Wednesday, December 30, 2009

DECAF is Back


Hey Folks, today I wanna report the DECAF history, in the DECAF team's own words:




We originally pulled the app because of legal pressure. DECAF v1 originally set out to restrict forensic extractions made by Microsoft COFEE, and it raised major concerns about its ethical nature and its potential to disrupt criminal investigations. By disabling the application, we freed ourselves from any damage that might have happened in the event DECAF v1 was used to block forensic examiners from extracting data. We used the words "publicity stunt" because when we pulled DECAF v1 offline and disabled the applications, we got a lot of media attention. We decided to use that channel to raise awareness for better security and more privacy tools.

After the interview with Cyberspeak, we had a nice long phone conversation. During that time, they informed me of my hazardous circumstances and gave me excellent advice: take DECAF down. Of course, if you know anything about them over at Cyberspeak, you would know they are very intelligent about more than just forensics. They are pretty well versed in federal statutes. It would be silly of me to think that I knew more than them, so I followed their advice and pulled the app.

As you know, this caused major conflict in the underground scene. We started getting denial-of-serviced, flamed on forums, and SoldierX even did a pretty good job re-activating DECAF v1. We are definitely not mad at SoldierX for that; can you blame them? Everyone wants privacy. Not to mention DECAF v2 was already cookin' in the kitchen, so it was only a matter of time before it would be released.

Now I want to address the phone-home feature in DECAF v1. As you know, we were going to tailor the app towards the p2p private tracker scene. We were going to use the phone-home feature to notify private tracker admins of a seeder/node who had COFEE run on his/her machine. This feature was not complete before release, but we did have it semi-working, hence the COFEE usage reporting. Some saw this as a privacy issue, which from that perspective I can see why. We decided v2 will not report usage back. We also do not perform automated version checking.

The disabling of v1 was NOT a hook in the application. It was bad coding. I did not use a try/catch on the version checking, so if it failed, the app failed. Of course the app was coded in a 1-2 day timeframe, so can you blame me? Bad practice, I guess. Anyhow, when I adjusted the version check on the server side, it caused the application to return a null string, causing an unhandled exception.

Version 2 is finished. We are now monitoring Microsoft COFEE, Helix, EnCase, Passware, Elcomsoft, FTK Imager Port, Forensic Toolkit, ISOBuster, and ophcrack. We also give the user the ability to add their own custom signatures. We have also added CD-ROM monitoring. We no longer execute a "self-destructive lock-down mode" but rather give the user the ability to execute files, to disable the device where the signatures were found, and to start up in monitor mode.



Thank you, DECAF team, for your amazing job; I really appreciate your effort. Now, may I ask you a question: what about the source code? Is it available?


Here is the direct link (no ads) to DECAF.

Monday, December 28, 2009

Twitter's Password Blacklist

Hey folks, I just got this from friends.
The reason I present it is that it's an interesting study of what Twitter considers a bad password. I would guess that many of these passwords were taken from published lists of passwords used when cracking accounts. If you currently use passwords that resemble any of those listed below, I'd encourage you to change them as soon as possible.

111111
11111111
112233
121212
123123
123456
1234567
12345678
131313
232323
654321
666666
696969
777777
7777777
8675309
987654
aaaaaa
abc123
abc123
abcdef
abgrtyu
access
access14
action
albert
alexis
amanda
amateur
andrea
andrew
angela
angels
animal
anthony
apollo
apples
arsenal
arthur
asdfgh
asdfgh
ashley
august
austin
badboy
bailey
banana
barney
baseball
batman
beaver
beavis
bigdaddy
bigdog
birdie
bitches
biteme
blazer
blonde
blondes
bond007
bonnie
booboo
booger
boomer
boston
brandon
brandy
braves
brazil
bronco
broncos
bulldog
buster
butter
butthead
calvin
camaro
cameron
canada
captain
carlos
carter
casper
charles
charlie
cheese
chelsea
chester
chicago
chicken
cocacola
coffee
college
compaq
computer
cookie
cooper
corvette
cowboy
cowboys
crystal
dakota
dallas
daniel
danielle
debbie
dennis
diablo
diamond
doctor
doggie
dolphin
dolphins
donald
dragon
dreams
driver
eagle1
eagles
edward
einstein
erotic
extreme
falcon
fender
ferrari
firebird
fishing
florida
flower
flyers
football
forever
freddy
freedom
gandalf
gateway
gators
gemini
george
giants
ginger
golden
golfer
gordon
gregory
guitar
gunner
hammer
hannah
hardcore
harley
heather
helpme
hockey
hooters
horney
hotdog
hunter
hunting
iceman
iloveyou
internet
iwantu
jackie
jackson
jaguar
jasmine
jasper
jennifer
jeremy
jessica
johnny
johnson
jordan
joseph
joshua
junior
justin
killer
knight
ladies
lakers
lauren
leather
legend
letmein
little
london
lovers
maddog
madison
maggie
magnum
marine
marlboro
martin
marvin
master
matrix
matthew
maverick
maxwell
melissa
member
mercedes
merlin
michael
michelle
mickey
midnight
miller
mistress
monica
monkey
monkey
monster
morgan
mother
mountain
muffin
murphy
mustang
naked
nascar
nathan
naughty
ncc1701
newyork
nicholas
nicole
nipple
nipples
oliver
orange
packers
panther
panties
parker
password
password
password1
password12
password123
patrick
peaches
peanut
pepper
phantom
phoenix
player
please
pookie
porsche
prince
princess
private
purple
pussies
qazwsx
qwerty
qwertyui
rabbit
rachel
racing
raiders
rainbow
ranger
rangers
rebecca
redskins
redsox
redwings
richard
robert
rocket
rosebud
runner
rush2112
russia
samantha
sammy
samson
sandra
saturn
scooby
scooter
scorpio
scorpion
secret
sexsex
shadow
shannon
shaved
sierra
silver
skippy
slayer
smokey
snoopy
soccer
sophie
spanky
sparky
spider
squirt
srinivas
startrek
starwars
steelers
steven
sticky
stupid
success
summer
sunshine
superman
surfer
swimming
sydney
taylor
tennis
teresa
tester
testing
theman
thomas
thunder
thx1138
tiffany
tigers
tigger
tomcat
topgun
toyota
travis
trouble
trustno1
tucker
turtle
twitter
united
vagina
victor
victoria
viking
voodoo
voyager
walter
warrior
welcome
whatever
william
willie
wilson
winner
winston
winter
wizard
xavier
xxxxxx
xxxxxxxx
yamaha
yankee
yankees
yellow
zxcvbn
zxcvbnm
zzzzzz
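
A blacklist like this is only useful if the check catches the obvious variations too, not just exact matches: "Monkey2009!" and "p@ssw0rd" are the same guess to a cracker. The following is an added example (my own code, not Twitter's check and not anything from the list above) that folds a candidate password back to the dictionary word it is built from, undoing trailing or leading digits and symbols, common leet substitutions and reversal, before comparing it against an excerpt of the list. The excerpt, the substitution table and the six-character substring rule are my own assumptions; a real deployment would load the full list.

```python
import re
from typing import Iterable, Optional

# Constructed excerpt of the list above; a real check would load the whole list.
BANNED = {
    "123456", "12345678", "password", "password1", "letmein", "qwerty",
    "trustno1", "monkey", "abc123", "iloveyou", "twitter", "ncc1701",
}

# Undo the most common "leet" substitutions so "p@ssw0rd" reads as "password".
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
# Digits and symbols that users bolt on to an otherwise dictionary password.
DECORATION = r"[\d\W_]+"


def variants(password: str):
    """The simpler forms a password collapses to once its decoration is undone."""
    base = password.strip().lower()
    forms = {base, base[::-1]}                                  # drowssap -> password
    forms.add(re.sub(DECORATION + "$", "", base))               # monkey2009! -> monkey
    forms.add(re.sub("^" + DECORATION, "", base))               # 1qwerty -> qwerty
    forms |= {f.translate(UNLEET) for f in forms}               # p@ssw0rd -> password
    return {f for f in forms if f}


def resembles_banned(password: str, banned: Iterable[str] = BANNED) -> Optional[str]:
    """Return the banned entry the password is built from, or None if it is clean."""
    forms = variants(password)
    longest_first = sorted(banned, key=len, reverse=True)
    for word in longest_first:                                  # exact match of any form
        if word in forms:
            return word
    for word in longest_first:                                  # banned word buried inside
        if len(word) >= 6 and any(word in f for f in forms):    # a longer one ("mypassword2009")
            return word
    return None


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2009!", "monkey2009", "drowssap", "correct horse battery staple"):
        print(f"{candidate!r:35} -> {resembles_banned(candidate)}")
```

The check deliberately errs on the side of rejecting: a user who is told "that is just 'monkey' with a year on it" picks something better, whereas an exact-match filter teaches them that a trailing digit is enough.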

Old Fashion Microsoft IIS Vulnerability


An old-fashioned vulnerability has been discovered in Microsoft Internet Information Services (IIS), where the server incorrectly interprets file names containing multiple extensions separated by the ";" character.




The file "aspShell.asp;.jpg" is interpreted by web applications as a normal JPEG file, while IIS considers it an ASP file to be executed.

This allows attackers to upload malicious executables to the vulnerable web server, bypassing the normal file extension protections. In the case of "aspShell.asp;.jpg", the web application considers it a JPEG file, whereas IIS
considers it an ASP file and passes it to "asp.dll". This bug does not work with ASP.NET, as the .NET handler cannot recognize "aspShell.asp;.jpg" as a .NET file and returns a "page not found" error. Besides the semicolon, ":" can be used to create an empty file with any arbitrary extension. For example, by uploading "test.asp:.jpg", an empty ASP file, "test.asp", would be created on the server on an NTFS partition. This is due to "NTFS Alternate Data Streams" and is completely different from the semicolon vulnerability.

The bug was discovered in April 2008 but was only reported publicly on 25 December 2009.

This vulnerability has a very high impact on IIS as the attacker can bypass file extension protections by using a semi-colon after an executable extension such as “.asp”, “.cer”, “.asa”, and others.
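
To see why a "last extension" check fails here, the following added example (my own code, not part of the original advisory and not IIS code) contrasts a naive upload filter with a model of the IIS 6 name handling described above and with a hardened filter. The model in iis6_effective_name is an assumption that reproduces only the two behaviours the text describes, cutting the name at ";" and at the NTFS stream separator ":"; the allowed and executable extension sets are illustrative.

```python
import os

# Illustrative sets: what IIS 6 hands to a script engine, and what the upload form allows.
EXECUTABLE = {".asp", ".asa", ".cer", ".cdx"}
ALLOWED_UPLOAD = {".jpg", ".jpeg", ".png", ".gif"}
FORBIDDEN_CHARS = set(";:/\\\x00")   # separators that let two parsers disagree


def naive_extension(name: str) -> str:
    """What a typical upload filter looks at: the text after the last dot."""
    return os.path.splitext(name)[1].lower()


def naive_filter_accepts(name: str) -> bool:
    return naive_extension(name) in ALLOWED_UPLOAD


def iis6_effective_name(name: str) -> str:
    """Assumed model of the behaviour described above, not IIS code: the server
    stops reading the name at the first ';', and a ':' names an NTFS alternate
    data stream of the file before it, so the on-disk file is the part before ':'."""
    return name.split(";", 1)[0].split(":", 1)[0]


def iis6_executes(name: str) -> bool:
    """Would IIS 6 pass a file stored under this name to a script engine?"""
    return naive_extension(iis6_effective_name(name)) in EXECUTABLE


def hardened_filter_accepts(name: str) -> bool:
    """Accept only names every parser reads the same way: printable, no path or
    stream separators, exactly one extension, and that extension on the allow-list."""
    if not name or not name.isprintable() or FORBIDDEN_CHARS & set(name):
        return False
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or not stem or "." in stem:      # "x.asp.jpg" and ".jpg" are both refused
        return False
    return "." + ext in ALLOWED_UPLOAD and "." + ext not in EXECUTABLE


if __name__ == "__main__":
    for name in ("holiday.jpg", "aspShell.asp;.jpg", "test.asp:.jpg", "holiday.asp.jpg"):
        print(f"{name:20} naive={naive_filter_accepts(name)!s:5} "
              f"iis6_runs_it={iis6_executes(name)!s:5} hardened={hardened_filter_accepts(name)}")
```

The hardened filter refuses any name that two parsers could read differently; the safest option is to discard the client-supplied name entirely and store uploads under a server-generated name with a fixed extension in a directory where script execution is disabled.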


To read more about the vulnerability, and for some examples, see here.

Sunday, December 27, 2009

Back From Napa


After 3 full days in Napa I'm back in Davis.
I had an awesome Christmas with my friends Ryan and Katie at "The Craftsman Inn".



Napa Valley seems to be the US's Tuscany: wineries, hills full of grapes, good wine and, of course, wine tasting tours. Everybody becomes friends, singing and laughing together, after a good round of wine ... according to the old "well-known" Latin saying:





:D

Wednesday, December 23, 2009

Microsoft, Avast and McAfee Missing Simple Tests

Using the simple "Quick'n Dirty" EICAR-GTUBE-Generator 0.1 (here the latest version), I hid the EICAR signature inside a simple PDF file. Now let's give this PDF to the AVs and see what happens.

Here are the "fun" results (click to enlarge):




Isn't it weird that some AV leaders such as Microsoft, Avast and McAfee miss this easy check?
Now my question comes easily ... How can we be sure they recognize more complicated viruses if they miss this easy signature check?

More reading: Here, Here and Here

New Version of EICAR-GTUBE-Generator

Hi Folks, a quick post before Christmas Eve. I've just released a new "Quick'n Dirty" version of EICAR-GTUBE-Generator.

New features:

Version 0.1 injects EICAR inside PDF files




Here are the source code and the executables:

1) EICAR-GTUBE-Generator-Jar0.1
2) EICAR-GTUBE-Generator-Sources0.1

Tuesday, December 22, 2009

EICAR and GTUBE Generator - Anti-Virus Results


Analyzing the EICAR-GTUBE-Generator with a common multi-anti-virus platform like VirusTotal, it seems no AV recognizes the EICAR-GTUBE-Generator as an EICAR generator (and so, in some way, as a malware generator). Here is the proof (click to enlarge):



Now, my question is: do the AVs truly analyze the EICAR signature, or do they apply simple pattern matching?
On the other hand, analyzing the resulting EICAR.com file is even more fun:



First of all, Prevx.com does not recognize the EICAR file. That's very interesting to me. They claim to be:

"PC and Internet Security powered by the World's largest real time threat database..."

But they don't recognize one of the most famous strings in the AV community. So guys, are you sure you have the world's largest DB? Maybe you need a little "back to basics" policy?
Anyway, the second interesting thing is Microsoft's AV, which recognizes EICAR but as a virus (in fact, at the beginning there is the label Virus:). That is technically wrong. All the other tested AVs did a good job labeling EICAR as a warning/test file. Why does Microsoft recognize EICAR as a virus and not as a standard test file? Maybe this is just the tip of an iceberg of wrong pattern recognition in Microsoft's AV? I'll check it out soon!

Sunday, December 20, 2009

EICAR and GTUBE Generator

Hi Folks,
today I wanna share a little but interesting (at least to me) piece of software for testing anti-virus and anti-spam engines. I called it EICAR-GTUBE-Creator, and it's a little utility that creates at run time the EICAR anti-virus test file and the GTUBE anti-spam test mail.

The EICAR test file (official name: EICAR Standard Anti-Virus Test File) is a file, developed by the European Institute for Computer Antivirus Research, to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and AV programmers to test their software without having to use a real computer virus that could cause actual damage should the AV not respond correctly. EICAR likens the use of a live virus to test AV software to setting a fire in a trashcan to test a fire alarm, and promotes the EICAR test file as a safe alternative.


The GTUBE (Generic Test for Unsolicited Bulk Email) is a 68-byte test string used to test anti-spam solutions, notably those based on SpamAssassin. In SpamAssassin it carries an anti-spam score of 1000 by default, which is sufficient to trigger any installation.


The EICAR anti-virus test file is great for testing your anti-virus software, but it's not easy to handle, because your anti-virus software keeps deleting it. For this reason I came up with this utility. Here is the main window: by clicking on the EICAR button, the utility generates the EICAR file in the current directory. Your AV should detect it immediately! This utility can also be used to measure how quickly an AV detects this file.

Here is the GTUBE window. Basically you have to send one email to the test mailbox, and the utility will automatically add the GTUBE "infection".
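
The utility's two jobs, producing the EICAR file and the GTUBE mail, fit in a few lines of Python. The following is an added example written for this post (my own code, not the Java source of EICAR-GTUBE-Creator), and it also serves the "EICAR inside a PDF" experiment in the post above. Two details matter in practice: the strings are assembled from fragments at run time so that the script itself is not an EICAR file an on-access scanner would quarantine, and the writer enforces EICAR's own rule that a test file must begin with the 68-byte string, may be followed only by whitespace, and must not exceed 128 bytes; a scanner is not required to flag the string anywhere else. The e-mail addresses are placeholders.

```python
import os
import time
from email.message import EmailMessage
from typing import Optional

# Both test strings are built from fragments at run time, so this script is not
# itself a 68-byte EICAR file that an on-access scanner would quarantine.
_EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
                "EICAR-STANDARD-ANTIVIRUS-TEST-FILE", "!$H+H*")
_GTUBE_PARTS = ("XJS*C4JDBQADN1.NSBN3*2IDNEN*",
                "GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL", "*C.34X")
EICAR_MAX_LEN = 128
EICAR_TRAILING = b" \t\r\n\x1a"   # the only bytes EICAR allows after the string


def eicar_string() -> str:
    return "".join(_EICAR_PARTS)        # exactly 68 characters


def gtube_string() -> str:
    return "".join(_GTUBE_PARTS)        # exactly 68 characters


def is_valid_eicar_content(data: bytes) -> bool:
    """EICAR's rule: the file starts with the string, anything after it is whitespace,
    and the whole file is at most 128 bytes. A scanner need not flag the string when
    it sits anywhere else, for instance buried inside a PDF."""
    sig = eicar_string().encode("ascii")
    tail = data[len(sig):]
    return (data.startswith(sig) and len(data) <= EICAR_MAX_LEN
            and all(b in EICAR_TRAILING for b in tail))


def write_eicar(path: str, trailing: bytes = b"") -> int:
    """Write a valid EICAR test file and return the number of bytes written."""
    data = eicar_string().encode("ascii") + trailing
    if not is_valid_eicar_content(data):
        raise ValueError("only whitespace may follow the 68-byte string, total <= 128 bytes")
    with open(path, "wb") as fh:
        return fh.write(data)


def seconds_until_removed(path: str, timeout: float = 10.0, poll: float = 0.05) -> Optional[float]:
    """How long the on-access scanner takes to quarantine the file (None = still there)."""
    start = time.monotonic()
    while time.monotonic() - start < timeout:
        if not os.path.exists(path):
            return time.monotonic() - start
        time.sleep(poll)
    return None


def gtube_message(sender: str, recipient: str) -> EmailMessage:
    """Anti-spam test mail: the GTUBE line anywhere in the body scores 1000 in SpamAssassin."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "GTUBE anti-spam test"
    msg.set_content("If the filter works, this message never reaches the inbox:\n\n"
                    + gtube_string() + "\n")
    return msg


if __name__ == "__main__":
    # Placeholder addresses; hand the message to smtplib against your own test mailbox.
    print(gtube_message("tester@example.org", "spamtrap@example.org"))
    n = write_eicar("eicar.com")
    print(f"wrote {n} bytes; removed after {seconds_until_removed('eicar.com')} s")
```

Because of the length rule, an EICAR string appended to or embedded in a larger file is outside what the test file definition promises, so the interesting measurement is seconds_until_removed on the plain 68-byte file rather than on a wrapped one.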



Finally, the source code and the executable (JAR, platform independent):

Java (platform independent) executable (jar)
Java source code (built with NetBeans 6.5.1)


Enjoy your testing

Cool and Free Software KeyLogger

Hi Folks, today I wanna share a very cool software keylogger.
It's written in C++ and uploads the logged actions (keyboard, mouse, keyboard combos, etc.) over FTP to your personal FTP server. Here is the link. Keep in mind that the FTP host and credentials are compiled into the binary and that FTP carries both the login and the logs in clear text, so anyone who obtains the executable or captures the traffic can read them.

What you need to edit to fit it to your system are the following lines (click on the images to enlarge):



And if you wish to modify the file name, you have to change these other lines (click on the images to enlarge):




I've used it a couple of times and it works fine under Windows systems. If you want a more professional keylogger, you may modify this code just a little to obtain great results.

Wednesday, December 16, 2009

Free Huge Password Dictionary


Today I wanna share a huge piece of work done during the last few years; traveling a lot, it has been very useful to me. You know, WPA2 was the main target, but you can really use it in a lot of different ways. It seems very difficult to find a good and free password dictionary around the internet: for some of them you have to pay, for others you have to wait a long time on torrents or P2P. So finally I decided to share my personal one :D, on RapidShare. There is still a lot to do with this huge password dictionary (I'm thinking of optimization and upgrading), so if someone interested wants to upgrade or optimize the dictionary, I'll be very glad. If you are planning to modify it, please let me know, so that I can update the RapidShare files and keep an always up-to-date Free Password Dictionary repository.

Here the link to download the Free Password Dictionary:



Ok, after you have downloaded all the zip files into a folder (let's say DictionaryFolder) and unzipped them, you can unify the chunks into the huge password dictionary file simply using the cat command (use a single > so that re-running it does not append a second copy):

cat x* > MyHugePasswordDictionary.txt

If you wanna use "MyHugePasswordDictionary.txt" with aircrack-ng, you need to split it into small 2MB files. To do that you can simply use the split Unix command, as in the following example. With GNU split, prefer -C over -b: -b cuts at an exact byte count and can slice a password in half at the chunk boundary, while -C breaks only at line ends. The part_ prefix keeps the new chunks from overwriting the downloaded x* files.

split -C 2m MyHugePasswordDictionary.txt part_

At the end of the process you'll find several files of at most 2MB (part_aa, part_ab, ...) inside your "DictionaryFolder" directory.
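
Beyond cat and split, a wordlist aimed at WPA2 benefits from some cleaning before it is handed to aircrack-ng: duplicates waste cracking time, and any line shorter than 8 or longer than 63 characters, or containing non-ASCII bytes, can never be a WPA/WPA2 passphrase (802.11i fixes the passphrase at 8 to 63 ASCII characters). The following is an added example (my own code, not the dictionary itself and not aircrack-ng tooling) that streams the downloaded chunks in order, filters and de-duplicates them, and writes line-aligned output files of at most a given size, the equivalent of split -C. The sample chunks in build_demo are constructed inline so the script runs offline, and the 2 MB default simply mirrors the post.

```python
import os
import tempfile
from typing import Iterable, List

WPA_MIN, WPA_MAX = 8, 63   # 802.11i: a PSK passphrase is 8..63 printable ASCII characters


def merge_chunks(paths: Iterable[str]) -> Iterable[str]:
    """Stream the lines of the split files in name order, tolerating CRLF and bad bytes."""
    for path in sorted(paths):
        with open(path, "rb") as fh:
            for raw in fh:
                yield raw.rstrip(b"\r\n").decode("utf-8", "replace")


def clean_for_wpa(words: Iterable[str]) -> List[str]:
    """Drop duplicates and anything that cannot be a WPA/WPA2 passphrase; keep order."""
    seen, out = set(), []
    for w in words:
        if not (WPA_MIN <= len(w) <= WPA_MAX) or not w.isascii() or not w.isprintable():
            continue
        if w in seen:
            continue
        seen.add(w)
        out.append(w)
    return out


def split_by_size(words: List[str], out_dir: str,
                  max_bytes: int = 2 * 1024 * 1024, prefix: str = "part_") -> List[str]:
    """Write words into files of at most max_bytes each without ever cutting a word."""
    paths, batch, size = [], [], 0
    for w in list(words) + [None]:           # None is a sentinel that flushes the last batch
        if w is not None and size + len(w) + 1 <= max_bytes:
            batch.append(w)
            size += len(w) + 1               # +1 for the newline
            continue
        if batch:
            path = os.path.join(out_dir, f"{prefix}{len(paths):04d}.txt")
            with open(path, "w", encoding="ascii", newline="\n") as fh:
                fh.write("\n".join(batch) + "\n")
            paths.append(path)
        batch, size = ([w], len(w) + 1) if w is not None else ([], 0)
    return paths


def build_demo(out_dir: str = "") -> dict:
    """Constructed chunks standing in for the downloaded x* files; runs the whole pipeline."""
    out_dir = out_dir or tempfile.mkdtemp()
    chunks = {
        "xaa": b"password\r\nshort\nletmein123\nnapa valley\n",
        "xab": b"password\n" + b"A" * 64 + b"\ncaf\xc3\xa9 latte\nwinetasting2009\n",
    }
    for name, data in chunks.items():
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(data)
    words = clean_for_wpa(merge_chunks(os.path.join(out_dir, n) for n in chunks))
    files = split_by_size(words, out_dir, max_bytes=32)   # tiny limit so the split is visible
    return {"dir": out_dir, "words": words, "files": files}


if __name__ == "__main__":
    result = build_demo()
    print(result["words"])
    for path in result["files"]:
        print(path, os.path.getsize(path), "bytes")
```

On the real dictionary, call clean_for_wpa(merge_chunks(glob.glob("x*"))) and split_by_size with the default limit; the filter alone usually removes a large share of a merged list, which is time aircrack-ng would otherwise spend on guesses the protocol rules out.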

Enjoy !

Monday, December 14, 2009

Detect and Eliminate Computer Assisted Forensics (DECAF)

Hey Folks,
today I wanna point out this interesting tool, called DECAF. It's an anti-COFEE tool, COFEE being Microsoft's Computer Online Forensic Evidence Extractor.

As many of you probably remember ....

Computer Online Forensic Evidence Extractor (COFEE) is designed exclusively for use by law enforcement agencies. COFEE brings together a number of common digital forensics capabilities into a fast, easy-to-use, automated tool for first responders. And COFEE is being provided, at no charge, to law enforcement around the world.
With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.


The new software against COFEE seems to be really useful for everybody who needs maximum privacy and for those who don't like being investigated. The web site claims:



DECAF is a counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.
DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
DECAF is highly configurable, giving the user complete control over on-the-fly scenarios. In a moment's notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE's presence by sending the application into a 'Spill the cofee' type mode. Simulation gives the user an opportunity to test his or her configuration before going live.
Future versions will have text message and email triggers so in case the computer needs to enter into lockdown mode the user can do it remotely. It will also have notification services where in the case of an emergency, someone can be notified (private torrent tracker admins). DECAF's next release is going to be available in a more light-weight version and/or a windows service.


Once you run the software, the following window appears, very intuitive and very smooth.


This is the main screen of the "Lock Down" option.



Well, people who don't want to "be investigated" need to install this "tiny" and "dirty" DECAF software, BUT they must be aware that plenty of other ways exist to investigate their Windows machine.

Saturday, December 12, 2009

Google PhoneBook.

Google Phonebook has been around for years, but few people know about it.

Google Phonebook is the Google product that tracks your phone numbers and addresses. To be able to search it you have to know the URL; you can't link to it directly, and to enter the interface you must follow a link to an already completed search, such as: http://www.google.com/search?hl=en&pb=r&q=Bill+Gates&btnG=Search+PhoneBook.




Typing names, you get phone numbers and addresses (linked directly to Google Maps). Obviously you may claim your privacy and ask to be removed from the list (this is the direct link), BUT did you know you were in Google Phonebook?
Maybe I'm wrong (and I'm sure I am, because they're doing it... so probably they can), but in my mind the process should be the opposite: "if you want to be listed in the phonebook you should ask to be added" (or someone should ask you whether you want to be added to the phonebook). I believe many people don't know they are listed in GPhoneBook and don't know they are sharing personal information such as phone numbers and addresses with the whole world.


Dan Philpott's comment was:

This feature has been around and well known for ... when did Google start? Pretty much every major search engine that ever existed has had a white pages lookup function. Published phone numbers were one of the most accessible and ubiquitous data sets available in the early days of the Internet. Search engines plugged them into the data collected and found ways to add value with things like reverse lookups.

Not sure what the privacy implications are. This information is public and published in phone books and on a wide variety of phone number sites.



Do you have any other thoughts?

Finally Arrived !

Hi folks,
I'm finally in Davis, CA. The trip was very long: about 3300 miles, 65 driving hours, a huge snow storm in Arizona (Flagstaff), lots of deserts and forests. But everything was amazing.




I enjoyed the long trip a lot, the fascinating Route 66 and the wonderful Painted Desert (Arizona).




From Monday I'll start my job at UC Davis.
If somebody is planning to come near the Bay Area, please let me know; we may organize something.

Saturday, December 5, 2009

Clickjacking: Starting Point.

Hello folks,
according to wikipedia, clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous Web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. The exploit is also known as UI redressing.




If you're interested in new advanced clickjacking techniques, I wanna point out this nice paper ( :D ) titled Frightened by Links, where you can find a couple of examples including code and images. To me, it's a good starting point. Let me know what you think about it.
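
Whatever the overlay trick, the attack only works if the victim page lets itself be framed at all, which a browser decides from the X-Frame-Options header (introduced with IE8 in 2009) or, in current browsers, from the CSP frame-ancestors directive. The following is an added example (my own code, not from the paper or from Wikipedia) that evaluates a response's headers for a given framing page. The header sets are constructed, the source-expression matcher is simplified (ports, paths and the CSP upgrade rules are ignored), and the precedence rule applied is the one in CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored.

```python
from typing import Dict
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(src: str, framer_origin: str, page_origin: str) -> bool:
    """Simplified CSP source-expression match: ports, paths and upgrade rules are ignored."""
    src = src.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    scheme, host = framer_origin.split("://", 1)
    host = host.split(":", 1)[0]
    if src.endswith(":") and "//" not in src:         # scheme-only source, e.g. "https:"
        return scheme == src[:-1]
    want_scheme, _, want_host = src.rpartition("://")
    want_host = want_host.split(":", 1)[0]
    if want_scheme and want_scheme != scheme:
        return False
    if want_host.startswith("*."):                     # "*.example.com" matches subdomains only
        return host.endswith(want_host[1:])
    return host == want_host


def can_be_framed_by(headers: Dict[str, str], page_url: str, framer_url: str) -> bool:
    """Decide whether a browser will render page_url inside a frame hosted on framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = _origin(page_url), _origin(framer_url)

    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, framer_origin, page_origin) for s in value.split())

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer_origin == page_origin
    # No header, an unrecognised value, or ALLOW-FROM (never supported by Chrome,
    # dropped by Firefox) leaves the page frameable by anyone.
    return True


if __name__ == "__main__":
    # Constructed responses for a hypothetical bank page and a hypothetical attacker site.
    victim, attacker = "https://bank.example/transfer", "https://evil.example/"
    for label, hdrs in {
        "no header": {},
        "XFO DENY": {"X-Frame-Options": "DENY"},
        "CSP partner only": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
    }.items():
        print(f"{label:18} frameable by attacker: {can_be_framed_by(hdrs, victim, attacker)}")
```

Run this over the headers of every page that performs a state-changing action on a click: any True against a foreign origin is a clickjacking candidate regardless of how the page itself is built, and a JavaScript frame-buster alone is not a substitute, since the framing page can neutralise it.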

Friday, December 4, 2009

Just For Fun, not Yet Security

Hi Folks, I'm still road-tripping the US.
Actually I am in Oklahoma City and I'm writing from an Internet cafe downtown, going through a secure SSL proxy.
I don't have enough time to write about security stuff BUT, 2 days ago I received a nice email from a friend of mine containing these funny pictures. I wanna share them with you.







I'm not sure they represent well the difference between Microsoft and Mac guys; anyway, they're funny.