Posts Tagged Security

Building your OWN Malware Lab (Part 2)

Today's malware strategies and tactics are advanced and sophisticated, and much of that sophistication exists to evade antivirus products. Some samples use encryption or packing to make detection harder for security software, others add autorun entries to the registry so they survive reboots and can defend themselves against anti-malware tools, and others simply add a line to the hosts file so the antivirus can no longer reach its definition update servers.
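The hosts-file trick above is easy to check for. As an added example, not code from the original post, the following parses a hosts file and flags any entry that pins a vendor update host to some address; because a hosts entry overrides DNS, there is no legitimate reason for such an entry to exist, whatever address it points to. The watchlist of update hostnames and the sample hosts file are constructed for the demonstration.

```python
import ipaddress
from typing import List, Tuple

# Constructed watchlist of update hosts an attacker would want to block.
# Illustrative names only, not a vendor-maintained list.
WATCHLIST_SUFFIXES = (
    "symantecliveupdate.com",
    "update.symantec.com",
    "liveupdate.symantec.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "kaspersky.com",
    "mcafee.com",
    "avast.com",
)

# Names a stock hosts file legitimately maps to loopback.
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)               # skip malformed lines
        except ValueError:
            continue
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def watched(hostname: str) -> bool:
    """True when hostname is, or is a subdomain of, a watchlisted update host."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_hijacked_entries(text: str) -> List[Tuple[int, str, str]]:
    """Entries that override DNS for an update host, regardless of the address used."""
    return [(n, ip, host) for n, ip, host in parse_hosts(text)
            if host not in DEFAULT_LOCAL_NAMES and watched(host)]


# Constructed sample hosts file: two benign lines, then the kind of entries malware adds.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.corp.local    # legitimate internal override
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         windowsupdate.microsoft.com update.microsoft.com
10.0.0.5        downloads.kaspersky.com  # redirected to an attacker-controlled host
"""

if __name__ == "__main__":
    for lineno, ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} pinned to {ip}")
```

On a live Windows system the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems /etc/hosts. Note the last sample line: an entry pointing at a routable address is just as much a hijack as one pointing at loopback, which is why the check does not look at the address at all.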

ThreatExpert is an automated threat analysis system that analyzes and reports the behavior of viruses, worms, trojans, adware, spyware and other security risks, fully automatically. The report it produces contains very useful information about a file and is divided into two parts:

- Submission Summary:
  - File submission information (date, processing time and malware alias).
  - Summary of findings: the severity level and the impact on the machine (for example "Creates a startup registry entry" or "Contains characteristics of an identified security risk").

- Technical Details:
  - Possible Security Risk: the threat category with a short description.
  - File System Modifications: the files created or modified by the malware, with file size, hash, alias and a brief note on each.
  - Memory Modifications: any new processes created on the system.
  - Registry Modifications: the registry values created, modified or deleted.
  - Other details: the possible country of origin according to the analysis.

To use ThreatExpert you can either use the free online file scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit samples. In either case you need to register an account before submitting files, in order to retrieve the reports.

What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis, which lets you submit a suspicious URL and returns a report of everything the Internet Explorer process did while visiting it. The drawback is that the service is slow.

Flash, JavaScript and PDF files can be handled with Wepawet. Wepawet runs various analyses on the URLs or files you submit. At the end of the analysis it tells you whether the resource is malicious or not and provides the information needed to understand why it was classified one way or the other. It also displays details that greatly simplify manual analysis and understanding of a malicious sample's behavior.

Another tool for analyzing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines several aspects of an executable, such as entropy (in other words, randomness, which is high for compressed or encrypted data), indications of packing, compiler and packer signatures, the presence of digital signatures and other characteristics, and generates a threat "score". The score is used to decide whether a set of files deserves further investigation; a high-entropy or packed file is not proof of malice, since legitimate software is packed too, only a reason to look closer.
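The entropy and section-name heuristics MRC relies on can be reproduced in a few lines. The following is an added example, not MRC's code or code from the original post: a minimal PE section-table parser plus a Shannon-entropy score, run on two constructed in-memory samples (one plain, one with UPX-style section names and uniformly distributed bytes). The packer section-name list and the 7.0 bits/byte threshold are assumptions chosen for the demo, and build_sample_pe produces only enough of a PE for the parser, not a loadable executable.

```python
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Section names common packers leave behind (constructed shortlist, not exhaustive).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite", b".nsp0", b".nsp1"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; plain x86 code is usually well below, compressed/encrypted data near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def parse_sections(pe: bytes) -> List[Tuple[bytes, bytes]]:
    """Walk the section table and return [(name, raw_bytes)]; raises on non-PE input."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, pe[ptr_raw:ptr_raw + size_raw]))
    return sections


def score_pe(pe: bytes) -> Dict[str, object]:
    """Flag high-entropy sections and packer section names, in the spirit of MRC."""
    findings = []
    for name, data in parse_sections(pe):
        label = name.decode("ascii", errors="replace")
        ent = shannon_entropy(data)
        if ent >= ENTROPY_THRESHOLD:
            findings.append(f"{label}: entropy {ent:.2f} (packed or encrypted?)")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{label}: packer section name")
    return {"findings": findings, "suspicious": bool(findings)}


def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE layout: DOS header, PE signature, COFF header,
    zeroed PE32 optional header, section table, section data."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 magic, rest zero
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew -> 0x40
    table_off = 0x40 + 4 + len(coff) + len(opt)
    data_off = table_off + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), data_off + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += data
    return dos + b"PE\0\0" + coff + opt + table + blobs


# Constructed samples: a plain binary and a UPX-looking one.
BENIGN = build_sample_pe([(b".text", b"\x90" * 256 + b"\xc3" * 256), (b".data", b"\0" * 512)])
PACKED = build_sample_pe([(b"UPX0", b"\0" * 64), (b"UPX1", bytes(range(256)) * 4)])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("packed", PACKED)):
        print(label, score_pe(sample))
```

To run it against a real file, replace the constructed samples with `open(path, "rb").read()`. A UPX-packed binary of legitimate software will score just as "suspicious" as packed malware, which is exactly the point made above: the score selects candidates for manual analysis, it does not classify.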

With these tools you can quickly gather information about any suspicious file. Most of them are free, and the reports they produce are detailed enough to come close to what an antivirus lab would give you.


Building your OWN Malware Lab (Part 1)

Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs invest a great deal of money in analyzing and reversing malware, but for our purposes we can perform much of the analysis with freely available tools on our own PC.

Let's start with www.virustotal.com. When I have a suspicious file, the first thing I do is upload it to VirusTotal. VirusTotal scans the file with more than 40 antivirus products using their latest signature definitions, which gives a clear picture not only of whether the file is safe but also of which AV products detect it. The file can be uploaded directly on the site over SSL or sent by email; you can also install the VirusTotal uploader on your PC, which lets you submit files straight from the context menu. Two caveats: a clean VirusTotal result is not proof that a file is safe, since a freshly packed or customized sample is often not yet detected by anyone, and uploaded samples are shared with the antivirus vendors, so do not upload files that contain confidential data.


Reversing malware today requires knowing how the sample behaves. The analyst has to run the program and observe the changes it makes to the system, but running it on the main system would damage that system. For this we can use Sandboxie, which runs programs in an isolated space that prevents them from making permanent changes to other programs and data on your computer. Once the sample is running under Sandboxie you have a wide choice of tools for detecting and monitoring changes to the system: Process Monitor from Sysinternals, API Monitor, or the free analysis tools from iDEFENSE Labs. Keep in mind that Sandboxie is an application-level sandbox, not a virtual machine: it limits what the sample can change on disk and in the registry, but the sample still runs on your real operating system with your real network connection, and some malware detects sandboxes and behaves differently. For anything you do not trust, use a dedicated virtual or physical machine that is isolated from your network.

CWSandbox is another very useful malware analysis tool, designed around the three criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox traces and monitors all relevant system calls and generates an automated report that describes:

• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, or which network connections were opened and what information was sent over such connections.
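Most of what a sandbox reports about files comes down to a before/after comparison of the file system. As an added example (not CWSandbox's code and not from the original post), the following snapshots a directory tree with SHA-256 hashes, simulates a sample creating, modifying and deleting files, and diffs the two snapshots. The directory layout and file names are constructed for the demo; in a real lab the middle step is running the sample.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, '/' separated) to its SHA-256."""
    seen: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            seen[rel] = h.hexdigest()
    return seen


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Created/deleted/modified paths between two snapshots, each list sorted."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: fake system tree, baseline, simulated sample activity, diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        _write(os.path.join(sys32, "hosts"), b"127.0.0.1 localhost\n")
        _write(os.path.join(sys32, "kernel32.dll"), b"MZ\x90\x00 stand-in binary")
        _write(os.path.join(root, "readme.txt"), b"user file\n")
        before = snapshot(root)

        # Simulated sample activity (what the malware would do while being monitored):
        with open(os.path.join(sys32, "hosts"), "ab") as f:
            f.write(b"127.0.0.1 liveupdate.example-av.invalid\n")   # block AV updates
        _write(os.path.join(sys32, "svchosts.exe"), b"MZ dropped payload")   # typosquatted name
        os.remove(os.path.join(root, "readme.txt"))

        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Take the snapshots from outside the infected environment whenever you can (a mounted disk image, or a VM snapshot compared from the host), because a rootkit can hide files from tools running inside the guest, and compare hashes rather than timestamps, which malware can reset.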

Malware can be very hard to remove, and sometimes the best way to clean an infected machine is to restore the operating system from a known-clean image. This concludes the first part of the Building Your Own Malware Lab series.


Zeus Trojan infects 75,000 corporate machines around the globe

Over the past 18 months more than 75,000 machines worldwide have been infected by the Zeus Trojan, according to the company NetWitness. The infected computers were used to steal banking, social-network and email credentials.

Among the victims are major companies such as Merck, Cardinal Health, Paramount Pictures and Juniper Networks. NetWitness reports that the cybercriminals are probably an Eastern European group operating through a server located in Germany, spreading the malware through emails carrying malicious attachments or by redirecting victims to a malicious website.

The observed activity does not stop there: on 26 January researchers found 76 gigabytes of data stolen by the Trojan, containing some 68,000 corporate logins as well as online banking, Facebook, Yahoo and Hotmail credentials.

According to NetWitness the attackers are still actively exploiting vulnerabilities to spread the malware around the globe and control the infected machines remotely by several means, including the Waledac peer-to-peer botnet.

ZeuS consists of two main parts:
1. Command and control (panel): a set of scripts, including the admin area, installed on the server.
2. Bot: the Win32 Trojan that runs on the victim's machine.

The main features of Zeus, according to its own feature list, are:
1- Invisible in the Windows process list.
2- Bypasses most firewalls.
3- Works under restricted (non-administrator) Windows accounts.
4- The main bot binary is encrypted.
5- Disables the Windows Firewall, which opens the way for incoming messages and commands.
6- All settings, configuration, logs and commands are passed over encrypted HTTP (HTTPS).
7- A separate configuration file lets the bots find the operators again if they lose access to the main server.
8- A backup configuration file is available in case the configuration is lost.
9- Works with any kind of browser because the bot operates through wininet.dll (Internet Explorer, Mozilla Firefox, AOL...).
10- Intercepts all activity on the machine with a built-in keylogger.
11- Simple, transparent redirection of URLs to fake websites (GET/POST requests, etc.).
12- Collects all SSL/TLS certificates imported by the victim and sends them to the server.
13- POP3 and FTP credential grabber.
14- Searches all files on the hard disk and downloads any file the attacker wants.
15- Takes screenshots in real time.

As you can see, a kit like this makes it very easy to get at a person's sensitive information. Keep your AV definitions and system patches up to date for the best protection against new threats, and remember that signatures alone are not enough: the bot binary is encrypted and re-packed precisely to slip past them, so watch for the behaviors listed above (new autorun entries, hosts-file changes, unexpected outbound HTTPS) as well.


Microsoft prepares 13 patches for Next Tuesday

Microsoft has announced that it will release 13 security updates next Tuesday. The new patches fix 26 security vulnerabilities in the Windows operating system and the Microsoft Office suite.

According to the Advance Notification, five of the updates are rated critical and the other eight important. Eleven of the 13 patches fix vulnerabilities in one or more Windows versions; the remaining two are for Office XP and Office 2003 on Windows and Office 2004 for Mac.

Among the patches is a fix for a 17-year-old bug in 32-bit versions of Windows, closing a hole in the subsystem that runs legacy DOS applications. The two recently disclosed critical Internet Explorer vulnerabilities will not be patched in this Tuesday's release.

See the Microsoft Security Bulletin Advance Notification for February 2010 for details.


Apache SpamAssassin New Release

A new version of the Apache SpamAssassin anti-spam filter has been released. The free anti-spam solution is used by hundreds of thousands of organizations around the globe.

Apache SpamAssassin 3.3.0 changes how the spam filtering rules are updated. The rule set is no longer bundled with the main product; it is fetched through the automatic rule update mechanism (sa-update). In previous versions this was available as an option; now it is the only way to get rules, so a fresh 3.3.0 installation filters nothing until sa-update has been run.

SpamAssassin supports a large number of filtering mechanisms, including text analysis, Bayesian filtering, DNS blocklists, collaborative filtering databases and more. Combining these methods improves spam identification and reduces false positives (ham incorrectly marked as spam).

Apache SpamAssassin 3.3.0 can be downloaded from the project site.


Secure Live-CD Ubuntu Privacy Remix 9.04r3 is Out!

The Ubuntu Privacy Remix (UPR) developers have released a new version of their modified Ubuntu Linux, now available for download.

UPR is a live-CD distribution that aims to give users an environment in which personal data can be handled safely; the operating system installed on the computer running UPR is left untouched.

The risk of theft of such private data comes not only from "conventional" criminals but also from trojans, rootkits, keyloggers and the like. Ubuntu Privacy Remix is a tool to protect your data against unsolicited access.

To mitigate these risks Ubuntu Privacy Remix creates such a working environment on any PC with the following measures:

• The system resides on a read-only CD, so spyware and other malicious software cannot be installed permanently.
• The system completely ignores any potentially compromised local (S-)ATA hard disks.
• The system kernel is modified so that it cannot activate any network hardware: no LAN, WLAN, Bluetooth, infrared, etc.
• The system is based on free software whose source code can be verified.
• To ease working with a non-modifiable system, UPR introduces "extended TrueCrypt volumes", which store program configuration such as GnuPG settings and OpenOffice dictionaries permanently and securely inside an encrypted volume.

The OS components, including the kernel, have been updated to recent versions, which removed some bugs and vulnerabilities. In addition to the CD there is a utility to create a bootable USB drive directly from within the protected environment. Note what this design does not cover: a read-only medium and disabled networking protect the software environment, not what sits beneath it, so a hardware keylogger or compromised firmware on the host PC is outside UPR's threat model.

You can download Ubuntu Privacy Remix 9.04r3 from the project site.


Software Failure or 2010 Problem!

The year 2010 began with an unpleasant surprise, not only for system administrators but also for many customers of European banks: many cardholders were unable to use cash machines or pay at terminals. The cause was a date-handling bug in the chip software used by the cards and the ATMs.

The 2010 bugs hit not only ATM software but also a number of software vendors. The first one noticed was in the spam filter SpamAssassin: the default rule FH_DATE_PAST_20XX, meant to flag dates far in the future, matched every date in 2010 and added spam points to every message, so large amounts of legitimate mail were marked as spam and filed in junk folders.
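The FH_DATE_PAST_20XX failure is worth seeing in code. As an added example, not part of the original post, the snippet below reproduces the rule's pattern as shipped and as corrected by the emergency rule update, runs both over a few constructed Date headers, and shows the shape of the fix you actually want: a check that compares against the current year instead of hard-coding a window.

```python
import re
from typing import Dict

# The header rule as shipped (Date =~ /20[1-9][0-9]/) and as corrected.
FH_DATE_PAST_20XX_SHIPPED = re.compile(r"20[1-9][0-9]")   # fires on every year 2010-2099
FH_DATE_PAST_20XX_FIXED = re.compile(r"20[2-9][0-9]")     # fires on 2020-2099 instead

# Constructed sample Date headers.
SAMPLE_DATES = [
    "Thu, 31 Dec 2009 23:59:00 +0000",
    "Fri, 1 Jan 2010 00:01:00 +0000",
    "Sat, 1 Jan 2011 12:00:00 +0000",
    "Tue, 1 Jan 2030 12:00:00 +0000",
]


def rule_hits(date_header: str, rule: "re.Pattern") -> bool:
    """Evaluate a SpamAssassin-style 'Date =~ /.../' header rule on one header."""
    return rule.search(date_header) is not None


def evaluate(rule: "re.Pattern", dates=SAMPLE_DATES) -> Dict[str, bool]:
    """Which sample headers a rule would score."""
    return {d: rule_hits(d, rule) for d in dates}


YEAR_RE = re.compile(r"\b(19\d\d|20\d\d)\b")


def far_future(date_header: str, now_year: int, slack_years: int = 1) -> bool:
    """What the rule was trying to express, without a hard-coded year window:
    the header's year lies more than slack_years beyond the current year."""
    m = YEAR_RE.search(date_header)
    return m is not None and int(m.group(1)) > now_year + slack_years


if __name__ == "__main__":
    for label, rule in (("shipped", FH_DATE_PAST_20XX_SHIPPED), ("fixed", FH_DATE_PAST_20XX_FIXED)):
        print(label)
        for d, hit in evaluate(rule).items():
            print(f"  {d}: {'HIT' if hit else '-'}")
    print("clock-relative check, 2010:", [far_future(d, 2010) for d in SAMPLE_DATES])
```

The corrected pattern still carries a literal year window and would misfire again in 2020; far_future is the form that does not expire. Any detection rule with a year hard-coded in it deserves a calendar reminder, or better, a test like the one above that runs with next year's date.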

Security software company Symantec also had a 2010 problem and published a bulletin reporting a bug in the Symantec Endpoint Protection Manager (SEPM) server: the server would not accept definition updates released after 31/12/2009, leaving users without protection against new malware. In a blog post Symantec stated that it was working on a solution and would update customers when one became available.


Hewlett-Packard Fixes a Bunch of OpenView Vulnerabilities

Hewlett-Packard has released several patches for a batch of vulnerabilities in its OpenView software products and advises administrators to install them immediately to mitigate the risk.

OpenView Network Node Manager (OV NNM) is affected by 12 critical bugs that attackers could use to execute arbitrary code remotely and take control of the system.

The vulnerable versions are OV NNM 7.01 and 7.35 running on HP-UX, Linux, Solaris and Microsoft Windows. Note that the fixes are released only for version 7.53, so administrators running earlier versions must first upgrade to 7.53 and then install the updates.

Eleven of the twelve bugs were reported by TippingPoint; the last was reported by a researcher from IBM's X-Force unit.

So go ahead, review HP's Support Communication security bulletin and act on it as soon as possible.


First Tool to Crack Microsoft BitLocker Encryption

Passware has introduced the first commercial software that can decrypt drives protected by BitLocker. BitLocker is Microsoft's full-disk encryption system, introduced in Windows Vista and also available in Windows 7 and Windows Server 2008.

We already covered the security enhancements in Windows 7 in a previous post (Windows 7 overall security improvement); BitLocker is one of the improvements listed there.

Passware Kit Forensic 9.5 recovers the encryption keys of hard disks, including BitLocker volumes. It works by scanning a physical memory image of the target machine for the cryptographic keys and then using them to decrypt the disk image into a plain, readable image. That detail matters for a practitioner: the keys are only in memory while the volume is mounted, so this is key recovery from a running (or just-running) machine, not a break of BitLocker's encryption. A machine that has been shut down, with the keys protected by a TPM plus PIN, does not expose them this way, which is why powering off rather than sleeping, and a PIN on top of the TPM, are the standard advice.

The software is available in several editions, including a mobile version that runs from a USB stick directly on the target machine without leaving traces on it. It also offers a range of password recovery attacks (Dictionary, Brute-force, Xieve, Known Password/Part, Previous Passwords, Decryptum, SureZip, Join Attacks and Append Attacks), so the attack can be tailored to the file type and the information available, reducing the time the recovery takes.

Currently the tool supports 180 file types and can recover passwords for PGP archives and virtual disks. It runs on Windows 7, Vista, XP, Server 2003 and Server 2008.

You can find more details on the official website.


Attack Hitting Virtual Private Networks & How to Protect Yourself

Virtual private network (VPN) products from Cisco, Juniper and many other vendors are affected by a newly reported vulnerability that puts a large number of customers at risk, according to a report US-CERT issued on Monday.

Clientless SSL VPNs give browser-based access to internal resources such as the corporate mail server or application servers by rewriting the pages they proxy so that everything is served from the VPN's own hostname. That rewriting is the problem: the browser's same-origin policy keys on the hostname, so every site viewed through the VPN, internal or not, runs in the same security context. A malicious page viewed through the VPN can therefore obtain VPN session tokens, read or modify the content of other sites proxied through the VPN (cookies, script or HTML) and monitor keystrokes. Products from more than 90 vendors are affected, including Cisco, Juniper, SafeNet and SonicWall.

There is currently no fix for this problem, but the following workarounds mitigate the risk:

1- Limit URL rewriting to trusted domains. If the VPN server supports it, rewrite URLs only for trusted internal sites; all other sites and domains should not be reachable through the VPN server. Since an attacker only needs to get a user to view a web page through the VPN to exploit this vulnerability, the workaround is less effective when many hosts or domains are reachable through the VPN. When deciding which sites to allow, remember that all allowed sites will share the same security context in the browser.

2- Limit the VPN server's network connectivity to trusted domains. It may be possible to configure the VPN device to reach only specific network domains; the same restriction can also be enforced with firewall rules.

3- Disable URL hiding features. URL obfuscation hides the destination page from the end user, and an attacker can use it to hide the destination of the links they send: for example https:///attack-site.com vs https:///778928801.
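The vulnerability is easiest to understand by looking at what URL rewriting does to the browser's notion of origin. The following is an added example, not code from any vendor's product or from the original post: a toy rewriter in the style of a clientless SSL VPN, an origin check showing that an internal site and an attacker's site collapse into one origin, and the allowlist from workaround 1 applied to the rewriter. The VPN hostname, the trusted-site list and the sample URLs are assumptions.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

VPN_HOST = "vpn.example.com"                                           # assumed VPN hostname
TRUSTED_SITES: Set[str] = {"intranet.corp.local", "mail.corp.local"}   # assumed allowlist


def rewrite_url(target: str, trusted: Optional[Set[str]] = None) -> Optional[str]:
    """Rewrite a URL into the proxied form https://VPN_HOST/<scheme>/<host>/<path>,
    the way a clientless SSL VPN does. With an allowlist, hosts outside it are
    refused (workaround 1); without one, any site on the Internet can be proxied."""
    p = urlsplit(target)
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    host = p.hostname.lower()
    if trusted is not None and host not in trusted:
        return None
    if p.port:
        host = f"{host}:{p.port}"
    path = p.path or "/"
    if p.query:
        path += "?" + p.query
    return f"https://{VPN_HOST}/{p.scheme}/{host}{path}"


def browser_origin(url: str) -> str:
    """The scheme://host[:port] tuple the same-origin policy keys on."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def origins_collide(a: str, b: str, trusted: Optional[Set[str]] = None) -> bool:
    """True when both URLs are proxied and end up in the same browser origin."""
    ra, rb = rewrite_url(a, trusted), rewrite_url(b, trusted)
    return ra is not None and rb is not None and browser_origin(ra) == browser_origin(rb)


# Constructed sample URLs: an internal application and an attacker's page.
INTERNAL = "https://intranet.corp.local/mail/inbox"
ATTACK = "https://attack-site.com/evil.html"

if __name__ == "__main__":
    for url in (INTERNAL, ATTACK):
        print(f"{url}\n  direct origin : {browser_origin(url)}\n  via VPN       : {rewrite_url(url)}")
    print("same origin through the VPN, no allowlist :", origins_collide(INTERNAL, ATTACK))
    print("attacker URL with allowlist               :", rewrite_url(ATTACK, TRUSTED_SITES))
    print("same origin through the VPN, with allowlist:", origins_collide(INTERNAL, ATTACK, TRUSTED_SITES))
```

Viewed directly, the two sample pages have different origins and the browser keeps them apart; through the VPN both become https://vpn.example.com, and script from one can read the other's cookies and DOM. The allowlist does not change the origin model, it only keeps untrusted pages out of it, which is why workaround 1 helps less the more sites it admits.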

It is also important to contact your vendor to ask whether your product is affected and whether a patch for this bug is available.

See the US-CERT report for the full advisory.
