Monday, September 29, 2008

OWASP NYC AppSec Recap

The OWASP NYC AppSec conference was this past week and I was lucky enough to be one of the speakers there. Overall, the conference was great and OWASP did a tremendous job doing everything they could to make the conference go as smoothly as possible. The organizers should be commended for the job they did.

In the opening keynote, the organizers stated that this was the largest web app security conference in the world and I could see why. I believe there were over 800 people at the conference and every talk I went to was packed. While I went to many talks, there are a few that really stood out. They are:

Malspam - Garth Bruen - Garth talked about what Knujon has been able to accomplish over the last few months and it's been quite impressive. He has been gathering a lot of data on illicit networks and has found a clear link between porn, drugs and malware on the Internet. He gave one example of where an illegal pharma site was shut down and two days later it was serving up porn and malware.

Security Assessing Java RMI - Adam Boulton, Corsaire - This was an excellent talk on how to assess the Java Remote Method Invocation (RMI) APIs/tools/whatever from Sun. Basically, RMI is a distributed computing API for Java and has been part of the core JDK since 1.1 (java.rmi package). It's analogous to .NET, RPC or CORBA. Adam went over some methods for attacking RMI apps and previewed a tool of his named "RMI Spy" which (I believe) he'll be releasing.

Flash Parameter Injection - Ayal Yogev & Adi Sharabani, IBM - This talk was about how to inject your own data into flash applications, the result being XSS, XSRF, or anything you can think of to attack the client. Basically, Flash applications have global variables which can be assigned as parameters when loading the flash movie in a web page. If the global variables are not initialized properly (and they usually aren't) then attackers can load their own flash apps and own the client.

APPSEC Red/Tiger Team Projects, Chris Nickerson - The next talk was probably one of the best I attended at the conference. Chris Nickerson was one of the guys on the ill-fated Tiger Team show and is a really cool guy - I talked to him for some time at the OWASP party the night before. He stated in his talk that pen testing applications does not show how a "real world attack" would happen. By performing a red/tiger team approach to an application test, you are able to show the client how an attack would occur and how their app would be broken into. In other words, if someone wants the data in an app they're not just going to bang on it from the Internet - they're going to go to the client site and try to get information from there through various methods.

Of course, those are brief descriptions of the talks. The conference will be releasing all talks on video so I recommend watching the videos - they will be worth it.

Thursday, September 18, 2008

Malware Analysis Contest

Last night at the NE Ohio Information Security Forum and the Security Justice podcast, I made an announcement about a malware analysis contest that Greg and I are putting on.

Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at In the challenge participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes.

We have some great prizes donated by some very cool companies. To only name some, Hex-Rays is donating a copy of IDA Pro and No Starch Press is donating a copy of Chris Eagle's IDA Pro book. Addison-Wesley and KoreLogic Security are also donating prizes (yet to be announced).

I want to emphasize that you don't need to be a malware analysis expert in order to have a chance to win. The challenge is about learning. You don't need to get the answers 100% correct in order to win a prize. The goal is to learn malware analysis skills, try out new tools and have some fun in the process.

We're also looking for more companies to donate prizes. If you think your company would like to donate something for the contest, please contact me.

Please spread the word about the challenge. I'll be posting again once the challenge goes live to remind everyone!

Monday, September 15, 2008

Upcoming Appearances

As some know, I will be speaking at the OWASP NYC AppSec conference next week on "Automated Web-based Malware Behavioral Analysis". Unfortunately, I'll be presenting over lunch so I'm limiting it to about 20 minutes of talking so people can eat and not listen to me. If anyone wants to get together while at the conference, let me know.

As always, the NE Ohio Information Security Forum is this Wednesday and I will be in attendance. I encourage anyone to come out and join us. We'll be having lots of great speakers as well as free food and drink. Afterwards, we'll be going to Mavis Winkles to record the next episode of the Security Justice podcast. I'll also be making a special announcement at the forum and the podcast concerning something Greg and I are doing at this year's Ohio Information Security Summit.

Finally, I'd like to thank mubix for having me as a guest poster concerning packers on his blog. Very cool.

Thursday, September 11, 2008

Flux Agent Geographic Distribution

I've been looking into a fast flux botnet for the past day which came in the form of some banking malspam. If you don't know what fast flux networks are, check out the Honeynet Project's Know Your Enemy paper on them - it's one of the best resources out there.

I set up a script to resolve the DNS name of the website which held the malware on it. The DNS record expired every 1500 seconds (25 minutes) so my script would perform the lookup, wait 25 minutes, perform another lookup, rinse, repeat. I did this for about 24 hours. The purpose was to see where the flux agents for the botnet were residing.

In the end, I had 88 unique IP addresses acting as flux agents residing in 21 different countries.

Interestingly, while most were coming from Romania (18), the second largest was from Israel (15) and there were no .edu's in the mix. Remember, these are the flux agents, not the members of the botnet.
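As an added example (not the author's script), here is a Python version of the polling loop described above: resolve the name once per TTL window, accumulate the distinct A records, then count them per country. The resolver and geolocation source are injected so the sample below runs offline on constructed data; the hostname, sample addresses and country table are hypothetical, and the fast-flux heuristic at the end is an assumption, not a rule from the post.

```python
import socket
import time
from collections import Counter
from typing import Callable, Dict, List, Set

# Constructed sample: one list of A records per TTL window, as a resolver
# might hand them back over successive lookups (not real botnet data).
SAMPLE_ROUNDS = [
    ["198.51.100.10", "198.51.100.11", "203.0.113.5"],
    ["198.51.100.12", "203.0.113.5", "192.0.2.77"],
    ["192.0.2.78", "198.51.100.10"],
]

# Constructed, hypothetical geolocation table for the sample addresses.
# A real run would consult a GeoIP database or whois for each agent.
SAMPLE_GEO = {
    "198.51.100.10": "RO", "198.51.100.11": "RO", "198.51.100.12": "RO",
    "203.0.113.5": "IL", "192.0.2.77": "IL", "192.0.2.78": "US",
}


def resolve_all(hostname: str) -> List[str]:
    """Live resolver: every IPv4 A record currently published for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def collect_flux_agents(hostname: str, rounds: int, ttl_seconds: int,
                        resolve: Callable[[str], List[str]],
                        sleep: Callable[[float], None] = time.sleep) -> Set[str]:
    """Poll once per TTL window and keep every distinct address seen."""
    seen: Set[str] = set()
    for i in range(rounds):
        seen.update(resolve(hostname))
        if i < rounds - 1:          # no need to wait after the final lookup
            sleep(ttl_seconds)
    return seen


def agents_by_country(agents: Set[str], geolocate: Callable[[str], str]) -> Dict[str, int]:
    """Country code -> number of flux agents, largest first."""
    return dict(Counter(geolocate(ip) for ip in agents).most_common())


def looks_fast_flux(unique_ips: int, ttl_seconds: int, min_ips: int = 5, max_ttl: int = 3600) -> bool:
    """Assumed heuristic: many addresses behind one name, each published briefly."""
    return unique_ips >= min_ips and ttl_seconds <= max_ttl


def demo():
    """Run the loop over the constructed rounds with a fake resolver and no sleeping."""
    rounds = iter(SAMPLE_ROUNDS)
    agents = collect_flux_agents("flux.example", len(SAMPLE_ROUNDS), 1500,
                                 resolve=lambda _h: next(rounds), sleep=lambda _s: None)
    return agents, agents_by_country(agents, SAMPLE_GEO.get)
```

For a live run, pass resolve_all as the resolver and the record's real TTL as ttl_seconds; the 24-hour run in the post corresponds to roughly 58 rounds at 1500 seconds.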

Wednesday, September 10, 2008

I love getting spam, redux

Back in May I blogged about a site named Knujon, run by Garth Bruen, which was attempting to fight the good fight against spam not by attempting to shut down the spammers themselves, but by attempting to shut down the domains for the sites spam is advertising. His theory is sound, but how effective was it? I signed up for the Knujon service, downloaded a Thunderbird extension to send the spam I received to Knujon and have been watching the reports.

Before I go on, let me just say that with the email accounts that I use Thunderbird to check I probably receive close to 500-1000 spam messages a day. Thunderbird does a fairly good job of recognizing them as junk and putting them in my Junk folder. When I run my Knujon extension it attaches them to an email and sends it to Knujon to process.

By logging into the site you receive status reports on the emails you have sent them. From the statistics available, you can see how many domains they have received, how many are pending suspension and how many have been suspended.

As of 9/9/08, Knujon has received 7,115 sites from me that were being advertised in spam. So far, 291 domains are pending suspension and 270 domains have been completely removed. Not bad for only 5 months of sending emails.

For the amount of effort that I have had to put in to Knujon (almost none), I am very impressed with the results. Garth Bruen is making a lot of progress in his work - according to the site they have shut down 79,500 domains with another 33,671 pending.

I highly encourage everyone to sign up on Knujon.

Friday, September 5, 2008

SEO Code Injection

Gunter Ollmann posted an excellent article explaining SEO Code Injection attacks at This is one of the best explanations of the attack I've read. Go read it. NOW!

SEO code injection attacks have been gaining popularity by those evil malware authors as a way to get unsuspecting victims to their attack pages. A few highly publicized attacks were done earlier this year which resulted in a lot of headaches for some major sites. Dancho Danchev has a lot of excellent information on these attacks on his blog.