Archive for category Software Security

Building your OWN Malware Lab (Part 2)

Today’s malware strategies and tactics are advanced and sophisticated, and their main purpose is to trick antivirus products. Some samples use encryption to make detection difficult for any security software; others add AutoRun entries to the registry to defend themselves against anti-malware software, or simply add a line to the hosts file to prevent the antivirus from updating its definitions.

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware and other security-related risks in a fully automated mode. The report produced by ThreatExpert includes very important information about the file and is divided into two parts:

- Submission Summary:
  - File submission information (date, processing time and malware alias).
  - Summary of the findings: here you will find the severity level and the impact on the machine (for example "Creates a startup registry entry" or "Contains characteristics of an identified security risk").
- Technical Details:
  - Possible Security Risk: the threat category with a short description.
  - File System Modifications: the file names modified by the malware, file size, file hash, alias and a brief note about the systems concerned.
  - Memory Modifications: whether a new process was created in the system.
  - Registry Modifications: the registry values created, modified or deleted.
  - Other details: the possible country of origin according to the analysis.

To use the ThreatExpert service you can go through the free online file scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit your samples, but before submitting any file you need to register an account to be able to retrieve ThreatExpert reports.

What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis. Anubis lets the user submit a suspicious URL and receive a report that shows all the activities of the Internet Explorer process while visiting that URL. The negative point is that the service is slow.

Flash, JavaScript and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase it tells you whether the resource is malicious or not and provides information to help you understand why it was classified one way or the other. It also displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples.

Another tool for analyzing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable by looking at its entropy (in other words, randomness), indications of packing, compiler and packer signatures, the presence of digital signatures and other characteristics to generate a threat “score.” This score can be used to decide whether a set of files is worth further investigation.
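To show what the entropy part of such a score looks at, here is an added example (not MRC's code and not from the original post) that walks a PE section table and measures the Shannon entropy of each section's raw data; the sample image is constructed in the script, and the 7.0 threshold is an assumed rule of thumb for "probably compressed or encrypted".

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for compressed/encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_section_entropies(image: bytes) -> list[tuple[str, float]]:
    """Walk the PE section table and return (section name, entropy of its raw data)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    result = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        result.append((name, shannon_entropy(image[raw_ptr:raw_ptr + raw_size])))
    return result

def likely_packed_sections(image: bytes, threshold: float = 7.0) -> list[str]:
    """Names of sections whose entropy suggests compressed or encrypted content."""
    return [name for name, ent in pe_section_entropies(image) if ent >= threshold]

def build_sample_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE image (DOS stub, COFF header, section table, raw data); a parser fixture, not a program."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew -> PE signature at 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr, body = len(hdr) + 40 * len(sections), b""  # raw data follows the section table
    for name, data in sections:
        hdr += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), raw_ptr)
        hdr += b"\0" * 16                                 # reloc/line-number fields unused
        body, raw_ptr = body + data, raw_ptr + len(data)
    return bytes(hdr) + body

# Constructed sample: a repetitive code-like section and one with a uniform byte distribution
PLAIN = b"\x90" * 2048 + b"ABCD" * 512
RANDOMISH = bytes(range(256)) * 16
SAMPLE_PE = build_sample_pe([(b".text", PLAIN), (b".pack0", RANDOMISH)])
```

Entropy alone is only one signal; a signed, well-known packer or a resource section full of compressed images also scores high, which is why MRC combines it with signatures and other checks.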

Now you can quickly gather information about any suspicious file. Most of these tools are free and can produce a highly detailed report whose technical details match or exceed those of an antivirus lab.

make sure you subscribe to my RSS feed!


Building your OWN Malware Lab (Part 1)

Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs invest a great deal of money in analyzing and reversing viruses, but for our case we can perform the analysis using some useful tools on our own PC.

Let’s start with www.virustotal.com. If I have a suspicious file, the first thing I do is upload it to VirusTotal. VirusTotal lets the user analyze any file with more than 40 antivirus products, each with the latest signature definitions, which gives a clear idea not only of whether your file is safe but also of which AV is effective. The file can be uploaded directly from the site over SSL or sent by email. You can also download and install the uploader on your PC, which lets you send files directly from your system using the context menu.


Today it is very important, when reversing malware, to know the virus’s behavior. The user should run the program and observe the changes in the system, but this can harm the main system; for this we need Sandboxie. Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data on your computer. After installing Sandboxie you have a wide choice of tools for detecting and monitoring changes to the system: you can use Process Monitor from Sysinternals, API Monitor or the free analysis tools from iDefense Labs.

CWSandbox is another very nice tool for performing malware analysis; it fulfills the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox traces and monitors all relevant system calls and generates an automated report that describes:

• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, and which network connections were opened and what information was sent over them.

Malware can be very hard to remove, and sometimes the best approach to cleaning an infected machine is to restore a clean copy of the operating system. Here we reach the end of this post in the new Building Your Own Malware Lab series.


Adobe Apologized for a 16-Month-Old Bug

Adobe has officially apologized for a Flash Player vulnerability that is 16 months old and still not fixed.
According to Adobe the bug has been eliminated in the Flash Player 10.1 beta, but there is not yet a stable version of this release.

The bug was officially reported on 22 September 2008, and all Flash Player plug-ins since version 9 are affected. Many hackers have used this gap to inject malicious code on victims’ machines.

Adobe’s experts have provided a special web page to check for this vulnerability. The exploit really works; you can test it by following this link, but before clicking you should make sure that you have another page open in the same browser.

Adobe product manager Emmy Huang promised that the vulnerability will be fixed in the next Flash Player 10.1 release, without giving any indication of the final version’s date.

You can install Adobe Flash Player 10.1 from here.


Microsoft Prepares 13 Patches for Next Tuesday

Microsoft announced that it is about to release 13 security updates next Tuesday; these new security patches fix 26 security vulnerabilities in the Windows operating system and the Microsoft Office suite.

According to the Advance Notification, five updates are critical and the other eight are important. Eleven of the 13 patches fix vulnerabilities in one or more operating systems, and the remaining two are for Office XP and Office 2003 on Windows and Office 2004 for Mac.

Among the patches is a fix for a 17-year-old bug in 32-bit Windows versions that closes a loophole involving the venerable DOS operating system. Two recent critical Internet Explorer vulnerabilities will not be patched in this Tuesday’s updates.

You can find the Microsoft Security Bulletin Advance Notification for February 2010 here.


Apache SpamAssassin New Release

A new version of the anti-spam filter SpamAssassin has been released today; the free anti-spam solution is widely used by hundreds of thousands of organizations around the globe.

Apache SpamAssassin 3.3.0 offers a new way of updating rules for spam filtering. The rules database is now separated from the main product and loaded through automatic updates; this approach was available as an option in previous versions.

SpamAssassin supports a huge number of filtering mechanisms, including text analysis, Bayesian filtering, DNS blocklists, collaborative filtering databases and much more. All these methods help in identifying spam and reducing false positives (ham incorrectly marked as spam).

You can download Apache SpamAssassin 3.3.0 here.


Software Failure or 2010 Problem!

The New Year 2010 started with an unpleasant surprise, not only for system administrators but also for the customers of many European banks. Many cardholders were not able to use cash machines or make payments via terminals. The problem was caused by a vulnerability in the chip software installed with ATMs.

The bugs affected not only ATM software but also a number of other software vendors; the first error was noticed in the spam filtering program SpamAssassin. It was due to a default rule, FH_DATE_PAST_20XX, which marked all messages as spam so that they were stored in the junk folder.
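As an added illustration (not from the post or the SpamAssassin project) of how a date rule can fail on a fixed calendar boundary, the script below shows a "year is far in the future" check written with a literal year range beside one computed against the current date; the 20[1-9][0-9] pattern is assumed here to be the rule's pattern, and the Date headers are constructed.

```python
import re
from datetime import date

# The rule's intent was to flag mails dated years in the future. The pattern below,
# 20[1-9][0-9], is assumed to be the rule's (the post only names the rule): it matches any
# year 2010..2099 literally, so from 1 January 2010 every well-formed Date header matched.
FUTURE_YEAR_LITERAL = re.compile(r"20[1-9][0-9]")
YEAR = re.compile(r"\b(?:19|20)\d{2}\b")

def broken_fh_date_past_20xx(date_header: str) -> bool:
    """The check as it behaved in January 2010: fires on any year 2010-2099."""
    return FUTURE_YEAR_LITERAL.search(date_header) is not None

def fixed_future_date(date_header: str, today: date, slack_years: int = 1) -> bool:
    """Same intent computed against the current date, so the rule never goes stale."""
    m = YEAR.search(date_header)
    return m is not None and int(m.group(0)) > today.year + slack_years

# Constructed Date headers: a mail from the previous year, one from the day the rule
# started misfiring, and one that really is dated far in the future.
SAMPLES = [
    "Mon, 28 Dec 2009 10:00:00 +0000",
    "Fri, 01 Jan 2010 09:30:00 +0000",
    "Tue, 03 Mar 2037 00:00:00 +0000",
]

def compare(today: date = date(2010, 1, 4)) -> list[tuple[bool, bool]]:
    """(broken result, fixed result) for each sample header, evaluated on the given day."""
    return [(broken_fh_date_past_20xx(h), fixed_future_date(h, today)) for h in SAMPLES]
```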

The security software company Symantec also faced problems in 2010 and released a bulletin reporting a bug in the Symantec Endpoint Protection Manager (SEPM) server. This error does not allow customers to install updates released after 31/12/2009, so users were defenseless against new malware. In a blog post Symantec stated that they are working on a solution and will update customers when one becomes available.


Microsoft to Fix 12 Vulnerabilities on Tuesday, While Sophos Warns of Fake Microsoft Updates Coming Through Email

This Tuesday we will have the regular monthly update from Microsoft; the release will include a set of patches fixing 12 problems, among them a fix for an Internet Explorer 8 vulnerability.

These releases are issued for Windows 2000, XP, Vista, Windows 7, Windows Server 2003 and 2008, as well as IE 8, Office XP and Office 2003. Three patches are rated critical, which means that the bugs allow a hacker to run arbitrary commands remotely.

The Internet Explorer 8 vulnerability will also be among the patches; this bug can allow an attacker to run malicious software such as a Trojan or rootkit on the system to steal credentials and authentication data. Microsoft has already warned of an existing exploit for this bug and recommends that all customers prevent the attack by keeping antivirus up to date, using a good PC firewall and installing all previous patches.

On the other hand, Sophos’ security lab warned of a fake email message that includes a link to an executable file, Windows-KBxxxxx-ENU.exe, which contains the malware Mal/EncPK-LL. Here is an image of the email:

[Image: the fake Microsoft update email]

The message appears to come directly from Steve Lipner, Microsoft’s Director of Security Assurance. It is important here to be careful, not to follow direct links to executable files, and to make sure that you update your system from trusted sources.


Metasploit Framework 3.3 New Stable Release

A new release has recently been announced by the Metasploit team. The Metasploit Framework helps in performing penetration testing and creating new exploits for known bugs.

The Metasploit platform is used by network security professionals, network administrators, developers and researchers to test the security level of any newly installed system. The project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. Metasploit is an open source project managed by Rapid7. The software packages are based on Ruby and C.

Developing Metasploit Framework 3.3 took about 12 months. The new version includes 120 new exploit modules, over 100 new auxiliary modules and 180 bug fixes. The release notes are online and you can download the toolkit immediately.


DisCryptor Protects Your Privacy

DisCryptor is a complete software package for protecting your privacy: a free personal product for storing sensitive data, sending important documents via email and transferring folders on USB memory in an easy and very fast way.

After installation you have a very rich dashboard with tabs for creating a new virtual or physical drive, so it only takes a click to start encrypting the disk.

You can also create a traveler disk. This functionality helps you encrypt your USB drive so that its entire content is encrypted with a very high security level. The interesting point is that you can later open your files on any PC even if DisCryptor is not installed on it: by choosing the Travel Disk functionality you burn an autorun program to a CD/DVD, and then you only need the CD and the USB device or external hard drive to open your files.

It is also possible to use this software package to encrypt individual files. A file encrypted with DisCryptor always has a .DCF extension and the DisCryptor logo as its icon.

Maybe the biggest headache for anyone is remembering passwords. You can imagine how hard it is to remember thousands of passwords, and writing them on a sheet of paper is very risky and easy to lose. This software solves the issue by providing a way to manage passwords and store them in encrypted form (supported hash functions include SHA-256, SHA-384 and SHA-512). When you create a password it automatically shows the security level of that password according to the chosen security profile; it is recommended to use the strongest possible password and to keep track of your passwords.

Currently there are three types of license: a free personal edition, a Business edition and an Enterprise edition. You can read more details about DisCryptor here.


TrueCrypt 6.3 Free Open-Source Disk Encryption Software

TrueCrypt, one of the popular tools for encrypting and hiding partitions under Linux, Mac OS and Windows, has released a new version.

The new features at this release include:

• Full support for Windows 7.
• Full support for Mac OS X 10.6 Snow Leopard.
• The ability to configure selected volumes.

TrueCrypt is an open-source, multi-platform application that allows you to create secure, encrypted folders for your data.

It is always recommended to use TrueCrypt instead of other built-in encryption systems because it can hide your volumes and make it impossible for anyone to notice that the file exists on the hard disk, and it provides a flexible way to choose encryption algorithms.

With TrueCrypt your data remains encrypted until you need it. More details about the release can be found here.
