Archives in January, 2011

Tools

While I was looking over my tools list, I noticed that I have not included a couple of tools that I use on a daily basis for reverse engineering malware.

The first one is Frank Boldewin’s OfficeMalScanner. OfficeMalScanner is an MS Office forensic tool to scan for malicious traces, like shellcode heuristics, PE files or embedded OLE streams. It supports disassembly and hexview as well as an easy brute-force mode to detect encrypted files.

The second is Didier Stevens’ PDF Tools. PDF Tools includes pdf-parser.py, make-pdf-javascript.py, and pdfid.py. Pdf-parser and pdfid are obviously the most popular and most used in the reverse engineering community. Pdf-parser.py will parse a PDF document to identify the fundamental elements used in the analyzed file. Pdfid.py is not a PDF parser, but it will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened.
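The kind of keyword scan described above can be sketched as follows. This is an added example, not Didier Stevens’ pdfid.py code: the keyword list is a subset chosen for illustration, the sample bytes are constructed, and the example goes a step beyond the text by decoding #xx escapes in PDF names so that an obfuscated /J#61vaScript is still counted.

```python
import re

# Subset of PDF names worth flagging during triage (assumed list for this example).
KEYWORDS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(name: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), name)

def scan(data: bytes) -> dict:
    """Count flagged names in raw PDF bytes, tracking how many were hex-obfuscated.

    Only the raw bytes are scanned, so names inside compressed streams are not seen.
    """
    counts = {k.decode(): {"total": 0, "obfuscated": 0} for k in KEYWORDS}
    for match in _NAME.finditer(data):
        raw = match.group(0)
        key = normalize_name(raw).decode("latin-1")
        if key in counts:
            counts[key]["total"] += 1
            if raw != normalize_name(raw):
                counts[key]["obfuscated"] += 1
    return counts

def flagged(data: bytes) -> list:
    """Return the flagged names that occur at least once, sorted."""
    return sorted(k for k, v in scan(data).items() if v["total"] > 0)

# Constructed sample: a catalog with an open action pointing at a JavaScript action.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert(1);) >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, c in scan(SAMPLE).items():
        print(f"{name:15} {c['total']} (obfuscated: {c['obfuscated']})")
```

A non-zero count is a reason to open the file in a real parser such as pdf-parser.py, not a verdict on its own.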

And speaking of the PDF Tools, a friend of mine put together an Ubuntu PPA repository to easily add the PDF Tools to your Ubuntu workstation. To add the PDF Tools using his PPA, do the following:

sudo apt-add-repository ppa:pi-rho/security
sudo apt-get update
sudo apt-get install pdf-tools

In addition to the PDF Tools, he has included nmap-5.35DC1, kismet-newcore, tshark 1.4.3, and wireshark 1.4.3.

Microsoft warns of zero-day Windows vulnerability

Microsoft warned yesterday that hackers have published proof of concept code for attacking a previously unknown security hole in all versions of Windows that could be exploited to run malicious scripts when visiting various Web sites. Once exploited, the vulnerability would allow an attacker to have access to the user’s browser, potentially allowing an attacker to harvest user information or perform cross-site scripting and spoofing attacks.

Microsoft published an advisory about the vulnerability, which is due to the way Windows handles MHTML code.

Microsoft said it may issue a patch to fix the flaw, but that in the meantime IE users who are concerned about this threat can follow several suggested actions listed in the advisory.

Sourceforge Hacked

After dealing with several unplanned outages on Wednesday, Sourceforge determined that they were the result of an attack. On Thursday, Sourceforge released a message saying that they had detected a direct targeted attack that resulted in an exploit of several SourceForge.net servers, and that they had decided to shut down the site.

Sourceforge posted, “Once the immediate response to this attack is over, we will be providing a much more detailed account of what’s happened, and what specific actions we are taking to prevent further exploits.”


NSA Video Demonstrates a Virtual Machine Escape

This is an interesting video produced by the NSA that demonstrates an attacker escaping a virtual machine to exploit the host OS.


Does anyone recognize Bruce?


Facebook Offers Protection Against Wireless Firesheep Attack

Facebook is rolling out a more secure way to connect to its website, which will protect users from a widely publicized wireless networking attack called Firesheep. The social-networking site starting Wednesday will let users connect to Facebook using an HTTPS secure Web connection, which offers extra assurance that they’re connecting to the website that they intend to reach, while also encrypting the data sent between the PC and Facebook.

Wow, here’s a new concept. A site that requires the user to log in with credentials that are most likely the same credentials used for the email address they signed up for Facebook with, and now you can protect them. Secure sites have been using HTTPS for years. Why has it taken a site like Facebook so long to offer a more secure way to log in? Surely, out of the 25 billion dollars that Facebook is worth, they could have afforded the purchase of a certificate a long time ago.

For the time being though, Facebook users will need to change their security settings to turn on the HTTPS option. Oh, by the way, it’s not yet available to all users. The company does expect it to gradually become more widespread.


Fedora System Compromised, But No Changes Made

The infrastructure of the Fedora Project was compromised over the weekend and an account belonging to a Fedora contributor was taken over by an attacker. However, Fedora officials said they don’t believe that the attacker was able to push any changes to the Fedora package system or make any actual changes to the infrastructure.

The attack appears to have targeted one specific user account, which had some high-value privileges. The attacker was able to compromise the account externally, and then had the ability to connect remotely to some Fedora systems. The attacker also changed the account’s SSH key, Fedora officials said.

“Based on the results of our investigation so far, we do not believe that any Fedora packages or other Fedora contributor accounts were affected by this compromise,” Jared Smith, the Fedora project leader, said in an email to the Fedora Project mailing list.


Stolen Java Code Shipping with Android…Maybe Not

Reported earlier on FOSSPatents by Florian Mueller (as well as Engadget), Oracle supposedly had new evidence to support their suit against Google for patent infringement. 43 source files that were written specifically for Java turned up in Android’s source code. The overzealous patent troll also made the following claim:

“In light of the evidence I found (and which anyone can verify by downloading the original material), I believe some commentators grossly overrated Google’s defense when they interpreted it as accusing Oracle of manipulating or manufacturing evidence.”

Well, stop the press.

It seems that after further analysis of the files in question, Ed Burnette of ZDNet has concluded that there are in fact no instances of copied code shipping directly with Android. It appears the first set of 7 files are in the unit test area of the source code tree for running internal tests by developers. The second set of 37 files is actually zipped up into one file called MMAPI.zip and tucked away in a directory used for native code audio drivers for one particular type of chip set. The files were evidently used for development and neither set of files actually shipped with Android.

Major websites are Hacked and Up for Sale

Imperva blogged yesterday about a hacker who claims to have access to and control over several top .gov, .mil and .edu Web sites. While Imperva blocked out the websites, I found that Brian Krebs actually posted the screenshots without blackouts. The hacker is advertising full control and root access to cecom.army.mil as well as many major websites. All this can be yours for as much as $499 a website.


Imperva mined this hacker’s postings on other forums, and found evidence that he was able to hijack the sites via SQL injection vulnerabilities, most likely with the help of an automated vulnerability scanner.

Exposing the Google Password Secrets

Nagareshwar Talekar of Security Xploded just released a complete disclosure on the Google password storage mechanism and encryption methods used by various Google applications, including GTalk, Picasa, GDesktop, etc., and by other popular browsers. The write-up is complete with cryptography code examples for decryption of Google passwords for all these applications.

Also released with the write-up of his research work is GooglePasswordDecryptor. GooglePasswordDecryptor is a tool used to recover Google account passwords stored by various Google applications as well as popular web browsers.

At the time of this blog, I have not looked into the GooglePasswordDecryptor tool, so I can neither recommend nor reject the use of this tool. But I guarantee you that I will look into it over the next few days and see if it is a viable tool to add to the toolkit.


Did a US government lab help Israel develop Stuxnet?

Questions have been raised about the involvement of US government researchers in the creation of a digital weapon that experts believe may have sabotaged centrifuges at a uranium-enrichment plant in Iran.

Researchers at the Idaho National Laboratory, which is owned by the US Department of Energy, may have passed critical information to Israel about vulnerabilities in a system that controls Iran’s enrichment plant at Natanz. That information was then used to create and test the so-called Stuxnet worm that was unleashed in a joint cyber attack on Natanz, according to the New York Times.

The report, based on anonymous sources, is sparse on detail, but asserts that in 2008 INL worked with the German firm Siemens to uncover vulnerabilities in its industrial control system. Stuxnet was then created to exploit those vulnerabilities and was tested at a lab at Israel’s nuclear facility in Dimona. The Dimona facility, according to the Times, has been involved in a joint US-Israel operation for the last two years to thwart Iran’s production of enriched uranium and forestall its development of a nuclear weapon.
