Monday, June 29, 2009

US and UK launch Cyber Security Forces

UK government just announced the launch of its cyber security agency, shortly after US did similar announcement.

Both Cyber Security Operation Centers will be fully operational before end of this year, taking into consideration the two big incidents with Estonia and Georgia.
Both will have similar goals and objectives, which are offering cyber defense capabilities, with some capabilities for offensive attacks and spying activities!!!

Sunday, June 28, 2009

NetFlow v5 vs. NetFlow v9

Lancope blog has a quick and easy explanation about the differences between Netflow v5 and v9, check it here.

Thursday, June 25, 2009

Using Phishtank API to check if your site is listed as suspicious

Here is another way of checking if your web site is infected as part of a phishing attack, the script below is using phishtank public list in csv format:

#!/usr/bin/perl
#downloaod the phishtank list
system('wget http://data.phishtank.com/data/online-valid.csv" -O /feeds/url/phishtanklist.txt');
#delay the script for 10 sec
$oldtime = (time + 10);
while (time < $oldtime) {}
#define your url $url = yourdomain.com;
#get phishtank list
open (file, "/feeds/url/phishtanklist.txt") or die $!;
#Since blogger is removing some html tags like, add the word file in between the below <>
while ($record = <> )
{
#extract string starting with http ending with first comma
if ($record =~ /http:(.*?)\,/ ) {$Furl = $&};
#remove the comma
$Furl =~ s/\,//;
#remove the http part
$Furl =~ s/http:\/\///;
#compare your url with phishtank url
if ($Furl =~ /$url/) {
print "matched $url ";
}}
close file;

Sunday, June 21, 2009

Using google safe browsing API to check if your site is listed as suspicious

Google is maintaining a couple of lists of bad urls that they identified using their crawlers. This is a quick example of how to make a good use of one of the lists to monitor your web site if it has been compromised and identified by google.

My 2 perl scripts, are using the available modules:
Net::Google::SafeBrowsing::UpdateRequest
Net::Google::SafeBrowsing::Blocklist


I am updating the google list every hour, and then check my urls using a crontab job:


1st script (register in google to get a key):

#!/usr/bin/perl
use Net::Google::SafeBrowsing::UpdateRequest;
$apikey='put-your-key-here';
$dbfile = "/feeds/url/glist.txt";
$skip_mac= "true";
$blocklist = "goog-black-hash";
my $u = Net::Google::SafeBrowsing::UpdateRequest->new($apikey, $dbfile, $blocklist);
if ($u->update and $u->close) {
print "Seccessfully Updated $blocklist in $dbfile\n";
}



2nd script is just an example on how to compare your url against googleSafe browsing blocklist:

#!/usr/bin/perl

use Net::Google::SafeBrowsing::UpdateRequest;
use Net::Google::SafeBrowsing::Blocklist;
$apikey='put-your-key-here';
$dbfile = "/feeds/url/glist.txt";
$skip_mac= "true";
$tablename = "goog-malware-hash";
$uri = "http://www.yourdomain.com/";
my $blocklist = Net::Google::SafeBrowsing::Blocklist->new($tablename, $dbfile, $apikey);
my $matched_uri = $blocklist->suffix_prefix_match($uri);
if (defined($matched_uri)) {
print "Matched '$matched_uri'\n";
} else {
print " No Match ";
}
$blocklist->close;

Thursday, June 18, 2009

Wednesday, June 17, 2009

Veiled, a browser based darknet

Networks like Tor, FreeNet, and Gnutella, are well known darknets, a new comer is about to be available, Veiled.
Veiled does not require much technical knowledge to use, unlike other networks. Utilizing HTML 5 and browsers, it should attract lots of users.

Veiled is a zero-footprint network, with no traces on users. It is not peer-to-peer, but a chain of repeaters.

With encryption added on, Veiled should be an ultimate choice for free speech groups and underground groups as well.

Read the full article here, and check Blackhat conference next month for more details.

Updated
Here is the presentation given on Blackhat 2009

Tuesday, June 16, 2009

Iran Elections



Organized DDOS attacks, instructions for protesters, news, links to videos, open proxies...
The usage of twitter and blogs for effective communication during and after the Iranian elections is showing how effective the social media is, therefor Twitter scheduled maintenance has been changed and rescheduled to be at midnight Iran local time. As per twitter status blog, "Twitter is currently playing as an important communication tool in Iran. Tonight's planned maintenance has been rescheduled to tomorrow between".
It is interesting that twitter decided to be offline during US peak hours, for the availability in Iran.

On the other hand, attacks against pro-AhmadiNejad sites are coordinated using twitter. The tools used are not related to botnets, they are all manual tools like Page Rebooter that allows the user to automatically reload a specific web page every pre-defined interval like 1 sec., or IFRAME Loading Script for people running web sites, that will redirect the site visitors to the target url and automatically refresh it.

http://blogs.zdnet.com/security/?p=3613





Friday, June 12, 2009

Botnet vs. Malware Relationship

A paper published by Damballa recently is trying dig into the relationship between Malware and Botnets.

Here are some interesting points:
- A single malware does not correspond to a single botnet
- Professional malware kits available for few thousand dollars can bypass most anitivirus technologies and often comes with 24x7 support and money-back guarantee for evading antivirus
- Malware kits can generate different variants with different encryption keys, communication methods, and admin passwords.
- The list of DYI malware tool kit is growing
- Criminals are using multiple and different kits to create armories of bot agents, so there is no single detection algorithm or cleaning process will be capable of wiping out an entire botnet.

Wednesday, June 10, 2009

Bad Guys Tools - Crypter

It is interesting how the bad guys are few steps ahead, the below image is for a crypter that is anti Good-Guys-Tools !. Did they miss anything?? it is sold only for 35$.

Tuesday, June 9, 2009

SPAM statistics for your country, HOWTO

This how to get the spam level for specific country from one of the well known spam Black lists:
To get the daily black listed ips you have to register in CBL: http://cbl.abuseat.org/
They are using rsync to distribute the ip list.

to download the list after registration:
/usr/bin/rsync -av rsync://rsync.cbl.abuseat.org/cbl/list.txt /feeds/cbl/list.txt
once you download the list.txt, use a perl script to resolve and filter the country code and query the whois db for network name, the below perl script is using Net::Whois::IP and IP::Country::Fast libraries.
use this command to redirect the output to EG.txt
# perl geo.perl >EG.txt
geo.perl:
use Net::Whois::IP qw(whoisip_query);
use IP::Country::Fast;
my $reg = IP::Country::Fast->new();
my $search_options =["NetName","OrgName"];
my $tt=0;
my @tyy;
open (list, "/feeds/cbl/list.txt")||die "couldn't open the file!";
while ($record = <> )
{

chomp $record;
$cc=$reg->inet_atocc($record);
if($cc eq "EG")
{
$ip=$record;
my $response = whoisip_query($ip,"",$search_options);
foreach (sort keys(%{$response}))
{
$res=$_;
$res1=$response->{$_};

if ($res=~ /netname/) {print $ip . " "; print $res1 . "\n";}
$tyy[$tt] = "$_ $response->{$_} \n";
$tt++;
}}}
close(list);

Now you have EG.txt file will all IPs from Egypt with network name from whois db, you can then upload it to mysql database for further processing:
First create the database cbl and create the table list:
use cbl;
CREATE TABLE list (
date TIMESTAMP NOT NULL,
ip varchar(80) NOT NULL default '',
netname varchar(80) NOT NULL default ''
);


Then upload the file to the database:
#/usr/bin/mysql -u root -ppassword < /feeds/cbl/commands commands file: use cbl; LOAD DATA INFILE '/feeds/cbl/EG.txt' INTO TABLE list FIELDS TERMINATED BY ' ' LINES TERMINATED BY '\n' (ip,netname,date) ; Now you have the data in the database, you can apply any sort of reporting on it. I am using php and utilizing Google charts API, here is one example:


Saturday, June 6, 2009

File Upload Forms, Common Security Issues

Acunetix released a paper on common security problems with "file upload" forms, with some examples.
Common problems such as:
- Simple upload without validation
- MIME type validation
- Blocking dangerous extensions
- Double extensions
- Image header checking
- .htaccess protection
- Client side validation
http://www.acunetix.com/websitesecurity/Why-File-Upload-Forms-are-a-Major-Security-Threat.pdf

Thursday, June 4, 2009

Security Incident Rating


An interesting blog entry by taosecurity suggesting 10 different ratings for Incidents, this rating system makes sense to many security professionals, however it might be "too much" for management.

http://taosecurity.blogspot.com/2009/05/information-security-incident-rating.html

Wednesday, June 3, 2009

Scanning MS Office Documents for Malicious Traces

OfficeMalScanner is a new tool to scan MS Office documents for malicious traces like shellcode, PE files, or embedded OLE stream. The tool comes with hexview.

http://www.reconstructer.org/code/OfficeMalScanner.zip

Tuesday, June 2, 2009

Security Tools List

There are lots of tools lists out there, but this one is very extensive and pretty much updated.
http://securitytoolslist.domandhost.com/

Monday, June 1, 2009

Analysis of botnet attack targeting Instant Messaging users

Here is a nice analysis of malware targeting various IM clients using sdbot variant, the infection require user action by clicking on the link sent to the IM client, and execute the downloaded file. the downloaded file has a very low detection rate by many AV due to the packing used.