Friday, December 12, 2008

Internal Laughs

Most malware that I look at these days is packed, sometimes double-packed, in order to hide what's inside. When it isn't packed, the strings inside the binary are often encoded or encrypted so a strings program can't see what is going on.

Sometimes, however, if you wish REALLY hard and REALLY believe, you come across a gem like the one I looked at last night. I was notified by one of my many sources of a piece of malware sitting on a server. After downloading it, one of the first things I did was run the Sysinternals strings* utility against it. I found some interesting things:

C:\Documents and Settings\James\Desktop\MSN Pass Stealer\Stub\Project1.vbp

Hello AV Companies, Please Call Me

Hello AV Companies, Please Call Me Win32.MSNPassSteal.VB Thank You!

It's so nice to see things like this at times. While I'm pretty sure James didn't write this particular piece of malware, he probably did modify the source (MSN password stealer source code is easy to find) and compile it.

James - if you are reading this, let me give you some advice. First, learn how to use your compiler and how to turn off the debugging features that are turned on by default. Second, AV companies are not going to name your malware what you want. None of them did.

And finally, if you are going to use a user ID to post the results under, don't make it unique. Our intrepid fellow included the website the stolen credentials would be posted to as well as the user ID to use. While I'm not 100% sure it's James' ID (which is why I didn't show it), it is unique enough that it can be traced back to a single user.

Then again, James, don't follow my advice. It'll be easier to catch you that way. :)


* Even though I do 99% of my static analysis on Linux, I prefer the Sysinternals strings program because it can grab unicode strings and to my knowledge the Linux strings cannot. It works just great under wine. If anyone knows of a Linux strings program that can grab unicode strings, let me know.
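As an added example (not from the original post), here is a small Python script that does what the footnote asks for on Linux: it pulls both printable ASCII runs and UTF-16LE ("unicode") runs out of a file, the way the Sysinternals tool does. The SAMPLE bytes are constructed here to stand in for a downloaded binary; on a real file run it with the path as the first argument.

```python
import re
import sys
from typing import List, Tuple

# Constructed stand-in for a downloaded sample: a few header-ish bytes, one
# ASCII string and one UTF-16LE string (the encoding Windows binaries use for
# "unicode" strings), separated by filler bytes.
SAMPLE = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"Hello AV Companies, Please Call Me"
    + b"\x00\xff\xfe"
    + "C:\\Project1.vbp".encode("utf-16-le")
    + b"\x00\x00\x7f\x11ab"
)


def find_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, text) for every printable run of at least min_len
    characters, kind being "ascii" or "utf16le", sorted by offset."""
    # Printable ASCII bytes, min_len or more in a row.
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text made of ASCII characters looks like b"C\x00:\x00\\\x00...":
    # a printable byte followed by a NUL, repeated. GNU strings only finds
    # this with an explicit encoding switch; here it is a second pattern.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    return sorted(found)


def scan_file(path: str, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Run find_strings over a file on disk."""
    with open(path, "rb") as fh:
        return find_strings(fh.read(), min_len)


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_strings(SAMPLE)
    for offset, kind, text in hits:
        print(f"{offset:#010x} {kind:8} {text}")
```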

Monday, November 24, 2008

Enhancing Your Skillz...

I remember one of the questions I was asked in my first security job interview was "Why do you want to work in information security?" My response: because it changes on a daily basis and you have to stay on your toes. (This was also my response for "why don't you like security?")

Since then, I have always been searching for ways in which I could increase the security skills I have. Training courses, reading blogs/articles/books and networking are great ways to increase your security skills, but I have always thought that there is more to security than knowing how to read a TCP packet, how a buffer overflow works or how to perform a SQL injection attack.

If you work in information security you also have to have great analytical skills. You need to be able to "think outside the box", attack problems from a different point of view, or look at a log file and discern a pattern which someone else might not see. IMO, you can't learn these skills from reading an article or taking a training course.

However, I have found that playing games is an excellent way to increase your security analytical skills. How? A lot of games focus on strategy or pattern discernment and can help train your mind for these tasks. The following are games that I've personally played and found helpful in these areas.

Note: While I am a geek and love video games, I have specifically excluded these types of games from the following list. There are a number of reasons, but mostly because when it comes down to it, most video games are about reflexes not strategy (there are, of course, exceptions).

Set - Set is a card game where 12 cards are laid out on the table and you have to be the first person to find a set of three cards. A set consists of three cards that are either all alike or all different in each attribute (quantity, shape, shading and color). Sound easy? Not really. Set teaches your mind to attempt to focus on a number of different areas at once and discern a pattern. Great addictive game. Play it online too.

MindTrap - I love logic puzzles. To me, they are the ultimate in causing myself to "think outside the box" since most solutions aren't the obvious ones and require some thinking. Mindtrap takes logic puzzles and puts them into game form.

Puzzles for Hackers - Not a game per se, this book contains lots of puzzles designed for hackers and security professionals. It features encryption puzzles, reverse engineering and logic puzzles. I highly recommend it.

Hacker - OK, this probably isn't the best example for games in these categories...but I think this is a must have for all info sec professionals, given the history behind it.

Granted, these are only a small number of the games with potential to help us security folk. My point to all of this is that you don't just need to read a book or take a class to train yourself for your job...there are alternatives out there. And fun ones at that.

Anyone have any good games they want to share?

Thursday, November 20, 2008

Malware Challenge Results

After longer than I would have liked, the malware challenge results are in and posted!

There were a lot of great submissions but, unfortunately, we could only choose so many to receive prizes. In the end, we looked at the ones we felt gave the most information, presented it the best and would allow someone to learn from their paper.

Some quick stats on the challenge: we had over 900 downloads of the malware sample. Fortunately, we didn't have that many submissions. Most of the hits on the site came from the US, followed by Romania and Russia. Also, over 50% of the hits on the site were from Firefox!

I'd like to send a thank you to all the sponsors who donated prizes. Without them, we would not have been able to have such a great turnout. We're already thinking about the 2009 Challenge!

Any suggestions on how we could have done better? Send them our way!


Tuesday, November 4, 2008

Quick Update

Hello all - I haven't posted in a while and for good reason. I've been busy with a very interesting job at work that I hope to be able to talk about some day. Right now I can't (client privacy and such) but I can guarantee it will make an amazing story some day.

It is because of this job that I was unable to make it to the NE Ohio Information Security Summit. I apologize to everyone who thought I would be there and I have to commend and profusely thank Greg for taking over our presentations by himself and coming up with one at the last minute. Greg is an amazing speaker and friend and I'm glad he had packed crowds in both sessions.

As for the malware challenge, we were supposed to announce the winners at the summit. However, due to my being absent we decided to (wisely I think) postpone announcements until the next NE Ohio Information Security Forum meeting on November 19th. I invite everyone to come out as we will be giving out prizes there and announcing the winners (and will announce them on the site shortly after).

I will have some interesting news in the next couple weeks and am starting on a few projects I will be blogging about. For those who have stuck with my blog, thanks. I hope not to disappoint you. :)

Wednesday, October 15, 2008

Phishing with Malware

I've been pretty busy lately with work and the malware challenge (only 11 days left!) but I figured I'd post something which came across my inbox today. Wachovia has been getting a lot of phishing attempts against it which lead to a page trying to get you to install a security update, which is actually malware. I guess the bad guys decided that Wachovia had had enough and decided to turn their sights on Key Bank.

I received the following email supposedly from Key Bank asking that I update my system now.



Clicking on the link took me to the following page, which is NOT located on Key Bank's website.



If you wait long enough, the page refreshes itself to the executable; clicking the link makes it attempt to download and run the malware (after the user accepts the prompt) and open another browser window to the actual Key Bank login page. That page IS on Key Bank's website, but note that Key Bank is NOT compromised.



What has happened is that when the user installs the "update", the initial malware downloads another piece which installs itself as a service on the system. This new service then watches for any credentials sent. What happens when it gets one?



This isn't a new method for doing things - it's been around for a while. However, this is the first time I've seen this specific attack (from this group) directed at Key Bank. Trend Micro has a posting about the same attack against a German bank.

Thursday, October 2, 2008

Malware Challenge Contest In Full Swing!

The malware challenge contest began yesterday and from what we can tell it's very popular. According to our logs, we had over 100 downloads of the malware for the challenge from over a dozen countries.

For those who don't know yet, the malware challenge is a contest to analyze a piece of malware and find out what it does. The contest runs from October 1 to October 26 and the results will be presented at the Ohio Information Security Summit. Of course, we have lots of cool prizes to give away!

We have made the contest so that if you are new to malware analysis you'll still have a great shot at winning prizes. We're going to be looking more at the way people analyze the malware as opposed to whether they get the right answers. In other words, if you're unsure about it, still participate. The worst that can happen is you learn something in the process and win a cool prize!

Also, thanks to all who have been helping advertise it! Without you no one would know about the contest.

I look forward to seeing everyone's submission!

Monday, September 29, 2008

OWASP NYC AppSec Recap

The OWASP NYC AppSec conference was this past week and I was lucky enough to be one of the speakers there. Overall, the conference was great and OWASP did a tremendous job doing everything they could to make the conference go as smoothly as possible. The organizers should be commended for the job they did.

In the opening keynote, the organizers stated that this was the largest web app security conference in the world and I could see why. I believe there were over 800 people at the conference and every talk I went to was packed. While I went to many talks, there are a few that really stood out. They are:

Malspam - Garth Bruen, knujon.com - Garth talked about what knujon has been able to accomplish over the last few months and it's been quite impressive. He has been gathering a lot of data on illicit networks and has found a clear link between porn, drugs and malware on the Internet. He gave one example of where an illegal pharma site was shut down and two days later it was serving up porn and malware.

Security Assessing Java RMI - Adam Boulton, Corsaire - This was an excellent talk on how to assess the Java Remote Method Invocation (RMI) APIs/tools/whatever from Sun. Basically, RMI is a distributed computing API for Java and has been part of the core JDK since 1.1 (java.rmi package). It's analogous to .NET, RPC or CORBA. Adam went over some methods for attacking RMI apps and previewed a tool of his named "RMI Spy" which (I believe) he'll be releasing.

Flash Parameter Injection - Ayal Yogev & Adi Sharabani, IBM - This talk was about how to inject your own data into flash applications, the result being XSS, XSRF, or anything you can think of to attack the client. Basically, Flash applications have global variables which can be assigned as parameters when loading the flash movie in a web page. If the global variables are not initialized properly (and they usually aren't) then attackers can load their own flash apps and own the client.

APPSEC Red/Tiger Team Projects, Chris Nickerson - The next talk was probably one of the best I attended at the conference. Chris Nickerson was one of the guys on the ill-fated Tiger Team show and is a really cool guy - I talked to him for some time at the OWASP party the night before. He stated in his talk that pen testing applications does not show how a "real world attack" would happen. By performing a red/tiger team approach to an application test, you are able to show the client how an attack would occur and how their app would be broken into. In other words, if someone wants the data in an app they're not just going to bang on it from the Internet - they're going to go to the client site and try to get information from there through various methods.


Of course, those are brief descriptions of the talks. The conference will be releasing all talks on video so I recommend watching the videos - they will be worth it.

Thursday, September 18, 2008

Malware Analysis Contest

Last night at the NE Ohio Information Security Forum and the Security Justice podcast, I made an announcement about a malware analysis contest that Greg and I are putting on.

Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at http://www.malwarechallenge.info. In the challenge participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes.

We have some great prizes donated by some very cool companies. To only name some, Hex-Rays is donating a copy of IDA Pro and No Starch Press is donating a copy of Chris Eagle's IDA Pro book. Addison-Wesley and KoreLogic Security are also donating prizes (yet to be announced).

I want to emphasize that you don't need to be a malware analysis expert in order to have a chance to win. The challenge is about learning. You don't need to get the answers 100% correct in order to win a prize. The goal is to learn malware analysis skills, try out new tools and have some fun in the process.

We're also looking for more companies to donate prizes. If you think your company would like to donate something for the contest, please contact me.

Please spread the word about the challenge. I'll be posting again once the challenge goes live to remind everyone!

Monday, September 15, 2008

Upcoming Appearances

As some know, I will be speaking at the OWASP NYC AppSec conference next week on "Automated Web-based Malware Behavioral Analysis". Unfortunately, I'll be presenting over lunch so I'm limiting it to about 20 minutes of talking so people can eat and not listen to me. If anyone wants to get together while at the conference, let me know.

As always, the NE Ohio Information Security Forum is this Wednesday and I will be in attendance. I encourage anyone to come out and join us. We'll be having lots of great speakers as well as free food and drink. Afterwards, we'll be going to Mavis Winkles to record the next episode of the Security Justice podcast. I'll also be making a special announcement at the forum and the podcast concerning something Greg and I are doing at this year's Ohio Information Security Summit.

Finally, I'd like to thank mubix for having me as a guest poster concerning packers on his blog. Very cool.

Thursday, September 11, 2008

Flux Agent Geographic Distribution

I've been looking into a fast flux botnet for the past day which came in the form of some banking malspam. If you don't know what fast flux networks are, check out the Honeynet Project's Know Your Enemy paper on them - it's one of the best resources out there.

I set up a script to resolve the DNS name of the website which held the malware on it. The DNS record expired every 1500 seconds (25 minutes) so my script would perform the lookup, wait 25 minutes, perform another lookup, rinse, repeat. I did this for about 24 hours. The purpose was to see where the flux agents for the botnet were residing.

In the end, I had 88 unique IP addresses acting as flux agents residing in 21 different countries.



Interestingly, while the most were coming from Romania (18), the second largest was from Israel (15) and there were no .edu's in the mix. Remember, these are the flux agents, not the members of the botnet.
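The polling script described above, rebuilt in Python as an added example (not the post's own script): it looks a name up every 1500 seconds, keeps every IP it ever resolves to, and records how many rounds each agent answered in so short-lived agents stand out. It uses the system resolver, which does not expose the TTL, so the interval is fixed rather than read from the record; the CONSTRUCTED_ROUNDS answers and the example.invalid hostname are made up so it runs offline, and mapping IPs to countries is left to whatever GeoIP source you have.

```python
import socket
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

# The fluxed record in the post expired every 1500 seconds, so that is the
# polling interval used here.
DEFAULT_INTERVAL = 1500

# Constructed answers for four successive lookups (documentation IP ranges),
# standing in for what the resolver returned each time.
CONSTRUCTED_ROUNDS = [
    ["203.0.113.10", "203.0.113.11", "198.51.100.5"],
    ["203.0.113.10", "198.51.100.5", "192.0.2.77"],
    ["203.0.113.11", "192.0.2.77", "192.0.2.78", "192.0.2.99"],
    ["203.0.113.10", "192.0.2.78"],
]


@dataclass
class AgentRecord:
    first_seen: float
    last_seen: float
    hits: int = 1


@dataclass
class FluxTracker:
    """Accumulates every IP a fluxed name has resolved to across lookups."""
    agents: Dict[str, AgentRecord] = field(default_factory=dict)
    rounds: int = 0

    def observe(self, ips: Iterable[str], when: float) -> List[str]:
        """Record one round of answers and return the IPs never seen before."""
        self.rounds += 1
        new = []
        for ip in ips:
            rec = self.agents.get(ip)
            if rec is None:
                self.agents[ip] = AgentRecord(first_seen=when, last_seen=when)
                new.append(ip)
            else:
                rec.last_seen = when
                rec.hits += 1
        return new

    def unique_count(self) -> int:
        return len(self.agents)

    def short_lived(self, max_hits: int = 1) -> List[str]:
        """Agents that answered in at most max_hits rounds: rotated out fast."""
        return sorted(ip for ip, rec in self.agents.items() if rec.hits <= max_hits)


def resolve_ipv4(hostname: str) -> List[str]:
    """All IPv4 answers the system resolver currently has for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def poll(hostname: str, rounds: int, interval: float = DEFAULT_INTERVAL,
         resolver: Callable[[str], List[str]] = resolve_ipv4,
         sleep: Callable[[float], None] = time.sleep,
         clock: Callable[[], float] = time.time) -> FluxTracker:
    """Look the name up `rounds` times, `interval` seconds apart, and return
    the accumulated tracker. A failed lookup counts as an empty round rather
    than aborting a run that is meant to last a day."""
    tracker = FluxTracker()
    for i in range(rounds):
        try:
            ips = resolver(hostname)
        except socket.gaierror:
            ips = []
        tracker.observe(ips, clock())
        if i < rounds - 1:
            sleep(interval)
    return tracker


def replay(rounds: List[List[str]], interval: int = DEFAULT_INTERVAL) -> FluxTracker:
    """Feed pre-recorded answers through poll() with no network and no sleeping."""
    answers = iter(rounds)
    ticks = iter(range(0, len(rounds) * interval, interval))
    return poll("example.invalid", len(rounds), interval,
                resolver=lambda _name: next(answers),
                sleep=lambda _secs: None,
                clock=lambda: float(next(ticks)))


if __name__ == "__main__":
    t = replay(CONSTRUCTED_ROUNDS)
    print(f"{t.unique_count()} unique flux agents over {t.rounds} lookups")
    for ip, rec in sorted(t.agents.items()):
        print(f"{ip:15} hits={rec.hits} first={rec.first_seen:.0f} last={rec.last_seen:.0f}")
```

For a live run, replace replay() with poll("<fluxed-name>", rounds=58) to cover roughly 24 hours at the 1500-second interval.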

Wednesday, September 10, 2008

I love getting spam, redux

Back in May I blogged about a site named Knujon, run by Garth Bruen, which was attempting to fight the good fight against spam not by attempting to shut down the spammers themselves, but by attempting to shut down the domains for the sites spam is advertising. His theory is sound, but how effective was it? I signed up for the Knujon service, downloaded a Thunderbird extension to send the spam I received to Knujon and have been watching the reports.

Before I go on, let me just say that with the email accounts that I use Thunderbird to check I probably receive close to 500-1000 spam a day. Thunderbird does a fairly good job of recognizing them as junk and putting them in my Junk folder. When I run my Knujon extension it attaches them to an email and sends it to Knujon to process.

By logging into the site you receive status reports on the emails you have sent them. From the statistics available, you can see how many domains they have received, how many are pending suspension and how many have been suspended.

As of 9/9/08, Knujon has received 7,115 sites from me that were being advertised in spam. So far, 291 domains are pending suspension and 270 domains have been completely removed. Not bad for only 5 months of sending emails.


For the amount of effort that I have had to put in to Knujon (almost none), I am very impressed with the results. Garth Bruen is making a lot of progress in his work - according to the site they have shut down 79,500 domains with another 33,671 pending.

I highly encourage everyone to sign up on Knujon.

Friday, September 5, 2008

SEO Code Injection

Gunter Ollmann posted an excellent article explaining SEO Code Injection attacks at http://technicalinfo.net/papers/SEOCodeInjection.html. This is one of the best explanations of the attack I've read. Go read it. NOW!

SEO code injection attacks have been gaining popularity among malware authors as a way to get unsuspecting victims to their attack pages. A few highly publicized attacks were carried out earlier this year which resulted in a lot of headaches for some major sites. Dancho Danchev has a lot of excellent information on these attacks on his blog.

Friday, August 29, 2008

Not the smartest...

I was looking at a bot the other day I received through email. The "botmaster" (and I use that term loosely) was using a mIRC-based bot, something I haven't seen in a long time. It wasn't packed, didn't perform any tricks to get installed, etc. Everything screamed amateur.

So, I ran it through my honeynet and just sat there and watched. Since it was mIRC I could open it up and just watch the channel. To my complete amazement, after confirming I was a bot (by asking me to echo some text back to him) the "botmaster" gave me admin access to the IRC channel. Huh!?!

(In the picture below the botmaster is @Gigi, my infection is @Childse.)


So, what is a self-respecting malware analyst like myself to do? Oh, I don't know. :)

Tuesday, August 26, 2008

Olympic Travelers Return...Bearing Gifts?

Now that the Olympics are over everyone who was lucky enough to go will be traveling back to home and coming back in to work. Surely they'll be bringing the souvenirs they bought in Beijing - buttons, pins, T-shirts. But what about electronics?

China knows trade and knows an opportunity to increase sales in their country so they obviously did everything they could to ensure tourists could access Chinese markets and purchase their (cheap) goods. Did these include electronics? Absolutely!

While I have no first-hand accounts of this and am speculating, I'm sure many of the recent Olympic visitors toured the Chinese markets, saw great deals on USB watches, digital frames, laptops and other computer accessories and picked them up. Soon these same people will be bringing their newly-obtained items into their homes and hooking them up to their personal (or work) computers or, if administrators are lucky, they'll be bringing them to work to display (and use) on their desktops.

Anything to worry about? Naw, I'm sure we'll be fine. There's never been any instance of malware coming from Chinese hardware.

If anyone hears about anything like this, let me know please.

Friday, August 22, 2008

Hotel Lobby Security

I'm not a physical security guy, but I am learning. I found some pictures that I took at the hotel for a conference I was at earlier this year.

Some background: The hotel is a resort hotel where the main building contains the registration desk, some restaurants/bars and meeting rooms. That leads to a large outside pool. Surrounding the pool are three large towers which contain all of the rooms. The towers have two entrances - one from the pool area and one from the parking lot. The picture below is taken as if you were coming in from the parking area. (Notice the computer used for theme park reservations - this was left unattended, but turned on, after 5PM.)

Can you spot the security flaw?


What about now?



While I'm glad they have cameras in the lobbies, I find it pointless to have the plug about 6 inches away. BTW, the ceilings were maybe 7 feet high so it's not like someone couldn't reach up to unplug it. While I never unplugged it to see how fast security would respond, if at all, I found this very interesting and have been noticing physical security flaws like this much more.

Monday, August 18, 2008

Is Free Better?

I'm a geek at heart so I take part in a lot of geek-related activities. One of the ones I've gotten into within the last few years is boardgaming. Not your typical games like Monopoly, Scene-It or Risk (although I love Risk), but euro-games which, IMO, have a lot more strategy in them. It is because of this hobby I was at a LFGS the other night playing games with the local boardgaming group.

We were playing a game of Arkham Horror and in between turns one of my fellow gamers and I were talking about the laptop he had just brought and was playing with. He said it was mostly set up, but he had to go out and buy the latest AV suite to make sure it was protected. I mentioned that there were free AV software available which, IMO, were just as good as the commercial software. His response was that he had used them before, had liked them, but wanted the assurance he felt when he purchased the AV software. I was a little dumbfounded by his comment.

From his perspective, he felt safer paying $50+ for an AV suite of software than using free AV software which, to his own admission, would protect him just as well. I've seen this mentality in the corporate world as well. Corporations would rather shell out large amount o' cash for security suites or devices than use, just as good or better, free software because they felt safer paying for it. After all, if they are paying for it and it fails, they have someone to sue.

This post isn't meant to start a fight on commercial vs free software. I'm just confused by the perception out there in the corporate, or in the first case, the user world that paying for something will get you more protection than using free software. I guess I'm just surprised that this point of view is taken by end-users as well.

Has anyone else seen examples of this? Any good stories to share?

Friday, August 8, 2008

Another update...

Unfortunately, I'm not at BlackHat/Defcon this week so I don't have any really cool stories about 0-day attacks, vendor parties or Vegas. However, it's been a week since my last post so I thought I'd put something up. (In reality I'm avoiding writing a report.)

Khallenge has come and gone. I was able to get through the first level in 36 minutes. Not bad, but I should have been able to do better than that so I'm personally disappointed. The level 1 password was XOR-encoded so it was pretty easy to find once you found the right section of code. I got level 2, but due to other pressing issues (ie. work) I was unable to finish it. I'm pretty sure the password was RC4 encrypted, but I'm not 100% sure. I'll have to wait for F-Secure to post the results.

One funny thing did happen during the contest. At one point something happened to the Khallenge website and the directory index came up instead of the page. Using that I was able to download all of the contest binaries. F-Secure fixed it pretty quickly and changed the directories the binaries were in.

Because of agent0x0, who is living it up in Vegas as we speak, I've become addicted to Twitter. I have to admit I was skeptical at first, but it is a great tool for information sharing and meeting others in the field, as well as just fooling around. What's worse is that I have my phone hooked up to it now. :) If you're on it, follow me.

Thursday, July 31, 2008

Misc MA Stuff

Been busy but I still wanted to post something quick.

If you didn't know, F-Secure's yearly reverse engineering challenge, Khallenge, is about to start. It works by using levels - you download a binary, figure out how to reverse it and get the password to the next level. I've done it in years past and have gotten to the last level but not beyond. Maybe I'll try this year. It starts August 1, 2008 at midnight (EEST) which should be about 5PM July 31, 2008 EST. It lasts only two days so get out there and start reversing! http://www.khallenge.com/

There are many excellent blogs out there which have a lot of great information on reverse engineering and malware analysis. However, I want to call out one on which I consistently find excellent information on new threats and how to perform malware analysis: The Websense Security Labs Blog.

I'll be the first to admit that when I think of Websense I think of content filtering and not malware analysis. (Actually I think of some poor fool who has to visit every site that gets submitted to categorize it.) However, they have some really smart people working for them who do a lot of great malware analysis work. They constantly publish excellent blog entries about different aspects of malware. This is one of the blogs which I will ensure I read whenever they publish something new. Their RSS feed is here and I highly recommend it.

Anyone have any good resources they'd like to mention?

Tuesday, July 22, 2008

Sharing Passwords

Security professionals have always beaten into our heads that we should NEVER share our passwords with anyone. For any reason. At any time.

But take the following situation.

Last night my wife got a call from an old neighbor of ours. Her aunt had died suddenly in an operation and she got a call from her frustrated uncle. Apparently, her aunt did all of the finances on the computer and did not know the password to get onto it! She called us to see if I knew how to get around the password problem.

But this got me thinking. What would happen in a situation like this with my wife and I? She doesn't know any of my passwords and I'm pretty sure I don't know hers. If something happened to us, would we be able to get into the sites the other pays things on?

The obvious solution is that we either use the same passwords or share the ones we need to know. But, sharing passwords is bad, remember? Unless you can do it securely.

While I was looking around, I found a blog post at insomnic.wordpress.com talking about this. IMO, it's a pretty decent solution - use a secure password keeper program that both you and your spouse have access to. By keeping the passwords you both need to know in there, you are covered in the event something happens to one of you.

Yes, there is now the problem of having the "keys to the kingdom" in one spot covered by one password...but that happens anyways when you use a password keeper program. I believe as long as you are careful in the password you create for that, you should be good.

Does anyone do this now? Does anyone have any other solutions? I'm honestly curious how others do this.

Friday, July 11, 2008

My First Malware Analysis

For some reason I was thinking about one of the first malware analysis/reverse engineering attempts I did. It was about 7 or 8 years ago (wow) and I was looking at a RedHat 6.2 web server. I had been given an account there by a local business in order to make sure the security of the server was up to par.

I tried to recreate this as much as possible to give a visual reference. Since I'm going by memory I'm sure I missed something so please forgive me.

While looking over the server I noticed there was an interesting account in /etc/passwd with a UID of 0 named toor. For those not in the know, a UID of 0 on a *nix box is the super-user account on the system. The games user, which no one should be able to log in as, had a password assigned to it. Soon, I found a directory named "..." in /dev, and within that directory were a number of tools.


Additionally, while most of the system logs had mysteriously disappeared, those that were left had a number of messages stating the server was in "promiscuous mode". This server had been compromised.
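The four indicators found on that server (a second UID 0 account, a service account with a password set, a "..." directory hidden in /dev, and promiscuous-mode messages in the logs) as checks over copied-off files, written here as an added example rather than anything the post ran. The passwd, shadow, /dev listing and syslog lines are constructed samples; on a real image you would feed in the files pulled from the disk.

```python
import re
from typing import Dict, Iterable, List

# Constructed samples standing in for files and logs pulled off the server:
# /etc/passwd, /etc/shadow, a listing of /dev and a few syslog lines.
PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/bash
nobody:x:99:99:Nobody:/:/bin/false
"""
SHADOW = """root:$1$SALT$HASHPLACEHOLDER:14000:0:99999:7:::
toor:$1$SALT$HASHPLACEHOLDER:14000:0:99999:7:::
games:$1$SALT$HASHPLACEHOLDER:14000:0:99999:7:::
nobody:*:14000:0:99999:7:::
"""
DEV_LISTING = ["/dev/null", "/dev/tty0", "/dev/...", "/dev/.../sniffer",
               "/dev/.../rootkit.tgz", "/dev/. /backdoor"]
LOG_LINES = [
    "Sep 14 02:11:05 web kernel: eth0: Promiscuous mode enabled.",
    "Sep 14 02:11:09 web login[412]: ROOT LOGIN ON tty1",
    "Sep 14 03:00:01 web CRON[501]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Service accounts that should never carry a usable password hash.
SERVICE_ACCOUNTS = {"games", "nobody", "daemon", "bin", "sys", "adm", "lp",
                    "mail", "news", "uucp", "ftp", "operator"}
# Shadow hash fields meaning "no password / locked".
LOCKED_HASHES = {"", "*", "!", "!!", "x"}
# Directory names that are only dots, or a dot followed by blanks: chosen to
# disappear in an "ls" listing, and never legitimate under /dev.
HIDDEN_NAME = re.compile(r"^(\.{3,}|\.\s+)$")


def extra_uid0(passwd: str) -> List[str]:
    """Accounts other than root with UID 0, such as the "toor" user found."""
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def service_accounts_with_password(shadow: str) -> List[str]:
    """Service accounts (like games) that have a real hash and so can log in."""
    hits = []
    for line in shadow.splitlines():
        fields = line.split(":")
        if (len(fields) >= 2 and fields[0] in SERVICE_ACCOUNTS
                and fields[1] not in LOCKED_HASHES):
            hits.append(fields[0])
    return hits


def hidden_paths(paths: Iterable[str]) -> List[str]:
    """Paths with a component such as "..." or ". " anywhere in them."""
    return [p for p in paths if any(HIDDEN_NAME.match(c) for c in p.split("/"))]


def promiscuous_messages(lines: Iterable[str]) -> List[str]:
    """Log lines recording an interface entering promiscuous mode (a sniffer)."""
    return [ln for ln in lines if "promisc" in ln.lower()]


def audit(passwd: str, shadow: str, paths: Iterable[str],
          logs: Iterable[str]) -> Dict[str, List[str]]:
    """Collect all four indicators; an empty list means that check was clean."""
    return {
        "extra_uid0": extra_uid0(passwd),
        "passworded_service_accounts": service_accounts_with_password(shadow),
        "hidden_paths": hidden_paths(paths),
        "promiscuous_mode": promiscuous_messages(logs),
    }


if __name__ == "__main__":
    for check, findings in audit(PASSWD, SHADOW, DEV_LISTING, LOG_LINES).items():
        print(f"{check}: {findings or 'clean'}")
```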


This was really my first attempt at forensics and at the time there were no computer forensic resources available to non-LE folk (or at least I didn't know of any). In other words, looking back I did a number of things I wouldn't do now.

I copied the tools down to my local computer and started looking it over. The files I remember were:
  • A psybnc IRC eggdrop
  • A sniffer which would scan traffic for credentials and save them to a file. A file was also present which contained a few credentials which had been captured.
  • A number of log cleaning utilities
  • A rootkit.tgz file which contained compiled binaries and not source code.
The rootkit tgz file was the most interesting to me since I had never run across one before. Through some research, I discovered that it was LRKv5 (Linux Rootkit version 5) and downloaded the source code. (You can still download the source code for it today.)

Through reading the files which came with the source I found that the rootkit would backdoor the login process (and a number of other files) such that anyone could log in or become root by knowing a secret, hard-coded password. I had the overwhelming urge to figure out what that password was. The default password of "satori" did not work, so I had to come up with a way to figure it out.

So, I started to reverse the backdoor program in order to determine how to find the password. I still use these techniques when RE'ing malware today.

I ran strings on the program to see if I could pick out the password. Nothing jumped out at me as a potential password, but I did see a number of gcc and glibc version numbers within the binary which told me it had been compiled on a RedHat 6.2 box. In my mind, that meant I could take the source, change the password to something I knew and look for it in the binary. With any luck, I could look in the same place on the rootkit'd server and find the attacker's password.

So that's what I did. I changed the password in the source code to a password which I knew and compiled the login binary. Due to the way the binary stored the backdoor password, strings did not see it.

I opened up the binary in a hex editor and started searching for my password. Eventually, I was able to find the password and record its offset. In the picture below, the password starts at offset 0x196f and each letter is a few bytes after the previous one.


I grabbed the backdoor'd file on the compromised server, threw it in a hex editor and found what looked like it could be the attacker's password. (In the picture below the password is "pebcak".)


To test it, I telnet'd to the compromised box and logged in as a normal user with the backdoor password...successfully! I then su'd using the backdoor password and I was root! Needless to say, I sat there for a few minutes with my eyes wide open that it actually worked.
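The offset-matching trick described above, as an added example that is not the post's own code: find where a password you compiled in lands in your own build, allowing a fixed gap between the characters since the backdoor stored them a few bytes apart, then read the same positions out of the recovered binary. Both "binaries" here are constructed blobs from build_sample(), whose one-character-per-instruction layout is a guess at how a compiler spreads such a string out; the technique only holds when both binaries come from the same source and compiler, so a mismatch in layout simply yields garbage rather than a password.

```python
from typing import Optional, Tuple

PRINTABLE = set(range(0x20, 0x7F))


def build_sample(password: bytes) -> bytes:
    """Constructed stand-in for a compiled login binary. The password is stored
    one character per 'mov byte [ebp+disp8], imm8' instruction (C6 45 disp imm),
    NUL-terminated, which is why strings(1) never sees it as a run of text."""
    code = b"\x55\x89\xe5\x83\xec\x20"  # push ebp; mov ebp,esp; sub esp,0x20
    for i, ch in enumerate(password + b"\x00"):
        code += bytes([0xC6, 0x45, (0xE0 + i) & 0xFF, ch])
    code += b"\xc9\xc3"  # leave; ret
    return b"\x7fELF" + b"\x00" * 40 + code + b"\x00" * 16


def find_spaced(data: bytes, needle: bytes, max_stride: int = 8) -> Optional[Tuple[int, int]]:
    """Find needle in data allowing a fixed gap between consecutive characters.
    Tries stride 1 (a plain contiguous string) first, then wider strides, and
    returns (offset_of_first_char, stride) for the first match, else None."""
    for stride in range(1, max_stride + 1):
        span = (len(needle) - 1) * stride + 1
        for off in range(len(data) - span + 1):
            if all(data[off + i * stride] == needle[i] for i in range(len(needle))):
                return off, stride
    return None


def recover_password(reference: bytes, known: bytes, suspect: bytes, max_len: int = 32) -> str:
    """Locate the known password in the binary we compiled ourselves, then read
    the bytes at the same offset and stride out of the suspect binary, stopping
    at the first non-printable byte (the NUL terminator in this layout)."""
    hit = find_spaced(reference, known)
    if hit is None:
        raise ValueError("known password not found in reference binary")
    off, stride = hit
    out = bytearray()
    for i in range(max_len):
        pos = off + i * stride
        if pos >= len(suspect) or suspect[pos] not in PRINTABLE:
            break
        out.append(suspect[pos])
    return out.decode("ascii")


if __name__ == "__main__":
    ours = build_sample(b"secret")      # built from source with a password we chose
    theirs = build_sample(b"pebcak")    # the backdoored login pulled off the server
    print(find_spaced(ours, b"secret"))  # (53, 4): offset 0x35, one char every 4 bytes
    print(recover_password(ours, b"secret", theirs))  # pebcak
```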

Would this work now on a modern Linux system with the same type of rootkit? Possibly.

In a few days, I'll post part two of this where I analyze what I did wrong forensically and how it should have been handled.

Tuesday, July 8, 2008

Wednesday, July 2, 2008

Akron's Free City-wide Wireless

It looks like Akron is moving forward with its plan for free city-wide wireless. The city has just committed $800K over the next 5 years and is also being backed by various organizations to the tune of $25M.

I think this is a horrible idea, as is any free city-wide wireless. Ignoring the costs associated with it that tax-payers will have to shell out, I have not seen word one anywhere on how the security of the network will be handled. Part of the article says:
The free wireless corridor will cover about 80,000 to 90,000 city residents and about 31,000 workers. It will allow anyone with a wireless-ready computer to access the Internet for free within the district.
I read that as 80,000 to 90,000 victims. Let's look at the security issues regarding giving over 100,000 people (when you include the workers) free Internet access.

1. Free wireless typically means unencrypted wireless. That means that anyone within proximity of anyone else can see their traffic...the sites they visit, the emails they read, the credit cards they use, the passwords they have. Think it won't happen? I can guarantee the entire city will be wardriven the first day this is opened.

2. I have heard it touted that businesses would be able to use this and save money. Be careful with that! Businesses that take credit cards for payment have to comply with PCI DSS, and depending on how they handle their card data, using free and unencrypted wireless may be a violation of it.

3. Free wireless means anyone can use it...even criminals. I can see a number of scenarios here. First, there are now potentially 80,000+ victims on an open network. If I'm a computer hacker I can drive around and break into these PCs, install my malware or steal information, and own the box before I'm long gone. Except through the C&C, how are you going to trace it back to me?

Second, what about child pornographers? I have to think that free wireless which is city-wide would be a dream come true for them! They want to share their pics? Drive down to Akron for 20 minutes, jump on the wireless, send everything through and drive away. Probably pretty hard to track down.

4. Who is going to be monitoring this? What privacy policies, if any, will be in place? Is there going to be a clause which states there is no privacy which will allow law enforcement to record traffic when they need it? (Not that I'm opposed to that) People need to consider that as well.

I'm sure this sounds like I'm being a nervous nelly on that, but these issues aren't anything the security industry hasn't seen before with businesses who have spent money to put security in place. I'll be curious to see what happens as this unfolds over the next few years.

Monday, June 9, 2008

Slow site == attack

I help run a few websites and saw one was running slow today. I jumped on the server and ran top, to no avail. The hosting provider had locked it down so I fell back on my sys admin days and did the next best thing: tail -f /var/log/messages:

Jun 9 20:28:56 ysdc sshd(pam_unix)[12973]: check pass; user unknown
Jun 9 20:28:56 ysdc sshd(pam_unix)[12973]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net
Jun 9 20:28:59 ysdc sshd(pam_unix)[12975]: check pass; user unknown
Jun 9 20:28:59 ysdc sshd(pam_unix)[12975]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net
Jun 9 20:29:02 ysdc sshd(pam_unix)[12979]: check pass; user unknown
Jun 9 20:29:02 ysdc sshd(pam_unix)[12979]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net
Jun 9 20:29:05 ysdc sshd(pam_unix)[12984]: check pass; user unknown
Jun 9 20:29:05 ysdc sshd(pam_unix)[12984]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net

This repeated itself approximately 2900 times in the log. Brute force attack. Suspecting what was up, I did a netcat connection to port 22 on the attacking host and confirmed my suspicion:

SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2

Looks like the kiddies are out doing their brute force of the OpenSSH Debian keys attack from a few weeks ago. Make sure you have your machines patched and re-keyed!

EDIT: Here's a breakdown of the hosts performing SSH brute force attacks since yesterday:

7202 rhost=210.118.178.184
5601 rhost=72.249.190.130
2898 rhost=pool-71-182-88-2.ptldor.fios.verizon.net
1235 rhost=220.225.200.185
364 rhost=190.9.128.108
139 rhost=61.7.150.74
52 rhost=pe26501.lrdns.com
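As an added example (not the post's own tooling), a small Python parser for the pam_unix failure lines shown above: it produces the same per-source breakdown as the EDIT and flags sources whose failures cluster in a short window, which is the pattern that made the site slow. The log it runs on is constructed to mirror the post's format, with an RFC 5737 documentation address standing in for the second source.

```python
"""Summarise sshd(pam_unix) 'authentication failure' lines per source.

Added example, not the post's code.  SAMPLE_LOG is constructed in the
same format as the post's tail -f output (the pool-71-... host is the
one from the post; 198.51.100.23 is a documentation address)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: five failures from one host inside 12 seconds, two
# from another 35 minutes apart, plus lines the parser must ignore.  When
# the account exists pam_unix appends 'user=<name>'; for unknown accounts
# it logs 'check pass; user unknown' first and omits the user= field.
SAMPLE_LOG = """\
Jun 9 20:28:56 ysdc sshd(pam_unix)[12973]: check pass; user unknown
Jun 9 20:28:56 ysdc sshd(pam_unix)[12973]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net
Jun 9 20:28:59 ysdc sshd(pam_unix)[12975]: check pass; user unknown
Jun 9 20:28:59 ysdc sshd(pam_unix)[12975]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net
Jun 9 20:29:02 ysdc sshd(pam_unix)[12979]: check pass; user unknown
Jun 9 20:29:02 ysdc sshd(pam_unix)[12979]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net
Jun 9 20:29:05 ysdc sshd(pam_unix)[12984]: check pass; user unknown
Jun 9 20:29:05 ysdc sshd(pam_unix)[12984]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net
Jun 9 20:29:08 ysdc sshd(pam_unix)[12990]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pool-71-182-88-2.ptldor.fios.verizon.net user=root
Jun 9 20:40:10 ysdc sshd(pam_unix)[13102]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23 user=root
Jun 9 21:15:44 ysdc sshd(pam_unix)[13377]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23 user=root
Jun 9 21:16:01 ysdc sshd(pam_unix)[13380]: session opened for user deploy by (uid=0)
"""

FAILURE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?"
)


class Failure(NamedTuple):
    when: datetime
    pid: int
    rhost: str
    user: Optional[str]   # None when pam_unix logged 'user unknown'


def parse_failures(text: str, year: int = 2008) -> List[Failure]:
    """Keep only the 'authentication failure' lines.  Classic syslog
    timestamps carry no year, so the caller supplies it."""
    out = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        out.append(Failure(when, int(m["pid"]), m["rhost"], m["user"]))
    return out


def breakdown(failures: List[Failure]) -> List[str]:
    """Lines in the shape of the post's EDIT, '<count> rhost=<source>',
    busiest source first."""
    counts = Counter(f.rhost for f in failures)
    return [f"{n} rhost={h}" for h, n in counts.most_common()]


def brute_force_sources(failures: List[Failure], min_attempts: int = 5,
                        window_seconds: int = 60) -> Dict[str, int]:
    """Sources with at least `min_attempts` failures inside any sliding
    window of `window_seconds`; the value is the peak count in one window.
    Two root failures half an hour apart do not qualify; a burst does."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for f in failures:
        by_host[f.rhost].append(f.when)
    peaks = {}
    for host, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_attempts:
            peaks[host] = best
    return peaks


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("\n".join(breakdown(fails)))
    print("bursting sources:", brute_force_sources(fails))
```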

Friday, May 30, 2008

Did Chinese hackers cause the 2003 blackout?

Here's an excellent article which talks about the possibility that Chinese hackers from the PLA may have had a hand in causing the 2003 blackout in the northeast and another one in Florida. I'm not sure if I believe this, mostly because I'd like to pretend that the nation's power grid is more protected than that (although deep down I know it isn't). My favorite quote:
A second information-security expert independently corroborated Bennett’s account of the Florida blackout. According to this individual, who cited sources with direct knowledge of the investigation, a Chinese PLA hacker attempting to map Florida Power & Light’s computer infrastructure apparently made a mistake. “The hacker was probably supposed to be mapping the system for his bosses and just got carried away and had a ‘what happens if I pull on this’ moment.” The hacker triggered a cascade effect, shutting down large portions of the Florida power grid, the security expert said. “I suspect, as the system went down, the PLA hacker said something like, ‘Oops, my bad,’ in Chinese.”
The rest of the article talks about other cyber-threats occurring from China, including cyber-espionage. One interesting quote:
During a trip to Beijing in December 2007, spyware programs designed to clandestinely remove information from personal computers and other electronic equipment were discovered on devices used by Commerce Secretary Carlos Gutierrez and possibly other members of a U.S. trade delegation, according to a computer-security expert with firsthand knowledge of the spyware used.
This would be a great article to summarize for your execs, especially if they travel overseas. China is well-known to use any tactic they can (including information theft) in order to gain a competitive advantage. What are you doing to protect your information for your employees when they travel out of the country?

Thursday, May 22, 2008

I love getting spam!!!

OK, not really, but I have been looking forward to getting it the last two weeks. Why?

At the Ohio HTCIA spring conference Greg and I sat in on a talk entitled Illicit Distribution Networks: Spam Tactics of Online Criminals by Garth Bruen of Knujon (no-junk spelled backwards). Garth had a fascinating presentation on spam networks and how we should be targeting the web sites and domains selling spam instead of the ones sending the spam.

The theory behind this is if we shut down the illicit domains selling spam products, those hiring spammers will make less money and go out of business, thus putting the spammers out of business. Sounds solid to me.

The way Garth's organization, Knujon, works is that it has people send them all the spam they can. Unlike other anti-spam orgs, Knujon is only interested in the spam body not the headers. They parse the body and use it to contact registrars and force the shutdown of illicit spam domains.

Garth gave a lot of great statistics, such as 90% of all spam domains being set up through just 20 registrars (out of 800+). Brian Krebs recently covered more of this on his blog.

Signing up for an account on their site is easy. There are also a lot of plugins for mail programs which can be used to speed up the process. I've been using one for Thunderbird and have probably sent Knujon close to 300 spam a day. I have not received any reports back yet, but once I do I'll post the results.

Monday, May 19, 2008

Convert?

I've been running Linux for at least 10 years. My entire "Linux life" has either been on a RedHat derivative or Gentoo Linux (which is what I currently use). While I have tried Debian-based distros in the past, I haven't liked them because they were so different from what I was used to.

So, when my laptop told me FAN ERROR today and refused to boot, I had to decide what I was going to do. I was starting a big project and needed to get a machine running quickly. Fortunately, my mac mini was at hand so I could get email right away, but it's a PowerPC version and is not able to run VMWare, which is what I needed.

I had a machine lying around which was powerful enough for my needs. The problem was I needed to install some Linux variant and get it up and running shortly. Gentoo wouldn't work because compiling everything from scratch would take too long. Fedora has become too bloated for me and I didn't want to fool around with CentOS.

So I turned to Ubuntu.

I have to say I'm impressed. The whole install took less than 10 minutes and then I was up and running with all the apps I needed, minus VMWare. While I'm not 100% convinced that it's for me, I have to admit I may try it out the next time I decide to switch my distros.

Wednesday, May 14, 2008

Infected eBay watch

Just got back from the Ohio HTCIA 2008 conference and saw that Dave over at his Securi-D blog posted about an MP3 watch he bought off of eBay from a Chinese seller. When he plugged it into his computer, his AV detected a virus on the watch. Too funny.

Unfortunately, this thing isn't new. Within the last year, we've started to see more and more products appear which have been infected with some malware. This is not a new trend and I see this becoming more of a problem in the future.

Thursday, May 8, 2008

Notacon Videos Available

While I didn't get a chance to go to Notacon, which is a shame since it's in my backyard, it appears the presentation videos have been posted and are available for download.

Speaking of conferences, the NE Ohio Information Security Summit is having a call for papers right now for this year's conference. I've been going to the conference ever since it started lo these many years ago and have been speaking at it for the last 2 or 3 years. It's an excellent opportunity to network with Info Sec people and listen to some great talks.

Friday, May 2, 2008

Race to Zero Controversy

A week ago I blogged about a new contest called Race to Zero at Defcon. The goal of the contest is to obfuscate malware enough such that when it is uploaded through a portal and scanned with AV there is a zero-percent detection rate. As expected, the AV community is up in arms about this.

My original intent was to play devil's advocate about this contest and talk about the reasons why this contest is not as bad as the AV vendors are saying. However, Dancho Danchev posted something which says it best. Read that. :)

I still have my own opinions on the contest and how easy it is to obfuscate malware enough to bypass signature AV. However, I feel I would probably be beating a dead horse and so am going to forget about the whole thing.

Scheduling

I've come to a realization...30 days of blog posts is a pretty big thing to hope for, especially when you have a job (and blogging is not your full time job). ;)

So I broke my 30 day promise (if no one else but to myself), but I have kept it up well and am proud of that. I'm gonna keep posting, still trying once a day. In fact, I'll be posting two today - one now and some random malware thoughts later on.

Tuesday, April 29, 2008

The Hack without a Hack - Part 3

Yes, I've finally started to update my story. If you've forgotten what has happened, check out part 1 and part 2.

With a few quick Google searches Bill was able to find a few programs which would reveal any passwords which were hidden behind asterisks in Windows programs. More often than not, these "hidden" passwords were just being hidden from view and were decoded behind the scenes within the program. A number of programs are available which will reveal the hidden passwords and Bill found one he liked - Password Spectator (http://www.refog.com/passwordrecovery/).

A quick install and one click later and the password was revealed: "banklogin". Lame, Bill thought. It almost deserves to be broken into.


Bill opened up a telnet session to the trading machine, logged in as "trader" and began exploring the server. The server was a Debian Linux 4.0 server. From the routing tables on the machine it appeared to have a direct connection to the third party service, probably through a frame relay connection. This allowed for real-time trading to take place.

Bill couldn't tell if the third party service had access into this server, but running the "last" command, which displayed the last users to have logged on and where they came from, he did not see any connections from the other company.

Bill was logged in as user "trader". There were two other user accounts on the system: "admin" which was probably used to administrate the application and "root", the super-user account for the system. Bill's account appeared to have very little access on the system which meant he would not be able to install a sniffer unless he obtained root access.

However, since this was a 3rd party system the administrative passwords the bank normally used did not work for root. Bill tried a couple of common passwords with no luck. Quickly, though, he cursed himself for trying. Upon examining /etc/syslog.conf, the UNIX file which dictates what log messages go where, he found that any error messages were sent back to the 3rd party and to a system which he did not have access to. This meant that all of the failed password attempts he just tried were logged on another system - if anyone was watching those logs then he was sure to be discovered. Bill had to get root access quickly so he could cover his tracks.

Having administered various UNIX and Linux systems in the past, Bill knew where to look in order to find system weaknesses. After a few minutes of searching, Bill found his path to root in /var/spool/crontabs.

So, if anyone is reading this, what else could Bill have done to get the trader password? Any thoughts on how he'll get root access?

Kraken Botnet Infiltration

When the Kraken botnet was "exposed" at the RSA conference this year, a lot of controversy surrounded it within the MA community. Was this really a new botnet? Was it really as big as the speakers were saying it was? Why weren't samples shared beforehand? And so on.

Despite this controversy, there has been a lot of interesting information about it. One of the most interesting pieces I've read is from two analysts at TippingPoint who infiltrated the Kraken botnet. Yesterday, they posted two blog entries which discuss how they did it - from both a high level and a technical level.

They are very good reads and I recommend reading them.

Kraken Botnet Infiltration (high level)
Owning Kraken Zombies, a Detailed Discussion (technical)

Sunday, April 27, 2008

GFIRST

Speaking of conferences, Greg and I will be speaking at GFIRST, a conference put on by US-CERT in Orlando, Florida. The conference takes place from June 1-6. We will have two presentations:

Malware Analysis: The Forgotten Forensics Skill
Latest Malware Techniques

The best part about this conference is it's free! We were at it last year and I highly recommend going to the conference. It's a great place to network and see security from a different point of view.

Saturday, April 26, 2008

Collaboration Technology and Engaging the Campus

Securi-D posted this on his blog at http://securid.wordpress.com/. Looks like a pretty good seminar if you can make it.

Thursday, May 8, 2008
Case Western Reserve University
Thwing Center
Cleveland, Ohio

9am - 4 pm

To the Cleveland 2.0 Community:

This is an outstanding opportunity for the entire community to learn and participate in the emerging world of collaboration technology. In addition to workshops, panels, and keynotes, there are big raffle drawings for computer systems and more (must be present to win). The website is open for registration at http://www.case.edu/its/collabtech08/collabtech08.html
Case Western Reserve University will highlight new technologies and how they enhance research and discovery during its campus Collaboration Technologies Summit 2008 from 9 a.m. to 4 p.m. May 8 in Thwing Center. In addition, the keynote and panels will be streamed in ClevelandPlus in SecondLife.

All university faculty, staff, students, alumni, neighborhood and community partners are invited to attend the symposium and demonstration event, which will be conducted simultaneously at collaborative sites throughout the world.

The event will feature a keynote address by Anthony D. Williams. An author, researcher and consultant, Williams’s latest project is the bestselling book (co-authored with Don Tapscott) called Wikinomics: How Mass Collaboration Changes Everything.

Two panels at the summit will be anchored by Campus Computing Project Director, Dr. Kenneth Green, Visiting Scholar at Claremont Colleges. The first panel is titled Making Sense of the explosion of Web 2.0 tools and their relevance and consequence in Higher Education. Panelists include educators and faculty leaders from Case Western Reserve University, University of Southern California, Bradley University, and Researchers from IBM. At the end of the day-long event Green will host a panel called Collaboration Technology—What’s Next?: Bold Predictions, Cautionary Notes and Take Away Lessons. Panelists include leaders from Case Western Reserve University, Tri-C, MIT, and the co-founder of SecondLife, Cory Ondrejka.

Friday, April 25, 2008

Obfuscating Malware for Fun and Prizes

I just found out about a new contest happening this year at Defcon, called The Race to Zero. Contestants will be given a set of malware in which they have to modify and upload through a portal. In the portal, a large number of AV programs will be run against the sample. Once the files have been obfuscated enough such that no AV programs detect it, the contestant will move to the next round. Obfuscated viruses must work the same as the original.

There are positive and negative things which can come out of this. Hopefully the obfuscation techniques used in the contest will be analyzed by AV vendors to increase their capabilities in detecting malware - because they most certainly will be analyzed by malware authors! I can almost guarantee that whoever wins this will have their technique studied by various organized groups around the world.

I have to admit I'm tempted to enter this. I've used some techniques to bypass AV during my tests in the past and have had good success. Now, if only I can get my work to pay for me to go. :)

Thursday, April 24, 2008

Tracking malware

I've been following the certificate phish I posted about the other night for the last couple days. There have been a few more iterations of it using the same certificate scam, only for different banks. The interesting thing is while the domain names keep changing, the IP address of one of the name servers has been staying the same. This is a fast flux network, but I have to wonder if this name server is at some bullet proof hosting provider. If I find out more I'll post.

This got me thinking - how can we track the sites which malware uses? The big AV/MA companies have databases and huge repositories of information from their customer base which allow them to track the websites and groups which are sending out malware. However, I don't work for a huge AV/MA company and neither do my MA buddies. We don't have access to the resources these big companies do, but is our research any less important?

I came to the conclusion that I'm going to start my own tracking database. I've only begun to formulate the idea on how to set it up in my head. I'm curious if anyone knows of anything like this, that is publicly accessible, which already exists? I know the ISC has their DShield database, but that covers attacks in general and is not specific to malware.

Wednesday, April 23, 2008

LinkedIn for Targets

Oftentimes the company I work for is hired to do "open source reconnaissance" on a network or company. Basically this means seeing what information you can get about the company or its employees from public sources. Knowing how to use WHOIS, how to query DNS and especially how to use Google is a must in this area.

You'd be surprised what you're able to find. From the obvious things like DNS zone transfers to resumes of employees describing EXACTLY how they built the ASP-based web infrastructure for the company. This information can be a dream come true for a pen tester or an attacker.

But you really need to look beyond the things Google and other search engines give you when you do this. Checking out MySpace, Facebook, and other "social networking" sites can yield a gold mine of information. My biggest fave these days when doing these types of tests: LinkedIn.

IMO, LinkedIn is essentially a toned-down "corporate" MySpace. A virtual bar where everyone can see who everyone else knows and how they know them. With the latest features, you can even get profiles on a company, see who their other employees are and what they do. Great stuff for a pen tester or an attacker.

That's why I was really interested when I saw a post from the CSIS Security Group about an experiment they did on LinkedIn and presented at the Europe Fraud Conference. Essentially, they created a fake person, named John Smith, gave him some fictional work history and started sending invites to everyone they could. Anytime someone sent an invite to them, they accepted. In the end, they had over 3600 contacts - 1115 of which had contacted them!

Now, imagine what a bad guy could do on a site like LinkedIn. After having established a valid-looking profile, which according to CSIS is pretty easy to do, they would look trustworthy to anyone who saw their profile. It would be relatively easy to create a company contact list for your target company at that point and begin a targeted campaign against those people. Given the malware targeting we've been seeing lately, I have to wonder if that's not already being done.

The presentation is located at http://www.csis.dk/dk/media/LinkedIn-Threats.pdf and a technical paper on it is located at http://www.csis.dk/dk/media/LinkedIn-V2.pdf. The technical paper was released in January so it may not be news to some people, but I think it's worth a read nonetheless.

Tuesday, April 22, 2008

Certificate Phish

I received an interesting phish email the other day. The email contained a notice, supposedly from a bank, which said my "personal certificate" was about to expire and in order to renew it, and keep the security of my account up to date, I needed to click on the link, install the update and then log into my account. Of course, the link led to some malware.

What I find interesting about this is that it throws enough security jargon at the recipient to make it sound believable. While most people don't know what a certificate is or what it's used for, they have probably heard about it at some point and know it has to do with security.

The email also takes a different approach than most phishes - instead of telling the victim there is something wrong with their account and they need to sign in immediately to fix it, it tells them they have to update to keep secure. I think this is going to be a shift in phishing tactics - phishers will start new methods to entice users to click on their links and inadvertently reveal their credentials. Of course, this may already be happening - I am in no way a phishing expert.

In any case, it just means we need to keep vigilant and stay aware as always.

Monday, April 21, 2008

Ohio HTCIA Conference

The NE Ohio chapter of the HTCIA will be holding their annual conference on May 12-14 and registration is only $225. This is an excellent opportunity to get great training locally and at an affordable price.

The conference will be held in Kirtland, Ohio at the Lakeland Community College campus, just off Interstate 90, and only 30 minutes from downtown Cleveland. I recommend anyone who can to go.

Greg and I will be speaking on Monday and Tuesday. On Monday we will be talking about tools and techniques in analyzing malware and on Tuesday we will be discussing rootkits.

More information can be found at http://www.ohiohtcia.org/conference.html.

A list of speakers can be found at http://www.ohiohtcia.org/speakers.html.

Hope to see you there!

Sunday, April 20, 2008

The Universal Language of Computer Viruses

I do a lot of malware research in my spare time. As pointed out by one of the latest posts on spylogic.net, I'm somewhat known for it in the area (although legendary may be pushing it a little.) :)
However, it occurred to me last night how much malware has tied me into other people. For example, last night I was out getting a new phone. I was talking to the guy selling me the phone and ended up telling him I worked in computer security. He asked if I did anything with computer viruses. (I should have seen where this was going.)

When I told him I did, he said that he was using LimeWire to download a new Kevin Bacon movie (oops), but inadvertently installed a virus instead. He said his computer kept flashing on and off making it almost inoperable. I gave him a few suggestions and my card and told him that if those didn't work to email me.

I just think it's funny how computer viruses have become a tying factor for me to others. :)

BTW, I'm going to try something new. For the next 30 days, I will be posting an entry every day. Don't expect these to be earth-shattering, but it will at least get me in the habit to keep this thing alive, which is what I intended it to be.

Monday, March 10, 2008

More coming...

Real life things have gotten in the way of me posting anything lately, but I'll have the next segment of the story up this week.

Friday, February 29, 2008

Free Wireless Security Training

Matt Neely, one of the Northeast Ohio Information Security Forum board members, will be giving free wireless security training on March 12, 2008. Seating is extremely limited and only open to forum members, so please register ASAP.

If you are not a member, don't worry! Membership is free. Go here to register for the forum.

Thursday, February 28, 2008

The Hack without a Hack - Part 2

The XStart file was a configuration file used to login and start the trading application (located on another server). The file kept the user ID, password and method of entry into the server, and with it, Bill could log in as Louis. A plan started to formulate in his mind.

Bill knew that the traders remotely logged in to the server to run their trading application. All traders went through this server to a third party service. He didn't know much more than that, other than that was the application the traders were constantly in - exchanging money on their clients' behalf. Bill began to ponder how much money actually went through that server on a daily basis. It had to be in the millions.

If he could get on that server and set up some type of sniffer, there was a good chance he could start pulling down account numbers and such. From there, who knows what type of money he could get? Bill had long ago decided that if he found a way to make some quick money at the bank he would. He had every indication that he would have no problem getting away with it. Besides, even if it was noticed it would be under Louis' ID and he would get fired.

With his plan in mind, he downloaded the file to his computer and unmounted the drive. Already having Exceed loaded on his computer, he started the XStart program and loaded the trader's file.

Immediately, the window which popped up in front of him told him the server's address, the trader's user ID and the protocol used to log in. Unsurprisingly, TELNET was used. For a bank, Bill thought, they sure skimped on security where they could.


Bill wanted to log on to the server to see what was on there but he knew that he couldn't just run the XStart file. If he did, it would launch the trading application and Louis would get kicked off as it only allowed one of the same login at a time to be on. That would alert him something was wrong and things could go down from there. If only he could get the password from the file.

Opening up the XStart file proved unfruitful. It was some kind of binary format and didn't appear to store any type of clear-text password anywhere in the file. There had to be another way, Bill thought. Within a few minutes of searching Google, he had his answer.


Anyone want to venture a guess as to what Bill found?

Tuesday, February 26, 2008

The Hack without a Hack - Part 1

As a tribute to Security Monkey I am going to start publishing my own "case" files. However, instead of looking through the eyes of an investigator I am going to look through the eyes of an attacker. My goal is to give a different perspective to attacks in order to help understand why some attacks occur as well as how they occur. This first one is called "The Hack without a Hack".

Bill sat at his computer and cursed his job once more. To say he was unhappy was an understatement. Just three months ago he had been the head of the helpdesk of a large transportation corporation. Now, due to "cutbacks", he was the one-man personal help desk for a bunch of whiny traders at a national bank...and making $30,000 less a year. It couldn't get any worse.

His phone rang. He realized it just did.

------------------

Twenty minutes later Bill came back to his desk, swearing under his breath. Stupid traders, he thought. Bill hated the traders but this one, Louis, was the worst. Always having idiotic problems with his computer which wouldn't happen if he didn't download so much crap. This time was no exception.

Louis' computer had frozen and after a reboot he only let Bill look at the computer for five minutes before he had to get back "to the market". Kid was probably 10 years younger than him and made triple his salary. Man, how he would love to do something to him.

Bill had figured out the problem after seeing an icon in the desktop that wasn't supposed to be there. Louis had once again downloaded some new application to stream market reports to him. The problem was it was written poorly and had crashed the machine. Of course, due to the "market being open" Bill was only allowed to get the PC back up and running (a reboot) and then had to leave.

Unbeknownst to Louis, however, Bill had gotten the local administrator password to his machine. It wasn't hard - the company had the same administrator password on every computer. With the password, he could mount Louis' drive remotely to see what else he had installed. Maybe he could even find something he could anonymously send to internal security to get Louis fired. He smiled at the thought as he began looking around.

Within minutes, Bill found something that piqued his interest. Within the trader's home directory on the system he found the trader's Hummingbird XStart file to the remote trading server.


So, any thoughts as to what Bill could be planning?

Monday, February 25, 2008

Critical VMWare Vulnerability

Well, it finally happened. A critical vulnerability in VMWare that allows someone to break into the host operating system was announced today. It was only a matter of time.

Virtual machines, such as VMWare, have two levels:

1) the host operating system which runs the actual virtual machine software (the physical machine)
2) the guest operating system(s) which run within the virtual machine software (the virtual machines)

For the most part, the host and guest operating systems are separate and the guest operating system is not able to access anything on the host OS, unless specifically allowed through services offered on the host OS. Commonly, access to files on the VMWare host OS is given through "Shared Folders" - essentially the same thing that you see when you share a folder within Windows.

Up until now, the majority of attacks against virtual machines have been to detect them. Malware does this because many analysts examine it within a virtual machine. If the malware detects a VM, it can alter its execution path or stop running altogether. (You have to wonder when malware authors are going to realize corporations are beginning to use virtualization more and they are missing a huge target base by doing this.)

The only publicly-announced success of breaking out of a virtual machine (that I am aware of) is from a presentation given by Tom Liston and Ed Skoudis on some work they performed. While they showed their programs working they did not reveal details on how they were able to break out of the guest OS.

This latest VMWare vulnerability appears to be from Core Security. There aren't many details available at this time. However, it looks like if you are running VMWare with a Windows host OS and you have Shared Folders enabled, then a directory traversal attack is possible which would allow an attacker to read or write arbitrary files on your host OS. Not good.

While these circumstances may seem unlikely, they really aren't. Shared Folders is enabled by default in many versions of VMWare, and while you still need to have at least one shared folder mapped, many VM installations do.

This could allow an attacker to arbitrarily read or write files on the host OS (although I am unsure right now if execution is possible). With this ability, an attacker could trojan or infect system executables, rewrite the VM configuration file, read the SAM database, etc. Fortunately, the workaround is to just disable Shared Folders until you patch.
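The directory traversal described above is, at the level of the vulnerability class, a missing containment check: a host-side service joins a guest-supplied relative path onto the shared folder root and trusts the result. The following is an added example, not code from the original post or from VMware. It builds a constructed host layout in a temporary directory, shows a naive resolver of the kind the post describes beside a hardened one, and audits a handful of constructed guest requests (including a symlink that points out of the share, an edge case that path normalization alone does not catch). Treating both `/` and `\` as separators is an assumption made so that Windows-host style requests behave the same on a POSIX runner.

```python
"""Containment check for guest-supplied paths in a shared-folder service.

Added example, not code from the original post or from VMware. The naive
resolver joins the guest path and trusts it; the hardened one canonicalizes
the result and refuses anything that lands outside the share root. Guest
paths are treated the way a Windows host would (both '/' and '\\' are
separators); that is an assumption so the example behaves the same on POSIX.
"""
import os
import re
import tempfile


class TraversalError(ValueError):
    """Raised when a guest path would resolve outside the shared folder."""


def make_host_layout():
    """Build a constructed host layout in a temp dir: a share root with one
    guest-visible file, a host-only file next to the share, and (where the
    platform allows it) a symlink inside the share pointing at that file."""
    base = tempfile.mkdtemp(prefix="vmhost_")
    root = os.path.join(base, "shared")
    os.makedirs(os.path.join(root, "reports"))
    with open(os.path.join(root, "reports", "market.txt"), "w") as fh:
        fh.write("guest-visible data\n")
    secret = os.path.join(base, "host_secret.txt")
    with open(secret, "w") as fh:
        fh.write("host-only data\n")
    try:
        os.symlink(secret, os.path.join(root, "link_out"))
    except OSError:
        pass  # symlink creation may need privileges on some platforms
    return base, root


def _guest_to_host(guest_path):
    """Translate a guest path to host separators (Windows-host assumption)."""
    return guest_path.replace("\\", "/")


def resolve_naive(root, guest_path):
    """Vulnerable resolver: join and normalize with no containment check, so
    '../' sequences and absolute paths walk straight out of the share."""
    joined = os.path.join(os.path.abspath(root), _guest_to_host(guest_path))
    return os.path.normpath(joined)


def resolve_contained(root, guest_path):
    """Hardened resolver: reject absolute, drive-letter and NUL-bearing paths
    up front, canonicalize with realpath (which also follows symlinks), then
    require the result to be the share root itself or a descendant of it."""
    host_path = _guest_to_host(guest_path)
    if ("\x00" in host_path or host_path.startswith("/")
            or re.match(r"^[A-Za-z]:", host_path)):
        raise TraversalError("absolute or malformed guest path: %r" % guest_path)
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, host_path))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise TraversalError("path escapes shared folder: %r" % guest_path)
    return candidate


def read_shared_file(root, guest_path):
    """Serve a file to the guest through the hardened resolver."""
    with open(resolve_contained(root, guest_path)) as fh:
        return fh.read()


def audit_requests(root, requests):
    """Return {guest_path: (naive_resolver_escapes_root, hardened_accepts)}."""
    naive_root = os.path.normpath(os.path.abspath(root))
    result = {}
    for req in requests:
        naive = resolve_naive(root, req)
        escapes = naive != naive_root and not naive.startswith(naive_root + os.sep)
        try:
            resolve_contained(root, req)
            accepted = True
        except TraversalError:
            accepted = False
        result[req] = (escapes, accepted)
    return result


# Constructed guest requests: one legitimate, the rest attempts to leave the share.
SAMPLE_REQUESTS = [
    "reports/market.txt",
    "../host_secret.txt",
    "..\\host_secret.txt",
    "reports/../../host_secret.txt",
    "/etc/passwd",
    "link_out",
]

if __name__ == "__main__":
    _, share_root = make_host_layout()
    for req, (escapes, accepted) in audit_requests(share_root, SAMPLE_REQUESTS).items():
        print("%-32s naive escapes=%-5s hardened accepts=%s" % (req, escapes, accepted))
```

The design point is that normalizing `..` is not enough on its own: the hardened resolver canonicalizes the final path (so symlinks inside the share are followed) and only then compares it against the canonical root, which is the check the post's "disable Shared Folders until you patch" workaround stands in for.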

VMWare Advisory
ISC SANS Diary Entry
CVE Entry - CVE-2007-1744
Core Security Advisory including Proof of Concept Exploit

Thursday, February 21, 2008

A preview of things to come...

Things have finally died down and I'm going to start posting soon. There are a couple of things I plan on posting, but if anyone has any suggestions I'm always open.

I plan on posting "case files", similar to SecurityMonkey's case files. However, instead of being from the point of view of the investigator it will be from the attacker's point of view. Kinda like how Law and Order: Criminal Intent started off.

Anyone who knows me knows I love to do malware analysis and often come across interesting "critters" (as a friend would put it). I have a couple of interesting sites I'm going to document and post about.

Of course, anything else that comes across my mind will probably get thrown up here. Take it for what it's worth.

Friday, February 8, 2008

Welcome!

After many times thinking (and saying) I need to start a blog, I have decided to finally do it. Like most, I am doing this to talk about my thoughts on current security trends, security tools, malware I have analyzed as well as any cool hacks I perform.

Let the games begin!