Wednesday, January 28, 2009

Web Application Scanners Comparison

This is a comparison between some of the well-known web scanners (Acunetix, HP WebInspect, IBM Rational AppScan). Do not rely on it entirely, as there are some concerns about the methodology; however, it is a good starting point.
Acunetix seems to be the best; I personally like it.

http://anantasec.blogspot.com/2009/01/web-vulnerability-scanners-comparison.html

Tuesday, January 27, 2009

Malicious Shortcut

A malicious shortcut is a new way of dropping malware on your PC. The shortcut itself is not malware; however, it contains a script that launches cmd.exe and uses ftp to connect to a malicious FTP server and download the malware.
The link can be sent by email or hosted on a web server; it is a nice trick to evade your email AV and your Internet filtering system.
http://www.avertlabs.com/research/blog/index.php/2009/01/26/abusing-shortcut-files/


Sunday, January 25, 2009

JavaScript Obfuscators

I got some comments and suggestions on this entry, so I have updated it.

There are lots of commercial and open source JavaScript obfuscators for legitimate use, such as improving web page performance. Hackers use the same tools to hide the malicious activity of their JavaScript code. Here is a small list of some of the available tools:

Free/Open-source JS Obfuscators:
http://www.javascriptobfuscator.com/Default.aspx
http://dean.edwards.name/packer/
http://www.shaneng.net/index.php?n=Main.JavaScriptObfuscator
http://scriptasylum.com/tutorials/encdec/javascript_encoder.html
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
http://www.jimmyleo.com/work/FreShowStart.htm

Commercial JS Obfuscators (some have fully functional, time-limited trial versions):
Jasob3:
http://www.jasob.com/
Thicket obfuscator:
http://www.semdesigns.com/Products/Obfuscators/ECMAScriptObfuscator.html
Javascript obfuscator:
http://www.javascript-source.com/javascript-obfuscator.html
Stunnix:
http://www.stunnix.com/prod/jo/
SOC:
http://www.codehouse.com/products/soc/
TrickyScripter:
http://trickyscripter.com/
ESC:
http://www.saltstorm.net/depo/esc/

Quick notes:
- At the end of the day, the obfuscated code runs in the browser without obfuscation, so this should not be considered a security feature.
- The only reason, from my point of view, to study obfuscation is for the web filtering vendors to make sure that their Internet filtering solutions can decode the obfuscated code before passing it to the end user.

Some of the obfuscation techniques:
Character encoding, randomization of variable and function names, string manipulation, comment insertion, code nesting, code shuffling, new-line characters and NOPs, and encryption.
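To show what "decoding the obfuscated code before passing it to the end user" involves, here is an added example of a layered de-obfuscation pass of the kind a web filter could run. It is not code from any of the tools listed above; it reverses a few of the techniques just named (character encoding via unescape()/%XX and \xNN, String.fromCharCode() sequences, string splitting with '+', and eval() wrapping) by rewriting the script repeatedly until it stops changing. The obfuscated sample at the bottom is constructed for this example, and the regular expressions are a simplification: a production filter would run the script in a real JavaScript engine.

```python
"""Layered JavaScript de-obfuscation, as a web filter might attempt it.

Added illustration; not code from any obfuscator or filtering product.
Reverses: String.fromCharCode() sequences, unescape("%XX"/"%uXXXX"),
\\xNN and \\uNNNN escapes, "a" + "b" string splitting, and eval("...")
wrapping. Regex-based, so it only handles the simple shapes shown here.
"""
import json
import re

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\)")
SINGLE_QUOTED = re.compile(r"'((?:\\.|[^'\\])*)'", re.S)
UNESCAPE_CALL = re.compile(r'unescape\(\s*"((?:\\.|[^"\\])*)"\s*\)', re.S)
SPLIT_STRING = re.compile(r'"((?:\\.|[^"\\])*)"\s*\+\s*"((?:\\.|[^"\\])*)"', re.S)
EVAL_WRAP = re.compile(r'^\s*eval\(\s*"((?:\\.|[^"\\])*)"\s*\)\s*;?\s*$', re.S)
PCT_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
BACKSLASH_ESC = re.compile(r"\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)", re.S)
_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}

# Constructed sample: eval() over a concatenation of encoded fragments.
SAMPLE = (
    'eval(unescape("%64%6f%63") + "ument." + '
    "String.fromCharCode(119,114,105,116,101) + "
    "'(\\'<ifr' + \"ame src=\" + unescape('%22%68%74%74%70%3a%2f%2f') + "
    '"example.invalid/x" + \'" width=0></iframe>\' + "\')");'
)


def js_string_value(body: str) -> str:
    """Decode backslash escapes in the body of a JS string literal."""
    def one(m):
        esc = m.group(1)
        if esc[0] in "xu" and len(esc) > 1:
            return chr(int(esc[1:], 16))
        return _SIMPLE_ESCAPES.get(esc, esc)   # \' \" \\ \/ -> the char itself
    return BACKSLASH_ESC.sub(one, body)


def js_unescape_percent(s: str) -> str:
    """Mimic JavaScript's unescape(): %XX and %uXXXX become characters."""
    return PCT_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def _literal(value: str) -> str:
    """Re-emit a decoded value as a double-quoted JS literal (JSON is close enough)."""
    return json.dumps(value)


def decode_layer(js: str) -> str:
    """One pass of rewrites; deobfuscate() repeats it until nothing changes."""
    # String.fromCharCode(100,111,99) -> "doc"
    js = FROMCHARCODE.sub(
        lambda m: _literal("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())),
        js)
    # 'single-quoted' -> "double-quoted", so the rules below need one form only
    js = SINGLE_QUOTED.sub(lambda m: _literal(js_string_value(m.group(1))), js)
    # unescape("%64%6f%63") -> "doc"
    js = UNESCAPE_CALL.sub(
        lambda m: _literal(js_unescape_percent(js_string_value(m.group(1)))), js)
    # "do" + "c" -> "doc", repeated until no adjacent literals remain
    while True:
        joined = SPLIT_STRING.sub(r'"\g<1>\g<2>"', js)
        if joined == js:
            break
        js = joined
    # eval("...") around a single literal: peel it, the inner text is the next layer
    wrapped = EVAL_WRAP.match(js)
    if wrapped:
        js = js_string_value(wrapped.group(1))
    return js


def deobfuscate(js: str, max_rounds: int = 10) -> str:
    """Apply decode_layer() until a fixed point (or max_rounds layers)."""
    for _ in range(max_rounds):
        nxt = decode_layer(js)
        if nxt == js:
            break
        js = nxt
    return js


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Running it prints the de-obfuscated `document.write(...)` call, which is what a filter would then hand to its signature or policy engine. Each rewrite rule corresponds to one of the techniques in the post; the fixed-point loop is what handles nesting (an eval() whose decoded payload is itself obfuscated).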

Saturday, January 24, 2009

The largest data breach in history

Around 100 million credit and debit card accounts have been leaked to the black market. Malware on a processing system at Heartland Payment Systems is responsible for collecting this huge number of card records; the exact details have not yet been released, including the exact number of leaked cards and which parts of the card information were leaked.
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html

Updated:
The source of the breach is outside the USA; can you make a country guess???
http://www.storefrontbacktalk.com/securityfraud/feds-identify-overseas-suspect-in-heartland-case/

If you have time to play the guessing game, take a look at:

End-of-year Security Reports - 2008

Updated:
Here is my TOP 10 list of security reports

Cisco 2008 Annual security report:
Vulnerabilities increased by 11.5% over last year; 90% increase in threats from legitimate domains.
http://cisco.com/en/US/prod/vpndevc/annual_security_report.html

Finjan:
Expected sharp rise in cybercrime in 2009 due to the current economic downturn
http://www.finjan.com/GetObject.aspx?objid=641

Anti-Phishing Working Group:
Password stealing malicious code URLs are on the rise
http://www.antiphishing.org/reports/apwg_report_Q2_2008.pdf

Cenzic Q2 2008 report:
http://www.cenzic.com/news_events/Cenzic_AppSecTrends_Q2-08.php

Symantec Underground Economy Report:

F-Secure Threat Summary for H2, 2008:

Trend Micro, Most Abused Infection Vector:

MessageLabs:

Arbor:

Sophos:
http://www.sophos.com/securityreport2009

Updated:
I have added more reports to my top 10 list:

Whitehat Security:

http://www.whitehatsec.com/home/resource/stats.html


ENISA (European Network and Information Security Agency):
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_web2.pdf

Panda Security:
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2008/12/31/Annual_Report_Pandalabs_2008_ENG.pdf

WebSense:
- 77% of web sites hosting malicious content are legitimate sites
- 70% of the top 100 sites hosted or redirected to malicious content
- 57% of data-stealing attacks are conducted over the web
http://www.websense.com/site/Docs/whitepapers/en/WSL_ReportQ3Q4FNL.PDF?CMP=NR012109A

CSI:

Aladdin:

IBM X-Force:

Friday, January 23, 2009

Pen-Testing Resources

Updated:
This is a summary of multiple old posts related to Pen-Testing


Application Pen-Testing Time Estimator:
http://www.coffeeandsecurity.com/resources/tools/tamapper.aspx

Tips and Tricks:
Some very good presentations on network pen-testing with very few tools. The aim is to select the most effective tools for your testing and to get the most out of them; the presentations contain very nice tips, tricks, and examples.
http://pauldotcom.com/TriplePlay-NetworkPenTestingTools.pdf
http://inguardians.com/pubs/PenTestPerfectStormPart1FINAL.pdf
http://inguardians.com/pubs/PenTestPerfectStormPart2FINAL.pdf



Tools:
FireCAT is a collection of the most efficient and useful Firefox extensions for application security auditing and assessment. This is how to turn your Firefox into a security auditing and assessment tool.
http://www.security-database.com/toolswatch/FireCAT-1-5-released.html


Sample Report:
Offensive Security has just released a sample penetration testing report. It is not a "Nessus results" kind of report; a must-see...
http://www.offensive-security.com/offsec-sample-report.pdf

Wednesday, January 21, 2009

Mobile Credit Theft

Researchers discovered new trojans on the Symbian platform that transfer a small amount of the victim's credit to the attacker's mobile; the trojan transfers small amounts so as not to be noticed.
No information is available on how to protect yourself from these trojans or on the propagation vector.
http://www.viruslist.com/en/weblog?weblogid=208187621

Monday, January 19, 2009

Must have Firefox Add-ons

Updated

CookieSafe
Control cookie permissions
https://addons.mozilla.org/en-US/firefox/addon/2497
No Script
Allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice

FireKeeper
An IDS/IPS for your Firefox: it intercepts all your browser requests/responses and can prevent suspicious activity.

Zotero
The best tool ever in organizing your research, manage files, web pages, and images from within your browser in a single place.
https://addons.mozilla.org/en-US/firefox/addon/3504

JSView
View the embedded source code of JavaScripts and Style Sheets in any web page
https://addons.mozilla.org/en-US/firefox/addon/2076

SwitchProxy
Manage and switch between multiple proxy configurations
https://addons.mozilla.org/en-US/firefox/addon/125

HauteSecure
Threat warning and reputation rating for the web sites you are visiting. Protect from web-based malware.

RequestPolicy
Control Cross-Site-Requests, comprehensive client-side protection against CSRF

Targeted Advertising Cookie Opt-Out (TACO) 1.3
Prevent Advertising Networks from collecting your personal information from cookies
https://addons.mozilla.org/en-US/firefox/addon/11073

Collection:

Malware Hash Registry:

Mass Injection Analysis
Redirection Chaining
Deobfuscation Analysis
Content Profiling

Sunday, January 18, 2009

Millions of infections exploiting MS08-067

Malware is spreading everywhere. If you are following the basic general security recommendations, you should not be concerned; however, the infection numbers show that people are still making the same old mistakes. If your company is infected, it is an indication of a poor security policy.....

The estimated number of infected hosts is several million worldwide, and it is getting worse.
The Downadup (Conficker) worm is designed to call back home and receive further instructions.
http://www.f-secure.com/weblog/archives/00001584.html

The worm has other names:
Win32/Conficker.A (CA)
Mal/Conficker-A (Sophos)
Trojan.Win32.Agent.bccs (Kaspersky)
W32.Downadup.B (Symantec)

Propagation vector:
Like other worms, an infected machine scans the network looking for vulnerable machines, but the worm has other ways of propagating: it scans the company network trying to guess passwords using hundreds of common words, then infects those machines. It will also try to infect your removable USB stick and propagate using autorun.inf.

Once a machine is infected, the worm disables many security services on it and blocks access to some sites, such as Microsoft and most anti-virus sites.

MS advisories:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx

F-Secure Advisory:
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

TrendMicro Analysis:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD&VSect=T

Obfuscated autorun.inf file analysis:
http://www.sophos.com/security/blog/2009/01/2628.html?_log_from=rss

McAfee analysts discovered that the exploit used in this worm was built using Metasploit, which raises a concern about security tools being used by the bad guys.
http://www.avertlabs.com/research/blog/index.php/2009/01/15/conficker-worm-using-metasploit-payload-to-spread/

In the early releases of the worm, the worm exposes the machine to fake security software, earning $30 per sale.
http://blogs.zdnet.com/security/?p=2388

The way the worm calls home is a new technique: using a complicated algorithm that changes on a daily basis, the worm generates many possible domain names every day and tries to connect to them. It is impossible to shut down all possible domains, because many of them are never registered; this gives the guys controlling the worm the ability to select the time and domain they want to use to take control of the infected machines. F-Secure managed to play the same game, predicted an unregistered domain name, and used it to control the worm.
http://www.f-secure.com/weblog/archives/00001579.html
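The same property that lets F-Secure predict the domains also makes the worm visible on a resolver: an infected host asks for a burst of random-looking names, most of which come back NXDOMAIN because nobody registered them, and the few that resolve are the ones the operators (or a sinkhole) own. The following is an added example of that detection logic, written for this post; it is not F-Secure's tool and does not reproduce the worm's domain algorithm. The log format, the client addresses, the domain names and the thresholds (label length, entropy, vowel ratio, NXDOMAIN count) are all constructed for the example and would need tuning against real traffic.

```python
"""Spotting DGA-style call-home lookups in a resolver log.

Added illustration; not the worm's or F-Secure's code. A host is flagged
when it queries several random-looking names that do not exist, and any
random-looking name that *did* resolve for that host is reported as a
candidate C&C domain to block or sinkhole.
"""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed resolver log: timestamp, client, queried name, response code.
SAMPLE_LOG = """\
2009-01-18T09:00:01 10.0.0.5 www.microsoft.com NOERROR
2009-01-18T09:00:02 10.0.0.5 update.f-secure.com NOERROR
2009-01-18T09:00:05 10.0.0.9 qxwjzkvpt.biz NXDOMAIN
2009-01-18T09:00:05 10.0.0.9 mzlkrwyhq.info NXDOMAIN
2009-01-18T09:00:06 10.0.0.9 bvtqxnpdl.org NXDOMAIN
2009-01-18T09:00:06 10.0.0.9 kwzfjrcmx.net NXDOMAIN
2009-01-18T09:00:07 10.0.0.9 pyhvtzqwk.com NXDOMAIN
2009-01-18T09:00:07 10.0.0.9 dgxlmnrvz.biz NOERROR
2009-01-18T09:00:09 10.0.0.5 typo.exmaple.com NXDOMAIN
2009-01-18T09:00:10 10.0.0.12 news.cnn.com NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random labels score near log2(len)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname: str, min_len: int = 7, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic on the second-level label: long, high-entropy, few vowels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_log(text: str):
    """Yield (client, qname, rcode) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue            # skip malformed lines rather than abort
        _ts, client, qname, rcode = parts
        yield client, qname, rcode


def find_dga_hosts(log_text: str, min_nxdomain: int = 4) -> dict:
    """Map flagged client -> counts of failed lookups and resolved candidates."""
    stats = defaultdict(lambda: {"nxdomain_generated": 0, "resolved_generated": []})
    for client, qname, rcode in parse_log(log_text):
        if not looks_generated(qname):
            continue
        entry = stats[client]
        if rcode == "NXDOMAIN":
            entry["nxdomain_generated"] += 1
        elif rcode == "NOERROR":
            entry["resolved_generated"].append(qname)
    return {h: s for h, s in stats.items() if s["nxdomain_generated"] >= min_nxdomain}


if __name__ == "__main__":
    for host, info in find_dga_hosts(SAMPLE_LOG).items():
        print(host, info)
```

On the constructed log the only flagged client is 10.0.0.9, with five failed generated-looking lookups and one that resolved (dgxlmnrvz.biz), which is the name worth blocking or handing to a sinkhole. The entropy and vowel thresholds are deliberately crude: they separate the sample names from microsoft.com and cnn.com, but real deployments pair them with per-host NXDOMAIN rates over a time window and an allow-list of known domains.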

CNN Coverage:
http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html

Protection:
- Patch your systems with MS08-067; the patch was released in late October 2008
- Use long, difficult passwords
- The MS Malicious Software Removal Kit is able to detect and clean the worm
- Disable the autorun feature:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true

F-Secure disinfection tool:
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

My blog entry about the early worm:
http://okamalo.blogspot.com/2008/11/worm-exploiting-ms08-067-in-wild.html

Updated
In-depth analysis of memory injection, and how Conficker is injected into rundll32.dll to bypass the firewall and HIPS.
http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html

And here is a tool to detect a list of C&C domain names:

Friday, January 16, 2009

Web Hacking Challenges

This is a list of some web hacking challenges for learning purposes; there are many levels and several technologies to hack, such as XSS, SQL injection, Flash, Java, HTML, .....

http://www.hackthissite.org
http://www.hack-test.com/


Have fun ....


Friday, January 9, 2009

Cyber warfare against Israel

Several thousand Israeli web sites have been hacked during the last few days, as part of Arab hackers' reaction to the latest Israeli attack on Gaza, Palestine.
Several defacements are part of coordinated efforts, while others are just individual expressions.
The hackers are mainly from Algeria, Morocco, Egypt, Turkey and Saudi Arabia.

There were also some coordinated efforts to launch DDoS attacks on some Israeli governmental sites; the hackers used many forums to distribute the message, tools, date and time to launch the attack. I would assume that the bad performance of the Internet in the Arab world, due to the cable cuts in the Mediterranean, largely reduced the effect of the DDoS.
Updated:
Check the Arabic attack archive site: http://www.arabic-m.com for a list of hacked websites.

On the other side, Israel is making use of Internet channels like YouTube and Twitter to deliver its political messages, in addition to online monitoring services like http://israel.internet-haganah.com/

Updated:
The Israeli domain registration server (DomainTheNet) was hacked by a Moroccan hacker group; the hackers were able to get a password that allowed them to change the DNS records of some web sites so that they forwarded to other pages with political messages.



Updated:
Israeli hackers developed a program and published it on the Internet, inviting Israelis to download the tool and contribute to the current cyber warfare between Israel and Palestine.

An analysis of the program was done by SANS, and it seems to be a risky one, as it tries to connect to an IRC server and wait for orders; this can be used for many purposes.

The site changes location regularly; the last working address for it is http://help-israel-win.tk/



Updated:
USA military sites are now part of the war: a Turkish hacker successfully defaced some USA military web sites and the NATO Parliament site using SQL injection attacks.

Thursday, January 8, 2009

10 ways to protect yourself

The ESET blog has some nice "10 ways to protect yourself" articles, aimed at normal users.

- Disable autorun in windows
- Do not use your computer with administrator privileges
- Use different passwords for your computer and your online services
- Change the password frequently
- Do not trust links in your email, even from friends
- Protect sensitive information on your computer with encryption
- Backup your data regularly
- Avoid fake security software
- Avoid free wifi hotspots
- Do not use cracked/pirated software, audio and video.
- Keep applications and operating system components up-to-date with automated updates and patches
- Do not disclose sensitive information on public web sites like Facebook or LinkedIn
- Do not depend on antivirus only; use a personal firewall, antispam, and anti-phishing toolbars


Monday, January 5, 2009

Nokia S60 phones exploit blocks SMS/MMS

A DoS against Nokia Series 60 phones was disclosed and demonstrated at the 25th Chaos Communication Congress in Berlin last week.

The 3GPP TS 23.040 standard specifies a method of sending email via SMS. If this email is longer than 32 characters, the affected Symbian versions will fail to display the message or give any indication on the user interface, and the device will no longer be able to send or receive SMS or MMS messages.
S60 versions 2.6 and 3.0 will be locked after just one message, while 2.8 and 3.1 will be locked after more than 11 messages.

The only way to recover from this situation is to perform a factory reset; no firmware update is available to fix this problem so far.
Although this is not a high security risk, the risk can be mitigated by the operators by filtering this kind of SMS on the network.
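To make the network-side filtering concrete, here is an added example (not the advisory's or F-Secure's code) of a check an operator could run on SMS-DELIVER PDUs: it parses the TS 23.040 header far enough to read the protocol identifier, data coding scheme and user data, and flags messages that use the Internet Electronic Mail protocol identifier with an over-long address. Three things are assumptions made for this example: that TP-PID 0x32 (the value TS 23.040 assigns to "Internet Electronic Mail") is the identifier involved, that the address is the user data up to the first space, and that the 32-character limit quoted above applies to that address. The 8-bit test PDUs are built by the helper at the bottom; the 7-bit PDU is the classic "hellohello" encoding example.

```python
"""Network-side filter for the S60 "Curse of Silence" SMS pattern.

Added illustration, not the advisory's code. Parses an SMS-DELIVER PDU
(3GPP TS 23.040 layout) to read TP-PID, TP-DCS and the user data, then
flags e-mail-over-SMS messages whose leading address exceeds the limit.
Assumptions: TP-PID 0x32 = Internet Electronic Mail, address = text up
to the first space, limit = 32 (the figure quoted in the post).
"""

EMAIL_PID = 0x32       # TP-PID "Internet Electronic Mail" (assumed from TS 23.040)
ADDRESS_LIMIT = 32     # length threshold quoted in the post

# Classic 7-bit example PDU: no SMSC, from +44791112345, text "hellohello".
HELLO_PDU = "00" "04" "0b91" "4497112143f5" "00" "00" "00000000000000" "0a" "e8329bfd4697d9ec37"


def _decode_bcd(raw: bytes) -> str:
    """Swapped-nibble BCD digits; a trailing 0xF pads odd-length numbers."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw).rstrip("f")


def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit default alphabet (ASCII-overlapping subset only)."""
    out, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < septets:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return bytes(out).decode("ascii")


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Read the SMS-DELIVER fields the filter needs; raises on unsupported PDUs."""
    data = bytes.fromhex(pdu_hex)
    pos = 0
    pos += 1 + data[pos]                  # SMSC address: length byte + address
    first_octet = data[pos]
    pos += 1
    if first_octet & 0x03 != 0x00:        # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits, oa_toa = data[pos], data[pos + 1]
    pos += 2
    oa_len = (oa_digits + 1) // 2         # digit count -> byte count
    originator = _decode_bcd(data[pos:pos + oa_len])
    pos += oa_len
    if oa_toa & 0x70 == 0x10:             # type-of-number: international
        originator = "+" + originator
    pid, dcs = data[pos], data[pos + 1]
    pos += 2
    pos += 7                              # TP-SCTS timestamp, not needed here
    udl = data[pos]
    pos += 1
    ud = data[pos:]
    if dcs & 0xCC == 0x04:                # general coding group, 8-bit data
        text = ud[:udl].decode("latin-1")
    elif dcs & 0xCC == 0x00:              # general coding group, GSM 7-bit
        text = unpack_7bit(ud, udl)
    else:
        raise ValueError("UCS-2 / other DCS groups not handled in this example")
    return {"originator": originator, "pid": pid, "dcs": dcs, "text": text}


def is_curse_of_silence(msg: dict) -> bool:
    """True when TP-PID is e-mail and the leading address exceeds the limit."""
    if msg["pid"] != EMAIL_PID:
        return False
    address = msg["text"].split(" ", 1)[0]
    return len(address) > ADDRESS_LIMIT


def build_deliver_pdu_8bit(originator: str, pid: int, text: str) -> str:
    """Constructed SMS-DELIVER PDU (no SMSC, 8-bit DCS) for exercising the filter."""
    digits = originator.lstrip("+")
    padded = digits + ("f" if len(digits) % 2 else "")
    oa = bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))
    body = bytes([0x00, 0x04, len(digits), 0x91]) + oa
    body += bytes([pid, 0x04]) + bytes(7) + bytes([len(text)]) + text.encode("latin-1")
    return body.hex()


if __name__ == "__main__":
    bad = build_deliver_pdu_8bit("+44791112345", EMAIL_PID, "a" * 40 + "@example.invalid hi")
    print(is_curse_of_silence(parse_sms_deliver(bad)))    # filter should drop this one
    print(parse_sms_deliver(HELLO_PDU)["text"])            # 7-bit path sanity check
```

The decision is made on two header fields plus the first token of the payload, which is cheap enough to run in-line on an SMSC. A real deployment would also handle concatenated SMS (the user-data header moves the address), UCS-2 coding, and would log rather than silently drop so that the false-positive rate can be measured.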

F-Secure report:
http://www.f-secure.com/weblog/archives/00001569.html

Advisory:
http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt

Video:
https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-demo.avi

Affected devices are mainly the Nokia E and N series; the list of models is in the advisory.

Sunday, January 4, 2009

Evading Anti-Virus, the easy way

This is just an example of how well-known malware can evade anti-virus:

- Use a file splitter to split the malware into several small files
- Run the anti-virus engine locally to scan all the small files; the anti-virus will detect a signature of the malware in one or more of the small split files.
- The next step is to use a hex editor to change the signature of these detected files, by changing any byte within the file.
- Test the anti-virus again against all edited files; you may want to repeat the process and change a different byte.
- Re-run your file splitter to rejoin your files
- Test whether the malware still works or your changes broke the code. You will have to start over again if the code is broken.
- Once your tests succeed, your malware should now be undetectable.