical vulnerability affecting Microsoft Word, researchers at Symantec say they have intercepted a malicious Word .doc rigged with a backdoor Trojan.

The malicious document exploits the workspace memory corruption remote code execution flaw patched in the MS07-060 and signals a renewed push by malware authors to release exploits immediately after Patch Tuesday.

Symantec researcher Orla Cox noted that exploitation of these types of vulnerabilities are very targeted — aimed at specific companies — and limited in nature.

In the Patch Tuesday bulletin, Microsoft confirmed that the flaw was being exploited in the wild.

In this instance, the rigged file is named “hope see again.doc” and arrives via e-mail. When the document is opened on an unpatched machine, the exploit drops a Trojan that uses rootkit techniques to avoid detection. The Trojan may also disable security software and programs.

To avoid suspicion, it also creates and opens a clean Word .doc written in Chinese with the same file name.

Symantec warns that the end result is a backdoor on the compromised computer that connects to a Chinese Web site on TCP port 80.

Patch those systems. Have a look at the previous MS Patch Tuesday for more details.

Stopping targeted attacks, why signatures are not enough anymore



We have seen and targeted attacks on users. As a defender, I have been on the lookout for the next generation of new Anti-virus technologies.
As we can see, the Malware Boom Puts Pressure on AV Labs: The volume of malware attacks has increased 185 percent in recent months, and antivirus research labs are struggling to keep up. We need the next generation which will fight malware without relying on signature updates

Last week, I happened to stumble upon Symantec Endpoint Protection.

  • Proactive Threat Scanning Behavioral-based protection that protects against zero-day threats and threats not seen before.
  • Advanced Rootkit Detection and Removal Provides superior rootkit detection and removal by integrating VxMS (Veritas Mapping Service—a Veritas technology), thereby providing access below the operating system to allow thorough analysis and repair.
  • Application Control Allows administrators to control access to specific processes, files, and folders by users and other applications. It provides application analysis, process control, file and registry access control, and module and DLL control. It enables administrators to restrict certain activities deemed as suspicious or high risk.
  • Device Control Controls which peripherals can be connected to a machine and how the peripherals are used. It locks down an endpoints to prevent connections from thumb drives, CD burners, printers, and other USB devices.
Being able to lock down parts of the registry and stop binaries being written to disk for example can already stop a lot of infections. On the SANS website, I also found an interesting whitepaper:

Stopping the Targeted Attack: Why Comprehensive Malware Protection is Superior to Anti-virus Signatures for Protecting Your Organization (Whitepaper)
This paper discusses the evolving nature of malware, and why enterprises continue to be highly vulnerable to targeted malware attacks despite deployment of common security solutions like anti-virus software and traditional firewalls. Accordingly, the paper then describes new solutions designed to be much more proactive and effective in protecting an organization’s inbound and outbound traffic.

From the paper, the changing nature of Malware are:

1. Malware attacks are much more focused and sophisticated: Gone are the old random-style attacks. Today’s malware is focused on specific organizations or users with specific behavior patterns. It largely depends on who the organization is or what the user does, what sites are accessed online, whether material is downloaded from risky sites, and how careful he/she is about downloading files attached to emails, and similar issues. The traditional “one solution fits all” approach to stopping attacks is no longer applicable.
2.
Malware changes its code constantly: The latest viruses are designed to avoid detection by AV engines
by automatically changing or mutating every day and every time they send themselves out. Anti-virus vendors either have to use performance-hungry and error-prone heuristics or must create a new signature for each mutation.
3.
Malware means money: Malware is no longer a teen prank. It is created and distributed by sophisticated individuals and well organized groups. The perpetrators either are or employ talented software engineers who are as good as those employed by anti-malware vendors, and they work hard to stay at least one step ahead of the good guys. More often, malware is actually used for corporate espionage against a specific corporation, as the infiltration of the Israel HOT cable television group network in 2005 showed11.
4.
Some malware removers are actually malware: This ‘greyware’ represents a deceitful trap for users. Some pornography Web sites are rumored to have deals in place with malware authors. E.g. when someone accesses the site they get a fake error message that his/her system is compromised and is urged to click a link and download a “test utility” to scan. This “test utility” is usually a piece of spyware disguised as a seemingly benign system cleaner or something similar.
5.
Standard antivirus programs are often ineffective: The malware designers constantly test their creations against Norton, McAfee, and other popular anti-virus and anti-spyware systems, so they know those programs will not detect their malware during the zero hour when it is first released. By the time the vendors catch up, the damage is done, and the bad guys change their code to make it undetectable again. Sometimes these code changes are even automatic (see #2 above).
6.
Hide and seek: More and more malware actually tries to hide itself by using rootkit mechanisms or completely disabling anti-virus software on the client.